PuterCare, posted September 11, 2019:
I have had this issue with 2 endpoints since yesterday, each used a different Agent as they are different clients and the same agent worked fine on multiple other systems at each client. When running the bat file on some Windows boxes as admin, the CMD box opens saying installing then Windows Script Host pops up (image attached). It says the issue was line 184 of uacinstall.vbs, code 80070002. Any ideas how to resolve? Thanks

Marcos (Administrators), posted September 11, 2019:
Please provide a Procmon log from the time when the batch Live installer is run. Looks like the vbs file could not be created in the temporary folder probably due to insufficient permissions or some security measures preventing vbs and other files potentially carrying malware in the system temp folder.

PuterCare, posted September 11, 2019:
Log attached, thanks. (Logfile.zip)

PuterCare, posted September 13, 2019:
Any ideas? Thanks

PuterCare, posted September 19, 2019:
Bump

Marcos (Administrators), posted September 19, 2019:
The file C:\Users\Jamie Jarvis\AppData\Local\Temp\uacinstall.vbs was dropped and wscript.exe read it successfully. Couldn't it be a policy or another 3rd party software that would block execution of VBS scripts from temporary folders? If you put your own vbs script in that folder, are you able to execute it?

PuterCare, posted September 19, 2019:
It is a standalone workgroup computer with no policies in place, I don't think there is any software on there that would block (unless it is Windows doing it). I will see if I can find a script that I can put in there and try to run.

Marcos (Administrators), posted September 19, 2019:
You can try creating a simple test file test.vbs with the following code inside:
    wscript.echo "Hello"

PuterCare, posted September 19, 2019 (edited September 19, 2019):
I did as you suggested and the test vbs ran fine from temp, I then copied all of the ESET files from %temp% to a new folder on C:\ and ran the vbs from an elevated CMD and the same issue occurred. Any other ideas? Thanks

PuterCare, posted September 20, 2019:
I now have 4 different systems with this same issue, all from different offices, not domain connected and no policies applied. All other systems in all 4 offices work fine. Any idea on the cause or what more I can do to try and fix? Thanks

Marcos (Administrators), posted September 20, 2019:
If I understand it correctly, you're unable to run uacinstall.vbs either from the temp folder or from any other folder, but if you give a VBS script a different name, it can run. Correct?

PuterCare, posted September 22, 2019:
On 9/20/2019 at 11:57 PM, Marcos said:
> If I understand it correctly, you're unable to run uacinstall.vbs either from the temp folder or from any other folder, but if you give a VBS script a different name, it can run. Correct?
Yes that’s right. I think the uacinstall.vbs script runs but it then fails as per the screenshot on my original post. It is the same error on all 4 systems. Other scripts run fine so it doesn’t seem to be the computers blocking scripts from running, it seems to be something specific to the uacinstall script. I opened in Notepad++ and checked line 184 but nothing obvious there to cause a problem, but this is outside of my skill set so might be missing something.

PuterCare, posted September 24, 2019:
Is there anything else I can try?

MartinK (ESET Staff), posted September 24, 2019:
Could you please provide more details of the system you are trying to execute this script on? We have somehow run out of ideas as no similar issues were reported. Could you possibly provide some non-sensitive part of line 184 that is failing? Asking just to be sure which part of the script is failing as it might be different in your environment.

ewong (Most Valued Members), posted October 3, 2019:
I'm not entirely sure if I'm repeating the correct steps (I use GPO and not the live installer), but looking at the downloaded ESMCAgentInstaller.bat (assuming this is the file that PuterCare is talking about), and seeing as this batch file creates a vbs file in the tempdir, my guess is that it can't find the sha1sum.exe file. PuterCare, after running and getting that error, does sha1sum.exe exist in the %TMP% folder?

PuterCare, posted October 3, 2019 (edited October 3, 2019):
Sorry for the delay, I was no longer working on that client site so took time to get back onto an affected system. It is Windows 10 Pro x64 1903, I have identical systems in the same office that work perfectly. Across 4 different offices with different hardware and different agent installers I have a single machine in each office that has exactly the same problem. All other offices have no issues at all, really puzzling! I just ran SFC and rebooted - same issue. Line 184 reads:
    exitCode = WshShell.Run(command, 0, True)
ewong - yes there is a sha1sum.exe created in %temp% when the bat file is run. There is also the agent_x64.msi, two certificate files, uacinstall.vbs.

Marcos (Administrators), posted October 3, 2019:
Just to make sure, isn't ESET Endpoint already installed with some extra antiransomware HIPS rules in place?

PuterCare, posted October 3, 2019:
EES is already installed, no changes to the default config (by me at least) and it is already installed on the other systems where the agent install works; however, EES is a common denominator between all the systems with an issue, so will disable protection and try again!

PuterCare, posted October 3, 2019:
I disabled protection, and then disabled HIPS in the advanced settings (although the toggle in the normal settings remained on and green) and it still failed. I am going to remove EES and try again.

PuterCare, posted October 3, 2019:
I removed EES, rebooted, ran the bat file and had the same issue. I then disabled Windows Defender realtime and the same issue again.

PuterCare, posted October 3, 2019:
I ran the AIO installer and the agent and program have installed successfully. I do need to try and fix this issue though so the agent can be installed independently so if you have any more ideas please let me know. Thanks

MartinK (ESET Staff), posted October 3, 2019:
My last idea is that the problem is caused by a "space" in the path to the script. It is stored in the user's temp directory, which contains a space in the absolute path (not clear from the screenshot, but is it actually a space in the name of the user?). If there is a space, special escaping would be required. Any chance you used a different user on machines where it works? Is it possible to use another user (Administrator) to run the installer?

MartinK (ESET Staff), posted October 3, 2019:
6 hours ago, PuterCare said:
> I do need to try and fix this issue though so the agent can be installed independently so if you have any more ideas please let me know. Thanks
Just a sidenote: are you aware that in ESMC 7.0 you can also create an AGENT-only all-in-one installer? It will install just AGENT and it won't be downloading the installer as it will already be included in the executable file.

PuterCare, posted October 3, 2019:
18 minutes ago, MartinK said:
> My last idea is that the problem is caused by a "space" in the path to the script. It is stored in the user's temp directory, which contains a space in the absolute path (not clear from the screenshot, but is it actually a space in the name of the user?). If there is a space, special escaping would be required. Any chance you used a different user on machines where it works? Is it possible to use another user (Administrator) to run the installer?
In the case of today's system, there is a space in the local username, therefore the path to the %temp% dir has a space in it. This sounds like a credible cause; when I set up users I don't use spaces but some systems at different offices were not set up by me. I will try this out when I am next able to get onto an affected machine and see if it helps!

PuterCare, posted October 8, 2019:
I think you've solved it! I was at another affected office today and that user had a space in their name, I created a temp user account with no space and the agent installed successfully. Thanks for your help on this. Is the best method to use the AIO agent installer for such systems?

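The cause MartinK identified, and PuterCare confirmed above, can be reproduced on any Windows machine with the following added example, which is not ESET's uacinstall.vbs and not code from the thread. The page does not show what `command` holds at line 184, so the folder name "space test", the file hello.cmd and the helpers Quote and TryRun are assumptions made for illustration.

```vbscript
' Added example, not ESET's uacinstall.vbs. Run with: cscript //nologo demo.vbs
' The folder "space test" and file hello.cmd are constructed stand-ins for a
' %TEMP% path such as C:\Users\First Last\AppData\Local\Temp.
Option Explicit
Dim WshShell, fso, workDir, target, f
Set WshShell = CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")

workDir = fso.BuildPath(WshShell.ExpandEnvironmentStrings("%TEMP%"), "space test")
If Not fso.FolderExists(workDir) Then fso.CreateFolder workDir
target = fso.BuildPath(workDir, "hello.cmd")
Set f = fso.CreateTextFile(target, True)
f.WriteLine "@exit 7"
f.Close

' Unquoted: Run treats the text before the first space as the program name,
' so it looks for "...\space" and raises an error instead of returning.
WScript.Echo "unquoted: " & TryRun(target)
' Quoted: the whole path is one token and the script's exit code comes back.
WScript.Echo "quoted:   " & TryRun(Quote(target))

fso.DeleteFolder workDir, True

' Wrap a path in double quotes so spaces do not split it.
Function Quote(path)
    Quote = Chr(34) & path & Chr(34)
End Function

' Same call shape as line 184; traps the runtime error and reports it in hex.
Function TryRun(command)
    Dim exitCode
    On Error Resume Next
    exitCode = WshShell.Run(command, 0, True)
    If Err.Number <> 0 Then
        TryRun = "error " & Hex(Err.Number) & " " & Err.Description
        Err.Clear
    Else
        TryRun = "exit code " & exitCode
    End If
    On Error GoTo 0
End Function
```

Code 80070002 is the HRESULT form of ERROR_FILE_NOT_FOUND, which is why the error points at the Run call rather than at script blocking or permissions.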