EDR: Windows Sensor Fails to Get Process Info HrError[0x80070490]
search cancel

EDR: Windows Sensor Fails to Get Process Info HrError[0x80070490]

book

Article ID: 287643

calendar_today

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • Windows EDR sensor fails to obtain information from cb driver.
  • Sensor.LOG contains one or all of the following messages:
    • (e): Failed to get process context HrError[0x80070490]
    • (e): DeviceIoControl failed [0x30] HrError[0x80070490]
    • (e): Failed to get proc info from driver <PID>

Environment

  • EDR Windows Sensors: Version 7.x

Cause

The EDR sensor was packaging a protobuf event and asked the EDR kernel driver for information about a particular process (PID is in the error message).  The driver does not have the information and this error is logged. 

Resolution

  • Usually no action is required, the error is informational for tracking that process.

Additional Information

This occurs if the process is terminated prior to the EDR driver loading or the process was terminated and removed from the EDR process cache.
Powered by Wolken Software