12 Replies. Latest reply: Jun 28, 2013 11:58 AM by brentil

    HIPS8 + W7 SP1 == Fatal Error C0000022

    brentil

      I've got a thread over at the MS Technet forums where we've narrowed down that having HIPS8 on a W7 machine (64bit or 32bit) will break the installation of SP1 for said OS.

       

      http://social.technet.microsoft.com/Forums/en-US/w7itproinstall/thread/e92f68c7-c02f-46bb-8fc4-b58a0431842e

       

      In essence, during the pre-boot process of the SP installation it is failing to write out a new registry hive area and this is only failing on machines running HIPS8.  This results in a Fatal Error C0000022 which I've replicated on about 6 machines out of a testbed of 12 and the common link for the broken ones is HIPS8.  I spun up a ton of VMs to do testing against and proved this as well.

       

       

      The 32bit machine had signature set 3740 and the 64bit machines had 3709 because the 64bit update process is broken.

       

      https://community.mcafee.com/message/170441#170441

       

      I'm in the process of setting up a test machine to test signature set 3753 to see if it resolves this issue or not.

        • 1. HIPS8 + W7 SP1 == Fatal Error C0000022
          brentil

          Of note this can be fixed by pressing F8 and loading into Safe Mode.  The SP1 installation will complete and reboot the computer and "seems" to function as normal afterwards.

          • 2. HIPS8 + W7 SP1 == Fatal Error C0000022
            Kary Tankink

            I would suggest: KB54778 - Applying OS Patches when Host Intrusion Prevention agent is enabled in protect mode

            • 3. HIPS8 + W7 SP1 == Fatal Error C0000022
              brentil

              I will review that information and test it against the W7 SP1 installs to see if it resolves it.  The install process works perfectly fine with HIPS7 running though, only HIPS8 so it's something that should still be reviewed by McAfee in my opinion.

              • 4. HIPS8 + W7 SP1 == Fatal Error C0000022
                brentil

                Actually I just verified that HIPS8 on all of these machines is already in adaptive mode.  There are no new policies being made or any blocks/warnings being thrown during this entire process.

                • 5. HIPS8 + W7 SP1 == Fatal Error C0000022
                  brentil

                  I've run through a series of test systems over and over again now with different configurations.

                   

                  • No HIPS - SP1 Success
                  • HIPS7 - SP1 Success
                  • HIPS8 3709 32bit/64bit - Fatal Error C0000022 & No HIPS alerts reported
                  • HIPS8 3753 32bit (since it fails to install on 64bit) - Fatal Error C0000022 & No HIPS alerts reported
                  • HIPS8 Adaptive Mode - Fatal Error C0000022 & No HIPS alerts reported
                  • HIPS8 Adaptive Mode and Low/Warning Mode - SP1 Success & No Detection
                  • HIPS8 Services Disabled - SP1 Success

                   

                  Every time a system fails it is always on the same registry key.  In W7 Gold this hive does not exist and is being created by the SP1 installer.

                   

                  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RdpVideoMiniport\Security

                   

                  However I did just get one of the machines that failed after getting it to fix itself in Safe mode to drop an alert finally when I let it load in safe mode with networking.

                   

                  Signature ID 3829

                  POQEXEC.EXE

                   

                  I've just added a rule for it and I'm going to test another deployment.

                  • 6. Re: HIPS8 + W7 SP1 == Fatal Error C0000022
                    brentil

                    Nope, that didn't do it.  It still Fatal Error C0000022's with that setting in place.  Booting that machine in safe mode now to see if it throws another alert.

                     

                    So far the only solution is HIPS Off or HIPS in Log mode only.

                     

                    Message was edited by: brentil on 2/25/11 8:31:26 AM GMT-05:00
                    • 7. Re: HIPS8 + W7 SP1 == Fatal Error C0000022
                      brentil

                      The install finally fixed itself and made it to Windows and in doing so has now fed 4 more items into the ePO system.

                       

                      Signature ID 111 - NETCFG.EXE

                      Signature ID 1148 - SVCHOST.EXE

                      Signature ID 111 - DRVINST.EXE

                      Signature ID 850 - SERVICES.EXE

                       

                      However I'm not sure which of these are just post SP items or things related to installation.  Going to permit them and try again...

                      • 8. Re: HIPS8 + W7 SP1 == Fatal Error C0000022
                        brentil

                        I was looking over settings again and came across the "Startup IPS protection enabled" which is enabled.  I had completely forgotten about this setting which is new to HIPS8 I believe and it's enabled.  I'm betting this is the issue since it puts a set of hard blocks on files and registry settings prior to system booting which is when this issue occurs.  I've changed this setting now and retesting.

                        • 9. Re: HIPS8 + W7 SP1 == Fatal Error C0000022
                          brentil

                          Yup that did it.  Disabling the "Startup IPS protection enabled" setting allows the W7 SP1 to install to completion.

                           

                          Since this seems to be more of an admin selection item it should be added to a McAfee tech doc alerting users to disable this setting during SP installation.  Oddly this setting has been set since we started testing this product since it came out and this is the first item that has caused this issue.
