Windows 8 Phoning home with explorer.exe

Discussion in 'Windows 8' started by mtrai, Sep 22, 2012.

  1. mtrai

    mtrai MDL Addicted

    Apr 24, 2008
    I know I have not ever posted much at all but I have been a long time reader of MDL. Anyhow, I installed an Asus ROG program the other day and was playing around with it this morning and discovered that Windows 8 has a permanent connection to this IP address through TCP and it also starts and stops a UDP connection to the same IP address.

    The IP address is 157.56.149.62 with a port of 443

    This one is through Explorer.exe with a TCP connection


    IP:157.56.98.62 Neighborhood
    Host:bn1wns1011320.wns.windows.com
    Country:United States
    # The following results may also be obtained via:
    # h**p://whois.arin.net/rest/nets;q=157.56.98.62?showDetails=true&showARIN=false&ext=netref2
    #

    NetRange: 157.54.0.0 - 157.60.255.255
    CIDR: 157.60.0.0/16, 157.54.0.0/15, 157.56.0.0/14
    OriginAS: AS8075
    NetName: MSFT-GFS
    NetHandle: NET-157-54-0-0-1
    Parent: NET-157-0-0-0-0
    NetType: Direct Assignment
    Comment: Abuse complaints will only be responded to if sent to abuse @microsoft.com and abuse @msn.com.
    RegDate: 1994-04-28
    Updated: 2010-08-19
    Ref: h**p://whois.arin.net/rest/net/NET-157-54-0-0-1


    OrgName: Mi*rosoft Corp
    OrgId: MSFT
    Address: One Mi*rosoft Way
    City: Redmond
    StateProv: WA
    PostalCode: 98052
    Country: US
    RegDate: 1998-07-10
    Updated: 2011-04-26
    Ref: h**p://whois.arin.net/rest/org/MSFT

    The Whois
    Whois record :
    MarkMonitor is the Global Leader in Online Brand Protection.


    Domain Management
    MarkMonitor Brand Protection™
    MarkMonitor AntiPiracy™
    MarkMonitor AntiFraud™
    Professional and Managed Services
    Visit MarkMonitor at w*w.markmonitor.com



    The UDP starts and stops and is 157.56.149.60 with a port 3544

    All the IP info and Whois is the same for the UDP connection.

    This got me a little concerned that Windows 8 is doing this. Anyone able to shed some light on this? Thoughts?
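
An added example, not part of the original post or thread: a small triage script that checks observed remote endpoints against the three CIDR blocks in the ARIN record quoted above and labels the two ports the post mentions. The `netstat -ano` sample is constructed, the port meanings are general knowledge rather than something the thread states, and the function names are hypothetical.

```python
import ipaddress

# CIDR blocks copied from the ARIN record quoted in the post (NetName MSFT-GFS).
MSFT_GFS = [ipaddress.ip_network(c)
            for c in ("157.60.0.0/16", "157.54.0.0/15", "157.56.0.0/14")]

# Registered port uses (general knowledge, not stated in the thread).
PORT_NOTES = {("TCP", 443): "HTTPS (TLS)", ("UDP", 3544): "Teredo IPv6 tunnelling"}

# Constructed sample in `netstat -ano` layout; local addresses and PIDs are made up.
SAMPLE = """\
  TCP    192.168.1.20:49172     157.56.149.62:443      ESTABLISHED     2104
  TCP    192.168.1.20:49180     198.51.100.7:80        ESTABLISHED     3320
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       780
  UDP    192.168.1.20:61234     *:*                                    1048
"""

def classify(proto, ip, port):
    """Return (in_msft_gfs, port_note) for one remote endpoint."""
    addr = ipaddress.ip_address(ip)
    in_block = any(addr in net for net in MSFT_GFS)
    return in_block, PORT_NOTES.get((proto.upper(), port), "unlisted")

def triage(netstat_text):
    """Parse netstat -ano lines; skip listeners and UDP rows with no remote peer."""
    rows = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        host, _, port = parts[2].rpartition(":")
        if host in ("*", "0.0.0.0", "[::]", ""):
            continue  # no remote peer recorded on this row
        host = host.strip("[]")  # IPv6 literals are bracketed in netstat output
        in_block, note = classify(parts[0], host, int(port))
        rows.append({"proto": parts[0], "remote": host, "port": int(port),
                     "pid": int(parts[-1]), "msft_gfs": in_block, "note": note})
    return rows

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
    # The UDP endpoint from the post, classified directly.
    print(classify("UDP", "157.56.149.60", 3544))
```

The PID column is what ties a row back to a process such as explorer.exe; `tasklist /FI "PID eq 2104"` resolves it on the machine where netstat was run.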
     
  2. Kronz

    Kronz MDL Novice

    Aug 27, 2011
    Yeah, Windows 8 does that. It will try to connect to MS to validate its activation whenever it can, and DAZ is working to establish when exactly it does it and how it does it, so it can be disabled.
     
  3. Agret

    Agret MDL Novice

    Aug 6, 2012
    Which ASUS Rog program?
     
  4. free1975yuly

    free1975yuly MDL Expert

    Aug 24, 2011
    Here I cannot see these issues... Maybe the reason is that I use a local account...? :confused:
     
  5. sausuke

    sausuke MDL Novice

    Sep 15, 2012
    Are Windows Explorer and this the same?
     
  6. NTAuthority

    NTAuthority MDL Novice

    Dec 20, 2007
    Most likely the connection used to test for internet connectivity and whether to show the little exclamation point icon on the 'Network' icon in the taskbar. Stop being paranoid. explorer.exe most likely doesn't perform activation checks.
     
  7. night.fox

    night.fox MDL Member

    Sep 21, 2009
    Actually I think it does perform activation checks.... I have a Win 8 which I already use as a main OS.... Every time I restart my Win 8, my activation date always changes to the current date or the day I start or restart my computer. My Win 8 Enterprise was phone activated last August.... and it never changed, but I found out at the start of October that every day the activation information changes to the current date. Take note... ONLY when I restart and/or boot from shutdown and when I am connected to the internet..... PROBABLY though... that I set my Windows Update settings to download and notify me instead of just installing updates automatically. I changed the settings since last week I got this browser choice update, about which I read before that when you install this update there is somehow a problem uninstalling it....
     
  8. CorporateRAT

    CorporateRAT MDL Member

    Aug 4, 2012
    Actually OP is right. MarkProtection anti piracy software is integrated in windows 8 code, and it sends data to MS. In my case it is sent through https and data is encrypted.
     
  9. anarchist9027

    anarchist9027 MDL Expert

    Oct 30, 2010
    Well I guess now it's only a matter of time before Microsoft disables the data.dat trick...
     
  10. Heidegger

    Heidegger MDL Member

    Mar 17, 2008
    It's more likely SmartScreen. I notice Wsclient.dll (Windows Store Client) also connects on a regular basis, although that might have something to do with Start apps updating.
     
  11. Apok

    Apok MDL Novice

    Jul 1, 2007
    So it's basically spyware....
    Can we block this connection without blocking updates?
    I have my router blocking ad servers via DNS poisoning, redirecting them to a mini web server (pixelserv) which serves a single transparent pixel. So if it's always the same hostname or set of hostnames, I can just add them to my router's list.
     
  12. Zettadox

    Zettadox MDL Novice

    Aug 21, 2012
    Add this to your host file, I'd imagine it will work unless I'm missing something here. :eek:
    "127.0.0.1 157.56.149.62"