JohnOne Posted March 9, 2016 (edited)

I was wondering what was uploading to the internet and decided to stop the services one by one to catch the culprit running under svchost. I had stopped a few already that I thought were possible candidates, like Windows Update and the like, but one of the remaining services was uploading to somewhere or other. Can you determine which one from the image? For me, I don't see what business any of those have uploading data to the internet, especially since I have every privacy setting and telemetry service I can find turned off.

EDIT: I estimate it uploaded over 15MB of data before I stopped it.

Edited March 9, 2016 by JohnOne
spudw2k Posted March 9, 2016

My first guess would be BITS. Have you disabled AU uploads? http://www.howtogeek.com/224981/how-to-stop-windows-10-from-uploading-updates-to-other-pcs-over-the-internet/

There are a few services listed that are network-centric, but I'd be shocked if they were uploading to the web. Having said that, I can't rule it out for sure. I'm not familiar enough with the Certificate Propagation service to know if it does web communication, but it's a candidate as well (15MB worth though... unsure).
JLogan3o13 (Moderator) Posted March 9, 2016

@JohnOne I'm assuming (as I think spudw2k is referring to) that you're just seeing network traffic, not necessarily uploading to the web specifically. Am I correct?

I can tell you that Certificate Propagation can be disabled unless you are using smart cards in your environment; while on, it is checking in with A.D. to see if there is a GPO that affects smartcard certs, so it may generate some traffic (can't see it being 15MB, but you may have a combo of things going on).

BITS uses background bandwidth to transfer files between PCs, so you could definitely be seeing some traffic from that one. A lot of applications use BITS, beyond the MS apps like Windows Update, so you'll have to test disabling it.

Lastly, the IP Helper service does some background work for IPv4 to IPv6 tunneling. If you are not using IPv6 you can probably test disabling it. I have seen where that generates some traffic.
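Stopping services one at a time works, but it is slow and, on 2016-era Windows 10 builds, several services share one svchost.exe process, so a firewall that only shows the PID cannot tell you which of them owns the socket. The script below is an added example written for this thread (not code posted by anyone in it, and not a Microsoft tool): it lists every established TCP connection to a non-local address, resolves the owning process, and maps that PID back to the service names hosted in it using Win32_Service. It assumes an elevated PowerShell 5.1 session on Windows 8.1/10 (Get-NetTCPConnection comes from the NetTCPIP module) and that you run it while the traffic is still flowing.

```powershell
# Added example, not from the thread: attribute live outbound TCP connections
# to the Windows services hosted inside the owning svchost.exe process.
# Assumes: elevated PowerShell 5.1+ on Windows 8.1/10 with the NetTCPIP module.

# 1. Build a PID -> [service names] map for every running service. A shared
#    svchost PID will map to several names; a standalone service to one.
$svcByPid = @{}
Get-CimInstance Win32_Service -Filter "State='Running'" | ForEach-Object {
    $p = [int]$_.ProcessId
    if ($p -eq 0) { return }                       # not yet started / no process
    if (-not $svcByPid.ContainsKey($p)) { $svcByPid[$p] = @() }
    $svcByPid[$p] += $_.Name
}

# 2. Walk established connections, drop loopback/unspecified peers, and join
#    each one to its image name and any hosted services.
$report = Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$|::$)' } |
    ForEach-Object {
        $pidValue = [int]$_.OwningProcess
        $proc = Get-Process -Id $pidValue -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Remote   = "$($_.RemoteAddress):$($_.RemotePort)"
            PID      = $pidValue
            Image    = if ($proc) { $proc.ProcessName } else { '?' }
            Services = if ($svcByPid.ContainsKey($pidValue)) { $svcByPid[$pidValue] -join ', ' } else { '' }
        }
    }

$report | Sort-Object PID, Remote | Format-Table -AutoSize
```

Where one PID still shows several services, move the suspect out of the shared group so it gets its own process and therefore its own PID in the firewall log: `sc.exe config <ServiceName> type= own` (note the space after `type=`), restart the service, and re-run the script. Reverse it with `type= share` once you are done. The script reports connections, not byte counts; for volume per process you still need Resource Monitor or your firewall's per-process meter.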
JohnOne (Author) Posted March 9, 2016

I'm not connected to any network other than the internet, and there is not even a router in the mix. A combination of both my firewall and the data meter on my phone told me the traffic was outbound, and it ceased immediately after stopping "User Manager".
spudw2k Posted March 9, 2016

Interesting... Is the computer configured to use an MS Live account for auth or is it a local account? Just for my curiosity.
JohnOne (Author) Posted March 9, 2016

Local account. I seriously go out of my way to stop this kind of thing because I use a metered connection a lot. I keep my eye on it all the time and see very little traffic where I'm not certain exactly what it is.
spudw2k Posted March 9, 2016

5 hours ago, JohnOne said: "A combination of both my firewall and the data meter on my phone told me the traffic was outbound, and it ceased immediately after stopping 'User Manager'."

You could configure your firewall to block all traffic and start white-listing. An aggressive approach to a problem which begs for it.
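The default-deny-then-allowlist approach spudw2k suggests can be done with the built-in Windows Firewall alone. The script below is an added example for this thread (not code from any poster): it switches all three profiles to block outbound by default, turns on logging of dropped packets so you can see what a metered link would otherwise have paid for, and then adds narrow allow rules. It assumes an elevated PowerShell session on Windows 8.1/10 with the NetSecurity module; the browser path and the `Metered-Allow` rule-name prefix are illustrative choices, not Windows defaults.

```powershell
# Added example, not from the thread: default-deny outbound with an explicit
# allow list in Windows Firewall. Assumes elevated PowerShell on Windows 8.1/10.

# Programs you trust to reach the internet (assumption: edit for your machine).
$allowedPrograms = @(
    'C:\Program Files\Mozilla Firefox\firefox.exe'
)
$svchost = '%SystemRoot%\System32\svchost.exe'   # host for DNS/DHCP client services

# Keep a record of the current defaults so the change can be reverted.
$before = Get-NetFirewallProfile | Select-Object Name, DefaultOutboundAction
$before | Format-Table -AutoSize

# 1. Block outbound by default on every profile and log what gets dropped
#    (%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log by default).
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultOutboundAction Block -LogBlocked True

function Add-AllowRule {
    # Idempotent helper: create the rule only if one with this name is absent.
    param([string]$Name, [hashtable]$RuleArgs)
    if (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue) { return }
    New-NetFirewallRule -DisplayName $Name -Direction Outbound -Action Allow `
        -Profile Any -Enabled True @RuleArgs | Out-Null
}

# 2. Name resolution and address assignment, scoped to the specific services
#    inside svchost rather than to svchost.exe as a whole.
Add-AllowRule 'Metered-Allow DNS'  @{ Program = $svchost; Service = 'Dnscache'; Protocol = 'UDP'; RemotePort = 53 }
Add-AllowRule 'Metered-Allow DHCP' @{ Program = $svchost; Service = 'Dhcp';     Protocol = 'UDP'; RemotePort = 67 }

# 3. One rule per trusted binary; skip paths that do not exist on this box.
foreach ($exe in $allowedPrograms) {
    if (-not (Test-Path $exe)) { Write-Warning "Skipping missing program: $exe"; continue }
    $ruleName = 'Metered-Allow ' + [IO.Path]::GetFileNameWithoutExtension($exe)
    Add-AllowRule $ruleName @{ Program = $exe }
}

Get-NetFirewallRule -DisplayName 'Metered-Allow *' |
    Select-Object DisplayName, Enabled, Action | Format-Table -AutoSize

# To revert:
#   Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Allow
#   Get-NetFirewallRule -DisplayName 'Metered-Allow *' | Remove-NetFirewallRule
```

Two caveats a practitioner would want. First, existing built-in allow rules (Core Networking, Windows Update, Store, etc.) still match before the default action, so audit `Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True` and disable what you do not want, or the allowlist is not really an allowlist. Second, the DNS rule is scoped to the Dnscache service on purpose; a plain "any process to UDP/53" rule would let any program tunnel data out through DNS, which defeats the point of metering.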
jaeger52 Posted March 9, 2016

spudw2k, that's a good idea but perhaps a bit extreme in the absence of any apparent threat. White-listing has the virtue of offering complete control of access, but comes with problems of its own.
spudw2k Posted March 9, 2016

Agreed, but I know the nightmare of metered bandwidth. If it was me protecting my meter, I would want to be sure that nothing flies without my permission.
jaeger52 Posted March 9, 2016

Fair point. If it's as negligible an amount of traffic as JohnOne initially stated it might be bearable, but if it fluctuates or increases you're dead on.