Power User: Every user needs forensic skills
- By John McCormick
- Oct 07, 2004
Whether your job is computer forensics or you're just tired of endless Microsoft Windows upgrades and patches, it's nice to keep a live Linux CD-ROM handy.
LiveBSD and other Linux versions are available on bootable CD-ROMs from many online sites. It takes a while to boot up a command line or graphical interface from a CD, but these days it also takes me a long time to boot Windows XP and weed out the services I don't want.
LiveBSD is a stable operating system I can boot on virtually any PC, new or old, and be sure of having a really clean system. I bought my bootable disk online for less than $5 with shipping, including three Linux versions, utilities, documentation and an office suite. It booted up on the first try. I salute software that works.
In view of numerous problems with my aging XP Pro installation, I might just switch to Linux. Every day something else seems to go wrong as some critical part of XP eats up more CPU cycles.
The morning I wrote this column, svchost.exe had been hogging 95 percent to 100 percent of CPU resources for nearly two hours. But there was really nothing going on.
Symantec Corp.'s Norton Internet Security found no infection. Nor was Microsoft's Distributed Component Object Model running or Port 135 open.
I debated how to regain some of the power being gobbled up by services that didn't appear to be doing anything.
I don't yet trust XP Service Pack 2. Should I reboot? Do a clean XP install? Or switch to Linux? Any choice would take time and waste productivity.
Although there are extensive online chats about overloads like mine, finding out what's going on inside a particular system isn't easy.
It's normal for Win 2000 or XP systems to have several copies of svchost running, so you can't just open Task Manager and shut it down.
But worms such as Welchia can install fake versions of svchost. So can some adware, or even software Microsoft installed by default on your system.The removal
Although I had been running Norton Internet Security without any virus warnings, I started my exploration with a Welchia removal tool from www.symantec.com, remembering to shut off System Restore. Scanning took 111 minutes'remember, svchost was using 95 percent of CPU cycles'but there was no Welchia infection.
Next I tried Steve Gibson's free utility, which I had downloaded from grc.com/dcom/intro.htm, to see whether I might be the victim of some sort of practical joke from Microsoft.
DCOM uses a remote procedure call, usually through TCP port 135, to share Windows COMs over networks. Unfortunately, that gives malware a way in. Even more unfortunate, Microsoft enabled it by default.
Gibson's small utility shows whether DCOM needs to be disabled and can also kill it off.
If you aren't familiar with Gibson, I should mention that he might be the last person on Earth who still writes tiny, solid assembly code. My question is, if he can do it for free, why can't Microsoft do it after charging users billions of dollars?
Next I surfed over to www.lavasoft.de/software/adaware to get a fresh copy of Ad-Aware SE Personal, a good and free anti-spyware utility. I'll let you know what I find in a later column.
If you really want to know what's going on inside your XP system, run tasklist/svc from the command line. I found 49 services'including five copies of svchost'running on mine. John McCormick is a free-lance writer and computer consultant. E-mail him at [email protected].