I have GlassWire installed on my PC to monitor network connections, and I regularly use a VPN. Lately, I’ve been noticing that the NT Kernel & System is uploading data to various local and non-local IP addresses, including my phone and my computer’s IP on my home LAN and VPN LAN. It’s also making connections to public IP addresses owned by Microsoft and Google, but what concerns me most is that it’s connecting to the IP addresses of VPN servers that I had connected to earlier in the same or previous day. Sometimes, it’s connecting to all 300 VPN servers my provider has.
I’m curious as to why this is happening. Does anyone know the actual purpose of the “NT Kernel & System”? Could this be some telemetry function, or less likely, malicious events? I’m worried that it’s logging all these IP addresses somewhere. If someone more knowledgeable than myself could inform me about the function of this program, I would be appreciative.
3 Answers
The behavior you are observing is a normal occurrence during network discovery, specifically through the Simple Service Discovery Protocol (SSDP), as indicated in the full name. In the case of a VPN, a network is created that acts much like a local network, prompting Windows to periodically send out discovery messages to verify the status of known computers, as well as locate new devices, computers, and services.
The IP address displayed as "224.0.0.252" is used for Link-Local Multicast Name Resolution (LLMNR), which enables network discovery.
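The following is an added example, not part of the answer above or of any tool mentioned in the thread: a way to sort destinations exported from a connection monitor into discovery traffic, LAN/VPN-local unicast, and public unicast. The LLMNR address comes from the answer. The SSDP, mDNS and NetBIOS values are the standard well-known ones, and the local subnets and sample rows are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Well-known discovery destinations: (address, UDP port) -> protocol.
DISCOVERY = {
    ("224.0.0.252", 5355): "LLMNR",      # address cited in the answer
    ("ff02::1:3", 5355): "LLMNR",        # IPv6 LLMNR group
    ("239.255.255.250", 1900): "SSDP",
    ("224.0.0.251", 5353): "mDNS",
    ("ff02::fb", 5353): "mDNS",
}
NETBIOS_NS_PORT = 137  # NetBIOS name queries go to the subnet broadcast address


def classify(dst, port, local_nets):
    """Label one (destination, port) pair seen in a connection monitor."""
    ip = ipaddress.ip_address(dst)
    proto = DISCOVERY.get((str(ip), port))
    if proto:
        return "discovery:" + proto
    if ip.is_multicast:
        return "multicast:other"
    for net in local_nets:
        if ip.version == net.version and ip in net:
            if ip == net.broadcast_address and port == NETBIOS_NS_PORT:
                return "discovery:NetBIOS-NS"
            return "local-unicast"
    # Anything left is either globally routable or a reserved/private range
    # that is not one of the subnets this host is attached to.
    return "public-unicast" if ip.is_global else "non-routable"


def summarize(rows, local_nets):
    """Count destinations per label so unexplained unicast stands out."""
    return Counter(classify(dst, port, local_nets) for dst, port in rows)


# Constructed sample: home LAN and VPN LAN subnets are assumptions.
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24"),
              ipaddress.ip_network("10.8.0.0/24")]
SAMPLE = [
    ("224.0.0.252", 5355), ("239.255.255.250", 1900), ("192.168.1.255", 137),
    ("192.168.1.23", 445), ("10.8.0.1", 53), ("8.8.8.8", 443), ("224.0.0.22", 0),
]

if __name__ == "__main__":
    for label, count in sorted(summarize(SAMPLE, LOCAL_NETS).items()):
        print(f"{count:3d}  {label}")
```

Rows labelled `public-unicast` are the ones that multicast discovery does not explain and are worth tracing to the owning process or service.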