Multiple components fail to install.

Hey all,

I'm an IT tech trying to deploy Sophos and ran into an issue with one specific laptop. Sophos Central shows that the PC has failed to be protected in addition to failing to install ntp. However, when I launch Health, I can see under the Installed Components that about 6 components failed to install as well. I'm not at the PC at the moment so I can't say which ones specifically. I do have the latest logs attached.

I also found an article about disabling AutoUpdate and renaming some folders, but I couldn't disable AutoUpdate because, for some reason, access was denied.

Any help will be much appreciated.

Sophos Anti-Virus Major Install Log_170718_035853.txt

2017-07-18 10:58:57 ExtractClassicConfig: Action started

2017-07-18 10:58:57 ExtractClassicConfig: Action succeeded

2017-07-18 10:58:58 PreInstallChecks: Action started

2017-07-18 10:58:58 PreInstallChecks: Action succeeded

2017-07-18 10:58:58 SetBootDriverStartupProperty: Action started

2017-07-18 10:58:58 SetBootDriverStartupProperty: Boot driver: not installed.

2017-07-18 10:58:58 SetBootDriverStartupProperty: Action succeeded

2017-07-18 10:58:58 SetClassFilterPresentProperty: Action started

2017-07-18 10:58:58 SetClassFilterPresentProperty: Setting class filter present property to: 1

2017-07-18 10:58:58 SetClassFilterPresentProperty: Action succeeded

2017-07-18 10:58:58 SetDriverProperty: Action started

2017-07-18 10:58:58 SetDriverProperty: PROCESSOR_ARCHITECTURE environment variable is: x86

2017-07-18 10:58:58 SetDriverProperty: Action succeeded

2017-07-18 10:58:58 SetProcessorProperties: Action started

2017-07-18 10:58:58 SetProcessorProperties: Action succeeded

2017-07-18 10:58:58 SetRestoreExcludedProcessesProperty: Action started

2017-07-18 10:58:58 SetRestoreExcludedProcessesProperty: SetRestoreExcludedProcessesProperty

2017-07-18 10:58:58 SetRestoreExcludedProcessesProperty: PROCESSOR_ARCHITECTURE environment variable is: x86

2017-07-18 10:58:58 SetRestoreExcludedProcessesProperty: Action succeeded

2017-07-18 10:59:04 CheckRegForNullDACLs: Action started

2017-07-18 10:59:04 CheckRegForNullDACLs: Action succeeded

2017-07-18 10:59:04 WaitForSAVService: Action started

2017-07-18 10:59:04 WaitForSAVService: WaitForSAVService: Walking system processes...

2017-07-18 10:59:04 WaitForSAVService: WaitForSAVService: Finished walking system processes.

2017-07-18 10:59:04 WaitForSAVService: Action succeeded

2017-07-18 10:59:05 CheckUninstallDrivers: Action started

2017-07-18 10:59:05 CheckUninstallDrivers: IsServiceInstalled: Unable to get a handle to requested service SAVOnAccess control. Returning false.

2017-07-18 10:59:05 CheckUninstallDrivers: IsServiceInstalled: Unable to get a handle to requested service SAVOnAccess filter. Returning false.

2017-07-18 10:59:05 CheckUninstallDrivers: Action succeeded

2017-07-18 10:59:05 DeleteIDEs: Action started

2017-07-18 10:59:05 DeleteIDEs: Action succeeded

2017-07-18 10:59:05 DeleteBDLs: Action started

2017-07-18 10:59:05 DeleteBDLs: Action succeeded

2017-07-18 10:59:05 DeleteHIPSConfig: Action started

2017-07-18 10:59:05 DeleteHIPSConfig: Action succeeded

2017-07-18 10:59:05 UpdateSavAdapterDll: Action started

2017-07-18 10:59:15 UpdateSavAdapterDll: Action succeeded

2017-07-18 10:59:15 UpdateDesktopMessaging: Action started

2017-07-18 10:59:15 UpdateDesktopMessaging: UpdateDesktopMessaging: Could not delete SAVPlugin registry key(2)

2017-07-18 10:59:15 UpdateDesktopMessaging: Action succeeded

2017-07-18 10:59:15 CopyOtherFiles: Action started

2017-07-18 10:59:15 CopyOtherFiles: CopyOtherFiles custom action - Copying other driver files

2017-07-18 10:59:15 CopyOtherFiles: Copying class filter source: C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\savxp\drivers\sdcfilter\win7_i386\SDCFILTER.INF, target: C:\Program Files\Sophos\Sophos Anti-Virus\

2017-07-18 10:59:15 CopyOtherFiles: Copying boot driver source: C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\savxp\drivers\boottasks\win7_i386\SOPHOSBOOTDRIVER.INF, target: C:\Program Files\Sophos\Sophos Anti-Virus\

2017-07-18 10:59:15 CopyOtherFiles: Copying kms source: C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\savxp\drivers\kms\win7_i386\SKMSCAN.INF, target: C:\Program Files\Sophos\Sophos Anti-Virus\

2017-07-18 10:59:15 CopyOtherFiles: GetRidOfExistingDetoured - C:\Program Files\Sophos\Sophos Anti-Virus\sophos_detoured.dll detoured exists, proceeding to rename it & mark for delete.

2017-07-18 10:59:15 CopyOtherFiles: PROCESSOR_ARCHITECTURE environment variable is: x86

2017-07-18 10:59:15 CopyOtherFiles: Copying boot tasks source: C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\savxp\drivers\boottasks\win7_i386\SophosBootTasks.exe, target: C:\Windows\system32\

2017-07-18 10:59:15 CopyOtherFiles: Action succeeded

2017-07-18 10:59:15 RegisterBufferOverflowProtection: Action started

2017-07-18 10:59:15 RegisterBufferOverflowProtection: BopsUnregister: could not get short path to DLL. It will not be unregistered.

2017-07-18 10:59:15 RegisterBufferOverflowProtection: GetRidOfExistingDetoured - C:\Program Files\Sophos\Sophos Anti-Virus\detoured.dll does not exist, no further action.

2017-07-18 10:59:15 RegisterBufferOverflowProtection: BOPS path already exists

2017-07-18 10:59:15 RegisterBufferOverflowProtection: PROCESSOR_ARCHITECTURE environment variable is: x86

2017-07-18 10:59:15 RegisterBufferOverflowProtection: Action succeeded

2017-07-18 10:59:15 RestoreExcludedProcesses: Action started

2017-07-18 10:59:15 RestoreExcludedProcesses: RestoreExcludedProcesses

2017-07-18 10:59:15 RestoreExcludedProcesses: Empty excluded processes property. Nothing to be done.

2017-07-18 10:59:15 RestoreExcludedProcesses: Action succeeded

2017-07-18 10:59:15 InstallDriverFromInf: Action started

2017-07-18 10:59:15 InstallDriverFromInf: Executing RunInfSection with DefaultInstall and DefaultInstall.Services

2017-07-18 10:59:15 InstallDriverFromInf: Running inf file C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\savxp\drivers\onaccess\win7_i386\SAVONACCESSDRIV.INF with installFileSection DefaultInstall

2017-07-18 10:59:16 InstallDriverFromInf: Action succeeded

2017-07-18 10:59:16 InstallClassFilterFromInf: Action started

2017-07-18 10:59:16 InstallClassFilterFromInf: Executing RunInfSection with DefaultInstall and DefaultInstall.Services

2017-07-18 10:59:16 InstallClassFilterFromInf: Running inf file C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\savxp\drivers\sdcfilter\win7_i386\sdcfilter.inf with installFileSection DefaultInstall

2017-07-18 10:59:16 InstallClassFilterFromInf: Action succeeded

2017-07-18 10:59:16 InstallDriverFromInf: Action started

2017-07-18 10:59:16 InstallDriverFromInf: Executing RunInfSection with DefaultInstall and DefaultInstall.Services

2017-07-18 10:59:16 InstallDriverFromInf: Running inf file C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\savxp\drivers\boottasks\win7_i386\SOPHOSBOOTDRIVER.INF with installFileSection DefaultInstall

2017-07-18 10:59:16 InstallDriverFromInf: Action succeeded

2017-07-18 10:59:16 InstallDriverFromInf: Action started

2017-07-18 10:59:16 InstallDriverFromInf: Executing RunInfSection with DefaultInstall and DefaultInstall.Services

2017-07-18 10:59:16 InstallDriverFromInf: Running inf file C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\savxp\drivers\kms\win7_i386\skmscan.inf with installFileSection DefaultInstall

2017-07-18 10:59:16 InstallDriverFromInf: Action succeeded

2017-07-18 10:59:16 StartDriverServices: Action started

2017-07-18 10:59:16 StartDriverServices: Action succeeded

2017-07-18 10:59:20 UninstallDriverFromInf: Action started

2017-07-18 10:59:20 UninstallDriverFromInf: Executing RunInfSection with DefaultUninstall and DefaultUninstall.Services

2017-07-18 10:59:20 UninstallDriverFromInf: Running inf file C:\Program Files\Sophos\Sophos Anti-Virus\skmscan.inf with installFileSection DefaultUninstall

2017-07-18 10:59:20 UninstallDriverFromInf: Action succeeded

2017-07-18 10:59:20 UninstallDriverFromInf: Action started

2017-07-18 10:59:20 UninstallDriverFromInf: Executing RunInfSection with DefaultUninstall and DefaultUninstall.Services

2017-07-18 10:59:20 UninstallDriverFromInf: Running inf file C:\Program Files\Sophos\Sophos Anti-Virus\SAVONACCESSDRIV.INF with installFileSection DefaultUninstall

2017-07-18 10:59:20 UninstallDriverFromInf: Action succeeded

2017-07-18 10:59:20 UninstallDriverFromInf: Action started

2017-07-18 10:59:20 UninstallDriverFromInf: Executing RunInfSection with DefaultUninstall and DefaultUninstall.Services

2017-07-18 10:59:20 UninstallDriverFromInf: Running inf file C:\Program Files\Sophos\Sophos Anti-Virus\SOPHOSBOOTDRIVER.INF with installFileSection DefaultUninstall

2017-07-18 10:59:20 UninstallDriverFromInf: Action succeeded

2017-07-18 10:59:20 UpdateDesktopMessaging: Action started

2017-07-18 10:59:20 UpdateDesktopMessaging: UpdateDesktopMessaging: Could not delete SAVPlugin registry key(2)

2017-07-18 10:59:20 UpdateDesktopMessaging: Action succeeded

2017-07-18 10:59:20 RollbackUpdateSavAdapterDll: Action started

2017-07-18 10:59:20 RollbackUpdateSavAdapterDll: Action succeeded

2017-07-18 10:59:20 DeleteOtherFiles: Action started

2017-07-18 10:59:20 DeleteOtherFiles: Unable to get list of engine files from C:\Program Files\Sophos\Sophos Anti-Virus\engsync.upd

2017-07-18 10:59:20 Error deleting file: C:\Program Files\Sophos\Sophos Anti-Virus\sophos_detoured.dll.stf00 with error: Access is denied.



2017-07-18 10:59:20 DeleteOtherFiles: GetRidOfExistingDetoured - C:\Program Files\Sophos\Sophos Anti-Virus\sophos_detoured.dll detoured exists, proceeding to rename it & mark for delete.

2017-07-18 10:59:20 DeleteOtherFiles: PROCESSOR_ARCHITECTURE environment variable is: x86

2017-07-18 10:59:20 DeleteOtherFiles: GetRidOfExistingDetoured - C:\Program Files\Sophos\Sophos Anti-Virus\detoured.dll does not exist, no further action.

2017-07-18 10:59:20 DeleteOtherFiles: Deleting config file folder

2017-07-18 10:59:20 DeleteOtherFiles: Failed to delete config folder, 2

2017-07-18 10:59:20 Error deleting file: C:\ProgramData\Sophos\Sophos Anti-Virus\\Infected\Low with error: Access is denied.



2017-07-18 10:59:20 DeleteOtherFiles: Action succeeded

2017-07-18 10:59:20 ForceDeleteUserPlugin: Action started

2017-07-18 10:59:20 ForceDeleteUserPlugin: Error deleting DesktopMessaging registry key. Returned error was: The system cannot find the file specified.



2017-07-18 10:59:20 ForceDeleteUserPlugin: Error deleting user pluging registry key. Returned error was: The system cannot find the file specified.



2017-07-18 10:59:20 ForceDeleteUserPlugin: Action succeeded

2017-07-18 10:59:21 ForceDeleteFiles: Action started

2017-07-18 10:59:21 ForceDeleteFiles: Action succeeded

2017-07-18 10:59:21 RunErrorScripts: Action started

2017-07-18 10:59:21 RunErrorScripts: Action succeeded

2017-07-18 10:59:21 RestoreMovedFiles: Action started

2017-07-18 10:59:21 RestoreMovedFiles: Action succeeded

2017-07-18 10:59:21 SetUpdateFailed: Action started

2017-07-18 10:59:21 SetUpdateFailed: Unable to create an instance of ComponentManager - SystemInformation cannot be informed of end of update

2017-07-18 10:59:21 SetUpdateFailed: Action succeeded



  • MSI (s) (08:BC) [10:59:17:854]: Executing op: ActionStart(Name=RegisterEventManifest,,)
    MSI (s) (08:BC) [10:59:17:854]: Executing op: CustomActionSchedule(Action=RegisterEventManifest,ActionType=3073,Source=BinaryData,Target=CAQuietExec,CustomActionData="wevtutil.exe" im "C:\Program Files\Sophos\Sophos Anti-Virus\Instrumentation.man")
    MSI (s) (08:00) [10:59:17:854]: Invoking remote custom action. DLL: C:\Windows\Installer\MSI6849.tmp, Entrypoint: CAQuietExec
    CAQuietExec: Error 0x800700ff: Command line returned an error.
    CAQuietExec: Error 0x800700ff: CAQuietExec Failed
    CustomAction RegisterEventManifest returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)

    Can you run wevtutil.exe on this computer?

    Does running:
    where wevtutil.exe

    find it in the "path" and if so, is it in the same path as a working computer?

    Regards,

    Jak
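
The triage done by eye in the reply above can be scripted. This is an added example, not part of the thread and not Sophos or Windows Installer code: it scans a verbose MSI log for custom actions that returned a non-zero code, pairs each with the command line it was scheduled to run, and decodes the logged HRESULT fields. The function names are hypothetical; the sample lines are the ones quoted in the reply.

```python
import re

# Log lines copied from the reply above (verbose MSI log of the failed install).
SAMPLE_LOG = r'''MSI (s) (08:BC) [10:59:17:854]: Executing op: ActionStart(Name=RegisterEventManifest,,)
MSI (s) (08:BC) [10:59:17:854]: Executing op: CustomActionSchedule(Action=RegisterEventManifest,ActionType=3073,Source=BinaryData,Target=CAQuietExec,CustomActionData="wevtutil.exe" im "C:\Program Files\Sophos\Sophos Anti-Virus\Instrumentation.man")
MSI (s) (08:00) [10:59:17:854]: Invoking remote custom action. DLL: C:\Windows\Installer\MSI6849.tmp, Entrypoint: CAQuietExec
CAQuietExec: Error 0x800700ff: Command line returned an error.
CAQuietExec: Error 0x800700ff: CAQuietExec Failed
CustomAction RegisterEventManifest returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
'''

SCHEDULE = re.compile(
    r'CustomActionSchedule\(Action=(?P<action>[^,]+),.*CustomActionData=(?P<cmd>.*)\)\s*$')
HRESULT = re.compile(r'Error (0x[0-9a-fA-F]{8}):')
RETURNED = re.compile(r'CustomAction (\S+) returned actual error code (\d+)')


def decode_hresult(value):
    """Split a 32-bit HRESULT into its severity bit, facility and code."""
    return {"failure": bool(value >> 31),
            "facility": (value >> 16) & 0x7FF,  # 7 = FACILITY_WIN32
            "code": value & 0xFFFF}             # Win32 error code when facility is 7


def failed_custom_actions(log_text):
    """Return one record per custom action that ended with a non-zero code."""
    commands, pending, failures = {}, [], []
    for line in log_text.splitlines():
        if (m := SCHEDULE.search(line)):
            commands[m["action"]] = m["cmd"]
            pending = []                        # HRESULTs seen since this action was scheduled
        elif (m := HRESULT.search(line)):
            value = int(m[1], 16)
            if value not in pending:            # the same HRESULT is often logged twice
                pending.append(value)
        elif (m := RETURNED.search(line)) and int(m[2]) != 0:
            failures.append({"action": m[1],
                             "command": commands.get(m[1]),
                             "msi_error": int(m[2]),  # 1603 = ERROR_INSTALL_FAILURE
                             "hresults": [decode_hresult(v) for v in pending]})
            pending = []
    return failures


if __name__ == "__main__":
    for failure in failed_custom_actions(SAMPLE_LOG):
        print(failure)
```
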

  • Ok, I ran it again and yes, both show the same path as being "C:\Windows\System32\wevtutil.exe".

     

    Thanks,

    Christian

  • Sorry about the name of the exe, I've updated my post.

    In that case I would run Process Monitor whilst an install is taking place.  You can then see this process (wevtutil.exe) get started.  

    Note: I assume that this is a 32-bit process on a 64-bit computer so it may well be that the process is the 32-bit version from C:\windows\syswow64\.  Maybe that one is missing?  Either way the PML log will help to see what is called.

    You can check for the exit code of the wevtutil.exe process, the command line that got executed and if any of the file/registry operations of this process failed.  Things like ACCESS DENIED for example.  You can easily locate the process from the Process Tree view after making the capture of the failed install.

    If needs be, capturing the PML of a working computer to compare the differences may be the next option but I'm sure it will be obvious from the failed log why there is an issue.

    Regards,

    Jak

  • I've just now had time to get back to this.

    It's a 32-bit process on a 32-bit computer, so that shouldn't be the issue.

    When filtering the PML to show processes with paths containing the .exe, I found a ton of WerFault.exe processes, some of which were trying to access the .exe in the registry, but the result was always "NAME NOT FOUND".

    I decided a search in Explorer for the .exe itself might be useful and found a few .wer logs. Here's an excerpt:

    UI[2]=C:\Windows\system32\wevtutil.exe
    UI[5]=Check online for a solution (recommended)
    UI[6]=Check for a solution later (recommended)
    UI[7]=Close
    UI[8]=Eventing Command Line Utility stopped working and was closed
    UI[9]=A problem caused the application to stop working correctly. Windows will notify you if a solution is available.
    UI[10]=&Close

    There are 4 more logs detailing the same thing over the course of the installation process.

    Let me know if you need more info.

    Thanks,

    Christian

  • So the wevtutil process is crashing.  In that case I would suggest:

    1. Download procdump - https://docs.microsoft.com/en-us/sysinternals/downloads/procdump

    2. Create the directory C:\dumps

    3. Copy procdump to it as it's as good a place as any for it.

    4. In an administrative command prompt run the following commands:

    CD C:\dumps

    procdump -ma -i c:\dumps

    5. Re-run the installer.

    Hopefully when wevtutil crashes you will get a dump file under C:\dumps

    6. You can uninstall procdump as the default postmortem debugger using the command:

    procdump -u

    If you could somehow share the dump file, best to zip it, I could take a look.

    Regards,

    Jak

  • I apologize for the sporadic responses. The environment I work in can make it difficult to get control of someone's PC for an extended period of time.

    The files are too big to upload (even when zipped individually), according to the site. Is there another way I could get them to you?

     

    Thanks,

    Christian

  • If you have a cloud storage account, they usually allow you to create a specific directory which can be shared with a unique link.

    OneDrive, Google Drive for example.

    Regards,

    Jak

  • I ultimately decided to re-image the PC. Getting access to the device itself once a week wasn't enough time. Sophos finally installed with no hiccups.

    I appreciate your help with this.

     

    -Christian