Tuts 4 You

Windows processes - Which of them need internet access?


LCF-AT


Hi guys,

so I have a new question about all Windows 10 processes which are running sometimes or all the time and wanna access the internet. My question is which of them really need any internet access? Of course, when I have no internet connection then no process can communicate over the internet, but if I have one then I get different requests from specific Windows processes that wanna do something over the internet. So I set my firewall so that I get asked first before a process tries to access the internet the first time. Now I can allow or not allow it. Just wanna know which processes I have to allow and which I can disallow (un-needed things)? Is there any list on the internet I can check for that?

svchost.exe            - Yes
smartscreen.exe        - Yes
usocoreworker.exe      - Yes
taskhostw.exe          - Yes / No ?
systemsettings.exe     - Yes / No ?
speechruntime.exe      - Yes / No ?
backgroundtaskhost.exe - Yes / No ?
sihclient.exe          - Yes / No ?
...

I'm not sure about all processes and which of them I can disallow without problems. Main goal is just to keep my Windows up to date (important stuff) like updates etc. Maybe you have some info about it or something.

greetz

Link to comment
Share on other sites

windows 10 wants to use the internet all the time, even when you do nothing, even when you disable telemetry, even if you use apps to block windows, etc...
blocking processes can get tricky i think, especially when it comes to system processes like svchost. instead i think a better solution would be to build a firewall and route all the traffic through it. (at least that's what i do)
i configured my firewall (pfsense) with aliases for microsoft as they have many ips, built a whitelist and reject everything else.
some based on lists i found on the internet, some based on my home experience in monitoring my system.


i did the same thing for the stuff i use 'daily': pgp key verification services, server certs, akamai, and for some apps like steam, my email/ftp clients, etc. (when the app wants to call home to check for updates)
some with ip, like my first list for microsoft when they own the AS, and some with just domain names like:

Quote

servers_crl_ocsp:
crl.swisssign.net - SwissSign
crl.globalsign.net - GlobalSign
crl.globalsign.com - GlobalSign
crl.startssl.com - StartSSL
ocsp.certum.pl - CertUM
ocsp.comodoca.com - Comodo
ocsp.digicert.com - DigiCert
ocsp.startssl.com - StartSSL
ocsp.usertrust.com - UserTrust
ocsp.verisign.com - Verisign
ocsp.globalsign.com - Globalsign
sf.symcd.com - Verisign (OCSP)

it took time to build at first, but once done, no deviance allowed!

  • Like 1
Link to comment
Share on other sites
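The default-deny alias matching described in the post above, as an added example that is not part of the original post or of pfSense itself. The alias entries are constructed from RFC 5737 documentation ranges, and `parse_alias` and `is_allowed` are hypothetical helper names; the parser also reports invalid, duplicate and already-covered entries, which hand-built lists tend to accumulate.

```python
import ipaddress
import re

# Constructed alias entries (RFC 5737 documentation ranges), written in an
# "address / prefix - note" layout like a hand-maintained firewall alias.
ALIAS_TEXT = """\
192.0.2.0 / 24 - Example Corp
198.51.100.0 / 24 - Example Corp
198.51.100.128 / 25 - Example Corp
203.0.113.7 - single host (constructed)
203.0.113.259 - typo in last octet (constructed)
192.0.2.0 / 24- Example Corp
"""

ENTRY = re.compile(r"\s*([0-9.]+)(?:\s*/\s*(\d+))?")

def parse_alias(text):
    """Return (networks, problems); bad lines are reported, never loaded."""
    nets, problems = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ENTRY.match(line)
        if not m:
            continue
        entry = m.group(1) + ("/" + m.group(2) if m.group(2) else "")
        try:
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError:
            problems.append((lineno, entry, "invalid"))
            continue
        if net in nets:
            problems.append((lineno, entry, "duplicate"))
        elif any(net.subnet_of(other) for other in nets):
            problems.append((lineno, entry, "covered by a wider entry"))
        else:
            nets.append(net)
    return nets, problems

def is_allowed(dest, nets):
    """Default deny: only destinations inside a whitelisted network pass."""
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:
        return False
    return any(addr in net for net in nets)

if __name__ == "__main__":
    networks, issues = parse_alias(ALIAS_TEXT)
    for issue in issues:
        print("alias problem:", issue)
    print(is_allowed("198.51.100.200", networks), is_allowed("203.0.113.8", networks))
```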

I use a firewall to ask me whether to allow or block internet access, so it builds a whitelist & blacklist of apps / processes / services and either accepts / denies automatically if it has already asked me, or asks me if new

I also use custom entries in hosts file for MS servers

  • Like 1
Link to comment
Share on other sites

svchost.exe is a service container process, it holds multiple sub-systems in it to do various tasks for the system. You can request a full list of what's running in all of the instances of svchost.exe via:

[code]tasklist /svc | find "svchost.exe"[/code]
[code]tasklist /svc /fi "imagename eq svchost.exe"[/code]

These generally hold important system services, but some can be turned off from the system's Services configuration panel, don't just kill the process.

smartscreen.exe is part of Windows Defender.

usocoreworker.exe is part of Windows Update. (Update Service Orchestrator)

taskhostw.exe is used for the Windows tasks system.

systemsettings.exe is the newer UWP version of the control panel for Win10. These kinds of apps will go into a suspended state when they are closed/minimized to make them faster to reopen when requested. 

speechruntime.exe is generally for assistance related things, but it can be turned on by various other apps/services. (ie. things that use your speakers, microphone, web cam, etc.)

backgroundtaskhost.exe is used for Windows' background tasks, as the name implies. A lot of different parts of the system will use this process. More commonly why you may see it a lot on stock Win10 is due to telemetry, Windows Search and Cortana. Windows/Microsoft basically by default will attempt to send all data you search for on your system to MS's servers, more so when the search results in Bing's suggestions popping up. (Removing Cortana fully will break Windows search to some degree, less than before now though if you do decide to remove it fully. I'd recommend Void Software 'Everything' search over the default Windows search anyway.)

sihclient.exe is also part of Windows Update. It's MS's attempt to enforce/ensure that Windows Update is running and not disabled. This service is part of the means of restoring it to working order, trying to ensure it's always active. 

You can use a tool like Wu10Man to disable updates though: https://github.com/WereDev/Wu10Man

  • Like 1
Link to comment
Share on other sites
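To see which services inside a given svchost.exe instance are actually talking to the internet, the `tasklist /svc` listing from the post above can be joined with `netstat -ano` on the PID. This is an added example, not part of the original post: both outputs below are constructed samples (English-locale column names assumed, documentation and private addresses), and the function names are hypothetical.

```python
import csv
import io
import ipaddress

# Constructed sample of: tasklist /svc /fo csv /fi "imagename eq svchost.exe"
TASKLIST_CSV = '''"Image Name","PID","Services"
"svchost.exe","1012","BrokerInfrastructure,DcomLaunch,PlugPlay"
"svchost.exe","1480","Dnscache"
"svchost.exe","2296","wuauserv"
"svchost.exe","3120","UsoSvc"
'''

# Constructed sample of: netstat -ano
NETSTAT = '''
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1012
  TCP    192.168.1.20:49712     203.0.113.10:443       ESTABLISHED     2296
  TCP    192.168.1.20:49730     198.51.100.25:443      ESTABLISHED     3120
  TCP    192.168.1.20:49731     192.168.1.1:445        ESTABLISHED     4
  UDP    0.0.0.0:5353           *:*                                    1480
'''

# Destinations treated as local (RFC 1918, loopback, link-local); IPv4 only.
LOCAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def services_by_pid(tasklist_csv):
    """Map each svchost PID to the list of services it hosts."""
    rows = csv.DictReader(io.StringIO(tasklist_csv))
    return {int(r["PID"]): r["Services"].split(",") for r in rows}

def external_connections(netstat_text):
    """Yield (pid, remote_ip, remote_port) for established TCP to non-local hosts."""
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) != 5 or f[0] != "TCP" or f[3] != "ESTABLISHED":
            continue
        host, _, port = f[2].rpartition(":")
        try:
            ip = ipaddress.ip_address(host.strip("[]"))
        except ValueError:
            continue  # skip anything that is not a plain address
        if not any(ip in net for net in LOCAL):
            yield int(f[4]), str(ip), int(port)

def svchost_talkers(tasklist_csv, netstat_text):
    """List (pid, services, remote_ip, remote_port) for svchost instances only."""
    svc = services_by_pid(tasklist_csv)
    return [(pid, svc[pid], ip, port)
            for pid, ip, port in external_connections(netstat_text) if pid in svc]
```

An instance that hosts several services shows up with all of them, so the PID alone narrows the candidates without always naming a single service.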
