This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos System Protection installation failed

During re-installation of Sophos on a Windows 10 client (upgraded to Win10 1803 before) the component 'Sophos System Protection' fails to install.
Have tried complete deinstallation and installation, without success.

 

The log file for Sophos System Protection setup shows a problem during action SetupSspUserAccount:

MSI (s) (FC:6C) [09:56:46:662]: Running Script: C:\WINDOWS\Installer\MSID5E6.tmp
MSI (s) (FC:6C) [09:56:46:662]: PROPERTY CHANGE: Adding UpdateStarted property. Its value is '1'.
MSI (s) (FC:6C) [09:56:46:672]: Note: 1: 2265 2:  3: -2147287035
MSI (s) (FC:6C) [09:56:46:672]: Machine policy value 'DisableRollback' is 0
MSI (s) (FC:6C) [09:56:46:672]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (FC:6C) [09:56:46:672]: Executing op: Header(Signature=1397708873,Version=500,Timestamp=1293373208,LangId=1033,Platform=0,ScriptType=1,ScriptMajorVersion=21,ScriptMinorVersion=4,ScriptAttributes=1)
Action start 09:56:46: InstallFinalize.
MSI (s) (FC:6C) [09:56:46:672]: Executing op: ProductInfo(ProductKey={1093B57D-A613-47F3-90CF-0FD5C5DCFFE6},ProductName=Sophos System Protection,PackageName=SophosSystemProtection.msi,Language=1033,Version=16973825,Assignment=1,ObsoleteArg=0,ProductIcon=sspIcon.ico,,PackageCode={3B1063C9-3F76-41B5-9648-FC64C7BC4D79},,,InstanceType=0,LUASetting=0,RemoteURTInstalls=0,ProductDeploymentFlags=3)
MSI (s) (FC:6C) [09:56:46:672]: Executing op: DialogInfo(Type=0,Argument=1033)
MSI (s) (FC:6C) [09:56:46:672]: Executing op: DialogInfo(Type=1,Argument=Sophos System Protection)
MSI (s) (FC:6C) [09:56:46:672]: Executing op: RollbackInfo(,RollbackAction=Rollback,RollbackDescription=Rolling back action:,RollbackTemplate=[1],CleanupAction=RollbackCleanup,CleanupDescription=Removing backup files,CleanupTemplate=File: [1])
MSI (s) (FC:6C) [09:56:46:672]: Executing op: SetBaseline(Baseline=0,)
MSI (s) (FC:6C) [09:56:46:672]: Executing op: SetBaseline(Baseline=1,)
MSI (s) (FC:6C) [09:56:46:672]: Executing op: ActionStart(Name=ProcessComponents,Description=Updating component registration,)
MSI (s) (FC:6C) [09:56:46:672]: Executing op: ProgressTotal(Total=13,Type=1,ByteEquivalent=24000)
MSI (s) (FC:6C) [09:56:46:672]: Executing op: ComponentRegister(ComponentId={96CAB1A6-E3C3-42BC-B1AC-57552F6DE27B},KeyPath=C:\Program Files (x86)\Sophos\Sophos System Protection\,State=3,,Disk=1,SharedDllRefCount=0,BinaryType=0)
MSI (s) (FC:6C) [09:56:46:672]: Executing op: ComponentRegister(ComponentId={EE372818-51C3-4B29-B0AD-9AA8740EAA1F},KeyPath=C:\Program Files (x86)\Sophos\Sophos System Protection\ssp.exe,State=3,,Disk=1,SharedDllRefCount=0,BinaryType=0)
MSI (s) (FC:6C) [09:56:46:672]: WIN64DUALFOLDERS: Substitution in 'C:\Program Files (x86)\Sophos\Sophos System Protection\ssp.exe' folder had been blocked by the 1 mask argument (the folder pair's iSwapAttrib member = 0).
MSI (s) (FC:6C) [09:56:46:672]: Executing op: ComponentRegister(ComponentId={EFB99B6F-FB73-4F3E-9FE6-A64F479DF970},KeyPath=C:\Program Files (x86)\Sophos\Sophos System Protection\scf.dat,State=3,,Disk=1,SharedDllRefCount=0,BinaryType=0)
MSI (s) (FC:6C) [09:56:46:672]: WIN64DUALFOLDERS: Substitution in 'C:\Program Files (x86)\Sophos\Sophos System Protection\scf.dat' folder had been blocked by the 1 mask argument (the folder pair's iSwapAttrib member = 0).
MSI (s) (FC:6C) [09:56:46:672]: Executing op: ComponentRegister(ComponentId={AEA712C0-6555-4FB1-A4CC-1806B1F94B45},KeyPath=02:\Software\Sophos\SystemProtection\PipeName,State=3,,Disk=1,SharedDllRefCount=0,BinaryType=0)
MSI (s) (FC:6C) [09:56:46:672]: Executing op: ComponentRegister(ComponentId={CD73DBF6-732F-4699-A9B6-968BDB1BC054},KeyPath=02:\Software\Sophos\SystemProtection\LOG\File,State=3,,Disk=1,SharedDllRefCount=0,BinaryType=0)
MSI (s) (FC:6C) [09:56:46:672]: Executing op: ComponentRegister(ComponentId={5F071C66-51B7-4406-8165-4E3D9E70C42F},KeyPath=C:\ProgramData\Sophos\Sophos System Protection\Config\,State=3,,Disk=1,SharedDllRefCount=0,BinaryType=0)
MSI (s) (FC:6C) [09:56:46:682]: Executing op: ComponentRegister(ComponentId={46D9C339-FF13-4CE0-B519-E5BFE7F2BC77},KeyPath=C:\ProgramData\Sophos\Sophos System Protection\Config\SSP.conf,State=3,,Disk=1,SharedDllRefCount=0,BinaryType=0)
MSI (s) (FC:6C) [09:56:46:682]: Executing op: ComponentRegister(ComponentId={89C06DC7-B12C-4311-9BDF-1FDA75734164},KeyPath=C:\ProgramData\Sophos\Sophos System Protection\Config\FBA.conf,State=3,,Disk=1,SharedDllRefCount=0,BinaryType=0)
MSI (s) (FC:6C) [09:56:46:682]: Executing op: ComponentRegister(ComponentId={F56BEF81-6CB2-4FEE-930F-6C93D6A28E0C},KeyPath=C:\ProgramData\Sophos\Sophos System Protection\Config\PIA.conf,State=3,,Disk=1,SharedDllRefCount=0,BinaryType=0)
MSI (s) (FC:6C) [09:56:46:682]: Executing op: ComponentRegister(ComponentId={F2B22387-9B39-4788-AEB6-B9551324FF17},KeyPath=C:\ProgramData\Sophos\Sophos System Protection\Config\SXA.conf,State=3,,Disk=1,SharedDllRefCount=0,BinaryType=0)
MSI (s) (FC:6C) [09:56:46:682]: Executing op: ComponentRegister(ComponentId={BAAE170A-5F93-4FF6-9782-3F017EC4C4B1},KeyPath=C:\ProgramData\Sophos\Sophos System Protection\Config\EPH.conf,State=3,,Disk=1,SharedDllRefCount=0,BinaryType=0)
MSI (s) (FC:6C) [09:56:46:682]: Executing op: ComponentRegister(ComponentId={216A2A33-1146-472F-9635-107BFE94723A},KeyPath=C:\ProgramData\Sophos\Sophos System Protection\Logs\,State=3,,Disk=1,SharedDllRefCount=0,BinaryType=0)
MSI (s) (FC:6C) [09:56:46:682]: Executing op: ComponentRegister(ComponentId={EF1063A8-7B97-4CD0-A2CC-4BA27645908D},KeyPath=C:\ProgramData\Sophos\Sophos System Protection\Data\,State=3,,Disk=1,SharedDllRefCount=0,BinaryType=0)
MSI (s) (FC:6C) [09:56:46:682]: Executing op: ActionStart(Name=StopServices,Description=Stopping services,Template=Service: [1])
MSI (s) (FC:6C) [09:56:46:682]: Executing op: ProgressTotal(Total=1,Type=1,ByteEquivalent=1300000)
MSI (s) (FC:6C) [09:56:46:682]: Executing op: ServiceControl(,Name=sophossps,Action=2,Wait=1,)
MSI (s) (FC:6C) [09:56:46:682]: Executing op: ActionStart(Name=RemoveRegistryValues,Description=Removing system registry values,Template=Key: [1], Name: [2])
MSI (s) (FC:6C) [09:56:46:682]: Executing op: ProgressTotal(Total=1,Type=1,ByteEquivalent=13200)
MSI (s) (FC:6C) [09:56:46:682]: Executing op: RegOpenKey(Root=-2147483646,Key=Software\Sophos\AutoUpdate\Products\SSP,,BinaryType=0,,)
MSI (s) (FC:6C) [09:56:46:682]: Executing op: RegRemoveKey()
MSI (s) (FC:6C) [09:56:46:682]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE32\Software\Sophos\AutoUpdate\Products\SSP 3: 2
MSI (s) (FC:6C) [09:56:46:682]: Executing op: ActionStart(Name=CreateFolders,Description=Creating folders,Template=Folder: [1])
MSI (s) (FC:6C) [09:56:46:682]: Executing op: FolderCreate(Folder=C:\ProgramData\Sophos\Sophos System Protection\Data\,Foreign=0,,)
MSI (s) (FC:6C) [09:56:46:692]: Executing op: FolderCreate(Folder=C:\Program Files (x86)\Sophos\Sophos System Protection\,Foreign=0,SecurityDescriptor=BinaryData,)
MSI (s) (FC:6C) [09:56:46:692]: Executing op: FolderCreate(Folder=C:\ProgramData\Sophos\Sophos System Protection\Config\,Foreign=0,,)
MSI (s) (FC:6C) [09:56:46:692]: Executing op: FolderCreate(Folder=C:\ProgramData\Sophos\Sophos System Protection\Logs\,Foreign=0,,)
MSI (s) (FC:6C) [09:56:46:692]: Executing op: ActionStart(Name=InstallFiles,Description=Copying new files,Template=File: [1],  Directory: [9],  Size: [6])
MSI (s) (FC:6C) [09:56:46:702]: Executing op: ProgressTotal(Total=2503768,Type=0,ByteEquivalent=1)
MSI (s) (FC:6C) [09:56:46:702]: Executing op: SetTargetFolder(Folder=C:\ProgramData\Sophos\Sophos System Protection\Config\)
MSI (s) (FC:6C) [09:56:46:702]: Executing op: SetSourceFolder(Folder=1\Sophos\vouvuy1l\Config\|Sophos\Sophos System Protection\Config\)
MSI (s) (FC:6C) [09:56:46:702]: Executing op: ChangeMedia(,MediaPrompt=Please insert the disk: ,,BytesPerTick=65536,CopierType=0,,,,,,IsFirstPhysicalMedia=1)
MSI (s) (FC:6C) [09:56:46:702]: Executing op: FileCopy(SourceName=b3y1tuan.con|EPH.conf,SourceCabKey=EPH.conf,DestName=EPH.conf,Attributes=512,FileSize=144,PerTick=65536,,VerifyMedia=1,,,,,CheckCRC=0,,,InstallMode=58982400,HashOptions=0,HashPart1=1516603993,HashPart2=-1089115480,HashPart3=177560312,HashPart4=-460236261,,)
MSI (s) (FC:6C) [09:56:46:702]: File: C:\ProgramData\Sophos\Sophos System Protection\Config\EPH.conf;    To be installed;    Won't patch;    No existing file
MSI (s) (FC:6C) [09:56:46:702]: Source for file 'EPH.conf' is uncompressed, at 'C:\ProgramData\Sophos\AutoUpdate\cache\ssp\Sophos\Sophos System Protection\Config\'.
MSI (s) (FC:6C) [09:56:46:702]: Executing op: FileCopy(SourceName=-hs0uyul.con|FBA.conf,SourceCabKey=FBA.conf,DestName=FBA.conf,Attributes=512,FileSize=131,PerTick=65536,,VerifyMedia=1,,,,,CheckCRC=0,,,InstallMode=58982400,HashOptions=0,HashPart1=541071961,HashPart2=-1557347812,HashPart3=1112832803,HashPart4=-1762817671,,)
MSI (s) (FC:6C) [09:56:46:702]: File: C:\ProgramData\Sophos\Sophos System Protection\Config\FBA.conf;    To be installed;    Won't patch;    No existing file
MSI (s) (FC:6C) [09:56:46:702]: Source for file 'FBA.conf' is uncompressed, at 'C:\ProgramData\Sophos\AutoUpdate\cache\ssp\Sophos\Sophos System Protection\Config\'.
MSI (s) (FC:6C) [09:56:46:702]: Executing op: FileCopy(SourceName=gxaaofii.con|PIA.conf,SourceCabKey=PIA.conf,DestName=PIA.conf,Attributes=512,FileSize=184,PerTick=65536,,VerifyMedia=1,,,,,CheckCRC=0,,,InstallMode=58982400,HashOptions=0,HashPart1=587898439,HashPart2=1822813661,HashPart3=227107488,HashPart4=-1758655495,,)
MSI (s) (FC:6C) [09:56:46:702]: File: C:\ProgramData\Sophos\Sophos System Protection\Config\PIA.conf;    To be installed;    Won't patch;    No existing file
MSI (s) (FC:6C) [09:56:46:702]: Source for file 'PIA.conf' is uncompressed, at 'C:\ProgramData\Sophos\AutoUpdate\cache\ssp\Sophos\Sophos System Protection\Config\'.
MSI (s) (FC:6C) [09:56:46:702]: Executing op: SetTargetFolder(Folder=C:\Program Files (x86)\Sophos\Sophos System Protection\)
MSI (s) (FC:6C) [09:56:46:702]: Executing op: SetSourceFolder(Folder=1\Sophos\qgiys5c8\|Sophos\Sophos System Protection\)
MSI (s) (FC:6C) [09:56:46:702]: Executing op: FileCopy(SourceName=scf.dat,SourceCabKey=scf.dat,DestName=scf.dat,Attributes=512,FileSize=2871,PerTick=65536,,VerifyMedia=1,,,,SecurityDescriptor=BinaryData,CheckCRC=0,,,InstallMode=58982400,HashOptions=0,HashPart1=-1146186632,HashPart2=-1463422420,HashPart3=-996623114,HashPart4=1599061152,,)
MSI (s) (FC:6C) [09:56:46:702]: File: C:\Program Files (x86)\Sophos\Sophos System Protection\scf.dat;    To be installed;    Won't patch;    No existing file
MSI (s) (FC:6C) [09:56:46:702]: Source for file 'scf.dat' is uncompressed, at 'C:\ProgramData\Sophos\AutoUpdate\cache\ssp\Sophos\Sophos System Protection\'.
MSI (s) (FC:6C) [09:56:46:702]: File will have security applied from OpCode.
MSI (s) (FC:6C) [09:56:46:702]: Executing op: SetTargetFolder(Folder=C:\ProgramData\Sophos\Sophos System Protection\Config\)
MSI (s) (FC:6C) [09:56:46:702]: Executing op: SetSourceFolder(Folder=1\Sophos\vouvuy1l\Config\|Sophos\Sophos System Protection\Config\)
MSI (s) (FC:6C) [09:56:46:702]: Executing op: FileCopy(SourceName=fpw3kto9.con|SSP.conf,SourceCabKey=SSP.conf,DestName=SSP.conf,Attributes=512,FileSize=449,PerTick=65536,,VerifyMedia=1,,,,,CheckCRC=0,,,InstallMode=58982400,HashOptions=0,HashPart1=-85885172,HashPart2=610031430,HashPart3=-1045786140,HashPart4=1490204841,,)
MSI (s) (FC:6C) [09:56:46:702]: File: C:\ProgramData\Sophos\Sophos System Protection\Config\SSP.conf;    To be installed;    Won't patch;    No existing file
MSI (s) (FC:6C) [09:56:46:702]: Source for file 'SSP.conf' is uncompressed, at 'C:\ProgramData\Sophos\AutoUpdate\cache\ssp\Sophos\Sophos System Protection\Config\'.
MSI (s) (FC:6C) [09:56:46:702]: Executing op: SetTargetFolder(Folder=C:\Program Files (x86)\Sophos\Sophos System Protection\)
MSI (s) (FC:6C) [09:56:46:702]: Executing op: SetSourceFolder(Folder=1\Sophos\qgiys5c8\|Sophos\Sophos System Protection\)
MSI (s) (FC:6C) [09:56:46:702]: Executing op: FileCopy(SourceName=ssp.exe,SourceCabKey=ssp.exe,DestName=ssp.exe,Attributes=512,FileSize=2499872,PerTick=65536,,VerifyMedia=1,,,,SecurityDescriptor=BinaryData,CheckCRC=0,Version=1.3.1.2,Language=2057,InstallMode=58982400,,,,,,,)
MSI (s) (FC:6C) [09:56:46:702]: File: C:\Program Files (x86)\Sophos\Sophos System Protection\ssp.exe;    To be installed;    Won't patch;    No existing file
MSI (s) (FC:6C) [09:56:46:702]: Source for file 'ssp.exe' is uncompressed, at 'C:\ProgramData\Sophos\AutoUpdate\cache\ssp\Sophos\Sophos System Protection\'.
MSI (s) (FC:6C) [09:56:46:712]: File will have security applied from OpCode.
MSI (s) (FC:6C) [09:56:46:712]: Executing op: SetTargetFolder(Folder=C:\ProgramData\Sophos\Sophos System Protection\Config\)
MSI (s) (FC:6C) [09:56:46:712]: Executing op: SetSourceFolder(Folder=1\Sophos\vouvuy1l\Config\|Sophos\Sophos System Protection\Config\)
MSI (s) (FC:6C) [09:56:46:712]: Executing op: FileCopy(SourceName=hy6kgivw.con|SXA.conf,SourceCabKey=SXA.conf,DestName=SXA.conf,Attributes=512,FileSize=117,PerTick=65536,,VerifyMedia=1,,,,,CheckCRC=0,,,InstallMode=58982400,HashOptions=0,HashPart1=1443997366,HashPart2=1950740203,HashPart3=-1509326715,HashPart4=-1802581291,,)
MSI (s) (FC:6C) [09:56:46:712]: File: C:\ProgramData\Sophos\Sophos System Protection\Config\SXA.conf;    To be installed;    Won't patch;    No existing file
MSI (s) (FC:6C) [09:56:46:712]: Source for file 'SXA.conf' is uncompressed, at 'C:\ProgramData\Sophos\AutoUpdate\cache\ssp\Sophos\Sophos System Protection\Config\'.
MSI (s) (FC:6C) [09:56:46:712]: Executing op: CacheSizeFlush(,)
MSI (s) (FC:6C) [09:56:46:712]: Executing op: ActionStart(Name=WriteRegistryValues,Description=Writing system registry values,Template=Key: [1], Name: [2], Value: [3])
MSI (s) (FC:6C) [09:56:46:712]: Executing op: ProgressTotal(Total=3,Type=1,ByteEquivalent=13200)
MSI (s) (FC:6C) [09:56:46:712]: Executing op: RegOpenKey(Root=-2147483646,Key=Software\Sophos\SystemProtection,SecurityDescriptor=BinaryData,BinaryType=0,,)
MSI (s) (FC:6C) [09:56:46:712]: Executing op: RegAddValue(Name=PipeName,Value=\\.\Pipe\qpbmcrvmgnyboezmbkzyjvdyoaacgawssnbjlwvmvrfomdmlmh,)
MSI (s) (FC:6C) [09:56:46:712]: Executing op: RegOpenKey(Root=-2147483646,Key=Software\Sophos\SystemProtection\LOG,SecurityDescriptor=BinaryData,BinaryType=0,,)
MSI (s) (FC:6C) [09:56:46:712]: Executing op: RegAddValue(Name=File,Value=C:\ProgramData\Sophos\Sophos System Protection\Logs\,)
MSI (s) (FC:6C) [09:56:46:712]: Executing op: RegAddValue(Name=Level,Value=1,)
MSI (s) (FC:6C) [09:56:46:712]: Executing op: ActionStart(Name=InstallServices,Description=Installing new services,Template=Service: [2])
MSI (s) (FC:6C) [09:56:46:712]: Executing op: ProgressTotal(Total=1,Type=1,ByteEquivalent=1300000)
MSI (s) (FC:6C) [09:56:46:712]: Executing op: ServiceInstall(Name=sophossps,DisplayName=Sophos System Protection Service,ImagePath="C:\Program Files (x86)\Sophos\Sophos System Protection\ssp.exe",ServiceType=16,StartType=2,ErrorControl=32769,,Dependencies=[~],,StartName=NT AUTHORITY\NetworkService,Password=**********,Description=Sophos System Protection Service,,)
MSI (s) (FC:6C) [09:56:46:712]: Executing op: ActionStart(Name=RequestUnrestrictedSSPSid,,)
MSI (s) (FC:6C) [09:56:46:712]: Executing op: CustomActionSchedule(Action=RequestUnrestrictedSSPSid,ActionType=1025,Source=BinaryData,Target=RequestUnrestrictedSSPSid,)
MSI (s) (FC:6C) [09:56:46:722]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSID6A5.tmp, Entrypoint: RequestUnrestrictedSSPSid
MSI (s) (FC:6C) [09:56:46:752]: Executing op: ActionStart(Name=ApplyPermissionsToFolders,,)
RequestUnrestrictedSSPSid:  Initialized.
MSI (s) (FC:6C) [09:56:46:752]: Executing op: CustomActionSchedule(Action=ApplyPermissionsToFolders,ActionType=1025,Source=BinaryData,Target=ApplyPermissionsToFolders,CustomActionData=C:\ProgramData\Sophos\Sophos System Protection\|C:\ProgramData\Sophos\Sophos System Protection\Logs\|C:\ProgramData\Sophos\Sophos System Protection\Config\|C:\ProgramData\Sophos\Sophos System Protection\Data\)
MSI (s) (FC:68) [09:56:46:752]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSID6D5.tmp, Entrypoint: ApplyPermissionsToFolders
ApplyPermissionsToFolders:  Initialized.
ApplyPermissionsToFolders:  Done: 007ABCE0Index: 0

ApplyPermissionsToFolders:  Done: 007A9DF8Index: 1

ApplyPermissionsToFolders:  Done: 007A9E70Index: 2

MSI (s) (FC:6C) [09:56:46:772]: Executing op: ActionStart(Name=RollbackServiceConfig,,)
ApplyPermissionsToFolders:  Done: 007A9EE8Index: 3

MSI (s) (FC:6C) [09:56:46:772]: Executing op: CustomActionSchedule(Action=RollbackServiceConfig,ActionType=3329,Source=BinaryData,Target=RollbackServiceConfig,CustomActionData=SchedServiceConfig)
MSI (s) (FC:6C) [09:56:46:782]: Executing op: ActionStart(Name=ExecServiceConfig,,)
MSI (s) (FC:6C) [09:56:46:782]: Executing op: CustomActionSchedule(Action=ExecServiceConfig,ActionType=3073,Source=BinaryData,Target=ExecServiceConfig,CustomActionData=SchedServiceConfig€sophossps€1€restart€restart€none€1€120€€)
MSI (s) (FC:AC) [09:56:46:782]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSID6F5.tmp, Entrypoint: ExecServiceConfig
MSI (s) (FC:6C) [09:56:46:802]: Executing op: ActionStart(Name=SetupSspUserAccountRollback,,)
MSI (s) (FC:6C) [09:56:46:802]: Executing op: CustomActionSchedule(Action=SetupSspUserAccountRollback,ActionType=1281,Source=BinaryData,Target=CleanUpSsspUserAccount,CustomActionData=NT SERVICE\sophossps)
MSI (s) (FC:6C) [09:56:46:802]: Executing op: ActionStart(Name=SetupSspUserAccount,,)
MSI (s) (FC:6C) [09:56:46:802]: Executing op: CustomActionSchedule(Action=SetupSspUserAccount,ActionType=1025,Source=BinaryData,Target=SetupSspUserAccount,CustomActionData=NT SERVICE\sophossps)
MSI (s) (FC:4C) [09:56:46:802]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSID706.tmp, Entrypoint: SetupSspUserAccount
SetupSspUserAccount:  Initialized.
SetupSspUserAccount:  LoadAccount(SophosSSPUser) failed (error 1332)
SetupSspUserAccount:  Granting permissions to user "NT SERVICE\sophossps"
CustomAction SetupSspUserAccount returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
MSI (s) (FC:6C) [09:56:49:272]: Note: 1: 2265 2:  3: -2147287035
MSI (s) (FC:6C) [09:56:49:272]: User policy value 'DisableRollback' is 0
MSI (s) (FC:6C) [09:56:49:272]: Machine policy value 'DisableRollback' is 0
Action ended 09:56:49: InstallFinalize. Return value 3.
MSI (s) (FC:6C) [09:56:49:272]: Executing op: Header(Signature=1397708873,Version=500,Timestamp=1293373208,LangId=1033,Platform=0,ScriptType=2,ScriptMajorVersion=21,ScriptMinorVersion=4,ScriptAttributes=1)
MSI (s) (FC:6C) [09:56:49:272]: Executing op: DialogInfo(Type=0,Argument=1033)
MSI (s) (FC:6C) [09:56:49:272]: Executing op: DialogInfo(Type=1,Argument=Sophos System Protection)
MSI (s) (FC:6C) [09:56:49:272]: Executing op: RollbackInfo(,RollbackAction=Rollback,RollbackDescription=Rolling back action:,RollbackTemplate=[1],CleanupAction=RollbackCleanup,CleanupDescription=Removing backup files,CleanupTemplate=File: [1])
MSI (s) (FC:6C) [09:56:49:272]: Executing op: ActionStart(Name=SetupSspUserAccount,,)
MSI (s) (FC:6C) [09:56:49:272]: Executing op: ProductInfo(ProductKey={1093B57D-A613-47F3-90CF-0FD5C5DCFFE6},ProductName=Sophos System Protection,PackageName=SophosSystemProtection.msi,Language=1033,Version=16973825,Assignment=1,ObsoleteArg=0,ProductIcon=sspIcon.ico,,PackageCode={3B1063C9-3F76-41B5-9648-FC64C7BC4D79},,,InstanceType=0,LUASetting=0,RemoteURTInstalls=0,ProductDeploymentFlags=3)
MSI (s) (FC:6C) [09:56:49:272]: Executing op: ActionStart(Name=SetupSspUserAccountRollback,,)
MSI (s) (FC:6C) [09:56:49:272]: Executing op: CustomActionRollback(Action=SetupSspUserAccountRollback,ActionType=1281,Source=BinaryData,Target=CleanUpSsspUserAccount,CustomActionData=NT SERVICE\sophossps)
MSI (s) (FC:90) [09:56:49:282]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSIE0AC.tmp, Entrypoint: CleanUpSsspUserAccount
CleanUpSsspUserAccount:  Initialized.
CustomAction SetupSspUserAccountRollback returned actual error code 1603 but will be translated to success due to continue marking
MSI (s) (FC:6C) [09:56:49:622]: Executing op: ActionStart(Name=ExecServiceConfig,,)
MSI (s) (FC:6C) [09:56:49:622]: Executing op: ActionStart(Name=RollbackServiceConfig,,)
MSI (s) (FC:6C) [09:56:49:622]: Executing op: CustomActionRollback(Action=RollbackServiceConfig,ActionType=3329,Source=BinaryData,Target=RollbackServiceConfig,CustomActionData=SchedServiceConfig)
MSI (s) (FC:24) [09:56:49:622]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSIE204.tmp, Entrypoint: RollbackServiceConfig
MSI (s) (FC:6C) [09:56:49:652]: Executing op: ActionStart(Name=ApplyPermissionsToFolders,,)
MSI (s) (FC:6C) [09:56:49:652]: Executing op: ActionStart(Name=RequestUnrestrictedSSPSid,,)
MSI (s) (FC:6C) [09:56:49:652]: Executing op: ActionStart(Name=InstallServices,Description=Installing new services,Template=Service: [2])
MSI (s) (FC:6C) [09:56:49:652]: Executing op: ServiceControl(,Name=sophossps,Action=8,,)
MSI (s) (FC:6C) [09:56:49:652]: Executing op: ActionStart(Name=WriteRegistryValues,Description=Writing system registry values,Template=Key: [1], Name: [2], Value: [3])
MSI (s) (FC:6C) [09:56:49:652]: Executing op: RegOpenKey(Root=-2147483646,Key=Software\Sophos\SystemProtection\LOG,,BinaryType=0,,)
MSI (s) (FC:6C) [09:56:49:652]: Executing op: RegRemoveValue(Name=Level,Value=1,)
MSI (s) (FC:6C) [09:56:49:652]: Executing op: RegCreateKey()
MSI (s) (FC:6C) [09:56:49:652]: Executing op: RegRemoveValue(Name=File,Value=C:\ProgramData\Sophos\Sophos System Protection\Logs\,)
MSI (s) (FC:6C) [09:56:49:652]: Executing op: RegRemoveKey()
MSI (s) (FC:6C) [09:56:49:652]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE32\Software\Sophos\SystemProtection\LOG 3: 2
MSI (s) (FC:6C) [09:56:49:652]: Executing op: RegOpenKey(Root=-2147483646,Key=Software\Sophos\SystemProtection,SecurityDescriptor=BinaryData,BinaryType=0,,)
MSI (s) (FC:6C) [09:56:49:652]: Executing op: RegRemoveValue(Name=PipeName,Value=\\.\Pipe\qpbmcrvmgnyboezmbkzyjvdyoaacgawssnbjlwvmvrfomdmlmh,)
MSI (s) (FC:6C) [09:56:49:652]: Executing op: RegCreateKey()
MSI (s) (FC:6C) [09:56:49:652]: Executing op: ActionStart(Name=InstallFiles,Description=Copying new files,Template=File: [1],  Directory: [9],  Size: [6])
MSI (s) (FC:6C) [09:56:49:652]: Executing op: SetTargetFolder(Folder=C:\ProgramData\Sophos\Sophos System Protection\Config\)
MSI (s) (FC:6C) [09:56:49:652]: Executing op: FileRemove(,FileName=C:\ProgramData\Sophos\Sophos System Protection\Config\SXA.conf,,)
MSI (s) (FC:6C) [09:56:49:652]: Executing op: SetTargetFolder(Folder=C:\Program Files (x86)\Sophos\Sophos System Protection\)
MSI (s) (FC:6C) [09:56:49:652]: Executing op: FileRemove(,FileName=C:\Program Files (x86)\Sophos\Sophos System Protection\ssp.exe,,)
MSI (s) (FC:6C) [09:56:49:662]: Executing op: SetTargetFolder(Folder=C:\ProgramData\Sophos\Sophos System Protection\Config\)
MSI (s) (FC:6C) [09:56:49:662]: Executing op: FileRemove(,FileName=C:\ProgramData\Sophos\Sophos System Protection\Config\SSP.conf,,)
MSI (s) (FC:6C) [09:56:49:662]: Executing op: SetTargetFolder(Folder=C:\Program Files (x86)\Sophos\Sophos System Protection\)
MSI (s) (FC:6C) [09:56:49:662]: Executing op: FileRemove(,FileName=C:\Program Files (x86)\Sophos\Sophos System Protection\scf.dat,,)
MSI (s) (FC:6C) [09:56:49:672]: Executing op: SetTargetFolder(Folder=C:\ProgramData\Sophos\Sophos System Protection\Config\)
MSI (s) (FC:6C) [09:56:49:672]: Executing op: FileRemove(,FileName=C:\ProgramData\Sophos\Sophos System Protection\Config\PIA.conf,,)
MSI (s) (FC:6C) [09:56:49:672]: Executing op: FileRemove(,FileName=C:\ProgramData\Sophos\Sophos System Protection\Config\FBA.conf,,)
MSI (s) (FC:6C) [09:56:49:672]: Executing op: FileRemove(,FileName=C:\ProgramData\Sophos\Sophos System Protection\Config\EPH.conf,,)
MSI (s) (FC:6C) [09:56:49:672]: Executing op: ActionStart(Name=CreateFolders,Description=Creating folders,Template=Folder: [1])
MSI (s) (FC:6C) [09:56:49:672]: Executing op: FolderRemove(Folder=C:\ProgramData\Sophos\Sophos System Protection\Logs\,Foreign=0)
MSI (s) (FC:6C) [09:56:49:682]: Note: 1: 2318 2:  
MSI (s) (FC:6C) [09:56:49:682]: Note: 1: 2318 2:  
MSI (s) (FC:6C) [09:56:49:682]: Executing op: FolderRemove(Folder=C:\ProgramData\Sophos\Sophos System Protection\Config\,Foreign=0)
MSI (s) (FC:6C) [09:56:49:682]: Note: 1: 2318 2:  
MSI (s) (FC:6C) [09:56:49:682]: Note: 1: 2318 2:  
MSI (s) (FC:6C) [09:56:49:682]: Executing op: FolderRemove(Folder=C:\Program Files (x86)\Sophos\Sophos System Protection\,Foreign=0)
MSI (s) (FC:6C) [09:56:49:682]: Note: 1: 2318 2:  
MSI (s) (FC:6C) [09:56:49:692]: Executing op: FolderRemove(Folder=C:\ProgramData\Sophos\Sophos System Protection\Data\,Foreign=0)
MSI (s) (FC:6C) [09:56:49:692]: Note: 1: 2318 2:  
MSI (s) (FC:6C) [09:56:49:692]: Note: 1: 2318 2:  
MSI (s) (FC:6C) [09:56:49:692]: Note: 1: 2318 2:  
MSI (s) (FC:6C) [09:56:49:692]: Executing op: ActionStart(Name=RemoveRegistryValues,Description=Removing system registry values,Template=Key: [1], Name: [2])
MSI (s) (FC:6C) [09:56:49:692]: Executing op: RegOpenKey(Root=-2147483646,Key=Software\Sophos\AutoUpdate\Products\SSP,,BinaryType=0,,)
MSI (s) (FC:6C) [09:56:49:692]: Executing op: RegRemoveKey()
MSI (s) (FC:6C) [09:56:49:692]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE32\Software\Sophos\AutoUpdate\Products\SSP 3: 2
MSI (s) (FC:6C) [09:56:49:692]: Executing op: ActionStart(Name=StopServices,Description=Stopping services,Template=Service: [1])
MSI (s) (FC:6C) [09:56:49:692]: Executing op: ActionStart(Name=ProcessComponents,Description=Updating component registration,)
MSI (s) (FC:6C) [09:56:49:692]: Executing op: ComponentUnregister(ComponentId={EF1063A8-7B97-4CD0-A2CC-4BA27645908D},ProductKey={1093B57D-A613-47F3-90CF-0FD5C5DCFFE6},BinaryType=0,)
MSI (s) (FC:6C) [09:56:49:692]: Executing op: ComponentUnregister(ComponentId={216A2A33-1146-472F-9635-107BFE94723A},ProductKey={1093B57D-A613-47F3-90CF-0FD5C5DCFFE6},BinaryType=0,)
MSI (s) (FC:6C) [09:56:49:692]: Executing op: ComponentUnregister(ComponentId={BAAE170A-5F93-4FF6-9782-3F017EC4C4B1},ProductKey={1093B57D-A613-47F3-90CF-0FD5C5DCFFE6},BinaryType=0,)
MSI (s) (FC:6C) [09:56:49:702]: Executing op: ComponentUnregister(ComponentId={F2B22387-9B39-4788-AEB6-B9551324FF17},ProductKey={1093B57D-A613-47F3-90CF-0FD5C5DCFFE6},BinaryType=0,)
MSI (s) (FC:6C) [09:56:49:702]: Executing op: ComponentUnregister(ComponentId={F56BEF81-6CB2-4FEE-930F-6C93D6A28E0C},ProductKey={1093B57D-A613-47F3-90CF-0FD5C5DCFFE6},BinaryType=0,)
MSI (s) (FC:6C) [09:56:49:702]: Executing op: ComponentUnregister(ComponentId={89C06DC7-B12C-4311-9BDF-1FDA75734164},ProductKey={1093B57D-A613-47F3-90CF-0FD5C5DCFFE6},BinaryType=0,)
MSI (s) (FC:6C) [09:56:49:702]: Executing op: ComponentUnregister(ComponentId={46D9C339-FF13-4CE0-B519-E5BFE7F2BC77},ProductKey={1093B57D-A613-47F3-90CF-0FD5C5DCFFE6},BinaryType=0,)
MSI (s) (FC:6C) [09:56:49:702]: Executing op: ComponentUnregister(ComponentId={5F071C66-51B7-4406-8165-4E3D9E70C42F},ProductKey={1093B57D-A613-47F3-90CF-0FD5C5DCFFE6},BinaryType=0,)
MSI (s) (FC:6C) [09:56:49:702]: Executing op: ComponentUnregister(ComponentId={CD73DBF6-732F-4699-A9B6-968BDB1BC054},ProductKey={1093B57D-A613-47F3-90CF-0FD5C5DCFFE6},BinaryType=0,)
MSI (s) (FC:6C) [09:56:49:702]: Executing op: ComponentUnregister(ComponentId={AEA712C0-6555-4FB1-A4CC-1806B1F94B45},ProductKey={1093B57D-A613-47F3-90CF-0FD5C5DCFFE6},BinaryType=0,)
MSI (s) (FC:6C) [09:56:49:702]: Executing op: ComponentUnregister(ComponentId={EFB99B6F-FB73-4F3E-9FE6-A64F479DF970},ProductKey={1093B57D-A613-47F3-90CF-0FD5C5DCFFE6},BinaryType=0,)
MSI (s) (FC:6C) [09:56:49:702]: Executing op: ComponentUnregister(ComponentId={EE372818-51C3-4B29-B0AD-9AA8740EAA1F},ProductKey={1093B57D-A613-47F3-90CF-0FD5C5DCFFE6},BinaryType=0,)
MSI (s) (FC:6C) [09:56:49:702]: Executing op: ComponentUnregister(ComponentId={96CAB1A6-E3C3-42BC-B1AC-57552F6DE27B},ProductKey={1093B57D-A613-47F3-90CF-0FD5C5DCFFE6},BinaryType=0,)
MSI (s) (FC:6C) [09:56:49:702]: Executing op: End(Checksum=0,ProgressTotalHDWord=0,ProgressTotalLDWord=0)
MSI (s) (FC:6C) [09:56:49:702]: Error in rollback skipped.    Return: 5
MSI (s) (FC:6C) [09:56:49:702]: Note: 1: 2318 2:  
MSI (s) (FC:6C) [09:56:49:712]: No System Restore sequence number for this installation.
MSI (s) (FC:6C) [09:56:49:712]: Unlocking Server
MSI (s) (FC:6C) [09:56:49:712]: PROPERTY CHANGE: Deleting UpdateStarted property. Its current value is '1'.
Action ended 09:56:49: INSTALL. Return value 3.

This issue has occurred on two different client PCs after upgrade to Windows 10 1803 with consecutve re-installation of Sophos Endpoint Protection.
Appreciate your help, thank you.



This thread was automatically locked due to age.
Parents
  • Hello Clemens Feige,

    please check the Sophos Anti-Virus (Major) CustomActions log where it talks about SetupSspUserAccount. The actual error is recorded there.

    Christian

  • Hello Christian,

    latest custom actions log file is of 9:25 AM (attached here), but no info about SetupSspUserAccount.
    There exists a Sophos Anti-Virus Major Install Log too which is about 3 MB.

    Here is the snippet about SetupSspUserAccount:

    MSI (s) (40:B8) [09:25:41:845]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI6192.tmp, Entrypoint: SetSAVServiceSID
    MSI (s) (40:0C) [09:25:41:855]: Executing op: ActionStart(Name=AddSIPSSubmitterUserAccountRollback,,)
    MSI (s) (40:0C) [09:25:41:855]: Executing op: CustomActionSchedule(Action=AddSIPSSubmitterUserAccountRollback,ActionType=1281,Source=BinaryData,Target=RemoveSIPSManagementUser,CustomActionData=NT SERVICE\SAVService)
    MSI (s) (40:0C) [09:25:41:855]: Executing op: ActionStart(Name=AddSIPSSubmitterUserAccount,,)
    MSI (s) (40:0C) [09:25:41:855]: Executing op: CustomActionSchedule(Action=AddSIPSSubmitterUserAccount,ActionType=1025,Source=BinaryData,Target=AddSIPSManagementUser,CustomActionData=NT SERVICE\SAVService)
    MSI (s) (40:3C) [09:25:41:855]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI6193.tmp, Entrypoint: AddSIPSManagementUser
    AddSIPSManagementUser Enter (234)
    MSI (s) (40:0C) [09:25:41:865]: Executing op: ActionStart(Name=SetupSspUserAccountRollback,,)
    AddSIPSManagementUser Exit (283)
    MSI (s) (40:0C) [09:25:41:865]: Executing op: CustomActionSchedule(Action=SetupSspUserAccountRollback,ActionType=1345,Source=BinaryData,Target=CleanUpSsspUserAccount,CustomActionData=NT SERVICE\SAVService)
    MSI (s) (40:0C) [09:25:41:865]: Executing op: ActionStart(Name=SetupSspUserAccount,,)
    MSI (s) (40:0C) [09:25:41:865]: Executing op: CustomActionSchedule(Action=SetupSspUserAccount,ActionType=1089,Source=BinaryData,Target=SetupSspUserAccount,CustomActionData=NT SERVICE\SAVService)
    MSI (s) (40:74) [09:25:41:865]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI61A3.tmp, Entrypoint: SetupSspUserAccount
    SetupSspUserAccount:  Initialized.
    SetupSspUserAccount:  LoadAccount(SophosSSPUser) failed (error 1332)
    SetupSspUserAccount:  Granting permissions to user "NT SERVICE\SAVService"
    MSI (s) (40:0C) [09:25:42:445]: Executing op: ActionStart(Name=SetServiceSecurity,,)
    CustomAction SetupSspUserAccount returned actual error code 1603 but will be translated to success due to continue marking
    MSI (s) (40:0C) [09:25:42:445]: Executing op: CustomActionSchedule(Action=SetServiceSecurity,ActionType=1025,Source=BinaryData,Target=SetServiceSecurity,)
    MSI (s) (40:60) [09:25:42:445]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI63E6.tmp, Entrypoint: SetServiceSecurity
    MSI (s) (40:0C) [09:25:42:455]: Executing op: ActionStart(Name=SetServiceRecoveryActions,,)
    MSI (s) (40:0C) [09:25:42:455]: Executing op: CustomActionSchedule(Action=SetServiceRecoveryActions,ActionType=1025,Source=BinaryData,Target=SetServiceRecoveryActions,)
    MSI (s) (40:F0) [09:25:42:455]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI63F7.tmp, Entrypoint: SetServiceRecoveryActions

    Is this somehow helpful?

    2018-08-23 09:25:16 ExtractClassicConfig: Action started
    
    2018-08-23 09:25:16 ExtractClassicConfig: Action succeeded
    
    2018-08-23 09:25:16 PreInstallChecks: Action started
    
    2018-08-23 09:25:16 PreInstallChecks: Action succeeded
    
    2018-08-23 09:25:16 SetBootDriverStartupProperty: Action started
    
    2018-08-23 09:25:16 SetBootDriverStartupProperty: Boot driver: not installed.
    
    2018-08-23 09:25:16 SetBootDriverStartupProperty: Action succeeded
    
    2018-08-23 09:25:16 SetClassFilterPresentProperty: Action started
    
    2018-08-23 09:25:16 SetClassFilterPresentProperty: Setting class filter present property to: 0
    
    2018-08-23 09:25:16 SetClassFilterPresentProperty: Action succeeded
    
    2018-08-23 09:25:16 SetDriverProperty: Action started
    
    2018-08-23 09:25:16 SetDriverProperty: PROCESSOR_ARCHITECTURE environment variable is: AMD64
    
    2018-08-23 09:25:16 SetDriverProperty: Action succeeded
    
    2018-08-23 09:25:16 SetProcessorProperties: Action started
    
    2018-08-23 09:25:16 SetProcessorProperties: Action succeeded
    
    2018-08-23 09:25:16 SetRestoreExcludedProcessesProperty: Action started
    
    2018-08-23 09:25:16 SetRestoreExcludedProcessesProperty: SetRestoreExcludedProcessesProperty
    
    2018-08-23 09:25:16 SetRestoreExcludedProcessesProperty: PROCESSOR_ARCHITECTURE environment variable is: AMD64
    
    2018-08-23 09:25:16 SetRestoreExcludedProcessesProperty: Action succeeded
    
    2018-08-23 09:25:23 CheckRegForNullDACLs: Action started
    
    2018-08-23 09:25:23 CheckRegForNullDACLs: Action succeeded
    
    2018-08-23 09:25:23 WaitForSAVService: Action started
    
    2018-08-23 09:25:23 WaitForSAVService: WaitForSAVService: Walking system processes...
    
    2018-08-23 09:25:23 WaitForSAVService: WaitForSAVService: Finished walking system processes.
    
    2018-08-23 09:25:23 WaitForSAVService: Action succeeded
    
    2018-08-23 09:25:23 CheckUninstallDrivers: Action started
    
    2018-08-23 09:25:23 CheckUninstallDrivers: IsServiceInstalled: Unable to get a handle to requested service SAVOnAccess control. Returning false.
    
    2018-08-23 09:25:23 CheckUninstallDrivers: IsServiceInstalled: Unable to get a handle to requested service SAVOnAccess filter. Returning false.
    
    2018-08-23 09:25:23 CheckUninstallDrivers: Action succeeded
    
    2018-08-23 09:25:23 DeleteIDEs: Action started
    
    2018-08-23 09:25:23 DeleteIDEs: Action succeeded
    
    2018-08-23 09:25:23 DeleteBDLs: Action started
    
    2018-08-23 09:25:23 DeleteBDLs: Action succeeded
    
    2018-08-23 09:25:23 DeleteHIPSConfig: Action started
    
    2018-08-23 09:25:23 DeleteHIPSConfig: Action succeeded
    
    2018-08-23 09:25:23 UpdateSavAdapterDll: Action started
    
    2018-08-23 09:25:33 UpdateSavAdapterDll: Action succeeded
    
    2018-08-23 09:25:33 UpdateDesktopMessaging: Action started
    
    2018-08-23 09:25:33 UpdateDesktopMessaging: UpdateDesktopMessaging: Could not delete SAVPlugin registry key(2)
    
    2018-08-23 09:25:33 UpdateDesktopMessaging: Action succeeded
    
    2018-08-23 09:25:33 CopyOtherFiles: Action started
    
    2018-08-23 09:25:33 CopyOtherFiles: CopyOtherFiles custom action - Copying other driver files
    
    2018-08-23 09:25:33 CopyOtherFiles: Copying class filter source: C:\ProgramData\Sophos\AutoUpdate\cache\savxp\drivers\sdcfilter\win7_amd64\SDCFILTER.INF, target: C:\Program Files (x86)\Sophos\Sophos Anti-Virus\
    
    2018-08-23 09:25:33 CopyOtherFiles: Copying boot driver source: C:\ProgramData\Sophos\AutoUpdate\cache\savxp\drivers\boottasks\win7_amd64\SOPHOSBOOTDRIVER.INF, target: C:\Program Files (x86)\Sophos\Sophos Anti-Virus\
    
    2018-08-23 09:25:33 CopyOtherFiles: GetRidOfExistingDetoured - C:\Program Files (x86)\Sophos\Sophos Anti-Virus\sophos_detoured.dll does not exist, no further action.
    
    2018-08-23 09:25:33 CopyOtherFiles: PROCESSOR_ARCHITECTURE environment variable is: AMD64
    
    2018-08-23 09:25:33 CopyOtherFiles: GetRidOfExistingDetoured - C:\Program Files (x86)\Sophos\Sophos Anti-Virus\sophos_detoured_x64.dll does not exist, no further action.
    
    2018-08-23 09:25:33 CopyOtherFiles: Copying boot tasks source: C:\ProgramData\Sophos\AutoUpdate\cache\savxp\drivers\boottasks\win7_amd64\SophosBootTasks.exe, target: C:\WINDOWS\system32\
    
    2018-08-23 09:25:33 CopyOtherFiles: Action succeeded
    
    2018-08-23 09:25:33 RegisterBufferOverflowProtection: Action started
    
    2018-08-23 09:25:33 RegisterBufferOverflowProtection: BopsUnregister: could not get short path to DLL. It will not be unregistered.
    
    2018-08-23 09:25:33 RegisterBufferOverflowProtection: GetRidOfExistingDetoured - C:\Program Files (x86)\Sophos\Sophos Anti-Virus\detoured.dll does not exist, no further action.
    
    2018-08-23 09:25:33 RegisterBufferOverflowProtection: PROCESSOR_ARCHITECTURE environment variable is: AMD64
    
    2018-08-23 09:25:33 RegisterBufferOverflowProtection: Action succeeded
    
    2018-08-23 09:25:33 RestoreExcludedProcesses: Action started
    
    2018-08-23 09:25:33 RestoreExcludedProcesses: RestoreExcludedProcesses
    
    2018-08-23 09:25:33 RestoreExcludedProcesses: Empty excluded processes property. Nothing to be done.
    
    2018-08-23 09:25:33 RestoreExcludedProcesses: Action succeeded
    
    2018-08-23 09:25:33 StartDriverServices: Action started
    
    2018-08-23 09:25:33 StartDriverServices: IsServiceRunning: Unable to get a handle to requested service skmscan. Returning false.
    
    2018-08-23 09:25:33 StartDriverServices: Unable to get a handle to kms service - service will not be started until next reboot
    
    2018-08-23 09:25:33 StartDriverServices: Action succeeded
    
    2018-08-23 09:25:34 CreateUserGroups: Action started
    
    2018-08-23 09:25:34 CreateUserGroups: Local name of well-known group Administrators is Administratoren
    
    2018-08-23 09:25:34 CreateUserGroups: Local name of well-known group PowerUsers is Hauptbenutzer
    
    2018-08-23 09:25:34 CreateUserGroups: Local name of well-known group Users is Benutzer
    
    2018-08-23 09:25:34 CreateUserGroups: Failed to add the members of group PowerUsers to SophosPowerUser group
    
    2018-08-23 09:25:34 CreateUserGroups: Adding LOCAL SYSTEM to the SophosAdministrator role in the machine file
    
    2018-08-23 09:25:37 CreateUserGroups: Action succeeded
    
    2018-08-23 09:25:37 PurgeIOfficeAVCache: Action started
    
    2018-08-23 09:25:37 PurgeIOfficeAVCache: PROCESSOR_ARCHITECTURE environment variable is: AMD64
    
    2018-08-23 09:25:37 PurgeIOfficeAVCache: PROCESSOR_ARCHITECTURE environment variable is: AMD64
    
    2018-08-23 09:25:37 PurgeIOfficeAVCache: PROCESSOR_ARCHITECTURE environment variable is: AMD64
    
    2018-08-23 09:25:37 PurgeIOfficeAVCache: PROCESSOR_ARCHITECTURE environment variable is: AMD64
    
    2018-08-23 09:25:37 PurgeIOfficeAVCache: PROCESSOR_ARCHITECTURE environment variable is: AMD64
    
    2018-08-23 09:25:37 PurgeIOfficeAVCache: PROCESSOR_ARCHITECTURE environment variable is: AMD64
    
    2018-08-23 09:25:37 PurgeIOfficeAVCache: Action succeeded
    
    2018-08-23 09:25:37 EnableAttachmentScanning: Action started
    
    2018-08-23 09:25:37 EnableAttachmentScanning: ScanWithAntiVirus value is already set to 3
    
    2018-08-23 09:25:37 EnableAttachmentScanning: Action succeeded
    
    2018-08-23 09:25:37 AddDomainGroups: Action started
    
    2018-08-23 09:25:37 AddDomainGroups: Action succeeded
    
    2018-08-23 09:25:41 SetSAVAdminUpdateBegin: Action started
    
    2018-08-23 09:25:41 SetSAVAdminUpdateBegin: Action succeeded
    
    2018-08-23 09:25:41 UpdateSAVI: Action started
    
    2018-08-23 09:25:41 UpdateSAVI: About to wait for event Global\!$_SAVI_!$$!_EVENT_$!__ReadyForUpdate
    
    2018-08-23 09:25:41 UpdateSAVI: WaitForSAVIEvent: Could not open memory mapped file Global\!$_SAVI_!$$!_MMMF_$!__
    
    2018-08-23 09:25:41 UpdateSAVI: Successfully waited for event Global\!$_SAVI_!$$!_EVENT_$!__ReadyForUpdate
    
    2018-08-23 09:25:41 UpdateSAVI: UpdateRequest signalled
    
    2018-08-23 09:25:41 UpdateSAVI: About to wait for event Global\!$_SAVI_!$$!_EVENT_$!__Suspended
    
    2018-08-23 09:25:41 UpdateSAVI: WaitForSAVIEvent: Could not open memory mapped file Global\!$_SAVI_!$$!_MMMF_$!__
    
    2018-08-23 09:25:41 UpdateSAVI: Successfully waited for event Global\!$_SAVI_!$$!_EVENT_$!__Suspended
    
    2018-08-23 09:25:41 UpdateSAVI: MSCM version orig:  new: 0.3.0.90
    
    2018-08-23 09:25:41 UpdateSAVI: Copying MSCM from: C:\ProgramData\Sophos\AutoUpdate\cache\savxp\savmscm.dll to: C:\Program Files (x86)\Sophos\Sophos Anti-Virus\savmscm.dll
    
    2018-08-23 09:25:41 UpdateSAVI: Registered MSCM
    
    2018-08-23 09:25:41 UpdateSAVI: SAVI dll was installed successfully
    
    2018-08-23 09:25:41 UpdateSAVI: Action succeeded
    
    2018-08-23 09:25:41 SetFolderPermissions: Action started
    
    2018-08-23 09:25:41 SetFolderPermissions: We are running on XP or higher - adding LocalService to permissions on config files
    
    2018-08-23 09:25:41 SetFolderPermissions: We are running on XP or higher - adding LocalService to permissions on config files
    
    2018-08-23 09:25:41 SetFolderPermissions: Unable to add set access permissions on the Data Control Log directory
    
    2018-08-23 09:25:41 SetFolderPermissions: Unable to add set access permissions on the Data Control directory
    
    2018-08-23 09:25:41 SetFolderPermissions: Action succeeded
    
    2018-08-23 09:25:41 SetServiceXP: Action started
    
    2018-08-23 09:25:41 SetServiceXP: Action succeeded
    
    2018-08-23 09:25:41 CreateTamperProtectionRegKey: Action started
    
    2018-08-23 09:25:41 CreateTamperProtectionRegKey: Action succeeded
    
    2018-08-23 09:25:41 SetSAVServiceSID: Action started
    
    2018-08-23 09:25:41 SetSAVServiceSID: PROCESSOR_ARCHITECTURE environment variable is: AMD64
    
    2018-08-23 09:25:41 SetSAVServiceSID: Action succeeded
    
    2018-08-23 09:25:42 SetServiceSecurity: Action started
    
    2018-08-23 09:25:42 SetServiceSecurity: Adding SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP to SavService launch permissions
    
    2018-08-23 09:25:42 SetServiceSecurity: Adding SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP to SavService launch permissions
    
    2018-08-23 09:25:42 SetServiceSecurity: Action succeeded
    
    2018-08-23 09:25:42 SetServiceRecoveryActions: Action started
    
    2018-08-23 09:25:42 SetServiceRecoveryActions: Action succeeded
    
    2018-08-23 09:25:42 InstallDeviceControl: Action started
    
    2018-08-23 09:25:42 InstallDeviceControl: PROCESSOR_ARCHITECTURE environment variable is: AMD64
    
    2018-08-23 09:25:42 InstallDeviceControl: Action succeeded
    
    2018-08-23 09:25:42 SetAdminGroupDescription: Action started
    
    2018-08-23 09:25:42 SetAdminGroupDescription: Action succeeded
    
    2018-08-23 09:25:42 SetPowerGroupDescription: Action started
    
    2018-08-23 09:25:42 SetPowerGroupDescription: Action succeeded
    
    2018-08-23 09:25:42 SetUserGroupDescription: Action started
    
    2018-08-23 09:25:42 SetUserGroupDescription: Action succeeded
    
    2018-08-23 09:25:42 SetOnAccessGroupDescription: Action started
    
    2018-08-23 09:25:42 SetOnAccessGroupDescription: Action succeeded
    
    2018-08-23 09:25:42 DisablePUADetection: Action started
    
    2018-08-23 09:25:42 DisablePUADetection: Action succeeded
    
    2018-08-23 09:25:42 DeleteExpiredCaches: Action started
    
    2018-08-23 09:25:42 DeleteExpiredCaches: Action succeeded
    
    2018-08-23 09:25:42 EnableJournals: Action started
    
    2018-08-23 09:25:42 EnableJournals: Checking journal for active volumes.
    
    2018-08-23 09:25:42 EnableJournals: Journaling already enabled for on \\?\Volume{71d7ecc7-fb2a-11e1-90a3-806e6f6e6963}\
    
    2018-08-23 09:25:42 EnableJournals: Journaling already enabled for on \\?\Volume{71d7ecc8-fb2a-11e1-90a3-806e6f6e6963}\
    
    2018-08-23 09:25:42 EnableJournals: Action succeeded
    
    2018-08-23 09:25:42 DisableWebProtection: Action started
    
    2018-08-23 09:25:42 DisableWebProtection: DisableWebProtection: OK
    
    2018-08-23 09:25:42 DisableWebProtection: Action succeeded
    
    2018-08-23 09:25:42 DisableSxlLookups: Action started
    
    2018-08-23 09:25:42 DisableSxlLookups: DisableSxlLookups: OK
    
    2018-08-23 09:25:42 DisableSxlLookups: Action succeeded
    
    2018-08-23 09:25:42 CheckSNMPDLLPresence: Action started
    
    2018-08-23 09:25:42 CheckSNMPDLLPresence: Action succeeded
    
    2018-08-23 09:25:42 UpdateSXLServerList: Action started
    
    2018-08-23 09:25:42 UpdateSXLServerList: LoadSophtainerData: GetSophtainerSection(C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SXLConfig.dat) returned 0. (180 bytes returned)
    
    
    2018-08-23 09:25:42 UpdateSXLServerList: ExtractSXLServerConf: 0, 4, 4
    
    2018-08-23 09:25:42 UpdateSXLServerList: Action succeeded
    
    2018-08-23 09:25:42 ApplySAVControlFile: Action started
    
    2018-08-23 09:25:42 ApplySAVControlFile: Reading SAVControlFile from C:\ProgramData\Sophos\AutoUpdate\cache\savxp\savcontrol
    
    2018-08-23 09:25:42 ApplySAVControlFile: `anonymous-namespace'::GetBoolValue: Value /FeatureControl/EnableBOPS in savcontrol json file not found, assumed default
    
    2018-08-23 09:25:42 ApplySAVControlFile: Writing machine file C:\ProgramData\Sophos\Sophos Anti-Virus\Config\machine.xml
    
    2018-08-23 09:25:42 ApplySAVControlFile: Action succeeded
    
    2018-08-23 09:25:42 GenerateSavMachineId: Action started
    
    2018-08-23 09:25:42 GenerateSavMachineId: Sav machine id = 627661AB-F769-4327-81BA-5AC87FAC3F78
    
    2018-08-23 09:25:42 GenerateSavMachineId: Action succeeded
    
    2018-08-23 09:25:42 SetSAVAdminUpdateComplete: Action started
    
    2018-08-23 09:25:42 SetSAVAdminUpdateComplete: Action succeeded
    
    2018-08-23 09:25:42 RunPreLaunchScripts: Action started
    
    2018-08-23 09:25:42 RunPreLaunchScripts: RunPreLaunchScripts: No entries.
    
    2018-08-23 09:25:42 RunPreLaunchScripts: Action succeeded
    
    2018-08-23 09:25:43 BootDriverStartup: Action started
    
    2018-08-23 09:25:43 BootDriverStartup: Boot driver restored: disabled
    
    2018-08-23 09:25:43 BootDriverStartup: Action succeeded
    
    2018-08-23 09:25:43 RegisterDCIfEnabled: Action started
    
    2018-08-23 09:25:43 RegisterDCIfEnabled: isDCEnabled: node not found: /configuration/components/DeviceControlManager/settings/enabled
    
    2018-08-23 09:25:43 RegisterDCIfEnabled: Action succeeded
    
    2018-08-23 09:25:43 StartSAVServices: Action started
    
    2018-08-23 09:25:55 StartSAVServices: Action succeeded
    
    2018-08-23 09:25:56 ConfigureSAV: Action started
    
    2018-08-23 09:25:56 ConfigureSAV: Policy files unchanged - ConfigureSAV will not be called
    
    2018-08-23 09:25:56 ConfigureSAV: Action succeeded
    
    2018-08-23 09:25:56 SetInstallationComplete: Action started
    
    2018-08-23 09:25:56 SetInstallationComplete: Action succeeded
    
    2018-08-23 09:25:56 CreateSavAdapterDllRegistryEntry: Action started
    
    2018-08-23 09:25:56 CreateSavAdapterDllRegistryEntry: Action succeeded
    
    2018-08-23 09:25:56 RunAfterScripts: Action started
    
    2018-08-23 09:25:56 RunAfterScripts: Action succeeded
    
    2018-08-23 09:25:56 CopySAVSyncFile: Action started
    
    2018-08-23 09:25:56 CopySAVSyncFile: Action succeeded
    
    

Reply
  • Hello Christian,

    latest custom actions log file is of 9:25 AM (attached here), but no info about SetupSspUserAccount.
    There exists a Sophos Anti-Virus Major Install Log too which is about 3 MB.

    Here is the snippet about SetupSspUserAccount:

    MSI (s) (40:B8) [09:25:41:845]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI6192.tmp, Entrypoint: SetSAVServiceSID
    MSI (s) (40:0C) [09:25:41:855]: Executing op: ActionStart(Name=AddSIPSSubmitterUserAccountRollback,,)
    MSI (s) (40:0C) [09:25:41:855]: Executing op: CustomActionSchedule(Action=AddSIPSSubmitterUserAccountRollback,ActionType=1281,Source=BinaryData,Target=RemoveSIPSManagementUser,CustomActionData=NT SERVICE\SAVService)
    MSI (s) (40:0C) [09:25:41:855]: Executing op: ActionStart(Name=AddSIPSSubmitterUserAccount,,)
    MSI (s) (40:0C) [09:25:41:855]: Executing op: CustomActionSchedule(Action=AddSIPSSubmitterUserAccount,ActionType=1025,Source=BinaryData,Target=AddSIPSManagementUser,CustomActionData=NT SERVICE\SAVService)
    MSI (s) (40:3C) [09:25:41:855]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI6193.tmp, Entrypoint: AddSIPSManagementUser
    AddSIPSManagementUser Enter (234)
    MSI (s) (40:0C) [09:25:41:865]: Executing op: ActionStart(Name=SetupSspUserAccountRollback,,)
    AddSIPSManagementUser Exit (283)
    MSI (s) (40:0C) [09:25:41:865]: Executing op: CustomActionSchedule(Action=SetupSspUserAccountRollback,ActionType=1345,Source=BinaryData,Target=CleanUpSsspUserAccount,CustomActionData=NT SERVICE\SAVService)
    MSI (s) (40:0C) [09:25:41:865]: Executing op: ActionStart(Name=SetupSspUserAccount,,)
    MSI (s) (40:0C) [09:25:41:865]: Executing op: CustomActionSchedule(Action=SetupSspUserAccount,ActionType=1089,Source=BinaryData,Target=SetupSspUserAccount,CustomActionData=NT SERVICE\SAVService)
    MSI (s) (40:74) [09:25:41:865]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI61A3.tmp, Entrypoint: SetupSspUserAccount
    SetupSspUserAccount:  Initialized.
    SetupSspUserAccount:  LoadAccount(SophosSSPUser) failed (error 1332)
    SetupSspUserAccount:  Granting permissions to user "NT SERVICE\SAVService"
    MSI (s) (40:0C) [09:25:42:445]: Executing op: ActionStart(Name=SetServiceSecurity,,)
    CustomAction SetupSspUserAccount returned actual error code 1603 but will be translated to success due to continue marking
    MSI (s) (40:0C) [09:25:42:445]: Executing op: CustomActionSchedule(Action=SetServiceSecurity,ActionType=1025,Source=BinaryData,Target=SetServiceSecurity,)
    MSI (s) (40:60) [09:25:42:445]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI63E6.tmp, Entrypoint: SetServiceSecurity
    MSI (s) (40:0C) [09:25:42:455]: Executing op: ActionStart(Name=SetServiceRecoveryActions,,)
    MSI (s) (40:0C) [09:25:42:455]: Executing op: CustomActionSchedule(Action=SetServiceRecoveryActions,ActionType=1025,Source=BinaryData,Target=SetServiceRecoveryActions,)
    MSI (s) (40:F0) [09:25:42:455]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI63F7.tmp, Entrypoint: SetServiceRecoveryActions

    Is this somehow helpful?

    2018-08-23 09:25:16 ExtractClassicConfig: Action started
    
    2018-08-23 09:25:16 ExtractClassicConfig: Action succeeded
    
    2018-08-23 09:25:16 PreInstallChecks: Action started
    
    2018-08-23 09:25:16 PreInstallChecks: Action succeeded
    
    2018-08-23 09:25:16 SetBootDriverStartupProperty: Action started
    
    2018-08-23 09:25:16 SetBootDriverStartupProperty: Boot driver: not installed.
    
    2018-08-23 09:25:16 SetBootDriverStartupProperty: Action succeeded
    
    2018-08-23 09:25:16 SetClassFilterPresentProperty: Action started
    
    2018-08-23 09:25:16 SetClassFilterPresentProperty: Setting class filter present property to: 0
    
    2018-08-23 09:25:16 SetClassFilterPresentProperty: Action succeeded
    
    2018-08-23 09:25:16 SetDriverProperty: Action started
    
    2018-08-23 09:25:16 SetDriverProperty: PROCESSOR_ARCHITECTURE environment variable is: AMD64
    
    2018-08-23 09:25:16 SetDriverProperty: Action succeeded
    
    2018-08-23 09:25:16 SetProcessorProperties: Action started
    
    2018-08-23 09:25:16 SetProcessorProperties: Action succeeded
    
    2018-08-23 09:25:16 SetRestoreExcludedProcessesProperty: Action started
    
    2018-08-23 09:25:16 SetRestoreExcludedProcessesProperty: SetRestoreExcludedProcessesProperty
    
    2018-08-23 09:25:16 SetRestoreExcludedProcessesProperty: PROCESSOR_ARCHITECTURE environment variable is: AMD64
    
    2018-08-23 09:25:16 SetRestoreExcludedProcessesProperty: Action succeeded
    
    2018-08-23 09:25:23 CheckRegForNullDACLs: Action started
    
    2018-08-23 09:25:23 CheckRegForNullDACLs: Action succeeded
    
    2018-08-23 09:25:23 WaitForSAVService: Action started
    
    2018-08-23 09:25:23 WaitForSAVService: WaitForSAVService: Walking system processes...
    
    2018-08-23 09:25:23 WaitForSAVService: WaitForSAVService: Finished walking system processes.
    
    2018-08-23 09:25:23 WaitForSAVService: Action succeeded
    
    2018-08-23 09:25:23 CheckUninstallDrivers: Action started
    
    2018-08-23 09:25:23 CheckUninstallDrivers: IsServiceInstalled: Unable to get a handle to requested service SAVOnAccess control. Returning false.
    
    2018-08-23 09:25:23 CheckUninstallDrivers: IsServiceInstalled: Unable to get a handle to requested service SAVOnAccess filter. Returning false.
    
    2018-08-23 09:25:23 CheckUninstallDrivers: Action succeeded
    
    2018-08-23 09:25:23 DeleteIDEs: Action started
    
    2018-08-23 09:25:23 DeleteIDEs: Action succeeded
    
    2018-08-23 09:25:23 DeleteBDLs: Action started
    
    2018-08-23 09:25:23 DeleteBDLs: Action succeeded
    
    2018-08-23 09:25:23 DeleteHIPSConfig: Action started
    
    2018-08-23 09:25:23 DeleteHIPSConfig: Action succeeded
    
    2018-08-23 09:25:23 UpdateSavAdapterDll: Action started
    
    2018-08-23 09:25:33 UpdateSavAdapterDll: Action succeeded
    
    2018-08-23 09:25:33 UpdateDesktopMessaging: Action started
    
    2018-08-23 09:25:33 UpdateDesktopMessaging: UpdateDesktopMessaging: Could not delete SAVPlugin registry key(2)
    
    2018-08-23 09:25:33 UpdateDesktopMessaging: Action succeeded
    
    2018-08-23 09:25:33 CopyOtherFiles: Action started
    
    2018-08-23 09:25:33 CopyOtherFiles: CopyOtherFiles custom action - Copying other driver files
    
    2018-08-23 09:25:33 CopyOtherFiles: Copying class filter source: C:\ProgramData\Sophos\AutoUpdate\cache\savxp\drivers\sdcfilter\win7_amd64\SDCFILTER.INF, target: C:\Program Files (x86)\Sophos\Sophos Anti-Virus\
    
    2018-08-23 09:25:33 CopyOtherFiles: Copying boot driver source: C:\ProgramData\Sophos\AutoUpdate\cache\savxp\drivers\boottasks\win7_amd64\SOPHOSBOOTDRIVER.INF, target: C:\Program Files (x86)\Sophos\Sophos Anti-Virus\
    
    2018-08-23 09:25:33 CopyOtherFiles: GetRidOfExistingDetoured - C:\Program Files (x86)\Sophos\Sophos Anti-Virus\sophos_detoured.dll does not exist, no further action.
    
    2018-08-23 09:25:33 CopyOtherFiles: PROCESSOR_ARCHITECTURE environment variable is: AMD64
    
    2018-08-23 09:25:33 CopyOtherFiles: GetRidOfExistingDetoured - C:\Program Files (x86)\Sophos\Sophos Anti-Virus\sophos_detoured_x64.dll does not exist, no further action.
    
    2018-08-23 09:25:33 CopyOtherFiles: Copying boot tasks source: C:\ProgramData\Sophos\AutoUpdate\cache\savxp\drivers\boottasks\win7_amd64\SophosBootTasks.exe, target: C:\WINDOWS\system32\
    
    2018-08-23 09:25:33 CopyOtherFiles: Action succeeded
    
    2018-08-23 09:25:33 RegisterBufferOverflowProtection: Action started
    
    2018-08-23 09:25:33 RegisterBufferOverflowProtection: BopsUnregister: could not get short path to DLL. It will not be unregistered.
    
    2018-08-23 09:25:33 RegisterBufferOverflowProtection: GetRidOfExistingDetoured - C:\Program Files (x86)\Sophos\Sophos Anti-Virus\detoured.dll does not exist, no further action.
    
    2018-08-23 09:25:33 RegisterBufferOverflowProtection: PROCESSOR_ARCHITECTURE environment variable is: AMD64
    
    2018-08-23 09:25:33 RegisterBufferOverflowProtection: Action succeeded
    
    2018-08-23 09:25:33 RestoreExcludedProcesses: Action started
    
    2018-08-23 09:25:33 RestoreExcludedProcesses: RestoreExcludedProcesses
    
    2018-08-23 09:25:33 RestoreExcludedProcesses: Empty excluded processes property. Nothing to be done.
    
    2018-08-23 09:25:33 RestoreExcludedProcesses: Action succeeded
    
    2018-08-23 09:25:33 StartDriverServices: Action started
    
    2018-08-23 09:25:33 StartDriverServices: IsServiceRunning: Unable to get a handle to requested service skmscan. Returning false.
    
    2018-08-23 09:25:33 StartDriverServices: Unable to get a handle to kms service - service will not be started until next reboot
    
    2018-08-23 09:25:33 StartDriverServices: Action succeeded
    
    2018-08-23 09:25:34 CreateUserGroups: Action started
    
    2018-08-23 09:25:34 CreateUserGroups: Local name of well-known group Administrators is Administratoren
    
    2018-08-23 09:25:34 CreateUserGroups: Local name of well-known group PowerUsers is Hauptbenutzer
    
    2018-08-23 09:25:34 CreateUserGroups: Local name of well-known group Users is Benutzer
    
    2018-08-23 09:25:34 CreateUserGroups: Failed to add the members of group PowerUsers to SophosPowerUser group
    
    2018-08-23 09:25:34 CreateUserGroups: Adding LOCAL SYSTEM to the SophosAdministrator role in the machine file
    
    2018-08-23 09:25:37 CreateUserGroups: Action succeeded
    
    2018-08-23 09:25:37 PurgeIOfficeAVCache: Action started
    
    2018-08-23 09:25:37 PurgeIOfficeAVCache: PROCESSOR_ARCHITECTURE environment variable is: AMD64
    
    2018-08-23 09:25:37 PurgeIOfficeAVCache: PROCESSOR_ARCHITECTURE environment variable is: AMD64
    
    2018-08-23 09:25:37 PurgeIOfficeAVCache: PROCESSOR_ARCHITECTURE environment variable is: AMD64
    
    2018-08-23 09:25:37 PurgeIOfficeAVCache: PROCESSOR_ARCHITECTURE environment variable is: AMD64
    
    2018-08-23 09:25:37 PurgeIOfficeAVCache: PROCESSOR_ARCHITECTURE environment variable is: AMD64
    
    2018-08-23 09:25:37 PurgeIOfficeAVCache: PROCESSOR_ARCHITECTURE environment variable is: AMD64
    
    2018-08-23 09:25:37 PurgeIOfficeAVCache: Action succeeded
    
    2018-08-23 09:25:37 EnableAttachmentScanning: Action started
    
    2018-08-23 09:25:37 EnableAttachmentScanning: ScanWithAntiVirus value is already set to 3
    
    2018-08-23 09:25:37 EnableAttachmentScanning: Action succeeded
    
    2018-08-23 09:25:37 AddDomainGroups: Action started
    
    2018-08-23 09:25:37 AddDomainGroups: Action succeeded
    
    2018-08-23 09:25:41 SetSAVAdminUpdateBegin: Action started
    
    2018-08-23 09:25:41 SetSAVAdminUpdateBegin: Action succeeded
    
    2018-08-23 09:25:41 UpdateSAVI: Action started
    
    2018-08-23 09:25:41 UpdateSAVI: About to wait for event Global\!$_SAVI_!$$!_EVENT_$!__ReadyForUpdate
    
    2018-08-23 09:25:41 UpdateSAVI: WaitForSAVIEvent: Could not open memory mapped file Global\!$_SAVI_!$$!_MMMF_$!__
    
    2018-08-23 09:25:41 UpdateSAVI: Successfully waited for event Global\!$_SAVI_!$$!_EVENT_$!__ReadyForUpdate
    
    2018-08-23 09:25:41 UpdateSAVI: UpdateRequest signalled
    
    2018-08-23 09:25:41 UpdateSAVI: About to wait for event Global\!$_SAVI_!$$!_EVENT_$!__Suspended
    
    2018-08-23 09:25:41 UpdateSAVI: WaitForSAVIEvent: Could not open memory mapped file Global\!$_SAVI_!$$!_MMMF_$!__
    
    2018-08-23 09:25:41 UpdateSAVI: Successfully waited for event Global\!$_SAVI_!$$!_EVENT_$!__Suspended
    
    2018-08-23 09:25:41 UpdateSAVI: MSCM version orig:  new: 0.3.0.90
    
    2018-08-23 09:25:41 UpdateSAVI: Copying MSCM from: C:\ProgramData\Sophos\AutoUpdate\cache\savxp\savmscm.dll to: C:\Program Files (x86)\Sophos\Sophos Anti-Virus\savmscm.dll
    
    2018-08-23 09:25:41 UpdateSAVI: Registered MSCM
    
    2018-08-23 09:25:41 UpdateSAVI: SAVI dll was installed successfully
    
    2018-08-23 09:25:41 UpdateSAVI: Action succeeded
    
    2018-08-23 09:25:41 SetFolderPermissions: Action started
    
    2018-08-23 09:25:41 SetFolderPermissions: We are running on XP or higher - adding LocalService to permissions on config files
    
    2018-08-23 09:25:41 SetFolderPermissions: We are running on XP or higher - adding LocalService to permissions on config files
    
    2018-08-23 09:25:41 SetFolderPermissions: Unable to add set access permissions on the Data Control Log directory
    
    2018-08-23 09:25:41 SetFolderPermissions: Unable to add set access permissions on the Data Control directory
    
    2018-08-23 09:25:41 SetFolderPermissions: Action succeeded
    
    2018-08-23 09:25:41 SetServiceXP: Action started
    
    2018-08-23 09:25:41 SetServiceXP: Action succeeded
    
    2018-08-23 09:25:41 CreateTamperProtectionRegKey: Action started
    
    2018-08-23 09:25:41 CreateTamperProtectionRegKey: Action succeeded
    
    2018-08-23 09:25:41 SetSAVServiceSID: Action started
    
    2018-08-23 09:25:41 SetSAVServiceSID: PROCESSOR_ARCHITECTURE environment variable is: AMD64
    
    2018-08-23 09:25:41 SetSAVServiceSID: Action succeeded
    
    2018-08-23 09:25:42 SetServiceSecurity: Action started
    
    2018-08-23 09:25:42 SetServiceSecurity: Adding SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP to SavService launch permissions
    
    2018-08-23 09:25:42 SetServiceSecurity: Adding SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP to SavService launch permissions
    
    2018-08-23 09:25:42 SetServiceSecurity: Action succeeded
    
    2018-08-23 09:25:42 SetServiceRecoveryActions: Action started
    
    2018-08-23 09:25:42 SetServiceRecoveryActions: Action succeeded
    
    2018-08-23 09:25:42 InstallDeviceControl: Action started
    
    2018-08-23 09:25:42 InstallDeviceControl: PROCESSOR_ARCHITECTURE environment variable is: AMD64
    
    2018-08-23 09:25:42 InstallDeviceControl: Action succeeded
    
    2018-08-23 09:25:42 SetAdminGroupDescription: Action started
    
    2018-08-23 09:25:42 SetAdminGroupDescription: Action succeeded
    
    2018-08-23 09:25:42 SetPowerGroupDescription: Action started
    
    2018-08-23 09:25:42 SetPowerGroupDescription: Action succeeded
    
    2018-08-23 09:25:42 SetUserGroupDescription: Action started
    
    2018-08-23 09:25:42 SetUserGroupDescription: Action succeeded
    
    2018-08-23 09:25:42 SetOnAccessGroupDescription: Action started
    
    2018-08-23 09:25:42 SetOnAccessGroupDescription: Action succeeded
    
    2018-08-23 09:25:42 DisablePUADetection: Action started
    
    2018-08-23 09:25:42 DisablePUADetection: Action succeeded
    
    2018-08-23 09:25:42 DeleteExpiredCaches: Action started
    
    2018-08-23 09:25:42 DeleteExpiredCaches: Action succeeded
    
    2018-08-23 09:25:42 EnableJournals: Action started
    
    2018-08-23 09:25:42 EnableJournals: Checking journal for active volumes.
    
    2018-08-23 09:25:42 EnableJournals: Journaling already enabled for on \\?\Volume{71d7ecc7-fb2a-11e1-90a3-806e6f6e6963}\
    
    2018-08-23 09:25:42 EnableJournals: Journaling already enabled for on \\?\Volume{71d7ecc8-fb2a-11e1-90a3-806e6f6e6963}\
    
    2018-08-23 09:25:42 EnableJournals: Action succeeded
    
    2018-08-23 09:25:42 DisableWebProtection: Action started
    
    2018-08-23 09:25:42 DisableWebProtection: DisableWebProtection: OK
    
    2018-08-23 09:25:42 DisableWebProtection: Action succeeded
    
    2018-08-23 09:25:42 DisableSxlLookups: Action started
    
    2018-08-23 09:25:42 DisableSxlLookups: DisableSxlLookups: OK
    
    2018-08-23 09:25:42 DisableSxlLookups: Action succeeded
    
    2018-08-23 09:25:42 CheckSNMPDLLPresence: Action started
    
    2018-08-23 09:25:42 CheckSNMPDLLPresence: Action succeeded
    
    2018-08-23 09:25:42 UpdateSXLServerList: Action started
    
    2018-08-23 09:25:42 UpdateSXLServerList: LoadSophtainerData: GetSophtainerSection(C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SXLConfig.dat) returned 0. (180 bytes returned)
    
    
    2018-08-23 09:25:42 UpdateSXLServerList: ExtractSXLServerConf: 0, 4, 4
    
    2018-08-23 09:25:42 UpdateSXLServerList: Action succeeded
    
    2018-08-23 09:25:42 ApplySAVControlFile: Action started
    
    2018-08-23 09:25:42 ApplySAVControlFile: Reading SAVControlFile from C:\ProgramData\Sophos\AutoUpdate\cache\savxp\savcontrol
    
    2018-08-23 09:25:42 ApplySAVControlFile: `anonymous-namespace'::GetBoolValue: Value /FeatureControl/EnableBOPS in savcontrol json file not found, assumed default
    
    2018-08-23 09:25:42 ApplySAVControlFile: Writing machine file C:\ProgramData\Sophos\Sophos Anti-Virus\Config\machine.xml
    
    2018-08-23 09:25:42 ApplySAVControlFile: Action succeeded
    
    2018-08-23 09:25:42 GenerateSavMachineId: Action started
    
    2018-08-23 09:25:42 GenerateSavMachineId: Sav machine id = 627661AB-F769-4327-81BA-5AC87FAC3F78
    
    2018-08-23 09:25:42 GenerateSavMachineId: Action succeeded
    
    2018-08-23 09:25:42 SetSAVAdminUpdateComplete: Action started
    
    2018-08-23 09:25:42 SetSAVAdminUpdateComplete: Action succeeded
    
    2018-08-23 09:25:42 RunPreLaunchScripts: Action started
    
    2018-08-23 09:25:42 RunPreLaunchScripts: RunPreLaunchScripts: No entries.
    
    2018-08-23 09:25:42 RunPreLaunchScripts: Action succeeded
    
    2018-08-23 09:25:43 BootDriverStartup: Action started
    
    2018-08-23 09:25:43 BootDriverStartup: Boot driver restored: disabled
    
    2018-08-23 09:25:43 BootDriverStartup: Action succeeded
    
    2018-08-23 09:25:43 RegisterDCIfEnabled: Action started
    
    2018-08-23 09:25:43 RegisterDCIfEnabled: isDCEnabled: node not found: /configuration/components/DeviceControlManager/settings/enabled
    
    2018-08-23 09:25:43 RegisterDCIfEnabled: Action succeeded
    
    2018-08-23 09:25:43 StartSAVServices: Action started
    
    2018-08-23 09:25:55 StartSAVServices: Action succeeded
    
    2018-08-23 09:25:56 ConfigureSAV: Action started
    
    2018-08-23 09:25:56 ConfigureSAV: Policy files unchanged - ConfigureSAV will not be called
    
    2018-08-23 09:25:56 ConfigureSAV: Action succeeded
    
    2018-08-23 09:25:56 SetInstallationComplete: Action started
    
    2018-08-23 09:25:56 SetInstallationComplete: Action succeeded
    
    2018-08-23 09:25:56 CreateSavAdapterDllRegistryEntry: Action started
    
    2018-08-23 09:25:56 CreateSavAdapterDllRegistryEntry: Action succeeded
    
    2018-08-23 09:25:56 RunAfterScripts: Action started
    
    2018-08-23 09:25:56 RunAfterScripts: Action succeeded
    
    2018-08-23 09:25:56 CopySAVSyncFile: Action started
    
    2018-08-23 09:25:56 CopySAVSyncFile: Action succeeded
    
    

Children
  • Hello Clemens Feige,

    the custom actions log
    twice wrong, must be the heat, I was thinking of the AV log, any this Ca goes anyway to the main log.
    Seems the Granting permissions to user "NT SERVICE\sophossps" fails, can't say if (and where) the actual error is logged. You say you re-installed after upgrading Windows - did you uninstall all Sophos components before upgrading? If not, why did you have to reinstall? Is SSP shown as installed under Programs and Features?

    Christian

  • Hello Christian,

    I have uninstalled Sophos after the upgrade to Win10 1803.
    Sophos was installed new because the firewall was not functional anymore after the upgrade to Win10 1803.
    Now the firewall works well but Sophos System Protection cannot be installed.

    I tried (all after the upgrade):

     1.
     First, all components were uninstalled in correct order according KB 12360.
     After restart it was tried to install, while all components are installed properly with exception of the Sophos System Protection.
     It is also not listed anymore in Programs and Features on both affected PCs.

     2.
     Second, it was tried to reinstall while incomplete installation remains on PC.
     Also this won't fix the issue.

     3.
     Again a complete deinstallation and install process was tried without success.
     Error message in log is always the same.

     

    Is it correct that there exists no cleanup tool anymore like it was provided by Sophos support years ago?

  • Hello Clemens Feige,

    no cleanup tool anymore
    this is the case. The Windows Installer is used to install the product so it has to be used for uninstall as well.

    Glancing again at the log in your original post - this isn't the complete log, is it? Looks like MSI is already rolling back (I have no SSP log to compare to yours at hand at the moment), the error at Granting permissions might be a red herring. Is there perhaps another earlier error that causes the rollback?

    Christian

  • Hello Christian,

    you are correct - it was not the whole file.

    All steps before have return value of 1.

    Here is a further snippet of steps which are done before:

    ...
    Action ended 15:08:59: InstallValidate. Return value 1.
    Action start 15:08:59: RemoveExistingProducts.
    MSI (s) (5C:5C) [15:08:59:019]: Doing action: InstallInitialize
    MSI (s) (5C:5C) [15:08:59:019]: Note: 1: 2205 2:  3: ActionText
    Action ended 15:08:59: RemoveExistingProducts. Return value 1.
    MSI (s) (5C:5C) [15:08:59:019]: Machine policy value 'AlwaysInstallElevated' is 0
    MSI (s) (5C:5C) [15:08:59:019]: User policy value 'AlwaysInstallElevated' is 0
    MSI (s) (5C:5C) [15:08:59:019]: BeginTransaction: Locking Server
    MSI (s) (5C:5C) [15:08:59:019]: Note: 1: 2203 2: C:\WINDOWS\Installer\inprogressinstallinfo.ipi 3: -2147287038
    MSI (s) (5C:5C) [15:08:59:019]: SRSetRestorePoint skipped for this transaction.
    MSI (s) (5C:5C) [15:08:59:019]: Note: 1: 2203 2: C:\WINDOWS\Installer\inprogressinstallinfo.ipi 3: -2147287038
    MSI (s) (5C:5C) [15:08:59:019]: Server not locked: locking for product {1093B57D-A613-47F3-90CF-0FD5C5DCFFE6}
    Action start 15:08:59: InstallInitialize.
    MSI (s) (5C:5C) [15:08:59:029]: Doing action: ProcessComponents
    MSI (s) (5C:5C) [15:08:59:029]: Note: 1: 2205 2:  3: ActionText
    Action ended 15:08:59: InstallInitialize. Return value 1.
    MSI (s) (5C:5C) [15:08:59:029]: Note: 1: 2205 2:  3: MsiPatchCertificate
    MSI (s) (5C:5C) [15:08:59:029]: LUA patching is disabled: missing MsiPatchCertificate table
    MSI (s) (5C:5C) [15:08:59:029]: Resolving source.
    MSI (s) (5C:5C) [15:08:59:029]: Resolving source to launched-from source.
    MSI (s) (5C:5C) [15:08:59:029]: Setting launched-from source as last-used.
    MSI (s) (5C:5C) [15:08:59:029]: PROPERTY CHANGE: Adding SourceDir property. Its value is 'C:\ProgramData\Sophos\AutoUpdate\cache\ssp\'.
    MSI (s) (5C:5C) [15:08:59:029]: PROPERTY CHANGE: Adding SOURCEDIR property. Its value is 'C:\ProgramData\Sophos\AutoUpdate\cache\ssp\'.
    MSI (s) (5C:5C) [15:08:59:029]: PROPERTY CHANGE: Adding SourcedirProduct property. Its value is '{1093B57D-A613-47F3-90CF-0FD5C5DCFFE6}'.
    MSI (s) (5C:5C) [15:08:59:029]: SOURCEDIR ==> C:\ProgramData\Sophos\AutoUpdate\cache\ssp\
    MSI (s) (5C:5C) [15:08:59:029]: SOURCEDIR product ==> {1093B57D-A613-47F3-90CF-0FD5C5DCFFE6}
    MSI (s) (5C:5C) [15:08:59:029]: Determining source type
    MSI (s) (5C:5C) [15:08:59:029]: Source type from package 'SophosSystemProtection.msi': 0
    MSI (s) (5C:5C) [15:08:59:029]: SECREPAIR: Hash Database: C:\WINDOWS\Installer\SourceHash{1093B57D-A613-47F3-90CF-0FD5C5DCFFE6}
    MSI (s) (5C:5C) [15:08:59:029]: Note: 1: 2262 2: SourceHash 3: -2147287038
    MSI (s) (5C:5C) [15:08:59:029]: SECREPAIR: New Hash Database creation complete.
    MSI (s) (5C:5C) [15:08:59:059]: Source path resolution complete. Dumping Directory table...
    MSI (s) (5C:5C) [15:08:59:059]: Dir (source): Key: TARGETDIR    , Object: C:\ProgramData\Sophos\AutoUpdate\cache\ssp\    , LongSubPath:     , ShortSubPath:
    MSI (s) (5C:5C) [15:08:59:059]: Dir (source): Key: WindowsFolder    , Object: C:\ProgramData\Sophos\AutoUpdate\cache\ssp\    , LongSubPath:     , ShortSubPath:
    MSI (s) (5C:5C) [15:08:59:059]: Dir (source): Key: INSTALLDIR.4D96E9F9_7E7B_4556_8D25_ABEE814FE4E0    , Object: C:\ProgramData\Sophos\AutoUpdate\cache\ssp\    , LongSubPath:     , ShortSubPath:
    MSI (s) (5C:5C) [15:08:59:059]: Dir (source): Key: ProgramFilesFolder    , Object: C:\ProgramData\Sophos\AutoUpdate\cache\ssp\    , LongSubPath:     , ShortSubPath:
    MSI (s) (5C:5C) [15:08:59:059]: Dir (source): Key: Sophos    , Object: C:\ProgramData\Sophos\AutoUpdate\cache\ssp\Sophos\    , LongSubPath: Sophos\    , ShortSubPath:
    MSI (s) (5C:5C) [15:08:59:059]: Dir (source): Key: INSTALLDIR    , Object: C:\ProgramData\Sophos\AutoUpdate\cache\ssp\Sophos\Sophos System Protection\    , LongSubPath: Sophos\Sophos System Protection\    , ShortSubPath: Sophos\qgiys5c8\
    MSI (s) (5C:5C) [15:08:59:059]: Dir (source): Key: CommonAppDataFolder    , Object: C:\ProgramData\Sophos\AutoUpdate\cache\ssp\    , LongSubPath:     , ShortSubPath:
    MSI (s) (5C:5C) [15:08:59:059]: Dir (source): Key: AppDataSophos    , Object: C:\ProgramData\Sophos\AutoUpdate\cache\ssp\Sophos\    , LongSubPath: Sophos\    , ShortSubPath:
    MSI (s) (5C:5C) [15:08:59:059]: Dir (source): Key: AppDataSsp    , Object: C:\ProgramData\Sophos\AutoUpdate\cache\ssp\Sophos\Sophos System Protection\    , LongSubPath: Sophos\Sophos System Protection\    , ShortSubPath: Sophos\vouvuy1l\
    MSI (s) (5C:5C) [15:08:59:059]: Dir (source): Key: Logs    , Object: C:\ProgramData\Sophos\AutoUpdate\cache\ssp\Sophos\Sophos System Protection\Logs\    , LongSubPath: Sophos\Sophos System Protection\Logs\    , ShortSubPath: Sophos\vouvuy1l\Logs\
    MSI (s) (5C:5C) [15:08:59:059]: Dir (source): Key: Config    , Object: C:\ProgramData\Sophos\AutoUpdate\cache\ssp\Sophos\Sophos System Protection\Config\    , LongSubPath: Sophos\Sophos System Protection\Config\    , ShortSubPath: Sophos\vouvuy1l\Config\
    MSI (s) (5C:5C) [15:08:59:059]: Dir (source): Key: Data    , Object: C:\ProgramData\Sophos\AutoUpdate\cache\ssp\Sophos\Sophos System Protection\Data\    , LongSubPath: Sophos\Sophos System Protection\Data\    , ShortSubPath: Sophos\vouvuy1l\Data\
    MSI (s) (5C:5C) [15:08:59:059]: Note: 1: 2205 2:  3: ActionText
    MSI (s) (5C:5C) [15:08:59:059]: Note: 1: 2205 2:  3: ActionText
    MSI (s) (5C:5C) [15:08:59:059]: Note: 1: 2205 2:  3: ActionText
    Action start 15:08:59: ProcessComponents.
    MSI (s) (5C:5C) [15:08:59:059]: Doing action: UnpublishFeatures
    MSI (s) (5C:5C) [15:08:59:059]: Note: 1: 2205 2:  3: ActionText
    Action ended 15:08:59: ProcessComponents. Return value 1.
    Action start 15:08:59: UnpublishFeatures.
    MSI (s) (5C:5C) [15:08:59:059]: Skipping action: StopSspServiceRollback.SetProperty (condition is false)
    MSI (s) (5C:5C) [15:08:59:059]: Skipping action: StopSspServiceRollback (condition is false)
    MSI (s) (5C:5C) [15:08:59:059]: Skipping action: StopSspService.SetProperty (condition is false)
    MSI (s) (5C:5C) [15:08:59:059]: Skipping action: StopSspService (condition is false)
    MSI (s) (5C:5C) [15:08:59:059]: Doing action: StopServices
    MSI (s) (5C:5C) [15:08:59:059]: Note: 1: 2205 2:  3: ActionText
    Action ended 15:08:59: UnpublishFeatures. Return value 1.
    Action start 15:08:59: StopServices.
    MSI (s) (5C:5C) [15:08:59:059]: Skipping action: CleanUpShsUserAccountRollback.SetProperty (condition is false)
    MSI (s) (5C:5C) [15:08:59:059]: Skipping action: CleanUpShsUserAccountRollback (condition is false)
    MSI (s) (5C:5C) [15:08:59:059]: Skipping action: CleanUpShsUserAccount.SetProperty (condition is false)
    MSI (s) (5C:5C) [15:08:59:059]: Skipping action: CleanUpShsUserAccount (condition is false)
    MSI (s) (5C:5C) [15:08:59:059]: Skipping action: CleanUpSsspUserAccountRollback.SetPropertyVistaOrLater (condition is false)
    MSI (s) (5C:5C) [15:08:59:059]: Skipping action: CleanUpSsspUserAccountRollback.SetPropertyXp (condition is false)
    MSI (s) (5C:5C) [15:08:59:059]: Skipping action: CleanUpSsspUserAccountRollback (condition is false)
    MSI (s) (5C:5C) [15:08:59:059]: Skipping action: CleanUpSsspUserAccount.SetPropertyVistaOrLater (condition is false)
    MSI (s) (5C:5C) [15:08:59:059]: Skipping action: CleanUpSsspUserAccount.SetPropertyXp (condition is false)
    MSI (s) (5C:5C) [15:08:59:059]: Skipping action: CleanUpSsspUserAccount (condition is false)
    MSI (s) (5C:5C) [15:08:59:059]: Skipping action: ApplyPermissionsToFoldersOnRollback.SetProperty (condition is false)
    MSI (s) (5C:5C) [15:08:59:059]: Skipping action: ApplyPermissionsToFoldersOnRollback (condition is false)
    MSI (s) (5C:5C) [15:08:59:059]: Skipping action: RequestUnrestrictedSSPSidOnRollback (condition is false)
    MSI (s) (5C:5C) [15:08:59:059]: Doing action: DeleteServices
    MSI (s) (5C:5C) [15:08:59:059]: Note: 1: 2205 2:  3: ActionText
    Action ended 15:08:59: StopServices. Return value 1.
    Action start 15:08:59: DeleteServices.
    MSI (s) (5C:5C) [15:08:59:069]: Doing action: RemoveRegistryValues
    MSI (s) (5C:5C) [15:08:59:069]: Note: 1: 2205 2:  3: ActionText
    Action ended 15:08:59: DeleteServices. Return value 1.
    Action start 15:08:59: RemoveRegistryValues.
    MSI (s) (5C:5C) [15:08:59:069]: Doing action: RemoveFiles
    MSI (s) (5C:5C) [15:08:59:069]: Note: 1: 2205 2:  3: ActionText
    Action ended 15:08:59: RemoveRegistryValues. Return value 1.
    Action start 15:08:59: RemoveFiles.
    MSI (s) (5C:5C) [15:08:59:069]: Skipping action: CleanupData.SetProperty (condition is false)
    MSI (s) (5C:5C) [15:08:59:069]: Skipping action: CleanupData (condition is false)
    MSI (s) (5C:5C) [15:08:59:069]: Skipping action: CleanupLogs.SetProperty (condition is false)
    MSI (s) (5C:5C) [15:08:59:069]: Skipping action: CleanupLogs (condition is false)
    MSI (s) (5C:5C) [15:08:59:069]: Doing action: RemoveFolders
    MSI (s) (5C:5C) [15:08:59:069]: Note: 1: 2205 2:  3: ActionText
    Action ended 15:08:59: RemoveFiles. Return value 1.
    Action start 15:08:59: RemoveFolders.
    MSI (s) (5C:5C) [15:08:59:069]: Doing action: CreateFolders
    MSI (s) (5C:5C) [15:08:59:069]: Note: 1: 2205 2:  3: ActionText
    Action ended 15:08:59: RemoveFolders. Return value 1.
    Action start 15:08:59: CreateFolders.
    MSI (s) (5C:5C) [15:08:59:069]: Using well known SID for Everyone
    MSI (s) (5C:5C) [15:08:59:069]: Finished allocating new user SID
    MSI (s) (5C:5C) [15:08:59:069]: Using well known SID for Administrators
    MSI (s) (5C:5C) [15:08:59:069]: Finished allocating new user SID
    MSI (s) (5C:5C) [15:08:59:069]: Using well known SID for System
    MSI (s) (5C:5C) [15:08:59:069]: Finished allocating new user SID
    MSI (s) (5C:5C) [15:08:59:069]: Doing action: InstallFiles
    MSI (s) (5C:5C) [15:08:59:069]: Note: 1: 2205 2:  3: ActionText
    Action ended 15:08:59: CreateFolders. Return value 1.
    Action start 15:08:59: InstallFiles.
    MSI (s) (5C:5C) [15:08:59:069]: Note: 1: 2205 2:  3: Patch
    MSI (s) (5C:5C) [15:08:59:069]: Note: 1: 2228 2:  3: Patch 4: SELECT `Patch`.`File_`, `Patch`.`Header`, `Patch`.`Attributes`, `Patch`.`Sequence`, `Patch`.`StreamRef_` FROM `Patch` WHERE `Patch`.`File_` = ? AND `Patch`.`#_MsiActive`=? ORDER BY `Patch`.`Sequence`
    MSI (s) (5C:5C) [15:08:59:069]: Note: 1: 2205 2:  3: MsiSFCBypass
    MSI (s) (5C:5C) [15:08:59:069]: Note: 1: 2228 2:  3: MsiSFCBypass 4: SELECT `File_` FROM `MsiSFCBypass` WHERE `File_` = ?
    MSI (s) (5C:5C) [15:08:59:069]: Note: 1: 2205 2:  3: MsiPatchHeaders
    MSI (s) (5C:5C) [15:08:59:069]: Note: 1: 2228 2:  3: MsiPatchHeaders 4: SELECT `Header` FROM `MsiPatchHeaders` WHERE `StreamRef` = ?
    MSI (s) (5C:5C) [15:08:59:069]: Note: 1: 2205 2:  3: PatchPackage
    MSI (s) (5C:5C) [15:08:59:069]: Note: 1: 2205 2:  3: MsiPatchHeaders
    MSI (s) (5C:5C) [15:08:59:069]: Note: 1: 2205 2:  3: PatchPackage
    MSI (s) (5C:5C) [15:08:59:069]: Doing action: RandomisePipeName
    MSI (s) (5C:5C) [15:08:59:069]: Note: 1: 2205 2:  3: ActionText
    Action ended 15:08:59: InstallFiles. Return value 1.
    MSI (s) (5C:78) [15:08:59:079]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSIC6DD.tmp, Entrypoint: GenerateRandString
    MSI (s) (5C:80) [15:08:59:079]: Generating random cookie.
    MSI (s) (5C:80) [15:08:59:079]: Created Custom Action Server with PID 3472 (0xD90).
    MSI (s) (5C:18) [15:08:59:099]: Running as a service.
    MSI (s) (5C:18) [15:08:59:099]: Hello, I'm your 32bit Elevated Non-remapped custom action server.
    Action start 15:08:59: RandomisePipeName.
    MSI (s) (5C!FC) [15:08:59:129]: PROPERTY CHANGE: Adding GeneratedRandString property. Its value is 'mxwtptttykduyvxjbzhqupxkxxvebmcsixhvdhcjxonzhsspmk'.
    GenerateRandString:  Initialized.
    MSI (s) (5C:5C) [15:08:59:129]: Doing action: WriteRegistryValues
    MSI (s) (5C:5C) [15:08:59:129]: Note: 1: 2205 2:  3: ActionText
    Action ended 15:08:59: RandomisePipeName. Return value 1.
    Action start 15:08:59: WriteRegistryValues.
    MSI (s) (5C:5C) [15:08:59:129]: Doing action: InstallServices
    MSI (s) (5C:5C) [15:08:59:129]: Note: 1: 2205 2:  3: ActionText
    Action ended 15:08:59: WriteRegistryValues. Return value 1.
    Action start 15:08:59: InstallServices.
    MSI (s) (5C:5C) [15:08:59:129]: Doing action: RequestUnrestrictedSSPSid
    MSI (s) (5C:5C) [15:08:59:129]: Note: 1: 2205 2:  3: ActionText
    Action ended 15:08:59: InstallServices. Return value 1.
    Action start 15:08:59: RequestUnrestrictedSSPSid.
    MSI (s) (5C:5C) [15:08:59:129]: Doing action: ApplyPermissionsToFolders.SetProperty
    MSI (s) (5C:5C) [15:08:59:129]: Note: 1: 2205 2:  3: ActionText
    Action ended 15:08:59: RequestUnrestrictedSSPSid. Return value 1.
    MSI (s) (5C:5C) [15:08:59:129]: PROPERTY CHANGE: Adding ApplyPermissionsToFolders property. Its value is 'C:\ProgramData\Sophos\Sophos System Protection\|C:\ProgramData\Sophos\Sophos System Protection\Logs\|C:\ProgramData\Sophos\Sophos System Protection\Config\|C:\ProgramData\Sophos\Sophos System Protection\Data\'.
    Action start 15:08:59: ApplyPermissionsToFolders.SetProperty.
    MSI (s) (5C:5C) [15:08:59:129]: Doing action: ApplyPermissionsToFolders
    MSI (s) (5C:5C) [15:08:59:129]: Note: 1: 2205 2:  3: ActionText
    Action ended 15:08:59: ApplyPermissionsToFolders.SetProperty. Return value 1.
    Action start 15:08:59: ApplyPermissionsToFolders.
    MSI (s) (5C:5C) [15:08:59:139]: Doing action: SchedServiceConfig
    MSI (s) (5C:5C) [15:08:59:139]: Note: 1: 2205 2:  3: ActionText
    Action ended 15:08:59: ApplyPermissionsToFolders. Return value 1.
    MSI (s) (5C:D4) [15:08:59:139]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSIC71D.tmp, Entrypoint: SchedServiceConfig
    MSI (s) (5C!48) [15:08:59:159]: PROPERTY CHANGE: Adding RollbackServiceConfig property. Its value is 'SchedServiceConfig'.
    Action start 15:08:59: SchedServiceConfig.
    MSI (s) (5C!48) [15:08:59:159]: Doing action: RollbackServiceConfig
    MSI (s) (5C!48) [15:08:59:159]: Note: 1: 2205 2:  3: ActionText
    Action start 15:08:59: RollbackServiceConfig.
    MSI (s) (5C!48) [15:08:59:159]: PROPERTY CHANGE: Adding ExecServiceConfig property. Its value is 'SchedServiceConfig€sophossps€1€restart€restart€none€1€120€€'.
    Action ended 15:08:59: RollbackServiceConfig. Return value 1.
    MSI (s) (5C!48) [15:08:59:159]: Doing action: ExecServiceConfig
    MSI (s) (5C!48) [15:08:59:159]: Note: 1: 2205 2:  3: ActionText
    Action start 15:08:59: ExecServiceConfig.
    Action ended 15:08:59: ExecServiceConfig. Return value 1.
    MSI (s) (5C:5C) [15:08:59:169]: Doing action: SetupSspUserAccountRollback.SetPropertyVistaOrLater
    MSI (s) (5C:5C) [15:08:59:169]: Note: 1: 2205 2:  3: ActionText
    Action ended 15:08:59: SchedServiceConfig. Return value 1.
    MSI (s) (5C:5C) [15:08:59:169]: PROPERTY CHANGE: Adding SetupSspUserAccountRollback property. Its value is 'NT SERVICE\sophossps'.
    Action start 15:08:59: SetupSspUserAccountRollback.SetPropertyVistaOrLater.
    MSI (s) (5C:5C) [15:08:59:169]: Skipping action: SetupSspUserAccountRollback.SetPropertyXp (condition is false)
    MSI (s) (5C:5C) [15:08:59:169]: Doing action: SetupSspUserAccountRollback
    MSI (s) (5C:5C) [15:08:59:169]: Note: 1: 2205 2:  3: ActionText
    Action ended 15:08:59: SetupSspUserAccountRollback.SetPropertyVistaOrLater. Return value 1.
    Action start 15:08:59: SetupSspUserAccountRollback.
    MSI (s) (5C:5C) [15:08:59:169]: Doing action: SetupSspUserAccount.SetPropertyVistaOrLater
    MSI (s) (5C:5C) [15:08:59:169]: Note: 1: 2205 2:  3: ActionText
    Action ended 15:08:59: SetupSspUserAccountRollback. Return value 1.
    MSI (s) (5C:5C) [15:08:59:169]: PROPERTY CHANGE: Adding SetupSspUserAccount property. Its value is 'NT SERVICE\sophossps'.
    Action start 15:08:59: SetupSspUserAccount.SetPropertyVistaOrLater.
    MSI (s) (5C:5C) [15:08:59:169]: Skipping action: SetupSspUserAccount.SetPropertyXp (condition is false)
    MSI (s) (5C:5C) [15:08:59:169]: Doing action: SetupSspUserAccount
    MSI (s) (5C:5C) [15:08:59:169]: Note: 1: 2205 2:  3: ActionText
    Action ended 15:08:59: SetupSspUserAccount.SetPropertyVistaOrLater. Return value 1.
    Action start 15:08:59: SetupSspUserAccount.
    MSI (s) (5C:5C) [15:08:59:169]: Doing action: SetupShsUserAccountRollback.SetProperty
    MSI (s) (5C:5C) [15:08:59:169]: Note: 1: 2205 2:  3: ActionText
    Action ended 15:08:59: SetupSspUserAccount. Return value 1.
    MSI (s) (5C:5C) [15:08:59:169]: PROPERTY CHANGE: Adding SetupShsUserAccountRollback property. Its value is 'NT SERVICE\sophossps'.
    Action start 15:08:59: SetupShsUserAccountRollback.SetProperty.
    MSI (s) (5C:5C) [15:08:59:169]: Doing action: SetupShsUserAccountRollback
    MSI (s) (5C:5C) [15:08:59:169]: Note: 1: 2205 2:  3: ActionText
    Action ended 15:08:59: SetupShsUserAccountRollback.SetProperty. Return value 1.
    Action start 15:08:59: SetupShsUserAccountRollback.
    MSI (s) (5C:5C) [15:08:59:179]: Doing action: SetupShsUserAccount.SetProperty
    MSI (s) (5C:5C) [15:08:59:179]: Note: 1: 2205 2:  3: ActionText
    Action ended 15:08:59: SetupShsUserAccountRollback. Return value 1.
    MSI (s) (5C:5C) [15:08:59:179]: PROPERTY CHANGE: Adding SetupShsUserAccount property. Its value is 'NT SERVICE\sophossps;GENERIC_READ'.
    Action start 15:08:59: SetupShsUserAccount.SetProperty.
    MSI (s) (5C:5C) [15:08:59:179]: Doing action: SetupShsUserAccount
    MSI (s) (5C:5C) [15:08:59:179]: Note: 1: 2205 2:  3: ActionText
    Action ended 15:08:59: SetupShsUserAccount.SetProperty. Return value 1.
    Action start 15:08:59: SetupShsUserAccount.
    MSI (s) (5C:5C) [15:08:59:179]: Doing action: StartServices
    MSI (s) (5C:5C) [15:08:59:179]: Note: 1: 2205 2:  3: ActionText
    Action ended 15:08:59: SetupShsUserAccount. Return value 1.
    Action start 15:08:59: StartServices.
    MSI (s) (5C:5C) [15:08:59:179]: Doing action: StartSspServiceRollback.SetProperty
    MSI (s) (5C:5C) [15:08:59:179]: Note: 1: 2205 2:  3: ActionText
    Action ended 15:08:59: StartServices. Return value 1.
    MSI (s) (5C:5C) [15:08:59:179]: PROPERTY CHANGE: Adding StartSspServiceRollback property. Its value is 'sophossps'.
    Action start 15:08:59: StartSspServiceRollback.SetProperty.
    MSI (s) (5C:5C) [15:08:59:179]: Doing action: StartSspServiceRollback
    MSI (s) (5C:5C) [15:08:59:179]: Note: 1: 2205 2:  3: ActionText
    Action ended 15:08:59: StartSspServiceRollback.SetProperty. Return value 1.
    Action start 15:08:59: StartSspServiceRollback.
    MSI (s) (5C:5C) [15:08:59:179]: Doing action: StartSspService.SetProperty
    MSI (s) (5C:5C) [15:08:59:179]: Note: 1: 2205 2:  3: ActionText
    Action ended 15:08:59: StartSspServiceRollback. Return value 1.
    MSI (s) (5C:5C) [15:08:59:189]: PROPERTY CHANGE: Adding StartSspService property. Its value is 'sophossps'.
    Action start 15:08:59: StartSspService.SetProperty.
    MSI (s) (5C:5C) [15:08:59:189]: Doing action: StartSspService
    MSI (s) (5C:5C) [15:08:59:189]: Note: 1: 2205 2:  3: ActionText
    Action ended 15:08:59: StartSspService.SetProperty. Return value 1.
    Action start 15:08:59: StartSspService.
    MSI (s) (5C:5C) [15:08:59:189]: Doing action: RegisterUser
    MSI (s) (5C:5C) [15:08:59:189]: Note: 1: 2205 2:  3: ActionText
    Action ended 15:08:59: StartSspService. Return value 1.
    Action start 15:08:59: RegisterUser.
    MSI (s) (5C:5C) [15:08:59:189]: Doing action: RegisterProduct
    MSI (s) (5C:5C) [15:08:59:189]: Note: 1: 2205 2:  3: ActionText
    Action ended 15:08:59: RegisterUser. Return value 1.
    Action start 15:08:59: RegisterProduct.
    MSI (s) (5C:5C) [15:08:59:189]: PROPERTY CHANGE: Adding ProductToBeRegistered property. Its value is '1'.
    MSI (s) (5C:5C) [15:08:59:189]: Doing action: PublishFeatures
    MSI (s) (5C:5C) [15:08:59:189]: Note: 1: 2205 2:  3: ActionText
    Action ended 15:08:59: RegisterProduct. Return value 1.
    Action start 15:08:59: PublishFeatures.
    MSI (s) (5C:5C) [15:08:59:189]: Doing action: PublishProduct
    MSI (s) (5C:5C) [15:08:59:189]: Note: 1: 2205 2:  3: ActionText
    Action ended 15:08:59: PublishFeatures. Return value 1.
    Action start 15:08:59: PublishProduct.
    MSI (s) (5C:5C) [15:08:59:189]: Skipping action: WixFailWhenDeferred (condition is false)
    MSI (s) (5C:5C) [15:08:59:189]: Doing action: InstallFinalize
    MSI (s) (5C:5C) [15:08:59:189]: Note: 1: 2205 2:  3: ActionText
    Action ended 15:08:59: PublishProduct. Return value 1.

    --> Now the posted snippet follows (of course this is a newer run here).

    Note that in the snippet of the initial post the first error occurs in the middle not at the end:

    ...
    SetupSspUserAccount:  Initialized.
    SetupSspUserAccount:  LoadAccount(SophosSSPUser) failed (error 1332)
    SetupSspUserAccount:  Granting permissions to user "NT SERVICE\sophossps"
    CustomAction SetupSspUserAccount returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
    MSI (s) (FC:6C) [09:56:49:272]: Note: 1: 2265 2:  3: -2147287035
    MSI (s) (FC:6C) [09:56:49:272]: User policy value 'DisableRollback' is 0
    MSI (s) (FC:6C) [09:56:49:272]: Machine policy value 'DisableRollback' is 0
    Action ended 09:56:49: InstallFinalize. Return value 3.
    ...

     

    Best regards

  • Hello Clemens Feige,

    first of all the first error occurs in the middle not at the end: MSI logs can be confusing as they are not like most other logs. The Installer goes through several phases. Depending on the amount of logging requested it lists its actions and their result, finally dumping dumping the Properties and providing a summary result. In case of a failure during execution it initiates a rollback and the error is followed by a listing of the rollback actions and finally a summary of the error and a final result. Thus it looks like there are two (or sometimes more) errors with the actual error "in the middle".

    This doesn't help with your problem though. I've rummaged through old logs and I'm afraid I have no advice as I haven't encountered this error. As already mentioned I think you have to contact Support. Just one more question - are there any occurrences of sophossps in the registry?     

    Christian

  • Hello Christian,

    this is what I tried to make clear with my last post (refer to the end of the post): the error I have considered all the time was this one in the middle, not after rollback.
    I am a little familiar with MSI logs, next time I try to split the log fragments into more parts to make clear which problem I've observed or like to discuss.

    I have generated a support ticket to resolve this problem, thank you for your help.

     

    The advice to search for registry keys gives the solution:
    The key "HKLM\SOFTWARE\WOW6432Node\Sophos\SystemProtection\Users" was not accessible.

    Solution:

    1. Deinstall Sophos components according KB 12360.
    2. Acquire user permission of key and set full rights for administrators.
    3. Delete key structure "HKLM\SOFTWARE\WOW6432Node\Sophos".
    4. Reinstall Sophos.