Suspicious traffic from GWCtlSrv.exe

Guys, need your expert advice here. I am seeing a lot of traffic coming from csmg.lgmobile.com with process name GWCtlSrv.exe (GlassWire control service). Any idea what may be going on?

1 Like

This is the call stack.

Thanks for your report @Mr.T . I pity the fool who tries to get unusual network connections past you.

We will try to recreate this with Process Monitor and I am asking our team about it currently.

GlassWire’s control service does not connect to the LG website and has nothing to do with LG in any way. We’re a US company based in Austin, Texas.

You can actually check this with GlassWire itself. Please see the screenshot above.

In case there is any doubt you can see our privacy policy below.

Why does GlassWire’s desktop software access the network?
GlassWire’s software for desktop computers checks for software updates that may contain important security fixes along with updating its suspicious host list. GlassWire can block itself from accessing the network, however if you do so then you may not know about important software updates and GlassWire may not alert you if you connect to a suspicious host. GlassWire’s Android app does not ever access the network and has no suspicious host feature.

When installing or uninstalling GlassWire’s desktop software, our installer will contact GlassWire.com so we can know how many installs of our software have occurred. This contact sends your software version number, OS version, if you’ve installed GlassWire before, along with an anonymized partial IP address and anonymized machine ID to help us estimate how many users we have.

If you check GlassWire itself do you also see this LG server connection with the GlassWire control service?

Meanwhile I will see what my team finds when we test with the same app you’re using. It will help us determine what’s going on.

Thanks for taking the time to report this.

1 Like

@Mr.T

If you do not have a remote connection to that server via our remote monitoring feature https://www.glasswire.com/userguide/#Remote_Monitoring then you are picking up the local network activity between our GlassWire service (GWCtlSrv.exe) and our UI.

For example, when GlassWire picks up network activity it shows the host name in our UI (user interface). This host name doesn’t go outside your PC; it is just going from our control service executable to our user interface. Those two parts of our application are just communicating back and forth locally on your PC. Nobody can see that communication because it’s just happening on your PC.

Some questions:

  1. Did you try blocking that LG website in your hosts file? If so that could be why 127.0.0.1 (localhost) resolves to that host name.

  2. Can you disable host name resolving temporarily in ProcessMonitor and see if the actual IP address appears?

mrt

2 Likes
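The hosts-file check from question 1, as an added example that is not part of the original thread or GlassWire's code: it lists every non-default host name mapped to a loopback address, since a tool that reverse-resolves 127.0.0.1 can label local traffic with one of those names. The function names, the list of expected names and the sample hosts file are assumptions constructed for illustration.

```python
import ipaddress
import os
import sys

# Names that normally map to loopback and are not worth flagging (assumed list).
EXPECTED = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

def loopback_aliases(hosts_text):
    """Return {loopback_address: [hostnames]} for non-default names in hosts-file text."""
    found = {}
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()      # drop comments, split on whitespace
        if len(fields) < 2:
            continue                               # blank, comment-only or malformed line
        try:
            addr = ipaddress.ip_address(fields[0].split("%", 1)[0])  # ignore any zone id
        except ValueError:
            continue                               # first field is not an IP address
        if not addr.is_loopback:                   # 127.0.0.0/8 or ::1 only
            continue
        names = [n.lower() for n in fields[1:] if n.lower() not in EXPECTED]
        if names:
            found.setdefault(str(addr), []).extend(names)
    return found

def default_hosts_path():
    """Standard hosts-file location for the current OS."""
    if os.name == "nt":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"

# Constructed sample: one block-style entry like the one found in this thread.
SAMPLE = """\
127.0.0.1       localhost
::1             localhost
127.0.0.1       csmg.lgmobile.com   # old block entry
# 127.0.0.1     commented.example.test
192.0.2.10      fileserver.example.test
127.0.0.1 ads.example.test
"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else default_hosts_path()
    with open(path, encoding="utf-8-sig", errors="replace") as fh:  # tolerate a BOM
        for addr, names in loopback_aliases(fh.read()).items():
            print(f"{addr} may be displayed as: {', '.join(names)}")
```

Any name this prints is a candidate for the misleading label; disabling host name resolution in the monitoring tool, as in question 2, confirms whether the real peer is 127.0.0.1.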

You are the man, Ken. There was an entry for LG pointing to 127.0.0.1. Removing that line solved the problem!

Have a happy Friday!

2 Likes

@Mr.T

I would also like to thank you for all the great advice you provided me over the years and we are proud to know you use GlassWire!

1 Like