Today I will explain a behavior causing your machine to suddenly open a pop-up window of IE or Edge showing (usually) the MSN portal after the boot (or a network change). Yeah, it’s expected and is not a virus.
As you may all know (and if you don’t, please look at this note), Windows has an internal component for network connectivity changes detection called “Network Connectivity Status Indicator” (or NCSI as it’s called by his friends). This component, among other tasks, performs a background testing to determine if the machine has Internet connectivity, engages his brother, the Network Location Awareness (or NLA), to identify if it’s in a domain or a public network to define the proper firewall profile, etc.
As a summary, the NCSI, while detecting the internet connectivity, attempts to download a text file from either of the following addresses:
- Windows 8.1 and earlier versions: http://www.msftncsi.com/ncsi.txt
- Windows 10 and above: http://www.msftconnecttest.com/connecttest.txt
This, of course involves the following operations:
- DNS query and response for either of the FQDN.
- HTTP operations to contact the website.
- HTTP operations to determine those addresses contain the following Text content (without the quotes):
- Windows 8.1 and earlier: “Microsoft NCSI”
- Windows 10 and above: “Microsoft Connect Test”
As this is doing a simple HTTP GET operation over a plain text file hosted in a plain HTTP server, there is no information exchanged during the communication, so there is no cookies or other tracking components that may make you think it will get some of your personal information involved. The only information exchanged is a minimal download of the text file content from the server to your machine. Privacy is our key goal as a company.
So, what is the relationship of that procedure with the annoying IE or Edge pop-up?
Well, in certain scenarios, the NCSI cannot contact directly the NCSI website due to infrastructure limitations. For that reason, NCSI also has some passive probe processes (described in detail in the note I quoted before) in which it can identify if the machine has internet access due to the network usage. All of this is performed internally within Windows without getting any information outside of your machine. Again, we do care about your privacy.
This annoying-pop-up behavior is usually experienced in Windows 8 and higher. You may wonder why, and this is the explanation: Consider you’re at home checking your flight details before going to the airport. Your local network has no proxy nor Firewall limiting your internet connectivity. Your machine will perform the NCSI procedure without issues and will show you have Internet connectivity. It’s time to go to the airport, so you take a cab and get to that place. Your body is asking you for some caffeine, so you get to a Star-related coffee shop for a cup of coffee and want to check your social profiles while getting the caffeine inside your mouth. You connect to a public Wi-Fi hotspot from that place, which has a limitation of some sort of easy login. When you power up your machine, you will notice a Yellow Bang mark in your NIC and a “No internet” connectivity message when you hover over the NIC with the Mouse. In Windows 7 (and probably 8-8.1) you may see (usually if you pay much attention, because it vanishes quite quickly by design) a message stating that you need further actions to fully connect. If you didn’t see that message, you will have no internet until you open a browser and complete the requirements from that Wi-Fi hotspot to login. After that, you can start browsing the internet normally and, after a couple of seconds of browsing, you notice the Yellow bang mark magically is gone. What happened? The NCSI passive probe process.
Now, in recent versions, to make the user experience more comfortable for the normal user, when the machine detects some sort of login, it will immediately open the browser, so you can easily see the login requirements without opening the browser manually. That’s very cool, right?
OK, but I’m at my company’s network and we have no Wi-Fi hotspots in place, why is it still triggering the annoying-pop-up behavior?
Well, this usually happens when you have a proxy in place, and Windows is not allowed to contact the NCSI website directly. In such cases, the proxy will be contacted in the background and, usually, the proxy will require authentication, and after it gets authenticated, it will send you to http://www.msftconnecttest.com/redirect. This URI will redirect you to the MSN Portal. It’s a hotspot-like behavior.
Thanks for the clarification, but how do we stop that from happening? That’s really annoying!
To answer that, I will quote the note I mentioned at the beginning of this blog entry:
“We have also seen an issue where 3rd party Firewalls/Anti-Virus blocked the URL http://www.msftncsi.com/ncsi.txt resulting in a limited access status in the taskbar, even though there is
Internet Connectivity. Adding “*.msftncsi.com” to the list of trusted URLs should resolve the issue.”
Being that said, the only way to prevent the proxy from coming into action in the NCSI process, and avoiding the passive probe process (and therefore the annoying-pop-up behavior) is to whitelist the 2 addresses directly on your firewall over port 80 only:
For now, that’s all, hope this helps you understand why you’re experiencing this and also helps you save lots of time of troubleshooting!
See you next entry!