How to Identify the PID Making a DNS Query

Daddyman
Something on my W7 Pro x64 computer is making hundreds of DNS requests to logmein.com every day. I want to learn the identity of 'something'.

My computer is definitely not infected, not even by a rootkit, and my wireless network is definitely not hacked. My Hosts file is unchanged from the default.

About eight months ago I did install LogMeIn, but a few days later I uninstalled it. I'm quite sure it uninstalled completely.

A capture application like Wireshark can see and analyze the DNS requests, but it doesn't tell me which PID is making the request. A network monitor like TCPView knows the PID but doesn't tell me which traffic is a DNS request.

I am nobody's idea of a network expert, but I understand this much: identifying which PID is making a DNS request is difficult because processes don't (usually) make DNS queries directly. They ask the OS resolver for hostname resolution, and the resolver in turn makes the DNS query.

I suppose I could open Wireshark and then end processes one by one until the DNS requests stop (or my computer crashes. :D) But isn't there some other way to find out which PID is making the original DNS request?

My Computer

Computer Manufacturer/Model Number
Dell Studio XPS 8100
OS
Windows 7 Professional x64
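One way to answer the question in the post above, as an added example that is not part of the original thread: the Microsoft-Windows-DNS-Client ETW provider logs a "DNS query is called for the name ..." event (ID 3006) from inside the process that called the resolver API (dnsapi.dll runs in the caller before the request is handed to the DNS Client service), so the event's ProcessId is the process that asked for the name, not svchost.exe. This PowerShell script records that provider with logman for a few minutes, reads the .etl back with Get-WinEvent, and tallies matching queries by PID and image path. The trace name, output path, duration, the name pattern, and the assumption that the queried name is the event's first property are mine, not something from the thread.

```powershell
# Added example (not from the thread): attribute DNS queries to the PID that asked
# the resolver. Run from an elevated PowerShell prompt on Windows 7 or later.
# Assumptions: trace name, output path, duration, the name regex, and that the
# queried name is the first property of DNS-Client event 3006.
param(
    [string]$Pattern = 'logmein\.com$|everquest\.com$',  # regex over the queried name
    [int]$Seconds    = 300,                              # collection window
    [string]$EtlPath = "$env:TEMP\dnsclient.etl"
)

$traceName = 'dnsclient-trace'   # arbitrary ETW session name (assumption)

# 1. Record the Microsoft-Windows-DNS-Client provider. dnsapi.dll emits event
#    3006 ("DNS query is called for the name ...") inside the calling process,
#    so the event carries the requester's PID rather than svchost.exe's.
logman start $traceName -p 'Microsoft-Windows-DNS-Client' -o $EtlPath -ets | Out-Null
try {
    Write-Host "Recording DNS client events for $Seconds seconds ..."
    Start-Sleep -Seconds $Seconds
} finally {
    logman stop $traceName -ets | Out-Null
}

# 2. Read the trace back (-Oldest is required for .etl files) and keep the
#    3006 events whose queried name matches the pattern.
$hits = Get-WinEvent -Path $EtlPath -Oldest -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 3006 } |
    ForEach-Object {
        $name = [string]$_.Properties[0].Value
        if ($name -match $Pattern) {
            # Resolve the PID to an image path; a process that already exited
            # cannot be resolved any more, so say so instead of guessing.
            $proc  = Get-Process -Id $_.ProcessId -ErrorAction SilentlyContinue
            $image = '<exited before the trace was read>'
            if ($proc) { $image = $proc.Path }
            New-Object PSObject -Property @{
                Time      = $_.TimeCreated
                ProcessId = $_.ProcessId
                Image     = $image
                QueryName = $name
            }
        }
    }

if (-not $hits) {
    Write-Host "No queries matching '$Pattern' were recorded in $EtlPath."
    return
}

# 3. Who asked for what, and how often.
$hits | Group-Object -Property ProcessId, Image, QueryName |
    ForEach-Object {
        New-Object PSObject -Property @{
            Count     = $_.Count
            ProcessId = $_.Group[0].ProcessId
            Image     = $_.Group[0].Image
            QueryName = $_.Group[0].QueryName
        }
    } |
    Sort-Object Count -Descending |
    Format-Table Count, ProcessId, Image, QueryName -AutoSize
```

Run it elevated; the ETW session needs administrator rights. A process that exits before the trace is read shows as exited, which is exactly what a scheduled updater or a short-lived helper will do, so for those cases run Process Monitor alongside (its network events record the image for every UDP send) or use the lower-tech route: stop the DNS Client service temporarily, after which each process sends its own port 53 queries and TCPView or netstat -b show the owner directly. The changing source ports seen in Wireshark are ordinary resolver behaviour (Windows randomizes the UDP source port of each query); a firewall rule for DNS matches on destination port 53, not on the source port.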
Daddyman

I can add some additional information to my original post, courtesy of Wireshark:

1- The DNS queries are definitely coming from my computer.
2- The source port is different every time, but always in the upper range of port numbers (50000 and up). For instance, the source ports are 58620, 62544, 56138, 54596, 52952, 57794, etc. This might be an attempt to prevent me from stopping this activity by setting a firewall rule. I would have to block every port from 50000 and up.
I still haven't identified the process that's doing this, nor can I understand why something or someone would be making literally thousands of DNS queries a day for logmein.com and patch.everquest.com.
Daddyman

No solution thus far. For now, I just added the domains in question to my Hosts file, so the DNS queries have stopped. I may never find out what's really going on. :cry: