
Working on a Windows 7 system that has network traffic very locked down. The system is not running any servers. Besides Windows itself, and an antivirus tool, it does not have any software that automatically performs internet activity.

After the system is booted or returned from a sleep state, I'm sometimes receiving notifications of attempted outgoing port 53 (DNS) traffic.

The traffic is coming from Host Process for Windows Services (svchost.exe), which at the time of the traffic is running one of the following groups of services:

  1. Appinfo,EapHost,gpsvc,IKEEXT,iphlpsvc,LanmanServer,MMCSS,ProfSvc,Schedule,SENS,ShellHWDetection,Themes,Winmgmt,wuauserv
  2. EventSystem,fdPHost,FontCache,netprofm,nsi,WdiServiceHost,WinHttpAutoProxySvc

For each of those 2 groups, which are the most likely services that are actually sending the port 53 traffic?


Edit: After writing this question, I found: Is there a way to determine which service (in svchost.exe) does an outgoing connection?

It was missing a tag, so it didn't appear in any of my searches. (To help others, I just added a tag to it.)

I can likely use the techniques described in that answer to eventually figure this out, but as this is a sporadic issue, if anyone already knows the answer to this question, they will save me a bunch of time by answering it. Thanks!

  • Seems odd that any of them would cause this traffic, since usually it's the job of the Dnscache service to handle all DNS requests... Commented Mar 16, 2020 at 7:50
  • @user1686 I agree. But at least one service from group #1 and at least one service from group #2 is trying to send out packets on port 53, according to the logs. Commented Mar 16, 2020 at 9:44
