A-VT

AppData\Local\Temp\ehdrv.sys failed to load


Hello!

I've seen several topics regarding this error in the Windows Event System Log, but none of them provided a definite solution for what has to be done to eliminate these errors. So I thought about starting a new one.

This message about ehdrv.sys appears in the logs every time I run ESET Online Scanner. Similarly, if I don't run ESET Online Scanner, I never observe these records in the System log.

It seems this error doesn't directly affect the ability to scan the local disk, and the tool even finds some undesired software. Still, the fact that it's been reported for quite a while and I'm not the only person who noticed it raises additional uncertainty.

In my case it is observed on a fresh, recently installed Windows 10 Pro 1909 18363.836 with all the latest updates and available patches. No other antivirus is installed except for the native Windows Defender. But I have to mention that the logs of Windows Defender do not contain any records related to ehdrv.sys or ESET in general.

The file ehdrv.sys itself is present in that location and looks valid. It can be read with an ordinary user account.

So I have a couple of questions.

1. Is this a critical issue that this file cannot be loaded? Does it affect quality or speed of scanning?

2. Is there a well-known way to eliminate this error for ESET Online Scanner?

3. How can I help collecting information needed to address this issue?

 


More details.

I have disabled everything in Windows Defender:

  • Real-time protection
  • Tamper Protection
  • Memory integrity

And still the same errors are reported to Windows Event System Log.

The file ehdrv.sys exists indeed in the mentioned folder and is readable as normal user.

SHA1: 8C244899A2082C28B24E7B0DA41904B8663B5A8B

 

Logs in AppData\Local\Temp\log.txt don't show problems either.


The driver is necessary for detection of active rootkits. We do not know the cause of the error, something is preventing the driver from being loaded.

Since the Online Scanner cannot actively protect you from malware and provides only an on-demand scan, it may already be too late when you run it, since there's a lot of malware which removes itself after the damage has been done and any subsequent scan cannot detect the malware any more.

21 hours ago, A-VT said:

This message about ehdrv.sys appears in the logs every time I run ESET Online Scanner. Similarily, if I don't run ESET Online Scanner, I never observe these records in the System log.

I assume you are referring to Win Event Logs? If so, there are multiple Log files. Post a screen shot with as much detail as possible from the respective Event log entry.


Yes indeed! Mind if I start with their XML representation? They should contain all the details.

 

<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
    <EventID Qualifiers="16384">7045</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2020-05-26T16:56:46.965534500Z" />
    <EventRecordID>2049</EventRecordID>
    <Correlation />
    <Execution ProcessID="724" ThreadID="4424" />
    <Channel>System</Channel>
    <Computer>T-DESK</Computer>
    <Security UserID="S-1-5-21-1604541895-5678912345-4567891234-1001" />
  </System>
  <EventData>
    <Data Name="ServiceName">eapihdrv</Data>
    <Data Name="ImagePath">C:\Users\t-user\AppData\Local\Temp\ehdrv.sys</Data>
    <Data Name="ServiceType">kernel mode driver</Data>
    <Data Name="StartType">demand start</Data>
    <Data Name="AccountName">
    </Data>
  </EventData>
</Event>
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event"> 
<System> 
<Provider Name="Application Popup" Guid="{47bfa2b7-bd54-4fac-b70b-29021084ca8f}" EventSourceName="Application Popup" /> 
<EventID Qualifiers="16384">26</EventID> 
<Version>0</Version> 
<Level>4</Level> 
<Task>0</Task> 
<Opcode>0</Opcode> 
<Keywords>0x80000000000000</Keywords> 
<TimeCreated SystemTime="2020-05-26T16:56:46.965534500Z" /> 
<EventRecordID>2050</EventRecordID> 
<Correlation /> 
<Execution ProcessID="4" ThreadID="6812" /> 
<Channel>System</Channel> 
<Computer>T-DESK</Computer> 
<Security /> 
</System> 
<EventData> 
<Data /> 
<Data>\??\C:\Users\t-user\AppData\Local\Temp\ehdrv.sys failed to load</Data> 
<Binary>0000000002003000000000001A000040300100C06C0200C000000000000000000000000000000000</Binary> 
</EventData> 
</Event>
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
<System>
  <Provider Name="Application Popup" Guid="{47bfa2b7-bd54-4fac-b70b-29021084ca8f}" EventSourceName="Application Popup" /> 
  <EventID Qualifiers="49152">1060</EventID> 
  <Version>0</Version> 
  <Level>2</Level> 
  <Task>0</Task> 
  <Opcode>0</Opcode> 
  <Keywords>0x80000000000000</Keywords> 
  <TimeCreated SystemTime="2020-05-26T16:56:46.965534500Z" /> 
  <EventRecordID>2051</EventRecordID> 
  <Correlation /> 
  <Execution ProcessID="4" ThreadID="6812" /> 
  <Channel>System</Channel> 
  <Computer>T-DESK</Computer> 
  <Security /> 
</System>
<EventData>
  <Data /> 
  <Data>\??\C:\Users\t-user\AppData\Local\Temp\ehdrv.sys</Data> 
  <Binary>000000000200300000000000240400C0000000006B0300C000000000000000000000000000000000</Binary> 
</EventData>
</Event>
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
<System>
  <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" /> 
  <EventID Qualifiers="16384">7045</EventID> 
  <Version>0</Version> 
  <Level>4</Level> 
  <Task>0</Task> 
  <Opcode>0</Opcode> 
  <Keywords>0x8080000000000000</Keywords> 
  <TimeCreated SystemTime="2020-05-26T16:56:46.981173700Z" /> 
  <EventRecordID>2053</EventRecordID> 
  <Correlation /> 
  <Execution ProcessID="724" ThreadID="4424" /> 
  <Channel>System</Channel> 
  <Computer>T-DESK</Computer> 
  <Security UserID="S-1-5-21-1604541895-5678912345-4567891234-1001" /> 
  </System>
<EventData>
  <Data Name="ServiceName">eapihdrv</Data> 
  <Data Name="ImagePath">C:\Users\t-user\AppData\Local\Temp\ehdrv.sys</Data> 
  <Data Name="ServiceType">kernel mode driver</Data> 
  <Data Name="StartType">demand start</Data> 
  <Data Name="AccountName" /> 
</EventData>
</Event>
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
<System>
  <Provider Name="Application Popup" Guid="{47bfa2b7-bd54-4fac-b70b-29021084ca8f}" EventSourceName="Application Popup" /> 
  <EventID Qualifiers="16384">26</EventID> 
  <Version>0</Version> 
  <Level>4</Level> 
  <Task>0</Task> 
  <Opcode>0</Opcode> 
  <Keywords>0x80000000000000</Keywords> 
  <TimeCreated SystemTime="2020-05-26T16:56:46.996807000Z" /> 
  <EventRecordID>2054</EventRecordID> 
  <Correlation /> 
  <Execution ProcessID="4" ThreadID="6460" /> 
  <Channel>System</Channel> 
  <Computer>T-DESK</Computer> 
  <Security /> 
</System>
<EventData>
  <Data /> 
  <Data>\??\C:\Users\t-user\AppData\Local\Temp\ehdrv.sys failed to load</Data> 
  <Binary>0000000002003000000000001A000040300100C06C0200C000000000000000000000000000000000</Binary> 
</EventData>
</Event>
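Added example, not code from the original post, from ESET or from Microsoft: a Python script that does with these entries what a responder would do with any System-log export. It pairs each Service Control Manager 7045 that registers a kernel-mode driver with the Application Popup 26/1060 records that follow for the same image, flags an ImagePath outside System32\drivers (a user-writable %TEMP% here, which is also the pattern a driver-drop detection rule keys on, benign though this instance is), and pulls the NTSTATUS values out of the Binary field. The embedded sample is a constructed, trimmed copy of the first three events above; the NTSTATUS names in the lookup table are as I read them from ntstatus.h in the Windows SDK and are an assumption to check against your own copy; everything else is standard library.

```python
"""Added example (not ESET's or Microsoft's code): pair Service Control Manager
7045 events that register a kernel-mode driver with the Application Popup 26/1060
"failed to load" records that follow, and decode the NTSTATUS values in Binary."""
import struct
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Names as read from ntstatus.h in the Windows SDK; an assumption to confirm
# against your own SDK copy. Unlisted codes are still reported by value.
NTSTATUS_NAMES = {0xC000026C: "STATUS_DRIVER_UNABLE_TO_LOAD",
                  0xC000036B: "STATUS_DRIVER_BLOCKED_CRITICAL",
                  0xC0000424: "STATUS_INCOMPATIBLE_DRIVER_BLOCKED"}

# Constructed sample: the first three events posted above, trimmed to the fields used.
SAMPLE_XML = r"""
<Event><System><Provider Name="Service Control Manager"/><EventID>7045</EventID>
<EventRecordID>2049</EventRecordID></System><EventData>
<Data Name="ServiceName">eapihdrv</Data><Data Name="ServiceType">kernel mode driver</Data>
<Data Name="ImagePath">C:\Users\t-user\AppData\Local\Temp\ehdrv.sys</Data></EventData></Event>
<Event><System><Provider Name="Application Popup"/><EventID>26</EventID>
<EventRecordID>2050</EventRecordID></System><EventData><Data/>
<Data>\??\C:\Users\t-user\AppData\Local\Temp\ehdrv.sys failed to load</Data>
<Binary>0000000002003000000000001A000040300100C06C0200C000000000000000000000000000000000</Binary>
</EventData></Event>
<Event><System><Provider Name="Application Popup"/><EventID>1060</EventID>
<EventRecordID>2051</EventRecordID></System><EventData><Data/>
<Data>\??\C:\Users\t-user\AppData\Local\Temp\ehdrv.sys</Data>
<Binary>000000000200300000000000240400C0000000006B0300C000000000000000000000000000000000</Binary>
</EventData></Event>
"""


def parse_events(xml_text):
    """Wrap the pasted <Event> elements in one namespaced root and flatten each."""
    root = ET.fromstring('<Events xmlns="%s">%s</Events>' % (NS[1:-1], xml_text))
    events = []
    for ev in root.iter(NS + "Event"):
        sysn, data = ev.find(NS + "System"), ev.find(NS + "EventData")
        rec = {"record_id": int(sysn.findtext(NS + "EventRecordID")),
               "provider": sysn.find(NS + "Provider").get("Name"),
               "event_id": int(sysn.findtext(NS + "EventID")),
               "named": {}, "text": [],
               "binary": (data.findtext(NS + "Binary") or "").strip()}
        for d in data.findall(NS + "Data"):
            value = (d.text or "").strip()
            if d.get("Name"):
                rec["named"][d.get("Name")] = value
            elif value:
                rec["text"].append(value)
        events.append(rec)
    return events


def ntstatus_codes(binary_hex):
    """Little-endian DWORDs of the Binary blob with top bits 11 (NTSTATUS error
    severity); the rest of the blob layout is deliberately left undecoded."""
    raw = bytes.fromhex(binary_hex)
    n = len(raw) // 4
    return [d for d in struct.unpack("<%dI" % n, raw[:n * 4]) if d >> 30 == 3]


def describe(code):
    """Name the status if listed, otherwise expose its facility and code fields."""
    fallback = "facility 0x%03X code 0x%04X" % ((code >> 16) & 0xFFF, code & 0xFFFF)
    return "0x%08X %s" % (code, NTSTATUS_NAMES.get(code, fallback))


def norm_path(p):
    """Strip the NT object-manager prefix and fold case so both providers match."""
    return p.lower().replace("\\??\\", "")


def correlate(events):
    """Walk events in record order: each 7045 registering a kernel-mode driver opens
    a finding (flagged when the image is not under System32\\drivers); later 26/1060
    entries naming the same image are attached to the most recent such finding."""
    findings, open_by_path = [], {}
    for ev in sorted(events, key=lambda e: e["record_id"]):
        if (ev["provider"] == "Service Control Manager" and ev["event_id"] == 7045
                and ev["named"].get("ServiceType") == "kernel mode driver"):
            path = ev["named"].get("ImagePath", "")
            findings.append({"record_id": ev["record_id"], "image_path": path,
                             "service": ev["named"].get("ServiceName"),
                             "outside_drivers_dir": "\\windows\\system32\\drivers\\"
                             not in norm_path(path),
                             "failures": []})
            open_by_path[norm_path(path)] = len(findings) - 1
        elif ev["provider"] == "Application Popup" and ev["event_id"] in (26, 1060):
            text = " ".join(norm_path(t) for t in ev["text"])
            for path, idx in open_by_path.items():
                if path and path in text:
                    codes = ntstatus_codes(ev["binary"])
                    findings[idx]["failures"].append(
                        {"record_id": ev["record_id"], "event_id": ev["event_id"],
                         "codes": codes, "status": [describe(c) for c in codes]})
    return findings


if __name__ == "__main__":
    for f in correlate(parse_events(SAMPLE_XML)):
        print("7045 #%d %s -> %s (outside drivers dir: %s)" % (
            f["record_id"], f["service"], f["image_path"], f["outside_drivers_dir"]))
        for x in f["failures"]:
            print("  %4d #%d: %s" % (x["event_id"], x["record_id"], "; ".join(x["status"])))
```

Run directly, it prints the finding for record 2049 with its two failures; on the sample the 26 record carries 0xC000026C and the 1060 record carries 0xC0000424 and 0xC000036B, with the other error-class DWORD in each blob reported by value only. Paste the full XML view of a System log export in place of the sample and every 7045 for a kernel-mode driver gets the same treatment, which also covers the second 7045/26 pair in the post above.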
1 hour ago, A-VT said:

Yes indeed! Mind if I start with their XML representation? They should contain all the details.

Eset ehdrv.sys is Eset's Helper driver.

The Event log entry is being generated due to Win driver protection which will prevent a kernel mode driver from loading from any directory other than C:\Windows\System32\Drivers directory. I assume this is just some residual code from Eset installed product that was inadvertently left in the Online Scanner version. I would just ignore the Win Event log entries related to it.


Thanks! Does it make sense to copy file ehdrv.sys to C:\Windows\System32\Drivers and keep it there? Will this work?

13 hours ago, A-VT said:

Thanks! Does it make sense to copy file ehdrv.sys to C:\Windows\System32\Drivers and keep it there? Will this work?

No.


Thanks for such succinct response. ;)

Can you maybe share any insights on how this driver is used? Does this error mean that none of the rootkits are detected by ESET Online Scanner?


To my best knowledge the driver is required to detect active rootkits.

2 hours ago, A-VT said:

Thanks for such succinct response. ;)

Can you maybe share any insights on how this driver is used? Does this error mean that none of rootkit are detected by ESET Online Scanner&

Eset is very "tight lipped" about what its drivers are used for; just like about almost all of their internal protection mechanisms.

My prior testing with Eset yielded that the Eset helper driver is a component of their real-time scanning protection. Its primary purpose is to inject an Eset .dll into select processes when suspect malware activity is detected. This processing is also infrequently invoked and requires continuous monitoring by the Eset real-time protection component. Since Eset Online Scanner is off-line scanning for malware primarily via signature means, real-time components that would deploy this driver are never invoked. Finally, Eset's newer real-time deep behavior inspection and advanced machine learning components have superseded the need for .dll injection monitoring.

As far as rootkit detection goes, they are somewhat of a moot point on Win x(64) based systems due to its built-in kernel patch protection. Additionally, most rootkits manifest at system startup time. Therefore, Eset Online Scanner won't detect this activity unless the malware creator was careless enough to place the rootkit in a disk or memory area readily accessed by both the OS and Eset, and Eset has an existing signature for the rootkit.

My advice is to purchase a paid license for either NOD32 or Internet Security, which will fully deploy all Eset protection mechanisms.


Fantastic explanation, thank you!


I guess I should add that if a rootkit is suspected, the best way of "rooting" them out is to perform a scan with one of the AVs' bootable media scanners such as the Eset SysRescue scanner. This is because most use a Linux release, which allows scanning of directories and files locked from scanning by the Win OS.
