Insane data upload usage

Slime · Nov 13, 2019

Feeling kind of creeped out by my Nov 11 upload usage:

The only significant things I can think of doing in that timeframe are installing Windows 10 the morning before and installing Death Stranding that day, but I highly doubt either of those would affect upload usage. I haven't used any file-sharing programs in that timeframe either. I thought it might be caused by background stuff from the fresh Windows install, but the most I'm seeing on my PC's data usage page is 2.79 GB from Google Chrome, while everything else is in single-digit megabytes.

Anyone have any ideas of what might be the cause, and what to do about it? Truly weirded out.

oledome · Nov 13, 2019

Mark Zuckerberg has a live feed to your junk

Nabs · Nov 13, 2019

Can you enable some sort of bandwidth tracking on your router to see where it's coming from?

chandoog · Nov 13, 2019

Turn off all the privacy options and there is one option in the Updates page where if you don't disable it, Windows uses your system like a torrent client to share install data.

Chaosblade · Nov 13, 2019

chandoog said:
Turn off all the privacy options and there is one option in the Updates page where if you don't disable it, Windows uses your system like a torrent client to share install data.

This could definitely be it, Windows will use people's PCs as servers to share updates peer to peer unless you disable the option.

chandoog · Nov 13, 2019

Turn this shit of ASAP.

Syriel · Nov 13, 2019

chandoog said:
Turn this shit of ASAP.

This is a possible source for mystery upload.

Slime · Nov 13, 2019

chandoog said:
Turn off all the privacy options and there is one option in the Updates page where if you don't disable it, Windows uses your system like a torrent client to share install data.

Do you have a guide or something for all the things to turn off?

I did have this one enabled:

but according to the "Activity monitor" I haven't uploaded anything

chandoog · Nov 13, 2019

Slime said:
Do you have a guide or something for all the things to turn off?

I did have this one enabled:

but according to the "Activity monitor" I haven't uploaded anything

I honestly don't trust when Windows says N/A lol, it could mean anything.

Also, under the Privacy tab, literally just turn every single thing off. I don't keep any of that on and it doesn't impact my computer usage in the least. Though it does give me a lot of peace of mind that no unwanted things are running in the background.

Slime · Nov 13, 2019

chandoog said:
I honestly don't trust when Windows says N/A lol, it could mean anything.

Also, under the Privacy tab, literally just turn every single thing off. I don't keep any of that on and it doesn't impact my computer usage in the least. Though it does give me a lot of peace of mind that no unwanted things are running in the background.

kk

Well i did all that but I am still beyond weirded out

Thanks all

Is there any way to request information about the source of data usage from your ISP or anything?

Pwnz · Nov 13, 2019

chandoog said:
Turn off all the privacy options and there is one option in the Updates page where if you don't disable it, Windows uses your system like a torrent client to share install data.

Yup and 1909 just released so it's probably that.

chandoog · Nov 13, 2019

Pwnz said:
Yup and 1909 just released so it's probably that.

Yeah, kinda sucks that most of those settings get reverted after major updates.

Slime said:
kk

Well i did all that but I am still beyond weirded out

Thanks all

Is there any way to request information about the source of data usage from your ISP or anything?

I've never heard of anything like that personally but no harm in contacting your ISP's customer support, I suppose..

Pwnz · Nov 13, 2019

Slime said:
Do you have a guide or something for all the things to turn off?

I did have this one enabled:

but according to the "Activity monitor" I haven't uploaded anything

N/A = feature measurement broken lol. No way they wouldn't heavily use this to speed up updates and save lots of hosting.

Do you have other PCs on the network? That's why I have it enabled, I have 4 win10 machines at home. I don't know how data is measured by your ISP but you'd think it would remain local. Unless there's a weird VPN situation.

Slime · Nov 13, 2019

Would anyone here mind logging in to their router/ISP's data usage stats and let me know if they a similar spike in that timeframe??

Sorry I'm turning into a bit of a basketcase over this (I've had other weird security concerns over the past week)

https://www.resetera.com/threads/insane-data-upload-usage.152959/reply?quote=26438947

There are a couple other ones on the network. Would that show up in my ISP's upload usage though? Do transfers between devices on the same network count?

Slime · Nov 15, 2019

My computer just randomly woke up from sleep with no apps running and showed a bunch of network activity from these apps. Anyone know if these could play a part in the upload usage spike?

MrHealthy · Nov 15, 2019

Slime said:
My computer just randomly woke up from sleep with no apps running and showed a bunch of network activity from these apps. Anyone know if these could play a part in the upload usage spike?

I can't explain the bandwidth usage but if the computer is waking up from sleep for seemingly no reason it is being woken by network activity. You can disable this through device manager. Find your network adapter and under properties -> power management -> Allow this device to wake your computer.

GreenMonkey · Nov 15, 2019

Slime said:
My computer just randomly woke up from sleep with no apps running and showed a bunch of network activity from these apps. Anyone know if these could play a part in the upload usage spike?

None of those look suspicious at a glance. (I work in Cyber Security). Looks like mostly MS.

Do you have any syncing cloud stuff? Google photos, music, etc? A lot of video can eat up a lot of bandwidth.

killerrin · Nov 15, 2019

chandoog said:
Turn this shit of ASAP.

I seriously doubt that is the case for his uploads. It defaults to be disabled, and Local Network Only when enabled. As evident by his screenshot above. Any uploads would not count on his ISP's Bandwidth tracker as shown in the OP since it would be purely local network only, not even touching the moden, let alone past it.

Slime · Nov 15, 2019

GreenMonkey said:
None of those look suspicious at a glance. (I work in Cyber Security). Looks like mostly MS.

Do you have any syncing cloud stuff? Google photos, music, etc? A lot of video can eat up a lot of bandwidth.

Thanks for the replies, folks.

No syncing stuff, as I don't really use any cloud services.

Can you give me your opinion on this stuff? That TekSavvy one is weird to me because that is my ISP, but not my IP address.

MrHealthy said:
I can't explain the bandwidth usage but if the computer is waking up from sleep for seemingly no reason it is being woken by network activity. You can disable this through device manager. Find your network adapter and under properties -> power management -> Allow this device to wake your computer.

Thanks, will try this out

riotous · Nov 15, 2019

I mean if you torrent, which sounds like you do, you probably left your torrent client open without realizing it.

Simplest answer

Lishi · Nov 15, 2019

Few ideas.

You left a torrent open.
You dropped 100gb of porn in your google drive.

You are being the porn of someone else.

Futureman · Nov 15, 2019

There's someone living in your attic.

Slime · Nov 15, 2019

I haven't installed Bit Torrent since re-installing Windows 10 :/

Monkey Gland Sauce · Nov 15, 2019

Maybe be a co-incidentally timed phone backup?

Slime · Nov 15, 2019

Monkey Gland Sauce said:
Maybe be a co-incidentally timed phone backup?

Nope, my brother transferred some of his music over USB from the phone recently but that was after.

I'm really at a loss. The only thing I can think of is that's the day I installed and played Death Stranding for a bit, so is it possible the streaming function was running somehow without me knowing it..? I dunno

Monkey Gland Sauce · Nov 15, 2019

Slime said:
Nope, my brother transferred some of his music over USB from the phone recently but that was after.

I'm really at a loss. The only thing I can think of is that's the day I installed and played Death Stranding for a bit, so is it possible the streaming function was running somehow without me knowing it..? I dunno

Edit: nvm.

Maybe, do you have an account or something linked to it?

Slime · Nov 15, 2019

Monkey Gland Sauce said:
Edit: nvm.

Maybe, do you have an account or something linked to it?

Like Twitch or something? Nope. I imagine 16GB would be too much for ~2 hours of play anyway.

JJDubz · Nov 15, 2019

My PC had a scheduled task to wake at like 2 or 3 AM to install updates. There was recently a small virus definition update (iirc) that caused it and it was visible in Event Viewer.

Might be worth checking out.

Monkey Gland Sauce · Nov 15, 2019

Slime said:
Like Twitch or something? Nope. I imagine 16GB would be too much for ~2 hours of play anyway.

AFAIK in order to stream, you need to set it up with an account of another service like Twitch.

On your PC, you can check Settings -> Update and Security -> Backup to see if somehow it is set up to backup to the cloud.

Slime · Nov 15, 2019

Monkey Gland Sauce said:
AFAIK in order to stream, you need to set it up with an account of another service like Twitch.

On your PC, you can check Settings -> Update and Security -> Backup to see if somehow it is set up to backup to the cloud.

Nope, nothing activated in there.

I just checked Event Viewer but I don't really know what to look for. There are a lot of "Audit Success" Security events exactly around the time this happened though with details like:

Special privileges assigned to new logon.

Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege

And about 138 "Audit Failure" events from Nov. 9-14 with details like

Cryptographic operation.

Subject:
Security ID: PC
Account Name: PC
Account Domain: PC
Logon ID: 0x1018735

Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.

Cryptographic Operation:
Operation: Open Key.
Return Code: 0x80090016

Are these anything to be concerned about?

Nabs · Nov 15, 2019

How has your upload looked since the 12th?

Slime · Nov 15, 2019

Nabs said:
How has your upload looked since the 12th?

Was just 3GB the day after (still can't really account for that either) and 0.41 on the 13th. Yesterday still hasn't updated yet tho.

Monkey Gland Sauce · Nov 15, 2019

Slime said:
Nope, nothing activated in there.

I just checked Event Viewer but I don't really know what to look for. There are a lot of "Audit Success" Security events exactly around the time this happened though with details like:

Special privileges assigned to new logon.

Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege

And about 138 "Audit Failure" events from Nov. 9-14 with details like

Cryptographic operation.

Subject:
Security ID: PC
Account Name: PC
Account Domain: PC
Logon ID: 0x1018735

Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.

Cryptographic Operation:
Operation: Open Key.
Return Code: 0x80090016

Are these anything to be concerned about?

The first is normal. The second, AFAIK, is usually to do either with missing certificates or apps trying to do stuff, but not having their account details setup or something similar.

ty_hot · Nov 15, 2019

chandoog said:
Turn this shit of ASAP.

Wow, I remember this but I didnt realize it included people "on the internet" always thought it was just local. I was always pissed that this shit never worked when I had 2 PCs updating at the same time in the same network. Gonna fix that asap even though I dont have data cap.

FloatingDivider · Nov 15, 2019

Yeah the first special logon event is normal and you'll get multiple a day or even an hour and it's just windows assigning privileges to it's system account for maintenance activities usually. I haven't seen that second one before so I think that one is a little more suspect but I'd still be doubtful about it causing 16GB of upload.

If this really is a fresh install with a Microsoft provided installer it's highly unlikely the data usage is nefarious though and it's likelier MS was using you to push updates, or it uploaded stuff to onedrive or some other non malware related thing. I also doubt Death Stranding is responsible. That being said if you're still worried you can re-install windows 10 again since you recently did and not much would be lost?

Slime · Nov 15, 2019

Slime said:
Thanks for the replies, folks.

No syncing stuff, as I don't really use any cloud services.

Can you give me your opinion on this stuff? That TekSavvy one is weird to me because that is my ISP, but not my IP address.

Any other cybersecurity folks have any thoughts in this in particular? I just can't comprehend why any outside IPs would be interacting with SearchUI.exe/Cortana at all.

ChrisJSY · Nov 15, 2019

Why wouldn't it? Although I turn off all that junk search stuff that win10 has and turn cortana off, it needs to look outward to search for other stuff.
Most of those are microsoft IP's and an ISP in canada?

Where is this usage chart from, your PC or from your ISP web page?

FloatingDivider · Nov 15, 2019

I mean I'm not a cybersecurity expert but I know the dasHost connections are generally related to wireless devices and printers and are local afaik, so they can't be responsible for the uploaded data. The SearchUI.exe stuff is also relatively normal and expected behaviour for w10, as for why it's connecting to what it's connecting it's hard to say without analyzing the traffic but it's generally updating livetiles, caching searches, and sending telemetry and it's not wholly unexpected. You can disable some of the connectivity but there's no way to disable all of it outside of disconnecting. I'd also be baffled if it's responsible for 16GB of traffic.

These are Microsoft executables though so unless they've been altered by malware they shouldn't be doing anything nefarious, you can run an sfc/scannow to verify the integrity of these files.

Take all of this with a grain of salt because I'm not a computer expert but you should prolly run malware scanners if you're worried.

Slime · Nov 15, 2019

Thanks for all the tips, folks.

I think I might have solved it? For some reason I didn't consider that my father's computer might have been the problem. He has Windows 10 too but hasn't turned off any of the telemetry shit. Also it's probably packed full of malware.

Anyway I noticed my internet running really slow (I did a speed test and it was running at a tenth of the speed), and it started at like the exact same time he got up and turned on his computer, so I did a resource check and found this:

His laptop is sending out a huge amount of data through svchost.exe for some reason

Most of them are Microsoft, but apparently one is Verizon?

ChrisJSY, the data usage is from my ISP

FloatingDivider · Nov 15, 2019

That does sound like a likely suspect you should prolly run some malware scans

dom · Nov 15, 2019

What type of router do you have?

dom · Nov 15, 2019

Slime said:
Thanks for all the tips, folks.

I think I might have solved it? For some reason I didn't consider that my father's computer might have been the problem. He has Windows 10 too but hasn't turned off any of the telemetry shit. Also it's probably packed full of malware.

Anyway I noticed my internet running really slow (I did a speed test and it was running at a tenth of the speed), and it started at like the exact same time he got up and turned on his computer, so I did a resource check and found this:

His laptop is sending out a huge amount of data through svchost.exe for some reason

Most of them are Microsoft, but apparently one is Verizon?

ChrisJSY, the data usage is from my ISP

I assume it's still listed as B/sec, that's almost no data being sent. That's less than 1 Mb/s

Slime · Nov 15, 2019

^Touche

Hm, well I did find an additional thing that weirded me out

I got a program called Wireless Network Watcher, and it shows a few devices (the router, my main PC, and my dad's lapop), but there's a bunch of stuff it doesn't show (my printer, Switch, and PS4, for example). However, it does show my laptop, which hasn't been connected to wi-fi for days. At least, it has my laptop's name, but the MAC address is completely wrong.

I don't want to get all tinfoil-y, but could the data usage be from someone spoofing my devices' MAC addresses and leeching off my network?

Slime · Nov 15, 2019

Slime said:
^Touche

Hm, well I did find an additional thing that weirded me out

I got a program called Wireless Network Watcher, and it shows a few devices (the router, my main PC, and my dad's lapop), but there's a bunch of stuff it doesn't show (my printer, Switch, and PS4, for example). However, it does show my laptop, which hasn't been connected to wi-fi for days. At least, it has my laptop's name, but the MAC address is completely wrong.

I don't want to get all tinfoil-y, but could the data usage be from someone spoofing my devices' MAC addresses and leeching off my network?

I'm starting to wonder if this is what's going on. I checked my router's settings and under multicast the IP that was interacting with dasHost.exe from this post had been added. I know for sure it wasn't there when I did a factory reset of my router and updated the firmware a few days ago:

https://www.resetera.com/threads/insane-data-upload-usage.152959/reply?quote=26481223

Has anyone here ever heard of multicast being abused and what that could mean for my data?

EDIT:

The IP in question had been added to the IGMP Group Exception List in my router's multicast section. I looked that up and found this:

Is it possible that's where my data's going?

GreenMonkey · Nov 16, 2019

As far as the IPs, I'm not in front of a PC where they are easily searchable, but you can check the owners/IP details for each one online. I like DNSlytics.com but there are tons of them. Looks like Microsoft owned IPs at a glance.

Router comps are a thing, but they are normally used to compromise your PCs (by writing malicious DNS stuff into them to redirect legit traffic to malware and then pwn your PCs).

I wouldn't expect a DDoS from a router to eat up a lot of data, typically router involved ones aren't using a ton of data, but a lot of very tiny packets (the power of a DDOS is in the many, many sources).

Are you sure you don't have anyone with an iPhone backing up to iCloud or whatever? That's still my first thought given the randomness of the data usage. It suggests someone syncing when plugged inm

Slime · Nov 16, 2019

GreenMonkey said:
As far as the IPs, I'm not in front of a PC where they are easily searchable, but you can check the owners/IP details for each one online. I like DNSlytics.com but there are tons of them. Looks like Microsoft owned IPs at a glance.

Router comps are a thing, but they are normally used to compromise your PCs (by writing malicious DNS stuff into them to redirect legit traffic to malware and then pwn your PCs).

I wouldn't expect a DDoS from a router to eat up a lot of data, typically router involved ones aren't using a ton of data, but a lot of very tiny packets (the power of a DDOS is in the many, many sources).

Are you sure you don't have anyone with an iPhone backing up to iCloud or whatever? That's still my first thought given the randomness of the data usage. It suggests someone syncing when plugged inm

Definitely no syncing going on. My brother uses iTunes for podcasts, but he doesn't even have an account. I use Google Drive but don't upload anything to it (mostly just use it as a glorified word processor).

One thing I started noticing over the past few days, though, was ridiculously slow download speeds over wi-fi on this one PC. Other devices are quite a bit faster, I contacted my ISP and they confirmed my speeds are correct, and I connected to the router via ethernet and everything was fine! But then I remembered that the other day when I upgraded to Windows 10 the ethernet adapter just vanished the next morning, so I did a network reset and it worked fine. Then the same thing happened on the 14th. So..I removed the network adapter again, did the network reset, and all of a sudden my download speeds are prefectly fine.

Also, when I was looking through my network devices, I noticed a unknown "Bluetooth (Personal Area Network)" device, so I removed that and disabled all my bluetooth settings.

Could something like that be the culprit (like a neighbor really determined to leech off my wi-fi) or something?

Slime · Nov 16, 2019

I think my PC has just been straight-up hacked.

In my recent files I noticed these user account short cuts I don't recognize:

I found .ink files for Programs and Features and Network sharing center with an unknown account:

and this:

what the balls?

Slime · Nov 16, 2019

Anyone know how to file a FoI request in Canada? Maybe I shouldn't have liked all those YPG tweets

GreenMonkey · Nov 17, 2019

That # is clearly is an SID (the underlying...call it a social security number) for another account. Do you have a login? I don't see your account there in the listings.

It's possible that is your user account and the display name has just gotten a little scrambled or something.

I'm not an acct expert offhand.

You might try downloading the utility Autoruns and using it to see what is autostarting with your PC. Most malware has to have persistence and that generally involves either a startup item, or a scheduler job. There's some other trickier ways to maintain persistence but you don't see them very often.

Look for startup items pointing at \Users folder, ProgramData, or elsewhere. Most ProgramFiles and Windows entries aren't going to be too concerning...system file protection makes putting stuff there or in core Windows folders not worth their time.

Slime · Nov 17, 2019

GreenMonkey said:
That # is clearly is an SID (the underlying...call it a social security number) for another account. Do you have a login? I don't see your account there in the listings.

It's possible that is your user account and the display name has just gotten a little scrambled or something.

I'm not an acct expert offhand.

You might try downloading the utility Autoruns and using it to see what is autostarting with your PC. Most malware has to have persistence and that generally involves either a startup item, or a scheduler job. There's some other trickier ways to maintain persistence but you don't see them very often.

Look for startup items pointing at \Users folder, ProgramData, or elsewhere. Most ProgramFiles and Windows entries aren't going to be too concerning...system file protection makes putting stuff there or in core Windows folders not worth their time.

My login's the one below it. I have no idea where the other one came from. The only ones currently listed in user management are the main one and the ASP.net Machine Account

I used Autoruns and noticed a bunch of weird Bluetooth-related ones

EDIT:

And just as I was typing this my computer slowed to a crawl because Windows Media Networking Service started going out of control?? Disabled that from starting automatically

Insane data upload usage

Resettlement Advisor

▲ Legend ▲

▲ Legend ▲