Hung Services

I have several machines that end up with HMP and Data Recorder not running. When I try to start them, I am told I can't access them. I try to restart the Anti-Virus service and I'm denied access. I am a domain admin on my machines. I have supervisors getting frustrated with the product because of these odd occurrences that I can't remedy quickly. Oftentimes it requires reg hacking and that just seems extreme.

"Error 1053: The service did not respond to the start or control request in a timely fashion."

 

The other one I keep running across is the MCS Agent service hung up in "stopping".  

 

Am I missing something?  ANY kind of info would be helpful.  



  • The MCS Agent hung on stopping is one I've encountered recently too.  It's tough to resolve because I think that service needs to be running in order to disable tamper protection.  Ideally I'd like to avoid rebooting, since this seems to be happening on production servers.

  • The MCS services would need to be started to receive policy from Central to disable TP but if you get the password from Central for the computer and authorise in the UI you can disable Tamper Protection under settings.

  • I think at this point my only option is to reboot.  I can't start or stop the MCS Agent service, which needs to be running in order to communicate with Sophos Central.

  • That's a first.  I've not seen it in the stopping state. 

    Can you enable trace logging on the MCS Agent - https://community.sophos.com/kb/en-us/119607 - and reproduce this state?  I'd be interested to see the MCSAgent log then, it is under:

    C:\ProgramData\Sophos\Management Communications System\Endpoint\Logs\

    Essentially setting:

    <McsAgent>
          <logLevel>0</logLevel>
    </McsAgent>

    I know you need to disable TP to do this, but this could be done in Safe Mode to get to the bottom of it.

    That said, it may not need tracing on to understand what's happening. Can you attach an MCS Agent log here?

    Regards,
    Jak

  • There are a few errors in that log:

    2018-07-03T11:51:03.815Z [ 3560] ERROR 2008: [CORC] Failed to set core trigger status key OpenKeyFunction failed. Error: 2. Value name='SOFTWARE\Sophos\EndpointDefense\Monitoring\TriggerCoreStatus'.
    2018-07-03T11:51:03.815Z [ 3560] ERROR 2008: [CORC] Failed to set core trigger status key OpenKeyFunction failed. Error: 2. Value name='SOFTWARE\Sophos\EndpointDefense\Monitoring\TriggerCoreStatus'.
    2018-07-03T11:51:03.861Z [ 3560] ERROR 2008: [NTP] NTP adapter: Caught std::exception in IMEAdapterFactoryImpl::Initialise: Cannot initialise a second adapter without uninitialising the first
    2018-07-03T11:51:03.861Z [ 3560] ERROR 2008: [NTP] NTP adapter: StateObserver already registered! Current observer is overwritten.
    2018-07-03T11:51:09.363Z [ 3532] ERROR 2008: [NTP] NTP adapter: Unknown event observer! Throwing exception.
    2018-07-03T11:51:09.363Z [ 3532] ERROR 2008: [NTP] NTP adapter: Caught std::exception in IMEAdapterImpl::DeRegisterStateObserver: Observer not known.
    2018-07-03T11:51:09.363Z [ 3532] ERROR 2013: Caught unknown exception unloading NTP

    From the NTP and CORC adapter.

    As a bit of background: The Sophos MCS Agent service (McsAgent.exe) loads Adapters (DLLs) that each managed component (SAV, SAU, NTP, etc) registers with the MCS Agent in order to set and get policy of the components.

    They are registered/unregistered under the following reg key by the component at install/uninstall of the component, which the agent monitors for changes:
    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\Remote Management System\ManagementAgent\Adapters\

    As the entries appear/disappear the Agent logs/unloads the adapters.  If you run something like Process Explorer showing the modules loaded by the process you can see them come and go as the adapter key is created/removed.

    What might be interesting is to stop the MCS agent service and, after backing up the adapters registry key to a .reg, delete the NTP and COREC key.  This way the MCSAgent service will load the other DLLs but not the NTP and COREC adapters.  If the agent runs/stops/starts OK without those 2, then you could add just the COREC adapter back and see how that goes, and finally the NTP adapter.  Maybe this will allow you to narrow it down to the adapter of a particular component causing problems with the agent.  The agent in itself doesn't really do too much, it's the adapters that do all the work.

    Maybe you could provide the .reg file here to check that all the adapter keys and paths are as expected.

    Regards,
    Jak
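
A read-only way to do the backup and the adapter-key check described in the post above, as an added example that is not part of the original thread and is not Sophos code: it exports the Adapters key quoted in the post to a .reg file, then lists every adapter subkey and flags any path-like value whose file is missing. The backup location is an assumption, and no value names under the adapter subkeys are assumed.

```powershell
# Key path as quoted in the post; the backup location is an assumption.
$AdaptersKey = 'HKLM:\SOFTWARE\WOW6432Node\Sophos\Remote Management System\ManagementAgent\Adapters'
$BackupFile  = Join-Path $env:TEMP ('mcs-adapters-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))

if (-not (Test-Path -LiteralPath $AdaptersKey)) {
    throw "Adapters key not found: $AdaptersKey"
}

# 1. Back up the whole key before anything is changed.
#    reg.exe expects the HKLM\ form, not the PowerShell drive form HKLM:\
$regPath = $AdaptersKey -replace '^HKLM:\\', 'HKLM\'
& reg.exe export $regPath $BackupFile /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

# 2. Inventory each adapter subkey. Value names are not assumed: every value is
#    listed, and any string that looks like a drive-letter path is checked on disk.
$report = foreach ($adapter in Get-ChildItem -LiteralPath $AdaptersKey) {
    $names = $adapter.GetValueNames()
    if (-not $names) {
        [pscustomobject]@{ Adapter = $adapter.PSChildName; Value = '(no values)'; Data = ''; FileExists = $null }
        continue
    }
    foreach ($name in $names) {
        $data   = $adapter.GetValue($name)
        $exists = $null                      # stays $null for non-path values
        if ($data -is [string] -and $data -match '^"?[A-Za-z]:\\') {
            $exists = Test-Path -LiteralPath $data.Trim('"')
        }
        $label = $name
        if ($name -eq '') { $label = '(default)' }
        [pscustomobject]@{
            Adapter    = $adapter.PSChildName
            Value      = $label
            Data       = $data
            FileExists = $exists
        }
    }
}

$report | Sort-Object Adapter, Value | Format-Table -AutoSize -Wrap

# 3. Summarise: adapters registered in the key whose files are missing on disk.
$missing = @($report | Where-Object { $_.FileExists -eq $false })
"Backup written to $BackupFile"
"$($missing.Count) path value(s) point at a file that does not exist."
$missing | Select-Object Adapter, Value, Data
```

Nothing here modifies the key, so it can be run while the service is still stuck; the exported .reg is the file to restore from if adapter subkeys are later removed for testing.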

  • I can provide the key, but the problem with your suggestion of stopping the MCS agent service is that it's currently stuck in a "stopping" state and I am unable to either start or stop it.  I have requested authorization to reboot the server, so hopefully it will be as simple as that.

    8037.adapters.txt

    Thank you very much for your help!