On-access driver error - Could not obtain an impersonation token. e03d000f or e03d02f0

  • Article ID: 110320
  • Rating:
  • 10 customers rated this article 3.3 out of 6
  • Updated: 19 Jun 2013

Issue

One of the following messages is reported to the console:

e03d000f "The on-access driver was unable to create an impersonation token for file <filename>"

or

e03d02f0 "Could not obtain an impersonation token for a resource shielding event."

First seen in

Sophos Anti-Virus for Windows 2000+

Cause
There are several causes of the alert from a client:

  • It is running low of memory (RAM).
  • One of the kernel pools is exhausted.
  • There is a memory leak in one or more of the drivers - this is not limited to Sophos drivers.
  • One or more processes running on the computer is holding an excessive number of handles.
  • There is a heavy load on the resources of the computer.
  • One or more services have temporarily become unresponsive.
  • The file reported in the message may not have been scanned.

What To Do

The errors mentioned above do not indicate a problem with Sophos Endpoint Security and Control and its ability to scan. As such they can be acknowledged without further action.

If the computer shows an increasing amount of these errors it may be in indication of a larger problem.

Is the error being generated (possibly repeatedly) at a particular time on day?

Check the Windows event logs (Start | Run | Type: eventvwr.msc | Press return) and look for other incidents of this error and/ or further warnings and errors. Also determine what process(es) are putting the computer under load and at what times/ dates the error is generated.  Repeating errors at a particular time of the day could indicate another program/ function, scheduled at that time, is causing the impact on system resources.

Is the pagefile configured correctly?

See the appropriate Microsoft article below:

For further reading see: RAM, Virtual Memory, Pagefile and all that stuff

Is the hard drive of the computer fragmented?

Are the on-access scanner settings too aggressive for the specification of the computer?

Note: Sophos Technical Support does not hold a list of vendor-specific exclusions for third party applications or computer roles. We recommend you contact the particular software vendor for the most precise list.

Technical Information

This issue can be seen on several different computers at different times, spread over a long period of time. The error can appear randomly and then disappear due to the computer(s) in question running low of memory temporarily. This performance issue then impedes Sophos Endpoint Security and Control and its ability to scan in various ways.

Part of the resource shielding process is to create an impersonation token based on the supplied access token or the security context of the current thread. This token is what is then sent to the SAVService (on-access scanner) process.

 
If you need more information or guidance, then please contact technical support.

Rate this article

Very poor Excellent

Comments