Process Hacker and Windows discussion

 
MerleOne
New User
Posts: 0
OS: Win 10 64 bits
Location: Paris

Process Hacker (Latest version, 2.39 ?) & Win 10

01 Nov 2016, 13:01

Hi,
I have come across a strange issue with Process Hacker & Win 10. On 2 different Win 10 PCs, a Lenovo X700 and an Asus, after PH is installed and running, the Shutdown, Restart, Sleep buttons from the menu won't work any longer, most of the time.
After I uninstall PH and reboot, it works again.
Too bad, since PH is working fine with Win 8.1 and previous versions down to XP...
 
L1Cache
New User
Posts: 2
OS: Windows 10 64bit
Location: United States

Re: Process Hacker (Latest version, 2.39 ?) & Win 10

02 Nov 2016, 09:46

Windows 10 64bit  Version 1607 Build 14393.351

I also have a similar problem with Process Hacker. I noticed that after I had used Process Hacker, when I went to Shutdown or Restart the computer, nothing would happen. If I waited about 4.5 minutes the computer would then shut down. This only happened if I used Process Hacker at any time during the Session. If I did not use Process Hacker during a Session it did not happen. I use the Portable Version 2.39 of Process Hacker.

I used a Forced Keyboard Crash to get a memory dump. My system is set to get an active memory dump. Here is a summary of what I found. 

THREAD ffffd28c8822e800  Cid 0368.18c8 in Winlogon had a Critical Section. 

That Critical Section was Owned by  THREAD ffffd28c871b2800  Cid 0368.0170 in Winlogon. 

Thread 170 was waiting on “Waiting for reply to ALPC Message ffffe5888328f360 : queued at port ffffd28c87182090 : owned by process ffffd28c86f51800”. 

Process ffffd28c86f51800 or Svchost.exe was in Sleep and ntdll!NtDelayExecution waiting for a Timer; “ffffd28c871bf540    590fe777 00000002 [10/ 8/2016 02:56:59.768]  thread ffffd28c871bf440” Owned by its own Thread:  thread ffffd28c871bf440.

 
 I also noticed that the Address on the Unknown Object in Thread ffffd28c8822e800 did not appear to be correct.
THREAD ffffd28c8822e800  Cid 0368.18c8  Teb: 000000d818bbd000 Win32Thread: 0000000000000000 WAIT: (WrAlertByThreadId) UserMode Non-Alertable
 00007ff7767effa8  Unknown


Next I ran Verifier on Kprocessor.sys and this is what I got:

BugCheck C4, {e1, ffffed8fe36b0f70, 0, 0}
Probably caused by : kprocesshacker.sys ( kprocesshacker+10e2 )

DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
A device driver attempting to corrupt the system has been caught.  This is
because the driver was specified in the registry as being suspect (by the
administrator) and the kernel has enabled substantial checking of this driver.
If the driver attempts to corrupt the system, bugchecks 0xC4, 0xC1 and 0xA will
be among the most commonly seen crashes.
Arguments:
Arg1: 00000000000000e1, Synchronization object address is bogus or pageable.
Arg2: ffffed8fe36b0f70, Synchronization object address.
Arg3: 0000000000000000
Arg4: 0000000000000000


I hope this helps. By the way, thanks for such a great product.
 
MerleOne
New User
Posts: 0
OS: Win 10 64 bits
Location: Paris

Re: Process Hacker (Latest version, 2.39 ?) & Win 10

02 Nov 2016, 17:15

Whoa, this is what I call deep Windows analysis. Thanks a lot. This also means that the portable version causes the same issue.

I forgot to mention I found a workaround: use the command line to restart or shut down the PC. In that case it works fine. But sometimes, the old reflexes resurface and I use the menu button and am in trouble...

I do hope PH developers fix this!

Regards,

Merle1
 
dmex
Admin
Posts: 1256
Location: Australia

Re: Process Hacker (Latest version, 2.39 ?) & Win 10

02 Nov 2016, 17:19

MerleOne wrote:
the Shutdown, Restart, Sleep buttons from the menu won't work any longer, most of the time.

That's likely a bug in Windows 10 caused by a recent patch. I've seen that problem on only one machine, and that machine never had Process Hacker installed; the issue should have been fixed with KB3197954.

MerleOne wrote:
After I uninstall PH and reboot, it works again.

I've never had that issue on my 3 machines running Windows 10?

L1Cache wrote:
Next I ran Verifier on Kprocessor.sys and this is what I got

The KPH driver includes a 'self-defense security mechanism' that blocks 3rd party software (including Driver Verifier) from being able to communicate with our driver, which causes Driver Verifier to show "violations" that otherwise don't exist.

The other issue with Driver Verifier is that it's designed for 'device' drivers and not 'software' drivers like KPH and will show a number of false positives. If you wanted to test KPH with Driver Verifier then you will need to build the driver yourself. We have tested KPH and never found any actual 'violations'.
 
MerleOne
New User
Posts: 0
OS: Win 10 64 bits
Location: Paris

Re: Process Hacker (Latest version, 2.39 ?) & Win 10

02 Nov 2016, 19:39

Thanks. The issue I had with Win10 first appeared in April, so it's not a recent bug, and I find it curious it just appeared on a new machine yesterday after PH was installed. That's why I thought it was responsible for this. And indeed, when uninstalled, the Shutdown, Restart, Sleep buttons work again as expected, so I cannot think it's a Windows 10 only issue. All the better if it works on other Win10 PCs, I just wish it would on mine!

Regards,

merle1

PS: I don't seem to receive the confirmation mail for this forum, is there anything to do?
 
MerleOne
New User
Posts: 0
OS: Win 10 64 bits
Location: Paris

Re: Process Hacker (Latest version, 2.39 ?) & Win 10

02 Nov 2016, 19:43

BTW this update was installed 3 days ago only...

Cumulative Update for Windows 10 Version 1607 for x64-based Systems (KB3197954).
 
L1Cache
New User
Posts: 2
OS: Windows 10 64bit
Location: United States

Re: Process Hacker (Latest version, 2.39 ?) & Win 10

31 Mar 2017, 05:36

Just curious if any of you guys are still having Windows shutdown or restart problems when running Process Hacker in Windows 10? Would you by any chance have VirtualBox installed on your machine?
After dmex gave me a heads up about Verifier and Kprocessor.sys I looked a little deeper at the Dump File. The one thing that stood out was when looking at the Stack residue of the kernel thread ffffd28c871bf440.
With the dps command I saw several references to VBoxDrv.sys. I changed the startup type for VBoxDrv to disabled. Over the past month of testing without VBoxDrv.sys running I no longer have the shutdown or restart issues when running Process Hacker.
