Endpoint Standard: What are these "The operation failed" events with NtQuerySystemInformation being called?
Article ID: 290583
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
There are quite a few Events in the Console showing "NtQuerySystemInformation" with the result "The operation failed". Are these instances where the Sensor has blocked something?
Environment
Carbon Black Cloud Console: All Versions
Endpoint Standard Events
Carbon Black Cloud Sensor: All Versions
Microsoft Windows: All Supported Versions
Resolution
No. These events indicate that the system call itself failed, not that the Sensor enforced a Policy Action (which would be indicated by ttp:POLICY_DENY or ttp:POLICY_TERMINATE). This can be completely normal system behavior: the process typically makes additional attempts to run the call, which then succeed.
Additional Information
There are many reasons this system call can fail; the Sensor is typically just reporting that the call did not complete successfully.
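One common reason, shown here as an added example that is not part of the KB article: the call's own contract is to fail with STATUS_INFO_LENGTH_MISMATCH when the caller's buffer is too small, so the normal sequence a program produces is a failed call followed by a successful retry with a larger buffer. The Python below binds ntdll via ctypes on Windows and uses a constructed stand-in with the same contract elsewhere; `query_with_retry`, `real_nt_query` and `simulated_nt_query` are assumed names, not anything from the product.

```python
import ctypes
import sys

STATUS_SUCCESS = 0x00000000
STATUS_INFO_LENGTH_MISMATCH = 0xC0000004   # documented "buffer too small" status
SystemProcessInformation = 5               # SYSTEM_INFORMATION_CLASS value

def query_with_retry(nt_query, info_class, initial_size=64, max_attempts=8):
    """Call nt_query(info_class, buffer, size, needed) the way user-mode code
    normally does: grow the buffer on STATUS_INFO_LENGTH_MISMATCH and retry.
    Returns (data, attempts, statuses) so the caller can see how many failed
    calls preceded the successful one."""
    size, statuses = initial_size, []
    for attempt in range(1, max_attempts + 1):
        buf = ctypes.create_string_buffer(size)
        needed = ctypes.c_ulong(0)
        status = nt_query(info_class, buf, size, needed) & 0xFFFFFFFF
        statuses.append(status)
        if status == STATUS_SUCCESS:
            return buf.raw[:needed.value], attempt, statuses
        if status != STATUS_INFO_LENGTH_MISMATCH:
            # Any other NTSTATUS is a genuine failure worth investigating.
            raise OSError(f"NtQuerySystemInformation failed: NTSTATUS {status:#010x}")
        # Retry with the size the kernel reported, plus slack in case the data grew.
        size = max(needed.value, size * 2) + 4096
    raise OSError("buffer never reached the required size")

def real_nt_query():
    """Windows-only binding to ntdll!NtQuerySystemInformation via ctypes."""
    fn = ctypes.WinDLL("ntdll").NtQuerySystemInformation
    fn.restype = ctypes.c_long                       # NTSTATUS
    fn.argtypes = [ctypes.c_ulong, ctypes.c_void_p, ctypes.c_ulong,
                   ctypes.POINTER(ctypes.c_ulong)]
    return lambda cls, buf, size, needed: fn(cls, buf, size, ctypes.byref(needed))

def simulated_nt_query(payload: bytes):
    """Constructed stand-in with the same contract as the real call, so the
    retry behaviour can be exercised and tested off Windows."""
    def nt_query(info_class, buf, size, needed):
        needed.value = len(payload)
        if size < len(payload):
            return STATUS_INFO_LENGTH_MISMATCH   # the "failed" call the Sensor logs
        ctypes.memmove(buf, payload, len(payload))
        return STATUS_SUCCESS
    return nt_query

if __name__ == "__main__":
    query = real_nt_query() if sys.platform == "win32" else simulated_nt_query(b"x" * 10_000)
    data, attempts, statuses = query_with_retry(query, SystemProcessInformation)
    print(f"{len(data)} bytes after {attempts} calls; statuses {[hex(s) for s in statuses]}")
```

On a live Windows host the first call with the 64-byte buffer is the event the Sensor reports as failed, and the retry is the one that succeeds; a status other than STATUS_INFO_LENGTH_MISMATCH is the case worth looking into.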