Power Pack 3 TransportService.exe issue?

  • Question

  • Since installing Power Pack 3 on my WHS, every 5 minutes it tries 40+ times to connect to 65.55.7.141 (sqm.microsoft.com according to Sygate).

     

    C:\Program Files\Windows Home Server\TransportService.exe   329 KB

     

    I noticed this when my router lights flashed when I was not expecting traffic.  I thoroughly scanned my server with a virus scanner (Norton Anti Virus), and by careful timing I could catch it with netstat -b, but I could find no process other than "TransportService.exe" version 6.0.2423.0 10-7-2009.  I ran RootKit Revealer and found nothing of interest. I ran HiJack This! also.  I then installed Sygate personal firewall and ran a backtrace on the link.

    A tracert shows the connection going deep inside Microsoft.

    Partial Router log clip: 0.53 is my WHS

    04-01-2010    08:21:52    Local7.Debug    192.168.0.1    Thu, 2010-04-01 08:21:49 - TCP packet - Source: 192.168.0.53 - Destination: 65.55.7.141 - [Connection closed.Bytes transferred : 964 Src 4052 Dst 80 from LAN]
    04-01-2010    08:21:52    Local7.Debug    192.168.0.1    Thu, 2010-04-01 08:21:49 - TCP packet - Source: 192.168.0.53 - Destination: 65.55.7.141 - [Connection closed.Bytes transferred : 964 Src 4053 Dst 80 from LAN]
    04-01-2010    08:21:52    Local7.Debug    192.168.0.1    Thu, 2010-04-01 08:21:49 - TCP packet - Source: 192.168.0.53 - Destination: 65.55.7.141 - [Connection closed.Bytes transferred : 964 Src 4054 Dst 80 from LAN]
    04-01-2010    08:21:52    Local7.Debug    192.168.0.1    Thu, 2010-04-01 08:21:49 - TCP packet - Source: 192.168.0.53 - Destination: 65.55.7.141 - [Connection closed.Bytes transferred : 964 Src 4055 Dst 80 from LAN]
    04-01-2010    08:21:52    Local7.Debug    192.168.0.1    Thu, 2010-04-01 08:21:49 - TCP packet - Source: 192.168.0.53 - Destination: 65.55.7.141 - [Connection closed.Bytes transferred : 964 Src 4048 Dst 80 from LAN]
    04-01-2010    08:21:52    Local7.Debug    192.168.0.1    Thu, 2010-04-01 08:21:49 - TCP packet - Source: 192.168.0.53 - Destination: 65.55.7.141 - [Connection closed.Bytes transferred : 964 Src 4049 Dst 80 from LAN]
    04-01-2010    08:21:52    Local7.Debug    192.168.0.1    Thu, 2010-04-01 08:21:49 - TCP packet - Source: 192.168.0.53 - Destination: 65.55.7.141 - [Connection closed.Bytes transferred : 964 Src 4050 Dst 80 from LAN]
    04-01-2010    08:21:52    Local7.Debug    192.168.0.1    Thu, 2010-04-01 08:21:49 - TCP packet - Source: 192.168.0.53 - Destination: 65.55.7.141 - [Connection closed.Bytes transferred : 964 Src 4051 Dst 80 from LAN]
    04-01-2010    08:21:52    Local7.Debug    192.168.0.1    Thu, 2010-04-01 08:21:49 - TCP packet - Source: 192.168.0.53 - Destination: 65.55.7.141 - [Connection closed.Bytes transferred : 964 Src 4060 Dst 80 from LAN]
    04-01-2010    08:21:52    Local7.Debug    192.168.0.1    Thu, 2010-04-01 08:21:49 - TCP packet - Source: 192.168.0.53 - Destination: 65.55.7.141 - [Connection closed.Bytes transferred : 964 Src 4061 Dst 80 from LAN]
    04-01-2010    08:21:52    Local7.Debug    192.168.0.1    Thu, 2010-04-01 08:21:49 - TCP packet - Source: 192.168.0.53 - Destination: 65.55.7.141 - [Connection closed.Bytes transferred : 964 Src 4062 Dst 80 from LAN]
    04-01-2010    08:21:52    Local7.Debug    192.168.0.1    Thu, 2010-04-01 08:21:49 - TCP packet - Source: 192.168.0.53 - Destination: 65.55.7.141 - [Connection closed.Bytes transferred : 964 Src 4063 Dst 80 from LAN]
    04-01-2010    08:21:52    Local7.Debug    192.168.0.1    Thu, 2010-04-01 08:21:49 - TCP packet - Source: 192.168.0.53 - Destination: 65.55.7.141 - [Connection closed.Bytes transferred : 964 Src 4056 Dst 80 from LAN]
    04-01-2010    08:21:52    Local7.Debug    192.168.0.1    Thu, 2010-04-01 08:21:49 - TCP packet - Source: 192.168.0.53 - Destination: 65.55.7.141 - [Connection closed.Bytes transferred : 964 Src 4057 Dst 80 from LAN]
    04-01-2010    08:21:52    Local7.Debug    192.168.0.1    Thu, 2010-04-01 08:21:49 - TCP packet - Source: 192.168.0.53 - Destination: 65.55.7.141 - [Connection closed.Bytes transferred : 964 Src 4058 Dst 80 from LAN]
    04-01-2010    08:21:52    Local7.Debug    192.168.0.1    Thu, 2010-04-01 08:21:49 - TCP packet - Source: 192.168.0.53 - Destination: 65.55.7.141 - [Connection closed.Bytes transferred : 964 Src 4059 Dst 80 from LAN]
    04-01-2010    08:21:52    Local7.Debug    192.168.0.1    Thu, 2010-04-01 08:21:49 - TCP packet - Source: 192.168.0.53 - Destination: 65.55.7.141 - [Connection closed.Bytes transferred : 940 Src 4036 Dst 80 from LAN]
    04-01-2010    08:21:52    Local7.Debug    192.168.0.1    Thu, 2010-04-01 08:21:49 - TCP packet - Source: 192.168.0.53 - Destination: 65.55.7.141 - [Connection closed.Bytes transferred : 940 Src 4037 Dst 80 from LAN]
    04-01-2010    08:21:52    Local7.Debug    192.168.0.1    Thu, 2010-04-01 08:21:49 - TCP packet - Source: 192.168.0.53 - Destination: 65.55.7.141 - [Connection closed.Bytes transferred : 940 Src 4038 Dst 80 from LAN]
    04-01-2010    08:21:52    Local7.Debug    192.168.0.1    Thu, 2010-04-01 08:21:49 - TCP packet - Source: 192.168.0.53 - Destination: 65.55.7.141 - [Connection closed.Bytes transferred : 940 Src 4039 Dst 80 from LAN]
    04-01-2010    08:21:52    Local7.Debug    192.168.0.1    Thu, 2010-04-01 08:21:49 - TCP packet - Source: 192.168.0.53 - Destination: 65.55.7.141 - [Connection closed.Bytes transferred : 940 Src 4032 Dst 80 from LAN]
    04-01-2010    08:21:52    Local7.Debug    192.168.0.1    Thu, 2010-04-01 08:21:49 - TCP packet - Source: 192.168.0.53 - Destination: 65.55.7.141 - [Connection closed.Bytes transferred : 940 Src 4033 Dst 80 from LAN]
    04-01-2010    08:21:52    Local7.Debug    192.168.0.1    Thu, 2010-04-01 08:21:49 - TCP packet - Source: 192.168.0.53 - Destination: 65.55.7.141 - [Connection closed.Bytes transferred : 940 Src 4034 Dst 80 from LAN]
    04-01-2010    08:21:52    Local7.Debug    192.168.0.1    Thu, 2010-04-01 08:21:49 - TCP packet - Source: 192.168.0.53 - Destination: 65.55.7.141 - [Connection closed.Bytes transferred : 940 Src 4035 Dst 80 from LAN]
    04-01-2010    08:21:52    Local7.Debug    192.168.0.1    Thu, 2010-04-01 08:21:49 - TCP packet - Source: 192.168.0.53 - Destination: 65.55.7.141 - [Connection closed.Bytes transferred : 940 Src 4044 Dst 80 from LAN]
    04-01-2010    08:21:52    Local7.Debug    192.168.0.1    Thu, 2010-04-01 08:21:49 - TCP packet - Source: 192.168.0.53 - Destination: 65.55.7.141 - [Connection closed.Bytes transferred : 940 Src 4045 Dst 80 from LAN]
    04-01-2010    08:21:52    Local7.Debug    192.168.0.1    Thu, 2010-04-01 08:21:49 - TCP packet - Source: 192.168.0.53 - Destination: 65.55.7.141 - [Connection closed.Bytes transferred : 940 Src 4046 Dst 80 from LAN]
    04-01-2010    08:21:52    Local7.Debug    192.168.0.1    Thu, 2010-04-01 08:21:49 - TCP packet - Source: 192.168.0.53 - Destination: 65.55.7.141 - [Connection closed.Bytes transferred : 940 Src 4047 Dst 80 from LAN]
    04-01-2010    08:21:52    Local7.Debug    192.168.0.1    Thu, 2010-04-01 08:21:49 - TCP packet - Source: 192.168.0.53 - Destination: 65.55.7.141 - [Connection closed.Bytes transferred : 940 Src 4040 Dst 80 from LAN]
    04-01-2010    08:21:52    Local7.Debug    192.168.0.1    Thu, 2010-04-01 08:21:49 - TCP packet - Source: 192.168.0.53 - Destination: 65.55.7.141 - [Connection closed.Bytes transferred : 940 Src 4041 Dst 80 from LAN]
    04-01-2010    08:21:52    Local7.Debug    192.168.0.1    Thu, 2010-04-01 08:21:49 - TCP packet - Source: 192.168.0.53 - Destination: 65.55.7.141 - [Connection closed.Bytes transferred : 940 Src 4042 Dst 80 from LAN]
    04-01-2010    08:21:52    Local7.Debug    192.168.0.1    Thu, 2010-04-01 08:21:49 - TCP packet - Source: 192.168.0.53 - Destination: 65.55.7.141 - [Connection closed.Bytes transferred : 940 Src 4043 Dst 80 from LAN]
    04-01-2010    08:21:52    Local7.Debug    192.168.0.1    Thu, 2010-04-01 08:21:49 - TCP packet - Source: 192.168.0.53 - Destination: 65.55.7.141 - [Connection closed.Bytes transferred : 952 Src 4020 Dst 80 from LAN]
    04-01-2010    08:21:52    Local7.Debug    192.168.0.1    Thu, 2010-04-01 08:21:49 - TCP packet - Source: 192.168.0.53 - Destination: 65.55.7.141 - [Connection closed.Bytes transferred : 952 Src 4084 Dst 80 from LAN]
    04-01-2010    08:21:52    Local7.Debug    192.168.0.1    Thu, 2010-04-01 08:21:49 - TCP packet - Source: 192.168.0.53 - Destination: 65.55.7.141 - [Connection closed.Bytes transferred : 952 Src 4021 Dst 80 from LAN]
    04-01-2010    08:21:52    Local7.Debug    192.168.0.1    Thu, 2010-04-01 08:21:49 - TCP packet - Source: 192.168.0.53 - Destination: 65.55.7.141 - [Connection closed.Bytes transferred : 976 Src 4085 Dst 80 from LAN]
    04-01-2010    08:21:52    Local7.Debug    192.168.0.1    Thu, 2010-04-01 08:21:49 - TCP packet - Source: 192.168.0.53 - Destination: 65.55.7.141 - [Connection closed.Bytes transferred : 952 Src 4022 Dst 80 from LAN]
    04-01-2010    08:21:52    Local7.Debug    192.168.0.1    Thu, 2010-04-01 08:21:49 - TCP packet - Source: 192.168.0.53 - Destination: 65.55.7.141 - [Connection closed.Bytes transferred : 964 Src 4086 Dst 80 from LAN]
    04-01-2010    08:21:52    Local7.Debug    192.168.0.1    Thu, 2010-04-01 08:21:49 - TCP packet - Source: 192.168.0.53 - Destination: 65.55.7.141 - [Connection closed.Bytes transferred : 952 Src 4023 Dst 80 from LAN]
    04-01-2010    08:21:52    Local7.Debug    192.168.0.1    Thu, 2010-04-01 08:21:49 - TCP packet - Source: 192.168.0.53 - Destination: 65.55.7.141 - [Connection closed.Bytes transferred : 952 Src 4016 Dst 80 from LAN]

     

    Thursday, April 1, 2010 2:05 PM

Answers

  • This is normal traffic. When you accept the defaults as you set your server up, you agree to send information back to Microsoft (non-personally identifiable) regarding your use of your server. This allows Microsoft a better picture of how people are actually using the product, what minor issues they're having that Microsoft could improve, what features they never touch, etc.

    SQM stands for (I think) Software Quality Management.

    Bottom line: let it do its job. :)


    I'm not on the WHS team, I just post a lot. :)
    • Marked as answer by JoCrazy0 Thursday, April 1, 2010 3:43 PM
    Thursday, April 1, 2010 2:27 PM
    Moderator

All replies

  •  

    Thank you for the quick response.  I guess it's "beware of what you agree to, the result may not be what you expect"!   I had the TransportService blocked from sending to that IP for a bit. When I unblocked it, oh the flood!  The behavior looks like a port scan the way the port numbers rotate (which was my initial concern about a virus). I'm all for Microsoft improving the quality of the software, having had my issues with data corruption and loss in XP, but EVERY 5 MINUTES??? Sheesh!

     

    Anyway, thanks again.

    -Joe

     

    Thursday, April 1, 2010 3:43 PM
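
    Added example, not part of the original thread: a Python triage of router log lines in the format quoted in the first post, reporting per source/destination pair how many source and destination ports were used and how far apart the bursts are. Rotating source ports toward one fixed destination port are a client's ephemeral ports rather than a scan; the sample lines, the 60-second burst gap and the 10-port scan threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the router syslog format quoted in the first post.
LINE_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - TCP packet - "
    r"Source: (?P<src>[\d.]+) - Destination: (?P<dst>[\d.]+) - "
    r"\[Connection closed\.Bytes transferred : (?P<bytes>\d+) "
    r"Src (?P<sport>\d+) Dst (?P<dport>\d+)"
)

def make_sample():
    """Constructed sample: 3 bursts of 8 closed connections, 5 minutes apart."""
    lines = []
    for burst, minute in enumerate((21, 26, 31)):
        for i in range(8):
            lines.append(
                f"04-01-2010    08:{minute}:52    Local7.Debug    192.168.0.1    "
                f"Thu, 2010-04-01 08:{minute}:49 - TCP packet - Source: 192.168.0.53"
                f" - Destination: 65.55.7.141 - [Connection closed.Bytes transferred"
                f" : 964 Src {4016 + burst * 8 + i} Dst 80 from LAN]")
    return lines

def summarize(lines, gap_seconds=60, scan_ports=10):
    """Per (src, dst) pair: port fan-out and spacing between bursts."""
    flows = defaultdict(list)
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            flows[(m["src"], m["dst"])].append((ts, int(m["sport"]), int(m["dport"])))
    report = {}
    for pair, events in flows.items():
        times = sorted({e[0] for e in events})
        # A new burst starts when the gap since the previous event exceeds gap_seconds.
        starts = [times[0]] + [b for a, b in zip(times, times[1:])
                               if (b - a).total_seconds() > gap_seconds]
        dports = {e[2] for e in events}
        report[pair] = {
            "connections": len(events),
            "src_ports": len({e[1] for e in events}),
            "dst_ports": sorted(dports),
            "burst_intervals_s": [int((b - a).total_seconds())
                                  for a, b in zip(starts, starts[1:])],
            # Scan heuristic (assumed threshold): many distinct destination ports.
            "looks_like_scan": len(dports) > scan_ports,
        }
    return report
```

    Evenly spaced burst intervals with a single destination port point to a scheduled client upload; a wide spread of destination ports is what a scan would show instead.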
  • I elected to continue with this thread, rather than start another one (Mods feel free to move it, if appropriate).  I recently installed SNORT (an intrusion detection system) on my home network and have started to see traffic to 65.55.7.141 (sqm.microsoft.com).

    It alerted on a sequence of three HTTP 403 Forbidden errors coming from 65.55.7.141 and addressed to my home server.  These 403 errors come in threes about five minutes apart, and continue....

    I decided to Wireshark the connection between my home server and 65.55.7.141, and this is what I found.  As you can see it is the SQM data.  If you read the captured data the problem is that the Microsoft sqm.microsoft.com is not accepting the connection!  Anyone have any idea how to alert Microsoft so that we can get this fixed?

    Lawrence

    ---------------WireShark TCP/IP Capture-----------------

     POST /sqm/Windows/sqmserver.dll HTTP/1.1
    Accept: */*
    Content-Type: application/octet-stream
    Pragma: no-cache
    X-Description: This application is uploading non-personal data to improve quality of service
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
    Host: sqm.microsoft.com
    Content-Length: 196
    Connection: Keep-Alive
    Cache-Control: no-cache
     
    MSQMx..........#....L........................'..........................~.)..y.D...uOo:.d..$|...............................<...w...............w...................V...............................HTTP/1.1 403 .6 Forbidden
    Cache-Control: no-cache
    Pragma: no-cache
    Content-Type: text/html
    Expires: Sun, 09 Mar 1975 00:00:00 GMT
    Server: Microsoft-IIS/7.5
    X-Powered-By: ASP.NET
    Date: Mon, 19 Jul 2010 23:32:37 GMT
    Connection: close
    Content-Length: 1233
     
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
    <title>403 - Forbidden: Access is denied.</title>
    <style type="text/css">
    <!--
    body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
    fieldset{padding:0 15px 10px 15px;} 
    h1{font-size:2.4em;margin:0;color:#FFF;}
    h2{font-size:1.7em;margin:0;color:#CC0000;} 
    h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} 
    #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
    background-color:#555555;}
    #content{margin:0 0 0 2%;position:relative;}
    .content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
    -->
    </style>
    </head>
    <body>
    <div id="header"><h1>Server Error</h1></div>
    <div id="content">
     <div class="content-container"><fieldset>
      <h2>403 - Forbidden: Access is denied.</h2>
      <h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
     </fieldset></div>
    </div>
    </body>
    </html>

    Tuesday, July 20, 2010 12:01 AM
  • ... Anyone have  any idea how to alert Microsoft so that we can get this fixed? ...
    Ignore it. It's Microsoft's problem, and I will pretty much guarantee they already know about it.

    I'm not on the WHS team, I just post a lot. :)
    Wednesday, July 21, 2010 12:13 PM
    Moderator