Getting this FP with CTP4 doing a search in the registry with RegeditX Crawler. The second search performed with no problem.

Log Name: Application
Source: HitmanPro.Alert
Date: 13-06-17 23:29:47
Event ID: 911
Task Category: (9)
Level: Error
Keywords: Classic
User: N/A
Computer: xxxxxxxx
Description:
Mitigation CredGuard
Platform 6.1.7601/x86 v710 06_25
PID 1544
Application C:\Program Files\RegEditX\RxCrawler.exe
Description RegEditX Crawler 3.0
\REGISTRY\MACHINE\SAM\SAM
Process Trace
1 C:\Program Files\RegEditX\RxCrawler.exe [1544] "C:\Program Files\RegEditX\rxcrawler.exe" -SingleInstance
2 C:\Windows\regedit.exe [4256] regedit.exe
3 C:\Program Files\RegEditX\RegEditX.exe [3424]
4 C:\Windows\explorer.exe [5164]
5 C:\Windows\System32\userinit.exe [5576]
6 C:\Windows\System32\winlogon.exe [5708] winlogon.exe
7 C:\Windows\System32\smss.exe [1424] \SystemRoot\System32\smss.exe 00000000 0000004c
Thumbprint eebfee85859808e7c4774d74e7e4095fd8f71735cd7abbf4ab79ce401862e5f2

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="HitmanPro.Alert" />
    <EventID Qualifiers="0">911</EventID>
    <Level>2</Level>
    <Task>9</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2017-06-13T21:29:47.000000000Z" />
    <EventRecordID>20681</EventRecordID>
    <Channel>Application</Channel>
    <Computer>norbert-m</Computer>
    <Security />
  </System>
  <EventData>
    <Data>C:\Program Files\RegEditX\RxCrawler.exe</Data>
    <Data>CredGuard</Data>
    <Data>Mitigation CredGuard
Platform 6.1.7601/x86 v710 06_25
PID 1544
Application C:\Program Files\RegEditX\RxCrawler.exe
Description RegEditX Crawler 3.0
\REGISTRY\MACHINE\SAM\SAM
Process Trace
1 C:\Program Files\RegEditX\RxCrawler.exe [1544] "C:\Program Files\RegEditX\rxcrawler.exe" -SingleInstance
2 C:\Windows\regedit.exe [4256] regedit.exe
3 C:\Program Files\RegEditX\RegEditX.exe [3424]
4 C:\Windows\explorer.exe [5164]
5 C:\Windows\System32\userinit.exe [5576]
6 C:\Windows\System32\winlogon.exe [5708] winlogon.exe
7 C:\Windows\System32\smss.exe [1424] \SystemRoot\System32\smss.exe 00000000 0000004c
Thumbprint eebfee85859808e7c4774d74e7e4095fd8f71735cd7abbf4ab79ce401862e5f2</Data>
  </EventData>
</Event>
@Peter2150 Btw.: Do you get an "Anti-VM" mitigation after the tray application (beta) from FIDES has been started? (see below)
Mitigation PrivGuard
Platform 10.0.14393/x64 v710 06_4e
PID 9288
Application C:\Program Files\Sandboxie\SandboxieCrypto.exe
Description Sandboxie COM Services (CryptSvc) 5.20
Sweep Code Injection
00000000001E0000-00000000001E6000 24KB C:\Program Files\Sandboxie\SbieSvc.exe [1980]
00000000001F0000-00000000001F1000 4KB
00007FFE60AF9000-00007FFE60AFA000 4KB
1 C:\Program Files\Sandboxie\SbieSvc.exe [1980]
2 C:\Windows\System32\services.exe [932]
The mitigation "Credential Theft Protection" is responsible for this. It is preventing you from accessing the credentials stored in the registry key \REGISTRY\MACHINE\SAM\SAM. To avoid the alert from HMP.A, try turning the mitigation off before you search the registry.
Did anyone on Windows 10 CU have trouble with Patch Tuesday? I needed to manually download and install the updates, and then it failed with a BSOD. I uninstalled it, tried again without security software, and it worked. Not sure if the problem was HMPA 710 or Kaspersky Internet Security 2018.
Some applications want to find out if they are running in a VM or in a sandbox (= "sandbox-aware"). If this happens, the mitigation Vaccination triggers an alert. It happened only once, so I guess you can leave it that way. Or follow the advice mentioned above: #286
I spoke too soon. Yesterday there were four "application errors" within a 60-minute time span, all like the following:
Code:
Faulting application name: IEXPLORE.EXE, version: 11.0.9600.18639, time stamp: 0x58d6bb0d
Faulting module name: hmpalert.dll, version: 3.7.0.709, time stamp: 0x59316cee
Exception code: 0xc0000005
Fault offset: 0x0004e26f
Faulting process id: 0x314
Faulting application start time: 0x01d2e52a137b3c6c
Faulting application path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Faulting module path: C:\Windows\SysWOW64\hmpalert.dll
Report Id: 529c5d9c-5150-11e7-b9a9-4c72b91da94f
Hi Erik!
Mitigation CredGuard
Platform 10.0.14393/x64 v710 06_25
PID 5852
Application C:\Program Files (x86)\Soft Organizer\HelperFor64Bits.exe
Description HelperFor64Bits.exe
\REGISTRY\MACHINE\SAM\SAM
Process Trace
1 C:\Program Files (x86)\Soft Organizer\HelperFor64Bits.exe [5852] RpcCapture RegSnapShot64CallParamsMmf-5116-74334976-103444527733
2 C:\Program Files (x86)\Soft Organizer\SoftOrganizer.exe [5116]
3 C:\Windows\explorer.exe [3680]
4 C:\Windows\System32\userinit.exe [3412]
Thumbprint 6b4190af73c2d017cf3d7aa463df5c565f3cf041397d2b6db246a1cd41d0ee0b
Is there a way to whitelist my keyboard so I don't get a notification from the USB keyboard module with every login? Even if I disable the module I still get the screen alert. I have an IR USB connected to a USB slot on the keyboard that is used for the wireless mouse.
I have updated to 710 now and the crashes continue.
Code:
Problem signature:
Problem Event Name: APPCRASH
Application Name: hmpalert.exe
Application Version: 3.7.0.710
Application Timestamp: 593adfaa
Fault Module Name: hmpalert.exe
Fault Module Version: 3.7.0.710
Fault Module Timestamp: 593adfaa
Exception Code: 40000015
Exception Offset: 0023c9f1
OS Version: 6.1.7601.2.1.0.768.3
Locale ID: 1033
Additional Information 1: 202e
Additional Information 2: 202ebd24078c8a8d508d256df40c3e2d
Additional Information 3: 78ce
Additional Information 4: 78ce6fce26317a4c02a360aaa8d5d037

From the Event Viewer:
Code:
Faulting application name: hmpalert.exe, version: 3.7.0.710, time stamp: 0x593adfaa
Faulting module name: hmpalert.exe, version: 3.7.0.710, time stamp: 0x593adfaa
Exception code: 0x40000015
Fault offset: 0x0023c9f1
Faulting process id: 0xd74
Faulting application start time: 0x01d2e6609fc2014e
Faulting application path: C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe
Faulting module path: C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe
Report Id: ea7d12aa-52e3-11e7-854a-4c72b91da94f
The only way to reset the number of alerts is to clear the Windows Application log in Windows Event Viewer.
Only with Chrome and SBIE:
Platform 10.0.14393/x64 v710 06_4e
PID 12140
Application C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Description Google Chrome 59
Sweep Code Injection
00000000008C0000-00000000008C6000 24KB C:\Program Files\Sandboxie\SbieSvc.exe [1532]
00000000008D0000-00000000008D1000 4KB
00007FFAB9A19000-00007FFAB9A1A000 4KB
000001C5A6940000-000001C5A6941000 4KB C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [7164]
00007FFAB9A46000-00007FFAB9A47000 4KB
00007FFAB9A48000-00007FFAB9A49000 4KB
1 C:\Program Files\Sandboxie\SbieSvc.exe [1532]
2 C:\Windows\System32\services.exe [932]
1 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [7164]
2 C:\Windows\explorer.exe [5608]
3 C:\Windows\System32\userinit.exe [5260]
Process Trace
1 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [12140] "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604 --primordial-pipe-token=0D4BA418C5F3C900700B2A1B687DD6EB --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visi
2 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [7164]
3 C:\Windows\explorer.exe [5608]
4 C:\Windows\System32\userinit.exe [5260]
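The CredGuard explanation earlier in the thread (the mitigation fires on reads of \REGISTRY\MACHINE\SAM\SAM) and the Sandboxie "Sweep Code Injection" alerts posted above both come down to the same triage question: who is the process, what did it touch, and what started it. The script below is an added example, not HitmanPro.Alert's code and not posted by anyone in the thread. It parses the Event ID 911 message text in the form quoted on this page (including the flattened one-line paste) and classifies each alert by its process chain; the "interactive chain" heuristic (userinit.exe and explorer.exe in the trace), the BENIGN_INJECTORS allowlist, and the third, service-chain sample are assumptions of the example rather than product behaviour.

```python
"""Parse and triage HitmanPro.Alert Event ID 911 messages.
Example added to this thread, not HitmanPro.Alert's own code. The record layout
(Mitigation / Platform / PID / Application / Description / Process Trace /
Thumbprint, plus 'Sweep Code Injection' regions) is inferred from the posts above."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# "<depth> <image path>.exe [<pid>] <optional command line>"
_TRACE_RE = re.compile(r"(?:^|\s)(\d{1,2}) ([A-Za-z]:\\[^\[]*?\.exe) \[(\d+)\]")
# "<start>-<end> <size>KB" optionally followed by "<injector path> [<pid>]"
_REGION_RE = re.compile(r"[0-9A-Fa-f]{16}-[0-9A-Fa-f]{16} \d+KB(?: ([A-Za-z]:\\[^\[]*?\.exe) \[\d+\])?")
# Assumption: operator-maintained allowlist of tools expected to write into other
# processes (Sandboxie's service, per the posts above). Not a product setting.
BENIGN_INJECTORS = {"sbiesvc.exe"}

@dataclass
class Alert:
    mitigation: str
    pid: int
    application: str
    registry_object: Optional[str]
    trace: List[Tuple[int, str, int]]  # (depth, image path, pid); depth 1 = alerting process
    injectors: List[str] = field(default_factory=list)
    thumbprint: Optional[str] = None

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]

def _grab(pattern: str, text: str) -> Optional[str]:
    m = re.search(pattern, text)
    return m.group(1).strip() if m else None

def parse_alert(text: str) -> Alert:
    t = " ".join(text.split())  # collapse newlines: tolerates the flattened forum paste
    mitigation = _grab(r"\bMitigation (\w+)", t) or (
        "CodeInjection" if "Sweep Code Injection" in t else "Unknown")
    # The victim's chain follows 'Process Trace'; an injector's own chain may
    # precede that keyword and is deliberately left out of the trace.
    tail = t.split(" Process Trace ", 1)[1] if " Process Trace " in t else t
    tail = tail.split(" Thumbprint ", 1)[0]
    return Alert(
        mitigation=mitigation,
        pid=int(_grab(r"\bPID (\d+)", t) or 0),
        application=_grab(r"\bApplication (.+?) Description ", t) or "",
        registry_object=_grab(r"(\\REGISTRY\\\S+)", t),
        trace=[(int(n), p, int(pid)) for n, p, pid in _TRACE_RE.findall(tail)],
        injectors=[m.group(1) for m in _REGION_RE.finditer(t) if m.group(1)],
        thumbprint=_grab(r"\bThumbprint ([0-9a-f]{64})", t),
    )

def is_interactive(a: Alert) -> bool:
    """Assumption: a chain through userinit.exe -> explorer.exe means a user
    launched the tool from the desktop, not a service or scheduled task."""
    names = {basename(p).lower() for _, p, _ in a.trace}
    return {"explorer.exe", "userinit.exe"} <= names

def triage(a: Alert) -> str:
    app = basename(a.application)
    if a.injectors:
        unknown = sorted({basename(i) for i in a.injectors
                          if basename(i).lower() not in BENIGN_INJECTORS
                          and basename(i).lower() != app.lower()})  # same image: parent <-> child
        if unknown:
            return f"investigate: {', '.join(unknown)} wrote into {app}"
        return f"suppress: only allowlisted or same-image injectors touched {app}"
    if a.mitigation == "CredGuard":
        obj = a.registry_object or "a protected credential store"
        if is_interactive(a):
            return f"review: user-launched {app} read {obj}"
        return f"investigate: non-interactive {app} read {obj}"
    return f"review: {a.mitigation} fired on {app}"

# Sample 1: the CredGuard message quoted at the top of this page, flattened form.
SAMPLE_CREDGUARD = (
    r"Mitigation CredGuard Platform 6.1.7601/x86 v710 06_25 PID 1544 Application C:\Program Files\RegEditX\RxCrawler.exe "
    r"Description RegEditX Crawler 3.0 \REGISTRY\MACHINE\SAM\SAM Process Trace "
    r'1 C:\Program Files\RegEditX\RxCrawler.exe [1544] "C:\Program Files\RegEditX\rxcrawler.exe" -SingleInstance '
    r"2 C:\Windows\regedit.exe [4256] regedit.exe 3 C:\Program Files\RegEditX\RegEditX.exe [3424] 4 C:\Windows\explorer.exe [5164] "
    r"5 C:\Windows\System32\userinit.exe [5576] 6 C:\Windows\System32\winlogon.exe [5708] winlogon.exe "
    r"7 C:\Windows\System32\smss.exe [1424] \SystemRoot\System32\smss.exe 00000000 0000004c "
    r"Thumbprint eebfee85859808e7c4774d74e7e4095fd8f71735cd7abbf4ab79ce401862e5f2")
# Sample 2: the Chrome/Sandboxie sweep quoted just above, command line shortened.
SAMPLE_SWEEP = (
    r"Platform 10.0.14393/x64 v710 06_4e PID 12140 Application C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "
    r"Description Google Chrome 59 Sweep Code Injection 00000000008C0000-00000000008C6000 24KB C:\Program Files\Sandboxie\SbieSvc.exe [1532] "
    r"00000000008D0000-00000000008D1000 4KB 00007FFAB9A19000-00007FFAB9A1A000 4KB "
    r"000001C5A6940000-000001C5A6941000 4KB C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [7164] "
    r"1 C:\Program Files\Sandboxie\SbieSvc.exe [1532] 2 C:\Windows\System32\services.exe [932] "
    r'Process Trace 1 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [12140] "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer '
    r"2 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [7164] 3 C:\Windows\explorer.exe [5608] 4 C:\Windows\System32\userinit.exe [5260]")
# Sample 3: constructed for this example, not from the thread: a SAM read from a service chain.
SAMPLE_SERVICE = (
    r"Mitigation CredGuard Platform 10.0.14393/x64 v710 06_25 PID 4242 Application C:\Users\Public\updater.exe "
    r"Description updater.exe \REGISTRY\MACHINE\SAM\SAM Process Trace 1 C:\Users\Public\updater.exe [4242] "
    r"2 C:\Windows\System32\svchost.exe [1120] 3 C:\Windows\System32\services.exe [932]")

if __name__ == "__main__":
    for sample in (SAMPLE_CREDGUARD, SAMPLE_SWEEP, SAMPLE_SERVICE):
        a = parse_alert(sample)
        print(f"{a.mitigation:<13} {basename(a.application):<16} {triage(a)}")
```

Run stand-alone it prints one verdict line per sample: the RegEditX read of the SAM hive is flagged "review" because its chain runs through explorer.exe and userinit.exe, the Chrome sweep is "suppress" because the only writers were Sandboxie's service and Chrome's own parent process, and the constructed service-chain read is "investigate". Feeding it the Description field of real 911 events (e.g. exported from the Application log) rather than clearing the log, as suggested above, keeps the history while still letting you separate the repeat false positives from anything new.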