#11
Hi
Yer, I looked at that, but I couldn't see how it would help me. It shows me the Process ID of the svchost.exe that is generating the traffic (which I already know from two other sources) and the ten-ish IPs which it is connecting to, but not which of the 16 underlying Services [AppInfo][Browser][DoSvc][ifsvc][iphlpsvc][RasMan][Lanman Server][SENS][ShellHWDetection][Themes][Schedule][ProfSvc][UserManager][WpnService][Winmgmt] is generating the traffic.
TCPView only gives me options to close each connection (which just pops back up a minute later), or kill the (entire) Process (which presumably includes all 16 Services). Doing so kills the whole dial-up connection (which is presumably not surprising as Service "RasMan" (which runs the modem) has been stopped).
How would TCPView help me identify the (root) source of the traffic (and stop it) please?
OK, I have found the source. It seems to be originating from
-svchost.exe launching Task Scheduler
-Task Scheduler launching Scheduled Start (sc.exe)
-Scheduled Start launching Windows Updates
(despite Windows Updates supposedly being disabled entirely or disabled when only a Metered Connection is present).
So, I have disabled these tasks in:
Task scheduler>WindowsUpdate>Automatic App Update (Windows Store apps)
Task scheduler>WindowsUpdate>Scheduled Start (sc.exe)
Task scheduler>WindowsUpdate>Scheduled Start With Network (sc.exe)
Task scheduler>WindowsUpdate>sih (server initiated healing (sihclient.exe))
Task scheduler>WindowsUpdate>sih boot (sihclient.exe)
which seems to have stopped it.
Btw, it seems the PID allocation is dynamic - that stack of 16 Services has jumped around between PIDs 512, 912, 1028, 1036, 1048, 1060, 1576, 2396, 8132 over the last 2 days.
Thanks for the pointers.
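
A read-only PowerShell audit of the steps described in the post above, added here as an example and not part of the original post: it resolves the svchost.exe PIDs at run time (they change between boots, as noted), lists the services each network-active instance hosts, and shows the state and last run time of the WindowsUpdate scheduled tasks. The full task path `\Microsoft\Windows\WindowsUpdate\` is an assumption about where the post's "WindowsUpdate" folder sits in the Task Scheduler library.

```powershell
# Added example (not from the original post). Run from an elevated prompt.
# Nothing here changes system state; it only reports.

# 1. Outbound TCP connections that are not loopback.
$conns = Get-NetTCPConnection -State Established, SynSent -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -notin '127.0.0.1', '::1' }

# 2. Current svchost.exe PIDs (looked up each run, never hard-coded).
$svchostPids = Get-Process -Name svchost -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Id

# 3. For each svchost instance with traffic, list hosted services and peers.
$report = foreach ($g in ($conns | Where-Object { $_.OwningProcess -in $svchostPids } |
                          Group-Object -Property OwningProcess)) {
    $procId   = [int]$g.Name
    $services = Get-CimInstance -ClassName Win32_Service -Filter "ProcessId = $procId" |
        Select-Object -ExpandProperty Name
    [pscustomobject]@{
        PID       = $procId
        Services  = $services -join ', '
        RemoteEnd = ($g.Group |
            ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" } |
            Sort-Object -Unique) -join ', '
    }
}
$report | Format-Table -AutoSize -Wrap

# 4. State of the Windows Update tasks (path is an assumption, see lead-in).
#    A LastRunTime close to a traffic burst points at the task that started it.
Get-ScheduledTask -TaskPath '\Microsoft\Windows\WindowsUpdate\' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $info = $_ | Get-ScheduledTaskInfo
        [pscustomobject]@{
            TaskName    = $_.TaskName
            State       = $_.State
            LastRunTime = $info.LastRunTime
            Action      = ($_.Actions |
                ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        }
    } | Format-Table -AutoSize -Wrap
```

Like TCPView, step 3 attributes connections to the shared svchost process rather than to one service inside it; the task timestamps from step 4 are what narrow it further.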