Why Is svchost In My Router????

Yesterday by chance I discovered an entry in my router's persistent port
forwarding screen. The description is "svchost (192.168.2.2:1032) 41670
UDP", public port is 41670 and forwarding to private port 1032. My pc's ip
is 192.168.2.2. I removed the entry but after rebooting my machine it was
back.

I checked the registry (I'm using Windows XP Pro complete w/ all updates)
and found this entry:
HKLM\SOFTWARE\Microsoft\DirectPlayNATHelp\DPNHUPnP \ActiveNATMappings\svchost
(192.168.2.2:1032) 41670 UDP. The data is in binary format.

Does anyone know if this entry is being put there by a legit Windows process
or should I be concerned?

"Wilbert" <Wilbert@discussions.microsoft.com> wrote in message
news:8BC8E23E-8AF5-4729-AEDD-4FC9BFEF7DA8@microsoft.com...
> Yesterday by chance I discovered an entry in my router's persistent port
> forwarding screen. The description is "svchost (192.168.2.2:1032) 41670
> UDP", public port is 41670 and forwarding to private port 1032. My pc's
> ip
> is 192.168.2.2. I removed the entry but after rebooting my machine it was
> back.
>
> I checked the registry (I'm using Windows XP Pro complete w/ all updates)
> and found this entry:
> HKLM\SOFTWARE\Microsoft\DirectPlayNATHelp\DPNHUPnP \ActiveNATMappings\svchost
> (192.168.2.2:1032) 41670 UDP. The data is in binary format.
>
> Does anyone know if this entry is being put there by a legit Windows
> process
> or should I be concerned?
>


Windows, or any OS, can't be putting entries into your router without your
permission. The router will require you to login (if you don't have it
password protected for its login then now is a good time to enable that
option in the router). Maybe you enabled an option in your router that
opens this port, like maybe letting it pass or send UDP requests for UPnP.
Seems your router wants this definition but you never mentioned WHICH router
(brand and model) that you have so no one familiar with it can help.

http://www.iana.org/assignments/port-numbers lists "BBN IAD" for ports
1030-1032, but that abbreviation is worthless (IANA isn't known for explicit
and informative titling of their port number assignments). Although IANA
assigns common uses of port numbers, that doesn't preclude any software from
using whatever port it wants.

You might want to visit the web site for whatever router that you have to
see why they require using and opening this port. It is likely tied to some
function you have enabled in the router.

--
_________________________________________________
| ** Reply to the newsgroup. Share with others ** |
| E-mail: Remove "NIX" and add "#LAH" to Subject. |
|_________________________________________________ |

Thanks Vanguard for your reply. I'm using the Microsoft MN-500 wireless
router, although my pc is wired to it.

"Vanguard (NPI)" wrote:

> "Wilbert" <Wilbert@discussions.microsoft.com> wrote in message
> news:8BC8E23E-8AF5-4729-AEDD-4FC9BFEF7DA8@microsoft.com...
> > Yesterday by chance I discovered an entry in my router's persistent port
> > forwarding screen. The description is "svchost (192.168.2.2:1032) 41670
> > UDP", public port is 41670 and forwarding to private port 1032. My pc's
> > ip
> > is 192.168.2.2. I removed the entry but after rebooting my machine it was
> > back.
> >
> > I checked the registry (I'm using Windows XP Pro complete w/ all updates)
> > and found this entry:
> > HKLM\SOFTWARE\Microsoft\DirectPlayNATHelp\DPNHUPnP \ActiveNATMappings\svchost
> > (192.168.2.2:1032) 41670 UDP. The data is in binary format.
> >
> > Does anyone know if this entry is being put there by a legit Windows
> > process
> > or should I be concerned?
> >
>
>
> Windows, or any OS, can't be putting entries into your router without your
> permission. The router will require you to login (if you don't have it
> password protected for its login then now is a good time to enable that
> option in the router). Maybe you enabled an option in your router that
> opens this port, like maybe letting it pass or send UDP requests for UPnP.
> Seems your router wants this definition but you never mentioned WHICH router
> (brand and model) that you have so no one familiar with it can help.
>
> http://www.iana.org/assignments/port-numbers lists "BBN IAD" for ports
> 1030-1032, but that abbreviation is worthless (IANA isn't known for explicit
> and informative titling of their port number assignments). Although IANA
> assigns common uses of port numbers, that doesn't preclude any software from
> using whatever port it wants.
>
> You might want to visit the web site for whatever router that you have to
> see why they require using and opening this port. It is likely tied to some
> function you have enabled in the router.
>
> --
> _________________________________________________
> | ** Reply to the newsgroup. Share with others ** |
> | E-mail: Remove "NIX" and add "#LAH" to Subject. |
> |_________________________________________________ |
>
>
>

Somebody suggested to me that I disable the Universal Plug and Play Device
Host service, which I did and the problem went away. After removing that
entry in the router and in the registry, I rebooted a few times and the entry
did not come back. Obviously, it was put there by UPnP.


"Vanguard (NPI)" wrote:

> "Wilbert" <Wilbert@discussions.microsoft.com> wrote in message
> news:8BC8E23E-8AF5-4729-AEDD-4FC9BFEF7DA8@microsoft.com...
> > Yesterday by chance I discovered an entry in my router's persistent port
> > forwarding screen. The description is "svchost (192.168.2.2:1032) 41670
> > UDP", public port is 41670 and forwarding to private port 1032. My pc's
> > ip
> > is 192.168.2.2. I removed the entry but after rebooting my machine it was
> > back.
> >
> > I checked the registry (I'm using Windows XP Pro complete w/ all updates)
> > and found this entry:
> > HKLM\SOFTWARE\Microsoft\DirectPlayNATHelp\DPNHUPnP \ActiveNATMappings\svchost
> > (192.168.2.2:1032) 41670 UDP. The data is in binary format.
> >
> > Does anyone know if this entry is being put there by a legit Windows
> > process
> > or should I be concerned?
> >
>
>
> Windows, or any OS, can't be putting entries into your router without your
> permission. The router will require you to login (if you don't have it
> password protected for its login then now is a good time to enable that
> option in the router). Maybe you enabled an option in your router that
> opens this port, like maybe letting it pass or send UDP requests for UPnP.
> Seems your router wants this definition but you never mentioned WHICH router
> (brand and model) that you have so no one familiar with it can help.
>
> http://www.iana.org/assignments/port-numbers lists "BBN IAD" for ports
> 1030-1032, but that abbreviation is worthless (IANA isn't known for explicit
> and informative titling of their port number assignments). Although IANA
> assigns common uses of port numbers, that doesn't preclude any software from
> using whatever port it wants.
>
> You might want to visit the web site for whatever router that you have to
> see why they require using and opening this port. It is likely tied to some
> function you have enabled in the router.
>
> --
> _________________________________________________
> | ** Reply to the newsgroup. Share with others ** |
> | E-mail: Remove "NIX" and add "#LAH" to Subject. |
> |_________________________________________________ |
>
>
>

"" wrote:
> Yesterday by chance I discovered an entry in my router's
> persistent port
> forwarding screen. The description is "svchost
> (192.168.2.2:1032) 41670
> UDP", public port is 41670 and forwarding to private port
> 1032. My pc's ip
> is 192.168.2.2. I removed the entry but after rebooting my
> machine it was
> back.
>
> I checked the registry (I'm using Windows XP Pro complete w/
> all updates)
> and found this entry:
> HKLMSOFTWAREMicrosoftDirectPlayNATHelpDPNHUPnPActi veNATMa
> ppingssvchost
>
> (192.168.2.2:1032) 41670 UDP. The data is in binary format.
>
> Does anyone know if this entry is being put there by a legit
> Windows process
> or should I be concerned?

You should be concerned reguradless of whether it is "ligitimate" or
not, you should take messurs to stop such activits, in this case the
best would be to install a good firewall, I would personaly recomend
ZoneAlarm.

ZoneAlarm:
http://www.zonelabs.com/store/conten...btop nav_zass

--
Posted using the http://www.windowsforumz.com interface, at author's request
Articles individually checked for conformance to usenet standards
Topic URL: http://www.windowsforumz.com/svchost...ict442036.html
Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.windowsforumz.com/eform.php?p=1492689