Windows 8.1 constant svchost connections to Google?

Calico

Calico

New Member
Power User
Messages
828
I've recently installed Windows 8.1 and I noticed Svchost is constantly attempting to connect to Google. As I don't use any google services, apart from Gmail (via thunderbird) and I firefox only as my browser, I'm quite curious.

My firewall log gas lots of entries similar to these:
Code: 
25/03/2015 19:17:20 | 920 | Host Process for Windows Services | C:\windows\system32\svchost.exe | Out | 59684 | 173.194.71.132 | 443 | TCP
25/03/2015 19:17:20 | 920 | Host Process for Windows Services | C:\windows\system32\svchost.exe | Out | 59685 | 173.194.71.132 | 443 | TCP
25/03/2015 19:16:20 | 920 | Host Process for Windows Services | C:\windows\system32\svchost.exe | Out | 59682 | 64.233.164.132 | 443 | TCP
25/03/2015 19:16:20 | 920 | Host Process for Windows Services | C:\windows\system32\svchost.exe | Out | 59683 | 173.194.71.132 | 443 | TCP
25/03/2015 19:15:20 | 920 | Host Process for Windows Services | C:\windows\system32\svchost.exe | Out | 59680 | 64.233.164.132 | 443 | TCP
25/03/2015 19:15:20 | 920 | Host Process for Windows Services | C:\windows\system32\svchost.exe | Out | 59681 | 64.233.164.132 | 443 | TCP
25/03/2015 19:14:20 | 920 | Host Process for Windows Services | C:\windows\system32\svchost.exe | Out | 59678 | 64.233.164.132 | 443 | TCP
25/03/2015 19:14:20 | 920 | Host Process for Windows Services | C:\windows\system32\svchost.exe | Out | 59679 | 64.233.164.132 | 443 | TCP
25/03/2015 19:13:20 | 920 | Host Process for Windows Services | C:\windows\system32\svchost.exe | Out | 59632 | 64.233.164.132 | 443 | TCP

The IP addresses:
Code: 
==================================================
Order             : 1
IP Address        : 173.194.71.132
Status            : Succeed
Country           : USA - California
Network Name      : GOOGLE
Owner Name        : Google Inc.
From IP           : 173.194.0.0
To IP             : 173.194.255.255
CIDR              : 173.194.0.0/16
Allocated         : Yes
Contact Name      : Google Inc.
Address           : 1600 Amphitheatre Parkway, Mountain View
Email             : arin-contact@google.com
Abuse Email       : arin-contact@google.com
Phone             : +1-650-253-0000 
Fax               : 
Whois Source      : ARIN
Host Name         : 
Resolved Name     : 
==================================================

==================================================
Order             : 2
IP Address        : 64.233.164.132
Status            : Succeed
Country           : USA - California
Network Name      : GOOGLE
Owner Name        : Google Inc.
From IP           : 64.233.160.0
To IP             : 64.233.191.255
CIDR              : 64.233.160.0/19
Allocated         : Yes
Contact Name      : Google Inc.
Address           : 1600 Amphitheatre Parkway, Mountain View
Email             : arin-contact@google.com
Abuse Email       : arin-contact@google.com
Phone             : +1-650-253-0000 
Fax               : 
Whois Source      : ARIN
Host Name         : 
Resolved Name     : 
==================================================

The PID (920 currently) for the Svchost in question leads to:
Appinfo
BITS
gpsvc
iphlpsvc
LanmanServer
ProfSvc
RasMan
Schedule
SENS
ShellHWDetection
Themes
Winmgmt

I'm quite familiar with these services but I can't relate any of them to the connections shown above. I had a look through Task Scheduler but couldn't find any Google related tasks.

I'm probably missing something here...

Anyone have any ideas?
 

My Computer

System One

  • OS
    Windows 7 x64 Ultimate/Windows 8.1/Linux
    CPU
    FX-8350
    Motherboard
    GA-990XA-UD3
    Memory
    16GB DDR3 Corsair Vengeance
    Graphics Card(s)
    HD7860
    Sound Card
    Xonar Essence STX
    Monitor(s) Displays
    Benq
    Screen Resolution
    1920x1080
    Hard Drives
    Various
    PSU
    Corsair HX 850W
    Case
    Corsair Obsidian
    Cooling
    Thermalright
    Keyboard
    Logitech
    Mouse
    Logitech
    Internet Speed
    50/50
    Browser
    firefox
It is most likely related to [FONT=Verdana, Arial, Tahoma, Calibri, Geneva, sans-serif]thunderbird's checking, since it is regular.
Try to close [/FONT]thunderbird to see, if those connections will disappear.
 

My Computer

System One

  • OS
    Win 8.1.1 Pro x64
    Computer type
    Laptop
    System Manufacturer/Model
    Lenovo E525
    CPU
    AMD A4-3300M @ 2,0GHz
    Memory
    6GB DDR3 1333MHz
    Graphics Card(s)
    AMD Radeon HD 6480G 512MB shared
    Sound Card
    Creative Sound Blaster X-Fi Surround 5.1
    Screen Resolution
    1366x768
    Hard Drives
    WD 465GB
    Cooling
    Fusion Tweaker
    Keyboard
    Logitech K360
    Mouse
    Logitech M705
    Internet Speed
    50/50 MBps
    Browser
    Yandex
    Antivirus
    No AV & No Firewall
    Other Info
    Headphones: Sennheiser RS170
TairikuOkami said:
It is most likely related to [FONT=Verdana, Arial, Tahoma, Calibri, Geneva, sans-serif]thunderbird's checking, since it is regular.
Try to close [/FONT]thunderbird to see, if those connections will disappear.
Click to expand...


Thanks for the reply. Unfortunately, thunderbird doesn't use svchost, it makes it's own connections. Also. the secure mail ports used by Gmail are 995 and 465. However, the IP address used by thunderbird when checking mail does fall with one of the blocks mentioned above.

Code: 
25/03/2015 21:23:57 | 548 | Thunderbird | M:\windows\mozilla\thunderbird\thunderbird.exe | Out | 60626 | 64.233.165.16 | 995 | TCP

Curiously, whilst investigating this, I noticed my feed reader (QuiteRSS) also makes connections to an address within the 173.194 block. Specifically - 173.194.71.121 which points to lb-in-f121.1e100.net. This a generic Google host name:

What is 1e100.net?

1e100.net is a Google-owned domain name used to identify the servers in our network.

Following standard industry practice, we make sure each IP address has a corresponding hostname. In October 2009, we started using a single domain name to identify our servers across all Google products, rather than use different product domains such as youtube.com, blogger.com, and google.com. We did this for two reasons: first, to keep things simpler, and second, to proactively improve security by protecting against potential threats such as cross-site scripting attacks.

Most typical Internet users will never see 1e100.net, but we picked a Googley name for it just in case (1e100 is scientific notation for 1 googol).
Click to expand...

Source

In one link I read this is related to Chrome and Google safe browsing, but I don't have any chromium based products installed or otherwise. I know firefox also uses Google safe browsing but disabling that made no difference. I wonder if IE uses this service...
 

My Computer

System One

  • OS
    Windows 7 x64 Ultimate/Windows 8.1/Linux
    CPU
    FX-8350
    Motherboard
    GA-990XA-UD3
    Memory
    16GB DDR3 Corsair Vengeance
    Graphics Card(s)
    HD7860
    Sound Card
    Xonar Essence STX
    Monitor(s) Displays
    Benq
    Screen Resolution
    1920x1080
    Hard Drives
    Various
    PSU
    Corsair HX 850W
    Case
    Corsair Obsidian
    Cooling
    Thermalright
    Keyboard
    Logitech
    Mouse
    Logitech
    Internet Speed
    50/50
    Browser
    firefox
It is related to Google Search as well. If you are running Firefox and you type something into URL bar, it will give you suggestions, which it gets from Google Search, since it is Mozilla's default search engine.
 

My Computer

System One

  • OS
    Win 8.1.1 Pro x64
    Computer type
    Laptop
    System Manufacturer/Model
    Lenovo E525
    CPU
    AMD A4-3300M @ 2,0GHz
    Memory
    6GB DDR3 1333MHz
    Graphics Card(s)
    AMD Radeon HD 6480G 512MB shared
    Sound Card
    Creative Sound Blaster X-Fi Surround 5.1
    Screen Resolution
    1366x768
    Hard Drives
    WD 465GB
    Cooling
    Fusion Tweaker
    Keyboard
    Logitech K360
    Mouse
    Logitech M705
    Internet Speed
    50/50 MBps
    Browser
    Yandex
    Antivirus
    No AV & No Firewall
    Other Info
    Headphones: Sennheiser RS170
TairikuOkami said:
It is related to Google Search as well. If you are running Firefox and you type something into URL bar, it will give you suggestions, which it gets from Google Search, since it is Mozilla's default search engine.
Click to expand...

No, I'm afraid it's not that either. I remove the default search engines from firefox and replace with DDG. I also use Omnibar with search suggestions disabled and I have 'browser.search.suggest.enabled' set to false in my user.js. Moreover, firefox doesn't use svchost for making searches.

Edit: I should have mentioned in my original post, these are all in the 'blocked' connection log. So whatever is causing these connections is not adversely affecting day-to-day activities, at least not noticeably.
 

My Computer

System One

  • OS
    Windows 7 x64 Ultimate/Windows 8.1/Linux
    CPU
    FX-8350
    Motherboard
    GA-990XA-UD3
    Memory
    16GB DDR3 Corsair Vengeance
    Graphics Card(s)
    HD7860
    Sound Card
    Xonar Essence STX
    Monitor(s) Displays
    Benq
    Screen Resolution
    1920x1080
    Hard Drives
    Various
    PSU
    Corsair HX 850W
    Case
    Corsair Obsidian
    Cooling
    Thermalright
    Keyboard
    Logitech
    Mouse
    Logitech
    Internet Speed
    50/50
    Browser
    firefox
You must log in or register to reply here.
Back
Top