
Collecting logs for the User-Mode Hooking (UMH) module for an application hang issue

    • Updated:
    • 28 Dec 2016
    • Product/Version:
    • OfficeScan 10.6
    • OfficeScan 11.0
    • OfficeScan XG.All
    • Platform:
    • Windows 10
    • Windows 2003 32-Bit
    • Windows 2003 64-Bit
    • Windows 2008 32-Bit
    • Windows 2008 64-Bit
    • Windows 2012
    • Windows 7 32-Bit
    • Windows 7 64-Bit
    • Windows 8 32-Bit
    • Windows 8 64-Bit
    • Windows 8.1 32-Bit
    • Windows 8.1 64-Bit
    • Windows XP Professional
Summary

This article describes how to collect the UMH logs for an application/process crash issue caused by the UMH module.

UMH is an engine in OSCE that supports the enhanced ransomware solution. It is installed as a module in the Common Client Solution Framework (CCSF) service and provides API events to other modules, such as Behavior Monitoring and Predictive Machine Learning. Those modules make their decisions based on the API events that UMH provides.

Below is the installation path for UMH in OSCE:

<OfficeScan Agent Installation Path>\CCSF\MODULE\20019\

UMH has been included since OfficeScan 11.0 Service Pack 1 Critical Patch 6054 (Ransomware CP) and OfficeScan XG.

Details

To collect the UMH logs:

  1. Find out which process hangs because of UMH.
  2. Reproduce the problem and collect the user-mode dump for the process:
    • For all Windows platforms (Run As Administrator):
      1. Download Process Explorer from the following link: Process Explorer v16.12.
      2. Right-click on the process, then go to Create Dump > Create Full Dump.


    • For Windows Vista and above:
      1. Open the Task Manager.
      2. Right-click on the process, then select "Create dump file".


  3. Export the DLL information for the process (Run As Administrator):
    1. Open Process Explorer.
    2. Open the View list and select Show Processes From All Users and Show Lower Pane.
    3. Still on the view list, go to Lower Pane View and select DLLs.


    4. Choose the process and click "Save as..." under File to save the DLL information.


  4. Get the UMH-related binary files:
    • <OSCE installation path>\CCSF\module\20019
    • %windir%\system32\tmumh
    • %windir%\syswow64\tmumh
    • %windir%\system32\drivers\tmumh.sys
  5. Get the UMH-related registry keys:
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tmumh
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\GlobalFlag
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
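
Steps 4 and 5 can be scripted so that the same set of files and registry data is gathered every time. The following is an added example, not part of the original article or a Trend Micro tool; the `$AgentPath` and `$OutDir` parameters and the output file names are hypothetical. It assumes an elevated 64-bit PowerShell 5.0+ session on Windows 7 or later, since a 32-bit session on 64-bit Windows would have its `system32` access redirected.

```powershell
# Added example: gathers the UMH files and registry data from steps 4 and 5.
# Assumes an elevated 64-bit PowerShell 5.0+ session on Windows 7 or later.
param(
    [Parameter(Mandatory = $true)][string]$AgentPath,      # OfficeScan agent installation path
    [string]$OutDir = (Join-Path $env:TEMP 'UMH-collect')  # hypothetical output folder
)
$binDir = Join-Path $OutDir 'binaries'
$regDir = Join-Path $OutDir 'registry'
New-Item -ItemType Directory -Force -Path $binDir, $regDir | Out-Null
$missing = @()

# Step 4: UMH-related binaries. A missing path is recorded, not treated as fatal
# (for example, syswow64 does not exist on 32-bit Windows).
$sources = [ordered]@{
    'ccsf_module_20019' = Join-Path $AgentPath 'CCSF\module\20019'
    'system32_tmumh'    = Join-Path $env:windir 'system32\tmumh'
    'syswow64_tmumh'    = Join-Path $env:windir 'syswow64\tmumh'
    'drivers_tmumh.sys' = Join-Path $env:windir 'system32\drivers\tmumh.sys'
}
foreach ($name in $sources.Keys) {
    $src = $sources[$name]
    if (Test-Path -LiteralPath $src) {
        Copy-Item -LiteralPath $src -Destination (Join-Path $binDir $name) -Recurse -Force
    } else {
        $missing += $src
    }
}
# Record version and SHA-256 of each collected file so the exact build can be confirmed.
Get-ChildItem -LiteralPath $binDir -Recurse -File |
    Select-Object FullName, Length,
        @{n = 'FileVersion'; e = { $_.VersionInfo.FileVersion }},
        @{n = 'SHA256'; e = { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash }} |
    Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'file-manifest.csv')

# Step 5: UMH-related registry keys, exported with reg.exe.
$keys = [ordered]@{
    'tmumh_service' = 'HKLM\SYSTEM\CurrentControlSet\Services\tmumh'
    'ifeo'          = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    'nt_windows'    = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
}
foreach ($name in $keys.Keys) {
    & reg.exe export $keys[$name] (Join-Path $regDir "$name.reg") /y | Out-Null
    if ($LASTEXITCODE -ne 0) { $missing += $keys[$name] }
}
# GlobalFlag is a value under the Session Manager key, so it is queried, not exported.
& reg.exe query 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager' /v GlobalFlag |
    Out-File (Join-Path $regDir 'globalflag.txt')
$missing | Out-File (Join-Path $OutDir 'not-found.txt')
Write-Output "Collected to $OutDir; $($missing.Count) item(s) not found."
```

Review `not-found.txt` before sending the folder to support: an absent `tmumh` service key or driver file is itself a finding worth reporting alongside the dump.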
Category: Troubleshoot
Solution Id: 1115439