Hello all, I've been using COMODO for a few days and I must say I love this firewall, it's perfect. But I have one problem with it: every time my computer runs together with COMODO Firewall, my svchost.exe crashes after some time… It seems to crash at random times. Once it took 24 hours to crash, the other time it only took 30 seconds after I turned the computer on. I tried setting svchost as a trusted application and put it into the “My Own Safe Files” list. It keeps on crashing for no reason. It wouldn’t be a problem if my sound driver didn’t crash together with svchost. All applications that I had running will still work with sound, but if I start a new application it won’t have sound; that’s why I never close Winamp anymore, just mute it. If I check Sounds in Control Panel it shows me that there is no sound card until I reboot the computer.
Here’s my system:
Operating System: Windows XP Professional (5.1 Build 2600)
Mainboard: ASRock 939 Dual SATA-2
Processor: AMD Athlon 64 3000+
Graphic Card: PCI-Xpress Radeon X800 GT
Sound card: Realtek AC97
COMODO Firewall Version 3.0.15.277
I’ve experienced the same thing. At first I thought it had to do with the latest Realtek HD Audio drivers I installed around the first time I tried CFP, but the other day I uninstalled CFP and the crashes with svchost.exe stopped completely. When svchost.exe does crash it affects a few things, but most notably programs that use audio (like Winamp) lose the ability to query the system default output for sound.
OS: Windows XP x64 SP2
Mobo: Gigabyte GA-M61PM-S2
CPU: AMD X2 3800+
Video: ATI X800GTO
Sound: Realtek Azalia HD
CFP: 3.0.16.295 (but the previous version had the same problem)
Do you have your PC connected to a LAN? Do you have any network shares enabled on your computer? Are you connected to any network shares on another computer on your LAN?
For me, the answer to the above three questions is “YES” and the last time svchost.exe crashed (after I reinstalled CFP) I checked the Event Viewer. At almost the exact same time the Security log showed an Event 538, which seems to be related to anonymous connections from other computers related to shares. Screenshot is attached.
On this PC I only have one folder shared, with permissions set for full control for all users (including anonymous). I wouldn’t normally have such a share configured but I have a feeling it’s related.
First thing I tried was disabling the share on this computer. After a little while, svchost.exe crashed again, but I saw no corresponding Event 538 in the log. Then I disconnected all the mapped drives and haven’t had a crash since.
So apparently the issue comes up (for me) when I have mapped drives to network shares on other computers in the LAN.
To be sure that your svchost.exe is not infected, do a clean Windows install.
Svchost.exe (to this you can add Ctfmon.exe and Lsass.exe) is usually very easily infected if you run your computer with no firewall or you execute “unknown” applications.
Suggestions:
After you install Windows, create the following rules in the Firewall module for svchost: allow only outbound (use the outbound-only preset). To this also add a Block All rule for Lsass.exe and a Block All rule for Explorer.exe.
I ran it all day with no shares connected or enabled and unfortunately 8 minutes ago I had another crash of svchost.exe, after which I came here to check for a response from FloriaN~.
So maybe it isn’t share related but this time I did have the Event 538 the exact same time as the crash again. I’ll try to get a crash dump next time it happens (always at least once a day with CFP installed).
@Sm3K3R: I have a habit of reformatting and reinstalling Windows every 6 months or so, and one of the first things I install is a firewall (now CFP, formerly OFP) followed by Symantec AntiVirus. The last time happened to coincide with a new Realtek driver for my onboard audio so I thought it was to blame, but I also switched to CFP around that time and only have the svchost.exe crash with CFP installed.
So when svchost crashes, you need to find which svchost process crashed by hovering over all the remaining ones.
After a reboot you need to repeat this procedure again and you’ll find what services were loaded by the crashed svchost.
You can post a list here.
Using this list as a reference, you can do a manual restore point and disable all unneeded services loaded by that svchost process.
This issue could not be related to any specific service but to svchost itself.
Only after a few crashes will it be possible to say if this issue is related to a specific group of services.
Troubleshooting this will require a lot of effort. :-X
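The snapshot comparison described in the post above, as an added example that is not part of the original thread: it diffs two saved outputs of `tasklist /svc /fo csv` (one taken after a reboot, one after the crash) to show which svchost.exe instance disappeared and which services it hosted. The sample snapshots, PIDs and function names are constructed for illustration.

```python
import csv
import io

# Constructed sample: `tasklist /svc /fo csv` saved right after a reboot.
BEFORE = '''"Image Name","PID","Services"
"svchost.exe","884","DcomLaunch,TermService"
"svchost.exe","956","RpcSs"
"svchost.exe","1052","AudioSrv,helpsvc,lanmanserver,lanmanworkstation,Schedule,seclogon,Themes,wscsvc,wuauserv"
"svchost.exe","1120","Dnscache"
"explorer.exe","1600","N/A"
'''

# Constructed sample: the same command saved after the crash dialog appeared.
AFTER = '''"Image Name","PID","Services"
"svchost.exe","884","DcomLaunch,TermService"
"svchost.exe","956","RpcSs"
"svchost.exe","1120","Dnscache"
"explorer.exe","1600","N/A"
'''


def parse_snapshot(text):
    """Map each svchost.exe PID to the list of services it hosts."""
    hosts = {}
    for row in csv.DictReader(io.StringIO(text)):
        if row["Image Name"].lower() != "svchost.exe":
            continue
        names = [s.strip() for s in row["Services"].split(",")]
        hosts[int(row["PID"])] = [s for s in names if s and s != "N/A"]
    return hosts


def crashed_hosts(before_text, after_text):
    """Return {pid: services} for svchost instances that are gone, or whose
    PID now hosts a different service set (PID reused by another instance)."""
    before = parse_snapshot(before_text)
    after = parse_snapshot(after_text)
    return {
        pid: services
        for pid, services in before.items()
        if set(after.get(pid, [])) != set(services)
    }


if __name__ == "__main__":
    for pid, services in crashed_hosts(BEFORE, AFTER).items():
        print(f"svchost.exe PID {pid} is gone; it hosted: {', '.join(services)}")
```

Collecting the result over several crashes shows whether the same service group is involved each time.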
So I let CFP update itself to 3.0.17.304 earlier today. I just got the crash again, with Event 538 in the log at the same time.
Since I know it affects audio, I checked Services, and Windows Audio wasn’t running. I started it manually (it’s set to Automatic so it should be running), then rebooted. Attached is a screenshot from Process Explorer that shows all the services running under this instance of svchost.exe, which includes Windows Audio and Themes, two services I can most readily see are affected by the crash.
Since two days ago I’ve been running without any shares or connected to any shares. My old computer was still trying to map the now defunct “share” folder on this computer. I have just recently disconnected that drive so it should no longer try to map on restart.
Dr Watson doesn’t come up when svchost.exe crashes, I just get the dialog asking me if I want to debug the crash with VS2008’s debugger, which I cancel. The path to the dump shows no files in that directory.
I don’t know how many services you can disable there but I guess that audio and themes and “help and support” could be a good start.
Secondary logon, task schedulers can be tested later.
Workstation and server should affect only networking.
Anyway, please create a restore point and attempt to progressively disable as many services as you can until it is possible to narrow down the possible culprits.
BTW, do you use a uxtheme patch or non-MS-certified (digitally signed) skins? Does this happen regardless of whether you are connected to the internet or not?
Does this affect 3.0.17 too?
Yes, I use a patched uxtheme.dll and tcpip.sys for using unofficial themes and avoiding the Event 4226 error.
Due to the unknown interval of the crash, and the fact it only occurs with CFP installed, I find it more reasonable to just uninstall CFP instead of jumping through hoops and disabling services I use regularly. I don’t have System Restore enabled, and I don’t plan on enabling it.
Perhaps when the next version of CFP is released I’ll try it again, but since I’ve had this issue with (and only with) the last 3 or 4 versions of CFP I’m giving it up for now.
I know them both and I assure you there is no way a developer can reproduce something that occurs on a specific machine without a good amount of info. If an issue cannot be reproduced it cannot be fixed.
I guess I should add this to the bugreport board stickies.
BTW, not all patches are born equal, nor do they apply to whatever MS file revision is released after the patch was created.
Sorry for “bumping” this up but I didn’t think it would get any reply (the first reply was a month after I posted ~sigh~). I recently bought a new computer and thought “let’s try COMODO firewall again”. At first it worked really well without any crashes, but just a bit later my svchost crashed again and with it my sound.
It’s a different Sound Card this time and it still crashes.
For info, I was using a fresh install of Windows, with my usual programs for sound (Winamp), no skins/modifications on Windows and System Restore disabled. I will attempt to format my computer now and install COMODO once again. And this time I will check which process is causing the crash.
I just reinstalled Windows, so far no crashes. But it usually took some time, and I still had the latest version on my computer from when I used it before (I double-checked with the website, it’s the same).
It is 3.0.25.378, which I downloaded right after I got my new computer, and it still crashed, but now after re-formatting it has apparently stopped crashing (at least for now, who knows if it will crash again).
It crashed today when I was about to turn the computer off and get ready for work. I attached a screenshot of the Process Explorer thingy (it seems like it had something to do with Windows Security Center/Automatic Updates). Also, here is the error log or whatever:
Files that made it crash or are affected (not sure):
C:\DOCUME~1\Test\LOCALS~1\Temp\WER1b4b.dir00\svchost.exe.mdmp
C:\DOCUME~1\Test\LOCALS~1\Temp\WER1b4b.dir00\appcompat.txt
COMODO Firewall and Defense+ Event Viewer are empty.
Edit: after checking what netapi32.dll is used for, I found that it’s used for Windows to get information/updates from a Microsoft network. So I guess that’s it, hmm… even though my Windows Update is deactivated.
Why are you running 2 firewalls? I see Active Armor Firewall and I also see a Windows Security Center notification running. Why is that? If you’re using Nvidia’s firewall then you do not need Comodo. I also see an ATI entry. Are you using an ATI card on an Nvidia mobo? Why don’t you try shutting off the Nvidia firewall, because I have read and heard it’s garbage.
My new board is from Nvidia; I just took the old ATI graphics card over since I custom-built it. Windows Firewall is off, and since when do mainboards have their own firewall? o.o
Edit: I just noticed that Active Armor thing too, didn’t really pay attention to it. But that’s not the problem anyway, since this crash happened even before I got that new Nvidia board, and I will try to shut the Nvidia crap off.
Edit 2: the Windows Security notice is because I am not using an antivirus program at the moment since I just formatted my computer, plus I have System Restore and Auto Update turned off.