Ntoskrnl.exe hosts showing up in other countries

When I go to Usage - Host - +102 more hosts and scroll down, I notice some of the locations for ntoskrnl.exe are in the Russian Federation and China. However, most are in the US. Is this normal?

Thanks,
Best,
Carl

@cascoli

We made this page about Ntoskrnl.exe, and if it’s safe, and what it usually connects to.

On my PC I usually only see Ntoskrnl.exe connecting to local devices but I guess it could depend on what software you have installed on your PC.

Some software may connect to content delivery networks and in that case it could connect to servers all over the world, including China, Russia, Hong Kong, etc…

Is anyone else seeing the NT Kernel & System in your GlassWire firewall connecting to places outside your local network?

Funny you should ask. This one’s been perplexing since I first noticed it showing up in GW which is I can’t remember when and it hurts my head to think about it. It’s something Windows does, out of my control, and if anything malicious creeps in via that vector, my layered security scheme (which includes GW) will nab it. Anyhow…

The composite screen shot below shows four of the five systems I use.

Top: Windows 10 Pro 1909
An ASRock i9-9900K/Z390 system built in February. Runs 10-12 hours a day. The insert shows the three google connections that are always there after bringing up the system every morning.

Mid-left: Windows 10 Pro 20H2
An Asus E8400/G35 system built in 2008 running Win10 since a Tech Preview clean install in OCT 2014, removed from Slow Ring in 2016. Runs monthly for Windows Update and occasionally for testing stuff.

Mid-right: Windows 7 Home
An i5-2430 laptop in service since 2011. Pretty much unused for the last three years but lately for my HDTV to view some HBO Max content as Roku can’t seem to join the rest of the planet to close the deal with Warner and update its legacy HBO app.

Bottom: Windows 10 Home 20H1
A Dell i3-6100/H110 in service since 2016. Scheduled to turn on daily for 35 minutes as a NAS for an incremental backup of the ASRock system. Powered up for monthly updates and occasional copy of backup data to an external drive.

For another Windows 7 Home system, an i7-3770K/Z77, a showing for “NT Kernel & System” does not exist. So, no screen shot. This was my primary system since built in 2012, replaced by the ASRock.

All systems have been running GW since “day one” as the free version. Updated over time through paid versions, now Elite.

Methinks a bit more than “some.” :wink:

1 Like

I usually only find the kernel communicating with local network addresses using Netbios protocol. But, as much as I can, I switch off location, tracking and OS/app statistics services.

1 Like
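One way to get the raw data behind GlassWire's "NT Kernel & System" row is to ask Windows directly which sockets the System process (PID 4, the process that hosts ntoskrnl.exe) owns and whether each remote peer is inside local scope. This is an added example, not code from the thread or from GlassWire; the function names are my own, and it assumes the NetTCPIP and DnsClient PowerShell modules that ship with Windows 8 and later.

```powershell
# Added example (not from the thread or GlassWire). Lists the TCP connections
# and UDP bindings owned by the System process (PID 4 = "NT Kernel & System")
# and flags any remote peer outside loopback, link-local, multicast or private
# (RFC 1918 / unique-local) ranges. Needs the NetTCPIP module (Windows 8+).

function Test-LocalScopeAddress {
    param([Parameter(Mandatory)][string]$Ip)
    $Ip = $Ip -replace '%\d+$', ''        # drop IPv6 zone index, e.g. fe80::1%12
    if ($Ip -in @('0.0.0.0', '::', '127.0.0.1', '::1', '255.255.255.255')) { return $true }
    return [bool](
        $Ip -match '^10\.' -or
        $Ip -match '^192\.168\.' -or
        $Ip -match '^172\.(1[6-9]|2\d|3[01])\.' -or
        $Ip -match '^169\.254\.' -or
        $Ip -match '^(22[4-9]|23\d)\.' -or   # IPv4 multicast (SSDP, mDNS, WS-Discovery)
        $Ip -match '^fe80:' -or
        $Ip -match '^ff' -or                 # IPv6 multicast
        $Ip -match '^f[cd]')                 # IPv6 unique-local
}

function Get-SystemProcessPeers {
    # TCP: one row per non-listening connection owned by PID 4
    $tcp = Get-NetTCPConnection -OwningProcess 4 -ErrorAction SilentlyContinue |
        Where-Object { $_.State -ne 'Listen' } |
        ForEach-Object {
            [pscustomobject]@{
                Proto      = 'TCP'
                LocalPort  = $_.LocalPort
                Remote     = $_.RemoteAddress
                RemotePort = $_.RemotePort   # 445 = SMB client; 80/443 often http.sys
                State      = $_.State
                LocalScope = Test-LocalScopeAddress $_.RemoteAddress
            }
        }
    # UDP: the kernel reports only bound ports, no peer (137/138 = NetBIOS, 3702 = WS-Discovery)
    $udp = Get-NetUDPEndpoint -OwningProcess 4 -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Proto='UDP'; LocalPort=$_.LocalPort; Remote='-'; RemotePort='-'; State='Bound'; LocalScope=$true }
        }
    @($tcp) + @($udp)
}

$peers = Get-SystemProcessPeers
$peers | Sort-Object LocalScope, Remote | Format-Table -AutoSize

# Peers outside local scope get a reverse lookup so you can match them against GlassWire's host list
$peers | Where-Object { -not $_.LocalScope } | ForEach-Object {
    $ptr = Resolve-DnsName -Name $_.Remote -Type PTR -ErrorAction SilentlyContinue
    '{0}:{1} -> {2}' -f $_.Remote, $_.RemotePort, ($ptr.NameHost -join ',')
}
```

Run it while GlassWire shows the suspicious host active; a snapshot taken later may miss short-lived connections, so repeat it or run it on a schedule if the host only appears briefly.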

@dallas7

That’s interesting. Do you ever make use of your Windows host file to block certain hosts?

I just checked my own Ntoskrnl.exe again and I only see local traffic.

Not in about 20 or so years. My hosts files are the # rich default on all systems.

Just for the day? Try from JAN 01 to today, please.

2 Likes

@dallas7

I just checked for the entire month and only saw local connections so far. I’m using a new machine so that’s why it’s not for a longer history. It’s Windows 10 Pro using WiFi.

I thought perhaps you had blocked some domains with your host file and maybe your local host was resolving as Google somehow.

Do you use Google DNS?

No on Google DNS. Cloudflare DoH in Firefox and Opera. All boxes are system Cloud9 DNS. Router is default, Cox ISP.

Thanks for checking your month-long spread. Anyone else on the team having system(s) more than a month old?

Congrats on the new machine BTW; new machines are nice. Like getting a new car. Almost.

At this point, it can be evident that the answer to OP’s question is, “We can’t seem to know what is normal for the NT Kernel & System data presented.”

I captured another screenie for November which simplifies things as the thirty or so traffic types found with a year-long span were the result of apps that spent a short time on my system. And ten tossed in when installing the driver for my LAN printer, the BRN30055C9ED22D host.

This is exactly the kind of value GW brings to the table. Those types active for which there is traffic I don’t find necessary or weird, I look into.

Except for that “Other” one.

I understand your focus on the hosts and DNS but I believe there is more to this.

Note that all my ntoskrnl.exe traffic occurs with “Other.”

The only Other I’ve ID’d to date is FTP on the LAN only for my nightly incremental backups (hence the considerable outgoing metric) and occasional file transfers with FreeCommander.

The Other traffic type needs to be examined by the GW team; as it stands it has little value. Especially to engage discovery for the behavior of ntoskrnl.exe as found by cascoli and myself, though he or she failed to provide much detail.

Cheers.

1 Like

I’ve been using Nirsoft’s NetworkTrafficView for several days and it seems some of the “Other” I’m seeing in GW is ICMP traffic.

Did you allow ICMP with Windows firewall? If not then it’s probably not ICMP because I think ICMP may be blocked by default.

Depends on what you mean by ICMP.

I’ve never intentionally changed any of Windows’ core networking protocols. Especially as buried in core networking rules are bunches of out-of-way stuff like this, presented generically by Xing out values:

Enabled: Yes
Direction: In
Profiles: Domain,Private,Public
Grouping: Core Networking
LocalIP: Any
RemoteIP: Any
Protocol: ICMPv4
Type Code
X X
Edge traversal: No
Action: Allow

On that subject, these GW rules (and two for ICMPv6) exist on my system:

Enabled: Yes
Direction: Out
Profiles: Domain,Private,Public
Grouping: GlassWire
LocalIP: Any
RemoteIP: Any
Protocol: ICMPv4
Type Code
Any Any
Edge traversal: No
Action: Allow
Rule Name: {GlassWire.in.protocol_1.profile_1.mode_2}

Enabled: Yes
Direction: In
Profiles: Domain,Private,Public
Grouping: GlassWire
LocalIP: Any
RemoteIP: Any
Protocol: ICMPv4
Type Code
Any Any
Edge traversal: No
Action: Allow
Rule Name: {GlassWire.out.protocol_0.profile_1.mode_2}

Spaces and tabs pasted here from Notepad are removed; you’ll just have to imagine how that text is formatted.

My point is that ICMP traffic is reported as “other” in GW, although there might not be much that can or will be done about it.

Anyhow, this topic merely lingers without purpose or worth along with a similar thread, “BT Kernel & System traffic.” I’m done with it.

Seems your question, “Is anyone else seeing the NT Kernel & System in your GlassWire firewall connecting to places outside your local network?” didn’t need answering.

Cheers.

1 Like
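The netsh rule dumps above can be reproduced in a form that is easier to filter by pulling the ICMPv4/ICMPv6 rules straight from the Windows Firewall, grouped the way netsh prints them ("Core Networking", "GlassWire"), which answers the "is ICMP blocked by default?" question for a given box. This is an added example, not code from the thread or from GlassWire; the function name is my own, and it assumes the NetSecurity PowerShell module that ships with Windows 8 and later.

```powershell
# Added example (not from the thread or GlassWire). Enumerates every Windows
# Firewall rule whose protocol is ICMPv4 or ICMPv6, with group, direction,
# profile, ICMP type/code and enabled state, so the allowed ICMP on this box
# can be compared with GlassWire's "Other" traffic. Needs the NetSecurity module.

function Get-IcmpFirewallRules {
    param(
        [ValidateSet('Inbound', 'Outbound', 'Any')][string]$Direction = 'Any',
        [switch]$EnabledOnly
    )
    Get-NetFirewallRule | ForEach-Object {
        $rule = $_
        if ($EnabledOnly -and $rule.Enabled -ne 'True') { return }
        if ($Direction -ne 'Any' -and $rule.Direction -ne $Direction) { return }
        $pf = $rule | Get-NetFirewallPortFilter        # protocol, ports, ICMP type live here
        if ($pf.Protocol -notin @('ICMPv4', 'ICMPv6')) { return }
        $af = $rule | Get-NetFirewallAddressFilter     # LocalIP / RemoteIP scope
        [pscustomobject]@{
            Group     = $rule.DisplayGroup
            Name      = $rule.DisplayName
            RuleName  = $rule.Name                     # the {GlassWire.in.protocol_1...} style id
            Direction = $rule.Direction
            Profile   = $rule.Profile
            Action    = $rule.Action
            Enabled   = $rule.Enabled
            Protocol  = $pf.Protocol
            IcmpType  = $pf.IcmpType                   # 'Any', a type ('8' = echo request) or 'type:code'
            RemoteIP  = $af.RemoteAddress
        }
    }
}

# Everything ICMP that is currently allowed, grouped the way netsh shows it
$allowed = Get-IcmpFirewallRules -EnabledOnly | Where-Object { $_.Action -eq 'Allow' }
$allowed | Sort-Object Group, Direction, Protocol |
    Format-Table Group, Name, Direction, Profile, Protocol, IcmpType, RemoteIP -AutoSize

# Quick answer to "is inbound echo request (ping) allowed on this box, and by which rule?"
$allowed | Where-Object {
    $_.Direction -eq 'Inbound' -and $_.Protocol -eq 'ICMPv4' -and
    ($_.IcmpType -eq 'Any' -or $_.IcmpType -match '^8(:|$)')
} | Select-Object Group, Name, Profile, RemoteIP
```

Querying the port filter for every rule takes a while on a machine with hundreds of rules; restrict with -Direction Inbound if you only care about what the outside can send you.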