Need to report a possible bug between windows 7 and Malwarebytes Premium

[advancedcompute]

Need to report a possible bug between windows 7 and Malware bytes Premium. We are a tech Bench partner. We have encountered over 12 of our customers reporting. The following:

All systems running Windows 7 as well as Malware bytes Premium latest version. Windows 7 updates are disabled but Microsoft defender was running either in background  or fully enabled and sill updating. On or about 5/15/2024 either a Microsoft defender update (signature update) or a Malwerbytes update was installed. the result was upon shutdown or reboot command and consequent reboot. The following message is displayed:

"LogonUI.exe- Entry Point Not Found

The procedure point ProcessPrng could not be located in the dynamic link library bcryptprimitives.dll

We have traced the issue and there are several entries:

Please advise. Most of the systems are Critical process systems and that is why they are still using Widows 7.

[AdvancedSetup]

Good day @advancedcompute

Edited my post. I'm told you were asked to come here to the forums for a post

 

Edited May 23 by AdvancedSetup
Updated information

[AdvancedSetup]

Do you have a Windows 7 system that is either not having this issue or is not running Malwarebytes so we can check differences?

 

Let me get a set of logs from one of the system affected, please.

 

 

To begin, please do the following so that we may take a closer look at your installation for troubleshooting:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

• Download the Malwarebytes Support Tool
• In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
• In the User Account Control pop-up window, click Yes to continue the installation
• Run the MBST Support Tool
• In the left navigation pane of the Malwarebytes Support Tool, click Advanced
• In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
• A zip file named mbst-grab-results.zip will be saved to the Public desktop, please upload that file on your next reply

Thank you

 

[advancedcompute]

This is a log grab from one of the affected systems attached. We have a system in our office with windows 7 and is running Malwarebytes Teams. It IS Not affected at this time and was just updated to the new yesterday to the newest teams version. We will send a log grab from that for you as well.

We just got 3 more reports of the same issue.

mbst-grab-results.zip

[advancedcompute]

Collected files from Our unaffected Windows 7 system attached.

Addition.txt FRST.txt Shortcut.txt

[Porthos]

37 minutes ago, advancedcompute said:

one of the affected systems attached.

 

That log shows you are NOT on the current version of Malwarebytes like the unaffected one is.

On the affected one that you posted the log for, do the following. DO NOT use REVO.

Let's use the same support tool and do a clean uninstall and reinstall.

Please close all browsers and programs before running the tool.

Once done, it will attempt to reinstall Malwarebytes. After the reinstall installation restart the computer.

 

[EveryDayTech]

I work for a software company that has access to several customers still on Windows 7 and Server 2008. Every single one of these machines are doing this starting this past week. I found this thread on google. Only one customer has Malwarebytes. Seems like either an attack or a ticking time bomb in microsoft code. DISM and SFC wont fix it. 

[lmacri]

I know nothing about the Rust programming language, but could this error be related to Rust ending support for Win 7 and Win 8.x with the release of Rust v1.76 in Feb 2024?  See the announcement in the Rust Windows Support Schedule 2024.

According to a 24-Mar-2024 post by Nadahar in How to make RustDesk builds work on Windows 7 (and probably Windows 8) any executable compiled with Rust v1.76 or higher will now throw the error "The procedure entry point ProcessPrng could not be located in the dynamic link library bcryptprimitives.dll" when it runs on machines with these older OSs.

Edited May 27 by lmacri

[EveryDayTech]

53 minutes ago, lmacri said:

I know nothing about the Rust programming language, but could this error be related to Rust ending support for Win 7 and Win 8.x with the release of Rust v1.76 in Feb 2024?  See the announcement in the Rust Windows Support Schedule 2024.

According to a 24-Mar-2024 post by Nadahar in How to make RustDesk builds work on Windows 7 (and probably Windows 8) any executable compiled with Rust v1.76 or higher will now throw the error "The procedure entry point ProcessPrng could not be located in the dynamic link library bcryptprimitives.dll" when it runs on machines with these older OSs.

Thanks for this, when i get control of the console of a machine Tuesday I will give it a shot. I think I figured out the install process though, let me know if you better this.
 

Download rustup 64 bit
https://www.rust-lang.org/tools/install

run, select option 2
hit Y, ignore visual studio requirement
once done, dont restart
open commandprompt
put the following command in
rustup default 1.75.0-x86_64-pc-windows-msvc

[AdvancedSetup]

I seriously do not believe it is related or has anything to do with it. Windows 7 did not ship with Rust and there was no link to download, update, or recommend Rust directly from Microsoft in the past that I recall.

That is a very unique program that the vast majority of Windows 7 probably does not have installed.

 

Edited May 29 by AdvancedSetup
Updated information

[AdvancedSetup]

Possibly see if this update works @EveryDayTech  @advancedcompute

 

https://catalog.update.microsoft.com/Search.aspx?q=Windows-7+x64+2024-04

 

 

Edited May 28 by AdvancedSetup
Updated information

[AdvancedSetup]

Those are the updates from April 2024 for Windows 7

Here are the ones for May 2024 for Windows 7

https://catalog.update.microsoft.com/Search.aspx?q=Windows-7+x64+2024-05

 

[z3r0c00l]

I'm having the same issues on all my server 2008r2 servers. I found that the event ID for the alert is 26 and only happens when logging in/out or on reboots. I reboot 1 of the servers daily and was able to narrow down that the issue first appeared on 5/11. There were no windows updates installed on that date however I did update the screenconnect agent to 24.1.7.8892. I was able to confirm that the connectwise screenconnect agent is causing the problem by uninstalling the agent and reboot, issue goes away. If I reinstall the agent the problem comes back. I opened a ticket with connectwise and they said they are working on releasing a fix soon. As server 2008 and 2008r2 are affected I would bet win 7 machines are too. Hope this helps as it was driving me nuts as well.

[wizdude]

2 hours ago, z3r0c00l said:

however I did update the screenconnect agent to 24.1.7.8892. I was able to confirm that the connectwise screenconnect agent is causing the problem by uninstalling the agent and reboot, issue goes away.

talk about timing. had the same issue today on an old 2008R2 box we are trying to decommission and experienced the same problem. living with it until a fix/patch from connectwise comes along, or when we are finished with the old box and switch it off - whichever comes first. thanks for posting :-)

cheers, wizdude

 

[AdvancedSetup]

@advancedcompute

Please see above note about Screenconnect

 

[EveryDayTech]

On 5/30/2024 at 1:13 AM, AdvancedSetup said:

@advancedcompute

Please see above note about Screenconnect

Confirmed, was definitely screenconnect, and their latest update does not resolve either. Thank you everyone for coming together to figure this out.

 

[SpongeWorthy]

See build 24.1.8 here...

https://docs.connectwise.com/ConnectWise_ScreenConnect_Documentation/ConnectWise_ScreenConnect_release_notes/Release_notes_archive

 

[EveryDayTech]

Connectwise responded to my case today

"Unfortunately we had registered this as a known issue with id : Issue #SCP-38742 Win7 Embedded and Server 2008 64 bit show LoginUI error on shutdown and reboot (24.1.7) and the fix patch version for the known issue is : 24.1.9.8915."

Edited June 1 by AdvancedSetup
Corrected font issue

[MWSTAVEN]

What ended up working to fix: LogonUL.exe – Entry Point Not Found. The procedure entry point ProcessPrng could not be located in the dynamic link library bcryptprimitives.dll? Really important to see the fix. An 80-year-old woman needs help with this.

[advancedcompute]

Oddly enough we traced this out to the same end. As our own windows 7 pro system accesses Screen Connect host but does not run the client. However we also disabled Microsoft Windows defender years ago and use Malwarebytes exclusively. We were not effected.

We have checked all effected systems and found that Microsoft had updated it's Microsoft Windows defender signatures just before this issue

appeared. Is it possible the two are linked? See the attached excerpt from Connect Wise. We were unable to remove the Microsoft Windows defender signatures up to the fail date to test this. But if the Microsoft Windows defender signatures update wrongfully blocked the "Authentication package" then the two maybe linked to this problem. Windows server does run Microsoft Windows defender. We do not have any windows 2008r2 servers. It would be interesting to check and see if an defender update occurred on them.

 

 

[advancedcompute]

In update to the ScreenConnect update all our current effected windows 7 clients are using:

ScreenConnect checked your version against the latest version to see if you are up to date. If you are not up to date, ScreenConnect checked to see whether your license permits you to upgrade.

Your Version:

24.1.7.8892

[Nocturnal]

We've been having this issue on two Server 2008R2 servers that had both Malwarebytes Endpoint and ScreenConnect installed. Thank you for the info. We're still waiting for a fix from Screen Connect I take it?

[jrw2k]

Confirmed, an issue with screen connect on Server 2008 R2...

[David H. Lipman]

Please note that this sub-forum, Malwarebytes for Windows Support Forum, is for the retail product, not the business product(s).

Malwarebytes for Business Support  --->  Malwarebytes Endpoint Security

[AdvancedSetup]

Business Support

https://support.threatdown.com/hc/en-us