
What do Microsoft and NCSI have in common?

NCSI is part of Microsoft Vista. It's also part of Windows 7. Michael Kassner explains what NCSI does and why you might choose to turn it off.

I have a friend who is brilliant--almost a complete alphabet after her name. She also likes to mess with my head--not that difficult. One of her ploys is asking about acronyms and initialisms.

For example, the other day Shelley asked if I knew what NCSI meant. Right from the start, I knew something was up. Still, I fell for it. I guessed, "Naval Criminal Investigative Service?"

"No, I'm serious. The NCSI Microsoft uses." She went on to explain, "I was experimenting with Wireshark and accidentally captured an exchange between my computer and Microsoft."

"Details," I said, now interested.

It seems Shelley wanted to look at the packet exchange during a network-connection startup--the TCP handshake. Unexpectedly, she found a packet with the following URL in the payload:

http://www.msftncsi.com/ncsi.txt

And, the response from MSFT (MS's stock symbol):

"Microsoft NCSI".

I entered the URL into my web browser and sure enough, Microsoft NCSI popped up. Shelley knew very well that I couldn't let this go, now.

What is NCSI?

Enough drama. NCSI stands for Network Connectivity Status Indicator. It is part of what Microsoft calls Network Awareness. Microsoft designed Network Awareness to provide network-connectivity information to services and applications running on Windows Vista and Windows 7.

I'll bet you're familiar with:

Ever wonder how Microsoft knows whether the computer is connected locally or not, and if it has an Internet connection? Thank Network Awareness, specifically NCSI. It is hard at work providing information on:

  • Connectivity to an intranet.
  • Connectivity to the Internet (Including the ability to send a DNS query and obtain the correct resolution of a DNS name).

How?

I found out how NCSI works by reading this Super User Community blog. Network Awareness checks the following at the beginning of each network connection:

"NCSI performs a DNS lookup on www.msftncsi.com. It then requests http://www.msftncsi.com/ncsi.txt. This file is a plain-text file containing the phrase 'Microsoft NCSI'."

If everything goes well, NCSI receives a 200 OK response header with the proper text.

The above exchange is what Shelley found during her packet sniffing. Actually, that is the only way one could find out it was happening. We can see the results though, by clicking on the networking symbol in the lower right corner of the screen:

No text file or redirected

If the querying computer does not receive the ncsi.txt, or there is a redirect, NCSI will try the following (Super User Community blog):

"NCSI sends a DNS lookup request for dns.msftncsi.com. This address should resolve to 131.107.255.255. If the address does not match, then it is assumed the Internet connection is not functioning correctly."

Windows will then display that fact in both Network Properties and the pop-up display.

Next question

Have you ever seen this pop up?

Creepy. How does the operating system know that?

Network Awareness checks one more thing. If the lookup for dns.msftncsi.com resolves correctly, but the web page still does not show, Network Awareness makes the following assumption: a web-browser authentication page is blocking access. That's when the pop-up balloon makes its entry.
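The three checks described above can be written as one decision function. This is an added example, not Microsoft's code or anything from the Super User blog; the state labels, the function names and the whitespace-tolerant comparison are assumptions, while the URL, the DNS name and the expected address come from the article.

```python
import socket
import urllib.error
import urllib.request

PROBE_URL = "http://www.msftncsi.com/ncsi.txt"   # from the article
PROBE_BODY = "Microsoft NCSI"                    # from the article
DNS_NAME = "dns.msftncsi.com"                    # from the article
DNS_EXPECTED = "131.107.255.255"                 # from the article


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report a redirect as an HTTP error instead of following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(http_status, http_body, resolve):
    """Apply the article's decision steps; the state labels are this example's own."""
    # Assumption: surrounding whitespace in the body is ignored.
    if http_status == 200 and (http_body or "").strip() == PROBE_BODY:
        return "internet"
    # The fallback only runs when the text file is missing, wrong, or redirected.
    if resolve(DNS_NAME) != DNS_EXPECTED:
        return "no_internet"
    # DNS answers correctly but the page does not: assume a login page is in the way.
    return "captive_portal"


def system_resolve(name):
    """Resolve a name with the system resolver; None if the lookup fails."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def fetch_probe(timeout=5.0):
    """Return (status, body); (None, None) if the request could not be made."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(PROBE_URL, timeout=timeout) as resp:
            return resp.status, resp.read(256).decode("ascii", "replace")
    except urllib.error.HTTPError as exc:   # 3xx, 4xx, 5xx
        return exc.code, None
    except OSError:                         # DNS failure, timeout, refused
        return None, None


if __name__ == "__main__":
    status, body = fetch_probe()
    print(classify(status, body, system_resolve))
```

A login page that answers 200 with its own HTML is handled by the body comparison: the status alone is not enough to report Internet access.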

Not something you want happening

As one of those security nuts, I immediately was concerned about what other information Microsoft might be gathering during the packet exchange. The TechNet webpage describing NCSI mentions:

"IIS logs are stored on the server at www.msftncsi.com. These logs contain the time of each access and the IP address recorded for that access. These IP addresses are not used to identify users."

If you are uncomfortable with Network Awareness, you can disable it in the registry (from Super User Blog):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet

Under the Internet key, double-click EnableActiveProbing, and then in Value data, type: 0. The default for this value is 1. Setting the value to 0 prevents NCSI from connecting to a site on the Internet during checks for connectivity.

Alternatively, the Super User blog suggests building your own NCSI server. The web site has all the details. (Warning: Please be careful if you start altering registry keys, however. Make sure you have a reliable backup of your system in case you make a mistake.)


46 comments
dennis97519

Ha. That's why my web browser goes to that site after login to a wifi network.

dennisc443

This kept popping up and just being very annoying.. Finally got tired of it and put the www.msftncsi.com in the Google Search and found you guys.. Makes sense to me and will fix per your instructions.. Please note, I have a Windows 8 machine a few months old and it is doing VISTA things.. GADZOOKS, is MS ever going to know to let loose of yesteryear? Why not have MS figure out that the "dirty" response that puts up a screen that says: "Duh, I am stuck and can't get out" And if I can find and repair the item, why can't they? I did not finish High School, I did not take technical training.. But my brother (long departed) was a high level trainer at several places and the advice he gave me when I made a query about the Commodore 64 was basic common sense, throw the manual away and start bashing keys, you'll figure it out. This from a guy that couldn't ride a bike without crashing because he would start thinking of a problem and forget he was on the bike.. Smart sometimes indicates WEIRD.. Thank you for someone coming up with how to change the Registry.. On my way downstairs to edit it.... ;)

Michael Horowitz

Just after booting a Win7 64bit machine, I did an "ipconfig /displaydns" command. If any DNS lookups had been done they should show up here. The only entry was cr-tools.clients.google.com. My guess is that this has to do with Chrome looking for updates at startup time. There was no reference to msftncsi.com. To make sure the machine was online I did a "ping yahoo.com" then another display of the DNS. This time, there were also entries for update.microsoft.com, but still nothing for msftncsi.com. It seems that that domain is not being referenced on this machine. I do try to run a clean ship and may have disabled a service that caused the usage of msftncsi.com. I always disable a bunch of services, but didn't keep a good record of the ones disabled on this machine.

david.hunt

Well, I thought that was a useful tip and worthy of adding to my batch script for fixing various embuggerments in the Registry, until I decided to look for it. In the Key path listed in the article, there is no "Internet" branch. Further, a search for "EnableActiveProbing" in CurrentControlSet finds nothing. By the way, I don't get any "Internet" or "Local only" messages either :-) After login, when I connect to the Internet (by plugging in my Android phone and enabling Tethering), all that happens is the Network icon in the System Tray goes from looking normal to the little rotating circle overlaid on it, then to a yellow triangle with an exclamation mark and a few seconds later back to normal. At that point I know that I should have connectivity. The brief period with the exclamation mark is due to the phone being a bit slow to provide an IP via DHCP.

Michael Horowitz

Rather than modify the registry, what if we modified the Hosts file to, in effect, disable the msftncsi.com site? Specifically, resolve each to 127.0.0.1 with these two entries:

127.0.0.1 www.msftncsi.com
127.0.0.1 dns.msftncsi.com

By the way, ip2location confirms that the IP address you mentioned is MSFT: http://www.ip2location.com/131.107.255.255

Gis Bun

What is the downside if NCSI is disabled? [i.e. does it affect anything?]

dayen

Good idea, maybe gone terribly wrong, or useless apps. Pray it's not Microsoft getting into the spyware business. I will try turning it off. Thank you very much for the info.

el.baby

The whole purpose of this is checking connectivity? And it is even easy to subvert if you have control of the router (given that the IP is fixed). The "page" is not even encrypted with ssl!

tekman2

Is this the same as the Network Location Awareness service? If so, we can just disable this.

ian

Thank you for this, and because I did not know about NCSI, it now begs the question: do I need NCSI at all, and if so, how do I build my own NCSI server? Great article.

pgit

Thanks for the registry hack. I'd always wanted to shut this critter off but no search would give me pertinent data. There's a couple other critters that seem hard to kill, like win vista and 7 firing up multicast to play a game of marco-polo with someone. I have seen this traverse a firewall that wasn't blocking any onside-originated traffic, which of course I changed post haste. If you ever run across any info on what win7 is doing with multicast transactions enabled by default, please pass it along. I have also searched for this extensively and per some instructions went through the arduous task of disabling all multicast, both in and out with the host's advanced firewall settings. Talk about major PITA. I found some info on what services to shut down to prevent this but none of those suggestions ever worked. Maybe you could ask Shelley about this for us? Sounds like she's the go-to on this sort of thing. Thanks for bending her ear on our behalf! And thank her for the great info... you two might consider doing a podcast together, ala security now! The rapport would no doubt be entertaining as well as informative. :D

LocoLobo

Are there side-effects or network connectivity issues doing this with the MS OSes?
