View Full Version : PG v2.000 - BOCLEAN 4.11


Oremina
March 31st, 2004, 07:33 AM
Hi Gents

Does this ring a bell with anybody, or has anyone else experienced a similar problem?


Since installing PG v2.00 2 - 3 days ago, BOClean 411 only intermittently opens up on boot/reboot.

The icon does not appear in the System Tray. The two files normally present in Task Manager (BOCSEC.exe and BOClean.exe) are absent. I then have to start BOClean manually from Start - All Programs - BOClean. It then runs OK and may/may not appear after the next reboot. I guess around 50% of the time it fails to flash up.

I have all four BOCLEAN files in my Program Protection (BOClean.exe, BOCSEC.exe, BPC4UPD.exe and BOCEXC.exe) just from trying to solve the problem, though I don't know if that is the correct thing to do or not. Possibly someone may comment on that too?

In General Protection Options, I have all four Options ticked (enabled). Therefore, because it was wanting to Write and set Global Hooks at various times, I have BOClean.exe set with full Allowed Privileges of Write, Terminate, Suspend and Set Info, plus Allow Global Hooks.

Yet still, BOCLEAN only opens up on reboot very erratically and I'm just starting to get my knickers in a twist here, 'cos I really don't know what I'm doing too well - all trial and error for me and hoping for the best.

Possibly I'm missing something obvious, or simple.
It is only a minor nuisance, but a nuisance nevertheless. BOClean has always been well behaved for me, never the slightest problem.

Most grateful for any advice from all you people with more experience and wiser heads than me. (I have by the way tried uninstalling and reinstalling BOClean - no difference. I am completely stumped at the moment.)


Pilli
March 31st, 2004, 08:09 AM
Hi Oremina, I do not run BoClean but I found this post by Pikedude that may be useful to you:

Pikedude Quote:

I just had to reboot one more time before I posted this to make sure that BoClean would load again and it has for the past 5 reboots!

At first all I had in the Program Protection with all the options turned on was Boclean.exe but it would not load. Then I also added the Bocsec.exe with all the options turned on and that did not help. Now here's the crazy part (hopefully someone can explain it to me): I then added the BoClean database file (boc411.xvu) to the Protected Programs with the Allow Global Hooks and voila, BoClean loads at every boot (now at 5 boots just to be sure). I then removed the file from the Protected Programs and BoClean did not boot anymore, I had to manually click on the BoClean icon for it to load. I then placed the database file back into Protection with Allow Global Hooks and it started loading again.

I don't know if this is normal or really the case (maybe I was just very lucky at all the various boots), but it does seem to work for the moment.

Just thought I would pass this information along.

Also check: http://www.wilderssecurity.com/showthread.php?t=25720

Oremina
March 31st, 2004, 09:09 AM
Hi Pilli

Thanks very much for your speedy reply and for your link to the Pikedude thread. I found it very interesting and it gave me a little food for thought.

Don't think this is going to be resolved quickly - at least not by me - but I have tried one or two things in the last few minutes. It would appear that:

Unlike in Pikedude's case, putting the data file boc411.xvu into Program Protection and allowing Global Hooks made no difference.

Disabling Block Global Hooks in the General Protection Options did appear to make a difference and I rebooted five times with BOClean firing up each time.... Coincidence? Possibly...

I then enabled Block Global Hooks in General Protection Options and gave all four BOClean files in Program Protection Allow Global Hooks - all four of them which I hadn't done before.

After five more reboots, BOClean fired up again each time. Again, possibly coincidence.

Now, to be perfectly honest, none of this proves anything, but it possibly may give a glimmer of hope that it may be sorted. It's obviously not a widespread problem, as far as I am aware only Pikedude and I have complained about it.

I'll keep watching what happens and if I find out anything concrete or positive I'll post again. Possibly Pikedude may have sussed something else out by now and may let us know in due course.

Thanks for your help

Best wishes

Pilli
March 31st, 2004, 09:26 AM
You're welcome Oremina :) Just keep popping in to see if someone comes up with a definitive answer.

spy1
March 31st, 2004, 09:37 AM
Are there any entries in PG's log about BOCLEAN needing any type of "driver/services" install? That's about the only thing I haven't seen you mention, either settings or log-wise. Just wondered if fooling with that would help.

"Block Golden Hooks"? I like that! Does it do that automagically? ;D Pete

nick s
March 31st, 2004, 10:28 AM
I've been having the same problem with BOClean since the 1.3 beta driver. PikeDude's idea did not work for me. Nor did Allow Driver/Services Install for all BOClean's related executables (as well as Allow Global Hooks). One new observation is that when BOClean does autostart, Process Guard exits without asking for human confirmation despite having set Close MSG Handling for it. When BOClean fails to start, Process Guard asks for human confirmation when exiting. Confirmed over several reboots.

Nick

Pilli
March 31st, 2004, 10:29 AM
-{ Quote: ""Block Golden Hooks"? I like that! Does it do that automagically? Pete " }-

Pete, Maybe there is a secret "premium" version - Let me know if you find out :P

Oremina
March 31st, 2004, 10:43 AM
Hi all
Thanks for the interest..

Pete - can you see me blushing - and that's not easy at my age... I guess it's what you would call a "Freudian Slip", maybe thinking about other things at the time... Anyhow, I'm pleased it raised a smile and brightened a day or two.

I did indeed have some requests from BOclean.exe to Allow Drivers/Services, which I did, but it didn't make any difference.

Have just tried another reboot and Boclean flashed up yet again (with "Allow Global Hooks" on all four BOClean executables). Hope I'm not kidding myself here, going to be gobsmacked now the first time it doesn't fire up.

Nick - haven't tried CMH on it yet. What I'll do is watch it over the next day or two and post on that, either way. Can't really check anything else out until BOClean doesn't flash up again.

Pete 'n Pilli - keep looking for those Golden Hooks (automagically)!!

(I can't stand the embarrassment, my wife taking the mickey as well, so I've modified it)..

;D

nameless
March 31st, 2004, 02:55 PM
BOClean doesn't need driver/service privileges. The problem, which occurs with a lot of other apps besides BOClean, has been reported many times, and is a known issue. Jason knows about it.

I believe the issue has to do with global hooks, and so two possible workarounds until the bug is fixed are to: (1) Start any applications that PG interferes with (such as BOClean) manually, rather than at startup; or (2) Disable GH blocking in PG's general protection options.

donsan
March 31st, 2004, 09:11 PM
Just thought I would jump in and say I run BOClean and have added all four BC exe's, ticked all allow flags and allowed global hooks. Since I have done this I have no problem with excessive BOClean logs or any problems with BOClean not starting on reboot.

nameless
March 31st, 2004, 09:59 PM
I have had the "not starting on boot" issue with several applications, and allowing GH for them does not solve the issue on my system.

Jason_DiamondCS
March 31st, 2004, 10:32 PM
When BOCLEAN does not start, is there anything in the log at all relating to BOCLEAN or any other app which does not start?

PG v2.0 lists everything that has happened since the driver was activated, unlike previous versions, so this would be helpful to know.

-Jason-

nick s
March 31st, 2004, 11:03 PM
This is the only log entry that is missing when BOClean does not start:

31 Mar 21:35:58 - [EXECUTION] c:\progra~1\nsclean\boclean\bocsec.exe with commandline c:\progra~1\nsclean\boclean\bocsec.exe was ALLOWED to run

Nick

PikeDude
April 1st, 2004, 12:40 AM
Hi All,

Just wanted to post an update with how BoClean and Process Guard is behaving on my system. As I had said in the original post, what I had tried was possibly not the solution to what the real problem with BoClean not starting up is. It was just a guess and trying to figure out what it might be, but since that last post about 4-5 days ago BoClean has started up every day and after every reboot that I have done since. I left the file (boc411.xvu) in the protected applications since it was not doing any harm.

I haven't tried to remove it for fear of putting a hex on it ;D but I also can't see what the real problem could be. We probably have some software or driver that is conflicting that others probably don't have.

Also, looking back at my other posts I somehow forgot to mention that I'm running Windows XP Professional with the SP2 Release Candidate, if you have the same let us know, then we may finally get to the bottom of what is really happening.

Oremina
April 1st, 2004, 02:18 AM
Further thoughts..

It's a new day and I've booted twice and BOClean has fired up correctly each time. This is with all four BO executables in Protection, GH on all four but full Allow privileges only on boclean.exe. Seems OK at the mo, but maybe just coincidence. (This is pretty much in line with donsan's experience).

I have here XP HE SP1 and besides BOClean my security programs which open up on boot are NAV2002, NIS2002 and a² Guard. None of those have been affected.

If it starts to play up again I shall revert to the suggestion by nameless and just disable Block GH until I hear further, but seems OK at the mo. I would suggest it isn't the proper answer vide the second post by nameless.

For Jason... This is only the start of my fourth day with PG so I can hardly claim to be slick on this lovely bit of kit, and I am still in the steep part of the learning curve, but what I have tried to do is be advised by the logs and if any of the known and trusted apps have wanted privileges they have been granted. So if nothing else I know the different colours in the logs. nick s is quite right when he says that on the occasions that BOClean has failed to start there have been no log entries in red/purple, just the sea of green/blue. The BOClean entries are noticeable by their absence. I think that's what nick s is saying and I would agree with that.

If anything else comes to mind that seems relevant I'll post again.
Hi Pikedude - I did briefly try your suggestion of putting the BOClean.xvu into protection, but not the slightest effect here.. still I understand the hex problem... while it's working don't fix it eh?!!

Thanks for the input from everyone.

Oremina
April 1st, 2004, 04:05 AM
Jason

Following a Drive Image backup a short while ago, on reboot the BOC icon was missing from the systray and the two entries boclean.exe and bocsec.exe were missing from Task Manager.
I immediately rebooted with the same result but looked at the log, which said:
[Execution] c:\progra~1\nsclean\boclean\boclean.exe with commandline "c:\progra~1\nsclean\boclean\boclean.exe" was ALLOWED to run.

I then manually started BOC and then got two entries in the log:

c:\program files\nsclean\boclean\boclean.exe with commandline "c:program files\nsclean\boclean\boclean.exe" was ALLOWED to run.

Followed by the next entry

c:\progra~1\nsclan\boclean\bocsec.exe with commandline c:\progra~1\nsclean\boclean\bocsec.exe was ALLOWED to run.

Hope this makes some sort of sense to you, but certainly there was only one entry when BOC failed to fire up on boot up and two entries after manual start.

Regards

nameless
April 1st, 2004, 04:16 AM
Since BOCLEAN.EXE launches BOCSEC.EXE, what those log entries tell me is that when BOClean failed to start correctly, it simply terminated before being able to launch BOCSEC.EXE.

I think that speaking of multiple EXE files and other supporting files (such as the BOClean database file) needlessly complicates the matter. I have the same issue everyone is talking about here with simpler, one-EXE utilities like KatMouse (http://kickme.to/katmouse), and while using nothing but LFN.
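
An added example, not from the thread or from either vendor: a small Python checker that applies nameless's reading of the log to Process Guard v2 lines of the shape quoted above, flagging each boclean.exe launch that is not followed by a bocsec.exe execution within a short window, and folding the progra~1 short-name spelling Jason mentions into the long-name form so both spellings count as one image. The sample log lines, the 120-second window, the assumed year 2004 and the progra~1 to "program files" mapping are constructed assumptions for this example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Line shape as quoted in the thread (Process Guard v2):
# "31 Mar 21:35:58 - [EXECUTION] <image> with commandline <cmd> was ALLOWED to run"
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2} [A-Za-z]{3} \d{2}:\d{2}:\d{2}) - "
    r"\[(?P<event>[A-Za-z]+)\] (?P<image>.+?) with commandline (?P<cmd>.+?) "
    r"was (?P<verdict>[A-Z]+) to run$"
)
LOG_YEAR = 2004  # PG lines carry no year; assumed here so timestamps can be ordered

# Constructed sample: one good boot (31 Mar), one failed boot plus a manual start (01 Apr).
SAMPLE_LOG = r"""
31 Mar 08:00:01 - [EXECUTION] c:\windows\explorer.exe with commandline c:\windows\explorer.exe was ALLOWED to run
31 Mar 08:00:05 - [EXECUTION] c:\progra~1\nsclean\boclean\boclean.exe with commandline "c:\progra~1\nsclean\boclean\boclean.exe" was ALLOWED to run
31 Mar 08:00:07 - [EXECUTION] c:\progra~1\nsclean\boclean\bocsec.exe with commandline c:\progra~1\nsclean\boclean\bocsec.exe was ALLOWED to run
01 Apr 07:30:02 - [EXECUTION] c:\windows\explorer.exe with commandline c:\windows\explorer.exe was ALLOWED to run
01 Apr 07:30:06 - [Execution] c:\progra~1\nsclean\boclean\boclean.exe with commandline "c:\progra~1\nsclean\boclean\boclean.exe" was ALLOWED to run
01 Apr 07:45:10 - [EXECUTION] c:\program files\nsclean\boclean\boclean.exe with commandline "c:\program files\nsclean\boclean\boclean.exe" was ALLOWED to run
01 Apr 07:45:12 - [EXECUTION] c:\progra~1\nsclean\boclean\bocsec.exe with commandline c:\progra~1\nsclean\boclean\bocsec.exe was ALLOWED to run
"""


def normalize_path(path):
    """Lower-case, unquote and expand the one 8.3 short name seen in the thread.
    The progra~1 -> "program files" mapping is an assumption for this example;
    real 8.3 names are assigned by the file system and must be resolved there."""
    return path.strip().strip('"').lower().replace("progra~1", "program files")


def image_name(path):
    """Bare executable name of a (possibly quoted, possibly 8.3) Windows path."""
    return normalize_path(path).rsplit("\\", 1)[-1]


def parse_line(line):
    """Return a dict for a recognised PG log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["event"] = ev["event"].upper()
    ev["image"] = normalize_path(ev["image"])
    ev["when"] = datetime.strptime(f"{LOG_YEAR} {ev['ts']}", "%Y %d %b %H:%M:%S")
    return ev


def find_orphaned_launches(log_text, parent="boclean.exe", child="bocsec.exe", window_s=120):
    """Timestamps of parent launches with no child execution before the window
    closes or the parent is launched again (the 'one entry, not two' symptom)."""
    events = [ev for ev in map(parse_line, log_text.splitlines()) if ev]
    orphans = []
    for i, ev in enumerate(events):
        if ev["event"] != "EXECUTION" or image_name(ev["image"]) != parent:
            continue
        deadline = ev["when"] + timedelta(seconds=window_s)
        child_seen = False
        for later in events[i + 1:]:
            if later["when"] > deadline or image_name(later["image"]) == parent:
                break
            if later["event"] == "EXECUTION" and image_name(later["image"]) == child:
                child_seen = True
                break
        if not child_seen:
            orphans.append(ev["ts"])
    return orphans


def summarize_images(log_text):
    """Execution count per normalised image, so short- and long-name spellings merge."""
    events = [ev for ev in map(parse_line, log_text.splitlines()) if ev]
    return Counter(ev["image"] for ev in events if ev["event"] == "EXECUTION")


if __name__ == "__main__":
    for ts in find_orphaned_launches(SAMPLE_LOG):
        print(f"{ts}: boclean.exe ran but never launched bocsec.exe")
```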

Jason_DiamondCS
April 1st, 2004, 04:36 AM
Have any of you guys contacted Kevin in regards to this?

Would be helpful to find out why BOClean is failing in some instances with PG and Block Global Hooks enabled.

I still think this is caused by using 8.3 pathnames for some things, and that there must be a small bug in PG's 8.3 pathname resolving, but Kevin would be able to verify this.

-Jason-

Oremina
April 1st, 2004, 05:33 AM
Have just emailed Kevin and asked if he can spare a mo to have a quick looksee here, to see if he can add anything.

I also take on board the views of nameless, who is having problems with simpler one exe programs, in which case it is hardly likely to be simply a BOClean problem.. more like Global Hooks, but I'll keep quiet now, as with my knowledge on any of this I can't possibly do any good, just groping in the dark.
Thanks for your input nameless, Jason and everybody else.

Kevin McAleavey
April 1st, 2004, 01:08 PM
-{ Quote: "quoting: Jason / DiamondCS
Have any of you guys contacted Kevin in regards to this?

Would be helpful to find out why BOClean is failing in some instances with PG and Block Global Hooks enabled.

I still think this is caused by using 8.3 pathnames for some things, and that there must be a small bug in PG's 8.3 pathname resolving, but Kevin would be able to verify this.

-Jason-

" }-

Hiya ... back on March 10, Wayne requested a "full copy" of BOClean 4.11 for testing which we submitted within minutes. At that same time, we had requested a copy of the PG for our own testing but Wayne said "no need, there's a new one coming." Never did get a copy of it. Surprising since our guys and your guys have many years of cooperative history.

I won't throw out specifics of our design in public, but I can say that all we're using is a SINGLE "HSHELL_WINDOWCREATED" hook which is used to ensure that BOClean hasn't been killed by a nasty. This in turn is used to refire BOClean should this occur. There's more to it, but I don't want to put our techniques out in public. We chose this primarily because being a DOCUMENTED Win32 procedure, it is supported on Win95/98 as well as NT/2000/XP.

From the sound of it, messages between our DLL and our programme are getting stomped whereas this wasn't the case prior. I suspect the problem might be the use of "undocumenteds" which Microsoft has said they are culling from the OS (insert standard Microsoft disclaimer on the use of "undocumenteds" here, heh) ... contact us at support@nsclean.com and we'll try to help out. However, it does look as though things that don't NEED to be intercepted are being trapped ...

Oremina
April 1st, 2004, 01:48 PM
Kevin

Most grateful for your timely response. It is much appreciated.

Wayne - DiamondCS
April 1st, 2004, 02:09 PM
*frown*
Kevin mate, if you were unhappy about anything you could've just dropped me an email!

I asked for a copy of BOClean for PG compatibility testing simply because you don't have a demo/evaluation version available for download from your website, so I didn't have much choice - if you did I would've just used that. When you enquired about Process Guard I told you that the free version is virtually identical to the registered version with the one exception being that the registered version can protect more than one user-defined process which is all you'd need for compatibility testing, and you were happy with that response then so I'm a bit puzzled as to why you're upset now.

You said "but Wayne said 'no need, there's a new one coming.'", but let's put it in proper context again - here's the full paragraph:
-{ Quote: "Btw, Process Guard full and free are identical, the only difference being the full version can protect more than one process but that won't have any impact on compatibility testing - if there's a problem in the full version it'll also be in the free version and vice versa, so you can grab it now and start testing immediately if you want - http://www.diamondcs.com.au/processguard/index.php?page=download
But I'd probably wait another week or so when we get the new version out as that has new features etc that will be more related to testing, such as process execution interception (kernel-mode, of course :-)" }-
The start of your response:
-{ Quote: "Works for me ... -snip-" }-

So I don't understand why you've had a change in heart, but you can test compatibility issues between BOClean and PG now because the free and full versions of PG are identical with the exception of protecting multiple processes, so I don't see what the problem is?
But even though it's a bit pointless as the free version does all you need for testing, I'll send you a license to the full version in the morning as a sign of good faith. So, everything AOK then? *extends hand* :)

Kevin McAleavey
April 1st, 2004, 04:24 PM
And apologies back at ya ... emailed you separately but won't go into that here - I'm sure you can verify if anyone needs to know that it's all amicable.

I was just surprised to see the response from Jason was all. You and I (and several others of us in this "biz") have always had a long history of cooperation with one another so the response came as quite a surprise to me as well.

But hey, as offered, I'll hand over the source code if need be so you can see what that hook is about - it's the least harmless of all hooks in the WinAPI and certainly as a "notify hook" can't be used maliciously in any way that I can imagine.

I'll leave it there, and be happy to help out with specifics as we've always done for each other ... after all, PRUDENT vendors such as each other want interoperability to be a "given" for our customers. It's THAT important ... but I don't need to tell YOU this. :)

Wayne - DiamondCS
April 1st, 2004, 09:48 PM
-{ Quote: "And apologies back at ya" }-
Thanks, but not necessary. :) I'm just happy there are no problems (it would've ruined the weekend!)

-{ Quote: "But hey, as offered, I'll hand over the source code if need be so you can see what that hook is about" }-
Thanks, but not required. :) But unfortunately this hook cannot be used for security purposes, I'll email you with full details. Full Disclosure lists would have a party with it :-\

Anyway we'll do some more compatibility testing on additional machines with PG and BOClean today to try and isolate what's going on, hopefully we'll have an answer in the next six hours or so in which case I'll email you the details and post a summary here.

Cheers,
Wayne

Jason_DiamondCS
April 1st, 2004, 10:21 PM
Hi Kevin,

I was just wondering if you have any code which if something fails (I guess this hook would be the starting place) that your app gracefully doesn't start? It would be helpful for me to know that it is your program that is gracefully shutting down rather than "something weird" going on like a crash causing it to not startup.

I will run some BOClean tests personally today to see if I can track down the issue, thanks for your timely response.

-Jason-

Jason_DiamondCS
April 1st, 2004, 11:01 PM
Well.. I have got BOClean to not startup 2 times now.

I don't think this is HOOK related, at least in regards to the hook which PG usually blocks when BOClean runs. The reason I think this is because BOClean runs fine SOMETIMES even when the hook is blocked on startup, and 100% of the time when you run it AFTER startup and it's hook gets blocked it runs also.

The odd thing is people have said turning off Block Global Hooks makes this problem go away, so it could possibly be a bug with the driver causing this on startup when there is CPU/HARD DRIVE congestion. There seems to be a lot of undocumented events occurring on startup so it may take a while to understand what is going on here which causes this particular issue.

-Jason-

nameless
April 1st, 2004, 11:22 PM
In addition to the other two workarounds I mentioned above (those being (1) Disable GH blocking entirely and (2) Start affected applications manually, rather than at startup), I offer yet another: Load the affected applications at startup, but introduce a delay in their loading so that they can load without being affected by whatever Process Guard bug is causing this problem.

The utility I use to delay startup applications is a freebie named Delayer (http://www.cottonwoodsw.com/). It is better than most others of its type because it doesn't interfere with anything else (being that it doesn't load one instance of itself that wants to control everything, but rather works on individual command lines), it's free, and it offers plenty of options.

I am only assuming that this workaround will actually help, but it's a strong assumption. Take affected applications and delay them by 30 or 60 seconds, and they should no longer pose a problem. An example command line for BOClean would be as follows:

"C:\Program Files\Delayer\Delayer.exe" "C:\Program Files\BOClean\BOClean.EXE" /D60 /H

Note that for BOClean, you will need to shut BOClean down before modifying the startup value in the registry (or else the changes will be undone when BOClean exits). Most applications won't have this requirement.

You can object that it's not a good idea for BOClean to be delayed on startup, but I say a delay is better than not having it running at all. And honestly, if your system shuts down with BOClean running, and nothing is detected, it will start up the same way. Besides, BOClean is quite CPU hungry when it loads, and delaying it will make startup performance better in general.

Oremina
April 2nd, 2004, 02:39 AM
Hi All

This thread is going on a bit but I must say it seems to be in a very positive vein...

Latest situation here is that yesterday I broke PG - well I did something wrong with Program Protection and hooks or whatever, can't really remember, but what happened was that SymProxySvc (of NIS2002) kept asking for access to the internet (which it already had) and I couldn't get rid of it, just kept popping right back up. Couldn't do anything on the internet so it was a case of breaking down in tears or having a few beers. So I had the beers and did a complete uninstall of PG in safe-mode, the whole shooting match including pguard.dat and phash.dat. After that everything was back to normal, no more problems with SymProxySvc or anything else.

I then reinstalled it, but had noticed a comment by Gavin in another thread to the effect that "Allow is good", but more importantly to me at this stage of the game that "blocking global hooks is not worth it for most people".. (see Gavin's reply in the thread: "Well Done! and a Question").

Accordingly I have left the Global Protection Options unticked, am putting .exe's into Program Protection one at a time and taking it easy instead of rushing to get it all done yesterday! Up to now everything is fine and I'm a happy camper again.

I will leave it so until the Global Hooks problem is solved.

I will mention something before I finish that once again may be coincidence - or not.

When I initially installed PG five days ago, I followed the instructions to the letter, all about "learning mode" etc.
When I did the reboot after that, as my desktop came up everything froze, by which I mean I had no icons at all in the systray, the mouse pointer would move about but nothing would react. After it became obvious that nothing would ever happen again, I switched off at the tower, went into safe mode and uninstalled it. Then reinstalled it again. This time, after the "learning mode" I put BOClean.exe into Program Protection along with NIS iamapp.exe and NAV navapw. It then performed perfectly.

The reason I mention this is that yesterday when I reinstalled, exactly the same thing happened again.
This time though I just put BOClean.exe on its own into PP and things went perfectly again.

Now, I really don't know if this makes any sense to you at DCS, I merely mention it in case it jogs anything in your minds and helps. It seemed to me as though BOClean needed to be in there first or nothing was going to happen. I just dunno... But that has happened both times I've done a clean install of PG and just seemed to me to be a bit coincidental.

Anyhow, I'm happy at the moment, PG is cooperating beautifully with everything else on my PC - but I guess only because Block GH is off.

I'll watch developments with great interest and hope everything works out well.

tech-addict
April 15th, 2004, 10:19 PM
I have been waiting to be sure the BO Clean issue was worked out before installing the new version 2.0 of PG, I was gonna try it over the Easter holiday but I noticed the forums were down so I just left well enough alone.
It took me considerable effort to get 1.3 to run properly (only runs well by delaying the startup) so I didn't want to bother with all that if there are still problems between BOC and PG.
Thanks for any info you can provide. :)

Oremina
April 16th, 2004, 03:18 AM
tech - addict

In General Protection Options, I have Block Global Hooks disabled (unticked). That way I have no problem whatsoever with BOClean. But if I enable it, then the same problem arises, that is BOClean will not fire up and has to be started manually (on occasion).
As far as I am aware the problem still exists, but having read round various threads it is a known problem and does not only apply to BOClean.

HTH

tech-addict
April 16th, 2004, 06:34 PM
Thanks for the reply, guess I'll give it a try now.
Hopefully they can eventually get these apps to be fully compatible, I like them both very much and wouldn't want to do without either one of them.
:D