Jump to content

KERNEL_AUTO_BOOST_LOCK_ACQUISITION_WITH_RAISED_IRQL


Recommended Posts

 

Hi,

blue screen since one week on a server :

System Information (local)
--------------------------------------------------------------------------------

Computer name: SERVAGC
Windows version: Windows Server 2016 , 10.0, version 1607, build: 14393
Windows dir: C:\Windows
Hardware: PRIMERGY TX1310 M3, FUJITSU, D3521-A1
CPU: GenuineIntel Intel(R) Xeon(R) CPU E3-1225 v6 @ 3.30GHz Intel8664, level: 6
4 logical processors, active mask: 15
RAM: 16994754560 bytes (15,8GB)


--------------------------------------------------------------------------------
Crash Dump Analysis
--------------------------------------------------------------------------------

Crash dumps are enabled on your computer. 

Crash dump directories: 
C:\Windows
C:\Windows\Minidump

On Thu 06/06/2019 16:58:06 your computer crashed or a problem was reported
crash dump file: C:\Windows\Minidump\060619-22062-01.dmp
This was probably caused by the following module: ntoskrnl.exe (nt+0x149F90) 
Bugcheck code: 0x192 (0xFFFFF8008CBD8940, 0xFFFF8A0A1AA2C2A8, 0x2, 0x0)
Error: KERNEL_AUTO_BOOST_LOCK_ACQUISITION_WITH_RAISED_IRQL
file path: C:\Windows\system32\ntoskrnl.exe
product: Microsoft® Windows® Operating System
company: Microsoft Corporation
description: NT Kernel & System
Bug check description: This indicates that a lock tracked by AutoBoost was acquired while executing at DISPATCH_LEVEL or above. 
This bug check belongs to the crash dump test that you have performed with WhoCrashed or other software. It means that a crash dump file was properly written out. 
The crash took place in the Windows kernel. Possibly this problem is caused by another driver that cannot be identified at this time. 

On Thu 06/06/2019 16:58:06 your computer crashed or a problem was reported
crash dump file: C:\Windows\MEMORY.DMP
This was probably caused by the following module: farflt.sys (farflt+0x367B) 
Bugcheck code: 0x192 (0xFFFFF8008CBD8940, 0xFFFF8A0A1AA2C2A8, 0x2, 0x0)
Error: KERNEL_AUTO_BOOST_LOCK_ACQUISITION_WITH_RAISED_IRQL
file path: C:\Windows\system32\drivers\farflt.sys
product: Malwarebytes Anti-Ransomware Protection
company: Malwarebytes
description: Malwarebytes Anti-Ransomware Protection
Bug check description: This indicates that a lock tracked by AutoBoost was acquired while executing at DISPATCH_LEVEL or above. 
This bug check belongs to the crash dump test that you have performed with WhoCrashed or other software. It means that a crash dump file was properly written out. 
A third party driver was identified as the probable root cause of this system error. It is suggested you look for an update for the following driver: farflt.sys (Malwarebytes Anti-Ransomware Protection, Malwarebytes). 
Google query: farflt.sys Malwarebytes KERNEL_AUTO_BOOST_LOCK_ACQUISITION_WITH_RAISED_IRQL

--------------------------------------------------------------------------------
Conclusion
--------------------------------------------------------------------------------

2 crash dumps have been found and analyzed. A third party driver has been identified to be causing system crashes on your computer. It is strongly suggested that you check for updates for these drivers on their company websites. Click on the links below to search with Google for updates for these drivers: 

farflt.sys (Malwarebytes Anti-Ransomware Protection, Malwarebytes)

If no updates for these drivers are available, try searching with Google on the names of these drivers in combination with the errors that have been reported for these drivers. Include the brand and model name of your computer as well in the query. This often yields interesting results from discussions on the web by users who have been experiencing similar problems.


Read the topic general suggestions for troubleshooting system crashes for more information. 

Note that it's not always possible to state with certainty whether a reported driver is responsible for crashing your system or that the root cause is in another module. Nonetheless it's suggested you look for updates for the products that these drivers belong to and regularly visit Windows update or enable automatic updates for Windows. In case a piece of malfunctioning hardware is causing trouble, a search with Google on the bug check errors together with the model name and brand of your computer may help you investigate this further. 

Thanks,

Vincent.
 

Link to post
Share on other sites

I'm having the same issue. My server is Windows Server 2016 Std.

There is a report of the same issue in a Microsoft TechNet post:

"Just in case someone  else is seeing this issue

Windows Server 2016 14393.2972 and above will BSOD-Kernel Auto Boost Lock Acquisition With Raised IRQL in fltmgr.sys if you have Malwarebytes anti-ransomware installed

Can confirm with product 0.9.18.806-1.1.219

Not sure if this affects the all in one solution"

I get numerous event 0 arising in MB3Service and one in MBAMService.

And I can MAKE it happen when I start Windows Backup to a USB3 External Drive.

Link to post
Share on other sites

I have Windows Server 2016 Std

I just started getting the BSOD-Kernel Auto Boost Lock Acquisition With Raised IRQL in fltmgr.sys 2 days ago.

I can replicate if I image my C: system drive to a network location.  D: which is a partition on the same physical drive works.

Product 0.9.18.806

Not sure this is related.

Link to post
Share on other sites

I can confirm that this problem has also affected my server running Server 2016 STD.  My BSOD started on Monday, 6/3/19.  The crash would happen when our database server would attempt to start (SQL Anywhere for Eaglesoft by Patterson Dental).  Removing only the Anti-Ransomware module fixes the problem.  MBAM and Anti-Exploit are still installed.

Link to post
Share on other sites

We see it on a bunch of Dell 5580's. It seems to have started around 5/30 for us after we pushed windows patches. We typically do not install full MWB on servers only Laptops but we DO have anti-ransomeware on a few servers and so far i have no reports of them going down.. This issue is affecting about 30 machines at this time. Remediation is so far to remove MWB completely and we are installing Symantec.

Link to post
Share on other sites

Literally typing up a response to your post and my machine blue sceened. I have been running with File Protection unchecked and it has been up for about 24 hours. I am going to have to un install.

I hate putting Symantec back on machines. We are in the process of moving from Symantec to MWB Enterprise now that they are considered a full fledged AV. I opened a ticket two days ago and no response and no response to these posts. I don't know whats going on. It doesn't give me warm and fuzzies. I am going to call SHI as we buy it through them and see if they can get somewhere. CEO just stopped me in the hallway telling me his machine blue screened during a meeting. It is starting to feel like a Monday.

This is from my machine.

image.png.ebca94718f76508d9810c208f6ac93f3.png

Link to post
Share on other sites

6 minutes ago, DScherer said:

Bill, are you saying removing Anti ransomeware solves the issue for you?

As far as I can tell, that's the case.  I just completed running Windows Backup on the server and that application INVARIABLY spawned that BSOD.

I left the Anti-Malware and Anti-Exploit products on the server and we're not having any problems so far.

Hope this helps...

 

Link to post
Share on other sites

I can confirm this solution too.

I have since reinstalled just the Anti-Malware and Anti-Exploit and NOT Anti-Ransomware and I have been able to do the backups (Macrium Reflect Server Plus) which would always trigger the BSOD.

I don't normally use Windows Backup, but did try when I was experiencing this issue and I can confirm it caused this BSOD for me as well.

Link to post
Share on other sites

If the agents on all of yours cases have not mentioned it yet, this is a bug with any Windows 1607 on 14393 build and ARW. For the moment, disable the Ransomware protection real-time. A fix to the engine will be coming shortly, targeted for the middle of next week.

Link to post
Share on other sites

I sure am glad to have come across this thread.  I spent most of yesterday troubleshooting an RDS 2016 Std that appeared to have random crash dumps starting 6/4.  When I decided to just move the users to another RDS 2016 Server I had in reserve I generated the same crashdump while setting up user profiles.  It appeared to be triggered by large file transfers.  Then I had the same problem with my own VM running RDS 2016.  I have several other servers running RDS 2012R2 with no problems.  I am running MalwareBytes Enterprise.  I am proceeding to disable the Ransomware protection and test the servers.  I will also submit an incident to support.

Link to post
Share on other sites

4 hours ago, BillPeavy said:

Dylion,

I've not seen this documented anywhere.  Can you point it out please?

Thanks,

 

 

In my case Window Server is in the requirements (Endpoint Security Quick Start Guide.pdf) :

Capture.PNG

Link to post
Share on other sites

MBMC's admin guide lists the compatibility for the Managed Client communicator portion. To understand the compatibility for each of the protection pieces, it is best to read the admin guides for those individual items.

Anti-Ransomware 0.9 Admin Guide:
Operating System: Windows 10 (32/64-bit), Windows 8.1 (32/64-bit), Windows 8 (32/64-bit), Windows 7 (32/64-bit) • CPU:  800 MHz or faster • RAM:  1024 MB • Free Disk Space:  100 MB • Recommended Screen Resolution: 1024x768 or higher • Active Internet connection 

Anti-Ransomware 0.9 Administrator Guide.pdf Anti-Malware for Business 1.80 Administrator Guide.pdf Anti-Exploit Unmanaged Client 1.12 Administrator Guide.pdf Management Console Administrator Guide.pdf

Link to post
Share on other sites

An overwhelming majority of attacks originate from your user's workstations. MBARW on the server will not stop an attack that is not within its own memory. The best position to protect the servers is to cover all endpoints, and reconsider BYOD type policies if security software is not deployed to those machines.

Link to post
Share on other sites

On 6/12/2019 at 11:43 AM, djacobson said:

MBMC's admin guide lists the compatibility for the Managed Client communicator portion. To understand the compatibility for each of the protection pieces, it is best to read the admin guides for those individual items.

Anti-Ransomware 0.9 Admin Guide:
Operating System: Windows 10 (32/64-bit), Windows 8.1 (32/64-bit), Windows 8 (32/64-bit), Windows 7 (32/64-bit) • CPU:  800 MHz or faster • RAM:  1024 MB • Free Disk Space:  100 MB • Recommended Screen Resolution: 1024x768 or higher • Active Internet connection 

Anti-Ransomware 0.9 Administrator Guide.pdfUnavailable Anti-Malware for Business 1.80 Administrator Guide.pdfUnavailable Anti-Exploit Unmanaged Client 1.12 Administrator Guide.pdfUnavailable Management Console Administrator Guide.pdfUnavailable

Thanks for this information.  When I originally licensed MBES, I remember being told it would work with Windows Server 2016.

That said, it seems to me that several users would have been saved grief had MBARW made at least a minimal effort to see if it was being installed on an unsupported OS.
Almost every software in my experience tests for compatibility with the OS -- why not MBARW?

Anyway, thanks for your clarification.

Link to post
Share on other sites

  • 7 months later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.