Avast WEBforum

Avast Products => Avast Free Antivirus / Pro Antivirus / Internet Security/ Premier => Topic started by: blue2 on May 09, 2008, 03:04:34 AM

Title: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to 100%
Post by: blue2 on May 09, 2008, 03:04:34 AM
I've recently installed Avast Home build 4.8.1169. It installed without a problem and seems to run fine with one exception: the Avast icon on the desktop which links to Ashavast.exe CANNOT be run as a local user. So I can't access the program interface, although I can access everything else via the system tray.

If the desktop icon is clicked on multiple times, it will open multiple processes of Ashavast.exe in task manager. When I had three open, the CPU was at 100% without any apparent activity, other than this process being stalled.

As Ashavast.exe can be run as the administrator or via the "Run As" command, it appears to be an issue with permissions and not with the application itself. Just in case, I tried the Repair option in Add/Remove, but that made no difference. So while I can right click and scan a file by the context menu, I can't schedule a scan without administrator permission?

Is this by design, a bug, a permission problem caused by using an optional skin, or something else?

Title: Re: Ashavast.exe
Post by: Lisandro on May 09, 2008, 03:13:59 AM
ashAvast.exe needs admin rights, or elevation in Vista.
ashQuick.exe (the context menu scanning) doesn't.
It's not a but, it's like it works.
Do you have Vista or XP?
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to
Post by: blue2 on May 09, 2008, 03:24:37 AM
Thanks for that quick reply. Sorry, forgot to mention this was installed under XP Pro SP2, although I understand that SP3 won't be a problem.

I imagined that this might be by design, but could find no mention of it in the help file or through a quick google search. It's possible that I added the desktop link to All Users and the program perhaps defaults only to administrator.

What confused me was why I'd have to be an administrator or use the "Run As' command while a local user to schedule a scan? I wanted to have less knowledgeable members of my family run as local users, and it would still be nice to have them get into the habit of scheduling scans.

P.S. It would also be nice if this is by design, to NOT allow the process to even be opened. I got it up to 5 instances of ashavast.exe and I imagine that one could simply lock up a system by installing the icon on a local user profile that does not have permission to run it.
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to 100%
Post by: Lisandro on May 09, 2008, 02:33:57 PM
What confused me was why I'd have to be an administrator or use the "Run As' command while a local user to schedule a scan?
In Home version, there isn't a schedule possible... Are you using Windows Scheduler for it and ashquick.exe?
Scheduling is only available in Pro version.
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to
Post by: blue2 on May 09, 2008, 03:26:30 PM
Sorry, by "schedule" I meant to schedule a boot scan, or to run a HDD scan on a habitual basis (not as a formally scheduled task).

I assume one could use the Quick Scan via right click context menu to scan the entire HDD but was not sure if that uses the pre-set default configurations (e.g. scan archives, use heuristics, etc.)

I'll remove the Avast desktop icon from local user profiles because I don't think it's a good idea that it opens a process even though it can't continue without Admin. permission. As I demonstrated, a naive user could easily click on it many times and open up several processes that lock up the CPU, which can't be a good thing.
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to 100%
Post by: igor on May 09, 2008, 04:02:21 PM
No, ashAvast does not need administrator privileges, and it can be run under restricted user, as far as I know.

Please try to generate the dump of the frozen process (as described e.g. here (http://forum.avast.com/index.php?topic=33616.msg281371#msg281371), just change the process name) and send it to our FTP.
Thanks.
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to
Post by: Lisandro on May 09, 2008, 04:03:35 PM
Sorry, by "schedule" I meant to schedule a boot scan, or to run a HDD scan on a habitual basis (not as a formally scheduled task).
Common users can't schedule the boot time scanning. But also is not a thing for daily basis...
But I think they can run a scanning into Windows, can't they?

I assume one could use the Quick Scan via right click context menu to scan the entire HDD but was not sure if that uses the pre-set default configurations (e.g. scan archives, use heuristics, etc.)
It's better to use the interface and run the scanning from there.
Although, ashQuick uses the deepest sensitivity, scanning archives.
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to
Post by: blue2 on May 09, 2008, 05:40:04 PM
No, ashAvast does not need administrator privileges, and it can be run under restricted user, as far as I know.

Please try to generate the dump of the frozen process (as described e.g. here (http://forum.avast.com/index.php?topic=33616.msg281371#msg281371), just change the process name) and send it to our FTP.
Thanks.


Well, it seemed odd to me to have an AV that would prevent a local user from running a scan. I could understand why you wouldn't want processes to be killed under a local user account (so malware couldn't turn off AV functionality).

Is the hangrep.exe  a standalone app or does it get installed/removed in Add/Remove programs? Can it be installed AND run under a local user account, since that is where the issue is occurring?
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to 100%
Post by: igor on May 09, 2008, 06:06:31 PM
It's just a standalone executable, and I don't see a reason why it shouldn't work (to dump executables the current user has started).

You may have to disable avast! self-defence feature from the Administrator account first (avast! settings / Troubleshooting page) - the process couldn't be dumped without it, I guess.
Now, I hope that disabling the self-defense won't "solve" the problem ;)
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to
Post by: blue2 on May 09, 2008, 06:23:41 PM
Yes, it would be funny if that "solved" the problem. One never knows...

I checked the security settings on ahavast.exe and all users have permissions. I then thought I could probably find what DLLs are called and change the permissions on each of these to see which one might be the offending one requiring escalated permission. But messy fixes like that, particularly with an AV program, have the habit of causing unexpected, and usually undesirable, consequences.

Thanks for the suggestions. When I'm in the front of the other machine, I'll run the suggested hang executable and see what it generates.
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to
Post by: blue2 on May 11, 2008, 05:35:47 PM
Sorry for the dealy. Now that I have had access to the friend's machine I installed Avast on, I've created the dump file (ashAvast.exe.dmp) of the Ashavast process that stalls under a local user profile. I even deactivated all skins, but this too makes no difference.

However, following Vik's procedures, I am unable to upload this to your FTP site via your website (I don't use FTP) via drag and drop. Do you have an email or another way to upload this?

Thank you.
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to 100%
Post by: DavidR on May 11, 2008, 05:55:10 PM
What browser are you using ?
With firefox the drag and drop doesn't seem to work, but with IE or one of the IE clones the drag and drop does seem to work.
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to
Post by: blue2 on May 11, 2008, 05:59:10 PM
Good suggestion. I'll try that right now.
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to
Post by: blue2 on May 11, 2008, 06:04:01 PM
No luck. Tying to drag and drop to your web link using both Firefox and IE 7 results in a dialog box to save the file rather than uploading it to your FTP server via the web.
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to
Post by: DavidR on May 11, 2008, 07:35:58 PM
Not my site I'm just an avast user like you.

Do you get something like this (my example IE6) when you paste the ftp link ftp://ftp.avast.com/incoming/ into IE7 address bar and click, see image ?

If so dragging the file from its location in windows explorer into the right pane, arrowed, in IE7 and it should upload automatically, you won't be able to see it in the folder that it has been uploaded to as you don't have permissions for that.
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to 100%
Post by: igor on May 11, 2008, 07:40:48 PM
Using the command-line FTP from Windows is not that hard:

1. start ftp.exe (e.g. from Start Menu / Run)

Now, type the following (excluding the numbers in the beginning of the lines, <enter> means Enter key):
2. lcd <local_directory_with_the_dump_file><enter>
3. open ftp.avast.com<enter>
4. anonymous<enter>
5. guest<enter>
6. bi<enter>
7. ha<enter>
8. cd incoming<enter>
9. put <dump_file_name><enter>
10. bye
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to
Post by: blue2 on May 11, 2008, 08:26:48 PM
Using the command-line FTP from Windows is not that hard:


Thank you. That worked fine. I just don't use DOS commands often enough to remember any of them.

DavidR, thanks for the suggestion. However, using FTP via the weblink did NOT work for me with either Firefox or IE7. Both opened a "Do you want to save file" dialog when I attempted to drag and drop the file. As I also had to open up my firewall ruleset to allow each outgoing FTP connection, I imagine I would have been been prompted to open an FTP port if FTP via the weblink had worked.

Once the dmp file has been looked over, will something get posted here? I can always suggest that those whose machines I've installed Avast run scans as administrator, but I was trying to avoid that.
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to 100%
Post by: DavidR on May 11, 2008, 09:39:46 PM
That is the idea and the reason for using a unique file name so it can be linked to the topic. Once you upload it successfully, post that fact in the topic and give the name of the uploaded dmp file.
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to
Post by: blue2 on May 12, 2008, 04:24:21 AM
Perhaps I missed it, but didn't remember anyone indicating to use a unique file name for the dmp file or even to link it to this thread. That's why I asked how the file would ever lead back here. ;)  I'm only trying to help out a friend whose machines I installed Avast on, and it's easier if the procedures to be followed are spelled out.

The file has now been uploaded again, this time with the filename blue2_Ashavast.exe.dmp.

And again, I appreciate any help that can be provided on why the scan engine won't run using local user privileges under XP Pro SP2.
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to 100%
Post by: Lisandro on May 12, 2008, 11:40:28 PM
Perhaps you should test the latest 4.8.1195 version.
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to 100%
Post by: Vlk on May 12, 2008, 11:45:36 PM
1195 should resolve the issue.
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to
Post by: blue2 on May 13, 2008, 12:49:55 AM
Thanks for that suggestion. I'll be happy to update to 4.8.1195 if it has now been officially released. That can just be updated via the interface in the installed version as long as the self-defense is turned off?

Did anyone else have an issue about not being able to run scans as a local user under XP Pro SP2? I was just surprised to not see it mentioned anywhere, and there apparently was some difference of opinion even in this thread about whether administrator privileges were required or not. So even if the new build resolves the issues, for learning purposes. I'd still be curious to know what caused the issue with Ashavast stalling.

Thanks again!
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to 100%
Post by: Vlk on May 13, 2008, 12:54:09 AM
You don't need to turn anything off (self-defense) to perform the program update.
Just click Updating -> Program Update and you should be all set.

Thanks
Vlk
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to
Post by: blue2 on May 13, 2008, 01:04:40 AM
Ok, great. Thanks Vik. That sounds like it should be painless enough!

By chance, do you happen to have any further insight about the privilege issue? Will someone still look over the dmp file to let us know if it might be caused by an unforseen conflict with something else...(fingers crossed)?

Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to
Post by: blue2 on May 13, 2008, 09:48:04 AM
I just updated to build 4.8.1195, however the problem has persisted.

Scans still cannot be run as a local user under XP Pro SP2.

So could the technicians kindly look over the dump file previously provided (blue2_Ashavast.exe.dmp) so we can determine what is causing the Ashavast.exe process to stall when the desktop icon is clicked as a local user, maxing out the CPU at 100% when it does.

Thank you!
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to 100%
Post by: Vlk on May 13, 2008, 11:25:08 AM
Unfortunately, the dump is of no use as the processing is taking place in kernel mode (which is not included in the dump).

The only way to properly analyze the problem is to create a full dump of the system when the problem is simulated.
The procedure is described here: http://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=71

BTW one thing to check: when you right click the shortcut (the icon) that you use to launch avast, select Properties and go to the Compatibility page, isn't the "Run this program in compatibility mode" box checked?.

Thanks
Vlk
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to
Post by: blue2 on May 13, 2008, 12:45:02 PM
Ok, thanks for that quick reply, Vik. Once I have access to the machine this afternoon I'll check if compatibility mode is enabled.

But I'm tempted to remove it completely, along with the skins that were installed, and then just reinstall the new build alone (no skins, and not updating the build). Perhaps that will be a quicker way to resolve the privilege issue.

Would you suggest Add/Remove, then using the aswclear.exe utility to be sure it's been fully removed?

Thanks again.
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to
Post by: Vlk on May 13, 2008, 12:48:46 PM
Would you suggest Add/Remove, then using the aswclear.exe utility to be sure it's been fully removed?

It won't hurt. :)
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to
Post by: blue2 on May 13, 2008, 09:34:54 PM
No luck.

I uninstalled Avast. Rebooted. Then ran the aswclear.exe utility. Rebooted. Used CCCleaner to remove any registry references to Avast. Then regedit to manually search the registry to be sure no remnants were left. Then re-installed the new build without any skins. And the issue persists.

As administrator everything works as it should. But as a local user, only the context scan and the system tray functions work. The desktop or start menu shortcut to Avast (ashavast.exe) will not open, freezes the CPU at 99%, and because the process can't be killed, the only solution is a reboot. (Not very practical.)

Before the reboot occurs, there is an indication that Active Skin Helper cannot shut down. Perhaps this is a natural outcome of the stalled process.

When I check the security settings of the actual Avast.exe file, it indicates Read as well as Read and Execute for ALL USERS.

When I check the Properties / Compatibility of Avast.exe, the "Run this program in compatibility mode" box is NOT checked. Were you suggesting that it should be as the program is running on XP Pro SP2, and not a previous OS.

If I use the "Run As" administrator command on the local user desktop icon, it will open perfectly. So it surely seems to me that this is a privilege related issue.

Are there any known conflicts that would cause such an issue, and don't the Avast techs have any idea of what to look at as there are NO system anomalies aside from this local user issue after installing Avast?

Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to
Post by: blue2 on May 14, 2008, 07:48:07 PM
Any further word on this?

In addition to the questions in my previous post, does ashavast.exe invoke certain DLLS that require escalated privileges to run?  Since I installed Avast on a friend's machine and have everything pretty well locked down, perhaps it invokes something that is prevented from running.

Since it happens when no other application is running, does not happen with the Avast system tray functions, does not happen with the Avast context menu functions, does not happen on an administrator account, and ONLY happens on a local user account, I would think that pretty well limits where the issue might be coming from. What Ashavast functions could require escalated privileges to run?

I'd just hesitate installing this on any other friends' systems, if I can't get any closer to understanding this after several days of removal, system cleaning, and re-installation with an updated build have apparently done nothing. Thanks.
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to 100%
Post by: Vlk on May 14, 2008, 07:53:06 PM
Well, as I said in Reply #25, the only "scientific" method to understand what's going on would be to have a full dump.

Do you think you could try getting us one?

Thanks
Vlk
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to
Post by: blue2 on May 14, 2008, 09:01:13 PM
Yes, I did read over that procedure, but since it involved modifying someone else's registry and then intentionally blue-screening their machine, I wanted to do a little digging first before going that route. (Am I correct in assuming that this key could be added and then removed without ill effect?)

I've gone through quite a number of steps already (removal, system cleaning, installation of new build, checking event viewer, checking Avast FAQs, providing a dump of the stalled process, etc.) as they've been suggested, and they lead no closer to figuring about what might be happening. I initially was told that Ashavast requires admin privileges to run, and that was later corrected. So I'd still like to have some idea about:

- What does the Ashavast executable require to run?

- When the process is stalled, I have to kill Active Skin Helper to shut down. Is this an outcome of the stalled process or the problem?

- When I check the security settings of the actual Avast.exe file, it indicates Read as well as Read and Execute for ALL USERS. Is that correct and is there any other file whose privileges I should be checking?

- Why would running functions as a local user via the System Tray work but the same functions not work via Ashavast.exe? Logic says it's not the function causing the issue, but something else.

- Are there any known conflicts with other applications?

Any answers your technical team would have would be appreciated. I have the sneaking suspicion that even when a full system dump is created, there won't be a definitive answer...
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to
Post by: alanrf on May 14, 2008, 10:17:58 PM
Since I am a user of WinXP Pro as well I thought I would see if I can reproduce the problem too.

I created a limited user account.   I logged on as that limited user account. 

I created a shortcut for ashAvast.exe on the desktop.

I start avast from the shorcut on the desktop, avast starts immediately, completes a memory scan and the simple user interface opens, I can run scans, change the avast skin etc.  I can also perform all those tasks by right clicking the systray icon and starting avast from the menu.   

When I logoff it shuts down the limited user session normally.

Is there some condition I have missed?     
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to
Post by: blue2 on May 14, 2008, 10:39:32 PM
No, Alanrf, I don't think you've missed anything, and thanks for trying this.

I installed this on a friend's machine, so I don't have continual access. As administrator, I can run everything in Avast without problem (both the previous build and the current release). As a limited user, I can run everything from the system tray EXCEPT "Start Avast! Antivirus". That simply starts the process Ashavast.exe, which remains constant at 100% CPU. When I try, I cannot terminate the process. So I have no choice but reboot.

When I click on the Avast desktop icon as a limited user (The program installs it by default as a desktop icon for all users which lead me to believe that limited users should have privileges to run it.), it opens the Ashavst.exe process which stalls exactly as when run from the system tray.

If I use "Run as" administrator while on the limited user account, it runs perfectly. So this suggests to me that it is "simply" a permission issue of some kind, NOT a functional issue. It will run but only if it has admin privileges.

Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to
Post by: alanrf on May 14, 2008, 10:51:55 PM
I understand that you are away from the system but can you recall if you have avast set to perform the memory scan on starting avast or have you turned that off? 

In other words is it the memory scan that appears to stall or the opening of the avast simple user interface? 

My reason for asking is that I did (some time back) encounter a condition where the memory scan would complete and the opening of the simple user interface would stall.   

Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to
Post by: blue2 on May 14, 2008, 11:41:51 PM
Good thought. I had initially set it with memory scan on startup, but tried it with memory scan turned off as well. It made no difference. When I click the desktop icon, it simply doesn't open. It just starts the Ashavast.exe process which is clearly stalled.

If I then try to terminate that process in task manager, I then get a "Unable to Terminate Process. Access is Denied" message. I find that odd, since if I started the process as a limited user and it did not run, why would I be denied access to terminate it? That again leads me to think this is a privilege related issue of some kind.

It's running under XP Pro SP2, with Kerio 2.15 firewall, Spybot Search & Destroy (NO Resident Teatimer enabled), and Spyware Blaster. There aren't a lot of startup process running aside from various Thinkpad related ones and Acronis True Image.
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to
Post by: alanrf on May 15, 2008, 12:53:21 AM
The process termination "access denied" is almost certainly coming from the new self-protection feature of avast 4.8.

About the only difference in configuration between me and the problem system is that I just run with the Windows XP firewall.

One oddity I notice in the skins management makes suggest that next time you have access to this system it might be worth un-checking "Enable skins for Simple User Interface" in the avast Program Settings before logging on the limited user and seeing if that makes any difference.
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to 100%
Post by: Vlk on May 15, 2008, 09:13:54 AM
Well, blue2 previously sent me a dump of the stuck ashAvast.exe process, and it was clear that it was dumped during a normal request to read a registry value. I reckon it must be blocked (or, 'spinned', as CPU usage is high) from the other side of the mirror, i.e. from the kernel mode. That's why I said I'd need a full dump to analyse the problem.

One more thing you could try: in Task Manager, Performance page, open the View menu and check "Show kernel times". This will add a new red line to the chart, indicating the CPU time spent in the kernel mode. If you then simulate the problem, does the red line also go to 100%? (proving that the "fun" is taking place in kernel mode, instead of the ashServ.exe process itself).

Thanks
Vlk
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to
Post by: blue2 on May 15, 2008, 11:31:32 AM
I've been able to access the system again. As one of the first tests I did, I un-checked "Enable skins for Simple User Interface", as well as the memory startup test, the Explorer skin setting, etc. It made no difference.

While Ashavast.exe seems to keep CPU at 100% (a straight green line), the Kernel process (red line) is high, but not at 100%:
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to
Post by: blue2 on May 15, 2008, 05:22:05 PM
As there are a good 5 or 6 threads on the top page of this forum from people reporting issues with the latest Avast build causing 100% CPU usage, is it possible that this new build is not as stable as reported, at least for some users? I realize that these may all be different issues, but I've rarely encountered stalled AV processes before (usually activation, conflicts or slow scanning issues, all of which Avast seems to do well).

I personally use a different AV and have experience with several others. Is it possible that the self defense module or the completeness of the product (e.g. rootkit scanning) is creating unreliability on some systems?

I will try to get access to the machine again tonight and create a complete dump. But I hope that after doing so, some answers and a solution will result, as I've invested more time on this than on any other installation.
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to
Post by: blue2 on May 18, 2008, 05:06:04 PM
It would be most appreciated if the Avast technical team could provide some brief explanations to a few unanswered questions to get a little closer to resolving this issue:

-- What does the Ashavast executable require to run?
-- When the process is stalled, I have to kill Active Skin Helper to shut down. Is this an outcome of the stalled process or the problem?
-- When I check the security settings of the actual Avast.exe file, it indicates Read as well as Read and Execute for ALL USERS. Is that correct and is there any other file whose privileges I should be checking?
-- Why would all functions from the System Tray run except for the Avast function that lanches Ashavast.exe?
-- Are there any known conflicts with other applications? (e.g. Spybot Search & Destroy (with Teatimer disabled), SpywareBlaster, Kerio 2.15, etc.)
-- While Ashavast.exe seems to keep CPU at 100% (a straight green line), the Kernel process (red line) is high, but not at 100%. It seems to increase and decrease cyclically. Does that suggest anything?

Any insights that could be provided would be helpful. As previously indicated, since others report different issues with a similar symptom (100% CPU usage), is this related to an errant module or setting? Thank you.
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to
Post by: igor on May 18, 2008, 09:04:29 PM
-- What does the Ashavast executable require to run?

Nothing special... don't know what exactly you mean.

-- When the process is stalled, I have to kill Active Skin Helper to shut down. Is this an outcome of the stalled process or the problem?

Unknown.

-- When I check the security settings of the actual Avast.exe file, it indicates Read as well as Read and Execute for ALL USERS. Is that correct and is there any other file whose privileges I should be checking?

Yes, it's correct... and I somehow don't think the problem is connected to privileges for avast! files (though I may be wrong, of course)

-- Why would all functions from the System Tray run except for the Avast function that lanches Ashavast.exe?

Must be somehow connected with the Ashavast.exe itself, but what's so special about it - is unknown.
Try to run
ashQuick.exe "*STRT-MEM-SHORT"
- does it work/finish?

-- Are there any known conflicts with other applications? (e.g. Spybot Search & Destroy (with Teatimer disabled), SpywareBlaster, Kerio 2.15, etc.)

No.

As previously indicated, since others report different issues with a similar symptom (100% CPU usage), is this related to an errant module or setting?

Don't think so - but until the cause is fully understood, it's really hard to say.
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to
Post by: blue2 on May 18, 2008, 11:49:11 PM
Thanks for the reply Igor.

What I was asking is if the Ashavast.exe executable requires specific DLLS to run different than other Avast executables, and which may require elevated priviledges to run. For example, one CANNOT run ImgBurn as a limited user, because you receive the error "'You need Administrative privileges to use SPTI'". Then there is a workaround to change the privileges on SPTI if necessary.

By try to "run" ashQuick.exe "*STRT-MEM-SHORT" - does it work/finish?" do you mean type that line as written at the run command or something else?

What is this "Active Skin Helper" process that has to be shut down to close the Ashavast process in order to reboot when the machine is stalled? I don't find anything with this name on my system and a google search reveals only three occurences of this phrase, with mine being the only one spelled exactly this way. So is this an underlying process of Ashavast.exe because I'd like to understand where this comes from if I have to shut it down manually?

Thanks.
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to 100%
Post by: Lisandro on May 19, 2008, 01:15:52 AM
Ashavast.exe executable requires specific DLLS to run different than other Avast executables, and which may require elevated priviledges to run.
Yes, it needs.

By try to "run" ashQuick.exe "*STRT-MEM-SHORT" - does it work/finish?" do you mean type that line as written at the run command or something else?
Yes, you've got it. You need to open a cmd window and go (browse) to the avast folder and run the command from there. Or run:
"path of the ashquick file\ashquick.exe" "*STRT-MEM-SHORT"
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to
Post by: igor on May 19, 2008, 12:43:08 PM
What I was asking is if the Ashavast.exe executable requires specific DLLS to run different than other Avast executables, and which may require elevated priviledges to run.

No, there's nothing special about Ashavast.exe (at least I'm not aware of anything); it uses the same DLLs as other avast! executables.

By try to "run" ashQuick.exe "*STRT-MEM-SHORT" - does it work/finish?" do you mean type that line as written at the run command?

Yes.

What is this "Active Skin Helper" process that has to be shut down to close the Ashavast process in order to reboot when the machine is stalled? I don't find anything with this name on my system and a google search reveals only three occurences of this phrase, with mine being the only one spelled exactly this way. So is this an underlying process of Ashavast.exe because I'd like to understand where this comes from if I have to shut it down manually?

Honestly, I have no idea what it is - it's not avast!'s own process.
ActiveSkin is the 3rd party skinning library used by avast! GUI. It is possible that it needs to spawn a special process sometimes to do something... but I must say I've never heard of it (it's not running under normal circumstances - at least not for longer periods) - so I don't have any more info on that.
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to
Post by: blue2 on May 27, 2008, 06:03:29 PM
Sorry for the delay but I've been traveling.

Try to run ashQuick.exe "*STRT-MEM-SHORT" - does it work/finish?
When I try to "run" ashQuick.exe "*STRT-MEM-SHORT"  from a limited user profile, it opens two pop up windows but indicates 0 files scanned. It does NOT show any progress in running the memory test as it normally does when it is run as an administrator. So it does NOT seem to run.


One more thing you could try: in Task Manager, Performance page, open the View menu and check "Show kernel times". This will add a new red line to the chart, indicating the CPU time spent in the kernel mode. If you then simulate the problem, does the red line also go to 100%? (proving that the "fun" is taking place in kernel mode, instead of the ashServ.exe process itself).
I previously provided a screenshot showing that the kernel times are high, but not at 100%.


Unfortunately, the dump is of no use as the processing is taking place in kernel mode (which is not included in the dump).

The only way to properly analyze the problem is to create a full dump of the system when the problem is simulated. The procedure is described here: http://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=71
Well, it's done, but not without creating its own issues (as I had suspected it would). I followed the procedure exactly as described, though your procedures ought to clearly mention, as is customary, to back up the registry before making ANY such modifications.

I saved the original registry key, then created the new DWord value, blue screened the machine and created the memory dump. I then rebooted, replaced the key with the original one and rebooted. And the Logon screen appeared but the trackpoint was frozen. I tried safe mode with command prompt but that too left me without any functionality. So I had no way to get back to the registry.

In the end, I booted from a clone of the drive from a week ago, and copied all the user files as well as the memory dump on the "stuck drive" to the clone. Then I re-cloned back to the original drive.

NOT exactly what I'd call fun, nor the kind of additional troubles I'd like to create when trying to analyze why a program isn't working properly. I will now upload the dump file with the name blue2memory.dmp, but I sure hope that after all this trouble, it was worth it and shows something of value.
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to 100%
Post by: Vlk on May 29, 2008, 01:53:30 PM
Hi blue2,

thanks for the dump.

Just to recap - is the problem taking place even with the avast self-defense module turned off?

Thanks
Vlk
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to
Post by: blue2 on May 29, 2008, 02:04:38 PM
Hello Vik,

Yes, thanks, but I'll try it once again to be sure: disabling it, rebooting under administrator, then switching to limited user profile and testing it again. (I've had a few instances where changes didn't take if the reboot wasn't done to the Admin profile first).

As you see, the dump was 650 MB, and I needed to find a 2 1/2 hour window to ftp this to you!

blue2


Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to
Post by: blue2 on May 29, 2008, 02:39:58 PM
Just tried it again, with self defense, memory scan and rootkit scan all turned off. It made no difference. The Ashavast.exe still stalls as a limited user every time.
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to 100%
Post by: Lisandro on May 29, 2008, 03:47:34 PM
Blue2, sorry the thread is long now, but do you use a firewall? Which one? Do you have any other antivirus installed in your system?  Did you have in the past? Any other security programs that could interfere?
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to
Post by: blue2 on May 29, 2008, 04:37:52 PM
Yes, Tech, this machine has the following:

- Firewall Kerio 2.15 (rule based)
- Spybot Search & Destroy (with TeaTimer resident protection DISABLED)
- Spyware Blaster (which should not interfere)
- AdAware (on demand)
- There is NO other AV installed

The machine had KAV on it at one time, but it was removed, followed by the KAV removal tool, followed by CC Cleaner (to remove any traces that might have remained).

I would doubt the issue is caused by a previous AV install, since it works fine as Administrator, works for quick scans as a limited user, but stall as a limited user if the Ashavast.exe process is started. If, of course, I use "Run as" and run Ashavast.exe with administrator privileges while a limited user, it runs fine. That is what lead me to think that this is a permission related issue of some kind, and one would want to know what is requiring elevated permission before it runs correctly.
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to 100%
Post by: Lisandro on May 29, 2008, 04:41:40 PM
followed by CC Cleaner (to remove any traces that might have remained).
Just to point out... this is a myth... CCleaner is a very superficial registry cleaner.

That is what lead me to think that this is a permission related issue of some kind, and one would want to know what is requiring elevated permission before it runs correctly.
Did you tweak the common user access rights?
If you create another, just temporary, user account, will it work there?

Which is the path where you've installed avast?
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to
Post by: blue2 on May 29, 2008, 04:54:43 PM
Yes, I realize that CC Cleaner is not very aggressive as a registry cleaner, but removal of KAV, followed by their removal tool, followed by CC Cleaner should remove it. And if it did not, I don't think it would just affect limited users but all profiles.

I have not touched user access rights and I also installed Avast in its default location. I tried removing it,  using the Avast cleaning tool, and then manually installing the newer 4.8.1195 build, but that also did nothing.

So I hope the 650MB memory dump provides some clues...
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to 100%
Post by: Lisandro on May 29, 2008, 05:01:25 PM
I tried removing it,  using the Avast cleaning tool
You need to use the Control Panel before...

and then manually installing the newer 4.8.1195 build
The latest is 4.8.1201.
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to
Post by: blue2 on May 29, 2008, 05:29:48 PM
"I tried removing it, using the Avast cleaning tool" are two separate steps indicated by the "," in between them. To spell it out further:
- I removed it via Add/Remove. Rebooted.
- Then used the Avast cleaning tool. Rebooted.
- Then deleted the program folder. Then used CC Cleaner to remove any traces found.
- Then installed the newer build. Rebooted.
And nothing changed.

After trying to fix this with two Avast builds, what makes you think the third build will do the trick?

I would have thought that there was a point to creating the 650MB dump file, modifying the registry, crashing the computer, creating several hours of work to re-install the computer back to where it was, and tying up the computer for 2 1/2 hours ftping the dump file. If the answer would be as simple as to install the latest build, I surely would have started there!

Perhaps the new build will create other problems, which is why I don't like "testing" products, but don't install them until I know that they are stable and reliable.


Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to 100%
Post by: Lisandro on May 29, 2008, 05:34:14 PM
After trying to fix this with two Avast builds, what makes you think the third build will do the trick?
From one build to another, they try to solve problems... don't they? ???

Vlk explains how to create a dump file here: http://forum.avast.com/index.php?topic=22636.msg187340#msg187340 and here: http://forum.avast.com/index.php?topic=23283.msg193594#msg193594  ;)

Also, check the folder <avast>\data\log
Are there any files called unpXXXX there  (where XXXX is a random number)?
If so, send them to vlk (at) avast.com
They may contain more information about the problem (maybe a link to this thread).
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to
Post by: blue2 on May 29, 2008, 06:00:33 PM
Haphazardly trying newer Avast builds in the hopes that one of them will solve a problem that the new build isn't designed to address is not worth the trouble or risks it may create. Plenty of newer builds bring with them newer problems. I've seen this with NAV, I've seen this with KAV, I've seen this with MS, and I don't think it would be any different with Avast.

I already followed the precise instructions to the letter to create the dump file. It caused me several hours of work after the registry modification prevented the machine from rebooting. That is why I hesitated to do it in the first place.

I will check to see if there are any log files, but again I would hope that the 650MB dump file provides the answer.
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to
Post by: blue2 on May 29, 2008, 06:40:13 PM
There are four unpxxx minidump files in the log folder, but they are all of 0kb, so not much to be learned here I'm afraid.
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to 100%
Post by: Vlk on May 29, 2008, 06:44:09 PM
1. there's no need for new dump files, I was just asking if the problem is solved by disabling the self defense or not.

2. please try the following: log on using the non-admin account that has the problem, disable avast self defense, run Regedit, navigate to HKEY_CURRENT_USER\Software\ALWIL Software\Avast\4.0 and create a new string value called "CurrentSkin" (without the quotation marks). Make the value data "silver panel.asws" (again, without the quotation marks). Re-enable the self defense module, and see if it resolves the problem.


Thanks
Vlk
   
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to
Post by: blue2 on May 29, 2008, 08:27:50 PM
Vik, I just tried what you suggested.

Since I can't get into Avast settings from limited user, I had to sign on as Admin to disable self-defense.

Then signed off and signed on as local user to change the Avast\4.0 key you indicated. And it gave me an "Error Opening Key" message. I can navigate to the "Avast" level of that branch, but NOT to "4.0".

Just in case, I rebooted and tried it again, but no luck.

So, does this suggest some type of privilege issue?
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to 100%
Post by: DavidR on May 29, 2008, 08:47:36 PM
Surely you would have the same problem editing registry entries as a limited user and that isn't an avast issue but a windows restriction.

I can't recall if you can even edit user keys in a limited user account ???

So you may have to do those edits from an account with admin privileges.
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to 100%
Post by: igor on May 29, 2008, 08:48:10 PM
If you check the permissions to this key in regedit - what does it show?
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to
Post by: blue2 on May 29, 2008, 09:04:36 PM
That is EXACTLY, step by step, the procedure I followed the last time. See my reply #28 of two weeks ago.

I assume I should disable self-defense before attempting to uninstall.

I will try this one more time with the new build, if this is what Vik suggests is the best approach. I've followed everyone's suggestions over the past two weeks, but what takes a few minutes to suggest, sometimes takes hours of work to implement, on a machine that I don't have constant access to.

I'm not as well versed as you all in this program, but I've solved a pretty good number of computer problems by starting from the most logical culprits, instead of just blindly installing new builds. I said at the very beginning that I had the distinct impression this was some kind of privilege issue. I could set the privileges of the program to all users but that seemed to me to be compromising the security of the program.

I installed this as a favor for a friend, and did not expect to have the installation of Avast take more time than it would take to clean up an infected system.

Igor, I will check the permissions on this key now.
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to
Post by: blue2 on May 29, 2008, 09:21:17 PM
DavidR, I didn't even get to edit this key. I merely tried to view the key for the current user and could not. I think that is rather odd.

I'm no registry expert, but how could one possibly edit the key of the current user while under the Administrator account, which is not the current (limited) user?

Igor, when I check the permissions of the 4.0 branch, it states "You do not have permission to view the current permission settings for 4.0, but you can make permission changes." when I then click "Ok", it shows nothing, no users, no permission settings. When I move up the branch to Avast or ALWIL software, it clearly shows the permissions of the local user as well as the system and administrator.

Now what could possibly have caused this issue?
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to 100%
Post by: Vlk on May 29, 2008, 09:59:09 PM
Can you please try to access the key from Windows Safe Mode?
No part of avast is running in Safe Mode so we can easily conclude if the key is made inaccessible by avast itself or something else.

Thanks
Vlk
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to
Post by: blue2 on May 29, 2008, 11:49:13 PM
Vik, if I boot into Safe Mode, I can of course only log in as Admin not as a local user. In safe mode, in the Admin account, I can navigate to the HKCU key without problem, and see the three sub-branches (ahsLogV, ashSimp2 and ashUInt, just as I normally see for this key as the Admin. But it does not show me the permissions for the limited user account since the current user is then the Admin.

Did I not understand something?
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to 100%
Post by: Vlk on May 30, 2008, 12:42:33 AM
Oops, sorry, forgot we're talking about HKCU, not HKLM.

What you could try to do is mount the HKCU hive of the non-admin while logged on as an admin (either from the Safe Mode, or from a regular Windows mode).

To do this, navigate e.g. to HKEY_USERS, go to menu File ->Load Hive, and navigate to C:\Documents And Settings\<name-of-the-non-admin-account>. Then select the file ntuser.dat. This should make regedit load the HKCU hive of that user to a new key inside HKU.

Having done that, please try to navigate to the Software\ALWIL Software\Avast\4.0 branch. Is that possible?

Thanks
Vlk
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to
Post by: blue2 on May 30, 2008, 10:39:42 AM
Just to confirm, am I only mounting the local user hive while the Admin, just to see if I can navigate to that 4.0 key and see what it's permissions are? Or am I attempting to add the previously suggested additional value to the 4.0 key in the local user hive of the registry?

You can understand my hesitation. A registry error like before (to add the value to create the dump file), created a good half a day of work when the system wouldn't load. In which case, it'd be easier to try the latest build. But if there is some kind of privilege issue, and the two previous builds had this issue, it's likely that whatever caused it, will cause it again in the latest build.

Since this thread has become quite long, let me just reiterate the two symptoms I thought significant:

1. I can't get the Ashavast.exe process to run as limited user, but can as admin or using "run as" as limited user. Other functions (quick scan, udpate, etc.) work fine as local user. As local user, Ashavast.exe stalls, does not open, and the process runs CPU at 100%. If I click it again, it opens a second Ashavast.exe process, both stalled.

2. If I then try to terminate the process in task manager, I get an "Unable to Terminate Process. Access is Denied" message. The only way to terminate is to reboot. And that displays an "Active Skin Helper can't shut down" message and I need to kill Active Skin Helper to force the reboot.

This is what led me to question whether this is a permission issue and if the way that Active Skin Helper is being called by Avast is somehow invoking something else (a dll perhaps) that requires elevated privileges to run, thereby hanging the process. I tried installing without skins and using only the simple user interface, but it made no difference.

Did the full memory dump indicate anything more specific? Did it indicate what was hung, e.g. dependent dlls?
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to 100%
Post by: Vlk on May 30, 2008, 12:00:44 PM
Primarily, the point is to find out if the hive isn't corrupted.
Secondly, it would be interesting to find out what its access permissions are.

Thanks
Vlk
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to
Post by: blue2 on June 01, 2008, 07:14:47 PM
I'm sorry, but I don't understand what you’re asking. It's going to require a little more guidance, since an oversight results in hours of needless work.

Just in case, I’ve tried the latest Avast build. As suspected, it was not a "magic" solution.  The process was: uninstalled the present build, rebooted, used the clear utility, rebooted, then swept the registry for ALWIL/Avast.  I still saw a limited user key HKEY_CURRENT_USER\Software\ALWIL Software\Avast\4.0, but could NOT get to the 4.0 level nor could I delete the key. Then I rebooted, installed the latest build (without any skins, simple user interface), rebooted. No problem as admin but the program still hangs as local user.

-- Now how could an Avast key be created that can't be removed? It’s unlikely to have been "corrupted" by anything since Avast was the last thing installed. I even held off installing XP SP3 for that reason. If something could corrupt it without trying, that makes me wonder what malware could do!

I've used the Hang Rep utility and FTP’d a full 650mb memory dump.

-- No one ever answered my question of whether that showed anything?

You suggestion: “mount the HKCU hive of the non-admin while logged on as an admin (either from the Safe Mode, or from a regular Windows mode).

To do this, navigate e.g. to HKEY_USERS, go to menu File ->Load Hive, and navigate to C:\Documents And Settings\<name-of-the-non-admin-account>. Then select the file ntuser.dat. This should make regedit load the HKCU hive of that user to a new key inside HKU.

Having done that, please try to navigate to the Software\ALWIL Software\Avast\4.0 branch”

-- What exactly does that mean? Is that simply “reading” the local hive while running as administrator in safe mode, or is that “writing” changes” to the registry, that might have undesirable consequences?

-- Again, am I only mounting the local user hive while the Admin, just to see if I can navigate to that 4.0 key and see what it's permissions are? Or am I attempting to add your previously suggested additional value to the 4.0 key in the local user hive of the registry?

I don't fiddle around in the registry UNLESS there is a specific key to modify. Once you start talking about hives, it is not clear to me if this is reversable or not. The last suggested registry modification I followed forced me to reinstall, so I'd like to be sure we understand each other.

And nothing that has been suggested thus far indicates to me that my suspicion that this is a permission-related issue is incorrect. If so, your programming team must surely know what the underlying program privileges are to see what could be screwed up and to explain how?

Thanks.
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to
Post by: igor on June 01, 2008, 08:02:59 PM
-- Now how could an Avast key be created that can't be removed? It’s unlikely to have been "corrupted" by anything since Avast was the last thing installed. I even held off installing XP SP3 for that reason. If something could corrupt it without trying, that makes me wonder what malware could do!

The registry hive itself may be corrupted (might have been corrupted before avast! was installed, who knows) - in that case, all kinds of strange things might happen.

I've used the Hang Rep utility and FTP’d a full 650mb memory dump.
-- No one ever answered my question of whether that showed anything?

The dump revealed a strange piece of code (I guess it can be called a bug) that causes the reported 100% CPU usage. However, this bug manifests only if a specific registry value cannot be read from avast! key.
Now, this may happen if somebody deleted the key/value manually - but that's not the case here. So, the primary cause here must be something else.

You suggestion: “mount the HKCU hive of the non-admin while logged on as an admin (either from the Safe Mode, or from a regular Windows mode).

To do this, navigate e.g. to HKEY_USERS, go to menu File ->Load Hive, and navigate to C:\Documents And Settings\<name-of-the-non-admin-account>. Then select the file ntuser.dat. This should make regedit load the HKCU hive of that user to a new key inside HKU.

Having done that, please try to navigate to the Software\ALWIL Software\Avast\4.0 branch”

-- What exactly does that mean? Is that simply “reading” the local hive while running as administrator in safe mode, or is that “writing” changes” to the registry, that might have undesirable consequences?

If you just navigate to the key (or display its permissions), no writing operation will occur.

-- Again, am I only mounting the local user hive while the Admin, just to see if I can navigate to that 4.0 key and see what it's permissions are? Or am I attempting to add your previously suggested additional value to the 4.0 key in the local user hive of the registry?

Well, if the permission shows something strange (but again - who would set the special permission there? It's HKEY_CURRENT_USER, i.e. the restricuted user should have full access rights there), there's no need to create anything. If the permissions seem OK, it would be interesting to try to create the key (as Admin). If this fails, I'd say it's a sign that the registry hive is corrupted.

I don't fiddle around in the registry UNLESS there is a specific key to modify. Once you start talking about hives, it is not clear to me if this is reversable or not. The last suggested registry modification I followed forced me to reinstall, so I'd like to be sure we understand each other.

Of course, you can back up the Ntuser.dat file before loading the hive into regedit.
Honestly, I don't see any way how changes (even corruption) of a limited user account registry hive could cause the system to fail to boot - this hive is not touched/loaded if you log on as a different user.

And nothing that has been suggested thus far indicates to me that my suspicion that this is a permission-related issue is incorrect. If so, your programming team must surely know what the underlying program privileges are to see what could be screwed up and to explain how?

As I wrote above - any user normally has all rights for "his" HKEY_CURRENT_USER hive. In your case, it seems that the user isn't able even to read/browse this key - it's very strange. avast! doesn't set any restriction on its keys... so unless somebody (user, or some other software) changed the permissions itself, there shouldn't be any problem here.
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to
Post by: blue2 on June 02, 2008, 07:55:19 PM
As administrator I've loaded the limited user hive in HKEY_USERS. (The hive IS written and remains unless one knows to go back to the menu under HKEY_USERS and selects "unload hive". I didn't know but figured it out. But that's what I meant before about unforseen consequences if procedures are not spelled out PRECISELY.)

When the limited user hive is loaded, the permissions are only Admin, Restricted, System and S-1-5-21...., so that's why it can't be changed as a local user.
--> So is there a way to load this hive as admin, make the necessary changes, and then replace the actual limited user hive with this modified temporary hive? Or is there some other suggested procedure to follow?

When I look at this limited user hive, the branch goes Software\ALWIL Sofware\Avast\4.0\ and then there are sub-branches for ashSimp and ashUint. However, when I look at the adminstrator branch, the branch ends at 4.0 without these two sub-branches.
-->Is that the way it is supposed to be?

On the administrator hive, in Software I see Symantec\ with branches to Common and Systemworks, and also Software\Symantec\Norton Utilities. Both of these branches have permissions to all users, but both will not let me delete them. To get rid of Norton I had used both Add\Remove, the Norton Removal Tool and also swept the registry for Norton\Symantec\NAV.
-- >Is there a procedure to delete keys that won't permit deletion?

Now there is only one additional thought that occured to me. I had changed the SID on the machine using NewSID (which then changes the SID ids for each user). Is it possible that when the SID id for the limited user account changed, it somehow caused an issue, but only with security apps? Are they "tied" to SIDs somehow? Other than this, I see no evidence of hive "corruption" in event viewer.

P.S. By the way, the machine was previously prevented from rebooting not because I was asked to read something in the local hive, but rather asked to add a registry value to create a full dump and then intentionally blue screen the machine and reboot. That did not work as intended...
Title: Re: Ashavast.exe - stalls as local user, causes multiple processes, runs CPU to
Post by: blue2 on June 03, 2008, 01:04:03 AM
Well, some progress.

I've gotten Avast to work as a limited user simply by loading the local hive as admin, navigating to the Avast\4.0 key and changing the limited user account permission to FULL CONTROL. Then when I logged on as the limited user, the changes took effect and Avast worked.
-->Is that correct as I don't want to make an error and compromise the machine's security? Meaning, on the HKCU hive while a limited user, should that user have full control over those Avast keys? Is there some further testing that should be done to be sure that it is working correctly?

On this limited user hive, the branch goes Software\ALWIL Sofware\Avast\4.0\ and then there are sub-branches for ashSimp and ashUint. However, on the adminstrator hive, the branch ends at 4.0 WITHOUT these two sub-branches.
-->Is that correct?

On the administrator hive, in Software I see Symantec\ with branches to Common and Systemworks, and also Software\Symantec\Norton Utilities. Both of these branches have permissions to all users, but will not let me delete them. I don't think these had any effect on the issue, and it's odd that they are still there since I had used Add\Remove, the Norton Removal Tool and swept the registry for Norton\Symantec\NAV.
-- >Is there some other procedure to delete these keys that won't permit deletion?

Thanks.