[WIN10] Windows 10 phantom lan connections with file sharing

GPz1100

Senior member
Jun 10, 2001
353
0
81
#1
Background:

* Fresh Windows 10 (1803) install using an ISO direct from Microsoft.
* LAN configured on 10.x.x.x/24 subnet

After accessing a file share on a different PC (same subnet), Windows will attempt to open phantom port 445 (dest) connections to remote IPs 192.168.1.241 and 192.168.3.241. There is nothing on the network configured for the 192.168.x.x subnets.

The connecting service is SYSTEM, PID 4 (see pic above). My firewall (UTM) is set to block anything in or out that isn't explicitly permitted. I discovered this issue when I noticed the number of packet filter entries was unusually high.

There are two ways of dealing with this. I can configure the firewall to just drop and not log these packets, or do the same in the Windows firewall on the offending PC. The first, I believe, still generates this noise on the network; the second blocks it such that it never leaves the PC.

I consider both of these workarounds band-aids. I'd really like to figure out why the Windows box is even attempting to create these connections. Nothing in netstat or TCPView gives me any more detail other than what's pictured above. I tried disabling various discovery options but this still persists. As mentioned earlier, it is related to file sharing. These outbound attempts do not show up if the Windows 10 box doesn't attempt to access any network shares.

Both router2 and local.domain are on the 10.x.x.x/24 subnet.
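An added example (not code from the thread or its posters) for triaging what the OP describes: it enumerates live TCP connections to remote port 445 and reports only those whose remote address lies outside every IPv4 subnet configured on the host, together with the owning process, so off-subnet attempts like the 192.168.x.241 ones stand out from normal LAN share traffic. It assumes the NetTCPIP cmdlets that ship with Windows 8/10 and an elevated session; the function and helper names are my own.

```powershell
# Added example, not code from the thread. Lists current TCP connections to
# remote port 445 whose remote address is outside every IPv4 subnet configured
# on this host (the "phantom" 192.168.x.241 case above). Uses the NetTCPIP
# module that ships with Windows 8/10; run as Administrator so PID 4 resolves.

function ConvertTo-IPv4Number {
    # Big-endian integer value of a dotted-quad address, kept as [long] to
    # sidestep PowerShell's signed 32-bit hex-literal behaviour.
    param([Parameter(Mandatory)] [string] $Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return ([long]$b[0] * 16777216) + ([long]$b[1] * 65536) + ([long]$b[2] * 256) + [long]$b[3]
}

function Get-IPv4Mask {
    # Netmask for a prefix length as [long], e.g. 24 -> 4294967040 (0xFFFFFF00).
    param([Parameter(Mandatory)] [int] $PrefixLength)
    return [long]4294967295 - ([long][math]::Pow(2, 32 - $PrefixLength) - 1)
}

function Test-IPv4InSubnet {
    param(
        [Parameter(Mandatory)] [string] $Address,
        [Parameter(Mandatory)] [string] $NetworkAddress,
        [Parameter(Mandatory)] [int] $PrefixLength
    )
    $mask = Get-IPv4Mask -PrefixLength $PrefixLength
    # Parentheses matter: -band has lower precedence than -eq in PowerShell.
    return ((ConvertTo-IPv4Number $Address) -band $mask) -eq ((ConvertTo-IPv4Number $NetworkAddress) -band $mask)
}

function Get-OffSubnetSmbConnection {
    # The host's own IPv4 interfaces (loopback excluded) define "on the LAN".
    $localNets = Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.IPAddress -ne '127.0.0.1' }

    # Every state is of interest; attempts to an address nobody answers on
    # typically sit in SynSent.
    $conns = Get-NetTCPConnection -RemotePort 445 -ErrorAction SilentlyContinue

    foreach ($c in $conns) {
        if ($c.RemoteAddress -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { continue }   # IPv4 only
        $onLan = $false
        foreach ($n in $localNets) {
            if (Test-IPv4InSubnet -Address $c.RemoteAddress -NetworkAddress $n.IPAddress -PrefixLength $n.PrefixLength) {
                $onLan = $true; break
            }
        }
        if ($onLan) { continue }

        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress  = $c.LocalAddress
            RemoteAddress = $c.RemoteAddress
            RemotePort    = $c.RemotePort
            State         = $c.State
            OwningProcess = $c.OwningProcess
            ProcessName   = if ($proc) { $proc.ProcessName } else { 'n/a' }   # PID 4 shows as 'System'
            CreationTime  = $c.CreationTime
        }
    }
}

# Usage: run this while reproducing the share access, then review the table.
Get-OffSubnetSmbConnection | Format-Table -AutoSize
```

Running it in a loop (or right after opening folders on the share, which the thread notes is what triggers the attempts) gives a timestamped record of each off-subnet connection without relying on the perimeter firewall's packet-filter log.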

 

mxnerd

Diamond Member
Jul 6, 2007
4,323
121
126
#2
Microsoft uses TCP port 445 for several SMB services (file sharing and print services).

https://support.microsoft.com/en-us...iew-and-network-port-requirements-for-windows

445 TCP SMB Fax Service
445 TCP SMB Print Spooler
445 TCP SMB Server
445 TCP SMB Remote Procedure Call Locator
445 TCP SMB Distributed File System Namespaces
445 TCP SMB Distributed File System Replication
445 TCP SMB License Logging Service
445 TCP SMB Net Logon

I don't understand why it connects to those 192.168.1.241 and 192.168.3.241 addresses, though.

==

Do you happen to have virtual adapters and set those IP addresses?

Open a command prompt and type IPCONFIG /ALL to find out.
 

mxnerd

Diamond Member
Jul 6, 2007
4,323
121
126
#3
Installed 1809 on a newly created VMware virtual machine, also created a network share, accessed the share from another PC and did not see anything like what you described.

There are no remote IP addresses that are not from the PC's own IP subnet range.

==

My 1803 machine also did not exhibit this behavior.
 

GPz1100

Senior member
Jun 10, 2001
353
0
81
#4
I tested further with a Win 1803 install on an external HD. Same result.

No virtual adapters defined in either installation. ipconfig /all shows a single adapter.

About the only thing I can think of is that perhaps some device on the network is responding to Windows' discovery with those IP addresses. There are quite a few switches, APs, ATAs and some other equipment on the LAN.

Note, it's not enough to just connect to a share, you need to open up some folders too.

I'm going to test 1803 in a VM with the network set as bridged and then as host-only. The latter should isolate it entirely from the LAN.
 

mxnerd

Diamond Member
Jul 6, 2007
4,323
121
126
#5
I did open a folder from the share and also the files in the folder. Nothing.

==

Could it be that they are default IP addresses of some of your switches?

Your network IP range can be totally different from that of your managed/smart switches and still work.
 

GPz1100

Senior member
Jun 10, 2001
353
0
81
#6
That's a valid point, but everything here is defined on the 10.10.1.x subnet, including management. I can't imagine how Windows is even discovering those IPs. What a strange issue to be having!!

I got the same result when testing two 1803s in isolated VMs. Tomorrow I will try two physical PCs connected via a dumb switch. One will be Win10 1803 (off of an external USB HD), the other will be an earlier build of Win10.
 

13Gigatons

Diamond Member
Apr 19, 2005
6,503
46
106
#7
Looks like a placeholder address for some windows service.
 

GPz1100

Senior member
Jun 10, 2001
353
0
81
#8
^^It's strange that I can reproduce this on demand every time but others can't. Maybe some other variable is involved... I tried the 1809 build in a VM on my PC. Physically disconnected the cable that feeds the switch in this room to the rest of the LAN. Same result.

One final test before I head to bed. Disconnected *my* PC from the network. Tried repeating the test with the Win10 box accessing shares on another PC. No phantom connections! Only when accessing shares on *my* PC do these phantom connections show up (on the remote PC). And it's inbound only, that is, PCs accessing content on my PC. No phantom ports on my (or the remote) PC when I access shares on others.

I'm still running Windows 8 on this box. Same OS as when I built this thing 6 years ago. Maybe this is the motivation needed to redo this thing from scratch.

Btw, I can't find any references to this IP on my PC; no NICs are configured for it, the IP does not exist in the registry, nothing in netstat.
 

mxnerd

Diamond Member
Jul 6, 2007
4,323
121
126
#9
Make sure you use the ISO downloaded directly from Microsoft, either Windows 8 or Windows 10. Some OEM media probably have some configuration that's burnt into the image.

I bought a mini PC from Amazon that's from China. The time zone setting was always incorrect after a few minutes or after waking from sleep.

Even if I reset the time zone it always goes back to China's time zone. Eventually I found that it seems the vendor creates the image in a virtual machine then re-images that onto the shipped PC. I had to modify a registry setting to fix it.
 

GPz1100

Senior member
Jun 10, 2001
353
0
81
#10
This is the link used: https://www.microsoft.com/en-us/software-download/windows10ISO

When the browser is configured with a mobile UA, the option is there to download the ISO directly.

I had one of those Qotom boxes from China too. First thing done was wipe their OS entirely and reload my own.

--------------

I tried one more variation. The PC with 1803 (the one from the OP) accessing files on a laptop with 1607. No phantom IPs.

For giggles I then tried the same laptop accessing files on the Win8 box (the one that causes the phantom IPs when accessed by 1803). Here too, no phantom IPs.

Something in 1803 or newer and the Win8 box is causing this. For now I'll just use the firewall rule on 1803 to block those attempts. Sometime in the future I will upgrade (or rather install from scratch) the Win8 to Win10 and hopefully this will be fully resolved.
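An added example (not code from the thread) of the workaround the poster settles on: a Windows Firewall outbound block for TCP/445 to the two reported addresses, applied on the 1803 box so the packets never reach the wire, plus dropped-packet logging and a small summariser for the firewall log so the attempts stay countable after they are silenced. It assumes the NetSecurity cmdlets built into Windows 8/10 and an elevated session; the rule name, function names and the sample log lines are my own constructions.

```powershell
# Added example, not code from the thread. Blocks the phantom SMB attempts in
# Windows Firewall on the client and logs the drops. Run as Administrator.
# The two addresses are the ones reported in the thread; the rule name is mine.

$phantomHosts = @('192.168.1.241', '192.168.3.241')
$ruleName     = 'Block phantom SMB to 192.168.x.241'

function Set-PhantomSmbBlockRule {
    # Idempotent: replace any earlier copy of the rule rather than stacking duplicates.
    Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Block `
        -Protocol TCP -RemotePort 445 -RemoteAddress $phantomHosts -Profile Any | Out-Null

    # Log dropped packets on every profile so the blocked attempts remain visible.
    Set-NetFirewallProfile -Profile Domain, Private, Public -LogBlocked True `
        -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'
}

function Get-DroppedSmbAttempt {
    # Summarise DROP entries for TCP/445 from pfirewall.log lines. Field order:
    # date time action protocol src-ip dst-ip src-port dst-port size tcpflags ... path
    param([Parameter(Mandatory)] [string[]] $LogLines)
    $LogLines |
        Where-Object { $_ -match '^\d{4}-\d{2}-\d{2} ' } |       # skip '#' header lines
        ForEach-Object {
            $f = $_ -split '\s+'
            if ($f[2] -eq 'DROP' -and $f[3] -eq 'TCP' -and $f[7] -eq '445') {
                [pscustomobject]@{ Time = "$($f[0]) $($f[1])"; Source = $f[4]; Destination = $f[5] }
            }
        } |
        Group-Object Destination |
        Select-Object @{ n = 'Destination'; e = { $_.Name } }, Count
}

# Apply the rule and logging on this host.
Set-PhantomSmbBlockRule

# Constructed sample log lines (not a real capture) showing the expected shape;
# the summary below reports 2 drops to .1.241 and 1 to .3.241, and ignores the ALLOW.
$sampleLog = @(
    '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path',
    '2019-01-01 10:00:01 DROP TCP 10.10.1.50 192.168.1.241 49712 445 52 S 1234567 0 8192 - - - SEND',
    '2019-01-01 10:00:02 DROP TCP 10.10.1.50 192.168.3.241 49713 445 52 S 1234568 0 8192 - - - SEND',
    '2019-01-01 10:00:04 DROP TCP 10.10.1.50 192.168.1.241 49714 445 52 S 1234569 0 8192 - - - SEND',
    '2019-01-01 10:00:05 ALLOW TCP 10.10.1.50 10.10.1.20 49715 445 0 - 0 0 0 - - - SEND'
)
Get-DroppedSmbAttempt -LogLines $sampleLog | Format-Table -AutoSize

# Against the live log once the rule has been active for a while:
# Get-DroppedSmbAttempt -LogLines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
```

Blocking on the client rather than at the UTM is the option the thread describes as keeping the noise off the network entirely; keeping the drop log means the count can be checked again after the planned Win8-to-Win10 rebuild to confirm the attempts have actually stopped rather than merely being hidden.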
 
