Ghostwall & Win XP 64 Problem / Bug Request

Discussion in 'Other Ghost Security Software' started by devo.uk, Jan 11, 2006.

Thread Status:
Not open for further replies.
  1. devo.uk

    devo.uk Registered Member

    Joined:
    Jan 11, 2006
    Posts:
    2
    Hi...

    I wonder if you can help me..
    I have installed ghostwall and I have a Windows XP 64 machine and found a possible error..

    I have something called Browser Sentinel running which monitors spyware, registry changes, etc..

    I have installed ghostwall .. and found that Browser Sentinel referred to the ghostwall driver / service file as

    \windows\system32\drivers\ghstwl64.sys

    When I went to the directory there is no such file; the closest file I found was ghstwall.sys

    I searched the registry and found the legacy entry and the reference is to ghstwall

    and then under HKLM \services\ghstwall it's referenced as ghstwl64.sys again but there is no such file

    I then went into system properties : drivers : show hidden drivers :
    you can see under non pnp devices the ghostwall entry..

    and when I try to stop / restart the service it fails to do so in a timely fashion .. (M$ words not mine ... mine are basically hangs)

    1) Is there a way of logging the install so I can send it to you to check if the install is correct..

    2) Is there a file missing, ghstwl64.sys

    3) Should it install anything into the \windows\wow64 directory

    4) Should I just copy the ghstwall.sys and rename it ghstwl64.sys

    I might know nothing and everything is OK.. but I thought I would let you know.. as I don't know if you had a win64 test environment..

    Thanks for your time

    devo:uk
     
  2. Disciple

    Disciple Registered Member

    Joined:
    Nov 14, 2002
    Posts:
    292
    Location:
    Ellijay, Georgia - USA
    Have you checked the properties for ghstwall.sys, specifically the version tab? There could be a possibility that when queried it is returning a different internal name than what you see on the screen. It doesn't happen often, but I have seen it.
     
  3. devo.uk

    devo.uk Registered Member

    Joined:
    Jan 11, 2006
    Posts:
    2
    Yep.. unfortunately there are no properties shown for the .sys driver...

    I reinstalled again to check

    I used Browser Sentinel to watch for new system items and it shows the following

    new driver : ghostsec
    Ghost Security Unified Driver
    Kernel Driver
    F:\program files (x86)\\GhostSecuritySuite\ghostsec.sys
    File Version 1.005

    new driver : ghstwall
    F:\WINDOWS\system32\drivers\ghstwl64.sys
    Kernel Driver
    File is not found

    Here are the registry entries

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_GHSTWALL]
    "NextInstance"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_GHSTWALL\0000]
    "Service"="ghstwall"
    "Legacy"=dword:00000001
    "ConfigFlags"=dword:00000000
    "Class"="LegacyDriver"
    "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    "DeviceDesc"="ghstwall"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_GHSTWALL\0000\Control]
    "*NewlyCreated*"=dword:00000000
    "ActiveService"="ghstwall"


    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ghstwall]
    "Type"=dword:00000001
    "Start"=dword:00000002
    "ErrorControl"=dword:00000001
    "ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,46,00,3a,00,5c,00,57,00,49,00,4e,00,\
    44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
    00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,67,00,68,00,73,00,\
    74,00,77,00,6c,00,36,00,34,00,2e,00,73,00,79,00,73,00,00,00
    "DisplayName"="ghstwall"
    "WOW64"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ghstwall\Enum]
    "0"="Root\\LEGACY_GHSTWALL\\0000"
    "Count"=dword:00000001
    "NextInstance"=dword:00000001


    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GHSTWALL]
    "NextInstance"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GHSTWALL\0000]
    "Service"="ghstwall"
    "Legacy"=dword:00000001
    "ConfigFlags"=dword:00000000
    "Class"="LegacyDriver"
    "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    "DeviceDesc"="ghstwall"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GHSTWALL\0000\Control]
    "*NewlyCreated*"=dword:00000000
    "ActiveService"="ghstwall"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ghstwall]
    "Type"=dword:00000001
    "Start"=dword:00000002
    "ErrorControl"=dword:00000001
    "ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,46,00,3a,00,5c,00,57,00,49,00,4e,00,\
    44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
    00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,67,00,68,00,73,00,\
    74,00,77,00,6c,00,36,00,34,00,2e,00,73,00,79,00,73,00,00,00
    "DisplayName"="ghstwall"
    "WOW64"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ghstwall\Enum]
    "0"="Root\\LEGACY_GHSTWALL\\0000"
    "Count"=dword:00000001
    "NextInstance"=dword:00000001


    So I'm not too sure if it's working or not.. if the file is required... but would like to get it working...


    any ideas o_O?
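
Added example, not part of the original thread: a small Python parser that decodes the `hex(2)` ImagePath from the Services\ghstwall export above and reports which file the service entry points at. The function names and the embedded sample are constructed for illustration; the Type and Start meanings are the documented Windows service values.

```python
import re

# Constructed sample: Services\ghstwall values copied from the export in the
# thread (ErrorControl and the Security value are left out).
REG_TEXT = r'''[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ghstwall]
"Type"=dword:00000001
"Start"=dword:00000002
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,46,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,67,00,68,00,73,00,\
74,00,77,00,6c,00,36,00,34,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="ghstwall"
"WOW64"=dword:00000001
'''

# Documented meanings of the service Type and Start values.
SERVICE_TYPE = {0x1: "kernel driver", 0x2: "file system driver",
                0x10: "own-process service", 0x20: "shared-process service"}
START_TYPE = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}

def parse_reg_values(text):
    """Decode the dword, hex(2) and string values of one exported key."""
    # A .reg export wraps long hex data with a trailing backslash; rejoin it.
    joined = re.sub(r"\\\r?\n[ \t]*", "", text)
    values = {}
    for name, data in re.findall(r'^[ \t]*"([^"]+)"=(.*)$', joined, re.M):
        data = data.strip()
        if data.startswith("dword:"):
            values[name] = int(data[6:], 16)
        elif data.startswith("hex(2):"):
            # hex(2) is REG_EXPAND_SZ: UTF-16LE text with a NUL terminator.
            raw = bytes(int(b, 16) for b in data[7:].split(",") if b.strip())
            values[name] = raw.decode("utf-16-le").rstrip("\x00")
        else:
            values[name] = data.strip('"')
    return values

def describe_service(values):
    """Summarise what the Service Control Manager will try to load."""
    path = values.get("ImagePath", "")
    if path.startswith("\\??\\"):      # NT object-manager prefix for a DOS path
        path = path[4:]
    return {"image_path": path,
            "file_name": path.rsplit("\\", 1)[-1],
            "type": SERVICE_TYPE.get(values.get("Type"), "unknown"),
            "start": START_TYPE.get(values.get("Start"), "unknown")}

if __name__ == "__main__":
    print(describe_service(parse_reg_values(REG_TEXT)))
```

The decoded path is the one to compare against the directory listing and the driver list when a service entry and the files on disk appear to disagree.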
     
  4. Disciple

    Disciple Registered Member

    Joined:
    Nov 14, 2002
    Posts:
    292
    Location:
    Ellijay, Georgia - USA
    My only other idea would be to send an email to Jason, mailto:support@ghostsecurity.com, outline your question and include a link to this thread. That way he will have all of the info you have provided available.
     
  5. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi devo.uk. In my X64 I can see that the system driver is working by going to Start - Accessories - System Tools - System information - Software Environment - System drivers, ghstwall is shown as a started kernel driver

    HTH Pilli :)
     