Failed to Attach Driver Kernel


redwolfe_98
December 5th, 2003, 01:59 AM
I get "failed to attach driver kernel, make sure pg is properly installed" every time I boot up. Is everyone else having the same problem?

Jason_DiamondCS
December 5th, 2003, 02:20 AM
What version of Process Guard?

-Jason-

redwolfe_98
December 5th, 2003, 03:11 AM
I experienced it both with the free version of 1.1 and the full version.. (I never used the 1.0 version) PG still seems to run properly, as far as I can tell, despite that message.. (except for the major shutdown problem) If I disable processguard from startup, but not the other related process, I don't see the message. My computer is pretty clean, not a lot of junk installed. I use kerio 2.15, trojan hunter, and etrust's ez av. It still happens when everything else is disabled.

redwolfe_98
December 5th, 2003, 04:21 AM
OK, I have 1.15 installed now. I am still getting that same message at bootup, "could not attach driver kernel". The program seems to be running properly, and my msinfo32 shows that the procguard.sys driver is running.. I have found that if procguard is disabled in msconfig/startup, then I don't get the message. Here is the way things look in my msinfo32:
procguard***procguard***\??\c:\windows\system32\drivers\procguard.sys***Kernel Driver***Yes***Auto***Running***OK***Normal***No***Yes
I am curious about the question marks at the beginning of the line.. does that indicate that something is wrong?..
I am interested in knowing if this is a common problem that everyone else is also experiencing.

Pilli
December 5th, 2003, 04:41 AM
{QUOTE-> i am interested in knowing if this is a common problem that everyone else is also experiencing. <-QUOTE}

Not here, I have had the non-attach problem in the past but not with the latest builds.

Try bootvis to see if that will optimize your start up as it is possibly a timing problem :)
http://www.chip.de/downloads/c_downloads_8833486.html

HTH Pilli

redwolfe_98
December 5th, 2003, 04:48 AM
Yes Phil, that is what I was thinking, too. The program seems to run OK otherwise, and if I don't have procguard auto-starting, I don't get the message. It says at the top of the procguard window that "this program does not have to be running for you to be protected" (or something like that). So.. if it isn't necessary for procguard to be running, it doesn't need to autostart, and the program will still be protecting me. That would suit me fine, if that is right.

Pilli
December 5th, 2003, 05:16 AM
redwolfe_98.
Yep, procguard.exe does not need to run once you have enabled protection and completed your list.
Procguard.sys will stay enabled until such a time as you alter the contents via procguard.exe.
So in effect, once you have your list set it is "set it and forget it" :)
You can always check that procguard.sys is working through Sys Info, Environmental settings, drivers

Still might be worth trying Bootvis to ensure your boot is set to the optimal.

redwolfe_98
December 5th, 2003, 06:41 AM
It is a conflict with the kerio 2.15 firewall.. I disabled it in msconfig/services, and then the message from procguard didn't pop up. That is what I thought was causing the problem.. I remember, when I first started using tiny's tpf, which is now kerio 2.15, their saying something about it working at a low level.. Everything is back to normal now.. I can easily run procguard from start/all programs.

Gavin - DiamondCS
December 5th, 2003, 06:57 AM
Hm.. I've had a think about it and as much as I hope you DON'T have a rootkit, there is a small chance. Either that or a low level driver which is doing something unusual.

So.. can you tell us everything that is installed on the system? I'll PM you my home email and take a look; please run ASViewer from Safe Mode and turn on the options to show drivers etc.

http://www.diamondcs.com.au/index.php?page=asviewer

Pilli
December 5th, 2003, 08:01 AM
Redwolf_98, take Gavin's advice, as I run Kerio 2.1.5 & PG with no conflicts whatsoever on my laptop.

fguest
December 5th, 2003, 08:18 AM
Gavin:

I also experienced this problem. It did not occur on my real computer (Kerio 2.15 is running on it). It did occur on my clean VMWare machine. It did not occur on my clean VirtualPC 2004 machine.

Maybe it's really a timing problem?

Cheers.

Gavin - DiamondCS
December 5th, 2003, 09:30 AM
VMWare machine ? ;D

But that's not a real machine. It's emulator translation deficiencies. Rootkits and other patchers don't run under VMware either because it's not a REAL OS and the patching they attempt isn't emulated.

MS Virtual PC is the former Connectix Virtual PC and we are familiar with this :) Microsoft have a better knowledge of their own OS and emulation of the OS obviously; I am sure that theirs will become the best virtual machine. I'm also sure we are going to be using this soon (read: everyone else will be too)

I haven't tried Virtual PC (Connectix) because there is no point testing low level device drivers on a virtual OS.. but it might be that THEY implemented the emulation better. But I still think it's probably a matter of MS knowing their own OS better? ;)

gguest
December 6th, 2003, 05:00 AM
@Gavin I agree. But it seems that the problem has also occurred on a real computer (i.e., neither VMWare nor a rootkit seem to be the reason for the problem). Anyway, I just wanted to let you know that there is not only one but two persons who have experienced the same problem.

Btw.: Does or will PG support the native NT API ?

Cheers.

WilliamP
December 6th, 2003, 08:10 AM
I downloaded 1.15 yesterday and this morning it did not connect. I have Windows XP, Norton firewall, NOD32, TDS3, AD-Aware, and Spy Bot S&D. Other than the not connect, which I also had with 1.0, no problems.

WilliamP
December 6th, 2003, 08:41 AM
I just wanted to add that I can't load TDS3 on boot either. So I have a program Boot Man and I don't let it start at boot. I double click on the shortcut and start it. I guess I'll have to do the same thing with PG. Maybe NOD doesn't want them to start. I can live with it.

Gavin - DiamondCS
December 7th, 2003, 03:32 AM
Looking at the few reports there might be a timing issue; it won't be long before we isolate whatever is happening. Please ensure, if you have the problem, that you send as much info about your machine as possible along with an ASViewer log.

Has anyone tried not starting PG at boot or at least delaying it until last? If this works then you can add a shortcut to PG to the start menu "StartUp", which would confirm it's a timing or other driver conflict.

Pilli
December 7th, 2003, 03:53 AM
Jason & Gavin, I have found that running Bootvis - Next boot + driver delays will show you graphically what is booting etc. Then use Bootvis Optimise system, as this rearranges the boot area for optimal operation.

New drivers such as the Windows update from MP8 to MP9 can also cause the PG not to attach correctly. (I found this out last night)

So a timing error or more like a driver boot up execution race :)

WilliamP
December 7th, 2003, 07:48 AM
Pilli, as I stated in my previous post, it doesn't want to attach at boot. No problems at all if I start it from the shortcut. Here is my ASViewer report:
DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Lou Preto@LULU, 12-07-2003
c:\windows\system32\autoexec.nt
C:\WINDOWS\system32\mscdexnt.exe
C:\WINDOWS\system32\redir.exe
C:\WINDOWS\system32\dosx.exe
c:\windows\system32\config.nt
C:\WINDOWS\system32\himem.sys
c:\windows\wininit.ini [rename]
NULL=C:\WINDOWS\emu10k1f.sys
NULL=C:\WINDOWS\2gmgsmt.sf2
NULL=C:\WINDOWS\SYSTEM32\devldr16.exe
NULL=C:\WINDOWS\SYSTEM32\ctwdm16.drv
NULL=C:\WINDOWS\ctlface.sys
NULL=C:\WINDOWS\sfman.sys
NULL=C:\WINDOWS\eapci2m.ecw
NULL=C:\WINDOWS\inf\other\oem30.inf
NULL=C:\WINDOWS\inf\Creativeoem30.inf
NULL=C:\WINDOWS\inf\other\Creativeoem30.inf
c:\windows\system.ini [drivers]
timer=timer.drv
c:\windows\system.ini [boot]\shell
C:\WINDOWS\Explorer.exe
c:\windows\system.ini [boot]\scrnsave.exe
C:\WINDOWS\System32\plusspac.scr
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
C:\WINDOWS\Explorer.exe
HKCU\Control Panel\Desktop\scrnsave.exe
C:\WINDOWS\System32\plusspac.scr
HKCR\htafile\shell\open\command\
C:\Program Files\Script Sentry\ScriptSentry.exe "%1" %*
HKCR\vbsfile\shell\open\command\
C:\Program Files\Script Sentry\ScriptSentry.exe "%1" %*
HKCR\vbefile\shell\open\command\
C:\Program Files\Script Sentry\ScriptSentry.exe "%1" %*
HKCR\jsfile\shell\open\command\
C:\Program Files\Script Sentry\ScriptSentry.exe "%1" %*
HKCR\jsefile\shell\open\command\
C:\Program Files\Script Sentry\ScriptSentry.exe "%1" %*
HKCR\wshfile\shell\open\command\
C:\Program Files\Script Sentry\ScriptSentry.exe "%1" %*
HKCR\wsffile\shell\open\command\
C:\Program Files\Script Sentry\ScriptSentry.exe "%1" %*
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\QuickTime Task
C:\WINDOWS\System32\qttask.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NvCplDaemon
RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\iamapp
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HP Lamp
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DellTouch
C:\WINDOWS\DELLMMKB.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\BJCFD
C:\Program Files\BellSouth\Client Foundation\CFD.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Tweak UI
RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\nod32kui
C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TkBellExe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ScriptSentry
C:\Program Files\Script Sentry\ScriptSentry.exe /check
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe
C:\WINDOWS\System32\ctfmon.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\System32\webcheck.dll
C:\WINDOWS\System32\stobject.dll
C:\WINDOWS\Tasks\Symantec NetDetect.job
C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
C:\Documents and Settings\Lou Preto\Start Menu\Programs\Startup\Cookie Pal.lnk
C:\Program Files\CPal\CPal.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\APC UPS Status.lnk
C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PageKeeper Jobs.lnk
C:\Program Files\Caere\PageKeeper30\system\PKJobs.exe
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
autocheck autochk *
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
C:\WINDOWS\system32\userinit.exe
HKLM\System\CurrentControlSet\Control\WOW\cmdline
C:\WINDOWS\system32\ntvdm.exe
HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
C:\WINDOWS\system32\imon.dll
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\rsvpsp.dll
HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
C:\WINDOWS\system32\JAVASUP.VXD
autostart

Pilli
December 7th, 2003, 08:56 AM
OK WilliamP, one thing I notice is that you do not have a procguard autostart entry? Or maybe I am missing it :) I have put a space around my AsViewer entry.

DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for 127.0.0.1 12-07-2003
c:\windows\system32\autoexec.nt
C:\WINDOWS\system32\mscdexnt.exe
C:\WINDOWS\system32\redir.exe
C:\WINDOWS\system32\dosx.exe
c:\windows\system32\config.nt
C:\WINDOWS\system32\himem.sys
c:\windows\wininit.ini [rename]
NUL=C:\DOCUME~1\Alan\LOCALS~1\Temp\ginstall.dll
c:\windows\system.ini [drivers]
timer=timer.drv
c:\windows\system.ini [boot]\shell
C:\WINDOWS\Explorer.exe
c:\windows\system.ini [boot]\scrnsave.exe
C:\WINDOWS\System32\logon.scr
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
C:\WINDOWS\Explorer.exe
HKCU\Control Panel\Desktop\scrnsave.exe
C:\WINDOWS\System32\logon.scr
HKCR\vbsfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\vbefile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsefile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wshfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wsffile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NvCplDaemon
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\nwiz
nwiz.exe /install
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SystemTray
C:\WINDOWS\system32\SysTray.Exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\FmctrlTray
C:\WINDOWS\system32\Fmctrl.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AVPCC
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpcc.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NeroCheck
C:\WINDOWS\System32\NeroCheck.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\GhostStartTrayApp
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SmcService
C:\PROGRA~1\Sygate\SPF\Smc.exe -startgui
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\RCScheduleCheck
C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ProcGuard_Startup
C:\Program Files\ProcessGuard\procguard.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\CTFMON.EXE
C:\WINDOWS\System32\ctfmon.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\b9
C:\Program Files\Firetrust\Benign\B9.exe /minimize
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MailWasher
C:\PROGRA~1\MAILWA~1\MAILWA~1.EXE
HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\CTFMON.EXE
C:\WINDOWS\System32\CTFMON.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\System32\webcheck.dll
C:\WINDOWS\System32\stobject.dll
C:\WINDOWS\Tasks\1 Copernic Intra-Daily ~AMD8 Alan.job
C:\Program Files\Copernic Agent\CopernicAgent.exe
C:\WINDOWS\Tasks\2 Copernic Daily ~AMD8 Alan.job
C:\Program Files\Copernic Agent\CopernicAgent.exe
C:\WINDOWS\Tasks\3 Copernic Weekly ~AMD8 Alan.job
C:\Program Files\Copernic Agent\CopernicAgent.exe
C:\WINDOWS\Tasks\4 Copernic Monthly ~AMD8 Alan.job
C:\Program Files\Copernic Agent\CopernicAgent.exe
C:\WINDOWS\Tasks\Scheduled Checkpoint.job
C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE
C:\Documents and Settings\Alan\Start Menu\Programs\Startup\SpywareGuard.lnk
C:\Program Files\SpywareGuard\sgmain.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
C:\Program Files\Microsoft Office\OFFICE10\ONENOTEM.EXE
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
autocheck autochk *
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
C:\WINDOWS\system32\userinit.exe
HKLM\System\CurrentControlSet\Control\WOW\cmdline
C:\WINDOWS\system32\ntvdm.exe
HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
C:\WINDOWS\System32\dcsws2.dll
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\rsvpsp.dll
HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
C:\WINDOWS\system32\JAVASUP.VXD
HKLM\System\CurrentControlSet\Services\VxD\VGARTD\
vgartd.vxd
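Pilli's check above (does WilliamP's report contain a procguard autostart entry?) is easy to miss by eye in a report this long. Here is an added example, not code from the thread or from DiamondCS, that parses an Autostart Viewer report into (location, targets) pairs and answers that question programmatically. It relies only on the layout visible in the posted reports; the rules for telling a location line from a target line, and the two trimmed excerpts it runs on, are assumptions constructed from those posts, not a published format specification.

```python
"""Parse a DiamondCS Autostart Viewer (ASViewer) text report.

Added illustration for this thread, not DiamondCS code. It relies only on the
report layout visible in the posts above: a one-line header, then an autostart
LOCATION (a registry Run key, a .job scheduled task, a Startup-folder .lnk, or
an ini/.nt file plus section) followed by one or more TARGET lines naming what
that location launches. The location heuristics are assumptions derived from
those posted reports, not a published format specification.
"""
import re

# Registry hives that start a location line in the posted reports.
HIVES = ("HKLM\\", "HKCU\\", "HKCR\\", "HKU\\")
# File-based locations: autoexec.nt / config.nt, ini files, scheduled tasks, Startup shortcuts.
LOCATION_SUFFIXES = (".nt", ".ini", ".job", ".lnk")
# Header: "DiamondCS Autostart Viewer (...) - Report for <user>, <mm-dd-yyyy>"; the comma
# is missing in one of the posted reports, so it is optional here.
HEADER_RE = re.compile(
    r"^-?DiamondCS Autostart Viewer .*? - Report for (.+?),? (\d{2}-\d{2}-\d{4})-?$"
)


def is_location(line):
    """Heuristic: does this report line name an autostart location (vs. a launch target)?"""
    if line.startswith(HIVES):
        return True
    low = line.lower()
    if " [" in low:            # ini section, e.g. "c:\windows\system.ini [boot]\shell"
        return True
    return low.endswith(LOCATION_SUFFIXES)


def parse_report(text):
    """Return (header, entries); entries is a list of (location, [targets]) in report order."""
    header = {"user": None, "date": None}
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue               # posters insert blank lines for emphasis; ignore them
        m = HEADER_RE.match(line)
        if m:
            header["user"], header["date"] = m.group(1), m.group(2)
            continue
        if is_location(line):
            current = (line, [])
            entries.append(current)
        elif current is not None:
            current[1].append(line)
        else:
            # A target before any location: keep it visible instead of dropping it silently.
            entries.append(("<no location>", [line]))
    return header, entries


def find_targets(entries, needle):
    """(location, target) pairs whose target contains needle, case-insensitively."""
    needle = needle.lower()
    return [(loc, t) for loc, targets in entries for t in targets if needle in t.lower()]


def starts_at_logon(entries, exe_name):
    """True if exe_name is launched from a Run key or a Startup folder, which is
    what Pilli is checking for when he looks for a procguard autostart entry."""
    return any("\\CurrentVersion\\Run\\" in loc or "\\Startup\\" in loc
               for loc, _ in find_targets(entries, exe_name))


def temp_dir_targets(entries):
    """Triage heuristic: autostart targets under a Temp directory deserve a second
    look (Pilli's own report has one under wininit.ini [rename])."""
    return [(loc, t) for loc, targets in entries for t in targets if "\\temp\\" in t.lower()]


# Constructed excerpts of the two reports posted above (Pilli's and WilliamP's), trimmed.
PILLI_EXCERPT = r"""
DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for 127.0.0.1 12-07-2003
c:\windows\system32\autoexec.nt
C:\WINDOWS\system32\mscdexnt.exe
C:\WINDOWS\system32\redir.exe
C:\WINDOWS\system32\dosx.exe
c:\windows\wininit.ini [rename]
NUL=C:\DOCUME~1\Alan\LOCALS~1\Temp\ginstall.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SmcService
C:\PROGRA~1\Sygate\SPF\Smc.exe -startgui

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ProcGuard_Startup
C:\Program Files\ProcessGuard\procguard.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\System32\webcheck.dll
"""

WILLIAMP_EXCERPT = r"""
DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Lou Preto@LULU, 12-07-2003
c:\windows\system32\autoexec.nt
C:\WINDOWS\system32\mscdexnt.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\iamapp
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\nod32kui
C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
C:\Documents and Settings\Lou Preto\Start Menu\Programs\Startup\Cookie Pal.lnk
C:\Program Files\CPal\CPal.exe
"""

if __name__ == "__main__":
    for name, text in (("Pilli", PILLI_EXCERPT), ("WilliamP", WILLIAMP_EXCERPT)):
        header, entries = parse_report(text)
        print(f"{name}: report for {header['user']} on {header['date']}, "
              f"{len(entries)} locations, procguard.exe at logon: "
              f"{starts_at_logon(entries, 'procguard.exe')}")
        for loc, target in temp_dir_targets(entries):
            print(f"  Temp-directory target: {target}  <- {loc}")
```

Run against the full reports in this thread, `starts_at_logon(entries, "procguard.exe")` is True for Pilli's and donsan709's reports and False for WilliamP's, which matches what Pilli noticed and what WilliamP later confirms (he disabled PG at boot with Start Man). The Temp-directory check is a triage hint, not a verdict: a `wininit.ini [rename]` line pointing into a Temp folder is also how legitimate installers finish replacing in-use files.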

WilliamP
December 7th, 2003, 09:26 AM
I have a program called Start Man and have PG set up to not start at boot. I did that so I could start it after boot. Then I have no problems with it connecting.

donsan709
December 7th, 2003, 09:34 AM
After installing the new version of PG, which went very well, I didn't think there would be any problems. I was very aware of the shut down problem with version 1.1 and from reading the post I thought this was fixed with 1.150. So this morning I figured I would do a restart just to check if all was working. There was no problem with the shut down, but on the restart, when the log into windows screen came up and I clicked to log in, the computer went through another restart and a scan disk for fatal errors. After that it went back to the log in screen and once again went through the same problem, and after the third time everything went OK, but MS reported a fatal error and asked if I would like to send, which I didn't for the time being. My concern is what happens when you have updates where you need to restart your computer; is this going to botch the update process? I like this program and want to keep it but I'm not tech enough to deal with possible problems. System: XP Home, DSL.

Pilli
December 7th, 2003, 09:49 AM
Hmm, Well at least Jason will have some AsViewer.txt's to peruse, hopefully others will also post.

Pilli
December 7th, 2003, 09:58 AM
Hello & welcome donsan709,
DCS are trying to ascertain start up problems at the moment; it would be a help if you could run Autostart Viewer, available from here: http://www.diamondcs.com.au/index.php?page=asviewer
Start the Asviewer and make sure that "Main - Show drivers" is enabled. Then save as asviewer.txt and cut & paste the results into your next post.

Thank you. Pilli

donsan709
December 7th, 2003, 10:15 AM
DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for don zimmerman@DONRZMAN, 12-07-2003
c:\windows\system32\autoexec.nt
C:\WINDOWS\system32\mscdexnt.exe
C:\WINDOWS\system32\redir.exe
C:\WINDOWS\system32\dosx.exe
c:\windows\system32\config.nt
C:\WINDOWS\system32\himem.sys
c:\windows\system.ini [drivers]
timer=timer.drv
c:\windows\system.ini [boot]\shell
C:\WINDOWS\Explorer.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
C:\WINDOWS\Explorer.exe
HKCR\vbsfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\vbefile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsefile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wshfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wsffile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CPQEASYACC
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WCOLOREAL
C:\Program Files\COMPAQ\Coloreal\coloreal.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\srmclean
C:\Cpqs\Scom\srmclean.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NvCplDaemon
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\nwiz
nwiz.exe /install
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\PCTVOICE
C:\WINDOWS\system32\pctspk.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HPDJ Taskbar Utility
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Share-to-Web Namespace Daemon
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\BOCleanautostart
C:\PROGRA~1\NSClean\BOClean\BOClean.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ccApp
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Advanced Tools Check
C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\YBrowser
C:\Program Files\Yahoo!\browser\ybrwicon.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\QuickTime Task
C:\Program Files\QuickTime\qttask.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ProcGuard_Startup
C:\Program Files\ProcessGuard\procguard.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MsnMsgr
C:\Program Files\MSN Messenger\MsnMsgr.Exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe
C:\WINDOWS\System32\ctfmon.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Window Washer
C:\Program Files\Webroot\Washer\wwDisp.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Favorites
C:\Program Files\Webroot\Mpf4\Mpf.exe /S
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\System32\webcheck.dll
C:\WINDOWS\System32\stobject.dll
C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job
C:\PROGRA~1\NORTON~1\Navw32.exe
C:\WINDOWS\Tasks\Registration reminder 1.job
C:\WINDOWS\System32\OOBE\oobebaln.exe
C:\WINDOWS\Tasks\Registration reminder 2.job
C:\WINDOWS\System32\OOBE\oobebaln.exe
C:\WINDOWS\Tasks\Registration reminder 3.job
C:\WINDOWS\System32\OOBE\oobebaln.exe
C:\WINDOWS\Tasks\Symantec NetDetect.job
C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
C:\Documents and Settings\don zimmerman\Start Menu\Programs\Startup\MRU-Blaster Silent Clean.lnk
C:\Program Files\MRU-Blaster\mrublaster.exe
C:\Documents and Settings\don zimmerman\Start Menu\Programs\Startup\SpywareGuard.lnk
C:\Program Files\SpywareGuard\sgmain.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
C:\Program Files\Microsoft Office\Office10\OSA.EXE
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
autocheck autochk *
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
C:\WINDOWS\system32\userinit.exe
HKLM\System\CurrentControlSet\Control\WOW\cmdline
C:\WINDOWS\system32\ntvdm.exe
HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\rsvpsp.dll
HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
C:\WINDOWS\system32\JAVASUP.VXD

donsan709
December 7th, 2003, 10:22 AM
I hope this is what you were asking for.

Pilli
December 7th, 2003, 10:42 AM
It is indeed - Thanks! ;D

Jason_DiamondCS
December 7th, 2003, 10:50 PM
OK, if you are having problems, first try DISABLING protection in procguard.exe's protection menu. Then try a few reboots, normal system things, and see if any issues occur. If everything is fine with protection disabled then you likely have some conflict in your list. Since procguard.exe cannot capture events that occur at log in or log off (at this stage; it might be added in a future version) you cannot see what things may possibly be getting blocked.

It is a tweaking process in some ways to get your list working perfectly with everything else.

The "Cannot attach" error is a timing issue as far as I can gather. I fixed it on most PCs by allowing it to fail for about 3 seconds but keep trying to attach. I can extend this time limit to allow slower machines to always attach too. I might extend it to 10 seconds; this won't affect machines that can attach to it very quickly, but should help the remaining people.

-Jason-
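Jason's description above (probe the driver repeatedly for about 3 seconds, possibly 10, and note that a longer limit costs fast machines nothing) is a bounded-retry loop racing against driver load order at boot. The following is an added model of that logic, not DiamondCS code and not the actual Process Guard client: the real attach step opens a handle to procguard.sys, whereas here a simulated `driver_ready_at` time stands in for the driver finishing its load, and the clock is injected so the race can be replayed deterministically rather than by rebooting. The names `attach_with_deadline`, `simulate_boot`, `FakeClock` and `AttachResult` are this example's own.

```python
"""Model of the "keep trying to attach for N seconds" behaviour Jason describes.

Added illustration, not DiamondCS code. In the real client the attach step opens a
handle to the procguard.sys driver; here `driver_ready_at` stands in for the moment
the driver has finished loading during boot, and the clock is injected so the
boot-time race can be replayed deterministically instead of by rebooting.
"""
import time
from dataclasses import dataclass


@dataclass
class AttachResult:
    attached: bool     # did we reach the driver before the deadline?
    attempts: int      # how many probes were made
    elapsed_s: float   # time spent, per the injected clock


class FakeClock:
    """Deterministic stand-in for time.time/time.sleep: sleep() advances time."""

    def __init__(self, start=0.0):
        self.now = start

    def time(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


def attach_with_deadline(try_attach, deadline_s, interval_s=0.25,
                         clock=time.time, sleep=time.sleep):
    """Probe try_attach() every interval_s until it succeeds or deadline_s has elapsed.

    The first probe is immediate, so a machine whose driver is already loaded
    pays nothing for a long deadline; only the failing case waits it out.
    """
    start = clock()
    attempts = 0
    while True:
        attempts += 1
        if try_attach():
            return AttachResult(True, attempts, clock() - start)
        elapsed = clock() - start
        if elapsed >= deadline_s:
            return AttachResult(False, attempts, elapsed)
        sleep(interval_s)


def simulate_boot(driver_ready_at, deadline_s, interval_s=0.25):
    """Replay one boot: the driver becomes attachable at driver_ready_at seconds."""
    clock = FakeClock()

    # Assumed probe: stands in for opening the driver handle; succeeds once the driver is up.
    def try_attach():
        return clock.time() >= driver_ready_at

    return attach_with_deadline(try_attach, deadline_s, interval_s,
                                clock=clock.time, sleep=clock.sleep)


if __name__ == "__main__":
    # A box where the driver needs 6 s to come up: 3 s of retries is not enough, 10 s is.
    for deadline in (3.0, 10.0):
        r = simulate_boot(driver_ready_at=6.0, deadline_s=deadline)
        print(f"driver ready at 6s, deadline {deadline:>4}s -> attached={r.attached} "
              f"after {r.attempts} attempts, {r.elapsed_s:.2f}s")
    # A fast box: one probe, whatever the deadline.
    r = simulate_boot(driver_ready_at=0.0, deadline_s=10.0)
    print(f"driver ready at 0s, deadline 10s -> attached={r.attached} after {r.attempts} attempt(s)")
```

The model makes the trade-off in the post concrete: the deadline only changes how long the failing case waits before it reports "could not attach", never how long a healthy boot takes, which is why raising it from 3 to 10 seconds is cheap. It also shows why the error is intermittent for some posters here: whether `driver_ready_at` lands before or after the deadline depends on what else the boot is loading that day.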

Phant0m
December 8th, 2003, 04:16 AM
Define slower machines? I'm running a Pentium 4 with Windows XP Pro that's constantly being properly maintained and I reproduced this anomaly easily. The workaround for the DiamondCS Process Guard FREE v1.150 anomaly is to configure a delay to space its loading of the executable procguard.exe from the other Windows start-up loadings…

Jason_DiamondCS
December 8th, 2003, 04:25 AM
CPU isn't all that matters I guess, hard drive and memory speed have some effect. I guess the biggest issue is how many drivers/services are on your system.

So I don't mean "Slow System" in the logical sense, more in that the system is slow to load the drivers for whatever reason. :)

-Jason-

Phant0m
December 8th, 2003, 04:29 AM
{QUOTE-> quoting: Jason / DiamondCS
CPU isn't all that matters I guess, hard drive and memory speed have some effect. I guess the biggest issue is how many drivers/services are on your system.

So I don't mean "Slow System" in the logical sense, more in that the system is slow to load the drivers for whatever reason. :)

-Jason-

<-QUOTE}

That's what I was expecting you to say... ;)

Phant0m
December 8th, 2003, 05:44 AM
Regardless, making manual modifications to the DiamondCS Process Guard FREE v1.150 start-up method, the anomaly still persists.

- procguard.exe loading via "Startup Folder" -
* Disabling ALL 3rd party software from basic start-up groups, excluding Process Guard (procguard.exe).
Note: To no avail, problem still persists.

* Disabling ALL 3rd party software from Services, excluding Process Guard (pg_msgprot.exe).
Note: To no avail, problem still persists.

* Proceeded with each and every 3rd party driver, starting with firewall drivers; didn't have to go beyond disabling Look 'n' Stop's Internet Filtering Layer driver. Fixed the problem...

Obviously manual starting of Process Guard is required after Windows bootup for this thing to load properly.

jaimeson
December 8th, 2003, 12:38 PM
If the "Failed to attach Kernel" error is displayed you must uninstall and re-install, and then uncheck procguard.exe in MSCONFIG.

I disabled procguard.exe in MSCONFIG.
This cured the "Failed to Attach Kernel" problem for me.


Phant0m
December 8th, 2003, 03:17 PM
No, if you get that message it is pointless to uninstall and re-install; that'll just give more unnecessary work. Disabling procguard.exe from the Start-up Group will fix the problem without uninstalling and re-installing the product, as I said earlier.

BlueZannetti
December 8th, 2003, 11:23 PM
{QUOTE-> quoting: Phant0m
No if you get that message it is pointless to uninstall and re-install, that’ll just give more unnecessary work. Disabling procguard.exe from Start-up Group will fix the problem without Uninstalling and Re-installing the product as I said earlier.
<-QUOTE}

Actually, sometimes even less is needed. Most of my adventures and misadventures are captured in another thread here (http://www.wilderssecurity.com/showthread.php?t=17323).

After I undid the problems created by installing PG with KAV active (not a major deal), I reinstalled PG in a nice clean fashion. On reboot after the initial install, and when I set PG protection from disabled to active, the next reboot yielded the "Failed to Attach Driver..." message. In each case I ignored the message this time around and rebooted to find everything working fine. It's as though a state change in PG created the problem. Now I realize this isn't the case every time, maybe not even the majority of the time. However, it's probably worth verifying that the problem is persistent before doing anything, although the disable in start-up solution is a very gentle fix.

Blue

redwolfe_98
December 9th, 2003, 01:01 AM
donsan, I don't know what caused the problem with your computer, but I want to reassure you, I have not had any problems like that. Thankfully, you were able to recover.. As far as procguard goes, if the program doesn't need procguard.exe to be running, one could easily add a shortcut to the quicklaunch tray. I personally would prefer that anyway, as long as the program does not need procguard to be running to be effective. However, when I run the kill test, my vettray.exe is shut down, and so I was thinking that there is an actual failure in procguard's protection (as it is running), somewhere, but I don't really know....

donsan709
December 9th, 2003, 12:34 PM
Glad to hear you have not had the same problem, redwolfe, that I have had. For the time being I have uninstalled the program till the tech guys possibly iron the problems out. I do like this program and want to use it, but I want to be able to turn my computer off and on and not have these crashes, which can't be good. I will look forward to a new and improved Process Guard.

siliconman01
December 16th, 2003, 02:49 AM
Since Procguard.exe is not necessary for the system to be protected and it appears to be nothing more than a log viewer and update program, why is it even connected to a startup timer and set to stay memory resident by default? Seems to me this is just a waste of a timer and memory. Or am I missing something here?

I randomly get the Kernel error. For example this A.M. after doing a system defrag, it started popping up. Seems to have corrected itself now, however.

Pilli
December 16th, 2003, 04:46 AM
{QUOTE-> Since Procguard.exe is not necessary for the system to be protected and it appears to be nothing more than a log viewer and update program, why is it even connected to a startup timer and set to stay memory resident by default? Seems to me this is just a waste of a timer and memory. Or am I missing something here?
<-QUOTE}

Hi siliconman01, Personally I like seeing that little lock in the notification area, although I know PG is working.
I would also be happy if it could be closed as long as there was something showing on the desktop that the PG driver procguard.sys was actually running, this could also act as a warning if for whatever reason the driver was closed.

Jason_DiamondCS
December 16th, 2003, 04:54 AM
It is started by default so people can view the logs the driver generates, if any. It doesn't need to be auto-run though. I find it surprising that putting it in the startup folder didn't fix your problem though Phantom.

More investigation may be required on our part.

-Jason-

Phant0m
December 16th, 2003, 06:08 AM
Hey Jason / DiamondCS

We are family here which means I’m more than happy to assist as much as humanly possible to put this problem to bed, my E-mail is Phant0m@wilderssecurity.info

Jason_DiamondCS
January 7th, 2004, 11:26 PM
I just realized none of you guys had given me the text from the Window Log when it cannot connect. Something along the lines of :-
"Error: Process Guard could not attach to kernel-mode driver. Please make sure Process Guard is installed properly before continuing."

Please copy this message EXACTLY when it happens and post it here. It contains a number that will be helpful for me. Thanks.

-Jason-

siliconman01
January 8th, 2004, 02:03 AM
I put Process Guard back in my RUN registry to get the info you wanted. On reboot, I got a BSOD, followed by a reboot, and then an error box "Could not attach to Kernel-mode driver. Please make sure Process Guard is installed correctly"

On clicking OK, the human intervention screen appeared and the Window Name #32770 was displayed. Is that the number you are requesting? It's the only number I saw in the chain of events.

Jason_DiamondCS
January 8th, 2004, 02:29 AM
No, there is an error in the Window Log where all the logging occurs, like "Process A tried to gain privileges over Process B", etc. So not the messagebox which pops up, rather the window log of the main program.

-Jason-

siliconman01
January 8th, 2004, 03:17 AM
[03:13:38] - Window Log Started
[03:13:39] - Error: 2. Process Guard could not attach to kernel-mode driver. Please make sure Process Guard is installed properly before continuing.
[03:13:59] - Process Guard Protection is ACTIVE

This is what is in the PG Windows Log after the kernel-mode error. Note that on this reboot, I did not get the BSOD.

Jason_DiamondCS
January 8th, 2004, 10:51 PM
Thanks SiliconMan :)

-Jason-

Phant0m
January 8th, 2004, 10:56 PM
I believe mine was the same...

ArchAngel_8
January 9th, 2004, 09:36 AM
Hi, here is a copy of my ASViewer log. I get the "PG cannot attach to kernel" error message off and on. Even when I get the message, I have tried closing a protected program with Task manager via an Administrator acc and am unable to do so, So I assume PG is still protecting my computer. ::)

Sony Vaio, Notebook PCG-GRT100P
XP Pro SP1 with all critical updates
Pentium 4, 2.8 GHz
512 MB RAM

Pilli
January 9th, 2004, 09:56 AM
Hi ArchAngel_8, procguard.sys (the driver) is always working unless disabled through procguard.exe (the user interface), so any protected programmes will still require the completion of the human interface box to close.

Starting procguard.exe manually after boot up is fine & will work OK. I am sure this bug will be cured in the near future.

HTH Pilli

OLDONES
January 16th, 2004, 07:28 PM
I have the same error #2.
I used ASViewer to delete it from startup.
---------------------------------------------------------------------------------------------------------------------
This is before:
DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for oldones@OLDONES-R8ESKBH, 01-16-2004
c:\windows\system32\autoexec.nt
C:\WINDOWS\system32\mscdexnt.exe
C:\WINDOWS\system32\redir.exe
C:\WINDOWS\system32\dosx.exe
c:\windows\system32\config.nt
C:\WINDOWS\system32\himem.sys
c:\windows\system.ini [drivers]
timer=timer.drv
c:\windows\system.ini [boot]\shell
C:\WINDOWS\Explorer.exe
c:\windows\system.ini [boot]\scrnsave.exe
C:\WINDOWS\System32\logon.scr
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
C:\WINDOWS\Explorer.exe
HKCU\Control Panel\Desktop\scrnsave.exe
C:\WINDOWS\System32\logon.scr
HKCR\vbsfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\vbefile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsefile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wshfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wsffile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\RegProt
c:\regprot\regprot.exe /start
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ProcGuard_Startup
C:\TDS\ProcessGuard\procguard.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\System32\webcheck.dll
C:\WINDOWS\System32\stobject.dll
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
autocheck autochk *
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
C:\WINDOWS\system32\userinit.exe
HKLM\System\CurrentControlSet\Control\WOW\cmdline
C:\WINDOWS\system32\ntvdm.exe
HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
C:\WINDOWS\System32\dcsws2.dll
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\rsvpsp.dll
---------------------------------------------------------------------------------------------------------------------
This is after:

DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for oldones@OLDONES-R8ESKBH, 01-16-2004
c:\windows\system32\autoexec.nt
C:\WINDOWS\system32\mscdexnt.exe
C:\WINDOWS\system32\redir.exe
C:\WINDOWS\system32\dosx.exe
c:\windows\system32\config.nt
C:\WINDOWS\system32\himem.sys
c:\windows\system.ini [drivers]
timer=timer.drv
c:\windows\system.ini [boot]\shell
C:\WINDOWS\Explorer.exe
c:\windows\system.ini [boot]\scrnsave.exe
C:\WINDOWS\System32\logon.scr
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
C:\WINDOWS\Explorer.exe
HKCU\Control Panel\Desktop\scrnsave.exe
C:\WINDOWS\System32\logon.scr
HKCR\vbsfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\vbefile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsefile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wshfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wsffile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\RegProt
c:\regprot\regprot.exe /start
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\System32\webcheck.dll
C:\WINDOWS\System32\stobject.dll
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
autocheck autochk *
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
C:\WINDOWS\system32\userinit.exe
HKLM\System\CurrentControlSet\Control\WOW\cmdline
C:\WINDOWS\system32\ntvdm.exe
HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
C:\WINDOWS\System32\dcsws2.dll
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\rsvpsp.dll

It will still get error code #2 if I don't let enough time go by after a reboot; the system gives the same error code #2. Oh, BTW, I did the install on a clean install, no other programs
but Process Guard... :D I am using an M7NCD motherboard by Biostar w/ nVidia nForce 2 and an AMD 2400 CPU, 256 memory 400, all at standard settings.

Pilli
January 17th, 2004, 04:26 AM
Open System Information - Software Environment - System Drivers and check that procguard.sys is started and Auto. If it is, then you are protected, and you can start procguard.exe manually to make any changes :)

We are beta testing 1.200 this weekend, hopefully for release this coming week. Driver contention at start up, i.e. "Cannot Attach", has been corrected and, so far, appears to be working well on beta testers' PCs.
There are many other additions in V1.200 the main one being SetWindowsHookEx protection.

ArchAngel_8
January 23rd, 2004, 10:08 AM
Hey all, I have been "laying low" for a while and just realized PG 1.2 was out. I was wondering, I just installed it, and I am still getting the "failed to connect to the Kernel Driver" error message. I have been closing it and then starting it again and it always connects the second time. Is it the timing issue that Gavin spoke about? If I missed something somewhere regarding a fix or solution, I apologize. ::)

Pilli
January 23rd, 2004, 10:31 AM
Hi ArchAngel_8, :)

Before installing the new version it is better to make sure that all the old files are gone, so disable PG protection, stop pg_msgprot in Task Manager & run the uninstall from the PG folder.
Reboot
Using explorer delete all your PG folder files except for your keyfile if there are any.
Then go to \windows\system32 and delete procguard.dll if there, then go to \windows\system32\drivers and delete procguard.sys if there.
(I also deleted all PG's reg keys as I had been running betas, but this should not be necessary for V1.150 users.)

Before installing I closed all my running programmes AV/AT etc. Then Installed version 1.200 & rebooted.

Tested with APT and all is fine :)

HTH Pilli

ArchAngel_8
January 23rd, 2004, 11:15 AM
:P ok Pilli.. Thanks. I'll give it a SHOT... lol