Recent BD version now produces "You are safe" when Windows Media Center extender sessions start

I understand and appreciate both of your suggestions to actually submit a ticket to Support, along with the expected additional diagnostic information. But the unique characteristics of this particular symptom make me wonder if whether everything that would be useful and helpful and of value would, in fact, get captured in the generated logs, etc. Maybe it will, and I'm just a bit skeptical.

First, there is no "screenshot" possible. The symptom is not something seen on the host PC and appearing on one of its monitors. The symptom appears on one of the TVs around my house, as presented to that TV by the Windows Media Center Linksys DMA2100 "extender" at that TV location. The extender has just been launched, and has started a Windows "Remote Desktop Protocol (RDP)" session and connected to the host Win7 PC, as a "Windows RDP user". So conceptually the TV connected to that extender is really functioning as the "monitor" for that RDP session, but which has has no associated physical keyboard.

In other words it's not an actual remote PC connecting via RDP and signing in to a host PC to start a remote Windows session usng standard RDP. But in reality that is exactly how a WMC "extender" does connect to WMC running on the host PC, in order to deliver TV to the television connected via HDMI cable to the extender.

Bottom line: the only "screenshot" possible would be for me to take a photo with my phone of the screen of the TV right when the "You are safe" screen coming from BD gets presented on the TV screen. I will have to be quick, because the message only lasts about 5 seconds before going away. Same with the second message about "your passwords are protected" or something like that that also appears briefly and then also goes away. Nevertheless I could be prepared to take these two photos with my camera.

Second, that really is the entire story about the "event" I'm creating the ticket about. So what is really needed for BD support to understand what is occurring would be if these logs I submit provide a "trace" of what went on back at the host when the RDP user (i.e. the "WMC extender") connected, along with why and how BD even got involved as is now verbalizing and externalizing that connection. By all clues, BD never did this before now, as of the past few days. I've been using BD for at least 6 years now and it NEVER BEFORE PRESENTED "YOU ARE SAFE" on the TV screen of the remote extender session when it started.

If this same awareness of the new RDP session was always detected in the past, but BD was just silent and never actually sent out "you are safe" when the session started, I am reporting that BD now does send out "you are safe" when that very same RDP session that started silently for the past 7 years has now started doing it in the past few days.

And that "you are safe" output is really bothersome and annoying and negatively impacting the normal startup of that WMC extender session. Takes me a minute or two to fight with the screens, get the flashes to appear, disappear, re-appear, re-disappear, and then finally stop, and normal operation now continue. But if I eventually close the RDP session (i.e. power off the extender, so that it disconnects the RDP session with the host Win7 PC), and wait 10 minutes, and then start it up again, well I then have to fight through this whole "you are safe" message story all over again.

I will create the support logs and submit a ticket. Hopefully a "trace" of the starting of the RDP session and its corresponding BD actions will be captured in the logs.

I will produce those logs later today.

But just to be sure I am explaining my thoughts properly, I believe that the TV connected to the WMC extender is actually just like the monitor of a remotely connecting PC would be, if it were to connect using standard Windows RDP to a host Windows PC. WMC extenders are, actually Windows "users" for RDP connections.

And as such, they are assumed to probably have a display screen and keyboard and mouse, just like a real computer would. But in the case of the WMC extender with its own special purpose and function it doesn't actually need a keyboard or mouse. Only a display, which is actually the TV. And then the "desktop output" of the extender gets sent to the display, i.e. to the TV screen. Normally, it sends live/recorded TV from Windows Media Center, the onscreen Guide, the DVR recordings list, etc. But actually it is really the "Windows Desktop" of this remotely connected Windows "user" that connected using RDP.

Hence why I believe BitDefender believes that when it is now newly sending out "You are safe" opening messages to the TV screen, it really thinks it is sending that message to the display Windows Desktop of whatever real computer user person was doing this "remote connection via RDP" to the host Windows. It apparently doesn't notice or realize or care that it is actually a Windows Media Center Extender RDP session, with its own unique characteristics and requirements.

In other words, BD should NOT SEND OUT THESE MESSAGES when the extender connects through RDP and signs in, to start the extender RDP session. BD never sent these messages for the past 7 years, but now it has started doing it just in the past few days. Clearly a change was made to BD that tells "all RDP-connecting users that they are safe and protected", which is something that never got done previously until the last few days.

There obviously HAS been a new and significant update brought out for BD in the past few days. And inside of this update is a new change, that now tells RDP-connecting users that "they are safe". That may be wonderful for real RDP-connecting human beings who are using a real remote computer with mouse, keyboard, display screen, etc., genuinely connecting through RDP to the host Windows in order to launch a new "user session". But it is NOT THE CASE FOR A WMC EXTENDER SESSION LAUNCHING!

That is what this story is all about. Whatever you are now newly doing for regular RDP sessions getting launched (i.e now sending out "you are safe" to their desktop screen), it needs to be suppressed when the RDP session is a Windows Media Center Extender doing the session launching. There should be NO MESSAGES SENT to the TV being managed by the WMC extender when the RDP session gets launched.

Well, things are deterioriating.

Over the past week I have started seeing a new symptom, again tied to Bitdefender running on this same Win7 machine that also runs Windows Media Center with the Ceton TV tuner card in it. The new symptom is that there is what looks like a "memory leak" from Bitdefender that accumulates over 2-3 days, until the system becomes unusable due to memory usage exceeding 70% (of the 16GB in this machine). Normally right after booting the memory usage is around 30% with not much running aside from the auto-start programs.

Memory usage can increase if WMC gets going, recording programs or supporting extender sessions. But it's just minor.

At this moment, having been forced to re-boot just this morning (so that it is now about 12 hours later) I see that Bitdefender has accumulated almost 7GB of memory!!

Andrei M. responded to the support ticket, asking me to do a complete full absolute uninstall (using instructions provided), and then a brand new from-scratch clean reinstall. I will do that, but I'm not sure that is really going to accomplish anything.

In my opinion these brand new symptoms ("You are safe" message going out to all of my WMC extender session TV screens when those sessions are launched, and now "memory leak" that causes Windows to eventually become inoperative) are the result of the recently rolled out new version of the product. Before the past two weeks I never had either of these symptoms on this machine, and I've been using Bitdefender on it for 7 years.

Nevertheless, I will do the full uninstall, reinstall, and see what happens. If there is no improvement I will be forced to uninstall Bitdefender permantenly on this machine and revert to Microsoft Security Essentials and Malwarebytes Premium.

And 30 minutes later:

I believe this is completely related to what's been going on with this WMC machine over the past two weeks: I have been doing an excessive amount of DVR recording, of both Wimbledon tennis (about 13 hours per day) and Tour de France bike race (about 5 hours per day), plus other normal daily recordings etc.

All of these recordings produce very large WTV files (say 15GB - 30GB) in the \Recorded TV folder (managed by WMC). These WTV recordings are all "encrypted" (by DRM) because the channels are copy-protected by my Spectrum cable service. So this folder is growing enormously, and constantly, over the past 2 weeks. They cannot actually be "read" and understood, except by WMC during playback using DRM-decryption.

I am very suspicious that these very large encrypted WTV files in this one \Recorded TV folder are the "culprit" that is responsible for the "memory leak" of Bitdefender.

I have now added ""exceptions" to Bitdefender, for \Recorded TV. I am going to reboot (as I have to anyway) and see if anything improves.

I am also going to add exceptions for the "RDP session users" folders in \Users:

It's now about 3 hours later. And there has been ZERO activity for WMC on the machine. So if it's related to this new and MAJOR MEMORY LEAK shown by Bitdefender, I would think it's not relevant for the past 3 hours.

And yet, Bitdefender continues to hemorrhage/consume memory like a madman!!

Now the above machine is my "production" Windows Media Center Win7 machine, and it has 16GB of RAM. I do have a second "backup" machine which has 32GB of RAM. Same Ceton TV tuner card in it, same WMC setup and configuration and capability, including talking to a whole duplicate set of an additional four extenders around the house. But normally this backup system is not used. It's just there as a backup, in case I need it should some disaster strike my primary WMC machine.

Well, I just decided to take a look at memory on the backup system, where Bitdefender (latest version pushed out over the past few weeks) is also installed. And, shockingly (but perhaps not surprisingly) THERE IS ALSO AN EXTRAORDINARY MEMORY LEAK ON THAT SECOND WIN7 MACHINE AS WELL!!

So at this moment over 13GB of memory is tied up by BDSERVICEHOST!! This second machine was rebooted yesterday, just over 28 hours ago. And it's now sucked up 13GB of memory!!!

I've had it. Apparently the product is no longer usable with a Win7 machine. I will almost certainly uninstall it on both of those machines.

I am now going to investigate its memory usage on the other 18 machines on my account, which are mostly Win10 and two Win11.

This is a seriously unacceptable DEFECT IN THE PRODUCT!!!

Alexandru,

I think you are missing my point. I fully appreciate and understand what you've quoted above from the FAQ article regarding BDSERVICEHOST and memory usage, etc. However the screenshots I've posted are evidence THAT THIS IS ABNORMAL MEMORY CONSUMPTION!

My "production" WMC Win7 machine (16GB) starts off as "normal" memory usage for BDSERVICEHOST, i.e. around 500MB. Exactly as your article suggests. But then it just grows and grows and grows and grows and grows... until eventually all of memory is consumed and Windows becomes inoperable. No scans are going on, nothing is scheduled, its just a machine running normally.

For example I was required to reboot this machine 11 hours ago, and it started off with 500MB memory in use. So it is not 11 hours later, and memory usage is now up to 6GB!!!! That is 6GB of the 16GB in the machine, tied up by BDSERVICEHOST.

As a second example, my "backup" WMC Win7 machine (32GB) also starts off as "normal" with the same 500MB memory used by BDSERVICEHOST. And it, too, was also rebooted 11 hours ago. I had discovered that there was the same "memory leak" on that machine, and it was up to 13GB in use by BDSERVICEHOST!!!!! That is 13GB!!!! So I rebooted, 11 hours ago, starting memory usage at the normal 500MB. And not surprisingly, after the same 11 hours of operation as my "production" machine has been up, the "backup machine" is also now up to 6.2GB of memory tied up by BDSERVICEHOST!!!

So BOTH machines have seen memory consumptoin grown from 500MB to 6GB in the same 11 hours since being rebooted. Surely you cannot believe this is "normal"??? This is obviously some kine of serious problem.

NOTE: I have checked all of my other Win10 machines (that are not Win7 running Windows Media Center with Ceton TV tuner cards). All Win10 machines are TOTALLY NORMAL!! Memory usage by Bitdefender on all of them is your "normal" value of 500MB.

This should PROVE that something is absolutely broken with the latest Bitdefender version that got rolled out in the past 2 weeks, as it runs on both of my Win7 machines that both run Windows Media Center. They both show a MEMORY LEAK that does not stop leaking until all of memory is consumded by BDSERVICEHOST. That is just a fact. Obviously a problem.

NOTE I have a scheduled remote connectivity session scheduled with Andrei, for Thursday morning. Hopefully he may have some kind of insight and ideas from poking around in both of my Win7 machines. We shall see.

Windows Media Center along with the Ceton drivers for the Ceton InfiniTV tuner card only run on Win7. MS discontinued WMC in Win10. There is no option but to continue running Win7 if WMC is desired. I have chosen this option, just for this "production" machine (and the "backup").

I have been running WMC since 2010, as my "whole home" solution (with infinite recording storage capability) to TV watching and DVR record/playback. WMC supports both my Ceton cablecard-enabled TV 6-tuner card as well as my Hauppauge OTA/ATSC 4-tuner card. I have four extenders/TVs around the house. I do not have to pay Spectrum Cable for 4x multi-box equipment rental, DVR service and box fees, all with limited storage capacity, etc. Instead I pay a grand total of $3/month x2 for the 2 cablecards I required, inserted into the Ceton tuner cards in each of my win7 WMC machines. Saves probably $60/month at least, for the past 13 years. Not to mention the extreme superiority of the WMC user interface and functionality.

All the other 18 of the 20 machines on my BD license run Win10 or Win11. None of them involve Windows Media Center. My reason for remaining on Win7/WMC for these specific two machines is simply that: WMC.

So it's been another three hours since my last observation of memory usage by BDSERVICEHOST, on both machines which were both rebooted 14 hours ago now.

Note that one machine is "production", and I have been watching playback of tennis all day, plus doing perhaps 5 hours of new recording. The "backup" machine has done nothing. It is simply sitting idle all day long, with zero recording and zero watching.

And yet, BOTH MACHINES HAVE CONSUMED ALMOST THE IDENTICAL AMOUNT OF MEMORY THROUGH BDSERVICEHOST running on each machine! So the rate of memory consumption on each machine is essentially identical, pointing to what must be an inherent problem both are exhibiting... very likely specicically because of the Win7 environment. Again, my other 18 Win10/Win11 machines are sitting at 500MB of memory and never increasing.

(1) Here is the 16GB Win7 "production" machine right now, 14 hours after reboot.

(2) Here is the 32GB Win7 "backup" machine right now, 14 hours after reboot.

Since I was already up to 72% memory consumed by BD on my "production" machine, and thus had to re-boot today anyway, I decided to go ahead with the FULL AND COMPLETE uninstall/reinstall that was requested by Mihai (of BD support) last Monday. This involves using the Bitdefender_2022-Uninstall-tool, etc.

It also involves removing my device from Bitdefender Central protected devices on my account. Note that this involves an even older still-unfixed problem (originally reported back in 2019 and still unfixed) with Bitdefender Central and the registration of a protected device. Turns out the technique used here for identifying devices is to use the presumed unique MAC address of THE FIRST NETWORK ADAPTER (in Device Manager). Well, on my Win7/WMC machines it turns out the first network adapter is the Ceton TV tuner card

which is actually a "gateway" with an IP address of 192.168.200.1, to its own network:

DFW: 192.168.200.1, true MAC 00:22:2c:80:87:19

Z170: 192.168.200.1, true MAC 00:22:2c:80:94:80

with the 6 tuners accessed using 6 port numbers:

 tuner 1:   192.168.200.2:8000

   tuner 2:   192,168,200.2:8001

   tuner 3:   192.168.200.2:8002

   tuner 4:   192.168.200.2:8003

   tuner 4:   192.168,200.2:8004

   tuner 6:   192.168.200.2:8005

This problem here is that while each Ceton InfiniTV tuner card on my two machines (DFW "production" and Z170 "backup") actually DOES have its own unique MAC address as shown above, they actually appear to have identical MAC addresses as returned from IPCONFIG /ALL, where the last three bytes of the MAC address are "masked" as "FF FF FF".

So instead of using a REAL network adapter from device manager (e.g. my Intel I219-LM) which truly does have a full genuuine 6-byte MAC address, Bitdefender Central simply grabs the first NIC in Device Manager and its "masked" MAC address:

Well, now we're in trouble. Because when I install Bitdefender on my second "backup" Win7/WMC machine (i.e. Z170), the MAC address on that machine's first network adapter is a duplicate of the "masked" MAC address as found on DFW machine. All Ceton cards have a MAC address that is 00:22:2C, and apparently with a final 3 bytes of FF:FF:FF, making them all "identical" to Bitdefender Central.

So instead of ending up with TWO UNIQUE DEVICES PROTECTED, I only get one device shown, with the device name (DFW) of the FIRST MACHINE INSTALLED. The subsequent installs don't do anything, because the apparently identical MAC address tells Bitdefender Central is it is the same machine as was already installed and protected.

Back in 2019 I first reported this issue, and suggested that they simply "black list" the Ceton MAC address which will ALWAYS SHOW UP AS 00:22:2C:FF:FF:FF, and cause problems. Just ignore it and get the next network adapater and use it instead (e.g. my Intel NIC, which would absolutely be unique on every machine). But this has never been done, and so to this day despite having two different machines I only show one device protected.

Anyway, as requested by Mihai I've now followed the instructions for the complete uninstall/reinstall of BD on my DFW "production" machine. And of course the deletion of the device previously shown at Bitdefender Central and the new reinstall, now results in DFW being my one-and-only device. I just wanted to give that part of this story as well, since that problem goes back to 2019 when I first reported it (and got a ticket number: Integrated Support 2019032221420003) and remains unfixed. And of course it starts anew today, with my uninstall/reinstall procedure for DFW. Z170 must necessarily come next, with the resulting duplication story.

The install did also bring in a product update, which necessitated a machine reboot. So I had a chance to look at memory usage right after reboot again, on this brand new clean install. Looks perfectly normal right now, using only 550MB:

And just for the sake of completeness, in the 30 minutes it's taken me to compose this post, BDSERVICEHOST has consumed 300KB of memory (even though I've done nothing but use Firefox):

I think it's apparent that the uninstall/reinstall has accomplished nothing.

Oh... and "Your are safe" still is sent out to the WMC extender sessions when they launch, from the brand newly installed BD on DFW.

So that didn't change either from the full uninstall/reinstall.

So, it all seemed quite productive. Andrei remoted into my DFW "production" Win7 WMC machine right on schedule, and we proceeded to work together for the next 2 hours. The objective really was for him to look around of course, but primarily to generate a complete system memory dump as well as producing a complete set of system logs from BD support tool, etc. And then to upload all of this to their support site for the engineers in Romania to investigate, hopefully to have an epiphany and realize what is generating millions of entries in memory that is consuming all of both my Win7 machines.

I hadn't rebooted all day, and by the time the "dump tool" was invoked overnight we were almost out of RAM. The dump tool failed twice to complete the dump, complaining of "invalid data". So we had to reboot (thus starting BD from scratch, with the noreml 550MB initially tied up). We then waited an hour for the "memory leak" to proceed, until it reached 1GB of storage used at which time we once again attempted to take the memory dump. And this time it was successful.

Andrei packaged up everything to be looked into in a ZIP file that I uploaded to their support site. We shall see what becomes of it. My expectation is that the engineers will have an "epiphany" once they see the millions of repeated entries in memory, that clearly point to the "culprit" bug code which they can then correct.

In the meantime I have now completely uninstalled BD from both my Win7 systems. I cannot tolerate the defective product condition on my normally reliable WMC machines. in the interim I have reverted both Win7 machines back to Windows Defender (i.e. Microsoft Security Essentials) plus Malwarebytes Premium.

If/when the BD support team comes up with a beta fix they'd like me to try (hopefully in a few days) I will reinstall the product. Until then, it's been banished from my Win7 world.

Nevertheless, a very productive session. Andrei is a pro.

Just a status update, now about 3 weeks since my remote connection session with Andrei, during which a complete system dump was transferred to Bitdefender's upload site that reflected the new "memory leak in Win7" symptom (which had progressed post-boot up to the 1GB point, but which would have gone on forever and eventually consumed all free memory in the machine).

Presumably the dump would have shown many hundreds of thousands or more of some kind of "table entries", generated in some endless loop of defective logic in the latest version of Bitdefender engine pushed out in the past month or so. Anybody who knows the internal design of the software and who looked at the hundreds of thousands of "duplicate" (or endless) entries would/should have instantly seen the "giant clue", and opened the page of code to where these entries are being generated, and would then have now been on the diagnostic trail to TRUE DEBUGGING!

In other words, I would have assumed that since this bug makes Bitdefender NO LONGER USABLE ON WIN7 SYSTEMS (or perhaps with some caveats that explained why both of my own Win7 systems, both of which have Ceton TV tuner cards and drivers in them, perhaps making them unique but at least understandable as to why the "memory leak" is occurring) it might have been ELEVATED to some "red flag high-priority" for the debugging geniuses at Bitdefender. I would have expected that, especially since they now had the forensic full-memory dump and all other needed diagnostic logs in thier possession.

Well, you would be wrong. So far in the past 3 weeks I have only heard back from Bitdefender in just one single email, containing the same BOILERPLATE response to my own query a week later asking for an update on any breakthroughs that might have been discovered (and generated automatically, same as to EVERY bug report after 1-2 weeks), with the following USELESS TEXT that I have seem MANY TIMES OVER THE YEARS, anytime I submit a bug report:

"Thank you for your follow-up e-mail.

As mentioned previously on the ticket, a fix for this Bitdefender behavior is still undergoing development. We do not have an estimated time for the release of the fix yet, but we will contact you as soon as it's implemented by an automatic update of Bitdefender. Please keep in mind that all reported bugs require investigation time.

Thank you for your patience and understanding. Rest assured that we will contact you again as soon as the fix is released."

Honestly, I wanted a bit more personal interaction from Andrei or someone on the debugging team... assuming anybody is actually analyzing the memory dump and seeing hundreds of thousands of "giant clues" duplicate entries in some table or something. Yes, of course the actual "fix/solution" will take some time to develop. And maybe I would be asked to pre-test a beta version of the code, on my two Win7 machines which are BOTH EXHIBITING THE FATAL MEMORY LEAK NOW IN BITDEFENDER ON BOTH WIN7 SYSTEMS! If I was willing to let Andrei have a remote connection to my system in order to gather the dump, surely I would be willing to dedicate one or both machines to his team to pre-test a beta version of the fix... BEFORE YOU JUST SEND IT OUT AS YOU PROMISE IN THE EMAIL. I'm more than willing to help in any way I can.

In the meantime, as I previously reported, Bitdefender has been UNINSTALLED AND REMOVED from both of my Win7 systems. I am now operating solely with MS Windows Defender along with Malwarebytes Premium. And I am perfectly fine to run that way forever now, if Bitdefender cannot correct the FATAL MEMORY LEAK which was born last month in the latest engine version pushed out.

Again, I have/had been using Bitdefender on both Win7 systems for the past 7 years and never saw this FATAL MEMORY LEAK until last month's product update. Surely that should focus your diagnostic efforts to that portion of code which is NEW/UPDATED. And the "giant clues" in the memory dump (which you've had for 3 weeks now) should certainly have zeroes in on the obviously "new code" which is generating the "hundreds of thousands of table entries" revealed in the memory dump.

Surely SOME PROGRESS MUST HAVE BEEN MADE BY NOW, no??? And if so, I've heard nothing about it.