JozefG (Posts: 65, Days Won: 1)
Posts posted by JozefG
-
On 1/7/2024 at 9:49 AM, Marcos said:
Honestly it is not clear to me why Windows would load and unload user's registry hive before login. The issue that we solved was with releasing the handle upon logoff. How can we reproduce it?
Since some time ago (around Win10 RS3), Windows automatically logs you in and immediately locks, so you are unlocking your PC, not logging in. That could be why the hive is loaded before what you see as login.
@Andrej Kuk @Jamie Reader @hack-the-planet what are the products used and their versions?
-
Please try to switch to the prerelease update channel. There is Configuration module 2099.7, which should help with the issue. It is scheduled to be released on Monday.
-
Glad to hear that. The 2099.7 version is scheduled for full release on Monday.
-
That is a version of the operating system. But I can see that you are using 10.0 in one of the previous screenshots.
That is a bit strange; we are closing the handle to those files when we get a notification from the system that the user is logging off. It is an asynchronous notification, so maybe there is some race. Testers have tested that the handle is closed on logoff.
Can you please write down some steps for reproducing it?
-
What version of server product are you using?
-
Are you by any chance behind a mirror? You might have to update it first.
Something that I forgot to mention about 2099.7: due to technical reasons it will work only on business products v10+.
-
Can you try to switch to the prerelease update channel to get Configuration module 2099.7 and see if it helps?
-
Can you please share what version of Configuration Module you have?
-
Tried to investigate the issue more. After checking our WSC module logs I suspected the read request (point no. 2) of being somehow involved, as its time was very close to the logged events. Using a custom build 1038 without the read request, the issue still persists.
Next I disabled the startup scan, as someone mentioned it earlier in this thread. Still no luck and the issue persists.
-
The Windows Security Center service is a delayed-start service by default. We have a quite elaborate waiting system for that service.
1. We have a system notification registered for the start of the `wscsvc` service.
2. When notified by the system, we try to ask via the WSC API if there is some data. If it is still initializing, it returns `ERROR_SERVICE_NOT_ACTIVE`.
3. If that happens, we register a notification with WSC itself to tell us when it is ready. Otherwise we start issuing requests.
4. If the initialization took more time and the notification comes from WSC, we start issuing requests.
Events (error) with ID 16 are expected and according to the specification from MS. If our application changes its certificate, the request to update status fails with a certain error. When this error occurs we are obliged to register again and then report the requested status. You can see in the event log that those 2 errors with ID 16 are followed by ID 15 events (informational) that we successfully reported the status.
Events (errors) with IDs 18 and 19 are from the initialization of the `wscsvc` service itself. Actually, just checking, I got those errors on my machine too on 20.11.2023, probably a reboot after the upgrade to the new Endpoint v11. It might have been just a coincidence. Also, the logged 0x8007000D (should be something like `ERROR_INVALID_DATA`) is not coming from our provider requests, since the errors are followed by an event with ID 1 (start of the service) and even by ID 15 events (successful reports of status).
-
The Windows Security service has delayed start, which means that until it is running these sections are empty. Does it show anything after some time?
The other option is that there are failures logged in our event log or in the Windows Event log.
-
@Vangelis Try to remove this registry key and see if it helps.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\egui
-
Please collect logs via Log Collector and also provide a Boot Process Monitor log. You can send me a link to the logs in a PM.
-
@Crunch The boot log was correctly saved now, but it confirmed what I saw in Logfile.pml from the previous run.
The Security Center service failed to establish a connection with WMI because it is not running.
-
@Crunch thanks for the logs. Even though Bootlog.pml was corrupted/incorrectly closed, Logfile.pml contained the start of wscsvc. So the issue in your case is that WSC cannot initialize its connection with WMI, most probably due to the fact that there is no WMI service running. Also there is no WMI Provider Host application running.
What does running this command from command prompt say?
wmic /namespace:\\root\SecurityCenter2 Path AntivirusProduct GET displayName,ProductState
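The following PowerShell script is an added example, not code from the original posts or from ESET. It gathers in one place the three things the posts above ask readers to check: whether the WMI and Security Center services are running (wscsvc is delayed-start by default), the CIM equivalent of the wmic query (wmic is deprecated), and the SecurityCenter events with IDs 1, 15, 16, 18 and 19 described earlier in the thread. Assumptions not stated in the posts: the service names are 'Winmgmt' and 'wscsvc'; the WSC events live under provider 'SecurityCenter' in the System log; the productState bit layout used by Convert-ProductState is the common community decoding, which Microsoft does not document, so treat it as a hint only.

```powershell
# Added example (not from the original forum posts): triage the Windows Security
# Center (WSC) dependency chain discussed in this thread from PowerShell.
# Assumptions: service names 'Winmgmt' (WMI) and 'wscsvc' (Security Center);
# WSC logs under provider 'SecurityCenter' in the System log; the productState
# bit layout below is the commonly used community decoding, not documented by MS.

# 1. Service state. wscsvc is delayed-start by default, so "Stopped" shortly
#    after boot is normal; Winmgmt must be running for WSC to initialize at all.
foreach ($name in 'Winmgmt', 'wscsvc') {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    if ($null -eq $svc) { "$name : service not found"; continue }
    '{0,-8} State={1,-8} StartMode={2,-6} DelayedAutoStart={3}' -f `
        $svc.Name, $svc.State, $svc.StartMode, $svc.DelayedAutoStart
}

# 2. CIM equivalent of the wmic query from the post. If WMI is not running this
#    throws, which is itself the symptom described above.
function Convert-ProductState([int]$state) {
    # Community decoding: the enabled flag sits in bits 8-15 (0x__10__), the
    # signature-freshness flag in the low byte (0x____10 = out of date).
    [pscustomobject]@{
        Enabled     = (($state -shr 8) -band 0x10) -ne 0
        Definitions = if (($state -band 0x10) -ne 0) { 'Out of date' } else { 'Up to date' }
    }
}
try {
    Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName AntivirusProduct -ErrorAction Stop |
        ForEach-Object {
            $d = Convert-ProductState $_.productState
            [pscustomobject]@{
                displayName  = $_.displayName
                productState = ('0x{0:X6}' -f $_.productState)
                Enabled      = $d.Enabled
                Definitions  = $d.Definitions
                timestamp    = $_.timestamp
            }
        } | Format-Table -AutoSize
} catch {
    "root\SecurityCenter2 query failed: $($_.Exception.Message)"
}

# 3. WSC's own System-log events. ID 16 followed by ID 15 is the expected
#    re-register-then-report sequence; 18/19 come from wscsvc's own
#    initialization and ID 1 marks the service start.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'SecurityCenter' } `
             -MaxEvents 100 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in @(1, 15, 16, 18, 19) } |
    Sort-Object TimeCreated |
    Format-Table TimeCreated, Id, LevelDisplayName, Message -AutoSize -Wrap
```

Run it from an elevated PowerShell shortly after boot and again a few minutes later: an empty root\SecurityCenter2 result while Winmgmt is stopped points at the WMI dependency discussed above, while an empty result with both services running and no ID 15 event points at the provider registration itself.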
-
@Crunch you can generate such a log by following the steps here https://support.eset.com/en/kb6308-using-process-monitor-to-create-log-files#boot_logs
It seems that you are experiencing a very nasty issue: API calls are returning ERROR_DISK_OPERATION_FAILED, most probably due to a failure during initialization of the WSC service.
-
@Crunch Could you collect a new set of logs? Hopefully we can find a solution for those errors.
Edit: It would be great if you also provide a Process Monitor log from boot, stopped after the notifications start popping up. That could really help me with the investigation.
-
On 7/5/2021 at 4:56 AM, waluigiguatemala said:
Hello, how are you all? I would like to describe this problem. For days the NOD32 Antivirus has been updated to the latest version that is available; that should not have happened, because I did not want to install that version. What I did was uninstall that last version and reinstall the old version, which was version 8; the same thing happened, the latest version was reinstalled. I would like to ask what solution they give me, because I do not want to have a current version, as those versions are difficult for me to understand. I want to have the old version; I find it easy to use. This happened to me on Windows 10 64-bit.
@waluigiguatemala Does your issue with newer versions lie within Advanced Setup?
-
Do I understand it correctly that if Shadow Defender's Shadow Mode is not active, it does work correctly?
From the description of Shadow Mode it looks like it may prevent some things from being done correctly.
Quote: 'Shadow Mode' redirects each system change to a virtual environment with no change to your real environment.
-
16 hours ago, itman said:
As such, would they be recognized by ESET's offline dedicated uninstaller tool?
There were some things that it should recognize, but due to some other things missing it failed to detect them.
16 hours ago, Matto91 said: after removal I could install ESET once again, which means this topic may be closed
Glad to hear that. Either way, your logs helped us identify some places to improve in the Uninstaller.
-
Which version was installed?
Was MalwareBytes installed alongside ESET or afterwards?
According to the Windows event logs, MSI found multiple installations. These events are from around the same time.
Windows Installer installed the product. Product Name: ESET NOD32 Antivirus. Product Version: 4.0.68.0. Product Language: 1051. Manufacturer: ESET, spol s r. o.. Installation success or error status: 1603.
Windows Installer reconfigured the product. Product Name: ESET Security. Product Version: 11.2.49.0. Product Language: 1033. Manufacturer: ESET, spol. s r.o.. Reconfiguration success or error status: 1603.
-
@Prayer1 Which version of ESET product do you have installed?
Are you asking about postponing ESET updates to newest product version?
-
@SeriousHoax @itman are you having these issues with Security Center integration module 1029?
If so, please provide logs.
Topic: Long black screen duration before Windows login screen (in ESET Internet Security & ESET Smart Security Premium)
I had a similar issue on my personal laptop even without an ESET product installed. I can't remember the exact solution, but playing with the sign-in options in OS settings (disabling whatever is enabled, like auto sign-in after update) solved the issue for me.