Every program wants to access system in memory

Hello, this is my first post on the forum. I have been using comodo for over 2 years and never had any problems with it up until now.

The first alert I get from Comodo when launching any new program is “program.exe is trying to access System in memory”. It does not affect the program in any way. Regardless of whether I allow or deny, the program will act the same, but it will freeze until I answer.

It started happening 3-4 months ago.
I am sure that my computer is not infected and I could not find any suspicious processes or services running.

Windows 7 Home edition 64bit
Comodo Internet Security Premium 5.12.256249.2599

Hi,
Is your HIPS set to Safe Mode or Paranoid Mode?
Thanks.

It is on safe mode with enhanced protection mode checked.

Here are screens of all the settings:


What programs is this happening with? Are you getting the alerts also for programs you did not get alerts for until recent?

Do you make D+ rules for programs yourself or do you let CIS use a default rule for trusted applications?

It is happening with new programs that have never been run before. Programs that had been run before this started happening are not giving me those alerts.

I am using the predefined policies (Trusted Application, Installer or Updater) for most applications and infrequently make custom rules for certain applications.

Since the programs already installed did not start showing up in the logs, I conclude there is nothing wrong with the installation of CIS.

Those new programs probably all use memory access techniques. Remember that the techniques used by a program do not denote that it is malicious. Some techniques are more dangerous than others from a security point of view, but the techniques in themselves do not indicate a program is malicious.

The old programs mostly had “Trusted Application” status, so they did not give any alerts because they weren’t supposed to.
And almost none of the new programs use memory access techniques.

I just created a bat file on my desktop and put in only the line “echo test”. When I ran it, it asked for memory access.

The batch file you made should not trigger memory access. I tested it on my CIS v6.2 install to be 100% sure.

I would say something is up with your installation. What I want you to do is to import a factory default Proactive Configuration and activate it. When importing it, give it an applicable name so you don’t overwrite an existing configuration; name it e.g. “CIS - Proactive Configuration Clean”. The factory default configurations can be found in the CIS installation folder.

After doing this let us know how things go.

Still getting those alerts with the factory settings. :(

Can you please run Diagnostics and see what that comes up with and attach the report to your post? Could you also show us a couple of screenshot of the D+ logs? That is just to get a taste about what’s going on on your system.

Can you also check if guard32.dll is present in the system32 folder?

Do you remember what programs you installed around the time the problem started happening? Also make sure that there are no leftovers of previously uninstalled security programs around. Not all uninstallers do a proper job. Leftover applications, drivers or services can cause all sorts of “interesting effects”.

Try using removal tools for those programs to remove them. Here is a list of removal tools for common AV programs: ESET Knowledgebase.

The diagnostics did not report a problem.
guard64.dll is present in the System32 folder. (There is no guard32, but I guess that’s OK since it’s a 64-bit system.)

D+ log: http://i38.servimg.com/u/f38/13/13/40/49/cmd10.png
taskhost.exe is blocked as intrusion. Never noticed that before.
b.bat is the batch file with the echo line.

No other security program was installed. Comodo was installed from start on this system.

The System process is special because it doesn’t host an executable image like other processes. It exists solely to host operating system threads for the memory manager, cache manager, and other subsystems, as well as device driver threads. These threads execute entirely in kernel mode.

The System process is a special type of process on Vista called a “protected process” that doesn’t allow any access to its threads or memory. Protected processes were introduced to support Digital Rights Management (DRM) so that hi-definition content providers can store content encryption keys with a reduced risk of an administrative user using DRM-stripping tools to reach into the process and read the keys.

I’ve never seen resource access to ‘system’ for any system resource since I began using v4 in Jan 2010 except for external entities making connection attempts. My AT&T DSL modem periodically would poll my system, i.e., the NIC, on port 135. With my AT&T UVerse modem/router/wireless gateway, I don’t have to screen for pings sourced from the modem to host Windows Operating System or modem traffic on port 135 to System anymore (it was the only rule I needed for it). I just have to let multicast (IGMP) out by Windows Operating System (dest IP addr 224.0.0.2). I digress.

I suspect either a third-party device driver or an application to be the cause of this phenomenon. You changed something in the system configuration 3-4 months ago. Any chance you activated some enhanced security inherent to Win7, e.g. advanced DEP?

Where are you seeing that? On the ‘Summary’ tab in the firewall section? It’s not in the log you posted. But that’s D+. I think that alert is logged if taskhost.exe is blocked from an IP connection attempt (for whatever reason). If I were a betting man, I’d guess it was a loopback connection attempt.

TASKHOST is a generic process which acts as a host for processes that run from DLLs rather than EXEs. At startup, TASKHOST checks the Services portion of the Registry to construct a list of DLL-based services that it needs to load, and then loads them. There can be many instances of TASKHOST running, as there will be one instance of TASKHOST for every DLL-based service or grouping of services.

I bet that’s MS’ new and improved rundll-as-exe under a wrapper akin to the infamous svchost.

I forgot to mention something really important. :S

5 months ago I did a complete hardware change. The mainboard along with all other components was changed. The only thing that was left from the old computer was the hard drive with this OS.
I continued using this OS on the new hardware. Used the sysprep utility to transfer the OS to the new hardware. It is possible that comodo started giving me those alerts then but I am not really sure.

There was also a period a week after the hardware change when I was getting random BSODs once or twice a day with the error MEMORY_MANAGEMENT. I did a ram test and it showed errors. I was about to go and replace the ram stick but the BSODs stopped so I never did that. It lasted for 10 days and just suddenly stopped the same way it started.

Yes, on the Summary tab there is a counter for blocked intrusions (“Defense+ has blocked X intrusions”). Every time taskhost.exe makes an entry in the log, the counter increases.

DEP is disabled completely via the boot parameter.

First off, you don’t want DEP completely disabled. Did you turn that off after sysprep, or has that always been off? How did you do that sysprep with a single drive? Never having used sysprep, I’m curious.

Do you have enhanced-protection mode enabled?

If you intend to transfer a Windows image to a different computer, you must run the sysprep command with the /generalize option, even if the computer has the same hardware configuration. The sysprep /generalize command removes unique information from your Windows installation, which enables you to reuse that image on different computers.

I’m unfamiliar with the particulars of sysprep; I’m of the old-school persuasion. I.e., for a planned platform migration I launch regedit and remove sub-keys in:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum

See if there’s anything here that jumps out at you:

Have you tried re-installing CIS? If not, that’s something I’d consider in your position. Given your previous BSODs with respect to memory issues, you need to be familiar with my recent experiences (review my last post here):

https://forums.comodo.com/install-setup-configuration-help-cis/make-sure-you-wont-get-a-power-outage-if-you-uninstall-cis-t96191.0.html

Before doing a CIS uninstall, your ducks need to be completely in a row.

DEP has always been off. Some software that I used back then required DEP to be disabled.

I had one drive with 2 volumes, one with Win 7 which I was using daily and the other with XP which I used for testing purposes. I used sysprep on the main volume with Windows 7 and reinstalled XP. None of the limitations that you posted “jump out”.
Basically, when you run sysprep you have the option “Enter System Out-Of-Box Experience”, and if you select it, it will shut down and the next time you boot the OS, Windows Setup will start. It will be the same as when you start the OS for the first time after installation. It will detect and install all the devices and remove most of the old drivers.

I have enhanced protection mode enabled.

I uninstalled CIS one month ago and installed it again, hoping that it would fix my problem, but it didn’t. I have also noticed that without Comodo the startup time of the OS is dramatically improved. With CIS, after typing the username, the welcome screen stays for about 30 seconds and then the blank desktop background stays for another 30 seconds, but it can sometimes wait up to 2 minutes. Without CIS, it is barely 10 seconds.

Some software required DEP disabled? O RLY? What, you got an ‘I love you’ message in your e-mail that insisted that DEP had to be disabled before opening it or something? ;)

You really want it enabled for the OS at least. Furthermore, you can specify for which specific apps not to have it enabled. Let’s just set that aside for now.

The 30-second hang times you indicate during boot are just way too long. Something just ain’t right. I’m guessing that you’re logging in as a user. Does this problem occur if you log in as administrator?

See what version of AV defs is installed by looking in ‘About’ on the Summary tab. It should show something other than ‘0’; I’d imagine it does, else your AV defs won’t update, and I’m sure you’d complain about that.

It appears in the log you posted that the issue hadn’t occurred for 24 hours after the last one, i.e., 13 Jul 5 @ 13:14. Could you post a new one after rebooting? Highlight the last entry in the log before rebooting.

It’s OK to kick me for asking about ‘enhanced protection’. Although EricJH didn’t say anything about it, try turning ‘enhanced protection’ mode off.

Are you running TrinityCore?

With DEP and enhanced protection both off, if the problem continues, try stopping all the services related to the SQL server and prevent them from starting up by setting them to Manual in services.msc.
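The replies above ask for several things to be checked by hand: whether guard64.dll (and guard32.dll, the 32-bit hook) is present, what the DEP boot policy is, which applications have been opted out of DEP, and that the SQL Server services are set to Manual. The following script gathers all of that from one elevated PowerShell prompt. It is an added example, not a script from the thread or from Comodo, and it assumes that on 64-bit Windows the 32-bit guard32.dll lives in SysWOW64 while guard64.dll lives in System32, and that the service names of interest start with MSSQL or SQL; adjust those if your install differs.

```powershell
# Added example (not from the original thread). Run from an elevated PowerShell on Windows 7 x64.

# 1. CIS user-mode hook DLLs. Assumption: guard64.dll in System32, guard32.dll in SysWOW64.
$sys32 = Join-Path $env:windir 'System32'
$wow64 = Join-Path $env:windir 'SysWOW64'
foreach ($dll in @((Join-Path $sys32 'guard64.dll'), (Join-Path $wow64 'guard32.dll'))) {
    "{0,-45} present: {1}" -f $dll, (Test-Path $dll)
}

# 2. DEP policy as Windows reports it. DataExecutionPrevention_SupportPolicy:
#    0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (default), 3 = OptOut.
$os = Get-WmiObject Win32_OperatingSystem
$policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
$policy = [int]$os.DataExecutionPrevention_SupportPolicy
"DEP policy: {0} ({1}); hardware DEP available: {2}" -f $policy, $policyNames[$policy], $os.DataExecutionPrevention_Available
if ($policy -eq 0) {
    Write-Warning "DEP is AlwaysOff. Re-enable for the OS with:  bcdedit /set {current} nx OptIn   (then reboot)"
}
# The same setting as the boot loader sees it (the 'nx' line of the current boot entry).
bcdedit /enum '{current}' | Select-String -Pattern '^nx'

# 3. Per-application DEP opt-outs. The DEP tab of System Properties records them under
#    AppCompatFlags\Layers with 'DisableNXShowUI' in the value data (machine-wide and per-user).
foreach ($layers in @('HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers',
                      'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers')) {
    if (Test-Path $layers) {
        $key = Get-Item $layers
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name)
            if ($data -match 'DisableNXShowUI') { "DEP disabled per-app: $name  ($data)" }
        }
    }
}

# 4. SQL Server services: show status and start mode, then set them to Manual.
#    -WhatIf only previews the change; remove it to apply. Assumption: names start with MSSQL or SQL.
Get-Service | Where-Object { $_.Name -like 'MSSQL*' -or $_.Name -like 'SQL*' } | ForEach-Object {
    $mode = (Get-WmiObject Win32_Service -Filter "Name='$($_.Name)'").StartMode
    "{0,-30} {1,-8} start={2}" -f $_.Name, $_.Status, $mode
    Set-Service -Name $_.Name -StartupType Manual -WhatIf
}
```

Section 2 reports the policy both from WMI and from the boot entry so that a mismatch (for example after a stale BCD store survives a hardware migration) shows up; section 4 deliberately previews rather than applies the change, since stopping a SQL instance that other software depends on is the kind of thing you want to see listed first.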

I am logging in as administrator. Virus signature DB is 16572.
Here is the new log: http://i38.servimg.com/u/f38/13/13/40/49/untitl10.png
Everything above the highlighted entry including it is after the last boot.

It’s Solid Core. The SQL server is not the problem since I installed it less than 3 weeks ago.

I had disabled enhanced protection mode and was still getting the memory alerts. However, without EPM there was no delay in loading explorer.exe. The desktop elements appeared immediately after the welcome screen (there was no blank desktop in between). I rebooted 4 times just to make sure. Then I re-enabled EPM and there was still no delay for the next 2 reboots.

I looked at the D+ logs you provided and I see nothing alarming in them. From what I understood, you would have a lot of memory access attempts by many programs. But that is not the case. In short, there is nothing to worry about.

I am not familiar with sysprep so I cannot comment on how that would be of influence or not. When changing motherboard and maintaining an OS I always follow How to install a new motherboard without reinstalling Windows from Ars Technica. I know from experience that when changing motherboard brutally the OS will be belly up within days; I once did this going from a motherboard with VIA KT 333 to one with VIA KT 600 chipset.

If the memory test showed errors your memory is faulty. In that case simply replace your ram; make sure to check if it is still under warranty. Unless you had your system overclocked and later reverted the overclock I suspect the memory instability is still there. I have noticed it can lay low for a while. My advice is to test your memory with no overclocks and when the test shows errors it is faulty and needs to be replaced.

As to the delays upon boot that appear to be related to CIS: please make sure there are no leftovers of security programs you had installed in the past. A possible leftover can cause all sorts of “strange effects”. Please run clean-up tools for all security programs you had in the past. A list can be found here at the ESET website: ESET Knowledgebase.

You can also try Soluto to see how much time each process takes during boot.