BSOD on exiting virtual mode (Windows shutdown)

Discussion in 'Returnil releases' started by VanguardLH, Apr 23, 2012.

Thread Status:
Not open for further replies.
  1. VanguardLH

    VanguardLH Registered Member

    Windows XP Professional SP-3
    Returnil System Safe 2011 3.2.12918-REL14 (free version)
    Avast 7.0.1426 (free version)

    When I exit virtual mode for Returnil, or I shut down Windows (to reboot to get out of Returnil's virtual mode), I see the "Saving settings" dialog followed by "Windows shutting down" and then the computer crashes with a BSOD which says:

    Code:
    Event Type:	Error
    Event Source:	System Error
    Event Category:	(102)
    Event ID:	1003
    Date:		04/22/2012
    Time:		10:30:00 PM
    User:		N/A
    Computer:	ZODIAC
    Description:
    Error code 00000024, parameter1 001902fe, parameter2 f78be0c0, parameter3 f78bddbc, parameter4 804e37fe.
    
    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: 53 79 73 74 65 6d 20 45   System E
    0008: 72 72 6f 72 20 20 45 72   rror  Er
    0010: 72 6f 72 20 63 6f 64 65   ror code
    0018: 20 30 30 30 30 30 30 32    0000002
    0020: 34 20 20 50 61 72 61 6d   4  Param
    0028: 65 74 65 72 73 20 30 30   eters 00
    0030: 31 39 30 32 66 65 2c 20   1902fe, 
    0038: 66 37 38 62 65 30 63 30   f78be0c0
    0040: 2c 20 66 37 38 62 64 64   , f78bdd
    0048: 62 63 2c 20 38 30 34 65   bc, 804e
    0050: 33 37 66 65               37fe    
    Attached is the minidump file and the output from msinfo32.exe to give system info on my host.
    Well, I tried to upload the .dmp file but your "Manage Attachments" uploader screws up. It fails the upload when I select the .dmp file. I compressed it into a .zip file but then your uploader complains that it is an invalid file. Uh huh, invalid, sure, especially when I extract the compressed file and it compares okay bit-for-bit against the original. The .dmp file is 64KB. The .zip file is 9KB. You'll have to fix your forum software so I can attach the .dmp or its .zip file.
    Update: Figuring this forum software restricts the filetypes that can be uploaded, I renamed the .dmp file to .dmp.txt to pretend it was a text file. That uploaded okay. So rename .dmp.txt back to just .dmp when you retrieve it to your host.

    I attached the rvs-inst.log file. The rvs3.log file wouldn't upload due to filetype and size constraints in this forum. So I compressed the logfile into a .zip archive (but this forum won't take .zip files, either), and renamed it to rvs3.zip.txt. Rename back to .zip and then extract the rvs3.log file within (which is 4.7MB in size which exceeds the 1MB max for text files).

    Yes, I already know about the age-old shotgun troubleshooting step of installing Returnil first and then following with Avast. I uninstalled both Avast and Returnil, used Avast's cleanup utility, installed Returnil, and lastly installed Avast. That did not help. Returnil still generates a BSOD when shutting down Windows.

    I looked at the minidump using Nirsoft's BlueScreenView. I selected the red-highlighted items which presumably means they are the likely candidates or just the top 4 items on the stack. I pasted the lines below:

    Code:
    aswMon2.SYS	aswMon2.SYS+485327f8	0xaf38c000	0xaf3a2000	0x00016000	0x00000000		avast! Antivirus System	avast! File System Filter Driver for Windows XP	7.0.1426.0	AVAST Software	C:\WINDOWS\system32\drivers\aswMon2.SYS	
    fltMgr.sys	fltMgr.sys+4907b0	0xf742e000	0xf744db00	0x0001fb00	0x480251da	04/13/2008 01:32:58 PM	Microsoft® Windows® Operating System	Microsoft Filesystem Filter Manager	5.1.2600.5512 (xpsp.080413-2111)	Microsoft Corporation	C:\WINDOWS\system32\drivers\fltMgr.sys	
    Ntfs.sys	Ntfs.sys+dff0	0xf7b52000	0xf7bde600	0x0008c600	0x48025be5	04/13/2008 02:15:49 PM	Microsoft® Windows® Operating System	NT File System Driver	5.1.2600.5512 (xpsp.080413-2111)	Microsoft Corporation	C:\WINDOWS\system32\drivers\Ntfs.sys	
    ntoskrnl.exe	ntoskrnl.exe+c7fe	0x804d7000	0x806ee580	0x00217580	0x4ea6ba87	10/25/2011 08:32:55 AM	Microsoft® Windows® Operating System	NT Kernel & System	5.1.2600.6165 (xpsp_sp3_gdr.111025-1629)	Microsoft Corporation	C:\WINDOWS\system32\ntoskrnl.exe	
    The above list doesn't include the headers so you can tell what are all the values in each line. So I saved those lines from Nirsoft's BlueScreenView into bsod.txt (attached) that shows the name and value of each parameter.

    So, if I'm reading this listing correctly (with items shown listed in ascending order by their "Address in Stack"), it looks like aswMon2.sys might be crashing first; however, it is Returnil making Avast crash. If I don't go into Returnil's virtual mode or if Returnil is absent from my computer then there are no crashes when I shut down Windows.

    I disabled Returnil's anti-virus component since Avast would be active before going into virtual mode and still active after entering virtual mode. Of course, if Returnil is working correctly, it doesn't matter what AV program is running before and then during virtual mode since a reboot is supposed to wipe all changes, anyway. I disabled the AV component in Returnil to eliminate overlapped functionality with Avast and try to prevent conflict. In Avast, I configured its auto-sandbox to ask me if I want a process sandboxed. I don't want anything sandboxed unless I say so. This is to provide protection against malware but I don't want my known good apps to get sandboxed, so I have Avast ask me what to do with any process it thinks is behaving suspiciously. I am not prompted to sandbox any Returnil process when I enable Returnil's virtual mode. Returnil's anti-execute option is set to "Trust programs from real disk only".

    In Avast, I added an exclusion for C:\Program Files\Returnil\RVS, where some of Returnil's files are. Not all of them since, for example, it looks like Returnil puts some of its files under C:\Windows\system32\drivers. I didn't add those files because I'm not sure which ones belong to Returnil plus there could be other places Returnil deposited its files. Unless a comprehensive list of files and their locations is supplied, telling users to exclude Returnil files from Avast (or whatever other active security product they use) is probably worthless advice since users won't know where all the locations of Returnil files are. While I can try to exclude files in Avast for Returnil, I don't see anywhere in Returnil to exclude files for Avast. After adding the Returnil\RVS folder to Avast's exclusion list (in their File Shield since the exclude list under Settings is only for manual scan exclusions), I entered Returnil's virtual mode and shut down Windows. I still got the BSOD.

    Right after Avast's driver, Microsoft's Filesystem Filter Manager driver (fltMgr.sys) is listed. Well, Returnil sticks in its own file driver to intercept disk changes (to the cache or virtualized disk) to discard them on a reboot.

    No, I'm not getting rid of Avast because Returnil still has problems playing nice with Avast. If I get rid of one of these two programs, I'll get rid of Returnil.


    Last edited: Apr 23, 2012
  2. Coldmoon

    Coldmoon Returnil Moderator

    Hi,
    I have flagged the report and attachments to the engineering team and will get back as soon as I get their feedback on this.

    Mike
  3. VanguardLH

    VanguardLH Registered Member

    I noticed something else but didn't before correlate it to Returnil. Recently I started seeing a popup telling me that a "Delayed Write Failed". Never had that before. Figuring Returnil adds a driver to the file API so it can intercept disk changes (when in virtual mode but the driver is probably still loaded and passing through commands and data when not in virtual mode), I decided to uninstall Returnil.

    Below are the Event Viewer entries at the time the Delayed Write Error occurred:

    Code:
    Event Type:	Warning
    Event Source:	Ntfs
    Event Category:	None
    Event ID:	50
    Date:		04/24/2012
    Time:		03:58:52 PM
    User:		N/A
    Computer:	ZODIAC
    Description:
    {Delayed Write Failed} Windows was unable to save all the data for the file . The data has been lost. This error may be caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere.
    
    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: 04 00 04 00 02 00 52 00   ......R.
    0008: 00 00 00 00 32 00 04 80   ....2..?
    0010: 00 00 00 00 56 00 00 c0   ....V..À
    0018: 00 00 00 00 00 00 00 00   ........
    0020: 00 00 00 00 00 00 00 00   ........
    0028: 56 00 00 c0               V..À    
    Code:
    Event Type:	Information
    Event Source:	Application Popup
    Event Category:	None
    Event ID:	26
    Date:		04/24/2012
    Time:		03:58:52 PM
    User:		N/A
    Computer:	ZODIAC
    Description:
    Application popup: Windows - Delayed Write Failed : Windows was unable to save all the data for the file \$Mft. The data has been lost. This error may be caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere. 
    
    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Code:
    Event Type:	Warning
    Event Source:	Ntfs
    Event Category:	None
    Event ID:	50
    Date:		04/24/2012
    Time:		03:58:52 PM
    User:		N/A
    Computer:	ZODIAC
    Description:
    {Delayed Write Failed} Windows was unable to save all the data for the file . The data has been lost. This error may be caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere.
    
    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: 04 00 04 00 02 00 52 00   ......R.
    0008: 00 00 00 00 32 00 04 80   ....2..?
    0010: 00 00 00 00 56 00 00 c0   ....V..À
    0018: 00 00 00 00 00 00 00 00   ........
    0020: 00 00 00 00 00 00 00 00   ........
    0028: 56 00 00 c0               V..À    
    TrueCrypt wasn't even loaded at the times listed by these events. I did use TrueCrypt before to load an encrypted container but it had been closed an hour, or more, before the times for these events. I do NOT leave TrueCrypt running all the time. I configured it so it loads when I use it to open an encrypted container (a .tc file) and to unload when the last container is closed. I don't need it running when I don't have a container open.

    After closing the TrueCrypt container, I played a video game for quite a while which was fullscreen. So the "Delayed Write Failed" popup was either delayed until I exited the game or I simply didn't see it until I exited the game.

    I was getting the Delayed Write Failed several times every day. Chkdsk and the HDD maker's diag utilities found no problems. I didn't have these errors before installing Returnil (which was recent, like in the last week, as I decided to trial it again). After uninstalling Returnil, I've not had one of these errors. It's still a bit early to say they are completely gone, so I'll see if they show up now that Returnil is off my computer.

    My computer is old, probably built by me around 6-8 years ago. It has an Abit NF7-S v2 motherboard with the nForce2 chipset, 2GB dual-channel 400 MHz memory, and a mix of IDE and SATA hard disks. Because its BIOS does not natively support SATA drives (and why I have to hit F6 on installing Windows to load the SATA driver into Windows), I decided to use the IDE hard disk for the OS partition since the BIOS knows how to recognize that HDD. While the SATAraid BIOS sees the presence of the SATA disks (they are not in a RAID configuration), they aren't usable until Windows loads and the SATA drivers get loaded. The msinfo32 output should show the mix of hard disks. The IDE disk has 1 partition (C:) for the OS. One SATA disk is for drive D: (just 1 partition for entire disk) and holds data files, not apps. The only part of the OS on the SATA disk is the pagefile (which has extents defined on both the C: and D: drive but Windows will first use the extent on a partition other than for the OS to boost performance). The other SATA disk does not get a drive letter assigned except during backups. This is to help hide the backups so users or malware might not find them. I don't know if the mix of IDE (for OS) and SATA (for data and backups) hard disks would cause a problem with Returnil's file driver.
    Last edited: Apr 25, 2012
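The generic "hardware or network connection" text in the Ntfs Event ID 50 entries above hides the actual failure code, which is in the Data dump. The following decoder is an added example (not from the thread, Returnil, or AVAST): it converts the Event Viewer Data dump to bytes, unpacks it as the IO_ERROR_LOG_PACKET structure from wdm.h (assuming the 32-bit Windows XP layout, where two alignment bytes precede ErrorCode), names the status values from ntiologc.h and ntstatus.h, and also splits parameter 1 of the 0x24 bug check from the first post into NTFS source file id and line number. The function names, the code lookup table and the sample dump (copied from this post) are this example's own.

```python
import struct

# Constructed sample: the Ntfs Event ID 50 "Data:" dump from the post above,
# pasted as Event Viewer prints it so the parser sees realistic input.
NTFS_EVENT50_DATA = """\
0000: 04 00 04 00 02 00 52 00   ......R.
0008: 00 00 00 00 32 00 04 80   ....2..?
0010: 00 00 00 00 56 00 00 c0   ....V..À
0018: 00 00 00 00 00 00 00 00   ........
0020: 00 00 00 00 00 00 00 00   ........
0028: 56 00 00 c0               V..À
"""

# Names for the codes that occur in this thread (ntiologc.h / ntstatus.h);
# this table is the example's own and is deliberately small.
STATUS_NAMES = {
    0x80040032: "IO_LOST_DELAYED_WRITE",
    0xC0000056: "STATUS_DELETE_PENDING",
}
IRP_MAJOR_NAMES = {0x03: "IRP_MJ_READ", 0x04: "IRP_MJ_WRITE"}

# IO_ERROR_LOG_PACKET (wdm.h) as laid out on 32-bit Windows XP: two bytes of
# alignment padding follow EventCategory so ErrorCode sits at offset 0x0C.
PACKET_FMT = "<BBHHHHxxIIIIIq"
PACKET_SIZE = struct.calcsize(PACKET_FMT)  # 0x28; DumpData[] starts here


def parse_event_data(dump: str) -> bytes:
    """Convert an Event Viewer 'Data:' hex dump to raw bytes. The hex column is
    fixed width (8 bytes * ' xx' = 24 chars) and is sliced by position, because
    the ASCII column may hold two-letter tokens like 'bc' that look like hex."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        offset_str, rest = line.split(":", 1)
        if int(offset_str, 16) != len(out):
            raise ValueError(f"non-contiguous dump at offset {offset_str}")
        out += bytes.fromhex(rest[:24].replace(" ", ""))
    return bytes(out)


def decode_io_error_packet(data: bytes) -> dict:
    """Unpack the packet a file-system driver logged via IoWriteErrorLogEntry."""
    (major, _retry, dump_size, _nstrings, _stroff, _category,
     error_code, _unique, final_status, _seq, _ioctl, _devoffset) = \
        struct.unpack_from(PACKET_FMT, data)
    dump = struct.unpack_from(f"<{dump_size // 4}I", data, PACKET_SIZE)
    return {
        "major_function": IRP_MAJOR_NAMES.get(major, f"{major:#x}"),
        "event_id": error_code & 0xFFFF,  # low 16 bits of ErrorCode = Event ID
        "error_code": STATUS_NAMES.get(error_code, f"{error_code:#010x}"),
        "final_status": STATUS_NAMES.get(final_status, f"{final_status:#010x}"),
        "dump_data": [f"{d:#010x}" for d in dump],
    }


def decode_ntfs_bugcheck_param1(param1: int) -> dict:
    """Bug check 0x24 (NTFS_FILE_SYSTEM): parameter 1 packs the NTFS source
    file id in the high 16 bits and the source line in the low 16 bits."""
    return {"source_file_id": param1 >> 16, "source_line": param1 & 0xFFFF}


if __name__ == "__main__":
    print(decode_io_error_packet(parse_event_data(NTFS_EVENT50_DATA)))
    print(decode_ntfs_bugcheck_param1(0x001902FE))
```

FinalStatus is the NTSTATUS the write-back actually failed with and the value worth quoting in a report, since the event's message text omits it.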
  4. Coldmoon

    Coldmoon Returnil Moderator

    Hi,
    A delayed write failure in Windows should be due to a full cache if you were in Virtual Mode. Can you try increasing the cache size maximum until you stop seeing that error message and let me know the results?
  5. VanguardLH

    VanguardLH Registered Member

    To what cache size setting were you referring?

    I wasn't getting the Delay Write Failed error while in Returnil's virtual mode. I was not yet in virtual mode. I was getting these errors outside of virtual mode.

    When I was in virtual mode, it wasn't long enough to see these errors pop up. In a day, I might see anywhere from 3 to 6 of the Delayed Write Failed errors (while Returnil was installed but NOT yet in virtual mode). Because I saw the BSODs on exit, the only times that I've gone into virtual mode afterward were to test that the BSOD was caused by Returnil being active (in virtual mode) and then shutting down Windows (to exit virtual mode).

    Probably the most likely cause for the Delayed Write Failed errors outside of virtual mode was when I had an encrypted TrueCrypt .tc file open (as drive S:). The .tc file is 50GB in size. Maybe the hook for Returnil to monitor and intercept all disk I/O still exists outside of virtual mode; that is, you add your hook but it is primarily for redirecting file I/O to your cache or virtual disk when in virtual mode yet it is still passing file I/O commands when not in virtual mode, and maybe it cannot handle the huge TrueCrypt files that I have (but the non-hooked setup works okay).

    As a test, I uninstalled Returnil to check if I still get any Delayed Write Failed errors. So far in the day since, not any such errors. It is early so I'll wait a week before concluding that Returnil's presence was causing the errors. During that time, I'll be opening my TrueCrypt files occasionally so I can see if those trigger the errors.

    So for now Returnil is uninstalled while I see if any more Delayed Write Failed balloons appear over the system tray or if any such errors appear in Event Viewer.
  6. Coldmoon

    Coldmoon Returnil Moderator

    Virtual Mode > Settings > Percentage of... option

    A Windows delayed write error occurs when Windows does not have sufficient space left to write to the disk. This CAN happen with RVS/RSS when the cache is full and there is no longer any room left on the virtual System Partition (cache).

    There is no hook as that implies bad coding using a kernel hack of some type. The virtualization is created using a specific driver developed for the Windows environment using Microsoft best practices and a proper coding process.

    Does the issue occur if the TC volume is unencrypted but still mounted while Returnil is in Virtual Mode?

    You have two issues going on here affecting your available free space on the HDD. The first is that when in Virtual Mode and before a restart to release the virtualization, the default setting for the cache is to use a maximum of 50% of non-used space on the disk. If you have a smaller HDD and combine the fact that your TC volume is 50GB, you might actually be running out of disk space.

    If you are not saving game sessions to disk, you might try moving the TC volume to a non-system disk and then increasing the maximum percentage for the cache to see if that resolves the delayed write issue.
  7. VanguardLH

    VanguardLH Registered Member

    The huge 50GB .tc TrueCrypt file is on drive D: so it is already on a non-system hard disk - except, as mentioned, Windows is configured to place an extent of its paging file here (pagefile.sys). Returnil's virtual mode is protecting drive C: which is the OS partition (Windows XP Pro). C: and D: are partitions that encompass an entire hard disk. C: is one primary and active partition on the IDE hard disk. D: is one primary partition on the SATA hard disk. When I open the .tc file, it's on drive D:. I did not configure Returnil to protect anything other than the OS partition (drive C:). D: is not protected. Drive C: is a 120GB IDE hard disk, one partition, and has 74GB in free space left. Drive D: is a 160GB SATA hard disk, one partition, and has 96GB of free space left.

    However, I don't understand why a setting regarding Returnil's cache and which is valid only when Returnil's virtual mode is active applies for when virtual mode is NOT active. I haven't been in virtual mode long enough to deem whether the Delayed Write Failed error occurs when in virtual mode. I do know that when NOT in virtual mode (the prevalent scenario) is when I get the Delayed Write Failed errors. How does a cache size that utilizes the free space on a drive have any effect when that cache is NOT being used? The errors are occurring before I get into Returnil's virtual mode and where Returnil's cache is irrelevant. Does Returnil protect its cache space even when virtual mode is not active? That is, does Returnil hide the sectors used for the cache from the Windows API so it cannot see those sectors even when not in virtual mode? Does Returnil, like a rootkit, or Comodo's Time Machine, or some other snapshot tools, keep its cache in reserve so Windows cannot use that disk space even when the utility is not active (when not virtualized)? Or does that space used for the cache become available as normal free clusters in the file system when not in virtual mode?

    I've read where somehow a UDMA mode too high gets used for a drive. That is, the BIOS is configured to use, say, UDMA-6 for a channel on which a disk is attached but the drive itself only supports UDMA-5. I've checked this in Device Manager. The IDE channels are set to UDMA-5 for the Western Digital 120GB WD1200JB IDE hard disk. That hard disk supports mode 5 Ultra ATA (http://wdc.custhelp.com/app/answers/detail/search/1/a_id/704#). The SATA channel on the mobo (listed as SCSI controllers in Device Manager) lists the device as supporting ATA-7 with the "Current Transfer Mode" as Ultra DMA 6. The hard disk supports that. So it looks like the channels/controllers and hard disks are properly configured for the correct ATA protocol and transfer rate.

    Some articles relating causes of the Delayed Write Failed error mention the LargeSystemCache registry setting. According to http://support.microsoft.com/kb/895932, and from reading several other articles, it seems the LargeSystemCache registry setting should be zero (0) to be disabled which is also the default for Windows XP (I have the Pro version of XP). This article warns against using the system cache mode when using an AGP video card (which is true in my case). So it seems this setting is correct for my setup.

    Memory could be a cause; however, without Returnil installed (i.e., with Returnil absent from my host), there are no Delayed Write Failed errors. Also, memtest86 finds no problems with system memory after 3 passes.

    I've run both "chkdsk.exe /r" on all HDDs as well as Western Digital's diagnostics utility and they found no bad sectors. SMART data for both HDDs show zero (0) for Current Pending Sector Count (meaning no sectors had a read error that requires a later retest during a write operation or using the background test done by the hard disk's own diags).

    The IDE hard disk (C:, the OS partition) uses the correct 80-wire, 40-signal flat ribbon cable to eliminate noise or ringing errors. No other device is attached to that ribbon cable (I only have the one IDE hard disk and the CD/DVD drives using a different ribbon cable to a different mobo header and controller).

    I read http://support.microsoft.com/kb/330174 but cannot find an "Enable write caching" option for the IDE or SATA disks. I suspect it's always enabled or determined by the driver and the user doesn't get a choice. However, I can't see why any user would want to incur a performance penalty by disabling this option, if present.

    So far, the culprit appears to be the Returnil driver. When it is absent, there are no Delayed Write Failed errors. When it is present, and WITHOUT having to go into Returnil's virtual mode, the errors appear. I would assume Returnil's driver was not involved until virtual mode was activated but maybe I'm wrong. I don't know when Returnil's driver gets loaded (on Windows startup before login or loaded dynamically on-the-fly when needed), when it becomes active, when it is supposed to intercept disk I/O, or how it works.
  8. Coldmoon

    Coldmoon Returnil Moderator

    One thing I would ask you to check is to see if you can reproduce the blue screen with RSS installed, but with Avast! uninstalled.

    Mike