Forum Discussion
Solved
ATP Sensor failed upgrade to 2.198.16173.18440 on Win2012
Hi all, I have a customer running multiple AD Domain Controllers on windows server 2012, 2016 and 2019. ATP sensor version 2.197.16100.44617 was working fine, but a few days ago it started automatic ...
- This issue was escalated via several channels and should have been resolved by now.
Is the sensor still crashing on startup ?
EliOfek
Microsoft
MicrosoftRNalivaika Check the sensor local logs to looks for errors about what is failing it.
https://learn.microsoft.com/en-us/defender-for-identity/troubleshooting-using-logs
If possible paste here the failing call stack and error message.
Another option is to open a support case (might be faster...)
Here is the error message from Tri.Sensor log file:
''2023-02-28 08:21:47.7639 Debug EtwListener SetState Creating
2023-02-28 08:21:47.9043 Error EtwTraceDataHelper+NativeMethods System.EntryPointNotFoundException: Unable to find an entry point named 'TdhEnumerateManifestProviderEvents' in DLL 'tdh.dll'.
at TdhStatus Microsoft.Tri.Sensor.EtwTraceDataHelper+NativeMethods.TdhEnumerateManifestProviderEvents(Guid providerGuid, ProviderEventInfo* providerEventInfo, ref int bufferSize)
at IDictionary<EtwEventTypeId, IReadOnlyCollection<EtwEventPropertyInfo>> Microsoft.Tri.Sensor.EtwTraceDataHelper.CreateEtwEventPropertyInfosMappingFromProviderManifest(EtwEventTypeId[] etwEventTypeIds)+(IGrouping<Guid, EtwEventTypeId> groupedEventsByProviderId) => { }
at IEnumerable<TResult> System.Linq.Enumerable.SelectManyIterator<TSource, TResult>(IEnumerable<TSource> source, Func<TSource, IEnumerable<TResult>> selector)+MoveNext()
at Dictionary<TKey, TElement> System.Linq.Enumerable.ToDictionary<TSource, TKey, TElement>(IEnumerable<TSource> source, Func<TSource, TKey> keySelector, Func<TSource, TElement> elementSelector, IEqualityComparer<TKey> comparer)
at Dictionary<TKey, TValue> MoreLinq.MoreEnumerable.ToDictionary<TKey, TValue>(IEnumerable<KeyValuePair<TKey, TValue>> source, IEqualityComparer<TKey> comparer)
at void Microsoft.Tri.Sensor.EtwListener.AddProviderEvents(EtwListenerConfiguration configuration, IEtwEventActivityTranslator etwEventActivityTranslator, IMetricManager metricManager, SensorType sensorType)
at new Microsoft.Tri.Sensor.EtwListener(IConfigurationManager configurationManager, IEtwEventActivityTranslator etwEventActivityTranslator, IMetricManager metricManager, IResearchEnablementEtwEventActivityTranslator researchEnablementEtwEventActivityTranslator, IWorkspaceApplicationSensorApiJsonProxy workspaceApplicationSensorApiJsonProxy)
at object lambda_method(Closure, object[])
at object Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate()
at void Microsoft.Tri.Infrastructure.ModuleManager.AddModules(Type[] moduleTypes)
at new Microsoft.Tri.Sensor.SensorModuleManager()
at ModuleManager Microsoft.Tri.Sensor.SensorService.CreateModuleManager()
at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()
at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)
2023-02-28 08:22:02.4213 Debug ConfigurationManager SetState Creating''
here is the error message from updater log file:
''2023-02-28 08:21:26.4843 Error ServiceControllerExtension ChangeServiceStatus failed to change service status [name=AATPSensor status=Running Exception=System.ServiceProcess.TimeoutException: Time out has expired and the operation has not been completed.
at System.ServiceProcess.ServiceController.WaitForStatus(ServiceControllerStatus desiredStatus, TimeSpan timeout)
at Microsoft.Tri.Infrastructure.ServiceControllerExtension.ChangeServiceStatus(String name, ServiceControllerStatus status, TimeSpan timeout, Nullable`1 awaitedStatus)]''
''2023-02-28 08:21:47.7639 Debug EtwListener SetState Creating
2023-02-28 08:21:47.9043 Error EtwTraceDataHelper+NativeMethods System.EntryPointNotFoundException: Unable to find an entry point named 'TdhEnumerateManifestProviderEvents' in DLL 'tdh.dll'.
at TdhStatus Microsoft.Tri.Sensor.EtwTraceDataHelper+NativeMethods.TdhEnumerateManifestProviderEvents(Guid providerGuid, ProviderEventInfo* providerEventInfo, ref int bufferSize)
at IDictionary<EtwEventTypeId, IReadOnlyCollection<EtwEventPropertyInfo>> Microsoft.Tri.Sensor.EtwTraceDataHelper.CreateEtwEventPropertyInfosMappingFromProviderManifest(EtwEventTypeId[] etwEventTypeIds)+(IGrouping<Guid, EtwEventTypeId> groupedEventsByProviderId) => { }
at IEnumerable<TResult> System.Linq.Enumerable.SelectManyIterator<TSource, TResult>(IEnumerable<TSource> source, Func<TSource, IEnumerable<TResult>> selector)+MoveNext()
at Dictionary<TKey, TElement> System.Linq.Enumerable.ToDictionary<TSource, TKey, TElement>(IEnumerable<TSource> source, Func<TSource, TKey> keySelector, Func<TSource, TElement> elementSelector, IEqualityComparer<TKey> comparer)
at Dictionary<TKey, TValue> MoreLinq.MoreEnumerable.ToDictionary<TKey, TValue>(IEnumerable<KeyValuePair<TKey, TValue>> source, IEqualityComparer<TKey> comparer)
at void Microsoft.Tri.Sensor.EtwListener.AddProviderEvents(EtwListenerConfiguration configuration, IEtwEventActivityTranslator etwEventActivityTranslator, IMetricManager metricManager, SensorType sensorType)
at new Microsoft.Tri.Sensor.EtwListener(IConfigurationManager configurationManager, IEtwEventActivityTranslator etwEventActivityTranslator, IMetricManager metricManager, IResearchEnablementEtwEventActivityTranslator researchEnablementEtwEventActivityTranslator, IWorkspaceApplicationSensorApiJsonProxy workspaceApplicationSensorApiJsonProxy)
at object lambda_method(Closure, object[])
at object Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate()
at void Microsoft.Tri.Infrastructure.ModuleManager.AddModules(Type[] moduleTypes)
at new Microsoft.Tri.Sensor.SensorModuleManager()
at ModuleManager Microsoft.Tri.Sensor.SensorService.CreateModuleManager()
at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()
at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)
2023-02-28 08:22:02.4213 Debug ConfigurationManager SetState Creating''
here is the error message from updater log file:
''2023-02-28 08:21:26.4843 Error ServiceControllerExtension ChangeServiceStatus failed to change service status [name=AATPSensor status=Running Exception=System.ServiceProcess.TimeoutException: Time out has expired and the operation has not been completed.
at System.ServiceProcess.ServiceController.WaitForStatus(ServiceControllerStatus desiredStatus, TimeSpan timeout)
at Microsoft.Tri.Infrastructure.ServiceControllerExtension.ChangeServiceStatus(String name, ServiceControllerStatus status, TimeSpan timeout, Nullable`1 awaitedStatus)]''
- EliOfekTricky one. Open a support case for this one. it will need to be escalated to the product group probably.
working with ms support is anything other than fast 🙂 sent them logs more than a week ago, still zero progress...
- EliOfekThis issue was escalated via several channels and should have been resolved by now.
Is the sensor still crashing on startup ?
- ok, thank you
Hi RNalivaika,
What was the solution?
I had similar one some time ago.
Error ServiceControllerExtension Failed to change service status [name=AATPSensor status=Running Exception=System.ServiceProcess.TimeoutException: Time out has expired and the operation has not been completed.Microsoft.Tri.Sensor-Errors.log file pointed to an error with the WinPcap or NPF driver.
As WinPcap is no longer supported then probably Npcap could be re-installed.
