Lawrence Abrams has a significant discovery: Microsoft has quietly added a built-in network packet sniffer to the Windows 10 October 2018 Update, and
[See the full post at: BleepingComputer: Win10 version 1809 got a network sniffer, and nobody noticed until now]
BleepingComputer: Win10 version 1809 got a network sniffer, and nobody noticed until now
anonymous (Guest):
The article that’s referred to in Bleeping Computer says that the packet monitor is intended only for your use on your computer, NOT for Microsoft (or any other outfit/person) to spy on what you’re doing on or with your computer.
It’s designed for you to monitor the network traffic to and from your computer yourself using a program within Windows, rather than a third party program such as Wireshark.
Edit for content. Please follow the –Lounge Rules–
DriftyDonN (AskWoody Plus):
If it’s on your computer and you don’t have an extensive background (I don’t) regarding msft’s abilities behind the scenes, then that article isn’t going to educate to any great degree.
Why would msft put a tool for ME on the system and not BOTHER to bring it to anyone’s attention? Perhaps because they use it on your system too!
Skeptical
Edit for content.
Alex5723 (AskWoody Plus):
So does this sniffing tool run in the background as part of Microsoft’s Telemetry system?
Flashorn (AskWoody Lounger):
Thanks again for this info Woody.
Now, simple question.
Can we get rid of IT.
Windows 10 uses so much more resources (especially CPU) that it does at times interfere with gaming. I still use W7 for gaming but, sometimes, I try it on my W10 machine and go back to 7 every time. My w10 machine is recent and with 1909 installed. It is a stable platform but, at 130 processes compared to 62 on my w7 machine, I Really don’t like it.
Sorry for the rant. My initial question still stands though, if anyone can answer it please.
Thanks
Flashorn.
joep517 (AskWoody MVP):
The larger number of processes on Windows 10 is largely from having the various service host processes load as individual processes rather than lumped together. This improves system stability so that if there is a problem with a process, that process can be terminated without terminating several others that are running OK.
Also, all browsers that I know about have multiple processes running for the same reason as the service host processes being split. It makes for a more stable environment. It is also more secure as each process is isolated from the others.
Yes, there is more going on with Windows 10 than with Windows 7. You can take a look at this older information on Windows 10 service tweaking – Black Viper’s Windows 10 Service Configurations. Some may still be useful.
--Joe
joep517 (AskWoody MVP):
Who can guarantee that any program included will not be compromised?
Who can guarantee that any program will not be invoked by Microsoft?
Do you go through and remove all the tools included in Windows just to be safe?
If you are that concerned, go to a different OS and take your chances there.
--Joe
Alex5723 (AskWoody Plus):
> Do you go through and remove all the tools included in Windows just to be safe?
If there is no malicious intent in adding the tool, why isn’t there any Microsoft documentation in 2 years?
Before the BleepingComputer post, who knew about the tool?
b (AskWoody_MVP):
> If there is no malicious intent adding the tool why isn’t there any Microsoft documentation in 2 years ?
It’s documented by Microsoft with instructions (three days ago) as the preferred method of verifying DoH after setup:
> Now that you have Windows configured to use DoH, you should be able to verify it’s working by seeing no more plain text DNS traffic from your device. You can do this by using Packetmon, a network traffic analyzer included with Windows.
Windows Insiders can now test DNS over HTTPS
anonymous (Guest):
Just to keep the tin hat nearby, the article you reference above on testing DoH within Windows 10 was just written this past Wednesday, from what I see of the days/dates things have been written on that page. Granted, Lawrence’s article was posted today, the 16th of May.
I will say this, though: Lawrence doesn’t say anywhere in the article just how he found out about pktmon.exe being in version 1809 in the first place, nor if it might happen to exist in any earlier versions of Win 10.
Things that make you go “Hmmmm”. 😉
Flashorn (AskWoody Lounger):
Hey Joe!
Appreciate your response, but my question was not Why, but Can I?
And as Alex has mentioned, I too am wary of MS. It’s not the disk space; I have lots of space on this NVMe.
As for Viper, I have been aware of and reading him since he became Viper. I have also found that, every time we upgrade to a new version, it changes some of his recommendations, so lots of work compared to W7 or Vista or XP.
So, if you could help in me removing this new addition, I would be very grateful.
Thanks again for your input. Appreciate it.
Flashorn.
Tom-R (AskWoody Plus):
Flashorn: If you just want to remove this, it should be pretty straightforward. Go to %windir%\system32, and just delete or rename the file “PktMon.exe”.
Note though that you’ll get an “Access is denied” message if you attempt this thru a normal command window. So you’ll need to be a TrustedInstaller. To do that I use NSudo, which you can download from MajorGeeks at: https://www.majorgeeks.com/files/details/nsudo.html
If you use NSudo to do this, just keep this warning in mind (from the MajorGeeks web page): “NSudo is a handy utility but should only be used by advanced users who understand what it does and the problems it could potentially cause.”
Tom-R (AskWoody Plus):
DriftyDonN: Thanks for letting me know about this. I’m seeing the file show up as infected now as well. Just 7 days ago (on 5/9/2020) I was at that same URL to download the same file, and had no issues at all — no sign of any infection then. But today (5/16/2020) the download link shows up as infected for me too — from two different computers.
I just now sent an email to the MajorGeeks website admin to report this issue. So hopefully, they’ll either fix the problem or (at least temporarily) disable the download links. But in the meantime, please do not download or use that newly posted version of the NSudo software — at least not what’s currently posted at the MajorGeeks website.
satrow (AskWoody MVP):
> Did you read the Majorgeeks page before downloading the zip?
> No.
A snippet from the middle section:
NSudo is a handy utility but should only be used by advanced users who understand what it does and the problems it could potentially cause. It has a lot of uses, for example, to assist in disabling the Windows Defender Security Health Service. Here’s how you can do that from our friend Snappy Phoenix:
“While you can easily disable Windows Defender and all its startup entries/tasks in task scheduler, there is one service that is protected if you check it in services.msc and won’t allow you to change its status to disabled.
Here is how you can disable it:
There are some useful clues there, some repeated, that may help you to understand what your SmartScreen/security is alerting you to.
satrow (AskWoody MVP):
You can’t get the refusal screenshot without clicking a download link, browser pre-loading/-fetching/pet cat?
Look at the ‘Threat name’ in your screenshot – it begins with Gen. – Generic (guesswork/looks or acts like) – there’s no real detection other than ‘hey, this is a tool that can be used to turn off Windows security’. That was already stated on the MajorGeeks page and shouldn’t have been a surprise.
I did download it, I also extracted it, and uploaded the zip and multiple ‘infected’ .dll and .exe for fresh examination at Virustotal. I’m not convinced that there are any infected files in there at all, it looks like a useful tool that can set off a few tripwires.
Nothing new there, Russinovich had at least three of his Sysinternal tools treated in the same way, Nir Sofer has always had this ‘problem’ with many of his tools.
Are they infected? No. Can they be used nefariously? Yes.
Tom-R (AskWoody Plus):
satrow: I use NSudo all the time; and whenever I need to update it I do so via the MajorGeeks website, which I also generally consider a trustworthy source for downloads. However, having said that, I would advise you to not trust that copy of NSudo that you just downloaded.
Here’s why. I downloaded NSudo 8.0 from MajorGeeks on 5/9/2020. At that time I had absolutely no warnings of any kind about any infections in the download file. However, based on the report here from DriftyDonN, I went back to MajorGeeks and downloaded the allegedly exact same file again on 5/16/2020. I used the same computer and same browser that I had used previously on 5/9. But this time the browser popped up a warning that the new file was infected. So something about that NSudo zip file changed; and it changed within the past week — between 5/9 and 5/16.
As I mentioned in my earlier post, I sent an email to the MajorGeeks website admin to report this issue, including the fact that VirusTotal now lists 19 different detection engines reporting threats with the NSudo file (whereas it was clean previously). I haven’t heard back yet; but until I do I would consider that new NSudo download file to be highly suspect. At this point, there’s just too many red flags that I’m seeing. And again, I’m saying this as a frequent user of the NSudo program and the MajorGeeks website.
satrow (AskWoody MVP):
Virustotal gives me the same pages/hashes for the files I’ve tested from both MajorGeeks and Github downloads:
History
First Submission 2020-03-08 09:37:51
Last Submission 2020-03-26 09:44:25
Last Analysis 2020-05-17 10:03:24
Earliest Contents Modification 2020-01-22 06:10:00
Latest Contents Modification 2020-03-08 05:39:14
Names
NSudo_8.0_All_Components.zip
Individual files flagged up:
Bundled Files

| Scanned | Detections | File type | Name |
|---|---|---|---|
| 2020-05-17 | 20 / 71 | Win32 DLL | NSudo_8.0_All_Components/NSudo Devil Mode/Win32/NSudoDM.dll |
| 2020-05-08 | 4 / 71 | Win32 EXE | NSudo_8.0_All_Components/NSudo Launcher/Win32/NSudoLG.exe |
| 2020-04-21 | 3 / 69 | Win32 EXE | NSudo_8.0_All_Components/NSudo Launcher/Win32/NSudoLC.exe |
| 2020-04-21 | 1 / 70 | Win32 EXE | NSudo_8.0_All_Components/NSudo Launcher/ARM/NSudoLC.exe |
| 2020-04-21 | 1 / 68 | Win32 EXE | NSudo_8.0_All_Components/NSudo Launcher/ARM/NSudoLG.exe |

Highest flagged count:
Basic properties
File type Win32 DLL
Magic PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
File size 22.00 KB (22528 bytes)
History
Creation Time 2020-03-07 21:23:52
First Submission 2020-03-09 07:45:21
Last Submission 2020-03-09 07:45:21
Last Analysis 2020-05-17 18:30:45
Names
NSudoDM
NSudoDM.dll
Maybe the only things changed were the malware definitions?
Tom-R (AskWoody Plus):
Interesting. I checked github also; and I see that the zipped download file from there also gets detected as infected by my system and VirusTotal. Yet the previous download I have (also version 8.0) appears clean. I don’t have time anymore today; but I’ll try to find time tomorrow to compare the individual files to see what’s different. In the meantime I’m curious if MajorGeeks admin will reply regarding this. I would think that they would be concerned about hosting or linking to a file that VirusTotal is complaining about. It’s very strange.
berniec (AskWoody Plus):
Has anybody compared it with, say, wireshark?
I noticed that one of pktmon’s commands is “unload    Unload PktMon driver”. I guess that gets loaded only when you run pktmon, and then when you’re done packet’ing you can make the driver go away. Seems fairly safe to me.
TweakHound (AskWoody Lounger):
https://twitter.com/h0x0d/status/1012155038901329920
posted Jun 27, 2018
NetDef (AskWoody_MVP):
Oh good grief people. There was no malicious intent regarding telemetry on packaging a CMD based sniffer utility. This function has been optional under a different name for all Windows editions since at least the XP days (and I think since Windows 2000.)
It’s used on demand by sysadmins for network troubleshooting, security auditing and development testing. It does not, nor ever has, sniff traffic unless you turn it on – and even then only for short sessions. (The data output of network sniffers can grow into truly ginormous log files!)
And it cannot sniff your entire LAN unless you know how to set managed network switch parameters for mirroring, or have an old fashioned network “hub” (not a switch) handy.
~ Group "Weekend" ~
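An added example, not from this thread, Microsoft, or the pktmon tool itself, that ties together NetDef's point (the driver is only loaded for a short, on-demand session and can be unloaded afterwards) and the Microsoft DoH note quoted earlier (DoH is working when no plaintext DNS leaves the machine). It assumes the pktmon subcommands shown in the BleepingComputer article and Microsoft's note (`filter add -p 53`, `start --etw -p 0`, `stop`, `format`, `filter remove`, `unload`) and that the capture driver is registered as the kernel service named `PktMon`; the packet-line match is an approximation of the text log's layout.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread, Microsoft, or pktmon's own docs).
# Assumed: pktmon subcommands as shown in the BleepingComputer article and the
# Microsoft DoH note; kernel driver service name "PktMon". Run elevated.
param(
    [int]$Seconds = 30,                              # keep the session short
    [string]$WorkDir = "$env:TEMP\pktmon-dns-check"
)

function Get-PktMonDriverState {
    # Kernel drivers do not appear in Get-Service; query the system-driver class.
    $drv = Get-CimInstance Win32_SystemDriver -Filter "Name='PktMon'" -ErrorAction SilentlyContinue
    if ($null -eq $drv) { return 'not registered' }
    return $drv.State                                # 'Running' only while loaded
}

function Get-PlainTextDnsPacketCount([string]$TextLog) {
    # Approximation: with the port-53 filter active, every packet line in the
    # formatted log is plaintext DNS, so count the lines that name a transport.
    return @(Get-Content $TextLog | Where-Object { $_ -match '\b(UDP|TCP)\b' }).Count
}

if (-not (Get-Command pktmon.exe -ErrorAction SilentlyContinue)) {
    throw 'pktmon.exe not found; this build does not ship the tool.'
}

New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null
Push-Location $WorkDir                               # pktmon writes PktMon.etl here
try {
    Write-Host "PktMon driver before capture: $(Get-PktMonDriverState)"

    pktmon filter remove | Out-Null                  # start from an empty filter list
    pktmon filter add -p 53 | Out-Null               # only port 53, i.e. plaintext DNS
    pktmon start --etw -p 0 | Out-Null               # -p 0 = log whole packets
    Write-Host "Capturing for $Seconds s; driver now: $(Get-PktMonDriverState)"
    Start-Sleep -Seconds $Seconds
    pktmon stop | Out-Null

    pktmon format PktMon.etl -o dns.txt | Out-Null   # ETL -> readable text
    $n = Get-PlainTextDnsPacketCount (Join-Path $WorkDir 'dns.txt')
    if ($n -eq 0) { Write-Host 'No plaintext DNS seen: consistent with DoH being in use.' }
    else          { Write-Host "$n plaintext DNS packet(s) seen: DoH is not (fully) in effect." }
}
finally {
    # Tear down so nothing keeps capturing in the background after the check.
    pktmon filter remove | Out-Null
    pktmon unload | Out-Null
    Pop-Location
    Write-Host "PktMon driver after unload: $(Get-PktMonDriverState)"
}
```

The before/after driver-state lines are the check a sceptical reader wants: the driver should report a non-running state once the session ends, which is what distinguishes an on-demand troubleshooting tool from a background collector.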