Windows 10 system traffic

Due to privacy concerns I’m trying to block various system components of Windows 10 from accessing the Internet, while still allowing 3rd party apps to access the Internet. Which seems to be working great with the mandatory Cortana search and things like that. However, I’ve met a problem.
Svchost.exe or at least one of it’s instances, appears to be necessary for the functioning of the Internet connection, so I can’t fully block it. At the same time, several of it’s instances are used by system applications so I can’t really stop them from connecting to the Internet if it’s fully allowed.
Clearly specific ruleset has to be applied, but I’m not sure what. Is it possible to block certain instances of svchost while allowing the others to access the Internet, and also what rules should I apply to svchost and to the system in general ? Is there a way to directly block specific services from accessing the internet while allowing others to function, like the DNS client ?

Rules are applied to applications based on file path, so a block rule for C:\WINDOWS\System32\svchost.exe applies to all instances of svchost running in memory as svchost is only located in the system32 windows directory. You can however, is block based on destination IP address if you can figure out which IP addresses svchost and System use to communicate with Microsoft.

That doesn’t seem reliable, IP addresses change. I want to block specific services from Internet access, so basically Comodo can’t do this ?

Nope, if you block say port 53 for svchost then the dns/rpc client service will fail to do dns lookups which means any application that uses the dns/rpc client service from svchost, those applications will also not be able to perform dns queries.

Any other solution you may think of ?
I obviously don’t want to block the DNS service, but there are unnecessary services that don’t actually need Internet access that run through svchost.exe, and I want to block them without having to actually disable them from services.msc.

Maybe have a look at the outbound rules for Windows firewall with advanced security and look at the rule description to see if they can be blocked? Otherwise you might need to disabled the service using the service control panel.

I made a post here and completely understand the OP’s concern. Unless anyone feels they can explain better I will re post tomorrow with a complete breakdown and exact nature of the point and response. svchost can be controlled on a case by case . . . mainly through custom policy and very high firewall alert level. not to mention the HIPs. I Rambled on over a few paragraphs and deleted it. My explanation was all over the place but none the less correct.


* this is meant for a PC that connects to the internet only. Other services like Home Groups , Remote sharing, and others then would need to have additional rules applied before adding the block all rule .

First set your system application rule under firewall to ask instead of allow. This will produce several new options including svchost. then set your firewall to custom policy and alerts to very high. Allow the connections in the screenshot only (with yes to your bootpc alerts and your DNS servers allow them then create a block all rule for all other connections. The only exception is to change the bottom block rule from block to allow when running window update ( I have updates set to never check - and do the manually about once a week). After the update restore the rule back to block all. The other requests are unnecessary. Probably analytic or system usage data. Of this I cannot be sure but all the same these connections are not required, and good luck finding out why these connections are made. This is from a offline system point of view. When online Akami controls around two thirds of the traffic on the internet so that’s a different story. If the rules applied in the screenshot are applied it makes the redundant requests a non subject and increases your overall privacy. Not to mention the loss of random unknown popup requests.

Certain programs that are trusted files that have been blocked through the firewall can easily connect using various methods to access the internet through svchost bypassing your block rules and phoning home. Just another reason to approach this technique.

This is just to demonstrate the amount of unsolicited connections that are made for apparently no specific reason. At least none that can be justified or explained.

Any feedback to this post are greatly welcome.

[attachment deleted by admin]

Could you give more info about how these rules work ?

Svchost makes tons of background connections to Akami/Microsoft servers even with automatic updates, customer improvment program, and every other service disabled I could imagine or have found that would be the only reasons the connections would be made. As mentioned before I only give svchost full outgoing access when I manually run Windows update.

Explorer.exe is blocked because the only legitimate purpose for it to connect is to verify Digital signatures of which I rely on CIS to handle that.

aepdu.dll - Is the Program Compatibility Wizard of which I have no use. Despite the stated function I feel like it is more for Analytical purposes.

wsclient.dll - Windows Store Licensing Client does not require access for Windows Apps to function. Again I think this is for Analytical purposes.

wsqmcons.exe - is the Customer Experience Improvement Program which still wants internet access even when I have opted out and disabled it.

System is blocked because I have no use for Unicast, Multicast and Broadcast Messages.

I just feel that the transmission of unneeded traffic especially traffic that has the intended purpose of profiling myself and user habits is not anyone’s business. You have users who don’t care about what data they share and then some like me who want control.

  • Of coarse this is just my opinion . Different services and features require their own specific rules to be created under svchost depending on your features and configuration.

Take a look at this .

[attachment deleted by admin]