Josh Stroschein

Disabling Network Connectivity Status Indicator (NCSI)

According to this article on MSDN, Microsoft introduced the Network Connectivity Status Indicator in Windows Vista. While there may be a number of reasons to investigate this service, my motivation is in eliminating the resulting network traffic from my malware sandbox. This service performs an HTTP GET request for a text document, ncsi.txt, from any number of Microsoft hosts.

[Figure: Requests for NCSI.txt in Moloch]

While it would be easy enough to filter this traffic based on the user-agent (Microsoft NCSI) or similar, in this scenario I find it even better to simply eliminate the behavior altogether. To accomplish this, only a simple change to the registry is needed.

Windows 7

  1. Open the registry editor by pressing Windows-R, then typing in regedit before hitting Enter

  2. Navigate to HKEY_LOCAL_MACHINE -> SYSTEM -> CurrentControlSet -> services -> NlaSvc -> Parameters -> Internet

  3. Double-click on EnableActiveProbing and change the value from 1 to 0

  4. Click OK

And now you should stop seeing that traffic!
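The same change scripted in PowerShell, useful when building sandbox images repeatedly. This is an added example, not code from the original post; the function names are hypothetical, and the key path and value name are the ones given in the steps above.

```powershell
# Added example: scripted form of the manual registry steps above.
# Run from an elevated PowerShell prompt inside the sandbox guest.
# Uses only cmdlets available in PowerShell 2.0, which ships with Windows 7.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet'
$name = 'EnableActiveProbing'

function Get-NcsiActiveProbing {
    # Returns the current value as an integer, or $null if the value is absent.
    $prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return [int]$prop.$name
}

function Disable-NcsiActiveProbing {
    if (-not (Test-Path -Path $key)) {
        throw "Registry key not found: $key"
    }

    $before = Get-NcsiActiveProbing
    if ($before -eq 0) {
        Write-Output "$name is already 0; nothing to change."
        return
    }

    # Same edit as step 3: set the DWORD to 0.
    # -Force overwrites the existing value (or creates it if it was absent).
    New-ItemProperty -Path $key -Name $name -Value 0 `
        -PropertyType DWord -Force | Out-Null

    # Read the value back so a failed write does not go unnoticed.
    $after = Get-NcsiActiveProbing
    if ($after -ne 0) {
        throw "$name is still '$after' after the write (is the prompt elevated?)."
    }

    if ($null -eq $before) { $before = '(not set)' }
    Write-Output "$name changed from $before to $after."
}

Disable-NcsiActiveProbing
```

After running it, confirm in your capture tool that requests with the Microsoft NCSI user-agent no longer appear.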


