Windows – way to determine which service (in svchost.exe) does an outgoing connection

Tags: connection, firewall, services, svchost, windows

I'm redoing my firewall configuration with more restrictive policies and I would like to determine the provenance (and/or destination) of some outgoing connections.

I have an issue because they come from svchost.exe and go to web content/application delivery providers – or similar:

5 IP in range: 82.96.58.0 - 82.96.58.255      --> Akamai Technologies         akamaitechnologies.com
3 IP in range: 93.150.110.0 - 93.158.111.255  --> Akamai Technologies         akamaitechnologies.com
2 IP in range: 87.248.194.0 - 87.248.223.255  --> LLNW Europe 2               llnw.net
205.234.175.175                               --> CacheNetworks, Inc.         cachefly.net
188.121.36.239                                --> Go Daddy Netherlands B.V.   secureserver.net

So is it possible to know which service does a particular connection? Or what's your recommendation about the rules applied to these ones?

(Comodo Firewall & Windows 7)

Update:

netstat -ano & tasklist /svc help me a little, but there are many services in one svchost.exe so it's still an issue. Moreover, the service names returned by "tasklist /svc" are not easily readable.

(All the connections are HTTP (port 80) but I don't think it's relevant)
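One way to make the netstat -ano / tasklist /svc approach from the update readable, as an added example that is not from the question or the answer: it joins netstat's PID column with the Win32_Service table so every established svchost.exe connection is listed next to the display names of all services hosted in that PID. Assumes Windows PowerShell 2.0 or later (Win32_Service via WMI works on Windows 7); the variable and function names are the example's own.

```powershell
# Added example: map each established svchost.exe connection to the services
# living in that PID, with readable display names. A PID that hosts several
# services is still ambiguous; the list only narrows the candidates before the
# Process Explorer TCP/IP stack check.

# All services that are currently running (ProcessId > 0), with display names
$services = Get-WmiObject Win32_Service | Where-Object { $_.ProcessId -gt 0 }

# Parse netstat -ano TCP lines: Proto, Local, Foreign, State, PID
$connections = netstat -ano | Select-String -Pattern '^\s*TCP\s' | ForEach-Object {
    $f = $_.Line.Trim() -split '\s+'
    New-Object PSObject -Property @{
        Proto     = $f[0]
        Local     = $f[1]
        Remote    = $f[2]
        State     = $f[3]
        OwnerPid  = [int]$f[4]
    }
}

# Group established connections by PID, keeping only svchost.exe owners
# ($pid is a PowerShell automatic variable, so a different name is used)
$byPid = @{}
foreach ($c in ($connections | Where-Object { $_.State -eq 'ESTABLISHED' })) {
    $proc = Get-Process -Id $c.OwnerPid -ErrorAction SilentlyContinue
    if ($proc -and $proc.ProcessName -eq 'svchost') {
        if (-not $byPid.ContainsKey($c.OwnerPid)) { $byPid[$c.OwnerPid] = @() }
        $byPid[$c.OwnerPid] += $c
    }
}

foreach ($svcPid in $byPid.Keys) {
    # @() so .Count is valid even when a single service matches (PowerShell 2.0)
    $hosted = @($services | Where-Object { $_.ProcessId -eq $svcPid })
    Write-Host "svchost.exe PID $svcPid hosts $($hosted.Count) service(s):"
    foreach ($s in $hosted) {
        Write-Host ("  {0,-28} {1}" -f $s.Name, $s.DisplayName)
    }
    foreach ($c in $byPid[$svcPid]) {
        Write-Host ("  -> {0} {1} -> {2}" -f $c.Proto, $c.Local, $c.Remote)
    }
    if ($hosted.Count -gt 1) {
        Write-Host "  (several services share this PID: confirm with the Process Explorer stack trace)"
    }
}
```

On Windows 10 version 1703 and later, machines with more than 3.5 GB of RAM run most services in their own svchost.exe instance, so the PID alone usually identifies the service and the ambiguity above largely disappears.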

Best Answer

SysInternals Process Explorer can do this for you.

Open the process properties of the svchost.exe instance you are trying to analyze. Click on the TCP/IP tab. Double click on the connection you are wanting to discover to bring up a stack trace of the connection. You should be able to trace the stack back to the DLL that implements the service. Here is an excerpt from the help file on the topic of Process Properties:

TCP/IP:

Any active TCP and UDP endpoints owned by the process are shown on this page.

On Windows XP SP2 and higher this page includes a Stack button that opens a dialog that shows the stack of the thread that opened the selected endpoint at the time of the open. This is useful for identifying the purpose of endpoints in the System process and Svchost processes because the stack will include the name of the driver or service that is responsible for the endpoint.

Also on Configuring Symbols

Configure Symbols: on Windows NT and higher, if you want Process Explorer to resolve addresses for thread start addresses in the threads tab of the process properties dialog and the thread stack window then configure symbols by first downloading the Debugging Tools for Windows package from Microsoft's web site and installing it in its default directory. Open the Configure Symbols dialog and specify the path to the dbghelp.dll that's in the Debugging Tools directory and have the symbol engine download symbols on demand from Microsoft to a directory on your disk by entering a symbol server string for the symbol path. For example, to have symbols download to the c:\symbols directory you would enter this string:

srv*c:\symbols*http://msdl.microsoft.com/download/symbols

Note: You may need to run Process Explorer as administrator to be able to see the thread's stack.
