wuauclt.exe and MS HOTMAIL

I have been setting up very specific app rules within my firewall, and have noticed scvhost.exe occassionally trying to make a TCP connection to an IP addresss registered to MS Hotmail (Microsoft), using remote port 443. This concerned me, as I couldn't think of a legitimate reason any application would automatically try to make an SSL connection to Hotmail. So I did some digging.

Looking through PG logs over numerous days, I have determined that these connections to MS Hotmail occur exactly when the process wuauclt.exe runs. Now I realize this app has something to do with managing automatic Windows updates. And since Windows and Microsoft are obviously related, now I'm thinking these attempts to "phone home" are probably not malicious. But why a Hotmail address I sure would like to understand this, or maybe at least have someone else confirm this is OK before I allow it. Very strange.

Thanks.

 

I noticed it too : I guess this is to check your Passport account, so that Windows can show a "X unread messages" alert on your logon screen ( under your account picture), after you've logged of from your session . Didn't you ever notice theses alerts before?

Cheers,
nicM

 

nicM,

Not sure what you mean by Passport messages. I don't use Passport for messaging. Actually, I don't think I use Passport for anything at all.

Never really examined svchost connections before.

 

Well, I think the question is just : do you have an hotmail account? If yes, then Windows will check if there are new mails on it, when starting; I bet this is the purpose of this "TCP connection to an IP addresss registered to MS Hotmail (Microsoft), using remote port 443" ;

I don't see other explanations , but maybe I'm wrong.

Sorry, the term "alert" I used was misleading: I was talking about the "X unread messages" notification you get, when you re-log on, on teh "Welcome" screen. I mean If you logg off your Windows session (without to shut down) , and re-log on, you should see it .

Look here for more infos.

Cheers,
nicM

 

Nope.

 

HUh ? That's weird then, I don't see what this connection is made for...

Maybe the connection is done by default, as this unread mail checking is a default registry settings?

Sorry... I've only questions now , but no answers.

 

Exactly, nic. Did I understand you correctly that you are also seeing svchost trying to make a connection to Hotmail on your PC? If so, it's probably not mailicious.

My concern is that something hijacked my PC, and was phoning home. I understand using svchost in that way is not uncommon.

 

Hi Dazed and Confused,

Yes indeed, I noticed it few months ago on at least two XP computers at home (typically during the computer's start), and after doing a whois as you did, I thought that the "X unread messages" notification was probably making sense. Theses computers are clean, so there's nothing malicious involved a priori .

Btw I'm surprised that so few people had something to tell about that connection here .

Cheers,
nicM

 

Yes, I agree. It may have something to do with the forum where I posted this thread. On the other hand, it may be because not many have noticed it.

In any case, I am blocking the connections with no adverse result. Thanks for all your help!!