Solved

Why does Explorer.exe seek sa.windows.com(80) on open?

Posted on 2003-11-10
6
1,631 Views
Last Modified: 2008-02-01
Why is explorer trying to connect to Mirosoft everytime I open it.

Not IE but Windows "%SystemRoot%\explorer.exe".

Here is my NIS log:
Details: This one time, the user has chosen to "block" communications
Outbound TCP connection
Remote address,service is (sa.windows.com(207.46.248.249),http(80))
Process name is "C:\WINDOWS\Explorer.EXE"

Thanks in advance.
0
Comment
Question by:Suburb-Man
6 Comments
 
LVL 24

Expert Comment

by:Kenneniah
ID: 9717201
It's a part of the search assistant. It goes online to verify connections and possibly pull updates to the search assistant. I'm not sure if anyone has figured out exactly what the purpose is, but here's what MS says about it:

http://sa.windows.com/privacy/
0
 
LVL 24

Accepted Solution

by:
Kenneniah earned 125 total points
ID: 9717212
Software updates

The Search Companion Web Service is designed to automatically upgrade as product bugs are discovered and fixed and new features become available.  As you use the Search Companion service, it will periodically use your Internet connection to check whether certain supporting files have been updated.  If an update is available, Search Companion will replace the outdated supporting files on your machine with newer versions of those files downloaded from Microsoft servers.  Search Companion supporting files are very small, and downloads will only take a few seconds even on slow Internet connections.  Supporting files do not contain executable code, and can not be used to infect your machine with a software virus.

Search Companion may check for updates even if you are using Search Companion only to find files on your local system.  For example, if you use Search Companion to find only Music files on your machine, Search Companion may check to see if there are any new types of Music files that should be included in your search.  No information about your local system or the content of your search is ever sent to Microsoft during this update check.

0
 
LVL 3

Expert Comment

by:jman1980
ID: 9717215
there are various trojans that use legitimate names in your machine. the only legitimate reason that i could think of this trying to connect is if you have autoupdate enabled. if you dont, it could be something like this... http://www.cexx.org/dlder.htm
0
Get up to 2TB FREE CLOUD per backup license!

An exclusive Black Friday offer just for Expert Exchange audience! Buy any of our top-rated backup solutions & get up to 2TB free cloud per system! Perform local & cloud backup in the same step, and restore instantly—anytime, anywhere. Grab this deal now before it disappears!

 
LVL 34

Expert Comment

by:sramesh2k
ID: 9718712
The Search Assistant connects to sa.windows.com to keep the Search feature up to date, tips, etc on the WindowsXP machine.  You can stop it from connecting by reverting to the Classic Search

This is done to check for updates to its features, tips, wording and etc. Not allowing access can cause its own set of problems, usually a "A file that is required........." error message.

http://groups.google.com/groups?q=sa.windows.com&hl=en&lr=&ie=UTF-8&selm=OdMBczeKDHA.1960%40TK2MSFTNGP11.phx.gbl&rnum=1
0
 
LVL 1

Author Comment

by:Suburb-Man
ID: 9725635
Thanks all,

     I do have windows (critical) autoupdate enabled and Error/Crash reporting, but I didn't know I had search companion installed/enabled. I'll confirm.

To jman1980, always good to check all posibilities, but since it is going to MS's site the only kind of virus/trojan I can think of is a traffic jammer type; DOS attack or the like. Since it is only once per opening explorer.exe, it is ligitimate.

I am torn at deciding solution: clearly Kenneniah answered my question, but sramesh2k told be about changing the setting.  Both are important. What is it and what to do about it. I should open another question ask what to do about it and let sramesh2k reply and then give answer and points. Yes that is what I'll do.
See: "Modifing Search Assistant sa.windows.com explorer.exe"
http://www.experts-exchange.com/Operating_Systems/WinXP/Q_20794784.html

Thanks again.
0
 
LVL 24

Expert Comment

by:Kenneniah
ID: 9725932
You are welcome and thanks for the points! In the future if you feel 2 people have helped you can split points between them instead of posting another question
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

Can I legally transfer my OEM version of Windows to another PC?  (AKA - Can I put a new systemboard in my OEM PC?) Few of us are both IT and legal experts but we all have our own views of Microsoft's licensing rules and how they apply.  There are…
Issue: Unstable cursor in Windows XP and Windows runs extremely slow in that any click will bring up the Hour glass (sometimes for several seconds before giving you what you want) . Troubleshooting Process and the FINAL FIX: This issue see…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now