Issue
The Sophos Anti-Virus CustomActions Log shows:
MSI (s) (38:7C) [TIME]: Executing op: ActionStart(Name=RegisterBufferOverflowProtection,,)
MSI (s) (38:7C) [TIME]: Executing op: CustomActionSchedule(Action=RegisterBufferOverflowProtection, ActionType=1025,Source=BinaryData,Target=RegisterBufferOverflowProtection, CustomActionData=C:\Program Files\Sophos\Sophos Anti-Virus\)
MSI (s) (38:B8) [TIME]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI20.tmp, Entrypoint: RegisterBufferOverflowProtection
MSI (s) (38:7C) [TIME]: User policy value 'DisableRollback' is 0
MSI (s) (38:7C) [TIME]: Machine policy value 'DisableRollback' is 0
Action ended [TIME]: InstallFinalize. Return value 3.
In the C:\Windows\Temp\ folder the Sophos Anti-Virus CustomActions log shows:
[DATE] [TIME] Error opening Windows key
[DATE] [TIME] GetRidOfExistingDetoured - C:\Program Files\Sophos\Sophos Anti-Virus\detoured.dll does not exist, no further action.
[DATE] [TIME] Failed to open the AppInit_DLLs key
[DATE] [TIME] GetRidOfExistingDetoured - C:\Program Files\Sophos\Sophos Anti-Virus\sophos_detoured.dll detoured exists, proceeding to rename it & mark for delete.
...
[DATE] [TIME] Error deleting DesktopMessaging registry key. Returned error was: The system cannot find the file specified.
[DATE] [TIME] RestoreMovedFiles(): Unexpected error 0x00000003 when looking for temporary files
[DATE] [TIME] Unable to create an instance of ComponentManager - SystemInformation cannot be informed of end of update
First seen in
Sophos Endpoint Security and Control
Cause
Registry permissions are incorrectly set on:
For 32 bit operating systems
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
For 64 bit operating systems
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
- HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows
What to do
Note: Before continuing please read our warning about editing the registry in article 10388.
- Open the Registry Editor (Start | Run | Type regedit.exe | Press return) and browse to the following keys:
For 32 bit operating systems
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
For 64 bit operating systems
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
- HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows
- Compare the security permissions of this key (to view them, right-click the key and select 'Permissions...') with the security permissions listed on the same key on a computer that successfully installed the endpoint software. The affected key is likely to have the Everyone group set to 'Deny access' for all permissions.
- Correct the permissions on the affected computer and then redeploy endpoint software.
If the above fails, you can use the Subinacl tool to try to reset the registry permissions as follows:
- Download Subinacl from:
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en
- Once installed, set the permissions back to default by running the command:
For 32 bit operating systems:
"%PROGRAMFILES%\Windows Resource Kits\Tools\subinacl.exe" /nostatistic /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /setowner=Administrators /GRANT=Everyone=F
For 64 bit operating systems the command will need to be run twice:
"%PROGRAMFILES%\Windows Resource Kits\Tools\subinacl.exe" /nostatistic /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /setowner=Administrators /GRANT=Everyone=F
"%PROGRAMFILES%\Windows Resource Kits\Tools\subinacl.exe" /nostatistic /keyreg "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows" /setowner=Administrators /GRANT=Everyone=F
You should now be able to continue with the installation.
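The permission comparison described under "What to do" can also be scripted. The following is an added example, not part of the original article or any Sophos tooling: a read-only PowerShell check that lists every access entry on the keys named above, marks Deny entries for Everyone, and marks non-administrative accounts that can modify the key (the key holds the AppInit_DLLs value mentioned in the log). The function name Get-WindowsKeyAclFindings is hypothetical; the SIDs are the well-known ones for Everyone, SYSTEM, Administrators, CREATOR OWNER and TrustedInstaller.

```powershell
# Added example (not Sophos code): read-only audit of the keys named in this article.
# Run from an elevated 64-bit PowerShell prompt on the affected computer.
function Get-WindowsKeyAclFindings {
    $paths = @('HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows')
    if ([Environment]::Is64BitOperatingSystem) {
        $paths += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
    }
    # Rights that allow changing values in the key (it holds AppInit_DLLs),
    # plus the raw GENERIC_ALL / GENERIC_WRITE bits.
    $write = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership' -bor 0x10000000 -bor 0x40000000
    # SYSTEM, Administrators, CREATOR OWNER, TrustedInstaller
    $admin = 'S-1-5-18', 'S-1-5-32-544', 'S-1-3-0',
             'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
    $sidType = [System.Security.Principal.SecurityIdentifier]

    foreach ($path in $paths) {
        try {
            $acl = Get-Acl -LiteralPath $path -ErrorAction Stop
        } catch {
            # A Deny entry for Everyone can block even reading the ACL.
            [pscustomobject]@{ Key = $path; Account = '-'; Type = '-'; Rights = '-'
                               Finding = "ACL unreadable: $($_.Exception.Message)" }
            continue
        }
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            $sid = $ace.IdentityReference.Value
            $finding = if ($ace.AccessControlType -eq 'Deny') {
                if ($sid -eq 'S-1-1-0') { 'Deny for Everyone (cause described above)' }
                else { 'Deny entry: compare with a working computer' }
            } elseif (($admin -notcontains $sid) -and (([int]$ace.RegistryRights -band $write) -ne 0)) {
                'Non-administrative account can modify this key'
            } else { 'OK' }
            $name = try { $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
                    catch { $sid }
            [pscustomobject]@{ Key = $path; Account = $name; Type = $ace.AccessControlType
                               Rights = $ace.RegistryRights; Finding = $finding }
        }
    }
}

Get-WindowsKeyAclFindings | Format-Table -AutoSize -Wrap
```

Run it before and after correcting the permissions, and compare the output with the same script run on a computer where the installation succeeded.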
