Notes on Reference Citations - Version 2.71, by Dr. Herong Yang
'mswsock.dll - Microsoft Windows Sockets 2.0 Service Provider' tutorial was cited in a forum post in 2008.
Subject: mswsock.dll!WSPStartup+0x102b
Date: November 27, 2008
Author: jialg
Source: http://www.eggheadcafe.com/software/aspnet/33565303/mswsockdllwspstartup0x.aspx

>I would like to know if anyone knows that why my Windows Application
>is running an Extra Thread (ThreadCount = MyThread'sCount + 1).
>I think that (Extraneous) thread was initiated by mswsock.dll
>executable. But I didn't use this executable for any particular
>reason. This thread has start address as it is in Subject
>line(mswsock.dll!WSPStartup+0x102b). It can be seen through
>Process Explorer.
...

It may not be easy to figure out the creator of that extra thread (possibly we need to set breakpoints on CreateThread APIs and trace who creates the threads), however, mswsock.dll!WSPStartup reminds me of a technique related to Winsock 2 LSP and spyware Trojans. I'd like to first make some guesses of the reason for the extra thread, then I will provide the test steps that can help us narrow down the problem.

========================
My Guesses of the Reason

Guess 1. mswsock.dll is the DLL that implements the Winsock 2 SPI (Service Provider Interface) as the Basic Server Provider in the Winsock 2 SPI architecture. (http://www.herongyang.com/Windows/Winsock-mswsock-dll-Microsoft-Windows-Socket.html). Is it possible that some antivirus software or firewall program injects its DLL into your process to trace the app's network behaviors and creates that extra thread?

To verify this guess, you may look at the list of DLLs loaded by your app in Process Explorer -> View menu -> Low Pane View -> DLLs. Are there any DLLs belonging to your Antivirus software or firewall? Looking at the complete call-stack of the extra thread may also help. You can view the call-stack in Process Explorer by double-clicking the process -> turn to the Threads tab -> double-clicking the extra thread. Is there any abnormal module name in the call-stack?

Another possibility is some spyware Trojans. http://www.herongyang.com/Windows/Winsock-2-LSP-and-Spyware-Trojan.html. The above verification method can also be applied to this possibility. However, spyware trojans may use the same module name as Microsoft's modules, thus, we need to pay more attention to the path of the modules.
...
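The module-path check suggested at the end of the post, as an added PowerShell example that is not part of the original post or the cited tutorial. The function name Find-MisplacedModule, the watch list and the two trusted directories are assumptions of this example, and the sample rows are constructed.

```powershell
# Added example: report loaded modules that carry the name of a Windows
# socket DLL but were loaded from outside the Windows system directories.
function Find-MisplacedModule {
    param(
        # Objects with ModuleName and FileName, e.g. (Get-Process ...).Modules
        [Parameter(Mandatory)] [object[]] $Module,
        # Module names to check (assumption: extend to suit your environment)
        [string[]] $WatchName = @('mswsock.dll', 'ws2_32.dll'),
        [string]   $WindowsDir = $env:SystemRoot
    )

    # Directories a genuine copy is expected to load from (assumption).
    $trusted = @('System32', 'SysWOW64') |
        ForEach-Object { (Join-Path $WindowsDir $_).TrimEnd('\') + '\' }

    foreach ($m in $Module) {
        $name = [string]$m.ModuleName
        $path = [string]$m.FileName

        # -notcontains compares case-insensitively, so MSWSOCK.DLL matches too.
        if ($WatchName -notcontains $name) { continue }

        $inTrustedDir = $false
        foreach ($dir in $trusted) {
            if ($path.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) {
                $inTrustedDir = $true
            }
        }

        # Same name as a system module, different location: worth a closer look.
        if (-not $inTrustedDir) {
            [pscustomobject]@{ ModuleName = $name; FileName = $path }
        }
    }
}

# Constructed sample input (not real output): a genuine path, a look-alike, an app DLL.
$sample = @(
    [pscustomobject]@{ ModuleName = 'mswsock.dll'; FileName = 'C:\Windows\System32\mswsock.dll' }
    [pscustomobject]@{ ModuleName = 'MSWSOCK.DLL'; FileName = 'C:\Users\Public\mswsock.dll' }
    [pscustomobject]@{ ModuleName = 'myapp.dll';   FileName = 'C:\Program Files\MyApp\myapp.dll' }
)
Find-MisplacedModule -Module $sample -WindowsDir 'C:\Windows'

# Live use against a running process ('MyApp' is a placeholder process name):
# Find-MisplacedModule -Module (Get-Process -Name 'MyApp').Modules
```

On the constructed sample only the copy under C:\Users\Public is reported. A module in the expected directory can still be a replaced file, so a clean result narrows the search and does not by itself rule out tampering.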