This article describes how to collect UMH logs when an application or process crashes or hangs because of the UMH module.
UMH is an engine in OfficeScan (OSCE) that supports the enhanced ransomware protection. It is installed as a module of the Common Client Solution Framework (CCSF) service and supplies API events to other modules, such as Behavior Monitoring and Predictive Machine Learning, which base their decisions on the events UMH provides.
Below is the installation path for UMH in OSCE:
<OfficeScan Agent Installation Path>\CCSF\MODULE\20019\
UMH has been included since OfficeScan 11.0 Service Pack 1 Critical Patch 6054 (Ransomware CP) and in OfficeScan XG.
To collect the UMH logs:
- Identify the process that hangs or crashes because of UMH.
- Reproduce the problem and collect the user-mode dump for the process:
- On any Windows platform, using Process Explorer (run as administrator):
- Download Process Explorer from the following link: Process Explorer v16.12.
- Right-click on the process, then go to Create Dump > Create Full Dump.
- On Windows Vista and later, using Task Manager (run as administrator):
- Open Task Manager, right-click on the process and select "Create dump file".
- On 64-bit Windows, prefer Process Explorer for a 32-bit process: it writes the dump with the bitness of the target process, whereas the 64-bit Task Manager produces a WoW64 dump of a 32-bit process that is harder to analyze.
- Export the DLL information for the process (run as administrator):
- Open Process Explorer.
- In the View menu, select Show Processes From All Users and Show Lower Pane.
- Still in the View menu, go to Lower Pane View and select DLLs.
- Select the process and click File > Save As... to save the DLL list.
- Collect the UMH-related binary files (the syswow64 copy exists only on 64-bit Windows):
- <OfficeScan Agent Installation Path>\CCSF\module\20019
- %windir%\system32\tmumh
- %windir%\syswow64\tmumh
- %windir%\system32\drivers\tmumh.sys
- Export the UMH-related registry keys (note that GlobalFlag is a value under the Session Manager key, not a key of its own, and the last key holds the AppInit_DLLs setting that governs DLL loading into user-mode processes):
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tmumh
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\GlobalFlag
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
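The steps above can be scripted so that the binaries, loaded-module list and registry data for one process land in a single timestamped folder. The following PowerShell script is an added example, not part of the original article or of the OfficeScan product. It assumes it runs from an elevated 64-bit PowerShell, that the OfficeScan agent installation path is passed as a parameter, and that Sysinternals procdump.exe may optionally be on PATH for the dump; if it is not, take the dump with Process Explorer or Task Manager as described above and drop it into the output folder.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): collects UMH troubleshooting
# artifacts for one process. Assumes an elevated 64-bit PowerShell session.
param(
    [Parameter(Mandatory)] [int]    $ProcessId,
    # Assumed: the OfficeScan agent install root, e.g. "C:\Program Files (x86)\Trend Micro\OfficeScan Client"
    [Parameter(Mandatory)] [string] $OsceInstallPath,
    [string] $OutDir = "$env:USERPROFILE\Desktop\UMH_logs_$(Get-Date -Format yyyyMMdd_HHmmss)"
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $OutDir | Out-Null
$proc = Get-Process -Id $ProcessId

# 1. Loaded-module list: the same information as Process Explorer's DLL lower pane.
#    A 32-bit PowerShell host cannot enumerate the modules of a 64-bit process.
$proc.Modules |
    Select-Object ModuleName, FileName, FileVersion, BaseAddress, ModuleMemorySize |
    Export-Csv -Path (Join-Path $OutDir "$($proc.ProcessName)_${ProcessId}_dlls.csv") -NoTypeInformation

# 2. Optional full user-mode dump via Sysinternals procdump (-ma = full memory).
#    Skipped when procdump is not on PATH; use Process Explorer / Task Manager instead.
if (Get-Command procdump.exe -ErrorAction SilentlyContinue) {
    & procdump.exe -accepteula -ma $ProcessId (Join-Path $OutDir "$($proc.ProcessName).dmp")
}

# 3. UMH binaries. Each path is optional: syswow64 is absent on 32-bit Windows,
#    and the two "tmumh" folders share a name, so each copy gets a path-derived folder.
$binaryPaths = @(
    (Join-Path $OsceInstallPath 'CCSF\module\20019'),
    "$env:windir\system32\tmumh",
    "$env:windir\syswow64\tmumh",
    "$env:windir\system32\drivers\tmumh.sys"
)
$binDir = New-Item -ItemType Directory -Path (Join-Path $OutDir 'binaries')
foreach ($p in $binaryPaths) {
    if (Test-Path $p) {
        $dest = Join-Path $binDir.FullName ($p -replace '[:\\]', '_')
        Copy-Item -Path $p -Destination $dest -Recurse -Force
    } else {
        Add-Content -Path (Join-Path $OutDir 'missing_paths.txt') -Value $p
    }
}
# Record file versions so the dump can be matched to the exact UMH build.
Get-ChildItem $binDir.FullName -Recurse -File |
    Select-Object FullName, @{n='FileVersion'; e={ $_.VersionInfo.FileVersion }}, Length, LastWriteTime |
    Export-Csv -Path (Join-Path $OutDir 'binary_versions.csv') -NoTypeInformation

# 4. Registry. GlobalFlag is a value, not a key, so it is queried rather than exported.
$regDir = New-Item -ItemType Directory -Path (Join-Path $OutDir 'registry')
$keys = @{
    'tmumh_service' = 'HKLM\SYSTEM\CurrentControlSet\Services\tmumh'
    'IFEO'          = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    'WinNT_Windows' = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
}
foreach ($k in $keys.GetEnumerator()) {
    & reg.exe export $k.Value (Join-Path $regDir.FullName "$($k.Key).reg") /y | Out-Null
}
# Run through cmd.exe so a missing value is recorded in the file instead of raising a PowerShell error.
cmd.exe /c 'reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v GlobalFlag 2>&1' |
    Out-File -FilePath (Join-Path $regDir.FullName 'GlobalFlag.txt')

Compress-Archive -Path "$OutDir\*" -DestinationPath "$OutDir.zip" -Force
Write-Host "UMH collection written to $OutDir.zip"
```

Run it as, for example, `.\Collect-UmhLogs.ps1 -ProcessId 4321 -OsceInstallPath 'C:\Program Files (x86)\Trend Micro\OfficeScan Client'` (script name and path are assumed). The resulting zip contains the DLL list, the copied binaries with their file versions, the exported registry keys and, if procdump was available, the full dump, which is everything the steps above ask for apart from the manual dump.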