JeremyNicoll

a2guard.exe - Application Error - 0xc0000142


Win XP SP3 on a Dell 650 workstation...   EAM 7.0.0.25    OA 6.0.0.1736

 

I'd just booted one of my machines, and had logged-in to Windows, but was elsewhere in the room ...  I saw a message box out of the corner of my eye and went back to the machine to see it say:

 

   a2guard.exe - Application Error

   The application failed to initialize properly (0xc0000142).  Click on OK to terminate the application. 

 

 

I didn't immediately reply to this - used another machine to google the error code - maybe a problem with DLL initialisation - nothing definite though.  I then came back to the machine with the error and examined event logs.    First the time of this error is shown:

 

Event Type:     Information
Event Source:   Application Popup
Event Category: None
Event ID:       26
Date:           12/06/2013
Time:           09:52:18
User:           N/A
Computer:       DELL-650
Description:
Application popup: a2guard.exe - Application Error : The application failed to initialize properly (0xc0000142). Click on OK to terminate the application.

 

 

 

 

a2guard had tried to start just before that:

 

Event Type:     Success Audit
Event Source:   Security
Event Category: Detailed Tracking
Event ID:       592
Date:           12/06/2013
Time:           09:52:17
User:           DELL-650\Administrator
Computer:       DELL-650
Description:
A new process has been created:
        New Process ID: 2836
        Image File Name:        C:\Program Files\Emsisoft Anti-Malware\a2guard.exe
        Creator Process ID:     3400
        User Name:      Administrator
        Domain:         DELL-650
        Logon ID:               (0x0,0x228A7)

 

 

 

And, some part of OA was just starting

 

Event Type:     Success Audit
Event Source:   Security
Event Category: Detailed Tracking
Event ID:       592
Date:           12/06/2013
Time:           09:52:17
User:           DELL-650\Administrator
Computer:       DELL-650
Description:
A new process has been created:
        New Process ID: 2512
        Image File Name:        C:\Program Files\Online Armor\oaui.exe
        Creator Process ID:     3400
        User Name:      Administrator
        Domain:         DELL-650
        Logon ID:               (0x0,0x228A7) 

 

 

 

I had logged in (as Administrator) about 24 seconds earlier:

 

Event Type:     Success Audit
Event Source:   Security
Event Category: Logon/Logoff
Event ID:       528
Date:           12/06/2013
Time:           09:51:53
User:           DELL-650\Administrator
Computer:       DELL-650
Description:
Successful Logon:
        User Name:      Administrator
        Domain:         DELL-650
        Logon ID:               (0x0,0x228A7)
        Logon Type:     2
        Logon Process:  User32
        Authentication Package: Negotiate
        Workstation Name:       DELL-650
        Logon GUID:     - 

 

 

 

Just after the time of the error I see one of my normal boot-time startups starting:

 

Event Type:     Success Audit
Event Source:   Security
Event Category: Detailed Tracking
Event ID:       592
Date:           12/06/2013
Time:           09:52:19
User:           DELL-650\Administrator
Computer:       DELL-650
Description:
A new process has been created:
        New Process ID: 3012
        Image File Name:        C:\Program Files\~N-folder\Netmeter\NetMeter.exe
        Creator Process ID:     3400
        User Name:      Administrator
        Domain:         DELL-650
        Logon ID:               (0x0,0x228A7) 

 

 

- that's started by a registry entry in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run   - so it's all happening just after login, in the normal way.

 

 

About 30 mins later, having collected this info, I clicked OK in the error's message box. Task manager showed a2service running, but no other a2xxxx stuff. OA is up; I looked at OA's log but it has nothing unusual in it.

 

I then used shortcut: Start - Pgms - Emsisoft - EAM Guard       to start a2guard - this seemed to work ok.

 

I then looked at EAM's log - it shows a malware signature update had started 18 seconds before the error occurred - I presume the update is managed by a2service?   The update log has:

 

General Information:

Update started: 12/06/2013 09:52:00
Update ended: 12/06/2013 09:54:32
Time elapsed: 0:02:32

Update successful

Detailed Information:

40 modules, 14187573 bytes

Signatures\BD\emalware.015 (115052 bytes) - updated
Signatures\BD\e_spyw.i18 (194005 bytes) - updated
Signatures\BD\emalware.006 (145172 bytes) - updated
Signatures\BD\e_spyw.i27 (341299 bytes) - updated
Signatures\BD\emalware.007 (143651 bytes) - updated
Signatures\BD\emalware.016 (112349 bytes) - updated
Signatures\BD\e_spyw.i28 (312209 bytes) - updated
Signatures\BD\e_spyw.i20 (141726 bytes) - updated
Signatures\BD\emalware.017 (129058 bytes) - updated
Signatures\BD\e_spyw.i01 (293293 bytes) - updated
Signatures\BD\e_spyw.i02 (317022 bytes) - updated
Signatures\BD\emalware.009 (131660 bytes) - updated
Signatures\BD\emalware.008 (134404 bytes) - updated
Signatures\BD\e_spyw.i21 (155498 bytes) - updated
Signatures\BD\emalware.018 (183449 bytes) - updated
Signatures\BD\e_spyw.i03 (288761 bytes) - updated
Signatures\BD\emalware.019 (133809 bytes) - updated
Signatures\BD\e_spyw.i22 (325526 bytes) - updated
Signatures\BD\emalware.010 (139807 bytes) - updated
Signatures\BD\emalware.020 (141328 bytes) - updated
Signatures\BD\jay.cvd (88890 bytes) - updated
Signatures\BD\emalware.012 (133703 bytes) - updated
Signatures\BD\variant.c00 (139879 bytes) - updated
Signatures\BD\e_spyw.i04 (272027 bytes) - updated
Signatures\BD\emalware.011 (118707 bytes) - updated
Signatures\BD\emalware.021 (116358 bytes) - updated
Signatures\BD\e_spyw.i24 (343364 bytes) - updated
Signatures\BD\e_spyw.i23 (293411 bytes) - updated
Signatures\BD\emalware.022 (153404 bytes) - updated
Signatures\BD\e_spyw.i05 (320184 bytes) - updated
Signatures\BD\emalware.014 (137628 bytes) - updated
Signatures\BD\emalware.023 (208648 bytes) - updated
Signatures\BD\e_spyw.i06 (326840 bytes) - updated
Signatures\BD\e_spyw.i26 (348054 bytes) - updated
Signatures\BD\dalvik.cvd (124933 bytes) - updated
Signatures\BD\emalware.013 (136392 bytes) - updated
Signatures\BD\update.txt (348 bytes) - updated
Signatures\BD\variant.c01 (5410643 bytes) - updated
Signatures\20130612.sig (1588 bytes) - updated
a2hosts.dat (1633494 bytes) - updated
                                     

 

so maybe there's a timing issue if a2guard tries to start while malware sigs are being revised?
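Added example, not part of the original post and not Emsisoft or Microsoft code: the by-hand correlation above (popup, process start, logon, update window) as a small script over the same text event records. The names `parse_events` and `explain_popup` are hypothetical, the sample is constructed from the records quoted in the post, and `STATUS_DLL_INIT_FAILED` is the standard NTSTATUS name for 0xC0000142.

```python
import re
from datetime import datetime

FMT = "%d/%m/%Y %H:%M:%S"  # day/month order, as in the post (12 June 2013)
NTSTATUS = {0xC0000142: "STATUS_DLL_INIT_FAILED"}  # code shown in the popup
# Constructed sample: the post's event records, trimmed to the fields used below.
SAMPLE = r"""
Event ID:       528
Date:           12/06/2013
Time:           09:51:53
        Logon ID:               (0x0,0x228A7)

Event ID:       592
Date:           12/06/2013
Time:           09:52:17
        Image File Name:        C:\Program Files\Emsisoft Anti-Malware\a2guard.exe
        Logon ID:               (0x0,0x228A7)

Event ID:       26
Date:           12/06/2013
Time:           09:52:18
Application popup: a2guard.exe - Application Error : The application failed to initialize properly (0xc0000142).
"""

def parse_events(text):
    """Split blank-line-separated records into field dicts plus a 'when' datetime."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = dict(re.findall(r"^[ \t]*([^:\n]+):[ \t]*(.*\S)", block, re.M), raw=block)
        rec["when"] = datetime.strptime(rec["Date"] + " " + rec["Time"], FMT)
        events.append(rec)
    return events

def explain_popup(events, update_start, update_end):
    """Tie the Event ID 26 popup to its process start, its logon and the update window."""
    by_id = lambda n: [e for e in events if e["Event ID"] == n]
    popup = by_id("26")[0]
    image, code = re.search(r"popup: (\S+) - .*?\((0x[0-9a-fA-F]+)\)", popup["raw"]).groups()
    starts = [e for e in by_id("592") if e["when"] <= popup["when"]
              and e["Image File Name"].lower().endswith("\\" + image.lower())]
    start = max(starts, key=lambda e: e["when"])  # latest start before the popup
    logon = next(e for e in by_id("528") if e["Logon ID"] == start["Logon ID"])
    return {"image": image, "status": NTSTATUS.get(int(code, 16), code),
            "secs_logon_to_start": (start["when"] - logon["when"]).total_seconds(),
            "secs_start_to_popup": (popup["when"] - start["when"]).total_seconds(),
            "during_update": update_start <= popup["when"] <= update_end}

# Update window taken from the EAM update log quoted in the post.
UPDATE = [datetime.strptime(s, FMT) for s in ("12/06/2013 09:52:00", "12/06/2013 09:54:32")]
print(explain_popup(parse_events(SAMPLE), *UPDATE))
```

`during_update` only records that the popup fell inside the update window; it shows overlap in time, not cause.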

 

 

 

 

 

 

 

 

 

 

 

         

 


According to Microsoft, Event ID 26 happens when "you log off from a server that has Terminal Server enabled in Windows Server 2003 SP1", but I don't think that has anything to do with this. EventID.net does not appear to have information on that exact error message for that Event ID and Source.

As for Event ID 592 with the Source 'security', EventID.net says that this is just telling you that a process by the name a2guard.exe has been created, and these entries are only logged when the "Audit process tracking" audit policy is set to audit the creation of new processes. So, basically, this is just an informational report and not an error report.

Event ID 528 / Source Security is just logging a successful logon, according to EventID.net.

The only one you have to worry about is the first one, and I'd only worry about it if it was reproducible (if it isn't reproducible then we can't really debug it). It could have just been an odd fluke of some sort, since I am not aware of errors during updates that happen during startup. One thing you may want to do is check the Include subfolders box for the EAM exclusion in Online Armor. Since the database is stored in a subfolder, that could have had something to do with it. ;)


I think you've misunderstood the description of an event id 26.  It's just a generic error message container - see:

 

 http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows%20Operating%20System&ProdVer=5.2&EvtID=26&EvtSrc=Application%20Popup&LCID=1033

 

though that page does say this is a driver loading error.

 

The page you found is one about a specific problem with Terminal Server, which gets reported using the generic message event.

 

I'm well aware that the process creation & logon events are for info; I turned these audit records on because it makes lots of problem diagnosis much easier if one can see all the PIDs etc of processes starting and stopping.  I included the contents of these event records not because I thought they were errors, but because they give an insight into what the OS was doing just before and just after the EAM problem occurred.

 

 

You say: "One thing you may want to do is check the Include subfolders box for the EAM exclusion in Online Armor." In my notes about precisely how I've set up File Guard's whitelist and OA's exclusions on each of my machines I had noted that I'd not ticked subfolders here because, although as you say subfolders do exist, none of them contain anything that I'd class as an executable; I don't think I'd expect OA to take much interest in mere data. I've altered the setting though and I'll see if the problem recurs.


Oops, had a problem uploading some files ... trying again

Hi Jeremy,

Your log looks normal. The error you get is usually associated with missing DLLs or DLLs that aren't able to initialize properly. Are you able to reproduce this issue otherwise? I restarted one of my test systems over 200 times using the same configuration you are using but so far no luck.
