Any Netlimiter users in the house?

Discussion in 'PC' started by StormChaser, May 22, 2024.

  1. StormChaser

    StormChaser Producer

    Joined:
    Jan 16, 2021
    Messages:
    296
    Likes Received:
    119
    Hey Guys

    I have been using Netlimiter for a good few years now and think its a great little app but recently I have been wondering if something is possible. My DAW's pluginhost is always trying to make various outbound connections using the bitwigpluginhost-x64-sse41.exe is there any way to find out what is actually trying to make the connection connected to the pluginhost as in a VST/DLL/VST3 etc to make a better determination as to whether to "Perm Deny" or "Perm Allow"

    Thank you in advance.

    SC
     
    Last edited: May 22, 2024

    Attached Files:

  2.  
  3. tzzsmk

    tzzsmk Audiosexual

    Joined:
    Sep 13, 2016
    Messages:
    3,716
    Likes Received:
    2,282
    Location:
    Heart of Europe
    it's trying to authenticate a certain plugin, hard to tell which
     
  4. StormChaser

    StormChaser Producer

    Joined:
    Jan 16, 2021
    Messages:
    296
    Likes Received:
    119
    Hey tzzsmk

    yeah totally get that part but I am looking for a way to find out what is attaching to bitwigpluginhost-x64-sse41.exe to generate the TCP request.

    Looking in ProcMon I can see a bit more inforamation but it doesnt show me the IP Address and the Port and PID from Netlimiter doesnt show anything for TCP requests in ProcMon.
     
  5. saccamano

    saccamano Audiosexual

    Joined:
    Mar 26, 2023
    Messages:
    1,288
    Likes Received:
    522
    Location:
    CBGB omfug
    More than likely if you cannot readily see what is initiating the connection it's probably been farmed out to SVChost. SVChost among other things, is a nifty little way for coders to mask their network calls to a generic and cloaked host interface. Since you break way more than you fix by blocking SVChost (way too much other stuff uses it) you would be better spent to block bitwigpluginhost-x64-sse41 and be done with it.
     
  6. Xupito

    Xupito Audiosexual

    Joined:
    Jan 21, 2012
    Messages:
    7,292
    Likes Received:
    4,028
    Location:
    Europe
    Sad but true. It's literally called SerViCeHost so a lot of them are running in any Winows.

    Knowing MSoft probably some of them blowing out our dear PC's asshole without vaseline.
     
  7. orbitbooster

    orbitbooster Audiosexual

    Joined:
    Jan 8, 2018
    Messages:
    1,125
    Likes Received:
    626
    Don't bother, first try to deny it.
    If anything works, good, if not, delete the deny and create a rule to allow only localhost connection.
     
  8. tzzsmk

    tzzsmk Audiosexual

    Joined:
    Sep 13, 2016
    Messages:
    3,716
    Likes Received:
    2,282
    Location:
    Heart of Europe
    1) you can remove all plugins from the folder and try adding one by one until the popup shows
    2) Wireshark can probably tell you anything about what's going on in network packets
     
    • Agree Agree x 1
    • Useful Useful x 1
    • List
  9. StormChaser

    StormChaser Producer

    Joined:
    Jan 16, 2021
    Messages:
    296
    Likes Received:
    119
    I am so so close.

    I have figured out how to see the vst3/dll processes that are attached to the bitwigpluginhost-x64-sse41.exe and causing the outbound connection by using the process/stack modules and looking for any TCP/UDP send operations for that process and its clear what plugins are bound to this bitwigpluginhost-x64-sse41.exe but what I havent yet figured out it how to match the outbound IP address Netlimiter shows me to the vst3/dll to know which one is the one trying to communicate out.

    Doing a search for the IP address shown from Netlimiter doesnt show me anything, neither does it in Network Monitor.

    I have highlighted the vst3/dll in the attached image, this from my default Bitwig template which loads a couple of VST as part of my base template. Once you start digging it quite interesting to see.

    I am that close I can almost taste it :)
     
    Last edited: May 23, 2024

    Attached Files:

  10. Skaunker

    Skaunker Kapellmeister

    Joined:
    Apr 3, 2015
    Messages:
    78
    Likes Received:
    45
    good job, I bet poweruser tools like procexp may have this feature too of "process stack" "threads" "handles" dependencies too, and can be used to interrogate the svchost snitch on other cases.
     
  11. StormChaser

    StormChaser Producer

    Joined:
    Jan 16, 2021
    Messages:
    296
    Likes Received:
    119
    So true I can see some outbound connections are being triggered by SVCHOST and as you rightely said I am not going to block SVCHOST but I will be able to block SVCHOST to a specific outbound IP address as long as I am certain the IP address is something to do with my DAW or Plugins which I would be happy with.

    The lsass.exe process is another one which likes to try and chatter out when using my DAW the above approach should also work for this process too but I need to do a lot more digging which I will do once I am happy with the bitwigpluginhost-x64-sse41.exe
     
  12. StormChaser

    StormChaser Producer

    Joined:
    Jan 16, 2021
    Messages:
    296
    Likes Received:
    119
    I did start with that but it didnt give me what I was looking for. Still a fantastic little application.

    I just did a reverse IP address lookup and Tracert on one of outbound IP address both the approaches came back with the same result, whatever this is, I dont use Chrome or any Google Apps but could just be some kind hosting farm like the azures or the amazonnaws

    116.115.201.35.bc.googleusercontent.com [35.201.115.116]
     
  13. tzzsmk

    tzzsmk Audiosexual

    Joined:
    Sep 13, 2016
    Messages:
    3,716
    Likes Received:
    2,282
    Location:
    Heart of Europe
    that IP address belongs to USA, Missouri, Kansas, Google Cloud, Google LLC,
    so I wouldn't be surprised if it was some generic API like fonts or some telemetry
     
  14. saccamano

    saccamano Audiosexual

    Joined:
    Mar 26, 2023
    Messages:
    1,288
    Likes Received:
    522
    Location:
    CBGB omfug
    Lsass.exe is a security and auth service. I have seen as well the network chatter that Lsass puts forth, but I run all my machines connected to a local domain via a backend LAN and Lsass is what handles most of the authentication for logins to the machines. 99% of that network chatter is with other machines on my LAN (traffic traversing on the backend VLAN alone). Dunno what your net topology is there but you might tread a little softly around Lsass if you want to be able to login to your machine. Just fyi.

    Yeap... The sad truth these days. Unfortunately something (even though it doesn't even appear to be any way connected with google) on your machine is using assets of some kind that resides on googles' network as do a lot of other stuffs. It is for exactly these kinds of reasons that I recommend production machines do not be allowed to access the internet at all. You can use other purely dedicated machines that are setup specifically (i.e. all firewalled and trussed up, A/V'ed, etc) for accessing the big bad internet.
     
    Last edited: May 23, 2024
  15. StormChaser

    StormChaser Producer

    Joined:
    Jan 16, 2021
    Messages:
    296
    Likes Received:
    119
    Yeah I thought the same.

    Its crazy how much information is sent from our computers to god knows where, I have a whole stack of telemetry information blocked.

    Somebody did say above to just block the internet connection either on my entire DAW PC or the plugin host for everything but this is not possible as I jam online with other musicians using my DAW and some of my plugins need to report home to stay authenticated whilst others update themselves so I dont really want to do this.

    Also one added complication is each revision of Bitwig gets installed in a unique version folder and looks like the below so any allows or blocks need to be re-added each time it updates as the bitwigpluginhost-x64-sse41.exe is in a different directory to the previously allowed or blocked. I have thought about just creating a rule that Blocks or Allows IP addresses but I kind of like being able to see which process is trying to access certain IPs.

    C:\program files\bitwig studio\5.0.11\bin\bitwigpluginhost-x64-sse41.exe
    C:\program files\bitwig studio\5.0.16\bin\bitwigpluginhost-x64-sse41.exe
    C:\program files\bitwig studio\5.0.19\bin\bitwigpluginhost-x64-sse41.exe
     
    Last edited: May 23, 2024
  16. StormChaser

    StormChaser Producer

    Joined:
    Jan 16, 2021
    Messages:
    296
    Likes Received:
    119
    I have 3x Microsoft Windows Server 2019 on different network domains with 4 separate VLANs so I know all to well at the complications of the lsass if I start blocking various things. All my computers connects through a hardware Watchguard Firewall which has their full suite of modules activated, overkill absolutely :), nice to have you betch ya!
     
Loading...
Similar Threads - Netlimiter users house Forum Date
LoopCloud Users - Will it FLAG local samples/daw (warez) ? Software Dec 8, 2024
Any FanControl users here? PC Oct 30, 2024
Any Backblaze users here? Internet for Musician Jun 3, 2024
Great News for AMD & UAD Users! Computer Hardware Mar 15, 2024
Spire users: I need somebody (a Cyberpunk) Help! how to make "that" sound Feb 23, 2024
Loading...