Sophos Anti-Virus CustomActions log shows 'Error opening Windows key'

  • Article ID: 57500
  • Updated: 05 Apr 2013

Issue

The Sophos Anti-Virus CustomActions Log shows:

MSI (s) (38:7C) [TIME]: Executing op: ActionStart(Name=RegisterBufferOverflowProtection,,)
MSI (s) (38:7C) [TIME]: Executing op: CustomActionSchedule(Action=RegisterBufferOverflowProtection, ActionType=1025,Source=BinaryData,Target=RegisterBufferOverflowProtection, CustomActionData=C:\Program Files\Sophos\Sophos Anti-Virus\)
MSI (s) (38:B8) [TIME]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI20.tmp, Entrypoint: RegisterBufferOverflowProtection
MSI (s) (38:7C) [TIME]: User policy value 'DisableRollback' is 0
MSI (s) (38:7C) [TIME]: Machine policy value 'DisableRollback' is 0
Action ended [TIME]: InstallFinalize. Return value 3.

In the C:\Windows\Temp\ folder the Sophos Anti-Virus CustomActions log shows:

[DATE] [TIME] Error opening Windows key
[DATE] [TIME] GetRidOfExistingDetoured - C:\Program Files\Sophos\Sophos Anti-Virus\detoured.dll does not exist, no further action.
[DATE] [TIME] Failed to open the AppInit_DLLs key
[DATE] [TIME] GetRidOfExistingDetoured - C:\Program Files\Sophos\Sophos Anti-Virus\sophos_detoured.dll detoured exists, proceeding to rename it & mark for delete.
...
[DATE] [TIME] Error deleting DesktopMessaging registry key. Returned error was: The system cannot find the file specified.
[DATE] [TIME] RestoreMovedFiles(): Unexpected error 0x00000003 when looking for temporary files
[DATE] [TIME] Unable to create an instance of ComponentManager - SystemInformation cannot be informed of end of update

First seen in

Sophos Endpoint Security and Control

Cause

Registry permissions are incorrectly set on:

For 32 bit operating systems

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

For 64 bit operating systems

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows

What to do

Note: Before continuing please read our warning about editing the registry in article 10388.

  1. Open the Registry Editor (Start | Run | type regedit.exe | press Return) and browse to the following keys:

    For 32 bit operating systems

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

    For 64 bit operating systems

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows

  2. Compare the security permissions on each key (right-click the key and select 'Permissions...') with the permissions on the same key on a computer that installed the endpoint software successfully. The affected key is likely to have the Everyone group set to 'Deny access' for all permissions.

  3. Correct the permissions on the affected computer and then redeploy the endpoint software.
  4. If the above fails, you can use the Subinacl tool to try to reset the registry as follows:
    • Download Subinacl from:
      http://www.microsoft.com/downloads/en/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en 
    • Once installed, set the permissions back to default by running the command:
      For 32 bit operating systems:
      • "%PROGRAMFILES%\Windows Resource Kits\Tools\subinacl.exe" /nostatistic /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /setowner=Administrators /GRANT=Everyone=F

      For 64 bit operating systems the command must be run twice, once for each key:
      • "%PROGRAMFILES%\Windows Resource Kits\Tools\subinacl.exe" /nostatistic /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /setowner=Administrators /GRANT=Everyone=F
      • "%PROGRAMFILES%\Windows Resource Kits\Tools\subinacl.exe" /nostatistic /keyreg "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows" /setowner=Administrators /GRANT=Everyone=F

You should now be able to continue with the installation.
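For the permission comparison in the procedure above, the following read-only PowerShell script lists every ACE on the two keys and flags Deny entries. It is an added example, not part of the original article or a Sophos tool; the function name Get-KeyAclReport and the CSV file name are hypothetical.

```powershell
# Added example: read-only report of the ACL on the keys named in this article.
# Run from an elevated PowerShell session of the same bitness as the OS.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'  # 64-bit only
)

function Get-KeyAclReport {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        try {
            $acl = Get-Acl -LiteralPath $p -ErrorAction Stop
        } catch {
            # Missing key (32-bit OS) or an ACL that cannot even be read.
            [pscustomobject]@{
                Key = $p; Owner = $null; Identity = $null
                Type = 'Unreadable'; Rights = $_.Exception.Message; Inherited = $null
            }
            continue
        }
        foreach ($ace in $acl.Access) {
            [pscustomobject]@{
                Key       = $p
                Owner     = $acl.Owner
                Identity  = $ace.IdentityReference.Value
                Type      = $ace.AccessControlType.ToString()
                Rights    = $ace.RegistryRights.ToString()
                Inherited = $ace.IsInherited
            }
        }
    }
}

$report = Get-KeyAclReport -Path $keys
$report | Format-Table -AutoSize

# Anything that is not a plain Allow entry is worth a look: Deny ACEs, unreadable keys.
$suspect = $report | Where-Object { $_.Type -ne 'Allow' }
if ($suspect) { Write-Warning "$(@($suspect).Count) Deny or unreadable entries found" }

# Save the report so it can be compared with one from a healthy computer.
# $env:COMPUTERNAME keeps the two files apart when copied to one folder.
$report | Export-Csv -Path ".\$($env:COMPUTERNAME)-windows-key-acl.csv" -NoTypeInformation
```

Run it on the affected computer and on one that installed successfully, then compare the two CSV files on the Identity, Type and Rights columns. Because this key holds the AppInit_DLLs value, running it again after the fix shows exactly which principals now have access to the key.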

If you need more information or guidance, then please contact technical support.