PG 1.2 Kernel Mode Failure
siliconman01
January 23rd, 2004, 06:57 AM
ProcessGuard 1.2 continues to yield the Kernel Mode Failure if I allow ProcessGuard to start up on a system reboot.
I uninstalled PG 1.5 in SAFE MODE completely prior to installing PG 1.2. I do not get the Kernel Mode Failure if I manually start up PG 1.2 after a system reboot and other pgms are up and running.
Eliot
January 23rd, 2004, 07:20 AM
Cannot attach to Kernel mode error remains here too. ???
Gavin - DiamondCS
January 23rd, 2004, 07:29 AM
Hmm, OK, this is probably a case where if PG was installed FIRST then everything would be fine. What do you have installed that might influence it?
Can I ask you both to send me an ASViewer log to gavindcs@iinet.net.au so I can look at it tonight?
Could help to uninstall and then try a safe mode install. Don't know, haven't tried it, but it can't hurt to try.
Eliot
January 23rd, 2004, 08:15 AM
Uninstalled per thread http://www.wilderssecurity.com/showthread.php?t=16931
Rebooted to safe mode and installed. Rebooted normally, no error. Dropped my key in the folder and rebooted, error came right back. I have not even enabled protection and it still gives the kernel error. ???
gkweb
January 23rd, 2004, 09:25 AM
Is pg_msgprot.exe running in your Task Manager processes list?
Eliot
January 23rd, 2004, 10:48 AM
yes
Eliot
January 23rd, 2004, 11:32 AM
I have disabled everything in my startup except for PG and the error still occurs :-[
Pilli
January 23rd, 2004, 11:43 AM
Hi Eliot, can you try the following: This applies to 1.200 as well as 1.150, as starting afresh is sometimes better than trying to put right a poor install :)
Before installing the new version it is better to make sure that all the old files are gone, so disable PG protection, stop pg_msgprot in Task Manager & run the uninstall from the PG folder.
Reboot
Using explorer delete all your PG folder files except for your keyfile if there are any.
Then go to \windows\system32 and delete procguard.dll if there, then go to \windows\system32\drivers and delete procguard.sys if there.
(I also deleted all PG's reg keys as I had been running beta's but this may not be necessary for V1.150 users)
Before installing I closed all my running programmes AV/AT etc. Then Installed version 1.200 & rebooted.
Tested with APT and all is fine
HTH Pilli
Eliot
January 23rd, 2004, 12:08 PM
Gave it a go. Still no joy. Maybe when I get home later I can try installing to the default folder with PG. If any of you think that would matter please let me know because now I have it on the 3rd partition of my second hard drive. Speaking of which, all my hard drives are SATA if that makes any difference. Off to work now, subscribed to thread so I can follow up. Catch you later :)
Really, thank you for your time and help!!!
Clive T
January 23rd, 2004, 12:23 PM
Eliot, I think I'm right in saying that v1.200's UI loads from the startup group and not from a run key in the registry.
Check that the registry entry is disabled -- I had a similar problem when I upgraded today.
If you can't find the key, I'm sure someone here will help you.
joeblow
January 23rd, 2004, 12:42 PM
I began to see the same message after I installed Abtrusion Protector.
I uninstalled at, but the message remained.
Fortunately I had a restore point from before at was installed, and reverting to that got rid of the message.
fwiw, the process guard driver was running, and the gui said it was enabled, so maybe it was still working.
siliconman01
January 23rd, 2004, 12:51 PM
Have tried the above suggestions to no avail. So I used my StartupDelayer program and delayed the startup of ProcessGuard GUI for about 60 seconds...no error. Works fine this way.
Definitely indicates to me that it is a timing/stability problem.
Jason_DiamondCS
January 23rd, 2004, 01:28 PM
First tell me the date of PG_MSGPRot.exe in your Process Guard directory.
Then try renaming that PG_MSGprot.exe to PG_msgprot1.exe then rebooting to see if you still get the attach error.
Our beta team noticed the same issue when running an old PG_MSGProt.exe with the latest release.
-Jason-
siliconman01
January 23rd, 2004, 02:11 PM
The created date for PG-MSGProt.exe is 23-January-04, 12:49.59 PM
No, the error message does not appear when PG_MSGProt.exe is renamed. Procguard.exe shows up in memory.
HOWEVER, when I renamed PG-MSGProt1.exe back to PG-MSGProt.exe and rebooted, the error message DID NOT appear, the icon showed up for PG and it is in memory... Doggone thing!
Of course, now I have all my list of protected programs in. Perhaps that is changing the timing a bit.
Pilli
January 23rd, 2004, 02:14 PM
Thanks Jason,
Siliconman01, pg_msgprot must be running for protection to work; likewise it must be stopped by disabling protection or via Task Manager before installing.
Further file information:
procguard.exe is 200KB dated 23/01/04 - PG folder
procguard.sys is 15KB and dated 23/01/04 - \windows\system32\drivers
siliconman01
January 23rd, 2004, 02:20 PM
Pilli,
Those match the stats I have in my system.
Pilli
January 23rd, 2004, 02:51 PM
Hmm, if you feel confident working in the registry - Do a search for "procguard" without the speech marks. What you are looking for is a folder "Run" called procGuard_ Start; if it is there, delete it.
The key is
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run - ProcGuard_Startup"="\"C:\\Program Files\\ProcessGuard\\procguard.exe\" -minimize
Do NOT delete any other Procguard keys unless you wish to totally re-install procguard after running the uninstall programme.
Procguard.exe should have placed a shortcut in your Start up folder Start - All programmes - Startup
siliconman01
January 23rd, 2004, 03:07 PM
The installation did not put ProcGuard.exe in the Programs/Startup folder. It put it in the Registry Run list. I verified that on the initial installation.
So it should be moved to the Startup folder??
I have no problems with registry work and know how to get it in the Startup folder.
Pilli
January 23rd, 2004, 03:10 PM
Correct, that must have been an install or uninstall fault.
I have checked both these PC's and there should be no Run key for procguard.exe only the startup shortcut.
You will find that after that PG should run correctly :) Check it with DCS's APT to make sure.
So procguard.sys should have started at boot up, procguard.exe from the startup folder. pg_msgprot & procguard.exe should be running in Task Manager.
siliconman01
January 23rd, 2004, 03:35 PM
Change made and confirmed working.
There must be a bug in the Installer for ProcessGuard. I confirmed that on installation, it loads the startup in the Registry RUN entries, NOT in the C:\Documents and Settings\All Users\Programs\Startup folder.
There is ONE condition that may be fooling me. I use Ad-Aware6 Plus with Ad-Watch. It is set to BLOCK all Upper Registry modifications. IF the procedure of the PG Installer is:
1. Place startup in the Registry RUN for the FIRST startup after installation.
2. Issue the Alert Box that this is the first startup and do you want to add files automatically.
3. If the user answers YES or NO, remove the entry from the Registry RUN and place a shortcut in the Startup folder.
If this is the sequence, then Ad-Watch could/would block step 3 and the startup would be left in Registry RUN.
If not this sequence, then the ProcessGuard Installer has a bug for Windows XP-SP1 Home. :o
Pilli
January 23rd, 2004, 04:08 PM
Phew! Glad you have it working at last. As I was using the beta I deleted all references to PG in the registry, so I cannot verify what AdWatch may or may not have done :)
I use SSM and suspended it during the install - I also have AdAware Pro with AdWatch but rarely use it now.
Others have not had problems so it is possible that AdWatch had an effect on the install - uninstall.
You certainly deserve a Karma cookie for your trouble ;D Best taken with a Jack Daniels or an ice cold drink of your choice - Enjoy!
siliconman01
January 23rd, 2004, 04:39 PM
Gentleman Jack works just Fine! ::)
Bowserman
January 23rd, 2004, 05:01 PM
{QUOTE-> quoting: Pilli link=board=40;threadid=20183;start=15#msg123200 date=1074892110]
You certainly deserve a Karma cookie for your trouble ;D Best taken with a Jack Daniels or an ice cold drink of your choice - Enjoy!
<-QUOTE}
Have another siliconman01,....glad you got it sorted out....good job.
Regards,
Jade.
Eliot
January 23rd, 2004, 07:11 PM
Tried everything in this thread with no luck. Still get the error on boot. I have noticed that my procguard.sys is 14.2KB and not 15KB as the post up there says. I have made sure that all traces of PG were gone and then installed. The file is 14.2KB every time. ???
BlueZannetti
January 23rd, 2004, 10:47 PM
{QUOTE-> quoting: Eliot link=board=40;threadid=20183;start=15#msg123237 date=1074903087]
Tried everything in this thread with no luck. Still get the error on boot. I have noticed that my procguard.sys is 14.2KB and not 15KB as the post up there says. I have made sure that all traces of PG were gone and then installed. The file is 14.2KB every time. ???
<-QUOTE}
The value listed depends on where you look as well as the "meaning" of K. In Windows Explorer, you'll see 15KB. Right-click the filename and select Properties and you'll see 14.2 Kb (14,543 bytes, or 15 KB where K means 1000 (and the value is rounded up), not the usual 1024, which yields 14.2 KB - confused yet?)
Blue
Wayne - DiamondCS
January 23rd, 2004, 11:27 PM
As seen with a DIR command from Command Prompt:
PG directory...
23/01/2004 12:49 PM 40,960 PG_MSGProt.exe
Windows\System32\drivers\ directory ...
23/01/2004 04:19 PM 14,543 procguard.sys
Pilli
January 24th, 2004, 04:20 AM
Eliot, from what I can see most problems are coming from a bad install/uninstall.
Please close all running programmes - especially utilities such as AdWatch, Abtrusion Protector & System Safety Monitor, as they can stop changes to the registry that affect both the install/uninstall process.
It is very important that the old registry start key below is deleted:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run - ProcGuard_Startup"="\"C:\\Program Files\\ProcessGuard\\procguard.exe\" -minimize
And then reboot your machine
After which you must ensure that the procguard.exe shortcut is in your start up folder.
Also ensure that the files are dated as above
Protection should be running correctly as long as procguard.sys & pg_msgprot are both running. Once you have enabled protection in procguard.exe then it does not need to run on the desktop.
When first enabling protection ensure that Protection - General protection 1 - 4 are enabled.
Test with APT
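A read-only check for the duplicate-autostart condition discussed in this thread, added here as an example; it is not part of the original post and not DiamondCS code. It assumes PowerShell (which postdates the thread) and takes only the file names procguard.exe and pg_msgprot from the thread; it lists every Run-key value and Startup-folder shortcut that would launch the GUI and changes nothing.

```powershell
# Added example: audit of the autostart locations named in this thread.
# Read-only: nothing is deleted or modified.
$exeName = 'procguard.exe'                 # GUI executable name, from the thread
$pattern = [regex]::Escape($exeName)       # -match is case-insensitive
$found   = @()

# 1. Registry Run keys (per-user and machine-wide).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($keyPath in $runKeys) {
    if (-not (Test-Path -Path $keyPath)) { continue }
    $key = Get-Item -Path $keyPath
    foreach ($valueName in $key.GetValueNames()) {
        $data = [string]$key.GetValue($valueName)
        if ($data -match $pattern) {
            $found += [pscustomobject]@{
                Source = 'Run key';  Location = $keyPath
                Entry  = $valueName; Target   = $data
            }
        }
    }
}

# 2. Startup folders (per-user and All Users); resolve each shortcut's target.
$shell = New-Object -ComObject WScript.Shell
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $startupDirs) {
    if (-not $dir -or -not (Test-Path -Path $dir)) { continue }
    foreach ($lnk in Get-ChildItem -Path $dir -Filter '*.lnk') {
        $target = $shell.CreateShortcut($lnk.FullName).TargetPath
        if ($target -match $pattern) {
            $found += [pscustomobject]@{
                Source = 'Startup folder'; Location = $dir
                Entry  = $lnk.Name;        Target   = $target
            }
        }
    }
}

$found | Format-Table -AutoSize -Wrap

# 3. Interpret the result the way the thread does: one launch path is expected,
#    a Run-key value alongside a Startup shortcut is the stale-entry case.
$runHits = @($found | Where-Object { $_.Source -eq 'Run key' })
$lnkHits = @($found | Where-Object { $_.Source -eq 'Startup folder' })
if ($runHits.Count -gt 0 -and $lnkHits.Count -gt 0) {
    Write-Warning "$exeName starts from a Run key AND a Startup shortcut."
} elseif ($found.Count -eq 0) {
    Write-Output "No autostart entry for $exeName was found."
} else {
    Write-Output "$exeName has a single kind of autostart entry."
}

# 4. The thread says pg_msgprot must be running for protection to work.
if (Get-Process -Name 'pg_msgprot' -ErrorAction SilentlyContinue) {
    Write-Output 'pg_msgprot is running.'
} else {
    Write-Output 'pg_msgprot is NOT running.'
}
```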
siliconman01
January 24th, 2004, 06:06 AM
I do hope that Jason et al will check the PG Installer and confirm there is not a bug that is putting the Registry RUN startup entry in. That is the only way it could have gotten there on my system when revving up to PG 1.2 because I had PG 1.5 not even start up on computer reboot because of the kernel mode failure. I would start PG 1.5 manually if I wanted it after a reboot.
Pilli
January 24th, 2004, 06:18 AM
I'm not sure about it being put there by the installer as I cleared the registry before installing 1.200 and had no problems on three different machines ???
But each PC is different. :)
Jason_DiamondCS
January 24th, 2004, 07:37 AM
I can confirm for sure that the installer does not alter the registry in regards to startup. The only startup the installer writes now is a LINK to procguard.exe in the Startup folder. I don't know what is adding procguard.exe to your RUN key if there is something adding it, but it can't be the 1.200 installer.
-Jason-
Eliot
January 24th, 2004, 07:55 AM
{QUOTE-> quoting: Pilli link=board=40;threadid=20183;start=15#msg123403 date=1074936020]
Eliot, from what I can see most problems are coming from a bad install/uninstall.
Please close all running programmes - especially utilities such as AdWatch, Abtrusion Protector & System Safety Monitor, as they can stop changes to the registry that affect both the install/uninstall process.
It is very important that the old registry start key below is deleted:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run - ProcGuard_Startup"="\"C:\\Program Files\\ProcessGuard\\procguard.exe\" -minimize
And then reboot your machine
After which you must ensure that the procguard.exe shortcut is in your start up folder.
Also ensure that the files are dated as above
Protection should be running correctly as long as procguard.sys & pg_msgprot are both running. Once you have enabled protection in procguard.exe then it does not need to run on the desktop.
When first enabling protection ensure that Protection - General protection 1 - 4 are enabled.
Test with APT
<-QUOTE}
Done this as well. I feel as if I am fighting a never ending battle. I don't know what else to try. Hopefully something can shed some light on the matter. FYI: I have a fresh install image that I am gonna load and see what happens. Probably be later today after I get home. Will post back with the results ::)
Pilli
January 24th, 2004, 08:26 AM
Eliot, If you feel comfortable with regedit, Disable protection, uninstall PG, delete all pg's files except your key. Open regedit search for procguard and delete every key you can. Reboot - & then try re-installing.
Ensure no other utilities are running and that you have full Administrative rights.
Eliot
January 24th, 2004, 09:01 AM
No fear of the registry ;) I lived there in Win 9x ;D
I have several keys that I do not have permission to edit. Hmmmm, I AM the administrator. There is no other account on here besides the guest account. Now that is just puzzling. If I do not have access, then no one can. ???
Eliot
January 24th, 2004, 09:11 AM
OK, I have hijacked the keys with full control. Deleted and gonna shoot for install again.
Pilli
January 24th, 2004, 09:15 AM
Legacy keys I believe :)
Here is how to delete them: Although it should not be necessary.
Right click on the key that will not delete - Select "Permissions" Click allow then apply - You should now be able to delete the key(s)
Eliot
January 24th, 2004, 09:24 AM
DELETED!!!!!!!!! PG LOADS ON BOOT WITH NO ERROR!!!!!!!!!!!!!!!!!!!! SORRY BOUT THE CAPS, BUT DARN I AM HAPPY NOW!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Much thanks to all who helped in this thread. Thanks to Registry First Aid which allowed me to locate and delete them all together.
I had to give myself permission to edit/del them. And yes, there were 2 keys "PROCGUARD" AND "PG_M...." I forget the spelling of that one, but it matched the file almost exactly from the PG directory. Both were Legacy keys :D
BlueZannetti
January 24th, 2004, 09:31 AM
{QUOTE-> quoting: Jason / DiamondCS link=board=40;threadid=20183;start=15#msg123433 date=1074947836]
I can confirm for sure that the installer does not alter the registry in regards to startup. The only startup the installer writes now is a LINK to procguard.exe in the Startup folder. I don't know what is adding procguard.exe to your RUN key if there is something adding it, but it can't be the 1.200 installer. <-QUOTE}
I believe that..., if you disabled the registry key startup for Process Guard v 1.15 by using a selective startup configuration (Run>MSCONFIG>StartUp tab>uncheck Process Guard entry>Apply) to prevent the "could not attach" error, followed by starting the PG GUI manually, that inactive registry entry will not be removed when PG 1.15 is uninstalled. Depending upon what you do after the PG 1.15 uninstall (i.e. go from Selective to Normal startup), you could have an entry causing PG to start from a registry key, in addition to the now default Startup folder. Just a guess on this though.
Blue
Pilli
January 24th, 2004, 09:35 AM
Hi BlueZannetti, I should say it is a well founded guess too! :) Have a Karma cookie!
Let's hope Eliot has better luck after removing all the keys
Eliot
January 24th, 2004, 10:05 AM
Look up 3 posts ;) It's working great. Thanks again
Pilli
January 24th, 2004, 10:20 AM
;D ;D ;D Well done Eliot - Karma cookie for you!
Gavin - DiamondCS
January 24th, 2004, 10:25 AM
*munch munch* ;D
Thought so - Jason knows how to fix it ! thanks again Eliot for trying things earlier with me ! Enjoy :)
siliconman01
January 24th, 2004, 12:09 PM
Have put this startup thing on my "watch out for" list for when the next version of PG is released...just in case. :)
As for now, I'm just glad everyone is getting straightened out and PG 1.2 is working awesome. ::) ;)
It sure would be great to have a little utility that allows a user to export their list of programs and then import them back into a re-install or new version. Guess that could get dangerous though depending on the extent of changes in a new version. I know! I know! ...never satisfied ;D
tech-addict
January 24th, 2004, 01:35 PM
I installed the new version yesterday and have been following this thread since I was having the dreaded "kernel could not attach error" too. :(
I went through and did all the suggestions as they were being posted, and still was having the problem. I even went as far as trying to install in safemode under the admin account, but that gave me an error (failed to install process guards driver) so don't bother trying that way :P
I found today the new suggestions and tried those too, but still getting error... then I saw the post about the legacy keys and went ahead and uninstalled in safemode ( 7th time ) deleted all reg keys again and all the other suggested things to delete / check for, only thing I did different was delete the 2 legacy keys that wouldn't delete before... rebooted and reinstalled again.
Install went fine again and rebooted... this time I didn't get the error so I shut down for a few minutes and started up and got error :'( really frustrating but I found that this time it didn't ask me about adding the default protections and there were none in the list. So I went into registry {HKLM\Software\Diamond Computer Systems\Process Guard\BeenRun} and changed this from 1 to 0 so PG would ask me to add the default processes after reboot.
Ok so I rebooted without error and was asked to add default protection which I did. So tested it for a few reboots and saw some logging so I added BOC and SAV to protected list with allowed flags which stopped the logging. ;)
Have gone through several more reboots and shut downs / startups and all has been good so far. :) :D ;D
I'm thinking that it was deleting the legacy keys that eventually did help me along with modifying the been run key, so I feel that the uninstaller needs to be upgraded to delete all the keys / modifications that PG does to your system when installed and running. With that implemented we should have no more of these problems.
I'm posting this as a thanks to everyone who has posted / replied in this thread :) and also in hopes that this will help in the further development of this fine product.
Thanks
;)
Pilli
January 24th, 2004, 02:00 PM
Protek, I am pleased you have it working after all your trouble. There is certainly a problem with the install/uninstall and I know that Jason is well aware of this discussion, so I am sure we will hear back from him :)
You have a karma cookie from me - Enjoy!
spy1
January 24th, 2004, 02:57 PM
I'm quite happy to report that - following just the basic instructions on how to go about replacing the old with the new - everything went just fine, including re-starts. Pete
lol! I just noticed, when going to "Help", "About", that you now have to close that window using the HID. Is that by design?
Eliot
January 24th, 2004, 06:22 PM
{QUOTE-> quoting: Gavin / DiamondCS link=board=40;threadid=20183;start=30#msg123481 date=1074957935]
*munch munch* ;D
Thought so - Jason knows how to fix it ! thanks again Eliot for trying things earlier with me ! Enjoy :)
<-QUOTE}
Anytime Gavin! You just got a karma cookie as did Pilli. Oops, I gave you both 2 today ;D I'm just glad to have all my DCS programs running 24/7 :D
tech-addict
January 27th, 2004, 12:26 PM
Well, I ran my defragmenter and now the kernel mode error is back :(
Eliot
January 27th, 2004, 03:10 PM
Try disabling the schedule service of Perfect Disk and see if that helps any ???
tech-addict
January 29th, 2004, 12:05 AM
That made no difference on this laptop... Time to fire up my startup delayer and delay PG for 60 seconds like I did on the last version. :(
I really think it has to do with laptops booting slower than a desktop, not to say this is really that slow, it's a PIIIm 1.2 GHz with 512 MB RAM... but the spindle speed of this 30gig drive is just slower than a 3.5" drive and I doubt if it has any (buffer) cache on it.
Oh well, I'll just delay it and wait for the next version.
;)
Hagbard
February 4th, 2004, 02:43 PM
I usually get the kernel mode error when I turn on the machine. Rebooting: no error.
(Even after getting the error, pg_msgprot.exe is running).
PG 1.2, first install, starts from Autostart, nothing in ..\Run... registry.
If I can live with this can PG and is my machine protected?
Pilli
February 4th, 2004, 02:54 PM
Hi Hagbard, Procguard.exe (the GUI) does not need to run for the protection to work, providing you have enabled protection in the Procguard GUI. And for Close Message Handling pg_msgprot must be running :)
Down load the Advanced Process Termination programme from DCS to test: http://www.diamondcs.com.au/index.php?page=apt
HTH Pilli
Hagbard
February 4th, 2004, 03:11 PM
Thanks, Pilli, it did.
It's the driver procguard.sys then that does the protecting? I looked in the wrong place.
Br, H.
Jason_DiamondCS
February 4th, 2004, 10:13 PM
I am pretty sure this "Cannot Attach Error" will be totally gone in the next publicly available version. (v1.250)
-Jason-
tech-addict
February 5th, 2004, 02:31 AM
Sounds good to me ;D
Thanks for the update !
;)
siliconman01
February 5th, 2004, 03:03 AM
Yeah! Great news.
The Kernel problem has resurfaced on my machine after doing a defrag using the latest version of Perfect Disk. Has happened the last two times. Hopefully this will be fixed as stated in the PG 1.25.
No big catastrophe...just a bit annoying. ;)
gkweb
February 5th, 2004, 08:30 AM
I have done a defrag with Perfect Disk (both Smart and Offline) and I haven't the error message with the current beta 1.250 ;)
siliconman01
February 5th, 2004, 12:36 PM
Very encouraging input gkweb. Very!!! :D