You can be sure that your computer is connected to the server that hosts my website while you read this article, but in addition to the obvious connections to the sites open in your web browser, your computer can connect to a variety of other servers. which are not visible.
In most cases, you really won’t want to do anything written in this article as it requires a lot of technical things to consider, but if you think that there is a program on your computer that should not be there to communicate secretly on the Internet described below methods will help you discover something unusual.
It’s worth noting that a computer running an operating system like Windows with multiple programs installed will by default establish many connections to external servers. For example, on my Windows 10 PC, after a restart and no programs running, multiple connections are made by Windows itself, including OneDrive, Cortana, and even desktop search. Read my article on securing Windows 10 to find out how you can prevent Windows 10 from communicating with Microsoft servers too often.
There are three ways to monitor your computer’s Internet connections: via the command line, using the resource monitor, or using third-party programs. I will mention the command line last because it is the most technical and the most difficult to decipher.
The easiest way to check all of your computer’s connections is to use Resource Monitor. To open it, you have to click “Start” and then enter “Resource Monitor”. You will see several tabs at the top and we want to click on Network.
On this tab, you will see several sections with different types of data: processes with network activity, network activity, TCP connections and listening ports.
All data listed on these screens is updated in real time. You can click the header in any column to sort the data in ascending or descending order. In the “Processes with network activity” section, the list includes all processes that have some kind of network activity. You will also be able to see the total amount of data sent and received in bytes per second for each process. You will notice that there is an empty checkbox next to each process that can be used as a filter for all other sections.
For example, I didn’t know what nvstreamsvc.exe was, so I checked it and then looked at the data in other sections. In the “Network Activity” section, you want to view the “Address” field, which should contain the IP address or DNS name of the remote server.
By itself, the information here does not necessarily help you understand whether this is a good or bad thing. You should use some third party websites to help you identify the process. First, if you don’t know the name of the process, google it using the full name, for example nvstreamsvc.exe.
Always click at least the first four or five links, and you will immediately know if the program is safe. In my case it was due to NVIDIA streaming service, which is safe but I don’t need to. Specifically, this process is for streaming games from your PC to NVIDIA Shield, which I don’t have. Unfortunately, when you install the NVIDIA driver, it installs many other features that you don’t need.
Since this service runs in the background, I never knew it existed. It wasn’t showing up on the GeForce panel, so I assumed I just had the driver installed. Once I realized that I didn’t need this service, I was able to uninstall some NVIDIA software and get rid of the service that was constantly communicating over the network, although I never used it. This is one example of how examining each process can help you not only identify possible malware, but also remove unnecessary services that could be exploited by hackers.
Second, you must find the IP address or DNS name specified in the Address field. You can use a tool like DomainTools to provide you with the information you need. For example, in the “Network Activity” section, I noticed that the steam.exe process is connecting to the IP address 184.108.40.206. When I hooked it up to the tool mentioned above, I was delighted to know that the domain is controlled by Valve, the company that owns Steam.
If you see an IP address connecting to a server in China, Russia, or some other strange place, you might have a problem. A Google search usually brings you to articles on how to remove malware.
The Resource Monitor is great and provides a lot of information, but there are other tools that can give you a little more information. I recommend two tools – TCPView and CurrPorts Both look pretty much the same, except that CurrPorts provides a lot more data. Here is a screenshot of TCPView:
The most interesting are the lines with the ESTABLISHED state. You can right-click any line to end the process or close the connection. Here is a screenshot of CurrPorts:
Look at the ESTABLISHED connections again when viewing the list. As you can see from the scrollbar at the bottom, CurrPorts has a lot more columns for each process. You can actually get a lot of information with these programs.
Finally, there is the command line. We will use the netstat command to provide us with detailed information about all current network connections being output to the TXT file. Information is essentially a subset of what you get from Resource Monitor or third-party programs, so it is really only useful for technicians.
Here’s a small example. First, open an administrator command prompt and enter the following command:
netstat -abfot 5> c: activity.txt
Wait a minute or two and then press CTRL + C on your keyboard to stop capturing. The above netstat command will collect all network connection data every five seconds and save it to a text file. The abfot part is a set of parameters with which we can get additional information in the file. Here’s what each parameter means, in case you’re wondering.
When you open the file, you will see almost the same information we got from the other two methods above: process name, protocol, local and remote port numbers, remote IP / DNS name, connection status, process ID, etc.
Again, all this data is the first step towards determining if something suspicious is happening or not. You will have to google a lot, but this is the best way to find out if someone is spying on you or if malware is sending data from your computer to some remote server. If you have any questions, do not hesitate to comment. Enjoy!