GRC Security Scan Problem with Svchost.exe, Lsass.exe, Wininit.exe, Services.exe listening on 1025-1030 port range
Hi,

Configuration: Vista Home Premium machine with SP1 and latest updates installed.

A few days ago, for some reason, the default ports, which were in the 40000-50000 range for svchost.exe, lsass.exe and wininit.exe, changed to the 1025-1030 range.

netstat -abno gives the following results:

  TCP    0.0.0.0:1025    0.0.0.0:0    LISTENING
  [wininit.exe]
  TCP    0.0.0.0:1026    0.0.0.0:0    LISTENING
   Eventlog
  [svchost.exe]
  TCP    0.0.0.0:1027    0.0.0.0:0    LISTENING
   Schedule
  [svchost.exe]
  TCP    0.0.0.0:1028    0.0.0.0:0    LISTENING
  [lsass.exe]
  TCP    0.0.0.0:1029    0.0.0.0:0    LISTENING
   PolicyAgent
  [svchost.exe]
  TCP    0.0.0.0:1030    0.0.0.0:0    LISTENING
  [services.exe]

The problem is that the GRC ShieldsUp scan says those ports are open, failing the TruStealth Analysis. The firewall used on that particular machine is Comodo; wininit.exe (sitting on port 1025) was always blocked from any incoming connections. Also, another machine with exactly the same configuration doesn't have this issue, and the same executables with exactly the same components and processes listen on the 40000-50000 port range.

Another thing is that ICS is activated on the problematic machine, but even after disabling it this problem persists.

So my question is: what could cause this*, and is there any way (probably some registry key) to re-configure or change the default listening ports for svchost.exe, lsass.exe and wininit.exe back to the "right" 40k-50k range?

P.S.: *Scanned with AVG antivirus and other spyware tools, and also checked the MD5 signature of those executables; they are legitimate and from Microsoft, so it's not a virus or spyware issue, rather some configuration causing this, but where to look for it?
October 25th, 2008 1:40am

This behavior can be caused by one of your background programs. Please boot in Clean Boot Mode to narrow down the cause.

Clean boot
=================
Let's disable all startup items and third party services when booting. This method will help us determine if this issue is caused by a loading program or service. Please perform the following steps:

1. Click the Start Button, type "msconfig" (without quotation marks) in the Start Search box, and then press Enter.
   Note: If prompted, please click Continue on the User Account Control (UAC) window.
2. Click the "Services" tab, check the "Hide All Microsoft Services" box and click "Disable All" (if it is not gray).
3. Click the "Startup" tab, click "Disable All" and click "OK". Then, restart the computer. When the "System Configuration Utility" window appears, please check the "Don't show this message or launch the System Configuration Utility when Windows starts" box and click OK.

Please test this issue in the Clean Boot environment. If the issue disappears in the Clean Boot environment, we can use a 50/50 approach to quickly narrow down which entry is causing the issue. For more information about this step, please refer to the following KB article:

How to troubleshoot a problem by performing a clean boot in Windows Vista
http://support.microsoft.com//kb/929135

However, if the issue persists in Clean Boot Mode, please boot in Safe Mode, and let me know if the issue occurs.
October 30th, 2008 12:19pm

Hi, thank you for your reply.

I tried to do a clean boot, but it didn't solve the problem. I also tried to start Vista in Safe Mode with and without Network support; that didn't help. No other application is using the 40k-50k ports apart from Firefox sometimes, but still there were not enough connections from FF to occupy all this range. What could cause this?

P.S.: the other machine doesn't have this problem at all, although they are running the same configurations:
- Vista Home Premium machine with SP1 and latest updates installed (French version)
- Latest Comodo 3
- AVG Antivirus
- Lavasoft Ad-Aware
Everything is up to date.

Could it be something related to the MS08-067 vulnerability?

Thank you in advance.
November 5th, 2008 12:36am

Hi,

In Windows Vista, changing related configuration for system processes needs high privilege. As far as we know, no programs can change the port for system processes. I suggest that we check port information again. The following article may be referred to:

http://blogs.techrepublic.com.com/datacenter/?p=453

Important Note: Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

If some process has occupied the 1025-1030 ports, the system may change the ports for system processes to another port. If you find that system processes such as svchost.exe run with ports in the 40000-50000 range, I suggest that you try to find which processes are using the 1025-1030 ports.
November 12th, 2008 12:53pm

Hi, thank you for the reply.

So is it normal that Windows Services run on the 1025-1030 ports? Here is the result of the netstat & tasklist commands:

C:\Windows>netstat -a -n -o

Connexions actives

  Proto  Adresse locale         Adresse distante       État
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       984
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       660
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING       1076
  TCP    0.0.0.0:1027           0.0.0.0:0              LISTENING       1132
  TCP    0.0.0.0:1028           0.0.0.0:0              LISTENING       740
  TCP    0.0.0.0:1029           0.0.0.0:0              LISTENING       2352
  TCP    0.0.0.0:1030           0.0.0.0:0              LISTENING       708
  TCP    0.0.0.0:2869           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1400
  TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:23727          0.0.0.0:0              LISTENING       5660
  TCP    127.0.0.1:1042         127.0.0.1:1043         ESTABLISHED     1456
  TCP    127.0.0.1:1043         127.0.0.1:1042         ESTABLISHED     1456
  TCP    127.0.0.1:1044         127.0.0.1:1045         ESTABLISHED     1456
  TCP    127.0.0.1:1045         127.0.0.1:1044         ESTABLISHED     1456
  TCP    [::]:135               [::]:0                 LISTENING       984
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::]:1025              [::]:0                 LISTENING       660
  TCP    [::]:1026              [::]:0                 LISTENING       1076
  TCP    [::]:1027              [::]:0                 LISTENING       1132
  TCP    [::]:1028              [::]:0                 LISTENING       740
  TCP    [::]:1029              [::]:0                 LISTENING       2352
  TCP    [::]:1030              [::]:0                 LISTENING       708
  TCP    [::]:2869              [::]:0                 LISTENING       4
  TCP    [::]:3389              [::]:0                 LISTENING       1400
  TCP    [::]:5357              [::]:0                 LISTENING       4
  UDP    0.0.0.0:123            *:*                                    1284
  UDP    0.0.0.0:500            *:*                                    1132
  UDP    0.0.0.0:3702           *:*                                    1284
  UDP    0.0.0.0:3702           *:*                                    1284
  UDP    0.0.0.0:4500           *:*                                    1132
  UDP    0.0.0.0:5355           *:*                                    1400
  UDP    0.0.0.0:23727          *:*                                    5660
  UDP    0.0.0.0:23728          *:*                                    5660
  UDP    0.0.0.0:49152          *:*                                    1284
  UDP    0.0.0.0:49158          *:*                                    1132
  UDP    0.0.0.0:52644          *:*                                    5660
  UDP    127.0.0.1:1900         *:*                                    1284
  UDP    127.0.0.1:49159        *:*                                    1132
  UDP    127.0.0.1:52645        *:*                                    5660
  UDP    127.0.0.1:53363        *:*                                    1284
  UDP    127.0.0.1:54454        *:*                                    5320
  UDP    127.0.0.1:61942        *:*                                    1108
  UDP    127.0.0.1:64553        *:*                                    1132
  UDP    127.0.0.1:64555        *:*                                    1108
  UDP    127.0.0.1:64556        *:*                                    2764
  UDP    [::]:123               *:*                                    1284
  UDP    [::]:500               *:*                                    1132
  UDP    [::]:3702              *:*                                    1284
  UDP    [::]:3702              *:*                                    1284
  UDP    [::]:49153             *:*                                    1284
  UDP    [::1]:1900             *:*                                    1284
  UDP    [::1]:53360            *:*                                    1284

===================================
The concerned PIDs running on 1025-1030 ports are (ordered by port): 660, 1076, 1132, 740, 2352, 708
===================================

/* This one is running on port 1025 */
C:\Windows>tasklist /svc /fi "pid eq 660"

Nom de l'image                 PID Services
========================= ======== ============================================
wininit.exe                    660 N/A

/* This one is running on port 1026 */
C:\Windows>tasklist /svc /fi "pid eq 1076"

Nom de l'image                 PID Services
========================= ======== ============================================
svchost.exe                   1076 Audiosrv, Dhcp, Eventlog, lmhosts, wscsvc

/* This one is running on port 1027 */
C:\Windows>tasklist /svc /fi "pid eq 1132"

Nom de l'image                 PID Services
========================= ======== ============================================
svchost.exe                   1132 AeLookupSvc, Appinfo, BITS, Browser, CertPropSvc, EapHost, gpsvc, IKEEXT, iphlpsvc, LanmanServer, MMCSS, ProfSvc, RasMan, Schedule, seclogon, SENS, SessionEnv, SharedAccess, ShellHWDetection, Themes, Winmgmt, wuauserv

/* This one is running on port 1028 */
C:\Windows>tasklist /svc /fi "pid eq 740"

Nom de l'image                 PID Services
========================= ======== ============================================
lsass.exe                      740 KeyIso, SamSs

/* This one is running on port 1029 */
C:\Windows>tasklist /svc /fi "pid eq 2352"

Nom de l'image                 PID Services
========================= ======== ============================================
svchost.exe                   2352 PolicyAgent

/* This one is running on port 1030 */
C:\Windows>tasklist /svc /fi "pid eq 708"

Nom de l'image                 PID Services
========================= ======== ============================================
services.exe                   708 N/A
November 13th, 2008 5:59am
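As an added example (not code from the thread), the correlation the poster did by hand with netstat -a -n -o and tasklist /svc can be scripted: the parser below reads netstat's table, keeps only listening sockets bound to a wildcard address (0.0.0.0 or [::], the ones a remote scan such as ShieldsUp can reach unless the firewall drops the packets), selects those in the 1025-1030 range, and joins each to the image and services tasklist reported for its PID. The sample input is constructed from the output quoted above, and the tasklist map is a hand-typed subset of it.

```python
import re

# Constructed sample, excerpted from the "netstat -a -n -o" output quoted
# above (French column headers left exactly as netstat printed them).
NETSTAT = """\
Connexions actives

  Proto  Adresse locale    Adresse distante  État         PID
  TCP    0.0.0.0:135       0.0.0.0:0         LISTENING    984
  TCP    0.0.0.0:1025      0.0.0.0:0         LISTENING    660
  TCP    0.0.0.0:1026      0.0.0.0:0         LISTENING    1076
  TCP    0.0.0.0:1028      0.0.0.0:0         LISTENING    740
  TCP    127.0.0.1:1042    127.0.0.1:1043    ESTABLISHED  1456
  TCP    [::]:1025         [::]:0            LISTENING    660
  UDP    0.0.0.0:49158     *:*                            1132
  UDP    127.0.0.1:1900    *:*                            1284
"""
# pid -> (image, services), hand-copied from the tasklist /svc output above
# (the svchost.exe 1132 service list is a subset of the full one).
TASKLIST = {
    660: ("wininit.exe", []),
    1076: ("svchost.exe", ["Audiosrv", "Dhcp", "Eventlog", "lmhosts", "wscsvc"]),
    740: ("lsass.exe", ["KeyIso", "SamSs"]),
    1132: ("svchost.exe", ["IKEEXT", "Schedule", "wuauserv"]),
}
# Wildcard-bound sockets accept traffic on every interface: they are what a
# remote scan sees, unless the host firewall drops the packets first.
WILDCARD = {"0.0.0.0", "[::]"}
# proto, local addr:port, remote endpoint, optional state (TCP only), pid
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

def parse_listeners(text):
    """Yield (proto, bind_addr, port, pid) for TCP LISTENING sockets and every UDP socket."""
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header and blank lines
        proto, addr, port, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # ESTABLISHED/TIME_WAIT rows are connections, not listeners
        yield proto, addr, int(port), int(pid)

def exposed_listeners(text, tasklist, low=1025, high=1030):
    """Wildcard-bound listeners in [low, high], each joined to its owning image and services."""
    found = {}
    for proto, addr, port, pid in parse_listeners(text):
        if addr in WILDCARD and low <= port <= high:
            image, services = tasklist.get(pid, ("<unknown>", []))
            found.setdefault((proto, port), (pid, image, sorted(services)))
    return [(proto, port, *rest) for (proto, port), rest in sorted(found.items())]
```

Running exposed_listeners(NETSTAT, TASKLIST) on the sample returns the three wildcard listeners on 1025, 1026 and 1028 with wininit.exe, svchost.exe (Eventlog group) and lsass.exe as owners; the loopback-only and ESTABLISHED rows are dropped, and the UDP socket on 49158 only shows up if the range is widened to the dynamic ports.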
