I looked in the Task Manager just now and it doesn't show a single instance of svchost running. I always had multiple ones in XP. It did come up momentarily when I went to Windows Update but disappeared again as soon as WU was fully loaded. I guess this is part of the hardening they speak of?
Sure doesn't sound right to me. You should have multiple instances of svchost.exe running at any given time. Remember that only a few svchost.exe services require internet access; most run on localhost only. You sure you are not filtering out the display of them in Task Manager?
I will be posting in the next couple of days, the svchost services my WIN 7 x64 SP1 requires. I really should charge for this info since no where on the web could I find details on this.
In the meantime, a FYI:
I have found a somewhat "brute force" method of determining what svchost service is executing when a popup alert is generated by WFN. This works for WIN 7 x64 SP1. I also assume it will work for XP and Vista.
Note: Before adding any firewall rule for a svchost.exe service, determine that the service is a valid Windows or application generated service. Also remember that the service might be valid but intrusive e.g. Google update service, etc.
Allowing the svchost.exe service to execute as noted below could cause a leakage of data from your PC if the service is malicous. At present, I know of no way to determining what service requires outbound access until it does a network transmission. If the developer of WFN can figure out a way to display the short service name of a blocked svchost.exe request, he would have found the "Holy Grail" of Windows sub-tasking in my opinion.
1. Keep the WFN popup visible on the desktop and note the IP address and port shown.
2. Open a command prompt window as admin.
3. Enter the following minus the quotes after the command prompt - "netstat -anob". Do not press the enter key yet.
4. Click on the Allow button on the WFN popup for svchost.exe. Immediately thereafter press the keyboard Enter key to execute the netstat command that was previously entered.
5. Scroll up in the command prompt window searching for the original blocked IP address. Once found, you will observe to left on the same line, the short name of service that svchost requested.
Note that netstat command will most likely display the program name that called svchost.exe. Therefore, you will not see the service short name listed under svchost.exe but under the calling program name.
6. Open up Task Manger and click on the Services tab and search for the full service name associated with the short name that was displayed as a result of the netstat command.
7. Delete the global allow firewall rule for svchost.exe that WFN generated.
8. Create a new WIN 7 firewall custom outbound rule for svchost.exe selecting the above appropriate service. For protocol I always use TCP and for destination/receiving ports I always use 80 and 443.