HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Telos

    Telos Registered Member

    Joined: Jul 26, 2016; Posts: 171; Location: Frezhnacz

    I killed the HMP.A service. Awkward, but it worked for me.

    Hmmmm... so instead, we should periodically wipe free space?
     
  2. Duotone

    Duotone Registered Member

    Joined: Jul 9, 2016; Posts: 142; Location: Philippines

    CryptoGuard>Current attacker

    This is what I've been doing, only problem is I always forgot to turn it back on :D :D :D.


    Thanks erik...
     
  3. Stupendous Man

    Stupendous Man Registered Member

    Joined: Aug 1, 2010; Posts: 2,843; Location: the Netherlands

    Why not temporarily disable CryptoGuard, and re-enable it afterward?
    Is there a reason that you prefer stopping the HMP.A service over temporarily disabling CryptoGuard?

    With SSD? No free space wipes either.
    Options to make sure no information is to be found after disposal of an SSD:
    - physically destroy the SSD chips before disposal of the SSD,
    - or use full disk encryption from the moment you take the SSD in service (however, I don't know whether full disk encryption is compatible with the use of HMP.A CryptoGuard).
     
  4. erikloman

    erikloman Developer

    Joined: Jun 4, 2009; Posts: 3,152; Location: Hengelo, The Netherlands

    This just suppresses the alert. It is still being blocked.

    Writing zeroes is a no-op for SSDs. Or worst case you are wiping different blocks. End result, data is never securely erased on SSDs.

    Best is to use drive encryption so that data never exists in plain format on the disk. Then you also don't have to worry about secure deleting files as they are already secure on the disk.
     
    Last edited: Sep 3, 2016
  5. Telos

    Telos Registered Member

    Joined: Jul 26, 2016; Posts: 171; Location: Frezhnacz

    Good to know. For some reason though I recall PrivaZer wipe running after I did this. Well, I can't reconfirm as my beta recently expired.

    So I've been wasting my time writing zeros every week? At least I've got that encryption thingy going with a hardware-encrypted SSD. So much for false assurance.

    Thanks for your feedback Erik. I need to run some forensics on my SSD image.
     
  6. mirage22

    mirage22 Registered Member

    Joined: Apr 20, 2016; Posts: 51

    Hi Erik / Mark,

    It's been a month since the Anniversary Edition came out and its follow-on patches.

    I have again attempted to install HMPA - the latest beta version on my system. But after a reboot the system just hangs at a black screen with no disk activity. Luckily I made a system restore point before installing HMPA.

    Any clue as to what is happening and how to resolve it?
     
  7. Der.Reisende

    Der.Reisende Registered Member

    Joined: Aug 14, 2016; Posts: 51; Location: Germany

    Sorry for being late, did not get a mail notification. Thank you for pointing that out! Yes, to be expected, thank you! I wanted to have both developers and people with similar experiences to be aware of :) I run ZAM on my malware testing laptop, as expected it works flawlessly there. I use ZAL on this PC (for any purpose but not for dangerous environments), as I got a lifetime license for it and hope to improve protection, doing online banking on this machine.
     
  8. CaptainLeonidasHMPA

    CaptainLeonidasHMPA Registered Member

    Joined: Aug 14, 2016; Posts: 42; Location: The Netherlands

    Seems to me next week stands for longer than a week. An update would be handy.
    Perhaps adding days to those that bought a subscription till this "next week" becomes a real next week?

    Or perhaps I read the post wrong....
     
  9. mrhopper

    mrhopper Registered Member

    Joined: Sep 4, 2016; Posts: 1; Location: uk

    Apologies if this is the wrong way to do things - unable to find a new thread button.
    HMP has been coming up with alerts recently:

    Log Name: Application
    Source: HitmanPro.Alert
    Date: 03/09/2016 23:22:48
    Event ID: 911
    Task Category: Mitigation
    Level: Error
    Mitigation CryptoGuard

    Platform 6.3.9600/x64 06_3a
    PID 1840
    Application C:\Windows\System32\dasHost.exe
    Description Device Association Framework Provider Host 6.3
    Filename C:\Windows\System32\dasHost.exe
    C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Dlna\DeviceIcons\71c1816c-d12d-4a95-b9ea-dbf726668c0c_1.png
    C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Dlna\DeviceIcons\75e37c48-e57c-4f43-ba57-45d286fd237d_0.jpg
    C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Dlna\DeviceIcons\71c1816c-d12d-4a95-b9ea-dbf726668c0c_0.jpg

    Process Trace
    1 C:\Windows\System32\dasHost.exe [1840]
    dashost.exe {5f2abe8d-f8ba-435d-83d3ff4462009523}
    2 C:\Windows\System32\svchost.exe [424]
    C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted

    I am no mechanic, but have worked out that the above might have something to do with 'dasHost.exe' and have put this through a program called 'roguekillerPE' which shows that the file is unsigned, the checksum is correct and VirusTotal risk is low.
    The alert log also gives the level as 'error'. Does this mean that the alert is an error? It's a bit unsettling when a black screen suddenly appears saying 'possible attack intercepted hmp has terminated the process....'
    Can anyone shed some light? The program has a link to 'event log online help' but this only goes to the Microsoft homepage.

    john
     
  10. Buddel

    Buddel Registered Member

    Joined: Apr 28, 2015; Posts: 1,920

    I'm running HMP.A 3.5.0 Build 546 and KIS 16.0.1.445(e). No problems so far. Are there any known conflicts?
     
  11. Stupendous Man

    Stupendous Man Registered Member

    Joined: Aug 1, 2010; Posts: 2,843; Location: the Netherlands

    Hi John,
    It is fine that you post in this thread, that's the way to do it.

    dasHost.exe is part of your Windows 8.1 "Device Association Service".
    I don't know why HMP.A CryptoGuard reacts to dasHost.exe, saying 'possible attack intercepted hmp has terminated the process....'
    HMP.A CryptoGuard reacts to things that resemble crypto-ransomware actions. I don't know why it reacts to dasHost.exe.
    Could you tell us whether those HMP.A mitigations happen in direct relation to certain actions, things you do on your computer?

    Erik or Mark Loman (the HMP.A developers) may understand what is going on.
     
  12. guest

    guest Guest

    I noticed that KeePass is not switching to the secure desktop if HMP.A is installed.
    KeePass setting: [X] Enter master key on secure desktop
    After uninstalling HMP.A, KeePass is finally switching to the secure desktop o_O
     
  13. Cache

    Cache Registered Member

    Joined: May 20, 2016; Posts: 445; Location: Mercia

    There are known compatibility issues with using the secure desktop option in KeePass which is why it is deselected by default.
    http://keepass.info/help/kb/sec_desk.html
     
  14. erikloman

    erikloman Developer

    Joined: Jun 4, 2009; Posts: 3,152; Location: Hengelo, The Netherlands

    dasHost may get triggered by a DLNA device in your network. It's a bit hard to trigger/reproduce to come up with a fix as it involves using a TV or other DLNA device to trigger it.

    We have this under investigation.
     
  15. Stupendous Man

    Stupendous Man Registered Member

    Joined: Aug 1, 2010; Posts: 2,843; Location: the Netherlands

    Thanks, Erik.
    I hope John/ mrhopper can confirm that he has a DLNA device in his network, and whether he noticed a relation between using the DLNA device and the HMP.A CryptoGuard action.

    And Erik, can you enlighten us, how does a DLNA device trigger CryptoGuard? I would think DLNA behavior is nothing like the behavior that should trigger CryptoGuard. Or is it? I may be wrong.
     
  16. Adric

    Adric Registered Member

    Joined: Feb 1, 2006; Posts: 1,761

    Erik, I had a BSOD after safely removing a USB flash drive and then reinserting another one. BlueScreenView indicates HMPA was involved. I sent you the dump.

    DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS
     
    Last edited: Sep 4, 2016
  17. guest

    guest Guest

    Thanks. Then I better deselect it.
     
  18. erikloman

    erikloman Developer

    Joined: Jun 4, 2009; Posts: 3,152; Location: Hengelo, The Netherlands

    Windows creates PNG files for the DLNA device (TV or media player image) and modifies the images when the DLNA device is turned off.
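
A triage sketch for the dasHost/DLNA false-positive pattern discussed above, added here as an example; it is not part of any post in this thread and is not HitmanPro.Alert code. The field layout is inferred from the alert as posted in this thread, and `parse_alert` and `matches_dlna_icon_pattern` are hypothetical names.

```python
import ntpath
import re

# Alert text as posted by mrhopper earlier in this thread (Event ID 911).
SAMPLE_ALERT = r"""
Mitigation CryptoGuard

Platform 6.3.9600/x64 06_3a
PID 1840
Application C:\Windows\System32\dasHost.exe
Description Device Association Framework Provider Host 6.3
Filename C:\Windows\System32\dasHost.exe
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Dlna\DeviceIcons\71c1816c-d12d-4a95-b9ea-dbf726668c0c_1.png
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Dlna\DeviceIcons\75e37c48-e57c-4f43-ba57-45d286fd237d_0.jpg
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Dlna\DeviceIcons\71c1816c-d12d-4a95-b9ea-dbf726668c0c_0.jpg

Process Trace
1 C:\Windows\System32\dasHost.exe [1840]
dashost.exe {5f2abe8d-f8ba-435d-83d3ff4462009523}
2 C:\Windows\System32\svchost.exe [424]
C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted
"""

KEYS = ("Mitigation", "Platform", "PID", "Application", "Description", "Filename")
PATH_RE = re.compile(r"^[A-Za-z]:\\")                 # absolute Windows path
TRACE_RE = re.compile(r"^\d+\s+(.+?)\s+\[(\d+)\]$")   # "<n> <image path> [<pid>]"
DLNA_ICON_DIR = r"\appdata\local\microsoft\dlna\deviceicons"
IMAGE_EXT = {".png", ".jpg"}

def parse_alert(text):
    """Parse the plain-text alert layout shown in this thread (assumed layout)."""
    alert = {"files": [], "process_trace": []}
    section = None
    for line in filter(None, map(str.strip, text.splitlines())):
        key, _, value = line.partition(" ")
        if line == "Process Trace":
            section = "trace"
        elif key in KEYS and value:
            alert[key.lower()] = value.strip()
            section = key
        elif section == "Filename" and PATH_RE.match(line):
            alert["files"].append(line)   # paths listed under the Filename field
        elif section == "trace" and (m := TRACE_RE.match(line)):
            alert["process_trace"].append((m.group(1), int(m.group(2))))
    return alert

def matches_dlna_icon_pattern(alert):
    """True when a CryptoGuard alert fits the pattern described in the thread."""
    # A match narrows triage only: it says dasHost.exe touched nothing but
    # DLNA device-icon images. Verifying the binary itself is a separate step.
    app = alert.get("application", "").lower()
    files = alert["files"]
    return (
        alert.get("mitigation") == "CryptoGuard"
        and app == r"c:\windows\system32\dashost.exe"
        and bool(files)
        and all(
            ntpath.dirname(f).lower().endswith(DLNA_ICON_DIR)
            and ntpath.splitext(f)[1].lower() in IMAGE_EXT
            for f in files
        )
    )
```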
     
  19. erikloman

    erikloman Developer

    Joined: Jun 4, 2009; Posts: 3,152; Location: Hengelo, The Netherlands

    We will have a look at it. Thanks!
     
  20. Stupendous Man

    Stupendous Man Registered Member

    Joined: Aug 1, 2010; Posts: 2,843; Location: the Netherlands

    Thanks, Erik. I see.
    I noticed the .png and .jpg files mentioned in John's/ mrhopper's post, but I never thought of a mechanism such as you described.
     
  21. nameless

    nameless Registered Member

    Joined: Feb 23, 2003; Posts: 1,233

    I was not running the beta. I was running the official release. Which, obviously, was not well tested. But hardly any software is, ever. Ask me how I know. I do this for a living, every single work day. My monitoring tells everyone the site is down, I verify manually the site is down, and yet STILL, people claim it is not. It's just the same here. No one can be bothered testing anything, and almost everyone is incapable of noticing software defects. I can't tolerate it. This is the part where someone claims that there are too many configuration types and this and that for all to be tested, that bugs are inevitable, that all is right with the world... And if I had the inclination, I could put the lie to that as well. Not checking for replies. Got a refund, I'm done.
     
  22. Hiltihome

    Hiltihome Registered Member

    Joined: Jul 5, 2013; Posts: 1,131; Location: Baden Germany

    I had the same bluescreen twice, a few weeks ago.
    I don't recall which version of HMP.A was installed at that time.

    I've been running build 553 since it came out, and haven't seen that bluescreen since.
     
  23. erikloman

    erikloman Developer

    Joined: Jun 4, 2009; Posts: 3,152; Location: Hengelo, The Netherlands

    HitmanPro.Alert 3.5.2 build 556 Pre-Release

    Changelog (compared to build 548)
    • Added compatibility with Windows 10 Anniversary Update.
    • Improved CryptoGuard ransomware detection
    • Improved CryptoGuard on Distributed File Systems (DFS)
    • Improved compatibility with Norton Security
    • Improved compatibility with Trend Micro
    • Improved compatibility with Trusteer Rapport on 64-bit machines
    • Fixed BSOD caused by WipeGuard resource locking
    • Fixed a few small issues found during internal testing
    Download
    httx://test.hitmanpro.com/hmpalert3b556.exe (release pulled; please hold for another build).
     
    Last edited: Sep 6, 2016
  24. Stupendous Man

    Stupendous Man Registered Member

    Joined: Aug 1, 2010; Posts: 2,843; Location: the Netherlands

    All seems well on my Windows 7 x64.
     
  25. test

    test Registered Member

    Joined: Feb 15, 2010; Posts: 499; Location: italy

    just installed in my environment (10 x64 build 14393.105, Intel i7 4790):
    - EDGE is unable to start

    Mitigation ROP

    Platform 10.0.14393/x64 06_3c
    PID 4896
    Application C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    Description Microsoft Edge 11

    Callee Type LoadLibrary

    Stack Trace
    # Address Module Location
    -- ---------------- ------------------------ ----------------------------------------
    1 00007FFCD3D1CA1F KernelBase.dll LoadLibraryExW +0x16f
    2 00007FFCC8B00A94 urlmon.dll
    3 00007FFCC8B001BB urlmon.dll FindMimeFromData +0x22b
    4 00007FFCC8AFFD8D urlmon.dll
    5 00007FFCC8B448EA urlmon.dll UrlMkGetSessionOption +0x1aa
    6 00007FFCC8B289E7 urlmon.dll
    7 00007FFCC8B26F9F urlmon.dll
    8 00007FFCC8B2CCF1 urlmon.dll
    9 00007FFCC8B11CF7 urlmon.dll
    10 00007FFCC8B1C680 urlmon.dll
    11 0000000000000000 (unknown)

    - FP also with Avidemux 2.6

    Mitigation CallerCheck

    Platform 10.0.14393/x64 06_3c
    PID 4208
    Application C:\Program Files\Avidemux 2.6 - 64 bits\avidemux.exe
    Description Avidemux 2.6.12

    Callee Type ProtectVirtualMemory
    0x0000000000401000 (569344 bytes)

    Stack Trace
    # Address Module Location
    -- ---------------- ------------------------ ----------------------------------------
    1 00007FFCD3D45C95 KernelBase.dll VirtualProtect +0x35

    2 0000000000456496 avidemux.exe
    4989e8 MOV R8, RBP
    4889fa MOV RDX, RDI
    4889f1 MOV RCX, RSI
    e82cde0000 CALL 0x4642d0
    8b442454 MOV EAX, [RSP+0x54]
    83f840 CMP EAX, 0x40
    741a JZ 0x4564c7
    83f804 CMP EAX, 0x4
    7415 JZ 0x4564c7
    4d89e1 MOV R9, R12
    448b44242c MOV R8D, [RSP+0x2c]
    488b542448 MOV RDX, [RSP+0x48]
    488b4c2430 MOV RCX, [RSP+0x30]
    ffd3 CALL RBX
    90 NOP
    4883c460 ADD RSP, 0x60

    3 000000000045685A avidemux.exe
    4 000000000040124E avidemux.exe
    5 00000000004014C8 avidemux.exe
    6 00007FFCD4BB8364 kernel32.dll BaseThreadInitThunk +0x14
    7 00007FFCD7465E91 ntdll.dll RtlUserThreadStart +0x21

    Process Trace
    1 C:\Program Files\Avidemux 2.6 - 64 bits\avidemux.exe [4208]
    2 C:\Windows\explorer.exe [3196]
    3 C:\Windows\System32\userinit.exe [3124]

    - child processes apps does NOT produce flyout notifying if they are or less shielded
     