Masquerade Drivers

Masquerade driver/filter services are consolidated here from the 2026-05-19 snapshot.

2026-05-19 application notes

gfnmon.dll

Canonical binary: services/masquerade/gfnmon.dll
Analysis date: 2026-05-28 (Asgard snapshot 2026-05-19)

---

What this program actually does

gfnmon.dll is a signed PE32+ x64 DLL (536,688 bytes, compiled 2026-05-07) exporting 34 gfnmon_* functions. Strings and RTTI name it NVIDIA Masquerade and reference masquerade::km::io callback dispatch types (gfnmon_process_create, gfnmon_file_access, gfnmon_untrusted_file_opened, gfnmon_driver_load, etc.).

The DLL is the user-mode control library for the masquerade monitor kernel stack. Seat install copies it to C:\Asgard\Services\masquerade\gfnmon.dll alongside kernel driver nvgfnmon.sys (installed via nvgfnmon.inf). Consumers load the DLL and call exports to register filters and event callbacks that are forwarded to the kernel driver via overlapped I/O (CreateThreadpoolIo, CreateFileW, GetOverlappedResult).

Performance counter names in services/masquerade/nvmsqrdsvc.man (gfnmon_process_start_count, gfnmon_untrusted_file_open_count, gfnmon_driver_load_count, etc.) confirm runtime telemetry categories tied to this API surface.

Not verified: Which process(es) in this snapshot dynamically load gfnmon.dll at runtime (no LoadLibrary gfnmon string match in seat logs).

---

Architecture / control flow

  Consumer process (Not verified which in logs)
        |
        | LoadLibrary(gfnmon.dll) + gfnmon_initialize / gfnmon_configure
        v
  gfnmon.dll  -- threadpool overlapped I/O -->  nvgfnmon.sys (minifilter, FSFilter Activity Monitor)
        |
        | callback dispatch (gfnmon_callback<...> templates in RTTI)
        v
  Registered user callbacks (process/file/registry/driver events)

1. Init: gfnmon_initialize → gfnmon_configure (per export names and main-sized init function at 0x180022c60 in r2).
2. Policy setup: filter/callback setters (gfnmon_add_*, gfnmon_set_*, gfnmon_clear_*).
3. Runtime: kernel driver posts events; DLL invokes registered callbacks; sync variants exist (*_sync_callback, gfnmon_set_sync_message_sequence_number_callback).
4. Teardown: gfnmon_uninitialize.

Domain model exports (gfnmon_set_default_domain, gfnmon_add_process_to_domain, gfnmon_set_process_protection_configuration_for_domain) indicate multi-domain process isolation policy.

---

External interfaces (gRPC, message bus, Win32, drivers)

Interface	Present	Evidence
gRPC	Not verified	No gRPC strings in binary (r2 izq filter)
NVIDIA Message Bus	Not verified	No MessageBus strings in binary
Kernel driver (nvgfnmon.sys)	Yes	Install log installs nvgfnmon.inf; DLL uses threadpool I/O + CreateFileW pattern consistent with driver device comms
Win32 ETW/Perf	Yes	Imports EventRegister, EventWriteString, PerfStartProviderEx, PerfCreateInstance, etc. (ADVAPI32)
Win32 process/volume APIs	Yes	CreateToolhelp32Snapshot, OpenProcess, QueryFullProcessImageNameW, volume enumeration APIs
Registry (policy)	Yes (API surface)	Exports gfnmon_add_registry_access_filter, gfnmon_set_registry_create_key_callback

Related kernel drivers in the same masquerade pack (not direct DLL imports, co-deployed): nvguard.sys, nvmsqrd.sys, nvfoxhnd.sys.

---

API / exports / imports table

Exports (34, radare2 iE)

Export	Notes (from name only)
gfnmon_initialize	Init
gfnmon_configure	Apply configuration
gfnmon_uninitialize	Teardown
gfnmon_set_driver_load_callback	Driver load notification
gfnmon_set_driver_queue_statistics_callback	Queue metrics
gfnmon_set_on_file_access_callback	File access events
gfnmon_set_untrusted_file_opened_callback	Untrusted file open
gfnmon_set_file_operation_callback	Generic file ops
gfnmon_set_reparse_point_callback	Reparse point / junction
gfnmon_set_rename_directory_callback	Directory rename
gfnmon_set_registry_create_key_callback	Registry key creation
gfnmon_add_registry_access_filter	Registry path filter
gfnmon_add_registry_access_filter_ex	Extended registry filter
gfnmon_clear_registry_access_filters	Reset registry filters
gfnmon_add_file_access_filter	File path filter
gfnmon_clear_file_access_filters	Reset file access filters
gfnmon_add_file_operation_filter	File operation filter
gfnmon_clear_file_operation_filters	Reset file op filters
gfnmon_add_protected_process	Mark protected process
gfnmon_add_process_to_domain	Domain assignment
gfnmon_set_default_domain	Default security domain
gfnmon_set_domain_for_placement	File placement domain
gfnmon_set_minimum_allowed_domain_for_privilege	Privilege floor
gfnmon_set_process_protection_configuration	Process protection config
gfnmon_set_process_protection_configuration_for_domain	Per-domain protection
gfnmon_set_protected_process_configuration	Protected process policy
gfnmon_set_protected_process_opened_callback	Protected process handle open
gfnmon_set_non_critical_process_configuration	Non-critical process allow-list
gfnmon_set_process_create_callback	Async process create
gfnmon_set_process_create_sync_callback	Sync process create
gfnmon_set_process_terminate_callback	Async process terminate
gfnmon_set_process_terminate_sync_callback	Sync process terminate
gfnmon_set_image_load_callback	Module load
gfnmon_set_privileged_image_load_callback	Privileged module load
gfnmon_set_sync_message_sequence_number_callback	Sync message ordering

Key imports (sample)

DLL	Functions (sample)
KERNEL32.dll	CreateFileW, CreateThreadpoolIo, StartThreadpoolIo, GetOverlappedResult, CreateToolhelp32Snapshot, OpenProcess, volume/path APIs
ADVAPI32.dll	EventRegister, EventWriteString, PerfStartProviderEx, PerfCreateInstance, LookupPrivilegeValueW
MSVCP140.dll	C++ runtime

---

Runtime timeline (from logs/)

Time (2026-05-19)	Event	Source
18:42:56.337	gfnmon.dll copied to C:\Asgard\Services\masquerade\	logs/startup/msqrdSoftwareInstall.log
18:42:56.617	nvgfnmon.inf driver install rc=0	logs/startup/msqrdSoftwareInstall.log
18:42:56.617	Registry fixup for driver nvgfnmon	logs/startup/msqrdSoftwareInstall.log

No log lines in logs/ reference gfnmon_* export calls or gfnmon.dll load events directly.

---

Failure modes

Mode	Evidence
Driver not installed / device open fails	nvgfnmon.inf install failure would block kernel path; install log shows rc=0 in this snapshot
Callback registration errors	Not verified in seat logs (no gfnmon_* log strings)
GciPlugin start failure (related seat component)	logs/GCIS/NvContainerGcis.log: mandatory plugin GciPlugin failed in Starting state at 19:04:53 — Not verified whether this involves gfnmon.dll

---

Evidence sources

• Binary: services/masquerade/gfnmon.dll
• Driver INF: services/masquerade/nvgfnmon.inf
• Perf manifest: services/masquerade/nvmsqrdsvc.man (gfnmon_* counters)
• Install log: logs/startup/msqrdSoftwareInstall.log
• readpe, strings (workspace analysis 2026-05-28)

---

Radare2

Property	Value
Type	PE32+ DLL, x64, signed, canary enabled
Size	536,688 bytes
Compiled	Thu May 7 16:00:31 2026
PDB	C:\builds\gfn\content-management-tools\masquerade\masquerade\masquerade\bin\user\Release\gfnmon.pdb
Entry	entry0 at 0x180049754 (DllMain dispatch)
Exports	34 gfnmon_* functions
Notable strings	NVIDIA Masquerade, NVIDIA CORPORATION, masquerade::km::io::disposal_types
Key functions (r2 afl)	gfnmon_initialize, gfnmon_uninitialize, domain/filter export stubs

msq.exe

Canonical binary: services/masquerade/msq.exe
Analysis date: 2026-05-28 (Asgard snapshot 2026-05-19)

---

What this program actually does

msq.exe is a signed PE32+ x64 console CLI (541,296 bytes, compiled 2026-05-07) with no PE exports. RTTI reveals a cxxopts-based command dispatcher with classes cmd_create, cmd_start, cmd_stop, cmd_list, cmd_mount, cmd_unmount, cmd_deploy, cmd_undeploy, cmd_image, cmd_remove, cmd_wait, cmd_touch, cmd_commit, cmd_config, cmd_index, cmd_log, cmd_perf, cmd_run, and event_monitoring.

Help strings embedded in the binary define subcommands:

• CREATE — creates container
• START — starts an existing container
• STOP — stops a running container
• LIST — lists existing containers
• IMAGE — add existing image to container
• MOUNT — mount all images for container
• UNMOUNT — unmount container stuck in unmount_pending
• REMOVE — remove container
• WAIT — wait for container until it stops
• DEPLOY / UNDEPLOY — deploy-mode lifecycle
• TOUCH — touch file in container

Status enum strings include status::container_is_not_running, status::only_one_active_container_is_supported, status::failed_to_create_container, etc.

During seat install, msq.exe is invoked once and exits rc=0 before kernel drivers are installed (logs/startup/msqrdSoftwareInstall.log).

Not verified: Exact subcommand invoked at install time (install log only shows process exit code).

---

Architecture / control flow

  CLI (main @ 0x140022d50)
        |
        | cxxopts parse → cmd_* handler
        v
  Named-pipe LPC client  (CreateNamedPipeW / ConnectNamedPipe / ReadFile / WriteFile)
        |
        | serialize_iterator / deserialize_iterator / context@pipe@lpc
        v
  nvmsqrdsvc.exe (msq::core pipe server — Not verified pipe name from this binary alone)
        |
        v
  Container state machine + nvmsqrd.sys kernel driver

Secondary paths:

• ETW tracing: StartTraceW / StopTraceW / EnableTrace (cmd_log, cmd_perf).
• Performance counters: PerfStartProviderEx and related ADVAPI32 perf APIs.
• Filesystem: FindFirstFileW, GetFileAttributesW, CreateFileW for local container metadata (container_dir string).

Container state transition log strings: CONTAINER STATE UPDATE: Container stopped|mounted|deployed|running.

---

External interfaces (gRPC, message bus, Win32, drivers)

Interface	Present	Evidence
gRPC	Not verified	No gRPC strings
Message Bus	Not verified	No MessageBus strings
Named pipe LPC	Yes	CreateNamedPipeW, ConnectNamedPipe, RTTI context@pipe@lpc, event_monitoring pipe handler
Win32 ETW	Yes	StartTraceW, StopTraceW, EnableTrace
Win32 Perf counters	Yes	PerfStartProviderEx, PerfCreateInstance, …
Kernel driver	Indirect	Commands target nvmsqrdsvc / nvmsqrd.sys; no direct DeviceIoControl import in msq.exe

---

API / exports / imports table

Exports

None (radare2 iE empty).

CLI subcommands (RTTI / strings)

Command class	Purpose (from embedded help strings)
cmd_create	Create container
cmd_start	Start container (REQUIRED: name; OPTIONAL: entry point, single-CT mode)
cmd_stop	Stop container (REQUIRED: guid)
cmd_list	List containers (OPTIONAL: active only)
cmd_image	Add image to container
cmd_mount	Mount container images
cmd_unmount	Force unmount from unmount_pending
cmd_deploy	Enter deploy mode
cmd_undeploy	Leave deploy mode
cmd_remove	Delete container (OPTIONAL: remove sandbox)
cmd_wait	Block until container stops
cmd_touch	Touch file in container
cmd_commit	Not verified (class present, no help string captured)
cmd_config	Not verified
cmd_index	Index generation (--generate-index, --use-index strings)
cmd_log	ETW log level control
cmd_perf	Performance counter control
cmd_run	Not verified

Key imports

DLL	Functions (sample)
KERNEL32.dll	Named pipe + file APIs, events, WaitForMultipleObjects
ADVAPI32.dll	ETW + perf counter APIs, RevertToSelf
USER32.dll	CharLowerW, CharLowerBuffW
MSVCP140.dll	C++ iostream/locale
pdh.dll	Not verified usage (import present)
ole32.dll	CoCreateGuid (deep extract)

---

Runtime timeline (from logs/)

Time (2026-05-19)	Event	Source
18:42:56.308	Copied to C:\Asgard\Services\masquerade\msq.exe	logs/startup/msqrdSoftwareInstall.log
18:42:56.375	Process finished: msq.exe -> 0	logs/startup/msqrdSoftwareInstall.log
18:43:22.763+	CTMT msqrd.cpp sets masquerade parameters (registry_enabled, touch_priority, thread_pool_threads) after services started	logs/AutoOnboarder/ctmt.log

No per-invocation command-line capture in logs.

---

Failure modes

Status / error string	Meaning (from string name)
status::container_doesnt_exist	Target container missing
status::container_is_already_running	Duplicate start
status::container_is_not_running	Operation requires running container
status::only_one_active_container_is_supported	Single active container limit
status::failed_to_create_container	Create path failure
status::unable_to_save_container_config	Persist failure
Failed to start trace, error	ETW trace start failure (cmd_log)
File specified with --use-index doesn't exist	Index file missing (cmd_index)

Install-time failure not observed in this snapshot (rc=0).

---

Evidence sources

• Binary: services/masquerade/msq.exe
• Install log: logs/startup/msqrdSoftwareInstall.log
• Session log: logs/AutoOnboarder/ctmt.log (masquerade init via CTMT, not direct msq.exe calls)
• readpe, strings (workspace analysis 2026-05-28)

---

Radare2

Property	Value
Type	PE32+ console EXE, x64, signed
Size	541,296 bytes
Compiled	Thu May 7 16:00:22 2026
PDB	...\masquerade\bin\user\Release\msq.pdb
Entry	entry0 → main at 0x140022d50 (619 bytes)
Exports	None
Notable strings	Container CLI help, NVIDIA Masquerade, NVIDIA Masquerade KM, status:😗 enums
IPC	Named pipe Win32 imports + pipe@lpc RTTI

msqrun.exe

Canonical binary: services/masquerade/msqrun.exe
Analysis date: 2026-05-28 (Asgard snapshot 2026-05-19)

---

What this program actually does

msqrun.exe is a signed PE32+ x64 console helper (239,216 bytes, compiled 2026-05-07) with no PE exports. RTTI shows msq::launcher handling named-pipe LPC requests (deserialize_iterator, serialize_iterator, context@pipe@lpc) with methods bound to run_handler.

The binary launches processes inside an MSQ container sandbox:

• CreateProcessAsUserW — spawn with impersonated user token
• CreateEnvironmentBlock / DestroyEnvironmentBlock — per-user environment
• CreateJobObjectW / SetInformationJobObject / OpenJobObjectW — job-based process grouping
• ImpersonateNamedPipeClient — client identity from pipe connection
• CreateNamedPipeW — LPC server/client role for launcher commands

Error string: Container is not running.

Deployed to C:\Asgard\Services\masquerade\msqrun.exe during masquerade install. Referenced as OPTIONAL entry point in msq.exe START command help (OPTIONAL: entry point to run in container).

Not verified: Direct log evidence of msqrun.exe invocation in this snapshot (no matching lines in logs/).

---

Architecture / control flow

  Parent (nvmsqrdsvc container runtime — Not verified caller in logs)
        |
        | spawns or connects to msqrun.exe
        v
  msqrun.exe  main @ 0x140005380
        |
        | msq::launcher::run_handler (pipe RPC)
        |   ImpersonateNamedPipeClient
        |   CreateEnvironmentBlock
        v
  CreateProcessAsUserW  -->  sandboxed process in container job

Pipe protocol matches msq.exe / nvmsqrdsvc.exe (lpc serialize/deserialize iterators).

---

External interfaces (gRPC, message bus, Win32, drivers)

Interface	Present	Evidence
gRPC	Not verified	No gRPC strings
Message Bus	Not verified	No MessageBus strings
Named pipe LPC	Yes	Full named-pipe API set + ImpersonateNamedPipeClient
Win32 process launch	Yes	CreateProcessAsUserW, job objects, environment blocks
IO completion port	Yes	CreateIoCompletionPort, GetQueuedCompletionStatus (deep extract)
Kernel driver	Indirect	Requires running container (enforced by nvmsqrdsvc / nvmsqrd.sys); no direct DeviceIoControl import

---

API / exports / imports table

Exports

None.

Internal API surface (RTTI)

Symbol	Role
msq::launcher	Pipe command handler for run operations
msq::launcher::run_handler	Returns msq::status, writes to basic_stringstream
status@msq	Shared status enumeration with msq.exe / nvmsqrdsvc.exe

Key imports

DLL	Functions
KERNEL32.dll	Named pipes, CreateProcessAsUserW, job objects, IOCP, files
USERENV.dll	CreateEnvironmentBlock, DestroyEnvironmentBlock
ADVAPI32.dll	Token/security (via process creation path — Not verified full list)
MSVCP140.dll	C++ streams/locale

---

Runtime timeline (from logs/)

Time (2026-05-19)	Event	Source
18:42:56.312	Copied to C:\Asgard\Services\masquerade\msqrun.exe	logs/startup/msqrdSoftwareInstall.log

No runtime invocation lines for msqrun.exe in logs/ (rg msqrun → install copy only).

---

Failure modes

Condition	Evidence
Container is not running	Embedded error string
Pipe handler returns msq::status error	RTTI signature; specific codes Not verified without dynamic trace
Job assignment failure	Related counters in nvmsqrdsvc.man: msq_failed_add_to_job_count (manifest only)

---

Evidence sources

• Binary: services/masquerade/msqrun.exe
• Install log: logs/startup/msqrdSoftwareInstall.log
• Related CLI docs: msq.exe START help strings (entry point option)
• readpe, strings (workspace analysis 2026-05-28)

---

Radare2

Property	Value
Type	PE32+ console EXE, x64, signed
Size	239,216 bytes
Compiled	Thu May 7 16:00:06 2026
PDB	...\masquerade\bin\user\Release\msqrun.pdb
Entry	entry0 → main at 0x140005380
Exports	None
Notable strings	Container is not running, CreateProcessAsUserW, NVIDIA Masquerade
IPC	Named pipe + msq::launcher RTTI

nvguardsvc.exe

Canonical binary: services/masquerade/nvguardsvc.exe
Analysis date: 2026-05-28 (Asgard snapshot 2026-05-19)

---

What this program actually does

nvguardsvc.exe is a signed PE32+ x64 Windows service executable (4,509,296 bytes, compiled 2026-05-07). It registers on the NVIDIA Message Bus as GfnGuard:GfnGuard Service (confirmed in logs/SmithyV2/.../SmithyControllerPlugin.log and logs/mb-repeater/mb-repeater.log at 18:42:57–18:43:08).

Static analysis shows:

• GFNGuardAPI protobuf message types (GFNGuardMessagesDef.proto, GenericGFNGuardMessage, configure/launch/shutdown session messages)
• GSConfigClient integration (GSConfiguratorServiceAPI, waits for GSConfigurator peer on Message Bus)
• ContentController / Bifrost protobuf types (NVIDIA.Bifrost.Messages.GameSession, etc.)
• Filter manager linkage (FLTLIB.DLL) for interaction with nvguard.sys minifilter

GSPrerequisites queries this binary as a configurable service:

Services=["nvguardsvc"] Exe='c:\asgard\services\masquerade\nvguardsvc.exe'

(logs/GSP/GSConfiguratorPluginCurrent.log)

CTMT (logs/AutoOnboarder/ctmt.log) drives GfnGuard lifecycle: configure, application metadata, links, detach, lambda — all via Message Bus to the GfnGuard peer served by this process.

Windows service name: nvguardsvc (auto-start type 2, started during install).

Not verified: Whether this binary is literally named "GFN Guard" in its internal service display string (Message Bus module name is GfnGuard Service).

---

Architecture / control flow

  Service start (nvguardsvc)
        |
        +--> Join NVIDIA Message Bus (MessageBusEx / BusObserverEx)
        |         config: C:\Program Files\NVIDIA Corporation\NvContainer\plugins\LocalSystem\messagebus.conf
        |         (also seat-local mb.conf with MessageBusPort 65000)
        |
        +--> Wait for GSConfigurator peer (GSConfigClient)
        |
        +--> Register GfnGuard API handlers (protobuf)
        |         <-- CTMT gfn_guard_plugin (configure app, links, detach, lambda)
        |         <-- GSPrerequisites ZoneConfig queries
        |
        +--> Apply rules to nvguard.sys via FLTLIB / driver configuration
        |         (telemetry counters: gfnguard_add_subject_rule_*, gfnguard_apply_app_rules_*)
        |
        +--> Optional gfnmon.dll callbacks (Not verified direct load in this binary)

main at 0x140037c10 (~1314 bytes) orchestrates initialization. Strings reference waiting for TAS on Message Bus before exit/timeout — Not verified what TAS stands for beyond string context.

---

External interfaces (gRPC, message bus, Win32, drivers)

Interface	Present	Evidence
gRPC	Not verified	No gRPC library strings in r2 izq output
NVIDIA Message Bus	Yes	MessageBusEx, BusObserverEx, Joining MessageBus as peer, Failed to create MessageBus observer
Protobuf (GFNGuard, Bifrost, GCIS)	Yes	Extensive .proto type strings, google::protobuf RTTI
GSConfigurator / GSPrerequisites	Yes	GSConfigClientImpl, GetConfiguration, GSP log entry
Win32 service SCM	Yes	Service APIs in deep extract (CreateServiceW, etc.)
Win32 crypto/TLS	Yes	CRYPT32.dll, bcrypt.dll, AWS SigV4 strings (cloud check path)
WTS	Yes	WTSGetActiveConsoleSessionId
Minifilter (nvguard.sys)	Yes	FLTLIB.DLL import; nvguard.inf co-installed; perf counters gfnguard_*
HTTP/cURL	Yes	CURLOPT_PIPEWAIT string (cloud check — Not verified endpoint)

Seat Message Bus config (services/masquerade/mb.conf):

"MessageBusPort": 65000,
"InstallPath": "C:\\Program Files\\NVIDIA Corporation\\NvContainer"

---

API / exports / imports table

Exports

None.

Message Bus identity (runtime logs)

Field	Value
system	GfnGuard
module	GfnGuard Service (also Telemetry peer at PID 7588)
session	0
user	S-1-5-18 (SYSTEM)

Protobuf APIs (string evidence)

API family	Messages / types (sample)
GFNGuardAPI	Configure, configure rules, configure application, configure cloud check, application links, application detach, launch session, shutdown session
GSConfigurator	GetConfiguration, update_service_configuration_response
Bifrost	GameSession, SessionApp, ModInfo, BlockVolume, PrewarmGame
GCISCommunication	Listed in deep extract

Key imports (sample)

DLL	Role
KERNEL32.dll	Process, file, sync, threadpool IO
ADVAPI32.dll	Security, ETW/perf
FLTLIB.DLL	Filter manager communication
WS2_32.dll	Network (Not verified protocol)
CRYPT32.dll / bcrypt.dll	TLS/certs for cloud check
WTSAPI32.dll	Session ID
USERENV.dll	Environment
dbghelp.dll	Diagnostics

---

Runtime timeline (from logs/)

Time (2026-05-19)	Event	Source
18:42:56.323	Copied to masquerade dir	logs/startup/msqrdSoftwareInstall.log
18:42:57.278	nvguard.inf driver install rc=0	logs/startup/msqrdSoftwareInstall.log
18:42:57.586	nvguardsvc.exe exit rc=0 (install helper invocation)	logs/startup/msqrdSoftwareInstall.log
18:42:57.587	Service startup type set to 2 (automatic)	logs/startup/msqrdSoftwareInstall.log
18:42:57.705	Started service: nvguardsvc	logs/startup/msqrdSoftwareInstall.log
18:42:57.772	Message Bus peer GfnGuard:GfnGuard Service added	logs/mb-repeater/mb-repeater.log
18:43:08.536	SmithyController sees GfnGuard peers join	logs/SmithyV2/.../SmithyControllerPlugin.log
18:43:22.761	CTMT: GfnGuard available, configuring	logs/AutoOnboarder/ctmt.log
18:43:23.871+	CTMT sends GfnGuard application configure / ACK cycles	logs/AutoOnboarder/ctmt.log
18:43:23.913	GSPrerequisites GetConfiguration for nvguardsvc / ZoneConfig	logs/GSP/GSConfiguratorPluginCurrent.log
18:48:36–18:48:40	CTMT GfnGuard communication timeouts for some apps	logs/AutoOnboarder/ctmt.log

---

Failure modes

Failure	Evidence
Message Bus observer creation failed	String: Failed to create MessageBus observer, possibly MessageBus DLL/SO is missing.
Message Bus connect timeout	Timed out while connecting synchronously to message bus.
Address collision	GSConfigClient address collision error reported by message bus
GSConfigurator missing	GSConfigurator not on bus. / Failed to receive response from GSConfigurator
TAS missing at init	TAS not found on MessageBus before overall init timeout of {}
Protobuf dispatch error	Error dispatching message from MessageBus... incompatible protobuf versions
CTMT communication timeout	CTMT_GFN_GUARD_COMMUNICATION_FAILURE / Failed to communicate with gfn guard [0] timeout
Empty service name	service_name is empty. Aborting...
GSPrerequisites config parse errors	Multiple service_api_response does not have ... strings

---

Evidence sources

• Binary: services/masquerade/nvguardsvc.exe
• Driver INF: services/masquerade/nvguard.inf
• Message Bus config: services/masquerade/mb.conf
• Perf manifest: services/masquerade/nvmsqrdsvc.man (gfnguard_* counters)
• Logs: logs/startup/msqrdSoftwareInstall.log, logs/AutoOnboarder/ctmt.log, logs/GSP/GSConfiguratorPluginCurrent.log, logs/mb-repeater/mb-repeater.log, logs/SmithyV2/SmithyController/1779216188403/SmithyControllerPlugin.log

---

Radare2

Property	Value
Type	PE32+ console EXE, x64, signed
Size	4,509,296 bytes
Compiled	Thu May 7 16:01:29 2026
PDB	...\masquerade\bin\user\Release\nvguardsvc.pdb
Entry	entry0 → main at 0x140037c10
Exports	None
Notable strings	MessageBusEx paths, GFNGuard protobuf types, GSConfigClient, Bifrost messages
Dependencies	Large protobuf + MessageBus + curl/AWS sigv4 surface

nvmsqrdsvc.exe

Canonical binary: services/masquerade/nvmsqrdsvc.exe
Analysis date: 2026-05-28 (Asgard snapshot 2026-05-19)

---

What this program actually does

nvmsqrdsvc.exe is a signed PE32+ x64 Windows service (1,343,600 bytes, compiled 2026-05-07) described in strings as "NVIDIA Masquerade user-mode service". It implements the msq::core container engine: create/mount/deploy/start/stop containers backed by the nvmsqrd.sys HSM minifilter driver.

Key capabilities (RTTI + error strings):

• msq::container state machine: stopped → mounted → deployed / running / unmount_pending
• Named-pipe LPC server dispatching to msq::core and msq::runtime_controller (CreateNamedPipeW, ImpersonateNamedPipeClient)
• VHDX / virtual disk operations: VirtDisk.dll, CreateVirtualDisk, OpenVirtualDisk, GetVirtualDiskPhysicalPath, WIMGAPI.DLL
• Transactional NTFS: ktmw32.dll, CreateFileTransactedW, OpenTransaction
• Sandbox: job objects, ACL manipulation (SetEntriesInAclW), transactional file ops
• Windows service host: StartServiceCtrlDispatcherW, RegisterServiceCtrlHandlerExW, SetServiceStatus

Policy file services/masquerade/nvmsqrdsvc.json lists excluded processes/directories and cleanup paths on commit.

Windows service name: nvmsqrdsvc (automatic start, started at install). ETW perf provider in services/masquerade/nvmsqrdsvc.man registers 159+ counters (msq_*, gfnmon_*, foxhound_*, gfnguard_*).

Constraint enforced in binary: CURRENTLY ONLY ONE ACTIVE CONTAINER IS SUPPORTED.

---

Architecture / control flow

  Windows Service (nvmsqrdsvc)  main @ 0x140004a60
        |
        +--> Register perf counters (nvmsqrdsvc.man / Perf* APIs)
        |
        +--> Named pipe server (LPC)
        |         ^                              |
        |         | msq.exe CLI commands         | msqrun.exe launcher RPC
        |         |                              v
        +--> msq::core / msq::runtime_controller
        |         |
        |         +--> msq::container lifecycle
        |         |       VirtDisk VHDX mount, sandbox, JSON config persist
        |         |
        |         +--> DeviceIoControl  -->  nvmsqrd.sys (FSFilter HSM)
        |
        +--> msq::container_event_listener (state change notifications)

Container transitions log strings include mounted_to_running_transition, mounted_to_deployed_transition, unload_stopped_containers.

---

External interfaces (gRPC, message bus, Win32, drivers)

Interface	Present	Evidence
gRPC	Not verified	No gRPC strings
Message Bus	Not verified	No MessageBus strings in this binary
Named pipe LPC	Yes	Full pipe server API + msq::core pipe handlers
Win32 SCM	Yes	Complete service API set in deep extract
VirtDisk / VHDX	Yes	VirtDisk.dll, CreateVirtualDisk, OpenVirtualDisk
WIM	Yes	WIMGAPI.DLL import
Minifilter	Yes	FLTLIB.DLL, DeviceIoControl; nvmsqrd.sys via nvmsqrd.inf
Transactional NTFS	Yes	ktmw32.dll, transacted create APIs
Process launch	Yes	CreateProcessW (distinct from msqrun's CreateProcessAsUserW)

---

API / exports / imports table

Exports

None.

Internal classes (RTTI)

Class	Role
msq::core	Pipe command implementation (container CRUD, mount, deploy)
msq::runtime_controller	Runtime pipe control
msq::container	Container object + state transitions
msq::container_event_listener	Event callbacks on state changes
msq::container_stop_waiter	Wait for stop completion
event_system::event_listener	Internal event bus

Container states (strings)

State	String
stopped	container_state::stopped
mounted	container_state::mounted
unmount_pending	container_state::unmount_pending
deployed	container_state::deployed
running	container_state::running

Key imports (sample)

DLL	Functions (sample)
KERNEL32.dll	Pipes, processes, volumes, thread pools, DeviceIoControl
ADVAPI32.dll	Service control, security descriptors, perf counters
VirtDisk.dll	Virtual disk attach/open
FLTLIB.DLL	Filter communication
WIMGAPI.DLL	WIM images
mi.dll	Not verified purpose
SHLWAPI.dll	Path helpers
USERENV.dll	Environment blocks

Configuration (nvmsqrdsvc.json)

Key	Value (sample)
directories_to_exclude	%ProgramData%\Microsoft\Crypto\
processes_to_exclude	%WinDir%\system32\werfault.exe
directories_to_cleanup_on_commit	%WinDir%\Logs, %TEMP%, …

---

Runtime timeline (from logs/)

Time (2026-05-19)	Event	Source
18:42:56.331	Copied nvmsqrdsvc.exe, .man, .json	logs/startup/msqrdSoftwareInstall.log
18:42:57.035	nvmsqrd.inf driver install rc=0	logs/startup/msqrdSoftwareInstall.log
18:42:57.404	Install helper: nvmsqrdsvc.exe rc=0	logs/startup/msqrdSoftwareInstall.log
18:42:57.404	Startup type → 2 (automatic)	logs/startup/msqrdSoftwareInstall.log
18:42:57.415	Started service: nvmsqrdsvc	logs/startup/msqrdSoftwareInstall.log
18:43:22.763	CTMT Initializing masquerade → msqrd.cpp removes container, enables logging	logs/AutoOnboarder/ctmt.log
18:43:22.909–22.949	CTMT sets MSQRD params: registry_enabled=false, touch_priority=3, thread_pool_threads=2	logs/AutoOnboarder/ctmt.log
18:48:40.111	AutoOnboarder MSQRD controller: MSQRD deployed - false, MSQRD IO redirection - false	logs/AutoOnboarder/platform_controller.txt

Not verified: CTMT msqrd.cpp IPC mechanism to nvmsqrdsvc (likely pipe/RPC; not named in logs).

---

Failure modes

Error string	Condition
Failed to create a new container	Container creation
Failed to create sandbox for container	Sandbox setup
Failed to save JSON description of container	Config persist
Only one active container is supported	Second active container
Container [{}] is not in unmount_pending state, use 'stop'	Invalid unmount
Attempt to start sandboxless container	Start without sandbox
No sandbox found, couldn't deploy container with --sandbox option	Deploy mismatch
Failed to mount container / Failed to stop container	Lifecycle errors
status::container_doesnt_exist / status::container_already_exist	CLI-level status codes (shared with msq.exe)
MSQRD logging enable retry	Failed to enable logging, trying to stop & start again... in logs/AutoOnboarder/ctmt.log

---

Evidence sources

• Binary: services/masquerade/nvmsqrdsvc.exe
• Config: services/masquerade/nvmsqrdsvc.json, services/masquerade/nvmsqrdsvc.man
• Driver INF: services/masquerade/nvmsqrd.inf
• Logs: logs/startup/msqrdSoftwareInstall.log, logs/AutoOnboarder/ctmt.log, logs/AutoOnboarder/platform_controller.txt

---

Radare2

Property	Value
Type	PE32+ console EXE, x64, signed
Size	1,343,600 bytes
Compiled	Thu May 7 16:00:41 2026
PDB	...\masquerade\bin\user\Release\nvmsqrdsvc.pdb
Entry	entry0 → main at 0x140004a60 (~1305 bytes)
Exports	None
Notable strings	msq::core::*, container state enums, single-container limit
Driver IO	DeviceIoControl + FLTLIB.DLL