WUDFHost and WMPlayer for USB flash drive - malware?

I’m sorry for such a question, which can seem to be moronic, but probably somebody knows the quick and valid answer.

So:

  • USB flash drive is inserted to the computer
  • it was never ever inserted to this computer before
  • AutoPlay is disabled in Control Panel
  • NoDriveTypeAutoRun is NOT set
  • after the USB flash is inserted, the WUDFHost.exe process is started as Local Service, which starts to read all files on the USB flash (visible in the out-of-the-box Resource Monitor - the button in TaskMgr).
  • also, wmplayer.exe is started, without any UI shown.
  • when the same drive is inserted the second time, WUDFHost.exe is still started and running, but does not do anything. wmplayer.exe is also started for a brief moment and exits ASAP.
  • you eject the USB flash - WUDFHost exits.

Is it legitimate? or malware?

I see some new devnode called “Flash disk” in devmgmt, of the class of “Portable Devices”, serviced by UMDF, and a child of UMBus stuff. Also this same string of “Flash Disk” appears in the Windows Media Player UI, if you start it manually.

Is the WUDFHost.exe which is started by the flash drive insert related to this devnode? So, can it be legitimate?

For me, this is a surprise that the flash drive is not only USBSTOR’s block disk device devnode, but also some “Portable Device”.

I’ve heard of some “WPD”, but I know nothing about it except that it is implemented by UMDF.

What is WPD? Is it legitimate for Windows Media Player to read all files on a newly inserted flash drive, being a client of this WPD interface, serviced by the UMDF host? Is it legitimate for the UMDF host for WPD to access the files on a flash drive?

I’m sorry once again, but it is alarming if some processes are started on flash drive insert, especially if this process is reading all of the files on the flash, doing 0.5GB in a rather short time.

Is it legitimate behavior of WPD (again - what is it? And how is it related to a block device? Is it also related to Windows Phone? Or maybe an iOS device in the absence of Apple’s driver?) and WMPlayer using WPD?


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com

This is by design. Little known fact, UMDF 1.0 shipped in wmplayer for WPD support before it became an external platform.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Maxim S. Shatskih
Sent: Tuesday, May 19, 2015 1:56 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] WUDFHost and WMPlayer for USB flash drive - malware?



NTDEV is sponsored by OSR

Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev

OSR is HIRING!! See http://www.osr.com/careers

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Thanks Doron!

And what does the second (WPD) driver for the same USB stick mean? Is it some “download/upload files” protocol used by WMPlayer, conceptually similar to down/upload files to WinPhone or its ActiveSync-based predecessors?

Also: if iTunes (and thus Apple’s kmode USB driver) is not installed, and you connect the Apple device, you can browse photos on it using Windows shell. Is this stuff also WPD?


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com

“Doron Holan” wrote in message news:xxxxx@ntdev…
> This is by design. Little known fact, UMDF 1.0 shipped in wmplayer for WPD support before it became an external platform.

The UMDF driver creates a WPD veneer on top of removable media. Wmplayer used WPD to enumerate media on the devices (find music, video, etc.). The Apple device shows up as an MTP device. MTP is a subset of the WPD protocol.

d

Bent from my phone


From: Maxim S. Shatskih
Sent: 5/20/2015 1:16 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] WUDFHost and WMPlayer for USB flash drive - malware?


I’m afraid it’s not a moronic question, it’s just a moronic WMP design. Don’t you love the fact it also drops a file to your USB stick?

On 20-May-2015 19:32, xxxxx@broadcom.com wrote:

> I’m afraid it’s not a moronic question, it’s just a moronic WMP design. Don’t you love the fact it also drops a file to your USB stick?

The whole WPD thing is basically about DRM (users should not
have non-encumbered way to copy music and video around, so…)

By the way, OS X does nearly the same with USB drives (reads a lot,
creates “cache” directories)… some Linuxes do something like that too…
And, as I’ve noted earlier, it’s hard to find a flash drive or SATA to
USB adapter with write-protection switch.

– pa

> USB adapter with write-protection switch.

+1


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com
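
One way to check the question raised in this thread on a live machine, as an added example that is not part of any poster's message: it lists the Portable Devices (WPD class) devnodes and, for each running WUDFHost.exe, reports the image path, account, parent process and Authenticode signature. It assumes Windows 8 or later with the PnpDevice module, an elevated PowerShell session, and the default install location %SystemRoot%\System32\WUDFHost.exe.

```powershell
# Added triage example (not from the thread). Run elevated, with the
# flash drive inserted, so the WPD devnode and its UMDF host are present.

# 1. Devnodes of the "Portable Devices" setup class (class name: WPD).
#    The "Flash Disk" node described in the first post should appear here.
Get-PnpDevice -Class 'WPD' -PresentOnly -ErrorAction SilentlyContinue |
    Select-Object FriendlyName, Status, InstanceId |
    Format-Table -AutoSize

# 2. Every running UMDF host process. Assumption: the genuine binary lives
#    at the default location below; anything else deserves a closer look.
$expected = Join-Path $env:SystemRoot 'System32\WUDFHost.exe'

Get-CimInstance Win32_Process -Filter "Name = 'WUDFHost.exe'" | ForEach-Object {
    # Account the process runs under (the thread reports Local Service).
    $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner

    # Parent may already have exited; $parent is then $null.
    $parent = Get-CimInstance Win32_Process `
        -Filter "ProcessId = $($_.ParentProcessId)"

    # ExecutablePath is empty when the session lacks rights to query it.
    $sig = if ($_.ExecutablePath) {
        Get-AuthenticodeSignature -FilePath $_.ExecutablePath
    }

    [pscustomobject]@{
        ProcessId    = $_.ProcessId
        Path         = $_.ExecutablePath
        PathExpected = ($_.ExecutablePath -eq $expected)
        Account      = '{0}\{1}' -f $owner.Domain, $owner.User
        Parent       = $parent.Name
        SigStatus    = $sig.Status
        Signer       = $sig.SignerCertificate.Subject
        CommandLine  = $_.CommandLine
    }
} | Format-List
```

A WUDFHost.exe whose path is not the expected one, or whose signature status is not Valid, is the case worth investigating. On older PowerShell versions a catalog-signed system binary can report NotSigned, so confirm that result with another signature tool before drawing conclusions.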