Corporate Microsoft values in registry

Tweaky

Junior Member
Aug 31, 2013
10
0
0
Hi there,

I recently discovered these entries in my W7SP1 registry which made me raise my eyebrows.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP\Parameters\
Value name: DhcpDomain
Value data: ntdev.corp.microsoft.com

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP\Parameters\
Value name: DhcpNameServer
Value data: 172.31.79.142 172.31.79.144 157.54.104.75 157.54.14.162 157.54.80.10

For your information, this is a standalone W7SP1 system without LAN or network at all.
I do not use Visual Studio or other MS products that could change such entries.
Look at the DHCP server: it looks to me like a Microsoft internal developer DHCP server. Why would this appear on a standalone system without a network?
I hope someone can explain this or confirm that this is quite strange.
Microsoft did not respond to these questions.

Regards,
Tweaky
 

corkyg

Elite Member | Peripherals
Super Moderator
Mar 4, 2000
27,370
239
106
Do you ever do OS updates online? Do you allow your OS to check for updates on line? Do you use the Internet? (The Internet is a WAN.)
 

seepy83

Platinum Member
Nov 12, 2003
2,132
3
71
Is this a fresh install that hasn't been connected to a network yet?

I suspect that these are just default values. If you connect to a network and use DHCP to get a network config, you'll see these values change to legitimate values for your network.
 

Tweaky

> Do you ever do OS updates online? Do you allow your OS to check for updates on line? Do you use the Internet? (The Internet is a WAN.)

No, the system has never been updated online however it has been updated...just not online.
No, this system is standalone and has never been connected to a network.

I also noticed the windowsupdate.log recently which tried to connect to check updates.
 

Tweaky

> Is this a fresh install that hasn't been connected to a network yet?
>
> I suspect that these are just default values. If you connect to a network and use DHCP to get a network config, you'll see these values change to legitimate values for your network.

No, this system has never been connected to a network.
I can't remember that I ever saw these settings until recently.
 

seepy83

I don't have a Win7 install available right now, so I can't check that.

I do have a Windows 8 Enterprise iso and I just built a VM with it. I can tell you that Win8 doesn't have those registry values by default. The DhcpDomain and DhcpNameServer keys are created as soon as you connect it to a network, and they are populated with legitimate values for that network.

Do you have a legitimate Win7 install? Just thinking that you may have a pirated copy that was leaked by a dev at MS...
 

smakme7757

Golden Member
Nov 20, 2010
1,487
1
81
> No, the system has never been updated online however it has been updated...just not online.
> No, this system is standalone and has never been connected to a network.
>
> I also noticed the windowsupdate.log recently which tried to connect to check updates.

I think he is getting at the fact that Windows needs to know where to get the updates from. So these values will have to be in the OS when it ships to the consumer. Regardless of if they are going to use the internet or not.
 

seepy83

> I think he is getting at the fact that Windows needs to know where to get the updates from. So these values will have to be in the OS when it ships to the consumer. Regardless of if they are going to use the internet or not.

Those values have nothing to do with Windows Update.

They are parameters for the network card configuration.
 

smakme7757

> Those values have nothing to do with Windows Update.
>
> They are parameters for the network card configuration.

Maybe Windows update or some other service running in the OS uses a VPN like configuration to receive updates/send information?

I doubt there is some big conspiracy behind those IP addresses.
 

corkyg

Is not the Internet a network? I thought it was a Wide Area Network (WAN.)
 

Ketchup

Elite Member
Sep 1, 2002
14,558
248
106
Question: what would cause you to look for/find such a thing?

And, my copy of 7 does not have this. Just a DhcpNameServer entry with the default gateway address from my router.

So, if your copy has never been on the Internet, I see nothing to worry about (if you are), since it is a local-only address. It is probably just an entry that needs a value, even on their main copy for distribution.
 

Tweaky

> I don't have a Win7 install available right now, so I can't check that.
>
> I do have a Windows 8 Enterprise iso and I just built a VM with it. I can tell you that Win8 doesn't have those registry values by default. The DhcpDomain and DhcpNameServer keys are created as soon as you connect it to a network, and they are populated with legitimate values for that network.
>
> Do you have a legitimate Win7 install? Just thinking that you may have a pirated copy that was leaked by a dev at MS...

It's probably Windows 7 Build 7600.16385.win7_rtm.090713-1255 what I have installed, so quite possible what you say.
But I do have legitimate licenses for Windows 7 :)
 

Ketchup

> I honestly didn't know why these settings showed up so this is why I asked it here.
> But Microsoft would not be so stupid to do it this way...

They are local IPs (in case you didn't know) so they would be useless anywhere outside your local network, if you had one.
 

seepy83

Only the first 2 are local (RFC 1918) IPs. The other 3 are public IPs registered to MS.

I'm sticking with my original theory that this Win7 machine was built using a leaked copy of the OS. There is absolutely no reason for these reg keys to be populated with that data.
 

Ketchup

> Only the first 2 are local (RFC 1980) IPs. The other 3 are public IPs registered to MS.
>
> I'm sticking with my original theory that this Win7 machine was built using a leaked copy of the OS. There is absolutely no reason for these reg keys to be populated with that data.

Could be, we'll probably never know. As I posted earlier, why would one just "discover" an entry like that?
 

Tweaky

> Only the first 2 are local (RFC 1918) IPs. The other 3 are public IPs registered to MS.
>
> I'm sticking with my original theory that this Win7 machine was built using a leaked copy of the OS. There is absolutely no reason for these reg keys to be populated with that data.

You're right, a fresh install showed these settings also so it must be a leaked version of Windows 7.
At least the mystery is solved now, again thanks everybody!
 

Bubbaleone

Golden Member
Nov 20, 2011
1,803
4
76
> You're right, a fresh install showed these settings also so it must be a leaked version of Windows 7.
> At least the mystery is solved now, again thanks everybody!

I don't believe that has anything to do with a "leaked" version of Windows, but I do think it's possible that the Windows installation media you installed from was originally created from a sysprep Windows image. If so, the tech would most likely have gone online for updates prior to finalizing the image and that would account for these registry entries.

.
 

seepy83

> I don't believe that has anything to do with a "leaked" version of Windows, but I do think it's possible that the Windows installation media you installed from was originally created from a sysprep Windows image. If so, the tech would most likely have gone online for updates prior to finalizing the image and that would account for these registry entries.
>
> .

I'm not really looking to get into a debate about this, but like I said earlier...those registry keys that the OP was interested in getting more information about have absolutely nothing to do with Windows Update.

The only reason for DhcpDomain to be populated with ntdev.corp.microsoft.com would be if the system was locally connected to the ntdev.corp.microsoft.com the last time that the NIC was connected to a network and received configuration through DHCP.

Similarly, the only reason for DhcpNameServer to be populated with those IP addresses would be if the DNS servers assigned through DHCP were those addresses. The first two are RFC1918 addresses and can be used on anyone's local network. However, the last 3 are IPs owned by Microsoft. There is no reason for any DHCP server, other than one on Microsoft's network, to configure its clients to use those addresses for DNS.
 

Tweaky

> I'm not really looking to get into a debate about this, but like I said earlier...those registry keys that the OP was interested in getting more information about have absolutely nothing to do with Windows Update.
>
> The only reason for DhcpDomain to be populated with ntdev.corp.microsoft.com would be if the system was locally connected to the ntdev.corp.microsoft.com the last time that the NIC was connected to a network and received configuration through DHCP.
>
> Similarly, the only reason for DhcpNameServer to be populated with those IP addresses would be if the DNS servers assigned through DHCP were those addresses. The first two are RFC1918 addresses and can be used on anyone's local network. However, the last 3 are IPs owned by Microsoft. There is no reason for any DHCP server, other than one on Microsoft's network, to configure its clients to use those addresses for DNS.

Sorry it's not clear to me, do you mean these values have been assigned since my installation or are these values there before the installation?
If the last option is the case then yes I think it is a leaked version.
 

seepy83

I am saying that those values are not there by default on a normal Windows 7 installation.

DhcpDomain and DhcpNameServer values are created when the PC is connected to a network, the NIC receives configuration through DHCP, and the DHCP server assigns a configuration that includes those options. Until that happens, those values do not exist.

Since you have never connected your PC to a network, then the values that you see must have been there in your (possibly leaked) installation media.
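
The check discussed in this thread, as an added example that is not part of any poster's message: it splits a DhcpNameServer string, labels each address as RFC 1918 or not, and lists whatever DHCP-derived values are present, which is useful when auditing an install image that should never have held a lease. The function names are hypothetical, the sample data is the value quoted in the first post, and the code does not verify who an address is registered to.

```python
import ipaddress

# The three private blocks defined by RFC 1918.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TCPIP_KEY = r"SYSTEM\CurrentControlSet\Services\TCPIP\Parameters"
# Values quoted in the first post, embedded so the example runs offline.
SAMPLE = {
    "DhcpDomain": "ntdev.corp.microsoft.com",
    "DhcpNameServer": "172.31.79.142 172.31.79.144 157.54.104.75 "
                      "157.54.14.162 157.54.80.10",
}

def classify_name_servers(value_data):
    """Split a space-separated DhcpNameServer string and label each entry."""
    labelled = []
    for token in value_data.split():
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            labelled.append((token, "invalid"))
            continue
        private = any(addr in net for net in RFC1918)
        labelled.append((token, "rfc1918" if private else "non-rfc1918"))
    return labelled

def audit(values):
    """List DHCP-derived values; the list is empty when neither value exists."""
    findings = []
    if values.get("DhcpDomain"):
        findings.append("DhcpDomain present: " + values["DhcpDomain"])
    for token, label in classify_name_servers(values.get("DhcpNameServer", "")):
        findings.append("DhcpNameServer %s: %s" % (label, token))
    return findings

def read_live_values():
    """Read both values from the local registry (Windows only)."""
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, TCPIP_KEY) as key:
        for name in SAMPLE:
            try:
                values[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass  # value does not exist under this key
    return values

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

On a Windows machine, `audit(read_live_values())` runs the same check against the live key instead of the embedded sample.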