wuauclt.exe and MS HOTMAIL

Discussion in 'other software & services' started by Dazed_and_Confused, Apr 22, 2006.

Thread Status:
Not open for further replies.
  1. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    I have been setting up very specific app rules within my firewall, and have noticed scvhost.exe occasionally trying to make a TCP connection to an IP address registered to MS Hotmail (Microsoft), using remote port 443. This concerned me, as I couldn't think of a legitimate reason any application would automatically try to make an SSL connection to Hotmail. So I did some digging. ;)

    Looking through PG logs over numerous days, I have determined that these connections to MS Hotmail occur exactly when the process wuauclt.exe runs. Now I realize this app has something to do with managing automatic Windows updates. And since Windows and Microsoft are obviously related, now I'm thinking these attempts to "phone home" are probably not malicious. But why a Hotmail address? o_O I sure would like to understand this, or maybe at least have someone else confirm this is OK before I allow it. Very strange. :doubt:

    Thanks.
     
  2. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    I noticed it too: I guess this is to check your Passport account, so that Windows can show a "X unread messages" alert on your logon screen (under your account picture), after you've logged off from your session :) . Didn't you ever notice these alerts before?

    Cheers,
    nicM
     
  3. Dazed_and_Confused

    nicM,

    Not sure what you mean by Passport messages. I don't use Passport for messaging. Actually, I don't think I use Passport for anything at all. :doubt:


    Never really examined svchost connections before.
     
  4. nicM

    Well, I think the question is just: do you have a Hotmail account? If yes, then Windows will check if there are new mails on it, when starting; I bet this is the purpose of this "TCP connection to an IP address registered to MS Hotmail (Microsoft), using remote port 443".

    I don't see other explanations :shifty: , but maybe I'm wrong.


    Sorry, the term "alert" I used was misleading: I was talking about the "X unread messages" notification you get, when you re-log on, on the "Welcome" screen. I mean if you log off your Windows session (without shutting down), and re-log on, you should see it :) .

    Look here for more info.

    Cheers,
    nicM
     
  5. Dazed_and_Confused

    Nope. :doubt:
     
  6. nicM

    Huh? o_O That's weird then, I don't see what this connection is made for...

    Maybe the connection is done by default, as this unread mail checking is a default registry setting?

    Sorry... I've only questions now ;) , but no answers.
     
  7. Dazed_and_Confused

    Exactly, nic. Did I understand you correctly that you are also seeing svchost trying to make a connection to Hotmail on your PC? If so, it's probably not malicious. ;)

    My concern is that something hijacked my PC, and was phoning home. I understand using svchost in that way is not uncommon. :doubt:
     
  8. nicM

    Hi Dazed and Confused,

    Yes indeed, I noticed it a few months ago on at least two XP computers at home (typically during the computer's start), and after doing a whois as you did, I thought that the "X unread messages" notification was probably making sense. These computers are clean, so there's nothing malicious involved a priori ;) .

    Btw I'm surprised that so few people had something to tell about that connection here o_O .

    Cheers,
    nicM
     
  9. Dazed_and_Confused

    Yes, I agree. It may have something to do with the forum where I posted this thread. On the other hand, it may be because not many have noticed it. :cool:

    In any case, I am blocking the connections with no adverse result. Thanks for all your help!! :D
     