LSASS deadlock with PGP WDE (10.2.0 MP3 [2317])

Obviously, PGP Whole Disk Encryption is one of the greatest menaces ever let loose on mankind.

Not only will it give SSDs a special “burn over” (you wanted “Whole Disk”, so shut up) and slow them down to a USB 1.1 crawl, it is also apparently not as transparent as they want you to believe. Its About box unfortunately does not support Copy & Paste, so I cannot associate the developers’ names with my point of grief.

PCs usually fail when two or more menaces combine to make your life sad and miserable. Today, it is ClearCase and PGP WDE.

While trying to install the ClearCase 7.1.2.7 fixpack on my 8540w, the update process stalls halfway through. A check with Resource Monitor’s “Analyze Wait Chain” reveals that LSASS is deadlocked.

This means that I cannot start any process or access any file which would require authentication. Also, I cannot log off, or restart the system.

When I capture a dump of lsass.exe and have a look, this is what I see:

0:000> !locks
CritSec ntdll!LdrpLoaderLock+0 at 0000000077c57490
WaiterWoken No
LockCount 2
RecursionCount 1
OwningThread ef4
EntryCount 0
ContentionCount 13
*** Locked

CritSec PGPpwflt!NPPasswordChangeNotify+90080 at 000007feec301910
WaiterWoken No
LockCount 0
RecursionCount 1
OwningThread ef4
EntryCount 0
ContentionCount 0
*** Locked

Scanned 1650 critical sections
0:000> ~
. 0 Id: 358.368 Suspend: 0 Teb: 000007ff`fffdc000 Unfrozen
1 Id: 358.370 Suspend: 0 Teb: 000007ff`fffd9000 Unfrozen
2 Id: 358.374 Suspend: 0 Teb: 000007ff`fffd7000 Unfrozen
3 Id: 358.378 Suspend: 0 Teb: 000007ff`fffd5000 Unfrozen
4 Id: 358.38c Suspend: 0 Teb: 000007ff`fffac000 Unfrozen
5 Id: 358.850 Suspend: 0 Teb: 000007ff`fffa6000 Unfrozen
6 Id: 358.13f4 Suspend: 0 Teb: 000007ff`fffa0000 Unfrozen
7 Id: 358.13f8 Suspend: 0 Teb: 000007ff`fff9e000 Unfrozen
8 Id: 358.159c Suspend: 0 Teb: 000007ff`fffd3000 Unfrozen
9 Id: 358.ef4 Suspend: 0 Teb: 000007ff`fffde000 Unfrozen
10 Id: 358.177c Suspend: 0 Teb: 000007ff`fffae000 Unfrozen
0:000> ~9 kb
RetAddr : Args to Child : Call Site
000007fe`fe2e10dc : 00000000`02e568c0 00000000`00000000 ffffffff`fffffffe 00000000`00000000 : ntdll!ZwWaitForSingleObject+0xa
000007fe`ec1287a4 : 00000000`02e57b10 000007fe`ec1ef250 00000000`00000000 00000000`00000dfc : KERNELBASE!WaitForSingleObjectEx+0x79
000007fe`ec1456b2 : 000007fe`ec2ced60 00000000`00000000 00000000`022b15c0 00000000`022b15e0 : PGPwdesdk!PGP::WDESDK::ExtendedWDRT::~ExtendedWDRT+0x17504
000007fe`ec2ced6a : 000007fe`ec2ced60 00000000`0151fbb0 00000000`00000000 00000000`77b476e1 : PGPwdesdk!PGP::WDESDK::cleanup+0x52
000007fe`ec27ec6d : 00000000`00000000 00000000`f922f068 00000000`00010000 00000000`77b432a4 : PGPpwflt!NPPasswordChangeNotify+0x5d4da
000007fe`ec27b4fe : 00000000`00000000 00000000`00000000 000007fe`00000001 00000000`77b7a050 : PGPpwflt!NPPasswordChangeNotify+0xd3dd
000007fe`ec27b671 : 00000000`0000001e 00000000`00000018 00000000`00000000 00000000`00000410 : PGPpwflt!NPPasswordChangeNotify+0x9c6e
00000000`77b42652 : 00000000`0042d250 00000000`77b79ff0 000007fe`ec27b6b8 00000000`77c52670 : PGPpwflt!NPPasswordChangeNotify+0x9de1
00000000`77b43b2a : 00000000`00000000 00000000`01a2e140 00000000`00000000 00000000`0042d250 : ntdll!LdrpUnloadDll+0x27d
000007fe`fe2e91a5 : 000007fe`ec270000 000007fe`fdd8fa00 00000000`00000000 000007fe`fe2e1582 : ntdll!LdrUnloadDll+0x4a
000007fe`fa222836 : 00000000`015b5370 00000000`0156c708 000007fe`fdd8fa00 00000000`00000000 : KERNELBASE!FreeLibrary+0x1d

As far as I can tell, this looks like somebody is blocking in a destructor while holding the loader lock.
That’s where “Transparency” goes down the drain.
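
The pattern in this dump, the loader-lock owner parked in a wait underneath a loader call, can be checked for mechanically when triaging a hung process. The Python sketch below is an added example, not part of the original post: the function names and the wait/loader heuristics are assumptions, and the sample input is abridged from the debugger output above.

```python
import re

WAIT_CALLS = ("WaitForSingleObject", "WaitForMultipleObjects")  # heuristic (assumption)
SYSTEM_MODULES = {"ntdll", "KERNELBASE", "kernel32"}

def parse_locks(text):
    """Map each critical section symbol in !locks output to its owning thread id (hex)."""
    owners, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"CritSec\s+(\S+)\s+at\s", line):
            current = m.group(1)
        elif (m := re.match(r"OwningThread\s+([0-9a-f]+)", line, re.I)) and current:
            owners[current] = m.group(1).lower()
    return owners

def call_sites(kb_text):
    """Return module!symbol for each frame of `kb` output, innermost frame first."""
    return [line.rsplit(" : ", 1)[1].split("+")[0].strip()
            for line in kb_text.splitlines() if " : " in line and "!" in line]

def loader_lock_stall(locks_text, stacks):
    """stacks maps OS thread id (hex) to that thread's kb output. Returns a finding or None."""
    owners = parse_locks(locks_text)
    owner = next((t for s, t in owners.items() if s.startswith("ntdll!LdrpLoaderLock")), None)
    frames = call_sites(stacks.get(owner, "")) if owner else []
    if not frames or not any(w in frames[0] for w in WAIT_CALLS):
        return None  # loader-lock owner is not parked in a wait
    if not any(f.startswith("ntdll!Ldr") for f in frames[1:]):
        return None  # the wait is not underneath a loader call
    mods = [f.split("!")[0] for f in frames]
    modules = list(dict.fromkeys(m for m in mods if m not in SYSTEM_MODULES))
    return {"owner": owner, "wait": frames[0], "modules": modules,
            "also_held": [s for s, t in owners.items()
                          if t == owner and not s.startswith("ntdll!LdrpLoaderLock")]}

# Sample input abridged from the dump above; argument columns replaced with "...".
LOCKS = """CritSec ntdll!LdrpLoaderLock+0 at 0000000077c57490
OwningThread ef4
CritSec PGPpwflt!NPPasswordChangeNotify+90080 at 000007feec301910
OwningThread ef4"""
STACK = """RetAddr : Args to Child : Call Site
000007fe`fe2e10dc : ... : ntdll!ZwWaitForSingleObject+0xa
000007fe`ec1287a4 : ... : KERNELBASE!WaitForSingleObjectEx+0x79
000007fe`ec1456b2 : ... : PGPwdesdk!PGP::WDESDK::ExtendedWDRT::~ExtendedWDRT+0x17504
000007fe`ec2ced6a : ... : PGPwdesdk!PGP::WDESDK::cleanup+0x52
00000000`77b42652 : ... : PGPpwflt!NPPasswordChangeNotify+0x9de1
00000000`77b43b2a : ... : ntdll!LdrpUnloadDll+0x27d"""

if __name__ == "__main__":
    print(loader_lock_stall(LOCKS, {"ef4": STACK}))
```

The `stacks` mapping is keyed by the OS thread id from the `~` listing (the part after the dot in `358.ef4`), which is the same value `!locks` reports as `OwningThread`.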
