Bugcheck 0x5 INVALID_PROCESS_ATTACH_ATTEMPT (when running Windows 2008, VSE 8.7i with Patch 4, and terminal services)
Technical Articles ID:  KB70384
Last Modified:  10/14/2011

Environment

McAfee VirusScan Enterprise 8.7i
Microsoft Windows Vista
Microsoft Windows 2008

Problem

A blue screen error occurs sporadically when VirusScan Enterprise 8.7i with Patch 4 is installed on systems running Windows 2008 with terminal services (such as Citrix terminal services), or Windows Vista with Fast-User-Switching, and multi-language support has been enabled:

Bugcheck 0x5 INVALID_PROCESS_ATTACH_ATTEMPT


The Stack Text looks similar to the following:

STACK_TEXT:
aa279938 81633409 00000005 85e0a158 85eb6020 nt!KeBugCheckEx+0x1e
aa279964 95af3f8b 85e0a158 aa2799ac aa279990 nt!KeAttachProcess+0x86
aa279974 95b87f00 aa2799ac 816fc005 aa2799e4 win32k!ATTACHOBJ::ATTACHOBJ+0x23
aa279990 95b87c27 ff17a008 816fc005 ff1e4cf0 win32k!PDEVOBJ::DestroyFont+0x62
aa2799b4 95b40462 00000000 aa2799dc 00000001 win32k!RFONTOBJ::vDeleteRFONT+0x33
aa2799e8 95b41262 ffa08028 ffa0e1b0 00000000 win32k!vRestartKillEudcRFONTs+0x83
aa279a04 95b411b4 ffa0e1c8 00000000 00000001 win32k!vRestartKillEudcRFONTs+0x2a3
aa279a34 95a7ebd1 00000001 00000000 00001138 win32k!vUnlinkAllEudcFromRFONTList+0x7d9
aa279a48 95b401e6 00000000 00001138 a6153000 win32k!GreEnableEUDC+0x70
aa279a64 95b41a92 95b42157 00000000 a6153d70 win32k!CleanUpEUDC+0x36
aa279a68 95b42157 00000000 a6153d70 a6153000 win32k!GdiMultiUserFontCleanup+0x5
aa279a80 95b42bfa a6153d70 a6153000 818de56c win32k!MultiUserNtGreCleanup+0x1f
aa279a8c 818de56c 00000000 85e99590 00000001 win32k!Win32KDriverUnload+0x1d
aa279ae0 8180108a 85eb61f0 81747d00 aa279b18 nt!MiDereferenceSessionFinal+0xc6
aa279af0 816a2737 85eb6020 85e99558 85eb6190 nt!MiDereferenceSession+0x3e
aa279b18 818003c3 00000000 00000000 85eb6020 nt!MmCleanProcessAddressSpace+0x70f
aa279b3c 818009bf 00000000 00000000 00000000 nt!PspExitProcess+0x274
aa279b74 8183ce84 85eb6020 819cf26c 85eb6008 nt!PspProcessDelete+0x148
aa279b90 81653dcc 85eb6020 00000000 8c5a73c8 nt!ObpRemoveObjectRoutine+0x13d
aa279bb8 8c57ed7d 85eb7efc 8c5a7388 8c5a73c8 nt!ObfDereferenceObject+0xa1
aa279bd4 8c57f1bc 8c5a73c8 84f55b60 00001101 mfehidk!PROCESSINFO_::Release+0x165
aa279bf4 8c57fe92 00000000 aa279c38 00001138 mfehidk!CheckForSignalledProcesses+0xb7
aa279c0c 8c56cce8 00001138 85ffbc78 8ccc2eb0 mfehidk!ProcessInfoProcessExited+0x88
aa279c24 8c56d30a aa279c38 0000000c 85e99558 mfehidk!CONTROLDEVICE::InternalProcessNotifyEx+0x45
aa279c44 818001e8 85ffbc78 00001138 00000000 mfehidk!CONTROLDEVICE::ProcessNotifyRoutineEx+0x46
aa279c74 818275c1 00000001 b564d1bc 85ffa078 nt!PspExitProcess+0x99
aa279cdc 8180406f 00000000 85e99558 85e99501 nt!PspExitThread+0x574
aa279cf4 816c2f7a 85ffa078 aa279d20 aa279d2c nt!PsExitSpecialApc+0x22
aa279d4c 81659d26 00000001 00000000 aa279d64 nt!KiDeliverApc+0x1dc
aa279d4c 76fa5e74 00000001 00000000 aa279d64 nt!KiServiceExit+0x56
WARNING: Frame IP not in any known module. Following frames may be wrong.
00acfbf4 00000000 00000000 00000000 00000000 0x76fa5e74

System Change

Installed Patch 4 for VirusScan Enterprise 8.7i.

Cause

McAfee has identified a bug in Win32k.sys when using the gpepCSRSS variable. This bug is exposed by McAfee code. The root cause for this issue is still not entirely clear, but McAfee has noted that affected environments have additional language support, evident in the running process CONIME.EXE. This issue also involves a timing factor, but occurs only when users are logging off.
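
A triage sketch for checking whether a debugger's STACK_TEXT follows the same path as the trace above (mfehidk process-exit notification, session teardown, win32k unload, KeAttachProcess). It is an example added here, not McAfee or Microsoft code. The marker frames come from the article's trace; the function names, the choice of markers and the in-order matching rule are assumptions.

```python
import re

# One kd STACK_TEXT frame: ChildEBP RetAddr Arg1 Arg2 Arg3 module!symbol+offset
FRAME_RE = re.compile(
    r"^[0-9a-f]{8}\s+[0-9a-f]{8}\s+(?:[0-9a-f]{8}\s+){3}"
    r"(?P<module>[A-Za-z0-9_]+)!(?P<symbol>[^+\s]+)(?:\+0x[0-9a-f]+)?\s*$",
    re.IGNORECASE,
)

def parse_frames(stack_text):
    """Return [(module, symbol), ...] top of stack first; unsymbolized lines are skipped."""
    frames = []
    for line in stack_text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append((m.group("module").lower(), m.group("symbol")))
    return frames

# Marker frames from the article's trace, top of stack first (selection is an assumption).
SIGNATURE = [
    ("nt", "KeBugCheckEx"),
    ("nt", "KeAttachProcess"),
    ("win32k", "Win32KDriverUnload"),
    ("nt", "PspProcessDelete"),
    ("mfehidk", "PROCESSINFO_::Release"),
    ("mfehidk", "CONTROLDEVICE::ProcessNotifyRoutineEx"),
]

def matches_kb70384(stack_text):
    """True if every marker appears in order; other frames may sit in between."""
    frames = iter(parse_frames(stack_text))
    return all(any(f == want for f in frames) for want in SIGNATURE)

# Excerpt of the article's trace (lines copied from above, intermediate frames omitted).
ARTICLE_EXCERPT = """
aa279938 81633409 00000005 85e0a158 85eb6020 nt!KeBugCheckEx+0x1e
aa279964 95af3f8b 85e0a158 aa2799ac aa279990 nt!KeAttachProcess+0x86
aa279974 95b87f00 aa2799ac 816fc005 aa2799e4 win32k!ATTACHOBJ::ATTACHOBJ+0x23
aa279a8c 818de56c 00000000 85e99590 00000001 win32k!Win32KDriverUnload+0x1d
aa279b74 8183ce84 85eb6020 819cf26c 85eb6008 nt!PspProcessDelete+0x148
aa279bd4 8c57f1bc 8c5a73c8 84f55b60 00001101 mfehidk!PROCESSINFO_::Release+0x165
aa279c44 818001e8 85ffbc78 00001138 00000000 mfehidk!CONTROLDEVICE::ProcessNotifyRoutineEx+0x46
WARNING: Frame IP not in any known module. Following frames may be wrong.
00acfbf4 00000000 00000000 00000000 00000000 0x76fa5e74
"""

# Constructed counter-example: same bugcheck entry, but no mfehidk or win32k unload frames.
UNRELATED = """
aa279938 81633409 00000005 85e0a158 85eb6020 nt!KeBugCheckEx+0x1e
aa279964 95af3f8b 85e0a158 aa2799ac aa279990 nt!KeAttachProcess+0x86
aa279c74 818275c1 00000001 b564d1bc 85ffa078 nt!PspExitProcess+0x99
"""
```

A match only indicates the dump is worth comparing against this article; the installed VSE patch level still decides whether Solution 1 or Solution 2 applies.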

Solution 1

This issue is resolved with Patch 5 or later for VirusScan Enterprise (VSE) 8.7i.

McAfee product software, upgrades, maintenance releases, and documentation are available from the Product Downloads site at: http://www.mcafee.com/us/downloads/downloads.aspx.

NOTE: You will need a valid Grant Number for access. KB56057 provides additional information about the Product Downloads site, as well as alternate locations for some products.

Solution 2

If you want to remain on Patch 4 for VSE 8.7i, install Hotfix 629330 (HF629330) for Patch 4.

Hotfixes are created to address specific issues and are not posted publicly, but are available by contacting Technical Support.

For Technical Support contact details:
Go to http://www.mcafee.com/us/about/contact-us.aspx#ht=tab-techsupport and select your country from the drop-down list.

Alternatively:
Log in to the ServicePortal at https://support.mcafee.com:
  • If you are a registered user, type your User Id and Password, and click Log In.
  • If you are not a registered user, click Register and complete the required fields. Your password and login instructions will be emailed to you.
