Why does EpicGamesLauncher hook into every process on my machine? (and keep them open after they close?)

EDIT: FIxed as of 4/13

 

So venting here. Everyone wants their own game store, everyone wants a piece of the gamer pie. I get it. But for the love of all that’s holy, please code it right.

This is not how to do it folks;

Why god why?

Here’s the RAM I get back by killing their process, note that the working set of EpicGamesLauncher is about 232MB

 

Ok so I killed it when the handles were a bajillion;

In Use is about 12135 MB

So I killed it

 

I get back 405MB of RAM, even though the tool itself was only using a little over half that. Why? Zombie Processes and Threads held open.

 

Why in Slack? Steam? Anthem? WTF?!

 

This post brought to you by the letter F and the number 1.

 

Yes a tickets been open with them for 5 days as of posting this.

Peace out.

Logitech software fails to save settings? Fix here.

So, I’m a gamer.

And I’ve sort of settled on the Logitech series of gaming gear, C920, G213, G602. Running their gaming software (except for the overwolf overlay, I don’t need it, don’t stream).

Something that has kind of been nagging me, on the lower end of reality, is that when I set my mouse DPI, or notification preferences, post-reboot, they all disappeared. So at 5 am this morning I decided to find out why.

The answer is, for some reason, part of the tools installed by Logitech, namely LCore.exe in “C:\Program Files\Logitech Gaming Software”, does not run elevated by default. Why doesn’t it? I don’t know. Why does it need Administrator right? That’s actually a good question. I found tons of ACCESS DENIED events when I reproduced setting the check boxes as I preferred in the

To fix this do the following:

  • press the Windows Key + X
  • Select File Explorer
  • paste C:\Program Files\Logitech Gaming Software in the address bar and hit enter
  • Right click on LCore.exe and select Properties
  • Click the tab Compatibility
  • Check the box for Run As Administrator and click OK
  • Close File Explorer. Reboot.

Now you should have a system that saves your settings you want, like mouse DPI scaling, or button preferences, or not getting a notification Every Single Time you run a game that has a profile!

Proof in the pudding

Procmon showing LCore can’t access/write to its own key structure.

I checked the rights assignment. I tried changing rights on the regkey from the default, but the issue persisted. It probably has other keys it is trying to use, that are not located in HK_Local_Machine, but it’s 6:13 AM and I’m doing this pro bono, so maybe Logitech can noodle the specifics out and make a better installer for next rev.

Here’s what the registry rights were:

registry rights (unmodified)

 

 

Q/A

  • What up?  Nadda, you?
  • Why did you get lazy and not figure all this out and document it for Logitech?  I’m kinda tired right now, might edit after I sleep again.
  • What is the security impact of running LCore as administrator? It runs as administrator so it can screw stuff up if it gets exploited, etc. This is a design flaw of some kind in how they either 1) packaged the installer or program; or 2) a poorly tested solution. Well, or 3) both.

I personally had this issue, but it’s well documented at many places as a problem;

https://answers.microsoft.com/en-us/windows/forum/windows_vista-hardware/logitech-g5-mouse-settings-wont-save/

https://superuser.com/questions/421238/logitech-setpoint-doesnt-save-settings-windows-7

 

G303 doesn’t save RGB settings from LogitechG

Windows 10 N and Removable Storage Access Policies…not working as expected.

So I was doing some troubleshooting, answering questions, being helpful, the typical Wednesday afternoon, when I found that the policies for Removable Storage Access on Windows 10 N do not apply as expected.

The crux of the issue is that Windows 10 N does not have a media player. I think. Pretty sure that’s the break. Why would not having a media player break removable storage policies? Great question!

The GPOs I am talking about are these:

So, I think what the issue is, is that media player handling is part of the service that also manages removable storage. Since N doesn’t have a media player, it doesn’t need that service either.. I am pretty sure someone in Redmond was thinking that. Here is the services list from a Windows 10 Pro host:

The fine print says the following;

“Enforces group policy for removable mass-storage devices. Enables applications such as Windows Media Player and Image Import Wizard to transfer and synchronize content using removable mass-storage devices.”

Ok, so N doesn’t have Windows Media Player. So the “Portable Device Enumerator Service” is not present (no, really, see, it isn’t listed below):

As a result, these policies show as enabled, but don’t apply. See I can access my CD-Rom below:

Did that, then GPUpdate /force, checked the Event Log; I can see the Machine side processing successfully. How can it do this with the service missing? I don’t know.

Shout out to Mark over at spiceworks.com for finding this and bringing it to global attention; (internet and all) GPO to block USB drives is applied, but not working.

Troubleshooting: Tracking down what executed updates in Windows 10

“Why did I get an update installed on my Windows 10 machine?”

At first blush, this sounds like an easy-peasy kinda question to answer. But in a managed enterprise, with multiple IT departments that might not always play nice together, this can be a prickly subject. Because the question really isn’t “Why did this update install?”. It is usually something more like the CEO asking “Why did my PC slow down while I was in a board meeting presentation?”

And again, it’s a fair question. And should be easy. Except when it isn’t. Like today.

“Which management system we use caused an update to occur at this particular time point?”

For this, on 10 I asked for the output of Get-WindowsUpdateLog in an administrative PowerShell prompt. But the output came back formatted weirdly. Snippet below with removing some info (date, time made up)

2018/07/XX 5:55:03.0332383 149280 120000 Unknown( 13): GUID=a2b43708-af59-32cd-48bc-7cf111dee98e.
2018/07/XX 5:55:04.9808283 149280 120000 Unknown( 16): GUID=a2b43708-af59-32cd-48bc-7cf111dee98e.
2018/07/XX 5:55:04.9819252 149280 149372 Unknown( 19): GUID=1bce64d0-3b5c-3a28-bd28-0e6a0b1dc374.
2018/07/XX 5:55:08.2263039 4872 148044 Unknown( 12): GUID=26bba210-72d3-3f28-a89e-6bdc4716006d.
2018/07/XX 5:55:08.2263914 4872 148044 Unknown( 12): GUID=26bba210-72d3-3f28-a89e-6bdc4716006d.
2018/07/XX 5:55:08.2264610 4872 148044 Unknown( 18): GUID=8bc93df4-dfb7-3bd8-4da6-97dda6e01d4f.
2018/07/XX 5:55:29.5807238 4872 148180 Unknown( 19): GUID=7d6df39d-a28f-39fb-0934-ccd9f7428391.
2018/07/XX 5:55:29.5807720 4872 148180 Unknown( 63): GUID=d7143c12-c53a-301e-eff4-e0e2b985334a.

Ok….

So I have PID and I have presumably Thread ID. Don’t know what the process, or what it was doing, and then a GUID which might be helpful.

As it turns out I had previously given the customer instructions on how to collect ETW traces for me using WPRui. So we also had a trace too!

In the trace, my first question was “Did my product cause this?”

In it we found lots of disk activity, but nothing related to updates at all.

So I then tracked down the PID 149280 in the ETW trace, using WPA.

So, it’s a PIA to look manually for PID appended to all these process ids…I could ctrl+F and search in column for my PID, or I could add the PID value to the columns by right clicking a column and checking the box for PID. I searched.

Ok, so now we know the PID is MonitoringHost.exe…this doesn’t sound like something that would be pushing updates to a system, or does it?

Let us pretend we don’t know, how do we find out what this is? Couple ways, add a path to the process view I showed above will give a hint usually. The other would be to look for the parent PID and see who owns it. Lets do both…

Awesome. It’s the Microsoft Monitoring Agent. I k now from reading https://blogs.technet.microsoft.com/msoms/2016/08/17/the-many-faces-of-the-microsoft-monitoring-agent/ that this is some part of either SCOM/SCCM/OMS/Whatever else uses this common binary…

So what is it doing? Let us stack walk shall we?

I add a view from Computation in WPA to the Analysis view. Specifically ‘CPU Usage (Sampled)’, change it to Usage by Process, Stack. Then add Module and Function. I then find my process and right click/filter to selection to remove all other processes. Then simply right click the stack column and select ‘Expand Column’.

I see this is running .net, but I really only care about stacks from the specific binaries, so I scroll down a bit…

And I see this stack

This kinda stood out to me… (truncated them so they wouldn’t line wrap on a browser window… or trying to do that. Whatever I don’t know WordPress.)

OMSRunbookWorkerRegistration.dll!AgentService.OmsHybridRegistration.PowerShell.Commandlets.OmsHybridRunbookWorker

and

Hybrid.Registration.Cmdlets.dll!AgentService.HybridRegistration.PowerShell.Registry.HybridWorkerRegistry

Ok, so now I know it’s OMS code, running runbooks. Lets see what that does…

https://docs.microsoft.com/en-us/azure/automation/automation-update-management Spells it out pretty well…

Computers that are managed by Update Management use the following configurations to perform assessment and update deployments:

Microsoft Monitoring Agent (MMA) for Windows or Linux
PowerShell Desired State Configuration (DSC) for Linux
Automation Hybrid Runbook Worker
Microsoft Update or Windows Server Update Services (WSUS) for Windows computers

Well ok, I see Runbook Worker Registration happening, so it’s running that. Looks pretty likely this is what’s causing Windows Updates to patch.

 

Again, why?

Because I saw the PID of the process referenced in the WindowsUpdate Log

I analyzed the code the PID is running and I see clearly that it is running code for components that are used by an Azure patch automation offering.

How did it get there on the machine? Don’t know, not enough data, maybe someone testing out something, or configured into this by accident. Magic 8 ball says “future is uncertain”.

 

Peace!

Jeff Stokes

What does “A referral was returned from the server” on Windows mean?

It turns out, it can mean the binary you are running has a bad certificate.

Bust this.

I downloaded the latest insider preview for the Windows 10 ADK.

Then I simply wanted to capture a trace…

Ok…so, weird? So I launch a command prompt, try it that way, (WPR works fine, just no UI btw).

Ok…weird-er?

So I procmon’d it. ‘Cause, “when in doubt, procmon

Why is WPRUI.exe being scanned heavily by Defender? What gives?

Ok, and what is BAM.sys? Exactly?

So, I did some searching, and someone noticed if they get this error “A referral was returned from the server” it meant digital sigs were busted… so I checked. Surely Microsoft didn’t ship a binary with a bad cert…right?

……..

So that’s a quick and dirty “Why the hell is this happening” brought to you by the dude.

 

Cheers

 

The dude is out

Dude here, I’ve left Microsoft, again. I don’t get notified when comments are left here as a result. Apologies for being a bad curator.

I can’t take this content with me, I don’t think. So leaving here “for the record”.

Best of luck,

Jeff

What does the new Microsoft Ultimate Power Plan do? (not much)

There has been some excitement in the announcement of Microsoft’s new Ultimate Power Plan. This power plan, for those who haven’t heard about it, is destined for Windows 10 Professional for Workstations. The setting also is present in Windows 10 Professional and Enterprise build 1803, but you have to add it in an administrative cmdline.

powercfg -duplicatescheme e9a42b02-d5df-448d-aa00-03f14749eb61

 

After doing this, it appears in your Power Options:

Ultimate Power is ready!

So, what does it do exactly?

Well, right now, I don’t think it does anything High Performance doesn’t do.

What what?!

Yeah, so here I am running minerd, a CPU hashing program. It’s parked on 4 cores of my AMD Ryzen 2700x.

Now what is the hash rate for each. The same.

hash rates on each plan

So, what gives?

Do a dump of High Performance, and Ultimate. It’s not hard.

Dump:

set power plan to high performance
powercfg -query > C:\temp\high.txt
change to your power plan to ultimate
powercfg -query > C:\temp\ultimate.txt
???
compare
profit!

 

So what’s next?

Uh, nothing? I’m personally staying on Ryzen because it works a ton better than Balanced and saves a smidge of power. For an Intel in a production environment? High. What about Ultimate? Meh for now. Sorry Microsoft.

Other power articles:

http://www.wservernews.com/newsletters/archives/power-plan-considerations-12679.html

Server 2012 and balanced power plan

Server 2012 and balanced power plan, part deux – processor queue length

 

 

 

Performance Series Part 2 – How to import an xml file into Perfmon on Windows.

Applies to: Windows 7+, Windows Server 2008 R2+
Target audience: People I support primarily. Anyone who wants to perf like a pro?

Why

There may come a time where you need to import an xml file given to you by a support person into Perfmon. This is so precise, targeted data captures can be made of the impacted system, or sometimes to baseline a system to know what good looks like.

What

The xml file is a template that defines the performance metrics to capture and also sometimes time intervals, file format for the results file, etc.

How

Step 1: Open Perfmon (start/perfmon or computer management/performance)

Step 2: Expand Performance and go to Data Collector Sets then User Defined.

Step 3:  Right Click the User Defined folder then select New > Data Collector Set.

Step 4: Give it a name and leave the “Create from a template” selected. Click Next.

Step 5: Click Browse and then select this file.

Step 6: Click through the wizard (next/next) and then select the top radio button “Open properties for this data collector set“.

Step 7: If you want to tweak anything about this collection, now is the time to do it. Most of the configuration has been done for you though. 200 MB rolling logs created in sequence with host name in the file name. This collects at a 1 second interval, to preserve space you can adjust to 5 or 10 seconds if you like. You do this by right clicking “Pal System Overview” under your data collector.

 

 

 

 

 

And then modifying the field you want to modify (in this example, Seconds)

 

 

 

 

 

 

 

 

 

Step 7: Once you are happy with the configuration, right click your data collector set and select Start.

 

Note this does not sustain through a restart/crash of Windows. To do that you need to follow this article: https://blogs.technet.microsoft.com/jeff_stokes/2011/11/16/how-to-sustain-your-data-collector-set-through-a-reboot/

Performance Series Part 1 – How to collect an ETW/Xperf trace to capture general performance issues

Applies to: Windows 7+, Windows Server 2008 R2+
Target audience: People I support primarily. Anyone who wants to perf like a pro?

Step 1: Get the Windows Performance Toolkit, by way of the Windows Assessment and Deployment Kit. Since every iteration of the WPT happens to be distributed slightly differently than the previous version, I’ve included the MSFT guide on getting the most recent as a link. As it stands now, run through the web installer and uncheck everything but “Windows Performance Toolkit”.

It is worth noting that the resulting Windows Kits folder with the WPT in it is typically portable. Meaning once you install, you can usually copy/paste the folder to another host without going through the web installer again. There are also redist executables to install just the WPT for ‘next time/next system’ as well.

Step 2: Open WPRui (Start/WPRUI/enter)

Step 3: Expand the “More Options” caret.

  • Expand Resource Analysis.
    • Select “CPU Usage”,
    • Select “Disk I/O Activity”,
    • Select “File I/O Activity”
  • Expand Scenario Analysis.
    • Select “Minifilter I/O activity”

Step 3a: Optionally I may have you skip this and click “Add Profiles…” and add a custom XML instead of check individual boxes.

Step 4: Validate the Performance Scenario is “General”, Detail Level is “Verbose” and Logging mode is “Memory”.

Step 5: Click “Start” and then reproduce the ‘bad behavior’.

Step 6:  Let the collection run for the amount of time I gave you (or a couple minutes) and then click stop.

Step 7:  Wait.

Zip and upload the resulting ETL file and the same-named NGEN.PDB folder (if present) to me.

Activate dual displays in Nvidia control panel SLI area doesn’t seem to use both GPUs as advertised.

So I was playing a video game on one monitor while watching a video on the other.

And I noted that the video was stuttering in spots. And generally when the screen action got busy in the game. I have 2 1070ti GPUs in my system, this shouldn’t really be happening…

Complete stats of the system are on pcpartpicker.

Anyway, the setting I have in Nvidia doesn’t seem to be working as advertised. Take a look:

So note at the bottom the text “Your GPUs will drive all connected displays while optimizing rendering performance whenever possible using SLI or multi-GPU rendering.”

Awesome, sign me up….why does it say SLI disabled then?

I thought I should dig in more so I enabled the GPU activity icon in my notification area in Windows 10.

When I click on it though, no matter which app is on which monitor, the GPU activity reports no activity on one GPU…

But yeah check this out, the 2nd tab;

So why is everything on one GPU?!

Task Manager seems to back this up, the consumed video ram is 200MB on the one with no apps running, and 2GB with the one that has all the apps.

The only time I see activity on the 2nd GPU is when I take a screenshot with Snagit (presumably because Snagit is capturing what is displayed on the GPU itself? dunno).

So is this enough proof/diagnostic info/screenscraps and graphs to analyze? Not really;

I fire up WPRui from the Windows Performance Toolkit;

Note I have selected in this options area;

  • 1st level triage
  • CPU
  • Disk I/O activity
  • Video glitches
  • HTML Responsive analysis

(HTML because my movie is playing off a plex.tv host on my LAN)

And I hit start, run a game intro, watch some Rodney Dangerfield for a minute or three, and then stop the trace.

Interestingly, when I try to open the WPA tool and read the trace, it hangs…

Warning: EventSink {13399e05-4afd-48fd-ba25-6b673a7a2b92} signaled an Invalid Event:
Event#: 25707928 (T#0:#25707928)
TimeStamp: 120768768, Process: 2916, Thread: 20636, Cpu: 4
ClassicEventGuid: {01853a65-418f-4f36-aefc-dc0f1d2fd235}
ClassicEventDescriptor: 0x0c 0x00 0x0002
MofLength: 112
InitializeSession: OnEnd: Finished pass 1
InitializeSession: OnBegin: Starting pass 2

 

This is on insider preview Win10 pro, slow ring, and the preview ADK as well… more to come.