Jump to content

How Do I Determine What WUDFHost.exe is Doing and What It's Associ


NoelC

Recommended Posts

Since around the time of the installation of Win 8.1 Update 1 I've had a couple of new WUDFHost.exe processes that run all the time.  Today I saw one of them accessing data on a backup volume, which I assume was some kind of maintenance activity - but I'm not sure.

 

My question is this:

 

How can I determine what these processes are doing, why they're here, and what they're associated with (i.e., what feature or device has caused them to be running).  I don't suspect them of causing a specific problem - my system's running fine - but I want to know why they're running.

 

Process Explorer shows them to have been started by these two command lines:

 

"C:\Windows\System32\WUDFHost.exe" -HostGUID:{193a1820-xxxx-xxxx-xxxx-be817523f6aa} -IoEventPortName:HostProcess-ae18c507-xxxx-xxxx-xxxx-ce7a84b73fb2 -SystemEventPortName:HostProcess-76f2d2b0-xxxx-xxxx-xxxx-25de41b0af65 -IoCancelEventPortName:HostProcess-52988628-xxxx-xxxx-xxxx-54018fc05bec -NonStateChangingEventPortName:HostProcess-c981e37e-xxxx-xxxx-xxxx-a8bd344c5791 -ServiceSID:S-1-5-80-dddddddddd-dddddddddd-dddddddddd-dddddddddd-ddddddddd -LifetimeId:8472fac1-xxxx-xxxx-xxxx-680353bbbc7f -DeviceGroupId:WpdFsGroup

 

"C:\Windows\System32\WUDFHost.exe" -HostGUID:{193a1820-xxxx-xxxx-xxxx-be817523f6aa} -IoEventPortName:HostProcess-af2e6f5b-xxxx-xxxx-xxxx-39a9cc13f6d4 -SystemEventPortName:HostProcess-45e89330-xxxx-xxxx-xxxx-9e76811e37aa -IoCancelEventPortName:HostProcess-3007f65c-xxxx-xxxx-xxxx-c6cdd5617944 -NonStateChangingEventPortName:HostProcess-efca4373-xxxx-xxxx-xxxx-cfc06fd83dee -ServiceSID:S-1-5-80-dddddddddd-dddddddddd-dddddddddd-dddddddddd-ddddddddd -LifetimeId:f4aa6ef0-xxxx-xxxx-xxxx-d16f4eefddb2 -DeviceGroupId:WudfDefaultDevicePool

 

As you can see, their function isn't obvious from what's showing.

 

What tools can I used to delve further into what these are and why they're here?

 

Thanks for any help or wisdom you can offer.

 

-Noel

Link to comment
Share on other sites


WUDF=Windows User Mode Driver Framework that was introduced in Vista for certain kinds of device drivers (for MTP devices, sensors etc) to provide greater stability and security than kernel-mode drivers.. WUDFHost is the host process for UMDF drivers including Windows Portable Device (WPD) drivers.

Link to comment
Share on other sites

Thanks.  The devil appears to be in the details with this one, and I need to track the various GUIDs down to try to see what's associated with what.

 

Some additional clues are found at the ends of the command lines:

 

-DeviceGroupId:WpdFsGroup

-DeviceGroupId:WudfDefaultDevicePool

 

It's possible that at least one of these is because I've got some ReFS formatted drives in my system.

 

-Noel

Link to comment
Share on other sites

Yes, because I'm not sure what security risks might be exposed by posting them publicly.  I started with the SIDs then figured what the heck, might as well do everything.

 

-Noel

Link to comment
Share on other sites

  • 1 month later...

This is easy. Run processHacker and look at the Environment Variable:
 
WUDFHost.png
 
find the "Attached Device" and now search for this in the Registry. In this case it is the emulated GPS from the Visual Studio.
 
The second example is my old Hama USB Thumb drive:
 
WUDFHost_2.png
 
Or you can look at the "handles", here you find the handle and can select to open regedit at the location.
 
WUDFHost_3.png

Link to comment
Share on other sites

Ooh, Process Hacker certainly looks interesting.  I'd heard of it but hadn't found the time to look it over.

 

Thanks for the tip. guys!  Off to do some exploring with a bunch of new information...

 

-Noel

Link to comment
Share on other sites

Wow, fantastic. 

 

Following your footsteps, Andre, in just seconds I have determined that one of my two WUDFHosts is also the SensorsSimulatorDriver as you've shown, and has been installed by Visual Studio 2013.  The good news is that it may not need to be running as I am not developing location-aware software (though I have more checking to do on whether and how it can be safely disabled).

 

The other WUDFHost is hosting the drivers for my two always-present MyBook external USB backup drives, and quite clearly needs to be left alone.

 

I am always impressed at the depth of your knowledge, Andre.  Thank you!

 

-Noel

Link to comment
Share on other sites

Well, I found a few posts by people who said they solved problems by removing the driver, implying it's not going to end the Visual Studio world to do so, and I couldn't find any overt setting that turns it off in Visual Studio, so it may just be as simple as disabling it via the Device Manager...

 

DisableLocationSimulatorDriver.png

 

Now that I think back, I think the second WUDFHost may have shown up at the time Visual Studio 2013 Update 2 came in.  At that time I recall it saying something about updating the Windows Phone components, which I thought was odd because I don't develop Windows Phone software and don't even have that option checked in the Visual Studio installer.

 

In any case, Visual Studio seems to come up and work just fine with the location simulator driver disabled, so I'm a happy camper.  I just leaned my system down by one more process.  :D

 

-Noel

Link to comment
Share on other sites

Why would a USB drive need a special driver?

 

And if it's okay to turn this into another Microsoft rant... maybe in Windows 9 the Task Manager would show legible sub-details for WUDFHost and not only for svchost. :)

Link to comment
Share on other sites

Well, I think Mark Russinovich works for Microsoft now, so in a way Process Explorer is already what you ask - though as you say, the bold new Task Manager should have integrated a lot of that code right into itself, so that it could actually BE a better Task Manager.

 

Notably I didn't make progress in identifying what WUDFHost was doing until I tried Process Hacker with Andre's guidance, though.

 

As far as why a USB disk would require a driver...  In the big sense, doesn't everything require a driver?  In the small sense, maybe wrapping it with WUDFhost is Microsoft's way of mitigating all the system crashes reported through time from USB drivers.

 

-Noel

Link to comment
Share on other sites

As far as why a USB disk would require a driver...  In the big sense, doesn't everything require a driver?  In the small sense, maybe wrapping it with WUDFhost is Microsoft's way of mitigating all the system crashes reported through time from USB drivers.

Or maybe the system is trying to have support for the MTP on the USB bus or for the specific device. :unsure:

 

jaclaz

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...