HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. feerf56

    feerf56 Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    324
    1. I deleted DefenderControl from the EXCLUDE of Your applications.

    2. At Far Manager, I turned off Application Lockdown of CODE MITIGATIONS.

    The program is running. Thank you all for your help.

    2019-12-27_051418.jpg 2019-12-27_051442.jpg 2019-12-27_051541.jpg

    Curiosity:

    I turned on DefenderControl from Application Lockdown of CODE MITIGATIONS and DefenderControl is running. HitmanPro.Alert learned how to handle the program well!

    2019-12-27_053528.jpg 2019-12-27_053559.jpg
     
    Last edited: Dec 27, 2019
  2. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,842
    Location:
    the Netherlands
    Great!
    Thanks for the feedback, feerf56.

    Is this still the same after the next system reboot?
    If so, nice. If not, then you can disable Application Lockdown again.
     
  3. feerf56

    feerf56 Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    324
    2019-12-28_043812.jpg 2019-12-28_043854.jpg
    No, it is not. After 2 reboots and 1 PC shutdown it is perfect too. I remember it, as if a developer had written that HitmanPro.Alert was usually able to learn. Could it have been HitmanPro? Sorry, I don't know exactly.
     
    Last edited: Dec 27, 2019
  4. guest

    guest Guest

    As I suspected, FAR.exe was a protected program.

    Far Manager is a "file and archive manager" and as soon as it is creating files (for example an archive is extracted) or is "introducing files to the system", the extracted executable will be protected.
    I would leave Application Lockdown disabled for this application.
     
  5. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,233
    I went a month without using Process Hacker, because Microsoft (i.e. Windows Defender) and HMP both started incorrectly detecting it as malware. I couldn't stand not using Process Hacker anymore, so I just reinstalled it. Windows Defender no longer incorrectly detects Process Hacker as malicious. Could you please do the same with HMP (i.e. "Description App/PrcHacker-A")? It's a system information tool and it allows process manipulation/termination, but it's not malicious.

    I have the "Anti-Malware" component completely disabled for the time being.
     
  6. heikwith

    heikwith Registered Member

    Joined:
    Jul 29, 2002
    Posts:
    91
    I have here a repeatable BSOD in HitmanPro.Alert.
    My system is Windows 10 1909 up-to-date.
    Output of minidump analyzed by WinDbg hereafter:

    Microsoft (R) Windows Debugger Version 10.0.19528.1000 AMD64
    Copyright (c) Microsoft Corporation. All rights reserved.


    Loading Dump File [C:\Windows\Minidump\123019-36609-01.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available


    ************* Path validation summary **************
    Response Time (ms) Location
    Deferred srv*
    Symbol search path is: srv*
    Executable search path is:
    Windows 10 Kernel Version 18362 MP (8 procs) Free x64
    Product: WinNt, suite: TerminalServer SingleUserTS Personal
    18362.1.amd64fre.19h1_release.190318-1202
    Machine Name:
    Kernel base = 0xfffff805`32a00000 PsLoadedModuleList = 0xfffff805`32e48130
    Debug session time: Mon Dec 30 15:39:01.177 2019 (UTC + 1:00)
    System Uptime: 0 days 7:10:35.903
    Loading Kernel Symbols
    ...............................................................
    ................................................................
    ................................................................
    .............................
    Loading User Symbols
    Loading unloaded module list
    ..............................
    For analysis of this file, run !analyze -v
    nt!KeBugCheckEx:
    fffff805`32bc14e0 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:ffffd380`f09f0f50=000000000000007f
    2: kd> !analyze -v
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    UNEXPECTED_KERNEL_MODE_TRAP (7f)
    This means a trap occurred in kernel mode, and it's a trap of a kind
    that the kernel isn't allowed to have/catch (bound trap) or that
    is always instant death (double fault). The first number in the
    bugcheck params is the number of the trap (8 = double fault, etc)
    Consult an Intel x86 family manual to learn more about what these
    traps are. Here is a *portion* of those codes:
    If kv shows a taskGate
    use .tss on the part before the colon, then kv.
    Else if kv shows a trapframe
    use .trap on that value
    Else
    .trap on the appropriate frame will show where the trap was taken
    (on x86, this will be the ebp that goes with the procedure KiTrap)
    Endif
    kb will then show the corrected stack.
    Arguments:
    Arg1: 0000000000000008, EXCEPTION_DOUBLE_FAULT
    Arg2: ffffd380f09f1090
    Arg3: ffff8207f593eef0
    Arg4: fffff80532a3387e

    Debugging Details:
    ------------------

    *** WARNING: Unable to verify timestamp for win32k.sys

    KEY_VALUES_STRING: 1

    Key : Analysis.CPU.Sec
    Value: 4

    Key : Analysis.DebugAnalysisProvider.CPP
    Value: Create: 8007007e on DH-PC-W10N

    Key : Analysis.DebugData
    Value: CreateObject

    Key : Analysis.DebugModel
    Value: CreateObject

    Key : Analysis.Elapsed.Sec
    Value: 31

    Key : Analysis.Memory.CommitPeak.Mb
    Value: 73

    Key : Analysis.System
    Value: CreateObject


    ADDITIONAL_XML: 1

    BUGCHECK_CODE: 7f

    BUGCHECK_P1: 8

    BUGCHECK_P2: ffffd380f09f1090

    BUGCHECK_P3: ffff8207f593eef0

    BUGCHECK_P4: fffff80532a3387e

    TRAP_FRAME: ffffd380f09f1090 -- (.trap 0xffffd380f09f1090)
    NOTE: The trap frame does not contain all registers.
    Some register values may be zeroed or incorrect.
    rax=0000000000000001 rbx=0000000000000000 rcx=ffff9c85c8000340
    rdx=ffff9c85c8000340 rsi=0000000000000000 rdi=0000000000000000
    rip=fffff80532a3387e rsp=ffff8207f593eef0 rbp=ffff8207f593eff0
    r8=0000000000000000 r9=0000000000000110 r10=0000000000000000
    r11=ffff9c85c8002000 r12=0000000000000000 r13=0000000000000000
    r14=0000000000000000 r15=0000000000000000
    iopl=0 nv up ei pl nz na po cy
    nt!RtlpHpLfhSlotAllocate+0x3e:
    fffff805`32a3387e c6442440ff mov byte ptr [rsp+40h],0FFh ss:0018:ffff8207`f593ef30=??
    Resetting default scope

    CUSTOMER_CRASH_COUNT: 1

    PROCESS_NAME: Registry

    STACK_OVERFLOW: Stack Limit: ffff8207f593f000. Use (kF) and (!stackusage) to investigate stack usage.

    STACK_TEXT:
    ffffd380`f09f0f48 fffff805`32bd32e9 : 00000000`0000007f 00000000`00000008 ffffd380`f09f1090 ffff8207`f593eef0 : nt!KeBugCheckEx
    ffffd380`f09f0f50 fffff805`32bce145 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiBugCheckDispatch+0x69
    ffffd380`f09f1090 fffff805`32a3387e : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiDoubleFaultAbort+0x2c5
    ffff8207`f593eef0 fffff805`32a33294 : ffff9c85`c8000340 ffff9c85`c8002000 ffff9c85`c8004680 00000000`00000110 : nt!RtlpHpLfhSlotAllocate+0x3e
    ffff8207`f593f050 fffff805`32d6f06d : 00000000`00000001 00000000`00000000 00000000`00000000 00000000`000000f4 : nt!ExAllocateHeapPool+0xb94
    ffff8207`f593f190 fffff805`32a93fb9 : ffff9c85`fc068090 00000000`000000e4 ffff9c85`fc068090 ffff9c85`00000000 : nt!ExAllocatePoolWithTag+0x5d
    ffff8207`f593f1e0 fffff805`3302ae91 : ffffad02`ec37a080 00000000`00000000 00000000`00000000 fffff805`32f8d3e0 : nt!CmpAllocatePoolWithTag+0x9
    ffff8207`f593f210 fffff805`3302ad42 : 00000000`ffffffff ffff8207`f593f2f0 00000000`00000000 fffff805`32a39ddd : nt!CmpConstructNameFromKeyNodes+0xc1
    ffff8207`f593f290 fffff805`3302ac34 : 00000000`00000000 ffff8207`f593fa00 00000000`00000000 ffffad02`db5bb030 : nt!CmpConstructNameWithStatus+0xf2
    ffff8207`f593f2f0 fffff805`32a94282 : 00000000`00000000 00000000`00000000 00000000`00000800 00000000`00000000 : nt!CmpConstructName+0x14
    ffff8207`f593f320 fffff805`3302c193 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!CmpDoQueryKeyName+0x1a2
    ffff8207`f593f460 fffff805`3304757e : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!CmpQueryKeyName+0x13
    ffff8207`f593f4b0 fffff805`330448ae : ffff9c85`d139c580 ffffad02`db5bb030 00000000`00000800 ffff8207`f593f698 : nt!ObQueryNameStringMode+0xce
    ffff8207`f593f630 fffff805`3e2da37e : fffff805`3e2f5240 00000000`00000000 00000000`00000000 00000000`00000000 : nt!ObQueryNameString+0xe
    ffff8207`f593f670 fffff805`3e2f5240 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : hmpalert+0x2a37e
    ffff8207`f593f678 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : hmpalert+0x45240


    SYMBOL_NAME: hmpalert+2a37e

    MODULE_NAME: hmpalert

    IMAGE_NAME: hmpalert.sys

    STACK_COMMAND: .thread ; .cxr ; kb

    BUCKET_ID_FUNC_OFFSET: 2a37e

    FAILURE_BUCKET_ID: 0x7f_8_hmpalert!unknown_function

    OS_VERSION: 10.0.18362.1

    BUILDLAB_STR: 19h1_release

    OSPLATFORM_TYPE: x64

    OSNAME: Windows 10

    FAILURE_ID_HASH: {74c9883e-6392-ca5c-1b77-7180af17e9f3}

    Followup: MachineOwner
    ---------
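The `!analyze -v` output above already says STACK_OVERFLOW, but the numbers in it tell the whole story once they are lined up. The script below is an added example (not code from the post or from the HitmanPro.Alert vendor) that parses the pasted trap-frame registers, the STACK_OVERFLOW stack limit and the STACK_TEXT frames, then reports how far past the limit rsp had already gone, where the faulting `mov byte ptr [rsp+40h]` store landed, and how much kernel stack was left at the moment hmpalert.sys called into nt!ObQueryNameString. Two heuristics are assumptions of this example: frame sizes are approximated from the distance between consecutive Child-SP values, and frames whose Child-SP is more than 1 MiB away from the stack limit are treated as belonging to a different stack (the double-fault handler runs on its own IST stack). The two hmpalert frames were unwound without symbols, so their sizes are not reliable.

```python
"""Quantify the kernel stack exhaustion behind the 0x7F / double fault above."""
import re

# Copied from the WinDbg output in the post above (not constructed).
ANALYZE_OUTPUT = """
rip=fffff80532a3387e rsp=ffff8207f593eef0 rbp=ffff8207f593eff0
nt!RtlpHpLfhSlotAllocate+0x3e:
fffff805`32a3387e c6442440ff mov byte ptr [rsp+40h],0FFh ss:0018:ffff8207`f593ef30=??
STACK_OVERFLOW: Stack Limit: ffff8207f593f000. Use (kF) and (!stackusage) to investigate stack usage.
STACK_TEXT:
ffffd380`f09f0f48 fffff805`32bd32e9 : 00000000`0000007f 00000000`00000008 ffffd380`f09f1090 ffff8207`f593eef0 : nt!KeBugCheckEx
ffffd380`f09f0f50 fffff805`32bce145 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiBugCheckDispatch+0x69
ffffd380`f09f1090 fffff805`32a3387e : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiDoubleFaultAbort+0x2c5
ffff8207`f593eef0 fffff805`32a33294 : ffff9c85`c8000340 ffff9c85`c8002000 ffff9c85`c8004680 00000000`00000110 : nt!RtlpHpLfhSlotAllocate+0x3e
ffff8207`f593f050 fffff805`32d6f06d : 00000000`00000001 00000000`00000000 00000000`00000000 00000000`000000f4 : nt!ExAllocateHeapPool+0xb94
ffff8207`f593f190 fffff805`32a93fb9 : ffff9c85`fc068090 00000000`000000e4 ffff9c85`fc068090 ffff9c85`00000000 : nt!ExAllocatePoolWithTag+0x5d
ffff8207`f593f1e0 fffff805`3302ae91 : ffffad02`ec37a080 00000000`00000000 00000000`00000000 fffff805`32f8d3e0 : nt!CmpAllocatePoolWithTag+0x9
ffff8207`f593f210 fffff805`3302ad42 : 00000000`ffffffff ffff8207`f593f2f0 00000000`00000000 fffff805`32a39ddd : nt!CmpConstructNameFromKeyNodes+0xc1
ffff8207`f593f290 fffff805`3302ac34 : 00000000`00000000 ffff8207`f593fa00 00000000`00000000 ffffad02`db5bb030 : nt!CmpConstructNameWithStatus+0xf2
ffff8207`f593f2f0 fffff805`32a94282 : 00000000`00000000 00000000`00000000 00000000`00000800 00000000`00000000 : nt!CmpConstructName+0x14
ffff8207`f593f320 fffff805`3302c193 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!CmpDoQueryKeyName+0x1a2
ffff8207`f593f460 fffff805`3304757e : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!CmpQueryKeyName+0x13
ffff8207`f593f4b0 fffff805`330448ae : ffff9c85`d139c580 ffffad02`db5bb030 00000000`00000800 ffff8207`f593f698 : nt!ObQueryNameStringMode+0xce
ffff8207`f593f630 fffff805`3e2da37e : fffff805`3e2f5240 00000000`00000000 00000000`00000000 00000000`00000000 : nt!ObQueryNameString+0xe
ffff8207`f593f670 fffff805`3e2f5240 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : hmpalert+0x2a37e
ffff8207`f593f678 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : hmpalert+0x45240
"""

# "Child-SP RetAddr : Args to Child : Call Site" as WinDbg prints it for x64.
FRAME_RE = re.compile(r"^([0-9a-f]{8})`([0-9a-f]{8}) ([0-9a-f]{8})`([0-9a-f]{8}) : (.*?) : (\S.*)$")
LIMIT_RE = re.compile(r"Stack Limit: ([0-9a-f]{16})")
RSP_RE = re.compile(r"\brsp=([0-9a-f]{16})")
STORE_RE = re.compile(r"\[rsp\+([0-9a-f]+)h\]")   # displacement of the faulting store


def parse_frames(text):
    """Return (child_sp, return_address, symbol) for every STACK_TEXT frame line."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            child_sp = int(m.group(1) + m.group(2), 16)
            ret_addr = int(m.group(3) + m.group(4), 16)
            frames.append((child_sp, ret_addr, m.group(6).strip()))
    return frames


def _hex_field(pattern, text):
    m = pattern.search(text)
    if not m:
        raise ValueError(f"pattern not found: {pattern.pattern}")
    return int(m.group(1), 16)


def frame_sizes(frames):
    """Approximate bytes of stack used by each frame: distance to the caller's Child-SP.
    A negative or huge delta marks a stack switch (the double-fault handler runs on
    its own IST stack) and is reported as None. Heuristic, see lead-in."""
    sizes = []
    for (sp, _, sym), (caller_sp, _, _) in zip(frames, frames[1:]):
        delta = caller_sp - sp
        sizes.append((sym, delta if 0 <= delta < 0x10000 else None))
    return sizes


def stack_headroom(frames, limit):
    """Bytes between each Child-SP and the stack limit, for frames on the overflowed
    stack only. Negative means the frame already sits in the guard region."""
    return [(sym, sp - limit) for sp, _, sym in frames if abs(sp - limit) < 0x100000]


def first_frame_of(frames, module):
    """Topmost (most recent) frame that belongs to the given module, or None."""
    for frame in frames:
        if frame[2].split("!")[0].split("+")[0].lower() == module.lower():
            return frame
    return None


def analyze(text=ANALYZE_OUTPUT, module="hmpalert"):
    frames = parse_frames(text)
    limit = _hex_field(LIMIT_RE, text)
    rsp = _hex_field(RSP_RE, text)
    store = rsp + _hex_field(STORE_RE, text)     # target of 'mov byte ptr [rsp+40h],0FFh'
    driver = first_frame_of(frames, module)
    return {
        "frames": len(frames),
        "rsp_below_limit": limit - rsp,           # rsp had already crossed the limit by this much
        "faulting_store": store,                  # the '??' (unreadable) address in the disassembly
        "store_in_guard_region": store < limit,   # fault on the stack itself -> double fault
        "driver_frame": driver[2] if driver else None,
        "driver_headroom": (driver[0] - limit) if driver else None,  # stack left when the driver called in
        "needed_past_driver": (driver[0] - rsp) if driver else None,  # stack the callee chain then used
    }


if __name__ == "__main__":
    for key, value in analyze().items():
        shown = f"{value:#x}" if isinstance(value, int) and not isinstance(value, bool) else value
        print(f"{key}: {shown}")
    for sym, size in frame_sizes(parse_frames(ANALYZE_OUTPUT)):
        print(f"{(hex(size) if size is not None else '-'):>8}  {sym}")
```

Run as-is it reports that the kernel had 0x670 bytes of stack left when hmpalert.sys called nt!ObQueryNameString, that the name-construction path underneath needed 0x780, and that the store at 0xffff8207f593ef30 landed 0xd0 bytes below the stack limit, which is exactly the "fault while handling a fault on an unusable stack" that bugcheck 0x7F argument 8 describes. To apply it to another dump, paste that dump's trap frame, STACK_OVERFLOW line and STACK_TEXT into `ANALYZE_OUTPUT` or pass them to `analyze()`.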
     
  7. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    HitmanPro.Alert 3.8.0 Build 859 Released

    After releasing the new features via our Community Technology Preview (CTP) program we’ve finally released the new HitmanPro.Alert.
    In case you didn’t follow or missed the CTPs, here's what's new:

    CryptoGuard v5 (default On, system level)
    Complete redesign and rewrite of the award-winning and world's first anti-ransomware module (est. 2013). It now also monitors unknown file types, offers increased performance and reduced I/O overhead – which is specifically noticeable in low-bandwidth network scenarios and on endpoints where many documents or other files change frequently.

    Heap Heap Protect (default On, system level)
    We have identified an operational behavior of many multi-stage backdoors, like CobaltStrike and Meterpreter, and created a detection that will catch their so-called staged behavior. Specifically, we look at their memory allocation behavior at runtime.
    In addition, the memory allocation behavior observed in variants of prominent malware like Emotet and Trickbot (caused by the use of code obfuscation and multi-layer packing techniques) results in typical behavioral traits that Heap Heap Protect will also notice and block – before malicious actions are executed. For malware authors it may be easy to obfuscate their malware, but it is a lot harder for them to change the associated memory behavior.

    We have been testing an early version of this system-wide mitigation since December 2018 (build 771) and the initial mitigation went into action with build 779 (April 2019). For this build (859 and higher) we’ve further enhanced Heap Heap Protect to also block malicious process migration and .NET attack code that spawns from PowerShell.

    APISetGuard (default On, system level)
    A Windows ApiSet Stub DLL is a dynamically loaded module that Windows side-loads to help an application to be compatible with newer Windows platform versions. Such modules, like “api-ms-win-core-fibers-l1-1-1.dll”, act as a proxy to ensure compatibility with functionality that has changed in Windows compared to older versions of the operating system. For example, a specific Windows API function that used to require 4 arguments on Windows 7, could now require 5 arguments on Windows 10. In this example, the ApiSet Stub DLL will act as a proxy and add the 5th argument to ensure compatibility.
    In an attack scenario, an adversary may place a malicious ApiSet Stub DLL alongside an application, to manipulate its functionality, or in case of endpoint defense software bypass tamper protection and terminate protection.
    APISetGuard is an integral part of the DLL Hijacking mitigation under Advanced interface > Risk Reductions > Process Protection.

    FileProtection (default On, system level)
    This mitigation prevents replacement of accessibility tools (like StickyKeys) from a remote machine. This is specifically useful against attacks like BlueKeep, that target RDP-enabled servers and endpoints. In such an attack scenario, a remote attacker could replace an accessibility tool like the Utility Manager (UTILMAN.EXE) that is available on every Windows logon screen, including via RDP. Then, on the logon screen, the attacker can simply click on the accessibility tool to spawn his malware or a command prompt with SYSTEM privileges, without needing to provide any credentials. For more details and a demo, see: https://news.sophos.com/en-us/2019/07/01/bluekeep-poc-demonstrates-risk-of-remote-desktop-exploit/

    In addition, this mitigation protects the AMSI.DLL (Anti-Malware Scan Interface) when it is loaded by processes into memory. Defenses that use AMSI benefit from this protection as AMSI bypasses that rely on modifying the AMSI.DLL in memory will fail.

    JIT Guard (default On, app level)
    This new exploit mitigation prevents the use of Win32 API calls from within just-in-time (JIT) memory in web browser applications. This new mitigation is default enabled on Chrome-based and Firefox-based web browsers, and thwarts attacks on vulnerabilities like CVE-2019-9810.

    Lockdown DCOM (default On, app level)
    Part of Application Lockdown, this mitigation prevents the use of specific critical DCOM functions by VBA macros in Office applications.

    Safe Mode support
    We’ve added support for Windows in Safe Mode. This will stop ransomware that forces Windows to (re-)boot into a diagnostic mode and encrypt the system from there – in Safe Mode. This thwarts ransomware like GoSnatch, as described and demoed here: https://news.sophos.com/en-us/2019/07/01/bluekeep-poc-demonstrates-risk-of-remote-desktop-exploit/

    New user interface panels
    • Event List panel to view the alerts (finally replaces the standard Windows Event Viewer). The list offers a menu on each alert where you can suppress subsequent alerts on the same application, mitigation and condition. Details of alert events also include involved MITRE ATT&CK techniques.
    • Event Process Tree panel provides a timeline that graphically shows how an attack took place. Includes clickable objects, view dropped files per process, show time between processes, their exit state and hyperlinked SHA-256 hashes that open a report on VirusTotal (when it has one). Also allows you to go back and forth in time using the time slider. And zooming in and out of parent and child processes using your mouse scroll wheel. Pressing Print Screen offers to export the timeline to an image file.
    • Protected Volumes list panel to view the local and removable volumes as well as the network shares that are protected by CryptoGuard from ransomware.

    RDP Lockdown (default Off, system level)
    Locks down Remote Desktop (RDP) sessions to prevent attackers (that brute-forced or otherwise obtained a correct logon credential) from installing new programs like ransomware. Features:
    • Blocks access to new binaries that are introduced in RDP sessions
    • Strips administrator privileges from new processes
    • Allows generating a 2-factor token file to unlock an RDP session (automatically enforced when enabling the mitigation)
    RDP Lockdown also includes a new shell extension that shows an overlay icon on binaries that have been introduced in an RDP session. The extension also helps with unlocking the RDP session via a token file located on a drive shared with the RDP session.

    Added
    • CryptoGuard can run in either v4 or the new v5 mode.
    • CryptoGuard v5 block modes: Terminate, Isolate and Audit
      • Terminate: terminates and isolates the ransomware process (new default)
      • Isolate: detects and isolates the ransomware by revoking write access (old default)
      • Audit: detects ransomware, but takes no action on it (new)
    • Added license expiration reminder. Users that renew their license will receive a discount of 15% on a new license when buying one via the new reminder message.
    • Anti-Malware now relies on a new network manager module to detect when internet connection is lost or restored.
    • Excalibur.db is regularly truncated to prevent the file from becoming too large on high-activity machines.
    • Alert Events are now also stored in excalibur.db, the local event trace database.
    Improved
    • Improved CodeCave mitigation.
    • Improved HeapSpray mitigation.
    • CryptoGuard 4 and 5 now also handles ransomware attacks that leverage EFS (Windows Encrypting File System).
    • CryptoGuard 4 and 5 can now handle a deficiency in Windows leveraged by the RIPlace evasion technique.
    • WipeGuard inadvertently protected USB drives that were already connected during boot.
    • Keystroke Encryption was default enabled on the first window that was visible after install.
    • Inner workings of the Keystroke Encryption engine.
    • Keystroke encryption engine now correctly handles the Windows 10 Emoji Picker (shortcut Win + . )
    • Service is now hardened against unsolicited stop commands.
    • Alert processes are now additionally hardened by enabling several Windows 10 exploit mitigations.
    Fixed
    • Fixed initial dashboard when installing product in CryptoGuard-only mode.
    • Alt-Tab window could get stuck when the foreground process had keystroke encryption active.
    Removed
    • Credential Theft Protection no longer shields the Security Accounts Manager (SAM) database on the disk (CredGuard SAM). Too many legitimate applications access the SAM database for no apparent reason.
    Screenshots
    Capture1.PNG

    Figure 1: Advanced interface

    Capture2.PNG

    Figure 2: CryptoGuard 5

    GoSnatch-1.PNG

    Figure 3: Snatch ransomware blocked, showing involved MITRE ATT&CK techniques

    GoSnatch-3.PNG

    Figure 4: Process Tree of Snatch ransomware blocked in Safe Mode

    Process Tree 2.PNG

    Figure 5: Process Tree of another ransomware attack blocked, revealing PowerShell command line

    JITGuard1.png

    Figure 6: New exploit mitigation JIT Guard

    AMSI Protection.png

    Figure 7: Preventing manipulation of the Windows Antimalware Scan Interface (AMSI)

    Download

    https://dl.surfright.nl/hmpalert38.exe

    And perhaps best yet, this entire security product is still 4.8 MB in size; yes, that is no typo, it is less than five megabytes!

    We're going to gradually update our users to this build starting Monday 6, 2020. We're posting this build here now for anyone who wants to jump ahead now. Enjoy and have a happy new year! :thumb:
     
    Last edited: Dec 30, 2019
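The APISetGuard and FileProtection paragraphs in the release notes above describe two on-disk tampering patterns: an ApiSet stub DLL planted next to an application so it gets side-loaded, and a logon-screen accessibility tool such as UTILMAN.EXE swapped for a shell. The script below is an added example, not code from the post or from SurfRight/Sophos, that hunts for both on a directory tree. It assumes that legitimate api-ms-*/ext-ms-* stubs live under the Windows system directories, with one known exception it skips by default: the Universal CRT's app-local api-ms-win-crt-*.dll files that installers legitimately drop beside an executable. The accessibility check flags a tool whose content hash equals cmd.exe or powershell.exe in the same directory. The directory layout and file bytes produced by `build_sample_tree` are constructed for the demo and are not real Windows binaries.

```python
"""Hunt for planted ApiSet stub DLLs and replaced accessibility tools."""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# ApiSet contract names look like api-ms-win-core-fibers-l1-1-1.dll or ext-ms-win-...-l1-1-0.dll.
APISET_STUB = re.compile(r"^(api|ext)-ms-[a-z0-9]+(-[a-z0-9]+)*-l\d+-\d+-\d+\.dll$", re.I)
# Universal CRT app-local deployment legitimately ships these beside an application.
UCRT_PREFIX = "api-ms-win-crt-"
# Binaries reachable from the logon screen through the Ease of Access menu.
ACCESSIBILITY_TOOLS = ("utilman.exe", "sethc.exe", "osk.exe", "magnify.exe",
                       "narrator.exe", "displayswitch.exe", "atbroker.exe")
SHELLS = ("cmd.exe", "powershell.exe")


def sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_planted_apiset_stubs(root, system_dirs, ignore_ucrt=True):
    """ApiSet-named DLLs outside the Windows system directories, as (path, sha256).
    The loader resolves these names through the ApiSet schema, so a copy sitting next
    to an application only exists to be picked up by a side-loading search."""
    trusted = [Path(d).resolve() for d in system_dirs]
    hits = []
    for dirpath, _, files in os.walk(root):
        here = Path(dirpath).resolve()
        if any(here == t or t in here.parents for t in trusted):
            continue
        for name in files:
            if not APISET_STUB.match(name):
                continue
            if ignore_ucrt and name.lower().startswith(UCRT_PREFIX):
                continue                      # app-local UCRT: expected, not a finding
            hits.append((str(here / name), sha256(here / name)))
    return hits


def find_replaced_accessibility_tools(system32):
    """Accessibility tools whose bytes equal a shell in the same directory, as (tool, shell).
    This is the swap the FileProtection paragraph describes: replace utilman.exe or
    sethc.exe with cmd.exe and click it on the logon screen for a SYSTEM shell."""
    system32 = Path(system32)
    shell_hashes = {sha256(system32 / s): s for s in SHELLS if (system32 / s).is_file()}
    hits = []
    for tool in ACCESSIBILITY_TOOLS:
        path = system32 / tool
        if path.is_file():
            digest = sha256(path)
            if digest in shell_hashes:
                hits.append((tool, shell_hashes[digest]))
    return hits


def build_sample_tree(base):
    """Constructed demo layout with fake file contents (no real PE files)."""
    base = Path(base)
    sys32 = base / "Windows" / "System32"
    app = base / "Program Files" / "SomeApp"
    sys32.mkdir(parents=True)
    app.mkdir(parents=True)
    (sys32 / "cmd.exe").write_bytes(b"MZ fake cmd.exe")
    (sys32 / "utilman.exe").write_bytes(b"MZ fake cmd.exe")                # swapped for a copy of cmd.exe
    (sys32 / "sethc.exe").write_bytes(b"MZ fake sethc.exe")                # untouched
    (sys32 / "api-ms-win-core-fibers-l1-1-1.dll").write_bytes(b"MZ stub")  # in System32: expected
    (app / "SomeApp.exe").write_bytes(b"MZ fake app")
    (app / "api-ms-win-core-fibers-l1-1-1.dll").write_bytes(b"MZ planted")  # beside the app: flagged
    (app / "api-ms-win-crt-runtime-l1-1-0.dll").write_bytes(b"MZ ucrt")     # app-local UCRT: skipped
    return base, sys32


def scan(root, system32):
    return {
        "planted_apiset_stubs": find_planted_apiset_stubs(root, [system32]),
        "replaced_accessibility_tools": find_replaced_accessibility_tools(system32),
    }


def demo():
    """Build the constructed tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan(*build_sample_tree(tmp))


if __name__ == "__main__":
    for kind, findings in demo().items():
        print(kind)
        for item in findings:
            print("   ", *item)
```

On a real host, `scan(r"C:\Program Files", r"C:\Windows\System32")` does the same walk against the live file system; the hash comparison catches only the straight copy-of-a-shell swap, so a tool replaced by an unrelated binary still needs a signature or catalog check, which this example does not do.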
  8. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,233
    Does CryptoGuard v5 do a huge amount of writing to the disk like its predecessor does, causing people like me who notice to disable it completely?
     
  9. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    As mentioned, CryptoGuard 5 has reduced (disk) I/O overhead. For example, it no longer creates copies of files when they are opened for writing but instead transparently works with the internal Windows buffers for inspection. In addition, backups of the touched file blocks are not persisted to disk but are temporarily stored in memory, on the fly. So yes, it ought to be faster for your environment too.
     
    Last edited: Dec 30, 2019
  10. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,233
    Thank you. I saw that, but I/O and writing to disk aren't the same thing. :)
     
  11. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    Let us know what you think of this new version. Feedback is always welcome. Thank you! :thumb:
     
  12. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    Mark, do we need to disable Lockdown in Firefox to open downloaded programs, or has that been fixed?

    Thanks.
     
  13. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    That has been fixed in this build.
     
  14. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    Great! :thumb:
     
  15. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
  16. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    Smooth upgrade, on WIN10-1909-18363.535
    V5 enabled, successful backup with Veeam.
     
  17. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,469
    Location:
    Hollow Earth - Telos
    I have the Kaspersky System Watcher, so I have the HMPA crypto turned off now and won't be using V5 when I get the update next week.
     
  18. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Installed it on two 7x64 computers. TY! :)
     
  19. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,242
    No problems upgrading build 859. Good Job :)

    Win10 1909 build 18363.535 x64/Norton Security v22.19.9.63
     
  20. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Will 3.8.0 build 857 BETA auto-update, or do I need to download and install manually.

    3.7.12 build 793 ... same question.

    Edit: 857 BETA manually updated. No issues, Windows as per sig.
     
    Last edited: Dec 31, 2019
  21. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    Users on 793 will be automatically upgraded to 859 next week, starting Monday 9, 2020. Users that want to jump ahead today can download the upgrade manually now: https://dl.surfright.nl/hmpalert38.exe
    Users on 857 (or earlier preview/beta) are automatically updated to 859 as of today (Tuesday 31, 2019).
     
  22. feerf56

    feerf56 Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    324
    2019-12-31_154641.jpg

    2019-12-31_155819.jpg

    The application is not closed:

    2019-12-31_154702.jpg

    HitmanPro.Alert version 3.8.0 build 859 Windows Pro 64bit version 1909 build 18363.535
     
    Last edited: Dec 31, 2019
  23. heikwith

    heikwith Registered Member

    Joined:
    Jul 29, 2002
    Posts:
    91
    Mark,
    I got a repeatable BSOD in HitmanPro.Alert 3.7.12.793 (see my previous info about that).
    When I saw your reaction about possible early install of 859 final, I installed it but I got the same BSOD in hmpalert.
    I am running HitmanPro.Alert version 3.8.0 build 859 on Windows Home 64bit version 1909 build 18363.535
    Hereafter I give you the output of the dump analyses from the WhoCrashed program:
    (the first two came from 859 and last two from 793)
    Welcome to WhoCrashed (Professional Edition) v 6.65
    This program checks for drivers which have been crashing your computer. If your computer has displayed a blue (or black) screen of death, suddenly rebooted or shut down then this program might help you find the root cause of the problem and a solution.

    Whenever a computer suddenly reboots without displaying any notice or blue (or black) screen of death, the first thing that is often thought about is a hardware failure. In reality, on Windows a lot of system crashes are caused by malfunctioning device drivers and kernel modules. In case of a kernel error, many computers do not show a blue or black screen unless they are configured for this. Instead these systems suddenly reboot without any notice.

    This program will analyze your crash dumps with the single click of a button. It will tell you what drivers are likely to be responsible for crashing your computer. It will report a conclusion which offers suggestions on how to proceed in any situation while the analysis report will display internet links which will help you further troubleshoot any detected problems.

    To obtain technical support visit www.resplendence.com/support

    Click here to check if you have the latest version or if an update is available.

    Click the Analyze Local button to analyze this computer or the Analyze Remote button for a computer on the network...


    System Information (local)
    Computer name: DH-PC-W10N
    Windows version: Windows 10 , 10.0, build: 18363
    Windows dir: C:\WINDOWS
    Hardware: MS-7797, MEDION
    CPU: GenuineIntel Intel(R) Core(TM) i7-3770 CPU @ 3.40GHz Intel8664, level: 6
    8 logical processors, active mask: 255
    RAM: 8531890176 bytes (7,9GB)



    Crash Dump Analysis
    Crash dumps are enabled on your computer.

    Crash dump directories:
    C:\WINDOWS
    C:\WINDOWS\Minidump
    C:\WINDOWS\LiveKernelReports

    On Tue 31-12-2019 12:18:32 your computer crashed or a problem was reported
    crash dump file: C:\WINDOWS\Minidump\123119-46453-01.dmp
    uptime: 03:54:17
    This was probably caused by the following module: hmpalert.sys (hmpalert+0x3C8EE)
    Bugcheck code: 0x7F (0x8, 0xFFFFF800350A1E50, 0xFFFFF50D80FBAEF0, 0xFFFFF80030A3387E)
    Error: UNEXPECTED_KERNEL_MODE_TRAP
    file path: C:\WINDOWS\system32\drivers\hmpalert.sys
    product: HitmanPro.Alert
    company: SurfRight B.V.
    description: HitmanPro.Alert Support Driver
    Bug check description: This bug check indicates that the Intel CPU generated a trap and the kernel failed to catch this trap. Double Fault indicates that an exception occurs during a call to the handler for a prior exception. Most often this is caused by a software problem (kernel stack overflow) but this can also be caused by a hardware problem.
    A third party driver was identified as the probable root cause of this system error. It is suggested you look for an update for the following driver: hmpalert.sys (HitmanPro.Alert Support Driver, SurfRight B.V.).
    Google query: hmpalert.sys SurfRight B.V. UNEXPECTED_KERNEL_MODE_TRAP



    On Tue 31-12-2019 12:18:32 your computer crashed or a problem was reported
    crash dump file: C:\WINDOWS\MEMORY.DMP
    uptime: 03:54:17
    This was probably caused by the following module: hmpalert.sys (hmpalert+0x3C8EE)
    Bugcheck code: 0x7F (0x8, 0xFFFFF800350A1E50, 0xFFFFF50D80FBAEF0, 0xFFFFF80030A3387E)
    Error: UNEXPECTED_KERNEL_MODE_TRAP
    file path: C:\WINDOWS\system32\drivers\hmpalert.sys
    product: HitmanPro.Alert
    company: SurfRight B.V.
    description: HitmanPro.Alert Support Driver
    Bug check description: This bug check indicates that the Intel CPU generated a trap and the kernel failed to catch this trap. Double Fault indicates that an exception occurs during a call to the handler for a prior exception. Most often this is caused by a software problem (kernel stack overflow) but this can also be caused by a hardware problem.
    A third party driver was identified as the probable root cause of this system error. It is suggested you look for an update for the following driver: hmpalert.sys (HitmanPro.Alert Support Driver, SurfRight B.V.).
    Google query: hmpalert.sys SurfRight B.V. UNEXPECTED_KERNEL_MODE_TRAP



    On Mon 30-12-2019 16:45:42 your computer crashed or a problem was reported
    crash dump file: C:\WINDOWS\Minidump\123019-37390-01.dmp
    uptime: 01:04:43
    This was probably caused by the following module: hmpalert.sys (hmpalert+0x2A37E)
    Bugcheck code: 0x7F (0x8, 0xFFFFE1001B1F1090, 0xFFFFBB8DFB57CEF0, 0xFFFFF8020E63387E)
    Error: UNEXPECTED_KERNEL_MODE_TRAP
    file path: C:\WINDOWS\system32\drivers\hmpalert.sys
    product: HitmanPro.Alert
    company: SurfRight B.V.
    description: HitmanPro.Alert Support Driver
    Bug check description: This bug check indicates that the Intel CPU generated a trap and the kernel failed to catch this trap. Double Fault indicates that an exception occurs during a call to the handler for a prior exception. Most often this is caused by a software problem (kernel stack overflow) but this can also be caused by a hardware problem.
    A third party driver was identified as the probable root cause of this system error. It is suggested you look for an update for the following driver: hmpalert.sys (HitmanPro.Alert Support Driver, SurfRight B.V.).
    Google query: hmpalert.sys SurfRight B.V. UNEXPECTED_KERNEL_MODE_TRAP



    On Mon 30-12-2019 15:39:01 your computer crashed or a problem was reported
    crash dump file: C:\WINDOWS\Minidump\123019-36609-01.dmp
    uptime: 07:10:35
    This was probably caused by the following module: hmpalert.sys (hmpalert+0x2A37E)
    Bugcheck code: 0x7F (0x8, 0xFFFFD380F09F1090, 0xFFFF8207F593EEF0, 0xFFFFF80532A3387E)
    Error: UNEXPECTED_KERNEL_MODE_TRAP
    file path: C:\WINDOWS\system32\drivers\hmpalert.sys
    product: HitmanPro.Alert
    company: SurfRight B.V.
    description: HitmanPro.Alert Support Driver
    Bug check description: This bug check indicates that the Intel CPU generated a trap and the kernel failed to catch this trap. Double Fault indicates that an exception occurs during a call to the handler for a prior exception. Most often this is caused by a software problem (kernel stack overflow) but this can also be caused by a hardware problem.
    A third party driver was identified as the probable root cause of this system error. It is suggested you look for an update for the following driver: hmpalert.sys (HitmanPro.Alert Support Driver, SurfRight B.V.).
    Google query: hmpalert.sys SurfRight B.V. UNEXPECTED_KERNEL_MODE_TRAP




    Conclusion
    4 crash dumps have been found and analyzed. A third party driver has been identified to be causing system crashes on your computer. It is strongly suggested that you check for updates for these drivers on their company websites. Click on the links below to search with Google for updates for these drivers:

    hmpalert.sys (HitmanPro.Alert Support Driver, SurfRight B.V.)

    If no updates for these drivers are available, try searching with Google on the names of these drivers in combination with the errors that have been reported for these drivers. Include the brand and model name of your computer as well in the query. This often yields interesting results from discussions on the web by users who have been experiencing similar problems.


    Read the topic general suggestions for troubleshooting system crashes for more information.

    Note that it's not always possible to state with certainty whether a reported driver is responsible for crashing your system or that the root cause is in another module. Nonetheless it's suggested you look for updates for the products that these drivers belong to and regularly visit Windows update or enable automatic updates for Windows. In case a piece of malfunctioning hardware is causing trouble, a search with Google on the bug check errors together with the model name and brand of your computer may help you investigate this further.
     
  24. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    It is highly likely that a combination with some third party software is causing this. What other software do you have on your machine?
     
    Last edited: Dec 31, 2019
  25. feerf56

    feerf56 Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    324
    For me, BadUSB causes the blue screen. I turned it off and since then everything is OK!
     