
I have GlassWire installed on my PC in order to monitor incoming and outgoing network connections, and I also use a VPN regularly (these 2 details seem irrelevant but will become useful later).

Very often, regardless of what I may be doing at the time, I notice in GlassWire that NT Kernel & System is contacting (uploading data but not getting a response back) various local and non-local IP addresses, such as 10.0.0.5 (my phone), 10.0.0.3 (my computer's IP on my home LAN), 10.8.0.136 (my computer's IP on the VPN LAN) as well as multicast IPs (224.0.0.252).

It also makes some connections to some public IP addresses owned by Microsoft and Google, but what concerned me most was that I noticed that most of the non local IP addresses it was making connections to were the IP addresses of VPN servers that I had connected to myself earlier in the same day or even the previous day.

Sometimes I can see it's made a connection to seemingly every single one of the some 300 VPN servers my provider has.

Why is it making these connections? I am curious: why is NT Kernel & System querying the IP addresses of VPN servers that I have connected to in the past? Does anyone know the actual purpose of "NT Kernel & System"? I'm wondering if this is some telemetry function or, less likely, malicious events. I am concerned with it contacting all these IP addresses and I hope it's not logging them somewhere.

I would be appreciative if someone more knowledgeable than myself on the function of this program could inform me please.

harrymc
Computer_User
  • How many network adapters do you have in *Settings > Network & Internet > Status > Change adapter options*? If there are 300 adapters, then this is normal. What is your Windows version? – harrymc Jan 12 '20 at 19:45
  • I'm using Windows 10 Build 18363 and I have 6 network adapters (Bluetooth, Ethernet, Ethernet 2, Ethernet 4, VirtualBox Host-Only Network #2, and Wi-Fi, with Ethernet 2 and 4 being the VPN network adapters, and I'm connecting the PC by wire). – Computer_User Jan 12 '20 at 20:55
  • Do I understand correctly that you use 2 VPNs? What are these 300 servers? – harrymc Jan 12 '20 at 21:01
  • Yes, I use two different VPNs: one is a commercial VPN, and those 300 servers belong to this provider, and the other VPN is a private one that I have set up. – Computer_User Jan 12 '20 at 23:48

1 Answer


What you are seeing is normal behavior for network discovery, full name Simple Service Discovery Protocol.

Since the VPN creates a network, which in most aspects behaves just the same as a local network, Windows is periodically issuing discovery messages on the network for verifying the status of all the other computers that it knows about, as well as finding new computers, devices and services.

The 224.0.0.252 IP address that you see is the Link-Local Multicast Name Resolution, by which network discovery is achieved.

harrymc
  • Thank you, this clears it up for me a lot. – Computer_User Jan 13 '20 at 22:13
  • I also get connections to Microsoft servers, but unlike OP, I do not use VPN to these endpoints. How would they then end up being queried by my computer? Any thoughts? – Jon Nov 10 '20 at 19:07
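
A triage sketch for the kind of destination list described in the question, added here as an example and not part of the original thread: it labels each (destination, UDP/TCP port) pair seen from the System process as a well-known discovery group, other multicast, a VPN server you already know about, a private address, or a public address to look into. The function names, the sample rows and the VPN range `203.0.113.0/24` are constructed assumptions; the group addresses and ports for LLMNR, mDNS and SSDP are the registered ones.

```python
import ipaddress
from collections import Counter

# Registered multicast discovery groups: (address, UDP port) -> protocol.
DISCOVERY_GROUPS = {
    ("224.0.0.252", 5355): "LLMNR",
    ("224.0.0.251", 5353): "mDNS",
    ("239.255.255.250", 1900): "SSDP",
}


def classify(dst, port, vpn_servers=()):
    """Return a triage label for one destination seen from the System process."""
    ip = ipaddress.ip_address(dst)
    name = DISCOVERY_GROUPS.get((str(ip), port))
    if name:
        return f"discovery:{name}"
    if ip.is_multicast:
        return "multicast:other"
    # Checked before is_private so that addresses you listed yourself win.
    if any(ip in ipaddress.ip_network(net) for net in vpn_servers):
        return "known-vpn-server"
    if ip.is_private:
        return "private-lan"
    return "public:review"


def summarize(rows, vpn_servers=()):
    """Count labels over (dst, port) rows exported from a connection monitor."""
    return Counter(classify(dst, port, vpn_servers) for dst, port in rows)


# Constructed sample rows; the 10.x addresses are the ones named in the question.
SAMPLE = [
    ("224.0.0.252", 5355),      # LLMNR query
    ("10.0.0.5", 5355),         # unicast reply path to a LAN host
    ("10.8.0.136", 137),        # host address on the VPN LAN
    ("239.255.255.250", 1900),  # SSDP search
    ("203.0.113.10", 1194),     # constructed VPN server address
    ("8.8.8.8", 443),           # public address, not in the VPN list
]
VPN = ["203.0.113.0/24"]        # assumption: your provider's server range

if __name__ == "__main__":
    for label, count in sorted(summarize(SAMPLE, VPN).items()):
        print(f"{count:3d}  {label}")
```

Anything left under `public:review` after you have filled in the VPN server list is what deserves a closer look in the monitor's per-connection detail.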