Jump to content

Blue Screen of Death in ekbdflt.sys: ESET OPP Keyboard Filter


Recommended Posts

Hello,

I have been fighting constantly for the last 3 days with Blue Screens. 

Going through all of the dumps, I finally see the issue is ekbdflt.sys: ESET OPP Keyboard Filter

Has anyone had this issue? How can I disable the keyboard filter? What does it even do?

 

Thanks. Here are the dump files of the error:

 

https://www.sendspace.com/file/d74qi7

https://www.sendspace.com/file/fij2n4

https://www.sendspace.com/file/u40jrn

Link to comment
Share on other sites

  • ESET Moderators

Hello,

 

I checked the dumps and in 3 of 4 the HIDCLASS.SYS seems to be the culprit of the crash and ekbdflt.sys is not even in the stack.

Can you please enable full memory dumps and provide me with a full memory dump, after it crashes again so we can analyze it properly as minidumps often do not contain the necessary information to analyze the issue.

 

Regards, P.R.

can you please enable full memory dumps and provide me with a full memory dump, after it crashes again.

Link to comment
Share on other sites

Hi, I have received another BSOD, this time with complete dumps enabled.
 
This time, ekbdflt is still at the top of the stack. Here is the complete memory dump.
 
 
This happened as I was shutting down my computer. I reinstalled my keyboard software and drivers already, and ESET.  Is there any way to disable the keyboard service while you guys fix it? If not, my only temporary fix is to uninstall Eset until a fix can be found.
 
I ran MemTest and it didn't find any RAM errors.
 
Here's the stack (ekbdflt in bold)

 

ffffaa00`aec1b478 fffff802`b7b57629 : 00000000`0000000a 00000000`00000040 00000000`00000002 00000000`00000001 : nt!KeBugCheckEx
ffffaa00`aec1b480 fffff802`b7b55c07 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiBugCheckDispatch+0x69
ffffaa00`aec1b5c0 fffff802`b7bd56bd : fffff802`b7dbf280 00000000`00000000 00000000`00000000 fffff802`b7a64d1d : nt!KiPageFault+0x247
ffffaa00`aec1b750 fffff802`b7a75b69 : 00000000`00000000 ffffce8f`b1cb2040 ffffce8f`b16127e0 000000fd`2cf2b137 : nt!KiAcquireSpinLockInstrumented+0x55
ffffaa00`aec1b7a0 fffff802`0b3b71bf : ffffce8f`b1cb2040 00000000`00000000 ffffce8f`b0e1e010 fffff802`b7b8b110 : nt!KeAcquireSpinLockRaiseToDpc+0x39
ffffaa00`aec1b7d0 fffff802`b7a2a992 : ffffce8f`b1183010 00000000`00000000 ffffce8f`b0e1e000 fffff802`0b3b7150 : HIDCLASS!HidpCancelReadIrp+0x6f
ffffaa00`aec1b820 fffff802`0a10afbd : ffffce8f`b1cb2100 ffffce8f`a37481b0 ffffce8f`b0e1e010 ffffce8f`00000000 : nt!IoCancelIrp+0x6e
ffffaa00`aec1b860 fffff802`0a112085 : ffffffff`ffb3b4c0 ffffce8f`a37481b0 ffffaa00`aec1b929 ffffce8f`b1704590 : kbdhid!KbdHid_PnP+0x16d
ffffaa00`aec1b8d0 ffffffff`ffb3b4c0 : ffffce8f`a37481b0 ffffaa00`aec1b929 ffffce8f`b1704590 00000000`00000000 : ekbdflt+0x2085
Edited by p1r473
Link to comment
Share on other sites

Hi, no, I don't have any other anti keylogger currently enabled.

This started happening last week when I upgraded to the latest Eset smart security.

Is there a way to turn off the anti keylogger module? Maybe some change was made to it in the most recent version?

Edited by p1r473
Link to comment
Share on other sites

You could try to create a user HIPS rule to block its loading. Don't know if Eset would ignore the rule since its for one of its own driver. Before trying that, go into HIPS advanced setup and remove it from the "list of drivers always allowed to load" and see it that does the trick. You also might have to do both of these actions.

 

Don't be surprised that Eset's banking protection no longer works after doing the above.

Edited by itman
Link to comment
Share on other sites

There is also one other possibility for this issue.

 

If you had another security product installed previously and removed it prior to installing Eset, it may have had a kernel mode anti-keylogger driver associated with the product. That driver might not have been removed for some reason when you uninstalled the product. Two kernel mode anti-keylogger drivers would produce conflicts such as you are experiencing. 

 

I would also run an Eset repair or do an uninstall/reinstall to see if that corrects the issue.

Link to comment
Share on other sites

  • ESET Moderators

Hello,

 

I will let the dump check by devs, but again it is only a kernel minidump "Loading Dump File [*120916-12046-01.dmp] Mini Kernel Dump File: Only registers and stack trace are available"

 

Please enable complete memory dump as described here: hxxp://support.eset.com/kb3496/?locale=en_US(select option Complete memory dump) as we will probably need it for analysis.

System restart is required, after you capture a complete memory dump, you can disable the Banking and payment protection to prevent further BSODs.

 

Regards, P.R.

Link to comment
Share on other sites

Hello,

 

I will let the dump check by devs, but again it is only a kernel minidump "Loading Dump File [*120916-12046-01.dmp] Mini Kernel Dump File: Only registers and stack trace are available"

 

Please enable complete memory dump as described here: hxxp://support.eset.com/kb3496/?locale=en_US(select option Complete memory dump) as we will probably need it for analysis.

System restart is required, after you capture a complete memory dump, you can disable the Banking and payment protection to prevent further BSODs.

 

Regards, P.R.

Hi Peter, complete memory dump is enabled, but I guess I still pulled c:\windows\minidump\* instead of c:\windows\memory.dmp (which doesnt exist currently)

I will leave banking enabled, and attempt to get another BSOD, Hopefully it provides the full thing this time

 

I will post back when it BSODs again

Edited by p1r473
Link to comment
Share on other sites

  • ESET Moderators

Hello,

 

the full memory dump should be located directly in Windows root so C:\Windows\memory.dmp

 

O.K. please let us know, once you will have the complete dump.

The Dev responsible for the OPP told me that he did not find anything pointing on us in the minidump, so the complete may shed more light on it.

 

Regards, P.R.

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...