Searching for DSMSVC service blocking in WinPE

Description of the anomaly

The control.exe printers command opens a window showing various devices. However, in WinPE, it takes several minutes for the display to be complete (the duration varies depending on the hardware present; 10 minutes on my PC).

The question is: what can be done to ensure that the display is immediate?

Interest in a solution

The use of "bluetooth" would currently benefit greatly from a quick display of the contents of this window. Indeed, the usual Windows menus for managing "bluetooth" display themselves with a "metro/UWP" type GUI, which is unavailable in WinPE. Now, with the "Devices And Printers" menu, after a right click on the icon of the peripheral and with the "properties" sub-menu, one can list and activate the services of such a "bluetooth" device. Of course, the pairing had to be done beforehand. I use a program for which I found example sources on the web.

NOTE: It would be better to write a full manager to avoid using "Devices And Printers".

First investigations: PROCMON, IDA, ETW/WPP

We quickly find that we need to investigate around the DSMSVC service and in particular DeviceSetupManager.dll. But honestly, I don't know how I got to this point.

The analysis of DeviceSetupManager.dll with IDA is a prerequisite to get an idea of the actions of this DLL. Noticing the presence of the "WPP_xx" functions, the idea came to me of implementing these traces. I have tried several times to implement them, but I have never been able to do so. With the V1903 build, I find that the "logman.exe" commands all succeed and that I get a "well-filled" ETL file. Until this version, I had never had a correct context. First chance!

I also find this: https://posts.specterops.io/data-source-analysis-and-dynamic-windows-re-using-wpp-and-tracelogging-e465f8b653f7

The author explains that it is necessary to identify the GUIDs (control and trace_guids). Then he explains how to "build by hand" the TMF files.
That takes a long time. You have to be meticulous and efficient, which I'm not. I didn't build all the files, only the most important ones for my test. I also implemented the "debug" logs for "windows-device-setup-manager" in eventlog.msc. These traces make it possible to verify the relevance of the other WPP traces.

Note: During the meeting I said that cfgmgr32 calls the DeviceIoControl API, but I lost how to see that. You can see it below in the file I sent to you.

Implementation of the tests:

- The DSMSVC service is disabled in my WinPE in flat mode.
- I start WinPE and wait at least 15 minutes to avoid capturing parasitic and unnecessary activity.
- I launch the capture with "logman" for the 3 GUIDs involved.
- I activate the "debug" logs in eventvwr.msc.
- I launch procmon.
- I activate the DSMSVC service (sc config DSMSVC start= demand).
- I launch the command "control.exe printers".
- I wait for the full display: 10 minutes in my case.

Analysis elements

In all traces, you have to take the "Threads" into account so as not to mix up the very large amount of data!

Sequence found

With the WPP traces, I see 2 abnormal phenomena:

- a long series of calls to WaitForSingleObject that fail with code 258d (timeout or .?.)
- the error code 80004005h repeated several times

Leads followed

The analysis of the code did not allow me to find out what this unavailable "object or event" was. On the other hand, I found more things around the 80004005h error. At first I thought it was an "access denied". But that is a false lead. This code is hard-coded in the DLL, in the CPnpDeviceInfo::_WaitDeviceReady function. So it is not the return value of a call to a "system" function.

My first idea about the sequence

A thread calls "CPnpDeviceInfo::_WaitDeviceReady". This request goes through CFGMGR32.DLL, which transfers it to the "system". But the returned data is such that the CPnpDeviceInfo::_WaitDeviceReady function regularly renews its call. All other threads continue their activity.
They all end up needing an object/event to continue. So they crash and repeat their request regularly (500 ms). After a 2-minute delay, CPnpDeviceInfo::_WaitDeviceReady stops its calls to the "system" and returns the error '80004005h'. This anomaly occurs for 5 read entries in the key. So 10 minutes in my case.

In the code, there is the _IsDeviceReady call loop: every 150 milliseconds and 2 minutes maximum.

Note: cfgmgr32.dll relays the calls with the DeviceIoControl API, which uses the handle created by NtCreateFile with the name "\Device\DeviceApi\CMApi". Too complex for me after that.

The ultimate test

I note that:

- the solicitation of the system implements a counter (320h)
- the return of the system is always negative
- the full display is correct even with these negative returns: this is the KEY of the workaround

I tell myself that I can change the value of the counter and reduce it to 1. So I'm changing the DeviceSetupManager.dll file.

CPnpDeviceInfo::_WaitDeviceReady
    inc esi
    cmp esi, 320h
000000180015EA0 FF C6 81 FE 20 03 00 00 00 0F 82 1A 23 FF 48 8B

fc.exe "C:"Users-Noelb-Desktop-ETW-WPP-modif of DevicesetupManager-ORG-DeviceSetupManager - Copy.dll"
Comparison of C files: 'USERS'NOELB-DESKTOP-ETW-WPP-MODIF OF DEVICESETUPMANAGER-ORG-DeviceSetupManager - Copy.dll and C:-USERS-NOELB-DESKTOP-WPP-MODIF OF DEVICESETUPMANAGER-DEVICESETUPMANAGER.Dll
000152A4: 20 01
000152A5: 03 00

* trace WPP ( 2056d = 0808h)

[3]09E4.0808::03/30/2020-14:07:55.889 [12] CDsmJob::RunJob: 7 INSTALL_DRIVERS
[3]09E4.0808::03/30/2020-14:07:55.889 [21] CDsmJob::_RunDriverInstallTask: Entry
[3]09E4.0808::03/30/2020-14:07:55.890 [53] CDsmTask::RefreshConfigFlags: -1 -1
[2]09E4.0808::03/30/2020-14:07:55.890 [54] CDsmTask::RefreshConfigFlags: 65535 {00000000-0000-0000-FFFF-FFFFFFFFFFFF}
[3]09E4.0808::03/30/2020-14:07:55.891 [16] CDsmDriverTask::UpdateAllDrivers: 0
OK WaitForMultipleObjectsEx
[3]09E4.0808::03/30/2020-14:07:55.891 [25] CDsmDeviceScan::WatchDevnodesNeedingSetup: 2 00000000-0000-0000-ffff-ffffffffffff
[2]09E4.0808::03/30/2020-14:07:56.006 [42] CDsmDeviceScan::_GetPresentDevnodeList: 90
[2]09E4.0808::03/30/2020-14:07:56.006 [17] CDsmDriverTask::UpdateAllDrivers: 90
[2]09E4.0808::03/30/2020-14:07:56.007 [29] CDsmDriverTask::_UpdateDriverLocal: HDAUDIO\FUNC_02&VEN_11C1&DEV_1040&SUBSYS_10CF14A5&REV_1002\4&1354C71&0&0101
[2]09E4.0808::03/30/2020-14:07:56.007 [11] CPnpDeviceInfo::_WaitDeviceReady: HDAUDIO\FUNC_02&VEN_11C1&DEV_1040&SUBSYS_10CF14A5&REV_1002\4&1354C71&0&0101
TIMEOUT 2 MINUTES !!!
[1]09E4.0808::03/30/2020-14:10:01.063 [12] CPnpDeviceInfo::_WaitDeviceReady: exit 80004005
[0]09E4.0808::03/30/2020-14:10:01.063 [30] CDsmDriverTask::_UpdateDriverLocal: case s_fLocalSearchEnabled==0
[0]09E4.0808::03/30/2020-14:10:01.063 [22] CDsmDriverTask::UpdateAllDrivers: 1 HDAUDIO\FUNC_02&VEN_11C1&DEV_1040&SUBSYS_10CF14A5&REV_1002\4&1354C71&0&0101
[0]09E4.0808::03/30/2020-14:10:01.063 [23] CDsmDriverTask::UpdateAllDrivers: call AddDevice
[0]09E4.0808::03/30/2020-14:10:01.064 [39] CDriverWerReportList::AddDevice: call NewNode HDAUDIO\FUNC_02&VEN_11C1&DEV_1040&SUBSYS_10CF14A5&REV_1002\4&1354C71&0&0101
[1]09E4.0808::03/30/2020-14:10:01.065 [29] CDsmDriverTask::_UpdateDriverLocal: ROOT\BASICDISPLAY\0000
[1]09E4.0808::03/30/2020-14:10:01.065 [11] CPnpDeviceInfo::_WaitDeviceReady: ROOT\BASICDISPLAY\0000
[1]09E4.0808::03/30/2020-14:10:01.066 [13] CPnpDeviceInfo::_IsDeviceReady: 0
[1]09E4.0808::03/30/2020-14:10:01.066 [12] CPnpDeviceInfo::_WaitDeviceReady: exit 0

* - annexes *

* sequence after start-up of "Devices and Printers" : procmon

It is the "explorer.exe" process that is solicited (I checked it, with procexp ...)

COpenControlPanel clsid 06622D85...
The 32-bit version of dllhost.exe is launched ! ?
ClsId A8A91A66... -> DeviceCenter.dll
Loading of:
    StructuredQuery.dll
    DataExchange.dll
DeviceCenter.dll loads:
    DefaultDeviceManager.dll
    DDOIProxy.dll -- Device Display Object Proxies
    DefaultPrinterProvider.dll
    Fundisc.dll -- Function Discovery Class
    FdDevQuery.dll -- Device Query Provider Class
CFGMGR32.dll explores the DeviceContainers and DeviceClasses keys of the System hive
Loading of DeviceSetupManagerApi.dll -->>> start of the DSMSVC service (identified with IDA and Procexp)
Reading of many keys in Wow6432Node ???
Reading of ...\device metadata\PreventDeviceMetaDataFromNetwork: whether or not a slightly yellow banner is displayed at the top of the window

* Notes:

The DSMSVC service is launched by SVCHOST, which reads the key ...\dsmsvc\parameters\servicemain = DeviceSetupManager.dll
SVCHOST loads this DLL and returns service management requests from SERVICES.exe

DeviceSetupManager.dll imports the following functions:
    from deviceassociation.dll : DafCloseAssociationContext DafCreateAssociationContext DafStartRemoveAssociation
    from SystemEventsBrokerClient.dll : SebRegisterPrivateEvent SebEnumerateEvents SebQueryEventData
    from CFGMGR32 : CM_Request_Device_EjectW

DeviceSetupManager.dll exports only 2 functions:
    _DllMainCRTStartup
    ServiceMain

* extracted from the trace procmon

(1) 30/03/2020 14:07:56,0010003 PID:2532 TID:2056 RegOpenKey HKLM\System\CurrentControlSet\Enum\HDAUDIO\FUNC_02&VEN_11C1&DEV_1040&SUBSYS_10CF14A5&REV_1002\4&1354c71&0&0101 Result: SUCCESS
stack:
...
32 KernelBase.dll DeviceIoControl + 0x67 ---------------------- DeviceIoControl = during the meeting I couldn't show you this because I forgot to use IDA and cfgmgr32
33 kernel32.dll DeviceIoControlImplementation + 0x80
34 cfgmgr32.dll TIoctlQuery::SyncQuery + 0x25e
35 cfgmgr32.dll DevGetObjectPropertiesEx + 0x1dc
36 cfgmgr32.dll DevGetObjectProperties + 0x3a
37 DeviceSetupManager.dll GetDeviceObjectUINT + 0x69
38 DeviceSetupManager.dll CDsmDriverTask::UpdateAllDrivers + 0x1a4
39 DeviceSetupManager.dll CDsmJob::_RunDriverInstallTask + 0xb8
40 DeviceSetupManager.dll CDsmJob::RunJob + 0x1d9
41 DeviceSetupManager.dll CDsmJobScheduler::RunNextJob + 0x97
42 DeviceSetupManager.dll CDsmCore::_JobWorker + 0x60
43 DeviceSetupManager.dll CDsmCore::_JobCallback + 0x1f
44 ntdll.dll TppWorkpExecuteCallback + 0xad
45 ntdll.dll TppWorkerThread + 0x8d4
46 kernel32.dll BaseThreadInitThunk + 0x14
47 ntdll.dll RtlUserThreadStart + 0x21
...

(2) 30/03/2020 14:07:56,0012972 PID:2532 TID:2056 RegOpenKey HKLM\System\CurrentControlSet\Enum\HDAUDIO\FUNC_02&VEN_11C1&DEV_1040&SUBSYS_10CF14A5&REV_1002\4&1354c71&0&0101 Result: SUCCESS
stack:
...
32 KernelBase.dll DeviceIoControl + 0x67
33 kernel32.dll DeviceIoControlImplementation + 0x80
34 cfgmgr32.dll TIoctlQuery::SyncQuery + 0x25e
35 cfgmgr32.dll DevGetObjectPropertiesEx + 0x1dc
36 cfgmgr32.dll DevGetObjectProperties + 0x3a
37 DeviceSetupManager.dll GetDeviceObjectBoolean + 0x67
38 DeviceSetupManager.dll CPnpDeviceInfo::_WaitDeviceReady + 0x31
39 DeviceSetupManager.dll CPnpDeviceInfo::Initialize + 0x24
40 DeviceSetupManager.dll CDsmDriverTask::_UpdateDriverLocal + 0x71
41 DeviceSetupManager.dll CDsmDriverTask::UpdateAllDrivers + 0x1d2
42 DeviceSetupManager.dll CDsmJob::_RunDriverInstallTask + 0xb8
43 DeviceSetupManager.dll CDsmJob::RunJob + 0x1d9 0x7ffeae406239
44 DeviceSetupManager.dll CDsmJobScheduler::RunNextJob + 0x97
45 DeviceSetupManager.dll CDsmCore::_JobWorker + 0x60
46 DeviceSetupManager.dll CDsmCore::_JobCallback + 0x1f
47 ntdll.dll TppWorkpExecuteCallback + 0xad
48 ntdll.dll TppWorkerThread + 0x8d4
49 kernel32.dll BaseThreadInitThunk + 0x14
50 ntdll.dll RtlUserThreadStart + 0x21
...

(3) 30/03/2020 14:07:56,0016334 PID:2532 TID:2056 RegOpenKey HKLM\System\CurrentControlSet\Enum\HDAUDIO\FUNC_02&VEN_11C1&DEV_1040&SUBSYS_10CF14A5&REV_1002\4&1354c71&0&0101 Result: SUCCESS
stack:
...
32 KernelBase.dll DeviceIoControl + 0x67
33 kernel32.dll DeviceIoControlImplementation + 0x80
34 cfgmgr32.dll TIoctlQuery::SyncQuery + 0x25e
35 cfgmgr32.dll DevGetObjectPropertiesEx + 0x1dc
36 cfgmgr32.dll DevGetObjectProperties + 0x3a
37 DeviceSetupManager.dll DeviceObjectHasProperty + 0x69
38 DeviceSetupManager.dll CPnpDeviceInfo::_IsDeviceReady + 0x2d -----<<<<<----
39 DeviceSetupManager.dll CPnpDeviceInfo::_WaitDeviceReady + 0x60
40 DeviceSetupManager.dll CPnpDeviceInfo::Initialize + 0x24
41 DeviceSetupManager.dll CDsmDriverTask::_UpdateDriverLocal + 0x71
42 DeviceSetupManager.dll CDsmDriverTask::UpdateAllDrivers + 0x1d2
43 DeviceSetupManager.dll CDsmJob::_RunDriverInstallTask + 0xb8
44 DeviceSetupManager.dll CDsmJob::RunJob + 0x1d9
45 DeviceSetupManager.dll CDsmJobScheduler::RunNextJob + 0x97
46 DeviceSetupManager.dll CDsmCore::_JobWorker + 0x60
47 DeviceSetupManager.dll CDsmCore::_JobCallback + 0x1f
48 ntdll.dll TppWorkpExecuteCallback + 0xad
49 ntdll.dll TppWorkerThread + 0x8d4
50 kernel32.dll BaseThreadInitThunk + 0x14
51 ntdll.dll RtlUserThreadStart + 0x21
...
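
The thread-by-thread reading of the WPP trace in the "trace WPP" section can be automated. The following is an added example, not part of the original notes: it pairs each CPnpDeviceInfo::_WaitDeviceReady entry with its exit on the same thread and reports the calls that used up the whole polling budget. The line layout is assumed from the excerpt on this page, and the names wait_spans and stalled are hypothetical.

```python
import re
from datetime import datetime

# Values stated on this page: counter limit 320h, one _IsDeviceReady poll every 150 ms.
POLL_LIMIT, POLL_INTERVAL_MS = 0x320, 150
BUDGET_S = POLL_LIMIT * POLL_INTERVAL_MS / 1000   # the "2 minutes maximum"

# Assumed layout, taken from the excerpt: [cpu]PID.TID::date-time [id] Function: message
LINE = re.compile(
    r"^\[(?P<cpu>\d+)\](?P<pid>[0-9A-Fa-f]{4})\.(?P<tid>[0-9A-Fa-f]{4})::"
    r"(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d{3}) "
    r"\[(?P<id>\d+)\] (?P<func>[\w:]+): (?P<msg>.*)$")
WAIT = "CPnpDeviceInfo::_WaitDeviceReady"

def wait_spans(lines):
    """Pair each _WaitDeviceReady entry with its exit on the same thread."""
    pending, spans = {}, []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m or m["func"] != WAIT:
            continue
        when = datetime.strptime(m["ts"], "%m/%d/%Y-%H:%M:%S.%f")
        tid = m["tid"].upper()
        if m["msg"].startswith("exit "):
            if tid in pending:   # skip an exit whose entry was not captured
                device, start = pending.pop(tid)
                seconds = (when - start).total_seconds()
                spans.append((tid, device, seconds, m["msg"].split()[1]))
        else:
            pending[tid] = (m["msg"], when)   # entry message is the device instance ID
    return spans

def stalled(spans, budget=BUDGET_S):
    """Calls that ran for at least the polling budget and ended with a non-zero code."""
    return [s for s in spans if s[2] >= budget and s[3] != "0"]

# Lines copied from the trace excerpt on this page (thread 0808).
SAMPLE = r"""[2]09E4.0808::03/30/2020-14:07:56.007 [11] CPnpDeviceInfo::_WaitDeviceReady: HDAUDIO\FUNC_02&VEN_11C1&DEV_1040&SUBSYS_10CF14A5&REV_1002\4&1354C71&0&0101
[1]09E4.0808::03/30/2020-14:10:01.063 [12] CPnpDeviceInfo::_WaitDeviceReady: exit 80004005
[1]09E4.0808::03/30/2020-14:10:01.065 [29] CDsmDriverTask::_UpdateDriverLocal: ROOT\BASICDISPLAY\0000
[1]09E4.0808::03/30/2020-14:10:01.065 [11] CPnpDeviceInfo::_WaitDeviceReady: ROOT\BASICDISPLAY\0000
[1]09E4.0808::03/30/2020-14:10:01.066 [13] CPnpDeviceInfo::_IsDeviceReady: 0
[1]09E4.0808::03/30/2020-14:10:01.066 [12] CPnpDeviceInfo::_WaitDeviceReady: exit 0
""".splitlines()

if __name__ == "__main__":
    for tid, device, seconds, code in stalled(wait_spans(SAMPLE)):
        print(f"thread {tid}: {device} waited {seconds:.3f} s, exit {code}")
```

Run over a full formatted trace, the number of stalled spans multiplied by the budget gives the expected delay before the "Devices And Printers" window is complete.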