Windows 8 Phoning home with explorer.exe

Discussion in 'Windows 8' started by mtrai, Sep 22, 2012.

  1. mtrai

    mtrai MDL Addicted

    Apr 24, 2008
    I know I have not ever posted much at all but I have been a long time reader of MDL. Anyhow, I installed an Asus Rog program the other day and was playing around with it this morning and discovered that Windows 8 has a permanent connection to this IP address through TCP and it also starts and stops a UDP connection to the same IP address.

    The IP address is with a port of 443

    This one is through Explorer.exe with a TCP connection

    IP: Neighborhood
    Country:United States
    # The following results may also be obtained via:
    # h**p://;q=

    NetRange: -
    OriginAS: AS8075
    NetName: MSFT-GFS
    NetHandle: NET-157-54-0-0-1
    Parent: NET-157-0-0-0-0
    NetType: Direct Assignment
    Comment: Abuse complaints will only be responded to if sent to abuse[ and abuse
    RegDate: 1994-04-28
    Updated: 2010-08-19
    Ref: h**p://

    OrgName: Microsoft Corp
    OrgId: MSFT
    Address: One Microsoft Way
    City: Redmond
    StateProv: WA
    PostalCode: 98052
    Country: US
    RegDate: 1998-07-10
    Updated: 2011-04-26
    Ref: h**p://

    The Whois
    Whois record :
    MarkMonitor is the Global Leader in Online Brand Protection.

    Domain Management
    MarkMonitor Brand Protection™
    MarkMonitor AntiPiracy™
    MarkMonitor AntiFraud™
    Professional and Managed Services
    Visit MarkMonitor at w*

    The UDP starts and stops and is with a port 3544

    All the IP info and Whois is the same for the UDP connection.

    This got me a little concerned that Windows 8 is doing this. Anyone able to shed some light on this? Thoughts?
  2. Kronz

    Kronz MDL Novice

    Aug 27, 2011
    Yeah, Windows 8 does that. It will try to connect to MS to validate its activation whenever it can, and DAZ is working to establish when exactly it does it and how it does it, so it can be disabled.
  3. Agret

    Agret MDL Novice

    Aug 6, 2012
    Which ASUS Rog program?
  4. free1975yuly

    free1975yuly MDL Expert

    Aug 24, 2011
    Here I cannot see these issues... Maybe the reason is that I use a local account...?
  5. sausuke

    sausuke MDL Novice

    Sep 15, 2012
    Are Windows Explorer and this the same?
  6. NTAuthority

    NTAuthority MDL Novice

    Dec 20, 2007
    Most likely the connection used to test for internet connectivity and whether to show the little exclamation point icon on the 'Network' icon in the taskbar. Stop being paranoid. explorer.exe most likely doesn't perform activation checks.
  7. MDL Member

    Sep 21, 2009
    Actually I think it does perform activation checks... I have a Win 8 which I already use as a main OS... Every time I restart my Win 8, my activation date always changes to the current date, or the day I start or restart my computer. My Win 8 Enterprise was phone activated last August... and it never changed, but I found out at the start of October that every day the activation information changes to the current date. Take note... ONLY when I restart or boot from shutdown and when I am connected to the internet... PROBABLY though... that I set my Windows Update settings to download and notify me instead of just installing updates automatically. I changed the settings since last week I got this browser choice update, about which I read before that when you install this update there is somehow a problem uninstalling it...
  8. CorporateRAT

    CorporateRAT MDL Member

    Aug 4, 2012
    Actually OP is right. MarkProtection anti piracy software is integrated in Windows 8 code, and it sends data to MS. In my case it is sent through HTTPS and the data is encrypted.
  9. anarchist9027

    anarchist9027 MDL Expert

    Oct 30, 2010
    Well I guess now it's only a matter of time before Microsoft disables the data.dat trick...
  10. Heidegger

    Heidegger MDL Member

    Mar 17, 2008
    It's more likely SmartScreen. I notice Wsclient.dll (Windows Store Client) also connects on a regular basis, although that might have something to do with Start apps updating.
  11. Apok

    Apok MDL Novice

    Jul 1, 2007
    So it's basically spyware....
    Can we block this connection without blocking updates?
    I have my router blocking ad servers via DNS poisoning, redirecting them to a mini web server (pixelserv) which serves a single transparent pixel. So if it's always the same hostname or set of hostnames, I can just add them to my router's list.
  12. Zettadox

    Zettadox MDL Novice

    Aug 21, 2012
    Add this to your host file. I'd imagine it will work unless I'm missing something here.