Sunday, August 14, 2011

NDIS User-mode I/O Driver clogging XP

Ndisuio.sys is not spyware or any other malware. It is the NDIS
User-mode I/O protocol driver: it opens NDIS devices through
IOCTL_NDISUIO_OPEN_DEVICE and receives only those frames
that have an NDIS_MEDIUM type of NdisMedium802_3 (Ethernet framing).
(source: http://msdn.microsoft.com/en-us/library/ms901264)
Sygate firewall's traffic log clearly shows zero outgoing traffic for it and a non-zero incoming count: the driver only gets a local copy of frames the adapter has already received, it never sends anything of its own.

If you don't use wireless networking, just disable the
"Wireless Zero Configuration" (WZC) service.

If you do use a Wi-Fi connection, this service is set to
'manual' or 'automatic' and is (probably) running. So, after you have connected to a wireless network, just stop this service: ndisuio.sys loses the user-mode client that was reading frames through it and the incoming count stops growing. No more data coming in for it!
(note: WZC is also what XP uses to join a network and, on WPA networks, to handle the key exchanges, so the link may drop at some point after WZC is stopped; to connect again to a Wi-Fi network, WZC needs to be started again.)

To deal with the WZC service (or any other), do this:
Click "Start", then "Run", type "services.msc" and press Enter. Scroll down to "Wireless Zero Configuration" (near the bottom of the list). Right-click it and choose "Start" or "Stop" to start or stop it ;)
To change its startup option, choose "Properties" (or double-click the service instead of right-clicking it).
Under "Startup type:" pick what you need ("Disabled" if you never use wireless, "Manual" if you only want to start it by hand when you connect). Click "OK" and that's it.
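If you would rather do the same from a command prompt (or from a batch file you run right after connecting), here is an added example; it is not from the original post. It assumes Windows XP, an account in the Administrators group, the XP service name WZCSVC for "Wireless Zero Configuration" and Ndisuio for the driver, and the hypothetical file name wzc.cmd.

```batch
@echo off
rem Added example (not from the original post): manage WZC from a cmd prompt
rem instead of services.msc. Assumes Windows XP, an Administrators account,
rem and the XP service names WZCSVC (Wireless Zero Configuration) and Ndisuio.
rem Usage: wzc.cmd status | stop | start | manual | disabled | auto

setlocal
set SVC=WZCSVC

if "%~1"=="" goto usage
if /i "%~1"=="status"   goto status
if /i "%~1"=="stop"     goto stop
if /i "%~1"=="start"    goto start
if /i "%~1"=="manual"   goto manual
if /i "%~1"=="disabled" goto disabled
if /i "%~1"=="auto"     goto auto
goto usage

:status
rem Current state of WZC and of the ndisuio protocol driver it reads through.
sc query %SVC%
sc query ndisuio
rem START_TYPE shows the startup option; DEPENDENCIES lists what WZC needs
rem (ndisuio is among them, which is why stopping WZC does not unload it).
sc qc %SVC%
goto :eof

:stop
rem Connect to the wireless network first; stopping WZC afterwards leaves the
rem adapter associated but ndisuio no longer has a user-mode consumer.
net stop %SVC%
goto :eof

:start
rem Needed again before WZC can join or re-join a network.
net start %SVC%
goto :eof

:manual
rem Note the space after "start=": sc requires it.
sc config %SVC% start= demand
goto :eof

:disabled
sc config %SVC% start= disabled
goto :eof

:auto
sc config %SVC% start= auto
goto :eof

:usage
echo usage: %~nx0 status ^| stop ^| start ^| manual ^| disabled ^| auto
exit /b 1
```

After "wzc.cmd stop", "sc query ndisuio" will normally still report the driver as RUNNING: WZC depends on ndisuio (it appears under DEPENDENCIES in the "sc qc" output), not the other way round, so the driver stays loaded and only loses the client that was pulling frames through it. That is the expected state, not a sign that the stop failed; the firewall's incoming counter for ndisuio.sys is what should stop moving.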