Decrypting the smart card minidriver auto-installation process

How to capture Microsoft Update traffic?

  1. Install Fiddler
  2. Enable HTTPS decryption (Tools -> Fiddler Options -> HTTPS)
  3. Force the WinHTTP proxy (the Windows Update client uses WinHTTP, not the user's Internet Explorer proxy settings)
    netsh winhttp set proxy 127.0.0.1:8888
    (reverse: netsh winhttp reset proxy)
  4. Add the Fiddler root CA to the computer's Trusted Root store

Windows+R -> mmc.exe -> Add Snap-in -> Certificates -> add both "My user account" (Personal) and "Computer account". Locate the "DO_NOT_TRUST_FiddlerRoot" certificate under the user's Personal -> Trusted Root Certification Authorities and copy it to Computer -> Trusted Root Certification Authorities.

Protocol overview

  1. Call http://www.microsoft.com/SoftwareDistribution/Server/ClientWebService/SyncUpdates
  2. Call http://www.microsoft.com/SoftwareDistribution/Server/ClientWebService/GetExtendedUpdateInfo
  3. Download the .cab representing the driver

Reference: MS-WUSP: Windows Update Services: Client-Server Protocol Specification

Matching ATR

The SyncUpdates call sends all the information about the drivers already installed. However, when a smart card is inserted, a new device is included in the SOAP query:

 <Device>
   <HardwareIDs soapenc:arrayType="xsd:string[1]">
     <string>SCFILTER\CID_805100611030</string>
   </HardwareIDs>
   <CompatibleIDs></CompatibleIDs>
   <installedDriver>
     <MatchingID xsi:nil="1"/>
     <DriverVerDate>1950-08-21</DriverVerDate>
     <DriverVerVersion>0</DriverVerVersion>
     <Class xsi:nil="1"/>
     <Manufacturer xsi:nil="1"/>
     <Provider xsi:nil="1"/>
     <Model xsi:nil="1"/>
    </installedDriver>
 </Device>

Please note that the CID_805100611030 matches the historical bytes of the smart card's ATR (3bd6180081b1807d1f038051006110308f), as described in the Minidriver specifications v7, Appendix D.1. The historical bytes are the last six bytes before the TCK check byte: 80 51 00 61 10 30.
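As an added example (not code from the original post), the following Python derives the SCFILTER\CID_ hardware ID from a raw ATR by walking the ISO/IEC 7816-3 interface-byte chain until it reaches the historical bytes, and also validates the trailing TCK. It assumes the ID format seen in the captured SOAP request above; the function names are my own.

```python
"""Added example: derive the SCFILTER\\CID_ hardware ID that the Windows
Update client sends in SyncUpdates from a raw ATR, by extracting the
historical bytes per ISO/IEC 7816-3. ID format taken from the SOAP sample."""

ATR_EXAMPLE = "3bd6180081b1807d1f038051006110308f"  # the ATR quoted in the post


def historical_bytes(atr: bytes) -> bytes:
    """Walk the TA/TB/TC/TD interface-byte groups and return the K historical bytes."""
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("not an ATR (bad length or TS byte)")
    y = atr[1] >> 4        # Y1: presence bits of TA1..TD1 (bit0=TA, bit3=TD)
    k = atr[1] & 0x0F      # K: number of historical bytes
    pos = 2
    while True:
        count = bin(y).count("1")          # interface bytes present in this group
        if pos + count > len(atr):
            raise ValueError("ATR truncated inside interface bytes")
        if not y & 0x08:                   # no TDi present: the chain ends here
            pos += count
            break
        y = atr[pos + count - 1] >> 4      # TDi is last in its group; high nibble is Y(i+1)
        pos += count
    hist = atr[pos:pos + k]
    if len(hist) != k:
        raise ValueError("ATR truncated inside historical bytes")
    return hist


def tck_valid(atr: bytes) -> bool:
    """True when T0..TCK XOR to zero. Only meaningful for ATRs that carry a TCK,
    i.e. that offer a protocol other than T=0 (the post's ATR offers T=1 and T=15)."""
    x = 0
    for b in atr[1:]:
        x ^= b
    return x == 0


def hardware_id(atr_hex: str) -> str:
    """Build the SCFILTER hardware ID in the form seen in the captured request."""
    atr = bytes.fromhex(atr_hex)
    return "SCFILTER\\CID_" + historical_bytes(atr).hex().upper()


if __name__ == "__main__":
    print(hardware_id(ATR_EXAMPLE), "TCK ok:", tck_valid(bytes.fromhex(ATR_EXAMPLE)))
```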