
Corporate Microsoft values in registry

Tweaky

Junior Member
Hi there,

I discovered recently these entries in my W7SP1 registry which make my eyebrows raise.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP\Parameters\
Value name: DhcpDomain
Value data: ntdev.corp.microsoft.com

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP\Parameters\
Value name: DhcpNameServer
Value data: 172.31.79.142 172.31.79.144 157.54.104.75 157.54.14.162 157.54.80.10

For your information, this is a standalone W7SP1 system without LAN or network at all.
I do not use Visual Studio or other MS products that could change such entries.
Look at the DHCP server, it looks to me as a Microsoft internal developer DHCP server, why would this appear on a standalone system without network?
I hope someone can explain this or confirm that this is quite strange.
Microsoft did not respond to these questions.

Regards,
Tweaky
 
Do you ever do OS updates online? Do you allow your OS to check for updates online? Do you use the Internet? (The Internet is a WAN.)
 
Is this a fresh install that hasn't been connected to a network yet?

I suspect that these are just default values. If you connect to a network and use DHCP to get a network config, you'll see these values change to legitimate values for your network.
 
> Do you ever do OS updates online? Do you allow your OS to check for updates online? Do you use the Internet? (The Internet is a WAN.)

No, the system has never been updated online however it has been updated...just not online.
No, this system is standalone and has never been connected to a network.

I also noticed the windowsupdate.log recently which tried to connect to check updates.
 
> Is this a fresh install that hasn't been connected to a network yet?
>
> I suspect that these are just default values. If you connect to a network and use DHCP to get a network config, you'll see these values change to legitimate values for your network.

No, this system has never been connected to a network.
I can't remember that I ever saw these settings until recently.
 
I don't have a Win7 install available right now, so I can't check that.

I do have a Windows 8 Enterprise iso and I just built a VM with it. I can tell you that Win8 doesn't have those registry values by default. The DhcpDomain and DhcpNameServer keys are created as soon as you connect it to a network, and they are populated with legitimate values for that network.

Do you have a legitimate Win7 install? Just thinking that you may have a pirated copy that was leaked by a dev at MS...
 
> No, the system has never been updated online however it has been updated...just not online.
> No, this system is standalone and has never been connected to a network.
>
> I also noticed the windowsupdate.log recently which tried to connect to check updates.

I think he is getting at the fact that Windows needs to know where to get the updates from. So these values will have to be in the OS when it ships to the consumer. Regardless of if they are going to use the internet or not.
 
> I think he is getting at the fact that Windows needs to know where to get the updates from. So these values will have to be in the OS when it ships to the consumer. Regardless of if they are going to use the internet or not.

Those values have nothing to do with Windows Update.

They are parameters for the network card configuration.
 
> Those values have nothing to do with Windows Update.
>
> They are parameters for the network card configuration.

Maybe Windows update or some other service running in the OS uses a VPN like configuration to receive updates/send information?

I doubt there is some big conspiracy behind those IP addresses.
 
Is not the Internet a network? I thought it was a Wide Area Network (WAN.)
 
Question: what would cause you to look for/find such a thing?

And, my copy of 7 does not have this. Just a DhcpNameServer entry with the default gateway address from my router.

So, if your copy has never been on the Internet, I see nothing to worry about (if you are), since it is a local-only address. It is probably just an entry that needs a value, even on their main copy for distribution.
 
> I don't have a Win7 install available right now, so I can't check that.
>
> I do have a Windows 8 Enterprise iso and I just built a VM with it. I can tell you that Win8 doesn't have those registry values by default. The DhcpDomain and DhcpNameServer keys are created as soon as you connect it to a network, and they are populated with legitimate values for that network.
>
> Do you have a legitimate Win7 install? Just thinking that you may have a pirated copy that was leaked by a dev at MS...

It's probably Windows 7 Build 7600.16385.win7_rtm.090713-1255 what I have installed, so quite possible what you say.
But I do have legitimate licenses for Windows 7 🙂
 
I honestly didn't know why these settings showed up so this is why I asked it here.
But Microsoft would not be so stupid to do it this way...

They are local IPs (in case you didn't know) so they would be useless anywhere outside your local network, if you had one.
 
Only the first 2 are local (RFC 1918) IPs. The other 3 are public IPs registered to MS.

I'm sticking with my original theory that this Win7 machine was built using a leaked copy of the OS. There is absolutely no reason for these reg keys to be populated with that data.
 
> Only the first 2 are local (RFC 1980) IPs. The other 3 are public IPs registered to MS.
>
> I'm sticking with my original theory that this Win7 machine was built using a leaked copy of the OS. There is absolutely no reason for these reg keys to be populated with that data.

Could be, we'll probably never know. As I posted earlier, why would one just "discover" an entry like that?
 
> Only the first 2 are local (RFC 1918) IPs. The other 3 are public IPs registered to MS.
>
> I'm sticking with my original theory that this Win7 machine was built using a leaked copy of the OS. There is absolutely no reason for these reg keys to be populated with that data.

You're right, a fresh install showed these settings also so it must be a leaked version of Windows 7.
At least the mystery is solved now, again thanks everybody!
 
> You're right, a fresh install showed these settings also so it must be a leaked version of Windows 7.
> At least the mystery is solved now, again thanks everybody!

I don't believe that has anything to do with a "leaked" version of Windows, but I do think it's possible that the Windows installation media you installed from was originally created from a sysprep Windows image. If so, the tech would most likely have gone online for updates prior to finalizing the image and that would account for these registry entries.

 
> I don't believe that has anything to do with a "leaked" version of Windows, but I do think it's possible that the Windows installation media you installed from was originally created from a sysprep Windows image. If so, the tech would most likely have gone online for updates prior to finalizing the image and that would account for these registry entries.

I'm not really looking to get into a debate about this, but like I said earlier...those registry keys that the OP was interested in getting more information about have absolutely nothing to do with Windows Update.

The only reason for DhcpDomain to be populated with ntdev.corp.microsoft.com would be if the system was locally connected to the ntdev.corp.microsoft.com the last time that the NIC was connected to a network and received configuration through DHCP.

Similarly, the only reason for DhcpNameServer to be populated with those IP addresses would be if the DNS servers assigned through DHCP were those addresses. The first two are RFC1918 addresses and can be used on anyone's local network. However, the last 3 are IPs owned by Microsoft. There is no reason for any DHCP server, other than one on Microsoft's network, to configure its clients to use those addresses for DNS.
 
> I'm not really looking to get into a debate about this, but like I said earlier...those registry keys that the OP was interested in getting more information about have absolutely nothing to do with Windows Update.
>
> The only reason for DhcpDomain to be populated with ntdev.corp.microsoft.com would be if the system was locally connected to the ntdev.corp.microsoft.com the last time that the NIC was connected to a network and received configuration through DHCP.
>
> Similarly, the only reason for DhcpNameServer to be populated with those IP addresses would be if the DNS servers assigned through DHCP were those addresses. The first two are RFC1918 addresses and can be used on anyone's local network. However, the last 3 are IPs owned by Microsoft. There is no reason for any DHCP server, other than one on Microsoft's network, to configure its clients to use those addresses for DNS.

Sorry it's not clear to me, do you mean these values have been assigned since my installation or are these values there before the installation?
If the last option is the case then yes I think it is a leaked version.
 
I am saying that those values are not there by default on a normal Windows 7 installation.

DhcpDomain and DhcpNameServer values are created when the PC is connected to a network, the NIC receives configuration through DHCP, and the DHCP server assigns a configuration that includes those options. Until that happens, those values do not exist.

Since you have never connected your PC to a network, then the values that you see must have been there in your (possibly leaked) installation media.
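
Added example, not part of the thread or any poster's code: a small Python check that parses saved `reg query "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /s` output and reports DHCP-learned domain and DNS values, labelling each server as RFC 1918 or public. The sample text is constructed from the values quoted in the thread; the `Hostname` line and the function names are assumptions for illustration.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in `reg query <key> /s` text format, using the values
# quoted in the thread; the Hostname line is made up for illustration.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    DhcpDomain    REG_SZ    ntdev.corp.microsoft.com
    DhcpNameServer    REG_SZ    172.31.79.142 172.31.79.144 157.54.104.75 157.54.14.162 157.54.80.10
    Hostname    REG_SZ    STANDALONE-PC
"""

def parse_reg_query(text):
    """Return {key_path: {value_name: data}} from `reg query` output."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip(), {})
        elif current is not None and line.startswith("    "):
            parts = re.split(r" {4,}", line.strip(), maxsplit=2)
            if len(parts) >= 2:  # name, type, and (possibly empty) data
                current[parts[0]] = parts[2] if len(parts) == 3 else ""
    return keys

def classify(addr):
    """Label one address: rfc1918, public, reserved, or invalid."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    return "public" if ip.is_global else "reserved"

def audit(text, never_networked=True):
    """List (key, label, value) findings for DHCP-learned DNS settings."""
    findings = []
    for key, values in parse_reg_query(text).items():
        domain = values.get("DhcpDomain", "")
        servers = [s for s in re.split(r"[ ,]+", values.get("DhcpNameServer", "")) if s]
        # On a host that never took a DHCP lease, any such value is inherited state.
        if never_networked and (domain or servers):
            findings.append((key, "dhcp-state-present", domain or None))
        findings.extend((key, classify(s), s) for s in servers)
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Because `/s` also lists the per-adapter subkeys under `Parameters\Interfaces`, the same parser covers values stored per interface.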
 