A System Service Runs in Svchost.exe and Cannot Be Added to the Exceptions List

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You see this behavior when you need to add a service to the exceptions list, but the service runs inside a shared Svchost.exe host process rather than in its own executable (.exe) file that you could add as a program exception.

Cause

Most system services run within Svchost.exe, and several services usually share a single Svchost.exe process. It is not recommended that you add Svchost.exe to the exceptions list. A program exception applies to every instance of that executable, so doing so would allow any service running within any Svchost.exe process to receive unsolicited incoming traffic through Windows Firewall, not only the service you intended to expose.

Solution

If the service uses one or more fixed ports, you might be able to add the ports to the exceptions list. You can use the netstat and tasklist commands to determine whether a service uses fixed ports. First, run tasklist to identify the process identifier (PID) of the Svchost.exe process in which the service is running. Then, run netstat to determine which ports that Svchost.exe process has open. Because Svchost.exe PIDs change between restarts, always look the PID up again by service name rather than reusing a PID from an earlier boot. Restart the computer several times and repeat both procedures after each restart to verify that the service is assigned the same ports every time.

To determine the process identifier for a service

  1. At the command line, type tasklist /svc, and press ENTER.

  2. In the output, find the Svchost.exe entry whose Services column lists the service, and note its PID.

To determine which ports a process is using

  1. At the command line, type netstat -a -o -n, and press ENTER.

  2. Find the rows whose PID column matches that PID, and note the protocol (TCP or UDP) and the port number that follows the last colon in the Local Address column. For TCP, only rows in the LISTENING state represent ports that accept incoming connections; UDP rows have no State column.

If, after restarting your computer several times, you determine that the same ports are used each time by the Svchost.exe process that hosts the service, try adding those ports to the exceptions list.

To add a port to the exceptions list

  1. Open Windows Firewall, and then click the Exceptions tab.

  2. Click Add Port.

  3. In Name, type a friendly name for the port exception.

  4. In Port number, type the port number used by the service.

  5. Click either TCP or UDP to specify the type of port that corresponds to your port number.

  6. Where possible, click Change scope and limit the exception to your local subnet or to specific addresses, and then click OK.
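The two procedures above, combined into one script that can be run after each restart, as an added example that is not part of the original article. It runs tasklist /svc and netstat -a -n -o, correlates them by service name rather than by PID (because the Svchost.exe PID changes between boots), appends the result to a log keyed by boot time, intersects the port sets across every recorded boot, and prints the equivalent netsh firewall commands for the ports that were stable. It assumes Windows Server 2003 with Windows Firewall and a PowerShell installation on the server; the service name RpcSs and the log file path are placeholders.

```powershell
# Added example (not from the original article). Assumes Windows Server 2003
# with Windows Firewall and PowerShell installed; the service name and the log
# path are placeholders.
param([string]$ServiceName = "RpcSs")

# Hypothetical log file: one line per boot, tab-separated <boot time> <ports>.
$Log = Join-Path $env:SystemDrive ("svchost-ports-{0}.txt" -f $ServiceName)

# 1. tasklist /svc: every svchost.exe PID whose Services column names the service.
#    PIDs change between restarts, so this lookup is repeated on every boot.
$hostPids = @(tasklist /svc /fo csv | ConvertFrom-Csv |
    Where-Object {
        $_.'Image Name' -eq 'svchost.exe' -and
        (($_.Services -split ',') | ForEach-Object { $_.Trim() }) -contains $ServiceName
    } |
    ForEach-Object { [int]$_.PID })

if ($hostPids.Count -eq 0) { throw "Service '$ServiceName' is not hosted in any svchost.exe" }

# 2. netstat -a -n -o: TCP sockets in LISTENING state and all UDP sockets owned by those PIDs.
#    Columns: Proto, Local Address, Foreign Address, [State], PID (UDP rows have no State).
$ports = netstat -a -n -o | ForEach-Object {
    $f = $_.Trim() -split '\s+'
    if ($f.Count -lt 4 -or ($f[0] -ne 'TCP' -and $f[0] -ne 'UDP')) { return }
    $owner = [int]$f[-1]
    if ($hostPids -notcontains $owner) { return }
    $local = $f[1]
    $port  = $local.Substring($local.LastIndexOf(':') + 1)   # works for 0.0.0.0:port and [::]:port
    if ($f[0] -eq 'UDP' -or $f[3] -eq 'LISTENING') { '{0}/{1}' -f $f[0], $port }
} | Sort-Object -Unique

# 3. Record this boot's result, then intersect the port sets of every boot recorded so far.
$boot = (Get-WmiObject Win32_OperatingSystem).LastBootUpTime
Add-Content -Path $Log -Value ("{0}`t{1}" -f $boot, ($ports -join ','))

$runs = New-Object System.Collections.ArrayList
foreach ($line in Get-Content $Log) {
    [void]$runs.Add(@(($line -split "`t")[1] -split ',' | Where-Object { $_ }))
}
$stable = $runs[0]
foreach ($r in $runs) { $stable = @($stable | Where-Object { $r -contains $_ }) }

'Service {0}: {1} boot(s) recorded; ports seen on every boot: {2}' -f $ServiceName, $runs.Count, ($stable -join ', ')

# 4. One netsh command per stable port. netsh firewall add portopening takes a single port per
#    call; scope=SUBNET restricts the exception to the local subnet (widen only if needed).
#    These are printed, not executed, so they can be reviewed before the exceptions are created.
foreach ($p in $stable) {
    $proto, $port = $p -split '/'
    'netsh firewall add portopening protocol={0} port={1} name="{2} {0} {1}" mode=ENABLE scope=SUBNET' -f $proto, $port, $ServiceName
}
```

Run the script once per boot for several reboots; the printed netsh commands are the command-line equivalent of the Add Port dialog and should be applied only once the "ports seen on every boot" list has stopped shrinking. A port that appears in some boots but not others is being allocated dynamically and belongs under the RPC endpoint mapper approach described next, not in a per-port exception.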

Important

Adding a port to the exceptions list can lessen the security of your computer because the port will be open any time the computer is running. You should add ports to the exceptions list only when it is not possible to add a program to the exceptions list.

If the service does not use fixed ports, but instead uses the RPC endpoint mapper (EPM) to allocate ports dynamically, you might be able to restrict the range of ports that RPC allocates and then add the ports in that range (together with the EPM port itself, TCP 135) to the exceptions list. For more information about defining the range of ports that RPC assigns, see How to Configure RPC Dynamic Port Allocation to Work with Firewalls in the Microsoft Knowledge Base.
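The RPC range approach, as an added example that is not part of the original article or of the Knowledge Base article it cites. It writes the registry values under HKLM\SOFTWARE\Microsoft\Rpc\Internet that restrict RPC dynamic port allocation (Ports, PortsInternetAvailable and UseInternetPorts, as documented in that KB article), then opens TCP 135 and every port in the range through netsh. It assumes Windows Server 2003 with Windows Firewall, PowerShell and an administrative session; the range 5000-5100 is an illustrative placeholder, and the new range takes effect only after a restart.

```powershell
# Added example (not from the original article or the cited KB article).
# Assumes Windows Server 2003 with Windows Firewall, PowerShell and an administrative
# session. The range below is a placeholder; size it for the server's actual RPC load.
$RangeStart = 5000
$RangeEnd   = 5100

# Registry values that restrict RPC dynamic port allocation, as documented in the
# KB article cited above. RPC reads them only at service startup, so reboot afterwards.
$key = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
New-ItemProperty -Path $key -Name Ports                  -PropertyType MultiString -Value @("$RangeStart-$RangeEnd") -Force | Out-Null
New-ItemProperty -Path $key -Name PortsInternetAvailable -PropertyType String      -Value 'Y' -Force | Out-Null
New-ItemProperty -Path $key -Name UseInternetPorts       -PropertyType String      -Value 'Y' -Force | Out-Null

# Firewall side: the endpoint mapper (TCP 135) plus every port in the range. netsh accepts one
# port per call, so a 101-port range costs 102 exceptions; that is the exposure the Important
# note warns about. scope=SUBNET keeps each exception limited to the local subnet.
netsh firewall add portopening protocol=TCP port=135 name=RPC_EPM mode=ENABLE scope=SUBNET
foreach ($port in $RangeStart..$RangeEnd) {
    netsh firewall add portopening protocol=TCP port=$port name=RPC_dynamic_$port mode=ENABLE scope=SUBNET
}

# Verify what was created before relying on it.
netsh firewall show portopening
```

Keep the range as small as the server's RPC load allows: every port in it is open whenever the computer is running, whether or not an RPC server is currently bound to it. After the restart, rerun the fixed-port check from the previous section against the service to confirm that its dynamically allocated ports now fall inside the configured range.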

Important

Adding numerous ports to the exceptions list lessens the security of your computer and can increase the risk of attack. You should open numerous ports only as a last resort.