GciPlugin

GciPlugin.dll — GeForce NOW Client Interface Plugin. Provides kernel-level security monitoring and enforcement through the GFNMON driver.

File Info

Property	Value
File	`GciPlugin.dll`
Size	23,769,120 bytes
Architecture	x64 (AMD64)
Build PDB Path	`C:\builds\gfn\security\gcis\out\x86_64-windows-release\GciPlugin\GciPlugin.pdb`
Export	`NvPluginGetInfo`

Deep Architecture

GciPlugin is the primary low-level host hardening plugin. It binds to masquerade/GFNMON callback surfaces, subscribes to process/driver/file/registry/network events, and turns those events into policy decisions and session termination messages.

Internal component names observed in symbols:

GciPluginMonitorFileAccess
GciPluginProtectedProcess
GciPluginRegistryProtection
GciPluginOnDriverLoad
GciPluginOnModuleLoaded
GciPluginCloudSync
GciPluginLaunchCommand
GciPluginSam
GciIpRouteProtector
MsqrdSysWatcher

1. File System Monitoring

Monitors file access operations
Tracks untrusted file access attempts
Validates file integrity and digital signatures
Cloud-synced file detection

2. Process Monitoring & Protection

Monitors process creation/termination
Protects critical system processes
Validates process integrity and security tokens
Supports critical vs non-critical protection modes

ProcessProtectionType levels:

Mode	Description
`Off`	No protection
`Critical Process Access`	Protects critical system processes
`Non-Critical Process Access`	Protects non-critical processes
`AllowCriticalProcessAccess`	Allows access to critical processes

3. Driver Loading Monitoring

Monitors kernel driver loading
Validates driver signatures
Detects unauthorized driver loading attempts

4. Registry Monitoring

Monitors registry key creation
Tracks access patterns against security policies
Monitored path: \registry\machine\system\currentcontrolset\services\

5. Network Route Protection

Monitors IP routing table changes
Protects network routes from modification

6. Security Validation

WinVerifyTrust API for digital signatures
Cryptographic catalog validation
PE file signature verification
Time-based tampering detection

7. AWS Integration

Downloads security manifests (SAM) from S3:

Bucket: gfn-sam.s3.amazonaws.com

Associated counters:

GciSamLoadStats
GciSamLoadStatsTotal

Runtime Pipeline (How It Works)

1) Init + Policy Load

Parses seat config and logger profile.
Connects to MessageBus/GCIS domains.
Loads SAM/policy artifacts and signature material.

Common failure indicators:

GSEC_GCI_Warning_SamDownloadFailure
GSEC_GCI_Warning_EmptySamDataReturned
GSEC_GCI_Error_SamLoadFailure

2) Driver/Callback Wiring

Dynamically resolves masquerade/GFNMON callback exports.
Registers callbacks for file/process/driver/registry and sync-sequence channels.
Starts worker threads for route/address monitoring.

Common failure indicators:

GSEC_GCI_Error_MsqrdFailedToLocateGfnmonInitialize
GSEC_GCI_Error_MsqrdFailedToSetDriverLoadNotifyCallback
GSEC_GCI_Error_IpRouteProtectorFailedToCreateEvents
GSEC_GCI_Error_NetworkChangeProtectorWorkerThreadNotRunning

3) Live Enforcement

Evaluates events against exception/policy lists.
Emits violations and, when required, forces session termination.
Can suppress or defer enforcement during controlled teardown windows.

Indicators:

GSEC_GCI_Warning_IgnoringGciViolationDueToSessionTearingDown
GSEC_GCI_Warning_SessionTerminationEnforcementDisabled
GSEC_GCI_Error_ReportForcedSessionTerminationFailed

GFNMON Kernel Driver Interface

GciPlugin interfaces with GFNMON, a kernel-mode driver providing low-level monitoring:

// Initialization
gfnmon_initialize()
gfnmon_configure()
gfnmon_uninitialize()

// File monitoring
gfnmon_set_on_file_access_callback()
gfnmon_add_file_access_filter()
gfnmon_clear_file_access_filters()
gfnmon_set_untrusted_file_opened_callback()

// Process protection
gfnmon_add_protected_process()
gfnmon_set_protected_process_opened_callback()
gfnmon_set_protected_process_configuration()
gfnmon_set_non_critical_process_configuration()

// Driver monitoring
gfnmon_set_driver_load_callback()
gfnmon_set_driver_queue_statistics_callback()
gfnmon_set_privileged_image_load_callback()

// Registry monitoring
gfnmon_set_registry_create_key_callback()
gfnmon_add_registry_access_filter_ex()
gfnmon_clear_registry_access_filters()

// Filesystem
gfnmon_set_reparse_point_callback()
gfnmon_set_rename_directory_callback()

// Sync
gfnmon_set_sync_message_sequence_number_callback()

MessageBus/GCIS Message Surfaces

App launch command notifications
Platform cloud-sync notifications
Session start/stop and activation state transitions
Security termination notifications

Evidence strings:

GCISCommunicationMessage.Notification.AppLaunchCommand
GCISCommunicationMessage.Notification.PlatformCloudSync
GSEC_GCI_Error_PostGameStartedMessageFailed
GSEC_GCI_Error_PostLkmNotificationFailed

Protected Paths

c:\asgard\services\nvgridsvc\nvgridsvc.exe
c:\program files\nvidia corporation\nvcontainer\nvcontainer.exe
c:\program files\windowsapps\microsoft.gamingservices_*\gamingservices.exe

Error Codes

GciPlugin handles these hex error codes:

Code	Meaning
`0x80030018`	Code integrity violation
`0x8003001B`	Blocked URL accessed
`0x8003001C`	Blocked file download
`0x8003001D`	Registry violation
`0x8003001E`	Unauthorized driver load

Common Error Messages

GeSecurityInfo failed with result {}
GetSecurityInfo failed with result {}
Failed to open thread token after impersonation. GetLastError() = {}
AccessCheck failed with accessMask {}. GetLastError() = {}
Failed to protect {}. Last error {}
VerifyTrust failed for file '{}' with error {}
System time is toggled to past time. Failing PE signature verification
Failed to impersonate logged in user. GetLastError = {}

Dependencies

Windows System DLLs

KERNEL32, USER32, SHELL32, ADVAPI32, ole32, WS2_32, RPCRT4, SHLWAPI, WTSAPI32, IPHLPAPI, VERSION, USERENV, CRYPT32, WINTRUST, bcrypt

Third-Party

aws-cpp-sdk-core.dll — AWS SDK Core
aws-cpp-sdk-s3.dll — AWS S3
libprotobuf.dll — Protocol Buffers

Logging

Uses spdlog with:

File logging with configurable levels
Remote logging capabilities
Logger profiles loaded from user data
Levels: warning, error, critical

Operational Debug Checklist

Confirm SAM download/load success before session activation.
Confirm all Msqrd/GFNMON callbacks were resolved and registered.
Check whether enforcement mode was intentionally set to off.
Verify route/network worker threads are alive.
Validate message posting to downstream domains (game started, LKM notification, termination).

GciPlugin ​

File Info ​

Deep Architecture ​

1. File System Monitoring ​

2. Process Monitoring & Protection ​

3. Driver Loading Monitoring ​

4. Registry Monitoring ​

5. Network Route Protection ​

6. Security Validation ​

7. AWS Integration ​

Runtime Pipeline (How It Works) ​

1) Init + Policy Load ​

2) Driver/Callback Wiring ​

3) Live Enforcement ​

GFNMON Kernel Driver Interface ​

MessageBus/GCIS Message Surfaces ​

Protected Paths ​

Error Codes ​

Common Error Messages ​

Dependencies ​

Windows System DLLs ​

Third-Party ​

Logging ​

Operational Debug Checklist ​