Not stealthed

Yes, I had Firefox and Thunderbird opened during the scan, but I get the same results if those are not opened (i’ve just tried)

No, I don’t play any on-line games. I think the port 1025 is used by the Remote Procedure Call service…
I do have the router, and the UPnP is enabled, so the port 5000 is OK.

Please note I’ve done the scan with the “connect” method for TCP scan. When I use the SYN method, there is no open ports.

TheBFG, sorry I write about my problems in your thread (although they are related). If it bothers you, please say, and I’ll open a new thread.

Port 1025 is also used in network blackjacking (and not the Las Vegas kind of way either).

That’s good, I’ve never had any luck with these machines anyway :slight_smile:

I checked with CurrPorts, the port 1025 is used by the svchost, but this particular instance controls about 20 services. Is there a way to find exact service that is listening on this port?

I didn’t find much on google, but one old forum stated that Windows Updates uses port 1025.

Not in my case - I have auto update disabled, and I didn’t run it while scanning ;D

Then try the good old method of disabling every Windows Service that has the name “svchost.exe” one by one (except RPC of course because you still want to keep your computer alive).


Just out of interest, did anything in your environment changed between running the GRC probes. That is, have you:

  1. installed/removed/changed and software?
  2. added/changed/removed any rules in cfp or windows firewall?


There seems to be a great deal of mis-information on the net about the nature of this port. For my money, its just one of the ports MS uses for house keeping or some other simple task, but its best to be safe and do some more investigation.


According to the CurrPorts, the local and remote address for the port 1025 is, and it is in some way used for routing. The CFP doesn’t show any traffic on this port, so I will assume it is safe. But I will continue to monitor it.

Too bad CFP doesn’t have the feature to just log a certain type of traffic (e.g. for a specific port).

soyabeaner, I’ll try what you suggested, but I’ll have to take a day off from my work :slight_smile:


The IP Address is a reserved address that, amongst other things, refers to ‘this host on this network’ If you go to a command prompt and type:

route print [Enter]

You will see a small routing table, the first entry of which is

Something else you can try to identify the mystery of port 1025. Go to a command prompt and type:

tasklist /SVC [Enter]

This will show you some useful information about the processes running on your PC.


… or you can use Process Explorer :wink:

And of course, the svchost process that is listening to this port, is the one that controls most of the services (about 20)…

EDIT: I’m beggining to think soyabeaner was right when he said that Windows update could be using port 1025. Although update is disabled, its service is started, and it is controled by this particular instance of svchost

I’m not right :P. It was something I found in another forum’s archived thread. That’s not to say that only Windows Update can use the port. If there’s anything I’m decent at, it’s my googling skills 8).

Here are other links that may either bring ideas or just waste your time and confuse you more ;D:
Der Elektronik-Markt | → This is a new one ;D. It claims it’s Scheduler Service. Funny, because I have it on Automatic mode (for prefetching to work) but mine’s never had any net access. Maybe because I have zero tasks in it.

I also read that a lot of trojans/worms love to visit this port ;D

Thanks for the reply again
But this thread is getting a bit confusing ( for me anyway!) but no problem…

Answerr to above questions

  1. Toshiba PCX 2500
  2. Same

I have changed nothing to the windows firewall or any other settings
This port was just suddenly shown as closed instead of stealthed.
As I say maybe this is nothing to do with COMODO firewall but I still wonder why
it occurred. But that’s computer life I guess.
Anyway as far as I can understand, as long as the port is not open then basically no problem.
So maybe I will just put up with it for now and be content that COMODO is doing it’s job of blocking anything I don’t want.
Thanks for the quick responses


Its difficult to know where to go with this. Essentially the port is blocked, so its safe. The question, however, still remains. Why is port 1 now closed and not stealthed?

If nothing has changed on any of the computers or rules the firewall, then…


TNX, The BFC ~

Here’s what I found about your modem:

The cable modem is easy to install using either USB or a standard Ethernet 10/100 connection to your PC or to the network hub in a small business. With support for up to 16 PCs, the Toshiba PCX2500 DOCSIS Cable Modem is ideal for SOHO environments where secured, shared Internet access is a requirement. For MSOs, Toshiba's PCX2500 DOCSIS Cable Modem includes such advanced features as a customizable self-installation wizard, remote and local diagnostic capability, remote firmware download and SNMP support.

and from the manual

A cable modem MOdulates and DEModulates electrical signals in the same sense that the telephone modem does. However, since coaxial cable can carry much higher wave frequencies, cable modems are far more sophisticated. Their internals can include a tuner, a bridge, a router, an encryption/decryption device, an SNMP agent, USB port and and Ethernet hub. Furthermore, none of the activity caused by these circuits and codes disturbs your regular cable TV reception.

This was found at

If you’re using the USB connection, you might want to check for driver updates. You might also want to try their troubleshooter, just to make sure everything is as it should be.

My conclusion from all this is that your modem is likely to be serving as a router or hub (although not using NAT), given that it supports up to 16 PCs, and that is what is being scanned. The cable provider (my understanding) sets up and configures the modem, and may have remote access to it (I’d pretty much guarantee it…). If everything checks out, you might ask them what changes they have made, to cause the port to be reported differently.

Also, have you tried any of the other online tests, to see if they report the same thing?


Thans a lot
I understand your information
I will see what they say about it
Really appreciate you taking the time to research on this
Thanks …a great forum

No problem. Keep us posted; I’m interested to see what your ISP says about it. Hopefully they will have a knowledgeable, helpful answer…