• High level of Internet traffic while booting


    #2469881

    This was submitted by @Kathy-Stevens

    While booting our Windows 10 PCs, we frequently observe a high level of internet traffic as indicated by blinking lights on our servers and routers. While some of the traffic is related to our internet security apps, I assume that the bulk of the traffic is between the computer and Microsoft. Is it a good idea to install a physical internet kill switch between our routers/modems and the internet service provider or between a work station and its router in order to block internet access during boot-up? A quick internet search has revealed that such switches are available. One vendor is located at https://internetswitches.com/ .

    • #2469758

      While booting our Windows 10 PCs, we frequently observe a high level of internet traffic as indicated by blinking lights on our servers and routers.

      While some of the traffic is related to our internet security apps, I assume that the bulk of the traffic is between the computer and Microsoft.

      Is it a good idea to install a physical internet kill switch between our routers/modems and the internet service provider or between a work station and its router in order to block internet access during boot-up?

      A quick internet search has revealed that such switches are available.

      One vendor is located at https://internetswitches.com/ .

      • #2469866

        @kathy-stevens This can also be achieved by using a 3rd party firewall, or a 3rd party firewall add-on, and it works very well.

        * _ ... _ *
      • #2469867

        This question deserves/should be in a Topic of its own.
        It really is off-topic in a thread about “Removing built-in Apps from Win10′”

        • #2469874

          Suggest submitting the question under: Cyber Security for Business users. This is actually a complex issue that goes beyond just networking to include configuration changes on each client, although network changes like firewalls can be a big part of the answer. The other choice is Networking, routers, firewalls, network configuration.

          Microsoft has “phone home” tasks that can run when idle or on a deferred basis, besides just at logon.

          Windows 10 22H2 desktops & laptops on Dell, HP, ASUS; No servers, no domain.

    • #2469905

      Windows 10 is a very “connected” operating system, that phones home to Microsoft frequently.

      I do use a 3rd party firewall to block unnecessary network connection attempts made by many other 3rd party programs.

      But I don’t really see any point in interfering with Windows connecting to Microsoft, beyond the standard locking down of updates, as desired. Other than that, I just let Windows 10 do its thing… if you cannot trust Microsoft, who can you trust? 😉

      Windows 10 Pro 22H2

    • #2469909

      Why not get the FREE firewall by Evorim, EU based (GDPR conformity)?

      Works in conjunction with the existing Windows Security Firewall and has the ability to block whatever you see fit.
      Works nicely with Windows 7/8/10 and 11 (although I can’t speak for 11), uses little resources and has many options within.
      No time constraints, sign-up or email address submission required; what’s not to like?

      Careful, you might get addicted to viewing and researching connections…

      Windows - commercial by definition and now function...
      • #2469918

        Their webpage states that:

        The firewall blocks all background transmissions of telemetry data of the Windows operating system to the server on the Internet.

        If so, this software sounds very promising!

        I also like it that their firewall enables the user to grant or deny Internet access to programs on a per-case basis. This is my favorite feature from the ZoneAlarm firewall.

        ADDENDUM: I just discovered that they also intend to put out a Linux version of their firewall. All of the Linux firewalls I’ve ever come across are opaque and difficult to use. Evorim’s firewall for Linux could be a game changer.

      • #2469925

        TIP: Recommend using v258 for Win7 or 8.1 for silent unobtrusive use, as v259 onwards has added a splash popup which is, shall we say, annoying.

        Win10 best to use is v261> for added pre-configured telemetry blocks by default which change servers on occasion 🙂

        Windows - commercial by definition and now function...
      • #2469933

        As indicated at the start of the post,

        “While booting our Windows 10 PCs, we frequently observe a high level of internet traffic as indicated by blinking lights on our servers and routers.”

        During the boot process our firewall app loads, but our concern is the generation of internet traffic during boot-up and before the firewall begins to work.

        Thus, the thought of installing a physical internet kill switch between our routers/modems and the internet service provider or between a work station and its router.

        Is there any way to track the internet start-up traffic prior to the time that the firewall and other security related apps become active?

    • #2469926

      Short version:

      The only way I know of to check *exactly* what external network connectivity is happening during the boot process is to use something like Sysinternals/TechNet’s small, free, portable Process Monitor (ProcMon): filter out *everything* except network activity (using ‘Drop Filtered Events’), then choose ‘Enable Boot Logging’. This will capture all network events during the next boot process.

      Note: ‘Drop Filtered Events’ helps keep ProcMon‘s PML trace log as small as possible (or from exhausting the OS’ swap file)… make sure you stop the trace as soon as Windows has got to a stable desktop (and let CurrPorts take over*). Don’t forget to remove the tick against the ‘Drop Filtered Events’ option when you’ve finished capturing.


      TL;DR version:

      There’s a big difference between connectionless UDP traffic and TCP traffic. I tend to think of most UDP traffic almost as ‘Are you there?’ and don’t pay much attention to it. I’m more interested in the TCP connections, particularly those shown as ESTABLISHED, rather than just LISTENING, especially if they show as ‘Unknown’.

      [Image: CurrPorts log example]

      *After the system(s) has booted, use something like Nir Sofer’s small, free, portable CurrPorts (with logging enabled) so you can build a picture of which events are regular and which are intermittent, including their remote endpoints. Personally I’m usually more interested in the very occasional ‘Unknown’ ESTABLISHED external TCP connections than the regular known ones which I call the Windows 10 ‘heartbeat’.

      [Image: Windows 10 ‘heartbeat’ of external endpoint connections shown using Glasswire]

      On my systems Windows Defender updates are delivered from Microsoft servers whilst a lot of other Microsoft content is delivered by third-party providers – CDNs (Content Delivery Networks) – on Microsoft’s behalf. This includes Windows Updates and Microsoft Store updates.

      Note: I have Windows Updates blocked… so Windows Defender does a failback to using BITS (Background Intelligent Transfer Service) for its updates instead of using the default Update Orchestrator Service.

      For example, here in the UK I see regular connections to Microsoft in Dublin for Windows Defender‘s AV updates whilst the remainder are usually from Akamai’s CDN servers in England and the Netherlands on Microsoft’s behalf.

      For example:

      a23-212-232-96.deploy.static.akamaitechnologies.com
      23.212.232.96
      Netherlands
      Store
      winstore.app.exe

      This shows the Windows Store app connecting to an Akamai datacentre. You can reduce this behaviour by turning off background updates.

      Note also that by default Microsoft Edge preloads content *before* user login (even if you never use Edge) so you’re going to see multiple router flashes as its default start page loads all the Bing stuff hidden in the background. You can stop this behaviour or block Edge.

      There’s a whole bunch of Microsoft tools/apps/utilities/live tiles which make external connections, even if YOU don’t use them. You need to examine them and disable access (outbound, inbound or both) in your firewall. (I use sordum.org’s small, free, portable Firewall App Blocker for ease of use.)

      Don’t rely on adding the IP address endpoints to the HOSTS file if they are Microsoft-related. Since 2006 Microsoft has often ignored the HOSTS file for Microsoft-related URLs (and Defender now flags it if it’s amended). (See Microsoft HOSTS file bypass issue for more details.)

      Some more examples (note these are from Jan. 2018… I haven’t tested since):

      db5.settings.data.microsoft.com.akadns.net
      40.77.226.249
      United States
      Speech Runtime Executable
      speechruntime.exe
      
      wdcpeurope.microsoft.akadns.net
      52.178.163.85
      Ireland
      Microsoft Windows Malicious Software Removal Tool
      mrt-kb890830.exe
      
      cs9.wpc.v0cdn.net
      93.184.221.200
      United States
      Settings
      c:\windows\immersivecontrolpanel\systemsettings.exe
      
      modern.watson.data.microsoft.com.akadns.net
      65.55.252.202
      United States
      Windows Problem Reporting
      c:\windows\syswow64\werfault.exe
      
      sls.update.microsoft.com.nsatc.net
      52.229.171.202
      United States
      SIH Client
      c:\windows\system32\sihclient.exe
      
      db5.settings.data.microsoft.com.akadns.net
      40.77.226.249
      United States
      Microsoft Compatibility Telemetry
      c:\windows\system32\compattelrunner.exe
      
      e11290.dspg.akamaiedge.net
      104.103.185.104
      United States
      Microsoft Malware Protection Command Line Utility
      c:\program files\windows defender\mpcmdrun.exe
      
      e-0009.e-msedge.net
      13.107.5.88
      United States
      microsoft.photos.exe
      c:\program files\windowsapps\microsoft.windows.photos_2017.39101.16720.0_x64__8wekyb3d8bbwe\microsoft.photos.exe
      
      a-0026.a-msedge.net
      204.79.197.229
      United States
      searchui.exe
      c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe
      
      40.77.226.249
      United States
      Speech Model Download Executable
      c:\windows\system32\speech_onecore\common\speechmodeldownload.exe
      
      smartscreensvc.microsoft.com.nsatc.net
      13.79.239.82
      Ireland
      Windows Defender SmartScreen
      c:\windows\system32\smartscreen.exe
      
      vip5.afdorigin-prod-cw02.afdogw.com
      51.141.26.229
      United Kingdom
      Microsoft Outlook Communications
      c:\program files\windowsapps\microsoft.windowscommunicationsapps_17.8730.21725.0_x64__8wekyb3d8bbwe\hxtsr.exe
      
      wdcpeurope.microsoft.akadns.net
      52.166.110.64
      Netherlands
      Antimalware Service Executable
      c:\program files\windows defender\msmpeng.exe
      
      db5.settings.data.microsoft.com.akadns.net
      52.166.110.64
      Netherlands
      Microsoft Feedback SIUF Deployment Manager
      c:\windows\system32\dmclient.exe
      
      191.239.213.197
      Ireland
      App Uri Handlers Registration Verifier
      c:\windows\system32\apphost\registrationverifier.exe
      
      a-0001.a-msedge.net
      13.107.21.200
      United States
      Download/Upload Host
      c:\windows\system32\backgroundtransferhost.exe
      
      modern.watson.data.microsoft.com.akadns.net
      40.77.228.92
      United States
      Windows Problem Reporting
      c:\windows\system32\wermgr.exe
      
      e1898.dspg.akamaiedge.net
      23.212.232.96
      Netherlands
      Background Task Host
      c:\windows\system32\backgroundtaskhost.exe
      
      e2821.dspb.akamaiedge.net
      104.82.235.53
      United States
      Wireless Background Task
      c:\windows\system32\wifitask.exe
      
      ff02::1:2
      Host Process for Windows Services
      c:\windows\system32\svchost.exe
      
      a-0001.a-msedge.net
      13.107.21.200
      United States
      Search and Cortana application
      
      cs9.wpc.v0cdn.net
      93.184.221.200
      United States
      Search and Cortana application
      
      a-0019.a-msedge.net
      204.79.197.222
      United States
      Search and Cortana application
      
      a-9999.a-msedge.net
      204.79.197.254
      United States
      Search and Cortana application
      
      bn2.vortex.data.microsoft.com.akadns.net
      65.55.44.109
      
      array501-prod.dodsp.mp.microsoft.com.nsatc.net
      52.167.222.147
      United States
      Host Process for Windows Services
      
      array502-prod.dodsp.mp.microsoft.com.nsatc.net
      13.68.87.47
      United States
      Host Process for Windows Services
      
      array503-prod.dodsp.mp.microsoft.com.nsatc.net
      13.68.88.129
      United States
      Host Process for Windows Services
      
      array504-prod.dodsp.mp.microsoft.com.nsatc.net
      52.167.222.147
      United States
      Host Process for Windows Services
      
      array505-prod.dodsp.mp.microsoft.com.nsatc.net
      52.167.223.135
      United States
      Host Process for Windows Services
      
      DB5SCH103100314.wns.windows.com
      40.77.229.76
      United States
      Host Process for Windows Services
      
      c-0001.c-msedge.net
      13.107.4.50
      United States
      Host Process for Windows Services
      
      ipv4.login.msa.akadns6.net
      131.253.61.100
      United States
      Host Process for Windows Services
      
      fe3.delivery.dsp.mp.microsoft.com.nsatc.net
      64.4.54.18
      United States
      Host Process for Windows Services
      
      bn2.vortex.data.microsoft.com.akadns.net
      65.55.44.109
      United States
      Host Process for Windows Services
      
      arc.msn.com.nsatc.net
      207.46.194.33
      United States
      Background Task Host
      
      db5.settings.data.microsoft.com.akadns.net
      40.77.226.249
      United States
      Host Process for Windows Services
      Background Task Host
      (Microsoft Feedback SIUF Deployment)
      
      array501-prod.dodsp.mp.microsoft.com.nsatc.net
      13.68.82.8
      United States
      Host Process for Windows Services
      System
      
      service.datamart.windows.com.akadns.net
      13.68.117.33
      United States
      Wireless Background Task
      
      e10370.dscg.akamaiedge.net
      23.207.191.90
      United States
      Host Process for Windows Services
      
      ris.api.iris.microsoft.com.akadns.net
      40.77.229.148
      United States
      Background Task Host
      
      db5.displaycatalog.md.mp.microsoft.com.akadns.net
      40.77.229.125
      United States
      Host Process for Windows Services
      
      e1553.dspg.akamaiedge.net
      104.103.152.102
      United States
      Host Process for Windows Services
      
      e2821.dspb.akamaiedge.net
      104.82.235.53
      United States
      Wireless Background Task
      
      e7070.g.akamaiedge.net
      23.212.233.124
      Netherlands
      Host Process for Windows Services
      
      spclient.wg.spotify.com
      35.186.224.62
      United States
      Host Process for Windows Services
      
      a-0001.a-msedge.net
      13.107.21.200
      United States
      Background Task Host
      
      DB5SCH103100314.wns.windows.com
      40.77.229.76
      United States
      Host Process for Windows Services
      
      array507-prod.dodsp.mp.microsoft.com.nsatc.net
      52.184.155.206
      United States
      Host Process for Windows Services
      
      e11290.dspg.akamaiedge.net
      104.103.185.104
      United States
      Microsoft Malware Protection Command Line Utility
      
      23.212.232.96
      Background Task Host
      
      geo-prod.dodsp.mp.microsoft.com.nsatc.net
      40.77.226.219
      United States
      Host Process for Windows Services
      
      location-inference-westeurope.cloudapp.net
      52.178.38.38
      Netherlands
      Host Process for Windows Services
      
      e1706.g.akamaiedge.net
      104.103.114.93
      United States
      Host Process for Windows Services
      
      tsfe.trafficshaping.dsp.mp.microsoft.com
      40.77.229.141
      United States
      Host Process for Windows Services
      System
      
      db5.wns.notify.windows.com.akadns.net
      40.77.226.247
      United States
      Host Process for Windows Services
      
      a1683.dspw65.akamai.net
      62.253.3.219
      United Kingdom
      Host Process for Windows Services
      
      a122.dscg3.akamai.net
      62.253.3.139
      United Kingdom
      Host Process for Windows Services
      
      candycrushsoda.king.com
      185.48.81.162
      Sweden
      Host Process for Windows Services
      (Advertised games in the default Start menu)
      bubblewitch3mobile.king.com
      185.48.81.253
      Sweden
      Host Process for Windows Services
      (Advertised games in the default Start menu)
      e10663.g.akamaiedge.net
      23.212.234.37
      Netherlands
      Host Process for Windows Services
      
      52.169.71.150
      Ireland
      Antimalware Service Executable
      c:\programdata\microsoft\windows defender\platform\4.12.17007.18011-0\msmpeng.exe

      (Note that this last one happened when I plugged a USB stick in to transfer screenshots!)

      Hope this helps…

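The post above builds its picture of regular versus intermittent endpoints from repeated CurrPorts logs. The script below is an added example, not code from the post or from CurrPorts: it takes the same kind of snapshot with the built-in NetTCPIP cmdlets, appends it to a CSV log, and summarises which process/endpoint pairs recur and which are one-offs showing an ‘Unknown’ host or a binary that is not Microsoft-signed. The log path and the ‘seen in at least half the snapshots’ threshold are assumptions.

```powershell
# Added example, not code from the thread: takes one snapshot of established
# TCP connections to external addresses (what CurrPorts displays), appends it to
# a CSV log, and summarises which process/endpoint pairs recur across snapshots
# (the regular 'heartbeat') and which are one-offs that merit a look.
# Needs the NetTCPIP module (Windows 8 / Server 2012 or later); run elevated so
# every connection's owning process path is readable.

function Test-PrivateAddress {
    # RFC 1918, loopback and link-local IPv4; IPv6 loopback, link-local and ULA.
    param([string]$Address)
    return ($Address -match '^(10\.|127\.|169\.254\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)') -or
           ($Address -match '^(::1$|fe80:|f[cd])')
}

function Get-ExternalTcpSnapshot {
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { -not (Test-PrivateAddress $_.RemoteAddress) } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $path = if ($proc) { $proc.Path } else { $null }   # null for System/protected
            # Reverse lookup mirrors CurrPorts' 'Remote Host Name' column; no PTR
            # record is what the post above calls an 'Unknown' endpoint.
            $ptr = Resolve-DnsName $_.RemoteAddress -Type PTR -ErrorAction SilentlyContinue |
                   Select-Object -First 1 -ExpandProperty NameHost
            # Authenticode tells a validly signed Microsoft binary from anything else.
            $signer = ''
            if ($path) {
                $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
                if ($sig -and $sig.Status -eq 'Valid') { $signer = $sig.SignerCertificate.Subject }
            }
            [pscustomobject]@{
                Time       = $stamp
                Process    = if ($proc) { $proc.ProcessName } else { "pid $($_.OwningProcess)" }
                Path       = $path
                RemoteAddr = $_.RemoteAddress
                RemotePort = $_.RemotePort
                RemoteHost = if ($ptr) { $ptr } else { 'Unknown' }
                Signer     = $signer
            }
        }
}

function Write-ConnectionLog {
    # Log location is an assumption; pick whatever suits your environment.
    param([string]$LogPath = "$env:ProgramData\conn-snapshots.csv")
    Get-ExternalTcpSnapshot | Export-Csv -Path $LogPath -Append -NoTypeInformation
}

function Get-ConnectionSummary {
    # Pairs seen in at least half the snapshots are treated as 'regular';
    # 'Review' flags Unknown hosts and binaries that are unsigned or not Microsoft-signed.
    param([string]$LogPath = "$env:ProgramData\conn-snapshots.csv")
    $rows      = Import-Csv -Path $LogPath
    $snapshots = @($rows | Select-Object -ExpandProperty Time -Unique).Count
    $rows | Group-Object Process, RemoteHost | ForEach-Object {
        $first = $_.Group[0]
        $seen  = @($_.Group | Select-Object -ExpandProperty Time -Unique).Count
        [pscustomobject]@{
            Process    = $first.Process
            RemoteHost = $first.RemoteHost
            Addresses  = (@($_.Group.RemoteAddr | Sort-Object -Unique) -join ' ')
            SeenIn     = "$seen/$snapshots"
            Regular    = $seen -ge [math]::Ceiling($snapshots / 2)
            Review     = ($first.RemoteHost -eq 'Unknown') -or ($first.Signer -notmatch 'Microsoft')
        }
    } | Sort-Object Regular, Process
}

# One snapshot per run: schedule the script at logon or loop over Write-ConnectionLog
# for a while, then read the picture back with Get-ConnectionSummary.
Write-ConnectionLog
Get-ConnectionSummary | Format-Table -AutoSize
```

Connections that come and go before the script runs (the boot-time ones) will not appear here, which is exactly why the post pairs ProcMon boot logging with the post-boot log.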
      • #2469935

        What Rick said. I wouldn’t assume that every bit of traffic is bad or wrong. Some start up traffic is also group policy related.

        Susan Bradley Patch Lady/Prudent patcher

        • #2470159

          Perhaps I am over concerned about Windows 10 calling home.

          Our business is founded on Workstations with Intel Core i9 processors, 32 GB of memory, and dual SSD storage.

          They are only connected to the internet when we feel a need to update the systems. So, the boot issue is negligible.

          Our other machines are always connected to the internet. One way to circumvent my boot-up issue is not to shut them down when they are not in use.

      • #2470162

        Rick,

        Downloaded and tried the Edge Blocker program and through testing with my PowerShell Restart-Timer program I can confirm that Edge is doing stuff in the background.

        Testing methodology:

        1. Imaged C: drive with Reflect…Just in case!
        2. Downloaded & extracted contents.
        3. Rebooted using Restart-Timer to get existing reboot timing.
        4. Ran the 64 bit version and Blocked Edge.
        5. Rebooted using Restart-Timer to get reboot timing with Edge blocked.

        Before Installation of Edge Blocker
        DELLXPS8920's System is Compacted: False
        11:56:25 AM
        11:57:04 AM
        Elapsed Reboot Time: 00:00:39.8246722

        After Installation of Edge Blocker
        DELLXPS8920's System is Compacted: False
        12:01:59 PM
        12:02:36 PM
        Elapsed Reboot Time: 00:00:37.1813947

        Next on to test FAB (Firewall Application Blocker)

        May the Forces of good computing be with you!

        RG

        PowerShell & VBA Rule!
        Computer Specs

        • #2470163

          We also found that Microsoft Edge was doing “stuff” in the background.

          When we ran CCleaner’s Custom Clean, in its default mode, we always found that the largest number of items removed were Edge related.

          We solved the problem by disabling/removing Edge from all of our systems.

          • #2470373

            We solved the problem by disabling/removing Edge from all of our systems.

            Solved? You removed Edge from Windows 10; Arnold Schwarzenegger had a famous saying in the Terminator movies… that applies to that action.

            FWIW: Try changing the following within GPedit (I don’t use Edge either):
            Computer Configuration > Administrative Templates > Windows Components > Microsoft Edge > Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed

            I’ve set this to ENABLED on one device, which displays a configure pre-launch window; select ‘Prevent pre-launching’ from the drop-down menu box.
            And I’ve set it to DISABLED on another device to compare the difference; I haven’t seen Edge background connections/traffic using either method. YMMV

            Note: These are the ONLY things edited for Edge in GPedit (no other Edge related tweaks elsewhere, according to my notes).

            Windows - commercial by definition and now function...
          • #2470379

            One more note related to Microsoft Edge.

            We never used Microsoft Edge; even so, CCleaner’s Custom Clean found large numbers of items.

            Obviously, Edge was opening at boot-up and running in the background.

    • #2470173

      Perhaps I am over concerned about Windows 10 calling home.

      I think you’re right to ponder what Windows 10 is doing in the background but may also have to accept that ’10’ is much, much more ‘chatty’ than any of its predecessors where the internet is concerned. (I don’t know about ’11’ – I looked, I experimented, I hated… and haven’t been back since it launched.)

      As you may have seen by the list I posted above (which I really need to update), ’10’ has an inordinate amount of built-in ‘chatty’ processes/executables. It takes time and a lot of Google-foo to work out what is relatively benign (like Store updates, Defender AV signature updates, etc.) and what may possibly raise privacy concerns (like default telemetry).

      What I like is that there’s a veritable small army of like-minded people out there that come up with some amazing 3rd-party apps/tools/utils/scripts to wind back the ‘chattiness’. They help me strip out a lot of the built-in tardiness between ‘boot and truly usable desktop’ so I get quicker to a point where my device does what *I* want it to do rather than what *Microsoft* wants it to do (hence my pruning of scheduled tasks, startups and services).

      I should also add that I’m retired and it’s fun to tinker with “what ifs”… 🙂

    • #2470174

      … through testing with my PowerShell Restart-Timer program…

      RG – I’ve somehow lost your Restart-Timer PS script and it’s not in your public OneDrive shared folder (unless I’ve suddenly gone blind)? Eek!

    • #2470179

      During the boot process our firewall app loads, but our concern is the generation of internet traffic during boot-up and before the firewall begins to work.

      The firewall we run on each Windows client includes a networking device driver that hooks into the Windows OS at the NDIS layer, before TCP/IP gets to process the packet. All Windows network traffic is seen by this device driver, including packets sent at boot time, since the device driver is a part of the network stack. The firewall is a part of our third-party security suite. Any destination IP address, subnet, port or protocol should be filtered by pre-existing firewall rules, or that is a firewall bug.

      An exception would be any network traffic produced by the “UEFI” subsystems before Windows gets control. But one would assume a secure boot is taking place, which would, in theory, prevent any malware during “pre-boot”.

      Inserting a separate network device to filter packets, another “firewall” inserted into your network topology besides your perimeter router, would be another option. You could run a destination report from some network devices on where all your outbound traffic goes, from the logs generated.

      The excess volume of network traffic Microsoft generates at boot time with Windows 10+ would be another topic to discuss. If any of this traffic is undesired, it is better to turn it off at the source, if possible, through Windows client configuration changes.

      Our client security suite can have settings updates, immediately following boot, automatically received over the network. Better for us to get them quickly.

      Windows 10 22H2 desktops & laptops on Dell, HP, ASUS; No servers, no domain.

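Two of the ‘turn it off at the source’ changes discussed in this thread are the Edge pre-launch group policy from post #2470373 and per-program outbound blocks of the telemetry executables in Rick’s CurrPorts list. The script below is an added example, not code from the thread, Evorim or sordum.org: it applies both with the OS’s own tools, so the settings are held by Windows itself rather than by a suite that has to finish loading first. Assumptions: the registry values are the ones the Edge (legacy) pre-launch and tab-preloading policies write (check against the ADMX on your device), and the ‘BootNoise-’ rule prefix is an arbitrary label.

```powershell
# Added example, not code from the thread: the two 'turn it off at the source'
# changes it discusses, done with the OS's own tools. Run elevated.
# Assumptions: the registry values below are the ones the Edge (legacy)
# pre-launch and tab-preloading group policies write; 'BootNoise-' is an
# arbitrary prefix for the rules this script creates.

$EdgePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge'
$EdgeValues = @(
    @{ Key = "$EdgePolicy\Main";         Name = 'AllowPrelaunch' },     # 0 = Prevent pre-launching
    @{ Key = "$EdgePolicy\TabPreloader"; Name = 'AllowTabPreloading' }  # 0 = Prevent tab preloading
)

function Set-EdgePrelaunchPolicy {
    # Same effect as the GPEdit path in the thread with 'Prevent pre-launching' selected.
    foreach ($v in $EdgeValues) {
        if (-not (Test-Path $v.Key)) { New-Item -Path $v.Key -Force | Out-Null }
        Set-ItemProperty -Path $v.Key -Name $v.Name -Value 0 -Type DWord
    }
}

function Get-EdgePrelaunchPolicy {
    # Audit form for checking a fleet: reports each value or 'not set'.
    foreach ($v in $EdgeValues) {
        $item = Get-ItemProperty -Path $v.Key -Name $v.Name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Policy = $v.Name
            Value  = if ($null -ne $item) { $item.($v.Name) } else { 'not set' }
        }
    }
}

# Executables from the CurrPorts list in the thread whose job is telemetry or
# feedback upload. Keep Defender's msmpeng.exe / mpcmdrun.exe out of any such
# list: blocking them costs you signature updates.
$BlockOutbound = @(
    "$env:SystemRoot\System32\CompatTelRunner.exe",   # Microsoft Compatibility Telemetry
    "$env:SystemRoot\System32\dmclient.exe"           # Feedback SIUF Deployment Manager
)

function Set-OutboundBlockRules {
    # Per-program outbound block rules in Windows Defender Firewall, the same kind
    # of rule a front end such as Firewall App Blocker creates for you.
    param([string[]]$Programs = $BlockOutbound, [string]$Prefix = 'BootNoise-')
    foreach ($exe in $Programs) {
        if (-not (Test-Path $exe)) { Write-Warning "not present, skipping: $exe"; continue }
        $name = $Prefix + [IO.Path]::GetFileName($exe)
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Block `
            -Program $exe -Profile Any -Enabled True | Out-Null
    }
}

function Get-OutboundBlockRules {
    # Audit: which of this script's rules exist and what they point at.
    param([string]$Prefix = 'BootNoise-')
    Get-NetFirewallRule -DisplayName "$Prefix*" -ErrorAction SilentlyContinue | ForEach-Object {
        $app = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{ Rule = $_.DisplayName; Program = $app.Program
                           Enabled = $_.Enabled;  Action = $_.Action }
    }
}

Set-EdgePrelaunchPolicy
Set-OutboundBlockRules
Get-EdgePrelaunchPolicy | Format-Table -AutoSize
Get-OutboundBlockRules  | Format-Table -AutoSize
```

If a third-party suite has switched Windows Defender Firewall off for a profile, rules in that profile are not enforced, so check the profile state with Get-NetFirewallProfile after running this.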
    • #2470635

      Ok I’ve updated a bunch of my programs and they are now on the One Drive Shared location.

      Can you point me to descriptions of each of the apps that you have posted on your “One Drive location”?

      Thanks

      • #2470672

        Kathy,

        Each of the programs contains what is referred to in PowerShell as comment-based help.

        In PowerShell simply enter:
        Get-Help d:\Path\ProgramName.ps1 -Full

        This should supply all the information you need. Also, I tried to make the names as descriptive as possible within PS naming guidelines.

        May the Forces of good computing be with you!

        RG

        PowerShell & VBA Rule!
        Computer Specs

    • #2470678

      Each of the programs contains what is referred to in PowerShell as comment-based help.

      Thanks, will give it a try.
