BUG - Constant disk read/write while Bitdefender is installed

13

Comments

  • Sergiu C.
    Sergiu C.
    edited October 2018


    36 minutes ago, svenohrberg said:



    Well, it's getting more and more weird. BitDefender did install via BitDefender Central, and it did keep my former settings, but now my PC is NOT showing up in BD Central? I have a 3 PC licens, and my laptop and my wife's laptop is there, but my gamerrig is gone. When looking at my account in my gamerrig, I can see that I'm using 3 products, but only 2 of them can now be seen in BD Central !?!



    Hi, 



    Please try again to login to the product on your PC:


    - open Bitdefender > click on My Account > click Switch Account and enter the credentials for your Bitdefender Central account. 



    As mentioned above by /index.php?/profile/7193-chrisj/&do=hovercard" data-mentionid="7193" href="<___base_url___>/index.php?/profile/7193-chrisj/" id="ips_uid_7346_12" rel="">@chrisj , the update is being released through regular update channels as well, the reinstallation is only used to force the app to update to the latest version sooner.


    This particular issue is not solved in this build (23.0.14.61) however. 


  • That did not help. "My subscriptions" shows 3/3 licens used, but only 2 computers shows up in "My devices".


    BTW why is my subscription showing "ACTIVE"? I don't have automatic renewal to my license??

    bitd1.png

    bitd2.png


  • Here is a pic of the 2 computernames on bitdefender-central and my computername, along with the facts, that I have used 3 licenses.


    If I want to clean install my gamerrig, when the new 1809 image is comming out, how do I disable the installation on the PC that is NOT showing in BitDefender central? If this is not disabled, I don't have any licence for the newinstalled windows allthough it is the same PC.


     

    bitd3.jpg

  • ricky1973
    ricky1973
    edited November 2018


    Hi everybody; I just updated BD2019 to the build 23.0.14.61; it looks like the problem of the topic' subject has not been solved yet; just for your knowledge... I hope this trouble will be solved soon.


  • Latest update just installed 23.0.14.61 has made no difference to this issue and it feels significantly sluggish especially at the boot process.



    On 10/9/2018 at 11:25 AM, CătălinC said:



    We have new build - 23.0.11.48


    Can we see what changes this version have?


    Thank you!



     

  • Green456
    Green456
    edited November 2018


    On 10/31/2018 at 11:54 AM, BDAlexS said:



    The feedback I'm getting is that the issue is BD with bitlocker enabled if people can confirm.



    Hi Alex,



    You was asking before regarding Process Monitor. Sorry for showing up so late. But anyways the problem is still here.


    Today I took some time to make screen shots and I could not reproduce the stack anymore where I saw the BitDefender module. It has disappeared.


    I did some more research and checked for anything wmiprvse.exe is doing while we have the christmas tree lightning in effect.


    I had the suspicion before that it was related to encrypted drives as it seems WMI is enumerating those drives at this stage and possibly retrieving whatever info it needs.


    I looked for any failed registry or file operation and on close examination it seems that the (Microsoft) executable is querying a for a registry value having the path HKLM\Software\Policies\Microsoft\New Key #1\RDVConfigureBDE, which seems to be located usually in HKLM\Software\Policies\Microsoft\FVE and not New Key #1. After creating the value as a REG_DWORD of 0 it stopped flickering. Here is more explanations about what this registry value does: https://blogs.technet.microsoft.com/askpfeplat/2013/06/09/how-to-enable-user-based-controlenforcement-of-bitlocker-on-removable-data-drives/.


    If one is using bitlocker to encrypt currently it is probably better to be careful and read it. Unfortunately I am relatively clueless about bitlocker.


    I have not yet had time to compare the procmon result to a system without bitdefender installed, when the problem does not show up, to check for example if the registry value reappears at that location after removing bit defender or if possibly wmiprvse.exe's registry path is correct, without going to "New Key #1".


    Maybe this could serve as another workaround that is more persistent. I will try now if it persists and update soon.



    Step 1: Start ProcMon.Exe (https://docs.microsoft.com/en-us/sysinternals/downloads/procmon)


    Step 2: Make sure to add wmiprvse.exe:


    bd1.thumb.jpg.794b1f2f37a124a84d87c83a391af785.jpg


    Step 3: Capture events by clicking on File -> Capture Events


    bd2.thumb.jpg.ad1b20bcaad711d35e43fcb214d38fcc.jpg


    bd3.jpg


    Update: After a reboot the workaround is indeed persistent. As said before take some precaution if you should be using Windows bitlocker to encrypt disk volumes, before making this change. For whatever reason the value set before under "New Key #1" is moving to the Policies\Microsoft\FVE key, where it seems it should go to originally. What is funny now is that I can control the lightning via this value, setting it to 0 and the lightning stops, setting it to 1 and it begins again. Now we could create some cool light effects with that method! ;)

  • Green456
    Green456
    edited November 2018


    Update 2: OK, all that New Key #1 stuff is not really needed. One can directly set HKLM\Software\Microsoft\Policies\Microsoft\FVE\RDVConfigureBDE to (REG_DWORD) 0.




    1. At first there was no FVE key on my system as below:


    reg1.thumb.jpg.ea0dfe24c12ad44269e78d0f79f0c04b.jpg


    2. Found a key not found error with procmon:


    reg2.thumb.jpg.1b6ba540c0486479d270b3b9ffacf326.jpg


    3. Created the FVE key that was not found before: reg3.thumb.jpg.15a7e22920ba0329542d6b9aca117cdb.jpg


    4. Now procmon looked like this, checking for a strange registry path, I think it is a problem with procmon itself! LOL very confusing:

    reg4.thumb.jpg.b7740de8a702203ce8e7fb32681b845c.jpg


    5. I Create the value in the correct FVE key:

    reg6.thumb.jpg.2ae0f19c242bc48065cb2841fcb8a127.jpg



    6. The drive access stops



    So no need to use "New Key #1". We can see in the procmon log that at first it opens the FVE key, then it queries a value (with a wrong path) and then the key is closed. Am not sure if that is procmon or maybe caused by BD. Procmon is resolving the existing registry handle into a path I guess at this stage and then appending a backslash and the value name RDVConfigureBDE.



    Another interesting test would be to see how this log looks without BD installed. If this New Key #1 thing exists too in procmon.


     


     

  • Green456
    Green456
    edited November 2018


    This behavior could be normal due to the way regedit creates keys. At first the key is created as "New Key #1" and then renamed to the desired name. Could be some caching issue in either bd or procmon or maybe procmon is not tracking the API call that renames it, leading to the invalid path in the procmon log.


     


    The default for this value is 1 by the way, if this value is not set. Setting it to 0 aborts whatever WMI is doing at this stage, regarding encrypted drive infos, causing the drive access to stop in turn. Just another workaround.

  • Green456
    Green456
    edited November 2018


    OK, now I took some more time and tested ProcMon.Exe on a system without BitDefender installed and if creating a new key with regedit the same "New Key #1" thing is shown. So this is a procmon problem with the way it resolves handles into paths and how regedit creates new keys, just wasn't fully aware of it.


  • Awesome research /index.php?/profile/215110-green456/&do=hovercard" data-mentionid="215110" href="<___base_url___>/index.php?/profile/215110-green456/" rel="">@Green456!


    Any comments from BD? 


    (Or will I get another moderator warning for this/post get deleted ?)

  • EJS
    EJS
    edited November 2018


    BD has no idea how to communicate with its customers, I think that is no different now....

  • hpw
    hpw
    edited November 2018


    On 11/3/2018 at 2:09 AM, Green456 said:



    This behavior could be normal due to the way regedit creates keys. At first the key is created as "New Key #1" and then renamed to the desired name. Could be some caching issue in either bd or procmon or maybe procmon is not tracking the API call that renames it, leading to the invalid path in the procmon log.


     


    The default for this value is 1 by the way, if this value is not set. Setting it to 0 aborts whatever WMI is doing at this stage, regarding encrypted drive infos, causing the drive access to stop in turn. Just another workaround.



     


    Well, tested this on my Labtop with HKLM\Software\Microsoft\Policies\Microsoft\FVE\RDVConfigureBDE to (REG_DWORD) 0 ...


    Any plug-in of USB Sticks gets ignored... :wacko:... removed the DWORD key and rebooted and now USB gets recognized again ..


    IMHO opinion, it's may a MS issue where the WMI gets into a loop.. BD should get in touch with MS as soon as possible while worldwide all disk gets :ph34r:


    Hp


     

  • Green456
    Green456
    edited November 2018


    3 hours ago, hpw said:



     


    Well, tested this on my Labtop with HKLM\Software\Microsoft\Policies\Microsoft\FVE\RDVConfigureBDE to (REG_DWORD) 0 ...


    Any plug-in of USB Sticks gets ignored... :wacko:... removed the DWORD key and rebooted and now USB gets recognized again ..


    IMHO opinion, it's may a MS issue where the WMI gets into a loop.. BD should get in touch with MS as soon as possible while worldwide all disk gets :ph34r:


    Hp


     



    Are you sure? All this does is stop WMI from looking for bitlocker protected devices. The drive should not disappear at all during this process. Was your thumb drive possibly bitlocker encrypted? Mine is still working. You can even change the key at run time without a reboot to turn the lights on and off. The detection of USB devices happens somewhere totally else and below, encryption is much more on top of this.



    Maybe BD has the time to compare both runs to see if there is any difference with wmiprvse.exe's behavior with BD installed and with BD uninstalled.



    Did anyone try a bitlocker encrypted thumb drive on BD?



    And yes, WMIPRVSE.EXE gets into a loop because it looks for encrypted drives (opening the device, sending some IO controls to the driver). It only does that if bitlocker is enabled, therefore no loop if value is set to 0.



  • 4 hours ago, Green456 said:



    Are you sure? All this does is stop WMI from looking for bitlocker protected devices. The drive should not disappear at all during this process. Was your thumb drive possibly bitlocker encrypted? Mine is still working. You can even change the key at run time without a reboot to turn the lights on and off. The detection of USB devices happens somewhere totally else and below, encryption is much more on top of this.



    Maybe BD has the time to compare both runs to see if there is any difference with wmiprvse.exe's behavior with BD installed and with BD uninstalled.



    Did anyone try a bitlocker encrypted thumb drive on BD?



    And yes, WMIPRVSE.EXE gets into a loop because it looks for encrypted drives (opening the device, sending some IO controls to the driver). It only does that if bitlocker is enabled, therefore no loop if value is set to 0.



    OK,


    New boot new behavior as using 1809 :D


    1. The USB stick is pure NTFS


    2.Applied the DWORD value again and reboot


    3. Did the test again and the USB gets recognized


    4. BUT the DISK READING was still present


    5. applied the WMI pause what helped me on my single SSD Disk


     Cheers


    Hp


     


     

  • Green456
    Green456
    edited November 2018


    3 hours ago, hpw said:



    OK,


    New boot new behavior as using 1809 :D


    1. The USB stick is pure NTFS


    2.Applied the DWORD value again and reboot


    3. Did the test again and the USB gets recognized


    4. BUT the DISK READING was still present


    5. applied the WMI pause what helped me on my single SSD Disk


     Cheers


    Hp


     



    Can you try to run procmon and upload a screenshot as I did? All file and registry access of WMIPRVSE.EXE. You should see any disk access. Just to make sure it is the same pattern of device IO controls repetitively being sent to the drive. Before the open/device, io control and close you should see that it checks if the mentioned value exists or is set to 1. That should not be OS dependent. Am using a USB thumb drive at this very moment too. Very strange. I used a Windows7 by the way. Can try later what happens on a Windows10.



  • 3 hours ago, hpw said:



    OK,


    New boot new behavior as using 1809 :D


    1. The USB stick is pure NTFS


    2.Applied the DWORD value again and reboot


    3. Did the test again and the USB gets recognized


    4. BUT the DISK READING was still present


    5. applied the WMI pause what helped me on my single SSD Disk


     Cheers


    Hp


     


     



    Hi HP,



    This is my bad. The correct path for the value is here:  HKLM\Software\Policies\Microsoft\FVE\RDVConfigureBDE and not HKLM\Microsoft\.



    I posted it incorrectly one time in one of the postings above.




    I just tried it with 1803 and it had the same problem (on my surface pro). This device has nothing installed except Office and Windows 10 (1803) and BD.



    I think if you try it with that registry path again it should work. Sorry :)



  • 14 hours ago, Green456 said:



    Hi HP,



    This is my bad. The correct path for the value is here:  HKLM\Software\Policies\Microsoft\FVE\RDVConfigureBDE and not HKLM\Microsoft\.



    I posted it incorrectly one time in one of the postings above.




    I just tried it with 1803 and it had the same problem (on my surface pro). This device has nothing installed except Office and Windows 10 (1803) and BD.



    I think if you try it with that registry path again it should work. Sorry :)



     


    Hi again,


    well I had the key already at this position....


    Also, started the latest Procmon even in admin mode and no events given.


    On my system 1809, 0.1% Disk activity seen on Taskmanager on Registry & System process. Added them by PID and showed no traces.


    May somethings is broken ... and behaviors are OS release dependent and may that's why BD has no solution while various issues are on varios OS releases... Just a guess.


    Hp


     


     


  • By 8 November, it will officially have been at least 2 months since the issue was first reported on this forum.


    Still no end in sight. <img class=" data-emoticon="" src="https://us.v-cdn.net/6031943/uploads/ipb_attachments/emoticons/default_angry.png" title=":angry:" />


  • same!


    Windows 10 home 64 Build 18.09, Bitdefender  Total Security 2019 Build 23.0.14.61 Engine 7.78132.

    When switch WLAN, or LAN on, vsserv.exe 30% CPU. When switch Wlan/Lan off, then vsserv.exe  0.13% CPU Last (!)

    restartwmi.bat not work.


    Firefox https to local printer not work. Certificat.  Install fake.cert not work.


    I am very disappointed.

    The fastest scanner in the test is now the slowest. Too bad.


     

  • Green456
    Green456
    edited November 2018


    12 hours ago, hpw said:



     


    Hi again,


    well I had the key already at this position....


    Also, started the latest Procmon even in admin mode and no events given.


    On my system 1809, 0.1% Disk activity seen on Taskmanager on Registry & System process. Added them by PID and showed no traces.


    May somethings is broken ... and behaviors are OS release dependent and may that's why BD has no solution while various issues are on varios OS releases... Just a guess.


    Hp


     


     



    Strange. Procmon works on Windows 10. At least up to Windows 10 (1803), I am sure the new build is supported too. Did you select "Capture events..." from the menu to start capturing? Did you set the filter correctly? Once you produce a trace we can see what is happening and if it is the same problem at all. Another poster above confirmed it is working.



  • On 11/6/2018 at 12:25 AM, Green456 said:



    Strange. Procmon works on Windows 10. At least up to Windows 10 (1803), I am sure the new build is supported too. Did you select "Capture events..." from the menu to start capturing? Did you set the filter correctly? Once you produce a trace we can see what is happening and if it is the same problem at all. Another poster above confirmed it is working.



    OK,


    have ProcMon now running.... and after setting FVE... :P


     


    1. HKLM\Software\Policies\Microsoft\FVE  = Success


    2. HKLM\SOFTWARE\Policies\Microsoft\FVE\AllowSystemVolumeEncryption = NAME NOT FOUND <img class=" data-emoticon="" src="https://us.v-cdn.net/6031943/uploads/ipb_attachments/emoticons/default_laugh.png" title=":lol:" />


     


    what do you have here? Also googled without success


     


    While running 1809 Pro...


     


    Cheers


    Hp


     


     


  • Hi, 



    We've released a new update that addresses this issue. the build number will not be changed, and the update has not been released to all our users yet, but we'll let you know once this has been done. 



    Thank you. 



  • 21 minutes ago, Sergiu C. said:



    Hi, 



    We've released a new update that addresses this issue. the build number will not be changed, and the update has not been released to all our users yet, but we'll let you know once this has been done. 



    Thank you. 



     


    You may have indeed a very strange development practice...


    >> the build number will not be changed,


    And how a turtle may identify what kind of fish we have :ph34r:


    Hp


  • Hello,


    I tried about an hour ago.


    Nothing has changed for me.


    I will try again tomorrow.


    Dan



  • 2 hours ago, hpw said:



     


    You may have indeed a very strange development practice...


    >> the build number will not be changed,


    And how a turtle may identify what kind of fish we have :ph34r:


    Hp



    An update without changing the build number?


    Huh??

  • jibi049
    edited November 2018


    What?! No build change ?


    You can at least change the last number to .62 or anything else but it's a nonsense to update a product without changing its version number. As a developer I'm a bit confused. Or you did some change to the scan engine ?


    More information would be welcome


  • I have tried again ... just in case.


    No changes, no changes at all.


    It is getting harder and harder to promote your products ...


    Dan, very disappointed Dan :(

    Capture.JPG

  • DAN57150
    DAN57150
    edited November 2018


    Hello,


    The problem is solved ... at last.


    That IS good news !


    Dan, happy Dan :)


  • The same for me


    Thank you for your work even if it was a bit long.


  • Hello, 



    We have started releasing the update to all our customers, you should receive it the next time Bitdefender checks for an update on your computer. The update requires a computer restart to be successfully installed.

     


    You can also follow these steps:


    - right click on the Bitdefender icon in the system tray


    - choose Update


    - once the update is completed restart your computer. 



    As mentioned, the build number will not be changing, as build changes are reserved for our major updates that occur about once per month. You can however check the version of the following file, to see if the update was installed on your PC:


     


    - go to C:\Program Files\Bitdefender\Bitdefender Security


    - look for the file called RansomwareRecoverAl.dll 


    - right click on it and choose Properties > Details


    - file version should be 23.0.14.62 


     


    Thank you! 



  • 1 hour ago, Sergiu C. said:



    Hello, 



    We have started releasing the update to all our customers, you should receive it the next time Bitdefender checks for an update on your computer. The update requires a computer restart to be successfully installed.

     


    You can also follow these steps:


    - right click on the Bitdefender icon in the system tray


    - choose Update


    - once the update is completed restart your computer. 



    As mentioned, the build number will not be changing, as build changes are reserved for our major updates that occur about once per month. You can however check the version of the following file, to see if the update was installed on your PC:


     


    - go to C:\Program Files\Bitdefender\Bitdefender Security


    - look for the file called RansomwareRecoverAl.dll 


    - right click on it and choose Properties > Details


    - file version should be 23.0.14.62 


     


    Thank you! 



     


    OK,  now removed the FVE stuff before SW update...


    1.  PC (Win10 1809) Updated and did get the new DLL dated from 8-Nov-2018 14:19


    2.  PC (win 10 1809) was a long time not online,


         - Updated and did not get the DLL yet


        - Then rebooted and updated, while requires at least the mentioned reboot


        - getting a very long restart screen .... :rolleyes:


        - log in and then mira mira... the nice stinking fish is gone forever :wub:


    hp


     


     



  • 1 hour ago, Sergiu C. said:



    Hello, 



    We have started releasing the update to all our customers, you should receive it the next time Bitdefender checks for an update on your computer. The update requires a computer restart to be successfully installed.

     


    You can also follow these steps:


    - right click on the Bitdefender icon in the system tray


    - choose Update


    - once the update is completed restart your computer. 



    As mentioned, the build number will not be changing, as build changes are reserved for our major updates that occur about once per month. You can however check the version of the following file, to see if the update was installed on your PC:


     


    - go to C:\Program Files\Bitdefender\Bitdefender Security


    - look for the file called RansomwareRecoverAl.dll 


    - right click on it and choose Properties > Details


    - file version should be 23.0.14.62 


     


    Thank you! 



     


    Just applied the update now via the tray icon. Can also confirm the issue appears to be resolved now.


  • Yes. Finally the constant read-bug is gone, farewell, and we will NOT miss you!


    BitDefender is back on track :-)


  • I can also confirm that it's fixed - tested before & after with an external HD on 5 computers, Win7 & Win10.


  • is this update addressing only this bug or any chance it will also fix other issues? (like not able to scan/print)



  • 13 minutes ago, RKL said:



    is this update addressing only this bug or any chance it will also fix other issues? (like not able to scan/print)



    It also addresses an issue related to viewing the scan log, though I haven't seen any reports on the forum, no other fixes. 



    We did have an issue with canon printers but that was fixed in a previous update. 



    I see you have a different issue for the print issue, I will reply there with more details on potential solutions. 



    Thanks!



  • 1 hour ago, coldlinks@mail.com said:



     


    Just applied the update now via the tray icon. Can also confirm the issue appears to be resolved now.



     



    34 minutes ago, svenohrberg said:



    Yes. Finally the constant read-bug is gone, farewell, and we will NOT miss you!


    BitDefender is back on track :-)



     



    32 minutes ago, chrisj said:



    I can also confirm that it's fixed - tested before & after with an external HD on 5 computers, Win7 & Win10.



    Thank you all for confirming! 

  • komtur
    komtur ✭✭
    edited November 2018


    OK. The problem is resolved after update and restart. But build number in my case is still 23.0.14.61;)


    I haven't read exactly from this happiness. It's about the version of a particular file. Everything is fine. :D


  • Good about time  I can now stop using Linux. Perhaps we can have two months or more free added to our licenses eh?


  • Just got the update and the problem is resolved! Good job!



    PS: Can you re-enable the bug for the 24st of December? To have some christmas lightning effect??



  • 10 hours ago, BDAlexS said:



    Good about time  I can now stop using Linux. Perhaps we can have two months or more free added to our licenses eh?



    Hi, 



    Yes, this is something that we wanted to do. Please send me a private message with your email address for the Bitdefender Central account, and ticket ID (if you had opened one), and I will make sure this happens. 



    Thanks! 


  • I can also confirm that the update has stopped the "Constant Disk Read/Write" issue.  Thank you.



    9 hours ago, Sergiu C. said:



    Hi, 



    Yes, this is something that we wanted to do. Please send me a private message with your email address for the Bitdefender Central account, and ticket ID (if you had opened one), and I will make sure this happens. 



    Thanks! 



    So are we all going to get 2 Months added to our licenses or just some of us?


    Again thank you fixing this issue.


  • I followed Sergiu's directions and received immediate, favorable response.


     


  • .. also recieved 3 month to licence, fair enough after all this troubles


     


    thanks!



  • 15 hours ago, Doug said:



    I followed Sergiu's directions and received immediate, favorable response.


     



    Hi,


    This may be a stupid question but I did not find how to send a private message to Sergiu as he suggested ?... :(


    Thanks in advance for an helpful answer !


  • Hello,


    You sign in


    You click on Sergiu's avatar (B)


    You click on "message" ...


    Dan

    Capture.JPG


  • I have send Sergiu a PM yesterday with my emailadress used in my license and in BitDefender Central, but there is not anything added to my account. Still 129 days left. Why is it only some people getting this?



  • 2 minutes ago, svenohrberg said:



    I have send Sergiu a PM yesterday with my emailadress used in my license and in BitDefender Central, but there is not anything added to my account. Still 129 days left. Why is it only some people getting this?



    I only sent mine yesterday too, and have not had a response either..

    But seriously man - it's the weekend and people live in different timezones! - I don't expected it to be sorted for a little while this is an admin task. People are allowed weekends off.

    You've still got 129 days so I can't imagine why you think it's urgent.


  • The additional time showed up immediately in BD Central, but took another day to show up in "My Account" on the dashboard. Looks like one sys had to sync with another. Check BD Central first.

This discussion has been closed.