Process ID zero on Windows

Tags: Process ID, Windows XP, Windows XP administration, Windows XP SP3
I am learning how to analyze what a Windows system is doing based on looking at processes and network connections.

One system I just ran across has Process ID zero with multiple connections to external IP addresses (most Yahoo registered) on port 80. This has me suspicious as I assume process ID zero (PID 0) would be one of the first processes to run at startup and would be unlikely to ever need to talk to anything on the Net.

Can someone explain this or am I potentially looking at a system with unauthorized software running and hiding?



Software/Hardware used:
Windows XP SP3

Answer Wiki

I found something similar a few months ago while using Sysinternals' TCPView (http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx), and after some research I found this (but this is exclusive for TCPView, so if you are using other monitoring software this might not apply):

“Notes – Svchost.exe is related to various Windows Services. A Remote Address of *.* means the port is open but not connection to anything. TCPView may show that the System Idle process (PID 0) is using some TCP ports. This behavior may occur if a local program connects to a TCP port, and then stops. The program’s TCP connection to the port may be left in a “Timed Wait” state even though the program is no longer running. In this case, TCPView may detect that the port is in use. However, TCPView cannot identify the program that is using the port because the program has stopped and the PID was released.”

-CarlosDL
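The TCPView note above describes one specific pattern: a socket left in TIME_WAIT after its owning process has exited, which tools then attribute to PID 0 because the PID has been released. The script below is an added example, not part of the original thread or of TCPView; it parses constructed `netstat -ano` style output (the Windows XP command that lists connections with their PID) and separates that expected case from PID-0 sockets in any other state, which are the ones worth cross-checking with a second tool. The sample lines, addresses and PIDs are constructed for the example.

```python
"""Triage PID-0 entries in Windows `netstat -ano` output (added example).

Separates the benign case the answer describes (a TIME_WAIT socket whose
owner has exited, so the PID reads 0) from PID-0 sockets in other states,
which a live process should own and which therefore deserve a closer look.
"""
from collections import namedtuple

Conn = namedtuple("Conn", "proto local remote state pid")

# Constructed sample in `netstat -ano` format; addresses use documentation
# ranges (203.0.113.0/24, 198.51.100.0/24) and are not real endpoints.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1032
  TCP    192.168.1.10:1054      203.0.113.25:80        TIME_WAIT       0
  TCP    192.168.1.10:1055      203.0.113.26:80        TIME_WAIT       0
  TCP    192.168.1.10:1060      203.0.113.40:80        ESTABLISHED     0
  TCP    192.168.1.10:1061      198.51.100.7:443       ESTABLISHED     2216
  UDP    0.0.0.0:445            *:*                                    4
"""


def parse_netstat(text):
    """Parse `netstat -ano` text into Conn tuples, skipping header lines.

    TCP rows carry a State column; UDP rows do not, so the two row shapes
    are handled separately."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, remote, pid = parts
            state = ""
        else:
            continue  # malformed or wrapped line; ignore rather than guess
        conns.append(Conn(proto, local, remote, state, int(pid)))
    return conns


def triage_pid0(conns):
    """Return (expected, suspicious) lists of TCP entries attributed to PID 0.

    expected:   TIME_WAIT sockets. The owning process has exited and its PID
                was released, but the TCP stack keeps the endpoint for the
                TIME_WAIT period, so tools can only report PID 0 (the case
                described in the TCPView note).
    suspicious: any other state (ESTABLISHED, LISTENING, ...). A live socket
                should have a live owner; no owner means the attribution
                failed and the entry should be cross-checked with another
                tool before drawing conclusions."""
    expected, suspicious = [], []
    for c in conns:
        if c.proto != "TCP" or c.pid != 0:
            continue
        (expected if c.state == "TIME_WAIT" else suspicious).append(c)
    return expected, suspicious


def summarize(text):
    """Counts of PID-0 TCP entries by category, for a quick triage report."""
    expected, suspicious = triage_pid0(parse_netstat(text))
    return {"time_wait_released": len(expected), "needs_review": len(suspicious)}


if __name__ == "__main__":
    exp, sus = triage_pid0(parse_netstat(SAMPLE_NETSTAT))
    for c in exp:
        print(f"expected   PID 0 {c.state:<11} {c.local} -> {c.remote}")
    for c in sus:
        print(f"review     PID 0 {c.state:<11} {c.local} -> {c.remote}")
    print(summarize(SAMPLE_NETSTAT))
```

Running it against real output (`netstat -ano > conns.txt`, then feeding the file to `parse_netstat`) gives the same split: a run of PID-0 TIME_WAIT rows to web servers is consistent with a browser or updater that has already closed, while a PID-0 row in ESTABLISHED or LISTENING is the one to look at more carefully.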

———-

Discuss This Question: 1 Reply

  • Cybernorris
    [...] is the original: Process ID zero on Windows By admin | category: zero system | tags: based-on-looking, doing-based, learning-how, [...]