TechSpot

"Ntoskrnl.exe" has changed since the last time you opened it' - ?

By ms13381
Sep 21, 2006
  1. I keep on getting the following message from my firewall (Sygate 5.6) at startup:

    "Ntoskrnl.exe" has changed since the last time you opened it. This could be
    because you have updated it recently. Do you want to allow it access to the
    network?


    Detailed information from the firewall:

    The executable has changed since the last time you used: C:\WINDOWS\System32\ntoskrnl.exe
    File Version : 5.1.2600.1634
    File Description : Jądro i system NT
    File Path : C:\WINDOWS\System32\ntoskrnl.exe
    Process ID : 0x4 (Heximal) 4 (Decimal)

    Connection origin : local initiated
    Protocol : UDP
    Local Address : 10.0.0.26
    Local Port : 138
    Remote Name :
    Remote Address : 10.0.0.255
    Remote Port : 138 (NETBIOS-DGM - Browsing datagram responses of NetBIOS over TCP/IP)

    Ethernet packet details:
    Ethernet II (Packet Length: 244)
    Destination: ff-ff-ff-ff-ff-ff
    Source: 00-15-f2-9e-42-0a
    Type: IP (0x0800)
    Internet Protocol
    Version: 4
    Header Length: 20 bytes
    Flags:
    .0.. = Don't fragment: Not set
    ..0. = More fragments: Not set
    Fragment offset:0
    Time to live: 128
    Protocol: 0x11 (UDP - User Datagram Protocol)
    Header checksum: 0xd723 (Correct)
    Source: 10.0.0.26
    Destination: 10.0.0.255
    User Datagram Protocol
    Source port: 138
    Destination port: 138
    Length: 8
    Checksum: 0xaf57 (Correct)
    Data (196 Bytes)
    Binary dump of the packet:
    0000: FF FF FF FF FF FF 00 15 : F2 9E 42 0A 08 00 45 00 | ..........B...E.
    0010: 00 D8 01 26 00 00 80 11 : 23 D7 0A 00 00 1A 0A 00 | ...&....#.......
    0020: 00 FF 00 8A 00 8A 00 C4 : 57 AF 11 02 80 0D 0A 00 | ........W.......
    0030: 00 1A 00 8A 00 AE 00 00 : 20 45 4E 45 42 46 43 46 | ........ ENEBFCF
    0040: 45 45 42 43 41 43 41 43 : 41 43 41 43 41 43 41 43 | EEBCACACACACACAC
    0050: 41 43 41 43 41 43 41 41 : 41 00 20 45 4E 46 44 45 | ACACACAAA. ENFDE
    0060: 49 45 50 45 4E 45 46 43 : 41 43 41 43 41 43 41 43 | IEPENEFCACACACAC
    0070: 41 43 41 43 41 43 41 43 : 41 42 4F 00 FF 53 4D 42 | ACACACACABO..SMB
    0080: 25 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | %...............
    0090: 00 00 00 00 00 00 00 00 : 00 00 00 00 11 00 00 14 | ................
    00A0: 00 00 00 00 00 00 00 00 : 00 E8 03 00 00 00 00 00 | ................
    00B0: 00 00 00 14 00 56 00 03 : 00 01 00 01 00 02 00 25 | .....V.........%
    00C0: 00 5C 4D 41 49 4C 53 4C : 4F 54 5C 42 52 4F 57 53 | .\MAILSLOT\BROWS
    00D0: 45 00 08 01 20 0F 01 10 : 1A 5C 00 00 00 00 00 00 | E... ....\......
    00E0: 4D 41 52 54 41 00 20 4D : 6F 7A 69 6C 6C 61 2F 34 | MARTA. Mozilla/4
    00F0: 2E 30 20 28 : | .0 (

    I also used to have random BSODs and restarts, and minidump files refer to ntoskrnl.exe as well. I've just done a full reinstallation of Win XP and I had one restart so far and keep getting this message from the firewall at startup.

    Could anyone explain what it means?
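The binary dump in the post above decoded layer by layer, as an added example that is not part of the thread. It reads the hex column of the dump, walks Ethernet II, IPv4, UDP, the NetBIOS datagram header (RFC 1002), the SMB_COM_TRANSACTION mailslot write (MS-CIFS) and the Browser frame inside it (MS-BRWS). Everything it asserts comes from the bytes in the post; the opcode and name-suffix tables are the protocol's published values, and the field names are mine.

```python
"""Decode the Sygate packet dump from the post above (added example, not from the thread).
Layouts follow RFC 1002 (NetBIOS datagram), MS-CIFS (SMB_COM_TRANSACTION) and MS-BRWS."""
import struct

# Binary dump copied verbatim from the post; only the hex column is used.
DUMP = r"""
0000: FF FF FF FF FF FF 00 15 : F2 9E 42 0A 08 00 45 00 | ..........B...E.
0010: 00 D8 01 26 00 00 80 11 : 23 D7 0A 00 00 1A 0A 00 | ...&....#.......
0020: 00 FF 00 8A 00 8A 00 C4 : 57 AF 11 02 80 0D 0A 00 | ........W.......
0030: 00 1A 00 8A 00 AE 00 00 : 20 45 4E 45 42 46 43 46 | ........ ENEBFCF
0040: 45 45 42 43 41 43 41 43 : 41 43 41 43 41 43 41 43 | EEBCACACACACACAC
0050: 41 43 41 43 41 43 41 41 : 41 00 20 45 4E 46 44 45 | ACACACAAA. ENFDE
0060: 49 45 50 45 4E 45 46 43 : 41 43 41 43 41 43 41 43 | IEPENEFCACACACAC
0070: 41 43 41 43 41 43 41 43 : 41 42 4F 00 FF 53 4D 42 | ACACACACABO..SMB
0080: 25 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | %...............
0090: 00 00 00 00 00 00 00 00 : 00 00 00 00 11 00 00 14 | ................
00A0: 00 00 00 00 00 00 00 00 : 00 E8 03 00 00 00 00 00 | ................
00B0: 00 00 00 14 00 56 00 03 : 00 01 00 01 00 02 00 25 | .....V.........%
00C0: 00 5C 4D 41 49 4C 53 4C : 4F 54 5C 42 52 4F 57 53 | .\MAILSLOT\BROWS
00D0: 45 00 08 01 20 0F 01 10 : 1A 5C 00 00 00 00 00 00 | E... ....\......
00E0: 4D 41 52 54 41 00 20 4D : 6F 7A 69 6C 6C 61 2F 34 | MARTA. Mozilla/4
00F0: 2E 30 20 28 : | .0 (
"""

BROWSER_OPCODES = {0x01: "HostAnnouncement", 0x02: "AnnouncementRequest", 0x08: "RequestElection",
                   0x09: "GetBackupListRequest", 0x0A: "GetBackupListResponse", 0x0B: "BecomeBackup",
                   0x0C: "DomainAnnouncement", 0x0D: "MasterAnnouncement", 0x0E: "ResetBrowserState",
                   0x0F: "LocalMasterAnnouncement"}
NB_SUFFIXES = {0x00: "workstation", 0x1B: "domain master browser", 0x1D: "master browser",
               0x1E: "browser elections", 0x20: "file server"}

def parse_dump(text: str) -> bytes:
    """Turn 'OFFSET: xx xx ... : xx xx | ascii' lines into raw bytes."""
    out = bytearray()
    for line in text.splitlines():
        if ":" not in line:
            continue
        hex_part = line.split("|", 1)[0].split(":", 1)[1]   # drop offset and ASCII column
        out.extend(int(tok, 16) for tok in hex_part.split() if tok != ":")
    return bytes(out)

def decode_nb_name(encoded: str):
    """First-level decoding (RFC 1001): each byte is two nibbles, each sent as 'A' + nibble."""
    raw = bytes(((ord(encoded[i]) - 65) << 4) | (ord(encoded[i + 1]) - 65) for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]   # 15-char name, 16th byte is the suffix

def read_nb_name(buf: bytes, off: int):
    """Parse one length-prefixed, NUL-terminated 32-char encoded name; return (name, suffix), next offset."""
    if buf[off] != 32 or buf[off + 33] != 0:
        raise ValueError("unexpected NetBIOS name encoding at offset %d" % off)
    return decode_nb_name(buf[off + 1:off + 33].decode("ascii")), off + 34

def decode_frame(frame: bytes) -> dict:
    r = {}
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])          # Ethernet II
    r["eth"] = (dst.hex("-"), src.hex("-"), ethertype)
    ihl = (frame[14] & 0x0F) * 4                                         # IPv4
    total_len = struct.unpack("!H", frame[16:18])[0]
    r["ip"] = (".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34])), frame[23])
    r["ip_total_length"] = total_len
    # Sygate dumped 244 bytes, but the frame is 14 + total_len; the rest is stale buffer content.
    r["trailing_bytes"] = len(frame) - (14 + total_len)
    frame = frame[:14 + total_len]
    udp = 14 + ihl                                                       # UDP
    sport, dport, ulen, cksum = struct.unpack("!HHHH", frame[udp:udp + 8])
    r["udp"], r["udp_length"], r["udp_checksum"] = (sport, dport), ulen, cksum
    nb = udp + 8                                                         # NetBIOS datagram header
    msg_type = struct.unpack("!BBH4sHHH", frame[nb:nb + 14])[0]
    r["nb_msg_type"] = msg_type                                          # 0x11 = DIRECT_GROUP datagram
    r["source_name"], off = read_nb_name(frame, nb + 14)
    r["dest_name"], off = read_nb_name(frame, off)
    r["dest_suffix"] = NB_SUFFIXES.get(r["dest_name"][1], "unknown")
    smb = off                                                            # SMB header, 32 bytes
    if frame[smb:smb + 4] != b"\xffSMB":
        raise ValueError("no SMB header at offset %d" % smb)
    r["smb_command"] = frame[smb + 4]                                    # 0x25 = SMB_COM_TRANSACTION
    word_count = frame[smb + 32]
    words = frame[smb + 33:smb + 33 + 2 * word_count]
    fixed = struct.unpack("<HHHHBBHIHHHHHBB", words[:28])                # 14 fixed words
    timeout, data_count, data_off, setup_count = fixed[7], fixed[11], fixed[12], fixed[13]
    r["smb_timeout_ms"] = timeout
    r["mailslot_setup"] = struct.unpack("<%dH" % setup_count, words[28:28 + 2 * setup_count])
    bc = smb + 33 + 2 * word_count
    byte_count = struct.unpack("<H", frame[bc:bc + 2])[0]
    r["mailslot"] = frame[bc + 2:bc + 2 + byte_count].split(b"\0", 1)[0].decode("ascii")
    data = frame[smb + data_off:smb + data_off + data_count]             # Browser frame (MS-BRWS)
    r["browser_opcode"] = data[0]
    r["browser_opcode_name"] = BROWSER_OPCODES.get(data[0], "unknown")
    if data[0] == 0x08:   # RequestElection: version(1), criteria(4), uptime(4), unused(4), server name
        version, criteria, uptime = struct.unpack("<BII", data[1:10])
        r["election"] = {"version": version, "criteria": criteria, "uptime": uptime}
        r["server_name"] = data[14:].split(b"\0", 1)[0].decode("ascii")
    return r

if __name__ == "__main__":
    for key, value in decode_frame(parse_dump(DUMP)).items():
        print(f"{key:20} {value}")
```

What the decode shows: a 230-byte frame (14 + IP total length 216) followed by 14 bytes of unrelated buffer content (" Mozilla/4.0 ("), a NetBIOS direct-group datagram from MARTA<00> to the workgroup election name MSHOME<1E>, carrying an SMB mailslot write to \MAILSLOT\BROWSE whose payload is browser opcode 0x08, RequestElection. That is ordinary Computer Browser election traffic broadcast on the local subnet, and because it is emitted from kernel mode over NetBT the firewall attributes it to PID 4 (System) and names ntoskrnl.exe. Two display quirks are visible too: Sygate prints the UDP checksum byte-swapped (0xaf57 against 57 AF on the wire) and reports a UDP length of 8 where the header says 196.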
     
  2. Vigilante

    Vigilante TechSpot Paladin Posts: 1,666

    Have you been doing any updates? Especially a service pack? If you just reloaded, and are doing updates, you might just allow it.
    As far as I know, that file isn't supposed to change. If you suspect virus activity already, try running an online scan from www.bitdefender.com.
     
  3. ms13381

    ms13381 TS Rookie Topic Starter

    Hello,
    I've just installed my XP yesterday and done some critical updates (no SP2 yet), but it appears each time I turn on my computer. I also checked and found 6 (!) files called "ntoskrnl.exe" in my computer - could there be a virus that pretends to be ntoskrnl.exe?


    I keep on having BSODs or restarts connected somehow with ntoskrnl.exe (even after formatting my HD and reinstalling WinXP), so I have no idea what it is.
     
  4. Vigilante

    Vigilante TechSpot Paladin Posts: 1,666

    That picture is too small to read.

    Please attach a ZIP of your 5 or so recent minidumps. It is normal to have a few copies of any particular system file, for backups and restore data etc...

    Also, a crash might blame ntoskrnl even though it's really something else, such as bad RAM or a bad hard drive.

    Scan your RAM with memtest86, and run the hard drive test from your hard drive manufacturer's web site.
     
  5. ms13381

    ms13381 TS Rookie Topic Starter

    Dumps from before the re-install are here (I kept copies):
    http://rapidshare.de/files/33974478/Minidump.zip.html

    Sorry about the picture, it looked OK. I attached it to this post.

    I scanned my RAM (memtest, Prime95) and no errors were found. I checked the hard drive but only with checkdisk so I'll try with something else...
     
  6. Vigilante

    Vigilante TechSpot Paladin Posts: 1,666

    The copies of ntoskrnl look legit. The system32 version is the real one. The Driver Cache one is for Windows File Protection backup. The other 4 look like they're indeed from patches. Unless I'm missing something, I think you're fine there.

    Next, I only had time to check one minidump, for now. But make sure your CPU is running at a good temperature and not getting hot. Then look for a newer BIOS upgrade from your motherboard manufacturer. Specifically if a new BIOS has a "microcode" update.
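The check made above by eye, done with hashes, as an added example that is not from the thread. It finds every file with the kernel's name under a root, hashes each copy and classifies it against the live System32 copy. Its assumptions are labelled in the code: the running kernel is WINDOWS\System32\ntoskrnl.exe, the Windows File Protection backups (dllcache, Driver Cache) should be byte-identical to it, and hotfix uninstall folders ($NtUninstall...) keep the previous build and are expected to differ. The sample tree it builds is constructed placeholder content, not kernel images.

```python
"""Group every copy of a system file by SHA-256 (added example, not from the thread).
Assumptions, labelled: the live copy is WINDOWS\\System32\\<name>; Windows File Protection
keeps byte-identical backups (dllcache / Driver Cache); hotfix uninstall folders
($NtUninstall...) keep the previous build and are expected to differ."""
import hashlib
import tempfile
from pathlib import Path

LIVE_REL = "WINDOWS/System32/ntoskrnl.exe"   # assumed location of the running kernel
EXPECTED_OLD_DIRS = ("$ntuninstall",)         # hotfix backups, expected to be an older build


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copies(root: Path, name: str) -> list:
    """Every regular file named <name> (case-insensitive) under root."""
    return sorted(p for p in root.rglob("*") if p.is_file() and p.name.lower() == name.lower())


def classify(root: Path, name: str, live_rel: str = LIVE_REL) -> list:
    """Return (relative path, short digest, status) for each copy found."""
    live = (root / live_rel).resolve()
    live_hash = sha256_of(live)
    report = []
    for p in find_copies(root, name):
        rel = p.relative_to(root).as_posix()
        digest = sha256_of(p)
        if p.resolve() == live:
            status = "live"
        elif digest == live_hash:
            status = "same-as-live"                  # WFP backup or an already-applied copy
        elif any(d in rel.lower() for d in EXPECTED_OLD_DIRS):
            status = "differs-expected-hotfix-backup"
        else:
            status = "DIFFERS-investigate"           # different content in an unexpected place
        report.append((rel, digest[:12], status))
    return report


# Constructed sample tree; the contents are placeholders, not kernel images.
SAMPLE_TREE = {
    "WINDOWS/System32/ntoskrnl.exe": b"placeholder: current hotfix build",
    "WINDOWS/System32/dllcache/ntoskrnl.exe": b"placeholder: current hotfix build",
    "WINDOWS/Driver Cache/i386/ntoskrnl.exe": b"placeholder: current hotfix build",
    "WINDOWS/$NtUninstallKBxxxxxx$/ntoskrnl.exe": b"placeholder: previous build",
    "WINDOWS/Temp/ntoskrnl.exe": b"placeholder: not a kernel at all",
}


def demo() -> dict:
    """Build the sample tree in a temp dir and return {relative path: status}."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in SAMPLE_TREE.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(content)
        return {rel: status for rel, _digest, status in classify(root, "ntoskrnl.exe")}


if __name__ == "__main__":
    for rel, status in demo().items():
        print(f"{status:32} {rel}")
```

Run against a real system root, `classify(Path("C:/"), "ntoskrnl.exe")` produces the same three-column report; the only line worth time is a "DIFFERS-investigate" entry, since WFP backups should match the live file and uninstall folders are expected to hold the older build.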
     
  7. ms13381

    ms13381 TS Rookie Topic Starter

    Hi,
    I updated my BIOS to the newest version 2 days ago. The temperature of my CPU is 40-45 degrees (C), I don't know if it's OK?

    Another strange thing is that I'm getting a new message with the one about ntoskrnl.exe that another file (ndis.sys or ndisio.sys) also changed. I think that file was also mentioned in my BSOD error messages and in the minidumps. So could it mean something or is it just a coincidence?
     
  8. Vigilante

    Vigilante TechSpot Paladin Posts: 1,666

    45 C is alright; 10 more and it would be getting hot.

    Coincidence or not, well, you should not be getting BSODs in the first place!

    I have rarely ever seen these core Windows system files become compromised, very rare indeed. It is more likely a fault somewhere else, that filters into these files because they are the last in the chain.
    In other words, a lot of crashes with these system files either means you have a really messed up copy of Windows, or some kind of hardware problem. It is quite likely not the fault of these files specifically.

    Hopefully Howard or CPC can check these minidumps, I won't be able to until tonight. Continue to scan all your hardware for errors as much as you can, try to see if the BSODs are predictable, can you MAKE one happen by doing certain things? What things?
     
Topic Status:
Not open for further replies.
