
UadPlugin.dll

What this program actually does

UadPlugin.dll is the User Activity Detection (UAD) plugin in the GCIS security stack. It monitors seat behavior through multiple watchers — network connections, Sysmon events, log files, and AppSensor cross-session messages — and enforces rules about suspicious process/network activity during active sessions.

It runs inside NvContainerGcis.exe with MB endpoint UadPlugin, consumes AppSensorMessage_* protobuf types (foreground window, process events, window events), and coordinates with GciPlugin for feature control and GssmPlugin for process-event telemetry.

Build: version 1.0 2026-04-07-b253f97. DLL version 1.0.0.0.


Architecture / control flow

NvContainerGcis.exe
  └─ UadPlugin.dll
        ├─ GcisPluginTaskQueue / GciDeferredTaskQ (shared GCIS framework)
        ├─ GSConfigClient → ZoneConfig, SeatConfig, GcisConfigData
        ├─ Watchers (start on PluginStart after config load):
        │     ├─ NetworkWatcher — adapter/DNS/IP config changes
        │     ├─ AppSensorWatcher — AppSensorMessage from SSAU session
        │     ├─ LogFileWatcher — tail/parse security log files
        │     └─ SysmonWatcher — Sysmon process/network events
        ├─ GssmServiceAPI.Event.ProcessEvent — inbound process telemetry
        └─ GsecTasTelemetry — UEC events to TAS

Key RTTI: AppSensorMessage, AppSensorMessage_ForegroundWindow, AppSensorMessage_ProcessEvent, AppSensorMessage_WindowEvent, GssmServiceAPI.


External interfaces

GCIS Service API

Message                                        Purpose
GCISServiceAPI_GCISRequest_UadFeatureControl   Enable/disable UAD features (handled via GciPlugin proxy)
GCISServiceAPI_GCISRequest_* (shared)          Standard GCIS seat/session messages

Message Bus

  • Endpoint: UadPlugin
  • Receives AppSensor messages from SSAU session (configured in messagebus.conf cross-session peers)
  • GSConfigClient_<pid>_... peer for GSConfigurator

AppSensor messages (protobuf)

Type                                 Inferred use
AppSensorMessage_ForegroundWindow    Track foreground window titles for rule matching
AppSensorMessage_ProcessEvent        Process create/terminate from user session
AppSensorMessage_WindowEvent         Window create/destroy/focus events

GssmServiceAPI process events

Consumes GssmServiceAPI.Event.ProcessEvent with fields: processPath, parentProcessPath, user, digitalSignature.

Windows APIs (from imports)

CreateToolhelp32Snapshot, GetAdaptersAddresses, CreateFileW, ReadDirectoryChangesW, CreateProcessW — process enumeration, network monitoring, log tailing.


Runtime timeline

Time (UTC)     Event                                                        Source
19:04:52.817   Module UadPlugin v1.0, MB-endpoint UadPlugin                 UadPluginCurrent.log
19:04:52.867   GSConfigurator fetch ZoneConfig/SeatConfig OK                UadPluginCurrent.log
19:04:52.882   Init OK; "***** Starting UadPlugin *****" queued             UadPluginCurrent.log
19:04:52.884   AIN subscription fails, error 1                              UadPluginCurrent.log
19:04:52.984   TAS session initiated                                        UadPluginCurrent.log
19:04:53.051   GcisConfigData not found; Failed to start UadPlugin          UadPluginCurrent.log
19:04:53.057   Stop: Stopping all watchers (watchers never fully armed)     UadPluginCurrent.log

First GCIS run (18:43) succeeded for sibling plugins when GcisConfigData was present; UadPlugin would have started watchers after config load in that path.
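A small triage script for the sequence above, added here as an example and not code from the page or from the plugin. It replays a constructed UadPluginCurrent.log (timestamps copied from the timeline, the "LEVEL message" line layout, the "Starting all watchers" success marker and the regex are assumptions) and reports which startup milestones were reached, whether the watchers were ever armed, and the time from module load to abort or arming.

```python
"""Reconstruct the UadPlugin PluginStart sequence from its log and decide
whether the watchers were armed.

Added example, not the page's or the plugin's code. LINE_RE, the log level
column and the "Starting all watchers" success marker are ASSUMPTIONS; the
real log layout may differ, so adjust them before running on real files."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the failing 19:04 run, timestamps from the timeline table.
FAILED_LOG = """\
19:04:52.817 INFO  Module UadPlugin v1.0, MB-endpoint UadPlugin
19:04:52.867 INFO  GSConfigurator fetch ZoneConfig/SeatConfig OK
19:04:52.882 INFO  Init OK; ***** Starting UadPlugin ***** queued
19:04:52.884 WARN  AIN subscription fails error 1
19:04:52.984 INFO  TAS session initiated
19:04:53.051 ERROR GcisConfigData not found
19:04:53.051 ERROR Failed to start UadPlugin
19:04:53.057 INFO  Stop: Stopping all watchers
"""

# Constructed sample of the path the page says the 18:43 run would take when
# GcisConfigData is present (success marker text is assumed).
HEALTHY_LOG = """\
19:04:52.817 INFO  Module UadPlugin v1.0, MB-endpoint UadPlugin
19:04:52.867 INFO  GSConfigurator fetch ZoneConfig/SeatConfig OK
19:04:52.882 INFO  Init OK; ***** Starting UadPlugin ***** queued
19:04:52.884 WARN  AIN subscription fails error 1
19:04:52.984 INFO  TAS session initiated
19:04:53.051 INFO  Starting all watchers
"""

LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3})\s+(\w+)\s+(.*)$")

# Milestones of a healthy start, in order: (substring to look for, stage name).
MILESTONES = [
    ("Module UadPlugin", "module_loaded"),
    ("GSConfigurator fetch", "config_fetched"),
    ("Init OK", "init_ok"),
    ("TAS session initiated", "tas_ready"),
    ("Starting all watchers", "watchers_armed"),   # assumed success marker
]
# Either of these means PluginStart gave up before arming the watchers.
ABORT_MARKERS = ["GcisConfigData not found", "Failed to start UadPlugin"]


@dataclass
class StartupReport:
    stages: List[str] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)
    aborted: bool = False
    abort_reason: str = ""
    stopped: bool = False
    watchers_armed: bool = False
    startup_ms: Optional[float] = None   # module load -> abort or arming


def _ms(ts: str) -> float:
    """HH:MM:SS.mmm -> milliseconds since midnight."""
    h, m, s = ts.split(":")
    return (int(h) * 3600 + int(m) * 60 + float(s)) * 1000.0


def analyze_startup(log_text: str) -> StartupReport:
    report = StartupReport()
    t0 = t_end = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                      # tolerate banners / continuation lines
        ts, level, msg = m.groups()
        if level == "WARN":
            report.warnings.append(msg)
        for needle, stage in MILESTONES:
            if needle in msg and stage not in report.stages:
                report.stages.append(stage)
                if stage == "module_loaded":
                    t0 = _ms(ts)
                elif stage == "watchers_armed":
                    t_end = _ms(ts)
        for needle in ABORT_MARKERS:
            if needle in msg and not report.aborted:
                report.aborted, report.abort_reason = True, needle
                t_end = _ms(ts)           # first abort marker ends the window
        if "Stopping all watchers" in msg:
            report.stopped = True
    report.watchers_armed = "watchers_armed" in report.stages and not report.aborted
    if t0 is not None and t_end is not None:
        report.startup_ms = round(t_end - t0, 3)
    return report


if __name__ == "__main__":
    for name, text in (("failed", FAILED_LOG), ("healthy", HEALTHY_LOG)):
        print(name, analyze_startup(text))
```

The "AIN subscription fails error 1" warning is collected but deliberately not treated as fatal: in the failing run it precedes a successful TAS session, so it is the missing GcisConfigData, 234 ms after module load, that aborts PluginStart.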


Failure modes

UEC / error string                                              Meaning
GSEC_UAD_Error_TooManyProcessesError                            Process count threshold exceeded
GSEC_UAD_Error_ProcessExcessiveNetworkActivityError             Network burst/continuous connection limits
GSEC_UAD_Error_AttemptToEnterInvalidSteamPasswordDetected       Steam credential abuse
GSEC_UAD_Error_FailedRetrievingNetworkAdaptersInfo              NetworkWatcher init failure
GSEC_UAD_Error_UnableToOpenLogFile / UnableToReadLogFile        LogFileWatcher path issue
GSEC_UAD_Error_UnableToCreateDirChangeNotification              Directory watch failure
GSEC_UAD_Warning_SuspiciousAdapterChangeWasDetected             NIC/IP change during session
GSEC_UAD_Warning_DetectedDnsServerAddressAdded                  DNS tampering indicator
GSEC_UAD_Error_UnknownActionForWindowRule                       Malformed window rule config
Missing GcisConfigData                                          PluginStart abort (observed in snapshot)
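To make the process-event input (GssmServiceAPI process events section) and the first four rule-driven UECs in the table concrete, here is a simplified evaluator, added as an example and not the plugin's own code. It reuses the UEC names from the table, but the thresholds, the 1 s burst window, the pid/action fields added to the ProcessEvent shape, the adapter snapshot layout and the sample telemetry are all assumptions (the real limits live in the GcisConfigData blob, which the page marks as not verified).

```python
"""Simplified UAD-style rule evaluation over process, connection and adapter
telemetry, emitting the page's UEC names.

Added example, not the plugin's code. Thresholds, window size, the extra
pid/action fields on ProcessEvent and the adapter snapshot shape are
ASSUMPTIONS; GcisConfigData values are unknown."""
from collections import defaultdict, deque
from typing import Dict, List, Tuple

# Assumed limits (not on the page; GcisConfigData is not verified).
MAX_PROCESSES_PER_SESSION = 5       # live user-session processes
NET_BURST_LIMIT = 4                 # connections per process per window
NET_BURST_WINDOW_MS = 1000

UEC_TOO_MANY = "GSEC_UAD_Error_TooManyProcessesError"
UEC_NET = "GSEC_UAD_Error_ProcessExcessiveNetworkActivityError"
UEC_ADAPTER = "GSEC_UAD_Warning_SuspiciousAdapterChangeWasDetected"
UEC_DNS = "GSEC_UAD_Warning_DetectedDnsServerAddressAdded"

Event = Tuple[str, str]   # (UEC name, detail)


class UadRules:
    def __init__(self) -> None:
        self.live: Dict[str, set] = defaultdict(set)        # user -> live pids
        self.conns: Dict[int, deque] = defaultdict(deque)   # pid -> conn times (ms)
        self.adapters = None                                # last adapter snapshot
        self.events: List[Event] = []

    def on_process(self, ev: dict) -> None:
        """ev carries the page's ProcessEvent fields (processPath,
        parentProcessPath, user, digitalSignature) plus assumed pid/action."""
        pids = self.live[ev["user"]]
        if ev["action"] == "create":
            pids.add(ev["pid"])
            if len(pids) > MAX_PROCESSES_PER_SESSION:
                self.events.append((UEC_TOO_MANY,
                                    f"{ev['user']}: {len(pids)} live, last {ev['processPath']}"))
        else:                                   # terminate
            pids.discard(ev["pid"])
            self.conns.pop(ev["pid"], None)

    def on_connection(self, pid: int, ts_ms: int, remote: str) -> None:
        """Sliding-window burst check; one report per burst."""
        window = self.conns[pid]
        window.append(ts_ms)
        while window and ts_ms - window[0] > NET_BURST_WINDOW_MS:
            window.popleft()
        if len(window) > NET_BURST_LIMIT:
            self.events.append((UEC_NET,
                                f"pid {pid}: {len(window)} connections in "
                                f"{NET_BURST_WINDOW_MS} ms, last {remote}"))
            window.clear()

    def on_adapter_snapshot(self, snapshot: Dict[str, dict]) -> None:
        """snapshot: {adapter: {'ips': [...], 'dns': [...]}} as NetworkWatcher
        might build it from GetAdaptersAddresses; diffed against the previous one."""
        prev, self.adapters = self.adapters, snapshot
        if prev is None:
            return                              # first snapshot is the baseline
        for name, cfg in snapshot.items():
            old = prev.get(name)
            if old is None:
                self.events.append((UEC_ADAPTER, f"{name}: new adapter, IPs {cfg['ips']}"))
                continue
            if set(old["ips"]) != set(cfg["ips"]):
                self.events.append((UEC_ADAPTER, f"{name}: IPs {old['ips']} -> {cfg['ips']}"))
            added = set(cfg["dns"]) - set(old["dns"])
            if added:
                self.events.append((UEC_DNS, f"{name}: DNS added {sorted(added)}"))
        for name in set(prev) - set(snapshot):
            self.events.append((UEC_ADAPTER, f"{name}: adapter removed"))


def uec_codes(events: List[Event]) -> List[str]:
    return [uec for uec, _ in events]


def run_sample() -> List[Event]:
    """Constructed telemetry: a process flood, a connection burst, a DNS
    server appearing mid-session and a new adapter showing up."""
    rules = UadRules()
    for pid in range(1, 7):                     # sixth create crosses the limit
        rules.on_process({"action": "create", "pid": pid, "user": "seat-user",
                          "processPath": f"C:\\Tools\\helper{pid}.exe",
                          "parentProcessPath": "C:\\Windows\\explorer.exe",
                          "digitalSignature": ""})
    rules.on_process({"action": "terminate", "pid": 1, "user": "seat-user",
                      "processPath": "C:\\Tools\\helper1.exe",
                      "parentProcessPath": "C:\\Windows\\explorer.exe",
                      "digitalSignature": ""})
    for ts in (0, 2000):                        # spread out: no burst
        rules.on_connection(2, ts, "203.0.113.10:443")
    for ts in (0, 100, 200, 300, 400):          # fifth hit inside 1 s: burst
        rules.on_connection(3, ts, "203.0.113.20:443")
    rules.on_adapter_snapshot({"Ethernet": {"ips": ["10.0.0.5"], "dns": ["10.0.0.1"]}})
    rules.on_adapter_snapshot({"Ethernet": {"ips": ["10.0.0.5"],
                                            "dns": ["10.0.0.1", "198.51.100.9"]}})
    rules.on_adapter_snapshot({"Ethernet": {"ips": ["10.0.0.5"],
                                            "dns": ["10.0.0.1", "198.51.100.9"]},
                               "TAP-Windows": {"ips": ["10.8.0.2"], "dns": []}})
    return rules.events


if __name__ == "__main__":
    for uec, detail in run_sample():
        print(uec, detail)
```

The adapter diff is deliberately snapshot-based rather than hooked to change notifications, so the first snapshot only establishes a baseline and never fires; a single added DNS server is reported even when the adapter's IPs are unchanged, which matches the separate DNS warning the table lists.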

Not verified

  • Exact threshold values for network/process rules (in GcisConfigData blob).
  • Which log files LogFileWatcher tails by default.
  • Full window-rule schema and AppId parsing logic.
  • Whether AppSensor cross-session delivery works when GCIS fails to start.

Evidence

  • strings / RTTI on services/GCIS/plugins/UadPlugin.dll
  • logs/GCIS/UadPluginCurrent.log, UadPluginOld.log
  • services/GSP/plugins/messagebus.conf (AppSensor → UadPlugin cross-session)
  • logs/GSP/GSConfiguratorPluginCurrent.log

admindesk.top — Reversed & documented from Asgard rig backups and GCIS plugin binaries.