What is SVCHost doing, is this normal?


Sometimes I notice a popup claiming svchost.exe is trying to access the internet, sometimes even when I’m doing nothing and just on the desktop. I always block it and don’t notice any change.

I was wondering if this is normal, or should I be suspicious about this.

The details of what SVChost is trying to do from the Firewall log are as follows:

Date/Time Application Action Source IP Source Port Destination IP Destination Port Protocol

6/1/2009 1:21:54 PM C:\WINDOWS\system32\svchost.exe Blocked 3161 135 TCP

6/1/2009 1:32:02 PM C:\WINDOWS\system32\svchost.exe Blocked 2964 135 TCP

6/1/2009 1:32:05 PM C:\WINDOWS\system32\svchost.exe Blocked 2964 135 TCP

6/1/2009 1:33:39 PM C:\WINDOWS\system32\svchost.exe Blocked 2730 135 TCP

6/1/2009 1:34:45 PM C:\WINDOWS\system32\svchost.exe Blocked 31615 135 TCP

6/1/2009 1:36:55 PM C:\WINDOWS\system32\svchost.exe Blocked 22496 135 TCP

6/1/2009 1:36:58 PM C:\WINDOWS\system32\svchost.exe Blocked 22496 135 TCP

6/1/2009 1:37:57 PM C:\WINDOWS\system32\svchost.exe Blocked 6000 135 TCP

6/1/2009 1:42:32 PM C:\WINDOWS\system32\svchost.exe Blocked 1790 135 TCP

6/1/2009 1:53:48 PM C:\WINDOWS\system32\svchost.exe Blocked 2874 135 TCP

6/1/2009 2:08:40 PM C:\WINDOWS\system32\svchost.exe Blocked 3767 135 TCP

6/1/2009 2:17:25 PM C:\WINDOWS\system32\svchost.exe Blocked 38465 135 TCP

6/1/2009 2:36:40 PM C:\WINDOWS\system32\svchost.exe Blocked 67 68 UDP

6/1/2009 3:42:18 PM C:\WINDOWS\system32\svchost.exe Blocked 67 68 UDP

Just for more info: I typed some of the Source IPs into an IP Lookup and they came back to some random places, most in the UK, a couple were from France, one was from China and one was from Chile.

I scan with MBAM, SAS and Comodo AV and none show any infections.

This might be normal SVChost activity, I’d just like to know what is going on here.


Svchost can be permitted (and should be) as Outgoing only.

Thanks, I have changed the settings for svchost.exe to outgoing only. Shouldn’t this be done by default?

Anyhow, I’m not very educated on ports and IPs etc… what was actually going on?

All I can tell is that the source IPs are from random places, with varying ports, and the destination is always on port 135.

Is this normal or was something suspicious happening?

I’ve seen it on mine so I believe it is normal.

Well, I looked up most of those IP addresses and here is a list:

Country, Region, City

France, Ile-De-France, Paris

France, Ile-De-France, Paris

UK, Scotland, Glasgow

France, Ile-De-France, Paris

UK, England, Doncaster

China, Sichuan, Chengdu

UK, England, Huddersfield

UK, England, Stockton-on-Tees

Chile, Region Metropolitan, Santiago

UK, England, Nottingham

Thanks, so what are these IPs doing trying to access port 135, are they trying to hijack my computer!

Some, like the ones from China and Chile, are probably hackers; the others may be infected PCs with malware trying to spread. This is why you should set svchost to outgoing only.

Real quick question here: why are these packets getting past the router?

The destination IP address of tells me that you’re behind a NAT/router. A router like that will only allow traffic in to your machine in response to traffic from your machine. TCP port 135 is the Windows networking RPC port (I think), and if it is the RPC port, has no business talking to anything on the Internet.

If that is the RPC port, then there’s something wrong somewhere.

According to GRC | Port Authority, for Internet Port 135: Port 135 is linked to RPC Endpoint Mapper.

So there is something wrong.

Well I haven’t had the problem since I set svchost to outgoing only.

I am connected wirelessly to an Orange Livebox.

I’ve scanned with Comodo, MBAM and SUPERAntiSpyware and they don’t find anything wrong with my system.

I might change svchost back to what it was to see if the problem happens again, just to find out what is going on and see if I have any programs open when it occurs. Because if there is something going wrong somewhere, as guru said, I’d rather find out about it now.

I have BLOCKED all SVCHost.exe’s and nothing has stopped working on my PC. Seems all is fine. What should not work if it’s stopped?
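An added example, not part of the thread: a short Python script that sorts firewall log lines in the column order shown in the first post into DHCP replies (UDP 67 to 68) and inbound TCP 135 attempts, split by whether the source is an RFC 1918 (LAN) address or not. The sample lines and all IP addresses in them are constructed placeholders, since the addresses from the original log are not on the page, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the thread's column order. The IP addresses are
# placeholders (documentation ranges and a made-up LAN), not from the post.
SAMPLE_LOG = r"""
6/1/2009 1:21:54 PM C:\WINDOWS\system32\svchost.exe Blocked 203.0.113.7 3161 192.168.1.10 135 TCP
6/1/2009 1:32:02 PM C:\WINDOWS\system32\svchost.exe Blocked 198.51.100.23 2964 192.168.1.10 135 TCP
6/1/2009 1:40:11 PM C:\WINDOWS\system32\svchost.exe Blocked 192.168.1.25 1044 192.168.1.10 135 TCP
6/1/2009 2:36:40 PM C:\WINDOWS\system32\svchost.exe Blocked 192.168.1.1 67 192.168.1.10 68 UDP
"""

LINE = re.compile(
    r"^(?P<when>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) (?P<app>.+?) (?P<action>\w+) "
    r"(?P<src>\S+) (?P<sport>\d+) (?P<dst>\S+) (?P<dport>\d+) (?P<proto>TCP|UDP)$"
)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse(text):
    """Return one dict per well-formed log line; skip anything else."""
    entries = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            e = m.groupdict()
            e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
            entries.append(e)
    return entries

def is_lan(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def classify(e):
    # UDP 67 -> 68 is a DHCP server answering a DHCP client.
    if e["proto"] == "UDP" and (e["sport"], e["dport"]) == (67, 68):
        return "dhcp-reply"
    # TCP 135 is the RPC endpoint mapper; where the caller sits matters.
    if e["proto"] == "TCP" and e["dport"] == 135:
        return "rpc135-from-lan" if is_lan(e["src"]) else "rpc135-from-internet"
    return "other"

def summarize(text):
    return Counter(classify(e) for e in parse(text))

if __name__ == "__main__":
    for label, count in summarize(SAMPLE_LOG).items():
        print(f"{count:3d}  {label}")
```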