After Client update to 4.7.209.0, ScRegSetValueExW errors on 2008R2

Hello,

I am getting the following error "The ScRegSetValueExW call failed for FailureCommand with the following error: Access is denied." on all 2008r2 boxes that have the System Center Endpoint Protection client update 4.7.209.0.

It doesn't seem to affect the actual machine, but I would still like to resolve this.

March 23rd, 2015 9:36am

Hi,

The error means something tried to access a section of the registry it's not allowed to.

Most likely an issue that can be ignored if you are not having problems. If you are truly curious and want the root cause resolved, then you may have to play detective and explore what may have changed within the time the event notification reflects.

Best Regards,

Joyce 

March 24th, 2015 3:33am

Hi, we have exactly the same problem here on 2008R2 (majority with SQL Services) Servers after client update 4.7.209.0

This event seems to appear when the patterns are updated.

It clearly doesn't affect the machine but the Monitoring Team isn't so happy ;) Any idea how to resolve this?

March 24th, 2015 6:57am

Yeah, I hope someone from Microsoft can chime in on this. I had to tune our alerts with custom conditions that are available through SQL Sentry, so that we don't get these alerts in particular. But still really curious as to how to resolve this as this happened after the Client update. This issue was also in 4.7.205.0 that they revoked last month.
March 24th, 2015 9:38am

Hi,

Thank you for your reply. Yes, I have found that it has to do with permissions to the registry, but in all cases from the research it seems like Kaspersky, Avast and AVG have seen this issue before. Now Endpoint is having this issue as well. Just wondering when it will be fixed. If the issue can be resolved on my end I would like to know how.

Just don't want to hide this issue under the rug. It's just that people aren't noticing it. But it sounds like it happens on all 2008 R2 boxes.

Oh and the only thing that has changed is the update and installation of client version 4.7.209.0 (Note: 4.7.205.0 had this issue as well)

March 24th, 2015 11:18am

Hi,

Can you please let me know when this error is being generated?

Please run Procmon to see what is getting denied access to the registry.

Best Regards,

Joyce

March 25th, 2015 9:32pm

Hi,

This alert is in event manager. It happens a few times a day (2-5 times). First message:

The ScRegSetValueExW call failed for Start with the following error:
Access is denied.

Then

The ScRegSetValueExW call failed for FailureCommand with the following error:
Access is denied.

This does not happen at all the same time.... so I will try and run procmon but I am not sure what all that will give me.

March 26th, 2015 9:22am

Hi,

Have you tried running Procmon when the error happens? Anything helpful?

Best Regards,

Joyce

March 30th, 2015 9:29pm

We also (and a lot of other end users) have this problem on Windows 7 and Windows Server 2008 R2.

When we disable "Enable behavior monitoring" in the settings of SCEP and reboot the computer/server, the errors don't appear anymore in the event viewer.

It seems that SCEP blocks the registry settings/values of the following keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MsMpSvc\Start
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MsMpSvc\FailureActions

I verified this in the following log file of clients with the issue:
C:\ProgramData\Microsoft\Microsoft Antimalware\Support\MPLog-xxxxx20xx-xxxxx.log

This log contains the following entries:
TelemetryName:Behavior:Win32/MpTamperBlockSrv.E
TelemetryName:Behavior:Win32/MpTamperBlockSrv.D

So it seems that it is SCEP itself which is preventing changes to the registry keys which it needs to change.
I noticed that this behaviour started with the update of the engine from version 1.1.11502.0 to version 1.1.11602.

May 8th, 2015 4:42pm
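
Added example, not part of the original thread and not Microsoft's code: PowerShell that tallies the value names from the "ScRegSetValueExW call failed" event text and the MpTamperBlockSrv entries from MPLog lines, so a host can be checked for both at once. The sample input is constructed, the function names are hypothetical, and the MPLog match assumes only the `TelemetryName:` string quoted in the post above.

```powershell
# Added example. Sample input is constructed, not captured from a real host.
$sampleEvents = @(
    "The ScRegSetValueExW call failed for Start with the following error: `r`nAccess is denied.",
    "The ScRegSetValueExW call failed for FailureCommand with the following error: `r`nAccess is denied.",
    "The ScRegSetValueExW call failed for Start with the following error: `r`nAccess is denied.",
    "The Example service entered the running state."
)
$sampleMpLog = @(
    'TelemetryName:Behavior:Win32/MpTamperBlockSrv.E',
    'TelemetryName:Behavior:Win32/MpTamperBlockSrv.D',
    'TelemetryName:Behavior:Win32/MpTamperBlockSrv.E',
    'constructed unrelated log line'
)

# Hypothetical helper: value names the Service Control Manager was denied on.
function Get-DeniedServiceValue {
    param([string[]]$Message)
    foreach ($m in $Message) {
        # \s* spans the line break between the two lines of the event text.
        if ($m -match 'ScRegSetValueExW call failed for (\S+) with the following error:\s*Access is denied') {
            $Matches[1]
        }
    }
}

# Hypothetical helper: tamper-block behavior names recorded in MPLog lines.
function Get-TamperBlockName {
    param([string[]]$Line)
    foreach ($l in $Line) {
        if ($l -match 'TelemetryName:Behavior:(Win32/MpTamperBlockSrv\.\w+)') { $Matches[1] }
    }
}

# On a live host, replace the samples with these read-only queries:
#   $scmText = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager' } |
#              ForEach-Object { $_.Message }
#   $mpLog   = Get-Content 'C:\ProgramData\Microsoft\Microsoft Antimalware\Support\MPLog-*.log'
$scmText = $sampleEvents
$mpLog   = $sampleMpLog

$denied = @(Get-DeniedServiceValue -Message $scmText)
$blocks = @(Get-TamperBlockName -Line $mpLog)

# One table with a shared shape so both sources print together.
$denied | Group-Object | Select-Object @{n='Source';e={'SCM event'}}, Name, Count
$blocks | Group-Object | Select-Object @{n='Source';e={'MPLog'}}, Name, Count

if ($denied.Count -gt 0 -and $blocks.Count -gt 0) {
    'Denied service-value writes and tamper-block entries are both present on this host.'
} elseif ($denied.Count -gt 0) {
    'Denied writes without tamper-block entries: identify the writer, for example with Procmon.'
}
```

With the constructed samples this reports two denied writes to Start, one to FailureCommand, and three tamper-block entries (two .E, one .D).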

Seems to be related to the updated SCEP engine. Seeing the same error on my servers. Also having some issues deploying the client to new machines. I think there might be some issues with the latest release.
May 19th, 2015 8:23pm

Hi,

I was able to fix it with Microsoft Fix it: https://support.microsoft.com/en-us/mats/program_install_and_uninstall?wa=wsignin1.0. With the help of this application I chose "Problems with uninstall", then, according to what the SCEP installation told me was preventing the install, I chose exactly those programs (I had the old Forefront protection installed). I think it was MOM 2005, Microsoft antimalware service and Microsoft antimalware status service. After those 3 apps were gone I was able to install the SCEP 2012 Client without issues.

July 30th, 2015 8:44am

This topic is archived. No further replies will be accepted.
