Explorer.exe connects to Microsoft and it sends back unique code and stuff

Discussion in 'privacy general' started by hundaa, Feb 13, 2011.

Thread Status:
Not open for further replies.
  1. hundaa

    hundaa Registered Member

    Feb 13, 2011
    Ok, I have seen earlier threads about this explorer.exe contacting microsoft.com. I was just talking about scvhost.exe contacting who knows what with https in an earlier thread, but then I hit F3 (search) and saw explorer.exe trying to contact microsoft.com.

    I decided to look with wireshark (packet sniffing) what it is doing and I found out the following. Im not saying its a BAD thing what explorer.exe is doing, but I wanted to see what its doing.
    (Im using winxp 64)


    Explorer.exe trying to go to:

    "NetRange: -
    OrgName: Microsoft Corp
    OrgId: MSFT
    Address: One Microsoft Way
    City: Redmond
    StateProv: WA
    PostalCode: 98052
    Country: US"

    Explorer.exe sent following information from my computer to microsoft:

    It first sends some stuff back and forth that i dont paste because its probably not important.
    After that it sends 74 bytes. I dont understand what it sends, its some weird stuff.

    After that, explorer.exe sends new data to microsoft with the size of 198 bytes. The beginning of this data is the same as the 74bytes sent in earlier messages (includes my motherboards network cards mac with the word "Asustek" and also my routers mac, with the word "cisco"......and other stuff.

    The rest has following stuff:

    "Message: GET /sasearch/lcladvdf.xml HTTP/1.1\r\n
    Severity level: Chat
    Request Method: GET
    Request URI: /sasearch/lcladvdf.xml
    Request Version: HTTP/1.1
    If-Modified-Since: Fri, 25 Mar 2005 12:00:00 GMT\r\n
    User-Agent: SCAgent\r\n
    Host: sa.windows.com\r\n"

    After that they send a small packet back to me that has actually nothing in it except stuff like:

    "Acknowledgement number: 1 (relative ack number)
    Transmission Control Protocol, Src Port: global-cd-port (3229), Dst Port: http (80), Seq: 1, Ack: 1, Len: 0
    Window size: 65535"
    and so on.

    And after that my computer sends a new packet:

    it looks like:

    "Request Method: GET
    Request URI: /sasearch/balloon.xsl
    Request Version: HTTP/1.1
    If-Modified-Since: Fri, 25 Mar 2005 12:00:00 GMT\r\n
    User-Agent: SCAgent\r\n
    Host: sa.windows.com\r\n"

    Theres more stuff but I pasted only some.

    So first it tries to download lcadvdf.xml and after that balloon.xsl, from microsoft server.

    After that last message, microsoft send a new packet to my computer that says:

    "HTTP/1.1 304 Not Modified\r\n
    Date: Sun, 13 Feb 2011 23:15:16 GMT\r\n
    Theres more stuff but I pasted only some.

    The X character was numbers and Y was letters but I dont want to display what it was incase it was some identification code and not a real "etag".

    (mac addresses do get sent in tcp/ip but im not sure why they are in these messages)

    I have 2 other local ip:s in my computer because of VMWARE. Well, explorer.exe also sent some stuff to microsoft with their ips, part of the "Name query NBSTAT" (in screenshot).

    The xml and xsl file requests came from my local lan but it also used vmwares nic:s and to send stuff. I dont know how or why it does this because they should be controlled by vmware but I guess there is a logical answer.

    I think it only sent microsoft the info that I have those 2 nics in my computer too.

    heres screenshot from wireshark that does not show the detail window but it shows the overview window
    (the row that says ignored was ignored by accident but it had the same stuff)

    balloon.xsl (http://sa.windows.com/sasearch/balloon.xsl ) file is the following:

    SpellEdit TextEdit Combo List Checkbox Radio 1 8 2 4 3 SysAnimate32 1073741826 5009 SA_Button 13 5003 Heading
    Static 1073741832 5010 SA_Button 13 -1 SA_SpellEdit 10551364 SA_Button 65536 SA_Button 65536 -1 Button 65536 24
    SA_Button 65548 1 SA_Button 65538 1 SA_Button 9 1 Edit 8454272 ComboBox 10551299 200 ListBox 10551297 50
    SA_Button 13 -1 1 1 Expando 9 8 LS 8 SA_Button 13 5003 Heading 2 SA_Button 65536 5012 5 290 9

    lcladvdf.xml (http://sa.windows.com/sasearch/lcladvdf.xml ) is the following:

    "Search by any or all of the criteria below. C:\ Don't remember Within the last week 7 1 Past month 1 1 Within the past year 365 1 Specify dates Modified Date 1 Created Date 2 Accessed Date 3 Don't remember Small (less than 100 KB) 102400 Medium (less than 1 MB) 1048576 Large (more than 1 MB) 1048576 Specify size (in KB) at least SAPropLSSizeGE at most
    SAPropLSSizeLE *.* True True True True True "

    If you go to http://sa.windows.com it says "under construction".

    What is this? Somekinda joke? Well, at least my computer was a "HTTP/1.1 304 Not Modified" that got a 18 character long "ETAG" that according to wikipedia could be used as a replacement for a tracking cookie even if the ETAG wasn't originally created for that use. Cooool!!

    Is this an innocent looking feature that isn't explained anywhere by Microsoft or is it somekinda malevolent borg hive mind thing?

    If you want to check this for yourself, download wireshark here:

    it is quite easy to do the packet sniffing. In first window click your local NIC that is connected to internet and then it shows all connections going. I suggest you stop all web browsing and other programs so it wont flood the window. Remove explorer.exe from your firewalls blocked list if it was blocked, then open my computer and hit F3, it should provoke explorer.exe to contact hive mind, I mean sa.windows.com

    What could this be....? in earlier threads, people mostly say how to block it, not what it is or does.

    edit: Seems its not sending mac address, it was only shown on wireshark and it was hard to read.
    Last edited: Feb 14, 2011
  2. Heimdall

    Heimdall Registered Member

    Jul 29, 2009
    What you're seeing is default behaviour for Explorer. It's actually part of the Windows search service and the communication you're seeing is, what used to be called, the Windows Search Assistant, updating itself.

    The site for the privacy policy used to be http://sa.windows.com/privacy/ but that seems to have changed.

    Personally, I disable the Windows search service and block Explorer from connecting to the Internet.
  3. elapsed

    elapsed Registered Member

    Apr 5, 2004
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.