JohnOne

Which of these services needs internet access?

10 posts in this topic

#1 ·  Posted (edited)

I was wondering what was uploading to internet and decided to stop the services 1 by 1 to catch the culprit running under svchost.

I had stopped a few already that I thought were possible candidates, like windows update and the likes, but one of the remaining services was uploading to somewhere or other, can you determine which one from the image?

win10seviceusingwanbandwidth.jpg

For me, I don't see what business any of those have uploading data to the internet, especially since I have every privacy setting and telemetry service I can find, turned off.

EDIT: I estimate it uploaded over 15MB of data before I stopped it.

Edited by JohnOne

AutoIt Absolute Beginners    Require a serial    Pause Script    Video Tutorials by Morthawt   ipify 

Monkey's are, like, natures humans.
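One way to narrow down the candidates before stopping services one at a time, as an added example that is not part of the original thread: it lists established TCP connections owned by `svchost.exe` and the services hosted in each owning process. It assumes an elevated PowerShell session on Windows 10; the output column names are illustrative.

```powershell
# Added example (not from the thread): map svchost-owned TCP connections
# to the services hosted in each svchost.exe instance.

# PIDs of all running svchost.exe instances
$svchostPids = (Get-Process -Name svchost -ErrorAction SilentlyContinue).Id

# Services keyed by the PID of the process that hosts them
$servicesByPid = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.ProcessId -in $svchostPids } |
    Group-Object -Property ProcessId -AsHashTable -AsString

Get-NetTCPConnection -State Established |
    Where-Object {
        $_.OwningProcess -in $svchostPids -and
        $_.RemoteAddress -notin '127.0.0.1', '::1'   # skip loopback
    } |
    ForEach-Object {
        $hosted = @($servicesByPid["$($_.OwningProcess)"])
        [pscustomobject]@{
            ProcessId  = $_.OwningProcess
            Remote     = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
            Services   = ($hosted.Name | Sort-Object) -join ', '
            # True when several services share this svchost instance,
            # so the PID alone does not identify the sender
            SharedHost = $hosted.Count -gt 1
        }
    } |
    Sort-Object ProcessId, Remote |
    Format-Table -AutoSize -Wrap
```

Where `SharedHost` is true, the connection can only be attributed to the group of services in that process, so stopping them one by one is still needed to single out the sender.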




My first guess would be BITS.  Have you disabled AU Uploads? http://www.howtogeek.com/224981/how-to-stop-windows-10-from-uploading-updates-to-other-pcs-over-the-internet/

There are a few services listed that are network-centric, but I'd be shocked if they were uploading to the web.  Having said that, I can't rule it out for sure.  I'm not familiar enough with the Cert Propagation service to know if it does web communication, but it's a candidate as well (15MB worth though...unsure).

 

1 person likes this


@JohnOne I'm assuming (as I think spudw2k is referring to) that you're just seeing network traffic, not necessarily uploading to the web specifically. Am I correct?

I can tell you that certificate propagation can be disabled unless you are using smart cards in your environment; while on it is checking in with A.D. to see if there is a GPO that affects smartcard certs, so it may generate some traffic (can't see it being 15MB but you may have a combo of things going on).

BITS uses background bandwidth to transfer files between PCs, so you could definitely be seeing some traffic from that one. A lot of applications use BITS, beyond the MS apps like Windows Updates, so you'll have to test disabling it.

Lastly, the IP Helper service does some background work for IPv4 to IPv6 tunneling. If you are not using IPv6 you can probably test disabling it. I have seen where that generates some traffic.

1 person likes this

√-1 2^3 ∑ π, and it was delicious!


I'm not connected to any network other than the internet, and there is not even a router in the mix. A combination of both my firewall, and data meter on my phone told me the traffic was outbound, and it ceased immediately after stopping "User Manager".



Interesting...

Is the computer configured to use an MS Live account for auth or is it a local account?  Just for my curiosity.

1 person likes this

Share this post


Link to post
Share on other sites

Local account, I seriously go out of my way to stop this kind of thing because I use metered connection a lot, I keep my eye on it all the time and see very little traffic where I'm not certain exactly what it is.


5 hours ago, JohnOne said:

 A combination of both my firewall, and data meter on my phone told me the traffic was outbound, and it ceased immediately after stopping "User Manager"

You could configure your firewall to block all traffic and start "white listing".  An aggressive approach to a problem which begs for it.

1 person likes this
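The block-all-then-allow approach suggested above, sketched with Windows Defender Firewall cmdlets as an added example that is not part of the original thread. It assumes an elevated PowerShell session; the rule name and program path are placeholders.

```powershell
# Added example (not from the thread): default-deny outbound with an
# explicit allow list.

# 1. Record the current defaults so the change can be reverted later.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

# 2. Review outbound allow rules that are already enabled; they keep
#    matching after the default changes, so disable any you do not want.
Get-NetFirewallRule -Direction Outbound -Enabled True -Action Allow |
    Sort-Object DisplayGroup, DisplayName |
    Format-Table DisplayGroup, DisplayName, Profile -AutoSize

# 3. Block every outbound connection that no allow rule matches.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block

# 4. Allow only what is needed. Name and path are placeholders (assumption).
$allowed = @(
    @{ Name = 'Allowlist - Browser (example)'; Program = 'C:\Path\To\browser.exe' }
)
foreach ($entry in $allowed) {
    New-NetFirewallRule -DisplayName $entry.Name -Direction Outbound `
        -Action Allow -Program $entry.Program -Profile Any | Out-Null
}

# To revert step 3:
# Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Allow
```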


spudw2k, that's a good idea but perhaps a bit extreme in the absence of any apparent threat. White-listing has the virtue of offering complete control of access, but comes with problems of its own.

1 person likes this


Agreed, but I know the nightmare of metered bandwidth.  If it was me protecting my meter, I would want to be sure that nothing flies without my permission.  


Fair point. If it's as negligible an amount of traffic as JohnOne initially stated it might be bearable, but if it fluctuates or increases you're dead on.

