Alan_S

Computer freezes at startup – faulting application a2service.exe


I've been following the thread 'a2service.exe application error' as I've been experiencing virtually the same problem. The big difference is that I have Windows 7 Pro, 32-bit. It happens after logon on Windows start-up. Everything is frozen. Not even the clock display updates and the keyboard and mouse are ignored. The only way out is power off / power on.

According to my notes, it has happened 6 times (besides the 2 below) the first occurrence being March 30th.
      2018-03-30   13:34
      2018-04-04   08:38
      2018-04-14   08:47
      2018-04-23   14:14
      2018-04-26   13:20
      2018-05-04   17:49
I've been trying to pin it down since, through advice in the forum and getting rid of stuff that might collide with EAM.

I turned on EAM debug logging and that just might be a cure!  It worked flawlessly for 28 days, and then I turned it off 2018-06-01. Perhaps I should have let it stay on longer.

I had Malwarebytes Anti Malware Version 2, installed January 2014. Also, their Anti Exploit, installed February 2015. They and EAM (mutually excluded) never appeared to bother each other and the last program update to MBAM v2 I've noted was March 2016. Still, I did a clean uninstall of both 2018-05-21 (nearly a month ago) and that seemed to do the trick. But now the freeze has occurred again. Strange it should do so after such a long period.

2018-06-20 16:42

Turned on the PC. After start-up / logon, clicked the Firefox quick launch icon. The whole system froze. The clock display remained at 16:42. Tried CTL-Alt-Delete but no reaction. After a while got a pop-up “The application is not responding” (it didn't say what application). Clicked the pop-up's “End Process” button and the whole screen went blue. Not a BSOD – the screen had been wiped: the normal screen background is the same solid blue. Powered-off. Then powered on, booting from the Windows installation DVD. Started a command window and ran CHKDSK /F on all the partitions. No problems found. Restarted Windows normally. The Event Viewer showed the following error entries:

Event ID 1000 Logged 2018-06-20 16:42:49
Faulting application name: a2service.exe, version: 2018.5.0.8686, time stamp: 0x5b0da6b6
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x00000000
Faulting process id: 0x2e8
Faulting application start time: 0x01d408a4e49f03d1
Faulting application path: C:\Program Files\Emsisoft Anti-Malware\a2service.exe
Faulting module path: unknown
Report Id: 33e0d8d7-7498-11e8-b7d8-001aa095aa60

Event ID 7022 Logged 2018-06-20 16:46:36
The Background Intelligent Transfer Service service hung on starting.

Event ID 7011 Logged 2018-06-20 16:47:29
A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.

 

The pertinent part of the forensics log:

Emsisoft Anti-Malware Full 2018.5.0.8686 stable [en-us]
OS: Windows 7 Service Pack 1 (Version 6.1, Build 7601, 32-bit Edition)
2018-06-20 17:01:54 Scheduler Update Downloaded and installed 34 files (4313 kb) (53 sec.).
2018-06-20 16:59:16 Core Protection started Version 2018.5.0.8686.
2018-06-20 16:42:22 Core Protection started Version 2018.5.0.8686.
2018-06-20 13:43:04 Operating System Shutdown received System initiated shutdown.

Ran FRST. On starting, got a pop-up 'Failed to update (1)'. Shouldn't be a firewall problem as I'd set it to allow 'unknown' outbound connections. But the scan seemed to run normally. Please let me know if you need the results - would it be safe to attach openly or is the info sensitive?

Late that night, powered off the PC - always do so overnight.

2018-06-21 08:35

Turned on the PC. Everything looked normal after logon but whenever the mouse pointer was on the bar at the bottom of the screen (don't know the correct term) it became an hourglass. Left it for a while and then clicked on the desktop (not on an icon) which became misty, just like when launching the snipping tool, and the mouse pointer became an hourglass wherever it was. Everything frozen, as above. This behaviour has happened several times in the past. Powered off / on and ran CHKDSK /F as above (no problems) then restarted Windows normally. The Event Viewer showed the following error entries:

Event ID 1000 Logged 2018-06-21 08:35:48

Faulting application name: a2service.exe, version: 2018.5.0.8686, time stamp: 0x5b0da6b6
Faulting module name: KERNELBASE.dll, version: 6.1.7601.24117, time stamp: 0x5add1e31
Exception code: 0x0eedfade
Fault offset: 0x0000845d
Faulting process id: 0x2e4
Faulting application start time: 0x01d4092a0a189b50
Faulting application path: C:\Program Files\Emsisoft Anti-Malware\a2service.exe
Faulting module path: C:\Windows\system32\KERNELBASE.dll
Report Id: 54eafff4-751d-11e8-a070-001aa095aa60

Event ID 7022 Logged 2018-06-21 08:39:42

The Background Intelligent Transfer Service service hung on starting.

 

The pertinent part of the forensics log:

2018-06-21 09:21:50 Scheduler Update Downloaded and installed 93 files (4456 kb) (1 min. 19 sec.).
2018-06-21 09:19:05 Core Protection started Version 2018.5.0.8686.
2018-06-21 08:35:28 Core Protection started Version 2018.5.0.8686.
2018-06-21 00:16:11 Operating System Shutdown received System initiated shutdown.

 

The configuration:

Dell Inspiron PC from November 2007, but still runs fine.
Windows 7 Pro, 32-bit. Since October 2016, just apply (manually) security-only updates.
Sphinx Windows 10 Firewall Control
Windows Defender real-time is disabled, as is auto updates and auto scan
(can't think of any other security programs still installed)
EAM is set to update at 2 hour intervals so it almost always updates at startup.  Self protection is off.
Time zone is CET
 

Recent changes:

2018-05-21 Uninstalled Malwarebytes Anti Malware and Anti Exploit
2018-06-01 Disabled EAM debug logging
2018-06-02 Let Firefox update to 60.0.1
2018-06-04 Manually applied May MS security-only patches KB4103712 (Win) and KB4103768 (IE)
2018-06-02 Let Firefox update to 60.0.2
2018-06-02 Let Thunderbird update to 52.8.0
2018-06-02 Uninstalled Flash Player
Also, updated a Firefox add-on.

Nothing new installed and the only other updates I know of are of EAM itself. Don't know if it's relevant, but I regularly run CCleaner to clean up Firefox, IE and Thunderbird data. No registry stuff.

 

Finally, I have a laptop too: HP EliteBook 8440p, also ancient, also Win 7 32-bit. Software-wise, it's virtually identical to the Dell, though obviously all the drivers and other low-level stuff are different. And the freeze-on-startup happens on it too. But I feel it's more manageable to concentrate on one PC at a time.

However, when I reached for the Windows installation DVD to run CHKDSK after the 2018-06-20 16:42 incident, I remembered it was stuck in the EliteBook and a DVD can only be ejected when an OS is running. So, I turned it on and started Windows. And guess what happened? The freeze-on-startup situation, logged at 16:45:53!

It seems  very strange that two incidents should occur within minutes of each other on two different computers.   Indeed, strange that the two incidents on the Dell should occur within hours of each other, after weeks of flawless operation.  Could there be a connection with the EAM update content? Or is it just a coincidence?

Sorry to be so long-winded but I feel it's better to give too much info than too little.

 


I don't see anything in the logs that would explain what's going on. We can try forcing a BSoD to get a memory dump. Is your keyboard USB? If you use a built-in keyboard on a laptop, then that's usually PS/2 instead of USB.


The Dell has a USB keyboard.  Speccy says the HP Elitebook has a PS/2.  I use the (stationary) Dell much more as it has a full size keyboard and a big screen.  


OK, I'll give you links for both ZIP archives. Each one contains two batch files. One batch file to enable a keyboard shortcut that causes a BSoD and memory dump, and one batch file to disable it again.
https://www.gt500.org/emsisoft/USB_Crash_On_Crtl_Scroll_Lock_Batch_Files.zip
https://www.gt500.org/emsisoft/PS2_Crash_On_Crtl_Scroll_Lock_Batch_Files.zip

The first is for USB, and the second is for PS/2. Download the one for your keyboard, open it, and double-click on the batch file to run it. After it checks for administrator rights, you should be asked if you want to allow the Windows Command Processor to make changes to your computer. You'll have to click Yes to proceed. After clicking Yes, the batch file will reopen with administrator rights, and it should only take a second or two to change the registry value that enables the keyboard shortcut.

Your computer will need to be restarted after running the batch file in order for the changes to take effect.

Once you've run the batch file to enable the keyboard shortcut and restarted your computer, simply hold down the Right Ctrl key on your keyboard and tap Scroll Lock twice, and that should cause the computer to crash and save a memory dump. Do this when things are frozen, and the memory dump should give us a clue as to why it's happening.

The memory dump should be saved as C:\Windows\MEMORY.DMP and it will be very large. I recommend 7-Zip to compress it (using the Archive format, Compression level, and Compression method settings from the following screenshot for the smallest file size).


Today's activities:

Looked more carefully at the laptop and see it doesn't have a Scroll-Lock key. Nor does the User Guide give any help.

However, I ran the 'enable' script on the Dell, which has a USB keyboard.  Then tested it and it created a BSOD and dump just as you said. Restarted the computer from the Windows Installation DVD and ran CHKDSK, as a safety measure.  Started Windows normally. It looked OK but noted that the red cross over the loudspeaker icon in the notification area didn't disappear as it normally does.  Hovering the mouse pointer over the icon showed that “The audio service is not running”.  This happens sometimes, though very rarely, and all is well after a restart.  Nothing seemed to happen on clicking restart.  Assuming I'd missed it, clicked again (a pity perhaps, with hindsight) and noticed that the clock hadn't been updating.  A freeze!  Activated your advice and got a BSOD and a dump.

Event viewer data:

Event ID 1000 Logged 2018-06-27 14:24:50
Faulting application name: a2service.exe, version: 2018.5.0.8686, time stamp: 0x5b0da6b6
Faulting module name: a2core.dll, version: 2018.4.0.1028, time stamp: 0x5ac376f1
Exception code: 0xc0000005
Fault offset: 0x0007f2f9
Faulting process id: 0x2f4
Faulting application start time: 0x01d40e1195dd2e61
Faulting application path: C:\Program Files\Emsisoft Anti-Malware\a2service.exe
Faulting module path: C:\Program Files\Emsisoft Anti-Malware\a2core.dll
Report Id: 15bb9d80-7a05-11e8-a533-001aa095aa60

Event ID 1001 Logged 2018-06-27 14:38:27

The computer has rebooted from a bugcheck. The bugcheck was: 0x000000e2 (0x00000000, 0x00000000, 0x00000000, 0x00000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 062718-21465-01.

Hope it all helps to nail the problem!  I'll leave everything as-is so that I can send the data should it happen again.

I'll send the dump via PM.

 

 


I had the no SCROLL-LOCK key problem on my Samsung laptop.  These are my notes for what I did to get around that.

One solution to that is to plug in a fully-featured USB keyboard; that would
be ok if one only wanted a dump for a specific test (which in fact is all I
want to do now) but is no use at all if you want to be able to take a dump
when something unpredictable happens in future. If the OS is stuffed then it
is extremely unlikely to be able to handle a dynamic addition of a keyboard
even supposing one has a spare keyboard to hand.

According to:

https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/forcing-a-system-crash-from-the-keyboard

there's a way to define an alternate pair of trigger keys.   First:


(a) you need to make sure that the  CrashOnCtrlScroll  registry value that
    was described above (in the standard method) is either extant but set to 0, or not present in
    the registry at all.


(b) you need to choose which (one or more) keys you wish to make eligible as
    the first one to be pressed as a trigger.  The choices are:

    0x01       Rightmost SHIFT key
    0x02       Rightmost CTRL  key       <-- I chose this
    0x04       Rightmost ALT   key
    0x10       Leftmost  SHIFT key
    0x20       Leftmost  CTRL  key
    0x40       Leftmost  ALT   key

    You can specify more than one, by adding them, eg 0x11 would enable either SHIFT key.


(c) For the second key you need to pick something and then find out what its
    scancode is.  A scancode is the code the hardware sends to the driver when
    a particular button is pressed (it's nothing to do with the legend on a key-
    cap).  The driver then sends that code onwards to a higher level OS function
    which, based on the configured keyboard layout, translates the scancode into
    a 'virtual keycode'... which represents whatever action/character the user
    expects that key to generate.

    There's a thorough description of this process at:
    https://jacksautohotkeyblog.wordpress.com/2016/04/14/understanding-autohotkey-keyboard-scan-codes-and-virtual-key-codes-beginning-hotkeys-part-12/


    Then you find the scancode in a predefined table of scancodes:

    const UCHAR keyToScanTbl[134] = {
    0x00,0x29,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,   /* offsets +000 -> +009 */
    0x0A,0x0B,0x0C,0x0D,0x7D,0x0E,0x0F,0x10,0x11,0x12,   /*         +010 -> +019 */
    0x13,0x14,0x15,0x16,0x17,0x18,0x19,0x1A,0x1B,0x00,   /*         +020 -> +029 */
    0x3A,0x1E,0x1F,0x20,0x21,0x22,0x23,0x24,0x25,0x26,   /*         +030 -> +039 */
    0x27,0x28,0x2B,0x1C,0x2A,0x00,0x2C,0x2D,0x2E,0x2F,   /*         +040 -> +049 */
    0x30,0x31,0x32,0x33,0x34,0x35,0x73,0x36,0x1D,0x00,   /*         +050 -> +059 */
    0x38,0x39,0xB8,0x00,0x9D,0x00,0x00,0x00,0x00,0x00,   /*         +060 -> +069 */
    0x00,0x00,0x00,0x00,0x00,0xD2,0xD3,0x00,0x00,0xCB,   /*         +070 -> +079 */
    0xC7,0xCF,0x00,0xC8,0xD0,0xC9,0xD1,0x00,0x00,0xCD,   /*         +080 -> +089 */
    0x45,0x47,0x4B,0x4F,0x00,0xB5,0x48,0x4C,0x50,0x52,   /*         +090 -> +099 */
    0x37,0x49,0x4D,0x51,0x53,0x4A,0x4E,0x00,0x9C,0x00,   /*         +100 -> +109 */
    0x01,0x00,0x3B,0x3C,0x3D,0x3E,0x3F,0x40,0x41,0x42,   /*         +110 -> +119 */
    0x43,0x44,0x57,0x58,0x00,0x46,0x00,0x00,0x00,0x00,   /*         +120 -> +129 */
    0x00,0x7B,0x79,0x70 };                               /*         +130 -> +133 */

    and it's the OFFSET into this table that you actually need to use.  I've
    listed decimal offsets at the rhs as the rows are listed in tens, but I
    expect the value one uses needs to be in hex.


(d) You then define two REG_DWORD values in (for PS/2 keyboards):

       HKLM\SYSTEM\CurrentControlSet\Services\i8042prt\crashdump

    and for USB keyboards:

       HKLM\SYSTEM\CurrentControlSet\Services\kbdhid\crashdump

    as follows.  Create:

       Dump1Keys    REG_DWORD    the bit map described at (b)

       Dump2Key     REG_DWORD    the offset described at (c)


    NOTE the keynames: the first is plural, the second is not.


(e) Ah... but... how do you find out the scancode generated by various buttons
    on your specific keyboard?  Google shows that many people are very annoyed
    that MS completely fail to address that in their documentation.

   

    You can ignore this stuff about AHK, which I used to make sure that the key and
    hence scancode that I chose really were for the key I thought they were for...

    [I found that AutoHotKey has a feature that allows one to see scancodes for
    keys pressed, so on 20170617 installed AHK & wrote a small AHK script that
    does nothing except present a MsgBox, & wait for the user to close it. But
    while that is running, one can r-click the script's systray icon, open the
    script's "main window" and choose:  View -> Key History & Script Info   to
    see scancodes.

    The script is in:   (if you need it I can send it to you)


    Obviously it would be sensible to pick a key that I am very unlikely to
    press by accident!  I reckon that means something on the numeric keypad,
    eg "*".


    The AHK script shows that that is "NumPadMult" with scancode 037 (which
    I can see is a hex value as when I pressed "s", that was listed as 01F).


    (Actually, this is listed [as "KP *"] at:
     http://www.computer-engineering.org/ps2keyboard/scancodes1.html
     https://en.wikipedia.org/wiki/Scancode
     but it's useful to have had AHK confirm it.  Also note that 037 is the
     scancode for that key being PRESSED and there's another code for when
     it gets RELEASED.)


    Scancode 0x37 is at decimal offset +100 in the table above, so its hex
    offset is 0x64.


    I found /some/ examples of defining Dump1Keys & Dump2Key where the values
    shown match my expectations.  OTOH, some of the examples I found didn't.

    Still, I'm reasonably confident that I understand this process.

 

What I need to do now is:

(using 'regedit' started from an elevated Command Prompt):


(a) check that  CrashOnCtrlScroll
    is not defined (or if it is, has value 0), in both the PS/2 and USB keybd
    locations at:

       HKLM\System\CurrentControlSet\Services\i8042prt\Parameters

       - it WAS defined, and set to 1; I deleted it.


       HKLM\System\CurrentControlSet\Services\kbdhid\Parameters

       - it didn't exist


(b) check that neither  Dump1Keys  nor  Dump2Key  are defined at:

       HKLM\SYSTEM\CurrentControlSet\Services\kbdhid\crashdump

       - the \crashdump  subkey didn't exist.


(c) create REG_DWORD keys named  Dump1Keys  and  Dump2Key  at:

       HKLM\SYSTEM\CurrentControlSet\Services\i8042prt\crashdump

    with values:     Dump1Keys   0x02       (ie RIGHT CTRL)

                     Dump2Key    0x64       (ie NUM PAD *)

       - created, first, \crashdump
         then the two named values.


(d) reboot


(e) cross my fingers and try it...


(f) IT WORKED! 
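
The bitmap and table-offset arithmetic from the notes above, as an added example (not code from the post or from Microsoft): it uses the keyToScanTbl values listed in the post to find the Dump2Key index for a chosen scancode, ORs the Dump1Keys bits from step (b), and renders .reg text for the PS/2 or USB service key. The function names and the choice of .reg output are assumptions of this example.

```python
"""Derive Dump1Keys / Dump2Key for an alternate keyboard crash shortcut.

Added example: function names and the .reg output format are this example's
own choices, not part of the original post.
"""

# keyToScanTbl as listed in the post; Dump2Key is an index into this table.
KEY_TO_SCAN_TBL = bytes([
    0x00, 0x29, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
    0x0A, 0x0B, 0x0C, 0x0D, 0x7D, 0x0E, 0x0F, 0x10, 0x11, 0x12,
    0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x00,
    0x3A, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26,
    0x27, 0x28, 0x2B, 0x1C, 0x2A, 0x00, 0x2C, 0x2D, 0x2E, 0x2F,
    0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x73, 0x36, 0x1D, 0x00,
    0x38, 0x39, 0xB8, 0x00, 0x9D, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0xD2, 0xD3, 0x00, 0x00, 0xCB,
    0xC7, 0xCF, 0x00, 0xC8, 0xD0, 0xC9, 0xD1, 0x00, 0x00, 0xCD,
    0x45, 0x47, 0x4B, 0x4F, 0x00, 0xB5, 0x48, 0x4C, 0x50, 0x52,
    0x37, 0x49, 0x4D, 0x51, 0x53, 0x4A, 0x4E, 0x00, 0x9C, 0x00,
    0x01, 0x00, 0x3B, 0x3C, 0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42,
    0x43, 0x44, 0x57, 0x58, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x7B, 0x79, 0x70,
])

# Dump1Keys bits from step (b) of the post.
FIRST_KEY_BITS = {
    "RSHIFT": 0x01, "RCTRL": 0x02, "RALT": 0x04,
    "LSHIFT": 0x10, "LCTRL": 0x20, "LALT": 0x40,
}

# Driver service per keyboard type, from step (d) of the post.
SERVICES = {"ps2": "i8042prt", "usb": "kbdhid"}
SERVICES_ROOT = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"


def dump1keys(*names):
    """OR together the bits for every key allowed as the held-down first key."""
    if not names:
        raise ValueError("at least one first key is required")
    mask = 0
    for name in names:
        try:
            mask |= FIRST_KEY_BITS[name.upper()]
        except KeyError:
            raise ValueError(f"unknown first key {name!r}") from None
    return mask


def dump2key(scancode):
    """Return the table index whose entry equals the key's scancode."""
    if not 0x01 <= scancode <= 0xFF:
        # 0x00 fills the unused slots, so it can never identify a key.
        raise ValueError("scancode must be in 0x01..0xFF")
    hits = [i for i, value in enumerate(KEY_TO_SCAN_TBL) if value == scancode]
    if len(hits) != 1:
        raise ValueError(f"scancode {scancode:#04x} is not a unique table entry")
    return hits[0]


def reg_file(keyboard, first_keys, scancode):
    """Render .reg text that zeroes CrashOnCtrlScroll and sets both values."""
    if keyboard not in SERVICES:
        raise ValueError("keyboard must be 'ps2' or 'usb'")
    base = SERVICES_ROOT + SERVICES[keyboard]
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        f"[{base}\\Parameters]",
        '"CrashOnCtrlScroll"=dword:00000000',   # step (a): must be 0 or absent
        "",
        f"[{base}\\crashdump]",
        f'"Dump1Keys"=dword:{dump1keys(*first_keys):08x}',
        f'"Dump2Key"=dword:{dump2key(scancode):08x}',
        "",
    ]
    return "\r\n".join(lines)


if __name__ == "__main__":
    # Right Ctrl plus numeric-keypad '*' (scancode 0x37), the post's choice.
    print(reg_file("ps2", ["RCTRL"], 0x37))
```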

 

9 hours ago, Alan_S said:

I'll send the dump via PM.

Memory dump received, and forwarded to our developers. It's a bit small, so if it doesn't contain enough information then it may be necessary to reconfigure Windows for a full memory dump and then try again, however we won't know that until they take a look at the dump you've already sent.


Jeremy, many thanks for the explanation.  I'm in awe!  Unfortunately, the link computer-engineering.org seems defunct - it gives “Contact Support”. But the Wikipedia one is OK.

Actually, at this stage at least, I feel it's preferable to concentrate on the stationary Dell as it is much simpler, with far less “goodies” and is what I generally use. But your AHK scancode presenter sounds very useful. I'll get back to you if Emsisoft want me to experiment on the laptop.

 


I've been told that we'll need a full/complete memory dump. I would believe the following instructions for configuring Windows to save a full/complete memory dump will work on any version of Windows (or at least Windows 7, 8, 8.1, and 10):

  1. Hold down the Windows key (the one with the Windows logo on it, usually between the Ctrl and Alt keys) and hold down the R key to open the Run dialog.
  2. Type in control system and click OK.
  3. On the left, click on Advanced system settings.
  4. In the Startup and Recovery section, click on the Settings button.
  5. Please ignore the System Startup and System Failure sections.
  6. In the Write debugging information section, please change the first option to Complete memory dump (it may say something like Small memory dump, Kernel memory dump, or Automatic memory dump).
  7. The Dump file field should say %SystemRoot%\MEMORY.DMP which means that it will save the dump as MEMORY.DMP in your Windows folder (usually C:\Windows). If it does not say %SystemRoot%\MEMORY.DMP then please change it so that it does.
  8. Make sure that Overwrite any existing file is selected.
  9. Click the OK button, and restart your computer to save the changes.

Note that this memory dump is going to be very large. You may need to use a file sharing service to send us the memory dump. WeTransfer offers 2GB for free without an account, and MEGA claims to offer 50GB for free (although an account is required). If you're feeling paranoid, feel free to password protect the archive you save with 7-Zip and send me the password in a private message. If you're required to enter our e-mail address when uploading the file, then feel free to enter [email protected] and paste the link to this forum topic in the message so that we know whose memory dump it is.


OK, all set up and tested - the dump file is now 2.9GB. Now, I suppose, we just wait for it to happen.


> the dump file is now 2.9GB.

Do you mean the compressed dump, or the actual dump file?  That size, if it's the actual dump file, suggests you may have 3 GB RAM in your machine?  If you have (lots) more then I'd have expected the dump to be bigger. 

And, did you note the point in one of the earlier discussion threads, that your paging file needs to be on the same disk as Windows is, and at least 257 MB larger than your system's amount of RAM. The dump gets written into the paging file when you have the BSOD (because the OS kernel knows that that is a safe place to put it but knows nothing else about files on the disk), and only moved out of that into C:\WINDOWS\MEMORY.DMP when you next boot the system. 

 

57 minutes ago, JeremyNicoll said:

did you note the point in one of the earlier discussion threads, that your paging file needs to be on the same disk as Windows is, and at least 257 MB larger than your system's amount of RAM.

Windows will usually keep the pagefile large enough by default. If it doesn't, then we'll cross that bridge when we have to. ;)


2.9GB is the size of the actual dump file created when I tested the mechanism. 

The installed RAM is 4GB but, being a 32-bit system, I realize that it's only able to access about 3GB without PAE and it all works well so I never experimented with that.  

Yes, the page-file is on the same disk as Windows.  Normally, I have it set to 5000MB (fixed) but I remembered reading that it has to be large enough to handle the dump process.  Suppose I should have delved further, but there's plenty of space so I simply set it to 10000MB (fixed).   Thanks for the info about  how the dump gets written Jeremy - didn't know about that mechanism, but it makes perfect sense! 


> Windows will usually keep the pagefile large enough by default. If it doesn't, then we'll cross that bridge when we have to. 

I believe that Windows' management of a system-managed pagefile size only adjusts its size based on the day-to-day normal use of the file by Windows, and doesn't adjust when an anomalous huge file is required for a full system dump.  Indeed I think you said in an earlier thread that pagefile size adjustment won't happen while a dump is being taken.   If one is trying to capture a dump for some problem that happens unpredictably I think it's stupid to deliberately not set the pagefile big enough from the start, if it means that when the problem does occur, only a partial dump will be taken.  It just means you have to go through the whole process again.

However Alan_S's fixed-size pagefile is clearly going to be adequate to the task.

15 hours ago, Alan_S said:

The installed RAM is 4GB but, being a 32-bit system, I realize that it's only able to access about 3GB without PAE and it all works well so I never experimented with that.

It's been a while, but if I remember right PAE is automatic in most versions of Windows. That being said, it's not uncommon for a motherboard to reserve RAM for its own usage, so it's possible that's why Windows only sees 2.9GB.


It happened again this morning, 2018-07-13. 

Powered on and started normally. After logon, quite a bit of disk activity which died down quickly. Nothing seemed to be happening. After a while, clicked the Start button. Nothing happened but the mouse cursor turned to an hourglass when hovered over the taskbar. Noted the system clock display in the notification area was not updating. Left this for a few minutes. Still frozen, so caused a BSOD using the Right Ctrl / Scr-lock / Scr-lock thing as above. BSOD was *** STOP: 0x000000E2 (0x00000000, 0x00000000, 0x00000000, 0x00000000) Pressed the computer's power button, which caused a re-boot. Let Windows start normally. Noticed EAM started updating. All seems normal now.

Event viewer shows:

Event ID: 1000 Logged 2018-07-13 07:48:20

Faulting application name: a2service.exe, version: 2018.6.0.8750, time stamp: 0x5b3a2dc0
Faulting module name: a2core.dll, version: 2018.4.0.1028, time stamp: 0x5ac376f1
Exception code: 0xc0000005
Fault offset: 0x0007f2f9
Faulting process id: 0x2dc
Faulting application start time: 0x01d41a6d08771c55
Faulting application path: C:\Program Files\Emsisoft Anti-Malware\a2service.exe
Faulting module path: C:\Program Files\Emsisoft Anti-Malware\a2core.dll
Report Id: 585f91af-8660-11e8-b0cc-001aa095aa60

Event ID: 1001 Logged 2018-07-13 07:57:05

The computer has rebooted from a bugcheck. The bugcheck was: 0x000000e2 (0x00000000, 0x00000000, 0x00000000, 0x00000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 071318-15615-01.


Event ID: 7022 Logged 2018-07-13 07:52:08

The Background Intelligent Transfer Service service hung on starting.
 

After re-starting, ran FRST and the Emsisoft Diagnostic Tool in case these can help.  I've sent them, and the memory dump, to  support.emsisoft.com via WeTransfer, mentioning you and this case in the message text.   


2018-07-13 11:15

Well, it happened yet again. This time on my HP laptop (the above post was about a freeze on the Dell stationary).

Powered on and started normally. After logon, did nothing at all: no use of keyboard and no clicking (well, I did pick up the mouse as such and move it as it was in the way). Waited a while as I noted that the only icons in the notification area were the Emsisoft shield, the battery indicator and the system clock, which stayed at 11:15. There should also be icons for the HP Quick Launcher, Synaptics Pointing Device, Sphinx Windows 10 Firewall Control, OpenOffice Quick Starter, Windows Action Centre, Wireless NW Access and Loudspeaker. At 11:25, caused a BSOD using the Right Ctrl / Scr-lock / Scr-lock mechanism as above. BSOD was *** STOP: 0x000000E2 (0x00000000, 0x00000000, 0x00000000, 0x00000000) Pressed the computer's power button, which caused a re-boot. Let Windows start normally. Noticed EAM started updating. All seems normal now.

 

Event viewer shows:

Event ID 1000 Logged 2018-07-13 11:15:07

Faulting application name: a2service.exe, version: 2018.6.0.8750, time stamp: 0x5b3a2dc0
Faulting module name: a2core.dll, version: 2018.4.0.1028, time stamp: 0x5ac376f1
Exception code: 0xc0000005
Fault offset: 0x0007f2f9
Faulting process id: 0x334
Faulting application start time: 0x01d41a89eda2194e
Faulting application path: C:\Program Files\Emsisoft Anti-Malware\a2service.exe
Faulting module path: C:\Program Files\Emsisoft Anti-Malware\a2core.dll
Report Id: 3b8f898d-867d-11e8-b6f4-9238f26662e5

Event ID 1001 Logged 2018-07-13 11:44:21

The computer has rebooted from a bugcheck. The bugcheck was: 0x000000e2 (0x00000000, 0x00000000, 0x00000000, 0x00000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 071318-15646-01.

 

I hope that this (reporting incidents on two different computers) doesn't confuse matters, but this incident could hardly be 'cleaner' – no clicking, no keyboard activity. What I find interesting is that this incident occurred on starting the HP laptop (for the first time today) just 3 1/2 hours after today's occurrence on the Dell. This also occurred 2018-06-21. There's no connection between the two, unless disk access is enabled manually.

 

After re-starting, ran FRST and the Emsisoft Diagnostic Tool in case these can help.  I've sent them to you via PM and sent the memory dump via WeTransfer, to  support.emsisoft.com, mentioning you and this case in the message text.   

 


I've received the memory dumps, and am downloading them. I'll let you know once someone has had a chance to look over them for me.


Just as a quick update to this, our developers are still trying to go over the memory dumps. Part of the stack trace was corrupted, which is making it difficult for them. It appears that something in a2service is getting stuck calling for a scan, however they haven't been able to figure out what yet.

I'll let you know if our developers ask for more debug info.


Thanks for the update!

Is there anything I can do in preparation so that the dump info will be OK next time it occurs?

What I have done is to turn on debug logging. When I had debug logging on before, it ran for over three weeks without any problems, so I turned it off as it seemed to be a 'vaccination'. But the last occurrence was after four weeks of success, so there's probably no connection. Anyway, thought it worth a try.

 

18 hours ago, Alan_S said:

Is there anything I can do in preparation so that the dump info will be OK next time it occurs?

Not without knowing why the stack is corrupt. If we knew what was causing it, then avoiding it might be possible, however I don't expect we will figure out why it's happening.


I seem to have this as well, but on Windows 10 x64.

Did not link the issue to EAM, but will check the event log when it happens again.

On 7/21/2018 at 2:41 PM, XIII said:

I seem to have this as well, but on Windows 10 x64.

Did not link the issue to EAM, but will check the event log when it happens again.

Are there any previous entries in your Event Logs regarding a2service.exe?


Occurred on powering on and starting my HP laptop this morning, 2018-07-25 at 08:49

Didn't press any keys, didn't click the mouse. Just lifted it out of the way.

All desktop icons but one didn't “iconize” but remained the generic “white sheet with a bent over top right corner”

The clock display didn't change from 08:49    Forgot to document which icons were present in the notification area.

08:15 activated a BSOD using the Right Ctrl / Scr-lock / Scr-lock mechanism as above.

Event viewer showed:

Event ID 1000 (Error) Logged 2018-07-25 08:49:08

Faulting application name: a2service.exe, version: 2018.6.0.8750, time stamp: 0x5b3a2dc0
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x00000000
Faulting process id: 0x338
Faulting application start time: 0x01d423e38542b2cf
Faulting application path: C:\Program Files\Emsisoft Anti-Malware\a2service.exe
Faulting module path: unknown
Report Id: d3abea9d-8fd6-11e8-8bef-ccbc49f8c7de

Event ID 1001 (Error) Logged 2018-07-25 09:02:25

The computer has rebooted from a bugcheck. The bugcheck was: 0x000000e2 (0x00000000, 0x00000000, 0x00000000, 0x00000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 072518-27814-01.

Event ID 219 (Warning) Logged 2018-07-25 08:48:37

The driver \Driver\WUDFRd failed to load for the device USB\VID_138A&PID_0007\00b032af7386.
(Note: This always seems to occur on start, seemingly without any harm. Don't know what I'm supposed to do about it...)


So, the usual pattern. But this time debug logging was active!

I've sent the following to [email protected] via WeTransfer, referring to this case and GT500.

MEMORY_DMP_HP_2018-07-25.7z
EmsisoftDiagLog.txt
FRST.txt
Addition.txt
a2guard_20180724134730(4272).7z
a2guard_20180725084900(3824).7z
a2guard_20180725090308(4380).7z
a2service_20180724134651(820).7z
a2service_20180725084840(824).7z
a2service_20180725090217(852).7z
a2start_20180724134744(5656).7z
a2start_20180725084922(4628).7z
a2start_20180725090329(5760).7z

As you see, I've also included logs before and after the event. Might be something helpful there?

Fingers crossed...
 


I've downloaded your logs, and will pass them on to the developer who was looking into this. ;)


BTW: My manager looked at your memory dump, and told me that your BIOS is from 2010, but HP has a newer BIOS released in 2015 for your computer. I know a BIOS update can be a bit nerve-racking, however in cases like this they can often help.

He also told me that 3 out of your 4 processor cores were idle in the memory dump, which seems rather odd. Are you using any sort of software that would restrict other programs to only running on specific CPU cores?


Sorry, have been busy lately. However, this morning I finally had another total lockup.

The Application error has indeed Event ID 1000 and the faulting application name is a2service.exe (version 2018.6.0.8750).

The faulting module name is KERNELBASE.dll, version 10.0.17134.165

The exception code is 0x0eedfade

Does this help?


First the “3 processor cores idle” observation. It only has two. According to Speccy, an Intel Core i5 560M Arrandale. But, also according to Speccy, it has 4 threads. Perhaps that's the explanation. Can't think of anything that would restrict processor usage, but I've included a list from Process Explorer in the material I've sent (see below).

My BIOS version on the 8440p Elitebook is F.11. I know it's antique, but I'm a bit reluctant to touch it. Apart from the fact that it's worked all these years, a major issue for me is what if an update proves problematic? HP offer two variants: F.12 (2011) and F.60 (2015). Why offer two with such a huge gap? Did they start a new branch? Something to do with UEFI? What's the difference and which to choose? I asked Mr. Google for advice and, as usual, didn't manage to find an authoritative and straight answer. Looking at the F.60 parentage, the description of its predecessor, F.50, states “NOTE: After this BIOS update has been installed, previous BIOS versions cannot be reinstalled.” So if there's a problem, it would appear to be a trip to the recycling centre.

Then there's the fact that the freeze trouble occurs on both my computers. Why, if the problem is the HP BIOS? And if it is, that's not going to help the Dell desktop: Dell's most recent effort, from 2009, is installed.

Sorry, that was a long ramble but what I'm saying is there are so many unknowns and potential pitfalls that I don't feel confident. If it ain't broke.... But if it becomes an absolute requirement, well, let's cross that bridge then.

One thing I forgot to mention before: The EliteBook OS is to all intents and purposes a clone of the Dell. Obviously different drivers etc. but I keep patches and other changes in sync.

I've used EAM since December 2011 without any major problems and suddenly last March the freezes started. I can't find any changes made before that time that look suspicious.


And a new freeze yesterday, 2016-07-26, on the laptop. Different from last, though it has happened before: After starting, clicked the desktop icon for the file manager (use XYplorer) but nothing happened. Moved the mouse pointer to the taskbar and it changed to an hourglass. Moved back to the desktop and it was normal. Clicked the desktop background and it became an hourglass there too. Decided a dump was in order so pressed right Ctrl and the screen immediately became misty, just like when using the Snipping Tool. Double-pressed Scr-Lock and got the BSOD.

Event viewer shows:

Event ID 1000 (Error) Logged 2018-07-26 14:35:30

Faulting application name: a2service.exe, version: 2018.6.0.8750, time stamp: 0x5b3a2dc0
Faulting module name: KERNELBASE.dll, version: 6.1.7601.24117, time stamp: 0x5add1e31
Exception code: 0x0eedfade
Fault offset: 0x0000845d
Faulting process id: 0x32c
Faulting application start time: 0x01d424dd137248f3
Faulting application path: C:\Program Files\Emsisoft Anti-Malware\a2service.exe
Faulting module path: C:\Windows\system32\KERNELBASE.dll
Report Id: 618cf357-90d0-11e8-b4b8-aef5eb95c4f2

Event ID 1001 (Error) Logged 2018-07-26 14:54:51

The computer has rebooted from a bugcheck. The bugcheck was: 0x000000e2 (0x00000000, 0x00000000, 0x00000000, 0x00000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 072618-30014-01.

I'll send the dump and the Process Explorer output via WeTransfer as before. Sadly, debug logging wasn't enabled. By the way, does a run of FRST and Emsisoft Diagnostic Tool provide anything beyond the runs you already have?
 

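Added example (not part of the original posts and not Emsisoft code): a small triage script that decodes the two Event ID 1000 records posted in this thread. The field values are copied from the posts; the function names and the exception-code table are this example's own.

```python
from datetime import datetime, timedelta, timezone

# Event ID 1000 bodies as posted in this thread, trimmed to the fields parsed here.
EVENT_0725 = """
Faulting application name: a2service.exe, version: 2018.6.0.8750, time stamp: 0x5b3a2dc0
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x00000000
Faulting process id: 0x338
Faulting application start time: 0x01d423e38542b2cf
"""
EVENT_0726 = """
Faulting application name: a2service.exe, version: 2018.6.0.8750, time stamp: 0x5b3a2dc0
Faulting module name: KERNELBASE.dll, version: 6.1.7601.24117, time stamp: 0x5add1e31
Exception code: 0x0eedfade
Fault offset: 0x0000845d
Faulting process id: 0x32c
Faulting application start time: 0x01d424dd137248f3
"""

# Meanings for the two codes seen in the thread (table is this example's own).
EXCEPTION_CODES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION (invalid memory access)",
    0x0EEDFADE: "Delphi language exception raised through RaiseException",
}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def parse_event(text):
    """Split 'Key: value' lines on the first colon only; values contain colons too."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition(":")
        fields[key.strip().lower()] = value.strip()
    return fields

def filetime_to_utc(hex_value):
    """The start time is a FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=int(hex_value, 16) // 10)

def triage(text):
    f = parse_event(text)
    code = int(f["exception code"], 16)
    module = f["faulting module name"].split(",")[0]
    return {
        "application": f["faulting application name"].split(",")[0],
        "module": module,
        "exception": EXCEPTION_CODES.get(code, "unlisted code 0x%08x" % code),
        "pid": int(f["faulting process id"], 16),  # decimal, as in debug log file names
        "started_utc": filetime_to_utc(f["faulting application start time"]),
        # "unknown" means the faulting address mapped to no loaded module.
        "unresolved_module": module == "unknown",
    }
```

The decoded process id for the 2018-07-25 record is 824, which matches the (824) suffix of the debug log a2service_20180725084840(824).7z listed earlier in the thread, so the event and the debug log belong to the same a2service.exe process.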

BTW, my computer is a no name PC with a Core 2 Duo (E8400), so it’s not HP specific.

My BIOS is even older, but MSI (motherboard manufacturer) does not offer anything more recent.

20 hours ago, Alan_S said:

First the “3 processor cores idle” observation. It only has two. According to Speccy, an Intel Core i5 560M Arrandale. But, also according to Speccy, it has 4 threads. Perhaps that's the explanation. Can't think of anything that would restrict processor usage, but I've included a list from Process Explorer in the material I've sent (see below).

It's due to Hyper-Threading. Each physical core is essentially split into two "logical cores", which are each capable of processing a single thread. It basically doubles the number of threads a physical core can process at the same time, and turns a dual-core CPU into a quad-core, a quad-core into an octa-core, etc.

 

20 hours ago, Alan_S said:

My BIOS version on the 8440p Elitebook is F.11.  ...  HP offer two variants: F.12 (2011) and F.60 (2015).  ...  What's the difference and which to choose?

I can't say what the difference is (not without being able to look at a changelog), however when it comes to choosing a BIOS update the recommendation is usually to choose the newest one, as it will be the least likely to have problems. Usually if there are special considerations when installing a BIOS update (such as needing to update to a specific BIOS version before updating to the latest) then the manufacturer will mention that in the download description or the changelog.

 

20 hours ago, Alan_S said:

By the way, does a run of FRST and Emsisoft Diagnostic Tool provide anything beyond the runs you already have?

More than likely not, unless there have been any changes to the system. FRST's Addition log does list the last 10 errors from the Event Viewer, however those aren't always helpful (certainly not as helpful as debug logs and memory dumps).

 

20 hours ago, Alan_S said:

I'll send the dump and the Process Explorer output via WeTransfer as before.

I'm going to hold off on downloading any further memory dumps for now. Our developers haven't finished with the last one yet, and I don't want to keep sending them new ones until they've had a chance to at least go over what they have. Memory dumps are rather large, and take a lot of time to download and analyze.

If we need any more memory dumps, then I'll let you know. ;)

 

22 hours ago, XIII said:

Sorry, have been busy lately. However, this morning I finally had another total lockup.

The Application error has indeed Event ID 1000 and the faulting application name is a2service.exe (version 2018.6.0.8750).

The faulting module name is KERNELBASE.dll, version 10.0.17134.165

The exception code is 0x0eedfade

Does this help?

In this case the information from the Event Viewer isn't extremely helpful. We'd need memory dumps and debug logs.

That being said, if it is the same issue that Alan_S has been having, then we should have plenty of those for now.


Thanks for the explanation re threads.  Never get too old to learn something new!

The BIOS "questions" were rhetorical really, to explain my hesitation. If it comes to a BIOS upgrade I'll see if HP support can help.

I actually hesitated to send the new dump, thinking exactly what you said.  Did so anyway as the symptoms are a little bit different, though I doubt the underlying cause is.  If you do need it, just give a shout as I've kept the material.


I haven't heard anything from our developers yet, so I'll try to check in with them and see if they have anything new for me on this.


FYI: Our developers believe they have figured out what is causing the issue you encountered, and hope to be able to get it fixed soon.


OK. Feel free to keep an eye on our Product Update and Beta Update blogs just in case I'm not able to let you know when the fix is available:
https://blog.emsisoft.com/en/category/emsisoft-news/product-updates/
https://blog.emsisoft.com/en/category/emsisoft-news/beta-updates/

FYI: We have RSS feeds for each of those as well if you want to be automatically notified when there's a new version of our software:
https://blog.emsisoft.com/en/category/emsisoft-news/product-updates/feed/
https://blog.emsisoft.com/en/category/emsisoft-news/beta-updates/feed/


I'm already on the beta channel and I do subscribe to the updates feed.

I was not aware of the beta feed though. Subscribed. Thanks!


When we updated the blog recently we added new feeds. Betas are often published under "Product Updates", so most of the time you won't miss betas if you only subscribe to that feed.


Any update on this?

This week the behavior got way worse. Two EAM updates that required a program restart. Both locked up my PC and I had to force a reboot. That boot locked up the PC again and I had to force another boot. Only then I could start working again (actually in one instance Windows complained that it could no longer boot, but another restart fixed this).

I'm close to (temporarily) uninstalling EAM since EAM is currently a bigger risk to losing work than malware is... 😢

 

 


The newest beta, released only a few minutes ago, addresses problems with a2service not shutting down properly (a 32 second delay on my system is now fixed, with shutdown being nearly instant).  I don't know if whatever they changed will also make a difference for your problem.  It might be better to wait until Arthur (GT500) comments...


This newest beta was the second update this week that locked my PC twice... 😢

The problem in this topic seems more related to not properly starting?


The newest beta, though, required the older product to restart... so a locked pc as the old thing was replaced would be the old version failing not the new one.  If you had a lockup with the newest one (8843) after it was installed, you need to report it on the Betas part of the forum.


I haven't been given any further information on the issue reported by Alan_S. I was told that a fix is being worked on, but we don't generally like to estimate when such fixes may be done simply because we don't want to disappoint anyone if we don't meet an ETA that we give.

20 hours ago, JeremyNicoll said:

The newest beta, though, required the older product to restart... so a locked pc as the old thing was replaced would be the old version failing not the new one.

Huh, why would the old version restart after an update?


Sorry, what I wrote was unclear... I meant that the older product initiated the restart, so if it 'locked the pc' while it was shutting down or it was arranging for the new code to start, that 'lock' would be in the old code not the new code.


Could be, but then it would be a new issue, which I hope is not the case.

I think it's more likely the issue already reported here: EAM locking the PC when it starts.
