
On a locked-down Windows 7 test box on a completely isolated test network, I could account for every incoming and outgoing attempted network connection.

Then I temporarily installed the PortableApps.com version of SRWare's Iron web browser, used it to connect to a single known site on the internet, and then uninstalled it. If you're not familiar, Iron is a Chromium-based web browser similar to Google Chrome, but with an array of Google's undesirable code removed.

After doing this, Windows' svchost.exe regularly tried to connect to port 443 of a Google-owned IP address (34.104.35.123) via TCP. That connection was blocked by the Windows Filtering Platform (WFP). Interestingly, it was blocked by a default system filter, not a user filter. In other words, the filter blocking that connection did not appear in the Windows Firewall list of filters, but did appear in wfpstate.xml generated by netsh.exe wfp show filters.

After the connection attempt to port 443 was blocked, a TCP connection to port 80 on the same IP address was attempted. Again, it was blocked by a system filter. This makes sense, as the service was likely first trying a secure connection, then a non-secure connection.

That sequence of connection attempts repeated every 60 seconds.

I rebooted the box, and those exact connection attempts persisted every minute.

After I performed extensive service isolation, I determined the actual service in svchost.exe generating the connection attempts appeared to be Schedule (AKA Task Scheduler).

The box is just a test box that was temporarily placed on a completely isolated test network, so I'm not worried about anything (the box will get reformatted soon enough), but I would like to learn exactly what was going on to further my understanding of the inner workings of Windows.

How can I determine what these unwanted connection attempts are for, and get them to stop?

BTW, my initial hunch was that running Iron resulted in the need for a security certificate to be updated, and Windows was continually trying to update that certificate, even though it no longer really needed to do so. But if this is the case, I don't understand why such connections would be blocked. I created Windows Firewall rules to allow that specific traffic, but the invisible default system-level firewall filters continued to block the connection attempts.
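Since the interesting filter is only visible in the netsh XML export, one practical check is to pull every WFP filter whose remote-address condition covers the IP in question out of that export and list its layer, sublayer, provider, weight and action. The script below is an added example, not code from the question or from any Microsoft tool. The element names (filterKey, displayData/name, layerKey, subLayerKey, filterCondition, conditionValue, FWP_UINT32, FWP_V4_ADDR_MASK and so on) are my recollection of the wfpstate.xml layout and are an assumption to verify against a real export; the embedded XML is a constructed sample with made-up filter keys and a placeholder provider key, not data from the asker's box.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a netsh wfp XML export (assumed element
# names; keys, names and the provider GUID are placeholders, not real values).
SAMPLE_WFPSTATE = """<wfpstate><layers><item>
<layer><layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey></layer>
<filters>
<item><filterKey>{11111111-1111-1111-1111-111111111111}</filterKey>
 <displayData><name>Allow 34.104.35.123 (user rule, constructed)</name></displayData>
 <providerKey>FWPM_PROVIDER_MPSSVC_WF</providerKey>
 <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
 <subLayerKey>FWPM_SUBLAYER_MPSSVC_WF</subLayerKey>
 <weight><type>FWP_UINT8</type><uint8>10</uint8></weight>
 <filterCondition><numItems>1</numItems>
  <item><fieldKey>FWPM_CONDITION_IP_REMOTE_ADDRESS</fieldKey><matchType>FWP_MATCH_EQUAL</matchType>
   <conditionValue><type>FWP_UINT32</type><uint32>0x2268237b</uint32></conditionValue></item>
 </filterCondition>
 <action><type>FWP_ACTION_PERMIT</type></action></item>
<item><filterKey>{22222222-2222-2222-2222-222222222222}</filterKey>
 <displayData><name>Block 34.104.0.0/16 tcp/443 (system filter, constructed)</name></displayData>
 <providerKey>{placeholder-system-provider-guid}</providerKey>
 <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
 <subLayerKey>FWPM_SUBLAYER_UNIVERSAL</subLayerKey>
 <weight><type>FWP_UINT8</type><uint8>15</uint8></weight>
 <filterCondition><numItems>2</numItems>
  <item><fieldKey>FWPM_CONDITION_IP_REMOTE_ADDRESS</fieldKey><matchType>FWP_MATCH_EQUAL</matchType>
   <conditionValue><type>FWP_V4_ADDR_MASK</type>
    <v4AddrMask><addr>0x22680000</addr><mask>0xffff0000</mask></v4AddrMask></conditionValue></item>
  <item><fieldKey>FWPM_CONDITION_IP_REMOTE_PORT</fieldKey><matchType>FWP_MATCH_EQUAL</matchType>
   <conditionValue><type>FWP_UINT16</type><uint16>443</uint16></conditionValue></item>
 </filterCondition>
 <action><type>FWP_ACTION_BLOCK</type></action></item>
<item><filterKey>{33333333-3333-3333-3333-333333333333}</filterKey>
 <displayData><name>Unrelated 10.0.0.1 filter (constructed)</name></displayData>
 <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
 <subLayerKey>FWPM_SUBLAYER_MPSSVC_WF</subLayerKey>
 <weight><type>FWP_UINT8</type><uint8>10</uint8></weight>
 <filterCondition><numItems>1</numItems>
  <item><fieldKey>FWPM_CONDITION_IP_REMOTE_ADDRESS</fieldKey><matchType>FWP_MATCH_EQUAL</matchType>
   <conditionValue><type>FWP_UINT32</type><uint32>0x0a000001</uint32></conditionValue></item>
 </filterCondition>
 <action><type>FWP_ACTION_BLOCK</type></action></item>
</filters></item></layers></wfpstate>"""


def _network_from_condition(value):
    """Turn a remote-address conditionValue into an ip_network, or None if unsupported."""
    vtype = value.findtext("type")
    if vtype == "FWP_UINT32":                      # single IPv4 address, hex or decimal
        return ipaddress.ip_network(int(value.findtext("uint32"), 0))
    if vtype == "FWP_V4_ADDR_MASK":                # IPv4 address plus netmask
        am = value.find("v4AddrMask")
        addr = ipaddress.ip_address(int(am.findtext("addr"), 0))
        mask = ipaddress.ip_address(int(am.findtext("mask"), 0))
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return None                                    # IPv6 and range values are not handled here


def filters_affecting(xml_text, remote_ip):
    """Return filters whose remote-address condition covers remote_ip.

    Filters with no remote-address condition at all apply to every address,
    so they are returned too, with scope 'any'. Filters using a value or match
    type this script does not understand are skipped rather than guessed at.
    """
    target = ipaddress.ip_address(remote_ip)
    hits = []
    for item in ET.fromstring(xml_text).iter("item"):
        if item.find("filterKey") is None:         # layer containers and conditions are <item> too
            continue
        scope, applies = "any", True
        for cond in item.iterfind("filterCondition/item"):
            if cond.findtext("fieldKey") != "FWPM_CONDITION_IP_REMOTE_ADDRESS":
                continue
            net = _network_from_condition(cond.find("conditionValue"))
            if net is None or cond.findtext("matchType") != "FWP_MATCH_EQUAL":
                applies = False
            else:
                applies, scope = target in net, str(net)
            break
        if applies:
            hits.append({
                "key": item.findtext("filterKey"),
                "name": item.findtext("displayData/name"),
                "layer": item.findtext("layerKey"),
                "sublayer": item.findtext("subLayerKey"),
                "provider": item.findtext("providerKey") or "(none)",
                "weight": int(item.findtext("weight/uint8") or 0),
                "action": item.findtext("action/type"),
                "scope": scope,
            })
    return hits


if __name__ == "__main__":
    # Against a real box: replace SAMPLE_WFPSTATE with open("wfpstate.xml").read()
    for h in filters_affecting(SAMPLE_WFPSTATE, "34.104.35.123"):
        print(f"{h['action']:<18} w={h['weight']:<3} {h['sublayer']:<28} {h['provider']:<36} {h['scope']:<18} {h['name']}")
```

Run against a real export, the filters carrying the Windows Firewall's own provider and sublayer (FWPM_PROVIDER_MPSSVC_WF / FWPM_SUBLAYER_MPSSVC_WF, as far as I know) are the ones the firewall UI shows; a blocking filter that turns up under a different provider or sublayer is the kind of "invisible" system filter described in the question, and its provider key is the first clue to which component installed it.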

1 Answer


The IP address 34.104.35.123 is said to belong to YouTube, but I'm not sure this is correct.

The address belongs to the domain edgedl.me.gvt1.com.

In the article What are these suspicious Google GVT1.com URLs? this is described as:

The domains *.gvt1.com and *.gvt2.com, along with their subdomains, are owned by Google and typically used to deliver Chrome software updates, extensions, and related content.

Your suspicion seems to be right, and this is a remnant from the Iron web browser installation.

I would try to reinstall Iron and also Revo Uninstaller Free, then use Revo to uninstall Iron. Revo does a good job of chasing down all the left-overs.

You could also use tools such as:

harrymc