roboto
so, we've had a few posts in the ban section of ppl claiming that it's agent.exe which is scanning your system, for reasons unknown, these ppl post in the ban section where no one can respond.
whatever, let's get down to it:
i took the time to monitor agent.exe for about 4 hours today on a system which was running wow.exe in 32bit mode, these are the results:
TL;DR: it does NOT scan your system for bots e.g.
What is Agent.exe
Size: roughly 400KB
Type: EXE
Description: Blizzard File Switcher
Digitally signed, issuer Thawte Code Signing CA
This file is downloaded by battle.net client
Where is Agent.exe located?
The Binary lies within %ProgramData%\Battle.net\Agent
Each downloaded agent-version is located in a Folder named "Agent.BUILD", in my case it's Agent.4150
What does Agent.exe do at runtime?
2 things
1.) It opens wow.exe and checks its version:

This call is made to determine the version of your wow.exe
On this Request the following DLLs are loaded:
Code:
Agent.exe 0xed0000 0x5a0000 C:\ProgramData\Battle.net\Agent\Agent.4150\Agent.exe Blizzard Entertainment 1.20.2.4150 19.06.2015 20:19:20
DevDispItemProvider.dll 0x63140000 0x1a000 C:\Windows\SysWOW64\DevDispItemProvider.dll Microsoft Corporation 6.3.9600.16384 (winblue_rtm.130821-1623) 29.10.2014 03:02:53
sfc_os.DLL 0x63210000 0xf000 C:\Windows\SysWOW64\sfc_os.DLL Microsoft Corporation 6.3.9600.17415 (winblue_r4.141028-1500) 29.10.2014 04:00:27
AcLayers.DLL 0x63220000 0x277000 C:\Windows\AppPatch\AcLayers.DLL Microsoft Corporation 6.3.9600.17415 (winblue_r4.141028-1500) 29.10.2014 03:23:44
sfc.dll 0x6d100000 0x3000 C:\Windows\SysWOW64\sfc.dll Microsoft Corporation 6.3.9600.16384 (winblue_rtm.130821-1623) 22.08.2013 06:13:28
LINKINFO.dll 0x6d110000 0xb000 C:\Windows\SysWOW64\LINKINFO.dll Microsoft Corporation 6.3.9600.17415 (winblue_r4.141028-1500) 29.10.2014 03:56:41
actxprxy.dll 0x6f2e0000 0x103000 C:\Windows\SysWOW64\actxprxy.dll Microsoft Corporation 6.3.9600.17840 (winblue_r11.150522-0826) 23.05.2015 04:28:10
MLANG.dll 0x6f4f0000 0x33000 C:\Windows\SysWOW64\MLANG.dll Microsoft Corporation 6.3.9600.16384 (winblue_rtm.130821-1623) 29.10.2014 02:57:40
apphelp.dll 0x71280000 0xa0000 C:\Windows\SysWOW64\apphelp.dll Microsoft Corporation 6.3.9600.16384 (winblue_rtm.130821-1623) 29.10.2014 04:00:11
urlmon.dll 0x72730000 0x14a000 C:\Windows\SysWOW64\urlmon.dll Microsoft Corporation 11.00.9600.16384 (winblue_rtm.130821-1623) 23.05.2015 04:16:32
WINHTTP.dll 0x72880000 0x9f000 C:\Windows\SysWOW64\WINHTTP.dll Microsoft Corporation 6.3.9600.16384 (winblue_rtm.130821-1623) 29.10.2014 02:56:15
dwmapi.dll 0x72ee0000 0x1a000 C:\Windows\SysWOW64\dwmapi.dll Microsoft Corporation 6.3.9600.16384 (winblue_rtm.130821-1623) 29.10.2014 02:58:22
PlayToDevice.dll 0x73440000 0x39000 C:\Windows\SysWOW64\PlayToDevice.dll Microsoft Corporation 12.0.9600.16384 (winblue_rtm.130821-1623) 29.10.2014 02:30:14
iertutil.dll 0x73480000 0x232000 C:\Windows\SysWOW64\iertutil.dll Microsoft Corporation 11.00.9600.16384 (winblue_rtm.130821-1623) 23.05.2015 05:10:32
WININET.dll 0x736f0000 0x1e4000 C:\Windows\SysWOW64\WININET.dll Microsoft Corporation 11.00.9600.16384 (winblue_rtm.130821-1623) 23.05.2015 04:20:17
uxtheme.dll 0x738e0000 0xed000 C:\Windows\SysWOW64\uxtheme.dll Microsoft Corporation 6.3.9600.16384 (winblue_rtm.130821-1623) 29.10.2014 02:48:23
comctl32.dll 0x739e0000 0x206000 C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_a9edf09f013934e0\comctl32.dll Microsoft Corporation 6.10 (winblue_rtm.130821-1623) 25.04.2015 04:34:19
dlnashext.dll 0x73ca0000 0x6e000 C:\Windows\SysWOW64\dlnashext.dll Microsoft Corporation 12.0.9600.16384 (winblue_rtm.130821-1623) 29.10.2014 03:29:03
dhcpcsvc6.DLL 0x73f10000 0x13000 C:\Windows\SysWOW64\dhcpcsvc6.DLL Microsoft Corporation 6.3.9600.16384 (winblue_rtm.130821-1623) 29.10.2014 03:06:03
MPR.dll 0x74090000 0x16000 C:\Windows\SysWOW64\MPR.dll Microsoft Corporation 6.3.9600.16384 (winblue_rtm.130821-1623) 29.10.2014 03:06:32
rasadhlp.dll 0x74100000 0x8000 C:\Windows\SysWOW64\rasadhlp.dll Microsoft Corporation 6.3.9600.17415 (winblue_r4.141028-1500) 29.10.2014 03:05:32
fwpuclnt.dll 0x74110000 0x46000 C:\Windows\SysWOW64\fwpuclnt.dll Microsoft Corporation 6.3.9600.16384 (winblue_rtm.130821-1623) 29.10.2014 02:56:29
DNSAPI.dll 0x74160000 0x7e000 C:\Windows\SysWOW64\DNSAPI.dll Microsoft Corporation 6.3.9600.16384 (winblue_rtm.130821-1623) 29.10.2014 03:06:23
mswsock.dll 0x741e0000 0x4b000 C:\Windows\SysWOW64\mswsock.dll Microsoft Corporation 6.3.9600.16384 (winblue_rtm.130821-1623) 29.10.2014 03:06:15
fastprox.dll 0x74230000 0xc4000 C:\Windows\SysWOW64\wbem\fastprox.dll Microsoft Corporation 6.3.9600.17415 (winblue_r4.141028-1500) 29.10.2014 02:59:19
wbemsvc.dll 0x74300000 0x11000 C:\Windows\SysWOW64\wbem\wbemsvc.dll Microsoft Corporation 6.3.9600.17415 (winblue_r4.141028-1500) 29.10.2014 03:05:13
wbemcomn.dll 0x74320000 0x66000 C:\Windows\SysWOW64\wbemcomn.dll Microsoft Corporation 6.3.9600.17415 (winblue_r4.141028-1500) 29.10.2014 03:00:21
wbemprox.dll 0x74390000 0xd000 C:\Windows\SysWOW64\wbem\wbemprox.dll Microsoft Corporation 6.3.9600.17415 (winblue_r4.141028-1500) 29.10.2014 02:59:38
dhcpcsvc.DLL 0x743a0000 0x14000 C:\Windows\SysWOW64\dhcpcsvc.DLL Microsoft Corporation 6.3.9600.16384 (winblue_rtm.130821-1623) 29.10.2014 03:05:51
WINNSI.DLL 0x743c0000 0x8000 C:\Windows\SysWOW64\WINNSI.DLL Microsoft Corporation 6.3.9600.17415 (winblue_r4.141028-1500) 29.10.2014 03:06:17
IPHLPAPI.DLL 0x743d0000 0x20000 C:\Windows\SysWOW64\IPHLPAPI.DLL Microsoft Corporation 6.3.9600.16384 (winblue_rtm.130821-1623) 29.10.2014 03:06:09
Secur32.dll 0x74460000 0xa000 C:\Windows\SysWOW64\Secur32.dll Microsoft Corporation 6.3.9600.17415 (winblue_r4.141028-1500) 29.10.2014 03:06:19
PROPSYS.dll 0x74470000 0x13a000 C:\Windows\SysWOW64\PROPSYS.dll Microsoft Corporation 7.00.9600.17031 (winblue_gdr.140221-1952) 29.10.2014 04:02:22
SHCORE.dll 0x745b0000 0x8b000 C:\Windows\SysWOW64\SHCORE.dll Microsoft Corporation 6.3.9600.16384 (winblue_rtm.130821-1623) 23.01.2015 04:47:03
bcrypt.dll 0x749c0000 0x1e000 C:\Windows\SysWOW64\bcrypt.dll Microsoft Corporation 6.3.9600.16384 (winblue_rtm.130821-1623) 29.10.2014 03:05:46
CRYPTSP.dll 0x74a10000 0x19000 C:\Windows\SysWOW64\CRYPTSP.dll Microsoft Corporation 6.3.9600.17415 (winblue_r4.141028-1500) 29.10.2014 03:06:22
kernel.appcore.dll 0x74a30000 0x9000 C:\Windows\SysWOW64\kernel.appcore.dll Microsoft Corporation 6.3.9600.17415 (winblue_r4.141028-1500) 29.10.2014 03:04:26
profapi.dll 0x74a40000 0xf000 C:\Windows\SysWOW64\profapi.dll Microsoft Corporation 6.3.9600.17415 (winblue_r4.141028-1500) 29.10.2014 03:06:11
USERENV.dll 0x74a50000 0x1b000 C:\Windows\SysWOW64\USERENV.dll Microsoft Corporation 6.3.9600.16384 (winblue_rtm.130821-1623) 29.10.2014 03:00:57
WINSPOOL.DRV 0x74bb0000 0x65000 C:\Windows\SysWOW64\WINSPOOL.DRV Microsoft Corporation 6.3.9600.16384 (winblue_rtm.130821-1623) 29.10.2014 02:45:14
VERSION.dll 0x74c20000 0x8000 C:\Windows\SysWOW64\VERSION.dll Microsoft Corporation 6.3.9600.17415 (winblue_r4.141028-1500) 29.10.2014 03:59:45
bcryptPrimitives.dll 0x74c30000 0x54000 C:\Windows\SysWOW64\bcryptPrimitives.dll Microsoft Corporation 6.3.9600.17415 (winblue_r4.141028-1500) 29.10.2014 03:05:57
CRYPTBASE.dll 0x74c90000 0xa000 C:\Windows\SysWOW64\CRYPTBASE.dll Microsoft Corporation 6.3.9600.17415 (winblue_r4.141028-1500) 29.10.2014 04:01:15
SspiCli.dll 0x74ca0000 0x1e000 C:\Windows\SysWOW64\SspiCli.dll Microsoft Corporation 6.3.9600.17415 (winblue_r4.141028-1500) 29.10.2014 03:06:04
SHLWAPI.dll 0x74e00000 0x45000 C:\Windows\SysWOW64\SHLWAPI.dll Microsoft Corporation 6.3.9600.16384 (winblue_rtm.130821-1623) 29.10.2014 02:43:08
ole32.dll 0x74ee0000 0x128000 C:\Windows\SysWOW64\ole32.dll Microsoft Corporation 6.3.9600.16384 (winblue_rtm.130821-1623) 29.10.2014 02:47:16
IMM32.DLL 0x75010000 0x27000 C:\Windows\SysWOW64\IMM32.DLL Microsoft Corporation 6.3.9600.17415 (winblue_r4.141028-1500) 29.10.2014 03:59:48
RPCRT4.dll 0x75080000 0xba000 C:\Windows\SysWOW64\RPCRT4.dll Microsoft Corporation 6.3.9600.16384 (winblue_rtm.130821-1623) 29.10.2014 03:07:48
CFGMGR32.dll 0x75140000 0x3c000 C:\Windows\SysWOW64\CFGMGR32.dll Microsoft Corporation 6.3.9600.17415 (winblue_r4.141028-1500) 29.10.2014 03:06:02
msvcrt.dll 0x75350000 0xc3000 C:\Windows\SysWOW64\msvcrt.dll Microsoft Corporation 7.0.9600.17415 (winblue_r4.141028-1500) 29.10.2014 04:04:30
SETUPAPI.dll 0x75420000 0x1b1000 C:\Windows\SysWOW64\SETUPAPI.dll Microsoft Corporation 6.3.9600.16384 (winblue_rtm.130821-1623) 29.10.2014 02:43:38
MSCTF.dll 0x755e0000 0x112000 C:\Windows\SysWOW64\MSCTF.dll Microsoft Corporation 6.3.9600.16384 (winblue_rtm.130821-1623) 14.03.2015 02:53:05
GDI32.dll 0x75870000 0x10e000 C:\Windows\SysWOW64\GDI32.dll Microsoft Corporation 6.3.9600.17415 (winblue_r4.141028-1500) 29.10.2014 03:10:13
combase.dll 0x75990000 0x17d000 C:\Windows\SysWOW64\combase.dll Microsoft Corporation 6.3.9600.16384 (winblue_rtm.130821-1623) 29.10.2014 03:06:12
NSI.dll 0x75b10000 0x7000 C:\Windows\SysWOW64\NSI.dll Microsoft Corporation 6.3.9600.17415 (winblue_r4.141028-1500) 29.10.2014 04:03:31
PSAPI.DLL 0x75b20000 0x6000 C:\Windows\SysWOW64\PSAPI.DLL Microsoft Corporation 6.3.9600.17415 (winblue_r4.141028-1500) 29.10.2014 03:06:26
SHELL32.dll 0x75b30000 0x12ac000 C:\Windows\SysWOW64\SHELL32.dll Microsoft Corporation 6.3.9600.17031 (winblue_gdr.140221-1952) 12.02.2015 05:51:27
sechost.dll 0x76de0000 0x41000 C:\Windows\SysWOW64\sechost.dll Microsoft Corporation 6.3.9600.16384 (winblue_rtm.130821-1623) 20.03.2015 05:20:59
USER32.dll 0x76ef0000 0x153000 C:\Windows\SysWOW64\USER32.dll Microsoft Corporation 6.3.9600.16384 (winblue_rtm.130821-1623) 29.10.2014 03:04:32
KERNELBASE.dll 0x77050000 0xd7000 C:\Windows\SysWOW64\KERNELBASE.dll Microsoft Corporation 6.3.9600.17031 (winblue_gdr.140221-1952) 29.10.2014 04:03:10
clbcatq.dll 0x77130000 0x8d000 C:\Windows\SysWOW64\clbcatq.dll Microsoft Corporation 2001.12.10530.17415 (winblue_r4.141028-1500) 29.10.2014 02:44:51
OLEAUT32.dll 0x771c0000 0x95000 C:\Windows\SysWOW64\OLEAUT32.dll Microsoft Corporation 6.3.9600.17560 19.12.2014 06:49:55
ADVAPI32.dll 0x77300000 0x7c000 C:\Windows\SysWOW64\ADVAPI32.dll Microsoft Corporation 6.3.9600.16384 (winblue_rtm.130821-1623) 29.10.2014 03:57:48
wow64.dll 0x773d0000 0x4b000 C:\Windows\SYSTEM32\wow64.dll Microsoft Corporation 6.3.9600.17734 (winblue_r9.150319-1700) 20.03.2015 06:10:50
wow64win.dll 0x77420000 0x68000 C:\Windows\system32\wow64win.dll Microsoft Corporation 6.3.9600.16520 (winblue_gdr.140127-0329) 27.01.2014 21:53:11
wow64cpu.dll 0x77490000 0x9000 C:\Windows\system32\wow64cpu.dll Microsoft Corporation 6.3.9600.17734 (winblue_r9.150319-1700) 20.03.2015 06:10:52
ntdll.dll 0x774a0000 0x16e000 C:\Windows\SysWOW64\ntdll.dll Microsoft Corporation 6.3.9600.17031 (winblue_gdr.140221-1952) 23.03.2015 00:31:30
ntdll.dll 0x7ff92ddc0000 0x1ac000 C:\Windows\SYSTEM32\ntdll.dll Microsoft Corporation 6.3.9600.17031 (winblue_gdr.140221-1952) 23.03.2015 00:33:26
you can see those are all Microsoft DLLs, not any blizzard internals
2.) it does connect to a local port and sends data
this call is made from [::1]:1120 -> [::1]:11791
this is just a TCP/IP Connection with the following metadata:
Code:
Length: 619
startime: 4532013
endtime: 4532013
seqnum: 0
connid: 0
Now for the funny part and why this is all such bogus:
About every hour, Agent.exe does the following things:
Query the Registry at HKLM\System\CurrentControlSet\Tcpip\Parameters\
This Sequence finds a connected LAN Adapter. (followed by a few checks on dhcp and such stuff)
It then goes for REGISTRY: HKCU\Software\Microsoft\Windows\CurrentVersion\InternetSettings\Connections
This obtains the winhttp settings such as connection type and proxy
After this the Registry Thread is closed and a new one's opened.
Now Agent.exe opens a remote connection to a US-IP (mine was starting with 12.0.0.0) at port 1119
This is in fact a blizzard IP and a blizzard port, ref in Battle.Net FAQ:
"Yes, you may need to open an additional port (1119) to log in to World of Warcraft using a Battle.net account."
The agent creates a new File (LOGFILE [sic!]) in %ProgramData%\Battle.net\Agent\Agent.BUILD\Logs
You can now open these logs for yourself.
After this, the following happens:
battlenet dir in Programdata is being queried, files are read and checked for creation date and version (self-update)
battlenet installation dir is parsed
battlenet installation logs dir is parsed
all files in battle.net are checked for outdated/non original stuff
This data is now transmitted
Now agent.exe parses your WoW Directory
Yes, you've heard right.
The following files and folders are checked in that manner:
\WoW.exe (for several times)
\Cache\* (ALL files in cache!)
\Data\* (ALL FILES IN DATA - CASC Database)
\Errors\*
\Interface\* (Yes, your addons as well!)
\Logs\*
\*.dll (dlls in wow root)
\Screenshot\*
\Utils\*
\WTF\*
These are just basic QueryOpenFile and QuerySecurityFile Operations, nothing to worry about. I guess the updater is just checking if all files are in place.
Followed, now \Data\data\<int>.idx and \Data\data\data.<int> and \Data\indices\<hash> files are scanned, all the same QuerySecurityFile & CloseFile crap again.
after a last open of wow.exe, agent.exe is finished and does not touch ANY OTHER DIR
So, what did we just see here - well, let's look into the LOG Agent.exe did because it's such a nice application:
There are 4 logfiles:
Agent-*.log
AgentNGDP-*.log
curl*.log
Queue*.Log
Important: i've masked out many lines since these logs contain confidential information!
Agent*.log:
This is basically a logfile of obtaining the latest wow version from battlenet cdn servers:
Code:
16:24:33.3000 New versioner created - battle.net.
16:24:33.3035 Agent::Product::LaunchGameSession() - Begin Waiting
16:24:33.3037 Agent::Product::LaunchGameSession() - End Waiting
16:24:33.4176 Launched J:/Battle.net/Battle.net.exe as PID: XXXX with --switcherall
**********************************************
16:24:33.5217 Firing Event: "database flush event"
16:24:33.5220 Handle Event: "database flush event"
16:24:33.5221 Request POST /gamesession
...
"uid" : "battle.net"
}
Response 200 (XXX ms): {
"response_uri" : "/gamesession/battle.net"
}
16:24:33.5290 Request GET /version/battle.net
Response 200 (1.0408 ms): {
"state" : XXX,
"local_version" : "1.2.9.5942",
"playable" : true,
"needs_rebase" : false,
"current_version" : XXX,
"build" : XXX,
"patch_application_complete" : true,
"download_complete" : true,
"background_download_available" : false,
"background_download_complete" : true,
"loose_file_patching_complete" : true,
"baseline" : ""
}
16:24:33.5345 Request GET /gamesession/wow_engb
Response 200 (0.0943 ms): {
"1" : {
"request_id" : XXX,
"pid" : XXX,
"pid_path" : "",
"binary_type" : "game"
}
}
16:24:34.0195 GameProcessManager - UPDATE:
Stored was - uid:battle.net, pid:XXX, parent pid:XXX, pid path:.
Updating to - uid:battle.net, pid:XXX, parent pid:XXX, pid path:X:\Battle.net\Battle.net.XXXX\Battle.net.exe.
16:24:34.1622 Firing Event: "database flush event"
16:24:34.1624 Handle Event: "database flush event"
16:24:34.1626 Request GET /agent
Response 200 (XXX ms): {
"update" : {},
"install" : {},
"backfill" : {},
"pid" : XXX,
"user_id" : "XXX",
"state" : XXX,
"playable" : true,
"patch_application_complete" : true,
"download_complete" : true,
"installed" : true,
"version" : "XXX",
"region" : "eu",
"type" : "retail",
"opt_in_feedback" : true,
"session" : "XXX",
"authorization" : "XXX"
}
16:24:34.1685 Request POST /agent
{
"opt_in_feedback" : true
}
Response 200 (0.0115 ms): {}
16:24:34.1726 Request POST /game/battle.net
{
"opt_in_feedback" : true
}
Response 200 (0.0926 ms): {}
16:24:34.1765 Request Issued to non-existent Uri: POST - /game/client
16:24:34.1801 Request GET /gamesession
Response 200 (0.1925 ms): {
"wow_dede" : {
"1" : {
"request_id" : XXX,
"pid" : XXX,
"pid_path" : "",
"binary_type" : "game"
}
},
"battle.net" : {
"1" : {
"request_id" : XXX,
"pid" : XXX,
"pid_path" : "",
"binary_type" : "game"
},
"2" : {
"request_id" : XXX,
"pid" : XXX,
"pid_path" : "X:\\Battle.net\\Battle.net.XXX\\Battle.net.exe",
"binary_type" : "game"
}
}
}
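This log goes on and on for a very long time, basically you're just watching battlenet looking for an update
AgentNGDP-*.log
This is a short log and tbh i got no idea what use it serves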
You can see some blizz IPs and the windows version
Code:
16:24:42.7291 {d50} INF: Add new Host addr=YYY, port=80, name=dist.blizzard.com.edgesuite.net, proxy=false
16:24:42.7294 {d50} INF: Add new Host addr=YYY, port=80, name=dist.blizzard.com.edgesuite.net, proxy=false
16:24:43.4174 {139c} INF: Initialization step - FETCHING_BUILD_CONFIG
16:24:43.4177 {139c} INF: Initialization step - FETCHING_PATCH_MANIFEST
16:24:43.4181 {139c} INF: Initialization step - FETCHING_ENCODING_TABLE
16:24:43.4778 {139c} WRN: unrecognized tag 'Windows'
16:24:43.4869 {139c} WRN: invalid tag in tag query 'Windows x86_32 x86_64 EU? brBR speech?:Windows x86_32 x86_64 EU? brBR text?:Windows x86_32 x86_64 EU? zhCN speech?:Windows x86_32 x86_64 EU? zhCN text?'
16:24:43.8336 {15b4} INF: NGDP initialization - (archive: false, cache: true, Async: true)
not interesting at all
curl*.log
Code:
16:24:29.7998 Queue Request for http://enGB.patch.battle.net:XXX/patch : handle - XXX, index - 0, running - 0
16:24:29.8309 Queue Request for http://iir.blizzard.com:XXX/submit/BNET_APP : handle - XXX, index - 1, running - 0
16:24:30.1047 OnComplete: handle - 0x007defd0, result - 0, running - 2, request - found
16:24:30.1056 Queue Request for http://public-test.patch.battle.net:1119/patch : handle - XXX, index - 2, running - 0
16:24:30.4631 OnComplete: handle - 0x00762330, result - 0, running - 2, request - found
16:24:30.6931 OnComplete: handle - 0x007defd0, result - 0, running - 1, request - found
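just curl minding his own business, still not fancy - well let's hope the Queue Log proves this big conspiracy theory...
Queue-*.log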
Code:
16:24:41.9744 Queuing /update/wow_brbr
16:24:41.9746 Insert to Queue at HEAD
16:24:41.9770 Start Queued Task 'Update wow_brbr'
16:25:49.9526 Remove /update/wow_brbr from Queue
16:25:49.9527 Remove (stop) Task Update wow_brbr
16:25:49.9531 Removed HEAD item from Queue
Bummer.
Conclusion: i've just wasted 10 minutes of your life telling and showing you that Agent.exe is nothing tricky to scan your system.
Thanks for your time.
If you like to prove me wrong grab ProcessExplorer from sysinternals and monitor it for yourself.
Have fun!
PS: NIIIINJA PATCH!!!
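An added example, not part of the original post: one way to check the "does not touch ANY OTHER DIR" observation against your own capture, by flagging any file path one process opened outside the directories the post lists. It assumes the trace was exported as CSV from Sysinternals Process Monitor with its default columns; the J:\ install paths and every sample row are constructed for illustration.

```python
import csv
import io
import ntpath
import re
from collections import Counter
from pathlib import PureWindowsPath

# Roots the post reports Agent.exe touching. The two J:\ install paths are
# assumptions for this example; set them to match the monitored system.
ALLOWED_ROOTS = [
    PureWindowsPath(r"C:\ProgramData\Battle.net"),
    PureWindowsPath(r"J:\Battle.net"),
    PureWindowsPath(r"J:\World of Warcraft"),
]

# Only drive-letter paths are file events; registry keys and socket rows are skipped.
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")


def matching_root(path, roots=ALLOWED_ROOTS):
    """Return the allowed root that contains path, or None.

    Comparison is case-insensitive and component-wise, so a sibling such as
    J:\\Battle.net.evil does not pass as J:\\Battle.net.
    """
    p = PureWindowsPath(ntpath.normpath(path))  # collapses any ".." segments
    for root in roots:
        if p == root or root in p.parents:
            return root
    return None


def audit_file_activity(csv_text, process="Agent.exe", roots=ALLOWED_ROOTS):
    """Split one process's file events into per-root counts and outliers."""
    per_root = Counter()
    outliers = []
    # Strip the BOM that a file export may carry before parsing.
    for row in csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff"))):
        if row["Process Name"].lower() != process.lower():
            continue
        path = row["Path"]
        if not DRIVE_PATH.match(path):
            continue
        root = matching_root(path, roots)
        if root is None:
            outliers.append((row["Operation"], path))
        else:
            per_root[str(root)] += 1
    return per_root, outliers


# Constructed sample rows. The last Agent.exe row is deliberately out of scope
# to show what a hit looks like; it is not something the post observed.
SAMPLE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"16:24:33.3000000","Agent.exe","4242","CreateFile","C:\ProgramData\Battle.net\Agent\Agent.4150\Logs\Agent-sample.log","SUCCESS","Desired Access: Generic Write"
"16:24:33.3100000","Agent.exe","4242","RegQueryKey","HKLM\System\CurrentControlSet\Tcpip\Parameters","SUCCESS",""
"16:24:33.3200000","Agent.exe","4242","QueryOpen","J:\World of Warcraft\Interface\AddOns\SampleAddon\SampleAddon.toc","SUCCESS",""
"16:24:33.3300000","Agent.exe","4242","QuerySecurityFile","j:\world of warcraft\Data\data\data.001","SUCCESS",""
"16:24:33.3400000","Agent.exe","4242","TCP Connect","[::1]:1120 -> [::1]:11791","SUCCESS","Length: 0"
"16:24:33.3500000","explorer.exe","1000","CreateFile","C:\Users\sample\Documents\notes.txt","SUCCESS",""
"16:24:33.3600000","Agent.exe","4242","CreateFile","C:\Users\sample\Documents\notes.txt","SUCCESS",""
'''

if __name__ == "__main__":
    counts, outliers = audit_file_activity(SAMPLE)
    for root, n in counts.items():
        print(f"{n:4d} events under {root}")
    for op, path in outliers:
        print(f"OUT OF SCOPE: {op} {path}")
```

An empty outlier list over a multi-hour capture is what the post's observation predicts; any entry is a path worth looking at by hand.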
