Process Hacker and Windows discussion

 
Almighty1
Member
Posts: 30
Location: San Francisco, California USA

Unable to kill nsbu.exe ever since 3.0.797 nightly build

28 Jul 2017, 18:19

I have been unable to kill the nsbu.exe (Norton Security with Backup) ever since nightly build 3.0.774 which includes the current 3.0.816 using the binaries package as it basically gives the Access is Denied error in the screenshot below.
2017-07-28_11-15-56.jpg
2017-07-28_11-14-18.jpg
nsbu.exe has 2 processes and before with 3.0.767 and earlier, it was able to kill it without issues so the problem only occurs with the nightly builds 3.0.774, 3.0.782, 3.0.788, 3.0.790, 3.0.797, 3.0.803 and 3.0.816 as I just tested all the versions in the binary packages to verify which versions worked and which don't. I need to use Process Hacker to kill nsbu.exe because I, like others, have the disable AutoProtect option greyed out so sometimes it will keep deleting the Process Hacker files like the kprocesshacker.sys and ProcessHacker.exe as soon as I unzip it because some people marked the files as untrusted. I had to use the Terminator plug-in binaries from viksoftru's personal build of YandexDisk mentioned in the following thread with the default options on one of the nsbu.exe which is the only way I can successfully kill the processes.

viewtopic.php?f=14&t=2314
 
dmex
Admin
Posts: 1244
Location: Australia

Re: Unable to kill nsbu.exe ever since 3.0.797 nightly build

28 Jul 2017, 21:17

Almighty1 wrote:
28 Jul 2017, 18:19
I, like others, have the disable AutoProtect option greyed out so sometimes it will keep deleting the Process Hacker files like the kprocesshacker.sys and ProcessHacker.exe as soon as I unzip it because some people marked the files as untrusted.
Dunno about that, I wasn't able to reproduce this behavior :?
Almighty1 wrote:
28 Jul 2017, 18:19
before with 3.0.767 and earlier, it was able to kill it without issues so the problem only occurs with the nightly builds 3.0.774, 3.0.782, 3.0.788, 3.0.790, 3.0.797, 3.0.803 and 3.0.816 as I just tested all the versions in the binary packages to verify which versions worked and which don't.
I set up two fresh virtual machines with Windows 7 and Windows 10 and installed Norton Security with Backup version 22.10.0.85 and the nightly version 3.0.816 was able to terminate Norton successfully... It doesn't appear to be a problem with Norton or at least I wasn't able to reproduce this issue.

For security reasons... Process Hacker won't be able to terminate Norton when the driver integrity checks are unable to verify the ProcessHacker.exe signature.

1) If you're using the binary packages are you extracting all files into a folder or are you running directly from the zip?
2) Does the folder contain the "processhacker.sig" file?
 
Almighty1
Member
Posts: 30
Location: San Francisco, California USA

Re: Unable to kill nsbu.exe ever since 3.0.797 nightly build

28 Jul 2017, 21:40

I forgot to mention I was running Windows 10 Home Edition x64 with Creators Update. I normally extract the binary packages to a folder of the same name and then run it, never knew you can run files from the zip itself. Yes, the folder contains the processhacker.sig file. I don't create any files that the unzipped archive didn't already have.
 
Almighty1
Member
Posts: 30
Location: San Francisco, California USA

Re: Unable to kill nsbu.exe ever since 3.0.797 nightly build

29 Jul 2017, 03:26

Just an update, seems like everything works fine once I rebooted. Not sure what happened.
 
dmex
Admin
Posts: 1244
Location: Australia

Re: Unable to kill nsbu.exe ever since 3.0.797 nightly build

29 Jul 2017, 04:30

Almighty1 wrote:
29 Jul 2017, 03:26
Just an update, seems like everything works fine once I rebooted. Not sure what happened.
Lol, that was my next question :p:

I'll close the ticket :thumbup:
 
Almighty1
Member
Posts: 30
Location: San Francisco, California USA

Re: Unable to kill nsbu.exe ever since 3.0.797 nightly build

29 Jul 2017, 04:37

Somehow I think 767 must have been the version I first ran after the previous reboot. Been meaning to ask one other question as I noticed in the Readme file, it says in the registry,
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\KProcessHacker3\Parameters\SecurityLevel should be set to 2 which was how I've had it for the past few years but for the nightly builds, should this be set to 0 instead or would 2 be fine and this is only if PH is not running as Admin right but doesn't matter if I run PH as Admin.
 
dmex
Admin
Posts: 1244
Location: Australia

Re: Unable to kill nsbu.exe ever since 3.0.797 nightly build

29 Jul 2017, 05:02

Almighty1 wrote:
29 Jul 2017, 04:37
SecurityLevel should be set to 2 which was how I've had it for the past few years but for the nightly builds, should this be set to 0 instead or would 2 be fine and this is only if PH is not running as Admin right but doesn't matter if I run PH as Admin.
2 is the best value since it requires administrative privileges in addition to the signature checking... If you change the value then you can use the driver without administrative privileges but this reduces security.
 
Almighty1
Member
Posts: 30
Location: San Francisco, California USA

Re: Unable to kill nsbu.exe ever since 3.0.797 nightly build

31 Jul 2017, 11:00

Thanks, I have another question. Since I am running the binaries version of PH, is there another way to get it to completely load so it can kill nsbu.exe without rebooting since I thought when I quit running the previous version and run the newer ProcessHacker.exe, it would have given the correct permissions in the kernel unless there is some service running somewhere.
 
dmex
Admin
Posts: 1244
Location: Australia

Re: Unable to kill nsbu.exe ever since 3.0.797 nightly build

31 Jul 2017, 11:18

Almighty1 wrote:
31 Jul 2017, 11:00
I thought when I quit running the previous version and run the newer ProcessHacker.exe, it would have given the correct permissions in the kernel unless there is some service running somewhere.
The updater does the whole process of updating the driver and you don't need to reboot... It shouldn't happen again but if it does you can just execute "sc stop kprocesshacker3" and the driver will be reset without a reboot :thumbup:
 
Almighty1
Member
Posts: 30
Location: San Francisco, California USA

Re: Unable to kill nsbu.exe ever since 3.0.797 nightly build

31 Jul 2017, 11:24

Just tried that before running ProcessHacker.exe and when I try to kill nsbu.exe, I still get the Access is Denied error on the versions after 816 as 816 was the version I ran after rebooting.
 
dmex
Admin
Posts: 1244
Location: Australia

Re: Unable to kill nsbu.exe ever since 3.0.797 nightly build

31 Jul 2017, 11:40

Almighty1 wrote:
31 Jul 2017, 11:24
when I try to kill nsbu.exe, I still get the Access is Denied error on the versions after 816 as 816 was the version I ran after rebooting.
Why are you getting access denied again? :?

The driver and the signature checks have not changed since March 2016 and every version since that date has used the same driver and the same signature so something has to be interfering with the signature checks and causing them to fail... Are you using something other than Norton as your security software?
 
Almighty1
Member
Posts: 30
Location: San Francisco, California USA

Re: Unable to kill nsbu.exe ever since 3.0.797 nightly build

31 Jul 2017, 12:06

No idea, it seems like I can run all versions from the first one used after the reboot and earlier, just the versions after that aren't working. Not using anything other than Norton other than Malwarebytes 3.
 
Almighty1
Member
Posts: 30
Location: San Francisco, California USA

Re: Unable to kill nsbu.exe ever since 3.0.797 nightly build

31 Jul 2017, 12:57

Played around with it some more and basically this is what happens originally...
On the last reboot, whatever version I run first which in this case is 816 and earlier builds will be able to kill nsbu.exe without issues.
If I try to use a later build than the version after rebooting being 816 which in this case is 843 and 845, it will report access is denied when trying to kill the nsbu.exe process.
So I basically go to Norton's settings and have to disable the Norton Tamper Protection and then I can successfully kill nsbu.exe without issues.
When nsbu.exe is run again, Norton Tamper Protection is still disabled so enabling it will still cause the Access is Denied when killing nsbu.exe. Somehow on Windows 10 Home Edition x64 with Creators Update, one can only kill nsbu.exe with Norton Tamper Protection enabled with the first version run after the reboot and earlier builds.
 
dmex
Admin
Posts: 1244
Location: Australia

Re: Unable to kill nsbu.exe ever since 3.0.797 nightly build

31 Jul 2017, 13:30

Almighty1 wrote:
31 Jul 2017, 12:57
one can only kill nsbu.exe with Norton Tamper Protection enabled with the first version run after the reboot and earlier builds.
Based on the above:
1) Older versions can successfully terminate nsbu.exe when 'Norton Tamper Protection' is enabled.
2) Newer versions can successfully terminate nsbu.exe when 'Norton Tamper Protection' is disabled.

Is that correct?
 
Almighty1
Member
Posts: 30
Location: San Francisco, California USA

Re: Unable to kill nsbu.exe ever since 3.0.797 nightly build

31 Jul 2017, 13:36

Not exactly. If I reboot and run 845 as an example, it will be able to successfully terminate nsbu.exe with Norton Tamper Protection enabled, so basically it's a <=845.
>845 because 845 was the version used after rebooting, will not be able to successfully terminate nsbu.exe unless Norton Tamper Protection is disabled. Only way to get the >845 to work with Norton Tamper Protection enabled is to reboot and run that version of PH.
 
dmex
Admin
Posts: 1244
Location: Australia

Re: Unable to kill nsbu.exe ever since 3.0.797 nightly build

31 Jul 2017, 13:46

Almighty1 wrote:
31 Jul 2017, 13:36
reboot and run that version of PH.
Download 845 from here:
https://ci.appveyor.com/project/process ... /artifacts

Download 843 from here:
https://ci.appveyor.com/project/process ... /artifacts

1) Enable "Norton Tamper Protection"
2) Reboot and run build 843 as administrator (Hacker menu > Shows details for all processes)
3) Exit build 843.
4) Open an elevated command prompt (make sure command prompt has 'Administrator' in the window title)
5) Execute:
sc stop KProcessHacker3
sc delete KProcessHacker3
6) Make sure you see "[SC] DeleteService SUCCESS"
7) Run build 845
8) Try to kill nsbu.exe

Let me know if build 845 is able to kill nsbu.exe after running 843 and without rebooting.
 
Almighty1
Member
Posts: 30
Location: San Francisco, California USA

Re: Unable to kill nsbu.exe ever since 3.0.797 nightly build

31 Jul 2017, 15:23

1) Rebooted system after enabling Norton Tamper Protection in Norton Security with Backup
2) Downloaded processhacker-3.0.843-bin.zip and extracted to processhacker-3.0.843-bin folder on desktop
3) Downloaded processhacker-3.0.845-bin.zip and extracted to processhacker-3.0.845-bin folder on desktop
4) Run processhacker-3.0.843-bin\x64\ProcessHacker.exe with Run as administrator by right clicking on ProcessHacker.exe file. I don't have a Show details for all Processes under the hacker menu.
2017-07-31_8-11-33.jpg
5) Exit build 843
6) Open an elevated command prompt - made sure command prompt has 'Administrator' in the window title
7) Execute:
sc stop KProcessHacker3
sc delete KProcessHacker3
8) Didn't see "[SC] DeleteService SUCCESS" as the error is as follows:
C:\WINDOWS\system32>sc delete KProcessHacker3
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.


C:\WINDOWS\system32>
2017-07-31_8-17-20.jpg
9) Run build 845 by running processhacker-3.0.845-bin\x64\ProcessHacker.exe with Run as administrator by right clicking on ProcessHacker.exe file.
10) Try to kill nsbu.exe
Both of the nsbu.exe processes got killed in build 845 after running 843 without rebooting. I think this works because I didn't use 843 to kill the nsbu.exe before step 5.
 
dmex
Admin
Posts: 1244
Location: Australia

Re: Unable to kill nsbu.exe ever since 3.0.797 nightly build

31 Jul 2017, 16:49

Almighty1 wrote:
31 Jul 2017, 15:23
Didn't see "[SC] DeleteService SUCCESS" as the error is as follows:
C:\WINDOWS\system32>sc delete KProcessHacker3
[SC] OpenService FAILED 1060:
Error 1060: ERROR_SERVICE_DOES_NOT_EXIST (The specified service does not exist as an installed service)

The driver was deleted which is exactly what the 'delete' command would have done anyway and you don't need to worry about that error :thumbup:
Almighty1 wrote:
31 Jul 2017, 15:23
Both of the nsbu.exe processes got killed in build 845 after running 843 without rebooting. I think this works because I didn't use 843 to kill the nsbu.exe before step 5.
If you can give it a try then it would help me narrow down the problem, just remember to delete the driver before running a different version.
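
An added example, not part of either poster's messages and not Process Hacker's own tooling: a PowerShell check of the three things the thread keeps returning to (the registered KProcessHacker3 driver, the SecurityLevel value, and processhacker.sig), with an optional reset that reports error 1060 as "already removed" instead of a failure. `$BuildDir` and the `-Reset` switch are names introduced here; the service name, registry path and file name are the ones quoted in the thread.

```powershell
# Added example, not Process Hacker's own tooling. Run from an elevated prompt.
# KProcessHacker3, SecurityLevel and processhacker.sig are named in the thread;
# $BuildDir is a placeholder for the folder the binary package was extracted to.
param(
    [Parameter(Mandatory)] [string] $BuildDir,
    [switch] $Reset   # also stop and delete the driver service
)

$name = 'KProcessHacker3'

# Which driver file is registered, and is it running?
$drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$name'"
if ($drv) {
    "Driver: state=$($drv.State) image=$($drv.PathName)"
} else {
    "Driver: service not installed"
}

# SecurityLevel as discussed above (2 = signature check plus administrator).
$key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$name\Parameters"
$level = (Get-ItemProperty -Path $key -Name SecurityLevel -ErrorAction SilentlyContinue).SecurityLevel
if ($null -eq $level) { "SecurityLevel: not set" } else { "SecurityLevel: $level" }

# dmex asks whether processhacker.sig is present in the extracted folder.
$sig = Get-ChildItem -Path $BuildDir -Recurse -Filter 'processhacker.sig' -ErrorAction SilentlyContinue
if ($sig) { "Signature file: $($sig.FullName -join ', ')" } else { "Signature file: MISSING under $BuildDir" }

if ($Reset) {
    # 'sc' is an alias for Set-Content in Windows PowerShell, so call sc.exe.
    foreach ($verb in 'stop', 'delete') {
        sc.exe $verb $name | Out-Null
        switch ($LASTEXITCODE) {
            0       { "sc ${verb}: ok" }
            1060    { "sc ${verb}: service already gone (ERROR_SERVICE_DOES_NOT_EXIST)" }
            1062    { "sc ${verb}: driver was not running" }
            default { "sc ${verb}: failed with Win32 error $LASTEXITCODE" }
        }
    }
}
```

Comparing the reported driver image path with the folder of the build being launched shows whether the registered driver still belongs to a previously run build.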
 
Almighty1
Member
Posts: 30
Location: San Francisco, California USA

Re: Unable to kill nsbu.exe ever since 3.0.797 nightly build

31 Jul 2017, 18:58

Thanks dmex. I think what needs to be done is to leave the system running 845 for now without rebooting until the next nightly build comes out which we will call X for now.
Then basically do the following:
1) Exit build 845
2) Open an elevated command prompt - made sure command prompt has 'Administrator' in the window title
3) Execute:
sc stop KProcessHacker3
sc delete KProcessHacker3
4) Run build X by running processhacker-3.0.X-bin\x64\ProcessHacker.exe with Run as administrator by right clicking on ProcessHacker.exe file.
5) Try to kill nsbu.exe under version X and see if it works.
 
Almighty1
Member
Posts: 30
Location: San Francisco, California USA

Re: Unable to kill nsbu.exe ever since 3.0.797 nightly build

01 Aug 2017, 08:15

Just saw build 846 is out so will try the experiment as mentioned in post #19 above to see what happens. Have not rebooted yet since using 845 which is still running now.
So here we go.

1) Downloaded 846 as processhacker-3.0.846-bin.zip and extracted to processhacker-3.0.846-bin folder on desktop
2) exit build 845
3) Open an elevated command prompt - made sure command prompt has 'Administrator' in the window title
4) Execute:
sc stop KProcessHacker3
sc delete KProcessHacker3
with results as seen below:
2017-08-01_1-11-16.jpg
5) Run build 846 by running processhacker-3.0.X-bin\x64\ProcessHacker.exe with Run as administrator by right clicking on ProcessHacker.exe file.
6) Try to kill nsbu.exe under Build 846 and see if it works. Not working:
2017-08-01_1-13-57.jpg
Trying with Norton Tamper Protection disabled, the previous workaround which kills both nsbu.exe processes without issues.
Trying with Norton Tamper Protection enabled, build 831 which was the build before 843 to test the less or equal to build 843 theory which kills both nsbu.exe processes without issues.
