"system" process connecting too many hosts

#1

Hi there,

I have an app called “system” connecting to many different hosts but sending and receiving only a few bytes. Is this some Windows process that checks connections or something? There is no info about the app location etc. visible.

Does anyone know what it could be?

#2

@Espresso

This appears to be normal Windows behavior. Some GlassWire users have asked GlassWire to show more details about what’s behind the Windows “System” and we are investigating how to do this in the future.

Meanwhile, this is how Windows works and it’s not recommended that you block the Windows “System”.

1 Like

#3

Thanks! Was a bit scared since it showed no info whatsoever. Thanks for clarifying.

1 Like

#4

I presume this is “normal”, but why?

I can see in GlassWire that the majority of connections made by “System” show the traffic type as “NetBIOS Name Service”.

So far that makes sense to me, but only as far as my private network addresses go.

The question that remains for me is, why is it normal for most of this “NetBIOS Name Service” traffic that I see to be going to public IP addresses??? 200+ counted so far today…

This is the best explanation that I could find regarding this name service:
https://wiki.wireshark.org/NetBIOS/NBNS

Inquiring minds just want to know! :wink:

#5

There are several topics on this. Most of us don’t need NetBIOS running:

2 Likes

#6

Hey thanks for the reminder!

I remember seeing that last year, and as a result I had disabled NetBIOS over TCP/IP for my Wi-Fi adapter. I assumed that would be all of it.

Never really followed up like I should have, because I just discovered that the network adapter installed by my VPN service also has a similar set of advanced TCP/IP settings. I checked that and discovered it was still set to default. Yikes! I just set NetBIOS over TCP/IP to disabled in there also.

I have my VPN set to launch and connect at boot, so those settings must override the network settings for my Wi-Fi adapter.

2 Likes

#7

If the connections are to external IPs, chances are that is not normal. I don’t have any Allow rules for System processes talking out to the internet. I am pretty restrictive with my rules. What port is it for? Are you on a “shared” network, like one for an office? What is the name of the process (like “NetBIOS Name Service”)? Only a few bytes could be suspicious or totally normal based on what the traffic is. If it is to external IPs, do a WHOIS on those IPs, figure out where they are in the world… if a lot of them belong to China or Russia or the Middle East or Africa (meaning 80% or more belong to one of those regions) then it is possible you have malware that is beaconing out to a control server. I mention those regions because most malware doesn’t phone home to the US or western Europe or many “first-world” countries for that matter.

Anyway, hope this helps.

#8

It seems to connect to hosts that are related to programs I use and websites I visit. That’s why I think it has to do with the way Windows handles connections or something. Since it’s basically every host from other programs.

#9

I also use a WiFi adapter so it might be that.

#10

Just turn off NetBIOS over TCP/IP for each installed adapter. Look in advanced settings for TCP/IPv4 properties on each adapter.

That eliminated all of the “System” connections using “NetBIOS Name Service” on my system.
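
The per-adapter setting described in this post (and the VPN adapter left at its default in #6) can also be checked from PowerShell. This is an added example, not part of the original thread; the `-Disable` switch name is an assumption of the example, and changing the setting requires an elevated prompt.

```powershell
# Added example: report NetBIOS over TCP/IP for every IP-enabled adapter,
# including virtual ones such as a VPN adapter.
# TcpipNetbiosOptions: 0 = default (DHCP decides), 1 = enabled, 2 = disabled.
param([switch]$Disable)   # hypothetical switch; without it the script only reports

$labels = @{ 0 = 'Default (DHCP decides)'; 1 = 'Enabled'; 2 = 'Disabled' }

$adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration `
                            -Filter 'IPEnabled = TRUE'

foreach ($a in $adapters) {
    # One report row per adapter, showing the current setting.
    [pscustomobject]@{
        Index     = $a.Index
        Adapter   = $a.Description
        IPAddress = ($a.IPAddress -join ', ')
        NetBIOS   = $labels[[int]$a.TcpipNetbiosOptions]
    }

    if ($Disable -and $a.TcpipNetbiosOptions -ne 2) {
        # Same change as the "Disable NetBIOS over TCP/IP" radio button
        # under TCP/IPv4 > Advanced > WINS.
        $r = Invoke-CimMethod -InputObject $a -MethodName SetTcpipNetbios `
                              -Arguments @{ TcpipNetbiosOptions = [uint32]2 }
        # ReturnValue 0 = success, 1 = success but a reboot is required.
        Write-Host ("  -> disabled on '{0}' (return code {1})" -f `
                    $a.Description, $r.ReturnValue)
    }
}

# Verification: the NetBIOS Name Service listens on UDP 137, owned by
# PID 4 (System). With NetBIOS disabled on all adapters this should be empty.
Get-NetUDPEndpoint -LocalPort 137 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

Run it once without `-Disable` to see which adapters still have the setting at default or enabled, then again with `-Disable` to change them.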

#11

The System process knows the IP addresses Windows is communicating with.

GlassWire shows no information for the System program file. But you can see the program name and location in process managers like Windows Task Manager or Microsoft’s Sysinternals Process Explorer.

Here’s an example using Task Manager: You can see that System is the program ntoskrnl.exe. The name abbreviates “Windows NT Operating System Kernel” which is the core program that is Windows. That’s why it is involved with a lot of what you do.

1 Like