Windows 7 Home Premium 64-bit
Microsoft Office Starter 2010
Starting Words Starter 2010 gives a splwow64.exe application error: “The application was unable to start correctly (0xc0000005).” I have determined that Word is starting this process, which is a Windows system application that allows 32-bit processes to perform printing functionality. Excel Starter 2010 gives the same error but only when you actually attempt to print. Both applications are then unable to print.
I have found that Defence+ is the source of the problem because the problem disappears if I disable it using the “Deactivate the Defence+ permanently” option. But this is the only way to remove the problem. Setting the Defence+ security level to disabled does not stop the problem. I have not been able to find any other way to prevent whatever Defence+ is doing. I have put both Excel and Word into the Defence+ rules as trusted applications but this makes no difference.
I suspect part of the issue may be due to the somewhat exotic way in which Office Starter seems to be installed. The Windows Start Button entries actually launch a “Virtualization Handler”. The actual Word and Excel executable appear to be located in a Q “drive” but this is not a disk partition and even an administrator has no access rights to it. Because of this Defence+ will not allow me to add the Excel or Word executables to the trusted applications list.
I trust these applications so how do I stop Defence+ from interfering with them?
I would like to see d+ logs (CIS → d+ → view d+ events)
you can meanwhile try to see if adding it CIS —> Defense+ —> Defense+ Settings —> Execution control Settings —> Detect shellcode injections (i.e. Buffer overflow protection) —> Exclusions —> Add —> Browse… helps
Changing the Defense+ Security Level doesn’t make any difference: training mode, clean mode, even disabled makes no difference.
There are no entries in the event log for this.
Completely disabling Execution control Settings makes no difference.
I cannot add directories to exclusion rules because the “path” to the processes are in a “drive” that is not accessible to COMODO - see my first entry about the exotic nature of the installation.
In fact the only thing that makes any difference is using the option to completely de-active Defense+. I believe the key thing about this is that the COMODO code isn’t loaded into the process at all.
I believe the error code 0xc0000005 means access violation - ie the process is crashing on start up.
For these reasons my suspicion is that this is actually a bug in COMODO. I suspect that COMODO cannot cope with not being able to access the file path of the parent process and is crashing the process as a result. I don’t have any concrete evidence for this, though. But that is why I opened this as a bug report.
Could you try to put the whole Q drive in a new group of Protected Files and Folders. To do that : Defense+ > Computer Security Policy > Potected Files and Flders > Goup > give it a name > apply
You’ll find your new group at the bottom of the list. Then right click on add files here > add > existing items > choose Q > drag to selected items > apply.
In Protected files and Folders : add > group > choose your new group > ok
In Computer Security Policy > Defense + rules > add > select > files group > choose your new group and give it the predefined policy installer/updater
Normally, Def+ will now let everything on drive Q run without problem.
NB: you’ll maybe will have also to click in Def+ Settings > sandbox settings :
automatically detect installers/updaters and run them outside the sandbox
automatically trust files from trusted installers
I’ve applied the changes you suggested. I’m afraid it still did not make any difference.
One interesting thing to note, though: in the dialog to add files to the group, the Q: drive was not listed at all, only the C: (hard drive partition) and D: (DVD) drives. I typed the drive path in manually instead.
Thank you Peterle for clarifying what the Q: drive actually is. The article makes it clear that the Q: drive is not readable by other software by design.
I don’t really consider this a solution. The PC in question is a Dell laptop newly purchased by my mother-in-law, which I am configuring for her. It came pre-installed with Microsoft Office Starter and this is perfect for her needs. It also came pre-installed with an internet security system which I don’t rate so I have replaced it with COMODO for the firewall and another package for the anti-virus.
Honestly, I am more likely to de-activate Defense+ than remove Office.
I still think this is a bug in Defense+, albeit because it’s being presented with a new mechanism that it hasn’t previously had to cope with.
For info, I have reported it as a bug. It turns out the problem with my first attempt was probably that I didn’t use the right format. This has now been moved to the verified section. The topic is here:
Just for the record - this solution worked perfectly for me.
My issue was Word Starter 2010 would not recognize any printers as being installed when Defense+ was in Safe mode, but in Clean PC mode everything worked fine. In Safe mode D+ would flag certain Word files as Unrecognized Files no matter how many times I would “Move to > Trusted Files” that file.
Thank you Boris, D+ is now running in Safe mode and my printers are working perfectly!