Table of Contents
Hands up if you’ve seen the dreadful “yellow triangle” on your systray network icon at least once. The meaning of that is as simple as the popup label appearing on mouse hover: the system is connected to a network, but there’s no internet access. That’s not always true tho: sometimes, despite the yellow triangle and the message, your PC is indeed connected and you can surf the web without issues.
What’s the reason behind this odd behaviour by Windows? In this post we’ll try to answer to this question, looking at how our (not always) beloved operating system checks our connection status and how to solve the most common issues.
The big picture
When a Windows PC connects to a network – be it public or private – two services will be used to analyze its status: the Network Location Awareness (NLA) and the Network Connection Status Indicator (NCSI). Their purpose respectively is:
- to automatically identify the network and fetch its basic informations.
- to check if the network features internet access or not.
What we need, like you might guess, is mostly the latter: if you feel like you need more information regarding the former, you can find some detailed information on the Network Location Awareness (NLA) service looking at this great Technet.com post.
Network Connection Status Indicator (NCSI)
The Network Connection Status Indicator (NCSI) is part of NlaSvc (Network Location Awareness Service) and it basically serves the purpose of checking if we can reach Internet or not: the check is performed using the NLM_CONNECTIVITY Network List Manager native APIs (read here for more info). The applications and services installed on our system can fetch the result of these checks from the APIs NCSI/NlaSvc to determine the most suited / stable network among the available ones according to our needs.
The Internet Connection check is actually made by using a standard DNS call: the outcome, if less than ok, will be displayed by using an overlay icon – the yellow triangle, the red cross, and so on – over the network icon in the systray: it’s worth to notice that this is an overall result for all the available networks – that’s because the network icon is the same – focusing on the most troubled one. This basically means that, if you get the yellow triangle but the web seems to be working just fine, the first thing you should do would be to disable all the other network interfaces using the Control Panel and see if you manage to identify the one causing the issue.
How does it work?
Since Windows 7, the connectivity test performed by NCSI is part of Windows DirectAccess (read here if you never heard about it) and it features the frequent activity of some active probes sending an almost-realtime notification whenever any network connection’s status changes: on each connection, NCSI checks if the computer is connected to the Internet by issuing a standard DNS query to www.msftncsi.com, followed by a HTTP get request to the http://www.msftncsi.com/ncsi.txt file (a plain text file) and, finally, another DNS query to dns.msftncsi.com.
These checks can be easily identified and monitored with a network tracing software such as Network Monitor o Wireshark. If you don’t feel like installing new software on your system you can also perform the test using the netsh console command (available since Windows 7): to do that, just open an elevated command prompt and run the following code:
netsh trace start persistent=no capture=yes tracefile=c:\temp\neths-trace.etl
If you need to trace the network activity during the system boot sequence, change the above command setting the persistent parameter to yes: this way te trace will continue – even after a shutdown or reboot – until you’ll manually stop that issuing the following command:
netsh trace stop
The network activity log will be put into the netsh-trace.etl file: the extension isn’t required, but creating an .etl file will allow you to easily open it with Network Monitor.
For additional info on the netsh trace command and hints on how to effectively use it I also suggest you to read this post.
NCSI passive mode
Whenever there are other applications generating network traffing, the NCSI service will silently switch to passive mode, checking the completion of the TCP connections estabilished by the other software instead of using its own probes, and act accordingly.
How to disable NCSI
Disable the NCSI feature is not encouraged by Microsoft because it will make the OS unable to detect their network connections status. If you’re ok with that, you can either reconfigure some of its features or shutdown it entirely without affecting the stability of your system as it’s considered a non-critical service.
A useful thing for most users would be to reconfigure the active probes sent to the default Internet address www.msftncsi.com and dns.msftncsi.com, which could be blocked or unreachable due to a Proxy, Firewall or VPN presence. You can either:
- Disable them using group policy settings: doing this will raise the “yellow triangle” on your systray icon.
- Install your very own “NCSI server” (internal or external to your network) and tell the active probes to use it instead to check your Internet status.
Disable the Active Probes
In order to disable the probes you need to change the following registry key:
Setting the EnableActiveProbing DWORD value to 0 instead of 1 (which is the default value).
For additional info regarding the active and passive probes and how they actually work, we strongly suggest you to read this excellent Microsoft KB article.
Set an internal NCSI server
A NCSI server is nothing more than a web application hosting a text file. To set it up you need to have (or configure) an HTTP web server reachable by your PC and make it publish a simple .txt file containing a simple string of your choice (the one used by MS is “Microsoft NCSI”). Once you did that, go to the regedit and navigate thru the following key:
These are the settings you need to change to re-route the probes to your webserver’s .txt file:
- ActiveWebProbeHost (REG_SZ). Default value: www.msftncsi.com
- ActiveWebProbePath (REG_SZ). Default value: ncsi.txt
- ActiveWebProbeContent (REG_SZ). Default value: Microsoft NCSI
Depending on your network configuration settings, it could be also required to create a dedicated DNS zone for the webserver’s domain name in order to make it available to your internal network.
That’s it for now: happy networking!