Jump to content
Dave-H

MB 3.5.1 MBAE Service not installing on Windows XP?

Recommended Posts

Hi Dave,

Thank you for the update.
 

16 hours ago, Dave-H said:

The only anomaly still present, which is still there even after getting rid of EMET, is that the mbamchameleon service will not run as a boot start service, only as a system start service. I tried putting it back to boot start, and it no longer ran on system startup.

Please open Malwarebytes and click Settings > Protection > scroll down and ensure 'Enable self-protection module early start' is turned on.

Once done, please rerun the Malwarebytes Support Tool (Download link: https://downloads.malwarebytes.com/file/mbst) and click Advanced followed by Gather Logs. Upon completion, a file named mbst-grab-results.zip will be saved to your Desktop. Rename this file to mbst-grab-results-prereboot.zip.

Afterwards, please restart the computer. Once restarted, rerun the Malwarebytes Support Tool once more in the same manner. Rename the new mbst-grab-results.zip to mbst-grab-results-postreboot.zip.

Please attach both Zip files so we can take a look at what's going on.

Share this post


Link to post
Share on other sites

Thanks, I've done that and the logs are attached.
I also switched on the enhanced log collection function.

"Enable self-protection module early start" indicates that it is switched on.

Both the log gatherings were done with the mbamchameleon service startup type set in the registry to "system" (type 1) instead of "boot" (type 0) which is the default.

Cheers, Dave.
🙂

 

mbst-grab-results-prereboot.zip

mbst-grab-results-postreboot.zip

Share this post


Link to post
Share on other sites
Posted (edited)

Thank you for the files.

Please turn off the Enable self-protection module early start setting, wait 10 seconds and then turn the setting back on. Once done, rerun the Malwarebytes Support Tool, click Advanced, click Gather Logs and attach the newly created mbst-grab-results.zip (located on your desktop) in a new post.

Afterwards, please download Process Monitor using the link below:
https://docs.microsoft.com/en-us/sysinternals/downloads/procmon

  • Extract the downloaded file and run.
  • Once Process Monitor is running, return to Malwarebytes.
  • Turn off the Enable self-protection module early start setting, wait 10 seconds and then turn the setting back on.
  • Return to Process Monitor. Click File followed by Capture Events to stop the capture.
  • Click File followed by Save. Select a location to save the file and click OK.
  • Please zip up and attach the generated file. If it is too large to attach, please upload the file to WeTransfer.com and copy/paste the link into a post.
Edited by LiquidTension

Share this post


Link to post
Share on other sites

Hi, thanks and sorry for the delay in responding, I was very busy yesterday away from home most of the day!

I switched off  "Enable self-protection module early start", waited 10 seconds, and then it wouldn't turn on again!
Even after a reboot it's still off and won't switch on.

The normal self-protection on/off option is still apparently switched on.

The version of Process Monitor that you gave a link to doesn't work on Windows XP, it needs at least Vista.
I do already have version 3.50, which I suspect is the last that does work on XP, I assume that's OK for any further testing?

Cheers, Dave.
🙂

Share this post


Link to post
Share on other sites

Hi Dave,

Yes, that version should run OK on Windows XP. Whilst not being listed as a supported OS, Process Monitor runs fine on Windows XP for me.

Please run Process Monitor, reproduce the issue with enabling the setting, stop the Process Monitor capture and then attach the zipped up log file.

Share this post


Link to post
Share on other sites

Thanks, yes I looked again and the link you gave is to version 3.50 of course! D'oh!
I guess that is the last version, and runs fine on XP as you say, despite what they say.
I guess being part of Microsoft they're not allowed to acknowledge the existence of XP any more, in fact I'm surprised they haven't remove the reference to Vista now too!

Anyway, I ran Process Monitor, and then tried to switch on the "Enable self-protection module early start" option again, and still nothing appeared to happen.
I stopped the trace and saved the file.
It's here - https://www.4shared.com/file/VGdDwxZrda/Logfile.html

I don't know what it will show though, as I say the function seems to be completely non-functional at the moment.
Cheers, Dave.
🙂

Share this post


Link to post
Share on other sites

Hi again.
I've done a bit more experimenting, and I've managed to get things back to running as they were before.
It appears that the self-protection settings do simply change the start type of the mbamchameleon service.
If self-protection is completely switched off, the service is set to type 4 (disabled).
If it's on but not early start, the service is set to type 2 (automatic), and if the early start is on it's set to type 0 (boot).
That makes perfect sense, but it's that last configuration that doesn't work, the service will not start as a boot service.
Setting it manually to start type 1 (system) seems to work around this, and the service presumably still starts early enough for the early start setting to show as being on.
Why it won't start as a boot type service is a mystery though.
Cheers, Dave.
🙂

Share this post


Link to post
Share on other sites

Hi Dave,

I'm having trouble downloading the ProcMon log. Please could you upload it to WeTransfer: https://wetransfer.com/
Ensure link is selected as the send as type and copy/paste the generated link in a new post.
 

Quote

That makes perfect sense, but it's that last configuration that doesn't work, the service will not start as a boot service.

When the start type is set to 0 (Boot), is MBAMChameleon installed at startup or is the state Disabled?
Please set the start type to Boot, restart the machine and then run the following commands at the Command Prompt. Please attach the generated query.txt file found on your desktop.

sc query mbamchameleon > "%userprofile%\desktop\query.txt"
sc qc mbamchameleon >> "%userprofile%\desktop\query.txt"

 

Edited by LiquidTension

Share this post


Link to post
Share on other sites

Hi again and thanks.
I tried the 4Shared link and it worked fine for me, so I don't know what's wrong there.
Anyway, I have uploaded it to WeTransfer too now. The link is -

https://we.tl/t-u9fzUuVS2g

I set the mbamchameleon service to boot start in the registry, and when I restarted I again got the Windows System Log message that it had failed to start ("The following boot-start or system-start driver(s) failed to load: mbamchameleon.")
It is still set to start type 0 in the registry.
The "enable self-protection module" option in the MB interface is shown as off, and as before if I try to turn it on the interface just permanently freezes and has to be forcibly terminated.
However, after running your two commands, the Windows System Log now says that the service was started ("The mbamchameleon service was successfully sent a start control."), although the MB interface hasn't changed.

The query.txt file is attached.
Cheers, Dave.
🙂

query.txt

Share this post


Link to post
Share on other sites

Hi again.
I've just checked the Windows System Log again, and if the mbamchameleon service is logged as having failed to run, it does in fact then run according to the log, exactly five seconds later!
This delay is presumably what's causing the problem with the interface, as it thinks the service isn't running as it didn't start on boot, but when you try to run it by switching on the self-protection, it can't do it because the service is in fact running by then, and the consequence of trying to switch on a service already switched on causes the interface to crash!
It obviously isn't enabled properly anyway, as I can still change its startup type by editing the registry, which I shouldn't be able to do if it's working properly, as it's one of the registry keys which should be protected by it.
🙂

Share this post


Link to post
Share on other sites

Hi Dave,

Please run the Malwarebytes Support Tool and perform a clean reinstallation of Malwarebytes (Advanced > Clean).

Once done, open Malwarebytes and verify the "Enable self-protection module" setting is On. Run the two commands below:

sc query mbamchameleon > "%userprofile%\desktop\query1.txt"
sc qc mbamchameleon >> "%userprofile%\desktop\query1.txt"


Now turn "Enable self-protection early start" on. What happens? Please avoid manually changing the start type in the registry for now. Afterwards, run the two commands below:

sc query mbamchameleon > "%userprofile%\desktop\query2.txt"
sc qc mbamchameleon >> "%userprofile%\desktop\query2.txt"

 

Please attach query1.txt and query2.txt (found on your desktop).

Share this post


Link to post
Share on other sites

Thanks, but I have already done that procedure many tim

47 minutes ago, LiquidTension said:

Hi Dave,
Please run the Malwarebytes Support Tool and perform a clean reinstallation of Malwarebytes (Advanced > Clean).

Thanks, but I have already done that many times before, and the end result is always the same, I doubt that doing it again will be any different!
After the uninstall and clean the re-installation seems to go fine, but the self-protection module is shown as being completely turned off.
If I try to enable the self-protection module, the interface just immediately and permanently freezes.
I obviously can't alter the early start setting either as the main setting isn't switched on. It's shown as being on, but greyed out.
The only way I've found to fix this is to manually change the mbamchameleon service's start type from "boot" to "system" in the registry.
As I said earlier, the service is actually running eventually when it's set to "boot" but only after an initial error message in the Windows log that it had failed to start.
It's then logged as actually starting about 5 seconds after the error message was logged.
Cheers, Dave.
🙂

Share this post


Link to post
Share on other sites

BTW, we have now moved a long way from my original subject title for this thread!
Would it be possible to change it to something more general like "Malwarebytes Installation Problems on Windows XP"?
🙂

Share this post


Link to post
Share on other sites
Quote

Thanks, but I have already done that many times before, and the end result is always the same, I doubt that doing it again will be any different!

Understood. The purpose is not to resolve the issue, but to start the next set of troubleshooting from a consistent starting point.

Can you enable boot time logging in Process Monitor: https://www.msigeek.com/6231/how-to-enable-system-boot-time-logging-using-process-monitor-tool

Reboot the computer. After the reboot, rerun Process Monitor and click Yes when prompted if you wish to save the collected data. Zip up the generated .pml files and upload to WeTransfer.com.

Share this post


Link to post
Share on other sites

Really sorry about this, but I'm having real trouble getting a boot log out of Process Monitor!
I can set it to produce one, and it seems to be doing all the right things, setting a boot service in the registry to run on the next boot, using PROCMON24.SYS as the driver, but when I reboot, nothing happens and nothing is recorded.
I've looked and looked online, and I can find no reason for this.
There are no error messages being logged, but I can only assume that the temporary boot service that Process Monitor is installing to do this is not actually running for some reason, in the same way as the  mbamchameleon boot service isn't running!
Any ideas?
🙂

Share this post


Link to post
Share on other sites

Greetings,

It's likely due to the fact that the current version is no longer officially supported on Windows XP but I don't know for sure and don't have an XP system to test with at the moment unfortunately.

This is a direct quote from the official Process Monitor page on Microsoft's website:

Runs on:
  • Client: Windows Vista and higher.
  • Server: Windows Server 2008 and higher.

Share this post


Link to post
Share on other sites

Yes, I did wonder about that, and I tried two earlier versions that people online said worked fine with XP, 3.20 and 2.96.
Neither of them worked to log the system boot either!
All the versions I've tried, 3.50, 3.20, and 2.96 seem to work fine when run normally, logging all the system activity as they should, but the boot logging system doesn't seem to do what it should at all.
Another mystery.
🙂
 

Share this post


Link to post
Share on other sites

It could also be that there's another issue with your system preventing it, possibly the same thing preventing the anti-exploit driver from loading though I'm really not sure.

Share this post


Link to post
Share on other sites

Yes, you could well be right, this is all very strange indeed!
Actually the anti-exploit protection, where the original problem was, seems to be fine now, it's the self-preservation module I'm now having issues with!
I must say that I'm now sorely tempted to just leave the self-protection service on system start and not boot start, and hope that it's still doing everything that it should in that mode.
The main program certainly seems to be happy that the early self-preservation protection is enabled in that mode.
Presumably it won't start quite so early in system mode as it will in boot mode, but I don't know how much the delay would be and whether that compromises it in any way.
🙂
 

Share this post


Link to post
Share on other sites

It shouldn't make too much difference and you can verify that it's working by trying to terminate any of Malwarebytes processes using Task Manager (you should get an error/access denied message box because of the self-protection driver blocking it).

Share this post


Link to post
Share on other sites

The registry keys are certainly protected, I get "access denied" if I try to change them, but I can kill MBAMService.exe with Task Manager.
It immediately runs again if I do, but it does terminate.
I don't know if that's expected behaviour.
I can also stop the service using the Services MMC as well, as I mentioned in an earlier post, but I gather from the reply that is expected behaviour.
🙂

Share this post


Link to post
Share on other sites

It is normal to be able to stop the service using Services.msc, but you shouldn't be able to kill it using Task Manager if self-protection is working.

Share this post


Link to post
Share on other sites

I have no issues with Process Monitor boot time logging on Windows XP. It could very well be related to the same issue you're encountering with MBAMChameleon boot start. I'm looking into other potential methods of obtaining similar information. In the meantime, you may want to leave the start type as System.
 

24 minutes ago, Dave-H said:

but I can kill MBAMService.exe with Task Manager.

This is expected. You should find the process automatically restarts.

Share this post


Link to post
Share on other sites

They must have changed it then.  It used to prevent any Malwarebytes process from being terminated this way and would show an access denied dialog/error, otherwise it would be trivial for the bad guys to terminate it then block it from restarting itself which was the entire point of self-protection in the first place.

Share this post


Link to post
Share on other sites

Yes, I did think it was a bit strange that Malwarebytes' main service could be killed so easily!
Anyway, I have now returned the mbamchameleon service to system start, and everything looks OK again.
🙂

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

×

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.