brentil
Level 12

HIPS8 + W7 SP1 == Fatal Error C0000022

I've got a thread over at the MS Technet forums where we've narrowed down that having HIPS8 on a W7 machine (64bit or 32bit) will break the installation of SP1 for said OS.

http://social.technet.microsoft.com/Forums/en-US/w7itproinstall/thread/e92f68c7-c02f-46bb-8fc4-b58a0...

In essence, during the pre-boot process of the SP installation it is failing to write out a new registry hive area and this is only failing on machines running HIPS8. This results in a Fatal Error C0000022 which I've replicated on about 6 machines out of a testbed of 12 and the common link for the broken ones is HIPS8. I spun up a ton of VMs to do testing against and proved this as well.

The 32bit machine had signature set 3740 and the 64bit machines had 3709 because the 64bit update process is broken.

https://community.mcafee.com/message/170441#170441

I'm in the process of setting up a test machine to test signature set 3753 to see if it resolves this issue or not.

0 Kudos
1 Solution

Accepted Solutions
brentil
Level 12

Yup that did it. Disabling the "Startup IPS protection enabled" setting allows the W7 SP1 to install to completion.

Since this seems to be more of an admin selection item it should be added to a McAfee tech doc alerting users to disable this setting during SP installation.  Oddly this setting has been set since we started testing this product since it came out and this is the first item that has caused this issue.

12 Replies
brentil
Level 12

Of note this can be fixed by pressing F8 and loading into Safe Mode.  The SP1 installation will complete and reboot the computer and "seems" to function as normal afterwards.

0 Kudos
McAfee Employee

I would suggest: KB54778 - Applying OS Patches when Host Intrusion Prevention agent is enabled in protect mode

0 Kudos
brentil
Level 12

I will review that information and test it against the W7 SP1 installs to see if it resolves it. The install process works perfectly fine with HIPS7 running though, only HIPS8 so it's something that should still be reviewed by McAfee in my opinion.

0 Kudos
brentil
Level 12

Actually I just verified that HIPS8 on all of these machines is already in adaptive mode. There are no new policies being made or any blocks/warnings being thrown during this entire process.

0 Kudos
brentil
Level 12

I've run through a series of test systems over and over again now with different configurations.

  • No HIPS - SP1 Success
  • HIPS7 - SP1 Success
  • HIPS8 3709 32bit/64bit - Fatal Error C0000022 & No HIPS alerts reported
  • HIPS8 3753 32bit (since it fails to install on 64bit) - Fatal Error C0000022 & No HIPS alerts reported
  • HIPS8 Adaptive Mode - Fatal Error C0000022 & No HIPS alerts reported
  • HIPS8 Adaptive Mode and Low/Warning Mode - SP1 Success & No Detection
  • HIPS8 Services Disabled - SP1 Success

Every time a system fails it is always on the same registry key.  In W7 Gold this hive does not exist and is being created by the SP1 installer.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RdpVideoMiniport\Security

However I did just get one of the machines that failed after getting it to fix itself in Safe mode to drop an alert finally when I let it load in safe mode with networking.

Signature ID 3829

POQEXEC.EXE

I've just added a rule for it and I'm going to test another deployment.

0 Kudos
brentil
Level 12

Nope, that didn't do it.  It still Fatal Error C0000022's with that setting in place.  Booting that machine in safe mode now to see if it throws another alert.

So far the only solution is HIPS Off or HIPS in Log mode only.

Message was edited by: brentil on 2/25/11 8:31:26 AM GMT-05:00
0 Kudos
brentil
Level 12

The install finally fixed itself and made it to Windows and in doing so has now fed 4 more items into the ePO system.

Signature ID 111 - NETCFG.EXE

Signature ID 1148 - SVCHOST.EXE

Signature ID 111 - DRVINST.EXE

Signature ID 850 - SERVICES.EXE

However I'm not sure which of these are just post SP items or things related to installation.  Going to permit them and try again...

0 Kudos
brentil
Level 12

I was looking over settings again and came across the "Startup IPS protection enabled" which is enabled. I had completely forgotten about this setting which is new to HIPS8 I believe and it's enabled. I'm betting this is the issue since it puts a set of hard blocks on files and registry settings prior to system booting which is when this issue occurs. I've changed this setting now and retesting.

0 Kudos