Realtime module not functional


Hi dears

We have a problem with one of our servers.

We have an offline server on which the Real Time module suddenly changed to not functional status.

Re-installation in clean mode with the ESET Uninstall tool from safe mode did not solve the issue.

Upgrading to the latest version did not solve the issue.

* An ESET Log Collector file was created from that server.


  • Administrators

The system is in a weird state IMAGE_STATE_UNDEPLOYABLE. I'm just consulting it with developers but this could be the reason for real-time protection not being activated. An expected state is IMAGE_STATE_COMPLETE.


  • Administrators
Just now, kamiran.asia said:

We are waiting for your update.

I was right, real-time protection doesn't activate because of the image state IMAGE_STATE_UNDEPLOYABLE. There's something wrong with Windows, it should be in IMAGE_STATE_COMPLETE state.


2 minutes ago, Marcos said:

I was right, real-time protection doesn't activate because of the image state IMAGE_STATE_UNDEPLOYABLE. There's something wrong with Windows, it should be in IMAGE_STATE_COMPLETE state.

And what can be the reason for IMAGE_STATE_UNDEPLOYABLE?


  • Administrators
25 minutes ago, kamiran.asia said:

And what can be the reason for IMAGE_STATE_UNDEPLOYABLE?

I'm sorry, we have no clue. I've tried googling for possible reasons to no avail. We've had several cases like this (usually with even a different image state) when we could only suggest reinstalling the OS.


Also, McAfee has an article on how to reset the affected registry key back to IMAGE_STATE_COMPLETE. Note that doing so is at your own risk since the IMAGE_STATE_UNDEPLOYABLE status indicates an unsuccessful OS deployment:

Quote

Cause

This issue happens when a Windows configuration setting makes your Windows installation look like it is still in ‘factory mode’. When Windows is in factory mode, its initial setup is incomplete.

This incorrect Windows setting adversely affects how Windows completes its initial setup, which is also known as its Out of Box Experience (OOBE). Our software waits for the OOBE setup to complete before running, but the incorrect setting in the registry makes our software think that the Windows initial setup has not finished. The result is the problem described above.

https://service.mcafee.com/webcenter/portal/oracle/webcenter/page/scopedMD/s55728c97_466d_4ddb_952d_05484ea932c6/Page29.jspx?wc.contextURL=%2Fspaces%2Fcp&locale=en-US&articleId=TS102833&_afrLoop=1087443705220366&leftWidth=0%&showFooter=false&showHeader=false&rightWidth=0%&centerWidth=100%#!%40%40%3FshowFooter%3Dfalse%26locale%3Den-US%26_afrLoop%3D1087443705220366%26articleId%3DTS102833%26leftWidth%3D0%25%26showHeader%3Dfalse%26wc.contextURL%3D%2Fspaces%2Fcp%26rightWidth%3D0%25%26centerWidth%3D100%25%26_adf.ctrl-state%3Dugptswwfq_9 

I suspect the OOBE issue that affects McAfee's successful installation might also be affecting ESET's successful installation/operation.

Edited by itman

  • Administrators

This registry value should be controlled by Windows each time it starts. Forcing a value manually may have unforeseeable effects on the system. There are good reasons why it's checked.


5 hours ago, itman said:

Also, McAfee has an article on how to reset the affected registry key back to IMAGE_STATE_COMPLETE. Note that doing so is at your own risk since the IMAGE_STATE_UNDEPLOYABLE status indicates an unsuccessful OS deployment:

https://service.mcafee.com/webcenter/portal/oracle/webcenter/page/scopedMD/s55728c97_466d_4ddb_952d_05484ea932c6/Page29.jspx?wc.contextURL=%2Fspaces%2Fcp&locale=en-US&articleId=TS102833&_afrLoop=1087443705220366&leftWidth=0%&showFooter=false&showHeader=false&rightWidth=0%&centerWidth=100%#!%40%40%3FshowFooter%3Dfalse%26locale%3Den-US%26_afrLoop%3D1087443705220366%26articleId%3DTS102833%26leftWidth%3D0%25%26showHeader%3Dfalse%26wc.contextURL%3D%2Fspaces%2Fcp%26rightWidth%3D0%25%26centerWidth%3D100%25%26_adf.ctrl-state%3Dugptswwfq_9 

I suspect the OOBE issue that affects McAfee's successful installation might also be affecting ESET's successful installation/operation.

Thank you, we will try this solution tomorrow.


18 hours ago, Marcos said:

I was right, real-time protection doesn't activate because of the image state IMAGE_STATE_UNDEPLOYABLE. There's something wrong with Windows, it should be in IMAGE_STATE_COMPLETE state.

Today the State key automatically changed to IMAGE_STATE_COMPLETE, so Real Time works properly. We cannot find which program or event changed this key yet.

But the problem was solved automatically.

Thanks all (@Marcos & @itman) for the perfect troubleshooting and perfect solutions.


After 1 hour the problem occurred again. We manually changed "state" to complete, but ESET Real Time is still not functional even after a restart.

ESET Log Collector log in this state:

https://wetransfer.com/downloads/7c2edd14989ce24f78402a5a285a35c120190516061226/6b5a84b79563121de9f9ebe714684d1820190516061226/339928


  • Administrators

We don't need ELC logs. You'd better create a dump of ekrn through the advanced setup -> tools -> diagnostics. However, whether real-time protection starts or not does not depend on the registry value but on the state that the OS reports. The registry value just tells what state the system is in; however, we've seen that the actual state often differs from what is in the registry.


6 hours ago, kamiran.asia said:

After 1 hour the problem occurred again. We manually changed "state" to complete, but ESET Real Time is still not functional even after a restart.

Note the following:

Quote

IMAGE_STATE_UNDEPLOYABLE

This is the default state for an image in a given phase of Windows Setup that is not yet complete. If a process queries the IMAGE_STATE value and IMG_UNDEPLOYABLE is returned, the image is in one of the following states:

  • Setup is currently running and has not fully completed the phase. Once a given phase is complete, the IMAGE_STATE will be set to an appropriate completion value.
  • If queried online when Setup is not running, there was a failure when completing a Setup phase. This image must be reinstalled.
  • If queried offline, the image did not finish a phase and will never be deployable.


https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-8.1-and-8/hh824815(v=win.10)

Next, what IMAGE_STATE_COMPLETE really means. Did you run sysprep prior to the image being deployed to the server?

Quote

This image is not deployable to a computer that has a different hardware configuration because it is now hardware-dependent. To deploy this image to a computer that has a different hardware configuration, you must run sysprep /generalize.

Edited by itman

DISM might or might not fix the Image State issue on the server. You will have to research this on your own since it is out of the scope of this forum. Here is one among many TechNet postings on the subject:  

Quote

Researching the error and looking at CBS.log pointed me to CBS store corruption so I ran sfc /scannow and that came back clean. I then ran dism /online /scanhealth and it said that there was repairable damage.

https://social.technet.microsoft.com/Forums/en-US/d1a5ed7b-2537-4cad-b586-8680cbb6c512/cbs-store-corruption-on-server-2016-repair-with-dism-gets-error-0x800f081f-quotthe-source-files?forum=ws2016


On 5/16/2019 at 11:53 AM, Marcos said:

We don't need ESET Log Collector logs. You'd better create a dump of ekrn through the advanced setup -> tools -> diagnostics. However, whether real-time protection starts or not does not depend on the registry value but on the state that the OS reports. The registry value just tells what state the system is in; however, we've seen that the actual state often differs from what is in the registry.

This is the diagnostic data that our customer sent to our support unit:

https://wetransfer.com/downloads/544e8169a482b7efcee7f7c0b0e85ba320190518042256/856d459a267914f66f52810f095e48de20190518042256/4a6572


7 minutes ago, Marcos said:

I consider this case closed. The only solution we can advise is reinstalling the OS. 

It seems that this problem has a special reason. Today we received another report from another server with the same problem. We will send the ESET Log Collector log and Ekr dump soon.


22 hours ago, Marcos said:

I consider this case closed. The only solution we can advise is reinstalling the OS.

Again, thanks all for the cooperation and assistance.

As we mentioned, the problem is not limited to one server.

Another server in the same network & same customer:

ESET Log Collector log + EKR dump:

https://wetransfer.com/downloads/da5ac063870b0f34c40a50aee5d5f93e20190519040857/2a842cbc9ae41c70019183577dcb365920190519040857/3902f3

Do you think that it's an OS problem when 2 servers have the same problem at the same time?

These 2 servers are very important and they cannot reinstall the OS easily.


On 5/16/2019 at 5:12 PM, itman said:

Note the following:

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-8.1-and-8/hh824815(v=win.10)

Next, what IMAGE_STATE_COMPLETE really means. Did you run sysprep prior to the image being deployed to the server?

These 2 servers have been working for about 1 year and ESET was working properly. This problem occurred suddenly.

So we think they could not use sysprep recently.


7 hours ago, kamiran.asia said:

These 2 servers have been working for about 1 year and ESET was working properly. This problem occurred suddenly.

So we think they could not use sysprep recently.

It is very possible that a recent Win Server OS update is causing this issue. This seems reasonable to me since as you stated, the problem manifested recently and is affecting multiple servers.

You really need to contact Microsoft about the IMAGE_STATE_UNDEPLOYABLE issue.


16 hours ago, itman said:

It is very possible that a recent Win Server OS update is causing this issue. This seems reasonable to me since as you stated, the problem manifested recently and is affecting multiple servers.

You really need to contact Microsoft about the IMAGE_STATE_UNDEPLOYABLE issue.

Dear itman, for your info, these 2 servers are offline and have no internet access for OS updates.


  • Administrators

The problem with the machine from which the latest logs were taken is that you have an old eamonm.sys driver from v4.5 running. Did you upgrade to EFSW v7 from EFSW v4.5? If so, a restart is needed after installation for new drivers to get loaded. Did you reboot the server? If so, please uninstall EFSW completely, make sure there is no eamonm.sys driver in c:\windows\system32\drivers and install EFSW v7 from scratch.


This topic is now closed to further replies.
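
Added example (not posted by any participant in this thread, and not ESET's or Microsoft's code): a read-only PowerShell check that gathers the two things the thread ends up looking at, the recorded Windows image state and the eamonm.sys driver on disk. The registry key and State.ini locations are assumptions taken from Microsoft's Windows Setup state documentation, not from the thread; the script changes nothing and does not show which state the product itself queries.

```powershell
# Read-only triage for the symptoms discussed in this thread.
# Assumption: the registry value and State.ini locations below are the ones
# Microsoft documents for Windows Setup states; neither is quoted in the thread.
$expected = 'IMAGE_STATE_COMPLETE'

# Image state as recorded in the registry
$regPath  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State'
$regState = (Get-ItemProperty -Path $regPath -Name ImageState `
                -ErrorAction SilentlyContinue).ImageState

# Image state as recorded in State.ini (second documented location)
$iniPath  = Join-Path $env:windir 'Setup\State\State.ini'
$iniState = $null
if (Test-Path $iniPath) {
    $m = Select-String -Path $iniPath -Pattern '^\s*ImageState\s*=\s*(\S+)' |
         Select-Object -First 1
    if ($m) { $iniState = $m.Matches[0].Groups[1].Value }
}

# eamonm.sys on disk and as a registered kernel driver; a file version from an
# older product generation after an upgrade points to a stale driver.
$driverPath = Join-Path $env:windir 'System32\drivers\eamonm.sys'
$driverFile = Get-Item $driverPath -ErrorAction SilentlyContinue
$driverSvc  = Get-CimInstance Win32_SystemDriver |
              Where-Object { $_.PathName -like '*eamonm.sys' }

[pscustomobject]@{
    RegistryImageState = $regState
    StateIniImageState = $iniState
    SourcesAgree       = ($regState -eq $iniState)
    ImageStateOk       = ($regState -eq $expected -and $iniState -eq $expected)
    EamonmFileVersion  = if ($driverFile) { $driverFile.VersionInfo.FileVersion } else { $null }
    EamonmDriverState  = if ($driverSvc)  { $driverSvc.State } else { $null }
}
```

Run it from an elevated prompt on the affected server and keep the output with the support case; a mismatch between the two recorded states, or an unexpected driver version, is worth reporting before any value is changed by hand.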