Execute Protect enable problem

Discussion in 'Trojan Defence Suite' started by traineewanabee, Oct 9, 2004.

Thread Status:
Not open for further replies.
  1. traineewanabee

    traineewanabee Registered Member

    Joined:
    Oct 9, 2004
    Posts:
    5
    Hi,

    Is there anyone who can spare a moment to help resolve a problem I have with "execution protection" enabled in TDS? I would greatly appreciate it.

    I have sent this problem to tech support, but I have not been told how to resolve it.

    Basically whenever I enable execution protection I get the message that exec protect components have been installed, then the following MS error occurs & is logged in the Application Logs as -

    =====
    Run Once wrapper error
    appname: runonce.exe
    AppVer : 6.0.2900.2180
    Modname: unknown
    ModVer : 0.0.0.0
    offset: 734305be
    =====

    Then the following message occurs when an app starts from the desktop or once when the system tray apps load on win start.

    ====
    Application popup: Explorer.EXE - Application Error : The instruction at "0x734305be" referenced memory at "0x734305be". The memory could not be "read".

    Click on OK to terminate the program
    Click on CANCEL to debug the program
    =====

    I'm using XPPro SP2.


    Now I did somehow fix it by playing around with WG. I told tech support I fixed it, but I wasn't sure how I did. (Isn't that the way most tech support problems are solved anyway!! :D )

    However I wanted to have as "clean" a system as possible so I reformatted the drive, installed XPPro & SP2, System Works 2003, NAV 2004, ZAP & TDS. I stopped ZAP & NAV from loading before installing TDS.

    Alas the same problem occurred. I created logs of the above errors with Filemon, I could see nothing obvious, although there is a "Buffer Overflow" when the second error occurs (i.e. when a faulty app starts).

    I've sent the logs to tech support, however I have not heard from them, either I've confused them or they are too busy working on TDS4 (hopefully the latter!)

    I've reinstalled PG but I still can't get rid of the errors. And also I want to be a bit careful when using PG until I understand it more. I think I could get it to work by modifying the default learn permission for "runonce.exe" & "execprot.exe" but I don't wish to give them more permissions than they need and also I would prefer to find out what is causing the execprot error in the first place.

    A memory dump occurs & the desktop reloads whenever the explorer.exe error occurs, so needless to say it gets a bit annoying :doubt: , although exec prot seems to be running ok.

    And the problem (all errors) goes away when "execution protection" is disabled. I have the key in the dir, and am able to update successfully, so I presume the key is not corrupted.

    ====
    While I'm at it, where are the Private Forums to log into?
    While I'm at it (2), I think PE is one of the best internet utils I've come across, certainly helping demystify connections, well done DiamondCS. However I noticed that TDS's local port scanner picked up tcp port 1027 as in use but PE didn't show it anywhere, any ideas why not?




    Regards
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi there traineewanabee, welcome to the forum.
    Hope you don't mind, but your problems are far beyond my understanding what is going on and what is the problem causing it.
    I'm just used to installing TDS, after reboot install in TDS the exec protec and all is fine.
    Suppose you have a registered version to be able to install exec protec.
    I'm not used to clean installs, reformats and all that.
    If you simply uninstall exec protec is everything then back to normal?
    Did you have WormGuard protecting or temporarily disabled when installing any other software?
    For many systems it is no problem at all but for some it is necessary to disable WormGuard temporarily for new installs, while on some XP systems with or without SP2 there can be unexpected problems with WormGuard so it's really hard to say.
    I just don't know what you're experiencing and if it has to do with TDS' exec protection or a program it wants to stop from execution.

    For the DiamondCS forums use the link in my signature, subscribe to the forums; for access to the private forums for which a TDS registration license is needed send an email to support@diamondcs.com.au with your registration info (name, email)
     
  3. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    To add to Jooske's reply. Please disable TDS3's autostart and then start TDS manually after boot up.
    Are you running TDS3 from a user account? If you are then TDS3 needs to run via the "run as" administrator command.

    Regarding Process Guard, Version 3's new learning mode and driver enhancements will cure many of the V2 problems :)

    HTH Pilli
     
  4. traineewanabee

    traineewanabee Registered Member

    Joined:
    Oct 9, 2004
    Posts:
    5
    Thanks Jooske & Pilli for your replies,

    Well it's an odd problem that definitely only occurs when I enable execprot, I've tested it dozens of times, same thing & always goes away as soon as I disable it.


    I don't have WG, but have PE & PG, I figured I didn't need it.

    But the funny thing is that exec protect seems to be working, I see it in PG alerts. So it seems, it's just the messages, which are a problem. As when I run Leaktest, it is logged by TDS, but the errors aren't.

    I guess there is a (memory?) conflict of some type as opposed to execprot detecting something.

    Yes I start it manually with admin permissions in a user a/c & also manually in the admin a/c & exactly the same errors. I'm using the current PG 3 beta 2 & tried enabling it a number of times in learn mode, but makes no difference.

    When I enable execprot in learn mode, the PG alert logs show

    regsvr32.exe was allowed to start
    rundll32.exe was allowed to start
    runonce.exe was allowed to start
    execprot.exe was allowed to start
    grpconv.exe was allowed to start
    dwwin.exe was allowed to start

    With dwwin.exe the debugger, I'm not sure what grpconv.exe does.

    Regards
     
  5. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi again traineewanabee, I'm guessing here but I assume you have added the NAV 2004 processes to Process Guard?
    ZA does not usually require to be on the PG protection list as it has its own low level guard.
    Are you running on NTFS or FAT?
    There may be some driver contention somewhere and you need to ensure that explorer.exe has the following extra allows - Install Global hooks & Access Physical memory.
    DrWatson may need the modify allow. This may require a reboot to ensure the above are applied.

    Regarding grpconv.exe I found the following link:
    http://www.liutilities.com/products/wintaskspro/processlibrary/grpconv/

    HTH Pilli
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Last edited: Oct 12, 2004
  7. traineewanabee

    traineewanabee Registered Member

    Joined:
    Oct 9, 2004
    Posts:
    5
    Hi Pilli & Jooske,

    Thanks again for the replies.
    Pilli,
    - Yes, I have nav2004 in PG, I'm able to run it ok.
    - ZA is in the list, it doesn't seem to be causing a problem so I'll leave it there for the time being.
    - NTFS
    - I set explorer.exe with Install Global Hooks & Access Physical Memory & rebooted, but still get the error.

    However grpconv.exe has got me puzzled, why is it running since I've never had win95 on this machine? It's a tablet pc. However something is activating it & I suppose it is somehow linked to the explorer error. When I find out why, I might be able to solve this problem.

    Jooske,
    - That's also got me puzzled! Well the errors definitely only start when I enable "execute protection" & disappear when I disable it. Maybe execprot.exe is not at fault, I just saw it appear frequently in the Alert list of PG after I enabled "execute protection", and stopped when I disabled it. So maybe I'm making the wrong conclusion.
    - Well I renamed execprot.exe & I still get the same error, so I suppose it is not execprot.exe causing the problem. While it was being called all the time I don't know.

    I've ended up removing PG as I got the blue screen of death when I changed csrss.exe to securely handle close window closure (why csrss.exe? Because it kept showing up in filemon logs with buffer overflow errors, it seems about the same time as the errors I keep getting).

    Ah well I'll have to keep looking.



    Again thanks for your time.


    Regards
     
  8. traineewanabee

    traineewanabee Registered Member

    Joined:
    Oct 9, 2004
    Posts:
    5
    First sorry about the previous post, with all the blank lines etc., I should have checked it before posting.

    Well I'm making a bit of progress. Although I'm still getting the "runonce wrapper" error every time I enable "Execution Protection", I have narrowed down when I get the "explorer.exe memory read" errors as follows:

    - After enabling & then starting a shortcut on the desktop
    - Or run a program from the program menu.
    - Or when win loads the system tray, and I did not disable "Execution Protection" when I quit TDS, and the PC reboots or I log out & log into another user (e.g. from user to admin).

    However the error stops when I either start an app on the Start Menu (from the most often used list) or if I start an app through My Computer on the Desktop.

    Having said that, execprot does seem to be loading when I view processes, I can see it "hook" into explorer.exe.

    However, something must be amiss, otherwise I wouldn't get these errors. I've disabled all Norton's services & firewalls & reinstalled TDS & have later system files than required. And I reload TDS after enabling. I've just about run out of ideas. o_O

    Regards
     
  9. Open Source

    Open Source Registered Member

    Joined:
    Jun 12, 2003
    Posts:
    50
    Location:
    The Net
    Did you add extra rules to Worm Guard?

    I experienced similar problems when I updated to SP2 and had advanced rules in WG.

    Another problem I had was a dirty install of TDS writing over the previous version, which caused similar problems because TDS left remnants behind on a previous install.

    Another time the error was caused because I re-enabled exe protection and disabled it many times like playing with a yo-yo.

    Same with Worm Guard protection.

    Like a little child playing with an on and off switch in the house.

    Have you done similar things?
     
  10. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi traineewanabee, Have you considered using msconfig?
    Then going to the start up list and disabling each item in turn to see what application may be causing the problem
    Here is how to run msconfig if you do not already know :)
    Start - Run - type msconfig press return and open the start up tab.

    Another possibility is a corrupt system file.

    Pilli
     
  11. Open Source

    Open Source Registered Member

    Joined:
    Jun 12, 2003
    Posts:
    50
    Location:
    The Net
    Uninstall SP2, reinstall SP2, see if that fixes it.
     