Every now and then, I fire up the excellent (and free and portable) CurrPorts program by Nir Sofer. It shows the currently opened TCP and UDP ports on a Windows computer. Without a good background in networking, there can be too much information. The image below is a sample of the output it creates (there is more than fits on a screen). For a full size screen shot click here.

Sample output from CurrPorts

On a Windows 10 computer, CurrPorts often shows that Cortana, the Microsoft search engine, has phoned home (so to speak). The screen shot below shows 11 instances of SearchUI.exe (which is part of Cortana) connecting to computers, all seemingly owned and operated by Microsoft. This screen shot was an instant in time, it is not a log file. Despite the fact that Cortana was not being actively used, it had 11 connections to the outside world.

Cortana phoning home

I always try to lock down Cortana as much the User Interface allows. For example, on the computer in question: Cortana Settings -> Permissions and History -> everything is off. From there, the Manage the information Cortana can access from this device -> everything is OFF. It is not configured to allow talking to Cortana. Cortana notifications are off. Even in the Edge browser, Cortana is not allowed to assist (Edge -> Settings -> View advanced settings -> Have Cortana assist me in Microsoft Edge is OFF). But, my lockdown attempts have not been enough to prevent frequent contact between Cortana and the Microsoft home office. Windows 10 is infamous for privacy invasion and not being able to keep Cortana from phoning home is part of that infamy.

Below are the full details of one of the 11 connections.

Details of one Cortana connection

I had noticed Cortana phoning home before, and tweeted about it back in July, but today there were too many connections to ignore. Enough is enough. You really have to wonder, what is Cortana telling Microsoft about a computer that it needs 11 different servers to handle the load?

Based on my brief monitoring, here is the list of IP addresses that I have seen Cortana (SearchUI.exe) connect to:

I don't know how many different IP addresses Cortana phones home to. For that, I would need to log each outbound connection it makes and maintain that log for a quite a while. I am not sure that I'll go that far, but if I did, I would use another program from Nir Sofer, TcpLogView.

For now, the outbound firewall rules in my router block all these Microsoft IP addresses and Windows 10 machines on my home network are a bit more private. Doing this, however, requires a router that supports outbound firewall rules and not many do.

Below is a screen shot of the firewall rules, configured in my Pepwave Surf SOHO to block Cortana from phoning home. The column headings are cut off, but the first two columns of "Any" mean that the rule applies to any computer connected to the router.

Outbound Firewall rules to block Cortana (Updated Sept 12,2018)

Most rules block a single IP address but there are two exceptions. The last rule blocks any IP address that starts with 204.79.197 and, the first rule blocks any IP address that starts with 13.107. It may well be that these two rules are too broad and that they block IP addresses I may need or want in the future. Since Microsoft is the enemy rather than a friend, I will never know.

September 5, 2018: (updated Sept. 12, 2018) I was wrong. I did find out, by accident. A Windows 10 computer was unable to load msn.com when the Edge browser started which raises two issues. First, why was it trying to load msn.com at all? The browser was configured to start up with a new tab page and new tabs were configured to be blank pages. Nonetheless, the browser tries to access msn.com. See a screen shot of the error message. It is wrong about the temporary DNS error, that was not the problem. Then, it turned out that no web browser on the machine could load anything at msn.com. A ping to www.msn.com returned an IP address of 204.79.197.203 which one of the above firewall rules blocked. I can live without msn.com.

- - - - UPDATES - - - - - - - - - - - - -

September 4, 2018. Found Cortana phoning home to another IP address 104.97.101.128 (a104-97-101-128.deploy.static.akamaitechnologies.com) and added it to the table of IP addresses.

Someone was nice enough to point me to this article Manage Windows 10 connection endpoints which discusses the various outgoing connections Windows 10 makes. It is domain name oriented so it does not lend itself to the program I am using which reports IP addresses rather than domain names. Another similar source is Windows 10, version 1709, connection endpoints for non-Enterprise editions. And this article Manage connections from Windows operating system components to Microsoft services has some great advice on containing Cortana that I will have to give a try.

September 5, 2018. Found Cortana phoning home to two more IP address: 52.84.74.109 (server-52-84-74-109.atl52.r.cloudfront.net) and 191.239.160.12 (Microsoft in Australia) and added them both to the table of IP addresses shown above and my firewall rules. Also added more details on all the Cortana configuration options that are disabled.

September 12, 2018. Updated the screen shot of firewall rules to include the recently observed IP addresses. And, this list seems to be complete. My testing was neither extensive nor exhaustive, but with the rules enabled, there were no connections made by SearchUI.exe on three different Windows 10 machines. With the rules disabled, Cortana did make connections to the outside world. I tested using TcpLogView by Nir Sofer. Rather than a snapshot at a specific point in time, it logs every connection a Windows computer makes to the outside world. Next up, I hope to test the suggestions in the articles mentioned above. But, even if they work as advertised, they only block Cortana on a single Windows 10 computer. Blocking in the router works for all Windows 10 computers connected to the router. On the other hand, for laptops, the suggestions in these articles block a single PC as it roams from router to router. Every coin has two sides. And, added image of Edge browser error message.

September 12, 2018: Yet another IP address detected, 23.62.16.93 on port 443. Its name is a23-62-16-93.deploy.static.akamaitechnologies.com. Modified the table of IP addresses above.

September 13, 2018: Yet another IP address detected, 40.117.133.21 on port 443. It seems to be Microsoft in Virginia. I modified the table of IP addresses above, but not the firewall screen shot.

September 14, 2018: Why does the Cortana executable, SearchUI.exe, live in this folder
   C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\
Could it be that using a random folder name is an attempt to get around firewall blocking rules? That is, when Windows 10 is updated, perhaps Microsoft generates a new folder name for the new version of SearchUI.exe? Its hard to imagine any other reason for the seemingly random characters in the folder name. I will have to check some other Windows 10 machines to see what their folder name is ...

September 24, 2018: Another downside to blocking these IP addresses, is that it prevents Windows Update on Windows 7 from running as I discovered in my next blog. Not a big deal, connecting through a VPN bypasses all controls in the router.

October 6, 2018: Now that the new release of Windows 10 (1809) was found to delete personal files and had to be withdrawn, the ability to block Windows Update is more important. David Redekop wrote on twitter that blocking IP addresses is a sub-optimal way to block Windows Update. Quoting: "Blocking by originating FQDN is more effective and requires little continued hunting. Blocking by IP is a never-ending hunt, not to mention it highly varies by geography... also includes blocking of their services that use shared Akamai CDN endpoints." A list of domains used by Windows Update is here Manage Windows 10 connection endpoints.

November 5, 2018: In retrospect, blocking Cortana using the Windows Firewall is probably a better approach. The down side is that it applies to just one computer rather than an entire network. The upside is that it can't be bypassed by connecting to Tor or a VPN. Another downside is that the user interface for the Windows firewall is awful. Still, if I get a chance, I'll look into it...