How to block only one instance of Svchost from accessing to Internet?

%3CLINGO-SUB%20id%3D%22lingo-sub-965600%22%20slang%3D%22en-US%22%3EHow%20to%20block%20only%20one%20instance%20of%20Svchost%20from%20accessing%20to%20Internet%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-965600%22%20slang%3D%22en-US%22%3E%3CP%3EI'm%20looking%20for%20a%20way%20to%20block%20a%20Windows%20service%20that%20runs%20under%20svchost.exe%20process%20from%20accessing%20to%20Internet.%20I%20can't%20block%20the%20whole%20process%20because%20it%20will%20break%20other%20things.%20I%20just%20want%20to%20block%20one%20instance%20like%20this%20svchost.exe%20-k%20utcsvc%20which%20is%20located%20in%20%25SystemRoot%25%5CSystem32%5Csvchost.exe%20-k%20utcsvc.%20Is%20there%20any%20way%20to%20do%20it%20inside%20Windows%20or%20with%20third%20party%20software%3F%20I'm%20using%20Kaspersky%20Internet%20security%20if%20that%20helps.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-965600%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3Esvchost%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-965642%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20block%20only%20one%20instance%20of%20Svchost%20from%20accessing%20to%20Internet%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-965642%22%20slang%3D%22en-US%22%3EHi%2C%3CBR%20%2F%3EYou%20cannot.%20Instead%20try%20blocking%20the%20connection%20based%20on%20network%20flow%20characteristics%20like%20port.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-965667%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20block%20only%20one%20instance%20of%20Svchost%20from%20accessing%20to%20Internet%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-965667%22%20slang%3D%22en-US%22%3EI'm%20note%20sure%20if%20blocking%20IP%20address%20is%20an%20efficient%20option%20let%20alone%20blocking%20a%20port.%20they%20can%20be%20changed%20easily%20by%20the%20server.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-965675%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20block%20only%20one%20instance%20of%20Svchost%20from%20accessing%20to%20Internet%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-965675%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F436344%22%20target%3D%22_blank%22%3E%40Hawkings001%3C%2FA%3E%26nbsp%3BYou%20can%20create%20Outbound%20Block%20Rules%20in%20Windows%20Firewall%20to%20block%20connections%20from%20a%20specific%20Windows%20Service.%3C%2FP%3E%3CP%3EOpen%20wf.msc%20and%20create%20a%20new%20Outbound%20Rule.%20Choose%20Custom-Rule%20and%20click%20Next.%20Use%20%22%25SystemRoot%25%5Csystem32%5Csvchost.exe%22%20as%20program%20path.%20Directly%20beneath%20the%20program%20path%20you%20can%20select%20%22Customize...%22%20to%20specify%20which%20services%20this%20rule%20applies%20to.%20Select%20%22Apply%20to%20service%20with%20this%20service%20short%20name%22%20and%20enter%20%22utcsvc%22%20as%20the%20short%20name.%20Keep%20the%20defaults%20for%20Protocol%20and%20Ports%20(Any).%20Keep%20the%20Scope%20on%20Any%20to%20Any.%20Choose%20%22Block%20the%20connection%22%20as%20Action.%20Apply%20the%20rule%20to%20all%20profiles.%20Name%20your%20rule%20and%20click%20finish.%3C%2FP%3E%3CP%3EBlock-Rules%20always%20win%20against%20allow%20rules%2C%20and%20the%20rule%20you%20created%20applies%20only%20to%20this%20one%20service.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-965845%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20block%20only%20one%20instance%20of%20Svchost%20from%20accessing%20to%20Internet%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-965845%22%20slang%3D%22en-US%22%3EThis%20is%20a%20standard%20feature%20of%20Windows%20firewall.%20You'll%20need%20to%20disable%20KIS%20firewall%20and%20use%20the%20Windows%20firewall%20instead%20if%20you%20want%20to%20do%20this%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-965854%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20block%20only%20one%20instance%20of%20Svchost%20from%20accessing%20to%20Internet%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-965854%22%20slang%3D%22en-US%22%3E%3CP%3EI%20found%20out%20that%20this%20is%20a%20standard%20Windows%20firewall%20feature%20and%20I%20have%20to%20disable%20KIS%20firewall%20if%20I%20want%20to%20do%20this.%20I'll%20have%20to%20see%20If%20i%20can%20pull%20that%20off%20first%20and%20whether%20or%20not%20it's%20worth%20it..Thanks%20anyway%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
New Contributor

I'm looking for a way to block a Windows service that runs under svchost.exe process from accessing to Internet. I can't block the whole process because it will break other things. I just want to block one instance like this svchost.exe -k utcsvc which is located in %SystemRoot%\System32\svchost.exe -k utcsvc. Is there any way to do it inside Windows or with third party software? I'm using Kaspersky Internet security if that helps.

4 Replies
Highlighted
Hi,
You cannot. Instead try blocking the connection based on network flow characteristics like port.
Highlighted
I'm note sure if blocking IP address is an efficient option let alone blocking a port. they can be changed easily by the server.
Highlighted

@Hawkings001 You can create Outbound Block Rules in Windows Firewall to block connections from a specific Windows Service.

Open wf.msc and create a new Outbound Rule. Choose Custom-Rule and click Next. Use "%SystemRoot%\system32\svchost.exe" as program path. Directly beneath the program path you can select "Customize..." to specify which services this rule applies to. Select "Apply to service with this service short name" and enter "utcsvc" as the short name. Keep the defaults for Protocol and Ports (Any). Keep the Scope on Any to Any. Choose "Block the connection" as Action. Apply the rule to all profiles. Name your rule and click finish.

Block-Rules always win against allow rules, and the rule you created applies only to this one service.

 

Highlighted

I found out that this is a standard Windows firewall feature and I have to disable KIS firewall if I want to do this. I'll have to see If i can pull that off first and whether or not it's worth it..Thanks anyway