search cancel

SCSP / DCS:SA Reboot loop with IPS enabled or how to tune services that SMSS.EXE calls at boot up.


Article ID: 161865


Updated On:


Critical System Protection Data Center Security Server Critical System Protection Client Edition Data Center Security Server Advanced


   A reboot loop may happen on a system if one or more of its critical service gets put into a nopriv Pset during boot up. Since some critical services are required for boot up and the driver loads before the services to capture events there may not be any events to show what happened during the boot process. At this point the only way to capture the events and see the details is to put the IPS policy into log only mode this way the Warning events that are blocking the critical services will get logged as an allow.

  In the event below we see SMSS.EXE is starting EmcOMvolexp.exe this service is being put into svc_nopriv_ps and were it cannot do anything as this system appears to be running off of a SAN it fails to boot and gets caught in a reboot loop.

PPST,6,2015-04-05 00:12:06.937 Z-0400,W,,GR,532d4a9f598510f53bec646ce0b60a9c,i,,,NT AUTHORITY\SYSTEM,0,C:\WINDOWS\system32\EmcOMvolexp.exe,440,,\??\C:\WINDOWS\system32\EmcOMvolexp.exe ,create,svc_nopriv_ps,412,,,,\SystemRoot\System32\smss.exe,,,C:\WINDOWS\SYSTEM32\SMSS.EXE,444,,


   SMSS.EXE will often start process at boot time and if these process are not properly tuned then they may fall into svc_nopriv_ps.


  To resolve the issue in the above example, tune the policy to allow the process to run at boot time.


Applies To