High Bandwidth Utilization Due To Windows Update

1. Due to an issue with Microsoft's BITS protocol and CDN environment, Windows Update may end up using high bandwidth. Your WAN utilization graph will look like this, even for several months.

[Image: WAN utilization graph]

2. To identify the service that is downloading the data, open Task Manager, go to the Performance tab and click Open Resource Monitor.

[Image: Open Resource Monitor]

3. In this case svchost.exe is the process downloading the data, and it should be connected to the Microsoft update Content Delivery Network (CDN).

A list of Microsoft update IPs can be found at:
https://github.com/crazy-max/WindowsSpyBlocker/blob/master/logs/win81/firewall-test-update.csv

[Image: Content Delivery Network]

4. Upon exploring the sub-services, you will find the BITS process downloading the data.

5. Drilling further into the BITS process, you will get the Job ID of the actual job transferring the data.

[Image: drilling the BITS process]

6. By further debugging the Job ID, you will get the name of the remote file being downloaded; it should be on windowsupdate.com.

[Image: debugging the Job ID]

7. Do a name lookup of the suspected IP, which is part of the Windows Update CDN.

[Image: Windows update CDN]

8. Due to this suspicious behaviour, some of these IPs are listed as malicious, which is probably incorrect.
https://www.malwares.com/report/ip?ip=117.18.232.200
https://www.abuseipdb.com/check/117.18.232.200
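
Steps 2 to 7 can also be run from an elevated PowerShell prompt instead of clicking through Resource Monitor. This is an added example, not part of the original post; the $ExpectedSuffixes list is an assumption taken from step 6, and the Expected column is only a triage hint.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session: -AllUsers needs administrator rights to see SYSTEM-owned jobs.
# Assumption: hosts under this suffix are the expected Windows Update source.
$ExpectedSuffixes = @('windowsupdate.com')

# Step 3: find the svchost.exe instance hosting BITS and its remote peers.
$bitsPid = (Get-CimInstance Win32_Service -Filter "Name='BITS'").ProcessId
if ($bitsPid) {
    Get-NetTCPConnection -OwningProcess $bitsPid -State Established -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Step 7: reverse (PTR) lookup of each remote address.
            $ptr = Resolve-DnsName -Name $_.RemoteAddress -Type PTR -ErrorAction SilentlyContinue
            [pscustomobject]@{
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                PtrName       = ($ptr.NameHost -join ', ')
            }
        } | Format-Table -AutoSize
}

# Steps 4 to 6: every BITS job, its Job ID, and the remote file it transfers.
$report = foreach ($job in Get-BitsTransfer -AllUsers) {
    foreach ($file in $job.FileList) {
        $uri = $null
        # TryCreate avoids errors on remote names that are not absolute URIs.
        $hostName = if ([uri]::TryCreate($file.RemoteName, [UriKind]::Absolute, [ref]$uri)) { $uri.Host } else { '' }
        # Match the host itself or any subdomain of an expected suffix.
        $expected = [bool]($ExpectedSuffixes | Where-Object {
            $hostName -eq $_ -or $hostName.EndsWith(".$_", [StringComparison]::OrdinalIgnoreCase)
        })
        [pscustomobject]@{
            JobId      = $job.JobId
            Name       = $job.DisplayName
            Owner      = $job.OwnerAccount
            State      = $job.JobState
            MBDone     = [math]::Round($file.BytesTransferred / 1MB, 1)
            RemoteName = $file.RemoteName
            Expected   = $expected
        }
    }
}
# Jobs whose remote host is outside the expected suffixes sort to the top.
$report | Sort-Object Expected, MBDone | Format-Table -AutoSize -Wrap
```

Rows with Expected set to False are BITS jobs pulling from somewhere other than windowsupdate.com and deserve a closer look before the traffic is written off as Windows Update.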
