SQM Process Hashes

February 24, 2019 in Reversing, Undocumented Windows Internals

Today I came across Registry entries that I have not seen being documented anywhere before, so decided to throw a quick & dirty post about it.

One of the less known/understood components of Windows is SQM. SQM stands for “Software Quality Metrics” and I don’t know really more than what I have read from the linked articles, plus general opinions online that this is a part of MS spying machine, so pardon my ignorance.

Today, I was looking at artifacts created by various processes and spotted this intriguing entry:

  • HKLM\Software\Microsoft\SQMClient\Windows\DisabledProcesses\<some hash-like looking value>

Knowing that Windows programmers love hashes, I was curious what this entry is for, and obviously, how to calculate the hash it refers to.

A quick test followed for a couple of popular programs, and I got these results:

Now that I had a few test values, I looked at the code of ntdll.dll (where I eventually traced the code responsible for these callouts to), and quickly discovered the routine. The hash type used here is known as UHash (I googled the constants used by the algorithm, and this is the name of the function that I found).

It basically takes the filename of the process (anything that follows the last directory separator), then iterates through it starting from its end (from a file extension), and then each character is upper-cased (Unicode!), and then added to the UHash formula.

You can see the full algo in a script here.

When ran with example process names as in the screenshot above, we get these values:

  • 494A65DD – powershell.exe
  • 4DA42CDB – calc.exe
  • DA0C75C2 – cscript.exe

The more troubling question is the meaning of it all. This, I frankly don’t know. There are a couple other keys associated with SQM in the same Registry branch e.g. DisabledSessions (under the same node). Googlign around and digging in the ntdll.dll shows that SQM seems to be dependent on Customer Experience settings i.e. CEIPEnable entry described here:

So, I guess the DisabledProcesses / DisabledSession entries could be flags that remove _some_ processes from active SQM monitoring (in a more granular way). And all in all, something that we probably want to completely disable via a higher-level CEIPEnable value, and others in the same location e.g.:

Comments are closed.