WUDFHost and WMPlayer for USB flash drive - malware?

Maxim_S._Shatskih Member Posts: 10,396
I'm sorry for such a question, which can seem to be moronic, but probably somebody knows the quick and valid answer.

So:

- USB flash drive is inserted to the computer
- it was never ever inserted to this computer before
- AutoPlay is disabled in Control Panel
- NoDriveTypeAutoRun is NOT set
- after the USB flash is inserted, the WUDFHost.exe process is started as Local Service, which starts to _read all files on the USB flash_ (visible in the out-of-the-box Resource Monitor - the button in TaskMgr).
- also, wmplayer.exe is started, without any UI shown.
- when the same drive is inserted the second time, WUDFHost.exe is still started and running, but does not do anything. wmplayer.exe is also started for a brief moment and exits ASAP.
- you eject the USB flash - WUDFHost exits.

Is it legitimate? or malware?

I see some new devnode called "Flash disk" in devmgmt, of the class of "Portable Devices", serviced by UMDF, and a child of UMBus stuff. Also this same string of "Flash Disk" appears in the Windows Media Player UI, if you start it manually.

Is the WUDFHost.exe which is started by flash drive insert - related to this devnode? so, it can be legitimate?

For me, this is a surprise that the flash drive is not only USBSTOR's block disk device devnode, but also some "Portable Device".

I've heard on some "WPD", but I know nothing on it except it is implemented by UMDF.

What is WPD? is it legitimate for Windows Media Player to read all files on a newly inserted flash drive being a client of this WPD interface, serviced by the UMDF host? is it legitimate for the UMDF host for WPD to access the files on a flash drive?

I'm sorry once again, but it is alarming if some processes are started on flash drive insert, especially if this process is reading all of the files on the flash, doing 0.5GB in rather short time.

Is it legitimate behavior of WPD (again - what is it? and how is it related to a block device? is it also related to Windows Phone? or maybe iOS device in the absence of Apple's driver?) and WMPlayer using WPD?

--
Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com

Comments

  • Doron_Holan Member - All Emails Posts: 10,435
    This is by design. Little known fact, UMDF 1.0 shipped in wmplayer for WPD support before it became an external platform.

    d
  • Maxim_S._Shatskih Member Posts: 10,396
    Thanks Doron!

    And what does the second (WPD) driver for the same USB stick mean? Is it some "download/upload files" protocol used by WMPlayer, conceptually similar to down/upload files to WinPhone or its ActiveSync-based predecessors?

    Also: if iTunes (and thus Apple's kmode USB driver) is not installed, and you connect the Apple device, you can browse photos on it using Windows shell. Is this stuff also WPD?

    --
    Maxim S. Shatskih
    Microsoft MVP on File System And Storage
    xxxxx@storagecraft.com
    http://www.storagecraft.com

    "Doron Holan" <xxxxx@microsoft.com> wrote in message news:xxxxx@ntdev...
    > This is by design. Little known fact, UMDF 1.0 shipped in wmplayer for WPD support before it became an external platform.
  • Doron_Holan Member - All Emails Posts: 10,435
    The UMDF driver creates a WPD veneer on top of removable media. Wmplayer used WPD to enumerate media on the devices (find music, video, etc). The Apple device shows up as an MTP device. MTP is a subset of the WPD protocol.

    d

    Bent from my phone
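A check a defender could run to tie the WUDFHost.exe instance described in this thread to the "Portable Devices" (WPD) devnode and to confirm it is the system binary. This is an added example, not part of any post in the thread; it assumes Windows 10 or later (for `Get-PnpDevice`), an elevated prompt, and that the stock host binary lives at `%SystemRoot%\System32\WUDFHost.exe`. The LOCAL SERVICE expectation is the account reported in the original post.

```powershell
# Added example (not from the thread). Run elevated with the flash drive inserted.

# 1. Present devnodes in the "Portable Devices" setup class (class name: WPD).
#    The original post describes such a node as a child of UMBus; print the
#    parent instance ID so that relationship can be compared on this machine.
Get-PnpDevice -Class 'WPD' -PresentOnly -ErrorAction SilentlyContinue |
    ForEach-Object {
        $parent = (Get-PnpDeviceProperty -InstanceId $_.InstanceId `
                   -KeyName 'DEVPKEY_Device_Parent').Data
        [pscustomobject]@{
            FriendlyName = $_.FriendlyName
            InstanceId   = $_.InstanceId
            Service      = $_.Service
            Parent       = $parent
        }
    } | Format-List

# 2. Every running UMDF host process: image path, owner and signature.
#    Assumption: the legitimate image is %SystemRoot%\System32\WUDFHost.exe.
$expectedPath = Join-Path $env:SystemRoot 'System32\WUDFHost.exe'

Get-CimInstance Win32_Process -Filter "Name = 'WUDFHost.exe'" |
    ForEach-Object {
        # GetOwner needs elevation for processes owned by service accounts.
        $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        $sig   = if ($_.ExecutablePath) {
                     Get-AuthenticodeSignature -FilePath $_.ExecutablePath
                 }
        [pscustomobject]@{
            ProcessId      = $_.ProcessId
            Path           = $_.ExecutablePath
            PathIsExpected = ($_.ExecutablePath -eq $expectedPath)
            Owner          = "$($owner.Domain)\$($owner.User)"
            # Thread observation: the host runs as Local Service.
            OwnerIsLocalService = ($owner.User -eq 'LOCAL SERVICE')
            SignatureStatus = $sig.Status
            Signer          = $sig.SignerCertificate.Subject
            CommandLine     = $_.CommandLine
        }
    } | Format-List
```

A host process whose path is not the expected one, or whose signature status is not `Valid`, is the case worth investigating; an instance that matches on both and appears only while a WPD devnode is present fits the by-design behaviour described above.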
  • Alex_Grig Member Posts: 3,238
    I'm afraid it's not a moronic question, it's just a moronic WMP design. Don't you love the fact it also drops a file to your USB stick?
  • Pavel_A Member Posts: 2,674
    On 20-May-2015 19:32, xxxxx@broadcom.com wrote:
    > I'm afraid it's not a moronic question, it's just a moronic WMP design. Don't you love the fact it also drops a file to your USB stick?

    The whole WPD thing is basically about DRM (users _should not_
    have non-encumbered way to copy music and video around, so...)

    By the way, OS X does nearly the same with USB drives (reads a lot,
    creates "cache" directories)... some Linuxes do something like that too...
    And, as I've noted earlier, it's hard to find a flash drive or SATA to
    USB adapter with write-protection switch.

    -- pa
  • Maxim_S._Shatskih Member Posts: 10,396
    > USB adapter with write-protection switch.

    +1

    --
    Maxim S. Shatskih
    Microsoft MVP on File System And Storage
    xxxxx@storagecraft.com
    http://www.storagecraft.com