Error: StartService(), Cannot start the driver: A device attached to the system is not functioning.

[anthonws]

Windows 10 x64 (Insider) Surface Book 2, 16GB RAM VSM enabled: Yes Cred. Guard enabled: Yes HVCI enabled: No

C:\Windows\Temp>winpmem.exe -o c:\Windows\Temp\test.dmp -ddd
2020-05-23 16:19:46 I This is The WinPmem memory imager. version 3.3rc2
2020-05-23 16:19:46 D Creating intermediate directories C:\
2020-05-23 16:19:46 D Creating intermediate directories C:\Users\
2020-05-23 16:19:46 D Creating intermediate directories C:\Users\USER\
2020-05-23 16:19:46 D Creating intermediate directories C:\Users\USER\AppData\
2020-05-23 16:19:46 D Creating intermediate directories C:\Users\USER\AppData\Local\
2020-05-23 16:19:46 D Creating intermediate directories C:\Users\USER\AppData\Local\Temp\
2020-05-23 16:19:46 I Extracted 45368 bytes into C:\Users\USER\AppData\Local\Temp\pme861B.tmp
2020-05-23 16:19:46 I Driver Unloaded.
2020-05-23 16:19:46 E Error: StartService(), Cannot start the driver: A device attached to the system is not functioning.

2020-05-23 16:19:46 I Trying to load non-attestation signed driver.
2020-05-23 16:19:46 D Creating intermediate directories C:\
2020-05-23 16:19:46 D Creating intermediate directories C:\Users\
2020-05-23 16:19:46 D Creating intermediate directories C:\Users\USER\
2020-05-23 16:19:46 D Creating intermediate directories C:\Users\USER\AppData\
2020-05-23 16:19:46 D Creating intermediate directories C:\Users\USER\AppData\Local\
2020-05-23 16:19:46 D Creating intermediate directories C:\Users\USER\AppData\Local\Temp\
2020-05-23 16:19:46 I Extracted 36176 bytes into C:\Users\USER\AppData\Local\Temp\pme867A.tmp
2020-05-23 16:19:47 I Driver Unloaded.
2020-05-23 16:19:47 E Error: StartService(), Cannot start the driver: A device attached to the system is not functioning.

IO_ERROR: at win_pmem.cc: 695
2020-05-23 16:19:47 E Imaging failed with error: IO_ERROR
2020-05-23 16:19:47 I Removed C:\Users\USER\AppData\Local\Temp\pme861B.tmp
2020-05-23 16:19:47 I Removed C:\Users\USER\AppData\Local\Temp\pme867A.tm
```p

[scudette]

I did hear there were some issues loading the driver on Windows insider edition - Maybe Microsoft tightened down driver loading this the new version?

Is there any clue in the event log why the driver won't load?

[ilay122]

@scudette Had the same problem on Version 2004 (Os Build 10.0.19041.329)

[scudette]

Ah interesting - it looks like it is unable to import a function it needs. Possibly one of the acquisition methods is no longer possible since the function it needs is not exported.

[ilay122]

@scudette actually no, that log is being printed before the GetProcAddress stuff. It fails to find the Kernel Base used in the GetProcAddress. You should probably use NtQuerySystemInformation with the SystemModuleInformation to get the kernel base It does not print "Fetching API ..."

[scudette]

Hmm yeah good point. The reason is calls getprocaddress in the first place is to try to be somewhat sneaky to try and prevent kernel mode rootkits from identifying that we are an imaging application by looking at import tables.

Maybe this is too complicated and we should stop doing that. I can prepare a fix but I am not able to sign the new driver. We could maybe ask our friends at binalyze to sign it again?

[igorrogov]

Hello everyone,

Is there any progress on this issue?

I've just got Windows 10 2004 update and winpmem has stopped working giving the same error (or maybe it's a different one?):

>winpmem.exe -ddd -o r:\tmp\image.tmp
2020-07-20 17:33:55 I This is The WinPmem memory imager. version 3.3rc2
2020-07-20 17:33:55 D Creating intermediate directories C:\
2020-07-20 17:33:55 D Creating intermediate directories C:\Users\
2020-07-20 17:33:55 D Creating intermediate directories C:\Users\igorr\
2020-07-20 17:33:55 D Creating intermediate directories C:\Users\igorr\AppData\
2020-07-20 17:33:55 D Creating intermediate directories C:\Users\igorr\AppData\Local\
2020-07-20 17:33:55 D Creating intermediate directories C:\Users\igorr\AppData\Local\Temp\
2020-07-20 17:33:55 I Extracted 45368 bytes into C:\Users\igorr\AppData\Local\Temp\pme82B9.tmp
2020-07-20 17:33:55 I Driver Unloaded.
2020-07-20 17:33:55 E Error: StartService(), Cannot start the driver: A device attached to the system is not functioning.

2020-07-20 17:33:55 I Trying to load non-attestation signed driver.
2020-07-20 17:33:55 D Creating intermediate directories C:\
2020-07-20 17:33:55 D Creating intermediate directories C:\Users\
2020-07-20 17:33:55 D Creating intermediate directories C:\Users\igorr\
2020-07-20 17:33:55 D Creating intermediate directories C:\Users\igorr\AppData\
2020-07-20 17:33:55 D Creating intermediate directories C:\Users\igorr\AppData\Local\
2020-07-20 17:33:55 D Creating intermediate directories C:\Users\igorr\AppData\Local\Temp\
2020-07-20 17:33:55 I Extracted 36176 bytes into C:\Users\igorr\AppData\Local\Temp\pme82D9.tmp
2020-07-20 17:33:55 I Driver Unloaded.
2020-07-20 17:33:55 E Error: StartService(), Cannot start the driver: Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

IO_ERROR: at win_pmem.cc: 695
2020-07-20 17:33:55 E Imaging failed with error: IO_ERROR
2020-07-20 17:33:56 I Removed C:\Users\igorr\AppData\Local\Temp\pme82B9.tmp
2020-07-20 17:33:56 I Removed C:\Users\igorr\AppData\Local\Temp\pme82D9.tmp

[ilay122]

@scudette don't know if it still matters but you can also use RtlPcToFileHeader with RtlPcToFileHeader as the parameter to get the kernel base, and by doing that have a REALLY minor change to the kernel module.

[scudette]

@ilay122 Thanks - https://docs.microsoft.com/en-us/windows/win32/api/winnt/nf-winnt-rtlpctofileheader indicates that this function is a userspace function so wont work in a kernel module.

I dont think it is worth obfuscating anyway - I will remove that code and go back to basics.

[ilay122]

@scudette sure, do what you think is right. But ntoskrnl.exe does export RtlPcToFileHeader and I have used it before.

[scudette]

@ilay122 Ah ok good to know! If it is available then it would be obviously the easiest solution :-) Thanks for the tip :+1:

[EccoTheFlintstone]

Any news on this fix?

[scudette]

Sorry not just yet. I will have to port the project to the latest VS to make it work with the latest DDK so it might be a bit more complex than I first thought. Hoping to make some progress soon.

Mike Cohen Digital Paleontologist, Velocidex Enterprises M ‭+61 470 238 491‬ <‭+61+470+238+491‬> E mike@velocidex.com mike@velocidex.com

On Thu, Aug 27, 2020 at 10:53 PM EccoTheFlintstone notifications@github.com wrote:

Any news on this fix?

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/Velocidex/c-aff4/issues/144#issuecomment-681929767, or unsubscribe https://github.com/notifications/unsubscribe-auth/AA5NRIV3BSFUT4KWQ42S733SCZJOFANCNFSM4NIPXVAA .

[anudedeus]

Hi all, I just confirmed that Winpmem 3.3rc3 has this issue on ANY Windows 10 version 2004.

Basically, I created a brand new VM using the Win 10 v.2004 ISO and the right out of the box Winpmem was failing to start the driver. After that, I had my existing VMs with Windows 10 v.1909 where Winpmem always worked, and to confirm the issue I decided to execute the upgrade to version 2004, and immediately after the first restart Winpmem was failing to load the driver. In the end, I've confirmed it fails in Windows 10 Enterprise and Windows 10 Professional for Workstations editions.

I have attached a screenshot just to confirm the Windows build number and also Winpmem output

I'll be very interested in seeing a fix for this issue, and I'll be happy to test any new release in the same VMs to confirm if the issue persists.

Regards, Alex Automated QA Engineer

[scudette]

There has been a lot of work done on Winpmem by Viviane here https://github.com/Velocidex/WinPmem and it is almost ready for the next release. The new code not only works on all architectures but it is also significantly faster.

[igorrogov]

Just an update: 4.0rc1 release mentioned above fixes the problem with Win10 2004 update, but it doesn't support VSM mode yet. So if you have a PC with both Win10 2004 and VSM, there is no solution for that yet.

[ilay122]

@igorrogov why would not it work? the driver loaded fine on my PC, which has HYPER-V and VSM enabled. Reading memory was also working. or maybe I don't understand what you mean by VSM mode ?

I have Windows Version 2004, 19041.508 (intel x64)

[scudette]

Just to clarify. VSM (sometimes called memory guard) uses a hypervisor and in that case reading memory actually fails. The imager has to go back and mark certain pages as unreadable.

This is now fixed in the rc2 binary in the release page so have a go a testing it. You will see when a page is unreadable the progress symbol will be an x icterus l instead of a .

[ber999]

error win_pmem.cc: 695 again

-

System

- Provider [ Name] Service Control Manager [ Guid] {555908d1-a6d7-4695-8e1e-26931d2012f4} [ EventSourceName] Service Control Manager

- EventID 7000 [ Qualifiers] 49152

Version 0

Level 2

Task 0

Opcode 0

Keywords 0x8080000000000000

- TimeCreated [ SystemTime] 2022-06-11T07:17:54.6947851Z

EventRecordID 93674

Correlation

- Execution [ ProcessID] 952 [ ThreadID] 6944

Channel System

Computer HP-4730-W-10

Security

-

EventData

param1

pmem

param2

%%31

70006D0065006D000000

---

Binäre Daten:

In Wörtern

0000: 006D0070 006D0065 0000

In Bytes

0000: 70 00 6D 00 65 00 6D 00 p.m.e.m.
0008: 00 00 ..

[chadbrewbaker]

I'm getting the same error on windows-latest Github worker instance.

[scudette]

The winpmem project moved here https://github.com/Velocidex/WinPmem

[Lao-Shen]

I believe this is a driver naming conflict. When Windows' pmem driver (located at C:\Windows\System32\Drivers\pmem.sys) is running, the winpmem_mini_x64_rc2.exe service cannot start because the driver included with winpmem_mini_x64_rc2.exe is also named pmem. When the Windows pmem driver is not active, winpmem_mini_x64_rc2.exe runs normally.

[Lao-Shen]

我相信这是驱动程序命名冲突。当 Windows 的 pmem 驱动程序（位于 C：\Windows\System32\Drivers\pmem.sys）运行时，winpmem_mini_x64_rc2.exe服务无法启动，因为 winpmem_mini_x64_rc2.exe 附带的驱动程序也命名为 pmem。当 Windows pmem 驱动程序未处于活动状态时，winpmem_mini_x64_rc2.exe正常运行。

When winpmem_mini_x64_rc2.exe is not working, you can run sc query pmem in PowerShell to check if Windows' pmem is running. However, I cannot stop it unless I restart the system.