WSA went haywire when uninstalling game

Discussion in 'Prevx Releases' started by GSL, Dec 13, 2013.

Thread Status:
Not open for further replies.
  1. GSL

    GSL Registered Member

    Joined:
    Sep 16, 2011
    Posts:
    79
    [Solved]WSA went haywire when uninstalling game

    Was uninstalling a mmorpg and noticed the removal took way too long so I decided to launch task manager and saw 1 of WRSA.exe process consumed a whopping 851MB of ram:

    wsa.jpg

    Using the latest version of WSA AV v8.04.42 on 32-bit Windows 7 Ultimate SP1 PC.
     
    Last edited: Dec 14, 2013
  2. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Wow - that definitely is wrong. Could you right click the process and click "Create Dump File", then copy the dump file and send it to us to look into closer?
     
  3. GSL

    GSL Registered Member

    Joined:
    Sep 16, 2011
    Posts:
    79
    Sure but I immediately terminate the process when it took up that much ram and restarted WSA which everything appeared to function normally now so is it ok to create a dump?
     
  4. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I'd need to get the memory dump while the issue is occurring. It's possible that the logs will be helpful at least - could you try saving a log and send it to my username at gmail.com?

    Thanks!
     
  5. GSL

    GSL Registered Member

    Joined:
    Sep 16, 2011
    Posts:
    79
    Noted and Sent.
     
  6. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Thanks, the log gives me what I need - because the uninstaller is untrusted in our database (it has yet to be whitelisted), WSA journaled all of the changes it was making while it was making them, hence the high RAM usage. The CPU usage is due to the processing and saving of this event data, which would finish after some time.

    The fix for this is to have our threat team whitelist the uninstaller/installer, which I'm having them do as we speak.

    Thanks!
     
  7. Techfox1976

    Techfox1976 Registered Member

    Joined:
    Jul 22, 2010
    Posts:
    749
    Terminate the system WRSA.exe application?

    So... How did you do this?

    WSA disallows forced external termination of its processes from a kernel level. Even when "Protect against process termination" is not set (in that case it catches the attempt, blocks it anyway, and asks if you want to).

    If you were able to kill it from Task Manager, then something got realllllllly broken at the kernel level.
     
  8. GSL

    GSL Registered Member

    Joined:
    Sep 16, 2011
    Posts:
    79
    Thank you for the help and the detailed explanation:thumb:

    It was done via the tray icon by shutting down WSA which the processes didn't quit and took too long to unload the resources in my case.
     
Thread Status:
Not open for further replies.