cancel
Showing results for 
Search instead for 
Did you mean: 

What Is NTDLL.SYS?

I am tracking down a series of server crashes that involve device driver NTDLL.SYS.  I have not been able to find any such file or driver, but circumstantial evidence points to McAfee VirusScan.. 

Is ntdll.sys part of any McAfee product, such as VirusScan 8.8 or the McAfee Agent?

If ntdll.sys is a McAfee file, why is it that I cannot find this file anywhere on the affected system, or any others where VirusScan Enterprise is installed, for that matter?

Thanks for your attention,

Charlie

4 Replies
Reliable Contributor catdaddy
Reliable Contributor
Report Inappropriate Content
Message 2 of 5

Re: What Is NTDLL.SYS?

​,

                        I am assuming you are referring to the Corporate product? I am moving this for better exposure and better assistance.

Cliff
McAfee Volunteer
Reliable Contributor catdaddy
Reliable Contributor
Report Inappropriate Content
Message 3 of 5

Re: What Is NTDLL.SYS?

Successfully moved from Community Support to VirusScan Enterprise . Discussions

Cliff
McAfee Volunteer
McAfee Employee moekhass
McAfee Employee
Report Inappropriate Content
Message 4 of 5

Re: What Is NTDLL.SYS?

Charlie, ntdll.sys is a Microsoft Windows file. Did you install recent updates/drivers on those systems? Or recent McAfee software update?

PS C:\Users\hassanmk> Get-ItemProperty C:\Windows\System32\ntdll.dll |format-list

    Directory: C:\Windows\System32

Name           : ntdll.dll

Length         : 1886344

CreationTime   : 1/12/2017 8:35:32 PM

LastWriteTime  : 11/11/2016 5:13:03 AM

LastAccessTime : 1/12/2017 8:35:32 PM

Mode           : -a----

LinkType       : HardLink

Target         : {C:\Windows\WinSxS\amd64_microsoft-windows-ntdll_31bf3856ad364e35_10.0.14393.479_none_9292708a9a2cd04b

                 \ntdll.dll}

VersionInfo    : File:             C:\Windows\System32\ntdll.dll

                 InternalName:     ntdll.dll

                 OriginalFilename: ntdll.dll.mui

                 FileVersion:      10.0.14393.206 (rs1_release.160915-0644)

                 FileDescription:  NT Layer DLL

                 Product:          Microsoft® Windows® Operating System

                 ProductVersion:   10.0.14393.206

                 Debug:            False

                 Patched:          False

                 PreRelease:       False

                 PrivateBuild:     False

                 SpecialBuild:     False

                 Language:         English (United States)

Re: What Is NTDLL.SYS?

The thing that I am trying to identify is ntdll.SYS, not ntdll.dll.  So far, I am unable to find any file named ntdll.sys.  Yet it shows up in crash dump files as a third-party driver.  There is some indication that ntdll.sys is part of the McAfee Complete EndPoint Protection Business stack, probably VirusScan Enterprise.  Right now I am simply trying to confirm or deny that ntdll.sys is a McAfee product, and beyond that, find out what this device driver is and what it is a part of.

- Charlie

More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator
  • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community