Any Netlimiter users in the house?

Discussion in 'PC' started by StormChaser, May 22, 2024.

  1. StormChaser

    StormChaser Producer

    Hey Guys

    I have been using Netlimiter for a good few years now and think it's a great little app, but recently I have been wondering if something is possible. My DAW's pluginhost is always trying to make various outbound connections using bitwigpluginhost-x64-sse41.exe. Is there any way to find out what is actually trying to make the connection connected to the pluginhost, as in a VST/DLL/VST3 etc., to make a better determination as to whether to "Perm Deny" or "Perm Allow"?

    Thank you in advance.

    SC
     
    Last edited: May 22, 2024

  3. tzzsmk

    tzzsmk Audiosexual

    it's trying to authenticate a certain plugin, hard to tell which
     
  4. StormChaser

    StormChaser Producer

    Hey tzzsmk

    yeah totally get that part but I am looking for a way to find out what is attaching to bitwigpluginhost-x64-sse41.exe to generate the TCP request.

    Looking in ProcMon I can see a bit more information, but it doesn't show me the IP address and the port, and the PID from Netlimiter doesn't show anything for TCP requests in ProcMon.
     
  5. saccamano

    saccamano Rock Star

    More than likely if you cannot readily see what is initiating the connection it's probably been farmed out to SVChost. SVChost among other things, is a nifty little way for coders to mask their network calls to a generic and cloaked host interface. Since you break way more than you fix by blocking SVChost (way too much other stuff uses it) you would be better spent to block bitwigpluginhost-x64-sse41 and be done with it.
     
  6. Xupito

    Xupito Audiosexual

    Sad but true. It's literally called SerViCeHost so a lot of them are running in any Windows.

    Knowing MSoft probably some of them blowing out our dear PC's asshole without vaseline.
     
  7. orbitbooster

    orbitbooster Audiosexual

    Don't bother, first try to deny it.
    If anything works, good, if not, delete the deny and create a rule to allow only localhost connection.
     
  8. tzzsmk

    tzzsmk Audiosexual

    1) you can remove all plugins from the folder and try adding one by one until the popup shows
    2) Wireshark can probably tell you anything about what's going on in network packets
     
  9. StormChaser

    StormChaser Producer

    I am so so close.

    I have figured out how to see the vst3/dll processes that are attached to the bitwigpluginhost-x64-sse41.exe and causing the outbound connection by using the process/stack modules and looking for any TCP/UDP send operations for that process, and it's clear what plugins are bound to this bitwigpluginhost-x64-sse41.exe, but what I haven't yet figured out is how to match the outbound IP address Netlimiter shows me to the vst3/dll to know which one is the one trying to communicate out.

    Doing a search for the IP address shown from Netlimiter doesn't show me anything, neither does it in Network Monitor.

    I have highlighted the vst3/dll in the attached image; this is from my default Bitwig template, which loads a couple of VSTs as part of my base template. Once you start digging it's quite interesting to see.

    I am that close I can almost taste it :)
     
    Last edited: May 23, 2024
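
An added example for the matching problem described in the post above (not code from any poster in this thread): Windows records only the owning PID for each TCP connection, not the DLL that opened it, so this PowerShell loop logs every new remote endpoint of the plugin host together with the third-party modules loaded at that moment. The process name is taken from the thread; the function name, the 500 ms polling interval and the path filters are assumptions.

```powershell
# Added example: watch the plugin host for new outbound TCP connections and
# record which third-party modules (VST/VST3/DLL) are loaded at that moment.
# Run in an elevated 64-bit PowerShell while the DAW is open; Ctrl+C stops it.
$hostName = 'bitwigpluginhost-x64-sse41'   # process name from the thread, no .exe
$seen     = @{}                            # endpoints already reported

function Get-PluginModules($proc) {
    # Hypothetical helper: keep modules outside the Windows directory and
    # outside the host's own bin folder, i.e. plugins and their helper DLLs.
    $binDir = Split-Path -Parent $proc.Path
    $proc.Modules |
        Where-Object { $_.FileName -and
                       $_.FileName -notlike "$env:windir\*" -and
                       $_.FileName -notlike "$binDir\*" } |
        Select-Object -ExpandProperty FileName
}

while ($true) {
    foreach ($proc in Get-Process -Name $hostName -ErrorAction SilentlyContinue) {
        # The TCP table is keyed by PID; skip listeners and loopback traffic.
        $conns = Get-NetTCPConnection -OwningProcess $proc.Id -ErrorAction SilentlyContinue |
            Where-Object { $_.RemoteAddress -notin '0.0.0.0', '::', '127.0.0.1', '::1' }
        foreach ($c in $conns) {
            $key = '{0}|{1}|{2}' -f $proc.Id, $c.RemoteAddress, $c.RemotePort
            if ($seen.ContainsKey($key)) { continue }
            $seen[$key] = $true
            # Reverse lookup of the remote address; empty when no PTR record exists.
            $ptr = (Resolve-DnsName -Name $c.RemoteAddress -ErrorAction SilentlyContinue |
                    Select-Object -First 1).NameHost
            [pscustomobject]@{
                Time    = Get-Date -Format 'HH:mm:ss'
                PID     = $proc.Id
                Remote  = '{0}:{1}' -f $c.RemoteAddress, $c.RemotePort
                PTR     = $ptr
                Modules = (Get-PluginModules $proc | Split-Path -Leaf) -join ', '
            } | Format-List
        }
    }
    Start-Sleep -Milliseconds 500   # very short-lived connections can be missed
}
```

The output narrows the candidates rather than naming the module outright: leave it running while loading plugins one at a time, and the entry whose module list first contains a given plugin points at that plugin.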


  10. Skaunker

    Skaunker Kapellmeister

    good job, I bet poweruser tools like procexp may have this feature too of "process stack" "threads" "handles" dependencies too, and can be used to interrogate the svchost snitch on other cases.
     
  11. StormChaser

    StormChaser Producer

    So true, I can see some outbound connections are being triggered by SVCHOST and, as you rightly said, I am not going to block SVCHOST, but I will be able to block SVCHOST to a specific outbound IP address as long as I am certain the IP address is something to do with my DAW or plugins, which I would be happy with.

    The lsass.exe process is another one which likes to try and chatter out when using my DAW the above approach should also work for this process too but I need to do a lot more digging which I will do once I am happy with the bitwigpluginhost-x64-sse41.exe
     
  12. StormChaser

    StormChaser Producer

    I did start with that but it didn't give me what I was looking for. Still a fantastic little application.

    I just did a reverse IP address lookup and Tracert on one of the outbound IP addresses and both approaches came back with the same result. Whatever this is, I don't use Chrome or any Google apps, but it could just be some kind of hosting farm like the azures or the amazonaws

    116.115.201.35.bc.googleusercontent.com [35.201.115.116]
     
  13. tzzsmk

    tzzsmk Audiosexual

    that IP address belongs to USA, Missouri, Kansas, Google Cloud, Google LLC,
    so I wouldn't be surprised if it was some generic API like fonts or some telemetry
     
  14. saccamano

    saccamano Rock Star

    Lsass.exe is a security and auth service. I have seen as well the network chatter that Lsass puts forth, but I run all my machines connected to a local domain via a backend LAN and Lsass is what handles most of the authentication for logins to the machines. 99% of that network chatter is with other machines on my LAN (traffic traversing on the backend VLAN alone). Dunno what your net topology is there but you might tread a little softly around Lsass if you want to be able to login to your machine. Just fyi.

    Yeap... The sad truth these days. Unfortunately something (even though it doesn't even appear to be in any way connected with Google) on your machine is using assets of some kind that reside on Google's network, as do a lot of other stuffs. It is for exactly these kinds of reasons that I recommend production machines not be allowed to access the internet at all. You can use other purely dedicated machines that are set up specifically (i.e. all firewalled and trussed up, A/V'ed, etc.) for accessing the big bad internet.
     
    Last edited: May 23, 2024
  15. StormChaser

    StormChaser Producer

    Yeah I thought the same.

    It's crazy how much information is sent from our computers to god knows where, I have a whole stack of telemetry information blocked.

    Somebody did say above to just block the internet connection either on my entire DAW PC or the plugin host for everything, but this is not possible as I jam online with other musicians using my DAW, and some of my plugins need to report home to stay authenticated whilst others update themselves, so I don't really want to do this.

    Also one added complication is each revision of Bitwig gets installed in a unique version folder and looks like the below so any allows or blocks need to be re-added each time it updates as the bitwigpluginhost-x64-sse41.exe is in a different directory to the previously allowed or blocked. I have thought about just creating a rule that Blocks or Allows IP addresses but I kind of like being able to see which process is trying to access certain IPs.

    C:\program files\bitwig studio\5.0.11\bin\bitwigpluginhost-x64-sse41.exe
    C:\program files\bitwig studio\5.0.16\bin\bitwigpluginhost-x64-sse41.exe
    C:\program files\bitwig studio\5.0.19\bin\bitwigpluginhost-x64-sse41.exe
     
    Last edited: May 23, 2024
  16. StormChaser

    StormChaser Producer

    I have 3x Microsoft Windows Server 2019 on different network domains with 4 separate VLANs so I know all too well the complications of the lsass if I start blocking various things. All my computers connect through a hardware Watchguard Firewall which has their full suite of modules activated, overkill absolutely :), nice to have you betch ya!
     