• High level of Internet traffic while booting

    Home » Forums » Cyber Security Information and Advisories » Cyber Security for Business users » High level of Internet traffic while booting

    Author
    Topic
    #2469881

    This was submitted by @Kathy-Stevens

    While booting our Windows 10 PCs, we frequently observe a high level of internet traffic as indicated by blinking lights on our servers and routers. While some of the traffic is related to our internet security apps, I assume that the bulk of the traffic is between the computer and Microsoft. Is it a good idea to install a physical internet kill switch between our routers/modems and the internet service provider or between a work station and its router in-order to block internet access during boot-up? A quick internet search has revealed that such switches are available. One vendor is located at https://internetswitches.com/ .

    Viewing 8 reply threads
    Author
    Replies
    • #2469758

      While booting our Windows 10 PCs, we frequently observe a high level of internet traffic as indicated by blinking lights on our servers and routers.

      While some of the traffic is related to our internet security apps, I assume that the bulk of the traffic is between the computer and Microsoft.

      Is it a good idea to install a physical internet kill switch between our routers/modems and the internet service provider or between a work station and its router in-order to  block internet access during boot-up?

      A quick internet search has revealed that such switches are available.

      One vendor is located at   https://internetswitches.com/  .

      1 user thanked author for this post.
      • #2469866

        @kathy-stevens  This can be achieved also by using a 3rd party firewall, or a 3rd party firewall adon, and works very well

        * _ _ _ _ *
        1 user thanked author for this post.
      • #2469867

        This question deserves/should be in a Topic of it’s own.
        It really is off-topic in a thread about “Removing built-in Apps from Win10′”

        1 user thanked author for this post.
        • #2469874

          Suggest  submitting question under:  Cyber Security for Business users.  This is actually a complex issue that goes beyond just networking to include configuration changes on each client, although network changes like firewalls can be a big part of the answer.  The other choice is Networking, routers, firewalls, network configuration.

          Microsoft has “phone home” tasks that can run when idle or on a deferred basis, besides just at logon.

          1 user thanked author for this post.
    • #2469905

      Windows 10 is a very “connected” operating system, that phones home to Microsoft frequently.

      I do use a 3rd party firewall to block unnecessary network connection attempts made by many other 3rd party programs.

      But I don’t really see any point in interfering with Windows connecting to Microsoft, beyond the standard locking down of updates, as desired. Other than that, I just let Windows 10 do its thing… if you cannot trust Microsoft, who can you trust? 😉

      1 user thanked author for this post.
    • #2469909

      Why not get the FREE firewall by evorim EU based (GDPR conformity)

      Works in conjuntion with the existing Windows Security Firewall and has the ability to block whatever you see fit.
      Works nicely with Windows 7/ 8/ 10 and 11 (although can’t speak for 11) that uses little resources and has may options within.
      No time constraints, sign-up or email address submission required, what’s not to like?

      Careful, you might get addicted to viewing and researching connections…

      3 users thanked author for this post.
      • #2469918

        Their webpage states that:

        The firewall blocks all background transmissions of telemetry data of the Windows operating system to the server on the Internet.

        If so, this software sounds very promising!

        I also like it that their firewall enables the user to grant or deny Internet access to programs on a per-case basis. This is my favorite feature from the ZoneAlarm firewall.

        ADDENDUM: I just discovered that they also intend to put out a Linux version of their firewall. All of the Linux firewalls I’ve ever come across are opaque and difficult to use. Evorim’s firewall for Linux could be a game changer.

      • #2469925

        TIP: Recommend using v258 for Win7 or 8.1 for silent unobtrusive use, as v259 onwards has an added a splash popup which is, shall we say, annoying.

        Win10 best to use is v261> for added pre-configured telemetry blocks by default which change servers on occasion 🙂

      • #2469933

        As indicated at the start of the post,

        “While booting our Windows 10 PCs, we frequently observe a high level of internet traffic as indicated by blinking lights on our servers and routers.”

        During the boot process our firewall app loads, but our concern is the generation of internet traffic during boot-up and before the firewall begins to work.

        Thus, the thought of installing a physical internet kill switch between our routers/modems and the internet service provider or between a work station and its router.

        Is there any way to track the internet start-up traffic prior to the time that the firewall and other security related apps become active?

    • #2469926

      Short version:

      The only way I know of how to check *exactly* what external network connectivity is happening during the boot process is to use something like Sysinternals/TechNet’s small, free, portable Process Monitor (ProcMon), filter out *everything* except network activity (and using ‘Drop Filtered Events’) then choose ‘Enable Boot Logging’. This will capture all network events during the next boot process.

      Note: ‘Drop Filtered Events’ helps keep ProcMon‘s PML trace log as small as possible (or from exhausting the OS’ swap file… make sure you stop the trace as soon as Windows has got to a stable desktop (and let CurrPorts take over*). Don’t forget to remove the tick against the ‘Drop Filtered Events’ option when you’ve finished capturing.


      TL;DR version:

      There’s a big difference between connectionless UDP traffic and TCP traffic. I tend to think of most UDP traffic almost as ‘Are you there’ and don’t pay much attention to them. I’m more interested in the TCP connections, particularly those shown as ESTABLISHED, rather than just LISTENING, especially if they show as ‘Unknown’.

      currports_log_example

      *After the system(s) has booted, use something like Nir Sofer’s small, free, portable CurrPorts (with logging enabled) so you can build a picture of which events are regular and which are intermittent, including their remote endpoints. Personally I’m usually more interested in the very occasional ‘Unknown’ ESTABLISHED external TCP connections than the regular known ones which I call the Windows 10 ‘heartbeat’.

      windows_heartbeat_shown_using_glasswire
      (Windows 10 ‘heartbeat’ of external endpoint connections shown using Glasswire)

      On my systems Windows Defender updates are delivered from Microsoft servers whilst a lot of other Microsoft content is delivered by third-party providers – CDNs (Content Delivery Networks) – on Microsoft’s behalf. This includes Windows Updates and Microsoft Store updates.

      Note: I have Windows Updates blocked… so Windows Defender does a failback to using BITS (Background Intelligent Transfer Service) for its updates instead of using the default Update Orchestrator Service.

      For example, here in the UK I see regular connections to Microsoft in Dublin for Windows Defender‘s AV updates whilst the remainder are usually from Akamai’s CDN servers in England and the Netherlands on Microsoft’s behalf.

      For example:

      a23-212-232-96.deploy.static.akamaitechnologies.com
      23.212.232.96
      Netherlands
      Store
      winstore.app.exe

      This shows the Windows Store app connecting to an Akamai datacentre. You can reduce this behaviour by turning off background updates.

      Note also that by default Microsoft Edge preloads content *before* user login (even if you never use Edge) so you’re going to see multiple router flashes as its default start page loads all the Bing stuff hidden in the background. You can stop this behaviour or block Edge.

      There’s a whole bunch of Microsoft tools/apps/utilities/live tiles which make external connections, even if YOU don’t use them. You need to examine them and disable access (outbound, inbound or both) in your firewall. (I use sordum.org’s small, free, portable Firewall App Blocker for ease of use.)

      Don’t rely on adding the IP address endpoints to the HOSTS file if they are Microsoft-related. Since 2006 Microsoft now often ignores the HOSTS file for Microsoft-related URLs (and Defender now flags it if it’s amended). (See Microsoft HOSTS file bypass issue for more details.)

      Some more examples (note these are from Jan. 2018… I haven’t tested since):

      db5.settings.data.microsoft.com.akadns.net
      40.77.226.249
      United States
      Speech Runtime Executable
      speechruntime.exe
      
      wdcpeurope.microsoft.akadns.net
      52.178.163.85
      Ireland
      Microsoft Windows Malicious Software Removal Tool
      mrt-kb890830.exe
      
      cs9.wpc.v0cdn.net
      93.184.221.200
      United States
      Settings
      c:\windows\immersivecontrolpanel\systemsettings.exe
      
      modern.watson.data.microsoft.com.akadns.net
      65.55.252.202
      United States
      Windows Problem Reporting
      c:\windows\syswow64\werfault.exe
      
      sls.update.microsoft.com.nsatc.net
      52.229.171.202
      United States
      SIH Client
      c:\windows\system32\sihclient.exe
      
      db5.settings.data.microsoft.com.akadns.net
      40.77.226.249
      United States
      Microsoft Compatibility Telemetry
      c:\windows\system32\compattelrunner.exe
      
      e11290.dspg.akamaiedge.net
      104.103.185.104
      United States
      Microsoft Malware Protection Command Line Utility
      c:\program files\windows defender\mpcmdrun.exe
      
      e-0009.e-msedge.net
      13.107.5.88
      United States
      microsoft.photos.exe
      c:\program files\windowsapps\microsoft.windows.photos_2017.39101.16720.0_x64__8wekyb3d8bbwe\microsoft.photos.exe
      
      a-0026.a-msedge.net
      204.79.197.229
      United States
      searchui.exe
      c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe
      
      40.77.226.249
      United States
      Speech Model Download Executable
      c:\windows\system32\speech_onecore\common\speechmodeldownload.exe
      
      smartscreensvc.microsoft.com.nsatc.net
      13.79.239.82
      Ireland
      Windows Defender SmartScreen
      c:\windows\system32\smartscreen.exe
      
      vip5.afdorigin-prod-cw02.afdogw.com
      51.141.26.229
      United Kingdom
      Microsoft Outlook Communications
      c:\program files\windowsapps\microsoft.windowscommunicationsapps_17.8730.21725.0_x64__8wekyb3d8bbwe\hxtsr.exe
      
      wdcpeurope.microsoft.akadns.net
      52.166.110.64
      Netherlands
      Antimalware Service Executable
      c:\program files\windows defender\msmpeng.exe
      
      db5.settings.data.microsoft.com.akadns.net
      52.166.110.64
      Netherlands
      Microsoft Feedback SIUF Deployment Manager
      c:\windows\system32\dmclient.exe
      
      191.239.213.197
      Ireland
      App Uri Handlers Registration Verifier
      c:\windows\system32\apphost\registrationverifier.exe
      
      a-0001.a-msedge.net
      13.107.21.200
      United States
      Download/Upload Host
      c:\windows\system32\backgroundtransferhost.exe
      
      modern.watson.data.microsoft.com.akadns.net
      40.77.228.92
      United States
      Windows Problem Reporting
      c:\windows\system32\wermgr.exe
      
      e1898.dspg.akamaiedge.net
      23.212.232.96
      Netherlands
      Background Task Host
      c:\windows\system32\backgroundtaskhost.exe
      
      e2821.dspb.akamaiedge.net
      104.82.235.53
      United States
      Wireless Background Task
      c:\windows\system32\wifitask.exe
      
      ff02::1:2
      Host Process for Windows Services
      c:\windows\system32\svchost.exe
      
      a-0001.a-msedge.net
      13.107.21.200
      United States
      Search and Cortana application
      
      cs9.wpc.v0cdn.net
      93.184.221.200
      United States
      Search and Cortana application
      
      a-0019.a-msedge.net
      204.79.197.222
      United States
      Search and Cortana application
      
      a-9999.a-msedge.net
      204.79.197.254
      United States
      Search and Cortana application
      
      bn2.vortex.data.microsoft.com.akadns.net
      65.55.44.109
      
      array501-prod.dodsp.mp.microsoft.com.nsatc.net
      52.167.222.147
      United States
      Host Process for Windows Services
      
      array502-prod.dodsp.mp.microsoft.com.nsatc.net
      13.68.87.47
      United States
      Host Process for Windows Services
      
      array503-prod.dodsp.mp.microsoft.com.nsatc.net
      13.68.88.129
      United States
      Host Process for Windows Services
      
      array504-prod.dodsp.mp.microsoft.com.nsatc.net
      52.167.222.147
      United States
      Host Process for Windows Services
      
      array505-prod.dodsp.mp.microsoft.com.nsatc.net
      52.167.223.135
      United States
      Host Process for Windows Services
      
      DB5SCH103100314.wns.windows.com
      40.77.229.76
      United States
      Host Process for Windows Services
      
      c-0001.c-msedge.net
      13.107.4.50
      United States
      Host Process for Windows Services
      
      ipv4.login.msa.akadns6.net
      131.253.61.100
      United States
      Host Process for Windows Services
      
      fe3.delivery.dsp.mp.microsoft.com.nsatc.net
      64.4.54.18
      United States
      Host Process for Windows Services
      
      bn2.vortex.data.microsoft.com.akadns.net
      65.55.44.109
      United States
      Host Process for Windows Services
      
      arc.msn.com.nsatc.net
      207.46.194.33
      United States
      Background Task Host
      
      db5.settings.data.microsoft.com.akadns.net
      40.77.226.249
      United States
      Host Process for Windows Services
      Background Task Host
      (Microsoft Feedback SIUF Deployment)
      
      array501-prod.dodsp.mp.microsoft.com.nsatc.net
      13.68.82.8
      United States
      Host Process for Windows Services
      System
      
      service.datamart.windows.com.akadns.net
      13.68.117.33
      United States
      Wireless Background Task
      
      e10370.dscg.akamaiedge.net
      23.207.191.90
      United States
      Host Process for Windows Services
      
      ris.api.iris.microsoft.com.akadns.net
      40.77.229.148
      United States
      Background Task Host
      
      db5.displaycatalog.md.mp.microsoft.com.akadns.net
      40.77.229.125
      United States
      Host Process for Windows Services
      
      e1553.dspg.akamaiedge.net
      104.103.152.102
      United States
      Host Process for Windows Services
      
      e2821.dspb.akamaiedge.net
      104.82.235.53
      United States
      Wireless Background Task
      
      e7070.g.akamaiedge.net
      23.212.233.124
      Netherlands
      Host Process for Windows Services
      
      spclient.wg.spotify.com
      35.186.224.62
      United States
      Host Process for Windows Services
      
      a-0001.a-msedge.net
      13.107.21.200
      United States
      Background Task Host
      
      DB5SCH103100314.wns.windows.com
      40.77.229.76
      United States
      Host Process for Windows Services
      
      array507-prod.dodsp.mp.microsoft.com.nsatc.net
      52.184.155.206
      United States
      Host Process for Windows Services
      
      e11290.dspg.akamaiedge.net
      104.103.185.104
      United States
      Microsoft Malware Protection Command Line Utility
      
      23.212.232.96
      Background Task Host
      
      geo-prod.dodsp.mp.microsoft.com.nsatc.net
      40.77.226.219
      United States
      Host Process for Windows Services
      
      location-inference-westeurope.cloudapp.net
      52.178.38.38
      Netherlands
      Host Process for Windows Services
      
      e1706.g.akamaiedge.net
      104.103.114.93
      United States
      Host Process for Windows Services
      
      tsfe.trafficshaping.dsp.mp.microsoft.com
      40.77.229.141
      United States
      Host Process for Windows Services
      System
      
      db5.wns.notify.windows.com.akadns.net
      40.77.226.247
      United States
      Host Process for Windows Services
      
      a1683.dspw65.akamai.net
      62.253.3.219
      United Kingdom
      Host Process for Windows Services
      
      a122.dscg3.akamai.net
      62.253.3.139
      United Kingdom
      Host Process for Windows Services
      
      candycrushsoda.king.com
      185.48.81.162
      Sweden
      Host Process for Windows Services
      (Advertised games in the default Start menu)
      bubblewitch3mobile.king.com
      185.48.81.253
      Sweden
      Host Process for Windows Services
      (Advertised games in the default Start menu)
      e10663.g.akamaiedge.net
      23.212.234.37
      Netherlands
      Host Process for Windows Services
      
      52.169.71.150
      Ireland
      Antimalware Service Executable
      c:\programdata\microsoft\windows defender\platform\4.12.17007.18011-0\msmpeng.exe

      (Note that this last one happened when I plugged a USB stick in to transfer screenshots!)

      Hope this helps…

      7 users thanked author for this post.
      • #2469935

        What Rick said.  I wouldn’t assume that every bit of traffic is bad or wrong. Some start up traffic is also group policy related.

        Susan Bradley Patch Lady

        2 users thanked author for this post.
        • #2470159

          Perhaps I am over concerned about Windows 10 calling home.

          Our business is founded on Workstations with Intel Core i9 processors, 32 GB of memory, and dual SSD storage.

          They are only connected to the internet when we feel a need to update the systems. So, the boot issue is negligible.

          Our other machines are always connected to the internet. One way to circumvent my boot-up issue is not to shut them down when they are not in use.

      • #2470162

        Rick,

        Downloaded and tried the Edge Blocker program and through testing with my PowerShell Restart-Timer program I can confirm that Edge is doing stuff in the background.

        Testing metholodgy:

        1. Imaged C: drive with Reflect…Just in case!
        2. Download & extracted contents.
        3. Rebooted using Restart-Timer to get existing reboot timing.
        4. Ran the 64 bit version and Blocked Edge.
        5. Rebooted using Restart-Timer to get reboot timing with Edge blocked.
        Before Installation of Edge Blocker
        DELLXPS8920's System is Compacted: False
        11:56:25 AM
        11:57:04 AM
        Elapsed Reboot Time: 00:00:39.8246722
        
        After Installation of Edge Blocker
        DELLXPS8920's System is Compacted: False
        12:01:59 PM
        12:02:36 PM
        Elapsed Reboot Time: 00:00:37.1813947
        

        Next on to test FAB (Firewall Application Blocker)

        May the Forces of good computing be with you!

        RG

        PowerShell & VBA Rule!
        Computer Specs

        4 users thanked author for this post.
        • #2470163

          We also found that Microsoft Edge was doing “stuff” in the background.

          When we ran CCleaner’s Custom Clean, in its default mode, we always found that the largest number of items removed were Edge related.

          We solved the problem by disabling/removing Edge from all of our systems.

          • #2470373

            We solved the problem by disabling/removing Edge from all of our systems.

            Solved? you removed Edge from Windows10, Arnold Schwarzenegger had a famous saying in the Terminator movies..that applies to that action.

            FWIW: Try changing the following within GPedit: (I don’t use edge either):
            Computer Configuration> Administartive Templates> Windows Components> Microsoft Edge> Allow Edge to pre-launch at windows startup, when the system is idle and each time Microsoft Edge is closed

            I’ve set this to ENABLED on one device, which displays a configure pre-launch window, select ‘Prevent pre-launching’ from the drop down menu box.
            And I’ve set it to DISABLED on another device to compare the difference, haven’t seen edge background connections/ traffic using either method. YMMV

            Note: These are the ONLY things edited for Edge in GPedit (no other Edge related tweaks elsewhere according to my notes)

            3 users thanked author for this post.
          • #2470379

            One more note related to Microsoft Edge.

            We never used Microsoft Edge even so CCleaner’s Custom Clean found large numbers of content.

            Obviously, Edge was opening at boot-up and running in the background.

            2 users thanked author for this post.
    • #2470173

      Perhaps I am over concerned about Windows 10 calling home.

      I think you’re right to ponder what Windows 10 is doing in the background but may also have to accept that ’10’ is much, much more ‘chatty’ than any of its predecessors where the internet is concerned. (I don’t know about ’11’ – I looked, I experimented, I hated… and haven’t been back since it launched.)

      As you may have seen by the list I posted above (which I really need to update), ’10’ has an inordinate amount of built-in ‘chatty’ processes/executables. It takes time and a lot of Google-foo to work out what is relatively benign (like Store updates, Defender AV signature updates, etc.) and what may possibly raise privacy concerns (like default telemetry).

      What I like is that there’s a veritable small army of like-minded people out there that come up with some amazing 3rd-party apps/tools/utils/scripts to wind back the ‘chattiness’. They help me strip out a lot of the built-in tardiness between ‘boot and truly usable desktop’ so I get quicker to a point where my device does what *I* want it to do rather than what *Microsoft* wants it to do (hence my pruning of scheduled tasks, startups and services).

      I should also add that I’m retired and it’s fun to tinker with “what ifs”… 🙂

      1 user thanked author for this post.
    • #2470174

      … through testing with my PowerShell Restart-Timer program…

      RG – I’ve somehow lost your Restart-Timer PS script and it’s not in your public OneDrive shared folder (unless I’ve suddenly gone blind)? Eek!

    • #2470179

      During the boot process our firewall app loads, but our concern is the generation of internet traffic during boot-up and before the firewall begins to work.

      The firewall we run on each Windows client includes a networking device driver that hooks into the Windows OS at the NDIS layer, before TCPIP gets to process the packet. All Windows network traffic, is seen by this device driver, including packets sent at boot time, since the device driver is a part of the network stack. The firewall is a part of our third-party security suite. Any destination IP address, subnet, or port, or protocol, should be filtered by pre-existing firewall rules, or that is a firewall bug.

      An exception would be any network traffic produced by the “UEFI” subsystems, before Windows gets control. But one would assume, a secure boot is taking place, that would in theory, prevent any malware during “pre-boot”.

      Inserting a separate network device to filter packets, another “firewall” inserted into your network topology, besides your perimeter router, would be another option. Could run a destination report from some network devices on where all your outbound traffic goes, from the logs generated.

      The excess volume of network traffic Microsoft generates at boot time with Windows 10+ would be another topic to discuss. If any of this traffic is undesired, better to turn it off at the source, if possible, through Windows client configuration changes.

      Our client security suite, can have settings updates immediately following boot, to be automatically received over the network. Better for us to get them quickly.

      1 user thanked author for this post.
    • #2470635

      Ok I’ve updated a bunch of my programs and they are now on the One Drive Shared location.

      Can you point me to descriptions of each of the apps that you have posted on your “One Drive location”?

      Thanks

      • #2470672

        Kathy,

        Each of the programs contain, what is referred to in PowerShell as, comment based help.

        In PowerShell simply enter:
        Get-Help d:\Path\ProgramName.ps1 -Full

        Should supply all the information you need. Also I tried to make the names as descriptive as possible within PS naming guidelines.

        May the Forces of good computing be with you!

        RG

        PowerShell & VBA Rule!
        Computer Specs

        1 user thanked author for this post.
    • #2470678

      Each of the programs contain, what is referred to in PowerShell as, comment based help.

       

      Thanks, will give it a try.

    Viewing 8 reply threads
    Reply To: High level of Internet traffic while booting

    You can use BBCodes to format your content.
    Your account can't use all available BBCodes, they will be stripped before saving.

    Your information: