ESET Insiders stackz 112 Posted July 19, 2019 ESET Insiders Share Posted July 19, 2019 (edited) Win 7x64EIS 12.2.23.0 I'm having a problem with getting the firewall and associated network protections to function. An error is logged: An error occurred during installation of the epfwlwf driver. I've tried (twice) removing EIS in safe mode using the ESET uninstaller and installing from scratch, but still the error remains. Any feedback to troubleshoot the problem would be appreciated. I enabled advanced logging, rebooted, disabled logging and ran ESET Log Collector. Logs attached. eis_logs.zip Edited July 19, 2019 by stackz added logs Link to comment Share on other sites More sharing options...
ESET Insiders stackz 112 Posted July 20, 2019 Author ESET Insiders Share Posted July 20, 2019 (edited) I think I've found the problem through using a process monitor bootlog. Ekrn.exe first looks for epfwlwf.sys in the directory C:\Windows\System32\Drivers If the driver is not found, Ekrn then (and finally) looks for the driver in "C:\Program Files\ESET\ESET Smart Security\Drivers\epfwlwf\EpfwLwf.sys". Obviously this path does not exist, hence installation fails. I created the path "C:\Program Files\ESET\ESET Smart Security\Drivers\epfwlwf\EpfwLwf.sys" then rebooted and installation of epfwlwf succeeded. Edited July 25, 2019 by stackz Link to comment Share on other sites More sharing options...
ESET Insiders stackz 112 Posted July 21, 2019 Author ESET Insiders Share Posted July 21, 2019 I may have spoken to soon. Even though Process Explorer shows epfwlwf.sys loaded under System, Windows event logs show the following error: Service Control Manager EventID 7026 The following boot-start or system-start driver(s) failed to load: EpfwLWF Link to comment Share on other sites More sharing options...
Administrators Marcos 5,050 Posted July 21, 2019 Administrators Share Posted July 21, 2019 Try disabling Self-defense, rebooting the machine and installing the driver manually after right-clicking C:\Program Files\ESET\ESET Security\Drivers\epfwlwf\EpfwLwf.inf and selecting "Install". Link to comment Share on other sites More sharing options...
ESET Insiders stackz 112 Posted July 21, 2019 Author ESET Insiders Share Posted July 21, 2019 2 hours ago, Marcos said: Try disabling Self-defense, rebooting the machine and installing the driver manually after right-clicking C:\Program Files\ESET\ESET Security\Drivers\epfwlwf\EpfwLwf.inf and selecting "Install". Unfortunately this results in an install error: The INF file you selected does not support this method of installation Link to comment Share on other sites More sharing options...
itman 1,655 Posted July 21, 2019 Share Posted July 21, 2019 6 hours ago, stackz said: I may have spoken to soon. Even though Process Explorer shows epfwlwf.sys loaded under System, Windows event logs show the following error: Service Control Manager EventID 7026 The following boot-start or system-start driver(s) failed to load: EpfwLWF This indicates to me that epfwlwf.sys is installed and not loading at boot time; but thereafter. I suspect that the associated reg. key "Start" value might be improperly set. Eset on Win 10 doesn't use this driver. So I have shown a screen shot of a like Eset driver associated service reg. key location and Start value setting. If epfwlwf service reg. key Start value is not set to "1", you can do so and see if that resolves the Event 7026 creation. Warning: Only do the above if the Type setting for the reg. key shows a value of "1". Link to comment Share on other sites More sharing options...
itman 1,655 Posted July 21, 2019 Share Posted July 21, 2019 There's also possibly another dimension to this problem. @Marcos is not EpfwLWF.sys, Eset's network adapter mini-port filter driver that Eset stopped using releases ago in favor of Windows Filtering Platform use? In other words, the question is if this driver should be installed in the first place? Link to comment Share on other sites More sharing options...
Administrators Marcos 5,050 Posted July 21, 2019 Administrators Share Posted July 21, 2019 Yes, it's supposed to be installed on Windows 7. Link to comment Share on other sites More sharing options...
itman 1,655 Posted July 21, 2019 Share Posted July 21, 2019 (edited) Here's how we can verify that EpfwLWF.sys is properly loaded. Had to "comb the deep recesses of my brain" for Win 7 memories which I rather not remember.😅 Refer to the below screen shot in regards to your network adapter. Under the "This connection uses the following items" should be something titled "NDIS Eset Mini-port Filter" or some wording similar to that. If it exists, assume the driver has been loaded and is functioning properly and just ignore the Event Log entry. Additionally if the driver wasn't properly loaded, Eset's SSL/TLS protocol filtering processing wouldn't be functional. Edited July 21, 2019 by itman Link to comment Share on other sites More sharing options...
ESET Insiders stackz 112 Posted July 22, 2019 Author ESET Insiders Share Posted July 22, 2019 (edited) It would seem from my findings that it is Ekrn that initiates the loading of epfwlwf.sys and not the Service Control Manager. If I remove the directory tree that I created - "C:\Program Files\ESET\ESET Smart Security\Drivers\epfwlwf\EpfwLwf.sys" then epfwlwf is never loaded. Edited July 22, 2019 by stackz Link to comment Share on other sites More sharing options...
Administrators Marcos 5,050 Posted July 22, 2019 Administrators Share Posted July 22, 2019 C:\Program Files\ESET\ESET Smart Security\Drivers was created during installation of an older ESET Smart Security and it's a folder from which ekrn installs drivers. However, a correct folder should be C:\Program Files\ESET\ESET Security\Drivers. I'd recommend uninstalling ESET, making sure that the ESET Smart Security folder doesn't exist and then installing the latest version of EIS from scratch. Link to comment Share on other sites More sharing options...
ESET Insiders stackz 112 Posted July 22, 2019 Author ESET Insiders Share Posted July 22, 2019 5 hours ago, Marcos said: I'd recommend uninstalling ESET, making sure that the ESET Smart Security folder doesn't exist and then installing the latest version of EIS from scratch. I tried that and I'm back where I started with no firewall. Personal firewall: An error occurred during installation of the epfwlwf driver. Link to comment Share on other sites More sharing options...
ESET Insiders stackz 112 Posted July 22, 2019 Author ESET Insiders Share Posted July 22, 2019 I've finally got everything up and running. There was an old epfwlwf driver package in the driverstore's file repository. Once this package was removed, EIS installed successfully. Link to comment Share on other sites More sharing options...
itman 1,655 Posted July 22, 2019 Share Posted July 22, 2019 There's a simply way to verify what directory epfwlwf.sys is loading from. Refer to the above registry screen shot. Find the entry for epfwlwf. Refer to the "ImagePath" entry. If it shows C:\Program Files\ESET\Eset Security\Drivers, then that is where the driver will be loaded from. Note that driver loading and use of it are two different things. I examined the Start Type setting value for my network adapter and it's "3', i.e. Load on Demand or manual. Obviously the network adapter has to be initialized prior to the assignment of Eset's NDIS mini-port filter to it. This is where ekrn.exe use might come into play. So it might be that there is a bug/issue here where possibly some residual registry entry or the like that ekrn.exe refers to, and it is set to C:\Program Files\ESET\ESET Smart Security\Drivers versus C:\Program Files\ESET\ESET Security\Drivers? Link to comment Share on other sites More sharing options...
itman 1,655 Posted July 22, 2019 Share Posted July 22, 2019 2 hours ago, stackz said: I've finally got everything up and running. There was an old epfwlwf driver package in the driverstore's file repository. Once this package was removed, EIS installed successfully. Might be the Eset stand-alone uninstaller no longer checks for old Smart Security install residual entries. Believe that is a reasonable assumption since it hasn't existed since ver. 10. Link to comment Share on other sites More sharing options...
Recommended Posts