Hi all,
I’ve set up a win7 machine, encountered the same problem as other members already reported and I’m unable to solve it.
As seen in the attached image, at connection I have a multicast on port 5355. I found the PID of the svchost.exe responsible. The services involved are: NlaSvc, CryptSvc, DNS cache, Lanmanworkstation. None of them must be disabled.
My router is the same as previously, and my XP machines don’t have this problem. During the multicast attempts, I can enter the router without problem and it recognizes the PC. I’m at a loss.
Second problem, at startup there is an attempt to connect to
213.199.181.90 ==> Microsoft
92.242.144.50 ==> Barefruit
Services involved: Event System, Netprofm, nsi, winHttpAutoProxySvc, wdiServiceHost.
The first 3 must not be disabled. I’ve disabled the last 2 to no avail.
Besides these 2 services, I’ve disabled as many services as possible.
Any idea to solve this would be welcome.
Thanks in advance.
Boris
The multicast to 224.0.0.252 - also ff02::1:3 over IPv6 - is LLMNR or Link Local Multicast Name Resolution. This is a standard feature of Windows 7. It’s basically link-local DNS.
The connection to Microsoft is probably related to the connected networks capability; have you disabled netprofm? Barefruit is a company used by Comodo - and others - for their DNS landing page, so it’s probably something to do with that. For these last two, you can disable Comodo DNS and see the results for Barefruit, but for the MS connection, your best bet is Wireshark.
Cheers Radaghast,
I forgot to mention that it is win7 Pro, I don’t know if it could make a difference.
I’ve from time to time maintained (installation/update of software) win7 machines of acquaintances and didn’t notice the multicast stuff. But true enough, CFW was in safe mode. On my machine it is in custom mode with restricted rules for svchost.exe (DNS, DHCP and NTP only), so I was alerted to the multicast.
As I also have IGMP multicast, I’ve disabled Windows Media Center and uninstalled Microsoft Sync Framework, but the IGMP remains.
I’ve turned the problem up & down, searched a clue in win7 parameter options to no avail. Hence I think I’ll have to live with this multicast annoyance and make a rule to allow it.
No, I haven’t disabled it.
As you suggested, I reverted to my ISP DNS, but it doesn’t make a difference.
The connection to MS is related to an update process though Windows Update is disabled in Control Panel and even in services. Certificates updates? Is it independent of Windows update?
No difference, it’s part of the base OS
I've from time to time maintained (installation/update of software) win7 machines of acquaintances and didn't notice the multicast stuff. But true enough, CFW was in safe mode. On my machine it is in custom mode with restricted rules for svchost.exe (DNS, DHCP and NTP only), so I was alerted to the multicast.
You’ll find it’s not restricted to svchost. Because of this, I have a rule for the ‘All Applications’ group that allows UDP Out to 224.0.0.252/ff02::1:3 - 5355 at the top of the list of Application rules. It’s not ideal but it’s better than having a duplicate rule for many different processes.
In case you didn’t know, LLMNR works hand in hand with Network Discovery and is very useful for resolving standard host names on the local link.
As I also have IGMP multicast, I've disabled Windows Media Center and uninstalled Microsoft Sync Framework, but the IGMP remains.
I’ve turned the problem up & down, searched a clue in win7 parameter options to no avail. Hence I think I’ll have to live with this multicast annoyance and make a rule to allow it.
No, I haven’t disabled it.
What’s the multicast address?
As you suggested, I reverted to my ISP DNS, but it doesn't make a difference.
It’s quite possible your ISP also uses Barefruit, lots do. If it’s happening every time you boot, you can use dumpcap - part of wireshark - to create a packet dump at boot.
The connection to MS is related to an update process though Windows Update is disabled in Control Panel and even in services. Certificates updates? Is it independent of Windows update?
There are typically two types of certificate checks performed by the OS: one uses svchost and one uses explorer. The svchost-initiated check is part of Windows Update and is used to update the root store. The explorer process is for checking the validity of a digitally signed application. In your earlier post you mentioned several services you thought associated with the instance of svchost involved in the connection, but this is not the same instance of svchost used for certificate checking. That’s a job for CryptSvc, which shares a svchost with LanmanWorkstation and NlaSvc. Again, try dumpcap.
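Since "try dumpcap" comes up twice in this reply, here is a worked version of that advice as an added example (not code from the original thread or from Wireshark): a scheduled task that runs dumpcap for the first two minutes after boot, so the LLMNR, IGMP and Microsoft connections are all in one file. It assumes Wireshark is installed in its default folder, that the capture driver (WinPcap on Windows 7) is set to start automatically at boot, and that interface number 1 from `dumpcap -D` is the LAN adapter; the task name `BootCapture` and the output folder `C:\captures` are my own choices.

```powershell
# Added example, not from the original thread: capture boot-time traffic with dumpcap.
# Assumptions: default Wireshark install path, capture driver starts at boot,
# interface 1 is the LAN adapter. Run from an elevated PowerShell prompt.
$Dumpcap = 'C:\Program Files\Wireshark\dumpcap.exe'   # assumed install location
$OutDir  = 'C:\captures'                               # chosen output folder

# Step 1: list capture interfaces and note the number of the LAN adapter.
& $Dumpcap -D

function Register-BootCapture {
    param([int]$Interface = 1, [int]$Seconds = 120)
    if (-not (Test-Path $OutDir)) {
        New-Item -ItemType Directory -Path $OutDir | Out-Null
    }
    # -a duration:N stops dumpcap after N seconds; -w writes a pcapng Wireshark opens directly.
    # The \" sequences survive PowerShell's argument quoting so schtasks sees the inner quotes
    # around the path, which contains a space.
    $cmd = "\`"$Dumpcap\`" -i $Interface -a duration:$Seconds -w $OutDir\boot.pcapng"
    schtasks /Create /F /TN 'BootCapture' /SC ONSTART /RU SYSTEM /TR $cmd
}

function Unregister-BootCapture {
    # Remove the task once the capture has been collected.
    schtasks /Delete /F /TN 'BootCapture'
}

Register-BootCapture -Interface 1 -Seconds 120
# After the next reboot, open C:\captures\boot.pcapng in Wireshark and filter with e.g.
#   udp.port == 5355 || igmp || ip.addr == 213.199.181.90
# to see the LLMNR queries, the IGMP membership report and the Microsoft connection in order.
```

Running the task as SYSTEM means the capture starts before any user logs on, which is the window the connections in this thread fall into; delete the task afterwards so the machine does not keep writing captures on every boot.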
As you said it is part of the OS, I’ll have to live with the multicast ;D
I’ve found in http://sourcedaddy.com/windows-7/understanding-unicast-addresses.html some explanation of the multicast
Computers running Windows 7 and Windows Vista listen by default for multicast LLMNR traffic
Because link-local addresses are assigned to interfaces using IPv6 address autoconfiguration, link-local addresses in IPv6 correspond to Automatic Private IP Addressing (APIPA) addresses used in IPv4 (which are assigned from the address range 169.254.0.0/16).
The IGMP multicast address is 224.0.0.22 in FW’s log.
I’ll install wireshark on this computer and follow your advice.
Thanks a lot Radaghast for your help, explanations and advice.
Boris
You can disable LLMNR, although I don’t really see the point, as it’s only working on the local subnet:
- Open Network and Sharing Centre
- Open Change Advanced Sharing Settings
- Disable Network Discovery
- Open Regedit
- Go to - HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient
- Set - EnableMulticast = 0
- Reboot
The IGMP multicast address is 224.0.0.22 in FW's log.
This is another subnet multicast. This is a Group Membership Report. Basically it’s letting your router know it’s there. See RFC 3376. You’ll find the System process also uses these, for the same reason.
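The Network Discovery and Regedit steps above, as an added example that is not part of the original post: a few PowerShell functions that show whether the `EnableMulticast` policy value is set, set it, undo it, and list what is still bound to UDP 5355. Only the registry path and value name come from the post; the function names and the netstat check are my own. The registry step takes effect after a reboot, and it is separate from the Network Discovery setting. Beyond the annoyance discussed here, turning LLMNR off is a common hardening step, because LLMNR answers are not authenticated and any host on the same link can reply to a query.

```powershell
# Added example, not from the original thread. Run from an elevated PowerShell prompt.
# Registry path and value name are the ones given in the post above.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

function Get-LlmnrState {
    # 'Disabled' when EnableMulticast is 0; 'Enabled' otherwise, including when
    # the value is absent, which is the Windows default.
    $item = Get-ItemProperty -Path $PolicyKey -Name 'EnableMulticast' -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.EnableMulticast -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Disable-Llmnr {
    # The Policies key does not exist on a machine that has never had this policy applied.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name 'EnableMulticast' -PropertyType DWord -Value 0 -Force | Out-Null
}

function Enable-Llmnr {
    # Removing the policy value restores the default behaviour after a reboot.
    Remove-ItemProperty -Path $PolicyKey -Name 'EnableMulticast' -ErrorAction SilentlyContinue
}

function Get-LlmnrListeners {
    # netstat is available on Windows 7, where Get-NetUDPEndpoint is not.
    # Matches both the IPv4 (0.0.0.0:5355) and IPv6 ([::]:5355) bindings.
    netstat -ano -p UDP | Select-String ':5355\s'
}

Get-LlmnrState
Get-LlmnrListeners
Disable-Llmnr
Get-LlmnrState   # reports 'Disabled'; the listener disappears only after the reboot
```

Because the value lives under `Policies`, a domain Group Policy that sets LLMNR will overwrite whatever is written here at the next policy refresh, so on a domain-joined machine the change belongs in the GPO rather than in the local registry.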
You’re right. With age, I think I’m becoming excessively cautious. :-\
I’ve made a capture with Wireshark and the sequence is as follows:
DHCP request
ARP broadcast through APIPA address
DHCP request & ack
IGMP broadcast with v3 membership report
HTTP connection to 213.199.181.90
finally DNS server
213.199.181.90 is msftncsi.com = ncwncsi.glddns.microsoft.com = ncsi.glbd.microsoft.com
This connection is in fact requested by the OS to check the connectivity; if the connection fails, the tray icon for the connection gets a yellow cross. Hence it is Microsoft pinging home to check the connectivity.
It can be found under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet
Well, I think this post could be marked solved. What was upsetting me is finally a normal behavior with win7, hence nothing to worry about. I thought something was messed up with my installation, now I’m reassured. Moreover you gave me a workaround to definitively turn off LLMNR if I become too annoyed with it.
Thanks again
Glad you’ve worked out the detail 