Windows 10 silently establishing connections to host at hk2-dspcdn to download random data

[Windows Central Question]

Hi,
Last night I just noticed my Internet connection was slow while trying to play a game and watching some youtube videos. At first I thought it was my ISP, but then I closed all the open applications and while monitoring my network using (resmon), the PC was still downloading data while everything was turned off!

A quick netstat with:
netstat -a | find "EST"

Shows about 10 connections being made to this host:
hk2-dspcdn

A quick google shows this is owned by Microsoft.
Has anyone else experience this?
Does anyone know why Windows 10 is retrieving data silently from this host, it's not a trivial amount either, I logged about 2GB of downloads?

And yes I've got all automatic updates turned off, as well as allow update p2p sharing turned off.

Thanks.

 

[xandros9]

Hmm if everything you say is true, I am intrigued by this.
Over what span of time was the 2 GB pulled?

Perhaps it was app auto-updates? Or maybe it was Windows 10 being extra stubborn and getting updates anyway. Got any more details actually about what build of 10 it is?

 

[Shad Dovv]

Hi,
I'm the OP of this topic, I just made an account so I can reply properly.
Tonight it happened again, so this time I made sure to log everything and took screen shots.

See attached files.
In summary within a 12 minute span network seems to have downloaded roughly 1.5GB with me literally doing nothing and just leaving the PC running, no browsers opened all apps closed.

I'm running Windows 10 Pro. Version 1607, OS Build 14393.351

Tonight something else odd happened, where connections where established to a bunch random hosts looking like IP addresses range from AKAMAI Technologies which is even more weird.

As said previously auto updates and p2p update sharing is also set to off.

 

[Palm_forlackofchoice]

I have noticed slowdowns too and just dismissed it as virus or windows defender at work.

 

[Shad Dovv]

This is more of a network slow down not so much PC slow down, so I don't think Windows Defender has anything to do with it.
Virus, possibly. But not likely because I don't do anything on this PC apart from playing some games from time to time.
What's cause for concern is all the external addresses seem to originate from a Microsoft host.

It's either Windows is not obeying the do not auto download update setting, or Windows 10 is doing something else weird here in the background and not letting users know about it.

 

[Shad Dovv]

Anybody else seen this happening on their Windows 10 system lately?

 

[Shad Dovv]

Just an update.
I've just literally booted up my PC and already these are the number of connections it's already established.
And this is without me even turning anything on yet.

TCP 10.1.1.8:49690 40.112.210.171:http ESTABLISHED
TCP 10.1.1.8:49692 a23-2-3-102:http ESTABLISHED
TCP 10.1.1.8:49694 a-0001:https ESTABLISHED
TCP 10.1.1.8:49695 a-0001:https ESTABLISHED
TCP 10.1.1.8:49696 a23-58-241-38:https ESTABLISHED
TCP 10.1.1.8:49697 bn3sch020010530:https ESTABLISHED
TCP 10.1.1.8:49698 a-0001:https ESTABLISHED
TCP 10.1.1.8:49699 a23-8-101-71:http ESTABLISHED
TCP 10.1.1.8:49700 a23-58-154-156:https ESTABLISHED
TCP 10.1.1.8:49701 a23-8-101-71:https ESTABLISHED
TCP 10.1.1.8:49705 8.36.113.137:https ESTABLISHED
TCP 10.1.1.8:49706 a23-37-151-185:http ESTABLISHED
TCP 10.1.1.8:49710 justgetflux:https ESTABLISHED
TCP 10.1.1.8:49735 a125-56:http ESTABLISHED
TCP 10.1.1.8:49736 a125-56:http ESTABLISHED
TCP 10.1.1.8:49737 a125-56:http ESTABLISHED
TCP 10.1.1.8:49738 a125-56:http ESTABLISHED
TCP 10.1.1.8:49739 a125-56:http ESTABLISHED
TCP 10.1.1.8:49740 8.36.113.137:https ESTABLISHED
TCP 10.1.1.8:49741 8.36.113.137:https ESTABLISHED
TCP 127.0.0.1:49709 hk2sch130021833:49722 ESTABLISHED
TCP 127.0.0.1:49709 hk2sch130021833:49723 ESTABLISHED
TCP 127.0.0.1:49709 hk2sch130021833:49730 ESTABLISHED
TCP 127.0.0.1:49709 hk2sch130021833:49731 ESTABLISHED
TCP 127.0.0.1:49709 hk2sch130021833:49732 ESTABLISHED
TCP 127.0.0.1:49709 hk2sch130021833:49733 ESTABLISHED
TCP 127.0.0.1:49709 hk2sch130021833:49734 ESTABLISHED
TCP 127.0.0.1:49722 hk2sch130021833:49709 ESTABLISHED
TCP 127.0.0.1:49723 hk2sch130021833:49709 ESTABLISHED
TCP 127.0.0.1:49730 hk2sch130021833:49709 ESTABLISHED
TCP 127.0.0.1:49731 hk2sch130021833:49709 ESTABLISHED
TCP 127.0.0.1:49732 hk2sch130021833:49709 ESTABLISHED
TCP 127.0.0.1:49733 hk2sch130021833:49709 ESTABLISHED
TCP 127.0.0.1:49734 hk2sch130021833:49709 ESTABLISHED

Note, I've rerouted the host hk2sch130021833 to go to 127.0.0.1 using the system's host file because I noticed most of the network traffic load was connecting to this host. I've resorted to doing this otherwise the network load would become unusable.