App Control: Multiple GUID In The Registry Health Check FailureId[1010]
search cancel

App Control: Multiple GUID In The Registry Health Check FailureId[1010]

book

Article ID: 286596

calendar_today

Updated On:

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

The Agent is reporting failed Health Checks similar to:
Carbon Black App Control Agent detected a problem: Carbon Black App Control Agent has multiple GUID in the registry key [SOFTWARE\Classes\Installer\UpgradeCodes\BE699B28D1B16A04D9F1AA3A0C28A1C9] - expected[304D10CA0DAEE634D99BFBEE43FD4229], actual[304D10CA0DAEE634D99BFBEE43FD4229|18633383D60BA99428F49BE443CC1879]. Options[00000003] TotalFailures[3] FailureId[1010]

Environment

  • App Control Agent: Version 8.9.0+
  • Microsoft Windows: All Supported Versions

Cause

The original Agent installation files were not persisted on the endpoint, or the files were removed at some point. Typically these files exist in C:\Windows\Installer\ and when deployed via SCCM or similar the option to persist the installation media was not enabled.

When the installation media does not exist, during the next upgrade Windows Installer will make a "best effort" to remove the related files. This can result in registry keys or other miscellaneous files being left behind.

Resolution

  1. Open a command prompt on the endpoint and issue the following command:
    "C:\Program Files (x86)\Bit9\Parity Agent\DasCLI.exe" status
  2. Verify the Version Information returned shows the same versions for: CLI, Agent, Kernel. Example:
    CLI:        8.9.2.1616 9/29/2023 1:09:34 PM
    Agent:      8.9.2.1616 9/29/2023 1:09:34 PM
    Kernel:     8.9.2.1616 9/29/2023 1:09:34 PM

Additional Information

  • This Health Check was introduced with the release of Agent version 8.9.0.
  • If the versions do not match, this is typically caused by forcing the upgrade through by disabling Tamper Protection.
  • If the versions match, this is typically caused by the original installation media (ex: Policy-Installer.msi) not being cached on the endpoint.

Attachments

AgentRegClean.ps1 get_app