Identifying Windows service generating network traffic
I use TCPView from Sysinternals (MS Technet) for viewing realtime connection information in windows. it includes the process that initiates the flow.
http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx
if the traffic is coming from a SvcHost process, note the PID of the process, and run
tasklist /SVC > c:\tasks.txt
in a command prompt. open the file and make note of the servies that share that PID. one of them is the culprit. you should be able to disable many of them in services.msc.
if the traffic comes from PID 4 (the system process), you probably won't be able to dig deeper easily, but you can probably identify the thread causing the traffic with Process Explorer also from SysInternals, and from there the dlls that make up its stack. theres very little you can do based on this information however.
good luck.
Related videos on Youtube
Ivan Vučica
Croatian developer, who used to focus on (and still likes) mostly iOS and Mac development. Currently at works for a search engine company. Interests include game and web development, with game development experience on Mac, Windows and GNU/Linux. #SOreadytohelp
Updated on September 18, 2022Comments
-
Ivan Vučica over 1 year
Windows services run within host processes. Observing the traffic using Windows 8's Resource Monitor, I see traffic generated by
svchost.exe (netsvcs)
. It appears to be directed towards an IP address controlled by a major Croatian ISP.The address is 213.191.147.215.
Traffic generated by
svchost.exe (NetworkService)
is directed toward a (very similar) 213.191.147.216. Sniffing with Wireshark reveals that HTTP requests toward 213.191.147.216 include/msdownload/...
in the URL.GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?edc2fcdacea5cc1a HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Microsoft-CryptoAPI/6.3 Host: ctldl.windowsupdate.com HTTP/1.1 200 OK Cache-Control: max-age=604800 Content-Type: application/octet-stream Last-Modified: Fri, 04 Oct 2013 00:14:07 GMT Accept-Ranges: bytes ETag: "80f18a496c0ce1:0" Server: Microsoft-IIS/7.5 X-Powered-By: ASP.NET Content-Length: 54009 Date: Tue, 22 Oct 2013 12:44:14 GMT Connection: keep-alive
This leads me to conclude these are both members of a Microsoft CDN in Croatia.
I have attempted to disable Windows Update service, but the download from .215 continued. This is troublesome; during summer, I had over 200mb downloaded over 3G within 10 minutes before I noticed what was happening. This was only minutes after I paid for 1gb of traffic to my provider. I really don't like Microsoft wasting my money after being explicitly told NOT to download any updates in the background.
Today I noticed this again. While I am not connecting via cellphone at this point, I'd love to know the solution to the issue once and for all.
Since I don't feel like disabling services at random hoping I'll hit the one that generates traffic, I'd highly prefer identifying which service is creating traffic.
How do I identify which background service initiated the download? How do I identify which background services are generating network traffic?
-
Ivan Vučica over 10 yearsObserve the
GET
request itself. Microsoft appears to use the same virtual host name to distribute certificate revocation lists. Also, stopping the Windows Update service did nothing to stop this particular request to.216
host, nor the actual large download from.215
. -
Ivan Vučica over 10 yearsThanks for TCPView -- I ran into it before posting the question. Luckily, even Resource Monitor was able to display the process information related to network traffic, but TCPView is made of pure awesome to someone used to UNIX tools. The
tasklist /svc
suggestion, however, is definitely what I was most interested to know, so I'm more than happily accepting the answer.