Wednesday, November 5, 2025

Windows - How to check svchost.exe outgoing connections to external DNS servers other than my local DNS


How to check svchost.exe connecting to remote addresses effectively. 


I use a tool from Nirsoft that makes this easy using LiveTcpUdpWatch - View TCP/UDP network activity of every application on Windows (nirsoft.net)





Process ID Process Name Protocol Local Port Local Address Remote Port Remote Port Name Remote Address Received Bytes Sent Bytes Received Packets Sent Packets Receive Speed Send Speed Connect Time Disconnect Time Accept Time Connections Count Disconnect Count Process Path ASN Remote IP Country Organization Remote IP Remote Host Name
1672 svchost.exe UDP IPv6 5355 ff02::1:3 49911   fe80::d4a5:1562:817:1350 48   2                 C:\Windows\System32\svchost.exe       fe80::d4a5:1562:817:1350  

Let's now to examine the remote address fe80::d4a5:1562:817:1350, we right-click on the line and choose



You have to get IPNetInfo: Retrieve IP Address Information from WHOIS servers (nirsoft.net) and install it in same directory, say something like C:\Program Files (x86)\Nirsoft

With the following window below, text extracted and we see it connect to IANA for DNS Server.

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2025, American Registry for Internet Numbers, Ltd.
#


NetRange:       FE80:: - FEBF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
CIDR:           FE80::/10
NetName:        IANA-LINK-LOCAL-UNICAST
NetHandle:      NET6-FE80-1
Parent:          ()
NetType:        IANA Special Use
OriginAS:       
Organization:   Internet Assigned Numbers Authority (IANA)
RegDate:        2022-02-26
Updated:        2024-05-24
Comment:        Link-Local Unicast [RFC4291]
Ref:            https://rdap.arin.net/registry/ip/FE80::



OrgName:        Internet Assigned Numbers Authority
OrgId:          IANA
Address:        12025 Waterfront Drive
Address:        Suite 300
City:           Los Angeles
StateProv:      CA
PostalCode:     90292
Country:        US
RegDate:        
Updated:        2024-05-24
Ref:            https://rdap.arin.net/registry/entity/IANA


OrgAbuseHandle: IANA-IP-ARIN
OrgAbuseName:   ICANN
OrgAbusePhone:  +1-310-301-5820 
OrgAbuseEmail:  abuse@iana.org
OrgAbuseRef:    https://rdap.arin.net/registry/entity/IANA-IP-ARIN

OrgTechHandle: IANA-IP-ARIN
OrgTechName:   ICANN
OrgTechPhone:  +1-310-301-5820 
OrgTechEmail:  abuse@iana.org
OrgTechRef:    https://rdap.arin.net/registry/entity/IANA-IP-ARIN


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2025, American Registry for Internet Numbers, Ltd.
#


AI Content


What is fe80::d4a5:1562:817:1350?

  • This is a link-local IPv6 address, part of the fe80::/64 range.

  • Link-local addresses are automatically assigned to network interfaces for communication within the same local network segment.

  • They are not routable on the internet and are used for internal purposes like device discovery and service resolution.

Why is svchost.exe connecting to it?

  • svchost.exe hosts many Windows services. In this case, it's likely handling:

    • LLMNR (Link-Local Multicast Name Resolution): Resolves names without DNS.

    • NDP (Neighbor Discovery Protocol): Detects other devices and configures network settings.

    • mDNS or SSDP: Service discovery protocols used by apps and devices.

These protocols use UDP over IPv6 to communicate with nearby devices using link-local addresses like fe80::d4a5:1562:817:1350.

🔐 Is this safe?

  • Yes, this is normal behavior in IPv6-enabled networks.

  • It’s part of how Windows discovers and interacts with other devices (printers, routers, etc.).

  • If you're concerned about privacy or traffic:

    • You can disable unused IPv6 features or the IP Helper service.

    • Use tools like Wireshark or Process Explorer to monitor activity.


IANA server ? 

The connection to fe80::/64 by svchost.exe on Windows 7 is not to an IANA server—it’s a local link-local IPv6 address used for internal network communication.

Here's a breakdown of what’s happening and why:

What is fe80::/64?

  • fe80::/64 is a reserved IPv6 address range for link-local communication.

  • These addresses are automatically assigned to network interfaces and are only valid within the local network segment.

  • They cannot be routed across the internet and are not associated with IANA servers or any external organization.

Why is svchost.exe connecting to it?

  • svchost.exe is a generic host process that runs Windows services.

  • In this case, it's likely hosting the IP Helper service (iphlpsvc), which supports IPv6 features like:

    • LLMNR (Link-Local Multicast Name Resolution) for name resolution without DNS

    • Neighbor Discovery Protocol (NDP) for detecting other devices on the local network

    • Multicast DNS (mDNS) or other service discovery protocols

These services use UDP over IPv6 to communicate with other devices on the same local network using link-local addresses like fe80::d4a5:1562:817:1350.

Posted by metadataconsulting (profile) at 7:00 AM

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)