Not seeing all Windows Update traffic in Fiddler
167 views
Skip to first unread message
term srv
Apr 5, 2018, 10:07:12 PM4/5/18
to Fiddler
I am trying to monitor Windows 7's Windows Update / Windows Defender traffic in Fiddler. Fiddler is set as the system proxy ('Capture Traffic') and BITS:
netsh winhttp set proxy proxy-server="http=127.0.0.1:8888;https=127.0.0.1:8888"
So with both of those set I thought I would be able to watch Windows Update traffic. I do see some traffic but there is an encrypted connection to fe2.update.microsoft.com which does not use the proxy. I can see it in Wireshark.
netsh winhttp set proxy proxy-server="http=127.0.0.1:8888;https=127.0.0.1:8888"
So with both of those set I thought I would be able to watch Windows Update traffic. I do see some traffic but there is an encrypted connection to fe2.update.microsoft.com which does not use the proxy. I can see it in Wireshark.
Eric Lawrence
Apr 9, 2018, 11:08:41 AM4/9/18
to Fiddler
Curious: Did you set this option in both the 32bit and the 64bit consoles?
term srv
Apr 10, 2018, 6:11:35 PM4/10/18
to Fiddler
I didn't set the option in both 32 and 64 but I've since tried that and although it does appear the settings are independent it doesn't seem to have made a difference in my tests. The exact way I was checking for the updates was Windows Defender >
Help > Check For Updates. That uses Windows Update to retrieve the malware protection updates. I think I'm about ready to throw in the towel. I have tried several versions of Fiddler in a VM:
[Dec-30-15] v4.6.2.0
[Jun-12-17] v4.6.20171.26113
[Sep-15-17] v4.6.20173.38786
[Mar-20-18] v5.0.20181.14850
I also tried setting the system proxy manually in internet options, configuring fiddler to use no proxy and then rebooting with the network adapter disabled on start. Then I would start Fiddler, start wireshark on a separate machine and turn on the network adapter. My thinking was maybe Windows Update was caching the proxy settings on startup and by ensuring all proxy settings were already set it would use the proxy. That doesn't appear to be it though, since every which way I tried it I see the HTTPS connection to fe2.update.microsoft.com in Wireshark.
Of course I have HTTPS decryption enabled, the CONNECTs aren't hidden and the CA installed (and the Windows Update usage box is checked in certificate attributes). So at this point it appears there is an HTTPS fe2.update.microsoft.com 443 connection that for whatever reason bypasses the proxy.
[Dec-30-15] v4.6.2.0
[Jun-12-17] v4.6.20171.26113
[Sep-15-17] v4.6.20173.38786
[Mar-20-18] v5.0.20181.14850
I also tried setting the system proxy manually in internet options, configuring fiddler to use no proxy and then rebooting with the network adapter disabled on start. Then I would start Fiddler, start wireshark on a separate machine and turn on the network adapter. My thinking was maybe Windows Update was caching the proxy settings on startup and by ensuring all proxy settings were already set it would use the proxy. That doesn't appear to be it though, since every which way I tried it I see the HTTPS connection to fe2.update.microsoft.com in Wireshark.
Of course I have HTTPS decryption enabled, the CONNECTs aren't hidden and the CA installed (and the Windows Update usage box is checked in certificate attributes). So at this point it appears there is an HTTPS fe2.update.microsoft.com 443 connection that for whatever reason bypasses the proxy.
Reply all
Reply to author
Forward
0 new messages