Zardoc

Update 11.1.42 Event error ScRegSetValueExW

Since update 11.1.42 an error in event log has started showing up.

ScRegSetValueExW Event 7006 Access denied.

After searching the web, I found that this error is often related to antivirus software. Kaspersky, AVG etc. have had this error. So my guess is that Eset must know the fix.

I haven't noticed any functional issues but an error related to my Antivirus software is not something that I take lightly.

So, Marcos, I created a specific post for this problem. Can you please explain the problem?

BTW, I used the uninstaller to remove and reinstall the software. The problem disappears for a few hours, then returns.

Included, original install logs.

Logs 2018-04-03_05-27-48.png


I'm not getting those records in the system event log after upgrade to v11.1.42.1. If you clear the ESET event log, are those errors logged again after a computer restart?


Here's what I believe is causing the ScRegSetValueExW Event 7006 Access denied event.

Eset has two services dependent upon ekrn.exe; ekrn and ekrnEpFw which is titled Eset firewall helper service.

The ekrn service is set to Automatic which means it is started up as part of the Windows boot process.

The ekrnEpFw service is set to manual which means it won't start until the service dependency i.e. ekrn.exe is started.

I believe the Windows Service Control Manager which manages all Windows services execution assumes manually started processes will occur sometime after the boot process has fully completed. For starters, it is unusual to have two services started by a non-Windows process. Microsoft designed svchost.exe to do that.

What I believe is happening is the ekrnEpFw service is trying to start up during the boot process due to ekrn.exe having begun execution. However when the ekrn service starts up, it does so as a protected process. When ekrnEpFw service starts up and due to its manual startup type, Service Control Manager is trying to write to its associated registry key. It can't do so since ekrn.exe which is running has prevented via its self-protection feature any writes to the registry key.^_^

Things to explore. Perhaps make both services start Automatic - not sure of this one. Create a separate protected program to start the ekrnEpFw service running as a child process of ekrn.exe? Additionally, both services are attempting to set ekrn.exe as a protected process, which might also be the cause of the issue. Also, the ekrnEpFw service has a dependency on the Base Filtering Engine service being started, whereas the ekrn service has no dependencies. What needs exploring is: if the ekrnEpFw service was set to Automatic but not protected and ekrn.exe set to Manual but protected, would it change ekrn.exe to protected mode?

5 hours ago, Marcos said:

I'm not getting those records in the system event log after upgrade to v11.1.42.1. If you clear the ESET event log, are those errors logged again after a computer restart?

No it does not.

1 hour ago, itman said:

Here's what I believe is causing the ScRegSetValueExW Event 7006 Access denied event.

Eset has two services dependent upon ekrn.exe; ekrn and ekrnEpFw which is titled Eset firewall helper service.

The ekrn service is set to Automatic which means it is started up as part of the Windows boot process.

The ekrnEpFw service is set to manual which means it won't start until the service dependency i.e. ekrn.exe is started.

I believe the Windows Service Control Manager which manages all Windows services execution assumes manually started processes will occur sometime after the boot process has fully completed. For starters, it is unusual to have two services started by a non-Windows process. Microsoft designed svchost.exe to do that.

What I believe is happening is the ekrnEpFw service is trying to start up during the boot process due to ekrn.exe having begun execution. However when the ekrn service starts up, it does so as a protected process. When ekrnEpFw service starts up and due to its manual startup type, Service Control Manager is trying to write to its associated registry key. It can't do so since ekrn.exe which is running has prevented via its self-protection feature any writes to the registry key.^_^

Things to explore. Perhaps make both services start Automatic - not sure of this one. Create a separate protected program to start the ekrnEpFw service running as a child process of ekrn.exe? Additionally, both services are attempting to set ekrn.exe as a protected process, which might also be the cause of the issue. Also, the ekrnEpFw service has a dependency on the Base Filtering Engine service being started, whereas the ekrn service has no dependencies. What needs exploring is: if the ekrnEpFw service was set to Automatic but not protected and ekrn.exe set to Manual but protected, would it change ekrn.exe to protected mode?

Unfortunately, the ekrnEpfw service is protected and can't be modified. :(


Ekrnepfw is not a service but a driver. Does temporarily disabling Self-defense and rebooting the machine make a difference? If not, what about disabling HIPS completely followed by a reboot?

12 minutes ago, Marcos said:

Ekrnepfw is not a service but a driver.

It isn't on my 11.1.42.1 installation which indeed might be the problem?


There is no ekrnEpfw driver present either in C:\Program Files\Eset or the Windows driver directories. I suspect this registry key needs to be deleted?


I'm sorry, I confused it with epfwwfp.sys. Ekrnepfw.dll is just a dll that is loaded by ekrn.exe and is located in the ESET install folder.

1 hour ago, Marcos said:

Does temporarily disabling Self-defense and rebooting the machine make a difference?

Yes, with Self-defense disabled the error is not present.

1 hour ago, Marcos said:

Ekrnepfw is not a service but a driver. Does temporarily disabling Self-defense and rebooting the machine make a difference? If not, what about disabling HIPS completely followed by a reboot?

So, then, what is this service?

ekrnEpfw 2018-04-03_20-18-09.png

13 hours ago, Zardoc said:

So, then, what is this service?

Since it is dependent upon the BFE service, I would say it's the interface between Eset's network protection "Windows firewall use" option and the Windows firewall.

Eset can't load ekrnEpfw.dll when ekrn.exe starts up at boot time, since it loads as one of the first processes. At that time the BFE service hasn't loaded yet. Complicating matters is that ekrn.exe now runs as a Protected Process Light (PPL) on Win 8.1 and 10. This prevents any process modification activities, including conventional .dll injection, after a process has started.


I confirm that ESET Firewall Helper is a legitimate service added in v11.1.42.

19 hours ago, Marcos said:

I confirm that ESET Firewall Helper is a legitimate service added in v11.1.42.

But obviously, it (or another part of 11.1.42) does not work correctly. Otherwise there wouldn't be errors in the event log. I can find these on my Windows 7, Windows 10 and WHS2011 boxes. So, are these being looked into for fixing?


OK, so now we all agree it's a service and that this issue is a known problem with antivirus software.

My specialty is building machines and optimizing them. I don't have any knowledge in programming or maintenance of antivirus software.

This is one of the few software services that I not only pay for but also have to participate actively in its maintenance.

Now I don't have any idea why I have this error but like I mentioned before, I pay for this service to fully protect my machine and even if I don't see any known issues with the software, it is very disconcerting knowing that it is flagging an error.

Some people don't believe in antivirus software, but it gives me peace of mind when it works. Now it's not working properly.

Marcos, what's the fix please?


Why do you think there's a correlation between the ScRegSetValueExW Event 7006 and the ESET Firewall Helper service given that you confirmed that disabling Self-defense makes it go away?

With Self-defense enabled, try enabling logging of all blocked operations in the advanced HIPS setup. When the event 7006 occurs, disable logging, collect logs with ELC and provide me with the generated archive.

1 hour ago, Marcos said:

Why do you think there's a correlation between the ScRegSetValueExW Event 7006 and the ESET Firewall Helper service given that you confirmed that disabling Self-defense makes it go away?

With Self-defense enabled, try enabling logging of all blocked operations in the advanced HIPS setup. When the event 7006 occurs, disable logging, collect logs with ELC and provide me with the generated archive.

From what I can tell from this post, this event occurs on various machines and various configurations. Obviously disabling self-defense makes it go away. Thus, there seems to be a problem with the self-defense mechanism in 11.1.42.1. I assume this can be easily reproduced in a developer's test environment. At least I am not a beta tester for NOD32...


Here is the HIPS record for the "error" that occurs during the boot process:

C:\Windows\System32\services.exe;Modify registry;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ekrn\FailureActions;blocked;Self-Defense: Registry with full protection;

1 hour ago, stackz said:

Here is the HIPS record for the "error" that occurs during the boot process:


C:\Windows\System32\services.exe;Modify registry;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ekrn\FailureActions;blocked;Self-Defense: Registry with full protection;

Also, as noted in my previously posted reply, this is occurring because the ekrnEpfw service is set to Manual startup status. The OS will access the associated service reg. key to indicate the service has entered the active state. Eset's self-protection of the same registry key, which is actually enabled when the ekrn service starts, is preventing this activity.

I believe at least setting the ekrnEpfw service to Automatic should be attempted, since I suspect, but am not sure, that like reg. key updating is not performed. Eset should test this assumption on their end. Otherwise, the only other solution is for Eset to not activate protection of the ekrn service reg. key until the ekrnEpfw service has started. This does create a possible security vulnerability in that a hacker could create his own service set to run his malware program to disable the ekrn service prior to its reg. key being set to protected status.

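A way to gather, on an affected machine, the three facts the posts above rest on (the start types and dependencies of ekrn and ekrnEpFw, the Service Control Manager 7006 events since the last boot, and the ekrn FailureActions value that the HIPS record shows services.exe being denied). This is an added example, not code from the thread or from ESET; it assumes an elevated PowerShell session on Windows and uses only built-in cmdlets.

```powershell
#Requires -RunAsAdministrator
# Added example, not ESET's code: collect the service configuration, the SCM
# 7006 events and the protected registry value in one pass so they can be
# compared across reboots and against the HIPS log.

# 1. Start type and dependencies of the two ESET services discussed above
#    (thread: ekrn = Auto, ekrnEpFw = Manual and dependent on BFE).
foreach ($name in 'ekrn', 'ekrnEpFw') {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
    if (-not $svc) { Write-Warning "Service '$name' is not installed"; continue }
    $deps = (Get-Service -Name $name).ServicesDependedOn | ForEach-Object Name
    [pscustomobject]@{
        Service   = $svc.Name
        StartMode = $svc.StartMode
        State     = $svc.State
        Binary    = $svc.PathName
        DependsOn = ($deps -join ', ')
    }
}

# 2. Service Control Manager events 7006 logged since the last boot. The
#    message names the value SCM failed to write (FailureActions here).
$boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7006
    StartTime    = $boot
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

# 3. The registry value the HIPS record shows services.exe being blocked on.
#    CurrentControlSet normally resolves to the ControlSet001 path in the log.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\ekrn'
$fa  = (Get-ItemProperty -Path $key -Name FailureActions -ErrorAction SilentlyContinue).FailureActions
if ($fa) {
    # REG_BINARY SERVICE_FAILURE_ACTIONS blob, printed as hex so the value can
    # be compared before and after the boot that produced the 7006 event.
    ($fa | ForEach-Object { '{0:X2}' -f $_ }) -join ' '
}
```

Run it once with Self-defense enabled and once with it temporarily disabled, as Marcos suggested above, and compare the 7006 list from step 2.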

Marcos,

What's the fix?


Hi,

There's a problem that has been regularly re-appearing on some systems since version 9 and that could be related. Explanations are contained in an old thread that the current version of the forum software refuses to display (the thread URL is rejected). So please remove all the spaces in the URL below, or google these keywords: "samoréen hips drivers safe mode". The first answer will be the right one.

h t t ps:// forum.eset.com / topic / 9431 - solution-hips-disabled-after-90402-update/

I don't know why but sometimes, some ESET drivers cannot be installed. You have to install them manually in Safe Mode. I had to do this multiple times since version 9. Not with all updates, though. Never got any answer from the support about this issue.


Hi,

Thanks for your reply, but I'd really like Marcos to give a clear answer as to what the final fix is.

24 minutes ago, Zardoc said:

Thanks for your reply, but I'd really like Marcos to give a clear answer as to what the final fix is.

Your choice. This is also what I wanted 2 years ago when I wanted explanations about the possible reasons why some drivers wouldn't install. I had to find the fix myself. I guess you're more patient than I am. However, the procedure I have suggested is harmless. Either it fixes the problem or it does nothing. No risk.


Also, note that the messages you get in the Events log are the same as those I got when I encountered this issue.

19 hours ago, Samoréen said:

Also, note that the messages you get in the Events log are the same as those I got when I encountered this issue.

So, unfortunately, I tried your fix and it does not work.

I backed up to version 11.0.159.9 and no issues to report.

I really am fed up with wasting almost an hour every month dealing with issues concerning updates to my AV. I've been a long-time user of NOD (since the days Aryeh was with the MVP program) and I remember that it wasn't the case with NOD in the beginning. At least an explanation of the problem and the expected solution would be appreciated.

The new business attitude: "The bigger you get, the less you care."

Quote

Currently 11.0.159 is the latest version. We plan to release a newer version 11.1.X soon and your ESET will update automatically then.

Go figure. :(
