Is there a way to determine which service (in svchost.exe) does an outgoing connection?
I have found a method in this Server Fault answer (about services and memory usage) that I could use to analyze individually the network usage of services (with any network tool)
Peter Mortensen:Split each service to run in its own SVCHOST.EXE process and the service consuming the CPU cycles will be easily visible in Task Manager or Process Explorer (the space after "=" is required):
SC Config Servicename Type= own
Do this in a command line window or put it into a BAT script. Administrative privileges are required and a restart of the computer is required before it takes effect.
The original state can be restored by:
SC Config Servicename Type= share
SysInternals Process Explorer can do this for you.
Open the process properties of the svchost.exe
instance you are trying to analyze. Click on the TCP/IP tab. Double click on the connection you are wanting to discover to bring up a stack trace of the connection. You should be able to trace the stack back to the DLL that implements the service. Here is an excerpt from the help file on the topic of Process Properites:
TCP/IP:
Any active TCP and UDP endpoints owned by the process are shown on this page.
On Windows XP SP2 and higher this page includes a Stack button that opens a dialog that shows the stack of the thread that opened the selected endpoint at the time of the open. This is useful for identifying the purpose of endpoints in the System process and Svchost processes because the stack will include the name of the driver or service that is responsible for the endpoint
Also on Configuring Symbols
Configure Symbols: on Windows NT and higher, if you want Process Explorer to resolve addresses for thread start addresses in the threads tab of the process properties dialog and the thread stack window then configure symbols by first downloading the Debugging Tools for Windows package from Microsoft's web site and installing it in its default directory. Open the Configure Symbols dialog and specify the path to the dbghelp.dll that's in the Debugging Tools directory and have the symbol engine download symbols on demand from Microsoft to a directory on your disk by entering a symbol server string for the symbol path. For example, to have symbols download to the c:\symbols directory you would enter this string:
srvc:\symbolshttp://msdl.microsoft.com/download/symbols
Note: You may need to run Process Explorer as administrator to be able to see the thread's stack.
I know this may be outdated, but still this page ranks high in search for "svchost connections", so I'll toss my input here. There is tool called Svchost Process Analyzer, it may help: https://www.neuber.com/free/svchost-analyzer/index.html