Something keeps downloading and it's really starting to bother me.

Posted on 2005-04-30
Last Modified: 2012-05-05
I'm on a dial-up connection, so any sort of download like this really brings my connection to a halt.  I'm a very paranoid person and I keep my computer very clean. I have AVG anti-virus, Ad-Aware SE, Zone-Alarm Pro.  And I'm running Windows XP Pro SP2 with all latest updates.

According to my firewall, "Generic Host Process for Win32 Services" keeps downloading things at about 50% of my bandwidth.  I hit the stop button when I notice this and set the permissions to ask me if it wants to access again.  It then stops for about 10 mins or so, and then pops up the message asking me if I want to accept connections for this.  I hit DENY, and everything seems to work just fine.

HOWEVER, this generic host process is usually required for when I access my e-mail or some websites.  So I'm in a constant battle of accepting it, and denying it when it wants to download for no reason.

I have automatic updates TURNED OFF.  So I have no idea what is trying to download on my computer.  If I just let it download it goes forever... WHAT on earth could it be?  Also, every day I get blocked attempts, probably just port scans, but dangit, with all the Windows updates I would think I'd be safe.

Anyways, what is this generic host process used for, and what do you think it could be downloading?

Question by:Whipsmack
    LVL 12

    Expert Comment


    Get "Process Explorer" (free) and see what is running:

    "Generic Host Process for Win32 Services" - it's svchost.exe - it's normal to see more than one instance
    of svchost.exe running on Win 2000/XP (I usually see 4 to 5 running).
    Go through them and look at what's "calling" them -
    Maybe, some "strange" Dll/exe  ?!?

    LVL 4

    Assisted Solution

    "'Generic Host Process for Win32 Services' keeps downloading things at about 50% of my bandwidth."

    Actually, it might not be "downloading" at all. Since I have exactly the same firewall as you use, it's pretty easy for me to see what can be happening.  Actually, the Generic Host Process for Win32 Services is only listening to a port, and that's ONLY in the trusted zone, port TCP 1025 and 5000. In fact, on my PC, the services aren't even generating ANY internet traffic, according to ZoneAlarm.

    Furthermore, did you really test if your connection is slower? Or do you just think it's slower? Modems are perfect things to get various connection speeds, most times because of large file downloads. Try testing your connection here:
    Block and test, and then unblock and test, and see if it really makes a difference. This site is one of the few that actually can test even if you're proxied, so that's why I use it :).

    Also try opening the Task Manager when you're idle. Take the Network tab, and see if any data is passing through. If you're not busy, it should be more than a few bits or so.

    Oh, btw... if those programs you noted are the only security tools, you are missing an anti-spyware program.  Try these 2 if you don't have them: (Spybot Search and Destroy, very good freeware one)
    (Microsoft Antispyware, Beta, but functioning very well)
    LVL 32

    Accepted Solution

    Try the following from a command window (Start->Programs->Accessories->Command Window):

    > cd \
    > tasklist /svc > list.txt

    This will save a file named list.txt on your c: root folder. Please cut and paste the contents of that file here. It may help decide if anything suspicious is running on your system. Thanks.

    Author Comment

    Okay, I downloaded that Process Explorer (pretty nifty :)  And I unblocked generic host process and sure enough 2 minutes later it starts downloading.

    And yes, I'm sure it's downloading because my network link is constantly receiving data.  And when I try to play a game my ping time goes from 200 to 600, meaning something is hogging my bandwidth.

    HERE is what's downloading the data according to the explorer

    svchost.exe (PID= 916) and there's a plus box where a file below that is running
    -    wscntfy.exe (PID=1384) Windows Security Center Notification App
    Although the CPU process is only on svchost, not the wscntfy

    Also, I took r-k's advice and made the list. It looks like svchost 916 has a lot more apps running through it than what Process Explorer was showing.  Here's the list

    Image Name                   PID Services                                    
    ========================= ====== =============================================
    System Idle Process            0 N/A                                          
    System                         4 N/A                                          
    smss.exe                     500 N/A                                          
    csrss.exe                    552 N/A                                          
    winlogon.exe                 576 N/A                                          
    services.exe                 620 Eventlog, PlugPlay                          
    lsass.exe                    632 PolicyAgent, ProtectedStorage, SamSs        
    ati2evxx.exe                 792 Ati HotKey Poller                            
    svchost.exe                  808 DcomLaunch, TermService                      
    svchost.exe                  864 RpcSs                                        
    svchost.exe                  916 AudioSrv, BITS, Browser, CryptSvc, Dhcp,    
                                     dmserver, ERSvc, EventSystem,                
                                     FastUserSwitchingCompatibility, helpsvc,    
                                     lanmanserver, lanmanworkstation, Netman,    
                                     Nla, RasMan, Schedule, seclogon, SENS,      
                                     SharedAccess, ShellHWDetection, srservice,  
                                     TapiSrv, Themes, TrkWks, W32Time, winmgmt,  
                                     wscsvc, wuauserv, WZCSVC                    
    svchost.exe                  980 Dnscache                                    
    svchost.exe                 1016 LmHosts, RemoteRegistry, WebClient          
    spoolsv.exe                 1192 Spooler                                      
    avgamsvr.exe                1336 Avg7Alrt                                    
    avgupsvc.exe                1428 Avg7UpdSvc                                  
    ati2evxx.exe                1464 N/A                                          
    ncupdatesvc.exe             1560 NCUpdateSvc                                  
    explorer.exe                1596 N/A                                          
    wdfmgr.exe                  1736 UMWdf                                        
    vsmon.exe                   1808 vsmon                                        
    alg.exe                      364 ALG                                          
    atiptaxx.exe                 776 N/A                                          
    CTHELPER.EXE                 936 N/A                                          
    qttask.exe                  1048 N/A                                          
    winampa.exe                 1032 N/A                                          
    realplay.exe                1112 N/A                                          
    avgcc.exe                   1268 N/A                                          
    PDVDServ.exe                1296 N/A                                          
    SM1bg.exe                   1348 N/A                                          
    wscntfy.exe                 1384 N/A                                          
    zlclient.exe                1360 N/A                                          
    procexp.exe                 3060 N/A                                          
    msimn.exe                   2868 N/A                                          
    firefox.exe                  712 N/A                                          
    cmd.exe                     3752 N/A                                          
    tasklist.exe                2908 N/A                                          
    wmiprvse.exe                3336 N/A                                      

    Thanks a lot everyone!    

    Author Comment

    Well I wish that process explorer could tell me exactly which one of those apps under 916 is doing the downloading.  I suspected it might be the BITS technology that is used to download patches for a certain video game that I play.  I disabled it, restarted and that didn't fix it, still continues to download data. hmmm
    LVL 38

    Expert Comment

    by:Rich Rumble
    Turn off system restore, and try running ad-aware after system restore is off
    LVL 32

    Expert Comment

    >>>I suspected it might be the BITS technology that is used to download patches for a certain video game that I play.  I disabled it,...

    I think that gives the clue. There seems to be nothing wrong. BITS is the "Background Intelligent Transfer Service" from Microsoft. When it is in your tasklist it means that you are receiving a Windows update from Microsoft. You can download information about it at:

    For some reason, your automatic update is running even though you think it is disabled. Please check that setting again. I think the download activity you see is just BITS downloading stuff from Microsoft. Normally this should also put an icon in the system tray, and if you point the mouse over it, it should say "downloading" or something like that.
    LVL 32

    Expert Comment

    To further check what might be doing the downloading, you can type (in a command window):

    > netstat -o

    And optionally save it to a text file:

    > netstat -o > net.txt

    and then cut and paste the contents of the net.txt file here.
    LVL 32

    Expert Comment

    There is nothing in the Tasklist you posted that suggests anything wrong or suspicious.

    Author Comment

    Well I can't thank you all enough for the wonderful help.  I will be accepting an answer as soon as I get the download to come back so I can log it to that net.txt file.  

    I'm positive Windows Update is off, the BITS for the game is off, and system restore is now off.  Nothing is happening yet; I'll give it a bit and see if it comes back.
    LVL 32

    Expert Comment

    Thanks. I assume that your system is OK now that you turned off all the automatic downloads. Just for completeness, I want to mention that with Win/XP SP2 or later, the better command to check network connections is:

     netstat -ab

    This not only identifies the connections, but also names the process that is using each.

    Good luck.
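
Added example, not part of the original thread: a Python sketch that joins the two outputs the experts asked for, `tasklist /svc` and `netstat -o`, by PID, handling the wrapped service rows seen under svchost 916. The sample text is constructed, the function names are hypothetical, and the remote hosts are placeholders; for a shared svchost the result is a list of candidate services, not the one responsible.

```python
import re
# Constructed samples; the svchost 916 row is abridged from the thread's listing.
TASKLIST = """\
Image Name                   PID Services
========================= ====== =============================================
svchost.exe                  916 AudioSrv, BITS, Browser, CryptSvc, Dhcp,
                                     dmserver, wscsvc, wuauserv, WZCSVC
msimn.exe                   2868 N/A
"""
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    mypc:1078              download.example:http  ESTABLISHED     916
  TCP    mypc:1080              mail.example:pop3      ESTABLISHED     2868
  UDP    mypc:1900              *:*                                    4
"""

def split_services(field):
    """Split a Services cell on commas, dropping blanks and the N/A marker."""
    return [s.strip() for s in field.split(",") if s.strip() not in ("", "N/A")]

def parse_tasklist(text):
    """Map PID -> (image name, [services]), joining wrapped service rows."""
    procs, last = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s+(\d+)\s+(.*)$", line)
        if m:  # a new process row: name, PID, first part of the service list
            last = int(m.group(2))
            procs[last] = (m.group(1), split_services(m.group(3)))
        elif line[:1].isspace() and line.strip() and last is not None:
            procs[last][1].extend(split_services(line))  # wrapped continuation
    return procs

def parse_netstat(text):
    """Return (proto, remote, state, pid) per row; UDP rows have no state."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0] in ("TCP", "UDP") and f[-1].isdigit():
            rows.append((f[0], f[2], f[3] if len(f) == 5 else "", int(f[-1])))
    return rows

def attribute(tasklist_text, netstat_text):
    """Attach image name and candidate services to each connection's PID."""
    procs = parse_tasklist(tasklist_text)
    return [(remote, state, pid) + procs.get(pid, ("<not in tasklist>", []))
            for _, remote, state, pid in parse_netstat(netstat_text)]

if __name__ == "__main__":
    for remote, state, pid, image, services in attribute(TASKLIST, NETSTAT):
        print(f"{remote:22} {state:12} {pid:>5} {image:18} {', '.join(services) or '-'}")
```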
