4 Replies Latest reply on Apr 7, 2017 11:10 AM by csavage

    What Is NTDLL.SYS?


      I am tracking down a series of server crashes that involve device driver NTDLL.SYS.  I have not been able to find any such file or driver, but circumstantial evidence points to McAfee VirusScan.


      Is ntdll.sys part of any McAfee product, such as VirusScan 8.8 or the McAfee Agent?


      If ntdll.sys is a McAfee file, why is it that I cannot find this file anywhere on the affected system, or any others where VirusScan Enterprise is installed, for that matter?


      Thanks for your attention,


        • 1. Re: What Is NTDLL.SYS?


                                  I am assuming you are referring to the Corporate product? I am moving this for better exposure and better assistance.

          • 3. Re: What Is NTDLL.SYS?
            Moe Hassan

            Charlie, ntdll.sys is a Microsoft Windows file. Did you install recent updates/drivers on those systems? Or recent McAfee software update?


            PS C:\Users\hassanmk> Get-ItemProperty C:\Windows\System32\ntdll.dll |format-list

                Directory: C:\Windows\System32

            Name           : ntdll.dll
            Length         : 1886344
            CreationTime   : 1/12/2017 8:35:32 PM
            LastWriteTime  : 11/11/2016 5:13:03 AM
            LastAccessTime : 1/12/2017 8:35:32 PM
            Mode           : -a----
            LinkType       : HardLink
            Target         : {C:\Windows\WinSxS\amd64_microsoft-windows-ntdll_31bf3856ad364e35_10.0.14393.479_none_9292708a9a2cd04b
            VersionInfo    : File:             C:\Windows\System32\ntdll.dll
                             InternalName:     ntdll.dll
                             OriginalFilename: ntdll.dll.mui
                             FileVersion:      10.0.14393.206 (rs1_release.160915-0644)
                             FileDescription:  NT Layer DLL
                             Product:          Microsoft® Windows® Operating System
                             ProductVersion:   10.0.14393.206
                             Debug:            False
                             Patched:          False
                             PreRelease:       False
                             PrivateBuild:     False
                             SpecialBuild:     False
                             Language:         English (United States)


            1 of 1 people found this helpful
            • 4. Re: What Is NTDLL.SYS?

              The thing that I am trying to identify is ntdll.SYS, not ntdll.dll.  So far, I am unable to find any file named ntdll.sys.  Yet it shows up in crash dump files as a third-party driver.  There is some indication that ntdll.sys is part of the McAfee Complete EndPoint Protection Business stack, probably VirusScan Enterprise.  Right now I am simply trying to confirm or deny that ntdll.sys is a McAfee product, and beyond that, find out what this device driver is and what it is a part of.


              - Charlie
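
One way to check which vendor a driver name from a crash dump belongs to, as an added example that is not part of the original thread: look the name up among the registered kernel drivers and in the driver directories, then read the file's version resource and Authenticode signer. The default name is the one from the question; the helper name `Resolve-DriverPath` and the two searched directories are assumptions of this example.

```powershell
# Added example (not from the thread): identify the vendor of a driver named in a crash dump.
param([string]$DriverName = 'ntdll.sys')   # name as reported in the dump

function Resolve-DriverPath([string]$PathName) {
    # Hypothetical helper: driver image paths come in several forms; normalize to a Win32 path.
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                          # \??\C:\... -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"    # \SystemRoot\... -> C:\Windows\...
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

# 1. Kernel drivers registered as services whose image file has the requested name.
$registered = Get-CimInstance Win32_SystemDriver | Where-Object {
    $_.PathName -and ((Split-Path (Resolve-DriverPath $_.PathName) -Leaf) -ieq $DriverName)
}

# 2. Files with that name in the usual driver locations (assumed search scope).
$dirs   = "$env:SystemRoot\System32\drivers", "$env:SystemRoot\System32"
$onDisk = Get-ChildItem -Path $dirs -Filter $DriverName -File -ErrorAction SilentlyContinue

# 3. Merge both sources and report vendor metadata plus signature for each existing file.
$paths = @($registered | ForEach-Object { Resolve-DriverPath $_.PathName }) +
         @($onDisk | ForEach-Object { $_.FullName }) |
         Sort-Object -Unique | Where-Object { Test-Path -LiteralPath $_ }

if (-not $paths) {
    Write-Output "No registered driver or file named '$DriverName' was found."
    return
}

foreach ($path in $paths) {
    $ver = (Get-Item -LiteralPath $path).VersionInfo
    $sig = Get-AuthenticodeSignature -LiteralPath $path
    $svc = $registered | Where-Object { (Resolve-DriverPath $_.PathName) -ieq $path }
    [pscustomobject]@{
        Path        = $path
        Service     = ($svc.Name -join ', ')
        State       = ($svc.State -join ', ')
        Company     = $ver.CompanyName
        Description = $ver.FileDescription
        FileVersion = $ver.FileVersion
        SigStatus   = $sig.Status
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}
```

The `Company` and `Signer` columns are what answer the vendor question; a "not found" result means only that no registered driver or file with that name exists in the searched locations.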