Advice Request Windows 11: What processes necessarily need connection or access to the network?

Please provide comments and solutions that are helpful to the author of this topic.

Decopi

Level 6
Thread author
Verified
Oct 29, 2017
252
By default, my Firewall is set to block all connections or access to the network. Specific programs and apps have specific rules that create exceptions.

For example, in the case of Windows 11, "MoUsoCoreWorker.exe" has access to the network (in order to allow Windows Updates). The same with "svchost.exe", necessary for connections to the network.
But after 1 month, I see that there are almost 50 different Microsoft processes trying to connect to the network.

Please my question: Specifically for the Windows 11 OS (excluding apps, Windows Defender and Programs), what are the Microsoft processes (names, no IPs) that necessarily need connection or network access? For example, all Windows Update processes (including drivers, office etc) I want them with access to the network.

Thank you very much
 
Last edited:

Decopi

Level 6
Thread author
Verified
Oct 29, 2017
252
Try reading more here about Microsoft processes:
Here are text addresses mostly , so you should some of them to IP (for e.g in powershell Resolve-DNSName <addr here>) and add them manually.

Thanks! I read the link you kindly sent me, but I need process names. My Firewall rules work allowing/blocking processes by its names. I don't allow/block by IPs.
 

vuksha_xc60

Level 1
Jun 22, 2020
29
All of the preinstalled Microsoft apps are located in C:\Program Files\WindowsApps (by them I mean Spotify, 3D Builder, Xbox etc.)
I think it's a hidden directory by default so you should enable that in File -> Options -> View -> Show hidden files and folders.

Other things I suggest you to disable is CompatTelRunner (it's under C:\Windows\System32)
 
  • Like
Reactions: Decopi
F

ForgottenSeer 94654

By default, my Firewall is set to block all connections or access to the network. Specific programs and apps have specific rules that create exceptions.

For example, in the case of Windows 11, "MoUsoCoreWorker.exe" has access to the network (in order to allow Windows Updates). The same with "svchost.exe", necessary for connections to the network.
But after 1 month, I see that there are almost 50 different Microsoft processes trying to connect to the network.

Please my question: Specifically for the Windows 11 OS (excluding apps, Windows Defender and Programs), what are the Microsoft processes (names, no IPs) that necessarily need connection or network access? For example, all Windows Update processes (including drivers, office etc) I want them with access to the network.

Thank you very much
Here is an example of the bare minimum rules needed for Firefox, Skype, internet access, DNS, Windows Update. You can customize the rules to be based upon what you actually use.

1649594992326.png
 

Decopi

Level 6
Thread author
Verified
Oct 29, 2017
252
All of the preinstalled Microsoft apps are located in C:\Program Files\WindowsApps (by them I mean Spotify, 3D Builder, Xbox etc.)
I think it's a hidden directory by default so you should enable that in File -> Options -> View -> Show hidden files and folders.

Other things I suggest you to disable is CompatTelRunner (it's under C:\Windows\System32)

Thanks again for you help.
As I wrote in my first comment, I'm looking after Windows 11 OS processes, excluding Windows Defender, Apps and Programs.
In other words, I'm not focused at Apps, Programs nor Windows Defender. My focus is Windows 11 OS (operating system) processes. Currently all these processes are blocked in my Firewall, except "MoUsoCoreWorker.exe" (Windows Updates) and "svchost.exe".
The question is: Does any other Windows 11 OS process need access to the network for critical reasons? By "critical reasons" I mean Windows processes where their network access is really useful (like Windows Update etc).

Here is an example of the bare minimum rules needed for Firefox, Skype, internet access, DNS, Windows Update. You can customize the rules to be based upon what you actually use.

View attachment 265696

Thanks.
Please I need to know what Windows 11 OS processes are inside your "System" category.
Also, among these "System" processes, please I'm only interested on those processes that are "critical" or "necessary" (files or processes where their network/internet access is REALLY useful). The "System" category may include lot of telemetry and garbage connections.
 
F

ForgottenSeer 94654

Thank you.
What program is this ?
Windows Firewall Control (Used to be by Binisoft)


Thanks.
Please I need to know what Windows 11 OS processes are inside your "System" category.
Also, among these "System" processes, please I'm only interested on those processes that are "critical" or "necessary" (files or processes where their network/internet access is REALLY useful). The "System" category may include lot of telemetry and garbage connections.
The "System" process is a single process. If you want to block Windows telemetry, then you need to research that topic. For one thing, firewall block rules are only one of the things needed to reduce Windows telemetry. There are utilities out there that can do it partially, but if your objective is to block any Microsoft telemetry, then that is not practical and probably impossible.
 
  • Like
Reactions: sypqys and Decopi

Decopi

Level 6
Thread author
Verified
Oct 29, 2017
252
The "System" process is a single process. If you want to block Windows telemetry, then you need to research that topic. For one thing, firewall block rules are only one of the things needed to reduce Windows telemetry. There are utilities out there that can do it partially, but if your objective is to block any Microsoft telemetry, then that is not practical and probably impossible.
Thanks again for your replay.
I'm not using your software Binisoft. And I'm not interested in blocking specific processes.
As I explained in my first post, by default I block 100%, everything. My rules are for exceptions, allowing specific processes.
Also as I said in my first post, I'm not focused on Apps, Programs, Windows Defender etc. I'm only focused at Windows 11 OS processes.
And my original question was and still is: What Windows 11 OS processes necessarily need connection or access to the network?
 
F

ForgottenSeer 94654

Thanks again for your replay.
I'm not using your software Binisoft. And I'm not interested in blocking specific processes.
As I explained in my first post, by default I block 100%, everything. My rules are for exceptions, allowing specific processes.
Also as I said in my first post, I'm not focused on Apps, Programs, Windows Defender etc. I'm only focused at Windows 11 OS processes.
And my original question was and still is: What Windows 11 OS processes necessarily need connection or access to the network?
You need to research it and figure it out yourself.
 

Decopi

Level 6
Thread author
Verified
Oct 29, 2017
252
You need to research it and figure it out yourself.
With all due respect, I believe that advanced users with strong knowledge can help other users by sharing their knowledge and experience.
Fortunately for me, I have already received great help thanks to another forum. So I don't need to break my head "researching it and figuring it out myself".
But anyway, thank you very much for your help!
 

SeriousHoax

Level 47
Well-known
Mar 16, 2019
3,630
You need to use Windows Firewall Control as shown above, set it in Ask mode and then every time something asks for internet connection, search online what that process does? Why it needs Internet connection? Then decide whether you'll allow that or not.
Windows Firewall Control creates all rules in Windows Firewall. So it's not a separate Firewall. You can even uninstall it once you have made your required rules.
If you want to try something different, then try Simplewall by henryapp.
This is something it's better to figure out by yourself. It's a learning process, don't look for a ready-made solution in this case. You may not find such thing. I learned a lot about windows when I experimented like this.
After creating your own rules, if you still have some confusion about something, then you can ask on this or any other forum you prefer.
 
F

ForgottenSeer 94654

With all due respect, I believe that advanced users with strong knowledge can help other users by sharing their knowledge and experience.
Fortunately for me, I have already received great help thanks to another forum. So I don't need to break my head "researching it and figuring it out myself".
But anyway, thank you very much for your help!
There is much Windows 10\11 telemetry that cannot be disabled, even by disabling firewall rules. The only thing you can do is to not connect to the internet. This has been documented going all the way back to 2015. To learn all of this, you have to research the topic online, read and learn for yourself. There's articles and utilities that have tried to tackle the deeply embedded telemetry but have determined that it cannot be disabled. You are assuming that "advanced" users are giving you correct or complete infos.

Microsoft knows all about people trying to block its telemetry and it has publicly stated that some telemetry cannot be disabled or blocked - because Microsoft does not want anyone disabling or blocking it.

The other thing that trying to disable Windows telemetry does not solve is application telemetry. That is a completely separate subject.

If you are so worried about operating system (and application) telemetry, then drop Windows and adopt a privacy Linux distro. Problem solved.
 
Last edited by a moderator:

Decopi

Level 6
Thread author
Verified
Oct 29, 2017
252
There is much Windows 10\11 telemetry that cannot be disabled, even by disabling firewall rules. The only thing you can do is to not connect to the internet. This has been documented going all the way back to 2015. To learn all of this, you have to research the topic online, read and learn for yourself. There's articles and utilities that have tried to tackle the deeply embedded telemetry but have determined that it cannot be disabled. You are assuming that "advanced" users are giving you correct or complete infos.

Microsoft knows all about people trying to block its telemetry and it has publicly stated that some telemetry cannot be disabled or blocked - because Microsoft does not want anyone disabling or blocking it.

The other thing that trying to disable Windows telemetry does not solve is application telemetry. That is a completely separate subject.

If you are so worried about operating system (and application) telemetry, then drop Windows and adopt a privacy Linux distro. Problem solved.
Thank you once again for your replay.
I believe my post wasn't clear (my apologies). Please, let me try to rephrase myself once again:
I'm not blocking individual processes (like telemetry etc).
My whole internet connection and network access both are blocked by default. I don't want to jump into details, but in short, absolutely nothing in my device has internet connection or network connection.
However, I do have a software which allows me to create rules for specific processes, giving them access to internet or network.
So again, it's not about blocking, it's about allowing specific processes.
That said, my focus never was Apps, nor Programs, nor Windows Defender. I'm focused only at Windows 11 OS processes.
And here is where I found lot of great help in different forums, advanced users helped me a lot, now I have an interesting list of OS (critical) processes that (really) need access to internet/network (otherwise too much stuff crashes).
But I do appreciate all the help I received here.
 
F

ForgottenSeer 94654

Please I need to know what Windows 11 OS processes are inside your "System" category.
System is a single process named "System."
Also, among these "System" processes, please I'm only interested on those processes that are "critical" or "necessary" (files or processes where their network/internet access is REALLY useful).
There are only 2 firewall rules required to be enabled to update and use Windows (and no such thing as "critical" or "necessary" Windows 11 processes that are required to use the OS):
  1. browser process (ports 80, 443) - unless you don't want to use a browser
  2. svchost (ports 53, 80. 443) - for DNS, Windows updates
The "System" category may include lot of telemetry and garbage connections.
There is no such thing as a "System" category of processes; System is a single Windows process named "System."
You made the above comment so you are very obviously wanting to block telemetry.

Many times I use a system with the network adapter disabled, and the OS works fine for months. Only once every few months do I have to enable network access to provide some updates.

Best of luck to you.
 
  • Like
Reactions: Decopi

Decopi

Level 6
Thread author
Verified
Oct 29, 2017
252
System is a single process named "System."

There are only 2 firewall rules required to be enabled to update and use Windows (and no such thing as "critical" or "necessary" Windows 11 processes that are required to use the OS):
  1. browser process (ports 80, 443) - unless you don't want to use a browser
  2. svchost (ports 53, 80. 443) - for DNS, Windows updates

There is no such thing as a "System" category of processes; System is a single Windows process named "System."
You made the above comment so you are very obviously wanting to block telemetry.

Many times I use a system with the network adapter disabled, and the OS works fine for months. Only once every few months do I have to enable network access to provide some updates.

Best of luck to you.
Thanks.
I must apologize once again, because when I saw the image you posted (Binisoft) I wrongly misunderstood "System", I thought it was a category (given by Binisoft), but now clearly I can see it was the "system.exe" process. At the image you posted, all processes are ".exe" except "System". And "System" is under "Program" column, but is written in capital letter without ".exe"... so in my ignorance I saw that "System" as a category (or path, or folder etc).
With your last explanation + your Binisoft message... now I can totally understand what you meant.
Thank you again.
 

Decopi

Level 6
Thread author
Verified
Oct 29, 2017
252
There's no "system.exe" process. System is "ntoskrnl.exe" as far as I know.
Yeah, "System" is related to Windows.
But thousand of Apps and Programs use "system.exe".
I never used Binisoft. From an outsider point of view, at first sight, I expected to see ".exe" processes allowed or blocked. When I saw "System", wrongly I thought it was a kind of folder, path or category provided by Binisoft.
My bad.
 

valvaris

Level 6
Verified
Well-known
Jul 26, 2015
260
Woow that is one way of blocking Windows :D
The other way is making your life easier.
Networking in terms of: "I want only Browsing" for Example to work and control what is communicating where a web proxy also called a forwarding proxy is a huge help in Direct Mode. This means a browser or system needs to address the Proxy directly before having access to the internet.

Example:
Firefox Browser has Proxy Address configured because it does not set the System Settings in Windows for use with Proxy.

Firefox Proxy 192.168.x.x Port 8080 -----> Forwarding Proxy ----> Internet
Windows ----> No Internet Access ---> Reason No Proxy Configuration

The other part is if you want to use other Applications some are compatible with Proxy Settings and are System independent others need WinHttp Proxy Configured or they just do not work.

That is the reason Network Administrators use Network Equipment like Firewalls.

Why?
In the OS itself there are Processes that need to run like mDNS - BITS - and others. (Process Explorer can give more insight!)

In terms of what is needed for minimum communication and internet use:
- HTTP Protocol - Port 80 TCP
- HTTPS Protocol - Port 443 TCP
- NTP Protocol - Port 123 TCP/UDP
- DNS Protocol - Port 53 TCP/UDP

What makes control over traffic more difficult?
Encrypted Traffic needs to be "Broken" to look inside so even if you block system process another process that could hijack a legit process and communicate with a Command-and-Control Server without your knowledge.
That is why Network Layer Protection is so important even for Home Use - Some call it DPI with SSL Inspection and can break down how things communicate.

So, a Zero Trust guideline is a particularly promising idea but needs to be done in Layers.
I refer to the OSI Layer Model

1650229872062.png


If you block something already at the lower layers, it just simply cannot reach higher. If you block something in the highest layer 7 for example you need to have tech. That can control that traffic like a Next Generation Firewall (NGF).

The up part of that is that you control everything Network Wide and can granularly adjust your Rules to specific needs. (User, Group, Computers, IPs and such...)

A fun point to start is:
Sophos XG Home Edition (Freeware and only Private use)
Untangle (Base License is Free but advanced features require a License)
PFsense and OPNsense are Freeware but also have Corp. License Models <- NGF as Addon (Paid Service on OPNsense)

I strongly suggest doing this as a separate Device / Server / Appliance - ^^

Software Firewalls installed on Windows are Applications, and all can be manipulated in such a way that the user does not know what is happening or what if the Application has a bug?

All even Hardware Firewalls need care and understanding and there is no silver bullet to a solution. But ways to make it more manageable.

There is no best way but recommended one's from different users.

My Setup for example is quite simple but efficient:

- My PC - Physical Connection on own Port of the Firewall - Own Subnet with no DHCP /30
- IoT Devices - Own Switch on Own Port of the Firewall with - Own Subnet DHCP on /28
- GEO Blocking Firewall Global Rule for incoming and outgoing traffic on all Ports
- My PC Zone only allowed HTTP / HTTPS / DNS / NTP
- IoT Devices only allowed HTTP / HTTPS / DNS / NTP
- No communication between IoT Devices and My PC Zone
- My PC Software in use is: F-Secure EPP Computer Protection (with Windows Firewall in build control with better logging) Default Deny Policy.
- Sophos XGS 126 with XStream Bundle License (ATP - DPI Engine [Port Agnostic] - SSL-Inspection - GEO Blocking - Webfilter - IPS - and Firewall Rules)

My Point is:
Good Protection starts at the Lower Layers of the OSI model and of course the best Firewall and AV is the "USER". Zero Trust ^^

P.S.:
My Network is build that way since I still learn from here and others in the IT field and I myself am in that Profession. For others that is pure overkill!!! But still, something to look at and be aware of.

P.P.S:
I know I also did not really answer your question but wanted to give your more insight on how your computer communicates. ^^

If someone needs more insight - I am happy to help. :D

Best regards
Val.
 
Last edited:

Decopi

Level 6
Thread author
Verified
Oct 29, 2017
252
Woow that is one way of blocking Windows :D
The other way is making your life easier.
Networking in terms of: "I want only Browsing" for Example to work and control what is communicating where a web proxy also called a forwarding proxy is a huge help in Direct Mode. This means a browser or system needs to address the Proxy directly before having access to the internet.

...

Best regards
Val.

Amazing + instructive + useful explanation.
Thank you!
 
  • Thanks
Reactions: valvaris

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top