TerryMz, thanks —
Windows 11 Pro gives you a couple of stronger controls (Group Policy + stricter Firewall rules). On true dial‑up, even “small” background checks can absolutely destroy browsing.
Since you don’t see a single obvious app doing it, I’d do this in two phases:
1) Clamp down the big built-in background downloaders (Windows Update / Delivery Optimization / Store / OneDrive)
2) If that’s still not enough, use Firewall “block outbound by default” but add a couple of required allow rules (especially DNS, otherwise your browser may not load sites).
Phase 1 (recommended first): stop the biggest background downloaders
1) Set Windows Update to “notify only” (Pro)
This prevents the “silent downloading” that kills dial-up.
- Press Win + R → type gpedit.msc → Enter
- Go to: Computer Configuration → Administrative Templates → Windows Components → Windows Update → Manage end user experience
- Open Configure Automatic Updates
- Set to Enabled
- In “Options”, choose 2 – Notify for download and auto install
- Click Apply / OK
Also do:
- Delivery Optimization: Settings → Windows Update → Advanced options → Delivery Optimization → Off
2) Stop Microsoft Store auto-updates
Microsoft Store → Profile icon → Settings → turn App updates Off.
3) Stop OneDrive (if you don’t use it)
Right-click OneDrive cloud icon → Quit OneDrive
Then OneDrive Settings → disable Start OneDrive automatically (or uninstall OneDrive).
These three items are the most common “why is my connection pegged?” causes.
Phase 2 (most effective on dial-up): Firewall “Block outbound” + allow only what you want
Important: If you only allow your browser but forget DNS, your browser often won’t resolve any website names. So we’ll allow:
- Your browser
- DNS (svchost/DNS Client) to port 53
Step A — Create allow rule for DNS (so web pages can resolve)
- Press Win + R → type wf.msc → Enter
- Go to Outbound Rules → New Rule…
- Choose Custom → Next
- Program: This program path: C:\Windows\System32\svchost.exe
- Protocol and Ports:
  - Protocol: UDP
  - Remote port: 53
- Scope: leave default (or set remote IP = Any)
- Action: Allow the connection
- Profile: choose the profiles you use (usually Private)
- Name: Allow DNS (UDP 53)
Repeat once more for TCP 53 (some DNS uses TCP):
- Same rule, but Protocol = TCP, Remote port = 53.
Step B — Allow your browser
Outbound Rules → New Rule… → Program → select your browser EXE → Allow.
Example:
- Edge: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
- Firefox: C:\Program Files\Mozilla Firefox\firefox.exe
- Chrome: C:\Program Files\Google\Chrome\Application\chrome.exe
Step C — Now set outbound default to “Block”
- In wf.msc, click Windows Defender Firewall Properties (right side)
- For your active profile (usually Private), set: Outbound connections = Block
- Click OK
At that point, Windows is basically “offline unless you explicitly allowed it.”
If something you need stops working
Tell me what stopped (example: time sync, activation, email client), and I’ll give you the exact additional minimal allow rule.
How to see what’s using the internet (so we can target it)
Since Task Manager isn’t showing it clearly, use Resource Monitor:
- Press Win + R → type resmon → Enter
- Go to Network tab
- Under Processes with Network Activity, click the Send (B/sec) and Receive (B/sec) columns to sort.
If you report the top 2–3 process names you see there (even if it’s just svchost.exe), I can tell you which Windows component it likely is and how to stop that specific traffic.
Two quick questions (so I don’t accidentally break your dial-up connection)
1) What browser do you use (Edge / Chrome / Firefox)?
2) In Resource Monitor → Network, do you see svchost.exe doing the traffic, or something else?
Once I know that, I can give you a very tight “allow list” that keeps dial-up usable while still letting you browse.
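Added example, not part of the original post: Phase 2 (Steps A to C) scripted with the built-in NetSecurity cmdlets, so the allow rules exist before the outbound default flips to Block and the change can be verified and rolled back. It assumes the Private profile and the Edge path listed above; the rule group name is a made-up label used only for cleanup.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Run from an elevated PowerShell.
# Assumptions: active firewall profile is Private; browser is Edge at the path in the post.
$FwProfile = 'Private'
$Browser   = 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
$Svchost   = Join-Path $env:SystemRoot 'System32\svchost.exe'
$Group     = 'Dial-up allow list'   # hypothetical label, lets rollback remove only these rules

# Refuse to continue if the browser path is wrong: blocking outbound with no
# working browser rule would leave the machine unable to browse at all.
if (-not (Test-Path -LiteralPath $Browser)) {
    throw "Browser not found at '$Browser'. Correct the path before blocking outbound."
}

# Helper: create an outbound allow rule only if one with this name does not exist yet.
function Add-AllowRule([string]$Name, [hashtable]$Match) {
    if (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue) { return }
    New-NetFirewallRule -DisplayName $Name -Group $Group -Direction Outbound `
        -Action Allow -Profile $FwProfile @Match | Out-Null
}

# Step A: DNS from svchost.exe to remote port 53, once for UDP and once for TCP.
foreach ($proto in 'UDP', 'TCP') {
    Add-AllowRule "Allow DNS ($proto 53)" @{ Program = $Svchost; Protocol = $proto; RemotePort = 53 }
}

# Step B: the browser executable, any protocol and port.
Add-AllowRule 'Allow browser' @{ Program = $Browser }

# Step C: only now change the profile's outbound default to Block.
Set-NetFirewallProfile -Name $FwProfile -DefaultOutboundAction Block

# Verify: profile default, the three rules just added, and how many other
# enabled outbound allow rules still match traffic on this machine.
Get-NetFirewallProfile -Name $FwProfile | Select-Object Name, Enabled, DefaultOutboundAction
Get-NetFirewallRule -Group $Group | Select-Object DisplayName, Enabled, Direction, Action
$others = Get-NetFirewallRule -Direction Outbound -Enabled True -Action Allow |
    Where-Object { $_.Group -ne $Group }
"Other enabled outbound allow rules to review: $(@($others).Count)"

# Rollback (uncomment to undo):
# Set-NetFirewallProfile -Name $FwProfile -DefaultOutboundAction Allow
# Remove-NetFirewallRule -Group $Group
```

Outbound allow rules that were already enabled keep matching after the default changes to Block, which is why the script reports their count for review.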