The ekrn service failed to start / Patch Tuesday Windows Updates


Hi everyone

I am busy testing/installing the latest Windows Updates on Windows Server 2016. After the reboot I noticed that ESET (Server Security 9.0.12013.0) did not start. I am seeing this in the Event Viewer.

The ekrn service failed to start due to the following error: 
The service did not respond to the start or control request in a timely fashion.


 

Is anyone else seeing this?

 


Yes, it's prevalent - see Reddit below:
ESET Server Security for Microsoft Windows Server does not start with after December Windows Updates released yesterday (12-13-22)

 

Edited by MarcFL

You can try starting the Eset service in Windows services and if not, rebooting the server which helped a user on Reddit.

See: https://www.reddit.com/r/sysadmin/comments/zkmwww/patch_tuesday_megathread_20221213/j06ofmq/

 

Edited by MarcFL

I was unable to start the ESET Service manually. Rebooting the server a second time helped.

Yesterday this affected every single server we updated (more than 10). Today I updated three more servers (same image, same OS, same ESET version) and I have not run into this problem so far. What changed? 


  • ESET Moderators

Hello guys,

thank you for your reports.

Can you please provide us with 1. a Process Monitor log from boot time, with advanced output enabled, capturing events in the system during a boot when the issue manifests, and 2. output from the ESET Log Collector taken afterwards?

Once you have the logs, please send a private message to me and @TomasP with the download details to check.

Thank you, Peter


  • Administrators

It appears that on systems with a low HW configuration the system is so busy installing the Windows update that the start of other services may time out. However, once the Windows update has been installed, the issue should resolve automatically and services should not time out any more.


  • ESET Moderators

Hello guys,

so the issue won't happen after the reboot, the logs can be obtained only if you enable the logging for the reboot, which will apply the Windows updates.

The issue is related to performance and, as Marcos mentioned, restart the system after a few minutes, as the patch will have been processed, so there would be no performance issues on the following reboot.

Peter


We also have ~40 win servers VMs with the same error message. And this is just the first batch. Is there a way to prevent this from happening? We have hundreds of VMs ready for automated win update deployment and we really can not handle them all individually afterwards.


  • Administrators
5 minutes ago, Sec-C said:

We also have ~40 win servers VMs with the same error message. And this is just the first batch. Is there a way to prevent this from happening? We have hundreds of VMs ready for automated win update deployment and we really can not handle them all individually afterwards.

Not without not installing the updates. The problem has been allegedly reported from other AV vendors too and Microsoft confirmed that lower hw configuration or other reasons causing services to load slower account for said issues.

Do you continue to experience the issue after installing the updates and rebooting the machines?


  • ESET Moderators

So I recommend monitoring the application of the Windows patches more closely than usual.

As mentioned above, the performance seems to be the key so if possible, make sure that the servers have enough processing power when the restart to apply the patches is to come.

The status of the ESET security solution is reported to the management console, so if it fails to start on some of the servers, a restart after a few minutes of running will resolve it.

Peter


Well, the four servers I tested on (from Reddit thread above) are indeed older servers (E3-1225 V5 with 16 GB) so yeah, no way to speed them up. But since this is the first time this has happened, I hope it's only for this time. On my newer servers the updates worked fine.


  • ESET Insiders

This happened to me on Server 2019 and Server 2022. I have almost 60 VMs so I am not going to install Windows Updates until something other than yet another reboot fixes it.


2 hours ago, Marcos said:

Do you continue to experience the issue after installing the updates and rebooting the machines?

We tried starting the eset service manually on ~10 machines. There were no more obvious errors afterwards. We have not tried additional reboots, since we need the machines online. Is there a way to make the agent try starting the security product?


3 minutes ago, Sec-C said:

We tried starting the eset service manually on ~10 machines. There were no more obvious errors afterwards. We have not tried additional reboots, since we need the machines online. Is there a way to make the agent try starting the security product?

Managed to get the service started by run-command task from ESET PROTECT with command:

net start "ESET Service"

This was only on a test VM though, uncertain if there are any unwanted side effects.

Edited by Mitchell

We also have the same issues - Win2016 and above. There are no problems starting the service later.

Guy, how to set some notification for this special event in Eset Protect to send mail message?


  • Administrators
13 hours ago, MarcFL said:

Question for Eset:  Why THIS month of Win updates?   Something must be different.

It's a question for Microsoft to determine what was different since ESET was not the only vendor affected.

The update generates a lot of disk activity inside C:\Windows\WinSxS\Catalogs by Cl.dll checking file hashes (generates more than 20,000 file opens).


On 12/16/2022 at 2:30 AM, heh said:

how to set some notification for this special event in Eset Protect to send mail message?

This. How do I get a notification set up to alert me about this? I don't see any built-in notifications for this specific scenario.


Anyone? We have people updating servers and not checking for Eset afterwards and then servers are left to run unprotected until someone just happens to notice days later. We need a notification for when this happens. How do I set this up?


You can create a dynamic group with the following condition:

image.thumb.png.991a4affc34677b6c3b3b1bc2ed6438c.png

 

and then create a "dynamic group changes" notification for that: 

image.png.e59c490dd50d4c60bf1e4a04f6b639aa.png

 

You could also trigger the previously mentioned "run command" task using a joined dynamic group trigger or scheduled trigger on that group to "auto heal" affected systems (but as previously mentioned, a reboot is probably preferred).


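A post-patch check along the lines discussed above, as an added example that is not part of the original posts and not ESET's own tooling: it looks for Service Control Manager start failures for the ESET service since the last boot, retries the start with a delay, and exits non-zero if the service is still down so a scheduler or management task can alert. Assumptions: the service short name is `ekrn` (taken from the event text in the first post), the script runs elevated on the server, and the relevant System log events are Service Control Manager IDs 7000 (service failed to start) and 7009 (start timeout).

```powershell
# Added example: post-patch health check for the ESET service.
# Assumptions: service short name 'ekrn'; SCM event IDs 7000/7009; elevated session.
param(
    [string]$ServiceName = 'ekrn',
    [int]$MaxAttempts = 3,
    [int]$RetryDelaySeconds = 60   # give the update time to finish its disk work
)

# Only consider events logged since the current boot.
$boot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

$filter = @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7000, 7009
    StartTime    = $boot
}
# Get-WinEvent raises a non-terminating error when nothing matches; suppress it.
$timeouts = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'ekrn|ESET Service' })

$svc = Get-Service -Name $ServiceName -ErrorAction Stop
$attempt = 0
while ($svc.Status -ne 'Running' -and $attempt -lt $MaxAttempts) {
    $attempt++
    try {
        Start-Service -Name $ServiceName -ErrorAction Stop
    } catch {
        Write-Warning "Start attempt $attempt failed: $($_.Exception.Message)"
        Start-Sleep -Seconds $RetryDelaySeconds
    }
    $svc.Refresh()
}

# Summary object for logging or collection by the calling task.
[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    BootTime      = $boot
    StartFailures = $timeouts.Count
    StartAttempts = $attempt
    ServiceStatus = $svc.Status
}

# Non-zero exit lets the scheduler or management console flag the host.
if ($svc.Status -ne 'Running') { exit 1 }
```
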
On 12/16/2022 at 12:22 PM, Marcos said:

It's a question for Microsoft to determine what was different since ESET was not the only vendor affected.

The update generates a lot of disk activity inside C:\Windows\WinSxS\Catalogs by Cl.dll checking file hashes (generates more than 20,000 file opens).

I don't know that it is a question for Microsoft to determine. From the linked thread, only one other AV vendor was mentioned. A bigger question is why is ESET not attempting to restart itself given the settings for the service are to always attempt to restart itself?


On 12/29/2022 at 11:37 AM, Marcos said:

It's Windows itself that restarts services in case of a crash provided they are configured so.

Fair enough on the restarting of the service. Your statement about Microsoft needing to look at this would indicate that ESET is not investigating this on their end?


This topic is now closed to further replies.