
Workstation SVCHOST.EXE process believed to be corrupting HTTP traffic


Madhits45

Dexter, not sure why tcpdump won't work. I am using it on my NON-nlited system and it does the same thing. I can't find info online about this app so it's no biggie.

In any case I think I have uncovered another layer to this mess. I found that when I kill a specific svchost.exe process that is run by the network it has the most effect on the port 80 traffic. What I figured out this morning is that process is one of the services. I traced it back to the Workstation service. Whenever I kill the svchost.exe (AKA Workstation) I get responses. However, then my connection is lost. So this is no good. But Workstation is working overtime when it does not need to.

So this means the problem is in Workstation. So nLite is messing up that service somehow.

Nuhi, what do you know about the Workstation service related to 802.11 ARP traffic corruption? That's our problem.

I also shut down the DHCP svchost and the Wireless Zero Config svchost, but both had little or no effect on the web pages. Wish there was a way to figure out which svchost was which service without trial and error.

Edited by Madhits45


Quite possible, indeed. I think the differences are caused by the fact that you're running nlited XP and I'm running nlited Server, and the svchost builds are quite different (there are a few years between them). Perhaps nLite alters some registry settings related to it. I might be able to discover them by running a full system diff comparison in a controlled environment, but it would take me almost a week and a lot of nerves, so this would be the last resort.


Dexter...

Try this:

Go here: http://www.mvps.org/winhelp2002/services.htm

Then turn on PID in Processes to see which process maps to which svchost.exe. Then you can see which one specifically has the issue. I am going to run a few tests using this method and prove that Workstation is causing the problem. The only other possibility is that it's a dependent service of Workstation.

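The "which svchost is which service" question in the post above (and the dependent-service angle) can be answered without trial and error. The following is an added PowerShell example, not code from this thread or from any poster here. It assumes Windows PowerShell with WMI access and the standard service names (LanmanWorkstation for Workstation, Dhcp, Dnscache, and WZCSVC for XP-era Wireless Zero Configuration); the image-path check is my addition, since a process merely named svchost.exe outside System32 is something to rule out before blaming a Windows service.

```powershell
# Added example, not code from the thread. Maps every svchost.exe PID to the
# services it hosts (the same data as `tasklist /svc`), then shows where the
# Workstation service (LanmanWorkstation) runs and what depends on it.
# Requires Windows PowerShell (Get-WmiObject); run elevated so Path is readable.

$systemRoot = $env:SystemRoot
$realSvchost = Join-Path $systemRoot 'System32\svchost.exe'

# Build a lookup: ProcessId -> list of service names hosted in that process.
$services = Get-WmiObject -Class Win32_Service | Where-Object { $_.ProcessId -ne 0 }
$byPid = @{}
foreach ($s in $services) {
    $key = [int]$s.ProcessId
    if (-not $byPid.ContainsKey($key)) { $byPid[$key] = @() }
    $byPid[$key] += $s.Name
}

# One line per svchost.exe instance with the services it hosts. A genuine
# svchost.exe is always %SystemRoot%\System32\svchost.exe; anything else
# carrying that name is flagged for a closer look.
foreach ($proc in (Get-Process -Name svchost | Sort-Object Id)) {
    $hosted = if ($byPid.ContainsKey($proc.Id)) { $byPid[$proc.Id] -join ', ' } else { '(no services found)' }
    $path = try { $proc.Path } catch { $null }   # Path can be unreadable for protected processes
    $flag = if ($path -and ($path -ine $realSvchost)) { '  <-- unexpected image path: ' + $path } else { '' }
    '{0,6}  {1}{2}' -f $proc.Id, $hosted, $flag
}

# Where does Workstation live, and what would break if it were stopped?
$ws    = Get-Service -Name LanmanWorkstation
$wsWmi = Get-WmiObject -Class Win32_Service -Filter "Name='LanmanWorkstation'"
'Workstation: PID {0}, state {1}, start mode {2}' -f $wsWmi.ProcessId, $wsWmi.State, $wsWmi.StartMode
'Workstation depends on:            ' + (($ws.ServicesDependedOn | ForEach-Object { $_.Name }) -join ', ')
'Services depending on Workstation: ' + (($ws.DependentServices  | ForEach-Object { $_.Name }) -join ', ')

# The other services named in the thread, for comparison. WZCSVC is the XP-era
# name of Wireless Zero Configuration and does not exist on newer Windows.
foreach ($name in 'Dhcp', 'Dnscache', 'WZCSVC') {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if ($svc) { '{0,-10} PID {1,6}  {2}' -f $name, $svc.ProcessId, $svc.State }
    else      { '{0,-10} not installed' -f $name }
}
```

On a stock XP box without PowerShell, `tasklist /svc` gives the same PID-to-service mapping from the command prompt and `sc qc LanmanWorkstation` lists the services Workstation depends on, so the same reasoning can be done with built-in tools. Knowing which PID hosts which services also lets you match a busy svchost.exe in Task Manager to a specific service before stopping anything, rather than killing processes and watching what breaks.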

I am going to run a few tests using this method and prove that Workstation is causing the problem. The only other possibility is that it's a dependent service of Workstation.

Would these help you?

[Screenshot: Processes]

[Screenshot: Running services]

[Screenshot: My network stack, one of these keeps feeding me the ARP packets]

(either PID 1820 or 1872, not sure yet)

As you can see, there is traffic on port 1642, and I have no idea what it is (spotted this a long time ago, as I am a security freak and like to see everything that happens on my computers at any moment). Note that this amount of concurrent connections would most likely choke due to the constant ARP who-has packets that occur, so for less powerful hardware this may lead to system slow-down (similar to flooding) or periodic freeze times. Similar stress conditions on 10/100 Mbps Ethernet are bound to cause these symptoms. Did you try running 3-4 hundred TCP/IP connections at a time to see how XP handles the stress?

Edited by dexter.inside

Interesting findings. How can I create 3-4 hundred TCP/IP connections in a short time for a test?

I noticed you have uTorrent running. What is so interesting is that when I get an established connection like a torrent downloading I do seem to be able to charge through the ARP packets and get some HTTP traffic to go through. My theory is, because I'm on wireless, if the connection can be utilized enough there is almost not enough bandwidth for this problem to occur. That's one thing I find really strange about this problem: its ability to take a back seat, so to speak. Weird, huh.

There is still a possibility that one of the other services holds the bug. Those being DHCP, DNS, Workstation or one of their dependencies. Whenever I have killed one of those I have seen responses to HTTP traffic requests. Mostly Workstation.

All that is needed for an internet connection is Workstation and DHCP. DNS is not really needed from what I know.

Dexter, do you have IM? What is your IM name on either AIM, Yahoo or ICQ?

Edited by Madhits45