I managed to reproduce it (after making a nice backup
).
Situation:
I run IEPrivacykeeper
http://www.unhsolutions.net/IE-Privacy-Keeper/index.html to cleanup some stuff on shutdown, i removed a few d+ entries from this tool so it will pop up at system shutdown.
I shutdown my system with a shortcut to C:\Windows\System32\shutdown.exe /s /t 00
The pop up appears asking me to allow IEPrivacykeeper Interprocess memory access to another application... i wait a few seconds and press APPLY with Remember.
The system shuts down normally without any abnormal message.
I start my system again and after login i get pop up's i normally don't have so i check the d+ policy.
Almost empty only some 20 entries.
I fire regedit and take a look at the registry key:
[HKEY_LOCAL_MACHINE\System\Software\Comodo\Firewall Pro\Configurations\0\HIPS\Policy]
"Num"=dword:00000021 (33 decimal).
My backup file however shows:
[HKEY_LOCAL_MACHINE\System\Software\Comodo\Firewall Pro\Configurations\0\HIPS\Policy]
"Num"=dword:000000eb (235 decimal).
i made some screenshots and put a sysinternals procmon on cfp and clicked right mouse on the cfp, exit.
Shutting down cfp takes over 2 minutes with heavy cpu load.
(0) shows the corrupted policy.
(1) shows the registry still knows 232 rules (starts at 0).
(2) shows heavy cpu load on "exit".
(3) shows the registry after shutdown now knows only 34 rules.
(4) contains a partial procmon pml file of the cfp shutdown.
Author