MSI installer starts when you open Windows Explorer or other applications
Last Modified: 5/10/2023
Technical Articles ID:
KB92217
Environment
Endpoint Security (ENS) Threat Prevention 10.x
Problem 1
When you open a Windows Explorer window ( The presence of a large number of The following is an example of a
<date/time> [9940] [GenericCustomAction] CLIENTPROCESSID obtained from msi. Value : 19504
<date/time> [9940] [GenericCustomAction] SUPPORTDIR obtained from msi. Value : C:\Users\\AppData\Local\Temp\{21A798B9-A5A1-49D7-9F96-CC8B14F7EAEF}
<date/time> [9940] [GenericCustomAction] McAfee CustomAction : Begin GainMsiExclusion
<date/time> [9940] [GenericCustomAction] The PID obtained is not msiexec.exe. This could indicate a control panel uninstall.
<date/time> [9940] [GenericCustomAction] Process name : explorer.exe
<date/time> [9940] [GenericCustomAction] Let us get the PID of parent process of custom action now!
...
<date/time> [9940] [GenericCustomAction] RegQueryValueEx passed. The path of szInstallDir64 : C:\Program Files\McAfee\Endpoint Security\
<date/time> [9940] [GenericCustomAction] "C:\Users\\AppData\Local\Temp\{21A798B9-A5A1-49D7-9F96-CC8B14F7EAEF}\MfeEpAac.exe" -add -rootlocation "C:\Program Files\McAfee\Endpoint Security" -rootlocation "C:\Program Files (x86)\McAfee\Endpoint Security" -folder "C:\ProgramData\McAfee\Endpoint Security" -MsiPID 20420
<date/time>[9940] [GenericCustomAction] RunCommandLine: "C:\Users\\AppData\Local\Temp\{21A798B9-A5A1-49D7-9F96-CC8B14F7EAEF}\MfeEpAac.exe" -add -rootlocation "C:\Program Files\McAfee\Endpoint Security" -rootlocation "C:\Program Files (x86)\McAfee\Endpoint Security" -folder "C:\ProgramData\McAfee\Endpoint Security" -MsiPID 20420
<date/time> [9940] [GenericCustomAction] RunCommandLine: Launching process failed: 740
<date/time> [9940] [GenericCustomAction] !> Error - Could not run command to install app: 183
Problem 2
Another symptom of this issue is a pop-up message reporting that the file You see a large number of Also, the Windows Application Log contains a message similar to the following:
Problem 3
Another symptom of this issue is a result of missing third-party dependencies. You might see a large number of The Windows Application Log contains a message similar to the following:
System Change
You've recently upgraded an existing ENS installation, have a new ENS installation, or required third-party dependencies have been removed.
Cause
This issue occurs because files are missing from the installation directory. These files might not have been properly copied or replaced during the initial installation or upgrade process. This situation causes the installer to try to complete a previously started installation process. This issue may also occur when required third-party dependencies are removed, either by another piece of software, or manually. In this situation, there may not have been any changes made to ENS that trigger this.
Solution
Repair the existing version of ENS on the system using either of the following options. Use the Endpoint Product Removal (EPR) tool to repair ENS: EPR can call the ENS For instructions to run EPR at the command line using the Run "
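To triage an endpoint for the Problem 1 pattern, the following added example (not Trellix code, and not part of the original article) scans custom-action log text for the lines shown in the Problem 1 excerpt. The function name, the sample log with its placeholder timestamps, and the reading of 740 and 183 as Win32 error codes are assumptions of this example.

```python
import re

# Assumption: the numeric codes are Win32 errors; the article does not decode them.
WIN32 = {740: "ERROR_ELEVATION_REQUIRED", 183: "ERROR_ALREADY_EXISTS"}

ENTRY = re.compile(r"\[\d+\]\s*\[GenericCustomAction\]\s*(?P<msg>.*)$")
RULES = {
    "client_pid": re.compile(r"CLIENTPROCESSID obtained from msi\. Value : (\d+)"),
    "caller": re.compile(r"Process name : (\S+)"),
    "launch_error": re.compile(r"Launching process failed: (\d+)"),
    "install_error": re.compile(r"Could not run command to install app: (\d+)"),
}

def triage(log_text):
    """Summarise one custom-action log and flag the pattern from Problem 1."""
    found = {"gain_msi_exclusion": False, "not_msiexec": False}
    for line in log_text.splitlines():
        entry = ENTRY.search(line)
        if not entry:
            continue  # skip lines written by other components
        msg = entry.group("msg")
        if "Begin GainMsiExclusion" in msg:
            found["gain_msi_exclusion"] = True
        if "PID obtained is not msiexec.exe" in msg:
            found["not_msiexec"] = True
        for key, rule in RULES.items():
            hit = rule.search(msg)
            if hit:
                value = hit.group(1)
                found[key] = int(value) if value.isdigit() else value
    codes = [found[k] for k in ("launch_error", "install_error") if k in found]
    found["errors"] = [(c, WIN32.get(c, "unknown")) for c in codes]
    # Pattern: exclusion step started by a non-installer process, then failed.
    found["matches_problem_1"] = bool(
        found["gain_msi_exclusion"] and found["not_msiexec"] and codes)
    return found

# Constructed sample modelled on the excerpt above; timestamps are placeholders.
SAMPLE = """\
2023-01-01 10:00:00 [9940] [GenericCustomAction] CLIENTPROCESSID obtained from msi. Value : 19504
2023-01-01 10:00:00 [9940] [GenericCustomAction] McAfee CustomAction : Begin GainMsiExclusion
2023-01-01 10:00:00 [9940] [GenericCustomAction] The PID obtained is not msiexec.exe. This could indicate a control panel uninstall.
2023-01-01 10:00:00 [9940] [GenericCustomAction] Process name : explorer.exe
2023-01-01 10:00:01 [9940] [GenericCustomAction] RunCommandLine: Launching process failed: 740
2023-01-01 10:00:01 [9940] [GenericCustomAction] !> Error - Could not run command to install app: 183
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A match only indicates that the log resembles the Problem 1 excerpt; the repair steps in the Solution section still apply.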