Windows Troubleshooter Guide/Network Location Awareness

Windows computers have a system for detecting internet connectivity known as Network Location Awareness (NLA). It controls many aspects of how Windows categorizes internet connections, such as whether to assign networks as private or public[1]. When you adjust firewall setting based on whether the network is "private" and "public", the definition of private and public is whether or not your network is currently connected to a network you define as private or public[2].

Detecting Internet ConnectivityEdit

Network Location Awareness also has the ability to check and alert you whenever you are connected to the internet through a task force called Network Connectivity Status Indicator (NCSI). NCSI itself is an API for other programs to use when they need to know how good your internet connection is[3].

MethodEdit

But since Network Connectivity Status Indicator is itself an API, how the software detects whether you have internet connectivity is not exposed and can thus be hidden. However, a simple test can show what NCSI can do to check your internet connection[4]. Here is the method below:

  1. Check for website connection
    1. NCSI looks up www.msftncsi.com using your DNS.
    2. If the HTTP response header has a 200 OK status code, then it requests http://www.msftncsi.com/ncsi.txt[5]. Note that if you go to that url, the text file reads "Microsoft NCSI".
  2. Check for DNS connection
    1. Also, NCSI does a check for the existence of dns.msftncsi.com through your DNS.
    2. If it exists, then NCSI checks whether the IP is 131.107.255.255.
    3. If there is any problem in either getting a response for the DNS lookup or the IP doesn't match, the internet is assumed to have an issue.
    4. If the error dns_probe_finished_bad_config then try to get a static ip using vpn or contacting your internet service provider.[7]
  3. Check for IPv6 connection
    1. Similar, but dns.msftncsi.com is expected to resolve to fd3e:4f5a:5b81::1, and in HTTP test www is changed to ipv6 in text file URL.

AnalysisEdit

If #2 works and #1 fails (the definition of fails is if there isn't a response or a redirect), then Windows alerts you that some kind of authentication might be blocking your internet connectivity (like a need to sign-in before using the internet) [4].

If #2 fails (the definition of fails is if there isn't a response [resolution failure] or the wrong address is returned), then Windows alerts you that you have no internet connection [4].

Note that sometimes, you might get a yellow warning sign/exclamation mark indicating that you have no internet, yet can connect fine. In this case, judging by the above cases, it should mean that #2 failed but #1 works.

Configuring NCSIEdit

The configuration parameters for NCSI uses the Registry. The key is located at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet. The list of the typical values are here

List of typical values at the Key (Windows 10)
Name Type Data
(Default) REG_SZ (value not set)
ActiveDnsProbeContent REG_SZ 131.107.255.255
ActiveDnsProbeContentV6 REG_SZ fd3e:4f5a:5b81::1
ActiveDnsProbeHost REG_SZ dns.msftncsi.com
ActiveDnsProbeHostV6 REG_SZ dns.msftncsi.com
ActiveWebProbeContent REG_SZ Microsoft NCSI
ActiveWebProbeContentV6 REG_SZ Microsoft NCSI
ActiveWebProbeHost REG_SZ www.msftncsi.com
ActiveWebProbeHostV6 REG_SZ ipv6.msftncsi.com
ActiveWebProbePath REG_SZ ncsi.txt
ActiveWebProbePathV6 REG_SZ ncsi.txt
EnableActiveProbing REG_DWORD 0x00000001 (1)
PassivePollPeriod REG_DWORD 0x0000000f (15)
StaleThreshold REG_DWORD 0x0000001e (30)
WebTimeout REG_DWORD 0x00000023 (35)

As you can see, changing the data of the name will change the behavior of what NCSI does. For example, changing ActiveWebProbeHost will change what website it will check. EnableActiveProbing is a boolean value that, if set to 0, turns off NCSI. Any other value turns it on. The last three names, PassivePollPeriod; StaleThreshold; and WebTimeout, have no predictable effect on the system [4].

PrivacyEdit

As a side note, on the Microsoft documentation page describe how NCSI works, they mention that

IIS logs are stored on the server at www.msftncsi.com. These logs contain the time of each access and the IP address recorded for that access. These IP addresses are not used to identify users, and in many cases, they are the address of a network address translation (NAT) computer or proxy server, not a specific client behind that NAT computer or proxy server[6].

ReferencesEdit

  1. "Network Location Awareness". TechNet. Microsoft. https://technet.microsoft.com/en-us/library/cc753545(v=ws.10).aspx. Retrieved 01/11/2016. 
  2. [[w:https://social.technet.microsoft.com/profile/MichaelPlatts%20[msft] |MichaelPlatts]]. "Network Location Awareness (NLA) and how it relates to Windows Firewall Profiles". TechNet. Microsoft. http://blogs.technet.com/b/networking/archive/2010/09/08/network-location-awareness-nla-and-how-it-relates-to-windows-firewall-profiles.aspx. Retrieved 01/11/2016. 
  3. "Network Awareness in Windows Vista and Windows 7". Microsoft Developer Network. Microsoft. https://msdn.microsoft.com/en-us/library/ee264321(v=vs.85).aspx. Retrieved 01/11/2016. 
  4. a b c d MichaelPlatts. "Windows 7 Network Awareness: How Windows knows it has an internet connection". superuser community blog. StackExchange. http://blog.superuser.com/2011/05/16/windows-7-network-awareness/. Retrieved 01/11/2016. 
  5. Changed to http://www.msftconnecttest.com/connecttest.txt in Windows 10 build 1607 (Anniversary Update), new text file reads "Microsoft Connect Test"
  6. "Appendix K: Network Connectivity Status Indicator and Resulting Internet Communication in Windows Vista". TechNet. Microsoft. https://technet.microsoft.com/en-us/library/cc766017(v=WS.10).aspx. Retrieved 01/11/2016. "Encryption and storage: NCSI does not use encryption (both the requests it sends and the responses it receives are standardized, as shown in the table earlier in this subsection). IIS logs are stored on the server at www.msftncsi.com. These logs contain the time of each access and the IP address recorded for that access. These IP addresses are not used to identify users, and in many cases, they are the address of a network address translation (NAT) computer or proxy server, not a specific client behind that NAT computer or proxy server."