Cannot Start The Ghost Security Unified Driver

Discussion in 'Ghost Security Suite (GSS)' started by psychosmurf, Feb 26, 2008.

Thread Status:
Not open for further replies.
  1. psychosmurf

    psychosmurf Registered Member

    Joined:
    Feb 23, 2008
    Posts:
    14
    Hi Everyone,

    I seem to be in a bit of a pickle (this seems to be happening a lot these days).

    I'm running WinXP x64 (my first experience with a 64-bit OS) and I've installed GSS x64 (the 1.3 alpha) and I'm having a problem that occurs when I start my computer: I'm being hit with a "cannot start the Ghost Security Unified Driver. . ." message.

    I looked it up in the forums and it seemed like there was a problem with a hotfix that MS released to patch PatchGuard (Ha!). Indeed, the GSS installer told me to remove one of the installed hotfixes when I installed it (which I did) but I'm still getting this error. The dates on the posts I found in the forums were relatively old (end of 2006) so I'm wondering if anyone else has hit this problem and if so how you corrected it?

    I went through all of the updates that I have on my box right now and none of them mentioned PatchGuard as a target of a fix and I didn't see the kernel driver files in any of the file lists but there are two that are concerning: KB943055 and Service Pack 2. KB943055 seems to be a security rollup but it looks like it's all for vulnerabilities according to the website but this is the same company that tried to sneak in anti-piracy monitoring software behind our backs disguised as a 'critical' software update; I don't know if I can trust them as far as I can throw my 120 pound computer. SP2 is a real worry because it's a massive cumulative update. I think either of those may have slipped something in off the radar that's causing GSS not to start.

    I'm going to uninstall SP2 right now and see if that resolves my issue and if it does, I'll post back. In the meantime if anyone has any other ideas or insights into any other patches that might be causing issues; I'd be most appreciative for the help.

    P
     
  2. psychosmurf

    psychosmurf Registered Member

    Joined:
    Feb 23, 2008
    Posts:
    14
    HA! This is amusing. I'm uninstalling Windows XP x64 Service Pack 2 and a message has popped up stating that "Setup detected the following programs on your computer . . . If Service Pack 2 is removed, these programs might not run properly. Do you want to continue?"

    The odd thing is that the first application in the list is . . . <DRUM ROLL PLEASE> . . . Ghost Security Suite. Isn't that a kick in the rubber parts? o_O :rolleyes: :blink:
     
  3. psychosmurf

    psychosmurf Registered Member

    Joined:
    Feb 23, 2008
    Posts:
    14
    Well, that didn't work. Windows blue screened (BSOD for the search engine) immediately after rebooting when I uninstalled Service Pack 2: "A program tried to write to read only memory" 'ghostsec.sys'. And to add insult to injury, IE is no longer working and neither are any of the other programs I installed after SP 2. :ouch:

    So I'm back to square one - naked, wet and out in the cold. I hate Microsoft. I'm going to format the hard drive and start over from scratch. No application security is just not going to work for me.

    Wish me luck.
     
  4. psychosmurf

    psychosmurf Registered Member

    Joined:
    Feb 23, 2008
    Posts:
    14
    Well, formatting didn't work either. I'm stuck. Once I was back at base before I installed anything I tried to install GSS and it still blue screened with the same message as in the post above.

    Help . . . Anyone?
     
  5. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Can you send the minidump from the crash to support ( support @ ghostsecurity . com ) ? It's usually in the C:\windows\minidumps folder.
     
  6. psychosmurf

    psychosmurf Registered Member

    Joined:
    Feb 23, 2008
    Posts:
    14
    Thanks, Jason.

    I didn't keep the minidumps but it shouldn't be too hard to reproduce. I'll give it another install and send along any files left over if it goes BOOM!
     
  7. psychosmurf

    psychosmurf Registered Member

    Joined:
    Feb 23, 2008
    Posts:
    14
    Hi Jason,

    I recreated the problem and I've forwarded the mini dump as you requested. This latest crash was with a base XP x64 installed (it's actually Service Pack 1 - don't know where to get true base code). I installed the beta from the Ghost Security web site but didn't apply the 1.3 alpha. For some reason when I tried to apply the alpha; the installer created an uninstall but didn't copy any files to the GhostSecuritySuite directory and I wound up with a GSS directory under Program Files (x32) and under Program Files. I decided to try it without the alpha this morning and was able to reproduce the crash.

    Let me know if you need any further information from me and I'll provide what I can.

    P
     
  8. psychosmurf

    psychosmurf Registered Member

    Joined:
    Feb 23, 2008
    Posts:
    14
    Hi Everyone,

    The pickle has soured!

    I have five external hard drives and with each boot of XP x64, one or more of them was coming up as 'write-protected'. Each time I tried to remove a file from or copy a file to one of the external drives, XP would throw an error message 'Cannot copy xxxxxxx: the drive is write-protected. Remove the write-protection or use another drive.' Which drive was write-protected was a crap shoot with each reboot: sometimes only one drive would be inaccessible write-wise, sometimes all of them would be write-protected.

    After hours of searching and digging and replacing hardware and unplugging and plugging drives I finally decided to try SP2 again just to make sure that it wasn't some off the wall thing with the OS and lo and behold, my drives are no longer coming up as write-protected. So in order to fix the external drive issue I have to be on SP2 but I can't be on SP2 and use GSS. I'm doomed! DOOOOOOOOOOOOMED!

    I hope this thread helps someone out; my brain hurts from all this noise and I'd like to think that someone is going to glean something useful from my experience.

    Again, thanks for working with me Jason and if you need anything else from me let me know but right now I'm stuck with Service Pack 2 because I can't use my externals and it's 1000 dollars in read only drives vs. 40 dollars in security software. The math is pretty pointed. I'll wait patiently for the next x64 GSS.

    P
     
  9. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    When you install the 1.3 Alpha, is it telling you it has to remove any "Microsoft Kernel patches" ? I've tried 1.3 Alpha on my base test machine (XP64 with SP2) and it worked fine, only after it got rid of the kernel patches.

    Was the minidump you sent with the original GSS xp64 or the alpha?
     
  10. psychosmurf

    psychosmurf Registered Member

    Joined:
    Feb 23, 2008
    Posts:
    14
    Thanks again for the reply, Jason. The mini dump I forwarded along was actually from the original GSS x64.

    When I first dove into this on Saturday night last week, I tried installing the GSS 1.3 x64 Alpha. Upon execution, the installer indicated that GSS wouldn't work unless I uninstalled a certain numbered (I can't remember specifically what it said) MS KB hotfix which I did. After the KB was done, I rebooted and launched the Ghost installer again and it went through the install and when it was done, I rebooted again (at the installer's request) and when it came back up GSS didn't launch. The program file group was there but none of the shortcuts worked. I went to control panel to remove GSS to reinstall but it wasn't there. So then I went to the GSS folder in "Program Files" to run the uninstaller 'manually' and that's when I found the weirdness with the Alpha version: the ONLY thing in the directory was the uninstaller executable; no SYS, INI or executable files (besides the uninstaller), nothing, only the uninstall executable which explained why the shortcuts weren't working. I looked in the "Program Files (x86)" folder but there was no GSS folder in there at all. So I went back to the "Program Files" folder and ran the GSS Alpha uninstaller and then went back out to the Ghost site and downloaded the original x64 installer and ran it. I hadn't reinstalled the patch from MS yet (I still haven't actually or anything else that looked like it was going to touch the Kernel files - besides SP2 to get my USB drives fixed) so the installer ran cleanly and asked me to reboot which I did. Once the OS was back online, GSS showed up in the taskbar and everything was OK until I launched the first application and then I got the error 'Can't start ghost security unified driver'.
    I thought maybe something was out of date between the installer and SP2 so I told GSS to check for updates which it did and it said there were updates but when it tried to apply them it was pulling down the wrong GSS version; it was grabbing the 32Bit version instead of the 64Bit and consequently the update was never making it through.

    Another trip out to the Ghost site, then to the forums I downloaded the Alpha again and installed it over the top of the original x64; rebooted as it requested and when I came back in I got the same unified driver error. I tried to update again but GSS told me that it was up to date.

    I came back out to the Forums and started searching for the error and that's when I found out the information about the KB that needed to be removed. Knowing I'd uninstalled the one KB that the installer looked for specifically, I thought maybe another update had been applied after the installer was built so I went through and looked at each update file list and didn't see anything about kernel files mentioned. That was when I started this thread. I then systematically uninstalled each and every update I'd done since I built the OS until I was down to nothing but SP2 and I was still getting the unified driver error. Then I uninstalled SP2 and that resolved the issue with the driver not starting but introduced the issue of the blue screens. Not having too much in the way of installs set up yet, I decided to start clean and formatted the OS drive and reinstalled XP x64 and tried GSS again but still got the blue screens about ghostsec.sys trying to write to memory that was read only. Since then, everything else has been recorded here for posterity.

    Unfortunately, I couldn't commit any more time to trying to resolve the problem because I was losing money by working on this as opposed to work so I had to just install my other software and hope for the best until GSS x64 got squared away. And that's where I am now. I'm currently using GhostWall and ESET Smart Security (I know, dual firewalls and all that but they seem to be playing nice so far and I like GhostWall MUCH better than ESET). It's not ideal and I do miss my Ghost but I had to get back to a more productive state of machine.

    Let me know if you need anything else from me and I'll do what I can to help.

    P
     
  11. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    If you install GSS x64 that you get from the AppDefend web page, the version will be v1.105. If you then check for updates, it will say some are available. If you download them, BOTH 32-bit and 64-bit exe's and drivers will be downloaded, but only the 64-bit exe and driver will be updated, giving you version v1.110.

    You can then download the latest GSS 1.3 alpha x64 from the link on this forum (ie. setupadrd1300a3_x64.exe), which only includes the driver and uninstall exe (no new gss.exe). The new driver, "ghostsec.sys", is installed to C:\WINDOWS\system32\drivers\.
     
  12. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    What is the MD5 checksum of the ntoskrnl.exe file in C:\WINDOWS\system32\, which works with the 1.3 Alpha, as this is the only file that seems to be updated when the KPP is updated ?
     
  13. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    Just out of interest, I renamed my existing ntoskrnl.exe file and copied the one from my XP x64 SP1 CD and rebooted. It booted up OK, and GSS said it couldn't find the driver and was attempting to install it. It managed this and said it was trying to start it. After about 10 seconds the system just rebooted with no BSOD. When it rebooted, I shut down GSS to stop it installing/starting the driver and have been running Windows without problems.

    I then did the same by replacing it with ntoskrnl.exe from SP2 (the network install exe), and this time Windows also booted up OK. GSS said it couldn't find the driver and was attempting to install it. It managed this and said it was trying to start it, but it failed with the "Cannot Start The Ghost Security Unified Driver".

    This possibly indicates that GSS cannot remove KPP from the SP2 ntoskrnl.exe (the multi-processor version), but that it is causing the reboot with the ntoskrnl.exe from my SP1 CD.

    During my investigation into KPP and what files it changed, I found that there are two editions of each Windows Service Pack - one (called GDR) that includes all updates except hotfixes, the other (called QFE) that includes all updates including hotfixes. Each Windows Update patch therefore has two of each file for each Service Pack. The XP x64 kernel also has two types - a uni-processor kernel, and a multi-processor kernel. Therefore, for each KPP update, there are four files for each Windows Service Pack, meaning there are currently 12 versions of the kernel (assuming there is a GDR and QFE release of the initial XP x64, and also that there are no other hotfix updates to the Windows kernel, ntoskrnl.exe).

    Could some of the problems be that GSS successfully disables KPP in some of these kernel versions, but not others ?
     
  14. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    I've done some more experimenting :)

    I did a fresh install of my XP x64 SP1 CD, and when GSS starts the driver it just reboots (No BSOD). I then uninstalled GSS and installed ALL Windows Updates, except SP2 and KB932596 (ie. KPP v3) and rebooted. The ntoskrnl.exe file was exactly the same as the original install. I then installed the KB932596 Windows Update, which changed the ntoskrnl.exe file, and the update had installed the QFE MP (Multi-Processor) version (I am running on a quad core). I then attempted to install the latest GSS 1.3Alpha driver and was notified that I needed to un-install KB932596 first.

    So, the only updates (excluding hotfixes + SP2) to modify ntoskrnl.exe were the KPP v2 and v3 updates.

    I then un-installed KB932596 and installed SP2. When I installed GSS 1.3alpha, the installation went smoothly, but when GSS started I just got the error "Cannot Start Ghost Security Unified Driver".

    Conclusion: I'm almost certain that each GDR and QFE release of ntoskrnl.exe needs to be addressed regarding KPP for GSS to work properly on all configurations.

    As mentioned previously, the only Windows Updates to change ntoskrnl.exe (and potentially KPP with it) are the KPP Updates and SP's. No other Windows Update so far has changed this file (from my limited testing). Therefore, the ability for GSS to alert when this file is about to be changed, with the ability to Allow/Block It, would make GSS much less of a pain to use on XP x64. It would be a bonus then, if during a subsequent GSS Update, GSS notified whether that Update was indeed an update to KPP, or whether it could safely be installed.

    I'm guessing that psychosmurf's problem is due to having one of the currently unsupported ntoskrnl.exe kernel files.

    Below is a list of ntoskrnl.exe/ntkrnlmp.exe files I've identified, along with their MD5 checksums. Note that ntkrnlmp.exe is just the Multi-Processor version of ntoskrnl.exe, which is used when installed on a multi-core/processor PC; the ntkrnlmp.exe gets automatically renamed to ntoskrnl.exe during the update:

    Code:
    B1E08186348ED662D50118618F012445  ntkrnlmp.exe (from my XP x64 SP1 CD)
    97B946D49EE16357535D433CE7096560  ntkrnlmp.exe (After installing SP2 - QFE version is installed)
    A98BC54B7CFECF1635EC7AB7188D98B0  ntkrnlmp.exe (After installing KB932596 - QFE version is installed)
    HTH :)
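
Added example, not part of the original thread and not GSS code: a Python sketch of the check discussed in posts 12 to 14, which fingerprints the installed kernel image against the three MD5 values listed above and reports when the file has changed since the last run. The function names, the baseline JSON file and the label strings are assumptions made for illustration.

```python
import hashlib
import json
from pathlib import Path

# MD5 values copied from the list in the post above; labels paraphrase its notes.
KNOWN_KERNELS = {
    "B1E08186348ED662D50118618F012445": "ntkrnlmp.exe from XP x64 SP1 CD",
    "97B946D49EE16357535D433CE7096560": "ntkrnlmp.exe after SP2 (QFE)",
    "A98BC54B7CFECF1635EC7AB7188D98B0": "ntkrnlmp.exe after KB932596 (QFE)",
}


def md5_of(path, chunk=1 << 20):
    """Hash the file in chunks so the kernel image is never read whole into memory."""
    h = hashlib.md5()  # MD5 only because the thread's reference values are MD5
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()


def check_kernel(kernel_path, baseline_path, known=KNOWN_KERNELS):
    """Return (digest, label, changed) and record the digest as the new baseline.

    label   -- description from the known table, or "unlisted build"
    changed -- True when a previous baseline exists and its digest differs
    """
    digest = md5_of(kernel_path)
    label = known.get(digest, "unlisted build")
    baseline = Path(baseline_path)  # hypothetical state file, not a GSS artifact
    previous = None
    if baseline.exists():
        previous = json.loads(baseline.read_text()).get("md5")
    changed = previous is not None and previous != digest
    baseline.write_text(json.dumps({"path": str(kernel_path), "md5": digest}))
    return digest, label, changed


if __name__ == "__main__":
    import sys
    # Default is the kernel location named in the thread.
    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\WINDOWS\system32\ntoskrnl.exe"
    digest, label, changed = check_kernel(target, "kernel_baseline.json")
    print(f"{digest}  {label}" + ("  [CHANGED since last run]" if changed else ""))
```

Running it before and after applying a Windows update shows whether that update replaced the kernel file and whether the resulting build is one of the three identified in the thread.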
     
  15. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Well, if KPP wasn't disabled you will just get random BSOD stating it was KPP causing it. The driver not loading/starting seems to indicate some other issue, maybe a conflict between versions. The AD64 off the main website shouldn't really be used over the most recent version, as that has lots of bug fixes and other changes.

    I've tested the last released XP64 version on SP1 and SP2 without any dramas, so it's a bit weird others are having so many problems with it.
     
  16. duweoi

    duweoi Registered Member

    Joined:
    Mar 23, 2008
    Posts:
    7
    Hi,

    I am also having the same problem with Windows XP 32-bit version. I have tried reinstalling, but still get the error message.

    Thanks
     
  17. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    Jason - I have PM'd you with some extra information regarding this problem.
     
  18. Ontrack16

    Ontrack16 Registered Member

    Joined:
    Jun 18, 2006
    Posts:
    5
    I have the same symptoms.
    The OS I use is XP SP2 32-bit.

    I think mine is an installation issue.
    Everything worked on this computer before.

    Then I decided to install the program in a "non standard" folder.
    I installed in z:\ghostsecurity where z: is a subst of c:\Progs

    I will uninstall and install in the default Program Files folder and then back in z:

    Will come back later today.
     
  19. Ontrack16

    Ontrack16 Registered Member

    Joined:
    Jun 18, 2006
    Posts:
    5
    It is as I suspected.
    When the program is installed on c: (Program Files or any other folder), no problem.

    When I install in a mapped or subst drive, the driver can't start.

    I only have one disk with one partition.

    Maybe someone else can try with installing in a different partition, using dynamic disk instead of basic, mountpoint, ...
     