Re: heavy traffic on port 1025

From: Erwin Michiels (ErwinMichiels_at_discussions.microsoft.com)
Date: 07/31/04


Date: Sat, 31 Jul 2004 07:43:02 -0700

I'm very positive it is task scheduler listening on TCP port 1025. I used Process Explorer (freeware: http://www.sysinternals.com ) to determine this:
1) search for the instance of svchost.exe listening on port 1025 (right-click the instance/properties/tab "TCP/IP");
2) if you found the instance, look on the tab "services" which services are running under this instance; disable the services one by one: if svchost.exe stops listening, you've got the right one; the only tricky part is that you have to reboot each time you disable a service, otherwise svchost.exe keeps listening.
Other sources also agree it's task scheduler listening on TCP port 1025, for instance http://snakefoot.fateback.com/tweak/winnt/service/stuv.html . If you google for "xp listening 1025" you'll find more sources confirming this.

"Doug Knox MS-MVP" wrote:

> I don't see why, if he's one of these experiencing this issue, he doesn't use
>
> NETSTAT -A -B
>
> To see what program is trying to access port 1025. It may be task scheduler, but I doubt it. Probably something that's running as a task.
>
> --
> Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display
> Win 95/98/Me/XP Tweaks and Fixes
> http://www.dougknox.com
> --------------------------------
> Per user Group Policy Restrictions for XP Home and XP Pro
> http://www.dougknox.com/xp/utils/xp_securityconsole.htm
> --------------------------------
> Please reply only to the newsgroup so all may benefit.
> Unsolicited e-mail is not answered.
>
> "Star Fleet Admiral Q" <Star_Fleet_Admiral_Q(NO-SPAM)@(FORGET-SPAM)hotmail.com> wrote in message news:%23LGQwzrdEHA.1356@TK2MSFTNGP09.phx.gbl...
> > Question - if task scheduler is using port 1025, then why are you
> > telling everyone to block all the other ports 1024 and 1026-65535?
> > They may have other important applications running on those ports and
> > what you've told them just broke them - and yes, most people on these
> > groups are not "tech savvy" so next there will be a post "My
> > such-n-such all of a sudden quit working" - be mindful of your audience
> > when suggesting.
> >
> >
> > Star Fleet Admiral Q @ your service
> > --------------------------------------------------------
> > "Erwin Michiels" <ErwinMichiels@discussions.microsoft.com> wrote in
> > message news:E2B7FF8B-0FC3-47FF-A25F-03C32B19F0A1@microsoft.com...
> >> Many people seem to have noticed heavy traffic on port 1025. This
> >> traffic is caused by the task scheduler service hosted by svchost.exe.
> >> This service opens port 1025 by default. There are two ways to block
> >> this traffic:
> >>
> >> 1) disable task scheduler service and reboot; be aware it is
> >> possible that prefetch, system restore and bootvis won't work properly
> >> anymore;
> >>
> >> 2) deny inbound traffic for svchost.exe using TCP on the local ports
> >> 1024-65535; you can use a firewall like Agnitum Outpost 1.0 (freeware)
> >> to configure your system this way (
> >> http://www.agnitum.com/download/outpost1.html ).
> >>
> >> To exploit task scheduler listening on port 1025, you can even
> >> download a tool from the net: remoxec from
> >> http://www.securityfriday.com/tools/Remoxec.html . This explains
> >> probably the amount of scans of port 1025.