Ghostwall & Win XP 64 Problem / Bug Request

Hi...

I wonder if you can help me..
I have installed ghostwall and i have a windows xp 64 machine and found a possible error..

I have something called browser sentinal running which monitor spyware, registry changes, etc..


I have installed ghostwall .. and found that a under that browser sentinal referered to the ghostwall driver /service file as

\windows\system32\drivers\ghstwl64.sys

when i went to the directory there is no such file, the closes file i found was ghstwall.sys

i search the registry and found the legacy entry and the reference is to ghstwall

and then under HLMK \services\ghstwall its referenced at ghstwl64.sys again but there is no such file

i then went in to system properties : drivers : show hidden drivers :
you can see under non pnp devices the ghostwall entry..

and try and stop / restart the service it fails to do in a timely fashion .. (m$ words not mine ... mine are basically hangs )

1) is there a way of logging the install so i can you send you to check if the install is correct..

2) is there a file missing ghstwl64.sys

3) should it install anything in to the \windows\wow64 directory

4) should i just copy the ghstwall.sys and rename it ghstwl64.sys

I might know nothing and everything is ok.. but i thought i would let you know.. as i dont know if u had a win64 test enviroment..

Thanks for your time

devo:uk

 

Have you checked the properties for ghstwall.sys, specifically the version tab? There could be a possibility that when queried it is returning a different internal name that what you see on the screen. It doesn't happen often, but I have seen it.

 

yep.. unfortunately there are no properties for the .sys driver show...

I reinstalled again to check

i used browser sentinal to watch for new system items and it show the following

new driver : ghostsec
Ghost Security Unified Driver
Kernel Driver
F:\program files (x86)\\GhostSecuritySuite\ghostsec.sys
File Version 1.005

new driver : ghstwall
F:\WINDOWS\system32\drivers\ghstwl64.sys
Kernel Driver
File is not found

here are the registry enteries

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_GHSTWALL]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_GHSTWALL\0000]
"Service"="ghstwall"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="ghstwall"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_GHSTWALL\0000\Control]
"*NewlyCreated*"=dword:00000000
"ActiveService"="ghstwall"


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ghstwall]
"Type"=dword:00000001
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,46,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,67,00,68,00,73,00,\
74,00,77,00,6c,00,36,00,34,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="ghstwall"
"WOW64"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ghstwall\Security]
"Security"=hex:01,00,14,80,b8,00,00,00,c4,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,88,00,06,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,04,00,00,00,00,\
00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,06,00,00,00,00,00,14,00,00,01,\
00,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,00,18,00,fd,01,02,00,01,02,00,\
00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,00,00,00,00,00,05,12,00,00,00,\
01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ghstwall\Enum]
"0"="Root\\LEGACY_GHSTWALL\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GHSTWALL]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GHSTWALL\0000]
"Service"="ghstwall"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="ghstwall"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GHSTWALL\0000\Control]
"*NewlyCreated*"=dword:00000000
"ActiveService"="ghstwall"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ghstwall]
"Type"=dword:00000001
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,46,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,67,00,68,00,73,00,\
74,00,77,00,6c,00,36,00,34,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="ghstwall"
"WOW64"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ghstwall\Security]
"Security"=hex:01,00,14,80,b8,00,00,00,c4,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,88,00,06,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,04,00,00,00,00,\
00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,06,00,00,00,00,00,14,00,00,01,\
00,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,00,18,00,fd,01,02,00,01,02,00,\
00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,00,00,00,00,00,05,12,00,00,00,\
01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ghstwall\Enum]
"0"="Root\\LEGACY_GHSTWALL\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001


So i not too sure if it working or not.. if the file is required... but would like to get it working...


any ideas ?

 

My only other idea would be to send an email to Jason, mailto:support@ghostsecurity.com, outline your question and include a link to this thread. That way he will have all of the info you have provided available.

 

Hi devo.uk. In my X64 I can see that the system driver is working by going to Start - Accessories - System Tools - System information - Software Environment - System drivers, ghstwall is shown as a started kernel driver

HTH Pilli