RansomOff

Discussion in 'other anti-malware software' started by co22, Mar 28, 2017.

  1. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    RO enables minidumps; however, BSODs usually produce full dumps. You're probably aware that they are generally written to C:\Windows\Memory.dmp, so one may be there. It'll probably be a few GB depending on your RAM size, but if you could zip it up (they are a lot of empty space) and send it our way it would help immensely.
     
  2. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    If you can boot into safe mode, you should be able to locate the full dump in C:\Windows (hopefully it wrote one). But we are looking over the latest code now to see where this might be happening.

    Uninstalling does remove the databases so your settings will be lost.
     
  3. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    Thanks @cruelsister
     
  4. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Should have thought of that! Unfortunately, I have restored an image so dump is gone. It doesn't seem to be a general problem, else others would have reported this by now.

    Btw I did try to update again after an image restore and got the same BSOD so it wasn't an isolated incident, so restored again and uninstalled RO.

    I could try a clean install tomorrow to see if I get the same issue. If I do, I will send the dump.
     
  5. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    Great. Thanks!
     
  6. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    Does the RO installation require a reboot afterwards? I'd like to test RO in a Shadow Defender session but a reboot would reset the session.
     
  7. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    RO does require a reboot. Upper disk filters (which is what the MBR protection driver is) cannot load on-demand so it requires a reboot.
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Unfortunately no. I restored a snapshot.
     
  9. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    Ok thanks. No problem. I will test from a fresh image.
     
  10. cloggy49

    cloggy49 Registered Member

    Joined:
    Oct 6, 2015
    Posts:
    93
    Location:
    The Netherlands
    During normal operation, bang...BSOD Page Fault in Nonpaged Area, Failed: HDRansomOffDrv.sys. I'm zipping the 8GB memory dump and will send the download link to info at heidef.com

    Shortly after zipping the dump, I got another BSOD, so for the time being I've disabled the 3 protection options...

    Luckily I was able to reboot my PC w/o problems...pfew.. :)
     
    Last edited: May 22, 2017
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Good. I only got a minidump. Weird: I changed the VM so it selected the full memory.dmp, but it didn't build one. But it was the result of the same driver. I am going to try and identify the conflict.
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hmm Could have been
     
  13. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    HeiDef -Concerning App Lockdown setting box. :thumb:

    Very useful addition IMHO and beyond expectations is the expanded menu (growing!).

    Really like the SIMPLICITY of Folder Protection that sports the simple uncheck/recheck feature from context menu. Beautiful!

    Thank You ever so much for timely attention and efforts as you answer many more questions and help with users issues. You guys are appreciated!

    Am sort of unclear exactly what this possible error hints about. Please specify and thanks again in advance for this program.
     

    Attached Files: 88.jpg (51.8 KB)
    Last edited: May 22, 2017
  14. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    Hey @EASTER.

    While the app lockdown concept is pretty simple (intercept process creation and notify the user), there are a bunch of steps involved and some can fail along the way. Things such as low memory situations or possible disk IO problems will cause the notification process to be aborted. So at these various points that may fail they will need to return some value which will ultimately filter back to the decision point of "allow/deny this process." In the event of an error, while rare, we just wanted to provide an expected result should one occur. If you absolutely do not want a process to run unless you are notified, you'll want to select the 'Block' option. If you want a process to run in the event of an error, select 'Allow.' And if you want lockdown mode to turn off in the event of an error, then you can select that option too.
     
  15. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Got it.

    Also got blue screened today LoL

    Guess it's a good idea to remember next time to disengage self-protection before running a third party Defrag operation to disk. No Issues!

    A screen shot/recorder app refused to show window today too, added to exemptions and then window opened on desktop to run normally.

    Then next up a "Portable" cleaner app exhibited a same no window loading (watching process monitor it loads and is rapidly unloaded) <-Nice safety work!

    Adding that Folder + Process to Exemptions this time like before, but it still refused to display its window, unlike the screenshot app. Solution was to temporarily untick Protection->Ransomware to free up that spiderman glue you guys use to prevent ransomware in-the-face boxes from taking focus.

    This in effect immediately caused the (2) windows from the Portable Cleaner app (apparently held back) to show up normally as expected. Very Tight!

    The architecture is well thought out within this program and very formidable but then that's to be expected in order to meet the challenges of what might try to come at it in the many faces & forms of ransomware trickery.

    By the way, with that portable cleaner app the first time that RansomOff locked out the window from loading and the conflict of trying to load the window I would say against the shield to prevent it caused a blue screen. Short lived one time anomaly since I took to turning off Ransomware Only Protection to get the application's window to finally show.

    Like you mentioned earlier on another discussion Windows in this respect appears can be quirky and since it's but a brief disable to get it to run, nothing is lost by bypassing protection momentarily or longer to free up the window of some apps.

    Just wanted to pitch this out there for others to see if they happen on a same sort of this result if similar and what they can do should the Exemptions List not release that program's window.


    On a different note HeiDef- There sure is plenty to chew on with this latest release. Very tight architecture throughout.
     
  16. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA

    Did you happen to get a memory dump of your blue screen? We've been running RO all day on three test machines but still haven't gotten it to crash yet, and we'd really like to get this bug taken care of before it affects too many others (some who may be less forgiving than the folks on here).

    Can you also name the specific screen shot and cleaner apps you are using? We'd like to see what's holding them up. Thanks.
     
  17. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    http://www.r-wipe.com/ + https://www.zdsoft.com/screen-recorder/ so far. Neither is heavily used; however, I was surprised when their respective windows failed to open. Earlier I had installed an updated DirectX which had me thinking it might be the reason, but later learned it was RansomOff's nice tight window/focus element holding them back.

    I posted to see if anyone else who might use these similar apps or some other portable type screen apps were experiencing something similar.

    As indicated it's as simple as to temporarily uncheck/untick Protection-> Ransomware to release the grip. Then when done re-enable again.

    It's funny in a way since this app is such a firm shield against some of the worst of the worst of ransomwares, so the trade-off is nil for such a small matter on just a few screenie apps like discovered today.

    If another blue shows I'll be sure to hold it for review next time. It really was only a minor interruption and, best of all, I never got a single BSOD in all the malware tests shoved at it in testing, and those results are what matter most IMO.
     
  18. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    I have also been asked if I can recreate the dump, which seems to be caused after update to the new version. That is quite time consuming (images, etc.) but may try that later. I am tempted to try a fresh install first, though that doesn't really help find the problem if it works. :rolleyes:

    In my case, the BSOD occurred at or before the RO task bar icon appeared, so I could not disable protections.

    Out of interest, in Folder Protection did you have a drive protected that was disconnected? (One theory of mine :)).

    Anyway, I hope your zip file reveals something.
     
  19. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Yeah, it acted a bit queasy for me in that at one point I had tried to fix the window problem by quitting the app. Trouble was I couldn't find a way to restart RansomOff without a full system restart, which is OK with me anyway. As I am sure it is by design, assigned in a manner to keep it on a certain track to avoid tamper etc. This is code that needs guarding.

    That window focus issue for me is actually trivial and really means nothing since it's as simple as throwing a switch off/on again, but I didn't want it to slip past attention in case it might become some cause for concern or criticism with another user's applications which they might actually depend on coming out the way they expect the first time.

    I'm 100% confident they can and will fine tune the driver(s) to whatever adjustments will work best or reroute/rewire some internals to better synchronize whatever it takes to put these run ins behind.

    As to its combative/defensive capabilities vs. some really heavy ransomware, it's proven so far to hold its ground quite well under the worst of those.
     
  20. simmersK00L

    simmersK00L Registered Member

    Joined:
    Mar 20, 2013
    Posts:
    323
    Location:
    USA
    cruelsister gave a big thumbs up to RO recently at MT. I uninstalled AppCheckPro and installed RO last night, and so far no issues. Have not played with RO's various tweaks yet.
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Note: be sure to check your system if you want full dumps. Many are at default, so you only get minidumps. It does involve editing the registry, so BACKUPS are advised.
     
  22. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Yes - or CP>System>Advanced System Settings>Startup & Recovery Settings ... set to Complete Memory Dump (sometimes Kernel Memory Dump may be enough?).

    Edit: I am in the process of sending a 'Page fault in nonpaged area' HDRansomOffDrv.sys BSOD dump to HD. Hope it will help.
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Note if not set up for it, that setting panel may not show the memory dump. In that case there is a registry setting that needs to be changed. Google it for instructions.
     
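    The posts above describe the choice between minidumps and full dumps, the Startup & Recovery panel, the registry edit behind it, and the C:\Windows\Memory.dmp location. The PowerShell below is an added example, not something posted in this thread or shipped by HeiDef; it reads the CrashControl registry key that the panel edits, names the configured dump type, lists any dump files already written, and offers a function to switch to a complete memory dump. The key path and the CrashDumpEnabled values (0 none, 1 complete, 2 kernel, 3 small, 7 automatic) are Windows' own; the function names are the example's.

    ```powershell
    # Added example (not from the RansomOff thread or HeiDef): inspect and, if asked,
    # change the Windows crash-dump configuration that decides whether a BSOD leaves
    # a minidump or a full Memory.dmp behind. Run in an elevated PowerShell; a change
    # only takes effect after a reboot.

    $crashKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

    # Meaning of the CrashDumpEnabled DWORD, as Windows documents it.
    $dumpTypes = @{
        0 = 'None'
        1 = 'Complete memory dump'
        2 = 'Kernel memory dump'
        3 = 'Small memory dump (minidump)'
        7 = 'Automatic memory dump'
    }

    function Get-CrashDumpConfig {
        # Get-ItemProperty already expands REG_EXPAND_SZ values such as %SystemRoot%.
        $cfg  = Get-ItemProperty -Path $crashKey
        $type = [int]$cfg.CrashDumpEnabled
        [pscustomobject]@{
            CrashDumpEnabled = $type
            DumpType         = if ($dumpTypes.ContainsKey($type)) { $dumpTypes[$type] } else { "Unknown ($type)" }
            DumpFile         = $cfg.DumpFile      # normally %SystemRoot%\MEMORY.DMP
            MinidumpDir      = $cfg.MinidumpDir   # normally %SystemRoot%\Minidump
        }
    }

    function Set-CompleteMemoryDump {
        # 1 = Complete memory dump. Windows needs a page file on the boot volume of at
        # least physical RAM + 1 MB to write one, otherwise no dump is produced at all.
        Set-ItemProperty -Path $crashKey -Name CrashDumpEnabled -Value 1 -Type DWord
        Write-Host 'CrashDumpEnabled set to 1 (Complete memory dump). Reboot for it to take effect.'
    }

    function Get-ExistingDumps {
        # Report the full dump (if any) with its size in GB, then every minidump on disk.
        $cfg = Get-CrashDumpConfig
        if ($cfg.DumpFile) {
            $full = [Environment]::ExpandEnvironmentVariables($cfg.DumpFile)
            if (Test-Path $full) {
                Get-Item $full |
                    Select-Object FullName, @{ n = 'SizeGB'; e = { [math]::Round($_.Length / 1GB, 2) } }, LastWriteTime
            }
        }
        if ($cfg.MinidumpDir) {
            $miniDir = [Environment]::ExpandEnvironmentVariables($cfg.MinidumpDir)
            if (Test-Path $miniDir) {
                Get-ChildItem $miniDir -Filter *.dmp |
                    Select-Object FullName, Length, LastWriteTime
            }
        }
    }

    Get-CrashDumpConfig | Format-List
    Get-ExistingDumps   | Format-Table -AutoSize
    # To switch from the default automatic/minidump setting to a full dump:
    # Set-CompleteMemoryDump
    ```

    Two practical notes. On Windows 8 and later the default is Automatic memory dump (value 7), which is why the panel often shows no "Complete" choice until the registry value has been set to 1 directly, as Peter2150 says. And Compress-Archive in Windows PowerShell 5.1 cannot handle a single file over 2 GB, so a multi-GB Memory.dmp is best zipped with a separate archiver before it is sent to a vendor.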
  24. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    We just rolled back on the website to version 5.2017.139.8295 and disabled auto-updates for the time being so any new users do not download the current version with this BSOD issue.

    Hopefully we identify the issue shortly and get a new update released. Thanks for everyone's patience with this and again apologies for the inconvenience.
     
  25. Moose World

    Moose World Registered Member

    Joined:
    Dec 19, 2013
    Posts:
    905
    Location:
    U.S. Citizen
    Here is what has been happening when I install the latest RO as of Sunday!

    * I have five computers! Windows 10 Creators
    * 3 of the computers install, but when I reboot/restart they take a lot longer starting back up!
    * 2 of the computers will not boot at all; it said that ntfs.sys is missing and the boot page header is missing. Not happy!
    :mad::mad::mad::mad::mad: Blue Screen of Death! Umm!

    * Waiting on a Windows 10 CD/DVD to install the OS.
    * Then I have to reinstall the update for Windows 10 Creators.
    * Hoping that the OS will reinstall back on the 2 computers that will not boot.
    * :(
     
    Last edited: May 23, 2017