svchost.exe port 57398: What's going on here?

Hi there,

Long time user of Comodo’s excellent firewall.

I recently did a clean install of Windows 7 and also installed Comodo Internet security version 5.4.189822.1355 (just the firewall).

For the past few days, I’ve been receiving alerts that svchost.exe is trying to receive a connection from the internet and in all cases, it’s port 57398 UDP. :cry:

Not sure whether there could be something wrong with my ruleset or something else is going on.

My current ruleset:

Firewall log:

Any assistance would be greatly appreciated. Thank you! :slight_smile:

Svchost will listen on various dynamic ports (49152 to 65535) for a variety of reasons, but they are called dynamic for a reason. In your case the port seems to be consistent, which is more indicative of p2p behaviour. Have you rebooted the PC since this started?

To make a better assessment of the behaviour we’ll need a little more information. As you probably know, svchost is just a host for numerous other processes, so what we need to find out is which of those processes is potentially in use by this instance of svchost. To do that we need to find the process ID (PID).

Open a command prompt and type:

netstat -ano

Look down the list until you find the UDP entries at the bottom. Identify the entry that is listening on port 57398 and look across to the right to find the PID (the last column on the right). Now, in the same command prompt, type:

tasklist /svc

Find the PID (middle column) and look at the processes that are being hosted by that instance of svchost. Please post them here.

You can also find the PID in Firewall/Active connections and Defence+/Active process list or any other network/process monitor such as Process Hacker or TCPView etc.
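An added example (my own, not code from the thread or from Comodo) that automates the port-to-PID-to-service lookup described above in Python: it parses output in the column layout netstat -ano and tasklist /svc print, folds tasklist's wrapped service lines back together, and reports which services the owning svchost instance hosts. The sample output is constructed to mirror the thread's values rather than being the poster's paste.

```python
import re

# Constructed sample output in the column layout of netstat -ano and tasklist /svc;
# values mirror the thread (UDP 57398 held by PID 1068) but this is not the poster's paste.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       808
  UDP    0.0.0.0:500            *:*                                    1068
  UDP    192.168.1.2:57398      *:*                                    1068
  UDP    [::]:3702              *:*                                    1220
"""
TASKLIST_SAMPLE = """\
========================= ======== ============================================
svchost.exe                    808 RpcEptMapper, RpcSs
svchost.exe                   1068 AeLookupSvc, Appinfo, gpsvc, IKEEXT,
                                   iphlpsvc, LanmanServer, MMCSS, ProfSvc,
                                   Schedule, SENS, ShellHWDetection, Themes,
                                   Winmgmt, wuauserv
"""
TASKLIST_RE = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*)$")   # image, PID, services

def parse_netstat(text):
    """Yield (proto, local_ip, local_port, pid) from netstat -ano rows; PID is the last column."""
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] in ("TCP", "UDP") and parts[-1].isdigit():
            ip, port = parts[1].rsplit(":", 1)
            yield parts[0], ip, int(port), int(parts[-1])

def parse_tasklist(text):
    """Return {pid: (image, [services])}, folding tasklist's wrapped service lines."""
    procs, current = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and current is not None:   # wrapped continuation
            procs[current][1].extend(s.strip() for s in line.split(",") if s.strip())
            continue
        m = TASKLIST_RE.match(line)                         # header/rule lines don't match
        if m:
            image, pid, svcs = m.group(1), int(m.group(2)), m.group(3)
            names = [] if svcs == "N/A" else [s.strip() for s in svcs.split(",") if s.strip()]
            procs[pid], current = (image, names), pid
    return procs

def who_owns_port(netstat_text, tasklist_text, port, proto="UDP"):
    """The manual lookup from the thread: local port -> PID -> (image, hosted services)."""
    procs = parse_tasklist(tasklist_text)
    return [(pid, ip) + procs.get(pid, ("<not in tasklist>", []))
            for p, ip, lport, pid in parse_netstat(netstat_text)
            if p == proto and lport == port]
```

On a live machine, feed it the captured output of the two commands; a port whose PID is missing from the tasklist snapshot is flagged rather than silently dropped.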

Hello Radaghast,

Here you go. It’s a bit long and messy :D. Thanks for your assistance so far:

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\user 1>netstat -ano

Active Connections

Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 808
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:5357 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:33116 0.0.0.0:0 LISTENING 3480
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING 496
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING 1004
TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING 1068
TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING 596
TCP 0.0.0.0:49156 0.0.0.0:0 LISTENING 580
TCP 0.0.0.0:49157 0.0.0.0:0 LISTENING 1484
TCP 127.0.0.1:10000 0.0.0.0:0 LISTENING 3480
TCP 127.0.0.1:49163 127.0.0.1:49164 ESTABLISHED 208
TCP 127.0.0.1:49164 127.0.0.1:49163 ESTABLISHED 208
TCP 127.0.0.1:49165 127.0.0.1:49166 ESTABLISHED 208
TCP 127.0.0.1:49166 127.0.0.1:49165 ESTABLISHED 208
TCP 192.168.1.2:139 0.0.0.0:0 LISTENING 4
TCP 192.168.1.2:49162 91.198.117.130:443 CLOSE_WAIT 1916
TCP 192.168.1.2:49362 74.125.236.87:443 TIME_WAIT 0
TCP 192.168.1.2:49407 74.125.236.87:443 TIME_WAIT 0
TCP 192.168.1.2:49409 74.125.236.87:443 TIME_WAIT 0
TCP 192.168.1.2:49410 74.125.236.87:443 TIME_WAIT 0
TCP 192.168.1.2:49411 74.125.236.87:443 ESTABLISHED 208
TCP 192.168.1.2:49412 74.125.236.87:443 ESTABLISHED 208
TCP 192.168.1.2:49413 74.125.236.82:443 TIME_WAIT 0
TCP 192.168.1.2:49415 209.85.231.132:443 TIME_WAIT 0
TCP 192.168.1.2:49416 74.125.236.87:443 ESTABLISHED 208
TCP 192.168.1.2:49427 74.125.236.93:443 TIME_WAIT 0
TCP 192.168.1.2:49461 74.125.236.80:80 TIME_WAIT 0
TCP 192.168.1.2:49474 91.199.212.149:80 TIME_WAIT 0
TCP 192.168.1.2:49476 91.199.212.149:80 TIME_WAIT 0
TCP 192.168.1.2:49477 91.199.212.149:80 TIME_WAIT 0
TCP 192.168.1.2:49487 173.174.231.111:51413 SYN_SENT 3480
TCP [::]:135 [::]:0 LISTENING 808
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:5357 [::]:0 LISTENING 4
TCP [::]:33116 [::]:0 LISTENING 3480
TCP [::]:49152 [::]:0 LISTENING 496
TCP [::]:49153 [::]:0 LISTENING 1004
TCP [::]:49154 [::]:0 LISTENING 1068
TCP [::]:49155 [::]:0 LISTENING 596
TCP [::]:49156 [::]:0 LISTENING 580
TCP [::]:49157 [::]:0 LISTENING 1484
UDP 0.0.0.0:500 : 1068
UDP 0.0.0.0:3544 : 1068
UDP 0.0.0.0:3702 : 1220
UDP 0.0.0.0:3702 : 1220
UDP 0.0.0.0:3702 : 3080
UDP 0.0.0.0:3702 : 3080
UDP 0.0.0.0:4500 : 1068
UDP 0.0.0.0:5355 : 948
UDP 0.0.0.0:33116 : 3480
UDP 0.0.0.0:55819 : 1220
UDP 0.0.0.0:60260 : 3080
UDP 0.0.0.0:60266 : 1220
UDP 127.0.0.1:1900 : 3080
UDP 127.0.0.1:60265 : 3080
UDP 192.168.1.2:137 : 4
UDP 192.168.1.2:138 : 4
UDP 192.168.1.2:1900 : 3080
UDP 192.168.1.2:57398 : 1068
UDP 192.168.1.2:60264 : 3080
UDP [::]:500 : 1068
UDP [::]:3702 : 3080
UDP [::]:3702 : 3080
UDP [::]:3702 : 1220
UDP [::]:3702 : 1220
UDP [::]:4500 : 1068
UDP [::]:5355 : 948
UDP [::]:33116 : 3480
UDP [::]:55820 : 1220
UDP [::]:60261 : 3080
UDP [::]:60267 : 1220
UDP [::1]:1900 : 3080
UDP [::1]:60263 : 3080
UDP [fe80::70e2:af3a:5d39:c355%10]:1900 : 3080
UDP [fe80::70e2:af3a:5d39:c355%10]:60262 : 3080

C:\Users\user 1>tasklist /svc

Image Name PID Services
========================= ======== ============================================
System Idle Process 0 N/A
System 4 N/A
smss.exe 304 N/A
csrss.exe 452 N/A
wininit.exe 496 N/A
services.exe 580 N/A
lsass.exe 596 ProtectedStorage, SamSs
lsm.exe 608 N/A
svchost.exe 728 DcomLaunch, PlugPlay, Power
svchost.exe 808 RpcEptMapper, RpcSs
cmdagent.exe 900 cmdagent
svchost.exe 948 CryptSvc, Dnscache, LanmanWorkstation,
NlaSvc
svchost.exe 1004 Audiosrv, Dhcp, eventlog,
HomeGroupProvider, lmhosts, wscsvc
svchost.exe 1040 AudioEndpointBuilder, CscService, Netman,
PcaSvc, SysMain, TrkWks, UxSms,
WdiSystemHost, wudfsvc
svchost.exe 1068 AeLookupSvc, Appinfo, gpsvc, IKEEXT,
iphlpsvc, LanmanServer, MMCSS, ProfSvc,
Schedule, SENS, ShellHWDetection, Themes,
Winmgmt, wuauserv
svchost.exe 1220 EventSystem, fdPHost, netprofm, nsi,
WdiServiceHost, WinHttpAutoProxySvc
SbieSvc.exe 1280 SbieSvc
spoolsv.exe 1612 Spooler
svchost.exe 1656 BFE, DPS, MpsSvc
DTSRVC.exe 1764 DTSRVC
pdisrvc.exe 1800 PdiService
psia.exe 1916 Secunia PSI Agent
svchost.exe 1948 StiSvc
svchost.exe 1484 PolicyAgent
svchost.exe 3080 FDResPub, FontCache, SSDPSRV, upnphost
csrss.exe 2348 N/A
winlogon.exe 2136 N/A
dwm.exe 2920 N/A
explorer.exe 3104 N/A
taskhost.exe 2828 N/A
cfp.exe 3472 N/A
wmpnetwk.exe 3960 WMPNetworkSvc
svchost.exe 2680 WinDefend
firefox.exe 208 N/A
TrustedInstaller.exe 3796 TrustedInstaller
plugin-container.exe 3944 N/A
uTorrent.exe 3480 N/A
WINWORD.EXE 3860 N/A
audiodg.exe 712 N/A
cmd.exe 1552 N/A
conhost.exe 2704 N/A
tasklist.exe 1296 N/A
WmiPrvSE.exe 552 N/A

Thanks for the information, unfortunately I can’t think of any reason why any of the services associated with that instance of svchost should be listening on a port like that. Therefore, we’ll have to approach this in a slightly different way.

Please download Process Hacker and once running find the PID of the svchost instance hosting the following services:

AeLookupSvc
Appinfo
gpsvc
IKEEXT
iphlpsvc
LanmanServer
MMCSS
ProfSvc,
Schedule
SENS
ShellHWDetection
Themes,
Winmgmt
wuauserv

In the earlier post the PID is 1068 but if you’ve rebooted, it likely will have changed, unless there’s a specific process insisting on that port.

Once you know the PID, switch to the Network tab and find svchost with the same PID, then find out which service (Owner) is associated. Please post the results.

Hi, the PID no. is 1040 and in local address it shows “iphlpsvc”.

By the way, I found out how the “svchost” alerts got triggered in the first place.

It happens whenever I try to download a torrent. My network rules (please refer to my first screenshots) are configured properly for my router and uTorrent. Just wondering whether something could be wrong there.

I had a feeling you might say that, but I’m a little confused about the port number, as it doesn’t appear to be your uTorrent port… The iphlpsvc is a service that, amongst other things, provides support for certain types of ipv6 connectivity. As you’re running Windows 7, ipv6 is enabled by default and, because you’re using the default firewall rules for svchost, you have no control over the types of outbound connections it can make.

When you use uTorrent, it will happily make use of the ipv6 transport, if available, which in your case is probably 6to4. But again, because your rules for uTorrent simply allow all outbound connections, you will not see anything to indicate this behaviour, except for the events you are now seeing, and the only reason you’re seeing these is because the rule for svchost doesn’t allow inbound connections.

You really have two choices at this point. Incidentally, this is not malicious behaviour, simply uTorrent using ipv6. You can modify your rules to correctly handle these connections, or you can disable ipv6, which should make this go away. To disable ipv6 transition technologies, open a command prompt and copy and paste the following:

netsh interface ipv6 set privacy state=disable
netsh interface ipv6 6to4 set state state=disabled
netsh interface ipv6 isatap set state state=disabled
netsh interface ipv6 set teredo disabled

Some additional information can be found here

Just a thought. Would you mind running an ipconfig /all from the command prompt and posting the results, please. Also, if you’re familiar with Wireshark you could run a capture and post that as well :slight_smile:
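An added example (mine, not from the thread) in Python that puts the point about iphlpsvc and ipv6 transition tunnels in checkable form: it classifies the kinds of address ipconfig /all shows on Teredo, ISATAP and ordinary adapters, and unpacks the endpoint fields that a Teredo or 6to4 address carries by construction (RFC 4380 and RFC 3056), which is what lets the svchost instance hosting iphlpsvc, rather than uTorrent itself, send and receive the tunnelled traffic as UDP. The sample addresses are constructed, not the poster's.

```python
import ipaddress

# Constructed sample addresses in the shapes ipconfig /all prints for the adapters in the
# thread (native link-local, Teredo, 6to4, ISATAP); they are not the poster's addresses.
SAMPLE_ADDRS = [
    "fe80::70e2:af3a:5d39:c355%10",         # plain link-local on the Ethernet adapter
    "2001:0:c000:201:8000:f227:3fff:fdfb",  # Teredo: 2001:0::/32 with embedded IPv4 fields
    "2002:c000:204::1",                      # 6to4: 2002::/16, IPv4 192.0.2.4 in bits 16-47
    "fe80::5efe:192.0.2.4",                  # ISATAP: interface id 0000:5efe:<IPv4>
]
TEREDO_NET = ipaddress.IPv6Network("2001:0::/32")
SIXTOFOUR_NET = ipaddress.IPv6Network("2002::/16")

def classify(addr_str):
    """Name the IPv6 transition technology an address belongs to ('native' if none)."""
    addr = ipaddress.IPv6Address(addr_str.split("%")[0])     # drop the %zone index
    if addr in TEREDO_NET:
        return "teredo"
    if addr in SIXTOFOUR_NET:
        return "6to4"
    iid_high = (int(addr) >> 32) & 0xFFFFFFFF                 # upper half of interface id
    if iid_high in (0x00005EFE, 0x02005EFE):                  # ISATAP, with/without u bit
        return "isatap"
    return "native"

def decode_teredo(addr_str):
    """Unpack the RFC 4380 fields: server IPv4, flags, and the XOR-obfuscated client port/IPv4."""
    n = int(ipaddress.IPv6Address(addr_str))
    return {
        "server": str(ipaddress.IPv4Address((n >> 64) & 0xFFFFFFFF)),
        "cone_nat": bool((n >> 48) & 0x8000),
        "client_port": ((n >> 32) & 0xFFFF) ^ 0xFFFF,
        "client_ip": str(ipaddress.IPv4Address((n & 0xFFFFFFFF) ^ 0xFFFFFFFF)),
    }

def decode_6to4(addr_str):
    """Return the IPv4 address a 6to4 prefix embeds (the host's public IPv4)."""
    n = int(ipaddress.IPv6Address(addr_str))
    return str(ipaddress.IPv4Address((n >> 80) & 0xFFFFFFFF))

def audit(addrs):
    """Summarise which tunnel technologies a host's addresses reveal, per address."""
    report = {}
    for a in addrs:
        kind = classify(a)
        detail = decode_teredo(a) if kind == "teredo" else (decode_6to4(a) if kind == "6to4" else None)
        report[a] = (kind, detail)
    return report
```

Run audit() over the addresses from a real ipconfig /all dump to see, before touching any netsh settings, which tunnel adapters are actually active and what IPv4 endpoints they expose.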

Radaghast: I’ve disabled IPV6 with the command prompt and downloaded a torrent and woot! no more popups :wink: :smiley: ;D…

Looks like it worked! ;D…I’ll post back if there are any further problems. Many thanks for your assistance :-TU

Here are the ipconfig results anyways:

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\User>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : User-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : VIA Rhine II Compatible Fast Ethernet Adapter
Physical Address. . . . . . . . . : 00-E0-4D-35-1A-EC
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::70e2:af3a:5d39:c355%10(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.2(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Thursday, May 26, 2011 12:44:57 AM
Lease Expires . . . . . . . . . . : Sunday, May 29, 2011 12:44:58 AM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 234938445
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-61-18-73-00-E0-4D-35-1A-EC

DNS Servers . . . . . . . . . . . : 192.168.1.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{090D636F-EBE8-4155-BA85-BA3B85AA0067}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:24b3:d64d:855b:478(Preferred)
Link-local IPv6 Address . . . . . : fe80::24b3:d64d:855b:478%11(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled

I’m glad that worked :slight_smile: May I assume the ipconfig was taken before the netsh commands?

Yes Radaghast, that is correct. The Ipconfig was taken before disabling IPV6. One final question:

How will this impact my bittorrent uploads/downloads? I’m guessing that hardly any since IPV6 has not yet caught up with the internets? Thanks again!

At this stage you’ll not notice any impact if you disable ipv6 tunnelling, as you have done. In most tunnelling scenarios, if there’s a choice between ipv4 and ipv6, ipv4 will be used. Also, because of the way tunnelling technologies such as Teredo and 6to4 work, they may actually have an adverse effect on performance when using ipv6.