ubuysa
The BSOD Doctor
As part of an audit I did recently on my PC to ensure that I wasn't sending any telemetry data to Microsoft that I wasn't comfortable with (and that's easy to do in Windows by the way, it doesn't require a third party tool) I came across Windows Push Notifications, they're part of the Windows Notification Service (WNS). I spotted WNS when running Wireshark to check what telemetry packets were being sent to Microsoft, there was a persistent connection that sent and received encrypted data to IP address 51.103.5.186 - this is the current IP address of the host wns.windows.com. A data packet exchange was occurring every minute. Yep, every single minute of every single day my (and your) PC does an encrypted data exchange with a Microsoft WNS server. What's going on here?
I identified wns.windows.com as the main WNS server from this website https://docs.microsoft.com/en-us/windows/privacy/manage-windows-20h2-endpoints which lists all the telemetry and related endpoints for version 20H2. The entry for wns.windows.com says the following....
The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.
Wait a minute here. So every minute of every day my PC is doing an encrypted data exchange with the WNS server to obtain notification data from a third party cloud service. Research on how WNS works has shown that Microsoft have to authorise the third party cloud service site, but nonetheless my PC is in (very!) regular encrypted communication with an unknown (to me) third party site.
You can argue that this is just the way cloud computing is these days, there are a whole host of packets being received from various content delivery companies for example - though none of those communications are encrypted, nor occurring every minute of every day.
The purpose of this WNS communication isn't sinister of course, it's designed to enable UWP apps to receive updates and notifications to make all those fancy live tiles look nice and useful. However, although WNS is aimed at UWP apps there doesn't seem to be anything that precludes it working with other Windows components. On this website https://docs.microsoft.com/en-us/windows/client-management/mdm/push-notification-windows-mdm for example, Microsoft explain how WNS can be used for remote device management.
Clearly if you make use of live tiles and UWP apps that require updates and badges etc. then you absolutely need the push notification service, but I don't. I have no fancy live tiles, though I do of course have several UWP apps, some built in to Windows and a couple I've installed myself. None of them use badges or live tiles however so I looked for a way to turn push notification off.
And here's where it gets even more worrying.
The user service that manages push notifications is called WpnUserService_xxxxx (where xxxxx is a string of hex numbers, presumably to differentiate this instance of the service from any others that may start?) so stopping push notifications just means stopping this service and disabling it. Except you can't disable it. It won't let you. Why? If you look at the LogOn tab in the service's Properties you can see that it doesn't run under the local user account but under some other account (the name is blank) but with a password that is obfuscated - and which we don't know of course.
So here we have a service that you can't stop (it will restart if you stop it) and which communicates using encrypted data (which you can't read) with a third party cloud service (which you don't know and can't find out)....
There is another service called Windows Push Notification System Service which you can stop and disable and that apparently disconnects the PC from the WNS server. It does seem to work too, the one minute packet exchange stops when you stop (and disable) this service. Experimenting has shown that if you set it to Manual (which is the wiser option when 'disabling' services) it gets restarted. If you disable this service all your push notifications will stop and UWP apps will no longer receive updates and badges etc.
I was still not happy however, because that WpnUserService_xxxxx service was still running. Much more investigation did reveal a way to stop and disable it however, and as you might expect it's a registry hack.
Please don't make changes to your registry unless you are very confident that you know what you're doing.
The registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WpnUserService contains a key called "Start" and the default value of this key is "2" - which presumably means enable and start the service. If you modify the value of this key to "4" the service will be stopped and disabled.
I don't want to make too big a deal about this push notification service. If you use live tiles etc. then you need it. Even if you don't then it's probably harmless and doing only what it's advertised to do - support updates and badges for UWP apps. But the ex-professional in me is deeply concerned about a service that uses encrypted communication (which we can't read) with a third party cloud service (which we don't know) every minute of every day - and which is controlled by a system service which doesn't run under the local user account and which is hard to disable. All my spidey-senses tingle when I see that sort of thing.
I'm posting this just for information. Make whatever use of it that you wish.
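Added example, not part of ubuysa's post: a PowerShell script that does the audit described above in one pass and, optionally, applies the same registry change. It resolves wns.windows.com, lists established TCP connections to those addresses with the owning process and the services hosted in it, shows the Wpn* services with their LogOn account (StartName), reads the Start values under HKLM\SYSTEM\CurrentControlSet\Services for WpnService and the WpnUserService template and its per-logon WpnUserService_<hex> instances, and with the -Disable switch (a name chosen for this example) sets Start=4 on the two template keys. The IP in the post is whatever the name resolved to at the time; the script resolves it live, so if WNS is using a different hostname on your machine the connection table may come up empty and you should fall back to the Wireshark view. Assumes Windows 10/11, PowerShell 5.1 or later, and an elevated prompt for -Disable.

```powershell
# Added example (not from the original post). Audits the WNS services and
# connections discussed above; with -Disable it reproduces the Start=4 change.
# Assumes Windows 10/11, PowerShell 5.1+, elevated prompt for -Disable.
[CmdletBinding()]
param(
    [switch]$Disable   # example switch name; sets Start=4 on WpnService and WpnUserService
)

$wnsHost = 'wns.windows.com'

# 1. Current A records for wns.windows.com (the name is a CNAME chain; keep only
#    records that carry an IPAddress). 51.103.5.186 in the post was one such result.
$wnsIps = @(Resolve-DnsName -Name $wnsHost -Type A -ErrorAction SilentlyContinue |
            Where-Object { $_.IPAddress } | Select-Object -ExpandProperty IPAddress)
Write-Host "$wnsHost resolves to: $($wnsIps -join ', ')"

# 2. Established TCP connections to those addresses, mapped to the owning process
#    and to the services hosted in that process (WNS traffic comes from svchost.exe).
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $wnsIps -contains $_.RemoteAddress } |
    ForEach-Object {
        $ownerPid = $_.OwningProcess
        $hosted   = (Get-CimInstance Win32_Service -Filter "ProcessId = $ownerPid").Name -join ','
        [pscustomobject]@{
            Remote   = "$($_.RemoteAddress):$($_.RemotePort)"
            PID      = $ownerPid
            Process  = (Get-Process -Id $ownerPid -ErrorAction SilentlyContinue).ProcessName
            Services = $hosted
        }
    } | Format-Table -AutoSize

# 3. The system service (WpnService) and the per-user instance(s) WpnUserService_<hex>.
#    StartName is the account shown on the LogOn tab in services.msc.
Get-CimInstance Win32_Service -Filter "Name LIKE 'Wpn%'" |
    Select-Object Name, DisplayName, State, StartMode, StartName, ProcessId |
    Format-Table -AutoSize

# 4. Start values in the registry: 2 = SERVICE_AUTO_START, 3 = SERVICE_DEMAND_START,
#    4 = SERVICE_DISABLED. WpnUserService is the template key; the _<hex> keys are the
#    per-logon instances Windows creates from it.
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$keys = Get-ChildItem $svcRoot |
        Where-Object { $_.PSChildName -match '^Wpn(User)?Service(_[0-9A-Fa-f]+)?$' }
foreach ($k in $keys) {
    $start = (Get-ItemProperty -Path $k.PSPath -Name Start -ErrorAction SilentlyContinue).Start
    Write-Host ("{0,-28} Start = {1}" -f $k.PSChildName, $start)
}

if ($Disable) {
    # Needs an elevated prompt. Setting Start=4 on the WpnUserService template stops
    # new per-user instances being created at the next logon; WpnService is disabled
    # the same way. Both take effect after a reboot (or sign-out for the user service).
    foreach ($name in 'WpnService', 'WpnUserService') {
        Set-ItemProperty -Path "$svcRoot\$name" -Name Start -Value 4 -Type DWord
        Write-Host "Set $name Start=4 (disabled)."
    }
}
```

Run it once without -Disable to see what is actually connected and under which account the services run, then re-run after a reboot to confirm the connection table is empty. Re-running with Start set back to 2 (WpnService and WpnUserService) reverses the change. As an alternative the post does not mention, the supported way to cut the network side only is the Group Policy "Turn off notifications network usage", which writes NoCloudApplicationNotification=1 under HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\PushNotifications; that leaves the services in place but stops them talking to WNS.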