Re: splunk-winhostmon.exe gets "access is denied"

MikaJustasACN · ‎02-05-2019

Hi All, having an issue with splunk winhostinfo input. All works fine and then randomly the following errors kick in: ERROR ExecProcessor - Couldn't start command ""c:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe"": Access is denied. After the error, it will not even try it again, like it is locked for good. Running 6.6.4 UF. Any idea? Even if it fails, I would expect it to retry on the next scheduled time. Now the only solution is to restart UF.

ccl0utier · ‎02-05-2019

I assume you've already checked things like Antivirus & Firewalling?

Reading elsewhere it would seem the newer versions (6.6.7+ of the UF) have a fix to restart the winhostmon.exe based input after such a failure, so your solution would likely be to upgrade your UFs.

MikaJustasACN · ‎02-06-2019

I have not seen anywhere documented about 6.6.7+, at least in fixed issues it does not exist. I read somewhere that people had issues with version 5.x. Do you have source of where you found this?

ccl0utier · ‎02-06-2019

This is mentioned by a colleague here:

https://answers.splunk.com/answers/716685/splunk-universal-forwarder-suddenly-stop-receiving.html

I've also checked internally, and this issue was reported as SPL-155042and might have had to do with Symantec Endpoint protection blocking the process. If you use that, it might be worth disabling it via a rule to whitelist the UF input executables. It was confirmed that upgrading to the versions listed below fixed the issue.

The fix to restart the various Windows inputs on a UF was SPL-144368, included in versions 6.5.8+, 6.6.7+. That should also be in any 7.x versions.

splunk-winhostmon.exe gets "access is denied"

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!