Windows 10: TCPView shows multiple [System Process] network connections...

Hi all,

TCPView is showing multiple network connections listed as [System Process].

These are usually connected to unrecognized IPs and certainly not IPs I would want the system to automatically connect to without request or authorization on the part of the user.

Does this indicate malware? This isn't the usual block of Akamai servers that Windows Update uses to download updates.

I've tried an AV scan but it shows no results.

I've tried blocking these IPs with a firewall but plenty more IPs from entirely different domains keep appearing under [System Process]​.

How are they establishing connections, how can I identify these unknown processes and how can I completely prevent this activity without using a firewall that requires manual authorization for EVERY connection (this computer's user couldn't handle that level of complexity).

The OS is Windows 10.

Much appreciated.

:)

 

Windows 10 excessive system downloads

That does seem rather a lot of data usage for System. By way of comparison mine shows only 68.3MB of data usage over the last month. My first suspect would be the Updates setting that allows
uploading and downloads of Windows Update data to/from PCs on the internet.

You can try monitoring which processes are actively transferring data over the network and/or to hard disk without you having invoked those data transfers by using Resource Monitor and/or TaskManager. Resource Monitor will show the network addresses being
connected to by the various processes. There are also 3rd party programs which can give more details about the remote sites being connected to by individual apps or processes (eg. CPorts & IPNetInfo from NirSoft - freeware utilities: password recovery, system utilities, desktop utilities
). TCPView from
www.sysinternals.com is a similar utility which can display the quantity of bytes being sent/received by each process.

 

Many Connections in TIME_WAIT Status Lingering In Windows 10

I recently installed Windows 10 Pro x64, for normal, personal desktop usage (i.e. not to serve as a web or database server) and was using SysInternals TCPView to monitor connections, and am noticing at least a hundred connections with status of TIME_WAIT
lingering. The process information for these all is [System Process], PID 0, using TCP, and in almost all cases the remote address is my router at remote port 2555 (only a handful are not). I've seen this go as high as 200-300, but no lower than 115-130.

I have also used TCPView in Windows 7 Pro x64, and did not see anywhere near as many of these connections.

Has anyone else noticed this in Windows 10? Any ideas why this would be happening? And is this anything to worry about?

Any thoughts are appreciated.

 

If you can give us a list that will give us a better idea of what's going on. It worth checking schedule task to see if any of them are doing it

 

The list has a huge variation of IPs. I haven't noted any pattern in what IPs appear.

Could you suggest how I could identify this process or set of processes referred to as [System Process]?

 

If you see it with TIME_WAIT, do not worry about it, it is normal.

system idle process and TCP/IP - Sysinternals Forums

 

So the System Idle Process represents connections that are in the process of being dropped.

However, what ARE these connections? I don't recognize their IPs at all.

Also, why is Explorer making network connections to unknown IPs and how can I stop that? I have the explorer.exe firewalled and denied access to the internet but it is continuing to connect. I understand this is probably just Windows Update but would like to control all network traffic and only allow wuausrv and other explorer-based programs network access when I'm aware of what they're doing.

Further advice much appreciated.

 

I'd really appreciate it if someone could shed further assistance on the topic.