Can someone explain what **CRYPTSVC** cryptographic services/svchost is? I keep catching svchost uploading SOME kind of data via a network monitor.
I cannot find much info about cryptographic services. What EXACTLY is it, what kind of data would it be uploading or what programs would it associate with, and for the data that's uploading, how can I find out who/where it's uploading TO?
This random constant uploading is making me paranoid. When I kill the SVCHOST that cryptsvc is in, the uploading stops.
I have Dropbox, but nothing has been added, so there shouldn't be any activity?? When I upload it is only in use while it is being used. Does Dropbox use bandwidth when no files are being used from it?
In AVG there was something checked that said:
"Allow in-the-cloud verification of threat detections. CAUTION: Disabling this feature could impact AVG's ability to protect you correctly. It is strongly recommended to keep this feature enabled." Everything else was unchecked.
I'll try to disable that and see if the uploads stop.
What's confusing me though is it's not just uploading when there is activity. It just randomly starts and uploads for like 5-10 mins before it stops. Unless I get overly paranoid and end the process/service myself.
(EDIT--Since you mentioned AVG I shall also note that when I upgraded from AVG 2012 to the new 2015 version my computer is running slower than a turtle/snail now)
OK so I left this sit for a few days but it still seems to be doing it. The network meter shows upload, I go to resource meter, it's svchost that shows the highest upload in resource meter. Then I open task manager and go to the correct PID in services and of course it's still that bloody cryptsvc uploading something and I can't figure out what is being uploaded and where it's being uploaded TO. I kill the process in task manager and the upload stops. A little bit later cryptsvc is back and uploading again.
I am unable to find results on Google on how to determine/research what is being uploaded by cryptsvc and to who or where whatever is being uploaded is going.
EDIT: I JUST FOUND CRYPTOGRAPHIC SERVICES IN SERVICES.MSC. I STOPPED IT AND DISABLED IT AS PER THE PICTURE. Is this leaving me open to any sort of attacks?
I woke up this morning and as soon as I turned on the monitor, according to the network meter *something* was being uploaded to *somewhere* and I still can't figure out how to identify and solve this. I killed the cryptsvc service and sure enough the upload stopped. In-cloud verification is disabled in AVG. It's not Dropbox because Dropbox is only 1 Send (B/s). The cryptsvc often shows an upload rate of 10,xxx Send (B/s).
I ask again... Is it safe to disable and leave disabled cryptsvc in services.msc without leaving myself open to any sort of attacks? I read the description of what cryptsvc is in services but still cannot figure out why it needs to upload so often and what it is that is being uploaded and to where?
(The resource meter picture is after I killed the svchost that contained the cryptsvc service)
All I can say is as long as you have a cloud update service doing auto updates you will see updates.
If I was going to use a Cloud service I would use encryption if the data being put into the cloud is sensitive.
I would also do it manually not any kind of Auto settings.
Because I don't use a Cloud service I have no idea what setting selection you may or may not have.
You will have to look into the instructions of whatever cloud service you are using. I can't do that for you.
My Computer
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Home made Desktop
OS
Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
CPU
Intel i7-6800K @ 4.3
Motherboard
ASUS X-99 Deluxe II
Memory
Corsair Platinum 16 gig @2400
Graphics Card(s)
EVGA GTX 1070 OC
Monitor(s) Displays
Asus 27" LED LCD/VE278Q
Screen Resolution
1920-1080 or 1280-720 HDMI
Hard Drives
INTEL SSD 730-240 Gb Sata 3.0/
PSU
EVGA Platium 1200W
Case
Phanteks Luxe Tempered Glass 8 fans/ one radiator
Cooling
XSPC/ Water Cooled CPU
Keyboard
Das 4 Professional
Mouse
Logitech M705/MX Anywhere 2-S
Internet Speed
100 mbits
Antivirus
Microsoft Security Essentials/ Malwarebytes Premium 3.0/ SAS
Browser
I.E. 11 default/Firefox/ ISP Time Warner Cable/Spectrum
Other Info
LG BluRay Burner/
Sound system-KLipsch-THX/
Icy Dock ssd Hot Swap bays.
You are likely worried for nothing. This service handles the certificates on the machine, those used in SSL, and digital signatures. When it connects to the Internet it's most likely validating the certificates to the Root Certificate Authority that is responsible for the certificate. All of the downloads from Windows Update for example are signed. Other vendors do the same.
My Computer
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Alienware Aurora ALX R4
OS
Windows 10 Pro (x64)
CPU
Intel Core i7-3930K (3.2GHz - 4.5GHz)
Motherboard
Alienware Aurora-R4 x79
Memory
4x Samsung 4GB PC3-12800 DDR3 (16GB 1600MHz)
Graphics Card(s)
Nvidia Geforce GTX 690
Sound Card
SteelSeries Siberia Elite
Monitor(s) Displays
Dell UltraSharp U3011
Screen Resolution
2560x1600
Hard Drives
Samsung 850 Pro 256 GB, Seagate 1TB Desktop Hybrid HDD, 2x Western Digital 4TB Green HDD
PSU
875W Some Dell PSU <.<
Case
Alienware Aurora ALX
Cooling
Custom Liquid Cooling (EK CPU & GPU blocks) dual EK 480RAD
Keyboard
Logitech G710+ Mechanical
Mouse
Logitech G700s
Internet Speed
Verizon Fios (50 mbps average)
Other Info
Server: Intel NUC D54250WYK: i5-4250U, 16GB, 256 GB mSATA, Windows Server 2012 R2
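To make the certificate-validation explanation above concrete, here is an added PowerShell example (written for this thread, not code from any poster or from Microsoft). It checks the Authenticode signature on a file, builds the certificate chain with online revocation checking (the same kind of chain building that happens for signed downloads), and lists the CRL/OCSP URLs embedded in the chain, which are the places such revocation traffic goes. The file path, function name and the 15-second timeout are assumptions; point `-Path` at any signed executable on your own machine.

```powershell
# Added example: inspect a file's Authenticode signature and build its
# certificate chain with ONLINE revocation checking. The CRL/OCSP URLs
# printed at the end are the endpoints contacted during revocation checks.
# Works on Windows PowerShell 2.0 and later (no [pscustomobject] accelerator).
function Test-SignedFileChain {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path   # assumption: any signed executable, e.g. a Windows binary
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        # Catalog-signed OS files can report NotSigned on older Windows; pick another file.
        return New-Object PSObject -Property @{
            Path = $Path; SignatureStatus = $sig.Status; ChainValid = $false
        }
    }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Online mode is what makes the chain build fetch CRLs / query OCSP responders.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag =
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15   # assumed timeout

    $built  = $chain.Build($sig.SignerCertificate)
    $errors = @($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() })

    # Collect CRL Distribution Point (2.5.29.31) and Authority Info Access
    # (1.3.6.1.5.5.7.1.1) URLs from every certificate in the chain.
    $urls = @()
    foreach ($element in $chain.ChainElements) {
        foreach ($ext in $element.Certificate.Extensions) {
            if ($ext.Oid.Value -eq '2.5.29.31' -or $ext.Oid.Value -eq '1.3.6.1.5.5.7.1.1') {
                $text = $ext.Format($true)
                $urls += [regex]::Matches($text, 'https?://[^\s]+') |
                         ForEach-Object { $_.Value }
            }
        }
    }

    $last = $chain.ChainElements.Count - 1
    New-Object PSObject -Property @{
        Path            = $Path
        SignatureStatus = $sig.Status
        Signer          = $sig.SignerCertificate.Subject
        ChainValid      = $built
        ChainLength     = $chain.ChainElements.Count
        RootCA          = $chain.ChainElements[$last].Certificate.Subject
        Errors          = $errors
        RevocationUrls  = ($urls | Sort-Object -Unique)
    }
}

# Usage (path is an assumption; substitute any signed file):
Test-SignedFileChain -Path "$env:ProgramFiles\Internet Explorer\iexplore.exe" | Format-List
```

The `RevocationUrls` field is the useful part for the question in this thread: the hosts listed there are the certificate authority endpoints a chain build may contact, so comparing them with the remote addresses seen in a network monitor shows whether the traffic matches ordinary certificate validation.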
None of your screenshots show anything useful. Could you provide one showing the svchost PID and preferably something that shows that a connection has been established?
Example:
Svchost PID:
Connections:
My Computer
Computer type
Laptop
Computer Manufacturer/Model Number
ASUS
OS
Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
CPU
AMD C-60 APU with Radeon(tm) HD Graphics
Motherboard
ASUSTeK COMPUTER INC. X501U
Memory
4.00 GB
Graphics Card(s)
AMD Radeon HD 6290 Graphics
Sound Card
(1) AMD High Definition Audio Device (2) Realtek High Defi
Yes. Here is the PID. Although it's not doing anything strange right now. It's a very intermittent problem. The network meter is acting like it should.
As for connection established, I'm gonna DL EssentialNetTools as you show if it's free, or if it's not free I'll be a while as I'll have to find something else that is.
OK, that PID is showing up as svchost, which is what it shows as in Windows Task Manager, but when I right-click that svchost to services there are multiple listings for the one service # as shown in the previous picture and that's where the Cryptsvc is. But this is what EssentialNetTools lists for PID 1524
Okay so using Comodo KillSwitch (free) on my own machine shows cryptsvc PID running under svchost. Checking network shows zero data being transferred. Perhaps you could keep an eye on it next time it goes crazy and use one or more of these tools to see where it's connecting to?
If you see "Established" connection for the PID try getting the ip address and domain name.
OK next time my network meter goes nuts like the previous pictures I'll open up the Essential Tools again (unless told to drop Essential Tools and get Comodo instead) and repost the PIDs. The issue only happens maybe every second day or so, but it's not until a few days ago that I've seen it as bad as the 1st pic on this page and the last pic of page 1. It's just so random I can't even pinpoint the trigger for it.
CONNECTION ESTABLISHED.. However it's not making the meter do anything crazy but there IS a connection there. I killed it as soon as I took the screenshot. IDK if this is of any use since the meter was OK though.
Would you try this to see if it makes any difference?
Control Panel> System> Remote Settings
Configure as above.
Also next time you get the problem lets get a better look at what port it's using.
For now - run an Elevated Command Prompt and click in the top left corner on C:\_ then choose "Properties" > "Options" then enable "Quick Edit Mode"
Next time the problem occurs run Elevated Command Prompt and in the window that opens up type:
netstat -ano
Press Enter. Wait for the list to populate then highlight all the text by left clicking and dragging your mouse over the text. Then when it's highlighted - right click, open your text editor and paste the results. (Ctrl+V)
Post them here thanks.
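The `netstat -ano` procedure above gives a PID, but with svchost.exe one PID hosts several services, so the PID alone does not say which service owns a connection. The following PowerShell script is an added example for this thread (not code from any poster) that automates the correlation: it parses `netstat -ano` for ESTABLISHED TCP connections, maps each PID to its process name and to the Windows services hosted in that process, and does a reverse DNS lookup on the remote address. It uses only built-in tools (netstat, Get-Process, Get-WmiObject) and runs on Windows 7's PowerShell 2.0 as well as later versions. The function name and the default `CryptSvc` filter are assumptions.

```powershell
# Added example: correlate ESTABLISHED TCP connections with the process and
# the services hosted in it, so a svchost.exe PID can be tied to CryptSvc
# (or any other service). Run from an elevated PowerShell prompt.
function Get-ConnectionsByService {
    param(
        # Assumed default: only show connections owned by processes hosting this service.
        # Pass -ServiceName '*' to list every established connection.
        [string]$ServiceName = 'CryptSvc'
    )

    # netstat columns: Proto  Local Address  Foreign Address  State  PID
    $rows = netstat -ano | Where-Object {
        $_ -match '^\s*TCP\s+\S+\s+\S+\s+ESTABLISHED\s+\d+\s*$'
    }

    foreach ($row in $rows) {
        $parts  = -split $row.Trim()
        $local  = $parts[1]
        $remote = $parts[2]
        $procId = [int]$parts[4]

        # Process name for the PID (may have exited between netstat and this call).
        $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
        if ($proc) { $procName = $proc.ProcessName } else { $procName = '<exited>' }

        # Services running inside this PID; svchost.exe typically hosts several.
        $services = @(Get-WmiObject Win32_Service -Filter "ProcessId=$procId" |
                      ForEach-Object { $_.Name })

        if ($ServiceName -ne '*' -and -not ($services -contains $ServiceName)) { continue }

        # Strip the port; IPv6 entries look like [addr]:port, IPv4 like addr:port.
        $remoteIp = ($remote -replace ':\d+$', '').Trim('[', ']')
        $remoteName = '<no PTR record>'
        try {
            $remoteName = [System.Net.Dns]::GetHostEntry($remoteIp).HostName
        } catch { }

        New-Object PSObject -Property @{
            PID        = $procId
            Process    = $procName
            Services   = ($services -join ', ')
            Local      = $local
            Remote     = $remote
            RemoteHost = $remoteName
        }
    }
}

# Usage: show only connections from the svchost that hosts CryptSvc,
# then show everything so other processes can be compared.
Get-ConnectionsByService | Format-Table PID, Process, Services, Remote, RemoteHost -AutoSize
Get-ConnectionsByService -ServiceName '*' | Format-Table PID, Process, Remote, RemoteHost -AutoSize
```

Run it while the network meter is showing the upload, since connections that have already closed will not appear. The `RemoteHost` column is the piece the thread has been asking for: a reverse-DNS name for the remote address, which can be compared against the certificate authority and Windows Update hosts a certificate-validation service would be expected to contact.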