Disabling Network Connectivity Status Indicator (NCSI)

According to this article on MSDN, Microsoft introduced the Network Connectivity Status Indicator in Windows Vista. While there may be a number of reasons to investigate this service, my motivation is eliminating the resulting network traffic from my malware sandbox. This service performs an HTTP GET request for a text document, ncsi.txt, from any number of Microsoft hosts.

[Image: Requests for NCSI.txt in Moloch]

While it would be easy enough to filter this traffic based on the user-agent (Microsoft NCSI) or similar, in this scenario I find it even better to simply eliminate the behavior altogether. To accomplish this, only a simple change to the registry is needed.

Windows 7

  1. Open the registry editor by pressing Windows-R, typing regedit, and then pressing Enter

  2. Navigate to HKEY_LOCAL_MACHINE -> SYSTEM -> CurrentControlSet -> services -> NlaSvc -> Parameters -> Internet

  3. Double-click on EnableActiveProbing and change the value from 1 to 0

  4. Click OK

And now you should stop seeing that traffic!
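
The same registry change can be scripted when building or resetting a sandbox image. The following is an added example, not part of the original post: it uses the key and value named in the steps above, must be run from an elevated PowerShell prompt inside the guest, and the function names are hypothetical.

```powershell
# Added example: scripted equivalent of the regedit steps above.
# Key path and value name are the ones given in the post; function names are illustrative.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet'
$name = 'EnableActiveProbing'

function Get-NcsiActiveProbing {
    # Returns the current value, or $null if the value is absent.
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($item) { return $item.$name }
    return $null
}

function Disable-NcsiActiveProbing {
    if (-not (Test-Path $key)) {
        throw "Registry key not found: $key"
    }

    # Record the previous value so the change is visible in build logs.
    $before = Get-NcsiActiveProbing
    if ($before -eq 0) {
        Write-Output "$name is already 0; nothing to change."
        return
    }

    # -Force overwrites an existing value; DWord matches the type shown in regedit.
    New-ItemProperty -Path $key -Name $name -Value 0 -PropertyType DWord -Force | Out-Null

    # Read the value back rather than trusting the write.
    $after = Get-NcsiActiveProbing
    if ($after -ne 0) {
        throw "Write did not take effect; $name is still '$after'."
    }
    Write-Output "$name changed from '$before' to 0."
}

Disable-NcsiActiveProbing
```

Running it a second time reports that the value is already 0, so it is safe to include in a provisioning script that runs on every snapshot rebuild.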