JeremyNicoll

Machine intermittently stalls during boot - EAM guards implicated - v7 and v8


Win XP Pro SP3, up-to-date fixes. Intel Xeon, 2 CPUs, hyperthreading.

 

I first noticed this problem 2-3 weeks ago, and it occurs on maybe 2/3 boots of this machine.  Having v8 installed has made no difference.

 

The symptom is that after I log in to the Windows desktop, I see the usual startup apps (like Dropbox) start, plus Task Manager (which happens because of a user Startup folder shortcut). Some of the other startup actions are to display various 'ToDo' lists onscreen, using my text editor, and to start the Network Connections control panel applet. I see from TM that e.g. Keditw32.exe is running, but it is consuming no CPU and no dialog panels arrive on screen. CP's NC display does not open.

 

Meantime, a2service.exe is 25% CPU busy (i.e. one core) and it stays like that for many minutes with nothing else happening. I have found that sometimes ending explorer.exe in TM and restarting it fixes the problem, but more often - and less disruptively - I have found that using EAM's systray menu to disable all guards, and enabling them again a couple of seconds later, brings the whole machine back to life. As soon as this is done a2service.exe's CPU usage drops to 0% or near there.

 

While these foreground activities fail to run, background stuff, e.g. Dropbox's indexing activities or the ooRexx execs I run under Scheduled Tasks, all start and run OK.

 

For a while I've had the impression that the precise timing of EAM gathering new malware sigs might be implicated in this and other slow boots.

 

On 22 June I gathered as much info as I could.  I have an ooRexx exec that runs as soon as user login has happened (triggered from startup folder) and it recorded:

 

20130622 07:17:49.109000 Executing: Actions_triggered_from_user's_Startup-Folder.rexh                                  
20130622 07:17:49.109000   pid=3564 prio=NORMAL Create: 2013/06/22 7:17:47:218  Kernel: 0:00:00:265  User: 0:00:00:093
20130622 07:17:49.109000   tid=3576 prio=NORMAL Create: 2013/06/22 7:17:47:265  Kernel: 0:00:00:281  User: 0:00:00:078
20130622 07:17:49.109000                                                                                               
20130622 07:17:49.109000 ending; began: 20130622 07:17:49.000000, logstart: 20130622 07:17:49.109000.                  
20130622 07:17:49.109000 .                                                                                             
 

 

Meanwhile EAM's update log contained:

 

Update Started    Update Ended    Result    Type
22/06/2013 01:48:19    22/06/2013 01:48:43    Update successful    Automatic update
22/06/2013 00:53:19    22/06/2013 00:54:09    Update successful    Automatic update
21/06/2013 23:58:19    21/06/2013 23:58:46    Update successful    Automatic update
21/06/2013 23:03:20    21/06/2013 23:03:51    Update successful    Automatic update
21/06/2013 22:08:20    21/06/2013 22:08:50    Update successful    Automatic update
21/06/2013 21:13:20    21/06/2013 21:13:49    Update successful    Automatic update
21/06/2013 20:18:21    21/06/2013 20:18:53    Update successful    Automatic update
...

which appears to show that no update has occurred as the machine started - quite unusual.  But the tooltip text on the EAM systray icon said that the last update had occurred at "22/06/13 7:18"   - I wonder why the update log didn't show that?

 

This was with eam 7.0.0.25
   emsisoft engine 3.0.0.581
   bitdefender 11.0.1.6  

 

Now the EAM log showed:

 

Emsisoft Anti-Malware - Version 7.0
IDS log

Date    PID    Source    Event    Behavior/Infection
22/06/2013 07:37:00    3580    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware
22/06/2013 07:37:00    2404    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware
22/06/2013 07:37:00    3580    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.NewProcess
22/06/2013 07:37:00    2404    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.NewProcess
22/06/2013 07:36:01    948    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware
22/06/2013 07:36:01    3364    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware
22/06/2013 07:36:00    3364    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.NewProcess
22/06/2013 07:36:00    948    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.NewProcess
22/06/2013 07:35:00    3112    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware
22/06/2013 07:35:00    2760    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware
22/06/2013 07:35:00    3112    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.NewProcess
22/06/2013 07:35:00    2760    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.NewProcess
22/06/2013 07:34:05    2692    C:\Program Files\~L-folder\Lutus,Paul\AboutTime\AboutTime.exe    Allowed by rule    Behavior.Spyware
22/06/2013 07:34:00    1256    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware
22/06/2013 07:34:00    2772    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware
22/06/2013 07:34:00    1256    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.NewProcess
22/06/2013 07:34:00    2772    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.NewProcess
22/06/2013 07:24:01    1332    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware
22/06/2013 07:24:00    2224    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware
22/06/2013 07:24:00    1332    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.NewProcess
22/06/2013 07:24:00    2224    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.NewProcess
22/06/2013 07:23:01    808    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware
22/06/2013 07:23:00    3428    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware
22/06/2013 07:23:00    808    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.NewProcess
22/06/2013 07:23:00    3428    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.NewProcess
22/06/2013 07:22:01    3800    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware
22/06/2013 07:22:01    112    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware
22/06/2013 07:22:00    112    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.NewProcess
22/06/2013 07:22:00    3800    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.NewProcess
22/06/2013 07:21:01    1412    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware
22/06/2013 07:21:01    3516    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware
22/06/2013 07:21:00    1412    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.NewProcess
22/06/2013 07:21:00    3516    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.NewProcess
22/06/2013 07:20:01    2204    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware
22/06/2013 07:20:01    2148    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware
22/06/2013 07:20:00    2204    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.NewProcess
22/06/2013 07:20:00    2148    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.NewProcess
22/06/2013 07:18:19    1664    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware
22/06/2013 07:18:18    276    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware
22/06/2013 07:18:17    1368    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware
22/06/2013 07:18:17    1664    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.NewProcess
22/06/2013 07:18:00    276    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.NewProcess
22/06/2013 07:18:00    1368    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.NewProcess
22/06/2013 07:17:48    3564    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware
22/06/2013 07:17:47    3564    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.NewProcess
22/06/2013 01:53:00    1744    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware
22/06/2013 01:53:00    2152    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware
22/06/2013 01:53:00    1744    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.NewProcess
22/06/2013 01:53:00    2152    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.NewProcess
22/06/2013 01:52:00    3776    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware
22/06/2013 01:52:00    1984    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware
22/06/2013 01:52:00    3776    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.NewProcess
22/06/2013 01:52:00    1984    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.NewProcess
22/06/2013 01:51:00    3896    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware
22/06/2013 01:51:00    3548    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware
22/06/2013 01:51:00    3896    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.NewProcess
22/06/2013 01:51:00    3548    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.NewProcess
22/06/2013 01:50:00    3124    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware
22/06/2013 01:50:00    2652    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware  

 

and you can see that nothing happened between 0724 and 0734 - when boot was stalled.  Incidentally I think it would be useful if there were entries written to the log when one intentionally disables/enables guards - which happened at 0734 to make the machine do something.

 

OA's log:

 

OA log
Type,Date/Time,Action,Description,Misc
Screen logger detected: rexxhide.exe,22/06/2013 07:33:00,Allowed,C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe
Program Guard: kernel event,22/06/2013 07:33:00,None,"OADriver: SendMessage, 2564 -> 436, Msg: 49420/c10c - Deny (watched)",2564 - rexxhide.exe 436 - csrss.exe
Program Guard: kernel event,22/06/2013 07:24:56,None,"OADriver: OpenProcess, 2308 -> 2744 - Deny (protected)",2308 - rundll32.exe 2744 - oaui.exe
Program Guard: kernel event,22/06/2013 07:24:56,None,"OADriver: CreateKey, PID: 2308, Act:  1, Idn: 0, Mask: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum - Deny (rule)",2308 - rundll32.exe
Program Guard: kernel event,22/06/2013 07:24:56,None,"OADriver: CreateKey, PID: 2308, Act:  1, Idn: 0, Mask: \REGISTRY\USER\S-1-5-21-507921405-838170752-682003330-500\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum - Deny (rule)",2308 - rundll32.exe
Program Guard: kernel event,22/06/2013 07:17:45,None,"OADriver: OpenProcess, 2308 -> 2744 - Deny (protected)",2308 - rundll32.exe 2744 - oaui.exe
Screen logger detected: nview.dll,22/06/2013 07:17:43,Allowed,C:\WINDOWS\system32\nview.dll
Program Guard: kernel event,22/06/2013 07:17:43,None,"OADriver: SendMessage, 2308 -> 436, Msg: 49420/c10c - Deny (watched)",2308 - rundll32.exe 436 - csrss.exe
Service started,22/06/2013 07:16:54,None,C:\Program Files\Online Armor\oasrv.exe
System boot,22/06/2013 07:16:54,None,System boot at: 22/06/2013 07:16:07
System shutdown,22/06/2013 01:53:32,None,System shutdown at: 22/06/2013 01:53:32

 

 

There was nothing in the Event Logs for Application or System, but the Security log shows regularly scheduled rexx execs starting and ending every minute during the stalled period, then at 07:32:13:

Event Type:     Success Audit
Event Source:   Security
Event Category: Detailed Tracking
Event ID:       593
Date:           22/06/2013
Time:           07:32:13
User:           NT AUTHORITY\SYSTEM
Computer:       DELL-650
Description:
A process has exited:
        Process ID:     1252
        Image File Name:        C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
        User Name:      DELL-650$
        Domain:         NET14MA
        Logon ID:               (0x0,0x3E7)  

 

(I don't know what that was, or if it was relevant.)

 

 

 

I also noticed the Security event log had quite a lot of events saying the Windows Firewall had noticed something or other - why's it in use when OA is up? e.g.

Event Type:     Failure Audit
Event Source:   Security
Event Category: Detailed Tracking
Event ID:       861
Date:           22/06/2013
Time:           07:44:12
User:           NT AUTHORITY\NETWORK SERVICE
Computer:       DELL-650
Description:
The Windows Firewall has detected an application listening for incoming traffic.

Name: -
Path: C:\WINDOWS\system32\svchost.exe
Process identifier: 1076
User account: NETWORK SERVICE
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 52087
Allowed: No
User notified: No  

 

 

None of that gave me any obvious clues.

 

 

Today when I had the system stall during boot, I tried bouncing explorer.exe again (just for a change) and that made no difference. As usual, disabling guards did bring the machine to life. I did notice that as well as a2service.exe being its usual 25% CPU busy, there was another .exe, SMSvcHost.exe, also 20-25% busy; I don't know what that is...

 

I decided to try to collect some trace info. I've already got DebugView, so I defined it in EAM's process whitelist. I set the registry key that enables trace output. Because this is a boot-time problem I started DbgView and set its Capture - Log Boot option so any output during boot would be buffered.

 

The first time I rebooted after this, the boot did stall and disabling guards did wake it up. But DbgView froze when I started it.

 

The second time I rebooted, there was no stall, guards were still off, a2service.exe cpu use was low.  I enabled guards, reset the 'capture boot log' option and rebooted.

 

On this third boot, there was no stall.

 

I reset things and rebooted, and again - no stall.

 

Each shutdown/reboot cycle takes me about 15 mins, especially if I'm making notes.  I can't predict when there's going to be a stall and when there won't be, and I've not been able to get DebugView buffered output in any stall situation (though I have seen it for boots that have had no problem). 

 

I've spent enough time on this today - have to do something else now - do you have any suggestions for how I might find out why a2service.exe sometimes goes mad as I boot?
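A timeline-gap check over the two logs quoted in the post above, added here as an example; it is not part of the original post and not Emsisoft's or Online Armor's code. It parses the IDS log's tab-separated export and OA's CSV export (field layouts taken from the lines above), uses OA's "System shutdown" / "System boot" records so that the overnight power-off is not reported as a stall, and then lists every silent interval longer than a threshold, for the IDS log alone and for both logs merged. The sample lines are a constructed subset of the logs in the post; the two-minute threshold (two periods of the once-a-minute scheduled rexx job) and the path constants are assumptions.

```python
import csv
from datetime import datetime, timedelta

TS_FMT = "%d/%m/%Y %H:%M:%S"          # both logs stamp day/month/year

# Constructed subset of the EAM IDS log quoted in the post (tab-separated, newest first).
REXXHIDE = r"C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe"
ABOUTTIME = r"C:\Program Files\~L-folder\Lutus,Paul\AboutTime\AboutTime.exe"
IDS_LOG = "\n".join("\t".join(row) for row in [
    ("Date", "PID", "Source", "Event", "Behavior/Infection"),
    ("22/06/2013 07:34:05", "2692", ABOUTTIME, "Allowed by rule", "Behavior.Spyware"),
    ("22/06/2013 07:34:00", "1256", REXXHIDE, "Allowed by rule", "Behavior.NewProcess"),
    ("22/06/2013 07:24:01", "1332", REXXHIDE, "Allowed by rule", "Behavior.Spyware"),
    ("22/06/2013 07:24:00", "2224", REXXHIDE, "Allowed by rule", "Behavior.NewProcess"),
    ("22/06/2013 07:23:00", "3428", REXXHIDE, "Allowed by rule", "Behavior.NewProcess"),
    ("22/06/2013 07:22:00", "3800", REXXHIDE, "Allowed by rule", "Behavior.NewProcess"),
    ("22/06/2013 07:21:00", "1412", REXXHIDE, "Allowed by rule", "Behavior.NewProcess"),
    ("22/06/2013 07:20:00", "2204", REXXHIDE, "Allowed by rule", "Behavior.NewProcess"),
    ("22/06/2013 07:18:17", "1368", REXXHIDE, "Allowed by rule", "Behavior.Spyware"),
    ("22/06/2013 07:17:47", "3564", REXXHIDE, "Allowed by rule", "Behavior.NewProcess"),
    ("22/06/2013 01:53:00", "1744", REXXHIDE, "Allowed by rule", "Behavior.Spyware"),
])

# Constructed subset of the OA log quoted in the post (CSV; Description is quoted when it has commas).
OA_LOG = r"""
Type,Date/Time,Action,Description,Misc
Screen logger detected: rexxhide.exe,22/06/2013 07:33:00,Allowed,C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe
Program Guard: kernel event,22/06/2013 07:24:56,None,"OADriver: OpenProcess, 2308 -> 2744 - Deny (protected)",2308 - rundll32.exe 2744 - oaui.exe
Program Guard: kernel event,22/06/2013 07:17:43,None,"OADriver: SendMessage, 2308 -> 436, Msg: 49420/c10c - Deny (watched)",2308 - rundll32.exe 436 - csrss.exe
Service started,22/06/2013 07:16:54,None,C:\Program Files\Online Armor\oasrv.exe
System boot,22/06/2013 07:16:54,None,System boot at: 22/06/2013 07:16:07
System shutdown,22/06/2013 01:53:32,None,System shutdown at: 22/06/2013 01:53:32
""".strip("\n")


def parse_ids_log(text):
    """Yield (timestamp, pid, image, event, behaviour) from EAM's IDS log export."""
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 5 or fields[0] == "Date":
            continue                      # header, blank or truncated line
        yield datetime.strptime(fields[0], TS_FMT), int(fields[1]), fields[2], fields[3], fields[4]


def parse_oa_log(text):
    """Yield (timestamp, type, action, description) from Online Armor's CSV log."""
    for row in csv.reader(text.splitlines()):
        if len(row) < 4 or row[0] == "Type":
            continue
        yield datetime.strptime(row[1], TS_FMT), row[0], row[2], row[3]


def session_boundaries(oa_events):
    """Shutdown/boot instants: a gap spanning one of these is downtime, not a stall."""
    marks = set()
    for ts, kind, _action, desc in oa_events:
        if kind in ("System boot", "System shutdown"):
            marks.add(ts)
            if " at: " in desc:           # "System boot at: ..." predates the record's own stamp
                marks.add(datetime.strptime(desc.split(" at: ", 1)[1], TS_FMT))
    return sorted(marks)


def find_gaps(timestamps, boundaries, threshold):
    """(start, end, seconds) for every silent interval >= threshold inside one
    power-on session, longest first."""
    stamps = sorted(set(timestamps))
    gaps = []
    for a, b in zip(stamps, stamps[1:]):
        if b - a < threshold or any(a < m <= b for m in boundaries):
            continue
        gaps.append((a, b, int((b - a).total_seconds())))
    return sorted(gaps, key=lambda g: g[2], reverse=True)


def stall_windows(ids_text, oa_text, threshold=timedelta(minutes=2)):
    """Silent windows in the IDS log alone and in both logs merged (assumed
    2-minute threshold: two periods of the once-a-minute scheduled rexx job)."""
    ids = [e[0] for e in parse_ids_log(ids_text)]
    oa = list(parse_oa_log(oa_text))
    bounds = session_boundaries(oa)
    return {"ids_only": find_gaps(ids, bounds, threshold),
            "merged": find_gaps(ids + [e[0] for e in oa], bounds, threshold)}


if __name__ == "__main__":
    for name, gaps in stall_windows(IDS_LOG, OA_LOG).items():
        print(name)
        for start, end, secs in gaps:
            print(f"  silent {secs:4d}s  {start:%H:%M:%S} -> {end:%H:%M:%S}")
```

Run on the constructed subset, the IDS log alone shows the 07:24:01 to 07:34:00 silence the post describes; merging in OA's records narrows it to 07:24:56 to 07:33:00, because OA logged a kernel event inside the window that EAM did not. Feed the real exports in and the same two functions give the stall window for any boot without reading the logs by eye.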

Usually this behavior indicates that one of your applications is triggering a huge number of behavior blocker events. The fact that it only happens sometimes would indicate that you already have that application on your exclusion list, most likely because it caused issues before. Exclusions are only applied after EAM has finished initialization and take effect at the start of the excluded process. So if the excluded process starts before EAM has finished initialization, it will not be excluded, triggering the huge slowdown due to the excessive number of behavior blocker events it produces.

This also explains why you can't reproduce it reliably: whether or not it happens depends on whether or not the process starts up before EAM has finished its initialization, which introduces a certain randomness. Personally I would suggest taking a close look at the applications you have excluded and looking for anything that you have configured to start automatically.


Thanks for such a quick reply.

 

In EAM's whitelist I only have 6 entries, four being the recommended parts of OA.  The 5th entry, only added today, is for DbgView.exe.  The remaining one is C:\windows\system32\nvsvc32.exe  - which is something to do with nVidia. 

 

I've a three monitor system driven by a pair of nVidia graphics cards (one card can drive a pair of very high-res screens, but I use it just to drive one central 24" screen).  The other card can drive up to 4 lower-res screens and is driving a pair of 19" screens.  When I installed their drivers there were some screen-control things that came too.  I really don't know which of the nv-prefix things are essentials.  Certainly nvsvc32.exe is listed under task manager.  The central screen can pivot from landscape to portrait mode, and the nvidia drivers can rotate the images on each screen separately. 

 

There are other nv-prefixed files. OA lists several, all 'trusted':

C:\WINDOWS\system32\NvCpl.dll          - NVIDIA Display Properties Extension, 6.14.10.9136, (6.14.10.9136)
C:\WINDOWS\system32\nview.dll
C:\WINDOWS\system32\NvMcTray.dll    - NVIDIA Media Center Library, 6.14.10.9136, (6.14.10.9136)
C:\WINDOWS\system32\nvsvc32.exe    - NVIDIA Driver Helper Service
C:\WINDOWS\system32\nvwdmcpl.dll
C:\WINDOWS\system32\nwiz.exe

 

In msconfig's "Services" tab, there's a mention of NVIDIA DISPLAY DRIVER SERVICE, which is the nvsvc32.exe  according to CP - Admin Tools - Services.

 

In msconfig's startup list there are several nvidia entries - NvCpl, nwiz, nvmctray

 

 

I have two other XP machines, though only one of them is at this house and is being used often.  It has the same mix of applications on it (and nearly the same OA exclusions and EAM whitelist) , but none of the nvidia stuff.  It doesn't stall at logon.    The machine that does stall also has a shutdown problem, and often I get Windows' warnings for things that are refusing to close in the expected time span - and these seem to be for some kind of nvidia application - "TwinView Window" - which I guess is an invisible window that is representing an app intercepting keyboard shortcuts etc.  I did search nvidia forums a week or two ago and found a lot of people have had this closedown issue, but no sign that nvidia had taken any interest let alone fixed it.

 

It doesn't seem to me that I can stop essential nvidia drivers etc. from being present as I boot. The issue must therefore be whether any of the Startup actions are unnecessary. I googled; there seems to be some doubt about what nvsvc32.exe actually does. After you discount the rumours of it being malware, and people (who don't have nvidia gfx cards) discovering they can get rid of it, I did find some reports that it really isn't needed for day-to-day use of nvidia cards. I've seen one suggestion that it's mainly used to help Windows install new gfx drivers, and another suggestion that it may actually be the cause of my TwinView shutdown issues. So for now I've stopped it in CP - Admin Tools - Services, and changed it from Automatic to Manual. I've also unticked it in the msconfig - Services tab. Assuming that my machine still works, I'll update this thread in a few days with progress info.

 

Thanks for your help.

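The check Fabian's reply asks for, cross-referencing the exclusion list against everything that starts automatically, written out as an added example; it is not code from either poster or from Emsisoft or Online Armor. Given autostart entries (Run keys, services, Startup folder shortcuts) and a process exclusion list, it normalises each command line to an image path, reports which autostarts are excluded (those are the candidates for the start-before-initialisation race described above), and separately flags rundll32-hosted startups such as the NvCpl and NvMcTray items listed in the reply, on the assumption that a path exclusion matches the process image rather than the DLL it loads. The autostart command lines, the service name NVSvc, the DebugView path and the environment variable values are constructed for the example, not copied from the machine; only the programs they name come from the thread. collect_run_keys() reads the real Run keys but needs Windows.

```python
import ntpath
import re

# Assumed values for expanding %SystemRoot%-style ImagePath entries offline.
ENV = {"SYSTEMROOT": r"C:\WINDOWS", "WINDIR": r"C:\WINDOWS", "PROGRAMFILES": r"C:\Program Files"}


def expand(path):
    return re.sub(r"%(\w+)%", lambda m: ENV.get(m.group(1).upper(), m.group(0)), path)


def canon(path):
    """Case-folded, separator-normalised form used for every comparison."""
    return ntpath.normcase(ntpath.normpath(expand(path)))


def split_command(cmdline):
    """(image, arguments) for a Run-key style command line: a quoted image ends at
    the closing quote, an unquoted one at the first space (as CreateProcess does)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        if end == -1:
            return cmdline[1:], ""
        return cmdline[1:end], cmdline[end + 1:].strip()
    parts = cmdline.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def hosted_module(image, args):
    """For rundll32.exe the code that runs lives in the DLL named first in the
    arguments ("C:\\...\\NvCpl.dll,NvStartup"); other images host nothing."""
    if ntpath.basename(image).lower() != "rundll32.exe" or not args:
        return None
    dll, _entry = split_command(args)          # same quoting rules as the image
    return dll.split(",", 1)[0]


# Constructed from the msconfig / Startup folder / service items named in the thread;
# the command lines and the service name are assumed, not read from the machine.
AUTOSTARTS = [
    {"source": "HKLM Run", "name": "NvCpl", "command": r"RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup"},
    {"source": "HKLM Run", "name": "nwiz", "command": r"nwiz.exe /install"},
    {"source": "HKLM Run", "name": "NvMcTray", "command": r"RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit"},
    {"source": "Service", "name": "NVSvc", "command": r"%SystemRoot%\system32\nvsvc32.exe"},
    {"source": "Startup folder", "name": "rexx actions",
     "command": r'''"C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe" "Actions_triggered_from_user's_Startup-Folder.rexh"'''},
    {"source": "Startup folder", "name": "taskmgr", "command": r"C:\WINDOWS\system32\taskmgr.exe"},
]

# Constructed exclusion list: the OA components named in the thread's logs,
# DebugView (assumed install path) and nvsvc32.exe as given in the reply.
EXCLUSIONS = [
    r"C:\Program Files\Online Armor\oasrv.exe",
    r"C:\Program Files\Online Armor\oaui.exe",
    r"C:\Program Files\Sysinternals\Dbgview.exe",
    r"C:\windows\system32\nvsvc32.exe",
]


def audit(autostarts, exclusions):
    """One finding per autostart: canonical image, hosted DLL (if any) and whether
    the image is on the exclusion list.  Bare names (no directory in the Run
    value) are resolved via PATH at run time, so they can only be matched by basename."""
    excluded_paths = {canon(p) for p in exclusions}
    excluded_names = {ntpath.basename(p) for p in excluded_paths}
    findings = []
    for entry in autostarts:
        image, args = split_command(expand(entry["command"]))
        image_c = canon(image)
        hosted = hosted_module(image_c, args)
        if ntpath.dirname(image_c):
            excluded, how = image_c in excluded_paths, "full path"
        else:
            excluded, how = image_c in excluded_names, "basename only (no directory in value)"
        findings.append({**entry, "image": image_c, "hosted": canon(hosted) if hosted else None,
                         "excluded": excluded, "match": how})
    return findings


def race_candidates(findings):
    """Excluded processes that start automatically: the ones whose exclusion is
    not yet in force if they launch before EAM finishes initialising."""
    return [f["name"] for f in findings if f["excluded"]]


def unexcludable_hosts(findings):
    """rundll32-hosted startups: excluding the DLL path cannot match the process
    image, and excluding rundll32.exe would cover every rundll32 instance."""
    return [(f["name"], f["hosted"]) for f in findings if f["hosted"]]


def collect_run_keys():
    """On Windows, read the real HKLM/HKCU Run values (winreg is Windows-only)."""
    import winreg
    found = []
    for hive, label in ((winreg.HKEY_LOCAL_MACHINE, "HKLM Run"), (winreg.HKEY_CURRENT_USER, "HKCU Run")):
        with winreg.OpenKey(hive, r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
            i = 0
            while True:
                try:
                    name, data, _kind = winreg.EnumValue(key, i)
                except OSError:
                    break
                found.append({"source": label, "name": name, "command": str(data)})
                i += 1
    return found


if __name__ == "__main__":
    found = audit(AUTOSTARTS, EXCLUSIONS)
    for f in found:
        print(f"{f['source']:15} {f['name']:13} excluded={f['excluded']!s:5} ({f['match']}) {f['image']}")
    print("race candidates:", race_candidates(found))
    print("rundll32-hosted:", unexcludable_hosts(found))
```

On the constructed data the only excluded autostart is the nvsvc32.exe service, which is exactly the item the reply above goes on to disable; the two rundll32 entries are reported separately because no entry in a path-based exclusion list can match them. Replace AUTOSTARTS with the output of collect_run_keys() plus the service ImagePath values and the Startup folder shortcut targets to run it against a real machine.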

FYI...this morning I had constant problems with my Windows 7 SP 1 64-bit stalling/locking-up/freezing as the desktop was loading. The culprit turned out to be EAM. I uninstalled it and reinstalled it and my computer seems to be OK now.


Despite taking nvsvc32.exe out of startup the stalls have continued, though their nature might have changed. I started running SysInternals' Process Explorer instead of MS's Task Manager, trying to get more info about what the system is doing... But at the point where the system is stalled - when I'd previously noted that normal startup actions weren't completing with visible results, but their processes were listed by TM - I'm finding that PE is only partially starting. Its window frame and furniture are being drawn but neither its window background nor meaningful data are being drawn. Maybe that still implicates the nvidia drivers?

 

If, as Fabian suggested, something is triggering lots of behaviour blocker events, would one not expect these events to be logged somewhere?  

 

In EAM's Guard - Behaviour Blocker tab, I have all options ticked.  

 

If the problem does lie somewhere in the nvidia drivers, I find it hard to believe that they wouldn't continue to cause a problem for the whole time the machine is up.

 

 

Fabian also said "and look for anything that you have configured to start automatically."   - Which types of things started automatically are significant here?  

 

 

I just looked at OA's definitions related to Process Explorer.  It's Trusted/Normal in the Programs list, though I noticed that 'PROCEXP152.SYS' was listed as Unknown/Normal, and I've changed that to Trusted/Normal.  OA's log shows some kernel events each time PE starts; I think it's bits of OA being protected from PE's gaze, and since PE itself seems to start fine after its initial start has stalled, maybe irrelevant.    Maybe PE's initial start - when presumably the PROCEXP152.SYS driver gets loaded will work differently (ie better) now that I've marked that Trusted too. 


If, as Fabian suggested, something is triggering lots of behaviour blocker events, would one not expect these events to be logged somewhere?

They are only logged if EAM found those events to be suspicious. For example, every DNS request triggers a behavior blocker event; you don't want to log all of those. You can try starting Debug View with EAM debugging info disabled (!). You should see the behavior blocker events being fired that way, as well as the process that fires them. I suggest you create a complete process exclusion for Debug View beforehand so you are able to start it unhindered when the stall reappears.


a) DebugView's been an excluded process for several days, as soon as I tried to use it

b) DebugView won't start during a stall.  Nothing does.
