This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

vcredist_x86.exe 2008 installation fails on Server with Intercept-X

When installing this old, legitimate Microsoft file on two different Server 2022 machines:

Microsoft Visual C++ 2008 Redistributable Setup

v 9.0.30729.5677

https://download.microsoft.com/download/5/D/8/5D8C65CB-C849-4025-8E95-C3966CAFD8AE/vcredist_x86.exe

https://www.virustotal.com/gui/file/8742bcbf24ef328a72d2a27b693cc7071e38d3bb4b9b44dec42aa3d2c8d61d92?nocache=1

Installation fails als long as all Sophos shields are up.

When disabling all engines with self-help tool, installation succeeds. This is true for both machines.

Nothing is logged in Sophos EP GUI.

What Sophos log file should be checked to see what's going on and beeing blocked?

error logged by application:

[1C50:21C4][2022-02-08T15:06:10]i301: Applying execute package: vc9redist_kb2538243, action: Install, path: C:\ProgramData\Package Cache\470640AA4BB7DB8E69196B5EDB0010933569E98D\visual_studio_runtime9_KB\vcredist_x86.exe, arguments: '"C:\ProgramData\Package Cache\470640AA4BB7DB8E69196B5EDB0010933569E98D\visual_studio_runtime9_KB\vcredist_x86.exe" /q'
[1C50:21C4][2022-02-08T15:06:15]e000: Error 0x80070643: Process returned error: 0x643
[1C50:21C4][2022-02-08T15:06:15]e000: Error 0x80070643: Failed to execute EXE package.
[08EC:27DC][2022-02-08T15:06:15]e000: Error 0x80070643: Failed to configure per-machine EXE package.
[08EC:27DC][2022-02-08T15:06:15]i319: Applied execute package: vc9redist_kb2538243, result: 0x80070643, restart: None
[08EC:27DC][2022-02-08T15:06:15]e000: Error 0x80070643: Failed to execute EXE package.
[1C50:21C4][2022-02-08T15:06:15]i351: Removing cached package: vc9redist_kb2538243, from path: C:\ProgramData\Package Cache\470640AA4BB7DB8E69196B5EDB0010933569E98D\
[08EC:27DC][2022-02-08T15:06:15]i000: ApplyExecuteComplete, result: -2147023293
[08EC:27DC][2022-02-08T15:06:15]i000: LastErrorMessage: 

0x80070643

-2147023293

This program setup is required by different software like Lexware financial office pro (latest 2022 version).

Core Agent 2.20.11 BETA
Sophos Intercept X 2.0.24 BETA
Server Protection 10.8.11.4 BETA
Managed Threat Response 2.3.0.68


This thread was automatically locked due to age.
Parents
  • 0x80070643 (WIN32: 1603 ERROR_INSTALL_FAILURE) -- 2147944003 (-2147023293) = Fatal error during installation.

    Not too much help. I would suggest see if you have the log files:

    %temp%\dd_vcredistMSI4DBD.txt

    %temp%\dd_vcredistUI4DBD.txt

    I'd probably run Process Monitor at the same time to correlate the log with the events.

    The above files should be in the temp directory of the user that ran the installer. Do they show an issue?  Can you attach them?

  • Hi and thanks for your reply.

    UI Log:

    [02/08/22,15:06:12] Entering CMsiInstaller::BeginInstall
    [02/08/22,15:06:14] ***ERROR EVENT*** : Custom Action Failure:Action ended 15:06:14: InstallFinalize. Return value 3..
    [02/08/22,15:06:14] ***ERROR EVENT*** : See Windows Install log  for details.
    [02/08/22,15:06:14] ***ERROR EVENT*** : Custom Action Failure:Action ended 15:06:14: INSTALL. Return value 3..
    [02/08/22,15:06:14] ***ERROR EVENT*** : See Windows Install log  for details.
    [02/08/22,15:06:14] Entering CMsiInstaller::SuppressReboot
    [02/08/22,15:06:14] Leaving CMsiInstaller::SuppressReboot
    [02/08/22,15:06:14] Entering CMsiInstaller::Stop
    [02/08/22,15:06:14] Leaving CMsiInstaller::WorkerThread
    [02/08/22,15:06:14] Leaving CMsiInstaller::Stop
    [02/08/22,15:06:14] Leaving  CSilentNavigator::Start
    [02/08/22,15:06:14] Process returning code 1603

    MSI Log:

    MSI (s) (C8:5C) [15:06:14:733]: Executing op: ComponentUnregister(ComponentId={86C9D5AA-F00C-4921-B3F2-C60AF92E2844},ProductKey={9BE518E6-ECC6-35A9-88E4-87755C07200F},BinaryType=0,)
    MSI (s) (C8:5C) [15:06:14:733]: Executing op: End(Checksum=0,ProgressTotalHDWord=0,ProgressTotalLDWord=0)
    MSI (s) (C8:5C) [15:06:14:733]: Error in rollback skipped.	Return: 5
    MSI (s) (C8:5C) [15:06:14:733]: Entering MsiProvideAssembly. AssemblyName: policy.9.0.Microsoft.VC90.OpenMP,version="9.0.30729.6161",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32-policy", AppContext: , InstallMode: -4
    MSI (s) (C8:5C) [15:06:14:733]: Pathbuf: 0, pcchPathBuf: 0
    MSI (s) (C8:5C) [15:06:14:733]: MsiProvideAssembly is returning: 1607
    MSI (s) (C8:5C) [15:06:14:733]: Entering MsiProvideAssembly. AssemblyName: policy.9.0.Microsoft.VC90.OpenMP,version="9.0.30729.6161",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32-policy", AppContext: , InstallMode: -4
    MSI (s) (C8:5C) [15:06:14:733]: Pathbuf: 0, pcchPathBuf: 0
    MSI (s) (C8:5C) [15:06:14:733]: MsiProvideAssembly is returning: 1607
    MSI (s) (C8:5C) [15:06:14:733]: Assembly Error:There is not enough space on the disk.
    
    MSI (s) (C8:5C) [15:06:14:733]: Note: 1: 1935 2: {7DA2C406-77D0-34F4-9B9E-42E9E9DAE3F7} 3: 0x80070070 4: IAssemblyCache 5: UninstallAssembly 6: policy.9.0.Microsoft.VC90.OpenMP,version="9.0.30729.6161",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32-policy" 
    MSI (s) (C8:5C) [15:06:14:733]: Assembly Error (sxs): Please look into Component Based Servicing Log located at %windir%\logs\cbs\cbs.log to get more diagnostic information.
    MSI (s) (C8:5C) [15:06:14:733]: Entering MsiProvideAssembly. AssemblyName: Microsoft.VC90.OpenMP,version="9.0.30729.6161",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32", AppContext: , InstallMode: -4
    MSI (s) (C8:5C) [15:06:14:733]: Pathbuf: 0, pcchPathBuf: 0

    CBS Log:

    2022-02-08 15:06:14, Error                 CSI    00000005@2022/2/8:14:06:14.467 (F) onecore\base\wcp\sil\ntsystem.cpp(505): Error STATUS_DISK_FULL originated in function SetObjectSecurity expression: Status
    [gle=0x80004005]
    2022-02-08 15:06:14, Error                 CSI    00000006 (F) STATUS_DISK_FULL #216# from Windows::Rtl::SystemImplementation::DirectFileSystemProvider::SysSetSecurityObject(...)[gle=0xd000007f]
    2022-02-08 15:06:14, Error                 CSI    00000007 (F) STATUS_DISK_FULL #214# from Windows::Rtl::SystemImplementation::CSystemObject::SetSecurityInfo(...)[gle=0xd000007f]
    2022-02-08 15:06:14, Error                 SXS    WIL Origination: onecore\base\servicing\turbostack\lib\fusion.cpp(220)\TurboStack.dll!00007FFB7198F345: (caller: 00007FFB719935AC) Exception(1) tid(30bc) C000007F An operation failed because the disk was full.
    If this is a thinly provisioned volume the physical storage backing this volume has been exhausted.

    Disk full? and when I disable Sophos Endpoint protection, it works...

Reply
  • Hi and thanks for your reply.

    UI Log:

    [02/08/22,15:06:12] Entering CMsiInstaller::BeginInstall
    [02/08/22,15:06:14] ***ERROR EVENT*** : Custom Action Failure:Action ended 15:06:14: InstallFinalize. Return value 3..
    [02/08/22,15:06:14] ***ERROR EVENT*** : See Windows Install log  for details.
    [02/08/22,15:06:14] ***ERROR EVENT*** : Custom Action Failure:Action ended 15:06:14: INSTALL. Return value 3..
    [02/08/22,15:06:14] ***ERROR EVENT*** : See Windows Install log  for details.
    [02/08/22,15:06:14] Entering CMsiInstaller::SuppressReboot
    [02/08/22,15:06:14] Leaving CMsiInstaller::SuppressReboot
    [02/08/22,15:06:14] Entering CMsiInstaller::Stop
    [02/08/22,15:06:14] Leaving CMsiInstaller::WorkerThread
    [02/08/22,15:06:14] Leaving CMsiInstaller::Stop
    [02/08/22,15:06:14] Leaving  CSilentNavigator::Start
    [02/08/22,15:06:14] Process returning code 1603

    MSI Log:

    MSI (s) (C8:5C) [15:06:14:733]: Executing op: ComponentUnregister(ComponentId={86C9D5AA-F00C-4921-B3F2-C60AF92E2844},ProductKey={9BE518E6-ECC6-35A9-88E4-87755C07200F},BinaryType=0,)
    MSI (s) (C8:5C) [15:06:14:733]: Executing op: End(Checksum=0,ProgressTotalHDWord=0,ProgressTotalLDWord=0)
    MSI (s) (C8:5C) [15:06:14:733]: Error in rollback skipped.	Return: 5
    MSI (s) (C8:5C) [15:06:14:733]: Entering MsiProvideAssembly. AssemblyName: policy.9.0.Microsoft.VC90.OpenMP,version="9.0.30729.6161",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32-policy", AppContext: , InstallMode: -4
    MSI (s) (C8:5C) [15:06:14:733]: Pathbuf: 0, pcchPathBuf: 0
    MSI (s) (C8:5C) [15:06:14:733]: MsiProvideAssembly is returning: 1607
    MSI (s) (C8:5C) [15:06:14:733]: Entering MsiProvideAssembly. AssemblyName: policy.9.0.Microsoft.VC90.OpenMP,version="9.0.30729.6161",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32-policy", AppContext: , InstallMode: -4
    MSI (s) (C8:5C) [15:06:14:733]: Pathbuf: 0, pcchPathBuf: 0
    MSI (s) (C8:5C) [15:06:14:733]: MsiProvideAssembly is returning: 1607
    MSI (s) (C8:5C) [15:06:14:733]: Assembly Error:There is not enough space on the disk.
    
    MSI (s) (C8:5C) [15:06:14:733]: Note: 1: 1935 2: {7DA2C406-77D0-34F4-9B9E-42E9E9DAE3F7} 3: 0x80070070 4: IAssemblyCache 5: UninstallAssembly 6: policy.9.0.Microsoft.VC90.OpenMP,version="9.0.30729.6161",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32-policy" 
    MSI (s) (C8:5C) [15:06:14:733]: Assembly Error (sxs): Please look into Component Based Servicing Log located at %windir%\logs\cbs\cbs.log to get more diagnostic information.
    MSI (s) (C8:5C) [15:06:14:733]: Entering MsiProvideAssembly. AssemblyName: Microsoft.VC90.OpenMP,version="9.0.30729.6161",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32", AppContext: , InstallMode: -4
    MSI (s) (C8:5C) [15:06:14:733]: Pathbuf: 0, pcchPathBuf: 0

    CBS Log:

    2022-02-08 15:06:14, Error                 CSI    00000005@2022/2/8:14:06:14.467 (F) onecore\base\wcp\sil\ntsystem.cpp(505): Error STATUS_DISK_FULL originated in function SetObjectSecurity expression: Status
    [gle=0x80004005]
    2022-02-08 15:06:14, Error                 CSI    00000006 (F) STATUS_DISK_FULL #216# from Windows::Rtl::SystemImplementation::DirectFileSystemProvider::SysSetSecurityObject(...)[gle=0xd000007f]
    2022-02-08 15:06:14, Error                 CSI    00000007 (F) STATUS_DISK_FULL #214# from Windows::Rtl::SystemImplementation::CSystemObject::SetSecurityInfo(...)[gle=0xd000007f]
    2022-02-08 15:06:14, Error                 SXS    WIL Origination: onecore\base\servicing\turbostack\lib\fusion.cpp(220)\TurboStack.dll!00007FFB7198F345: (caller: 00007FFB719935AC) Exception(1) tid(30bc) C000007F An operation failed because the disk was full.
    If this is a thinly provisioned volume the physical storage backing this volume has been exhausted.

    Disk full? and when I disable Sophos Endpoint protection, it works...

Children