
How Do I Determine What WUDFHost.exe is Doing and What It's Associ


24 replies to this topic

#1
NoelC


Since around the time of the installation of Win 8.1 Update 1 I've had a couple of new WUDFHost.exe processes that run all the time.  Today I saw one of them accessing data on a backup volume, which I assume was some kind of maintenance activity - but I'm not sure.

 

My question is this:

 

How can I determine what these processes are doing, why they're here, and what they're associated with (i.e., what feature or device has caused them to be running).  I don't suspect them of causing a specific problem - my system's running fine - but I want to know why they're running.

 

Process Explorer shows them to have been started by these two command lines:

 

"C:\Windows\System32\WUDFHost.exe" -HostGUID:{193a1820-xxxx-xxxx-xxxx-be817523f6aa} -IoEventPortName:HostProcess-ae18c507-xxxx-xxxx-xxxx-ce7a84b73fb2 -SystemEventPortName:HostProcess-76f2d2b0-xxxx-xxxx-xxxx-25de41b0af65 -IoCancelEventPortName:HostProcess-52988628-xxxx-xxxx-xxxx-54018fc05bec -NonStateChangingEventPortName:HostProcess-c981e37e-xxxx-xxxx-xxxx-a8bd344c5791 -ServiceSID:S-1-5-80-dddddddddd-dddddddddd-dddddddddd-dddddddddd-ddddddddd -LifetimeId:8472fac1-xxxx-xxxx-xxxx-680353bbbc7f -DeviceGroupId:WpdFsGroup

 

"C:\Windows\System32\WUDFHost.exe" -HostGUID:{193a1820-xxxx-xxxx-xxxx-be817523f6aa} -IoEventPortName:HostProcess-af2e6f5b-xxxx-xxxx-xxxx-39a9cc13f6d4 -SystemEventPortName:HostProcess-45e89330-xxxx-xxxx-xxxx-9e76811e37aa -IoCancelEventPortName:HostProcess-3007f65c-xxxx-xxxx-xxxx-c6cdd5617944 -NonStateChangingEventPortName:HostProcess-efca4373-xxxx-xxxx-xxxx-cfc06fd83dee -ServiceSID:S-1-5-80-dddddddddd-dddddddddd-dddddddddd-dddddddddd-ddddddddd -LifetimeId:f4aa6ef0-xxxx-xxxx-xxxx-d16f4eefddb2 -DeviceGroupId:WudfDefaultDevicePool

 

As you can see, their function isn't obvious from what's showing.

 

What tools can I use to delve further into what these are and why they're here?

 

Thanks for any help or wisdom you can offer.

 

-Noel





#2
xpclient


WUDF = Windows User Mode Driver Framework, which was introduced in Vista for certain kinds of device drivers (for MTP devices, sensors etc.) to provide greater stability and security than kernel-mode drivers. WUDFHost is the host process for UMDF drivers, including Windows Portable Device (WPD) drivers.




#3
NoelC


Thanks.  The devil appears to be in the details with this one, and I need to track the various GUIDs down to try to see what's associated with what.

 

Some additional clues are found at the ends of the command lines:

 

-DeviceGroupId:WpdFsGroup

-DeviceGroupId:WudfDefaultDevicePool

 

It's possible that at least one of these is because I've got some ReFS formatted drives in my system.

 

-Noel



#4
jaclaz


Did you "obfuscate" this:

{193a1820-xxxx-xxxx-xxxx-be817523f6aa}

and it is in reality:

{193a1820-d9ac-4997-8c55-be817523f6aa} ? :unsure:

 

jaclaz



#5
NoelC


Yes, because I'm not sure what security risks might be exposed by posting them publicly.  I started with the SIDs then figured what the heck, might as well do everything.

 

-Noel



#6
Tripredacus


You may be able to identify what those GUIDs are by searching for them in the registry.




#7
MagicAndre1981


This is easy. Run Process Hacker and look at the Environment Variable:
 
WUDFHost.png
 
Find the "Attached Device" and now search for this in the Registry. In this case it is the emulated GPS from Visual Studio.
 
The second example is my old Hama USB Thumb drive:
 
WUDFHost_2.png
 
Or you can look at the "handles", here you find the handle and can select to open regedit at the location.
 
WUDFHost_3.png



#8
DosProbie


Magic is right, use Process Hacker to dig deeper, plus it's a great alternative to Process Explorer.

http://securityandri...ess-hacker.html

 

~DP :whistle:



#9
NoelC


Ooh, Process Hacker certainly looks interesting.  I'd heard of it but hadn't found the time to look it over.

 

Thanks for the tip, guys!  Off to do some exploring with a bunch of new information...

 

-Noel



#10
NoelC


Wow, fantastic. 

 

Following your footsteps, Andre, in just seconds I have determined that one of my two WUDFHosts is also the SensorsSimulatorDriver as you've shown, and has been installed by Visual Studio 2013.  The good news is that it may not need to be running as I am not developing location-aware software (though I have more checking to do on whether and how it can be safely disabled).

 

The other WUDFHost is hosting the drivers for my two always-present MyBook external USB backup drives, and quite clearly needs to be left alone.

 

I am always impressed at the depth of your knowledge, Andre.  Thank you!

 

-Noel


  • xpclient likes this

#11
NoelC


Well, I found a few posts by people who said they solved problems by removing the driver, implying it's not going to end the Visual Studio world to do so, and I couldn't find any overt setting that turns it off in Visual Studio, so it may just be as simple as disabling it via the Device Manager...

 

DisableLocationSimulatorDriver.png

 

Now that I think back, I think the second WUDFHost may have shown up at the time Visual Studio 2013 Update 2 came in.  At that time I recall it saying something about updating the Windows Phone components, which I thought was odd because I don't develop Windows Phone software and don't even have that option checked in the Visual Studio installer.

 

In any case, Visual Studio seems to come up and work just fine with the location simulator driver disabled, so I'm a happy camper.  I just leaned my system down by one more process.  :D

 

-Noel



#12
MagicAndre1981


Nice to hear that you figured out what those processes do :)



#13
shae


Why would a USB drive need a special driver?

 

And if it's okay to turn this into another Microsoft rant... maybe in Windows 9 the Task Manager would show legible sub-details for WUDFHost and not only for svchost. :)



#14
NoelC


Well, I think Mark Russinovich works for Microsoft now, so in a way Process Explorer is already what you ask - though as you say, the bold new Task Manager should have integrated a lot of that code right into itself, so that it could actually BE a better Task Manager.

 

Notably I didn't make progress in identifying what WUDFHost was doing until I tried Process Hacker with Andre's guidance, though.

 

As far as why a USB disk would require a driver...  In the big sense, doesn't everything require a driver?  In the small sense, maybe wrapping it with WUDFhost is Microsoft's way of mitigating all the system crashes reported through time from USB drivers.

 

-Noel



#15
jaclaz


"As far as why a USB disk would require a driver...  In the big sense, doesn't everything require a driver?  In the small sense, maybe wrapping it with WUDFhost is Microsoft's way of mitigating all the system crashes reported through time from USB drivers."

Or maybe the system is trying to have support for the MTP on the USB bus or for the specific device. :unsure:

 

jaclaz



#16
shae


Even Process Explorer still doesn't show in a simple way what's the function served by each WUDFHost.

 

Regarding drivers for USB, I didn't mean in a general sense, but WUDFHost specifically. I thought it odd that you have it running when your USB HDD is connected, but I just tried a UFD and indeed also here WUDFHost loads. That's news to me.



#17
NoelC


I had thought that it didn't use to show up, but I did a search of the process list logs I've been accumulating daily, and sure enough one WUDFHost process has been running since the day I installed Windows 8.1 (I did so as a clean install after having been running Windows 7).  That the second one showed up is why I started this thread, and now I have verified by my logs that it happened when I installed VS 2013 back in March.

 

Jaclaz, does the media transfer protocol even apply with just a USB disk drive?  I've deconfigured many of the media sharing features.  That being said, Windows Media Player still DOES seem to want to scan my backup drives for media content from time to time.

 

-Noel



#18
NoelC


Let's see whether this turns up any answers:

 

http://social.techne...rum=w8itproperf

 

-Noel



#19
MagicAndre1981


Btw, you can also use WinDbg to find the cause. Attach to the process and run those 2 commands: .load wudfext and !umdevstacks
 

0:009>  .load wudfext 
0:009> !umdevstacks 
Number of device stacks: 1
  Device Stack: 0x0000008aee69f380    Pdo Name: \Device\0000001a
    Active: Yes
    Number of UM devices: 1
    Device 0
      Driver Config Registry Path: SensorsSimulatorDriver
      UMDriver Image Path: C:\Windows\system32\DRIVERS\UMDF\SensorsSimulatorDriver.dll
      Fx Driver: IWDFDriver 0x8aee8e8688
      Fx Device: IWDFDevice 0x8aee8e8968
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\System32\Drivers\UMDF\SensorsSimulatorDriver.dll - 
Error: Symbol SensorsSimulatorDriver!DllGetClassObject is not in the format "module!type::`vftable'".
        IDriverEntry: (unknown type) 0x0000008aee6b86f0
      Open UM files (use !umfile <addr> for details): <None>
      Device XFerMode: CopyImmediately RW: Buffered CTL: Buffered
      Object Tracker Address: 0x0000000000000000
        Object   Tracking OFF
        Refcount Tracking OFF
    DevStack XFerMode: CopyImmediately RW: Buffered CTL: Buffered


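A scripted version of the lookup described in the posts above, added here as an example (it is not from any poster in this thread). It reads the -DeviceGroupId switch from each WUDFHost.exe command line and lists the driver DLLs loaded from the UMDF folder seen in the !umdevstacks output; it assumes an elevated 64-bit PowerShell session, and the variable names are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example: map each WUDFHost.exe instance to the UMDF driver DLLs it hosts.

# Assumption: UMDF driver binaries load from this folder, matching the
# "UMDriver Image Path" line in the WinDbg output above.
$umdfDir = Join-Path $env:SystemRoot 'System32\drivers\UMDF'

Get-CimInstance Win32_Process -Filter "Name = 'WUDFHost.exe'" | ForEach-Object {
    $procId = $_.ProcessId

    # Pull the -DeviceGroupId:<name> switch out of the host's command line
    # (e.g. WpdFsGroup or WudfDefaultDevicePool).
    $group = if ($_.CommandLine -match '-DeviceGroupId:(\S+)') { $Matches[1] } else { '(none)' }

    # Modules loaded from the UMDF folder are the hosted driver DLLs.
    # -like is case-insensitive, so "DRIVERS\UMDF" matches as well.
    $drivers = try {
        (Get-Process -Id $procId -ErrorAction Stop).Modules |
            Where-Object { $_.FileName -like "$umdfDir\*" } |
            ForEach-Object { $_.ModuleName }
    } catch {
        "(modules unavailable: $($_.Exception.Message))"
    }

    [pscustomobject]@{
        PID           = $procId
        DeviceGroupId = $group
        UmdfDrivers   = ($drivers -join ', ')
    }
} | Format-Table -AutoSize -Wrap
```

Keeping the output of a run like this alongside a daily process list gives a baseline, so a new WUDFHost.exe instance or an unfamiliar DLL in the UmdfDrivers column stands out.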

#20
MagicAndre1981


I sent a feature request to Mark. Maybe he implements an easy show of the attached device in an update to Process Explorer.



#21
NoelC

Good idea. I had alluded to that on the discussion board for ProcExp already, but coming from you and with more specific goals, I'm sure he'll see the merit.

-Noel

#22
NoelC


In investigating something else I finally figured out why WUDFHost was running for my external backup drives.

 

Turns out among other things these drives are considered "Portable Devices" in the Device Manager.

 

This doesn't seem unreasonable at first, but a "Portable Device" turns out to be the term for something like a smart phone or music player that can be plugged into a USB port.

 

WUDFHost is NOT started when the devices are disabled in Device Manager in the Portable Devices category.  Yet I do not lose the ability to access the files on the drives.

 

I noticed that media player would look all through these backup drives occasionally, and that plus some warning messages in the System Event Log that I finally was able to find some info on lit the bulb over my head.

 

One less service running, no loss of functionality.  :thumbup

 

-Noel


Edited by NoelC, 12 March 2015 - 06:45 PM.


#23
MagicAndre1981


dmex coded a plugin for ProcessHacker to show which driver is used by WUDFHost.exe in the tooltip:

 

Rnj4nzK.jpg

 

http://processhacker...90&p=5334#p5334



#24
NoelC


Thanks for the follow-up, Andre.  And thank you also for requesting the feature.

 

I don't have any more instances of WUDFHost running on my Win 8.1 workstation,  but I do have some running in my Win 10 test system that I haven't investigated yet, and this plug-in has identified three drivers:

 

WUDFHostOnWin10.png

 

-Noel


Edited by NoelC, 15 April 2015 - 07:34 AM.


#25
MagicAndre1981


It was now merged directly into the program. Get the code from Subversion (svn://svn.code.sf.net/p/processhacker/code/) and compile your own version.





