JeremyNicoll

Posts posted by JeremyNicoll


  1. I think you've misunderstood the description of an event id 26.  It's just a generic error message container - see:

     

     http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows%20Operating%20System&ProdVer=5.2&EvtID=26&EvtSrc=Application%20Popup&LCID=1033

     

    though that page does say this is a driver loading error.

     

    The page you found is one about a specific problem with Terminal Server, which gets reported using the generic message event.

     

    I'm well aware that the process creation & logon events are for info; I turned these audit records on because it makes lots of problem diagnosis much easier if one can see all the PIDs etc of processes starting and stopping.  I included the contents of these event records not because I thought they were errors, but because they give an insight into what the OS was doing just before and just after the EAM problem occurred.

     

     

    You say: "One thing you may want to do is check the Include subfolders box for the EAM exclusion in Online Armor."     In my notes about precisely how I've set up File Guard's whitelist and OA's exclusions on each of my machines I had noted that I'd not ticked subfolders here because, although as you say subfolders do exist, none of them contain anything that I'd class as an executable; I don't think I'd expect OA to take much interest in mere data.  I've altered the setting though and I'll see if the problem recurs.


  2. Win XP SP3 on a Dell 650 workstation...   EAM 7.0.0.25    OA 6.0.0.1736

     

    I'd just booted one of my machines, and had logged in to Windows, but was elsewhere in the room ...  I saw a message box out of the corner of my eye and went back to the machine to see it say:

     

       a2guard.exe - Application Error

       The application failed to initialize properly (0xc0000142).  Click on OK to terminate the application. 

     

     

    I didn't immediately reply to this - used another machine to google the error code - maybe a problem with DLL initialisation - nothing definite though.  I then came back to the machine with the error and examined event logs.    First the time of this error is shown:

     

    Event Type:     Information
    Event Source:   Application Popup
    Event Category: None
    Event ID:       26
    Date:           12/06/2013
    Time:           09:52:18
    User:           N/A
    Computer:       DELL-650
    Description:
    Application popup: a2guard.exe - Application Error : The application failed to initialize properly (0xc0000142). Click on OK to terminate the application.

    a2guard had tried to start just before that:

     

    Event Type:     Success Audit
    Event Source:   Security
    Event Category: Detailed Tracking
    Event ID:       592
    Date:           12/06/2013
    Time:           09:52:17
    User:           DELL-650\Administrator
    Computer:       DELL-650
    Description:
    A new process has been created:
            New Process ID: 2836
            Image File Name:        C:\Program Files\Emsisoft Anti-Malware\a2guard.exe
            Creator Process ID:     3400
            User Name:      Administrator
            Domain:         DELL-650
            Logon ID:               (0x0,0x228A7)

    And, some part of OA was just starting:

     

    Event Type:     Success Audit
    Event Source:   Security
    Event Category: Detailed Tracking
    Event ID:       592
    Date:           12/06/2013
    Time:           09:52:17
    User:           DELL-650\Administrator
    Computer:       DELL-650
    Description:
    A new process has been created:
            New Process ID: 2512
            Image File Name:        C:\Program Files\Online Armor\oaui.exe
            Creator Process ID:     3400
            User Name:      Administrator
            Domain:         DELL-650
            Logon ID:               (0x0,0x228A7)

    I had logged in (as Administrator) about 24 seconds earlier:

     

    Event Type:     Success Audit
    Event Source:   Security
    Event Category: Logon/Logoff
    Event ID:       528
    Date:           12/06/2013
    Time:           09:51:53
    User:           DELL-650\Administrator
    Computer:       DELL-650
    Description:
    Successful Logon:
            User Name:      Administrator
            Domain:         DELL-650
            Logon ID:               (0x0,0x228A7)
            Logon Type:     2
            Logon Process:  User32
            Authentication Package: Negotiate
            Workstation Name:       DELL-650
            Logon GUID:     -

    Just after the time of the error I see one of my normal boot-time startups starting:

     

    Event Type:     Success Audit
    Event Source:   Security
    Event Category: Detailed Tracking
    Event ID:       592
    Date:           12/06/2013
    Time:           09:52:19
    User:           DELL-650\Administrator
    Computer:       DELL-650
    Description:
    A new process has been created:
            New Process ID: 3012
            Image File Name:        C:\Program Files\~N-folder\Netmeter\NetMeter.exe
            Creator Process ID:     3400
            User Name:      Administrator
            Domain:         DELL-650
            Logon ID:               (0x0,0x228A7)

    - that's started by a registry entry in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run   - so it's all happening just after login, in the normal way.

     

     

    About 30 mins later, having collected this info, I clicked OK in the error's message box.   Task manager showed a2service running, but no other a2xxxx stuff.    OA is up; I looked at OA's log but it has nothing unusual in it.

     

    I then used shortcut: Start - Pgms - Emsisoft - EAM Guard to start a2guard - this seemed to work ok.

     

    I then looked at EAM's log - it shows a malware signature update had started 18 seconds before the error occurred - I presume the update is managed by a2service?   The update log has:

     

    General Information:

    Update started: 12/06/2013 09:52:00
    Update ended: 12/06/2013 09:54:32
    Time elapsed: 0:02:32

    Update successful

    Detailed Information:

    40 modules, 14187573 bytes

    Signatures\BD\emalware.015 (115052 bytes) - updated
    Signatures\BD\e_spyw.i18 (194005 bytes) - updated
    Signatures\BD\emalware.006 (145172 bytes) - updated
    Signatures\BD\e_spyw.i27 (341299 bytes) - updated
    Signatures\BD\emalware.007 (143651 bytes) - updated
    Signatures\BD\emalware.016 (112349 bytes) - updated
    Signatures\BD\e_spyw.i28 (312209 bytes) - updated
    Signatures\BD\e_spyw.i20 (141726 bytes) - updated
    Signatures\BD\emalware.017 (129058 bytes) - updated
    Signatures\BD\e_spyw.i01 (293293 bytes) - updated
    Signatures\BD\e_spyw.i02 (317022 bytes) - updated
    Signatures\BD\emalware.009 (131660 bytes) - updated
    Signatures\BD\emalware.008 (134404 bytes) - updated
    Signatures\BD\e_spyw.i21 (155498 bytes) - updated
    Signatures\BD\emalware.018 (183449 bytes) - updated
    Signatures\BD\e_spyw.i03 (288761 bytes) - updated
    Signatures\BD\emalware.019 (133809 bytes) - updated
    Signatures\BD\e_spyw.i22 (325526 bytes) - updated
    Signatures\BD\emalware.010 (139807 bytes) - updated
    Signatures\BD\emalware.020 (141328 bytes) - updated
    Signatures\BD\jay.cvd (88890 bytes) - updated
    Signatures\BD\emalware.012 (133703 bytes) - updated
    Signatures\BD\variant.c00 (139879 bytes) - updated
    Signatures\BD\e_spyw.i04 (272027 bytes) - updated
    Signatures\BD\emalware.011 (118707 bytes) - updated
    Signatures\BD\emalware.021 (116358 bytes) - updated
    Signatures\BD\e_spyw.i24 (343364 bytes) - updated
    Signatures\BD\e_spyw.i23 (293411 bytes) - updated
    Signatures\BD\emalware.022 (153404 bytes) - updated
    Signatures\BD\e_spyw.i05 (320184 bytes) - updated
    Signatures\BD\emalware.014 (137628 bytes) - updated
    Signatures\BD\emalware.023 (208648 bytes) - updated
    Signatures\BD\e_spyw.i06 (326840 bytes) - updated
    Signatures\BD\e_spyw.i26 (348054 bytes) - updated
    Signatures\BD\dalvik.cvd (124933 bytes) - updated
    Signatures\BD\emalware.013 (136392 bytes) - updated
    Signatures\BD\update.txt (348 bytes) - updated
    Signatures\BD\variant.c01 (5410643 bytes) - updated
    Signatures\20130612.sig (1588 bytes) - updated
    a2hosts.dat (1633494 bytes) - updated

    so maybe there's a timing issue if a2guard tries to start while malware sigs are being revised?
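The correlation done by hand in post 2 (Application Popup -> matching process-creation audit -> other processes started by the same creator PID in the same window) can be automated against an Event Viewer text export. This is an added example, not code from the post, Emsisoft or Online Armor; the records are a constructed subset of the ones quoted above, and the 5-second lookback window is an assumed default.

```python
import re
from datetime import datetime

# Constructed sample: three records trimmed from the event-log extracts quoted in
# post 2 above (a2guard.exe and oaui.exe started by PID 3400, then the error popup).
SAMPLE_LOG = r"""
Event ID:       592
Date:           12/06/2013
Time:           09:52:17
A new process has been created:
        New Process ID: 2836
        Image File Name:        C:\Program Files\Emsisoft Anti-Malware\a2guard.exe
        Creator Process ID:     3400

Event ID:       592
Date:           12/06/2013
Time:           09:52:17
A new process has been created:
        New Process ID: 2512
        Image File Name:        C:\Program Files\Online Armor\oaui.exe
        Creator Process ID:     3400

Event ID:       26
Date:           12/06/2013
Time:           09:52:18
Application popup: a2guard.exe - Application Error : The application failed to initialize properly (0xc0000142). Click on OK to terminate the application.
"""

POPUP_RE = re.compile(r"^(\S+\.exe) - Application Error : .*\((0x[0-9a-f]+)\)", re.I)

def parse_records(text):
    """One dict per blank-line-separated record, keyed by its 'Field: value' lines."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            m = re.match(r"\s*([^:]+?):\s*(.*)$", line)   # first colon splits key/value
            if m:
                rec[m.group(1).strip()] = m.group(2).strip()
        # the extracts use day/month/year dates (UK locale)
        rec["ts"] = datetime.strptime(rec["Date"] + " " + rec["Time"], "%d/%m/%Y %H:%M:%S")
        records.append(rec)
    return records

def explain_popups(records, window_s=5):
    """For each ID 26 popup naming a crashed exe, find its 592 creation audit within
    window_s seconds before it and the other images the same creator PID started."""
    creations = [r for r in records if r.get("Event ID") == "592"]
    out = []
    for r in records:
        m = POPUP_RE.match(r.get("Application popup", "")) if r.get("Event ID") == "26" else None
        if not m:
            continue
        exe, status = m.group(1).lower(), m.group(2).lower()
        near = [c for c in creations if 0 <= (r["ts"] - c["ts"]).total_seconds() <= window_s]
        hit = next((c for c in near if c["Image File Name"].lower().endswith("\\" + exe)), None)
        f = {"exe": exe, "status": status, "pid": None, "creator": None, "siblings": []}
        if hit is not None:   # no match means an audit gap or a start outside the window
            f.update(pid=hit["New Process ID"], creator=hit["Creator Process ID"],
                     siblings=sorted(c["Image File Name"].rsplit("\\", 1)[-1].lower() for c in near
                                     if c is not hit and c["Creator Process ID"] == hit["Creator Process ID"]))
        out.append(f)
    return out
```

Run over the sample it reports a2guard.exe (PID 2836, status 0xc0000142) created by PID 3400 with oaui.exe as a sibling started in the same second, which is the timing relationship the post points at.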

  3. Windows sends a signal...   do tasks which get this signal shut down in a random order, or do they do so within the hierarchy of dependencies that exists between system-started tasks/services?

     

    I wonder if in the dump you've got you can see whether the OA and EAM services have been told to shut down yet?


  4. Are any of the OA tasks waiting for something?   I don't know what normally happens in XP during a shutdown; do tasks like OA get stopped, or does XP just decide that enough of the core services have stopped or reached a certain state of quiescence, and go to the next stage of the shutdown?   I have noticed that explorer seems to have stopped ok, when I bring up task manager prior to telling XP to shut for the second time.  But I have no idea what should happen next.

     

    (I hate this; I used to work as an MVS systems programmer, and knew how to examine MVS standalone dumps to see why a system was stalled.  But I can't do it for XP.)


  5. All options grayed out?   You'd not said that before....   I'd thought that Start was grayed out only because the service was already running.    Looking at services on my XP system though, I see the same thing - everything is grayed out.   I wondered if that might be because the start-type is Automatic, so changed mine to start-type Manual... which worked, but Start/Stop etc remained grayed out.   The OA services also have everything grayed out here.

     

    As the service & EAM & OA are all running fine on my machine that suggests to me that the services are defined to the OS in a way that prevents them from being started/stopped easily, presumably to prevent users (or malware) from interfering with them. 


  6. Yes; it hardly helps to solve such a problem though.

     

    Yesterday I downloaded a tool - "NotMyFault.exe" - which allows one to provoke a BSOD, via a specially loaded driver named "myfault.sys", from

     

       http://technet.microsoft.com/en-gb/sysinternals/bb963901.aspx

     

    and I'd also made sure that XP on the machine I'm using most at the moment was configured to take full memory dumps.  As luck would have it the machine stalled on shutdown.  I waited maybe 45 seconds, then Ctrl-Alt-Del to start task manager, then maybe 30 seconds later used its File - Run option to run the NotMyFault.exe, with no parameters.  That gives one a small GUI allowing a choice of types of system crash - I chose the 'Breakpoint' one (which BSODs because it issues a breakpoint with no debugger attached) and the system duly BSODed.

     

    Remember that the stop code and reported problem in myfault.sys are because of the way I triggered the BSOD, not the cause of the underlying stalled shutdown...

     

    It took about 20 minutes to save physical memory.  I then rebooted.  I was a little surprised that OA reported a minidump as well, which I duly submitted to you - id 73812 - at about 4am.

     

    Then I moved the MEMORY.DMP file out of C:\WINDOWS and renamed it.   Using NirSoft's hashmyfiles I got hashes for that:

     

     Filename          : 20130526 0349 MEMORY.DMP
     MD5               : 14b933bcd48445d3b305ee545e36b165
     SHA1              : 63906e8e5ce162097236d01f89b3f467d8f379f8
     CRC32             : 39c947c3
     SHA-256           : ea99b74c97bc74393dd08b1c36110aede729bc29c46c8c47c2314dab084960ad
     SHA-512           : 0f1751ba7580b5a4eb28a04519b69990e50aa28145dfa12a17154ddfbe9a8f3ab0a06b28eaebc00e3d2a19b649b33ede6a559c2ba6dda37108d25c9b8dece74c
     SHA-384           : 0da44deca5b5c32050618bf7e67f26d1fd62ec8bbdc5bdc7da77ed634b7c406afc41b1121211bdf669a00ece3c2beb03
     Full Path         : C:\Documents and Settings\TheBoss\My Documents\Downloads\20130526 0349 MEMORY.DMP
     Modified Time     : 26/05/2013 03:49:56
     Created Time      : 17/03/2013 01:09:39
     File Size         : 2,137,407,488
     Extension         : DMP
     File Attributes   : A

    Then I used 7-zip to create a compressed copy of the dump.   Hashes for that are:

     Filename          : 20130526 0349 MEMORY.7z
     MD5               : 5db3ef7b7506272095f8f8bbeed3ac1d
     SHA1              : c8cba62b3f62698d689f10dca8a5e25cb757a893
     CRC32             : bc053b41
     SHA-256           : a512390b31624699aa0482c9a49e2f39aa1e972ad6fd0dfccbece9b48c3e5086
     SHA-512           : 1991fdf904fce3a6fa9708454ebc8d7f0a1a54d6384d0d1ce8593d1ff9fe78328ce25e8db9505cc4a28c5227ce2d702a9f879bc279d159488bd9c8cc76fe251c
     SHA-384           : 10a6394d16a77eb3e670f4075b80925791588c0979bd3b09d2b01a7219e984bfd557fef0748c83e96bf43096c57e6b26
     Full Path         : C:\Documents and Settings\TheBoss\My Documents\Downloads\20130526 0349 MEMORY.7z
     Modified Time     : 26/05/2013 05:07:52
     Created Time      : 26/05/2013 04:37:56
     File Size         : 795,261,198
     Extension         : 7z
     File Attributes   : A

     

    I've uploaded this dump to dropbox - I'll PM you (Arthur) with a URL for it.

     

    I have also run a chkdsk on the machine in question's hard disk, after all one can't be certain that after a forced BSOD it'd be ok.  No errors were reported, so I hope it is ok...

     

    I would be grateful if someone could look at the dump to see if there's any clue why shutdown seems stalled.


  7. More info: I've got CompleteMemoryDump set on the machine I'm using most at the moment, a netbook.  My older laptop (which is the machine which had the BSOD I reported at the start of this thread) has become flaky (it hangs quite often if not BSODing) and I'll set it there next time I have it on, if I can.  I might also force a BSOD next time it hangs, if it's responsive enough to let me do that.

     

    I also have a desktop machine with 3 GB RAM in it and I do not expect to be able to set it there.  It turns out that there are two problems; first, when XP generates a BSOD dump it does so in two stages - placing data in the page file, then at the next boot creating the C:\MEMORY.DMP file from the stored data.  In XP, the page file used for this HAS TO BE on the same disk partition as the OS.  However on this desktop machine the page file's in a partition by itself on a separate drive.   Though... according to

     

      http://support.microsoft.com/kb/314482/en-us

        - How to configure paging files for optimization and recovery in Windows XP

     

    the solution to this is to define several paging files.    The one on the system partition needs to be 1 MB greater in size than the machine's RAM, so that the dump task can write header info out before dumping storage.  Fortunately it seems that XP is intelligent enough (if there's more than one paging file defined) to use the one on the least-active partition to support virtual memory, and only use the one on the system partition for dumping.   So I'd try that, if it wasn't for the next problem...

     

    According to: http://support.microsoft.com/kb/307973  - which has lots of info about the registry entries that get set for various recovery options - "Complete Memory" dumps are not possible on 32-bit systems if the amount of RAM in use is 2 GB or more.  I'm reluctant to take RAM out of this machine, unless it starts BSODing so much that I can expect to recreate the problem easily.

     

    Having said that, the netbook is being used every day, so if there's an OA/EAM problem causing BSODs that's where it's most likely to show up.


  8. I do have SysInternals' ProcExp.exe here, and also their PSxxx utils, eg pslist.  I'll try and research what processes are still running when a shutdown hangs.   I'm not an expert in ProcExp's facilities but note that in theory it allows one to create a minidump or full dump of a specific process.  However when I tried that on oasrv.exe (while the system is running), I got an error message "Error writing dump file - handle invalid".   I'm guessing that there's code in OA to prevent users dumping it, presumably as that could help someone reverse engineer it, and OA's History shows various kernel events related to eg oasrv.exe and procexp.exe.

     

    When I've found that shutdowns don't hang with OA's debug mode on, I've had all the subsidiary options for what to trace set on.  I suppose it's possible that setting only a handful of them on might allow OA (if the problem really is in OA) to have the problem and yet capture some relevant info.  I'd need your suggestions on which options to set though.


  9. I have two XP Pro and one XP Home machine, all with the current (non-beta) versions of EAM and OA installed.  Ever since installing these apps I've noticed that the machines frequently don't shut down as cleanly as they used to do; when I do Start -> Turn Off Computer -> Turn Off, icons are removed from the desktop but instead of the desktop then progressing to the blue "Windows is shutting down" screen, I'm left staring at my desktop background.    The problem did not occur until I started using OA & EAM (previously I had ZoneAlarmPro and ESET NOD32).

     

    At first I tried just waiting, several hours, then with less patience maybe 10 minutes - but nothing happens.  Nowadays I wait about a minute, then Ctrl-Alt-Delete to get a task manager display, then use its ShutDown menu to re-select TurnOff and the machine(s) then shut down immediately.

     

    I have got into the habit of closing apps that previously I left running when I shut the machine down - eg my backup utility (which is never doing anything at the time - I make sure that if there's a backup about to start that it runs first), the Dropbox client, and pausing Scheduled Tasks (and waiting until whatever tasks were running have ended).  (I run lots of Scheduled tasks but all of them are simple scripts written in ooRexx and just terminating their processes - which is what I imagine XP does during shutdown - will not cause any problems).  However making sure that these apps are shut has not helped.

     

    I've tried several times over the last few weeks to get to the bottom of this, on more than one machine. The only clue I have is that when OA's Debug is on, the problem seems not to happen, which is irritating.  There are no clues in the OA history, nor in XP's Event logs.

     

    It's not happening absolutely every time I shut the machine(s) down, but happens more often than not - maybe 90% of the time.

     

    Any ideas?

  10. That's odd; although I recall seeing a popup telling me that OA was allowing access to your servers to send the file, I don't recall seeing a submit-id, which I would certainly have saved if I had seen it.  Is it something that would have been displayed until I dismissed/acknowledged it, or is there some way I could have missed it?   I also think the entry became unticked (and greyed?) in the list of dumps (there was only one) in the dump reporting dialogue.   I also don't see any way that I can reopen that dialog, which is perhaps a bad thing.

     

    I'll send the dump to you in a PM.