svchost question

Whenever I boot up, svchost.exe tries to connect to something via port 53 (DNS). It says it's UDP Out and its parent is services.exe.

Comodo throws up an error saying explorer.exe tried to use svchost.exe through ole automation, which can be used to hijack other applications.

Can anyone tell me what it needs to connect for, or what it could be that needs to connect? I’ve been denying it and haven’t noticed anything not working.

Hi Stephen07, welcome to the forums.

Given that it's SVCHOST via SERVICES on start-up, it is probably either Windows Update or TimeSync (or both).

The port 53 (DNS) is just looking up the IP address for a given name (e.g. microsoft.com). It's the normal first point of contact for any outgoing comms.

The explorer-OLE message is probably something else completely different, very common… but something else. Do you have an entry on CFP's Log (Activity tab) for this?

Hi Stephen07, welcome to the forum.

You can read my recent post here should svchost.exe be allowed internet access?? about some of the things svchost.exe is responsible for under Windows.

In your situation, providing your system is free of infection, you're seeing a normal Windows DNS request process. In simplistic terms, it works like this:

  1. Open IE and browse to a web site
  2. A request is made by IE to the OS, for the IP Address of the web site
  3. svchost.exe (services.exe as parent) kicks in and queries DNS (UDP port 53) for the IP
  4. The IP Address is passed to the OS and cached
  5. IE makes use of the information to access the site.

As I say, it’s a bit more involved than that, but you can see the process.

With regard to OLE Automation, there are quite a few threads related to the subject on the forum. You can start here:
OLE Automation warnings
OLE Automation
Hope that helps.

Toggie

I don’t believe MSIE (Microsoft Internet Explorer) uses SVCHOST in this manner. SVCHOST is SERVICES' (all MS Windows Services) Internet go-to guy, if you like. If SERVICES requires Net access then it is usually performed by SVCHOST on SERVICES' behalf. MSIE does its own DNS resolutions & SVCHOST only gets involved when a Service is involved (such as a DNS Client or a DHCP Client).

In general, you should not block the SERVICES/SVCHOST relationship lightly. Windows uses this relationship a fair bit; blocking it will cause Windows OS functions to fail.

The explorer OLE message is the same message; my whole post is about that message. Every time I boot up, svchost is trying to connect to my ISP’s DNS servers, and the text at the bottom of the message I get is that “explorer.exe tried to use svchost.exe through ole automation, which can be used to hijack other applications” one.

It is also logged as “high” in my log.

Can I see a Log entry for this Explorer-OLE message?

CFP's Log (Activity tab) can be exported to an HTML file (by right-clicking on the Log). If you then open the exported Log HTML in your default browser, you can simply copy ‘n’ paste to post the Log details here. Remember to mask any private IP addresses that you don’t want made public.

Is this ok?

Date/Time :2007-05-15 18:04:39
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (svchost.exe)
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP Out
Destination: xx.xx.xx.xx::dns(53)
Details: C:\WINDOWS\explorer.exe has tried to use C:\WINDOWS\system32\svchost.exe through OLE Automation, which can be used to hijack other applications.
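The exported log record above has a simple "Key: value" layout, so it can be parsed and triaged mechanically. This is an added example, not code from the thread or from Comodo: it reads the record exactly as posted (IP still masked), plus a second record constructed here with a non-standard path and parent for contrast, and applies three checks a defender would want before deciding whether the entry is the normal services.exe → svchost.exe → DNS pattern or something worth chasing. The expected paths, the second record and the rule set are all assumptions made for the example.

```python
"""Parse CFP 'Activity' log records of the kind pasted above and triage them.

Added example, not part of the thread. The first record is the one quoted in the
post (IP masked as in the original); the second is constructed for contrast.
"""
import re
from typing import Dict, List

ENTRY_FROM_POST = """Date/Time :2007-05-15 18:04:39
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (svchost.exe)
Application: C:\\WINDOWS\\system32\\svchost.exe
Parent: C:\\WINDOWS\\system32\\services.exe
Protocol: UDP Out
Destination: xx.xx.xx.xx::dns(53)
Details: C:\\WINDOWS\\explorer.exe has tried to use C:\\WINDOWS\\system32\\svchost.exe through OLE Automation, which can be used to hijack other applications."""

# Constructed record: same binary name, but launched from a user-writable folder
# by a non-service parent and talking TCP, not DNS.
ENTRY_CONSTRUCTED = """Date/Time :2007-05-15 18:05:02
Severity :High
Reporter :Application Monitor
Description: Outbound connection (svchost.exe)
Application: C:\\Documents and Settings\\user\\Local Settings\\Temp\\svchost.exe
Parent: C:\\WINDOWS\\explorer.exe
Protocol: TCP Out
Destination: 198.51.100.7::http(80)
Details: Application attempted to connect"""

# Assumed canonical locations on the XP-era system discussed in the thread.
EXPECTED_SVCHOST = r"c:\windows\system32\svchost.exe"
EXPECTED_PARENT = r"c:\windows\system32\services.exe"
DEST_RE = re.compile(r"^(?P<host>.+?)::(?P<service>[^(]+)\((?P<port>\d+)\)$")


def parse_entry(text: str) -> Dict[str, str]:
    """Split 'Key :value' / 'Key: value' lines into a dict with lower-cased keys."""
    entry: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)  # first colon only; values contain C:\ paths
        entry[key.strip().lower()] = value.strip()
    m = DEST_RE.match(entry.get("destination", ""))
    if m:
        entry["dest_host"] = m.group("host")
        entry["dest_service"] = m.group("service")
        entry["dest_port"] = m.group("port")
    return entry


def is_normal_service_dns(entry: Dict[str, str]) -> bool:
    """True for the pattern the thread calls normal: system32 svchost, parent services.exe, UDP to port 53."""
    return (
        entry.get("application", "").lower() == EXPECTED_SVCHOST
        and entry.get("parent", "").lower() == EXPECTED_PARENT
        and entry.get("protocol") == "UDP Out"
        and entry.get("dest_port") == "53"
    )


def triage(entry: Dict[str, str]) -> List[str]:
    """Return the things a reviewer would chase; an empty list means nothing unusual was seen."""
    findings = []
    app = entry.get("application", "").lower()
    parent = entry.get("parent", "").lower()
    if app.endswith("svchost.exe") and app != EXPECTED_SVCHOST:
        findings.append("svchost.exe running from unexpected path: " + entry["application"])
    if app.endswith("svchost.exe") and parent != EXPECTED_PARENT:
        findings.append("svchost.exe not started by services.exe: parent " + entry["parent"])
    details = entry.get("details", "")
    if "ole automation" in details.lower():
        # The firewall names the OLE client before ' has tried'; surface it for follow-up.
        findings.append("OLE Automation use by " + details.split(" has tried", 1)[0])
    return findings


if __name__ == "__main__":
    for text in (ENTRY_FROM_POST, ENTRY_CONSTRUCTED):
        rec = parse_entry(text)
        print(rec["application"], "normal DNS:", is_normal_service_dns(rec), triage(rec))
```

Run against the posted record, the DNS side comes out as the expected pattern and the only finding is the OLE Automation client (explorer.exe), which is exactly the part the replies below cannot explain; the constructed record fails both the path and parent checks.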

The example you posted is just fine, thanks.

However, at the moment I cannot think of a legitimate reason why or what explorer.exe might be doing with svchost.exe using OLE. It's probably not explorer.exe directly, but something that is loaded with explorer.exe.

What processes do you have running on, and shortly after, start-up (excluding the MS ones)?

I can think of no sensible reason for this activity either. It looks like explorer is trying to do a DNS query. I wonder what address it’s looking for… Are there any additional log entries following this one, especially related to explorer?

You could always block explorer.exe in Application Monitor; see this thread:
should explorer.exe get access rights? (iexplore.exe is IE)

According to msconfig I have nvcpl (NVIDIA control panel), nwiz.exe (again NVIDIA related), rundll32.exe (which looks like it has something to do with some NVIDIA DLLs, nvmctray.dll and nvtaskbarinit), cpf.exe (obviously), avgnt.exe (Avira AntiVir). Also my TV card app, which I’m about to disable on startup to see if it makes a difference. Along with Windows auto updates.

OK… and there are no explorer.exe or svchost.exe entries listed?

I assume the DNS request is a prelude to an actual connection attempt. It might be worth opening CFP's Connections screen (Activity tab) with the OLE alert on-screen. Then allow it “not remembered” & see what happens next… which should be the connection attempt. Unfortunately, you’ll need to be quick, as the Connections screen does record a history. You could always get What’s Running. It has a good detailed IP Connections screen. But it doesn’t have a history either. The best method would be using a protocol analyzer, like Wireshark… but it is not really for beginners.

explorer.exe is listed once, yes, but you said aside from the standard MS ones. There are 2 svchost.exe entries listed too.

I’ve just done some experimenting and it’s not the TV card things. Disabling auto updates seems to have stopped it. I’m going to enable that again and see if it comes back.

Now Comodo is doing strange things. It’s still blocking things, but it’s no longer asking me if I want them to have access; it’s just blocking them without asking (and I haven’t ticked the box to say don’t ask me). It doesn’t seem to be putting anything in the log, and when I click a log entry it says “an invalid argument was encountered”.

Also when I look it doesn’t report any activity, the main page says “no application traffic yet” and connections is empty, even though I’m using IE.

I assume you mean in the Task Manager rather than MS Config here?

CFP should not come up with an “an invalid argument was encountered” when you click on the Log… that’s for sure. Does CFP's Summary page say everything is OK?

Oh right, yeah, in Task Manager, those ones.

Summary page looks normal, yeah. Application monitor on, component monitor learning, network monitor on, application behaviour analysis on, protection strength excellent.

The connections tab now seems to be working again; it’s showing IE as having some in there and I can click on them.

The log still shows the error though, meaning I can't view details when I click items.

Also, it’s still not throwing up messages to say something is trying to access; it’s just automatically blocking things, which I like to restrict to only accessing the internet when I say so (i.e. I never tick the always allow box; I click allow each time if I want to grant that app access).

Hi

Sorry, I didn’t realise that CFP's Connections screen wasn’t working.

The log still shows the error though, meaning I can't view details when I click items.

Can you explain this in a little more detail? I'm a bit confused, because you don't need to click on the Log to see items; they're either there or not (unless the Event Logs From has been altered). Is this not the case with you?

Also, can you give a little more detail on CFP's Log “invalid argument” error… Is it a pop-up from CFP? Is the event recorded in the Windows Event Logs?