
Many Kernel-EventTracing 0xC0000022 errors caused by SophosNtpService.exe on Windows Servers

On Server 2012 R2 with Exchange and Intercept-X I see the event log full of errors caused by Sophos Network Threat Protection Agent.

One error per minute.

Fehler	04.03.2021 12:24:36	Kernel-EventTracing	2	Sitzung
Fehler	04.03.2021 12:23:33	Kernel-EventTracing	2	Sitzung
Fehler	04.03.2021 12:22:30	Kernel-EventTracing	2	Sitzung
Fehler	04.03.2021 12:21:27	Kernel-EventTracing	2	Sitzung
Fehler	04.03.2021 12:20:24	Kernel-EventTracing	2	Sitzung
Fehler	04.03.2021 12:19:21	Kernel-EventTracing	2	Sitzung
Fehler	04.03.2021 12:18:18	Kernel-EventTracing	2	Sitzung
Fehler	04.03.2021 12:17:15	Kernel-EventTracing	2	Sitzung
Fehler	04.03.2021 12:16:12	Kernel-EventTracing	2	Sitzung
Fehler	04.03.2021 12:15:09	Kernel-EventTracing	2	Sitzung
Fehler	04.03.2021 12:14:06	Kernel-EventTracing	2	Sitzung
Fehler	04.03.2021 12:13:03	Kernel-EventTracing	2	Sitzung

Fehler   04.03.2021 10:44:40       Kernel-EventTracing      2              Sitzung

Beim Starten der Sitzung "" ist der folgende Fehler aufgetreten: 0xC0000022.

 

    Provider
       [ Name]  Microsoft-Windows-Kernel-EventTracing
       [ Guid]  {B675EC37-BDB6-4648-BC92-F3FDC74D3CA2}
    EventID 2
    Version 0
    Level 2
    Task 2
    Opcode 12
    Keywords 0x8000000000000010
    - TimeCreated
       [ SystemTime]  2021-03-04T09:44:40.335409100Z
    EventRecordID 217122
    Correlation
    - Execution
       [ ProcessID]  3032
       [ ThreadID]  13104
    Channel Microsoft-Windows-Kernel-EventTracing/Admin
    Computer Exchangeserver.localdomain.de

 

tasklist |find "3032"

SophosNtpService.exe          3032 Services                   0        29.904 K

This must be a known issue - there has been a similar thread: https://community.sophos.com/intercept-x-endpoint/f/discussions/125059/kernel-eventtracing-id2-error-in-windows-server

What's the root cause?

i-X Versions:



  • May I know why installing Sophos Endpoint is causing this? MS is suggesting the following:

    Takeown /f c:\windows\inf  
    icacls c:\windows\inf /grant "NT AUTHORITY\NETWORK SERVICE":"(OI)(CI)(F)"  
    icacls c:\windows\inf\netcfgx.0.etl /grant "NT AUTHORITY\NETWORK SERVICE":F  
    icacls c:\windows\inf\netcfgx.1.etl /grant "NT AUTHORITY\NETWORK SERVICE":F
    
    These commands grant the necessary file permissions to prevent the error logging in this scenario.


    Is the Sophos Endpoint installer setting wrong permissions on those system files?
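
A read-only way to repeat the diagnosis from the post (event to PID to service) and to see what NETWORK SERVICE can currently do on the paths named in the reply, before any ACL is changed. This is an added example, not part of the thread and not Sophos or Microsoft guidance; it assumes an elevated PowerShell session, and the variable names are its own.

```powershell
# Added example, not from the thread. Read-only: it changes no permissions.
# Assumption: run from an elevated PowerShell session on the affected server.
$logName = 'Microsoft-Windows-Kernel-EventTracing/Admin'  # channel from the event above
$errCode = '0xC0000022'                                    # STATUS_ACCESS_DENIED
$nsSid   = 'S-1-5-20'   # well-known SID of NETWORK SERVICE (display name is localized)

# 1. Event ID 2 records whose message carries the access-denied code.
$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 2 } `
              -MaxEvents 500 -ErrorAction SilentlyContinue |
          Where-Object { $_.Message -match $errCode }

# 2. Group by the logging PID and resolve it to a process, service and account.
#    PIDs are reused after restarts, so only the recent events map reliably.
$events | Group-Object ProcessId | ForEach-Object {
    $procId = [int]$_.Name
    $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
    $svc  = Get-CimInstance Win32_Service -Filter "ProcessId = $procId"
    [pscustomobject]@{
        ProcessId = $procId
        Process   = if ($proc) { $proc.ProcessName } else { '(not running)' }
        Service   = ($svc.Name -join ',')
        RunsAs    = ($svc.StartName -join ',')
        Events    = $_.Count
        Latest    = ($_.Group | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated
    }
} | Format-Table -AutoSize | Out-String

# 3. Current NETWORK SERVICE rights on the paths the quoted commands would change.
$paths = 'C:\Windows\inf', 'C:\Windows\inf\netcfgx.0.etl', 'C:\Windows\inf\netcfgx.1.etl'
foreach ($p in $paths) {
    if (-not (Test-Path -LiteralPath $p)) { "{0}: not present" -f $p; continue }
    $acl   = Get-Acl -LiteralPath $p
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $ns    = @($rules | Where-Object { $_.IdentityReference.Value -eq $nsSid })
    [pscustomobject]@{
        Path           = $p
        Owner          = $acl.Owner
        NetworkService = if ($ns) { $ns.FileSystemRights -join '; ' } else { '(no entry)' }
    }
}
```

The `RunsAs` column shows which account the logging service uses, and the last table records the owner and NETWORK SERVICE rights as they stand, which gives a baseline to compare against if the `takeown` and `icacls` commands are applied later.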
