hfiref0x / TDL

Driver loader for bypassing Windows x64 Driver Signature Enforcement
BSD 2-Clause "Simplified" License
1.05k stars, 332 forks

Failed to load vulnerable driver #6

Closed ryanbentley closed 8 years ago

ryanbentley commented 8 years ago

Turla Driver Loader v1.0.0 started
(c) 2016 TDL Project
Supported x64 OS : 7 and above
Ldr: Windows v10.0 build 10586
SCM: Vulnerable driver load failure

DebugView doesn't show anything. I've also tried using DSEFix, and that also fails to load.

hfiref0x commented 8 years ago

Not enough information. Profile its launch with ProcMon. In any case it doesn't look like a TDL/DSEFix problem, but more likely your software configuration.

ryanbentley commented 8 years ago

Furutaka.exe vboxdrv_exploitable.sys dummy.sys

This is how I'm launching it. What information would you like from ProcMon? I'd really appreciate getting this to work on my machine. Thanks in advance!

hfiref0x commented 8 years ago

There is no need to launch the vbox driver. It will be loaded by the program itself.

You should call it: furutaka.exe dummy.sys

Actually, if you run furutaka.exe without parameters it will output help with a run example:

c:\tools\tdl.exe
Turla Driver Loader v1.0.0 started
(c) 2016 TDL Project
Supported x64 OS : 7 and above
Ldr: Windows v6.3 build 9600
Usage: loader drivertoload
e.g. loader mydrv.sys

ryanbentley commented 8 years ago

Furutaka.exe dummy.sys
Turla Driver Loader v1.0.0 started
(c) 2016 TDL Project
Supported x64 OS : 7 and above
Ldr: Windows v10.0 build 10586
SCM: Vulnerable driver load failure

Trying DSEFix also:

[6060] [DF] DSEFix v1.1.0 started
[6060] DF 2014 - 2015 DSEFix Project
[6060] [DF] Supported x64 OS : Vista / 7 / 8 / 8.1 / 10
[6060] [DF] DSE will be disabled
[6060] [DF] Failed to load vulnerable driver

hfiref0x commented 8 years ago

Reboot the machine and make sure no vboxdrv.sys is loaded before running tdl (elevated cmd -> net stop vboxdrv.sys). If tdl still fails, run Sysinternals ProcMon with a filter set on the tdl application name and post the log result somewhere.

ryanbentley commented 8 years ago

I've attached the ProcMon log file to this comment.

https://www.dropbox.com/s/pnjss8f5k0a8zl4/Logfile.PML?dl=0

hfiref0x commented 8 years ago

It seems program execution stopped at SCM driver installation.

Check if you can create the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VBoxDrv

Probably you have software that blocks driver installation. We can get better results if you include "services.exe" in the ProcMon filters (this process runs the SCM operations).

ryanbentley commented 8 years ago

I can create the key manually without issues.

I don't run any anti-virus, except Windows Defender.

Here's another log with services.exe included:

https://www.dropbox.com/s/po2owprvotqzeyx/Logfile2.PML?dl=1

hfiref0x commented 8 years ago

11:21:53,5302778 services.exe 696 RegOpenKey HKLM\System\CurrentControlSet\Services\VBoxDrv NAME NOT FOUND Desired Access: Read
11:21:53,5302954 services.exe 696 RegOpenKey HKLM\System\CurrentControlSet\Services\VBoxDrv NAME NOT FOUND Desired Access: Read
11:21:53,5303041 services.exe 696 RegOpenKey HKLM\System\CurrentControlSet\Services\VBoxDrv NAME NOT FOUND Desired Access: Read
11:21:53,5303178 services.exe 696 RegOpenKey HKLM\System\CurrentControlSet\Services\VBoxDrv NAME NOT FOUND Desired Access: Read

Something prevented SCM from creating this key.

You can try manually importing this registry data; however, I don't know if it will work.

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VBoxDrv]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):5c,53,79,73,74,65,6d,52,6f,6f,74,5c,73,79,73,74,65,6d,33,32,\
  5c,44,52,49,56,45,52,53,5c,56,42,6f,78,44,72,76,2e,73,79,73,00
"DisplayName"="VirtualBox Service"

It is not necessarily AV; it may also be (since this loader is used by various game hacks) a game anticheat or some other countermeasure.

ryanbentley commented 8 years ago

I've manually inserted the registry data, and you can see that in the latest log. Regardless of this, it still fails:

https://www.dropbox.com/s/9cqv8lbyux9vrzs/Logfile3.PML?dl=1

hfiref0x commented 8 years ago

Ok.
1) insert the registry data again
2) restart the machine (so SCM can recognize it), make sure the registry data is in place after reboot
3) copy vboxdrv_exploitable.sys as vboxdrv.sys to c:\windows\system32\drivers
4) run cmd.exe elevated
5) net start vboxdrv

hfiref0x commented 8 years ago

This is how the log looks on a clean 14361 Windows 10 install.

8:54:37.4893961 AM services.exe 556 RegOpenKey HKLM\System\CurrentControlSet\Services\VBoxDrv REPARSE Desired Access: Read
8:54:37.4894126 AM services.exe 556 RegOpenKey HKLM\System\CurrentControlSet\Services\VBoxDrv SUCCESS Desired Access: Read
8:54:37.4894266 AM services.exe 556 RegQueryValue HKLM\System\CurrentControlSet\Services\VBoxDrv\ObjectName NAME NOT FOUND Length: 80
8:54:37.4894359 AM services.exe 556 RegQueryValue HKLM\System\CurrentControlSet\Services\VBoxDrv\Type SUCCESS Type: REG_DWORD, Length: 4, Data: 1
8:54:37.4894450 AM services.exe 556 RegQueryKey HKLM\System\CurrentControlSet\Services\VBoxDrv SUCCESS Query: Basic, Name: VBoxDrv
8:54:37.4894577 AM services.exe 556 RegCloseKey HKLM\System\CurrentControlSet\Services\VBoxDrv SUCCESS
8:54:37.4966187 AM services.exe 556 RegOpenKey HKLM\System\CurrentControlSet\Services\VBoxDrv SUCCESS Desired Access: Write
8:54:37.4966451 AM services.exe 556 RegSetValue HKLM\System\CurrentControlSet\Services\VBoxDrv\DeleteFlag SUCCESS Type: REG_DWORD, Length: 4, Data: 1
8:54:37.4966837 AM services.exe 556 RegSetValue HKLM\System\CurrentControlSet\Services\VBoxDrv\Start SUCCESS Type: REG_DWORD, Length: 4, Data: 4
8:54:37.4967145 AM services.exe 556 RegQueryKey HKLM\System\CurrentControlSet\Services\VBoxDrv SUCCESS Query: HandleTags, HandleTags: 0x0
8:54:37.4967253 AM services.exe 556 RegOpenKey HKLM\System\CurrentControlSet\Services\VBoxDrv\StartOverride NAME NOT FOUND Desired Access: Maximum Allowed
8:54:37.4967508 AM services.exe 556 RegCloseKey HKLM\System\CurrentControlSet\Services\VBoxDrv SUCCESS
8:54:37.4968336 AM services.exe 556 RegOpenKey HKLM\System\CurrentControlSet\Services REPARSE Desired Access: Read, Delete
8:54:37.4968469 AM services.exe 556 RegOpenKey HKLM\System\CurrentControlSet\Services SUCCESS Desired Access: Read, Delete
8:54:37.4968588 AM services.exe 556 RegOpenKey HKLM\System\CurrentControlSet\Services\VBoxDrv SUCCESS Desired Access: Read, Delete
8:54:37.4968678 AM services.exe 556 RegQueryKey HKLM\System\CurrentControlSet\Services\VBoxDrv SUCCESS Query: Full, SubKeys: 0, Values: 6
8:54:37.4968771 AM services.exe 556 RegCloseKey HKLM\System\CurrentControlSet\Services\VBoxDrv SUCCESS
8:54:37.4968836 AM services.exe 556 RegOpenKey HKLM\System\CurrentControlSet\Services\VBoxDrv SUCCESS Desired Access: Read, Delete
8:54:37.4968923 AM services.exe 556 RegDeleteKey HKLM\System\CurrentControlSet\Services\VBoxDrv SUCCESS
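The two traces in this thread differ in one mechanical way: in the failing one services.exe only ever gets NAME NOT FOUND on the VBoxDrv service key, while on the clean install the open succeeds and the key is later marked for deletion and removed. The script below, an added example that is not TDL project code, turns that comparison into a check: it reads a ProcMon CSV export (assumed to be produced with File > Save in CSV format with the default columns Time of Day, Process Name, PID, Operation, Path, Result, Detail), keeps only the registry operations services.exe performed on a named service key, and reports whether the SCM ever obtained the key. The two embedded traces are constructed from the excerpts posted above (abbreviated, and with a dot instead of the locale comma in the timestamp); the service name and column layout are assumptions.

```python
"""Triage a Process Monitor CSV export for a blocked SCM driver registration.

Added example, not part of the TDL project.  Assumes the trace was exported
with ProcMon's File > Save (CSV) using the default columns:
Time of Day, Process Name, PID, Operation, Path, Result, Detail.
"""
import csv
import io
from collections import Counter

# Constructed sample modelled on the user's trace above: services.exe only
# ever fails to open the VBoxDrv service key.  Not a real export file.
BLOCKED_TRACE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"11:21:53.5302778","services.exe","696","RegOpenKey","HKLM\System\CurrentControlSet\Services\VBoxDrv","NAME NOT FOUND","Desired Access: Read"
"11:21:53.5302954","services.exe","696","RegOpenKey","HKLM\System\CurrentControlSet\Services\VBoxDrv","NAME NOT FOUND","Desired Access: Read"
"11:21:53.5303041","services.exe","696","RegOpenKey","HKLM\System\CurrentControlSet\Services\VBoxDrv","NAME NOT FOUND","Desired Access: Read"
"11:21:53.5303178","services.exe","696","RegOpenKey","HKLM\System\CurrentControlSet\Services\VBoxDrv","NAME NOT FOUND","Desired Access: Read"
'''

# Constructed sample abbreviated from the clean Windows 10 trace above:
# the key opens, DeleteFlag is set, and the key is finally deleted.
CLEAN_TRACE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"8:54:37.4893961","services.exe","556","RegOpenKey","HKLM\System\CurrentControlSet\Services\VBoxDrv","REPARSE","Desired Access: Read"
"8:54:37.4894126","services.exe","556","RegOpenKey","HKLM\System\CurrentControlSet\Services\VBoxDrv","SUCCESS","Desired Access: Read"
"8:54:37.4894359","services.exe","556","RegQueryValue","HKLM\System\CurrentControlSet\Services\VBoxDrv\Type","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"8:54:37.4966451","services.exe","556","RegSetValue","HKLM\System\CurrentControlSet\Services\VBoxDrv\DeleteFlag","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"8:54:37.4968923","services.exe","556","RegDeleteKey","HKLM\System\CurrentControlSet\Services\VBoxDrv","SUCCESS",""
'''


def parse_trace(csv_text):
    """Parse a ProcMon CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def scm_ops_on_service(rows, service_name):
    """Registry operations services.exe (the SCM) performed on the service key
    itself or on values/subkeys directly beneath it."""
    key = "\\services\\" + service_name.lower()

    def on_key(path):
        p = path.lower()
        return p.endswith(key) or (key + "\\") in p

    return [
        r for r in rows
        if r["Process Name"].lower() == "services.exe"
        and r["Operation"].startswith("Reg")
        and on_key(r["Path"])
    ]


def classify_install(rows, service_name):
    """Decide whether the SCM ever got a handle to the service key.

    Verdicts:
      key-present : an open or create of the key succeeded, so registration
                    was not vetoed at the registry layer
      key-missing : every open failed and nothing ever created the key;
                    compare with a clean trace and look for a driver that
                    filters registry access (e.g. via CmRegisterCallback)
      no-activity : no services.exe operations on that key were captured
                    (filter too narrow, or the SCM was never reached)
    """
    ops = scm_ops_on_service(rows, service_name)
    counts = Counter((r["Operation"], r["Result"]) for r in ops)
    key_opened = any(
        op in ("RegOpenKey", "RegCreateKey") and res == "SUCCESS"
        for (op, res) in counts
    )
    if not ops:
        verdict = "no-activity"
    elif key_opened:
        verdict = "key-present"
    else:
        verdict = "key-missing"
    return {
        "verdict": verdict,
        "counts": dict(counts),
        # The loader removes the service after use; a clean run shows it.
        "cleaned_up": counts[("RegDeleteKey", "SUCCESS")] > 0,
    }


if __name__ == "__main__":
    for label, text in (("user trace", BLOCKED_TRACE), ("clean trace", CLEAN_TRACE)):
        print(label, classify_install(parse_trace(text), "VBoxDrv"))
```

To use it on a real capture, filter ProcMon on the loader's process name plus services.exe before saving, then point parse_trace at the saved file's contents. A "key-missing" verdict on its own only says the SCM never saw the key; the next step, as in this thread, is to list loaded drivers and look for anything that filters registry access.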

ryanbentley commented 8 years ago

After restarting, VBoxDrv is running at the moment, no issues. However:

\driver>Furutaka.exe dummy.sys
Turla Driver Loader v1.0.0 started
(c) 2016 TDL Project
Supported x64 OS : 7 and above
Ldr: Windows v10.0 build 10586
Ldr: Active VirtualBox found in system, attempt unload it
SCM: VBoxDrv driver unloaded
SCM: Vulnerable driver load failure

https://www.dropbox.com/s/ljbgp351bafubuz/Logfile4.PML?dl=1

ryanbentley commented 8 years ago

Do you think it's an issue with Windows build 10586? You are using an insider version and it's working fine. What are my next steps?

hfiref0x commented 8 years ago

I think you have a 3rd party driver loaded that uses a CmRegisterCallback filter to monitor access to the registry keys. Can you post a complete list of loaded drivers?

Also I will do a special version with a different driver load method and give it to you to test. I suppose this filter works for registry access only if the caller is in the services.exe context.

hfiref0x commented 8 years ago

https://www.sendspace.com/file/iqemw7

Run it as usual. Watch the debug messages with DbgView if it fails. It is a slightly changed version with direct driver load without SCM.

pwd 12345

ryanbentley commented 8 years ago

1394ohci, 1394 OHCI Compliant Host Controller, Driver, Stopped, Demand start
3ware, 3ware, Driver, Stopped, Demand start
ACPI, Microsoft ACPI Driver, Driver, Running, Boot start
acpiex, Microsoft ACPIEx Driver, Driver, Running, Boot start
acpipagr, ACPI Processor Aggregator Driver, Driver, Stopped, Demand start
AcpiPmi, ACPI Power Meter Driver, Driver, Stopped, Demand start
acpitime, ACPI Wake Alarm Driver, Driver, Stopped, Demand start
ADP80XX, ADP80XX, Driver, Stopped, Demand start
AFD, Ancillary Function Driver for Winsock, Driver, Running, System start
agp440, Intel AGP Bus Filter, Driver, Stopped, Demand start
ahcache, Application Compatibility Cache, Driver, Running, System start
xboxgip, Xbox Game Input Protocol Driver, Driver, Stopped, Demand start
WUDFWpdFs, WUDFWpdFs, Driver, Stopped, Demand start
AmdK8, AMD K8 Processor Driver, Driver, Stopped, Demand start
AmdPPM, AMD Processor Driver, Driver, Stopped, Demand start
amdsata, amdsata, Driver, Stopped, Demand start
amdsbs, amdsbs, Driver, Stopped, Demand start
amdxata, amdxata, Driver, Stopped, Demand start
AppID, AppID Driver, Driver, Stopped, Demand start
WUDFRd, WUDFRd, Driver, Stopped, Demand start
WudfPf, User Mode Driver Frameworks Platform Driver, Driver, Running, Demand start
ws2ifsl, Winsock IFS Driver, Driver, Stopped, Disabled
WpdUpFltr, WPD Upper Class Filter Driver, Driver, Stopped, Demand start
wpcfltr, Family Safety Filter Driver, Driver, Stopped, Demand start
arcsas, Adaptec SAS/SATA-II RAID Storport's Miniport Driver, Driver, Stopped, Demand start
AsyncMac, RAS Asynchronous Media Driver, Driver, Stopped, Demand start
atapi, IDE Channel, Driver, Stopped, Demand start
WmiAcpi, Microsoft Windows Management Interface for ACPI, Driver, Running, Demand start
WinVerbs, WinVerbs Service, Driver, Stopped, Demand start
WINUSB, WinUsb Driver, Driver, Stopped, Demand start
b06bdrv, Broadcom NetXtreme II VBD, Driver, Stopped, Demand start
BasicDisplay, BasicDisplay, Driver, Running, System start
BasicRender, BasicRender, Driver, Running, System start
bcmfn, bcmfn Service, Driver, Stopped, Demand start
bcmfn2, bcmfn2 Service, Driver, Stopped, Demand start
WinMad, WinMad Service, Driver, Stopped, Demand start
Beep, Beep, Driver, Running, System start
WindowsTrustedRTProxy, Microsoft Windows Trusted Runtime Secure Service, Driver, Running, Boot start
WindowsTrustedRT, Windows Trusted Execution Environment Class Extension, Driver, Running, Boot start
WFPLWFS, Microsoft Windows Filtering Platform, Driver, Running, Boot start
WdNisDrv, Windows Defender Network Inspection System Driver, Driver, Running, Demand start
wdiwifi, WDI Driver Framework, Driver, Stopped, Demand start
Wdf01000, Kernel Mode Driver Frameworks service, Driver, Running, Boot start
BthAvrcpTg, Bluetooth Audio/Video Remote Control HID, Driver, Stopped, Demand start
BthHFEnum, Bluetooth Hands-Free Audio and Call Control HID Enumerator, Driver, Stopped, Demand start
bthhfhid, Bluetooth Hands-Free Call Control HID, Driver, Stopped, Demand start
WdBoot, Windows Defender Boot Driver, Driver, Stopped, Boot start
BTHMODEM, Bluetooth Modem Communications Driver, Driver, Stopped, Demand start
wanarpv6, Remote Access IPv6 ARP Driver, Driver, Stopped, Demand start
buttonconverter, Service for Portable Device Control devices, Driver, Stopped, Demand start
CapImg, HID driver for CapImg touch screen, Driver, Stopped, Demand start
wanarp, Remote Access IP ARP Driver, Driver, Stopped, Demand start
WacomPen, Wacom Serial Pen HID Driver, Driver, Stopped, Demand start
cdrom, CD-ROM Driver, Driver, Stopped, System start
vwififlt, Virtual WiFi Filter Driver, Driver, Running, System start
circlass, Consumer IR Devices, Driver, Stopped, Demand start
CLFS, Common Log (CLFS), Driver, Running, Boot start
vwifibus, Virtual Wi-Fi Bus Driver, Driver, Stopped, Demand start
CmBatt, Microsoft ACPI Control Method Battery Driver, Driver, Stopped, Demand start
cmudaxp, ASUS Xonar DSX Audio Interface, Driver, Running, Demand start
CNG, CNG, Driver, Running, Boot start
cnghwassist, CNG Hardware Assist algorithm provider, Driver, Stopped, Disabled
CompositeBus, Composite Bus Enumerator Driver, Driver, Running, Demand start
VSTXRAID, VIA StorX Storage RAID Controller Windows Driver, Driver, Stopped, Demand start
condrv, Console Driver, Driver, Running, Demand start
vsmraid, vsmraid, Driver, Stopped, Demand start
vpci, Microsoft Hyper-V Virtual PCI Bus, Driver, Stopped, Demand start
CSC, Offline Files Driver, Driver, Running, System start
volsnap, Storage volumes, Driver, Running, Boot start
dam, Desktop Activity Moderator Driver, Driver, Stopped, System start
volmgrx, Dynamic Volume Manager, Driver, Running, Boot start
volmgr, Volume Manager Driver, Driver, Running, Boot start
VMBusHID, VMBusHID, Driver, Stopped, Demand start
vmbus, Virtual Machine Bus, Driver, Stopped, Demand start
VIAHdAudAddService, VIA High Definition Audio Driver Service, Driver, Running, Demand start
vhf, Virtual HID Framework (VHF) Driver, Driver, Stopped, Demand start
vhdmp, vhdmp, Driver, Stopped, Demand start
VerifierExt, VerifierExt, Driver, Stopped, Demand start
vdrvroot, Microsoft Virtual Drive Enumerator, Driver, Running, Boot start
VBoxDrv, VirtualBox Service, Driver, Stopped, System start
disk, Disk Driver, Driver, Running, Boot start
DlYPToSlTPqfIXJXSfSeFRFSjxCklKyDTPADdWkXucQqrQmISPTlhFcyQXUaCuj, DlYPToSlTPqfIXJXSfSeFRFSjxCklKyDTPADdWkXucQqrQmISPTlhFcyQXUaCuj, Driver, Stopped, Demand start
USBXHCI, USB xHCI Compliant Host Controller, Driver, Stopped, Demand start
dmvsc, dmvsc, Driver, Stopped, Demand start
usbuhci, Microsoft USB Universal Host Controller Miniport Driver, Driver, Stopped, Demand start
USBSTOR, USB Mass Storage Driver, Driver, Stopped, Demand start
usbser, Microsoft USB Serial Driver, Driver, Stopped, Demand start
usbprint, Microsoft USB PRINTER Class, Driver, Stopped, Demand start
usbohci, Microsoft USB Open Host Controller Miniport Driver, Driver, Stopped, Demand start
drmkaud, Microsoft Trusted Audio Drivers, Driver, Stopped, Demand start
USBHUB3, SuperSpeed Hub, Driver, Stopped, Demand start
usbhub, Microsoft USB Standard Hub Driver, Driver, Running, Demand start
DXGKrnl, LDDM Graphics Subsystem, Driver, Running, Demand start
usbehci, Microsoft USB 2.0 Enhanced Host Controller Miniport Driver, Driver, Running, Demand start
usbcir, eHome Infrared Receiver (USBCIR), Driver, Stopped, Demand start
ebdrv, QLogic 10 Gigabit Ethernet Adapter VBD, Driver, Stopped, Demand start
usbccgp, Microsoft USB Generic Parent Driver, Driver, Running, Demand start
EhStorClass, Enhanced Storage Filter Driver, Driver, Running, Boot start
EhStorTcgDrv, Microsoft driver for storage devices supporting IEEE 1667 and TCG protocols, Driver, Stopped, Demand start
UrsSynopsys, Synopsys USB Role-Switch Driver, Driver, Stopped, Demand start
UrsCx01000, USB Role-Switch Support Library, Driver, Stopped, Demand start
ErrDev, Microsoft Hardware Error Device Driver, Driver, Stopped, Demand start
ESEADriver2, ESEADriver2, Driver, Running, System start
UrsChipidea, Chipidea USB Role-Switch Driver, Driver, Stopped, Demand start
UmPass, Microsoft UMPass Driver, Driver, Stopped, Demand start
umbus, UMBus Enumerator Driver, Driver, Running, Demand start
uliagpkx, Uli AGP Bus Filter, Driver, Stopped, Demand start
ufxsynopsys, USB Synopsys Controller, Driver, Stopped, Demand start
fdc, Floppy Disk Controller Driver, Driver, Stopped, Demand start
UfxChipidea, USB Chipidea Controller, Driver, Stopped, Demand start
Ufx01000, USB Function Class Extension, Driver, Stopped, Demand start
fEdkgrpaTPHsohrqwUEPclFSvpqZgxLpPhIrAFZwikuxdZrGFaILPEHHKeGkEHy, fEdkgrpaTPHsohrqwUEPclFSvpqZgxLpPhIrAFZwikuxdZrGFaILPEHHKeGkEHy, Driver, Stopped, Demand start
UEFI, Microsoft UEFI Driver, Driver, Stopped, Demand start
UdeCx, USB Device Emulation Support Library, Driver, Stopped, Demand start
Ucx01000, USB Host Support Library, Driver, Stopped, Demand start
UcmUcsi, USB Connector Manager UCSI Client, Driver, Stopped, Demand start
flpydisk, Floppy Disk Driver, Driver, Stopped, Demand start
UcmCx0101, USB Connector Manager KMDF Class Extension, Driver, Stopped, Demand start
UASPStor, USB Attached SCSI (UAS) Driver, Driver, Stopped, Demand start
uagp35, Microsoft AGPv3.5 Filter, Driver, Stopped, Demand start
tunnel, Microsoft Tunnel Miniport Adapter Driver, Driver, Running, Demand start
fvevol, BitLocker Drive Encryption Filter Driver, Driver, Running, Boot start
gagp30kx, Microsoft Generic AGPv3.0 Filter for K8 Processor Platforms, Driver, Stopped, Demand start
gencounter, Microsoft Hyper-V Generation Counter, Driver, Stopped, Demand start
genericusbfn, Generic USB Function Class, Driver, Stopped, Demand start
TsUsbGD, Remote Desktop Generic USB Device, Driver, Stopped, Demand start
GPIOClx0101, Microsoft GPIO Class Extension Driver, Driver, Stopped, Demand start
tsusbflt, Remote Desktop USB Hub Class Filter Driver, Driver, Stopped, Demand start
GpuEnergyDrv, GPU Energy Driver, Driver, Running, System start
TPM, TPM, Driver, Stopped, Demand start
terminpt, Microsoft Remote Desktop Input Driver, Driver, Stopped, Demand start
HdAudAddService, Microsoft 1.1 UAA Function Driver for High Definition Audio Service, Driver, Stopped, Demand start
HDAudBus, Microsoft UAA Bus Driver for High Definition Audio, Driver, Running, Demand start
HidBatt, HID UPS Battery Driver, Driver, Stopped, Demand start
HidBth, Microsoft Bluetooth HID Miniport, Driver, Stopped, Demand start
hidi2c, Microsoft I2C HID Miniport Driver, Driver, Stopped, Demand start
hidinterrupt, Common Driver for HID Buttons implemented with interrupts, Driver, Stopped, Demand start
HidIr, Microsoft Infrared HID Driver, Driver, Stopped, Demand start
tdx, NetIO Legacy TDI Support Driver, Driver, Running, System start
HidUsb, Microsoft HID Class Driver, Driver, Running, Demand start
tcpipreg, TCP/IP Registry Compatibility, Driver, Running, Auto start
HpSAMD, HpSAMD, Driver, Stopped, Demand start
HTTP, HTTP Service, Driver, Running, Demand start
hwpolicy, Hardware Policy Driver, Driver, Stopped, Boot start
hyperkbd, hyperkbd, Driver, Stopped, Demand start
i8042prt, PS/2 Keyboard and Mouse Port Driver, Driver, Stopped, Demand start
iai2c, Intel(R) Serial IO I2C Host Controller, Driver, Stopped, Demand start
iaLPSS2i_I2C, Intel(R) Serial IO I2C Driver v2, Driver, Stopped, Demand start
iaLPSSi_GPIO, Intel(R) Serial IO GPIO Controller Driver, Driver, Stopped, Demand start
iaLPSSi_I2C, Intel(R) Serial IO I2C Controller Driver, Driver, Stopped, Demand start
iaStorAV, Intel(R) SATA RAID Controller Windows, Driver, Stopped, Demand start
iaStorV, Intel RAID Controller Windows 7, Driver, Stopped, Demand start
ibbus, Mellanox InfiniBand Bus/AL (Filter Driver), Driver, Stopped, Demand start
Tcpip6, @todo.dll,-100;Microsoft IPv6 Protocol Driver, Driver, Stopped, Demand start
Tcpip, TCP/IP Protocol Driver, Driver, Running, Boot start
Synth3dVsc, Synth3dVsc, Driver, Stopped, Demand start
intelide, intelide, Driver, Stopped, Demand start
intelpep, Intel(R) Power Engine Plug-in Driver, Driver, Stopped, Demand start
intelppm, Intel Processor Driver, Driver, Running, Demand start
swenum, Software Bus Driver, Driver, Running, Demand start
IpFilterDriver, IP Traffic Filter Driver, Driver, Stopped, Demand start
storvsc, storvsc, Driver, Stopped, Demand start
IPMIDRV, IPMIDRV, Driver, Stopped, Demand start
IPNAT, IP Network Address Translator, Driver, Stopped, Demand start
IRENUM, IR Bus Enumerator, Driver, Stopped, Demand start
isapnp, isapnp, Driver, Stopped, Demand start
iScsiPrt, iScsiPort Driver, Driver, Stopped, Demand start
kbdclass, Keyboard Class Driver, Driver, Running, Demand start
kbdhid, Keyboard HID Driver, Driver, Running, Demand start
kdnic, Microsoft Kernel Debug Network Miniport (NDIS 6.20), Driver, Running, Demand start
storufs, Microsoft Universal Flash Storage (UFS) Driver, Driver, Stopped, Demand start
KSecDD, KSecDD, Driver, Running, Boot start
KSecPkg, KSecPkg, Driver, Running, Boot start
ksthunk, Kernel Streaming Thunks, Driver, Running, Demand start
stornvme, Microsoft Standard NVM Express Driver, Driver, Stopped, Demand start
storflt, Microsoft Hyper-V Storage Accelerator, Driver, Stopped, Demand start
storahci, Microsoft Standard SATA AHCI Driver, Driver, Running, Boot start
stexstor, stexstor, Driver, Stopped, Demand start
SpbCx, Simple Peripheral Bus Support Library, Driver, Stopped, Demand start
lltdio, Link-Layer Topology Discovery Mapper I/O Driver, Driver, Running, Auto start
spaceport, Storage Spaces Driver, Driver, Running, Boot start
SiSRaid4, SiSRaid4, Driver, Stopped, Demand start
LSI_SAS, LSI_SAS, Driver, Stopped, Demand start
LSI_SAS2i, LSI_SAS2i, Driver, Stopped, Demand start
LSI_SAS3i, LSI_SAS3i, Driver, Stopped, Demand start
LSI_SSS, LSI_SSS, Driver, Stopped, Demand start
SiSRaid2, SiSRaid2, Driver, Stopped, Demand start
sfloppy, High-Capacity Floppy Disk Drive, Driver, Stopped, Demand start
sermouse, Serial Mouse Driver, Driver, Stopped, Demand start
megasas, megasas, Driver, Stopped, Demand start
megasr, megasr, Driver, Stopped, Demand start
MEIx64, Intel(R) Management Engine Interface, Driver, Running, Demand start
Serial, Serial port driver, Driver, Stopped, Demand start
Serenum, Serenum Filter Driver, Driver, Stopped, Demand start
mlx4_bus, Mellanox ConnectX Bus Enumerator, Driver, Stopped, Demand start
MMCSS, Multimedia Class Scheduler, Driver, Running, Auto start
Modem, Modem, Driver, Stopped, Demand start
monitor, monitor, Driver, Running, Demand start
mouclass, Mouse Class Driver, Driver, Running, Demand start
mouhid, Mouse HID Driver, Driver, Running, Demand start
mountmgr, Mount Point Manager, Driver, Running, Boot start
SerCx2, Serial UART Support Library, Driver, Stopped, Demand start
mpsdrv, Windows Firewall Authorization Driver, Driver, Running, Demand start
SerCx, Serial UART Support Library, Driver, Stopped, Demand start
sdstor, SD Storage Port Driver, Driver, Stopped, Demand start
sdbus, sdbus, Driver, Stopped, Demand start
scfilter, Smart card PnP Class Filter Driver, Driver, Stopped, Demand start
sbp2port, SBP-2 Transport/Protocol Bus Driver, Driver, Stopped, Demand start
MsBridge, Microsoft MAC Bridge, Driver, Stopped, Demand start
s3cap, s3cap, Driver, Stopped, Demand start
rzudd, Razer Mouse Driver, Driver, Stopped, Demand start
msgpiowin32, Common Driver for Buttons, DockMode and Laptop/Slate Indicator, Driver, Stopped, Demand start
mshidkmdf, Pass-through HID to KMDF Filter Driver, Driver, Stopped, Demand start
mshidumdf, Pass-through HID to UMDF Driver, Driver, Stopped, Demand start
msisadrv, msisadrv, Driver, Running, Boot start
rzpnk, rzpnk, Driver, Running, Auto start
rzpmgrk, rzpmgrk, Driver, Running, Auto start
MSKSSRV, Microsoft Streaming Service Proxy, Driver, Stopped, Demand start
MSPCLOCK, Microsoft Streaming Clock Proxy, Driver, Stopped, Demand start
MSPQM, Microsoft Streaming Quality Manager Proxy, Driver, Stopped, Demand start
MsRPC, MsRPC, Driver, Stopped, Demand start
mssmbios, Microsoft System Management BIOS Driver, Driver, Running, System start
MSTEE, Microsoft Streaming Tee/Sink-to-Sink Converter, Driver, Stopped, Demand start
MTConfig, Microsoft Input Configuration Driver, Driver, Stopped, Demand start
rzendpt, rzendpt, Driver, Stopped, Demand start
mvumis, mvumis, Driver, Stopped, Demand start
MXtmVhQMQjgDAEEjVrUvgHSOtOKuUfemyHeQruIMkVDtsuaYVhtdfeQyURwehih, MXtmVhQMQjgDAEEjVrUvgHSOtOKuUfemyHeQruIMkVDtsuaYVhtdfeQyURwehih, Driver, Stopped, Demand start
NativeWifiP, NativeWiFi Filter, Driver, Stopped, Demand start
rt640x64, Realtek RT640 NT Driver, Driver, Running, Demand start
rspndr, Link-Layer Topology Discovery Responder, Driver, Running, Auto start
rdyboost, ReadyBoost, Driver, Running, Boot start
ndfltr, NetworkDirect Service, Driver, Stopped, Demand start
NDIS, NDIS System Driver, Driver, Running, Boot start
NdisCap, Microsoft NDIS Capture, Driver, Stopped, Demand start
NdisImPlatform, Microsoft Network Adapter Multiplexor Protocol, Driver, Stopped, Demand start
NdisTapi, Remote Access NDIS TAPI Driver, Driver, Stopped, Demand start
Ndisuio, NDIS Usermode I/O Protocol, Driver, Stopped, Demand start
NdisVirtualBus, Microsoft Virtual Network Adapter Enumerator, Driver, Running, Demand start
NdisWan, Remote Access NDIS WAN Driver, Driver, Stopped, Demand start
ndiswanlegacy, Remote Access LEGACY NDIS WAN Driver, Driver, Stopped, Demand start
ndproxy, @%SystemRoot%\system32\drivers\todo.sys,-101;NDIS Proxy, Driver, Stopped, Demand start
Ndu, Windows Network Data Usage Monitoring Driver, Driver, Running, Auto start
RdpVideoMiniport, Remote Desktop Video Miniport Driver, Driver, Stopped, Demand start
NetBT, NetBT, Driver, Running, System start
RDPDR, Remote Desktop Device Redirector Driver, Driver, Stopped, Demand start
rdpbus, Remote Desktop Device Redirector Bus Driver, Driver, Running, Demand start
RasSstp, WAN Miniport (SSTP), Driver, Stopped, Demand start
RasPppoe, Remote Access PPPOE Driver, Driver, Stopped, Demand start
Rasl2tp, WAN Miniport (L2TP), Driver, Stopped, Demand start
RasAgileVpn, WAN Miniport (IKEv2), Driver, Stopped, Demand start
RasAcd, Remote Access Auto Connection Driver, Driver, Stopped, Demand start
QWAVEdrv, QWAVE driver, Driver, Running, Demand start
Psched, QoS Packet Scheduler, Driver, Running, System start
npsvctrig, Named pipe service trigger provider, Driver, Running, System start
Processor, Processor Driver, Driver, Stopped, Demand start
nsiproxy, NSI Proxy Service Driver, Driver, Running, System start
PptpMiniport, WAN Miniport (PPTP), Driver, Stopped, Demand start
Null, Null, Driver, Running, System start
NVHDA, Service for NVIDIA High Definition Audio Driver, Driver, Running, Demand start
nvlddmkm, nvlddmkm, Driver, Running, Demand start
percsas3i, percsas3i, Driver, Stopped, Demand start
nvraid, nvraid, Driver, Stopped, Demand start
nvstor, nvstor, Driver, Stopped, Demand start
NvStreamKms, NvStreamKms, Driver, Running, Demand start
percsas2i, percsas2i, Driver, Stopped, Demand start
PEAUTH, PEAUTH, Driver, Stopped, Demand start
pdc, pdc, Driver, Running, Boot start
nvvad_WaveExtensible, NVIDIA Virtual Audio Device (Wave Extensible) (WDM), Driver, Running, Demand start
nv_agp, NVIDIA nForce AGP Bus Filter, Driver, Stopped, Demand start
pcw, Performance Counters for Windows Driver, Driver, Running, Boot start
pcmcia, pcmcia, Driver, Stopped, Demand start
pciide, pciide, Driver, Stopped, Demand start
pci, PCI Bus Driver, Driver, Running, Boot start
partmgr, Partition Manager, Driver, Running, Boot start
Parport, Parallel port driver, Driver, Stopped, Demand start
xinputhid, XINPUT HID Filter Driver, Driver, Stopped, Demand start

hfiref0x commented 8 years ago

ESEADriver2, ESEADriver2, Driver, Running, System start

What is this?

ryanbentley commented 8 years ago

You're right, that was the cause of the issue. It's an anti-cheat that I didn't realize I had running (I haven't used ESEA in months).

hfiref0x commented 8 years ago

From VT I see this driver is packed, and this automatically makes it suspicious. And from Google I see it often causes PatchGuard bugchecks. It will probably be better for you to get rid of it.

ryanbentley commented 8 years ago

Thank you for taking the time to help track down the problem. :+1:

hfiref0x commented 8 years ago

No problem, closing this issue.