New ATI Catalyst 5.3 drivers + PG = BSOD

Discussion in 'ProcessGuard' started by Dwarden, Mar 11, 2005.

Thread Status:
Not open for further replies.
  1. Dwarden

    Dwarden Registered Member

    Joined:
    Apr 11, 2003
    Posts:
    176
    Location:
    Czech Republic
    So first little story :)

    1. Get ATI X800 card, use Windows XP Pro Sp2 eng, download ATI Catalyst 5.3 drivers w/o CCC component
    2. Install them (e.g. update from 5.2 like a dozen times before from older to newer drivers) ...
    3. Restart
    4. Display Properties > Settings > Advanced > Options (ATI icon by it)
    5. Blue Screen of Death

    ok ... then i hunted what is causing it ... and i found that PG takes part in this bad event :))

    it's evident that the ATI Control Panel (atiprbxx.exe) is trying to install a service using rundll32.exe in a very WEIRD way and this will cause the whole machine to crash (PG enabled or PG in learning mode ... both cause disaster)...

    the only way to prevent the BSOD is to give rundll32.exe rights to Access Physical Memory ...

    very strange ... anyone got some comments on it ?
     
  2. rickontheweb

    rickontheweb Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    129
    This happens to me also if I give rundll32.exe the right to install a driver/service and don't give it access to physical memory. Happens on the latest 5.2 and I assume still in the latest 5.3 I just installed. I don't use the newer .net control center either.

    Don't give rundll32.exe the right to install driver/services or physical memory and the options panel and the details button inside that panel work just fine. PG will flash that rundll32 tried to install a driver/service, but it doesn't seem to affect the operation of anything if it doesn't.

    Personally I don't give rundll32.exe anything other than termination and modification protection. And I turn off all ATI startup garbage and services since they don't offer me any functional value.

    I have one of those funky laptop ATI chipsets that borrows its video memory from the standard RAM. I wonder if that has anything to do with it?
     
  3. ShunterAlhena

    ShunterAlhena Registered Member

    Joined:
    Aug 1, 2004
    Posts:
    134
    Location:
    Szigethalom, Hungary
    :S strange, I just migrated from buggy Control Center back to Control Panel. Disabled PG during the installation, then reenabled it. I have SP2, 5.3 etc, so it should be the same scenario.
    However rundll is not listed in the protection list, so it is blocked from physical memory. When I click where you have clicked, PG immediately barks that evil rundll was blocked, but no BSOD. Everything goes fine.
    Might be that you have an X800, and i have a 9600XT? That is seemingly the only difference.
     
  4. rickontheweb

    rickontheweb Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    129
    ShunterAlhena,

    I think you are not seeing any BSOD because you are basically running under the same scenario that I am, in a sense. While you aren't protecting rundll32, you are allowing it to run since the Display properties panel can't open without it. Since rundll32 is not protected on your system OR given extra rights at the same time, it's running without the right to install drivers or access physical memory, so no BSOD, just like on my machine.

    I'm protecting it, but not giving it any special rights at all, so it's a similar situation on both our machines. Rundll32 can't install drivers or access physical memory on both, so we don't BSOD, just a PG warning that it tried to install a driver/service and was blocked.

    The BSOD problem appears to result, as Dwarden noticed, only if you protect rundll32 but then only give it the ability to install drivers and not access physical memory also.

    Of course the solution is quite simple. Don't protect it like you are doing, protect it like I'm doing but don't give it any extra rights, or protect it and make sure it can install driver/service AND access physical memory.
     
  5. ShunterAlhena

    ShunterAlhena Registered Member

    Joined:
    Aug 1, 2004
    Posts:
    134
    Location:
    Szigethalom, Hungary
    You're right. I added rundll32 to the protection list with services but without memory: BSOD. Enabled it to reach memory: nothing. So the problem is evidently what you described, and has nothing to do with your chipset or my 9600.
     
  6. Sim

    Sim Guest

    hmmm weird, i have tried to install 5.2 but even though i enable physical memory and rights to install drivers i still get BSOD when i go to INSTALL the driver, does anyone know why this is happening?

    thanks,

    Simon.
     
  7. rickontheweb

    rickontheweb Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    129
    It's best to uncheck the Protection Enabled feature temporarily on ProcessGuard's Main tab when installing something like ATI video drivers or windows updates. I'll leave it on for most application installs and watch to see if something gets blocked that could harm the installation, reinstalling again if need be with it off.

    Just remember to turn it back on when you are finished and make sure it's from a trusted source etc.
     
  8. Sim

    Sim Guest

    ahhh i see, thing is, i dunno if i can be hassled to try again now, i hate getting BSOD. I sometimes wonder about PG, it really does cause a load of hassle and i really don't know if it's worth it anymore, i have nod32, ewido anti-trojan and outpost 2.5 watching my comp perfectly, seems like PG just ****s things up.

    thanks for the reply, any more suggestions would be appreciated.

    Simon.
     
  9. rickontheweb

    rickontheweb Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    129
    Well it looks like you have a decent security "suite" going. But don't forget part of what ProcessGuard does is protect nod32, ewido anti-trojan and outpost 2.5 from termination.
     
  10. Sim

    Sim Guest

    actually, those pieces of software are protected from being terminated by passwords! seems like i've been had by marketing, oh well!

    Simon.
     
  11. rickontheweb

    rickontheweb Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    129
    I enable the password termination prevention features of my security apps as well. I use one of the products you mention as well as others. Many times features do overlap in these security apps. My antivirus product has narrowly defined process execution prevention, read/write/ file/folder locking, buffer overflow protection, even primitive firewall features but I do use those features also for some things even though they overlap with other product features, but as long as they don't interfere, I'd rather have some overlap. To each his own...
     
  12. Sim

    Sim Guest

    you do realise that makes no sense! So it's ok to spend good money on software that complicates processes that other applications take care of on their own anyway? It's a saturated market and PG is a perfect example of 'create a threat to prevent a threat' - $$$$$$$$$$$$$. To others thinking of getting PG, just get a trojan hunter that prevents dll injections like ewido and load yourself up with a good AV and firewall, and most importantly - use your head when browsing the net.

    Anyway, shame this thread went so off topic, would have liked to know the root cause of the BSOD when installing catalyst!

    Simon.
     
  13. rickontheweb

    rickontheweb Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    129
    Makes perfect sense to me. Ewido, sounds like a great application but I don't own it, and I already own a license to use PG. I try and make the best of what I already own in this "saturated market" like you do. I prefer some feature overlap because not all apps do exactly what I want them to. So I can use what features I like in each.

    I have to admit that apps that are specifically anti-trojan in nature are quite new to me. I've always considered that to be the realm of anti-virus and anti-malware scanners and removers. So in my opinion buying an anti trojan specific app would be redundant for me.

    On the BSOD issue, security related apps have always induced some possible hit in either performance, functionality limitations or introduced possible instability factors. That's been the case since the first antivirus apps for Win95 appeared. We've all seen the "turn off your anti-virus application during installation" messages that come with some applications. Which we all of course ignore. Nothing new here. We all know in the windows world everything doesn't always play nice with everything else.

    Been nice chattin though, it is a "security related forum". Hopefully we didn't go too far off topic. Hope you figure out your BSOD issue. I'll have to take a look at ewido one of these days. Maybe after a current "subscription" expires and I reassess what to use.
     