Windows services run within host processes. Observing the traffic using Windows 8's Resource Monitor, I see traffic generated by svchost.exe (netsvcs). It appears to be directed towards an IP address controlled by a major Croatian ISP.
The address is 213.191.147.215.
Traffic generated by svchost.exe (NetworkService) is directed toward a (very similar) 213.191.147.216. Sniffing with Wireshark reveals that HTTP requests toward 213.191.147.216 include /msdownload/... in the URL.
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?edc2fcdacea5cc1a HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Microsoft-CryptoAPI/6.3 Host: ctldl.windowsupdate.com HTTP/1.1 200 OK Cache-Control: max-age=604800 Content-Type: application/octet-stream Last-Modified: Fri, 04 Oct 2013 00:14:07 GMT Accept-Ranges: bytes ETag: "80f18a496c0ce1:0" Server: Microsoft-IIS/7.5 X-Powered-By: ASP.NET Content-Length: 54009 Date: Tue, 22 Oct 2013 12:44:14 GMT Connection: keep-alive
This leads me to conclude these are both members of a Microsoft CDN in Croatia.
I have attempted to disable Windows Update service, but the download from .215 continued. This is troublesome; during summer, I had over 200mb downloaded over 3G within 10 minutes before I noticed what was happening. This was only minutes after I paid for 1gb of traffic to my provider. I really don't like Microsoft wasting my money after being explicitly told NOT to download any updates in the background.
Today I noticed this again. While I am not connecting via cellphone at this point, I'd love to know the solution to the issue once and for all.
Since I don't feel like disabling services at random hoping I'll hit the one that generates traffic, I'd highly prefer identifying which service is creating traffic.
How do I identify which background service initiated the download? How do I identify which background services are generating network traffic?
Best Answer
I use TCPView from Sysinternals (MS Technet) for viewing realtime connection information in windows. it includes the process that initiates the flow.
http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx
if the traffic is coming from a SvcHost process, note the PID of the process, and run
in a command prompt. open the file and make note of the servies that share that PID. one of them is the culprit. you should be able to disable many of them in services.msc.
if the traffic comes from PID 4 (the system process), you probably won't be able to dig deeper easily, but you can probably identify the thread causing the traffic with Process Explorer also from SysInternals, and from there the dlls that make up its stack. theres very little you can do based on this information however.
good luck.