Remote Assistance (msra.exe) will need 45 seconds to connect from Win10 1809 or 1803

McKnife
Experts, I need your help.

Our support team relies on remote assistance (msra.exe) for end user support. There is a bug in windows 10 v1803 and 1809 that affects this component and I am trying to make Microsoft aware of it. I have used the feedback app already half a year ago, but Microsoft has not done anything about it.

I created a Technet thread and I ask you to upvote that thread to let Microsoft know that several people care.
In case you think "why should I care?": msra.exe is a free and built-in way for easy end-user assistance; it is a must-know for admins in my opinion.
My thread holds steps to reproduce the problem and anyone should be able to confirm it within less than 5 minutes.

Points for anyone who reproduces this and upvotes that thread: https://social.technet.microsoft.com/Forums/ie/en-US/c1f4acda-e579-49bb-92af-22d73f9204ca/remote-assistance-msraexe-will-need-45-seconds-to-connect-from-win10-1809-or-1803?forum=win10itprogeneral
Kyle Abrahams, Senior .Net Developer

Commented:
What happens if you do it without the passcode?
When I do MSRA here I often do it by machine name.

EG:

msra /offerRA

Does the same thing happen when doing it like that?
Have you tried doing a network trace to see if you can force a response / timeout faster for a domain name?

I'm assuming it's trying to connect to the internet to verify something first. See if there's a way to shortcut that.
Distinguished Expert 2018

Author

Commented:
Hi Kyle.

/offerRA is not allowed here since it will need additional ports to be opened.
Anyway, trying it on 2 test systems doesn't even connect (believe me, I know how to configure it) while the normal process as outlined in my link works.

So, although we could possibly solve that, we will not do it. Since it all works after 45 seconds, it will be a timeout. This timeout is possibly due to certificate revocation list online checking, which, obviously, can only succeed when online, which we are not and never will be (military network). I also asked the same some months ago on TechNet already and some mod said I should try to change these timeouts, but the settings had no effect at all.

All I want here from this forum is to get this reproduced (anyone with a VM lab will be able to repro within 2 minutes) and then upvote my TechNet thread so that Microsoft might finally move. It should be so simple: 1803 changed the way msra.exe works, so that change will be documented and MS will know which timeouts/which verification takes place and how to stop it. I mean, this check is obviously worth nothing, since it works anyway after 45 seconds.

So please, let's not analyse it further but just help me make MS move.
Kyle Abrahams, Senior .Net Developer

Commented:
Good luck trying to make Microsoft move. I've seen them ignore upvotes with thousands of people behind it. They do what they want when they want.

Understood about your requirements to be offline - I get that especially because it's a military network.

I would still recommend running a Wireshark though - try to see what it's connecting to.

From there you can use the hosts file to override the IP address of that website (EG: use 127.0.0.1 instead of wherever it's calling) to force the timeout quicker.

Do you have a DMZ (no pun intended) where you could set up 2 of these computers with your process? Would be interested in seeing what a successful capture looks like versus a non-successful capture.

I don't mind trying to help you solve the problem but my 2 cents are the forum votes will be a waste of time.

Distinguished Expert 2018

Author

Commented:
The hosts file idea is good. Will test tomorrow. About capturing traffic: In the TN thread, I wrote:

I used wireshark and could see that in the meantime, at the target machine, the address
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?0899494e558a2b7f
is contacted repeatedly, which of course does not work without internet. That link holds a certificate revocation list, if I am not mistaken, so it could be that msra.exe tries to verify if some certificates are listed on that CRL.
But why would it? Why would it even use certificates?
And why did it work with the old versions without?
And why would it take 45 seconds to determine that that link cannot be retrieved?
Andrew Leniart, IT Professional | Freelance Journalist | Looking for Opportunities
Distinguished Expert 2018

Commented:
McKnife,

I tried to reproduce it here but got different results. The only other Windows systems I have available to me atm are VMs, so not sure if that's the reason for the difference. Did the following as a test:

Raised an MSRA using the command line on your Technet thread (Windows 10 Pro Build 1803)
Copied to Host System (Windows 10 Pro Build 1809)
Ran the help.msrcincident file from the host and entered password

Here is where I got different results. I was prompted to allow the connection on the VM (it did not immediately connect)

Prompted to allow connection on the VM - Clicked yes

Everything else worked as expected. No real delays that I could note.

For what it will be worth on the Technet forum, I just upvoted your thread and note there are two votes as of now. Tried to do that the other day but it wouldn't accept the vote for some reason.

Regards, Andrew

Edit: BTW, I had to laugh when I read this...

please note that editing your answer will not be reflected by mail notifications.

(Your original answer "I will try to reproduce such operation on my test environment, and post my test result as soon as possible" did not ask me to provide details)

Give her some time to read through the google results will ya! :)
Kyle Abrahams, Senior .Net Developer
Commented:
Why would it even use certificates?

Could be that they're encrypting the MSRA traffic with certs now.

45 seconds = 3 x 15-second lookups, which might be the case.

Can you ping the site without internet? (EG: not sure if the DNS is cached)

Either way:
Not sure how you guys feel about running IIS on one of the boxes (or another computer on your network), but it seems like you could redirect the Windows Update host to a machine and actually serve that file that it downloads.
Distinguished Expert 2018

Author

Commented:
Andrew: Hi and thanks for trying. So your machines are not offline, I guess?

Kyle, using a local IIS is a great idea. Will try soon.
Andrew Leniart, IT Professional | Freelance Journalist | Looking for Opportunities
Distinguished Expert 2018

Commented:
So your machines are not offline, I guess?

Not at present, sorry, as I don't have a second machine on the LAN here at the moment. (long story)
Distinguished Expert 2018

Author

Commented:
No, during your test, were these two machines connected to the internet, or not? Because when connected to the internet, there is no delay; everything works as expected.
Distinguished Expert 2018

Author

Commented:
Kyle, I followed your suggestion and hosted that file on a local IIS, which I pointed at using a local DNS entry, and of course the messages within the Wireshark trace are gone (and the file is being accessed, which auditing proved); however, that 45-second delay is still there :-(

Now would you mind upvoting that thread on Technet if you are able to reproduce this?
Distinguished Expert 2018

Author

Commented:
Kyle...this is great: First, I had not noticed that after pinrulesstl.cab is now successfully retrieved, it wants a 2nd file: disallowedcertstl.cab, located at http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?44b7a9e4dc8e7f8a

So I downloaded that one, too, placed it on our IIS and now it works without delay! *Big Smile*
However, that workaround is not perfect. It might be that local Microsoft applications like Office try to use that path http://ctldl.windowsupdate.com, too, and that could lead to the following:

-> Office app asks for something -> before, in our offline network, the request is denied at the firewall, since there is no internet access: "server unreachable"
-> now, with the fake ctldl.windowsupdate.com IIS in place, they get the response: [server reachable, but] file not found!

That could lead to error messages.
--

So I will tell Microsoft what I found and keep my fingers crossed that they act.

Kyle, thanks so much for that idea!
Others: please keep the upvotes coming, if you are able to reproduce this.
Distinguished Expert 2018

Author

Commented:
Bingo!

After investigating a little further what those files even do, I am now able to do without the IIS and still overcome that delay.
What I did: I downloaded all the current certs and lists to a share like this:
Certutil -syncWithWU \\server\certs\
Then, at the clients, under
HKLM\Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
I set (a REG_SZ value) RootDirURL=file://\\server\certs

And that's all we need! This works offline and is deployable. No more delays!
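The same workaround as a deployable script, added here as an example and not code from the thread or from Microsoft. It assumes \\server\certs is a hypothetical share name, that the sync step runs on an internet-connected admin machine and the client step on the offline clients, both from an elevated PowerShell; the Verify mode checks that the share holds the files and that the client points at it.

```powershell
<#
  Added example (not from the thread): automate the offline CTL/AuthRoot
  workaround. Modes: Sync (online admin box), Client (offline client), Verify.
  $Share is a hypothetical UNC path; run elevated.
#>
param(
    [ValidateSet('Sync', 'Client', 'Verify')] [string]$Mode = 'Verify',
    [string]$Share = '\\server\certs'
)

$RegKey  = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate'
$RootUrl = 'file://' + $Share          # REG_SZ value set in the thread: file://\\server\certs
# pinrulesstl.cab and disallowedcertstl.cab are the two files msra.exe fetched in the
# Wireshark trace above; authrootstl.cab is the root-list CAB certutil syncs alongside them.
$Required = 'pinrulesstl.cab', 'disallowedcertstl.cab', 'authrootstl.cab'

switch ($Mode) {
    'Sync' {
        # Internet-connected admin machine: certutil downloads the CTL CABs and
        # root certificates into the share, which offline clients will read.
        & certutil.exe -syncWithWU $Share
        if ($LASTEXITCODE -ne 0) { throw "certutil -syncWithWU failed (exit $LASTEXITCODE)" }
    }
    'Client' {
        # Offline client: redirect automatic root/CTL updates from
        # ctldl.windowsupdate.com to the share. Takes effect after a reboot.
        if (-not (Test-Path $RegKey)) { New-Item -Path $RegKey -Force | Out-Null }
        New-ItemProperty -Path $RegKey -Name RootDirURL -PropertyType String `
            -Value $RootUrl -Force | Out-Null
        Write-Host "RootDirURL set to $RootUrl - reboot the client before testing msra.exe"
    }
    'Verify' {
        # Both halves must hold: the files exist (and are not stale) and the client points at them.
        foreach ($f in $Required) {
            $p = Join-Path $Share $f
            if (Test-Path $p) {
                $age = (Get-Date) - (Get-Item $p).LastWriteTime
                Write-Host ("{0,-24} present, {1:N0} days old" -f $f, $age.TotalDays)
            } else {
                Write-Warning "$f missing from $Share - clients will still fall back to the online lookup"
            }
        }
        $cur = (Get-ItemProperty -Path $RegKey -Name RootDirURL -ErrorAction SilentlyContinue).RootDirURL
        if ($cur -eq $RootUrl) { Write-Host "RootDirURL OK: $cur" }
        else { Write-Warning "RootDirURL is '$cur', expected '$RootUrl'" }
    }
}
```

Because the share now supplies the disallowed-certificate and pin-rule lists that every client trusts, restrict write access on it to the account that runs the Sync step and re-run Sync on a schedule so the lists do not go stale.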
Distinguished Expert 2018

Author

Commented:
Thanks guys!
Kyle Abrahams, Senior .Net Developer

Commented:
Glad you found a solution that worked. Hopefully you can get MS to make it work better, but I've never been big on relying on other people to do things correctly . . . causes too many disappointments.

Thanks for posting your follow ups so that anyone else who comes along on this thread can find the same solution.
Distinguished Expert 2018

Author

Commented:
Before I forget: after setting that registry key, you need to reboot the clients, or it has no effect.
Rob Hutchinson, Tech Lead, Desktop Support

Commented:
We had the same problem, but were able to get the new Microsoft Win10 tool "Quick Assist" to work; it works almost just like TeamViewer, but better.

https://support.microsoft.com/en-us/help/4027243/windows-10-solve-pc-problems-with-quick-assist
Distinguished Expert 2018

Author

Commented:
Rob, Quick Assist is not suitable for us, since it needs internet access. We are in a restricted network.

By the way, the problem has resurfaced and is even uglier than I first thought. Solving it in the described way was not reproducible. I plan to give this a 2nd try in the late summer time, when no urgent work is due.
