[.03] BSOD caused by Sandboxie
tzuk wrote: If you have more crashes with fast startup enabled, and if you don't mind turning it back on, then I would say yes. But again, I don't know if version 4.07.03 actually fixes the BSOD problem.
FYI it didn't. On the contrary, they worsened, at least in my own scenario:
Windows 8 Pro x86
Sandboxie 4.07.03
No fast startup
No EMET
I guess the culprit is SbieDrv.sys according to Nirsoft's BluescreenView
Windows 8.1 x64/x86 EN | Sandboxie latest beta or stable | All software latest versions unless stated otherwise
hi, tzuk:
what about this dump?
Could it help you to identify the issue?
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ffffc00009a8200c, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff800c396269a, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000000, (reserved)
Debugging Details:
------------------
READ_ADDRESS: ffffc00009a8200c Paged pool
FAULTING_IP:
nt!memcpy+21a
fffff800`c396269a f30f6f4402f0 movdqu xmm0,xmmword ptr [rdx+rax-10h]
MM_INTERNAL_CODE: 0
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
BUGCHECK_STR: AV
PROCESS_NAME: chrome.exe
CURRENT_IRQL: 0
ANALYSIS_VERSION: 6.3.9600.16384 (debuggers(dbg).130821-1623) amd64fre
TRAP_FRAME: ffffd0003c2c80c0 -- (.trap 0xffffd0003c2c80c0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffc00010ed578c rbx=0000000000000000 rcx=fffffffffffffff4
rdx=fffffffff8bac890 rsi=0000000000000000 rdi=0000000000000000
rip=fffff800c396269a rsp=ffffd0003c2c8258 rbp=ffffc00010ed5368
r8=00000000000002c0 r9=0000000000000006 r10=0000000000000000
r11=ffffc00010ed54c0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz ac pe cy
nt!memcpy+0x21a:
fffff800`c396269a f30f6f4402f0 movdqu xmm0,xmmword ptr [rdx+rax-10h] ds:ffffc000`09a8200c=????????????????????????????????
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff800c396afd8 to fffff800c3955ca0
STACK_TEXT:
ffffd000`3c2c7ed8 fffff800`c396afd8 : 00000000`00000050 ffffc000`09a8200c 00000000`00000000 ffffd000`3c2c80c0 : nt!KeBugCheckEx
ffffd000`3c2c7ee0 fffff800`c38690fd : 00000000`00000000 ffffe000`01194080 ffffd000`3c2c80c0 00000000`00000001 : nt! ?? ::FNODOBFM::`string'+0x4e48
ffffd000`3c2c7f80 fffff800`c395ff2f : 00000000`00000000 00000000`00000000 ffffd000`3c2c8300 ffffd000`3c2c80c0 : nt!MmAccessFault+0x7ed
ffffd000`3c2c80c0 fffff800`c396269a : fffff800`c3bbdcda ffffc000`10ed5002 ffffc000`10ed5060 ffffe000`00b5ea70 : nt!KiPageFault+0x12f
ffffd000`3c2c8258 fffff800`c3bbdcda : ffffc000`10ed5002 ffffc000`10ed5060 ffffe000`00b5ea70 00000000`000007ff : nt!memcpy+0x21a
ffffd000`3c2c8260 fffff800`c3cc8c91 : ffffc000`04d9d3f0 ffffd000`3c2c8390 00000000`00000000 00000000`00000078 : nt!SepDuplicateToken+0x346
ffffd000`3c2c8320 fffff800`c3c01003 : ffffc000`054cf060 00000000`00000000 ffffc000`054cf590 00000000`000007ff : nt!SepSetLogonSessionToken+0x81
ffffd000`3c2c83a0 fffff800`c3e1deef : 00000000`00000003 00000000`00000000 ffffc000`00000002 ffffc000`0000000d : nt!SepFilterToken+0x55b
ffffd000`3c2c84b0 fffff800`03fe3a95 : 00000000`00000000 ffffc000`03c77560 00000000`00000000 00000000`00000000 : nt!SeFilterToken+0xbf
ffffd000`3c2c8530 fffff800`03fe4462 : ffffc000`09a818f0 ffffc000`00000000 ffffc000`099292e0 ffffc000`09164280 : SbieDrv+0x1ca95
ffffd000`3c2c85d0 fffff800`03fe4629 : ffffc000`10e4d8f0 ffffd000`3c2c86c8 ffffd000`3c2c8600 ffffc000`10e540d0 : SbieDrv+0x1d462
ffffd000`3c2c8620 fffff800`03fdac6a : ffffc000`10e540d0 ffffd000`3c2c86c8 ffffd000`3c2c86c8 ffffd000`3c2c87a0 : SbieDrv+0x1d629
ffffd000`3c2c8670 fffff800`c3baad8e : ffffe000`01194080 ffffe000`01194080 ffffd000`3c2c87a0 fffff800`c3ae3e50 : SbieDrv+0x13c6a
ffffd000`3c2c86a0 fffff800`c3c5b0cc : 00000000`ffb56000 ffffd000`3c2c8740 ffffe000`00993080 00000000`00000000 : nt!PsCallImageNotifyRoutines+0x12e
ffffd000`3c2c8710 fffff800`c3c5adb5 : 00000000`ffb5d000 00000000`ffb5d000 ffffe000`00993080 ffffe000`01194080 : nt!DbgkCreateThread+0x168
ffffd000`3c2c8950 fffff800`c395c3f5 : fffff800`c3af6180 00000000`00000000 fffff800`c3c5ad0c ffffe000`01194080 : nt!PspUserThreadStartup+0xa9
ffffd000`3c2c89c0 fffff800`c395c377 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiStartUserThread+0x16
ffffd000`3c2c8b00 00007ffc`9fed43b4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiStartUserThreadReturn
00000000`0061fc78 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffc`9fed43b4
STACK_COMMAND: kb
FOLLOWUP_IP:
SbieDrv+1ca95
fffff800`03fe3a95 85c0 test eax,eax
SYMBOL_STACK_INDEX: 9
SYMBOL_NAME: SbieDrv+1ca95
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: SbieDrv
IMAGE_NAME: SbieDrv.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 525e8f90
FAILURE_BUCKET_ID: AV_SbieDrv+1ca95
BUCKET_ID: AV_SbieDrv+1ca95
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:av_sbiedrv+1ca95
FAILURE_ID_HASH: {90030c0e-167c-96c0-3d18-5bad6b90e84c}
Followup: MachineOwner
---------
tzuk wrote: Is this dump for a crash caused by version 4.07.03 ?
I don't think so...
The dump, in fact, is pasted from this thread:
http://www.sandboxie.com/phpbb/viewtopic.php?t=16752
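An added example, not part of the original posts: a small Python parser for the `STACK_TEXT` of the `!analyze -v` output quoted earlier in the thread. It reproduces the debugger's attribution (first non-OS frame, `SYMBOL_STACK_INDEX: 9`) and shows which kernel routine the driver had called and which kernel path entered the driver. The function names and the choice of `nt`/`hal` as OS modules are assumptions.

```python
import re

# Frames copied from the STACK_TEXT posted above; the four argument columns
# are trimmed for width (constructed sample: child-SP, return address, symbol).
STACK_TEXT = """\
ffffd000`3c2c7ed8 fffff800`c396afd8 : nt!KeBugCheckEx
ffffd000`3c2c7ee0 fffff800`c38690fd : nt! ?? ::FNODOBFM::`string'+0x4e48
ffffd000`3c2c7f80 fffff800`c395ff2f : nt!MmAccessFault+0x7ed
ffffd000`3c2c80c0 fffff800`c396269a : nt!KiPageFault+0x12f
ffffd000`3c2c8258 fffff800`c3bbdcda : nt!memcpy+0x21a
ffffd000`3c2c8260 fffff800`c3cc8c91 : nt!SepDuplicateToken+0x346
ffffd000`3c2c8320 fffff800`c3c01003 : nt!SepSetLogonSessionToken+0x81
ffffd000`3c2c83a0 fffff800`c3e1deef : nt!SepFilterToken+0x55b
ffffd000`3c2c84b0 fffff800`03fe3a95 : nt!SeFilterToken+0xbf
ffffd000`3c2c8530 fffff800`03fe4462 : SbieDrv+0x1ca95
ffffd000`3c2c85d0 fffff800`03fe4629 : SbieDrv+0x1d462
ffffd000`3c2c8620 fffff800`03fdac6a : SbieDrv+0x1d629
ffffd000`3c2c8670 fffff800`c3baad8e : SbieDrv+0x13c6a
ffffd000`3c2c86a0 fffff800`c3c5b0cc : nt!PsCallImageNotifyRoutines+0x12e
"""

def parse_frames(stack_text):
    """Return [(module, symbol)] per frame; accepts full or trimmed kb lines."""
    frames = []
    for line in stack_text.splitlines():
        parts = line.split(" : ")
        if len(parts) < 2 or len(parts[0].split()) != 2:
            continue  # not a "child-SP retaddr : ... : symbol" line
        symbol = parts[-1].strip()
        m = re.match(r"[A-Za-z_]\w*", symbol)  # raw addresses have no module
        frames.append((m.group(0) if m else None, symbol))
    return frames

def blame(frames, os_modules=("nt", "hal")):  # OS module list is an assumption
    """First non-OS frame below the fault, what it called, who called it."""
    for i, (module, symbol) in enumerate(frames):
        if module and module not in os_modules:
            j = i
            while j < len(frames) and frames[j][0] == module:
                j += 1  # skip the driver's own contiguous frames
            return {"index": i, "frame": symbol,
                    "called": frames[i - 1][1] if i else None,
                    "entered_from": frames[j][1] if j < len(frames) else None}
    return None

if __name__ == "__main__":
    print(blame(parse_frames(STACK_TEXT)))
```

The same functions accept the untrimmed lines from the dump, since only the first and last ` : `-separated fields are read.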
tzuk wrote: If you have more crashes with fast startup enabled, and if you don't mind turning it back on, then I would say yes. But again, I don't know if version 4.07.03 actually fixes the BSOD problem.
Thanks. I enabled fastboot yesterday. I will keep using 4.07.03 and see how it goes.
Windows 8 64 bit, Standard User Account, Online Armor 7, Emsisoft Anti-Malware, Sandboxie paid, Firefox and Pale Moon with NoScript and Adblock Plus, Shadow Defender (on demand), Hitman Pro (on demand), Macrium Reflect Free.
Just had a BSOD with 4.07.03. I have the "complete memory dump" file if you want me to zip it and upload it. I also have the contents of the sandbox which is only 1.72KB zipped.
From WhoCrashed:
On Tue 11/19/2013 6:12:57 AM GMT your computer crashed
crash dump file: C:\Windows\Minidump\111913-12828-01.dmp
This was probably caused by the following module: ntoskrnl.exe (nt+0x5A440)
Bugcheck code: 0x50 (0xFFFFF8A0091A906C, 0x0, 0xFFFFF8010845649A, 0x0)
Error: PAGE_FAULT_IN_NONPAGED_AREA
file path: C:\Windows\system32\ntoskrnl.exe
product: Microsoft® Windows® Operating System
company: Microsoft Corporation
description: NT Kernel & System
Bug check description: This indicates that invalid system memory has been referenced.
This appears to be a typical software driver bug and is not likely to be caused by a hardware problem.
The crash took place in the Windows kernel. Possibly this problem is caused by another driver that cannot be identified at this time.
On Tue 11/19/2013 6:12:57 AM GMT your computer crashed
crash dump file: C:\Windows\memory.dmp
This was probably caused by the following module: sbiedrv.sys (SbieDrv+0x1D015)
Bugcheck code: 0x50 (0xFFFFF8A0091A906C, 0x0, 0xFFFFF8010845649A, 0x0)
Error: PAGE_FAULT_IN_NONPAGED_AREA
file path: C:\Program Files\Sandboxie\SbieDrv.sys
product: Sandboxie
company: Sandboxie Holdings, LLC
description: Sandboxie Kernel Mode Driver
Bug check description: This indicates that invalid system memory has been referenced.
This appears to be a typical software driver bug and is not likely to be caused by a hardware problem.
A third party driver was identified as the probable root cause of this system error. It is suggested you look for an update for the following driver: sbiedrv.sys (Sandboxie Kernel Mode Driver, Sandboxie Holdings, LLC).
Google query: Sandboxie Holdings, LLC PAGE_FAULT_IN_NONPAGED_AREA
Windows 8 64 bit, Standard User Account, Online Armor 7, Emsisoft Anti-Malware, Sandboxie paid, Firefox and Pale Moon with NoScript and Adblock Plus, Shadow Defender (on demand), Hitman Pro (on demand), Macrium Reflect Free.
If I'm in my standard user account is it normal for Sandboxie to write to my admin account sandbox file C:\Sandbox\SuperUser\ ?
Maybe it is part of the problem or a result of the BSOD. It doesn't happen often as I've been keeping an occasional eye on it for a while.
I was in my admin account the day before the BSOD and I'm pretty sure I checked my "surfbox" sandbox was deleted even though I didn't use it. It had to write to that file sometime after the BSOD as I saved the entire Sandbox folder after the BSOD.
Windows 8 64 bit, Standard User Account, Online Armor 7, Emsisoft Anti-Malware, Sandboxie paid, Firefox and Pale Moon with NoScript and Adblock Plus, Shadow Defender (on demand), Hitman Pro (on demand), Macrium Reflect Free.
nsb wrote: I'd like to know if the latest change has finally solved the problem although the silence of the last two weeks with regard to this subject should be significant,
txs
Yes it is significant, issue has been addressed and solved.
Windows 8.1 x64/x86 EN | Sandboxie latest beta or stable | All software latest versions unless stated otherwise
Version .04 has been installed since Nov. 26th and so far so good. In the past I have gone as long as 1 1/2 months between BSODs so I guess we will see. It's encouraging that others have also been BSOD free!
P.S. I also kept faststartup enabled the entire time.
Windows 8 64 bit, Standard User Account, Online Armor 7, Emsisoft Anti-Malware, Sandboxie paid, Firefox and Pale Moon with NoScript and Adblock Plus, Shadow Defender (on demand), Hitman Pro (on demand), Macrium Reflect Free.