JeremyNicoll

Everything posted by JeremyNicoll

  1. I'll ask mansfield about csrss.exe. I added kedit to OA's exclusions yesterday on one machine, and first impressions are that it may have helped. But I just added it on this machine; when eg I select 4 text files in a Windows Explorer window then r-click and choose open in kedit, two of the files did open ok. OA's logs show more messages being denied:
  2. I'm not able to reproduce the problem on demand, no. It's a pity that there's no logging (by XP) of which DLL was the problem.
  3. Yes, I still have the PM, and I also have copies here of the whole set of files I'd sent to you. I've resent the PM.
  4. I think you've misunderstood the description of an event id 26. It's just a generic error message container - see: http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows%20Operating%20System&ProdVer=5.2&EvtID=26&EvtSrc=Application%20Popup&LCID=1033 though that page does say this is a driver loading error. The page you found is one about a specific problem with Terminal Server, which gets reported using the generic message event. I'm well aware that the process creation & logon events are for info; I turned these audit records on because it makes lots of problem diagnosis much easier if one can see all the PIDs etc of processes starting and stopping. I included the contents of these event records not because I thought they were errors, but because they give an insight into what the OS was doing just before and just after the EAM problem occurred. You say: "One thing you may want to do is check the Include subfolders box for the EAM exclusion in Online Armor." In my notes about precisely how I've set up File Guard's whitelist and OA's exclusions on each of my machines I had noted that I'd not ticked subfolders here because, although as you say subfolders do exist, none of them contain anything that I'd class as an executable; I don't think I'd expect OA to take much interest in mere data. I've altered the setting though and I'll see if the problem recurs.
  5. Did the March logs help? Sometimes I have to double-click a file as many as 5 or 6 times before the app that's meant to load it will respond. It's a nuisance.
  6. Oops, had a problem uploading some files ... trying again
  7. Win XP SP3 on a Dell 650 workstation... EAM 7.0.0.25, OA 6.0.0.1736. I'd just booted one of my machines, and had logged in to Windows, but was elsewhere in the room ... I saw a message box out of the corner of my eye and went back to the machine to see it say:

     a2guard.exe - Application Error
     The application failed to initialize properly (0xc0000142). Click on OK to terminate the application.

     I didn't immediately reply to this - used another machine to google the error code - maybe a problem with DLL initialisation - nothing definite though. I then came back to the machine with the error and examined event logs. First the time of this error is shown:

     Event Type: Information
     Event Source: Application Popup
     Event Category: None
     Event ID: 26
     Date: 12/06/2013
     Time: 09:52:18
     User: N/A
     Computer: DELL-650
     Description: Application popup: a2guard.exe - Application Error : The application failed to initialize properly (0xc0000142). Click on OK to terminate the application.

     a2guard had tried to start just before that:

     Event Type: Success Audit
     Event Source: Security
     Event Category: Detailed Tracking
     Event ID: 592
     Date: 12/06/2013
     Time: 09:52:17
     User: DELL-650\Administrator
     Computer: DELL-650
     Description: A new process has been created:
     New Process ID: 2836
     Image File Name: C:\Program Files\Emsisoft Anti-Malware\a2guard.exe
     Creator Process ID: 3400
     User Name: Administrator
     Domain: DELL-650
     Logon ID: (0x0,0x228A7)

     And, some part of OA was just starting:

     Event Type: Success Audit
     Event Source: Security
     Event Category: Detailed Tracking
     Event ID: 592
     Date: 12/06/2013
     Time: 09:52:17
     User: DELL-650\Administrator
     Computer: DELL-650
     Description: A new process has been created:
     New Process ID: 2512
     Image File Name: C:\Program Files\Online Armor\oaui.exe
     Creator Process ID: 3400
     User Name: Administrator
     Domain: DELL-650
     Logon ID: (0x0,0x228A7)

     I had logged in (as Administrator) about 24 seconds earlier:

     Event Type: Success Audit
     Event Source: Security
     Event Category: Logon/Logoff
     Event ID: 528
     Date: 12/06/2013
     Time: 09:51:53
     User: DELL-650\Administrator
     Computer: DELL-650
     Description: Successful Logon:
     User Name: Administrator
     Domain: DELL-650
     Logon ID: (0x0,0x228A7)
     Logon Type: 2
     Logon Process: User32
     Authentication Package: Negotiate
     Workstation Name: DELL-650
     Logon GUID: -

     Just after the time of the error I see one of my normal boot-time startups starting:

     Event Type: Success Audit
     Event Source: Security
     Event Category: Detailed Tracking
     Event ID: 592
     Date: 12/06/2013
     Time: 09:52:19
     User: DELL-650\Administrator
     Computer: DELL-650
     Description: A new process has been created:
     New Process ID: 3012
     Image File Name: C:\Program Files\~N-folder\Netmeter\NetMeter.exe
     Creator Process ID: 3400
     User Name: Administrator
     Domain: DELL-650
     Logon ID: (0x0,0x228A7)

     - that's started by a registry entry in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - so it's all happening just after login, in the normal way. About 30 mins later, having collected this info, I clicked OK in the error's message box. Task manager showed a2service running, but no other a2xxxx stuff. OA is up; I looked at OA's log but it has nothing unusual in it. I then used shortcut: Start - Pgms - Emsisoft - EAM Guard to start a2guard - this seemed to work ok. I then looked at EAM's log - it shows a malware signature update had started 18 seconds before the error occurred - I presume the update is managed by a2service?
     The update log has:

     General Information:
     Update started: 12/06/2013 09:52:00
     Update ended: 12/06/2013 09:54:32
     Time elapsed: 0:02:32
     Update successful

     Detailed Information: 40 modules, 14187573 bytes

     So maybe there's a timing issue if a2guard tries to start while malware sigs are being revised?
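The timeline the post above assembles by hand from XP event records 528, 592 and 26 can be built mechanically from the flattened log text. This is an added example, not code from the post or from Emsisoft; the records it parses are constructed from the values quoted in the post, and the "Key: value" layout, the dd/mm/yyyy dates and the one-second sibling window are assumptions of the example.

```python
import re
from datetime import datetime

# Constructed sample records, one per line, in the flattened "Key: value" layout
# the post uses; values are the ones quoted in the post (dates are dd/mm/yyyy).
EVENTS = r"""
Event Source: Security Event ID: 528 Date: 12/06/2013 Time: 09:51:53 Description: Successful Logon: User Name: Administrator Logon Type: 2
Event Source: Security Event ID: 592 Date: 12/06/2013 Time: 09:52:17 Description: A new process has been created: New Process ID: 2836 Image File Name: C:\Program Files\Emsisoft Anti-Malware\a2guard.exe Creator Process ID: 3400
Event Source: Security Event ID: 592 Date: 12/06/2013 Time: 09:52:17 Description: A new process has been created: New Process ID: 2512 Image File Name: C:\Program Files\Online Armor\oaui.exe Creator Process ID: 3400
Event Source: Application Popup Event ID: 26 Date: 12/06/2013 Time: 09:52:18 Description: Application popup: a2guard.exe - Application Error : The application failed to initialize properly (0xc0000142).
Event Source: Security Event ID: 592 Date: 12/06/2013 Time: 09:52:19 Description: A new process has been created: New Process ID: 3012 Image File Name: C:\Program Files\~N-folder\Netmeter\NetMeter.exe Creator Process ID: 3400
"""

FIELD = re.compile(r"Event ID: (\d+) Date: (\S+) Time: (\S+) Description: (.*)")
PROC = re.compile(r"New Process ID: (\d+) Image File Name: (.+?) Creator Process ID: (\d+)")
POPUP = re.compile(r"Application popup: (\S+) - Application Error")

def parse_events(text):
    """Parse each record into a dict; 592 records also get pid, image and ppid."""
    out = []
    for line in text.strip().splitlines():
        m = FIELD.search(line)
        if not m:
            continue
        ev = {"id": int(m.group(1)), "desc": m.group(4),
              "ts": datetime.strptime(f"{m.group(2)} {m.group(3)}", "%d/%m/%Y %H:%M:%S")}
        p = PROC.search(ev["desc"])
        if p:
            ev.update(pid=int(p.group(1)), image=p.group(2), ppid=int(p.group(3)))
        out.append(ev)
    return out

def find_init_failures(events):
    """Event 26 popups carrying 0xc0000142 (STATUS_DLL_INIT_FAILED), with the exe name."""
    found = []
    for ev in events:
        if ev["id"] == 26 and "0xc0000142" in ev["desc"]:
            m = POPUP.search(ev["desc"])
            found.append({"ts": ev["ts"], "exe": m.group(1) if m else "?"})
    return found

def window(events, anchor, before=30, after=5):
    """(offset_seconds, event_id, image or description) for events near the anchor, in time order."""
    rows = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        off = int((ev["ts"] - anchor).total_seconds())
        if -before <= off <= after:
            rows.append((off, ev["id"], ev.get("image", ev["desc"][:40])))
    return rows

def started_by_same_parent(events, exe, seconds=1):
    """Other processes the same creator PID launched within `seconds` of exe's own 592 record."""
    mine = next(e for e in events if e["id"] == 592 and e["image"].lower().endswith("\\" + exe.lower()))
    return [e["image"].rsplit("\\", 1)[-1] for e in events
            if e["id"] == 592 and e is not mine and e["ppid"] == mine["ppid"]
            and abs((e["ts"] - mine["ts"]).total_seconds()) <= seconds]

if __name__ == "__main__":
    evs = parse_events(EVENTS)
    for f in find_init_failures(evs):
        print(f["exe"], f["ts"], started_by_same_parent(evs, f["exe"]), window(evs, f["ts"]))
```

Run against a real export, the output shows which processes the same parent launched in the same second as the failing one (here oaui.exe) and how long after the interactive logon the failure fell.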
  8. I think we're back to the dump then... does it show why the OA and/or EAM services have not shut down? Are they waiting for something else - what? - to happen?
  9. ... or in fact why all the still-running tasks have not yet shut down. Are those that are still running waiting for one of their number to stop before they do?
  10. Windows sends a signal... do tasks which get this signal shut down in a random order, or do they do so within the hierarchy of dependencies that exists between system-started tasks/services? I wonder if in the dump you've got you can see whether the OA and EAM services have been told to shut down yet?
  11. Are any of the OA tasks waiting for something? I don't know what normally happens in XP during a shutdown; do tasks like OA get stopped, or does XP just decide that enough of the core services have stopped or reached a certain state of quiescence, and go to the next stage of the shutdown? I have noticed that explorer seems to have stopped ok, when I bring up task manager prior to telling XP to shut for the second time. But I have no idea what should happen next. (I hate this; I used to work as an MVS systems programmer, and knew how to examine MVS standalone dumps to see why a system was stalled. But I can't do it for XP.)
  12. The thing is, the machine's never had this happen while I've had OA in debug mode. Are you sure that debug logs will be helpful?
  13. Ah. Yes that works; with EAM running Stop becomes selectable. I clicked it, the service stopped. Then as you'd hope Start became selectable - I clicked it and EAM restarted. Hopefully the OP will be able to do the same...
  14. Oops - should have said that's on an XP system, and I mainly use Firefox.
  15. Do you have the BBC iPlayer and Adobe AIR .exe's and .dll's trusted in OA's Programs list? In EAM - Guard - Application Rules I have the iPlayer .exe defined as "Monitored" but specifically allowing two types of 'suspicious behaviour' namely 'spyware-related' and 'trojan download'... as EAM seemed to think the app was doing those.
  16. All options grayed out? You'd not said that before.... I'd thought that Start was grayed out only because the service was already running. Looking at services on my XP system though, I see the same thing - everything is grayed out. I wondered if that might be because the start-type is Automatic, so changed mine to start-type Manual... which worked, but Start/Stop etc remained grayed out. The OA services also have everything grayed out here. As the service & EAM & OA are all running fine on my machine that suggests to me that the services are defined to the OS in a way that prevents them from being started/stopped easily, presumably to prevent users (or malware) from interfering with them.
  17. Yes; it hardly helps to solve such a problem though. Yesterday I downloaded a tool - "NotMyFault.exe" - which allows one to provoke a BSOD, via a specially loaded driver named "myfault.sys", from http://technet.microsoft.com/en-gb/sysinternals/bb963901.aspx and I'd also made sure that XP on the machine I'm using most at the moment was configured to take full memory dumps. As luck would have it the machine stalled on shutdown. I waited maybe 45 seconds, then Ctrl-Alt-Del to start task manager, then maybe 30 seconds later used its File - Run option to run the NotMyFault.exe, with no parameters. That gives one a small GUI allowing a choice of types of system crash - I chose the 'Breakpoint' one (which BSODs because it issues a breakpoint with no debugger attached) and the system duly BSODed. Remember that the stop code and reported problem in myfault.sys are because of the way I triggered the BSOD, not the cause of the underlying stalled shutdown... It took about 20 minutes to save physical memory. I then rebooted. I was a little surprised that OA reported a minidump as well, which I duly submitted to you - id 73812 - at about 4am. Then I moved the MEMORY.DMP file out of C:\WINDOWS and renamed it.
      Using NirSoft's hashmyfiles I got hashes for that:

      Filename : 20130526 0349 MEMORY.DMP
      Full Path : C:\Documents and Settings\TheBoss\My Documents\Downloads\20130526 0349 MEMORY.DMP
      Modified Time : 26/05/2013 03:49:56
      Created Time : 17/03/2013 01:09:39
      File Size : 2,137,407,488
      Extension : DMP
      File Attributes : A

      Then I used 7-zip to create a compressed copy of the dump. Hashes for that are:

      Filename : 20130526 0349 MEMORY.7z
      Full Path : C:\Documents and Settings\TheBoss\My Documents\Downloads\20130526 0349 MEMORY.7z
      Modified Time : 26/05/2013 05:07:52
      Created Time : 26/05/2013 04:37:56
      File Size : 795,261,198
      Extension : 7z
      File Attributes : A

      I've uploaded this dump to dropbox - I'll PM you (Arthur) with a URL for it. I have also run a chkdsk on the machine in question's hard disk, after all one can't be certain that after a forced BSOD it'd be ok. No errors were reported, so I hope it is ok... I would be grateful if someone could look at the dump to see if there's any clue why shutdown seems stalled.
  18. More info: I've got CompleteMemoryDump set on the machine I'm using most at the moment, a netbook. My older laptop (which is the machine which had the BSOD I reported at the start of this thread) has become flaky (it hangs quite often if not BSODing) and I'll set it there next time I have it on, if I can. I might also force a BSOD next time it hangs, if it's responsive enough to let me do that. I also have a desktop machine with 3 GB RAM in it and I do not expect to be able to set it there.

      It turns out that there are two problems; first, when XP generates a BSOD dump it does so in two stages - placing data in the page file, then at the next boot creating the C:\MEMORY.DMP files from the stored data. In XP, the page file used for this HAS TO BE on the same disk partition as the OS. However on this desktop machine the page file's in a partition by itself on a separate drive. Though... according to http://support.microsoft.com/kb/314482/en-us - How to configure paging files for optimization and recovery in Windows XP - the solution to this is to define several paging files. The one on the system partition needs to be 1 MB greater in size than the machine's RAM, so that the dumptask can write header info out before dumping storage. Fortunately it seems that XP is intelligent enough (if there's more than one paging file defined) to use the one on the least-active partition to support virtual memory, and only use the one on the system partition for dumping. So I'd try that, if it wasn't for the next problem... According to: http://support.microsoft.com/kb/307973 - which has lots of info about the registry entries that get set for various recovery options - "Complete Memory" dumps are not possible on 32-bit systems if the amount of RAM in use is 2 GB or more. I'm reluctant to take RAM out of this machine, unless it starts BSODing so much that I can expect to recreate the problem easily.

      Having said that, the netbook is being used every day, so if there's an OA/EAM problem causing BSODs that's where it's most likely to show up.
  19. In services.msc, can you stop and then restart the EAM service? And if you can, do you get the message on the restart? If so, try stopping the EAM service, starting procmon as suggested above, restarting EAM, and then saving procmon data again.
  20. I do have SysInternals' ProcExp.exe here, and also their PSxxx utils, eg pslist. I'll try and research what processes are still running when a shutdown hangs. I'm not an expert in ProcExp's facilities but note that in theory it allows one to create a minidump or full dump of a specific process. However when I tried that on oasrv.exe (while the system is running), I got an error message "Error writing dump file - handle invalid". I'm guessing that there's code in OA to prevent users dumping it, presumably as that could help someone reverse engineer it, and OA's History shows various kernel events related to eg oasrv.exe and procexp.exe. When I've found that shutdowns don't hang with OA's debug mode on, I've had all the subsidiary options for what to trace set on. I suppose it's possible that setting only a handful of them on might allow OA (if the problem really is in OA) to have the problem and yet capture some relevant info. I'd need your suggestions on which options to set though.
  21. OK, I made the changes in Control Panel - System... (no need to install or run BellaVista for that). So if it does BSOD again I'll be able to send you a URL to fetch a dump from.
  22. I'm afraid I've had those settings in place for about 6 weeks.
  23. I have two XP Pro and one XP Home machine, all with the current (non-beta) versions of EAM and OA installed. Ever since installing these apps I've noticed that the machines frequently don't shutdown as cleanly as they used to do; when I do Start -> Turn Off Computer -> Turn Off, icons are removed from the desktop but instead of the desktop then progressing to the blue "Windows is shutting down" screen, I'm left staring at my desktop background. The problem did not occur until I started using OA & EAM (previously I had ZoneAlarmPro and ESET NOD32). At first I tried just waiting, several hours, then with less patience maybe 10 minutes - but nothing happens. Nowadays I wait about a minute, then Ctrl-Alt-Delete to get a task manager display, then use its ShutDown menu to re-select TurnOff and the machine(s) then shut down immediately. I have got into the habit of closing apps that previously I left running when I shut the machine down - eg my backup utility (which is never doing anything at the time - I make sure that if there's a backup about to start that it runs first), the Dropbox client, and pausing Scheduled Tasks (and waiting until whatever tasks were running have ended). (I run lots of Scheduled tasks but all of them are simple scripts written in ooRexx and just terminating their processes - which is what I imagine XP does during shutdown - will not cause any problems). However making sure that these apps are shut has not helped. I've tried several times over the last few weeks to get to the bottom of this, on more than one machine. The only clue I have is that when OA's Debug is on, the problem seems not to happen, which is irritating. There are no clues in the OA history, nor in XP's Event logs. It's not happening absolutely every time I shut the machine(s) down, but happens more often than not - maybe 90% of the time. Any ideas?