
Windows Insider Build 21277.1000 - Green Screen Crash

Hi Guys,

I run the Windows Insider Preview on a PC at home and after updating to Build 21277.1000 this morning the PC began constantly crashing when logging into the PC (would load to login screen fine and stay there - crash was about 30 seconds after logging in) with a familiar Green Screen stop crash and bugcheck. A quick troubleshoot and I found that it's definitely being caused by Sophos Intercept X Endpoint and I have disabled it in startup.

Any ideas how to fix or do I need to wait until a new version of the Intercept X Client?

Cheers



  • That works, thank you! Sophos can now be part of startup without incurring GSODs. However, is it feasible to leave Tamper Protection disabled long-term? What are the ramifications of doing so?

  • Well, Tamper Protection stops people (or I guess malicious processes if they've got past the execution stage) from stopping services and general fiddling.

    I did reproduce it today and I found it quite odd.

    CRITICAL_PROCESS_DIED (ef) - "A critical system process died" is the bugcheck code.

    The critical process that is dying is the svchost process that hosts the "RPCSS" service.  I.e. 'C:\WINDOWS\system32\svchost.exe -k RPCSS -p'

    A thread in this process is the one calling KeBugCheckEx.  This thread seems to be throwing an exception in RPCRT4!BCACHE::Free+0x96. The disassembly has:

    00007fff`e36c52b3 488d0daeda0a00 lea rcx,[RPCRT4!`string' (00007fff`e3772d68)]
    00007fff`e36c52ba 48ff154f9f0a00 call qword ptr [RPCRT4!_imp_DbgPrint (00007fff`e376f210)]

    The string at 00007fff`e3772d68 contains:
     "RPC: BCache corruption detected at 0x%p."

    Which might offer something, and it's quite odd that an RPC call into RPCSS can crash it.

    The thread is servicing an RPC call from the "C:\Program Files\Sophos\Sophos UI\savapi.exe" process, that is the "client" end of the RPC call into RPCSS.

    The Sophos UI.exe process is activating the COM server that is SAVAPI.exe, which is why it appears to happen when Sophos UI.exe starts up. It's more about what savapi.exe is doing as a result as it "talks" to RPCSS.

    If you disable Tamper Protection, rename savapi.exe to savapi.exe.off, and re-enable Tamper Protection, I think this would also work.  I'm just surprised a user mode process, issuing a standard RPC COM call, can crash RPCSS, which in turn brings down the computer as it's a critical process.

    The fact that disabling TP helps suggests that the Sophosed.sys driver might be involved as that is responsible for tamper protection and being a driver, they are the components that usually cause such issues.

    A user mode process on its own can't cause a bugcheck.

    I think you might have to create a ticket with Sophos.

  • I also experienced this issue on my Insider test systems as of 21277. Turning off Tamper Protection prior to restarting the systems allowed a normal restart. I was later able to turn Tamper Protection back on without a crash. I have reported this to Sophos, although they are of course not claiming to support 21277 at this time, which is reasonable.

  • Hello, I was seeing this with 21277, i.e. the BSOD. In the next Insider release, it wouldn't bugcheck the machine, but the svchost process that was hosting RPCSS would hit the roof in terms of CPU when the Sophos UI.exe process was launched, due to it launching savapi.exe. In the version 21296 that was released yesterday, it all seems well having put Sophos UI.exe back to launch at logon.  I can only think there was a bug in the Windows release as the Sophos components haven't changed.  Did anyone else see the same behaviour?

  • Spoke too soon, the svchost process hosting RPCSS goes crazy when the Sophos UI.exe is launched with Windows Insider build 21296.  Does anyone else see this behaviour?  I.e. no longer bugchecking as before but now this behaviour?

  • I updated to Windows Insider 21296 and tested with Tamper Protection turned back on. The system crashed when Sophos starts up as it has been doing since 21277, so the issue is not fixed as of the 21296 Windows release.

  • I just updated to Windows Build 21296 and turned Tamper Protection back on. After a reboot, Sophos starts up and crashes the system as it did with 21277, so this issue is not fixed by the latest Windows Insider update.

  • This issue is still occurring on build 21322.

  • Hi everyone, 

    We're aware of this issue and are currently working with Microsoft on a fix. We'll update this thread as more information is available.

    Thanks,
    Yashraj Singha
    Manager | Global Community Support
  • Is there any update on this, as it's been 2 months without a response?