Issue with Installing Universal Forwarder 9.2.1 on Windows

AlirezaGhanavat
New Member

Hi everyone. I'm currently trying to install the Universal Forwarder on a Windows client. I haven't installed any previous versions of the Universal Forwarder on this client before. After reaching the final stages of the installation, unfortunately, it rolls back and displays a message indicating that the installation wizard did not complete. I'm also attaching the AppCrash report for your reference. Could you please provide some guidance on this?

Edit 1: I would like to add that the client is part of a domain, and it is not beneficial whether I perform the installation with the domain admin user or the local admin user, as I still encounter errors.

Version=1
EventType=APPCRASH
EventTime=133562052818303743
ReportType=2
Consent=1
UploadTime=133562052827678946
ReportStatus=268435456
ReportIdentifier=6a213693-13e6-41a8-8c33-245355f1efbf
IntegratorReportIdentifier=5ed072f0-3e6e-4ece-a001-6e76acdb8b27
Wow64Host=34404
NsAppName=splunkd.exe
OriginalFilename=splunkd.exe
AppSessionGuid=000031bc-0000-000c-9fd1-8bb8fa81da01
TargetAppId=W:00061d36d7ec41eb4da589a3b7ff905efd8600000904!00009bb194c1f79d67ef2b5434b1914ec98a520e1989!splunkd.exe
TargetAppVer=2024//03//21:00:03:19!399d613!splunkd.exe
BootId=4294967295
TargetAsId=32379
IsFatal=1
EtwNonCollectReason=1
Response.BucketId=bb8a2b9d5336153e35c1c445cd31e043
Response.BucketTable=4
Response.LegacyBucketId=1567749949376028739
Response.type=4
Sig[0].Name=Application Name
Sig[0].Value=splunkd.exe
Sig[1].Name=Application Version
Sig[1].Value=2306.256.26107.30017
Sig[2].Name=Application Timestamp
Sig[2].Value=65fb7947
Sig[3].Name=Fault Module Name
Sig[3].Value=mimalloc-override.dll
Sig[4].Name=Fault Module Version
Sig[4].Value=0.0.0.0
Sig[5].Name=Fault Module Timestamp
Sig[5].Value=65dfbfa9
Sig[6].Name=Exception Code
Sig[6].Value=c0000005
Sig[7].Name=Exception Offset
Sig[7].Value=0000000000002ad5
DynamicSig[1].Name=OS Version
DynamicSig[1].Value=10.0.20348.2.0.0.400.8
DynamicSig[2].Name=Locale ID
DynamicSig[2].Value=1033
DynamicSig[22].Name=Additional Information 1
DynamicSig[22].Value=c13a
DynamicSig[23].Name=Additional Information 2
DynamicSig[23].Value=c13a0933a69b5a9aa04a609346aaa13d
DynamicSig[24].Name=Additional Information 3
DynamicSig[24].Value=e9e6
DynamicSig[25].Name=Additional Information 4
DynamicSig[25].Value=e9e669e3acebdf636ea1556b4596e7dd
UI[2]=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
UI[5]=Close
UI[8]=splunkd service stopped working and was closed
UI[9]=A problem caused the application to stop working correctly. Windows will notify you if a solution is available.
UI[10]=&Close
LoadedModule[0]=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
LoadedModule[1]=C:\Windows\SYSTEM32\ntdll.dll
LoadedModule[2]=C:\Windows\System32\KERNEL32.DLL
LoadedModule[3]=C:\Windows\System32\KERNELBASE.dll
LoadedModule[4]=C:\Windows\System32\CRYPT32.dll
LoadedModule[5]=C:\Windows\System32\ucrtbase.dll
LoadedModule[6]=C:\Windows\System32\bcrypt.dll
LoadedModule[7]=C:\Windows\System32\ADVAPI32.dll
LoadedModule[8]=C:\Windows\System32\msvcrt.dll
LoadedModule[9]=C:\Windows\System32\sechost.dll
LoadedModule[10]=C:\Windows\System32\RPCRT4.dll
LoadedModule[11]=C:\Program Files\SplunkUniversalForwarder\bin\mimalloc-override.dll
LoadedModule[12]=C:\Windows\System32\WS2_32.dll
LoadedModule[13]=C:\Windows\System32\USER32.dll
LoadedModule[14]=C:\Windows\System32\win32u.dll
LoadedModule[15]=C:\Windows\System32\GDI32.dll
LoadedModule[16]=C:\Windows\System32\gdi32full.dll
LoadedModule[17]=C:\Windows\System32\msvcp_win.dll
LoadedModule[18]=C:\Windows\System32\SHELL32.dll
LoadedModule[19]=C:\Windows\System32\ole32.dll
LoadedModule[20]=C:\Windows\System32\combase.dll
LoadedModule[21]=C:\Windows\SYSTEM32\ACTIVEDS.dll
LoadedModule[22]=C:\Windows\SYSTEM32\pdh.dll
LoadedModule[23]=C:\Windows\System32\OLEAUT32.dll
LoadedModule[24]=C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll
LoadedModule[25]=C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll
LoadedModule[26]=C:\Windows\SYSTEM32\WINHTTP.dll
LoadedModule[27]=C:\Program Files\SplunkUniversalForwarder\bin\SSLEAY32.dll
LoadedModule[28]=C:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll
LoadedModule[29]=C:\Program Files\SplunkUniversalForwarder\bin\archive.dll
LoadedModule[30]=C:\Program Files\SplunkUniversalForwarder\bin\mimalloc-redirect.dll
LoadedModule[31]=C:\Program Files\SplunkUniversalForwarder\bin\VCRUNTIME140.dll
LoadedModule[32]=C:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll
LoadedModule[33]=C:\Program Files\SplunkUniversalForwarder\bin\LIBEAY32.dll
LoadedModule[34]=C:\Program Files\SplunkUniversalForwarder\bin\MSVCP140.dll
LoadedModule[35]=C:\Windows\SYSTEM32\adsldpc.dll
LoadedModule[36]=C:\Windows\System32\WLDAP32.dll
LoadedModule[37]=C:\Windows\System32\bcryptprimitives.dll
LoadedModule[38]=C:\Program Files\McAfee\Solidcore\SCINJECT_x64.DLL
LoadedModule[39]=C:\Windows\System32\WINTRUST.dll
LoadedModule[40]=C:\Windows\SYSTEM32\NETAPI32.dll
LoadedModule[41]=C:\Windows\SYSTEM32\MPR.dll
LoadedModule[42]=C:\Windows\SYSTEM32\SAMCLI.DLL
LoadedModule[43]=C:\Windows\SYSTEM32\NETUTILS.DLL
LoadedModule[44]=C:\Windows\SYSTEM32\MSASN1.dll
LoadedModule[45]=C:\Windows\SYSTEM32\wkscli.dll
State[0].Key=Transport.DoneStage1
State[0].Value=1
OsInfo[0].Key=vermaj
OsInfo[0].Value=10
OsInfo[1].Key=vermin
OsInfo[1].Value=0
OsInfo[2].Key=verbld
OsInfo[2].Value=20348
OsInfo[3].Key=ubr
OsInfo[3].Value=2322
OsInfo[4].Key=versp
OsInfo[4].Value=0
OsInfo[5].Key=arch
OsInfo[5].Value=9
OsInfo[6].Key=lcid
OsInfo[6].Value=1033
OsInfo[7].Key=geoid
OsInfo[7].Value=244
OsInfo[8].Key=sku
OsInfo[8].Value=8
OsInfo[9].Key=domain
OsInfo[9].Value=1
OsInfo[10].Key=prodsuite
OsInfo[10].Value=400
OsInfo[11].Key=ntprodtype
OsInfo[11].Value=3
OsInfo[12].Key=platid
OsInfo[12].Value=10
OsInfo[13].Key=sr
OsInfo[13].Value=0
OsInfo[14].Key=tmsi
OsInfo[14].Value=222600573
OsInfo[15].Key=osinsty
OsInfo[15].Value=2
OsInfo[16].Key=iever
OsInfo[16].Value=11.1.20348.0-11.0.1000
OsInfo[17].Key=portos
OsInfo[17].Value=0
OsInfo[18].Key=ram
OsInfo[18].Value=32768
OsInfo[19].Key=svolsz
OsInfo[19].Value=99
OsInfo[20].Key=wimbt
OsInfo[20].Value=0
OsInfo[21].Key=blddt
OsInfo[21].Value=210507
OsInfo[22].Key=bldtm
OsInfo[22].Value=1500
OsInfo[23].Key=bldbrch
OsInfo[23].Value=fe_release
OsInfo[24].Key=bldchk
OsInfo[24].Value=0
OsInfo[25].Key=wpvermaj
OsInfo[25].Value=0
OsInfo[26].Key=wpvermin
OsInfo[26].Value=0
OsInfo[27].Key=wpbuildmaj
OsInfo[27].Value=0
OsInfo[28].Key=wpbuildmin
OsInfo[28].Value=0
OsInfo[29].Key=osver
OsInfo[29].Value=10.0.20348.2322.amd64fre.fe_release.210507-1500
OsInfo[30].Key=buildflightid
OsInfo[31].Key=edition
OsInfo[31].Value=ServerDatacenter
OsInfo[32].Key=ring
OsInfo[32].Value=Retail
OsInfo[33].Key=expid
OsInfo[34].Key=fconid
OsInfo[35].Key=containerid
OsInfo[36].Key=containertype
OsInfo[37].Key=edu
OsInfo[37].Value=0
OsInfo[38].Key=servicinginprogress
OsInfo[38].Value=0
FriendlyEventName=Stopped working
ConsentKey=APPCRASH
AppName=splunkd service
AppPath=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
NsPartner=windows
NsGroup=windows8
ApplicationIdentity=C750D84D7F48DB77161DC8FC07E09CE5
MetadataHash=1491437884
0 Karma
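
An added example, not part of the original post and not Splunk code: a small parser for the key=value report format shown above. It extracts the fault signature and lists modules loaded from outside both the Windows directory and the application's own directory, which is a useful first triage step when a security agent might be injecting into the crashing process. The function names `parse_wer` and `triage` are hypothetical, the sample lines are copied from the report above, and a module appearing in the list shows only that it was loaded, not that it caused the crash.

```python
import re

# Abridged sample in the report's key=value format; values copied from the report above.
SAMPLE_WER = r"""
Sig[0].Name=Application Name
Sig[0].Value=splunkd.exe
Sig[3].Name=Fault Module Name
Sig[3].Value=mimalloc-override.dll
Sig[6].Name=Exception Code
Sig[6].Value=c0000005
LoadedModule[1]=C:\Windows\SYSTEM32\ntdll.dll
LoadedModule[11]=C:\Program Files\SplunkUniversalForwarder\bin\mimalloc-override.dll
LoadedModule[38]=C:\Program Files\McAfee\Solidcore\SCINJECT_x64.DLL
LoadedModule[39]=C:\Windows\System32\WINTRUST.dll
AppPath=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
"""

NTSTATUS = {"c0000005": "STATUS_ACCESS_VIOLATION"}  # only the code seen in this report

def parse_wer(text):
    """Return (flat key/value dict, signature dict keyed by Sig name, module paths)."""
    raw = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            raw[key] = value
    sig = {}
    for key, name in raw.items():
        m = re.fullmatch(r"((?:Dynamic)?Sig\[\d+\])\.Name", key)
        if m:  # pair each Sig[n].Name with its Sig[n].Value
            sig[name] = raw.get(m.group(1) + ".Value", "")
    modules = [v for k, v in raw.items() if k.startswith("LoadedModule[")]
    return raw, sig, modules

def _under(path, root):
    # Case-insensitive "path is inside root", as Windows paths compare.
    return path.lower().startswith(root.lower().rstrip("\\") + "\\")

def triage(text, windir=r"C:\Windows"):
    """Summarise the fault and list modules from outside Windows and the app directory."""
    raw, sig, modules = parse_wer(text)
    app_dir = raw["AppPath"].rsplit("\\", 1)[0]
    fault = sig.get("Fault Module Name", "")
    code = sig.get("Exception Code", "").lower()
    return {
        "fault_module": fault,
        "fault_module_in_app_dir": any(_under(m, app_dir) and m.lower().endswith("\\" + fault.lower()) for m in modules),
        "exception": NTSTATUS.get(code, code),
        "foreign_modules": [m for m in modules if not _under(m, windir) and not _under(m, app_dir)],
    }
```

Report.wer files on disk are typically UTF-16 encoded, so decode the file before passing its text to `triage`.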

CheongKing168
Observer

I am also having an issue installing UF v9.2.1 on one of my servers.
Did an uninstallation of the old version and installed the new installer with admin rights.
Disabled the antivirus also.
But it still failed. 2024-04-03_11-27-31.jpg

Any advice on what I can do next?


0 Karma

gcusello
SplunkTrust

Hi @CheongKing168 ,

Try to reinstall the old version, to understand whether the issue is related to the UF version or to the environment.

Then open a case with Splunk Support.

One additional question: which Windows version are you using?

Ciao.

Giuseppe

0 Karma

CheongKing168
Observer

Hi!

I did uninstall the old version, cleaned up the folders and registry, and disabled McAfee Antivirus too.

Did the installation again, and still hit the same issue.

Tried to install the old version back. It now encounters the same issue as the new version installation.

My OS is Windows Server 2016 Standard.


0 Karma

gcusello
SplunkTrust

Hi @CheongKing168 ,

By installing the old version, you know that the issue is in the environment and not in the new version.

Windows 2016 is a certified OS, so this shouldn't be the issue.

Disabling McAfee, this isn't the issue.

I suppose that you already checked the available disk space and the grants of the user used for the installation.

As I said, the only hint is to open a case with Splunk Support: they can analyze the installation logs to understand where the issue is.

Ciao.

Giuseppe


0 Karma

gcusello
SplunkTrust

Hi @AlirezaGhanavat,

First, which user are you using to install the UF? Does it have the grants to install an app?

Do you have an antivirus?

Anyway, in these cases I always open a case with Splunk Support.

Ciao.

Giuseppe

0 Karma

AlirezaGhanavat
New Member

I have followed all the necessary guidelines. The operating system is Windows Server 2022, and I have installed it on a machine that didn't previously have UF installed. I have completely disabled the antivirus. I have performed the installation twice, once with the domain admin and once with the local admin. Each time, I encountered the same issue. The latest installable version on these machines is 9.0.1, and subsequent versions (up to 9.2.1) encounter the same error.

0 Karma