I'm taking up a topic for readers that Frank Carius noticed when he recorded an RTP session over UDP with Wireshark. In the capture, he found a large number of UDP broadcast packets on ports 22222 and 3289. The question immediately arose as to what was causing these UDP broadcasts.
I came across the topic via a Facebook post by Frank, who wrote about it on MSXFAQ in the German article DASHOST.EXE und UDP-Sturm (DASHOST.EXE and UDP storm).
The screenshot above shows an excerpt from the Wireshark capture. The packets are sent from a Windows client to the broadcast address 192.168.178.255 (home office with a FRITZ!Box). What Frank noticed was the frequency of these requests (sometimes 3 UDP broadcasts per second).
It was interesting that these UDP broadcasts were only found on RTP connections to the FRITZ!Box in the home office, but did not occur from the client in Frank's company environment. There, however, the client in question has a connection to the domain controller (DC), so that Windows then activates the "domain profile" on the network card, he wrote.
Frank's first suspicion was, of course, that malware or a misconfiguration was responsible for what he calls a UDP storm. Upon analysis, Frank Carius discovered that the UDP broadcast packets were being sent by the Device Association Framework Provider Host (dasHost.exe).
According to this source, the Device Association Framework Provider Host (dasHost.exe) is a central Windows service that enables the connection and pairing of wired and wireless devices with a computer.
In this context, I have come across several sources, such as the source linked above or this Microsoft Answers forum post, that deal with high system utilization. This source says that bad or corrupted drivers can cause high CPU load. You should make sure that the drivers are up to date and come from the manufacturer, i.e. have not been updated via Windows Update.
After the above analysis, Frank has come to the conclusion that this is a normal Windows function to find printers and other devices that may not be discoverable via UPnP or SSDP (Simple Service Discovery Protocol). Frank Carius believes that Microsoft has implemented the ENPC protocol provided by Epson here. Has any reader come across this topic, and are there other explanations or further information?
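To check your own capture for the pattern described above, the following added example (not code from Frank Carius's article or from this post's sources) reads a classic little-endian pcap file and reports, per sender, the peak number of UDP broadcasts per second to ports 22222 and 3289. The client address 192.168.178.20 and the sample capture are constructed for illustration; the ports and the broadcast address are the ones named in the post.

```python
import struct
from collections import Counter

WATCH_PORTS = {22222, 3289}      # UDP ports named in the post
BROADCAST = "192.168.178.255"    # broadcast address named in the post
SRC = "192.168.178.20"           # constructed client address (assumption)

def udp_broadcasts(pcap: bytes):
    """Yield (ts_sec, src_ip, dst_port) for watched UDP broadcasts in a pcap."""
    magic, linktype = struct.unpack_from("<I16xI", pcap, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian classic pcap with Ethernet frames")
    off = 24
    while off + 16 <= len(pcap):
        ts, _, incl, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + incl]
        off += 16 + incl
        if len(frame) < 42 or frame[12:14] != b"\x08\x00":  # IPv4 only
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 17 or len(frame) < 14 + ihl + 8:     # UDP only
            continue
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        dport = struct.unpack_from("!H", frame, 14 + ihl + 2)[0]
        if dst == BROADCAST and dport in WATCH_PORTS:
            yield ts, src, dport

def peak_rate(pcap: bytes):
    """Return {src_ip: most watched broadcasts seen in any one-second bucket}."""
    peak = {}
    for (_, src), n in Counter((t, s) for t, s, _ in udp_broadcasts(pcap)).items():
        peak[src] = max(peak.get(src, 0), n)
    return peak

def _frame(dst: str, dport: int) -> bytes:
    """Build a constructed Ethernet/IPv4/UDP frame (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     bytes(map(int, SRC.split("."))), bytes(map(int, dst.split("."))))
    udp = struct.pack("!HHHH", 50000, dport, 8, 0)
    return b"\xff" * 6 + b"\x02" * 6 + b"\x08\x00" + ip + udp

def sample_pcap() -> bytes:
    """Constructed capture: 3 broadcasts in second 100, 1 in 101, plus 1 unicast."""
    pkts = [(100, BROADCAST, 22222)] * 2 + [(100, BROADCAST, 3289),
            (101, BROADCAST, 22222), (101, "192.168.178.1", 22222)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, dst, dport in pkts:
        out += struct.pack("<IIII", ts, 0, 42, 42) + _frame(dst, dport)
    return out
```

For a real capture, pass the bytes of a file saved in Wireshark's classic pcap format to `peak_rate`; pcapng files and big-endian or nanosecond-resolution captures are rejected with a `ValueError`.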