WINSS.EXE Holding TCP Connection to Level 3 Communications, Inc

  • Question

  •  

    I have a TCP connection to 192.221.106.124:80 held by winss.exe.  I'm informed that winss.exe is part of OneCare and that the IP address points to Level 3 Communications, Inc in Colorado.

     

    Can anyone explain, please?
    Friday, February 22, 2008 5:23 PM

Answers

  • On my machine, winss.exe has a session established with 192.168.123.145:6331

    So, I searched for 6331 and found this thread, apparently scraped from the Microsoft public newsgroups since I participated in that discussion in October of last year.

    http://www.techtalkz.com/windows-live-onecare/146249-winss-exe-using-port-6331-why.html

    In my case, that IP address is another PC in my OneCare circle. I don't know why that PC versus the other PC in my Circle, but that's what it is.

    The above thread apparently explained the connection, posted by the thread starter:

    "Thanks for the information, it was a connection that was established to a
    remote computer running OneCare to another OneCare computer running inside
    Domain. This must have something to do with 'Manage your OneCare circle'
    because remote computer disconnected the internal Domain OneCare computer
    continuously attempted to re-establish connection to the last known IP
    addresses of the remote computer. It was attempting to connect via the
    Public Sprint IP address and the VPN IP address.

    This traffic did not stop on the Domain computer until the remote computer
    was reconnected in the Domain. Maybe WinSS.exe should stop trying after a
    number of failures; it continued trying to connect to Port 6331 on the last
    known IP addresses of remote computer for over 1 1/2 days, and shutdown
    domain computer did not stop it except while machine was turned-off. When
    computer was restarted it began attempting connection again."

     

    -steve

     

    Saturday, March 1, 2008 2:10 AM
    Moderator

All replies

  •  jebbushell wrote:

     

    I have a TCP connection to 192.221.106.124:80 held by winss.exe.  I'm informed that winss.exe is part of OneCare and that the IP address points to Level 3 Communications, Inc in Colorado.

     

    Can anyone explain, please?

     

    I'll see what I can find out about this later, but I'd be surprised if winss.exe is actually holding this connection open. Something else is, but OneCare may be registered due to scanning the activity over that socket.

    -steve

    Friday, February 22, 2008 8:03 PM
    Moderator
  • Jeb;

     

    More info, see this post by kesuki on 29Aug07:

    http://forums.microsoft.com/WindowsOneCare/ShowPost.aspx?PostID=2071843&SiteID=2

     

    Friday, February 22, 2008 8:37 PM
  • Just FYI, today Feb 25, the IP address is now 207.123.33.126 which is still Level 3 Communications.  The state is CLOSE_WAIT.

     

    Hopefully, this is not a feed to the DHS.

     

    Monday, February 25, 2008 10:44 AM
  • Still waiting.

     

    Is Windows OneCare providing monitoring services to the "authorities"?

     

    Wednesday, February 27, 2008 9:19 AM
  • I don't have an answer for you, since I've never seen what you're seeing. OneCare does not perform any monitoring for any 3rd parties. The only data communicated by OneCare is specific to the state of OneCare on the PC and happens with the OneCare servers during the periodic "heartbeat" communication session to check for updates. This does not include any PC usage data.

    -steve

     

    Wednesday, February 27, 2008 7:22 PM
    Moderator
  • In the command window, try the command

     

    NETSTAT -bn

     

    Using this command on my machine indicates that program winss.exe is currently holding a TCP port in a CLOSE_WAIT state on IP address 192.221.106.126:80

     

    I believe that winss.exe is a part of the OneCare suite.

     

     

    Thursday, February 28, 2008 2:45 PM
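
Added example, not part of any post in this thread: a small parser for `NETSTAT -bn` output that pairs each connection with the executable named on the following line and lists only the remote ends outside private address space, which separates a LAN or VPN peer from an Internet host. The sample text is constructed (the local address 10.0.0.5 and the row layout are assumptions); the remote addresses are the ones quoted in the thread.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the layout `netstat -bn` prints; not captured from a real
# host. Remote addresses are the ones quoted in this thread.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    10.0.0.5:49172         192.221.106.126:80     CLOSE_WAIT
 [winss.exe]
  TCP    10.0.0.5:49180         192.168.123.145:6331   ESTABLISHED
 [winss.exe]
  TCP    10.0.0.5:49201         207.123.33.126:80      CLOSE_WAIT
 [winss.exe]
  TCP    10.0.0.5:49230         10.0.0.1:445           ESTABLISHED
 Can not obtain ownership information
"""

CONN = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s*(\S*)")
OWNER = re.compile(r"^\s*\[(.+)\]\s*$")

def parse_netstat_bn(text):
    """Pair each connection row with the [executable] line that follows it."""
    conns = []
    for line in text.splitlines():
        row, owner = CONN.match(line), OWNER.match(line)
        if row:
            host, _, port = row.group(3).rpartition(":")
            conns.append({"remote_ip": host.strip("[]"), "remote_port": port,
                          "state": row.group(4), "owner": None})
        elif owner and conns and conns[-1]["owner"] is None:
            conns[-1]["owner"] = owner.group(1).lower()
    return conns

def external_by_owner(conns):
    """Group connections whose remote end is not a private address by owner."""
    grouped = defaultdict(list)
    for c in conns:
        try:
            if ipaddress.ip_address(c["remote_ip"]).is_private:
                continue  # e.g. a LAN or VPN peer such as another Circle PC
        except ValueError:
            pass  # "*" or unparsable: keep it visible rather than drop it
        grouped[c["owner"] or "unknown"].append(
            (c["remote_ip"], c["remote_port"], c["state"]))
    return dict(grouped)

if __name__ == "__main__":
    for owner, rows in external_by_owner(parse_netstat_bn(SAMPLE)).items():
        print(owner, rows)
```
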
  • I have LOTS of connections to Level_3.  None of them show up in netstat (vista).  Most of the IPs end in .123 or .124

     

    Put a packet sniffer on your DSL and you'll be amazed at the Level_3 traffic.  Traffic exists even after I block all outgoing (public) in windows firewall.

     

    Friday, March 7, 2008 6:30 PM
  • Steven,

     

    Thanks for this explanation/hypothesis.  It makes sense that the OneCare Circle is related to this TCP 6331  traffic.

     

    I wonder if the UDP 7001 traffic I'm seeing simultaneously is likewise related? **edit** no - it's MSN Messenger network scanning.

     

    This brings up a feature request I'd like to see developed into the product.  That is actually managing the computers that are part of the OneCare subscription.  In other words, I've removed OneCare from previously subscribed machines and now want to end the relationship of OneCare to that machine (and the OneCare Circle).  I want to see the list of associated OneCare PC's and manage this.  Not only will this cut down on the rejected traffic I'm seeing in my ISA logs but makes it practical to know which machines I've got in the subscription.  For instance I think I may have added a PC to my subscription and then given this away but I'm not completely certain.  My record keeping was unfortunately dodgy and it would be nice to just go online to my OneCare Service account and see the subscription members.  This could also deal with someone heisting my account credentials - aka fraud.

     

    As OneCare is flirting with rolling into the SBS realm now, this is going to be even more crucial.  An administrator needs to have this kind of useful information to ensure licensing compliance.

     

    Regards,

    Dale

    Sunday, March 23, 2008 1:08 PM
  •  Chad Johnson wrote:

    Steven,

     

     

    This brings up a feature request I'd like to see developed into the product.  That is actually managing the computers that are part of the OneCare subscription.  In other words, I've removed OneCare from previously subscribed machines and now want to end the relationship of OneCare to that machine (and the OneCare Circle).  I want to see the list of associated OneCare PC's and manage this.  Not only will this cut down on the rejected traffic I'm seeing in my ISA logs but makes it practical to know which machines I've got in the subscription.  For instance I think I may have added a PC to my subscription and then given this away but I'm not completely certain.  My record keeping was unfortunately dodgy and it would be nice to just go online to my OneCare Service account and see the subscription members.  This could also deal with someone heisting my account credentials - aka fraud.

     

    As OneCare is flirting with rolling into the SBS realm now, this is going to be even more crucial.  An administrator needs to have this kind of useful information to ensure licensing compliance.

     

    Regards,

    Dale

    This can be done now from a hub PC in your "Circle." Make one PC a hub and it will list all other PCs that are in the Circle (with version 2.0 of OneCare - older versions removed in the past will not appear.) You can then expand the details and remove any PC from the subscription, causing it to be expired on that PC if it is still running on that PC.

    -steve

    Monday, March 24, 2008 2:18 AM
    Moderator
  • Hi Steven,

     

    I'm aware of those hub management features but these function insufficiently.  This is partly due to the fact that it is only an option and not a requirement to put the OneCare clients into the Hub Circle.  There are reasons why you wouldn't want to have everything in a managed hub especially if you are running a lab environment such as I do.  If this were to be ever deployed into a business environment (which Microsoft has on several occasions promoted) this too would be a confusing thing to administer if the total number of PC's exceeded one 3 PC hub.

     

    I'd also like to gently state that if the hub management actually fully removed the relationship we wouldn't have the need to create this thread on the phantom TCP 6331 traffic coming from the OneCare client.  That TCP 6331 traffic is also very odd in that the private IP range I've seen in the monitoring logs doesn't correspond to any range I've ever used in my networks.

     

    What we need is a way for OneCare to cleanly manage its relationships with other OneCare clients and not through a dumbed down UI which now inadequately likewise must serve administrators if it is to continue being promoted into the workplace.

     

    Thanks,

    Dale

     

    Tuesday, March 25, 2008 8:34 PM
  • I agree that there should be a secure members site where your entire subscription details should be able to be managed.

    Stay tuned regarding OneCare for Server, which will likely have more management features. I know nothing about the plans except what was in the press release, but hopefully, it won't just be an enhanced Circle/Hub feature, but a true management interface for an administrator. If that happens, perhaps it will then move down to OneCare as we know it today for subscriptions that exceed 3 PCs (which is the current limit today).

    -steve

     

    Wednesday, March 26, 2008 2:35 AM
    Moderator