Unable to install STAS service ("account name is invalid")

I'm trying to re-install STAS on a DC, but when I try to specify the account to run the service as, I'm getting a Fatal Error.

"the Account name is invalid or does not exist, or the passwords is invalid for the account name specified".

Of course, I've verified the original service account used, as well as tried my domain admin account and creating a new service account. I've verified their passwords and that I can log in with them. I've verified that they have been granted the "log on as a service" right. 

I've tried running ProcessMonitor to see if I get access denied to registry keys somewhere, but the only thing I get is for the configSTAS.exe process that's querying a key under wow6432node\microsoft\ctf.

Has anyone else run into this? Any suggestions?

  • I had the same issue on a DC - I ended up exporting the config from another STAS and then importing it to this instance and loading that and it worked.

    Like you, no matter what I put, it wouldn't accept it.

  • In reply to M8ey:

    Thanks. That's what I ended up doing as well. Even with the service installed, I still can't change the user through the STAS GUI. Testing the WMI connection to a workstation, I get "Parameter is incorrect", even though I can successfully query WMI on the workstation through the wmic command line. I suspect that the 2 problems are related.

  • In reply to JamesGolden:

    JamesGolden
    "Parameter is incorrect"

    Ha yeah that too.

    Also trying to sync config from a good STAS to the bad STAS fails, as does checking connectivity.

    I never did work it out - reinstalling etc. did nothing.

  • In reply to M8ey:

    And the strangest thing is seeing the service trying to log into workstations with a username of 'mohit'. I can't find where that's even coming from. Needless to say it's not working; not finding the users.

    I've got a customer I want to roll this and XG out to, but they are heavy users of user and group filtering. So this is worrisome.

    ERROR [0x1758] 2/12/2020 12:33:37 : wrkstpoll_workerthread_wmi: couldnt connected to WMI Namespace '\\192.168.xx.xxx\root\cimv2': 0x800706ba

    DEBUG [0x1758] 2/12/2020 12:33:38 : wrkstpoll_workerthread_wmi: connecting to WMI Namespace '\\192.168.xxx.xxx\root\cimv2'

    MSG [0x1758] 2/12/2020 12:33:38 : wrkstpoll_workerthread_wmi: username:.\mohit

  • In reply to JamesGolden:

    What I have noticed is when you try to configure STAS to run under a service account or use an AD user to log on as a service and publish a GPO, this logon as a service can affect other systems that currently have logon as a service set up locally on their PCs, servers. Sophos advises running STAS under a domain admin account to log on as a service, which most IT admins will not favour. As Sophos continues to evolve with new security concepts and address existing issues, I am hoping for a better solution.

    I followed this guide initially to set up STAS

    https://www.fastvue.co/sophos/blog/sophos-stas-authentication-step-by-step/

  • James,

    Did you try to search for Sophos in the registry?

    Uninstalling the STAS suite should remove everything.

    Did you check if you have something inside c:\programdata\sophos or something similar?

    Take note that programdata is hidden by default.

  • In reply to lara20:

    Thanks for the article. Great Post!

    I've used STAS with a UTM before. I've just never run into problems installing the STAS agent itself.

  • In reply to lferrara:

    Just to be certain, I uninstalled and went through the registry, program files, and programdata again. I manually deleted a few entries from the registry, but it did a good job of cleaning up after itself everywhere else. Tried reinstalling, but hit the same roadblock when specifying a user account to use for the service to log in with.

    And now, after going through the reinstall, importing the service back into the registry, since it won't install the service during the install, the STAS agent and collector test won't even pass.

    I'm considering rebuilding the DC, but I really hate to have to go through that.

  • In reply to JamesGolden:

    I recall I managed to sign in with my domain\administrator account and get it loaded - then changed it to my domain/stas account.

    Have you tried that?

  • In reply to JamesGolden:

    James,

    If it does not work, open a ticket with support. Rebuilding a DC is always a pain.

    Regards