I have a small Windows 7 business workgroup network (no Domain Controller, not using Homegroup) that I am trying to eliminate SSDP traffic from. I've disabled the SSDP Discovery and UPnP Device Host services on each computer and restarted each computer. When I use Wireshark to capture packets from one of the computers I see an SSDP packet sent every 90 seconds or so from each computer on the network with the following information:

Simple Service Discovery Protocol
    M-SEARCH * HTTP/1.1\r\n
    HOST: 239.255.255.250:1900\r\n
    ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n
    MAN: "ssdp:discover"\r\n
    MX: 2\r\n
    \r\n
    [Full request URI: http://239.255.255.250:1900*]
    [HTTP request 1/2]
    [Next request in frame: 2649]

This issue is covered in this Server Fault question. I tried the registry edit suggested by Josh on Oct 3 '14 in that question but the SSDP packets keep getting sent. I know that these packets are searching for an IP gateway device. I've disabled UPnP in my IP router. Can someone tell me what is generating these packets? Can I disable whatever is creating the packets or is this something that is normal behavior?

  • From an elevated command prompt run "netstat 1 -a -o >path\netstat.txt" (without the quotes) where path is the path to a folder of your choice. Let that run for a few minutes then terminate it. Review the generated netstat text file and find the traffic in question. Look at the PID (process ID) for the traffic. Then launch Task Manager and find that PID. That will be the process that's generating the traffic.
    – joeqwerty
    Commented Sep 13, 2019 at 0:58
  • Thanks @joeqwerty for the tip! I'll give that a try and report back. Commented Sep 13, 2019 at 4:01
  • @joeqwerty you are brilliant! Your suggestion worked perfectly! If you would provide your comment as the answer to my question I'll select it as the correct answer. Commented Sep 13, 2019 at 15:03

1 Answer

From an elevated command prompt run:

    netstat 1 -a -o >path\netstat.txt

where path is the path to a folder of your choice. Let that run for a few minutes then terminate it. Review the generated netstat text file and find the traffic in question. Look at the PID (process ID) for the traffic. Then launch Task Manager and find that PID. That will be the process that's generating the traffic.
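
Added example, not part of the original answer: one way to do the "find the traffic in question" step is to read the UDP source port of the M-SEARCH frame in Wireshark and look that port up in the netstat file. The function name `Get-UdpPortOwner`, the port 58211 and the PIDs in the sample are constructed for illustration; the code sticks to PowerShell 2.0 syntax, which ships with Windows 7.

```powershell
# Added example. Assumptions: the input was written by the answer's netstat command,
# and $SourcePort is the UDP source port of the M-SEARCH frame seen in Wireshark.
function Get-UdpPortOwner {
    param(
        [string[]]$NetstatLines,   # lines of the netstat output file
        [int]$SourcePort           # UDP source port taken from the capture
    )
    # UDP rows have no State column: Proto, Local Address, Foreign Address, PID
    $pattern = '^\s*UDP\s+(\S+):(\d+)\s+\S+\s+(\d+)\s*$'
    $NetstatLines | ForEach-Object {
        if ($_ -match $pattern -and [int]$Matches[2] -eq $SourcePort) {
            New-Object PSObject -Property @{
                LocalAddress = $Matches[1]
                Port         = [int]$Matches[2]
                ProcessId    = [int]$Matches[3]
            }
        }
    } | Sort-Object LocalAddress, ProcessId -Unique   # interval mode repeats rows
}

# Constructed sample of two one-second snapshots; for real use replace with:
#   $lines = Get-Content 'path\netstat.txt'
$lines = @'
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            PC01:0                 LISTENING       716
  UDP    0.0.0.0:5355           *:*                                    1108
  UDP    192.168.1.20:58211     *:*                                    2964
  Proto  Local Address          Foreign Address        State           PID
  UDP    192.168.1.20:58211     *:*                                    2964
'@ -split "`r?`n"

$owners = @(Get-UdpPortOwner -NetstatLines $lines -SourcePort 58211)
foreach ($o in $owners) {
    "UDP {0}:{1} is owned by PID {2}" -f $o.LocalAddress, $o.Port, $o.ProcessId
    # Process name for the PID (empty if that PID is not running on this machine)
    Get-Process -Id $o.ProcessId -ErrorAction SilentlyContinue |
        Select-Object Id, ProcessName
    # If the owner is svchost.exe, list the services hosted inside that PID
    tasklist /svc /fi "PID eq $($o.ProcessId)"
}
```

The source port has to come from a capture taken on the same computer that produced the netstat file, since the lookup is against that machine's local UDP endpoints.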
