Star-Force, an interesting find.

Discussion in 'ProcessGuard' started by Rowne, May 26, 2006.

Thread Status:
Not open for further replies.
  1. Rowne

    Rowne, Registered Member (Joined: May 26, 2006; Posts: 3)

    First of all, I'll ask you not to form an opinion that I'm one of those supposedly self-serving StarForce haters until I'm done because I've found something very interesting about their drivers which is, in fact, reproducible.

    This is related to ProcessGuard too, so it's not in the wrong forum.

    Anyway, after having accidentally bought my first game with Star-Force embedded in it a couple of days back, I worked to manually remove its essence from my computer. I missed a couple of files though that aren't mentioned in most of the manual uninstallation instructions and thanks to that, it somehow managed to redistribute itself.

    Now having thought I'd uninstalled Star-Force, I thought I'd set myself up to protect myself from it via ProcessGuard. I added Protect.exe to the list and set it to Deny Always but just in case, I figured I'd add it to the security list for that extra level of protection.

    The moment I did this, I had a bluescreen.

    Apparently because I was 'tampering' with protect.exe, I don't know. I tried rebooting, bluescreen.

    The only thing I could do to stop it was renaming my ProcessGuard folder, via DOS, so that it wouldn't be there on reboot. That worked. I found the driver and I uninstalled it, this time making thoroughly sure that it's gone.

    I'm hoping that this time when I start ProcessGuard, it won't bluescreen, at least it shouldn't if I'm understanding this correctly. If it does though, how might I go about removing an entry from ProcessGuard's list without actually starting the application? Perhaps a way to wipe the configuration and start fresh, even?

    I ask this just in case I start up the program and I find myself with another bluescreen, I doubt I will but one never knows to be honest, I don't know what Star-Force is doing with its latest version so I don't trust them.

    I'll report back with what I find after I've tried it.

    As I said though, I invite anyone with a very recent Star-Force protected game (Dreamfall UK in my case) to install the game and then try adding Protect.exe to their security list. You won't even have to check any options, you won't have to tell it not to modify or anything like that. It's just the moment you select to add it from the context menu, poof, bluescreen!

    That's pretty damning evidence if you ask me.

    Anyway, I just wanted to let you guys know so you wouldn't fall into the same pit-trap. Bluescreens perturb me greatly because my PC, under normal circumstances (unless it's forced to) never crashes. Ever. I'm very careful about my software, I mostly go with open-source and I stay well away from malware and I keep myself protected with the best to ensure that as well (most of the software mentioned in this forum, including the likes of Nod32).

    I think to force a computer to bluescreen under these conditions (and no, I didn't have any games open or running) is very wrong and to be honest, I wouldn't mind betting it's grounds for a legal suit to be filed against them by the developers of PG.

    Anyway, I won't say anything other than that, draw your own conclusions but please, before you dismiss me, try it yourself.

    ---

    Just to clarify; I'm using the latest (3.150) full version of ProcessGuard. I purchased it using the same email address that I used to sign up to this forum with.

    ---

    I hope I'll get at least some response to this anyway because I think that the probability that adding applications to PG's protection could cause an otherwise sturdy and unflappable computer -- which has never crashed in the time it's been running since its build -- to hard-lock simply by adding a process to its protection list is a disturbing prospect.

    Basically I'm just looking for some advice here. I did buy ProcessGuard and it might still hard-lock once I reactivate it. If you could at least tell me how I could remove the offending process, I'd be happy.

    I'm sorry to impose anyway, I know a lot of bad stuff has been said about Star-Force and I don't know what I can do to convince anyone I'm genuine. I'm just looking for help solving a problem here that I can't solve. I'd just like to know that if I do start PG again and it does hard-lock again (for the third or fourth time), I'll have a way to rectify the situation waiting for me.

    I'm pretty good with working with the registry and so forth and I'm nothing to sneeze at as far as software configuration is concerned. That's why I'm wondering where the PG config information is stored, so I'll remove the right thing.
     
    Last edited: May 26, 2006
  2. Paranoid2000

    Paranoid2000, Registered Member (Joined: May 2, 2004; Posts: 2,839; Location: North West, United Kingdom)

    Welcome to the forums Rowne,
    You can clear PG's configuration by starting Windows in Safe Mode and deleting the pguard.dat and pghash.dat files in the Windows \System32 folder.
    The current latest version is 3.300 beta 4, see the ProcessGuard v3.3b4 (final) ready thread - DiamondCS haven't been keeping their website as up-to-date as they should be.
    A rogue driver (be it StarForce or anything else) can do anything on your system, including crashing it. While this could be a conflict between PG and SF, I'd suspect it more likely that SF's driver just wasn't written to cope gracefully with its system access being restricted by PG.

    For future reference, you can see a list of Starforce-protected games at the Boycott Starforce webpage.
     
  3. Rowne

    Rowne, Registered Member (Joined: May 26, 2006; Posts: 3)

    Thanks much, I really do appreciate that.

    I'm almost afraid to try this again because bluescreens aren't something I relish. I'll give it a go later though and at least I know that if it still happens, I'll have a way around it. I really am appreciative of the reply because I hadn't seen this coming and I do like ProcessGuard.

    For the record though, Protect.exe actually isn't a driver, at all. It's simply the program that installs the Star-Force drivers. The problem is that if the drivers perceive that anything is tampering with their protection, they'll crash the system (which is precisely what happened to me). Now they claim that that only happens if one of their games is running, I claim that's bull because it was happening to me on boot and I'm fairly sure that I'm not running their game or executing their protect executable (I checked) on boot.

    So this is something you fellows may want to investigate or you may want to leave it be, I honestly don't know. All I do know is that protect.exe is a standard, executable process like any other and blocking it off shouldn't cause the target machine to bluescreen and hard-lock.

    I'm just leaving this here anyway as a warning for other people, so if other people encounter this problem then they'll know what to do about it.
     
  4. Paranoid2000

    Paranoid2000, Registered Member (Joined: May 2, 2004; Posts: 2,839; Location: North West, United Kingdom)

    Did you give this program permission to install drivers? If not, then PG would have blocked this action by default - so if you wish to allow StarForce to install, then you need to either set the "Install Drivers" permission for Protect.exe in PG's Protection list or disable the global Block Rootkit... option (the latter is the easier option to take when installing new software).
    If you posted on the Starforce forum, then do please include a link to it (I'd be interested to see if Dennis Zhidkov threatens to report you to the FBI :D).
    If you are blocking protect.exe, then what exactly is trying to run it? If it is a driver, then it is most likely that it simply couldn't properly handle the "access denied" message it receives when PG blocks access. If so, this would be a case for Security Technologies to resolve rather than DiamondCS (note that only Wayne and Gavin here are DiamondCS entities - everyone else here is just a groupie... :)).
     
  5. Rowne

    Rowne, Registered Member (Joined: May 26, 2006; Posts: 3)

    Oh, don't get me wrong. I wasn't suggesting that this is a problem for DiamondCS to solve at all. What I was thinking is more along the lines of; perhaps in the next release, there could be a blacklist of programs like this, which could cause serious issues if ProcessGuard tries to interact with them, so if it's in learning mode it won't add them by default and if the user tries to add it, they'll be warned first before it goes through.

    Just a thought, anyway.

    Actually, heh ... I am going to report this on the Star-Force forums. I suspect that it'll be covered up and deleted, which is their usual modus operandi when they're not slagging people. I'll see what they have to say about it.
     
  6. some made up name

    some made up name, Registered Member (Joined: Jan 31, 2006; Posts: 60)

    Just out of interest, what was the information shown on the bluescreen? If it went by too quick (i.e. autorebooted) ... turn that off in 'system properties' -> 'advanced' -> 'startup and recovery settings'; there is an 'automatically restart' checkbox that should be cleared.
     