
Endpoint v10 + Procmon.exe = bsod on Windows 7

To recreate this problem, all I need to do is:

run procmon.exe from Sysinternals (now Microsoft)

Set the filter to "Category = write", Add

Drop filtered events

Start monitor

After 100+ events I get a blue screen of death.

SYSTEM_SERVICE_EXCEPTION 0x0000003b 00000000`c0000005 fffff880`06c1344c fffff880`0766ce50 00000000`00000000 PROCMON23.SYS PROCMON23.SYS+844c     x64 ntoskrnl.exe+7f1c0     

I have tried excluding 2 files from the on-access scanning without success: procmon.exe and procmon23.sys (mentioned in the bsod error). Both are portable files, so they have no fixed install path; is this required?

Has anyone had the same problem, and could you share any workarounds you have put in place?

Many thanks.



  • Hello winny_uk, and how does Sophos come into play here? In the information you've posted I don't see any reference to Sophos (other than that you've attempted to exclude "something" from scanning, but the details hint at a misconception).

    Christian
  • Hi,

    3.0.3 configured in that way on my Win 64-bit (Pro) doesn't cause me a problem. SAV 10.0.6 installed.

    I assume if you uninstall SAV, you don't get the problem?

    Can you generate a full mem dmp, run it through WinDbg and run !analyze -v. What does that say?

    Regards,

    Jak

  • Thanks for the replies. I don't have any conclusive proof that Sophos is involved, but previously I've had the same problem with Kaspersky AV and Procmon. Adding exclusions to KAV stopped the bsod, so I presumed both products were trying to hook into the same routines.

    We eventually moved from KAV to Sophos v9 and I experienced no problems running Procmon, until the recent upgrade to v10 when it has started happening.

    I have opened a thread in the Procmon support forum and will share any further information for users that might be having similar issues.

  • Thanks Jak.

    It's reassuring to see a working combination so I'm hopeful there is a solution for this. I'm running Windows 7 Pro (64bit), Sophos v10.0.6, Procmon v3.1.0.

    I'll follow your suggestion and post back the results.

    Many thanks.

  • The windbg !analyze -v output is below.

    Microsoft (R) Windows Debugger Version 6.2.8400.0 AMD64
    Copyright (c) Microsoft Corporation. All rights reserved.
    
    
    Loading Dump File [C:\Windows\Minidump\071712-30856-01.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available
    
    Symbol search path is: SRV*C:\Program Files (x86)\Windows Kits\8.0\Symbols*http://msdl.microsoft.com/download/symbols
    Executable search path is: 
    Windows 7 Kernel Version 7601 (Service Pack 1) MP (8 procs) Free x64
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 7601.17835.amd64fre.win7sp1_gdr.120503-2030
    Machine Name:
    Kernel base = 0xfffff800`02c55000 PsLoadedModuleList = 0xfffff800`02e99670
    Debug session time: Tue Jul 17 16:36:22.354 2012 (UTC + 1:00)
    System Uptime: 0 days 0:08:42.275
    Loading Kernel Symbols
    ...............................................................
    ................................................................
    ..............................
    Loading User Symbols
    Loading unloaded module list
    ....
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    Use !analyze -v to get detailed debugging information.
    
    BugCheck 3B, {c0000005, fffff88006c1344c, fffff8800766ce50, 0}
    
    Probably caused by : PROCMON23.SYS ( PROCMON23+844c )
    
    Followup: MachineOwner
    ---------
    
    7: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    SYSTEM_SERVICE_EXCEPTION (3b)
    An exception happened while executing a system service routine.
    Arguments:
    Arg1: 00000000c0000005, Exception code that caused the bugcheck
    Arg2: fffff88006c1344c, Address of the instruction which caused the bugcheck
    Arg3: fffff8800766ce50, Address of the context record for the exception that caused the bugcheck
    Arg4: 0000000000000000, zero.
    
    Debugging Details:
    ------------------
    
    
    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
    
    FAULTING_IP: 
    PROCMON23+844c
    fffff880`06c1344c 0fb708          movzx   ecx,word ptr [rax]
    
    CONTEXT:  fffff8800766ce50 -- (.cxr 0xfffff8800766ce50)
    rax=0000000000000007 rbx=fffffa800981bb50 rcx=000000000000004d
    rdx=0000000000000007 rsi=fffffa800981bba0 rdi=0000000000000000
    rip=fffff88006c1344c rsp=fffff8800766d830 rbp=0000000000000000
     r8=0000000004530000  r9=0000000000265000 r10=fffffa80089a0450
    r11=0000000000000001 r12=0000000000000001 r13=fffff8800766db00
    r14=fffffa8006a3f060 r15=fffff8800766dc20
    iopl=0         nv up ei ng nz na po nc
    cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010286
    PROCMON23+0x844c:
    fffff880`06c1344c 0fb708          movzx   ecx,word ptr [rax] ds:002b:00000000`00000007=????
    Resetting default scope
    
    CUSTOMER_CRASH_COUNT:  1
    
    DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT
    
    BUGCHECK_STR:  0x3B
    
    PROCESS_NAME:  VIGUARD.exe
    
    CURRENT_IRQL:  1
    
    LAST_CONTROL_TRANSFER:  from 0000000000000000 to fffff88006c1344c
    
    STACK_TEXT:  
    fffff880`0766d830 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : PROCMON23+0x844c
    
    
    FOLLOWUP_IP: 
    PROCMON23+844c
    fffff880`06c1344c 0fb708          movzx   ecx,word ptr [rax]
    
    SYMBOL_STACK_INDEX:  0
    
    SYMBOL_NAME:  PROCMON23+844c
    
    FOLLOWUP_NAME:  MachineOwner
    
    MODULE_NAME: PROCMON23
    
    IMAGE_NAME:  PROCMON23.SYS
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  4f7f1562
    
    STACK_COMMAND:  .cxr 0xfffff8800766ce50 ; kb
    
    FAILURE_BUCKET_ID:  X64_0x3B_PROCMON23+844c
    
    BUCKET_ID:  X64_0x3B_PROCMON23+844c
    
    Followup: MachineOwner
    ---------
    
    

    Another 3rd party executable is mentioned in the output, VIGUARD.EXE, which is included in the LANDesk client suite. I will try removing these other elements, test again, and report back.

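    As an added illustration (not code from the thread), a small Python triage script that pulls the fields a defender cares about out of the !analyze -v transcript above and works out what the faulting instruction actually touched: rax held 7 when `movzx ecx,word ptr [rax]` ran, so PROCMON23.SYS dereferenced a near-null pointer. The sample input is an excerpt of the output quoted in this post; the 64 KiB "null page" threshold and the register-name regex are my assumptions.

```python
import re

# Constructed sample: an excerpt of the !analyze -v output quoted in the thread above.
SAMPLE = """\
BugCheck 3B, {c0000005, fffff88006c1344c, fffff8800766ce50, 0}
Probably caused by : PROCMON23.SYS ( PROCMON23+844c )
FAULTING_IP:
PROCMON23+844c
fffff880`06c1344c 0fb708          movzx   ecx,word ptr [rax]
rax=0000000000000007 rbx=fffffa800981bb50 rcx=000000000000004d
rip=fffff88006c1344c rsp=fffff8800766d830 rbp=0000000000000000
PROCESS_NAME:  VIGUARD.exe
FAILURE_BUCKET_ID:  X64_0x3B_PROCMON23+844c
"""

NULL_PAGE_LIMIT = 0x10000  # assumption: anything below 64 KiB is treated as a (near-)null pointer


def parse_analyze(text):
    """Pull the triage-relevant fields out of a WinDbg !analyze -v transcript."""
    info = {}
    m = re.search(r"BugCheck\s+([0-9A-Fa-f]+),\s*\{([^}]*)\}", text)
    info["bugcheck"] = int(m.group(1), 16)
    info["args"] = [int(a.strip(), 16) for a in m.group(2).split(",")]
    m = re.search(r"Probably caused by\s*:\s*(\S+)\s*\(\s*([^)]+?)\s*\)", text)
    info["module"], info["symbol"] = m.group(1), m.group(2)
    m = re.search(r"PROCESS_NAME:\s*(\S+)", text)
    info["process"] = m.group(1)
    # Registers are printed as "rax=0000000000000007"; collect every 64-bit one.
    info["regs"] = {r: int(v, 16) for r, v in re.findall(r"\b(r[a-z0-9]+)=([0-9a-f]{16})", text)}
    # Faulting instruction: the first disassembly line that carries a [reg] memory operand.
    m = re.search(r"^[0-9a-f]+`[0-9a-f]+\s+[0-9a-f]+\s+(\w+)\s+(.*\[(\w+)\].*)$", text, re.M)
    info["mnemonic"], info["operands"], info["base_reg"] = m.group(1), m.group(2).strip(), m.group(3)
    return info


def classify(info):
    """Turn the parsed fields into a one-line verdict on the kind of fault."""
    if info["bugcheck"] != 0x3B or info["args"][0] != 0xC0000005:
        return "not an access-violation SYSTEM_SERVICE_EXCEPTION"
    addr = info["regs"].get(info["base_reg"])  # value of the register the instruction dereferenced
    if addr is not None and addr < NULL_PAGE_LIMIT:
        return "near-null pointer dereference at 0x%x in %s" % (addr, info["module"])
    return "access violation in %s" % info["module"]


if __name__ == "__main__":
    print(classify(parse_analyze(SAMPLE)))
```

    Note that this only names the driver whose code faulted and the process that was running; it cannot by itself tell which of the three filter drivers involved handed Procmon the bad data, which is exactly the question the rest of the thread settles by elimination.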
  • I have uninstalled Sophos and can now run Procmon without the bsod problem.

  • What about VIGUARD.EXE: with Sophos installed and the LANDesk software uninstalled, does it also work?

    Regards,

    Jak

  • Sorry for the delayed response.

    I'm pleased to confirm that removing Sophos OR the Landesk Client allows Process Monitor to run without a BSOD on my PC.

  • Hi,

    Good to know. I thought it must be the case, as I think over the years I've run just about every version of ProcMon with every version of SAV without an issue.

    Out of interest, if you just kill the ViGUARD.exe process but leave the Landesk Client software installed with Sophos, does it work? It may well be that there is a driver the ViGUARD.exe process interacts with, but it would be nice to know exactly where the conflict lies.

    I did a quick Google for Viguard.exe as I don't have the Landesk software, and I see that the ViGUARD.exe process is started from the Run key:

    HKLM\..\Run: [ViGUARD] "C:\Program Files\ViGUARD\ViGUARD.EXE" /STARTUP 

    so you could re-launch it with /STARTUP I suppose.

    Regards,

    Jak

  • Thanks for your help and suggestions Jak.

    Killing the "viguard.exe" process before running Procmon with Sophos enabled works correctly every time. Viguard is described as "LANDesk Endpoint Security |  LANDesk Host Intrusion Prevention".

    I've checked the Landesk forums and cannot find any reference to BSOD in relation to Sophos, so as soon as I hear from their Customer Support I'll provide an update.

    Many thanks.
