Forum Discussion
Defender for identity updated itself, now it wont start
I had defender for identity 2.240.18218.5822 working on my DCs for several weeks. Then on September 24th 2024, the ATP sensors auto-updated themselves to 2.240.18224.34815.
Now about half of them won't start anymore and logs are no longer being produced in the Logs folders:
No new logs produced in:
C:\Program Files\Azure Advanced Threat Protection Sensor\2.240.18218.5822\Logs
No Logs folder exists in:
C:\Program Files\Azure Advanced Threat Protection Sensor\2.240.18224.34815
This is the error when the service tries to start.
In the event log:
The Azure Advanced Threat Protection Sensor Updater service terminated unexpectedly. It has done this 303511 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
I tried manually uninstalling and reinstalling on some of the servers but this has not worked.
- EliOfekMicrosoft
Is the updater binary in place as defined in its service definition ?
We need to find out what is holding the sensor updater from starting.
Uninstall/reinstall failed where reinstall failed or just that the service couldn't start?
Maybe check the performance counters like with the previous case? maybe it's related.- RyanP1895Copper Contributor
Hi again. I was really hoping that the problem on all of my devices was the missing counter from the other case. However it isn't that unfortunately.
I have several DCs and have tried a few different things on each. Here is the result of the uninstall on one of my DCs.
Uninstall the sensor from affected DC - fail to uninstall BUT the uninstall does produce logs as below
Azure Advanced Threat Protection Sensor_20241112203019.log
[1F74:1B10][2024-11-12T20:30:18]i001: Burn v3.11.2.4516, Windows v10.0 (Build 14393: Service Pack 0), path: C:\ProgramData\Package Cache\{bbfc6df4-0b62-4ffe-bd96-c0b5393142e9}\Azure ATP Sensor Setup.exe
[1F74:1B10][2024-11-12T20:30:18]i000: Initializing hidden variable 'AccessKey'
[1F74:1B10][2024-11-12T20:30:18]i000: Initializing hidden variable 'ProxyConfiguration'
[1F74:1B10][2024-11-12T20:30:18]i000: Initializing hidden variable 'ProxyUserPassword'
[1F74:1B10][2024-11-12T20:30:18]i000: Initializing string variable 'NetFrameworkCommandLineArguments' to value '/passive /showrmui'
[1F74:1B10][2024-11-12T20:30:18]i009: Command Line: '"-burn.clean.room=C:\ProgramData\Package Cache\{bbfc6df4-0b62-4ffe-bd96-c0b5393142e9}\Azure ATP Sensor Setup.exe" -burn.filehandle.attached=496 -burn.filehandle.self=508 /uninstall'
[1F74:1B10][2024-11-12T20:30:19]i000: Setting string variable 'WixBundleLog' to value 'C:\Users\v-\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20241112203019.log'
[1F74:1B10][2024-11-12T20:30:19]i000: Setting string variable 'WixBundleManufacturer' to value 'Microsoft Corporation'
[1F74:1B10][2024-11-12T20:30:19]i000: Loading managed bootstrapper application.
[1F74:1B10][2024-11-12T20:30:20]i000: Creating BA thread to run asynchronously.
[1F74:1B10][2024-11-12T20:30:20]i100: Detect begin, 5 packages
[1F74:1B10][2024-11-12T20:30:20]i000: 2024-11-12 19:30:20.9305 Debug DeploymentModel DetectDeploymentAction DetectBegin [\[]Installed=True[\]]
[1F74:1B10][2024-11-12T20:30:20]i000: Registry key not found. Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB4019990~31bf3856ad364e35~amd64~~6.1.1.2'
[1F74:1B10][2024-11-12T20:30:20]i000: Setting numeric variable 'Kb4019990Windows2008R2Exists' to value 0
[1F74:1B10][2024-11-12T20:30:20]i000: Registry key not found. Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB4019990~31bf3856ad364e35~amd64~~6.2.1.1'
[1F74:1B10][2024-11-12T20:30:20]i000: Setting numeric variable 'Kb4019990Windows2012Exists' to value 0
[1F74:1B10][2024-11-12T20:30:20]i000: Setting string variable 'NetFrameworkRegistryValue' to value '528049'
[1F74:1B10][2024-11-12T20:30:20]i000: Setting string variable 'ServerLevelsServerCoreRegistryValue' to value '1'
[1F74:1B10][2024-11-12T20:30:20]i000: Setting string variable 'ServerLevelsServerGuiShellRegistryValue' to value '1'
[1F74:1B10][2024-11-12T20:30:20]i052: Condition 'Kb4019990Windows2008R2Exists' evaluates to false.
[1F74:1B10][2024-11-12T20:30:20]i052: Condition 'Kb4019990Windows2012Exists' evaluates to false.
[1F74:1B10][2024-11-12T20:30:20]i052: Condition 'NetFrameworkRegistryValue >= 460798' evaluates to true.
[1F74:1B10][2024-11-12T20:30:20]i052: Condition 'NetFrameworkRegistryValue >= 460798' evaluates to true.
[1F74:1B10][2024-11-12T20:30:20]i101: Detected package: Kb4019990Windows2008R2Package, state: Absent, cached: None
[1F74:1B10][2024-11-12T20:30:20]i101: Detected package: Kb4019990Windows2012Package, state: Absent, cached: None
[1F74:1B10][2024-11-12T20:30:20]i101: Detected package: NetFrameworkPackageServer, state: Present, cached: None
[1F74:1B10][2024-11-12T20:30:20]i101: Detected package: NetFrameworkPackageServerCore, state: Present, cached: None
[1F74:1B10][2024-11-12T20:30:20]i101: Detected package: MsiPackage, state: Present, cached: Complete
[1F74:1B10][2024-11-12T20:30:20]i199: Detect complete, result: 0x0
[1F74:1CD4][2024-11-12T20:30:20]i000: 2024-11-12 19:30:20.9461 Debug DeploymentModel .ctor [\[]DeploymentAction=Uninstall[\]]
[1F74:1CD4][2024-11-12T20:30:20]i000: 2024-11-12 19:30:20.9461 Debug DeploymentModel .ctor [\[]IsAfterRestartAndConfigured=False[\]]
[1F74:1CD4][2024-11-12T20:30:21]i000: 2024-11-12 19:30:21.3886 Debug ServiceControllerExtension GetServiceCommandLine [\[]BinaryPathName=ges/h1ktx3zGBYyU1AWznQ==[\]]
[1F74:1CD4][2024-11-12T20:30:21]i000: 2024-11-12 19:30:21.4306 Debug ServiceControllerExtension GetServiceCommandLine [\[]BinaryPathName=ges/h1ktx3zGBYyU1AWznQ==[\]]
[1F74:1CD4][2024-11-12T20:30:24]i000: Setting string variable 'IsConfigured' to value 'True'
[1F74:1B10][2024-11-12T20:30:24]i200: Plan begin, 5 packages, action: Uninstall
[1F74:1B10][2024-11-12T20:30:24]i000: Setting string variable 'WixBundleRollbackLog_MsiPackage' to value 'C:\Users\\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20241112203019_000_MsiPackage_rollback.log'
[1F74:1B10][2024-11-12T20:30:24]i000: Setting string variable 'WixBundleLog_MsiPackage' to value 'C:\Users\\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20241112203019_000_MsiPackage.log'
[1F74:1B10][2024-11-12T20:30:24]w321: Skipping dependency registration on package with no dependency providers: NetFrameworkPackageServerCore
[1F74:1B10][2024-11-12T20:30:24]w321: Skipping dependency registration on package with no dependency providers: NetFrameworkPackageServer
[1F74:1B10][2024-11-12T20:30:24]w321: Skipping dependency registration on package with no dependency providers: Kb4019990Windows2012Package
[1F74:1B10][2024-11-12T20:30:24]w321: Skipping dependency registration on package with no dependency providers: Kb4019990Windows2008R2Package
[1F74:1B10][2024-11-12T20:30:24]i201: Planned package: MsiPackage, state: Present, default requested: Absent, ba requested: Absent, execute: Uninstall, rollback: Install, cache: No, uncache: Yes, dependency: Unregister
[1F74:1B10][2024-11-12T20:30:24]i201: Planned package: NetFrameworkPackageServerCore, state: Present, default requested: None, ba requested: None, execute: None, rollback: None, cache: No, uncache: No, dependency: None
[1F74:1B10][2024-11-12T20:30:24]i201: Planned package: NetFrameworkPackageServer, state: Present, default requested: None, ba requested: None, execute: None, rollback: None, cache: No, uncache: No, dependency: None
[1F74:1B10][2024-11-12T20:30:24]i201: Planned package: Kb4019990Windows2012Package, state: Absent, default requested: None, ba requested: None, execute: None, rollback: None, cache: No, uncache: No, dependency: None
[1F74:1B10][2024-11-12T20:30:24]i201: Planned package: Kb4019990Windows2008R2Package, state: Absent, default requested: None, ba requested: None, execute: None, rollback: None, cache: No, uncache: No, dependency: None
[1F74:1B10][2024-11-12T20:30:24]i299: Plan complete, result: 0x0
[1F74:1B10][2024-11-12T20:30:24]i300: Apply begin
[1F74:1B10][2024-11-12T20:30:24]i010: Launching elevated engine process.
[1F74:1B10][2024-11-12T20:30:24]i011: Launched elevated engine process.
[1F74:1B10][2024-11-12T20:30:24]i012: Connected to elevated engine.
[0DF4:1AC4][2024-11-12T20:30:24]i358: Pausing automatic updates.
[0DF4:1AC4][2024-11-12T20:30:24]i359: Paused automatic updates.
[0DF4:1AC4][2024-11-12T20:30:24]i360: Creating a system restore point.
[0DF4:1AC4][2024-11-12T20:30:24]i362: System restore disabled, system restore point not created.
[0DF4:1AC4][2024-11-12T20:30:24]i371: Updating session, registration key: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{bbfc6df4-0b62-4ffe-bd96-c0b5393142e9}, resume: Active, restart initiated: No, disable resume: No
[0DF4:1AC4][2024-11-12T20:30:24]i326: Removed dependency: {bbfc6df4-0b62-4ffe-bd96-c0b5393142e9} on package provider: {4DCC771E-B333-439A-80C5-7BDB9049784A}, package MsiPackage
[0DF4:1AC4][2024-11-12T20:30:24]i329: Removed package dependency provider: {4DCC771E-B333-439A-80C5-7BDB9049784A}, package: MsiPackage
[0DF4:1AC4][2024-11-12T20:30:24]i301: Applying execute package: MsiPackage, action: Uninstall, path: (null), arguments: ' ARPSYSTEMCOMPONENT="1" MSIFASTINSTALL="7" ACCESSKEY="*****" DelayedUpdate="" InstallationPath="C:\Program Files\Azure Advanced Threat Protection Sensor" InstalledVersion="" LogsPath="" PROXYCONFIGURATION="*****" WixBundleOriginalSourceFolder="\\lundinmining.local\NETLOGON\GLB-C-DefenderForIdentitySensor\"'
[0DF4:1AC4][2024-11-12T20:30:29]e000: Error 0x80070643: Failed to uninstall MSI package.
[0DF4:1AC4][2024-11-12T20:30:29]e000: Error 0x80070643: Failed to execute MSI package.
[1F74:1B10][2024-11-12T20:30:29]e000: Error 0x80070643: Failed to configure per-machine MSI package.
[1F74:1B10][2024-11-12T20:30:29]i000: 2024-11-12 19:30:29.2631 Error Model LogError [\[]methodName=BootstrapperApplication_ExecutePackageComplete status=-2147023293 exception=[\]]
[1F74:1B10][2024-11-12T20:30:29]i319: Applied execute package: MsiPackage, result: 0x80070643, restart: None
[1F74:1B10][2024-11-12T20:30:29]e000: Error 0x80070643: Failed to execute MSI package.
[0DF4:1AC4][2024-11-12T20:30:29]i318: Skipped rollback of package: MsiPackage, action: Install, already: Present
[1F74:1B10][2024-11-12T20:30:29]i319: Applied rollback package: MsiPackage, result: 0x0, restart: None
[0DF4:1AC4][2024-11-12T20:30:29]i323: Registering package dependency provider: {4DCC771E-B333-439A-80C5-7BDB9049784A}, version: 2.239.18066.19147, package: MsiPackage
[0DF4:1AC4][2024-11-12T20:30:29]i325: Registering dependency: {bbfc6df4-0b62-4ffe-bd96-c0b5393142e9} on package provider: {4DCC771E-B333-439A-80C5-7BDB9049784A}, package: MsiPackage
[0DF4:1AC4][2024-11-12T20:30:29]i372: Session end, registration key: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{bbfc6df4-0b62-4ffe-bd96-c0b5393142e9}, resume: ARP, restart: None, disable resume: No
[0DF4:1AC4][2024-11-12T20:30:29]i371: Updating session, registration key: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{bbfc6df4-0b62-4ffe-bd96-c0b5393142e9}, resume: ARP, restart initiated: No, disable resume: No
[1F74:1B10][2024-11-12T20:30:29]i399: Apply complete, result: 0x80070643, restart: None, ba requested restart: NoAzure Advanced Threat Protection Sensor_20241112203019_000_MsiPackage.log
=== Verbose logging started: 2024-11-12 20:30:24 Build type: SHIP UNICODE 5.00.10011.00 Calling process: C:\ProgramData\Package Cache\{bbfc6df4-0b62-4ffe-bd96-c0b5393142e9}\Azure ATP Sensor Setup.exe ===
MSI (c) (F4:44) [20:30:24:726]: Resetting cached policy values
MSI (c) (F4:44) [20:30:24:726]: Machine policy value 'Debug' is 0
MSI (c) (F4:44) [20:30:24:726]: ******* RunEngine:
******* Product: {4DCC771E-B333-439A-80C5-7BDB9049784A}
******* Action:
******* CommandLine: **********
MSI (c) (F4:44) [20:30:24:726]: Client-side and UI is none or basic: Running entire install on the server.
MSI (c) (F4:44) [20:30:24:726]: Grabbed execution mutex.
MSI (c) (F4:44) [20:30:25:065]: Cloaking enabled.
MSI (c) (F4:44) [20:30:25:065]: Attempting to enable all disabled privileges before calling Install on Server
MSI (c) (F4:44) [20:30:25:066]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (CC:AC) [20:30:25:082]: Running installation inside multi-package transaction {4DCC771E-B333-439A-80C5-7BDB9049784A}
MSI (s) (CC:AC) [20:30:25:082]: Grabbed execution mutex.
MSI (s) (CC:24) [20:30:25:082]: Resetting cached policy values
MSI (s) (CC:24) [20:30:25:082]: Machine policy value 'Debug' is 0
MSI (s) (CC:24) [20:30:25:082]: ******* RunEngine:
******* Product: {4DCC771E-B333-439A-80C5-7BDB9049784A}
******* Action:
******* CommandLine: **********
MSI (s) (CC:24) [20:30:25:082]: Machine policy value 'DisableUserInstalls' is 0
MSI (s) (CC:24) [20:30:25:082]: Note: 1: 2203 2: C:\Windows\Installer\inprogressinstallinfo.ipi 3: -2147287038
MSI (s) (CC:24) [20:30:25:097]: SRSetRestorePoint skipped for this transaction.
MSI (s) (CC:24) [20:30:25:097]: MSCOREE not loaded loading copy from system32
MSI (s) (CC:24) [20:30:25:113]: End dialog not enabled
MSI (s) (CC:24) [20:30:25:113]: Original package ==> C:\Windows\Installer\35567.msi
MSI (s) (CC:24) [20:30:25:113]: Package we're running from ==> C:\Windows\Installer\35567.msi
MSI (s) (CC:24) [20:30:25:113]: APPCOMPAT: Uninstall Flags override found.
MSI (s) (CC:24) [20:30:25:129]: APPCOMPAT: Uninstall VersionNT override found.
MSI (s) (CC:24) [20:30:25:129]: APPCOMPAT: Uninstall ServicePackLevel override found.
MSI (s) (CC:24) [20:30:25:129]: APPCOMPAT: looking for appcompat database entry with ProductCode '{4DCC771E-B333-439A-80C5-7BDB9049784A}'.
MSI (s) (CC:24) [20:30:25:129]: APPCOMPAT: no matching ProductCode found in database.
MSI (s) (CC:24) [20:30:25:129]: Note: 1: 2205 2: 3: MsiFileHash
MSI (s) (CC:24) [20:30:25:129]: Machine policy value 'DisablePatch' is 0
MSI (s) (CC:24) [20:30:25:129]: Machine policy value 'AllowLockdownPatch' is 0
MSI (s) (CC:24) [20:30:25:129]: Machine policy value 'DisableLUAPatching' is 0
MSI (s) (CC:24) [20:30:25:129]: Machine policy value 'DisableFlyWeightPatching' is 0
MSI (s) (CC:24) [20:30:25:129]: APPCOMPAT: looking for appcompat database entry with ProductCode '{4DCC771E-B333-439A-80C5-7BDB9049784A}'.
MSI (s) (CC:24) [20:30:25:129]: APPCOMPAT: no matching ProductCode found in database.
MSI (s) (CC:24) [20:30:25:129]: Transforms are not secure.
MSI (s) (CC:24) [20:30:25:129]: Note: 1: 2205 2: 3: Control
MSI (s) (CC:24) [20:30:25:129]: PROPERTY CHANGE: Adding MsiLogFileLocation property. Its value is 'C:\Users\\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20241112203019_000_MsiPackage.log'.
MSI (s) (CC:24) [20:30:25:129]: Command Line: ARPSYSTEMCOMPONENT=1 MSIFASTINSTALL=7 ACCESSKEY=********** DelayedUpdate= InstallationPath=C:\Program Files\Azure Advanced Threat Protection Sensor InstalledVersion= LogsPath= PROXYCONFIGURATION=********** WixBundleOriginalSourceFolder=\\lundinmining.local\NETLOGON\GLB-C-DefenderForIdentitySensor\ REBOOT=ReallySuppress IGNOREDEPENDENCIES=ALL REMOVE=ALL CURRENTDIRECTORY=C:\Windows\system32 CLIENTUILEVEL=3 MSICLIENTUSESEXTERNALUI=1 CLIENTPROCESSID=3572
MSI (s) (CC:24) [20:30:25:129]: PROPERTY CHANGE: Adding PackageCode property. Its value is '{7B60B234-6673-4B70-9CC0-FB31351A5E65}'.
MSI (s) (CC:24) [20:30:25:129]: Product Code passed to Engine.Initialize: '{4DCC771E-B333-439A-80C5-7BDB9049784A}'
MSI (s) (CC:24) [20:30:25:129]: Product Code from property table before transforms: '{4DCC771E-B333-439A-80C5-7BDB9049784A}'
MSI (s) (CC:24) [20:30:25:129]: Product Code from property table after transforms: '{4DCC771E-B333-439A-80C5-7BDB9049784A}'
MSI (s) (CC:24) [20:30:25:129]: Product registered: entering maintenance mode
MSI (s) (CC:24) [20:30:25:129]: Determined that existing product (either this product or the product being upgraded with a patch) is installed per-machine.
MSI (s) (CC:24) [20:30:25:129]: Product {4DCC771E-B333-439A-80C5-7BDB9049784A} is admin assigned: LocalSystem owns the publish key.
MSI (s) (CC:24) [20:30:25:129]: Product {4DCC771E-B333-439A-80C5-7BDB9049784A} is managed.
MSI (s) (CC:24) [20:30:25:129]: MSI_LUA: Credential prompt not required, user is an admin
MSI (s) (CC:24) [20:30:25:129]: PROPERTY CHANGE: Adding ProductState property. Its value is '5'.
MSI (s) (CC:24) [20:30:25:129]: PROPERTY CHANGE: Adding ProductToBeRegistered property. Its value is '1'.
MSI (s) (CC:24) [20:30:25:129]: Package name retrieved from configuration data: 'Microsoft.Tri.Sensor.Deployment.Package.msi'
MSI (s) (CC:24) [20:30:25:129]: Note: 1: 2205 2: 3: Error
MSI (s) (CC:24) [20:30:25:129]: Note: 1: 2262 2: AdminProperties 3: -2147287038
MSI (s) (CC:24) [20:30:25:129]: Machine policy value 'DisableMsi' is 1
MSI (s) (CC:24) [20:30:25:129]: Machine policy value 'AlwaysInstallElevated' is 0
MSI (s) (CC:24) [20:30:25:129]: User policy value 'AlwaysInstallElevated' is 0
MSI (s) (CC:24) [20:30:25:144]: Product {4DCC771E-B333-439A-80C5-7BDB9049784A} is admin assigned: LocalSystem owns the publish key.
MSI (s) (CC:24) [20:30:25:144]: Product {4DCC771E-B333-439A-80C5-7BDB9049784A} is managed.
MSI (s) (CC:24) [20:30:25:144]: Running product '{4DCC771E-B333-439A-80C5-7BDB9049784A}' with elevated privileges: Product is assigned.
MSI (s) (CC:24) [20:30:25:144]: PROPERTY CHANGE: Adding ARPSYSTEMCOMPONENT property. Its value is '1'.
MSI (s) (CC:24) [20:30:25:144]: PROPERTY CHANGE: Adding MSIFASTINSTALL property. Its value is '7'.
MSI (s) (CC:24) [20:30:25:144]: PROPERTY CHANGE: Adding ACCESSKEY property. Its value is '**********'.
MSI (s) (CC:24) [20:30:25:144]: PROPERTY CHANGE: Adding INSTALLATIONPATH property. Its value is 'C:\Program Files\Azure Advanced Threat Protection Sensor'.
MSI (s) (CC:24) [20:30:25:144]: PROPERTY CHANGE: Adding WIXBUNDLEORIGINALSOURCEFOLDER property. Its value is '\\lundinmining.local\NETLOGON\GLB-C-DefenderForIdentitySensor\'.
MSI (s) (CC:24) [20:30:25:144]: PROPERTY CHANGE: Adding REBOOT property. Its value is 'ReallySuppress'.
MSI (s) (CC:24) [20:30:25:144]: PROPERTY CHANGE: Adding IGNOREDEPENDENCIES property. Its value is 'ALL'.
MSI (s) (CC:24) [20:30:25:144]: PROPERTY CHANGE: Adding REMOVE property. Its value is 'ALL'.
MSI (s) (CC:24) [20:30:25:144]: PROPERTY CHANGE: Adding CURRENTDIRECTORY property. Its value is 'C:\Windows\system32'.
MSI (s) (CC:24) [20:30:25:144]: PROPERTY CHANGE: Adding CLIENTUILEVEL property. Its value is '3'.
MSI (s) (CC:24) [20:30:25:144]: PROPERTY CHANGE: Adding MSICLIENTUSESEXTERNALUI property. Its value is '1'.
MSI (s) (CC:24) [20:30:25:144]: PROPERTY CHANGE: Adding CLIENTPROCESSID property. Its value is '3572'.
MSI (s) (CC:24) [20:30:25:144]: Machine policy value 'DisableAutomaticApplicationShutdown' is 0
MSI (s) (CC:24) [20:30:25:144]: PROPERTY CHANGE: Adding MsiRestartManagerSessionKey property. Its value is '7d9eded80ce6114ca56753fa176eb123'.
MSI (s) (CC:24) [20:30:25:144]: RESTART MANAGER: Session opened.
MSI (s) (CC:24) [20:30:25:144]: PROPERTY CHANGE: Adding MsiSystemRebootPending property. Its value is '1'.
MSI (s) (CC:24) [20:30:25:144]: TRANSFORMS property is now:
MSI (s) (CC:24) [20:30:25:144]: PROPERTY CHANGE: Adding PRODUCTLANGUAGE property. Its value is '1033'.
MSI (s) (CC:24) [20:30:25:144]: PROPERTY CHANGE: Adding VersionDatabase property. Its value is '500'.
MSI (s) (CC:24) [20:30:25:144]: SHELL32::SHGetFolderPath returned: C:\Users\\AppData\Roaming
MSI (s) (CC:24) [20:30:25:144]: SHELL32::SHGetFolderPath returned: C:\Users\\Favorites
MSI (s) (CC:24) [20:30:25:144]: SHELL32::SHGetFolderPath returned: C:\Users\\AppData\Roaming\Microsoft\Windows\Network Shortcuts
MSI (s) (CC:24) [20:30:25:144]: SHELL32::SHGetFolderPath returned: C:\Users\\Documents
MSI (s) (CC:24) [20:30:25:144]: SHELL32::SHGetFolderPath returned: C:\Users\v\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
MSI (s) (CC:24) [20:30:25:144]: SHELL32::SHGetFolderPath returned: C:\Users\\AppData\Roaming\Microsoft\Windows\Recent
MSI (s) (CC:24) [20:30:25:160]: SHELL32::SHGetFolderPath returned: C:\Users\\AppData\Roaming\Microsoft\Windows\SendTo
MSI (s) (CC:24) [20:30:25:160]: SHELL32::SHGetFolderPath returned: C:\Users\\AppData\Roaming\Microsoft\Windows\Templates
MSI (s) (CC:24) [20:30:25:160]: SHELL32::SHGetFolderPath returned: C:\ProgramData
MSI (s) (CC:24) [20:30:25:160]: SHELL32::SHGetFolderPath returned: C:\Users\\AppData\Local
MSI (s) (CC:24) [20:30:25:160]: SHELL32::SHGetFolderPath returned: C:\Users\\Pictures
MSI (s) (CC:24) [20:30:25:160]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools
MSI (s) (CC:24) [20:30:25:160]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
MSI (s) (CC:24) [20:30:25:160]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs
MSI (s) (CC:24) [20:30:25:160]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu
MSI (s) (CC:24) [20:30:25:160]: SHELL32::SHGetFolderPath returned: C:\Users\Public\Desktop
MSI (s) (CC:24) [20:30:25:160]: SHELL32::SHGetFolderPath returned: C:\Users\\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
MSI (s) (CC:24) [20:30:25:175]: SHELL32::SHGetFolderPath returned: C:\Users\\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
MSI (s) (CC:24) [20:30:25:175]: SHELL32::SHGetFolderPath returned: C:\Users\\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
MSI (s) (CC:24) [20:30:25:175]: SHELL32::SHGetFolderPath returned: C:\Users\\AppData\Roaming\Microsoft\Windows\Start Menu
MSI (s) (CC:24) [20:30:25:175]: SHELL32::SHGetFolderPath returned: C:\Users\\Desktop
MSI (s) (CC:24) [20:30:25:175]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Templates
MSI (s) (CC:24) [20:30:25:175]: SHELL32::SHGetFolderPath returned: C:\Windows\Fonts
MSI (s) (CC:24) [20:30:25:175]: Note: 1: 2898 2: MS Sans Serif 3: MS Sans Serif 4: 0 5: 16
MSI (s) (CC:24) [20:30:25:175]: MSI_LUA: Setting AdminUser property to 1 because the product is already installed managed and per-machine
MSI (s) (CC:24) [20:30:25:175]: MSI_LUA: Setting MsiRunningElevated property to 1 because the install is already running elevated.
MSI (s) (CC:24) [20:30:25:175]: PROPERTY CHANGE: Adding MsiRunningElevated property. Its value is '1'.
MSI (s) (CC:24) [20:30:25:175]: PROPERTY CHANGE: Adding Privileged property. Its value is '1'.
MSI (s) (CC:24) [20:30:25:175]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info 3: 2
MSI (s) (CC:24) [20:30:25:175]: PROPERTY CHANGE: Adding USERNAME property. Its value is 'Lundin Mining'.
MSI (s) (CC:24) [20:30:25:175]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info 3: 2
MSI (s) (CC:24) [20:30:25:175]: PROPERTY CHANGE: Adding COMPANYNAME property. Its value is 'Lundin Mining'.
MSI (s) (CC:24) [20:30:25:175]: PROPERTY CHANGE: Adding Installed property. Its value is '00:00:00'.
MSI (s) (CC:24) [20:30:25:175]: PROPERTY CHANGE: Adding DATABASE property. Its value is 'C:\Windows\Installer\35567.msi'.
MSI (s) (CC:24) [20:30:25:175]: PROPERTY CHANGE: Adding OriginalDatabase property. Its value is 'C:\Windows\Installer\35567.msi'.
MSI (s) (CC:24) [20:30:25:175]: Machine policy value 'MsiDisableEmbeddedUI' is 0
MSI (s) (CC:24) [20:30:25:175]: EEUI - Disabling MsiEmbeddedUI due to existing external or embedded UI
MSI (s) (CC:24) [20:30:25:175]: EEUI - Disabling MsiEmbeddedUI for service because it's not a quiet/basic install
MSI (s) (CC:24) [20:30:25:175]: Note: 1: 2205 2: 3: PatchPackage
MSI (s) (CC:24) [20:30:25:175]: Machine policy value 'DisableRollback' is 0
MSI (s) (CC:24) [20:30:25:175]: User policy value 'DisableRollback' is 0
MSI (s) (CC:24) [20:30:25:175]: PROPERTY CHANGE: Adding UILevel property. Its value is '2'.
MSI (s) (CC:24) [20:30:25:175]: PROPERTY CHANGE: Adding MsiUISourceResOnly property. Its value is '1'.
=== Logging started: 2024-11-12 20:30:25 ===
MSI (s) (CC:24) [20:30:25:175]: Note: 1: 2203 2: C:\Windows\Installer\inprogressinstallinfo.ipi 3: -2147287038
MSI (s) (CC:24) [20:30:25:175]: PROPERTY CHANGE: Adding Preselected property. Its value is '1'.
MSI (s) (CC:24) [20:30:25:175]: APPCOMPAT: [DetectVersionLaunchCondition] Launch condition already passes.
MSI (s) (CC:24) [20:30:25:191]: PROPERTY CHANGE: Adding ACTION property. Its value is 'INSTALL'.
MSI (s) (CC:24) [20:30:25:191]: Doing action: INSTALL
MSI (s) (CC:24) [20:30:25:191]: Note: 1: 2205 2: 3: ActionText
Action start 20:30:25: INSTALL.
MSI (s) (CC:24) [20:30:25:191]: Running ExecuteSequence
MSI (s) (CC:24) [20:30:25:191]: Doing action: FindRelatedProducts
MSI (s) (CC:24) [20:30:25:191]: Note: 1: 2205 2: 3: ActionText
MSI (s) (CC:24) [20:30:25:191]: Skipping FindRelatedProducts action: not run in maintenance mode
Action start 20:30:25: FindRelatedProducts.
MSI (s) (CC:24) [20:30:25:191]: Doing action: LaunchConditions
MSI (s) (CC:24) [20:30:25:191]: Note: 1: 2205 2: 3: ActionText
Action ended 20:30:25: FindRelatedProducts. Return value 0.
Action start 20:30:25: LaunchConditions.
MSI (s) (CC:24) [20:30:25:191]: Doing action: ValidateProductID
MSI (s) (CC:24) [20:30:25:191]: Note: 1: 2205 2: 3: ActionText
Action ended 20:30:25: LaunchConditions. Return value 1.
Action start 20:30:25: ValidateProductID.
MSI (s) (CC:24) [20:30:25:191]: Doing action: CostInitialize
MSI (s) (CC:24) [20:30:25:191]: Note: 1: 2205 2: 3: ActionText
Action ended 20:30:25: ValidateProductID. Return value 1.
MSI (s) (CC:24) [20:30:25:191]: Machine policy value 'MaxPatchCacheSize' is 10
MSI (s) (CC:24) [20:30:25:191]: PROPERTY CHANGE: Adding ROOTDRIVE property. Its value is 'C:\'.
MSI (s) (CC:24) [20:30:25:191]: PROPERTY CHANGE: Adding CostingComplete property. Its value is '0'.
MSI (s) (CC:24) [20:30:25:191]: Note: 1: 2205 2: 3: Patch
MSI (s) (CC:24) [20:30:25:191]: Note: 1: 2205 2: 3: PatchPackage
MSI (s) (CC:24) [20:30:25:191]: Note: 1: 2205 2: 3: MsiPatchHeaders
MSI (s) (CC:24) [20:30:25:191]: Note: 1: 2205 2: 3: __MsiPatchFileList
MSI (s) (CC:24) [20:30:25:191]: Note: 1: 2205 2: 3: PatchPackage
MSI (s) (CC:24) [20:30:25:191]: Note: 1: 2228 2: 3: PatchPackage 4: SELECT `DiskId`, `PatchId`, `LastSequence` FROM `Media`, `PatchPackage` WHERE `Media`.`DiskId`=`PatchPackage`.`Media_` ORDER BY `DiskId`
MSI (s) (CC:24) [20:30:25:191]: Note: 1: 2205 2: 3: Patch
Action start 20:30:25: CostInitialize.
MSI (s) (CC:24) [20:30:25:191]: Doing action: FileCost
MSI (s) (CC:24) [20:30:25:191]: Note: 1: 2205 2: 3: ActionText
Action ended 20:30:25: CostInitialize. Return value 1.
MSI (s) (CC:24) [20:30:25:191]: Note: 1: 2205 2: 3: MsiAssembly
Action start 20:30:25: FileCost.
MSI (s) (CC:24) [20:30:25:191]: Doing action: CostFinalize
MSI (s) (CC:24) [20:30:25:191]: Note: 1: 2205 2: 3: ActionText
Action ended 20:30:25: FileCost. Return value 1.
MSI (s) (CC:24) [20:30:25:191]: PROPERTY CHANGE: Adding OutOfDiskSpace property. Its value is '0'.
MSI (s) (CC:24) [20:30:25:191]: PROPERTY CHANGE: Adding OutOfNoRbDiskSpace property. Its value is '0'.
MSI (s) (CC:24) [20:30:25:191]: PROPERTY CHANGE: Adding PrimaryVolumeSpaceAvailable property. Its value is '0'.
MSI (s) (CC:24) [20:30:25:191]: PROPERTY CHANGE: Adding PrimaryVolumeSpaceRequired property. Its value is '0'.
MSI (s) (CC:24) [20:30:25:191]: PROPERTY CHANGE: Adding PrimaryVolumeSpaceRemaining property. Its value is '0'.
MSI (s) (CC:24) [20:30:25:191]: Note: 1: 2205 2: 3: MsiAssembly
MSI (s) (CC:24) [20:30:25:191]: Note: 1: 2228 2: 3: MsiAssembly 4: SELECT `MsiAssembly`.`Attributes`, `MsiAssembly`.`File_Application`, `MsiAssembly`.`File_Manifest`, `Component`.`KeyPath` FROM `MsiAssembly`, `Component` WHERE `MsiAssembly`.`Component_` = `Component`.`Component` AND `MsiAssembly`.`Component_` = ?
MSI (s) (CC:24) [20:30:25:191]: PROPERTY CHANGE: Adding TARGETDIR property. Its value is 'C:'.
MSI (s) (CC:24) [20:30:25:191]: Note: 1: 2205 2: 3: Patch
MSI (s) (CC:24) [20:30:25:191]: Note: 1: 2205 2: 3: Condition
MSI (s) (CC:24) [20:30:25:207]: PROPERTY CHANGE: Modifying TARGETDIR property. Its current value is 'C:'. Its new value: 'C:\'.
MSI (s) (CC:24) [20:30:25:207]: Target path resolution complete. Dumping Directory table...
MSI (s) (CC:24) [20:30:25:207]: Note: target paths subject to change (via custom actions or browsing)
MSI (s) (CC:24) [20:30:25:207]: Dir (target): Key: TARGETDIR , Object: C:\
MSI (s) (CC:24) [20:30:25:207]: PROPERTY CHANGE: Adding INSTALLLEVEL property. Its value is '1'.
Action start 20:30:25: CostFinalize.
MSI (s) (CC:24) [20:30:25:207]: Doing action: MigrateFeatureStates
MSI (s) (CC:24) [20:30:25:207]: Note: 1: 2205 2: 3: ActionText
Action ended 20:30:25: CostFinalize. Return value 1.
MSI (s) (CC:24) [20:30:25:207]: Skipping MigrateFeatureStates action: not run in maintenance mode
Action start 20:30:25: MigrateFeatureStates.
MSI (s) (CC:24) [20:30:25:207]: Doing action: InstallValidate
MSI (s) (CC:24) [20:30:25:207]: Note: 1: 2205 2: 3: ActionText
Action ended 20:30:25: MigrateFeatureStates. Return value 0.
MSI (s) (CC:24) [20:30:25:207]: PROPERTY CHANGE: Deleting MsiRestartManagerSessionKey property. Its current value is '7d9eded80ce6114ca56753fa176eb123'.
MSI (s) (CC:24) [20:30:25:207]: Note: 1: 2205 2: 3: Dialog
MSI (s) (CC:24) [20:30:25:207]: Feature: ProductFeature; Installed: Local; Request: Absent; Action: Absent
MSI (s) (CC:24) [20:30:25:207]: Component: ProductComponent; Installed: Local; Request: Absent; Action: Absent
MSI (s) (CC:24) [20:30:25:207]: Note: 1: 2205 2: 3: Registry
MSI (s) (CC:24) [20:30:25:207]: Note: 1: 2205 2: 3: BindImage
MSI (s) (CC:24) [20:30:25:207]: Note: 1: 2205 2: 3: ProgId
MSI (s) (CC:24) [20:30:25:207]: Note: 1: 2205 2: 3: PublishComponent
MSI (s) (CC:24) [20:30:25:207]: Note: 1: 2205 2: 3: SelfReg
MSI (s) (CC:24) [20:30:25:207]: Note: 1: 2205 2: 3: Extension
MSI (s) (CC:24) [20:30:25:207]: Note: 1: 2205 2: 3: Font
MSI (s) (CC:24) [20:30:25:207]: Note: 1: 2205 2: 3: Shortcut
MSI (s) (CC:24) [20:30:25:207]: Note: 1: 2205 2: 3: Class
MSI (s) (CC:24) [20:30:25:207]: Note: 1: 2205 2: 3: Icon
MSI (s) (CC:24) [20:30:25:207]: Note: 1: 2205 2: 3: TypeLib
Action start 20:30:25: InstallValidate.
MSI (s) (CC:24) [20:30:25:207]: Note: 1: 2205 2: 3: _RemoveFilePath
MSI (s) (CC:24) [20:30:25:207]: PROPERTY CHANGE: Modifying CostingComplete property. Its current value is '0'. Its new value: '1'.
MSI (s) (CC:24) [20:30:25:207]: Note: 1: 2205 2: 3: Registry
MSI (s) (CC:24) [20:30:25:207]: Note: 1: 2205 2: 3: BindImage
MSI (s) (CC:24) [20:30:25:207]: Note: 1: 2205 2: 3: ProgId
MSI (s) (CC:24) [20:30:25:207]: Note: 1: 2205 2: 3: PublishComponent
MSI (s) (CC:24) [20:30:25:207]: Note: 1: 2205 2: 3: SelfReg
MSI (s) (CC:24) [20:30:25:207]: Note: 1: 2205 2: 3: Extension
MSI (s) (CC:24) [20:30:25:207]: Note: 1: 2205 2: 3: Font
MSI (s) (CC:24) [20:30:25:207]: Note: 1: 2205 2: 3: Shortcut
MSI (s) (CC:24) [20:30:25:207]: Note: 1: 2205 2: 3: Class
MSI (s) (CC:24) [20:30:25:207]: Note: 1: 2205 2: 3: Icon
MSI (s) (CC:24) [20:30:25:207]: Note: 1: 2205 2: 3: TypeLib
MSI (s) (CC:24) [20:30:25:207]: Note: 1: 2727 2:
MSI (s) (CC:24) [20:30:25:207]: Note: 1: 2205 2: 3: FilesInUse
MSI (s) (CC:24) [20:30:25:222]: Note: 1: 2727 2:
MSI (s) (CC:24) [20:30:25:222]: Doing action: InstallInitialize
MSI (s) (CC:24) [20:30:25:222]: Note: 1: 2205 2: 3: ActionText
Action ended 20:30:25: InstallValidate. Return value 1.
MSI (s) (CC:24) [20:30:25:222]: Machine policy value 'AlwaysInstallElevated' is 0
MSI (s) (CC:24) [20:30:25:222]: User policy value 'AlwaysInstallElevated' is 0
MSI (s) (CC:24) [20:30:25:222]: BeginTransaction: Locking Server
MSI (s) (CC:24) [20:30:25:222]: Note: 1: 2203 2: C:\Windows\Installer\inprogressinstallinfo.ipi 3: -2147287038
MSI (s) (CC:24) [20:30:25:222]: SRSetRestorePoint skipped for this transaction.
MSI (s) (CC:24) [20:30:25:222]: Note: 1: 2203 2: C:\Windows\Installer\inprogressinstallinfo.ipi 3: -2147287038
MSI (s) (CC:24) [20:30:25:222]: Server not locked: locking for product {4DCC771E-B333-439A-80C5-7BDB9049784A}
MSI (s) (CC:24) [20:30:25:238]: Note: 1: 2205 2: 3: ActionText
MSI (s) (CC:24) [20:30:25:238]: Note: 1: 2205 2: 3: ActionText
MSI (s) (CC:24) [20:30:25:238]: Note: 1: 2205 2: 3: ActionText
Action start 20:30:25: InstallInitialize.
MSI (s) (CC:24) [20:30:25:254]: PROPERTY CHANGE: Deleting ProductToBeRegistered property. Its current value is '1'.
MSI (s) (CC:24) [20:30:25:269]: Note: 1: 2205 2: 3: Icon
MSI (s) (CC:24) [20:30:25:269]: Note: 1: 2228 2: 3: Icon 4: SELECT `Name`, `Data` FROM `Icon`
MSI (s) (CC:24) [20:30:25:269]: Skipping action: InstallCustomAction (condition is false)
MSI (s) (CC:24) [20:30:25:269]: Doing action: UninstallCustomAction
MSI (s) (CC:24) [20:30:25:269]: Note: 1: 2205 2: 3: ActionText
Action ended 20:30:25: InstallInitialize. Return value 1.
MSI (s) (CC:D0) [20:30:25:459]: Invoking remote custom action. DLL: C:\Windows\Installer\MSI2E7B.tmp, Entrypoint: Uninstall
MSI (s) (CC:9C) [20:30:25:475]: Generating random cookie.
MSI (s) (CC:9C) [20:30:25:522]: Created Custom Action Server with PID 5264 (0x1490).
MSI (s) (CC:A8) [20:30:25:600]: Running as a service.
MSI (s) (CC:AC) [20:30:25:600]: Hello, I'm your 64bit Impersonated custom action server.
Action start 20:30:25: UninstallCustomAction.
SFXCA: Extracting custom action to temporary directory: C:\Windows\Installer\MSI2E7B.tmp-\
SFXCA: Binding to CLR version v4.0.30319
Calling custom action Microsoft.Tri.Sensor.Deployment.Package.Actions!Microsoft.Tri.Sensor.Deployment.Package.Actions.CustomActions.Uninstall
Exception thrown by custom action:
System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.IO.FileNotFoundException: Could not find file 'C:\Program Files\Azure Advanced Threat Protection Sensor\2.240.18224.34815\SensorConfiguration.json'.
at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
at System.IO.StreamReader..ctor(String path, Encoding encoding, Boolean detectEncodingFromByteOrderMarks, Int32 bufferSize, Boolean checkHost)
at System.IO.File.InternalReadAllText(String path, Encoding encoding, Boolean checkHost)
at Microsoft.Tri.Infrastructure.ConfigurationFile.Load(String filePath)
at Microsoft.Tri.Sensor.Deployment.Package.Actions.UninstallActionGroup..ctor()
at Microsoft.Tri.Sensor.Deployment.Package.Actions.CustomActions.Uninstall(Session session)
--- End of inner exception stack trace ---
at System.RuntimeMethodHandle.InvokeMethod(Object target, Object arguments, Signature sig, Boolean constructor)
at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object parameters, Object arguments)
at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object parameters, CultureInfo culture)
at Microsoft.Deployment.WindowsInstaller.CustomActionProxy.InvokeCustomAction(Int32 sessionHandle, String entryPoint, IntPtr remotingDelegatePtr)
CustomAction UninstallCustomAction returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
MSI (s) (CC:24) [20:30:29:216]: Note: 1: 2265 2: 3: -2147287035
MSI (s) (CC:24) [20:30:29:216]: Machine policy value 'DisableRollback' is 0
MSI (s) (CC:24) [20:30:29:216]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
Action ended 20:30:29: UninstallCustomAction. Return value 3.
MSI (s) (CC:24) [20:30:29:216]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (CC:24) [20:30:29:216]: No System Restore sequence number for this installation.
MSI (s) (CC:24) [20:30:29:216]: Unlocking Server
Action ended 20:30:29: INSTALL. Return value 3.
Property(S): UpgradeCode = {EDFB49E0-16FA-4535-B268-BD1B81B15DC2}
Property(S): TARGETDIR = C:\
Property(S): ALLUSERS = 1
Property(S): Manufacturer = Microsoft Corporation
Property(S): ProductCode = {4DCC771E-B333-439A-80C5-7BDB9049784A}
Property(S): ProductLanguage = 1033
Property(S): ProductName = Azure Advanced Threat Protection Sensor
Property(S): ProductVersion = 2.239.18066.19147
Property(S): SecureCustomProperties = WIX_DOWNGRADE_DETECTED;WIX_UPGRADE_DETECTED
Property(S): MsiHiddenProperties = ACCESSKEY;PROXYCONFIGURATION
Property(S): MsiLogFileLocation = C:\Users\\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20241112203019_000_MsiPackage.log
Property(S): PackageCode = {7B60B234-6673-4B70-9CC0-FB31351A5E65}
Property(S): ProductState = 5
Property(S): ARPSYSTEMCOMPONENT = 1
Property(S): MSIFASTINSTALL = 7
Property(S): ACCESSKEY = **********
Property(S): INSTALLATIONPATH = C:\Program Files\Azure Advanced Threat Protection Sensor
Property(S): WIXBUNDLEORIGINALSOURCEFOLDER = \\lundinmining.local\NETLOGON\GLB-C-DefenderForIdentitySensor\
Property(S): REBOOT = ReallySuppress
Property(S): IGNOREDEPENDENCIES = ALL
Property(S): REMOVE = ALL
Property(S): CURRENTDIRECTORY = C:\Windows\system32
Property(S): CLIENTUILEVEL = 3
Property(S): MSICLIENTUSESEXTERNALUI = 1
Property(S): CLIENTPROCESSID = 3572
Property(S): MsiSystemRebootPending = 1
Property(S): PRODUCTLANGUAGE = 1033
Property(S): VersionDatabase = 500
Property(S): VersionMsi = 5.00
Property(S): VersionNT = 603
Property(S): VersionNT64 = 603
Property(S): WindowsBuild = 9600
Property(S): ServicePackLevel = 0
Property(S): ServicePackLevelMinor = 0
Property(S): MsiNTProductType = 2
Property(S): MsiNTSuiteDataCenter = 1
Property(S): WindowsFolder = C:\Windows\
Property(S): WindowsVolume = C:\
Property(S): System64Folder = C:\Windows\system32\
Property(S): SystemFolder = C:\Windows\SysWOW64\
Property(S): RemoteAdminTS = 1
Property(S): TempFolder = C:\Users\\AppData\Local\Temp\
Property(S): ProgramFilesFolder = C:\Program Files (x86)\
Property(S): CommonFilesFolder = C:\Program Files (x86)\Common Files\
Property(S): ProgramFiles64Folder = C:\Program Files\
Property(S): CommonFiles64Folder = C:\Program Files\Common Files\
Property(S): AppDataFolder = C:\Users\\AppData\Roaming\
Property(S): FavoritesFolder = C:\Users\\Favorites\
Property(S): NetHoodFolder = C:\Users\\AppData\Roaming\Microsoft\Windows\Network Shortcuts\
Property(S): PersonalFolder = C:\Users\\Documents\
Property(S): PrintHoodFolder = C:\Users\\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\
Property(S): RecentFolder = C:\Users\\AppData\Roaming\Microsoft\Windows\Recent\
Property(S): SendToFolder = C:\Users\\AppData\Roaming\Microsoft\Windows\SendTo\
Property(S): TemplateFolder = C:\ProgramData\Microsoft\Windows\Templates\
Property(S): CommonAppDataFolder = C:\ProgramData\
Property(S): LocalAppDataFolder = C:\Users\\AppData\Local\
Property(S): MyPicturesFolder = C:\Users\\Pictures\
Property(S): AdminToolsFolder = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\
Property(S): StartupFolder = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Property(S): ProgramMenuFolder = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\
Property(S): StartMenuFolder = C:\ProgramData\Microsoft\Windows\Start Menu\
Property(S): DesktopFolder = C:\Users\Public\Desktop\
Property(S): FontsFolder = C:\Windows\Fonts\
Property(S): GPTSupport = 1
Property(S): OLEAdvtSupport = 1
Property(S): ShellAdvtSupport = 1
Property(S): MsiAMD64 = 6
Property(S): Msix64 = 6
Property(S): Intel = 6
Property(S): PhysicalMemory = 12288
Property(S): VirtualMemory = 8415
Property(S): AdminUser = 1
Property(S): MsiTrueAdminUser = 1
Property(S): LogonUser =
Property(S): UserSID = S-1-5-21-4037986163-3075043171-3260184774-163117
Property(S): UserLanguageID = 1053
Property(S): ComputerName = ZMDC07
Property(S): SystemLanguageID = 1053
Property(S): ScreenX = 1024
Property(S): ScreenY = 768
Property(S): CaptionHeight = 23
Property(S): BorderTop = 1
Property(S): BorderSide = 1
Property(S): MsiTabletPC = 1
Property(S): TextHeight = 16
Property(S): TextInternalLeading = 3
Property(S): ColorBits = 32
Property(S): TTCSupport = 1
Property(S): Time = 20:30:29
Property(S): Date = 2024-11-12
Property(S): MsiNetAssemblySupport = 4.8.3761.0
Property(S): MsiWin32AssemblySupport = 6.3.14393.5786
Property(S): RedirectedDllSupport = 2
Property(S): MsiRunningElevated = 1
Property(S): Privileged = 1
Property(S): USERNAME = Lundin Mining
Property(S): COMPANYNAME = Lundin Mining
Property(S): Installed = 00:00:00
Property(S): DATABASE = C:\Windows\Installer\35567.msi
Property(S): OriginalDatabase = C:\Windows\Installer\35567.msi
Property(S): UILevel = 2
Property(S): MsiUISourceResOnly = 1
Property(S): Preselected = 1
Property(S): ACTION = INSTALL
Property(S): ROOTDRIVE = C:\
Property(S): CostingComplete = 1
Property(S): OutOfDiskSpace = 0
Property(S): OutOfNoRbDiskSpace = 0
Property(S): PrimaryVolumeSpaceAvailable = 0
Property(S): PrimaryVolumeSpaceRequired = 0
Property(S): PrimaryVolumeSpaceRemaining = 0
Property(S): INSTALLLEVEL = 1
MSI (s) (CC:24) [20:30:29:247]: Note: 1: 1725
MSI (s) (CC:24) [20:30:29:247]: Note: 1: 2205 2: 3: Error
MSI (s) (CC:24) [20:30:29:247]: Note: 1: 2228 2: 3: Error 4: SELECT `Message` FROM `Error` WHERE `Error` = 1725
MSI (s) (CC:24) [20:30:29:247]: Note: 1: 2205 2: 3: Error
MSI (s) (CC:24) [20:30:29:247]: Note: 1: 2228 2: 3: Error 4: SELECT `Message` FROM `Error` WHERE `Error` = 1709
MSI (s) (CC:24) [20:30:29:247]: Product: Azure Advanced Threat Protection Sensor -- Removal failed.MSI (s) (CC:24) [20:30:29:247]: Windows Installer removed the product. Product Name: Azure Advanced Threat Protection Sensor. Product Version: 2.239.18066.19147. Product Language: 1033. Manufacturer: Microsoft Corporation. Removal success or error status: 1603.
MSI (s) (CC:24) [20:30:29:247]: Deferring clean up of packages/files, if any exist
MSI (s) (CC:24) [20:30:29:247]: MainEngineThread is returning 1603
MSI (s) (CC:AC) [20:30:29:247]: RESTART MANAGER: Session closed.
MSI (s) (CC:AC) [20:30:29:247]: No System Restore sequence number for this installation.
=== Logging stopped: 2024-11-12 20:30:29 ===
MSI (s) (CC:AC) [20:30:29:263]: User policy value 'DisableRollback' is 0
MSI (s) (CC:AC) [20:30:29:263]: Machine policy value 'DisableRollback' is 0
MSI (s) (CC:AC) [20:30:29:263]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (CC:AC) [20:30:29:263]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (CC:AC) [20:30:29:263]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (CC:AC) [20:30:29:263]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
MSI (s) (CC:AC) [20:30:29:263]: Destroying RemoteAPI object.
MSI (s) (CC:9C) [20:30:29:263]: Custom Action Manager thread ending.
MSI (c) (F4:44) [20:30:29:263]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
MSI (c) (F4:44) [20:30:29:263]: MainEngineThread is returning 1603
=== Verbose logging stopped: 2024-11-12 20:30:29 ===- EliOfekMicrosoft
Could not find file 'C:\Program Files\Azure Advanced Threat Protection Sensor\2.240.18224.34815\SensorConfiguration.json'.
You are missing this file.
Copy it from a working sendor, it might reaolve the issue.
- RyanP1895Copper Contributor
Thanks for that and yes. Its was missing. I added it to the install folder and the atp service still wouldnt start. However it did allow me to uninstall the old one.
However upon re-installing, I get the same error as before (0x80070643)
2 logs were produced by this:
Azure Advanced Threat Protection Sensor_20241112214452.log
[06A0:1C80][2024-11-12T21:44:51]i001: Burn v3.11.2.4516, Windows v10.0 (Build 14393: Service Pack 0), path: C:\Users\\AppData\Local\Temp\4\{CBAE67F3-DE17-4F2A-A9AB-610DBAE62012}\.cr\Azure ATP Sensor Setup.exe
[06A0:1C80][2024-11-12T21:44:51]i000: Initializing hidden variable 'AccessKey'
[06A0:1C80][2024-11-12T21:44:51]i000: Initializing hidden variable 'ProxyConfiguration'
[06A0:1C80][2024-11-12T21:44:51]i000: Initializing hidden variable 'ProxyUserPassword'
[06A0:1C80][2024-11-12T21:44:51]i000: Initializing string variable 'NetFrameworkCommandLineArguments' to value '/passive /showrmui'
[06A0:1C80][2024-11-12T21:44:51]i009: Command Line: '"-burn.clean.room=C:\temp\GLB-C-DefenderForIdentitySensor\Azure ATP Sensor Setup.exe" -burn.filehandle.attached=480 -burn.filehandle.self=484'
[06A0:1C80][2024-11-12T21:44:51]i000: Setting string variable 'WixBundleOriginalSource' to value 'C:\temp\GLB-C-DefenderForIdentitySensor\Azure ATP Sensor Setup.exe'
[06A0:1C80][2024-11-12T21:44:51]i000: Setting string variable 'WixBundleOriginalSourceFolder' to value 'C:\temp\GLB-C-DefenderForIdentitySensor\'
[06A0:1C80][2024-11-12T21:44:52]i000: Setting string variable 'WixBundleLog' to value 'C:\Users\\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20241112214452.log'
[06A0:1C80][2024-11-12T21:44:52]i000: Setting string variable 'WixBundleName' to value 'Azure Advanced Threat Protection Sensor'
[06A0:1C80][2024-11-12T21:44:52]i000: Setting string variable 'WixBundleManufacturer' to value 'Microsoft Corporation'
[06A0:1C80][2024-11-12T21:44:52]i000: Loading managed bootstrapper application.
[06A0:1C80][2024-11-12T21:44:52]i000: Creating BA thread to run asynchronously.
[06A0:1C80][2024-11-12T21:44:53]i100: Detect begin, 5 packages
[06A0:1C80][2024-11-12T21:44:53]i000: 2024-11-12 20:44:53.4025 Debug DeploymentModel DetectDeploymentAction DetectBegin [\[]Installed=False[\]]
[06A0:1C80][2024-11-12T21:44:53]i000: Registry key not found. Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB4019990~31bf3856ad364e35~amd64~~6.1.1.2'
[06A0:1C80][2024-11-12T21:44:53]i000: Setting numeric variable 'Kb4019990Windows2008R2Exists' to value 0
[06A0:1C80][2024-11-12T21:44:53]i000: Registry key not found. Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB4019990~31bf3856ad364e35~amd64~~6.2.1.1'
[06A0:1C80][2024-11-12T21:44:53]i000: Setting numeric variable 'Kb4019990Windows2012Exists' to value 0
[06A0:1C80][2024-11-12T21:44:53]i000: Setting string variable 'NetFrameworkRegistryValue' to value '528049'
[06A0:1C80][2024-11-12T21:44:53]i000: Setting string variable 'ServerLevelsServerCoreRegistryValue' to value '1'
[06A0:1C80][2024-11-12T21:44:53]i000: Setting string variable 'ServerLevelsServerGuiShellRegistryValue' to value '1'
[06A0:1C80][2024-11-12T21:44:53]i052: Condition 'Kb4019990Windows2008R2Exists' evaluates to false.
[06A0:1C80][2024-11-12T21:44:53]i052: Condition 'Kb4019990Windows2012Exists' evaluates to false.
[06A0:1C80][2024-11-12T21:44:53]i052: Condition 'NetFrameworkRegistryValue >= 460798' evaluates to true.
[06A0:1C80][2024-11-12T21:44:53]i052: Condition 'NetFrameworkRegistryValue >= 460798' evaluates to true.
[06A0:1C80][2024-11-12T21:44:53]i101: Detected package: Kb4019990Windows2008R2Package, state: Absent, cached: None
[06A0:1C80][2024-11-12T21:44:53]i101: Detected package: Kb4019990Windows2012Package, state: Absent, cached: None
[06A0:1C80][2024-11-12T21:44:53]i101: Detected package: NetFrameworkPackageServer, state: Present, cached: None
[06A0:1C80][2024-11-12T21:44:53]i101: Detected package: NetFrameworkPackageServerCore, state: Present, cached: None
[06A0:1C80][2024-11-12T21:44:53]i101: Detected package: MsiPackage, state: Absent, cached: None
[06A0:1C80][2024-11-12T21:44:53]i199: Detect complete, result: 0x0
[06A0:0E30][2024-11-12T21:44:53]i000: 2024-11-12 20:44:53.4182 Debug DeploymentModel .ctor [\[]DeploymentAction=Install[\]]
[06A0:0E30][2024-11-12T21:44:53]i000: 2024-11-12 20:44:53.4963 Debug DeploymentModel .ctor [\[]IsAfterRestartAndConfigured=False[\]]
[06A0:0E30][2024-11-12T21:45:50]i000: 2024-11-12 20:45:50.4192 Info Model ValidateAsync ValidateCreateSensorAsync returned [\[]validateCreateSensorResult=Success[\]]
[06A0:0E30][2024-11-12T21:45:50]i000: Setting string variable 'IsConfigured' to value 'True'
[06A0:0E30][2024-11-12T21:45:50]i000: Setting hidden variable 'AccessKey'
[06A0:0E30][2024-11-12T21:45:50]i000: Unsetting variable 'DelayedUpdate'
[06A0:0E30][2024-11-12T21:45:50]i000: Unsetting variable 'LogsPath'
[06A0:0E30][2024-11-12T21:45:50]i000: Setting hidden variable 'ProxyConfiguration'
[06A0:0E30][2024-11-12T21:45:50]i000: Setting string variable 'InstallationPath' to value 'C:\Program Files\Azure Advanced Threat Protection Sensor'
[06A0:1C80][2024-11-12T21:45:50]i200: Plan begin, 5 packages, action: Install
[06A0:1C80][2024-11-12T21:45:50]i052: Condition 'VersionNT64 = v6.1' evaluates to false.
[06A0:1C80][2024-11-12T21:45:50]w321: Skipping dependency registration on package with no dependency providers: Kb4019990Windows2008R2Package
[06A0:1C80][2024-11-12T21:45:50]i052: Condition 'VersionNT64 = v6.2' evaluates to false.
[06A0:1C80][2024-11-12T21:45:50]w321: Skipping dependency registration on package with no dependency providers: Kb4019990Windows2012Package
[06A0:1C80][2024-11-12T21:45:50]i052: Condition 'ServerLevelsServerCoreRegistryValue <> 1 OR ServerLevelsServerGuiShellRegistryValue = 1' evaluates to true.
[06A0:1C80][2024-11-12T21:45:50]w321: Skipping dependency registration on package with no dependency providers: NetFrameworkPackageServer
[06A0:1C80][2024-11-12T21:45:50]i052: Condition 'ServerLevelsServerCoreRegistryValue = 1 AND ServerLevelsServerGuiShellRegistryValue <> 1' evaluates to false.
[06A0:1C80][2024-11-12T21:45:50]w321: Skipping dependency registration on package with no dependency providers: NetFrameworkPackageServerCore
[06A0:1C80][2024-11-12T21:45:50]i000: Setting string variable 'WixBundleRollbackLog_MsiPackage' to value 'C:\Users\\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20241112214452_000_MsiPackage_rollback.log'
[06A0:1C80][2024-11-12T21:45:50]i000: Setting string variable 'WixBundleLog_MsiPackage' to value 'C:\Users\\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20241112214452_000_MsiPackage.log'
[06A0:1C80][2024-11-12T21:45:50]i201: Planned package: Kb4019990Windows2008R2Package, state: Absent, default requested: Absent, ba requested: Absent, execute: None, rollback: None, cache: No, uncache: No, dependency: None
[06A0:1C80][2024-11-12T21:45:50]i201: Planned package: Kb4019990Windows2012Package, state: Absent, default requested: Absent, ba requested: Absent, execute: None, rollback: None, cache: No, uncache: No, dependency: None
[06A0:1C80][2024-11-12T21:45:50]i201: Planned package: NetFrameworkPackageServer, state: Present, default requested: Present, ba requested: Present, execute: None, rollback: None, cache: No, uncache: No, dependency: None
[06A0:1C80][2024-11-12T21:45:50]i201: Planned package: NetFrameworkPackageServerCore, state: Present, default requested: Absent, ba requested: Absent, execute: None, rollback: None, cache: No, uncache: No, dependency: None
[06A0:1C80][2024-11-12T21:45:50]i201: Planned package: MsiPackage, state: Absent, default requested: Present, ba requested: Present, execute: Install, rollback: Uninstall, cache: Yes, uncache: No, dependency: Register
[06A0:1C80][2024-11-12T21:45:50]i299: Plan complete, result: 0x0
[06A0:1C80][2024-11-12T21:45:50]i300: Apply begin
[06A0:1C80][2024-11-12T21:45:50]i010: Launching elevated engine process.
[06A0:1C80][2024-11-12T21:45:53]i011: Launched elevated engine process.
[06A0:1C80][2024-11-12T21:45:53]i012: Connected to elevated engine.
[1A40:1744][2024-11-12T21:45:53]i358: Pausing automatic updates.
[1A40:1744][2024-11-12T21:45:53]i359: Paused automatic updates.
[1A40:1744][2024-11-12T21:45:53]i360: Creating a system restore point.
[1A40:1744][2024-11-12T21:45:53]i362: System restore disabled, system restore point not created.
[1A40:1744][2024-11-12T21:45:53]i370: Session begin, registration key: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{22c54ff7-cc88-43ef-a1b4-2d870f4ca0c9}, options: 0x7, disable resume: No
[1A40:1744][2024-11-12T21:45:53]i000: Caching bundle from: 'C:\Users\\AppData\Local\Temp\4\{78227D59-BBBF-4118-B085-7F3859B9422B}\.be\Azure ATP Sensor Setup.exe' to: 'C:\ProgramData\Package Cache\{22c54ff7-cc88-43ef-a1b4-2d870f4ca0c9}\Azure ATP Sensor Setup.exe'
[1A40:1744][2024-11-12T21:45:54]i320: Registering bundle dependency provider: {22c54ff7-cc88-43ef-a1b4-2d870f4ca0c9}, version: 2.240.18319.21975
[1A40:1744][2024-11-12T21:45:54]i371: Updating session, registration key: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{22c54ff7-cc88-43ef-a1b4-2d870f4ca0c9}, resume: Active, restart initiated: No, disable resume: No
[1A40:1200][2024-11-12T21:45:54]i305: Verified acquired payload: MsiPackage at path: C:\ProgramData\Package Cache\.unverified\MsiPackage, moving to: C:\ProgramData\Package Cache\{DF33D195-E8F2-4AA7-89B2-BE2B97069333}v2.240.18319.21975\Microsoft.Tri.Sensor.Deployment.Package.msi.
[1A40:1200][2024-11-12T21:45:54]i305: Verified acquired payload: cab9C68882706A1052319FE6C1B5DE23439 at path: C:\ProgramData\Package Cache\.unverified\cab9C68882706A1052319FE6C1B5DE23439, moving to: C:\ProgramData\Package Cache\{DF33D195-E8F2-4AA7-89B2-BE2B97069333}v2.240.18319.21975\1.
[1A40:1744][2024-11-12T21:45:54]i323: Registering package dependency provider: {DF33D195-E8F2-4AA7-89B2-BE2B97069333}, version: 2.240.18319.21975, package: MsiPackage
[1A40:1744][2024-11-12T21:45:54]i301: Applying execute package: MsiPackage, action: Install, path: C:\ProgramData\Package Cache\{DF33D195-E8F2-4AA7-89B2-BE2B97069333}v2.240.18319.21975\Microsoft.Tri.Sensor.Deployment.Package.msi, arguments: ' ARPSYSTEMCOMPONENT="1" MSIFASTINSTALL="7" ACCESSKEY="*****" DelayedUpdate="" InstallationPath="C:\Program Files\Azure Advanced Threat Protection Sensor" InstalledVersion="" LogsPath="" PROXYCONFIGURATION="*****" WixBundleOriginalSourceFolder="C:\temp\GLB-C-DefenderForIdentitySensor\"'
[1A40:1744][2024-11-12T21:46:09]e000: Error 0x80070643: Failed to install MSI package.
[1A40:1744][2024-11-12T21:46:09]e000: Error 0x80070643: Failed to execute MSI package.
[06A0:1C80][2024-11-12T21:46:09]e000: Error 0x80070643: Failed to configure per-machine MSI package.
[06A0:1C80][2024-11-12T21:46:09]i000: 2024-11-12 20:46:09.8032 Error Model LogError [\[]methodName=BootstrapperApplication_ExecutePackageComplete status=-2147023293 exception=[\]]
[06A0:1C80][2024-11-12T21:46:09]i319: Applied execute package: MsiPackage, result: 0x80070643, restart: None
[06A0:1C80][2024-11-12T21:46:09]e000: Error 0x80070643: Failed to execute MSI package.
[1A40:1744][2024-11-12T21:46:09]i318: Skipped rollback of package: MsiPackage, action: Uninstall, already: Absent
[06A0:1C80][2024-11-12T21:46:09]i319: Applied rollback package: MsiPackage, result: 0x0, restart: None
[1A40:1744][2024-11-12T21:46:09]i329: Removed package dependency provider: {DF33D195-E8F2-4AA7-89B2-BE2B97069333}, package: MsiPackage
[1A40:1744][2024-11-12T21:46:09]i351: Removing cached package: MsiPackage, from path: C:\ProgramData\Package Cache\{DF33D195-E8F2-4AA7-89B2-BE2B97069333}v2.240.18319.21975\
[1A40:1744][2024-11-12T21:46:09]i372: Session end, registration key: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{22c54ff7-cc88-43ef-a1b4-2d870f4ca0c9}, resume: None, restart: None, disable resume: No
[1A40:1744][2024-11-12T21:46:09]i330: Removed bundle dependency provider: {22c54ff7-cc88-43ef-a1b4-2d870f4ca0c9}
[1A40:1744][2024-11-12T21:46:09]i352: Removing cached bundle: {22c54ff7-cc88-43ef-a1b4-2d870f4ca0c9}, from path: C:\ProgramData\Package Cache\{22c54ff7-cc88-43ef-a1b4-2d870f4ca0c9}\
[1A40:1744][2024-11-12T21:46:09]i371: Updating session, registration key: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{22c54ff7-cc88-43ef-a1b4-2d870f4ca0c9}, resume: None, restart initiated: No, disable resume: No
[06A0:1C80][2024-11-12T21:46:09]i399: Apply complete, result: 0x80070643, restart: None, ba requested restart: NoAzure Advanced Threat Protection Sensor_20241112214452_000_MsiPackage.log
=== Verbose logging started: 2024-11-12 21:45:54 Build type: SHIP UNICODE 5.00.10011.00 Calling process: C:\Users\\AppData\Local\Temp\4\{78227D59-BBBF-4118-B085-7F3859B9422B}\.be\Azure ATP Sensor Setup.exe ===
MSI (c) (40:B0) [21:45:54:458]: Resetting cached policy values
MSI (c) (40:B0) [21:45:54:458]: Machine policy value 'Debug' is 0
MSI (c) (40:B0) [21:45:54:458]: ******* RunEngine:
******* Product: C:\ProgramData\Package Cache\{DF33D195-E8F2-4AA7-89B2-BE2B97069333}v2.240.18319.21975\Microsoft.Tri.Sensor.Deployment.Package.msi
******* Action:
******* CommandLine: **********
MSI (c) (40:B0) [21:45:54:459]: Client-side and UI is none or basic: Running entire install on the server.
MSI (c) (40:B0) [21:45:54:459]: Grabbed execution mutex.
MSI (c) (40:B0) [21:45:54:465]: Cloaking enabled.
MSI (c) (40:B0) [21:45:54:465]: Attempting to enable all disabled privileges before calling Install on Server
MSI (c) (40:B0) [21:45:54:468]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (08:A0) [21:45:54:475]: Running installation inside multi-package transaction C:\ProgramData\Package Cache\{DF33D195-E8F2-4AA7-89B2-BE2B97069333}v2.240.18319.21975\Microsoft.Tri.Sensor.Deployment.Package.msi
MSI (s) (08:A0) [21:45:54:475]: Grabbed execution mutex.
MSI (s) (08:74) [21:45:54:475]: Resetting cached policy values
MSI (s) (08:74) [21:45:54:475]: Machine policy value 'Debug' is 0
MSI (s) (08:74) [21:45:54:475]: ******* RunEngine:
******* Product: C:\ProgramData\Package Cache\{DF33D195-E8F2-4AA7-89B2-BE2B97069333}v2.240.18319.21975\Microsoft.Tri.Sensor.Deployment.Package.msi
******* Action:
******* CommandLine: **********
MSI (s) (08:74) [21:45:54:475]: Machine policy value 'DisableUserInstalls' is 0
MSI (s) (08:74) [21:45:54:491]: Note: 1: 2203 2: C:\Windows\Installer\inprogressinstallinfo.ipi 3: -2147287038
MSI (s) (08:74) [21:45:54:491]: SRSetRestorePoint skipped for this transaction.
MSI (s) (08:74) [21:45:54:491]: File will have security applied from OpCode.
MSI (s) (08:74) [21:45:54:569]: SOFTWARE RESTRICTION POLICY: Verifying package --> 'C:\ProgramData\Package Cache\{DF33D195-E8F2-4AA7-89B2-BE2B97069333}v2.240.18319.21975\Microsoft.Tri.Sensor.Deployment.Package.msi' against software restriction policy
MSI (s) (08:74) [21:45:54:569]: SOFTWARE RESTRICTION POLICY: C:\ProgramData\Package Cache\{DF33D195-E8F2-4AA7-89B2-BE2B97069333}v2.240.18319.21975\Microsoft.Tri.Sensor.Deployment.Package.msi has a digital signature
MSI (s) (08:74) [21:45:54:725]: SOFTWARE RESTRICTION POLICY: C:\ProgramData\Package Cache\{DF33D195-E8F2-4AA7-89B2-BE2B97069333}v2.240.18319.21975\Microsoft.Tri.Sensor.Deployment.Package.msi is permitted to run at the 'unrestricted' authorization level.
MSI (s) (08:74) [21:45:54:725]: MSCOREE not loaded loading copy from system32
MSI (s) (08:74) [21:45:54:741]: End dialog not enabled
MSI (s) (08:74) [21:45:54:741]: Original package ==> C:\ProgramData\Package Cache\{DF33D195-E8F2-4AA7-89B2-BE2B97069333}v2.240.18319.21975\Microsoft.Tri.Sensor.Deployment.Package.msi
MSI (s) (08:74) [21:45:54:741]: Package we're running from ==> C:\Windows\Installer\8ce8692f.msi
MSI (s) (08:74) [21:45:54:741]: APPCOMPAT: Compatibility mode property overrides found.
MSI (s) (08:74) [21:45:54:741]: APPCOMPAT: looking for appcompat database entry with ProductCode '{DF33D195-E8F2-4AA7-89B2-BE2B97069333}'.
MSI (s) (08:74) [21:45:54:741]: APPCOMPAT: no matching ProductCode found in database.
MSI (s) (08:74) [21:45:54:741]: Machine policy value 'TransformsSecure' is 1
MSI (s) (08:74) [21:45:54:741]: Note: 1: 2205 2: 3: MsiFileHash
MSI (s) (08:74) [21:45:54:741]: Machine policy value 'DisablePatch' is 0
MSI (s) (08:74) [21:45:54:741]: Machine policy value 'AllowLockdownPatch' is 0
MSI (s) (08:74) [21:45:54:741]: Machine policy value 'DisableLUAPatching' is 0
MSI (s) (08:74) [21:45:54:741]: Machine policy value 'DisableFlyWeightPatching' is 0
MSI (s) (08:74) [21:45:54:741]: APPCOMPAT: looking for appcompat database entry with ProductCode '{DF33D195-E8F2-4AA7-89B2-BE2B97069333}'.
MSI (s) (08:74) [21:45:54:741]: APPCOMPAT: no matching ProductCode found in database.
MSI (s) (08:74) [21:45:54:741]: Transforms are not secure.
MSI (s) (08:74) [21:45:54:741]: Note: 1: 2205 2: 3: Control
MSI (s) (08:74) [21:45:54:741]: PROPERTY CHANGE: Adding MsiLogFileLocation property. Its value is 'C:\Users\\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20241112214452_000_MsiPackage.log'.
MSI (s) (08:74) [21:45:54:741]: Command Line: ARPSYSTEMCOMPONENT=1 MSIFASTINSTALL=7 ACCESSKEY=********** DelayedUpdate= InstallationPath=C:\Program Files\Azure Advanced Threat Protection Sensor InstalledVersion= LogsPath= PROXYCONFIGURATION=********** WixBundleOriginalSourceFolder=C:\temp\GLB-C-DefenderForIdentitySensor\ REBOOT=ReallySuppress CURRENTDIRECTORY=C:\temp\GLB-C-DefenderForIdentitySensor CLIENTUILEVEL=3 MSICLIENTUSESEXTERNALUI=1 CLIENTPROCESSID=6720
MSI (s) (08:74) [21:45:54:741]: PROPERTY CHANGE: Adding PackageCode property. Its value is '{BBAD208E-F5BC-48CB-8E78-310DB24A4232}'.
MSI (s) (08:74) [21:45:54:741]: Product Code passed to Engine.Initialize: ''
MSI (s) (08:74) [21:45:54:741]: Product Code from property table before transforms: '{DF33D195-E8F2-4AA7-89B2-BE2B97069333}'
MSI (s) (08:74) [21:45:54:741]: Product Code from property table after transforms: '{DF33D195-E8F2-4AA7-89B2-BE2B97069333}'
MSI (s) (08:74) [21:45:54:741]: Product not registered: beginning first-time install
MSI (s) (08:74) [21:45:54:741]: Product {DF33D195-E8F2-4AA7-89B2-BE2B97069333} is not managed.
MSI (s) (08:74) [21:45:54:741]: MSI_LUA: Credential prompt not required, user is an admin
MSI (s) (08:74) [21:45:54:741]: PROPERTY CHANGE: Adding ProductState property. Its value is '-1'.
MSI (s) (08:74) [21:45:54:741]: Entering CMsiConfigurationManager::SetLastUsedSource.
MSI (s) (08:74) [21:45:54:741]: User policy value 'SearchOrder' is 'nmu'
MSI (s) (08:74) [21:45:54:741]: Adding new sources is allowed.
MSI (s) (08:74) [21:45:54:741]: PROPERTY CHANGE: Adding PackagecodeChanging property. Its value is '1'.
MSI (s) (08:74) [21:45:54:741]: Package name extracted from package path: 'Microsoft.Tri.Sensor.Deployment.Package.msi'
MSI (s) (08:74) [21:45:54:741]: Package to be registered: 'Microsoft.Tri.Sensor.Deployment.Package.msi'
MSI (s) (08:74) [21:45:54:741]: Note: 1: 2205 2: 3: Error
MSI (s) (08:74) [21:45:54:741]: Note: 1: 2262 2: AdminProperties 3: -2147287038
MSI (s) (08:74) [21:45:54:741]: Machine policy value 'DisableMsi' is 1
MSI (s) (08:74) [21:45:54:741]: Machine policy value 'AlwaysInstallElevated' is 0
MSI (s) (08:74) [21:45:54:741]: User policy value 'AlwaysInstallElevated' is 0
MSI (s) (08:74) [21:45:54:741]: Product installation will be elevated because user is admin and product is being installed per-machine.
MSI (s) (08:74) [21:45:54:741]: Running product '{DF33D195-E8F2-4AA7-89B2-BE2B97069333}' with elevated privileges: Product is assigned.
MSI (s) (08:74) [21:45:54:741]: PROPERTY CHANGE: Adding ARPSYSTEMCOMPONENT property. Its value is '1'.
MSI (s) (08:74) [21:45:54:741]: PROPERTY CHANGE: Adding MSIFASTINSTALL property. Its value is '7'.
MSI (s) (08:74) [21:45:54:741]: PROPERTY CHANGE: Adding ACCESSKEY property. Its value is '**********'.
MSI (s) (08:74) [21:45:54:741]: PROPERTY CHANGE: Adding INSTALLATIONPATH property. Its value is 'C:\Program Files\Azure Advanced Threat Protection Sensor'.
MSI (s) (08:74) [21:45:54:741]: PROPERTY CHANGE: Adding WIXBUNDLEORIGINALSOURCEFOLDER property. Its value is 'C:\temp\GLB-C-DefenderForIdentitySensor\'.
MSI (s) (08:74) [21:45:54:741]: PROPERTY CHANGE: Adding REBOOT property. Its value is 'ReallySuppress'.
MSI (s) (08:74) [21:45:54:741]: PROPERTY CHANGE: Adding CURRENTDIRECTORY property. Its value is 'C:\temp\GLB-C-DefenderForIdentitySensor'.
MSI (s) (08:74) [21:45:54:741]: PROPERTY CHANGE: Adding CLIENTUILEVEL property. Its value is '3'.
MSI (s) (08:74) [21:45:54:741]: PROPERTY CHANGE: Adding MSICLIENTUSESEXTERNALUI property. Its value is '1'.
MSI (s) (08:74) [21:45:54:741]: PROPERTY CHANGE: Adding CLIENTPROCESSID property. Its value is '6720'.
MSI (s) (08:74) [21:45:54:741]: Machine policy value 'DisableAutomaticApplicationShutdown' is 0
MSI (s) (08:74) [21:45:54:741]: PROPERTY CHANGE: Adding MsiRestartManagerSessionKey property. Its value is '601df937026b46449ac301f16dd2624d'.
MSI (s) (08:74) [21:45:54:741]: RESTART MANAGER: Session opened.
MSI (s) (08:74) [21:45:54:741]: PROPERTY CHANGE: Adding MsiSystemRebootPending property. Its value is '1'.
MSI (s) (08:74) [21:45:54:741]: TRANSFORMS property is now:
MSI (s) (08:74) [21:45:54:741]: PROPERTY CHANGE: Adding VersionDatabase property. Its value is '500'.
MSI (s) (08:74) [21:45:54:757]: SHELL32::SHGetFolderPath returned: C:\Users\\AppData\Roaming
MSI (s) (08:74) [21:45:54:757]: SHELL32::SHGetFolderPath returned: C:\Users\\Favorites
MSI (s) (08:74) [21:45:54:757]: SHELL32::SHGetFolderPath returned: C:\Users\\AppData\Roaming\Microsoft\Windows\Network Shortcuts
MSI (s) (08:74) [21:45:54:757]: SHELL32::SHGetFolderPath returned: C:\Users\\Documents
MSI (s) (08:74) [21:45:54:757]: SHELL32::SHGetFolderPath returned: C:\Users\\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
MSI (s) (08:74) [21:45:54:757]: SHELL32::SHGetFolderPath returned: C:\Users\\AppData\Roaming\Microsoft\Windows\Recent
MSI (s) (08:74) [21:45:54:757]: SHELL32::SHGetFolderPath returned: C:\Users\\AppData\Roaming\Microsoft\Windows\SendTo
MSI (s) (08:74) [21:45:54:757]: SHELL32::SHGetFolderPath returned: C:\Users\\AppData\Roaming\Microsoft\Windows\Templates
MSI (s) (08:74) [21:45:54:757]: SHELL32::SHGetFolderPath returned: C:\ProgramData
MSI (s) (08:74) [21:45:54:757]: SHELL32::SHGetFolderPath returned: C:\Users\\AppData\Local
MSI (s) (08:74) [21:45:54:757]: SHELL32::SHGetFolderPath returned: C:\Users\\Pictures
MSI (s) (08:74) [21:45:54:772]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools
MSI (s) (08:74) [21:45:54:772]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
MSI (s) (08:74) [21:45:54:772]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs
MSI (s) (08:74) [21:45:54:772]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu
MSI (s) (08:74) [21:45:54:772]: SHELL32::SHGetFolderPath returned: C:\Users\Public\Desktop
MSI (s) (08:74) [21:45:54:772]: SHELL32::SHGetFolderPath returned: C:\Users\\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
MSI (s) (08:74) [21:45:54:772]: SHELL32::SHGetFolderPath returned: C:\Users\\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
MSI (s) (08:74) [21:45:54:772]: SHELL32::SHGetFolderPath returned: C:\Users\\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
MSI (s) (08:74) [21:45:54:772]: SHELL32::SHGetFolderPath returned: C:\Users\\AppData\Roaming\Microsoft\Windows\Start Menu
MSI (s) (08:74) [21:45:54:772]: SHELL32::SHGetFolderPath returned: C:\Users\\Desktop
MSI (s) (08:74) [21:45:54:788]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Templates
MSI (s) (08:74) [21:45:54:788]: SHELL32::SHGetFolderPath returned: C:\Windows\Fonts
MSI (s) (08:74) [21:45:54:788]: Note: 1: 2898 2: MS Sans Serif 3: MS Sans Serif 4: 0 5: 16
MSI (s) (08:74) [21:45:54:788]: MSI_LUA: Setting MsiRunningElevated property to 1 because the install is already running elevated.
MSI (s) (08:74) [21:45:54:788]: PROPERTY CHANGE: Adding MsiRunningElevated property. Its value is '1'.
MSI (s) (08:74) [21:45:54:788]: PROPERTY CHANGE: Adding Privileged property. Its value is '1'.
MSI (s) (08:74) [21:45:54:788]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info 3: 2
MSI (s) (08:74) [21:45:54:788]: PROPERTY CHANGE: Adding USERNAME property. Its value is ' Mining'.
MSI (s) (08:74) [21:45:54:788]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info 3: 2
MSI (s) (08:74) [21:45:54:788]: PROPERTY CHANGE: Adding COMPANYNAME property. Its value is ' Mining'.
MSI (s) (08:74) [21:45:54:788]: PROPERTY CHANGE: Adding DATABASE property. Its value is 'C:\Windows\Installer\8ce8692f.msi'.
MSI (s) (08:74) [21:45:54:788]: PROPERTY CHANGE: Adding OriginalDatabase property. Its value is 'C:\ProgramData\Package Cache\{DF33D195-E8F2-4AA7-89B2-BE2B97069333}v2.240.18319.21975\Microsoft.Tri.Sensor.Deployment.Package.msi'.
MSI (s) (08:74) [21:45:54:788]: Machine policy value 'MsiDisableEmbeddedUI' is 0
MSI (s) (08:74) [21:45:54:788]: EEUI - Disabling MsiEmbeddedUI due to existing external or embedded UI
MSI (s) (08:74) [21:45:54:788]: EEUI - Disabling MsiEmbeddedUI for service because it's not a quiet/basic install
MSI (s) (08:74) [21:45:54:788]: Note: 1: 2205 2: 3: PatchPackage
MSI (s) (08:74) [21:45:54:788]: Machine policy value 'DisableRollback' is 0
MSI (s) (08:74) [21:45:54:788]: User policy value 'DisableRollback' is 0
MSI (s) (08:74) [21:45:54:788]: PROPERTY CHANGE: Adding UILevel property. Its value is '2'.
MSI (s) (08:74) [21:45:54:788]: PROPERTY CHANGE: Adding MsiUISourceResOnly property. Its value is '1'.
=== Logging started: 2024-11-12 21:45:54 ===
MSI (s) (08:74) [21:45:54:788]: Note: 1: 2203 2: C:\Windows\Installer\inprogressinstallinfo.ipi 3: -2147287038
MSI (s) (08:74) [21:45:54:788]: APPCOMPAT: [DetectVersionLaunchCondition] Launch condition already passes.
MSI (s) (08:74) [21:45:54:788]: PROPERTY CHANGE: Adding ACTION property. Its value is 'INSTALL'.
MSI (s) (08:74) [21:45:54:788]: Doing action: INSTALL
MSI (s) (08:74) [21:45:54:788]: Note: 1: 2205 2: 3: ActionText
Action start 21:45:54: INSTALL.
MSI (s) (08:74) [21:45:54:788]: Running ExecuteSequence
MSI (s) (08:74) [21:45:54:788]: Doing action: FindRelatedProducts
MSI (s) (08:74) [21:45:54:788]: Note: 1: 2205 2: 3: ActionText
Action start 21:45:54: FindRelatedProducts.
MSI (s) (08:74) [21:45:54:788]: Doing action: LaunchConditions
MSI (s) (08:74) [21:45:54:788]: Note: 1: 2205 2: 3: ActionText
Action ended 21:45:54: FindRelatedProducts. Return value 1.
Action start 21:45:54: LaunchConditions.
MSI (s) (08:74) [21:45:54:788]: Doing action: ValidateProductID
MSI (s) (08:74) [21:45:54:788]: Note: 1: 2205 2: 3: ActionText
Action ended 21:45:54: LaunchConditions. Return value 1.
Action start 21:45:54: ValidateProductID.
MSI (s) (08:74) [21:45:54:788]: Doing action: CostInitialize
MSI (s) (08:74) [21:45:54:788]: Note: 1: 2205 2: 3: ActionText
Action ended 21:45:54: ValidateProductID. Return value 1.
MSI (s) (08:74) [21:45:54:788]: Machine policy value 'MaxPatchCacheSize' is 10
MSI (s) (08:74) [21:45:54:788]: PROPERTY CHANGE: Adding ROOTDRIVE property. Its value is 'C:\'.
MSI (s) (08:74) [21:45:54:788]: PROPERTY CHANGE: Adding CostingComplete property. Its value is '0'.
MSI (s) (08:74) [21:45:54:788]: Note: 1: 2205 2: 3: Patch
MSI (s) (08:74) [21:45:54:788]: Note: 1: 2205 2: 3: PatchPackage
MSI (s) (08:74) [21:45:54:788]: Note: 1: 2205 2: 3: MsiPatchHeaders
MSI (s) (08:74) [21:45:54:788]: Note: 1: 2205 2: 3: __MsiPatchFileList
MSI (s) (08:74) [21:45:54:788]: Note: 1: 2205 2: 3: PatchPackage
MSI (s) (08:74) [21:45:54:788]: Note: 1: 2228 2: 3: PatchPackage 4: SELECT `DiskId`, `PatchId`, `LastSequence` FROM `Media`, `PatchPackage` WHERE `Media`.`DiskId`=`PatchPackage`.`Media_` ORDER BY `DiskId`
MSI (s) (08:74) [21:45:54:788]: Note: 1: 2205 2: 3: Patch
Action start 21:45:54: CostInitialize.
MSI (s) (08:74) [21:45:54:788]: Doing action: FileCost
MSI (s) (08:74) [21:45:54:788]: Note: 1: 2205 2: 3: ActionText
Action ended 21:45:54: CostInitialize. Return value 1.
MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2: 3: MsiAssembly
Action start 21:45:54: FileCost.
MSI (s) (08:74) [21:45:54:804]: Doing action: CostFinalize
MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2: 3: ActionText
Action ended 21:45:54: FileCost. Return value 1.
MSI (s) (08:74) [21:45:54:804]: PROPERTY CHANGE: Adding OutOfDiskSpace property. Its value is '0'.
MSI (s) (08:74) [21:45:54:804]: PROPERTY CHANGE: Adding OutOfNoRbDiskSpace property. Its value is '0'.
MSI (s) (08:74) [21:45:54:804]: PROPERTY CHANGE: Adding PrimaryVolumeSpaceAvailable property. Its value is '0'.
MSI (s) (08:74) [21:45:54:804]: PROPERTY CHANGE: Adding PrimaryVolumeSpaceRequired property. Its value is '0'.
MSI (s) (08:74) [21:45:54:804]: PROPERTY CHANGE: Adding PrimaryVolumeSpaceRemaining property. Its value is '0'.
MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2: 3: Patch
MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2: 3: Condition
MSI (s) (08:74) [21:45:54:804]: PROPERTY CHANGE: Adding TARGETDIR property. Its value is 'C:\'.
MSI (s) (08:74) [21:45:54:804]: Target path resolution complete. Dumping Directory table...
MSI (s) (08:74) [21:45:54:804]: Note: target paths subject to change (via custom actions or browsing)
MSI (s) (08:74) [21:45:54:804]: Dir (target): Key: TARGETDIR , Object: C:\
MSI (s) (08:74) [21:45:54:804]: PROPERTY CHANGE: Adding INSTALLLEVEL property. Its value is '1'.
MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2: 3: MsiAssembly
MSI (s) (08:74) [21:45:54:804]: Note: 1: 2228 2: 3: MsiAssembly 4: SELECT `MsiAssembly`.`Attributes`, `MsiAssembly`.`File_Application`, `MsiAssembly`.`File_Manifest`, `Component`.`KeyPath` FROM `MsiAssembly`, `Component` WHERE `MsiAssembly`.`Component_` = `Component`.`Component` AND `MsiAssembly`.`Component_` = ?
Action start 21:45:54: CostFinalize.
MSI (s) (08:74) [21:45:54:804]: Doing action: MigrateFeatureStates
MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2: 3: ActionText
Action ended 21:45:54: CostFinalize. Return value 1.
Action start 21:45:54: MigrateFeatureStates.
MSI (s) (08:74) [21:45:54:804]: Doing action: InstallValidate
MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2: 3: ActionText
Action ended 21:45:54: MigrateFeatureStates. Return value 0.
MSI (s) (08:74) [21:45:54:804]: PROPERTY CHANGE: Deleting MsiRestartManagerSessionKey property. Its current value is '601df937026b46449ac301f16dd2624d'.
MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2: 3: Dialog
MSI (s) (08:74) [21:45:54:804]: Feature: ProductFeature; Installed: Absent; Request: Local; Action: Local
MSI (s) (08:74) [21:45:54:804]: Component: ProductComponent; Installed: Absent; Request: Local; Action: Local
MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2: 3: Registry
MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2: 3: BindImage
MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2: 3: ProgId
MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2: 3: PublishComponent
MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2: 3: SelfReg
MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2: 3: Extension
MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2: 3: Font
MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2: 3: Shortcut
MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2: 3: Class
MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2: 3: Icon
MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2: 3: TypeLib
Action start 21:45:54: InstallValidate.
MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2: 3: _RemoveFilePath
MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2: 3: MsiFileHash
MSI (s) (08:74) [21:45:54:804]: PROPERTY CHANGE: Modifying CostingComplete property. Its current value is '0'. Its new value: '1'.
MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2: 3: Registry
MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2: 3: BindImage
MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2: 3: ProgId
MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2: 3: PublishComponent
MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2: 3: SelfReg
MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2: 3: Extension
MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2: 3: Font
MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2: 3: Shortcut
MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2: 3: Class
MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2: 3: Icon
MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2: 3: TypeLib
MSI (s) (08:74) [21:45:54:804]: Note: 1: 2727 2:
MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2: 3: FilesInUse
MSI (s) (08:74) [21:45:54:819]: Note: 1: 2727 2:
MSI (s) (08:74) [21:45:54:819]: Doing action: InstallInitialize
MSI (s) (08:74) [21:45:54:819]: Note: 1: 2205 2: 3: ActionText
Action ended 21:45:54: InstallValidate. Return value 1.
MSI (s) (08:74) [21:45:54:819]: Machine policy value 'AlwaysInstallElevated' is 0
MSI (s) (08:74) [21:45:54:819]: User policy value 'AlwaysInstallElevated' is 0
MSI (s) (08:74) [21:45:54:819]: BeginTransaction: Locking Server
MSI (s) (08:74) [21:45:54:819]: Note: 1: 2203 2: C:\Windows\Installer\inprogressinstallinfo.ipi 3: -2147287038
MSI (s) (08:74) [21:45:54:819]: SRSetRestorePoint skipped for this transaction.
MSI (s) (08:74) [21:45:54:819]: Note: 1: 2203 2: C:\Windows\Installer\inprogressinstallinfo.ipi 3: -2147287038
MSI (s) (08:74) [21:45:54:819]: Server not locked: locking for product {DF33D195-E8F2-4AA7-89B2-BE2B97069333}
Action start 21:45:54: InstallInitialize.
MSI (s) (08:74) [21:45:54:819]: Doing action: InstallCustomAction
MSI (s) (08:74) [21:45:54:819]: Note: 1: 2205 2: 3: ActionText
Action ended 21:45:54: InstallInitialize. Return value 1.
MSI (s) (08:74) [21:45:54:929]: Invoking remote custom action. DLL: C:\Windows\Installer\MSI4C07.tmp, Entrypoint: Install
MSI (s) (08:7C) [21:45:54:929]: Generating random cookie.
MSI (s) (08:7C) [21:45:54:944]: Created Custom Action Server with PID 8032 (0x1F60).
MSI (s) (08:58) [21:45:55:025]: Running as a service.
MSI (s) (08:58) [21:45:55:035]: Hello, I'm your 64bit Impersonated custom action server.
Action start 21:45:54: InstallCustomAction.
SFXCA: Extracting custom action to temporary directory: C:\Windows\Installer\MSI4C07.tmp-\
SFXCA: Binding to CLR version v4.0.30319
Calling custom action Microsoft.Tri.Sensor.Deployment.Package.Actions!Microsoft.Tri.Sensor.Deployment.Package.Actions.CustomActions.Install
2024-11-12 20:45:58.1401 Debug CustomActions RunActionGroup InstallActionGroup started
2024-11-12 20:45:58.1714 Debug InstallActionGroup Apply started
2024-11-12 20:45:58.1714 Debug CreateDirectoryDeploymentAction Apply started [suppressFailure=False]
2024-11-12 20:45:58.1714 Debug CreateDirectoryDeploymentAction Apply finished
2024-11-12 20:45:58.1714 Debug DownloadMinorDeploymentPackageBytesAction Apply started [suppressFailure=False]
2024-11-12 20:46:01.6873 Debug DownloadMinorDeploymentPackageBytesAction Apply finished
2024-11-12 20:46:01.6873 Debug UnpackDeploymentPackageBytesAction Apply started [suppressFailure=False]
2024-11-12 20:46:03.7628 Debug UnpackDeploymentPackageBytesAction Apply finished
2024-11-12 20:46:03.8566 Debug RunDeployerMajorDeploymentAction Apply started [suppressFailure=False]
2024-11-12 20:46:03.8817 Info RunDeployerMajorDeploymentAction ApplyInternal started [filePath=P3HzAbwBceDUmJ8wG4vFPA== _arguments=T4sYPoIz64FeLb4UnM4vNA==]
2024-11-12 20:46:09.3752 Info RunDeployerMajorDeploymentAction ApplyInternal finished [isSuccessful=False]
2024-11-12 20:46:09.3908 Debug InstallActionGroup Revert started
2024-11-12 20:46:09.3908 Warn InstallActionGroup Revert reverting [rollbackAction=UnpackDeploymentPackageBytesAction index=0 count=3]
2024-11-12 20:46:09.3908 Debug UnpackDeploymentPackageBytesAction Revert started
2024-11-12 20:46:09.4636 Debug UnpackDeploymentPackageBytesAction Revert finished
2024-11-12 20:46:09.4656 Warn InstallActionGroup Revert reverting [rollbackAction=DownloadMinorDeploymentPackageBytesAction index=1 count=3]
2024-11-12 20:46:09.4666 Debug DownloadMinorDeploymentPackageBytesAction Revert started
2024-11-12 20:46:09.4676 Debug DownloadMinorDeploymentPackageBytesAction Revert finished
2024-11-12 20:46:09.4686 Warn InstallActionGroup Revert reverting [rollbackAction=CreateDirectoryDeploymentAction index=2 count=3]
2024-11-12 20:46:09.4706 Debug CreateDirectoryDeploymentAction Revert started
2024-11-12 20:46:09.4716 Debug CreateDirectoryDeploymentAction Revert finished
2024-11-12 20:46:09.4726 Debug InstallActionGroup Revert finished
2024-11-12 20:46:09.4907 Error DeploymentAction Failed to apply InstallActionGroup
Microsoft.Tri.Infrastructure.ExtendedException: Apply failed [Type=RunDeployerMajorDeploymentAction]
at Microsoft.Tri.Sensor.Common.DeploymentAction.Apply(Boolean suppressFailure)
at Microsoft.Tri.Sensor.Common.DeploymentActionGroup.Apply(Boolean suppressFailure)
at Microsoft.Tri.Sensor.Deployment.Package.Actions.CustomActions.RunActionGroup(DeploymentActionGroup deploymentActionGroup, Session session)
2024-11-12 20:46:09.4907 Debug CustomActions RunActionGroup InstallActionGroup finished [result=Failure]
CustomAction InstallCustomAction returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
MSI (s) (08:74) [21:46:09:662]: Note: 1: 2265 2: 3: -2147287035
MSI (s) (08:74) [21:46:09:693]: Machine policy value 'DisableRollback' is 0
MSI (s) (08:74) [21:46:09:693]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
Action ended 21:46:09: InstallCustomAction. Return value 3.
MSI (s) (08:74) [21:46:09:693]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (08:74) [21:46:09:693]: No System Restore sequence number for this installation.
MSI (s) (08:74) [21:46:09:693]: Unlocking Server
Action ended 21:46:09: INSTALL. Return value 3.
Property(S): UpgradeCode = {EDFB49E0-16FA-4535-B268-BD1B81B15DC2}
Property(S): TARGETDIR = C:\
Property(S): ALLUSERS = 1
Property(S): Manufacturer = Microsoft Corporation
Property(S): ProductCode = {DF33D195-E8F2-4AA7-89B2-BE2B97069333}
Property(S): ProductLanguage = 1033
Property(S): ProductName = Azure Advanced Threat Protection Sensor
Property(S): ProductVersion = 2.240.18319.21975
Property(S): SecureCustomProperties = WIX_DOWNGRADE_DETECTED;WIX_UPGRADE_DETECTED
Property(S): MsiHiddenProperties = ACCESSKEY;PROXYCONFIGURATION
Property(S): MsiLogFileLocation = C:\Users\\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20241112214452_000_MsiPackage.log
Property(S): PackageCode = {BBAD208E-F5BC-48CB-8E78-310DB24A4232}
Property(S): ProductState = -1
Property(S): PackagecodeChanging = 1
Property(S): ARPSYSTEMCOMPONENT = 1
Property(S): MSIFASTINSTALL = 7
Property(S): ACCESSKEY = **********
Property(S): INSTALLATIONPATH = C:\Program Files\Azure Advanced Threat Protection Sensor
Property(S): WIXBUNDLEORIGINALSOURCEFOLDER = C:\temp\GLB-C-DefenderForIdentitySensor\
Property(S): REBOOT = ReallySuppress
Property(S): CURRENTDIRECTORY = C:\temp\GLB-C-DefenderForIdentitySensor
Property(S): CLIENTUILEVEL = 3
Property(S): MSICLIENTUSESEXTERNALUI = 1
Property(S): CLIENTPROCESSID = 6720
Property(S): MsiSystemRebootPending = 1
Property(S): VersionDatabase = 500
Property(S): VersionMsi = 5.00
Property(S): VersionNT = 603
Property(S): VersionNT64 = 603
Property(S): WindowsBuild = 9600
Property(S): ServicePackLevel = 0
Property(S): ServicePackLevelMinor = 0
Property(S): MsiNTProductType = 2
Property(S): MsiNTSuiteDataCenter = 1
Property(S): WindowsFolder = C:\Windows\
Property(S): WindowsVolume = C:\
Property(S): System64Folder = C:\Windows\system32\
Property(S): SystemFolder = C:\Windows\SysWOW64\
Property(S): RemoteAdminTS = 1
Property(S): TempFolder = C:\Users\\AppData\Local\Temp\
Property(S): ProgramFilesFolder = C:\Program Files (x86)\
Property(S): CommonFilesFolder = C:\Program Files (x86)\Common Files\
Property(S): ProgramFiles64Folder = C:\Program Files\
Property(S): CommonFiles64Folder = C:\Program Files\Common Files\
Property(S): AppDataFolder = C:\Users\\AppData\Roaming\
Property(S): FavoritesFolder = C:\Users\\Favorites\
Property(S): NetHoodFolder = C:\Users\\AppData\Roaming\Microsoft\Windows\Network Shortcuts\
Property(S): PersonalFolder = C:\Users\\Documents\
Property(S): PrintHoodFolder = C:\Users\\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\
Property(S): RecentFolder = C:\Users\\AppData\Roaming\Microsoft\Windows\Recent\
Property(S): SendToFolder = C:\Users\\AppData\Roaming\Microsoft\Windows\SendTo\
Property(S): TemplateFolder = C:\ProgramData\Microsoft\Windows\Templates\
Property(S): CommonAppDataFolder = C:\ProgramData\
Property(S): LocalAppDataFolder = C:\Users\\AppData\Local\
Property(S): MyPicturesFolder = C:\Users\\Pictures\
Property(S): AdminToolsFolder = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\
Property(S): StartupFolder = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Property(S): ProgramMenuFolder = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\
Property(S): StartMenuFolder = C:\ProgramData\Microsoft\Windows\Start Menu\
Property(S): DesktopFolder = C:\Users\Public\Desktop\
Property(S): FontsFolder = C:\Windows\Fonts\
Property(S): GPTSupport = 1
Property(S): OLEAdvtSupport = 1
Property(S): ShellAdvtSupport = 1
Property(S): MsiAMD64 = 6
Property(S): Msix64 = 6
Property(S): Intel = 6
Property(S): PhysicalMemory = 12288
Property(S): VirtualMemory = 8279
Property(S): AdminUser = 1
Property(S): MsiTrueAdminUser = 1
Property(S): LogonUser =
Property(S): UserSID = S-1-5-21-4037986163-3075043171-3260184774-163117
Property(S): UserLanguageID = 1053
Property(S): ComputerName = ZMDC07
Property(S): SystemLanguageID = 1053
Property(S): ScreenX = 1024
Property(S): ScreenY = 768
Property(S): CaptionHeight = 23
Property(S): BorderTop = 1
Property(S): BorderSide = 1
Property(S): MsiTabletPC = 1
Property(S): TextHeight = 16
Property(S): TextInternalLeading = 3
Property(S): ColorBits = 32
Property(S): TTCSupport = 1
Property(S): Time = 21:46:09
Property(S): Date = 2024-11-12
Property(S): MsiNetAssemblySupport = 4.8.3761.0
Property(S): MsiWin32AssemblySupport = 6.3.14393.5786
Property(S): RedirectedDllSupport = 2
Property(S): MsiRunningElevated = 1
Property(S): Privileged = 1
Property(S): USERNAME = Mining
Property(S): COMPANYNAME = Mining
Property(S): DATABASE = C:\Windows\Installer\8ce8692f.msi
Property(S): OriginalDatabase = C:\ProgramData\Package Cache\{DF33D195-E8F2-4AA7-89B2-BE2B97069333}v2.240.18319.21975\Microsoft.Tri.Sensor.Deployment.Package.msi
Property(S): UILevel = 2
Property(S): MsiUISourceResOnly = 1
Property(S): ACTION = INSTALL
Property(S): ROOTDRIVE = C:\
Property(S): CostingComplete = 1
Property(S): OutOfDiskSpace = 0
Property(S): OutOfNoRbDiskSpace = 0
Property(S): PrimaryVolumeSpaceAvailable = 0
Property(S): PrimaryVolumeSpaceRequired = 0
Property(S): PrimaryVolumeSpaceRemaining = 0
Property(S): INSTALLLEVEL = 1
MSI (s) (08:74) [21:46:09:756]: Note: 1: 1708
MSI (s) (08:74) [21:46:09:756]: Note: 1: 2205 2: 3: Error
MSI (s) (08:74) [21:46:09:756]: Note: 1: 2228 2: 3: Error 4: SELECT `Message` FROM `Error` WHERE `Error` = 1708
MSI (s) (08:74) [21:46:09:756]: Note: 1: 2205 2: 3: Error
MSI (s) (08:74) [21:46:09:756]: Note: 1: 2228 2: 3: Error 4: SELECT `Message` FROM `Error` WHERE `Error` = 1709
MSI (s) (08:74) [21:46:09:756]: Product: Azure Advanced Threat Protection Sensor -- Installation failed.MSI (s) (08:74) [21:46:09:756]: Windows Installer installed the product. Product Name: Azure Advanced Threat Protection Sensor. Product Version: 2.240.18319.21975. Product Language: 1033. Manufacturer: Microsoft Corporation. Installation success or error status: 1603.
MSI (s) (08:74) [21:46:09:772]: Deferring clean up of packages/files, if any exist
MSI (s) (08:74) [21:46:09:772]: MainEngineThread is returning 1603
MSI (s) (08:A0) [21:46:09:772]: RESTART MANAGER: Session closed.
MSI (s) (08:A0) [21:46:09:772]: No System Restore sequence number for this installation.
=== Logging stopped: 2024-11-12 21:46:09 ===
MSI (s) (08:A0) [21:46:09:787]: User policy value 'DisableRollback' is 0
MSI (s) (08:A0) [21:46:09:787]: Machine policy value 'DisableRollback' is 0
MSI (s) (08:A0) [21:46:09:787]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (08:A0) [21:46:09:787]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (08:A0) [21:46:09:787]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (08:A0) [21:46:09:803]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
MSI (s) (08:A0) [21:46:09:803]: Destroying RemoteAPI object.
MSI (s) (08:7C) [21:46:09:803]: Custom Action Manager thread ending.
MSI (c) (40:B0) [21:46:09:803]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
MSI (c) (40:B0) [21:46:09:803]: MainEngineThread is returning 1603
=== Verbose logging stopped: 2024-11-12 21:46:09 ===- EliOfekMicrosoft
This will require the deployer logs. the answer on what broke this time should be there.
I think that it's better at this point to contact support to help you do a "manual cleanup" to make sure you reinstall without any leftovers that might block you.