Windows 7 Network Awareness: How Windows knows it has an

internet connection
nhinkle

Have you ever been connecting to a new wireless network and seen the following pop-up balloon?

Whenever I connect to a WiFi network which requires in-browser

authentication, such as university networks and hotel access points, Windows somehow magically knows. Windows
also knows when your internet connection isn’t working, and can differentiate between having local LAN access,
no network access at all, or full internet access. But how?

This week’s question of the week is one I myself asked about this very topic. I guessed that there must be some
online Microsoft site that Windows is checking to determine the state of the connection, but I wanted proof, not just
speculation.

How does Windows know whether it has internet access or if a Wi-Fi

connection requires in-browser authentication?
Tobias Plutat and Jeff Atwood both replied with information about the Network Connectivity Status Indicator
(NCSI) service, first introduced in Windows Vista.

When called on by Network Awareness, NCSI can add information about the following capabilities
for a given network:

Connectivity to an intranet
Connectivity to the Internet (possibly including the ability to send a DNS query and obtain the
correct resolution of a DNS name)

NCSI is designed to be responsive to network conditions, so it examines the connectivity of a network

in a variety of ways. For example, NCSI tests connectivity by trying to connect to
http://www.msftncsi.com, a simple Web site that exists only to support the functionality of NCSI.

How does it work?

Windows does indeed check a Microsoft site for connectivity, using the Network Connectivity Status Indicator site.
There are a few variations of the connection checking process:

1. NCSI performs a DNS lookup on www.msftncsi.com, then requests http://www.msftncsi.com/ncsi.txt. This file is a plain-
text file and contains only the text Microsoft NCSI.
2. NCSI sends a DNS lookup request for dns.msftncsi.com. This DNS address should resolve to 131.107.255.255. If the
address does not match, then it is assumed that the internet connection is not functioning correctly.

The exact sequence of when which test is run is not documented; however, a little bit of digging around with a
packet sniffing tool like Wireshark reveals some info. It appears that on any connection, the first thing NCSI does is
requests the text file (step 1 above). NCSI expects a 200 OK response header with the proper text returned. If the
response is never received, or if there is a redirect, then a DNS request for dns.msftncsi.com is made. If DNS
resolves properly but the page is inaccessible, then it is assumed that there is a working internet connection, but an
in-browser authentication page is blocking access to the file. This results in the pop-up balloon above. If DNS
resolution fails or returns the wrong address, then it is assumed that the internet connection is completely
unsuccessful, and the “no internet access” error is shown.

The order of events appears to be slightly different depending on whether the wireless network is saved, has been
connected to before even if it is not in the saved connections list, and possibly depending on the encryption type.
The DNS and HTTP requests and responses showing up in Wireshark were not always consistent, even connecting
to the same network, so it’s not entirely clear what causes different methods of detection under different scenarios.

What about my privacy?

Some people may be concerned about Windows “phoning home” to Microsoft with their PC’s information through
this service. According to Microsoft’s documentation, NCSI retains the time of access and IP addresses of requests
made to www.msftncsi.com:

IIS logs are stored on the server at www.msftncsi.com. These logs contain the time of each access and
the IP address recorded for that access. These IP addresses are not used to identify users, and in many
cases, they are the address of a network address translation (NAT) computer or proxy server, not a
specific client behind that NAT computer or proxy server.

It is possible to disable NCSI by a registry setting if you don’t want Microsoft to be able to check your internet
connection.

1. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet
2. Under the Internet key, double-click EnableActiveProbing, and then in Value data, type:
0.The default for this value is 1. Setting the value to 0 prevents NCSI from connecting to a site
on the Internet during checks for connectivity.

When I changed this registry setting, Wireshark picked up no more communication to the NCSI site. As a result,
there was no indicator that in-browser authentication was required, and the connection indicator would say “internet
connection” even if there was in fact none present.
 In the same registry key were a series of other
parameters. The expected DNS response, the host to query for a DNS address, the expected content of the text file,
the name of the text file, and the domain with the text file were all included. The other parameters are not quite as
self explanatory. I tried adapting PassivePollPeriod, expecting it to change how frequently NCSI would poll the
server. It appeared at first that the decimal value was equal to that many tenths of a minute, so a value of 5 polls
every 30 seconds and a value of 10 polls every minute. However, the frequency also seemed to decrease with time.
I could not figure out the use of the other two values.

Can I run my own NCSI server?

For those concerned about privacy, is it possible to run your own server to respond to these requests? Let’s find out!

I created ncsi.nathanhinkle.com on my web hosting, and set it up to send /ncsi.txt as a plain text file with the
content nhinkle NCSI. I then changed all of the registry values to point to the values for my server, and what do
you know, it worked! Looking in Wireshark, requests were being made to my server instead of to Microsoft’s
server, and the system was still determining the status of the internet connection correctly. The user agent on the
requests was still Microsoft NCSI, indicating that it was indeed the same service making the requests.
So, if you want your computer to be able to check its connectivity to the internet while not sending your every
move to Microsoft, this is a way to do it. As an added benefit, this could be used as a tracking mechanism to see
where your computer goes, particularly should it get lost or stolen, since any connection attempt will result in your
server being requested.

As operating systems become increasingly complex, features like this can make your life much easier, but it’s
always good to know what’s happening behind the scenes.

Posted by nhinkle on May 16th, 2011

Filed under Question of the Week, Windows
« Migrating to Linux from Windows Getting the Most Out Of Mac OS X’s Exposé »

1. Bloodphilia says:
May 16th, 2011 at 8:17 am

Great post! I always wondered how they did this! Awesome that you tried setting up your own server.

And as the CAPTCHA says:

“Quality ofechana!”

P.S. What’s that small green timer in your taskbar that says “3:21! at the top screen shot?

2. nhinkle says:
May 16th, 2011 at 5:03 pm

Bloodphilia, that’s BatteryBar. It was actually suggested to me in a Super User question!

http://superuser.com/q/127089/20088

3. Chris Thompson says:

May 16th, 2011 at 11:42 pm

I came for an interesting article and I was shocked to see my BatteryBar application in your screenshot! As
the author I love running into people running my app.

4. Ian says:
May 16th, 2011 at 11:54 pm

This must be how the Zune detects internet access as well. It’s the most annoying thing because a Zune won’t
allow you to connect to a network that doesn’t have network access and therefore I can’t connect to my
university’s network since I have to authenticate before the Zune can detect internet.

5. Jason says:
May 17th, 2011 at 12:24 am
 If the service was ddos’d, would millions of windows users get a pop-up stating limited connectivity or
connected but further log in details required? Sound like a prank 4chan might play…

6. Sigjuice says:
May 17th, 2011 at 1:10 am

“How does it work?” should say http://www.msftncsi.com/ncsi.txt and not http://msftncsi.com/ncsi.txt

7. KronoS says:
May 17th, 2011 at 6:49 am

Fixed thanks.

8. Mike says:
May 17th, 2011 at 11:21 am

Is the most recent result stored somewhere (so I could look somewhere in memory for it instead of having to
run another DNS lookup/HTTP request myself?)

9. ASP.Net Halifax says:

May 17th, 2011 at 11:42 am

Some excellent investigative work to reveal how this works, very interesting read!

10. S says:
May 17th, 2011 at 12:53 pm

Very interesting read, especially the bit about using this as a tracking mechanism application.

Small error: should say “tenths of a minute” not “tenths of a second”

11. RENi says:

May 17th, 2011 at 1:32 pm

Maybe this is worth adding, the ncsi.txt file hosted on msftncsi.com seems to have no end of line.

$ file ncsi.txt ncsi.txt: ASCII text, with no line terminators

If you want to host your own, make sure it doesn’t have an eol either or else the ballon “Additional log on
information may be required” will popup.
12. Ted Sbardella says:
May 17th, 2011 at 2:49 pm

Very interesting – thanks so much!

13. nhinkle says:

May 17th, 2011 at 2:56 pm

Thanks “S” for pointing out that error, I have fixed it in the article.

14. Dinos says:

May 17th, 2011 at 8:22 pm

Minor correction, “NCSI performs a DNS lookup on http://www.msftncsi.com/ncsi.txt, then requests “

DNS lookup is performed on the name not on the URI. Proper sentence will be “NCSI performs a DNS
lookup on http://www.msftncsi.com then requests … “

Almost the same method is performed by Apple on iphone/ipod etc devices.

15. socceroos says:

May 18th, 2011 at 12:32 am

Well, seems that its not quite telling the truth. If it can do a DNS lookup then it has internet access.

Tunneling traffic through DNS queries is a sinch these days with all the ready-made tools.

16. dinos_correction says:

May 18th, 2011 at 12:36 am

if you’re being picky lookup does not use schema either – “NCSI performs a DNS lookup on
http://www.msftncsi.com then requests …”

17. DrunkMunki says:

May 18th, 2011 at 12:37 am

for those lazy people, you can find the registry import file below;
http://www.drunkmunki.com/NCSI_Probing.reg

just edit it to what you want then import it to every pc you need.
18. Jason says:
May 18th, 2011 at 12:41 am

“Proper sentence will be “NCSI performs a DNS lookup on http://www.msftncsi.com then requests … “”

Actually, its “NCSI performs a DNS lookup on http://www.msftncsi.com then requests … “

19. chefybuck says:

May 18th, 2011 at 1:02 am

Can disabling the NCSI lookup be used a work-around for the infamous “unknown network” in Vista and
sometimes Win7?

20. Ansuz says:

May 18th, 2011 at 1:05 am

…brilliant write up. A good idea for higher education & corporate admin’s to implement via Domain Policy.
I’m sure it will assist in reducing the number of calls for technical support…

21. Windows 7 Network Awareness | digital explorations says:

May 18th, 2011 at 1:47 am

[...] I was looking around on Slashdot tonight and found the article “Windows 7 Network Awareness: How
Windows knows it has an internet connection“. [...]

22. g0dkar says:

May 18th, 2011 at 1:49 am

You just got into Slashdot. Watch out!! – great article, btw (Yes, I RTFA, heh)

23. RO says:
May 18th, 2011 at 1:53 am

Interesting displayed by lynx text-mode browser (from Linux PC):

Linkname: Entry into main screen URL: http://www.msftncsi.com/ncsi.txt Charset: iso-8859-1 Server:
Microsoft-IIS/7.0 Date: Wed, 18 May 2011 01:46:07 GMT Last Mod: Tue, 13 Jan 2009 00:37:56 GMT
Cache-Control: max-age=30,must-revalidate Content-Length: 14 bytes Owner(s): None size: 0 lines mode:
normal

No Links on the current page

The text would indeed seem to have no terminating CR/NL since 14 bytes is the length of the text string
 exactly.

FWIW

24. Harry Johnston says:

May 18th, 2011 at 2:09 am

In a corporate setting, this can be configured with Group Policy. See “Network Connectivity Status
Indicator” in Network in the Computer Configuration node.

25. samwyse says:

May 18th, 2011 at 2:12 am

“As an added benefit, this could be used as a tracking mechanism to see where your computer goes,
particularly should it get lost or stolen, since any connection attempt will result in your server being
requested.” Personally, I’d want to track several computers with one server. Looks like I just need to set up
my server to return the same file for many different requests, then imbed my host name in the request. For
example, I could set ActiveWebProbePath to “nsci-NAME.txt” or set ActiveWebProbeHost to
“NAME.nsci.example.com” where my DNS is configed to resolve *.nsci.example.com to the same IP
address.

26. Vicks says:

May 18th, 2011 at 2:12 am

What about NCSI for ipv6? How does that work?

27. WhizzMan says:

May 18th, 2011 at 2:29 am

DNS lookups don’t lookup http:// or /nsci-something.txt They only look up the hostname part

28. Magnus says:

May 18th, 2011 at 2:38 am

Nice work, enjoyed the article.

29. Ron says:

May 18th, 2011 at 2:47 am

“If it can do a DNS lookup then it has internet access.”

 Unless there’s a DNS server on the LAN which has access to the world even though you might be blocked.

30. Windows 7 and Windows Vista: Network Awareness » Rob Sanders: Sanders Technology says:
May 18th, 2011 at 2:53 am

[...] interesting article which documents how Windows Vista and later versions of Microsoft Windows uses
network location awareness to determine aspects of your computer’s networking [...]

31. Jarmund says:

May 18th, 2011 at 3:09 am

Another alternative for lazy people:

http://www.jarmund.net/stuff/JarmundNCSI.reg

..my server, using it myself.

By the way, i’ve been told “this probably works for Windows Vista as well…” can someone confirm this?

32. WizADSL says:

May 18th, 2011 at 5:48 am

I found this info from MS about how NCSI works http://technet.microsoft.com/en-

us/library/ee126135%28WS.10%29.aspx ; you may want to take a look

33. nhinkle says:

May 18th, 2011 at 6:29 am

Thanks for the info, WizADSL. That looks to be an identical duplicate of the information in the article I
linked to, just updated with “Windows 7! in the title instead of “Windows Vista”, but good to know!

34. Arno Nym says:

May 18th, 2011 at 7:10 am

“NCSI performs a DNS lookup on http://www.msftncsi.com/ncsi.txt, then requests

http://www.msftncsi.com/ncsi.txt.” is bullshit.

“NSCI performs a DNS lookup on http://www.msftncsi.com, then requests …” is correct.

35. killasmurf86 says:

May 18th, 2011 at 9:29 am

@Jarmund << yes works on Vista as well

36. Marijn says:
May 18th, 2011 at 9:42 am

Great article! I always assumed it had to make some call to check internet connectivity, now it’s good to
know exactly how it works and even better so how to change the behaviour.

One thing that might be noteworthy is that Microsoft isn’t the only one who can track your internet
connectivity. The DNS servers you use, so probably your ISP, can track you just as easily. All they have to
do is log any lookups of ‘www.msftncsi.com’ and ‘dns.msftncsi.com’.

37. Criação de Sites says:

May 18th, 2011 at 12:12 pm

Thanks for letting us know how to disable this NCSI thing.

38. samwyse says:

May 18th, 2011 at 12:24 pm

OK, anyone can now use samwyse.appspot.com as an NCSI server. http://samwyse.appspot.com/ncsi-

example.txt will return a file consisting of “example NCSI” (no newline!), while
http://samwyse.appspot.com/ncsi-example.reg will return a Windows registry file to use this for the Active
Web Probe; the Active DNS Probe is currently unchanged. Note that you can replace the word “example”
with any text that you wish. Note that all access is logged via App Engine’s server log, so Google and I will
know what you’re doing. I’ll try later to add an internal log to allow users to view just accesses to “their”
strings.

39. sirmuzz says:

May 18th, 2011 at 2:45 pm

LOL arguing about the DNS lookup. You both have it wrong.

…”DNS lookup is performed on the name not on the URI. Proper sentence will be “NCSI performs a DNS
lookup on http://www.msftncsi.com then requests … “

Well your closer but still not there….

It is “DNS lookup is performed on the name not on the URI. Proper sentence will be “NCSI performs a DNS
lookup on http://www.msftncsi.com then requests … “

DNS = Networking 101….

40. sirmuzz says:

May 18th, 2011 at 2:46 pm
 Ok so you were right…damn website auto adds http://... bad webmaster bad!

41. Windows 7 Phones Home Every Time You Change Networks | Discourse.net says:
May 18th, 2011 at 2:50 pm

[...] good news is that, not only can you disable the service, you can even tell it to check your own server
instead. If you have a [...]

42. DigiP says:

May 18th, 2011 at 3:25 pm

Funny, because I had wrote about this in 2009 when troubleshooting connection issues in Windows 7 after a
new install. I’ve disabled this service because of the whole connectivity issue, if 7 can’t see that site because
its down or for whatever reason, it causes all sorts of issues trying to get online, even when you manually set
an IP configuration for the NIC.

See http://www.twistedpairrecords.com/blog/2009/11/07/windows-7-connectivity-issues/ for rant. You can

also change priority for IPv4 over IPv6, since IPv6 connections wil be tried first over IPv4, if your router
only does IPv4, its just one less step your machine has to perform to check for first.

43. Doug M. says:

May 18th, 2011 at 4:23 pm

all your network connection belong to us.

44. KronoS says:

May 18th, 2011 at 4:29 pm

don’t you mean ‘are belong to us’?

45. Kurt Shubert says:

May 18th, 2011 at 7:45 pm

Very interesting article. Thanks for the “enlightenment” on this.

This is one of those things I have wanted to know for some time but have never cared enough about to do the
research. Thanks for having taken the time to do it for me!

46. Jason O. says:

May 18th, 2011 at 7:46 pm

We had a different problem. It was the winhttp machine proxy settings. Info here.
http://social.technet.microsoft.com/Forums/en/w7itpronetworking/thread/e3e7a1e4-d410-4668-8c33-
 a57175c44e48

47. doofus says:

May 18th, 2011 at 9:18 pm

No need to insert the verb “are”.

It already does belong.

48. doofus says:

May 18th, 2011 at 9:19 pm

It should be “belongs” anyway.

49. Windows 7 Network Awareness - Tech Support Forums - TechIMO.com says:

May 19th, 2011 at 1:27 am

[...] 7 Network Awareness Windows 7 Network Awareness: How Windows knows it has an internet
connection – Super User Blog If you have Windows 7 Home you can manually add the registry key to keep
it from polling [...]

50. Michele says:

May 19th, 2011 at 5:46 am

“It should be “belongs” anyway.”

I believe Doug M. was parodying the famous 1991 Sega video game message “All your base are belong to
us” (as translated direct from Japanese).

51. iam8up says:

May 19th, 2011 at 10:43 pm

GREAT article. I was curious myself for some time.

Leave a Reply

Name (required)

Mail (will not be published) (required)

Website
 Submit Comment

Super User Blog

The Super User Community Blog

Search

Recently
How do I plan my vacation? Geek edition
Ask Different Podcast #3: iMac upgrades, Spotlight tips, Tiny Wings
Getting the Most Out Of Mac OS X’s Exposé
Windows 7 Network Awareness: How Windows knows it has an internet connection
Migrating to Linux from Windows

Pages
About the blog
Attribution

Archive
May 2011
April 2011
March 2011
February 2011
January 2011

Links
Full Post RSS Feed
Super User
posts are licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.
24 queries. 1.856 seconds.