Windows Troubleshooter Guide/Network Location Awareness

Windows computers have a system for detecting internet connectivity known as Network Location Awareness (NLA). It controls many aspects of how Windows categorizes internet connections, such as whether to assign networks as private or public.^[1] When you adjust firewall setting based on whether the network is "private" and "public", the definition of private and public is whether or not your network is currently connected to a network you define as private or public.^[2]

Network Location Awareness also has the ability to check and alert you whenever you are connected to the internet through a task force called Network Connectivity Status Indicator (NCSI). NCSI itself is an API for other programs to use when they need to know how good your internet connection is^[3].

But since Network Connectivity Status Indicator is itself an API, how the software detects whether you have internet connectivity is not exposed and can thus be hidden. However, a simple test can show what NCSI can do to check your internet connection^[4]. Here is the method below:

1. Check for website connection
   1. NCSI looks up www.msftncsi.com using your DNS.
   2. If the HTTP response header has a 200 OK status code, then it requests http://www.msftncsi.com/ncsi.txt^[5]. Note that if you go to that url, the text file reads "Microsoft NCSI".
2. Check for DNS connection
   1. Also, NCSI does a check for the existence of dns.msftncsi.com through your DNS.
   2. If it exists, then NCSI checks whether the IP is 131.107.255.255.
   3. If there is any problem in either getting a response for the DNS lookup or the IP doesn't match, the internet is assumed to have an issue.
   4. If the error dns_probe_finished_bad_config then try to get a static ip using vpn or contacting your internet service provider.^[7]
3. Check for IPv6 connection
   1. Similar, but dns.msftncsi.com is expected to resolve to fd3e:4f5a:5b81::1, and in HTTP test www is changed to ipv6 in text file URL.

If #2 works and #1 fails (the definition of fails is if there isn't a response or a redirect), then Windows alerts you that some kind of authentication might be blocking your internet connectivity (like a need to sign-in before using the internet) ^[4].

If #2 fails (the definition of fails is if there isn't a response [resolution failure] or the wrong address is returned), then Windows alerts you that you have no internet connection ^[4].

Note that sometimes, you might get a yellow warning sign/exclamation mark indicating that you have no internet, yet can connect fine. In this case, judging by the above cases, it should mean that #2 failed but #1 works.

The configuration parameters for NCSI uses the Registry. The key is located at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet. The list of the typical values are here

As you can see, changing the data of the name will change the behavior of what NCSI does. For example, changing ActiveWebProbeHost will change what website it will check. EnableActiveProbing is a boolean value that, if set to 0, turns off NCSI. Any other value turns it on. The last three names, PassivePollPeriod; StaleThreshold; and WebTimeout, have no predictable effect on the system ^[4].

As a side note, on the Microsoft documentation page describe how NCSI works, they mention that

IIS logs are stored on the server at www.msftncsi.com. These logs contain the time of each access and the IP address recorded for that access. These IP addresses are not used to identify users, and in many cases, they are the address of a network address translation (NAT) computer or proxy server, not a specific client behind that NAT computer or proxy server^[6].

1. ↑ "Network Location Awareness". TechNet. Microsoft Docs. Retrieved 2021-10-22.
2. ↑ MichaelPlatts [msft] (2010-09-08). "Network Location Awareness (NLA) and how it relates to Windows Firewall Profiles". Networking Blog. TechNet Blogs. Archived from the original on 2017-11-05.
3. ↑ "Network Awareness in Windows Vista and Windows 7". Microsoft Docs. Microsoft. Retrieved 2021-10-22.
4. ↑ ^{a b c d} MichaelPlatts. "Windows 7 Network Awareness: How Windows knows it has an internet connection". superuser community blog. StackExchange. Retrieved 01/11/2016. {{cite web}}: Check |authorlink= value (help); Check date values in: |accessdate= (help); External link in |authorlink= (help)
5. ↑ Changed to http://www.msftconnecttest.com/connecttest.txt in Windows 10 build 1607 (Anniversary Update), new text file reads "Microsoft Connect Test"
6. ↑ "Appendix K: Network Connectivity Status Indicator and Resulting Internet Communication in Windows Vista". TechNet. Microsoft. Retrieved 2021-10-22. Encryption and storage: NCSI does not use encryption (both the requests it sends and the responses it receives are standardized, as shown in the table earlier in this subsection). IIS logs are stored on the server at www.msftncsi.com. These logs contain the time of each access and the IP address recorded for that access. These IP addresses are not used to identify users, and in many cases, they are the address of a network address translation (NAT) computer or proxy server, not a specific client behind that NAT computer or proxy server.