Why would ipconfig.exe try to access the internet - without me running the command? Is the PC/Router being attacked?

Today when I started my PC Norton Internet Security 2005 was not running. I switched off the router immediately. Norton said NIS needed activating - I was suspicious because I had renewed the subscription a couple of weeks ago with no problems and everything has been running fine.

The PC (Standalone - Windows XP Professional) is kept up to date with all the virus and spyware tools (Norton, Spybot, Adaware, AOL).

I switched the router back on and activated (again!); everything now seems OK. I did a Symantec and Shields Up scan and came out perfect (I am paranoid!). I then checked the Norton firewall log and I had the following from earlier in the day: -

"An instance of "C:\windows\system32\ipconfig.exe " is preparing to access the internet"

Why would ipconfig run itself? - it wasn't me! Does this indicate someone was trying to access the router config?

PS: Just lately I have had a lot of file sharing blocked messages - are these related?

Please put my mind at rest or otherwise!


SunBow Commented:
DHCP Ports
bootps           67/tcp    Bootstrap Protocol Server
bootps           67/udp    Bootstrap Protocol Server
bootpc           68/tcp    Bootstrap Protocol Client
bootpc           68/udp    Bootstrap Protocol Client
It generally should not, but it is more informative with more options these days. I just checked mine, and all data is what should be local. If you did not do it, do you have anyone else? For minimum packet attempts, my best guess is it is attempting to renew a DHCP lease. How old is yours?
C:\>ipconfig /?

    ipconfig [/? | /all | /renew [adapter] | /release [adapter] |
              /flushdns | /displaydns | /registerdns |
              /showclassid adapter |
              /setclassid adapter [classid] ]

    adapter         Connection name
                   (wildcard characters * and ? allowed, see examples)

       /?           Display this help message
       /all         Display full configuration information.
       /release     Release the IP address for the specified adapter.
       /renew       Renew the IP address for the specified adapter.
       /flushdns    Purges the DNS Resolver cache.
       /registerdns Refreshes all DHCP leases and re-registers DNS names
       /displaydns  Display the contents of the DNS Resolver Cache.
       /showclassid Displays all the dhcp class IDs allowed for adapter.
       /setclassid  Modifies the dhcp class id.

The default is to display only the IP address, subnet mask and
default gateway for each adapter bound to TCP/IP.

For Release and Renew, if no adapter name is specified, then the IP address
leases for all adapters bound to TCP/IP will be released or renewed.

For Setclassid, if no ClassId is specified, then the ClassId is removed.

    > ipconfig                   ... Show information.
    > ipconfig /all              ... Show detailed information
    > ipconfig /renew            ... renew all adapters
    > ipconfig /renew EL*        ... renew any connection that has its
                                     name starting with EL
    > ipconfig /release *Con*    ... release all matching connections,
                                     eg. "Local Area Connection 1" or
                                         "Local Area Connection 2"


Louverril (Author) Commented:
Thank you Sunbow,

Yes I think it was probably trying to renew a lease - I can't be certain (the PC and router get turned off often twice a day) but I have been switching off the router and the PC and turning them on at the same time. This behaviour could have caused it to ask for a new lease - if the PC got there first??

Best regards, Lou

From Dos prompt should give the start time of lease, near the bottom of the list. Leases often requested by any MS Windows at reboot. DHCP packets, OTOH are ever few and far between no matter what anyone else says about it - it is negligible traffic. So when you get a lot of 'hits' it should be something else being the cause.
Louverril (Author) Commented:
Thanks Sunbow,

Tried this and the lease was obtained today when I switched on and it says it expires 24 hours from then. So it looks like it was Windows requesting a new lease.

Best regards
While you are at it, you might take last look at IpConfig and jot down the other packets needing to get through, in particular to the DNS servers (3), so that you can ensure all have a pathway through the routing filters and any firewalls. If you haven't yet, you might want to ping one just to see how that might get logged.

Ping -a <IpAddress>

- 'should' return the name of the server <IpName>
Question has a verified solution.
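
The check the thread settles on (compare the time of the firewall alert with the lease times reported by `ipconfig /all`) can be scripted. This is an added example, not part of any post above; the sample output, the five-minute window and the function names are constructed assumptions.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed sample of `ipconfig /all` output (Windows XP layout); not from the thread.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.2
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        Lease Obtained. . . . . . . . . . : Monday, March 14, 2005 8:02:11 AM
        Lease Expires . . . . . . . . . . : Tuesday, March 15, 2005 8:02:11 AM
"""

TIME_FORMAT = "%A, %B %d, %Y %I:%M:%S %p"  # assumes an English (US) locale


def parse_fields(text):
    """Map each 'Label . . . : value' line to {label: value}."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z ]*?)[ .]*: (.+)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def triage_alert(ipconfig_text, alert_time, window=timedelta(minutes=5)):
    """Return (verdict, reasons) for an 'ipconfig.exe is accessing the internet' alert."""
    f = parse_fields(ipconfig_text)
    reasons = []
    if f.get("Dhcp Enabled") != "Yes":
        reasons.append("adapter is not a DHCP client")
    server = f.get("DHCP Server")
    if server is None or not ip_address(server).is_private:
        reasons.append("DHCP server is missing or not on the local network")
    obtained = f.get("Lease Obtained")
    if obtained is None:
        reasons.append("no lease timestamp")
    elif abs(datetime.strptime(obtained, TIME_FORMAT) - alert_time) > window:
        reasons.append("alert does not coincide with the lease being obtained")
    verdict = "investigate further" if reasons else "consistent with DHCP lease renewal"
    return verdict, reasons


if __name__ == "__main__":
    print(triage_alert(SAMPLE_IPCONFIG, datetime(2005, 3, 14, 8, 3, 0)))
```

An alert that lands hours away from the lease time, or a DHCP server outside the local address range, is the case where the thread's "it should be something else" applies.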
