Oh, rempl. It’s been awhile so they’re behind if they’re just noticing it now.
I don’t recall which post you were seeing, so I’d recommend runasti64 if you want to get this under control, because it’s attached to some scheduled tasks you won’t be allowed to disable. This program opens an elevated cmd as the TrustedInstaller access, from there you can launch a program for equivalent permissions (taskschd.exe). That way you can disable or delete the tasks responsible for this behavior. Helps in lots of other instances where Windows now locks us out of controlling certain behavior–like I recently posted on the new smartscreen.exe behavior as of 1803/1809.
Since you asked, I’ve been a supporter of Net Limiter since XP. It’s literally the first program I put on a new Windows system before I’ll even connect it online, then set the default blocker behavior to ASK. That way I’m prompted when any process on my system tries to connect inbound or outbound. So it takes time to shape rules but I’ve cut down so much bullshit just among Windows, especially since Win10 turned into spyware.
NL works with IPs and ports, so DNSQuerySniffer is useful to help shape those rules, because this will log any time your system is trying to resolve hosts and what those IPs are actually resolving to. That gives you the best insight when it comes to controlling traffic, since you may want program X to be able to reach a site to download images–for example–but you don’t want it connecting to Google because it’s purely tracking built into the app.
…
You set to Ask on inbound+outbound, then what?
The Blocker tab works like a standard firewall by processing rules in order of top > bottom. So if I have an Out rule that says Firefox can connect to 10.0.0.5:53; then an Out rule saying Firefox is blocked for everything; Firefox can connect to 10.0.0.5 on port 53 and everything else it attempts is blocked. Change the order so the 10 rule is beneath the block everything, and everything is blocked because it will process that before it allows.
So at the very bottom of the list should be an In and Out System rules. That’s going to be connectivity essential to Windows, very basic functions with port 0, NetBIOS, DHCP, APIPA. You can try limiting it to private subnets like 192.128.0.0/16, fe80::, ports like 137 and 138 etc but I just permit all because Microsoft does not ever run anything over System. And if you deny it, you’re going to block the fundamental operations of Windows networking.
After that you’re free to set any rules, one to watch out for is svchost.exe because a Windows OS attaches numerous running services (check services.msc) to this process. It could be anything from BITS to wuauserv so you’d also need to pay attention to the process ID reported by NL matched against the PID reported in task manager.
…
Another one you’ll see is dashost.exe. It’s okay to allow this completely or exempt specific ports, but this is purely for your LAN connectivity, bluetooth, file sharing. You should see ports like 1900, 3702, 2869. You can search for these and see they’re associated with UPnP, broadcasts. So that’s another one that if you block it, you’re breaking basic OS functions unless you wanted to isolate the system on LAN for some reason.
