ElasticEndpoint service registration in Windows stuck after uninstall

Hi,

After removing the Elastic Agent with Endpoint Security, the service registration of ElasticEndpoint is stuck in Windows. In Services I can see Elastic Endpoint with "Failed to read description. Error code 2". Also "sc query elasticendpoint" returns the service.

OS is Windows 2021R2. All Elastic software used are version 8.1.1.

"sc delete" returns access denied. I have no entries in "HKLM\SYSTEM\CurrentControlSet\Services". Tried multiple tools to remove the service or run a command prompt as SYSTEM or TrustedInstaller.

Tried fixing it from safe boot, but the Elastic Endpoint registration is not visible?

"endpoint-security.exe uninstall" cannot remove the service, also due to access denied (see log below).

Any ideas how to fix this? As long as I cannot remove this registration, I cannot reinstall Endpoint Security.

2022-04-06 13:06:30: info: Main.cpp:284 Executing uninstall
2022-04-06 13:06:30: debug: Service.cpp:817 PPL is supported. This process is unprotected. (TrustLevelSid: absent)
2022-04-06 13:06:30: error: Util.cpp:578 Unexpected failure querying service protection configuration: 2
2022-04-06 13:06:30: trace: Util.cpp:623 Function returned error status (Failure in an external software component)
2022-04-06 13:06:30: warning: Util.cpp:1136 Error encountered while unprotecting service for uninstall
2022-04-06 13:06:30: error: Service.cpp:329 OpenServiceW(ElasticEndpointDriver)failed with error 1060
2022-04-06 13:06:30: trace: Service.cpp:330 Function returned error status (Failure in an external software component) because of system status (1060/The specified service does not exist as an installed service.)
2022-04-06 13:06:30: trace: Service.cpp:389 Function returned error status (Failure in an external software component)
2022-04-06 13:06:30: error: Service.cpp:187 DeleteService(ElasticEndpoint) failed with error 5
2022-04-06 13:06:30: trace: Service.cpp:188 Function returned error status (Failure in an external software component) because of system status (5/Access is denied.)
2022-04-06 13:06:30: warning: Util.cpp:1174 Endpoint service scheduled for deletion at next reboot.
2022-04-06 13:06:30: error: Service.cpp:178 OpenServiceW(ElasticEndpointDriver)failed with error 1060
2022-04-06 13:06:30: trace: Service.cpp:179 Function returned error status (Failure in an external software component) because of system status (1060/The specified service does not exist as an installed service.)
2022-04-06 13:06:30: error: Util.cpp:1197 Endpoint driver service was unable tobe deleted or scheduled for deletion.
2022-04-06 13:06:30: error: Service.cpp:329 OpenServiceW(ElasticELAMDriver) failed with error 1060
2022-04-06 13:06:30: trace: Service.cpp:330 Function returned error status (Failure in an external software component) because of system status (1060/The specified service does not exist as an installed service.)
2022-04-06 13:06:30: trace: Service.cpp:389 Function returned error status (Failure in an external software component)
2022-04-06 13:06:30: error: Service.cpp:178 OpenServiceW(ElasticELAMDriver) failed with error 1060
2022-04-06 13:06:30: trace: Service.cpp:179 Function returned error status (Failure in an external software component) because of system status (1060/The specified service does not exist as an installed service.)
2022-04-06 13:06:30: error: Util.cpp:1223 ELAM driver service was unable to be deleted or scheduled for deletion.
2022-04-06 13:06:30: trace: Util.cpp:351 Function returned error status (Failedto delete registry key)
2022-04-06 13:06:30: trace: File.cpp:920 Function returned error status (Failure in an external software component)
2022-04-06 13:06:30: trace: File.cpp:920 Function returned error status (Failure in an external software component)
2022-04-06 13:06:30: trace: File.cpp:920 Function returned error status (Failure in an external software component)
2022-04-06 13:06:30: trace: File.cpp:920 Function returned error status (Failure in an external software component)
2022-04-06 13:06:30: trace: File.cpp:920 Function returned error status (Failure in an external software component)
2022-04-06 13:06:30: trace: File.cpp:920 Function returned error status (Failure in an external software component)
2022-04-06 13:06:30: trace: File.cpp:699 Function returned error status (I/O error) because of system status (3/The system cannot find the path specified.)
2022-04-06 13:06:30: trace: File.cpp:699 Function returned error status (I/O error) because of system status (2/The system cannot find the file specified.)
2022-04-06 13:06:30: error: Util.cpp:578 Unexpected failure querying service protection configuration: 2
2022-04-06 13:06:30: trace: Util.cpp:710 Function returned error status (Failure in an external software component)
2022-04-06 13:06:30: trace: File.cpp:395 Function returned error status (Not found)
2022-04-06 13:06:30: trace: File.cpp:874 Function returned error status (Not found)
2022-04-06 13:06:30: trace: File.cpp:426 Function returned error status (Not found)
2022-04-06 13:06:30: trace: File.cpp:874 Function returned error status (Not found)
2022-04-06 13:06:30: trace: File.cpp:426 Function returned error status (Not found)
2022-04-06 13:06:30: trace: File.cpp:874 Function returned error status (Not found)
2022-04-06 13:06:30: trace: File.cpp:426 Function returned error status (Not found)
2022-04-06 13:06:30: trace: File.cpp:874 Function returned error status (Not found)
2022-04-06 13:06:30: warning: InstallLib.cpp:272 System reboot required to finish uninstall

Oops... I overlooked 2 lines in the output :frowning:

2022-04-06 13:06:30: warning: Util.cpp:1174 Endpoint service scheduled for deletion at next reboot.
2022-04-06 13:06:30: warning: InstallLib.cpp:272 System reboot required to finish uninstall

So after a reboot the registration seems to be removed (finally :slight_smile:)

Now let's see if I can reinstall the agent with endpoint...

MichelV,

Unfortunately it'd appear you've run up against an unfortunate known issue that was specific to 8.1.1 and Windows 2012 R2 / Windows 8.1. The issue is referenced here and detailed here.

During install our Endpoint is configured to run as a Protected Process Lite (PPL) through the Service Control Manager (SCM). Unfortunately, for the 8.1.1 release, the signing issue noted in the links above prevents our service process from successfully starting as a PPL process. Unfortunately, once a service is configured to run as PPL with the SCM, only a process running at or above PPL would be able to delete the service to clean up a failed install. And as our signing issue prevented us from running as PPL, we're unable to delete the service from the SCM.

Fortunately, as you noted, a reboot should clean up the issue (we delete the service keys) as discovered. This could be verified before reboot using the reg command:

Unfortunately, further attempts to install 8.1.1 on the host will fail in the same way, but 8.1.2 has a fix and should not encounter the same issue.

Sorry for the trouble.

-Ben

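As an added example (not from this thread and not Elastic's own tooling), the following PowerShell script inspects a service's registry key to show the two things Ben's explanation turns on: whether the SCM has the service registered as PPL (the LaunchProtected value) and whether a DeleteService() call has already marked the key for removal at next boot (the DeleteFlag value, which the "scheduled for deletion at next reboot" log line corresponds to). The service name defaults to ElasticEndpoint; the ExpectedAfterReboot wording is this example's own summary, not output from any Elastic component.

```powershell
# Added example: report the PPL protection level and pending-deletion state
# of a Windows service from its SCM registry key. Read-only; run as Administrator.
param(
    [string]$ServiceName = 'ElasticEndpoint'
)

$keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"

# Names for the LaunchProtected values defined for SERVICE_LAUNCH_PROTECTED_INFO.
$protectionLevels = @{
    0 = 'None'
    1 = 'Windows (PPL)'
    2 = 'Windows Light (PPL)'
    3 = 'Antimalware Light (PPL)'
}

if (-not (Test-Path $keyPath)) {
    # The original poster saw no key yet "sc query" still listed the service,
    # so also show the SCM's in-memory view when the key is absent.
    Write-Output "No registry key for '$ServiceName' under CurrentControlSet\Services."
    $scOutput = & sc.exe query $ServiceName 2>&1
    Write-Output ($scOutput -join [Environment]::NewLine)
    return
}

$key = Get-ItemProperty -Path $keyPath

# Missing LaunchProtected means the service was never configured as PPL.
$level = if ($null -ne $key.LaunchProtected) { [int]$key.LaunchProtected } else { 0 }
$levelName = $protectionLevels[$level]
if (-not $levelName) { $levelName = "Unknown ($level)" }

# The SCM writes DeleteFlag=1 when DeleteService() succeeded but the key must
# survive until reboot (for example while a handle is still open).
$pending = ($key.DeleteFlag -eq 1)

[pscustomobject]@{
    Service             = $ServiceName
    ImagePath           = $key.ImagePath
    LaunchProtected     = $levelName
    MarkedForDeletion   = $pending
    ExpectedAfterReboot = if ($pending) { 'Key removed by SCM at next boot' } else { 'Key persists; nothing scheduled' }
}
```

If MarkedForDeletion is true, a reboot is the supported way to finish the cleanup, which matches what the thread observed; if it is false and LaunchProtected is set, an unprotected process (including an elevated shell) will get the same "Access is denied" from DeleteService() that appears in the log above.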

Ah ok, thank you for the info.

I have been googling for a while but I guess I did not use the right query to get to those pages. (And I admit I am guilty of not reading the release notes before installation).

