Remote Assistance (msra.exe) will need 45 seconds to connect from Win10 1809 or 1803

Experts, I need your help.

Our support team relies on remote assistance (msra.exe) for end user support. There is a bug in windows 10 v1803 and 1809 that affects this component and I am trying to make Microsoft aware of it. I have used the feedback app already half a year ago, but Microsoft has not done anything about it.

I created a Technet thread and I ask you to upvote that thread to let Microsoft know that several people care.
I case you think "why should I care?": msra.exe is a free and built-in way for easy end-user assistance, it is a must-know for admins in my opinion.
My thread holds steps to reproduce the problem and anyone should be able to confirm it within less than 5 minutes.

Points for anyone who reproduces this and upvotes that thread:
LVL 64
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Kyle AbrahamsSenior .Net DeveloperCommented:
What happens if you do it without the passcode?  
When I do MSRA here I often do it by machine name.


msra /offerRA

Does the same thing happen when doing it like that?
Have you tried doing a network trace to see if you can force a response / timeout faster for a domain name?

I'm assuming it's trying to connect to the internet to verify something first.  See if there's a way to shortcut that.
McKnifeAuthor Commented:
Hi Kyle.

/offerRA is not allowed here since it will need additional ports to be opened.
Anyway, trying it on 2 test systems doesn't even connect (believe me, I know how to configure it) while the normal process as outlined in my link works.

So, although we could possibly solve that, we will not do it. Since it all works after 45 seconds, it will be a timeout. This timeout is possibly due to certificate revocation list online checking, which, obviously, can only succeed, when online, which we are not and never will be (military network). I also asked the same some months ago on TechNet already and some mod said, I should try to change these timeouts but the settings had no effect at all..

All I want here from this forum is to get this reproduced (anyone with a VM lab will be able to repro within in 2 minutes) and then upvote my TechNet thread so that Microsoft might finally move. It should be so simple: 1803 changed the process msra.exe works, so that change will be documented and MS will know which timeouts/which verification takes place and how to stop it. I mean, this check is obviously worth nothing, since it works anyway after 45 seconds.

So please, let's not Analyse it further but just help me make MS move.
Kyle AbrahamsSenior .Net DeveloperCommented:
Good luck trying to make Microsoft move.  I've seen them ignore upvotes with thousands of people behind it.  They do what they want when they want.

Understood about your requirements to be offline - I get that especially because it's a military network.

I would still recomnmend running a wireshark though - try to see what it's connecting to.

From there you can use the hosts file to overwrite the IP address of that website.  (EG: use instead of wherever it's calling) to force the timeout quicker.

Do you have a DMZ (no pun intended) where you could setup 2 of these computers with your process?  Would be interested in seeing what a successful capture looks like versus a non-successful capture.

I don't mind trying to help you solve the problem but my 2 cents are the forum votes will be a waste of time.
Active Protection takes the fight to cryptojacking

While there were several headline-grabbing ransomware attacks during in 2017, another big threat started appearing at the same time that didn’t get the same coverage – illicit cryptomining.

McKnifeAuthor Commented:
The hosts file idea is good. Will test tomorrow. About capturing traffic: In the TN thread, I wrote:

I used wireshark and could see that in the meantime, at the target machine, the address
is contacted repeatedly, which of course, does not work without internet. That link holds a certificate revovcation list, if I am not mistaken, so it could be, that msra.exe tries to verify if some certificates are listed on that CRL.
But why would it? Why would it even use certificates?
And why did it work with the old versions without?
And why would it take 45 seconds to determine that that link cannot be retrieved?
Andrew LeniartFreelance JournalistCommented:

I tried to reproduce it here but got different results. The only other Windows systems I have available to me atm are VM's so not sure if that's the reason for the difference. Did the following as a test;

Raised an MSRA using the command line on your Technet thread  (Windows 10 Pro Build 1803)
Copied to Host System (Windows 10 Pro Build 1809)
Ran the help.msrcincident file from the host and entered password

Here is where I got a different results. I was prompted to allow connection on the VM (Did not immediately connect)

Prompted to allow connection on the VM - Clicked yes

Everything else worked as expected. No real delays that I could note.

For what it will be worth on the Technet forum, I just upvoted your thread and note there are two votes as of now. Tried to do that the other day but it wouldn't accept the vote for some reason.

Regards, Andrew

Edit: BTW, I had to laugh when I read this...

please note that editing your answer will not be reflected by mail notifications.

(Your original answer "I will try to reproduce such operation on my test environment, and post my test result as soon as possible" did not ask me to provide details)

Give her some time to read through the google results will ya! :)
Kyle AbrahamsSenior .Net DeveloperCommented:
Why would it even use certificates?

Could be that they're encrypting the MSRA traffic with certs now.  

45 seconds = 3 15 second lookups, which might be the case.

Can you ping the site without internet?  (EG: not sure if the DNS is cached)?

Either way:
Not sure how you guys feel  about running IIS on one of the boxes (or another computer on your network) but it seems like you could redirect the windows update to a machine and actually serve that file that it downloads.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
McKnifeAuthor Commented:
Andrew: Hi and thanks for trying. So your machines are not offline, I guess?

Kyle, using a local iis is a great idea. Will try soon.
Andrew LeniartFreelance JournalistCommented:
So your machines are not offline, I guess?

Not at present sorry as I don't have a second machine on the lan here at the moment. (long story)
McKnifeAuthor Commented:
No, during your test, were these two machines connected to the internet, or not? Because when  connected to the internet, there is no delay, everything works as expected.
McKnifeAuthor Commented:
Kyle, I followed your suggestion and hosted that file on a local IIS which I pointed at using a local DNS entry and of course the messages within the wireshark trace are gone (and the file is being accessed, which auditing proved), however, that 45 seconds delay is still there :-(

Now would you mind to upvote that thread on Technet if you are able to reproduce this?
McKnifeAuthor Commented:
Kyle...this is great: First, I had not noticed that after is now successfully retrieved, it wants a 2nd file, now:, located at

So I downloaded that one, too, placed it on our IIS and now it works without delay! *Big Smile*
However, that workaround is not perfect. It might be, that local Microsoft applications like office try to use that path, too, and that could lead to the following:

->Officeapp asks for something -> before, in our offline network, the request is denied at the firewall, since no internet access, "server unreachable"
->now, with the fake IIS in place, they get the response: [server reachable, but] file not found!

That could lead to error messages.

So I will tell Microsoft what I found and keep my fingers crossed that they act.

Kyle, thanks so much for that idea!
Others: please keep the upvotes coming, if you are able to reproduce this.
McKnifeAuthor Commented:

After investigating a little further what those files even do, I am now able to do without the IIS and still overcome that delay.
What I did: I downloaded all the current certs and lists to a share like this:
Certutil -syncWithWU \\server\certs\
Then, at the clients, I set (a REG_SZ value) RootDirURL=file://\\server\certs

And that's all we need! This works offline and is deployable. No more delays!
McKnifeAuthor Commented:
Thanks guys!
Kyle AbrahamsSenior .Net DeveloperCommented:
Glad you found a solution that worked.  Hopefully you can get MS to make it work better but I've never been big on relying on other people to do things correctly . . . causes too many disappointments.

Thanks for posting your follow ups so that anyone else who comes along on this thread can find the same solution.
McKnifeAuthor Commented:
Before I forget: after setting that registry key, you need to reboot the clients, or it has no effect.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
IT Administration

From novice to tech pro — start learning today.