from Wikipedia
Background Intelligent Transfer Service (BITS)
Developer: Microsoft
Initial release: October 2001; 24 years ago (2001-10)
Stable release: 10.3 / December 7, 2019; 6 years ago (2019-12-07)
Operating system: Microsoft Windows
Type: Download manager
License: Proprietary commercial software
Website: learn.microsoft.com/en-us/windows/win32/bits/background-intelligent-transfer-service-portal

Background Intelligent Transfer Service (BITS) is a component of Microsoft Windows XP and later iterations of the operating systems, which facilitates asynchronous, prioritized, and throttled transfer of files between machines using idle network bandwidth. It is most commonly used by recent versions of Windows Update, Microsoft Update, Windows Server Update Services, and System Center Configuration Manager to deliver software updates to clients, Microsoft's anti-virus scanner Microsoft Security Essentials (a later version of Windows Defender) to fetch signature updates, and is also used by Microsoft's instant messaging products to transfer files. BITS is exposed through the Component Object Model (COM) and the UWP API Windows.Networking.BackgroundTransfer.

Technology

BITS uses idle bandwidth to transfer data. Normally, BITS transfers data in the background, i.e., BITS will only transfer data whenever there is bandwidth which is not being used by other applications. BITS also supports resuming transfers in case of disruptions.

BITS version 1.0 supports only downloads. BITS version 1.2 was included in Windows XP SP1 and Windows 2000 SP3. From version 1.5, BITS supports both downloads and uploads. Uploads require the IIS web server, with BITS server extension, on the receiving side.

Transfers

BITS transfers files on behalf of requesting applications asynchronously, i.e., once an application requests the BITS service for a transfer, it will be free to do any other task, or even terminate. The transfer will continue in the background as long as the network connection is there and the job owner is logged in. BITS jobs do not transfer when the job owner is not signed in.

BITS suspends any ongoing transfer when the network connection is lost or the operating system is shut down. It resumes the transfer from where it left off when the network connection is restored (after the computer is turned back on, if it was shut down). BITS supports transfers over SMB, HTTP and HTTPS.

Bandwidth

BITS attempts to use only spare bandwidth. For example, when applications use 80% of the available bandwidth, BITS will use only the remaining 20%. BITS constantly monitors network traffic for increases or decreases and throttles its own transfers so that foreground applications (such as a web browser) get the bandwidth they need. Note that BITS does not necessarily measure the actual bandwidth. BITS versions 3.0 and up will use Internet Gateway Device counters, if available, to more accurately calculate available bandwidth. Otherwise, BITS will use the speed as reported by the NIC to calculate bandwidth. This can lead to bandwidth calculation errors, for example when a fast network adapter (10 Mbit/s) is connected to the network via a slow link (56 kbit/s).[1]

Jobs

BITS uses a queue to manage file transfers. A BITS session has to be started from an application by creating a Job. A job is a container, which has one or more files to transfer. A newly created job is empty. Files must be added, specifying both the source and destination URIs. While a download job can have any number of files, upload jobs can have only one. Properties can be set for individual files. Jobs inherit the security context of the application that creates them. BITS provides API access to control jobs. A job can be programmatically started, stopped, paused, resumed, and queried for status. Before starting a job, a priority has to be set for it to specify when the job is processed relative to other jobs in the transfer queue. By default, all jobs are of Normal priority. Jobs can optionally be set to High, Low, or Foreground priority. Background transfers are optimized by BITS, which increases and decreases (or throttles) the rate of transfer based on the amount of idle network bandwidth that is available. If a network application begins to consume more bandwidth, BITS decreases its transfer rate to preserve the user's interactive experience, except for Foreground priority downloads.

Scheduling

BITS schedules each job to receive only a finite time slice, during which only that job is allowed to transfer, before it is temporarily paused to give another job a chance to transfer. Higher-priority jobs get a larger share of the time. BITS uses round-robin scheduling to process jobs of the same priority and to prevent a large transfer job from blocking smaller jobs.

When a job is newly created, it is automatically suspended (or paused). It has to be explicitly resumed to be activated. Resuming moves the job to the queued state. On its turn to transfer data, it first connects to the remote server and then starts transferring. After the job's time slice expires, the transfer is temporarily paused, and the job is moved back to the queued state. When the job gets another time slice, it has to connect again before it can transfer. When the job is complete, BITS transfers ownership of the job to the application that created it.

BITS includes a built-in mechanism for error handling and recovery attempts. Errors can be either fatal or transient; either moves a job to the respective state. A transient error is a temporary error that resolves itself after some time. For a transient error, BITS waits for some time and then retries. For fatal errors, BITS transfers control of the job to the creating application, with as much information regarding the error as it can provide.

Command-line interface tools

BITSAdmin command

BITSAdmin
Developer: Microsoft
Stable release: 3.0
Operating system: Microsoft Windows
Type: Command
License: Proprietary commercial software
Website: docs.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin

Microsoft provides a BITS Administration Utility (BITSAdmin) command-line utility to manage BITS jobs. The utility is part of Windows Vista and later.[2][3] It is also available as a part of the Windows XP Service Pack 2 Support Tools[4] or Windows Server 2003 Service Pack 1 Support Tools.[5]

Usage example:

C:\>bitsadmin /transfer myDownloadJob /download /priority normal https://example.com/file.zip C:\file.zip

PowerShell BitsTransfer

In Windows 7, the BITSAdmin utility is deprecated in favor of Windows PowerShell cmdlets.[6] The BitsTransfer PowerShell module provides eight cmdlets with which to manage BITS jobs.[7]

The following example is the equivalent of the BITSAdmin example above:

PS C:\> Start-BitsTransfer -Source "https://example.com/file.zip" -Destination "C:\file.zip" -DisplayName "myDownloadJob"
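
The job life cycle described under Scheduling (created suspended, resumed into the queue, transferred, then handed back to the owner) can be driven step by step with the same module. This is an added example, not part of the original article; the URL and path are the placeholders used above, and the 30-minute timeout is an assumption.

```powershell
# Added example: one BITS download job taken through its states.
Import-Module BitsTransfer

$source      = 'https://example.com/file.zip'   # placeholder URL from the example above
$destination = 'C:\file.zip'                    # placeholder path from the example above
$timeout     = New-TimeSpan -Minutes 30         # assumption: give up after 30 minutes

# -Suspended leaves the new job paused so it can be inspected or configured first.
$job = Start-BitsTransfer -Source $source -Destination $destination `
    -DisplayName 'myDownloadJob' -Priority Normal -Suspended

# Resuming moves the job to the queued state; -Asynchronous returns immediately.
$null = Resume-BitsTransfer -BitsJob $job -Asynchronous

# Poll while BITS is still working on the job (or retrying after a transient error).
$deadline = (Get-Date) + $timeout
$active   = 'Queued', 'Connecting', 'Transferring', 'TransientError'
while (("$($job.JobState)" -in $active) -and ((Get-Date) -lt $deadline)) {
    '{0}: {1:N0} of {2:N0} bytes' -f $job.JobState, $job.BytesTransferred, $job.BytesTotal
    Start-Sleep -Seconds 5
}

switch ("$($job.JobState)") {
    'Transferred' {
        # The data stays in a temporary file until the owner completes the job.
        Complete-BitsTransfer -BitsJob $job
        "Saved $destination"
    }
    'Error' {
        # Fatal error: BITS hands control back together with the error details.
        Write-Warning "Fatal error: $($job.ErrorDescription)"
        Remove-BitsTransfer -BitsJob $job
    }
    default {
        # Timed out while still queued or retrying: cancel so no stale job is left behind.
        Write-Warning "Job still in state $($job.JobState) after $timeout; cancelling"
        Remove-BitsTransfer -BitsJob $job
    }
}
```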

from Grokipedia
Background Intelligent Transfer Service (BITS) is a component of Windows operating systems, introduced with in 2001, that enables asynchronous file transfers—both downloads and uploads—over HTTP web servers and SMB file shares while minimizing impact on active network usage by leveraging idle bandwidth. BITS operates as a that prioritizes transfers to run in the background, automatically throttling speeds based on network conditions to preserve responsiveness for foreground applications, and supports resumption of interrupted transfers after network disconnects or system reboots without requiring manual intervention. It was initially released in version 1.0 with , providing basic prioritized and throttled downloads, and has evolved through multiple versions, incorporating features like upload capabilities (version 1.5 in ), concurrent foreground downloads and SMB support (version 2.0 in SP2), custom HTTP headers and (version 2.5 in ), peer caching (version 3.0 in ), BranchCache integration for WAN optimization (version 4.0 in ), and modern enhancements such as support and MDM policies (version 5.0 and later in and beyond). Key to its design, BITS uses a COM-based interface for developers in C/C++ and .NET environments, while (UWP) apps utilize the Windows.Networking.BackgroundTransfer API; administrators manage jobs via tools like the BitsAdmin command-line utility or cmdlets. Commonly employed by system components such as for delivering patches and updates, BITS also supports enterprise tools like System Center Configuration Manager and enables custom applications for efficient large-file handling in bandwidth-constrained scenarios. Despite its benefits, BITS has been noted for potential risks, as actors have exploited its legitimate service to masquerade malicious downloads, though provides guidelines for monitoring and securing BITS jobs. 
Overall, BITS remains a foundational technology for reliable, low-impact file transfers in Windows environments, with ongoing updates ensuring compatibility with contemporary networking standards like and modern standby modes.

Overview

Purpose

The Background Intelligent Transfer Service (BITS) is a Windows component designed to facilitate asynchronous and throttled file transfers between clients and HTTP web servers or SMB file servers, utilizing available idle network bandwidth to avoid interfering with foreground network activities. Introduced with in 2001, BITS enables low-priority background operations for downloading files to or uploading files from remote servers, allowing applications to initiate transfers that persist independently of the originating process. The primary objectives of BITS include minimizing the impact on users' available bandwidth by dynamically adjusting transfer rates based on network conditions, ensuring that transfers do not compete with interactive or time-sensitive applications. It supports both and scenarios, with a core focus on reliability through the ability to resume interrupted transfers seamlessly after network disruptions, application closures, or system restarts. Key benefits of BITS encompass its resilience to connectivity issues, which prevents and reduces the need for manual retries, as well as its seamless integration with core Windows services such as for efficient delivery of patches and updates without disrupting user workflows. By prioritizing efficiency and resource conservation, BITS enhances overall system performance in managed environments, supporting features like to respect metered connections and power policies.

History

The Background Intelligent Transfer Service (BITS) was developed by to overcome the limitations of synchronous mechanisms in earlier Windows operating systems, which often disrupted user activities and failed to resume after interruptions such as network disconnections or system restarts. By enabling asynchronous, low-priority transfers that utilize idle bandwidth, BITS was designed primarily to support background tasks like without interfering with foreground applications. BITS was initially released as version 1.0 with on October 25, 2001, introducing core features such as prioritized and throttled downloads that could resume automatically after restarts or network issues. Subsequent minor updates, including version 1.2 in 1, provided internal improvements without altering core functionality. Version 1.5, available starting with , added support for uploads and upload-reply operations, along with command-line tools and restrictions for non-administrative users. Version 2.0, introduced in SP2 and SP1, added support for concurrent foreground downloads, SMB paths, file range downloads, and bandwidth limiting. Key enhancements continued in later Windows versions. Version 2.5, introduced in (released January 30, 2007), , and SP3, incorporated custom HTTP headers, support, and certificate-based authentication, while version 3.0 in and added peer caching for optimization and (UAC) compatibility. Windows 7 (released October 22, 2009) brought version 4.0, which enhanced peer caching through integration with BranchCache, introduced more flexible security tokens, and enabled granular for better upload prioritization. Further iterations, such as version 5.0 in , , and (initially released July 29, 2015), added support and non-administrative helper tokens (in Windows 10 version 1607). Version 10.1 was included in Windows 10 Creators Update. 
In and later, including (released October 5, 2021), BITS evolved with versions 10.2 and 10.3, integrating support for Modern Standby to maintain efficient transfers during low-power states and improving security through server certificate validation and policy-based configurations. These updates emphasized power efficiency and security for modern devices. No major version changes have occurred since , with the service remaining stable at version 10.3 as of 2025. BITS continues to be actively used in for background transfers, including updates for via mechanisms. It also supports Azure-related update processes in ecosystems, ensuring reliable file handling for cloud-integrated tasks.

Technology

Transfers

The Background Intelligent Transfer Service (BITS) facilitates file transfers using a set of supported protocols tailored to different network resources. It primarily employs and for transfers to and from web servers, enabling secure and standard web-based file movement. Additionally, BITS supports SMB for accessing file shares on local or remote networks, allowing seamless integration with Windows file systems. These protocols ensure compatibility with common infrastructure while maintaining transfer integrity over varied connections. To handle large files efficiently, BITS employs chunked transfer mechanisms, breaking files into manageable segments for transmission. This approach, combined with HTTP Range headers, allows for precise resumption from the exact byte where a previous transfer interrupted. Resilience is a core feature, with automatic retries triggered on failures such as network timeouts or disconnections; BITS monitors connection health and reattempts transfers exponentially backing off to avoid overwhelming the network. Checkpointing persists transfer state in local storage, enabling resumption even after system reboots, logoffs, or prolonged interruptions without data loss or duplication. These mechanisms ensure high reliability for extended transfers in unstable environments. In recent versions (10.2 and later, Windows 10 October 2018 Update+), BITS supports transfers during Modern Standby on plugged-in devices and customizable HTTP methods for enhanced flexibility. BITS provides symmetric support for both downloads and uploads, treating them similarly in terms of protocol usage and resilience. Downloads pull files from remote sources to machine, while uploads push local files to servers; however, in early versions like BITS 1.0 and 2.0 (introduced with and Server 2003), uploads were restricted to HTTP methods via a custom BITS upload protocol layered on HTTP 1.1, limiting flexibility compared to modern multipart or ranged s. 
Later iterations expanded upload capabilities to full SMB support and more robust HTTP methods. A notable enhancement is transfers through BITS Peercaching, introduced in , which allows clients to source content from nearby peers rather than the origin server, reducing wide-area network load; this feature evolved into integration with BranchCache in subsequent Windows versions for optimized content distribution. The transfer process begins with job initiation, where an application or administrator creates a BITS job specifying the source, destination, and protocol. Once submitted, the transfer executes in the background, leveraging network resources to minimize impact on user activities. Upon completion—or if errors occur—BITS triggers notifications via events, allowing the owning application to respond; transfers persist across sessions as long as the user remains authenticated, ensuring continuity without manual intervention. This flow integrates low-level protocol handling with higher-level orchestration for efficient, unattended operations.

Jobs

In Background Intelligent Transfer Service (BITS), a job serves as the fundamental unit of work for managing file transfers, encapsulating one or more files to be downloaded from or uploaded to HTTP web servers or SMB file shares. Each job includes properties such as a user-defined display name for identification, a type specifying whether it is a , , or upload-reply operation, a priority level (foreground, high, normal, or low) that influences scheduling relative to other jobs, and optional notifications for state changes or completion events. Jobs are created programmatically through the BITS COM API, such as by calling IBackgroundCopyManager::CreateJob to generate a unique GUID and obtain an IBackgroundCopyJob interface, or via command-line tools like BitsAdmin or cmdlets such as Start-BitsTransfer. Upon creation, the job starts in a suspended state, allowing files to be added and properties to be configured before resuming the transfer. jobs support multiple files (up to 200), while upload and upload-reply jobs are limited to one file; files are added using methods like AddFile or AddFileSet, enabling efficient batch operations with individual local and remote paths. Job states progress through a defined life cycle, beginning in the SUSPENDED state for setup, then transitioning to QUEUED (awaiting execution), (establishing server connection), and TRANSFERRING (active movement) as the transfer proceeds. If interruptions occur, the job may enter TRANSIENT_ERROR for automatic retries, governed by configurable delays and timeouts; persistent issues lead to the state. Successful transfers reach TRANSFERRED, with upload-reply jobs additionally awaiting server acknowledgment before finalizing. 
Monitoring occurs via IBackgroundCopyJob::GetState for state queries, progress retrieval through GetProgress, and error details via GetError, which can identify context like HRESULT codes; events such as BG_NOTIFY_JOB_TRANSFERRED enable asynchronous notifications for state changes. For uploads, an additional ACKNOWLEDGED_UPLOAD_REPLY state confirms receipt of the server reply after transfer. Individual files within a job can encounter errors, queried separately via IBackgroundCopyError::GetFile to isolate issues without affecting the entire job. Upon reaching the TRANSFERRED state, a job completes by calling IBackgroundCopyJob::Complete, which finalizes the operation, renames temporary download files to their specified local paths (making them accessible), and transitions the job to ACKNOWLEDGED; incomplete jobs auto-cancel after 90 days, deleting temporary files but retaining uploaded data. Success or error conditions trigger notifications if registered, allowing applications to handle outcomes like logging or user alerts; transient errors retry automatically, while fatal ones require manual intervention, such as canceling the job with Cancel to remove all associated temporary files.

Bandwidth Management

Background Intelligent Transfer Service (BITS) employs a throttling mechanism that dynamically adjusts transfer rates based on available network bandwidth to minimize interference with foreground activities. It monitors network through the Internet Gateway Device (IGD) using UPnP or directly via the network interface card (NIC) to detect idle capacity. When user applications increase bandwidth consumption, BITS reduces its transfer rate accordingly, ensuring that interactive experiences like or streaming remain unaffected. This adaptive approach allows BITS to utilize most of the available bandwidth during low-activity periods while scaling back during high usage. BITS detects idle time by continuously observing patterns in network usage, such as outbound and inbound byte counts at the IGD or NIC level. If no other applications are active on the local network interface, BITS will consume nearly all available bandwidth, even if downstream network segments are congested. During high-activity periods, such as video streaming or file downloads by foreground apps, BITS pauses or throttles transfers to preserve for those activities. Additionally, it incorporates Low Extra Delay Background Transport (LEDBAT) on HTTP connections to alleviate and enhance overall (QoS). For uploads and downloads, BITS applies separate considerations in its throttling, with policies allowing distinct limits for background transfers in each direction. Upload jobs, for instance, can be constrained by session limits, defaulting to a maximum of 50 concurrent upload sessions per user on IIS-enabled servers. Peer caching, integrated via Windows BranchCache, further optimizes bandwidth by enabling devices to share locally cached files with peers on the same network, thereby reducing reliance on external internet bandwidth for repeated transfers. This feature limits the bandwidth used for serving content to peers at 1 Mbps by default, which helps prevent overload on local networks. 
Configuration of bandwidth management in BITS is achieved through Group Policy settings and corresponding registry keys under HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\BITS. Administrators can set maximum bandwidth limits in kilobits per second (Kbps) for specific time windows, such as during business hours, with a minimum enforceable limit of 2 Kbps; a value of 0 effectively blocks transfers. For example, the MaxInternetBandwidth policy (introduced in BITS 2.0) allows defining schedules like 10 Kbps from 8:00 A.M. to 5:00 P.M., while later versions add work-hour and maintenance-specific throttles. These limits integrate with broader QoS policies via mechanisms like LEDBAT, and job priorities can influence bandwidth allocation among active transfers. Registry entries enable fine-tuning of parameters such as maximum bytes per second for transfers, ensuring enterprise-level control without impacting default idle-time behavior.

Scheduling

BITS manages file transfer jobs through a queuing system where new jobs are added to a transfer queue upon resumption from a suspended state. Jobs are assigned one of four priority levels—foreground, high, normal, or low—which determine their execution order relative to others in the queue. Higher-priority jobs preempt lower-priority ones, ensuring critical transfers proceed first, while jobs of the same priority are scheduled using a round-robin algorithm that allocates time slices to each. Execution occurs only when system resources, such as idle network bandwidth, are available, preventing interference with foreground applications or active user tasks. Several triggers influence when queued jobs are processed. BITS detects system idleness, particularly idle network capacity, to initiate or resume transfers without impacting user experience. On battery-powered devices, transfers may pause during battery saver mode to conserve power, though they resume on AC power or when the mode ends. In versions 10.2 and later (Windows 10 October 2018 Update+), BITS supports scheduling during Modern Standby with MDM policies for enterprise management. Administrators can configure time windows via Group Policy to restrict background transfers during specified periods, such as business hours, by setting bandwidth limits to zero, effectively queuing jobs until the window closes. In cases of transient errors during transfers, BITS implements retry logic by automatically attempting resumption after a configurable minimum retry delay, defaulting to 600 seconds (10 minutes). Jobs remain in a transient error state until successful or until the NoProgressTimeout expires, after which they enter an error state; the default inactivity timeout is 90 days before cancellation. For custom timing beyond these defaults, BITS integrates with , allowing jobs to be programmatically resumed at scheduled intervals. 
BITS supports multi-session handling by allowing all foreground-priority jobs to run concurrently alongside a single background-priority job, with files within each job processed serially. Foreground jobs always take precedence over background ones, ensuring interactive transfers are not delayed. The total number of queued jobs is capped at 300 per machine and 60 per user by default, configurable via to manage system load.

Interfaces

Command-Line Tools

BITSAdmin is a legacy command-line tool provided by for managing Background Intelligent Transfer Service (BITS) jobs, allowing users to create, monitor, and control file transfers without requiring programming knowledge. It supports commands such as adding files to jobs (bitsadmin /addfile), resuming suspended transfers (bitsadmin /resume), completing jobs (bitsadmin /complete), and listing active jobs (bitsadmin /list). A basic syntax example for creating and initiating a job is bitsadmin /create /download MyJob http://example.com/file.exe C:\Downloads\file.exe, followed by bitsadmin /resume MyJob to start the transfer. Although deprecated since and , BITSAdmin remains functional on modern Windows versions for . For contemporary management of BITS jobs, provides the BitsTransfer PowerShell module, which offers cmdlets like Add-BitsFile to append files to a job, Start-BitsTransfer to initiate transfers, and Complete-BitsTransfer to finalize and save downloaded files. These cmdlets enable scripting for automated workflows, including error handling through constructs like try-catch blocks to manage interruptions or failures in transfers. For instance, a simple script might use Start-BitsTransfer -Source "http://example.com/file.exe" -Destination "C:\Downloads\file.exe" to queue a synchronous . Command-line tools like BITSAdmin and BitsTransfer cmdlets are commonly used for manual file transfers in administrative tasks, such as downloading updates or monitoring the BITS queue with commands like bitsadmin /list or Get-BitsTransfer. However, they lack a , relying entirely on text-based input, and certain operations—such as modifying system-wide job priorities—require elevated administrator privileges. As of 2019, has recommended transitioning to BitsTransfer cmdlets over the deprecated BITSAdmin for all new scripts and administrative routines to ensure long-term compatibility.

Programming APIs

The Background Intelligent Transfer Service (BITS) exposes a (COM)-based application programming interface (API) that enables developers to create, manage, and monitor asynchronous file transfers within Windows applications. The central interface, IBackgroundCopyManager, facilitates job creation via the CreateJob method, which initializes a new transfer job and returns an IBackgroundCopyJob pointer for subsequent operations such as adding files or setting priorities. Job enumeration is handled through the EnumJobs method, allowing applications to retrieve and inspect active or completed transfers. This COM API has been available since , providing a robust foundation for integrating BITS into . For .NET developers, BITS functionality is accessible through managed wrappers, primarily the BitsManager class in the Microsoft.BackgroundIntelligentTransfer namespace, which abstracts the underlying COM interfaces for easier integration. These wrappers support asynchronous operations, such as creating download jobs and handling completion events, and were first introduced with .NET Framework 4.0 to enable seamless use in managed code environments. Enhancements documented in 2019 extended compatibility to modern .NET runtimes, including support for .NET Core via sample implementations and updated DLL references like BITSReference1_5.dll. A representative C# example for initiating an asynchronous download involves instantiating the manager, creating a job, adding a remote file, and resuming the transfer:

```csharp
// Requires a project reference to BITSReference1_5.dll (the BITS COM interop assembly).
using BITS = BITSReference1_5;

var manager = new BITS.BackgroundCopyManager1_5();
BITS.GUID jobGuid;
BITS.IBackgroundCopyJob job;
manager.CreateJob("Sample Download", BITS.BG_JOB_TYPE.BG_JOB_TYPE_DOWNLOAD, out jobGuid, out job);
job.AddFile("https://example.com/file.exe", @"C:\local\file.exe");

// For notifications: the enclosing class must implement BITS.IBackgroundCopyCallback.
job.SetNotifyInterface(this);
job.SetNotifyFlags(0x0001 | 0x0002); // BG_NOTIFY_JOB_TRANSFERRED | BG_NOTIFY_JOB_ERROR
job.Resume(); // jobs are created suspended; this queues the transfer
```

This approach allows developers to leverage BITS's bandwidth-throttling features without managing low-level COM details. In Win32 C/C++ applications, the BITS COM interfaces are invoked directly after obtaining the IBackgroundCopyManager via CoCreateInstance from the CLSID_BackgroundCopyManager. Key methods include CreateJob for instantiating jobs and AddFiles (or the singular AddFile) on the IBackgroundCopyJob interface to specify source URLs and local destinations. Error conditions are reported through HRESULT return codes, with detailed diagnostics available via the IBackgroundCopyError interface's GetError and GetErrorDescription methods. Custom notifications, such as job state changes or transfer completion, are supported through the IBackgroundCopyCallback interface, which developers implement to receive callbacks during asynchronous operations. These elements ensure reliable integration in native codebases. BITS APIs remain supported in Windows 10 and later versions for desktop applications, with ongoing updates reflected in Microsoft Learn documentation as of 2021, including improved integration for scripting job management. For (UWP) apps introduced in Windows 10, direct BITS API usage is not recommended; instead, the Windows.Networking.BackgroundTransfer provides a tailored alternative for background transfers compliant with app container restrictions.

Applications

Microsoft Uses

Background Intelligent Transfer Service (BITS) has been a core component of since its introduction in , enabling the download of patches and updates by leveraging idle network bandwidth to minimize disruption to other activities. employs BITS jobs to handle these transfers, including support for delta updates that deliver only changed portions of files, thereby reducing data volume and transfer times. This approach ensures reliable, resumable downloads even during network interruptions or power loss. These implementations incorporate Delivery Optimization, which builds on BITS by enabling caching to further optimize bandwidth usage across devices. (WSUS) relies on BITS to download updates from Microsoft Update servers to the WSUS server itself, facilitating efficient enterprise-wide patch distribution. System Center Configuration Manager also uses BITS for delivering updates and software in enterprise environments. BITS performance in these contexts is configurable through Windows settings, such as Delivery Optimization options in Windows 11 under Settings > Windows Update > Delivery Optimization, where users can adjust bandwidth limits to balance transfer speeds with network priorities.

Third-Party Applications

Several third-party applications integrate the Background Intelligent Transfer Service (BITS) to manage file downloads and updates in the background, taking advantage of its capabilities for bandwidth throttling and resumability. This allows developers to offload transfer tasks to the operating system's native service, minimizing user interruption and optimizing network usage during idle periods. For instance, Google Chrome employs BITS for its automatic background updates on Windows systems, ensuring seamless installation without impacting foreground activities. Similarly, Skype for Business uses BITS to download Address Book Services files, facilitating efficient synchronization of contact data. These integrations highlight BITS's role in enhancing for . By leveraging the service's , third-party developers can schedule transfers that resume after interruptions, such as network outages, and limit usage to avoid competing with user-initiated activities. As of 2025, BITS remains a supported component in Windows, though some applications are transitioning to custom protocols for greater control over transfer behaviors.
| Application | Version Introduced | Primary Use Case |
| --- | --- | --- |
| Google Chrome | 2008 | Automatic background updates |
| Skype for Business | 2010 | Downloading address book files |

Security

Misuse and Vulnerabilities

Adversaries have exploited the Background Intelligent Transfer Service (BITS) for persistence by creating long-running jobs that download and execute malicious payloads in the background, often evading antivirus detection due to the service's legitimate use for system updates. For instance, since , Strike beacons have been deployed using BITSAdmin to silently transfer implants over idle bandwidth, allowing attackers to maintain access without triggering network alerts. Other families, such as Egregor , have similarly abused BITS jobs to deliver secondary payloads, persisting for up to 90 days or longer by extending job expiration dates.

A notable vulnerability in BITS is CVE-2020-0787, an elevation of privilege flaw stemming from improper handling of symbolic links during file operations, which enables low-privileged users to overwrite system files and gain SYSTEM-level access; this issue was patched by in March 2020. Attackers have also created rogue BITS jobs through proxy execution techniques, such as invoking BITS-related DLLs via rundll32.exe to bypass execution restrictions and initiate unauthorized transfers.

BITS facilitates living-off-the-land attack vectors, where threat actors leverage its native Windows functionality for command-and-control (C2) communication, blending malicious traffic with routine update downloads to avoid firewall blocks. This technique has been observed in ransomware campaigns, such as those by groups associated with Ryuk around 2020-2021, using BITS for staging attacks on , including healthcare targets. In 2024, the BITSLOTH backdoor was identified, leveraging BITS for command-and-control in a stealthy manner.

Detecting BITS misuse presents significant challenges, as jobs mimic benign system activities like transfers, leaving minimal disk artifacts and relying on the BITS queue manager database for storage, which requires specialized tools for . Without correlating BITS events with anomalous network patterns or notify commands, malicious jobs often remain indistinguishable from legitimate ones, complicating timely remediation.

Mitigation Strategies

To monitor BITS for potential security issues, administrators can review logs in the Event Viewer under the Microsoft-Windows-Bits-Client/Operational channel, focusing on event IDs 59 through 65, which indicate job starts (ID 59), data transfers (ID 60), errors (ID 61), suspensions (ID 62), resumptions (ID 63), completions (ID 64), and removals (ID 65). These events help identify anomalous job activity, such as unexpected transfers or failures that may signal misuse. Additionally, cmdlets like Get-BitsTransfer -AllUsers can query active and pending jobs across users, allowing detection of suspicious parameters, such as downloads from untrusted sources or notify commands that execute post-transfer.

Hardening BITS involves configuring to restrict job creation and management, such as setting the Maximum number of BITS jobs per user or machine to limit proliferation, which can be found under > Administrative Templates > Network > Background Intelligent Transfer Service. To prevent unauthorized uploads, disable anonymous access in related network policies or restrict BITS interface permissions to administrators via settings, reducing the risk of non-privileged users initiating potentially malicious transfers. Regular restarts of the BITS service using commands like sc stop bits followed by sc start bits can clear stalled or compromised jobs, though this requires administrative privileges and should be scheduled during maintenance windows.

Best practices for securing BITS include auditing third-party applications that leverage it for transfers, verifying their job configurations do not enable persistence mechanisms like notify callbacks, and ensuring only trusted software uses the service. Integrating (EDR) tools, such as Microsoft Defender for Endpoint, enables for BITS abuse, including behavioral monitoring of job creations from unusual processes or to suspicious endpoints. can detect malware abusing BITS through behavior-based detection, as demonstrated in analyses of threats like SLoad.

If BITS is unused beyond essential functions, consider disabling the service via services.msc, but note this will impair and other dependent features like delivery optimization. Keeping Windows systems fully patched is essential, as updates address BITS-related vulnerabilities; for instance, recent patches enhance transfer validation to block exploits.
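
The triage criteria named in this section (notify commands, untrusted download sources, long-lived jobs) can be applied to an exported job inventory. The following Python sketch is an added example, not part of the original article or of any Microsoft tooling; the record field names, the allowlist and the 30-day threshold are assumptions, and the sample jobs are constructed.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Assumptions for this example: the allowlist, the age threshold and the
# record field names (name, created, remote_urls, notify_cmd) are hypothetical.
TRUSTED_SUFFIXES = ("windowsupdate.com", "microsoft.com")
MAX_AGE = timedelta(days=30)

def host_is_trusted(url):
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    # Accept the domain itself or a true subdomain only, so a look-alike
    # such as "microsoft.com.cdn-mirror.example" is not trusted.
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def triage_job(job, now):
    """Return the reasons a BITS job record deserves analyst review."""
    reasons = []
    notify = (job.get("notify_cmd") or "").strip()
    if notify:  # program run when the job completes or errors
        reasons.append("notify command set: " + notify)
    for url in job.get("remote_urls", []):
        if not host_is_trusted(url):
            reasons.append("untrusted source: " + url)
    age = now - datetime.fromisoformat(job["created"])
    if age > MAX_AGE:  # jobs kept alive far longer than a normal transfer
        reasons.append(f"long-lived job: {age.days} days old")
    return reasons

# Constructed sample records, not real telemetry.
NOW = datetime(2025, 1, 31, tzinfo=timezone.utc)
SAMPLE_JOBS = [
    {"name": "WU Client Download", "created": "2025-01-30T08:00:00+00:00",
     "remote_urls": ["http://download.windowsupdate.com/c/update.cab"],
     "notify_cmd": ""},
    {"name": "Font Cache Sync", "created": "2024-10-15T00:00:00+00:00",
     "remote_urls": ["https://microsoft.com.cdn-mirror.example/data.bin"],
     "notify_cmd": r"C:\Users\Public\sync.exe"},
]

def triage_all(jobs, now=NOW):
    """Map job name -> reasons, keeping only jobs with at least one finding."""
    findings = {}
    for job in jobs:
        reasons = triage_job(job, now)
        if reasons:
            findings[job["name"]] = reasons
    return findings

if __name__ == "__main__":
    for name, reasons in triage_all(SAMPLE_JOBS).items():
        print(f"{name}: " + "; ".join(reasons))
```

The suffix check compares whole domain labels, so a hostname that merely contains a trusted name is still reported.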
