Microsoft Network Realtime Inspection Service (NisSrv.exe) information
If you open the Task Manager on a device running a recent version of Windows, you may notice the Microsoft Network Realtime Inspection Service (NisSrv.exe) as one of the tasks running on the PC.
It may not be clear immediately if the process is legitimate or not, and what its purpose is. If you run Windows 10, you can expand the name to get Windows Defender Antivirus Network Inspection Service listed underneath the original entry.
Microsoft Network Realtime Inspection Service is a module of Microsoft security software. Which program depends on the version of Windows; on Windows 10 it is the built-in Windows Defender for instance.
The module is a legitimate process, provided that it is located in the right directory on the Windows machine.
The easiest way to find out about that is to right-click on the item and select open file location from the context menu.
On Windows 10 machines, the location that opens should be C:\Program Files\Windows Defender, and the file in question should be NisSrv.exe. On earlier versions of Windows, the location is different, as a different program may be used for security. Windows 7 users should find the file listed under C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe, for instance.
If you are unsure about the legitimacy of the file, you may want to run additional verification checks. One option that you have is to upload it to Virustotal.com to have it scanned for malicious content.
You may also use the information provided by the Windows Services Manager to verify the legitimacy of the process and file.
Open the Services Manager afterwards to look up additional information on the service:
- Tap on the Windows-key, type services.msc and hit the Enter-key on the keyboard.
- Locate Windows Defender Antivirus Network Inspection Service and double-click on the entry to open the properties.
Information listed there includes:
- Service Name: WdNisSvc
- Display Name: Windows Defender Antivirus Network Inspection Service
- Path to executable: "C:\Program Files\Windows Defender\NisSrv.exe"
- Description: Helps guard against intrusion attempts targeting known and newly discovered vulnerabilities in network protocols
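The same checks can be scripted. The following PowerShell is an added example, not part of the original article: it reads the image path of the WdNisSvc service, lists every running process named NisSrv, and reports for each file whether it sits in one of the locations named above and carries a valid Microsoft Authenticode signature. The function names and the list of expected paths are assumptions of this example.

```powershell
# Expected locations, taken from the article above. Extend the list if your
# installed security product keeps NisSrv.exe elsewhere.
$ExpectedPaths = @(
    'C:\Program Files\Windows Defender\NisSrv.exe',
    'C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe'
)

function Get-ImagePath {
    # Win32_Service.PathName may be quoted and may carry arguments.
    param([string]$PathName)
    if ($PathName -match '^\s*"?(.+?\.exe)"?(\s|$)') { return $Matches[1] }
    return $PathName.Trim('" ')
}

function Test-NisSrvFile {
    param([string]$Path, [string]$Source)
    $exists = Test-Path -LiteralPath $Path
    $sig = if ($exists) { Get-AuthenticodeSignature -FilePath $Path }
    $signer = $sig.SignerCertificate.Subject
    [pscustomobject]@{
        Source          = $Source
        Path            = $Path
        ExpectedPath    = $ExpectedPaths -contains $Path   # case-insensitive
        SignatureValid  = $exists -and ($sig.Status -eq 'Valid')
        MicrosoftSigned = [bool]($signer -like '*O=Microsoft Corporation*')
    }
}

$results = @()

# 1. The service entry the article looks up in services.msc.
$svc = Get-CimInstance Win32_Service -Filter "Name='WdNisSvc'"
if ($svc) {
    $results += Test-NisSrvFile (Get-ImagePath $svc.PathName) 'service WdNisSvc'
} else {
    Write-Warning 'Service WdNisSvc not found on this machine.'
}

# 2. Every running process that calls itself NisSrv, wherever it lives.
Get-Process -Name NisSrv -ErrorAction SilentlyContinue | ForEach-Object {
    if ($_.Path) { $results += Test-NisSrvFile $_.Path "process PID $($_.Id)" }
    else { Write-Warning "PID $($_.Id): image path not readable from this session." }
}

$results | Format-Table -AutoSize
$results |
    Where-Object { -not ($_.ExpectedPath -and $_.SignatureValid -and $_.MicrosoftSigned) } |
    ForEach-Object { Write-Warning "Investigate: $($_.Source) -> $($_.Path)" }
```

A row that fails any of the three checks is a reason to look closer, for example with the VirusTotal upload mentioned above; it is not proof of malware on its own.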
The Network Inspection System is a real-time protection module that monitors network traffic for malicious patterns. You can check out this Microsoft Technet article from 2013 for information on the feature.
Microsoft launched the feature back in October 2012 in Microsoft Security Essentials, and it has been a part of Microsoft's security solutions ever since.
Can you disable the Microsoft Network Realtime Inspection Service?
Microsoft Network Realtime Inspection Service is linked to Windows Defender's real-time protection. You may turn off real-time protection, but only temporarily, according to the Windows Defender Security Center.
Real-time protection
Locates and stops malware from installing or running on your device. You can turn off this setting for a short time before it turns back on automatically.
So, there is no direct way of disabling the network realtime inspection service using Windows Defender's settings.
Note: The service cannot be disabled.
Generally speaking, it is recommended to keep the service activated. If it causes issues on a machine, you may want to consider switching to another antivirus solution instead as this will disable Windows Defender on the machine.
I disabled Windows Defender a long time ago by using Autoruns.
Yep used that to disable Nvidia Telemetry also
Process Lasso is very useful also with the “Terminate Always” feature.
Nope, it doesn’t do a thing for the end user, it’s just another piece of Microsoft spying and “telemetry”. From their own blog post:
“…doesn’t take on the threat directly, its telemetry ‘can’ trigger actions that result in malware removal”.
https://blogs.microsoft.com/firehose/2013/06/25/network-real-time-inspection-is-latest-tool-to-fight-malware-detect-suspicious-activity/
Recommendation: Disable or Uninstall it.
It’s not spying on your activity, you idiot.
Well, that’s a relief. Thank you ‘D’ for your personally-vouched reassurance, and surprisingly accurate assessment of my intelligence. And here’s me idiotically (see what I did there) believing everything I read in Microsoft’s own blog post on this tool. Glad you stopped by, ‘D’, to set the record straight.
NisSrv.exe has existed since MSE v2 (Microsoft Security Essentials). It’s possible to disable it via:
sc stop "NisSrv"
sc config "NisSrv" start= disabled
or if you want to delete it:
sc delete "NisSrv"
Of course the better thing would be to change ‘Start’ via registry to 4 or just rename the executable so that you can restore it at any time.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NisSrv.
Automatic – 2
Manual – 3
Disabled – 4
Automatic (Delayed Start) – 2
However, if you use WD I recommend leaving it enabled.
Does not work for me, the command prompt returns a 1060 error and also says it cannot find the service, the registry location you gave does not have any NisSrv located in it so I’m no wiser. I am using Win10 and NisSrv is running all the time, it’s interfering with my firewall so I need to stop it.