A Windows 7 black screen.

Hi all,
I’ll try to keep this as short as possible. (Took longer to perform this than type it out. Well…almost.) :wink:
I started my desktop PC (WIN7 HP) performed my usual duties, such as checking my web mail etc etc.

I decided to manually update my AV apps. (Malwarebytes, SUPERAntispyware, Spyware Blaster, Avast does auto updates),
then I manually updated Comodo firewall. Version 8.2.0.4674
(I do manual updates coz I had a minor glitch a while ago.)
Comodo said that it needed to re-boot the PC.
I delayed that operation.

I then proceeded to carry on with a few other things.
Afterwards I re-booted the PC…BUT (This is where it gets a tad weird),

The Welcome screen & Windows boot up all looked “normal.”
Except that all I ended up with was a black screen with my animated cursor doing its thing.
I waited for a while, but nothing appeared.
So…I went through the following…

Tried to load in F8 safe mode with networking & tried to find what was wrong. Result = Windows reported that it could not repair the files/system.
Tried a System Restore in F8 safe mode. Result = Nothing doing there either.

I tried to do a Windows Repair using my retail WIN7 disc. Result = Nothing doing.
Oh yes. A peek into the Event Viewer through the 3 finger exercise, revealed that there was
“NO OS to be found on this disc.” ( My “C” drive…Really?)

By now, things are getting rather fruitless, as far as I was concerned,
so, I called my IT guy.
He duly arrived a few Hrs later & I explained the sequence of events.

We checked various things, such as virus logs, virus vaults, etc., etc.
Nothing was found to be hiding or interfering with anything nor was anything suss found.

He then managed to open Comodo in Windows safe mode & proceeded to examine the files &
all the features of Comodo.
Upon opening the Sand Box…Guess what he/we found?

Right at the top of the list was… wait for it…wait…for…it…

Comodo.exe…[edit]or a derivative there-of[/edit]…along with all my “normally run at start-up” programs.

He then proceeded to try to uninstall Comodo from Programs & Features.
This “partially” worked.
We tried to find the Comodo “un-installer” for version 8, but could not find anything.

Anyway, after firing up my laptop, we found the installer for Comodo, D/L’d it,
transferred it over to the PC.

We made sure, after a few re-boots & a thorough registry check & clean, that Comodo was nowhere to be found.
We installed Comodo CIS firewall, did some reconfiguring & re-booted the PC.

I am now typing this on that/this fully functioning PC with Comodo just
“doing its thing, as all good firewalls, should.”

NOW! The question.

Why/how the H%&& did Comodo’s Sandbox end up placing the Comodo.exe, [edit]or a derivative there-of[/edit], into that Sand Box, along with all my normal start up programs?

If anyone can answer that, I & my IT guy will be most happy to hear/read.

Sorry for the long post, but it was a rather involved process & took about 5 Hrs all up.
Check here, check there…re-boot…yada yada yada.

Thanks for reading & hoping for a reason WHY?

Ta muchly.

Hi,

First of all I’m wondering where you found that cmdagent.exe was sandboxed? In other words, what do you mean exactly by “Upon opening the Sand Box…”?

The only thing on top of my mind that could cause this is Comodo Firewall got corrupted during the update, but that doesn’t mean there could be other reasons.

Hi there,
Sorry but…I’m not exactly sure how he found the Sand Box & all my Programs in it but he did.
I think I was making a cuppa at the time & was very surprised when he showed me the list.

Everything was restrained in there…hence, the black screen, coz nothing was allowed to load.

Don’t ask me. I’m not up to figuring out how this stuff functions or doesn’t. :slight_smile:

Alright, well except corruption I don’t know how that could have happened, they shouldn’t have been sandboxed.

Do you know what Comodo executable got sandboxed? Comodo.exe is not an existing executable.

Good point, I for some reason read that as cmdagent.exe … Don’t know why.

Hi Eric & Sanya,
Thanks for the responses & the Q?
No. I’m sorry, but we did not write down or memorise the file’s name.
(I should have taken a screen shot for verification, but we didn’t think of that, ATT. Bummer!)

I’m pretty sure that it was not comodo.exe, as you say. (Non existent file.)

I’m sure it contained comodo but not really sure of which file. :wink:
We were both very surprised/astonished to see the ref; to comodo in there.

The one thing I did notice, was that even when still running in Safe Mode, every program we opened
had the green border around them.

It was bizarre to see all the start up programs in there.

I cannot re-produce the “glitch/error” either & I do not want to try.
:slight_smile:

Thanks. Any more input as to why it happened would be appreciated.

Regards, TR…

As far as I know there aren’t any CIS executables that are named the full “comodo” they are usually called something like “cis[something].exe” or “cmd[something].exe”. If you saw the application “cmdvirth.exe” then that is supposed to be sandboxed but if you saw any other CIS executable in there then they shouldn’t have been there.

That is very weird, CIS is not supposed to run in Safe Mode I think, I mean I think it shouldn’t even be able to! Windows Safe Mode shouldn’t have loaded it nor the drivers at all which confuses me since that shouldn’t be a thing that CIS could change.

I can’t tell you exactly what happened in your case, but to me it sounds like some sort of corruption either of CIS or Windows or both, but then again it might have been something else.

Green borders in Windows Safe Mode? No Comodo processes should normally start in Safe Mode. That would be a problem with Windows itself if it let that happen.

As to the black screen you saw. You stated you could get into Windows by calling Task Manager. Did you get to see the desktop etc? It looks like explorer.exe was not started.

If all regular processes got sandboxed it looks like CFP sandboxed all executables. A reboot might have solved that.

Hi again,
The exact sequence of events & the processes that I ran through are a little “sketchy”, due to the many confusing results.

But, I can say that I never got to the desk top.

&, numerous re-boots achieved absolutely the same result.

A black screen with my animated cursor in the centre.

A Control/Alt/Delete brings a lovely Windows blue screen, as you know.

There are 5 Options in the centre.
1/. Lock this Comp.
2/. Switch user.
3/. Log off.
4/. Change a Password.
5/. Start Task Manager. (This is what I selected but when closed, it reverted to the black screen as per.)
At the lower RHS are the “Power Options.”

&, Yes, I know the “file naming procedure.”
Once more, I should have either written it down or taken a screen shot, but did neither. (Rats.)

T’is a weird one for sure. I have no idea how it happened but Comodo has been functioning O.K. for
years & was fine before I manually updated it.

Thanks.

Regs, TR…

We checked various things, such as virus logs, virus vaults, etc., etc. Nothing was found to be hiding or interfering with anything nor was anything suss found.

He then managed to open Comodo in Windows safe mode & proceeded to examine the files &
all the features of Comodo.

How did your IT guy get into Windows of Safe Mode?

Hi Eric,
Again, I’m not sure exactly how it all transpired.
Things were rather confusing, what with all his activity of trying this ‘n’ that.

The one thing I forgot to try, was, when in the Task Manager, to try to open Win Explorer. (explorer.exe)

Might have been a quicker way to find out what went awry.

&, upon checking the Sand Box now, I can see that “cmdvirth.exe” is indeed in there.

It may have been that file that we saw…Not knowing what files Comodo puts where &/or for what reason.
I’ve never delved into its innards, coz it just works.

Thanks for continuing with this investigation.

Regards, TR…

[edit]

I just checked the Event Viewer & found that cmdagent was in ERROR, 9 times on the 4th Sept. & 3 times on the 7th July.
There was a WARNING & an ERROR on the 7th June for cistray.
(These are related to the tray icon showing a X in it. Comodo’s “Fix it” did not, but a re-boot restored Comodo.)

This may possibly explain when the error occurred, (on the 4th), possibly due to a corrupt def update.
Not sure.
[edit]

What were the error messages for cmdagent.exe that were reported? Is it a repetitive error?

Hi Eric,

The Errors were as follows & started at 7.58 PM, (my Aus. time) & finished at 8.47 PM.
as per this Event Viewer example & all are the same.
I believe that this was when/after I did the manual updates of the A/V & Comodo.
The 3 from the 4th of July are the same as well.
There was also one more from the 19th May.

Log Name: COMODO Internet Security
Source: cmdagent
Date: 4/09/2015 8:47:53 PM
Event ID: 1
Task Category: (24)
Level: Error
Keywords: Classic
User: N/A
Computer: XXXX
Description:
The description for Event ID 1 from source cmdagent cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

Fail to open XML doc in CreateRecognizers. Error Code: 0x80070003 (The system cannot find the path specified.)

the message resource is present but the message is not found in the string/message table


&, I just talked to Marius, my IT guy & he said that he opened explorer.exe (I was not looking over his shoulder ATT), from the Task Manager,
was able to get to Desk Top BUT, when he tried to open Windows Services, it did so (another But here),
it was Sand Boxed by Comodo.

The 1st & 2nd attempts to un-install Comodo (Progs & Feats), did not complete when we tried,
but the Event Viewer shows that it did complete.

Strange stuff.

Oh yes, Last night I just tried to open all my programs to check, (Photo & Video editors/Web Cam/Cam Studio etc., etc.)
& Comodo sand boxed almost all of them.
I had to add them to the Trusted list in the Firewall.

All seems to be fine again.
Just a tad curious as to what caused it.

Some more Event Viewer logs from Windows Applications…

I hope that these will help.

Log Name: Application
Source: Microsoft-Windows-RestartManager
Date: 4/09/2015 10:42:21 PM
Event ID: 10010
Task Category: None
Level: Warning
Keywords:
User: XXXXX\Me
Computer: XXXX
Description:
Application 'C:\Windows\explorer.exe' (pid 1572) cannot be restarted - Application SID does not match Conductor SID..

======================================================================================

Log Name: Application
Source: Microsoft-Windows-RestartManager
Date: 4/09/2015 10:42:20 PM
Event ID: 10010
Task Category: None
Level: Warning
Keywords:
User: XXXX\Me
Computer: XXXX
Description:
Application 'C:\Program Files\COMODO\COMODO Internet Security\cis.exe' (pid 636) cannot be restarted - Application SID does not match Conductor SID..
    ===============================================================================================

Log Name: Application
Source: MsiInstaller
Date: 4/09/2015 10:43:26 PM
Event ID: 11306
Task Category: None
Level: Error
Keywords: Classic
User: XXXX\Me
Computer: XXXX
Description:
Product: COMODO Internet Security – Error 1306. Another application has exclusive access to the file
‘C:\ProgramData\Comodo\Firewall Pro\cisdata.sdb’. Please shut down all other applications, then click Retry.
=================================================================================================

There are others that show all my Start-up programs, stopped.

Still reckon it was a corrupt update.
:slight_smile:
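Added example, not part of any post in this thread: a small Python parser for Event Viewer text entries like the ones pasted above, which puts them in time order and decodes the `0x80070003` error code. The sample text is re-typed and trimmed from the entries quoted in the thread, and the names `parse_events` and `decode_hresult` are this example's own.

```python
import re
from datetime import datetime

# Constructed sample: three Event Viewer "copy as text" entries, trimmed to
# the header fields and message text quoted in the thread above.
SAMPLE = r"""Log Name: COMODO Internet Security
Source: cmdagent
Date: 4/09/2015 8:47:53 PM
Event ID: 1
Level: Error
Description:
Fail to open XML doc in CreateRecognizers. Error Code: 0x80070003 (The system cannot find the path specified.)

Log Name: Application
Source: MsiInstaller
Date: 4/09/2015 10:43:26 PM
Event ID: 11306
Level: Error
Description:
Product: COMODO Internet Security -- Error 1306. Another application has exclusive access to the file 'C:\ProgramData\Comodo\Firewall Pro\cisdata.sdb'.

Log Name: Application
Source: Microsoft-Windows-RestartManager
Date: 4/09/2015 10:42:21 PM
Event ID: 10010
Level: Warning
Description:
Application 'C:\Windows\explorer.exe' (pid 1572) cannot be restarted - Application SID does not match Conductor SID..
"""

ENTRY = re.compile(r"(?ms)^Log Name:.*?(?=^Log Name:|\Z)")
FIELD = re.compile(r"(?m)^(Log Name|Source|Date|Event ID|Level):[ \t]*(.*?)[ \t]*$")
HRESULT = re.compile(r"\b0x([0-9A-Fa-f]{8})\b")

def decode_hresult(value):
    """Split a 32-bit HRESULT into (failed, facility, code)."""
    return bool(value >> 31), (value >> 16) & 0x7FF, value & 0xFFFF

def parse_events(text):
    """Return the pasted entries as dicts, oldest first (dates are day-first)."""
    events = []
    for block in ENTRY.findall(text):
        head, _, desc = block.partition("Description:")
        ev = dict(FIELD.findall(head))
        ev["when"] = datetime.strptime(ev["Date"], "%d/%m/%Y %I:%M:%S %p")
        ev["message"] = " ".join(desc.split())
        hit = HRESULT.search(ev["message"])
        ev["hresult"] = decode_hresult(int(hit.group(1), 16)) if hit else None
        events.append(ev)
    return sorted(events, key=lambda ev: ev["when"])

if __name__ == "__main__":
    for ev in parse_events(SAMPLE):
        print(ev["when"], ev["Level"], ev["Source"], ev["Event ID"], ev["hresult"])
```

Facility 7 with code 3 is the Win32 error ERROR_PATH_NOT_FOUND wrapped as an HRESULT, which matches the message text in the cmdagent entry. Sorted by time, the cmdagent error at 8:47 PM precedes the RestartManager warnings and the MsiInstaller error, which fall within about a minute of each other at 10:42 to 10:43 PM.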

A reboot might have solved the sandboxing of all programs getting started.

The 1st & 2nd attempts to un-install Comodo (Progs & Feats), did not complete when we tried, but the Event Viewer shows that it did complete.

Strange stuff.

Oh yes, Last night I just tried to open all my programs to check, (Photo & Video editors/Web Cam/Cam Studio etc., etc.)
& Comodo sand boxed almost all of them.
I had to add them to the Trusted list in the Firewall.

All seems to be fine again.
Just a tad curious as to what caused it.

If the reboot did not solve it using System Restore to go back a little bit may have done the trick in case the configuration got corrupted (configurations are stored in the registry). Or if you have a back up of your configuration trying to restore that would have been worth a try.

In case of a troubled uninstall you can follow Most Effective Way to Reinstall CIS to Avoid/Fix Problems by my colleague Chiron. The linked clean up tool also runs in Safe Mode.

Hi Eric,

You said…

A reboot might have solved the sandboxing of all programs getting started.

& If the reboot did not solve it using System Restore to go back a little bit may have done the trick in case the configuration got corrupted.

I tried both of these, many times & all I ended up with was the black screen.

I think it was the fact that explorer.exe was not running that was the major cause of the black screen.

If I had just used the Task Manager to re-start explorer.exe, things may have been easier to solve.
I was probably a little hasty with my re-actions after the multiple updates & seeing nothing on the screen.

I’ve never had any problems like this before, so was very surprised by it all.

As I mentioned, even booting the PC up from the original retail version of my WIN7 disc & trying to run a repair sequence & it not able to do so…?
Along with no OS found?

These results had me more than scratching my head.

Anyway, sheesa all sweet now.

If you have any further thoughts, whack 'em in here, please.

Most interested as to exactly what caused it to kill/inhibit, (most probably the cause), explorer.exe.

Thank you & Sanya for your suggestions & assistance with this “problem.”

Much appreciated.

Regards, TR.

ps. Whilst typing this out…Guess what wanted to auto update?

Yep. Good ol’ Comodo CIS. (Do I dare to allow it?)
http://fc01.deviantart.net/fs44/f/2009/141/d/0/_omgomg__by_nillemotes.gif

http://fc01.deviantart.net/fs30/f/2008/048/2/2/Dont_click_by_DogOnFire.gif



:wink:

Hi,

after reading the whole post I think this wasn’t a Comodo error, it ended up as one but it really wasn’t.

Your Event Log states “Application SID does not match Conductor SID” which got Comodo to react and Sandbox the Application but something else changed the SID.
I think one of your other Security Softwares (assuming Avast) got corrupted and got the SandBox to react.
You also write “Result = Windows reported that it could not repair the files/system” which means you have a corrupted File System or a faulty HardDrive which could have caused the corruption in the executables…
A reboot could not have fixed that because the reboot was what caused it.
Every HardDrive has “good sectors” in reserve which automatically “replace” bad sectors, but when the HardDrive runs out of the “good sectors” it can’t replace anything and the data gets written on the “bad sectors” which causes corruption and programs not running.
The second indicator that your Drive has a Problem is that the Windows DVD could not find a system…
You could try to “read out” what S.M.A.R.T is saying about the condition of your drive…

Just my opinion…

Thanks

LordRayden

Hi LordRayden,
Thank you for your thoughts on the matter. Much appreciated.

Some relevant info…

My 500 Gig HDD is brand new, (about 4 weeks old), & I’ve run “spinrite” on it, just last week.
As expected…no errors were found. (I run it about every 2 or 3 months.)

It’s possible, as you say, that Avast’s update was corrupted & caused the error,
but Avast has been running fine since the “fix” was initiated. (Old Comodo removal = New Comodo re-installation.)
I know Avast does auto-updates err umm, hourly/3 hourly/whenever it feels like it, but I’ve never had a problem with it.
(Might be lucky?)
All same for the other A/V’s.

I did have a small problem with a Comodo auto-update a couple of years ago & was able to rectify that, no probs.
(Can’t remember the exact error.)

There’s one thing I can say about Comodo & that is, that occasionally, just occasionally, upon starting the PC
I notice that the Comodo SysTray icon has an x in it.
Comodo’s “Fix it” cannot “repair itself” so a PC re-boot is required.

Other than those “glitches”, I’ve had no probs with any of the installed apps.

I use Acronis True Image to back-up my “C” drive every week &
I create a System Restore point before & after any new installation.
I don’t trust them all to go smoothly. :slight_smile:

Anyway, thanks again for your suggestions.

May do a bit more checking etc.

Regards, TR…

ps. Comodo’s update went fine. :wink:

pps. A check using “sfc /verifyonly” brought a “no file errors.”