Jaa


Windows Media Connect can’t see my DMR: III

You’ve run the UPnP enumeration script and everything shows up just fine.  That means that the problem is inside WMC itself.  For some reason Windows Media Connect (WMC) a is getting device notifications from UPnP but isn’t showing the device.  So, Let’s take a look at what happens when WMC gets a device notification.

Unlike any other UPnP Content Directory or Media Server that I’ve ever seen, WMC has a security model.  You decide what devices get access to what media folders on your Personal Computer (PC).  This is great, but it does place a special burden on WMC.  The concept of security is completely foreign to UPnP.  There is no basis in the protocol for it, so it has to be built separately on top.

The biggest problem in WMC’s security system comes in trying to determine who the requests come from.  UPnP isn’t any help here as all UPnP requests are completely anonymous.  The next obvious thing to look at would be the IP address of the caller.  If the IP address matched the database of known IP addresses, then grant access.  In practice that doesn’t work for two reasons.  The first one is that devices change their IP addresses all the time.  So keeping track of the changes and keeping the IP database up to date would be painful.  The second reason that isn’t a very good idea is that just about anyone who knows anything about networking knows how to change their IP address to anything they’d like.  That wouldn’t be much help in keeping your media collection private

The final solution wasn’t much better than IP address.  The final decision was to use MAC addresses to identify the DMRs.  I say that isn’t much better because spoofing MAC addresses isn’t really much more difficult than spoofing IP addresses.  But, that was the best that could be done given that the underlying protocol is completely anonymous.  So, keep this in mind: WMC is only as secure as the network it is running on.  If you network is secure then WMC is secure.  If your network is insecure, WMC’s access model isn’t enough to keep your media private.

When a request comes in or a device announcement is made the first thing that WMC does is convert the IP address of the source into a MAC address.  Here is the important part.  You can only turn an IP address into a MAC address if the IP address in question is on the same subnet.  This is the reason that WMC can’t operate if the DMR is on a different subnet.  It can’t resolve the IP address into a MAC address and therefore it will not recognize the calling device and it will not service the request.

After the MAC address has been determined, WMC looks up that MAC address in a special location in the reigistry.  If the MAC address is new then all of the information about that device is stored in the registry.  The raw information about the device is stored in a sub-key of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Connect 2\Devices.  Under that key will be a key that is named with the MAC address of the device. The values of the MAC key will contain all of the information extracted from the device document of the caller.  There is a second set of registry keys that controls the security status of the devices that are found under this key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Connect 2\MAC Access Control.  Under the “Allowed” subkey are the MAC addresses of all of the allowed devices.  Under the “Denied” subkey, are all of the MAC addresses of all of the devices that have been specifically denied access. The final subkey is the “New” subkey.  All of the devices that have been discovered that the end-user hasn’t made a security decision about yet are found there.

So, when UPnP can find your device but it doesn’t show up in WMC I can imagine two things that are likely to be the root cause of the problem.  The first would be that the device isn’t on the same subnet so WMC couldn’t get a MAC address for it.  This can happen if your device and your server are connected to two different routers (perhaps because you needed a second wireless access point).  The other problem could be that the registry permissions are wrong and either WMC can’t write the information or the UI can’t read the information.  You may be able to fix this by fixing the permissions but frankly if the permissions on the HKEY_LOCAL_MACHINE registry hive are that wrong then you might really benefit from reinstalling the operating system. WMC would just be one thing in a very long list of things that didn’t work right about the computer.

Tomorrow, we’ll look at how you might troubleshoot the problem if UPnP can’t even see your device (the script doesn’t enumerate the device).

Comments

  • Anonymous
    January 28, 2006
    So how can I tell on what Subnet my 360 is? Is it the same as Subnet mask? Or is Subnet mask some sort of fake subnet as it's name implies.

    Also, how would you fix a registry permission problem? I know you said reinstall the OS, but I wanna see if I can get it to work before having to backup all my stuff and "restore" my PC.

    Thank you
  • Anonymous
    January 28, 2006
    By definition, two IP addresses are on the same subnet you do a bitwise AND on each of them with the subnet mask. If the resuts are equal, they are on the same subnet. However, that method doesn't work when dealing with a NAT router. Essentially each NAT router creates its own seperate subnet behind it. So two devices aren't on the same subnet even if the IP addresses and the subnet mask say they are.

    You'd fix registry permission problems by resetting the permissions to what they are supposed to be. To do that, you'd need access to a system that has correct permissions to use as a refrence. Since there are thousands of registry keys you are left hoping that the extent of the registry problems are small.