BrianInWA

Win 10 BSOD System_service_Exception in mwac.sys

Since upgrading to version 3.4.0.2380 a few days ago my Win 10 Pro 64-bit system has been blue screening with SYSTEM_SERVICE_EXCEPTION in the mwac.sys driver. It happens a few times each day, even when I'm not browsing (in Chrome); today I was editing a reply in Outlook when it dumped. Perfmon report and SysnativeFileCollectionApp zips are attached. Thanks for any help!
  

Perfmon Report.zip

SysnativeFileCollectionApp.zip

Edited by BrianInWA
clean up text for readability

39 minutes ago, BrianInWA said:

Thanks for any help!

:welcome:

Let's try and get some other logs as well so the team can review them and see if they can tell what may be causing your issues.... Please use an Administrator account when doing the following,

  1. FIRST: Create and obtain Farbar Recovery Scan Tool (FRST) logs
  2. Download FRST and save it to your desktop. Tell any program that blocks it to ignore or allow. It IS SAFE. It contains no info that can identify or harm you.
  3. NOTE: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit
  4. Double-click to run FRST and when the tool opens click "Yes" to the disclaimer
  5. Press the "Scan" button
  6. This will produce two files in the same location (directory) as FRST: FRST.txt and Addition.txt
    NOTE: These two files will be collected by the MB-Check Tool and added to the zip file for you
  7. NEXT: Create and obtain an mb-check log
  8. Download MB-Check and save to your desktop
  9. Double-click to run MB-Check and within a few seconds the command window will open, then click "OK"
  10. This will produce one log file on your desktop: mb-check-results.zip
  11. Attach this file to your forum post by clicking on the "Drag files here to attach, or choose files..." or simply drag the file to the attachment area

2 hours ago, BrianInWA said:

Attached mb-check-results.zip as requested.

mb-check-results.zip

First off,
 

Quote

 

Compatibility Flag Settings:
=================================

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\appCompatFlags\Layers
    C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe    REG_SZ        ~ RUNASADMIN


 

Go to the folder C:\Program Files\Malwarebytes\Anti-Malware\
Find the file mbam.exe and right click on it and choose Properties
In the window that pops up click on Compatibility Tab
Remove ALL checkmarks. Malwarebytes has issues when you change these settings.


Do you have driver verifier on by chance? Can you also please perform the following steps in case this happens again, so we can get a full memory dump of the issue? Thanks!

  1. Right-click My Computer, and then click Properties.
  2. Click the Advanced tab.
  3. Under Startup and Recovery, click Settings.
  4. Make sure that Complete memory dump is selected under Writing Debugging Information.
  5. Click Ok and reboot

Now if the crash happens again, there should be a file created at c:\Windows\memory.dmp. Please either upload this file here or, if it's too big, email it to dcollins@malwarebytes.com

Edited by dcollins
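
The settings changed in the steps above can also be checked from an elevated PowerShell prompt. This is an added example, not part of the original post or of any Malwarebytes tooling; it assumes the standard `CrashControl` registry key and a paging file on the system drive.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
# Reports whether Windows is ready to write a complete memory dump.
$cc    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$modes = @{ 0 = 'None'; 1 = 'Complete'; 2 = 'Kernel'; 3 = 'Small'; 7 = 'Automatic' }
$mode  = [int]$cc.CrashDumpEnabled
$modeName = if ($modes.ContainsKey($mode)) { $modes[$mode] } else { "Unknown ($mode)" }

# DumpFile is a REG_EXPAND_SZ value, normally %SystemRoot%\MEMORY.DMP.
$dumpPath = [Environment]::ExpandEnvironmentVariables([string]$cc.DumpFile)

$cs    = Get-CimInstance Win32_ComputerSystem
$ramMB = [math]::Ceiling($cs.TotalPhysicalMemory / 1MB)

# A complete dump is staged in the paging file on the boot volume, which
# must be able to hold all physical RAM plus 1 MB.
$needMB = $ramMB + 1
if ($cs.AutomaticManagedPagefile) {
    $pageDesc = 'system managed'
    $pageOk   = $true   # assumption: Windows sizes it for the selected dump type
} else {
    $pf = Get-CimInstance Win32_PageFileSetting |
          Where-Object { $_.Name -like "$env:SystemDrive*" } |
          Select-Object -First 1
    $pageDesc = if ($pf) { "$($pf.InitialSize)-$($pf.MaximumSize) MB" }
                else     { 'none on system drive' }
    # A MaximumSize of 0 means this paging file is system managed.
    $pageOk = [bool]$pf -and ($pf.MaximumSize -eq 0 -or $pf.MaximumSize -ge $needMB)
}

# The dump file itself is roughly the size of physical RAM.
$disk   = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
$freeMB = [math]::Floor($disk.FreeSpace / 1MB)

[pscustomobject]@{
    DumpType            = $modeName
    CompleteDumpSet     = ($mode -eq 1)
    DumpFile            = $dumpPath
    DumpFileExists      = [bool]$dumpPath -and (Test-Path $dumpPath)
    PhysicalRamMB       = $ramMB
    PageFile            = $pageDesc
    PageFileLargeEnough = $pageOk
    SystemDriveFreeMB   = $freeMB
    RoomForDumpFile     = ($freeMB -ge $ramMB)
} | Format-List

# Driver Verifier state, which the post above also asks about.
verifier /querysettings
```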


Reply to Porthos: 

Between 8/17/15 and 3/14/16 I opened no fewer than four support cases to address a chronic performance problem: Case 820485, Case 841097, Case 927247, Case 981365.

MY DESCRIPTION: “I’ve seen MBAM.exe consume 75-90% of an AMD Athlon 64 X2 5000+ (dual-core) for hours at a time. During that time it does little or no disk or network I/O and remains basically constant in terms of private memory. The system is usable but performs like it’s dipped in a vat of cold molasses…

This happens EVERY time Windows starts – whether on a restart or a cold re-boot.

Please pass along to your QA folks my VIRTUAL CERTAINTY that this problem arises because the initialization is taking place under an account lacking Admin access (for whatever reason). My inclination is to totally uninstall MBAM (except for the Premium license key) and then reinstall under an account that’s a confirmed member of the Administrators group. (I may have ‘run as Admin’ for the previous install, I can’t remember.)”

MB SUPPORT RESPONSE: “Ok, thanks for the update, as far as I know QA cannot replicate this in any way.” ==> Basically “we give up” after 6 months elapsed, 4 support cases and me telling them what the problem was!

So on my own I finally figured out (via Sysinternals Procmon) that the product directory hierarchy had been created under an account other than the Local Admin, and the scanner was stupidly logging file access errors and retrying forever (as if the access problem would somehow go away) – killing the CPU in the process.

Of course I immediately ran MBAM-CLEAN and then reinstalled MBAM under a Local Admin account. No effect, likely because the product directory hierarchy had been created under an account other than Local Admin and was not fully removed by the uninstall, so the scanner kept bouncing off it forever. Grrrr…

The only thing that finally worked was to force the scanner to run under a local admin account. You are seeing the result of that. If I remove the startup flag the whole damn problem will start again. Not gonna happen. To reiterate, the current failure (which has been reported by many others) showed up for the first time on a new machine just last week following the upgrade I cited earlier. I’ll bet you money that flag turns out NOT to be at the root of the problem.

Edited by BrianInWA
Failed to capture full message.


@BrianInWA thanks for the detail there, can you send me a PM with your case numbers so I can look into them?

As for that registry key being set, it has no bearing on how Malwarebytes scans files. That registry key tells mbam.exe to run as an administrator, but mbam.exe is just the UI piece. All it does is allow you to interact with the service (mbamservice.exe) which should be running under the local system account. I'm not saying there aren't issues, as obviously you wouldn't be reporting problems if everything was working fine, just stating that the registry key you linked has no bearing on changing what files are scanned.

All this being said, to uncover exactly what caused the blue screen on your machine, a full memory dump would be extremely helpful. Instructions for that can be found in my post just above your latest reply.

26 minutes ago, BrianInWA said:

MY DESCRIPTION: “I’ve seen MBAM.exe consume 75-90% of an AMD Athlon 64 X2 5000+ (dual-core) for hours at a time. During that time it does little or no disk or network I/O and remains basically constant in terms of private memory. The system is usable but performs like it’s dipped in a vat of cold molasses…

 

The above is not this machine with blue screening.  Let's not confuse the issues.

The machine in question here is below.

Quote

Processor: AMD Ryzen 7 1700 Eight-Core Processor
Percentage of memory in use: 22%
Total physical RAM: 16330.74 MB
Available physical RAM: 12697.38 MB
Total Virtual: 16530.74 MB
Available Virtual: 12199.26 MB

 

@dcollins

Edited by Porthos


Porthos: The quoted case was (as I clearly noted) from 2015 -- almost 2 1/2 years ago. Yes, I have a new mobo now, but the system image is the same. It's actually a little annoying that you assumed I didn't know which computer I'm sitting in front of...

3 minutes ago, BrianInWA said:

It's actually a little annoying that you assumed I didn't know which computer I'm sitting in front of...

That was not completely directed at you but to Devin just in case he missed it. :)


dcollins: As you suggested I turned on driver verifier and also requested a complete memory dump. The latter turned out to open a whole can of worms as my machine has 16 GB of RAM and the pagefile was way too small...

After restarting I got repeated stopcodes saying Driver Verifier had detected a problem with ahcache.sys. Finally broke out of that loop by booting to safe mode and turning off Verifier. For some reason I'm not seeing a created dumpfile (looking in C:\Windows) so will try to figure out what went wrong there. Possible it's balking at the 16 GB, tho set the max pagefile size at 17,000 MB...

My case numbers from 2015/16 are in Post #6. Repeating them here: Case 820485, Case 841097, Case 927247, Case 981365.

More when I track down the dumpfile. Oh, and Malwarebytes is now starting in "Free" mode, even though I've been licensed for Premium for years. Sigh...


dcollins: I've checked in all the usual places and there's no new dumpfile to be found. However (even after restarting) Malwarebytes 3 will not return to Premium mode. If I reenter my original key/ID it complains about "too many devices activated"... This is pretty important: I need the protection, and anyway with the Web Protection feature turned off I'm guessing I won't be experiencing more BSODs anytime soon.

Any guidance on how to get past this, so I'm at least back to where I started 8 hours ago?

Bedtime now; will check back with you in the AM. Thanks.


You can turn off Driver Verifier, I was just checking if you had it turned on before. A new memory.dmp will only be created if the computer blue screens again, so you can keep using your computer as normal once you have turned on the full memory dump option. If the blue screen happens again, then please try grabbing that memory.dmp file.

I sent you a PM about your license issue.


Thanks for your help so far Devin. Task Manager says my system ran all night, so I guess I'm stable with MB3 disabled (though seriously exposed to threats). I'll definitely look for a (probably massive) dmpfile if and when I blue screen again. If it's anywhere close to memory size I'm not sure how I'll get it to you...

I wasn't aware that this forum offered a PM feature; sorry about posting directly earlier rather than using PM as you requested. I will check your PM next.

Regards, Brian


Your key should be able to be used again.

On another note, we believe we have found the cause of the blue screen and hope to have a new version to test soon. Thanks for your help!

Edited by dcollins


@BrianInWA Can you please try the following steps for us?

  1. Turn Web Protection Off under Settings -> Protection in Malwarebytes
  2. Install Wireshark using all the default options
  3. Launch Wireshark and you should see a list of interfaces. If you use Wireless, choose the wireless interface; if you use a cable, choose Local Area Connection
  4. Start browsing the internet as you normally would and you should see a bunch of lines show up in the Wireshark application
  5. Keep using the internet as normal for 5-10 minutes
  6. After 5-10 minutes, click the red square in the top left corner to stop capturing
  7. Click File -> Save and save the file somewhere
  8. Zip up the file and message it to me please


Hi BrianInWA and Nosferatu_UK -- Have you installed 3.4 Beta 2 (3.4.2 - released yesterday, Feb. 23)? You might try installing it to see if it resolves the BSOD. Thanks.


Yup, running version shown below (installed yesterday). Seems to be stable as long as Web Protection is disabled.

Brian

Version Snapshot.png


@BrianInWA can you please try enabling Web Protection? We have made a fix for BSOD related to Web Protection and it would be great if you can provide your feedback if Web Protection is stable on your system.

Thanks!


Are you sure about that? I re-enabled Web Protection immediately after installing the 2/23 release (4..2.2?) and my machine crashed within 10 minutes. The dump file from that is already uploaded; have you studied it?

I'll re-enable WP (again) if you insist, but why exactly should I expect a different outcome?

Brian


@BrianInWA I just got word from our staff member that you are still facing issues with Web Protection and we have received necessary files from you recently. Please ignore my earlier request.


Can you please try the following:

  1. Open Malwarebytes
  2. Navigate to Settings -> Application
  3. Under the Windows Action Center section, please choose the option Always register Malwarebytes in the Windows Action Center
  4. Navigate to Settings -> Protection
  5. Turn on Web Protection
  6. Reboot
  7. Use your computer as normal

We believe this issue is due to a compatibility issue with Windows Defender and want to try and confirm that. This setting will help us do that.


@dcollins Just made the setting changes and restarted. You'll definitely hear back from me (with a new dumpfile) if there's a regression; otherwise you should interpret no news as good news...

Thanks, Brian


Sad to report that it ran for only 15 minutes following the reboot with WP enabled; crashed with a different stopcode this time (see below).
Am uploading the compressed zip to Filemail as usual. ETA 1:26

IRQL-NLOE-Crash.jpg
