File Share Encryption

Some of our users inadvertently applied the patch KB2393802 and after doing so, started having very strange behavior with their encrypted drives.  The user would log in at the BootGuard screen and into Windows (XP sp3) as per normal however, after the first reboot after that, the user's network password no longer worked at the BootGuard screen.  A WDRT was provided which allowed the user to boot to a Windows GINA where they logged in with their network ID and password, then the computer would blue screen and reboot again.  The original user could no longer successfully log into the computer however, a user who had never logged into that computer before could log in (after using a WDRT) successfully with no ill effects. The new user could log in at the BootGuard screen with no problems.  If the original user attempted to log in, the computer would blue screen.  The only solution we've found so far is to log in by whatever means necessary and uninstall the patch. Once that's done, everything works again.  Has anyone seen this before?

We're looking into this. However, it seems to be a fairly common issue with the update from Microsoft. This may indicate that it is a general problem, not an incompatibility with Whole Disk Encryption.

See http://www.google.com/search?q=KB2393802. Currently the first two pages are dominated by links about problems with this update.

Bryan

We have had several machines with the issue.  pgpwded.sys is causeing the blue screen after the windows update was installed.  Uninstalling KB2393802 from safemode fixes the issue.  We even reimaged a test machine it worked fine with the update without pgp installed. Reimaged again, installed PGP, then the update and got the blue screen.

Have just been dealing with microsoft through premier online and have been working a case on this one.  XPproSP3 with PGP 9.9.1 installed.  it appears to crash against PGPwded.sys   upgraded to 10.0.3 - system restarted 2-3 times and then BSOD again.

Thanks for the updates.

The engineering team has tested this update repeatedly across a number of versions and hasn't been able to duplicate it at this time. Maybe a combination of factors is required to generate this error.

Could you provide some additional information on your configuration, including:

1. Did you install the KB from WSUS, manual download, or automatic updates?
2. What version of Windows (if you haven't already mentioned it above)? 32- or 64-bit?
3. What version and build of PGP WDE? If not on the latest version (10.1.1), is it possible to upgrade and try again?
4. What specific laptop hardware make and model?
5. Which anti-virus software is running? Any other apps that might be unusual or could hook into the kernel?

Thanks,
Bryan

We have this issue only with laptops using Windows XP Professional 32bit and PGP WDE 10.0.2 (Build 13) (PGP SDK 4.0.0). Our Windows 7 Professional laptops have not been affected (they are updated regularly). These are various model laptops, but mostly newer HP Elitebooks and Probooks. We use Trend Officescan for antivirus (it is kept up to date). Users reported thier password no longer worked from the PGP login screen. We were able to use the administrator password then CTRL+ALT+DEL to get them logged in. Some users reported even after doing that, a BSOD occurs sometime after logging back in. These updates were installed via automatic updates. 

Thanks for any help

Here is the information for the machines:

Windows XP Professional 32bit

PGP 9.12.0 build 1035 sdx 1.12.0

It is effecting only our Lenovo x201 and t410

We also use Trend Officescan for antivirus. 

Out updates came in from Automatic updates and we use the single sign on, so no Ctrl-Alt-Del screen

May not be for everyone.

We upgraded our Keyserver to latest 3 version.  So far we are getting calls from our Users with 10.0.2 pgp client (WinXP SP3 Lenovo T410s)

We uninstalled KB2393802 via safemode.

Restarted.

Installed new 10.1.1

Restarted.

Reinstalled KB2393802

Restarted once more.  No problems so far.

I have a dozen HP laptops (ProBooks, Compaq's, etc.) running 32 bit XP SP3 and they all had the same problem after installing KB2393802 with PGP WDE 9.9 through 10.0.3.  The instructions above from jguzman are working for me so far.  Thanks!

Did you have to decrypt then re-encrypt to upgrade PGP?

Great to hear... tm797.

We didn't have to decrypt/re-encrypt just installed the new 10.1.1 client on top of 10.0.2. 

But according to PGP before the switch to Symantec Support the Technician said you cannot go from 3.1 from 3.0 directly on the Keyserver.

You have to go to 3.0.1 or 3.0.2 (we upgraded first to 3.0.2) on the keyserver then we did 3.1.  Then we pushed out 10.1.1 clients.

While upgrading to 10.1.1 seems to have resolved the issue, I did a decrypt and re-encrypt on one of my 12 laptops with this issue and got the same BSOD.  If you upgrade to 10.1.1 and do nothing else, your machine will probalby run fine.  But when I ran a decrypt after upgrading to 10.1.1, I got a BSOD about half way through.  Then when starting the re-encrypt this morning, I got it again.  The dump file has the same parameters as the original issue after installing KB2393802, so there still seems to be an issue with the Windows Kernel and pgpwded.sys.  The laptop restarted properly from the BSOD and is continuing to re-encrypt, but Symantec needs to take another look at this.

The laptop with the issue is a HP ProBook 4520s, running 32-bit XP SP3, fully patched, with SEP11 and PGP WDE 10.1.1.  Now the BSOD occurs when decrypting and encrypting the whole disk, which is better than getting the original BSOD that prevented proper startup of the machine.

Thanks for posting the information above. After reviewing a number of memory dump files, our engineering team has determined the following:

• Windows XP leaves approximately 12,000 bytes of shared stack space for kernel modules to share.
• Windows provides no way to identify available stack space; it just BSODs when the stack overruns.
• PGP WDE 10.0.2 and below use approximately 600 bytes of stack space.
• In the PGP WDE 10.1, we proactively reduced this to approximately 100 bytes of stack space.
• KB 2393802 leaves less stack space available in the Windows kernel for other kernel modules to use.
• PGP WDE (pgpwded.sys) is generally the last driver loaded. As a result, when we try to grab our modest stack space, the blue screen will display our driver name as the responsible driver.
• In our testing, almost every system suffering from this problem used the Intel graphics driver. This uses about 7,000 bytes(!) of stack space. Without this single driver using over half of this available shared resource, there would be plenty of room for the WDE driver.

The above explains a number of items:

• Why the problem occurs on some systems but not others
• Why it occurs without PGP WDE installed
• Why it occurs most often on Win XP
• Why we did not see this in our testing

Our current recommendation is to upgrade to PGP WDE 10.1.1; the lower stack utilization allows it to fit in the reduced area. Thus far, we have not seen a case where this did not fix the problem; the reduction in available stack space from the MS patch must be less than 500 bytes.

As said in a message above, there is no need to decrypt your disk before upgrading to 10.1, though we do recommend a backup as a basic best practice.

Also, we have not been able to duplicate this on Windows 7. If you have seen this issue on Win7, please post here and let us know if we can reach out to you to see what's happening.

Unfortunately, this is a difficult situation for a software vendor like us. We're doing the right thing in minimizing our use of the stack - in fact, we proactively reduced it further before this issue even occurred. However, a combination of other programs' behavior and our position in the driver loading process (probably because we were installed last) makes Windows crash with the finger pointing at us.

Please leave a note here if you use the Intel graphics driver and have seen this issue. I'll be reaching out to Intel to see if they can update their video driver to minimize stack usage.

My apologies to anyone affected by this issue.

Bryan Gillson

Bryan are you also contacting Microsoft?

How do I upgrade PGP Desktop WDE? Do I have to upgrade the server first? I create the installs for my laptops from the server. When I try to update the server, it finds no updates.

What version(s) of the Intel graphics driver were they using during their tests?

After upgrading and allowing the patch to reinstall now we're seeing the systems go into a hard crash, with a black screen and a flashing cursor, just after entering your password. Any ideas what may be causing this or how to stop it or recover from it.

I hadn't considered it, but it's worth a shot. We have a good relationship with them.

The cynic in me says that their response will be "it's my kernal and I'll allocate what I want to", but they can actually be fairly understanding when given the right information. Thanks for the suggestion.

Yes, you will need to update the server first. You should find a PUP update to PGP Universal 3.1.1 in Symantec FileConnect. It contains an update to the embedded copies of Desktop.

Note that we no longer use the PGP Update Server after the transition to Symantec systems, so all updates will now be on FileConnect.

If you haven't logged into FileConnect yet, you will need a Symantec customer number (they call it a serial number). Either you've received this in an email, or you should contact Customer Care for the information for your company. Contact info is here: http://www.symantec.com/business/support/assistance_care.jsp

Needless to say, please follow all best practices before updating your server, including backups, reading the release notes, etc. If you're on PGP Universal version 3.1, the update should be seamless; 3.0.x, pretty straightforward; 2.x, it's a big deal.

Timon0x31, sorry you're still having trouble. First, remove the MSFT KB patch and see if the system returns to normal booting.

Then, please open a support case and report the problem. Make sure they know you're running 10.1.1, still have an issue with the MSFT KB2393802 patch, and provide your operating system version, hardware make and model, and other info.

It's /possible/ that this is a different issue. Are you running XP or Win7? An HP laptop?

Unfortunately I don't have the version number. A comment in our tracker identifies the driver as igxpmp32.sys, but does not specify the version.

Bryan

FYI, you don't even get to the point where you can select SafeMode. As soon as you enter your password in the PGP screen you go to a black screen with a flashing cursor in the upper left corner. This is happening on Lenovo ThinkPad, the THREE that I have are all T410's but other in the company are also failing. Does not seem to happen on other notebooks.

Some of you that are still experiencing this problem. Including those that are on PGP Desktop 10.1.x. Please provide us with as much of the following details from the affected computers as possible:

- Operating System and Service Pack level

- What version of PGP Desktop you are running. As well as the setup of your environment. Such as: PGP Desktop with Universal version 3.x or PGP Desktop in a Standalone Configuration (no PGP Universal Server)

- What make/model of computer you have

- When the problem started occuring? (ie. after MS update, or after a driver update).

- What version of Intel Graphics driver you are running (or if you have another Graphics card and driver version)

- What Antivirus client and version you are running

- Steps to reproduce the problem

- Are you using PGP Desktop in a SSO (Single-Sign-On) configuration with Bootguard or just using a PGP passphrase

- Does uninstalling the KB 2393802 resolve your issue?

- Whether an update of PGP Desktop 10.1 or disabling SSO resolves the issue you are seeing

I would also suggest that you look at your hardware manufacturers website to see if there are any updates to your Intel Graphics card driver.

The more information we can get on this issue the better. Unfortunately, the issue isn't widespread enough that we can re-produce the problem here with our testing and we need as much information as possible to help us get to the bottom of the problem.