GUI is suspended

Discussion in 'ESET NOD32 Antivirus' started by kencl, Dec 14, 2012.

Thread Status:
Not open for further replies.
  1. kencl

    kencl Registered Member

    Joined:
    Oct 8, 2004
    Posts:
    8
    Location:
    Victoria, BC, CANADA
    Hi Folks,

    I'm working on a fresh build under Windows 8 Pro. For some reason, egui.exe is suspended at boot up every time. This means that the GUI itself never shows up, and neither does the task bar icon. The Windows Explorer context menu option (Scan with ESET NOD32 Antivirus) shows up, but when used nothing happens. Also, I cannot "end task" in Windows Task Manager - again, nothing happens when I try. I have already uninstalled and installed once to no avail.

    I'm using the first retail version of Windows 8 Pro, EAV downloaded as of 13 Dec '12 (The file version of C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe is 5.2.15.0). It's the 30 day trial version.

    How should I proceed from here?

    Thanks.
     
  2. P_R_

    P_R_ Eset Staff Account

    Joined:
    Jul 25, 2012
    Posts:
    62
    Location:
    Slovakia
    Hello,

    This is the first time that I have encountered such an issue, so it wouldn't be a general problem.

    Could you please try it with version 6, which is fully compatible with Windows 8?
    This version will be released in January.
     
  3. Geosoft

    Geosoft Registered Member

    Joined:
    Jan 7, 2009
    Posts:
    270
    Location:
    Toronto, Ontario, Canada
    Just wanted to chime in that I also had the same problem over the weekend with the 6 RC and the latest 5.2 release. I was able to fix it by reinstalling and disabling HIPS.

    I think I read something on the ESET KB somewhere that this can happen.
     
  4. mprezgot

    mprezgot Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    31
    Location:
    Kingston, ON CANADA
    What's HIPS? Same problem here on a fresh install of Windows 8. I can initially access the GUI right after install, but nothing happens after reboot.
     
  5. Geosoft

    Geosoft Registered Member

    Joined:
    Jan 7, 2009
    Posts:
    270
    Location:
    Toronto, Ontario, Canada
    That happened with me too. Fresh install of Windows 8 and you can't access the GUI after rebooting unless you disable HIPS on the initial install. It also had an added effect of preventing other apps from loading in my task bar and at some point, freezing my computer from loading any other apps even though I had control of the keyboard/mouse.

    HIPS can be found in Setup -> Enter advanced setup -> Computer -> HIPS
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    If somebody is able to reproduce it reliably, enable logging of blocked operations in the advanced HIPS setup, reproduce the problem and then post here the appropriate records from the HIPS log.
     
  7. Geosoft

    Geosoft Registered Member

    Joined:
    Jan 7, 2009
    Posts:
    270
    Location:
    Toronto, Ontario, Canada
    I tried that. The problem is that you cannot get the GUI to load again so you can see the HIPS logs. You have to completely uninstall the app to use Windows again.

    If there's a way to debug the output to a plain text logfile, maybe I can recover it while in safe mode.
     
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    If restarting Windows doesn't help, rename C:\Windows\System32\drivers\ehdrv.sys in safe mode. After booting to normal mode, you should be able to access the HIPS log and see the blocked operations.
     
  9. Geosoft

    Geosoft Registered Member

    Joined:
    Jan 7, 2009
    Posts:
    270
    Location:
    Toronto, Ontario, Canada
    Bad news. I did HIPS logging and it didn't record any activity. I did create a dump file of the process and am currently generating SysInspector logs. I'll PM you with a link for the files shortly.
     
  10. Geosoft

    Geosoft Registered Member

    Joined:
    Jan 7, 2009
    Posts:
    270
    Location:
    Toronto, Ontario, Canada
    It was requested that I post version numbers of the modules installed:

    Code:
    Virus signature database: 7863 (20130105)
    Update module: 1040 (20120313)
    Antivirus and antispyware scanner module: 1375 (20121207)
    Advanced heuristics module: 1138 (20121210)
    Archive support module: 1158 (20121203)
    Cleaner module: 1059 (20121212)
    Anti-Stealth support module: 1036 (20121123)
    ESET SysInspector module: 1229 (20121107)
    Real-time file system protection module: 1007 (20111129)
    Translation support module: 1099 (20121107)
    HIPS support module: 1061 (20121206)
    Internet protection module: 1051 (20121203)
    Database module: 1024 (20121016)
    
     
  11. lizardvdx

    lizardvdx Registered Member

    Joined:
    Dec 16, 2012
    Posts:
    15
    Geosoft,

    Are you on pre-release updates?
    If so, I think it is better to get modules from the release servers. You have to downgrade the modules; I don't know if there is another way to do it without uninstalling the product and installing it again from the live installer (not from the standalone one).
     
  12. Bob241963

    Bob241963 Registered Member

    Joined:
    Dec 3, 2012
    Posts:
    17
    Location:
    Canada

    This is not a new issue; there are threads here on this problem dating back to November 2012.

    https://www.wilderssecurity.com/showthread.php?t=335252&highlight=eset
     
  13. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,032
    Location:
    California
    Hello,

    Please enable pre-release updates as per ESET Knowledgebase Article #2357, "Enabling Pre-Release Updates" and perform an update to allow it to download new modules. This should update the HIPS module to v1063.

    Does that solve the issue on the computer?

    Regards,

    Aryeh Goretsky
     
  14. Geosoft

    Geosoft Registered Member

    Joined:
    Jan 7, 2009
    Posts:
    270
    Location:
    Toronto, Ontario, Canada
    I'll give this a shot when I get home tonight and provide an update.
     
  15. Geosoft

    Geosoft Registered Member

    Joined:
    Jan 7, 2009
    Posts:
    270
    Location:
    Toronto, Ontario, Canada
    Hi Aryeh,

    I tried the 1063 HIPS update and unfortunately it did not resolve this particular problem. For now, I have used 'process hacker' to disable the ehdrv service.
     
  16. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Those having issues with gui on Windows 8, please answer the following questions to help us better understand under what circumstances it manifests:
    1. If you've got more computers with Windows 8, does the issue manifest on all of them or only on some of them?
    2. What edition of Windows 8 is affected?
    3. Was Windows 8 installed on a freshly formatted disk? If it was an upgrade from an older version of Windows, which of the upgrade paths mentioned here did you use? (ie. what version of Windows was previously installed and what files were chosen to be preserved?)
    4. Was everything alright after installing EAV/ESS and the gui issue began manifesting just after the next computer restart?
     
  17. bwb1

    bwb1 Registered Member

    Joined:
    Mar 20, 2010
    Posts:
    113
    Location:
    UK
    1. On both tower and lap top.
    2. W8Pro x 64 and W8 Pro x 32 to above computers.
    3. Came with W8 installed new- Upgrade from W7 Home Premium retaining all files.
    4. On installation ESS was ok but problems happened right after first reboot.
    To reprise my problems;
    -Cannot access GUI at all/programme icons for other items not available and programmes do not run.
    -Flickering Action Centre icon message.
    - Problems still exist with all other security killed, so had to uninstall ESS two months ago.
     
  18. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Further to my previous post, we'd need you to:
    - check the Task manager and see if egui.exe is running
    - create a SysInspector log, upload it to a safe location and PM me the download link. (this can be done even with ESET uninstalled)
     
  19. Geosoft

    Geosoft Registered Member

    Joined:
    Jan 7, 2009
    Posts:
    270
    Location:
    Toronto, Ontario, Canada
    1) I've only got 1 computer that's running Windows 8 in my house. I tried to emulate the issue at work on a VM, but I couldn't replicate the problem.
    2) I'm currently on Windows 8 Pro (I need my remote desktop) =)
    3) Windows 8 was installed on a fresh installation/formatted disk.
    4) ESET runs perfectly fine when ESET is first installed. There aren't any problems running the application on installation because (at least from what I can deduce) the HIPS driver doesn't start until the computer is rebooted. This is evident when you attempt to do an update directly after an installation and you get an error message along the lines of "communication error with the HIPS driver".
    5) When you reboot with HIPS enabled and log in, you do see the egui.exe process running in the Process tab. But if you go to the Details tab, you will see the process is suspended. Furthermore, any other applications you have set to autorun on startup (such as VPN clients, Skype, Steam, etc.) are not able to start and show up in the system tray of the desktop. I have encountered cases where I cannot launch other applications, but this does not always happen, just rarely.
    6) I generated my SysInspector log in that ZIP file I PM'd, but SysInspector was not running during the egui.exe suspended issue. I also attempted to do a dump file of the egui.exe process when it was encountering the suspended problem, but the file size was 0. I think the memory usage was near 0 (literally a few KBs) when I checked the process on the process tab.
     
  20. mercutioferguson

    mercutioferguson Registered Member

    Joined:
    Jan 6, 2013
    Posts:
    4
    Location:
    Philippines
    Geosoft,

    1. Can you uninstall the product (it is important to uninstall it first), then reboot, and install it again from live_installer (start from the V5 link you can find on this page: http://kb.eset.com/esetkb/index?page=content&id=SOLN2788&_ref=zap)?

    2. By default you should be on the release servers, so do not change that. Perform an update. Copy here all the module versions you have; here are mine:

    Virus signature database: 7883 (20130111)
    Update module: 1041 (20120430)
    Antivirus and antispyware scanner module: 1375 (20121207)
    Advanced heuristics module: 1138 (20121210)
    Archive support module: 1158 (20121203)
    Cleaner module: 1059 (20121212)
    Anti-Stealth support module: 1032 (20120806)
    ESET SysInspector module: 1229 (20121107)
    Translation support module: 1099 (20121107)
    HIPS support module: 1063 (20130107)
    Internet protection module: 1049 (20121018)
    Database module: 1024 (20121016)

    Check if you have the same ESET configuration (I'm on W8 x64) and give feedback here.
     
  21. Geosoft

    Geosoft Registered Member

    Joined:
    Jan 7, 2009
    Posts:
    270
    Location:
    Toronto, Ontario, Canada
    Hi Everyone,

    While I thank everyone for their recommendations and basic information on how to reinstall a product (not just in this thread, but in PMs too), I am very well aware of how ESET works. I'm a beta tester of software for various companies, and have also signed several NDAs.

    As part of my troubleshooting, I have done several reinstalls of the product.

    If you look through my posts, you can tell I know how to troubleshoot a problem.

    Examples:
    https://www.wilderssecurity.com/showthread.php?t=320492
    https://www.wilderssecurity.com/showthread.php?t=308036
    https://www.wilderssecurity.com/showthread.php?p=1868480#post1868480
    https://www.wilderssecurity.com/showthread.php?t=331789
    https://www.wilderssecurity.com/showthread.php?t=327972
    https://www.wilderssecurity.com/showthread.php?t=328121
     
  22. mercutioferguson

    mercutioferguson Registered Member

    Joined:
    Jan 6, 2013
    Posts:
    4
    Location:
    Philippines
    Geosoft,

    I believe that everyone here has good intentions :) and I believe in your knowledge/abilities.
    Are the modules you have installed somehow different than mine (which I've posted)? Can you post them again?
    I asked you to reinstall just so you would have the same versions as I have, since for me everything works as it should.

    Also, I have a question regarding this "communication with HIPS driver" message: is it happening all the time, during all updates, or just once during installation?


    Regards
     
  23. Geosoft

    Geosoft Registered Member

    Joined:
    Jan 7, 2009
    Posts:
    270
    Location:
    Toronto, Ontario, Canada
    I finally did some mucking around today troubleshooting this problem. It took a while, but with the help of Process Hacker I was able to resume the egui.exe process.

    Code:
    2013-01-12 12:22:57 PM	C:\Windows\System32\csrss.exe	Get access to another application	C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe	some access blocked	SelfDefense: Protect ekrn and egui processes	Terminate/suspend another application
    2013-01-12 12:22:57 PM	C:\Windows\System32\csrss.exe	Get access to another application	C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe	some access blocked	SelfDefense: Protect ekrn and egui processes	Terminate/suspend another application
    2013-01-12 12:22:57 PM	C:\Windows\System32\csrss.exe	Get access to another application	C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe	some access blocked	SelfDefense: Protect ekrn and egui processes	Terminate/suspend another application
    2013-01-12 12:22:57 PM	C:\Windows\System32\csrss.exe	Get access to another application	C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe	some access blocked	SelfDefense: Protect ekrn and egui processes	Terminate/suspend another application
    2013-01-12 12:22:57 PM	C:\Windows\System32\csrss.exe	Get access to another application	C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe	some access blocked	SelfDefense: Protect ekrn and egui processes	Terminate/suspend another application
    2013-01-12 12:22:57 PM	C:\Windows\System32\csrss.exe	Get access to another application	C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe	some access blocked	SelfDefense: Protect ekrn and egui processes	Terminate/suspend another application
    2013-01-12 12:22:57 PM	C:\Windows\System32\csrss.exe	Get access to another application	C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe	some access blocked	SelfDefense: Protect ekrn and egui processes	Terminate/suspend another application
    2013-01-12 12:22:57 PM	C:\Windows\System32\csrss.exe	Get access to another application	C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe	some access blocked	SelfDefense: Protect ekrn and egui processes	Terminate/suspend another application
    2013-01-12 12:22:57 PM	C:\Windows\System32\svchost.exe	Get access to another application	C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe	some access blocked	SelfDefense: Protect ekrn and egui processes	Modify state of another application
    2013-01-12 12:22:57 PM	C:\Windows\System32\csrss.exe	Get access to another application	C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe	some access blocked	SelfDefense: Protect ekrn and egui processes	Terminate/suspend another application
    2013-01-12 12:22:57 PM	C:\Program Files\Process Hacker 2\ProcessHacker.exe	Get access to another application	C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe	some access blocked	SelfDefense: Protect ekrn and egui processes	Terminate/suspend another application
    2013-01-12 12:22:30 PM	C:\Windows\System32\csrss.exe	Get access to another application	C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe	some access blocked	SelfDefense: Protect ekrn and egui processes	Terminate/suspend another application
    2013-01-12 12:22:29 PM	C:\Windows\explorer.exe	Get access to another application	C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe	some access blocked	SelfDefense: Protect ekrn and egui processes	Terminate/suspend another application,Modify state of another application
    2013-01-12 12:22:13 PM	C:\Windows\System32\services.exe	Modify startup settings	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DeviceAssociationService\Start	allowed	Automatic mode	
    2013-01-12 12:22:13 PM	C:\Windows\System32\services.exe	Modify startup settings	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DeviceAssociationService\Start	allowed	Automatic mode	
    2013-01-12 12:22:09 PM	C:\Windows\System32\csrss.exe	Get access to another application	C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe	some access blocked	SelfDefense: Protect ekrn and egui processes	Terminate/suspend another application
    2013-01-12 12:22:08 PM	C:\Windows\System32\taskhostex.exe	Modify startup settings	HKEY_USERS\S-1-5-21-3363106976-1724946033-2902058823-1001\Software\Microsoft\Windows\CurrentVersion\Run\internat.exe	allowed	Automatic mode	
    2013-01-12 12:22:08 PM	C:\Windows\System32\csrss.exe	Get access to another application	C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe	some access blocked	SelfDefense: Protect ekrn and egui processes	Terminate/suspend another application
    
     
  24. Geosoft

    Geosoft Registered Member

    Joined:
    Jan 7, 2009
    Posts:
    270
    Location:
    Toronto, Ontario, Canada
    Ok... did more testing by creating test rules. None of the registry rules corrected the issue, and the test rules I create do not override the Self-Defense module. So, I disabled Self-Defense and left HIPS running and I have normal operations again.

    Code:
    2013-01-12 12:51:21 PM	C:\Windows\System32\svchost.exe	Get access to another application	C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe	some access blocked	SelfDefense: Protect ekrn and egui processes	Terminate/suspend another application,Modify state of another application
    2013-01-12 12:50:17 PM	C:\Windows\System32\csrss.exe	Get access to another application	C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe	some access blocked	SelfDefense: Protect ekrn and egui processes	Terminate/suspend another application
    2013-01-12 12:50:17 PM	C:\Windows\System32\csrss.exe	Get access to another application	C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe	some access blocked	SelfDefense: Protect ekrn and egui processes	Terminate/suspend another application
    2013-01-12 12:50:17 PM	C:\Windows\System32\csrss.exe	Get access to another application	C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe	some access blocked	SelfDefense: Protect ekrn and egui processes	Terminate/suspend another application
    2013-01-12 12:50:17 PM	C:\Windows\System32\csrss.exe	Get access to another application	C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe	some access blocked	SelfDefense: Protect ekrn and egui processes	Terminate/suspend another application
    2013-01-12 12:50:17 PM	C:\Windows\System32\csrss.exe	Get access to another application	C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe	some access blocked	SelfDefense: Protect ekrn and egui processes	Terminate/suspend another application
    2013-01-12 12:50:17 PM	C:\Windows\System32\csrss.exe	Get access to another application	C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe	some access blocked	SelfDefense: Protect ekrn and egui processes	Terminate/suspend another application
    2013-01-12 12:50:17 PM	C:\Windows\System32\csrss.exe	Get access to another application	C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe	some access blocked	SelfDefense: Protect ekrn and egui processes	Terminate/suspend another application
    2013-01-12 12:50:17 PM	C:\Windows\System32\csrss.exe	Get access to another application	C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe	some access blocked	SelfDefense: Protect ekrn and egui processes	Terminate/suspend another application
    2013-01-12 12:50:17 PM	C:\Windows\System32\svchost.exe	Get access to another application	C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe	some access blocked	SelfDefense: Protect ekrn and egui processes	Modify state of another application
    2013-01-12 12:50:17 PM	C:\Windows\System32\csrss.exe	Get access to another application	C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe	some access blocked	SelfDefense: Protect ekrn and egui processes	Terminate/suspend another application
    2013-01-12 12:50:17 PM	C:\Program Files\Process Hacker 2\ProcessHacker.exe	Get access to another application	C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe	some access blocked	SelfDefense: Protect ekrn and egui processes	Terminate/suspend another application
    2013-01-12 12:50:04 PM	C:\Windows\System32\csrss.exe	Get access to another application	C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe	some access blocked	SelfDefense: Protect ekrn and egui processes	Terminate/suspend another application
    2013-01-12 12:50:04 PM	C:\Windows\explorer.exe	Get access to another application	C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe	some access blocked	SelfDefense: Protect ekrn and egui processes	Terminate/suspend another application,Modify state of another application
    2013-01-12 12:49:51 PM	C:\Windows\System32\taskhostex.exe	Modify startup settings	HKEY_USERS\S-1-5-21-3363106976-1724946033-2902058823-1001\Software\Microsoft\Windows\CurrentVersion\Run\internat.exe	allowed	Test Rule 3	
    2013-01-12 12:49:43 PM	C:\Windows\System32\services.exe	Modify startup settings	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DeviceAssociationService\Start	allowed	Test Rule	
    2013-01-12 12:49:41 PM	C:\Windows\System32\csrss.exe	Get access to another application	C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe	some access blocked	SelfDefense: Protect ekrn and egui processes	Terminate/suspend another application
    2013-01-12 12:49:41 PM	C:\Windows\System32\services.exe	Modify startup settings	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DeviceAssociationService\Start	allowed	Test Rule	
    2013-01-12 12:49:41 PM	C:\Windows\System32\csrss.exe	Get access to another application	C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe	some access blocked	SelfDefense: Protect ekrn and egui processes	Terminate/suspend another application
    2013-01-12 12:48:06 PM	C:\Windows\System32\csrss.exe	Get access to another application	C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe	some access blocked	SelfDefense: Protect ekrn and egui processes	Terminate/suspend another application
    
    So... which is the guilty process? csrss.exe, services.exe or explorer.exe? If "Modify state of another application" includes suspending and resuming processes, maybe the explorer.exe rule needs to be modified, but that obviously comes with huge risks.
     
    Last edited: Jan 12, 2013
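
The HIPS log rows posted above are tab-separated. As an added example (not part of the thread and not ESET tooling), this Python script parses rows in that layout and tallies, per source process, which operations against a protected target were blocked and in what order the sources first appeared. The column names and function names are assumptions, and the sample rows are constructed in the thread's format.

```python
import ntpath
from collections import Counter
from datetime import datetime

# Column names are assumptions inferred from the rows posted in the thread.
FIELDS = ("time", "source", "operation", "target", "action", "rule", "details")

def parse_hips_log(text):
    """Parse tab-separated HIPS log rows; skip anything that is not a row."""
    rows = []
    for raw in text.splitlines():
        parts = [p.strip() for p in raw.strip().split("\t")]
        if len(parts) < 6:                          # "Code:" label or blank line
            continue
        parts += [""] * (len(FIELDS) - len(parts))  # "allowed" rows carry no details
        row = dict(zip(FIELDS, parts))
        try:
            row["time"] = datetime.strptime(row["time"], "%Y-%m-%d %I:%M:%S %p")
        except ValueError:
            continue
        row["details"] = [d.strip() for d in row["details"].split(",") if d.strip()]
        rows.append(row)
    return rows

def blocked_for(rows, target_name):
    """Rows where access to target_name (file name only) was blocked."""
    return [r for r in rows
            if "blocked" in r["action"]
            and ntpath.basename(r["target"]).lower() == target_name.lower()]

def blocked_by_source(rows, target_name):
    """Count blocked operations per (source process, operation)."""
    counts = Counter()
    for r in blocked_for(rows, target_name):
        src = ntpath.basename(r["source"]).lower()
        counts.update((src, op) for op in r["details"])
    return counts

def first_seen(rows, target_name):
    """Source processes in the order they first hit the target (log is newest-first)."""
    ordered = sorted(reversed(blocked_for(rows, target_name)), key=lambda r: r["time"])
    seen = []
    for r in ordered:
        src = ntpath.basename(r["source"]).lower()
        if src not in seen:
            seen.append(src)
    return seen

# Constructed sample rows in the layout of the log posted in the thread.
EGUI = r"C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe"
EKRN = r"C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe"
RULE = "SelfDefense: Protect ekrn and egui processes"
ACCESS, BLOCKED = "Get access to another application", "some access blocked"
SUSPEND = "Terminate/suspend another application"
MODIFY = "Modify state of another application"
CSRSS = r"C:\Windows\System32\csrss.exe"
SAMPLE_ROWS = [
    ("2013-01-12 12:22:57 PM", CSRSS, ACCESS, EGUI, BLOCKED, RULE, SUSPEND),
    ("2013-01-12 12:22:57 PM", r"C:\Windows\System32\svchost.exe", ACCESS, EGUI, BLOCKED, RULE, MODIFY),
    ("2013-01-12 12:22:57 PM", CSRSS, ACCESS, EGUI, BLOCKED, RULE, SUSPEND),
    ("2013-01-12 12:22:29 PM", r"C:\Windows\explorer.exe", ACCESS, EGUI, BLOCKED, RULE, SUSPEND + "," + MODIFY),
    ("2013-01-12 12:22:13 PM", r"C:\Windows\System32\services.exe", "Modify startup settings",
     r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DeviceAssociationService\Start",
     "allowed", "Automatic mode", ""),
    ("2013-01-12 12:22:08 PM", CSRSS, ACCESS, EKRN, BLOCKED, RULE, SUSPEND),
]
SAMPLE_LOG = "Code:\n" + "\n".join("    " + "\t".join(c) for c in SAMPLE_ROWS)

if __name__ == "__main__":
    parsed = parse_hips_log(SAMPLE_LOG)
    for (src, op), n in blocked_by_source(parsed, "egui.exe").most_common():
        print(f"{n:3d}  {src:14s} {op}")
    print("first seen:", first_seen(parsed, "egui.exe"))
```
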
  25. Geosoft

    Geosoft Registered Member

    Joined:
    Jan 7, 2009
    Posts:
    270
    Location:
    Toronto, Ontario, Canada
    Well, I just uninstalled the RC, and installed 6.0.306.0 this morning (over remote desktop mind you) and I'm no longer seeing issues when rebooting my computer.

    Looks like this might be an RC bug? I'll make some confirmation when I get home tonight.
     