CIS interferes with process cloning [293]

The bug/issue

  1. What you did: Tried to create a dump of notepad.exe with Sysinternals ProcDump with process reflection enabled (-r).
  2. What actually happened or you actually saw: notepad.exe is cloned, but guard32.dll causes a deadlock. This also causes ProcDump to hang.
  3. What you expected to happen or see: notepad.exe is cloned, ProcDump finishes, cloned notepad.exe terminates.
  4. How you tried to fix it & what happened: Set D+ security level to Disabled. Didn’t work. Enabled “Deactivate Defense+ permanently” and restarted. No guard32 anymore, and ProcDump works correctly.
  5. If it's an application compatibility problem, have you tried the application fixes?:
  6. Details (exact version) of any application involved with download link: ProcDump v2.01
  7. Whether you can make the problem happen again, and if so exact steps to make it happen: Open Notepad, run “procdump -r notepad.exe”
  8. Any other information (eg your guess regarding the cause, with reasons): guard32.dll causes a deadlock.

Files appended

  1. Screenshots illustrating the bug:
  2. Screenshots of related event logs or the active processes list:
  3. A CIS config report or file.
  4. Crash or freeze dump file: Dump of cloned notepad.exe.

Your set-up

  1. CIS version, AV database version & configuration used: 5.0.163652.1142. AV not installed. Image Execution Control is disabled. Shellcode injection detection disabled.
  2. Have you updated (without uninstall) from CIS 3 or 4, if so have you tried reinstalling?: Yes, no.
  3. Have you imported a config from a previous version of CIS, if so, have you tried a preset config?: No.
  4. Defense+ and Sandbox OR Firewall security level: Safe Mode, Safe Mode.
  5. OS version, service pack, no of bits, UAC setting, & account type: Windows 7, 32-bit, UAC enabled.
  6. Other security and utility software running: None.
  7. Virtual machine used (Please do NOT use Virtual box): None.

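As an added diagnostic (not part of the original report, nor CIS or ProcDump code), a PowerShell script that reproduces the check above against a disposable Notepad: it confirms whether guard32.dll is mapped into the target, runs ProcDump with reflection under a timeout so a reflection deadlock surfaces as a reported hang instead of a stuck console, and then cleans up any stuck clone. It assumes procdump.exe is on PATH; the -accepteula switch and passing a PID instead of an image name are standard ProcDump usage rather than taken from the report.

```powershell
# Added diagnostic, not from the original report. Assumes procdump.exe is on PATH
# and uses Notepad as the harmless target, as the report does.
param(
    [string]$TargetExe  = 'notepad.exe',
    [string]$Dll        = 'guard32.dll',
    [int]   $TimeoutSec = 30
)

# 1. Launch our own copy of the target so we have a known PID to work with.
$target = Start-Process $TargetExe -PassThru
Start-Sleep -Seconds 2

# 2. Is the CIS hook DLL mapped into the target? Defense+ injects it when active,
#    which is the condition under which the report sees the deadlock.
$hooked = Get-Process -Id $target.Id |
    Select-Object -ExpandProperty Modules |
    Where-Object { $_.ModuleName -ieq $Dll }
if ($hooked) {
    Write-Host "$Dll is loaded in PID $($target.Id) from $($hooked.FileName)"
} else {
    Write-Host "$Dll is not loaded in PID $($target.Id) (Defense+ inactive or not installed)"
}

# 3. Run ProcDump with process reflection (-r) under a timeout. A clone that
#    deadlocks shows up as ProcDump never exiting.
$dumpDir = Join-Path $env:TEMP 'procdump-test'
New-Item -ItemType Directory -Force -Path $dumpDir | Out-Null
$pd = Start-Process procdump.exe -ArgumentList @('-accepteula', '-r', $target.Id, $dumpDir) `
        -PassThru -NoNewWindow
if (-not $pd.WaitForExit($TimeoutSec * 1000)) {
    Write-Host "ProcDump still running after $TimeoutSec s: reflection hang (matches the report when $Dll is loaded)"
    Stop-Process -Id $pd.Id -Force -ErrorAction SilentlyContinue
    # Kill only clones spawned after our target, not the user's other Notepad windows.
    Get-Process -Name ([IO.Path]::GetFileNameWithoutExtension($TargetExe)) -ErrorAction SilentlyContinue |
        Where-Object { $_.Id -ne $target.Id -and $_.StartTime -gt $target.StartTime } |
        Stop-Process -Force -ErrorAction SilentlyContinue
} else {
    Write-Host "ProcDump exited with code $($pd.ExitCode); dumps are in $dumpDir"
}

# 4. Always terminate the target we launched.
Stop-Process -Id $target.Id -Force -ErrorAction SilentlyContinue
```

Run it once with Defense+ active and once with it disabled as described in item 4 of the report; the module check and the timeout result together show whether the hang tracks the presence of the hook DLL.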

There is some information on how to create memory dumps here. You’ll need to substitute the alternative Sysinternals tool you are using for Process Explorer in the instructions. You can also try temporarily disabling Defense+ by moving the D+ security level slider to ‘disabled’ under D+ settings. If this does work for you, please tell us which works. If not, please make a bug report using the guidance below.

Many thanks for your help in anticipation

Mouse


We would very much appreciate it if you would edit your first post to create an issue report in line with the bug forum guidelines and format here. You can copy and paste the format from this topic.

To understand the reasons why we ask you to follow these guidelines please see below.

WHY WE ASK YOU TO FOLLOW THESE GUIDELINES
Bugs/issues can be impossible or very time consuming to fix if developers don’t have enough information to reproduce them. Since CIS is free, development time is limited. So if you want your issue fixed, please use the format below to describe it.

To avoid clutter, issues not described in the format below your post will not be moved to the ‘moderator verified’ issues topic. This means that the developers may not look at it.

Best wishes and many thanks in anticipation

Mouse

Thanks for an excellent bug report.

Forwarding to verified now.

Best wishes

Mouse