snifferpro

EEK hangs system at specific file

EEK completely hangs Win 10 Pro ver 1803.  No mouse, no keyboard, no activity.

Gets to same file and just hangs - have to power down and power back up.

Latest version of EEK downloaded 05/08/18.

First time running on Win 10 Pro 1803.

Hangs at

C:\Program Files\Windowsapps\A278A0B0D.Disneymagickingdom_2.9.0.8_x86_H6ADKY7GBF63M\assets\...\model_base_0_pack

Could not get a screen snap as keyboard and mouse dead at hangup.


Let's try getting a log from FRST from the affected computer, and see if it shows anything relevant. You can find instructions for downloading and running FRST at the following link:
https://helpdesk.emsisoft.com/en-us/article/274-running-a-scan-with-frst

We can also try getting a diagnostic log from the same computer, although in this case the FRST log will probably be more useful:
https://helpdesk.emsisoft.com/en-us/article/275-running-the-emsisoft-diagnostic-tool


Please note that if you reply to the e-mail notification, your reply will not be added to the forum topic. If you would prefer to send us e-mails, then please send them to [email protected] and paste a link to this forum topic in the e-mail.

Fortunately someone did see your e-mail, and forwarded it to me, so I was able to see your logs. I noticed that you have Malwarebytes 3 installed. Have you tried adding the EEK folder (C:\EEK) to the exclusions in Malwarebytes 3, and then opening EEK and running your scan again?


I put C:\EEK in the Malwarebytes exclusions and got the same result.  System completely locks up. No keyboard, no mouse.

Used power button to shut down.  Restarted. 

Closed Malwarebytes.

Ran EEK

System shutdown and rebooted by itself.


Have you been able to find any errors in the Event Logs related to the issue? If so, can you copy the log and paste it here? Or save it in a text file and attach it here (most attached files can only be downloaded by staff)?


Looked at the event log and all I can find is the recovery from an unscheduled shutdown.

How do I create a text file from the event viewer?

This morning at 3:19 I started a custom scan.  Scan ran to 82% at 3:21 and rebooted.   Didn't see the file name, but at 82% it was probably on the file mentioned above.


Here are the logs from event viewer

13 hours ago, snifferpro said:

How do I create a text file from the event viewer?

Right-click on an event in the Event Viewer, select Save Selected Events, change Save as type either to Text (Tab delimited) or Xml (Xml File), and then save it somewhere easy to find. You can actually select multiple events from the Event Viewer and save them at the same time this way.

 

Is the computer a laptop, or a desktop?


This is a desktop computer.

I am now getting a system reboot every time I run eek.

I have one desktop system.

I have an SSD in a removable drive bay that I use as my production system.  This morning when I ran eek on the production system the system rebooted around 82%.

I then decided to shut down after it restarted.  I removed my production drive and placed a brand new SSD into the bay and fresh installed Win 10 Pro ver 1803 onto that drive. I installed nothing else except EEK.

Ran eek and selected custom scan to scan only my NEW C drive with the freshly installed Win 10 pro ver 1803.

At approximately 82-83% the system rebooted.  So to get a clean log file, I deleted all the entries in event viewer, shut down, rebooted ver 1803, ran eek and again it rebooted.

I have attached the latest event viewer log.

 

1803-2 system log.txt


Interesting, the system log appears to have been cleared either right before or right after the system crashed (assuming that's what happened):

image.png

BTW: Have I asked you what kind of scan you're running? I'm not seeing it in our conversation history.

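An added example, not part of any post in this thread: a PowerShell sketch that pulls the System-log records relevant to a freeze or unexpected reboot, including the log-cleared record noticed above, and saves them as tab-delimited text. The event IDs are the standard Windows ones; the 14-day window and the output path are assumptions.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
# System-log event IDs that matter when a machine freezes or reboots by itself.
$interesting = @{
    41   = 'Kernel-Power: rebooted without shutting down cleanly'
    104  = 'Eventlog: an event log was cleared'
    1001 = 'BugCheck: Windows recovered from a bugcheck and saved a dump'
    6008 = 'EventLog: the previous shutdown was unexpected'
}

# Assumed output location; change as needed.
$outFile = Join-Path $env:USERPROFILE 'Desktop\system-crash-events.txt'

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'System'
    Id        = 41, 104, 1001, 6008
    StartTime = (Get-Date).AddDays(-14)
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output 'No matching events in the last 14 days (or the log was cleared).'
    return
}

# One row per event, oldest first, with only the first line of the message.
$events |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, ProviderName,
        @{ Name = 'Meaning'; Expression = { $interesting[[int]$_.Id] } },
        @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Export-Csv -Path $outFile -Delimiter "`t" -NoTypeInformation -Encoding UTF8

# Short summary on screen. Event 41 or 6008 with no 1001 means Windows
# restarted without recording a bugcheck, so no dump was written either.
$events | Group-Object Id | ForEach-Object {
    '{0,5}  x{1}  {2}' -f $_.Name, $_.Count, $interesting[[int]$_.Name]
}
Write-Output "Saved to $outFile"
```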

I am running a Custom scan of only the C drive.

You are correct - on 05/19/19 I ran EEK on the C drive and the system automatically rebooted at around 82%.

After the reboot, I decided to clear the log files so that on my next test of EEK I would get a fresh log file.

I ran EEK again and the system rebooted and the log you are seeing shows I cleared the log file at 7:52:59.

I then rebooted at 7:56 and ran EEK again.

I have since booted the system 3 times since and during one of those sessions I reinstalled the drivers for my Nvidia GPU.

I have not run EEK since 05/20/18.

Attached are the current logs.

1803-2 system log 052218 0211.evtx

1803-2 system log 052218 0211.txt

On 5/22/2018 at 5:38 AM, snifferpro said:

I am running a Custom scan of only the C drive.

Are you using the default scan options, or did you enable the option for DDA (Direct Disk Access)? Does the crash happen regardless of the scan options you use?


Using default scan options.  It's not a crash, it is more just a system lock up.  No messages, no blue screen.  Just a complete frozen system.

This morning I did the following:

Booted at 01:20 am.  Applied windows update KB4100403.  Updated and restarted at 01:49

Turned off Auto Restart feature.  Rebooted at 01:59

Started EEK at 02:03.  Updated signatures.  Selected custom scan of only C drive, all defaults. Clicked Next.

System hung at 02:09.  Rebooted at 02:12

Attached log file

 

Reboot 0212.txt

Settings.PNG

Is your SSD made by Intel or Toshiba? If not, then the update probably wouldn't have helped.
https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-kb4100403-to-fix-windows-10-intel-and-toshiba-ssd-issues/

 

14 hours ago, snifferpro said:

It's not a crash, it is more just a system lock up.  No messages, no blue screen.  Just a complete frozen system.

In most cases Windows will automatically reboot the system after a crash, so you don't see the blue screen with the error message.

Hold down the Windows logo key on your keyboard and tap R to open the Run dialog, enter the following, and then click OK:

%windir%\system32\SystemPropertiesAdvanced.exe

The Advanced System Properties should open. In the Startup and Recovery section, click on the Settings button.

Under System failure, make sure that the option to Automatically restart is not turned on.

image.png

I had turned off Automatic Restart yesterday but did not run EEK after the restart.

So this morning, I booted up and downloaded the latest EEK and installed it in a new folder and ran it.

Got to 84% and system hung.  Walked away for about 2 minutes and when I came back the system had rebooted.

Saved event viewer logs and attached here.

I will verify that Auto Restart is turned off and repeat the test later today.

 

After 052518 download of EEK.evtx

After 052518 EEK download.txt


Whatever is happening, it isn't being logged in the Event Logs. We'll need a memory dump to have an idea of what's going on. What kind of keyboard do you have? USB?


I have been able to successfully run EEK Custom scan of my C drive.

Here is what I have learned.

I restored a drive image from 3/30/18 to eliminate any Microsoft updates that may have contributed to this problem.

My first scan on this restored image resulted in an auto system reboot.

I then unchecked Auto Restart, rebooted, and ran EEK Custom scan of C drive.  System auto restarted.

After reboot I started EEK and ran Malware Scan and it completed ok.  I closed EEK.

Restarted EEK and ran Custom scan of C drive.  The custom scan completed successfully.

I repeated the Malware scan then Custom scan 2 more times and each time the scans completed successfully.

I then removed the restored 3/30/18 drive and inserted and booted from my test win 10 ver 1803 drive.

Started EEK and ran Malware scan.  It completed ok.  Closed EEK.

Restarted EEK and selected Custom scan of C drive and it completed ok.

So at this point, if I run a Malware scan first, then close EEK and start it up again and run a Custom scan it appears to work.

This seems to be a repeatable work around which I will continue testing and experimenting with.

Your thoughts?

On 5/26/2018 at 4:28 AM, snifferpro said:

Yes, it is an Apple USB keyboard.

The batch files in the ZIP archive at the following link can be used to enable a feature in Windows that will allow you to force your computer to crash and save a memory dump simply by pressing a keyboard combination:
https://www.gt500.org/emsisoft/USB_Crash_On_Crtl_Scroll_Lock_Batch_Files.zip

Simply do the following:

  1. Download and open the ZIP archive.
  2. Double-click on the Enable_Crash_on_Ctrl_Scroll_Lock_USB batch file.
  3. A black window will open and inform you that it is checking for administrator rights, and that it may take a moment.
  4. When asked if you want to allow the Windows Command Processor to make changes to your computer, please click Yes to continue.
  5. A new black window should open, and should close again relatively quickly. Once the new black window closes, it is finished.
  6. Restart your computer so that the changes take effect.

After following those instructions, you can hold down the right Ctrl key on your keyboard and tap Scroll Lock twice to force your computer to crash and save a memory dump. This memory dump should contain enough information for us to get an idea of what is going on.


When do I use the CTRL SCroll LOCK key combination?  If the keyboard locks up how will these keys work?

I've been doing some further testing and what was working for me in my last post is no longer working.

The only changes I have made to the system are that I have added Gimp 2 and Firefox to the system.

But I will try the batch file when the system locks up.


Earlier today I made changes to the performance settings.  I created a custom page file of initial size=8278 and Max size = to 8278.

The computer successfully crashes and creates a dump when I do a custom scan.

I have two dump files.

I did execute your batch file, but never got to use it as I now get a blue screen.

052818-4234-01.dmp

052818-4812-01.dmp

2 hours ago, snifferpro said:

When do I use the CTRL SCroll LOCK key combination?

When the computer freezes, and before it tries to restart.

 

2 hours ago, snifferpro said:

If the keyboard locks up how will these keys work?

Usually Windows will still process input from input devices, however it depends on what exactly is freezing. Usually that's explorer.exe, but not always.

 

1 hour ago, snifferpro said:

The computer successfully crashes and creates a dump when I do a custom scan.

Those are from the Windows folder? Or somewhere else?


The dumps I sent were from the windows/Minidmp folder.

I think I have made some progress on my Win 10 Ver 1803 system.  Windows incorrectly identified my Marvell 6g add on card as a standard ahci controller.    I downloaded the correct drivers for the add on, installed them and now the add on is identified as "Marvell 92xx SATA 6G Controller".

I ran EEK with a custom scan and it completed successfully.  I will do a couple more scans just to make sure.

I still have the issue on my production system (Win 10 Pro Ver 1709) but I think the onboard sata controller may be identified incorrectly also.  I am going to move the production SSD to the bay that uses the  add on card and see if it scans correctly which will further convince me that the onboard controller is mis-identified.

As a side topic, is it better to do a Malware scan or a Custom scan?

I will report back with my further testing.


Just in case it's not clear... when you run the Enable... bat file, and reboot, that sets up a change to the driver for USB-attached keyboards, so that in future pressing Ctrl & Scroll Lock (twice) will force Windows to blue-screen (and take a dump). You only do that when the machine freezes and when it's the only way to collect diagnostic information for what Windows was doing when it froze.

A minidump probably won't be good enough. The full dump should be in C:\Windows\MEMORY.DMP (or wherever is configured in the options dialogue that was shown above) and will need to be moved elsewhere on the machine before you (ideally) compress it (it will be very large) and send it to Emsisoft. You do need to move it elsewhere because next time the machine has a blue screen a new dump will be written to the same file. Also, once you've sent the dump away and Emsisoft have received it ok, you can delete the dump file. As far as minidump files go, I just delete them as soon as they are created.

W10 might be different, but on my W8.1 system I had to change another option on the Advanced System Settings dialogue that was shown a few posts ago.  Where it says "Write debugging information" there's a drop-down list which (in the screenshot) shows "Automatic memory dump".  That had to be changed to the "Complete Memory Dump" option.  This forces Windows to create much larger dump files, but they are more likely to contain the information that's needed.

   

12 hours ago, snifferpro said:

As a side topic, is it better to do a Malware scan or a Custom scan?

A Malware Scan will scan for any malware that is active on the system. The Custom Scan is just for trying to find things that aren't active and are in odd places, or for scanning other drives/folders/files than what the Malware Scan would normally cover.

12 hours ago, snifferpro said:

The dumps I sent were from the windows/Minidmp folder.

Minidumps are more than likely not going to show anything relevant to the crash. As Jeremy mentioned, we'd need the system memory dump from the following location:
C:\Windows\MEMORY.DMP

Oh, and as a side-note, Windows will only save this memory dump if your pagefile is enabled and has enough space in it.


This morning I started the enable batch file on my 1803 test SSD and then ran eek custom scan.  Windows blue screened with "System Thread Exception Not Handled".

I did not have to use the Ctrl ScrlLock combination to produce the dump.

Could not send memory.dmp file as in zipped format it is 184mb

Is there another way to get the file to you?

 


You'd be better to delete the URL from there - anyone can see it and download your dump (though probably no-one would bother) and might see confidential stuff in it.  Instead if you PM (personal message) GT500 you can send a URL to him alone.  Do that by hovering over his avatar in any of his posts then click on Message.

6 hours ago, snifferpro said:

GT500 - Here is the memory dump from 1803 test ssd

Thanks. I have passed your link to our developers, who will take a look at it as soon as they can.


The dump indicated that it is having trouble with a Windows System File named "fileinfo.sys". The most likely culprits are filesystem damage/corruption, or a bad stick of RAM. I'd start by checking the drive for errors, preferably from the recovery environment.

The easy way to get to the recovery environment is to hold Shift while clicking on the Restart button. Once there you can click on Troubleshoot, then click on Advanced options, and then click on Command Prompt. The computer may then restart and ask you to sign in before showing you a Command Prompt. Once you get to the Command Prompt, and assuming your SSD is your primary drive, type in the following and then press Enter on your keyboard:

chkdsk C: /X /perf

You can change the drive letter if needed, but keep in mind that the Recovery Environment may not give drives the same letter you're used to seeing in Windows.


I should probably also mention that you need to run the exit command in the Command Prompt to restart your computer once finished.


In addition to the above, you can rule out whether or not it's our driver causing the crash by renaming the driver before launching EEK and starting your scan. The driver is in the following location:

C:\EEK\bin64\epp.sys

If you are using a 32-bit edition of Windows, then rename the one in "bin32" instead of "bin64".

The name can be whatever you want. epp.sys.bak or epp_old.sys for example.

Be sure to restart your computer after doing this, and don't check for updates in EEK or it will redownload epp.sys and replace it.

If the scan completes without problems, then it was our driver that was the cause. If you still have issues during the scan, then it isn't caused by our driver.


GT500 - Yesterday I renamed epp.sys to epp.sys.bak.  I then restarted and ran EEK Custom scan and it completed successfully.

I ran it a second time and it completed successfully.  I did notice however that on the first run the percentage counter was much lower than usual.  The counter usually gets to 80% rather quickly.  On the first run it was only in the 70% range at about the same time interval.  The second run it was at 80% very quickly.

I did the chkdsk command prior to making any changes and it did not find any issues.  I also ran Memtest86+ for 4 hours with 2 passes and no errors reported.

It was after those tests that I renamed the file and successfully did a custom scan.

This morning tried the scan again and it hung the system.  I did not have the enable batch running so I rebooted, ran the enable batch, rebooted, started a scan and this time the system reset without a hang, blue screen or ctrl scrl lock combination.  Again, the percentage counter was different between the first scan and the second.

It appears that the enable batch does not function properly as I never get to try the key combination; the system just resets and no memory dmp is created.

Would using a standard serial port keyboard be useful rather than an Apple usb keyboard?

The system is completely stable for everything else I do.

Here are the results of chkdsk

Chkdsk results.JPG
24 minutes ago, snifferpro said:

This morning tried the scan again and it hung the system.  I did not have the enable batch running so I rebooted, ran the enable batch, rebooted, started a scan and this time the system reset without a hang, blue screen or ctrl scrl lock combination.  Again, the percentage counter was different between the first scan and the second.

It appears that the enable batch does not function properly as I never get to try the key combination; the system just resets and no memory dmp is created.

a) when you say you didn't have the "enable batch running".... you misunderstand what the Enable .bat file does. When it is run it makes a change in the Registry, which enables deliberate BSODs.   You do not have to rerun the .bat file ever again - unless you've been turning the facility off with the Disable .bat file?

b) I don't understand what you mean when you say "the system reset without a hang, blue screen or ctrl scrl lock combination". What is a "system reset"? Do you mean a re-boot? That shouldn't be happening. And, if the system had taken a blue screen (whether you triggered it with Ctrl Scroll Lock, or it did it itself) the system also should not automatically restart. In the screenshot you included a few posts ago you showed the "Automatically Restart" box was not ticked. So no auto restart should be happening. If the OS stops the machine should stay stopped.

Though... are you sure that there is no C:\WINDOWS\MEMORY.DMP file in existence?   Your screenshot shows that  the option to overwrite that file if one already exists is not set, so if such a file does exist and the system were to try to take a dump, maybe nothing would happen?    I don't know... I run my system with the overwrite option allowed.

 

> Would using a standard serial port keyboard be useful rather than an Apple usb keyboard?

No, because the registry change that the Enable .bat file makes is to the USB kernel drivers.  If you change to using a PS/2 keyboard there would need to be a corresponding change made to the PS/2 kernel support.


If you're not disabling the registry thing, then the time for you to press Ctrl Scroll Lock (twice) is when a scan hangs. 

You could in theory press Ctrl Scroll Lock (twice) at any time to force a deliberate BSOD and dump.   But it's not a great idea to deliberately do this to a working system since it risks leaving files in a funny state, the file system itself in a funny state and so on.   Once a system is hung and you're looking at a power-off and reboot, which also risks files being in a funny state etc, that doesn't matter so much because there's no choice.  


Jeremy - I usually disable the batch after testing so it wasn't running.

As for the reset, it goes to a black screen and then reboots.  Just as if I pressed the reset button on the computer case.

The SSD I'm using to test is a new install of Win 10 Pro 64 bit with barely anything installed.  I'm using it as a test bed because my production SSD Win 10 Pro 64bit version 1709 will not update to 1803. 


Running the Disable .bat file is sensible in that it stops you (or any other user of your machine) from accidentally triggering a BSOD... but it's foolish if it means you'll never have the facility to force a BSOD when you need it.  Having to reboot, run the file, reboot and then try to recreate an intermittent problem is daft - you want to capture the dump when the problem actually occurs.    Also, neither .bat file stays running.  They just set a registry key and stop. 

If a reset is a black screen and a reboot, I wonder if the screenshots you included earlier were from the system you're doing this testing on?  You didn't by any chance screenshot the production system's settings did you?

Or... does the machine's BIOS (or equivalent) force a restart?

Also... this SSD that you're using presumably does have enough space on it for that 16GB+ paging file?   The minimum size you've set, 16557 MB isn't big enough(*) though as you've told it to use a paging file between that and a much larger size, I think that should be ok.  

* it needs to be RAM size + 257 MB according to: https://support.microsoft.com/en-gb/kb/2860880

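A read-only check of the dump prerequisites raised in the posts above (dump type, automatic restart, overwriting an existing MEMORY.DMP, a paging file of RAM + 257 MB, and the keyboard crash trigger), added here as an example and not part of any post in this thread. It assumes the Enable .bat file sets the documented Windows `CrashOnCtrlScroll` value, which the thread does not show; the variable names and the wording of the findings are illustrative.

```powershell
# Added example: read-only audit of the crash-dump prerequisites discussed above.
# It changes nothing. Registry value names are the documented Windows ones.
$cc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$dumpTypes = @{ 0 = 'None'; 1 = 'Complete memory dump'; 2 = 'Kernel memory dump'
                3 = 'Small memory dump'; 7 = 'Automatic memory dump' }
$dumpFile = [Environment]::ExpandEnvironmentVariables([string]$cc.DumpFile)
$findings = New-Object 'System.Collections.Generic.List[string]'

# 1. Dump type: the thread asks for "Complete memory dump" (CrashDumpEnabled = 1).
$type = [int]$cc.CrashDumpEnabled
if ($type -ne 1) {
    $findings.Add("Dump type is '$($dumpTypes[$type])'; a complete dump was requested.")
}

# 2. Automatic restart hides the stop code and makes a crash look like a reset.
if ($cc.AutoReboot -ne 0) {
    $findings.Add('Automatically restart is enabled (AutoReboot = 1).')
}

# 3. An old dump with overwrite disabled: move it away before reproducing the hang.
if ($cc.Overwrite -eq 0 -and (Test-Path -LiteralPath $dumpFile)) {
    $findings.Add("Overwrite is off and $dumpFile already exists.")
}

# 4. Paging file must hold RAM + 257 MB for a complete dump.
#    TotalPhysicalMemory is usable RAM in bytes; page file sizes are in MB.
$ramMB    = [math]::Ceiling((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
$neededMB = $ramMB + 257
$custom   = @(Get-CimInstance Win32_PageFileSetting | Where-Object { $_.MaximumSize -gt 0 })
$current  = @(Get-CimInstance Win32_PageFileUsage)
if ($current.Count -eq 0) {
    $findings.Add('No paging file is active; Windows cannot save a dump.')
}
foreach ($pf in $custom) {
    if ($pf.MaximumSize -lt $neededMB) {
        $findings.Add("$($pf.Name): maximum $($pf.MaximumSize) MB is below $neededMB MB.")
    }
}

# 5. Keyboard-initiated crash: kbdhid = USB keyboards, i8042prt = PS/2 keyboards.
$trigger = foreach ($svc in 'kbdhid', 'i8042prt') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters"
    $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).CrashOnCtrlScroll
    [pscustomobject]@{ Driver = $svc; CrashOnCtrlScroll = ($val -eq 1) }
}
if (-not ($trigger | Where-Object CrashOnCtrlScroll)) {
    $findings.Add('CrashOnCtrlScroll is not set for USB or PS/2 keyboards.')
}

"Dump file : $dumpFile"
"RAM       : $ramMB MB (paging file needs $neededMB MB)"
$trigger | Format-Table -AutoSize
if ($findings.Count) { $findings } else { 'All dump prerequisites look correct.' }
```

A paging file left as system-managed reports a maximum of 0 and is skipped by check 4, so only custom sizes are compared against the RAM + 257 MB figure.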

Just out of curiosity, have you tried downloading the drivers from the motherboard or computer manufacturer, and reinstalling all of them?


Jeremy, I will verify the screen shots of 1803 and redo if necessary.

The SSD has 96gb of free space.

I'm not aware of any bios setting that forces a bsod.  My motherboard is an ASUS H170 PRO - been running for 4 years.

 

GT500, I have not downloaded the latest motherboard drivers but I was considering updating the BIOS to the latest revision as I am on the initial release.

Updating the drivers for the motherboard will take some time so that will have to be a weekend project.  I'm hesitant to do the bios update because of the blue screens, but since the operating system will not be in play it may be worth a shot.  What do you think?

I'm really curious as to why the custom scan worked 2 times in succession yesterday but failed today.


> I'm not aware of any bios setting that forces a bsod.

I'm sure not.  It's the restart that puzzles me.

 

> I'm hesitant to do the bios update

I don't know how that works for your motherboard, but maybe it's reversible - either by having whatever's there now always present as a default, or being able to apply an update back to that level?

 

1 hour ago, snifferpro said:

... I was considering updating the BIOS to the latest revision as I am on the initial release.

The last time I did that on an ASUS motherboard, the system ran much more stable, so it certainly could help in your case as well.

 

1 hour ago, snifferpro said:

I'm hesitant to do the bios update because of the blue screens, but since the operating system will not be in play it may be worth a shot.  What do you think?

Many ASUS motherboards have a feature where you can update the BIOS from a utility built into the BIOS that reads the BIOS file from a USB flash drive. This minimizes the risk of damaging the board (I've never bricked an ASUS motherboard when flashing them this way).

 

1 hour ago, snifferpro said:

I'm really curious as to why the custom scan worked 2 times in succession yesterday but failed today.

It's possible that the issue is intermittent.


This system in the last 4 years has never had Hangs, BSOD's, or blue screens.  This issue started towards the end of April and only presents itself when I run a custom scan.

This motherboard does not have dual bios so there is no way to roll back in the event of a flash failure.  I think the usb flash bios update may be ok since the operating system and applications are not involved.  That however is a last resort.

I will be downloading all the motherboard updates and hopefully applying them this weekend.

I will keep you posted.

8 hours ago, snifferpro said:

This system in the last 4 years has never had Hangs, BSOD's, or blue screens.

I actually wasn't referring to crashes and hangs. It was mostly small things like general system performance, stability of I/O throughput on SATA devices (meaning that read/write speeds were maintained better), boot speed, etc.


Update

On 06/02/18 I downloaded and installed all ASUS motherboard drivers.
I ran EEK Custom scan twice and both times it completed successfully.

On 06/03/18 I booted up my 1803 system and ran EEK Custom scan and the computer locked up.
I rebooted and ran the Enable batch file and rebooted again.
I ran EEK Malware scan - no issue.
I ran EEK Custom scan - and system reset itself and produced a 16gb dump file.
Changed page file max size to reduce size of dump file and set to automatic memory dump.
Ran EEK Custom scan and system blue screened with "Page fault in non paged area".
Deleted my C:\EEK folder and downloaded and installed latest EEK to C:\EEK
Ran Custom scan and system blue screened with "Kernel security check failure".
Rebooted and renamed epp.sys to bak.
Ran custom scan - scan got to 20% and just quit.  No blue screen, no reset, no dumps.
Started EEK custom scan again and got to 60%  and Blue screened with "System service
exception".  Usually when it blue screens it blue screens at 80%.
Updated the firmware of the SSD and ran custom scan. BS with "System service exception".

On 06/04/18 I decided to boot into safe mode and run a custom scan.
As was expected I did get a blue screen.  However, immediately preceding the blue screen
I got a pop up box stating there was an application error with a2?????????. I tried to get a
screen shot with snipping tool, but the system then blue screened so I was unable to
get the remainder of the message.
I then restarted in safe mode and started snipping tool then eek and this time while running
eek the system hung completely.  The Ctrl Scrl Lock did not work.
I rebooted again in safe mode, started snipping tool, and ran a custom scan.  This time
the system blue screened with "Memory Management".

It seems that each time I run a custom scan I get different results.

 

24 minutes ago, snifferpro said:

I ran EEK Custom scan - and system reset itself and produced a 16gb dump file.
Changed page file max size to reduce size of dump file and set to automatic memory dump.
Ran EEK Custom scan and system blue screened with "Page fault in non paged area".

The 16 GB dump needs to be compressed and sent to Emsisoft so they can try to find out what the problem is.   I would suggest you stop experimenting until Emsisoft have had a look at this dump.

After you then changed the pagefile size etc did you do a reboot (and it would ideally be a 'cold' one not just a restart) before trying anything else?  Maybe if you didn't reboot at that point Windows tried to page some virtual memory and the changed page-file size confused things?

 

Later you said: The Ctrl Scrl Lock did not work.

Do you know that the action is to hold down the righthand Ctrl key then press ScrollLock twice? 

 

You've had a LOT of hangs etc.  Do you, each time you reboot after a hang or BSOD or whatever, run a chkdsk on your disks?   Each hang/BSOD can leave file systems in a mess and not checking/repairing them, if they do get in a mess, will possibly make things worse.

10 hours ago, snifferpro said:

Changed page file max size to reduce size of dump file and set to automatic memory dump.

Changing the pagefile size won't reduce the size of the dump, it will just cause it to error out saving the dump when it runs out of space. Use 7-Zip to compress the dump using the following settings to get the smallest file size (only Archive format, Compression level, and Compression method need to be changed):

image.png

I should probably mention that you will almost certainly need to use a file sharing service to send us the file. Both WeTransfer and MEGA allow files up to 2GB for free without an account. Note that both are time-limited, so the files will be automatically deleted after a while. I think WeTransfer gives 2 or 3 days, while I'm not certain about MEGA.
