Checking Microsoft Windows proxy server settings

I needed to check the proxy settings on a Windows 8 system that appeared to have been infected by malware; the malware had installed a proxy server on the system and configured the system to use it. If you wish to view the proxy settings that will be used by Internet Explorer, or by any application that relies on the system proxy settings for its own proxy use, you can check them in Internet Explorer 11 (and by a similar process in recent versions before it) with the following steps, either from within Internet Explorer or from a command prompt:

From within Internet Explorer

  1. Click on the gear icon in the upper, right-hand corner of the Internet Explorer window.
  2. Select Internet options.
  3. Click on the Connections tab.

    Internet Options Connections

  4. Click on LAN settings.

    Internet Options LAN Settings

  5. If "Use a proxy server for your LAN" has a check in the checkbox, then a proxy server has been set. Click on the Advanced button to see the details for the proxy server.

    Internet Options Proxy Settings

In the example above, I can see that the proxy server in use is running on the local loopback address for the system, i.e., 127.0.0.1, so the proxy server software is running on the system itself and is handling both HTTP and HTTPS connections. It is listening on port 55833.

From a command prompt

Alternatively, you can also view the proxy server settings by querying the Windows Registry from a command prompt as shown below:

C:\>reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    ProxyEnable    REG_DWORD    0x1

C:\>reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    ProxyServer    REG_SZ    http=127.0.0.1:55833;https=127.0.0.1:55833

The first reg query command shows that ProxyEnable is set to 1 (0x1 is hexadecimal 1, which is the same as decimal 1), indicating that a proxy server is in use for the currently logged-in user, i.e., the account under which the command was run. If the value were zero, no system-wide proxy server would be in use. The second reg query command shows the IP address and port of the proxy server. In this case the proxy server was set up by malware on the system to route HTTP and HTTPS traffic through a proxy server it installed on the system.

On another system configured to use a SOCKS proxy server set up via a PuTTY SSH connection, the same reg query command shows the following:

C:\>reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    ProxyServer    REG_SZ    socks=127.0.0.1:1080

Again, the 127.0.0.1 address indicates the SOCKS proxy server is running on the system on which the command was issued. In this case the SOCKS proxy server is listening on port 1080.
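The two reg query commands above are easy to run by hand, but when triaging several machines it helps to parse captured output mechanically. The following is an added example (not from the original post) that parses reg query output for both the HKCU form and the HKEY_USERS\&lt;SID&gt; form, splits the ProxyServer value into per-protocol host/port pairs, and reports only proxies that are actually enabled, flagging loopback hosts as "the proxy runs on this machine". The sample output and SID are constructed; the bare host:port form of ProxyServer (one proxy for every protocol) is assumed from Windows behaviour rather than shown on this page.

```python
import re

# Constructed sample output of "reg query ... /v ProxyEnable" and "/v ProxyServer" for the
# current user and for a second user's hive (the SID below is a made-up placeholder).
SAMPLE_REG_OUTPUT = r"""HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    ProxyEnable    REG_DWORD    0x1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    ProxyServer    REG_SZ    http=127.0.0.1:55833;https=127.0.0.1:55833
HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    ProxyEnable    REG_DWORD    0x0
HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    ProxyServer    REG_SZ    socks=127.0.0.1:1080
"""
KEY_RE = re.compile(r"^(?:HKEY_CURRENT_USER|HKEY_USERS\\(S-1-5-[\d-]+))"
                    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings$")
VALUE_RE = re.compile(r"^\s+(\w+)\s+(REG_\w+)\s+(.*)$")

def parse_reg_query(text):
    """Group reg query output by hive ('HKCU' or the SID under HKEY_USERS) -> {name: data}."""
    hives, current = {}, None
    for line in text.splitlines():
        key = KEY_RE.match(line.rstrip())
        if key:
            current = key.group(1) or "HKCU"
            hives.setdefault(current, {})
        elif (value := VALUE_RE.match(line)) and current is not None:
            name, rtype, data = value.groups()
            hives[current][name] = int(data, 16) if rtype == "REG_DWORD" else data.strip()  # 0x1 -> 1
    return hives

def parse_proxy_server(value):
    """'http=h:p;https=h:p' -> {'http': (h, p), ...}. A bare 'h:p' (one proxy for every
    protocol; assumed Windows form, not shown on the page) is keyed 'all'."""
    proxies = {}
    for entry in filter(None, value.split(";")):
        scheme, _, hostport = entry.rpartition("=")   # no '=' -> scheme is ''
        host, _, port = hostport.rpartition(":")
        proxies[scheme or "all"] = (host, int(port))
    return proxies

def assess(hives):
    """One finding per enabled proxy; loopback hosts are flagged because the proxy
    process then runs on this machine, as in the malware case described in the post."""
    findings = []
    for hive, values in hives.items():
        if values.get("ProxyEnable") != 1 or "ProxyServer" not in values:
            continue  # ProxyServer can stay populated while ProxyEnable is 0
        for scheme, (host, port) in parse_proxy_server(values["ProxyServer"]).items():
            local = host.startswith("127.") or host.lower() == "localhost"
            findings.append(dict(hive=hive, scheme=scheme, host=host, port=port, local=local))
    return findings
```

On a real system, feed the function the text saved from the reg query commands shown above; the second hive in the sample shows why ProxyEnable must be checked rather than just ProxyServer.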

If I wanted to change the proxy server settings so that any browser using the system-wide proxy server setting would no longer use the proxy server, I could change the value of ProxyEnable in the Windows registry to zero with the following reg add command:

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 0 /f

The /d followed by a zero specifies the data to assign to the registry value name, which was specified as ProxyEnable by the /v. The /t specifies that the data type for the registry value is REG_DWORD, and the /f forces an overwrite of the current value without a prompt asking whether you are sure you want to overwrite it. Without the /f, a window will open asking for confirmation of the replacement of the current value in that registry location.

The value for ProxyServer in the registry remains the same, but browsers will no longer use the proxy.

C:\>reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 0 /f
The operation completed successfully.

C:\>reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    ProxyServer    REG_SZ    socks=127.0.0.1:1080


C:\>reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    ProxyEnable    REG_DWORD    0x0

If you wished to enable the use of the proxy server again, you could issue the same reg add command, but with /d 1 instead of /d 0.

Note: if you change the proxy server setting within Google Chrome and leave Chrome open while you change the value of ProxyEnable to zero or one with the reg add command, Chrome will need to re-read the setting: either go through the steps to view the proxy server setting in Chrome, or close and reopen Chrome.

Running show-firefox-proxy-setting.bat on the system that was configured to use an HTTP and HTTPS proxy listening on port 55833, as noted in Finding the proxy setting for Firefox from a command line, showed the following, since Firefox was configured to use the system proxy settings:

C:\Users\Public\Documents>show-firefox-proxy-setting.bat

---------- C:\USERS\JDoe\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\L7FNKEJA.DEFAULT\PREFS.JS

I.e., no proxy information was displayed. If it had been configured for "manual proxy configuration" with 127.0.0.1 for both the HTTP Proxy and SSL Proxy setting with port 55833 for both, it would have shown the following:

C:\Users\Public\Documents>show-firefox-proxy-setting.bat

---------- C:\USERS\JDoe\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\L7FNKEJA.DEFAULT\PREFS.JS
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 55833);
user_pref("network.proxy.ssl", "127.0.0.1");
user_pref("network.proxy.ssl_port", 55833);
user_pref("network.proxy.type", 1);

I.e., the proxy server setting information displayed only applies to a "manual proxy configuration" for Firefox.

Running the batch file on the system configured to use the SOCKS proxy where Firefox was configured to use a "manual proxy configuration", showed the following:

C:\>show-firefox-proxy-settings.bat

---------- C:\USERS\Joan\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\W9XPP5JC.DEFAULT\PREFS.JS
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 1080);
user_pref("network.proxy.type", 1);

When Firefox is configured for "No proxy", it will show something similar to the following:

C:\>show-firefox-proxy-settings.bat

---------- C:\USERS\Joan\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\W9XPP5JC.DEFAULT\PREFS.JS
user_pref("network.proxy.type", 0);

I.e., it will show user_pref("network.proxy.type", 0);.
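The batch file only greps the user_pref lines out of prefs.js; interpreting them is left to the reader. As an added example (not part of the original post), the following parses those user_pref lines and summarises the proxy mode using the network.proxy.type values the page shows (0 = no proxy, 1 = manual). The prefs.js excerpt is constructed; the treatment of a missing network.proxy.type as Firefox's default "use system proxy settings" mode comes from how Firefox stores prefs (prefs.js holds only non-default values), not from this page.

```python
import re

# Constructed prefs.js excerpt (not a real profile): the "manual proxy configuration"
# lines the batch file printed for the SOCKS case, plus an unrelated pref as noise.
SAMPLE_PREFS_JS = r'''user_pref("browser.startup.homepage_override.mstone", "ignore");
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 1080);
user_pref("network.proxy.type", 1);
'''
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(?:"([^"]*)"|(-?\d+)|(true|false))\);')
MODES = {0: "no proxy", 1: "manual proxy configuration"}  # the values shown on this page

def parse_user_prefs(text):
    """Map pref name -> value (str, int or bool) from user_pref(...) lines."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            name, string, number, boolean = m.groups()
            if string is not None:
                prefs[name] = string
            else:
                prefs[name] = int(number) if number is not None else boolean == "true"
    return prefs

def firefox_proxy_summary(prefs):
    """Describe the proxy mode and, for a manual configuration, the proxies it names."""
    mode = prefs.get("network.proxy.type")
    if mode is None:
        # prefs.js stores only prefs changed from their defaults, so an absent
        # network.proxy.type means Firefox is on its default "use system proxy settings"
        return {"mode": "default (system proxy settings)", "proxies": {}}
    proxies = {}
    if mode == 1:
        for scheme in ("http", "ssl", "socks"):
            host = prefs.get(f"network.proxy.{scheme}")
            port = prefs.get(f"network.proxy.{scheme}_port")
            if host and port:
                proxies[scheme] = (host, port)
    return {"mode": MODES.get(mode, f"other ({mode})"), "proxies": proxies}
```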

If you wish to check the proxy server setting for an account on the system other than the one under which you are currently logged in, you can specify the Security Identifier (SID) for the account instead of HKCU, as shown below:

C:\>reg query "HKEY_USERS\S-1-5-21-3084690208-3888753220-1328190815-1115\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable

HKEY_USERS\S-1-5-21-3084690208-3888753220-1328190815-1115\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    ProxyEnable    REG_DWORD    0x1

You can determine the SID for an account from the command line by using the VBScript determine-sid script as shown below:

C:\Users\Public\Documents>cscript /nologo determine-sid.vbs Sue Onda
Userid:               Sue
Computer Name/Domain: Onda
SID:                  S-1-5-21-2441191556-19154564-1365248798-1001

The script must be run from an administrator account. The user account name and the name of the computer (the script can also query remote computers) can be specified on the command line; e.g., in the case above the username is "Sue" and the computer name is "Onda". If they aren't specified on the command line, a window will appear prompting for both.