
Windows OS stuck at login post reboot potentially caused by sisnat.exe


Article ID: 175859


Updated On:

Products

Endpoint Protection

Issue/Introduction

After an upgrade of Endpoint Protection, the system gets stuck at the Windows login screen following the reboot.

SIS log
The SIS log shows that the registry flush failed several times:
-12T21:51:28.350Z WARN  I NAT  SetExecutorInProgress() - Failed to flush the registry key. 0xC000014D = An I/O operation initiated by the Registry failed unrecoverably. The Registry could not read in, or write out, or flush, one of the files that contain the system's image of the Registry.  


Memory dump analysis shows SISNAT requesting a reboot:

 c ffffd000c7976b00 00007ffa6b79206a nt!KiSystemServiceCopyEnd+0x13                                                                       
 d 00000028d4d4f9d8 00000000613bcb02 ntdll!NtShutdownSystem+0xa                                                                           
 e 00000028d4d4f9e0 00000028d4ea3148 sisnat << shut down request

Environment

Windows Server 2012 R2 64-bit

Cause

There are SEP drivers running in native mode. SISNAT sets their start type to 3 (on-demand) and tries to reboot. This is where the deadlock occurs.

The SEP drivers are set to on-demand start at three points:
1) during migration, by the pre-reboot SIS,
2) by SIS running in ccSvcHst when it gets a system shutdown event, and
3) in SISNAT.

Scenario 1 - succeeds, but the month that passed before the actual reboot caused some issues. Content updates likely caused the SEP driver start types to be remediated and changed back to 1 (system start).

Scenario 2 - doesn't get to run because Microsoft set the Windows service timeout to 5 seconds; it used to be 30 seconds. In effect, the system shuts down after 5 seconds and does not allow services to finish any shutdown operations.

Scenario 3 - the last attempt by SEP to set the start type, to ensure that no SEP drivers are running in native mode, so that the migration can complete.

Resolution

This issue is fixed in Symantec Endpoint Protection (SEP) 14.3 RU1. For information on how to obtain the latest build of Symantec Endpoint Protection, see Download the latest version of Symantec software.

Workaround:

Allow scenario 2 to execute to avoid scenario 3 and the deadlock. Setting the Windows service timeout to 30 seconds allows SIS to execute during system shutdown.

Have the customer change the following registry value to increase the timeout from 5 seconds (5000 ms) to 30 seconds (30000 ms).

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control 

WaitToKillServiceTimeout = 30000
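
One way to check and apply the workaround above from an elevated PowerShell session. This is an added example, not Broadcom-supplied code; the function name Set-ServiceKillTimeout is hypothetical, and the script assumes the value is stored as a string (REG_SZ), which is how Windows keeps WaitToKillServiceTimeout.

```powershell
# Added example, not Broadcom code. Run from an elevated PowerShell session.
# Set-ServiceKillTimeout is a hypothetical helper name.
function Set-ServiceKillTimeout {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [int]$TargetMs = 30000   # 30 seconds, the value given in the workaround
    )

    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control'
    $name = 'WaitToKillServiceTimeout'

    # Read the current value without raising an error if it is absent.
    $props   = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    $current = if ($props) { $props.$name } else { $null }

    if ($null -eq $current) {
        Write-Output "$name is not set."
    } else {
        Write-Output "$name is currently '$current' (milliseconds)."
    }

    # The value is a string (REG_SZ), so parse it before comparing.
    $currentMs = 0
    $parsed = [int]::TryParse([string]$current, [ref]$currentMs)
    if ($parsed -and $currentMs -ge $TargetMs) {
        Write-Output "Already at or above $TargetMs ms; no change made."
        return
    }

    # Honors -WhatIf and -Confirm; writes the value back as REG_SZ.
    if ($PSCmdlet.ShouldProcess("$key\$name", "Set to $TargetMs")) {
        Set-ItemProperty -Path $key -Name $name -Value ([string]$TargetMs) -Type String
        $after = (Get-ItemProperty -Path $key -Name $name).$name
        Write-Output "$name changed from '$current' to '$after'."
    }
}

# Preview only; remove -WhatIf to apply the change.
Set-ServiceKillTimeout -WhatIf
```

The printed previous value is the one to restore once the endpoint has been upgraded to a fixed build.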

Note: Symantec is aware of this issue; we will update this document once the fix is available.

Additional Information

ESCRT-2299