RyanP1895
Nov 12, 2024

Defender for Identity updated itself, now it won't start

I had Defender for Identity 2.240.18218.5822 working on my DCs for several weeks. Then on September 24th 2024, the ATP sensors auto-updated themselves to 2.240.18224.34815.

Now about half of them won't start anymore and logs are no longer being produced in the Logs folders:

No new logs produced in:

C:\Program Files\Azure Advanced Threat Protection Sensor\2.240.18218.5822\Logs

No Logs folder exists in:

C:\Program Files\Azure Advanced Threat Protection Sensor\2.240.18224.34815

This is the error when the service tries to start.

In the event log:

The Azure Advanced Threat Protection Sensor Updater service terminated unexpectedly.  It has done this 303511 time(s).  The following corrective action will be taken in 5000 milliseconds: Restart the service.

I tried manually uninstalling and reinstalling on some of the servers but this has not worked.

  • Is the updater binary in place as defined in its service definition?
    We need to find out what is holding the sensor updater from starting.
    Uninstall/reinstall failed where reinstall failed or just that the service couldn't start?
    Maybe check the performance counters like with the previous case? Maybe it's related.
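
The checks asked for in this reply (is the updater binary where its service definition says it is, and what state is the service in), written out as an added read-only PowerShell example that is not part of the thread. The display name and install path are the ones quoted in the original post; the one-hour look-back window and the function name are assumptions.

```powershell
# Added example: read-only triage of the sensor updater service on one DC.
# Run in an elevated PowerShell session on the affected domain controller.
# Display name and install root are taken from the post above.
$displayName = 'Azure Advanced Threat Protection Sensor Updater'
$installRoot = 'C:\Program Files\Azure Advanced Threat Protection Sensor'
$lookBack    = (Get-Date).AddHours(-1)   # assumption: one hour is enough to see the crash loop

function Get-ServiceExecutablePath {
    # Hypothetical helper: pull the .exe out of a service PathName,
    # which may be quoted and may carry arguments ("C:\a b\x.exe" -arg).
    param([string]$PathName)
    if ($PathName -match '^\s*"([^"]+)"')      { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)\b')   { return $Matches[1] }
    return $PathName.Trim()
}

# 1. Service definition versus what is actually on disk.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName='$displayName'"
if (-not $svc) {
    Write-Warning "No service with display name '$displayName' is registered."
} else {
    $exe    = Get-ServiceExecutablePath -PathName $svc.PathName
    $exists = Test-Path -LiteralPath $exe -PathType Leaf
    [pscustomobject]@{
        Name         = $svc.Name
        State        = $svc.State
        StartMode    = $svc.StartMode
        ExitCode     = $svc.ExitCode
        BinaryPath   = $exe
        BinaryExists = $exists
        FileVersion  = if ($exists) { (Get-Item -LiteralPath $exe).VersionInfo.FileVersion } else { $null }
    } | Format-List
}

# 2. Version folders under the install root: which ones have a Logs folder,
#    and when was the newest log in each last written?
Get-ChildItem -LiteralPath $installRoot -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^\d+(\.\d+){3}$' } |
    ForEach-Object {
        $logs   = Join-Path $_.FullName 'Logs'
        $newest = if (Test-Path -LiteralPath $logs) {
            Get-ChildItem -LiteralPath $logs -File |
                Sort-Object LastWriteTime -Descending |
                Select-Object -First 1
        }
        [pscustomobject]@{
            Version          = $_.Name
            HasLogsFolder    = [bool](Test-Path -LiteralPath $logs)
            NewestLog        = $newest.Name
            NewestLogWritten = $newest.LastWriteTime
        }
    } | Format-Table -AutoSize

# 3. Service Control Manager event 7031 ("terminated unexpectedly ... corrective
#    action will be taken") for this service within the look-back window.
$crashes = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7031
        StartTime    = $lookBack
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$displayName*" }

[pscustomobject]@{
    CrashEventsSince = $lookBack
    CrashEventCount  = @($crashes).Count
    LatestCrash      = ($crashes | Select-Object -First 1).TimeCreated
} | Format-List
```

A `BinaryExists` of `False`, or a `BinaryPath` that points into a version folder missing from the second table, answers the first question in the reply directly.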

    • RyanP1895

      Hi again. I was really hoping that the problem on all of my devices was the missing counter from the other case. However, it isn't that, unfortunately.

      I have several DCs and have tried a few different things on each. Here is the result of the uninstall on one of my DCs.

      Uninstall the sensor from affected DC - fail to uninstall BUT the uninstall does produce logs as below

      Azure Advanced Threat Protection Sensor_20241112203019.log

      [1F74:1B10][2024-11-12T20:30:18]i001: Burn v3.11.2.4516, Windows v10.0 (Build 14393: Service Pack 0), path: C:\ProgramData\Package Cache\{bbfc6df4-0b62-4ffe-bd96-c0b5393142e9}\Azure ATP Sensor Setup.exe
      [1F74:1B10][2024-11-12T20:30:18]i000: Initializing hidden variable 'AccessKey'
      [1F74:1B10][2024-11-12T20:30:18]i000: Initializing hidden variable 'ProxyConfiguration'
      [1F74:1B10][2024-11-12T20:30:18]i000: Initializing hidden variable 'ProxyUserPassword'
      [1F74:1B10][2024-11-12T20:30:18]i000: Initializing string variable 'NetFrameworkCommandLineArguments' to value '/passive /showrmui'
      [1F74:1B10][2024-11-12T20:30:18]i009: Command Line: '"-burn.clean.room=C:\ProgramData\Package Cache\{bbfc6df4-0b62-4ffe-bd96-c0b5393142e9}\Azure ATP Sensor Setup.exe" -burn.filehandle.attached=496 -burn.filehandle.self=508 /uninstall'
      [1F74:1B10][2024-11-12T20:30:19]i000: Setting string variable 'WixBundleLog' to value 'C:\Users\v-\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20241112203019.log'
      [1F74:1B10][2024-11-12T20:30:19]i000: Setting string variable 'WixBundleManufacturer' to value 'Microsoft Corporation'
      [1F74:1B10][2024-11-12T20:30:19]i000: Loading managed bootstrapper application.
      [1F74:1B10][2024-11-12T20:30:20]i000: Creating BA thread to run asynchronously.
      [1F74:1B10][2024-11-12T20:30:20]i100: Detect begin, 5 packages
      [1F74:1B10][2024-11-12T20:30:20]i000: 2024-11-12 19:30:20.9305 Debug DeploymentModel DetectDeploymentAction DetectBegin [\[]Installed=True[\]]
      [1F74:1B10][2024-11-12T20:30:20]i000: Registry key not found. Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB4019990~31bf3856ad364e35~amd64~~6.1.1.2'
      [1F74:1B10][2024-11-12T20:30:20]i000: Setting numeric variable 'Kb4019990Windows2008R2Exists' to value 0
      [1F74:1B10][2024-11-12T20:30:20]i000: Registry key not found. Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB4019990~31bf3856ad364e35~amd64~~6.2.1.1'
      [1F74:1B10][2024-11-12T20:30:20]i000: Setting numeric variable 'Kb4019990Windows2012Exists' to value 0
      [1F74:1B10][2024-11-12T20:30:20]i000: Setting string variable 'NetFrameworkRegistryValue' to value '528049'
      [1F74:1B10][2024-11-12T20:30:20]i000: Setting string variable 'ServerLevelsServerCoreRegistryValue' to value '1'
      [1F74:1B10][2024-11-12T20:30:20]i000: Setting string variable 'ServerLevelsServerGuiShellRegistryValue' to value '1'
      [1F74:1B10][2024-11-12T20:30:20]i052: Condition 'Kb4019990Windows2008R2Exists' evaluates to false.
      [1F74:1B10][2024-11-12T20:30:20]i052: Condition 'Kb4019990Windows2012Exists' evaluates to false.
      [1F74:1B10][2024-11-12T20:30:20]i052: Condition 'NetFrameworkRegistryValue >= 460798' evaluates to true.
      [1F74:1B10][2024-11-12T20:30:20]i052: Condition 'NetFrameworkRegistryValue >= 460798' evaluates to true.
      [1F74:1B10][2024-11-12T20:30:20]i101: Detected package: Kb4019990Windows2008R2Package, state: Absent, cached: None
      [1F74:1B10][2024-11-12T20:30:20]i101: Detected package: Kb4019990Windows2012Package, state: Absent, cached: None
      [1F74:1B10][2024-11-12T20:30:20]i101: Detected package: NetFrameworkPackageServer, state: Present, cached: None
      [1F74:1B10][2024-11-12T20:30:20]i101: Detected package: NetFrameworkPackageServerCore, state: Present, cached: None
      [1F74:1B10][2024-11-12T20:30:20]i101: Detected package: MsiPackage, state: Present, cached: Complete
      [1F74:1B10][2024-11-12T20:30:20]i199: Detect complete, result: 0x0
      [1F74:1CD4][2024-11-12T20:30:20]i000: 2024-11-12 19:30:20.9461 Debug DeploymentModel .ctor [\[]DeploymentAction=Uninstall[\]]
      [1F74:1CD4][2024-11-12T20:30:20]i000: 2024-11-12 19:30:20.9461 Debug DeploymentModel .ctor [\[]IsAfterRestartAndConfigured=False[\]]
      [1F74:1CD4][2024-11-12T20:30:21]i000: 2024-11-12 19:30:21.3886 Debug ServiceControllerExtension GetServiceCommandLine [\[]BinaryPathName=ges/h1ktx3zGBYyU1AWznQ==[\]]
      [1F74:1CD4][2024-11-12T20:30:21]i000: 2024-11-12 19:30:21.4306 Debug ServiceControllerExtension GetServiceCommandLine [\[]BinaryPathName=ges/h1ktx3zGBYyU1AWznQ==[\]]
      [1F74:1CD4][2024-11-12T20:30:24]i000: Setting string variable 'IsConfigured' to value 'True'
      [1F74:1B10][2024-11-12T20:30:24]i200: Plan begin, 5 packages, action: Uninstall
      [1F74:1B10][2024-11-12T20:30:24]i000: Setting string variable 'WixBundleRollbackLog_MsiPackage' to value 'C:\Users\\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20241112203019_000_MsiPackage_rollback.log'
      [1F74:1B10][2024-11-12T20:30:24]i000: Setting string variable 'WixBundleLog_MsiPackage' to value 'C:\Users\\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20241112203019_000_MsiPackage.log'
      [1F74:1B10][2024-11-12T20:30:24]w321: Skipping dependency registration on package with no dependency providers: NetFrameworkPackageServerCore
      [1F74:1B10][2024-11-12T20:30:24]w321: Skipping dependency registration on package with no dependency providers: NetFrameworkPackageServer
      [1F74:1B10][2024-11-12T20:30:24]w321: Skipping dependency registration on package with no dependency providers: Kb4019990Windows2012Package
      [1F74:1B10][2024-11-12T20:30:24]w321: Skipping dependency registration on package with no dependency providers: Kb4019990Windows2008R2Package
      [1F74:1B10][2024-11-12T20:30:24]i201: Planned package: MsiPackage, state: Present, default requested: Absent, ba requested: Absent, execute: Uninstall, rollback: Install, cache: No, uncache: Yes, dependency: Unregister
      [1F74:1B10][2024-11-12T20:30:24]i201: Planned package: NetFrameworkPackageServerCore, state: Present, default requested: None, ba requested: None, execute: None, rollback: None, cache: No, uncache: No, dependency: None
      [1F74:1B10][2024-11-12T20:30:24]i201: Planned package: NetFrameworkPackageServer, state: Present, default requested: None, ba requested: None, execute: None, rollback: None, cache: No, uncache: No, dependency: None
      [1F74:1B10][2024-11-12T20:30:24]i201: Planned package: Kb4019990Windows2012Package, state: Absent, default requested: None, ba requested: None, execute: None, rollback: None, cache: No, uncache: No, dependency: None
      [1F74:1B10][2024-11-12T20:30:24]i201: Planned package: Kb4019990Windows2008R2Package, state: Absent, default requested: None, ba requested: None, execute: None, rollback: None, cache: No, uncache: No, dependency: None
      [1F74:1B10][2024-11-12T20:30:24]i299: Plan complete, result: 0x0
      [1F74:1B10][2024-11-12T20:30:24]i300: Apply begin
      [1F74:1B10][2024-11-12T20:30:24]i010: Launching elevated engine process.
      [1F74:1B10][2024-11-12T20:30:24]i011: Launched elevated engine process.
      [1F74:1B10][2024-11-12T20:30:24]i012: Connected to elevated engine.
      [0DF4:1AC4][2024-11-12T20:30:24]i358: Pausing automatic updates.
      [0DF4:1AC4][2024-11-12T20:30:24]i359: Paused automatic updates.
      [0DF4:1AC4][2024-11-12T20:30:24]i360: Creating a system restore point.
      [0DF4:1AC4][2024-11-12T20:30:24]i362: System restore disabled, system restore point not created.
      [0DF4:1AC4][2024-11-12T20:30:24]i371: Updating session, registration key: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{bbfc6df4-0b62-4ffe-bd96-c0b5393142e9}, resume: Active, restart initiated: No, disable resume: No
      [0DF4:1AC4][2024-11-12T20:30:24]i326: Removed dependency: {bbfc6df4-0b62-4ffe-bd96-c0b5393142e9} on package provider: {4DCC771E-B333-439A-80C5-7BDB9049784A}, package MsiPackage
      [0DF4:1AC4][2024-11-12T20:30:24]i329: Removed package dependency provider: {4DCC771E-B333-439A-80C5-7BDB9049784A}, package: MsiPackage
      [0DF4:1AC4][2024-11-12T20:30:24]i301: Applying execute package: MsiPackage, action: Uninstall, path: (null), arguments: ' ARPSYSTEMCOMPONENT="1" MSIFASTINSTALL="7" ACCESSKEY="*****" DelayedUpdate="" InstallationPath="C:\Program Files\Azure Advanced Threat Protection Sensor" InstalledVersion="" LogsPath="" PROXYCONFIGURATION="*****" WixBundleOriginalSourceFolder="\\lundinmining.local\NETLOGON\GLB-C-DefenderForIdentitySensor\"'
      [0DF4:1AC4][2024-11-12T20:30:29]e000: Error 0x80070643: Failed to uninstall MSI package.
      [0DF4:1AC4][2024-11-12T20:30:29]e000: Error 0x80070643: Failed to execute MSI package.
      [1F74:1B10][2024-11-12T20:30:29]e000: Error 0x80070643: Failed to configure per-machine MSI package.
      [1F74:1B10][2024-11-12T20:30:29]i000: 2024-11-12 19:30:29.2631 Error Model LogError [\[]methodName=BootstrapperApplication_ExecutePackageComplete status=-2147023293 exception=[\]]
      [1F74:1B10][2024-11-12T20:30:29]i319: Applied execute package: MsiPackage, result: 0x80070643, restart: None
      [1F74:1B10][2024-11-12T20:30:29]e000: Error 0x80070643: Failed to execute MSI package.
      [0DF4:1AC4][2024-11-12T20:30:29]i318: Skipped rollback of package: MsiPackage, action: Install, already: Present
      [1F74:1B10][2024-11-12T20:30:29]i319: Applied rollback package: MsiPackage, result: 0x0, restart: None
      [0DF4:1AC4][2024-11-12T20:30:29]i323: Registering package dependency provider: {4DCC771E-B333-439A-80C5-7BDB9049784A}, version: 2.239.18066.19147, package: MsiPackage
      [0DF4:1AC4][2024-11-12T20:30:29]i325: Registering dependency: {bbfc6df4-0b62-4ffe-bd96-c0b5393142e9} on package provider: {4DCC771E-B333-439A-80C5-7BDB9049784A}, package: MsiPackage
      [0DF4:1AC4][2024-11-12T20:30:29]i372: Session end, registration key: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{bbfc6df4-0b62-4ffe-bd96-c0b5393142e9}, resume: ARP, restart: None, disable resume: No
      [0DF4:1AC4][2024-11-12T20:30:29]i371: Updating session, registration key: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{bbfc6df4-0b62-4ffe-bd96-c0b5393142e9}, resume: ARP, restart initiated: No, disable resume: No
      [1F74:1B10][2024-11-12T20:30:29]i399: Apply complete, result: 0x80070643, restart: None, ba requested restart:  No

      Azure Advanced Threat Protection Sensor_20241112203019_000_MsiPackage.log

      === Verbose logging started: 2024-11-12  20:30:24  Build type: SHIP UNICODE 5.00.10011.00  Calling process: C:\ProgramData\Package Cache\{bbfc6df4-0b62-4ffe-bd96-c0b5393142e9}\Azure ATP Sensor Setup.exe ===
      MSI (c) (F4:44) [20:30:24:726]: Resetting cached policy values
      MSI (c) (F4:44) [20:30:24:726]: Machine policy value 'Debug' is 0
      MSI (c) (F4:44) [20:30:24:726]: ******* RunEngine:
                 ******* Product: {4DCC771E-B333-439A-80C5-7BDB9049784A}
                 ******* Action: 
                 ******* CommandLine: **********
      MSI (c) (F4:44) [20:30:24:726]: Client-side and UI is none or basic: Running entire install on the server.
      MSI (c) (F4:44) [20:30:24:726]: Grabbed execution mutex.
      MSI (c) (F4:44) [20:30:25:065]: Cloaking enabled.
      MSI (c) (F4:44) [20:30:25:065]: Attempting to enable all disabled privileges before calling Install on Server
      MSI (c) (F4:44) [20:30:25:066]: Incrementing counter to disable shutdown. Counter after increment: 0
      MSI (s) (CC:AC) [20:30:25:082]: Running installation inside multi-package transaction {4DCC771E-B333-439A-80C5-7BDB9049784A}
      MSI (s) (CC:AC) [20:30:25:082]: Grabbed execution mutex.
      MSI (s) (CC:24) [20:30:25:082]: Resetting cached policy values
      MSI (s) (CC:24) [20:30:25:082]: Machine policy value 'Debug' is 0
      MSI (s) (CC:24) [20:30:25:082]: ******* RunEngine:
                 ******* Product: {4DCC771E-B333-439A-80C5-7BDB9049784A}
                 ******* Action: 
                 ******* CommandLine: **********
      MSI (s) (CC:24) [20:30:25:082]: Machine policy value 'DisableUserInstalls' is 0
      MSI (s) (CC:24) [20:30:25:082]: Note: 1: 2203 2: C:\Windows\Installer\inprogressinstallinfo.ipi 3: -2147287038 
      MSI (s) (CC:24) [20:30:25:097]: SRSetRestorePoint skipped for this transaction.
      MSI (s) (CC:24) [20:30:25:097]: MSCOREE not loaded loading copy from system32
      MSI (s) (CC:24) [20:30:25:113]: End dialog not enabled
      MSI (s) (CC:24) [20:30:25:113]: Original package ==> C:\Windows\Installer\35567.msi
      MSI (s) (CC:24) [20:30:25:113]: Package we're running from ==> C:\Windows\Installer\35567.msi
      MSI (s) (CC:24) [20:30:25:113]: APPCOMPAT: Uninstall Flags override found.
      MSI (s) (CC:24) [20:30:25:129]: APPCOMPAT: Uninstall VersionNT override found.
      MSI (s) (CC:24) [20:30:25:129]: APPCOMPAT: Uninstall ServicePackLevel override found.
      MSI (s) (CC:24) [20:30:25:129]: APPCOMPAT: looking for appcompat database entry with ProductCode '{4DCC771E-B333-439A-80C5-7BDB9049784A}'.
      MSI (s) (CC:24) [20:30:25:129]: APPCOMPAT: no matching ProductCode found in database.
      MSI (s) (CC:24) [20:30:25:129]: Note: 1: 2205 2:  3: MsiFileHash 
      MSI (s) (CC:24) [20:30:25:129]: Machine policy value 'DisablePatch' is 0
      MSI (s) (CC:24) [20:30:25:129]: Machine policy value 'AllowLockdownPatch' is 0
      MSI (s) (CC:24) [20:30:25:129]: Machine policy value 'DisableLUAPatching' is 0
      MSI (s) (CC:24) [20:30:25:129]: Machine policy value 'DisableFlyWeightPatching' is 0
      MSI (s) (CC:24) [20:30:25:129]: APPCOMPAT: looking for appcompat database entry with ProductCode '{4DCC771E-B333-439A-80C5-7BDB9049784A}'.
      MSI (s) (CC:24) [20:30:25:129]: APPCOMPAT: no matching ProductCode found in database.
      MSI (s) (CC:24) [20:30:25:129]: Transforms are not secure.
      MSI (s) (CC:24) [20:30:25:129]: Note: 1: 2205 2:  3: Control 
      MSI (s) (CC:24) [20:30:25:129]: PROPERTY CHANGE: Adding MsiLogFileLocation property. Its value is 'C:\Users\\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20241112203019_000_MsiPackage.log'.
      MSI (s) (CC:24) [20:30:25:129]: Command Line: ARPSYSTEMCOMPONENT=1 MSIFASTINSTALL=7 ACCESSKEY=********** DelayedUpdate= InstallationPath=C:\Program Files\Azure Advanced Threat Protection Sensor InstalledVersion= LogsPath= PROXYCONFIGURATION=********** WixBundleOriginalSourceFolder=\\lundinmining.local\NETLOGON\GLB-C-DefenderForIdentitySensor\ REBOOT=ReallySuppress IGNOREDEPENDENCIES=ALL REMOVE=ALL CURRENTDIRECTORY=C:\Windows\system32 CLIENTUILEVEL=3 MSICLIENTUSESEXTERNALUI=1 CLIENTPROCESSID=3572 
      MSI (s) (CC:24) [20:30:25:129]: PROPERTY CHANGE: Adding PackageCode property. Its value is '{7B60B234-6673-4B70-9CC0-FB31351A5E65}'.
      MSI (s) (CC:24) [20:30:25:129]: Product Code passed to Engine.Initialize:           '{4DCC771E-B333-439A-80C5-7BDB9049784A}'
      MSI (s) (CC:24) [20:30:25:129]: Product Code from property table before transforms: '{4DCC771E-B333-439A-80C5-7BDB9049784A}'
      MSI (s) (CC:24) [20:30:25:129]: Product Code from property table after transforms:  '{4DCC771E-B333-439A-80C5-7BDB9049784A}'
      MSI (s) (CC:24) [20:30:25:129]: Product registered: entering maintenance mode
      MSI (s) (CC:24) [20:30:25:129]: Determined that existing product (either this product or the product being upgraded with a patch) is installed per-machine.
      MSI (s) (CC:24) [20:30:25:129]: Product {4DCC771E-B333-439A-80C5-7BDB9049784A} is admin assigned: LocalSystem owns the publish key.
      MSI (s) (CC:24) [20:30:25:129]: Product {4DCC771E-B333-439A-80C5-7BDB9049784A} is managed.
      MSI (s) (CC:24) [20:30:25:129]: MSI_LUA: Credential prompt not required, user is an admin
      MSI (s) (CC:24) [20:30:25:129]: PROPERTY CHANGE: Adding ProductState property. Its value is '5'.
      MSI (s) (CC:24) [20:30:25:129]: PROPERTY CHANGE: Adding ProductToBeRegistered property. Its value is '1'.
      MSI (s) (CC:24) [20:30:25:129]: Package name retrieved from configuration data: 'Microsoft.Tri.Sensor.Deployment.Package.msi'
      MSI (s) (CC:24) [20:30:25:129]: Note: 1: 2205 2:  3: Error 
      MSI (s) (CC:24) [20:30:25:129]: Note: 1: 2262 2: AdminProperties 3: -2147287038 
      MSI (s) (CC:24) [20:30:25:129]: Machine policy value 'DisableMsi' is 1
      MSI (s) (CC:24) [20:30:25:129]: Machine policy value 'AlwaysInstallElevated' is 0
      MSI (s) (CC:24) [20:30:25:129]: User policy value 'AlwaysInstallElevated' is 0
      MSI (s) (CC:24) [20:30:25:144]: Product {4DCC771E-B333-439A-80C5-7BDB9049784A} is admin assigned: LocalSystem owns the publish key.
      MSI (s) (CC:24) [20:30:25:144]: Product {4DCC771E-B333-439A-80C5-7BDB9049784A} is managed.
      MSI (s) (CC:24) [20:30:25:144]: Running product '{4DCC771E-B333-439A-80C5-7BDB9049784A}' with elevated privileges: Product is assigned.
      MSI (s) (CC:24) [20:30:25:144]: PROPERTY CHANGE: Adding ARPSYSTEMCOMPONENT property. Its value is '1'.
      MSI (s) (CC:24) [20:30:25:144]: PROPERTY CHANGE: Adding MSIFASTINSTALL property. Its value is '7'.
      MSI (s) (CC:24) [20:30:25:144]: PROPERTY CHANGE: Adding ACCESSKEY property. Its value is '**********'.
      MSI (s) (CC:24) [20:30:25:144]: PROPERTY CHANGE: Adding INSTALLATIONPATH property. Its value is 'C:\Program Files\Azure Advanced Threat Protection Sensor'.
      MSI (s) (CC:24) [20:30:25:144]: PROPERTY CHANGE: Adding WIXBUNDLEORIGINALSOURCEFOLDER property. Its value is '\\lundinmining.local\NETLOGON\GLB-C-DefenderForIdentitySensor\'.
      MSI (s) (CC:24) [20:30:25:144]: PROPERTY CHANGE: Adding REBOOT property. Its value is 'ReallySuppress'.
      MSI (s) (CC:24) [20:30:25:144]: PROPERTY CHANGE: Adding IGNOREDEPENDENCIES property. Its value is 'ALL'.
      MSI (s) (CC:24) [20:30:25:144]: PROPERTY CHANGE: Adding REMOVE property. Its value is 'ALL'.
      MSI (s) (CC:24) [20:30:25:144]: PROPERTY CHANGE: Adding CURRENTDIRECTORY property. Its value is 'C:\Windows\system32'.
      MSI (s) (CC:24) [20:30:25:144]: PROPERTY CHANGE: Adding CLIENTUILEVEL property. Its value is '3'.
      MSI (s) (CC:24) [20:30:25:144]: PROPERTY CHANGE: Adding MSICLIENTUSESEXTERNALUI property. Its value is '1'.
      MSI (s) (CC:24) [20:30:25:144]: PROPERTY CHANGE: Adding CLIENTPROCESSID property. Its value is '3572'.
      MSI (s) (CC:24) [20:30:25:144]: Machine policy value 'DisableAutomaticApplicationShutdown' is 0
      MSI (s) (CC:24) [20:30:25:144]: PROPERTY CHANGE: Adding MsiRestartManagerSessionKey property. Its value is '7d9eded80ce6114ca56753fa176eb123'.
      MSI (s) (CC:24) [20:30:25:144]: RESTART MANAGER: Session opened.
      MSI (s) (CC:24) [20:30:25:144]: PROPERTY CHANGE: Adding MsiSystemRebootPending property. Its value is '1'.
      MSI (s) (CC:24) [20:30:25:144]: TRANSFORMS property is now: 
      MSI (s) (CC:24) [20:30:25:144]: PROPERTY CHANGE: Adding PRODUCTLANGUAGE property. Its value is '1033'.
      MSI (s) (CC:24) [20:30:25:144]: PROPERTY CHANGE: Adding VersionDatabase property. Its value is '500'.
      MSI (s) (CC:24) [20:30:25:144]: SHELL32::SHGetFolderPath returned: C:\Users\\AppData\Roaming
      MSI (s) (CC:24) [20:30:25:144]: SHELL32::SHGetFolderPath returned: C:\Users\\Favorites
      MSI (s) (CC:24) [20:30:25:144]: SHELL32::SHGetFolderPath returned: C:\Users\\AppData\Roaming\Microsoft\Windows\Network Shortcuts
      MSI (s) (CC:24) [20:30:25:144]: SHELL32::SHGetFolderPath returned: C:\Users\\Documents
      MSI (s) (CC:24) [20:30:25:144]: SHELL32::SHGetFolderPath returned: C:\Users\v\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
      MSI (s) (CC:24) [20:30:25:144]: SHELL32::SHGetFolderPath returned: C:\Users\\AppData\Roaming\Microsoft\Windows\Recent
      MSI (s) (CC:24) [20:30:25:160]: SHELL32::SHGetFolderPath returned: C:\Users\\AppData\Roaming\Microsoft\Windows\SendTo
      MSI (s) (CC:24) [20:30:25:160]: SHELL32::SHGetFolderPath returned: C:\Users\\AppData\Roaming\Microsoft\Windows\Templates
      MSI (s) (CC:24) [20:30:25:160]: SHELL32::SHGetFolderPath returned: C:\ProgramData
      MSI (s) (CC:24) [20:30:25:160]: SHELL32::SHGetFolderPath returned: C:\Users\\AppData\Local
      MSI (s) (CC:24) [20:30:25:160]: SHELL32::SHGetFolderPath returned: C:\Users\\Pictures
      MSI (s) (CC:24) [20:30:25:160]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools
      MSI (s) (CC:24) [20:30:25:160]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
      MSI (s) (CC:24) [20:30:25:160]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs
      MSI (s) (CC:24) [20:30:25:160]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu
      MSI (s) (CC:24) [20:30:25:160]: SHELL32::SHGetFolderPath returned: C:\Users\Public\Desktop
      MSI (s) (CC:24) [20:30:25:160]: SHELL32::SHGetFolderPath returned: C:\Users\\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
      MSI (s) (CC:24) [20:30:25:175]: SHELL32::SHGetFolderPath returned: C:\Users\\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
      MSI (s) (CC:24) [20:30:25:175]: SHELL32::SHGetFolderPath returned: C:\Users\\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
      MSI (s) (CC:24) [20:30:25:175]: SHELL32::SHGetFolderPath returned: C:\Users\\AppData\Roaming\Microsoft\Windows\Start Menu
      MSI (s) (CC:24) [20:30:25:175]: SHELL32::SHGetFolderPath returned: C:\Users\\Desktop
      MSI (s) (CC:24) [20:30:25:175]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Templates
      MSI (s) (CC:24) [20:30:25:175]: SHELL32::SHGetFolderPath returned: C:\Windows\Fonts
      MSI (s) (CC:24) [20:30:25:175]: Note: 1: 2898 2: MS Sans Serif 3: MS Sans Serif 4: 0 5: 16 
      MSI (s) (CC:24) [20:30:25:175]: MSI_LUA: Setting AdminUser property to 1 because the product is already installed managed and per-machine
      MSI (s) (CC:24) [20:30:25:175]: MSI_LUA: Setting MsiRunningElevated property to 1 because the install is already running elevated.
      MSI (s) (CC:24) [20:30:25:175]: PROPERTY CHANGE: Adding MsiRunningElevated property. Its value is '1'.
      MSI (s) (CC:24) [20:30:25:175]: PROPERTY CHANGE: Adding Privileged property. Its value is '1'.
      MSI (s) (CC:24) [20:30:25:175]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info 3: 2 
      MSI (s) (CC:24) [20:30:25:175]: PROPERTY CHANGE: Adding USERNAME property. Its value is 'Lundin Mining'.
      MSI (s) (CC:24) [20:30:25:175]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info 3: 2 
      MSI (s) (CC:24) [20:30:25:175]: PROPERTY CHANGE: Adding COMPANYNAME property. Its value is 'Lundin Mining'.
      MSI (s) (CC:24) [20:30:25:175]: PROPERTY CHANGE: Adding Installed property. Its value is '00:00:00'.
      MSI (s) (CC:24) [20:30:25:175]: PROPERTY CHANGE: Adding DATABASE property. Its value is 'C:\Windows\Installer\35567.msi'.
      MSI (s) (CC:24) [20:30:25:175]: PROPERTY CHANGE: Adding OriginalDatabase property. Its value is 'C:\Windows\Installer\35567.msi'.
      MSI (s) (CC:24) [20:30:25:175]: Machine policy value 'MsiDisableEmbeddedUI' is 0
      MSI (s) (CC:24) [20:30:25:175]: EEUI - Disabling MsiEmbeddedUI due to existing external or embedded UI
      MSI (s) (CC:24) [20:30:25:175]: EEUI - Disabling MsiEmbeddedUI for service because it's not a quiet/basic install
      MSI (s) (CC:24) [20:30:25:175]: Note: 1: 2205 2:  3: PatchPackage 
      MSI (s) (CC:24) [20:30:25:175]: Machine policy value 'DisableRollback' is 0
      MSI (s) (CC:24) [20:30:25:175]: User policy value 'DisableRollback' is 0
      MSI (s) (CC:24) [20:30:25:175]: PROPERTY CHANGE: Adding UILevel property. Its value is '2'.
      MSI (s) (CC:24) [20:30:25:175]: PROPERTY CHANGE: Adding MsiUISourceResOnly property. Its value is '1'.
      === Logging started: 2024-11-12  20:30:25 ===
      MSI (s) (CC:24) [20:30:25:175]: Note: 1: 2203 2: C:\Windows\Installer\inprogressinstallinfo.ipi 3: -2147287038 
      MSI (s) (CC:24) [20:30:25:175]: PROPERTY CHANGE: Adding Preselected property. Its value is '1'.
      MSI (s) (CC:24) [20:30:25:175]: APPCOMPAT: [DetectVersionLaunchCondition] Launch condition already passes.
      MSI (s) (CC:24) [20:30:25:191]: PROPERTY CHANGE: Adding ACTION property. Its value is 'INSTALL'.
      MSI (s) (CC:24) [20:30:25:191]: Doing action: INSTALL
      MSI (s) (CC:24) [20:30:25:191]: Note: 1: 2205 2:  3: ActionText 
      Action start 20:30:25: INSTALL.
      MSI (s) (CC:24) [20:30:25:191]: Running ExecuteSequence
      MSI (s) (CC:24) [20:30:25:191]: Doing action: FindRelatedProducts
      MSI (s) (CC:24) [20:30:25:191]: Note: 1: 2205 2:  3: ActionText 
      MSI (s) (CC:24) [20:30:25:191]: Skipping FindRelatedProducts action: not run in maintenance mode
      Action start 20:30:25: FindRelatedProducts.
      MSI (s) (CC:24) [20:30:25:191]: Doing action: LaunchConditions
      MSI (s) (CC:24) [20:30:25:191]: Note: 1: 2205 2:  3: ActionText 
      Action ended 20:30:25: FindRelatedProducts. Return value 0.
      Action start 20:30:25: LaunchConditions.
      MSI (s) (CC:24) [20:30:25:191]: Doing action: ValidateProductID
      MSI (s) (CC:24) [20:30:25:191]: Note: 1: 2205 2:  3: ActionText 
      Action ended 20:30:25: LaunchConditions. Return value 1.
      Action start 20:30:25: ValidateProductID.
      MSI (s) (CC:24) [20:30:25:191]: Doing action: CostInitialize
      MSI (s) (CC:24) [20:30:25:191]: Note: 1: 2205 2:  3: ActionText 
      Action ended 20:30:25: ValidateProductID. Return value 1.
      MSI (s) (CC:24) [20:30:25:191]: Machine policy value 'MaxPatchCacheSize' is 10
      MSI (s) (CC:24) [20:30:25:191]: PROPERTY CHANGE: Adding ROOTDRIVE property. Its value is 'C:\'.
      MSI (s) (CC:24) [20:30:25:191]: PROPERTY CHANGE: Adding CostingComplete property. Its value is '0'.
      MSI (s) (CC:24) [20:30:25:191]: Note: 1: 2205 2:  3: Patch 
      MSI (s) (CC:24) [20:30:25:191]: Note: 1: 2205 2:  3: PatchPackage 
      MSI (s) (CC:24) [20:30:25:191]: Note: 1: 2205 2:  3: MsiPatchHeaders 
      MSI (s) (CC:24) [20:30:25:191]: Note: 1: 2205 2:  3: __MsiPatchFileList 
      MSI (s) (CC:24) [20:30:25:191]: Note: 1: 2205 2:  3: PatchPackage 
      MSI (s) (CC:24) [20:30:25:191]: Note: 1: 2228 2:  3: PatchPackage 4: SELECT `DiskId`, `PatchId`, `LastSequence` FROM `Media`, `PatchPackage` WHERE `Media`.`DiskId`=`PatchPackage`.`Media_` ORDER BY `DiskId`  
      MSI (s) (CC:24) [20:30:25:191]: Note: 1: 2205 2:  3: Patch 
      Action start 20:30:25: CostInitialize.
      MSI (s) (CC:24) [20:30:25:191]: Doing action: FileCost
      MSI (s) (CC:24) [20:30:25:191]: Note: 1: 2205 2:  3: ActionText 
      Action ended 20:30:25: CostInitialize. Return value 1.
      MSI (s) (CC:24) [20:30:25:191]: Note: 1: 2205 2:  3: MsiAssembly 
      Action start 20:30:25: FileCost.
      MSI (s) (CC:24) [20:30:25:191]: Doing action: CostFinalize
      MSI (s) (CC:24) [20:30:25:191]: Note: 1: 2205 2:  3: ActionText 
      Action ended 20:30:25: FileCost. Return value 1.
      MSI (s) (CC:24) [20:30:25:191]: PROPERTY CHANGE: Adding OutOfDiskSpace property. Its value is '0'.
      MSI (s) (CC:24) [20:30:25:191]: PROPERTY CHANGE: Adding OutOfNoRbDiskSpace property. Its value is '0'.
      MSI (s) (CC:24) [20:30:25:191]: PROPERTY CHANGE: Adding PrimaryVolumeSpaceAvailable property. Its value is '0'.
      MSI (s) (CC:24) [20:30:25:191]: PROPERTY CHANGE: Adding PrimaryVolumeSpaceRequired property. Its value is '0'.
      MSI (s) (CC:24) [20:30:25:191]: PROPERTY CHANGE: Adding PrimaryVolumeSpaceRemaining property. Its value is '0'.
      MSI (s) (CC:24) [20:30:25:191]: Note: 1: 2205 2:  3: MsiAssembly 
      MSI (s) (CC:24) [20:30:25:191]: Note: 1: 2228 2:  3: MsiAssembly 4:  SELECT `MsiAssembly`.`Attributes`, `MsiAssembly`.`File_Application`, `MsiAssembly`.`File_Manifest`,  `Component`.`KeyPath` FROM `MsiAssembly`, `Component` WHERE  `MsiAssembly`.`Component_` = `Component`.`Component` AND `MsiAssembly`.`Component_` = ? 
      MSI (s) (CC:24) [20:30:25:191]: PROPERTY CHANGE: Adding TARGETDIR property. Its value is 'C:'.
      MSI (s) (CC:24) [20:30:25:191]: Note: 1: 2205 2:  3: Patch 
      MSI (s) (CC:24) [20:30:25:191]: Note: 1: 2205 2:  3: Condition 
      MSI (s) (CC:24) [20:30:25:207]: PROPERTY CHANGE: Modifying TARGETDIR property. Its current value is 'C:'. Its new value: 'C:\'.
      MSI (s) (CC:24) [20:30:25:207]: Target path resolution complete. Dumping Directory table...
      MSI (s) (CC:24) [20:30:25:207]: Note: target paths subject to change (via custom actions or browsing)
      MSI (s) (CC:24) [20:30:25:207]: Dir (target): Key: TARGETDIR    , Object: C:\
      MSI (s) (CC:24) [20:30:25:207]: PROPERTY CHANGE: Adding INSTALLLEVEL property. Its value is '1'.
      Action start 20:30:25: CostFinalize.
      MSI (s) (CC:24) [20:30:25:207]: Doing action: MigrateFeatureStates
      MSI (s) (CC:24) [20:30:25:207]: Note: 1: 2205 2:  3: ActionText 
      Action ended 20:30:25: CostFinalize. Return value 1.
      MSI (s) (CC:24) [20:30:25:207]: Skipping MigrateFeatureStates action: not run in maintenance mode
      Action start 20:30:25: MigrateFeatureStates.
      MSI (s) (CC:24) [20:30:25:207]: Doing action: InstallValidate
      MSI (s) (CC:24) [20:30:25:207]: Note: 1: 2205 2:  3: ActionText 
      Action ended 20:30:25: MigrateFeatureStates. Return value 0.
      MSI (s) (CC:24) [20:30:25:207]: PROPERTY CHANGE: Deleting MsiRestartManagerSessionKey property. Its current value is '7d9eded80ce6114ca56753fa176eb123'.
      MSI (s) (CC:24) [20:30:25:207]: Note: 1: 2205 2:  3: Dialog 
      MSI (s) (CC:24) [20:30:25:207]: Feature: ProductFeature; Installed: Local;   Request: Absent;   Action: Absent
      MSI (s) (CC:24) [20:30:25:207]: Component: ProductComponent; Installed: Local;   Request: Absent;   Action: Absent
      MSI (s) (CC:24) [20:30:25:207]: Note: 1: 2205 2:  3: Registry 
      MSI (s) (CC:24) [20:30:25:207]: Note: 1: 2205 2:  3: BindImage 
      MSI (s) (CC:24) [20:30:25:207]: Note: 1: 2205 2:  3: ProgId 
      MSI (s) (CC:24) [20:30:25:207]: Note: 1: 2205 2:  3: PublishComponent 
      MSI (s) (CC:24) [20:30:25:207]: Note: 1: 2205 2:  3: SelfReg 
      MSI (s) (CC:24) [20:30:25:207]: Note: 1: 2205 2:  3: Extension 
      MSI (s) (CC:24) [20:30:25:207]: Note: 1: 2205 2:  3: Font 
      MSI (s) (CC:24) [20:30:25:207]: Note: 1: 2205 2:  3: Shortcut 
      MSI (s) (CC:24) [20:30:25:207]: Note: 1: 2205 2:  3: Class 
      MSI (s) (CC:24) [20:30:25:207]: Note: 1: 2205 2:  3: Icon 
      MSI (s) (CC:24) [20:30:25:207]: Note: 1: 2205 2:  3: TypeLib 
      Action start 20:30:25: InstallValidate.
      MSI (s) (CC:24) [20:30:25:207]: Note: 1: 2205 2:  3: _RemoveFilePath 
      MSI (s) (CC:24) [20:30:25:207]: PROPERTY CHANGE: Modifying CostingComplete property. Its current value is '0'. Its new value: '1'.
      MSI (s) (CC:24) [20:30:25:207]: Note: 1: 2205 2:  3: Registry 
      MSI (s) (CC:24) [20:30:25:207]: Note: 1: 2205 2:  3: BindImage 
      MSI (s) (CC:24) [20:30:25:207]: Note: 1: 2205 2:  3: ProgId 
      MSI (s) (CC:24) [20:30:25:207]: Note: 1: 2205 2:  3: PublishComponent 
      MSI (s) (CC:24) [20:30:25:207]: Note: 1: 2205 2:  3: SelfReg 
      MSI (s) (CC:24) [20:30:25:207]: Note: 1: 2205 2:  3: Extension 
      MSI (s) (CC:24) [20:30:25:207]: Note: 1: 2205 2:  3: Font 
      MSI (s) (CC:24) [20:30:25:207]: Note: 1: 2205 2:  3: Shortcut 
      MSI (s) (CC:24) [20:30:25:207]: Note: 1: 2205 2:  3: Class 
      MSI (s) (CC:24) [20:30:25:207]: Note: 1: 2205 2:  3: Icon 
      MSI (s) (CC:24) [20:30:25:207]: Note: 1: 2205 2:  3: TypeLib 
      MSI (s) (CC:24) [20:30:25:207]: Note: 1: 2727 2:  
      MSI (s) (CC:24) [20:30:25:207]: Note: 1: 2205 2:  3: FilesInUse 
      MSI (s) (CC:24) [20:30:25:222]: Note: 1: 2727 2:  
      MSI (s) (CC:24) [20:30:25:222]: Doing action: InstallInitialize
      MSI (s) (CC:24) [20:30:25:222]: Note: 1: 2205 2:  3: ActionText 
      Action ended 20:30:25: InstallValidate. Return value 1.
      MSI (s) (CC:24) [20:30:25:222]: Machine policy value 'AlwaysInstallElevated' is 0
      MSI (s) (CC:24) [20:30:25:222]: User policy value 'AlwaysInstallElevated' is 0
      MSI (s) (CC:24) [20:30:25:222]: BeginTransaction: Locking Server
      MSI (s) (CC:24) [20:30:25:222]: Note: 1: 2203 2: C:\Windows\Installer\inprogressinstallinfo.ipi 3: -2147287038 
      MSI (s) (CC:24) [20:30:25:222]: SRSetRestorePoint skipped for this transaction.
      MSI (s) (CC:24) [20:30:25:222]: Note: 1: 2203 2: C:\Windows\Installer\inprogressinstallinfo.ipi 3: -2147287038 
      MSI (s) (CC:24) [20:30:25:222]: Server not locked: locking for product {4DCC771E-B333-439A-80C5-7BDB9049784A}
      MSI (s) (CC:24) [20:30:25:238]: Note: 1: 2205 2:  3: ActionText 
      MSI (s) (CC:24) [20:30:25:238]: Note: 1: 2205 2:  3: ActionText 
      MSI (s) (CC:24) [20:30:25:238]: Note: 1: 2205 2:  3: ActionText 
      Action start 20:30:25: InstallInitialize.
      MSI (s) (CC:24) [20:30:25:254]: PROPERTY CHANGE: Deleting ProductToBeRegistered property. Its current value is '1'.
      MSI (s) (CC:24) [20:30:25:269]: Note: 1: 2205 2:  3: Icon 
      MSI (s) (CC:24) [20:30:25:269]: Note: 1: 2228 2:  3: Icon 4: SELECT `Name`, `Data` FROM `Icon` 
      MSI (s) (CC:24) [20:30:25:269]: Skipping action: InstallCustomAction (condition is false)
      MSI (s) (CC:24) [20:30:25:269]: Doing action: UninstallCustomAction
      MSI (s) (CC:24) [20:30:25:269]: Note: 1: 2205 2:  3: ActionText 
      Action ended 20:30:25: InstallInitialize. Return value 1.
      MSI (s) (CC:D0) [20:30:25:459]: Invoking remote custom action. DLL: C:\Windows\Installer\MSI2E7B.tmp, Entrypoint: Uninstall
      MSI (s) (CC:9C) [20:30:25:475]: Generating random cookie.
      MSI (s) (CC:9C) [20:30:25:522]: Created Custom Action Server with PID 5264 (0x1490).
      MSI (s) (CC:A8) [20:30:25:600]: Running as a service.
      MSI (s) (CC:AC) [20:30:25:600]: Hello, I'm your 64bit Impersonated custom action server.
      Action start 20:30:25: UninstallCustomAction.
      SFXCA: Extracting custom action to temporary directory: C:\Windows\Installer\MSI2E7B.tmp-\
      SFXCA: Binding to CLR version v4.0.30319
      Calling custom action Microsoft.Tri.Sensor.Deployment.Package.Actions!Microsoft.Tri.Sensor.Deployment.Package.Actions.CustomActions.Uninstall
      Exception thrown by custom action:
      System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.IO.FileNotFoundException: Could not find file 'C:\Program Files\Azure Advanced Threat Protection Sensor\2.240.18224.34815\SensorConfiguration.json'.
         at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
         at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
         at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
         at System.IO.StreamReader..ctor(String path, Encoding encoding, Boolean detectEncodingFromByteOrderMarks, Int32 bufferSize, Boolean checkHost)
         at System.IO.File.InternalReadAllText(String path, Encoding encoding, Boolean checkHost)
         at Microsoft.Tri.Infrastructure.ConfigurationFile.Load(String filePath)
         at Microsoft.Tri.Sensor.Deployment.Package.Actions.UninstallActionGroup..ctor()
         at Microsoft.Tri.Sensor.Deployment.Package.Actions.CustomActions.Uninstall(Session session)
         --- End of inner exception stack trace ---
         at System.RuntimeMethodHandle.InvokeMethod(Object target, Object arguments, Signature sig, Boolean constructor)
         at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object parameters, Object arguments)
         at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object parameters, CultureInfo culture)
         at Microsoft.Deployment.WindowsInstaller.CustomActionProxy.InvokeCustomAction(Int32 sessionHandle, String entryPoint, IntPtr remotingDelegatePtr)
      CustomAction UninstallCustomAction returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
      MSI (s) (CC:24) [20:30:29:216]: Note: 1: 2265 2:  3: -2147287035 
      MSI (s) (CC:24) [20:30:29:216]: Machine policy value 'DisableRollback' is 0
      MSI (s) (CC:24) [20:30:29:216]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2 
      Action ended 20:30:29: UninstallCustomAction. Return value 3.
      MSI (s) (CC:24) [20:30:29:216]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2 
      MSI (s) (CC:24) [20:30:29:216]: No System Restore sequence number for this installation.
      MSI (s) (CC:24) [20:30:29:216]: Unlocking Server
      Action ended 20:30:29: INSTALL. Return value 3.
      Property(S): UpgradeCode = {EDFB49E0-16FA-4535-B268-BD1B81B15DC2}
      Property(S): TARGETDIR = C:\
      Property(S): ALLUSERS = 1
      Property(S): Manufacturer = Microsoft Corporation
      Property(S): ProductCode = {4DCC771E-B333-439A-80C5-7BDB9049784A}
      Property(S): ProductLanguage = 1033
      Property(S): ProductName = Azure Advanced Threat Protection Sensor
      Property(S): ProductVersion = 2.239.18066.19147
      Property(S): SecureCustomProperties = WIX_DOWNGRADE_DETECTED;WIX_UPGRADE_DETECTED
      Property(S): MsiHiddenProperties = ACCESSKEY;PROXYCONFIGURATION
      Property(S): MsiLogFileLocation = C:\Users\\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20241112203019_000_MsiPackage.log
      Property(S): PackageCode = {7B60B234-6673-4B70-9CC0-FB31351A5E65}
      Property(S): ProductState = 5
      Property(S): ARPSYSTEMCOMPONENT = 1
      Property(S): MSIFASTINSTALL = 7
      Property(S): ACCESSKEY = **********
      Property(S): INSTALLATIONPATH = C:\Program Files\Azure Advanced Threat Protection Sensor
      Property(S): WIXBUNDLEORIGINALSOURCEFOLDER = \\lundinmining.local\NETLOGON\GLB-C-DefenderForIdentitySensor\
      Property(S): REBOOT = ReallySuppress
      Property(S): IGNOREDEPENDENCIES = ALL
      Property(S): REMOVE = ALL
      Property(S): CURRENTDIRECTORY = C:\Windows\system32
      Property(S): CLIENTUILEVEL = 3
      Property(S): MSICLIENTUSESEXTERNALUI = 1
      Property(S): CLIENTPROCESSID = 3572
      Property(S): MsiSystemRebootPending = 1
      Property(S): PRODUCTLANGUAGE = 1033
      Property(S): VersionDatabase = 500
      Property(S): VersionMsi = 5.00
      Property(S): VersionNT = 603
      Property(S): VersionNT64 = 603
      Property(S): WindowsBuild = 9600
      Property(S): ServicePackLevel = 0
      Property(S): ServicePackLevelMinor = 0
      Property(S): MsiNTProductType = 2
      Property(S): MsiNTSuiteDataCenter = 1
      Property(S): WindowsFolder = C:\Windows\
      Property(S): WindowsVolume = C:\
      Property(S): System64Folder = C:\Windows\system32\
      Property(S): SystemFolder = C:\Windows\SysWOW64\
      Property(S): RemoteAdminTS = 1
      Property(S): TempFolder = C:\Users\\AppData\Local\Temp\
      Property(S): ProgramFilesFolder = C:\Program Files (x86)\
      Property(S): CommonFilesFolder = C:\Program Files (x86)\Common Files\
      Property(S): ProgramFiles64Folder = C:\Program Files\
      Property(S): CommonFiles64Folder = C:\Program Files\Common Files\
      Property(S): AppDataFolder = C:\Users\\AppData\Roaming\
      Property(S): FavoritesFolder = C:\Users\\Favorites\
      Property(S): NetHoodFolder = C:\Users\\AppData\Roaming\Microsoft\Windows\Network Shortcuts\
      Property(S): PersonalFolder = C:\Users\\Documents\
      Property(S): PrintHoodFolder = C:\Users\\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\
      Property(S): RecentFolder = C:\Users\\AppData\Roaming\Microsoft\Windows\Recent\
      Property(S): SendToFolder = C:\Users\\AppData\Roaming\Microsoft\Windows\SendTo\
      Property(S): TemplateFolder = C:\ProgramData\Microsoft\Windows\Templates\
      Property(S): CommonAppDataFolder = C:\ProgramData\
      Property(S): LocalAppDataFolder = C:\Users\\AppData\Local\
      Property(S): MyPicturesFolder = C:\Users\\Pictures\
      Property(S): AdminToolsFolder = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\
      Property(S): StartupFolder = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
      Property(S): ProgramMenuFolder = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\
      Property(S): StartMenuFolder = C:\ProgramData\Microsoft\Windows\Start Menu\
      Property(S): DesktopFolder = C:\Users\Public\Desktop\
      Property(S): FontsFolder = C:\Windows\Fonts\
      Property(S): GPTSupport = 1
      Property(S): OLEAdvtSupport = 1
      Property(S): ShellAdvtSupport = 1
      Property(S): MsiAMD64 = 6
      Property(S): Msix64 = 6
      Property(S): Intel = 6
      Property(S): PhysicalMemory = 12288
      Property(S): VirtualMemory = 8415
      Property(S): AdminUser = 1
      Property(S): MsiTrueAdminUser = 1
      Property(S): LogonUser = 
      Property(S): UserSID = S-1-5-21-4037986163-3075043171-3260184774-163117
      Property(S): UserLanguageID = 1053
      Property(S): ComputerName = ZMDC07
      Property(S): SystemLanguageID = 1053
      Property(S): ScreenX = 1024
      Property(S): ScreenY = 768
      Property(S): CaptionHeight = 23
      Property(S): BorderTop = 1
      Property(S): BorderSide = 1
      Property(S): MsiTabletPC = 1
      Property(S): TextHeight = 16
      Property(S): TextInternalLeading = 3
      Property(S): ColorBits = 32
      Property(S): TTCSupport = 1
      Property(S): Time = 20:30:29
      Property(S): Date = 2024-11-12
      Property(S): MsiNetAssemblySupport = 4.8.3761.0
      Property(S): MsiWin32AssemblySupport = 6.3.14393.5786
      Property(S): RedirectedDllSupport = 2
      Property(S): MsiRunningElevated = 1
      Property(S): Privileged = 1
      Property(S): USERNAME = Lundin Mining
      Property(S): COMPANYNAME = Lundin Mining
      Property(S): Installed = 00:00:00
      Property(S): DATABASE = C:\Windows\Installer\35567.msi
      Property(S): OriginalDatabase = C:\Windows\Installer\35567.msi
      Property(S): UILevel = 2
      Property(S): MsiUISourceResOnly = 1
      Property(S): Preselected = 1
      Property(S): ACTION = INSTALL
      Property(S): ROOTDRIVE = C:\
      Property(S): CostingComplete = 1
      Property(S): OutOfDiskSpace = 0
      Property(S): OutOfNoRbDiskSpace = 0
      Property(S): PrimaryVolumeSpaceAvailable = 0
      Property(S): PrimaryVolumeSpaceRequired = 0
      Property(S): PrimaryVolumeSpaceRemaining = 0
      Property(S): INSTALLLEVEL = 1
      MSI (s) (CC:24) [20:30:29:247]: Note: 1: 1725 
      MSI (s) (CC:24) [20:30:29:247]: Note: 1: 2205 2:  3: Error 
      MSI (s) (CC:24) [20:30:29:247]: Note: 1: 2228 2:  3: Error 4: SELECT `Message` FROM `Error` WHERE `Error` = 1725 
      MSI (s) (CC:24) [20:30:29:247]: Note: 1: 2205 2:  3: Error 
      MSI (s) (CC:24) [20:30:29:247]: Note: 1: 2228 2:  3: Error 4: SELECT `Message` FROM `Error` WHERE `Error` = 1709 
      MSI (s) (CC:24) [20:30:29:247]: Product: Azure Advanced Threat Protection Sensor -- Removal failed.

      MSI (s) (CC:24) [20:30:29:247]: Windows Installer removed the product. Product Name: Azure Advanced Threat Protection Sensor. Product Version: 2.239.18066.19147. Product Language: 1033. Manufacturer: Microsoft Corporation. Removal success or error status: 1603.

      MSI (s) (CC:24) [20:30:29:247]: Deferring clean up of packages/files, if any exist
      MSI (s) (CC:24) [20:30:29:247]: MainEngineThread is returning 1603
      MSI (s) (CC:AC) [20:30:29:247]: RESTART MANAGER: Session closed.
      MSI (s) (CC:AC) [20:30:29:247]: No System Restore sequence number for this installation.
      === Logging stopped: 2024-11-12  20:30:29 ===
      MSI (s) (CC:AC) [20:30:29:263]: User policy value 'DisableRollback' is 0
      MSI (s) (CC:AC) [20:30:29:263]: Machine policy value 'DisableRollback' is 0
      MSI (s) (CC:AC) [20:30:29:263]: Incrementing counter to disable shutdown. Counter after increment: 0
      MSI (s) (CC:AC) [20:30:29:263]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2 
      MSI (s) (CC:AC) [20:30:29:263]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2 
      MSI (s) (CC:AC) [20:30:29:263]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied.  Counter after decrement: -1
      MSI (s) (CC:AC) [20:30:29:263]: Destroying RemoteAPI object.
      MSI (s) (CC:9C) [20:30:29:263]: Custom Action Manager thread ending.
      MSI (c) (F4:44) [20:30:29:263]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied.  Counter after decrement: -1
      MSI (c) (F4:44) [20:30:29:263]: MainEngineThread is returning 1603
      === Verbose logging stopped: 2024-11-12  20:30:29 ===

       

      • EliOfek
        Microsoft

        Could not find file 'C:\Program Files\Azure Advanced Threat Protection Sensor\2.240.18224.34815\SensorConfiguration.json'.

        You are missing this file.

        Copy it from a working sensor, it might resolve the issue.
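
The diagnosis in the reply above can be read out of a verbose MSI log mechanically. This Python example is added here and is not part of the thread or of Microsoft's tooling: it finds the first action that ended with return value 3, the custom-action error code, and the innermost .NET exception, and shows that 1603 is the same failure the Burn bootstrapper reports as 0x80070643 (status=-2147023293). The sample is a trimmed excerpt of the log posted in this thread; all function names are assumptions of this example.

```python
import ntpath
import re

# Trimmed excerpt of the verbose MSI log posted in this thread (most stack frames cut).
SAMPLE_MSI_LOG = r"""
Action ended 20:30:25: InstallInitialize. Return value 1.
Action start 20:30:25: UninstallCustomAction.
Exception thrown by custom action:
System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.IO.FileNotFoundException: Could not find file 'C:\Program Files\Azure Advanced Threat Protection Sensor\2.240.18224.34815\SensorConfiguration.json'.
   at System.IO.File.InternalReadAllText(String path, Encoding encoding, Boolean checkHost)
   --- End of inner exception stack trace ---
CustomAction UninstallCustomAction returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 20:30:29: UninstallCustomAction. Return value 3.
Action ended 20:30:29: INSTALL. Return value 3.
"""

ACTION_END = re.compile(r"^Action ended [\d:]+: (?P<name>[^.]+)\. Return value (?P<rv>\d+)\.")
CA_ERROR = re.compile(r"^CustomAction (?P<name>\S+) returned actual error code (?P<code>\d+)")
EXC_MARKER = "Exception thrown by custom action:"
MSI_FATAL = 3  # Windows Installer action return value 3 means fatal error


def win32_to_hresult(code):
    """HRESULT_FROM_WIN32: failure bit + FACILITY_WIN32 (7) + the 16-bit Win32 code."""
    if code <= 0:
        return code
    return 0x80070000 | (code & 0xFFFF)


def to_signed32(value):
    """Same 32 bits read as a signed integer, the form .NET log lines print."""
    return value - (1 << 32) if value & 0x80000000 else value


def innermost_exception(line):
    """Split 'Outer: msg ---> Inner: msg' and return (type, message) of the innermost."""
    inner = line.split(" ---> ")[-1]
    exc_type, _, message = inner.partition(": ")
    return exc_type, message


def triage(log_text):
    """Return the first failed action and its root cause from a verbose MSI log."""
    result = {"failed_action": None, "error_code": None, "hresult": None,
              "exception_type": None, "missing_file": None, "version_folder": None}
    lines = [ln.strip() for ln in log_text.splitlines()]
    for i, line in enumerate(lines):
        if line == EXC_MARKER and i + 1 < len(lines) and result["exception_type"] is None:
            exc_type, message = innermost_exception(lines[i + 1])
            result["exception_type"] = exc_type
            quoted = re.search(r"'([^']+)'", message)
            if exc_type.endswith("FileNotFoundException") and quoted:
                path = quoted.group(1)
                result["missing_file"] = path
                # In this thread the install path holds one folder per sensor version;
                # the parent folder shows which version's files the action expected.
                result["version_folder"] = ntpath.basename(ntpath.dirname(path))
            continue
        m = CA_ERROR.match(line)
        if m and result["error_code"] is None:
            code = int(m.group("code"))
            result["error_code"] = code
            result["hresult"] = f"0x{win32_to_hresult(code):08X}"
            continue
        m = ACTION_END.match(line)
        if m and int(m.group("rv")) == MSI_FATAL and result["failed_action"] is None:
            result["failed_action"] = m.group("name")
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MSI_LOG).items():
        print(f"{key:15} {value}")
```
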

  • RyanP1895
    Copper Contributor

    Thanks for that and yes. It was missing. I added it to the install folder and the ATP service still wouldn't start. However, it did allow me to uninstall the old one.

    However upon re-installing, I get the same error as before (0x80070643)

    2 logs were produced by this:

    Azure Advanced Threat Protection Sensor_20241112214452.log

    [06A0:1C80][2024-11-12T21:44:51]i001: Burn v3.11.2.4516, Windows v10.0 (Build 14393: Service Pack 0), path: C:\Users\\AppData\Local\Temp\4\{CBAE67F3-DE17-4F2A-A9AB-610DBAE62012}\.cr\Azure ATP Sensor Setup.exe
    [06A0:1C80][2024-11-12T21:44:51]i000: Initializing hidden variable 'AccessKey'
    [06A0:1C80][2024-11-12T21:44:51]i000: Initializing hidden variable 'ProxyConfiguration'
    [06A0:1C80][2024-11-12T21:44:51]i000: Initializing hidden variable 'ProxyUserPassword'
    [06A0:1C80][2024-11-12T21:44:51]i000: Initializing string variable 'NetFrameworkCommandLineArguments' to value '/passive /showrmui'
    [06A0:1C80][2024-11-12T21:44:51]i009: Command Line: '"-burn.clean.room=C:\temp\GLB-C-DefenderForIdentitySensor\Azure ATP Sensor Setup.exe" -burn.filehandle.attached=480 -burn.filehandle.self=484'
    [06A0:1C80][2024-11-12T21:44:51]i000: Setting string variable 'WixBundleOriginalSource' to value 'C:\temp\GLB-C-DefenderForIdentitySensor\Azure ATP Sensor Setup.exe'
    [06A0:1C80][2024-11-12T21:44:51]i000: Setting string variable 'WixBundleOriginalSourceFolder' to value 'C:\temp\GLB-C-DefenderForIdentitySensor\'
    [06A0:1C80][2024-11-12T21:44:52]i000: Setting string variable 'WixBundleLog' to value 'C:\Users\\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20241112214452.log'
    [06A0:1C80][2024-11-12T21:44:52]i000: Setting string variable 'WixBundleName' to value 'Azure Advanced Threat Protection Sensor'
    [06A0:1C80][2024-11-12T21:44:52]i000: Setting string variable 'WixBundleManufacturer' to value 'Microsoft Corporation'
    [06A0:1C80][2024-11-12T21:44:52]i000: Loading managed bootstrapper application.
    [06A0:1C80][2024-11-12T21:44:52]i000: Creating BA thread to run asynchronously.
    [06A0:1C80][2024-11-12T21:44:53]i100: Detect begin, 5 packages
    [06A0:1C80][2024-11-12T21:44:53]i000: 2024-11-12 20:44:53.4025 Debug DeploymentModel DetectDeploymentAction DetectBegin [\[]Installed=False[\]]
    [06A0:1C80][2024-11-12T21:44:53]i000: Registry key not found. Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB4019990~31bf3856ad364e35~amd64~~6.1.1.2'
    [06A0:1C80][2024-11-12T21:44:53]i000: Setting numeric variable 'Kb4019990Windows2008R2Exists' to value 0
    [06A0:1C80][2024-11-12T21:44:53]i000: Registry key not found. Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB4019990~31bf3856ad364e35~amd64~~6.2.1.1'
    [06A0:1C80][2024-11-12T21:44:53]i000: Setting numeric variable 'Kb4019990Windows2012Exists' to value 0
    [06A0:1C80][2024-11-12T21:44:53]i000: Setting string variable 'NetFrameworkRegistryValue' to value '528049'
    [06A0:1C80][2024-11-12T21:44:53]i000: Setting string variable 'ServerLevelsServerCoreRegistryValue' to value '1'
    [06A0:1C80][2024-11-12T21:44:53]i000: Setting string variable 'ServerLevelsServerGuiShellRegistryValue' to value '1'
    [06A0:1C80][2024-11-12T21:44:53]i052: Condition 'Kb4019990Windows2008R2Exists' evaluates to false.
    [06A0:1C80][2024-11-12T21:44:53]i052: Condition 'Kb4019990Windows2012Exists' evaluates to false.
    [06A0:1C80][2024-11-12T21:44:53]i052: Condition 'NetFrameworkRegistryValue >= 460798' evaluates to true.
    [06A0:1C80][2024-11-12T21:44:53]i052: Condition 'NetFrameworkRegistryValue >= 460798' evaluates to true.
    [06A0:1C80][2024-11-12T21:44:53]i101: Detected package: Kb4019990Windows2008R2Package, state: Absent, cached: None
    [06A0:1C80][2024-11-12T21:44:53]i101: Detected package: Kb4019990Windows2012Package, state: Absent, cached: None
    [06A0:1C80][2024-11-12T21:44:53]i101: Detected package: NetFrameworkPackageServer, state: Present, cached: None
    [06A0:1C80][2024-11-12T21:44:53]i101: Detected package: NetFrameworkPackageServerCore, state: Present, cached: None
    [06A0:1C80][2024-11-12T21:44:53]i101: Detected package: MsiPackage, state: Absent, cached: None
    [06A0:1C80][2024-11-12T21:44:53]i199: Detect complete, result: 0x0
    [06A0:0E30][2024-11-12T21:44:53]i000: 2024-11-12 20:44:53.4182 Debug DeploymentModel .ctor [\[]DeploymentAction=Install[\]]
    [06A0:0E30][2024-11-12T21:44:53]i000: 2024-11-12 20:44:53.4963 Debug DeploymentModel .ctor [\[]IsAfterRestartAndConfigured=False[\]]
    [06A0:0E30][2024-11-12T21:45:50]i000: 2024-11-12 20:45:50.4192 Info  Model ValidateAsync ValidateCreateSensorAsync returned [\[]validateCreateSensorResult=Success[\]]
    [06A0:0E30][2024-11-12T21:45:50]i000: Setting string variable 'IsConfigured' to value 'True'
    [06A0:0E30][2024-11-12T21:45:50]i000: Setting hidden variable 'AccessKey'
    [06A0:0E30][2024-11-12T21:45:50]i000: Unsetting variable 'DelayedUpdate'
    [06A0:0E30][2024-11-12T21:45:50]i000: Unsetting variable 'LogsPath'
    [06A0:0E30][2024-11-12T21:45:50]i000: Setting hidden variable 'ProxyConfiguration'
    [06A0:0E30][2024-11-12T21:45:50]i000: Setting string variable 'InstallationPath' to value 'C:\Program Files\Azure Advanced Threat Protection Sensor'
    [06A0:1C80][2024-11-12T21:45:50]i200: Plan begin, 5 packages, action: Install
    [06A0:1C80][2024-11-12T21:45:50]i052: Condition 'VersionNT64 = v6.1' evaluates to false.
    [06A0:1C80][2024-11-12T21:45:50]w321: Skipping dependency registration on package with no dependency providers: Kb4019990Windows2008R2Package
    [06A0:1C80][2024-11-12T21:45:50]i052: Condition 'VersionNT64 = v6.2' evaluates to false.
    [06A0:1C80][2024-11-12T21:45:50]w321: Skipping dependency registration on package with no dependency providers: Kb4019990Windows2012Package
    [06A0:1C80][2024-11-12T21:45:50]i052: Condition 'ServerLevelsServerCoreRegistryValue <> 1 OR ServerLevelsServerGuiShellRegistryValue = 1' evaluates to true.
    [06A0:1C80][2024-11-12T21:45:50]w321: Skipping dependency registration on package with no dependency providers: NetFrameworkPackageServer
    [06A0:1C80][2024-11-12T21:45:50]i052: Condition 'ServerLevelsServerCoreRegistryValue = 1 AND ServerLevelsServerGuiShellRegistryValue <> 1' evaluates to false.
    [06A0:1C80][2024-11-12T21:45:50]w321: Skipping dependency registration on package with no dependency providers: NetFrameworkPackageServerCore
    [06A0:1C80][2024-11-12T21:45:50]i000: Setting string variable 'WixBundleRollbackLog_MsiPackage' to value 'C:\Users\\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20241112214452_000_MsiPackage_rollback.log'
    [06A0:1C80][2024-11-12T21:45:50]i000: Setting string variable 'WixBundleLog_MsiPackage' to value 'C:\Users\\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20241112214452_000_MsiPackage.log'
    [06A0:1C80][2024-11-12T21:45:50]i201: Planned package: Kb4019990Windows2008R2Package, state: Absent, default requested: Absent, ba requested: Absent, execute: None, rollback: None, cache: No, uncache: No, dependency: None
    [06A0:1C80][2024-11-12T21:45:50]i201: Planned package: Kb4019990Windows2012Package, state: Absent, default requested: Absent, ba requested: Absent, execute: None, rollback: None, cache: No, uncache: No, dependency: None
    [06A0:1C80][2024-11-12T21:45:50]i201: Planned package: NetFrameworkPackageServer, state: Present, default requested: Present, ba requested: Present, execute: None, rollback: None, cache: No, uncache: No, dependency: None
    [06A0:1C80][2024-11-12T21:45:50]i201: Planned package: NetFrameworkPackageServerCore, state: Present, default requested: Absent, ba requested: Absent, execute: None, rollback: None, cache: No, uncache: No, dependency: None
    [06A0:1C80][2024-11-12T21:45:50]i201: Planned package: MsiPackage, state: Absent, default requested: Present, ba requested: Present, execute: Install, rollback: Uninstall, cache: Yes, uncache: No, dependency: Register
    [06A0:1C80][2024-11-12T21:45:50]i299: Plan complete, result: 0x0
    [06A0:1C80][2024-11-12T21:45:50]i300: Apply begin
    [06A0:1C80][2024-11-12T21:45:50]i010: Launching elevated engine process.
    [06A0:1C80][2024-11-12T21:45:53]i011: Launched elevated engine process.
    [06A0:1C80][2024-11-12T21:45:53]i012: Connected to elevated engine.
    [1A40:1744][2024-11-12T21:45:53]i358: Pausing automatic updates.
    [1A40:1744][2024-11-12T21:45:53]i359: Paused automatic updates.
    [1A40:1744][2024-11-12T21:45:53]i360: Creating a system restore point.
    [1A40:1744][2024-11-12T21:45:53]i362: System restore disabled, system restore point not created.
    [1A40:1744][2024-11-12T21:45:53]i370: Session begin, registration key: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{22c54ff7-cc88-43ef-a1b4-2d870f4ca0c9}, options: 0x7, disable resume: No
    [1A40:1744][2024-11-12T21:45:53]i000: Caching bundle from: 'C:\Users\\AppData\Local\Temp\4\{78227D59-BBBF-4118-B085-7F3859B9422B}\.be\Azure ATP Sensor Setup.exe' to: 'C:\ProgramData\Package Cache\{22c54ff7-cc88-43ef-a1b4-2d870f4ca0c9}\Azure ATP Sensor Setup.exe'
    [1A40:1744][2024-11-12T21:45:54]i320: Registering bundle dependency provider: {22c54ff7-cc88-43ef-a1b4-2d870f4ca0c9}, version: 2.240.18319.21975
    [1A40:1744][2024-11-12T21:45:54]i371: Updating session, registration key: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{22c54ff7-cc88-43ef-a1b4-2d870f4ca0c9}, resume: Active, restart initiated: No, disable resume: No
    [1A40:1200][2024-11-12T21:45:54]i305: Verified acquired payload: MsiPackage at path: C:\ProgramData\Package Cache\.unverified\MsiPackage, moving to: C:\ProgramData\Package Cache\{DF33D195-E8F2-4AA7-89B2-BE2B97069333}v2.240.18319.21975\Microsoft.Tri.Sensor.Deployment.Package.msi.
    [1A40:1200][2024-11-12T21:45:54]i305: Verified acquired payload: cab9C68882706A1052319FE6C1B5DE23439 at path: C:\ProgramData\Package Cache\.unverified\cab9C68882706A1052319FE6C1B5DE23439, moving to: C:\ProgramData\Package Cache\{DF33D195-E8F2-4AA7-89B2-BE2B97069333}v2.240.18319.21975\1.
    [1A40:1744][2024-11-12T21:45:54]i323: Registering package dependency provider: {DF33D195-E8F2-4AA7-89B2-BE2B97069333}, version: 2.240.18319.21975, package: MsiPackage
    [1A40:1744][2024-11-12T21:45:54]i301: Applying execute package: MsiPackage, action: Install, path: C:\ProgramData\Package Cache\{DF33D195-E8F2-4AA7-89B2-BE2B97069333}v2.240.18319.21975\Microsoft.Tri.Sensor.Deployment.Package.msi, arguments: ' ARPSYSTEMCOMPONENT="1" MSIFASTINSTALL="7" ACCESSKEY="*****" DelayedUpdate="" InstallationPath="C:\Program Files\Azure Advanced Threat Protection Sensor" InstalledVersion="" LogsPath="" PROXYCONFIGURATION="*****" WixBundleOriginalSourceFolder="C:\temp\GLB-C-DefenderForIdentitySensor\"'
    [1A40:1744][2024-11-12T21:46:09]e000: Error 0x80070643: Failed to install MSI package.
    [1A40:1744][2024-11-12T21:46:09]e000: Error 0x80070643: Failed to execute MSI package.
    [06A0:1C80][2024-11-12T21:46:09]e000: Error 0x80070643: Failed to configure per-machine MSI package.
    [06A0:1C80][2024-11-12T21:46:09]i000: 2024-11-12 20:46:09.8032 Error Model LogError [\[]methodName=BootstrapperApplication_ExecutePackageComplete status=-2147023293 exception=[\]]
    [06A0:1C80][2024-11-12T21:46:09]i319: Applied execute package: MsiPackage, result: 0x80070643, restart: None
    [06A0:1C80][2024-11-12T21:46:09]e000: Error 0x80070643: Failed to execute MSI package.
    [1A40:1744][2024-11-12T21:46:09]i318: Skipped rollback of package: MsiPackage, action: Uninstall, already: Absent
    [06A0:1C80][2024-11-12T21:46:09]i319: Applied rollback package: MsiPackage, result: 0x0, restart: None
    [1A40:1744][2024-11-12T21:46:09]i329: Removed package dependency provider: {DF33D195-E8F2-4AA7-89B2-BE2B97069333}, package: MsiPackage
    [1A40:1744][2024-11-12T21:46:09]i351: Removing cached package: MsiPackage, from path: C:\ProgramData\Package Cache\{DF33D195-E8F2-4AA7-89B2-BE2B97069333}v2.240.18319.21975\
    [1A40:1744][2024-11-12T21:46:09]i372: Session end, registration key: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{22c54ff7-cc88-43ef-a1b4-2d870f4ca0c9}, resume: None, restart: None, disable resume: No
    [1A40:1744][2024-11-12T21:46:09]i330: Removed bundle dependency provider: {22c54ff7-cc88-43ef-a1b4-2d870f4ca0c9}
    [1A40:1744][2024-11-12T21:46:09]i352: Removing cached bundle: {22c54ff7-cc88-43ef-a1b4-2d870f4ca0c9}, from path: C:\ProgramData\Package Cache\{22c54ff7-cc88-43ef-a1b4-2d870f4ca0c9}\
    [1A40:1744][2024-11-12T21:46:09]i371: Updating session, registration key: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{22c54ff7-cc88-43ef-a1b4-2d870f4ca0c9}, resume: None, restart initiated: No, disable resume: No
    [06A0:1C80][2024-11-12T21:46:09]i399: Apply complete, result: 0x80070643, restart: None, ba requested restart:  No

     

    Azure Advanced Threat Protection Sensor_20241112214452_000_MsiPackage.log

    === Verbose logging started: 2024-11-12  21:45:54  Build type: SHIP UNICODE 5.00.10011.00  Calling process: C:\Users\\AppData\Local\Temp\4\{78227D59-BBBF-4118-B085-7F3859B9422B}\.be\Azure ATP Sensor Setup.exe ===
    MSI (c) (40:B0) [21:45:54:458]: Resetting cached policy values
    MSI (c) (40:B0) [21:45:54:458]: Machine policy value 'Debug' is 0
    MSI (c) (40:B0) [21:45:54:458]: ******* RunEngine:
               ******* Product: C:\ProgramData\Package Cache\{DF33D195-E8F2-4AA7-89B2-BE2B97069333}v2.240.18319.21975\Microsoft.Tri.Sensor.Deployment.Package.msi
               ******* Action: 
               ******* CommandLine: **********
    MSI (c) (40:B0) [21:45:54:459]: Client-side and UI is none or basic: Running entire install on the server.
    MSI (c) (40:B0) [21:45:54:459]: Grabbed execution mutex.
    MSI (c) (40:B0) [21:45:54:465]: Cloaking enabled.
    MSI (c) (40:B0) [21:45:54:465]: Attempting to enable all disabled privileges before calling Install on Server
    MSI (c) (40:B0) [21:45:54:468]: Incrementing counter to disable shutdown. Counter after increment: 0
    MSI (s) (08:A0) [21:45:54:475]: Running installation inside multi-package transaction C:\ProgramData\Package Cache\{DF33D195-E8F2-4AA7-89B2-BE2B97069333}v2.240.18319.21975\Microsoft.Tri.Sensor.Deployment.Package.msi
    MSI (s) (08:A0) [21:45:54:475]: Grabbed execution mutex.
    MSI (s) (08:74) [21:45:54:475]: Resetting cached policy values
    MSI (s) (08:74) [21:45:54:475]: Machine policy value 'Debug' is 0
    MSI (s) (08:74) [21:45:54:475]: ******* RunEngine:
               ******* Product: C:\ProgramData\Package Cache\{DF33D195-E8F2-4AA7-89B2-BE2B97069333}v2.240.18319.21975\Microsoft.Tri.Sensor.Deployment.Package.msi
               ******* Action: 
               ******* CommandLine: **********
    MSI (s) (08:74) [21:45:54:475]: Machine policy value 'DisableUserInstalls' is 0
    MSI (s) (08:74) [21:45:54:491]: Note: 1: 2203 2: C:\Windows\Installer\inprogressinstallinfo.ipi 3: -2147287038 
    MSI (s) (08:74) [21:45:54:491]: SRSetRestorePoint skipped for this transaction.
    MSI (s) (08:74) [21:45:54:491]: File will have security applied from OpCode.
    MSI (s) (08:74) [21:45:54:569]: SOFTWARE RESTRICTION POLICY: Verifying package --> 'C:\ProgramData\Package Cache\{DF33D195-E8F2-4AA7-89B2-BE2B97069333}v2.240.18319.21975\Microsoft.Tri.Sensor.Deployment.Package.msi' against software restriction policy
    MSI (s) (08:74) [21:45:54:569]: SOFTWARE RESTRICTION POLICY: C:\ProgramData\Package Cache\{DF33D195-E8F2-4AA7-89B2-BE2B97069333}v2.240.18319.21975\Microsoft.Tri.Sensor.Deployment.Package.msi has a digital signature
    MSI (s) (08:74) [21:45:54:725]: SOFTWARE RESTRICTION POLICY: C:\ProgramData\Package Cache\{DF33D195-E8F2-4AA7-89B2-BE2B97069333}v2.240.18319.21975\Microsoft.Tri.Sensor.Deployment.Package.msi is permitted to run at the 'unrestricted' authorization level.
    MSI (s) (08:74) [21:45:54:725]: MSCOREE not loaded loading copy from system32
    MSI (s) (08:74) [21:45:54:741]: End dialog not enabled
    MSI (s) (08:74) [21:45:54:741]: Original package ==> C:\ProgramData\Package Cache\{DF33D195-E8F2-4AA7-89B2-BE2B97069333}v2.240.18319.21975\Microsoft.Tri.Sensor.Deployment.Package.msi
    MSI (s) (08:74) [21:45:54:741]: Package we're running from ==> C:\Windows\Installer\8ce8692f.msi
    MSI (s) (08:74) [21:45:54:741]: APPCOMPAT: Compatibility mode property overrides found.
    MSI (s) (08:74) [21:45:54:741]: APPCOMPAT: looking for appcompat database entry with ProductCode '{DF33D195-E8F2-4AA7-89B2-BE2B97069333}'.
    MSI (s) (08:74) [21:45:54:741]: APPCOMPAT: no matching ProductCode found in database.
    MSI (s) (08:74) [21:45:54:741]: Machine policy value 'TransformsSecure' is 1
    MSI (s) (08:74) [21:45:54:741]: Note: 1: 2205 2:  3: MsiFileHash 
    MSI (s) (08:74) [21:45:54:741]: Machine policy value 'DisablePatch' is 0
    MSI (s) (08:74) [21:45:54:741]: Machine policy value 'AllowLockdownPatch' is 0
    MSI (s) (08:74) [21:45:54:741]: Machine policy value 'DisableLUAPatching' is 0
    MSI (s) (08:74) [21:45:54:741]: Machine policy value 'DisableFlyWeightPatching' is 0
    MSI (s) (08:74) [21:45:54:741]: APPCOMPAT: looking for appcompat database entry with ProductCode '{DF33D195-E8F2-4AA7-89B2-BE2B97069333}'.
    MSI (s) (08:74) [21:45:54:741]: APPCOMPAT: no matching ProductCode found in database.
    MSI (s) (08:74) [21:45:54:741]: Transforms are not secure.
    MSI (s) (08:74) [21:45:54:741]: Note: 1: 2205 2:  3: Control 
    MSI (s) (08:74) [21:45:54:741]: PROPERTY CHANGE: Adding MsiLogFileLocation property. Its value is 'C:\Users\\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20241112214452_000_MsiPackage.log'.
    MSI (s) (08:74) [21:45:54:741]: Command Line: ARPSYSTEMCOMPONENT=1 MSIFASTINSTALL=7 ACCESSKEY=********** DelayedUpdate= InstallationPath=C:\Program Files\Azure Advanced Threat Protection Sensor InstalledVersion= LogsPath= PROXYCONFIGURATION=********** WixBundleOriginalSourceFolder=C:\temp\GLB-C-DefenderForIdentitySensor\ REBOOT=ReallySuppress CURRENTDIRECTORY=C:\temp\GLB-C-DefenderForIdentitySensor CLIENTUILEVEL=3 MSICLIENTUSESEXTERNALUI=1 CLIENTPROCESSID=6720 
    MSI (s) (08:74) [21:45:54:741]: PROPERTY CHANGE: Adding PackageCode property. Its value is '{BBAD208E-F5BC-48CB-8E78-310DB24A4232}'.
    MSI (s) (08:74) [21:45:54:741]: Product Code passed to Engine.Initialize:           ''
    MSI (s) (08:74) [21:45:54:741]: Product Code from property table before transforms: '{DF33D195-E8F2-4AA7-89B2-BE2B97069333}'
    MSI (s) (08:74) [21:45:54:741]: Product Code from property table after transforms:  '{DF33D195-E8F2-4AA7-89B2-BE2B97069333}'
    MSI (s) (08:74) [21:45:54:741]: Product not registered: beginning first-time install
    MSI (s) (08:74) [21:45:54:741]: Product {DF33D195-E8F2-4AA7-89B2-BE2B97069333} is not managed.
    MSI (s) (08:74) [21:45:54:741]: MSI_LUA: Credential prompt not required, user is an admin
    MSI (s) (08:74) [21:45:54:741]: PROPERTY CHANGE: Adding ProductState property. Its value is '-1'.
    MSI (s) (08:74) [21:45:54:741]: Entering CMsiConfigurationManager::SetLastUsedSource.
    MSI (s) (08:74) [21:45:54:741]: User policy value 'SearchOrder' is 'nmu'
    MSI (s) (08:74) [21:45:54:741]: Adding new sources is allowed.
    MSI (s) (08:74) [21:45:54:741]: PROPERTY CHANGE: Adding PackagecodeChanging property. Its value is '1'.
    MSI (s) (08:74) [21:45:54:741]: Package name extracted from package path: 'Microsoft.Tri.Sensor.Deployment.Package.msi'
    MSI (s) (08:74) [21:45:54:741]: Package to be registered: 'Microsoft.Tri.Sensor.Deployment.Package.msi'
    MSI (s) (08:74) [21:45:54:741]: Note: 1: 2205 2:  3: Error 
    MSI (s) (08:74) [21:45:54:741]: Note: 1: 2262 2: AdminProperties 3: -2147287038 
    MSI (s) (08:74) [21:45:54:741]: Machine policy value 'DisableMsi' is 1
    MSI (s) (08:74) [21:45:54:741]: Machine policy value 'AlwaysInstallElevated' is 0
    MSI (s) (08:74) [21:45:54:741]: User policy value 'AlwaysInstallElevated' is 0
    MSI (s) (08:74) [21:45:54:741]: Product installation will be elevated because user is admin and product is being installed per-machine.
    MSI (s) (08:74) [21:45:54:741]: Running product '{DF33D195-E8F2-4AA7-89B2-BE2B97069333}' with elevated privileges: Product is assigned.
    MSI (s) (08:74) [21:45:54:741]: PROPERTY CHANGE: Adding ARPSYSTEMCOMPONENT property. Its value is '1'.
    MSI (s) (08:74) [21:45:54:741]: PROPERTY CHANGE: Adding MSIFASTINSTALL property. Its value is '7'.
    MSI (s) (08:74) [21:45:54:741]: PROPERTY CHANGE: Adding ACCESSKEY property. Its value is '**********'.
    MSI (s) (08:74) [21:45:54:741]: PROPERTY CHANGE: Adding INSTALLATIONPATH property. Its value is 'C:\Program Files\Azure Advanced Threat Protection Sensor'.
    MSI (s) (08:74) [21:45:54:741]: PROPERTY CHANGE: Adding WIXBUNDLEORIGINALSOURCEFOLDER property. Its value is 'C:\temp\GLB-C-DefenderForIdentitySensor\'.
    MSI (s) (08:74) [21:45:54:741]: PROPERTY CHANGE: Adding REBOOT property. Its value is 'ReallySuppress'.
    MSI (s) (08:74) [21:45:54:741]: PROPERTY CHANGE: Adding CURRENTDIRECTORY property. Its value is 'C:\temp\GLB-C-DefenderForIdentitySensor'.
    MSI (s) (08:74) [21:45:54:741]: PROPERTY CHANGE: Adding CLIENTUILEVEL property. Its value is '3'.
    MSI (s) (08:74) [21:45:54:741]: PROPERTY CHANGE: Adding MSICLIENTUSESEXTERNALUI property. Its value is '1'.
    MSI (s) (08:74) [21:45:54:741]: PROPERTY CHANGE: Adding CLIENTPROCESSID property. Its value is '6720'.
    MSI (s) (08:74) [21:45:54:741]: Machine policy value 'DisableAutomaticApplicationShutdown' is 0
    MSI (s) (08:74) [21:45:54:741]: PROPERTY CHANGE: Adding MsiRestartManagerSessionKey property. Its value is '601df937026b46449ac301f16dd2624d'.
    MSI (s) (08:74) [21:45:54:741]: RESTART MANAGER: Session opened.
    MSI (s) (08:74) [21:45:54:741]: PROPERTY CHANGE: Adding MsiSystemRebootPending property. Its value is '1'.
    MSI (s) (08:74) [21:45:54:741]: TRANSFORMS property is now: 
    MSI (s) (08:74) [21:45:54:741]: PROPERTY CHANGE: Adding VersionDatabase property. Its value is '500'.
    MSI (s) (08:74) [21:45:54:757]: SHELL32::SHGetFolderPath returned: C:\Users\\AppData\Roaming
    MSI (s) (08:74) [21:45:54:757]: SHELL32::SHGetFolderPath returned: C:\Users\\Favorites
    MSI (s) (08:74) [21:45:54:757]: SHELL32::SHGetFolderPath returned: C:\Users\\AppData\Roaming\Microsoft\Windows\Network Shortcuts
    MSI (s) (08:74) [21:45:54:757]: SHELL32::SHGetFolderPath returned: C:\Users\\Documents
    MSI (s) (08:74) [21:45:54:757]: SHELL32::SHGetFolderPath returned: C:\Users\\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
    MSI (s) (08:74) [21:45:54:757]: SHELL32::SHGetFolderPath returned: C:\Users\\AppData\Roaming\Microsoft\Windows\Recent
    MSI (s) (08:74) [21:45:54:757]: SHELL32::SHGetFolderPath returned: C:\Users\\AppData\Roaming\Microsoft\Windows\SendTo
    MSI (s) (08:74) [21:45:54:757]: SHELL32::SHGetFolderPath returned: C:\Users\\AppData\Roaming\Microsoft\Windows\Templates
    MSI (s) (08:74) [21:45:54:757]: SHELL32::SHGetFolderPath returned: C:\ProgramData
    MSI (s) (08:74) [21:45:54:757]: SHELL32::SHGetFolderPath returned: C:\Users\\AppData\Local
    MSI (s) (08:74) [21:45:54:757]: SHELL32::SHGetFolderPath returned: C:\Users\\Pictures
    MSI (s) (08:74) [21:45:54:772]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools
    MSI (s) (08:74) [21:45:54:772]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
    MSI (s) (08:74) [21:45:54:772]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs
    MSI (s) (08:74) [21:45:54:772]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu
    MSI (s) (08:74) [21:45:54:772]: SHELL32::SHGetFolderPath returned: C:\Users\Public\Desktop
    MSI (s) (08:74) [21:45:54:772]: SHELL32::SHGetFolderPath returned: C:\Users\\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
    MSI (s) (08:74) [21:45:54:772]: SHELL32::SHGetFolderPath returned: C:\Users\\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
    MSI (s) (08:74) [21:45:54:772]: SHELL32::SHGetFolderPath returned: C:\Users\\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
    MSI (s) (08:74) [21:45:54:772]: SHELL32::SHGetFolderPath returned: C:\Users\\AppData\Roaming\Microsoft\Windows\Start Menu
    MSI (s) (08:74) [21:45:54:772]: SHELL32::SHGetFolderPath returned: C:\Users\\Desktop
    MSI (s) (08:74) [21:45:54:788]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Templates
    MSI (s) (08:74) [21:45:54:788]: SHELL32::SHGetFolderPath returned: C:\Windows\Fonts
    MSI (s) (08:74) [21:45:54:788]: Note: 1: 2898 2: MS Sans Serif 3: MS Sans Serif 4: 0 5: 16 
    MSI (s) (08:74) [21:45:54:788]: MSI_LUA: Setting MsiRunningElevated property to 1 because the install is already running elevated.
    MSI (s) (08:74) [21:45:54:788]: PROPERTY CHANGE: Adding MsiRunningElevated property. Its value is '1'.
    MSI (s) (08:74) [21:45:54:788]: PROPERTY CHANGE: Adding Privileged property. Its value is '1'.
    MSI (s) (08:74) [21:45:54:788]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info 3: 2 
    MSI (s) (08:74) [21:45:54:788]: PROPERTY CHANGE: Adding USERNAME property. Its value is ' Mining'.
    MSI (s) (08:74) [21:45:54:788]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info 3: 2 
    MSI (s) (08:74) [21:45:54:788]: PROPERTY CHANGE: Adding COMPANYNAME property. Its value is ' Mining'.
    MSI (s) (08:74) [21:45:54:788]: PROPERTY CHANGE: Adding DATABASE property. Its value is 'C:\Windows\Installer\8ce8692f.msi'.
    MSI (s) (08:74) [21:45:54:788]: PROPERTY CHANGE: Adding OriginalDatabase property. Its value is 'C:\ProgramData\Package Cache\{DF33D195-E8F2-4AA7-89B2-BE2B97069333}v2.240.18319.21975\Microsoft.Tri.Sensor.Deployment.Package.msi'.
    MSI (s) (08:74) [21:45:54:788]: Machine policy value 'MsiDisableEmbeddedUI' is 0
    MSI (s) (08:74) [21:45:54:788]: EEUI - Disabling MsiEmbeddedUI due to existing external or embedded UI
    MSI (s) (08:74) [21:45:54:788]: EEUI - Disabling MsiEmbeddedUI for service because it's not a quiet/basic install
    MSI (s) (08:74) [21:45:54:788]: Note: 1: 2205 2:  3: PatchPackage 
    MSI (s) (08:74) [21:45:54:788]: Machine policy value 'DisableRollback' is 0
    MSI (s) (08:74) [21:45:54:788]: User policy value 'DisableRollback' is 0
    MSI (s) (08:74) [21:45:54:788]: PROPERTY CHANGE: Adding UILevel property. Its value is '2'.
    MSI (s) (08:74) [21:45:54:788]: PROPERTY CHANGE: Adding MsiUISourceResOnly property. Its value is '1'.
    === Logging started: 2024-11-12  21:45:54 ===
    MSI (s) (08:74) [21:45:54:788]: Note: 1: 2203 2: C:\Windows\Installer\inprogressinstallinfo.ipi 3: -2147287038 
    MSI (s) (08:74) [21:45:54:788]: APPCOMPAT: [DetectVersionLaunchCondition] Launch condition already passes.
    MSI (s) (08:74) [21:45:54:788]: PROPERTY CHANGE: Adding ACTION property. Its value is 'INSTALL'.
    MSI (s) (08:74) [21:45:54:788]: Doing action: INSTALL
    MSI (s) (08:74) [21:45:54:788]: Note: 1: 2205 2:  3: ActionText 
    Action start 21:45:54: INSTALL.
    MSI (s) (08:74) [21:45:54:788]: Running ExecuteSequence
    MSI (s) (08:74) [21:45:54:788]: Doing action: FindRelatedProducts
    MSI (s) (08:74) [21:45:54:788]: Note: 1: 2205 2:  3: ActionText 
    Action start 21:45:54: FindRelatedProducts.
    MSI (s) (08:74) [21:45:54:788]: Doing action: LaunchConditions
    MSI (s) (08:74) [21:45:54:788]: Note: 1: 2205 2:  3: ActionText 
    Action ended 21:45:54: FindRelatedProducts. Return value 1.
    Action start 21:45:54: LaunchConditions.
    MSI (s) (08:74) [21:45:54:788]: Doing action: ValidateProductID
    MSI (s) (08:74) [21:45:54:788]: Note: 1: 2205 2:  3: ActionText 
    Action ended 21:45:54: LaunchConditions. Return value 1.
    Action start 21:45:54: ValidateProductID.
    MSI (s) (08:74) [21:45:54:788]: Doing action: CostInitialize
    MSI (s) (08:74) [21:45:54:788]: Note: 1: 2205 2:  3: ActionText 
    Action ended 21:45:54: ValidateProductID. Return value 1.
    MSI (s) (08:74) [21:45:54:788]: Machine policy value 'MaxPatchCacheSize' is 10
    MSI (s) (08:74) [21:45:54:788]: PROPERTY CHANGE: Adding ROOTDRIVE property. Its value is 'C:\'.
    MSI (s) (08:74) [21:45:54:788]: PROPERTY CHANGE: Adding CostingComplete property. Its value is '0'.
    MSI (s) (08:74) [21:45:54:788]: Note: 1: 2205 2:  3: Patch 
    MSI (s) (08:74) [21:45:54:788]: Note: 1: 2205 2:  3: PatchPackage 
    MSI (s) (08:74) [21:45:54:788]: Note: 1: 2205 2:  3: MsiPatchHeaders 
    MSI (s) (08:74) [21:45:54:788]: Note: 1: 2205 2:  3: __MsiPatchFileList 
    MSI (s) (08:74) [21:45:54:788]: Note: 1: 2205 2:  3: PatchPackage 
    MSI (s) (08:74) [21:45:54:788]: Note: 1: 2228 2:  3: PatchPackage 4: SELECT `DiskId`, `PatchId`, `LastSequence` FROM `Media`, `PatchPackage` WHERE `Media`.`DiskId`=`PatchPackage`.`Media_` ORDER BY `DiskId`  
    MSI (s) (08:74) [21:45:54:788]: Note: 1: 2205 2:  3: Patch 
    Action start 21:45:54: CostInitialize.
    MSI (s) (08:74) [21:45:54:788]: Doing action: FileCost
    MSI (s) (08:74) [21:45:54:788]: Note: 1: 2205 2:  3: ActionText 
    Action ended 21:45:54: CostInitialize. Return value 1.
    MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2:  3: MsiAssembly 
    Action start 21:45:54: FileCost.
    MSI (s) (08:74) [21:45:54:804]: Doing action: CostFinalize
    MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2:  3: ActionText 
    Action ended 21:45:54: FileCost. Return value 1.
    MSI (s) (08:74) [21:45:54:804]: PROPERTY CHANGE: Adding OutOfDiskSpace property. Its value is '0'.
    MSI (s) (08:74) [21:45:54:804]: PROPERTY CHANGE: Adding OutOfNoRbDiskSpace property. Its value is '0'.
    MSI (s) (08:74) [21:45:54:804]: PROPERTY CHANGE: Adding PrimaryVolumeSpaceAvailable property. Its value is '0'.
    MSI (s) (08:74) [21:45:54:804]: PROPERTY CHANGE: Adding PrimaryVolumeSpaceRequired property. Its value is '0'.
    MSI (s) (08:74) [21:45:54:804]: PROPERTY CHANGE: Adding PrimaryVolumeSpaceRemaining property. Its value is '0'.
    MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2:  3: Patch 
    MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2:  3: Condition 
    MSI (s) (08:74) [21:45:54:804]: PROPERTY CHANGE: Adding TARGETDIR property. Its value is 'C:\'.
    MSI (s) (08:74) [21:45:54:804]: Target path resolution complete. Dumping Directory table...
    MSI (s) (08:74) [21:45:54:804]: Note: target paths subject to change (via custom actions or browsing)
    MSI (s) (08:74) [21:45:54:804]: Dir (target): Key: TARGETDIR    , Object: C:\
    MSI (s) (08:74) [21:45:54:804]: PROPERTY CHANGE: Adding INSTALLLEVEL property. Its value is '1'.
    MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2:  3: MsiAssembly 
    MSI (s) (08:74) [21:45:54:804]: Note: 1: 2228 2:  3: MsiAssembly 4:  SELECT `MsiAssembly`.`Attributes`, `MsiAssembly`.`File_Application`, `MsiAssembly`.`File_Manifest`,  `Component`.`KeyPath` FROM `MsiAssembly`, `Component` WHERE  `MsiAssembly`.`Component_` = `Component`.`Component` AND `MsiAssembly`.`Component_` = ? 
    Action start 21:45:54: CostFinalize.
    MSI (s) (08:74) [21:45:54:804]: Doing action: MigrateFeatureStates
    MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2:  3: ActionText 
    Action ended 21:45:54: CostFinalize. Return value 1.
    Action start 21:45:54: MigrateFeatureStates.
    MSI (s) (08:74) [21:45:54:804]: Doing action: InstallValidate
    MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2:  3: ActionText 
    Action ended 21:45:54: MigrateFeatureStates. Return value 0.
    MSI (s) (08:74) [21:45:54:804]: PROPERTY CHANGE: Deleting MsiRestartManagerSessionKey property. Its current value is '601df937026b46449ac301f16dd2624d'.
    MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2:  3: Dialog 
    MSI (s) (08:74) [21:45:54:804]: Feature: ProductFeature; Installed: Absent;   Request: Local;   Action: Local
    MSI (s) (08:74) [21:45:54:804]: Component: ProductComponent; Installed: Absent;   Request: Local;   Action: Local
    MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2:  3: Registry 
    MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2:  3: BindImage 
    MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2:  3: ProgId 
    MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2:  3: PublishComponent 
    MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2:  3: SelfReg 
    MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2:  3: Extension 
    MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2:  3: Font 
    MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2:  3: Shortcut 
    MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2:  3: Class 
    MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2:  3: Icon 
    MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2:  3: TypeLib 
    Action start 21:45:54: InstallValidate.
    MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2:  3: _RemoveFilePath 
    MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2:  3: MsiFileHash 
    MSI (s) (08:74) [21:45:54:804]: PROPERTY CHANGE: Modifying CostingComplete property. Its current value is '0'. Its new value: '1'.
    MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2:  3: Registry 
    MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2:  3: BindImage 
    MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2:  3: ProgId 
    MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2:  3: PublishComponent 
    MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2:  3: SelfReg 
    MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2:  3: Extension 
    MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2:  3: Font 
    MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2:  3: Shortcut 
    MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2:  3: Class 
    MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2:  3: Icon 
    MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2:  3: TypeLib 
    MSI (s) (08:74) [21:45:54:804]: Note: 1: 2727 2:  
    MSI (s) (08:74) [21:45:54:804]: Note: 1: 2205 2:  3: FilesInUse 
    MSI (s) (08:74) [21:45:54:819]: Note: 1: 2727 2:  
    MSI (s) (08:74) [21:45:54:819]: Doing action: InstallInitialize
    MSI (s) (08:74) [21:45:54:819]: Note: 1: 2205 2:  3: ActionText 
    Action ended 21:45:54: InstallValidate. Return value 1.
    MSI (s) (08:74) [21:45:54:819]: Machine policy value 'AlwaysInstallElevated' is 0
    MSI (s) (08:74) [21:45:54:819]: User policy value 'AlwaysInstallElevated' is 0
    MSI (s) (08:74) [21:45:54:819]: BeginTransaction: Locking Server
    MSI (s) (08:74) [21:45:54:819]: Note: 1: 2203 2: C:\Windows\Installer\inprogressinstallinfo.ipi 3: -2147287038 
    MSI (s) (08:74) [21:45:54:819]: SRSetRestorePoint skipped for this transaction.
    MSI (s) (08:74) [21:45:54:819]: Note: 1: 2203 2: C:\Windows\Installer\inprogressinstallinfo.ipi 3: -2147287038 
    MSI (s) (08:74) [21:45:54:819]: Server not locked: locking for product {DF33D195-E8F2-4AA7-89B2-BE2B97069333}
    Action start 21:45:54: InstallInitialize.
    MSI (s) (08:74) [21:45:54:819]: Doing action: InstallCustomAction
    MSI (s) (08:74) [21:45:54:819]: Note: 1: 2205 2:  3: ActionText 
    Action ended 21:45:54: InstallInitialize. Return value 1.
    MSI (s) (08:74) [21:45:54:929]: Invoking remote custom action. DLL: C:\Windows\Installer\MSI4C07.tmp, Entrypoint: Install
    MSI (s) (08:7C) [21:45:54:929]: Generating random cookie.
    MSI (s) (08:7C) [21:45:54:944]: Created Custom Action Server with PID 8032 (0x1F60).
    MSI (s) (08:58) [21:45:55:025]: Running as a service.
    MSI (s) (08:58) [21:45:55:035]: Hello, I'm your 64bit Impersonated custom action server.
    Action start 21:45:54: InstallCustomAction.
    SFXCA: Extracting custom action to temporary directory: C:\Windows\Installer\MSI4C07.tmp-\
    SFXCA: Binding to CLR version v4.0.30319
    Calling custom action Microsoft.Tri.Sensor.Deployment.Package.Actions!Microsoft.Tri.Sensor.Deployment.Package.Actions.CustomActions.Install
    2024-11-12 20:45:58.1401 Debug CustomActions RunActionGroup InstallActionGroup started
    2024-11-12 20:45:58.1714 Debug InstallActionGroup Apply started
    2024-11-12 20:45:58.1714 Debug CreateDirectoryDeploymentAction Apply started [suppressFailure=False]
    2024-11-12 20:45:58.1714 Debug CreateDirectoryDeploymentAction Apply finished
    2024-11-12 20:45:58.1714 Debug DownloadMinorDeploymentPackageBytesAction Apply started [suppressFailure=False]
    2024-11-12 20:46:01.6873 Debug DownloadMinorDeploymentPackageBytesAction Apply finished
    2024-11-12 20:46:01.6873 Debug UnpackDeploymentPackageBytesAction Apply started [suppressFailure=False]
    2024-11-12 20:46:03.7628 Debug UnpackDeploymentPackageBytesAction Apply finished
    2024-11-12 20:46:03.8566 Debug RunDeployerMajorDeploymentAction Apply started [suppressFailure=False]
    2024-11-12 20:46:03.8817 Info  RunDeployerMajorDeploymentAction ApplyInternal started [filePath=P3HzAbwBceDUmJ8wG4vFPA== _arguments=T4sYPoIz64FeLb4UnM4vNA==]
    2024-11-12 20:46:09.3752 Info  RunDeployerMajorDeploymentAction ApplyInternal finished [isSuccessful=False]
    2024-11-12 20:46:09.3908 Debug InstallActionGroup Revert started
    2024-11-12 20:46:09.3908 Warn  InstallActionGroup Revert reverting [rollbackAction=UnpackDeploymentPackageBytesAction index=0 count=3]
    2024-11-12 20:46:09.3908 Debug UnpackDeploymentPackageBytesAction Revert started
    2024-11-12 20:46:09.4636 Debug UnpackDeploymentPackageBytesAction Revert finished
    2024-11-12 20:46:09.4656 Warn  InstallActionGroup Revert reverting [rollbackAction=DownloadMinorDeploymentPackageBytesAction index=1 count=3]
    2024-11-12 20:46:09.4666 Debug DownloadMinorDeploymentPackageBytesAction Revert started
    2024-11-12 20:46:09.4676 Debug DownloadMinorDeploymentPackageBytesAction Revert finished
    2024-11-12 20:46:09.4686 Warn  InstallActionGroup Revert reverting [rollbackAction=CreateDirectoryDeploymentAction index=2 count=3]
    2024-11-12 20:46:09.4706 Debug CreateDirectoryDeploymentAction Revert started
    2024-11-12 20:46:09.4716 Debug CreateDirectoryDeploymentAction Revert finished
    2024-11-12 20:46:09.4726 Debug InstallActionGroup Revert finished
    2024-11-12 20:46:09.4907 Error DeploymentAction Failed to apply InstallActionGroup
    Microsoft.Tri.Infrastructure.ExtendedException: Apply failed [Type=RunDeployerMajorDeploymentAction]
       at Microsoft.Tri.Sensor.Common.DeploymentAction.Apply(Boolean suppressFailure)
       at Microsoft.Tri.Sensor.Common.DeploymentActionGroup.Apply(Boolean suppressFailure)
       at Microsoft.Tri.Sensor.Deployment.Package.Actions.CustomActions.RunActionGroup(DeploymentActionGroup deploymentActionGroup, Session session)
    2024-11-12 20:46:09.4907 Debug CustomActions RunActionGroup InstallActionGroup finished [result=Failure]
    CustomAction InstallCustomAction returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
    MSI (s) (08:74) [21:46:09:662]: Note: 1: 2265 2:  3: -2147287035 
    MSI (s) (08:74) [21:46:09:693]: Machine policy value 'DisableRollback' is 0
    MSI (s) (08:74) [21:46:09:693]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2 
    Action ended 21:46:09: InstallCustomAction. Return value 3.
    MSI (s) (08:74) [21:46:09:693]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2 
    MSI (s) (08:74) [21:46:09:693]: No System Restore sequence number for this installation.
    MSI (s) (08:74) [21:46:09:693]: Unlocking Server
    Action ended 21:46:09: INSTALL. Return value 3.
    Property(S): UpgradeCode = {EDFB49E0-16FA-4535-B268-BD1B81B15DC2}
    Property(S): TARGETDIR = C:\
    Property(S): ALLUSERS = 1
    Property(S): Manufacturer = Microsoft Corporation
    Property(S): ProductCode = {DF33D195-E8F2-4AA7-89B2-BE2B97069333}
    Property(S): ProductLanguage = 1033
    Property(S): ProductName = Azure Advanced Threat Protection Sensor
    Property(S): ProductVersion = 2.240.18319.21975
    Property(S): SecureCustomProperties = WIX_DOWNGRADE_DETECTED;WIX_UPGRADE_DETECTED
    Property(S): MsiHiddenProperties = ACCESSKEY;PROXYCONFIGURATION
    Property(S): MsiLogFileLocation = C:\Users\\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20241112214452_000_MsiPackage.log
    Property(S): PackageCode = {BBAD208E-F5BC-48CB-8E78-310DB24A4232}
    Property(S): ProductState = -1
    Property(S): PackagecodeChanging = 1
    Property(S): ARPSYSTEMCOMPONENT = 1
    Property(S): MSIFASTINSTALL = 7
    Property(S): ACCESSKEY = **********
    Property(S): INSTALLATIONPATH = C:\Program Files\Azure Advanced Threat Protection Sensor
    Property(S): WIXBUNDLEORIGINALSOURCEFOLDER = C:\temp\GLB-C-DefenderForIdentitySensor\
    Property(S): REBOOT = ReallySuppress
    Property(S): CURRENTDIRECTORY = C:\temp\GLB-C-DefenderForIdentitySensor
    Property(S): CLIENTUILEVEL = 3
    Property(S): MSICLIENTUSESEXTERNALUI = 1
    Property(S): CLIENTPROCESSID = 6720
    Property(S): MsiSystemRebootPending = 1
    Property(S): VersionDatabase = 500
    Property(S): VersionMsi = 5.00
    Property(S): VersionNT = 603
    Property(S): VersionNT64 = 603
    Property(S): WindowsBuild = 9600
    Property(S): ServicePackLevel = 0
    Property(S): ServicePackLevelMinor = 0
    Property(S): MsiNTProductType = 2
    Property(S): MsiNTSuiteDataCenter = 1
    Property(S): WindowsFolder = C:\Windows\
    Property(S): WindowsVolume = C:\
    Property(S): System64Folder = C:\Windows\system32\
    Property(S): SystemFolder = C:\Windows\SysWOW64\
    Property(S): RemoteAdminTS = 1
    Property(S): TempFolder = C:\Users\\AppData\Local\Temp\
    Property(S): ProgramFilesFolder = C:\Program Files (x86)\
    Property(S): CommonFilesFolder = C:\Program Files (x86)\Common Files\
    Property(S): ProgramFiles64Folder = C:\Program Files\
    Property(S): CommonFiles64Folder = C:\Program Files\Common Files\
    Property(S): AppDataFolder = C:\Users\\AppData\Roaming\
    Property(S): FavoritesFolder = C:\Users\\Favorites\
    Property(S): NetHoodFolder = C:\Users\\AppData\Roaming\Microsoft\Windows\Network Shortcuts\
    Property(S): PersonalFolder = C:\Users\\Documents\
    Property(S): PrintHoodFolder = C:\Users\\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\
    Property(S): RecentFolder = C:\Users\\AppData\Roaming\Microsoft\Windows\Recent\
    Property(S): SendToFolder = C:\Users\\AppData\Roaming\Microsoft\Windows\SendTo\
    Property(S): TemplateFolder = C:\ProgramData\Microsoft\Windows\Templates\
    Property(S): CommonAppDataFolder = C:\ProgramData\
    Property(S): LocalAppDataFolder = C:\Users\\AppData\Local\
    Property(S): MyPicturesFolder = C:\Users\\Pictures\
    Property(S): AdminToolsFolder = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\
    Property(S): StartupFolder = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
    Property(S): ProgramMenuFolder = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\
    Property(S): StartMenuFolder = C:\ProgramData\Microsoft\Windows\Start Menu\
    Property(S): DesktopFolder = C:\Users\Public\Desktop\
    Property(S): FontsFolder = C:\Windows\Fonts\
    Property(S): GPTSupport = 1
    Property(S): OLEAdvtSupport = 1
    Property(S): ShellAdvtSupport = 1
    Property(S): MsiAMD64 = 6
    Property(S): Msix64 = 6
    Property(S): Intel = 6
    Property(S): PhysicalMemory = 12288
    Property(S): VirtualMemory = 8279
    Property(S): AdminUser = 1
    Property(S): MsiTrueAdminUser = 1
    Property(S): LogonUser = 
    Property(S): UserSID = S-1-5-21-4037986163-3075043171-3260184774-163117
    Property(S): UserLanguageID = 1053
    Property(S): ComputerName = ZMDC07
    Property(S): SystemLanguageID = 1053
    Property(S): ScreenX = 1024
    Property(S): ScreenY = 768
    Property(S): CaptionHeight = 23
    Property(S): BorderTop = 1
    Property(S): BorderSide = 1
    Property(S): MsiTabletPC = 1
    Property(S): TextHeight = 16
    Property(S): TextInternalLeading = 3
    Property(S): ColorBits = 32
    Property(S): TTCSupport = 1
    Property(S): Time = 21:46:09
    Property(S): Date = 2024-11-12
    Property(S): MsiNetAssemblySupport = 4.8.3761.0
    Property(S): MsiWin32AssemblySupport = 6.3.14393.5786
    Property(S): RedirectedDllSupport = 2
    Property(S): MsiRunningElevated = 1
    Property(S): Privileged = 1
    Property(S): USERNAME =  Mining
    Property(S): COMPANYNAME =  Mining
    Property(S): DATABASE = C:\Windows\Installer\8ce8692f.msi
    Property(S): OriginalDatabase = C:\ProgramData\Package Cache\{DF33D195-E8F2-4AA7-89B2-BE2B97069333}v2.240.18319.21975\Microsoft.Tri.Sensor.Deployment.Package.msi
    Property(S): UILevel = 2
    Property(S): MsiUISourceResOnly = 1
    Property(S): ACTION = INSTALL
    Property(S): ROOTDRIVE = C:\
    Property(S): CostingComplete = 1
    Property(S): OutOfDiskSpace = 0
    Property(S): OutOfNoRbDiskSpace = 0
    Property(S): PrimaryVolumeSpaceAvailable = 0
    Property(S): PrimaryVolumeSpaceRequired = 0
    Property(S): PrimaryVolumeSpaceRemaining = 0
    Property(S): INSTALLLEVEL = 1
    MSI (s) (08:74) [21:46:09:756]: Note: 1: 1708 
    MSI (s) (08:74) [21:46:09:756]: Note: 1: 2205 2:  3: Error 
    MSI (s) (08:74) [21:46:09:756]: Note: 1: 2228 2:  3: Error 4: SELECT `Message` FROM `Error` WHERE `Error` = 1708 
    MSI (s) (08:74) [21:46:09:756]: Note: 1: 2205 2:  3: Error 
    MSI (s) (08:74) [21:46:09:756]: Note: 1: 2228 2:  3: Error 4: SELECT `Message` FROM `Error` WHERE `Error` = 1709 
    MSI (s) (08:74) [21:46:09:756]: Product: Azure Advanced Threat Protection Sensor -- Installation failed.

    MSI (s) (08:74) [21:46:09:756]: Windows Installer installed the product. Product Name: Azure Advanced Threat Protection Sensor. Product Version: 2.240.18319.21975. Product Language: 1033. Manufacturer: Microsoft Corporation. Installation success or error status: 1603.

    MSI (s) (08:74) [21:46:09:772]: Deferring clean up of packages/files, if any exist
    MSI (s) (08:74) [21:46:09:772]: MainEngineThread is returning 1603
    MSI (s) (08:A0) [21:46:09:772]: RESTART MANAGER: Session closed.
    MSI (s) (08:A0) [21:46:09:772]: No System Restore sequence number for this installation.
    === Logging stopped: 2024-11-12  21:46:09 ===
    MSI (s) (08:A0) [21:46:09:787]: User policy value 'DisableRollback' is 0
    MSI (s) (08:A0) [21:46:09:787]: Machine policy value 'DisableRollback' is 0
    MSI (s) (08:A0) [21:46:09:787]: Incrementing counter to disable shutdown. Counter after increment: 0
    MSI (s) (08:A0) [21:46:09:787]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2 
    MSI (s) (08:A0) [21:46:09:787]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2 
    MSI (s) (08:A0) [21:46:09:803]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied.  Counter after decrement: -1
    MSI (s) (08:A0) [21:46:09:803]: Destroying RemoteAPI object.
    MSI (s) (08:7C) [21:46:09:803]: Custom Action Manager thread ending.
    MSI (c) (40:B0) [21:46:09:803]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied.  Counter after decrement: -1
    MSI (c) (40:B0) [21:46:09:803]: MainEngineThread is returning 1603
    === Verbose logging stopped: 2024-11-12  21:46:09 ===

     

     

    • EliOfek
      Microsoft

      This will require the deployer logs. The answer on what broke this time should be there.
      I think that it's better at this point to contact support to help you do a "manual cleanup" to make sure you reinstall without any leftovers that might block you.
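The MSI log in this thread records only that the `RunDeployerMajorDeploymentAction` step finished with `isSuccessful=False`, which is why the reply points to the deployer logs for the cause. The following is an added example, not part of the original posts and not Microsoft's tooling: a triage script that pulls the failing action, the custom action error code, the failed sensor deployment step and the rollback order out of a verbose MSI log like this one. The function names `triage` and `innermost_failure` are this example's own, and the sample lines are an excerpt copied from the log above.

```python
import re

# Excerpt of the MSI log posted above (lines copied from the post, indent dropped).
SAMPLE_LOG = """\
MSI (s) (08:74) [21:45:54:741]: PROPERTY CHANGE: Adding MsiSystemRebootPending property. Its value is '1'.
Action ended 21:45:54: InstallInitialize. Return value 1.
2024-11-12 20:46:03.8566 Debug RunDeployerMajorDeploymentAction Apply started [suppressFailure=False]
2024-11-12 20:46:09.3752 Info  RunDeployerMajorDeploymentAction ApplyInternal finished [isSuccessful=False]
2024-11-12 20:46:09.3908 Warn  InstallActionGroup Revert reverting [rollbackAction=UnpackDeploymentPackageBytesAction index=0 count=3]
2024-11-12 20:46:09.4656 Warn  InstallActionGroup Revert reverting [rollbackAction=DownloadMinorDeploymentPackageBytesAction index=1 count=3]
2024-11-12 20:46:09.4686 Warn  InstallActionGroup Revert reverting [rollbackAction=CreateDirectoryDeploymentAction index=2 count=3]
Microsoft.Tri.Infrastructure.ExtendedException: Apply failed [Type=RunDeployerMajorDeploymentAction]
CustomAction InstallCustomAction returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 21:46:09: InstallCustomAction. Return value 3.
Action ended 21:46:09: INSTALL. Return value 3.
MSI (s) (08:74) [21:46:09:772]: MainEngineThread is returning 1603
"""

# "Return value 3" is how Windows Installer marks an action that failed.
MSI_ACTION_FAILED = 3

ACTION_END = re.compile(
    r"Action ended \d{1,2}:\d{2}:\d{2}: (?P<name>[^.]+)\. Return value (?P<rv>\d+)\."
)
CA_ERROR = re.compile(
    r"CustomAction (?P<name>\S+) returned actual error code (?P<code>\d+)"
)
STEP_RESULT = re.compile(
    r"(?P<step>\w+) ApplyInternal finished \[isSuccessful=(?P<ok>True|False)\]"
)
APPLY_FAILED = re.compile(r"Apply failed \[Type=(?P<type>\w+)\]")
ROLLBACK = re.compile(r"rollbackAction=(?P<name>\w+)")
ENGINE_RETURN = re.compile(r"MainEngineThread is returning (?P<code>\d+)")
REBOOT_PENDING = re.compile(
    r"Adding MsiSystemRebootPending property\. Its value is '1'"
)


def triage(text):
    """Collect the failure-relevant facts from a verbose MSI log."""
    report = {
        "failed_actions": [],        # MSI actions that ended with return value 3
        "custom_action_errors": [],  # (custom action, error code)
        "failed_steps": [],          # sensor deployment steps with isSuccessful=False
        "exceptions": [],            # types named in "Apply failed [Type=...]"
        "rollbacks": [],             # deployment steps reverted, in log order
        "engine_return": None,       # last MainEngineThread return code
        "reboot_pending": False,     # context only, not proof of the cause
    }
    for line in text.splitlines():
        m = ACTION_END.search(line)
        if m and int(m["rv"]) == MSI_ACTION_FAILED:
            report["failed_actions"].append(m["name"])
        m = CA_ERROR.search(line)
        if m:
            report["custom_action_errors"].append((m["name"], int(m["code"])))
        m = STEP_RESULT.search(line)
        if m and m["ok"] == "False":
            report["failed_steps"].append(m["step"])
        m = APPLY_FAILED.search(line)
        if m:
            report["exceptions"].append(m["type"])
        m = ROLLBACK.search(line)
        if m:
            report["rollbacks"].append(m["name"])
        m = ENGINE_RETURN.search(line)
        if m:
            report["engine_return"] = int(m["code"])
        if REBOOT_PENDING.search(line):
            report["reboot_pending"] = True
    return report


def innermost_failure(report):
    """Return (kind, name) for the most specific failing component found."""
    if report["failed_steps"]:
        return ("sensor deployment step", report["failed_steps"][0])
    if report["custom_action_errors"]:
        return ("custom action", report["custom_action_errors"][0][0])
    if report["failed_actions"]:
        return ("msi action", report["failed_actions"][0])
    return None


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("innermost failure:", innermost_failure(result))
```

To run it against a real log, pass the contents of the `_MsiPackage.log` file to `triage` instead of `SAMPLE_LOG`.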
