20 Replies. Latest reply on Jan 21, 2014 8:59 AM by selvan

    [BEX64] - Log Reaches Maximum Size, Crashes Explorer

    conductorwho

      Hey folks, got another Explorer Buffer Overflow. I've correlated the overflow to when McAfee reaches its maximum log size.

       

      Under these circumstances (i.e. just MS Word, an idle Skype client, or the like being open) McAfee's icon briefly disappears from my task tray and I experience no crash. Under normal circumstances, I'd simply get this notification in my Event Viewer:

      ---

      The maximum file size for session "McAfee.{E4367DA7-2B80-47f3-86D2-7626A18FC6F4}" has been reached. As a result, events might be lost (not logged) to file "C:\ProgramData\McAfee\MCLOGS\ETW\mclogs.etl". The maximum files size is currently set to 16777216 bytes.

       

      Session "McAfee.{E4367DA7-2B80-47f3-86D2-7626A18FC6F4}" stopped due to the following error: 0xC0000188

      ---

      However, if I'm on a voice call using Skype--or, more frequently, when playing videogames that override the desktop window manager--when the log fills up, Explorer hangs, crashes, and then restarts. This is a copy of one of the problem details:

      ---

      Problem Event Name:          BEX64

      Application Name:          Explorer.EXE

      Application Version:          6.1.7601.17567

      Application Timestamp:          4d672ee4

      Fault Module Name:          StackHash_1b07

      Fault Module Version:          0.0.0.0

      Fault Module Timestamp:          00000000

      Exception Offset:          000007fee27f4050

      Exception Code:          c0000005

      Exception Data:          0000000000000008

      OS Version:          6.1.7601.2.1.0.768.3

      Locale ID:          1033

      Additional Information 1:          1b07

      Additional Information 2:          1b0751a1f84a6b627f942116525ee10f

      Additional Information 3:          cbdd

      Additional Information 4:          cbdd38469b2edd83a71f76dbcf2340a1

       

      ---

       

      I ran McAfee Virtual Technician, and it says my install of Total Protection is A-OK. This problem doesn't seem to have gone away even when I ran CCleaner--despite the fact it did clean up my log files, it didn't stop the crashes from happening. I haven't found any information about this problem on the internet, either.

       

      That being said, is there some way to configure McAfee such that when the log reaches its maximum size it'll overwrite the existing content, or for it to have a larger maximum log size? Or for that matter can anyone even make heads or tails of the problem event error?

       

      To anyone who can solve this--thanks in advance!
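
The correlation described in this post, as an added example that is not part of the original post or of any McAfee or Microsoft tooling: a Python script that parses the two ETW messages and the problem-details header quoted above and reports crashes that follow a session stop within a time window. The timestamps, the 60-second window and the function names are assumptions; 0xC0000188 is `STATUS_LOG_FILE_FULL` in `ntstatus.h`.

```python
import re
from datetime import datetime, timedelta

# NTSTATUS value quoted in the post; the symbolic name is from ntstatus.h.
NTSTATUS = {0xC0000188: "STATUS_LOG_FILE_FULL"}

PATTERNS = {
    "full": re.compile(r'maximum file size for session "(?P<session>[^"]+)" has been '
                       r'reached.*?to file "(?P<file>[^"]+)".*?set to (?P<max>\d+) bytes', re.S),
    "stopped": re.compile(r'Session "(?P<session>[^"]+)" stopped due to the following error: (?P<code>0x[0-9A-Fa-f]+)'),
    "crash": re.compile(r'Problem Event Name:\s*(?P<event>\S+)\s+Application Name:\s*(?P<app>\S+)'),
}

SESSION = "McAfee.{E4367DA7-2B80-47f3-86D2-7626A18FC6F4}"
# Constructed sample: message text follows the post, timestamps are invented.
SAMPLE = [
    ("2013-10-22 20:14:03", 'The maximum file size for session "' + SESSION + '" has been reached. '
     r'As a result, events might be lost (not logged) to file "C:\ProgramData\McAfee\MCLOGS\ETW\mclogs.etl". '
     'The maximum files size is currently set to 16777216 bytes.'),
    ("2013-10-22 20:14:03", 'Session "' + SESSION + '" stopped due to the following error: 0xC0000188'),
    ("2013-10-22 20:14:15", "Problem Event Name: BEX64\nApplication Name: Explorer.EXE"),
    ("2013-10-23 09:30:00", 'Session "' + SESSION + '" stopped due to the following error: 0xC0000188'),
]

def parse(records):
    """Classify each (timestamp, message) pair and extract its named fields."""
    out = []
    for ts, msg in records:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        for kind, rx in PATTERNS.items():
            m = rx.search(msg)
            if m:
                out.append((when, kind, m.groupdict()))
                break
    return out

def correlate(records, window=timedelta(seconds=60)):
    """Return crashes that follow an ETW session stop by at most `window`."""
    events = parse(records)
    stops = [(w, f) for w, k, f in events if k == "stopped"]
    hits = []
    for when, kind, f in events:
        for sw, sf in stops if kind == "crash" else []:
            if timedelta(0) <= when - sw <= window:
                code = int(sf["code"], 16)
                hits.append((f["app"], sf["session"], NTSTATUS.get(code, hex(code)),
                             int((when - sw).total_seconds())))
    return hits

print(correlate(SAMPLE))
```

The second session stop in the sample has no crash after it, matching the "no crash" case the post describes, so it produces no hit.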

        • 1. Re: [BEX64] - Log Reaches Maximum Size, Crashes Explorer
          Peter M

          There's a solved Microsoft thread on this here:  http://answers.microsoft.com/en-us/windows/forum/windows_vista-system/problem-event-name-bex64-application-name/1125d6bf-6481-4fe8-9b6d-a67e7f611fc6

           

          That BEX64 thing isn't behaving correctly and I'm not sure what exactly it belongs to.

           

          Maybe Technical Support would be the best spot to solve this if that article doesn't help.

           

          It's free by phone or online chat and linked under Useful Links at the top of this page.

           

           

           

          Message was edited by: Ex_Brit on 23/10/13 6:45:22 EDT AM
          • 2. Re: [BEX64] - Log Reaches Maximum Size, Crashes Explorer
            conductorwho

            A bit of an update on this situation--Explorer experienced another one of these BEX64 crashes when I had a youtube video playing in Chrome at the same time the log reached its maximum size. I'm thinking I'll give Tech Support a holler, this is definitely not supposed to happen.

            • 3. Re: [BEX64] - Log Reaches Maximum Size, Crashes Explorer
              Hayton

              So far as I can make out, BEX64 is Microsoft-speak for APPCRASH.  The two Event Names occur in similar contexts. BEX64 can happen with just about anything, including explorer.exe

               

              There are some suggestions here, including from David Candy, which are worth looking at. You haven't said what the OS is but if it's a laptop I'm assuming Windows 7 or later - so these suggestions would be relevant.

               

              http://answers.microsoft.com/en-us/windows/forum/windows_vista-system/problem-event-name-bex64-application-name/1125d6bf-6481-4fe8-9b6d-a67e7f611fc6

              1 of 1 people found this helpful
              • 4. Re: [BEX64] - Log Reaches Maximum Size, Crashes Explorer
                conductorwho

                This is really beginning to perplex me. I just had an Explorer appcrash with only the desktop active, and my computer was idle at the time. As always, MVT shows I am experiencing no issues. I would contact tech support, but again I'm umbrella'd in under my parents' plan and don't know all the contact information they entered.

                 

                I've tried everything suggested in David's posts. Running FixIt did not appear to stop the BEX64 crashes, and neither did a clean boot. My understanding of the issue, however, is that McAfee's Error Tracing Log file exceeds its write buffer, triggering an AppCrash in Windows Explorer.

                 

                If I understand correctly, the StackHash_#### fault module indicates some kind of heap corruption, or something due to Windows' built-in DEP system. I doubt that's an advisable course of action though.

                 

                EDIT: I ran a system health check with the built-in Microsoft application, and these were two things that came up:


                Symptom:Missing Events in Event Log
                Details:Investigate why 16% (4,119) events were lost during data collection. The settings for Event Tracing for Windows (ETW) maximum buffers and buffer size may not be optimal depending on which data sets are being collected.
                Related:Event Tracing for Windows

                Informational
                Symptom:

                The Security Center has not recorded an anti-virus product.

                Cause:The Security Center is unable to identify an active anti-virus application. Either there is no anti-virus product installed or it is not recognized.
                Resolution:1. Verify that an anti-virus product is installed.

                2. If an anti-virus product is installed and functioning configure Security Center to stop monitoring anti-virus status.
                Related:Anti-virus

                 

                Because it's the McAfee ETW system causing an overflow, and because Security Center isn't recognising an AV product (despite the fact McAfee has been installed for over 5 months now) I have a suspicion these two are correlated...

                 

                Message was edited by: conductorwho Reason: Ran a Health Check, two informational events might hint at my problem.  on 11/3/13 12:47:22 AM CDT
                • 5. Re: [BEX64] - Log Reaches Maximum Size, Crashes Explorer
                  Hayton

                  A couple of questions :

                   

                  - Are you running EMET?

                  - How much memory have you got installed?

                  - What OS are you running? If it's Win7 or Vista the following is a workaround, if it's a DEP-related problem. Of course, it doesn't address the underlying issue.

                   

                  (from http://group-mail.com/microsoft-windows/windows-7-and-vista-stackhash-or-appcrash-error-fix/)

                   

                  Here is a Windows 7 and Vista StackHash and Appcrash Fix

                  1. Click on the Start menu and then go to the Control Panel 

                  2. Click on System Maintenance and then System 

                  3. Choose Advanced System Settings. 

                  4. Under System Properties, select Settings from the Performance section at the top. 

                  5. Click on the Data Execution Prevention tab. 

                  6. Select “Turn on DEP for all programs and services except those I select”. 

                  7. Find the executable file for the application that triggered the error. 

                  8. Select the application causing the error and click Open to add it to your DEP Exceptions list. 

                  9. Click OK to save your new settings.

                   

                   

                  Error 0xC0000188 has been noted in a thread on the Skype forum. As here, it seems to be triggered when a log file fills up. The answer to that little problem should be easy - change the settings so that when the maximum number of log file entries is reached some of the old ones are discarded to make room. You can do that for Windows Event Logs, I don't know if it's possible for McAfee logs.

                   

                  The AppCrash (BEX64) would seem to be happening at least in part because too many applications are running for the system to cope with. It may also be that the ones you're running are in some way conflicting with each other, with the OS, or with McAfee. You'd need to run a debugger to sort that one out. StackHash messages imply that there isn't enough available information to provide a normal stack trace.

                   

                  There's a long discussion about some of this at

                  http://tdistler.com/2009/04/10/stackhash-and-application-crashes-on-windows

                  1 of 1 people found this helpful
                  • 6. Re: [BEX64] - Log Reaches Maximum Size, Crashes Explorer
                    conductorwho

                    Answers to those questions:

                    1. This is probably the first time I've heard of EMET. What is it?

                    2. My computer's got 6038 MB (~6GB) of RAM installed.

                    3. My OS is Windows 7, and if I recall correctly GeekSquad installed SP2 on it at some point.

                     

                    If all else fails, I'll just create a DEP exception for Explorer, but I'm sure there's a way to sort out the memory issues. The 'too many applications' bit might also be due to some odd Chrome / Skype conflict or due to some of the games/programs I'm running (the biggest 'offender' seems to be the Microsoft Trainsim Developers' Kit) but in the past several crashes only Chrome, Skype, Wordpad, or some permutation thereof has been operating.

                     

                    I opened PerfMon, and found that there was an event for my current McAfee session. One of the session options was to enable circular logging.

                    CircularLog.jpg

                    Now, I'm not sure if it'd "stick" for all McAfee log sessions, but herein may lie the issue. The log reaches its write buffer, and if memory is insufficient it crashes Explorer. HOWEVER, if the log file was circular, new entries would be appended to the log file without overflowing into Explorer and triggering a StackHash error.

                    • 7. Re: [BEX64] - Log Reaches Maximum Size, Crashes Explorer
                      Hayton

                      EMET - Microsoft's Enhanced Mitigation Experience Toolkit.

                      You might want to read an independent review of it before diving in to Microsoft's explanation, so read

                      http://krebsonsecurity.com/2013/06/windows-security-101-emet-4-0/ first.

                       

                      6Gb of memory is plenty, and more than enough. In some cases AppCrash is caused by too little memory. Not here, I think, although system resources are another matter - handles, threads, and so forth. If the machine is not an old one that becomes a less likely cause, and low-level program conflicts become more likely.

                       

                      Yes, always make busy log files circular. Otherwise they just grow like Topsy and you get the log-file-full problem. A pity McAfee logs (in particular) don't have that set by default. I don't see the problem because I delete them when they start getting too large. They re-create themselves, so I'm not bothered about losing historical data.

                       

                      I'm wondering if Windows is trying to add entries to the file even after it's full and causing a buffer overflow - it depends how quickly the OS detects a problem with a disk file, but disk operations are going to be an order of magnitude or two slower than memory operations. That sort of condition should always be detected and remediated, but a buffer overflow can cause major problems depending on what part of memory gets overwritten and what's in the overflow. Whatever. If you fix the log file issue wait a while and see if there are any remaining problems.

                      • 8. Re: [BEX64] - Log Reaches Maximum Size, Crashes Explorer
                        conductorwho

                        I attempted to apply the "circular" property to the log file via Performance Monitor, but it would not let me apply the parameters. I think I'll give deleting the log files a try first, and if that works I'll chime in here. As they're self-replicating, removing one shouldn't be a problem, right?

                         

                         

                        I'm wondering if Windows is trying to add entries to the file even after it's full and causing a buffer overflow

                         

                        That sounds about right. It attempts to write to the file but overruns the file buffer, triggering an Appcrash in Explorer.

                         

                        BTW, I've set up an idea for an option to set the ETW logs to "circular" here--https://community.mcafee.com/ideas/1682.

                         

                        Message was edited by: conductorwho on 11/3/13 5:47:43 PM CST
                        • 9. Re: [BEX64] - Log Reaches Maximum Size, Crashes Explorer
                          Hayton

                          conductorwho wrote:

                           

                          I attempted to apply the "circular" property to the log file via Performance Monitor, but it would not let me apply the parameters.

                           

                          As they're self-replicating, removing one shouldn't be a problem, right?

                           

                          Ah. You have to turn off Access Protection first in Security Center; McAfee protects its own files jealously. And removing them shouldn't be a problem - leastways, I get rid of them with CCleaner and it never says it can't delete them. If you're going to do it manually let me know if you get a can't-do-this message.

                          BTW, I've set up an idea for an option to set the ETW logs to "circular" here--https://community.mcafee.com/ideas/1682.

                           

                          I saw that one go in. Good move. I hope the McAfee people haven't lost interest in their baby, that section was their idea.

                           

                           

                          Edit : And that only leaves the other issues. For this one I haven't got an answer. Not recognised? Hmm. Pass on that for now.

                           

                          Symptom:

                          The Security Center has not recorded an anti-virus product.

                          Cause:The Security Center is unable to identify an active anti-virus application. Either there is no anti-virus product installed or it is not recognized.
                          Resolution:1. Verify that an anti-virus product is installed.

                          2. If an anti-virus product is installed and functioning configure Security Center to stop monitoring anti-virus status.
                          Related:Anti-virus

                           

                           

                          Message was edited by: Hayton on 04/11/13 01:11:36 GMT