
How Do I Determine What WUDFHost.exe is Doing and What It's Associ


18 replies to this topic

#1
NoelC

    Software Engineer

  • Member
  • 975 posts
  • OS:Windows 8.1 x64

Since around the time of the installation of Win 8.1 Update 1 I've had a couple of new WUDFHost.exe processes that run all the time.  Today I saw one of them accessing data on a backup volume, which I assume was some kind of maintenance activity - but I'm not sure.

 

My question is this:

 

How can I determine what these processes are doing, why they're here, and what they're associated with (i.e., what feature or device has caused them to be running).  I don't suspect them of causing a specific problem - my system's running fine - but I want to know why they're running.

 

Process Explorer shows them to have been started by these two command lines:

 

"C:\Windows\System32\WUDFHost.exe" -HostGUID:{193a1820-xxxx-xxxx-xxxx-be817523f6aa} -IoEventPortName:HostProcess-ae18c507-xxxx-xxxx-xxxx-ce7a84b73fb2 -SystemEventPortName:HostProcess-76f2d2b0-xxxx-xxxx-xxxx-25de41b0af65 -IoCancelEventPortName:HostProcess-52988628-xxxx-xxxx-xxxx-54018fc05bec -NonStateChangingEventPortName:HostProcess-c981e37e-xxxx-xxxx-xxxx-a8bd344c5791 -ServiceSID:S-1-5-80-dddddddddd-dddddddddd-dddddddddd-dddddddddd-ddddddddd -LifetimeId:8472fac1-xxxx-xxxx-xxxx-680353bbbc7f -DeviceGroupId:WpdFsGroup

 

"C:\Windows\System32\WUDFHost.exe" -HostGUID:{193a1820-xxxx-xxxx-xxxx-be817523f6aa} -IoEventPortName:HostProcess-af2e6f5b-xxxx-xxxx-xxxx-39a9cc13f6d4 -SystemEventPortName:HostProcess-45e89330-xxxx-xxxx-xxxx-9e76811e37aa -IoCancelEventPortName:HostProcess-3007f65c-xxxx-xxxx-xxxx-c6cdd5617944 -NonStateChangingEventPortName:HostProcess-efca4373-xxxx-xxxx-xxxx-cfc06fd83dee -ServiceSID:S-1-5-80-dddddddddd-dddddddddd-dddddddddd-dddddddddd-ddddddddd -LifetimeId:f4aa6ef0-xxxx-xxxx-xxxx-d16f4eefddb2 -DeviceGroupId:WudfDefaultDevicePool

 

As you can see, their function isn't obvious from what's showing.

 

What tools can I use to delve further into what these are and why they're here?

 

Thanks for any help or wisdom you can offer.

 

-Noel





#2
xpclient

    XP was my idea. 3rd party apps make NT6 my idea.

  • Member
  • 326 posts
  • OS:XP Pro x64

WUDF=Windows User Mode Driver Framework that was introduced in Vista for certain kinds of device drivers (for MTP devices, sensors etc) to provide greater stability and security than kernel-mode drivers. WUDFHost is the host process for UMDF drivers including Windows Portable Device (WPD) drivers.


Impossible to run NT6 without third party fixes.


#3
NoelC


Thanks.  The devil appears to be in the details with this one, and I need to track the various GUIDs down to try to see what's associated with what.

 

Some additional clues are found at the ends of the command lines:

 

-DeviceGroupId:WpdFsGroup

-DeviceGroupId:WudfDefaultDevicePool

 

It's possible that at least one of these is because I've got some ReFS formatted drives in my system.

 

-Noel
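
Added example (not part of any post in this thread): a small Python parser for the `-Name:Value` switches on the WUDFHost.exe command lines posted in #1. It groups the host processes by `-DeviceGroupId` and notes lines that differ from the pattern shown here. The expected image path, the `D:\Temp` sample line and the function names are assumptions made for the example.

```python
import re
from collections import defaultdict

# Command lines as posted in #1 (the "xxxx"/"dddd" placeholders are the poster's).
POSTED = [
    r'"C:\Windows\System32\WUDFHost.exe" -HostGUID:{193a1820-xxxx-xxxx-xxxx-be817523f6aa} -IoEventPortName:HostProcess-ae18c507-xxxx-xxxx-xxxx-ce7a84b73fb2 -SystemEventPortName:HostProcess-76f2d2b0-xxxx-xxxx-xxxx-25de41b0af65 -IoCancelEventPortName:HostProcess-52988628-xxxx-xxxx-xxxx-54018fc05bec -NonStateChangingEventPortName:HostProcess-c981e37e-xxxx-xxxx-xxxx-a8bd344c5791 -ServiceSID:S-1-5-80-dddddddddd-dddddddddd-dddddddddd-dddddddddd-ddddddddd -LifetimeId:8472fac1-xxxx-xxxx-xxxx-680353bbbc7f -DeviceGroupId:WpdFsGroup',
    r'"C:\Windows\System32\WUDFHost.exe" -HostGUID:{193a1820-xxxx-xxxx-xxxx-be817523f6aa} -IoEventPortName:HostProcess-af2e6f5b-xxxx-xxxx-xxxx-39a9cc13f6d4 -SystemEventPortName:HostProcess-45e89330-xxxx-xxxx-xxxx-9e76811e37aa -IoCancelEventPortName:HostProcess-3007f65c-xxxx-xxxx-xxxx-c6cdd5617944 -NonStateChangingEventPortName:HostProcess-efca4373-xxxx-xxxx-xxxx-cfc06fd83dee -ServiceSID:S-1-5-80-dddddddddd-dddddddddd-dddddddddd-dddddddddd-ddddddddd -LifetimeId:f4aa6ef0-xxxx-xxxx-xxxx-d16f4eefddb2 -DeviceGroupId:WudfDefaultDevicePool',
]
# Constructed line (not from the thread) to show what the checks report.
CONSTRUCTED = r'D:\Temp\WUDFHost.exe -DeviceGroupId:WudfDefaultDevicePool'

# Assumption: Windows lives on C:, as in the thread's command lines.
EXPECTED_IMAGE = r'c:\windows\system32\wudfhost.exe'
SWITCH = re.compile(r'(?<!\S)-(\w+):(\S+)')  # -Name:Value tokens

def parse(cmdline):
    """Return (image path, {switch: value}) for one WUDFHost.exe command line."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmdline)
    if not m:
        return "", {}
    return m.group(1) or m.group(2), dict(SWITCH.findall(cmdline[m.end():]))

def triage(cmdlines):
    """Group host processes by DeviceGroupId and collect lines worth a closer look."""
    groups, findings = defaultdict(list), []
    for line in cmdlines:
        image, sw = parse(line)
        group = sw.get("DeviceGroupId", "<none>")
        groups[group].append(sw.get("LifetimeId", "?"))
        if image.lower() != EXPECTED_IMAGE:
            findings.append(f"{group}: unexpected image path {image}")
        # Both posted lines carry a per-service SID; its absence is only a prompt to look closer.
        if not sw.get("ServiceSID", "").startswith("S-1-5-80-"):
            findings.append(f"{group}: no S-1-5-80-... ServiceSID switch")
    return dict(groups), findings

if __name__ == "__main__":
    groups, findings = triage(POSTED + [CONSTRUCTED])
    for name, hosts in groups.items():
        print(f"{name}: {len(hosts)} host process(es), LifetimeId {hosts}")
    for f in findings:
        print("CHECK:", f)
```

The input can be any list of command lines copied from Process Explorer, as in #1; the grouping only says which device pool a host belongs to, not which device or driver it is serving.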



#4
jaclaz

    The Finder

  • Developer
  • 14,197 posts
  • OS:none specified

Did you "obfuscate" this:

{193a1820-xxxx-xxxx-xxxx-be817523f6aa}

and it is in reality:

{193a1820-d9ac-4997-8c55-be817523f6aa} ? :unsure:

 

jaclaz



#5
NoelC


Yes, because I'm not sure what security risks might be exposed by posting them publicly.  I started with the SIDs then figured what the heck, might as well do everything.

 

-Noel



#6
Tripredacus

    K-Mart-ian Legend

  • Super Moderator
  • 9,745 posts
  • OS:Server 2012

Donator

You may be able to identify what those GUIDs are by searching for them in the registry.



#7
MagicAndre1981

    after Windows 7 GA still Vista lover :)

  • Patrons
  • 5,985 posts
  • OS:Vista Ultimate x86

Donator

This is easy. Run Process Hacker and look at the Environment Variable:
 
WUDFHost.png
 
Find the "Attached Device" and now search for this in the Registry. In this case it is the emulated GPS from Visual Studio.
 
The second example is my old Hama USB Thumb drive:
 
WUDFHost_2.png
 
Or you can look at the "handles", here you find the handle and can select to open regedit at the location.
 
WUDFHost_3.png



#8
DosProbie

    Friend of MSFN

  • MSFN Sponsor
  • 719 posts
  • OS:Windows 8.1 x64

Donator

Magic is right, use Process Hacker to dig deeper, plus it's a great alternative to Process Explorer.

http://securityandri...ess-hacker.html

 

~DP :whistle:



#9
NoelC


Ooh, Process Hacker certainly looks interesting.  I'd heard of it but hadn't found the time to look it over.

 

Thanks for the tip, guys!  Off to do some exploring with a bunch of new information...

 

-Noel



#10
NoelC


Wow, fantastic. 

 

Following your footsteps, Andre, in just seconds I have determined that one of my two WUDFHosts is also the SensorsSimulatorDriver as you've shown, and has been installed by Visual Studio 2013.  The good news is that it may not need to be running as I am not developing location-aware software (though I have more checking to do on whether and how it can be safely disabled).

 

The other WUDFHost is hosting the drivers for my two always-present MyBook external USB backup drives, and quite clearly needs to be left alone.

 

I am always impressed at the depth of your knowledge, Andre.  Thank you!

 

-Noel



#11
NoelC


Well, I found a few posts by people who said they solved problems by removing the driver, implying it's not going to end the Visual Studio world to do so, and I couldn't find any overt setting that turns it off in Visual Studio, so it may just be as simple as disabling it via the Device Manager...

 

DisableLocationSimulatorDriver.png

 

Now that I think back, I think the second WUDFHost may have shown up at the time Visual Studio 2013 Update 2 came in.  At that time I recall it saying something about updating the Windows Phone components, which I thought was odd because I don't develop Windows Phone software and don't even have that option checked in the Visual Studio installer.

 

In any case, Visual Studio seems to come up and work just fine with the location simulator driver disabled, so I'm a happy camper.  I just leaned my system down by one more process.  :D

 

-Noel



#12
MagicAndre1981


Nice to hear that you figured out what those processes do :)



#13
shae

    Member

  • Member
  • 255 posts

Why would a USB drive need a special driver?

 

And if it's okay to turn this into another Microsoft rant... maybe in Windows 9 the Task Manager would show legible sub-details for WUDFHost and not only for svchost. :)



#14
NoelC


Well, I think Mark Russinovich works for Microsoft now, so in a way Process Explorer is already what you ask - though as you say, the bold new Task Manager should have integrated a lot of that code right into itself, so that it could actually BE a better Task Manager.

 

Notably I didn't make progress in identifying what WUDFHost was doing until I tried Process Hacker with Andre's guidance, though.

 

As far as why a USB disk would require a driver...  In the big sense, doesn't everything require a driver?  In the small sense, maybe wrapping it with WUDFhost is Microsoft's way of mitigating all the system crashes reported through time from USB drivers.

 

-Noel



#15
jaclaz


> As far as why a USB disk would require a driver...  In the big sense, doesn't everything require a driver?  In the small sense, maybe wrapping it with WUDFhost is Microsoft's way of mitigating all the system crashes reported through time from USB drivers.

Or maybe the system is trying to have support for the MTP on the USB bus or for the specific device. :unsure:

 

jaclaz



#16
shae


Even Process Explorer still doesn't show in a simple way what's the function served by each WUDFHost.

 

Regarding drivers for USB, I didn't mean in a general sense, but WUDFHost specifically. I thought it odd that you have it running when your USB HDD is connected, but I just tried a UFD and indeed also here WUDFHost loads. That's news to me.



#17
NoelC


I had thought that it didn't used to show up, but I did a search of the process list logs I've been accumulating daily, and sure enough one WUDFHost process has been running since the day I installed Windows 8.1 (I did so as a clean install after having been running Windows 7).  That the second one showed up is why I started this thread, and now I have verified by my logs that it happened when I installed VS 2013 back in March.

 

Jaclaz, does the media transfer protocol even apply with just a USB disk drive?  I've deconfigured many of the media sharing features.  That being said, Windows Media Player still DOES seem to want to scan my backup drives for media content from time to time.

 

-Noel



#18
NoelC


Let's see whether this turns up any answers:

 

http://social.techne...rum=w8itproperf

 

-Noel



#19
MagicAndre1981


btw, you can also use WinDbg to find the cause. Attach to the process and run those 2 commands: .load wudfext !umdevstacks
 

0:009>  .load wudfext 
0:009> !umdevstacks 
Number of device stacks: 1
  Device Stack: 0x0000008aee69f380    Pdo Name: \Device\0000001a
    Active: Yes
    Number of UM devices: 1
    Device 0
      Driver Config Registry Path: SensorsSimulatorDriver
      UMDriver Image Path: C:\Windows\system32\DRIVERS\UMDF\SensorsSimulatorDriver.dll
      Fx Driver: IWDFDriver 0x8aee8e8688
      Fx Device: IWDFDevice 0x8aee8e8968
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\System32\Drivers\UMDF\SensorsSimulatorDriver.dll - 
Error: Symbol SensorsSimulatorDriver!DllGetClassObject is not in the format "module!type::`vftable'".
        IDriverEntry: (unknown type) 0x0000008aee6b86f0
      Open UM files (use !umfile <addr> for details): <None>
      Device XFerMode: CopyImmediately RW: Buffered CTL: Buffered
      Object Tracker Address: 0x0000000000000000
        Object   Tracking OFF
        Refcount Tracking OFF
    DevStack XFerMode: CopyImmediately RW: Buffered CTL: Buffered

