Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


SMB-traffic on my computer

  • Please log in to reply
1 reply to this topic

#1 rogerthat69


  • Members
  • 31 posts
  • Gender:Male
  • Local time:10:24 AM

Posted 15 January 2017 - 11:12 AM

Hi folks,


I´m on a single Asus(8RAM i7-4710HQ 2.50GHz) lap-top alone(no lan) behind a router not using fileprinter-sharing(ever). Running Win 10 Home upgraded from 8.1. Experiencing since long some noticeable effects(not big but still very changed without reason really) regarding system start-up and close-down times(also confirmed by Event Viewer-logs). Running Firefox with 3-4 very popular add-ons but browser needs 450 Mb "in idle" with only 1 tab open. FF is rel. slow here but maybe normal. System shows noticeable time-delays also when not using internet-connected software or browsing. Memory-leaking(corrupted file-system) and/or external use of my computer(-resources) as client/server?


Due to the above I started to look more deeply into MS-logs:


1. Got a Warning from EV 2016-09-28 (MS Anniversary Update(date)) telling me that the source; SMBServer(ID1025), recognised that registry-key HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters been changed(this day or only a notice due to security-uppdate by MS?). Standardvalues are "empty" but here NullSessionPipes, NullSessionShares.  Explicitly the Warning says I am allowing anonymous users access to the server(my computer). Have I got a Server? Pretty new info also!!


2. Still I am told Firewall-ports are closed for file/printer-sharing(ID 1027) which would imply SMB-traffic would not be able to run through my FW(I am not

convinced though).


3. An Endpoint have been added(ID 1010); Domainname "Workgroup", Transportname; \Device\NetbiosSmb. Am I part to a Workgroup now?


4. My "Server"-resources have been activated(ID 1023) for accessbased enumeration.  This will be done either by Server-manager or by Windows PowerShell-cmdlet Set-SmbShare.


5. Networkname-info have been added(ID 1012) for my ISP-IP-Address and Router/Computer; Added; Netname: " * ".


Above 1-5 on the same day 2016-09-28 out of the SMBServer-Operational-log. Logged activities are registred until 2017-01-03.


From the SMBServer-Connectivity-log ID 1022 on the 2016-10-18 registred that a Firewallrule for File- and Printer-Sharing has been activated. The operational log(ID 1001) said: A client tried to connect to server with SMB1 but was denied by an Administrator(that´s me I guess). SMB1-filesharing has been inactivated or uninstalled. What I did was that I deactivated the Windows service; Server(old Lanmanserver). Right or wrong? I was uncomfortable.


SMBClient-Connectivity logs (from 2016-09-28 and ends 2016-01-03) TCP/IP interface-transactions.


As a "security"-response I have also inactivated the Windows service; Workstation(set to manual today)




From PowerShell-logs;


1. Got a Warning 2016-09-28(same as above) telling me PS Scriptblock´s were Executing Remote Commands.


This has been going on ever since in certain time-intervals. Could there be a connection between SMB-logs and PS-logs?


From some of the PS Scriptblocks I noticed the filename "Windows\TEMP\SDIAG.......... .js1". This gave me the clue that maybe

we are talking Microsoft doing Diagnostics on my system? I have then tried to search the internet on this subject correlating to

the SMB-protocol and/or MS using PowerShell-coding BUT found nothing at all. The thing is MS allowed the user to uninstall 

PowerShell in prior versions of WindowOS(i.e. Win7, Vista etc). With Win 10 Home that is not an option anymore. Why? Or

why does not MS tell their customer the reason? PowerShell can be used for exploitation as can the SMB-protocol. That´s why

I want to close these options. Yesterday a script run that collected Accessrights i.e. I checked the date/time matching it with MS

tasks scheduled in Task Scheduler but found null. Just as an paranthesis I can tell you how I changed PowerShell-permissions

to make the software unusable. What happened later? A hidden start-up command during booting; "powershell.exe -noexit

-command Set-Location '%V'" popped up probably making someone(MS)to run powershell on my computer but executing line

by line remotely??


Am I paranoid and compromized or is MS been given the admission to take whatever they want without permission or even telling

us about it?



ps! I have the dxgkrnl.sys startup-problem. The file + another one is wanted multiple times.



not yet solved ds!


Thanks for letting me posting




BC AdBot (Login to Remove)


#2 rogerthat69

  • Topic Starter

  • Members
  • 31 posts
  • Gender:Male
  • Local time:10:24 AM

Posted 16 January 2017 - 01:18 PM

Anyone else checked his/her own SMB/PowerShell LOGs?


Noticed that I could not set off(disable) VPN(advanced options) in Settings\Network and Internet\VPN. When I do it is "ON" again when I return to the page. Remarkably it worked

for a very short while when I first activated and started the Win 10 service "Remote Access Connection Manager(RasMan)" and then stopped VPN. But again only for a while. Believe

it or not but I have now tried several times to stop VPN and suddenly it seems to work. RasMan is "inactivated". That was 2 min ago. RasMan has now started while it is "inactivated"!

And so is SSTP-protocol(Secure Socket Tunneling ). There is something overriding here. VPN again is "ON" not possible to turn "OFF".


Going back to "Settings". Choose "Privacy" and then "Feedback and Diagnostics". You will find that you can not prevent Microsoft from collecting whatever they really want from your

machine. Well you can as I did choose "Basic" instead of Enhanced or Full(recommended). But as I showed, MS can implement/enable probably any kind of PS-scripts for collections.

Your are only informed there is some kind of differential in hell. Worse seems to be that MS tries to give you the impression that all that collected diagnose-data are dependent for your computer to work properly. MS says "...certain diagnos-data are essential for the operation of Windows and will not be possible to shut down. They also tell you that your are not made anonymous. Every collectible is registred on an individual basis. Probably in some kind of semi-machine-learning process. MS ends this telling you that if you comply with "Full Feedback" YOU will be rewarded with the best(instant) Window-experiance of all. What a lie. Good intentions, yes, but at a severe personal integrity-cost. My Windows will hopefully get better and

better for each Update. Not by any secret coding-activity computer for computer.


Back to the beginning of this post: Is there a connection between my Errors/Warnings etc. and Microsoft Feedback compliance? Is MS using SMB-protocol over a built in VPN to collect my data? I can not tell. I am not a computer-expert. But it seems to be parallells and circumstancial evidence here. On the other hand, why give your customer an error-warning during a normal

MS data-collection-process? Remember it started with the Anniversary Update 28th of September.


Looking forward to blog-reactions!





ps! I guess trying stop stop certain well-known but sometimes "unnecessary Windows-"Services" could end up destabilizing the OS. Is that fair? ds!

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users