ATP sensor on Server 2016 DC crashing.

Question

Currently we went through&nbsp; a process of upgrading our DCs to 2016 after doing this and going through process of installing ATP sensor on the servers we are having the service crash or stay in a starting state.&nbsp;&nbsp;I get the following errors as well.&nbsp;Application logEvent ID 1008The Open Procedure for service "WmiApRpl" in DLL "C:\Windows\system32\wbem\wmiaprpl.dll" failed. Performance data for this service will not be available. The first four bytes (DWORD) of the Data section contains the error code.&nbsp;The Open Procedure for service "Lsa" in DLL "C:\Windows\System32\Secur32.dll" failed. Performance data for this service will not be available. The first four bytes (DWORD) of the Data section contains the error code.&nbsp;Event ID 2004Unable to open the Server service performance object. The first four bytes (DWORD) of the Data section contains the status code.&nbsp;System LogEvent ID 7032The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Azure Advanced Threat Protection Sensor service, but this action failed with the following error:The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.&nbsp;Event Id 7031The Azure Advanced Threat Protection Sensor service terminated unexpectedly. It has done this 385 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.&nbsp;&nbsp;I can't seem to find anything regarding this or if I am missing something.&nbsp; The prereq doesn't seem to show anything special missing so i am stumped.&nbsp;&nbsp; Any help is welcome.&nbsp;&nbsp;Thanks,&nbsp;&nbsp;&nbsp;

tony escamilla · Answer

EliOfek&nbsp;&nbsp;Thanks for the assist. I guess to help others.&nbsp; In my case a 3rd party app was pushing out Nmap and along with it came Npcap.&nbsp; I hadn't noticed because it wasn't by the typical methods of installs we utilize. As well as there was no trace of Nmap itself.&nbsp; Once I ran ProcMon once again with some slight modifications to the filter as suggested by&nbsp;EliOfek&nbsp; &nbsp;I was able to find the culprit and fix my issue.&nbsp; The problem is now gone and I have documentation for historical sake.&nbsp;&nbsp;&nbsp;Thanks again.&nbsp;

or tsemah · Answer

Tony escamilla&nbsp;
Hi Tony,
Can you share the Log files for troubleshooting?
https://docs.microsoft.com/en-us/azure-advanced-threat-protection/troubleshooting-atp-using-logs
&nbsp;

eliofek · Answer

Tony escamilla&nbsp;, Also, can you make sure the Pla service is running correctly on the machine?

jomalin · Answer

I have had this issue pop up recently. Lots of 1008 errors and the ATP sensor wouldn't start and would error in the ATP portal for no communication. Server 2012R2

1008, Perflib

The Open Procedure for service "WmiApRpl" in DLL "C:\Windows\system32\wbem\wmiaprpl.dll" failed. Performance data for this service will not be available. The first four bytes (DWORD) of the Data section contains the error code.

The Open Procedure for service "Lsa" in DLL "C:\Windows\System32\Secur32.dll" failed. Performance data for this service will not be available. The first four bytes (DWORD) of the Data section contains the error code.

The Open Procedure for service ".NETFramework" in DLL "C:\Windows\system32\mscoree.dll" failed. Performance data for this service will not be available. The first four bytes (DWORD) of the Data section contains the error code.

Looking in the log located at "C:\Program Files\Azure Advanced Threat Protection Sensor\2.105.7563.11519\Logs\Microsoft.Tri.Sensor.log" I see this error

2020-01-22 12:31:49.1675 Warn PcapLibraryHelper Verify [Packet.dll-ProductName=WinPcap Packet.dll-ProductVersion=4.1.0.2980 wpcap.dll-ProductName=WinPcap wpcap.dll-ProductVersion=4.1.0.2980]
2020-01-22 12:31:49.4018 Error WinPcapDeviceList SharpPcap.PcapException: No interfaces found! Make sure libpcap/WinPcap is properly installed on the local machine.
at List<WinPcapDevice> SharpPcap.WinPcap.WinPcapDeviceList.Devices(string rpcapString, RemoteAuthentication remoteAuthentication)
at void SharpPcap.WinPcap.WinPcapDeviceList.Refresh()
at WinPcapDeviceList SharpPcap.WinPcap.WinPcapDeviceList.get_Instance()
at new Microsoft.Tri.Sensor.NetworkListener(IBufferPool bufferPool, IConfigurationManager configurationManager, IMetricManager metricManager, INetworkAdaptersManager networkAdaptersManager, IParsingOrchestrator parsingOrchestrator, IWorkspaceApplicationSensorApiJsonProxy workspaceApplicationSensorApiJsonProxy)
at object lambda_method(Closure, object[])
at object Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate()
at void Microsoft.Tri.Infrastructure.ModuleManager.AddModules(Type[] moduleTypes)
at new Microsoft.Tri.Sensor.SensorModuleManager()
at ModuleManager Microsoft.Tri.Sensor.SensorService.CreateModuleManager()
at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()
at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)

I downloaded and installed npcap, restarted the sensor and everything cleared up.

Is there an issue with the ATP sensors install of WinPcap?

eliofek · Answer

jomalin&nbsp;, the sensor should work fine with both most of the time.
Currently the default is winpcap, and if you require nic teaming support then we need npcap,
but you can work with npcap just fine even without teaming.
We are also considering at some point to make npcap the default and not winpcap.
&nbsp;
As to why winpcap did not work for your case, it's hard to tell, usually it means there is another product installed that is also using winpcap but with a configuration we do not support.
If you would like to research it a support call might be in order, but if npcap just work for you, I guess that would be a waste of your time...
&nbsp;
Eli

Forum Discussion

ATP sensor on Server 2016 DC crashing.

10 Replies

Resources