EDR Sensor: Upgrade Error: Unable to update ELAM driver HrError[0x80070003]

Article ID: 288119


Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • Windows Sensor fails to upgrade
  • Sensor.log error contains:
ExtractResourceToFile failed for 'cbedrelam' -> 'C:\Windows\ELAMBKUP\cbedrelam.sys' HrError[0x80070003]
Tid[1898] 2021-03-08 21:51:55 (i): Unable to update ELAM driver HrError[0x80070003]

 

Environment

  • EDR Sensor: 6.x - 7.x
  • Microsoft Windows: All Supported Versions
  • Early Launch Antimalware (ELAM) in use

Cause

Third-party products that use "Early Launch Antimalware" (ELAM) drivers are required to keep a copy of the driver in the ELAMBKUP folder. The EDR Sensor installer requires this folder to exist in order to work.

Resolution

The overall solution is to ensure a directory exists at the location specified in the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\EarlyLaunch.

Full Steps:
  1. Check to see if a registry key exists at: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\EarlyLaunch
  2. If the EarlyLaunch registry key DOES exist, note the location it specifies and *CREATE* a directory at that location. (Just make an empty folder.)
  3. If the EarlyLaunch registry key does NOT exist, then create a registry value for it and set it to a non-existent directory (e.g. C:\Windows\ELAMBKUP). Create that same directory on the filesystem.
  4. Attempt the sensor upgrade.
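
Steps 1 to 3 as a PowerShell function, added here as an example and not taken from the vendor article. It assumes the value under EarlyLaunch that holds the directory is named BackupPath with type REG_SZ, as described in Microsoft's ELAM driver documentation; the article itself does not name the value. Repair-ElamBackupFolder is a hypothetical function name.

```powershell
# Added example, not vendor code. Run from an elevated PowerShell prompt.
# Assumption: the directory is stored in a REG_SZ value named BackupPath
# (per Microsoft's ELAM documentation; the article does not name it).
$KeyPath     = 'HKLM:\SYSTEM\CurrentControlSet\Control\EarlyLaunch'
$ValueName   = 'BackupPath'
$DefaultPath = 'C:\Windows\ELAMBKUP'   # example path given in the article

function Repair-ElamBackupFolder {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Step 1: check whether the EarlyLaunch key exists; create it if missing.
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        if ($PSCmdlet.ShouldProcess($KeyPath, 'Create registry key')) {
            New-Item -Path $KeyPath -Force | Out-Null
        }
    }

    # Read the configured location, if one is recorded.
    $prop   = Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    $backup = if ($prop) { $prop.$ValueName } else { $null }

    # Step 3: no location recorded, so write one.
    if ([string]::IsNullOrWhiteSpace($backup)) {
        $backup = $DefaultPath
        if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", "Set to $backup")) {
            New-ItemProperty -Path $KeyPath -Name $ValueName -Value $backup `
                -PropertyType String -Force | Out-Null
        }
    }

    # Steps 2 and 3: make sure the directory exists (an empty folder is enough).
    $backup = [Environment]::ExpandEnvironmentVariables($backup)
    if (-not (Test-Path -LiteralPath $backup -PathType Container)) {
        if ($PSCmdlet.ShouldProcess($backup, 'Create directory')) {
            New-Item -ItemType Directory -Path $backup -Force | Out-Null
        }
    }

    # Report the final state so it can be logged before retrying the upgrade.
    [pscustomobject]@{
        BackupPath = $backup
        Exists     = Test-Path -LiteralPath $backup -PathType Container
    }
}

Repair-ElamBackupFolder -WhatIf   # dry run; remove -WhatIf to apply the changes
```

With -WhatIf the function only reports what it would create, so Exists stays False until it is run without that switch.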