Clients tried to access other machines' file shares unexpectedly

Hi MS,

I have a problem here. I found some clients tried to access the file share allocated on my laptop when I used Network Monitor on my machine. From the Network Monitor trace, I found the source IP. Then I tried to troubleshoot on the client with the source IP. I certainly saw it was sending SMB requests to my machine. I went on troubleshooting, hoping to find which process initiated the request. Unfortunately, I found no information about the SMB connection request in the Process Monitor logs. Finally, I tried to use Process Explorer to monitor the TCP/IP connections from the live screen. I could see the System process with PID 4 initiated the SMB requests unexpectedly. It also sent the request to other machines.

172.17.100.63 is source IP

172.17.100.224 is my laptop IP.

TCP    172.17.100.63:1054     172.17.100.224:445     FIN_WAIT_2      4   [System]  

TCP    172.17.100.63:1133     172.17.100.210:445     FIN_WAIT_2      4   [System]  

TCP    172.17.100.63:4951     172.17.100.226:445     FIN_WAIT_2      4   [System]  

TCP    172.17.100.63:4983     172.17.100.233:445     FIN_WAIT_2      4   [System]  

TCP    172.17.100.63:4995     172.17.100.202:445     FIN_WAIT_2      4   [System]

I know there are many sub-processes under the System process and we can use tasklist /svc to see them.

I also know how to isolate them into many separate ones.

But there are so many processes and it is impossible to isolate all of them under the System process.

Can anybody let me know why the clients tried to access other machines' file shares?

I already tried a clean boot and uninstalling third-party applications.

Please let me know how to go on troubleshooting this issue. Is it a by-design behavior on Windows clients?


  • Edited by Rene YI 22 hours 39 minutes ago add info
September 10th, 2015 4:59am
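An added example, not part of the original post or of any Microsoft tool: a Python sketch that parses connection lines in the format quoted above and flags a source that reaches several distinct hosts on TCP 445. The function names, the threshold of 3 and the extra port-80 line in the sample are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Sample input: the five connection lines quoted in the post, plus one
# constructed non-SMB line (port 80, PID 2312) to show the port filter.
SAMPLE = """\
TCP    172.17.100.63:1054     172.17.100.224:445     FIN_WAIT_2      4   [System]
TCP    172.17.100.63:1133     172.17.100.210:445     FIN_WAIT_2      4   [System]
TCP    172.17.100.63:4951     172.17.100.226:445     FIN_WAIT_2      4   [System]
TCP    172.17.100.63:4983     172.17.100.233:445     FIN_WAIT_2      4   [System]
TCP    172.17.100.63:4995     172.17.100.202:445     FIN_WAIT_2      4   [System]
TCP    172.17.100.63:5010     172.17.100.10:80       ESTABLISHED     2312 [browser.exe]
"""

LINE_RE = re.compile(
    r"^\s*TCP\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<state>\S+)\s+(?P<pid>\d+)"
    r"(?:\s+\[(?P<name>[^\]]+)\])?"
)

def parse_connections(text):
    """Turn connection-table text into a list of dicts, skipping other lines."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows

def smb_fanout(rows, port=445, threshold=3):
    """Map (source IP, owning PID) to the sorted distinct destinations it
    contacted on `port`, keeping only sources at or above `threshold`
    (an assumed cut-off; tune it to the environment)."""
    peers = defaultdict(set)
    for r in rows:
        if int(r["dport"]) == port:
            peers[(r["src"], int(r["pid"]))].add(r["dst"])
    return {k: sorted(v) for k, v in peers.items() if len(v) >= threshold}

if __name__ == "__main__":
    # SMB client traffic is sent by the kernel-mode redirector, so the owner
    # is reported as System (PID 4); the PID column cannot name the caller.
    for (src, pid), dsts in smb_fanout(parse_connections(SAMPLE)).items():
        print(f"{src} (PID {pid}) -> {len(dsts)} hosts on 445: {', '.join(dsts)}")
```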

Hi Rene,

Thank you for your question.

For this issue, we suggest you log in on the PC which is 172.17.100.63 to check if a user accesses your shared folder. This issue could be caused by the PC which is 172.17.100.63.

If third-party software is found, uninstall it, then rebuild the profile to check if the issue persists. We could also rebuild the Windows profile on the PC which is 172.17.224 to check if the issue persists.

In addition, check if there are any viruses on those PCs.

If there are any questions regarding this issue, please feel free to let me know.

Best Regards,

Jim
September 11th, 2015 3:10am

This topic is archived. No further replies will be accepted.
