
I'm running Windows 7 SP1 Ultimate (64-bit) and the OS is making some undesirable and unidentified calls to the internet.

Whenever I launch a game (in this case Unreal Tournament) I notice Windows attempts to make a connection to an IP address of 65.55.162.26 via rundll32.exe.

Using Fiddler (and/or cursory Google search) reveals the IP is related to the following hostnames:

games.metaservices.microsoft.com
music.metadata.windowsmedia.com.akadns.net
info.music.metaservices.microsoft.com

I discovered this is most likely coming from "Windows Games Explorer" (or just "Games" as it's known in the Start Menu).

However, even when I disable all online-related options within Games Explorer, Windows is still attempting to make a connection.

I want to be clear that this isn't something which is being triggered by the game itself.

Why is this happening, given that I've disabled all the online features of Windows Games Explorer, and what can I do (besides blocking the above hostnames in my hosts file) to stop it?

I'm asking out of the principle that the OS shouldn't be making calls when I've specifically asked it not to.


  • Why do you want to do this?
    – Moab
    Commented May 11, 2016 at 23:03
  • 1
    I want to know why the OS is sending calls to an unknown remote host every time I launch a game (when I've specifically asked it not to).
    – WackGet
    Commented May 12, 2016 at 1:34
  • It's not Windows doing it, it's the game.
    – Moab
    Commented May 12, 2016 at 2:07
  • It's absolutely not the game. As I said in the question, the call is from rundll32.exe to a Microsoft-specific host which didn't exist until years after the game in question was developed, and which is specifically for gathering metadata about games run on Windows. It's certainly an OS-led request.
    – WackGet
    Commented May 12, 2016 at 3:29

1 Answer

Why is it happening?

This page suggests a plausible reason:

There is an annoying software in Windows 7 called "Games Explorer", which can be started via the button "Games" in the Start Menu. It automatically downloads icons, covers - and other stuff Microsoft deemed useful - from the internet, whenever a game is started.

How to stop it?

I imagine several options (cleanest to dirtiest):

  1. Exclude the executable from the Program Compatibility Assistant (PCA) support.microsoft.com/en-us/kb/2545347.
  2. Disable Program Compatibility Assistant using Services panel or via Group Policy Editor.
  3. Redirect the mentioned hosts to 127.0.0.1. I tried it and it didn't work for my case -- the process just hangs. However, this page suggests it worked for Oblivion.
  4. Restrict access to gameux.dll. This is what I did to "fix" Project Nomads (see below).
  5. Delete C:\Windows\AppPatch\sysmain.sdb. The first link suggests it worked.

I haven't tried #1, #2 and #5.

My experience

I noticed exactly the same problem when Project Nomads (2002) wouldn't start until I turned on the Internet. The game's exe file would start rundll32.exe, which in turn runs C:\Windows\System32\gameux.dll, which made a request to 65.55.162.26:443.

I didn't want to experiment with deleting sysmain.sdb as the first link suggests -- maybe some old programs would break? It's a "Compatibility" feature, after all.

Instead I took ownership of gameux.dll and removed my user from the access list. Now when I start the game it says "Access denied" to gameux.dll, I press OK, the rundll32.exe process exits and the game runs with no problem. No requests are performed and the game runs without an Internet connection.

What is going on?

From Windows Shim Database (SDB) Parser tool page (tzworks.net/prototype_page.php?proto_id=33):

The Application Compatibility framework from Microsoft uses the Shim Database to identify if, and how, an application or DLL should be shimmed during process startup and/or DLL load. The default Shim Database is located at \Windows\AppPatch\sysmain.sdb and can contain thousands of entries for a normal Win7 box.

... the Application Compatibility framework allows installed applications on a Windows box to be patched 'on the fly' (ie. modified without a reboot), and this patch can be used to spawn other processes and/or inject undesired DLLs into the patched application.

I cannot tell for sure, but my only explanation of your comment

the call is from rundll32.exe to a Microsoft-specific host which didn't exist until years after the game in question was developed

is that Windows is injecting that gameux.dll call into our innocent game exes.

There's a paper Malicious Application Compatibility Shims if you're concerned about security.

P.S. Sorry I had to trick the editor to post >2 links with <10 rep.
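As an added example (not part of the answer above or of any Microsoft tool): a PowerShell audit script that reports the current state of options 2 to 5 from the list (PCA service, hosts-file redirection, gameux.dll ACL, sysmain.sdb presence) and lists any process that currently has gameux.dll loaded or a connection to 65.55.162.26, changing nothing. The hostnames and IP are the ones from the question; the service short name PcaSvc is assumed to be the Program Compatibility Assistant service.

```powershell
# Added audit script: reports the state of the mitigations, does not modify anything.
$dll   = Join-Path $env:SystemRoot 'System32\gameux.dll'
$sdb   = Join-Path $env:SystemRoot 'AppPatch\sysmain.sdb'
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$ip    = '65.55.162.26'                      # IP from the question
$names = 'games.metaservices.microsoft.com',
         'music.metadata.windowsmedia.com.akadns.net',
         'info.music.metaservices.microsoft.com'

# Option 2: Program Compatibility Assistant service (assumed name PcaSvc); WMI works on PS 2.0
$pca = Get-WmiObject Win32_Service -Filter "Name='PcaSvc'"
if ($pca) { "PcaSvc: state=$($pca.State) startmode=$($pca.StartMode)" }
else      { 'PcaSvc: not present' }

# Option 3: are the hostnames redirected to 127.0.0.1 in the hosts file?
$hostLines = Get-Content $hosts
foreach ($n in $names) {
    $pattern = '^\s*127\.0\.0\.1\s+' + [regex]::Escape($n) + '(\s|$)'
    $hit = $hostLines | Where-Object { $_ -match $pattern }
    if ($hit) { "hosts: $n -> 127.0.0.1" } else { "hosts: $n not redirected" }
}

# Option 4: who can read/execute gameux.dll right now
"ACL on ${dll}:"
(Get-Acl $dll).Access | ForEach-Object {
    '  {0,-5} {1,-45} {2}' -f $_.AccessControlType, $_.IdentityReference, $_.FileSystemRights
}

# Option 5: is the default shim database still in place?
"sysmain.sdb present: $(Test-Path $sdb)"

# Live check: processes that currently have gameux.dll loaded (other users' processes need admin)
Get-Process | ForEach-Object {
    try {
        $mods = $_.Modules | ForEach-Object { $_.ModuleName }
        if ($mods -contains 'gameux.dll') { "gameux.dll loaded in PID $($_.Id) ($($_.ProcessName))" }
    } catch { }   # access denied or 32/64-bit mismatch: skip this process
}

# Live check: any TCP connection to the IP from the question, with the owning process
netstat -ano | Select-String $ip | ForEach-Object {
    $ownerPid = ($_.Line -split '\s+')[-1]
    $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
    "connection to ${ip}: PID $ownerPid ($($proc.ProcessName))"
}
```

Run it from an elevated prompt while the game is starting to catch the rundll32.exe instance before it exits.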

  • 1
    Excellent answer; thank you. If I could award bounty/rep to you I would gladly do it! Was your research into this done because you couldn't get your own game to start or are you a programmer etc.?
    – WackGet
    Commented May 15, 2016 at 23:32
  • The Compatibility Assistant service is already disabled on my machine so I guess that option isn't foolproof. Also archived the blog post for future users: web.archive.org/web/20160516124456/https://schmatzler.de/en/…
    – WackGet
    Commented May 16, 2016 at 12:46
  • 2
    Good service is already an award. My research was triggered by being uncomfortable with the game reaching the Internet when I thought it shouldn't. My anti-virus (AVG Identity Protection module) complained about suspicious activity and I investigated to see if it's a virus. And yes, being a programmer helps with this stuff.
    – Alex
    Commented May 19, 2016 at 12:37
  • 1
    I didn't try disabling Compatibility Assistant but it should have worked based on my understanding of how it works. Strange. Maybe some 'cleanup' like reboot or clearing prefetch data is required. Else it's deeper than I thought. If you dig further and find something feel free to add to this thread.
    – Alex
    Commented May 19, 2016 at 12:40
