NTV ERP to Determine What is Starting a Service During Boot

Status
Not open for further replies.
AtlBo

AtlBo

Level 28
Thread author
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
SMSvcHost.exe started running on boot on a system I am trying to get cleaned up and set up properly for more use. Not sure when it started autostarting as I haven't been looking over Task Manager as much as on the main system. Also, when I do look over TM I don't see all the processes unless I select "Show processes from all Users". Haven't been doing that much on this system. BTW, running on an admin account, and I would like to begin the march to SUA. Think it might take a while for this project. Maybe 2 weeks I guess.

One quick question before the rest. This system get its internet connection via ethernet with a wi-fi connected desktop next to it. Could this be why port sharing is running? I can't find a reference for this on Google.

Here is the rest. If the above is true, please disregard below.

SMSvcHost.exe starts I believe via a service called NetTcpPortSharing. The service is set to manual, but something seems to be starting the service on boot, so I wanted to find out what. This is mainly because I don't see it running on any other systems. So I added the location of SMSvcHost.exe to the vulnerables list of NVT ERP, hoping I could get some information on an alert or in the log. I also scanned the list of allowed processes to see if it was allowed so I could delete the entry if so. Then I scanned the list of allowed command lines to see if I could find anything that might indicate it was starting SMSvcHost.exe. Didn't see anything, so I rebooted to see if NVT ERP would alert when the SMSvcHost.exe tried to run. No luck...no alert. I would love to have some idea of why there is no alert if anyone thinks they might know. Location of SMSvcHost.exe:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe

Best information I could find on port sharing:

Net.TCP Port Sharing

Didn't help me much.

This system is kind of a mess. I have Wireshark on the system attempting to learn to capture packets and analyze them and so on and several other tools like SpyStudio, which is a nice application for capturing real-time run-time activities of a process. I feel like I am learning to a significant degree with these applications, but at the same time, they introduce some complicating and somewhat unknown elements to me. Example is WinPcap with Wireshark. I don't know anything about WinPcap except that it is required to capture with Wireshark. I really need to update software on the PC too. It hasn't been used as much as the main, and so I will be working on that too.

Thx for any help...
 
  • Like
Reactions: shmu26, harlan4096, Rengar and 1 other person
AtlBo

AtlBo

Level 28
Thread author
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
Think I may have begun to resolve this. When I installed ERP, I turned off "Allow safe Windows processes" which I thought was enough for the vulnerables list to create an alert. However, I realized I had trusted vendors on. Turned it off and booted and got the alert. Turns out it started itself which I guess means something set a registry key for it to turn (the service which starts the proces) on so it could use the port sharing.

Checked to see if the ethernet tether to another PC for connecting to the internet might be the reason SMSvcHost.exe starts. Disconnected and left it disconnected through two boots and SMSH.exe still started, so idk. Inconclusive, but looks like an installer along the way probably made a change I guess to the registry or to tasks.

Suspects:
SpyShelter->recent install led to boot crash (registry corruption) and reimage from a VERY recent image to fix
Wireshark or WinPcap (required for WS captures)->installed a long time ago so I don't think so. Not sure however. Haven't been using the PC very much to have noticed when this started.

Otherwise, idk, but I think there must be a registry key set to turn on the service during boot. Already ran an in place repair installation of Windows (upgrade installation). Didn't solve this that's for sure. Don't know if it was already present, but I haven't installed much since the restore a few days ago. Can't seem to find the answer in Autoruns, but maybe I can turn up something later. BTW, the image could potentially contain corruption from SpyShelter (even after repair install). Next good image is very old, so...

sfc shows no errors :)

Thx for looking :)
 
  • Like
Reactions: shmu26
AtlBo

AtlBo

Level 28
Thread author
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
Solved with Autoruns. Had to uncheck "Hide Windows entries" to see the Windows startups in the services area. Unchecked the ones that don't shart by default (in pics) and SMSvcHost.exe didn't start on boot. Some pics below if anyone is interested.

I like NVT ERP for this kind of hunt for rogue processes. Don't know why setting SMSvcHost.exe to Vulnerable didn't trump the Trusted Vendors on setting. I'm sure Andreas has his reasons for doing it that way. Running in Alert mode not lockdown, and I don't know if the alert would have popped on lockdown. Nothing beats Autoruns for getting to the bottom of things with startups though.

I suspect when I was beginning to work with Wireshark I enabled a monitoring element of the program that may have changed this setting. I may have been seeking to see if there was any traffic on the protocol. The 6-20-2015 date is about 6 months after I installed Wireshark. SpyShelter is off the hook for sure.

System is starting to come around now that everything runs as desired with UAC on. Now I can focus on creating SUA. Thx again for looking...

Mystery Run on Boot net.TCP.Port Sharing Start These or Not.png SMSvcHost EXE NetTcpPortSharing.png Startup Entry Created 6-20-15.png Autoruns Uncheck Startups.png SMSvcHost EXE Gone.png
 
Last edited:
  • Like
Reactions: shmu26 and harlan4096
Status
Not open for further replies.

Similar threads

Xeno1234
Advice Request What is Sophos PROD
Replies
4
Views
287
Other security for Windows, Mac, Linux
Xeno1234
Xeno1234
R
    • Like
Question What happens when DNS service is down?
Replies
17
Views
543
General Security Discussions
Bot
Bot
nicolaasjan
    • Like
    • +Reputation
    • Applause
  • Sticky
Serious Discussion Microsoft is preparing a massive update on the Secure Boot keys for UEFI
Replies
1
Views
432
Windows 11
Ink
Ink

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top