What do Microsoft and NCSI have in common?

NCSI is part of Microsoft Vista. It's also part of Windows 7. Michael Kassner explains what NCSI does and why you might choose to turn it off.

I have a friend who is brilliant--almost a complete alphabet after her name. She also likes to mess with my head--not that difficult. One of her ploys is asking about acronyms and initialisms.

For example, the other day Shelley asked if I knew what NCSI meant. Right from the start, I knew something was up. Still, I fell for it. I guessed, "Naval Criminal Investigative Service?"

"No, I'm serious. The NCSI Microsoft uses." She went on to explain, "I was experimenting with Wireshark and accidentally captured an exchange between my computer and Microsoft."

"Details," I said, now interested.

It seems Shelley wanted to look at the packet exchange during a network-connection startup--the TCP handshake. Unexpectedly, she found a packet with the following URL in the payload:

http://www.msftncsi.com/ncsi.txt

And, the response from MSFT (MS's stock symbol):

"Microsoft NCSI".

I entered the URL into my web browser and sure enough, Microsoft NCSI popped up. Shelley knew very well that I couldn't let this go, now.

What is NCSI?

Enough drama. NCSI stands for Network Connectivity Status Indicator. It is part of what Microsoft calls Network Awareness. Microsoft designed Network Awareness to provide network-connectivity information to services and applications running on Windows Vista and Windows 7.

I'll bet you're familiar with:

Ever wonder how Microsoft knows whether the computer is connected locally or not, and if it has an Internet connection? Thank Network Awareness, specifically NCSI. It is hard at work providing information on:

  • Connectivity to an intranet.
  • Connectivity to the Internet (Including the ability to send a DNS query and obtain the correct resolution of a DNS name).

How?

I found out how NCSI works by reading this Super User Community blog. Network Awareness checks the following at the beginning of each network connection:

"NCSI performs a DNS lookup on www.msftncsi.com. It then requests http://www.msftncsi.com/ncsi.txt. This file is a plain-text file containing the phrase 'Microsoft NCSI'.

If everything goes well, NCSI receives a 200 OK response header with the proper text.

The above exchange is what Shelley found during her packet sniffing. Actually, that is the only way one could find out it was happening. We can see the results though, by clicking on the networking symbol in the lower right corner of the screen:

No text file or redirected

If the querying computer does not receive the ncsi.txt, or there is a redirect, NCSI will try the following (Super User Community blog):

"NCSI sends a DNS lookup request for dns.msftncsi.com. This address should resolve to 131.107.255.255. If the address does not match, then it is assumed the Internet connection is not functioning correctly."

Windows will then display that fact in both Network Properties and the pop-up display.

Next question

Have you ever seen this pop up?

Creepy. How does the operating system know that?

Network Awareness checks one more thing. If the lookup for dns.msftncsi.com resolves correctly, but the web page still does not show, Network Awareness makes the following assumption: a web-browser authentication page is blocking access. That's when the pop-up balloon makes its entry.
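
The check sequence described above can be written out as a short decision procedure. The following Python is an added example, not code from Microsoft or the Super User blog; the function names and the three status labels are assumptions made for illustration, while the URL, file text, DNS name and expected address are the ones quoted in this article.

```python
"""Added example: the NCSI check sequence as described in this article."""
import http.client
import socket
import urllib.error
import urllib.request

# Values quoted in the article.
PROBE_URL = "http://www.msftncsi.com/ncsi.txt"
PROBE_TEXT = "Microsoft NCSI"
DNS_NAME = "dns.msftncsi.com"
DNS_EXPECTED = "131.107.255.255"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow 3xx responses so a redirect counts as a failed probe."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError for the 3xx response


def http_probe(url=PROBE_URL, timeout=5):
    """Return (status, body) for the probe URL, or None if nothing came back."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.read(256).decode("ascii", "replace")
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx answers
        return err.code, ""
    except (urllib.error.URLError, http.client.HTTPException, OSError):
        return None


def dns_probe(name=DNS_NAME):
    """Return the IPv4 address the name resolves to, or None on failure."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def ncsi_status(http_fn=http_probe, dns_fn=dns_probe):
    """Apply the article's three-way decision. The status labels are our own."""
    result = http_fn()
    if result is not None:
        status, body = result
        # Assumption: surrounding whitespace in the body is ignored.
        if status == 200 and body.strip() == PROBE_TEXT:
            return "internet"
    # No file, wrong content, or a redirect: fall back to the DNS check.
    if dns_fn() != DNS_EXPECTED:
        return "no-internet"
    # DNS answer is right but the page is not: assume a login page intercepts.
    return "authentication-page"


if __name__ == "__main__":
    print(ncsi_status())
```

The two probe functions are passed in as parameters so the decision logic can be exercised with canned answers, without touching the network.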

Not something you want happening

As one of those security nuts, I immediately was concerned about what other information Microsoft might be gathering during the packet exchange. The TechNet webpage describing NCSI mentions:

"IIS logs are stored on the server at www.msftncsi.com. These logs contain the time of each access and the IP address recorded for that access. These IP addresses are not used to identify users."

If you are uncomfortable with Network Awareness, you can disable it in the registry (from Super User Blog):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet

Under the Internet key, double-click EnableActiveProbing, and then in Value data, type: 0. The default for this value is 1. Setting the value to 0 prevents NCSI from connecting to a site on the Internet during checks for connectivity.

Alternatively, the Super User blog suggests building your own NCSI server. The web site has all the details. (Warning: Please be careful if you start altering registry keys, however. Make sure you have a reliable backup of your system in case you make a mistake.)

45 comments
dennisc443

This kept popping up and just being very annoying.. Finally got tired of it and put the www.msftncsi.com in the Google Search and found you guys.. Makes sense to me and will fix per your instructions.. Please note, I have a Windows 8 machine a few months old and it is doing VISTA things.. GADZOOKS, is MS ever going to know to let loose of yesteryear? Why not have MS figure out that the "dirty" response that puts up a screen that says: "Duh, I am stuck and can't get out" And if I can find and repair the item, why can't they? I did not finish High School, I did not take technical training.. But my brother (long departed) was a high level trainer at several places and the advice he gave me when I made a query about the Commodore 64 was basic common sense, throw the manual away and start bashing keys, you'll figure it out. This from a guy that couldn't ride a bike without crashing because he would start thinking of a problem and forget he was on the bike.. Smart sometimes indicates WEIRD.. Thank you for someone coming up with how to change the Registry.. On my way downstairs to edit it.... ;)

Michael Horowitz

Just after booting a Win7 64bit machine, I did an "ipconfig /displaydns" command. If any DNS lookups had been done they should show up here. The only entry was cr-tools.clients.google.com My guess is that this has to do with Chrome looking for updates at startup time. There was no reference to msftncsi.com. To make sure the machine was online I did a "ping yahoo.com" then another display of the DNS. This time, there were also entries for update.microsoft.com, but still nothing for msftncsi.com. It seems that that domain is not being referenced on this machine. I do try to run a clean ship and may have disabled a service that caused the usage of msftncsi.com. I always disable a bunch of services, but didn't keep a good record of the ones disabled on this machine.

david.hunt

Well, I thought that was a useful tip and worthy of adding to my batch script for fixing various embuggerments in the Registry, until I decided to look for it. In the Key path listed in the article, there is no "Internet" branch. Further a search for "EnableActiveProbing" in CurrentControlSet finds nothing. By the way, I don't get any "Internet" or "Local only" messages either :-) After login, when I connect to the Internet (by plugging in my Android phone and enabling Tethering), all that happens is the Network icon in the System Tray goes from looking normal to the little rotating circle overlayed on it, then to a yellow triangle with an exclamation mark and a few seconds later back to normal. At that point I know that I should have connectivity. The brief period with the exclamation mark is due to the phone being a bit slow to provide an IP via DHCP.

Michael Horowitz

Rather than modify the registry, what if we modified the Hosts file to, in effect, disable the msftncsi.com site? Specifically, resolve each to 127.0.0.1 with these two entries:

127.0.0.1 www.msftncsi.com
127.0.0.1 dns.msftncsi.com

By the way, ip2location confirms that the IP address you mentioned is MSFT: http://www.ip2location.com/131.107.255.255

Gis Bun

What is the downside if NCSI is disabled? [i.e. does it affect anything?]

dayen

Good idea maybe gone terrible wrong or useless apps pray it not Microsoft getting into the spyware business I will try turning it off thank you very much for the info

el.baby

The whole purpose of this is checking connectivity? and it is even easy to subvert if you have control of the router (given that the IP is fixed). The "page" is not even encrypted with ssl!

tekman2

Is this the same as the Network Location Awareness service? if so, we can just disable this.

ian

Thank you for this and because I did not know about NCSI, now begs the question Do I need NCSI at all and if so, how do I build my own NCSI server? Great article

pgit

Thanks for the registry hack. I'd always wanted to shut this critter off but no search would give me pertinent data. There's a couple other critters that seem hard to kill, like win vista and 7 firing up multicast to play a game of marco-polo with someone. I have seen this traverse a firewall that wasn't blocking any inside-originated traffic, which of course I changed post haste. If you ever run across any info on what win7 is doing with multicast transactions enabled by default, please pass it along. I have also searched for this extensively and per some instructions went through the arduous task of disabling all multicast, both in and out with the host's advanced firewall settings. Talk about major PITA. I found some info on what services to shut down to prevent this but none of those suggestions ever worked. Maybe you could ask Shelley about this for us? Sounds like she's the go-to on this sort of thing. Thanks for bending her ear on our behalf! And thank her for the great info... you two might consider doing a podcast together, ala security now! The rapport would no doubt be entertaining as well as informative. :D

LocoLobo

Are there side-effects or network connectivity issues doing this with the MS OSes?

Michael Kassner

Thanks, Michael. Another member mentioned not having the registry key. I wonder if the version of OS matters.

Michael Kassner

This is why I love the comment section. I learn as much if not more from them.

Gis Bun

You can also try your firewall software to block outgoing [and incoming] traffic or from a hardware firewall [a.k.a. router]. As well you can use the "route" command in Windows.

Michael Kassner

I do not see any reason why that would not work. If I have a second, I'll try it this evening. Unless you have already. Thanks for pointing it out.

Michael Kassner

The Windows app will not work correctly and the term "Internet Access" will be displayed even if there isn't one. Other than that, it appears to be business as normal.

disasterboy.info

From the Super user article: "When I changed this registry setting, Wireshark picked up no more communication to the NCSI site. As a result, there was no indicator that in-browser authentication was required, and the connection indicator would say 'internet connection' even if there was in fact none present."

Michael Kassner

I did several packet traces and did not find anything suspicious, but one never knows. If it has no adverse effect, why not? If you notice anything, please let us know.

Michael Kassner

I think the whole process is to give users a visual interpretation of what is happening network-wise. Maybe, I missed your point.

Michael Kassner

As Sean suggested the Super User site has the details about building a server. I have used the registry-key change and the only issue I have noticed is the Windows app will then always advertise that there is an Internet connection even if there isn't.

seanferd

I've run into several problem situations others have had with this already. Basically, the server can be anything that responds to the query. If you already have a server, it will be like serving a blank web page. Change the domain which is checked to something you own, and have that domain return the text file when queried.

edit: Here: http://blog.superuser.com/2011/05/16/windows-7-network-awareness/
More: http://tech.slashdot.org/story/11/05/17/2355256/How-Windows-7-Knows-About-Your-Internet-Connection
http://technet.microsoft.com/en-us/library/cc766017
The text file: http://www.msftncsi.com/ncsi.txt

pgit

I can't see where you'd need this except to feed info to the UI shown in the illustration. I'd use other means to monitor connectivity myself. This is a client side only, specific and pertinent to the machine running it-type of tool as far as I can see. i.e. the kind of thing the typical home user would simply expect to be there because Microsoft put it there. On the other hand Microsoft collecting stats doesn't have any benefit to me that I can fathom.

Michael Kassner

I have heard that games do odd things in the new versions of MS. I don't get involved in games, so I would not have any experience. I will ask around.

manofry

AFAIK the multicasts are done in IPv6. If you don't need it, you may disable it. If you want to do that in a big network, GPO makes it easy. I recommend testing.

Michael Kassner

I have checked it out with Windows 7, but not Vista. I did not see any issues. I did notice after the change, the network app would point out that an Internet connection is available even if there wasn't. The Super User blog also mentions the same results.

pgit

It's a PITA and it doesn't stop any processes you don't want/need. In the case of network awareness this is no big deal, it'll query the server and time out swiftly enough. But in the matter of the blathering (eg multicast) win7 and vista do by default, stopping the traffic at the firewall still leaves the clients flooding the wire with garbage. It's better to find and disable the services, and good luck with that. I've tried off and on for a couple years. Not even the microsoft users forums have any tips for targeting unwanted services.

Michael Horowitz

I have not tried it, but not being able to sniff packets, I'm not in a position to test it thoroughly anyway.

seanferd

Microsoft tracks you, and so can you! Your stolen laptop querying your own NLA server could be handy...

pgit

Useful links, thanks. I'm thinking of scripting the edit for wider deployment...

Michael Kassner

My packet traces did not turn up any adverse information.

Gis Bun

If you have a homegroup, you can't disable IPv6. It is required.

Michael Kassner

I am under the impression that IPv4 uses it as well, particularly for media streaming.

TG2

is this the cause of users starting up a connection and for what ever reason, you get a "local only" connection? And by disabling this will we never again face such stupidity from microsoft's blinded attempt at proving there is a connection rather than route f**king IP as it was request to do? Yes, if you read hostility there, it is in fact there.. case in point.. tech goes on site to customer.. attaches his VISTA laptop ... gets no internet connection... I test from my side, DSL's up, I can get into our on site DSL router, I can see his router's mac .... tech just happens to have a dual boot system .. brings it up in XP mode ... and voila! he can get out... brings up Vista again, still can't get out.. back to XP ... can get out just fine.. Personal experience.. hooked via wire into an older backbone switch, I know my IP, my Gateway, my DNS settings are all perfect.. and for maybe 10 seconds after starting my vista laptop ... I can ping a known good IP address.. then in steps microsofts f**ked up stupidity and now I'm no longer routing ip any more and the icon tells me "local only". I did happen to bring one of my buffalo wireless routers ...put *IT* into place with the exact same IP information I had given myself .. and then let DHCP take an ip from my buffalo.. and lo and behold I'm getting out just fine. If this is the cause of such stupidity from microsoft ... then I'm on the hunt to turn it off.. I'd looked time and time again before.. but never an answer to this most INFURIATING problem when a good network gets labeled bad by "microsoft" for no f**king reason. please do pardon the above microsoft's "Local Only" has been a burr in my ass for several years, and had pretty much given up on it ever being fixed once 7 came out, it seems this problem happened less.. but some of us are not able to justify (*or* afford) the 150 upgrade just for 7 just to fix something microsoft should have been more clear on.
I do find it so odd, that microsoft hasn't made an easier "off" switch for their "helpful" garbage ... especially when all you want them to do is route IP. Don't look for other stuff, don't go where I don't send you, and use the protocols that are set up and should be working just fine, without you meddling "kids" getting in the way (;) I'm a throwback to the simpler days of Scooby-doo - kids would really be "microsoft's network nazis")

Michael Kassner

That would be a sneaky way of learning the computer was in use. I wonder if the apps built for that purpose use a similar process.

Michael Kassner

I guess I haven't used Homegroup in large networks, relying more on AD.

manofry

Yes, IPv4 can multicast, but we were talking about the Network Discovery that WVista and WSeven use. If you disable IPv6 you can see computers in your homegroup the same way you did with WXP. In a big network, if it generates too much traffic, it may be disabled.

xambassador

I work in MX three months of the year and although I mostly work with my OpenSuse now, I have received the 'local only' on the Vista OS there in the past. I had never made the geographical connection, however. There we are on a satellite connection whereas at home on a regular IP Service provider. The up-link via satellite can be notoriously slow (try using Skype!). Probably that slow up-link makes things time-out sometimes and passes it through other times. PS: In the last two years I have no longer needed Vista for anything - have Skype, Filezilla, 'everything' running in Linux.

Michael Kassner

That was some good information. I have not run into that. I am glad to have the fix in my back pocket though.

jcbronson

I think the NLA issue that TG2 refers to is how Microsoft inserts a null route if you don't answer that goofy "where is this computer located" question fast enough. Having imaged several 2008 servers in the past few years, I have seen more than my share of these "local only" and, better yet, "UNIDENTIFIED NETWORK" (AARGH!) problems after not clicking "work" fast enough on that first screen (it doesn't even care if you've already joined to the domain). It took an awful lot of digging to find out that I had to delete the null route to fix what shouldn't have been broken in the first place. I feel your pain, TG2! Here is the only place I've ever found the CORRECT answer to this problem: http://social.technet.microsoft.com/forums/en-US/itprovistanetworking/thread/b4e2f679-c2e2-490e-a32a-ed12527bd6f5

Michael Kassner

I have not experienced what you refer to. I would love to learn more about it. Could you give the sordid details if you have time?