Thomas Fincke, posted April 11, 2023

Hello, I have been having a problem with 2 terminal servers (2012 R2) for about 2 weeks (it occurred on 29/03 with both and then on 9/4 with one and on 11/04 with the other). ESET is not in the taskbar and the following entries can be found in the event log:

The time limit (240000 ms) was reached while waiting for a transaction response from service ekrn.

and

The timeout (240000 ms) was reached while waiting for a transaction response from service ekrnEpfw.

The servers are then relatively difficult to operate and the message appears when logging off: Please wait for "Notification text for system events". The message is probably displayed for hours by the users, but also by the administrator when logging off. The only solution is a stop of the machine (which also takes 10 minutes or more) and a subsequent start.

Scans with ESET, MSERT, Maleware, AdwCleaner have brought no results. The logs do not provide any further information either.

Does anyone have the same problem? Are the servers hacked or are there problems with the current version?

Marcos (Administrators), posted April 11, 2023

What version of ESET Server Security do you have installed? Is it the latest v10.0.12010.0? Does uninstalling ESET and installing the latest version from scratch make a difference?

Thomas Fincke (Author), posted April 11, 2023

4 minutes ago, Marcos said:
> What version of ESET Server Security do you have installed? Is it the latest v10.0.12010.0? Does uninstalling ESET and installing the latest version from scratch make a difference?

Hello, it is the latest version 10.0.12010.0

Marcos (Administrators), posted April 11, 2023

To start off, please provide:

1. A Procmon boot log saved in an unfiltered PML format and compressed
2. Logs collected with ESET Log Collector

Prior to generating the PML log, make sure to temporarily disable Protected service in the HIPS setup and reboot the server. If the logs are too big to upload here, upload them to a file sharing service and drop me a private message with download links.

GDELAVAQUERIE, posted April 14, 2023

Hello Thomas, did you find a tip for your problem other than stopping the machine? I have the same problem for the second time on several servers (physical and virtual) after 5-6 days (Thursday or Friday).

Thomas Fincke (Author), posted April 14, 2023

Hello, unfortunately I don't have a solution yet, but maybe it really is an ESET problem then. I have now reinstalled ESET on a server and continue to monitor.

GDELAVAQUERIE, posted April 14, 2023

Thomas, you haven't had a return of the problem since the last forced restart or reinstallation of ESET? How many days of activity do your servers have?

Marcos (Administrators), posted April 14, 2023

51 minutes ago, GDELAVAQUERIE said:
> Hello Thomas, did you find a tip for your problem other than stopping the machine? I have the same problem for the second time on several servers (physical and virtual) after 5-6 days (Thursday or Friday).

Please provide logs collected with ESET Log Collector. In Thomas' logs I noticed catalog errors only from April 11:

CatalogDB: 10:56:10 11.04.2023: catadnew.cpp at line #1534 encountered error 0x800700c1

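Added example, not part of the thread and not ESET or Microsoft code: the CatalogDB line quoted in the post above ends in an HRESULT, and this Python code parses lines of that shape and splits the value into its failure bit, facility and code, which shows that 0x800700c1 wraps Win32 error 193 (ERROR_BAD_EXE_FORMAT). The regular expression, the function names and the second sample line are assumptions made for the example.

```python
import re
from datetime import datetime

# Layout as quoted in the thread:
# "CatalogDB: HH:MM:SS DD.MM.YYYY: <file> at line #<n> encountered error 0x<hex>"
CATALOG_RE = re.compile(
    r"CatalogDB:\s+(\d{2}:\d{2}:\d{2})\s+(\d{2}\.\d{2}\.\d{4}):\s+"
    r"(\S+) at line #(\d+) encountered error (0x[0-9a-fA-F]{8})"
)

FACILITY_WIN32 = 7
# Small subset of Win32 error codes from winerror.h; extend as needed.
WIN32_NAMES = {
    2: "ERROR_FILE_NOT_FOUND",
    5: "ERROR_ACCESS_DENIED",
    193: "ERROR_BAD_EXE_FORMAT",
}


def decode_hresult(value):
    """Split a 32-bit HRESULT into failure bit, facility and code."""
    failure = bool((value >> 31) & 1)      # bit 31: severity (1 = failure)
    facility = (value >> 16) & 0x7FF       # bits 16-26: facility
    code = value & 0xFFFF                  # bits 0-15: error code
    name = WIN32_NAMES.get(code) if facility == FACILITY_WIN32 else None
    return {"failure": failure, "facility": facility, "code": code, "win32_name": name}


def parse_catalog_errors(text):
    """Return one record per CatalogDB error line found in text."""
    records = []
    for m in CATALOG_RE.finditer(text):
        when = datetime.strptime(f"{m.group(2)} {m.group(1)}", "%d.%m.%Y %H:%M:%S")
        rec = {"time": when, "source": m.group(3), "line": int(m.group(4))}
        rec.update(decode_hresult(int(m.group(5), 16)))
        records.append(rec)
    return records


# First line is the one quoted in the thread; the second is constructed for this example.
SAMPLE = """\
CatalogDB: 10:56:10 11.04.2023: catadnew.cpp at line #1534 encountered error 0x800700c1
CatalogDB: 10:56:12 11.04.2023: catadnew.cpp at line #1534 encountered error 0x80070005
"""

if __name__ == "__main__":
    for r in parse_catalog_errors(SAMPLE):
        print(r["time"].isoformat(), r["source"], r["line"], r["code"], r["win32_name"])
```
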
Marcos (Administrators), posted April 14, 2023

We suggest repairing the catalog db as per https://social.technet.microsoft.com/wiki/contents/articles/13827.windows-server-2008-event-id-257-system-catalog-database-integrity.aspx and monitoring the situation then.

Thomas Fincke (Author), posted April 14, 2023

2 hours ago, GDELAVAQUERIE said:
> Thomas, you haven't had a return of the problem since the last forced restart or reinstallation of ESET? How many days of activity do your servers have?

The last reboot I did was on 11.04. (that was also the last time the problem existed). I have reinstalled ESET today. The problems occurred so far on 29.03. and 11.04. with this server. Since 11.04. no longer, but only a little time has passed.

GDELAVAQUERIE, posted April 14, 2023

4 hours ago, Marcos said:
> Please provide logs collected with ESET Log Collector. In Thomas' logs I noticed catalog errors only from April 11:
>
> CatalogDB: 10:56:10 11.04.2023: catadnew.cpp at line #1534 encountered error 0x800700c1

I performed the operation on one of my servers as a witness. However, I had no error in my log. Thanks, Marcos.

Thomas Fincke (Author), posted April 14, 2023

At the moment I have the problem again on a server. However, the collector does not seem to work.

GDELAVAQUERIE, posted April 14, 2023

20 minutes ago, Thomas Fincke said:
> However, the collector does not seem to work.

Indeed, the problem does not only impact the SENS service but also the Office suite, Windows Explorer, the RDS collection, ...

Thomas Fincke (Author), posted April 14, 2023

46 minutes ago, GDELAVAQUERIE said:
> Indeed, the problem does not only impact the SENS service but also the Office suite, Windows Explorer, the RDS collection, ...

I've also read that Kaspersky can also cause this problem. Did you have Kaspersky on these servers before?

Marcos (Administrators), posted April 14, 2023

Did you follow the above instructions for repairing the catalog db which might be the culprit?

Thomas Fincke (Author), posted April 14, 2023

2 minutes ago, Marcos said:
> Did you follow the above instructions for repairing the catalog db which might be the culprit?

Not on the server that has the problems now. The tutorial is for 2008, does it also work on the 2012 R2?

Marcos (Administrators), posted April 15, 2023

Yes, the instructions are valid for any Windows OS.

GDELAVAQUERIE, posted April 16, 2023

The problem now appears on servers without an RDS role. Same symptom: the session gets stuck with 4-5 processes. The Winlogon process is blocked by the SENS service ID (2023-04-16_16h00_07.png). The SENS service is waiting for EKRN.EXE (2023-04-16_16h00_47.png).

On these servers, when I kill the SENS service process, the sessions close. But other problems are still present after reconnecting (Explorer, the ESET GUI, ... don't open) even with the SENS service stopped.

I discovered another symptom: unable to query ESET WMIs but Windows WMIs work.

GDELAVAQUERIE, posted April 16, 2023

On 4/14/2023 at 6:01 PM, Thomas Fincke said:
> I've also read that Kaspersky can also cause this problem. Did you have Kaspersky on these servers before?

No, only ESET.

sdenis, posted April 17, 2023

Good morning,

Under Windows 2019, I encounter the same problem as you and see the same elements as gdelavaquerie in the task manager. Here are more details about the issue:

- 04/05/23: Windows update on 3 RDS servers
- 04/07/23: Session blocked with a message indicating to wait for the system event notification service (SENS) => reboot server => ok
- 04/12/23: User sessions blocked again => uninstallation of ESET on 2 of the 3 servers
- 04/16/23: User sessions blocked on the only server with ESET

ESET is the latest version; ekrn.exe blocks processes.

Here is the list of updates installed since 04/05/23:

- KB4486153
- Servicing stack 10.0.17763.4121
- KB5022504
- KB5023702
- Adobe reader 23.001.20143

Marcos (Administrators), posted April 17, 2023

If the system doesn't start with ESET installed, please follow the instructions at https://forum.eset.com/topic/36081-server-problem-after-reboot-elam:

1. Configure Windows to generate complete memory dumps as per https://support.eset.com/en/kb380
2. Reproduce the system lockup
3. Manually trigger a crash according to the above KB
4. Rename eelam.sys driver in safe mode (ekrn will not load and protect the server)
5. Compress the memory dump and supply it to me in a compressed form along with logs collected with ESET Log Collector.

GDELAVAQUERIE, posted April 19, 2023

Hi, for information, we have downgraded 2 servers to V9 for testing. We are waiting until Thursday-Friday for the return of the bugs.

MickZe, posted April 24, 2023

Experiencing the same issue. Server 2012 R2 in remote desktop deployment. Performance degradation and occasionally logoff sessions getting stuck on "Please wait for "Notification text for system events"".

I've opened a support ticket; if it's not resolved by Wednesday we will uninstall ESET during our maintenance window to see if ESET is to blame.

Marcos (Administrators), posted April 24, 2023

19 minutes ago, MickZe said:
> Experiencing the same issue. Performance degradation and occasionally logoff sessions getting stuck on "Please wait for "Notification text for system events""

This topic is about ekrn.exe not starting with Windows at times, your issue seems to be different. As for performance degradation, does pausing real-time protection for a while make a difference?

Thomas Fincke (Author), posted April 24, 2023

I already think that it is the same problem. Perhaps I have expressed myself in a misleading way. We don't have problems starting ESET, but the programme crashes and we then have problems logging off. After a hard restart, ESET works again.