GRC Security Scan Problem with Svchost.exe, Lsass.exe, Wininit.exe, Services.exe listening on 1025-1030 port range

  • Question

  • Hi,


    Configuration: Vista Home Premium machine with SP1 and latest updates installed


    A few days ago, for some reason, the default ports, which were in the 40000-50000 range for
    svchost.exe, lsass.exe, wininit.exe, changed to the 1025-1030 range.

    netstat -abno

    gives the following results :

      TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
     [wininit.exe]
      TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
      Eventlog
     [svchost.exe]
      TCP    0.0.0.0:1027           0.0.0.0:0              LISTENING
      Schedule
     [svchost.exe]
      TCP    0.0.0.0:1028           0.0.0.0:0              LISTENING
     [lsass.exe]
      TCP    0.0.0.0:1029           0.0.0.0:0              LISTENING
      PolicyAgent
     [svchost.exe]
      TCP    0.0.0.0:1030           0.0.0.0:0              LISTENING
     [services.exe]

    The problem is that the GRC ShieldsUp scan says those ports are open, failing the TruStealth Analysis. The firewall used on that particular machine is Comodo; wininit.exe (sitting on port 1025) was always blocked from any incoming connections. Also, another machine with exactly the same configuration doesn't have this issue, and the same executables with exactly the same components and processes listen on the 40000-50000 port range.

    Another thing is that ICS is activated on the problematic machine, but even after disabling it this problem persists.

    So my question is:
    What could cause this*, and is there any way (probably some registry key) to re-configure or change the default listening ports for svchost.exe, lsass.exe, wininit.exe back to the "right" 40k-50k range?


    P.S.: *Scanned with AVG antivirus and other spyware tools; also checked the MD5 signatures of those executables. They are legitimate and from Microsoft, so it's not a virus or spyware issue, rather some configuration causing this, but where to look for it?
    Friday, October 24, 2008 10:40 PM

All replies

  • This behavior can be caused by one of your background programs. Please boot in Clean Boot Mode to narrow down the cause.

    Clean boot

    =================

    Let's disable all startup items and third-party services when booting. This method will help us determine if this issue is caused by a loading program or service. Please perform the following steps:

    1. Click the Start button, type "msconfig" (without quotation marks) in the Start Search box, and then press Enter.

    Note: If prompted, please click Continue on the User Account Control (UAC) window.

    2. Click the "Services" tab, check the "Hide All Microsoft Services" box and click "Disable All" (if it is not gray).

    3. Click the "Startup" tab, click "Disable All" and click "OK".

    Then restart the computer. When the "System Configuration Utility" window appears, please check the "Don't show this message or launch the System Configuration Utility when Windows starts" box and click OK.

    Please test this issue in the Clean Boot environment. If the issue disappears in the Clean Boot environment, we can use a 50/50 approach to quickly narrow down which entry is causing the issue.

    For more information about this step, please refer to the following KB article:

    How to troubleshoot a problem by performing a clean boot in Windows Vista

    http://support.microsoft.com//kb/929135

    However, if the issue persists in Clean Boot Mode, please boot in Safe Mode, and let me know if the issue occurs.

     

    Thursday, October 30, 2008 9:19 AM
    Moderator
  • Hi, thank you for your reply.

    I tried to do a clean boot, but it didn't solve the problem. I also tried to start Vista in Safe Mode with and without network support; that didn't help. No other application is using the 40k-50k ports apart from Firefox sometimes, but still there were not enough connections from FF to occupy all of this range. What could cause this?

    P.S.: the other machine doesn't have this problem at all, although they are running the same configurations:

    - Vista Home Premium machine with SP1 and latest updates installed (french version)
    - Latest Comodo 3
    - AVG Antivirus
    - Lavasoft Ad-Aware
    Everything is up to date.

    Could it be something related to the MS08-067 vulnerability?

    Thank you in advance.

    Tuesday, November 4, 2008 9:36 PM
  • Hi,

    In Windows Vista, changing related configuration for system processes needs high privilege. As far as we know, no programs can change the port for system processes. I suggest that we check port information again. The following article may be referred to.

    http://blogs.techrepublic.com.com/datacenter/?p=453

    Important Note: Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

    If some process has occupied the 1025-1030 ports, the system may change the ports for system processes to another port. If you find that system processes such as svchost.exe run with ports in the 40000-50000 range, I suggest that you try to find which processes are using the 1025-1030 ports.

    Wednesday, November 12, 2008 9:53 AM
    Moderator
  • Hi, thank you for the reply.

    So is it normal that Windows Services run on the 1025-1030 ports?
    Here is the result of the netstat & tasklist commands:

    C:\Windows>netstat -a -n -o

    Active Connections

      Proto  Local Address          Foreign Address        State           PID
      TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       984
      TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
      TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       660
      TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING       1076
      TCP    0.0.0.0:1027           0.0.0.0:0              LISTENING       1132
      TCP    0.0.0.0:1028           0.0.0.0:0              LISTENING       740
      TCP    0.0.0.0:1029           0.0.0.0:0              LISTENING       2352
      TCP    0.0.0.0:1030           0.0.0.0:0              LISTENING       708
      TCP    0.0.0.0:2869           0.0.0.0:0              LISTENING       4
      TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1400
      TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING       4
      TCP    0.0.0.0:23727          0.0.0.0:0              LISTENING       5660
      TCP    127.0.0.1:1042         127.0.0.1:1043         ESTABLISHED     1456
      TCP    127.0.0.1:1043         127.0.0.1:1042         ESTABLISHED     1456
      TCP    127.0.0.1:1044         127.0.0.1:1045         ESTABLISHED     1456
      TCP    127.0.0.1:1045         127.0.0.1:1044         ESTABLISHED     1456
      TCP    [::]:135               [::]:0                 LISTENING       984
      TCP    [::]:445               [::]:0                 LISTENING       4
      TCP    [::]:1025              [::]:0                 LISTENING       660
      TCP    [::]:1026              [::]:0                 LISTENING       1076
      TCP    [::]:1027              [::]:0                 LISTENING       1132
      TCP    [::]:1028              [::]:0                 LISTENING       740
      TCP    [::]:1029              [::]:0                 LISTENING       2352
      TCP    [::]:1030              [::]:0                 LISTENING       708
      TCP    [::]:2869              [::]:0                 LISTENING       4
      TCP    [::]:3389              [::]:0                 LISTENING       1400
      TCP    [::]:5357              [::]:0                 LISTENING       4
      UDP    0.0.0.0:123            *:*                                    1284
      UDP    0.0.0.0:500            *:*                                    1132
      UDP    0.0.0.0:3702           *:*                                    1284
      UDP    0.0.0.0:3702           *:*                                    1284
      UDP    0.0.0.0:4500           *:*                                    1132
      UDP    0.0.0.0:5355           *:*                                    1400
      UDP    0.0.0.0:23727          *:*                                    5660
      UDP    0.0.0.0:23728          *:*                                    5660
      UDP    0.0.0.0:49152          *:*                                    1284
      UDP    0.0.0.0:49158          *:*                                    1132
      UDP    0.0.0.0:52644          *:*                                    5660
      UDP    127.0.0.1:1900         *:*                                    1284
      UDP    127.0.0.1:49159        *:*                                    1132
      UDP    127.0.0.1:52645        *:*                                    5660
      UDP    127.0.0.1:53363        *:*                                    1284
      UDP    127.0.0.1:54454        *:*                                    5320
      UDP    127.0.0.1:61942        *:*                                    1108
      UDP    127.0.0.1:64553        *:*                                    1132
      UDP    127.0.0.1:64555        *:*                                    1108
      UDP    127.0.0.1:64556        *:*                                    2764
      UDP    [::]:123               *:*                                    1284
      UDP    [::]:500               *:*                                    1132
      UDP    [::]:3702              *:*                                    1284
      UDP    [::]:3702              *:*                                    1284
      UDP    [::]:49153             *:*                                    1284
      UDP    [::1]:1900             *:*                                    1284
      UDP    [::1]:53360            *:*                                    1284


    ===================================

    The concerned PIDs listening on ports 1025-1030 are (ordered by port):
    660, 1076, 1132, 740, 2352, 708

    ===================================

    /* This one is running on port 1025 */

    C:\Windows>tasklist /svc /fi "pid eq 660"

    Image Name                     PID Services
    ========================= ======== ============================================
    wininit.exe                    660 N/A


    /* This one is running on port 1026 */

    C:\Windows>tasklist /svc /fi "pid eq 1076"

    Image Name                     PID Services
    ========================= ======== ============================================
    svchost.exe                   1076 Audiosrv, Dhcp, Eventlog, lmhosts, wscsvc


    /* This one is running on port 1027 */

    C:\Windows>tasklist /svc /fi "pid eq 1132"

    Image Name                     PID Services
    ========================= ======== ============================================
    svchost.exe                   1132 AeLookupSvc, Appinfo, BITS, Browser,
                                       CertPropSvc, EapHost, gpsvc, IKEEXT,
                                       iphlpsvc, LanmanServer, MMCSS, ProfSvc,
                                       RasMan, Schedule, seclogon, SENS,
                                       SessionEnv, SharedAccess, ShellHWDetection,
                                       Themes, Winmgmt, wuauserv



    /* This one is running on port 1028 */
    C:\Windows>tasklist /svc /fi "pid eq 740"

    Image Name                     PID Services
    ========================= ======== ============================================
    lsass.exe                      740 KeyIso, SamSs



    /* This one is running on port 1029 */
    C:\Windows>tasklist /svc /fi "pid eq 2352"

    Image Name                     PID Services
    ========================= ======== ============================================
    svchost.exe                   2352 PolicyAgent



    /* This one is running on port 1030 */

    C:\Windows>tasklist /svc /fi "pid eq 708"

    Image Name                     PID Services
    ========================= ======== ============================================
    services.exe                   708 N/A

    Thursday, November 13, 2008 2:59 AM
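The port-to-PID-to-service mapping done by hand in the post above (and the `netstat -abno` listing in the original question) can be automated. What follows is an added example, not code from the thread or from Microsoft: it parses the text of `netstat -a -n -o` and `tasklist /svc`, joins them on PID, and flags every listener bound to all interfaces (0.0.0.0 or [::]) on a port below 49152, which is where Vista's default dynamic port range begins, so the 1025-1030 listeners stand out from the 49152+ ones. Both sample texts are constructed from the output pasted in the thread (English column headers assumed); the `Listener` type, the `triage` function, the "?" marker for PIDs missing from tasklist and the 49152 cut-off are this example's own assumptions.

```python
"""Join `netstat -a -n -o` with `tasklist /svc` and flag reachable listeners.

Added example, not code from the thread or from Microsoft. It assumes the
English column layout of both tools; both samples are constructed from the
output pasted in the thread.
"""
import re
from dataclasses import dataclass, field

DYNAMIC_PORT_START = 49152         # Vista default dynamic range start (assumption used for the flag)
ANY_ADDRESS = {"0.0.0.0", "[::]"}  # bound on every interface: a remote scanner can reach it

NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
TASKLIST_LINE = re.compile(r"^(\S.*?)\s+(\d+)\s+(\S.*)$")  # "image  PID  services"

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       660
  TCP    0.0.0.0:1027           0.0.0.0:0              LISTENING       1132
  TCP    127.0.0.1:1042         127.0.0.1:1043         ESTABLISHED     1456
  TCP    [::]:1025              [::]:0                 LISTENING       660
  UDP    0.0.0.0:500            *:*                                    1132
  UDP    0.0.0.0:49152          *:*                                    1284
  UDP    127.0.0.1:1900         *:*                                    1284
"""

TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
wininit.exe                    660 N/A
svchost.exe                   1132 AeLookupSvc, Appinfo, BITS, Browser,
                                   CertPropSvc, EapHost, gpsvc, IKEEXT,
                                   iphlpsvc, LanmanServer, Schedule, wuauserv
"""


@dataclass
class Listener:
    proto: str
    host: str
    port: int
    pid: int
    image: str = "?"                         # "?" when the PID is absent from the tasklist output
    services: list = field(default_factory=list)
    flag: str = ""


def parse_netstat(text):
    """Yield a Listener for every LISTENING TCP socket and every UDP socket."""
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        proto, local, _foreign, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue                         # established sockets are not listeners
        host, _, port = local.rpartition(":")
        yield Listener(proto, host, int(port), int(pid))


def _split_services(s):
    return [x.strip() for x in s.split(",") if x.strip() and x.strip() != "N/A"]


def parse_tasklist(text):
    """Return {pid: (image, [services])}; wrapped service lines are folded into the row above."""
    procs, last = {}, None
    for line in text.splitlines():
        m = TASKLIST_LINE.match(line)
        if m:
            last = int(m.group(2))
            procs[last] = (m.group(1), _split_services(m.group(3)))
        elif last is not None and line.startswith(" ") and line.strip():
            procs[last][1].extend(_split_services(line))
    return procs


def classify(listener):
    if listener.host not in ANY_ADDRESS:
        return "local-only"                  # loopback: invisible to ShieldsUp or any remote scan
    if listener.port >= DYNAMIC_PORT_START:
        return "dynamic-range"               # where Vista's RPC endpoints normally land
    return "below-dynamic-range"             # fixed service port, or a legacy 1025+ ephemeral port


def triage(netstat_text, tasklist_text):
    """Join both outputs on PID and return the listeners sorted by protocol, port and address."""
    procs = parse_tasklist(tasklist_text)
    rows = []
    for lst in parse_netstat(netstat_text):
        image, services = procs.get(lst.pid, ("?", []))
        lst.image, lst.services, lst.flag = image, list(services), classify(lst)
        rows.append(lst)
    return sorted(rows, key=lambda r: (r.proto, r.port, r.host))


if __name__ == "__main__":
    for r in triage(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"{r.proto} {r.host}:{r.port:<6} pid {r.pid:<5} {r.image:<12} "
              f"[{r.flag}] {', '.join(r.services) or '-'}")
```

To use it on the affected machine, replace the two sample strings with the real `netstat -a -n -o` and `tasklist /svc` output (run from an elevated prompt so the PID column is populated). Two caveats worth keeping in mind when reading the report: a socket that netstat shows as LISTENING is not necessarily open from outside, because the host firewall sits in front of it, which is why a ShieldsUp result and a netstat listing can disagree; and the range a Vista machine actually hands out can be shown with `netsh int ipv4 show dynamicport tcp` (the default start is 49152), which is a quicker first check than comparing two machines' netstat output by eye.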