
Many Kernel-EventTracing 0xC0000022 errors caused by SophosNtpService.exe on Windows Servers

On Server 2012 R2 with Exchange and Intercept-X I see the event log full of errors caused by the Sophos Network Threat Protection Agent.

One error per minute.

Fehler	04.03.2021 12:24:36	Kernel-EventTracing	2	Sitzung
Fehler	04.03.2021 12:23:33	Kernel-EventTracing	2	Sitzung
Fehler	04.03.2021 12:22:30	Kernel-EventTracing	2	Sitzung
Fehler	04.03.2021 12:21:27	Kernel-EventTracing	2	Sitzung
Fehler	04.03.2021 12:20:24	Kernel-EventTracing	2	Sitzung
Fehler	04.03.2021 12:19:21	Kernel-EventTracing	2	Sitzung
Fehler	04.03.2021 12:18:18	Kernel-EventTracing	2	Sitzung
Fehler	04.03.2021 12:17:15	Kernel-EventTracing	2	Sitzung
Fehler	04.03.2021 12:16:12	Kernel-EventTracing	2	Sitzung
Fehler	04.03.2021 12:15:09	Kernel-EventTracing	2	Sitzung
Fehler	04.03.2021 12:14:06	Kernel-EventTracing	2	Sitzung
Fehler	04.03.2021 12:13:03	Kernel-EventTracing	2	Sitzung

Fehler   04.03.2021 10:44:40       Kernel-EventTracing      2              Sitzung

Beim Starten der Sitzung "" ist der folgende Fehler aufgetreten: 0xC0000022.

 

Provider
   [ Name]  Microsoft-Windows-Kernel-EventTracing
   [ Guid]  {B675EC37-BDB6-4648-BC92-F3FDC74D3CA2}
EventID 2
Version 0
Level 2
Task 2
Opcode 12
Keywords 0x8000000000000010
- TimeCreated
   [ SystemTime]  2021-03-04T09:44:40.335409100Z
EventRecordID 217122
Correlation
- Execution
   [ ProcessID]  3032
   [ ThreadID]  13104
Channel Microsoft-Windows-Kernel-EventTracing/Admin
Computer Exchangeserver.localdomain.de

 

tasklist |find "3032"

SophosNtpService.exe          3032 Services                   0        29.904 K

This must be a known issue - there has been a similar thread: https://community.sophos.com/intercept-x-endpoint/f/discussions/125059/kernel-eventtracing-id2-error-in-windows-server

What's the root cause?

i-X Versions:



  • Hi,

    This issue is exclusively caused by the PID of the Sophos process: SophosNtpService.exe

    I don't think this is a Microsoft issue. Maybe SophosNtpService is triggering some Windows component or is itself acting like a teaming device?

    This is a standard VM with no teaming, just a virtual vmxnet3 adapter.

  • I am getting this on my Server 2012 R2 systems as well. Any progress on this problem? I first noticed it on some servers which used MS Network Load Balancing, but I see it on others that don't have this. All instances seem to have started on 3/7 in the early afternoon.

  • Hi, about the start date of the issue: in our case it is limited by the default size of the event log that contains them. It's only 1 MB. It may have been there much longer.

  • LHerzog, I had that suspicion. I restored an event file from a few weeks ago and yup, it's full of those events. So, nothing new. Thought it was because this is a newer thread, and it was just coincidence on our side we had an application issue start around the same time as the oldest entry of these logs. Also, I don't see this happening on any 2019 servers.
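
The manual steps from the first post (read the ProcessID out of event ID 2, then look it up with tasklist) and the log-size point raised in the replies, combined into one PowerShell check. This is an added example and not part of any post in this thread; it assumes an elevated session on the affected server, and the variable names are illustrative.

```powershell
# Added example, not from the thread. Channel, event ID and error code are the ones quoted above.
$logName   = 'Microsoft-Windows-Kernel-EventTracing/Admin'
$errorCode = '0xC0000022'   # NTSTATUS STATUS_ACCESS_DENIED

# Event ID 2 = a trace session failed to start. The message text is localized,
# but the hex status code appears in it unchanged, so match on that.
$events = @(Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 2 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $errorCode })

if ($events.Count -eq 0) {
    Write-Output "No event ID 2 with $errorCode found in $logName"
    return
}

# Group by the PID recorded in the event's Execution block and resolve it to a process.
# A PID is only meaningful while that process is still running; after a restart it can be reused.
$events | Group-Object ProcessId | ForEach-Object {
    $procId = [int]$_.Name
    $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
    $sorted = @($_.Group | Sort-Object TimeCreated)

    # Seconds between consecutive events, to confirm the "one error per minute" pattern.
    $gaps = @(for ($i = 1; $i -lt $sorted.Count; $i++) {
        ($sorted[$i].TimeCreated - $sorted[$i - 1].TimeCreated).TotalSeconds
    }) | Sort-Object
    $gaps = @($gaps)
    $median = if ($gaps.Count -gt 0) { $gaps[[int][math]::Floor($gaps.Count / 2)] } else { $null }

    [pscustomobject]@{
        ProcessId    = $procId
        Process      = if ($proc) { $proc.ProcessName } else { '<not running>' }
        Count        = $_.Count
        First        = $sorted[0].TimeCreated
        Last         = $sorted[-1].TimeCreated
        MedianGapSec = $median
    }
} | Format-Table -AutoSize

# The oldest event only shows how far back the log reaches, not when the problem began:
# compare the current file size with the configured maximum before drawing conclusions.
Get-WinEvent -ListLog $logName |
    Select-Object LogName, LogMode, RecordCount, FileSize, MaximumSizeInBytes
```

If FileSize is at or near MaximumSizeInBytes and LogMode is Circular, older events have already been overwritten and the First timestamp is a lower bound only.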