ResellerRatings Forums > Tech Support
Post #41, 02-23-2004, 09:07 AM
RSalinas (Registered User; Join Date: Feb 2004; Posts: 1)
Hmm, did any of this have to do with the MS Blaster worm? Because the RPC, svchost.exe and NT/AUTH are all connected to it.

Post #42, 09-05-2004, 11:30 PM
CompuFast (Registered User; Join Date: Sep 2004; Posts: 2)
I have deleted ntoskrnl.exe and all the other stuff with the name ntoskrnl that I found with the Windows Search Assistant, and surprise, it was replaced with a new one somehow, like viruses do.
Post #43, 09-06-2004, 01:29 PM
johnnyis42 (Registered User; Join Date: Aug 2004; Posts: 307)
OK, this is ridiculous.

ntoskrnl.exe is a function for letting the NT kernel use network resources in a way that makes remote administration of your machine by the admins much easier. Though that is not the main purpose of the file's function, it is the end result.

It is primarily in there for WMI-type functions and RPC activities. If you block it and you are on a managed domain, and your administrators are worth their salt, your computer will be booted from the domain and you will not be able to use your corporate network properly.

Notice that most people posting about experiencing problems use XP Pro or Windows 2000. By default these machines are expecting to be connected to a domain, and therefore are looking for requests on port 445 (Microsoft domain services). XP Home users may see activity by ntoskrnl.exe if they have the UPnP service still running, but then only on port 1900.

Yes, this function can be exploited. However, any activity by it would seem strange if you are unsure of what your operating system is supposed to be doing by default. Just because your firewall tells you that it is trying to access the network doesn't mean you're being hacked, have a virus, or anything other than the service trying to contact the network.

A firewall is like a 7-year-old in first grade who is really bright and is always raising their hand to answer questions or to tell the teacher he knows something. The annoying little kid who says "ooo! ooo! look at what I found!" Not everything it finds is of much interest. Sygate and most up-to-date firewalls are great because they actually react differently to port scans and general network access. Other firewalls don't discriminate and can be pretty annoying.

Word of advice: don't set a firewall rule; just set anything to ask you every time for network access if you're not sure what it does. Choose to block it each time without blocking it permanently, and see if all your network activity still works. That should tell you what you need it for.

Paranoia about a Windows system file does not help, however. Yes, you can delete those files and they will come right back.... By design that is supposed to happen with "Windows System File Protection" under Windows XP and 2000. Windows XP will pull the file back from its cache, which gets updated any time a system file is changed. This is not virus activity!

I could go on, but I've probably already made some people mad. I just can't stand to see a discussion go on this long without seeing a point made at some point.
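Added example, not from the thread or any poster: a PowerShell check for the claims in the post above. It assumes Windows 8 or later with the NetTCPIP module (Get-Net* cmdlets) in an elevated session, and shows which process and services own ports 445 and 1900, whether the SSDP/UPnP service is running, and whether the on-disk ntoskrnl.exe carries a Microsoft signature, so a firewall alert can be judged against what the system does by default instead of by deleting system files.

```powershell
# Added example (not from the thread). Assumes Windows 8+/Server 2012+ with the
# NetTCPIP module and an elevated session so owning-process details are visible.

function Get-PortOwner {
    param([int]$Port, [ValidateSet('TCP','UDP')][string]$Proto)
    $eps = if ($Proto -eq 'TCP') {
        Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    } else {
        Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue
    }
    foreach ($ep in $eps) {
        $proc = Get-Process -Id $ep.OwningProcess -ErrorAction SilentlyContinue
        # Services hosted inside svchost.exe are resolved through the WMI service table
        $svcs = (Get-CimInstance Win32_Service -Filter "ProcessId = $($ep.OwningProcess)").Name -join ','
        [pscustomobject]@{
            Proto = $Proto; Port = $Port; LocalAddress = $ep.LocalAddress
            PID = $ep.OwningProcess; Process = $proc.ProcessName; Services = $svcs
        }
    }
}

# Port 445 (SMB, the "Microsoft domain services" port) is bound by the kernel:
# expect PID 4 / System here, which is normal and not evidence of a virus.
Get-PortOwner -Port 445 -Proto TCP | Format-Table -AutoSize

# Port 1900 (SSDP/UPnP discovery) should only be open while the SSDP service runs;
# if you do not need UPnP discovery, stop and disable SSDPSRV rather than blocking the kernel.
Get-PortOwner -Port 1900 -Proto UDP | Format-Table -AutoSize
Get-Service -Name SSDPSRV | Select-Object Name, Status, StartType

# Windows File Protection (XP/2000) and Windows Resource Protection (Vista+) restore
# ntoskrnl.exe automatically; confirm the on-disk copy is Microsoft-signed instead of deleting it.
$kernel = Join-Path $env:SystemRoot 'System32\ntoskrnl.exe'
Get-AuthenticodeSignature -FilePath $kernel |
    Select-Object @{n='File';e={$_.Path}}, Status, @{n='Signer';e={$_.SignerCertificate.Subject}}
```

A Status of Valid with a Microsoft Windows signer is the expected result; anything else on the kernel file is worth investigating with the system's own file-integrity tooling (sfc /scannow) rather than by manual deletion.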
Post #44, 04-04-2008, 07:29 PM
CiXOT (Registered User; Join Date: Apr 2008; Posts: 1)
Yes, it appears SSDP/UPnP is the culprit, somehow being re-enabled ... Also, some of these alarming remote connections from local block addresses are in fact locally initiated connections, I assume through ndisuio from a virtual adaptor in your computer ... For example, VMware creates virtual adaptors which broadcast packets that are recognised as remote connections according to Sygate, but the IP addresses and MAC addresses confirm they belong to the computer's own networking components ... I can understand that it would indeed need some way of access; exactly how, I don't know, but for now I'm assuming ndisuio is for VMware, being used by it for driver emulation of some sort, and ntoskrnl is for UPnP, as they're both internal to Windows ...

Sorry for dragging this up from the dead, but I got a bit of a scare checking my logs, as UPnP got enabled on my machine somehow; maybe I was testing something and forgot to turn it off ...
All times are GMT -6.