many Kernel-EventTracing 0xC0000022 errors caused by SophosNtpService.exe on Windows Servers

On Server 2012 R2 with Exchange and Intercept-X I see the event log full of errors caused by the Sophos Network Threat Protection Agent.

One error per minute.

Fehler	04.03.2021 12:24:36	Kernel-EventTracing	2	Sitzung
Fehler	04.03.2021 12:23:33	Kernel-EventTracing	2	Sitzung
Fehler	04.03.2021 12:22:30	Kernel-EventTracing	2	Sitzung
Fehler	04.03.2021 12:21:27	Kernel-EventTracing	2	Sitzung
Fehler	04.03.2021 12:20:24	Kernel-EventTracing	2	Sitzung
Fehler	04.03.2021 12:19:21	Kernel-EventTracing	2	Sitzung
Fehler	04.03.2021 12:18:18	Kernel-EventTracing	2	Sitzung
Fehler	04.03.2021 12:17:15	Kernel-EventTracing	2	Sitzung
Fehler	04.03.2021 12:16:12	Kernel-EventTracing	2	Sitzung
Fehler	04.03.2021 12:15:09	Kernel-EventTracing	2	Sitzung
Fehler	04.03.2021 12:14:06	Kernel-EventTracing	2	Sitzung
Fehler	04.03.2021 12:13:03	Kernel-EventTracing	2	Sitzung

Fehler   04.03.2021 10:44:40       Kernel-EventTracing      2              Sitzung

Beim Starten der Sitzung "" ist der folgende Fehler aufgetreten: 0xC0000022.

 

Provider
   [ Name]  Microsoft-Windows-Kernel-EventTracing
   [ Guid]  {B675EC37-BDB6-4648-BC92-F3FDC74D3CA2}
EventID 2
Version 0
Level 2
Task 2
Opcode 12
Keywords 0x8000000000000010
TimeCreated
   [ SystemTime]  2021-03-04T09:44:40.335409100Z
EventRecordID 217122
Correlation
Execution
   [ ProcessID]  3032
   [ ThreadID]  13104
Channel Microsoft-Windows-Kernel-EventTracing/Admin
Computer Exchangeserver.localdomain.de

tasklist |find "3032"

SophosNtpService.exe          3032 Services                   0        29.904 K

This must be a known issue - there has been a similar thread: https://community.sophos.com/intercept-x-endpoint/f/discussions/125059/kernel-eventtracing-id2-error-in-windows-server

What's the root cause?

i-X Versions:


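The PID-to-process lookup the post does by hand with tasklist, as an added example that is not code from the thread or from Sophos: this PowerShell snippet pulls the Kernel-EventTracing event ID 2 entries from the Admin channel named in the event details above and groups them by the raising process and NTSTATUS code, so a server flooded with these entries can be triaged in one pass. Channel, provider and event ID are taken from the post; the 24-hour window, the regex-based error-code extraction and the output columns are my own choices.

```powershell
# Added example, not code from the thread or from Sophos. Summarizes
# Microsoft-Windows-Kernel-EventTracing event 2 entries by the process that
# raised them (what the post did by hand with: tasklist | find "3032").
# Run in an elevated PowerShell session on the affected server.

$filter = @{
    LogName      = 'Microsoft-Windows-Kernel-EventTracing/Admin'   # channel from the post
    ProviderName = 'Microsoft-Windows-Kernel-EventTracing'
    Id           = 2
    StartTime    = (Get-Date).AddHours(-24)                         # assumed window
}

$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) {
    Write-Host 'No Kernel-EventTracing ID 2 events in the last 24 hours.'
    return
}

# Resolve each PID once. A PID that no longer exists, or has been reused by
# another process since the event was written, cannot be attributed reliably.
$nameByPid = @{}
foreach ($ev in $events) {
    $procId = if ($ev.ProcessId) { [int]$ev.ProcessId } else { 0 }
    if (-not $nameByPid.ContainsKey($procId)) {
        $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
        $nameByPid[$procId] = if ($proc) { $proc.ProcessName } else { '<no longer running>' }
    }
}

$rows = foreach ($ev in $events) {
    $procId = if ($ev.ProcessId) { [int]$ev.ProcessId } else { 0 }
    # The NTSTATUS code (e.g. 0xC0000022) survives in the message on any UI language,
    # so matching it is more robust than parsing the localized text around it.
    $code = if ($ev.Message -match '0x[0-9A-Fa-f]{8}') { $Matches[0] } else { 'n/a' }
    [pscustomobject]@{
        TimeCreated = $ev.TimeCreated
        ProcessId   = $procId
        Process     = $nameByPid[$procId]
        ErrorCode   = $code
    }
}

$rows |
    Group-Object Process, ErrorCode |
    ForEach-Object {
        $sorted = $_.Group | Sort-Object TimeCreated
        [pscustomobject]@{
            Process   = $sorted[0].Process
            ProcessId = ($sorted | Select-Object -ExpandProperty ProcessId -Unique) -join ','
            ErrorCode = $sorted[0].ErrorCode
            Count     = $_.Count
            First     = $sorted[0].TimeCreated
            Last      = $sorted[-1].TimeCreated
        }
    } |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

On the server described in the post this should collapse the one-per-minute flood into a single row attributed to SophosNtpService.exe with error code 0xC0000022; a process that has exited since the events were written shows up as "<no longer running>" rather than being misattributed to whatever now owns that PID.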

  • I found the solution on this.

    Basically this is caused by incorrect permissions on the netcfgx.0.etl and netcfgx.1.etl files in the Windows\Inf folder, as already referenced here by the Microsoft blog post.

    But it's wrong in this situation to allow permissions to the "NT AUTHORITY\NETWORK SERVICE" account as written in the Technet blog and suggested by Sophos here.

    You need to add the permissions for the "NT AUTHORITY\LOCAL SERVICE" account.

    Note: this is from a German-language system. The usernames differ from those on English systems.
    
    C:\Windows\Inf>cacls netcfgx.0.etl
    C:\Windows\Inf\netcfgx.0.etl NT-AUTORITÄT\Lokaler Dienst:F
                                 NT-AUTORITÄT\SYSTEM:(ID)F
                                 VORDEFINIERT\Administratoren:(ID)F
                                 VORDEFINIERT\Benutzer:(ID)R
                                 ZERTIFIZIERUNGSSTELLE FÜR ANWENDUNGSPAKETE\ALLE ANENDUNGSPAKETE:(ID)R
    
    
    C:\Windows\Inf>cacls netcfgx.1.etl
    C:\Windows\Inf\netcfgx.1.etl NT-AUTORITÄT\Lokaler Dienst:F
                                 NT-AUTORITÄT\SYSTEM:(ID)F
                                 VORDEFINIERT\Administratoren:(ID)F
                                 VORDEFINIERT\Benutzer:(ID)R
                                 ZERTIFIZIERUNGSSTELLE FÜR ANWENDUNGSPAKETE\ALLE ANENDUNGSPAKETE:(ID)R

    Why: because the Sophos NTP Service is running as Local Service, not Network Service.

  • Noticed today that the modified ACLs of the two files get overwritten after some time, so the "NT AUTHORITY\LOCAL SERVICE" account gets removed and the errors appear again following the ACL change.
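A check for the fix described in the first reply, together with the ACL drift the comment just above reports, as an added example that is not code from the thread or from Sophos: it verifies that LOCAL SERVICE holds FullControl on the two ETL files and restores the entry only when run with -Repair. It identifies the account by its well-known SID S-1-5-19 instead of by name, so the same check works on the German system shown in the reply (NT-AUTORITÄT\Lokaler Dienst) and on an English one (NT AUTHORITY\LOCAL SERVICE). The file paths come from the reply; the -Repair switch and the output lines are my own.

```powershell
# Added example, not code from the thread or from Sophos. Checks (and with
# -Repair restores) FullControl for LOCAL SERVICE on the two ETL files named
# in the reply. Run elevated; schedule it if the ACL keeps being overwritten.
param([switch]$Repair)

$files = @(
    'C:\Windows\Inf\netcfgx.0.etl',
    'C:\Windows\Inf\netcfgx.1.etl'
)

# Well-known SID of NT AUTHORITY\LOCAL SERVICE. Language-neutral, unlike the
# account name (NT-AUTORITÄT\Lokaler Dienst on the German system in the thread).
$localServiceSid = 'S-1-5-19'
$localService    = New-Object System.Security.Principal.SecurityIdentifier($localServiceSid)
$displayName     = $localService.Translate([System.Security.Principal.NTAccount]).Value
$fullControl     = [System.Security.AccessControl.FileSystemRights]::FullControl

foreach ($file in $files) {
    if (-not (Test-Path -LiteralPath $file)) {
        Write-Warning "$file not found, skipping"
        continue
    }

    $acl = Get-Acl -LiteralPath $file

    # Look for an Allow ACE for S-1-5-19 whose rights include FullControl,
    # whether the entry is explicit or inherited.
    $granted = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $localServiceSid -and
        $_.FileSystemRights.HasFlag($fullControl)
    }

    if ($granted) {
        Write-Output "$file : OK ($displayName has FullControl)"
        continue
    }

    Write-Output "$file : MISSING FullControl for $displayName"
    if ($Repair) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $localService, $fullControl, 'Allow'
        $acl.AddAccessRule($rule)
        Set-Acl -LiteralPath $file -AclObject $acl
        Write-Output "$file : repaired"
    }
}
```

Without -Repair the script only reports, which makes it suitable as a scheduled check that tells you when the entry has been stripped again; with -Repair it adds the ACE back in place, leaving the other entries shown in the cacls output untouched.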

  • Congrats on your detailed work on this issue. Hope this information gives an idea to our digital security solutions provider.
    I wonder if this issue occurs on other server versions like 2016 and 2019.

  • I've not seen this on those two Server versions yet. But just today I had a struggle with all those thousands of alerts in the event log of a server I had to check. It's hard to find the problem you are actually looking for if 98% of the Administrative Events consist only of Kernel-EventTracing 0xC0000022 errors.