Are applications contacting home? See what programs are using the internet without your knowledge

into eternitys watersWhat’s that program you have running that’s accessing the internet? You don’t know? Find out using a simple command prompt command. It’s important to know what your programs are doing at any one time. You should have full control over what does and doesn’t use your connection, whether you’re at home or running on an O2 UK 3G dongle. This is a simple and effective process that allows for the monitoring of your system. Just follow the instructions and you’ll remain well-informed.


Step One:  Windows XP

Open up the Run box by pressing the Windows key and R at the same time.

Put in CMD and press OK. The command prompt window will open up:

Step One:  Windows Vista/Windows 7

Open the Start menu () and type in CMD:

Right click on it and select Run as Administrator:

Step Two

In your open Command Prompt window, enter the following:

netstat -b 5 > activity.txt

and hit enter. (Note: to paste something into Command Prompt, you’ll need to right click and click paste.)

If you forgot to run the prompt as an administrator (like I did in the screenshots above), just redo step one  You can tell when it’s running as administrator because instead of saying C:\Users\Username it says C:\Windows\system32.

If you’ve pasted the code right, a blinking cursor will… blink.

After a few minutes, press Ctrl+C. That’ll stop the command.

Now type in activity.txt to open the log:

When you press Enter, your default text editor-probably Notepad-will open:

Now, scroll through the lists.  You’ll see that it’s mostly your browser-but some times, there are programs like Google Talk’s webcam program installed that call home even when you aren’t using them.

Now that you’ve found any and all culprits that are programs accessing the internet (with and without your knowledge), you can either close them from the Task Manager or even uninstall them.

I’ve made a short (1 minute) video on doing this.

UPDATE 2: Clarified the Windows XP instructions.

[[Via Lifehacker via Cogizio]]

This article was written by Locutus on his tech blog Cogizio. You can read the original article here.

Creative Commons License photo credit: balloon tiers

Related Posts

  • DonFG

    There are too many free programs that do this.

  • blue

    One wonders if #19 uses postcards for all his communication. Perhaps the reason to use security is the same reason that they invented envelopes.

  • Or use Process Hacker and look at the Network Tab.
    Or use System Explorer and look under Connections.
    Both work and are far easier for the average user.  Enjoy.

  • alan

    Last week 10% or 20% of the sites I went to were not there.
    After my post on 23rd I found 70% were there with a following wind after several attempts
    There were no 404 error messages – the DNS just failed to resolve names into IP addresses.
    I vaguely remembered forthcoming DNS doom, and eventually found
    “DNSSEC unlikely to break Internet on May 5” – an article on
    Desperation, I unchecked the option to use the DNS provided by my ISP, and went elsewhere – and every site was back with me within a couple of minutes.
    That I call A RESULT.
    Pity it took me a couple of days to eventually get there.
    I am now back, and can advise that THIS is the script to do the job.
    I call the script NetStats.BAT
    It holds a single line command, which is :-

    start “USE Ctrl’C to terminate NETSTAT Logging and close this Window” cmd /c netstat -b 5 ^>activity.txt
    You can use Windows Explorer to select that script, and drag/drop a short-cut link to
    C:Documents and SettingsAll UsersStart MenuProgramsStartup
    That will launch a CMD that rapidly disappears as it launches another CMD which runs netstat.exe and logs into activity.txt in the same folder as the script.  This second CMD window reminds you to use Ctrl’C to terminate logging and close the Window.  You can minimize the window to the task bar and it will continue logging until you bring it back to focus.
    The official way to terminate is via use of Ctrl’C when focus is on its Window.  Simply / accidentally closing the window by clicking the tiny X in the top right corner also seems to work for me –
    but timing is everything.
    I am filled with dread by the thought of killing the netstat.exe process whilst it is halfway through appending the next line of text to Activity.txt.   This could corrupt / muddle the last few records in Activity.txt.   It may well cause more Lost Clusters.
    I remember Windows 98 refused to shutdown until I pulled the plug, and every morning it would blame me for not shutting down “PROPERLY”, and would tell me how many disc clusters I had lost ! !
    Windows XP does not APPEAR to fall apart so badly, until you run CHKDSK ! !
    Conclusion – Use Ctrl’C – anything else can injure your computer’s health

  • Sputnik

    Thank you Locutus for this information !
    Now I will be able to know if “ET wants to phone home” ! :-)

  • Don’t forget the shortcut to start CMD as Admin

  • JohnD

    @Locutus: @alan: @all – Thanks for the comments and advice.  I particularly like the term “startup chaos” that alan used as this is the period that I am concerned about.  I am not worried about the time after the software firewall kicks in, (I am currently using Online Armor but have used Comodo and Look & Stop in the recent past), but that period of seconds when the router lite shows a connection and the OS software gets started up and my protection programs are running.  A lot can happen in these seconds in computer time.  I key in on svchost because it will usually have unlimited access to the internet and so Many things use it for various purposes.  Ports 80 and 8080 are another open avenue.  I very seldom use IE, but CCleaner always finds cookies and such from IE, most I understand as programs like SuperAntiSpyware will use IE subliminally to do update checks but there is also usually a IE cookie for john@msn that I don’t particularly  like to see.   I suppose the only true way to do this type of monitoring would be a hardware packet sniffer between the router and the computer, but that would be a little bit over the top for a home PC.  This is a good topic, as we move so many of aspects of our personal lives onto the computer, such as financials, I would really like to know who is taking a “peek” at my PC and why.
    An apt headline from a Computerworld article today:

    “MSRT has scrubbed mutating Alureon rootkit from more than 360,000 Windows-based PCs since May 11”

  • OldElmerFudd

    @RobCr: I ran across this a couple of years ago. I don’t use it often – only five machines in my network – but it has quite a bit going for it. I use the free version (bottom of the page), and don’t recall a “pop-up” feature. Maybe the Pro version will do all you want. Take a look; it might work for you.

  • alan

    Comodo Security is free and does what you want, and then some.
    I use it for all my security needs.
    I swear by it.
    My son used to swear at it, because every time he ran a new application that wanted the Internet it would pause the connection until the user decided to Block or Permit.  It also had a check box to remember (or not) this decision for any further attempt.
    It is more docile now with WhiteLists
    They have an active user forum at

  • tejas

    @RobCr: This may not be what you want, and unfortunately, it’s not free, but I use BWMeter
    It has a very simple firewall that asks for permission when something wants internet access, and doesn’t bug you about again, unless you remove that program from the Forbid/Allow lists.

  • RobCr

    I have been through the 53 comments on that link I posted. Not much Joy there.

    What I would like (and perhaps Josh ?), is a nice simple program, which monitors your outgoing Internet traffic, and pops up, when there is out going traffic.
    And so that we are not overwhelmed with a plethora of detail, there be two options –
    – Hide all safe traffic (Stuff the Developer knows is usual)
    – When some traffic appears, it can be told – ‘Never show that one again’

    Surely, someone has developed that ?

  • chinaguy

    Glad to help Locutus. Goodness knows I get enough help from you guys. Nice to be able to give a little back.

  • Doru

    Click on Zum download and next.Download will have program and license.Instal program .After that,click right on license and make to open only with Jv 16(exe) who is install in Program files….Next open the program and go to:Help>Licence information>Install new license and select file:license.Next close and close the program.Open again and will be registered.If you don’t know how to download go to:Techno360.

  • Doru
  • Josh

    Some listed items are as mysterious as the hundreds of  CLSID/892598319….  entries that appear in registry cleaners. Without knowledge/research/time/courage, it could be more dangerous to tinker with it than leaving the listed items intact.  Will be so good if people could write programs that not only report these things, but also, at least, point you in the right direction to find out what the entries mean. Without that, it’s too daunting for John Does like me. Thank you to those who added some insight with their comments!

  • RobCr

    I am a bit tied up at the moment.
    Someone running one of my Data Base programs, has switched to Windows 7 (New PC), and is trying to use that instead of a server. So I am experimenting, and debugging.

    I took time out, to have a quick check of the NirSoft web site, in case he had a GUI program for monitoring the internet.
    My browse of his site did not appear to have exactly what we want.
    However I came across this web page, where someone was seeking a program (see who is calling home).
    The author mentions use of a NirSoft program, and another program.
    Also there are 53 comments, that I have not read yet.
    Perhaps someone may care to study the page in more detail, and also check if one of the 53 comments, points us to something simple, and effective.


  • Some of the progs are ones that start automatically on startup.
    To stop those you can run msconfig (Win98, XP and Vista) choose the Startup tab, then look down the list of which items are checked to load on startup.  If you are unsure then look them up online.
    If there is something you don’t want to load on startup then uncheck it, click the apply button, then ok.   (make sure it is something ok to not load!)
    Now restart your computer and they will no longer load on startup.

  • @alan: Keep me updated!  Sounds like a great startup routine.

  • alan

    Nothing happened in first two minutes after I logged in –
    except my start-up script did not continue with its activities until netstat received the Ctrl’C  to terminate.
    I am now creating a seperate script to simultaneously launch at from the startup folder.  This will hold the single line
    netstat -b 5 > activity.txt.

  • OldElmerFudd

    @Locutus: Just to add, I use Online Armor Pro on all my machines. I have to give permission for applications I install to call out. Processes like svchost.exe haven’t shown up in any of my activity reports.

  • OldElmerFudd

    @Locutus: I take the activity text file and and highlight part of an unfamiliar line, such as: “TCP    xxxxxx-a9f6040:2619  ESTABLISHED     636″  (x’s replace identifier)
    A little digging with a whois search took me through enough twists to find that Dropbox uses Softlayer’s servers. Google was a simple whois lookup using the section of the line.

  • @Doru: Well this is also good for seeing if that new program you’re trying out “AntiSoft GetRiddaBadware” is phoning home.

  • Doru

    In general are:browsers,antivirus and programs who use your webcam like:Skype,messenger.Also Google Talk .But all this programs are open when you open computer.I think that this is normal.If you afraid for example that Skype will record your camera,without your approval,rotate your webcam on the wall when you not use it and you solve the problem.Google Talk-what can do against my persson?I’m not a terrorist,i’m not a thief or burglar ,anarchist or criminal.So i don’t care.

  • @chinaguy: Thanks for that. I’ve updated the article!

    @jumbi: This is great especially for people who use Windows Firewall (it’s fine, people, it’s fine.) like me!

  • jumbi

    very good article!
    a nice firewall would easily help doing that, but great when you need to check that without installing other software.

  • chinaguy

    An update: I ran the command from the run box and it did result in what happened to Emrys. The command prompt showed up, showed a whole bunch of stuff that nobody could possibly read because of the short duration it was open and then shut down almost instantaneously. If that is what happened to you Emrys, it seems to be from your description above, then just be sure you run the command prompt and then paste in the instructions Locutus gave rather than pasting them into the run box. That is the only way this will work.

  • chinaguy

     @Emrys: I think your problem Emrys was that you did not paste the command into the command prompt but into the run box instead. Be sure you follow the instructions above to the letter including typing cmd into the run box and hitting enter. Do not paste the command: netstat -b 5 > activity.txt into the run box as that will result in the command running and then the command prompt promptly exiting after it has run. I have made the same mistake before. There was no mistake in the instructions but they need to be followed to the letter. If it doesn’t work after you try this post back and we, probably others who are better with computers than me, will help you.
    @Locutus: You did not make a mistake. The instructions were correct but Emrys just missed a step in the instructions. I have made the same mistake before. Very easy to do. When command prompt runs and then shuts down without letting you see what is going on it is usually because the command to be run was put into the run box not the command prompt. I will try it on the xp machine but am pretty sure that you made no errors.

  • @OldElmerFudd: Nice!  Say, how do you trace those back?

    @Marco: Where does it say that they are going (the “foreign address” column”)?

  • Marco

    I checked just for fun and found Chrome and Avast and that’s ok but I also found O&O Clever Cache files (ooccctrl.exe and ooccag.exe) that seem to be phoning quite often, I don’t know where? Why would a memory & cache optimization software need to access the Network so often????

  • alan

    I already have a script which runs at start-up following my password.
    It can also be accessed via
    Start / All Programs / Startup / Mystart.BAT
    I used that access route and right click to edit the script and add the magic bit.
    Please try “Netstat /?”
    That describes many options, and suggests to me that if svchost should be identified as a culprit, then Netstat will also show what asked svchost to do that.
    Finally, nothing will go out during the boot process if you are not connected to the internet – e.g. if you have dial-up modem which does not issue the password till you log in.  If however you have an “always on” broadband connection there could be a few dangerous seconds.
    I do not worry about my dangerous seconds because I am confident that Comoodo will block svchost unless it is working for an approved executable.

    At 19:52:19 “C:pagefile.sys” had a modified time-stamp as XP came out of BIOS
    At 19:52:32 the event log shows I submitted my password for log-on.
    I admit 13 seconds is an unlucky number, but I will keep my fingers crossed ! !
    I think if something bad happened in that 13 seconds I would be more concerned that a Rootkit had seized control.
    This seems to be the most popular article I have ever seen.
    I started this after seeing post 6 – now it is post 11 and advancing.

  • ha14

    Hi, Thanks for this review I read similar article on
    I used it to find it worms were connection to internet and sending infos without my knowledge.

  • haakon

    Great article- and thanks a lot!!!
     “Gil”: I do not know if this freebie is still there to have.
    I DID use the CMD and found lots of “connections” I did not recognize.
    THEN I remebered I had the Anvir app and use THAT instead.
    More or less detailed descriptions of what the “connecting” apps was and more. Also very easy to disable or remove them.
    I have more often than not removed ….”too much”  :-)
    The Anvir IS a great help when you dont know what to do 

  • OldElmerFudd

    This is a nice CLI tool that I started using with Windows XP. It’s a good idea to let the command prompt run for a couple of minutes to get all the information properly. Usually, the text document you create will contain the usual suspects (bg), your browser, AV, email client, whatever web-based apps – Dropbox, for instance – you have open. There’s likely to be a group of listings that look less familiar. In those instances where you’re not sure what something is, copy and paste into a browser search to find out. On this box, is is Dropbox’s server, and so on.

  • @Gil: There are ways-easy ways-but due to having to leave in about 30 seconds,  can’t share them right now. Maybe when I get back?

    Also, “To summarize, you are allowed to reprint owned content if the content is used for a noncommercial purpose and you provide attribution to in a clear and proper manner; for more detailed information please check out”

  • @alan: Glad to hear it worked out for you!
    @JohnD: I guess you could add it to startup like alan, but it’l only show things that happen after it starts up too.

  • Gil

    I’m running XP and didn’t have that problem, but the instructions may have been fixed. This is nice to know Locutus and you mentioned to end the task or uninstall the program. I don’t want to have end the task every time I boot up my computer and I don’t want to uninstall the program. Is there someplace to stop the program from starting up (it’s not listed in my startup folders).

    Also, what’s the policy for sharing articles like this with other groups. What I’d do is explain a little of what the article is about and provide a direct link to the page. That way, dotTech, authors, etc get their due credit.


  • alan

    No mistaken typo – it worked for me.
    A very informative article
    I am 100% sure I do not need this myself because Comodo blocks any outgoing data which I have not initiated.  But 101% is even better so I have pasted into my login start-up the command
    netstat -b 5 > activity.txt
    Tomorrow we will see if anything naughty phones home during the start-up chaos.
    A quick test now.  I see tons of stuff over a 2 minute period, but as expected it is all classified as either
    ESTABLISHED  PID  2616 [Firefox] – which is still running, or
    TIME_WAIT  PID 0 with no name, but Windows Task manager calls it System Idle Process.
    Nothing naughty in two minutes on my system.

  • @JohnD: Unfortunately I don’t know of any way to see what programs are using the internet during boot, sorry.

    @Emrys: I’m having problems with the XP computer, hang on.

  • JohnD

    Worked great for me on Win 7 and I copied and pasted your commands :)
    I have this umm, concern that applications are using the svchost process (Process Explorer will delve into svchost processesI know, but not historically to my knowledge) to communicate out, bypassing my software firewall.  This netstat command would be nice to have run at startup to see all of the communiques that go on during the boot process.  I wonder how that could be accomplished?
    Good job.

  • @Emrys: That sounds more like a mistake I made in typing the instructions. Hang on, let me boot my XP box.

  • Emrys

    I’m on XP. I followed the directions and I saw a bunch of stuff come up and the window closed. W the Frack? Is there something going on here?