Agent.exe - what it really does

so, we've had a few posts in the ban section of ppl claiming that it's agent.exe which is scanning your system, for reasons unknown, these ppl post in the ban section where no one can respond.
whatever, let's get down to it:
i took the time to monitor agent.exe for about 4 hours today on a system which was running wow.exe in 32bit mode, these are the results:


TL/DR; it does NOT scan your system for bots e.g.


What is Agent.exe
Size: roughly 400KB
Type: EXE
Description: Blizzard File Switcher
Digitally signed, issuer Twawte Code Signing CA
This file is downloaded by battle.net client


Where is Agent.exe located?
The Binary lies within %ProgramData%\Battle.net\Agent
Each downloaded agent-version is locate din a Folder named "Agent.BUILD", in my case it's Agent.4150


What does Agent.exe does by runtime?
2 things

1.) It opens wow.exe and checks it's version:

This call is made to determine the version of your wow.exe

On this Request the following DLLs are loaded:

Code:

Agent.exe	0xed0000	0x5a0000	C:\ProgramData\Battle.net\Agent\Agent.4150\Agent.exe	Blizzard Entertainment	1.20.2.4150	19.06.2015 20:19:20
DevDispItemProvider.dll	0x63140000	0x1a000	C:\Windows\SysWOW64\DevDispItemProvider.dll	Microsoft Corporation	6.3.9600.16384 (winblue_rtm.130821-1623)	29.10.2014 03:02:53
sfc_os.DLL	0x63210000	0xf000	C:\Windows\SysWOW64\sfc_os.DLL	Microsoft Corporation	6.3.9600.17415 (winblue_r4.141028-1500)	29.10.2014 04:00:27
AcLayers.DLL	0x63220000	0x277000	C:\Windows\AppPatch\AcLayers.DLL	Microsoft Corporation	6.3.9600.17415 (winblue_r4.141028-1500)	29.10.2014 03:23:44
sfc.dll	0x6d100000	0x3000	C:\Windows\SysWOW64\sfc.dll	Microsoft Corporation	6.3.9600.16384 (winblue_rtm.130821-1623)	22.08.2013 06:13:28
LINKINFO.dll	0x6d110000	0xb000	C:\Windows\SysWOW64\LINKINFO.dll	Microsoft Corporation	6.3.9600.17415 (winblue_r4.141028-1500)	29.10.2014 03:56:41
actxprxy.dll	0x6f2e0000	0x103000	C:\Windows\SysWOW64\actxprxy.dll	Microsoft Corporation	6.3.9600.17840 (winblue_r11.150522-0826)	23.05.2015 04:28:10
MLANG.dll	0x6f4f0000	0x33000	C:\Windows\SysWOW64\MLANG.dll	Microsoft Corporation	6.3.9600.16384 (winblue_rtm.130821-1623)	29.10.2014 02:57:40
apphelp.dll	0x71280000	0xa0000	C:\Windows\SysWOW64\apphelp.dll	Microsoft Corporation	6.3.9600.16384 (winblue_rtm.130821-1623)	29.10.2014 04:00:11
urlmon.dll	0x72730000	0x14a000	C:\Windows\SysWOW64\urlmon.dll	Microsoft Corporation	11.00.9600.16384 (winblue_rtm.130821-1623)	23.05.2015 04:16:32
WINHTTP.dll	0x72880000	0x9f000	C:\Windows\SysWOW64\WINHTTP.dll	Microsoft Corporation	6.3.9600.16384 (winblue_rtm.130821-1623)	29.10.2014 02:56:15
dwmapi.dll	0x72ee0000	0x1a000	C:\Windows\SysWOW64\dwmapi.dll	Microsoft Corporation	6.3.9600.16384 (winblue_rtm.130821-1623)	29.10.2014 02:58:22
PlayToDevice.dll	0x73440000	0x39000	C:\Windows\SysWOW64\PlayToDevice.dll	Microsoft Corporation	12.0.9600.16384 (winblue_rtm.130821-1623)	29.10.2014 02:30:14
iertutil.dll	0x73480000	0x232000	C:\Windows\SysWOW64\iertutil.dll	Microsoft Corporation	11.00.9600.16384 (winblue_rtm.130821-1623)	23.05.2015 05:10:32
WININET.dll	0x736f0000	0x1e4000	C:\Windows\SysWOW64\WININET.dll	Microsoft Corporation	11.00.9600.16384 (winblue_rtm.130821-1623)	23.05.2015 04:20:17
uxtheme.dll	0x738e0000	0xed000	C:\Windows\SysWOW64\uxtheme.dll	Microsoft Corporation	6.3.9600.16384 (winblue_rtm.130821-1623)	29.10.2014 02:48:23
comctl32.dll	0x739e0000	0x206000	C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_a9edf09f013934e0\comctl32.dll	Microsoft Corporation	6.10 (winblue_rtm.130821-1623)	25.04.2015 04:34:19
dlnashext.dll	0x73ca0000	0x6e000	C:\Windows\SysWOW64\dlnashext.dll	Microsoft Corporation	12.0.9600.16384 (winblue_rtm.130821-1623)	29.10.2014 03:29:03
dhcpcsvc6.DLL	0x73f10000	0x13000	C:\Windows\SysWOW64\dhcpcsvc6.DLL	Microsoft Corporation	6.3.9600.16384 (winblue_rtm.130821-1623)	29.10.2014 03:06:03
MPR.dll	0x74090000	0x16000	C:\Windows\SysWOW64\MPR.dll	Microsoft Corporation	6.3.9600.16384 (winblue_rtm.130821-1623)	29.10.2014 03:06:32
rasadhlp.dll	0x74100000	0x8000	C:\Windows\SysWOW64\rasadhlp.dll	Microsoft Corporation	6.3.9600.17415 (winblue_r4.141028-1500)	29.10.2014 03:05:32
fwpuclnt.dll	0x74110000	0x46000	C:\Windows\SysWOW64\fwpuclnt.dll	Microsoft Corporation	6.3.9600.16384 (winblue_rtm.130821-1623)	29.10.2014 02:56:29
DNSAPI.dll	0x74160000	0x7e000	C:\Windows\SysWOW64\DNSAPI.dll	Microsoft Corporation	6.3.9600.16384 (winblue_rtm.130821-1623)	29.10.2014 03:06:23
mswsock.dll	0x741e0000	0x4b000	C:\Windows\SysWOW64\mswsock.dll	Microsoft Corporation	6.3.9600.16384 (winblue_rtm.130821-1623)	29.10.2014 03:06:15
fastprox.dll	0x74230000	0xc4000	C:\Windows\SysWOW64\wbem\fastprox.dll	Microsoft Corporation	6.3.9600.17415 (winblue_r4.141028-1500)	29.10.2014 02:59:19
wbemsvc.dll	0x74300000	0x11000	C:\Windows\SysWOW64\wbem\wbemsvc.dll	Microsoft Corporation	6.3.9600.17415 (winblue_r4.141028-1500)	29.10.2014 03:05:13
wbemcomn.dll	0x74320000	0x66000	C:\Windows\SysWOW64\wbemcomn.dll	Microsoft Corporation	6.3.9600.17415 (winblue_r4.141028-1500)	29.10.2014 03:00:21
wbemprox.dll	0x74390000	0xd000	C:\Windows\SysWOW64\wbem\wbemprox.dll	Microsoft Corporation	6.3.9600.17415 (winblue_r4.141028-1500)	29.10.2014 02:59:38
dhcpcsvc.DLL	0x743a0000	0x14000	C:\Windows\SysWOW64\dhcpcsvc.DLL	Microsoft Corporation	6.3.9600.16384 (winblue_rtm.130821-1623)	29.10.2014 03:05:51
WINNSI.DLL	0x743c0000	0x8000	C:\Windows\SysWOW64\WINNSI.DLL	Microsoft Corporation	6.3.9600.17415 (winblue_r4.141028-1500)	29.10.2014 03:06:17
IPHLPAPI.DLL	0x743d0000	0x20000	C:\Windows\SysWOW64\IPHLPAPI.DLL	Microsoft Corporation	6.3.9600.16384 (winblue_rtm.130821-1623)	29.10.2014 03:06:09
Secur32.dll	0x74460000	0xa000	C:\Windows\SysWOW64\Secur32.dll	Microsoft Corporation	6.3.9600.17415 (winblue_r4.141028-1500)	29.10.2014 03:06:19
PROPSYS.dll	0x74470000	0x13a000	C:\Windows\SysWOW64\PROPSYS.dll	Microsoft Corporation	7.00.9600.17031 (winblue_gdr.140221-1952)	29.10.2014 04:02:22
SHCORE.dll	0x745b0000	0x8b000	C:\Windows\SysWOW64\SHCORE.dll	Microsoft Corporation	6.3.9600.16384 (winblue_rtm.130821-1623)	23.01.2015 04:47:03
bcrypt.dll	0x749c0000	0x1e000	C:\Windows\SysWOW64\bcrypt.dll	Microsoft Corporation	6.3.9600.16384 (winblue_rtm.130821-1623)	29.10.2014 03:05:46
CRYPTSP.dll	0x74a10000	0x19000	C:\Windows\SysWOW64\CRYPTSP.dll	Microsoft Corporation	6.3.9600.17415 (winblue_r4.141028-1500)	29.10.2014 03:06:22
kernel.appcore.dll	0x74a30000	0x9000	C:\Windows\SysWOW64\kernel.appcore.dll	Microsoft Corporation	6.3.9600.17415 (winblue_r4.141028-1500)	29.10.2014 03:04:26
profapi.dll	0x74a40000	0xf000	C:\Windows\SysWOW64\profapi.dll	Microsoft Corporation	6.3.9600.17415 (winblue_r4.141028-1500)	29.10.2014 03:06:11
USERENV.dll	0x74a50000	0x1b000	C:\Windows\SysWOW64\USERENV.dll	Microsoft Corporation	6.3.9600.16384 (winblue_rtm.130821-1623)	29.10.2014 03:00:57
WINSPOOL.DRV	0x74bb0000	0x65000	C:\Windows\SysWOW64\WINSPOOL.DRV	Microsoft Corporation	6.3.9600.16384 (winblue_rtm.130821-1623)	29.10.2014 02:45:14
VERSION.dll	0x74c20000	0x8000	C:\Windows\SysWOW64\VERSION.dll	Microsoft Corporation	6.3.9600.17415 (winblue_r4.141028-1500)	29.10.2014 03:59:45
bcryptPrimitives.dll	0x74c30000	0x54000	C:\Windows\SysWOW64\bcryptPrimitives.dll	Microsoft Corporation	6.3.9600.17415 (winblue_r4.141028-1500)	29.10.2014 03:05:57
CRYPTBASE.dll	0x74c90000	0xa000	C:\Windows\SysWOW64\CRYPTBASE.dll	Microsoft Corporation	6.3.9600.17415 (winblue_r4.141028-1500)	29.10.2014 04:01:15
SspiCli.dll	0x74ca0000	0x1e000	C:\Windows\SysWOW64\SspiCli.dll	Microsoft Corporation	6.3.9600.17415 (winblue_r4.141028-1500)	29.10.2014 03:06:04
SHLWAPI.dll	0x74e00000	0x45000	C:\Windows\SysWOW64\SHLWAPI.dll	Microsoft Corporation	6.3.9600.16384 (winblue_rtm.130821-1623)	29.10.2014 02:43:08
ole32.dll	0x74ee0000	0x128000	C:\Windows\SysWOW64\ole32.dll	Microsoft Corporation	6.3.9600.16384 (winblue_rtm.130821-1623)	29.10.2014 02:47:16
IMM32.DLL	0x75010000	0x27000	C:\Windows\SysWOW64\IMM32.DLL	Microsoft Corporation	6.3.9600.17415 (winblue_r4.141028-1500)	29.10.2014 03:59:48
RPCRT4.dll	0x75080000	0xba000	C:\Windows\SysWOW64\RPCRT4.dll	Microsoft Corporation	6.3.9600.16384 (winblue_rtm.130821-1623)	29.10.2014 03:07:48
CFGMGR32.dll	0x75140000	0x3c000	C:\Windows\SysWOW64\CFGMGR32.dll	Microsoft Corporation	6.3.9600.17415 (winblue_r4.141028-1500)	29.10.2014 03:06:02
msvcrt.dll	0x75350000	0xc3000	C:\Windows\SysWOW64\msvcrt.dll	Microsoft Corporation	7.0.9600.17415 (winblue_r4.141028-1500)	29.10.2014 04:04:30
SETUPAPI.dll	0x75420000	0x1b1000	C:\Windows\SysWOW64\SETUPAPI.dll	Microsoft Corporation	6.3.9600.16384 (winblue_rtm.130821-1623)	29.10.2014 02:43:38
MSCTF.dll	0x755e0000	0x112000	C:\Windows\SysWOW64\MSCTF.dll	Microsoft Corporation	6.3.9600.16384 (winblue_rtm.130821-1623)	14.03.2015 02:53:05
GDI32.dll	0x75870000	0x10e000	C:\Windows\SysWOW64\GDI32.dll	Microsoft Corporation	6.3.9600.17415 (winblue_r4.141028-1500)	29.10.2014 03:10:13
combase.dll	0x75990000	0x17d000	C:\Windows\SysWOW64\combase.dll	Microsoft Corporation	6.3.9600.16384 (winblue_rtm.130821-1623)	29.10.2014 03:06:12
NSI.dll	0x75b10000	0x7000	C:\Windows\SysWOW64\NSI.dll	Microsoft Corporation	6.3.9600.17415 (winblue_r4.141028-1500)	29.10.2014 04:03:31
PSAPI.DLL	0x75b20000	0x6000	C:\Windows\SysWOW64\PSAPI.DLL	Microsoft Corporation	6.3.9600.17415 (winblue_r4.141028-1500)	29.10.2014 03:06:26
SHELL32.dll	0x75b30000	0x12ac000	C:\Windows\SysWOW64\SHELL32.dll	Microsoft Corporation	6.3.9600.17031 (winblue_gdr.140221-1952)	12.02.2015 05:51:27
sechost.dll	0x76de0000	0x41000	C:\Windows\SysWOW64\sechost.dll	Microsoft Corporation	6.3.9600.16384 (winblue_rtm.130821-1623)	20.03.2015 05:20:59
USER32.dll	0x76ef0000	0x153000	C:\Windows\SysWOW64\USER32.dll	Microsoft Corporation	6.3.9600.16384 (winblue_rtm.130821-1623)	29.10.2014 03:04:32
KERNELBASE.dll	0x77050000	0xd7000	C:\Windows\SysWOW64\KERNELBASE.dll	Microsoft Corporation	6.3.9600.17031 (winblue_gdr.140221-1952)	29.10.2014 04:03:10
clbcatq.dll	0x77130000	0x8d000	C:\Windows\SysWOW64\clbcatq.dll	Microsoft Corporation	2001.12.10530.17415 (winblue_r4.141028-1500)	29.10.2014 02:44:51
OLEAUT32.dll	0x771c0000	0x95000	C:\Windows\SysWOW64\OLEAUT32.dll	Microsoft Corporation	6.3.9600.17560	19.12.2014 06:49:55
ADVAPI32.dll	0x77300000	0x7c000	C:\Windows\SysWOW64\ADVAPI32.dll	Microsoft Corporation	6.3.9600.16384 (winblue_rtm.130821-1623)	29.10.2014 03:57:48
wow64.dll	0x773d0000	0x4b000	C:\Windows\SYSTEM32\wow64.dll	Microsoft Corporation	6.3.9600.17734 (winblue_r9.150319-1700)	20.03.2015 06:10:50
wow64win.dll	0x77420000	0x68000	C:\Windows\system32\wow64win.dll	Microsoft Corporation	6.3.9600.16520 (winblue_gdr.140127-0329)	27.01.2014 21:53:11
wow64cpu.dll	0x77490000	0x9000	C:\Windows\system32\wow64cpu.dll	Microsoft Corporation	6.3.9600.17734 (winblue_r9.150319-1700)	20.03.2015 06:10:52
ntdll.dll	0x774a0000	0x16e000	C:\Windows\SysWOW64\ntdll.dll	Microsoft Corporation	6.3.9600.17031 (winblue_gdr.140221-1952)	23.03.2015 00:31:30
ntdll.dll	0x7ff92ddc0000	0x1ac000	C:\Windows\SYSTEM32\ntdll.dll	Microsoft Corporation	6.3.9600.17031 (winblue_gdr.140221-1952)	23.03.2015 00:33:26

you can see those are all Microsoft DLLs, not any blizzard internals

2.) it does connect o a local port and sends data
this call is made from [::1]:1120 -> [::1]:11791
this is just a TCP/IP Connection with the following metadata:

Code:

Length:	619
startime:	4532013
endtime:	4532013
seqnum:	0
connid:	0

Now for the funny part and why this is all such bogus:
Abour every hour, Agent.exe does the following things:


Query the Registry at HKLM\System\CurrentControlSet\Tcpip\Parameters\
This Squence finds a connected LAN Adapter. (followed by a few checks on dhcp and such stuff)

It then goes for REGISTRY: HKCU\Software\Microsft\Windows\CurrentVersion\InternetSettings\Connections
This obtains the winhttp settings such as connection type and proxy
After this the Registry Thread is closed and a new one's opened.

Now Agent.exe opens a remote connection to a US-IP(mine was strating with 12.0.0.0) at port 1119
This is infact a blizzard IP and a blizzard port, ref in Battle.Net FAQ
Yes, you may need to open an additional port (1119) to log in to World of Warcraft using a Battle.net account.

The agent creates a new File (LOGFILE [sic!]) in %ProgramData%\Battle.net\Agent\Agent.BUILD\Logs
You can now open these logs for yourself.

After this, the following happens:
battlenet dir in Programdata is being queried, files are read and checked for creation date and version (self-update)
battlent installation dir is parsed
battlenet installation logs dir is parsed
all files in battl.net are checked for outdated/non original stuff
This data is now transmitted

Now agent.exe parses your WoW Directory
Yes, you've heard right.

The following files and folders are check in that manner:
\WoW.exe (for several times)
\Cache\* (ALL files in cache!)
\Data\* (ALL FILES IN DATA - CASC Database)
\Errors\*
\Interface\* (Yes, your addons as well!)
\Logs\*
\*.dll (dlls in wow root)
\Screenshot\*
\Utils\*
\WTF\*

These are just basic QueryOpenFile and QuerySecurityFile Operations, nothing to worry about. I guess the updater is just checking if all files are in place.
Followed, now \Data\data\<int>.idx and \Data\data\data.<int> and \Data\indices\<hash> files are scanned, all the same QuerySecuritfyFile & CloseFile crap again.
after a last open of wow.exe, agent.exe is finished and does not touch ANY OTHER DIR


So, what did we just saw here - well, let's look into the LOG Agent.exe did because it's such a nice application:

There are 4 logfiles:

Agent-*.log
AgentNGDP-*.log
curl*.log
Queue*.Log

Important: i've masked out many lines since these logs contain confidential information!


Agent*.log:
This is basicly a logfile of obtaining the latest wow version from battlenet cdn servers:

Code:

16:24:33.3000 New versioner created - battle.net.
16:24:33.3035 Agent::Product::LaunchGameSession() - Begin Waiting
16:24:33.3037 Agent::Product::LaunchGameSession() - End Waiting
16:24:33.4176 Launched J:/Battle.net/Battle.net.exe as PID: XXXX with --switcherall
**********************************************
16:24:33.5217 Firing Event: "database flush event"
16:24:33.5220 Handle Event: "database flush event"
16:24:33.5221 Request POST /gamesession
...

	"uid" : "battle.net"
}
Response 200 (XXX ms): {
	"response_uri" : "/gamesession/battle.net"
}
16:24:33.5290 Request GET /version/battle.net
Response 200 (1.0408 ms): {
	"state" : XXX,
	"local_version" : "1.2.9.5942",
	"playable" : true,
	"needs_rebase" : false,
	"current_version" : XXX,
	"build" : XXX,
	"patch_application_complete" : true,
	"download_complete" : true,
	"background_download_available" : false,
	"background_download_complete" : true,
	"loose_file_patching_complete" : true,
	"baseline" : ""
}
16:24:33.5345 Request GET /gamesession/wow_engb
Response 200 (0.0943 ms): {
	"1" : {
		"request_id" : XXX,
		"pid" : XXX,
		"pid_path" : "",
		"binary_type" : "game"
	}
}
16:24:34.0195 GameProcessManager - UPDATE:
	 Stored was - uid:battle.net, pid:XXX, parent pid:XXX, pid path:.
	 Updating to - uid:battle.net, pid:XXX, parent pid:XXX, pid path:X:\Battle.net\Battle.net.XXXX\Battle.net.exe.
16:24:34.1622 Firing Event: "database flush event"
16:24:34.1624 Handle Event: "database flush event"
16:24:34.1626 Request GET /agent
Response 200 (XXX ms): {
	"update" : {},
	"install" : {},
	"backfill" : {},
	"pid" : XXX,
	"user_id" : "XXX",
	"state" : XXX,
	"playable" : true,
	"patch_application_complete" : true,
	"download_complete" : true,
	"installed" : true,
	"version" : "XXX",
	"region" : "eu",
	"type" : "retail",
	"opt_in_feedback" : true,
	"session" : "XXX",
	"authorization" : "XXX"
}
16:24:34.1685 Request POST /agent
{
	"opt_in_feedback" : true
}
Response 200 (0.0115 ms): {}
16:24:34.1726 Request POST /game/battle.net
{
	"opt_in_feedback" : true
}
Response 200 (0.0926 ms): {}
16:24:34.1765 Request Issued to non-existent Uri: POST - /game/client
16:24:34.1801 Request GET /gamesession
Response 200 (0.1925 ms): {
	"wow_dede" : {
		"1" : {
			"request_id" : XXX,
			"pid" : XXX,
			"pid_path" : "",
			"binary_type" : "game"
		}
	},
	"battle.net" : {
		"1" : {
			"request_id" : XXX,
			"pid" : XXX,
			"pid_path" : "",
			"binary_type" : "game"
		},
		"2" : {
			"request_id" : XXX,
			"pid" : XXX,
			"pid_path" : "X:\\Battle.net\\Battle.net.XXX\\Battle.net.exe",
			"binary_type" : "game"
		}
	}
}

This log goes on and on for a very long time, basicly you're just watching battlenet looking for an update


AgentNGDP-*.log
This is a short long and tbh i got no ida what use it serves
You can see some blizz IPs and the windows version

Code:

16:24:42.7291 {d50} INF: Add new Host addr=YYY, port=80, name=dist.blizzard.com.edgesuite.net, proxy=false
16:24:42.7294 {d50} INF: Add new Host addr=YYY, port=80, name=dist.blizzard.com.edgesuite.net, proxy=false
16:24:43.4174 {139c} INF: Initialization step - FETCHING_BUILD_CONFIG
16:24:43.4177 {139c} INF: Initialization step - FETCHING_PATCH_MANIFEST
16:24:43.4181 {139c} INF: Initialization step - FETCHING_ENCODING_TABLE
16:24:43.4778 {139c} WRN: unrecognized tag 'Windows'
16:24:43.4869 {139c} WRN: invalid tag in tag query 'Windows x86_32 x86_64 EU? brBR speech?:Windows x86_32 x86_64 EU? brBR text?:Windows x86_32 x86_64 EU? zhCN speech?:Windows x86_32 x86_64 EU? zhCN text?'
16:24:43.8336 {15b4} INF: NGDP initialization - (archive: false, cache: true, Async: true)

not interesting at all

curl*.log

Code:

16:24:29.7998 Queue Request for http://enGB.patch.battle.net:XXX/patch : handle - XXX, index - 0, running - 0
16:24:29.8309 Queue Request for http://iir.blizzard.com:XXX/submit/BNET_APP : handle - XXX, index - 1, running - 0
16:24:30.1047 OnComplete: handle - 0x007defd0, result - 0, running - 2, request - found
16:24:30.1056 Queue Request for http://public-test.patch.battle.net:1119/patch : handle - XXX, index - 2, running - 0
16:24:30.4631 OnComplete: handle - 0x00762330, result - 0, running - 2, request - found
16:24:30.6931 OnComplete: handle - 0x007defd0, result - 0, running - 1, request - found

just curl minding his own business, still not fancy - well let's hope the Queue Log proves this big conspiracy theory...

Queue-*.log

Code:

16:24:41.9744 Queuing /update/wow_brbr
16:24:41.9746 Insert to Queue at HEAD
16:24:41.9770 Start Queued Task 'Update wow_brbr'
16:25:49.9526 Remove /update/wow_brbr from Queue
16:25:49.9527 Remove (stop) Task Update wow_brbr
16:25:49.9531 Removed HEAD item from Queue

Bummer.




Conculsion: i've just wasted 10 minutes of your life telling and showing you that Agent.exe is nothing tricky to scan your system.
Thanks for your time.
If you like to prove me wrong grab ProcessExplorer from sysinternals and monitor it for yourself.

Have fun!


PS: NIIIINJA PATCH!!!

 

Fortunately, those of us who don't keep tinfoil handy and are blessed with uncommon sense, figured as much.

I'd thank you for taking the time to do this but....

Well if for nothing other than stopping bogus threads and the dissemination of more misinformation.

 

Thanks for the research! Interesting information.

Is agent.exe involved in sending crashreport?

 

nope, it's not.
the file handling this is located in the same folder

%ProgramData%\Battle.net\Agent\BlizzardError.exe

 

Well if it scans your screenshots.....hopefully people dont have any screenshots of the HB overlay, which Im not sure if that even show up on a screenshot, though it would make sense that it does. And if they are looking at your screenshots and thats there...then boom they know your botting. Thats the only thing I can think of.

 

It just iterates through tge directory, i havnt been able to seen it read any actual data

/edit: On my System i got about 1k screenshots and all of them were parsed within 0.5 seconds, thats way to fast to "look" at the images

 

Thanks for the clarification, you rock!

better to be asking question that to be sorry and ignorant

 

Mate, that was fascinating!

Very informative read, thanks for sharing without being patronising!

 

thanks alot roboto, awesome!

 

thanks roboto! Is very interesting your report

 

A suspicious mind is a healthy mind!

 

Domo arigato, Mr. Roboto.

 

Thanks for that, roboto.

 

pretty funny that anyone thought this was a big discovery and that the hb guys could miss something as obvious as a separate process, it's like an insult to their ability

 

well this is what the agent exe does now! ;-)

 

Awesome! You are correct that is pretty quick to be able to see any screenshots, that would have been my only worry about that, I mean unless they have a way to extract those images to a directory as they get parsed, then it shouldn't be a problem. Everyone who knows code knows mostly anything is possible with the right coding . But 0.5 seconds isnt a lot of time to recover any actual viewable images.

 

Roboto , can you please tell us about the thing in the processes named: wow proxy?
appreciate your help

ps: amazing efforts and amazing topic cheers <3

 

will do

 

well, we've always known what it is, it's the part of blizzard launcher that allows p2p downloads of your new games and updates.

still it's kind of upsetting it scans interface and wtf folders, hope it's not sending back any info about them. certainly some bots use one or both of addons and macros.

 

Thanks Roboto... this Was also a concern of mine.