Lawrence Abrams has a significant discovery: Microsoft has quietly added a built-in network packet sniffer to the Windows 10 October 2018 Update, and
[See the full post at: BleepingComputer: Win10 version 1809 got a network sniffer, and nobody noticed until now]
BleepingComputer: Win10 version 1809 got a network sniffer, and nobody noticed until now
- This topic has 30 replies, 12 voices, and was last updated 3 years, 4 months ago.
woody
Manager
anonymous
Guest
The article that’s referred to in Bleeping Computer says that the packet monitor is intended only for your use on your computer, NOT for Microsoft (or any other outfit/person) to spy on what you’re doing on or with your computer.
It’s designed for you to monitor the network traffic to and from your computer yourself using a program within Windows, rather than a third party program such as Wireshark.
Edit for content. Please follow the –Lounge Rules–
-
DriftyDonN
AskWoody Plus
If it’s on your computer and you don’t have an extensive background (I don’t) regarding MSFT’s abilities behind the scenes, then that article isn’t going to educate to any great degree.
Why would MSFT put a tool for ME on the system and not BOTHER to bring it to anyone’s attention? Perhaps because they use it on your system too!
Skeptical
Edit for content.
-
-
Alex5723
AskWoody Plus
So does this sniffing tool run in the background as part of Microsoft’s Telemetry system?
3 users thanked author for this post.
-
Flashorn
AskWoody Lounger
Thanks again for this info Woody.
Now, simple question.
Can we get rid of IT.
Windows 10 uses so many more resources (especially CPU) that it does at times interfere with gaming. I still use W7 for gaming but, sometimes, I try it on my W10 machine and go back to 7 every time. My W10 machine is recent and has 1909 installed. It is a stable platform but, at 130 processes compared to 62 on my W7 machine, I really don’t like it.
Sorry for the rant. My initial question still stands though, if anyone can answer it please.
Thanks
Flashorn.
-
This reply was modified 3 years, 4 months ago by Flashorn.
-
joep517
AskWoody MVP
The larger number of processes on Windows 10 is largely from having the various service host processes load as individual processes rather than lumped together. This improves system stability so that if there is a problem with a process, that process can be terminated without terminating several others that are running OK.
Also, all browsers that I know about have multiple processes running for the same reason as the service host processes being split. It makes for a more stable environment. It is also more secure as each process is isolated from the others.
Yes, there is more going on with Windows 10 than with Windows 7. You can take a look at this older information on Windows 10 service tweaking – Black Viper’s Windows 10 Service Configurations. Some may still be useful.
--Joe
3 users thanked author for this post.
joep517
AskWoody MVP
Who can guarantee that any program included will not be compromised?
Who can guarantee that any program will not be invoked by Microsoft?
Do you go through and remove all the tools included in Windows just to be safe?
If you are that concerned, go to a different OS and take your chances there.
--Joe
1 user thanked author for this post.
-
Alex5723
AskWoody Plus
Do you go through and remove all the tools included in Windows just to be safe?
If there is no malicious intent in adding the tool, why isn’t there any Microsoft documentation in 2 years?
Before the BleepingComputer post, who knew about the tool?
-
b
Manager
If there is no malicious intent in adding the tool, why isn’t there any Microsoft documentation in 2 years?
It’s documented by Microsoft with instructions (three days ago) as the preferred method of verifying DoH after setup:
Now that you have Windows configured to use DoH, you should be able to verify it’s working by seeing no more plain text DNS traffic from your device. You can do this by using Packetmon, a network traffic analyzer included with Windows.
Windows Insiders can now test DNS over HTTPS
Windows 11 Pro version 22H2 build 22621.2361 + Microsoft 365 + Edge
-
anonymous
Guest
Just to keep the tin hat nearby, the article you reference above on testing DoH within Windows 10 was just written this past Wednesday, from what I see of the days/dates things have been written on that page. Granted, Lawrence’s article was posted today, the 16th of May.
I will say this, though: Lawrence doesn’t say anywhere in the article just how he found out about pktmon.exe being in version 1809 in the first place, nor if it might happen to exist in any earlier versions of Win 10.
Things that make you go “Hmmmm”. 😉
1 user thanked author for this post.
-
Flashorn
AskWoody Lounger
Hey Joe!
Appreciate your response, but my question was not why, but can I?
And as Alex has mentioned, I too am wary of MS. It’s not the disk space; I have lots of space on this NVMe.
As for Viper, I have been aware of and reading him since he became Viper. I have also found that, every time we upgrade to a new version, it changes some of his recommendations, so lots of work compared to W7 or Vista or XP.
So, if you could help me in removing this new addition, I would be very grateful.
Thanks again for your input. Appreciate it.
Flashorn.
-
Tom-R
AskWoody Plus
Flashorn: If you just want to remove this, it should be pretty straightforward. Go to %windir%\system32, and just delete or rename the file “PktMon.exe”.
Note though that you’ll get an “Access is denied” message if you attempt this through a normal command window. So you’ll need to be a TrustedInstaller. To do that I use NSudo, which you can download from MajorGeeks at: https://www.majorgeeks.com/files/details/nsudo.html
If you use NSudo to do this, just keep this warning in mind (from the MajorGeeks web page): “NSudo is a handy utility but should only be used by advanced users who understand what it does and the problems it could potentially cause.”
-
Tom-R
AskWoody Plus
DriftyDonN: Thanks for letting me know about this. I’m seeing the file show up as infected now as well. Just 7 days ago (on 5/9/2020) I was at that same URL to download the same file, and had no issues at all — no sign of any infection then. But today (5/16/2020) the download link shows up as infected for me too — from two different computers.
I just now sent an email to the MajorGeeks website admin to report this issue. So hopefully, they’ll either fix the problem or (at least temporarily) disable the download links. But in the meantime, please do not download or use that newly posted version of the NSudo software — at least not what’s currently posted at the MajorGeeks website.
1 user thanked author for this post.
-
satrow
AskWoody MVP
Did you read the Majorgeeks page before downloading the zip?
No.
A snippet from the middle section:
NSudo is a handy utility but should only be used by advanced users who understand what it does and the problems it could potentially cause. It has a lot of uses, for example, to assist in disabling the Windows Defender Security Health Service. Here’s how you can do that from our friend Snappy Phoenix:
“While you can easily disable Windows Defender and all its startup entries/tasks in task scheduler, there is one service that is protected if you check it in services.msc and won’t allow you to change its status to disabled.
Here is how you can disable it:
There are some useful clues there, some repeated, that may help you to understand what your SmartScreen/security is alerting you to.
1 user thanked author for this post.
-
satrow
AskWoody MVP
You can’t get the refusal screenshot without clicking a download link, browser pre-loading/-fetching/pet cat?
Look at the ‘Threat name’ in your screenshot – it begins with Gen. – Generic (guesswork/looks or acts like) – there’s no real detection other than ‘hey, this is a tool that can be used to turn off Windows security’. That was already stated on the MajorGeeks page and shouldn’t have been a surprise.
I did download it, I also extracted it, and uploaded the zip and multiple ‘infected’ .dll and .exe for fresh examination at Virustotal. I’m not convinced that there are any infected files in there at all, it looks like a useful tool that can set off a few tripwires.
Nothing new there, Russinovich had at least three of his Sysinternal tools treated in the same way, Nir Sofer has always had this ‘problem’ with many of his tools.
Are they infected? No. Can they be used nefariously? Yes.
3 users thanked author for this post.
-
Tom-R
AskWoody Plus
satrow: I use NSudo all the time; and whenever I need to update it I do so via the MajorGeeks website, which I also generally consider a trustworthy source for downloads. However, having said that, I would advise you to not trust that copy of NSudo that you just downloaded.
Here’s why. I downloaded NSudo 8.0 from MajorGeeks on 5/9/2020. At that time I had absolutely no warnings of any kind about any infections in the download file. However, based on the report here from DriftyDonN, I went back to MajorGeeks and downloaded the allegedly exact same file again on 5/16/2020. I used the same computer and same browser that I had used previously on 5/9. But this time the browser popped up a warning that the new file was infected. So something about that NSudo zip file changed; and it changed within the past week — between 5/9 and 5/16.
As I mentioned in my earlier post, I sent an email to the MajorGeeks website admin to report this issue, including the fact that VirusTotal now lists 19 different detection engines reporting threats with the NSudo file (whereas it was clean previously). I haven’t heard back yet; but until I do I would consider that new NSudo download file to be highly suspect. At this point, there’s just too many red flags that I’m seeing. And again, I’m saying this as a frequent user of the NSudo program and the MajorGeeks website.
2 users thanked author for this post.
-
satrow
AskWoody MVP
Virustotal gives me the same pages/hashes for the files I’ve tested from both MajorGeeks and Github downloads:

History
First Submission              2020-03-08 09:37:51
Last Submission               2020-03-26 09:44:25
Last Analysis                 2020-05-17 10:03:24
Earliest Contents Modification 2020-01-22 06:10:00
Latest Contents Modification   2020-03-08 05:39:14
Names
NSudo_8.0_All_Components.zip

Individual files flagged up:

Bundled Files
Scanned      Detections   File type   Name
2020-05-17   20 / 71      Win32 DLL   NSudo_8.0_All_Components/NSudo Devil Mode/Win32/NSudoDM.dll
2020-05-08    4 / 71      Win32 EXE   NSudo_8.0_All_Components/NSudo Launcher/Win32/NSudoLG.exe
2020-04-21    3 / 69      Win32 EXE   NSudo_8.0_All_Components/NSudo Launcher/Win32/NSudoLC.exe
2020-04-21    1 / 70      Win32 EXE   NSudo_8.0_All_Components/NSudo Launcher/ARM/NSudoLC.exe
2020-04-21    1 / 68      Win32 EXE   NSudo_8.0_All_Components/NSudo Launcher/ARM/NSudoLG.exe

Highest flagged count:

Basic properties
MD5          e5be7c5bf13da3421f31dfa203a41037
SHA-1        89101df4a3fdf2630e71c9641140f519d6e6aad7
SHA-256      413f14bf424cacff67c5395afa2ba25e84b038c8111471fb27ecca3bd3d6132f
Vhash        124056651d15155gz23@z
Authentihash b6aaa215bb5282b980785d3869be35d61d9398a4b7600a90ba3f1b1011eadf70
Imphash      053da52e98b6f21f8418d4bccf9e7633
SSDEEP       384:MXIRI2I5OlyNDWH+cTcvEhJhjU7W/oCKWX6jGEt4:2Bb5WaDWH+c48hzj+WQCfX6yc4
File type    Win32 DLL
Magic        PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
File size    22.00 KB (22528 bytes)
History
Creation Time    2020-03-07 21:23:52
First Submission 2020-03-09 07:45:21
Last Submission  2020-03-09 07:45:21
Last Analysis    2020-05-17 18:30:45
Names
NSudoDM
NSudoDM.dll

Maybe the only things changed were the malware definitions?
-
Tom-R
AskWoody Plus
Interesting. I checked github also; and I see that the zipped download file from there also gets detected as infected by my system and VirusTotal. Yet the previous download I have (also version 8.0) appears clean. I don’t have time anymore today; but I’ll try to find time tomorrow to compare the individual files to see what’s different. In the meantime I’m curious if MajorGeeks admin will reply regarding this. I would think that they would be concerned about hosting or linking to a file that VirusTotal is complaining about. It’s very strange.
1 user thanked author for this post.
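The file-by-file comparison Tom-R plans above, and the hash matching satrow did against VirusTotal, can be made repeatable with a short script. This is an added example written for this page, not code from the thread, MajorGeeks, or the NSudo project. It assumes PowerShell 5.1 or later (for Expand-Archive and Get-FileHash), and the two zip paths are placeholders for the copy saved earlier and the copy fetched later.

```powershell
# Added example: compare two copies of a downloaded archive file by file (SHA-256),
# so you can tell whether the archive itself changed between downloads or only the
# scanners' definitions did. Paths below are placeholders.

function Get-ArchiveHashes {
    # Extract the zip to a scratch folder and return a table of relative path -> SHA-256.
    param([Parameter(Mandatory)][string]$ZipPath)
    $tmp = Join-Path ([IO.Path]::GetTempPath()) ([IO.Path]::GetRandomFileName())
    Expand-Archive -LiteralPath $ZipPath -DestinationPath $tmp -Force
    $table = @{}
    Get-ChildItem -LiteralPath $tmp -Recurse -File | ForEach-Object {
        $rel = $_.FullName.Substring($tmp.Length).TrimStart('\')
        $table[$rel] = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
    Remove-Item -LiteralPath $tmp -Recurse -Force
    return $table
}

function Compare-ArchiveHashes {
    # Report every member that was added, removed, or changed between the two tables.
    param([Parameter(Mandatory)][hashtable]$Old, [Parameter(Mandatory)][hashtable]$New)
    $names = @($Old.Keys) + @($New.Keys) | Sort-Object -Unique
    foreach ($n in $names) {
        if (-not $Old.ContainsKey($n))     { [pscustomobject]@{ File = $n; Status = 'added' } }
        elseif (-not $New.ContainsKey($n)) { [pscustomobject]@{ File = $n; Status = 'removed' } }
        elseif ($Old[$n] -ne $New[$n])     { [pscustomobject]@{ File = $n; Status = 'changed' } }
        else                               { [pscustomobject]@{ File = $n; Status = 'same' } }
    }
}

# Placeholder paths: the earlier download and the later one of the "same" archive.
$oldZip = 'C:\downloads\NSudo_8.0_All_Components-earlier.zip'
$newZip = 'C:\downloads\NSudo_8.0_All_Components-later.zip'

# Whole-archive hashes first: these are what you paste into VirusTotal's search box.
Get-FileHash -LiteralPath $oldZip, $newZip -Algorithm SHA256 | Format-Table Hash, Path -AutoSize

# Then the member-level diff. An empty result means every file inside is byte-identical.
$diff = Compare-ArchiveHashes -Old (Get-ArchiveHashes $oldZip) -New (Get-ArchiveHashes $newZip) |
    Where-Object Status -ne 'same'
if ($diff) { $diff | Format-Table -AutoSize } else { Write-Host 'All archive members identical.' }
```

A whole-archive hash changes if any byte changes, including repacking or timestamp metadata, so the per-member view is the more informative one. If every member reports "same" while the detection count on VirusTotal has gone up, the thing that moved is the engines' definitions, not the download, which is exactly the question the thread is circling.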
berniec
AskWoody Plus
Has anybody compared it with, say, wireshark?
I noticed that one of pktmon’s commands is “unload    Unload PktMon driver”. I guess that gets loaded only when you run pktmon and then when you’re done packet’ing you can make the driver go away. Seems fairly safe to me.
1 user thanked author for this post.
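Two posts above describe pktmon without showing a session: b quotes Microsoft's advice to verify DoH by seeing no more plaintext DNS leave the machine, and berniec notes the "unload" command that removes the driver afterwards. The following added example ties them together; it is my own walk-through, not code from the thread, BleepingComputer, or Microsoft's documentation. It assumes an elevated PowerShell prompt, the pktmon switch names documented for the Windows 10 2004-era tool (filter add, start --etw, format, unload; later builds renamed some of these, so check pktmon help on your build), that PktMon.etl lands in the current directory, and that each packet record in the formatted text contains the string PktGroupId.

```powershell
# Added example: check for plaintext (port 53) DNS after enabling DoH, using only the
# built-in pktmon, then unload the driver. Run from an elevated PowerShell prompt.
# Assumptions: Windows 10 2004-era pktmon switches; PktMon.etl is written to the current
# directory; the formatted text log contains one "PktGroupId" token per packet appearance.

$workDir = Join-Path $env:TEMP 'doh-check'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
Set-Location $workDir

# 1. Filter on port 53 (TCP and UDP) so the capture stays small. Without a filter pktmon
#    records every packet at every network component and the log balloons quickly.
pktmon filter remove
pktmon filter add PlainDns -p 53
pktmon filter list

# 2. Capture for a short window while forcing some name resolution through the DNS client.
#    --etw writes PktMon.etl; -p 0 logs whole packets instead of the first 128 bytes.
pktmon start --etw -p 0
try {
    foreach ($name in 'example.com', 'example.net', 'example.org') {
        Resolve-DnsName -Name $name -ErrorAction SilentlyContinue | Out-Null
    }
    Start-Sleep -Seconds 10
} finally {
    pktmon stop
}

# 3. Convert the binary ETL log to text and count packet records.
pktmon format .\PktMon.etl -o .\PlainDns.txt
$records = @(Select-String -Path .\PlainDns.txt -Pattern 'PktGroupId').Count

if ($records -eq 0) {
    Write-Host 'No port-53 traffic captured: DoH appears to be carrying all DNS.'
} else {
    Write-Host "$records port-53 packet appearances captured; some resolver is still using plaintext DNS:"
    Get-Content .\PlainDns.txt | Select-Object -First 20
}

# 4. Clean up: drop the filter and unload the PktMon driver (berniec's "unload" command).
pktmon filter remove
pktmon unload
```

The count is of packet appearances, not unique packets: pktmon logs the same packet once per network component it traverses, so a handful of lookups can produce dozens of records. What matters for the DoH check is whether the number is zero. Step 4 is the part berniec points at: after the session the driver is gone again, which is why the tool costs nothing when it is not in use.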
TweakHound
AskWoody Lounger
https://twitter.com/h0x0d/status/1012155038901329920
posted Jun 27, 2018
-
This reply was modified 3 years, 4 months ago by TweakHound.
1 user thanked author for this post.
NetDef
AskWoody MVP
Oh good grief, people. There was no malicious intent regarding telemetry in packaging a CMD-based sniffer utility. This function has been optional under a different name for all Windows editions since at least the XP days (and I think since Windows 2000).
It’s used on demand by sysadmins for network troubleshooting, security auditing and development testing. It does not sniff traffic, and never has, unless you turn it on – and even then only for short sessions. (The data output of network sniffers can grow into truly ginormous log files!)
And it cannot sniff your entire LAN unless you know how to set managed network switch parameters for mirroring, or have an old-fashioned network “hub” (not a switch) handy.
~ Group "Weekend" ~
Copyright ©2004-2023 by AskWoody Tech LLC. All Rights Reserved.