Application Control and Change Control driver issues (Windows Update)

Technical Articles ID: KB91257
Last Modified: 2023-12-19 12:45:41 Etc/GMT

Environment

Application and Change Control (ACC) 7.x and later
Microsoft Windows - all versions

Problem

You might experience one or more of the following issues when you use an ACC 7.0.x and later Windows agent:

Crash (blue screen) 3b, 6b
Windows update issues (Hardlink / Solidification)
CMD / PowerShell crashes
Command-line interface (CLI) communication issues when CLI is running the status command
Performance issues
Boot loops

NOTE: Customers in Update / Observe mode might not experience issues until they move to the Enabled (Blocking) mode.

For more information, see the related articles below:

Cause

The issues described in this article are a direct result of changes that have been made to the ACC architecture.

Issues with rename callback, specifically the SetInformationFile for FileHardlinkInformation, have been found. Every time a new hard link is created, a call is made to cctl_process_change with the Boolean hard_link_set in the cctl_path_t context for the new link. This action means that there's a new hard link being created. Logic in cctl_add_inv defers the checksum calculation if the operation is within a transacted operation.

When code is introduced to all hard links of a file, and when all entries in the inventory are updated, checking of hard_link_set is missed. This fact causes an undesired opening and unnecessary processing of the transacted file. In other words, the new hard links are added to the inventory and there's no need to update all other entries. Doing so can result in a race condition that develops during transacted operations. See the "Related Information" section of this article for more information.

Solution

Apply the correct update for your version of ACC:

ACC 8.2.1 Update 5 or later
ACC 8.0.2 Update 1 or later

NOTE: This issue has been corrected in the versions listed above for the client and the latest 8.2.6 / 8.3 extension.

To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.

IMPORTANT:

Before you perform this workaround, see KB91225 - A system crash without blue screen or a command line interface crash occurs on Windows 10 or Server 2016 systems after placing Application and Change Control in modes other than Disabled.
Resolidify the client systems after you upgrade from a previous version of either Application Control (435 and below) or Major Windows Feature upgrades (example: RS4 to RS5).
Resolidification must be completed after you apply the new extension and sync your clients for the updated rule groups below and before re-enablement.
You still need to resolidify clients if upgrading to a newer client from 8.2.1.143 and earlier and if you didn't resolidify on upgrading to 8.2.1.435.

To resolidify a system:

Create a Client Task (Run Commands) using the following commands (sadmin isn't needed as part of these commands):

bu
config set SoPriority=2
config set MaplCommLostRestart=0
so C:\
config set MaplCommLostRestart=5
config set SoPriority=1
eu

NOTE: Any future product functionality or releases mentioned in the Knowledge Base are intended to outline our general product direction and should not be relied on, either as a commitment, or when making a purchasing decision.

Workaround

If the solution above doesn't work on Update 5:

Disable CatalogCertExtraction:

sadmin config set CatalogCertExtractionDisabled=1

Increase the Trusted Installer Preshutdown timeout.

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\TrustedInstaller
Name: PreshutdownTimeout
Type: REG_DWORD
Data: 36ee80 (3600000 millisecond)

Start the registry editor (regedit)
Expand the following registry key.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\TrustedInstaller

Right-click the TrustedInstaller and click Permissions.
Check Full Control for Administrators in Group or usernames.
Change the value of PreshutdownTimeout by double-clicking PreshutdownTimeout.
Right-click the TrustedInstaller and click Permissions.
Check out Full Control for Administrators in Group or user names.

Related Information

Hard links
A hard link is the Windows file system representation of a file by which more than one path references a single file in the same volume. This approach is now used for Microsoft Windows 10 February updates. The management of hard links by ACC causes checksum mismatches and other issues during the Microsoft Windows 10 update installations. This issue also occurs with ACC 7.0.x and 8.0.x.

Currently, when modifying the hard links content, the inventory information (checksum, status) is updated only for the current path modified. By default, all files have at least one hard link. The file change event doesn't include the list of hard links associated with that file. Because the inventory information isn't updated for all paths at the same time, executing the same file from a different path results in a checksum-mismatch. This mismatch impacts the Windows update process.

Catalog Cert Extraction
Microsoft Windows binaries can be catalog-signed or can have an embedded signature. ACC uses specific code to extract embedded certificates. The certificates can be extracted in kernel space or user-space. Extraction of embedded certificates occurs quickly and is the only type of signing supported with ACC up until the 7.0.x release.

In ACC 7.0.x, support for reputation-based execution is introduced. In one of the workflows, you can allow or block a file by the reputation of its certificate. Because several files in Microsoft Windows are actually catalog-signed, this feature requires extraction of catalog signatures. Microsoft have provided APIs to extract the catalog certificates for binaries. These APIs are used by ACC. These APIs are slow and significantly affect performance. To mitigate this effect, ACC stores certificates in the inventory, so that once extracted, they can be reused. Storing them in the inventory means that during the inventory merge time, certificates must be extracted once. When an upgrade is run, files are changed, the inventory is merged, and the catalog certificate extraction occurs.

If all reputation is disabled, there's no need to extract the catalog certificates.

sadmin config set CatalogCertExtractionDisabled=1

You must re-enable this feature by using the Run Command in ePO. Create a Client Task (Run Command) using the following commands: (sadmin keyword isn't needed)

bu
config set SoPriority=2
config set MaplCommLostRestart=0
so
config set MaplCommLostRestart=5
config set SoPriority=1
eu

Affected Products

Languages:

This article is available in the following languages:

Knowledge Center

Application Control and Change Control driver issues (Windows Update)

Environment

Problem

Cause

Solution

Workaround

Related Information

Affected Products

Languages:

Title

Title

Knowledge Center

Application Control and Change Control driver issues (Windows Update)

Environment

Problem

Cause

Solution

Workaround

Related Information

Affected Products

Languages:

Choose your region

Title

Title