Endpoint Standard: What are these "The operation failed" events with NtQuerySystemInformation being called?


Article ID: 290583


Updated On:

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

There are quite a few Events in the Console showing "NtQuerySystemInformation" where it shows "The operation failed". Are these times where the Sensor has blocked something?

Environment

  • Carbon Black Cloud Console: All Versions
    • Endpoint Standard Events
  • Carbon Black Cloud Sensor: All Versions
  • Microsoft Windows: All Supported Versions

Resolution

No. These events indicate that the system call itself failed, not that the Sensor enforced a Policy Action (enforcement is indicated by ttp:POLICY_DENY or ttp:POLICY_TERMINATE). This can be completely normal system behavior, as there will typically be additional attempts to run the call which then succeed.

Additional Information

There are many reasons this system call can fail; the Sensor is typically just reporting that the call did not complete successfully.
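The Resolution and Additional Information sections above both come down to one triage rule: an event is enforcement only when it carries ttp:POLICY_DENY or ttp:POLICY_TERMINATE, and a bare "The operation failed" on NtQuerySystemInformation is informational, usually followed by a retry that succeeds. The following is an added example of that triage logic applied to exported event records; it is not Carbon Black code and not from this article. The record field names (`timestamp`, `process`, `api_call`, `description`, `ttps`) and the sample events are constructed assumptions, so map them to the columns of your own Console export before use.

```python
# Added triage example, not Carbon Black code. The record layout and the
# sample events below are constructed assumptions for illustration only.
from collections import Counter

# TTPs named in the article as the only indication of a Sensor Policy Action.
ENFORCEMENT_TTPS = {"POLICY_DENY", "POLICY_TERMINATE"}
FAILURE_TEXT = "the operation failed"


def classify_event(event: dict) -> str:
    """Return 'enforced', 'api_failure' or 'other' for one event record."""
    ttps = {t.replace("ttp:", "").upper() for t in event.get("ttps", [])}
    if ttps & ENFORCEMENT_TTPS:
        return "enforced"
    if FAILURE_TEXT in event.get("description", "").lower():
        return "api_failure"
    return "other"


def summarize(events) -> dict:
    """Count events per category so the noisy failures are visible at a glance."""
    return dict(Counter(classify_event(e) for e in events))


def failed_api_calls(events, api="NtQuerySystemInformation") -> list:
    """Records that are plain failures of the named call with no enforcement TTP."""
    return [e for e in events
            if e.get("api_call") == api and classify_event(e) == "api_failure"]


def retried_successfully(events, api="NtQuerySystemInformation") -> set:
    """Processes whose failed call to `api` is followed later by a successful one.

    This is the "additional attempts which then succeed" pattern from the article:
    a process that appears here produced a failure that is expected behaviour.
    """
    ordered = sorted(events, key=lambda e: e["timestamp"])
    pending, recovered = set(), set()
    for e in ordered:
        if e.get("api_call") != api:
            continue
        kind = classify_event(e)
        proc = e["process"]
        if kind == "api_failure":
            pending.add(proc)
        elif kind == "other" and proc in pending:
            recovered.add(proc)
            pending.discard(proc)
    return recovered


# Constructed sample records (not real Console output). Timestamps are ordinal.
SAMPLE_EVENTS = [
    {"timestamp": 1, "process": "svchost.exe", "api_call": "NtQuerySystemInformation",
     "description": "The operation failed", "ttps": []},
    {"timestamp": 2, "process": "svchost.exe", "api_call": "NtQuerySystemInformation",
     "description": "The operation succeeded", "ttps": []},
    {"timestamp": 3, "process": "tool.exe", "api_call": "NtQuerySystemInformation",
     "description": "The operation failed", "ttps": []},
    {"timestamp": 4, "process": "tool.exe", "api_call": "NtQuerySystemInformation",
     "description": "The application was blocked by policy", "ttps": ["ttp:POLICY_DENY"]},
]


if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))
    print("plain failures:", len(failed_api_calls(SAMPLE_EVENTS)))
    print("failure then success:", sorted(retried_successfully(SAMPLE_EVENTS)))
```

Only the `tool.exe` record with ttp:POLICY_DENY is counted as enforcement; the two "The operation failed" records are classified as informational, and `svchost.exe` is reported as a process whose failed call was followed by a successful one, which is the benign pattern the article describes.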