How does Windows know the computer is connected to the Internet?

Ever wonder how Windows knows whether the computer is connected locally or not, and whether it has an Internet connection? It’s because of Network Awareness, specifically NCSI. That’s right, NCSI, and it doesn’t mean Naval Criminal Investigative Service, because that would be NCIS.

NCSI is hard at work providing information on:

  • Connectivity to an intranet.
  • Connectivity to the Internet (including the ability to send a DNS query and obtain the correct resolution of a DNS name).

NCSI stands for Network Connectivity Status Indicator. It is part of what Microsoft calls Network Awareness. Microsoft designed Network Awareness to provide network-connectivity information to services and applications running on Windows Vista and Windows 7.

I’ll bet you’re familiar with:

How?

Network Awareness checks the following at the beginning of each network connection:

“NCSI performs a DNS lookup on www.msftncsi.com. It then requests http://www.msftncsi.com/ncsi.txt. This file is a plain-text file containing the phrase ‘Microsoft NCSI’.”

If everything goes well, NCSI receives a 200 OK response header with the proper text.

If the querying computer does not receive ncsi.txt, or there is a redirect, NCSI will try the following:

“NCSI sends a DNS lookup request for dns.msftncsi.com. This address should resolve to 131.107.255.255. If the address does not match, then it is assumed the Internet connection is not functioning correctly.”

Windows will then display that fact in both Network Properties and the pop-up display.

Network Awareness checks one more thing. If the lookup for dns.msftncsi.com resolves correctly, but the web page still does not show, Network Awareness makes the following assumption: a web-browser authentication page is blocking access. That’s when the pop-up balloon makes its entry.
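The probe sequence described above, written out as an added Python example (not Microsoft's code and not part of the original post). The function names and the three result labels are assumptions; the host names, file text and expected address are the ones quoted above. The `http` and `dns` arguments can be replaced with constructed results so the decision logic can be exercised offline.

```python
import socket
import urllib.error
import urllib.request

# Values quoted in the post above.
PROBE_URL = "http://www.msftncsi.com/ncsi.txt"
PROBE_TEXT = "Microsoft NCSI"
DNS_NAME = "dns.msftncsi.com"
DNS_EXPECTED = "131.107.255.255"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """A redirect counts as a failed probe, so never follow one."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError carrying the 3xx code


def http_probe(url=PROBE_URL, timeout=5):
    """Return (status, body); status is None if no HTTP response arrived."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.read(64).decode("ascii", "replace")
    except urllib.error.HTTPError as exc:  # 3xx/4xx/5xx answers
        return exc.code, ""
    except OSError:  # DNS failure, refused connection, timeout
        return None, ""


def dns_probe(name=DNS_NAME):
    """Return the set of IPv4 addresses the name resolves to."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)}
    except OSError:
        return set()


def classify(http=http_probe, dns=dns_probe):
    """Labels are hypothetical names for the three outcomes the post describes."""
    status, body = http()
    if status == 200 and body.strip() == PROBE_TEXT:
        return "internet"
    if DNS_EXPECTED in dns():
        return "captive-portal"  # name resolves correctly, page does not show
    return "no-internet"


if __name__ == "__main__":
    print(classify())
```

Both probes are plain, unauthenticated HTTP and DNS, so the result reflects whatever the local network chooses to answer.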

 

Is there a concern?

Is there a concern about what other information Microsoft might be gathering during the packet exchange? The TechNet webpage describing NCSI states:

“IIS logs are stored on the server at www.msftncsi.com. These logs contain the time of each access and the IP address recorded for that access. These IP addresses are not used to identify users.”

If you are uncomfortable with Network Awareness, you can disable it by editing the registry. (Warning: Please be careful if you start altering registry keys. Make sure you have a reliable backup of your system in case you make a mistake.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet

Under the Internet key, double-click EnableActiveProbing, and then in Value data, type: 0. The default for this value is 1. Setting the value to 0 prevents NCSI from connecting to a site on the Internet during checks for connectivity.
