Hi Doug,
W2K/NT5; dunno about hidden directory rules in that kluge. It hasn't been high on my list to delve any more into M$ internal obfuscation - I just assume there are trapdoors yet to be ID'd. My naive guess would be to find the errant Task; surely a necessary component - by elimination. There may be a perfect Rixtool for that - alas! he has given up on entire M$ platform, re any future devs and is seeking a new OS venue; this despite his many years of effort in creating small bulletproof utils to illuminate Doze errata. (Maybe XP and its direction of final obfuscation -- was the final straw)
Here be present 'Doze related tools at [link|http://www.radsoft.net/| Radsoft]
Here's what may? be his latest venture (if it's the Right Rick) [link|http://rixstep.com/| Rixstep].
Also [link|http://www.sysinternals.com/| Sysinternals] has some compact monitoring utils - which also seem relevant. Filemon.exe is impressive (to me).
re ZA: What happens if you check (programs menu) X X for these listed items, and allow NONE server access. One would likely do packet-sniff things, but you know all that stuff.
With the reproducible effects - obv. you are looking to decide the method being used: no longer 'if'. I'm sure many here would like to know what the wannabe-Big Boys are fielding - thus far. Clearly they plan to get better and better - at pabulum-feeding a billion people ??! The hubris - but Ah... the techno folks like Cisco who WILL pander. Capitalism thy surname is Prostitution.
Why do scenes from The Boys from Brazil keep running through the internal viewer? (If you missed that, you Gotta find a copy!)
Luck with the sleuthing; I be too iggerant to offer even a first approach, though I'd bet there are some freeware utils already - capable of illuminating the process.
Ashton