Sorry, I think you misunderstood.
------------------------------------------------------------------------------
RECAP:
taskkill /f /pid 4 returns "Access Denied"
taskkill /f /s localhost /pid 4 returns "Success"
This puzzles me because they are logically the same command.
------------------------------------------------------------------------------
Examining the system, I'm noticing that when the above command results in "Success" the entire system becomes unstable/weird, but only machines on my network with McAfee (likely any AV with a mapping to ntoskrnl.exe or even a handle to it) tools are BSOD'ing. Examination of the logs shows the best indicator of system instability or otherwise weirdness is the sppsvc returning 0x5 ("Access Denied"), which will immediately return that exit code after being run (manually started via sc or by waiting for it to automatically restart).
------------------------------------------------------------------------------
sc start sppsvc attempts to start the SPP service manually
sc query sppsvc will return WIN32_EXIT_CODE 5 (0x5) -- Access Denied
This is the best indicator of system weirdness. Anywhere between 1-6 days later the machine BSODs.
------------------------------------------------------------------------------
Reboots/crashes solve the problem, except that it's bad for uptime to be rebooting servers and workstations in a game of whack-a-mole. I believe that if the first two commands behaved the same, this state could be avoided. My suspicion is that ntoskrnl.exe is getting killed and restarted and anything that had a mapping to that area of memory (mostly drivers) will now fault and BSOD the machine. This is most apparent with AV tools. If my suspicion is true, then this should be considered a bug, if only because the machine behaves differently when performing the same actions (logically).
- Edited by MadigonLIVE, Wednesday, October 23, 2013 2:12 PM
- Marked as answer by Andy Qi (Microsoft contingent staff, Moderator), Monday, November 04, 2013 4:43 PM
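
The indicator described in the post above (sc query sppsvc reporting WIN32_EXIT_CODE 5) can be checked across machines before they crash. This is an added PowerShell example, not part of the original thread; the function names ConvertFrom-ScQuery and Get-SppsvcExitCode and the host names in the last comment are hypothetical, and the sample output is constructed.

```powershell
# Added example. ConvertFrom-ScQuery and Get-SppsvcExitCode are hypothetical helper names.

function ConvertFrom-ScQuery {
    param([string[]]$Lines)
    $fields = @{}
    foreach ($line in $Lines) {
        # Field lines look like "        WIN32_EXIT_CODE    : 5  (0x5)"
        if ($line -match '^\s*([A-Z0-9_]+)\s*:\s*(\S+)') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    $fields
}

function Get-SppsvcExitCode {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))
    foreach ($computer in $ComputerName) {
        # sc.exe, not sc: in Windows PowerShell "sc" is an alias for Set-Content.
        $out = & sc.exe "\\$computer" query sppsvc 2>&1 | ForEach-Object { "$_" }
        $fields = ConvertFrom-ScQuery -Lines $out
        if (-not $fields.ContainsKey('WIN32_EXIT_CODE')) {
            # Query failed (host unreachable, no rights): report it, do not guess.
            New-Object psobject -Property @{ Computer = $computer; State = $null; ExitCode = $null; Suspect = $null }
            continue
        }
        $code = [int]$fields['WIN32_EXIT_CODE']
        New-Object psobject -Property @{
            Computer = $computer
            State    = $fields['STATE']
            ExitCode = $code
            Suspect  = ($code -eq 5)   # 5 (0x5) = Access Denied, the indicator from the post
        }
    }
}

# Constructed sample of "sc query sppsvc" output, to exercise the parser offline.
$sample = @(
    'SERVICE_NAME: sppsvc',
    '        TYPE               : 10  WIN32_OWN_PROCESS',
    '        STATE              : 1  STOPPED',
    '        WIN32_EXIT_CODE    : 5  (0x5)',
    '        SERVICE_EXIT_CODE  : 0  (0x0)'
)
$parsed = ConvertFrom-ScQuery -Lines $sample
"Sample exit code: $($parsed['WIN32_EXIT_CODE'])"

# Live check, for example: Get-SppsvcExitCode -ComputerName 'HOST1','HOST2'
```

Hosts reported with Suspect set to True are the ones showing the Access Denied exit code; a null Suspect means the query itself failed and the host needs a separate look.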