Sophos Health service fails to install - Service cannot start in a timely manner

Hi,

I have two endpoints (servers) in my environment that fail to install the Server Protection software. Both fail at trying to install the Health service. Both fail to start within a timely manner (error 1053). I am running the installer as an admin. I have tried with both Tamper Protection enabled and disabled at the registry level of the endpoint to no avail. The rest of my environment installed flawlessly.

Am I missing something here?

Attached is the Health Service installer log (sorry, it's in a code snippet).

Regards,

Chris

2021-09-10T04:07:01.257Z [ 4124: 5600] [v2.7.28.0] INFO  Begin product setup
2021-09-10T04:07:01.258Z [ 4124: 5600] [v2.7.28.0] INFO  Begin install
2021-09-10T04:07:01.259Z [ 4124: 5600] [v2.7.28.0] INFO  Service Sophos Health Service is missing or incorrectly configured: disabling tamper protection and creating/configuring service
2021-09-10T04:07:01.259Z [ 4124: 5600] [v2.7.28.0] INFO  Health Event Store dbName C:\ProgramData\Sophos\Health\Event Store\Database\events.db
2021-09-10T04:07:01.259Z [ 4124: 5600] [v2.7.28.0] INFO  Health DB attributes : exists false, isDirectory false
2021-09-10T04:07:01.262Z [ 4124: 5600] [v2.7.28.0] INFO  SHS not installed. Start clean install.
2021-09-10T04:07:01.262Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: Stop service step without disabling tamper protection for service: Sophos Health Service
2021-09-10T04:07:01.262Z [ 4124: 5600] [v2.7.28.0] INFO  Service Sophos Health Service does not exist.
2021-09-10T04:07:01.262Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: SHS service installer
2021-09-10T04:07:01.262Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: Tamper protection of the SHS component will be set to: OFF 
2021-09-10T04:07:01.262Z [ 4124: 5600] [v2.7.28.0] INFO  Tamper protection component key for SHS does not exist. Component tamper protection will remain off.
2021-09-10T04:07:01.262Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: CreateOrUpdate service step: Sophos Health Service
2021-09-10T04:07:01.262Z [ 4124: 5600] [v2.7.28.0] INFO  Service Sophos Health Service does not exist: creating it
2021-09-10T04:07:01.462Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: SHS directory installer
2021-09-10T04:07:01.462Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: Create directory C:\Program Files (x86)\Sophos\Health and all parent directories
2021-09-10T04:07:01.465Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: Create directory C:\ProgramData\Sophos\Health\Event Store and all parent directories
2021-09-10T04:07:01.466Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: CreateDirectory(C:\ProgramData\Sophos\Health\Event Store\Database)
2021-09-10T04:07:01.467Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: CreateDirectory(C:\ProgramData\Sophos\Health\Event Store\Error)
2021-09-10T04:07:01.468Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: CreateDirectory(C:\ProgramData\Sophos\Health\Event Store\Incoming)
2021-09-10T04:07:01.469Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: CreateDirectory(C:\ProgramData\Sophos\Health\Event Store\Temp)
2021-09-10T04:07:01.470Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: CreateDirectory(C:\ProgramData\Sophos\Health\Event Store\Trail)
2021-09-10T04:07:01.470Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: Tamper protection will be updated for the main component, if rollback is triggered.
2021-09-10T04:07:01.471Z [ 4124: 5600] [v2.7.28.0] INFO  Tamper protection main component key does not exist. Nothing to be done, if rollback is triggered.
2021-09-10T04:07:01.471Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\shs\integrity.dat, C:\Program Files (x86)\Sophos\Health\integrity.dat)
2021-09-10T04:07:01.473Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: CreateRegistryKey(HKLM\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Components\SHS, 64)
2021-09-10T04:07:01.473Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: Tamper protection will be updated for the main component.
2021-09-10T04:07:01.475Z [ 4124: 5600] [v2.7.28.0] INFO  Waiting for operation to succeed within 60000ms.
2021-09-10T04:07:01.475Z [ 4124: 5600] [v2.7.28.0] INFO  Tamper protection for the main component has been updated.
2021-09-10T04:07:01.475Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: Tamper protection of the SHS component will be set to: ON 
2021-09-10T04:07:01.475Z [ 4124: 5600] [v2.7.28.0] INFO  Waiting for operation to succeed within 60000ms.
2021-09-10T04:07:01.475Z [ 4124: 5600] [v2.7.28.0] INFO  Tamper protection of the SHS component has been set to: ON 
2021-09-10T04:07:01.475Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: SHS file installer
2021-09-10T04:07:01.475Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\shs\SophosHealth.exe, C:\Program Files (x86)\Sophos\Health\SophosHealth.exe)
2021-09-10T04:07:01.500Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\shs\SophosHealthClient.exe, C:\Program Files (x86)\Sophos\Health\SophosHealthClient.exe)
2021-09-10T04:07:01.508Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\shs\sof.dat, C:\Program Files (x86)\Sophos\Health\sof.dat)
2021-09-10T04:07:01.510Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\shs\Uninstall.exe, C:\Program Files (x86)\Sophos\Health\Uninstall.exe)
2021-09-10T04:07:01.531Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: SHS adapter installer
2021-09-10T04:07:01.531Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: Unloading adapter
2021-09-10T04:07:01.531Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: DeleteRegistryKey(HKLM\Software\Sophos\Remote Management System\ManagementAgent\Adapters\SHS, 32)
2021-09-10T04:07:01.531Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: WaitForLockedFile(C:\Program Files (x86)\Sophos\Health\ShsAdapter.dll, 60, WaitOnInstallToUnlock)
2021-09-10T04:07:01.531Z [ 4124: 5600] [v2.7.28.0] INFO  Waiting for operation to succeed within 60000ms.
2021-09-10T04:07:01.531Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\shs\ShsAdapter.dll, C:\Program Files (x86)\Sophos\Health\ShsAdapter.dll)
2021-09-10T04:07:01.543Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: WaitForLockedFile(C:\Program Files (x86)\Sophos\Health\ShsAdapter.dll, 60, WaitOnRollbackToUnlock)
2021-09-10T04:07:01.543Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: CreateRegistryKey(HKLM\Software\Sophos\Remote Management System\ManagementAgent\Adapters\SHS, 32)
2021-09-10T04:07:01.543Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: SetRegistryValue(HKLM\Software\Sophos\Remote Management System\ManagementAgent\Adapters\SHS, 32, DllPath, C:\Program Files (x86)\Sophos\Health\ShsAdapter.dll)
2021-09-10T04:07:01.543Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: SHS registry key Installer
2021-09-10T04:07:01.543Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: CreateRegistryKey(HKLM\Software\Sophos\Health, 32)
2021-09-10T04:07:01.544Z [ 4124: 5600] [v2.7.28.0] INFO  Existing security permissions before resetting permissions: D:PAI(A;CI;KR;;;BU)(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CIIO;KA;;;CO)(A;CI;KR;;;AC)
2021-09-10T04:07:01.544Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: CreateRegistryKey(HKLM\Software\Sophos\Health\Application, 32)
2021-09-10T04:07:01.545Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: SetRegistryValue(HKLM\Software\Sophos\Health\Application, 32, AdminIsolationEventFamilyId, none)
2021-09-10T04:07:01.545Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: CreateRegistryKey(HKLM\Software\Sophos\Health\Logging, 32)
2021-09-10T04:07:01.545Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: CreateRegistryKey(HKLM\Software\Sophos\Health\ProcessNotification, 32)
2021-09-10T04:07:01.545Z [ 4124: 5600] [v2.7.28.0] INFO  Existing security permissions before resetting permissions: D:PAI(A;OICI;KA;;;BA)(A;OICI;KA;;;SY)(A;OICI;KA;;;LS)(A;OICI;KR;;;BU)
2021-09-10T04:07:01.545Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: CreateRegistryKey(HKLM\Software\Sophos\Health\ThreatNotification, 32)
2021-09-10T04:07:01.546Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: CreateRegistryKey(HKLM\Software\Sophos\Health\Status, 32)
2021-09-10T04:07:01.546Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: CreateRegistryKey(HKLM\Software\Sophos\Health\PersistedStatus, 32)
2021-09-10T04:07:01.546Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: CreateRegistryKey(HKLM\Software\Sophos\Telemetry\Plugins\Health, 32)
2021-09-10T04:07:01.547Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: SetRegistryValue(HKLM\Software\Sophos\Telemetry\Plugins\Health, 32, Cmd, SophosHealthClient.exe --telemetry)
2021-09-10T04:07:01.547Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: SetRegistryValue(HKLM\Software\Sophos\Telemetry\Plugins\Health, 32, Path, C:\Program Files (x86)\Sophos\Health\SophosHealthClient.exe)
2021-09-10T04:07:01.547Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: SHS add remove program key installer
2021-09-10T04:07:01.547Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: CreateRegistryKey(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5E8436D5-3688-4007-94C7-55D017275F89}, 32)
2021-09-10T04:07:01.547Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5E8436D5-3688-4007-94C7-55D017275F89}, 32, AuthorizedCDFPrefix, )
2021-09-10T04:07:01.548Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5E8436D5-3688-4007-94C7-55D017275F89}, 32, Comments, Sophos Health)
2021-09-10T04:07:01.548Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5E8436D5-3688-4007-94C7-55D017275F89}, 32, Contact, Sophos Technical Support)
2021-09-10T04:07:01.548Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5E8436D5-3688-4007-94C7-55D017275F89}, 32, DisplayName, Sophos Health)
2021-09-10T04:07:01.548Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5E8436D5-3688-4007-94C7-55D017275F89}, 32, DisplayVersion, 2.7.28.0)
2021-09-10T04:07:01.549Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5E8436D5-3688-4007-94C7-55D017275F89}, 32, EstimatedSize, 4947)
2021-09-10T04:07:01.549Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5E8436D5-3688-4007-94C7-55D017275F89}, 32, HelpLink, http://www.sophos.com/support)
2021-09-10T04:07:01.549Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5E8436D5-3688-4007-94C7-55D017275F89}, 32, InstallDate, 20210910)
2021-09-10T04:07:01.549Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5E8436D5-3688-4007-94C7-55D017275F89}, 32, InstallLocation, C:\Program Files (x86)\Sophos\Health)
2021-09-10T04:07:01.549Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5E8436D5-3688-4007-94C7-55D017275F89}, 32, InstallSource, C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\shs)
2021-09-10T04:07:01.550Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5E8436D5-3688-4007-94C7-55D017275F89}, 32, Language, 1033)
2021-09-10T04:07:01.550Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5E8436D5-3688-4007-94C7-55D017275F89}, 32, ModifyPath, )
2021-09-10T04:07:01.550Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5E8436D5-3688-4007-94C7-55D017275F89}, 32, NoModify, 1)
2021-09-10T04:07:01.550Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5E8436D5-3688-4007-94C7-55D017275F89}, 32, NoRepair, 1)
2021-09-10T04:07:01.550Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5E8436D5-3688-4007-94C7-55D017275F89}, 32, Publisher, Sophos Limited)
2021-09-10T04:07:01.551Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5E8436D5-3688-4007-94C7-55D017275F89}, 32, UninstallString, "C:\Program Files (x86)\Sophos\Health\Uninstall.exe")
2021-09-10T04:07:01.551Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5E8436D5-3688-4007-94C7-55D017275F89}, 32, URLInfoAbout, http://www.sophos.com)
2021-09-10T04:07:01.551Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5E8436D5-3688-4007-94C7-55D017275F89}, 32, VersionMajor, 2)
2021-09-10T04:07:01.551Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5E8436D5-3688-4007-94C7-55D017275F89}, 32, VersionMinor, 7)
2021-09-10T04:07:01.552Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5E8436D5-3688-4007-94C7-55D017275F89}, 32, SystemComponent, 1)
2021-09-10T04:07:01.552Z [ 4124: 5600] [v2.7.28.0] INFO  Executing step: Start tamper-protected service step: Sophos Health Service
2021-09-10T04:07:01.552Z [ 4124: 5600] [v2.7.28.0] INFO  Querying configuration of service: Sophos Health Service
2021-09-10T04:07:02.192Z [ 4124: 5600] [v2.7.28.0] ERROR Exception starting tamper protected service: StartService failed with error 1053: The service did not respond to the start or control request in a timely fashion.

2021-09-10T04:07:02.192Z [ 4124: 5600] [v2.7.28.0] WARN  Cannot determine service PID; service is in invalid state
2021-09-10T04:07:02.193Z [ 4124: 5600] [v2.7.28.0] INFO  StopCommand key was set
2021-09-10T04:07:02.193Z [ 4124: 5600] [v2.7.28.0] INFO  Waiting 60000ms for service stop
2021-09-10T04:07:02.193Z [ 4124: 5600] [v2.7.28.0] INFO  Waiting for operation to succeed within 60000ms.
2021-09-10T04:07:02.193Z [ 4124: 5600] [v2.7.28.0] INFO  Service has stopped.
2021-09-10T04:07:02.193Z [ 4124: 5600] [v2.7.28.0] INFO  StopCommand key was removed
2021-09-10T04:07:02.193Z [ 4124: 5600] [v2.7.28.0] WARN  StartService failed with error 1053: The service did not respond to the start or control request in a timely fashion.

2021-09-10T04:07:02.193Z [ 4124: 5600] [v2.7.28.0] ERROR Failed step: Start tamper-protected service step: Sophos Health Service, rolling back previous steps
2021-09-10T04:07:02.193Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: SHS add remove program key installer
2021-09-10T04:07:02.193Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5E8436D5-3688-4007-94C7-55D017275F89}, 32, SystemComponent, 1)
2021-09-10T04:07:02.194Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5E8436D5-3688-4007-94C7-55D017275F89}, 32, VersionMinor, 7)
2021-09-10T04:07:02.194Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5E8436D5-3688-4007-94C7-55D017275F89}, 32, VersionMajor, 2)
2021-09-10T04:07:02.194Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5E8436D5-3688-4007-94C7-55D017275F89}, 32, URLInfoAbout, http://www.sophos.com)
2021-09-10T04:07:02.194Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5E8436D5-3688-4007-94C7-55D017275F89}, 32, UninstallString, "C:\Program Files (x86)\Sophos\Health\Uninstall.exe")
2021-09-10T04:07:02.194Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5E8436D5-3688-4007-94C7-55D017275F89}, 32, Publisher, Sophos Limited)
2021-09-10T04:07:02.194Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5E8436D5-3688-4007-94C7-55D017275F89}, 32, NoRepair, 1)
2021-09-10T04:07:02.195Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5E8436D5-3688-4007-94C7-55D017275F89}, 32, NoModify, 1)
2021-09-10T04:07:02.195Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5E8436D5-3688-4007-94C7-55D017275F89}, 32, ModifyPath, )
2021-09-10T04:07:02.195Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5E8436D5-3688-4007-94C7-55D017275F89}, 32, Language, 1033)
2021-09-10T04:07:02.195Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5E8436D5-3688-4007-94C7-55D017275F89}, 32, InstallSource, C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\shs)
2021-09-10T04:07:02.195Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5E8436D5-3688-4007-94C7-55D017275F89}, 32, InstallLocation, C:\Program Files (x86)\Sophos\Health)
2021-09-10T04:07:02.196Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5E8436D5-3688-4007-94C7-55D017275F89}, 32, InstallDate, 20210910)
2021-09-10T04:07:02.196Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5E8436D5-3688-4007-94C7-55D017275F89}, 32, HelpLink, http://www.sophos.com/support)
2021-09-10T04:07:02.196Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5E8436D5-3688-4007-94C7-55D017275F89}, 32, EstimatedSize, 4947)
2021-09-10T04:07:02.196Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5E8436D5-3688-4007-94C7-55D017275F89}, 32, DisplayVersion, 2.7.28.0)
2021-09-10T04:07:02.196Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5E8436D5-3688-4007-94C7-55D017275F89}, 32, DisplayName, Sophos Health)
2021-09-10T04:07:02.196Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5E8436D5-3688-4007-94C7-55D017275F89}, 32, Contact, Sophos Technical Support)
2021-09-10T04:07:02.196Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5E8436D5-3688-4007-94C7-55D017275F89}, 32, Comments, Sophos Health)
2021-09-10T04:07:02.197Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: SetRegistryValue(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5E8436D5-3688-4007-94C7-55D017275F89}, 32, AuthorizedCDFPrefix, )
2021-09-10T04:07:02.197Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: CreateRegistryKey(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5E8436D5-3688-4007-94C7-55D017275F89}, 32)
2021-09-10T04:07:02.197Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: SHS registry key Installer
2021-09-10T04:07:02.197Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: SetRegistryValue(HKLM\Software\Sophos\Telemetry\Plugins\Health, 32, Path, C:\Program Files (x86)\Sophos\Health\SophosHealthClient.exe)
2021-09-10T04:07:02.197Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: SetRegistryValue(HKLM\Software\Sophos\Telemetry\Plugins\Health, 32, Cmd, SophosHealthClient.exe --telemetry)
2021-09-10T04:07:02.197Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: CreateRegistryKey(HKLM\Software\Sophos\Telemetry\Plugins\Health, 32)
2021-09-10T04:07:02.198Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: CreateRegistryKey(HKLM\Software\Sophos\Health\PersistedStatus, 32)
2021-09-10T04:07:02.198Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: CreateRegistryKey(HKLM\Software\Sophos\Health\Status, 32)
2021-09-10T04:07:02.198Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: CreateRegistryKey(HKLM\Software\Sophos\Health\ThreatNotification, 32)
2021-09-10T04:07:02.198Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: CreateRegistryKey(HKLM\Software\Sophos\Health\ProcessNotification, 32)
2021-09-10T04:07:02.198Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: CreateRegistryKey(HKLM\Software\Sophos\Health\Logging, 32)
2021-09-10T04:07:02.199Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: SetRegistryValue(HKLM\Software\Sophos\Health\Application, 32, AdminIsolationEventFamilyId, none)
2021-09-10T04:07:02.199Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: CreateRegistryKey(HKLM\Software\Sophos\Health\Application, 32)
2021-09-10T04:07:02.199Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: CreateRegistryKey(HKLM\Software\Sophos\Health, 32)
2021-09-10T04:07:02.199Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: SHS adapter installer
2021-09-10T04:07:02.199Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: SetRegistryValue(HKLM\Software\Sophos\Remote Management System\ManagementAgent\Adapters\SHS, 32, DllPath, C:\Program Files (x86)\Sophos\Health\ShsAdapter.dll)
2021-09-10T04:07:02.199Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: CreateRegistryKey(HKLM\Software\Sophos\Remote Management System\ManagementAgent\Adapters\SHS, 32)
2021-09-10T04:07:02.200Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: WaitForLockedFile(C:\Program Files (x86)\Sophos\Health\ShsAdapter.dll, 60, WaitOnRollbackToUnlock)
2021-09-10T04:07:02.200Z [ 4124: 5600] [v2.7.28.0] INFO  Waiting for operation to succeed within 60000ms.
2021-09-10T04:07:02.316Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 1
2021-09-10T04:07:02.327Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\shs\ShsAdapter.dll, C:\Program Files (x86)\Sophos\Health\ShsAdapter.dll)
2021-09-10T04:07:02.328Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: Unloading adapter
2021-09-10T04:07:02.328Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: WaitForLockedFile(C:\Program Files (x86)\Sophos\Health\ShsAdapter.dll, 60, WaitOnInstallToUnlock)
2021-09-10T04:07:02.328Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: DeleteRegistryKey(HKLM\Software\Sophos\Remote Management System\ManagementAgent\Adapters\SHS, 32)
2021-09-10T04:07:02.328Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: SHS file installer
2021-09-10T04:07:02.328Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\shs\Uninstall.exe, C:\Program Files (x86)\Sophos\Health\Uninstall.exe)
2021-09-10T04:07:02.329Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\shs\sof.dat, C:\Program Files (x86)\Sophos\Health\sof.dat)
2021-09-10T04:07:02.329Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\shs\SophosHealthClient.exe, C:\Program Files (x86)\Sophos\Health\SophosHealthClient.exe)
2021-09-10T04:07:02.330Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\shs\SophosHealth.exe, C:\Program Files (x86)\Sophos\Health\SophosHealth.exe)
2021-09-10T04:07:02.378Z [ 4124: 5600] [v2.7.28.0] WARN  DeleteFile: C:\Program Files (x86)\Sophos\Health\SophosHealth.exe, failed with error 32: The process cannot access the file because it is being used by another process.

2021-09-10T04:07:02.378Z [ 4124: 5600] [v2.7.28.0] WARN  MoveFile of C:\Program Files (x86)\Sophos\Health\SophosHealth.exe to C:\Windows\TEMP\ea29e5d4f0a822fe4f6d5662745f5a30a15a4b34d1ac4d5d62b90380e30a0450.tmp failed with error 32: The process cannot access the file because it is being used by another process.

2021-09-10T04:07:02.378Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: Tamper protection of the SHS component will be set to: ON 
2021-09-10T04:07:02.378Z [ 4124: 5600] [v2.7.28.0] INFO  Waiting for operation to succeed within 60000ms.
2021-09-10T04:07:03.412Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 1
2021-09-10T04:07:04.413Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 2
2021-09-10T04:07:05.416Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 3
2021-09-10T04:07:06.432Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 4
2021-09-10T04:07:07.441Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 5
2021-09-10T04:07:08.442Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 6
2021-09-10T04:07:09.458Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 7
2021-09-10T04:07:10.543Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 8
2021-09-10T04:07:11.557Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 9
2021-09-10T04:07:12.572Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 10
2021-09-10T04:07:13.588Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 11
2021-09-10T04:07:14.595Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 12
2021-09-10T04:07:15.599Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 13
2021-09-10T04:07:16.632Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 14
2021-09-10T04:07:17.640Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 15
2021-09-10T04:07:18.645Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 16
2021-09-10T04:07:19.661Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 17
2021-09-10T04:07:20.663Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 18
2021-09-10T04:07:21.676Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 19
2021-09-10T04:07:22.692Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 20
2021-09-10T04:07:23.707Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 21
2021-09-10T04:07:24.720Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 22
2021-09-10T04:07:25.736Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 23
2021-09-10T04:07:26.751Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 24
2021-09-10T04:07:27.766Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 25
2021-09-10T04:07:28.782Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 26
2021-09-10T04:07:29.782Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 27
2021-09-10T04:07:30.782Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 28
2021-09-10T04:07:31.784Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 29
2021-09-10T04:07:32.785Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 30
2021-09-10T04:07:33.800Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 31
2021-09-10T04:07:34.815Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 32
2021-09-10T04:07:35.830Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 33
2021-09-10T04:07:36.892Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 34
2021-09-10T04:07:37.894Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 35
2021-09-10T04:07:38.908Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 36
2021-09-10T04:07:39.909Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 37
2021-09-10T04:07:40.927Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 38
2021-09-10T04:07:41.942Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 39
2021-09-10T04:07:42.947Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 40
2021-09-10T04:07:43.962Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 41
2021-09-10T04:07:44.978Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 42
2021-09-10T04:07:45.979Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 43
2021-09-10T04:07:46.995Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 44
2021-09-10T04:07:47.995Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 45
2021-09-10T04:07:49.009Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 46
2021-09-10T04:07:50.025Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 47
2021-09-10T04:07:51.038Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 48
2021-09-10T04:07:52.040Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 49
2021-09-10T04:07:53.072Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 50
2021-09-10T04:07:54.086Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 51
2021-09-10T04:07:55.090Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 52
2021-09-10T04:07:56.184Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 53
2021-09-10T04:07:57.307Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 54
2021-09-10T04:07:58.314Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 55
2021-09-10T04:07:59.330Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 56
2021-09-10T04:08:00.338Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 57
2021-09-10T04:08:01.351Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 58
2021-09-10T04:08:02.508Z [ 4124: 5600] [v2.7.28.0] INFO  Retrying operation. Counter: 59
2021-09-10T04:08:02.508Z [ 4124: 5600] [v2.7.28.0] ERROR Timed out waiting for operation.
2021-09-10T04:08:02.508Z [ 4124: 5600] [v2.7.28.0] ERROR Waiting for SHS component tamper protection rollback acknowledgment timed out
2021-09-10T04:08:02.508Z [ 4124: 5600] [v2.7.28.0] WARN  Waiting for SHS component tamper protection rollback acknowledgment timed out
2021-09-10T04:08:02.508Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: Tamper protection will be updated for the main component.
2021-09-10T04:08:02.508Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: CreateRegistryKey(HKLM\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Components\SHS, 64)
2021-09-10T04:08:02.509Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: CopyFile(C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\shs\integrity.dat, C:\Program Files (x86)\Sophos\Health\integrity.dat)
2021-09-10T04:08:02.587Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: Tamper protection will be updated for the main component, if rollback is triggered.
2021-09-10T04:08:02.587Z [ 4124: 5600] [v2.7.28.0] INFO  Nothing to be done at Rollback. Tamper protection for the main component was off.
2021-09-10T04:08:02.587Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: SHS directory installer
2021-09-10T04:08:02.587Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: CreateDirectory(C:\ProgramData\Sophos\Health\Event Store\Trail)
2021-09-10T04:08:02.588Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: CreateDirectory(C:\ProgramData\Sophos\Health\Event Store\Temp)
2021-09-10T04:08:02.588Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: CreateDirectory(C:\ProgramData\Sophos\Health\Event Store\Incoming)
2021-09-10T04:08:02.589Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: CreateDirectory(C:\ProgramData\Sophos\Health\Event Store\Error)
2021-09-10T04:08:02.589Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: CreateDirectory(C:\ProgramData\Sophos\Health\Event Store\Database)
2021-09-10T04:08:02.589Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: Create directory C:\ProgramData\Sophos\Health\Event Store and all parent directories
2021-09-10T04:08:02.590Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: Create directory C:\Program Files (x86)\Sophos\Health and all parent directories
2021-09-10T04:08:02.590Z [ 4124: 5600] [v2.7.28.0] WARN  RemoveDirectory for C:\Program Files (x86)\Sophos\Health failed with error: 145: The directory is not empty.

2021-09-10T04:08:02.590Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: SHS service installer
2021-09-10T04:08:02.590Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: CreateOrUpdate service step: Sophos Health Service
2021-09-10T04:08:02.590Z [ 4124: 5600] [v2.7.28.0] INFO  Service Sophos Health Service was created: rollback -> deleting it
2021-09-10T04:08:02.595Z [ 4124: 5600] [v2.7.28.0] INFO  Waiting 60000ms for service deletion
2021-09-10T04:08:02.595Z [ 4124: 5600] [v2.7.28.0] INFO  Waiting for operation to succeed within 60000ms.
2021-09-10T04:08:02.596Z [ 4124: 5600] [v2.7.28.0] INFO  Successfully deleted service: Sophos Health Service
2021-09-10T04:08:02.596Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: Tamper protection of the SHS component will be set to: OFF 
2021-09-10T04:08:02.596Z [ 4124: 5600] [v2.7.28.0] INFO  Rolling back step: Stop service step without disabling tamper protection for service: Sophos Health Service
2021-09-10T04:08:02.596Z [ 4124: 5600] [v2.7.28.0] INFO  Service was already missing or stopped
2021-09-10T04:08:02.596Z [ 4124: 5600] [v2.7.28.0] WARN  Failed composite step
2021-09-10T04:08:02.596Z [ 4124: 5600] [v2.7.28.0] INFO  Execution failed
2021-09-10T04:08:02.596Z [ 4124: 5600] [v2.7.28.0] ERROR Action failed
2021-09-10T04:08:02.597Z [ 4124: 5600] [v2.7.28.0] INFO  End product setup



  • Found the issue. Permissions of the ProgramData folder were messed up completely.

    CACLS should be (FYI): 

    C:\ProgramData BUILTIN\Administrators:(OI)(CI)F
    NT AUTHORITY\SYSTEM:(OI)(CI)F
    BUILTIN\Users:(OI)(CI)R
    CREATOR OWNER:(OI)(CI)(IO)F
    BUILTIN\Users:(CI)(special access:)
                                      SYNCHRONIZE
                                      FILE_WRITE_DATA
                                      FILE_APPEND_DATA
                                      FILE_WRITE_EA
                                      FILE_WRITE_ATTRIBUTES
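
Added example (not part of the original thread and not Sophos tooling): a Python script that parses `cacls C:\ProgramData` output and reports the ACEs that differ from the baseline quoted in the reply above. `BROKEN_SAMPLE` and all function names are constructed for illustration, and the parser assumes the legacy `cacls` text layout shown in the reply.

```python
"""Compare `cacls` output for C:\\ProgramData with the baseline quoted in the reply."""
import re
from typing import NamedTuple


class Ace(NamedTuple):
    principal: str
    flags: frozenset   # inheritance flags such as OI, CI, IO
    rights: frozenset  # {"F"}, {"R"}, ... or the names listed under "special access"


# Baseline ACL, copied from the reply in this thread.
BASELINE = r"""
C:\ProgramData BUILTIN\Administrators:(OI)(CI)F
NT AUTHORITY\SYSTEM:(OI)(CI)F
BUILTIN\Users:(OI)(CI)R
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Users:(CI)(special access:)
                                  SYNCHRONIZE
                                  FILE_WRITE_DATA
                                  FILE_APPEND_DATA
                                  FILE_WRITE_EA
                                  FILE_WRITE_ATTRIBUTES
"""

# Constructed sample of a damaged ACL (not taken from the thread):
# SYSTEM and the Users write ACE are gone, and Everyone has full control.
BROKEN_SAMPLE = r"""
C:\ProgramData Everyone:(OI)(CI)F
               BUILTIN\Administrators:(OI)(CI)F
               BUILTIN\Users:(OI)(CI)R
               CREATOR OWNER:(OI)(CI)(IO)F
"""

# principal ":" zero or more "(FLAG)" groups, then one rights letter or "(special access:)"
ACE_RE = re.compile(
    r"^(?P<who>[^:]+):(?P<flags>(?:\([A-Z]+\))*)(?P<rights>[A-Z]|\(special access:\))$"
)


def parse_cacls(text, path=r"C:\ProgramData"):
    """Return the set of Ace tuples found in cacls output for `path`."""
    aces = []
    special = None  # [principal, flags, rights so far] while reading a special-access list

    def flush():
        nonlocal special
        if special is not None:
            aces.append(Ace(special[0], special[1], frozenset(special[2])))
        special = None

    for raw in text.splitlines():
        line = raw.strip()
        # The first output line carries the path before the first ACE.
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        if not line:
            continue
        m = ACE_RE.match(line)
        if m:
            flush()
            flags = frozenset(re.findall(r"\(([A-Z]+)\)", m["flags"]))
            if m["rights"].startswith("("):
                special = [m["who"], flags, []]      # rights follow on later lines
            else:
                aces.append(Ace(m["who"], flags, frozenset([m["rights"]])))
        elif special is not None and re.fullmatch(r"[A-Z_]+", line):
            special[2].append(line)                  # e.g. FILE_WRITE_DATA
        else:
            raise ValueError(f"unrecognised cacls line: {raw!r}")
    flush()
    return set(aces)


def fmt(ace):
    """Render an Ace in a stable, sortable one-line form."""
    flags = "".join(f"({f})" for f in sorted(ace.flags))
    return f"{ace.principal}:{flags}{'+'.join(sorted(ace.rights))}"


def diff_acl(observed_text, baseline_text=BASELINE):
    """List ACEs missing from, or unexpected in, the observed ACL."""
    observed = parse_cacls(observed_text)
    expected = parse_cacls(baseline_text)
    return {
        "missing": sorted(fmt(a) for a in expected - observed),
        "unexpected": sorted(fmt(a) for a in observed - expected),
    }


if __name__ == "__main__":
    # On a real host, replace BROKEN_SAMPLE with the captured output of
    # `cacls C:\ProgramData`.
    result = diff_acl(BROKEN_SAMPLE)
    for kind in ("missing", "unexpected"):
        for entry in result[kind]:
            print(f"{kind:10} {entry}")
```

An empty result in both lists means the folder's ACL matches the baseline from the reply; any `unexpected` entry granting write or full control to a broad group is worth reviewing before the installer is retried.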
