Hello everyone,
It seems that since a Deep Security Manager update performed by our security team on a server, our supervision does not work anymore. We are receiving errors like this in Event Viewer:
Faulting application name: NaCl64.exe, version: 2.1.2.32, time stamp: 0x00000000
Faulting module name: ntdll.dll, version: 10.0.14393.3986, time stamp: 0x5f77fd0d
Exception code: 0xc0000005
Fault offset: 0x000000000003469c
Faulting process id: 0x20
Faulting application start time: 0x01d703a91e57082b
Faulting application path: C:\Program Files\XX\XX\XX\NaCl64.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: 5e97f4df-a29d-419b-ac0d-395618532ede
Faulting package full name:
The application is run by a service launched by the Local System account.
According to what I read on forums, it seems there is a permission issue.
To test it, I configured the service to run with my admin account -> it worked perfectly after that, but we want to keep the initial config.
So we checked:
- NTFS rights -> Nothing suspicious
- Local policy “log on as a service” -> Nothing either
- gpresult -> Nothing suspicious, but as I don’t know every rule I might have missed something.
Question -> Do you have any idea of what else to check?
Below is the WER report:
Version=1
EventType=APPCRASH
EventTime=132579566119256819
ReportType=2
Consent=1
UploadTime=132579575533127660
ReportIdentifier=f49e6b11-705c-11eb-9690-0050569e252f
IntegratorReportIdentifier=0c30ecaa-6a33-4c10-89a2-389385525278
NsAppName=NaCl64.exe
AppSessionGuid=00002c9c-0000-0036-7185-bbb66904d701
TargetAppId=W:0006489a5b316168b3a74c79dcdce0e4005a00000904!000035a06307c2ea70f65a20b6f89eb6ad05cdf42001!NaCl64.exe
TargetAppVer=1970//01//01:00:00:00!16101!NaCl64.exe
BootId=4294967295
Response.type=4
Sig[0].Name=Application Name
Sig[0].Value=NaCl64.exe
Sig[1].Name=Application Version
Sig[1].Value=2.1.2.32
Sig[2].Name=Application Timestamp
Sig[2].Value=00000000
Sig[3].Name=Fault Module Name
Sig[3].Value=ntdll.dll
Sig[4].Name=Fault Module Version
Sig[4].Value=10.0.14393.4225
Sig[5].Name=Fault Module Timestamp
Sig[5].Value=60124392
Sig[6].Name=Exception Code
Sig[6].Value=c0000005
Sig[7].Name=Exception Offset
Sig[7].Value=000000000003472c
DynamicSig[1].Name=OS Version
DynamicSig[1].Value=10.0.14393.2.0.0.272.7
DynamicSig[2].Name=Locale ID
DynamicSig[2].Value=1033
DynamicSig[22].Name=Additional Information 1
DynamicSig[22].Value=3df7
DynamicSig[23].Name=Additional Information 2
DynamicSig[23].Value=3df737fb699df369502c79ca27a65141
DynamicSig[24].Name=Additional Information 3
DynamicSig[24].Value=8dc3
DynamicSig[25].Name=Additional Information 4
DynamicSig[25].Value=8dc39f7e120aec04564d7c0e96489aad
UI[2]=C:\Program Files\XX\XX\XX\NaCl64.exe
UI[5]=Check online for a solution (recommended)
UI[6]=Check for a solution later (recommended)
UI[7]=Close
UI[8]=Nagios Client 'NaCl' v2.1.2 build 32 stopped working and was closed
UI[9]=A problem caused the application to stop working correctly. Windows will notify you if a solution is available.
UI[10]=&Close
LoadedModule[0]=C:\Program Files\XX\XX\XX\NaCl64.exe
LoadedModule[1]=C:\Windows\SYSTEM32\ntdll.dll
LoadedModule[2]=C:\Windows\System32\KERNEL32.DLL
LoadedModule[3]=C:\Windows\System32\KERNELBASE.dll
LoadedModule[4]=C:\Windows\System32\ADVAPI32.dll
LoadedModule[5]=C:\Windows\System32\msvcrt.dll
LoadedModule[6]=C:\Windows\System32\sechost.dll
LoadedModule[7]=C:\Windows\System32\RPCRT4.dll
LoadedModule[8]=C:\Windows\System32\USER32.dll
LoadedModule[9]=C:\Windows\System32\win32u.dll
LoadedModule[10]=C:\Windows\System32\GDI32.dll
LoadedModule[11]=C:\Windows\System32\gdi32full.dll
LoadedModule[12]=C:\Windows\system32\tmumh\20019\AddOn\8.53.0.1066\TmUmEvt64.dll
LoadedModule[13]=C:\Windows\System32\PSAPI.DLL
LoadedModule[14]=C:\Windows\system32\tmumh\20019\TmMon\2.8.0.1045\tmmon64.dll
LoadedModule[15]=C:\Program Files\XX\XX\XX\NaCl64.dll
LoadedModule[16]=C:\Windows\System32\SHELL32.dll
LoadedModule[17]=C:\Windows\System32\cfgmgr32.dll
LoadedModule[18]=C:\Windows\System32\windows.storage.dll
LoadedModule[19]=C:\Windows\System32\combase.dll
LoadedModule[20]=C:\Windows\System32\ucrtbase.dll
LoadedModule[21]=C:\Windows\System32\bcryptPrimitives.dll
LoadedModule[22]=C:\Windows\System32\powrprof.dll
LoadedModule[23]=C:\Windows\System32\shlwapi.dll
LoadedModule[24]=C:\Windows\System32\kernel.appcore.dll
LoadedModule[25]=C:\Windows\System32\shcore.dll
LoadedModule[26]=C:\Windows\System32\profapi.dll
LoadedModule[27]=C:\Windows\System32\WS2_32.dll
LoadedModule[28]=C:\Windows\SYSTEM32\NETAPI32.dll
LoadedModule[29]=C:\Windows\SYSTEM32\WININET.dll
LoadedModule[30]=C:\Windows\SYSTEM32\NETUTILS.DLL
LoadedModule[31]=C:\Windows\SYSTEM32\SRVCLI.DLL
LoadedModule[32]=C:\Windows\SYSTEM32\SAMCLI.DLL
State[0].Key=Transport.DoneStage1
State[0].Value=1
FriendlyEventName=Stopped working
ConsentKey=APPCRASH
AppName=Nagios Client 'NaCl' v2.1.2 build 32
AppPath=C:\Program Files\XX\XX\XX\NaCl64.exe
NsPartner=windows
NsGroup=windows8
ApplicationIdentity=1C113DBAC7045F86122AE3B2757C6282
MetadataHash=1481117901
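Added example, not part of the original post: a small triage script for a Report.wer like the one above, which pulls out the crash signature and lists every loaded module that comes from neither the application's own directory nor directly from a Windows system directory. The function names, the shortened sample excerpt and the `SYSTEM_DIRS` paths are assumptions made for this illustration.

```python
import ntpath
import re

# Constructed sample: a shortened excerpt of the WER report posted above.
SAMPLE_WER = r"""Version=1
EventType=APPCRASH
Sig[0].Name=Application Name
Sig[0].Value=NaCl64.exe
Sig[3].Name=Fault Module Name
Sig[3].Value=ntdll.dll
Sig[6].Name=Exception Code
Sig[6].Value=c0000005
LoadedModule[0]=C:\Program Files\XX\XX\XX\NaCl64.exe
LoadedModule[1]=C:\Windows\SYSTEM32\ntdll.dll
LoadedModule[12]=C:\Windows\system32\tmumh\20019\AddOn\8.53.0.1066\TmUmEvt64.dll
LoadedModule[14]=C:\Windows\system32\tmumh\20019\TmMon\2.8.0.1045\tmmon64.dll
LoadedModule[15]=C:\Program Files\XX\XX\XX\NaCl64.dll
AppPath=C:\Program Files\XX\XX\XX\NaCl64.exe
"""

# Assumption: Windows installed in the default location.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def parse_wer(text):
    """Return (signature dict, ordered module paths, AppPath) from Report.wer text."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    sig = {}
    for key, value in fields.items():
        m = re.fullmatch(r"Sig\[(\d+)\]\.Name", key)
        if m:  # pair each Sig[n].Name with its Sig[n].Value
            sig[value] = fields.get(f"Sig[{m.group(1)}].Value", "")
    mods = [(int(m.group(1)), v) for k, v in fields.items()
            if (m := re.fullmatch(r"LoadedModule\[(\d+)\]", k))]
    return sig, [path for _, path in sorted(mods)], fields.get("AppPath", "")


def foreign_modules(modules, app_path):
    """Modules loaded from neither the app's directory nor a system directory."""
    allowed = SYSTEM_DIRS | {ntpath.dirname(app_path).lower()}
    return [p for p in modules if ntpath.dirname(p).lower() not in allowed]


if __name__ == "__main__":
    sig, modules, app_path = parse_wer(SAMPLE_WER)
    print(sig["Exception Code"], sig["Fault Module Name"])
    for path in foreign_modules(modules, app_path):
        print("foreign module:", path)
```

Run against the full report, the only paths it flags are the two DLLs under system32\tmumh. Report.wer files on disk are normally UTF-16 encoded, so open them with `encoding="utf-16"` before passing the text in.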