JozefG

ESET Staff
  • Posts: 65
  • Days Won: 1

Everything posted by JozefG

  1. I had a similar issue on my personal laptop even without an ESET product installed. Can't remember the exact solution, but playing with sign-in options in OS settings (disabling whatever is enabled, like auto sign-in after update) solved the issue for me.
  2. Since some time ago (around Win10 RS3), Windows automatically logs you in and immediately locks, so you are unlocking your PC, not logging in. That could be why the hive is loaded before what you see as login. @Andrej Kuk @Jamie Reader @hack-the-planet what are the products used and their versions?
  3. Please try to switch to prerelease update channel. There is configuration module 2099.7, which should help with the issue. It is scheduled to be released on Monday.
  4. Glad to hear that. The 2099.7 version is scheduled for full release on Monday.
  5. That is a version of the operating system. But I can see that you are using 10.0 on one of the previous screenshots. That is a bit strange; we are closing the handle to those files when we get a notification from the system that the user is logging off. It is an asynchronous notification, so maybe there is some race. Testers have tested that the handle is closed on log off. Can you please write down some steps for replication?
  6. What version of server product are you using?
  7. Are you by any chance behind a mirror? You might have to update it first. Something that I forgot to mention about the 2099.7: due to technical reasons it will work only on business products v10+.
  8. Can you try to switch to prerelease update channel to get Configuration module 2099.7 and see if it helps?
  9. @mkrupa do you have by any chance a couple years old FDE policy containing proxy password and applying it together with some newly created one? If so could you try to recreate that policy from scratch and see if it helps? We noticed some issue in Agents with latest Configuration module.
  10. Can you please share what version of Configuration Module you have?
  11. Tried to investigate the issue more. After checking our WSC module logs I was suspecting the read request (point no.2) of being somehow involved, as its time was very close to the logged events. Using a custom-built 1038 without the read request, the issue still persists. Next I disabled the startup scan, as someone was mentioning it earlier in this thread. Still no luck and the issue persists.
  12. Windows security center service is a delayed start service by default. We have quite elaborate waiting system for that service.
      1. We have a system notification registered for start of `wscsvc` service.
      2. When notified by system, we try to ask via WSC API if there are some data. If it is still initializing it returns `ERROR_SERVICE_NOT_ACTIVE`.
      3. If that happens we register a notification to the WSC itself, to tell us when it is ready. Otherwise we start issuing requests.
      4. If the initialization took more time and notification comes from WSC, we start issuing requests.

      Events (error) with Id 16 are expected and according to the specification from MS. If our application changes certificate, the request to update status fails with certain error. When this error occurs we are obliged to register again and then report requested status. You can see that in event log those 2 errors with Id 16 are followed by Id 15 Events (informational) that we successfully reported status.

      Events (errors) with Id 18 and 19 are from initialization of the `wscsvc` service itself. Actually just checking that I got those errors on my machine too on 20.11.2023, probably reboot after upgrade to new Endpoint v11. It might have been just a coincidence. Also logged 0x8007000D (should be something like `ERROR_INVALID_DATA`) is not coming from our provider requests, since the errors are followed by event with Id 1 (start of the service) and even with Id 15 (successful reports of status).
  13. Windows security service has delayed start, which means until it is running these sections are empty. Does it show anything after some time? The other option is that there are failures logged in our event log or in Windows Event log.
  14. @Vangelis Try to remove this registry key and see if it helps: `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\egui`
  15. Please collect logs via Logcollector and provide also Boot Process monitor log. You can send me link to logs in PM.
  16. @Crunch Bootlog was correctly saved now, but it confirmed what I saw in Logfile.pml from previous run. Security Center service failed to establish connection with WMI because it is not running.
  17. @Crunch thanks for the logs. Even though Bootlog.pml was corrupted/incorrectly closed, Logfile.pml contained the start of `wscsvc`. So the issue in your case is that WSC cannot initialize its connection with WMI. Most probably due to the fact that there is no WMI service running. Also there is no WMI Provider Host application running. What does running this command from command prompt say? `wmic /namespace:\\root\SecurityCenter2 Path AntivirusProduct GET displayName,ProductState`
  18. @Crunch you can generate such a log by following the steps here: https://support.eset.com/en/kb6308-using-process-monitor-to-create-log-files#boot_logs It seems that you are experiencing a very nasty issue: API calls are returning `ERROR_DISK_OPERATION_FAILED`. Most probably due to failure during initialization of WSC service.
  19. @Crunch Could you collect a new set of logs? Hopefully we could find a solution for those errors. Edit: It would be great if you also provided a Process Monitor log from boot, stopped after the notifications start popping up. That could really help me with the investigation.
  20. @waluigiguatemala Does your issue with newer versions lie within Advanced Setup?
  21. Do I understand it correctly that if Shadow Defender's Shadow Mode is not active it does work correctly? From the description of Shadow Mode it looks like it may prevent some things to be done correctly.
  22. There were some things that it should recognize, but due to some other things missing it failed to detect them. Glad to hear that either way your logs helped us identify some places to improve in Uninstaller.
  23. Which version was installed? Was MalwareBytes installed alongside ESET or afterwards? According to Windows event logs MSI found multiple installations. These events are from around the same time.
      Windows Installer installed the product. Product Name: ESET NOD32 Antivirus. Product Version: 4.0.68.0. Product Language: 1051. Manufacturer: ESET, spol s r. o.. Installation success or error status: 1603.
      Windows Installer reconfigured the product. Product Name: ESET Security. Product Version: 11.2.49.0. Product Language: 1033. Manufacturer: ESET, spol. s r.o.. Reconfiguration success or error status: 1603.
  24. @Prayer1 Which version of ESET product do you have installed? Are you asking about postponing ESET updates to newest product version?
  25. @SeriousHoax @itman are you having these issues with Security Center integration module 1029? If so please provide logs.