Decrypting the smart card minidriver auto-installation process

How to capture Microsoft Update traffic?

  1. Install Fiddler
  2. Enable HTTPS decryption (Tools -> Fiddler Options -> HTTPS)
  3. Force the WinHTTP proxy
    netsh winhttp set proxy
    (reverse: netsh winhttp reset proxy)
  4. Add the Fiddler root CA to the “computer trusted root store”

Windows+R -> mmc.exe -> add snap-in -> Certificates -> add “personal” and “computer”. Locate the “DO NOT TRUST” certificate in personal -> trusted root and copy it to computer -> trusted root.

Protocol overview

  1. call “
  2. call “
  3. download the .cab representing the driver

Reference: MS-WUSP: Windows Update Services: Client-Server Protocol Specification

Matching ATR

The SyncUpdates function sends all the information about the installed drivers. However, a new device is included in the SOAP query:

   <HardwareIDs soapenc:arrayType="xsd:string[1]">
     <MatchingID xsi:nil="1"/>
     <Class xsi:nil="1"/>
     <Manufacturer xsi:nil="1"/>
     <Provider xsi:nil="1"/>
     <Model xsi:nil="1"/>

Please note that CID_805100611030 matches the historical bytes of the ATR of the smart card (3bd6180081b1807d1f038051006110308f) as described in the Minidriver specifications v7, Appendix D.1.
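
The mapping from ATR to CID can be checked by parsing the ATR according to ISO/IEC 7816-3. The following is an added example, not code from the original page or from Microsoft; the function names `parse_atr` and `card_id` are hypothetical, and the lowercase hex rendering of the identifier is an assumption.

```python
# Added example: extract the historical bytes from an ISO/IEC 7816-3 ATR
# and build the "CID_" identifier seen in the SyncUpdates query.

def parse_atr(atr_hex):
    """Return (historical_bytes, protocols, tck_ok) for an ATR given as hex."""
    atr = bytes.fromhex(atr_hex)
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("bad TS byte, not an ATR")
    k = atr[1] & 0x0F          # T0 low nibble: number of historical bytes
    y = atr[1] >> 4            # T0 high nibble: which of TA1..TD1 follow
    pos = 2
    protocols = set()
    while True:
        pos += bin(y & 0x07).count("1")   # skip TAi, TBi, TCi if present
        if not y & 0x08:                  # no TDi: interface bytes end here
            break
        if pos >= len(atr):
            raise ValueError("truncated ATR (interface bytes)")
        td = atr[pos]
        pos += 1
        protocols.add(td & 0x0F)          # protocol number T announced by TDi
        y = td >> 4                       # presence bitmap for the next group
    if pos + k > len(atr):
        raise ValueError("truncated ATR (historical bytes)")
    historical = atr[pos:pos + k]
    pos += k
    tck_ok = None                         # TCK is absent when only T=0 is used
    if protocols - {0}:
        if pos >= len(atr):
            raise ValueError("truncated ATR (missing TCK)")
        x = 0
        for b in atr[1:pos + 1]:          # XOR of T0..TCK must be zero
            x ^= b
        tck_ok = (x == 0)
        pos += 1
    if pos != len(atr):
        raise ValueError("unexpected trailing bytes")
    return historical, protocols, tck_ok

def card_id(atr_hex):
    """Build the CID_ string from the historical bytes (hex case is assumed)."""
    historical, _, tck_ok = parse_atr(atr_hex)
    if tck_ok is False:
        raise ValueError("ATR checksum (TCK) mismatch")
    return "CID_" + historical.hex()

if __name__ == "__main__":
    # ATR quoted on this page
    print(card_id("3bd6180081b1807d1f038051006110308f"))
```
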