Sensor service keeps restarting (after auto upgrade)

Hi all,

I installed multiple Azure ATP Sensors yesterday on Windows 2019 and 2022 servers, but one is failing to report in the console today.

I've checked the system and the AATPSensor service is always in the starting / stopped / starting state.

The Tri.Sensor-Errors.log shows this:

2024-02-08 13:35:20.1835 Error RegistryKey System.OutOfMemoryException: Exception of type 'System.OutOfMemoryException' was thrown.
   at object Microsoft.Win32.RegistryKey.InternalGetValue(string name, object defaultValue, bool doNotExpand, bool checkSecurity)
   at object Microsoft.Win32.RegistryKey.GetValue(string name)
   at byte[] System.Diagnostics.PerformanceMonitor.GetData(string item)
   at byte[] System.Diagnostics.PerformanceCounterLib.GetPerformanceData(string item)
   at Hashtable System.Diagnostics.PerformanceCounterLib.get_CategoryTable()
   at CategorySample System.Diagnostics.PerformanceCounterLib.GetCategorySample(string category)
   at CategorySample System.Diagnostics.PerformanceCounterLib.GetCategorySample(string machine, string category)
   at string[] System.Diagnostics.PerformanceCounterCategory.GetCounterInstances(string categoryName, string machineName)
   at new Microsoft.Tri.Infrastructure.MetricManager(IConfigurationManager configurationManager)
   at object lambda_method(Closure, object[])
   at object Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate()
   at void Microsoft.Tri.Infrastructure.ModuleManager.AddModules(Type[] moduleTypes)
   at new Microsoft.Tri.Sensor.SensorModuleManager()
   at ModuleManager Microsoft.Tri.Sensor.SensorService.CreateModuleManager()
   at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()
   at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
   at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)
2024-02-08 13:35:29.0122 Error RegistryKey System.OutOfMemoryException: Exception of type 'System.OutOfMemoryException' was thrown.
   at object Microsoft.Win32.RegistryKey.InternalGetValue(string name, object defaultValue, bool doNotExpand, bool checkSecurity)
   at object Microsoft.Win32.RegistryKey.GetValue(string name)
   at byte[] System.Diagnostics.PerformanceMonitor.GetData(string item)
   at byte[] System.Diagnostics.PerformanceCounterLib.GetPerformanceData(string item)
   at Hashtable System.Diagnostics.PerformanceCounterLib.get_CategoryTable()
   at CategorySample System.Diagnostics.PerformanceCounterLib.GetCategorySample(string category)
   at CategorySample System.Diagnostics.PerformanceCounterLib.GetCategorySample(string machine, string category)
   at string[] System.Diagnostics.PerformanceCounterCategory.GetCounterInstances(string categoryName, string machineName)
   at new Microsoft.Tri.Infrastructure.MetricManager(IConfigurationManager configurationManager)
   at object lambda_method(Closure, object[])
   at object Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate()
   at void Microsoft.Tri.Infrastructure.ModuleManager.AddModules(Type[] moduleTypes)
   at new Microsoft.Tri.Sensor.SensorModuleManager()
   at ModuleManager Microsoft.Tri.Sensor.SensorService.CreateModuleManager()
   at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()
   at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
   at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)
2024-02-08 13:35:37.9346 Error RegistryKey System.OutOfMemoryException: Exception of type 'System.OutOfMemoryException' was thrown.

I've tried rebooting the server, but that didn't fix the problem.

Then I removed the installation, and reinstalled the sensor.

That didn't help, either.

Looks like there was an update installed after the initial setup yesterday, since there were two folders in C:\Program Files\Azure Advanced Threat Protection Sensor:

2.227.17547.62185
2.228.17612.22841

I also tried to solve the problem with a re-downloaded installer package from today (it was a different size), but that didn't help. The version installed is now the second one from above.

Any hints on the error message?

Thanks in advance

Chris

5 Replies

@ChrisVie
Please run this command from a PowerShell session on the failing machine:

(New-Object System.Diagnostics.PerformanceCounterCategory("Network Interface")).GetInstanceNames()

And let me know the result.

I can't see any relation to version 2.228; it looks like we are failing when trying to look up instances of the "Network Interface" perf counter category.

I am guessing something is wrong with this category registration, that fails the interface we are using.
The PowerShell command above does (almost) the same thing, so if there is an OS issue it should manifest there as well...

@Eli Ofek 
Hi Eli,

Thanks for the update. I ran the command; here's the output:

Intel[R] PRO_1000 EB Network Connection with I_O Acceleration

Regards

Chris

It seems to work from PowerShell.
So either it's related to running as local system or specific to dotnet interface.
Did you try to reboot the machine?
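
Added example, not part of the replies above: PowerShell functions that repeat the "Network Interface" lookup while recording which identity ran it (so an interactive session can be compared with LocalSystem), and that summarise how often Tri.Sensor-Errors.log records the same startup exception. The function names and the -LogPath parameter are hypothetical; the log line format is taken from the excerpts in this thread.

```powershell
# Added example (not from the thread). Function names and -LogPath are hypothetical.
function Test-PerfCategory {
    param([string]$Category = 'Network Interface')
    $who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $status = 'OK'; $names = @()
    try {
        if ([System.Diagnostics.PerformanceCounterCategory]::Exists($Category)) {
            $cat = New-Object System.Diagnostics.PerformanceCounterCategory($Category)
            $names = @($cat.GetInstanceNames())
        } else { $status = 'NotRegistered' }
    } catch {
        # PowerShell wraps .NET exceptions; unwrap to the innermost type
        $ex = $_.Exception
        while ($ex.InnerException) { $ex = $ex.InnerException }
        $status = $ex.GetType().FullName
    }
    [pscustomobject]@{ Identity = $who; Category = $Category; Status = $status; Instances = $names }
}

function Get-SensorErrorSummary {
    param([Parameter(Mandatory)][string]$LogPath)
    # Entry header: "<date> <time.ffff> Error <source> <exception type>: ..."
    $rx = '^(?<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{4}) Error (?<src>\S+) (?<type>[\w.]+):'
    $entries = foreach ($line in Get-Content -LiteralPath $LogPath) {
        if ($line -match $rx) {   # stack-frame lines ("   at ...") do not match
            [pscustomobject]@{
                Time = [datetime]::ParseExact($Matches['ts'], 'yyyy-MM-dd HH:mm:ss.ffff',
                           [cultureinfo]::InvariantCulture)
                Key  = '{0} / {1}' -f $Matches['src'], $Matches['type']
            }
        }
    }
    $entries | Group-Object Key | ForEach-Object {
        $t = @($_.Group.Time | Sort-Object)
        # Seconds between consecutive occurrences of the same error
        $gaps = @(for ($i = 1; $i -lt $t.Count; $i++) { ($t[$i] - $t[$i - 1]).TotalSeconds })
        [pscustomobject]@{
            Error     = $_.Name
            Count     = $_.Count
            First     = $t[0]
            Last      = $t[-1]
            AvgGapSec = if ($gaps.Count) { ($gaps | Measure-Object -Average).Average } else { $null }
        }
    }
}

Test-PerfCategory | Format-List
# Get-SensorErrorSummary -LogPath '<path to Tri.Sensor-Errors.log>'
```

An AvgGapSec of a few seconds under a single Error key means the service is failing at the same point on every start attempt. To compare against the service context, run Test-PerfCategory from a scheduled task configured to run as SYSTEM.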

Hello @Eli Ofek,

I did multiple reboots, but none fixed the problem.

The error persists, even after uninstalling the sensor, rebooting, installing again. There is no error message from the installer, but the log still shows the same messages:

2024-02-14 05:48:51.2504 Error RegistryKey System.OutOfMemoryException: Exception of type 'System.OutOfMemoryException' was thrown.
   at object Microsoft.Win32.RegistryKey.InternalGetValue(string name, object defaultValue, bool doNotExpand, bool checkSecurity)
   at object Microsoft.Win32.RegistryKey.GetValue(string name)
   at byte[] System.Diagnostics.PerformanceMonitor.GetData(string item)
   at byte[] System.Diagnostics.PerformanceCounterLib.GetPerformanceData(string item)
   at Hashtable System.Diagnostics.PerformanceCounterLib.get_CategoryTable()
   at CategorySample System.Diagnostics.PerformanceCounterLib.GetCategorySample(string category)
   at CategorySample System.Diagnostics.PerformanceCounterLib.GetCategorySample(string machine, string category)
   at string[] System.Diagnostics.PerformanceCounterCategory.GetCounterInstances(string categoryName, string machineName)
   at new Microsoft.Tri.Infrastructure.MetricManager(IConfigurationManager configurationManager)
   at object lambda_method(Closure, object[])
   at object Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate()
   at void Microsoft.Tri.Infrastructure.ModuleManager.AddModules(Type[] moduleTypes)
   at new Microsoft.Tri.Sensor.SensorModuleManager()
   at ModuleManager Microsoft.Tri.Sensor.SensorService.CreateModuleManager()
   at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()
   at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
   at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)
2024-02-14 05:49:00.2698 Error RegistryKey System.OutOfMemoryException: Exception of type 'System.OutOfMemoryException' was thrown.
   at object Microsoft.Win32.RegistryKey.InternalGetValue(string name, object defaultValue, bool doNotExpand, bool checkSecurity)
   at object Microsoft.Win32.RegistryKey.GetValue(string name)
   at byte[] System.Diagnostics.PerformanceMonitor.GetData(string item)
   at byte[] System.Diagnostics.PerformanceCounterLib.GetPerformanceData(string item)
   at Hashtable System.Diagnostics.PerformanceCounterLib.get_CategoryTable()
   at CategorySample System.Diagnostics.PerformanceCounterLib.GetCategorySample(string category)
   at CategorySample System.Diagnostics.PerformanceCounterLib.GetCategorySample(string machine, string category)
   at string[] System.Diagnostics.PerformanceCounterCategory.GetCounterInstances(string categoryName, string machineName)
   at new Microsoft.Tri.Infrastructure.MetricManager(IConfigurationManager configurationManager)
   at object lambda_method(Closure, object[])
   at object Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate()
   at void Microsoft.Tri.Infrastructure.ModuleManager.AddModules(Type[] moduleTypes)
   at new Microsoft.Tri.Sensor.SensorModuleManager()
   at ModuleManager Microsoft.Tri.Sensor.SensorService.CreateModuleManager()
   at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()
   at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
   at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)

UPDATE: After installing CU2024-02 (KB5034768) and rebooting again, the error seems to be fixed; the sensor is up and running on the Microsoft Defender for Identity page. The service is started, no more errors in the logs. Strange, the reboots before didn't help. But problem solved, thanks for your help!

Regards

Chris

Did you check if there are updates?