According to this article on MSDN, Microsoft introduced the Network Connectivity Status Indicator (NCSI) in Windows Vista. While there may be a number of reasons to investigate this service, my motivation is eliminating the resulting network traffic from my malware sandbox. On Vista and Windows 7 the service performs an HTTP GET for a small text document, ncsi.txt, from www.msftncsi.com (later versions fetch connecttest.txt from www.msftconnecttest.com instead), and it also resolves dns.msftncsi.com as a DNS check. In a sandbox capture this shows up as unsolicited HTTP and DNS traffic that has nothing to do with the sample under analysis.
While it would be easy enough to filter this traffic based on its User-Agent header (Microsoft NCSI) or the destination host, in this scenario I find it better to eliminate the behavior altogether, so that nothing is generated in the first place. To accomplish this, only a single registry change is needed:
- Open the registry editor by pressing Windows-R, then typing in regedit before hitting enter
- Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet
- Double-click the EnableActiveProbing value (a REG_DWORD) and change its value data from 1 to 0
- Click OK
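The same change from an elevated PowerShell prompt, which is more convenient when building a sandbox image than clicking through regedit. This is an added example and not part of the original post; it records the previous value so the change can be reverted, reads the value back to confirm the write, and restarts NlaSvc so the new setting is picked up without a full reboot.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): disable NCSI active probing
# by setting EnableActiveProbing to 0, with a read-back check.

$Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet'
$Name = 'EnableActiveProbing'

# Record the current value so the change can be undone later
# (set it back to 1 to restore the default behaviour).
$before = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name
Write-Host "Before: $Name = $before"

# 0 = no active probe: no HTTP GET for the probe document and no DNS
# lookup of the probe host.
Set-ItemProperty -Path $Key -Name $Name -Value 0 -Type DWord

# Confirm the write actually landed before relying on it.
$after = (Get-ItemProperty -Path $Key -Name $Name).$Name
if ($after -ne 0) { throw "Failed to set $Name (value is still $after)" }
Write-Host "After:  $Name = $after"

# NlaSvc has to be restarted for the new value to take effect; -Force also
# restarts the services that depend on it. A reboot of the sandbox image
# works just as well if you are about to take a snapshot anyway.
Restart-Service -Name NlaSvc -Force
```

Set the value back to 1 and restart NlaSvc (or reboot) to re-enable probing if you later need the sandbox to report a normal Internet connection.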
Once NlaSvc has been restarted (or the machine rebooted), you should stop seeing that traffic. One side effect to be aware of: with active probing disabled, Windows can no longer confirm Internet connectivity on its own, so the network icon in the tray may report limited or no Internet access even when the sandbox's outbound path is working. For a malware sandbox that is an acceptable trade-off.