Why Does XP Auto-Connect to sa.windows.com?

termigator asks: "I have a private home network that has a Windows XP system on it (I know, the horrors, but it allows my wife to do some of her work at home). With recent discussions about DRM and the Microsoft EULA (which allows Microsoft to autodownload software), I decided to block all traffic on my Linux firewall from Microsoft systems (207.46.0.0/16) to the Windows XP box. This morning there was trapped traffic from Microsoft, after my wife was doing some work on the XP system the day before. I talked with my wife, and I could not determine what she could have done to cause the traffic to happen. Can anybody provide some insight?" Why can't Microsoft be up front about when it tries to phone home? Of course, phoning home isn't the big problem with most people, it's the fact that they try to be sneaky about it for certain tasks. With Microsoft pushing XP into the home, consumers should definitely be wary about storing private information on such systems until Microsoft provides some answers.

"Here is the logwatch summary:

Rejected packets from sa.windows.com (207.46.226.40).
  Port 1053     (tcp,eth0,output): 4 packet(s).
  Port 1054     (tcp,eth0,output): 4 packet(s).
Total of 8 packet(s).

Port 1053 is 'remote-as' and port 1054 is 'brvread'. I am guessing that the remote-as is related to the Remote Assistant feature in XP, but I've had no luck on finding any technical information about brvread via a Google search."

  • by jeffy124 ( 453342 ) on Friday July 26, 2002 @01:58PM (#3959708) Homepage Journal
    ...if she had difficulties using the system. eg... did any programs crash? did any error messages pop-up? etc.

    Also, how about you try using the box? Do exactly what she does, keeping watch on the firewall status for anything of interest. Experiment with the system and see what happens on the firewall.

    Lastly, consider removing the firewall block, and instead doing a tcpdump of the suspicious packets. See if anything of interest comes up.
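An added example, not part of the original thread, for following up on the logwatch summary in the question: logwatch files each rejected packet under its destination port, and the service name for that number can mislead when the port is only a client port the PC picked for an outgoing connection. The sketch below sorts rejected packets from 207.46.0.0/16 by TCP flags and port pair to show which end opened the conversation. The iptables LOG format, the `MSBLOCK` prefix, the internal address, source port 80 and every sample line are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict

BLOCKED_NET = ipaddress.ip_network("207.46.0.0/16")  # range blocked in the question
XP_CLIENT_PORTS = range(1025, 5001)  # Windows XP default ephemeral (client) ports
TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}
FIELD = re.compile(r"(\w+)=(\S+)")

def _line(src, spt, dpt, flags):
    # Constructed iptables LOG line; prefix, interfaces and DST are made up.
    return (f"Jul 26 07:12:01 fw kernel: MSBLOCK IN=eth0 OUT=eth1 SRC={src} "
            f"DST=192.168.1.20 PROTO=TCP SPT={spt} DPT={dpt} RES=0x00 {flags} URGP=0")

SAMPLE_LOG = "\n".join(
    [_line("207.46.226.40", 80, 1053, "ACK SYN")] * 4
    + [_line("207.46.226.40", 80, 1054, "ACK SYN")] * 4
    + [_line("207.46.0.9", 40000, 139, "SYN"),       # remote side opening a connection
       _line("198.51.100.7", 80, 1060, "ACK SYN")]   # outside the blocked range
)

def parse(line):
    """Split one LOG line into KEY=value fields plus the set of TCP flags."""
    rec = dict(FIELD.findall(line))
    rec["FLAGS"] = TCP_FLAGS.intersection(line.split())
    return rec

def classify(rec):
    """Decide which end started the conversation the rejected packet belongs to."""
    flags, spt, dpt = rec["FLAGS"], int(rec["SPT"]), int(rec["DPT"])
    if "SYN" in flags and "ACK" not in flags:
        return "remote-initiated"       # bare SYN: the outside host is connecting in
    if flags & {"ACK", "RST"} and spt < 1024 and dpt in XP_CLIENT_PORTS:
        return "reply-to-local-client"  # server port -> client port: answer to the PC
    return "undetermined"

def summarize(log_text, net=BLOCKED_NET):
    """Return {(src, dpt): {classification: count}} for TCP packets from `net`."""
    summary = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec.get("PROTO") != "TCP" or not rec.keys() >= {"SRC", "SPT", "DPT"}:
            continue
        if ipaddress.ip_address(rec["SRC"]) in net:
            summary[(rec["SRC"], int(rec["DPT"]))][classify(rec)] += 1
    return {key: dict(counts) for key, counts in summary.items()}

if __name__ == "__main__":
    for (src, dpt), counts in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src} -> local port {dpt}: {counts}")
```

A packet capture, as suggested above, gives the same fields (source port, destination port, flags) without depending on the firewall's log format.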
  • by crisco ( 4669 ) on Friday July 26, 2002 @02:03PM (#3959752) Homepage
    A search [google.com] on google for sa.windows.com reveals nothing. But notice the line that says: Find web pages that contain the term "sa.windows.com". Click that link [google.com] and you get plenty of results. Hmm, first search result [windows.com] is to a privacy page on that domain, that provides some clues. Second link [indenial.com] is to an archived message from the NTBugTraq list, that might be a great place to find an answer. The eighth result is a link to an article [lockergnome.com] on LockerGnome, a page or two down and you have a nice concise explanation of what sa.windows.com does.

    Now should I complete the whoring and post a cut and paste?

    naaa....

  • by dev0n ( 313063 ) on Friday July 26, 2002 @02:14PM (#3959841) Homepage
    By default, Windows XP looks to be configured for behind-the-scenes connection to sa.windows.com whenever any sort of search is required, particularly when using the search feature within Internet Explorer. I was quickly able to prove that by hitting the search button, the connections were opened immediately. You can turn that off by changing the preferences once you open the search dialog... after getting rid of that cheesy animated pooch, anyway. In the Change Preferences list, click "Change Internet search behavior" and choose "With Classic Internet search". Now when you open the search dialog, the connection to sa.windows.com will no longer be initiated. There may very well be other areas within Windows XP that are tied to that thing, but IE is the most obvious one.

    someone had to paste it! :) (from http://www.lockergnome.com/issues/techspecialist/20020314.html)
  • Search Assistant (Score:2, Informative)

    by topside420 ( 530370 ) on Friday July 26, 2002 @02:43PM (#3960110) Homepage
    It is a search assistant for Internet Explorer. A previous post had a great link [lockergnome.com] for info.

    You can turn the feature off by changing the search method to 'Classic' in Internet Options.

  • by YaRness ( 237159 ) on Friday July 26, 2002 @03:10PM (#3960367)
    you can block windows explorer (explorer.exe) from accessing the network with zone alarm (or a similar product).

    (and this doesn't interfere with internet explorer accessing the network, FYI)
  • by Futurepower(R) ( 558542 ) on Friday July 26, 2002 @05:09PM (#3961472) Homepage

    Here is a (probably incomplete) list of ways Windows XP connects to Microsoft's servers. To generate this list yourself, disable Microsoft's firewall, and use the ZoneAlarm firewall, which is free for personal use. When Windows XP tries to connect to Microsoft, ZoneAlarm will bring up a dialog box asking whether that is okay. If you say no to some of the requests, some functions of Windows XP will not work (like networking).
    1. Application Layer Gateway Service (Requires server rights.)
    2. Fax Service
    3. File Signature Verification
    4. Generic Host Process for Win32 Services (Requires server rights.)
    5. Microsoft Application Error Reporting
    6. Microsoft Baseline Security Analyzer
    7. Microsoft Direct Play Voice Test
    8. Microsoft Help and Support Center
    9. Microsoft Help Center Hosting Server (Wants server rights.)
    10. Microsoft Management Console
    11. Microsoft Media Player (tells Microsoft the music you like)
    12. Microsoft Network Availability Test
    13. Microsoft Volume Shadow Copy Service
    14. MS DTC Console program
    15. Run DLL as an app
    16. Services and Controller app
    17. Time Service, sets the time on your computer from Microsoft's computer.
    18. Microsoft Office keeps a number in each file you create that identifies your computer. Microsoft has never said why.
    19. Microsoft mouse software has reduced functionality until you let it connect to Microsoft computers.
    These are just the ones I know. There may be others.

    So, if you use Windows XP, your computer is dependent on Microsoft computers. That's bad, not only because you lose control over your possession, but because Microsoft produces buggy software and doesn't patch bugs quickly. For example, as of July 26, 2002, there are 20 unpatched security holes in Microsoft Internet Explorer [pivx.com]. This is a terrible record for a company that has $40 billion in the bank. Obviously, with that kind of money, Microsoft could fix the bugs if it wanted to fix them. Since the bugs are very public and Microsoft has the money, it seems reasonable to suppose that top management at Microsoft has deliberately decided that the bugs should remain, at least for now.

    It seems possible that there is a connection between all the bugs and the U.S. government's friendly treatment of Microsoft's law-breaking [usdoj.gov]. The U.S. government's CIA and FBI and NSA departments spy on the entire world, and unpatched vulnerabilities in Microsoft software help spies.

    There are many other big shortcomings in Windows XP. Windows XP, and all current Windows operating systems, have a file called the registry in which configuration information is written. If this one (large, often fragmented) file becomes corrupted, the only way of recovering may be to re-format the hard drive, re-install the operating system, and then re-install and re-configure all the applications. The registry file is a single, very vulnerable, point of failure. Microsoft apparently designed it this way to provide copy protection. Since most entries in the registry are poorly documented or not documented, the registry effectively prevents control by the user. There are many areas like this where Microsoft's design conflicts with the needs of the users.

    Note that Microsoft does not support making functional complete backups under Windows XP. Look at Microsoft's policy about this: Q314828 Microsoft Policy on Disk Duplication of Windows XP Installation [microsoft.com]. Only those who work with Microsoft software will understand the true meaning of Microsoft's policy. Since almost all programs use the registry operating system file, if you cannot make a functional copy of the operating system you cannot make a functional copy of all your application installations and configurations. There are other software companies that try to fix this, but the fixes don't work well, and Microsoft can, of course, break their implementations, as they have often done with other kinds of competitors.

    Because the configuration information for the motherboard and the configuration information for the applications are mixed together in the registry file, the registry tends to prevent you from moving a hard drive to a computer with a different motherboard. That's another implication of the above Microsoft policy. So, if you have a motherboard failure, and a good complete backup, you may not be able to recover unless you have a spare computer with the same motherboard.

    Only technically knowledgeable people know how to avoid signing up for a Microsoft Passport account during initial use of Windows XP. The name Passport gives an indication of Microsoft's thinking. A passport is a document issued by a sovereign nation. Without it, the nation's citizens cannot travel, and, if they leave, won't be allowed back in their own country. In Microsoft's corporate thinking, the company seems to be moving in the direction of believing that they own the user's computer. Most people are both honest and intimidated. Apparently about 95% do whatever they are asked on the screen. They give their personal information to Microsoft. They don't realize that, if they feel forced to get a Passport account, they should enter almost completely fictitious information, since the real question is not "What is your name and address", but "Can we invade your privacy". The honest answer to this is "No, you cannot invade my privacy", and the only effective way to communicate that is to give completely fictitious information. Since it is the educated people who have computers, Microsoft is building a database of the personal lives of educated people. Microsoft knows when they connect and from what IP address (which tends to show the area), what kind of help they ask, and information about what they are doing with their computers, including what music they like. It is not known, and there is no way to know, how much Microsoft or other organizations make use of this information, or their plans for future use.

    Not only has Windows XP definitely gone further in the direction of allowing the user less control over his or her own machine, but with Palladium, Microsoft apparently intends to finish the job: Microsoft will have ultimate control over the user's computer and therefore all his or her data. Even now, under Windows XP, a recent security patch requires that the user agree to a contract that gives Microsoft administrator privileges over the user's computer [theregus.com]. The contract says that if a user wants to patch his or her system against a bug which would allow an attack over the Internet, he or she must give Microsoft legal control over the computer. See this article also: Microsoft's Digital Rights Management-- A Little Deeper [bsdvault.net]. You may need to be a lawyer to take apart the crucial sentence. "These security related updates may disable your ability to copy and/or play Secure Content and [my emphasis] use other software on your computer" legally includes this meaning: "These updates may disable your ability to use other software on your computer." Note that the term "security related updates" is meaningless to the user because the updates have no relation to user security. So, the sentence effectively means that Microsoft can control the user's computer without notice and whenever it wants. That kind of sentence is known in psychology as "testing the limits". If there is no strong public complaint about this, expect to see more and stronger language like this.

    This Register article shows the direction Microsoft is going: MS Palladium protects IT vendors, not you [theregus.com]. Absolute power corrupts absolutely, and Microsoft is well down that road. See this ZDNet article, also: MS: Why we can't trust your 'trustworthy' OS [zdnet.com].

    These Microsoft policies mean that any government which wants to be independent of the United States government, and any government which represents itself as controlled by the people, cannot use Microsoft operating systems, or other Microsoft proprietary systems.

    Microsoft's self-destructiveness does not mean that the user should be self-destructive. There is no need to apologize for using Microsoft software. The correct solution to abuse is persuading the abuser to stop being abusive. Once I posted to a Slashdot story a link to an article on a web site of mine. By far the majority of visitors from the Slashdot story used Microsoft operating systems. Rather than feel embarrassed because Microsoft is abusive, action needs to be taken to prevent the abuse. If you are against Microsoft abuse, you are not against Microsoft; you are more pro-Microsoft than Bill Gates.

    In some areas, Microsoft Windows XP has reduced functionality. For example, the command line interface does less in some ways than the CLI in Windows 98 SE (Second Edition). The CLI is a big embarrassment because of its limited capabilities, but at least in Win 95 it worked. With every version since then it has worked less well. (There are two kinds of command prompt, and, according to Microsoft employees, the differences between them are not fully documented.)

    The command line prompt sometimes begins to display short file names. Microsoft employees say that Microsoft has no fix, although someone not connected with Microsoft did make a work-around.

    Cutting and pasting into a command line program often puts successive extra spaces before each line. Microsoft employees say that there is no plan to fix this.

    The fast paste mode that is in Windows 98 is gone in Windows XP. Microsoft employees say there is no plan to fix this.

    The DOS QuickEdit mode sometimes flashes wildly when trying to edit from a DOS box.

    When using the command line interface, Windows XP doesn't always update the time. After several hours, the time reported to command line programs can be several hours in error.

    There is a DOS program called START.EXE that can be used to start other programs. But it does not operate the same way as in other versions of Windows. It starts a program, but cannot be made to return control to the command line program as previous versions did. There is no technical reason for this; it is just one of the shortcomings that are allowed to exist.

    People often say that DOS has gone away. But Microsoft still calls the command line interface DOS, and in Windows XP Microsoft has added new programs for configuring the OS that work only under DOS.

    There are many other insufficiencies in Windows XP. Sometimes when you press a key while using Windows XP, it is seconds until there is any response. Apparently there is something wrong with the CPU scheduler in XP, because there are a lot of complaints about this in the forums and MS people have said that they are working on it. On one particular fresh installation of XP, on an Intel motherboard with either a Matrox G550 or an ATI Radeon video adapter, it requires 18 seconds to display a directory listing of 94 items. This is apparently related to a bug in the video software, not the adapter drivers.

    Something is wrong with the Alt-Tab display of running programs under Windows XP. If there are a lot of programs, not all of them are displayed. The order jumps around in a seemingly random way.

    Another indication of the direction Microsoft is taking Windows XP is that menus are sometimes 7 levels deep.

    The most recent version of this article is available at http://www.hevanet.com/peace/microsoft.htm [hevanet.com].
  • by GargoyleMT ( 9723 ) on Saturday July 27, 2002 @10:34AM (#3964112)
    Actually, in XP, the registry backup IS automagically made - that's what the "System Volume Information" folder in the root of your HD is used for. And that Application in the Accessories\System Tools Folder - called "System Restore"? That's how you access it. It'll work in safe mode, too.

    Not a cure-all for Registry Corruption, but it's an improvement from Windows 2000.
  • by greenrd ( 47933 ) on Sunday July 28, 2002 @06:34AM (#3967078) Homepage
    Microsoft has the ability (I know AT least since Win98) that Windows automatically backs up the registry periodically (ie, at shutdown or boot, major hardware change, etc).

    Irrespective of whether the rest of his post is right, that's not true. Windows 2000 does not back up the SOFTWARE hive automatically, although it does back up the other even more important one, SYSTEM I think (this is completely moronic, because the system is almost unusable without an up-to-date SOFTWARE hive). If you have a power cut, as I discovered to my cost, your registry may be corrupted beyond Windows' ability to repair it. Your only option (unless there's some expensive payware I don't know about) is to completely reinstall Win2K.

    You might say that I should have backed it up myself. But that would be nonsense. Is this covered anywhere in the getting started documentation? (I didn't see a copy of that, actually, because we have a site license and I just installed it from a CD) Does it say when you first install: "Tip of the Day: Windows 2000 is a crappy operating system, so you'd damn well back up your registry after every change if you don't want to have to reinstall everything after a power cut!"

    I think not.
