Infiltrator Complete Report

Date: Mon 9/15/03 @ 10:09:40 PM


Computers Scanned for this Report


Infiltrator scanned 3 computers for this report, as follows:

192.168.1.101
192.168.1.100
192.168.1.102


Computer System Information


Infiltrator obtained the following system information for each target:

192.168.1.101
IP Address: 192.168.1.101
Name: clare
OS: Windows XP
Comments:
DNS Lookup: CLARE
Platform: 500 Major: 5 Minor: 1
Domain: SPYTECHLAN
Time: 02:54:45.02 (5) on 9/16/2003
Uptime: 59h 34m 56s
Net Logon Performed by PDC Server

192.168.1.100
IP Address: 192.168.1.100
Name: SPYTECH-DESKTOP
OS: Windows 2000 Version 5.1 (Build 2600 Multiprocessor Free)
Comments: Spytech Desktop
DNS Lookup: SPYTECH-DESKTOP
Platform: 500 Major: 5 Minor: 1
Domain: SPYTECHLAN
Time: 02:53:07.40 (5) on 9/16/2003
Uptime: 254h 54m 22s
Net Logon Performed by PDC Server

192.168.1.102
IP Address: 192.168.1.102
Name: SPYTECH-LAPTOP
OS: Windows XP
Comments: Laptop
DNS Lookup: spytech-laptop.eau.wi.charter.com
Platform: 500 Major: 5 Minor: 1
Domain: SPYTECHLAN
Time: 02:51:39.18 (5) on 9/16/2003
Uptime: 00h 20m 01s
Net Logon Performed by PDC Server


Computers Registry Information


Infiltrator obtained the following system information for each target via a remote registry connection:

192.168.1.101
No information could be retrieved.

192.168.1.100
Registered Owner: Spytech
Product Name: Microsoft Windows XP
Product ID: 55444-OEM-1111111-00228
Version: 5.1
Type: Multiprocessor Free
Build: 2600
Software Type: SYSTEM
Source Path: D:\i386
System Root: C:\WINDOWS
Path Name: C:\WINDOWS
Processor: AMD Athlon(TM) MP 2000+
Description: x86 Family 6 Model 6 Stepping 2
Vendor: AuthenticAMD
MHZ: 1666

192.168.1.102
Registered Owner: Nathan Polencheck
Product Name: Microsoft Windows XP
Product ID: 55232-324-1111356-23333
Version: 5.1
Type: Uniprocessor Free
Build: 2600
Software Type: SYSTEM
Source Path: E:\I386
System Root: D:\WINDOWS
Path Name: D:\WINDOWS
Processor:
Description: x86 Family 6 Model 8 Stepping 3
Vendor: GenuineIntel
MHZ: 701

Security Implications: Moderate
The information presented here is enumerated via a remote registry connection. This will always succeed if the scan target in question is local to the scan (i.e., Infiltrator is scanning the computer it is running on). However, if this succeeds on a remote computer then caution should be taken, as the registry could be modified remotely by any user with escalated privileges.


NetBios Scan Results


Infiltrator obtained the following NetBios tables from the target computers:

192.168.1.101
No information could be retrieved.

192.168.1.100
SPYTECH-DESKTOP - Workstation Service
SPYTECHLAN - Domain Name
SPYTECH-DESKTOP - File Server Service
SPYTECHLAN - Browser Service Elections
SPYTECHLAN - Master Browser
__MSBROWSE__ - Master Browser
MAC Address: 00-03-b2-a1-63-d5

192.168.1.102
No information could be retrieved.

Security Implications: High
Contrary to popular belief, the ability to enumerate a machine's NetBios table is not a considerable security risk when the machine is properly configured. However, NetBios can cause a considerable security risk if poorly-passworded file/printer shares are activated, or if shares are not password-protected at all. If file/printer sharing is not needed it is still recommended that NetBios be disabled. More information can be obtained about this here.


SNMP Scan Results


Infiltrator obtained the following system information for each target via an SNMP connection:

192.168.1.101
SNMP Connection Failed.

192.168.1.100
Description: Hardware: x86 Family 6 Model 6 Stepping 2 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.1 (Build 2600 Multiprocessor Free)
Object ID: .iso.org.dod.internet.private.enterprises.microsoft.software.systems.os.windowsNT.workstation
UpTime: 10 days, 0 hours, 53 minutes, 17 seconds
Contact: (none)
Location: (none)
Name: SPYTECH-DESKTOP
Service Count: 76

192.168.1.102
SNMP Connection Failed.

Security Implications: High
The SNMP service can create a considerable security risk when configured improperly. If Infiltrator was able to connect to a target via SNMP then action should be taken immediately, as an open SNMP service can provide a wealth of information to a malicious attacker. If the SNMP service is absolutely required, it should be protected with a hard-to-guess community string (the default is usually "public").


Ping Sweep Results


Infiltrator obtained the following information by performing a ping sweep:

192.168.1.101
Elapsed (average): 2ms
Time-To-Live (TTL): 128
Total Hops Away: 0
Target is on Network Segment

192.168.1.100
Elapsed (average): 0ms
Time-To-Live (TTL): 255
Total Hops Away: 0
Target is on Network Segment

192.168.1.102
Elapsed (average): 0ms
Time-To-Live (TTL): 128
Total Hops Away: 0
Target is on Network Segment

Security Implications: Low
Pinging alone is not a considerable security risk. An attacker can utilize ping sweeps to tell if hosts are alive, time zones of the target host, or even what operating system is being used. If you find your computers being pinged more than usual it may be wise to limit incoming ICMP traffic on your network in order to thwart ping sweeps.


Null Session Connection


Infiltrator null session connection attempt results:

192.168.1.101
NULL Session Connection was Established!

192.168.1.100
NULL Session Connection was Established!

192.168.1.102
NULL Session Connection was Established!

Security Implications: High
The null session is the starting point for nearly all NetBios and target enumerations. If a null session can be established, remote users may be able to retrieve information by connecting as an anonymous user with no password. Null sessions should be disabled by setting the RestrictAnonymous key to 1. More information can be read here.


WebServer Information


Infiltrator obtained the following information about the webserver on each target (if present):

192.168.1.101
Server: No WebServer Present
Available Commands: Options Unavailable

192.168.1.100
Server: No WebServer Present
Available Commands: Options Unavailable

192.168.1.102
Server: No WebServer Present
Available Commands: Options Unavailable

Security Implications: Low
The ability to view the server and software a webserver is running can allow an attacker to determine whether out-of-date or vulnerable software is running on a server. A webserver should be configured to display the minimum amount of information to users that may be probing the server.


Password Policy Information


Infiltrator obtained the following password policies for each target:

192.168.1.101
No information could be retrieved.

192.168.1.100
Minimum Length: no minimum password length
Minimum Age: no minimum password age
Maximum Age: 42 days
History Length: no password history length set
Lockout: no lockout policy
Lockout Duration: lockout duration: 30 minutes
Lockout Reset: lockout reset: 30 minutes

192.168.1.102
Minimum Length: no minimum password length
Minimum Age: no minimum password age
Maximum Age: 42 days
History Length: no password history length set
Lockout: no lockout policy
Lockout Duration: lockout duration: 30 minutes
Lockout Reset: lockout reset: 30 minutes

Security Implications: High
A weak password policy can be an easy entry point into your network by a malicious user. Password policies that do not enforce complex passwords or repeated password changes make login points susceptible to brute force attacks. For more information on how to secure your password policy visit the Microsoft security guide here.


File Shares Listing


Infiltrator obtained the following file shares for each target:

192.168.1.101
My Documents
Type: File

IPC$
Type: IPC
Comments: Remote IPC

print$
Type: File
Comments: Printer Drivers

CanonBub
Type: Printer
Comments: Canon Bubble-Jet BJC-3000

clares cd
Type: File

Clare's Music
Type: File

ADMIN$
Type: File
Comments: Remote Admin

C$
Type: File
Comments: Default share


192.168.1.100
IPC$
Type: IPC
Comments: Remote IPC

Documents
Type: File

F$
Type: File
Comments: Default share

dip
Type: File

ADMIN$
Type: File
Comments: Remote Admin

C$
Type: File
Comments: Default share


192.168.1.102
IPC$
Type: IPC
Comments: Remote IPC

D$
Type: File
Comments: Default share

ADMIN$
Type: File
Comments: Remote Admin

C$
Type: File
Comments: Default share


Security Implications: High
File and print shares that are not protected by secure passwords allow extremely easy access to a target. An open share can be viewed by anyone on the network (or Internet if the target is a non-networked computer) and should always be securely protected from unauthorized access.


Users Listing


Infiltrator obtained the following user listings for each target:

192.168.1.101
Administrator

Guest

HelpAssistant

SUPPORT_388945a0

ClareC


192.168.1.100
Admin (admin)
comment: Built-in account for administering the computer/domain
last login: Tue Feb 04 23:02:43 2003
good logins: 5
bad logins: 0
attributes:

Guest (guest)
comment: Built-in account for guest access to the computer/domain
last login: Sat Dec 14 04:29:39 2002
good logins: 189
bad logins: 0
attributes: disabled no password password cannot be changed

HelpAssistant (guest)
Remote Desktop Help Assistant Account
comment: Account for Providing Remote Assistance
good logins: 0
bad logins: 0
attributes: disabled password cannot be changed

Spytech (admin)
last login: Mon Sep 15 21:33:19 2003
good logins: 1919
bad logins: 0
attributes:

SUPPORT_388945a0 (guest)
CN=Microsoft Corporation,L=Redmond,S=Washington,C=US
comment: This is a vendor's account for the Help and Support Service
good logins: 0
bad logins: 0
attributes: disabled password cannot be changed


192.168.1.102
Administrator (admin)
comment: Built-in account for administering the computer/domain
good logins: 0
bad logins: 0
attributes:

Guest (guest)
comment: Built-in account for guest access to the computer/domain
last login: Fri Sep 05 01:19:10 2003
good logins: 0
bad logins: 0
attributes: no password password cannot be changed

HelpAssistant (guest)
Remote Desktop Help Assistant Account
comment: Account for Providing Remote Assistance
good logins: 0
bad logins: 0
attributes: password cannot be changed

Spytech (admin)
last login: Mon Sep 15 21:33:27 2003
good logins: 662
bad logins: 0
attributes:

SUPPORT_388945a0 (guest)
CN=Microsoft Corporation,L=Redmond,S=Washington,C=US
comment: This is a vendor's account for the Help and Support Service
good logins: 0
bad logins: 0
attributes: disabled password cannot be changed


Security Implications: Moderate
If an attacker is able to enumerate usernames on a target it will make brute force attacks on a target easier; however, a strong password can alleviate this problem.


User Groups Listing


Infiltrator obtained the following groups listings for each target:

192.168.1.101
No information could be retrieved.

192.168.1.100
Administrators
SPYTECH-DESKTOP\Admin
SPYTECH-DESKTOP\Spytech

Backup Operators

Guests
SPYTECH-DESKTOP\Guest

Network Configuration Operators

Power Users

Remote Desktop Users

Replicator

Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users

HelpServicesGroup
SPYTECH-DESKTOP\SUPPORT_388945a0


192.168.1.102
Administrators
SPYTECH-LAPTOP\Administrator
SPYTECH-LAPTOP\Spytech

Backup Operators

Guests
SPYTECH-LAPTOP\Guest

Network Configuration Operators

Power Users

Remote Desktop Users

Replicator

Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users

HelpServicesGroup
SPYTECH-LAPTOP\SUPPORT_388945a0


Security Implications: Moderate
If an attacker is able to enumerate groups on a target it will make brute force attacks on a target easier; however, a strong password can alleviate this problem.


Drives Listing


Infiltrator obtained the following drive listings for each target:

192.168.1.101
No information could be retrieved.

192.168.1.100
A:
C:
D:
E:
F:

192.168.1.102
A:
C:
D:
E:

Security Implications: Low
A drive listing alone is barely a security risk - as drives on a system can be easily guessed.


Startup Keys Listing


Infiltrator obtained the following registry startup keys for each target via a remote registry connection:

192.168.1.101

User Startup Keys
The list of HKEY_CURRENT_USER registry startup keys.

Machine Startup Keys
The list of HKEY_LOCAL_MACHINE registry startup keys.

No information could be retrieved.

192.168.1.100

User Startup Keys
The list of HKEY_CURRENT_USER registry startup keys.

Machine Startup Keys
The list of HKEY_LOCAL_MACHINE registry startup keys.

NvCplDaemon: RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
UpdReg: C:\WINDOWS\Updreg.exe
Jet Detection: C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
DSKEY: C:\WINDOWS\system32\DsKey.exe
ccApp: "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy: "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
Advanced Tools Check: C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
QuickTime Task: "C:\Program Files\QuickTime\qttask.exe" -atboottime
wcmdmgr: C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
WT GameChannel: C:\Program Files\WildTangent\Apps\GameChannel.exe

192.168.1.102

User Startup Keys
The list of HKEY_CURRENT_USER registry startup keys.

AIM: D:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
MSMSGS: "D:\Program Files\Messenger\msmsgs.exe" /background

Machine Startup Keys
The list of HKEY_LOCAL_MACHINE registry startup keys.

PopupAgent: \\spytech-desktop\source\PopupAgent2\Debug\PopupAgent.exe
ccApp: "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy: "D:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
Advanced Tools Check: D:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE

Security Implications: Moderate
The information presented here is enumerated via a remote registry connection. This will always succeed if the scan target in question is local to the scan (i.e., Infiltrator is scanning the computer it is running on). However, if this succeeds on a remote computer then caution should be taken, as the registry could be modified remotely by any user with escalated privileges.


Installed Hotfixes


Infiltrator obtained the following list of hotfixes for each target:

192.168.1.101
No information could be retrieved.

192.168.1.100
Windows XP Hotfix - KB821557
Windows XP Hotfix - KB823559
Windows XP Hotfix - KB823980
Windows XP Hotfix (SP1) Q328310
Windows XP Hotfix (SP1) [See Q329048 for more information]
Windows XP Hotfix (SP2) [See Q329115 for more information]
Windows XP Hotfix (SP1) Q329170
Windows XP Hotfix (SP1) [See Q329390 for more information]
Windows XP Hotfix (SP1) [See Q329441 for more information]
Windows XP Hotfix (SP1) [See Q329834 for more information]
Windows XP Hotfix (SP1) Q331953
Windows XP Hotfix (SP1) Q810577
Windows XP Hotfix (SP1) Q811493
Windows XP Hotfix (SP1) Q815021
Windows XP Hotfix (SP1) Q817606

192.168.1.102
Windows XP Hotfix - KB821557
Windows XP Hotfix - KB823559
Windows XP Hotfix - KB823980
Windows XP Hotfix (SP1) [See Q309521 for more information]
Windows XP Hotfix (SP1) [See Q311889 for more information]
Windows XP Hotfix (SP1) [See Q311967 for more information]
Windows XP Hotfix (SP1) [See Q313450 for more information]
Windows XP Hotfix (SP1) [See Q314147 for more information]
Windows XP Hotfix (SP1) [See Q314862 for more information]
Windows XP Hotfix (SP1) [See Q315000 for more information]
Windows XP Hotfix (SP1) [See Q315403 for more information]
Windows XP Hotfix (SP1) [See Q317277 for more information]
Windows XP Hotfix (SP1) [See Q318138 for more information]
Windows XP Hotfix (SP1) [See Q323172 for more information]
Windows XP Hotfix (SP1) [See Q324096 for more information]
Windows XP Hotfix (SP1) [See Q324380 for more information]
Windows XP Hotfix (SP1) [See Q326830 for more information]
Windows XP Hotfix (SP1) Q328310
Windows XP Hotfix (SP1) [See Q329048 for more information]
Windows XP Hotfix (SP2) [See Q329115 for more information]
Windows XP Hotfix (SP1) Q329170
Windows XP Hotfix (SP1) [See Q329390 for more information]
Windows XP Hotfix (SP1) [See Q329441 for more information]
Windows XP Hotfix (SP1) [See Q329834 for more information]
Windows XP Hotfix (SP1) Q331953
Windows XP Hotfix (SP1) Q810577
Windows XP Hotfix (SP1) Q811493
Windows XP Hotfix (SP1) Q815021
Windows XP Hotfix (SP1) Q817606
Windows XP Hotfix (SP1) Q819696

Security Implications: High
Care should always be taken to make sure all computers on your network are always up to date with the latest service packs and upgrades. An outdated system (such as an IIS 4 server) is easy prey for attackers. The Microsoft Hotfix and Security Bulletin is a great source of information for staying updated and current. The Bulletin can be viewed here.


Installed Software


Infiltrator obtained the following list of installed software for each target:

192.168.1.101
No information could be retrieved.

192.168.1.100
1) Adobe Acrobat 5.0
Path: D:\WINDOWS\ISUNINST.EXE -f"D:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"D:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"

2) Advanced Tools
Path:

3) America Online
Path: D:\Program Files\Common Files\aolshare\Aolunins_us.exe

4) AOL Instant Messenger
Path: D:\Program Files\AIM95\uninstll.exe -LOG= D:\Program Files\AIM95\install.log -OEM=

5) AOL Coach Version 1.0(Build: 20020605.1)
Path: D:\WINDOWS\AolCInUn.exe

6) Internet Explorer Q822925
Path: D:\WINDOWS\ieuninst.exe D:\WINDOWS\INF\Q822925.inf

7) LiveReg (Symantec Corporation)
Path: D:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE

8) LiveUpdate 1.80 (Symantec Corporation)
Path: D:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U

9) Outlook Express Update Q330994
Path: D:\WINDOWS\Q330994.exe D:\WINDOWS\INF\Q330994.inf

10) Driver Installation
Path: D:\WINDOWS\iun6002.exe "D:\Program Files\Driver Installation\irunin.ini"

11) Viewpoint Media Player
Path: d:\program files\viewpoint\viewpoint media player\mtsAxInstaller.exe /u

12) Microsoft Visual C++ 6.0 Professional Edition
Path: D:\Program Files\Microsoft Visual Studio\VC98\Setup\1033\Setup.exe

13) WinZip
Path: "D:\Program Files\WinZip\WINZIP32.EXE" /uninstall

14) WebFldrs XP
Path:

15) Microsoft Office XP Professional with FrontPage
Path: MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}

16) Macromedia Extension Manager
Path: RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{A5BA14E0-7384-11D4-BAE7-00409631A2C8}\setup.exe" mmUninstall

17) Macromedia Dreamweaver 4
Path: RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{ABDA9912-5D00-11D4-BAE7-9367CA097955}\setup.exe" mmUninstall

18) Norton AntiVirus 2003 Professional Edition
Path:


192.168.1.102
1) Adobe Acrobat 5.0
Path: D:\WINDOWS\ISUNINST.EXE -f"D:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"D:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"

2) Advanced Tools
Path:

3) America Online
Path: D:\Program Files\Common Files\aolshare\Aolunins_us.exe

4) AOL Instant Messenger
Path: D:\Program Files\AIM95\uninstll.exe -LOG= D:\Program Files\AIM95\install.log -OEM=

5) AOL Coach Version 1.0(Build: 20020605.1)
Path: D:\WINDOWS\AolCInUn.exe

6) Internet Explorer Q822925
Path: D:\WINDOWS\ieuninst.exe D:\WINDOWS\INF\Q822925.inf

7) LiveReg (Symantec Corporation)
Path: D:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE

8) LiveUpdate 1.80 (Symantec Corporation)
Path: D:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U

9) Outlook Express Update Q330994
Path: D:\WINDOWS\Q330994.exe D:\WINDOWS\INF\Q330994.inf

10) Windows XP Application Compatibility Update[Q313484]
Path: D:\WINDOWS\$NtUninstallQ313484$\spuninst\spuninst.exe

11) Windows XP Application Compatibility Update[Q319580]
Path: D:\WINDOWS\$NtUninstallQ319580$\spuninst\spuninst.exe

12) Driver Installation
Path: D:\WINDOWS\iun6002.exe "D:\Program Files\Driver Installation\irunin.ini"

13) Spytech SpyAgent
Path: D:\WINDOWS\unvise32.exe D:\Program Files\Spytech Software\Spytech SpyAgent\uninstal.log

14) Viewpoint Media Player
Path: d:\program files\viewpoint\viewpoint media player\mtsAxInstaller.exe /u

15) Microsoft Visual C++ 6.0 Professional Edition
Path: D:\Program Files\Microsoft Visual Studio\VC98\Setup\1033\Setup.exe

16) WinZip
Path: "D:\Program Files\WinZip\WINZIP32.EXE" /uninstall

17) WebFldrs XP
Path:

18) Microsoft Office XP Professional with FrontPage
Path: MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}

19) Macromedia Extension Manager
Path: RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{A5BA14E0-7384-11D4-BAE7-00409631A2C8}\setup.exe" mmUninstall

20) Macromedia Fireworks 4
Path: RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{A8833100-1481-11D4-9731-00C04F8EEB39}\setup.exe" UNINSTALL

21) Macromedia Dreamweaver 4
Path: RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{ABDA9912-5D00-11D4-BAE7-9367CA097955}\setup.exe" mmUninstall

22) Norton AntiVirus 2003 Professional Edition
Path:


Security Implications: High
The enumeration of installed software on a target computer may not really help an attacker if they are able to obtain this information, but a network administrator should always enforce a strict software installation policy. Rogue software installs by users on a network can allow for the entrance of viruses and worms, which can easily spread through a network and create considerable damage. All software should be tested and approved by a test lab before being installed on each computer.


Running Services


Infiltrator obtained the following list of running services for each target:

192.168.1.101
No information could be retrieved.

192.168.1.100
1) AudioSrv - Windows Audio
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.

2) BITS - Background Intelligent Transfer Service
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Uses idle network bandwidth to transfer data.

3) Browser - Computer Browser
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info:

4) ccEvtMgr - Symantec Event Manager
Path: C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
Info: Symantec Event Manager

5) Creative Service for CDROM Access - Creative Service for CDROM Access
Path: C:\WINDOWS\System32\CTsvcCDA.EXE
Info:

6) CryptSvc - Cryptographic Services
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Info:

7) Dhcp - DHCP Client
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Manages network configuration by registering and updating IP addresses and DNS names.

8) dmserver - Logical Disk Manager
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info:

9) ERSvc - Error Reporting Service
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Allows error reporting for services and applictions running in non-standard environments.

10) Eventlog - Event Log
Path: C:\WINDOWS\system32\services.exe
Info: Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.

11) EventSystem - COM+ Event System
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info:

12) FastUserSwitchingCompatibility - Fast User Switching Compatibility
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Provides management for applications that require assistance in a multiple user environment.

13) helpsvc - Help and Support
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

14) HidServ - HID Input Service
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info:

15) lanmanserver - Server
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

16) lanmanworkstation - Workstation
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

17) LmHosts - TCP/IP NetBIOS Helper
Path: C:\WINDOWS\System32\svchost.exe -k LocalService
Info: Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.

18) navapsvc - Norton AntiVirus Auto Protect Service
Path: C:\Program Files\Norton AntiVirus\navapsvc.exe
Info: Handles Norton AntiVirus Auto-Protect events.

19) Netman - Network Connections
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.

20) Nla - Network Location Awareness (NLA)
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Collects and stores network configuration and location information, and notifies applications when this information changes.

21) NProtectService - Norton Unerase Protection
Path: C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
Info:

22) NVSvc - NVIDIA Driver Helper Service
Path: C:\WINDOWS\System32\nvsvc32.exe
Info:

23) PlugPlay - Plug and Play
Path: C:\WINDOWS\system32\services.exe
Info: Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.

24) PolicyAgent - IPSEC Services
Path: C:\WINDOWS\System32\lsass.exe
Info: Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.

25) ProtectedStorage - Protected Storage
Path: C:\WINDOWS\system32\lsass.exe
Info: Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users.

26) RasMan - Remote Access Connection Manager
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Creates a network connection.

27) RemoteRegistry - Remote Registry
Path: C:\WINDOWS\system32\svchost.exe -k LocalService
Info: Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start.

28) RpcSs - Remote Procedure Call (RPC)
Path: C:\WINDOWS\system32\svchost -k rpcss
Info: Provides the endpoint mapper and other miscellaneous RPC services.

29) SamSs - Security Accounts Manager
Path: C:\WINDOWS\system32\lsass.exe
Info: Stores security information for local user accounts.

30) Schedule - Task Scheduler
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start.

31) seclogon - Secondary Logon
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

32) SENS - System Event Notification
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Info: Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events.

33) ShellHWDetection - Shell Hardware Detection
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info: