3 Blue Screens in 12 Hours since PG Installed

Discussion in 'ProcessGuard' started by DAMOX, Jun 28, 2004.

Thread Status:
Not open for further replies.
  1. DAMOX

    DAMOX Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    21
    Hopefully someone has some ideas on why my computer has been crashing periodically since installing Process Guard.

    Event Type: Information
    Event Source: Save Dump
    Event Category: None
    Event ID: 1001
    Date: 6/27/2004
    Time: 8:28:20 PM
    User: N/A
    Computer: WHITEHORSE
    Description:
    The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001e (0xc0000005, 0x80460bcb, 0x00000000, 0x00000003). Microsoft Windows 2000 [v15.2195]. A dump was saved in: C:\WINNT\Minidump\Mini062704-03.dmp.

    The first crash was on my first boot up after install. The second occurred coincidentally while opening a firefox browser window. The 3rd when I was away from the computer - not sure what was going on then. Before today, I don't remember ever having a blue screen on this computer, though I possibly could have had one a couple of years ago.

    Checking the event viewer, I don't see any unusual or significant events around the time of the crashes.


    OS: Win2K SP4

    NIC: 3C905BTX

    Other Programs Running:

    TDS-3.2.0
    Worm Guard
    Norton Anti-Virus 2003
    Wall Watcher
    In CD
    Clipmate 6
    Webshots
    I Hate Spam (Module loading but program is disabled)
    No Personal Firewall

    I access the internet via cable.

    Thanks for any help you can give.

    One more thing, this is my first post ever at Wilders. I logged in, and then while I was writing the post, I somehow was logged out, because when I hit the submit button, I had to log in again, and of course my post was lost, so I had to rewrite it! What's up with that?

    Dan
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Damox, It is very important that you install Process Guard on a clean machine also that no other non essential services / programs are running such as Worm Guard, your AV etc.

    Uninstall PG by disabling protection then running the uninstaller, reboot and re-install after disabling other programs as stated above.

    Leave in learning mode and try all your programs - Re-boot and then only add programs slowly noting what allows etc. each program needs by watching the Process Guard log then make the necessary changes.

    HTH Pilli
     
  3. DAMOX

    DAMOX Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    21
    OK I'll try that. I am certain my computer is clean, but I'll try disabling all other services. Thanks for the help Pilli.

    Dan
     
  4. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    If I recall correctly, the standard learning mode lasts from the initial use point until the next reboot. If a user turns learning mode on at a later time, it's active until the user disables it. The only reason I mention this is that I had some automated updating and screensaver issues that were hard to debug since I'd leave the machine with everything fine and return to a complete lockup some time later. Putting PG back into learning mode helped me figure out what was occurring and eliminate the lockups.

    Blue
     
  5. DAMOX

    DAMOX Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    21
    That's an interesting point. When I first booted up after installing PG on this system, it seemed to only stay in learning mode for a short time. It seemed like only 20 - 30 minutes before I noticed it was no longer in the learning mode. Not knowing much about the program, I figured it was normal so I let it go. Thanks Blue.

    Dan
     
  6. DAMOX

    DAMOX Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    21
    I did just like you suggested. I disabled or removed from startup just about every process/program I could and then rebooted. When I restarted, only essential processes were running. I then installed Process Guard and rebooted. I had forgotten to copy the key to the Process Guard folder, so I had to reboot a second time. I spent about 1 hour opening various programs and every thing was going smoothly until I opened Outlook (I have the version that comes with Office XP) a second time. Suddenly the system blue screened. Same error as I'd previously gotten. I booted back up, and put it back in the "Learning" mode. Admittedly, I had forgotten to manually put it in the Learning Mode when I first began adding programs and processes. I noticed that one particular item is being logged continuously. The log shows that a Microsoft program, CTFMON.exe which is known as the "Cicero Loader", continually . . . "tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\explorer.exe [464]"

    LIutilities describes this as "A service that handles the Alternative User Input Text Processor (TIP) and the Microsoft Office Language Bar. It provides text input support for speech recognition, handwriting recognition, keyboard, translation, and other alternative user input technologies."

    That may be the problem. I am not sure, and I am not sure what to do about it. In the past, I had previously removed reference to this file from the run key, but it keeps showing back up.

    What do you think?
     
  7. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi DAMOX,

    CTFmon can be safely added to the protection list, it is used by many programmes. I would use just the standard first four blocks but some programs require Allow Global Hooks. I have not got CTFmon on my list and I do see some (one or two log lines) per session - I ignore them ;)

    I have Outlook proper and have Outlook.exe in my protection list with the following attributes.
    First four block flags
    No allows
    No options

    Pilli
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,042
    Ctfmon.exe shouldn't cause any problem once you set it up in Process Guard.
    It also bugged me because I couldn't get rid of it. You turn it off, take it out of the autostart and back it comes. This is because in Outlook or one of the Office programs you have either alternate text or speech recognition turned on. It took me some searching in Outlook to figure out how to turn it off, and unfortunately, I now can't find where I did it. I believe it is related to the language bar. Get it turned off in Outlook and you will have seen its last.
     
  9. DAMOX

    DAMOX Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    21
    Thanks guys,

    Pilli, The reason I mentioned CTFMON is I was wondering if that was the cause of my crashes. That may not be what is causing the Blue Screens, but I thought I'd check. My computer has only crashed once since re-installing PG, but that's because I've had PG in the learning mode since the crash. I just turned off the learning mode. We'll see what happens. The reason I thought the culprit might be CTFMON is because as I stated, it is continually trying to make changes to explorer and PG is denying it permission. Kind of like a war going on there. As far as I can tell, there is no way to allow just one program permission to set. It's either all or nothing. You mentioned adding "Outlook proper" and Outlook.exe. Outlook proper . . . I don't know off hand without a bunch of research, what file to add for that.

    Now that I've turned learning mode off, we'll see how long it takes before it Blue Screens again. I like process guard, but the Blue Screens are obviously not acceptable.

    Peter, Unfortunately, turning off the language bar doesn't stop CTFMON.exe. I did figure out how to turn off the language bar, but CTFMON keeps coming back. That may not be what is causing the Blue Screens, but I thought I'd check.

    Thanks again,

    Dan
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,042
    Hi Dan

    It is not turning off the Language bar itself, but turning off the text and speech services. Once they are turned off in the office app's ctfmon will disappear. But as long as they are on it will keep coming back. Note this should cause you any problems relative to Process Guard. It didn't for me. Just annoyed me cause I wanted it gone.

    Pete
     
  11. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Damox, You will find the outlook.exe in the Path usually:
    *:\program files\microsoft office\office10\outlook.exe

    It is very good practice to ensure that any internet enabled programs such as Outlook are in your protection list :)

    Pilli
     
  12. DAMOX

    DAMOX Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    21
    Hi Pilli,

    First, thanks for all your help. Maybe I misunderstood, but you said, "I have Outlook proper and have Outlook.exe in my protection list with the following attributes". I can find outlook.exe no problem, I just didn't know what you meant by Outlook proper.

    Thanks again,

    Dan
     
  13. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    OK, DAMOX, A lot of ppl think of Outlook Express or OE being MS's main email client, so Office Outlook is often referred to as Outlook proper.

    :)
     
  14. DAMOX

    DAMOX Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    21
    Well I am happy to report that the Blue Screens seemed to have stopped. I've been up and running with PG for 24 hours with only one Blue Screen, and that was about an hour after installation. I think it was the clean install and leaving pg in the learning mode for a while. So it looks like things are good! Thanks guys for your help, mucho appreciation!

    Dan
     
  15. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Fingers crossed that Process Guard and your PC have stabilised now. :)
     
  16. DAMOX

    DAMOX Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    21
    This morning I had two more Blue Screens. The first thing I did was go into Outlook, and the system crashed immediately. I booted up, and another program, "Clipmate 6.0" wanted to run an update. Ran the update and it finished, and then a few seconds later the system crashed again. After reboot, I put PG back in Learning Mode. I also noticed that even though I wasn't running office, that CTFMON was continually being logged as described previously. There were probably about 15 entries in 30 seconds. I went to task manager to end task on CTFMON.exe (I don't have that blocked in PG) but "Permission Denied".

    A little background on that. . . in the beginning, I had been able to end task on CTFMON even when Office products were open and running. Yesterday, however, I removed "Alternative User Input" from "Text Services" in the Control Panel, thinking that might stop CTFMON.exe from running. Instead, it somehow became more protective and I couldn't even "End Task" on it? Now that is bizarre! So, this morning, after the two crashes, I decided, "I don't care if this file is causing the crashes or not, it is not going to run!" So I figured out how to uninstall the "Alternate User Input Feature" from Office. Microsoft has an article that also includes unregistering two dll files. That done, I rebooted and guess what . . . "CTFMON.exe" was still running after reboot! Again, I couldn't end task, but I renamed it and removed it from the registry, and rebooted again, and regardless of whether this resolves my Blue Screens, I am happy to say, CTFMON has been defeated!

    I've taken PG out of the learning mode and will wait to see what happens! Hopefully the Blue Screens are behind me, but I guess we'll wait and see!

    Thanks again, I'll let you know what happens!


    Thanks again Pilli, and everyone else, I'll let you know what happens!
     
  17. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    OK DAMOX, Not sure why your CTFmon is behaving so badly. Funnily enough I have been using Firefox browser instead of Avant for the last couple of days and have had no CTFmon events logged (I think this is due to "mouse gestures" which require CTFmon). I do not have the speech parts allowed in Office either.

    Here's hoping you stop the BSOD's :doubt:
     
  18. DAMOX

    DAMOX Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    21
    "Not sure why your CTFmon is behaving so badly."

    Well I was wondering what version of Office you might be running. That could make a difference. I am currently running Office XP with SP3. I have just recently switched to FireFox because of the security problems with IE. I have decided that until Microsoft comes out with a secure browser, I won't be using theirs.

    After uninstalling the Alternate User Input Feature and eliminating ctfmon.exe, I took PG out of the "Learning Mode" and set the last of the 3 global options. Process Guard has been running without incident ever since. It looks like that was the problem!

    I would like to ask one other question. The General Protection Option, "Block End Task from terminating applications", does that prevent programs from ending a task or just the user? If it is blocking programs then I can see that it is truly a useful feature.

    Thanks again for your help Pilli!

    Dan
     
  19. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Programs. To test Process Guard's anti-termination abilities please go here.
    http://www.diamondcs.com.au/index.php?page=apt

    You can download Advanced Process Termination and test for yourself, it is free :)

    Remember, to pass all 9 tests you will have to enable Close Message Handling & the four Global blocks. Try it on one or two particular programs such as Port Explorer or TDS3
     
  20. DAMOX

    DAMOX Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    21
    I am sad to say that the Blue Screens have come back! Everything had been running fine for a couple of days now, but then yesterday I encountered a Doctor Watson Error. Several programs shut down, so I decided to reboot the system, but since it was just before bed I decided to shut it down for the night (I normally let it run 24 hours). This morning after booting I walked away from the system for a time, and when I came back I clicked on Outlook . . . the system crashed again! I received the same Stop Error as I first described. I rebooted and everything seemed fine again. But, about 8 hours later I was using FireFox and the system Blue Screened again! After rebooting I didn't log on for about 2 hours or so. However, as soon as I logged on, and things began to settle down, I only had to move the mouse and the system crashed again! Unfortunately I have no indication as to why the system is Blue Screening. I think I'll have to uninstall Process Guard from this system, until I have time to reload the OS. I've been planning to upgrade to XP for some time, but I don't have time right now! I will probably try Process Guard on another system and see what happens. I know my experience is unique, but at this point, I am not too keen on Process Guard. However, as I said I will try another system!

    This probably doesn't have anything to do with it, but for a couple of days now, I've been getting this error in the Event Log every time I boot:

    Event Type: Error
    Event Source: Service Control Manager
    Event Category: None
    Event ID: 7006
    Date: 7/1/2004
    Time: 1:38:04 AM
    User: N/A
    Computer: WHITEHORSE
    Description:
    The ScRegSetValueExW call failed for ImagePath with the following error:
    The system cannot find the file specified.

    I haven't been able to find anything on it. Just wondering if it is anything you might know about.

    Also, I have a question . . . what do you do about things like this:


    c:\winnt\system32\services.exe [236] Tried to modify an existing driver/service named navex15

    c:\winnt\system32\services.exe [236] Tried to modify an existing driver/service named naveng

    If this is legitimate activity, which I believe it is, I see no way to enable this but then again I am not that familiar with Process Guard!

    I appreciate your help in this matter,

    Dan
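
Added example (not part of any post in this thread, and not DiamondCS code): a small tally of Process Guard log entries, to see which program is generating the repeated denials and which service changes are being blocked before deciding what to allow. The line layout is assumed from the two entry shapes quoted above; the sample log, the ctfmon.exe path and PID, and updater.exe are constructed.

```python
import re
from collections import Counter

# Constructed sample log. The two entry shapes are the ones quoted in the thread;
# the "<image path> [pid] Tried to ..." layout, the ctfmon.exe path and PID,
# updater.exe and the last line are assumptions made for this example.
SAMPLE_LOG = r"""
c:\winnt\system32\ctfmon.exe [1120] Tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\explorer.exe [464]
c:\winnt\system32\ctfmon.exe [1120] Tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\explorer.exe [464]
c:\winnt\system32\services.exe [236] Tried to modify an existing driver/service named navex15
c:\winnt\system32\ctfmon.exe [1120] Tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\explorer.exe [464]
c:\program files\example\updater.exe [900] Tried to gain TERMINATE access on c:\winnt\explorer.exe [464]
c:\winnt\system32\services.exe [236] Tried to modify an existing driver/service named naveng
c:\winnt\system32\ctfmon.exe [1120] Tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\explorer.exe [464]
Learning mode enabled
"""

ACCESS_RE = re.compile(
    r"^(?P<src>.+?) \[(?P<spid>\d+)\] tried to gain (?P<rights>[A-Z, ]+?) access on "
    r"(?P<dst>.+?) \[(?P<dpid>\d+)\]$", re.IGNORECASE)
SERVICE_RE = re.compile(
    r"^(?P<src>.+?) \[(?P<spid>\d+)\] tried to modify an existing driver/service "
    r"named (?P<name>\S+)$", re.IGNORECASE)

def summarize(log_text):
    """Count process-access entries and service-modification entries; keep the rest."""
    access, services, unparsed = Counter(), Counter(), []
    for line in (l.strip() for l in log_text.splitlines()):
        if not line:
            continue
        m = ACCESS_RE.match(line)
        if m:
            rights = tuple(sorted(r.strip().upper() for r in m["rights"].split(",")))
            access[(m["src"].lower(), m["dst"].lower(), rights)] += 1
        elif (m := SERVICE_RE.match(line)):
            services[(m["src"].lower(), m["name"].lower())] += 1
        else:
            unparsed.append(line)  # unknown shape: report it, do not guess
    return access, services, unparsed

def noisy_sources(access, threshold=3):
    """Source images with at least `threshold` access entries, busiest first."""
    per_src = Counter()
    for (src, _dst, _rights), n in access.items():
        per_src[src] += n
    return [(s, n) for s, n in per_src.most_common() if n >= threshold]

if __name__ == "__main__":
    acc, svc, rest = summarize(SAMPLE_LOG)
    print("repeat offenders:", noisy_sources(acc))
    print("service changes:", sorted(svc))
    print("unparsed:", rest)
```
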
     
  21. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    This thread should help:

    https://www.wilderssecurity.com/showthread.php?t=29904&highlight=Norton services.exe

    Nick
     