Win7 freeze, Event ID 36887 from "scan file system"

[DSperber]

I have been chasing the much talked about "system freeze" on three different Win7 Pro x64 machines on my home LAN for about 7 months now, with no success at resolving. One of the two original homebuilt ASUS-board machines (P8Z77-V Pro) has now physically "died", having to be physically replaced by a brand new "retail" machine (Lenovo Skylake M910t i7-6700 CPU). So I now two active machines again, with the other homebuilt ASUS-board machine (Z170-Deluxe Skylake i7-6700 CPU), both of which are still exhibiting the freeze.  That means even the brand new M910t is freezing, suggesting something in common in my environment/LAN, most likely the common software installed on ALL machines.

The "freeze" symptoms are well known across the Internet, namely human interfaces mouse, keyboard, screen all freeze, but Windows mostly continues to run including displayed system time progressing.  Shared drives hosted by the frozen machine continue to be accessible at least for a limited time to other machines on the network (as mapped network drives on those other machines) via Windows Explorer or other active programs utilizing network drives.  Eventually the semi-active frozen machine now finally drops off and becomes completely inaccessible on the network, and only a hard-boot (i.e. hole power button for 5 seconds to shut down, wait, and then re-start) is the "recovery" method.

The freeze cannot be made to occur on-demand, but instead occurs seemingly randomly. While the freezes may be machine-independent to begin with, eventually the other machine may also freeze. Studying the Event Log on both machines suggests there might be a periodic network handshake that finally fails in some fatal way, thereby now bringing down the second machine.  The freeze can occur one or more times each day either in rapid succession or with many hours in between.  Or a machine might "accidentally" remain up and operating normally for 1-3 days before an eventual freeze again takes it down.

I have been studying the Event Log closely, and have observed that Malwarebytes Premium daily scan at 6:30AM seems to ALWAYS produce two "error" entries in the log for event ID 36887, with "the following fatal alert was received 70" typically reported first followed by "the following fatal alert was received 40" reported second. I can reproduce this pair of errors "on demand" simply by running the scan manually specifically when the "scan file system" item is reached, so I'm 100% certain these two errors are coming from MBAM.

What are these errors from??

 

All machines run the latest MBAM 3.7.1.2838, component package 1.0.538, update package 1.0.9734, at least as of today 3/18/2019. They also all run Microsoft Security Essentials as their AV. They also all run Windows Media Center, including having internal TV tuner cards (from both cablecard-enabled Ceton and Hauppauge for OTA/ATSC). They also all support remote access through both RealVNC Server 6.4.0 as well as Team Viewer 14.1.18533.  They also all use Logitech MX-type wireless mouse including Setpoint software installed. They also all have APC UPS battery backup units to support temporary power outages including Powerchute Personal software installed. All have DisplayCal Profile Loader software installed to maintain "color management ICM profiles" loaded properly to the two Eizo 24" monitors on each machine.

They also all run several 3rd-party software products that auto-start at Windows boot: (a) Clockwise to set clock at midnight, schedule appointment alarms, etc, (b) PERFMON.MSC to monitor total CPU processor percentage, (c) Aida64 hardware monitor, and (d) DUMeter upload/download monitor.

I have tried all types of things to alter the environment, including not running one or more of the background software products, changing to wired mice and different USB keyboards, altering system power plan parameters, running with and without screensaver as well as power-save for monitors, etc.  Nothing has worked to solve the problem.  So it's still something else that is the culprit.

I have four Windows Media Center "extenders" around my house (supporting four HDTV's), which I use to connect to both of the WMC-enabled machines in order to watch recorded programs. I have tried leaving the extenders on (rather than closing/disonnecting them when TV watching is finished), in order to "keep the PC active" with its continual handshake with the extender, hoping to minimize or eliminate any opportunity to "freeze", but to no avail.  So it's still something else that is the culprit.

My next try will be to uninstall MBAM Premium, and see what happens.

 

[Malwarebytes]

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes 3 Help forum.

 

If you are having technical issues with our Windows product, please do the following: 

Spoiler

If you haven’t already done so, please run the Malwarebytes Support Tool and then attach the logs in your next reply:

NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

1. Download Malwarebytes Support Tool
2. Once the file is downloaded, open your Downloads folder/location of the downloaded file
3. Double-click mb-support-X.X.X.XXXX.exe to run the program
   • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
4. Place a checkmark next to Accept License Agreement and click Next
5. You will be presented with a page stating, "Get Started!"
6. Click the Advanced tab
   
    
7. Click the Gather Logs button
   
    
8. A progress bar will appear and the program will proceed with getting logs from your computer
   
    
9. Upon completion, click a file named mbst-grab-results.zip will be saved to your Desktop. Click OK
   
    
10. Please attach the file in your next reply. Before submitting your reply, be sure to enable "Notify me of replies" like so:
       

Click "Reveal Hidden Contents" below for details on how to attach a file:
 

Spoiler

To save attachments, please click the link as shown below. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button.

 

One of our experts will be able to assist you shortly.

 

If you are having licensing issues, please do the following: 

Spoiler

For any of these issues:

• Renewals
• Refunds (including double billing)
• Cancellations
• Update Billing Info
• Multiple Transactions
• Consumer Purchases
• Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/community/consumer/pages/contact-us to get help

If you need help looking up your license details, please head here: https://support.malwarebytes.com/docs/DOC-1264 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team

[DSperber]

I also note that I have two Win10 laptops (Lenovo Thinkpad P70 and W530) and neither of these has EVER exhibited the freeze symptom despite running all of the exact same 3rd-party vendor software product array (including MBAM Premium) as the two Win7 desktop PCs. They both run Windows Defender (in Win10), rather than Microsoft Security Essentials (which really is Windows Defender's predecessor for Win7).

Of course the Win10 laptops are not Win7 WMC-enabled, and do not have the TV tuner cards inside.  They also don't have Logitech mice supported by Setpoint software, nor do they have APC UPS backup supported by Powerchute software.

I also note that I remotely support 24 machines for friends and family, constituting a mix of Win7, Win8.1 and Win10 machines, both desktop and laptop.  Mostly these are one-machine locations (i.e. without multiple machines on a home LAN) but in one case there are two machines on a home LAN.  ALL of these machines run exactly the same 3rd-party vendor software product array (including MBAM Premium, MSE or Windows Defender, RealVNC Server and Team Viewer, etc.) and NONE of these machines has EVER exhibited the freeze symptom!!! Of course NONE of these other 100%-perfect always-up 24/7 for weeks or months machines runs Windows Media Center.

So naturally I'm suspicious of WMC.  But I've been running WMC on my home desktop PCs problem-free 100% 24/7 since 2010 and never had a freeze, until sometime after summer 2018. I can be pretty sure about that approximate timeframe because I know I recorded the Winter Olympics in February 2018 for 2-weeks solid on multiple channels, all without a problem. And then during July 2018 for 3 weeks solid on NBCSN I recorded the Tour de France bike race, again without a problem.  So the "freeze" started sometime after July and has persisted on every one of my Win7 desktop machines.

I thought it might be related to the ASUS and Lenovo (and other manufacturer) BIOS updates rolled out through the first half of 2018 to offset the Sceptre/Meltdown vulnerability, as this was also accompanied by MS Windows updates to match. Seemed that this hardware/OS update was critical, as was its timing relating to the "birth" of the freeze symptom.  But I don't know.

[DSperber]

Just updated MBAM to component package 1.0.563, update package 1.0.9736.

As far as Windows Media Center and extenders go, I had all these years simply been powering off the extenders when I was  done watching TV at that location. Since each extender is actually connecting to the HTPC "server" using Remote Desktop Protocol and is therefore an RDP session, powering off the extender is really a "sudden disconnect" of the RDP "client". This results in an Event Log ID 117 "warning" entry from Windows Media Center for "Session Enforcement".  This is then followed by a User Profile Service Event Log ID 1350 "warning" entry regarding unloading the Registry Hive (for the RDP user) which Windows detected was "still in use".

I thought that if I instead first performed a "close" at the extender (something I'd never done before) and then powered-off, that this would gracefully terminate the RDP session, and perhaps that might have some effect in mitigating the freeze symptom. Nope, no effect.  Doesn't seem to matter that the extender RDP session is terminated abruptly and unexpectedly through power-off, or whether the RDP session is logged off before disconnecting through power-off. Freeze still can and has occurred afterwards.

Doesn't matter if WMC recording is in progress, a freeze of keyboard/mouse/screen can still occur. So it's not simply that the machine is "idle" or not.  In fact after a freeze while recording the recording will typically continue on until its scheduled stop.  Remarkable.

Also, the freeze can occur when WMC playback at an extender is in progress.  In this state playback just persists and cannot be controlled through the WMC remote. Apparently WMC back at the HTPC is no longer responding to any remote control input from the extender, and the only option remaining is to use the power-off button on the remote to turn off the extender.  The HTPC is still frozen.

 

[exile360]

Thanks for all this great info.  I will be sure to report it to the team for review and hopefully they will be successful in replicating and correcting the issue.  I suspect you may be right that Windows Media Center/Remote Desktop etc. may be the unique factor triggering these ongoing issues.

[DSperber]

Just wanted to be sure my wordy posts were clear...

Yes, I have been chasing a "freeze" symptom for many months now.  But that wasn't the reason for my thread here.

The reason for my thread is that while closely monitoring the Windows Event Log for any diagnostic and forensic clues which might be helpful in resolving the freeze problem, I happened to notice a pair of 36887 errors in the Event Log occurring regularly, every day. And these errors occur EXACTLY when the daily MBAM scan is running and it reaches the "scan file system" point.  That's when I instantly see two new 36887 errors appear on the Event Log.

Obviously something MBAM is doing as part of the "scan file system" function, either when it starts or when it runs and finds something but obviously EVERY DAY the same trigger occurs.  So every day the same pare of 36887 errors is created.

And that is the reason for this thread on the Malwarebytes support forum, to report the daily occurrence of this 36887 error so that your engineers can look into it and if not fix whatever is causing it at least explain why it is happening, perhaps only to my machine.

My "freeze" issue... well that's something else entirely. Despite my best and most valiant efforts and detective work, I still have not been able to cure it.  It persists on both of my Win7 HTPC machines running Windows Media Center, and I still cannot find either the cause and fix it, or a 100% successful workaround gimmick to overcome and suppress it.  My problem, not yours.

[exile360]

Have you tried disabling Ransomware Protection in Malwarebytes?  This particular component monitors filesystem activity closely (including I/O/write operations like those that would occur when watching/recording TV via MCE).  It might be worth a try disabling it to see if that makes any difference.  Risk of infection when disabling that particular component is rather low anyway since it is much more of a reactionary solution than a proactive one as it awaits live ransomware activity from an already installed threat to try and detect and stop it before it is able to encrypt the files on your system; the other modules, especially Exploit Protection and Web Protection would be far more likely to stop any ransomware threat much earlier in the attack process due to the fact that the vast majority (if not all) of ransomware threats rely on exploits and the like to infiltrate systems in the first place.

[LiquidTension]

Hi @DSperber,

The Schannel error you're seeing is typically related to network communication between a client and server.

Here's a user who reported seeing the same error: https://forums.malwarebytes.com/topic/236708-scan-produces-schannel-error/

Note that this user also has Microsoft Security Essentials installed. Could you try disabling/uninstalling MSE and then check if the error is still exhibited during/after running a scan with Malwarebytes.

It would also help if we could obtain some troubleshooting logs to see if any errors in Malwarebytes' service logging coincide with the errors in your Event Log. Steps on how to provide the logs can be found here: https://forums.malwarebytes.com/topic/190532-having-problems-using-malwarebytes-please-follow-these-steps/

[DSperber]

2 hours ago, exile360 said:

Have you tried disabling Ransomware Protection in Malwarebytes?  This particular component monitors filesystem activity closely (including I/O/write operations like those that would occur when watching/recording TV via MCE).  It might be worth a try disabling it to see if that makes any difference.

Just gave this a try, disabling Ransomware Protection in MBAM and then doing a scan.

Unfortunately it made no difference. Same results. As soon as the "scan file system" section was reached and started, the two 36887 errors got generated.

So that (or whatever derives from that being on or off) doesn't seem to be the issue.

I will now try the suggestion from @LiquidTension, and disable MSE, to see if that eliminates the errors.

[DSperber]

19 minutes ago, LiquidTension said:

Hi @DSperber,

The Schannel error you're seeing is typically related to network communication between a client and server.

Here's a user who reported seeing the same error: https://forums.malwarebytes.com/topic/236708-scan-produces-schannel-error/

Note that this user also has Microsoft Security Essentials installed. Could you try disabling/uninstalling MSE and then check if the error is still exhibited during/after running a scan with Malwarebytes.

It would also help if we could obtain some troubleshooting logs to see if any errors in Malwarebytes' service logging coincide with the errors in your Event Log. Steps on how to provide the logs can be found here: https://forums.malwarebytes.com/topic/190532-having-problems-using-malwarebytes-please-follow-these-steps/

Nope... disabling MSE also doesn't prevent these 36887 errors.

I will work on getting your a troubleshooting log a bit later today, following those instructions.

[exile360]

Yes, I'm using MSE alongside Malwarebytes here myself and I've seen no such errors.  Whatever it is that may be causing this issue, I suspect it's far more unique than that.

[DSperber]

Just ran your support tool to generate the logs.

See attached.

mbst-grab-results.zip

[LiquidTension]

Thanks for the file.

The Schannel Event Log errors coincide with the following Malwarebytes events:

03/18/19    " 10:36:43.018"    2566754    0350    1cbc    WARNING    MBAMChameleon    PreProcHandleOperationRoutine    "mbamwatchdog.c"    725    "ObjCallback: Process (\Device\HarddiskVolume15\Windows\System32\services.exe) thread access for protected process \Device\HarddiskVolume15\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe with access 10"
03/18/19    " 10:36:43.206"    2566942    02a4    17a0    WARNING    MBAMChameleon    PreProcHandleOperationRoutine    "mbamwatchdog.c"    725    "ObjCallback: Process (\Device\HarddiskVolume15\Windows\System32\csrss.exe) thread access for protected process \Device\HarddiskVolume15\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe with access 1fffff"

These events originate from the Self-Protection component in Malwarebytes. They're normal/expected. As a test, try disabling Self-Protection in Malwarebytes and check if the Schannel errors still appear.

To do so:

• Open Malwarebytes.
• Click Settings.
• Click Protection.
• Scroll down to Startup Options and turn the Self-Protection module setting off.

Edited March 20, 2019 by LiquidTension

[DSperber]

These messages are categorized as "error" (not "warning") in Windows Event Log. That suggests to the user a more significant problem, rather than just highlighting a condition that may or mey not be something serious, or simply providing indicative information.  Not as significant as "critical", but the text of the message is a bit scary: "the following fatal alert was received: 40".

If these are "normal" and to be expected from "self protection" being enabled, why generate the messages at all?

 

[LiquidTension]

I apologise for the confusion - I believe you've misinterpreted my post.

I am not claiming the events logged to the System log are warnings. I am referring to the Malwarebytes service internal logging. As I mentioned, the Malwarebytes Self-Protection logging (in one of Malwarebytes' own log files) coincides at the same time as the Schannel errors you're seeing in the Event log.

Therefore, as a means of troubleshooting and narrowing down the specific source of the Schannel errors, I recommend temporarily disabling Self-Protection, rerunning a scan and checking if the Schannel errors still occur. If they don't, we've successfully narrowed down the specific source of the errors. This will help help us investigate exactly why those errors are being logged to the System log.

[DSperber]

Well, I'm afraid I am unable to reproduce additional test results after temporarily disabling Self-Protection on the particular Win7 machine we have been focused on in this thread, which has been producing the 36887 errors from scans.  i have uninstalled Malwarebytes Premium on this machine.

After fighting unsuccessfully with my "freeze" symptom (mentioned at the start of the thread) for 8 months now I finally decided that the very suspicious and coincidental IDENTICAL ISSUE reported late last year in Malwarebytes was just too coincidental to ignore.  Despite the fact that you believe you have found and corrected the defect which was responsible to the worldwide "freeze" in many (but not all) Win7 systems using Malwarebytes, and despite the fact that I am right up-to-date with the latest software version which in theory includes the correction, I still am dubious that you have found and fixed EVERYTHING involved with that "freeze" symptom.

In fact, I believe you have actually NOT fully investigated the interaction of Malwarebytes with Windows Media Center Win7 machines of which I currently have two, and had one more which has now died, all three of which exhibited the "random freeze" symptom which started about 8 months ago or so and has continued unresolved to this day (or rather until two days ago, if I'm lucky).  I believe therefore that whatever was causing the random occasional Win7 freeze when using Malwarebytes has NOT been completely corrected, and in fact is STILL infecting all three of my own WMC Win7 machines.

So needing to take some new action not previously tried over the past 8 months, two days ago I decided to uninstall Malwarebytes Premium on the particular WMC Win7 system which we have been studying here in this thread, for the 36887 error produced from scan. I also uninstalled Microsoft Security Essentials, which I have been using as my anti-virus product on ALL Win7 machines I have EVER built for myself or built-out for friends and family.

Instead, I have now purchased and installed a 5-seat license for Bitdefender Total Security 2019. I myself have four machines (two Win7 WMC machines and two Win10 laptops), and I have taken the same course of action on all of them: (a) uninstall Malwarebytes, uninstall MSE on Win7 machines, and install Bitdefender, and (b) uninstall Malwarebytes on Win10 machines, along with replacing the standard Windows Defender with Bitdefender.

After two and a half days of problem-free freeze-free operation on my primary WMC HTPC Win7 machine (M910t, which is the machine we've been talking about in this thread), I just today decided to power back up my second WMC HTPC Win7 machine (Z170) which had been powered off and offline for a week while I concentrated trying to get M910t stable after a frustrating last 8 months of nothing but failure. By disabling Z170 temporarily I was hoping to see if I could just get M910t working without any other network machines to handshake with.

I mention that 2 1/2 days of freeze-free performance is something I have not achieved in the past many months, so this is a huge accomplishment. Now it may only be coincidental and temporary, and the freeze may actually still show up, dashing all of my current hopes and beliefs that Malwarebytes (and its admitted "freeze-causing defect") has been the culprit all along for my unique WMC Win7 machines.  But for the moment, with Malwarebytes+MSE out and with Bitdefender in, I have had my M910t run freeze-free for longer than at any time in the past 8 months, although admittedly 2 1/2 days isn't that great yet as "real proof".

Now before performing this same "surgery" of replacing all my MBAM + MSE(Win7) and MBAM + Windows Defender (Win10) anti-virus and anti-malware protection on all of my machines, I did attempt to investigate the 36887 error and relevance to "self-protection" being on or off in MBAM.  Well, it turns the Z170 HTPC does not produce the 36887 error!  And yet it's a WMC HTPC Win7 system, just like M910t.  But no 36887 error.

Also, I did have a dual-boot Win7 system available on my P70 laptop (along with Win10), and it too is NOT producing the 36887 error.  Obviously the laptop is not a WMC HTPC, but for whatever explanation there is no 36887 error here either.

Which means only M910t is (or was) producing the 36887 error, and "self-protection" was certainly on.  But now that I've uninstalled MBAM on this (and ALL other as well) machine I cannot retry the test you ask for with self-protection temporarily turned off.  Sorry.

Nevertheless, at this moment I'm at 2 3/4 days up freeze-free on M910t, and about 1 hour up freeze-free on Z170. I attribute this completely to the removal of MBAM and MSE, and the installation of Bitdefender. I will continue to go forward using both of these machines completely normally as I always have done and will continue to do, running all applications and software that I ALWAYS did before the freeze began 8 months ago and I began to not run software or Windows tweaks that I felt might be responsible for the freeze. I now am strongly of the opinion it has been MBAM all along which was responsible for whatever changed in my two Win7 desktop WMC HTPC machines 8 months ago wich brought on the freeze initially, and which has continued to be present even in a brand new Lenovo M910t WMC HTPC which was installed to replace one of my original two HTPC machines which died in December (from being powered off/on too much because of freezing constantly!).

 

Bottom line: I'm sorry I can't provide you with the additional data point on the M910t which is the only Win7 system which is generating the 36887 error at "scan file system".  My other two Win7 systems(one also a WMC HTPC and the other a Lenovo P70 laptop) do not generate the 36887 when MBAM scans.

But the good news, for me anyway, is that I may have finally found "the culprit" responsible for the freeze attacking my two Win7 desktop machines for the past 8 months. And that culprit appears to be MBAM.  It's gone now, replaced by Bitdefender.

[DSperber]

I'm now almost at 4 days freeze-free on the M910t WMC Win7 desktop machine.

Yesterday I got cocky, and brought back up my Z170 WMC Win7 desktop machine, which I'd put to sleep last week in order to isolate the M910t on the network without any outside handshakes or other possible contributors to the freeze symptom. I brought it back up, and then quickly repeated the uninstall of both Malwarebytes Premium 3.7.1 along with MSE, replacing the two of them with Bitdefender Total Security 2019.

And not entirely surprising at this point, the M910t continued to operate freeze-free since Wednesday morning, and the Z170 has also now been freeze-free for 1 1/2 days since Friday morning.  This is absolutely unheard of for me for the past 8 months. I know it's still early and maybe a bit premature to believe I may finally have excised the "culprit" (that being MBAM and its well known "Win7 freeze" defect born late last year and reported globally, presumably now fully corrected), but I'm at the moment in extreme thrill state.

So not only are there no longer any 36887 errors on the Event Log on M910t (since MBAM is no longer around to scan daily), but I'm even sleeping better, since I find myself not getting up every two hours in the middle of the night to see if a freeze has just occurred or not (i.e. whether the most recent tweak or change I've tried in an attempt to finally isolate the long-elusive culprit was finally successful or just another failure).

Almost 4 days in now with MBAM uninstalled, it sure does look very much like this was it.  Perhaps something about the fact that the Ceton TV Tuner card and network-like drivers uses TCPIP to communicate makes this particular Win7 configuration unique, and rare or unknown to the Malwarebytes engineers who chased down the Win7 freeze symptom late last year resulting in some sort of product fix which presumably solved the problem.  Maybe the WMC hardware/software situation with Ceton TV tuner card was never looked at closely if at all.

Anyway, fingers still crossed.  Clock is still ticking.

[exile360]

That's great news, thanks for the update!

I'm glad you seem to have resolved the freeze issue finally.  I did report the issue to the team and highlighted the fact that your use of your specific TV viewing/recording hardware may have been the unique contributing factor so hopefully that will get them to the right place to find and fix the issue once and for all, but in the meantime I'm glad that at least you're now able to operate your devices without fear of freezing up in the middle of things.

[LiquidTension]

We're looking into potential issues with WMC and similar software.

In the case of the freezing on your machines, I suspect it may actually be related to Macrium Reflect Home Edition. Is this installed on all affected machines or just the machine you ran the Malwarebytes Support Tool on?

We've recently been able to reproduce a system freeze that occurs when both software are installed (and verified Macrium is the cause by forcing a blue screen once the freeze occurs and analysing the generated memory dump). Like you, a few other Windows 7 users have also reported still experiencing a system freeze with the latest version of Malwarebytes installed. They too have Macrium Reflect installed.

We were able to mitigate the freeze from occurring by configuring a folder exclusion for %programdata%\Malwarebytes in Macrium's backup settings.

[DSperber]

Thank you for this fascinating update on the freeze issue.

And just an update from me, namely that ever since last' Wednesday's uninstall of MBAM+MSE on both my Win7 HTPC machines, and the corresponding install of Bitdefender Total Security 2019, both machines have continued to remain up continuously 24/7 and without a single freeze. My M910t is now approaching a full 7 days, which is truly the first time I've seen that kind of long-term stability since last summer.

In passing I mention that this Lenovo M910t Skylake Win7 HTPC machine (born two months ago, as a replacement for its 6-year old homebuilt P8Z77 ASUS-based predecessor (which died in late December from being hard-powered off and on too many times) took over as my one "operating" HTPC from my other larger homebuilt Z170 Skylake ASUS-based HTPC, when I simply could not keep the Z170 up and operating unfrozen either.  Obviously an HTPC which functions as a 24/7 DVR for TV recording/viewing has to have 100% stability, and neither of these machines was providing that. So I simply reinstated the new M910t as a functioning HTPC housing the older/smaller Ceton (4-tuner) and Hauppauge(2-tuner)  TV tuner cards I had transplanted from the now-dead P8Z77 ASUS machine. Temporarily I de-commissioned the newer/larger Z170 with its Ceton (6-tuner) and Hauupauge (4-tuner) TV tuner cards until I could focus on the M910t and get to back to 100% stability.

So that appears to be where I am today. At just about a week of 100% freeze-free operation I am just about ready to declare victory. I believe I have finally emerged victorious.  Sometime in the future I will very likely return to using the larger Z170 machine with its additional available TV tuners and deactivate M910t from its current active service.  But for now the M910t is still perfectly adequate... and 100% reliable.

 

I find it very interesting that you include Macrium Reflect Home Edition running in the machine side-by-side with MBAM as another contributing factor to the freeze, in addition to the particular HTPC hardware/software. And the fact that you were able to determine this from your own forced-blue-screen dumps following a freeze, well that's pretty amazing detective work Congratulations. Yes, all of this is certainly running on ALL of my HTPC machines which ALL exhibited the freeze. But I also mention that the freeze didn't occur either "on-demand" or due to any particular set of one or more active/running programs, or even when Macrium Reflect was running a scheduled backup... although obviously its "Macrium Reflect Utility Service" is always running.

But the occurrence of the freeze was genuinely completely random over time as far as my own experiments concluded, in the sense that it wasn't one particular thing or combination of things which I could do which WOULD trigger the freeze. Could be in the middle of the night when nothing but background services and programs were running, or it could be during the day when I had many actively open programs and Firefox tabs in use. Also, the freeze didn't just happen after many hours or days of non-freeze seemingly normal operation. It could occur one or more times per day, or I might be able to run for maybe 1-2 days before the next freeze.  But also I could re-boot after a freeze and immediately freeze again even before the Windows desktop could completely refresh and get stable.

Furthermore, I mention that I have been using MBAM FOREVER, on both of my HTPCs and ALL MACHINES I'VE EVERY HAD for the past 8 years or so, and never saw a freeze until sometime after last summer. So obviously whatever truly caused it was from something you brought out in the software sometime after last summer.

Until you mention it here, I had never connected MBAM with Macrium Reflect as another relevant "clue" to what made my machines unique, but that's certainly true. However I also run this combination of MBAM and Macrium Reflect and MSE software on EVERY SINGLE ONE OF THE OTHER WIN7 MACHINES I MAINTAIN FOR FRIENDS/FAMILY. Sure there are other differences in all of these other Win7 machines, mostly that NONE OF THEM ARE HTPC machines but rather simply just ordinary home-use Win7 machines. That's why it was so hard for me to get a grasp on what really made my own THREE WIN7 MACHINES freeze the same way whereas nobody else's did, and that it therefore MUST have been the additional HTPC hardware/software. Never considered a deeper combination also with Macrium Reflect's presence to bring out the symptom. Fascinating.

Anyway, to aid in your ongoing research, I mention that the Ceton TV Tuner card and its driver/software is kind of unique. It actually operates as a "network device" based on TCPIP. The card has an IP address of 192.168.200.2, with a "DHCP server" of 182.168.200.1. It shows up in "Network & Sharing Center" as an actual "network". So "recording" appears as "network download" traffic from the card to the PC, similar as any other Internet "download" from the outside world appears as "network download" traffic. I thought the freeze might have somehow been tied to this "network" implementation of the hardware/software function. I br ing this up because some of the reboot-after-freeze situations which either took much longer to stabilize, or perhaps never even completed before another freeze occurred, seemed to coincide with the "network" object in the System Tray not being back in its normal active state with "internet access" once again available. There was sometimes that little red addition to the icon, and "no internet access" as its state, which suggested some kind of interference with TCPIP and/or network adapters during the system restart after a freeze.

You seem to have a good appreciation for the fact there's apparently still something not quite 100% completely resolved yet about exactly what it is about MBAM and the other installed software and hardware which make up the environment which brings out any exposure to the freeze symptom, whereas many/most other "normal" (i.e less complex?) environments obviously no longer seem to be vulnerable. Perhaps HTPC WMC machines are more susceptible than any other, as evidenced by my own THREE DIFFERENT HTPC MACHINES (age 6 years, 2 years, and 2 months) from two different motherboard manufacturers, all of which exhibited the freeze symptom.

If/when you do genuinely discover what still has seemingly gone still unfixed in MBAM (for these outlier unique hardware/software setups) since you brought out early this year what you thought were the fixes for the problem you had obviously created sometime late last year with something you had changed or enhanced in the product, please do post the announcement of that discovery on this thread... for closure, and information to all.

Thanks for your continued and ongoing focus on this. Note that I STILL continue to go forward with MBAM+MSE on ALL of the other "ordinary" Win7 machines I maintain for friends and family. It's only on my own "special" Win7 HTPC machines where I've been motivated to install Bitdefender.  I clearly needed a genuine 100% solution, right now.

[LiquidTension]

Thanks again for the information.

Would you be willing to help us determine the source of the freezes on your machines? This would involve reinstalling Malwarebytes on one of the machines, reproducing the freeze and carrying out some steps to generate a memory dump for us to analyse.

[DSperber]

Not a problem. My ASUS HTPC machine is currently "under-utilized". I can certainly survive without it because it is not at the moment being used for actual new recordings. I do not do any critical work on it (and if necessary there is a Win10 laptop with its own dedicated mouse right next to it which shares the keyboard and monitor also used by the Win7 desktop).

In other words I would be glad to temporarily uninstall Bitdefender and reinstall MBAM + MSE on this ASUS machine (with both Ceton and Hauppauge TV tuner cards, and also Macrium Reflect) and see how long it remains un-frozen. I don't think it will "bring down" my other second M910t HTPC (which IS currently crucial to my TV pleasure) where I would leave Bitdefender installed.  My own experience is that even when I completely shut down my non-critcial ASUS HTPC so that I was now only running ONE machine M910t (which still had MBAM + MSE at the time), that M910t exhibited the freeze... all by itself, and without any possible interaction from ASUS on the network.

So I believe I could probably be able to recreate a spontaneous freeze again on ASUS (with MBAM + MSE reinstalled) while M910t (with Bitdefender) remains stable.  At least it's reasonable to expect the freeze to reappear, but I can't guarantee or predict.

I also have two monitors on the machine, if you wanted me to run some program with output always on the screen.  Or, if you want to provide me with some other diagnostic tools or techniques to force a BSOD after the freeze in order to get a dump (which I would then send to you), I could do that as well.  I'd like to be as helpful as I can, since I believe my M910t machine is hopefully now "cured" and 100% stable as my HTPC.  And that leaves ASUS to be a "lab animal" if I can contribute that.

Let me know. You have my email address (from forum registration, and my MBAM licenses) if you want to communicate privately.

[LiquidTension]

Thanks very much. We appreciate your willingness to assist.

Here are steps on how you can configure the machine to force a blue screen. This will result in creation of a memory dump that we will analyse.

Enable Forced BSOD

• Download enable_forced_bsod.reg using the link below:
  → https://malwarebytes.box.com/s/8rxpxrwm4jmdz95dg5p1kudymdl4vtzm
• Open your Downloads folder or location of the downloaded enable_forced_bsod.reg file.
• Double-click enable_forced_bsod.reg and click Run followed by Yes if prompted by User Account Control.
• Click Yes when prompted to continue.
• Click OK.
• Restart your computer.
   

Also, verify the computer is configured to generate a full memory dump. Details on this can be found below (the article applies to Windows 7 as well as 10):
https://www.tenforums.com/tutorials/5560-configure-windows-10-create-minidump-bsod.html
 

Afterwards, please do the following:

• Install the latest version of Malwarebytes: https://downloads.malwarebytes.com/file/mb3
• Activate your Premium license and configure the program in the same manner as before it was uninstalled.
• Revert any other changes to the machine so that it resembles the same state it was when the freezes were occurring (excluding the above changes). 

At this point, wait for the machine to freeze or perform actions that would typically induce a freeze.

Once the machine has frozen, hold down the rightmost Ctrl key on your keyboard and press the Scroll Lock key twice.
This will force your machine to blue screen. After the computer has rebooted, open the C:\Windows folder and verify a file named MEMORY.dmp is present.

Right-click MEMORY.dmp and click Send to followed by Compressed (zipped) folder. If prompted to save the file to your Desktop, click Yes.
Upon completion, upload the Zip file to a file hosting service (e.g. Google Drive, OneDrive, WeTransfer.com, etc) and provide a download link in your next reply.

[DSperber]

I will do this today.

As far as trying to revert ASUS to how it looked when it was last exhibiting a freeze (which still hasn't happened again since 3/20, i.e. 12 days ago, on either ASUS or M910t, ever since uninstalling MBAM+MSE and installing Bitdefender), I will also reinstate (or leave reinstated as it is right now) all of the following:

(1) screensaver after 5 minutes and "turn off display" after 15 minutes (this all has already been turned back on with Bitdefender)

(2) map network drive letters on ASUS for partitions hosted by M910t (this has already been turned back on with Bitdefender)

(3) reinstall Team Viewer software

(4) reinstall Dyn Updater software

(5) continue to run Macrium Reflect Home, NovaBACKUP, Aida64, DUMeter, PERFMON (for "total processor %")

I'll report as soon as a freeze occurs again, if it does. Note that now stable-again M910t (my production HTPC at the moment) is still going to be running with Bitdefender, whereas before it too was running with MBAM.  There definitely seemed to be a "sympathetic behavior" previously when MBAM was on both machines and a freeze could occur on one or the other machine. Seemed that inevitably a freeze on one machine would very likely eventually cause a freeze on the other machine as well, as both machines were on the same network and seemed to handshake regularly (like every 12 minutes at least) based on examining the Event Log and errors that appeared when freezes had occurred.

I believe you must know that the "freeze" isn't really a true frozen Windows, although eventually that might occur. It's really just a symptomatic freeze of mouse, keyboard, and certain onscreen outputs from some application programs but not necessarily all screen outputs (e.g. Windows onscreen clock time seems to still progress). In the background Windows Explorer on the system is often still communicating with the other non-frozen network machines (until the frozen system does eventually lock up to be non-responsive overall, though it actually might still be "alive") so that mapped network drive access from non-frozen machines could still work. Even during this semi-alive/frozen state the machine would NOT respond to network access from the outside world (e.g. through Team Viewer or RealVNC).  So it's a very complex "freeze" state.

Again, I'll get back to you if I can get the freeze dump.

[DSperber]

17 hours ago, LiquidTension said:

At this point, wait for the machine to freeze or perform actions that would typically induce a freeze.

Once the machine has frozen, hold down the rightmost Ctrl key on your keyboard and press the Scroll Lock key twice.
This will force your machine to blue screen. After the computer has rebooted, open the C:\Windows folder and verify a file named MEMORY.dmp is present.

Right-click MEMORY.dmp and click Send to followed by Compressed (zipped) folder. If prompted to save the file to your Desktop, click Yes.
Upon completion, upload the Zip file to a file hosting service (e.g. Google Drive, OneDrive, WeTransfer.com, etc) and provide a download link in your next reply.

Just a question about how to force the BSOD once a freeze occurs.

If the mouse and keyboard are unresponsive, are you saying that in fact the system will still recognize that I've held down right-CTRL and pressed SCROLL LOCK twice?  This sequence of keystrokes will actually be seen, even though my normal use of keyboard is frozen?

Anyway, everything is complete now:

(1)  The two REG files have been merged (one to enable forced BSOD, and the other to enable "complete memory dump")

(2) my PAGEFILE has been changed from "system managed" to "custom", and then enlarged to 32800MB (I have 32GB of memory, so 32800 should be more than large enough to hold the complete dump + 1MB header)

(3) I've uninstalled Bitdefender and reinstalled the very latest MBAM, MSE, Team Viewer and Dyn Updater. I realized I didn't want to keep screensaver because I need to be able to see several things on the screen at all times so that I can visually recognize when a freeze has actually occurred because certain things on the screen are no longer updating properly when the freeze has struck. So screensaver has again been disabled, and "turn off display after 15 minutes" also set to NEVER. This shouldn't impact whether or not a freeze will strike.

(4) both ASUS and M910t have once again been configured for "map network drive" so that all partitions on each machine is instantly visible by drive letter using Windows Explorer on the other machine.

 

So this is just where I was software-wise on ASUS back while still seeing freezes and fighting with it at least every day or two if not more than one time per day.

Let's see what happens.