
many Kernel-EventTracing 0xC0000022 errors caused by SophosNtpService.exe on Windows Servers

On Server 2012 R2 with Exchange and Intercept-X I see the event log full of errors caused by the Sophos Network Threat Protection Agent.

One error per minute.

Error	04.03.2021 12:24:36	Kernel-EventTracing	2	Session
Error	04.03.2021 12:23:33	Kernel-EventTracing	2	Session
Error	04.03.2021 12:22:30	Kernel-EventTracing	2	Session
Error	04.03.2021 12:21:27	Kernel-EventTracing	2	Session
Error	04.03.2021 12:20:24	Kernel-EventTracing	2	Session
Error	04.03.2021 12:19:21	Kernel-EventTracing	2	Session
Error	04.03.2021 12:18:18	Kernel-EventTracing	2	Session
Error	04.03.2021 12:17:15	Kernel-EventTracing	2	Session
Error	04.03.2021 12:16:12	Kernel-EventTracing	2	Session
Error	04.03.2021 12:15:09	Kernel-EventTracing	2	Session
Error	04.03.2021 12:14:06	Kernel-EventTracing	2	Session
Error	04.03.2021 12:13:03	Kernel-EventTracing	2	Session

Error	04.03.2021 10:44:40	Kernel-EventTracing	2	Session

Session "" failed to start with the following error: 0xC0000022.

Provider
   [ Name]  Microsoft-Windows-Kernel-EventTracing
   [ Guid]  {B675EC37-BDB6-4648-BC92-F3FDC74D3CA2}
EventID 2
Version 0
Level 2
Task 2
Opcode 12
Keywords 0x8000000000000010
TimeCreated
   [ SystemTime]  2021-03-04T09:44:40.335409100Z
EventRecordID 217122
Correlation
Execution
   [ ProcessID]  3032
   [ ThreadID]  13104
Channel Microsoft-Windows-Kernel-EventTracing/Admin
Computer Exchangeserver.localdomain.de

tasklist |find "3032"

SophosNtpService.exe          3032 Services                   0        29.904 K

This must be a known issue - there has been a similar thread: https://community.sophos.com/intercept-x-endpoint/f/discussions/125059/kernel-eventtracing-id2-error-in-windows-server

What's the root cause?

i-X Versions:

  • I found the solution on this.

    Basically this is caused by incorrect permissions on the netcfgx.0.etl and netcfgx.1.etl files in the Windows\Inf folder, as already referenced here by the Microsoft blog post.

    But in this situation it is wrong to grant the permissions to the "NT AUTHORITY\NETWORK SERVICE" account as written in the TechNet blog and suggested by Sophos here.

    You need to add the permissions for the "NT AUTHORITY\LOCAL SERVICE" account.

    Note: this is from a German-language system, so the account names differ from those on English systems.
    
    C:\Windows\Inf>cacls netcfgx.0.etl
    C:\Windows\Inf\netcfgx.0.etl NT-AUTORITÄT\Lokaler Dienst:F
                                 NT-AUTORITÄT\SYSTEM:(ID)F
                                 VORDEFINIERT\Administratoren:(ID)F
                                 VORDEFINIERT\Benutzer:(ID)R
                                 ZERTIFIZIERUNGSSTELLE FÜR ANWENDUNGSPAKETE\ALLE ANWENDUNGSPAKETE:(ID)R


    C:\Windows\Inf>cacls netcfgx.1.etl
    C:\Windows\Inf\netcfgx.1.etl NT-AUTORITÄT\Lokaler Dienst:F
                                 NT-AUTORITÄT\SYSTEM:(ID)F
                                 VORDEFINIERT\Administratoren:(ID)F
                                 VORDEFINIERT\Benutzer:(ID)R
                                 ZERTIFIZIERUNGSSTELLE FÜR ANWENDUNGSPAKETE\ALLE ANWENDUNGSPAKETE:(ID)R

    Why: because the Sophos NTP Service is running as Local Service, not Network Service.
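The two steps in this thread (find which process is behind the event ID 2 entries, then check the ACL on the netcfgx ETL files for the account that process runs as) as an added PowerShell example. This is not code from the thread, from Sophos or from the Microsoft blog post; it assumes the ETL files live in Windows\Inf as above, defaults to LOCAL SERVICE (S-1-5-19) as the reply found, and compares well-known SIDs rather than account names so it works the same on a German and an English system:

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original thread). Run in an elevated PowerShell.
#  1. Map Kernel-EventTracing event ID 2 entries containing 0xC0000022
#     (STATUS_ACCESS_DENIED) to the process and service that raised them.
#  2. Check, and with -Fix repair, the ACL on $env:windir\Inf\netcfgx.*.etl
#     for the account given by -GrantSid (assumption: LOCAL SERVICE, S-1-5-19).
param(
    [switch]$Fix,                                    # report only unless -Fix is given
    [string]$InfDir   = (Join-Path $env:windir 'Inf'),
    [string]$GrantSid = 'S-1-5-19'                   # LOCAL SERVICE; NETWORK SERVICE is S-1-5-20
)

# --- 1. Which process/service is logging the access-denied events? ---
$filter = @{ LogName = 'Microsoft-Windows-Kernel-EventTracing/Admin'; Id = 2 }
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 500 -ErrorAction SilentlyContinue |
          Where-Object { $_.Message -match '0xC0000022' }

$events | ForEach-Object {
    $x      = [xml]$_.ToXml()
    $procId = [int]$x.Event.System.Execution.ProcessID
    # The PID may have exited or been reused since the event was written.
    $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
    $svc  = Get-CimInstance Win32_Service -Filter "ProcessId = $procId" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Time    = $_.TimeCreated
        PID     = $procId
        Process = if ($proc) { $proc.ProcessName } else { '<exited>' }
        Service = if ($svc)  { ($svc.Name -join ',') }      else { '' }
        RunsAs  = if ($svc)  { ($svc.StartName -join ',') } else { '' }  # decides which SID needs the ACE
    }
} | Group-Object Process, Service, RunsAs | Select-Object Count, Name | Format-Table -AutoSize

# --- 2. Check (and with -Fix, repair) the ACL on the netcfgx ETL files ---
$grant     = [System.Security.Principal.SecurityIdentifier]$GrantSid
$grantName = $grant.Translate([System.Security.Principal.NTAccount]).Value   # localized display name
$full      = [System.Security.AccessControl.FileSystemRights]::FullControl

foreach ($file in Get-ChildItem -Path $InfDir -Filter 'netcfgx.*.etl') {
    $acl     = Get-Acl -LiteralPath $file.FullName
    $hasFull = $false
    foreach ($ace in $acl.Access) {
        # Compare by SID: IdentityReference shows localized names (e.g. NT-AUTORITÄT\Lokaler Dienst).
        $aceSid = try { $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) } catch { $null }
        if ($aceSid -and $aceSid.Value -eq $GrantSid -and $ace.AccessControlType -eq 'Allow' -and
            (($ace.FileSystemRights -band $full) -eq $full)) {
            $hasFull = $true
        }
    }
    if ($hasFull) {
        "{0}: {1} already has Full Control" -f $file.Name, $grantName
        continue
    }
    "{0}: {1} lacks Full Control" -f $file.Name, $grantName
    if ($Fix) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($grant, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -LiteralPath $file.FullName -AclObject $acl
        "{0}: granted Full Control to {1}" -f $file.Name, $grantName
    }
}
```

Run it once without switches to see which process and logon account the events come from and whether the files already carry the ACE; run it again with -Fix to add the rule. The RunsAs column is the check that decides between the reply's advice and the TechNet/Sophos advice: if the service logging the events shows up as LocalService, keep the default S-1-5-19; if it runs as NetworkService, pass -GrantSid S-1-5-20 instead.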
