
file_protector.sys caused SYSTEM_SERVICE_EXCEPTION on Windows 11 Pro


Background: I'm using Windows Driver Verifier to track down another, probably unrelated problem, but in the process it has uncovered bugs in file_protector.sys as well.

A memory.dmp was produced, and WhoCrashed analyzes it thusly:

crash dump file: C:\Windows\MEMORY.DMP
This was probably caused by the following module: file_protector.sys (file_protector+0x66EC0)
Bugcheck code: 0x3B (0x80000003, 0xFFFFF8047F824048, 0xFFFF97039F01E3D0, 0x0)
Error: SYSTEM_SERVICE_EXCEPTION
file path: C:\Windows\system32\drivers\file_protector.sys
product: Acronis File Protector
company: Acronis International GmbH
description: Acronis File Protector
Bug check description: This indicates that an exception happened while executing a routine that transitions from non-privileged code to privileged code. 

 

Unfortunately this memory dump is quite large, 13.1 GB, and as it appears to be a full memory dump from my entire system it probably contains personal information, so I'm disinclined to share it here.  I will also send this to Acronis support so they know about it, and I'll save the memory dump in case there are manual debugging commands anyone would like me to run.

From my reading, this cause code (0x80000003) indicates that either a breakpoint was encountered or an assertion failed inside file_protector.sys, and because there's no kernel debugger attached (because I'm not an Acronis engineer troubleshooting drivers), this causes a crash.

 

My guess is disabling Acronis protection would probably work around the driver bug; however, this would also leave backups vulnerable to ransomware.


Here's the call stack in case it's useful; it pretty definitively shows that the crash was inside file_protector.sys.

 

9f01f1a0 fffff80d`2b50cf31     : ffff9703`00000000 00000000`00000000 ffff9703`9f01f2a0 00000000`00000000 : file_protector+0x66ec0
ffff9703`9f01f220 fffff80d`2b525821     : ffffca81`277baf20 ffffca82`d40165f0 00000000`00000000 ffffca81`00000000 : file_protector+0x1cf31
ffff9703`9f01f2c0 fffff80d`2b50a586     : ffffca81`227ecc80 ffffca82`1de60e90 ffffca81`227ecc80 fffff80d`2b546663 : file_protector+0x35821
ffff9703`9f01f6e0 fffff80d`2b54843b     : ffffca81`05dac248 ffffca82`1de60e90 ffffca81`05dac248 ffff9703`9f01f678 : file_protector+0x1a586
ffff9703`9f01f720 fffff80d`2b5492a5     : ffffca82`1de60e90 ffffca82`f1b7ead8 ffffca82`1de60e90 ffffca81`05dac248 : file_protector+0x5843b
ffff9703`9f01f750 fffff80d`2b554a6b     : ffffca82`1de60e90 ffff9703`9f01f988 00000000`00040246 fffff804`7f7607ec : file_protector+0x592a5
ffff9703`9f01f780 fffff804`7ee6012c     : ffffca82`f1b7e900 ffffca81`07a18b80 ffff9703`9f01f988 ffffca82`1de60e90 : file_protector+0x64a6b
ffff9703`9f01f800 fffff804`7ee07034     : 00000000`00000000 ffffca82`f1b7e9f0 ffffca82`f1b7e9f0 ffffca82`f1b7e9f0 : FLTMGR!FltvPreOperation+0xfc
ffff9703`9f01f920 fffff804`7ee06ae6     : ffff9703`9f01fb10 fffff804`7fe94906 ffffca81`00000000 00000000`00000000 : FLTMGR!FltpPerformPreCallbacksWorker+0x374
ffff9703`9f01fa30 fffff804`7ee05b72     : ffff9703`9f020000 ffff9703`9f019000 00000000`00000000 ffff9703`9f01fb20 : FLTMGR!FltpPassThroughInternal+0xc6
ffff9703`9f01fa80 fffff804`7ee058fb     : ffffca82`7474e600 00000000`00000000 00000000`00000000 ffff9703`9f01fbb0 : FLTMGR!FltpPassThrough+0x1c2
ffff9703`9f01faf0 fffff804`7f7b5307     : ffffca81`bb114b80 fffff804`7fe8edb2 ffffca81`00000001 ffffca81`00000001 : FLTMGR!FltpDispatch+0x8b
ffff9703`9f01fb50 fffff804`7fe82576     : ffffca81`bb114b80 ffffca8f`cbd22d30 00000000`00e400e4 ffffca82`a10c8754 : nt!IopfCallDriver+0x53
ffff9703`9f01fb90 fffff804`7f848c53     : 00000000`00000001 ffffca82`d40105c0 00000000`00000000 ffffca81`0c3db790 : nt!IovCallDriver+0x276
ffff9703`9f01fbd0 fffff804`7f630b29     : 01d85661`31f4de24 00000000`00000020 ffff2468`e650d6b0 00000000`000000fc : nt!IofCallDriver+0x13f643
ffff9703`9f01fc10 fffff804`7f63139a     : 00000000`0000000a 00000000`0000000a ffff9703`9f01fea0 ffffca82`42536f49 : nt!IopCallDriverReference+0xf9
ffff9703`9f01fc80 fffff804`7f82df75     : 00000000`00000514 000000d7`bd8fc210 000000d7`bd8fc208 0000027e`000000fc : nt!NtSetInformationFile+0x52a
ffff9703`9f01fdb0 00007ff9`4e883c34     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25
000000d7`bd8fc0f8 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ff9`4e883c34
 

I've furnished a complete !analyze -v from Windbg to Support as well.
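Added example (not part of the original post, and not Acronis or Microsoft tooling): a small Python parser for a WinDbg-style stack like the one above. It extracts the faulting module, the Filter Manager frame that called into it, the Driver Verifier wrapper frames and the system service that started the request. The function names are this example's own, and the sample frames are copied from the post with the argument columns shortened.

```python
import re

# Frames copied from the call stack in the post above; the argument columns
# are shortened to "..." because only the call-site column is parsed.
SAMPLE_STACK = """\
9f01f1a0 fffff80d`2b50cf31 : ... : file_protector+0x66ec0
ffff9703`9f01f220 fffff80d`2b525821 : ... : file_protector+0x1cf31
ffff9703`9f01f780 fffff804`7ee6012c : ... : file_protector+0x64a6b
ffff9703`9f01f800 fffff804`7ee07034 : ... : FLTMGR!FltvPreOperation+0xfc
ffff9703`9f01fb90 fffff804`7f848c53 : ... : nt!IovCallDriver+0x276
ffff9703`9f01fc80 fffff804`7f82df75 : ... : nt!NtSetInformationFile+0x52a
ffff9703`9f01fdb0 00007ff9`4e883c34 : ... : nt!KiSystemServiceCopyEnd+0x25
000000d7`bd8fc0f8 00000000`00000000 : ... : 0x00007ff9`4e883c34
"""

SITE = re.compile(r"^(?P<module>[A-Za-z_]\w*)(?:!(?P<symbol>[^+\s]+))?(?:\+0x[0-9a-fA-F]+)?$")

def parse_frames(text):
    """Return (module, symbol) per frame; a raw address becomes (None, None)."""
    frames = []
    for line in text.splitlines():
        if " : " not in line:
            continue  # not a stack frame
        m = SITE.match(line.rsplit(" : ", 1)[1].strip())
        frames.append((m["module"], m["symbol"]) if m else (None, None))
    return frames

def summarize(frames):
    """Extract the facts the thread argues about from a parsed kernel stack."""
    top = frames[0][0]
    depth = 0  # length of the contiguous run of frames in the crashing module
    while depth < len(frames) and frames[depth][0] == top:
        depth += 1
    caller = frames[depth] if depth < len(frames) else (None, None)
    return {
        "faulting_module": top,
        "frames_in_faulting_module": depth,
        # No "!symbol" part means no public symbols resolved for that module.
        "has_symbols": frames[0][1] is not None,
        "called_by": "!".join(p for p in caller if p) or None,
        # Iov*/Fltv* are Driver Verifier's wrappers around I/O and minifilter calls.
        "verifier_frames": [s for _, s in frames if s and s.startswith(("Iov", "Fltv"))],
        # The first nt!Nt* frame is the system service that started the request.
        "system_service": next((s for mod, s in frames if mod == "nt" and s and s.startswith("Nt")), None),
    }

if __name__ == "__main__":
    for key, value in summarize(parse_frames(SAMPLE_STACK)).items():
        print(f"{key}: {value}")
```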

I'm seeing the same thing on fully updated Windows 10 version 21H2 19044.1654.  I've seen it a half dozen times since the 14th of the month.  (Like yourself, I even ran the minidumps through WinDBG with loading the correct public symbols).

I thought I'd worked around it by disabling "active protection" but the file_protector.sys driver is still loading (confirmed by checking with SysInternals Autoruns).  I just disabled it via SysInternals Autoruns.  At least the Acronis main GUI still loads so we'll see if Acronis backup tasks succeed.

When I enable Microsoft's Windows driver verifier tool with the standard setting selection and "all drivers."  (I do not have any unsigned drivers installed)

On every boot with driver verifier enabled Windows crashes the moment Acronis loads its system tray icon and all the dumps indicate file_protector.sys was the last thing in the stack.

I do not have any third party Antivirus Installed (just Windows in-built Real-Time Protection that is on by default with Windows)

For driver verifier to flag file_protector.sys every time it loads I have to wonder if Acronis even leverages that awesome free tool that Microsoft provides for developers to test their code.  Acronis, please provide updates as to resolving these frequent Windows crashes that strong evidence suggests is tied to your file_protector.sys driver.

Dan Lee wrote:

I'm seeing the same thing on fully updated Windows 10 version 21H2 19044.1654.  I've seen it a half dozen times since the 14th of the month.  (Like yourself, I even ran the minidumps through WinDBG with loading the correct public symbols).

I thought I'd worked around it by disabling "active protection" but the file_protector.sys driver is still loading (confirmed by checking with SysInternals Autoruns).  I just disabled it via SysInternals Autoruns.  At least the Acronis main GUI still loads so we'll see if Acronis backup tasks succeed.

When I enable Microsoft's Windows driver verifier tool with the standard setting selection and "all drivers."  (I do not have any unsigned drivers installed)

On every boot with driver verifier enabled Windows crashes the moment Acronis loads its system tray icon and all the dumps indicate file_protector.sys was the last thing in the stack.

I do not have any third party Antivirus Installed (just Windows in-built Real-Time Protection that is on by default with Windows)

On my system it doesn't crash as aggressively as that with Driver Verifier turned on, though I also am suspicious that Acronis might be the culprit in random OS hangs/freezes that have been happening to me since early April after a Windows update.  Performing an "in-place upgrade" reinstall of Windows 11 failed to resolve the problem, so I'm currently in the process of stripping out every piece of third-party software that I can, including Acronis and my AV solution (ESET).

I've found that file_protector.sys runs as a filesystem filter, and one that cannot be detached without a reboot.  While it's yet to be proven that this is the definitive cause of the trouble I've been having, I can only imagine what might happen if the filter driver behaves badly while Windows is trying to access its swap file or load a driver, for example.

In any case, it's yet another in a long, obnoxious series of egregious and fatal bugs in Acronis CPHO.  These kinds of problems should have been detected and fixed long before the product was ever introduced into the marketplace.

You may be on to something regarding Microsoft patch Tuesday.  I installed my monthly updates on the 12th... a couple days before the frequent crashes began.  I don't install the optional "preview update" that is the beta of the following month's update.  Even if it is associated with that, I expect the Acronis developers test the coming month's updates ahead of time to avert a potential logjam on patch Tuesday.

Sorry to hear about your misery having to try and rule out drivers and apps one by one...that's no fun.  I'm lucky I haven't observed any crashes since I disabled file_protector.sys via the Microsoft Sysinternals Autoruns tool.

Good to know file_protector.sys runs as a filesystem filter.  If I recall correctly, ntfs.sys was also present in the kernel stack when I was analyzing the crash dumps, so that makes sense.  Fortunately, most of my volumes are ReFS with integrity checking enabled, yet that isn't an option for Windows boot drives for the time being.

On your Windows is ESET/Acronis correctly detecting one another so that only one was actively running?
https://kb.acronis.com/content/67117

I've been using Acronis on all my family PCs since 2006.  I always used the business offering (recently Acronis Backup 11.7 which doesn't have any anti-virus stuff built in) but recently I decided to give this 2021 home edition a shot.  Unless I'm mistaken, even the business product now has all this AntiVirus/Malware/Ransomware stuff bundled into the product.  Acronis please confirm?

 

Dan Lee wrote:

Unless I'm mistaken, even the business product now has all this AntiVirus/Malware/Ransomware stuff bundled into the product.  Acronis please confirm?

Not speaking for Acronis, but in my testing Acronis Cyber Protect 15 includes AntiVirus/Malware/Ransomware and also has a module that manages software updates. 

Ian

I wish Acronis would just allow a custom installation for those of us who prefer to use our own anti-malware solutions that would disable all their protection cruft and not even install it... basically what TrueImage used to be before they discontinued it.  I shouldn't have to go digging through filesystem filters or use the Sysinternals autoruns to disable the cruft after the fact.

I don't WANT an all-in-one solution.  I just want reliable backups.  Nothing else.  I'm very happy with my existing anti-virus software.

Nicklas Johnson wrote:

I wish Acronis would just allow a custom installation for those of us who prefer to use our own anti-malware solutions that would disable all their protection cruft and not even install it... basically what TrueImage used to be before they discontinued it.  I shouldn't have to go digging through filesystem filters or use the Sysinternals autoruns to disable the cruft after the fact.

I don't WANT an all-in-one solution.  I just want reliable backups.  Nothing else.  I'm very happy with my existing anti-virus software.

Nicklas, that should be an option with the new incarnation of ACPHO when Acronis have finished doing a complete rewrite of the application later this year but will be subscription only and I doubt that users will see any reduced price for not using their Cyber Protect features if they opt to not install them!

Steve Smith wrote:
Nicklas, that should be an option with the new incarnation of ACPHO when Acronis have finished doing a complete rewrite of the application later this year but will be subscription only and I doubt that users will see any reduced price for not using their Cyber Protect features if they opt to not install them!

Going to a subscription software model is a guarantee that I won't be a customer any longer.

I shouldn't have to keep paying someone year after year after year just to make backups.  That's beyond stupid.

Does any of you have a hack in mind to avoid the driver protector.sys being automatically loaded in memory? I am having 2 BSODs a day....

There is no hack to my knowledge!

The current Beta for the new ACPHO 2023 is now offering a modular install that allows users to not install either Acronis Active Protection or Cyber Protection features, keeping only the basic core Backup & Recovery features (plus Vulnerability scanning - which can be turned off in the settings if necessary).  ACPHO is subscription only!

The alternative is to look for a different solution!

enrico scotti wrote:

Does any of you have a hack in mind to avoid the driver protector.sys being automatically loaded in memory? I am having 2 BSODs a day....

What I did was use the Sysinternals "Autoruns" tool, located where file_protector.sys was being loaded, and disabled it so it would no longer be.  It requires a reboot after disabling it.

The forum won't allow me to post a link to Autoruns, so just google for "sysinternals autoruns," download it, unzip it, and run Autoruns as an administrator.  Then search for "file_protector" and uncheck the 'enabled' checkbox.  Then reboot. 

I'm not going to pay every year to keep backup software working on my computer when the fundamentals of running backup tasks do not change annually.

Hi Nicklas, thank you for the hack. I am quite familiar with Autoruns64, so I followed your suggestion but unfortunately it was not enough: in fact, according to the software "whocrashed", the cause of my daily BSOD is the driver "ngscan.sys". I deactivated this one as well, keeping fingers crossed. These BSODs are not only annoying, but also dangerous for the system stability, I suppose...

Obviously the protection is fully deactivated by the pushers in Acronis, but they are useless...

Unfortunately I, too, am getting this BSOD now weekly and it's always this ngscan.sys.  I can't seem to disable it and I'm getting to the point of not wanting to use this new Acronis anymore, even though I've been promoting their B/U solution for over 20 years as the most reliable and simple-to-use alternative. But now they're trying to be everything, and it's conflicting either with eSetNod32 or MalwareBytes -- both of which I've relied upon for almost as many years as Acronis True Image -- or probably something in the latest Windows update.  I have both Windows 10 and 11 on multiple systems, and I've been using Windows since 2.1 when you were lucky if it booted up -- 1985ish. Hopefully, Acronis will come up with something a bit more reliable.

Frank, see  Acronis Cyber Protect Home Office: how to install | Knowledge Base and use the option to perform a Custom Install where you can elect not to install the Protection feature(s) and not have the underlying modules for the same. 


Frank McNally wrote:

Unfortunately I, too, am getting this BSOD now weekly and it's always this ngscan.sys.  I can't seem to disable it and I'm getting to the point of not wanting to use this new Acronis anymore, even though I've been promoting their B/U solution for over 20 years as the most reliable and simple-to-use alternative. But now they're trying to be everything, and it's conflicting either with eSetNod32 or MalwareBytes -- both of which I've relied upon for almost as many years as Acronis True Image -- or probably something in the latest Windows update.  I have both Windows 10 and 11 on multiple systems, and I've been using Windows since 2.1 when you were lucky if it booted up -- 1985ish. Hopefully, Acronis will come up with something a bit more reliable.

 Hello!

I raised a ticket with our support so we can investigate the issue. The ticket is 06204923.

You can expect a reply from our support as soon as possible.

Best regards.