Yes,

I meant 238. I have tried going from 225 to 238 as well and am experiencing the same problem. I do have on machine that is working properly with the csauser.dll module failure, but I am not sure what the difference is.

I also am trying to use a builder appclass rule to add any application that accesses either explorer or csauser.dll to be added to the dynamic app

Joshua,

Do you have any uncommon or custom software installed on the failing hosts?

There is a way to exclude applications from CSA if you can figure out which app is causing it to fail.

http://www.cisco.com/en/US/products/sw/secursw/ps5057/products_configuration_example09186a00805f0c18

Try putting a host in a group that doesn't have any system API rules and see if it helps.

Don't worry too much about the version mismatch. It should still work fine until you figure it out.

Good luck.

Tom

Sorry for the delayed response. I had to open a TAC ticket because I could not figure out if a subprocess was causing csauser.dll to crash explorer.

I sent them a kernel memory dump. Because the crash did not officially create a Blue Screen of Death I was forced to manually create one. This is something new I learned and very useful to analyze code. It works with Win 2k,XP, and Server 2000/2003. This is only available to PC's that have a PS2 connected keyboard. For usb keyboards you will have to request a hotfix from microsoft:

To enable this features, you'll need to edit registry and reboot the computer after edit.

Open the

"HKLM\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters" reg key,

add the REG_DWORD CrashOnCtrlScroll value, and set it to 1.

After reboot you will manually “crash” the system.

To view BSOD, press and hold right key, and press key twice.

The STOP screen contain following massage..

*** STOP: 0x000000E2 (0x00000000,0x00000000,0x00000000)

The end-user manually generated the crashdump.

Once that was done, I sent my dmp to Cisco and they found that it was caused by an explorer launched process that monitored printer usage. The software is called Print Audit 5. I created a kernel protection exception rule for that process and now everything works normally. I hope the above registry entry can help anyone else who is experiencing any type of crash with csa in order to pinpoint the underlying process

Nice job Joshua,

Thanks for the update.

Tom

Let me second Tom's congratulations for a job well done. I have included the "Print Audit 5" in my Cheatsheet under the heading of Bugs.

Thanks. I rate it a 5.

Best,

Paul

Wow, i have been struggling with print audit 5 all afternoon and as a last resort searched for it here. Thanks. i should be able to get the audit underway now