PG becomes totally disabled by itself!

Discussion in 'ProcessGuard' started by mekon, Jun 3, 2004.

Thread Status:
Not open for further replies.
  1. mekon

    mekon Registered Member

    Joined:
    Apr 3, 2004
    Posts:
    10
    Interesting one this. Ran Shields up 3 or 4 weeks back, from GRC.com to check the ports. Not long after when trying to shut down XP the machine got into a restart cycle and wouldn't shut down. Had to switch it off in the end. Eventually I got it to reboot OK. No Reinstalls or anything. But checking the security I found that PG had been totally disabled, all the extra protection items disabled, .exe prompt disabled, and all I had left in the list of protected programs were 18 Installer (.exe) icons, no details of the programs or anything. Ran virusscanner (McAfee version 8.0) and A squared freebie trojanscanner but no problems showing on the machine. All a bit weird. Not to worry, probably an XP thing. I uninstalled PG in safe mode and reinstalled it and it's been going ok since then. But I'd be interested in knowing if anybody else has had a similar problem. Keep on Processing. Mekon.
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Mekon, Several users have reported losing their protected list or rather the items appear as blanks, not sure as yet what is causing the problem.
    One thing to do when you have your protected and checksum lists as you like them is to back up pguard.dat and pghash.dat - You will need to disable Process Guard whilst copying those two files either to a .zip file or another location. They can be found in the *:\windows\system32\ folder.

    BTW are or were you an "Eagle" fan :)

    HTH Pilli
     
  3. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,301
    Location:
    Kent. UK by the sea
    Hi, Pilli

    I have had it happen five times. o_O

    And I believe it has to do with Dr Watson doing something and shuts down PG.

    Why or how I do not know.

    Possible GMH on PG and Dr Watson knock it flat.

    I have now taken Dr Watson off the protection list [not sure if it's safe to do so [there by default]] to see if it happens again.

    Log said PG tried to perform Illegal operation. [or similar words]

    Hope this helps.
    Take Care,
    TheQuest :cool:
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi TheQuest, You may be onto something there but it may also be to do with XP's flakey error reporting - Many users turn this off as it can be problematical.

    Start - Control panel, Administrative tools - Services - Error reporting service - Right click for properties and change "Start up Type" to Disabled.

    Worth a try ;) Pilli
     
  5. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,301
    Location:
    Kent. UK by the sea
    Hi, Pilli

    Thanks for your reply.

    Not that Pilli, turned off about 35 services as per Black Viper's pdf, plus some others,

    ie:- Nvidia display driver service which is the same [similar] to windows error reporting service, also IMAPI CD-burning COM [using Nero]

    Take Care,
    TheQuest :cool:
     
  6. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,301
    Location:
    Kent. UK by the sea
    Hi, Pilli or DiamondCS


    Just Happened again would you believe it. o_O [one foot in the grave voice :D ]

    Here is the log edited the data as there is so much of it, have available if need.


    ============================================================================================
    [UK TIME] for your info

    Event Type: Information
    Event Source: DrWatson
    Event Category: None
    Event ID: 4097
    Date: 04/06/2004
    Time: 09:19:33
    User: N/A
    Computer: Removed by me.
    Description:
    The application, C:\Program Files\Removed by me.\procguard.exe, generated an application error The error occurred on 06/04/2004 @ 09:19:33.375 The exception generated was c0000005 at address 00410642 (procguard)

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Data:


    ============================================================================================

    Take Care,
    TheQuest :cool:
     
  7. hmm

    hmm Guest

    my free version of PG is disabled on every restart
    i use Mcafee too

    i am not sure why it happens, but i am uninstalling PG anyway because the free version is unusable
     
  8. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,301
    Location:
    Kent. UK by the sea
    Hi, hmm

    Welcome to Wilders Security Forums and DiamondCS Process Guard Forum.

    I am not using McAfee, see sig.

    Take Care.
    TheQuest :cool:

    Edit:- Sorry, you're talking about Mekon's setup.
     
  9. hmm

    hmm Guest

    i just noticed the two EXEs in the "program protection" tab are empty
    there is only an icon under "process name" (the white window icon used for EXEs by default)
    nothing under process path
    and "None" under Blocked Privileges

    PG still recognizes the first blank exe in the list as its own ("because this is the free version of Process Guard, you cannot remove dcsuserprot.exe from the list")
     
  10. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,301
    Location:
    Kent. UK by the sea
    Hi, hmm

    Do you mean like in post #1 and Pilli's answer in #2?

    Take care,
    TheQuest :cool:
     
  11. hmm

    hmm Guest

    ummm yeah maybe
    i just wanted to report it so it can be fixed
    i already uninstalled PG
     
  12. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hmm, Not sure what is going on, we will have to wait and see if the DCS team can come up with something.
    Would you please post any error reports, PG log events, protection list, OS etc. that may be of help to Jason for analysis.

    Thanks & enjoy your weekend - Pilli :)
     
  13. hmm

    hmm Guest

    it's too late for that as i already uninstalled PG, but i will reinstall it now and see if this problem happens again in next couple of days
    (i will uninstall it afterwards because i am too cheap to buy PG :p and the free version is useless)
     
  14. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,301
    Location:
    Kent. UK by the sea
    Hi,

    Is the cause possibly the Indexing Service starting up?

    Should not unless the disk is Idle.

    And Process Guard tries to stop it and there is a clash with DrW and DrW wins.



    Just another thought.

    Take Care All,
    TheQuest :cool:
     
  15. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Hi, Pilli/TheQuest:

    For what it's worth, I have not had any probs, touch wood.

    However, I have a truckload of services turned off, including ALL error reporting services, etc. with Dr. Watson on BLOCK ALWAYS in PG

    Cheers, TAS
     
  16. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,301
    Location:
    Kent. UK by the sea
    Hi, Tassie_Devils

    Thanks TAS, but I have tried that. :(

    Stranger and Stranger.

    There must be a reason. ;)

    This is Windows we are talking about. :D :D :D

    Take Care,
    TheQuest :cool:

    Edit: Seriously there could be any one bit of software to be the cause. :doubt:
     
  17. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Strange for sure, I only had the disappearing protected list once during beta testing and that was when I was having hardware problems. Since correcting the problems PG/Windows has been as solid as a rock.
     
  18. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,301
    Location:
    Kent. UK by the sea
    Hi, Pilli

    Thanks for your reply.

    I don't know, system hardware never had anything wrong [not a hint]
    and drivers for them seem to be trouble free, only two, sound and graphics,

    Take Care,
    TheQuest :cool:

    PS: Forgot chipset drivers, keyboard and mouse drivers [disabled at the moment to see if they are the culprit].
    I think I'll do a clean Install with the newest drivers and no keyboard and mouse on Sunday.
    Glad I have removable HDD's.

    Sorry to go on [bla bla bla] ;)
     
  19. mekon

    mekon Registered Member

    Joined:
    Apr 3, 2004
    Posts:
    10
    Hi. Mekon here, Yes Pilli, I was an Eagle fan, Dan Dare Pilot of the Future. Given my age away though. Doh. Never expected to see so many replies, so soon. Only been computing since last July, and it's nice to see how many folks out there are willing to help. I will back up the 2 files suggested. It's beginning to look like it's yet another "XP" thing. There's so much stuff that Bill's got running by default, but I'll disable the error reporting and Doc Watson. (I've had a prob with him before). It's probably best to disable these processes one at a time and let PG run for a couple of weeks or so before trying the next one, unless it breaks again before that. Guest says he's going to remove the free version 'cause it's no good. I wouldn't say that 'cause it stops .exe's running unless you allow 'em, so if someone planted a dialler or something on your system at least it would be stopped at the .exe prompt panel. I've got my full version of PG on a fresh, clean install of XP. No MS updates. Just Firewall (zone alarm), McAfee 8.0, Spybot S&D, A squared Trojanscanner, and of course PG with .exe protection set, and all other protection enabled except global hooks. I'm using the machine with XP on it as a server and doing most of my work on Redhat Fedora Core I networked thro XP. As I'm not doing much on XP it'll be interesting to see if this prob is due to one of Bill's little interfering processes that is causing this problem. Sorry about the huge posting. Mekon.
     
  20. mekon

    mekon Registered Member

    Joined:
    Apr 3, 2004
    Posts:
    10
    To The Quest. Re, indexing starting up at disc idle. I don't think it's that 'cause I've been running Seti at Home for months on the drive that had the problem, and that uses 100% CPU. If you open another app it just fills up what's left to 100%. So the CPU is working flat out all the time. Mekon.
     
  21. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Mekon, glad you have got back to us. :)
    Adding Process Guard on a fresh install is definitely the best way to go IMHO. It is much easier to see what is happening as you add your apps etc. Though two weeks in learning mode should not be necessary :) once the core system services / drivers are listed on the checksum list, though, as I have said before, for me it was a few reboots before all the system stuff stabilised.
    I use SafeXP and XP-Antispy to get rid of XP's multitude of unwanted services etc.

    Dan Dare!! .... Dandy, Beano ..... :)
     
  22. jwcca

    jwcca Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    716
    Location:
    Toronto
    Hi folks, I don't think that it's an XP thing because I just now had it happen for the third time. And I also don't think that it's a hard disk problem. I saw the error message as I was booting up and when I look at the File log, it appears that PG is starting up twice, the first time succeeds and the second fails.

    I can PM the entire log if that would help....
    Jim



    First time, during bootup:
    -------------------------------------------
    6 Jun 13:30:24 - Initializing Process Guard over 2 steps. If either step fails some protection may not be active.
    6 Jun 13:30:24 - [1 of 2] Success: Driver is active and secure.
    6 Jun 13:30:24 - [2 of 2] Success: Process Guard's Protection is currently Enabled.
    6 Jun 13:30:24 - General Protection Options
    6 Jun 13:30:24 - [1 of 4] Block End-Task is enabled.
    6 Jun 13:30:24 - [2 of 4] Block Appinit registry key is enabled.
    6 Jun 13:30:24 - [3 of 4] Block Drivers/Services is enabled.
    6 Jun 13:30:24 - [4 of 4] Block Global Hooks is enabled.
    ----------------------------------------------------
    followed by all the other startup programs, and then
    --------------------------------------------------------
    6 Jun 13:30:51 - [EXECUTION] c:\appssoft\security\dcs\tds\dcsmutex.exe with commandline c:\appssoft\security\dcs\tds\dcsmutex.exe diamond computer systems pty. ltd. was ALLOWED to run
    6 Jun 13:30:51 - [EXECUTION] c:\appssoft\security\dcs\pg\procguard.exe with commandline "c:\appssoft\security\dcs\pg\procguard.exe" -minimize was ALLOWED to run
    ----------------------------
    then the bad news, note the time...
    ----------------------------
    6 Jun 13:33:43 - Process Guard GUI was shut down
    --------------------------
    Second attempt to start PG and I assume the first is still running
    ---------------------------
    6 Jun 13:34:21 - Initializing Process Guard over 2 steps. If either step fails some protection may not be active.
    6 Jun 13:34:21 - [1 of 2] Success: Driver is active and secure.
    6 Jun 13:34:21 - [2 of 2] Failure: Process Guard's Protection is currently Disabled. Enable it in the Protection menu.
    6 Jun 13:34:21 - General Protection Options
    6 Jun 13:34:21 - [1 of 4] Block End-Task is disabled.
    6 Jun 13:34:21 - [2 of 4] Block Appinit registry key is disabled.
    6 Jun 13:34:21 - [3 of 4] Block Drivers/Services is disabled.
    6 Jun 13:34:21 - [4 of 4] Block Global Hooks is disabled.
    6 Jun 13:34:41 - Process Guard Protection was Enabled
    6 Jun 13:34:47 - Block End Task has been enabled
    6 Jun 13:34:50 - Block AppInit has been enabled
    6 Jun 13:34:53 - Block Drivers has been enabled
    6 Jun 13:34:57 - Block Global Hooks has been enabled
    6 Jun 13:35:01 - Program Checksum has been enabled
    6 Jun 13:35:55 - [EXECUTION] c:\appssoft\security\dcs\tds\ext.sys\execprot.exe with commandline c:\appssoft\security\dcs\tds\ext.sys\execprot.exe tds|tdsdll-test:c:\winnt\explorer.exe was ALLOWED to run
    6 Jun 13:35:55 - [EXECUTION] c:\winnt\explorer.exe with commandline "c:\winnt\explorer.exe" was ALLOWED to run
    6 Jun 13:37:11 - [EXECUTION] c:\winnt\system32\cidaemon.exe with commandline cidaemon.exe downleveldaemon "c:\system volume information\catalog.wci" 196672l 536l was ALLOWED to run
    -------------------------------------------------
    the following was me opening the text backup of PG so that I could add the processes back
    ---------------------------------------------------
    6 Jun 13:38:04 - [EXECUTION] c:\appssoft\security\dcs\tds\ext.sys\execprot.exe with commandline c:\appssoft\security\dcs\tds\ext.sys\execprot.exe tds|tdsdll-test:e:\appssoft\security\dcs\pg\process list backup v8.txt was ALLOWED to run
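
An added example, not part of the thread and not DiamondCS code: a small Python parser for the log layout quoted in the post above, flagging any start-up where protection comes up Disabled or where options that were enabled at the previous start-up are now disabled. The sample lines are an abridged copy of that log, and the year (absent from the log) is assumed to be 2004.

```python
import re
from datetime import datetime

LINE = re.compile(r"^\s*(\d{1,2} \w{3} \d{2}:\d{2}:\d{2}) - (.*)$")
OPTION = re.compile(r"\[\d of 4\] (Block .+?) is (enabled|disabled)\.")

# Constructed sample: an abridged copy of the log lines quoted in the post above.
SAMPLE_LOG = """\
6 Jun 13:30:24 - Initializing Process Guard over 2 steps. If either step fails some protection may not be active.
6 Jun 13:30:24 - [2 of 2] Success: Process Guard's Protection is currently Enabled.
6 Jun 13:30:24 - [3 of 4] Block Drivers/Services is enabled.
6 Jun 13:30:24 - [4 of 4] Block Global Hooks is enabled.
6 Jun 13:33:43 - Process Guard GUI was shut down
6 Jun 13:34:21 - Initializing Process Guard over 2 steps. If either step fails some protection may not be active.
6 Jun 13:34:21 - [2 of 2] Failure: Process Guard's Protection is currently Disabled. Enable it in the Protection menu.
6 Jun 13:34:21 - [3 of 4] Block Drivers/Services is disabled.
6 Jun 13:34:21 - [4 of 4] Block Global Hooks is disabled.
6 Jun 13:34:41 - Process Guard Protection was Enabled
"""

def parse_sessions(text, year=2004):
    """Split the log into start-up sessions; the log carries no year, so one is assumed."""
    sessions, shutdown = [], None
    for m in filter(None, map(LINE.match, text.splitlines())):  # skips separator rows
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %d %b %H:%M:%S")
        msg = m.group(2)
        if msg.startswith("Initializing Process Guard"):
            sessions.append({"start": when, "protection": None,
                             "options": {}, "shutdown_before": shutdown})
            shutdown = None
        elif "GUI was shut down" in msg:
            shutdown = when
        elif sessions and "[2 of 2]" in msg:
            sessions[-1]["protection"] = "Enabled" if "currently Enabled" in msg else "Disabled"
        elif sessions and (opt := OPTION.search(msg)):
            sessions[-1]["options"][opt.group(1)] = opt.group(2)
    return sessions

def find_regressions(sessions):
    """Flag each start-up that reports protection off, or options lost since the last one."""
    findings, prev = [], {}
    for s in sessions:
        lost = sorted(k for k, v in s["options"].items()
                      if v == "disabled" and prev.get(k) == "enabled")
        if s["protection"] == "Disabled" or lost:
            gap = s["shutdown_before"] and (s["start"] - s["shutdown_before"]).total_seconds()
            findings.append({"start": s["start"], "lost": lost, "gap_seconds": gap})
        prev = s["options"]
    return findings
```

Calling `find_regressions(parse_sessions(SAMPLE_LOG))` returns one finding for the 13:34:21 start-up, including the number of seconds between the logged GUI shutdown and that re-initialisation.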
     
  23. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi JW Clements, Have you got TDS3 on autostart? This may be causing a timing error. This can be problematical on some PCs; better to start TDS manually after a reboot.

    HTH Pilli.
     
  24. jwcca

    jwcca Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    716
    Location:
    Toronto
     
  25. mekon

    mekon Registered Member

    Joined:
    Apr 3, 2004
    Posts:
    10
    Thanks Pilli for the couple of tools to get rid of unwanted services. No doubt this will be to the annoyance of Uncle Bill. But Hey! So what. I also posted a reply to another forum you're on regarding winsta.dll using svchost.exe to shut down PG. I looked in Win32 and that .dll is there even though I haven't DLd APT1.9. Looking on the protected processes list in PG, there is one instance of svchost.exe with the usual blocks but with everything enabled on the allow list including Getinfo and Read, which doesn't make sense as they aren't even on the block list. There's also a lot of other system stuff that is the same usual blocks but everything allowed. I was just wondering whether winsta.dll was killing PG by means of this instance of svchost.exe, and might be the answer to the whole problem. svchost.exe still has terminate allowed and I'm gonna leave it as it is, just to see whether this does cause another PG disablement. If it does I'll reinstall it and then remove terminate off the allow list for svchost.exe and see how that goes. Mekon.


    Mysteries, Mysteries, So many Mysteries.
     