Having an issue on one of our RDS servers where I'm trying to load up the Endpoint Self Help program (sophosdiag.exe) to check over some communication management settings. However, when loading either through the program or via the Endpoint Agent, it loads half of the module and crashes out; it doesn't even load up at all when trying to run as administrator.
The following errors come up within Event Viewer when this happens. Is there a way to fix this?
I've run SFC scannow and DISM tools, tried different users and admin accounts. All the same. The following errors come through in Event Viewer immediately after crashing.
Faulting application name: SophosDiag.exe, version: 18.104.22.168, time stamp: 0x6144c172
Faulting module name: wuapi.dll, version: 7.9.9600.19915, time stamp: 0x5fd8344b
Exception code: 0xc0000005
Fault offset: 0x000000000006069e
Faulting process ID: 0x729c
Faulting application start time: 0x01d8070a82c99a2b
Faulting application path: C:\Program Files\Sophos\Endpoint Self Help\SophosDiag.exe
Faulting module path: C:\Windows\System32\wuapi.dll

Application: SophosDiag.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.AccessViolationException
If you open up a PowerShell ISE Window, paste the following:
$updateSession = New-Object -ComObject 'Microsoft.Update.Session'
$updateSearcher = $updateSession.CreateUpdateSearcher()
Given the module referenced is wuapi.dll, which is the Windows Update Client API, I suspect it's due to enumerating the installed patches, which SophosDiag does display.
If you stop and disable the Windows Update service it might confirm that, I assume then it might load as it handles this:
Beyond that I would try and get a process dump of SophosDiag.exe when it crashes. Easiest way is to download Procdump (ProcDump - Windows Sysinternals | Microsoft Docs) from Sysinternals/Microsoft to say:
From an admin prompt run:
C:\dumps\procdump.exe -ma -i C:\dumps
Launch SophosDiag.exe so it crashes and you should then have 1, possibly 2 dump files. Only the first is required.
You can run:
to remove the registration as the post-mortem debugger once you have the dump file.
Maybe send it to Support or link it here.
Hi there, thank you so much for replying and helping. I ran the PowerShell ISE script and all updates listed fine; the same issue occurred when stopping the Windows Update Service too. I've run the results of the dmp file and pasted it below. Hopefully that gives some information that you might know instantly or whether I need to log this with support?
Many thanks :)
When you say:
"Same issue occurred when stopping the Windows Update Service too". Is this ESH process crashing? Did that include disabling the service and stopping it?
Hi, yes, I stopped it within services.msc then tried to reload ESH. All processes halfway loaded again and crashed without warning. So no difference with the service Stopped or Started.
But was the Windows Update service stopped AND disabled? My concern was if the service is started by the COM call from ESH and then fails. If the service is disabled it cannot start.
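One way to run the "stopped AND disabled" test so the result is unambiguous, as an added example that is not part of any post in this thread: it records the Windows Update service state, disables and stops it, checks whether the COM call from the earlier snippet starts it again, and restores the original settings afterwards. It assumes an elevated PowerShell prompt and the standard service name `wuauserv`; `GetTotalHistoryCount()` is used here only as a lightweight call into the Windows Update API.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
$svcName = 'wuauserv'   # assumption: standard Windows Update service name
$filter  = "Name='$svcName'"

# Win32_Service reports StartMode even on older PowerShell versions.
$before = Get-CimInstance -ClassName Win32_Service -Filter $filter
"Before: State=$($before.State) StartMode=$($before.StartMode)"

try {
    # Disable first, then stop, so nothing can restart the service in between.
    Set-Service  -Name $svcName -StartupType Disabled
    Stop-Service -Name $svcName -Force -ErrorAction Stop

    $during = Get-CimInstance -ClassName Win32_Service -Filter $filter
    "During: State=$($during.State) StartMode=$($during.StartMode)"
    if ($during.State -ne 'Stopped' -or $during.StartMode -ne 'Disabled') {
        throw 'Service is not both stopped and disabled; the test would be inconclusive.'
    }

    # Same COM object as the snippet earlier in the thread.
    try {
        $session  = New-Object -ComObject 'Microsoft.Update.Session'
        $searcher = $session.CreateUpdateSearcher()
        $null     = $searcher.GetTotalHistoryCount()
        'COM call returned without error.'
    } catch {
        "COM call failed: $($_.Exception.Message)"
    }

    # If the service is running again here, the COM call was able to start it.
    $after = Get-CimInstance -ClassName Win32_Service -Filter $filter
    "After COM call: State=$($after.State) StartMode=$($after.StartMode)"

    Read-Host 'Launch SophosDiag.exe now, note whether it crashes, then press Enter'
}
finally {
    # Restore the original start mode (a delayed-start flag is not captured here).
    $mode = switch ($before.StartMode) {
        'Auto'   { 'Automatic' }
        'Manual' { 'Manual' }
        default  { 'Disabled' }
    }
    Set-Service -Name $svcName -StartupType $mode
    if ($before.State -eq 'Running') { Start-Service -Name $svcName }
    "Restored: StartMode=$mode"
}
```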