Sophos Installation Failure

Very odd, I've not seen that before. When the installer runs, the SophoUI component is installed. The logs for the component's installer go to the installing user's temp directory, e.g. %temp%, E.g.

%temp%\Sophos UI Install Log 2024-03-14 10-42-05Z.txt

At the bottom of the log, it details that it is going to start the Sophos Ui.exe process for all active sessions:

2024-03-14T10:42:05.870Z [ 6888: 6884] I Commit step: Start UI in all sessions
2024-03-14T10:42:05.870Z [ 6888: 6884] W AdjustTokenPrivileges did not adjust all specified privileges. Last error: 1300
2024-03-14T10:42:05.886Z [ 6888: 6884] W WTSQueryUserToken failed to get user for session 2
2024-03-14T10:42:06.042Z [ 6888: 6884] I Opened UI in session 2
2024-03-14T10:42:06.042Z [ 6888: 6884] I Sophos UI 2.10.672 Installer completed successfully.
2024-03-14T10:42:06.042Z [ 6888: 6884] I Succeeded: Sophos UI 2.10.672 Installer
2024-03-14T10:42:06.042Z [ 6888: 6884] I Action was successful; reboot is not required

A Process Monitor log of the install shows Explorer.exe is the Parent of the Sophos UI.exe process:

10:42:06.0285184 Explorer.EXE 8448 Process Create C:\Program Files\Sophos\Sophos UI\Sophos UI.exe SUCCESS PID: 7824, Command line: "C:\Program Files\Sophos\Sophos UI\Sophos UI.exe" /hidden

10:42:06.0285233 Sophos UI.exe 7824 Process Start SUCCESS Parent PID: 8448, Command line: "C:\Program Files\Sophos\Sophos UI\Sophos UI.exe" /hidden, Current directory: C:\Windows\system32\, Environment:

Anything useful in the sophos UI install log around this time?

Did you manage to resolve this problem ? i ask because i have this same error on some computers. in the installation logs i only see a permission error for a Sophos Registry.

Hello Ghost_10 ,

We appreciate your reaching out to the Sophos Community Forum.

Is there any third-party AV installed on the device? This might happen due to third-party AV installed on the device. 

Also, can you please run this command "fltmc"  on the affected device(don't use (" ") while running the command) and help me with the output so we can check.

Regards, 

Hello Rutvik Chavda 

The only sophos service that does not complete the installation is "Sophos Endpoint UI"

There is no other AV installed.

below is the output of the "fltmc" command:

Are you able to share the full contents of the "Sophos UI Install Log" located in the %temp% directory? You can use the "Insert > Code" function when posting a reply to make the logs easier to parse. 

If the logs you shared above are from taken from this log-file, could you try checking if the registry permissions are the same on this device/in this location as others where the installation has succeeded? 

2024-06-11T22:33:59.535Z [ 5200:12256] W OpenKey(HKLM\SOFTWARE\Classes\TypeLib\{4920465E-064D-4C21-8070-ADCBD3A3DE94}\1.0\0\win64) failed: Access is denied. (5)