NoelC Posted July 5, 2014

Since around the time of the installation of Win 8.1 Update 1 I've had a couple of new WUDFHost.exe processes that run all the time. Today I saw one of them accessing data on a backup volume, which I assume was some kind of maintenance activity - but I'm not sure.

My question is this: How can I determine what these processes are doing, why they're here, and what they're associated with (i.e., what feature or device has caused them to be running)? I don't suspect them of causing a specific problem - my system's running fine - but I want to know why they're running.

Process Explorer shows them to have been started by these two command lines:

    "C:\Windows\System32\WUDFHost.exe" -HostGUID:{193a1820-xxxx-xxxx-xxxx-be817523f6aa} -IoEventPortName:HostProcess-ae18c507-xxxx-xxxx-xxxx-ce7a84b73fb2 -SystemEventPortName:HostProcess-76f2d2b0-xxxx-xxxx-xxxx-25de41b0af65 -IoCancelEventPortName:HostProcess-52988628-xxxx-xxxx-xxxx-54018fc05bec -NonStateChangingEventPortName:HostProcess-c981e37e-xxxx-xxxx-xxxx-a8bd344c5791 -ServiceSID:S-1-5-80-dddddddddd-dddddddddd-dddddddddd-dddddddddd-ddddddddd -LifetimeId:8472fac1-xxxx-xxxx-xxxx-680353bbbc7f -DeviceGroupId:WpdFsGroup

    "C:\Windows\System32\WUDFHost.exe" -HostGUID:{193a1820-xxxx-xxxx-xxxx-be817523f6aa} -IoEventPortName:HostProcess-af2e6f5b-xxxx-xxxx-xxxx-39a9cc13f6d4 -SystemEventPortName:HostProcess-45e89330-xxxx-xxxx-xxxx-9e76811e37aa -IoCancelEventPortName:HostProcess-3007f65c-xxxx-xxxx-xxxx-c6cdd5617944 -NonStateChangingEventPortName:HostProcess-efca4373-xxxx-xxxx-xxxx-cfc06fd83dee -ServiceSID:S-1-5-80-dddddddddd-dddddddddd-dddddddddd-dddddddddd-ddddddddd -LifetimeId:f4aa6ef0-xxxx-xxxx-xxxx-d16f4eefddb2 -DeviceGroupId:WudfDefaultDevicePool

As you can see, their function isn't obvious from what's showing. What tools can I use to delve further into what these are and why they're here?

Thanks for any help or wisdom you can offer.

-Noel
xpclient Posted July 6, 2014

WUDF = Windows User Mode Driver Framework, which was introduced in Vista for certain kinds of device drivers (for MTP devices, sensors etc.) to provide greater stability and security than kernel-mode drivers. WUDFHost is the host process for UMDF drivers, including Windows Portable Device (WPD) drivers.
NoelC (Author) Posted July 6, 2014

Thanks. The devil appears to be in the details with this one, and I need to track the various GUIDs down to try to see what's associated with what.

Some additional clues are found at the ends of the command lines:

    -DeviceGroupId:WpdFsGroup
    -DeviceGroupId:WudfDefaultDevicePool

It's possible that at least one of these is because I've got some ReFS formatted drives in my system.

-Noel
jaclaz Posted July 6, 2014

Did you "obfuscate" this: {193a1820-xxxx-xxxx-xxxx-be817523f6aa} and it is in reality: {193a1820-d9ac-4997-8c55-be817523f6aa}?

jaclaz
NoelC (Author) Posted July 6, 2014

Yes, because I'm not sure what security risks might be exposed by posting them publicly. I started with the SIDs, then figured what the heck, might as well do everything.

-Noel
Tripredacus Posted July 7, 2014

You may be able to identify what those GUIDs are by searching for them in the registry.
MagicAndre1981 Posted August 17, 2014

This is easy. Run Process Hacker and look at the Environment Variables: find the "Attached Device" and now search for this in the Registry. In this case it is the emulated GPS from the Visual Studio.

The second example is my old Hama USB thumb drive:

Or you can look at the "handles"; here you find the handle and can select to open regedit at the location.
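The manual steps from the question and the two replies above (read the WUDFHost command line, then search the registry for the identifiers in it) can be scripted. The following PowerShell is an added example written for this page; it is not code from the thread, from Process Hacker, or from Microsoft. It does not read the process environment block the way Process Hacker does; instead it parses the -HostGUID, -DeviceGroupId, -LifetimeId and -ServiceSID switches from the command line reported by Win32_Process, checks that the image is the Microsoft-signed System32 binary, and then searches for the group name and the bare GUID under a few registry roots. The roots (Enum, Control\WUDF, Services under CurrentControlSet) are an assumption about where PnP and UMDF data lives; a root that does not exist is simply skipped. Run it from an elevated session, since WUDFHost runs as a service account and its command line is not visible to a standard user.

```powershell
# Added example (not from the thread): map each running WUDFHost.exe to its
# command-line identifiers and look those up in the registry.
# Assumes an elevated PowerShell 5.1+ session on Windows 8.1 or later.

function Get-CommandLineSwitch {
    # Return the value of "-Name:value" from a WUDFHost command line, or $null.
    param([string]$CommandLine, [string]$Name)
    if ($CommandLine -match "-${Name}:(\S+)") { return $Matches[1] }
    return $null
}

function Get-WudfHostInfo {
    # One object per WUDFHost.exe process, with the identifiers parsed out.
    Get-CimInstance Win32_Process -Filter "Name = 'WUDFHost.exe'" | ForEach-Object {
        [pscustomobject]@{
            ProcessId      = $_.ProcessId
            ExecutablePath = $_.ExecutablePath
            HostGUID       = Get-CommandLineSwitch $_.CommandLine 'HostGUID'
            DeviceGroupId  = Get-CommandLineSwitch $_.CommandLine 'DeviceGroupId'
            LifetimeId     = Get-CommandLineSwitch $_.CommandLine 'LifetimeId'
            ServiceSID     = Get-CommandLineSwitch $_.CommandLine 'ServiceSID'
        }
    }
}

function Test-ImageSignature {
    # Sanity check: the genuine host lives in System32 and carries a valid Microsoft signature.
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path   = $Path
        Status = $sig.Status                   # expect "Valid"
        Signer = $sig.SignerCertificate.Subject
    }
}

function Find-RegistryString {
    # Recursively look for $Needle in key names and in value data under each root.
    param([string]$Needle, [string[]]$Roots)
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            if ($key.PSChildName -like "*$Needle*") {
                [pscustomobject]@{ Key = $key.Name; ValueName = '(key name)'; Data = $key.PSChildName }
            }
            foreach ($valueName in $key.GetValueNames()) {
                $data = "$($key.GetValue($valueName))"   # multi-strings are joined with spaces
                if ($data -like "*$Needle*") {
                    [pscustomobject]@{ Key = $key.Name; ValueName = $valueName; Data = $data }
                }
            }
        }
    }
}

# Assumed search roots: PnP device instances plus the UMDF control and service keys.
$registryRoots = @(
    'HKLM:\SYSTEM\CurrentControlSet\Enum',
    'HKLM:\SYSTEM\CurrentControlSet\Control\WUDF',
    'HKLM:\SYSTEM\CurrentControlSet\Services'
)

foreach ($inst in Get-WudfHostInfo) {
    Write-Output "=== WUDFHost.exe PID $($inst.ProcessId) ==="
    Test-ImageSignature -Path $inst.ExecutablePath | Format-List | Out-String | Write-Output
    $inst | Format-List HostGUID, DeviceGroupId, LifetimeId, ServiceSID | Out-String | Write-Output

    # Search for the group name and the bare GUID (braces stripped so either form matches).
    $needles = @($inst.DeviceGroupId, $inst.HostGUID) | Where-Object { $_ } |
               ForEach-Object { $_.Trim('{}') }
    foreach ($needle in $needles) {
        Write-Output "--- registry entries mentioning '$needle'"
        Find-RegistryString -Needle $needle -Roots $registryRoots |
            Format-Table -AutoSize -Wrap | Out-String | Write-Output
    }
}
```

The registry walk is the slow part (Enum and Services are large); narrowing $registryRoots once you know which branch holds the hits makes repeat runs quick. The signature check is there because a process named WUDFHost.exe is only reassuring if it is the signed binary in System32, which is the first thing to confirm before spending time on what it hosts.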
DosProbie Posted August 17, 2014

Magic is right. Use Process Hacker to dig deeper; plus it's a great alternative to Process Explorer. http://securityandrisk.blogspot.com/2010/03/process-explorer-vs-process-hacker.html

~DP
NoelC (Author) Posted August 17, 2014

Ooh, Process Hacker certainly looks interesting. I'd heard of it but hadn't found the time to look it over. Thanks for the tip, guys! Off to do some exploring with a bunch of new information...

-Noel
NoelC (Author) Posted August 17, 2014

Wow, fantastic. Following your footsteps, Andre, in just seconds I have determined that one of my two WUDFHosts is also the SensorsSimulatorDriver as you've shown, and has been installed by Visual Studio 2013. The good news is that it may not need to be running, as I am not developing location-aware software (though I have more checking to do on whether and how it can be safely disabled).

The other WUDFHost is hosting the drivers for my two always-present MyBook external USB backup drives, and quite clearly needs to be left alone.

I am always impressed at the depth of your knowledge, Andre. Thank you!

-Noel
NoelC (Author) Posted August 17, 2014

Well, I found a few posts by people who said they solved problems by removing the driver, implying it's not going to end the Visual Studio world to do so, and I couldn't find any overt setting that turns it off in Visual Studio, so it may just be as simple as disabling it via the Device Manager...

Now that I think back, I think the second WUDFHost may have shown up at the time Visual Studio 2013 Update 2 came in. At that time I recall it saying something about updating the Windows Phone components, which I thought was odd because I don't develop Windows Phone software and don't even have that option checked in the Visual Studio installer.

In any case, Visual Studio seems to come up and work just fine with the location simulator driver disabled, so I'm a happy camper. I just leaned my system down by one more process.

-Noel
MagicAndre1981 Posted August 17, 2014

Nice to hear that you figured out what those processes do.
osRe Posted August 17, 2014

Why would a USB drive need a special driver?

And if it's okay to turn this into another Microsoft rant... maybe in Windows 9 the Task Manager would show legible sub-details for WUDFHost and not only for svchost.
NoelC (Author) Posted August 17, 2014

Well, I think Mark Russinovich works for Microsoft now, so in a way Process Explorer is already what you ask - though as you say, the bold new Task Manager should have integrated a lot of that code right into itself, so that it could actually BE a better Task Manager. Notably, I didn't make progress in identifying what WUDFHost was doing until I tried Process Hacker with Andre's guidance, though.

As far as why a USB disk would require a driver... In the big sense, doesn't everything require a driver? In the small sense, maybe wrapping it with WUDFHost is Microsoft's way of mitigating all the system crashes reported through time from USB drivers.

-Noel
jaclaz Posted August 17, 2014

"As far as why a USB disk would require a driver... In the big sense, doesn't everything require a driver? In the small sense, maybe wrapping it with WUDFHost is Microsoft's way of mitigating all the system crashes reported through time from USB drivers."

Or maybe the system is trying to have support for the MTP on the USB bus or for the specific device.

jaclaz