Hi Guys,

I run the Windows Insider Preview on a PC at home and after updating to Build 21277.1000 this morning the PC began constantly crashing when logging into the PC (it would load to the login screen fine and stay there; the crash was about 30 seconds after logging in) with a familiar Green Screen stop crash and bugcheck. A quick troubleshoot and I found that it's definitely being caused by Sophos Intercept X Endpoint and I have disabled it in startup.

Any ideas how to fix, or do I need to wait until a new version of the Intercept X client?

Cheers
Hi Dread
What is the version of the Intercept X you are running? Under the event logs, do you see any specific error related to Sophos? You can try using this cumulative hotfix and see if it helps.
Shweta
Hi Shweta, thanks for the quick reply!

Checking Sophos Central, the product versions installed on this PC are:
Do you have a memory dump, either in \windows\memory.dmp or \windows\minidump\ that corresponds to these?
If so, can you load it into WinDbg (can get it from the Store or by downloading the SDK) and attach the contents of the window?
Hi there, I just wanted to chime in because I'm also seeing the same error in my environment as Dread. Computers running the Windows 10 insider build 21277 will GSOD after login, unless 'Sophos Endpoint Agent' is disabled on startup. However, if the user launches Sophos Endpoint Agent afterwards, the computer will GSOD again.
We're also running version 2.10.8 of Intercept X. I disabled tamper protection and applied the hotfix in your link, but the computer still GSODs upon launch of Sophos Endpoint Agent. Do you have any other suggestions?
I've attached the contents of WinDbg's analysis of both C:\Windows\MEMORY.DMP and the dump available in C:\Windows\Minidump.
from C:\Windows\MEMORY.DMP
Microsoft (R) Windows Debugger Version 10.0.20153.1000 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Windows\MEMORY.DMP]
Kernel Bitmap Dump File: Active memory is available
Dump completed successfully, progress percentage: 100

************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*
Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 21277 MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Edition build lab: 21277.1000.amd64fre.rs_prerelease.201207-1443
Machine Name:
Kernel base = 0xfffff807`6d200000 PsLoadedModuleList = 0xfffff807`6de33b30
Debug session time: Tue Jan  5 13:32:02.391 2021 (UTC - 8:00)
System Uptime: 0 days 0:00:57.064
Loading Kernel Symbols
...............................................................
................................................................
................................................................
.............................
Loading User Symbols
.....................................
Loading unloaded module list
............
For analysis of this file, run !analyze -v
nt!KeBugCheckEx:
fffff807`6d619060 48894c2408      mov     qword ptr [rsp+8],rcx ss:0018:fffff90d`ca3f7810=00000000000000ef
4: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

CRITICAL_PROCESS_DIED (ef)
        A critical system process died
Arguments:
Arg1: ffffd30421ee8080, Process object or thread object
Arg2: 0000000000000000, If this is 0, a process died. If this is 1, a thread died.
Arg3: 0000000000000000
Arg4: 0000000000000000

Debugging Details:
------------------

KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.mSec
    Value: 3437

    Key  : Analysis.DebugAnalysisProvider.CPP
    Value: Create: 8007007e on DESKTOP-UK4FQDV

    Key  : Analysis.DebugData
    Value: CreateObject

    Key  : Analysis.DebugModel
    Value: CreateObject

    Key  : Analysis.Elapsed.mSec
    Value: 3445

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 93

    Key  : Analysis.System
    Value: CreateObject

    Key  : Dump.Attributes.FilterDumpFile
    Value: 1

    Key  : WER.OS.Branch
    Value: rs_prerelease

    Key  : WER.OS.Timestamp
    Value: 2020-12-07T14:43:00Z

    Key  : WER.OS.Version
    Value: 10.0.21277.1000

ADDITIONAL_XML: 1

OS_BUILD_LAYERS: 1

DUMP_FILE_ATTRIBUTES: 0x1040
  Filter Dump

BUGCHECK_CODE:  ef

BUGCHECK_P1: ffffd30421ee8080

BUGCHECK_P2: 0

BUGCHECK_P3: 0

BUGCHECK_P4: 0

PROCESS_NAME:  svchost.exe

CRITICAL_PROCESS:  svchost.exe

ERROR_CODE: (NTSTATUS) 0x376f5080 - <Unable to get error code text>

BLACKBOXBSD: 1 (!blackboxbsd)

BLACKBOXNTFS: 1 (!blackboxntfs)

BLACKBOXPNP: 1 (!blackboxpnp)

BLACKBOXWINLOGON: 1

STACK_TEXT:
fffff90d`ca3f7808 fffff807`6db6c90a : 00000000`000000ef ffffd304`21ee8080 00000000`00000000 00000000`00000000 : nt!KeBugCheckEx
fffff90d`ca3f7810 fffff807`6da6e6d3 : ffffd304`21ee8080 ffffd304`28ac9378 00000000`00000000 fffff807`6d4fd3ef : nt!PspCatchCriticalBreak+0x11a
fffff90d`ca3f78b0 fffff807`6d8f819c : ffffd304`21ee84b8 00000000`00000000 ffffd304`21ee8080 00007ffa`5908e001 : nt!PspTerminateAllThreads+0x174c8b
fffff90d`ca3f7920 fffff807`6d8f7110 : ffffffff`ffffffff ffffd304`2a1d30c0 ffffd304`376f5080 00000000`80000001 : nt!PspTerminateProcess+0xe0
fffff90d`ca3f7960 fffff807`6d62b2f5 : ffffd304`000004b4 ffffd304`376f5080 ffffd304`21ee8080 ffffd304`00000000 : nt!NtTerminateProcess+0xb0
fffff90d`ca3f79e0 00007ffa`91a97174 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25
000000d2`06bff258 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!NtTerminateProcess+0x14

SYMBOL_NAME:  ntdll!NtTerminateProcess+14

MODULE_NAME: ntdll

IMAGE_NAME:  ntdll.dll

STACK_COMMAND:  .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET:  14

FAILURE_BUCKET_ID:  0xEF_svchost.exe_BUGCHECK_CRITICAL_PROCESS_376f5080_ntdll!NtTerminateProcess

OS_VERSION:  10.0.21277.1000

BUILDLAB_STR:  rs_prerelease

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {1f98d8f1-0ced-5a9a-8bb5-5da6943fc861}

Followup:     MachineOwner
---------
from the dump available in C:\Windows\Minidump
Microsoft (R) Windows Debugger Version 10.0.20153.1000 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Windows\Minidump\010521-9546-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*
Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 21277 MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Edition build lab: 21277.1000.amd64fre.rs_prerelease.201207-1443
Machine Name:
Kernel base = 0xfffff807`6d200000 PsLoadedModuleList = 0xfffff807`6de33b30
Debug session time: Tue Jan  5 13:32:02.391 2021 (UTC - 8:00)
System Uptime: 0 days 0:00:57.064
Loading Kernel Symbols
...............................................................
................................................................
................................................................
.............................
Loading User Symbols
Loading unloaded module list
............
For analysis of this file, run !analyze -v
nt!KeBugCheckEx:
fffff807`6d619060 48894c2408      mov     qword ptr [rsp+8],rcx ss:0018:fffff90d`ca3f7810=00000000000000ef
4: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

CRITICAL_PROCESS_DIED (ef)
        A critical system process died
Arguments:
Arg1: ffffd30421ee8080, Process object or thread object
Arg2: 0000000000000000, If this is 0, a process died. If this is 1, a thread died.
Arg3: 0000000000000000
Arg4: 0000000000000000

Debugging Details:
------------------

KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.mSec
    Value: 5093

    Key  : Analysis.DebugAnalysisProvider.CPP
    Value: Create: 8007007e on DESKTOP-UK4FQDV

    Key  : Analysis.DebugData
    Value: CreateObject

    Key  : Analysis.DebugModel
    Value: CreateObject

    Key  : Analysis.Elapsed.mSec
    Value: 21744

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 82

    Key  : Analysis.System
    Value: CreateObject

    Key  : WER.OS.Branch
    Value: rs_prerelease

    Key  : WER.OS.Timestamp
    Value: 2020-12-07T14:43:00Z

    Key  : WER.OS.Version
    Value: 10.0.21277.1000

ADDITIONAL_XML: 1

OS_BUILD_LAYERS: 1

BUGCHECK_CODE:  ef

BUGCHECK_P1: ffffd30421ee8080

BUGCHECK_P2: 0

BUGCHECK_P3: 0

BUGCHECK_P4: 0

PROCESS_NAME:  svchost.exe

CRITICAL_PROCESS:  svchost.exe

ERROR_CODE: (NTSTATUS) 0x376f5080 - <Unable to get error code text>

BLACKBOXBSD: 1 (!blackboxbsd)

BLACKBOXNTFS: 1 (!blackboxntfs)

BLACKBOXPNP: 1 (!blackboxpnp)

BLACKBOXWINLOGON: 1

CUSTOMER_CRASH_COUNT:  1

STACK_TEXT:
fffff90d`ca3f7808 fffff807`6db6c90a : 00000000`000000ef ffffd304`21ee8080 00000000`00000000 00000000`00000000 : nt!KeBugCheckEx
fffff90d`ca3f7810 fffff807`6da6e6d3 : ffffd304`21ee8080 ffffd304`28ac9378 00000000`00000000 fffff807`6d4fd3ef : nt!PspCatchCriticalBreak+0x11a
fffff90d`ca3f78b0 fffff807`6d8f819c : ffffd304`21ee84b8 00000000`00000000 ffffd304`21ee8080 00007ffa`5908e001 : nt!PspTerminateAllThreads+0x174c8b
fffff90d`ca3f7920 fffff807`6d8f7110 : ffffffff`ffffffff ffffd304`2a1d30c0 ffffd304`376f5080 00000000`80000001 : nt!PspTerminateProcess+0xe0
fffff90d`ca3f7960 fffff807`6d62b2f5 : ffffd304`000004b4 ffffd304`376f5080 ffffd304`21ee8080 ffffd304`00000000 : nt!NtTerminateProcess+0xb0
fffff90d`ca3f79e0 00007ffa`91a97174 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25
000000d2`06bff258 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffa`91a97174

SYMBOL_NAME:  nt!PspCatchCriticalBreak+11a

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

IMAGE_VERSION:  10.0.21277.1000

STACK_COMMAND:  .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET:  11a

FAILURE_BUCKET_ID:  0xEF_svchost.exe_BUGCHECK_CRITICAL_PROCESS_376f5080_nt!PspCatchCriticalBreak

OS_VERSION:  10.0.21277.1000

BUILDLAB_STR:  rs_prerelease

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {a02b1c70-8dbe-b3af-aefe-af6b2a744809}

Followup:     MachineOwner
---------
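Added example (not posted by anyone in this thread and not Sophos or Microsoft code): a small Python parser for the `!analyze -v` text above that recovers the bugcheck fields and STACK_TEXT frames even from a copy whose line breaks were flattened by the forum, plus a first-pass triage of a CRITICAL_PROCESS_DIED dump. The sample is an excerpt of the posted output; the triage heuristics are assumptions of mine, not WinDbg logic.

```python
import re

# Constructed sample: an excerpt of the `!analyze -v` output posted above (not the full dump).
SAMPLE = """BUGCHECK_CODE: ef
BUGCHECK_P1: ffffd30421ee8080
BUGCHECK_P2: 0
PROCESS_NAME: svchost.exe
CRITICAL_PROCESS: svchost.exe
STACK_TEXT:
fffff90d`ca3f7808 fffff807`6db6c90a : 00000000`000000ef ffffd304`21ee8080 00000000`00000000 00000000`00000000 : nt!KeBugCheckEx
fffff90d`ca3f7810 fffff807`6da6e6d3 : ffffd304`21ee8080 ffffd304`28ac9378 00000000`00000000 fffff807`6d4fd3ef : nt!PspCatchCriticalBreak+0x11a
fffff90d`ca3f7960 fffff807`6d62b2f5 : ffffd304`000004b4 ffffd304`376f5080 ffffd304`21ee8080 ffffd304`00000000 : nt!NtTerminateProcess+0xb0
fffff90d`ca3f79e0 00007ffa`91a97174 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25
000000d2`06bff258 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!NtTerminateProcess+0x14
FAILURE_BUCKET_ID: 0xEF_svchost.exe_BUGCHECK_CRITICAL_PROCESS_376f5080_ntdll!NtTerminateProcess
"""

_FIELD = re.compile(r"\b(BUGCHECK_CODE|BUGCHECK_P[1-4]|PROCESS_NAME|CRITICAL_PROCESS"
                    r"|FAILURE_BUCKET_ID):\s+(\S+)")
_ADDR = r"[0-9a-f]{8}`[0-9a-f]{8}"
_FRAME = re.compile(rf"({_ADDR})\s+({_ADDR})\s+:\s+(?:{_ADDR}\s+){{4}}:\s+(\S+)")  # child-SP, ret, 4 args, symbol

def parse_analyze(text):
    """Extract key fields and STACK_TEXT frames. Matches tokens rather than lines,
    so it also works on a copy whose newlines a forum or mail client flattened."""
    fields = dict(_FIELD.findall(text))
    frames = [{"child_sp": sp, "ret": ret, "symbol": sym}
              for sp, ret, sym in _FRAME.findall(text)]
    return fields, frames

def triage(text):
    """First-pass reading of a 0xEF dump. Heuristics are assumptions for illustration."""
    fields, frames = parse_analyze(text)
    syms = [f["symbol"] for f in frames]
    out = {"bugcheck": int(fields.get("BUGCHECK_CODE", "0"), 16),
           "process": fields.get("CRITICAL_PROCESS"), "frames": syms}
    if out["bugcheck"] == 0xEF:
        # Arg2 == 0 means a whole process died; 1 means a critical thread died.
        out["what_died"] = "process" if fields.get("BUGCHECK_P2") == "0" else "thread"
        # Syscall entry plus NtTerminateProcess under KeBugCheckEx: termination was requested from user mode.
        out["terminated_from_user_mode"] = (
            any(s.startswith("nt!NtTerminateProcess") for s in syms)
            and any("KiSystemServiceCopyEnd" in s for s in syms))
        # First non-kernel frame (ntdll or an unresolved 0x... address) is where to keep digging.
        out["user_frame"] = next((s for s in syms
                                  if s.startswith("ntdll!") or s.startswith("0x")), None)
    return out
```

On the full dumps above this reports the same thing the staffer notes below: a user-mode caller in an svchost.exe thread invoked NtTerminateProcess on a critical process, and the dump alone does not show which image that caller belongs to.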
When you say "unless 'Sophos Endpoint Agent' is disabled on startup", are you talking about just here:
All this does is run the Sophos UI.exe which is the tray icon and client UI. The key being:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sophos UI.exe ="C:\Program Files\Sophos\Sophos UI\Sophos UI.exe" /hidden
It seems bizarre that a small user mode application can cause this.
From the info provided, without the dump file to be able to run other commands it's hard to say much. There is a thread in a svchost.exe process seemingly terminating a CRITICAL_PROCESS: svchost.exe. From the stack it's hard to glean the origin of the stack.
Currently installing Windows 10 insider build 21277 to see if I see the same.
Yes, that's what I disabled in the Startup pane in Task Manager. If I leave it enabled then shortly after login the computer will GSOD. Alternatively if you just launch Sophos Endpoint Agent from within the Sophos folder in the Start Menu, then that will also cause a GSOD.
Should I be running other commands against the dump file? I'm not very experienced with performing analysis on them but I can follow instructions if you have any suggestions.
Apologies for the delay getting back to this - I blame the Christmas/New Year's period :)

I had to disable ALL Sophos services from startup via MSConfig.exe (Selective Startup, disabling all Sophos services there) for the system to boot safely.

System still running fine up to today, just haven't had a chance to play with it ... I may have also been playing the crap out of Watch Dogs Legion ... :)
Hi Dread and N Zhu
The Windows Insider Build is a beta version release; however, I would like to know if you are seeing the error mentioned in this link, where there is a pop-up notification stating "Your PC ran into a problem and will restart in 1 min". We might also need to find the exact Sophos component which is causing the issue here with the help of this article.
Could you leave it disabled in the startup items and disable Tamper Protection on the computer, reboot and then launch "sophos ui.exe". Does that help?