I’ve noticed the ‘high’ CPU / Memory usage on the GWCtlSrv.exe (since all it should do is log all requests and process requests from the Glasswire.exe) and I was wondering what it was doing.
I fired up procmon (technet.microsoft [DOT] com/en-gb/sysinternals/processmonitor) to log all system calls it is doing with a filter on GWCtlSrv.exe and see it’s constantly querying the system (though no notifications are shown).
Most notably the following lines:
- Read hosts file
13:40:09,5409144 GWCtlSrv.exe 10172 CreateFile C:\Windows\System32\drivers\etc\hosts SUCCESS Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
- Read registry regarding Internet configuration (there are a lot of these)
13:40:09,5413551 GWCtlSrv.exe 10172 RegCreateKey HKLM\Software\WOW6432Node\Microsoft\windows\CurrentVersion\Internet Settings\Connections SUCCESS Desired Access: Query Value, Disposition: REG_OPENED_EXISTING_KEY
- Read registry regarding DNS/DHCP settings.
- Read svchost.exe attributes
13:44:42,0891895 GWCtlSrv.exe 10172 CreateFile C:\Windows\System32\svchost.exe SUCCESS Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
- Read / list CatRoot & CatRoot2
13:44:42,0838822 GWCtlSrv.exe 10172 CreateFile C:\Windows\System32\CatRoot NAME COLLISION Desired Access: Read Data/List Directory, Synchronize, Disposition: Create, Options: Directory, Synchronous IO Non-Alert, Open Reparse Point, Attributes: N, ShareMode: Read, Write, AllocationSize: 0
But I did configure Glasswire to only monitor my traffic. So the following Glasswire settings are ON:
- First Network Activity
- While you were away
- Internet access monitor
- Remote Glasswire connections
So the following settings are OFF:
- Suspicious host monitor
- DNS server settings Monitor
- Proxy Settings Monitor
- ARP Spoofing Detection
- Application Info Monitor
- Device List Monitor
- System File Monitor
- [PRO] Network Device Monitor
- [PRO] Camera and mic Monitor
I did a clean install (Uninstall & Clean with geekuninstaller => Reboot => Install => Reboot => Change settings => Reboot) and installed it in a virtual machine so it must be a bug.
System information:
- System 1
Windows 10 Pro version 1703 (OS Build 15063.540)
Glasswire 1.2.109
Firewall disabled, other settings as above
- Virtual Machine
Windows 10 Pro Insider Preview version 1703 (OS Build 16251.0)
Glasswire 1.2.109
Firewall Enabled, other settings as above
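
One way to quantify the polling described in this post, as an added example that is not part of the original post and not GlassWire's code: it parses Procmon lines in the space-separated layout quoted above and counts GWCtlSrv.exe events per resource group, with the time span they cover. The group names, regexes and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Result strings: the two seen in the post plus one other common Procmon result.
RESULTS = r"SUCCESS|NAME COLLISION|NAME NOT FOUND"
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2},\d+) (?P<proc>\S+) (?P<pid>\d+) (?P<op>\S+) "
    r"(?P<path>.+?) (?P<result>" + RESULTS + r") (?P<detail>Desired Access:.*)$"
)
# Buckets mirror the four groups listed in the post, matched on the path.
GROUPS = [
    ("hosts file", r"\\drivers\\etc\\hosts$"),
    ("internet settings (registry)", r"\\Internet Settings(\\|$)"),
    ("svchost.exe attributes", r"\\svchost\.exe$"),
    ("CatRoot / CatRoot2", r"\\CatRoot2?(\\|$)"),
]

def to_seconds(stamp):  # 'HH:MM:SS,fffffff' -> seconds since midnight
    hms, frac = stamp.split(",")
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s + float("0." + frac)

def classify(path):
    for name, pattern in GROUPS:
        if re.search(pattern, path, re.IGNORECASE):
            return name
    return "other"

def summarize(lines, process="GWCtlSrv.exe"):
    """Return {group: (event_count, seconds_from_first_to_last_event)}."""
    times = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m["proc"].lower() == process.lower():
            times[classify(m["path"])].append(to_seconds(m["time"]))
    return {g: (len(t), round(max(t) - min(t), 3)) for g, t in times.items()}

# Constructed sample in the post's line layout (details shortened).
SAMPLE = [
    r"13:40:09,5409144 GWCtlSrv.exe 10172 CreateFile C:\Windows\System32\drivers\etc\hosts SUCCESS Desired Access: Read Attributes",
    r"13:40:11,5409144 GWCtlSrv.exe 10172 CreateFile C:\Windows\System32\drivers\etc\hosts SUCCESS Desired Access: Read Attributes",
    r"13:40:09,5413551 GWCtlSrv.exe 10172 RegCreateKey HKLM\Software\WOW6432Node\Microsoft\windows\CurrentVersion\Internet Settings\Connections SUCCESS Desired Access: Query Value",
    r"13:44:42,0838822 GWCtlSrv.exe 10172 CreateFile C:\Windows\System32\CatRoot NAME COLLISION Desired Access: Read Data/List Directory",
    r"13:44:42,0891895 GWCtlSrv.exe 10172 CreateFile C:\Windows\System32\svchost.exe SUCCESS Desired Access: Read Attributes",
    r"13:44:43,0000000 explorer.exe 4321 CreateFile C:\Windows\System32\drivers\etc\hosts SUCCESS Desired Access: Read Attributes",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Comparing the per-group counts from a capture taken with a monitor switched on against one taken with it switched off shows whether the setting changes what the service reads.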