Solution to capturing WMZuneComm.exe traffic
424 views
Skip to first unread message
EricLaw
Apr 3, 2011, 12:26:36 PM4/3/11
to Fiddler
So, I've found the solution for this. :-)
For whatever reason, the WMZuneComm.exe service is hardcoded to use an
automatically detected proxy setting, not whatever setting that you
may have had configured in IE.
The "AutoDetect" settings are configured using a process called WPAD,
which depends on DHCP. Fortunately, a friend of mine wrote a DHCP
server whose sole job it is to announce that Fiddler is the proxy that
everyone should be using.
You can find his extension here: http://deletethis.net/dave/wpadserverfiddlerextension/
After you install it, on the Tools > WPAD Server Settings screen, in
the Response Filtering section, choose "No Response Filtering", or
create an ALLOW Filter for the local computer's IPv6 loopback address.
(I'll ask Dave to make the next version do this automatically).
After that, you'll find that when your Zune attaches to the computer,
the "Server log" screen in Dave's extension shows your computer
querying for the autoproxy, to which it returns a proxy configuration
script that tells the client to use Fiddler as the proxy.
Subsequently, you can see traffic from both the device and from the
Zune Update software (WMZuneComm.exe). For instance, when you choose
"Settings > Phone > Update" in the Zune client, you'll see the
following traffic:
HEAD http://download.windowsupdate.com/WM/MicrosoftUpdate/redir/duredir.cab
200 OK (application/octet-stream)
HEAD http://download.microsoft.com/WM/MicrosoftUpdate/redir/duredir.cab
200 OK (application/octet-stream)
HEAD http://www.update.microsoft.com/WM/MicrosoftUpdate/Redir/duredir.cab
200 OK (application/octet-stream)
HEAD http://www.update.microsoft.com/WM/MicrosoftUpdate/Selfupdate/duident.cab
200 OK (application/octet-stream)
POST https://www.update.microsoft.com/v6/ClientWebService/client.asmx
200 OK (text/xml)
HEAD http://download.windowsupdate.com/WM/MicrosoftUpdate/redir/duredir.cab
200 OK (application/octet-stream)
For whatever reason, the WMZuneComm.exe service is hardcoded to use an
automatically detected proxy setting, not whatever setting that you
may have had configured in IE.
The "AutoDetect" settings are configured using a process called WPAD,
which depends on DHCP. Fortunately, a friend of mine wrote a DHCP
server whose sole job it is to announce that Fiddler is the proxy that
everyone should be using.
You can find his extension here: http://deletethis.net/dave/wpadserverfiddlerextension/
After you install it, on the Tools > WPAD Server Settings screen, in
the Response Filtering section, choose "No Response Filtering", or
create an ALLOW Filter for the local computer's IPv6 loopback address.
(I'll ask Dave to make the next version do this automatically).
After that, you'll find that when your Zune attaches to the computer,
the "Server log" screen in Dave's extension shows your computer
querying for the autoproxy, to which it returns a proxy configuration
script that tells the client to use Fiddler as the proxy.
Subsequently, you can see traffic from both the device and from the
Zune Update software (WMZuneComm.exe). For instance, when you choose
"Settings > Phone > Update" in the Zune client, you'll see the
following traffic:
HEAD http://download.windowsupdate.com/WM/MicrosoftUpdate/redir/duredir.cab
200 OK (application/octet-stream)
HEAD http://download.microsoft.com/WM/MicrosoftUpdate/redir/duredir.cab
200 OK (application/octet-stream)
HEAD http://www.update.microsoft.com/WM/MicrosoftUpdate/Redir/duredir.cab
200 OK (application/octet-stream)
HEAD http://www.update.microsoft.com/WM/MicrosoftUpdate/Selfupdate/duident.cab
200 OK (application/octet-stream)
POST https://www.update.microsoft.com/v6/ClientWebService/client.asmx
200 OK (text/xml)
HEAD http://download.windowsupdate.com/WM/MicrosoftUpdate/redir/duredir.cab
200 OK (application/octet-stream)
EricLaw
Apr 3, 2011, 12:35:07 PM4/3/11
to Fiddler
One caveat: I haven't figured out how to get the WMZuneComm.exe client
to *stop* using the local Fiddler instance as a proxy. It appears that
closing Fiddler and restarting the service and the Zune client isn't
enough.
> HEADhttp://www.update.microsoft.com/WM/MicrosoftUpdate/Selfupdate/duident...
> 200 OK (application/octet-stream)
>
> POSThttps://www.update.microsoft.com/v6/ClientWebService/client.asmx
> 200 OK (text/xml)
>
> HEADhttp://download.windowsupdate.com/WM/MicrosoftUpdate/redir/duredir.cab
> 200 OK (application/octet-stream)
to *stop* using the local Fiddler instance as a proxy. It appears that
closing Fiddler and restarting the service and the Zune client isn't
enough.
> 200 OK (application/octet-stream)
>
> POSThttps://www.update.microsoft.com/v6/ClientWebService/client.asmx
> 200 OK (text/xml)
>
> HEADhttp://download.windowsupdate.com/WM/MicrosoftUpdate/redir/duredir.cab
> 200 OK (application/octet-stream)
EricLaw
Apr 3, 2011, 12:44:50 PM4/3/11
to Fiddler
Oh, Dave provided the instructions-- you must restart the DHCP Client
service, because it caches DHCP responses, including the one generated
by his plugin.
> > 200 OK (application/octet-stream)- Hide quoted text -
>
> - Show quoted text -
service, because it caches DHCP responses, including the one generated
by his plugin.
>
> - Show quoted text -
Leon Zandman
Apr 5, 2011, 4:54:13 PM4/5/11
to Fiddler
Wow, really cool! Thanks a lot. Gonna try this method.
Greetings,
Leon Zandman
Greetings,
Leon Zandman
Reply all
Reply to author
Forward
0 new messages