
Event ID 5 Kernel-General error in Windows 10 Event Viewer



On a cleanly installed (not upgraded from a previous install) Windows 10 Pro (64-bit) with Malwarebytes Pro I am seeing this error:

Event ID: 5  {Registry Hive Recovered} Registry hive (file): '\??\C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\S-1-5-21-3788415297-386881794-3068972913-1001-0-ntuser.dat' was corrupted and it has been recovered. Some data might have been lost.

This error coincides daily with the MBAM scheduled scan times.  

A search of the internet and this forum provided limited information on the error, one of which was uninstalling and reinstalling Malwarebytes Anti-Malware. I accomplished that using the Malwarebytes Clean Uninstall Tool but the issue persists.

I have completed a system integrity check and CHKDSK without errors.  

Any assistance appreciated.


Hello and welcome, @M1ke

I'm not sure of the significance of those errors.

We will need to wait for a developer, QA team member or other staff member to weigh in.

Until then, it would help to see a bit more information about both your MBAM installation and the system as a whole.

I suggest that you please follow the advice here: Diagnostic Logs
Then, please ATTACH all 3 logs to your next reply.
The 3 logs are: FRST.txt, Addition.txt and CheckResults.txt

Additional data, such as a log from VEW or a similar utility may be needed.  But those 3 preliminary logs will be a good start.

Thanks,


  • Root Admin

Hello @M1ke

Difficult to say for sure what caused it without more analysis. We open the .dat files (user profile hives) to scan for malware. Either in opening or closing the file there was some type of error. We'll go through a few things and see if we can either find or correct the issue.

A few things.

I notice in the logs that someone has installed settings in the hosts file designed to bypass or pirate at least Adobe software. As we do not condone piracy I'd like to ask you to please remove those settings so that we can continue on here and see what's up.

Also, just a quick cursory note. It looks like you're running what appears to be VPN software through a compatibility setting. I would highly recommend that you do not run it in compatibility mode unless it just will not run. If you want you can modify the shortcut and on the Advanced set that to "Run as administrator" but when setting compatibility mode that can affect other underlying event driving operations on the computer that don't normally need to be set.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\appCompatFlags\Layers
    C:\Program Files\pia_manager\pia_manager.exe   REG_SZ        RUNASADMIN
    E:\Applications\Portable Apps\DirectoryMonitor2_Portable\DirectoryMonitor.exe  REG_SZ        ~ RUNASADMIN

In theory they should not be affecting MBAM, but just not a good practice to run things in compatibility mode unless you really have to.

Also note that this setting could potentially be quite dangerous as well. Basically, it means any files, infected or not, that you've downloaded here, we will not scan. If some file from uTorrent kicked off a file encryption Trojan, you could potentially lose all your data permanently. I'd really suggest not excluding. You don't have to set it to automatic removal, but at least leave it as a scanned area, that way if something were there we could at least alert you, and then you could make up your own mind if it was a risk you're willing to take by keeping the file or not.

Malware Exclusions:
===================
Category: Folder, Exclusion: D:\uTorrent Downloads\_Complete\Apps
Category: Folder, Exclusion: E:\Applications

 

You also have at least one or more unsigned drivers. On Windows 10 you really should not be running unsigned drivers from any manufacturer if possible.

Again, not sure who put the settings on this computer, but if you can please review your hosts file and clean it up and any other items that might indicate piracy I'd greatly appreciate it so that we can proceed to see what's causing this issue.

Piracy Policy


Thanks

Ron
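
The compatibility-layer entries quoted in the reply above can be listed on any machine with the following added example, which is not part of the original thread and is not Malwarebytes tooling. It reads the same `AppCompatFlags\Layers` key from the per-user hive and, as an assumption beyond what the post shows, the machine-wide hive as well. The function name `Get-CompatLayerEntry` is hypothetical.

```powershell
# Added example: list per-executable compatibility layers and flag forced elevation.
# The HKCU path is the one quoted in the thread; the HKLM path is an assumed extra location.
$layerKeys = @(
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
)

function Get-CompatLayerEntry {
    param([string[]]$KeyPath = $layerKeys)

    foreach ($path in $KeyPath) {
        # The key does not exist when no compatibility layer has ever been set.
        $key = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        if (-not $key) { continue }

        foreach ($exe in $key.GetValueNames()) {
            if ([string]::IsNullOrEmpty($exe)) { continue }   # skip the (Default) value

            # Value data is a space-separated flag list, e.g. "~ RUNASADMIN".
            # The leading "~" is a marker, not a layer, so it is dropped.
            $flags = ([string]$key.GetValue($exe)) -split '\s+' |
                Where-Object { $_ -and $_ -ne '~' }

            # Portable apps on removable drives may be absent at audit time.
            $exists = Test-Path -LiteralPath $exe -PathType Leaf
            $sig = if ($exists) {
                (Get-AuthenticodeSignature -LiteralPath $exe).Status
            } else {
                'FileMissing'
            }

            [pscustomobject]@{
                Hive       = $path.Substring(0, 4)            # HKCU or HKLM
                Executable = $exe
                Flags      = $flags -join ','
                Elevated   = $flags -contains 'RUNASADMIN'
                Signature  = $sig
            }
        }
    }
}

# Entries that force elevation sort first so they are reviewed first.
Get-CompatLayerEntry | Sort-Object -Property Elevated -Descending | Format-Table -AutoSize
```

An entry with `Elevated` set to True and a `Signature` other than `Valid` is the combination most worth reviewing, since that binary runs with administrator rights every time it starts.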

 

 

 


This topic is now closed to further replies.