[.03] BSOD caused by Sandboxie

Listing issues addressed in beta version 4.07
Arcanez
Posts: 16
Joined: Mon Mar 12, 2012 1:45 pm

[.03] BSOD caused by Sandboxie

Post by Arcanez » Thu Oct 31, 2013 6:53 am

It seems like Sandboxie causes my Computer to bsod (page fault in nonpaged area). The bluescreen has always come up when opening IE in Sandboxie. Right after I click on the IE Icon in the taskbar the machine crashes with the bluescreen. However this does not always happen. I have looked into the Memory.dmp file and this is what it says:


Microsoft (R) Windows Debugger Version 6.3.9600.16384 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Windows\MEMORY.DMP]
Kernel Bitmap Dump File: Only kernel address space is available

Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path. *
* Use .symfix to have the debugger choose a symbol path. *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntkrnlmp.exe -
Windows 8 Kernel Version 9600 MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 9600.16404.amd64fre.winblue_gdr.130913-2141
Machine Name:
Kernel base = 0xfffff800`b6c80000 PsLoadedModuleList = 0xfffff800`b6f44990
Debug session time: Thu Oct 31 11:43:14.489 2013 (UTC + 1:00)
System Uptime: 0 days 0:25:10.179
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntkrnlmp.exe -
Loading Kernel Symbols
...............................................................
...........................................................Page 13ad53 not present in the dump file. Type ".hh dbgerr004" for details
.Page 13b6b5 not present in the dump file. Type ".hh dbgerr004" for details
....
...................
Loading User Symbols
PEB is paged out (Peb.Ldr = 00007ff6`de22f018). Type ".hh dbgerr001" for details
Loading unloaded module list
.......

************* Symbol Loading Error Summary **************
Module name Error
ntkrnlmp The system cannot find the file specified

You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.
You should also verify that your symbol search path (.sympath) is correct.
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 50, {ffffc00010ef0000, 0, fffff800b6dda525, 0}

*** ERROR: Module load completed but symbols could not be loaded for SbieDrv.sys
***** Kernel symbols are WRONG. Please fix symbols to do analysis.

*************************************************************************
*** ***
*** ***
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn't have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing ".symopt- 100". Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn't have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing ".symopt- 100". Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn't have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing ".symopt- 100". Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
Probably caused by : SbieDrv.sys ( SbieDrv+1ca95 )

Followup: MachineOwner
---------


System info:
win8.1 x64
IE 11
Sandboxie 4.06 64bit
EMET 4.0
Crucial m4 SSD
Gigabyte 990FXA UD5
FX8350
MSI R9 280x
8GB 1866Mhz DDR3
Last edited by Arcanez on Thu Oct 31, 2013 7:34 am, edited 1 time in total.

nsb
Posts: 15
Joined: Fri Nov 16, 2012 1:34 pm

Post by nsb » Thu Oct 31, 2013 7:26 am

this is the same error reported previously in this thread,
http://www.sandboxie.com/phpbb/viewtopic.php?t=16752 :(

Can i ask you if you have EMET?

Arcanez
Posts: 16
Joined: Mon Mar 12, 2012 1:45 pm

Post by Arcanez » Thu Oct 31, 2013 7:27 am

nsb wrote:this is the same error reported previously in this thread,
http://www.sandboxie.com/phpbb/viewtopic.php?t=16752 :(

Can i ask you if you have EMET?
Yes, I do. Forgot to mention it. I have EMET 4.0 installed. I have read the Topic that you posted and I disabled fast Startup of Windows.

nsb
Posts: 15
Joined: Fri Nov 16, 2012 1:34 pm

Post by nsb » Thu Oct 31, 2013 7:41 am

Arcanez wrote: yes, I do. Forgot to mention it. I have EMET 4.0 installed.
so do i...
Arcanez wrote: I have read the Topic that you posted and I disabled fast Startup of Windows.
do you have a more informative memory dump?

Are you logged in as standard user?

scarid
Posts: 23
Joined: Wed Jul 17, 2013 9:18 am

Post by scarid » Thu Oct 31, 2013 7:44 am

I also have this problem but I don't use EMET. My user account is just member of the local Users group.

doktornotor
Posts: 205
Joined: Mon Apr 05, 2010 8:40 am

Post by doktornotor » Thu Oct 31, 2013 8:21 am

Never seen this with EMET 4.0 and W8.1

Windows 7/8/8.1 x64
Windows Firewall (behind pfSense router), Avast Free 2014
Sandboxie, AppLocker, EMET 4.1

Arcanez
Posts: 16
Joined: Mon Mar 12, 2012 1:45 pm

Post by Arcanez » Thu Oct 31, 2013 9:06 am

nsb wrote:
Arcanez wrote: yes, I do. Forgot to mention it. I have EMET 4.0 installed.
so do i...
Arcanez wrote: I have read the Topic that you posted and I disabled fast Startup of Windows.
do you have a more informative memory dump?

Are you logged in as standard user?
I always log on as a standard user. Whenever I have to do administrative things I use a dos box with admin privileges and do everything from there.

tzuk
Sandboxie Founder
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Thu Oct 31, 2013 4:09 pm

There are a few similar problem reports about crashes. Usually close to the time when Windows finishes the start up sequence. I made some change that may have an effect, so please hold on until the next beta (which will be version 4.07.02) and we'll see if it makes a difference.
tzuk

balloonshark
Posts: 51
Joined: Tue Apr 28, 2009 1:49 am

Post by balloonshark » Fri Nov 01, 2013 6:54 am

Good to hear you may have found something tzuk.

Since disabling fast startup and waiting for all of my icons to load in the system tray I've only had one BSOD since September 15th. Unfortunately it usually takes about 4 minutes for everything to load because a couple items are on delayed startup.

Here are my hardware specs. Perhaps there is something in common.

i5-4670K, Hyper 212 Evo, ASRock Z87 Extreme6, Sapphire Vapor-X Radeon HD 7970 Ghz Edition 3GB, 120GB Samsung 840 Series SSD, 1TB WD Blue HDD, Team Vulcan DDR3 1600 2x4GB, Corsair CX600 PSU, Asus 24x DVD Burner, Corsair Carbide 500R case, Windows 8 Pro 64 bit.

I'm not using EMET and I do use a standard user account. It's a local account.
Windows 8 64 bit, Standard User Account, Online Armor 7, Emsisoft Anti-Malware, Sandboxie paid, Firefox and Pale Moon with NoScript and Adblock Plus, Shadow Defender (on demand), Hitman Pro (on demand), Macrium Reflect Free.

Arcanez
Posts: 16
Joined: Mon Mar 12, 2012 1:45 pm

Post by Arcanez » Fri Nov 01, 2013 7:49 am

I have disabled the fast Startup but unfortunately I got another bsod when I started my Computer this morning. One Thing I recognized though was that it seems like the Crash does only occur when I try to Launch Internet Explorer sandboxed right after the Startup sequence of Windows. When I click on Media Player or VLC Player right after the Windows Startup These work programs work just fine under sandboxie. I haven't seen this Crash with any other program but Internet Explorer so far.

A good Thing with this bsod is though that you can be sure that you don't have any serious Hardware issues. Let's see what the future beta Version Looks like in this regard. Until then I might have to wait some time after the Startup sequence before running Internet Explorer.

Thanks Tzuk and Keep it going! :wink:

doktornotor
Posts: 205
Joined: Mon Apr 05, 2010 8:40 am

Post by doktornotor » Fri Nov 01, 2013 8:08 am

Arcanez wrote:One Thing I recognized though was that it seems like the Crash does only occur when I try to Launch Internet Explorer sandboxed right after the Startup sequence of Windows
Have this one installed? http://www.microsoft.com/en-us/download ... x?id=40852

Windows 7/8/8.1 x64
Windows Firewall (behind pfSense router), Avast Free 2014
Sandboxie, AppLocker, EMET 4.1

zhanghaixia
Posts: 1
Joined: Sat Nov 02, 2013 3:22 am
Contact:

Post by zhanghaixia » Sat Nov 02, 2013 3:25 am

It seems like Sandboxie causes my Pc to Buy FUT 14 Coins PC bsod (page mistake in nonpaged area). The bluescreen has always come up when starting IE in Sandboxie. Right after I simply simply select the IE Symbol in the taskbar the device accidents with the bluescreen.

tzuk
Sandboxie Founder
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Wed Nov 06, 2013 6:03 am

Please check if version 4.07.02 makes any difference. Keep in mind the change I did is a guess and will not necessarily fix the problem.

http://www.sandboxie.com/phpbb/viewtopic.php?t=16838
tzuk

tzuk
Sandboxie Founder
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Fri Nov 08, 2013 5:02 am

Version 4.07.03 includes the same fix and also should not cause problems with Internet Explorer.
tzuk

balloonshark
Posts: 51
Joined: Tue Apr 28, 2009 1:49 am

Post by balloonshark » Fri Nov 08, 2013 8:14 am

Thanks tzuk. I will give this version a try. Should I re-enable fast startup which is default for a Windows 8 install?
Windows 8 64 bit, Standard User Account, Online Armor 7, Emsisoft Anti-Malware, Sandboxie paid, Firefox and Pale Moon with NoScript and Adblock Plus, Shadow Defender (on demand), Hitman Pro (on demand), Macrium Reflect Free.

Locked

Who is online

Users browsing this forum: No registered users and 1 guest