NCSI is part of Microsoft Vista. It's also part of Windows 7. Michael Kassner explains what NCSI does and why you might choose to turn it off.
I have a friend who is brilliant—almost a complete alphabet after her name. She also likes to mess with my head—not that difficult. One of her ploys is asking about acronyms and initialisms.
For example, the other day Shelley asked if I knew what NCSI meant. Right from the start, I knew something was up. Still, I fell for it. I guessed, "Naval Criminal Investigative Service?"
"No, I'm serious. The NCSI Microsoft uses." She went on to explain, "I was experimenting with Wireshark and accidentally captured an exchange between my computer and Microsoft."
"Details," I said, now interested.
It seems Shelley wanted to look at the packet exchange during a network-connection startup—the TCP handshake. Unexpectedly, she found a packet with the following URL in the payload:
And, the response from MSFT (MS's stock symbol):
I entered the URL into my web browser and sure enough, Microsoft NCSI popped up. Shelley knew very well that I couldn't let this go, now.
What is NCSI?
Enough drama. NCSI stands for Network Connectivity Status Indicator. It is part of what Microsoft calls Network Awareness. Microsoft purposed Network Awareness to provide network-connectivity information to services and applications running on Windows Vista and Windows 7.
I'll bet you're familiar with:
Ever wonder how Microsoft knows whether the computer is connected locally or not, and if it has an Internet connection? Thank Network Awareness, specifically NCSI. It is hard at work providing information on:
- Connectivity to an intranet.
- Connectivity to the Internet (Including the ability to send a DNS query and obtain the correct resolution of a DNS name).
I found out how NCSI works by reading this Super User Community blog. Network Awareness checks the following at the beginning of each network connection:
"NCSI performs a DNS lookup on www.msftncsi.com. It then requests http://www.msftncsi.com/ncsi.txt. This file is a plain-text file containing the phrase ‘Microsoft NCSI'.
If everything goes well, NCSI receives a 200 OK response header with the proper text.
The above exchange is what Shelley found during her packet sniffing. Actually, that is the only way one could find out it was happening. We can see the results though, by clicking on the networking symbol in the lower right corner of the screen:
No text file or redirected
If the querying computer does not receive the ncsi.txt, or there is a redirect, NCSI will try the following (Super User Community blog):
"NCSI sends a DNS lookup request for dns.msftncsi.com. This address should resolve to 184.108.40.206. If the address does not match, then it is assumed the Internet connection is not functioning correctly."
Windows will then display that fact in both Network Properties and the pop-up display.
Have you ever seen this pop up?
Creepy. How does the operating system know that?
Network Awareness checks one more thing. If the lookup for dns.msftncsi.com resolves correctly, but the web page still does not show, Net Awareness makes the following assumption: A web-browser authentication page is blocking access. That's when the pop-up balloon makes its entry.
Not something you want happening
As one of those security nuts, I immediately was concerned about what other information Microsoft might be gathering during the packet exchange. The TechNet webpage describing NCSI mentions:
"IIS logs are stored on the server at www.msftncsi.com. These logs contain the time of each access and the IP address recorded for that access. These IP addresses are not used to identify users."
If you are uncomfortable with Network Awareness, you can disable it in the registry (from Super User Blog):
Under the Internet key, double-click EnableActiveProbing, and then in Value data, type: 0. The default for this value is 1. Setting the value to 0 prevents NCSI from connecting to a site on the Internet during checks for connectivity.
Alternatively, the Super User blog suggests building your own NCSI server. The web site has all the details. (Warning: Please be careful if you start altering registry keys, however. Make sure you have a reliable backup of your system in case you make a mistake.)