Windows XP - SECURITY, SERVICES & STARTUP!

USERS! : notes on Win XP Pro User and Mozilla Browser User setup
INVESTIGATE! : notes on system operations questions and issues. 

• Access this computer from the network  (LR)  * I have not included the Users and Everyone groups, a departure from listed defaults.  In addition, by including all the available groups in the setting for "Deny access to this computer from the network" ...
  
• Adjust memory quotas for a process - Removed LOCAL SERVICE and NETWORK SERVICE.
• Change the system time - Added LOCAL SERVICE and NETWORK SERVICE.
• Deny access to this computer from the network - The setting did NOT include the default groups.  I restored them.  But note that there is a discrepancy within the mcc help files as to what the default settings are.   The display in Understanding Local Security Policy (ULSP) shows 'No one' as the default; the display in User Rights Assignment (URA) shows Administrators, Power Users, Backup Operators, Users and Everyone.   I have added the URA listed groups the two users which were already listed: "SUPPORT_388945a0" and Guest.  I have had no idea where the SUPPORT_388945a0 user comes from, this is the first indication that such a user exists.  (I later found a reference to that user as a 'vendor supplied' user, in this case a MS preconfigured user.   Hmmm.)  May, 2004:  I found that user "SUPPORT_388945a0" is listed as the only user in the "HelpServicesGroup", the "Group for the Help and Support Center" [Computer Management > Local Users and Groups > Groups 
• Deny logon as a batch job - I added the SUPPORT_388945a0 user here.  Though the new entry formatted oddly at first, after a reboot of the machine, the format of the entry is normal.  The defaults in USLP and URA help are 'No one' and 'None'.   (I also removed this user from 'Logon as batch job').
  
• Generate Security Audits - There is a difference in defaults or terminology between 'help' at Understanding Local Security Policy and User Rights Assignment - ULSP refers to LOCAL SERVICE and NETWORK SERVICE as defaults, URA to 'Local System'.  I left the former assignments in place.
• Logon as batch job - I removed 'SUPPORT_388945a0' from the policy and added it to 'Deny logon as batch job'.
• Log on as a service - This policy setting was set to permit the 'NETWORK SERVICE' to register a process as a service, while the default is none.  I removed  the NETWORK SERVICE listing.
• Profile a single process - another slight discrepancy between ULSP & URA, with ULSP listing Administrators and Power Users and URA listing Administrators and 'Local system'.   I used the ULSP settings.
  
• Remove computer from docking station - Should be disabled by URA default, and though relevant to portables, is irrelevant to this machine.  I removed all user groups from the policy authority list, even though they are listed in the ULSP defaults. 
  
• 'Replace process level token' included authority for 'NETWORK SERVICE' , which is listed in the ULSP defaults, though only 'Local System' is listed in URA.  Though it seems the NETWORK SERVICE would be irrelevant to a stand alone client machine, and I earlier had removed it, I have now restored it. 
  

• Accounts: Rename administrator account - default Administrator name has been changed.
• Accounts: Rename guest account - default Guest account name has been changed.
• Audit: Audit the access of global system objects - default is disabled, found it enabled and left it that way.
• Domain Controller: Refuse machine account password changes - default is disabled, found it undefined and changed it.
• Domain Member: Digitally encrypt or sign secure channel data (always) - default is disabled, found it enabled and changed it.
• Interactive logon: Do not display last user name - default is disabled, but I enabled it.
• Interactive logon: Do not require CTL+ALT+DEL - default is enabled on stand alone workstations, I initially enabled it, but then, as a test, disabled it to see if the setting had any effect on the logon process for a stand alone workstation not a part of a network domain.
  
• Microsoft Network Server: Disconnect clients when logon time expires - default for workstations is undefined, I disabled it.
• Network Access: Named pipes that can be accessed anonymously - default is none, found COMNAP, COMNODE, SQL\QUERY, SPOOLSS, LLSRPC, EPMAPPER, LOCATOR, TrkWks, TrkSvr; deleted all to restore default.
• Network Access: Remotely accessible registry paths - default is none, found listed, deleted all to establish default.
  

• System\CurrentControlSet\Control\ProductOptions
• System\CurrentControlSet\Control\Print\Printers
• System\CurrentControlSet\Control\Server Applications
• System\CurrentControlSet\Services\Eventlog
• Software\Microsoft\OLAP Server
• Software\Microsoft\Windows NT\CurrentVersion
• System\CurrentControlSet\Control\ContentIndex
• System\CurrentControlSet\Control\Terminal Server
• System\CurrentControlSet\Control\Terminal Server\UserConfig
• System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration

• Network Access: Shares that can be accessed anonymously - default is none, found COMCFG, DFS$, deleted them.
• Network Access: Sharing and security model for local accounts - no Help item was found.  Left as Classic, local users authenticate as themselves.  Contra Guest only auth.
• Network Security: Force logoff when logon hours expire - default is enabled.  I found it disabled and left it disabled.
• Network Security: LAN manager authentication level - Workstation default is undefined.  I found it at Send LM & NTLM responses, which is the server setting.  I left it that way.
• Network Security: LDAP client signing requirements - no Help item was found.  Left the setting at 'Negotiate signing'.
• Shutdown: Clear virtual memory pagefile - default is disabled, I found it disabled, but changed it to enabled.
• System Objects:  Default owner for objects created by members of Administrators group.   No default specified for workstations; default for servers is Administrators group, I found it at Object creator.   Changed it to the Server default, Administrators group.

The File and Printer Sharing for Microsoft Networks option appears when you view the properties of any connection in Network Connections. Click Uninstall to remove this component; clearing the File and Printer Sharing for Microsoft Networks check box will not work. For more information, see File and Printer Sharing for Microsoft Networks.

• Gibson Research Corporation Home Page...
• DCOM - Download (29 kbytes) and run DCOMbob.exe  (Note that DCOM is not explicitly listed as a Service in Win XP.  It is not clear to me whether this action modified the MS default services which are listed.)
• Windows Messenger - Download (22 kbytes) and run shootthemessenger.exe  (This is not the Microsoft Messenger Service used for Internet Messaging, but another service.)
  
• UPnP - Download (22 kbytes) and run unpnp.exe  (SSDS)
• See also:  SSDP Discovery Service

• Download (17 kbytes) and run sockettome.exe
  
• Download (22 kbytes) and run socketlock.exe
  

• Windows XP Home and Professional Service Configurations by Black Viper
• Windows XP Services Registry Files and Information
  

• Automatic Updates:  ENABLED but Manual @ login, and found STOPPED.  There is a lag time between release of updates and notification to Windows.  It may be more useful to check the WindowsUpdate site using IE directly than to use automatic updates.  I check a couple of times a month, down from at least once a day in the fall of 2003.  On a Win XP SP1 install for which security updates are no longer provided, I check Windows Update only monthly.
  
• September 16, 2004:  V5 and after of WindowsUpdate required that the AutomaticUpdates service be on.  Since it has to be on when Windows starts I set it to start automatically and change it back to manual start after the update is complete.
  
• BITS (Background Intel. etc) ENABLED | Manual | STOPPED.  It is apparently required by V5 WUpdate as of Sept., 2004
  
• September 16, 2004:  V5 of WindowsUpdate required that the BITS service be on.  It appeared that it had to be on when Windows started, which meant both enabling the service and setting it to start automatically.  It will not start unless the Workstation service is on, so that had to be started automatically as well.  I stop all 3 services after using WUpdate.
  
• COM+ Service has been stopped 1:41 PM 9/24/2003, DISABLED | Automatic | STOPPED. 10/01/2003 as no services which require it are being started.  So far there are no 'operating errors.  (This looks like another service used to support local area networking, and "subscribers" - who or what are "subscribers"?)
• Cryptographic Services:  ENABLED | Automatic | Started.
  
• +DHCP Client Service: - The DHCP service is required for access to the internet through always on connections behind a router/gateway.  
• DISABLED 23:29 10/01/2003 again! - 10:15 PM 9/18/2003 - Think it had been disabled earlier, twice.
  
• Enabled June, 2004, to support access to internet from behind a router. 
• Set to Manual start and Stopped, Sept. 16, 2004, as I am no longer behind a router.
• ENABLED | Automatic | Started in November, 2008 to support access through a router. This service was restarted with some difficulty.
  
• Dialup and Wan Miniport PPPoE access appear to rely on a different source (RACM?) of support for the DHCP TCP/IP function than does Windows networking. This makes it possible to have both DHCP and the Windows Sockets / Windows networking TCP/IP functions out of service and still have internet access. It is only when attempting to access the Windows networking functions that this becomes an issue.
  
• That can happen not only when establishing a home network or wireless access through a router, but also when using a UHP ADSL/Cable modem which has not been placed in bridge mode, since doing so requires accessing the modem's management interface through TCP/IP. (An experiment would be to set up a PPPoE connection which had a fixed Gateway address set to the modem's IP address, while IP functions on the NIC were disabled. This might permit access to the modem's management interface, with no Windows networking active.)
• Some malware attempts to replace the DHCP function and force the use of its own network facility for internet connectivity. This can corrupt the native Winsocket and IP; the problem with connectivity may show up only when the infection is removed. This is one possible reason that anti malware packages are often blamed for loss of connectivity - the infection that had replaced the native networking capability has been cured, but the native connectivity has not been restored.
• DHCP would not start because a service on which it was dependant was not active and the inherently insecure NetBT service (NetBios over TCP/IP) was listed as required for DHCP to load. There is no logical or systemic dependency between DHCP and NetBT, they are separate and independant protocols. NetBios over TCP is inherently insecure and TCP/IP installations on machines I administer do not enable NetBios over TCP/IP. The erroneous dependancy condition recorded in the registry was removed by a registry edit. (It seems likely that this false dependency was established by malware which is dependant on the inherently insecure NetBT for its operation.) [Tip: Fix NetBt Dependancy Error for DHCP Service] [Tip: Erroneous Dependancy on NetBT service prevents start of DHCP service]  Procedures for  modification of registry entries for Windows Services to remove undesirable dependancies are described in file "RemoveServiceDependency-RegistryChange.html" (not published to the web). 
• DHCP can be blocked from starting by problems with Windows Sockets and the installed TCP/IP protocol. There are two methods for rebuilding/replacing these functions; one is a procedure described by Microsoft at [ http://support.microsoft.com/kb/817571 ] [Tip: Microsoft KB Article Restore/Repair Winsock & TCP/IP] and the other is to use the WinSockFix.exe software which automates that procedure in a rigorous and elegant way, described here.  [Tip: Software Restore/Repair of Winsock & TCP/IP]
• Distributed Link Tracking client for NTFS: DISABLED | Manual | STOPPED. I only use one NTFS drive on this machine - the service seems useless here.
• DNS Client: ENABLED | Manual | STOPPED 9/24/2003 - Despite the description and warning: "Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers."  This is a facility for local networks using local domain controllers.  DNS resolution for my web browsing activities are either handled by my ISP at their DNS servers or at internet DNS servers I specify in the TCP/IP properties for the connection.  Some ISP's require users to specify DNS server IP's in their  TCP/IP setup; others obtain DNS server information automatically.
  
• Error Reporting Service: DISABLED | Automatic | STOPPED.  If I experience recurring errors I want reported to MS, I will enable it.
• Event Log: ENABLED | Automatic | Started - This is the default state for the service.
  
• Fast User Switching: TEMPORARILY DISABLED | Automatic | STOPPED 2:40 PM 9/18/2003. MAY BE REenabled, as I want to learn how to set security for multiple users on the machine, etc.  DEPENDENCIES - DEPENDS UPON TERMINAL SERVICES       
  
• FTP publishing is not installed.  I use WebFolders/WebDav to publish to the internet, and do not need it (but need to be sure services needed to support WebFolders have NOT been disabled.  See WebDAV notes?  
• "Microsoft Windows 2000 supports the World Wide Web Distributed Authoring and Versioning (WebDAV) protocol. WebDAV, defined in RFC 2518, is a set of extensions to the Hyper Text Transfer Protocol (HTTP) that provide a standard for editing and file management between computers on the Internet.")
• Help and Support is ENABLED | Manual | STOPPED. 
  
• IMAPI CD-Burning - DISABLED. Not needed in the absence of a CDRW drive. 
  
• IPSEC Policy Agent: DISABLED | Automatic | STOPPED. IPSEC is not started, so "Policy Agent" should be quiet.
• LexBce Server:  ENABLED | Automatic | Started. Unless a Lexmark printer is present - Remove the LexBce Server from the dependancy list for the "Print Spooler" service, stop it, and disable it.
  
• Messenger Service: DISABLED both by GRC and BV criteria.  ***Marchand says this should eliminate Port 1027 UDP activity, it does not appear to do so.
• Network Connections Service - Enabled | Automatic | Started. Supports the Systray Icon for NC's, and may be dispensable in a stabilized system, if the activity indicator and stats are not needed.  DEPENDENCIES - ICF/ICSS & IPv6 FIREWALL ARE DEPENDENT ON THIS SERVICE
• Network Location Awareness (NLA) DISABLED | Manual | STOPPED. Supports the Internet Conn. Sharing, which is disabled in the "Safe" profile.  NLA can be disabled as well.  DEPENDENCIES - ICF/ICSS & IPv6 FIREWALL ARE DEPENDENT ON THIS SERVICE;  This service was enabled while the machine was on a LAN behind a router, but it is not clear that it was needed. It was found enabled and started in November, 2008, for reasons unknown, and that was corrected.
  
• Performance Logs and Alerts is part of system tools, and I have left it enabled, manual, as a learning and monitoring tool.  However it is  on manual start, and does not start at boot.
• Plug and Play: ENABLED | Automatic | Started - This is the default state for the service.
• Portable Media - DISABLED, as I do not use any portable media device.  I have not yet seen any WMPlayer impact.
• Protected Storage: ENABLED | Automatic | Started - This is the lsass.exe displayed in Program Manager. This is the default state for the service. LSASS not ISASS! ISASS is malware.
  
• Remote Access Connection Manager: ENABLED | Manual | Started.  Some DSL/ISP connections, PPPoE for instance, can depend on this service, as for an ELN PPPoE DSL connection.  DEPENDENCIES: ICF/ICSS & REMOTE ACC. AUTO. CONN. MGR.
• Remote Procedure Call (RPC) Locator DISABLED 2:37 PM 9/18/2003, was at default manual, but may not be needed.
• Server: DISABLED | This and the Workstation services must be on in order to access properties of Users and Groups [Computer Management > Local Users and Groups]  They are were enabled but set to manual start.   But May 15, 2004, Server service was uninstalled as a side effect of uninstalling the MS Print and File Share feature in Control Panel > Network Connections.   To stop (start) Server service from command line:
  
• [Start > Run > Cmd |  In command window:\> cd \ | In root:\>net stop server /y
  
• System Restore Service: ENABLED | Automatic | STOPPED in "safe".  This eliminates the "rollback" to a known working system state, and really should require that new software be installed AND TESTED only when the profiles GRC or Default are loaded, as system restore is active in those.
• TaskScheduler - DISABLED | Automatic | STOPPED. ***Marchand says this should eliminate Port 1025 TCP activity; it does not do so.
• Terminal Services: DISABLED 2:41 PM 9/18/2003 Should be enabled only to support Fast User Switching, when I am through playing with Users it should be disabled along with FUS.  DEPENDENCIES: FAST USER SWITCHING IS DEPENDENT ON TERM. SERV.  BUT, 9/16/2003 found running, enabled, and on automatic startup.  I disabled this service in both "Startup type" and in "Logon" for BVSafe.  I note that there is no option to STOP this service listed!.
• Telnet: DISABLED | Disabled | STOPPED.  This service must be active for certain testing based on the (transport level?) telnet function.
  
• I also modified the Registry per http://is-it-true.org/nt/xp/registry/rtips13.shtml by changing the DWord value for TsInternetUser to 1, in an effort to make that user visible at logon.  It did not work at logon, or in Control Panel, so I deleted the key altogether.   No side effects observed yet.  I wonder how I can determine if the TsInternetUser account exists on this machine.  And what is/was the function of the 'TsInternetUser' account anyway?   (Note that registry entries can make User accounts 'invisible' at start up, including accounts accessing the computer on a network, so you never know they are using the machine.)
  
• WebClient: ENABLED | Manual | STOPPED. Recorded as disabled in the "safe" profile.  (Experience through October 31, 2003, has not indicated any need for this service.)
  
• WIA  (Win Image Aquis.): ENABLED | Automatic | Started  I often stop this service. Not needed unless I install scanner, Video, Camera, etC.
• Windows Time: DISABLED | Automatic | STOPPED.  If enabled it runs each 7 days after success, but was not running successfully.  I have found the weekly use of 'Atomic Clock' as suitable on this machine.
  
• +Wireless Zero Configuration: ENABLED | Manual | STOPPED. Added, June, 2004, to support wireless networking.  Enabled, but Manual Start when no Wireless is in use.
  
• Workstation and Server services must be on in order to access properties of Users and Groups [Computer Management > Local Users and Groups] They are enabled but set to manual start.  The security effect is to make unauthorized mods of User and Group authorities more difficult; a very good thing.
  
• !!! Workstation service - Enabled | Manual STOPPED. (from Disabled 9/18/2003) there seemed to be no problem with the XP install's behavior.   I changed it from disabled to enabled, manual out of caution, but have noted that it has not started for an extended period.  (As of Sept., 2004, V5 of WUpdate requires that it be on automatically, for WUpdate to work.)  Five services depend on it:

• Alerter - disabled, manual, not started
• BITS (Background Intell. Trans. S.) - formerly disabled, enabled 10:50 9/16/2004, still manual, not started - except when  started for V5 of WUpdate to work.  
  
• Computer Browser - disabled, automatic, not started.
• Messenger - disabled, disabled, not started.
• Net Logon - disabled, manual, not started.
• RPC Locater - disabled in the BV Safe profile 2:37 PM 9/18/2003 
  

1. Help and Support - Enables Help and Support Center to run on this computer.  If this service is stopped, Help and Support Center will be unavailable.   10/14 status:  Enabled; Manual
2. Server - Supports file, print, and named-pipe sharing over the network for this computer.  10/14 status:  Enabled; Automatic;  changed to  Disabled, Manual
   
3. Workstation - Creates and maintains client network connections to remote servers.   10/14 status:  Enabled, Automatic; changed to Enabled, Manual

• WMI is running after boot.  It is still on Manual, but enabled at logon.  The setting was changed to "enabled" at logon after getting an error in attempting to access System Information.
• Neither Server (disabled) nor Workstation (enabled)  are started.
• 15 Services are running at startup.
• 15 Processes are running at startup, including hkcmd, which is being stopped, and whaich may be remove from the startup set.  These processes include four user  'optional processes' for security support - two for Zone Alarm, one for NW Client, and one for Startup Monitor.

• Two processes have been added to support internet access through local networks.

1. DHCP supports securing of IP addresses and the DNS server address.
2. Wireless Zero Configuration supports installation of wireless networks.

• The Remote Access Connection Manager used to support telephone & PPPOE connections to the internet is disused and could be dropped until those connections are restored.
• Note that the "Shell Hardware Detection" Service is not running. 
  

Hunting down and stopping programs that launch themselves at system startup whether you want them to or not is a pain. Windows can automatically start programs according to two folders and eight core registry subkeys. Here are the 10 locations from which Windows XP, Windows 2000, and Windows NT can automatically run programs at system startup.

10. The user Startup folder—The user's Startup folder is the most common location for programs that Windows automatically loads at boot time. You can find the user Startup folder at Documents and Settings, user, Start Menu, Programs, Startup. If you've migrated from NT, you'll find the Startup folder at WinNT, Profiles, user, Start Menu, Programs, Startup.

9. The All Users Startup folder—The next most common place to find autostart programs is the All Users Startup folder. Whereas the user Startup folder runs programs for only the user who's logged on, the All Users Startup folder autostarts programs no matter who logs on to the system. You can find this folder at Documents and Settings, All Users, Start Menu, Programs, Startup. If you've migrated from NT, you'll find the folder at WinNT, Profiles, user, Start Menu, Programs, Startup.

8. The load entry—Several registry subkeys also can start programs automatically. One esoteric location is the load entry at HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\Windows\load.

7. The Userinit entry—The Userinit entry, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\Userinit, can also initiate programs when the system boots. You'll usually see an entry for userinit.exe, but this subkey can accept multiple comma-separated values (CSVs), so other programs can tack themselves onto the end of the entry.

6. The Explorer\Run entry—Unlike the load and Userinit entries, the Explorer\Run entry works in both the HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE root keys. You can find the Explorer\Run subkey at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run and at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run.

5. The RunServicesOnce subkey—The RunServicesOnce subkey is designed to start service programs before the user logs on and before the other registry autostart subkeys start their programs. You'll find the RunServicesOnce subkey at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce and at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce.

4. The RunServices subkey—The RunServices subkey loads immediately after the RunServicesOnce subkey and runs before the user logs on. You'll find the RunServices subkey at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices and at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices.

3. The RunOnce\Setup subkey—The RunOnce\Setup subkey's default value specifies programs to run after the user logs on. The RunOnce\Setup subkey is in the HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE root keys. You'll find it at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup and at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Setup.

2. The RunOnce subkey—Setup programs typically use the RunOnce subkey to run programs automatically. You'll find this subkey at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce and at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce. The RunOnce entry in the HKEY_LOCAL_MACHINE root runs associated programs immediately after logon and before the other registry Run entries start their programs. The RunOnce subkey in the HKEY_CURRENT_USER root runs after the OS processes the other registry Run subkeys and the contents of the Startup folder. If you run XP, you can also check the RunOnceEx subkey at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx.

1. The Run subkey—By far the most common registry location for autorun programs is the Run entry, which you'll find at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. The Run entry in the HKEY_LOCAL_MACHINE root runs immediately before the Run entry in the HKEY_CURRENT_USER root, and both subkeys precede the processing of the Startup folder. 

Regarding Michael Otey's Top 10: "Windows Program Startup Locations" (December 2002, http://www.winnetmag.com, InstantDoc ID 27100), I hate to say this, but there's an 11th place to look for pesky, unwanted Windows programs. The load and run lines in win.ini, a holdover from the Windows 3.1 days, still work, and many programs lurk there. I run Sysedit to check for real-mode drivers in config.sys and autoexec.bat files at the same time."

Jean-Baptiste Marchand

I ran across a link to M. Marchand's paper long before I could even begin to understand it, and found it again while trying to secure my Win XP installation in September, 2003.  It was updated in August, 2003, and from my browsing seems to be the best description available, by and large, focused on elimination of unused network services.   

M. Marchand relies on command line for his actions; I prefer to use Windows interfaces when such exist to accomplish the same result.   Determing which of the command line actions he describes equate to the various Windows interface actions available requires some puzzling.

The diagnostic tool used here is primarily the 'netstat' command, which is run 'as a command' in Win XP's 'Command prompt' window.  I also use the command line program 'fport' obtained by download from Foundstone, Inc.; and the Windows GUI program TCPView from www.sysinternals.com.   Tools are run with no applications active, as some of these, including Mozilla and the Microsoft Management Console, hold ports even when the machine is not connected to the internet.  Fortunately, Notepad does not.

In fact, testing disclosed that it was the unneeded service 'DNS Client Service' that was responsible for the svchost items:

With no applications using the internet, there originally remained the following connection traces:

netstat -ano 10

 Proto  Local Address          Foreign Address        State           PID     Image Name    User Name
 TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       4       System        SYSTEM
 UDP    0.0.0.0:1026           *:*                                    768     svchost       NETWORK SERVICE
 UDP    0.0.0.0:1040           *:*                                    768     svchost       NETWORK SERVICE  

AKA

FPort v2.0 - TCP/IP Process to Port Mapper - Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com
 Pid   Process            Port  Proto Path
 4     System         ->  1025  TCP
 4     System         ->  1026  UDP
 7471215              ->  1040  UDP

The UDP at Port 1040 seemed to float between apps, as I saw it reported as Winamp, Mozilla, and System while working the problem.

Also, sometimes there is a 127.0.0.1:102n connection, (in addition to or instead of?) the 0.0.0.0: item.

After disabling the Workstation, RPC Locater, and Terminal Services services the number of Windows Services running are at 17; yet netstat -ano still showed:

Active Connections

  Proto  Local Address          Foreign Address        State           PID     Image Name    User Name
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       4       System        SYSTEM
  UDP    0.0.0.0:1026           *:*                                    776     svchost        
  UDP    0.0.0.0:1027           *:*                                    776
 
Both UDP connections were in use by svchost PID 776.  I used Ctrl-Alt-Del Task Manager to kill that process, and it seemingly had no effect on my connection!   I noted that Event viewer had this entry:

Event Type:    Error
Event Source:    Service Control Manager
Event Category:    None
Event ID:    7034
Date:        9/18/2003
Time:        11:57:24 PM
User:        N/A
Computer:    AN631322416
Description:
The DNS Client service terminated unexpectedly.  It has done this 1 time(s).

Permanent disabling of the DNS Client service is safe on a machine not a part of a local network served by it's own Domain Controller.  DNS resolution for WWW browsing is handled by the stand alone client machines' ISP, through the ISP's DNS servers.  

The number of active services was reduced to17, open processes at bootup at 13, including 2 svchost processes and the System Idle process .  That is pretty tight for an XP installation.   Gives me room to re enable Help and Support, and the services supporting  Webfolders/webdav/webclient.  

It is possible that I will be unable to eliminate the remaining open Port held by a system process, because the XP native PPPoE facility supporting my DSL connection may be  somehow tied to it.  The system Marchand did his testing on may not have had such a constraint.   I have tried to verify that the Remote Access Connection Manager (RasMan) is required to establish and maintain my PPPoE DSL connection by switching it off, and noted that the connection has failed. 

----[ Summary ]----

Minimization of network services can be realized in three steps:
 - disabling of unused services

Done in two steps:

Applied Gibson Research tools to Unplug UPnP and Decombobulate DCOM
Using the "Hardware Profiles" method

Applied Black Viper information on disabling of unused services, .
Disabled some additional networking specific services
   Alerter - disabled, manual, not started
   BITS (Background Intell. Trans. S.) - disabled, manual, not started.  (Subsquent Microsoft actions tie Windows Update functions to BITS, requiring that it be started when running Windows Update.   It cannot be disabled, but must be enabled and started to run wupdate.)
   Computer Browser - disabled, automatic, not started.
   Messenger - disabled, disabled, not started.
   Net Logon - disabled, manual, not started.
   RPC Locater - enabled, manual, not started.  Disabled in BV Safe 2:37 PM 9/18/2003
   Terminal Services DISABLED 2:41 PM 9/18/2003
   Fast User Switching TEMPORARILY DISABLED 2:40 PM 9/18/2003
   Workstation DISABLED,  later changed to enabled to support User management functions; may be needed to create Web folders

Neither Port 135 nor 445 are any longer active, so CIFS over TCP/IP is apparently dealt with as well.

Here is  yet another way to handle it:

# Alternate Procedure: The following information was developed, tested, and supplied by T-1 (t1@san.rr.com) #

 Go to :
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\
Value Name: TransportBindName
Data: \device\
Either Rename TransportBindName to something like TransportBindNameX (Easier to change back later) Or Delete \device\
Then Reboot.

The Registry tweak is more flexible because the NetBT driver is allowed to run  (and therefore allows the dependent services to run), but it never opens port 445 (either TCP or UDP).  [This would likely kill the NBT load failure message in the event log.)

Services to disable are:
 Windows 2000:
  - IIS 5: iisadmin, w3svc, smtpsvc
  - Others: messenger, msdtc, policyagent, schedule
 Windows XP:
  - messenger, policyagent, schedule, ssdpsrv, w32time
 

SSDP (UPnP) -    using www.grc.com program "Unplugnpray"
Messenger, w32time, Task Scheduler -     disabled using Windows Services manager
Also DCOM -     using www.grc.com program "Decombobulator"
policyagent -     part of IPSEC services, which is disabled, automatic, not started, using Windows Services manager.

(I also installed www.grc.com program "socketlock' to prevent any user from using 'raw sockets' available in XP.)

Disabling of NetBIOS over TCP/IP is specific to each network interface. To globally disable CIFS over TCP (port 445), the SmbDeviceEnabled registry value must be added and set to 0 in the registry.

Net BIOS over TCP/IP - Disabled at TCP/IP properties for the network interface.  Port 445 was dealt with using Device Manager, per http://www.uksecurityonline.com/husdg/windows2000/close445.htm

Minimization of RPC services starts by disabling services that register RPC services.

Activation  of  Ports  1026, and 1027 seems to have been dealt with by disabling the DNS Client  service.  See below.   However this is complicated by the way in which these are apparently interchangeable with one another and with Port 1025, each being used by different services at different times.

The removal of the 'Connection-oriented TCP/IP' protocol sequence in the dcomcnfg utility allows to close TCP port 135.

Closing of TCP Port 135 was accomplished through the Win XP interfaces described above.  (And by closing DCOM?)

If necessary, listening interfaces restriction can be configured for some RPC services on Windows 2000, using the rpccfg tool.

Apparently not applicable to Win XP.   Will require more review. 

Starting with Windows 2000, Windows systems include a caching DNS service 
(dnscache), that keeps in memory results of DNS requests. 

On Windows 2000, this service sends DNS requests on UDP, using a different UDP
source port for each request. On Windows XP, the same port is always used: it is
allocated at the first DNS request and remains the same, as long as the dnscache
service is running.

On our Windows XP system, the port used by the dnscache service is UDP port
1026. If we stop the dnscache service, this port will be closed. 

It is possible to disable the socket caching mechanism used by the Windows XP
dnscache service, adding a registry value under the service key:

 Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\
 Value: MaxCachedSockets
 Type: REG_DWORD
 Content: 0

With this setting, the Windows XP dnscache service will behave as under Windows 
2000, i.e, different UDP sockets are used for each DNS requests. 

 -[ Windows XP ]-

On our Windows XP system, UDP port 1027 is used by RPC services started by the
Messenger service. As in Windows 2000, this port and UDP port 135 will no longer
be opened after disabling this service and rebooting. 

But on my machine, for both of  the two active svchost UDP Ports 1026 and 1027, disabling the DNS Client service (different than the dnscache service?) has apparently closed them.  I do not recall having executed the change to the registry he discusses.  The Messenger service he ties to Port 1027 was one of the very first I had disabled and cannot account for that Port being open on this machine. 

Port 1026 UDP and another nearby Port UDP (usually 1027) were in use by a svchost PID 776.  I used Task Manager to kill the 776 process.  Both UDP connections went away,  and my overall connectivity was NOT harmed.    Event Viewer logged the message " The DNS Client service terminated unexpectedly.  It has done this 1 time(s)."

NOTE:  9/25/2003 - Netstat is not showing any UDP ports in use, and was not even before I  again disabled DNS Client services.   This may be the result of having turned off the Microsoft Windows Networking,  but as noted above, killing the process which had been using the UDP ports also shut down DNS client services, earlier.   Perplexing.

I have observed, in connection with DCOM 'error' logging, that Windows will attempt to start a service as an apparent prerequisite to initiating another service, e.g. DCOM.   Could it be that Windows is 'using' various services as hooks for these UDP Port connections, and when one is disabled simply finds another, active one and attaches the UDP Port connection to it?  On 11/03/03 I note that with mmc running, and no internet connection, Windows is attributing a Port 1028 UDP connection to  mmc : UDP    127.0.0.1:1028         *:*                                    1840  mmconsole

For Port  1025 TCP the Marchand recommendations do not seem to work:

TCP port 1025 is used by RPC services of the Task Scheduler service. Again, as
in Windows 2000, this service must be disabled.

Both the Messenger service and Task Scheduler had been disabled, yet the Port is still active.    The statement that the active TCP Port 1025 can be attributed to Task Scheduler must be questioned.  I  have been unable to use  the rpcdump.exe program (obtained from the internet) to determine which, if any, RPC services are using the Port, the program returns a "binding" error. 

On my machine Port [1025, 1026] TCP is held by PID 4, System.   System process id 4 looks pretty basic to me.
http://www-tcsn.experts-exchange.com/Security/Win_Security/Q_20530309.html
http://www.tek-tips.com/gpviewthread.cfm/qid/71426/pid/23/lev2/3/lev3/17                           Good notes, several...
http://support.microsoft.com/support/kb/articles/Q280/1/32.ASP
The machine is trying to connect to a LAN through the Ethernet card it seems, as I get a red flag in the Systray when the DSL modem is off.  The message is:  "A network cable is unplugged."


FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid   Process            Port  Proto Path
4     System         ->  1025  TCP

Slightly Enlightened (Visitor)

Jul 9, 2002

I used a tool called fport which I got from www.Foundstone.com (no I don't work for them). That traced the port back to the svchost.exe of which there were several instances running in the processes box. These can then be traced back to the registry
HKLM/Software/Microsoft/Windows NT/CurrentVersion/SVCHOST
In there you will find entries corresponding to the processes that are running. By process of elimination I found svcimg in the registry and that seemed to be the one opening the port. Blitzed it (backed up the registry first) and the port is no longer a problem and the machine still works! Hope it helps.

But no, this is NOT a SVCHOST process on my machine, it is a system process, PID 4.   

• the warning is not caused by the condition suggested, or that
• at the time the error is generated, during system shutdown,  some additional service using a user account has started, or that
•  it is an open user program, not a service, which is responsible.
  

"Windows unloads each user's profile and user's section of the registry when the user logs off. This message indicates that Windows could not unload the user's profile because a program was referencing the user's section of the registry. This locked the profile. The registry cannot unload profiles that are locked and in use. When the program that is locking the profile is no longer referencing the registry, the profile will be unloaded."