Service hidden behind svchost.exe not detected

[tonecool]

trafficstars

I'm never getting the name of actual service trying to connect only svchost.exe process name and "Multiple matches found." red text :( (latest beta3, windows7 sp1, .net4.72)

[wokhan]

Service detection is a tricky process which is not 100% reliable. When you say never, you really mean it never ever worked? Or randomly fails?

[tonecool]

Before running WFN for the first time I started with default firewall rules and all outbound traffic blocked. At the time of writing post, I was using WFN for a couple of hours and no svchost calling services ware detected. But today one service got recognized (Windows time).

[wokhan]

Hi @AtlasHackert & @harrwiss, I think this old issue has been solved by one of you (along with services detection improvements). Please feel free to close the issue if so.

[harrwiss]

Hi @wokhan, yes I tried to improve that when I added the Service column to the security log - for me it works reliably now. Some code cleanup needs to be done though e.g. remove the ServicesForm in Notifier (think it's not needed anymore) and check consistency.

[wokhan]

Thanks! We'll keep the issue open until everything is cleaned up then 😉

[kekukui]

Just for reference, the 'Process Hacker' traffic monitor can identify which hidden service is using the network, for example:

https://github.com/processhacker/processhacker

[harrwiss]

Think WFN quite reliably detects the services now as well. Maybe we could compare them to see if we have any missmatches.

[wokhan]

The guy behind Process Hacker (wj32) is really good, if we got on par with what he offers (at least or this tiny little feature - but super useful), I'd be more than happy! Indeed, comparing could be a way to ensure we / you got it right.