Windows 7 Network Awareness: How Windows knows it has an internet connection

nhinkle

Have you ever been connecting to a new wireless network and seen the following pop-up balloon?

Whenever I connect to a WiFi network which requires in-browser authentication, such as university networks and hotel access points, Windows somehow magically knows. Windows also knows when your internet connection isn’t working, and can differentiate between having local LAN access, no network access at all, or full internet access. But how?

This week’s question of the week is one I myself asked about this very topic. I guessed that there must be some online Microsoft site that Windows is checking to determine the state of the connection, but I wanted proof, not just speculation.

How does Windows know whether it has internet access or if a Wi-Fi connection requires in-browser authentication?

Tobias Plutat and Jeff Atwood both replied with information about the Network Connectivity Status Indicator (NCSI) service, first introduced in Windows Vista.

When called on by Network Awareness, NCSI can add information about the following capabilities for a given network:

- Connectivity to an intranet
- Connectivity to the Internet (possibly including the ability to send a DNS query and obtain the correct resolution of a DNS name)

NCSI is designed to be responsive to network conditions, so it examines the connectivity of a network in a variety of ways. For example, NCSI tests connectivity by trying to connect to http://www.msftncsi.com, a simple Web site that exists only to support the functionality of NCSI.

How does it work?

Windows does indeed check a Microsoft site for connectivity, using the Network Connectivity Status Indicator site. There are a few variations of the connection checking process:

1. NCSI performs a DNS lookup on www.msftncsi.com, then requests http://www.msftncsi.com/ncsi.txt. This file is a plain-text file and contains only the text Microsoft NCSI.

2. NCSI sends a DNS lookup request for dns.msftncsi.com. This DNS address should resolve to 131.107.255.255. If the address does not match, then it is assumed that the internet connection is not functioning correctly.

The exact sequence of when which test is run is not documented; however, a little bit of digging around with a packet sniffing tool like Wireshark reveals some info. It appears that on any connection, the first thing NCSI does is request the text file (step 1 above). NCSI expects a 200 OK response header with the proper text returned. If the response is never received, or if there is a redirect, then a DNS request for dns.msftncsi.com is made. If DNS resolves properly but the page is inaccessible, then it is assumed that there is a working internet connection, but an in-browser authentication page is blocking access to the file. This results in the pop-up balloon above. If DNS resolution fails or returns the wrong address, then it is assumed that the internet connection is completely unsuccessful, and the “no internet access” error is shown.

The order of events appears to be slightly different depending on whether the wireless network is saved, has been connected to before even if it is not in the saved connections list, and possibly depending on the encryption type. The DNS and HTTP requests and responses showing up in Wireshark were not always consistent, even connecting to the same network, so it’s not entirely clear what causes different methods of detection under different scenarios.
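The decision sequence observed above, written out as an added example (not code from the original post or from Windows). The function and class names are illustrative, the sample results are constructed, and the byte-for-byte body comparison is an assumption that matches the trailing-newline behaviour reported in the comments below.

```python
import socket
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Optional

# Default probe values as reported in the article.
WEB_PROBE_URL = "http://www.msftncsi.com/ncsi.txt"
WEB_PROBE_BODY = b"Microsoft NCSI"      # 14 bytes, no line terminator
DNS_PROBE_HOST = "dns.msftncsi.com"
DNS_PROBE_ANSWER = "131.107.255.255"

@dataclass
class HttpResult:
    status: int   # HTTP status code actually returned
    body: bytes   # raw body, compared byte for byte

def classify(http: Optional[HttpResult], dns_answer: Optional[str]) -> str:
    """Map probe results to a state; None means that probe got no answer."""
    if http is not None and http.status == 200 and http.body == WEB_PROBE_BODY:
        return "internet"
    # Web probe missing, redirected or rewritten: fall back to the DNS probe.
    if dns_answer == DNS_PROBE_ANSWER:
        return "captive_portal"     # DNS works, something sits in front of HTTP
    return "no_internet"

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Surface 3xx responses instead of following them: a redirect is
    # itself the in-browser-authentication signal.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def probe_live(timeout: float = 5.0) -> str:
    """Run both probes against the real endpoints (needs network access)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(WEB_PROBE_URL, timeout=timeout) as resp:
            http = HttpResult(resp.status, resp.read())
    except urllib.error.HTTPError as err:   # 3xx, 4xx, 5xx
        http = HttpResult(err.code, err.read())
    except OSError:                         # timeout, refused, lookup failure
        http = None
    try:
        dns_answer = socket.gethostbyname(DNS_PROBE_HOST)
    except OSError:
        dns_answer = None
    return classify(http, dns_answer)

# Constructed sample results, not captured traffic.
SAMPLES = {
    "open network": (HttpResult(200, b"Microsoft NCSI"), "131.107.255.255"),
    "portal redirect": (HttpResult(302, b""), "131.107.255.255"),
    "portal page": (HttpResult(200, b"<html>Login</html>"), "131.107.255.255"),
    "file with trailing newline": (HttpResult(200, b"Microsoft NCSI\n"), "131.107.255.255"),
    "wrong DNS answer": (None, "10.0.0.1"),
    "no DNS": (None, None),
}

if __name__ == "__main__":
    for name, (http, dns) in SAMPLES.items():
        print(f"{name}: {classify(http, dns)}")
```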

What about my privacy?

Some people may be concerned about Windows “phoning home” to Microsoft with their PC’s information through this service. According to Microsoft’s documentation, NCSI retains the time of access and IP addresses of requests made to www.msftncsi.com:

IIS logs are stored on the server at www.msftncsi.com. These logs contain the time of each access and the IP address recorded for that access. These IP addresses are not used to identify users, and in many cases, they are the address of a network address translation (NAT) computer or proxy server, not a specific client behind that NAT computer or proxy server.

It is possible to disable NCSI by a registry setting if you don’t want Microsoft to be able to check your internet connection.

1. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet

2. Under the Internet key, double-click EnableActiveProbing, and then in Value data, type: 0.

The default for this value is 1. Setting the value to 0 prevents NCSI from connecting to a site on the Internet during checks for connectivity.

When I changed this registry setting, Wireshark picked up no more communication to the NCSI site. As a result, there was no indicator that in-browser authentication was required, and the connection indicator would say “internet connection” even if there was in fact none present.

In the same registry key were a series of other parameters. The expected DNS response, the host to query for a DNS address, the expected content of the text file, the name of the text file, and the domain with the text file were all included. The other parameters are not quite as self-explanatory. I tried adapting PassivePollPeriod, expecting it to change how frequently NCSI would poll the server. It appeared at first that the decimal value was equal to that many tenths of a minute, so a value of 5 polls every 30 seconds and a value of 10 polls every minute. However, the frequency also seemed to decrease with time. I could not figure out the use of the other two values.

Can I run my own NCSI server?

For those concerned about privacy, is it possible to run your own server to respond to these requests? Let’s find out!

I created ncsi.nathanhinkle.com on my web hosting, and set it up to send /ncsi.txt as a plain text file with the content nhinkle NCSI. I then changed all of the registry values to point to the values for my server, and what do you know, it worked! Looking in Wireshark, requests were being made to my server instead of to Microsoft’s server, and the system was still determining the status of the internet connection correctly. The user agent on the requests was still Microsoft NCSI, indicating that it was indeed the same service making the requests.


So, if you want your computer to be able to check its connectivity to the internet while not sending your every move to Microsoft, this is a way to do it. As an added benefit, this could be used as a tracking mechanism to see where your computer goes, particularly should it get lost or stolen, since any connection attempt will result in your server being requested.
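Because repointing these values sends every connection attempt to whichever server they name, it is worth checking what a .reg file sets before importing it. The following is an added example, not part of the original post: it parses a registry export and reports each NCSI probe value that differs from the defaults described above. ActiveWebProbeContent, ActiveDnsProbeHost and ActiveDnsProbeContent are the Windows value names for settings the article describes without naming, ncsi.example.com is a placeholder, and the sample file is constructed.

```python
import re

NCSI_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet"

# Defaults as described in the article.
DEFAULTS = {
    "EnableActiveProbing": 1,
    "ActiveWebProbeHost": "www.msftncsi.com",
    "ActiveWebProbePath": "ncsi.txt",
    "ActiveWebProbeContent": "Microsoft NCSI",
    "ActiveDnsProbeHost": "dns.msftncsi.com",
    "ActiveDnsProbeContent": "131.107.255.255",
}

# Matches "Name"="string" and "Name"=dword:0000000a lines of a .reg file.
_VALUE = re.compile(
    r'^"(?P<name>[^"]+)"=(?:"(?P<str>(?:[^"\\]|\\.)*)"|dword:(?P<dword>[0-9a-fA-F]{1,8}))$'
)

def parse_reg(text):
    """Return {key_path: {value_name: str or int}} for string and dword values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = _VALUE.match(line)
            if m and m["dword"] is not None:
                current[m["name"]] = int(m["dword"], 16)
            elif m:
                # .reg strings escape backslashes and quotes with a backslash.
                current[m["name"]] = re.sub(r"\\(.)", r"\1", m["str"])
    return keys

def audit_ncsi(text):
    """List (name, default, new_value) for each NCSI value the file changes."""
    findings = []
    for path, values in parse_reg(text).items():
        if path.lower() != NCSI_KEY.lower():
            continue
        for name, value in values.items():
            if name in DEFAULTS and value != DEFAULTS[name]:
                findings.append((name, DEFAULTS[name], value))
    return findings

# Constructed sample export; the host is a placeholder.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet]
"ActiveWebProbeHost"="ncsi.example.com"
"ActiveWebProbePath"="ncsi.txt"
"ActiveWebProbeContent"="example NCSI"
"EnableActiveProbing"=dword:00000001
'''

if __name__ == "__main__":
    for name, default, new in audit_ncsi(SAMPLE_REG):
        print(f"{name}: {default!r} -> {new!r}")
```

Exported .reg files are usually UTF-16 encoded, so decode the file accordingly before passing its text to `audit_ncsi`.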

As operating systems become increasingly complex, features like this can make your life much easier, but it’s always good to know what’s happening behind the scenes.

Posted by nhinkle on May 16th, 2011
Filed under Question of the Week, Windows

1. Bloodphilia says: May 16th, 2011 at 8:17 am

Great post! I always wondered how they did this! Awesome that you tried setting up your own server.

And as the CAPTCHA says: “Quality ofechana!”

P.S. What’s that small green timer in your taskbar that says “3:21” at the top screen shot?

2. nhinkle says: May 16th, 2011 at 5:03 pm

Bloodphilia, that’s BatteryBar. It was actually suggested to me in a Super User question! http://superuser.com/q/127089/20088

3. Chris Thompson says: May 16th, 2011 at 11:42 pm

I came for an interesting article and I was shocked to see my BatteryBar application in your screenshot! As the author I love running into people running my app.

4. Ian says: May 16th, 2011 at 11:54 pm

This must be how the Zune detects internet access as well. It’s the most annoying thing because a Zune won’t allow you to connect to a network that doesn’t have network access and therefore I can’t connect to my university’s network since I have to authenticate before the Zune can detect internet.

5. Jason says: May 17th, 2011 at 12:24 am

If the service was ddos’d, would millions of windows users get a pop-up stating limited connectivity or connected but further log in details required? Sound like a prank 4chan might play…

6. Sigjuice says: May 17th, 2011 at 1:10 am

“How does it work?” should say http://www.msftncsi.com/ncsi.txt and not http://msftncsi.com/ncsi.txt

7. KronoS says: May 17th, 2011 at 6:49 am

Fixed thanks.

8. Mike says: May 17th, 2011 at 11:21 am

Is the most recent result stored somewhere (so I could look somewhere in memory for it instead of having to run another DNS lookup/HTTP request myself?)

9. ASP.Net Halifax says: May 17th, 2011 at 11:42 am

Some excellent investigative work to reveal how this works, very interesting read!

10. S says: May 17th, 2011 at 12:53 pm

Very interesting read, especially the bit about using this as a tracking mechanism application.

Small error: should say “tenths of a minute” not “tenths of a second”

11. RENi says: May 17th, 2011 at 1:32 pm

Maybe this is worth adding, the ncsi.txt file hosted on msftncsi.com seems to have no end of line.

$ file ncsi.txt
ncsi.txt: ASCII text, with no line terminators

If you want to host your own, make sure it doesn’t have an eol either or else the balloon “Additional log on information may be required” will popup.

12. Ted Sbardella says: May 17th, 2011 at 2:49 pm

Very interesting – thanks so much!

13. nhinkle says: May 17th, 2011 at 2:56 pm

Thanks “S” for pointing out that error, I have fixed it in the article.

14. Dinos says: May 17th, 2011 at 8:22 pm

Minor correction, “NCSI performs a DNS lookup on http://www.msftncsi.com/ncsi.txt, then requests “

DNS lookup is performed on the name not on the URI. Proper sentence will be “NCSI performs a DNS lookup on http://www.msftncsi.com then requests … “

Almost the same method is performed by Apple on iphone/ipod etc devices.

15. socceroos says: May 18th, 2011 at 12:32 am

Well, seems that it’s not quite telling the truth. If it can do a DNS lookup then it has internet access.

Tunneling traffic through DNS queries is a cinch these days with all the ready-made tools.

16. dinos_correction says: May 18th, 2011 at 12:36 am

if you’re being picky lookup does not use schema either – “NCSI performs a DNS lookup on http://www.msftncsi.com then requests …”

17. DrunkMunki says: May 18th, 2011 at 12:37 am

for those lazy people, you can find the registry import file below; http://www.drunkmunki.com/NCSI_Probing.reg

just edit it to what you want then import it to every pc you need.

18. Jason says: May 18th, 2011 at 12:41 am

“Proper sentence will be “NCSI performs a DNS lookup on http://www.msftncsi.com then requests … “”

Actually, it’s “NCSI performs a DNS lookup on http://www.msftncsi.com then requests … “

19. chefybuck says: May 18th, 2011 at 1:02 am

Can disabling the NCSI lookup be used as a work-around for the infamous “unknown network” in Vista and sometimes Win7?

20. Ansuz says: May 18th, 2011 at 1:05 am

…brilliant write up. A good idea for higher education & corporate admins to implement via Domain Policy. I’m sure it will assist in reducing the number of calls for technical support…

21. Windows 7 Network Awareness | digital explorations says: May 18th, 2011 at 1:47 am

[...] I was looking around on Slashdot tonight and found the article “Windows 7 Network Awareness: How Windows knows it has an internet connection“. [...]

22. g0dkar says: May 18th, 2011 at 1:49 am

You just got into Slashdot. Watch out!! – great article, btw (Yes, I RTFA, heh)

23. RO says: May 18th, 2011 at 1:53 am

Interesting displayed by lynx text-mode browser (from Linux PC):

Linkname: Entry into main screen
URL: http://www.msftncsi.com/ncsi.txt
Charset: iso-8859-1
Server: Microsoft-IIS/7.0
Date: Wed, 18 May 2011 01:46:07 GMT
Last Mod: Tue, 13 Jan 2009 00:37:56 GMT
Cache-Control: max-age=30,must-revalidate
Content-Length: 14 bytes
Owner(s): None
size: 0 lines
mode: normal

No Links on the current page

The text would indeed seem to have no terminating CR/NL since 14 bytes is the length of the text string exactly.

FWIW

24. Harry Johnston says: May 18th, 2011 at 2:09 am

In a corporate setting, this can be configured with Group Policy. See “Network Connectivity Status Indicator” in Network in the Computer Configuration node.

25. samwyse says: May 18th, 2011 at 2:12 am

“As an added benefit, this could be used as a tracking mechanism to see where your computer goes, particularly should it get lost or stolen, since any connection attempt will result in your server being requested.” Personally, I’d want to track several computers with one server. Looks like I just need to set up my server to return the same file for many different requests, then imbed my host name in the request. For example, I could set ActiveWebProbePath to “nsci-NAME.txt” or set ActiveWebProbeHost to “NAME.nsci.example.com” where my DNS is configed to resolve *.nsci.example.com to the same IP address.

26. Vicks says: May 18th, 2011 at 2:12 am

What about NCSI for ipv6? How does that work?

27. WhizzMan says: May 18th, 2011 at 2:29 am

DNS lookups don’t lookup http:// or /nsci-something.txt They only look up the hostname part

28. Magnus says: May 18th, 2011 at 2:38 am

Nice work, enjoyed the article.

29. Ron says: May 18th, 2011 at 2:47 am

“If it can do a DNS lookup then it has internet access.”

Unless there’s a DNS server on the LAN which has access to the world even though you might be blocked.

30. Windows 7 and Windows Vista: Network Awareness » Rob Sanders: Sanders Technology says: May 18th, 2011 at 2:53 am

[...] interesting article which documents how Windows Vista and later versions of Microsoft Windows uses network location awareness to determine aspects of your computer’s networking [...]

31. Jarmund says: May 18th, 2011 at 3:09 am

Another alternative for lazy people:

http://www.jarmund.net/stuff/JarmundNCSI.reg

..my server, using it myself.

By the way, i’ve been told “this probably works for Windows Vista as well…” can someone confirm this?

32. WizADSL says: May 18th, 2011 at 5:48 am

I found this info from MS about how NCSI works http://technet.microsoft.com/en-us/library/ee126135%28WS.10%29.aspx ; you may want to take a look

33. nhinkle says: May 18th, 2011 at 6:29 am

Thanks for the info, WizADSL. That looks to be an identical duplicate of the information in the article I linked to, just updated with “Windows 7” in the title instead of “Windows Vista”, but good to know!

34. Arno Nym says: May 18th, 2011 at 7:10 am

“NCSI performs a DNS lookup on http://www.msftncsi.com/ncsi.txt, then requests http://www.msftncsi.com/ncsi.txt.” is bullshit.

“NCSI performs a DNS lookup on http://www.msftncsi.com, then requests …” is correct.

35. killasmurf86 says: May 18th, 2011 at 9:29 am

@Jarmund << yes works on Vista as well

36. Marijn says: May 18th, 2011 at 9:42 am

Great article! I always assumed it had to make some call to check internet connectivity, now it’s good to know exactly how it works and even better so how to change the behaviour.

One thing that might be noteworthy is that Microsoft isn’t the only one who can track your internet connectivity. The DNS servers you use, so probably your ISP, can track you just as easily. All they have to do is log any lookups of ‘www.msftncsi.com’ and ‘dns.msftncsi.com’.

37. Criação de Sites says: May 18th, 2011 at 12:12 pm

Thanks for letting us know how to disable this NCSI thing.

38. samwyse says: May 18th, 2011 at 12:24 pm

OK, anyone can now use samwyse.appspot.com as an NCSI server. http://samwyse.appspot.com/ncsi-example.txt will return a file consisting of “example NCSI” (no newline!), while http://samwyse.appspot.com/ncsi-example.reg will return a Windows registry file to use this for the Active Web Probe; the Active DNS Probe is currently unchanged. Note that you can replace the word “example” with any text that you wish. Note that all access is logged via App Engine’s server log, so Google and I will know what you’re doing. I’ll try later to add an internal log to allow users to view just accesses to “their” strings.

39. sirmuzz says: May 18th, 2011 at 2:45 pm

LOL arguing about the DNS lookup. You both have it wrong.

…”DNS lookup is performed on the name not on the URI. Proper sentence will be “NCSI performs a DNS lookup on http://www.msftncsi.com then requests … “

Well you’re closer but still not there….

It is “DNS lookup is performed on the name not on the URI. Proper sentence will be “NCSI performs a DNS lookup on http://www.msftncsi.com then requests … “

DNS = Networking 101….

40. sirmuzz says: May 18th, 2011 at 2:46 pm

Ok so you were right…damn website auto adds http://... bad webmaster bad!

41. Windows 7 Phones Home Every Time You Change Networks | Discourse.net says: May 18th, 2011 at 2:50 pm

[...] good news is that, not only can you disable the service, you can even tell it to check your own server instead. If you have a [...]

42. DigiP says: May 18th, 2011 at 3:25 pm

Funny, because I had written about this in 2009 when troubleshooting connection issues in Windows 7 after a new install. I’ve disabled this service because of the whole connectivity issue, if 7 can’t see that site because it’s down or for whatever reason, it causes all sorts of issues trying to get online, even when you manually set an IP configuration for the NIC.

See http://www.twistedpairrecords.com/blog/2009/11/07/windows-7-connectivity-issues/ for rant. You can also change priority for IPv4 over IPv6, since IPv6 connections will be tried first over IPv4, if your router only does IPv4, it’s just one less step your machine has to perform to check for first.

43. Doug M. says: May 18th, 2011 at 4:23 pm

all your network connection belong to us.

44. KronoS says: May 18th, 2011 at 4:29 pm

don’t you mean ‘are belong to us’?

45. Kurt Shubert says: May 18th, 2011 at 7:45 pm

Very interesting article. Thanks for the “enlightenment” on this.

This is one of those things I have wanted to know for some time but have never cared enough about to do the research. Thanks for having taken the time to do it for me!

46. Jason O. says: May 18th, 2011 at 7:46 pm

We had a different problem. It was the winhttp machine proxy settings. Info here. http://social.technet.microsoft.com/Forums/en/w7itpronetworking/thread/e3e7a1e4-d410-4668-8c33-a57175c44e48

47. doofus says: May 18th, 2011 at 9:18 pm

No need to insert the verb “are”.

It already does belong.

48. doofus says: May 18th, 2011 at 9:19 pm

It should be “belongs” anyway.

49. Windows 7 Network Awareness - Tech Support Forums - TechIMO.com says: May 19th, 2011 at 1:27 am

[...] 7 Network Awareness Windows 7 Network Awareness: How Windows knows it has an internet connection – Super User Blog If you have Windows 7 Home you can manually add the registry key to keep it from polling [...]

50. Michele says: May 19th, 2011 at 5:46 am

“It should be “belongs” anyway.”

I believe Doug M. was parodying the famous 1991 Sega video game message “All your base are belong to us” (as translated direct from Japanese).

51. iam8up says: May 19th, 2011 at 10:43 pm

GREAT article. I was curious myself for some time.


Super User Blog

The Super User Community Blog


posts are licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.