PG 2.0 - Learning mode and lock-ups

Discussion in 'ProcessGuard' started by BlueZannetti, Mar 28, 2004.

Thread Status:
Not open for further replies.
  1. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
On a couple of my PCs (XP Pro) I've noticed that PG has spontaneously reverted away from learning mode. Are there some built-in constraints to learning mode that I haven't gleaned from the help file yet? I assumed that I would have to actively disable learning mode to shut it off.

On another topic, on my own PC (also XP Pro), in which I had disabled learning mode after covering my commonly used apps, I returned to it after times long enough for the OS to disconnect from the current session. In both cases the PC was exhibiting a total lock-up. Mouse movements were fine, but I couldn't get to a logon dialog screen and Ctrl-Alt-Del was unresponsive. The only recovery was via a power cycle. I thought that I had everything covered; apparently not. The latest example was overnight. Typically during off hours I run AV scans and do any automated updates. If PG requests user input to changes during these activities (and let's assume that my login session has disconnected from the console), what happens? I have had PG pop up with a dialog box before I've logged in previously, but that was during a reboot. Does that dialog box time out after a wait period and lock the PC? Sorry for the vagueness, but that's all I've seen thus far.

    Blue
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
Hi BlueZannetti, Learning mode is set to disabled after the first reboot.
    Regarding your overnight problems, I believe there were processes started that you had not run during learning mode or after it was switched off, and some scheduled task has caused the secure desktop to run, thus locking up the process.
    A way round this might be to enable "Block all new and changed". This will throw up a pop-up but should not freeze your PC, just the programme that is trying to start.

    HTH Pilli
     
  3. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
I thought I explicitly turned it back on after this, but I'm not sure of that....

Right now I'm trying to figure this one out; it's occurred on the last few reboots...
     

    Attached Files:

  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
Hi again BlueZannetti. Hmm, not sure of that one; those error reports are usually hard to fathom, but it appears that something is having an argument with Process Guard. Can you please inform us what your OS is and what programmes start with Windows? This may help us.

    Thanks Pilli
     
  5. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Obviously I'm going through some version x.0 growing pains here.

    The OS is XP Pro SP1 and it's up to date on all patches.

On start-up I have KAV WS, TDS-3, Outpost Pro 2.1, Mailwasher Pro 4.0, PG 2.0, and Acronis TrueImage. NOD32 is set for scheduled demand scanning only, but I have it loading at startup with AMON and IMON disabled.

The problems really started appearing after I updated Mailwasher from ver. 3.4 to 4.0. Not sure if this is pertinent or not, but the timing of everything makes me suspicious. I received a couple more PG errors: first a failure which disabled PG's protection, then an indication that the protected programs list was hammered (see image below). Right now I'm leaning towards a fresh reinstall.

    Blue
     

    Attached Files:

  6. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
From my own experience, I know that KAV, NOD32, Outpost2, MW3.4 & TDS3 are no problem.
    I have Close Message Handling enabled on OP2, TDS3 and NOD32, but not on KAV or Mailwasher as they have their own protection. KAV's is very good, and Mailwasher always throws up a "do you want to close" prompt, so they do not really require Close Message Handling as they already address the problem, IMHO.

    I think that the learning mode requires quite a bit of time to catch all of the running processes unless you are very thorough with running all your programmes.

Adding programmes slowly to the protected list helps, as it gives one the chance to note Process Guard's logs and make the necessary adjustments.

Regarding your screenshot: drag the number column to the left and open up the program column to see what is what :)

    HTH Pilli
     
  7. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
Whatever was there looks to be gone now.... Here's a revised shot.

    Blue
     

    Attached Files:

  8. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
Can you upload your pguard.dat file (in your SYSTEM32 folder), BlueZannetti?

    -Jason-
     
  9. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
Sure, although the board here doesn't like anything aside from images. Here's a picture from my hex editor. Everything not shown for the remainder (17 kb) of the file is a continuation of the nulls.

    Blue
     

    Attached Files:

  10. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
Just "save as" pguard.txt and you can upload it. Cheers :)
     
  11. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
OK, here it is, really the same as before. I have PG installed on 4 machines, basically the same configurations. My PC is the only one that has displayed major problems, and it does seem coincident with the Mailwasher upgrade. I usually shut down the PG GUI on installs like this (if it's running); I didn't this time. It also looks like a defrag operation and launch of a screensaver occurred around the period of the problem according to the log file. These are the only entries near times where I took the initial screen shots above:

    28 Mar 09:43:37 - [EXECUTION] c:\windows\system32\defrag.exe with commandline "c:\windows\system32\defrag.exe" -p 3f8 -s 00000a24 -b c: was ALLOWED to run
    28 Mar 09:43:38 - [EXECUTION] c:\windows\system32\dfrgntfs.exe with commandline dfrgntfs.exe -embedding was ALLOWED to run
    28 Mar 09:48:22 - [EXECUTION] c:\windows\system32\nikons~1.scr with commandline c:\windows\system32\nikons~1.scr /s was ALLOWED to run
    28 Mar 10:35:34 - [EXECUTION] c:\windows\system32\logonui.exe with commandline logonui.exe /status was ALLOWED to run
    28 Mar 10:37:49 - [EXECUTION] c:\program files\processguard\procguard.exe with commandline "c:\program files\processguard\procguard.exe" was ALLOWED to run
    28 Mar 10:38:16 - [EXECUTION] c:\windows\system32\logonui.exe with commandline logonui.exe /status /shutdown was ALLOWED to run
    28 Mar 10:39:27 - Initializing Process Guard over 2 steps. If either step fails some protection may not be active.
    28 Mar 10:39:28 - [1 of 2] Success: Driver is active and secure.
    28 Mar 10:39:28 - [2 of 2] Success: Process Guard's Protection is currently Enabled.
    28 Mar 10:39:28 - General Protection Options
    28 Mar 10:39:28 - [1 of 4] Block End-Task is disabled.
    28 Mar 10:39:28 - [2 of 4] Block Appinit registry key is disabled.
    28 Mar 10:39:28 - [3 of 4] Block Drivers/Services is disabled.
    28 Mar 10:39:28 - [4 of 4] Block Global Hooks is disabled.

    I'm going to wipe the slate clean on this one and start with a pristine install. If the problem is reproducible, I'll see it within the next couple of days. I think we're chasing ghosts right now.

    Blue
     

    Attached Files:

  12. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
OK, I've done the clean install. So far, the only message of those listed above that I've seen again is one instance of the "Defends your system from malware" error dialog box.

1. There does seem to be some instability, though. On reboots, I frequently see a PROCESS_HAS_LOCKED_PAGES BSOD. If I try to track the situation, I get STOP: 0x000000CB (0x804EC092,0x804EC2D9,0x823AFE28,0x00000001) DRIVER_LEFT_LOCKED_PAGES_IN_PROCESS.

    2. I've had one instance of the Execution Protection dialog box appearing without any entries appearing in the Allow, Allow Once, Block, Block Always buttons. None of the "empty" buttons were functional. My only recourse was to power cycle. Before and after this instance the dialog box was normal without any changes made to the system.

    3. I still get occasional disabling of PG. It is usually a failure in the second step of initialization, although I have seen it in both steps, i.e.
    28 Mar 18:50:33 - [1 of 2] Failure: Driver is not correctly installed or active.
    28 Mar 18:50:33 - [2 of 2] Failure: Process Guard's Protection is currently Disabled. Enable it in the Protection menu.

    4. In some cases, the XP Event Viewer under Administrative Tools indicates application errors related to procguard.exe (Faulting application procguard.exe, version 2.0.0.0, faulting module procguard.exe, version 2.0.0.0, fault address 0x00010642.)

5. I have also run across another instance where I was completely locked out of the system after leaving it idle for a while. My session was disconnected from the console. The last entry in the log before a "cycle the power" reboot was:

    28 Mar 22:26:37 - [EXECUTION] c:\windows\system32\nikons~1.scr with commandline c:\windows\system32\nikons~1.scr /s was ALLOWED to run

which is a screensaver I use. (This item added ~12:20 AM 3/29/04.)

    In any event, that's what I'm observing thus far.

    Blue
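The log excerpts quoted in posts 11 and 12 share one line format: a day/month/time stamp, then either an [EXECUTION] record (image path, command line, verdict) or an initialization step tagged [n of m] with Success or Failure. As an added example, not code from the thread or from DiamondCS, here is a small Python parser for those lines that pulls out the protection-initialization failures and the last program allowed to run before a chosen cutoff, which is the question Blue is effectively asking about the screensaver launch before the lock-up. The sample log is the thread's own lines; the year is assumed to be 2004 (PG 2.0 timestamps carry none), and the regexes are written from the quoted lines only, so other PG record types would fall into the generic "OTHER" bucket.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Assumption: PG 2.0 log lines have no year; 2004 is taken from the thread's dates.
ASSUMED_YEAR = 2004

# Constructed sample: the Process Guard log lines quoted in this thread.
SAMPLE_LOG = r"""
28 Mar 09:43:37 - [EXECUTION] c:\windows\system32\defrag.exe with commandline "c:\windows\system32\defrag.exe" -p 3f8 -s 00000a24 -b c: was ALLOWED to run
28 Mar 09:43:38 - [EXECUTION] c:\windows\system32\dfrgntfs.exe with commandline dfrgntfs.exe -embedding was ALLOWED to run
28 Mar 09:48:22 - [EXECUTION] c:\windows\system32\nikons~1.scr with commandline c:\windows\system32\nikons~1.scr /s was ALLOWED to run
28 Mar 10:35:34 - [EXECUTION] c:\windows\system32\logonui.exe with commandline logonui.exe /status was ALLOWED to run
28 Mar 10:37:49 - [EXECUTION] c:\program files\processguard\procguard.exe with commandline "c:\program files\processguard\procguard.exe" was ALLOWED to run
28 Mar 10:38:16 - [EXECUTION] c:\windows\system32\logonui.exe with commandline logonui.exe /status /shutdown was ALLOWED to run
28 Mar 10:39:27 - Initializing Process Guard over 2 steps. If either step fails some protection may not be active.
28 Mar 10:39:28 - [1 of 2] Success: Driver is active and secure.
28 Mar 10:39:28 - [2 of 2] Success: Process Guard's Protection is currently Enabled.
28 Mar 10:39:28 - General Protection Options
28 Mar 10:39:28 - [1 of 4] Block End-Task is disabled.
28 Mar 18:50:33 - [1 of 2] Failure: Driver is not correctly installed or active.
28 Mar 18:50:33 - [2 of 2] Failure: Process Guard's Protection is currently Disabled. Enable it in the Protection menu.
28 Mar 22:26:37 - [EXECUTION] c:\windows\system32\nikons~1.scr with commandline c:\windows\system32\nikons~1.scr /s was ALLOWED to run
"""

TS = r"(?P<ts>\d{2} \w{3} \d{2}:\d{2}:\d{2})"
# Path is matched lazily up to " with commandline "; the verdict is anchored at end of line.
EXEC_RE = re.compile(TS + r" - \[EXECUTION\] (?P<path>.+?) with commandline (?P<cmd>.+) was (?P<verdict>\S+) to run$")
STEP_RE = re.compile(TS + r" - \[(?P<step>\d+) of (?P<total>\d+)\] (?P<status>Success|Failure): (?P<msg>.+)$")
OTHER_RE = re.compile(TS + r" - (?P<msg>.+)$")


@dataclass
class Event:
    ts: datetime
    kind: str                       # "EXECUTION", "INIT_STEP" or "OTHER"
    message: str
    path: Optional[str] = None      # lower-cased image path (EXECUTION only)
    cmdline: Optional[str] = None
    verdict: Optional[str] = None   # only "ALLOWED" appears in the thread
    step: Optional[int] = None      # INIT_STEP only
    status: Optional[str] = None    # "Success" / "Failure"


def _parse_ts(raw: str) -> datetime:
    return datetime.strptime(f"{ASSUMED_YEAR} {raw}", "%Y %d %b %H:%M:%S")


def parse_pg_log(text: str) -> List[Event]:
    """Turn raw PG log text into Event records, skipping blank lines."""
    events: List[Event] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = EXEC_RE.match(line)
        if m:
            events.append(Event(_parse_ts(m["ts"]), "EXECUTION", line,
                                path=m["path"].lower(), cmdline=m["cmd"], verdict=m["verdict"]))
            continue
        m = STEP_RE.match(line)
        if m:
            events.append(Event(_parse_ts(m["ts"]), "INIT_STEP", m["msg"],
                                step=int(m["step"]), status=m["status"]))
            continue
        m = OTHER_RE.match(line)
        if m:
            events.append(Event(_parse_ts(m["ts"]), "OTHER", m["msg"]))
    return events


def init_failures(events: List[Event]) -> List[Event]:
    """Initialization steps that reported Failure (protection silently disabled)."""
    return [e for e in events if e.kind == "INIT_STEP" and e.status == "Failure"]


def last_execution_before(events: List[Event], cutoff_raw: str) -> Optional[Event]:
    """Most recent EXECUTION at or before a PG-style timestamp such as '28 Mar 22:30:00'."""
    cutoff = _parse_ts(cutoff_raw)
    candidates = [e for e in events if e.kind == "EXECUTION" and e.ts <= cutoff]
    return max(candidates, key=lambda e: e.ts, default=None)


def executions_by_image(events: List[Event]) -> Counter:
    """Count executions per image file name, so repeat launchers stand out."""
    return Counter(e.path.rsplit("\\", 1)[-1] for e in events if e.kind == "EXECUTION")


if __name__ == "__main__":
    evs = parse_pg_log(SAMPLE_LOG)
    for f in init_failures(evs):
        print(f"{f.ts:%d %b %H:%M:%S} step {f.step} failed: {f.message}")
    suspect = last_execution_before(evs, "28 Mar 22:30:00")
    print("last execution before the power cycle:", suspect.path if suspect else None)
    print(executions_by_image(evs).most_common())
```

The cutoff in the usage block stands in for the moment the machine was found locked; the parser cannot tell a hang from a quiet period, it only narrows which execution was the last thing PG recorded before it.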
     
  13. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
I've noticed that KAV hasn't successfully run or updated since PG 2.0 was installed.

    Blue
     
  14. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
Hi Blue, You may not like this suggestion, but it may cure your problems.

Disable Process Guard protection.

Firstly go to Start - Run and type chkdsk /f. This will get rid of any broken or corrupted files and will run after a reboot.

    Defragment your hard drive.

    Close the procguard.exe GUI, in Task Manager terminate DCSuserprot.exe.
    Uninstall Process Guard & reboot.

Using regedit, delete all Process Guard's entries using procguard as the search criteria.
    Reboot. You will have to right-click the legacy entries to change their permissions to Allow.
    Delete pguard.dat & pghash.dat from the system32 folder and all files in your Process Guard folder except for your keyfile.
    Disable all your running programmes. Re-install Process Guard version 2.
    Accept the default processes. Leave in learning mode (default) and start all your normal programmes, including their update functions. When you are satisfied that you have tried all your programmes, reboot.

Learning mode will be Off.

    This is the best way to ensure a clean install, & hopefully you will have a stable Process Guard.
     
  15. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Well, it's better than the status quo. I'll give it a try tonight.

I recently defragged my hard drive, but I'll redo that. I hadn't cleaned the registry out, so that will be done. I had cleaned out the ProcessGuard folder and had removed pguard.dat and pghash.dat from a safe mode boot prior to the last install. I was close to your last suggestion. Hadn't initiated all update functions, but I had covered most of them and did have learning mode off during most of the recent problems.

    I'll let you know how this attempt turns out. No other family members have complained yet, so I assume my PC is the only one acting a tad disagreeable here.

    Blue
     
  16. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
I think I traced my problems last night to a corrupted KAV Workstation. Uninstalled PG, cleaned the system of all traces of PG, and got the PROCESS_HAS_LOCKED_PAGES BSOD when I tried to Exit the KAV WS Control Centre. Tried a repair of KAV from Add/Remove Programs and it was obvious something wasn't right. The lack of scheduled scans and updates since the PG install was the tipoff that KAV might be involved in many of the issues noted above. Not sure of the cause of all this, since my other 3 systems have been behaving fine.

I ended up reinstalling both KAV WS and Outpost Pro since they were both showing flaky behavior. After a couple of miscues, I ended up doing the reinstalls of both with PG placed in learning mode (probably could have just disabled PG also). So far, things seem to be stable. Didn't lock up overnight.

    Blue
     
  17. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
Hi Blue, Well done! :) It is strange how these unrelated events all seem to happen together when you least expect them. :(
    Hopefully your PC will settle down again and all will be well. :)

    Enjoy a Karma cookie for all your troubles ;)
     
  18. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
Thanks to all, and yum on the cookie (great with morning coffee), and things coming together and all, well, that's karma, isn't it?

I had seen the PROCESS_HAS_LOCKED_PAGES BSOD a couple of times before the PG 2.0 upgrade, so I'm pretty sure PG wasn't the direct cause of my problems; it simply exacerbated the situation, got into a bit of a tiff with KAV and, as you thought, they were probably fighting it out in the background. This view is also consistent with my 3 other PCs showing no symptoms at all (they all have KAV WS and Outpost Pro, and one has NOD32 configured the same way as my PC).

    We'll see how things pan out today, but so far, so good.

    Blue
     