Endpoint Standard: wmiprvse.exe Blocked by Cb Defense for trying to modify registry key 077B0BFA804941D4B86DDDC31668BA3C

Article ID: 289687

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

  • A relevant event shows: The application C:\windows\system32\wbem\wmiprvse.exe attempted to modify the Windows Registry Key\Value Name = "\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\98113471A04147740B565CE52B278F1E\077B0BFA804941D4B86DDDC31668BA3C". The operation was blocked by Cb Defense.
  • The Confer log shows several events related to Windows SCCM, along with install events for an earlier version of the sensor than the one that is installed.
  • These are similar to lines such as: \device\harddiskvolume4\windows\ccmcache\r\installer_vista_win7_win8-64-3.2.1.51.msi

Environment

  • Endpoint Standard Sensor 3.x
  • Windows endpoints (all supported versions). 

Cause

An SCCM job is attempting to downgrade the sensor to a version older than the one currently installed. This triggers the sensor's 'downgrade protection', which blocks SCCM from writing the protected registry keys.
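To confirm this cause from collected log text, the following check correlates the blocked `UpgradeCodes` write with sensor MSIs run from `ccmcache` that are older than the installed sensor. It is an added example, not Carbon Black code; the function names, the one-event-per-line log layout, the sample timestamps, and the versions `3.6.0.100` and `3.9.0.1` are assumptions constructed for illustration.

```python
import re

# MSI name pattern taken from the log line quoted in this article; the bitness
# and version fields are generalised (assumption about other sensor builds).
MSI_RE = re.compile(
    r"\\ccmcache\\(?:[^\\\s]+\\)*(installer_vista_win7_win8-\d+-(\d+(?:\.\d+)+)\.msi)",
    re.IGNORECASE,
)
# Matches the blocked-write event text quoted in this article.
BLOCK_RE = re.compile(
    r"wmiprvse\.exe.*\\Classes\\Installer\\UpgradeCodes\\.*blocked", re.IGNORECASE
)

def parse_version(text, width=4):
    """Turn '3.2.1.51' into (3, 2, 1, 51), zero-padded so lengths compare fairly."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (width - len(parts)))

def triage(lines, installed_version):
    """Correlate blocked UpgradeCodes writes with older sensor MSIs run from ccmcache."""
    installed = parse_version(installed_version)
    older_msis, blocked_writes = [], 0
    for line in lines:
        if BLOCK_RE.search(line):
            blocked_writes += 1
        m = MSI_RE.search(line)
        if m and parse_version(m.group(2)) < installed:
            older_msis.append((m.group(1), m.group(2)))
    return {
        "blocked_writes": blocked_writes,
        "older_msis": sorted(set(older_msis)),
        "likely_sccm_downgrade": blocked_writes > 0 and bool(older_msis),
    }

# Constructed sample input: the timestamps and line layout are invented for
# this example; only the path and the event text come from the article.
SAMPLE = [
    r'2024-01-01 10:00:01 \device\harddiskvolume4\windows\ccmcache\r\installer_vista_win7_win8-64-3.2.1.51.msi',
    r'2024-01-01 10:00:02 The application C:\windows\system32\wbem\wmiprvse.exe attempted to modify the Windows Registry Key\Value Name = "\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\98113471A04147740B565CE52B278F1E\077B0BFA804941D4B86DDDC31668BA3C". The operation was blocked by Cb Defense.',
    r'2024-01-01 10:00:03 \device\harddiskvolume4\windows\ccmcache\s\installer_vista_win7_win8-64-3.9.0.1.msi',
]

if __name__ == "__main__":
    # "3.6.0.100" is a placeholder for the sensor version actually installed.
    print(triage(SAMPLE, "3.6.0.100"))
```

A result with `likely_sccm_downgrade` set to true points at an SCCM deployment that still targets the older MSI listed in `older_msis`.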

Resolution

Sensor versions 3.6.x and below currently have no downgrade or rollback capability; the only option is to uninstall and reinstall.