Been doing some testing of the SAM protection. Terabytes Image for Windows is fine. Drive Snapshot failed. Event Viewer just said it couldn't access the SAM file. I'll retest Acronis for you. Nothing in Event Viewer from last time as I did a Macrium "uninstall".
I'm still on build 720. To install the new 723 RC, do I still have to jump through the above hoops (and which ones), or can I simply install 723 over 720? Thanks.
(1) Before the uninstallation of Build 720, disable "Block Untrusted Fonts"; (2) then uninstall Build 720 and, before rebooting, remove the folder C:\ProgramData\HitmanPro.Alert; (3) reboot; (4) install Build 723.
Yes, @mood, I followed your guide to install the 723RC--Block Untrusted Fonts tile was gone from the interface altogether. The Credential Theft Protection was enabled, so enabled the SAM as well. It's Halloween every day at HMPA, it seems.
More testing on the SAM file. Acronis True Image Home 2018 is good. Full and incremental are fine. So far Drive Snapshot is my only failure. If you're curious about AOMEI, just test it. Worst that can happen is a failed backup. No other harm.
On the secondary machine with the beta? Nothing, no imaging. On primary machine, I use no betas but have an SSD that doesn't have full compatibility with Creators Update. So, no imaging there either, and I really need it there. I'm looking at your review of Terabytes, I think I'll try that instead of Macrium, which had multiple errors in event viewer the two times I tried to use it.
Do you have an idea why with the first test Acronis True Image Home 2018 was blocked, but not with the second test? What was different? Was SAM enabled with the first series of tests, but not with the second series of tests? And also, did IFW not fail the second test?
If you are happy with it you can use it on both machines, and be sure to check out Pandlouks scripts. They are beyond awesome.
Good summary, thanks. I'll make my way through the open windows and tabs and then follow the updating procedure.
Haven't been testing the HMPA betas, but thinking about trying out the RC. Still running HMPA 3.6.7 b604. Are there any known issues running HMPA RC 723 with VoodooShield 3.59?
Tested AOMEI Backupper and it failed with SAM ticked. @RonnyT Can you add Drive Snapshot and AOMEI Backupper to the exclusions? AOMEI Backupper mitigation result:
    Mitigation CredGuard
    Platform 10.0.16299/x64 v723 06_45
    PID 24240
    Application C:\Program Files (x86)\AOMEI Backupper\ABCore.exe
    Description AOMEI ABCore 4.0.4
    SAM access denied.
    Range = LBA 7264368 :272
    Read = LBA 7264256 :256
    Process Trace
    1 C:\Program Files (x86)\AOMEI Backupper\ABCore.exe [24240]
    2 C:\Program Files (x86)\AOMEI Backupper\ABService.exe [5376]
    Thumbprint 139455c7ea5db93f4fbffc1571e18f6d717fecfa7def24dbfec34735e114207f
The only issue I've encountered so far is clearing event logs in Event Viewer via command prompt* since it is so sloooow now 10 RS3 (1709 build 16299.64)
    * for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
Hi Paul, if you only image once a day or week, then you can just untick the one box, image and then retick. The reason it's so important to me is I image with Macrium hourly and with IFW, not hourly but several times a day on my work machine, so it has to be transparent. I may also go back to adding Acronis to the frequent list. You might note, all three of these programs have fast incremental imaging. Pete
I get that. I generally image nightly, and before significant changes. I am happy to leave SAM unticked, but maybe they can add DS and AOMEI as they are used a lot.
Up until yesterday I always left it unticked. Since they have Macrium, Acronis, and IFW, I'll bet they will add the others.
Hello, I'm on build 723, Windows 10 Insider Preview 17035. When trying to update to 17040 via Windows Update I get the following message:
    Mitigation CredGuard
    Platform 10.0.17035/x64 v723 06_4e
    PID 2688
    Application C:\Windows\System32\wuauclt.exe
    Description Windows Update 10
    SAM access denied.
    Range = LBA 131635960 :136
    Read = LBA 131636088 :7
    Process Trace
    1 C:\Windows\System32\wuauclt.exe [2688] "C:\WINDOWS\system32\wuauclt.exe" /RunHandlerComServer
    2 C:\Windows\System32\svchost.exe [3636] c:\windows\system32\svchost.exe -k netsvcs
After that Windows Update will initialize again and try to install the update till it gets killed again. Also, trying to update Visual Studio Enterprise 2017, I'll get:
    Mitigation Lockdown
    Platform 10.0.17035/x64 v723 06_4e
    PID 10684
    Application C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Hosts\Microsoft.ServiceHub.Host.CLR\vs_installerservice.exe
    Description 1.1.31
    Filename c:\windows\syswow64\\windowspowershell\v1.0\powershell.exe
    Command line: "c:\windows\syswow64\\windowspowershell\v1.0\powershell.exe" -NonInteractive -NoLogo -NoProfile -ExecutionPolicy Bypass -InputFormat None "$ErrorActionPreference="""Stop"""; $VerbosePreference="""Continue"""; $CeipSetting="""on"""; $ScriptPath="""C:\ProgramData\Microsoft\VisualStudio\Packages\Win10SDK_10.0.16299.Desktop,version=10.0.16299.0\WinSdkInstall.ps1"""; $SetupExe="""winsdksetup.exe"""; $SetupLogFolder="""windowssdk"""; $PackageId="""Win10SDK_10.0.RS3.Desktop"""; $LogFile="""C:\Users\marku\AppData\Local\Temp\dd_setup_20171117133109_001_Win10SDK_10.0.16299.Desktop.log"""; $SetupParameters="""/features OptionId.DesktopCPPx64 OptionId.DesktopCPPx86 OptionId.MSIInstallTools /quiet /norestart /uninstall"""; (gc $ScriptPath | out-string) | Invoke-Expression; if (!$?) { exit 1603 } elseif ($LastExitCode) { exit $LastExitCode }"
    Process Trace
    1 C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Hosts\Microsoft.ServiceHub.Host.CLR\vs_installerservice.exe [10684] "C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Hosts\Microsoft.ServiceHub.Host.CLR\vs_installerservice.exe" desktopClr$C94B8CFE-E3FD-4BAF-A941-2866DBB566FE 1b16677f6367f916c0dbb40c42df1b8f
    2 C:\Program Files (x86)\Microsoft Visual Studio\Installer\vs_installershell.exe [11920] "C:\Program Files (x86)\Microsoft Visual Studio\Installer\vs_installershell.exe" ./node_modules/microsoft-servicehub/host/HubController.js 6d789abbbd89ce2759078e46506ec4bc22605ad12b5507a276d9fa170de022ea
    3 C:\Windows\SysWOW64\cmd.exe [13524] C:\WINDOWS\system32\cmd.exe /s /d /c call "C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\node_modules\microsoft-servicehub\launchController.cmd" "C:\Program Files (x86)\Microsoft Visual Studio\Installer\vs_installershell.exe" ./nod
    4 C:\Program Files (x86)\Microsoft Visual Studio\Installer\vs_installershell.exe [17376] vs_installershell.exe --in "C:\ProgramData\Microsoft\VisualStudio\Packages\_bootstrapper\vs_setup_bootstrapper_201711171328345163.json" update --installPath "C:\Program Files (x86)\Microsoft Visual Studio\Preview\Enterprise" --activityId 8493574a-2583-4ece
    5 C:\Program Files (x86)\Microsoft Visual Studio\Installer\vs_installer.exe [19080] "C:\Program Files (x86)\Microsoft Visual Studio\Installer\vs_installer.exe" --in "C:\ProgramData\Microsoft\VisualStudio\Packages\_bootstrapper\vs_setup_bootstrapper_201711171328345163.json" update --installPath "C:\Program Files (x86)\Microsoft Visual Stu
    6 C:\Users\marku\AppData\Local\Temp\b859cd64881610083f\vs_bootstrapper_d15\vs_setup_bootstrapper.exe [17220] "C:\Users\marku\AppData\Local\Temp\b859cd64881610083f\vs_bootstrapper_d15\vs_setup_bootstrapper.exe" --update update --installPath "C:\Program Files (x86)\Microsoft Visual Studio\Preview\Enterprise" --activityId 8493574a-2583-4ece-ba7d-43470a21fb64 /final
    7 C:\ProgramData\Microsoft\VisualStudio\Packages\_bootstrapper\vs_bootstrapper.exe [18280] "C:\ProgramData\Microsoft\VisualStudio\Packages\_bootstrapper\vs_bootstrapper.exe" --update update --installPath "C:\Program Files (x86)\Microsoft Visual Studio\Preview\Enterprise" --activityId 8493574a-2583-4ece-ba7d-43470a21fb64 /finalizeinstall
    8 C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Hosts\Microsoft.ServiceHub.Host.CLR\vs_installerservice.exe [14088] "C:\program files (x86)\microsoft visual studio\installer\resources\app\ServiceHub\Hosts\Microsoft.ServiceHub.Host.CLR\vs_installerservice.exe" desktopClr$C94B8CFE-E3FD-4BAF-A941-2866DBB566FE 1be7f90b277c671aaf7a0c692b081652
    9 C:\Program Files (x86)\Microsoft Visual Studio\Installer\vs_installershell.exe [3936] "C:\program files (x86)\microsoft visual studio\installer\vs_installershell.exe" ./node_modules/microsoft-servicehub/host/HubController.js 7e254e4bbaec911d4aacac9455a21df0eda4d3a6a3948caab4f1c971933ff1f5
    10 C:\Windows\SysWOW64\cmd.exe [9964] C:\WINDOWS\system32\cmd.exe /s /d /c call "C:\program files (x86)\microsoft visual studio\installer\resources\app\node_modules\microsoft-servicehub\launchController.cmd" "C:\program files (x86)\microsoft visual studio\installer\vs_installershell.exe" ./nod
    11 C:\Program Files (x86)\Microsoft Visual Studio\Installer\vs_installershell.exe [7224] vs_installershell.exe update --installPath "C:\Program Files (x86)\Microsoft Visual Studio\Preview\Enterprise" --activityId 8493574a-2583-4ece-ba7d-43470a21fb64
    12 C:\Program Files (x86)\Microsoft Visual Studio\Installer\vs_installer.exe [10808] "C:\program files (x86)\microsoft visual studio\installer\vs_installer.exe" update --installPath "C:\Program Files (x86)\Microsoft Visual Studio\Preview\Enterprise" --activityId 8493574a-2583-4ece-ba7d-43470a21fb64
    13 C:\Program Files (x86)\Microsoft Visual Studio\Preview\Enterprise\Common7\IDE\devenv.exe [15808] "C:\Program Files (x86)\Microsoft Visual Studio\Preview\Enterprise\Common7\IDE\devenv.exe" "C:\Users\marku\OneDrive\Documents\Techniker\Priv_Sonstiges\TINF\C\171117_Zinsen\EmptyProject\EmptyProject.sln"
    14 C:\Windows\explorer.exe [7304] C:\WINDOWS\explorer.exe /factory,{ceff45ee-c862-41de-aee2-a022c81eda92} -Embedding
    Thumbprint 8d29374bb423f24d25e9872a2bb18637ea386987f431b540651c5b8792ced26a
Third, I'll get from time to time:
    Mitigation CredGuard
    Platform 10.0.17035/x64 v723 06_4e
    PID 4624
    Application C:\Program Files\Windows Defender\MsMpEng.exe
    Description Antimalware Service Executable 4.12
    SAM access denied.
    Range = LBA 131635960 :136
    Read = LBA 131636088 :7
    Thumbprint 46d27ce21097ef2efd740f09eec4868478ec9b94740c0671138d5a29fef09820
Regards, saenta
Hi Saenta, go to the yellow box, and then to Credential protection. Untick the SAM box and you will be fine.
I've had these:
Code:
    Log Name: Application
    Source: HitmanPro.Alert
    Date: 18/11/2017 11:28:49 AM
    Event ID: 911
    Task Category: Mitigation
    Level: Error
    Keywords: Classic
    User: N/A
    Computer: Dave-PC
    Description:
    Mitigation CredGuard
    Platform 10.0.16299/x64 v723 06_25
    PID 3488
    Application C:\Program Files\Windows Defender\MsMpEng.exe
    Description Antimalware Service Executable 4.12
    SAM access denied.
    Range = LBA 2413824 :256
    Read = LBA 2413824 :64
    Process Trace
    1 C:\Program Files\Windows Defender\MsMpEng.exe [3488]
    2 C:\Windows\System32\services.exe [632]
    Thumbprint 9da789ccc11105df09903bbc7a0afad3c6ff71bbe77d993d239fefdae48fbaa8
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="HitmanPro.Alert" />
        <EventID Qualifiers="0">911</EventID>
        <Level>2</Level>
        <Task>9</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2017-11-18T00:28:49.088407200Z" />
        <EventRecordID>7530</EventRecordID>
        <Channel>Application</Channel>
        <Computer>Dave-PC</Computer>
        <Security />
      </System>
      <EventData>
        <Data>C:\Program Files\Windows Defender\MsMpEng.exe</Data>
        <Data>CredGuard</Data>
        <Data>Mitigation CredGuard Platform 10.0.16299/x64 v723 06_25 PID 3488 Application C:\Program Files\Windows Defender\MsMpEng.exe Description Antimalware Service Executable 4.12 SAM access denied. Range = LBA 2413824 :256 Read = LBA 2413824 :64 Process Trace 1 C:\Program Files\Windows Defender\MsMpEng.exe [3488] 2 C:\Windows\System32\services.exe [632] Thumbprint 9da789ccc11105df09903bbc7a0afad3c6ff71bbe77d993d239fefdae48fbaa8</Data>
      </EventData>
    </Event>
Code:
    Log Name: Application
    Source: HitmanPro.Alert
    Date: 18/11/2017 11:28:49 AM
    Event ID: 911
    Task Category: Mitigation
    Level: Error
    Keywords: Classic
    User: N/A
    Computer: Dave-PC
    Description:
    Mitigation CredGuard
    Platform 10.0.16299/x64 v723 06_25
    PID 9308
    Application C:\Windows\System32\SrTasks.exe
    Description Microsoft® Windows System Protection background tasks. 10
    SAM access denied.
    Range = LBA 2413824 :256
    Read = LBA 2413824 :144
    Process Trace
    1 C:\Windows\System32\SrTasks.exe [9308] C:\Windows\system32\srtasks.exe ExecuteScheduledSPPCreation
    2 C:\Windows\System32\svchost.exe [1104] c:\windows\system32\svchost.exe -k netsvcs -p -s Schedule
    3 C:\Windows\System32\services.exe [632]
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="HitmanPro.Alert" />
        <EventID Qualifiers="0">911</EventID>
        <Level>2</Level>
        <Task>9</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2017-11-18T00:28:49.283578900Z" />
        <EventRecordID>7531</EventRecordID>
        <Channel>Application</Channel>
        <Computer>Dave-PC</Computer>
        <Security />
      </System>
      <EventData>
        <Data>C:\Windows\System32\SrTasks.exe</Data>
        <Data>CredGuard</Data>
        <Data>Mitigation CredGuard Platform 10.0.16299/x64 v723 06_25 PID 9308 Application C:\Windows\System32\SrTasks.exe Description Microsoft® Windows System Protection background tasks. 10 SAM access denied. Range = LBA 2413824 :256 Read = LBA 2413824 :144 Process Trace 1 C:\Windows\System32\SrTasks.exe [9308] C:\Windows\system32\srtasks.exe ExecuteScheduledSPPCreation 2 C:\Windows\System32\svchost.exe [1104] c:\windows\system32\svchost.exe -k netsvcs -p -s Schedule 3 C:\Windows\System32\services.exe [632] </Data>
      </EventData>
    </Event>
Disabling SAM on this machine for now.
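Added example, not part of any post above and not HitmanPro.Alert code: a Python parser for the mitigation alert text quoted in this thread, which tallies SAM denials per blocked executable so they can be triaged or listed in an exclusion request. The sample alerts are copied from the posts with thumbprints left out; reading "Range" and "Read" as start LBA plus sector count, with "Range" as the guarded extent, is an assumption, and the names `parse_alert` and `sam_denials` are hypothetical.

```python
import re
from collections import Counter

# Alert texts copied from the posts above, flattened as on the page (thumbprints left out).
ALERTS = [
    r"Mitigation CredGuard Platform 10.0.16299/x64 v723 06_45 PID 24240 Application "
    r"C:\Program Files (x86)\AOMEI Backupper\ABCore.exe Description AOMEI ABCore 4.0.4 "
    r"SAM access denied. Range = LBA 7264368 :272 Read = LBA 7264256 :256 Process Trace "
    r"1 C:\Program Files (x86)\AOMEI Backupper\ABCore.exe [24240] "
    r"2 C:\Program Files (x86)\AOMEI Backupper\ABService.exe [5376]",
    r"Mitigation CredGuard Platform 10.0.16299/x64 v723 06_25 PID 3488 Application "
    r"C:\Program Files\Windows Defender\MsMpEng.exe Description Antimalware Service "
    r"Executable 4.12 SAM access denied. Range = LBA 2413824 :256 Read = LBA 2413824 :64 "
    r"Process Trace 1 C:\Program Files\Windows Defender\MsMpEng.exe [3488] "
    r"2 C:\Windows\System32\services.exe [632]",
    r"Mitigation CredGuard Platform 10.0.17035/x64 v723 06_4e PID 2688 Application "
    r"C:\Windows\System32\wuauclt.exe Description Windows Update 10 SAM access denied. "
    r"Range = LBA 131635960 :136 Read = LBA 131636088 :7 Process Trace "
    r'1 C:\Windows\System32\wuauclt.exe [2688] "C:\WINDOWS\system32\wuauclt.exe" '
    r"/RunHandlerComServer 2 C:\Windows\System32\svchost.exe [3636] "
    r"c:\windows\system32\svchost.exe -k netsvcs",
]

HEAD = re.compile(r"Mitigation (\S+) Platform (\S+) v(\d+) \S+ PID (\d+) "
                  r"Application (.+?\.exe) Description")
LBA = re.compile(r"Range = LBA (\d+) :(\d+) Read = LBA (\d+) :(\d+)")
TRACE = re.compile(r"(?:^| )\d+ ([A-Za-z]:\\.+?\.exe) \[(\d+)\]")

def parse_alert(text):
    """Parse one alert; whitespace is normalised so line-broken copies also work."""
    flat = " ".join(text.split())
    head = HEAD.search(flat)
    if head is None:
        return None
    alert = dict(zip(("mitigation", "platform", "build", "pid", "app"), head.groups()))
    alert["sam_denied"] = "SAM access denied" in flat
    lba = LBA.search(flat)
    if lba:
        # Assumption: pairs are (start LBA, sector count); "Range" is the guarded extent.
        r0, rn, q0, qn = map(int, lba.groups())
        alert["overlap_sectors"] = max(0, min(r0 + rn, q0 + qn) - max(r0, q0))
    trace = flat.partition(" Process Trace ")[2]
    alert["trace"] = [(m[1], int(m[2])) for m in TRACE.finditer(trace)]
    return alert

def sam_denials(texts):
    """Count SAM denials per blocked executable, for triage or an exclusion request."""
    parsed = [a for a in map(parse_alert, texts) if a and a["sam_denied"]]
    return Counter(a["app"].rsplit("\\", 1)[-1] for a in parsed)
```

Under the stated assumption, every refused read in the sample overlaps the guarded extent (144, 64 and 7 sectors), whether it came from an imaging tool or a Windows component.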