OT: Windows difficulties

I run Win-10 in a VM to do software testing, which in this instance involved starting and configuring an email client under Windows, which would then communicate with a minimalist POP3/SMTP server I have on another machine. After trying and essentially failing with Windows Mail, I then installed Claws Mail which played nicely with the server software, and, along with Thunderbird under Linux, was useful in showing up a couple of errors I'd made in implementing the server. So far so good.

However:

Running Windows Mail or possibly the so-called upcoming Outlook which replaces it, appears to have installed some secret background process or other which sprays non-standard rubbish towards the server whose address/port-numbers I'd entered previously. This happens about every 5-10 mins or so. This effect survives a restart.

Any pointers as to what this hidden process might be, or how I persuade it to cease and desist permanently?

Reply to
Tim Streater

Kick out anything Microsoft. Could it be some kind of proprietary authentication code that servers not configured to use it just ignore?

Brian

Reply to
Brian Gaff

Can you check which services are running, and see if any of them relate to email?

Reply to
Fredxx

First thing would be to find out what process is doing it. That might be as simple as opening a command prompt with admin rights, and running "netstat -ab" that will list all active connections, and also the binary that is responsible for the endpoint.

Looking at things added to the PC startup might also help. If you look here:

formatting link
autoruns64.exe will show every conceivable way something can be automatically started at boot.

formatting link
tcpview does what netstat does but with a GUI and it also presents far more information.

formatting link
Then you could move to use wireshark to capture the traffic - the packet analysis may give clues.

Or, since it is a VM, do you have a previous snapshot you can revert it to?

Reply to
John Rumm

I run Winmail from several versions ago on Windows 10 quite successfully; I am sending this on the newsgroups in Winmail.

Reply to
sid

Seems I'm not posh enough to be allowed to run this, admin user though I may be (according to the Settings). I'm told that 'The required operation requires elevation'.

This showed a pile of stuff, nothing particularly recognisable. However, while looking through my account settings I noticed the email account I'd set up under Mail/Outlook, which had a setting for syncing email. So I removed that account and that may have suppressed the noise. I'll keep an eye on it.

Thanks for the f/b.

Reply to
Tim Streater

Sysinternals Process Monitor now includes network capture, so you may be able to correlate packets sprayed with some process activity. If it turns out to be a SVCHOST for example, you open a terminal and do "tasklist /svc" and get a list of services that way. You need that list, as it has the PID numbers of each SVCHOST; Procmon by itself will not tell you what service you've recorded, but the PID can be compared to the tasklist, which does have names.

In the old days, WinXP Pro supported "tasklist /svc" whereas WinXP Home did not. The command might work in any Win10 SKU at the moment.

The new Outlook is some kind of scraper. The description so far, it does not strike me as a "first choice" to replace, say, Mail.App which was also a scraper.

In this picture, I made life difficult for myself by using a Windows 7 VM for the test, as not every Process Monitor runs in there now. The newest Process Monitor versions are for W10/W11 kind of thing. I had to use an older version, perhaps downloaded from archive.org. The version is shown in the picture. The ZIP for PCATTCP network test came from here... This is my test donkey, spraying a bit of traffic for the capture purposes.

formatting link
You start a receiver process and it waits and listens for the transmitter. The transmitter sends 16MB of packets, as a short test of network speed. This serves as a fake network scenario that needs debugging, and is captured in Process Monitor and displayed.

[Picture] Some basic debug using Process Monitor and donkey PCATTCP0114 as demo

formatting link
Traces captured in Process Monitor are "complete". The filter allows filtering out the noise in the trace, so you can concentrate on the topic at hand. But the trace is not really complete, unless you also do a "tasklist /svc" and record the identities of the SVCHOST for later correlation during analysis. That's so you can identify "potential" system processes sending network traffic. Only if a SVCHOST has just exactly "one thing inside it", have you got the thing "dead to rights". When 15 things live inside a SVCHOST, you don't know which one did it. There is a procedure for arranging the services, so there is one per SVCHOST, so you can actually modify the environment a bit, for better debug.

You can split it out into its own service by running:

"sc config <service> type= own"

And revert it via

"sc config <service> type= share"

In this case, we would type this in command prompt.

sc config wuauserv type= own    <=== putting Windows Update inside a private SVCHOST

A laborious way to label the lot.

Paul

Reply to
Paul
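The two posts above (John Rumm's "netstat -ab" suggestion and Paul's point about correlating PIDs with "tasklist /svc") describe a manual join that is easy to script. The following is an added example, not code from anyone in the thread. It parses the text that `netstat -ano` and `tasklist /svc` print on Windows (both are real commands; the sample output below is constructed, not a real capture), joins each connection to the owning image and its hosted services, and flags a svchost.exe that hosts several services as ambiguous, which is exactly the case where Paul's `sc config <service> type= own` trick is needed before you can name the culprit. Note that netstat reports PID 0 for sockets that have already closed (TIME_WAIT), which tasklist maps to "System Idle Process"; the script carries that through rather than hiding it.

```python
"""Join `netstat -ano` endpoints to `tasklist /svc` service names (added example).

Run both commands from an elevated prompt on the Windows host, save their
output, and pass the text to correlate(). The samples below are constructed.
"""
import re

# Constructed sample of `netstat -ano` output (not a real capture).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.56.10:49702    192.168.56.20:110      ESTABLISHED     1204
  TCP    192.168.56.10:49710    192.168.56.20:25       TIME_WAIT       0
  TCP    192.168.56.10:49811    52.96.0.1:443          ESTABLISHED     3120
  UDP    0.0.0.0:5353           *:*                                    1788
"""

# Constructed sample of `tasklist /svc` output (not a real capture).
TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                   1204 BrokerInfrastructure, DcomLaunch, Power,
                                   SystemEventsBroker
svchost.exe                   1788 Dnscache
HxTsr.exe                     3120 N/A
"""


def parse_netstat(text):
    """Return one dict per TCP/UDP row of `netstat -ano` output."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, foreign, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, foreign, pid = parts
            state = ""  # UDP rows have no State column
        else:
            continue  # unexpected layout; skip rather than guess
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": int(pid)})
    return rows


_TASK_RE = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+(?P<svcs>.*)$")


def _split_services(s):
    names = [n.strip() for n in s.strip().split(",")]
    return [n for n in names if n and n != "N/A"]


def parse_tasklist(text):
    """Return {pid: (image_name, [service, ...])} from `tasklist /svc` output."""
    procs, last_pid, in_body = {}, None, False
    for line in text.splitlines():
        if line.startswith("===="):
            in_body = True  # everything after the separator is data
            continue
        if not in_body or not line.strip():
            continue
        if line[0].isspace() and last_pid is not None:
            # Wrapped continuation line: more service names for the previous PID.
            procs[last_pid][1].extend(_split_services(line))
            continue
        m = _TASK_RE.match(line.rstrip())
        if not m:
            continue
        last_pid = int(m.group("pid"))
        procs[last_pid] = (m.group("image"), _split_services(m.group("svcs")))
    return procs


def correlate(netstat_text, tasklist_text, server_host=None):
    """Join each connection to its owning image and services.

    If server_host is given, only rows whose foreign address is that host are
    kept. A svchost.exe hosting more than one service is marked ambiguous: the
    PID alone cannot tell you which service opened the socket.
    """
    procs = parse_tasklist(tasklist_text)
    out = []
    for row in parse_netstat(netstat_text):
        host = row["foreign"].rsplit(":", 1)[0]  # also handles [::1]:port
        if server_host and host != server_host:
            continue
        image, services = procs.get(row["pid"], ("<unknown>", []))
        out.append({**row, "image": image, "services": services,
                    "ambiguous": image.lower() == "svchost.exe" and len(services) > 1})
    return out


if __name__ == "__main__":
    # Constructed server address matching the sample data above.
    for r in correlate(NETSTAT_SAMPLE, TASKLIST_SAMPLE, "192.168.56.20"):
        flag = " (ambiguous: split with sc config <svc> type= own)" if r["ambiguous"] else ""
        print(f'{r["proto"]} -> {r["foreign"]} {r["state"]} pid={r["pid"]} '
              f'{r["image"]} {r["services"]}{flag}')
```

Running it with `server_host` set to your POP3/SMTP box lists only the traffic you care about; leave it unset to see every socket, which is where an unrelated listener like the UDP 5353 row shows up. Because the join is done on the saved text, you can capture netstat and tasklist within a few seconds of each other and analyse later, the way Paul suggests recording the SVCHOST identities alongside a Procmon trace.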

Yup that is normal - even an admin user will run with bog standard user privilege most of the time. If you attempt to use the privilege the user activation control popup will interrupt and make you acknowledge that you are intentionally invoking admin privileges.

So with a command prompt you need to search for it first (type CMD at the Windows menu - it will find "Command Prompt"), then right click on that and select "Run as administrator". At that point UAC might pop up to get you to confirm.

Reply to
John Rumm

Be warned that by default the UAC prompt actually appears on a "console" screen. This is OK if you are at the console but means it's not available via RDP.

I first discovered this when I was remotely supporting users and unable to perform admin actions because the prompt for credentials was only visible to the user.

You need some group policy-fu to fix that one.

Reply to
Jethro_uk

I was able to run netstat by right-clicking on Powershell in the task bar as you suggest. There is now nothing in netstat's list that has a connection to the server, so I guess removing the account did it. The noise stopped once I did that and hasn't resumed.

Reply to
Tim Streater

Yup, that can be a PITA! Fortunately the prompt times out if left for a minute or so and you can get control back.

The remote control software I use (ScreenConnect) has an option where you can pre-load the credentials of an admin user (and test them) before the event. Then when UAC pops up you can use the option to send those credentials to it.

Or look in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System for a key called EnableUIADesktopToggle and set that to 1.

Then the UAC will pop up on the user's console.

Reply to
John Rumm

Good :-)

TBH, I did not mention powershell - only command prompt - but most stuff that works in the command prompt will also work in powershell (the reverse, most certainly not!)

Reply to
John Rumm
