Channel: Windows Performance Toolkit (WPT) v5 forum

Windows performance recorder: The system collector properties does not match with the internal state.


Hello,

I am certain that the cause of this error is McAfee.  I suspect it jumps into the middle of the sequence of events required to successfully collect a trace, and interferes with WPR. Can someone please review the evidence below and tell me if I’m on the right path, before I open a ticket with McAfee?

Environment: Windows 7 SP1 x64 with McAfee Agent 5.0.5.658, McAfee Endpoint Security 10.5, McAfee DLP 10.0.250.92

There are two symptoms of the problem:
1 – you can’t stop NT Kernel Logger; it restarts a split second later.
2 – you can’t capture ETW traces via Windows Performance Recorder; you get the “The system collector properties does not match with the internal state” error when you stop capturing.

Steps to recreate #1:
Right-click on My Computer | Manage
Expand System Tools | Performance | Data Collector Sets | Event Trace Sessions
Right-click on NT Kernel Logger, select Stop
Refresh the view: the logger stops, then restarts a split second later

Steps to recreate #2:
Start Windows Performance Recorder
Select any options under Resource Analysis (like: CPU usage)
Click Start
You will be prompted with the “An existing session is already running. Click OK to stop the running session and start the selected profile(s) or Cancel to abort the operation.” message. Click OK.
Wait a few minutes while collection is running.
Click on the Save button
You will be prompted with “The system collector properties does not match with the internal state.” error message.

I’ve attached a kernel debugger to the target machine and set the breakpoints below:

0: kd> bl
 0 e fffff800`0453541c     0001 (0001) nt!EtwpStartTrace
 1 e fffff800`04749c70     0001 (0001) nt!EtwpStartAutoLogger
 2 e fffff800`045371d0     0001 (0001) nt!EtwpStartLogger

Sequence of events:
WPR is starting a trace after I clicked OK to stop existing session:

2: kd> !thread
THREAD fffffa801df65730  Cid 2114.21d4  Teb: 000007fffffaa000 Win32Thread: fffff900c3a2f5c0 RUNNING on processor 2
Not impersonating
DeviceMap                 fffff8a007b1aa60
Owning Process            fffffa801e0cb530       Image:         WPRUI.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      102923         Ticks: 0
Context Switch Count      3217           IdealProcessor: 2                 LargeStack
UserTime                  00:00:00.015
KernelTime                00:00:00.202
Win32 Start Address ntdll!TppWorkerThread (0x000000007737f6f0)
Stack Init fffff8800e94dc70 Current fffff8800e94d220
Base fffff8800e94e000 Limit fffff8800e945000 Call 0
Priority 10 BasePriority 8 UnusualBoost 0 ForegroundBoost 2 IoPriority 2 PagePriority 5

Child-SP          RetAddr           : Args to Child                                                           : Call Site
fffff880`0e94d9f8 fffff800`0457952c : 00000000`00000110 00000000`00000000 00000000`02850690 00000000`00001129 : nt!EtwpStartTrace
fffff880`0e94da00 fffff800`042d50d3 : fffffa80`1df65730 0000007f`ffffffff fffffa80`00000110 00000000`02850690 : nt!NtTraceControl+0x26c
fffff880`0e94da70 00000000`773ad57a : 000007fe`ff140fd0 00000000`00413c78 000007fe`ff15b23d 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0e94dae0)
00000000`0359f238 000007fe`ff140fd0 : 00000000`00413c78 000007fe`ff15b23d 00000000`00000000 00000000`00000000 : ntdll!NtTraceControl+0xa
00000000`0359f240 000007fe`ff140e04 : 00000000`0040f900 00000000`0040f900 00000000`02850690 00000000`00000000 : ADVAPI32!EtwpStartLogger+0x6d
00000000`0359f280 000007fe`e736f990 : 00000000`00409588 00000000`00000001 00000000`00000110 00000000`00000000 : ADVAPI32!StartTraceW+0x4f2
00000000`0359f310 000007fe`e736f61d : 00000000`00405610 00000000`001a9100 000007fe`e7355438 00000000`00405610 : WindowsPerformanceRecorderControl!WindowsPerformanceRecorder::CControlManager::StartEventSession+0x128
00000000`0359f480 000007fe`e736b0cc : 00000000`004134a0 00000000`004092f0 00000000`02843d00 00000000`00409450 : WindowsPerformanceRecorderControl!WindowsPerformanceRecorder::CControlManager::StartNormalOrShutdownRecording+0x269
00000000`0359f540 00000000`6f00a52d : 00000000`001ad820 00000000`02841f08 00000000`001a91b8 00000000`00409370 : WindowsPerformanceRecorderControl!WindowsPerformanceRecorder::CControlManager::Start+0x84
00000000`0359f580 00000000`6f00a19b : 00000000`000ceca0 00000000`02847118 00000000`004093e8 00000000`02841f08 : WindowsPerformanceRecorderUI!WindowsPerformanceRecorder::CStartView::WPRCNormalStartRecording+0x2b5
00000000`0359f630 00000000`6f009ef8 : 00000000`000ceca0 00000000`00000001 00000000`002c0c00 00000000`02847118 : WindowsPerformanceRecorderUI!WindowsPerformanceRecorder::CStartView::StartRecordingThreadProc+0x27f
00000000`0359f6d0 00000000`7738004b : 00000000`02842ae0 000007ff`fffaa000 00000000`0000027f 00000000`00000000 : WindowsPerformanceRecorderUI!WindowsPerformanceRecorder::CStartView::s_StartRecordingThreadProc+0x1c
00000000`0359f700 00000000`7737fc62 : 00000000`00000000 00000000`000ceca0 00000000`00000000 00000000`003050c8 : ntdll!RtlpTpWorkCallback+0x16b
00000000`0359f7e0 00000000`771559cd : 00000000`002c4290 00000001`00010008 00000000`002c4290 00000000`02842ae0 : ntdll!TppWorkerThread+0x6f7
00000000`0359fa70 00000000`7738a561 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd
00000000`0359faa0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d

WPR is starting logger:

2: kd> !thread
THREAD fffffa801df65730  Cid 2114.21d4  Teb: 000007fffffaa000 Win32Thread: fffff900c3a2f5c0 RUNNING on processor 2
Not impersonating
DeviceMap                 fffff8a007b1aa60
Owning Process            fffffa801e0cb530       Image:         WPRUI.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      102929         Ticks: 0
Context Switch Count      3219           IdealProcessor: 2                 LargeStack
UserTime                  00:00:00.015
KernelTime                00:00:00.296
Win32 Start Address ntdll!TppWorkerThread (0x000000007737f6f0)
Stack Init fffff8800e94dc70 Current fffff8800e94d220
Base fffff8800e94e000 Limit fffff8800e945000 Call 0
Priority 10 BasePriority 8 UnusualBoost 0 ForegroundBoost 2 IoPriority 2 PagePriority 5
Child-SP          RetAddr           : Args to Child                                                           : Call Site
fffff880`0e94d9b8 fffff800`0453545c : 00000000`00000000 fffff800`00000000 00000000`00000000 00000000`00000200 : nt!EtwpStartLogger
fffff880`0e94d9c0 fffff800`0457952c : 00000000`00000000 00000000`00000000 00000000`0283c0c0 00000000`00000000 : nt!EtwpStartTrace+0x40
fffff880`0e94da00 fffff800`042d50d3 : fffffa80`1df65730 fffff880`0e94db60 00000000`00000108 00000000`0283c0c0 : nt!NtTraceControl+0x26c
fffff880`0e94da70 00000000`773ad57a : 000007fe`ff140fd0 00000000`00413af8 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0e94dae0)
00000000`0359f238 000007fe`ff140fd0 : 00000000`00413af8 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!NtTraceControl+0xa
00000000`0359f240 000007fe`ff140e04 : 00000000`0040f900 00000000`0040f900 00000000`0283c0c0 00000000`00000000 : ADVAPI32!EtwpStartLogger+0x6d
00000000`0359f280 000007fe`e736f990 : 00000000`004094a8 00000000`00000001 00000000`00000108 00000000`00000000 : ADVAPI32!StartTraceW+0x4f2
00000000`0359f310 000007fe`e736f61d : 000007fe`e7355450 00000000`00405610 000007fe`e7355438 00000000`00405610 : WindowsPerformanceRecorderControl!WindowsPerformanceRecorder::CControlManager::StartEventSession+0x128
00000000`0359f480 000007fe`e736b0cc : 00000000`004134a0 00000000`004092f0 00000000`02843d00 00000000`00409450 : WindowsPerformanceRecorderControl!WindowsPerformanceRecorder::CControlManager::StartNormalOrShutdownRecording+0x269
00000000`0359f540 00000000`6f00a52d : 00000000`001ad820 00000000`02841f08 00000000`001a91b8 00000000`00409370 : WindowsPerformanceRecorderControl!WindowsPerformanceRecorder::CControlManager::Start+0x84
00000000`0359f580 00000000`6f00a19b : 00000000`000ceca0 00000000`02847118 00000000`004093e8 00000000`02841f08 : WindowsPerformanceRecorderUI!WindowsPerformanceRecorder::CStartView::WPRCNormalStartRecording+0x2b5
00000000`0359f630 00000000`6f009ef8 : 00000000`000ceca0 00000000`00000001 00000000`002c0c00 00000000`02847118 : WindowsPerformanceRecorderUI!WindowsPerformanceRecorder::CStartView::StartRecordingThreadProc+0x27f
00000000`0359f6d0 00000000`7738004b : 00000000`02842ae0 000007ff`fffaa000 00000000`0000027f 00000000`00000000 : WindowsPerformanceRecorderUI!WindowsPerformanceRecorder::CStartView::s_StartRecordingThreadProc+0x1c
00000000`0359f700 00000000`7737fc62 : 00000000`00000000 00000000`000ceca0 00000000`00000000 00000000`003050c8 : ntdll!RtlpTpWorkCallback+0x16b
00000000`0359f7e0 00000000`771559cd : 00000000`002c4290 00000001`00010008 00000000`002c4290 00000000`02842ae0 : ntdll!TppWorkerThread+0x6f7
00000000`0359fa70 00000000`7738a561 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd
00000000`0359faa0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d

A split second later, McAfee is starting a trace:

0: kd> !thread
THREAD fffffa80142c79f0  Cid 0ea4.133c  Teb: 000007ffffec8000 Win32Thread: fffff900c203dc10 RUNNING on processor 0
Not impersonating
DeviceMap                 fffff8a000008aa0
Owning Process            fffffa80106c4b10       Image:         mcshield.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      102966         Ticks: 0
Context Switch Count      44156          IdealProcessor: 7                 LargeStack
UserTime                  00:00:07.784
KernelTime                00:00:03.697
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for rc.dat - 
Win32 Start Address rc!RaptorSetLogLevel (0x000007feeb6141d0)
Stack Init fffff8800ddf8c70 Current fffff8800ddf86b0
Base fffff8800ddf9000 Limit fffff8800ddf0000 Call 0
Priority 8 BasePriority 8 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5

Child-SP          RetAddr           : Args to Child                                                           : Call Site
fffff880`0ddf89f8 fffff800`0457952c : 00000000`000000d8 00000000`00000000 00000000`1b518130 ffffffff`88ca6c00 : nt!EtwpStartTrace
fffff880`0ddf8a00 fffff800`042d50d3 : fffffa80`142c79f0 00000000`00000001 fffffa80`000000d8 00000000`1b518130 : nt!NtTraceControl+0x26c
fffff880`0ddf8a70 00000000`773ad57a : 000007fe`ff140fd0 00000000`22841468 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0ddf8ae0)
00000000`1dfdf628 000007fe`ff140fd0 : 00000000`22841468 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!NtTraceControl+0xa
00000000`1dfdf630 000007fe`ff140e04 : 00000000`228413f0 00000000`228413f0 00000000`1b518130 00000000`00000000 : ADVAPI32!EtwpStartLogger+0x6d
00000000`1dfdf670 000007fe`eb6b66c2 : 00000000`1dfdf7c0 00000000`1a0a87a0 00000000`000000d8 00000000`00000000 : ADVAPI32!StartTraceW+0x4f2
00000000`1dfdf700 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : rc!RaptorSetLogLevel+0x1b7ef2

McAfee is starting logger:

0: kd> !thread
THREAD fffffa80142c79f0  Cid 0ea4.133c  Teb: 000007ffffec8000 Win32Thread: fffff900c203dc10 RUNNING on processor 0
Not impersonating
DeviceMap                 fffff8a000008aa0
Owning Process            fffffa80106c4b10       Image:         mcshield.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      102969         Ticks: 0
Context Switch Count      44157          IdealProcessor: 7                 LargeStack
UserTime                  00:00:07.784
KernelTime                00:00:03.728
Win32 Start Address rc!RaptorSetLogLevel (0x000007feeb6141d0)
Stack Init fffff8800ddf8c70 Current fffff8800ddf7b90
Base fffff8800ddf9000 Limit fffff8800ddf0000 Call 0
Priority 8 BasePriority 8 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           : Args to Child                                                           : Call Site
fffff880`0ddf89b8 fffff800`0453545c : 00000000`00000000 fffff800`00000000 00000000`00000000 00000000`00000200 : nt!EtwpStartLogger
fffff880`0ddf89c0 fffff800`0457952c : 00000000`00000000 00000000`00000000 00000000`1b518130 ffffffff`88ca6c00 : nt!EtwpStartTrace+0x40
fffff880`0ddf8a00 fffff800`042d50d3 : fffffa80`142c79f0 00000000`00000001 fffffa80`000000d8 00000000`1b518130 : nt!NtTraceControl+0x26c
fffff880`0ddf8a70 00000000`773ad57a : 000007fe`ff140fd0 00000000`22841468 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0ddf8ae0)
00000000`1dfdf628 000007fe`ff140fd0 : 00000000`22841468 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!NtTraceControl+0xa
00000000`1dfdf630 000007fe`ff140e04 : 00000000`228413f0 00000000`228413f0 00000000`1b518130 00000000`00000000 : ADVAPI32!EtwpStartLogger+0x6d
00000000`1dfdf670 000007fe`eb6b66c2 : 00000000`1dfdf7c0 00000000`1a0a87a0 00000000`000000d8 00000000`00000000 : ADVAPI32!StartTraceW+0x4f2
00000000`1dfdf700 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : rc!RaptorSetLogLevel+0x1b7ef2

McAfee module info:

3: kd> lmvm rc
start             end                 module name
000007fe`eb480000 000007fe`eba82000   rc         (export symbols)       rc.dat
    Loaded symbol image file: rc.dat
    Image path: C:\Program Files\Common Files\McAfee\Engine\content\rp\1.0.0.2499\x86_64\rc.dat
    Image name: rc.dat
    Timestamp:        Wed May 24 09:56:55 2017 (59259F37)
    CheckSum:         006002C3
    ImageSize:        00602000
    File version:     1.0.0.0
    Product version:  1.0.0.0
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      McAfee, Inc.
    ProductName:      McAfee Real Protect
    InternalName:     RealProtect.dll
    OriginalFilename: RealProtect.dll
    ProductVersion:   1.0.0.2499
    FileVersion:      1.0.0.2499
    FileDescription:  McAfee Real Protect
    LegalCopyright:   Copyright © 2017 McAfee, Inc. All rights reserved.

Call stack for the WPRUI thread displaying the error message once you stop data collection and attempt to save.

        THREAD fffffa801df65730  Cid 2114.21d4  Teb: 000007fffffaa000 Win32Thread: fffff900c3a2f5c0 WAIT: (UserRequest) UserMode Non-Alertable
            fffffa801068fc50  SynchronizationEvent
            fffffa8022e14c00  SynchronizationEvent
        Not impersonating
        DeviceMap                 fffff8a007b1aa60
        Owning Process            fffffa801e0cb530       Image:         WPRUI.exe
        Attached Process          N/A            Image:         N/A
        Wait Start TickCount      103972         Ticks: 28 (0:00:00:00.436)
        Context Switch Count      4527           IdealProcessor: 2                 LargeStack
        UserTime                  00:00:00.124
        KernelTime                00:00:01.248
        Win32 Start Address ntdll!TppWorkerThread (0x000000007737f6f0)
        Stack Init fffff8800e94d840 Current fffff8800e94ca50
        Base fffff8800e94e000 Limit fffff8800e945000 Call fffff8800e94d890
        Priority 10 BasePriority 8 UnusualBoost 0 ForegroundBoost 2 IoPriority 2 PagePriority 5

        Child-SP          RetAddr           Call Site
        fffff880`0e94ca90 fffff800`042db142 nt!KiSwapContext+0x7a
        fffff880`0e94cbd0 fffff800`042da65a nt!KiCommitThreadWait+0x1d2
        fffff880`0e94cc60 fffff800`045d0c2f nt!KeWaitForMultipleObjects+0x272
        fffff880`0e94cf20 fffff800`045d0fa6 nt!ObpWaitForMultipleObjects+0x294
        fffff880`0e94d3f0 fffff800`042d50d3 nt!NtWaitForMultipleObjects+0xe5
        fffff880`0e94d640 00000000`773ac2ea nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0e94d6b0)
        00000000`0359ef18 000007fe`fd3a1430 ntdll!NtWaitForMultipleObjects+0xa
        00000000`0359ef20 00000000`771616e3 KERNELBASE!WaitForMultipleObjectsEx+0xe8
        00000000`0359f020 00000000`77278f8d kernel32!WaitForMultipleObjectsExImplementation+0xb3
        00000000`0359f0b0 000007fe`fb5914e6 USER32!RealMsgWaitForMultipleObjectsEx+0x12a
        00000000`0359f150 000007fe`fb5915ef DUser!CoreSC::Wait+0x62
        00000000`0359f1a0 000007fe`fb591565 DUser!CoreSC::WaitMessage+0x6f
        00000000`0359f1e0 00000000`7727934e DUser!MphWaitMessageEx+0x5c
        00000000`0359f210 00000000`773abc65 USER32!_ClientWaitMessageExMPH+0x1a
        00000000`0359f260 00000000`7727932a ntdll!KiUserCallbackDispatcherContinue (TrapFrame @ 00000000`0359f128)
        00000000`0359f2c8 00000000`77284bb4 USER32!ZwUserWaitMessage+0xa
        00000000`0359f2d0 00000000`77284ed1 USER32!DialogBox2+0x274
        00000000`0359f360 00000000`77284f46 USER32!InternalDialogBox+0x135
        00000000`0359f3c0 00000000`77284f7c USER32!DialogBoxIndirectParamAorW+0x58
        00000000`0359f400 000007fe`fbce1d6e USER32!DialogBoxIndirectParamW+0x18
        00000000`0359f440 000007fe`fbc1de29 Comctl32!SHFusionDialogBoxIndirectParam+0x56
        00000000`0359f490 00000000`6f017d79 Comctl32!CTaskDialog::Show+0x1a1
        00000000`0359f520 00000000`6f017e76 WindowsPerformanceRecorderUI!IsolationAwareTaskDialogIndirect+0xdd
        00000000`0359f550 00000000`6f017f52 WindowsPerformanceRecorderUI!WindowsPerformanceRecorder::Impl::ShowErrorDialog+0xd6
        00000000`0359f630 00000000`6f01c2cd WindowsPerformanceRecorderUI!WindowsPerformanceRecorder::Impl::ShowErrorMessage+0xba
        00000000`0359f6b0 00000000`7738004b WindowsPerformanceRecorderUI!WindowsPerformanceRecorder::CSaveView::SaveStopRecordingThreadProc+0xd1
        00000000`0359f700 00000000`7737fc62 ntdll!RtlpTpWorkCallback+0x16b
        00000000`0359f7e0 00000000`771559cd ntdll!TppWorkerThread+0x6f7
        00000000`0359fa70 00000000`7738a561 kernel32!BaseThreadInitThunk+0xd
        00000000`0359faa0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

Would you agree McAfee is the problem?

Thank you

Olegas
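An added example (not from the post, WPT or McAfee): a small Python parser for the kind of kd `!thread` dumps quoted above. It records each dump's owning image, wait-start tick and call sites, attributes the ETW start to the first frame below the nt/ntdll/ADVAPI32 forwarding layers, and reports when a different process re-enters the StartTrace path within a short window of a prior start, which is the pattern behind "the logger restarts a split second later". The sample text is constructed and abbreviated from the post's dumps, and the 100-tick window is an assumption.

```python
# Parse WinDbg "!thread" dumps in the layout quoted in the post and report which
# process re-enters the ETW StartTrace path right after another process did.
import re
TRACE_START = ("nt!EtwpStartTrace", "nt!EtwpStartLogger")  # kernel session-start entry points
PASSTHROUGH = ("nt!", "ntdll!", "ADVAPI32!")               # forwarding layers, not the real caller

# Constructed sample (not real debugger output), abbreviated from the post's dumps:
# WPRUI.exe starts its session, then mcshield.exe calls StartTrace 43 ticks later.
SAMPLE = """\
2: kd> !thread
THREAD fffffa801df65730  Cid 2114.21d4  RUNNING on processor 2
Owning Process            fffffa801e0cb530       Image:         WPRUI.exe
Wait Start TickCount      102923         Ticks: 0
fffff880`0e94d9f8 fffff800`0457952c : 00000000`00000110 00000000`00000000 : nt!EtwpStartTrace
00000000`0359f280 000007fe`e736f990 : 00000000`00409588 00000000`00000001 : ADVAPI32!StartTraceW+0x4f2
00000000`0359f310 000007fe`e736f61d : 00000000`00405610 00000000`001a9100 : WindowsPerformanceRecorderControl!WindowsPerformanceRecorder::CControlManager::StartEventSession+0x128
0: kd> !thread
THREAD fffffa80142c79f0  Cid 0ea4.133c  RUNNING on processor 0
Owning Process            fffffa80106c4b10       Image:         mcshield.exe
Wait Start TickCount      102966         Ticks: 0
fffff880`0ddf89f8 fffff800`0457952c : 00000000`000000d8 00000000`00000000 : nt!EtwpStartTrace
00000000`1dfdf670 000007fe`eb6b66c2 : 00000000`1dfdf7c0 00000000`1a0a87a0 : ADVAPI32!StartTraceW+0x4f2
00000000`1dfdf700 00000000`00000000 : 00000000`00000000 00000000`00000000 : rc!RaptorSetLogLevel+0x1b7ef2
"""
# A frame line starts with two 64-bit addresses (Child-SP, RetAddr); the rest holds the call site.
FRAME_RE = re.compile(r"^[0-9a-f]{8}`[0-9a-f]{8} [0-9a-f]{8}`[0-9a-f]{8} (.+)$")
def parse_thread_dumps(text):
    """One record per '!thread' block: owning image, wait-start tick, call sites (top first)."""
    dumps = []
    for chunk in re.split(r"^\d+: kd> !thread[ \t]*$", text, flags=re.M)[1:]:
        rec = {"image": None, "tick": None, "frames": []}
        for line in (ln.strip() for ln in chunk.splitlines()):
            if m := re.search(r"Owning Process.*Image:\s+(\S+)", line):
                rec["image"] = m.group(1)
            elif m := re.search(r"Wait Start TickCount\s+(\d+)", line):
                rec["tick"] = int(m.group(1))
            elif m := FRAME_RE.match(line):  # with args shown, the call site is the last " : " column
                rec["frames"].append(m.group(1).rsplit(" : ", 1)[-1].strip())
        dumps.append(rec)
    return dumps

def trace_starts(dumps):
    """(tick, image, caller) for each dump on the ETW start path; caller = first non-forwarding frame."""
    out = []
    for d in dumps:
        if any(f.startswith(TRACE_START) for f in d["frames"]):
            caller = next((f for f in d["frames"] if not f.startswith(PASSTHROUGH)), None)
            out.append((d["tick"], d["image"], caller))
    return sorted(out)

def restarts_after(dumps, window_ticks=100):
    """A different process starting a trace within window_ticks (assumed) of a prior start."""
    s = trace_starts(dumps)
    return [{"after": a[1], "restarter": b[1], "via": b[2], "delta_ticks": b[0] - a[0]}
            for a, b in zip(s, s[1:]) if b[1] != a[1] and b[0] - a[0] <= window_ticks]
```

Feed it the full `!thread` output from a real session and the `via` field names the user-mode code that issued the second StartTrace.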
