That’s where I started 2 weeks ago. But I tried it again and made some headway.
I kept track of when the Pi-Hole showed access to the two domains from my PC every 2 minutes.
Ran Process Monitor (to show Network Activity) and Wireshark, both as Admin. Opened Windows PowerShell as Admin and typed:
tasklist /svc /fi "imagename eq svchost.exe"
Then I waited and clicked enter on the command exactly when my PC was accessing those 2 domains.
Checked Wireshark for the same time and found the packets being sent to the pi-hole to check the DNS of those two domains.
Double clicked the packets and scrolled down to find the Source Port numbers:
57098 and 65208
Switched to Process Monitor and located the processes captured during the same time that were using those same Source Port numbers.
Double clicked and now I had:
- the PID (1576),
- the Path (C:\Windows\system32),
- the Command Line parameters (-k NetworkService) and
- the process name (svchost.exe)
Unfortunately, it’s the ubiquitous svchost.exe.
Switched to Windows PowerShell and checked the results from when I ran the tasklist command.
PS C:\Users\MyPC> tasklist /svc /fi "imagename eq svchost.exe"

Image Name                     PID Services
========================= ======== ============================================
svchost.exe                   1576 CryptSvc, Dnscache, LanmanWorkstation,
Now I have the Services behind svchost.exe.
Then I went into the Registry and found the Registry Entries for each of the 4 Services and that gave me the DLL files and the file paths. They’re all under %SystemRoot%\System32:
CryptSvc = cryptsvc.dll
Dnscache = dnsapi.dll
LanmanWorkstation = wkssvc.dll
NlaSvc = nlasvc.dll
Ran System File Checker with the command
Windows Resource Protection did not find any integrity violations.
Scanned each file with MalwareBytes and Avira.
Decided to check each service’s Display Name and Description:
CryptSvc = Cryptographic Services = Provides four management services: Catalog Database Service, which confirms the signatures of Windows files and allows new programs to be installed; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; Automatic Root Certificate Update Service, which retrieves root certificates from Windows Update and enable scenarios such as SSL; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
Dnscache = DNS Client = The DNS Client service (dnscache) caches Domain Name System (DNS) names and registers the full computer name for this computer. If the service is stopped, DNS names will continue to be resolved. However, the results of DNS name queries will not be cached and the computer’s name will not be registered. If the service is disabled, any services that explicitly depend on it will fail to start.
LanmanWorkstation = Server = Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
NlaSvc = Network Location Awareness = Collects and stores configuration information for the network and notifies programs when this information is modified. If this service is stopped, configuration information might be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Now I’m stumped. Do I stop each service and see if it stops access? Or bypass Pi-Hole and see if my PC is still accessing these domains every minute?
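The same port-to-process-to-service chain described in the post, scripted so it can be repeated while the queries are happening, as an added example (not code from the original post). It assumes a Windows 10/11 host with the NetTCPIP module, an elevated PowerShell session, and that each service's DLL is registered under the usual ServiceDll value; the function names Resolve-PortOwner and Get-ServicesInProcess are my own. The ports and PID in the usage lines are the ones from the post above.

```powershell
# Added example: map a source port seen in Wireshark to the owning process,
# then list the services hosted in that process together with their
# ServiceDll and its Authenticode status (a scripted "tasklist /svc" plus
# the registry and signature checks done by hand above).
# Assumes Windows 10/11, NetTCPIP module, elevated session.

function Resolve-PortOwner {
    param(
        [Parameter(Mandatory)][int[]]$LocalPort
    )
    foreach ($port in $LocalPort) {
        # DNS queries normally leave over UDP, but check both tables. The socket
        # is usually closed again within seconds, so run this while the traffic repeats.
        $endpoints = @()
        $endpoints += Get-NetUDPEndpoint  -LocalPort $port -ErrorAction SilentlyContinue
        $endpoints += Get-NetTCPConnection -LocalPort $port -ErrorAction SilentlyContinue
        if (-not $endpoints) {
            Write-Warning "Port $port is not open right now; run again while the queries are being sent."
            continue
        }
        foreach ($ep in $endpoints) {
            $ownerPid = $ep.OwningProcess          # $PID itself is a read-only automatic variable
            $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalPort = $port
                PID       = $ownerPid
                Process   = $proc.ProcessName
                Path      = $proc.Path
            }
        }
    }
}

function Get-ServicesInProcess {
    param(
        [Parameter(Mandatory)][int]$ProcessId
    )
    # Every service sharing this svchost instance (e.g. the "-k NetworkService" group)
    Get-CimInstance Win32_Service -Filter "ProcessId = $ProcessId" | ForEach-Object {
        $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)"
        # ServiceDll normally lives under ...\Parameters; a few services keep it on the key itself
        $dll = (Get-ItemProperty -Path "$svcKey\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) {
            $dll = (Get-ItemProperty -Path $svcKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        }
        $dllPath = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { $null }
        # Windows system DLLs are catalog-signed; Get-AuthenticodeSignature reports those as Valid.
        # NotSigned, HashMismatch or an unexpected signer is what would deserve a closer look.
        $sig = if ($dllPath -and (Test-Path $dllPath)) { Get-AuthenticodeSignature -FilePath $dllPath } else { $null }
        [pscustomobject]@{
            Service     = $_.Name
            DisplayName = $_.DisplayName
            State       = $_.State
            CommandLine = $_.PathName
            ServiceDll  = $dllPath
            Signature   = $sig.Status
            Signer      = $sig.SignerCertificate.Subject
        }
    }
}

# Usage with the values from the post: the two source ports from the DNS packets,
# then the svchost PID they resolved to.
Resolve-PortOwner -LocalPort 57098, 65208 | Format-Table -AutoSize
Get-ServicesInProcess -ProcessId 1576      | Format-Table -AutoSize
```

Because every service in a shared svchost group owns the same sockets, the port lookup can only narrow things down to the process; the service list plus the DLL signature status is as far as this step goes, and it does not require stopping any of the services to collect.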