
Spooler subsystem app accessing DNS


Boogie Woogie Flu

May 9, 2003, 2:12:11 PM
I'm running Windows 2000 Service Pack 3 on my home PC which is running
ZoneAlarm Pro. ZoneAlarm controls both incoming and outgoing access. For
some unknown reason, I keep getting ZoneAlarm alerts telling me that the
Spooler subsystem app (spoolsv.exe) is attempting to access my ISP's DNS
server. It only seems to happen whenever I launch Adobe Photoshop or
Microsoft Photo Editor. Any ideas why Photoshop or Microsoft Photo Editor
would need access to DNS? Thanks.


Steven L Umbach

May 9, 2003, 3:52:19 PM
I have noticed some applications try to access websites for drivers,
application updates, registration, etc. Probably nothing malicious. If you
are curious, let it proceed sometime to see what happens - maybe to the
point where you can identify the website it wants to access by using
nslookup against the ip address it wants to access. I usually just block
this stuff without getting any annoying notification. --- Steve

"Boogie Woogie Flu" <sp...@email.sux> wrote in message
news:%bSua.2630$Ws4....@nwrddc01.gnilink.net...

Boogie Woogie Flu

May 9, 2003, 3:26:14 PM
> I have noticed some applications try to access websites for drivers,
> application updates, registration, etc. Probably nothing malicious. If you
> are curious, let it proceed sometime to see what happens - maybe to the
> point where you can identify the website it wants to access by using
> nslookup against the ip address it wants to access. I usually just block
> this stuff without getting any annoying notification. --- Steve
>

This was my original thought. I could see this for Photoshop maybe, but
Microsoft Photo Editor? This program is years old and updates are only
available through MS Office Service Releases. There is no registration,
automatic update or update notification function in this application, I'm
pretty sure of that. And if this were the case, would it not access the
software maker's website and not my ISP's DNS? Most importantly, it's not
the app itself trying to access the internet, it's the Spooler Subsystem
App. It seems to happen only when I launch these programs.


Steven L Umbach

May 9, 2003, 4:38:21 PM
It may access the ISP dns server to find the website it wants, since
ip addresses may change over time. The only thing I can suggest to track
down what is happening is to try a trace as I suggested in original
st. --- Steve

"Boogie Woogie Flu" <sp...@email.sux> wrote in message

news:qhTua.275$TM6...@nwrddc02.gnilink.net...

Boogie Woogie Flu

May 10, 2003, 12:14:36 AM
> It may access the ISP dns server to find the website it wants, since
> ip addresses may change over time.

I doubt that it's caused by Photoshop or Photo Editor looking for registration
or updates, because different things happen when a program tries to check
for updates or registration.

For example: ZoneAlarm gives me an alert when I launch Acrobat Reader. The
program that's trying to access the internet is AcroRd32.exe, not Spooler
Subsystem App and an nslookup on the address reveals that the target IP
address belongs to adobe.com, not a DNS server.

I have allowed the program access to see what would happen, but nothing
happens *that I can see.*

> The only thing I can suggest to track
> down what is happening is to try a trace as I suggested in original
> st. ---

A trace to find out what? What I already know, that the target IP is my
ISP's DNS?

Steven L Umbach

May 10, 2003, 10:20:07 AM
I use Kerio, so I am unfamiliar with how ZA works. If it were my
computer, I would create a firewall rule to let spooler access the dns
server and log it to see if I could get more information on the traffic it is
sending. Or I would use a packet sniffer to capture the traffic outbound on
port 53 to see what it wants to resolve which should give a clue as to what
is going on. If you are concerned about trojan or spyware activity, I would
run something like Pest Patrol. You could also run System File Checker sfc
/scannow if you think your spooler file has been changed. Just be sure to
have your install cdrom handy if you do that. --- Steve

"Boogie Woogie Flu" <sp...@email.sux> wrote in message

news:M0%ua.893$TM6...@nwrddc02.gnilink.net...

web shawk

May 10, 2003, 10:18:36 PM
I can assure you that it's not malicious. I have given it full access. Like
you, it came up in programs like Photoshop, and Adobe writer, I think. If I
recall correctly, I found it is in relation to printer access. Just trying
to help, but don't hold me responsible for your decision. I'm also just here
to learn more. Good luck


"Boogie Woogie Flu" <sp...@email.sux> wrote in message

news:%bSua.2630$Ws4....@nwrddc01.gnilink.net...

James

May 29, 2003, 12:22:37 PM
"Boogie Woogie Flu" <sp...@email.sux> wrote in message
news:%bSua.2630$Ws4....@nwrddc01.gnilink.net...

Windows 2000 does install TCP/IP printing by default.
http://support.microsoft.com/default.aspx?scid=kb;en-us;246868

Perhaps that explains why the printing subsystem needs dns?

James


Ellie

May 30, 2003, 12:34:47 PM
"Boogie Woogie Flu" <sp...@email.sux> wrote in message news:<%bSua.2630$Ws4....@nwrddc01.gnilink.net>...

My guess is that ZA is simply alerting you to "conversation" occurring
between your computer's software and your NetBIOS -- your basic I/O
system -- in other words internal communication. The programs are
looking for YOUR computer's DNS name (not your ISP's DNS). (In
addition to your [unique per session] IP, your computer has its own
[unique per session] DNS, and that's its job -- converts all your
"connection" decimal names to "short" names for speed.)

You obviously have some software coded to call up a spooler -- and it
is required to "get" your computer's short name squared away in
anticipation of a print command.

I'm no expert, but I use ZA and my computer is always talking to
itself. If you've any doubt -- check out the source DNS port and
destination info on the "technical" and "details" help screens ZA
offers for each alert. Check the source/destination sources against
your computer's current DNS (as listed in ipconfig and other places),
you'll probably see it starts and ends on your own desktop. (The
reason you're not "seeing" it connect or "do anything" is that all
it's doing is collecting your computer's short name. For instance, my
computer's "short" name is my first name.)

Boogie Woogie Flu

May 31, 2003, 5:31:47 AM
> My guess is that ZA is simply alerting you to "conversation" occurring
> between your computer's software and your NetBIOS -- your basic I/O
> system -- in other words internal communication. The programs are
> looking for YOUR computer's DNS name (not your ISP's DNS).

The IP address that's shown in the ZA alert dialog is my ISP's DNS. I've
seen other alerts, like the Generic Host Process for Win32 where the address
referenced is "DNS:127.0.0.1" (My PC) but not when the spooler subsystem
requests access. It's always my ISP's DNS.

> (In
> addition to your [unique per session] IP, your computer has its own
> [unique per session] DNS, and that's its job -- converts all your
> "connection" decimal names to "short" names for speed.)
>
> You obviously have some software coded to call up a spooler -- and it
> is required to "get" your computer's short name squared away in
> anticipation of a print command.

I thought of this as well, but I have NetBios over TCP/IP disabled and file
and printer sharing is not bound to TCP/IP. I'm using NetBeui exclusively
for file and printer sharing. So why would the print spooler need to access
DNS to resolve a NetBios name to an IP address?

> I'm no expert, but I use ZA and my computer is always talking to
> itself. If you've any doubt -- check out the source DNS port and
> destination info on the "technical" and "details" help screens ZA
> offers for each alert. Check the source/destination sources against
> your computer's current DNS (as listed in ipconfig and other places),
> you'll probably see it starts and ends on your own desktop.

Nope. It's definitely the DNS server assigned by my ISP.

> (The
> reason you're not "seeing" it connect or "do anything" is that all
> it's doing is collecting your computer's short name. For instance, my
> computer's "short" name is my first name.)

Shouldn't need access to DNS to resolve a NetBios name if file and printer
sharing uses the NetBeui protocol only.


Boogie Woogie Flu

May 31, 2003, 5:33:39 AM
> Windows 2000 does install TCP/IP printing by default.
> http://support.microsoft.com/default.aspx?scid=kb;en-us;246868
>
> Perhaps that explains why the printing subsystem needs dns?
>
Would this apply even if I have NetBios over TCP/IP disabled and file and
printer sharing not bound to TCP/IP?

If I'm using NetBeui exclusively for file and printer sharing, why would the
print spooler need access to DNS to resolve a NetBios name to an IP address?


Ellie

Jun 7, 2003, 2:20:31 PM
> Nope. It's definitely the DNS server assigned by my ISP.

Perhaps we're miscommunicating.

The DNS server assigned by your ISP IS YOU -- it's your computer (your
computer acts as a "server" during connection to the internet, and has
a DNS decimal name assigned to it that correlates with your computer's
short name. This has nothing to do with the 127.0.0.1 internal
communication, per se).

Think about it. There's no reason/way for ZA to alert YOU to an
attempt to access your ISP's DNS. Your ISP's DNS is a huge computer
somewhere else, with its own "short name," and other than the initial
handshake between you and your ISP (which is when "short names" were
exchanged and your connection-specific DNS was assigned to YOUR short
name), your computer's software couldn't care less about your
provider's short name.

Just trying to help you think through your issue. I certainly don't
know all the answers!

Boogie Woogie Flu

Jun 8, 2003, 4:07:33 PM
No miscommunication. Just misinformation.

"Ellie" <ACE...@aol.com> wrote in message
news:4f4261f9.03060...@posting.google.com...

John S. Giltner, Jr.

Jun 8, 2003, 4:44:50 PM
Just Plain Insane wrote:
>
> If Zone Alarm didn't alert him it would prove ZA's worthlessness.
> When I first set up my firewall, one of the first connections made
> outbound was localhost to my ISP's DNS servers with UDP on 135. I
> had to set a rule so it would only do that for my ISP's DNS servers
> so I could get DNS resolution.
>


Port 135 is for NETBIOS name resolution. Why do you need to do NETBIOS
name resolution to your ISP's DNS servers? TCP/IP uses 53 for name
resolution.

John S. Giltner, Jr.

Jun 8, 2003, 4:52:46 PM
I would suggest installing ethereal, or any other IP sniffing software,
and looking at what name it is attempting to resolve. This could give you
a clue as to what is going on.

The only reason that the spooler should attempt to contact a DNS server,
at least that I can think of, is if you are attempting to print to a
printer using TCP/IP printing (LPR/LPD). This has nothing to do with
NETBIOS print or file sharing.

I have read that you have NETBIOS over TCP/IP disabled and so you are
only using NETBEUI. It does not matter; if you attempt to use the LPR
command to print to a remote printer, it has nothing to do with NETBIOS.

In fact even if you had NETBIOS over TCP/IP enabled and were doing print
over it, the spooler should never contact a DNS server. The spooler
would talk to NETBIOS and NETBIOS would attempt to resolve the name.
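Steve's suggestion to capture the outbound port 53 traffic and John's suggestion to look at which name the spooler is trying to resolve both come down to reading the question section of the DNS query. The parser below is an added example for this thread, not code posted by any participant; the sample packet and the hostname in it are constructed, and a real investigation would feed it the UDP payload captured by the sniffer.

```python
import struct

QTYPES = {1: "A", 2: "NS", 5: "CNAME", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA", 33: "SRV"}

def encode_name(name):
    """Encode a dotted hostname as DNS labels (length-prefixed, zero-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype=1, txid=0x1234):
    """Build a standard recursive query payload, as a resolver sends it to UDP/53."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def decode_name(payload, offset):
    """Decode labels at offset, following compression pointers (RFC 1035 4.1.4)."""
    labels, jumped, end = [], False, None
    while True:
        length = payload[offset]
        if length & 0xC0 == 0xC0:              # two-byte pointer to an earlier name
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", payload[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(payload[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)

def parse_queries(payload):
    """Return [(name, qtype)] from the question section of a DNS message."""
    qdcount = struct.unpack("!H", payload[4:6])[0]
    offset, questions = 12, []
    for _ in range(qdcount):
        name, offset = decode_name(payload, offset)
        qtype = struct.unpack("!H", payload[offset:offset + 2])[0]
        offset += 4                            # skip QTYPE and QCLASS
        questions.append((name, QTYPES.get(qtype, str(qtype))))
    return questions

# Constructed sample payload (not a capture from the thread): a lookup a
# spooler printing via LPR to a hypothetical host might send.
SAMPLE_QUERY = build_query("lpdprinter.example.com")

if __name__ == "__main__":
    for name, qtype in parse_queries(SAMPLE_QUERY):
        print(f"lookup: {name} ({qtype})")
```

The name that comes back is the clue both posters are after: a printer hostname points at TCP/IP printing, while an unrelated domain points at something else using the spooler process.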

John S. Giltner, Jr.

Jun 8, 2003, 10:11:47 PM
TCP/IP DNS uses port 53; either UDP or TCP can be used. The "standard"
is that DNS uses UDP port 53, however TCP port 53 can also be used.

Port 135 is NETBIOS, well to be more exact it is WINS.

If you have a proper services file on your PC you can issue netstat -n
command and you will see "microsoft-ds" listening on port 135 for both
TCP and UDP traffic.

Just Plain Insane wrote:
> On Sun, 08 Jun 2003 20:44:50 GMT I replied to "John S. Giltner,
> Jr." <gil...@earthlink.net> on a piece of toilet paper while
> scribbling their name and phone number on the bathroom wall in
> alt.computer.security

> It's the only port that ever contacts the DNS servers off my system
> besides 80. So the DNS server is the only outbound computer that
> can ever reach it, and that's UDP only, not TCP for 135.
>

John S. Giltner, Jr.

Jun 12, 2003, 8:22:38 PM
Just Plain Insane wrote:


>
> Oh, you may want to stop top-posting; it's OK to do that with
> emails, but on usenet it's considered a little rude. Just a heads up
> for you.
>

I will attempt to remember this for this group. Each group seems to
have their own opinion as to top or bottom post.

I use Netscape and I have friends that use Outlook, they both top post
by default, just like a reply in e-mail. So you must change this.

Top posting is just like e-mail and allows the people following the
thread to see the next post easier.

Bottom posting allows people that have not been following the thread to
review everything top to bottom.

The other 'big' issues are:

inserting your answers or comments in the middle of the post
to snip or not to snip, and how much to snip or not to snip
