Why does "Windows Games Explorer" attempt to access the internet whenever I launch a game?

Solution 1:

Why is it happening?

This page suggests a plausible reason:

There is an annoying software in Windows 7 called "Games Explorer", which can be started via the button "Games" in the Start Menu. It automatically downloads icons, covers - and other stuff Microsoft deemed useful - from the internet, whenever a game is started.

How to stop it?

I imagine several options (cleanest to dirtiest):

  1. Exclude the executable from the Program Compatibility Assistant (PCA) support.microsoft.com/en-us/kb/2545347.
  2. Disable the Program Compatibility Assistant using the Services panel or via the Group Policy Editor.
  3. Redirect the mentioned hosts to 127.0.0.1. I tried it and it didn't work in my case -- the process just hangs. However, this page suggests it worked for Oblivion.
  4. Restrict access to gameux.dll. This is what I did to "fix" Project Nomads (see below).
  5. Delete C:\Windows\AppPatch\sysmain.sdb. The first link suggests it worked.

I haven't tried #1, #2 and #5.

My experience

I noticed exactly the same problem when Project Nomads (2002) wouldn't start until I turned on the Internet. The game exe file would start rundll32.exe, which in turn ran C:\Windows\System32\gameux.dll, which made a request to 65.55.162.26:443.

I didn't want to experiment with deleting sysmain.sdb as the first link suggests -- maybe some old programs would break? It's a "Compatibility" feature after all.

Instead I took ownership of gameux.dll and removed my user from the access list. Now when I start the game it says Access denied to gameux.dll, I press OK, the rundll32.exe process exits and the game runs with no problem. No requests are performed and the game runs without an Internet connection.

What is going on?

From the Windows Shim Database (SDB) Parser tool page (tzworks.net/prototype_page.php?proto_id=33):

The Application Compatibility framework from Microsoft uses the Shim Database to identify if, and how, an application or DLL should be shimmed during process startup and/or DLL load. The default Shim Database is located at \Windows\AppPatch\sysmain.sdb and can contain thousands of entries for a normal Win7 box.

... the Application Compatibility framework allows installed applications on a Windows box to be patched 'on the fly' (ie. modified without a reboot), and this patch can be used to spawn other processes and/or inject undesired DLLs into the patched application.

I cannot tell for sure, but my only explanation of your comment

the call is from rundll32.exe to a Microsoft-specific host which didn't exist until years after the game in question was developed

is that Windows is injecting that gameux.dll call into our innocent game exe's.

There's a paper, "Malicious Application Compatibility Shims", if you're concerned about security.

P.S. Sorry I had to trick the editor to post >2 links with <10 rep.
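
To confirm on your own machine the chain described in this answer (game exe, then rundll32.exe loading gameux.dll, then an outbound TCP connection), the following is an added example and not part of the original answer. The function names Get-GameuxCaller and Get-TcpByPid are illustrative, and the script assumes it is run while the rundll32.exe process is still alive (for example, while the game is waiting to start).

```powershell
# Added example. Uses only WMI and netstat, so it works with the
# PowerShell 2.0 that ships with Windows 7.

function Get-GameuxCaller {
    # Find rundll32.exe instances whose command line references gameux.dll.
    Get-WmiObject Win32_Process -Filter "Name='rundll32.exe'" |
        Where-Object { $_.CommandLine -match 'gameux\.dll' } |
        ForEach-Object {
            # Resolve the parent process (expected: the game executable).
            $parent = Get-WmiObject Win32_Process -Filter "ProcessId=$($_.ParentProcessId)"
            $parentPath = '<parent already exited>'
            if ($parent) { $parentPath = $parent.ExecutablePath }
            New-Object PSObject -Property @{
                ProcessId   = $_.ProcessId
                CommandLine = $_.CommandLine
                ParentId    = $_.ParentProcessId
                ParentPath  = $parentPath
            }
        }
}

function Get-TcpByPid([int]$ProcessId) {
    # netstat -ano columns: Proto, Local Address, Foreign Address, State, PID
    netstat -ano -p tcp | ForEach-Object {
        $f = $_.Trim() -split '\s+'
        if ($f.Count -eq 5 -and $f[0] -eq 'TCP' -and $f[4] -eq "$ProcessId") {
            New-Object PSObject -Property @{ Remote = $f[2]; State = $f[3] }
        }
    }
}

$callers = @(Get-GameuxCaller)
if ($callers.Count -eq 0) {
    Write-Output 'No rundll32.exe instance is loading gameux.dll right now.'
}
foreach ($c in $callers) {
    Write-Output ("rundll32.exe PID {0}, started by PID {1} ({2})" -f $c.ProcessId, $c.ParentId, $c.ParentPath)
    Write-Output ("  command line: {0}" -f $c.CommandLine)
    # List the TCP endpoints this rundll32.exe instance is talking to.
    Get-TcpByPid $c.ProcessId | ForEach-Object {
        Write-Output ("  remote {0} [{1}]" -f $_.Remote, $_.State)
    }
}
```

Run it from an elevated prompt if the command line or parent path comes back empty, since WMI hides those fields for processes you cannot open.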