PG 2.0 conflicting with my backup software!

Discussion in 'ProcessGuard' started by LuckMan212, Sep 6, 2004.

Thread Status:
Not open for further replies.
  1. LuckMan212

    LuckMan212 Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    252
    Hi I installed PG 2.0 (regged) on my XP Pro SP2 system yesterday. Fairly uneventful, the install went smoothly and PG began "learning" my apps. I added the 3 NOD32 executables to the allow list and things were going well.

    Then I woke up this morning and found my backup software (Dantz Retrospect 6.5) had failed. The way the backup software works is there is a "server" that has the tape drive and main backup software, and this communicates with a "client" daemon running on my machine which is the one with all the DiamondCS stuff on it. Pretty standard arrangement I think. Anyway, I got the following error message in the backup server's Log:

    "Trouble reading files, error -1010 (API request bad)" and
    "Can’t use Open File Backup – error 1017"

    /edit: I forgot to mention, the PG Log shows no blocked attempts, or anything (plus it is in "learn mode" still anyway.)

    Additionally, I began getting the following error in my Event Log:

    "The Computer Browser service terminated with the following error:
    This operation returned because the timeout period expired. "

    This happens after a few minutes of starting the Computer Browser service, it dies again. I can manually start it again, but it will die in a few minutes again, which makes it impossible to browse network shares on my LAN. I never had this before, and all I did yesterday was install Port Explorer, Process Guard and TDS-3 (all regged versions) so one of them may be causing this conflict.

    Any idears?
     
    Last edited: Sep 6, 2004
  2. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Try disabling Process Guard and repeat your backup procedure. That should either eliminate or show PG as the cause. Also look through your PG logs for anything noteworthy.

    Nick
     
  3. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi LuckMan212, If you know what the main backup process(s) .exe's are try adding them to the Process Guard protection list with the Allow Service/ install driver flag. Then watch the PG window log for any other Allow flags that the backup service needs.
    Also check that the .exe's are on the checksum list with the always allow enabled.
    I am not familiar with your particular backup program but others may be able to give you more advice.

    HTH Pilli
     
  4. LuckMan212

    LuckMan212 Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    252
    OK I tried disabling PG, and running the backup is now successful. So it is definitely PG causing the conflict. :doubt:

    Now what? I need this backup software (paid over $2,200.00 for it) but I really want PG's protection too. Adding the .exe of the backup daemon to PG's exclude list had no effect (didn't think it would, since like I said above there were no blocked attempts in the PG log window previously).

    DCS- help!
     
  5. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Sorry I was replying before your edit :)

    Not sure what you mean by that? Process Guard does not have an exclude function as such but you may have meant either the protection list or the checksum list?
    Are you sure that the .exe(s) that you selected are the actual ones that start the BU service?
    Have you initiated any of the General Block tabs? If so try removing them one at a time to see which one may be causing the problem.

    Thanks. Pilli
     
  6. LuckMan212

    LuckMan212 Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    252
    by the exclude list I meant adding the backup sw .exe to:
    blocked privs: NONE
    allowed privs: everything checked

    how would I know this? there is nothing in PG's log indicating that something tried to run or do something that was denied, if that's what you're asking.

    as for the general protection options, I have none of them checked at the moment. I was going to enable them after I finished "learn mode"
     
  7. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    That is the protection list and the block / allow flags. :)

    Task Manager may give you a clue, look to see if there are any other processes that stand out as being associated with the BU process.

    Another thought occurred - What firewall are you using? It may give us a clue.

    Thanks. Pilli
     
  8. LuckMan212

    LuckMan212 Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    252
    I am not running a software firewall on my PC. I have a hardware firewall. The backup server is on my LAN and thus does not need internet access to get to my PC. As for other processes there are some that I saw in Task Manager but I added them and gave them all full privs and it didn't help.

    **question** am I wrong or shouldn't everything that PG blocks show up in the log somewhere? How can I know what program, service, driver etc is being blocked or conflicting with my backup software unless it gets logged?

    Anyway, as soon as I disable PG, my backups run normally. :'(
    With PG enabled, the backup gets 99% of the way through, and then fails doing something called "saving volume snapshot". I believe this is related to 2 key Microsoft services:

    "Volume Shadow Copy" -
    C:\WINDOWS\System32\vssvc.exe

    -and-

    "MS Software Shadow Copy Provider" -
    C:\WINDOWS\system32\dllhost.exe /Processid:{68A23E6E-1D69-49ED-BF33-C5B638F525C8}

    Maybe this will give a clue, of what the conflict might be. I know these are fairly low-level services used for hard drive access. The backup software uses them to allow it to back up "open files" meaning Outlook .pst files, open SQL databases, etc. I tried giving vssvc.exe full privileges as well but that did not help.
     
    Last edited: Sep 6, 2004
  9. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    OK about the firewall.

    Yes the logs usually show any process that tries to access a protected list program and usually what process is trying to do the accessing, in this way one can usually discern what Allow flags are necessary and even what programs to add to your protected list.

    Regarding the BU failure, we will have to await a DCS reply, Jason may have other possibilities for you to try.

    I can add that the latest version of Process Guard is being beta tested and does address some anomalies with other low level programs.
     
  10. LuckMan212

    LuckMan212 Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    252
    SOLUTION FOUND!!

    OK I figured out how to turn on advanced/debug log level in my backup software, and got this:

    Code:
    T-29: TPCFile::OriginalFilePath = \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\WINDOWS\system32\pghash.dat
    T-29: TPCFile::FilePath = \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\WINDOWS\system32\pghash.dat
    T-29: TPCFile::OriginalFilePath = \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\WINDOWS\system32\pguard.dat
    T-29: TPCFile::FilePath = \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\WINDOWS\system32\pguard.dat
    necoDispatch: transaction 29: result -1,010
    xopFlush: flushing any remaining data
    arxAccept: accept up to the indicated archive address -490340352, mark 1332099
    soctSetThread: socket thread now 0x5ec
    soccOpen: socket send buffer size is 65,536
    soccOpen: socket recv buffer size is 65,536
    soccCallback: connected
    smtpOpen: connection established "localhost"
    soctPreDispose: maximum queue depth was 1
    Trouble reading files, error -1010 (API request bad)
    9/6/2004 4:58:05 PM: Execution incomplete


    So I found the 2 culprit files!! "pguard.dat" and "pghash.dat". As a test, I tried opening one of those files in Notepad.exe. I got an unknown OS error, so I guess this is done as a precaution by PG to keep other trojans from getting at its "goods". Nice one, but this should most definitely be documented somewhere! (maybe they didn't document it so as to keep it secret from trojan writers??) Anyway, once I added these 2 files to my backup software's "Exclude" list, the backup was able to complete successfully! :)

    Still my comments would be: please log this to the console of PG (i.e., "ACCESS DENIED while XXXXX.exe tried to open pghash.dat for READ" or something similar). Would have saved me a few hours of hair-pulling! (and believe me I ain't got much hair left to spare!) :)
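
The diagnosis in the post above, as an added example that is not part of the original thread: a Python script that reads a backup debug log in the format quoted in the post, finds transactions that ended with a non-zero result, and lists the files logged under them as exclusion candidates. The T-28 lines and the `result 0` success format are constructed, and mapping the shadow copy back to drive `C:` is an assumption.

```python
import re

PATH_RE = re.compile(r"^T-(\d+): TPCFile::(?:Original)?FilePath = (.+)$")
RESULT_RE = re.compile(r"^necoDispatch: transaction (\d+): result (-?[\d,]+)$")
SHADOW_RE = re.compile(r"^\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\d+")

# T-28 lines are constructed (success format assumed); the rest is from the post.
SAMPLE_LOG = r"""T-28: TPCFile::FilePath = \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\WINDOWS\system32\notepad.exe
necoDispatch: transaction 28: result 0
T-29: TPCFile::OriginalFilePath = \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\WINDOWS\system32\pghash.dat
T-29: TPCFile::FilePath = \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\WINDOWS\system32\pghash.dat
T-29: TPCFile::OriginalFilePath = \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\WINDOWS\system32\pguard.dat
T-29: TPCFile::FilePath = \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\WINDOWS\system32\pguard.dat
necoDispatch: transaction 29: result -1,010
Trouble reading files, error -1010 (API request bad)
"""

def live_path(shadow_path, drive="C:"):
    """Map a shadow-copy device path to the live volume (drive letter is assumed)."""
    return SHADOW_RE.sub(lambda m: drive, shadow_path)

def failed_transaction_files(log_text, drive="C:"):
    """Return {transaction id: (result code, [live paths])} for non-zero results."""
    touched, failures = {}, {}
    for line in log_text.splitlines():
        line = line.strip()
        m = PATH_RE.match(line)
        if m:
            paths = touched.setdefault(int(m.group(1)), [])
            path = live_path(m.group(2).strip(), drive)
            if path not in paths:          # OriginalFilePath/FilePath repeat the file
                paths.append(path)
            continue
        m = RESULT_RE.match(line)
        if m:
            code = int(m.group(2).replace(",", ""))   # log prints "-1,010"
            if code != 0:
                txn = int(m.group(1))
                failures[txn] = (code, touched.get(txn, []))
    return failures

if __name__ == "__main__":
    for txn, (code, paths) in failed_transaction_files(SAMPLE_LOG).items():
        print(f"transaction {txn} failed with {code}; exclusion candidates:")
        for p in paths:
            print("  " + p)
```

The log does not say which file in a failed transaction triggered the error, so every path listed is a candidate to test by hand before it goes on the backup's exclude list.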
     
  11. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Well done! Yes, pguard.dat and PGhash.dat are protected whilst procguard.sys is running. Excluding them from your normal back up is the way.
    Or disabling Process Guard during the BU process would be the unsecure option.
    Adding a note about this in the help file is a very good suggestion.

    Thanks for reporting how you fixed the problem, as this type of feedback is very helpful to the developers.

    Cheers. Pilli
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,054
    Hi Luckman212

    I also use Dantz Retrospect 6.5 Professional, but only on a single computer backing up to a hard disk. I also use Raxco's First Defense-ISR which is a snapshot imaging program for rollbacks. I have found:

    To do a full Retrospect backup, I disable FDISR's Preboot, DCS Wormguard, Process Guard, and my antivirus. Seems like when I don't do this Retrospect is hit or miss. Mostly miss since SP2.

    When I use FDISR I also disable Wormguard, PG and my antivirus.

    I found doing this just seems to make everything play better. Don't know the ramifications of doing this across a LAN. Also I don't do scheduled backups, but do them manually at the end of the day.

    Pete
     
  13. LuckMan212

    LuckMan212 Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    252
    Thanks for the tips Pete.

    I am a huge fan of Raxco software. I think Perfectdisk is the best defrag bar none.

    I had not heard of FirstDefense-ISR. How do you like it? It seems to be another contestant in the Norton Ghost, Acronis TrueImage (what I use now), PQI DriveImage, etc arena. I am curious how you think this stands up against those as truthfully, I find that Acronis has a number of shortcomings.
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,054
    I also love Raxco software, and their tech support is great. On a par with DCS.

    Re FDISR I love it, but it is not a replacement for things like Ghost, TI etc. Doesn't protect against drive failure. What it does is make up to 10 bootable snapshots on your main drive. So if your drive uses 10gig, then each snapshot is 10gig. What is neat is you can boot into the other snapshots, and work in them like your main system. It is great for beta testing. If something you do messes up the system, you just boot back to a good snapshot, and copy over the trash. Check it out, it's neat.
     