Blue screen error shows pgpwde.sys as the culprit after installing KB2393802 security patch

book

Article ID: 154177

calendar_today

Updated On:

Products

Symantec Products

Issue/Introduction

The hard disk is encrypted using Whole Disk Encryption with PGP Desktop 9.x or 10.x software. Once the hard disk is encrypted and Microsoft KB 2393802 is installed the machine goes into a constant reboot cycle. If the reboot upon failure option is disabled a blue screen system error is displayed which indicates there is a problem in pgpwde.sys.

Blue screen with an error code stating a problem in the pgpwde.sys driver.

Some machines had the following exception code logged:

stop 0x0000007f (0x000000008, 0x,ba350d70, 0x00000000, 0x00000000)

Cause

This windows KB update applies a patch to the windows kernel

  • Windows XP leaves approximately 12,000 bytes of shared stack space for kernel modules to share.
  • Windows provides no way to identify available stack space; it just BSODs when the stack overruns.
  • PGP WDE 10.0.2 and below use approximately 600 bytes of stack space.
  • In the PGP WDE 10.1, we proactively reduced this to approximately 100 bytes of stack space.
  • KB 2393802 leaves less stack space available in the Windows kernel for other kernel modules to use.
  • PGP WDE (pgpwded.sys) is generally the last driver loaded. As a result, when we try to grab our modest stack space, the blue screen will display our driver name as the responsible driver.
  • In our testing, almost every system suffering from this problem used the Intel graphics driver. This uses about 7,000 bytes of stack space. Without this single driver using over half of this available shared resource, there would be plenty of room for the WDE driver.

We have also found the following Intel Graphics graphics card driver versions to be a culprit as well:

  • 6.14.10.5179 - this driver version is most common to be affected
  • 6.14.10.5220
  • 6.14.10.5225
  • 6.14.10.5294

Resolution

Our recommendations are to upgrade to PGP WDE 10.1.1; the lower stack utilization allows it to fit in the reduced area. Thus far, we have not seen a case where this did not fix the problem; the reduction in available stack space from the MS patch must be less than 500 bytes. You should also proactively upgrade your Intel Graphics driver to one of the known good versions listed below.

Known good versions of the Intel Graphics driver to update to are:

  • 6.14.10.5313
  • 6.14.10.5303
  • 6.14.10.5218

A quick workaround would be disabling MEMLOCK feature. (Go to registry , find MEMLOCK pgp key, set to 0, reboot) . This can mean a security exposure since key´s passphrase in system memory will be allocated unencrypted.

Anyway, all PGP  features and components will work as usual.


Applies To

Most commonly affected operating system - Windows XP Service Pack 3

Microsoft patch applies to Windows Vista and Windows 7 as well PGP  Desktop 9x and 10.x family

Intel Integrated Graphics Card