Blue Screen of Death in ekbdflt.sys: ESET OPP Keyboard Filter


Hello,

I have been fighting constantly for the last 3 days with Blue Screens. 

Going through all of the dumps, I finally see the issue is ekbdflt.sys: ESET OPP Keyboard Filter

Has anyone had this issue? How can I disable the keyboard filter? What does it even do?

 

Thanks. Here are the dump files of the error:

 

https://www.sendspace.com/file/d74qi7

https://www.sendspace.com/file/fij2n4

https://www.sendspace.com/file/u40jrn


  • ESET Moderators

Hello,

 

I checked the dumps and in 3 of 4 the HIDCLASS.SYS seems to be the culprit of the crash and ekbdflt.sys is not even in the stack.

Can you please enable full memory dumps and provide me with a full memory dump after it crashes again, so we can analyze it properly? Minidumps often do not contain the necessary information to analyze the issue.

 

Regards, P.R.


Hi, I have received another BSOD, this time with complete dumps enabled.
 
This time, ekbdflt is still at the top of the stack. Here is the complete memory dump.
 
 
This happened as I was shutting down my computer. I reinstalled my keyboard software and drivers already, and ESET.  Is there any way to disable the keyboard service while you guys fix it? If not, my only temporary fix is to uninstall Eset until a fix can be found.
 
I ran MemTest and it didn't find any RAM errors.
 
Here's the stack (ekbdflt in bold)

 

ffffaa00`aec1b478 fffff802`b7b57629 : 00000000`0000000a 00000000`00000040 00000000`00000002 00000000`00000001 : nt!KeBugCheckEx
ffffaa00`aec1b480 fffff802`b7b55c07 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiBugCheckDispatch+0x69
ffffaa00`aec1b5c0 fffff802`b7bd56bd : fffff802`b7dbf280 00000000`00000000 00000000`00000000 fffff802`b7a64d1d : nt!KiPageFault+0x247
ffffaa00`aec1b750 fffff802`b7a75b69 : 00000000`00000000 ffffce8f`b1cb2040 ffffce8f`b16127e0 000000fd`2cf2b137 : nt!KiAcquireSpinLockInstrumented+0x55
ffffaa00`aec1b7a0 fffff802`0b3b71bf : ffffce8f`b1cb2040 00000000`00000000 ffffce8f`b0e1e010 fffff802`b7b8b110 : nt!KeAcquireSpinLockRaiseToDpc+0x39
ffffaa00`aec1b7d0 fffff802`b7a2a992 : ffffce8f`b1183010 00000000`00000000 ffffce8f`b0e1e000 fffff802`0b3b7150 : HIDCLASS!HidpCancelReadIrp+0x6f
ffffaa00`aec1b820 fffff802`0a10afbd : ffffce8f`b1cb2100 ffffce8f`a37481b0 ffffce8f`b0e1e010 ffffce8f`00000000 : nt!IoCancelIrp+0x6e
ffffaa00`aec1b860 fffff802`0a112085 : ffffffff`ffb3b4c0 ffffce8f`a37481b0 ffffaa00`aec1b929 ffffce8f`b1704590 : kbdhid!KbdHid_PnP+0x16d
ffffaa00`aec1b8d0 ffffffff`ffb3b4c0 : ffffce8f`a37481b0 ffffaa00`aec1b929 ffffce8f`b1704590 00000000`00000000 : ekbdflt+0x2085
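An added example (not part of the original thread, and not ESET's tooling): a short Python parser for the stack trace posted above that lists frames newest-first, reports the first frame outside the kernel image and flags frames that resolved without symbols. Treating the first four argument slots of the KeBugCheckEx frame as the stop code and its parameters is an assumption; on x64 those slots are not guaranteed to hold the real arguments.

```python
import re

# Frames copied from the post above; the first line is the newest call.
STACK = """
ffffaa00`aec1b478 fffff802`b7b57629 : 00000000`0000000a 00000000`00000040 00000000`00000002 00000000`00000001 : nt!KeBugCheckEx
ffffaa00`aec1b480 fffff802`b7b55c07 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiBugCheckDispatch+0x69
ffffaa00`aec1b5c0 fffff802`b7bd56bd : fffff802`b7dbf280 00000000`00000000 00000000`00000000 fffff802`b7a64d1d : nt!KiPageFault+0x247
ffffaa00`aec1b750 fffff802`b7a75b69 : 00000000`00000000 ffffce8f`b1cb2040 ffffce8f`b16127e0 000000fd`2cf2b137 : nt!KiAcquireSpinLockInstrumented+0x55
ffffaa00`aec1b7a0 fffff802`0b3b71bf : ffffce8f`b1cb2040 00000000`00000000 ffffce8f`b0e1e010 fffff802`b7b8b110 : nt!KeAcquireSpinLockRaiseToDpc+0x39
ffffaa00`aec1b7d0 fffff802`b7a2a992 : ffffce8f`b1183010 00000000`00000000 ffffce8f`b0e1e000 fffff802`0b3b7150 : HIDCLASS!HidpCancelReadIrp+0x6f
ffffaa00`aec1b820 fffff802`0a10afbd : ffffce8f`b1cb2100 ffffce8f`a37481b0 ffffce8f`b0e1e010 ffffce8f`00000000 : nt!IoCancelIrp+0x6e
ffffaa00`aec1b860 fffff802`0a112085 : ffffffff`ffb3b4c0 ffffce8f`a37481b0 ffffaa00`aec1b929 ffffce8f`b1704590 : kbdhid!KbdHid_PnP+0x16d
ffffaa00`aec1b8d0 ffffffff`ffb3b4c0 : ffffce8f`a37481b0 ffffaa00`aec1b929 ffffce8f`b1704590 00000000`00000000 : ekbdflt+0x2085
"""

FRAME = re.compile(
    r"^(?P<sp>[0-9a-f`]+) (?P<ret>[0-9a-f`]+) : (?P<args>[0-9a-f` ]+) : "
    r"(?P<module>[^!+\s]+)(?:!(?P<symbol>[^+\s]+))?(?:\+0x(?P<off>[0-9a-f]+))?$"
)

def parse_stack(text):
    """Return frames newest-first as dicts (module, symbol, off, args, ...)."""
    frames = []
    for line in text.strip().splitlines():
        m = FRAME.match(line.strip())
        if m:
            f = m.groupdict()
            f["args"] = [int(a.replace("`", ""), 16) for a in f["args"].split()]
            frames.append(f)
    return frames

def bugcheck(frames):
    """Assumption: KeBugCheckEx's argument slots hold stop code and params 1-3."""
    top = frames[0]
    if top["symbol"] != "KeBugCheckEx":
        return None
    code, p1, p2, p3 = top["args"]
    return {"code": code, "p1": p1, "p2": p2, "p3": p3}

def triage(frames, os_modules=("nt",)):
    """First frame outside the kernel image, and modules lacking symbols."""
    first_driver = next((f for f in frames if f["module"] not in os_modules), None)
    unsymbolized = [f["module"] for f in frames if f["symbol"] is None]
    return first_driver, unsymbolized

if __name__ == "__main__":
    frames = parse_stack(STACK)
    print(bugcheck(frames), triage(frames))
```

A frame that shows only `module+offset` resolved without symbols, so its position in the call chain is less reliable than the symbolized frames around it.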

Hi, no, I don't have any other anti-keylogger currently enabled.

This started happening last week when I upgraded to the latest ESET Smart Security.

Is there a way to turn off the anti-keylogger module? Maybe some change was made to it in the most recent version?


You could try to create a user HIPS rule to block its loading. Don't know if Eset would ignore the rule since it's for one of its own drivers. Before trying that, go into HIPS advanced setup and remove it from the "list of drivers always allowed to load" and see if that does the trick. You also might have to do both of these actions.

 

Don't be surprised that Eset's banking protection no longer works after doing the above.


There is also one other possibility for this issue.

 

If you had another security product installed previously and removed it prior to installing Eset, it may have had a kernel mode anti-keylogger driver associated with the product. That driver might not have been removed for some reason when you uninstalled the product. Two kernel mode anti-keylogger drivers would produce conflicts such as you are experiencing. 

 

I would also run an Eset repair or do an uninstall/reinstall to see if that corrects the issue.


  • ESET Moderators

Hello,

 

I will have the dump checked by the devs, but again it is only a kernel minidump: "Loading Dump File [*120916-12046-01.dmp] Mini Kernel Dump File: Only registers and stack trace are available".

 

Please enable complete memory dump as described here: hxxp://support.eset.com/kb3496/?locale=en_US (select option Complete memory dump), as we will probably need it for analysis.

A system restart is required. After you capture a complete memory dump, you can disable the Banking and payment protection to prevent further BSODs.

 

Regards, P.R.


Hi Peter, complete memory dump is enabled, but I guess I still pulled c:\windows\minidump\* instead of c:\windows\memory.dmp (which doesn't exist currently).

I will leave banking enabled and attempt to get another BSOD. Hopefully it provides the full thing this time.

 

I will post back when it BSODs again


  • ESET Moderators

Hello,

 

The full memory dump should be located directly in the Windows root, so C:\Windows\memory.dmp

 

O.K., please let us know once you have the complete dump.

The Dev responsible for the OPP told me that he did not find anything pointing to us in the minidump, so the complete dump may shed more light on it.

 

Regards, P.R.

This topic is now closed to further replies.