[.03] BSOD caused by Sandboxie

Listing issues addressed in beta version 4.07
tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Sat Nov 09, 2013 12:26 pm

If you have more crashes with fast startup enabled, and if you don't mind turning it back on, then I would say yes. But again, I don't know if version 4.07.03 actually fixes the BSOD problem.
tzuk

Mr.X
Posts: 596
Joined: Sat Jul 13, 2013 9:34 am
Location: Mexico

Post by Mr.X » Sun Nov 10, 2013 12:05 pm

tzuk wrote: If you have more crashes with fast startup enabled, and if you don't mind turning it back on, then I would say yes. But again, I don't know if version 4.07.03 actually fixes the BSOD problem.
FYI it didn't. On the contrary, they worsened, at least in my own scenario:
Windows 8 Pro x86
Sandboxie 4.07.03
No fast startup
No EMET

I guess the culprit is SbieDrv.sys, according to NirSoft's BlueScreenView.
Windows 8.1 x64 EN | Sandboxie latest beta or stable | All software latest versions unless stated otherwise

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Mon Nov 11, 2013 11:12 am

Alright. I might have to undo that change then. But first, let's wait a few more days to see if anyone else reports anything.
tzuk

nsb
Posts: 15
Joined: Fri Nov 16, 2012 1:34 pm

Post by nsb » Mon Nov 11, 2013 11:55 am

Hi, tzuk:
What about this dump?

Could it help you to identify the issue?

0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ffffc00009a8200c, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff800c396269a, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000000, (reserved)

Debugging Details:
------------------


READ_ADDRESS: ffffc00009a8200c Paged pool

FAULTING_IP:
nt!memcpy+21a
fffff800`c396269a f30f6f4402f0 movdqu xmm0,xmmword ptr [rdx+rax-10h]

MM_INTERNAL_CODE: 0

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

BUGCHECK_STR: AV

PROCESS_NAME: chrome.exe

CURRENT_IRQL: 0

ANALYSIS_VERSION: 6.3.9600.16384 (debuggers(dbg).130821-1623) amd64fre

TRAP_FRAME: ffffd0003c2c80c0 -- (.trap 0xffffd0003c2c80c0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffc00010ed578c rbx=0000000000000000 rcx=fffffffffffffff4
rdx=fffffffff8bac890 rsi=0000000000000000 rdi=0000000000000000
rip=fffff800c396269a rsp=ffffd0003c2c8258 rbp=ffffc00010ed5368
r8=00000000000002c0 r9=0000000000000006 r10=0000000000000000
r11=ffffc00010ed54c0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz ac pe cy
nt!memcpy+0x21a:
fffff800`c396269a f30f6f4402f0 movdqu xmm0,xmmword ptr [rdx+rax-10h] ds:ffffc000`09a8200c=????????????????????????????????
Resetting default scope

LAST_CONTROL_TRANSFER: from fffff800c396afd8 to fffff800c3955ca0

STACK_TEXT:
ffffd000`3c2c7ed8 fffff800`c396afd8 : 00000000`00000050 ffffc000`09a8200c 00000000`00000000 ffffd000`3c2c80c0 : nt!KeBugCheckEx
ffffd000`3c2c7ee0 fffff800`c38690fd : 00000000`00000000 ffffe000`01194080 ffffd000`3c2c80c0 00000000`00000001 : nt! ?? ::FNODOBFM::`string'+0x4e48
ffffd000`3c2c7f80 fffff800`c395ff2f : 00000000`00000000 00000000`00000000 ffffd000`3c2c8300 ffffd000`3c2c80c0 : nt!MmAccessFault+0x7ed
ffffd000`3c2c80c0 fffff800`c396269a : fffff800`c3bbdcda ffffc000`10ed5002 ffffc000`10ed5060 ffffe000`00b5ea70 : nt!KiPageFault+0x12f
ffffd000`3c2c8258 fffff800`c3bbdcda : ffffc000`10ed5002 ffffc000`10ed5060 ffffe000`00b5ea70 00000000`000007ff : nt!memcpy+0x21a
ffffd000`3c2c8260 fffff800`c3cc8c91 : ffffc000`04d9d3f0 ffffd000`3c2c8390 00000000`00000000 00000000`00000078 : nt!SepDuplicateToken+0x346
ffffd000`3c2c8320 fffff800`c3c01003 : ffffc000`054cf060 00000000`00000000 ffffc000`054cf590 00000000`000007ff : nt!SepSetLogonSessionToken+0x81
ffffd000`3c2c83a0 fffff800`c3e1deef : 00000000`00000003 00000000`00000000 ffffc000`00000002 ffffc000`0000000d : nt!SepFilterToken+0x55b
ffffd000`3c2c84b0 fffff800`03fe3a95 : 00000000`00000000 ffffc000`03c77560 00000000`00000000 00000000`00000000 : nt!SeFilterToken+0xbf
ffffd000`3c2c8530 fffff800`03fe4462 : ffffc000`09a818f0 ffffc000`00000000 ffffc000`099292e0 ffffc000`09164280 : SbieDrv+0x1ca95
ffffd000`3c2c85d0 fffff800`03fe4629 : ffffc000`10e4d8f0 ffffd000`3c2c86c8 ffffd000`3c2c8600 ffffc000`10e540d0 : SbieDrv+0x1d462
ffffd000`3c2c8620 fffff800`03fdac6a : ffffc000`10e540d0 ffffd000`3c2c86c8 ffffd000`3c2c86c8 ffffd000`3c2c87a0 : SbieDrv+0x1d629
ffffd000`3c2c8670 fffff800`c3baad8e : ffffe000`01194080 ffffe000`01194080 ffffd000`3c2c87a0 fffff800`c3ae3e50 : SbieDrv+0x13c6a
ffffd000`3c2c86a0 fffff800`c3c5b0cc : 00000000`ffb56000 ffffd000`3c2c8740 ffffe000`00993080 00000000`00000000 : nt!PsCallImageNotifyRoutines+0x12e
ffffd000`3c2c8710 fffff800`c3c5adb5 : 00000000`ffb5d000 00000000`ffb5d000 ffffe000`00993080 ffffe000`01194080 : nt!DbgkCreateThread+0x168
ffffd000`3c2c8950 fffff800`c395c3f5 : fffff800`c3af6180 00000000`00000000 fffff800`c3c5ad0c ffffe000`01194080 : nt!PspUserThreadStartup+0xa9
ffffd000`3c2c89c0 fffff800`c395c377 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiStartUserThread+0x16
ffffd000`3c2c8b00 00007ffc`9fed43b4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiStartUserThreadReturn
00000000`0061fc78 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffc`9fed43b4


STACK_COMMAND: kb

FOLLOWUP_IP:
SbieDrv+1ca95
fffff800`03fe3a95 85c0 test eax,eax

SYMBOL_STACK_INDEX: 9

SYMBOL_NAME: SbieDrv+1ca95

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: SbieDrv

IMAGE_NAME: SbieDrv.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 525e8f90

FAILURE_BUCKET_ID: AV_SbieDrv+1ca95

BUCKET_ID: AV_SbieDrv+1ca95

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:av_sbiedrv+1ca95

FAILURE_ID_HASH: {90030c0e-167c-96c0-3d18-5bad6b90e84c}

Followup: MachineOwner
---------
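
Added example, not part of the original post and not Sandboxie code: a small Python triage helper that walks the STACK_TEXT from the dump above, finds the first frame outside the Windows kernel (the dump's SYMBOL_STACK_INDEX: 9), and derives the driver's load address from the return address of the frame above it. The `OS_MODULES` set and the function names are assumptions made for illustration.

```python
import re

# Frames 0-13 copied from the STACK_TEXT above (Child-SP RetAddr : Args : Call Site).
STACK_TEXT = r"""
ffffd000`3c2c7ed8 fffff800`c396afd8 : 00000000`00000050 ffffc000`09a8200c 00000000`00000000 ffffd000`3c2c80c0 : nt!KeBugCheckEx
ffffd000`3c2c7ee0 fffff800`c38690fd : 00000000`00000000 ffffe000`01194080 ffffd000`3c2c80c0 00000000`00000001 : nt! ?? ::FNODOBFM::`string'+0x4e48
ffffd000`3c2c7f80 fffff800`c395ff2f : 00000000`00000000 00000000`00000000 ffffd000`3c2c8300 ffffd000`3c2c80c0 : nt!MmAccessFault+0x7ed
ffffd000`3c2c80c0 fffff800`c396269a : fffff800`c3bbdcda ffffc000`10ed5002 ffffc000`10ed5060 ffffe000`00b5ea70 : nt!KiPageFault+0x12f
ffffd000`3c2c8258 fffff800`c3bbdcda : ffffc000`10ed5002 ffffc000`10ed5060 ffffe000`00b5ea70 00000000`000007ff : nt!memcpy+0x21a
ffffd000`3c2c8260 fffff800`c3cc8c91 : ffffc000`04d9d3f0 ffffd000`3c2c8390 00000000`00000000 00000000`00000078 : nt!SepDuplicateToken+0x346
ffffd000`3c2c8320 fffff800`c3c01003 : ffffc000`054cf060 00000000`00000000 ffffc000`054cf590 00000000`000007ff : nt!SepSetLogonSessionToken+0x81
ffffd000`3c2c83a0 fffff800`c3e1deef : 00000000`00000003 00000000`00000000 ffffc000`00000002 ffffc000`0000000d : nt!SepFilterToken+0x55b
ffffd000`3c2c84b0 fffff800`03fe3a95 : 00000000`00000000 ffffc000`03c77560 00000000`00000000 00000000`00000000 : nt!SeFilterToken+0xbf
ffffd000`3c2c8530 fffff800`03fe4462 : ffffc000`09a818f0 ffffc000`00000000 ffffc000`099292e0 ffffc000`09164280 : SbieDrv+0x1ca95
ffffd000`3c2c85d0 fffff800`03fe4629 : ffffc000`10e4d8f0 ffffd000`3c2c86c8 ffffd000`3c2c8600 ffffc000`10e540d0 : SbieDrv+0x1d462
ffffd000`3c2c8620 fffff800`03fdac6a : ffffc000`10e540d0 ffffd000`3c2c86c8 ffffd000`3c2c86c8 ffffd000`3c2c87a0 : SbieDrv+0x1d629
ffffd000`3c2c8670 fffff800`c3baad8e : ffffe000`01194080 ffffe000`01194080 ffffd000`3c2c87a0 fffff800`c3ae3e50 : SbieDrv+0x13c6a
ffffd000`3c2c86a0 fffff800`c3c5b0cc : 00000000`ffb56000 ffffd000`3c2c8740 ffffe000`00993080 00000000`00000000 : nt!PsCallImageNotifyRoutines+0x12e
"""

OS_MODULES = {"nt", "hal"}  # assumption: modules treated as OS core when triaging

def parse_frames(text):
    frames = []
    for line in text.strip().splitlines():
        head, symbol = line.rsplit(" : ", 1)        # call site is the last column
        symbol = symbol.strip()
        off = re.search(r"\+0x([0-9a-f]+)$", symbol)
        frames.append({
            "symbol": symbol,
            "module": re.split(r"[!+]", symbol, maxsplit=1)[0],
            "offset": int(off.group(1), 16) if off else None,
            "ret": int(head.split()[1].replace("`", ""), 16),  # RetAddr column
        })
    return frames

def attribute(frames):
    """Return the first non-OS frame and the kernel calls on either side of it."""
    i = next(n for n, f in enumerate(frames) if f["module"] not in OS_MODULES)
    drv, j = frames[i], i
    while j < len(frames) and frames[j]["module"] == drv["module"]:
        j += 1                                      # skip the driver's own frames
    return {
        "index": i,
        "symbol": drv["symbol"],
        # RetAddr of the frame above points into this frame: base = RetAddr - offset
        "image_base": frames[i - 1]["ret"] - drv["offset"] if i else None,
        "calls": frames[i - 1]["symbol"] if i else None,
        "entered_from": frames[j]["symbol"] if j < len(frames) else None,
    }

if __name__ == "__main__":
    print(attribute(parse_frames(STACK_TEXT)))
```

On this stack the SbieDrv frames sit between nt!PsCallImageNotifyRoutines and nt!SeFilterToken, so the fault occurred inside the kernel's token duplication while it was servicing a call made by the driver.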

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Tue Nov 12, 2013 3:02 am

No, I'm afraid the dump doesn't say exactly why this happened. Is this dump for a crash caused by version 4.07.03?
tzuk

nsb
Posts: 15
Joined: Fri Nov 16, 2012 1:34 pm

Post by nsb » Tue Nov 12, 2013 6:04 am

tzuk wrote: Is this dump for a crash caused by version 4.07.03?
I don't think so...

The dump, in fact, is pasted from this thread:
http://www.sandboxie.com/phpbb/viewtopic.php?t=16752

balloonshark
Posts: 51
Joined: Tue Apr 28, 2009 1:49 am

Post by balloonshark » Tue Nov 12, 2013 7:57 am

tzuk wrote: If you have more crashes with fast startup enabled, and if you don't mind turning it back on, then I would say yes. But again, I don't know if version 4.07.03 actually fixes the BSOD problem.
Thanks. I enabled fastboot yesterday. I will keep using 4.07.03 and see how it goes.
Windows 8 64 bit, Standard User Account, Online Armor 7, Emsisoft Anti-Malware, Sandboxie paid, Firefox and Pale Moon with NoScript and Adblock Plus, Shadow Defender (on demand), Hitman Pro (on demand), Macrium Reflect Free.

balloonshark
Posts: 51
Joined: Tue Apr 28, 2009 1:49 am

Post by balloonshark » Tue Nov 19, 2013 1:54 am

Just had a BSOD with 4.07.03. I have the "complete memory dump" file if you want me to zip it and upload it. I also have the contents of the sandbox which is only 1.72KB zipped.

From WhoCrashed:

On Tue 11/19/2013 6:12:57 AM GMT your computer crashed
crash dump file: C:\Windows\Minidump\111913-12828-01.dmp
This was probably caused by the following module: ntoskrnl.exe (nt+0x5A440)
Bugcheck code: 0x50 (0xFFFFF8A0091A906C, 0x0, 0xFFFFF8010845649A, 0x0)
Error: PAGE_FAULT_IN_NONPAGED_AREA
file path: C:\Windows\system32\ntoskrnl.exe
product: Microsoft® Windows® Operating System
company: Microsoft Corporation
description: NT Kernel & System
Bug check description: This indicates that invalid system memory has been referenced.
This appears to be a typical software driver bug and is not likely to be caused by a hardware problem.
The crash took place in the Windows kernel. Possibly this problem is caused by another driver that cannot be identified at this time.



On Tue 11/19/2013 6:12:57 AM GMT your computer crashed
crash dump file: C:\Windows\memory.dmp
This was probably caused by the following module: sbiedrv.sys (SbieDrv+0x1D015)
Bugcheck code: 0x50 (0xFFFFF8A0091A906C, 0x0, 0xFFFFF8010845649A, 0x0)
Error: PAGE_FAULT_IN_NONPAGED_AREA
file path: C:\Program Files\Sandboxie\SbieDrv.sys
product: Sandboxie
company: Sandboxie Holdings, LLC
description: Sandboxie Kernel Mode Driver
Bug check description: This indicates that invalid system memory has been referenced.
This appears to be a typical software driver bug and is not likely to be caused by a hardware problem.
A third party driver was identified as the probable root cause of this system error. It is suggested you look for an update for the following driver: sbiedrv.sys (Sandboxie Kernel Mode Driver, Sandboxie Holdings, LLC).
Google query: Sandboxie Holdings, LLC PAGE_FAULT_IN_NONPAGED_AREA
Windows 8 64 bit, Standard User Account, Online Armor 7, Emsisoft Anti-Malware, Sandboxie paid, Firefox and Pale Moon with NoScript and Adblock Plus, Shadow Defender (on demand), Hitman Pro (on demand), Macrium Reflect Free.

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Tue Nov 19, 2013 2:36 am

Alright. I'll undo the change.
tzuk

balloonshark
Posts: 51
Joined: Tue Apr 28, 2009 1:49 am

Post by balloonshark » Tue Nov 19, 2013 6:07 am

If I'm in my standard user account is it normal for Sandboxie to write to my admin account sandbox file C:\Sandbox\SuperUser\ ?

Maybe it is part of the problem or a result of the BSOD. It doesn't happen often as I've been keeping an occasional eye on it for a while.

I was in my admin account the day before the BSOD and I'm pretty sure I checked my "surfbox" sandbox was deleted even though I didn't use it. It had to write to that file sometime after the BSOD as I saved the entire Sandbox folder after the BSOD.
Windows 8 64 bit, Standard User Account, Online Armor 7, Emsisoft Anti-Malware, Sandboxie paid, Firefox and Pale Moon with NoScript and Adblock Plus, Shadow Defender (on demand), Hitman Pro (on demand), Macrium Reflect Free.

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Mon Nov 25, 2013 1:59 pm

I have another change in version 4.07.04 that will hopefully fix this problem. Please let me know if it makes a difference.
tzuk

nsb
Posts: 15
Joined: Fri Nov 16, 2012 1:34 pm

Post by nsb » Tue Dec 10, 2013 12:45 pm

I'd like to know if the latest change has finally solved the problem although the silence of the last two weeks with regard to this subject should be significant,
txs

Mr.X
Posts: 596
Joined: Sat Jul 13, 2013 9:34 am
Location: Mexico

Post by Mr.X » Tue Dec 10, 2013 5:28 pm

nsb wrote:I'd like to know if the latest change has finally solved the problem although the silence of the last two weeks with regard to this subject should be significant,
txs
Yes it is significant, issue has been addressed and solved.
Windows 8.1 x64 EN | Sandboxie latest beta or stable | All software latest versions unless stated otherwise

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Wed Dec 11, 2013 3:16 am

That's good news! Thanks.
tzuk

balloonshark
Posts: 51
Joined: Tue Apr 28, 2009 1:49 am

Post by balloonshark » Thu Dec 12, 2013 8:05 am

Version .04 has been installed since Nov. 26th and so far so good. In the past I have gone as long as 1 1/2 months between BSODs, so I guess we will see. It's encouraging that others have also been BSOD free!

P.S. I also kept fast startup enabled the entire time.
Windows 8 64 bit, Standard User Account, Online Armor 7, Emsisoft Anti-Malware, Sandboxie paid, Firefox and Pale Moon with NoScript and Adblock Plus, Shadow Defender (on demand), Hitman Pro (on demand), Macrium Reflect Free.
