September 15th, 2018: I encountered an issue on multiple models of Lenovo laptops where, after the laptop\’s inactivity timer induced a sleep event, upon waking the laptop I was presented with a BSOD stating PDC_WATCHDOG_TIMEOUT (NOTE: PDC stands for \”Power Dependency Coordinator\”).
The issue was easily reproduce-able by setting the laptop\’s sleep time to be 1 minute, and then waiting a minute and then waking the laptop.
A little bit of research turned up this Microsoft answers forum post: Microsoft Surface Pro (2017) BSOD PDC_WATCHDOG_TIMEOUT pdc.sys with Trend Micro Anti Virus.
While this post specified \”Microsoft Surface Pro (2017)\”, the \”with Trend Micro Anti Virus\” caught my eye, as all affected laptops were running Trend Micro OfficeScan 11. (Note: All laptops were also running Windows 10 Creators Update (1703)).
According to a reply to the initial forum post:
the issue is because [Trend Micro] Behaviour Monitoring is unable to handle events from sleep mode
Simply disabling sleep mode was not an option due to end-user preferences.
So I chose to test the following instructions:
1. Rename AEGIS drivers and create a folder with same name:
c:\\windows\\system32\\drivers\\tmcomm.sys
c:\\windows\\system32\\drivers\\tmactmon.sys
c:\\windows\\system32\\drivers\\tmevtmgr.sys(ps: For example, take tmcomm.sys and rename it as tmcomm.sys.bak; then create a folder named tmcomm.sys)
2. Create the following registry key entry:
[HKEY_LOCAL_MACHINE\\SOFTWARE\\TrendMicro\\aegis]
PowerMonitorTime=dword:0x10
Please note, should you follow these instructions, it will disable the Trend Micro AEGIS (Behavior Monitoring Service) driver. What does this driver do? Per the following links, Behavior Monitoring and Blocking malicious activities using Behavior Monitoring in OfficeScan (OSCE):
Behavior Monitoring constantly monitors endpoints for unusual modifications to the operating system or on installed software. Behavior Monitoring protects endpoints through Malware Behavior Blocking and Event Monitoring. Complementing these two features are a user-configured exception list and the Certified Safe Software Service.
Important:
– Behavior Monitoring does not support Windows XP or Windows 2003 64-bit platforms.
– Behavior Monitoring does support Windows Vista 64-bit platforms with SP1 or later.
– By default, Behavior Monitoring is disabled on all versions of Windows Server 2003, Windows Server 2008, and Windows Server 2012. Before enabling Behavior Monitoring on these server platforms, read the guidelines and best practices outlined in OfficeScan Agent Services.
and
Behavior Monitoring controls access to external storage devices and network resources, regulating potential avenues for data leakage or malware infection. Through the Client Self Protection feature, Behavior Monitoring also enhances endpoint protection by keeping security-related processes always up and running, and by protecting the OfficeScan client files and registry keys.
After performing the above steps, regarding the tmcomm, tmacmon, and tmevtmgr sys files, I was no longer able to reproduce the issue.
This was not a permanent resolution as it breaks an important function within the anti-virus service.
UPDATE: It appears that Trend now has a patch to resolve this issue – Blue Screen of Death (BSoD) occurs when Microsoft Surface Pro exits sleep mode. The patch will be rolled out to address the issue, and once it is completed, I will re-evaluate.
UPDATE 2019-01-18: Trend Micro OfficeScan 12 has been rolling out for a few months now and it appears to have resolved the issues. All systems with AEGIS disabled have now been reverted, I am no longer able to reproduce BSODs using the steps described at the beginning of this article.
UPDATE 2022-04-16: Looking back on this, after having some more involved experiences with Windows 10\’s modern standby and fast startup, and trying to get Linux installs to correctly go to sleep and wake up, I believe that disabling modern standby – per these instructions, How to Unlock Power Plans on Surface Device – would have neatly resolved the issue without introducing a temporary decrease in security.