svchost: tcp port 49277?

CIS’ Active connection window shows that svchost is constantly listening on tcp port 49277.
Does anyone know what this is?

I found one posting on the Web which mentioned that it was related to IE8, but Google can’t find anything on any Microsoft site which mentions that port.

I’m running CIS v5.3.175888.1227, av 7399 under Win7 Pro x64.

Thanks for whatever help you can provide.

Svchost (a generic host process) listens on a great many ports. The easiest way to find out what’s going on is (if you’re happy with the command line, use netstat) to download something like Currports:

or TCPview

Look at the process ID of the individual svchost process.

As an example, I have a number of svchost entries listening, take one:

svchost listening on process ID 1064 port 49153… Just because something is listening, doesn’t mean it’s connected or doing anything malicious.

By the way, I think one post was probably enough…

[attachment deleted by admin]

Do you have remote desktop enabled in Windows? See attached image.

[attachment deleted by admin]

Actually, RDP uses port 3389. The ports described by the OP in this thread and the other refer to dynamic ports, which are much more likely to belong to a service such as event logs or the audio service.

Radaghast,

While any particular port may be intended to be used for reasonable purposes, opening undocumented ports can make a system vulnerable to unexpected intrusions. It’s too easy to introduce unintended security holes, even in well documented and tested protocols, as has been demonstrated in other services like SMB.

Thanks for pointing me to TCPview, which shows the associated job’s PID. TaskManager shows that the svchost job with that PID was started by username NETWORK SERVICE using the command line
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
A Web search reveals that’s how one starts PolicyAgent – which certainly isn’t appropriate on a system which isn’t part of an AD Domain (which this laptop is not) and “obviously” can be abused in undesirable ways.

I’m running Comodo’s firewall in full stealth mode while at home, blocking all externally initiated accesses, but now I should be able to find where this task is being started and eliminate it.
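The manual steps above (TCPview for the PID, Task Manager for the command line, a web search for the service) as one repeatable PowerShell check. This is an added example, not code from the thread or from Comodo; it assumes Windows PowerShell 3.0 or later (for Get-CimInstance; on Windows 7’s stock PowerShell 2.0 use Get-WmiObject instead) and an elevated prompt so that the command line of a NETWORK SERVICE process is readable. The function name and the flag names are my own.

```powershell
# Added example (not from the thread): map a listening TCP port to the process
# that owns it and, for svchost.exe, to the services hosted in that instance.
# Assumes Windows PowerShell 3.0+ (Get-CimInstance) and an elevated prompt.
function Get-ListeningPortOwner {
    param([Parameter(Mandatory = $true)][int]$Port)

    # 'netstat -ano' also works on Windows 7; a listener line looks like:
    #   TCP    0.0.0.0:49277    0.0.0.0:0    LISTENING    1064
    # The \S+ before the colon also matches IPv6 forms such as [::]:49277.
    $owners = netstat -ano | ForEach-Object {
        if ($_ -match "^\s*TCP\s+\S+:$Port\s+\S+\s+LISTENING\s+(\d+)\s*$") { [int]$Matches[1] }
    } | Sort-Object -Unique

    foreach ($procId in $owners) {
        $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $procId"
        # Every service whose ProcessId is this PID; for svchost.exe that is the
        # '-k <group>' set, e.g. PolicyAgent inside NetworkServiceNetworkRestricted.
        $svcs = Get-CimInstance Win32_Service -Filter "ProcessId = $procId"

        # The genuine host binary lives in %SystemRoot%\System32, as the command
        # line quoted in this thread shows; any other path named svchost.exe is odd.
        $expected = Join-Path $env:SystemRoot 'System32\svchost.exe'
        $pathMismatch = ($proc.Name -ieq 'svchost.exe') -and
                        ($proc.ExecutablePath -ine $expected)

        [pscustomobject]@{
            Port           = $Port
            ProcessId      = $procId
            Image          = $proc.Name
            Path           = $proc.ExecutablePath
            CommandLine    = $proc.CommandLine
            Services       = ($svcs | ForEach-Object { "$($_.Name) [$($_.StartMode)]" }) -join ', '
            # Windows Vista and later allocate ephemeral ports from 49152-65535 by
            # default, so a listener there is usually an RPC endpoint of a service,
            # not a fixed well-known port.
            InDynamicRange = ($Port -ge 49152 -and $Port -le 65535)
            PathMismatch   = $pathMismatch
        }
    }
}

# The port asked about in this thread; Services shows what to disable if unwanted.
Get-ListeningPortOwner -Port 49277 | Format-List
```

The Services column lists each hosted service with its start mode, so a service that should not be running (PolicyAgent on a non-domain laptop, as above) can be stopped and set to Disabled with Set-Service rather than hunted through startup scripts.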

I have seen a port opened on the router by one of my housemate’s computers that was in that same range 49,000 and up. It turned out the Windows RDP was opening it.

You can try using Svchost Viewer and svchostanalyser to get a finger behind where the autostart may be and then disable it from starting.

Eric,

Thanks for the suggestions.

So far I haven’t found the relevant startup script. Unfortunately, the docs claim that PolicyAgent provides both IPSec features and the ability to remotely control Windows Firewall (presumably the latter explains the open port). I don’t currently use any IPSec functionality but I’m very annoyed that they’d combine the two functions.

As you have probably determined, the policy agent service is used to control IPSEC policies (authentication/IKE etc.) for secure connections, for example when using IPSEC over an L2TP VPN. Clearly, if you have no need for this functionality, you can simply disable the service which will close the listening ports used by svchost. This procedure is also true for a number of other services offered by svchost.

As far as RDP is concerned, the default and only port used by this service is 3389. It is, however, possible to change this value, by explicitly editing the registry:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\PortNumber

Once this change has been made, the session has to be opened by defining both the IP address and the port of the computer during the connection initiation phase.