
Possible evidence of Epic games launcher monitoring computer activity

Shifty

Member
Some information recently surfaced on Imgur that suggests the Epic Games Launcher may be gathering data from PCs it's installed on.

The evidence consists of an image with various screenshots of Sysinternals Process Monitor and Fiddler (a network monitor) showing some potentially questionable activity from the Epic Games Launcher executable.

So far internet punditry seems to be addressing it at (somewhat non-technical) face value:

Kadayi sent it my way and suggested I break it down from a programmer's perspective. Since we've had a rush on Daily Mail-style thread titles lately I figured it'd be good to buck the trend and pick it apart, see if there's actually anything to this idea.

The image has a pretty heavy bias, so for the sake of mitigating outrage and hot takes I'll include it at the bottom. Any non-bulleted stuff is speculation, so I welcome fellow technically-minded gaffers to correct me if there are known harmless behaviours going on here.

Allegations thus far
  • System certificate file reading
  • Root certificate registry reading
  • Internet Explorer registry key reading
  • Scraping of third-party processes and their install directories
  • DLL creation in third-party program directories
  • Accessing Windows' built-in Location Awareness service
  • User tracking via web domains and scripts

System certificate file reading
  • EGL is accessing certificates, certificate revocation lists and certificate trust lists
    • (Stored in %AppData%\Roaming\Microsoft\SystemCertificates\My\)
  • These are the user's personal certificates, created either manually by developers or automatically on behalf of the user by software, and used for various security-related things such as accessing remote services and signing code, among other things
  • Based on the image, it...
    • Executes a CreateFile request to make sure the directory exists (common error-checking practice)
    • Executes two QueryDirectory calls
      • One to get any files in the directory
      • One to get any subdirectories in the directory
    • Iterates over the found files and directories and executes...
      • QueryStandardInformationFile to get details such as its size and filesystem state
      • ReadFile to read data from the file into memory
      • CloseFile to close the file and release its read handle
This is not standard practice. If EGL needed to use a certificate to access its services, it would create it on first run and cache its location in a config file, not read the user's entire collection.

Root certificate registry reading
  • EGL then goes on to access the equivalent system certificates
    • (Stored in the registry at HKLM\SOFTWARE\Microsoft\SystemCertificates\Root)
  • These are built-in certificates that ship with Windows and are provided by Microsoft, or in some cases by companies that deploy their own Windows installations internally
  • Based on the image, it executes...
    • RegQueryKey on HKLM (HKEY_LOCAL_MACHINE) to make sure it exists
    • RegOpenKey on HKLM\Software\Microsoft\SystemCertificates\Root to determine its contents
    • A series of RegQueryKey and RegEnumKey on HKLM\Software\Microsoft\SystemCertificates\Root\Certificates to determine its contents
    • A series of RegOpenKey, RegQueryValue, RegCloseKey on any found certificates to open them, read their contents into memory, and close them
This is definitely not standard practice. If you need to use these, Windows will take care of it automatically through its networking protocols.

Internet Explorer registry key reading
  • EGL accesses and reads from the registry key at HKCR\CLSID\{06eee834-461c-42c2-8dcf-1502b527b1f9}\Instance\PropertySetStorage
  • This contains various settings pertaining to "URL Shortcut PropSetStorage Mapping" for ieframe.dll, a.k.a. Internet Explorer Frame - the embedded IE used when certain programs need to render web content inline without using a third-party solution like Chromium
This is somewhat baffling given that, based on Epic's response to the Steam data scraping controversy, EGL uses Chromium to render the majority of its UI. It has no reason to care about Internet Explorer, so why is it poking around in its registry entry?

Third-party program scraping
  • EGL queries the Windows API for running processes, then locates their install directories
  • It then executes QueryNameInfo on their .exe, presumably to read a sanitized file path into memory
It's possible that this is used for integration with other applications, but typically (as in the case of Steam) those applications expose APIs that allow their functionality to be accessed in a secure and sandboxed way if they intend for their data to be used by third-party software.

DLL file creation
  • Based on the image, EGL creates a file called shcore.dll in one of the directories found while scraping the filesystem for third-party programs. The program in question is Fiddler - a network monitor unaffiliated with EGL that does not ship with a copy of shcore.dll
  • shcore.dll (a.k.a. "Shell Core") is a built-in Windows DLL that appears to contain parts of Windows' UI functionality, such as per-monitor DPI scaling.
As you may be aware if you've modded PC games, adding a DLL alongside an existing .exe will cause it to override the system version of that DLL and effectively intercept any calls made to the functions therein - software like ReShade or Special K uses this method to 'hook in' to the DirectX subsystem and modify functionality to allow for user customization.

Since the only documented functionality in shcore.dll is per-monitor DPI awareness, this looks very suspect. EGL has no reason to modify the way other applications handle their DPI scaling, and if it were intended as a solution to in-game overlays it would be hooking a DirectX DLL instead.

If anything, this looks like an attempt to add a common entry-point to existing applications in order to execute some unknown code.

Accessing Windows' built-in Network Location Awareness service
  • EGL uses RegCreateKey to access HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness
  • This service assigns a security profile based on whether the device is connected to a public or private network
  • Other interactions with this registry key aren't shown in the image
Not much to see here. EGL wants to know whether the user is on a private or public network. Could be to determine whether or not certain connections can be made, could be for something else.

User tracking via web domains and scripts
  • The author of the image used Fiddler to monitor EGL's network traffic, and found that it accesses two tracking URLs - tracking.epicgames.com, and tracking.unrealengine.com
  • Both of these domains serve tracking scripts to EGL in JavaScript format
This appears to be the least-suspicious part of EGL's behaviour, as tracking is commonplace in the web industry. Many websites serve these kinds of scripts to 'phone home' and notify some service (ex. Google Analytics) that the site was visited by a user, along with various anonymous data. EGL uses Chromium to render its UI, so this stuff comes with the territory.

It's worth noting that pre-Epic Store, the Epic Launcher had an option to disable analytics. I'm not sure if this is the case now.

Evidence said:
Imgur Source - Evidence of Epic games launcher monitoring computer activity. I don't know if this has been posted yet, kinda hoping it's all fake. Big if true.
 
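As an added illustration (not code from the thread, from the image's author or from Epic), here is a Python triage pass over a Process Monitor CSV export that surfaces two of the behaviours the OP walks through: a DLL newly created in a directory that belongs to a different program (the shcore.dll-in-Fiddler case) and any access to the user or root certificate stores. The sample rows, the CSV column layout and all paths are constructed for the example.

```python
"""Triage a Process Monitor CSV export for two behaviours described in the OP:
DLLs newly written into another program's directory, and certificate-store access."""
import csv
import io
import ntpath

# Constructed sample in Procmon's CSV export column layout (layout assumed); not the thread's capture.
SAMPLE_CSV = r""""Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01","EpicGamesLauncher.exe","4242","CreateFile","C:\Users\u\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates","SUCCESS","Desired Access: Read Data/List Directory, Disposition: Open, OpenResult: Opened"
"10:00:02","EpicGamesLauncher.exe","4242","RegEnumKey","HKLM\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates","SUCCESS","Index: 0"
"10:00:03","EpicGamesLauncher.exe","4242","CreateFile","C:\Program Files\Fiddler\shcore.dll","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf, OpenResult: Created"
"10:00:04","EpicGamesLauncher.exe","4242","CreateFile","C:\Launcher\Win64\shcore.dll","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf, OpenResult: Created"
"10:00:05","Fiddler.exe","1111","CreateFile","C:\Program Files\Fiddler\Fiddler.exe","SUCCESS","Desired Access: Read Data, Disposition: Open, OpenResult: Opened"
"10:00:06","EpicGamesLauncher.exe","4242","CreateFile","C:\Launcher\Win64\EpicGamesLauncher.exe","SUCCESS","Desired Access: Read Data, Disposition: Open, OpenResult: Opened"
"""

STORE_MARKER = "\\microsoft\\systemcertificates\\"  # both the file store and the registry store contain this

def parse_rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def owned_dirs(rows):
    """Map directory -> process name, learned from each process opening its own image file
    (a rough proxy for 'this directory belongs to that program')."""
    owned = {}
    for r in rows:
        if r["Operation"] == "CreateFile" and ntpath.basename(r["Path"]).lower() == r["Process Name"].lower():
            owned.setdefault(ntpath.dirname(r["Path"]).lower(), r["Process Name"])
    return owned

def triage(rows):
    """Return (kind, process, subject, owner) tuples that deserve a human look."""
    owned, findings, seen_stores = owned_dirs(rows), [], set()
    for r in rows:
        proc, path, low = r["Process Name"], r["Path"], r["Path"].lower()
        # A DLL freshly created in a directory a different program owns is the
        # classic search-order hijack setup; a DLL written into the writer's own directory is not flagged.
        if r["Operation"] == "CreateFile" and low.endswith(".dll") and "OpenResult: Created" in r["Detail"]:
            owner = owned.get(ntpath.dirname(low))
            if owner is None or owner.lower() != proc.lower():
                findings.append(("dll_drop_foreign_dir", proc, path, owner))
        # Any touch of a certificate store, file-backed or registry-backed, once per process+store.
        if STORE_MARKER in low:
            store = low.split(STORE_MARKER, 1)[1].split("\\")[0]
            if (proc, store) not in seen_stores:
                seen_stores.add((proc, store))
                findings.append(("cert_store_access", proc, store, None))
    return findings
```

Running `triage(parse_rows(SAMPLE_CSV))` on the constructed rows reports the My and Root store accesses once each and the shcore.dll write into Fiddler's directory, while the copy written into the launcher's own directory is left alone.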
Netscape logo?

Man remember the Netscape Internet Explorer war and how IE became a free bundle with Windows to kill Netscape off? Over 20 years ago.

Opera was better than both though. I remember tabs being this cool new thing. You had to pay for it though back in the day.

Oh anyway, Epic, uh, yeah not a good look.
 
Modern PC gaming :(

Where are the benefits anymore if you aren't a graphics whore? There will eventually be a ton of "virtual consoles" each with exclusive games, so the benefit of Steam as the de facto "PC platform" is gone.
 

Kadayi

Banned
Shifty

GJ Fella. Definitely sounds like EGS is doing some things it shouldn't need to under the hood. I'm particularly concerned about the DLL file creation. I look forward to more code-savvy GAFFERS looking into this and adding their thoughts.
 

CuNi

Member
Off topic:

Damn that picture looks like ripped out straight from 4chan.

On topic:
It's funny to see the rabbit hole go deeper apparently than just scanning and reading the Steam directory. While I wished and still wish for the demise of their store, I had honestly hoped it would happen fairly through everyone not giving a shit about EGS and most games still releasing on Steam, instead of Epic kinda killing themselves off with such actions and continued bad PR. Let's see where this continues to go to.
 

Shin

Banned
That's a lot of text for someone with 282 subscribers and 212 views for this "botnet".
I'll continue to watch how things play out, be it the Epic Store hate, consoles (war?) and what's not.

Also how can anyone take this person seriously when he lost it in a single image (not talking about the cut below).
 

iorek21

Member
I sincerely hope that this, alongside with Epic's shitty exclusive deals, manages to CRUSH THIS EGS piece of crap
 

Kadayi

Banned
That's a lot of text for someone with 282 subscribers and 212 views for this "botnet".
I'll continue to watch how things play out, be it the Epic Store hate, consoles (war?) and what's not.

The botnet image post turned in another Epic thread and at the time I questioned its legitimacy. I'm not a coder but I'm going to take an accusation at face value, so I had a look around and found that YouTube channel also speculating about it. Then I asked Shifty on the Discord as he's a Programmer whether he could look into it, and maybe make a thread about it so the rest of Programmer GAF can have a look themselves and reach a consensus.

No one is saying it is definitely a Botnet, but it does seem to be doing some strange things apparently.

Personally, I'm interested to hear other people's conclusions.
 

Spukc

always chasing the next thrill
That's a lot of text for someone with 282 subscribers and 212 views for this "botnet".
I'll continue to watch how things play out, be it the Epic Store hate, consoles (war?) and what's not.

Also how can anyone take this person seriously when he lost it in a single image (not talking about the cut below).

What a fing edgelord shithead
 

petran79

Banned
The irony is that many anti-malware programs like AdwCleaner detect and suggest deleting Tencent's Chinese client.
Will they do the same for the Epic launcher from now on?
 

Shifty

Member
That's a lot of text for someone with 282 subscribers and 212 views for this "botnet".
I'll continue to watch how things play out, be it the Epic Store hate, consoles (war?) and what's not.

Also how can anyone take this person seriously when he lost it in a single image (not talking about the cut below).
The YouTube video is just an example of current coverage. The analysis is based off the screenshots in the image coupled with a couple of hours worth of independent research into the various factors involved.

And regarding the extremely, eh, 'loud' nature of the image:

There are ways of presenting data if you want to be taken seriously, this is not it.
The point of this thread is to separate the actual evidence from the 4chan-tier shouting and look at it impartially.
 

Kadayi

Banned
There are ways of presenting data if you want to be taken seriously, this is not it.

This isn't about making a case, it's about investigating a claim. It could be true it could be false, but if we're *woah!!1 naughty 4Chan using bad words* we're not going to reach a conclusion.
 

Holammer

Member
There's a lot of people freaking out when they look at the process monitor (some for the first time) and don't understand what it all means. That said, try to replicate the findings and see if there's something there.
In the meanwhile, why not give this reddit post a read?

 
If you haven't uninstalled Epic Games Launcher by now, you probably should. I can confirm the activity described in the image provided by Shifty. While my initial reaction was "it's how it scans for games installed by EGL" I found it weird it didn't do some things if I was connected to the Hong Kong region using Private Internet Access VPN. I tested this in a virtual machine with a fresh install of Epic Games Launcher. When I was connected to the Hong Kong region, it wasn't really doing anything - but when I disconnected and relaunched it started collecting information about my system - machine name, etc.
 

Kadayi

Banned
If you haven't uninstalled Epic Games Launcher by now, you probably should. I can confirm the activity described in the image provided by Shifty. While my initial reaction was "it's how it scans for games installed by EGL" I found it weird it didn't do some things if I was connected to the Hong Kong region using Private Internet Access VPN. I tested this in a virtual machine with a fresh install of Epic Games Launcher. When I was connected to the Hong Kong region, it wasn't really doing anything - but when I disconnected and relaunched it started collecting information about my system - machine name, etc.

 
Now imagine this on Fortnite.....the Chinese could control the messages of Western Children!

Probably not, but I wouldn't be shocked

If you DO have Epic's Game Store Installer, just google "Winneh the Pooh Porn" and see if you get flagged. :p
 

BlackTron

Member
I'm glad I've never installed this because when I think of the hassle I don't need right now of wiping my HDD and starting over again I would probably leave it turned off for two months while playing Switch lol
 

Shifty

Member
Prepping the bingo card for the eventual Sweeney statement.

"This is so we can give you a better service"
"It's totally not shady we were just cutting corners as we rushed the product to market"
"We're not doing anything that Windows and all of your other programs stop us from doing"
 

Kadayi

Banned
I meant the niggernet exploder.

So? Some 4chan poster is an Edgelord (shocker). That doesn't somehow invalidate the fact that the software itself seems to be doing something suspect when looked into by others. The whole point of the thread was (and I'll repeat) for people to look into what EGS was doing to see whether there was any merit to the accusation of it being a Botnet. Seems that there may be concerns.
 

demigod

Member
So? Some 4chan poster is an Edgelord (shocker). That doesn't somehow invalidate the fact that the software itself seems to be doing something suspect when looked into by others. The whole point of the thread was (and I'll repeat) for people to look into what EGS was doing to see whether there was any merit to the accusation of it being a Botnet. Seems that there may be concerns.

What on earth are you yappin' about? I never denied that it's spying.

Edit : fixed grammar.
 

angelic

Banned
Dear Epic: I don't have your launcher installed but I like shooters, Dragon Ball, and my online searches often involve mature ladies. Hope that helps.
 

EverydayBeast

thinks Halo Infinite is a new graphical benchmark
Classic paranoid reputation by PC gamers, security and privacy has always been very spotty in modern times.
 

Shifty

Member
Classic paranoid reputation by PC gamers, security and privacy has always been very spotty in modern times.
You're free to deconstruct the contents of the OP all you like, the facts are all laid out there. 'Come at me', as they say.

But it looks like you might just be here to score a cheeky dunk and move on.
 
Pretty much everything app related monitors you doesn't it? Plus Google's in damn near every device as standard now... Honestly why are people surprised?

Not saying ANY of it is good btw.
 