Kas Ob. 126 Posted yesterday at 12:24 PM

2 minutes ago, Roger Cigol said:
> @Kas Ob. My actual app is a 32 bit exe - will the 64bit WinObjEx64 still be ok to help us (you!) get to the bottom of this?

It doesn't matter, and yes it will help. If no object with that name exists, then the problem is in the middle between user mode and user-mode driver.

Kas Ob. 126 Posted yesterday at 12:28 PM

Expanding a little on drivers and services: internally all drivers are called services, and they are configured and launched from one location in the registry:

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Except the OS kernel itself, which is loaded and hardcoded to load at the very first step of boot, all are defined there. So when an error says service it could be a driver.

Roger Cigol 114 Posted yesterday at 12:28 PM

Just now, Kas Ob. said:
> It doesn't matter, and yes it will help. If no object with that name exists, then the problem is in the middle between user mode and user-mode driver.

Thank you, Kas. I have downloaded WinObjEx (exe) and run it. I click on the search (magnifier glass) icon and then enter MyMutex1 and click on Find. It says no objects found. I get the same result if I repeat but with search only for "Mutant" in the drop down.

Kas Ob. 126 Posted yesterday at 12:38 PM

Just now, Roger Cigol said:
> Thank you, Kas. I have downloaded WinObjEx (exe) and run it. I click on the search (magnifier glass) icon and then enter MyMutex1 and click on Find. It says no objects found. I get the same result if I repeat but with search only for "Mutant" in the drop down.

Well, this means it is definitely a broken driver, and again such a driver is there to perform a job; it could be attached to another service like (just as an example) System Restore, or it might have its own configuration/policy like security and its access.

So what I suggest is to go back to my first post in this thread and run SFC, yes, as dumb as it sounds. Also check if the compatibility service is running and the application doesn't have any, and also check the target file path (location and upper directory(s)) have security. See, I know it works sometimes, but is there something that had changed it dynamically? Like at this moment causing such a resource to be wrongly handled. Handles are stored in the kernel in tables and cloned there, but it could depend on filters on the way (in and out), and that is what you want to pinpoint: if a buggy driver (yes, it is a driver or filter driver) caused this and depleted its own resources.

Roger Cigol 114 Posted yesterday at 12:49 PM

7 minutes ago, Kas Ob. said:
> it is definitely a broken driver, and again such a driver is there to perform a job,

So is this suspect driver related to file handling? Or could it be any driver on the machine?

Kas Ob. 126 Posted yesterday at 12:56 PM

Just now, Roger Cigol said:
> this suspect driver related to file handling

This is it, a driver running out of resources, either by being buggy/outdated or it does belong to bigger software like an antivirus but the rest of the software is not there to continue processing something; it could be uninstalled software that had a driver left over, running rogue.

I can say something around 100% sure.

For more testing, please run (as Administrator) AutoRuns https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns with

Then see what resides in both sections, Services and Drivers; it is easy to check the Provider/Publisher.
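
The two posts above (drivers and services are both defined under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services, and their publisher is worth checking) can also be checked from a script. The PowerShell below is an added example, not part of the original thread; the helper names Get-EntryKind and Resolve-ImagePath are hypothetical, and the ImagePath handling covers only the common forms.

```powershell
# Added example (not from the thread): audit entries under the Services key.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Type is a bit field: 0x1 kernel driver, 0x2 file system driver,
# 0x10 own-process service, 0x20 shared-process service.
function Get-EntryKind([int]$Type) {
    if ($Type -band 0x3)  { return 'Driver' }
    if ($Type -band 0x30) { return 'Service' }
    return 'Other'
}

# Hypothetical helper: reduce a raw ImagePath to a plain file path.
function Resolve-ImagePath([string]$Raw) {
    $p = [Environment]::ExpandEnvironmentVariables($Raw).Trim()
    if ($p.StartsWith('"')) { $p = $p.Split('"')[1] }                  # "path" args
    $p = $p -replace '^\\\?\?\\', ''                                   # \??\C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"             # \SystemRoot\...
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p } # relative path
    if ($p -match '^(.+?\.(exe|sys|dll))(\s|$)') { $p = $Matches[1] }  # drop arguments
    return $p
}

$report = foreach ($key in Get-ChildItem $servicesKey -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
    if (-not $props -or -not $props.ImagePath) { continue }
    $kind = Get-EntryKind $props.Type
    if ($kind -eq 'Other') { continue }

    $path   = Resolve-ImagePath $props.ImagePath
    $exists = Test-Path -LiteralPath $path -PathType Leaf
    $sig    = if ($exists) { Get-AuthenticodeSignature -LiteralPath $path } else { $null }

    [pscustomobject]@{
        Name       = $key.PSChildName
        Kind       = $kind
        Path       = $path
        FileExists = $exists
        Signature  = if ($sig) { "$($sig.Status)" } else { 'n/a' }
        Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

# Show only entries worth a second look: missing binaries or non-valid signatures.
$report | Where-Object { -not $_.FileExists -or $_.Signature -ne 'Valid' } |
    Sort-Object Kind, Name | Format-Table Name, Kind, Signature, Path -AutoSize
```

Run it from an elevated 64-bit PowerShell so that System32 paths are not redirected and protected keys are readable.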

Roger Cigol 114 Posted yesterday at 12:59 PM

9 minutes ago, Kas Ob. said:
> and run SFC, yes, as dumb as it sounds

Running SFC did not sound dumb to me (either at the time you posted it, or now). This was done at end of January, after we had done a full "check for updates" iteration round a few times (until it said "all up to date").

Roger Cigol 114 Posted yesterday at 01:10 PM

Auto run: If I look for coloured entries - which are the ones with "not verified".....

In Services I see one:

Sense Windows Defender Advanced Threat Protection Service: Windows Defender Advanced Threat Protection service helps protect against advanced threats by monitoring and reporting security events that happen on the computer. (Not Verified) Microsoft Corporation C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe Mon Feb 10 16:31:35 2025

In Drivers I see three:

BthA2dp Microsoft Bluetooth A2dp driver: Bluetooth A2DP Driver (Not Verified) Microsoft Corporation C:\Windows\System32\drivers\BthA2dp.sys Sat Dec 7 09:07:47 2019

BthHFEnum Microsoft Bluetooth Hands-Free Profile driver: Bluetooth Hands-Free Audio and Call Control HID Enumerator (Not Verified) Microsoft Corporation C:\Windows\System32\drivers\bthhfenum.sys Sat Dec 7 09:07:47 2019

Adobe Type Manager File not found: atmfd.dll

The first two are in subcategory: HKLM\System\CurrentControlSet\Services
The last one is in subcategory: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font drivers

Roger Cigol 114 Posted yesterday at 01:12 PM

Why would this kind of problem mean that only my application is affected? When the problem happens it is still possible to read and write files to the directories using Windows Explorer (e.g. right click and create a new text file).

Kas Ob. 126 Posted 20 hours ago

The blackout is striking again, two days out of power, now back to 3 hours on and something between 3-6 or even 9 hours off.

4 hours ago, Roger Cigol said:
> Why would this kind of problem mean that only my application is affected? When the problem happens it is still possible to read and write files to the directories using Windows Explorer (e.g. right click and create a new text file).

Defender can easily do it, and even worse.

What stands out for me is why it is not verified?!! While the others are OK. But yet it might not be a big deal:

https://security.stackexchange.com/questions/224829/does-a-lack-of-verified-signatures-for-windows-defender-indicate-malware
https://learn.microsoft.com/en-us/archive/msdn-technet-forums/a7e41613-43aa-4c9b-b117-46d0f9420bf7#986960c6-d417-4747-8020-e06f3bf6e1fb

As for what could go wrong, the answer here makes sense (pun intended):

https://answers.microsoft.com/en-us/windows/forum/all/is-it-okay-if-the-windows-defender-service-is-not/2d1dbf86-06cc-4c5c-a415-75fa0b878cff

Quote:
> The Windows Defender Advanced Threat Protection Service ("Sense") probably has no use on a standalone system. It's used with Microsoft Defender for Endpoint Security in an enterprise environment. As others have stated, the errors you get when starting the Sense service are normal on a standalone computer. No action is needed on your part.

So, as a theory, Sense at some point was allowed to upload samples; in such a case it could have marked/flagged your application and maybe your certificate too, and is waiting for a response to either red or green flag it. In the meantime it will be allowed to work under inspection with full logging/tracking/tracing up to a point where it depletes a specific amount of resources. It shouldn't be reaching such a limit but it is, though it is a theory.

Try to change the name of the EXE and how it does reach that device. I mean, if you have a self-updating exe then override it, build a new exe with different paths if possible, and try again.

OR, allow Defender to take its samples in case it is misconfigured or had some policy changes, ask if someone tweaked Defender, or even just try to stop it and restart it.

Remy Lebeau 1501 Posted 18 hours ago

8 hours ago, Roger Cigol said:
> An update: by adding code to get the Windows error code following a failed attempt to open a text file I have now got an error number: 1450
>
> A quick google search reveals
>
> Error 1450 = Insufficient system resources exist to complete the requested service
>
> So what resources is it short of, I wonder?
>
> I am currently trying to get a remote connection to the PC in question before they close down (and restart) the application....

Hard to say. I find it very unlikely that file I/O would report that particular error. It would be helpful to see your actual file I/O and error handling code. I wonder if something is sitting in between your file I/O and error handling that might be affecting the error code unexpectedly. When retrieving the OS error code, you need to retrieve it as close to the failed API call as possible; you can't make any other system calls first. All the more reason why I don't like using IOUtils with all the extra overhead it has, particularly any memory cleanup.

Kas Ob. 126 Posted 2 hours ago

@Roger Cigol Here is another thing to try.

Download and run Api Monitor from http://www.rohitab.com/apimonitor

Use the correct bit version with your EXE and put the filter as shown in this screenshot.

Run your exe, or you can attach to it at any time, so you are not limited to monitoring everything; you can leave the exe running alone until the problem manifests, then attach the monitor and capture the log.

After capturing the log, compare it with the log from your own device and see where the failure exists; after that you can share with us the important pieces of the failure.

Give extra attention to the failed API calls and their passed parameters, this is important. Also, as the monitor log records the handles and results, a comparison might narrow down the failure origin.

Feel free to expand the API logging list for your own running EXE and that one device; you might find it useful, reporting many failed APIs or wrongdoing or repeated calls. Also you can record SyncObjs API like Low Level APIs, e.g. RtlCriticalSectionxxxx... Mutex, Events... like these