Which of these services needs internet access?

[JohnOne]

I was wondering what was uploading to internet and decided to stop the services 1 by 1 to catch the culprit running under svchost.

I had stopped a few already that I thought were possible candidates, like windows update and the likes, but one of the remaining services was uploading to somewhere or other, can you determine which one from the image?

For me, I don't see what business any of those have uploading data to the internet, especially since I have every privacy setting and telemetry service I can find, turned off.

EDIT: I estimate it uploaded over 15MB of data before I stopped it.

Edited March 9, 2016 by JohnOne

[spudw2k]

My first guess would be BITS.  Have you disabled AU Uploads? http://www.howtogeek.com/224981/how-to-stop-windows-10-from-uploading-updates-to-other-pcs-over-the-internet/

There are a few services listed that are network-centric, but I'd be shocked if they we're uploading to the web.  Having said that, I can't rule it out for sure.  I'm not familiar enough with the Cert Propagatation service to know if it does web communication, but it's a candidate as well (15MB worth though...unsure).

 

[JLogan3o13]

@JohnOne I'm assuming (as I think spudw2k is referring to) that you're just seeing network traffic, not necessarily uploading to the web specifically. Am I correct?

I can tell you that certificate propagation can be disabled unless you are using smart cards in your environment; while on it is checking in with A.D. to see if there is a GPO that affects smartcard certs, so it may generate some traffic (can't see it being 15MB but you may have a combo of things going on).

BITS uses background bandwidth to transfer files between PCs, so you could definitely be seeing some traffic from that one. A lot of applications use BITS, beyond the MS apps like Windows Updates, so you'll have to test disabling it.

Lastly, the IP Helper service does some background work for IPv4 to IPv6 tunneling. If you are not using IPv6 you can probably test disabling it. I have seen where that generates some traffic.

[JohnOne]

I'm not connected to any network other than the internet, and there is not even a router in the mix. A combination of both my firewall, and data meter on my phone told me the traffic was outbound, and it ceased immediately after stopping "User Manager"

[spudw2k]

Interesting...

Is the computer configured to use an MS Live account for auth or is it a local account?  Just for my curiosity.

[JohnOne]

Local account, I seiously go out of my way to stop this kind of thing because I use metered connection a lot, I keep my eye on it all the time and see very little traffic where I'm not certain exactly what it is.

[spudw2k]

5 hours ago, JohnOne said:

 A combination of both my firewall, and data meter on my phone told me the traffic was outbound, and it ceased immediately after stopping "User Manager"

You could configure your firewall to block all traffic and start "white listing".  An aggressive approach to a problem which begs for it.

[jaeger52]

spudw2k, that's a good idea but perhaps a bit extreme in the absence of any apparent threat. White-listing has the virtue of offering complete control of access, but comes with problems of its own.

[spudw2k]

Agreed, but I know the nightmare of metered bandwidth.  If it was me protecting my meter, I would want to be sure that nothing flies without my permission.  

[jaeger52]

Fair point. If it's as negligible an amount of traffic as JohnOne initially stated it might be bearable, but if it fluctuates or increases you're dead on.