
Hi all,

Just reinstalled Windows 10, and have had several BSOD (Blue Screens, or Bugchecks). Am running Windows 10 1709 (Fall 2017 feature update). All blue screens have shown that within a second of farflt.sys being installed (kernel mode driver), which appears to be a Malwarebytes driver component, I get a system crash (BSOD). Am running Malwarebytes Premium Version 3.3.1.2183.

Analysis of 2 of the 3 BSODs (one failed to write the dump to disk) gives memory management errors, but I already tested my memory over 3 days using memtest86, and tested 2 different slots and 3 different sticks of RAM, and after 19 passes on one 4GB stick and 8 passes on 2x8GB sticks, all came back with no errors. Plus, the BSODs all occurred immediately (within 1 second) of farflt.sys being installed, which suggests to me that this component is at fault. I also suspect that this driver is not installing properly due to the BSODs, hence the reason why it keeps trying.

Any help on this? I read in another thread to disable ransomware protection, but I thought I'd ask for advice and/or have this reported to see if we can get a fix for it.

Thanks - Justin


  • Staff

Hi @jsljustin - Can you upload the memory dumps to a file share site such as WeTransfer and provide the link to download? If you prefer, send the link to me via Private Message.

I'd like to be able to provide these to our developers for analysis.

In addition, can you provide the logs from the analysis tools detailed in this post?

 

Thank you!


Hi tetonbob,

I got the crashes before I even had a chance to go over all the Windows 10 settings, so the Windows 10 default was in place (automatic memory dumps). Also, one BSOD failed to write the memory dump (volmgr failure due to whatever reason).

I've attached the mb-check-results.zip file after following the instructions per your link above.

I will get a dump file to you as soon as I can, note that it is a minidump, not a full kernel dump, due to the settings in windows 10 being at their defaults.

Note that an examination of the dump file is not all the evidence. Careful examination of event viewer has shown me that two of the BSOD occurred immediately after the farflt.sys driver was registered in event viewer as installed (within 1 second a bugcheck error was generated in event viewer).

Thanks.

mb-check-results.zip


Hi tetonbob,

I've attached the event viewer log for you. Note that it is the event viewer log for Windows > System, this is the log that is relevant and shows the bugcheck events.

I tried setting the memory dump settings to a full dump, but it requires me to set my pagefile to 16GB which is not the recommended value. I have the pagefile set to the recommended settings for the reason that setting it to 16GB (Automatic management) causes a well known issue where the CPU can run at 99% continuously.

I will post back shortly with the minidump file, see how you go with that. If only absolutely necessary, I can set the pagefile to 16GB and set the dumps to a full memory dump. As for reproducing the problem, that might be tricky. The BSOD occurred twice today so far, only on booting into windows, but it doesn't do it every time.

Thanks.

JustinL_EventLog.zip

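An added example, not part of this thread and not Malwarebytes tooling: a PowerShell function that does the Event Viewer correlation discussed above against the Windows > System log, pairing each BugCheck record (event ID 1001, provider Microsoft-Windows-WER-SystemErrorReporting) with the "service was installed" records (event ID 7045, Service Control Manager) that precede it. One point worth building into the script: WER writes the 1001 record during the boot that follows the crash, so the record's own timestamp is not the crash time; the script therefore also locates the preceding boot marker (Kernel-General event ID 12) and reports installs before the estimated crash separately from installs that merely sit before the 1001 record. The event IDs and provider names are Windows' own; the window size, the 5-second guard and the function name are choices made for this example.

```powershell
# Added example, not from the thread or from Malwarebytes.
# Reads the System log once and, for each BugCheck 1001 record, reports which
# 7045 "service installed" records fall in a window before the crash and which
# fall just before the 1001 record itself (i.e. in the NEW boot session).
function Get-BugcheckContext {
    param(
        [int]$WindowSeconds = 30,    # look-back window for 7045 records
        [int]$MaxEvents     = 20000  # newest System-log records to scan
    )
    $events = Get-WinEvent -LogName System -MaxEvents $MaxEvents | Sort-Object TimeCreated

    $bugchecks = @($events | Where-Object { $_.Id -eq 1001 -and $_.ProviderName -eq 'Microsoft-Windows-WER-SystemErrorReporting' })
    $boots     = @($events | Where-Object { $_.Id -eq 12   -and $_.ProviderName -eq 'Microsoft-Windows-Kernel-General' })
    $installs  = @($events | Where-Object { $_.Id -eq 7045 -and $_.ProviderName -eq 'Service Control Manager' })

    # "HH:mm:ss ServiceName" for a 7045 record; EventData field 0 of 7045 is ServiceName.
    $fmt = { param($e) '{0:HH:mm:ss} {1}' -f $e.TimeCreated, $e.Properties[0].Value }

    foreach ($bc in $bugchecks) {
        # 1001 is written during the boot that FOLLOWS the crash. Find that boot
        # (Kernel-General 12, "The operating system started at ..."), then take the
        # last record written before it, with a 5-second guard so early-boot records
        # sharing the boot second are not mistaken for pre-crash ones.
        $boot = $boots | Where-Object { $_.TimeCreated -le $bc.TimeCreated } | Select-Object -Last 1
        $crashTime = $null
        if ($boot) {
            $guard   = $boot.TimeCreated.AddSeconds(-5)
            $lastRec = $events | Where-Object { $_.TimeCreated -lt $guard } | Select-Object -Last 1
            if ($lastRec) { $crashTime = $lastRec.TimeCreated }
        }

        $beforeCrash = @()
        if ($crashTime) {
            $beforeCrash = $installs | Where-Object {
                $_.TimeCreated -le $crashTime -and $_.TimeCreated -ge $crashTime.AddSeconds(-$WindowSeconds)
            }
        }
        # 7045 records immediately before the 1001 record belong to the new session
        # (products re-registering their drivers at startup); they cannot have caused
        # the crash that the 1001 record describes.
        $beforeRecord = $installs | Where-Object {
            $_.TimeCreated -le $bc.TimeCreated -and $_.TimeCreated -ge $bc.TimeCreated.AddSeconds(-$WindowSeconds)
        }

        [pscustomobject]@{
            BugcheckRecordLogged   = $bc.TimeCreated
            Bugcheck               = $bc.Properties[0].Value   # e.g. "0x0000001a (0x..., 0x..., 0x..., 0x...)"
            EstimatedCrashTime     = $crashTime
            InstallsBeforeCrash    = @($beforeCrash  | ForEach-Object { & $fmt $_ })
            InstallsBefore1001Only = @($beforeRecord | ForEach-Object { & $fmt $_ })
        }
    }
}

# Usage:
# Get-BugcheckContext -WindowSeconds 10 | Format-List
```

If a driver shows up only in InstallsBefore1001Only, it was registered after the reboot, next to the record of the earlier crash, and the timing is an artifact of how WER logs bugchecks rather than evidence about the crash itself. A driver that appears in InstallsBeforeCrash is the one worth chasing in the dump.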

Hi again tetonbob,

please find attached a minidump file for (I think) the first of the two BSOD that seemed to be caused by farflt.sys. It does point to memory (memory management) as the cause, but looking at parameter 1 suggests "a corrupt PTE has been detected". You probably would know better than me, but my understanding is that this parameter value can often come about due to page faults or hard page faults.

I actually got similar BSOD not that long ago when trying to update to the latest Windows 10 update, so I did run memtest86 (not memtest86+ which gives false positives at test #7 when using multicore CPUs) - ran it for 19 passes on a known good stick (4GB) to test the motherboard RAM slot 1 - came back with no errors. Then I ran it for 15 hours (8 passes) on the two 8GB sticks (16GB) of RAM that I normally use and am using now, again it came back with no errors at all.

Let me know how you go.

Thanks - Justin.

111017-5890-01.zip


  • Staff

Hi Justin. Can you upload the one Kernel dump that is created at C:\MEMORY.DMP ? It's too large for this forum to handle and would need to be uploaded to some file share site.

I understand if you're hesitant to change to Complete memory dump, but the devs really need a full stack to see the entire picture.

If you make the change, and also have Virtual Memory set to automatically manage paging file, it still requests that you assign a specific size?

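An added example, not from this thread and not Malwarebytes tooling: PowerShell that reads the crash-dump configuration Bob is asking about (the CrashControl registry key that selects Small, Kernel, Automatic or Complete dumps, and where MEMORY.DMP goes) and, if you decide to, switches it to Complete. The registry path and value meanings are Microsoft's documented settings; the function names are mine. It also exposes the DedicatedDumpFile setting, which is the usual answer to the pagefile concern raised earlier: with a dedicated dump file Windows writes the crash dump there instead of staging it through the pagefile, so the pagefile can stay at its current size. Run it from an elevated PowerShell if you intend to change anything; a reboot is needed for the change to take effect.

```powershell
# Added example (not from the thread or from Malwarebytes).
# CrashDumpEnabled values per Microsoft: 0 None, 1 Complete, 2 Kernel, 3 Small, 7 Automatic.
$CrashControl  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$DumpTypeNames = @{ 0 = 'None'; 1 = 'Complete'; 2 = 'Kernel'; 3 = 'Small'; 7 = 'Automatic' }

function Get-CrashDumpConfig {
    $cc  = Get-ItemProperty -Path $CrashControl
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $pfs = @(Get-CimInstance -ClassName Win32_PageFileSetting)   # empty when system-managed
    $ramMB    = [math]::Ceiling($cs.TotalPhysicalMemory / 1MB)
    $dumpPath = [Environment]::ExpandEnvironmentVariables([string]$cc.DumpFile)
    $dump     = Get-Item -LiteralPath $dumpPath -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DumpType             = $DumpTypeNames[[int]$cc.CrashDumpEnabled]
        DumpFile             = $dumpPath
        ExistingDumpMB       = if ($dump) { [math]::Round($dump.Length / 1MB) } else { 0 }
        ExistingDumpWritten  = if ($dump) { $dump.LastWriteTime } else { $null }
        AlwaysKeepMemoryDump = [bool]$cc.AlwaysKeepMemoryDump
        DedicatedDumpFile    = $cc.DedicatedDumpFile
        PhysicalRamMB        = $ramMB
        # Complete dump through the pagefile needs a boot-volume pagefile of at least
        # physical RAM plus a small header (the commonly cited floor is RAM + 1 MB).
        PagefileNeededMB     = $ramMB + 1
        AutoManagedPagefile  = $cs.AutomaticManagedPagefile
        ConfiguredPagefiles  = @($pfs | ForEach-Object { '{0} init={1}MB max={2}MB' -f $_.Name, $_.InitialSize, $_.MaximumSize })
    }
}

function Set-CompleteMemoryDump {
    param(
        # Optional dedicated dump file (a path on a local volume). When set, the dump is
        # written there instead of through the pagefile. DumpFileSize is in MB; 0 means
        # "size it to RAM + 1 MB" (that default is this example's choice).
        [string]$DedicatedDumpFile,
        [int]$DedicatedDumpSizeMB = 0
    )
    Set-ItemProperty -Path $CrashControl -Name CrashDumpEnabled     -Value 1 -Type DWord
    Set-ItemProperty -Path $CrashControl -Name AlwaysKeepMemoryDump -Value 1 -Type DWord
    if ($DedicatedDumpFile) {
        if ($DedicatedDumpSizeMB -le 0) {
            $ram = (Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory
            $DedicatedDumpSizeMB = [int][math]::Ceiling($ram / 1MB) + 1
        }
        Set-ItemProperty -Path $CrashControl -Name DedicatedDumpFile -Value $DedicatedDumpFile -Type String
        Set-ItemProperty -Path $CrashControl -Name DumpFileSize      -Value $DedicatedDumpSizeMB -Type DWord
    }
    Write-Warning 'CrashControl changes take effect after a reboot.'
}

# Usage:
# Get-CrashDumpConfig | Format-List
# Set-CompleteMemoryDump                                   # dump staged through the pagefile
# Set-CompleteMemoryDump -DedicatedDumpFile 'D:\dump.sys'  # keeps the existing pagefile size
```

Checking ExistingDumpMB and ExistingDumpWritten after a crash tells you immediately whether the dump was actually written, which matters given the earlier note that some of these crashes produced no dump file at all.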

Hi Bob,

Yes, I can set my virtual memory size to automatic, it won't need to be any set size, I just have it set to the recommended (around 2GB) as this avoids the crazy high CPU usage bug.

I'll set it up now and set the dump to a full memory dump. But it will require that I get another BSOD, which may or may not happen, as Windows 10 seems to be somewhat "adaptive" and seems to adjust things if BSODs are occurring (that has been my experience, anyway).

The only other concern is that sometimes memory dumps don't get written, for whatever reason. But I will try and get a BSOD and full memory dump for you. I will PM you with a link if/when I have what you need.

Thanks.

Edited by jsljustin

Hi Bob,

No worries at all!

It has been many days now without a BSOD at all, I am wondering if it only gets triggered when trying to register / install the farflt.sys driver?

In which case, should I uninstall MBAM 3 premium and then reinstall it again, to see if I can trip up a BSOD? If so, is there a preferred way to uninstall MBAM 3, or is via control-panel OK?

Also, I have set my dumps to a full memory dump, but I am worried as sometimes dumps don't get written - if there is any problem, sometimes the dump file doesn't get written at all (volmgr issues).

Anyway, what do you think?

Thanks - Justin.


  • Staff

Hi Justin. That's an interesting observation.

The farflt driver gets uninstalled and reinstalled if you just exit Malwarebytes via the notification tray icon, and then relaunch it.

You can check that the service is uninstalled after exit by opening a command prompt and typing the following command, then press Enter:

sc query mbamfarflt

It should return:

[SC] EnumQueryServicesStatus:OpenService FAILED 1060:

The specified service does not exist as an installed service.

Then, when you launch Malwarebytes, all protection services and drivers including farflt are reinstalled, and should be running. If the BSOD is caused solely by the installation and start of the MBAMFarflt driver, then this method should be enough to trigger it.

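An added example, not from this thread and not Malwarebytes tooling, that wraps the check Bob describes so it can be left running while you exit Malwarebytes from the tray icon and relaunch it. It calls sc.exe exactly as above; sc.exe exits with the Win32 error code, and 1060 is ERROR_SERVICE_DOES_NOT_EXIST, which is the "does not exist as an installed service" case. When the service does exist, state comes from the Win32_SystemDriver WMI class rather than Get-Service, because farflt is a kernel driver, not a Win32 service. The function names, the 120-second default and the poll interval are this example's choices; the service name mbamfarflt is the one given in the reply.

```powershell
# Added example (not from the thread or from Malwarebytes).
function Get-DriverServiceState {
    param([Parameter(Mandatory)][string]$Name)
    $null = & sc.exe query $Name 2>&1
    if ($LASTEXITCODE -eq 1060) {   # ERROR_SERVICE_DOES_NOT_EXIST
        return [pscustomobject]@{ Name = $Name; Installed = $false; State = 'NOT_INSTALLED'; StartMode = $null; ImagePath = $null }
    }
    $wql = "Name='{0}'" -f ($Name -replace "'", "\'")   # escape quotes for the WQL filter
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter $wql
    [pscustomobject]@{
        Name      = $Name
        Installed = $true
        State     = if ($drv) { $drv.State } else { 'UNKNOWN' }   # Running / Stopped
        StartMode = if ($drv) { $drv.StartMode } else { $null }
        ImagePath = if ($drv) { $drv.PathName } else { $null }
    }
}

# Poll and print each state transition. Start this, then exit Malwarebytes from the
# tray icon and relaunch it; you should see NOT_INSTALLED followed by Running.
function Watch-DriverService {
    param([string]$Name = 'mbamfarflt', [int]$Seconds = 120)
    $previous = $null
    $deadline = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $deadline) {
        $state = (Get-DriverServiceState -Name $Name).State
        if ($state -ne $previous) {
            '{0:HH:mm:ss} {1}: {2}' -f (Get-Date), $Name, $state
            $previous = $state
        }
        Start-Sleep -Milliseconds 500
    }
}

# Usage:
# Get-DriverServiceState -Name mbamfarflt
# Watch-DriverService -Name mbamfarflt -Seconds 120
```

If the relaunch completes with the driver reported Running and no bugcheck, the install-and-start path of this driver alone does not reproduce the crash, which is the conclusion the reply above is steering toward.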

Hi Bob,

I just tried that - by exiting Malwarebytes, checking via a cmd prompt as you said, then restarting MBAM, but no BSOD.

Maybe it is just coincidence that farflt.sys and the BSOD's I got happened at about the same time?

But note also that the crashes started occurring when I upgraded to the latest Windows (Windows Feature Update 1709).

So I am stumped as to what to do. My system has been stable ever since you requested the full memory dump from a BSOD. Maybe the trick is to not want a BSOD, and then one will happen, lol, as wanting a BSOD seems to make them disappear :lol:


  • Staff

Hi Justin. I do think it may have been a coincidence. Our developer did not see our driver referenced in the dump you did provide, but a complete dump would tell a better tale.

And yes, isn't that the way it goes sometimes? :) Like the noise in your car that disappears when you take it to the mechanic.

Please monitor the situation for a while, and let us know if this happens again. :)

 


Hi Bob,

Yes, it might well be just a coincidence - the 2 bugchecks that event viewer was able to catch were preceded both times by farflt.sys being registered a second or two before.

Anyway, sorry if I have had you and MBAM devs barking up the wrong tree. Will let you know if I have further issues.

Thanks again!

