Solved

SEP on Windows XP Embedded

Posted on 2015-01-20
Last Modified: 2015-01-28
I am trying to install Symantec Endpoint Protection on several production PCs with Windows XP Embedded. The installation fails every time. Symantec has said that the Filter Manager service is not installed and sent the following instructions -

Error

Cannot detect File System Filter Manager Driver. This product requires File System Filter Manager Driver in order to function.

Environment

Attempting to install SEP-XPE on Windows XP Embedded machine with a factory default image.

Cause

The fltmgr.sys and fltlib.sys files are missing, and thus unregistered.

Solution

1. From a regular Windows XP install copy these two files to a thumb drive: c:\windows\system32\fltmgr.sys and c:\windows\system32\drivers\fltlib.dll

2. Paste the two files to the target XP Embedded machine, in the same directories they were copied from.

3. Create the following registry keys (a .reg file can be made to make this easier):

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FltMgr]
"Description"="File System Filter Manager Driver"
"DisplayName"="FltMgr"
"ErrorControl"=dword:00000001
"Group"="FSFilter Infrastructure"
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
72,00,69,00,76,00,65,00,72,00,73,00,5c,00,66,00,6c,00,74,00,6d,00,67,00,72,\
00,2e,00,73,00,79,00,73,00,00,00
"Start"=dword:00000000
"Type"=dword:00000002
"Tag"=dword:00000001
"AttachWhenLoaded"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FltMgr\Enum]
"0"="Root\\LEGACY_FLTMGR\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

4. Commit the image.

5. Reboot machine.

You can now install the SEP-XPE agent.


I performed the steps listed above but still could not install SEP. Then they sent these additional instructions -

4. Merge in more registry entries using a RegEdit running as SYSTEM (psexec -sid c:\windows\regedit.exe):
 
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_FLTMGR]
"NextInstance"=dword:00000001
 
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_FLTMGR\0000]
"Service"="FltMgr"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000020
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="FltMgr"
 
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_FLTMGR\0000\Control]
"ActiveService"="FltMgr"
 
5. Reboot the machine


First of all, I am not exactly sure what this means -
"Merge in more registry entries using a RegEdit running as SYSTEM (psexec -sid c:\windows\regedit.exe):"

Second, I tried creating a .reg file as I had before, but when I tried to load it into the registry I got an "error accessing registry" message. If I tried using regedit to add the keys I got an "error writing to the registry" message.

Can anyone help me get the filter manager installed? I have already tried this link - http://support.microsoft.com/KB/914882 - but it is for SP2 and we have SP3.

Please help!

Robert
Question by:RobertEhinger
21 Comments
 
LVL 5

Accepted Solution

by:
Dawid Fusek earned 500 total points
ID: 40560644
ok Robert,

Here is what you need to know.

When you run any program it runs with the logged-on user's permissions (if you don't run it as another user/administrator), and even when this user is an administrator it still doesn't have access to everything in the system. Access to everything has the SYSTEM user, which you can't log on as (or run as) normally; it doesn't have and doesn't need any password, but there is a method of running a program with the SYSTEM user's permissions. The simple and official method and tool for that is the Microsoft Sysinternals PsExec tool, which you can download here:
http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

Then you have to install the psexec tool; it asks you to install a service and will run that service on the SYSTEM user's account, and via that service running with the SYSTEM user's permissions it can run any program with SYSTEM's permissions, which is what you have to do with regedit.exe to add some values to the registry.

The command "psexec -sid c:\windows\regedit.exe" should be used to run regedit.exe with system permissions, and then you have to manually add the new registry entries (which you received from symc), merging them with the existing registry entries, so it means adding new entries and overwriting existing entries with the new ones.

You can also, which will be faster, use the command "psexec -sid c:\windows\regedit.exe /s newdata.reg" to import the new registry entries (where newdata.reg will be a text file with those new registry entries) into the registry; you can also use the "psexec -sid c:\windows\reg.exe import newdata.reg" command, which does the same.

What XP Embedded language and version do you have (x32 or x64 bit ...)??? I think that XP Embedded is only 32 bit, isn't it?
I can share the correct XP files with you; they are also probably available on the internet if one searches a little deeper, but you are never sure it's not a modified/virused one.

regards
NTShad0w
 

Author Comment

by:RobertEhinger
ID: 40560777
It is the 32 bit version. Is the command entered from a command prompt? And where do I save the newdata.reg file?
 
LVL 5

Assisted Solution

by:Dawid Fusek
Dawid Fusek earned 500 total points
ID: 40560967
yes, the command(s) you have to type from the cli (command prompt); you can run the cli by clicking menu Start, then Run, then typing the "cmd.exe" command (and pressing Enter); then into this window you copy and paste the final command.

But before that, you have to create a new text file with the name newdata.txt in the c:\temp folder ("mkdir c:\temp" first if it does not exist), then cd c:\temp and then from the cli change its name to newdata.reg (rename newdata.txt newdata.reg) and paste there all you received from symc support. I created this file for you (in the 1st attachment); I can't test it myself because I don't have the XP Embedded OS, so I believe that you paste exactly what you received from symc support.

But REMEMBER mate, that modifying the registry, especially with the SYSTEM user's permissions, is a VERY RISKY operation and you need to have a backup of the machine where you do it (do it on a test machine), and it rather requires advanced IT knowledge and skills to do it safely, especially by manually creating, deleting and adding keys or any data in the registry database of a system.

So check it first on your test machine, verify that it is working and SEP installs correctly, then check all your applications, and then if all is working OK you may implement it on the rest of the WinXP Embedded machines.

In the second attachment (I can't add it here because of the extension restriction, so I add a link to download it below) there is a compressed (zip) file with the 2 required files from WinXP x32 EN with the correct folder structure; extract it to c:\temp and then copy to the correct locations in your windows folder. The link is here:
https://chent.myvnc.com:35943/ginger/xp_embedded/WinXP_x32_Embedded_SEP_required_dll.zip


kind regards
NTShad0w
newdata.reg
 

Author Comment

by:RobertEhinger
ID: 40561124
One more question - do I first need to download Microsoft SysInternals PSEXEC tool on all the XP embedded machines?
 
LVL 5

Assisted Solution

by:Dawid Fusek
Dawid Fusek earned 500 total points
ID: 40561151
mate,

first test it on single test machine,

Then you have to do it on all machines where you want to install SEP... I think you may need to ask some IT staff for help with that, because manually doing it on more than 10 machines will be really frustrating and time consuming, and also in a lot of cases very hard to accomplish. It can be done via some professional app distribution software or probably via GPO in Active Directory with some more advanced scripts, I think; not sure about using system account privileges via GPO (installing PSEXEC).

regards
NTShad0w
 

Author Comment

by:RobertEhinger
ID: 40564976
OK, I have 5 machines with this issue. I don't really have a "test" machine as such, so I will need to select the PC that will cause the least amount of disruption if this doesn't work. Also, backing up the current registry will be vital.

Now, back to my earlier question - do I first need to download Microsoft SysInternals PSEXEC tool on all the XP embedded machines?
 

Author Comment

by:RobertEhinger
ID: 40569240
So I tried the instructions above and I get the following error - 'psexec' is not recognized as an internal or external command,

I have tried putting the PSEXEC tools in the C:\Windows directory and the C:\Windows\System32 directory and get the same result. What am I doing wrong here?

Thank you in advance for your help.

Robert
 

Author Comment

by:RobertEhinger
ID: 40569260
This is everything I tried and the results -

Saved the PSEXEC tool to the C:\Windows directory and extracted it to the C:\Windows\PSTools directory. Tried to install the psexec tool but was not asked to install any services. I just saw the command prompt window flash briefly on the screen. I tried running the command psexec -sid c:\windows\regedit.exe as instructed and got the 'psexec' is not recognized as an internal or external command error.
So I then saved the PSEXEC tool to the C:\Windows\System32 directory and extracted it to the C:\Windows\System32\PSTools directory. Tried running the command again and got the same error.
I then modified the path to psexec -sid c:\windows\System32\regedit.exe but the same error resulted. I also tried modifying the command to psexec -sid c:\windows\System32\PSTools\regedit.exe and psexec -sid c:\windows\PSTools\regedit.exe but with the same result.

What am I doing wrong and how do I go about fixing it?

Thank you!!
 
LVL 5

Assisted Solution

by:Dawid Fusek
Dawid Fusek earned 500 total points
ID: 40569263
"Now, back to my earlier question - do I first need to download Microsoft SysInternals PSEXEC tool on all the XP embedded machines?"


YES

"So I tried the instructions above and I get the following error - 'psexec' is not recognized as an internal or external command,

I have tried putting the PSEXEC tools in the C:\Windows directory and the C:\Windows\System32 directory and get the same result. What am I doing wrong here."


The PsExec.exe tool should be copied to some directory like "c:\program files\sysinternals\"
Then to run it, you have to go to that folder from the cli/cmd (so when inside cli/cmd type cd "c:\program files\sysinternals\") and then you may type the psexec -sid ...... command.
When you run it, it will install the service "PSEXESVC" for a while and uninstall it after the command exits successfully.

hmm, I'm not sure why you have to do it alone mate; it's rather IT support's work in my opinion.

best regards
NTShad0w
 

Author Comment

by:RobertEhinger
ID: 40569443
Let me make sure I understand -

First I change the directory using the cd command to where sysinternals resides, i.e., cd c:\program files\sysinternals\ then I press ENTER.

Then I use the psexec -sid c:\windows\regedit.exe and press ENTER to get into the registry editor.

The reason I must go it alone is because 1) I am desktop IT support but I have never used these tools before and 2) the people I contact for help don't seem too familiar with this process either.
 
LVL 5

Assisted Solution

by:Dawid Fusek
Dawid Fusek earned 500 total points
ID: 40569730
Mate,

don't understand me wrong mate, but I'm not a person that is flexible at describing full detailed steps for all (extremely natural for me) operations to do something in an IT environment, because of my way of thinking that just makes it hard for me (really, like for users it is hard to understand my way of thinking and doing IT Pro stuff), so an easy example:
- I say, download some tool name from site www name... and that's the end for me; the rest is something that I'm really not flexible at describing (not sure why, it's just a fact)
- then I can describe to you what you have to run with the exact command, but it's hard for me to describe how to run this command exactly when you haven't done it thousands of times (like most IT pros)
So please try to understand me that sometimes I may just skip some sort of operations because I don't realise (yep) that I do them so automatically and naturally that for someone who has not done them at least hundreds of times it may not be clear how to fully do them. Because of that I suggest using some IT staff.
Also observe that symc IT support gave you an instruction without all steps, which is normal for our IT environment because 1) it's not necessary and 2) it's sometimes really hard and takes a long time, and it's hard for us (IT Pros) to read and understand the full way of doing some simple tasks that we are doing automatically. I may also give you an easy example: in theory it's possible to describe in a book how to start, fly and also land a plane.... but I don't think that with such a description more than 5% of such "pilots" will even start a plane, and if they start most of them will not land but crash; it's the same situation in my opinion.

But I may help you directly on your computer by connecting to it, and while seeing the desktop I may do the operations on one XP Embedded and teach you how to do it on the others (and first check that what Symantec sent to you is working). To do it use Skype and find me (NTShad0w, there is a ZERO between "d" and "w")... you see, I'm not describing to you how to run Skype and where to click to add a user and how to start a conversation; those operations are probably easy for you (and me also) but it will be hard (for me) and long to describe it fully :P. Sure, after we do it remotely we have to describe here the solution and the steps that were done.

But if you don't want to do it remotely, or it's just impossible (because for example these XP Embedded machines don't have internet and a normal LAN connection), then I will try to describe it to you here...

First you need to have created a text file with the reg entries (and renamed it to newdata.reg) and write it to the same location, for example c:\temp\ (which you have to create first..:P). You may also download my file and extract it to the correct location; it's in the zip.


"First I change the directory using the cd command to where sysinternals resides, i.e., cd c:\program files\sysinternals\ then I press ENTER."

NO/YES, but when using the cd command use "" when typing directories or filenames with a SPACE, "program files", so here you have to give the command cd "c:\program files\sysinternals\" then press Enter, so you will be in that folder. Of course first, when you download psexec.exe (which is in the pstools.zip file), you have to unpack psexec.exe from this zip file to the folder "c:\program files\sysinternals\". To extract it from the ZIP file you need WinZIP or WinRAR installed and then use it to extract the zip file into the correct location ("c:\program files\sysinternals\").

And then use the command "psexec -sid c:\windows\regedit.exe /s newdata.reg" (while you are in the c:\program files\sysinternals\ folder, which you have to do before)

hmm, get me on Skype (but don't call, just write please) so I'll try to do it remotely and teach you how to do it; if that solution is working, then you may simultaneously see what I'm doing and ask what you don't understand.
I'm online for up to 3 hours from now, and then maybe after 12 hours; I didn't check your timezone.

best regards
NTShad0w
 

Author Comment

by:RobertEhinger
ID: 40569766
I think I understand what you are describing and I will give it another shot tomorrow. Remote help won't work because proxy settings prevent remote access - can be extremely frustrating.
 
LVL 5

Assisted Solution

by:Dawid Fusek
Dawid Fusek earned 500 total points
ID: 40569774
hmm,

check that TeamViewer works:
www.teamviewer.com

Download it, install it, start it and check that it connects ("Ready to connect" in the lower-left of the started application window).
You can also configure the proxy settings there: Extras\Options\General\Network Settings\Proxy Settings\Configure, and there you will have the proxy IP (or name), proxy port, and user and password.

When connected it should display your ID and password.

Also, I can teach you how to do it while you are at home... and will show it to you on your workstation (hope you have Win 7 or Win XP, and then we will try to do the steps without modifying your registry at all), or we may do it from the other side, that you will connect to me (my virtual Win XP, not the embedded version, but the operations will be the same) via TeamViewer and I will show you how to do it, hmm?

regards
NTShad0w
 

Author Comment

by:RobertEhinger
ID: 40569790
I am familiar with TeamViewer and I know it is blocked by our proxy server. The only remote access allowed is proprietary software developed by our programmers. I will let you know what happens after I try again tomorrow.
 
LVL 5

Assisted Solution

by:Dawid Fusek
Dawid Fusek earned 500 total points
ID: 40569837
ok mate,

keep me up to date, and remember I may show it to you when you are at home with your laptop.

regards
NTShad0w
 

Author Comment

by:RobertEhinger
ID: 40572915
I was able to get to the system account using the commands provided. I also copied the files you sent to the appropriate locations. Unfortunately that did not solve the problem. Apparently the fltmgr is still not installed.
 
LVL 5

Assisted Solution

by:Dawid Fusek
Dawid Fusek earned 500 total points
ID: 40573330
ahmm mate,

we forgot to register these files in the registry,

go to cmd/cli (menu Start/Run, type "cmd" and press ENTER) and type the commands:
regsvr32 fltlib.dll
regsvr32 fltMgr.sys

these commands should work from any folder and without any path to the dll and sys files.
And keep me up to date.

regards
NTShad0w
 

Author Comment

by:RobertEhinger
ID: 40575018
When I tried again to install SEP I was unsuccessful. I checked the registry and found that the changes that I thought had been made were not. What I ended up doing in order to get the registry edited was, rather than just double clicking on the .reg files or using the psexec -sid c:\windows\regedit.exe /s newdata.reg command you suggested, I used the psexec -sid c:\windows\regedit.exe command and then the Import function from the file menu to Import the changes. Once that was done I was able to get the registry changed. Thank you for all of your help.
 
LVL 5

Assisted Solution

by:Dawid Fusek
Dawid Fusek earned 500 total points
ID: 40575163
" I used the psexec -sid c:\windows\regedit.exe command and then the Import function from the file menu to Import the changes. Once that was done I was able to get the registry changed. Thank you for all of your help."

Good creativity mate !!!

So I understand that after the reg changed, the SEP install was successful ???

regards
NTShad0w
 

Author Comment

by:RobertEhinger
ID: 40575222
Yes it was and, of course, adding the .sys and .dll files to the correct locations.
 
LVL 5

Expert Comment

by:Dawid Fusek
ID: 40575446
ok, I also understand that they need registration (via the regsvr32 command) in the registry before install...?

I'm glad we solved it finally mate.

best regards
NTShad0w
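A pre-flight check for the Filter Manager prerequisite this thread is about, as an added example that is not from the thread, Symantec or Sysinternals: run it from cmd on each XP Embedded box before and after the steps above so the five machines can be compared. It tests what the installer actually depends on (the two files, the FltMgr service key with its ImagePath, the service as the service control manager sees it after the reboot, and whether fltmc can reach the driver) rather than regsvr32, which registers COM DLLs and does nothing for a kernel driver. The fltmgr.sys path follows the ImagePath in the .reg data above (system32\drivers); fltlib.dll is checked in system32, where a regular XP install keeps it (the quoted step 1 lists the two directories the other way round); the PsExec folder is the one used in the thread.

```batch
@echo off
rem Pre-flight check for the Filter Manager prerequisite SEP-XPE needs.
rem Added example, not from the thread, Symantec or Sysinternals.
rem Assumptions: fltmgr.sys where the FltMgr ImagePath in the .reg data
rem points (system32\drivers), fltlib.dll in system32 (as on a regular XP
rem install), psexec.exe in "%ProgramFiles%\sysinternals" as in the thread.
setlocal
set RC=0

echo [1] Files copied from a regular XP install
if exist "%SystemRoot%\system32\drivers\fltmgr.sys" (
    echo     OK      %SystemRoot%\system32\drivers\fltmgr.sys
) else (
    echo     MISSING %SystemRoot%\system32\drivers\fltmgr.sys
    set RC=1
)
if exist "%SystemRoot%\system32\fltlib.dll" (
    echo     OK      %SystemRoot%\system32\fltlib.dll
) else (
    echo     MISSING %SystemRoot%\system32\fltlib.dll
    set RC=1
)

echo [2] FltMgr service key written by the .reg import
reg query "HKLM\SYSTEM\CurrentControlSet\Services\FltMgr" /v ImagePath >nul 2>&1
if errorlevel 1 (
    echo     MISSING HKLM\SYSTEM\CurrentControlSet\Services\FltMgr ^(ImagePath^)
    set RC=1
) else (
    rem Show the decoded REG_EXPAND_SZ so the path can be compared with [1]
    reg query "HKLM\SYSTEM\CurrentControlSet\Services\FltMgr" /v ImagePath | find "ImagePath"
)

echo [3] Service as seen by the service control manager ^(needs the reboot^)
sc query FltMgr | find "STATE"
if errorlevel 1 (
    echo     MISSING FltMgr is not known to the SCM
    set RC=1
)

echo [4] Filter manager reachable ^(fltmc talks to fltmgr.sys once loaded^)
fltmc filters >nul 2>&1
if errorlevel 1 (
    echo     FAIL    fltmc failed: driver not loaded, or fltmc.exe absent from this image
    set RC=1
) else (
    echo     OK      filter manager is loaded
)

echo [5] PsExec location used in this thread
if not exist "%ProgramFiles%\sysinternals\psexec.exe" (
    echo     NOTE    psexec.exe not in "%ProgramFiles%\sysinternals"; cd to its folder first
)

if %RC%==0 (
    echo RESULT: Filter Manager prerequisites look complete
) else (
    echo RESULT: fix the MISSING/FAIL items, reboot, then run this check again
)
endlocal & exit /b %RC%
```

Steps [3] and [4] are expected to fail until the machine has been rebooted after the .reg import, since the Start=0 (boot) driver is only loaded at startup.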
