Is it a Virus?
✔ NO - Safe
Must be in C:\Windows\System32\drivers\netbt.sys
Warning
Typical driver activity
If you see unexpected CPU spikes or many netbt-sys instances, verify signatures and scan for malware
Can I Disable?
⚠ NO - Not Recommended
NetBIOS over TCP/IP supports legacy networking; disable only if you truly do not need it, via adapter settings
What is netbt-sys?
netbt-sys is the Windows NetBIOS over TCP/IP transport driver. It enables legacy name resolution, broadcast signaling, and basic network neighborhood discovery used by Windows file sharing and some older applications. The driver loads during boot and cooperates with the NIC stack and firewall to support legacy networking.
It operates as a kernel driver that provides NetBIOS name resolution over TCP/IP, enabling legacy network service discovery and simple name-to-address translation, while working with the Windows networking stack to maintain compatibility.
Quick Fact: NetBIOS over TCP/IP was widely used in older Windows networks and is still supported for backward compatibility.
Types of NetBIOS Processes (conceptual)
- Driver Component: Core kernel driver interop with TCP/IP stack
- Network Listener: Handles NetBIOS name service requests
- Legacy Session: Supports legacy sessions for SMB name resolution
- Name Query Matcher: Matches NetBIOS names to IPs on local/broadcast networks
- Broadcast Handler: Broadcast-based discovery for workgroups
- System Integration: Cooperates with firewall and NIC drivers
Is netbt-sys Safe?
Yes, netbt-sys is safe when it is the legitimate Windows driver located in the System32\drivers folder and signed by Microsoft.
Is netbt-sys a Virus or Malware?
The real netbt-sys is not a virus. Malware masquerading as drivers should be detected by signatures and verified file paths.
How to Tell if netbt-sys is Legitimate or Malware
- File Location: Must be in C:\Windows\System32\drivers\netbt.sys or similar System32 path. Any netbt.sys elsewhere is suspicious.
- Digital Signature: Right-click netbt.sys in File Explorer -> Properties -> Digital Signatures. Should show Microsoft Corporation.
- Driver Version: Open Properties -> Driver Details to confirm a Microsoft-signed version and recent date.
- Resource Usage: Normal usage is low; unusual CPU/memory activity may indicate a problem.
Red Flags: If netbt.sys is missing from the System32\drivers folder, has no signature, or triggers security alerts, scan with Windows Defender or a trusted AV.
Why Is netbt-sys Running on My PC?
netbt-sys runs as part of the Windows networking stack. It loads to provide NetBIOS over TCP/IP support for legacy name resolution, browser services, and basic network discovery. It may start during boot or when NetBIOS features are used.
Reasons it's running:
- Active NetBIOS Features: NetBIOS name resolution or browsing requires the driver to be active
- Legacy Network Compatibility: Older Windows networks rely on NetBIOS for workgroup name resolution
- Network Discovery: Windows network discovery or SMB-related services trigger loading
- Startup and Services: The NetBIOS driver is loaded during system startup as part of the networking stack
- VPN/Remote Access: Some VPNs or remote access tools may rely on NetBIOS name queries
Can I Disable or Remove netbt-sys?
Disabling netbt-sys is not recommended, as it supports legacy networking. You can disable NetBIOS over TCP/IP in the network adapter settings if you do not need legacy name resolution.
How to Stop netbt-sys
- Disable NetBIOS over TCP/IP: Open Network Connections, select active adapter, Properties, IPv4 > Advanced > NetBIOS over TCP/IP > Disable
- Disable related services: Turn off File and Printer Sharing if not needed
- Restart: Reboot the machine to apply changes
Can I Uninstall netbt-sys?
- ✔ netbt-sys is a core Windows driver and cannot be uninstalled via Programs and Features.
- ✔ To reduce NetBIOS usage, disable NetBIOS over TCP/IP in the network adapter settings and disable legacy networking features.
- ✔ Ensure you keep a modern networking stack: IPv6 enabled, and SMB over TCP/IP if needed.
Common Problems: NetBIOS Driver Issues
If netbt-sys is causing problems, here are common causes and practical fixes that stay focused on NetBIOS over TCP/IP.
Common Causes & Solutions
- Outdated NIC drivers: Update your network adapter driver from the manufacturer or Windows Update
- NetBIOS over TCP/IP misconfiguration: Enable or disable NetBIOS over TCP/IP depending on your network requirements
- Conflicting security software: Temporarily disable third-party firewalls or security apps to test
- Corrupted system files: Run sfc /scannow and DISM to repair Windows system files
- Blocked NetBIOS ports: Ensure UDP 137/138 and TCP 139 are allowed by firewall for required services
- Malware masquerading as netbt: Run a full system scan and verify digital signatures of netbt.sys
Quick Fixes:
1. Update NIC drivers
2. Check NetBIOS over TCP/IP setting in IPv4
3. Restart networking stack or reboot
4. Run Windows Defender full scan
5. Disable unused legacy network features
Frequently Asked Questions
What is netbt-sys?
netbt-sys is the Windows NetBIOS over TCP/IP transport driver, enabling legacy name resolution and simple network discovery.
Is netbt-sys safe?
Yes, when it is the legitimate Microsoft driver located in System32\drivers and signed by Microsoft.
Can I disable NetBIOS over TCP/IP?
Yes, in most cases you can disable NetBIOS over TCP/IP on your network adapter to stop legacy NetBIOS traffic.
Why does netbt-sys run after Windows startup?
It loads as part of the networking stack or when NetBIOS features are used, and may start with the system.
What happens if netbt-sys is missing or corrupted?
Missing or corrupted netbt-sys can cause legacy network discovery and SMB-related issues; run sfc/dism or replace the driver.
How do I verify netbt-sys digital signature?
Navigate to C:\Windows\System32\drivers\netbt.sys, right-click -> Properties -> Digital Signatures; should show Microsoft Windows.