Post by drcard on Jun 27, 2018 21:21:00 GMT -5
Hi all,
Note: This may appear to be too geeky to try, but it is real easy once you get started.
Note2: This works on Windows versions XP and up with very slight differences among the versions.
Overview:
All users know that their PC connects to Web sites in the background. This is how Windows and other applications on your PC get “updates”. The average user is expected to have faith that these background connections are from applications that they installed and are necessary to keep the PC safe and running smoothly. Prudent users want to know what applications are connecting to the Internet in the background and if that connection is necessary or useful. Most of these background connections are needed to keep your PC running up to date, but some just eat up your bandwidth with no real benefit to you; while some can cause you or your PC harm.
The following instructions allow the user to create a list of all Internet connections that your PC makes, including the application on your PC that is making each connection. The utility used to create this list is built into Windows, so no 3rd party application is needed. Following the instructions are tips on how to investigate the applications making these connections and help you decide if each connection is necessary or useful. In other words, create a list of who your PC is talking to and decide if you are going to let the conversations continue.
Creating a List of Internet Connections:
1. The utility you need to do this is already installed on every version of Windows since XP. While the utility is the same on each version of Windows, how to access that utility differs slightly among each version of Windows. These instructions are specific to Windows 7.
2. Click the Start button and type PowerShell into the search box. Windows PowerShell will appear in the list above. Right click Windows PowerShell and select Run as administrator. Note: You will see in the list Windows PowerShell(x86) and Windows PowerShell ISE. The PowerShell(x86) is the 32 bit version of this utility. The ISE version is an enhanced version that handles scripting (not used by individual users).
3. The PowerShell command window will open. The PowerShell window will look like a command prompt window except for the background color of blue.
4. The directory that the prompt opens to will differ from user to user and will look like this example: PS C:\Users\Username (where Username is the name the user signs on with). This utility will work from any directory listed, but the list will be stored in the folder listed at the end of the prompt. In my example, the list will be stored in the Username folder. If you want the list stored in another folder, you need to change the directory at the prompt first.
5. Type the following command at the prompt and press the Enter key. The _ (underscore) in the command is to show where a space must be placed in the command.
netstat_-abf_5_>_talking.txt
6. The cursor will flash under the last command. This means the utility is working and is creating the list. Let the cursor flash for 1 to 2 minutes. The 5 in the above command is looking at all connections every 5 seconds. Having the utility look for a couple minutes usually catches nearly all connections made in the background.
7. Press Ctrl+C to stop the utility from collecting data and complete the list. The prompt will return to the directory where the netstat command was entered.
8. The list is stored in the talking.txt file which is stored in the folder listed at the prompt (Username). Use Notepad to open the file. Note: You can open the file in PowerShell by typing talking.txt at the prompt and pressing the Enter key. The file will open in a Notepad window.
Tips on Investigating These Connections:
The document will have Active Connections listed as the title. The data will be divided into columns with the column headers of Proto, Local Address, Foreign Address, and State. Each connection will have data for each of these columns. The line after that connection’s data will have the application file that made that connection listed in brackets.
Proto = short for Protocol. There will be TCP and UDP protocols listed. TCP and UDP are both Internet protocols. The difference is that TCP has error checking functions that make sure the data sent is received and accurate. UDP doesn't have these error checking functions, but because of that it transfers data faster. UDP is used when error checking isn't as important as speed, such as online gaming or live streaming.
Local Address = This is the IP address assigned to your PC by your router. At the end of the IP address listed is a colon followed by some numbers. These numbers after the IP address are the port number on your PC that is making the connection.
Foreign Address = This is the IP address to the Web site your PC is making a connection to. To find out who this is: Open Google and type in Who is IP Address (where IP address is the address you want to find out who owns that address).
State = Indicates the status of the connection. Here are a few of the more common states and what they mean.
LISTENING – The connection is an open port waiting on a connection request from the Foreign Address listed. Most of the connections with the LISTENING state will have your PC's name listed as the Foreign Address. These are communications within your PC and are necessary and normal. However, a truly foreign address with this state could be malware and warrants investigation as to whom you are connected to. This is a common state for your Anti-Virus software to have for updates.
ESTABLISHED – Indicates the connection is open and receiving data. These need to be checked to see who your PC is downloading from.
FIN_WAIT_1 (or FIN_WAIT_2) – Waiting for a termination request (or confirmation of a termination request) from the Foreign Address. This means the communication has been completed and the connection is awaiting termination. Many Web sites don't want you to leave and thus don't always honor termination requests. The key here is that your PC has been talking to that Foreign Address.
CLOSED - Indicates that the connection has stopped. This does indicate that the connection had been open.
The next line under the protocol, addresses, and state line is the file (application) that made that connection. It will be listed in brackets. To find out about the application, open Google and type in What is Filename (where Filename is the name of the file shown, including the file extension). You will find many sites listing what the file is, what it does, whether you really need it, and if desired how to disable it. An example of how this works: I have a file named wmpnetwk.exe that makes a connection to my own PC. A Google search indicates that the file is part of Windows Media Center. The file sets my PC up to share videos and music on my PC with other devices on my home network. Nice, but I don't use this service. It runs 24/7 and uses my resources to no benefit to me, and as long as I don't want to share videos and music with other devices on my home network it is safe to disable.
That’s how it’s done. Find the file making the connection and let the experts on the Web guide you about what it is and what you should do about it.
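As an added example (this is not part of drcard's post), here is a PowerShell script that reads the talking.txt file the netstat command above produces and does the sorting by hand that the tips describe: it pairs each Proto/Local/Foreign/State line with the [program] line under it, drops connections whose Foreign Address is your own PC or your home network, and then lists, per program, which outside addresses it talked to and in what states. It assumes PowerShell 3.0 or later (Windows 7 ships 2.0 unless updated), the function names are mine, and the sample log embedded below is constructed in the layout netstat -abf writes, not real captured data.

```powershell
# Added example, not from the original post. Assumes PowerShell 3.0+.
# Parses the text produced by:  netstat -abf 5 > talking.txt

function ConvertFrom-NetstatLog {
    param([Parameter(Mandatory)][string[]]$Lines)

    $pending = @()   # connection rows waiting for the [program.exe] line that follows them
    foreach ($line in $Lines) {
        $t = $line.Trim()
        # Connection row: Proto, Local Address, Foreign Address and (TCP only) State
        if ($t -match '^(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?$') {
            $pending += [pscustomobject]@{
                Proto   = $Matches[1]
                Local   = $Matches[2]
                Foreign = $Matches[3]
                State   = if ($Matches[4]) { $Matches[4] } else { '' }   # UDP rows have no state
                Process = ''
            }
        }
        # The bracketed line names the program that owns the rows above it
        elseif ($t -match '^\[(.+)\]$') {
            foreach ($row in $pending) { $row.Process = $Matches[1]; $row }
            $pending = @()
        }
        # netstat prints this instead of a name when it cannot see the owner
        elseif ($t -eq 'Can not obtain ownership information') {
            foreach ($row in $pending) { $row.Process = '(unknown)'; $row }
            $pending = @()
        }
        # Title, column headers and service-name lines (e.g. "RpcSs") carry no connection data
    }
    foreach ($row in $pending) { $row }   # rows at the end of the file with no owner line
}

function Test-LocalPeer {
    # True when the Foreign Address is your own PC or a home-network address,
    # i.e. not a host out on the Internet.
    param([Parameter(Mandatory)][string]$Foreign, [string]$ComputerName = $env:COMPUTERNAME)
    # Drop the port (or service name such as "https") after the last colon; IPv6 peers look like [addr]:port
    if ($Foreign -match '^\[(.+)\]:[^:]+$') { $peer = $Matches[1] } else { $peer = $Foreign -replace ':[^:]*$', '' }
    if ($peer -in @('*', '0.0.0.0', '::', '::1', 'localhost')) { return $true }
    if ($peer -eq $ComputerName) { return $true }                   # netstat -f prints your own PC name
    if ($peer -match '^(127\.|10\.|192\.168\.|169\.254\.|fe80:)') { return $true }
    if ($peer -match '^172\.(1[6-9]|2\d|3[01])\.') { return $true }  # 172.16.0.0/12 private range
    return $false
}

function Get-TalkingSummary {
    # One line per program that talked to an address outside your PC and home network
    param([Parameter(Mandatory)][string[]]$Lines, [string]$ComputerName = $env:COMPUTERNAME)
    ConvertFrom-NetstatLog -Lines $Lines |
        Where-Object { -not (Test-LocalPeer -Foreign $_.Foreign -ComputerName $ComputerName) } |
        Group-Object Process |
        ForEach-Object {
            [pscustomobject]@{
                Process      = $_.Name
                Connections  = $_.Count
                ForeignHosts = ($_.Group | ForEach-Object { $_.Foreign } | Sort-Object -Unique) -join ', '
                States       = ($_.Group | ForEach-Object { $_.State } | Where-Object { $_ } | Sort-Object -Unique) -join ', '
            }
        } | Sort-Object Connections -Descending
}

# Constructed sample in the layout netstat -abf writes (not real captured data)
$sampleLog = @'
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            MYPC:0                 LISTENING
  RpcSs
 [svchost.exe]
  TCP    127.0.0.1:49670        MYPC:49671             ESTABLISHED
 [wmpnetwk.exe]
  TCP    192.168.1.10:49712     example.com:https      ESTABLISHED
 [browser.exe]
  TCP    192.168.1.10:49713     example.com:https      FIN_WAIT_2
 [browser.exe]
  TCP    192.168.1.10:49720     updates.example.net:https  ESTABLISHED
 [updater.exe]
  UDP    0.0.0.0:5355           *:*
 [svchost.exe]
  UDP    192.168.1.10:61234     203.0.113.7:53
  Can not obtain ownership information
'@

Get-TalkingSummary -Lines ($sampleLog -split "`r?`n") -ComputerName 'MYPC' | Format-Table -AutoSize

# On your own capture from step 8 of the post, run this in the folder holding talking.txt:
# Get-TalkingSummary -Lines (Get-Content .\talking.txt) | Format-Table -AutoSize
```

With the sample above, svchost.exe and wmpnetwk.exe drop out because every Foreign Address they use is the PC itself, leaving browser.exe (two connections to example.com, one ESTABLISHED and one FIN_WAIT_2), updater.exe, and one UDP connection whose owner netstat could not name. Those remaining program names are the ones to look up as the post describes; a row marked (unknown) is worth a second capture run as administrator, since that is the usual reason netstat cannot report the owner.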