![]() |
MS-DEFCON 2:
Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don't do it.
|
-
Ghost computers and printers on my WIFI network
Home › Forums › AskWoody support › Windows › Windows 10 › Questions: Win10 › Ghost computers and printers on my WIFI network
Tagged: Ghost network entries
- This topic has 50 replies, 7 voices, and was last updated 1 month, 2 weeks ago.
Viewing 20 reply threads-
AuthorPosts
-
-
September 2, 2020 at 4:07 pm #2293389
William Mumaw
AskWoody PlusWhen I go into my network on my PC, I can see my router, computer and printer, but at times see another computer or printer. When I click on the unknown entries and go to properties, it shows only Midiatec model MT53xx and a mac address, no IP address or any other information. The entries will vary at times and go away the next time I look. I am running windows 10 home version with a Cisco router and WIFI, I have two computers and a printer on the network. I also have an Avast VPN. Everything works fine, but these ghost entries really bug me!! Any help or suggestions.
Thanks Bill
-
September 3, 2020 at 3:37 am #2293486
Paul T
AskWoody MVPMediatec is a chip manufacturer, so you could be seeing a TV, phone or IoT device.
Take the MAC address and search for the manufacturer. This usually gives you a good clue to the device.Connect to your router and look at active clients / DHCP leases.
Can you see any matching MAC addresses?
If the devices are rogue ones, you can block them at the router.cheers, Paul
-
September 3, 2020 at 4:48 pm #2293615
anonymous
GuestIf you do not see an IP address the devices are not connected (and should not show as connected in your router). The cause for these showing up in File Explorer is a Windows service named Windows Connect Now – Config Registrar.
If you use the Wireless Protected Setup feature, then Windows Connect Now service aids you in connecting to your device.
Directions using the user interface:
- Login as Administrator and press Win+R and type services.msc
- Find the Windows Connect Now – Config Registrar service and double click on the name.
- In the dialog box click on the Stop button, the service should quickly end.*
- Then the same dialog box set the Startup type to Disabled, click on Apply, and Okay to continue.
Directions using PowerShell or the Command Prompt:
Right click on the Start Menu and then Click on PowerShell (Admin) or Command Prompt (Admin).
Type these commands exactly as you see them*:
net stop wcncsvc
sc config “wcncsvc” start=disabledYour neighbor’s gadgets will still advertise their presence but you will not see them now or after a restart in File Explorer.
*If the service does not stop accept being reconfigured then make a complete note of the error(s) and post it here for more help.
2 users thanked author for this post.
-
September 4, 2020 at 4:25 pm #2293846
anonymous
Guest -
November 5, 2020 at 7:18 am #2309713
CynicalSnail
AskWoody PlusI have a related but even more obscure problem. I use Wireless Network Watcher (Nirsoft) to keep an eye on my LAN, mostly to see when things are not working. Three days ago (Nov 2), some odd devices appeared – no device details at all, and the MACs do not return anything on a search of several sites: 2E-D6-FF-81-C2-AA, 0E-A2-F4-54-B5-88, 26-25-00-42-1E-4E. They connect briefly from time to time, but that is all that I can see. They cannot be pinged.
So what are they? I have never seen anything like this appear before in several years of monitoring. No new kit has been installed, no guest devices of any kind on the premises that I am aware of. How do I find them? Is this malware (a scan has produced nothing)?
I have logged one item (-B5-88) being addressed using UDP by ‘System’ using netbios-ns, port 137, 78 packets at a time. Is this a change in Windows (Pro, 7, 64-b) in the October update, just installed – Nov. 2! ? Is this M$ being sneaky, yet again?
-
November 5, 2020 at 12:21 pm #2309767
Alex5723
AskWoody PlusPorts 135-139 should be blocked on your router. Check your router’s ports running Gibson’s HIELDS UP!
-
November 6, 2020 at 8:52 am #2309948
CynicalSnail
AskWoody Plus
-
-
-
November 6, 2020 at 3:23 am #2309898
Paul T
AskWoody MVPI use Wireless Network Watcher
All that is telling you is there are wireless devices broadcasting locally.
It does not tell you if they are connected to your wifi, you need to look on your router for that information.cheers, Paul
-
November 6, 2020 at 9:24 am #2309951
CynicalSnail
AskWoody PlusYou miss the point: they are being addressed as destination by System. This is not a broadcast detection problem (WNW finds all LAN connections). My broadcast detector has seen nothing of these. The router does not show anything when I look – they are only intermittent, well-spaced connections and are easily missed.
Meanwhile, I have found that TeamViewer is the *source* of some of the packets on those addresses (ICMP, IGMP, UDP). This is now disabled. It was installed several months ago (start of lockdown), so it is odd that it only now appears as a ‘connected device’.
But, what it appears to mean is that software can pretend to be a device with a MAC. That is rather disturbing. If that can be done, anything can be spoofed.
-
November 7, 2020 at 1:43 am #2310098
Paul T
AskWoody MVPSorry, I misunderstood the way WNW works.
MAC spoofing has long been a thing in Windows and it’s now a standard feature on Macs.
cheers, Paul
-
November 12, 2020 at 7:09 am #2311407
CynicalSnail
AskWoody PlusUpdate:
I discovered that one of the MAC addresses was a replaced device on my electricity supply system (concidentally the day after the Windows update). The manufacturer does not include any id in the packet.
Disabling Teams had no effect on the other two, so I uninstalled it. Rebooted. They are still there. This is decidly a function of the Windows update or something else is going on – malware I cannot detect.
This is extremely annoying and worrying. How can such things be tracked down, disabled or blocked. How can the function be determined?
-
-
-
November 12, 2020 at 7:34 am #2311412
-
November 12, 2020 at 7:45 am #2311415
CynicalSnail
AskWoody Plus
-
-
November 12, 2020 at 7:59 am #2311420
Paul T
AskWoody MVP-
November 12, 2020 at 8:07 am #2311422
CynicalSnail
AskWoody Plus
-
-
November 13, 2020 at 3:35 am #2311618
Paul T
AskWoody MVP-
November 13, 2020 at 4:14 am #2311619
CynicalSnail
AskWoody PlusIf I knew any more I would have told you already. All I can see is a MAC. Plainly, a router-assigned IPA is not informative in itself.
As for traffic, I have since found I can detect some:
Ethernet Type IP Protocol Source Address Destination Address Source Port Destination Port Service Name Status Packets Count Total Packets Size Total Data Size Data Speed Maximum Data Speed Average Packet Size Maximum Packet Size First Packet Time Last Packet Time Duration Latency Process ID Process Filename TCP Ack TCP Push TCP Reset TCP Syn TCP Fin Maximum Segment Size TCP Window Size TCP Window Scale TTL Source Country Destination Country
IPv4 UDP 192.168.1.21 224.0.0.251 5353 5353 43 6,020 4,816 140.0 140 2020-11-12 18:16:17 2020-11-13 08:50:50 14:34:33.474 0 0 0 0 0 255
IPv4 ICMP 192.168.1.21 192.168.1.2 40 2,240 1,440 56.0 56 2020-11-12 18:36:38 2020-11-13 08:34:04 13:57:25.953 0 0 0 0 0 64
IPv4 IGMP 192.168.1.21 224.0.0.22 11 440 220 40.0 40 2020-11-12 21:00:01 2020-11-13 08:10:14 11:10:13.464 0 0 0 0 0 1
IPv4 ICMP 192.168.1.22 192.168.1.2 64 6,784 5,504 0.1 KiB/Sec 106.0 106 2020-11-12 13:42:59 2020-11-13 07:48:19 18:05:19.920 0 0 0 0 0 64IPv4 UDP 192.168.1.2 192.168.1.21 137 137 netbios-ns 43 3,354 2,150 78.0 78 2020-11-12 18:39:01 2020-11-13 08:16:46 13:37:44.586 4 System 0 0 0 0 0 64
— does that help?
-
-
November 13, 2020 at 4:42 am #2311620
Alex5723
AskWoody Plus-
November 13, 2020 at 6:21 am #2311629
CynicalSnail
AskWoody Plus
-
-
November 14, 2020 at 2:22 am #2311838
Paul T
AskWoody MVP-
November 14, 2020 at 7:25 am #2311848
CynicalSnail
AskWoody Plus-
November 14, 2020 at 7:35 am #2311849
PKCano
Manager-
November 14, 2020 at 8:25 am #2311853
CynicalSnail
AskWoody PlusThanks for that suggestion. Other than the NIC, there is only
20:41:53:59:4E:FF RAS Async Adapter
02:00:4C:4F:4F:50 Microsoft Loopback Adapterneither of which are involved now (they also do not show in WNW or the Router’s lists).
-
This reply was modified 2 months, 1 week ago by
CynicalSnail.
-
November 14, 2020 at 12:50 pm #2311906
Susan Bradley
Manager -
November 14, 2020 at 6:45 pm #2311941
CynicalSnail
AskWoody PlusNo, never have.
The point is that these items only showed up immediately after the update to Win7 that was made on Nov 2 – never before have I seen such a thing, and I have been running WNW for a long time now. This really is as far as I am aware, a loopback has been on this machine from the beginning in that it seemed a normal item on any occasion that checks were made or network traffic was monitored.
If it is not meant to be there, how do I disable it to test, or delete if I do not need it at all? I have no need of a VPN, but I surely have never installed an Avast VPN (I did try it the AV at one stage, but found it problematic and dropped it – uninstalled – rather quickly). The timing of this problem is really the odd thing.
-
November 14, 2020 at 6:56 pm #2311943
-
November 14, 2020 at 7:00 pm #2311944
CynicalSnail
AskWoody Plus
-
This reply was modified 2 months, 1 week ago by
-
-
-
-
November 14, 2020 at 4:59 am #2311841
Alex5723
AskWoody PlusWNW
Wireless Network Watcher doesn’t work if your PC doesn’t see wi-fi connections (mine doesn’t).
The devices in my post above are wired.
Attachments:
You must be logged in to access attached files.
-
November 14, 2020 at 8:21 am #2311851
CynicalSnail
AskWoody Plus
-
-
November 14, 2020 at 8:39 am #2311856
Microfix
AskWoody MVP-
November 14, 2020 at 8:53 am #2311862
CynicalSnail
AskWoody Plus-
November 14, 2020 at 8:59 am #2311864
Microfix
AskWoody MVP-
November 14, 2020 at 9:05 am #2311867
CynicalSnail
AskWoody Plus
-
-
November 14, 2020 at 9:02 am #2311865
PKCano
Manager-
November 14, 2020 at 9:12 am #2311869
CynicalSnail
AskWoody Plus
-
-
-
-
November 14, 2020 at 12:47 pm #2311904
Alex5723
AskWoody PlusWNW does work
Never worked fully on any of my PCs.
-
November 15, 2020 at 12:37 am #2311979
Paul T
AskWoody MVPThe router has no record of those MACs , so they cannot be blocked
I would not be chasing things that don’t appear on the network. If they are only internal they are not malicious IMO.
cheers, Paul
-
November 15, 2020 at 3:28 am #2312003
CynicalSnail
AskWoody Plus
-
-
November 15, 2020 at 4:37 am #2312018
Paul T
AskWoody MVPdoes not explain why these three have turned up
Vagaries of Windows?
cheers, Paul
-
November 15, 2020 at 5:24 am #2312020
CynicalSnail
AskWoody Plus
-
-
December 3, 2020 at 9:14 am #2316816
CynicalSnail
AskWoody PlusUsing Wireshark I have now captured data for a 400 min run, logging some 600-odd events involving the unknown MACs. Several protocols are involved (NBNS, ICMP, MDNS, TLSv1.2, TCP, IGMPv3), all except the TCP is ‘internal’ – to or from the NIC.
Curiously, both MACs are addressing 224.0.0.1, which seems to be associated with activity by iTunes or somesuch: https://stackoverflow.com/questions/12483717/what-is-the-multicast-doing-on-224-0-0-251 But, Bonjour has been disabled on my machine for a very long time, ProcessExplorer reports no instance, and the namespace providers are not loaded (Autoruns). So is this Apple being sneaky somewhere else? One of the MACs addresses 224.0.0.22, which might be no big deal, but still …
However, the TCP packets originate from source 69.171.250.20 (addressing the LAN IP for MAC 26-25-00-42-1E-4E, TCP Retransmission), which apparently belongs to Facebook! (And with bad certificates at that!) What is going on? That is a very specific targetting of a “device” on my machine by an external agent through a specific port (which GRC Shields Up! reports as ‘stealth’).
It remains odd that these items have only just appeared, at the same time, and immediately after a Windows update.
Any ideas? Is there more I can get from the captured packets?
Thanks.
-
This reply was modified 1 month, 3 weeks ago by
CynicalSnail.
-
December 3, 2020 at 9:28 am #2316820
PKCano
ManagerI have two Seagate NAS drives. They come with Internet Services/Protocols integrated – iTunes, Facebook, various protocols, etc. When setting them up, I log in through the Seagate Dashboard and turn off the Services, Remote Administration, protocols I don’t want, etc.
Perhaps the activity is initiated by the NAS instead of the computer or Router. There should be computer installable software to access the administration functions of the NAS. If it is not installed available on the NAS itself, check the mfg’s website.
-
December 3, 2020 at 9:40 am #2316823
CynicalSnail
AskWoody Plus
-
-
This reply was modified 1 month, 3 weeks ago by
-
December 4, 2020 at 12:51 am #2317039
Paul T
AskWoody MVPwhich GRC Shields Up! reports as ‘stealth’
This doesn’t stop those ports being used. Your firewall will allow packets in, in response to packets out.
Block some ports / IP addresses and see what breaks.
cheers, Paul
-
This reply was modified 1 month, 3 weeks ago by
Paul T.
-
December 4, 2020 at 3:03 am #2317062
CynicalSnail
AskWoody Plus-
December 4, 2020 at 4:02 am #2317064
Paul T
AskWoody MVP-
December 4, 2020 at 4:16 am #2317065
CynicalSnail
AskWoody PlusI can post the full packet, of course … but what is the point?
The thread makes it plain what I am asking about: “ghost device” MACs that have only recently appeared.
I am not trying to block anything in particular, I just have a decent firewall. But activity that appears to be spoofing is a concern. I would like to know what is going on, that is all.
-
-
-
This reply was modified 1 month, 3 weeks ago by
-
December 4, 2020 at 7:13 am #2317093
Paul T
AskWoody MVP-
December 4, 2020 at 8:19 am #2317105
CynicalSnail
AskWoody PlusNot a practical proposition, I’m afraid. As I said at the beginning, this only started with the update I applied on Nov. 2. There was no other change on the machine. This is too much of a coincidence. Bear in mind that I have had connected devices monitored for some years and these two did not appear before that point: these are logged as “first detected” on that date.
There is no actual hardware device, so how do I identify the software that pretends by spoofing? I can search the entire machine for such a string, if I knew what it would look like.
-
December 4, 2020 at 12:00 pm #2317142
Alex5723
AskWoody PlusHave you tried : https://www.pcwdld.com/find-device-or-ip-address-using-mac-address ?
-
December 5, 2020 at 9:02 am #2317281
CynicalSnail
AskWoody Plus
-
-
-
-
December 4, 2020 at 9:22 am #2317113
Paul T
AskWoody MVP-
December 4, 2020 at 9:57 am #2317116
CynicalSnail
AskWoody Plus
-
-
December 13, 2020 at 8:09 am #2319187
CynicalSnail
AskWoody PlusA new one has just appeared: 3E-51-57-36-9D-8B
Again, no actual hardware.
-
This reply was modified 1 month, 2 weeks ago by
CynicalSnail.
-
This reply was modified 1 month, 2 weeks ago by
-
-
AuthorPosts
Viewing 20 reply threads -
Welcome to our unique respite from the madness.
It's easy to post questions about Windows 10, Win8.1, Win7, Surface, Office, or browse through our Forums. Post anonymously or register for greater privileges. Keep it civil, please: Decorous Lounge rules strictly enforced. Questions? Contact Customer Support.

Plus Membership
Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.
AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments. Click here for details and to sign up.
Search The Lounge
Recent Replies
anonymous on Computer running slowly when using Wi-Fi since last Windows update
24 minutes agoanonymous on SFC errors not repairable, upgrade to 2004?
26 minutes agoWCHS on Comments on AKB 2000016: Guide for Windows Update Settings for Windows 10
1 hour, 10 minutes agoGoneToPlaid on Hard Drive at 100% usage
1 hour, 32 minutes agoPaul on Windows 10 2004/20H2 Not Being Offered Due to Conexant HD Audio Issue
1 hour, 37 minutes agoPaul T on Comments on AKB 2000016: Guide for Windows Update Settings for Windows 10
1 hour, 42 minutes agoussrankin on Linking a graphic to a website
1 hour, 48 minutes agotpbrownec on SFC errors not repairable, upgrade to 2004?
1 hour, 57 minutes agoTex265 on Comments on AKB 2000016: Guide for Windows Update Settings for Windows 10
2 hours, 42 minutes agodmt_3904 on iOS 14 : Bug with Mail aliases
2 hours, 56 minutes agoPaul T on Stop paying $200 a year for your Internet cable modem
3 hours, 31 minutes agoSlacker2008 on Stop paying $200 a year for your Internet cable modem
3 hours, 33 minutes agoanonymous on Sorting alphanumeric text
3 hours, 55 minutes agorc primak on Freeware Spotlight – Immunet 7
4 hours, 48 minutes agoAlex5723 on iOS 14 : Bug with Mail aliases
5 hours, 20 minutes agoAscaris on What Linux is and why it has persisted
5 hours, 33 minutes agoCraigS26 on Comments on AKB 2000016: Guide for Windows Update Settings for Windows 10
6 hours, 8 minutes agoPaul T on Websites that still require Flash after EOL
6 hours, 25 minutes agoPaul T on Links not working in some e-mails
6 hours, 28 minutes agoOscarCP on Websites that still require Flash after EOL
6 hours, 28 minutes agodoriel on What Linux is and why it has persisted
6 hours, 40 minutes agomn-- on What Linux is and why it has persisted
6 hours, 46 minutes agoPaul T on Office 365 Outlook getting rejected by some servers
7 hours, 3 minutes agoAlex5723 on Websites that still require Flash after EOL
7 hours, 8 minutes agoPaul T on Freeware Spotlight – Immunet 7
7 hours, 15 minutes agoPaul T on MS-DEFCON 2 – Get ready for January updates
7 hours, 26 minutes agoOscarCP on What Linux is and why it has persisted
7 hours, 34 minutes agoPaul T on Sorting alphanumeric text
7 hours, 39 minutes agoPaul T on Websites that still require Flash after EOL
7 hours, 55 minutes agoPaul T on Using USB flash drive for both windows and on a Chromebook
7 hours, 58 minutes ago
Recent Topics
-
Latest increase in no. of Win 10 services
9 hours, 35 minutes ago
-
Outlook 365 – Title bar – Folder Name
11 hours, 25 minutes ago
-
Office 365 Outlook getting rejected by some servers
7 hours, 3 minutes ago
-
Firefox 85 released
18 hours, 15 minutes ago
-
Video & Sound Cards ?
17 hours, 11 minutes ago
-
newsd process on Big Sur downloading MASSIVE amounts of traffic
23 hours, 33 minutes ago
-
No bootable device (sometimes!)
23 hours, 55 minutes ago
-
email providers
1 day ago
-
Legacy Teams Client Download
1 day ago
-
Accidentally hit “Pause Updates” , now what?
21 hours, 18 minutes ago
-
My neighbours’ media devices
11 hours, 6 minutes ago
-
Links not working in some e-mails
6 hours, 28 minutes ago
-
Excess heat during laptop recharging?
11 hours, 26 minutes ago
-
Hackers are running your smart home
19 hours, 58 minutes ago
-
Freeware Spotlight – Immunet 7
4 hours, 49 minutes ago
-
Schrödinger’s Bill
16 hours, 55 minutes ago
-
Sorting alphanumeric text
7 hours, 39 minutes ago
-
Potential for iPhone 12 and MagSafe to Interfere With Medical Devices
1 day, 4 hours ago
-
Computer running slowly when using Wi-Fi since last Windows update
1 day, 8 hours ago
-
Websites that still require Flash after EOL
6 hours, 25 minutes ago
-
WinSlap (Windows 10 Privacy tool)
1 day, 19 hours ago
-
Using USB flash drive for both windows and on a Chromebook
7 hours, 58 minutes ago
-
Chrome browser stopped playing video
1 day, 1 hour ago
-
Apple News Wrap Up: January 23, 2020
2 days, 8 hours ago
-
Tasks for the Weekend – January 23, 2021
22 hours, 57 minutes ago
-
Need inexpensive domain
2 days, 8 hours ago
-
Outlook 2019 send and receive
2 days, 8 hours ago
-
Can’t add, or remove, any bluetooth device
1 day, 4 hours ago
-
Customize the mouse w10 2004–19041.746
2 days, 20 hours ago
-
Can’t install any programs since Win 2004 update
1 day, 7 hours ago
Search for Topics
Recent blog posts
Key Links
Copyright © 2004 – 2021 AskWoody Tech LLC. All rights reserved.