Why does Win7 frequently try to access Akamai servers through svchost?

VeganCaramel · 23 Jan 2017

Win 7 frequently tries to access Akamai servers through svchost.
Win XP never tries to do this.
Anyone know what M$ added to Win 7 that's trying to access these servers?

Notes:
- Win 7 does this even after a fresh install with no other software installed.
- Don't need any guesses. I have a whole list of guesses from googling. I'm wondering if anyone knows what Windows is actually doing.
- I'm using Win 7 Ultimate x64, super lean; no bells & whistles active; all non-mandatory services disabled, including Windows Update.

SOLVED:
Two Windows services, CryptSvc and NlaSvc, were trying to contact Akamai servers via svchost.
After monitoring their traffic, it appears CryptSvc may have been engaging in CRL activities and NlaSvc may have been engaging in NCSI activities. Much of the traffic was, understandably, not easily decipherable so I can't pass judgement on whether or not the communications were entirely innocent/harmless. Elsewhere in this thread, I've posted the results of the monitoring if you want to have a look.
Disabling CRL checking and Active Probing put an end to the Akamai server contact attempts. I posted more details and instructions elsewhere in this thread.

Callender · 23 Jan 2017

See: Maybe now windows 7 will update

and:

svchost (netsvcs) download from Akamai - What is initiating?

VeganCaramel · 23 Jan 2017

Thanks for the links.
I had never come across DnsEye. I'm sure I'll find it quite useful.
I have the Windows Update service completely disabled so I certainly hope Win 7 isn't still attempting to contact update servers.
Here are some of the Akamai IP's svchost has tried to connect to.

Code:

184.25.56.98
104.99.238.11
23.62.239.25
173.223.52.193
23.216.10.201
63.217.21.26
2.16.4.178
184.51.0.250
184.28.188.193
23.209.179.27
104.93.82.19
104.93.82.11

This is all I got when attempting a tracert on one of them:

Callender · 23 Jan 2017

Tracert is run via Elevated Command Propmt - not DNS Eye. Your DNS Eye screenshot shows reverse DNS lookups for those two ip addresses.

RE: "Here are some of the Akamai IP's svchost has tried to connect to"

On my machine ii only tries to connect to one Local Akami server when Windows Updates checks/ downloads are running.

Maybe you have MS Office Suite or other additinal MS Products installed that check for updates? I don't have any additional MS software on my machine so cannot say for sure if this is the case.

Check services running under svchost.

Svchost Process Analyzer - a svchost.exe file checker

VeganCaramel · 23 Jan 2017

Tracert is run via Elevated Command Propmt - not DNS Eye

.
Yeah, that screen cap is of what DnsEye displayed when I ran the Tracert on one of the above-listed Akamai IP's via elevated command prompt.

Maybe you have MS Office Suite or other additinal MS Products installed that check for updates?

No, but thanks for reminding me about SvchostAnalyzer.
I had planned to use it a while back for this very purpose but completely forgot about it. Nothing unexpected running right now but I'll be sure to fire it up the next time svchost tries to connect to an Akamai server.

Callender · 23 Jan 2017

You could try setting windows updates settings to "never check for updates" for a couple of days and if you don't get any connections then you can rule out anything else.

samuria · 23 Jan 2017

It's considered as malware it's a p2p program which is used for streaming getting the file from lots of places problem is it keeps using your bandwidth to feed other people remove it from the system it's not part of Windows

VeganCaramel · 23 Jan 2017

You could try setting windows updates settings to "never check for updates"

That's what it's always set to, plus the service is disabled via services.msc
I only allow it to be enabled for a short period after I install the OS then it stays disabled.

Callender · 23 Jan 2017

You can try netstat logging. I use EssentialNetTools with logging enabled. Anyway I've just seen the same thing on my machine:

PID 980

Why does Win7 frequently try to access Akamai servers through svchost?-essential-nettools.jpg

Connects to Akamai Server but only briefly

Why does Win7 frequently try to access Akamai servers through svchost?-ipnetinfo.jpg

Something running under one of these services is responsible

Why does Win7 frequently try to access Akamai servers through svchost?-svchost-process-analyzer.jpg

That's as far as I get at the moment.

Callender · 23 Jan 2017

Okay rule out Nlasvc. I've already applied this setting on my machine some time ago. Just checked.

What do Microsoft and NCSI have in common? - TechRepublic

That leaves the other two.

I give up for today. Might do more research tomorrow. Let me know if you track it down.