Logoff/Logon causes RUNDLL and other Access Errors (v x32)[Fixed]

After doing a clean install, when I log off and then log back on again, I get several access denied messages. This does not happen when booting the system, only when logging off and then logging on again. Turning off D+ solves the problem, but that is not a solution for me.

Would those of you that have the time, try logging off and then on again and report back if you are seeing this problem and also if you did a clean install or update? My errors all have to do with rundll and two other programs. Thanks

I remember reading that rundll processing had changed, but I did not expect this. :slight_smile:

Edited: this problem occurs randomly. Usually takes a number of tries to make it appear.


IBM T41 Laptop
Intel(R) Pentium(R) M processor 1700MHz
1GB Memory
Windows XP + SP2 + WUS security Fixes
Symantec Antivirus Corporate Edition

[attachment deleted by admin]

In defence+ settings make sure the ‘Block all the unknown requests if the application is closed’ box is not ticked.

You could also try putting D+ into Training mode and then log off and back on and see if this helps. Put D+ back on to a higher setting after trying this.

Been there done that. Does not matter what mode except disabled. On a clean install “block all the unknown requests if the application is closed” is not enabled by default. I just checked and it is not enabled. I did not have this problem on my previous installation. New logic … new bugs :frowning:

Also, none of these access denied errors show up in the D+ logs.

Do you get any errors when logging off/on?


Changing rundll32.exe to be used as a “Windows System Application” gets rid of the rundll errors, but I’m not comfortable with this change. This assumption may be incorrect because the problem is random.

The other two programs above TClockEx and Statbar will still not start after logoff/logon The two programs are normally launched via the Run registry key. If I start them manually after the errors, they work fine.


I have the firewall on two XP systems and a Vista system and there have been no problems with any of them so far. Did a clean install on one XP system and an update on the other. The vista system was also updated.


OK, I uninstalled and did a new clean install. I waited for defense is learning to quiet down and tried again. Same problem. Same programs. I did find out though that doing logoff/logon multiple times would not always cause a problem. Since the problem always happend to me on the first try, I did not bother trying a number of times until now. Maybe it is a timing problem. I have no idea. Try about five or six times and see if you can get the problem to appear.

Al (I have an uneasy feeling this is becoming more of a ■■■■ shoot) Adric

Are you using StatBar?

If so there have been reported errors to do with time synchronization and also some other odd errors. Might be worth your while disabling StatBar if you have it and see what difference this makes.


Sorry, I can’t do without Statbar. ;D

Where have you seen problems reported on Statbar? I did not think that many people used it .Anyway, 304 is the first time I am seeing such behavior.

p.s. I don’t have time synchronization enabled in Statbar.


I remember seeing a few issues on some forum or other - the time sync problem is mentioned on Statbar website.

If you disable it temporarily and everything works after that then maybe we can figure out a way around the problem.


As edited above, I do not have time synchronization enabled in statbar. Besides, disabling statbar would still leave TClockEx. to deal with which I will try to verify shortly.

Verified. With stabar disabled, still having rundll and tclockex errors.


Only one more test.

Disable D+ monitor setting and enable them one at time to see if one of them is related tho this issue.

Maybe some error popups are due to a monitor setting while other errors to another monitor setting.

[attachment deleted by admin]

Disabling all monitor settings in D+ left me with only the Rundll errors. Enabling the Windows/WinEvent Hooks brought back the TClockEx error and enabling Window Messages brought back the StatBar error. Right now, I can consistently logoff/logon and produce these errors. Yesterday it was random.


Do you have Image execution control level set to “normal”? If not, try to set it to that mode to see if this change anything.

If it is already set to “normal”, can you create system restore point, and disable apps/services/dlls/drivers (excluding microsoft items and hardware drivers) from starting automatically (e. g. with the help of Autoruns)?
Then re-enable each of them by turn to the point errors appear. This may help to find out what exe/dll/sys are in confict with D+.

I don’t see a conflict here, but a bug :). If I logon fast enough after logoff, the error may or may not appear. Also, I have never seen this error after booting. Execution Control is set to normal. I previously tried all the other settings and that did not have any effect.

I already mentioned that TClockEx and StatBar were being started via:



The RUNDLL access errors are being caused by three DLL programs being started via:


All three DLLs are considered safe by CFP because I cannot add them to either My Pending Files
nor My Own Safe Files.

The remaining EXE programs being started from the HKLM registry key do not show any errors. Only
the ones being started from the HKCU registry key show errors.


A work-around for this problem was as follows:

  1. Manually added C:\Program Files\ThinkPad\Utilities* directory to Allowed Applications for rundll32.exe
    Note: I should not have to do this manually. Either D+ is learning should have added the rules or I should have received rundll32 alerts when loading to allow or block

  2. Manually added Allow Windows Messages to Process Access Rights for StatBar.
    Note: either D+ is learning or an Alert should have appeared for this rule addition

  3. Created Rule for TClockEx by launching the application manually.
    Note: No D+ is learning nor Alerts appear for rule creation when TClockEx is launched automatically

Al (Why are D+ is learning or action alerts not always appearing?) Adric

Clean-installed 309 and D+ is no longer complaining when logging off and then on again. It seems that “D+ is learning” is not always able to create all rules it has learned during boot. Even though I did see “D+ is learning” for TClockEx during boot, no rule was created. When I logged off/on “D+ is learning” for TClockEx popped up again and this time a rule was created. This did not happen previously and caused the errors that I discussed in this thread.

I still don’t like the behavior that “D+ is learning” sometimes misses creating rules until another learning instance for the application is activated, but it’s better than before.