what is prompting svchost to connect?

LMHmedchem · May 31, 2012, 6:38pm

Since booting up this morning, I have had ~250 attempted outbound connections.

svchost.exe port 427 to 92.242.144.50 port 427 UDP
svchost.exe port 1648 to 92.242.144.50 port 139 TCP

My understanding of svchost is that it does nothing on its own but is tasked by some service or app. My basic question is what would be attempting to make such a connection and why have I never seen it before today.

Here is my Tasklist output for svchost,


Image Name:   svchost.exe
PID:          1292
Services:     DcomLaunch
              TermService

Image Name:   svchost.exe
PID:          1360
Services:     RpcSs

Image Name:   svchost.exe
PID:          1540
Services:     AudioSrv
              Browser
              CryptSvc
              Dhcp
              EventSystem
              LanmanServer
              lanmanworkstation
              Netman
              Nla
              Schedule
              SENS
              SharedAccess
              ShellHWDetection
              Themes
              W32Time
              winmgmt

Image Name:   svchost.exe
PID:          1936
Services:     hpqcxs08
              hpqddsvc

Image Name:   svchost.exe
PID:          1948
Services:     HPSLPSVC

Image Name:   svchost.exe
PID:          2020
Services:     Net Driver HPZ12

Image Name:   svchost.exe
PID:          1496
Services:     Pml Driver HPZ12

Image Name:   svchost.exe
PID:          1612
Services:     stisvc

Image Name:   svchost.exe
PID:          1440
Services:     SSDPSRV

Can anyone provide any insight as to why svchost is trying to connect the the WAN and what may be prompting it?

LMHmedchem

LMHmedchem · May 31, 2012, 10:18pm

Just to update, I just had requests for “system” to connect to the same two IP/port combinations.

system port 427 to 92.242.144.50 port 427 UDP
system port 1648 to 92.242.144.50 port 139 TCP

and also,

system to 92.242.144.50 port 445 TCP

Since port 445 is netbios, I have disabled NetBIOS over TCP/IP, as I probably should have done anyway.

This is a bit disturbing since port 445 and 139 are associated with file-sharing protocols.

LMHmedchem

panic · June 1, 2012, 12:13am

For XP
Click START → RUN → Services.msc
Locate the service HPQDDSVC and disable it

For Vista/7
Click START → Services.msc
Locate the service HPQDDSVC and disable it

Reboot and test if connections are still being attempted.

panic · June 1, 2012, 12:14am

P.S. This is a HP service known to cause hangs, crashes, etc.

LMHmedchem · June 1, 2012, 12:54am

There’s a surprise. I think a prerequisite for being an HP programmer is also having been a member of the Marks Brothers.

I have had my printer off for a while because I don’t use it very often and these HP services insist on keeping 300+ open network connections to the printer at all times (that’s not a typo). It looks like the HP services more or less ping the printer every 2 seconds all day, just to make sure it’s still there. Where they think it might have gone is anyone’s guess. I think it is possible that the connection to these addresses was triggered by some HP process trying to connect to the printer and failing. Since I have turned my printer back on, I have not had any more of these requests. I will keep checking to see if this is the case and post somewhere at HP to see if they know anything, thought that will be a waste of bandwidth if there ever was one.

LMHmedchem

panic · June 1, 2012, 2:19am

ROFLMAO - Groucho, Harpo and Piezo.

Buy a Brother - save yourself the angst.

Ewen