Unknown TCP connection ???

[meerkat]

Everytime I start windows and login to my account, there is an unknown TCP connection attempt to IP:65.55.119.90, Port:80. The Whois Record shows that this IP belongs to one of the Microsoft servers. Does anyone have an idea which service is responsible for this connection attempt?

 

[pebbly]

hi meerkat, welcome to the forums, that maybe windows update checking for new updates

 

[meerkat]

...that maybe windows update checking for new updates...

sorry but the "windows update" service (as well as many others) is already disabled in my system. It must be something else I haven't figured out yet ?!

 

[NZKFC]

Hello,

IP 65.55.158.80 is the the Event Viewer Reporting service. The service is there to offer advice about problems on your computer.

svchost.exe uses this IP I believe, not 100% sure.

 

[cabotp]

I was wondering the same thing on what was accessing that IP address. I found out that it was the "Net Location Awarness" Service. This was done using Process explorer and Process Monitor.

I haven't figured out yet why that service is trying to access the above IP address and port.

 

[fseal]

There is also the "Customer Experience Improvement Program" which sends statistcs to microsoft such as your screen resolution etc if that is enabled.

See this and click on the bottom of the 4 links listed for instructions on turning it off (or checking if it's off)

Turn off settings that were recommended during Windows setup

 

[cabotp]

Ok update from my last post.

What the Network Location service does is determine whether or not you have a valid and active connection to your local network and the Internet

Registry key \HKLM\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet

Has the following parameters

ActiveDnsProbeContent & ActiveDnsProbeHost. Is used to see if you have an active and working DNS server. By confirming that the Host and Content (IP addresses) matches. You can change this from the default.

ActiveWebProbeHost - Where you download the text file from
ActiveWebProbePath - The path and name of the file to download
ActiveWebProbeContent - The contents that should be in that file.

The default is to download a text file call ncsi.txt from www.msftncsi.txt. With the contents "Microsoft NCSI." You can see the file at http://www.msftncsi.txt/ncsi.txt

You can change the values. And have your own text file to download. Not sure if the contents matter or not. I did change them and it seemed to have no affect. But your mileage may vary. Just make sure you have a working web server somewhere on the Internet to download the file. I also assume the path can be what ever you desire.

I changed my values to my own web server and put the file on there. As for the dns settings I just changed them to my server's IP and Name.

I assume this would work for Windows Vista as well. Not sure if Windows XP or 2000 uses the same service.

 

[meerkat]

Thank you fseal and carbotp,

I think I've found two ways to get rid of this TCP connection.
Either you completely disable the Network Location Service (NLA) from Administrative Tools -> Services or you simply add the following key and value to the registry and restart your PC.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet]
"EnableActiveProbing"=dword:00000000
The only side effect of this approach is that the system tray icon will misleadingly show you as disconnected.
If this icon bothers you, simply right click on system tray, customize notification icons and turn network icon off.