Windows 7, The First 30 Minutes On The Network
Published: 06/05/2010
Microsoft Windows is an enormously complex operating system, more than most users realize. XP has around 80 background services with at least half of them running by default (most under the security privilege context of the all-powerful Local System account). The number of policy settings that can affect system behavior seems to increase with each OS release. IPsec is now natively built into the networking stack. Windows 7 allows administrators to granularly control the application footprint based on publisher, executable hashes, and other parameters. 802.11 profiles can now be made FIPS-compliant. In releases after XP, each Windows service has its own security identifier (SID). netsh sub-contexts have increased in number.
I've always been a little suspicious as to what goes on behind the scenes when an operating system is at work. Every time you access the Start menu, the registry gets accessed. There are a lot of under-the-hood transactions that a user never sees and event logs certainly don't show all possible audits by default (and besides, if every auditing parameter were flagged to do so, you'd have severe log bloat within minutes).
Even at idle, there are a lot of little elves hard at work in the machinery moving something.
Keep in mind that I'm talking about Windows by itself without any third-party applications that typically riddle the OEM system image from your favorite hardware vendor. If you install Windows clean with only the minimal number of necessary drivers to bootstrap basic usability without non-Microsoft add-ons, one has to wonder what kind of things the operating system is designed to do behind your back. I always have this fear that some secret process is sending my private data back to a Microsoft mothership located somewhere on the Internet.
Therefore, to satisfy my curiosity, I performed a clean install of Windows 7 Enterprise edition, plugged the machine into the network, and captured the unannounced traffic that the OS initiated on its own during the first 30 minutes of its life on the wire. Here are the results of this little examination...
Platform specifics:
- IBM ThinkPad T60 2613-HPU
- Windows installed directly from CD media.
- No network interfaces went link-up during installation or before the network trace was started.
- Client machine was placed behind a typical consumer NAT gateway and leased an IP address of 10.1.1.11.
Filtering out the bulk
I started writing this article before Windows 7 was officially out (and got sidetracked by other pressing issues, which explains the relatively late publishing date of this article) but the installation was based on the MSDN RTM version which should be exactly the same as what corporate IT admins would use. Due to the relative size of the original network trace (30.8 MB), all packets which refer to binary downloads for OS updates are filtered out in the attached capture file. The hosts and addresses concerned are:
Host | Addresses
download.windowsupdate.com | 68.142.123.80, 208.111.159.33
au.download.windowsupdate.com | 65.54.89.14
If you see a DNS request for these in the trace, assume that shortly afterwards the OS made a connection to these hosts over TCP 80 and started the downloads. Legacy NetBIOS (why Microsoft still leaves this enabled by default after all these years is beyond me) and ARP packets have also been filtered out. The trace file summary below is representative of the original unfiltered trace capture and will indicate the connections made to these hosts.
Lots of little things add up...
The bulk of automated downloads are attributed to the internal Automatic Updates client. Windows 7 (and Vista) both have IPv6 capabilities enabled and thus perform IPv6 Neighbor Discovery in order to map out the local network. On occasion, Windows makes an SSL connection to v9.update.microsoft.com. I'm curious if it's uploading something ... and if so, what?
At packet 166, Win7 requests a file called ncsi.txt. NCSI refers to the Network Connectivity Status Indicator, a function introduced in Vista that detects whether Internet connectivity exists (as opposed to connectivity only within the local subnet) and changes the system tray network icon to the "globe" version if applicable. It does this in one of two ways: either 1) by performing a DNS request for www.msftncsi.com and then fetching the ncsi.txt file to verify that Microsoft's server can be reached, or 2) by doing a DNS lookup for dns.msftncsi.com and assuming that Internet connectivity exists if the DNS server returns a valid response. See Microsoft's website for more information.
SSDP is still active (packets 564 - 585). I was never a big fan of this feature and I have to wonder why it still runs on an OS that's supposedly much more secure than its predecessors. I like my OS running as silent as possible.
At packet 586 there's a DNS request for the SRV record "_VLMCS._TCP." This is specific to Enterprise edition and is used to locate a corporate Key Management Server (KMS) in order to perform OS activations, which work differently from the one-time activation process on retail editions of Windows 7. If a KMS is found, Win7 will initiate a connection to it over TCP 1688 and perform some voodoo RPC magic for the activation (which is only good for six months).
There are 109 IPv6-related packets in this trace alone. Most people don't use IPv6 yet on their networks, and while this only represents about 12 KB of transmission, over time this can still add up on a large network with many similar hosts. While you might be tempted to disable IPv6 from the network stack, keep in mind that Microsoft does not QA the OS without it enabled.
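The two steps described above, dropping the update-download hosts, NetBIOS and ARP noise from the capture and then labelling what remains (NCSI probes, SSDP, the KMS SRV lookup, IPv6 discovery, and anything left over for manual review), can be scripted so the same triage runs over the next fresh-install trace. The following is an added example and not the article's own tooling or capture: it assumes a packet summary in the column form Wireshark exports (number, source, destination, protocol, info), and the sample lines, addresses such as 198.51.100.10 and 203.0.113.7, and the packet numbers are constructed to mirror the article's findings rather than taken from the real trace.

```python
"""Triage a first-contact packet trace (added example; not from the article).

Input format is assumed to be a CSV packet summary: no,src,dst,proto,info.
Only the Windows Update addresses come from the article; everything else
in SAMPLE_TRACE is constructed for illustration.
"""
import csv
import io
import re
from collections import Counter

# Addresses the article filtered out because they only carry update binaries.
UPDATE_HOSTS = {"68.142.123.80", "208.111.159.33", "65.54.89.14"}

# Local-segment chatter the article also removed (legacy NetBIOS and ARP).
NOISE_PROTOCOLS = {"ARP", "NBNS", "NBDS", "BROWSER"}

# Info-column patterns for the behaviours the article identified.
RULES = [
    ("ncsi-probe", re.compile(r"msftncsi\.com|GET /ncsi\.txt", re.I)),
    ("kms-discovery", re.compile(r"SRV _VLMCS\._TCP", re.I)),
    ("windows-update", re.compile(r"windowsupdate\.com", re.I)),
]

# Constructed sample trace; packet numbers are not the article's.
SAMPLE_TRACE = """\
no,src,dst,proto,info
1,10.1.1.11,10.1.1.1,DNS,Standard query A www.msftncsi.com
2,10.1.1.11,198.51.100.10,HTTP,GET /ncsi.txt HTTP/1.1
3,10.1.1.11,10.1.1.255,NBNS,Name query NB WORKGROUP<1d>
4,10.1.1.11,ff02::1:ff00:1,ICMPv6,Neighbor Solicitation for fe80::1
5,10.1.1.11,239.255.255.250,SSDP,M-SEARCH * HTTP/1.1
6,10.1.1.11,10.1.1.1,DNS,Standard query SRV _VLMCS._TCP.corp.example
7,10.1.1.11,10.1.1.1,DNS,Standard query A download.windowsupdate.com
8,10.1.1.11,68.142.123.80,TCP,49157 > 80 [SYN]
9,IBM_aa:bb:cc,Broadcast,ARP,Who has 10.1.1.1? Tell 10.1.1.11
10,10.1.1.11,203.0.113.7,TLSv1,Client Hello
11,10.1.1.11,ff02::16,ICMPv6,Multicast Listener Report Message v2
"""


def parse_trace(text):
    """Read the CSV summary into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def is_noise(pkt):
    """True for packets the article's filter would have dropped."""
    return pkt["proto"] in NOISE_PROTOCOLS or pkt["dst"] in UPDATE_HOSTS


def classify(pkt):
    """Label a kept packet with the behaviour it belongs to."""
    for label, pattern in RULES:
        if pattern.search(pkt["info"]):
            return label
    if pkt["proto"] == "SSDP" or pkt["dst"] == "239.255.255.250":
        return "ssdp"
    # Anything to an IPv6 address counts as link-local discovery traffic.
    if pkt["proto"].startswith("ICMPv6") or ":" in pkt["dst"]:
        return "ipv6-discovery"
    return "unclassified"


def triage(text):
    """Return (kept packets, dropped count, per-label counts, review list)."""
    kept, dropped = [], 0
    for pkt in parse_trace(text):
        if is_noise(pkt):
            dropped += 1
            continue
        pkt["category"] = classify(pkt)
        kept.append(pkt)
    counts = Counter(p["category"] for p in kept)
    # Unclassified flows are the ones worth a closer look, like the
    # article's unexplained SSL connection.
    review = [p for p in kept if p["category"] == "unclassified"]
    return kept, dropped, counts, review


if __name__ == "__main__":
    kept, dropped, counts, review = triage(SAMPLE_TRACE)
    print(f"kept {len(kept)} packets, dropped {dropped} as noise")
    for label, n in sorted(counts.items()):
        print(f"  {label:16s} {n}")
    for p in review:
        print(f"review packet {p['no']}: {p['src']} -> {p['dst']} {p['info']}")
```

Running it prints one count per label and lists the TLS Client Hello as the only packet needing review. The design keeps the drop list and the label rules as plain data at the top so that a second run a week later, as the article proposes, only needs new entries there, and anything that lands in the review list is by construction a flow the previous run did not already explain.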
Still chatty
So there you have it - a brief look at the first half hour on the wire. From a bandwidth consumption perspective it's mostly patch downloads (which is ironic for a newly-security-enhanced OS that wasn't officially released yet at the time). Nothing too fishy, but who knows what happens afterwards. One of these days I may be tempted to do another review over a period of a week to see if there are any odd outbound connections beyond the first thirty minutes.