
Thread: Major Problems with Program Control Access and Server Rights

  1. #1
    sarahlp Guest

    Major Problems with Program Control Access and Server Rights



    Hello: I am having a difficult time trying to understand why the Program Control is constantly changing certain programs' rights. Here is the problem(s) I'm having with XP Home. Thanks in advance for your advice.

    Generic Host Process:
    Keeps showing green check for Internet Server

    Internet Explorer:
    Shows Trusted Server and Send Mail

    Microsoft Management Console:
    Internet Access and Trusted Server Rights

    Microsoft Office Word:
    Internet Access and Send Mail

    Microsoft Works Task Launcher:
    Internet Access

    Userinit Logon Application, Windows NT Logon Application, Services and Controller App, Spooler SubSystem, TCP/IP Netstat Command: All these want Internet Access

    Windows Installer:
    Has green checks all the way across

    Zone Alarm Client:
    Has green checks all the way across

    Windows Explorer:
    Insists on Internet Access and Trusted Server Rights. I found 2 Instances of explorer.exe in C:\Windows and C:\Windows\system32\dllcache, but antivirus and antispyware did not find anything.

    I tried to close ports and vulnerabilities using WWDC.exe, but that only made me lose internet connectivity. I had to enable Netbios and restart my computer to get internet back.

    Restarted ZASS by deleting all files in Internet Logs (safe mode). That seemed to work for awhile until the changes reverted back as described above.

    Really don't know what else to do since scans show no problems to speak of:

    Active Connections

    Proto Local Address Foreign Address State PID
    TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING 904
    TCP 0.0.0.0:4230 0.0.0.0:0 LISTENING 1860
    TCP 0.0.0.0:4232 0.0.0.0:0 LISTENING 1860
    TCP 0.0.0.0:4236 0.0.0.0:0 LISTENING 1860
    TCP 0.0.0.0:4237 0.0.0.0:0 LISTENING 1860
    TCP 0.0.0.0:4238 0.0.0.0:0 LISTENING 1860
    TCP 0.0.0.0:4240 0.0.0.0:0 LISTENING 1860
    TCP 0.0.0.0:4242 0.0.0.0:0 LISTENING 1860
    TCP 127.0.0.1:10110 0.0.0.0:0 LISTENING 1336
    TCP 192.X:X:X::4230 207.68.173.76:80 CLOSE_WAIT 1860
    TCP 192.X:X:X::4232 199.93.33.126:80 CLOSE_WAIT 1860
    TCP 192.X:X:X::4236 209.170.117.11:80 ESTABLISHED 1860
    TCP 192.X:X:X::4237 207.68.178.239:80 CLOSE_WAIT 1860
    TCP 192.X:X:X::4238 207.68.178.239:80 CLOSE_WAIT 1860
    TCP 192.X:X:X::4240 207.68.178.153:80 CLOSE_WAIT 1860
    UDP 0.0.0.0:1026 *:* 832
    UDP 0.0.0.0:1032 *:* 832
    UDP 0.0.0.0:1106 *:* 832
    UDP 127.0.0.1:4229 *:* 1860
    UDP 127.0.0.1:4249 *:* 664

    Operating System:Windows XP Home Edition
    Software Version:6.0
    Product Name:ZoneAlarm Internet Security Suite

  2. #2
    Join Date
    Dec 2005
    Posts
    9,056

    Re: Major Problems with Program Control Access and Server Rights

    You probably have Smart Defense or Advisor enabled, the Alerts set to Medium or Low and maybe some misconfiguring somewhere.
    Set the alerts to high (it will bug you) and turn off the smart defense advisor and the alerts will show exactly what I will describe to you for the applications listed in your post.

    First the Generic Host Process or the svchost.exe and fixing a few things along the way while at the svchost.exe.
    This needs to thread in and out of the loopback (127.0.0.1) and the non route 0.0.0.0 and this needs to allow incoming connections from the DNS server(s) IP using the destination port 53 (UDP) or the DNS port.
    This also needs to have incoming connections from the DHCP server, where the connection is the remote port of 67 (UDP) or DHCP port and the PC's local port 68 (UDP) or the DHCP Client.

    If the DHCP and the DNS are not set as Trusted in the Zones and are set as Internet, then the ZA may change the svchost.exe to be allowed to accept incoming connections from the internet (or allow the internet server) to compensate for the shortcomings in the configuration.

    So just do this:

    Make sure your DNS and DHCP server IPs are in your Firewall's Trusted zone. Finding DNS and DHCP servers, etc.

    1. Go to Run and type in command and hit 'ok', and in the command then type in ipconfig /all then press the enter key. In the returned data list will be a line DNS and DHCP Servers with the IP address(es) listed out to the side. Make sure there is a space between the ipconfig and the /all, and the font is the same (no capitals).
    2. In ZA on your machine on the Firewall, open the Zones tab, click Add and then select IP Address. Make sure the Zone is set to Trusted. Add the DNS IP(s) .
    3. Click OK and Apply. Then do the same for the DHCP server.
    4. The loopback (127.0.0.1) must be listed as Trusted.
    5. The Generic Host Process (svchost.exe) as seen in the Zone Alarm's Program's list must have server rights for the Trusted Zone.
    Plus it must have both Trusted and Internet Access.

    [Once the DNS and DHCP and loopback are listed as trusted, there should be no more further need for the svchost.exe to have any internet server attempts or needs.]

    Extra help is found at Guru Hoov site for the DNS/DHCP.

    Now open the ZA | Program Control | Main | open the Advanced | in the Server Attempts section, under the Internet Zone check the "always deny the connection". This will prevent any new internet server for any application from being allowed by the ZA.

    Internet Explorer is correct. It needs the Trusted server for the internal connections of the PC - the loopback (127.0.0.1) and the non route (0.0.0.0) to be opened to each other and connect to each other.
    Mail rights are given since the Outlook and the Messenger are so deeply meshed into the windows browser, it is seen as needed to have Mail rights. How this is handled by you is a different story, but that is exactly what the ZA is seeing when it looks at the windows operating system.

    Microsoft Management Console or mmc.exe. Correct too. The trusted server is the same as the explanation for the Internet Explorer - just for the internal addresses of the PC. The internet access is often needed for updates (and a sneaky phone home by windows to MS).
    Just open up the Administrative tools and use the consoles or services and watch it want to call home. Also some times the mmc.exe is used on the local network and can require server for the local network (trusted) and the DHCP server.

    Microsoft Office Word. Probably needs internet for updates or working with internet files (open or save files) from web sites through the browser. I had thought it had a feature to send mail or print mail so I would assume it needs the Mail rights.

    Microsoft Works Task Launcher.. Maybe is used with a website and could be needed. Maybe needs internet access for updates. Maybe not after all.
    Try it with Ask for the internet access and see what happens. I doubt if anything would break if it was denied internet access.

    Userinit Logon Application, Windows NT Logon Application, Services and Controller App, Spooler SubSystem, TCP/IP Netstat Command..
    actually I think the TCP/IP Netstat Command is just command or cmd.exe and the arp.exe, nslookup.exe, tracert.exe, ping.exe, ipconfig.exe are separate applications. I could be wrong. But the command will need internet and trusted access for pinging, doing domain name lookups, and the tracerts and the kind all by UDP and by ICMP.
    Anyways, the spooler (I assume this is spoolsv.exe) only needs internet access if there is printing from a web site or server (even google maps likes to have the printer handy for printing out maps for the user). But for the most part the spooler does not need internet access and it is safer to keep it home.

    Now the userinit logon application or the userinit.exe and the windows nt logon application or the winlogon.exe and the Services and controller App or the services.exe all need internet access too.
    The directly seen observation would be when windows updates, these need to have internet access. But the ZA runs a little more deeper and it sees the userinit.exe, winlogon.exe and the services.exe as being "Parent Processes" when a "Child Process" attempts to connect to the internet.
    An example- the browser icon is clicked or opened in the Start menu - the three immediate processes involved are these three. These three are used to initiate the launch of the browser. Since these are the applications involved for opening an internet application, these are seen as parents to the child browser and as such need to be allowed internet rights too.
    Another example is use the ping in the command (ping google.com for example). It is not just the cmd.exe and the ping.exe which require internet and be allowed to use ICMP (Echo Request type 8 out and Echo Reply type 0 in) but also the winlogon, explorer and the userinit.
    Notice how I snuck in the explorer.exe as an example and this brings me to the Explorer issue of your post.

    There is only one explorer.exe to be concerned about and that is the C:\WINDOWS\explorer.exe and no others. If you look for the wmp.exe it is found in several places and it is only the WMP in the Program Files to be concerned about and no other. But the only legit explorer.exe that will require access is from the WINDOWS main directory and from no other location. The WMP is the very same issue- even though found in several places, it is only from the WMP file found in its directory folder in the Program files that will only attempt the network connections. Look around and you will see messenger, outlook and a few others duplicated in several places. Plus the other examples (besides the explorer.exe) of the same file from the windows directory found in various sub directories of the windows directory.
    This makes it easier for applications to access the needed files if they are present in folders that are not just their own usual location. Yes the explorer.exe needs trusted server not just for the usual internal connections but also often for accessing the DHCP server (so does the winlogon, services and the userinit, csrss, rundll32 and the lsass).

    Back to your list.

    Windows installer does like to accept connections in from associated servers when installation occurs and get needed certificates for the installer and its files. But myself, I just give it internet access and no internet server rights. This hasn't failed me yet.

    ZA Client does not need internet server. It might like to have it if the Check for updates are set to automatic and the AV/AS scanners are set to automatic updates, but I use the ZA Pro and the ZA AntiSpy and have the zlclient.exe set to stay at home. I haven't seen any ill effects yet. Probably safe with Ask and if there is no requests for Internet Server seen after a month or so, then change it to no internet server.

    Your netstat is ok - just the loopback, non route and the DHCP.
    But next time 'translate' the PID values as seen in the command by the PID values as seen in the Task Manager into the actual Image name (application) and it is easier to figure out what is happening.
    Also next time try this to see what is happening:
    1. Open the command.
    2. Type "netstat -b 5 > activity.txt" and press enter. Then run an application such as a browser or an updater, wait till it is finished, then press Ctrl+C.
    3. Type "activity.txt" on the command line to open the log file in the notepad.
    The file activity.txt will create a log of all process that made a connection to the various IPs.

    When you used the WWDC, you probably selected the RPC Locator and inadvertently disabled Remote Procedure Call (RPC). This is needed to get and keep a connection.
    The UPnP and the Messenger can be manually disabled in the Services.
    So can the SSDP Discovery Service and the Net.Tcp Port Sharing Service.

    Go here and follow the instructions for the Disable Netbios over TCP/IP to close some of the BIOS ports and the registry hacks to finish it off. The advice given at the markus jansson site is the shortcut for the advice given here and here, among others.
    For a good review of the windows services see here. The items in the Display Name column are linked for further descriptions.

    Sorry for the long winded reply, but there was a lot of ground to cover.

    Oldsod.

    Message Edited by Oldsod on 03-29-2008 06:02 AM
    Best regards.
    oldsod
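    The ipconfig /all step in Oldsod's list (find the DNS and DHCP server addresses, then add them and the loopback to the Trusted zone) can be automated for the reading part. The following Python script is an added example written for this thread, not code from ZoneAlarm or from either poster; it assumes the Windows XP ipconfig /all layout, where the field labels are "DNS Servers" and "DHCP Server" and extra DNS servers are printed on their own continuation lines, and it works on a constructed sample rather than a real machine's output. With several adapters, the values of all adapters are merged, which is the right thing for a Trusted-zone list but not for per-adapter troubleshooting.

```python
import re

# Constructed `ipconfig /all` output in the Windows XP layout. The host
# name, adapter, addresses and lease time are made up for this example.
IPCONFIG_SAMPLE = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : homepc
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : home.lan
        Description . . . . . . . . . . . : Example Ethernet Adapter
        Physical Address. . . . . . . . . : 00-11-22-33-44-55
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.23
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
                                            203.0.113.53
        Lease Obtained. . . . . . . . . . : Saturday, March 29, 2008 6:02:00 AM
"""

# "Label . . . . : value" lines. The label is taken non-greedily so that
# dotted leaders and a value containing colons (lease times) are handled.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z\- ]*?)[ .]*:\s*(.*)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_ipconfig(text):
    """Map each field label to the list of values printed for it.

    Continuation lines (an IPv4 address alone on a line, as ipconfig
    prints a second DNS server) are appended to the preceding field.
    """
    fields = {}
    current = None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            current = m.group(1).strip()
            value = m.group(2).strip()
            fields.setdefault(current, [])
            if value:
                fields[current].append(value)
        elif current and IPV4_RE.match(line.strip()):
            fields[current].append(line.strip())
    return fields


def trusted_zone_candidates(text):
    """Return the addresses Oldsod's steps put in the Trusted zone:
    the DNS servers, the DHCP server and the loopback address."""
    fields = parse_ipconfig(text)
    dns = [v for v in fields.get("DNS Servers", []) if IPV4_RE.match(v)]
    dhcp = [v for v in fields.get("DHCP Server", []) if IPV4_RE.match(v)]
    trusted = sorted(set(dns) | set(dhcp) | {"127.0.0.1"})
    return {"dns": dns, "dhcp": dhcp, "trusted": trusted}


if __name__ == "__main__":
    result = trusted_zone_candidates(IPCONFIG_SAMPLE)
    print("DNS servers :", ", ".join(result["dns"]))
    print("DHCP server :", ", ".join(result["dhcp"]))
    print("Add to Trusted zone:", ", ".join(result["trusted"]))
```

To use it on a real machine, save the output of ipconfig /all to a file and pass its contents to trusted_zone_candidates instead of the sample; the printed list is what goes into Firewall | Zones as Trusted, one IP address entry each.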

  3. #3
    sarahlp Guest

    Re: Major Problems with Program Control Access and Server Rights

    Oh, my word!! An angel has fallen from the sky
    I have printed your invaluable information and added it to my little black notebook...PC Help For Dummies.

    Sure I'm not too proud to admit it, but at the same time I always put to practice, after carefully reading and understanding, any and all advice that thoughtful people like you actually take the time to explain.
    Thank you for your time and patience which should never be taken for granted by anyone in these forums.
    Sorry, about the PID.
    I didn't know the procedure for printing that additional info.
    After sending my post, I did a few more netstats just to see if anything was awry.
    In the process, I got this info:

    UDP 127.0.0.1:1883 *:* 1912
    I spent another 20 minutes making sure it wasn't a mistake.
    My TaskManager did not show any PID 1912 at all; the closest thing to it was explorer.exe 1292. So, I'm still confused about that.
    I'm glad that I cut and pasted that info otherwise I would still be doubting myself!!

    Other than that, your solid information will be taken to heart and implemented on this end.
    Once again, thank you ever so much for you help and kindness.

  4. #4
    Join Date
    Dec 2005
    Posts
    9,056

    Re: Major Problems with Program Control Access and Server Rights

    You are very welcome, of course.

    Try a new netstat -ano listing when cross referencing the PIDs in the Task Manager. Make a new netstat for every new bootup for looking to see what is transpiring.

    You may be interested in something like TCPView which shows IPs, ports, protocol and application in a nice GUI (basically a GUI for netstat).
    Or maybe in Process Explorer v11.11 which has lots of details and information (check out the properties and all its possible settings and almost hidden nooks and crannies). Plus connections.

    Cheers and best regards.
    Oldsod.
    Best regards.
    oldsod
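    Two things in this thread are worth turning into a repeatable check: Oldsod's advice in post #2 to translate netstat PIDs into image names, and the cross-referencing of netstat -ano against the Task Manager in post #4, which is also where sarahlp's PID 1912 mystery comes from. The Python script below is an added example for this thread, not code from ZoneAlarm, TCPView or either poster. It assumes the text layouts of netstat -ano and of the tasklist command (which XP Home may not ship; the Task Manager's Processes tab gives the same PID and image pairs), and it runs on constructed samples that imitate the thread's listing. Besides joining PID to image name, it classifies each local address as loopback, bound to all interfaces, or bound to one interface, and it reports PIDs that have no process behind them, which is what you see when the process exits between the netstat snapshot and the task list; the fix for that is to take both snapshots together.

```python
import re

# Constructed `netstat -ano` output. PIDs and ports imitate the thread's
# listing; the remote address is from a documentation range, not real.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       904
  TCP    127.0.0.1:10110        0.0.0.0:0              LISTENING       1336
  TCP    192.168.1.23:4236      198.51.100.11:80       ESTABLISHED     1860
  UDP    0.0.0.0:1026           *:*                                    832
  UDP    127.0.0.1:1883         *:*                                    1912
"""

# Constructed `tasklist` output. PID 1912 is deliberately absent, as in
# sarahlp's post, to show how an orphaned PID is reported.
TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
System                           4 Console                    0        236 K
svchost.exe                    832 Console                    0      4,940 K
svchost.exe                    904 Console                    0      4,316 K
zlclient.exe                  1336 Console                    0     18,204 K
iexplore.exe                  1860 Console                    0     31,072 K
"""

# One tasklist row: image name (may contain spaces), PID, session name,
# session number, memory usage ending in " K".
TASK_RE = re.compile(r"^(.*?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")


def parse_netstat(text):
    """Return one dict per TCP/UDP row; UDP rows carry no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            proto, local, foreign, state, pid = parts[:5]
        else:
            proto, local, foreign, pid = parts[:4]
            state = ""
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": int(pid)})
    return rows


def parse_tasklist(text):
    """Map PID -> image name; header and separator lines do not match."""
    images = {}
    for line in text.splitlines():
        m = TASK_RE.match(line)
        if m:
            images[int(m.group(2))] = m.group(1)
    return images


def exposure(local_addr):
    """Classify where a socket is reachable from, by its local address."""
    host = local_addr.rsplit(":", 1)[0]
    if host in ("0.0.0.0", "[::]"):
        return "all interfaces"
    if host.startswith("127.") or host == "[::1]":
        return "loopback"
    return "one interface"


def correlate(netstat_text, tasklist_text):
    """Join netstat rows with image names and add the exposure class.
    image is None when no running process has that PID."""
    images = parse_tasklist(tasklist_text)
    return [dict(row, image=images.get(row["pid"]),
                 exposure=exposure(row["local"]))
            for row in parse_netstat(netstat_text)]


def unmatched_pids(records):
    """PIDs seen by netstat but absent from the task list."""
    return sorted({r["pid"] for r in records if r["image"] is None})


if __name__ == "__main__":
    records = correlate(NETSTAT_SAMPLE, TASKLIST_SAMPLE)
    for r in records:
        print(f"{r['proto']:<4} {r['local']:<22} {r['foreign']:<20} "
              f"{r['state']:<12} {r['pid']:>5} {r['image'] or '<no such PID>':<16} "
              f"{r['exposure']}")
    print("PIDs with no running process:", unmatched_pids(records))
```

On a real machine, run netstat -ano > net.txt and tasklist > tasks.txt back to back from the same command window and feed the two files to correlate; anything bound to all interfaces and owned by a program that should be "staying at home" is the row to look at first.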
