AutoOnboarder

AutoOnboarder, CtMT, pc.dll, ScriptEngine, and fpgen notes are consolidated here from the 2026-05-19 snapshot.

Deep-only retained findings

• Deep symbol extraction found .?AVGameSession_AwsSecret@Messages@Bifrost@NVIDIA@@ in MessagebusLib.dll; no literal AWS key value was present.
• gitlab-master.nvidia.com source-path references are embedded in NVIDIA.ScriptEngine.Service.exe symbols.

2026-05-19 application notes

nvctmtsvc.exe (CtMT)

Binary path: services/AutoOnboarder/nvctmtsvc.exe
Size: 24,788,592 bytes | SHA256: (see _analysis/checksums.txt)
PDB: C:\builds\b\out\build\windows-x64-release\services\orchestrator\nvctmtsvc.pdb

---

What this program actually does

nvctmtsvc.exe is CtMT (Content Management Transport) — the NVIDIA Content Management Service on a GeForce NOW gameseat. It runs as a Windows service (nvctmtsvc install / start at seat bootstrap) and orchestrates the full content lifecycle for streaming sessions:

1. Load seat/zone/content configs from GSConfigurator via Message Bus.
2. Join the seat Message Bus and TAS (Telemetry Aggregator Service).
3. Initialize AWS, cloud saves, HTTP, and Lightstep tracing.
4. Run a GFN protocol message handler that fans out install notifications to GCIS/NDC plugins.
5. Drive platform prewarm, artifact fetch, scraper/snapshot, platform controller (pc.dll), ScriptEngine, fpgen, and masquerade (MSQRD) during session setup/teardown.

Version from log: 2026.9.3.0, commit 6751aaa, build 12.05.2026 18:58:23.

---

Architecture / control flow

main.cpp (Windows service / CLI: install|start|stop|restart|status|query)
  └─ seat_configs_loader
        └─ GSConfigClient → MessageBus → GSConfigurator
              (ContentConfig, ZoneConfig, SasConfigData, SeatConfig, Lightstep)
  └─ Lightstep tracer (prod/[REDACTED_OTEL_HOST])
  └─ tas.cpp → MessageBus peer [CtMT:TasConnector]
  └─ AWS + cloud_save + HTTP init
  └─ gfn_protocols_processor (main worker thread)
        ├─ Subscribe/Unsubscribe from GfnGuard, GCIS:*, NDC:*
        ├─ ContentControllerAPI (LaunchSession, ShutdownSession, InstallApp, Prewarm, PlatformPrewarm)
        ├─ ScriptEngine remote (protobuf ScriptEngineMessage.InvokeRequest/Response)
        ├─ notify_gcis_subscribers → GCIS_APP_INSTALL_NOTIFICATION
        └─ platform_controller.cpp → dynamically loads pc.dll
  └─ commands_processor (prewarm, platform prewarm, shutdown to GS)
  └─ content_controller (session state machine, plugins, artifacts, userdata)
  └─ gfn_guard_plugin, d3dreg_plugin, disk_space_reserver, msqrd.cpp
  └─ sensitive_tools_manager (removes fpgen/d3dreg after use)
  └─ object_cache → fpgen.dll::generate_fingerprint (GetProcAddress)
  └─ Embedded Lua (export: luaopen_lfs)

RTTI / source modules (strings): gfn_protocols_processor.cpp, commands_processor.cpp, platform_controller.cpp, content_controller.cpp, cloud_save.cpp, gfn_guard_plugin.cpp, msqrd.cpp, seat_configs_loader.cpp, sensitive_tools_manager.cpp, object_cache.cpp.

Protobuf families: ContentControllerAPI, GCISCommunication, GsServiceApi, ScriptEngineMessagesDef.proto, NVIDIA.Bifrost.*.

---

External interfaces

Interface	Role
Windows Service nvctmtsvc	Installed/started by content-tools installer (nvctmtsvc.exe install, start)
GSConfigurator (Message Bus)	Config authority: ContentConfig, ZoneConfig, SasConfigData, SeatConfig, GsgTokens (CTMT.sessionToken)
Message Bus	Peer CtMT (+ CtMT:TasConnector); config at NvContainer\plugins\LocalSystem\messagebus.conf
TAS connector	Telemetry aggregation via bus
AWS S3	Cloud save upload/download (cloud_save.cpp, ctmt_userdata_* metrics)
Lightstep / OpenTelemetry	[REDACTED_OTEL_HOST], [REDACTED_OTEL_HOST]
GCIS plugins	Subscribe for GCIS_APP_INSTALL_NOTIFICATION; CtMT fans out app install events
GfnGuard	Security/masquerade coordination via gfn_guard_plugin.cpp
NDC:NdcPlugin	Same install-notification subscription pattern
ScriptEngine	Remote handler registered at startup (Added ScriptEngine remote)
pc.dll	Platform controller factory (create_platform_controller)
fpgen.dll	Dynamic generate_fingerprint for seat fingerprinting
Logs	%AG_LOGS%\AutoOnboarder\ctmt.log
Network	Outbound TCP observed from PID 8080 (Sysmon in ElmPluginOld.log)

---

API / CLI surface (inferred)

Command / function	Behavior
install	Register Windows service for auto-start
uninstall	Remove service registration
start / stop / restart	SCM control
status / query	Query service state
-- passthrough	Tokens after -- forwarded to service body
print_ctmt_version	Banner: version, commit, timestamp
do_start / on_start	Full startup sequence
ctmt_load_platform_controller	Load pc.dll, resolve exports
GetProcAddress(generate_fingerprint)	Load fpgen.dll at runtime
luaopen_lfs	Sole PE export — Lua filesystem bindings for embedded scripts
useScriptEngine	Config flag for ScriptEngine integration

ContentControllerAPI message types (strings): LaunchSession, ShutdownSession, InstallApp, Prewarm, PlatformPrewarm, Subscribe, Unsubscribe, SessionLaunchResult.

ScriptEngine protobuf (embedded in binary): InvokeRequest variants: Install, Configure, ConfigureMods, CollectMods, Shutdown, Cleanup.

---

Runtime logs

Bootstrap (logs/startup/contenttoolsSoftwareInstall.log)

Time	Event
18:42:57.824	Copy fpgen, scraperConfig, dummy, nvctmtsvc, pc.dll to AutoOnboarder\
18:42:57.931	nvctmtsvc.exe install
18:42:58.491	nvctmtsvc.exe start
18:42:58.540	Write mb.conf

Service startup (logs/AutoOnboarder/ctmt.log)

Time	Event
18:42:58.538	Version banner CTMT 2026.9.3.0
18:42:58.539–58.654	Load ContentConfig, ZoneConfig, SasConfigData, SeatConfig from GSConfigurator
18:42:58.734	Join MessageBus as [CtMT:TasConnector]
18:42:58.761–58.791	AWS, cloud saves, HTTP init; message handler start
18:42:58.812	Added ScriptEngine remote; nvctmtsvc started successfully
18:43:01–18:43:07	GCIS + NDC plugins subscribe for install notifications
18:43:22.761	Platform prewarm begins; GfnGuard configure
18:48:26.629	Load pc.dll; setup Steam platform controller
18:48:40.532	Start PC; apps initialized (CMS [REDACTED_CMS_ID] Steam demo)

Config fetches (logs/GSP/GSConfiguratorPluginCurrent.log)

CtMT registered as service nvctmtsvc; fetches ContentConfig, ZoneConfig, SasConfigData, SeatConfig, and later GsgTokens property CTMT.sessionToken.

Message Bus (logs/mb-repeater/mb-repeater.log)

Peer system:"CtMT" module:"ScriptEngine" joined at 18:42:58.519.

---

Failure modes

Code / string	Meaning
MessageBus config not found: {}	Missing bus config at startup
Failed to load seat configs.	GSConfigurator fetch failure
Failed to join MessageBus.	Bus connection failure
Failed to start CTMT message handler: {}.	Handler init failure
generate_fingerprint failed with ret={}	fpgen.dll call failed
CTMT_* error constants	e.g. CTMT_SCRIPT_FAILURE, CTMT_CLOUD_SAVE_INITIALIZATION_FAILURE, CTMT_PLATFORM_PREWARM_TIMEOUT, CTMT_CONTENT_CONTROLLER_BAD_STATE
Failed to deploy container, error: 41	MSQRD deploy failure (observed during I2P session)
Metadata from TechnicalMetadata.json differs	Artifact metadata mismatch (signing certs, cms_id)
SSLM subscription attempt was cancelled	Warning at startup (18:42:58.655)
Failed to enable logging, trying to stop & start again...	MSQRD logging retry

---

Relationships

Component	Interaction
NVIDIA.ScriptEngine.Service.exe	Bus peer CtMT:ScriptEngine; script invoke RPC
MessagebusLib.dll	Shared bus/protobuf types (CtMT embeds full Bifrost schema)
pc.dll	Platform lifecycle (Steam in snapshot)
fpgen.dll	Dynamic fingerprint generation
dummy.exe	Bundled placeholder tool (removed by sensitive_tools_manager)
GCIS plugins (7)	Install notification subscribers
_NdcPlugin	Install notification subscriber
GfnGuard / msq.exe	Masquerade and security
GSConfigurator	Config authority
Scraper	Filesystem/registry snapshots (scraper.log)

---

Not verified

• Exact Windows service display name and SCM recovery settings.
• Full catalog of CtMT telemetry counters.
• Whether generate_fingerprint succeeded in this snapshot (no explicit log line).
• AWS credential provisioning path on seat.

---

Evidence

• readpe, strings, radare2 on services/AutoOnboarder/nvctmtsvc.exe
• docs/reverse-engineering/_analysis/nvctmtsvc.strings.txt
• logs/AutoOnboarder/ctmt.log, scraper.log, platform_controller.txt
• logs/startup/contenttoolsSoftwareInstall.log
• logs/GSP/GSConfiguratorPluginCurrent.log
• logs/mb-repeater/mb-repeater.log
• services/AutoOnboarder/mb.conf, scraperConfig.ptxt

pc.dll (Platform Controller)

Binary path: services/AutoOnboarder/pc.dll
Size: 11,721,328 bytes | PDB: C:\builds\b\out\build\windows-x64-release\platform-controller\scraper_km_dll\pc.pdb

---

What this program actually does

pc.dll is the Platform Controller library — the seat-side engine that drives store-specific game session lifecycle (Steam, Battle.net, Epic, GOG Galaxy, EA App, and a dummy fallback). CtMT loads it dynamically via platform_controller.cpp → create_platform_controller and orchestrates platform init, app setup, service start/stop, cloud sync, and masquerade (MSQRD) path registration.

In this snapshot CtMT requests steam; the log shows full Steam PC construction for CMS [REDACTED_CMS_ID] ("MUMBA IV: Egypt Jewels Demo") with session [REDACTED_SESSION_ID].

Version from log: 2026.9.3, build 12.05.2026 18:58:23.

---

Architecture / control flow

create_platform_controller (export)
  └─ controller_factory.cpp
        ├─ steam_controller      (observed in snapshot)
        ├─ bnet_controller       (Battle.net)
        ├─ epic_games_controller
        ├─ ea_app / gog_galaxy   (symbols present)
        └─ default_platform → dummy.exe path
  └─ services_store (IService lifecycle per platform)
        ├─ *_session_state_controller (worker thread)
        ├─ *_services_storage
        ├─ watchers: userdata, manifests, install scripts, cloud sync
        └─ msqrd_controller (masquerade path hooks)
  └─ foxhound_facade (Steam C API 2026.3.10)
  └─ WinFS (Kiosk ACL grants on store directories)
  └─ init_logger / init_rsys_logger (rsyslog → [REDACTED_IP])
  └─ set_metrics_send_callback → CtMT telemetry (ctmt_pc_* stats)

Build paths (strings): platform-controller/platform_controller/steam_controller.cpp, bnet_controller.cpp, epic_games_controller.cpp, scraper_km_dll.cpp, bnet_utils/services_store.h.

---

External interfaces

Interface	Role
CtMT (nvctmtsvc.exe)	Loads DLL, sets callbacks, drives init/start/shutdown steps
Foxhound C API	Steam integration (Loaded foxhound: C API version: 2026.3.10.…)
MSQRD / masquerade	Registers platform build/common paths (msqrd_controller.cpp)
rsyslog	Remote sink [REDACTED_IP] (scraper_km_dll.cpp:85)
Scraper pipeline	Pre-seeds Steam FS/registry from AO snapshots before PC runs
Store processes	GalaxyClientService.exe, steamwebhelper.exe, Battle.net config paths
Logs	%AG_LOGS%\AutoOnboarder\platform_controller.txt
Config	session_info.json, allowlist.json, masquerade.json

---

Exported API

Export	Role
create_platform_controller	Factory: construct platform-specific controller by store name
init_logger	Initialize local PC logging
init_rsys_logger	Initialize remote rsyslog sink
set_metrics_send_callback	Register CtMT metrics callback (ctmt_pc_* counters)
clear_metrics_send_callback	Unregister metrics callback

Platform controller virtual API (RTTI): init_platform, init_apps, shutdown, get_installed_apps per store controller.

Telemetry counters (strings): ctmt_pc_init_platform_stats, ctmt_pc_session_event_stats, ctmt_pc_start_stats, ctmt_pc_shutdown_stats, ctmt_pc_service_failure.

---

Runtime logs

CtMT orchestration (logs/AutoOnboarder/ctmt.log)

Time	Event
18:48:26.629	Going to setup PC for platform: steam
18:48:26.629	Going to load PC library
18:48:26.679	Setting PC's callbacks
18:48:39.020	PC init step: platform
18:48:40.111	PC init step: apps
18:48:40.532	Going to start PC
18:48:41.803	Executing PC's post-start step

Platform controller (logs/AutoOnboarder/platform_controller.txt)

Time	Event
18:48:26.635	rsyslog sink [REDACTED_IP]; requested controller: steam
18:48:26.661	Construction of Steam PC
18:48:26.673	Foxhound loaded
18:48:26.678	State: unknown → pc_created
18:48:39.021	Steam build: F:\Asgard\GameLibrary\100207711\build
18:48:39.090	State: pc_created → platform_initialized
18:48:40.111	MSQRD init with Steam paths; apps init for CMS [REDACTED_CMS_ID]

Session metadata (logs/AutoOnboarder/session_info.json)

CMS [REDACTED_CMS_ID], game "MUMBA IV: Egypt Jewels Demo", store Steam, session [REDACTED_SESSION_ID].

---

Failure modes

String / log	Meaning
Failed to init list of allowed processes. File doesn't exist: C:\ASGARD\SERVICES\NVGRIDSVC\NVGRIDSVC.EXE	Non-fatal allowlist init failure (observed)
Failed to create Platform Controller	Factory failure
Initialization failure: services store is in invalid state	Bad IService state
Can't start/stop service '{}' due to its state: {}	IService state machine guard
Failed to install GalaxyClient	GOG Galaxy setup failure path
Failed to edit service app manifests in BNet DB	Battle.net manifest edit failure
E_PC_GAME_OWNERSHIP_ERROR	Ownership validation error (CtMT string)
Exception in worker thread of '{}'	Background service thread crash

---

Relationships

Component	Interaction
nvctmtsvc.exe	Host/orchestrator; loads exports dynamically
Scraper	Pre-session FS/registry baseline restore
dummy.exe	Referenced as fallback platform binary at C:\asgard\services\autoonboarder\dummy.exe
Masquerade (msq.exe, MSQRD)	Path filters for Steam build/common dirs
fpgen.dll	Sibling AutoOnboarder tool (not loaded by pc.dll)
Foxhound	Steam API shim

---

Not verified

• Epic/GOG/Battle.net controllers exercised in this snapshot (symbols only).
• Exact callback struct passed from CtMT to PC.
• Whether dummy platform controller is ever selected at runtime.

---

Evidence

• readpe -e, strings, radare2 on services/AutoOnboarder/pc.dll
• docs/reverse-engineering/_analysis/pc.strings.txt
• logs/AutoOnboarder/platform_controller.txt, ctmt.log, scraper.log
• logs/AutoOnboarder/session_info.json, allowlist.json, masquerade.json

dummy.exe

Binary path: services/AutoOnboarder/dummy.exe
Size: 21,104 bytes | SHA256: e0fe2e5138254d728f4ce87e44aa4dad9c62a42394546c6360f8635094963571
PDB: C:\builds\b\out\build\windows-x64-release\tools\dummy\dummy.pdb

---

What this program actually does

dummy.exe is a minimal placeholder executable in the AutoOnboarder bundle. Static analysis shows no meaningful application logic — only CRT startup, exception handling, and a asInvoker UAC manifest. It is referenced by pc.dll as the binary path for the default_platform / unknown store fallback alongside named stores (battle_net, ea_app, gog_galaxy, steam).

CtMT's sensitive_tools_manager also targets sensitive bundled tools for post-session removal (same class as fpgen and d3dreg.exe). No runtime log lines name dummy.exe directly in this snapshot.

---

Architecture / control flow

main (CRT startup only)
  └─ Standard MSVC console EXE init
  └─ No custom strings, no exports, no service/bus/network code
  └─ Manifest: requestedExecutionLevel asInvoker

String count: ~168 lines at -n 6 — essentially PE metadata + CRT + cert chain only.

---

External interfaces

Interface	Role
pc.dll	References C:\asgard\services\autoonboarder\dummy.exe as default/unknown platform binary
Seat install	Copied from V:\bin\dummy.exe at bootstrap
CtMT sensitive tools	Likely removed after session (same manager as fpgen)
Logs	None naming this binary in logs/AutoOnboarder/

---

API surface

Item	Value
Exports	None
Imports	VCRUNTIME140, KERNEL32 (QueryPerformanceCounter, exception filters), CRT
CLI	No usage/help strings recovered

---

Runtime logs

Source	Evidence
contenttoolsSoftwareInstall.log	18:42:57.853 — Copying 'V:\bin\dummy.exe' to 'C:\Asgard\Services\AutoOnboarder\dummy.exe'
pc.strings.txt	Platform list includes dummy.exe under C:\asgard\services\autoonboarder
AutoOnboarder logs	No direct invocation logged

---

Failure modes

No failure strings — binary appears inert. If invoked as a platform process, behavior is unknown (likely immediate exit or no-op).

---

Relationships

Component	Interaction
pc.dll	Platform controller factory references path for default/unknown store
nvctmtsvc.exe	Bundled and potentially cleaned by sensitive_tools_manager
fpgen.exe	Sibling AutoOnboarder utility tool

---

Not verified

• Whether PC ever selects default_platform / dummy at runtime.
• Exit code when launched.
• Original author intent (placeholder vs test harness).

---

Evidence

• readpe, strings, radare2 on services/AutoOnboarder/dummy.exe
• docs/reverse-engineering/_analysis/pc.strings.txt (platform path reference)
• logs/startup/contenttoolsSoftwareInstall.log
• docs/reverse-engineering/_analysis/checksums.txt, sizes.txt

MessagebusLib.dll

Binary path: services/AutoOnboarder/ScriptEngine/MessagebusLib.dll
Size: 2,069,104 bytes | Linker: MSVC 14.41

---

What this library does

MessagebusLib.dll is the native C++ Message Bus client for AutoOnboarder. It wraps the seat NvMessageBus pipe transport, embeds ContentControllerAPI and ScriptEngine protobuf schemas, and exposes a flat C export surface consumed by NVIDIA.ScriptEngine.Service.exe (P/Invoke) and potentially other CtMT tooling.

Environment variables: CTMT_HOME, CTMT_MB_CONF — resolve install root and bus config path (C:\asgard\ + AutoOnboarder paths in strings).

---

Architecture / control flow

MessagebusConnect(config_path, peer_name)
  └─ MessageBusImpl (client v3.22 family)
        ├─ PipeTransport → NvMessageBusBroadcast
        ├─ SetOnMessageCallback → inbound protobuf dispatch
        └─ MessagebusReply → outbound responses
  └─ Embedded protobuf descriptors:
        ContentControllerAPI (LaunchSession, ShutdownSession, InstallApp, Prewarm, …)
        ScriptEngineMessage (InvokeRequest/Response)
        NVIDIA.Bifrost.Common (Error, Event, MapEntry)
        GCISCommunication types (cross-referenced)
  └─ GsConfGetString → optional GSConfigurator string fetch
  └─ SendTelemetry / SendTelemetryWithMeasurand → seat telemetry

Log banner: MessageBus Client version 3.22 (MessageBus_7588.log).

---

External interfaces

Interface	Role
Message Bus broadcast	Named-pipe hub (port from mb.conf: 65000)
mb.conf	LogPath, MessageBusPort, InstallPath (NvContainer)
CtMT orchestrator	Same protobuf universe embedded in nvctmtsvc.exe
GSConfigurator	GsConfGetString export for config property lookup
Logs	MessageBus_<pid>.log under C:\asgard\logs\AutoOnboarder
Telemetry	ctmt_shutdown_game_data_telemetry, SendTelemetry* exports

---

Exported API

Export	Role
GetError	Retrieve last client error string
GsConfGetString	Fetch configuration string via GSConfigurator client
MessagebusConnect	Join Message Bus with config + peer identity
MessagebusDisconnect	Leave bus
MessagebusReply	Send reply to pending bus message
SendTelemetry	Emit telemetry event
SendTelemetryWithMeasurand	Telemetry with measurand dimension
SetOnMessageCallback	Register inbound message handler

Protobuf message families (strings):

Family	Examples
ContentControllerAPI	LaunchSession, ShutdownSession, InstallApp, Prewarm, PlatformPrewarm, Subscribe, SessionLaunchResult
ScriptEngine	InvokeRequest.Install/Configure/Shutdown/Cleanup, InvokeResponse.Mods
Bifrost common	Error, Event, GameSession, ModInfo, SessionApp

---

Runtime logs

Log	Evidence
ScriptEngine.log	Connected to MessageBus, listening... at 18:42:58.519
MessageBus_7588.log	Client v3.22 init; pipe connected to broadcast PID 6496
mb-repeater.log	ScriptEngine peer registered on bus
ctmt.log	CtMT uses separate NvContainer messagebus.conf (not this DLL directly)

Config (services/AutoOnboarder/mb.conf):

{
    "LogPath": "C:\\asgard\\logs\\AutoOnboarder",
    "MessageBusPort": 65000,
    "InstallPath": "C:\\Program Files\\NVIDIA Corporation\\NvContainer"
}

---

Failure modes

String	Meaning
Failed to connect to MessageBus, I guess	Connect failure
No Error / GetError	Error retrieval API
subscription_unavailable	Related CtMT subscription failure path
Pipe transport errors	Logged in MessageBus_*.log (connect/read/write)

---

Relationships

Component	Role
NVIDIA.ScriptEngine.Service.exe	Primary consumer
nvctmtsvc.exe	Embeds same protobuf schemas natively (not via this DLL)
services/GSP/Messagebus/*	Sibling MessageBus server/client builds
services/NDC/NvMessageBus.dll	Related NDC container bus client

---

Not verified

• Exact MessagebusConnect parameter struct (C# P/Invoke signature not recovered).
• Bus encryption settings for seat-local port 65000.
• Whether CtMT loads this DLL directly (likely ScriptEngine-only in bundle).

---

Evidence

• readpe -e, strings, radare2 on services/AutoOnboarder/ScriptEngine/MessagebusLib.dll
• docs/reverse-engineering/_analysis/MessagebusLib.strings.txt
• logs/AutoOnboarder/ScriptEngine.log, MessageBus_7588.log
• services/AutoOnboarder/mb.conf

NVIDIA.ScriptEngine.Service.exe

Binary path: services/AutoOnboarder/ScriptEngine/NVIDIA.ScriptEngine.Service.exe
Size: 4,059,304 bytes | Framework: .NET (net10.0 host)

---

What this program actually does

NVIDIA.ScriptEngine.Service.exe is a .NET worker service that runs as the CtMT ScriptEngine bus peer. It connects to the seat Message Bus with elevated privileges, listens for protobuf ScriptEngineMessage invoke requests from CtMT, and executes automation scripts during session lifecycle phases (install, configure, mod collection, shutdown, cleanup).

Version from log: 2026.3.4, commit 81343942, pipeline 46540749.

Go package reference (embedded): gitlab-master.nvidia.com/gfn/content-management-tools/scriptengine/nvse-basestructs.git

---

Architecture / control flow

.NET host (BackgroundService / WindowsService)
  └─ NVIDIA.ScriptEngine.Service.dll
        └─ Worker+<ExecuteAsync>d__1
              ├─ ConfigureServices / AddHostedService
              ├─ UseWindowsService (Windows service lifetime)
              ├─ Privilege elevation (SeTakeOwnership, SeAssignPrimaryToken, SeTcb, SeCreatePagefile)
              ├─ MessagebusLib.dll
              │     ├─ MessagebusConnect (peer: CtMT:ScriptEngine)
              │     ├─ SetOnMessageCallback
              │     └─ MessagebusReply
              └─ Google.Protobuf ScriptEngineMessagesDef
                    InvokeRequest: Install | Configure | ConfigureMods | CollectMods | Shutdown | Cleanup
                    InvokeResponse: Mods, Error

CtMT registers ScriptEngine as a remote handler at startup (Added ScriptEngine remote in ctmt.log). Message schema is also embedded in nvctmtsvc.exe and MessagebusLib.dll.

---

External interfaces

Interface	Role
Message Bus	Peer system:"CtMT" module:"ScriptEngine" (mb-repeater log)
MessagebusLib.dll	Native P/Invoke bridge for bus I/O
CtMT (nvctmtsvc.exe)	Sends ScriptEngineMessage.InvokeRequest RPCs
mb.conf	Local bus settings: port 65000, log path C:\asgard\logs\AutoOnboarder
NvContainer bus	CtMT uses separate messagebus.conf; ScriptEngine uses mb.conf
Logs	%AG_LOGS%\AutoOnboarder\ScriptEngine.log, MessageBus_<pid>.log
Windows privileges	SeTakeOwnership, SeAssignPrimaryToken, SeTcb, SeCreatePagefile

---

API surface (inferred)

Component	Role
Worker.ExecuteAsync	Main service loop
MessagebusConnect	Join bus as ScriptEngine module
SetOnMessageCallback	Receive inbound protobuf messages
MessagebusReply	Send responses
ScriptEngineMessage.InvokeRequest.*	Install, Configure, ConfigureMods, CollectMods, Shutdown, Cleanup
ScriptEngineMessage.InvokeResponse	Mod list + error propagation
SessionContext / ApplicationContext	app_store, version, external_id, mount_point, build_root, metadata_path
ModInfo / ModState	Mod scripting metadata
NLog	Structured logging

---

Runtime logs

ScriptEngine (logs/AutoOnboarder/ScriptEngine.log)

Time	Event
18:42:58.4338	CtMT ScriptEngine started
18:42:58.4445	Version 2026.3.4; privileges applied
18:42:58.5190	Connected to MessageBus, listening...

CtMT (logs/AutoOnboarder/ctmt.log)

Time	Event
18:42:58.812	Added ScriptEngine remote

Message Bus (logs/mb-repeater/mb-repeater.log)

Time	Event
18:42:58.519	Peer CtMT:ScriptEngine PID 7068, SYSTEM, elevated

MessageBus client (logs/AutoOnboarder/MessageBus_7588.log)

MessageBus Client version 3.22; pipe transport to broadcast process 6496.

Install (logs/startup/contenttoolsSoftwareInstall.log)

Copied from scriptengine\ to C:\Asgard\Services\AutoOnboarder\ScriptEngine\ alongside MessagebusLib.dll.

---

Failure modes

String / condition	Meaning
Failed to connect to MessageBus, I guess	MessagebusLib connect failure (in sibling DLL strings)
ScriptEngine.Error.message / .details	Protobuf error response fields
CTMT_SCRIPT_* (in CtMT)	CTMT_SCRIPT_FAILURE, CTMT_SCRIPT_TIMED_OUT, CTMT_SCRIPT_NOT_IMPLEMENTED, CTMT_SCRIPT_LOAD_FAILURE, CTMT_SCRIPT_BAD_CONTEXT
Failed to create script_engine: {}	CtMT ScriptEngine remote init failure

No script execution traffic appears in the short ScriptEngine.log snapshot.

---

Relationships

Component	Interaction
MessagebusLib.dll	Native bus client (required dependency)
nvctmtsvc.exe	Orchestrator; registers ScriptEngine remote
GCIS plugins	Indirect — scripts may drive install/security actions
NVIDIA.ScriptEngine.BaseStructs	Shared struct definitions (assembly reference)

---

Not verified

• On-disk script catalog paths and interpreter (Lua vs other).
• Specific InvokeRequest messages handled in this session (log too short).
• Windows service name registered in SCM (likely CtMT-managed, not standalone SCM entry).

---

Evidence

• strings, readpe, radare2 on services/AutoOnboarder/ScriptEngine/NVIDIA.ScriptEngine.Service.exe
• logs/AutoOnboarder/ScriptEngine.log, MessageBus_7588.log, ctmt.log
• logs/mb-repeater/mb-repeater.log
• services/AutoOnboarder/mb.conf

fpgen (AutoOnboarder)

Split deep docs:

• fpgen.exe — CLI fingerprint generator
• fpgen.dll — library used by CtMT / pc.dll

fpgen.exe

Binary path: services/AutoOnboarder/fpgen/fpgen.exe
Size: 58,992 bytes | SHA256: a45c0b36ca9fba01f6932f10ddb3a34b8fabf2ca7917da7444832862fe7c357b
PDB: C:\builds\b\out\build\windows-x64-release\tools\fpgen\fpgen.pdb

---

What this program actually does

fpgen.exe is a CLI fingerprint generator shipped in the AutoOnboarder bundle. It collects hardware and system identity signals (GPU via NVAPI/D3DKMT, device enumeration via SetupAPI, registry values, Windows service configs) and produces a seat fingerprint. The core logic lives in sibling fpgen.dll (generate_fingerprint export); the EXE is the standalone console entry point.

CtMT also loads fpgen.dll dynamically at runtime (object_cache.cpp → GetProcAddress(generate_fingerprint)) and logs generate_fingerprint failed with ret={} on failure. After use, sensitive_tools_manager removes fpgen from disk (Removing sensitive tools).

---

Architecture / control flow

fpgen.exe (console main)
  └─ fpgen.dll::generate_fingerprint
        ├─ nvapi_QueryInterface / nvapi_pepQueryInterface (NVIDIA GPU)
        ├─ D3DKMTEnumAdapters2 / D3DKMTQueryAdapterInfo (display adapters)
        ├─ SetupDi* / SetupGetInfDriverStoreLocationW (PnP devices)
        ├─ RegOpenKeyExW / RegEnumValueW / RegQueryValueExW (registry)
        ├─ OpenSCManagerW / OpenServiceW / QueryServiceConfigW (services)
        ├─ SHGetFolderPathW (known folders)
        └─ VerifyVersionInfoW / GetNativeSystemInfo (OS identity)

---

External interfaces

Interface	Role
CtMT (nvctmtsvc.exe)	Primary runtime consumer via dynamic fpgen.dll load
fpgen.dll	Shared implementation (generate_fingerprint)
Seat install	Copied from V:\tools\fpgen.exe at bootstrap
Sensitive tools cleanup	Removed post-session by CtMT sensitive_tools_manager
Logs	No dedicated fpgen.log; failures surface in ctmt.log

---

API surface

Symbol	Role
generate_fingerprint	Sole meaningful export (in DLL; EXE calls into DLL)
CLI stdout/stderr	Console output (no usage strings recovered in snapshot)

Hardware APIs used (imports/strings): NVAPI, D3DKMT, SetupAPI, Advapi registry, Service Control Manager.

---

Runtime logs

Source	Evidence
contenttoolsSoftwareInstall.log	18:42:57.825 — copy V:\tools\fpgen.exe → AutoOnboarder\fpgen\
nvctmtsvc.strings	generate_fingerprint failed with ret={}
nvctmtsvc.strings	Removing sensitive tools / remove_sensitive_tools
CtMT log	No explicit fingerprint success/failure line in captured session

---

Failure modes

String	Meaning
generate_fingerprint failed with ret={}	DLL call returned error code
GetProcAddress({}) failed, lastError={}	Dynamic load of fpgen.dll failed
Removing: {}	Sensitive tool deletion (includes fpgen path)

---

Relationships

Component	Interaction
fpgen.dll	Core fingerprint implementation
nvctmtsvc.exe	Dynamic loader + cleanup
dummy.exe	Sibling placeholder tool in AutoOnboarder root
d3dreg.exe	Also listed in sensitive tools removal set

---

Not verified

• CLI arguments and output format (stdout file vs inline hash).
• Cryptographic algorithm (hash type, salting).
• Whether EXE is invoked directly or only DLL via CtMT.

---

Evidence

• readpe, strings, radare2 on services/AutoOnboarder/fpgen/fpgen.exe
• docs/reverse-engineering/_analysis/fpgen.strings.txt
• docs/reverse-engineering/_analysis/nvctmtsvc.strings.txt (dynamic load strings)
• logs/startup/contenttoolsSoftwareInstall.log

fpgen.dll

Binary path: services/AutoOnboarder/fpgen/fpgen.dll
Size: 58,480 bytes | SHA256: f89fa55a93b7990087af3b1bbad216bfaa4a3db5aa1d393c8da6ec02d073bf91
PDB: C:\builds\b\out\build\windows-x64-release\fpgen\fpgen.pdb

---

What this library does

fpgen.dll implements generate_fingerprint — the core seat/device fingerprint routine used by fpgen.exe (CLI) and nvctmtsvc.exe (dynamic GetProcAddress load from C:\asgard\services\AutoOnboarder\fpgen\fpgen.dll).

The library queries GPU adapters (NVAPI, D3DKMT), PnP devices (SetupAPI), registry keys, Windows service configurations, and OS version info to derive a fingerprint blob consumed by CtMT telemetry/onboarding.

---

Architecture / control flow

generate_fingerprint (export, ordinal 1)
  ├─ GPU: nvapi_QueryInterface, D3DKMTEnumAdapters2, D3DKMTQueryAdapterInfo
  ├─ Devices: SetupDiGetClassDevsW, SetupDiEnumDeviceInterfaces, SetupDiGetDeviceRegistryPropertyW
  ├─ Registry: RegOpenKeyExW, RegEnumValueW, RegQueryValueExW
  ├─ Services: OpenSCManagerW, OpenServiceW, QueryServiceConfigW
  ├─ Folders: SHGetFolderPathW
  └─ OS: GetNativeSystemInfo, VerifyVersionInfoW, GetSystemDirectoryW

Same hardware enumeration surface as fpgen.exe; DLL is the loadable unit for CtMT embedding.

---

External interfaces

Interface	Role
fpgen.exe	Console wrapper loading this DLL
nvctmtsvc.exe	Runtime dynamic load via object_cache.cpp
sensitive_tools_manager	Post-use removal from disk
Install path	C:\Asgard\services\AutoOnboarder\fpgen\fpgen.dll

---

Exported API

Export	Ordinal	Role
generate_fingerprint	1	Compute seat fingerprint; return code logged by CtMT on failure

---

Runtime logs

Source	Evidence
contenttoolsSoftwareInstall.log	18:42:57.828 — copy V:\tools\fpgen.dll
nvctmtsvc.strings	generate_fingerprint failed with ret={}
nvctmtsvc.strings	GetProcAddress({}) failed, lastError={}
sensitive_tools_manager.cpp	Removing sensitive tools after session

No dedicated fpgen log file in snapshot.

---

Failure modes

Condition	Meaning
Non-zero return from generate_fingerprint	Logged by CtMT as generate_fingerprint failed with ret={}
GetProcAddress failure	DLL missing or export stripped
Post-session deletion	DLL removed from seat by sensitive tools manager

---

Relationships

Component	Interaction
fpgen.exe	CLI host
nvctmtsvc.exe	Primary production consumer
pc.dll / dummy.exe	Sibling AutoOnboarder binaries (no direct load)

---

Not verified

• Fingerprint output encoding (hex, base64, protobuf).
• Input parameters to generate_fingerprint (likely none — C ABI).
• Success path logging (only failure string found).

---

Evidence

• readpe -e, strings, radare2 on services/AutoOnboarder/fpgen/fpgen.dll
• docs/reverse-engineering/_analysis/fpgen-dll.strings.txt
• docs/reverse-engineering/_analysis/fpgen-dll.objdump.txt
• docs/reverse-engineering/_analysis/nvctmtsvc.strings.txt
• logs/startup/contenttoolsSoftwareInstall.log