
SANS ISC: When Windows 10 Comes to Life: The First Few Minutes in the Life of a Windows 10 System - SANS Internet Storm Center

When Windows 10 Comes to Life: The First Few Minutes in the Life of a Windows 10 System

We often get emails from readers stating that they feel their system is compromised, even though they "do nothing". Most of the time, our response is "that's normal". Indeed, most modern operating systems, not just Windows, generate a lot of network traffic without any user activity. But I found little documentation about what exactly to expect from a "normal" Windows 10 system. So I ran a quick experiment:

Microsoft offers a number of free virtual machines. I picked the "Microsoft Edge Windows 10 (x64) Stable 1809" image. I went this route because, first, it makes the experiment more reproducible, and second, these virtual machines do not include additional software, so you see only the default Windows 10 behavior. These systems also ship in a default configuration.

The initial plan was to record only the first boot, but I discarded this quickly: after 5 minutes I had a few hundred MBytes of traffic as Windows first downloaded a lot of updates (including VMware Tools). So I modified my plan: I let the system run for about an hour until all updates were applied, then rebooted it a couple more times to make sure it didn't download additional updates. Finally, I recorded the first few minutes after a reboot.

You can find the raw packet capture at . I am using the PCAPNG format as I started adding comments to some of the packets. But here are the basic features:

I recorded 87 seconds. During that time, I captured 531 packets and 196 kBytes: 20 DNS requests and responses, 18 TCP connections and 30 UDP connections. My host communicated with 18 other IPv4 hosts (there was no significant IPv6 traffic, as the network didn't support IPv6).

Here is the short summary of the pcap:

IP address of the system:
MAC Address: 00:0c:29:1f:55:7b
Hostname: MSEDGEWIN10

The system was configured to log in automatically. I did not open a browser window and did not interact with the system beyond powering it on.

Here are some of the main features of the pcap:

  • Initially, the operating system configures itself (IPv6 router solicitations, DHCPv6 and DHCPv4).
  • The operating system tries to configure a proxy via WPAD a couple of times.
  • Content for tiles (e.g. Weather) is downloaded in the clear.
  • There are TLS connections to Bing and, likely for more content.
  • Connections to canonicalizer.ucsuri.tcs, which is part of Microsoft's "SmartScreen" anti-malware feature.
  • Microsoft's geolocation service.
  • Additional systems for things like Microsoft's login features.

There was also a DNS lookup for puppet.localdomain. I am not sure whether Windows is looking for a Puppet server here for configuration files.
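As an added example (not part of the diary or its capture), the following Python builds a few constructed Ethernet/IPv4 frames that mimic this kind of idle traffic and then summarises them the way the diary does: packet and byte counts, peers, DNS names, TCP/UDP conversation counts, plus the two behaviours worth a second look on any baseline (WPAD lookups and plain-HTTP connections). All addresses, ports and the sample names are constructed; only the classification logic is meant for reuse, for example over frames read from a real pcap.

```python
import socket
import struct
def frame(proto, src, dst, sport, dport, payload=b""):
    """Constructed Ethernet/IPv4 frame with a minimal UDP (17) or TCP SYN (6) header; checksums left zero."""
    l4 = (struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) if proto == 17
          else struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4 + payload
def dns_query(name):  # constructed DNS A query: 12-byte header, one question, no label compression
    q = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + q + b"\x00\x01\x00\x01"
HOST = "192.0.2.10"  # constructed address standing in for the idle Windows 10 VM
SAMPLE_FRAMES = [    # constructed, not the diary's capture: WPAD lookup, TLS to Bing, tiles over HTTP
    frame(17, HOST, "192.0.2.1", 51000, 53, dns_query("wpad.localdomain")),
    frame(6, HOST, "198.51.100.5", 49700, 443),
    frame(6, HOST, "198.51.100.7", 49701, 80),
    frame(17, HOST, "192.0.2.1", 51002, 53, dns_query("puppet.localdomain")),
]
def dns_qname(msg):
    """First question name of a DNS message (queries carry no label compression)."""
    labels, pos = [], 12
    while pos < len(msg) and msg[pos]:
        labels.append(msg[pos + 1:pos + 1 + msg[pos]].decode("ascii", "replace"))
        pos += 1 + msg[pos]
    return ".".join(labels)

def summarize(frames, host):
    """Baseline an idle host: volume, peers, DNS names, connection counts and behaviours worth a second look."""
    s = {"packets": 0, "bytes": 0, "peers": set(), "tcp_conns": 0, "udp_conns": set(),
         "dns": [], "wpad_lookups": 0, "port80_conns": 0}
    for pkt in frames:
        s["packets"], s["bytes"] = s["packets"] + 1, s["bytes"] + len(pkt)
        if pkt[12:14] != b"\x08\x00":
            continue                                      # ARP/IPv6 are counted but not decoded here
        ihl, proto = (pkt[14] & 0x0F) * 4, pkt[23]
        src, dst = socket.inet_ntoa(pkt[26:30]), socket.inet_ntoa(pkt[30:34])
        s["peers"].add(dst if src == host else src)
        l4 = pkt[14 + ihl:]
        sport, dport = struct.unpack("!HH", l4[:4])
        if proto == 17:                                   # UDP: one conversation per endpoint pair
            s["udp_conns"].add(frozenset({(src, sport), (dst, dport)}))
            if dport == 53:
                name = dns_qname(l4[8:])
                s["dns"].append(name)
                s["wpad_lookups"] += name.lower().startswith("wpad.")
        elif proto == 6 and (l4[13] & 0x12) == 0x02:      # TCP: each client SYN (no ACK) is one connection
            s["tcp_conns"] += 1
            s["port80_conns"] += dport == 80              # plain HTTP, e.g. tile content downloaded in the clear
    return s
```

Running `summarize(SAMPLE_FRAMES, HOST)` on the constructed frames reports 4 packets, 3 peers, 2 TCP and 2 UDP conversations, one WPAD lookup and one port-80 connection; a WPAD lookup that suddenly resolves, or a new peer that is not in the baseline, is what to look for when comparing a suspect host against this kind of profile.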

See anything I missed? 

Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute



ISC Handler, Apr 12th 2019

This is a great read and should be done for all major OSes: Mac, Ubuntu, LinuxMint, and so on. With this, one could quickly check for reference.
