Microsoft Tech Community
SOLVED

AATPSensor Service stuck in starting process

Copper Contributor

Hi, We have AATP installed on 6 servers within our company and running ok on 5 of them.

On this one server, the AATPSensor service is stuck in starting status.

 

I've tried stopping the service and/or Microsoft.Tri.Sensor.exe without success; sometimes it keeps trying to open multiple processes of Microsoft.Tri.Sensor.exe, but all of them get stuck opening.

 

There is no Microsoft.Tri.Sensor-Errors.log being created and on the Microsoft.Tri.Sensor.Updater-Errors.log it only shows the following:

"2019-03-29 12:43:43.5677 Error ServiceControllerExtension Failed to change service status [name=AATPSensor status=Running Exception=System.ServiceProcess.TimeoutException: Time out has expired and the operation has not been completed.
at System.ServiceProcess.ServiceController.WaitForStatus(ServiceControllerStatus desiredStatus, TimeSpan timeout) at Microsoft.Tri.Infrastructure.ServiceControllerExtension.ChangeServiceStatus(String name, ServiceControllerStatus status, TimeSpan timeout, Nullable`1 awaitedStatus)]"

 

I've tried uninstalling/reinstalling the sensor, but every time it tries to start it gets stuck.

I've verified and made sure the credentials are correct on the AATP portal.

 

Any tips or help would be greatly appreciated. Thanks in advance!

8 Replies

@JCordova 

Hi, this can be from any number of reasons, from an AV blocking the process to a resource issue.

Can you please share the entire log folder?

 

@JCordova, look at: Microsoft.Tri.Sensor-Errors.log
It is probably crashing; the latest error before the crash should tell you what the problem is.

best response confirmed by JCordova (Copper Contributor)
Solution

 

Hi, finally after some days (about 3) the AATP was able to create the Microsoft.Tri.Sensor-Errors.log file and pointed me to an error with the WinPcap or NPF driver.

 

Just reinstalled the WinPcap driver, rebooted the server and voila, the AATP Sensor started running like a charm!

 

***** This needs to be added to the support/troubleshoot documentation, as the AATP error log took days to generate, and hence if it's already there as an option for users to verify in advance, users like me would tackle this right away *****

@Or Tsemah @Eli Ofek 

@JCordova Can you explain - how come only after 3 days you saw the log?

Wasn't the file created from the first crash? I was under the impression it was, but you previously looked in another file...

That was the difficult part of it, and I mentioned it in the 3rd paragraph: “There is no Microsoft.Tri.Sensor-Errors.log being created...”

So not sure why it took so long to create, but it wasn’t being created.

@JCordova, can you share with me (in a private message) your workspace ID and the name of the sensor machine (all in text format)?

You can get those from the AATP console UI by pressing on the question mark in the toolbar.

 

Hi all.

Where is this logfile located? I finally was able to install the agent using a scheduled task under 'system'. Now the agent is started on my physical DCs, but starting on my virtual ones... and no logfile to be found. Regards, Ben

Look for the sensor EXE location; it should have a "Logs" subfolder.
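
The checks discussed in this thread (service state, piled-up Microsoft.Tri.Sensor processes, the "Logs" subfolder next to the sensor EXE, and the capture driver) gathered into one PowerShell script. This is an added example, not part of the original posts and not Microsoft's tooling; the driver service name `npf` for WinPcap is an assumption, and the script should be run from an elevated prompt on the affected server.

```powershell
# Added example. Service and log file names are taken from the thread;
# 'npf' as the WinPcap driver's service name is an assumption.
$svc = Get-CimInstance Win32_Service -Filter "Name='AATPSensor'"
if (-not $svc) { Write-Warning 'AATPSensor service is not installed on this machine.'; return }

"AATPSensor: State=$($svc.State) StartMode=$($svc.StartMode) PID=$($svc.ProcessId)"

# A service stuck in 'Start Pending' can leave several sensor processes behind.
$procs = @(Get-Process -Name 'Microsoft.Tri.Sensor' -ErrorAction SilentlyContinue)
"Microsoft.Tri.Sensor processes running: $($procs.Count)"
$procs | Select-Object Id, StartTime, @{n='WorkingSetMB'; e={[int]($_.WorkingSet64 / 1MB)}}

# PathName may be quoted and may carry arguments; keep only the executable path.
if ($svc.PathName -match '^\s*"([^"]+)"' -or $svc.PathName -match '^\s*(.+?\.exe)') {
    $exe = $Matches[1]
} else {
    Write-Warning "Cannot parse service PathName: $($svc.PathName)"; return
}

# The logs live in a 'Logs' subfolder next to the sensor executable.
$logDir = Join-Path (Split-Path -Parent $exe) 'Logs'
foreach ($name in 'Microsoft.Tri.Sensor-Errors.log', 'Microsoft.Tri.Sensor.Updater-Errors.log') {
    $path = Join-Path $logDir $name
    if (Test-Path -LiteralPath $path) {
        "`n--- ${name} (last write: $((Get-Item -LiteralPath $path).LastWriteTime)) ---"
        Get-Content -LiteralPath $path -Tail 20
    } else {
        # Absence of the sensor error log does not rule out a driver problem (see the thread).
        "`n--- ${name}: not present in $logDir ---"
    }
}

# Check the packet-capture driver without waiting for the sensor to log an error.
$drv = Get-CimInstance Win32_SystemDriver -Filter "Name='npf'"
if ($drv) {
    "`nnpf driver: State=$($drv.State) StartMode=$($drv.StartMode) Path=$($drv.PathName)"
    if ($drv.State -ne 'Running') { Write-Warning 'npf driver is registered but not running.' }
} else {
    Write-Warning 'No driver named npf is registered; the capture driver may be missing or installed under another name.'
}
```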