many Kernel-EventTracing 0xC0000022 errors caused by SophosNtpService.exe on Windows Servers

Hi LHerzog

Error : Session "" failed to start with the following error: 0xC0000022 | Source: Kernel-EventTracing | Event ID: 2 |Level: Error |

From reviewing the logs and seeing the error, It seems that it is not a Sophos issue, but one that is outlined in the following KB by Microsoft. Let me know if it helps. 

https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/kernel-event-id-2-msft-netLbfoteamnic-class

I also am having this issue on a Windows 2012 R2 server that does not use NIC teaming. Any word on this?

Complete silcence here by Sophos.

I guess they are just waiting for Server 2012 R2 to get out of maintenance. Then it would be easy to say it is unsupported.

I found the solution on this.

Basically this is caused by incorrect permissions on the netcfgx.0 and netcfgx.1 .etl files in the Windows\Inf folder as already referenced here by the Microsoft blog post.

But it's wrong in this situation to allow permissions to the "NT AUTHORITY\NETWORK SERVICE" account as written in the Technet blog and suggested by Sophos here.

You need to add the permissions for the "NT AUTHORITY\LOCAL SERVICE" account.

Note: this is from German language system. Different usernames than on English systems.

C:\Windows\Inf>cacls netcfgx.0.etl
C:\Windows\Inf\netcfgx.0.etl NT-AUTORITÄT\Lokaler Dienst:F
                             NT-AUTORITÄT\SYSTEM:(ID)F
                             VORDEFINIERT\Administratoren:(ID)F
                             VORDEFINIERT\Benutzer:(ID)R
                             ZERTIFIZIERUNGSSTELLE FÜR ANWENDUNGSPAKETE\ALLE ANENDUNGSPAKETE:(ID)R


C:\Windows\Inf>cacls netcfgx.1.etl
C:\Windows\Inf\netcfgx.1.etl NT-AUTORITÄT\Lokaler Dienst:F
                             NT-AUTORITÄT\SYSTEM:(ID)F
                             VORDEFINIERT\Administratoren:(ID)F
                             VORDEFINIERT\Benutzer:(ID)R
                             ZERTIFIZIERUNGSSTELLE FÜR ANWENDUNGSPAKETE\ALLE ANENDUNGSPAKETE:(ID)R

Why: because the Sophos NTP Service is running as Local Service, not Network Service.

I found the solution on this.

Basically this is caused by incorrect permissions on the netcfgx.0 and netcfgx.1 .etl files in the Windows\Inf folder as already referenced here by the Microsoft blog post.

But it's wrong in this situation to allow permissions to the "NT AUTHORITY\NETWORK SERVICE" account as written in the Technet blog and suggested by Sophos here.

You need to add the permissions for the "NT AUTHORITY\LOCAL SERVICE" account.

Note: this is from German language system. Different usernames than on English systems.

C:\Windows\Inf>cacls netcfgx.0.etl
C:\Windows\Inf\netcfgx.0.etl NT-AUTORITÄT\Lokaler Dienst:F
                             NT-AUTORITÄT\SYSTEM:(ID)F
                             VORDEFINIERT\Administratoren:(ID)F
                             VORDEFINIERT\Benutzer:(ID)R
                             ZERTIFIZIERUNGSSTELLE FÜR ANWENDUNGSPAKETE\ALLE ANENDUNGSPAKETE:(ID)R


C:\Windows\Inf>cacls netcfgx.1.etl
C:\Windows\Inf\netcfgx.1.etl NT-AUTORITÄT\Lokaler Dienst:F
                             NT-AUTORITÄT\SYSTEM:(ID)F
                             VORDEFINIERT\Administratoren:(ID)F
                             VORDEFINIERT\Benutzer:(ID)R
                             ZERTIFIZIERUNGSSTELLE FÜR ANWENDUNGSPAKETE\ALLE ANENDUNGSPAKETE:(ID)R

Why: because the Sophos NTP Service is running as Local Service, not Network Service.

Noticed today that file modified ACLs of the two files get overwritten after some time so the "NT AUTHORITY\LOCAL SERVICE" account gets removed and the errors appear again following the ACL change.

Congrats on your detailed work on this issue. Hope this information give an idea for our digital security solutions provider.
I wonder if this issue occurs on other server versions like 2016 and 2019.

I've not seen this on those two Server versions yet. But just today I had struggle with all those thousands of Alerts in the eventlog of a server I hat do check. Its hard to find the problem you are actually looking for if the whole Administrative Events to 98% only consists of Kernel-EventTracing 0xC0000022 errors.