Endpoint Encryption

  • 1.  .pgd file changes by just right-clicking on it

    Posted May 11, 2014 08:07 AM

    Hi,

    I'm facing a strange issue. I have a virtual disk file in a .pgd file. It is not mounted. If I just right-click it in Windows Explorer, the file changes. I see its last modification time change to the current time. I don't even select anything in the context menu! This is a problem for me because I want to store this file on Google Drive. But such changes cause synchronization with Google servers. The file is large enough (50 MB), so it is very undesirable.

    I used SysInternals Process Monitor to trace what changes the file. Here is the call stack on the write operation:

    0    fltmgr.sys    FltRequestOperationStatusCallback + 0xeb5    0x88392aeb    C:\Windows\system32\drivers\fltmgr.sys
    1    fltmgr.sys    FltGetIrpName + 0xc5c    0x883959f0    C:\Windows\system32\drivers\fltmgr.sys
    2    fltmgr.sys    FltGetIrpName + 0x116d    0x88395f01    C:\Windows\system32\drivers\fltmgr.sys
    3    fltmgr.sys    FltGetIrpName + 0x1626    0x883963ba    C:\Windows\system32\drivers\fltmgr.sys
    4    ntkrnlpa.exe    IofCallDriver + 0x64    0x82e41c1e    C:\Windows\system32\ntkrnlpa.exe
    5    ntkrnlpa.exe    NtSetEvent + 0x2c1    0x83035bf9    C:\Windows\system32\ntkrnlpa.exe
    6    ntkrnlpa.exe    NtWriteFile + 0x6ee    0x8307b9a0    C:\Windows\system32\ntkrnlpa.exe
    7    ntkrnlpa.exe    ZwYieldExecution + 0xb86    0x82e488c6    C:\Windows\system32\ntkrnlpa.exe
    8    ntdll.dll    NtWriteFile + 0xc    0x77cf6ab4    C:\Windows\SYSTEM32\ntdll.dll
    9    KERNELBASE.dll    WriteFile + 0x5f    0x75d97634    C:\Windows\system32\KERNELBASE.dll
    10    kernel32.dll    WriteFile + 0x4e    0x771c54f4    C:\Windows\system32\kernel32.dll
    11    PGPdskEn.dll    PGPdiskGetSupportedDiskAlgorithms + 0x100f0    0x70a14bb0    C:\Windows\system32\PGPdskEn.dll
    12    PGPdskEn.dll    PGPdiskGetSupportedDiskAlgorithms + 0xf04d    0x70a13b0d    C:\Windows\system32\PGPdskEn.dll
    13    PGPdskEn.dll    PGPdiskEngineInitLibrary + 0x5994    0x709fc9a4    C:\Windows\system32\PGPdskEn.dll
    14    PGPdskEn.dll    PGPdiskEngineInitLibrary + 0x1747    0x709f8757    C:\Windows\system32\PGPdskEn.dll
    15    PGPdskEn.dll    PGPdiskCloseDisk + 0x55    0x70a01fb5    C:\Windows\system32\PGPdskEn.dll
    16    PGPmn.dll    PGPmn.dll + 0x543d    0x637f543d    C:\Windows\system32\PGPmn.dll
    17    PGPmn.dll    PGPmn.dll + 0x4f8d    0x637f4f8d    C:\Windows\system32\PGPmn.dll
    18    SHELL32.dll    SHCreateShellItemArrayFromDataObject + 0x76b    0x7629b46a    C:\Windows\system32\SHELL32.dll
    19    SHELL32.dll    SHCreateShellItemArrayFromDataObject + 0x11a8    0x7629bea7    C:\Windows\system32\SHELL32.dll
    20    SHELL32.dll    Ordinal788 + 0x810f    0x764b7450    C:\Windows\system32\SHELL32.dll
    21    SHELL32.dll    Ordinal788 + 0xb221    0x764ba562    C:\Windows\system32\SHELL32.dll
    22    EXPLORERFRAME.dll    Ordinal134 + 0x12ff1    0x6f1a5f13    C:\Windows\system32\EXPLORERFRAME.dll
    23    EXPLORERFRAME.dll    Ordinal134 + 0xd2ce    0x6f1a01f0    C:\Windows\system32\EXPLORERFRAME.dll
    24    SHELL32.dll    Ordinal788 + 0x52d    0x764af86e    C:\Windows\system32\SHELL32.dll
    25    SHELL32.dll    Ordinal788 + 0xe56    0x764b0197    C:\Windows\system32\SHELL32.dll
    26    SHELL32.dll    Ordinal860 + 0xf22    0x76290ad7    C:\Windows\system32\SHELL32.dll
    27    SHELL32.dll    Ordinal787 + 0x845    0x762f8274    C:\Windows\system32\SHELL32.dll
    28    USER32.dll    gapfnScSendMessage + 0x1cf    0x773cc4e7    C:\Windows\system32\USER32.dll
    29    USER32.dll    gapfnScSendMessage + 0x2cf    0x773cc5e7    C:\Windows\system32\USER32.dll
    30    USER32.dll    PeekMessageA + 0x18c    0x773c1b31    C:\Windows\system32\USER32.dll
    31    USER32.dll    CallWindowProcW + 0x1b    0x773c1b57    C:\Windows\system32\USER32.dll
    32    DUser.dll    GetGadgetTicket + 0x5cf    0x74733fc3    C:\Windows\system32\DUser.dll
    33    USER32.dll    gapfnScSendMessage + 0x1cf    0x773cc4e7    C:\Windows\system32\USER32.dll
    34    USER32.dll    gapfnScSendMessage + 0x2cf    0x773cc5e7    C:\Windows\system32\USER32.dll
    35    USER32.dll    GetScrollBarInfo + 0xfd    0x773c4f0e    C:\Windows\system32\USER32.dll
    36    USER32.dll    GetScrollBarInfo + 0x16c    0x773c4f7d    C:\Windows\system32\USER32.dll
    37    ntdll.dll    KiUserCallbackDispatcher + 0x2e    0x77cf702e    C:\Windows\SYSTEM32\ntdll.dll
    38    win32k.sys    EngAlphaBlend + 0x16af    0x94e2e556    C:\Windows\System32\win32k.sys
    39    win32k.sys    EngMulDiv + 0x2226    0x94e35e95    C:\Windows\System32\win32k.sys
    40    win32k.sys    EngLpkInstalled + 0x3b45    0x94e3b316    C:\Windows\System32\win32k.sys
    41    win32k.sys    EngLpkInstalled + 0x3bf4    0x94e3b3c5    C:\Windows\System32\win32k.sys
    42    win32k.sys    EngAlphaBlend + 0x33e0    0x94e30287    C:\Windows\System32\win32k.sys
    43    win32k.sys    EngBitBlt + 0x1df0    0x94e3d417    C:\Windows\System32\win32k.sys
    44    win32k.sys    EngUnmapFontFileFD + 0x29a4    0x94e08117    C:\Windows\System32\win32k.sys
    45    win32k.sys    EngBitBlt + 0x1cac    0x94e3d2d3    C:\Windows\System32\win32k.sys
    46    ntkrnlpa.exe    ZwYieldExecution + 0xb86    0x82e488c6    C:\Windows\system32\ntkrnlpa.exe
    47    USER32.dll    GetScrollBarInfo + 0x140    0x773c4f51    C:\Windows\system32\USER32.dll
    48    USER32.dll    DefWindowProcW + 0x100    0x773c517d    C:\Windows\system32\USER32.dll
    49    USER32.dll    DefWindowProcW + 0xbb    0x773c5138    C:\Windows\system32\USER32.dll
    50    UxTheme.dll    UxTheme.dll + 0x1e60    0x749b1e60    C:\Windows\system32\UxTheme.dll
    51    UxTheme.dll    UxTheme.dll + 0x1f20    0x749b1f20    C:\Windows\system32\UxTheme.dll
    52    USER32.dll    SetPropW + 0x1fe    0x773c5fc3    C:\Windows\system32\USER32.dll
    53    EXPLORERFRAME.dll    DllCanUnloadNow + 0x19378    0x6f0f9056    C:\Windows\system32\EXPLORERFRAME.dll
    54    USER32.dll    gapfnScSendMessage + 0x1cf    0x773cc4e7    C:\Windows\system32\USER32.dll
    55    USER32.dll    gapfnScSendMessage + 0x2cf    0x773cc5e7    C:\Windows\system32\USER32.dll
    56    USER32.dll    PeekMessageA + 0x18c    0x773c1b31    C:\Windows\system32\USER32.dll
    57    USER32.dll    CallWindowProcW + 0x1b    0x773c1b57    C:\Windows\system32\USER32.dll
    58    DUser.dll    DUser.dll + 0x2ab7    0x74732ab7    C:\Windows\system32\DUser.dll
    59    USER32.dll    gapfnScSendMessage + 0x1cf    0x773cc4e7    C:\Windows\system32\USER32.dll
    60    USER32.dll    gapfnScSendMessage + 0x2cf    0x773cc5e7    C:\Windows\system32\USER32.dll
    61    USER32.dll    PeekMessageA + 0x18c    0x773c1b31    C:\Windows\system32\USER32.dll
    62    USER32.dll    CallWindowProcW + 0x1b    0x773c1b57    C:\Windows\system32\USER32.dll
    63    comctl32.dll    DPA_Sort + 0x2aa    0x74b5f443    C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
    64    comctl32.dll    DefSubclassProc + 0x92    0x74b5f5ee    C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
    65    comctl32.dll    DefSubclassProc + 0x46    0x74b5f5a2    C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
    66    EXPLORERFRAME.dll    DllCanUnloadNow + 0x608d    0x6f0e5d6b    C:\Windows\system32\EXPLORERFRAME.dll
    67    EXPLORERFRAME.dll    DllCanUnloadNow + 0x601a    0x6f0e5cf8    C:\Windows\system32\EXPLORERFRAME.dll
    68    comctl32.dll    DefSubclassProc + 0x92    0x74b5f5ee    C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
    69    comctl32.dll    DefSubclassProc + 0x46    0x74b5f5a2    C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
    70    EXPLORERFRAME.dll    DllCanUnloadNow + 0x7b01    0x6f0e77df    C:\Windows\system32\EXPLORERFRAME.dll
    71    EXPLORERFRAME.dll    DllCanUnloadNow + 0x7aa9    0x6f0e7787    C:\Windows\system32\EXPLORERFRAME.dll
    72    comctl32.dll    DefSubclassProc + 0x92    0x74b5f5ee    C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
    73    comctl32.dll    DefSubclassProc + 0x46    0x74b5f5a2    C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
    74    comctl32.dll    ImageList_GetIcon + 0x71d    0x74b5b64b    C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
    75    comctl32.dll    DefSubclassProc + 0x92    0x74b5f5ee    C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
    76    comctl32.dll    DPA_Sort + 0x2f7    0x74b5f490    C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
    77    USER32.dll    gapfnScSendMessage + 0x1cf    0x773cc4e7    C:\Windows\system32\USER32.dll
    78    USER32.dll    gapfnScSendMessage + 0x2cf    0x773cc5e7    C:\Windows\system32\USER32.dll
    79    USER32.dll    gapfnScSendMessage + 0x901    0x773ccc19    C:\Windows\system32\USER32.dll
    80    USER32.dll    DispatchMessageW + 0xf    0x773ccc70    C:\Windows\system32\USER32.dll
    81    EXPLORERFRAME.dll    DllCanUnloadNow + 0x2ca8d    0x6f10c76b    C:\Windows\system32\EXPLORERFRAME.dll
    82    EXPLORERFRAME.dll    DllCanUnloadNow + 0x30fd5    0x6f110cb3    C:\Windows\system32\EXPLORERFRAME.dll
    83    EXPLORERFRAME.dll    DllCanUnloadNow + 0x3127f    0x6f110f5d    C:\Windows\system32\EXPLORERFRAME.dll
    84    EXPLORERFRAME.dll    DllCanUnloadNow + 0x3122c    0x6f110f0a    C:\Windows\system32\EXPLORERFRAME.dll
    85    EXPLORERFRAME.dll    DllCanUnloadNow + 0xc18    0x6f0e08f6    C:\Windows\system32\EXPLORERFRAME.dll
    86    SHELL32.dll    Ordinal767 + 0x433    0x762f63bb    C:\Windows\system32\SHELL32.dll
    87    SHELL32.dll    DAD_SetDragImage + 0x732    0x762f8c43    C:\Windows\system32\SHELL32.dll
    88    SHELL32.dll    DAD_SetDragImage + 0x866    0x762f8d77    C:\Windows\system32\SHELL32.dll
    89    SHLWAPI.dll    IUnknown_QueryService + 0x15a    0x76f043c0    C:\Windows\system32\SHLWAPI.dll
    90    kernel32.dll    BaseThreadInitThunk + 0x12    0x771bee1c    C:\Windows\system32\kernel32.dll
    91    ntdll.dll    RtlInitializeExceptionChain + 0xef    0x77d137eb    C:\Windows\SYSTEM32\ntdll.dll
    92    ntdll.dll    RtlInitializeExceptionChain + 0xc2    0x77d137be    C:\Windows\SYSTEM32\ntdll.dll
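
Added example (not part of the original post, and not Symantec's code): a small Python parser for a Process Monitor stack like the one above, which walks outward from the user-mode WriteFile frame to show which non-Windows modules requested the write. The `OS_MODULES` allowlist and the function names are assumptions made for this illustration.

```python
import re
from collections import namedtuple
from itertools import takewhile
Frame = namedtuple("Frame", "index module location address path")
# Frames 10-18 copied from the Process Monitor stack in the post above.
STACK = r"""
10    kernel32.dll    WriteFile + 0x4e    0x771c54f4    C:\Windows\system32\kernel32.dll
11    PGPdskEn.dll    PGPdiskGetSupportedDiskAlgorithms + 0x100f0    0x70a14bb0    C:\Windows\system32\PGPdskEn.dll
12    PGPdskEn.dll    PGPdiskGetSupportedDiskAlgorithms + 0xf04d    0x70a13b0d    C:\Windows\system32\PGPdskEn.dll
13    PGPdskEn.dll    PGPdiskEngineInitLibrary + 0x5994    0x709fc9a4    C:\Windows\system32\PGPdskEn.dll
14    PGPdskEn.dll    PGPdiskEngineInitLibrary + 0x1747    0x709f8757    C:\Windows\system32\PGPdskEn.dll
15    PGPdskEn.dll    PGPdiskCloseDisk + 0x55    0x70a01fb5    C:\Windows\system32\PGPdskEn.dll
16    PGPmn.dll    PGPmn.dll + 0x543d    0x637f543d    C:\Windows\system32\PGPmn.dll
17    PGPmn.dll    PGPmn.dll + 0x4f8d    0x637f4f8d    C:\Windows\system32\PGPmn.dll
18    SHELL32.dll    SHCreateShellItemArrayFromDataObject + 0x76b    0x7629b46a    C:\Windows\system32\SHELL32.dll
"""
# Assumed allowlist of Windows modules. Filtering by path would not work here:
# the PGP DLLs in this trace also live under C:\Windows\system32.
OS_MODULES = {"ntdll.dll", "kernelbase.dll", "kernel32.dll", "shell32.dll",
              "explorerframe.dll", "user32.dll", "comctl32.dll"}

def parse_stack(text):
    """Parse Procmon stack rows: index, module, location, address, path."""
    frames = []
    for line in text.strip().splitlines():
        cols = re.split(r"\t+|\s{2,}", line.strip())
        if len(cols) == 5 and cols[0].isdigit():
            frames.append(Frame(int(cols[0]), *cols[1:]))
    return sorted(frames)

def attribute_write(frames):
    """Walk outward from the user-mode WriteFile frame to the code that requested it."""
    is_os = lambda f: f.module.lower() in OS_MODULES
    write = max((i for i, f in enumerate(frames)
                 if is_os(f) and f.location.startswith("WriteFile")), default=None)
    chain = [] if write is None else list(takewhile(lambda f: not is_os(f), frames[write + 1:]))
    if not chain:
        return None
    # Without symbols Procmon names the nearest export, so only a small offset
    # from a real export (not "module + offset") is a trustworthy function name.
    named = [f for f in chain if " + " in f.location and not f.location.startswith(f.module)]
    best = min(named, key=lambda f: int(f.location.rsplit("+ ", 1)[1], 16), default=None)
    rest = frames[write + 1 + len(chain):]
    return {"writer": chain[0].module, "entry": chain[-1].module,
            "invoked_by": rest[0].module if rest else None,
            "likely_function": best.location.split(" + ")[0] if best else None}

if __name__ == "__main__":
    print(attribute_write(parse_stack(STACK)))
```

On the excerpt this reports PGPdskEn.dll as the module calling WriteFile, entered through PGPmn.dll from SHELL32.dll, with PGPdiskCloseDisk as the most plausible function name in the chain.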



  • 2.  RE: .pgd file changes by just right-clicking on it

    Broadcom Employee
    Posted Aug 18, 2014 09:28 AM

    Hi, bi11ybob

    Although this is an old thread, I have just tested an unmounted *.pgd file on Windows 7, created by a managed SED 10.3.1 client, and I can replicate this behaviour.

    I don't have any further explanation of why this is happening, apart from the fact that the file is a part of PGP, aka SED, and it is constantly being queried by the PGP process pgpdesk.exe (operations CreateFile, CloseFile, QueryOpen, QueryDirectory in Process Monitor).

    I can't confirm whether this is by design, or whether it has some hidden meaning, but if you wish to know more, I guess you should open a case with Symantec for further investigation.