[Win7SP1 x64] BSOD while using Android Emulators

MoonWalker

Hello gentlemen. I'm having a lot of issues lately while running Android emulators. I already tried 2 different emulators (running multiple instances of them) and after a short while a BSOD appears. I have various friends using both emulators and they never have issues, so I assume it is something that has to do with my system.

Here you can see 4 bluescreens (with the error codes that appeared) that my laptop has shown so far: Screenshot by Lightshot


Some information that might be useful: when I decreased the amount of RAM given to each instance of the emulator (I created 6 instances of them; I usually have 5 or 6 running) from 1024 MB to 512 MB, it took more time to BSOD (like 1 hour, instead of 5 minutes).


· OS: Windows 7 SP1 X64
· Is the OS an OEM version (came pre-installed on system) or full retail version (YOU purchased it from retailer)?: W7 installed by me, updated to SP1 via windows update
· Age of system (hardware): I think 5 years
· Age of OS installation: I think 1.5 years

Laptop model: HP-Dv76c43cl (disk updated from HDD to before OS installation). I use 2 monitors plugged to the laptop (one on the HDMI and other one on the VGA port), and I don't use the laptop monitor
· RAM: 16 gb
· CPU: intel i7-26700QM
· Video Card: Intel HD Graphics 3000

After running the Sysnative BSOD Dump, it got stuck here (after waiting 40 min). So I manually zipped the files; they are attached down here.

Files:
Dropbox - SysnativeFileCollectionApp.rar


I'll be looking forward to your response, have a great day! :)
 
Re: BSOD while using Android Emulators

This looks suspicious
Code:
3: kd> knL
 # Child-SP          RetAddr           Call Site
00 fffff880`70ec52e8 fffff800`0307cf29 nt!KeBugCheckEx
01 fffff880`70ec52f0 fffff800`0307bba0 nt!KiBugCheckDispatch+0x69
02 fffff880`70ec5430 fffff800`03093694 nt!KiPageFault+0x260
03 fffff880`70ec55c0 fffff800`03071683 nt!IopCompleteRequest+0xc64
04 fffff880`70ec5690 fffff800`03082e3d nt!KiDeliverApc+0x1e3
05 fffff880`70ec5710 fffff800`0308545f nt!KiCommitThreadWait+0x3dd
06 fffff880`70ec57a0 fffff880`0a979749 nt!KeWaitForSingleObject+0x19f
07 fffff880`70ec5840 fffffa80`123e6400 natsec+0x4749
08 fffff880`70ec5848 fffff880`00000000 0xfffffa80`123e6400
09 fffff880`70ec5850 00000000`00000000 0xfffff880`00000000


3: kd> lmvm natsec
Browse full module list
start             end                 module name
fffff880`0a975000 fffff880`0a983000   natsec   T (no symbols)           
    Loaded symbol image file: natsec.sys
    Image path: \??\C:\Windows\natsec.sys
    Image name: natsec.sys
    Browse all global symbols  functions  data
    Timestamp:        Wed Jul  5 17:23:58 2017 (595D048E)
    CheckSum:         00013DB0
    ImageSize:        0000E000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
I can't find anything about this driver.
Unless I'm wrong and looking in the wrong direction, this kind of drivers don't use file properties and I don't assume you know what this driver belongs to?, so I would suggest to visit our Security Arena.
 
Re: BSOD while using Android Emulators

Hello axe0, and thanks for your response

"this kind of drivers don't use file properties and I don't assume you know what this driver belongs to?"

The fact that they don't use file properties, Q1) means that they couldn't cause the BSOD? (Sorry, I didn't get the idea.) And you're right: I don't know what natsec.sys belongs to.

Q2) Maybe the emulators installed something that has to do with this?

Q3) Is there a way to stop or disable this service? (natsec.sys) to see if I still get the BSOD without it


I would suggest to visit our Security Arena.

I sometimes scan the PC with Avira and Malwarebytes, with no threats found (I think the last scan was 2-3 months ago). But I just ran another scan with Malwarebytes and this was found:

Maybe it has something to do with the issue (all these files are already deleted).


I'm at your disposal for the next step axe0 :)
 
Re: BSOD while using Android Emulators

This driver is likely the cause of the crashes, not definitively, since we can only provide the most likely cause.

If the file properties of the driver are empty, it usually indicates malware; malware doesn't use signatures, to stay more off the radar.

Have you checked the file properties of this driver?

Note about 'this kind of drivers'. I'm only making an assumption it may be malware related. I don't have any actual proof that it truly is malware.
 
Re: BSOD while using Android Emulators

A driver which is placed in the Windows directory itself is never a good one.
It also loads at the highest position, right after BlueStacks (Android emulator).
The minidumps are too small to tell more about it, nor some piece of code :\
 
Re: BSOD while using Android Emulators

I really appreciate your help axe0 and MichaelB.


Have you checked the file properties of this driver?

Q) How can I check this?



What I did was search for natsec in regedit; this is what I found:


What do you think, gentlemen? Might this be another piece that could help us unveil the mystery?
 
Re: BSOD while using Android Emulators

Go to C:\Windows, locate the file natsec.sys, right click on it and choose properties.
In the properties, go to the tab 'Details', make a screenshot of it and post it.
 
Re: BSOD while using Android Emulators

I have selected "Show hidden files, folders, and drives", but the file doesn't appear in C:\Windows. Weird.

What do you recommend axe0?
 
Re: BSOD while using Android Emulators

Thanks softwaremaniac for your reply! The box was checked, so I unchecked it, but the file still doesn't appear.


What do you think might be the cause?
 
Re: BSOD while using Android Emulators

I really appreciate your help axe0 and MichaelB.


Have you checked the file properties of this driver?

Q) How can I check this?



What I did was search for natsec in regedit; this is what I found:


What do you think, gentlemen? Might this be another piece that could help us unveil the mystery?

As the "Service" gets started manually or started by another piece of software, I guess it's a virtual driver.

Maybe you configured neo_vpn, which I also found, to establish a gate or whatever.
You can disable this natsec.sys by changing Start to 4 in the shown Registry-path or try to uninstall neo_vpn

Do you need neo_vpn?
https://www.softether.org/5-download
 
Re: BSOD while using Android Emulators

Interesting MichaelB,

Maybe you configured neo_vpn, which I also found, to establish a gate or whatever.
I don't use neo_vpn. I use a Chinese VPN: 掘金网 - 挂机宝, 无极VPN, 变机宝, intranet screen wall, screen synchronization expert, LAN management, software development, game studio. The VPN works in conjunction with all the emulator instances.
Q) Do you think this might be the issue Michael?



You can disable this natsec.sys by changing Start to 4 in the shown Registry-path or try to uninstall neo_vpn
This might work MichaelB. Should I change this path to the number "4" and that's it?


try to uninstall neo_vpn
It's not an installer but a .exe file (portable I think)




Useful information:
I just opened the VPN + the emulator instances, and after that I went to see if natsec.sys was created in C:\Windows, but it wasn't. The funny thing is that after a couple of minutes the BSOD appeared again, even though I didn't see the natsec.sys file created. So I assume maybe the BSOD appears when this file is created (and that's why I didn't see it).

Here are the files:
Dropbox - SysnativeFileCollectionApp (1).rar




Good Tuesday!
 
Re: BSOD while using Android Emulators

Hi,
I mean, change the value of Start from 3 to 4 :huh:

However, I guess there is something in your system I wouldn't trust.

This belongs to Microsoft and usually is signed by Microsoft, and for a patched Win7 up to current

fffff880`0ee00000 fffff880`0ee71000 spsys spsys.sys Mon May 11 19:20:58 2009 (4A085E7A)

Although loaded, it shows no header!
Code:
2: kd> lmvm spsys
Browse full module list
start             end                 module name
fffff880`0ee00000 fffff880`0ee71000   spsys      (deferred)             
    Image path: \SystemRoot\system32\drivers\spsys.sys
    Image name: spsys.sys
    Browse all global symbols  functions  data
    Timestamp:        Mon May 11 19:20:58 2009 (4A085E7A)
    CheckSum:         00072214
    ImageSize:        00071000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
sic!

On a not tampered(?) file / recent dump, it comes out with the complete header

Code:
0: kd> lmvm spsys
Browse full module list
start             end                 module name
fffff880`0945e000 fffff880`094cf000   spsys      (deferred)             
    Image path: \SystemRoot\system32\drivers\spsys.sys
    Image name: spsys.sys
    Browse all global symbols  functions  data
    Timestamp:        Mon May 11 19:20:58 2009 (4A085E7A)
    CheckSum:         00072214
    ImageSize:        00071000
    File version:     6.1.7127.0
    Product version:  6.1.7127.0
    File flags:       8 (Mask 3F) Private
    File OS:          40004 NT Win32
    File type:        3.0 Driver
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     spsys.sys
    OriginalFilename: spsys.sys
    ProductVersion:   6.1.7127.0
    FileVersion:      6.1.7127.0 (fbl_security_bugfix(sepbld-s).090511-0943)
    FileDescription:  security processor
    LegalCopyright:   © Microsoft Corporation. All rights reserved.

neo_vpn is loaded too :huh:

Code:
2: kd> lmDvmneo_vpn
Browse full module list
start             end                 module name
fffff880`04c85000 fffff880`04c91000   neo_vpn    (deferred)             
    Image path: \SystemRoot\system32\DRIVERS\neo_vpn.sys
    Image name: neo_vpn.sys
    Browse all global symbols  functions  data
    Timestamp:        Fri Jul 15 15:18:06 2016 (5788E28E)
    CheckSum:         000112F1
    ImageSize:        0000C000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

At this time I would stay away from the Chinese VPN if possible and try another, as it seems to crash your system whenever it starts. By the way, it seems to be WeChat, the popular WhatsApp there, and I would not trust these little things. :thumbsdown2:
Nor can I read where to download :noidea:

If anyone has other findings for this dump, tell us pls.
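
Added example (not part of the original posts and not Sysnative tooling): a small Python triage of the `lmvm` records quoted in this thread that flags modules whose image path lies outside \SystemRoot\system32\drivers, the same observation made above about natsec.sys. The expected-directory rule and the assumption that \??\C:\Windows is the system root belong to this example; a hit means "review this file", not a malware verdict.

```python
import re

# lmvm records copied from the WinDbg output quoted in this thread, trimmed to the fields used.
LMVM_OUTPUT = r"""
3: kd> lmvm natsec
fffff880`0a975000 fffff880`0a983000   natsec   T (no symbols)
    Image path: \??\C:\Windows\natsec.sys
    Timestamp:        Wed Jul  5 17:23:58 2017 (595D048E)
2: kd> lmvm spsys
fffff880`0ee00000 fffff880`0ee71000   spsys      (deferred)
    Image path: \SystemRoot\system32\drivers\spsys.sys
    Timestamp:        Mon May 11 19:20:58 2009 (4A085E7A)
2: kd> lmDvmneo_vpn
fffff880`04c85000 fffff880`04c91000   neo_vpn    (deferred)
    Image path: \SystemRoot\system32\DRIVERS\neo_vpn.sys
    Timestamp:        Fri Jul 15 15:18:06 2016 (5788E28E)
"""

# Assumption of this example: kernel drivers are expected under this directory.
EXPECTED_DIR = "\\systemroot\\system32\\drivers\\"
RANGE = re.compile(r"^([0-9a-f]{8}`[0-9a-f]{8})\s+([0-9a-f]{8}`[0-9a-f]{8})\s+(\S+)", re.I)
FIELD = re.compile(r"^\s+([A-Za-z ]+?):\s+(.*\S)\s*$")

def parse_lmvm(text):
    """Return one dict per module: name, address range and its 'Key: value' fields."""
    modules = []
    for line in text.splitlines():
        m, f = RANGE.match(line), FIELD.match(line)
        if m:
            modules.append({"name": m.group(3), "start": m.group(1), "end": m.group(2)})
        elif modules and f:
            modules[-1][f.group(1)] = f.group(2)
    return modules

def outside_driver_dir(module):
    """True when the image path is not under the expected driver directory."""
    path = module.get("Image path", "").lower()
    # Normalise the \??\C:\Windows spelling so both path forms compare equal.
    path = re.sub(r"^\\\?\?\\[a-z]:\\windows", r"\\systemroot", path)
    return not path.startswith(EXPECTED_DIR)

def triage(text):
    return [(m["name"], m.get("Image path"), m.get("Timestamp"))
            for m in parse_lmvm(text) if outside_driver_dir(m)]

if __name__ == "__main__":
    for name, path, stamp in triage(LMVM_OUTPUT):
        print(f"review: {name}  {path}  built {stamp}")
```
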
 
Thanks MichaelB!,

I mean, change the value of Start from 3 to 4 :huh:

However, I guess there is something in your system I wouldn't trust.

This belongs to Microsoft and usually is signed by Microsoft, and for a patched Win7 up to current

fffff880`0ee00000 fffff880`0ee71000 spsys spsys.sys Mon May 11 19:20:58 2009 (4A085E7A)

Although loaded, it shows no header!

Sorry, I didn't get this (I don't understand what's happening there). Q) Is this something wrong with my system beyond the Chinese VPN, or is the Chinese VPN responsible?

--------------------

I just tested it today without the Chinese VPN and no BSOD so far. I'll give it a try for a longer time and I'll let you know what happens :)
 
Re: BSOD while using Android Emulators

3: kd> lmvm natsec
Browse full module list
start end module name
fffff880`0a975000 fffff880`0a983000 natsec T (no symbols)
Loaded symbol image file: natsec.sys
Image path: \??\C:\Windows\natsec.sys
Image name: natsec.sys
Browse all global symbols functions data
Timestamp: Wed Jul 5 17:23:58 2017 (595D048E)
CheckSum: 00013DB0
ImageSize: 0000E000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
I can't find anything about this driver.
Unless I'm wrong and looking in the wrong direction, this kind of drivers don't use file properties and I don't assume you know what this driver belongs to?, so I would suggest to visit our Security Arena.

I can't find any info on this driver either. Could it be dynamically allocated? (created by an app as it executes; then the driver disappears when finished).

@ MoonWalker - go to \windows\system32\drivers, look for natsec.sys and see what the Properties tab + Detail tabs say. Any company information? This is of course only if you find the file.

Also, bring up an Admin CMD prompt; copy/paste this command into it:
Code:
cd\ & where /r c:\ /f /t natsec.sys >0 & start notepad 0
A Notepad will open. If it contains anything, copy/paste it into your post. If it's blank, please be sure to tell us.

The WHERE command you're running may appear to hang (cursor on next line; blinking; screen appears frozen), but it's not. Sometimes, it can take 15-30 minutes to search your system for a single file. So give it at least 30 minutes (if it appears to be "hanging").

EDIT: Give it an hour if necessary. I just ran a test on my system (core i7; 12 GB RAM) and it took 47 minutes for the WHERE command search to complete. Make sure the VPN is on.

I need the Sysnative/jcgriff2 app output zip file but am having trouble getting it from Dropbox.

Please ATTACH it to your next post.

Run Driver Verifier. Be sure to have the VPN on if you believe that to be the origin of natsec.sys.

Driver Verifier - BSOD related - Windows 10, 8.1, 8, 7 & Vista

D/V must run for 24 hours minimum or until BSOD. If BSOD occurs, get the dump (\windows\minidump); copy to Documents; zip it up and ATTACH to post.

Regards. . .

jcgriff2
 