Does TCPView ever show the System Idle Process with any connections in the LISTENING or ESTABLISHED state?
All of the System Idle Process connections listed are in the TIME_WAIT state - which most probably means that some other process created the connection and closed it. (I'd guess something trying to talk to spoolsv.exe since it's listening on port 6160)

> Has anyone seen anything like this before?

No, not that many connections in a timed wait state. But whenever a connection is closed it moves to the TIME_WAIT state and TCPView says it's owned by [System Process]:0 on my windoze machine.

HTH,
Lee

John Davison <[EMAIL PROTECTED]> wrote on 07/07/2006 04:21:50 PM:

> I've never seen anything like this before. After experiencing some really
> strange behavior from various applications and a lot of looking around, I
> downloaded TCPView from System Internals and found that the System Idle
> Process (id 0) is making connections to itself, from source port 6160 to a
> series of local ports and keeps incrementing.
>
> Has anyone seen anything like this before?
>
> Here's a TCPView dump.
>
> lsass.exe:676 TCP 0.0.0.0:1043 0.0.0.0:0 LISTENING
> RSLINX.EXE:516 TCP 0.0.0.0:2222 0.0.0.0:0 LISTENING
> RSLINX.EXE:516 TCP 0.0.0.0:44818 0.0.0.0:0 LISTENING
> spoolsv.exe:1272 TCP 0.0.0.0:6160 0.0.0.0:0 LISTENING
> svchost.exe:440 TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING
> svchost.exe:960 TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
> System:4 TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
> System:4 TCP 10.1.1.150:139 0.0.0.0:0 LISTENING
> System:4 TCP 10.1.1.150:4017 10.1.1.1:139 ESTABLISHED
> [System Process]:0 TCP 10.1.1.150:3475 10.1.1.12:445 TIME_WAIT
> RSLINX.EXE:516 TCP 10.1.1.150:1071 10.1.1.99:2222 ESTABLISHED
> svchost.exe:440 TCP 10.1.1.150:3389 10.1.1.121:1989 ESTABLISHED
> svchost.exe:440 TCP 10.1.1.150:3389 10.1.1.134:45843 ESTABLISHED
> [System Process]:0 TCP 10.1.1.150:6160 10.1.1.150:3421 TIME_WAIT
> [System Process]:0 TCP 10.1.1.150:6160 10.1.1.150:3422 TIME_WAIT
> [System Process]:0 TCP 10.1.1.150:6160 10.1.1.150:3423 TIME_WAIT
> [System Process]:0 TCP 10.1.1.150:6160 10.1.1.150:3424 TIME_WAIT

<.. snip ..>
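
An added example, not part of the original thread: a Python sketch of the check the reply describes, parsing rows in the TCPView layout quoted above, counting the [System Process]:0 TIME_WAIT rows per likely owner, and collecting any PID 0 row in another state. Matching the local port to a LISTENING row is a heuristic, the sample rows are constructed from the dump's format, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the column layout of the TCPView dump quoted above.
SAMPLE = """\
spoolsv.exe:1272 TCP 0.0.0.0:6160 0.0.0.0:0 LISTENING
System:4 TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
svchost.exe:440 TCP 10.1.1.150:3389 10.1.1.121:1989 ESTABLISHED
[System Process]:0 TCP 10.1.1.150:3475 10.1.1.12:445 TIME_WAIT
[System Process]:0 TCP 10.1.1.150:6160 10.1.1.150:3421 TIME_WAIT
[System Process]:0 TCP 10.1.1.150:6160 10.1.1.150:3422 TIME_WAIT
"""

# The process name may contain spaces, so the PID is anchored on ":<digits> TCP".
ROW = re.compile(r"^(?P<proc>.+):(?P<pid>\d+)\s+TCP\s+"
                 r"(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<raddr>\S+):(?P<rport>\d+)"
                 r"\s+(?P<state>[A-Z_0-9]+)$")

def parse(dump):
    """Return one dict per IPv4 TCP row; lines that do not match are skipped."""
    rows = []
    for line in dump.splitlines():
        m = ROW.match(line.strip().lstrip("> "))  # tolerate mail quoting
        if m:
            row = m.groupdict()
            for key in ("pid", "lport", "rport"):
                row[key] = int(row[key])
            rows.append(row)
    return rows

def summarize_pid0(rows):
    """Group PID 0 TIME_WAIT rows by likely owner; return other PID 0 rows separately."""
    listeners = {r["lport"]: f'{r["proc"]}:{r["pid"]}'
                 for r in rows if r["state"] == "LISTENING"}
    likely, unexpected = Counter(), []
    for r in rows:
        if r["pid"] != 0:
            continue
        if r["state"] != "TIME_WAIT":
            unexpected.append(r)            # PID 0 in LISTENING/ESTABLISHED etc.
        elif r["lport"] in listeners:
            likely[listeners[r["lport"]]] += 1   # closed connection to a local listener
        else:
            likely[f'outbound to {r["raddr"]}:{r["rport"]}'] += 1
    return likely, unexpected

if __name__ == "__main__":
    likely, unexpected = summarize_pid0(parse(SAMPLE))
    for owner, count in likely.most_common():
        print(f"{count:4d} TIME_WAIT  {owner}")
    print("PID 0 rows in other states:", len(unexpected))
```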