Secret Windows Update Check?


NoelC


In the past day I've observed my Windows 7, 8.1, and 10 systems all doing something uncommon:

My firewall blocked all these systems from communicating with ctldl.windowsupdate.com.  Specifically, it's Explorer.exe doing the trying. Normally I do not see these different systems all do something similar like this at nearly the same time, and Explorer.exe only VERY rarely communicates online. Curious, eh?

I have everything set as manual as possible on all three of these systems. Beyond the WU settings, I have various pro-privacy registry tweaks, the Windows Update service disabled, and of course the firewall in place to block comms that are not explicitly allowed (and without reconfiguration, which I do when requesting updates, Windows Updates are not allowed).

Explorer itself is not normally in the habit of communicating online much at all, which makes these observations stand out.

These are excerpted from my DNS server logs, coincident in time with the windowsupdate.com checks. The other DNS resolutions for the Windows 7, 8.1, and 10 systems around the same times as the ctldl.windowsupdate.com checks are listed in respective order.

DualServer20160419.log:[19-Apr-16 17:55:59] Client 192.168.2.44, crl.microsoft.com A resolved Locally to 23.14.84.171
DualServer20160419.log:[19-Apr-16 17:55:59] Client 192.168.2.44, ctldl.windowsupdate.com A resolved Locally to 96.16.98.112

DualServer20160419.log:[19-Apr-16 23:41:06] Client 192.168.2.32, crl.usertrust.com A resolved from Forwarding Server as 178.255.83.2
DualServer20160419.log:[19-Apr-16 23:41:07] Client 192.168.2.32, ctldl.windowsupdate.com A resolved Locally to 96.16.98.112

DualServer20160420.log:[20-Apr-16 08:31:49] Client 192.168.2.26, ctldl.windowsupdate.com A resolved Locally to 96.16.98.112
DualServer20160420.log:[20-Apr-16 08:31:49] Client 192.168.2.26, ocsp.startssl.com A resolved Locally to 23.14.84.171
DualServer20160420.log:[20-Apr-16 08:31:49] Client 192.168.2.26, www.classicshell.net A resolved from Forwarding Server as 184.168.173.1


I don't think this is triggered by Classic Shell itself, which does do occasional auto-update checks.  It's installed on all my systems, but since only one of them actually checked classicshell.net it may just be a coincidence because those were times the systems were logged-in.

But the unexplained part of the coincidence is that both Classic Shell and whatever else wants to talk to ctldl.windowsupdate.com did so at the same logon, after going more than a month without trying to communicate with anyone.  There's nothing special about April 19/20 as far as I can see, EXCEPT if Microsoft built some kind of secret check into Windows to happen around this time.

I am imagining some kind of internal update process that's occasionally kicked off inside Explorer. I'm also asking on the Classic Shell forum about this.

Any thoughts?

-Noel



It turns out these comms are legitimate.  The site ctldl.windowsupdate.com is contacted as part of normal certificate management activities.

Thanks to xpclient (over on the Classic Shell site) for the info and this link:

https://technet.microsoft.com/en-us/library/dn265983.aspx 

The scary part is that I had already figured this out once for one of my systems but had neglected to remember it.  The only reason it was blocked is that I had accidentally assigned a more restrictive zone to Explorer.exe than I should have.

-Noel


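The correlation the poster did by hand, as an added example that is not code from the thread or from Microsoft: a Python script that parses the DualServer DNS log format shown in the first post, groups lookups per client, and for every ctldl.windowsupdate.com query lists what the same host resolved within a minute of it. Co-occurring CRL and OCSP lookups are the tell that the burst is certificate trust-list maintenance, as the follow-up explains; a client with a bare ctldl lookup and no such context is flagged for a closer look. The log lines are reconstructed from the post plus one constructed client (192.168.2.50) to show the flagged case, and the 60-second window and the "crl./ocsp." hostname heuristic are assumptions, not anything the thread specifies.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the DualServer log format from the thread. The first
# seven lines reproduce the posted entries; 192.168.2.50 is invented here to
# show a ctldl lookup that has no CRL/OCSP lookups around it.
SAMPLE_LOG = """\
DualServer20160419.log:[19-Apr-16 17:55:59] Client 192.168.2.44, crl.microsoft.com A resolved Locally to 23.14.84.171
DualServer20160419.log:[19-Apr-16 17:55:59] Client 192.168.2.44, ctldl.windowsupdate.com A resolved Locally to 96.16.98.112
DualServer20160419.log:[19-Apr-16 23:41:06] Client 192.168.2.32, crl.usertrust.com A resolved from Forwarding Server as 178.255.83.2
DualServer20160419.log:[19-Apr-16 23:41:07] Client 192.168.2.32, ctldl.windowsupdate.com A resolved Locally to 96.16.98.112
DualServer20160420.log:[20-Apr-16 08:31:49] Client 192.168.2.26, ctldl.windowsupdate.com A resolved Locally to 96.16.98.112
DualServer20160420.log:[20-Apr-16 08:31:49] Client 192.168.2.26, ocsp.startssl.com A resolved Locally to 23.14.84.171
DualServer20160420.log:[20-Apr-16 08:31:49] Client 192.168.2.26, www.classicshell.net A resolved from Forwarding Server as 184.168.173.1
DualServer20160420.log:[20-Apr-16 12:02:10] Client 192.168.2.50, ctldl.windowsupdate.com A resolved Locally to 96.16.98.112
DualServer20160420.log:[20-Apr-16 12:02:11] Client 192.168.2.50, example.invalid A resolved from Forwarding Server as 203.0.113.9
"""

# Optional "file:" prefix (from grepping several daily logs), then the
# timestamp, client, queried name, record type and the resolved address.
LINE_RE = re.compile(
    r"^(?:[^:\[]+:)?\[(?P<ts>[^\]]+)\] Client (?P<client>[\d.]+), "
    r"(?P<name>\S+) (?P<rtype>\S+) resolved "
    r"(?:Locally to|from Forwarding Server as) (?P<ip>\S+)$"
)

TRIGGER = "ctldl.windowsupdate.com"
# Assumed heuristic: hostnames such as crl.example.com, crl3.example.com or
# ocsp.example.com are revocation-checking infrastructure.
CERT_INFRA_RE = re.compile(r"(^|\.)(crl|ocsp)\d*\.")


def parse_log(text):
    """Turn raw log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "time": datetime.strptime(m["ts"], "%d-%b-%y %H:%M:%S"),
            "client": m["client"],
            "name": m["name"].lower(),
            "ip": m["ip"],
        })
    return events


def correlate(events, window=timedelta(seconds=60)):
    """For each ctldl.windowsupdate.com lookup, gather the other names the
    same client resolved within +/- window and label the burst."""
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)

    findings = []
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["time"])
        for e in evs:
            if e["name"] != TRIGGER:
                continue
            neighbours = sorted({
                n["name"] for n in evs
                if n is not e and abs(n["time"] - e["time"]) <= window
            })
            cert_context = [n for n in neighbours if CERT_INFRA_RE.search(n)]
            verdict = ("certificate-trust maintenance (CRL/OCSP context)"
                       if cert_context
                       else "ctldl lookup with no CRL/OCSP context: inspect")
            findings.append({
                "client": client,
                "time": e["time"],
                "neighbours": neighbours,
                "verdict": verdict,
            })
    return findings


if __name__ == "__main__":
    for f in correlate(parse_log(SAMPLE_LOG)):
        print(f["time"], f["client"], f["verdict"], f["neighbours"])
```

Run it as-is to see the three posted clients labelled as trust-list maintenance and the constructed fourth one flagged; to use it on a real log, feed the output of grepping the daily DualServer files for the clients of interest into parse_log instead of SAMPLE_LOG.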