Svchost and Svchost.exe - Crashes, CPU maximization, viruses, exploits and more

6/12/2009 01:30:00 AM

Many people are seeing svchost.exe crash, and the number of reports is actually quite remarkable. Unfortunately there’s no single point of reference for svchost related problems. Rather than answering one single question I’ll try to cover a theme that can best be summed up as:

What’s The Deal with SVCHOST?

Symptoms
Do any of these symptoms sound familiar?

· Your system becomes sluggish and you find that something called svchost or dllhost is taking nearly 100% of your CPU.

· Your system reports that svchost has performed an illegal operation and will be terminated. After that various things fail to work properly, if at all.

· After you log in, your system automatically reboots in one minute.

If so, then it’s almost certain that you either have a virus or your system is currently vulnerable to a particular type of exploit known as the “RPC buffer overflow”. We’ll look at addressing both.

But just what is svchost?
Let me tell you what it is not: On Windows XP, 2000, and 2003, svchost is not a virus. On those systems svchost is a required system component. If you happen to successfully delete it, your system will not run. You’ll be much worse off than before.

Do not delete svchost.exe. Don’t even think about it. [Important: do not confuse svchost, which we are discussing here, with scvhost, which has two letters transposed. They are not the same thing. The presence of scvhost may indicate a virus.]

Svchost, which is short for “service host”, is a core part of the operating system that hosts many of the required services that make up Windows. You can see all the copies of svchost and what services they are running by typing “tasklist /svc” in a command window. If you don’t have tasklist, or just prefer not to use the command shell, you can use SysInternals Process Explorer instead. On my machine one copy of svchost is responsible for 30 separate services, another is hosting 4, and the remaining 3 host one service apiece.
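An added example, not from the original article: this script parses the output of “tasklist /svc /fo csv” to show how many services each copy of svchost hosts, and flags process names that are one letter away from svchost.exe (such as the scvhost transposition mentioned above). The process list below is constructed for illustration, not captured from a real machine.

```python
import csv
import io

# Constructed sample of `tasklist /svc /fo csv` output (not a real capture):
# one svchost hosting many services and one lookalike named scvhost.exe.
SAMPLE_TASKLIST_CSV = '''"Image Name","PID","Services"
"System","4","N/A"
"svchost.exe","840","DcomLaunch,PlugPlay"
"svchost.exe","1040","RpcSs"
"svchost.exe","1120","AudioSrv,Browser,CryptSvc,Dhcp,EventSystem,Netman,Nla,Schedule,W32Time,winmgmt"
"svchost.exe","1180","Dnscache"
"scvhost.exe","1964","N/A"
"explorer.exe","2012","N/A"
'''

def parse_tasklist_csv(text):
    """Return one dict per process: image name, PID (int) and hosted services."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        svc = rec["Services"]
        services = [] if svc == "N/A" else svc.split(",")
        rows.append({"image": rec["Image Name"], "pid": int(rec["PID"]),
                     "services": services})
    return rows

def is_svchost_lookalike(image):
    """True when a name differs from svchost.exe by one substituted letter or
    one pair of transposed adjacent letters (e.g. scvhost.exe); svchost.exe
    itself and names of a different length are not flagged."""
    name, target = image.lower(), "svchost.exe"
    if name == target or len(name) != len(target):
        return False
    diffs = [i for i, (a, b) in enumerate(zip(name, target)) if a != b]
    if len(diffs) == 1:
        return True
    if len(diffs) == 2 and diffs[1] == diffs[0] + 1:
        i = diffs[0]
        return name[i] == target[i + 1] and name[i + 1] == target[i]
    return False

def svchost_report(rows):
    """Map each genuine svchost PID to its services, list lookalike names, and
    note any svchost copy hosting no service at all (unusual on a healthy box)."""
    hosted = {r["pid"]: r["services"] for r in rows if r["image"].lower() == "svchost.exe"}
    lookalikes = [(r["image"], r["pid"]) for r in rows if is_svchost_lookalike(r["image"])]
    empty = [pid for pid, s in hosted.items() if not s]
    return {"hosted": hosted, "lookalikes": lookalikes, "empty_svchost": empty}

if __name__ == "__main__":
    report = svchost_report(parse_tasklist_csv(SAMPLE_TASKLIST_CSV))
    for pid, services in sorted(report["hosted"].items()):
        print(f"svchost PID {pid}: {len(services)} service(s): {', '.join(services)}")
    for image, pid in report["lookalikes"]:
        print(f"WARNING: {image} (PID {pid}) is not svchost.exe; scan this machine")
```

On a real machine, feed it the saved output of “tasklist /svc /fo csv” instead of the sample text.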

What about this “RPC” thing that has vulnerabilities?
Same story. RPC, for Remote Procedure Call, is a core operating system service. Windows won’t run without it. If you happen to successfully disable it, you’re in deep trouble.

Do not disable the RPC service. Don’t even think about it.

So what do you do?

First we have to understand that there are two possible problems:

· You could be infected with a virus.

· You could be under “attack” from an outside source attempting to exploit the RPC vulnerability.

It’ll do you no good to get things all cleaned up only to get hit again the moment you connect to the internet, so we’ll deal with the second point first.

Block the Vulnerability
The very first thing we have to do is plug the vulnerability. This will prevent some forms of re-infection as well as some forms of attack, both of which can cause the problems we’ve been talking about.

If you’re running Windows XP, you can turn on the Internet Connection Firewall. In Control Panel, select Network Connections, select the connection that corresponds to your internet connection, right click on that and select Properties, select the Advanced tab, and make sure that “Protect my computer and network by limiting or preventing access to this computer from the Internet” is checked.

If you’re running behind a NAT router you’re probably already safe, but make sure that ports 135, 139 and 445 are not being forwarded to any computer on your network.

If you have some other kind of firewall ensure that those same ports are blocked.

Update Your System
Install all of the latest service packs and patches. For Windows 2000, that means getting the latest service pack, as well as any additional patches. For Windows XP it likewise means getting the latest service pack and any additional patches. (Note: if you’ve installed Windows XP Service Pack 1, Microsoft now recommends installing Service Pack 1a, which corrects a couple of problems.) The whole process can be simplified to this: visit Windows Update, let it analyze your system, and then download and install all the updates suggested.

The single, most important update relating to our svchost / rpc problem is this one: A Buffer Overrun in RPCSS Could Allow an Attacker to Run Malicious Programs. Make certain that the patches listed there have been installed.

You’re not done.

Scan for Viruses
To put it more completely: update your virus signatures to the latest available and then scan for viruses. In fact, experience shows that not all virus scanners catch all viruses, so it would be in your best interest to use a second virus scanner as well.

You may not have a virus. But you may have contracted one as a result of the vulnerability.

There are several viruses that may result from this vulnerability. Some cannot be removed by a virus scanner’s traditional mechanisms. If that happens to you then you’ll need to download a special tool to remove that particular virus. Take the name of the virus identified by your scanner, visit the Symantec Anti-Virus Center, and search on that virus. Chances are that if there’s a tool to remove the virus, they have it.

Scan for Spyware
There is anecdotal evidence that Spyware can also be associated with svchost related problems. Even if that’s not accurate, it’s a good idea to scan regularly anyway. Grab a copy of a tool such as Spybot Search and Destroy, or Ad-Aware.

Notes:

Note 1: Windows 95, 98 and Me users: most of this article does not apply to you at all. You shouldn’t be seeing the symptoms described here. If you do, or if you find svchost.exe on your machine then you likely have a virus and should scan and clean immediately.

Note 2: If you’ve already disabled the RPC service then Black Viper has a possible way to restore it. He also has instructions for stopping the 60 second shutdown.

Note 3: If you have a firewall such as ZoneAlarm, it may ask if it’s ok for svchost to access the internet. It’s probably ok to allow it. There is at least one legitimate service that svchost supports that does need to access the internet: the time service. It connects to time servers on the internet to ensure your clock is correct.
