wazuh / wazuh

Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
https://wazuh.com/

Manual Windows Wazuh agent upgrade hangs/fails #13928

Closed elwali10 closed 2 years ago

elwali10 commented 2 years ago

Hello team,

Upgrading the Wazuh agent on Windows Server 2016 manually (by clicking on the package MSI and using the WUI) from 4.3.1 to 4.3.3 fails.

Steps to reproduce:

  1. Create two Windows users (Users A & B) with permissions to install packages (Admins).

  2. Log in as user A and install the Wazuh agent 4.3.1.

  3. Switch to user B, then upgrade manually using the MSI package to 4.3.3.

  4. The upgrade process hangs.

Regards, Elwali

DFolchA commented 2 years ago

UPDATE

We have been investigating this issue, and we were able to upgrade a Windows package using a different user following the process described in the issue:

  1. Log in as user A
  2. Install the Wazuh agent
  3. Log out and log in as user B
  4. Upgrade the package to a newer version

Test Windows 2016

https://user-images.githubusercontent.com/19505384/177350553-70d7a69b-c875-40e1-8f91-00c245e33813.mp4

Test Windows 2012

https://user-images.githubusercontent.com/19505384/177359449-b9fa12db-9d65-4be1-9838-a19de25a7792.mp4

We found, however, that users other than Administrator need to be granted permissions manually to access the contents of `C:\Program Files (x86)\ossec-agent`. This causes, as shown in the video, the installation GUI to not be able to show the manage agent interface.
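An added example (not part of the comment above, and not Wazuh project code): a PowerShell audit of the ACL on the directory named in that comment, showing which entries match the token of the user running it and flagging write-capable entries held by principals outside an administrative set. The function name `Get-AgentDirAclReport`, the admin SID list and the write-rights mask are assumptions of this example.

```powershell
# Added example: audit the ACL on the Wazuh agent directory named in the comment above.
# The function name, the admin SID baseline and the write mask are this example's assumptions.

$AgentDir = 'C:\Program Files (x86)\ossec-agent'

# Well-known SIDs treated here as administrative principals (assumed baseline).
$AdminSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544'   # BUILTIN\Administrators
)

# Rights that let a principal change, replace or re-permission files in the directory.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# GENERIC_ALL and GENERIC_WRITE show up as raw bits on some inherit-only entries.
$WriteMask = $WriteMask -bor 0x10000000 -bor 0x40000000

function Get-AgentDirAclReport {
    param([string]$Path = $AgentDir)

    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # SIDs usable for "allow" checks in this token: the user plus its enabled groups
    # (groups marked deny-only are not listed by the Groups property).
    $tokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        # Reading the security descriptor itself can be refused for this token.
        Write-Warning ("Cannot read ACL of '{0}' as {1} (elevated: {2}): {3}" -f `
            $Path, $identity.Name, $elevated, $_.Exception.Message)
        return
    }

    # Ask for SIDs rather than names so unresolvable accounts do not break the comparison.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($ace in $rules) {
        $sid = $ace.IdentityReference
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }   # orphaned or unresolvable SID

        $grantsWrite = ($ace.AccessControlType -eq 'Allow') -and
                       (([int]$ace.FileSystemRights -band $WriteMask) -ne 0)

        [pscustomobject]@{
            Identity           = $name
            Sid                = $sid.Value
            Type               = $ace.AccessControlType
            Rights             = $ace.FileSystemRights
            Inherited          = $ace.IsInherited
            # True when this entry applies to the user running the audit.
            InCurrentToken     = $tokenSids -contains $sid.Value
            # True when a principal outside the assumed admin set can modify the directory.
            WritableByNonAdmin = $grantsWrite -and ($AdminSids -notcontains $sid.Value)
            AuditElevated      = $elevated
        }
    }
}

Get-AgentDirAclReport | Format-Table Identity, Type, Rights, Inherited, InCurrentToken, WritableByNonAdmin -AutoSize
```

Running it once from a normal prompt and once from an elevated one as the same user shows whether any allow entry matches the non-elevated token.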

DFolchA commented 2 years ago

UPDATE

4.3.1 -> 4.3.3

https://user-images.githubusercontent.com/19505384/177808126-8fa74add-f14d-4860-a494-ccb64a9746b8.mp4

elwali10 commented 2 years ago

UPDATE

Generated installation log:

Installer log ```
MSI (s) (A8:88) [05:44:07:770]: Entering CMsiConfigurationManager::SetLastUsedSource. MSI (s) (A8:88) [05:44:07:770]: User policy value 'SearchOrder' is 'nmu' MSI (s) (A8:88) [05:44:07:770]: Adding new sources is allowed. MSI (s) (A8:88) [05:44:07:770]: PROPERTY CHANGE: Adding PackagecodeChanging property. Its value is '1'. MSI (s) (A8:88) [05:44:07:770]: Package name extracted from package path: 'wazuh-agent-4.3.3-1(1).msi' MSI (s) (A8:88) [05:44:07:770]: Package to be registered: 'wazuh-agent-4.3.3-1(1).msi' MSI (s) (A8:88) [05:44:07:770]: Note: 1: 2262 2: AdminProperties 3: -2147287038 MSI (s) (A8:88) [05:44:07:770]: Machine policy value 'DisableMsi' is 1 MSI (s) (A8:88) [05:44:07:770]: Machine policy value 'AlwaysInstallElevated' is 0 MSI (s) (A8:88) [05:44:07:770]: User policy value 'AlwaysInstallElevated' is 0 MSI (s) (A8:88) [05:44:07:770]: Product installation will be elevated because user is admin and product is being installed per-machine. MSI (s) (A8:88) [05:44:07:770]: Running product '{74876D42-37ED-44FD-B662-AC2F5842BA6A}' with elevated privileges: Product is assigned. MSI (s) (A8:88) [05:44:07:770]: PROPERTY CHANGE: Modifying MAJORVERSION property. Its current value is '0'. Its new value: '#10'. MSI (s) (A8:88) [05:44:07:770]: PROPERTY CHANGE: Modifying BUILDVERSION property. Its current value is '0'. Its new value: '14393'. MSI (s) (A8:88) [05:44:07:770]: PROPERTY CHANGE: Adding APPLICATIONFOLDER property. Its value is 'C:\Program Files (x86)\ossec-agent\'. MSI (s) (A8:88) [05:44:07:770]: PROPERTY CHANGE: Adding WAZUHINSTALLED property. Its value is 'Wazuh'. MSI (s) (A8:88) [05:44:07:770]: PROPERTY CHANGE: Adding BIN property. Its value is 'C:\Program Files (x86)\ossec-agent\active-response\bin\'. MSI (s) (A8:88) [05:44:07:770]: PROPERTY CHANGE: Adding ACTIVE_RESPONSE property. Its value is 'C:\Program Files (x86)\ossec-agent\active-response\'. MSI (s) (A8:88) [05:44:07:770]: PROPERTY CHANGE: Adding SHARED property. 
Its value is 'C:\Program Files (x86)\ossec-agent\shared\'. MSI (s) (A8:88) [05:44:07:770]: PROPERTY CHANGE: Adding SECURITY_CONFIGURATION_ASSESSMENT property. Its value is 'C:\Program Files (x86)\ossec-agent\ruleset\sca\'. MSI (s) (A8:88) [05:44:07:770]: PROPERTY CHANGE: Adding SYSCOLLECTOR property. Its value is 'C:\Program Files (x86)\ossec-agent\queue\syscollector\'. MSI (s) (A8:88) [05:44:07:770]: PROPERTY CHANGE: Adding TMP property. Its value is 'C:\Program Files (x86)\ossec-agent\tmp\'. MSI (s) (A8:88) [05:44:07:770]: PROPERTY CHANGE: Adding QUEUE property. Its value is 'C:\Program Files (x86)\ossec-agent\queue\'. MSI (s) (A8:88) [05:44:07:770]: PROPERTY CHANGE: Adding DIFF property. Its value is 'C:\Program Files (x86)\ossec-agent\queue\diff\'. MSI (s) (A8:88) [05:44:07:770]: PROPERTY CHANGE: Adding FIM property. Its value is 'C:\Program Files (x86)\ossec-agent\queue\fim\'. MSI (s) (A8:88) [05:44:07:770]: PROPERTY CHANGE: Adding FIM_DB property. Its value is 'C:\Program Files (x86)\ossec-agent\queue\fim\db\'. MSI (s) (A8:88) [05:44:07:770]: PROPERTY CHANGE: Adding SYSCOLLECTOR_DB property. Its value is 'C:\Program Files (x86)\ossec-agent\queue\syscollector\db\'. MSI (s) (A8:88) [05:44:07:770]: PROPERTY CHANGE: Adding LOGCOLLECTOR property. Its value is 'C:\Program Files (x86)\ossec-agent\queue\logcollector\'. MSI (s) (A8:88) [05:44:07:770]: PROPERTY CHANGE: Adding RULESET property. Its value is 'C:\Program Files (x86)\ossec-agent\ruleset\'. MSI (s) (A8:88) [05:44:07:770]: PROPERTY CHANGE: Adding BOOKMARKS property. Its value is 'C:\Program Files (x86)\ossec-agent\bookmarks\'. MSI (s) (A8:88) [05:44:07:770]: PROPERTY CHANGE: Adding LOGS property. Its value is 'C:\Program Files (x86)\ossec-agent\logs\'. MSI (s) (A8:88) [05:44:07:770]: PROPERTY CHANGE: Adding WODLES property. Its value is 'C:\Program Files (x86)\ossec-agent\wodles\'. MSI (s) (A8:88) [05:44:07:770]: PROPERTY CHANGE: Adding RIDS property. Its value is 'C:\Program Files (x86)\ossec-agent\rids\'. 
MSI (s) (A8:88) [05:44:07:770]: PROPERTY CHANGE: Adding SYSCHECK property. Its value is 'C:\Program Files (x86)\ossec-agent\syscheck\'. MSI (s) (A8:88) [05:44:07:770]: PROPERTY CHANGE: Adding INCOMING property. Its value is 'C:\Program Files (x86)\ossec-agent\incoming\'. MSI (s) (A8:88) [05:44:07:770]: PROPERTY CHANGE: Adding UPGRADE property. Its value is 'C:\Program Files (x86)\ossec-agent\upgrade\'. MSI (s) (A8:88) [05:44:07:770]: PROPERTY CHANGE: Adding TARGETDIR property. Its value is 'C:\'. MSI (s) (A8:88) [05:44:07:770]: PROPERTY CHANGE: Adding WIX_UPGRADE_DETECTED property. Its value is '{6061DE66-243A-4D4D-BCC4-3A446B583112}'. MSI (s) (A8:88) [05:44:07:770]: PROPERTY CHANGE: Adding CURRENTDIRECTORY property. Its value is 'C:\Users\Administrator\Downloads'. MSI (s) (A8:88) [05:44:07:770]: PROPERTY CHANGE: Adding CLIENTUILEVEL property. Its value is '0'. MSI (s) (A8:88) [05:44:07:770]: PROPERTY CHANGE: Adding CLIENTPROCESSID property. Its value is '924'. MSI (s) (A8:88) [05:44:07:770]: PROPERTY CHANGE: Adding USERNAME property. Its value is 'Windows User'. MSI (s) (A8:88) [05:44:07:770]: PROPERTY CHANGE: Adding SOURCEDIR property. Its value is 'C:\Users\Administrator\Downloads\'. MSI (s) (A8:88) [05:44:07:770]: PROPERTY CHANGE: Adding ACTION property. Its value is 'INSTALL'. MSI (s) (A8:88) [05:44:07:770]: PROPERTY CHANGE: Adding EXECUTEACTION property. Its value is 'INSTALL'. MSI (s) (A8:88) [05:44:07:770]: PROPERTY CHANGE: Adding MIGRATE property. Its value is '{6061DE66-243A-4D4D-BCC4-3A446B583112}'. MSI (s) (A8:88) [05:44:07:770]: PROPERTY CHANGE: Adding SECONDSEQUENCE property. Its value is '1'. MSI (s) (A8:88) [05:44:07:770]: PROPERTY CHANGE: Adding ROOTDRIVE property. Its value is 'C:\'. MSI (s) (A8:88) [05:44:07:770]: PROPERTY CHANGE: Adding INSTALLLEVEL property. Its value is '1'. MSI (s) (A8:88) [05:44:07:770]: PROPERTY CHANGE: Adding ADDLOCAL property. Its value is 'MainFeature'. 
MSI (s) (A8:88) [05:44:07:770]: Machine policy value 'DisableAutomaticApplicationShutdown' is 0 MSI (s) (A8:88) [05:44:07:770]: PROPERTY CHANGE: Adding MsiRestartManagerSessionKey property. Its value is 'f151e44178d62645bc59119b6556d707'. MSI (s) (A8:88) [05:44:07:770]: RESTART MANAGER: Session opened. MSI (s) (A8:88) [05:44:07:770]: Engine has iefSecondSequence set to true. MSI (s) (A8:88) [05:44:07:770]: TRANSFORMS property is now: MSI (s) (A8:88) [05:44:07:770]: PROPERTY CHANGE: Deleting SOURCEDIR property. Its current value is 'C:\Users\Administrator\Downloads\'. MSI (s) (A8:88) [05:44:07:770]: PROPERTY CHANGE: Adding VersionDatabase property. Its value is '200'. MSI (s) (A8:88) [05:44:07:786]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming MSI (s) (A8:88) [05:44:07:786]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\Favorites MSI (s) (A8:88) [05:44:07:786]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Network Shortcuts MSI (s) (A8:88) [05:44:07:786]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\Documents MSI (s) (A8:88) [05:44:07:786]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Printer Shortcuts MSI (s) (A8:88) [05:44:07:786]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent MSI (s) (A8:88) [05:44:07:786]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\SendTo MSI (s) (A8:88) [05:44:07:786]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates MSI (s) (A8:88) [05:44:07:786]: SHELL32::SHGetFolderPath returned: C:\ProgramData MSI (s) (A8:88) [05:44:07:802]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Local MSI (s) (A8:88) [05:44:07:802]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\Pictures MSI (s) (A8:88) [05:44:07:802]: 
SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools MSI (s) (A8:88) [05:44:07:802]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup MSI (s) (A8:88) [05:44:07:802]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs MSI (s) (A8:88) [05:44:07:802]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu MSI (s) (A8:88) [05:44:07:802]: SHELL32::SHGetFolderPath returned: C:\Users\Public\Desktop MSI (s) (A8:88) [05:44:07:818]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools MSI (s) (A8:88) [05:44:07:818]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup MSI (s) (A8:88) [05:44:07:818]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs MSI (s) (A8:88) [05:44:07:818]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu MSI (s) (A8:88) [05:44:07:818]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\Desktop MSI (s) (A8:88) [05:44:07:818]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Templates MSI (s) (A8:88) [05:44:07:818]: SHELL32::SHGetFolderPath returned: C:\Windows\Fonts MSI (s) (A8:88) [05:44:07:818]: Note: 1: 2898 2: MS Sans Serif 3: MS Sans Serif 4: 0 5: 16 MSI (s) (A8:88) [05:44:07:833]: MSI_LUA: Setting MsiRunningElevated property to 1 because the install is already running elevated. MSI (s) (A8:88) [05:44:07:833]: PROPERTY CHANGE: Adding MsiRunningElevated property. Its value is '1'. MSI (s) (A8:88) [05:44:07:833]: PROPERTY CHANGE: Adding Privileged property. Its value is '1'. 
MSI (s) (A8:88) [05:44:07:833]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info 3: 2 MSI (s) (A8:88) [05:44:07:833]: PROPERTY CHANGE: Adding DATABASE property. Its value is 'C:\Windows\Installer\17b51.msi'. MSI (s) (A8:88) [05:44:07:833]: PROPERTY CHANGE: Adding OriginalDatabase property. Its value is 'C:\Users\Administrator\Downloads\wazuh-agent-4.3.3-1(1).msi'. MSI (s) (A8:88) [05:44:07:833]: Machine policy value 'MsiDisableEmbeddedUI' is 0 MSI (s) (A8:88) [05:44:07:833]: EEUI - Disabling MsiEmbeddedUI for service because it's not a quiet/basic install MSI (s) (A8:88) [05:44:07:833]: Note: 1: 2205 2: 3: PatchPackage MSI (s) (A8:88) [05:44:07:833]: Machine policy value 'DisableRollback' is 0 MSI (s) (A8:88) [05:44:07:833]: User policy value 'DisableRollback' is 0 MSI (s) (A8:88) [05:44:07:833]: PROPERTY CHANGE: Adding UILevel property. Its value is '5'. MSI (s) (A8:88) [05:44:07:833]: PROPERTY CHANGE: Adding Preselected property. Its value is '1'. MSI (s) (A8:88) [05:44:07:833]: Note: 1: 2205 2: 3: LaunchCondition MSI (s) (A8:88) [05:44:07:833]: Note: 1: 2228 2: 3: LaunchCondition 4: SELECT `Condition` FROM `LaunchCondition` MSI (s) (A8:88) [05:44:07:833]: APPCOMPAT: [DetectVersionLaunchCondition] Failed to initialize pRecErr. MSI (s) (A8:88) [05:44:07:833]: Doing action: INSTALL MSI (s) (A8:88) [05:44:07:833]: Note: 1: 2205 2: 3: ActionText Action 5:44:07: INSTALL. Action start 5:44:07: INSTALL. MSI (s) (A8:88) [05:44:07:833]: Running ExecuteSequence MSI (s) (A8:88) [05:44:07:833]: Doing action: FindRelatedProducts MSI (s) (A8:88) [05:44:07:833]: Note: 1: 2205 2: 3: ActionText Action 5:44:07: FindRelatedProducts. Searching for related applications Action start 5:44:07: FindRelatedProducts. MSI (s) (A8:88) [05:44:07:833]: Skipping FindRelatedProducts action: already done on client side Action ended 5:44:07: FindRelatedProducts. Return value 0. 
MSI (s) (A8:88) [05:44:07:833]: Doing action: AppSearch MSI (s) (A8:88) [05:44:07:833]: Note: 1: 2205 2: 3: ActionText Action 5:44:07: AppSearch. Searching for installed applications Action start 5:44:07: AppSearch. MSI (s) (A8:88) [05:44:07:849]: Skipping AppSearch action: already done on client side Action ended 5:44:07: AppSearch. Return value 0. MSI (s) (A8:88) [05:44:07:849]: Skipping action: CheckSvcRunning_OssecSvc (condition is false) MSI (s) (A8:88) [05:44:07:849]: Doing action: ValidateProductID MSI (s) (A8:88) [05:44:07:849]: Note: 1: 2205 2: 3: ActionText Action 5:44:07: ValidateProductID. Action start 5:44:07: ValidateProductID. Action ended 5:44:07: ValidateProductID. Return value 1. MSI (s) (A8:88) [05:44:07:849]: Doing action: CostInitialize MSI (s) (A8:88) [05:44:07:849]: Note: 1: 2205 2: 3: ActionText Action 5:44:07: CostInitialize. Computing space requirements Action start 5:44:07: CostInitialize. MSI (s) (A8:88) [05:44:07:849]: Machine policy value 'MaxPatchCacheSize' is 10 MSI (s) (A8:88) [05:44:07:849]: PROPERTY CHANGE: Adding CostingComplete property. Its value is '0'. MSI (s) (A8:88) [05:44:07:849]: Note: 1: 2205 2: 3: Patch MSI (s) (A8:88) [05:44:07:849]: Note: 1: 2205 2: 3: PatchPackage MSI (s) (A8:88) [05:44:07:849]: Note: 1: 2205 2: 3: MsiPatchHeaders MSI (s) (A8:88) [05:44:07:849]: Note: 1: 2205 2: 3: __MsiPatchFileList MSI (s) (A8:88) [05:44:07:849]: Note: 1: 2205 2: 3: PatchPackage MSI (s) (A8:88) [05:44:07:849]: Note: 1: 2228 2: 3: PatchPackage 4: SELECT `DiskId`, `PatchId`, `LastSequence` FROM `Media`, `PatchPackage` WHERE `Media`.`DiskId`=`PatchPackage`.`Media_` ORDER BY `DiskId` MSI (s) (A8:88) [05:44:07:849]: Note: 1: 2205 2: 3: Patch Action ended 5:44:07: CostInitialize. Return value 1. MSI (s) (A8:88) [05:44:07:849]: Doing action: FileCost MSI (s) (A8:88) [05:44:07:849]: Note: 1: 2205 2: 3: ActionText Action 5:44:07: FileCost. Computing space requirements Action start 5:44:07: FileCost. 
MSI (s) (A8:88) [05:44:07:864]: Note: 1: 2205 2: 3: MsiAssembly MSI (s) (A8:88) [05:44:07:864]: Note: 1: 2205 2: 3: Class MSI (s) (A8:88) [05:44:07:864]: Note: 1: 2205 2: 3: Extension MSI (s) (A8:88) [05:44:07:864]: Note: 1: 2205 2: 3: TypeLib Action ended 5:44:07: FileCost. Return value 1. MSI (s) (A8:88) [05:44:07:864]: Doing action: WixSetDefaultPerUserFolder MSI (s) (A8:88) [05:44:07:864]: Note: 1: 2205 2: 3: ActionText Action 5:44:07: WixSetDefaultPerUserFolder. Action start 5:44:07: WixSetDefaultPerUserFolder. MSI (s) (A8:88) [05:44:07:864]: PROPERTY CHANGE: Adding WixPerUserFolder property. Its value is 'C:\Users\Administrator\AppData\Local\Apps\ossec-agent'. Action ended 5:44:07: WixSetDefaultPerUserFolder. Return value 1. MSI (s) (A8:88) [05:44:07:864]: Doing action: WixSetDefaultPerMachineFolder MSI (s) (A8:88) [05:44:07:864]: Note: 1: 2205 2: 3: ActionText Action 5:44:07: WixSetDefaultPerMachineFolder. Action start 5:44:07: WixSetDefaultPerMachineFolder. MSI (s) (A8:88) [05:44:07:864]: PROPERTY CHANGE: Adding WixPerMachineFolder property. Its value is 'C:\Program Files (x86)\ossec-agent'. Action ended 5:44:07: WixSetDefaultPerMachineFolder. Return value 1. MSI (s) (A8:88) [05:44:07:864]: Skipping action: WixSetPerUserFolder (condition is false) MSI (s) (A8:88) [05:44:07:864]: Skipping action: WixSetPerMachineFolder (condition is false) MSI (s) (A8:88) [05:44:07:864]: Doing action: CostFinalize MSI (s) (A8:88) [05:44:07:864]: Note: 1: 2205 2: 3: ActionText Action 5:44:07: CostFinalize. Computing space requirements Action start 5:44:07: CostFinalize. MSI (s) (A8:88) [05:44:07:864]: PROPERTY CHANGE: Adding OutOfDiskSpace property. Its value is '0'. MSI (s) (A8:88) [05:44:07:864]: PROPERTY CHANGE: Adding OutOfNoRbDiskSpace property. Its value is '0'. MSI (s) (A8:88) [05:44:07:864]: PROPERTY CHANGE: Adding PrimaryVolumeSpaceAvailable property. Its value is '0'. MSI (s) (A8:88) [05:44:07:864]: PROPERTY CHANGE: Adding PrimaryVolumeSpaceRequired property. 
Its value is '0'. MSI (s) (A8:88) [05:44:07:864]: PROPERTY CHANGE: Adding PrimaryVolumeSpaceRemaining property. Its value is '0'. MSI (s) (A8:88) [05:44:07:864]: Note: 1: 2205 2: 3: Patch MSI (s) (A8:88) [05:44:07:864]: Note: 1: 2205 2: 3: Condition MSI (s) (A8:88) [05:44:07:864]: PROPERTY CHANGE: Adding ProgramMenuDir property. Its value is 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OSSEC\'. MSI (s) (A8:88) [05:44:07:864]: Target path resolution complete. Dumping Directory table... MSI (s) (A8:88) [05:44:07:864]: Note: target paths subject to change (via custom actions or browsing) MSI (s) (A8:88) [05:44:07:864]: Dir (target): Key: TARGETDIR , Object: C:\ MSI (s) (A8:88) [05:44:07:864]: Dir (target): Key: WindowsFolder , Object: C:\Windows\ MSI (s) (A8:88) [05:44:07:864]: Dir (target): Key: ProgramMenuFolder , Object: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ MSI (s) (A8:88) [05:44:07:864]: Dir (target): Key: ProgramMenuDir , Object: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OSSEC\ MSI (s) (A8:88) [05:44:07:864]: Dir (target): Key: ProgramFilesFolder , Object: C:\Program Files (x86)\ MSI (s) (A8:88) [05:44:07:864]: Dir (target): Key: APPLICATIONFOLDER , Object: C:\Program Files (x86)\ossec-agent\ MSI (s) (A8:88) [05:44:07:864]: Dir (target): Key: UPGRADE , Object: C:\Program Files (x86)\ossec-agent\upgrade\ MSI (s) (A8:88) [05:44:07:864]: Dir (target): Key: INCOMING , Object: C:\Program Files (x86)\ossec-agent\incoming\ MSI (s) (A8:88) [05:44:07:864]: Dir (target): Key: SYSCHECK , Object: C:\Program Files (x86)\ossec-agent\syscheck\ MSI (s) (A8:88) [05:44:07:864]: Dir (target): Key: RIDS , Object: C:\Program Files (x86)\ossec-agent\rids\ MSI (s) (A8:88) [05:44:07:864]: Dir (target): Key: WODLES , Object: C:\Program Files (x86)\ossec-agent\wodles\ MSI (s) (A8:88) [05:44:07:864]: Dir (target): Key: LOGS , Object: C:\Program Files (x86)\ossec-agent\logs\ MSI (s) (A8:88) [05:44:07:864]: Dir (target): Key: BOOKMARKS , Object: 
C:\Program Files (x86)\ossec-agent\bookmarks\ MSI (s) (A8:88) [05:44:07:864]: Dir (target): Key: TMP , Object: C:\Program Files (x86)\ossec-agent\tmp\ MSI (s) (A8:88) [05:44:07:864]: Dir (target): Key: QUEUE , Object: C:\Program Files (x86)\ossec-agent\queue\ MSI (s) (A8:88) [05:44:07:864]: Dir (target): Key: LOGCOLLECTOR , Object: C:\Program Files (x86)\ossec-agent\queue\logcollector\ MSI (s) (A8:88) [05:44:07:864]: Dir (target): Key: FIM , Object: C:\Program Files (x86)\ossec-agent\queue\fim\ MSI (s) (A8:88) [05:44:07:864]: Dir (target): Key: FIM_DB , Object: C:\Program Files (x86)\ossec-agent\queue\fim\db\ MSI (s) (A8:88) [05:44:07:864]: Dir (target): Key: DIFF , Object: C:\Program Files (x86)\ossec-agent\queue\diff\ MSI (s) (A8:88) [05:44:07:864]: Dir (target): Key: SYSCOLLECTOR , Object: C:\Program Files (x86)\ossec-agent\queue\syscollector\ MSI (s) (A8:88) [05:44:07:864]: Dir (target): Key: SYSCOLLECTOR_DB , Object: C:\Program Files (x86)\ossec-agent\queue\syscollector\db\ MSI (s) (A8:88) [05:44:07:864]: Dir (target): Key: RULESET , Object: C:\Program Files (x86)\ossec-agent\ruleset\ MSI (s) (A8:88) [05:44:07:864]: Dir (target): Key: SECURITY_CONFIGURATION_ASSESSMENT , Object: C:\Program Files (x86)\ossec-agent\ruleset\sca\ MSI (s) (A8:88) [05:44:07:864]: Dir (target): Key: SHARED , Object: C:\Program Files (x86)\ossec-agent\shared\ MSI (s) (A8:88) [05:44:07:864]: Dir (target): Key: ACTIVE_RESPONSE , Object: C:\Program Files (x86)\ossec-agent\active-response\ MSI (s) (A8:88) [05:44:07:864]: Dir (target): Key: BIN , Object: C:\Program Files (x86)\ossec-agent\active-response\bin\ MSI (s) (A8:88) [05:44:07:864]: Note: 1: 2205 2: 3: MsiAssembly MSI (s) (A8:88) [05:44:07:864]: Note: 1: 2228 2: 3: MsiAssembly 4: SELECT `MsiAssembly`.`Attributes`, `MsiAssembly`.`File_Application`, `MsiAssembly`.`File_Manifest`, `Component`.`KeyPath` FROM `MsiAssembly`, `Component` WHERE `MsiAssembly`.`Component_` = `Component`.`Component` AND `MsiAssembly`.`Component_` = ? 
MSI (s) (A8:88) [05:44:07:881]: Disallowing installation of component: {26C3265E-EFC8-488D-8D19-397A0C44C071} since the keyfile exists and the component is marked to never overwrite existing installations MSI (s) (A8:88) [05:44:07:881]: Disallowing installation of component: {10245598-2EE7-4EDB-A114-5398F01A21F9} since the keyfile exists and the component is marked to never overwrite existing installations Action ended 5:44:07: CostFinalize. Return value 1. MSI (s) (A8:88) [05:44:07:896]: Doing action: MigrateFeatureStates MSI (s) (A8:88) [05:44:07:896]: Note: 1: 2205 2: 3: ActionText Action 5:44:07: MigrateFeatureStates. Migrating feature states from related applications Action start 5:44:07: MigrateFeatureStates. MSI (s) (A8:88) [05:44:07:896]: Skipping MigrateFeatureStates action: already done on client side Action ended 5:44:07: MigrateFeatureStates. Return value 0. MSI (s) (A8:88) [05:44:07:896]: Doing action: InstallValidate MSI (s) (A8:88) [05:44:07:896]: Note: 1: 2205 2: 3: ActionText Action 5:44:07: InstallValidate. Validating install Action start 5:44:07: InstallValidate. MSI (s) (A8:88) [05:44:07:896]: PROPERTY CHANGE: Deleting MsiRestartManagerSessionKey property. Its current value is 'f151e44178d62645bc59119b6556d707'. 
MSI (s) (A8:88) [05:44:07:896]: Feature: MainFeature; Installed: Absent; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Component: REGISTRY_INSTALL_DIR; Installed: Absent; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Component: AGENT_AUTH.EXE; Installed: Absent; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Component: LIBWAZUHEXT_DLL; Installed: Absent; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Component: LIBWAZUHSHARED_DLL; Installed: Absent; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Component: DBSYNC_DLL; Installed: Absent; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Component: RSYNC_DLL; Installed: Absent; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Component: SYSINFO_DLL; Installed: Absent; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Component: SYSCOLLECTOR_DLL; Installed: Absent; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Component: LOCAL_INTERNAL_OPTIONS.CONF; Installed: Absent; Request: Local; Action: Null MSI (s) (A8:88) [05:44:07:896]: Component: OSSEC.CONF; Installed: Absent; Request: Local; Action: Null MSI (s) (A8:88) [05:44:07:896]: Component: INTERNAL_OPTIONS.CONF; Installed: Absent; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Component: LICENSE.TXT; Installed: Absent; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Component: LIBWINPTHREAD_1.DLL; Installed: Absent; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Component: LIBGCC_S_SJLJ_1.DLL; Installed: Absent; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Component: MANAGE_AGENTS.EXE; Installed: Absent; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Component: WAZUH_AGENT_EVENTCHANNEL.EXE; Installed: Absent; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Component: WAZUH_AGENT.EXE; Installed: Absent; Request: Local; Action: Null MSI (s) (A8:88) 
[05:44:07:896]: Component: WAZUH_AGENT_UPGRADE_OSSEC.EXE; Installed: Absent; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Component: WAZUH_AGENT_UPGRADE_OSSEC_NOEC.EXE; Installed: Absent; Request: Local; Action: Null MSI (s) (A8:88) [05:44:07:896]: Component: VISTA_SEC.TXT; Installed: Absent; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Component: WIN32UI.EXE; Installed: Absent; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Component: REMOVE_OLD_NSIS; Installed: Absent; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Component: HELP_WIN.TXT; Installed: Absent; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Component: VERSION; Installed: Absent; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Component: REVISION; Installed: Absent; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Component: WPK_ROOT.PEM; Installed: Absent; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Component: WXP_CONF_LOCALFILE; Installed: Absent; Request: Local; Action: Null MSI (s) (A8:88) [05:44:07:896]: Component: WXP_CONF_PROFILE; Installed: Absent; Request: Local; Action: Null MSI (s) (A8:88) [05:44:07:896]: Component: WXP_CONF_SYSCHECK; Installed: Absent; Request: Local; Action: Null MSI (s) (A8:88) [05:44:07:896]: Component: W2003_CONF_LOCALFILE; Installed: Absent; Request: Local; Action: Null MSI (s) (A8:88) [05:44:07:896]: Component: W2003_CONF_PROFILE; Installed: Absent; Request: Local; Action: Null MSI (s) (A8:88) [05:44:07:896]: Component: W2003_CONF_SYSCHECK; Installed: Absent; Request: Local; Action: Null MSI (s) (A8:88) [05:44:07:896]: Component: WVISTA_CONF_PROFILE; Installed: Absent; Request: Local; Action: Null MSI (s) (A8:88) [05:44:07:896]: Component: W2008_CONF_PROFILE; Installed: Absent; Request: Local; Action: Null MSI (s) (A8:88) [05:44:07:896]: Component: W7_CONF_PROFILE; Installed: Absent; Request: Local; Action: Null MSI (s) (A8:88) [05:44:07:896]: 
Component: W2008R2_CONF_PROFILE; Installed: Absent; Request: Local; Action: Null MSI (s) (A8:88) [05:44:07:896]: Component: W8_CONF_PROFILE; Installed: Absent; Request: Local; Action: Null MSI (s) (A8:88) [05:44:07:896]: Component: W2012_CONF_PROFILE; Installed: Absent; Request: Local; Action: Null MSI (s) (A8:88) [05:44:07:896]: Component: W8.1_CONF_PROFILE; Installed: Absent; Request: Local; Action: Null MSI (s) (A8:88) [05:44:07:896]: Component: W2012R2_CONF_PROFILE; Installed: Absent; Request: Local; Action: Null MSI (s) (A8:88) [05:44:07:896]: Component: W10_CONF_PROFILE; Installed: Absent; Request: Local; Action: Null MSI (s) (A8:88) [05:44:07:896]: Component: W2016_CONF_PROFILE; Installed: Absent; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Component: W2019_CONF_PROFILE; Installed: Absent; Request: Local; Action: Null MSI (s) (A8:88) [05:44:07:896]: Component: RESTART_WAZUH.EXE; Installed: Absent; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Component: ROUTE_NULL.EXE; Installed: Absent; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Component: NETSH.EXE; Installed: Absent; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Component: REMOVE_OLD_AR; Installed: Absent; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Component: ACTIVE_RESPONSES.LOG; Installed: Absent; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Component: ROOTKIT_FILES.TXT; Installed: Absent; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Component: ROOTKIT_TROJANS.TXT; Installed: Absent; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Component: WIN_APPLICATIONS_RCL.TXT; Installed: Absent; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Component: WIN_AUDIT_RCL.TXT; Installed: Absent; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Component: WIN_MALWARE_RCL.TXT; Installed: Absent; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: 
Component: REMOVE_OLD_POLICIES; Installed: Absent; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Component: SCA_WIN_AUDIT.YML; Installed: Absent; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Component: SCA_WIN10; Installed: Absent; Request: Local; Action: Null MSI (s) (A8:88) [05:44:07:896]: Component: SCA_WIN2012R2; Installed: Absent; Request: Local; Action: Null MSI (s) (A8:88) [05:44:07:896]: Component: SCA_WIN2016; Installed: Absent; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Component: SCA_WIN2019; Installed: Absent; Request: Local; Action: Null MSI (s) (A8:88) [05:44:07:896]: Component: SYSCOLLECTOR_NORM_CONFIG; Installed: Absent; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Component: StartMenuShortcuts; Installed: Absent; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Component: CMP_ACTIVE_RESPONSE; Installed: Absent; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Component: CMP_TMP; Installed: Absent; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Component: CMP_QUEUE; Installed: Absent; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Component: CMP_DIFF; Installed: Absent; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Component: CMP_FIM; Installed: Absent; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Component: CMP_FIM_DB; Installed: Absent; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Component: CMP_SYSCOLLECTOR; Installed: Absent; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Component: CMP_SYSCOLLECTOR_DB; Installed: Absent; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Component: CMP_LOGCOLLECTOR; Installed: Absent; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Component: CMP_RULESET; Installed: Absent; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Component: CMP_SECURITY_CONFIGURATION_ASSESSMENT; Installed: 
Absent; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Component: CMP_BOOKMARKS; Installed: Absent; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Component: CMP_LOGS; Installed: Absent; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Component: CMP_WODLES; Installed: Absent; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Component: CMP_RIDS; Installed: Absent; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Component: CMP_SYSCHECK; Installed: Absent; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Component: CMP_INCOMING; Installed: Absent; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Component: CMP_UPGRADE; Installed: Absent; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Component: CMP_SHARED; Installed: Absent; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Component: __REGISTRY_INSTALL_DIR65; Installed: Null; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Component: __StartMenuShortcuts65; Installed: Null; Request: Local; Action: Local MSI (s) (A8:88) [05:44:07:896]: Note: 1: 2205 2: 3: BindImage MSI (s) (A8:88) [05:44:07:896]: Note: 1: 2205 2: 3: ProgId MSI (s) (A8:88) [05:44:07:896]: Note: 1: 2205 2: 3: PublishComponent MSI (s) (A8:88) [05:44:07:896]: Note: 1: 2205 2: 3: SelfReg MSI (s) (A8:88) [05:44:07:896]: Note: 1: 2205 2: 3: Extension MSI (s) (A8:88) [05:44:07:896]: Note: 1: 2205 2: 3: Font MSI (s) (A8:88) [05:44:07:896]: Note: 1: 2205 2: 3: Class MSI (s) (A8:88) [05:44:07:896]: Note: 1: 2205 2: 3: TypeLib MSI (s) (A8:88) [05:44:08:130]: PROPERTY CHANGE: Modifying CostingComplete property. Its current value is '0'. Its new value: '1'. 
MSI (s) (A8:88) [05:44:08:130]: Note: 1: 2205 2: 3: BindImage
MSI (s) (A8:88) [05:44:08:130]: Note: 1: 2205 2: 3: ProgId
MSI (s) (A8:88) [05:44:08:130]: Note: 1: 2205 2: 3: PublishComponent
MSI (s) (A8:88) [05:44:08:130]: Note: 1: 2205 2: 3: SelfReg
MSI (s) (A8:88) [05:44:08:130]: Note: 1: 2205 2: 3: Extension
MSI (s) (A8:88) [05:44:08:130]: Note: 1: 2205 2: 3: Font
MSI (s) (A8:88) [05:44:08:130]: Note: 1: 2205 2: 3: Class
MSI (s) (A8:88) [05:44:08:130]: Note: 1: 2205 2: 3: TypeLib
MSI (s) (A8:88) [05:44:08:130]: Note: 1: 2727 2:
MSI (s) (A8:88) [05:44:08:130]: Note: 1: 2205 2: 3: FilesInUse
MSI (s) (A8:88) [05:44:08:149]: Note: 1: 2727 2:
Action ended 5:44:08: InstallValidate. Return value 1.
MSI (s) (A8:88) [05:44:08:149]: Doing action: InstallInitialize
MSI (s) (A8:88) [05:44:08:149]: Note: 1: 2205 2: 3: ActionText
Action 5:44:08: InstallInitialize.
Action start 5:44:08: InstallInitialize.
MSI (s) (A8:88) [05:44:08:149]: Machine policy value 'AlwaysInstallElevated' is 0
MSI (s) (A8:88) [05:44:08:149]: User policy value 'AlwaysInstallElevated' is 0
MSI (s) (A8:88) [05:44:08:149]: BeginTransaction: Locking Server
MSI (s) (A8:88) [05:44:08:149]: Note: 1: 2203 2: C:\Windows\Installer\inprogressinstallinfo.ipi 3: -2147287038
MSI (s) (A8:88) [05:44:08:149]: Note: 1: 1715 2: Wazuh Agent
MSI (s) (A8:88) [05:44:08:149]: Calling SRSetRestorePoint API. dwRestorePtType: 0, dwEventType: 102, llSequenceNumber: 0, szDescription: "Installed Wazuh Agent".
MSI (s) (A8:88) [05:44:08:149]: The call to SRSetRestorePoint API failed. Returned status: 0. GetLastError() returned: 127
MSI (s) (A8:88) [05:44:08:149]: Note: 1: 2203 2: C:\Windows\Installer\inprogressinstallinfo.ipi 3: -2147287038
MSI (s) (A8:88) [05:44:08:149]: Server not locked: locking for product {74876D42-37ED-44FD-B662-AC2F5842BA6A}
Action ended 5:44:08: InstallInitialize. Return value 1.
MSI (s) (A8:88) [05:44:08:192]: Skipping action: SetAgentGroup (condition is false) MSI (s) (A8:88) [05:44:08:192]: Skipping action: SetAgentName (condition is false) MSI (s) (A8:88) [05:44:08:192]: Skipping action: SetRegistrationCA (condition is false) MSI (s) (A8:88) [05:44:08:192]: Skipping action: SetRegistrationCertificate (condition is false) MSI (s) (A8:88) [05:44:08:192]: Skipping action: SetRegistrationKet (condition is false) MSI (s) (A8:88) [05:44:08:192]: Skipping action: SetRegistrationPassword (condition is false) MSI (s) (A8:88) [05:44:08:192]: Skipping action: SetRegistrationPort (condition is false) MSI (s) (A8:88) [05:44:08:192]: Skipping action: SetRegistrationServer (condition is false) MSI (s) (A8:88) [05:44:08:192]: Skipping action: SetWazuhKeepAlive (condition is false) MSI (s) (A8:88) [05:44:08:192]: Skipping action: SetWazuhManager (condition is false) MSI (s) (A8:88) [05:44:08:192]: Skipping action: SetWazuhManagerPort (condition is false) MSI (s) (A8:88) [05:44:08:192]: Skipping action: SetWazuhManagerProtocol (condition is false) MSI (s) (A8:88) [05:44:08:192]: Skipping action: SetWazuhTimeReconnect (condition is false) MSI (s) (A8:88) [05:44:08:192]: Doing action: SetCustomActionDataValue MSI (s) (A8:88) [05:44:08:192]: Note: 1: 2205 2: 3: ActionText Action 5:44:08: SetCustomActionDataValue. Action start 5:44:08: SetCustomActionDataValue. MSI (s) (A8:88) [05:44:08:192]: PROPERTY CHANGE: Adding CustomAction_InstallerScripts property. Its value is '"C:\Program Files (x86)\ossec-agent\"/+/""/+/""/+/""/+/""/+/""/+/""/+/""/+/""/+/""/+/""/+/""/+/""/+/""/+/""/+/""'. Action ended 5:44:08: SetCustomActionDataValue. Return value 1. MSI (s) (A8:88) [05:44:08:192]: Doing action: CustomAction_InstallerScripts MSI (s) (A8:88) [05:44:08:192]: Note: 1: 2205 2: 3: ActionText Action 5:44:08: CustomAction_InstallerScripts. Action start 5:44:08: CustomAction_InstallerScripts. 
MSI (s) (A8:88) [05:44:08:192]: Note: 1: 2205 2: 3: MsiPatchCertificate
MSI (s) (A8:88) [05:44:08:192]: LUA patching is disabled: missing MsiPatchCertificate table
MSI (s) (A8:88) [05:44:08:192]: Resolving source.
MSI (s) (A8:88) [05:44:08:192]: Resolving source to launched-from source.
MSI (s) (A8:88) [05:44:08:192]: Setting launched-from source as last-used.
MSI (s) (A8:88) [05:44:08:192]: PROPERTY CHANGE: Adding SourceDir property. Its value is 'C:\Users\Administrator\Downloads\'.
MSI (s) (A8:88) [05:44:08:192]: PROPERTY CHANGE: Adding SOURCEDIR property. Its value is 'C:\Users\Administrator\Downloads\'.
MSI (s) (A8:88) [05:44:08:192]: PROPERTY CHANGE: Adding SourcedirProduct property. Its value is '{74876D42-37ED-44FD-B662-AC2F5842BA6A}'.
MSI (s) (A8:88) [05:44:08:192]: SOURCEDIR ==> C:\Users\Administrator\Downloads\
MSI (s) (A8:88) [05:44:08:192]: SOURCEDIR product ==> {74876D42-37ED-44FD-B662-AC2F5842BA6A}
MSI (s) (A8:88) [05:44:08:192]: SECREPAIR: CryptAcquireContext succeeded
MSI (s) (A8:88) [05:44:08:192]: Determining source type
MSI (s) (A8:88) [05:44:08:192]: Source type from package 'wazuh-agent-4.3.3-1(1).msi': 2
MSI (s) (A8:88) [05:44:08:208]: SECREPAIR: Hash Database: C:\Windows\Installer\SourceHash{74876D42-37ED-44FD-B662-AC2F5842BA6A}
MSI (s) (A8:88) [05:44:08:208]: SECREPAIR: SourceHash database file already exists. Deleting it.
MSI (s) (A8:88) [05:44:08:208]: Note: 1: 2262 2: SourceHash 3: -2147287038
MSI (s) (A8:88) [05:44:08:223]: SECREPAIR: New Hash Database creation complete.
MSI (s) (A8:88) [05:44:08:287]: Source path resolution complete. Dumping Directory table...
MSI (s) (A8:88) [05:44:08:287]: Dir (source): Key: TARGETDIR , Object: C:\Users\Administrator\Downloads\ , LongSubPath: , ShortSubPath: MSI (s) (A8:88) [05:44:08:287]: Dir (source): Key: WindowsFolder , Object: C:\Users\Administrator\Downloads\ , LongSubPath: , ShortSubPath: MSI (s) (A8:88) [05:44:08:287]: Dir (source): Key: ProgramMenuFolder , Object: C:\Users\Administrator\Downloads\ , LongSubPath: , ShortSubPath: MSI (s) (A8:88) [05:44:08:287]: Dir (source): Key: ProgramMenuDir , Object: C:\Users\Administrator\Downloads\ , LongSubPath: OSSEC\ , ShortSubPath: MSI (s) (A8:88) [05:44:08:287]: Dir (source): Key: ProgramFilesFolder , Object: C:\Users\Administrator\Downloads\ , LongSubPath: PFiles\ , ShortSubPath: MSI (s) (A8:88) [05:44:08:287]: Dir (source): Key: APPLICATIONFOLDER , Object: C:\Users\Administrator\Downloads\ , LongSubPath: PFiles\ossec-agent\ , ShortSubPath: PFiles\fjokbowa\ MSI (s) (A8:88) [05:44:08:287]: Dir (source): Key: UPGRADE , Object: C:\Users\Administrator\Downloads\ , LongSubPath: PFiles\ossec-agent\upgrade\ , ShortSubPath: PFiles\fjokbowa\upgrade\ MSI (s) (A8:88) [05:44:08:287]: Dir (source): Key: INCOMING , Object: C:\Users\Administrator\Downloads\ , LongSubPath: PFiles\ossec-agent\incoming\ , ShortSubPath: PFiles\fjokbowa\incoming\ MSI (s) (A8:88) [05:44:08:287]: Dir (source): Key: SYSCHECK , Object: C:\Users\Administrator\Downloads\ , LongSubPath: PFiles\ossec-agent\syscheck\ , ShortSubPath: PFiles\fjokbowa\syscheck\ MSI (s) (A8:88) [05:44:08:287]: Dir (source): Key: RIDS , Object: C:\Users\Administrator\Downloads\ , LongSubPath: PFiles\ossec-agent\rids\ , ShortSubPath: PFiles\fjokbowa\rids\ MSI (s) (A8:88) [05:44:08:287]: Dir (source): Key: WODLES , Object: C:\Users\Administrator\Downloads\ , LongSubPath: PFiles\ossec-agent\wodles\ , ShortSubPath: PFiles\fjokbowa\wodles\ MSI (s) (A8:88) [05:44:08:287]: Dir (source): Key: LOGS , Object: C:\Users\Administrator\Downloads\ , LongSubPath: PFiles\ossec-agent\logs\ , ShortSubPath: 
PFiles\fjokbowa\logs\ MSI (s) (A8:88) [05:44:08:287]: Dir (source): Key: BOOKMARKS , Object: C:\Users\Administrator\Downloads\ , LongSubPath: PFiles\ossec-agent\bookmarks\ , ShortSubPath: PFiles\fjokbowa\ecn_axgq\ MSI (s) (A8:88) [05:44:08:287]: Dir (source): Key: TMP , Object: C:\Users\Administrator\Downloads\ , LongSubPath: PFiles\ossec-agent\tmp\ , ShortSubPath: PFiles\fjokbowa\tmp\ MSI (s) (A8:88) [05:44:08:287]: Dir (source): Key: QUEUE , Object: C:\Users\Administrator\Downloads\ , LongSubPath: PFiles\ossec-agent\queue\ , ShortSubPath: PFiles\fjokbowa\queue\ MSI (s) (A8:88) [05:44:08:287]: Dir (source): Key: LOGCOLLECTOR , Object: C:\Users\Administrator\Downloads\ , LongSubPath: PFiles\ossec-agent\queue\logcollector\ , ShortSubPath: PFiles\fjokbowa\queue\c-7jkeo6\ MSI (s) (A8:88) [05:44:08:287]: Dir (source): Key: FIM , Object: C:\Users\Administrator\Downloads\ , LongSubPath: PFiles\ossec-agent\queue\fim\ , ShortSubPath: PFiles\fjokbowa\queue\fim\ MSI (s) (A8:88) [05:44:08:287]: Dir (source): Key: FIM_DB , Object: C:\Users\Administrator\Downloads\ , LongSubPath: PFiles\ossec-agent\queue\fim\db\ , ShortSubPath: PFiles\fjokbowa\queue\fim\db\ MSI (s) (A8:88) [05:44:08:287]: Dir (source): Key: DIFF , Object: C:\Users\Administrator\Downloads\ , LongSubPath: PFiles\ossec-agent\queue\diff\ , ShortSubPath: PFiles\fjokbowa\queue\diff\ MSI (s) (A8:88) [05:44:08:287]: Dir (source): Key: SYSCOLLECTOR , Object: C:\Users\Administrator\Downloads\ , LongSubPath: PFiles\ossec-agent\queue\syscollector\ , ShortSubPath: PFiles\fjokbowa\queue\bnp5_md3\ MSI (s) (A8:88) [05:44:08:287]: Dir (source): Key: SYSCOLLECTOR_DB , Object: C:\Users\Administrator\Downloads\ , LongSubPath: PFiles\ossec-agent\queue\syscollector\db\ , ShortSubPath: PFiles\fjokbowa\queue\bnp5_md3\db\ MSI (s) (A8:88) [05:44:08:287]: Dir (source): Key: RULESET , Object: C:\Users\Administrator\Downloads\ , LongSubPath: PFiles\ossec-agent\ruleset\ , ShortSubPath: PFiles\fjokbowa\ruleset\ MSI (s) (A8:88) 
[05:44:08:287]: Dir (source): Key: SECURITY_CONFIGURATION_ASSESSMENT , Object: C:\Users\Administrator\Downloads\ , LongSubPath: PFiles\ossec-agent\ruleset\sca\ , ShortSubPath: PFiles\fjokbowa\ruleset\sca\ MSI (s) (A8:88) [05:44:08:287]: Dir (source): Key: SHARED , Object: C:\Users\Administrator\Downloads\ , LongSubPath: PFiles\ossec-agent\shared\ , ShortSubPath: PFiles\fjokbowa\shared\ MSI (s) (A8:88) [05:44:08:287]: Dir (source): Key: ACTIVE_RESPONSE , Object: C:\Users\Administrator\Downloads\ , LongSubPath: PFiles\ossec-agent\active-response\ , ShortSubPath: PFiles\fjokbowa\9pxtresz\ MSI (s) (A8:88) [05:44:08:287]: Dir (source): Key: BIN , Object: C:\Users\Administrator\Downloads\ , LongSubPath: PFiles\ossec-agent\active-response\bin\ , ShortSubPath: PFiles\fjokbowa\9pxtresz\bin\ MSI (s) (A8:88) [05:44:08:287]: Note: 1: 2205 2: 3: ActionText MSI (s) (A8:88) [05:44:08:287]: Note: 1: 2205 2: 3: ActionText MSI (s) (A8:88) [05:44:08:287]: Note: 1: 2205 2: 3: ActionText Action 5:44:08: GenerateScript. Generating script operations for action: GenerateScript: CustomAction_InstallerScripts Action ended 5:44:08: CustomAction_InstallerScripts. Return value 1. MSI (s) (A8:88) [05:44:08:302]: Skipping action: StopOssecService (condition is false) MSI (s) (A8:88) [05:44:08:302]: Skipping action: DeleteOssecService (condition is false) MSI (s) (A8:88) [05:44:08:302]: Doing action: ProcessComponents MSI (s) (A8:88) [05:44:08:302]: Note: 1: 2205 2: 3: ActionText Action 5:44:08: ProcessComponents. Updating component registration Action start 5:44:08: ProcessComponents. ProcessComponents: Action ended 5:44:08: ProcessComponents. Return value 1. MSI (s) (A8:88) [05:44:08:317]: Doing action: UnpublishFeatures MSI (s) (A8:88) [05:44:08:317]: Note: 1: 2205 2: 3: ActionText Action 5:44:08: UnpublishFeatures. Unpublishing Product Features Action start 5:44:08: UnpublishFeatures. Action ended 5:44:08: UnpublishFeatures. Return value 1. 
MSI (s) (A8:88) [05:44:08:333]: Doing action: SchedSecureObjectsRollback
MSI (s) (A8:88) [05:44:08:333]: Note: 1: 2205 2: 3: ActionText
Action 5:44:08: SchedSecureObjectsRollback.
Action start 5:44:08: SchedSecureObjectsRollback.
MSI (s) (A8:44) [05:44:08:349]: Invoking remote custom action. DLL: C:\Windows\Installer\MSI5266.tmp, Entrypoint: SchedSecureObjectsRollback
MSI (s) (A8:04) [05:44:08:349]: Generating random cookie.
MSI (s) (A8:04) [05:44:08:349]: Created Custom Action Server with PID 2076 (0x81C).
MSI (s) (A8:90) [05:44:08:411]: Running as a service.
MSI (s) (A8:90) [05:44:08:427]: Hello, I'm your 32bit Impersonated custom action server.
SchedSecureObjectsRollback: Entering SchedSecureObjectsRollback in C:\Windows\Installer\MSI5266.tmp, version 3.11.4516.0
MSI (s) (A8!4C) [05:44:08:442]: Note: 1: 2753 2: OSSEC.CONF
MSI (s) (A8!4C) [05:44:08:442]: Note: 1: 2753 2: OSSEC.CONF
SchedSecureObjectsRollback: Error 0x8007007b: Unable to schedule rollback for object:
SchedSecureObjectsRollback: Failed to store ACL rollback information with error 0x8007007b - continuing
Action ended 5:44:08: SchedSecureObjectsRollback. Return value 1.
MSI (s) (A8:88) [05:44:08:458]: Doing action: StopServices
MSI (s) (A8:88) [05:44:08:458]: Note: 1: 2205 2: 3: ActionText
Action 5:44:08: StopServices. Stopping services
Action start 5:44:08: StopServices.
StopServices: Service: Stopping services
Action ended 5:44:08: StopServices. Return value 1.
MSI (s) (A8:88) [05:44:08:458]: Doing action: DeleteServices
MSI (s) (A8:88) [05:44:08:458]: Note: 1: 2205 2: 3: ActionText
Action 5:44:08: DeleteServices. Deleting services
Action start 5:44:08: DeleteServices.
Action ended 5:44:08: DeleteServices. Return value 1.
MSI (s) (A8:88) [05:44:08:474]: Doing action: RemoveRegistryValues
MSI (s) (A8:88) [05:44:08:474]: Note: 1: 2205 2: 3: ActionText
Action 5:44:08: RemoveRegistryValues. Removing system registry values
Action start 5:44:08: RemoveRegistryValues.
RemoveRegistryValues: Key: Removing system registry values, Name:
Action ended 5:44:08: RemoveRegistryValues. Return value 1.
MSI (s) (A8:88) [05:44:08:474]: Doing action: RemoveShortcuts
MSI (s) (A8:88) [05:44:08:474]: Note: 1: 2205 2: 3: ActionText
Action 5:44:08: RemoveShortcuts. Removing shortcuts
Action start 5:44:08: RemoveShortcuts.
Action ended 5:44:08: RemoveShortcuts. Return value 1.
MSI (s) (A8:88) [05:44:08:474]: Doing action: RemoveFiles
MSI (s) (A8:88) [05:44:08:474]: Note: 1: 2205 2: 3: ActionText
Action 5:44:08: RemoveFiles. Removing files
Action start 5:44:08: RemoveFiles.
RemoveFiles: File: Removing files, Directory:
Action ended 5:44:08: RemoveFiles. Return value 1.
MSI (s) (A8:88) [05:44:08:490]: Doing action: WixSchedInternetShortcuts
MSI (s) (A8:88) [05:44:08:490]: Note: 1: 2205 2: 3: ActionText
Action 5:44:08: WixSchedInternetShortcuts.
Action start 5:44:08: WixSchedInternetShortcuts.
MSI (s) (A8:C0) [05:44:08:505]: Invoking remote custom action. DLL: C:\Windows\Installer\MSI5303.tmp, Entrypoint: WixSchedInternetShortcuts
WixSchedInternetShortcuts: Entering WixSchedInternetShortcuts in C:\Windows\Installer\MSI5303.tmp, version 3.11.4516.0
WixSchedInternetShortcuts: Adding folder 'ProgramMenuDir', component 'StartMenuShortcuts' to the CreateFolder table
MSI (s) (A8!9C) [05:44:08:552]: PROPERTY CHANGE: Adding WixRollbackInternetShortcuts property. Its value is 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OSSEC\Documentation.lnk€https://documentation.wazuh.com€0€€0'.
MSI (s) (A8!9C) [05:44:08:552]: PROPERTY CHANGE: Adding WixCreateInternetShortcuts property. Its value is 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OSSEC\Documentation.lnk€https://documentation.wazuh.com€0€€0'.
Action ended 5:44:08: WixSchedInternetShortcuts. Return value 1.
MSI (s) (A8:88) [05:44:08:568]: Doing action: RemoveFolders
MSI (s) (A8:88) [05:44:08:568]: Note: 1: 2205 2: 3: ActionText
Action 5:44:08: RemoveFolders. Removing folders
Action start 5:44:08: RemoveFolders.
Action ended 5:44:08: RemoveFolders. Return value 1.
MSI (s) (A8:88) [05:44:08:568]: Doing action: CreateFolders
MSI (s) (A8:88) [05:44:08:568]: Note: 1: 2205 2: 3: ActionText
Action 5:44:08: CreateFolders. Creating folders
Action start 5:44:08: CreateFolders.
CreateFolders: Folder: Creating folders
Action ended 5:44:08: CreateFolders. Return value 1.
MSI (s) (A8:88) [05:44:08:584]: Doing action: InstallFiles
MSI (s) (A8:88) [05:44:08:584]: Note: 1: 2205 2: 3: ActionText
Action 5:44:08: InstallFiles. Copying new files
Action start 5:44:08: InstallFiles.
InstallFiles: File: Copying new files, Directory: , Size:
MSI (s) (A8:88) [05:44:08:584]: Note: 1: 2205 2: 3: Patch
MSI (s) (A8:88) [05:44:08:584]: Note: 1: 2228 2: 3: Patch 4: SELECT `Patch`.`File_`, `Patch`.`Header`, `Patch`.`Attributes`, `Patch`.`Sequence`, `Patch`.`StreamRef_` FROM `Patch` WHERE `Patch`.`File_` = ? AND `Patch`.`#_MsiActive`=? ORDER BY `Patch`.`Sequence`
MSI (s) (A8:88) [05:44:08:584]: Note: 1: 2205 2: 3: MsiSFCBypass
MSI (s) (A8:88) [05:44:08:584]: Note: 1: 2228 2: 3: MsiSFCBypass 4: SELECT `File_` FROM `MsiSFCBypass` WHERE `File_` = ?
MSI (s) (A8:88) [05:44:08:584]: Note: 1: 2205 2: 3: MsiPatchHeaders
MSI (s) (A8:88) [05:44:08:584]: Note: 1: 2228 2: 3: MsiPatchHeaders 4: SELECT `Header` FROM `MsiPatchHeaders` WHERE `StreamRef` = ?
MSI (s) (A8:88) [05:44:08:598]: Note: 1: 2205 2: 3: PatchPackage
MSI (s) (A8:88) [05:44:08:598]: Note: 1: 2205 2: 3: MsiPatchHeaders
MSI (s) (A8:88) [05:44:08:598]: Note: 1: 2205 2: 3: PatchPackage
MSI (s) (A8:88) [05:44:08:631]: Note: 1: 2205 2: 3: Patch
MSI (s) (A8:88) [05:44:08:631]: Note: 1: 2228 2: 3: Patch 4: SELECT `Patch`.`Sequence`, `Patch`.`PatchSize`, `Patch`.`Attributes`, `Patch`.`Header`, `Patch`.`StreamRef_` FROM `File`,`Patch`,`Component` WHERE `File`=? AND `File`=`File_` AND `Component`=`Component_` ORDER BY `Patch`.`Sequence`
Action ended 5:44:08: InstallFiles. Return value 1.
MSI (s) (A8:88) [05:44:08:755]: Doing action: CreateShortcuts
MSI (s) (A8:88) [05:44:08:755]: Note: 1: 2205 2: 3: ActionText
Action 5:44:08: CreateShortcuts. Creating shortcuts
Action start 5:44:08: CreateShortcuts.
CreateShortcuts: Shortcut: Creating shortcuts
MSI (s) (A8:88) [05:44:08:755]: Note: 1: 2205 2: 3: MsiShortcutProperty
MSI (s) (A8:88) [05:44:08:755]: Note: 1: 2205 2: 3: MsiShortcutProperty
Action ended 5:44:08: CreateShortcuts. Return value 1.
MSI (s) (A8:88) [05:44:08:755]: Doing action: WixRollbackInternetShortcuts
MSI (s) (A8:88) [05:44:08:755]: Note: 1: 2205 2: 3: ActionText
Action 5:44:08: WixRollbackInternetShortcuts.
Action start 5:44:08: WixRollbackInternetShortcuts.
WixRollbackInternetShortcuts:
Action ended 5:44:08: WixRollbackInternetShortcuts. Return value 1.
MSI (s) (A8:88) [05:44:08:755]: Doing action: WixCreateInternetShortcuts
MSI (s) (A8:88) [05:44:08:755]: Note: 1: 2205 2: 3: ActionText
Action 5:44:08: WixCreateInternetShortcuts.
Action start 5:44:08: WixCreateInternetShortcuts.
WixCreateInternetShortcuts:
Action ended 5:44:08: WixCreateInternetShortcuts. Return value 1.
MSI (s) (A8:88) [05:44:08:772]: Doing action: WriteRegistryValues
MSI (s) (A8:88) [05:44:08:772]: Note: 1: 2205 2: 3: ActionText
Action 5:44:08: WriteRegistryValues. Writing system registry values
Action start 5:44:08: WriteRegistryValues.
WriteRegistryValues: Key: Writing system registry values, Name: , Value:
Action ended 5:44:08: WriteRegistryValues. Return value 1.
MSI (s) (A8:88) [05:44:08:786]: Doing action: InstallServices
MSI (s) (A8:88) [05:44:08:786]: Note: 1: 2205 2: 3: ActionText
Action 5:44:08: InstallServices. Installing new services
Action start 5:44:08: InstallServices.
InstallServices: Service:
Action ended 5:44:08: InstallServices. Return value 1.
MSI (s) (A8:88) [05:44:08:786]: Doing action: SchedSecureObjects
MSI (s) (A8:88) [05:44:08:786]: Note: 1: 2205 2: 3: ActionText
Action 5:44:08: SchedSecureObjects.
Action start 5:44:08: SchedSecureObjects.
MSI (s) (A8:E4) [05:44:08:821]: Invoking remote custom action. DLL: C:\Windows\Installer\MSI542D.tmp, Entrypoint: SchedSecureObjects
SchedSecureObjects: Entering SchedSecureObjects in C:\Windows\Installer\MSI542D.tmp, version 3.11.4516.0
MSI (s) (A8!CC) [05:44:08:833]: Note: 1: 2753 2: OSSEC.CONF
MSI (s) (A8!CC) [05:44:08:833]: Note: 1: 2753 2: OSSEC.CONF
Action ended 5:44:08: SchedSecureObjects. Return value 1.
MSI (s) (A8:88) [05:44:08:833]: Doing action: StartServices
MSI (s) (A8:88) [05:44:08:833]: Note: 1: 2205 2: 3: ActionText
Action 5:44:08: StartServices. Starting services
Action start 5:44:08: StartServices.
StartServices: Service: Starting services
Action ended 5:44:08: StartServices. Return value 1.
MSI (s) (A8:88) [05:44:08:848]: Doing action: RegisterUser
MSI (s) (A8:88) [05:44:08:848]: Note: 1: 2205 2: 3: ActionText
Action 5:44:08: RegisterUser. Registering user
Action start 5:44:08: RegisterUser.
Action ended 5:44:08: RegisterUser. Return value 1.
MSI (s) (A8:88) [05:44:08:848]: Doing action: RegisterProduct
MSI (s) (A8:88) [05:44:08:848]: Note: 1: 2205 2: 3: ActionText
Action 5:44:08: RegisterProduct. Registering product
Action start 5:44:08: RegisterProduct.
RegisterProduct: Registering product
MSI (s) (A8:88) [05:44:08:848]: PROPERTY CHANGE: Adding ProductToBeRegistered property. Its value is '1'.
Action ended 5:44:08: RegisterProduct. Return value 1.
MSI (s) (A8:88) [05:44:08:848]: Doing action: PublishFeatures
MSI (s) (A8:88) [05:44:08:848]: Note: 1: 2205 2: 3: ActionText
Action 5:44:08: PublishFeatures. Publishing Product Features
Action start 5:44:08: PublishFeatures.
PublishFeatures: Feature: Publishing Product Features
Action ended 5:44:08: PublishFeatures. Return value 1.
MSI (s) (A8:88) [05:44:08:864]: Doing action: PublishProduct
MSI (s) (A8:88) [05:44:08:864]: Note: 1: 2205 2: 3: ActionText
Action 5:44:08: PublishProduct. Publishing product information
Action start 5:44:08: PublishProduct.
PublishProduct: Action ended 5:44:08: PublishProduct. Return value 1. MSI (s) (A8:88) [05:44:08:880]: Doing action: InstallExecute MSI (s) (A8:88) [05:44:08:880]: Note: 1: 2205 2: 3: ActionText Action 5:44:08: InstallExecute. Action start 5:44:08: InstallExecute. MSI (s) (A8:88) [05:44:08:880]: Running Script: C:\Windows\Installer\MSI5236.tmp MSI (s) (A8:88) [05:44:08:880]: PROPERTY CHANGE: Adding UpdateStarted property. Its value is '1'. MSI (s) (A8:88) [05:44:08:896]: Note: 1: 2265 2: 3: -2147287035 MSI (s) (A8:88) [05:44:08:896]: Machine policy value 'DisableRollback' is 0 MSI (s) (A8:88) [05:44:08:896]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2 MSI (s) (A8:88) [05:44:08:896]: Executing op: Header(Signature=1397708873,Version=500,Timestamp=1424502149,LangId=1033,Platform=0,ScriptType=1,ScriptMajorVersion=21,ScriptMinorVersion=4,ScriptAttributes=1) MSI (s) (A8:88) [05:44:08:896]: Executing op: ProductInfo(ProductKey={74876D42-37ED-44FD-B662-AC2F5842BA6A},ProductName=Wazuh Agent,PackageName=wazuh-agent-4.3.3-1(1).msi,Language=1033,Version=67305475,Assignment=1,ObsoleteArg=0,ProductIcon=icon.ico,,PackageCode={3EE25BFD-362E-4468-8A16-3733B5C6BD64},,,InstanceType=0,LUASetting=0,RemoteURTInstalls=0,ProductDeploymentFlags=3) MSI (s) (A8:88) [05:44:08:896]: Executing op: DialogInfo(Type=0,Argument=1033) MSI (s) (A8:88) [05:44:08:896]: Executing op: DialogInfo(Type=1,Argument=Wazuh Agent) MSI (s) (A8:88) [05:44:08:896]: Executing op: RollbackInfo(,RollbackAction=Rollback,RollbackDescription=Rolling back action:,RollbackTemplate=[1],CleanupAction=RollbackCleanup,CleanupDescription=Removing backup files,CleanupTemplate=File: [1]) MSI (s) (A8:88) [05:44:08:896]: Executing op: SetBaseline(Baseline=0,) MSI (s) (A8:88) [05:44:08:896]: Executing op: SetBaseline(Baseline=1,) MSI (s) (A8:88) [05:44:08:896]: Executing op: ActionStart(Name=CustomAction_InstallerScripts,,) Action 5:44:08: 
CustomAction_InstallerScripts. MSI (s) (A8:88) [05:44:08:912]: Executing op: CustomActionSchedule(Action=CustomAction_InstallerScripts,ActionType=3590,Source= ' Script for configuration Windows agent. ' Copyright (C) 2015, Wazuh Inc. ' ' This program is free software; you can redistribute it and/or modify ' it under the terms of the GNU General Public License as published by ' the Free Software Foundation; either version 3 of the License, or ' (at your option) any later version. ' ' This program is distributed in the hope that it will be useful, ' but WITHOUT ANY WARRANTY; without even the implied warranty of ' MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ' GNU General Public License for more details. ' ' You should have received a copy of the GNU General Public License ' along with this program; if not, write to the Free Software Foundation, ' Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA ' ' ------------------------------------------------' On Error Resume Next public function config() Const ForReading = 1 Const ForWriting = 2 ' Custom parameters strA MSI (s) (A8:88) [05:44:08:912]: Executing op: ActionStart(Name=ProcessComponents,Description=Updating component registration,) Action 5:44:08: ProcessComponents. 
Updating component registration MSI (s) (A8:88) [05:44:08:912]: Executing op: ProgressTotal(Total=80,Type=1,ByteEquivalent=24000) MSI (s) (A8:88) [05:44:08:912]: Executing op: ComponentRegister(ComponentId={63E18998-4DBB-4C34-A1AD-09AA809A1C15},KeyPath=C:\Program Files (x86)\ossec-agent\,State=3,,Disk=1,SharedDllRefCount=0,BinaryType=0) 1: {74876D42-37ED-44FD-B662-AC2F5842BA6A} 2: {63E18998-4DBB-4C34-A1AD-09AA809A1C15} 3: C:\Program Files (x86)\ossec-agent\ MSI (s) (A8:88) [05:44:08:912]: Executing op: ComponentRegister(ComponentId={F99FEE7C-A021-4D43-9119-98A8D72EAB65},KeyPath=C:\Program Files (x86)\ossec-agent\agent-auth.exe,State=3,,Disk=1,SharedDllRefCount=0,BinaryType=0) 1: {74876D42-37ED-44FD-B662-AC2F5842BA6A} 2: {F99FEE7C-A021-4D43-9119-98A8D72EAB65} 3: C:\Program Files (x86)\ossec-agent\agent-auth.exe MSI (s) (A8:88) [05:44:08:927]: WIN64DUALFOLDERS: Substitution in 'C:\Program Files (x86)\ossec-agent\agent-auth.exe' folder had been blocked by the 1 mask argument (the folder pair's iSwapAttrib member = 0). MSI (s) (A8:88) [05:44:08:927]: Executing op: ComponentRegister(ComponentId={31F7B5FA-9678-427B-9536-88AAA897A82A},KeyPath=C:\Program Files (x86)\ossec-agent\libwazuhext.dll,State=3,,Disk=1,SharedDllRefCount=0,BinaryType=0) 1: {74876D42-37ED-44FD-B662-AC2F5842BA6A} 2: {31F7B5FA-9678-427B-9536-88AAA897A82A} 3: C:\Program Files (x86)\ossec-agent\libwazuhext.dll MSI (s) (A8:88) [05:44:08:927]: WIN64DUALFOLDERS: Substitution in 'C:\Program Files (x86)\ossec-agent\libwazuhext.dll' folder had been blocked by the 1 mask argument (the folder pair's iSwapAttrib member = 0). 
MSI (s) (A8:88) [05:44:08:927]: Executing op: ComponentRegister(ComponentId={A40D7FB4-8D7B-440E-B7CB-1D8CB1E277E6},KeyPath=C:\Program Files (x86)\ossec-agent\libwazuhshared.dll,State=3,,Disk=1,SharedDllRefCount=0,BinaryType=0) 1: {74876D42-37ED-44FD-B662-AC2F5842BA6A} 2: {A40D7FB4-8D7B-440E-B7CB-1D8CB1E277E6} 3: C:\Program Files (x86)\ossec-agent\libwazuhshared.dll MSI (s) (A8:88) [05:44:08:927]: WIN64DUALFOLDERS: Substitution in 'C:\Program Files (x86)\ossec-agent\libwazuhshared.dll' folder had been blocked by the 1 mask argument (the folder pair's iSwapAttrib member = 0). MSI (s) (A8:88) [05:44:08:927]: Executing op: ComponentRegister(ComponentId={E6DD27ED-1579-4369-B83D-FD618894B56C},KeyPath=C:\Program Files (x86)\ossec-agent\dbsync.dll,State=3,,Disk=1,SharedDllRefCount=0,BinaryType=0) 1: {74876D42-37ED-44FD-B662-AC2F5842BA6A} 2: {E6DD27ED-1579-4369-B83D-FD618894B56C} 3: C:\Program Files (x86)\ossec-agent\dbsync.dll MSI (s) (A8:88) [05:44:08:927]: WIN64DUALFOLDERS: Substitution in 'C:\Program Files (x86)\ossec-agent\dbsync.dll' folder had been blocked by the 1 mask argument (the folder pair's iSwapAttrib member = 0). MSI (s) (A8:88) [05:44:08:927]: Executing op: ComponentRegister(ComponentId={9F23B2D8-609D-43F6-BB90-7C81A5DF5A67},KeyPath=C:\Program Files (x86)\ossec-agent\rsync.dll,State=3,,Disk=1,SharedDllRefCount=0,BinaryType=0) 1: {74876D42-37ED-44FD-B662-AC2F5842BA6A} 2: {9F23B2D8-609D-43F6-BB90-7C81A5DF5A67} 3: C:\Program Files (x86)\ossec-agent\rsync.dll MSI (s) (A8:88) [05:44:08:927]: WIN64DUALFOLDERS: Substitution in 'C:\Program Files (x86)\ossec-agent\rsync.dll' folder had been blocked by the 1 mask argument (the folder pair's iSwapAttrib member = 0). 
MSI (s) (A8:88) [05:44:08:927]: Executing op: ComponentRegister(ComponentId={1D244B64-E1C3-4BED-A4CF-9C25E3B3BA0F},KeyPath=C:\Program Files (x86)\ossec-agent\sysinfo.dll,State=3,,Disk=1,SharedDllRefCount=0,BinaryType=0) 1: {74876D42-37ED-44FD-B662-AC2F5842BA6A} 2: {1D244B64-E1C3-4BED-A4CF-9C25E3B3BA0F} 3: C:\Program Files (x86)\ossec-agent\sysinfo.dll MSI (s) (A8:88) [05:44:08:927]: WIN64DUALFOLDERS: Substitution in 'C:\Program Files (x86)\ossec-agent\sysinfo.dll' folder had been blocked by the 1 mask argument (the folder pair's iSwapAttrib member = 0). MSI (s) (A8:88) [05:44:08:927]: Executing op: ComponentRegister(ComponentId={7CE63D8B-C959-43CC-A7B6-4226414EBADB},KeyPath=C:\Program Files (x86)\ossec-agent\syscollector.dll,State=3,,Disk=1,SharedDllRefCount=0,BinaryType=0) 1: {74876D42-37ED-44FD-B662-AC2F5842BA6A} 2: {7CE63D8B-C959-43CC-A7B6-4226414EBADB} 3: C:\Program Files (x86)\ossec-agent\syscollector.dll MSI (s) (A8:88) [05:44:08:927]: WIN64DUALFOLDERS: Substitution in 'C:\Program Files (x86)\ossec-agent\syscollector.dll' folder had been blocked by the 1 mask argument (the folder pair's iSwapAttrib member = 0). MSI (s) (A8:88) [05:44:08:927]: Executing op: ComponentRegister(ComponentId={10245598-2EE7-4EDB-A114-5398F01A21F9},KeyPath=C:\Program Files (x86)\ossec-agent\local_internal_options.conf,State=3,,Disk=1,SharedDllRefCount=0,BinaryType=0) 1: {74876D42-37ED-44FD-B662-AC2F5842BA6A} 2: {10245598-2EE7-4EDB-A114-5398F01A21F9} 3: C:\Program Files (x86)\ossec-agent\local_internal_options.conf MSI (s) (A8:88) [05:44:08:927]: WIN64DUALFOLDERS: Substitution in 'C:\Program Files (x86)\ossec-agent\local_internal_options.conf' folder had been blocked by the 1 mask argument (the folder pair's iSwapAttrib member = 0). 
Executing op: SetTargetFolder(Folder=C:\Program Files (x86)\ossec-agent\active-response\bin\) MSI (s) (A8:88) [05:44:09:365]: Executing op: SetTargetFolder(Folder=C:\Program Files (x86)\ossec-agent\ruleset\sca\) MSI (s) (A8:88) [05:44:09:365]: Executing op: FileRemove(,FileName=cis_win2016.yml,,) RemoveFiles: File: cis_win2016.yml, Directory: C:\Program Files (x86)\ossec-agent\ruleset\sca\ MSI (s) (A8:88) [05:44:09:365]: Verifying accessibility of file: cis_win2016.yml MSI (s) (A8:88) [05:44:09:380]: Executing op: FileRemove(,FileName=sca_win_audit.yml,,) RemoveFiles: File: sca_win_audit.yml, Directory: C:\Program Files (x86)\ossec-agent\ruleset\sca\ MSI (s) (A8:88) [05:44:09:380]: Verifying accessibility of file: sca_win_audit.yml MSI (s) (A8:88) [05:44:09:380]: Executing op: ActionStart(Name=CreateFolders,Description=Creating folders,Template=Folder: [1]) Action 5:44:09: CreateFolders. Creating folders MSI (s) (A8:88) [05:44:09:380]: Executing op: FolderCreate(Folder=C:\Program Files (x86)\ossec-agent\,Foreign=0,,) CreateFolders: Folder: C:\Program Files (x86)\ossec-agent\ MSI (s) (A8:88) [05:44:09:380]: Executing op: FolderCreate(Folder=C:\Program Files (x86)\ossec-agent\active-response\,Foreign=0,,) CreateFolders: Folder: C:\Program Files (x86)\ossec-agent\active-response\ MSI (s) (A8:88) [05:44:09:380]: Executing op: FolderCreate(Folder=C:\Program Files (x86)\ossec-agent\shared\,Foreign=0,,) CreateFolders: Folder: C:\Program Files (x86)\ossec-agent\shared\ MSI (s) (A8:88) [05:44:09:380]: Executing op: FolderCreate(Folder=C:\Program Files (x86)\ossec-agent\ruleset\sca\,Foreign=0,,) CreateFolders: Folder: C:\Program Files (x86)\ossec-agent\ruleset\sca\ MSI (s) (A8:88) [05:44:09:380]: Executing op: FolderCreate(Folder=C:\Program Files (x86)\ossec-agent\queue\syscollector\,Foreign=0,,) CreateFolders: Folder: C:\Program Files (x86)\ossec-agent\queue\syscollector\ MSI (s) (A8:88) [05:44:09:380]: Executing op: 
FolderCreate(Folder=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OSSEC\,Foreign=0,,) CreateFolders: Folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OSSEC\ MSI (s) (A8:88) [05:44:09:380]: Executing op: FolderCreate(Folder=C:\Program Files (x86)\ossec-agent\tmp\,Foreign=0,,) CreateFolders: Folder: C:\Program Files (x86)\ossec-agent\tmp\ MSI (s) (A8:88) [05:44:09:380]: Executing op: FolderCreate(Folder=C:\Program Files (x86)\ossec-agent\queue\,Foreign=0,,) CreateFolders: Folder: C:\Program Files (x86)\ossec-agent\queue\ MSI (s) (A8:88) [05:44:09:396]: Executing op: FolderCreate(Folder=C:\Program Files (x86)\ossec-agent\queue\diff\,Foreign=0,,) CreateFolders: Folder: C:\Program Files (x86)\ossec-agent\queue\diff\ MSI (s) (A8:88) [05:44:09:396]: Executing op: FolderCreate(Folder=C:\Program Files (x86)\ossec-agent\queue\fim\,Foreign=0,,) CreateFolders: Folder: C:\Program Files (x86)\ossec-agent\queue\fim\ MSI (s) (A8:88) [05:44:09:396]: Executing op: FolderCreate(Folder=C:\Program Files (x86)\ossec-agent\queue\fim\db\,Foreign=0,,) CreateFolders: Folder: C:\Program Files (x86)\ossec-agent\queue\fim\db\ MSI (s) (A8:88) [05:44:09:396]: Executing op: FolderCreate(Folder=C:\Program Files (x86)\ossec-agent\queue\syscollector\db\,Foreign=0,,) CreateFolders: Folder: C:\Program Files (x86)\ossec-agent\queue\syscollector\db\ MSI (s) (A8:88) [05:44:09:396]: Executing op: FolderCreate(Folder=C:\Program Files (x86)\ossec-agent\queue\logcollector\,Foreign=0,,) CreateFolders: Folder: C:\Program Files (x86)\ossec-agent\queue\logcollector\ MSI (s) (A8:88) [05:44:09:396]: Executing op: FolderCreate(Folder=C:\Program Files (x86)\ossec-agent\ruleset\,Foreign=0,,) CreateFolders: Folder: C:\Program Files (x86)\ossec-agent\ruleset\ MSI (s) (A8:88) [05:44:09:396]: Executing op: FolderCreate(Folder=C:\Program Files (x86)\ossec-agent\bookmarks\,Foreign=0,,) CreateFolders: Folder: C:\Program Files (x86)\ossec-agent\bookmarks\ MSI (s) (A8:88) [05:44:09:396]: Executing op: 
FolderCreate(Folder=C:\Program Files (x86)\ossec-agent\logs\,Foreign=0,,) CreateFolders: Folder: C:\Program Files (x86)\ossec-agent\logs\ MSI (s) (A8:88) [05:44:09:396]: Executing op: FolderCreate(Folder=C:\Program Files (x86)\ossec-agent\wodles\,Foreign=0,,) CreateFolders: Folder: C:\Program Files (x86)\ossec-agent\wodles\ MSI (s) (A8:88) [05:44:09:396]: Executing op: FolderCreate(Folder=C:\Program Files (x86)\ossec-agent\rids\,Foreign=0,,) CreateFolders: Folder: C:\Program Files (x86)\ossec-agent\rids\ MSI (s) (A8:88) [05:44:09:396]: Executing op: FolderCreate(Folder=C:\Program Files (x86)\ossec-agent\syscheck\,Foreign=0,,) CreateFolders: Folder: C:\Program Files (x86)\ossec-agent\syscheck\ MSI (s) (A8:88) [05:44:09:396]: Executing op: FolderCreate(Folder=C:\Program Files (x86)\ossec-agent\incoming\,Foreign=0,,) CreateFolders: Folder: C:\Program Files (x86)\ossec-agent\incoming\ MSI (s) (A8:88) [05:44:09:411]: Executing op: FolderCreate(Folder=C:\Program Files (x86)\ossec-agent\upgrade\,Foreign=0,,) CreateFolders: Folder: C:\Program Files (x86)\ossec-agent\upgrade\ MSI (s) (A8:88) [05:44:09:411]: Executing op: ActionStart(Name=InstallFiles,Description=Copying new files,Template=File: [1], Directory: [9], Size: [6]) Action 5:44:09: InstallFiles. 
Copying new files MSI (s) (A8:88) [05:44:09:411]: Executing op: ProgressTotal(Total=21393290,Type=0,ByteEquivalent=1) MSI (s) (A8:88) [05:44:09:411]: Executing op: SetTargetFolder(Folder=C:\Program Files (x86)\ossec-agent\active-response\) MSI (s) (A8:88) [05:44:09:411]: Executing op: SetSourceFolder(Folder=1\PFiles\fjokbowa\9pxtresz\|PFiles\ossec-agent\active-response\) MSI (s) (A8:88) [05:44:09:411]: Executing op: ChangeMedia(,MediaPrompt=Please insert the disk: ,MediaCabinet=simple.cab,BytesPerTick=65536,CopierType=2,ModuleFileName=C:\Windows\Installer\17b51.msi,,,,,IsFirstPhysicalMedia=1) MSI (s) (A8:88) [05:44:09:411]: Executing op: FileCopy(SourceName=gtorpqwa.log|active-responses.log,SourceCabKey=ACTIVE_RESPONSES.LOG,DestName=active-responses.log,Attributes=512,FileSize=0,PerTick=65536,,VerifyMedia=1,,,,,CheckCRC=0,,,InstallMode=58982400,HashOptions=0,HashPart1=0,HashPart2=0,HashPart3=0,HashPart4=0,,) MSI (s) (A8:88) [05:44:09:411]: File: C:\Program Files (x86)\ossec-agent\active-response\active-responses.log; Won't Overwrite; Won't patch; Existing file is unversioned and unmodified - hash matches source file MSI (s) (A8:88) [05:44:09:411]: Executing op: SetTargetFolder(Folder=C:\Program Files (x86)\ossec-agent\) MSI (s) (A8:88) [05:44:09:411]: Executing op: SetSourceFolder(Folder=1\PFiles\fjokbowa\|PFiles\ossec-agent\) MSI (s) (A8:88) [05:44:09:411]: Executing op: FileCopy(SourceName=qb2bcach.exe|agent-auth.exe,SourceCabKey=AGENT_AUTH.EXE,DestName=agent-auth.exe,Attributes=512,FileSize=1007856,PerTick=65536,,VerifyMedia=1,,,,,CheckCRC=0,,,InstallMode=58982400,HashOptions=0,HashPart1=282626006,HashPart2=1872774687,HashPart3=-465587592,HashPart4=514521555,,) MSI (s) (A8:88) [05:44:09:411]: File: C:\Program Files (x86)\ossec-agent\agent-auth.exe; To be installed; Won't patch; No existing file MSI (s) (A8:88) [05:44:09:411]: Source for file 'AGENT_AUTH.EXE' is compressed InstallFiles: File: agent-auth.exe, Directory: C:\Program Files (x86)\ossec-agent\, Size: 
1007856 MSI (s) (A8:88) [05:44:09:458]: Executing op: FileCopy(SourceName=smf9wnhp.man|agent-auth.exe.manifest,SourceCabKey=AGENT_AUTH.EXE.MANIFEST,DestName=agent-auth.exe.manifest,Attributes=512,FileSize=362,PerTick=65536,,VerifyMedia=1,,,,,CheckCRC=0,,,InstallMode=58982400,HashOptions=0,HashPart1=153517329,HashPart2=-1042801836,HashPart3=906368191,HashPart4=-1227523558,,) MSI (s) (A8:88) [05:44:09:458]: File: C:\Program Files (x86)\ossec-agent\agent-auth.exe.manifest; Won't Overwrite; Won't patch; Existing file is unversioned and unmodified - hash matches source file MSI (s) (A8:88) [05:44:09:458]: Executing op: FileCopy(SourceName=dbsync.dll,SourceCabKey=DBSYNC_DLL,DestName=dbsync.dll,Attributes=512,FileSize=1324544,PerTick=65536,,VerifyMedia=1,,,,,CheckCRC=0,,,InstallMode=58982400,HashOptions=0,HashPart1=1623839907,HashPart2=-1170728563,HashPart3=-1444872058,HashPart4=1016604572,,) MSI (s) (A8:88) [05:44:09:458]: File: C:\Program Files (x86)\ossec-agent\dbsync.dll; Overwrite; Won't patch; Existing file is unversioned and unmodified - hash doesn't match source file MSI (s) (A8:88) [05:44:09:458]: Source for file 'DBSYNC_DLL' is compressed InstallFiles: File: dbsync.dll, Directory: C:\Program Files (x86)\ossec-agent\, Size: 1324544 MSI (s) (A8:88) [05:44:09:458]: Re-applying security from existing file. 
MSI (s) (A8:88) [05:44:09:458]: Verifying accessibility of file: dbsync.dll MSI (s) (A8:88) [05:44:09:489]: Executing op: FileCopy(SourceName=help.txt,SourceCabKey=HELP_WIN.TXT,DestName=help.txt,Attributes=512,FileSize=1277,PerTick=65536,,VerifyMedia=1,,,,,CheckCRC=0,,,InstallMode=58982400,HashOptions=0,HashPart1=-1691128670,HashPart2=-670554920,HashPart3=-263388891,HashPart4=945605673,,) MSI (s) (A8:88) [05:44:09:489]: File: C:\Program Files (x86)\ossec-agent\help.txt; To be installed; Won't patch; No existing file MSI (s) (A8:88) [05:44:09:489]: Source for file 'HELP_WIN.TXT' is compressed InstallFiles: File: help.txt, Directory: C:\Program Files (x86)\ossec-agent\, Size: 1277 MSI (s) (A8:88) [05:44:09:489]: Executing op: FileCopy(SourceName=diwinq_z.con|internal_options.conf,SourceCabKey=INTERNAL_OPTIONS.CONF,DestName=internal_options.conf,Attributes=512,FileSize=14118,PerTick=65536,,VerifyMedia=1,,,,,CheckCRC=0,Version=1.0,,InstallMode=58982400,,,,,,,) MSI (s) (A8:88) [05:44:09:489]: File: C:\Program Files (x86)\ossec-agent\internal_options.conf; Overwrite; Won't patch; New file versioned - existing file unversioned MSI (s) (A8:88) [05:44:09:489]: Source for file 'INTERNAL_OPTIONS.CONF' is compressed InstallFiles: File: internal_options.conf, Directory: C:\Program Files (x86)\ossec-agent\, Size: 14118 MSI (s) (A8:88) [05:44:09:489]: Re-applying security from existing file. 
MSI (s) (A8:88) [05:44:09:489]: Verifying accessibility of file: internal_options.conf MSI (s) (A8:88) [05:44:09:489]: Executing op: FileCopy(SourceName=lcwisgcc.dll|libgcc_s_sjlj-1.dll,SourceCabKey=LIBGCC_S_SJLJ_1.DLL,DestName=libgcc_s_sjlj-1.dll,Attributes=512,FileSize=1115152,PerTick=65536,,VerifyMedia=1,,,,,CheckCRC=0,,,InstallMode=58982400,HashOptions=0,HashPart1=-2101973464,HashPart2=-332533279,HashPart3=-226017473,HashPart4=-642496123,,) MSI (s) (A8:88) [05:44:09:489]: File: C:\Program Files (x86)\ossec-agent\libgcc_s_sjlj-1.dll; To be installed; Won't patch; No existing file MSI (s) (A8:88) [05:44:09:489]: Source for file 'LIBGCC_S_SJLJ_1.DLL' is compressed InstallFiles: File: libgcc_s_sjlj-1.dll, Directory: C:\Program Files (x86)\ossec-agent\, Size: 1115152 MSI (s) (A8:88) [05:44:09:508]: Executing op: FileCopy(SourceName=7ovjuloq.dll|libwazuhext.dll,SourceCabKey=LIBWAZUHEXT_DLL,DestName=libwazuhext.dll,Attributes=512,FileSize=6064883,PerTick=65536,,VerifyMedia=1,,,,,CheckCRC=0,,,InstallMode=58982400,HashOptions=0,HashPart1=1445734392,HashPart2=1858347549,HashPart3=-407688721,HashPart4=612050930,,) MSI (s) (A8:88) [05:44:09:520]: File: C:\Program Files (x86)\ossec-agent\libwazuhext.dll; Overwrite; Won't patch; Existing file is unversioned and unmodified - hash doesn't match source file MSI (s) (A8:88) [05:44:09:520]: Source for file 'LIBWAZUHEXT_DLL' is compressed InstallFiles: File: libwazuhext.dll, Directory: C:\Program Files (x86)\ossec-agent\, Size: 6064883 MSI (s) (A8:88) [05:44:09:536]: Re-applying security from existing file. 
MSI (s) (A8:88) [05:44:09:536]: Verifying accessibility of file: libwazuhext.dll MSI (s) (A8:88) [05:44:09:599]: Executing op: FileCopy(SourceName=t4ndwtoy.dll|libwazuhshared.dll,SourceCabKey=LIBWAZUHSHARED_DLL,DestName=libwazuhshared.dll,Attributes=512,FileSize=842835,PerTick=65536,,VerifyMedia=1,,,,,CheckCRC=0,,,InstallMode=58982400,HashOptions=0,HashPart1=2073556701,HashPart2=704264717,HashPart3=76993259,HashPart4=-70265003,,) MSI (s) (A8:88) [05:44:09:599]: File: C:\Program Files (x86)\ossec-agent\libwazuhshared.dll; Overwrite; Won't patch; Existing file is unversioned and unmodified - hash doesn't match source file MSI (s) (A8:88) [05:44:09:599]: Source for file 'LIBWAZUHSHARED_DLL' is compressed InstallFiles: File: libwazuhshared.dll, Directory: C:\Program Files (x86)\ossec-agent\, Size: 842835 MSI (s) (A8:88) [05:44:09:599]: Re-applying security from existing file. MSI (s) (A8:88) [05:44:09:599]: Verifying accessibility of file: libwazuhshared.dll MSI (s) (A8:88) [05:44:09:599]: Executing op: RegisterSharedComponentProvider(,,File=LIBWINPTHREAD_1.DLL,Component={C15C5883-00FB-41D7-B9E6-53C8BC30761F},ComponentVersion=1.0.0.0,ProductCode={74876D42-37ED-44FD-B662-AC2F5842BA6A},ProductVersion=4.3.3,PatchSize=0,PatchAttributes=0,PatchSequence=0,SharedComponent=0,IsFullFile=0) MSI (s) (A8:88) [05:44:09:599]: Executing op: FileCopy(SourceName=9gv8207c.dll|libwinpthread-1.dll,SourceCabKey=LIBWINPTHREAD_1.DLL,DestName=libwinpthread-1.dll,Attributes=512,FileSize=533757,PerTick=65536,,VerifyMedia=1,,,,,CheckCRC=0,Version=1.0.0.0,Language=1033,InstallMode=58982400,,,,,,,) MSI (s) (A8:88) [05:44:09:599]: File: C:\Program Files (x86)\ossec-agent\libwinpthread-1.dll; To be installed; Won't patch; No existing file MSI (s) (A8:88) [05:44:09:599]: Source for file 'LIBWINPTHREAD_1.DLL' is compressed InstallFiles: File: libwinpthread-1.dll, Directory: C:\Program Files (x86)\ossec-agent\, Size: 533757 MSI (s) (A8:88) [05:44:09:614]: Executing op: 
FileCopy(SourceName=LICENSE.txt,SourceCabKey=LICENSE.TXT,DestName=LICENSE.txt,Attributes=512,FileSize=25209,PerTick=65536,,VerifyMedia=1,,,,,CheckCRC=0,,,InstallMode=58982400,HashOptions=0,HashPart1=-1660944290,HashPart2=-1418516013,HashPart3=1875897767,HashPart4=-2042177697,,) MSI (s) (A8:88) [05:44:09:614]: File: C:\Program Files (x86)\ossec-agent\LICENSE.txt; Won't Overwrite; Won't patch; Existing file is unversioned and unmodified - hash matches source file MSI (s) (A8:88) [05:44:09:614]: Executing op: FileCopy(SourceName=-i5xyifd.exe|manage_agents.exe,SourceCabKey=MANAGE_AGENTS.EXE,DestName=manage_agents.exe,Attributes=512,FileSize=1004864,PerTick=65536,,VerifyMedia=1,,,,,CheckCRC=0,,,InstallMode=58982400,HashOptions=0,HashPart1=-18813924,HashPart2=1681469163,HashPart3=-1497749672,HashPart4=-1026409652,,) MSI (s) (A8:88) [05:44:09:614]: File: C:\Program Files (x86)\ossec-agent\manage_agents.exe; To be installed; Won't patch; No existing file MSI (s) (A8:88) [05:44:09:614]: Source for file 'MANAGE_AGENTS.EXE' is compressed InstallFiles: File: manage_agents.exe, Directory: C:\Program Files (x86)\ossec-agent\, Size: 1004864 MSI (s) (A8:88) [05:44:09:631]: Executing op: SetTargetFolder(Folder=C:\Program Files (x86)\ossec-agent\active-response\bin\) MSI (s) (A8:88) [05:44:09:631]: Executing op: SetSourceFolder(Folder=1\PFiles\fjokbowa\9pxtresz\bin\|PFiles\ossec-agent\active-response\bin\) MSI (s) (A8:88) [05:44:09:631]: Executing op: FileCopy(SourceName=netsh.exe,SourceCabKey=NETSH.EXE,DestName=netsh.exe,Attributes=512,FileSize=50888,PerTick=65536,,VerifyMedia=1,,,,,CheckCRC=0,,,InstallMode=58982400,HashOptions=0,HashPart1=-635548259,HashPart2=266093053,HashPart3=871952161,HashPart4=-1894409140,,) MSI (s) (A8:88) [05:44:09:631]: File: C:\Program Files (x86)\ossec-agent\active-response\bin\netsh.exe; Overwrite; Won't patch; Existing file is unversioned and unmodified - hash doesn't match source file MSI (s) (A8:88) [05:44:09:631]: Source for file 'NETSH.EXE' is 
compressed InstallFiles: File: netsh.exe, Directory: C:\Program Files (x86)\ossec-agent\active-response\bin\, Size: 50888 MSI (s) (A8:88) [05:44:09:631]: Re-applying security from existing file. MSI (s) (A8:88) [05:44:09:631]: Verifying accessibility of file: netsh.exe MSI (s) (A8:88) [05:44:09:631]: Note: 1: 2318 2: MSI (s) (A8:88) [05:44:09:645]: Note: 1: 2318 2: MSI (s) (A8:88) [05:44:09:645]: Executing op: FileCopy(SourceName=fckdxyxv.exe|restart-wazuh.exe,SourceCabKey=RESTART_WAZUH.EXE,DestName=restart-wazuh.exe,Attributes=512,FileSize=49352,PerTick=65536,,VerifyMedia=1,,,,,CheckCRC=0,,,InstallMode=58982400,HashOptions=0,HashPart1=-438845711,HashPart2=-1484598709,HashPart3=767876167,HashPart4=-1851827225,,) MSI (s) (A8:88) [05:44:09:645]: File: C:\Program Files (x86)\ossec-agent\active-response\bin\restart-wazuh.exe; Overwrite; Won't patch; Existing file is unversioned and unmodified - hash doesn't match source file MSI (s) (A8:88) [05:44:09:645]: Source for file 'RESTART_WAZUH.EXE' is compressed InstallFiles: File: restart-wazuh.exe, Directory: C:\Program Files (x86)\ossec-agent\active-response\bin\, Size: 49352 MSI (s) (A8:88) [05:44:09:645]: Re-applying security from existing file. 
MSI (s) (A8:88) [05:44:09:645]: Verifying accessibility of file: restart-wazuh.exe MSI (s) (A8:88) [05:44:09:645]: Note: 1: 2318 2: MSI (s) (A8:88) [05:44:09:645]: Note: 1: 2318 2: MSI (s) (A8:88) [05:44:09:645]: Executing op: SetTargetFolder(Folder=C:\Program Files (x86)\ossec-agent\) MSI (s) (A8:88) [05:44:09:645]: Executing op: SetSourceFolder(Folder=1\PFiles\fjokbowa\|PFiles\ossec-agent\) MSI (s) (A8:88) [05:44:09:645]: Executing op: FileCopy(SourceName=REVISION,SourceCabKey=REVISION,DestName=REVISION,Attributes=512,FileSize=7,PerTick=65536,,VerifyMedia=1,,,,,CheckCRC=0,,,InstallMode=58982400,HashOptions=0,HashPart1=1785738727,HashPart2=1708326648,HashPart3=1807059697,HashPart4=-243027617,,) MSI (s) (A8:88) [05:44:09:645]: File: C:\Program Files (x86)\ossec-agent\REVISION; Overwrite; Won't patch; Existing file is unversioned and unmodified - hash doesn't match source file MSI (s) (A8:88) [05:44:09:645]: Source for file 'REVISION' is compressed InstallFiles: File: REVISION, Directory: C:\Program Files (x86)\ossec-agent\, Size: 7 MSI (s) (A8:88) [05:44:09:645]: Re-applying security from existing file. 
MSI (s) (A8:88) [05:44:09:645]: Verifying accessibility of file: REVISION MSI (s) (A8:88) [05:44:09:645]: Executing op: SetTargetFolder(Folder=C:\Program Files (x86)\ossec-agent\shared\) MSI (s) (A8:88) [05:44:09:645]: Executing op: SetSourceFolder(Folder=1\PFiles\fjokbowa\shared\|PFiles\ossec-agent\shared\) MSI (s) (A8:88) [05:44:09:645]: Executing op: FileCopy(SourceName=_m7kiqm-.txt|rootkit_files.txt,SourceCabKey=ROOTKIT_FILES.TXT,DestName=rootkit_files.txt,Attributes=512,FileSize=16174,PerTick=65536,,VerifyMedia=1,,,,,CheckCRC=0,,,InstallMode=58982400,HashOptions=0,HashPart1=1251361641,HashPart2=-664217721,HashPart3=-1157673149,HashPart4=-225846578,,) MSI (s) (A8:88) [05:44:09:645]: File: C:\Program Files (x86)\ossec-agent\shared\rootkit_files.txt; Won't Overwrite; Won't patch; Existing file is unversioned and unmodified - hash matches source file MSI (s) (A8:88) [05:44:09:645]: Executing op: FileCopy(SourceName=vdqxaf2n.txt|rootkit_trojans.txt,SourceCabKey=ROOTKIT_TROJANS.TXT,DestName=rootkit_trojans.txt,Attributes=512,FileSize=5548,PerTick=65536,,VerifyMedia=1,,,,,CheckCRC=0,,,InstallMode=58982400,HashOptions=0,HashPart1=986467343,HashPart2=-1768376456,HashPart3=1540935748,HashPart4=1804240938,,) MSI (s) (A8:88) [05:44:09:645]: File: C:\Program Files (x86)\ossec-agent\shared\rootkit_trojans.txt; Won't Overwrite; Won't patch; Existing file is unversioned and unmodified - hash matches source file MSI (s) (A8:88) [05:44:09:645]: Executing op: SetTargetFolder(Folder=C:\Program Files (x86)\ossec-agent\active-response\bin\) MSI (s) (A8:88) [05:44:09:645]: Executing op: SetSourceFolder(Folder=1\PFiles\fjokbowa\9pxtresz\bin\|PFiles\ossec-agent\active-response\bin\) MSI (s) (A8:88) [05:44:09:645]: Executing op: 
FileCopy(SourceName=u9ptonsx.exe|route-null.exe,SourceCabKey=ROUTE_NULL.EXE,DestName=route-null.exe,Attributes=512,FileSize=50888,PerTick=65536,,VerifyMedia=1,,,,,CheckCRC=0,,,InstallMode=58982400,HashOptions=0,HashPart1=1170616555,HashPart2=1802845438,HashPart3=1234941937,HashPart4=384587263,,) MSI (s) (A8:88) [05:44:09:645]: File: C:\Program Files (x86)\ossec-agent\active-response\bin\route-null.exe; Overwrite; Won't patch; Existing file is unversioned and unmodified - hash doesn't match source file MSI (s) (A8:88) [05:44:09:645]: Source for file 'ROUTE_NULL.EXE' is compressed InstallFiles: File: route-null.exe, Directory: C:\Program Files (x86)\ossec-agent\active-response\bin\, Size: 50888 MSI (s) (A8:88) [05:44:09:645]: Re-applying security from existing file. MSI (s) (A8:88) [05:44:09:645]: Verifying accessibility of file: route-null.exe MSI (s) (A8:88) [05:44:09:645]: Note: 1: 2318 2: MSI (s) (A8:88) [05:44:09:645]: Note: 1: 2318 2: MSI (s) (A8:88) [05:44:09:645]: Executing op: SetTargetFolder(Folder=C:\Program Files (x86)\ossec-agent\) MSI (s) (A8:88) [05:44:09:645]: Executing op: SetSourceFolder(Folder=1\PFiles\fjokbowa\|PFiles\ossec-agent\) MSI (s) (A8:88) [05:44:09:645]: Executing op: FileCopy(SourceName=rsync.dll,SourceCabKey=RSYNC_DLL,DestName=rsync.dll,Attributes=512,FileSize=1181696,PerTick=65536,,VerifyMedia=1,,,,,CheckCRC=0,,,InstallMode=58982400,HashOptions=0,HashPart1=2113067493,HashPart2=1766994982,HashPart3=-2051848591,HashPart4=231895006,,) MSI (s) (A8:88) [05:44:09:661]: File: C:\Program Files (x86)\ossec-agent\rsync.dll; Overwrite; Won't patch; Existing file is unversioned and unmodified - hash doesn't match source file MSI (s) (A8:88) [05:44:09:661]: Source for file 'RSYNC_DLL' is compressed InstallFiles: File: rsync.dll, Directory: C:\Program Files (x86)\ossec-agent\, Size: 1181696 MSI (s) (A8:88) [05:44:09:661]: Re-applying security from existing file. 
MSI (s) (A8:88) [05:44:09:661]: Verifying accessibility of file: rsync.dll MSI (s) (A8:88) [05:44:09:676]: Executing op: SetTargetFolder(Folder=C:\Program Files (x86)\ossec-agent\ruleset\sca\) MSI (s) (A8:88) [05:44:09:676]: Executing op: SetSourceFolder(Folder=1\PFiles\fjokbowa\ruleset\sca\|PFiles\ossec-agent\ruleset\sca\) MSI (s) (A8:88) [05:44:09:676]: Executing op: FileCopy(SourceName=ty-vtbk6.yml|sca_win_audit.yml,SourceCabKey=SCA_WIN_AUDIT.YML,DestName=sca_win_audit.yml,Attributes=512,FileSize=103199,PerTick=65536,,VerifyMedia=1,,,,,CheckCRC=0,,,InstallMode=58982400,HashOptions=0,HashPart1=308903912,HashPart2=-50527819,HashPart3=117636082,HashPart4=-1638425146,,) MSI (s) (A8:88) [05:44:09:676]: File: C:\Program Files (x86)\ossec-agent\ruleset\sca\sca_win_audit.yml; To be installed; Won't patch; No existing file MSI (s) (A8:88) [05:44:09:676]: Source for file 'SCA_WIN_AUDIT.YML' is compressed InstallFiles: File: sca_win_audit.yml, Directory: C:\Program Files (x86)\ossec-agent\ruleset\sca\, Size: 103199 MSI (s) (A8:88) [05:44:09:676]: Executing op: FileCopy(SourceName=jni5ckpj.yml|cis_win2016.yml,SourceCabKey=SCA_WIN2016,DestName=cis_win2016.yml,Attributes=512,FileSize=454065,PerTick=65536,,VerifyMedia=1,,,,,CheckCRC=0,,,InstallMode=58982400,HashOptions=0,HashPart1=-3843011,HashPart2=544996674,HashPart3=-1960173996,HashPart4=-183926991,,) MSI (s) (A8:88) [05:44:09:676]: File: C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win2016.yml; To be installed; Won't patch; No existing file MSI (s) (A8:88) [05:44:09:676]: Source for file 'SCA_WIN2016' is compressed InstallFiles: File: cis_win2016.yml, Directory: C:\Program Files (x86)\ossec-agent\ruleset\sca\, Size: 454065 MSI (s) (A8:88) [05:44:09:692]: Executing op: SetTargetFolder(Folder=C:\Program Files (x86)\ossec-agent\) MSI (s) (A8:88) [05:44:09:692]: Executing op: SetSourceFolder(Folder=1\PFiles\fjokbowa\|PFiles\ossec-agent\) MSI (s) (A8:88) [05:44:09:692]: Executing op: 
FileCopy(SourceName=aevzidph.dll|syscollector.dll,SourceCabKey=SYSCOLLECTOR_DLL,DestName=syscollector.dll,Attributes=512,FileSize=1359360,PerTick=65536,,VerifyMedia=1,,,,,CheckCRC=0,,,InstallMode=58982400,HashOptions=0,HashPart1=-465607677,HashPart2=1556668900,HashPart3=-1737917825,HashPart4=-1238557989,,) MSI (s) (A8:88) [05:44:09:692]: File: C:\Program Files (x86)\ossec-agent\syscollector.dll; Overwrite; Won't patch; Existing file is unversioned and unmodified - hash doesn't match source file MSI (s) (A8:88) [05:44:09:692]: Source for file 'SYSCOLLECTOR_DLL' is compressed InstallFiles: File: syscollector.dll, Directory: C:\Program Files (x86)\ossec-agent\, Size: 1359360 MSI (s) (A8:88) [05:44:09:692]: Re-applying security from existing file. MSI (s) (A8:88) [05:44:09:692]: Verifying accessibility of file: syscollector.dll MSI (s) (A8:88) [05:44:09:708]: Executing op: SetTargetFolder(Folder=C:\Program Files (x86)\ossec-agent\queue\syscollector\) MSI (s) (A8:88) [05:44:09:708]: Executing op: SetSourceFolder(Folder=1\PFiles\fjokbowa\queue\bnp5_md3\|PFiles\ossec-agent\queue\syscollector\) MSI (s) (A8:88) [05:44:09:708]: Executing op: FileCopy(SourceName=rb_beyqh.jso|norm_config.json,SourceCabKey=SYSCOLLECTOR_NORM_CONFIG,DestName=norm_config.json,Attributes=512,FileSize=4206,PerTick=65536,,VerifyMedia=1,,,,,CheckCRC=0,,,InstallMode=58982400,HashOptions=0,HashPart1=-706209322,HashPart2=-1100174369,HashPart3=460703689,HashPart4=-1554738443,,) MSI (s) (A8:88) [05:44:09:708]: File: C:\Program Files (x86)\ossec-agent\queue\syscollector\norm_config.json; Won't Overwrite; Won't patch; Existing file is unversioned and unmodified - hash matches source file MSI (s) (A8:88) [05:44:09:708]: Executing op: SetTargetFolder(Folder=C:\Program Files (x86)\ossec-agent\) MSI (s) (A8:88) [05:44:09:708]: Executing op: SetSourceFolder(Folder=1\PFiles\fjokbowa\|PFiles\ossec-agent\) MSI (s) (A8:88) [05:44:09:708]: Executing op: 
FileCopy(SourceName=sysinfo.dll,SourceCabKey=SYSINFO_DLL,DestName=sysinfo.dll,Attributes=512,FileSize=1284096,PerTick=65536,,VerifyMedia=1,,,,,CheckCRC=0,,,InstallMode=58982400,HashOptions=0,HashPart1=1547782304,HashPart2=-2139918004,HashPart3=422069393,HashPart4=-1885956875,,) MSI (s) (A8:88) [05:44:09:723]: File: C:\Program Files (x86)\ossec-agent\sysinfo.dll; Overwrite; Won't patch; Existing file is unversioned and unmodified - hash doesn't match source file MSI (s) (A8:88) [05:44:09:723]: Source for file 'SYSINFO_DLL' is compressed InstallFiles: File: sysinfo.dll, Directory: C:\Program Files (x86)\ossec-agent\, Size: 1284096 MSI (s) (A8:88) [05:44:09:723]: Re-applying security from existing file. MSI (s) (A8:88) [05:44:09:723]: Verifying accessibility of file: sysinfo.dll MSI (s) (A8:88) [05:44:09:739]: Executing op: FileCopy(SourceName=VERSION,SourceCabKey=VERSION,DestName=VERSION,Attributes=512,FileSize=8,PerTick=65536,,VerifyMedia=1,,,,,CheckCRC=0,,,InstallMode=58982400,HashOptions=0,HashPart1=496064117,HashPart2=-1306241177,HashPart3=-2137345508,HashPart4=2121158180,,) MSI (s) (A8:88) [05:44:09:739]: File: C:\Program Files (x86)\ossec-agent\VERSION; Overwrite; Won't patch; Existing file is unversioned and unmodified - hash doesn't match source file MSI (s) (A8:88) [05:44:09:739]: Source for file 'VERSION' is compressed InstallFiles: File: VERSION, Directory: C:\Program Files (x86)\ossec-agent\, Size: 8 MSI (s) (A8:88) [05:44:09:739]: Re-applying security from existing file. 
MSI (s) (A8:88) [05:44:09:739]: Verifying accessibility of file: VERSION MSI (s) (A8:88) [05:44:09:739]: Executing op: FileCopy(SourceName=_5xs4l_h.txt|vista_sec.txt,SourceCabKey=VISTA_SEC.TXT,DestName=vista_sec.txt,Attributes=512,FileSize=93551,PerTick=65536,,VerifyMedia=1,,,,,CheckCRC=0,,,InstallMode=58982400,HashOptions=0,HashPart1=2100817699,HashPart2=992813685,HashPart3=-1584576590,HashPart4=-619651660,,) MSI (s) (A8:88) [05:44:09:755]: File: C:\Program Files (x86)\ossec-agent\vista_sec.txt; Won't Overwrite; Won't patch; Existing file is unversioned and unmodified - hash matches source file MSI (s) (A8:88) [05:44:09:755]: Executing op: FileCopy(SourceName=twaitfa7.tem|profile.template,SourceCabKey=W2016_LOCALFILE.TEMPLATE,DestName=profile.template,Attributes=512,FileSize=90,PerTick=65536,,VerifyMedia=1,,,,,CheckCRC=0,,,InstallMode=58982400,HashOptions=0,HashPart1=-1432339855,HashPart2=621575578,HashPart3=478242607,HashPart4=-1926478882,,) MSI (s) (A8:88) [05:44:09:755]: File: C:\Program Files (x86)\ossec-agent\profile.template; Won't Overwrite; Won't patch; Existing file is unversioned and unmodified - hash matches source file MSI (s) (A8:88) [05:44:09:755]: Executing op: FileCopy(SourceName=ekhl4joq.exe|wazuh-agent.exe,SourceCabKey=WAZUH_AGENT_EVENTCHANNEL.EXE,DestName=wazuh-agent.exe,Attributes=512,FileSize=1927104,PerTick=65536,,VerifyMedia=1,,,,,CheckCRC=0,,,InstallMode=58982400,HashOptions=0,HashPart1=-1240948853,HashPart2=166643982,HashPart3=1430522071,HashPart4=536532990,,) MSI (s) (A8:88) [05:44:09:755]: File: C:\Program Files (x86)\ossec-agent\wazuh-agent.exe; To be installed; Won't patch; No existing file MSI (s) (A8:88) [05:44:09:755]: Source for file 'WAZUH_AGENT_EVENTCHANNEL.EXE' is compressed InstallFiles: File: wazuh-agent.exe, Directory: C:\Program Files (x86)\ossec-agent\, Size: 1927104 MSI (s) (A8:88) [05:44:09:786]: Executing op: 
FileCopy(SourceName=y9uogwj8.exe|wazuh-agent.exe,SourceCabKey=WAZUH_AGENT_UPGRADE_OSSEC.EXE,DestName=wazuh-agent.exe,Attributes=512,FileSize=1927104,PerTick=65536,,VerifyMedia=1,,,,,CheckCRC=0,,,InstallMode=58982400,HashOptions=0,HashPart1=-1240948853,HashPart2=166643982,HashPart3=1430522071,HashPart4=536532990,,) MSI (s) (A8:88) [05:44:09:786]: File: C:\Program Files (x86)\ossec-agent\wazuh-agent.exe; Won't Overwrite; Won't patch; Existing file is unversioned and unmodified - hash matches source file MSI (s) (A8:88) [05:44:09:786]: Executing op: SetTargetFolder(Folder=C:\Program Files (x86)\ossec-agent\shared\) MSI (s) (A8:88) [05:44:09:786]: Executing op: SetSourceFolder(Folder=1\PFiles\fjokbowa\shared\|PFiles\ossec-agent\shared\) MSI (s) (A8:88) [05:44:09:786]: Executing op: FileCopy(SourceName=9krl9lz2.txt|win_applications_rcl.txt,SourceCabKey=WIN_APPLICATIONS_RCL.TXT,DestName=win_applications_rcl.txt,Attributes=512,FileSize=5214,PerTick=65536,,VerifyMedia=1,,,,,CheckCRC=0,,,InstallMode=58982400,HashOptions=0,HashPart1=-830056726,HashPart2=652586862,HashPart3=782556043,HashPart4=401368995,,) MSI (s) (A8:88) [05:44:09:786]: File: C:\Program Files (x86)\ossec-agent\shared\win_applications_rcl.txt; Won't Overwrite; Won't patch; Existing file is unversioned and unmodified - hash matches source file MSI (s) (A8:88) [05:44:09:786]: Executing op: FileCopy(SourceName=b903ohm8.txt|win_audit_rcl.txt,SourceCabKey=WIN_AUDIT_RCL.TXT,DestName=win_audit_rcl.txt,Attributes=512,FileSize=4277,PerTick=65536,,VerifyMedia=1,,,,,CheckCRC=0,,,InstallMode=58982400,HashOptions=0,HashPart1=1235452272,HashPart2=617666913,HashPart3=-734526902,HashPart4=563612416,,) MSI (s) (A8:88) [05:44:09:786]: File: C:\Program Files (x86)\ossec-agent\shared\win_audit_rcl.txt; Won't Overwrite; Won't patch; Existing file is unversioned and unmodified - hash matches source file MSI (s) (A8:88) [05:44:09:786]: Executing op: 
FileCopy(SourceName=c4uufxig.txt|win_malware_rcl.txt,SourceCabKey=WIN_MALWARE_RCL.TXT,DestName=win_malware_rcl.txt,Attributes=512,FileSize=7314,PerTick=65536,,VerifyMedia=1,,,,,CheckCRC=0,,,InstallMode=58982400,HashOptions=0,HashPart1=-1744969508,HashPart2=57286565,HashPart3=-920050194,HashPart4=-1064319065,,) MSI (s) (A8:88) [05:44:09:786]: File: C:\Program Files (x86)\ossec-agent\shared\win_malware_rcl.txt; Won't Overwrite; Won't patch; Existing file is unversioned and unmodified - hash matches source file MSI (s) (A8:88) [05:44:09:786]: Executing op: SetTargetFolder(Folder=C:\Program Files (x86)\ossec-agent\) MSI (s) (A8:88) [05:44:09:786]: Executing op: SetSourceFolder(Folder=1\PFiles\fjokbowa\|PFiles\ossec-agent\) MSI (s) (A8:88) [05:44:09:786]: Executing op: FileCopy(SourceName=win32ui.exe,SourceCabKey=WIN32UI.EXE,DestName=win32ui.exe,Attributes=512,FileSize=932696,PerTick=65536,,VerifyMedia=1,,,,,CheckCRC=0,,,InstallMode=58982400,HashOptions=0,HashPart1=1471315261,HashPart2=-801442906,HashPart3=797002657,HashPart4=2106870719,,) MSI (s) (A8:88) [05:44:09:786]: File: C:\Program Files (x86)\ossec-agent\win32ui.exe; To be installed; Won't patch; No existing file MSI (s) (A8:88) [05:44:09:786]: Source for file 'WIN32UI.EXE' is compressed InstallFiles: File: win32ui.exe, Directory: C:\Program Files (x86)\ossec-agent\, Size: 932696 MSI (s) (A8:88) [05:44:09:802]: Executing op: FileCopy(SourceName=204zjaq0.man|win32ui.exe.manifest,SourceCabKey=WIN32UI.EXE.MANIFEST,DestName=win32ui.exe.manifest,Attributes=512,FileSize=367,PerTick=65536,,VerifyMedia=1,,,,,CheckCRC=0,,,InstallMode=58982400,HashOptions=0,HashPart1=1690135883,HashPart2=2144595334,HashPart3=1172345271,HashPart4=-871553229,,) MSI (s) (A8:88) [05:44:09:802]: File: C:\Program Files (x86)\ossec-agent\win32ui.exe.manifest; Won't Overwrite; Won't patch; Existing file is unversioned and unmodified - hash matches source file MSI (s) (A8:88) [05:44:09:802]: Executing op: 
FileCopy(SourceName=wpk_root.pem,SourceCabKey=WPK_ROOT.PEM,DestName=wpk_root.pem,Attributes=512,FileSize=1229,PerTick=65536,,VerifyMedia=1,,,,,CheckCRC=0,,,InstallMode=58982400,HashOptions=0,HashPart1=168350084,HashPart2=882449858,HashPart3=1661422399,HashPart4=-2066699003,,) MSI (s) (A8:88) [05:44:09:802]: File: C:\Program Files (x86)\ossec-agent\wpk_root.pem; Won't Overwrite; Won't patch; Existing file is unversioned and unmodified - hash matches source file MSI (s) (A8:88) [05:44:09:802]: Executing op: CacheSizeFlush(,) MSI (s) (A8:88) [05:44:09:802]: Executing op: ActionStart(Name=CreateShortcuts,Description=Creating shortcuts,Template=Shortcut: [1]) Action 5:44:09: CreateShortcuts. Creating shortcuts MSI (s) (A8:88) [05:44:09:802]: Executing op: IconCreate(Icon=icon.ico,Data=BinaryData) CreateShortcuts: Shortcut: icon.ico MSI (s) (A8:88) [05:44:09:802]: Executing op: SetTargetFolder(Folder=23\OSSEC\) MSI (s) (A8:88) [05:44:09:802]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs MSI (s) (A8:88) [05:44:09:802]: Executing op: ShortcutCreate(Name=zn2f_jfm|Edit conf,,,FileName=C:\Program Files (x86)\ossec-agent\ossec.conf,,WorkingDir=C:\Program Files (x86)\ossec-agent\,,,,,,,,,) CreateShortcuts: Shortcut: zn2f_jfm|Edit conf MSI (s) (A8:88) [05:44:09:818]: Verifying accessibility of file: Edit conf.lnk MSI (s) (A8:88) [05:44:09:818]: Executing op: ShortcutCreate(Name=aetn-qul|Uninstall,,,FileName=C:\Windows\system32\msiexec.exe,Arguments=/x {74876D42-37ED-44FD-B662-AC2F5842BA6A},,,,,,Description=Uninstalls the application,,,,) CreateShortcuts: Shortcut: aetn-qul|Uninstall MSI (s) (A8:88) [05:44:09:818]: Verifying accessibility of file: Uninstall.lnk MSI (s) (A8:88) [05:44:09:833]: Executing op: ShortcutCreate(Name=3i332pgp|Manage Agent,,,FileName=C:\Program Files (x86)\ossec-agent\win32ui.exe,,WorkingDir=C:\Program Files (x86)\ossec-agent\,,,,,,,,,) CreateShortcuts: Shortcut: 3i332pgp|Manage Agent MSI (s) (A8:88) 
[05:44:09:833]: Verifying accessibility of file: Manage Agent.lnk MSI (s) (A8:88) [05:44:09:848]: Executing op: ActionStart(Name=WixRollbackInternetShortcuts,,) Action 5:44:09: WixRollbackInternetShortcuts. MSI (s) (A8:88) [05:44:09:848]: Executing op: CustomActionSchedule(Action=WixRollbackInternetShortcuts,ActionType=3329,Source=BinaryData,Target=WixRollbackInternetShortcuts,CustomActionData=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OSSEC\Documentation.lnk€https://documentation.wazuh.com€0€€0) MSI (s) (A8:88) [05:44:09:848]: Executing op: ActionStart(Name=WixCreateInternetShortcuts,,) Action 5:44:09: WixCreateInternetShortcuts. MSI (s) (A8:88) [05:44:09:848]: Executing op: CustomActionSchedule(Action=WixCreateInternetShortcuts,ActionType=3073,Source=BinaryData,Target=WixCreateInternetShortcuts,CustomActionData=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OSSEC\Documentation.lnk€https://documentation.wazuh.com€0€€0) MSI (s) (A8:EC) [05:44:09:848]: Invoking remote custom action. DLL: C:\Windows\Installer\MSI5856.tmp, Entrypoint: WixCreateInternetShortcuts MSI (s) (A8:04) [05:44:09:848]: Generating random cookie. MSI (s) (A8:04) [05:44:09:864]: Created Custom Action Server with PID 4752 (0x1290). MSI (s) (A8:28) [05:44:09:896]: Running as a service. MSI (s) (A8:28) [05:44:09:896]: Hello, I'm your 32bit Elevated Non-remapped custom action server. WixCreateInternetShortcuts: Entering WixCreateInternetShortcuts in C:\Windows\Installer\MSI5856.tmp, version 3.11.4516.0 WixCreateInternetShortcuts: Creating IShellLinkW shortcut 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OSSEC\Documentation.lnk' target 'https://documentation.wazuh.com' MSI (s) (A8:88) [05:44:09:926]: Executing op: ActionStart(Name=WriteRegistryValues,Description=Writing system registry values,Template=Key: [1], Name: [2], Value: [3]) Action 5:44:09: WriteRegistryValues. 
Writing system registry values MSI (s) (A8:88) [05:44:09:926]: Executing op: ProgressTotal(Total=2,Type=1,ByteEquivalent=13200) MSI (s) (A8:88) [05:44:09:926]: Executing op: RegOpenKey(Root=-2147483647,Key=Software\Wazuh, Inc.\Wazuh Agent,,BinaryType=0,,) MSI (s) (A8:88) [05:44:09:926]: Executing op: RegAddValue(,,) WriteRegistryValues: Key: \Software\Wazuh, Inc.\Wazuh Agent, Name: , Value: MSI (s) (A8:88) [05:44:09:942]: Executing op: RegOpenKey(Root=-2147483646,Key=SOFTWARE\Wazuh, Inc.\Wazuh Agent,,BinaryType=0,,) MSI (s) (A8:88) [05:44:09:942]: Executing op: RegAddValue(Name=WazuhInstallDir,Value=C:\Program Files (x86)\ossec-agent\,) WriteRegistryValues: Key: \SOFTWARE\Wazuh, Inc.\Wazuh Agent, Name: WazuhInstallDir, Value: C:\Program Files (x86)\ossec-agent\ MSI (s) (A8:88) [05:44:09:942]: Executing op: ActionStart(Name=InstallServices,Description=Installing new services,Template=Service: [2]) Action 5:44:09: InstallServices. Installing new services MSI (s) (A8:88) [05:44:09:942]: Executing op: ProgressTotal(Total=2,Type=1,ByteEquivalent=1300000) MSI (s) (A8:88) [05:44:09:942]: Executing op: ServiceInstall(Name=WazuhSvc,DisplayName=Wazuh,ImagePath="C:\Program Files (x86)\ossec-agent\wazuh-agent.exe",ServiceType=16,StartType=2,ErrorControl=1,,Dependencies=[~],,,Password=**********,Description=Wazuh Windows Agent,,) InstallServices: Service: MSI (s) (A8:88) [05:44:09:942]: Executing op: ServiceInstall(Name=WazuhSvc,DisplayName=Wazuh,ImagePath="C:\Program Files (x86)\ossec-agent\wazuh-agent.exe",ServiceType=16,StartType=2,ErrorControl=1,,Dependencies=[~],,,Password=**********,Description=Wazuh Windows Agent,,) InstallServices: Service: MSI (s) (A8:88) [05:44:09:942]: Executing op: ActionStart(Name=StartServices,Description=Starting services,Template=Service: [1]) Action 5:44:09: StartServices. 
Starting services
MSI (s) (A8:88) [05:44:09:942]: Executing op: ProgressTotal(Total=1,Type=1,ByteEquivalent=1300000)
MSI (s) (A8:88) [05:44:09:942]: Executing op: ServiceControl(,Name=WazuhSvc,Action=1,Wait=1,)
StartServices: Service: Wazuh
Error 1920. Service 'Wazuh' (WazuhSvc) failed to start. Verify that you have sufficient privileges to start system services.
MSI (s) (A8:88) [05:48:32:349]: Product: Wazuh Agent -- Error 1920. Service 'Wazuh' (WazuhSvc) failed to start. Verify that you have sufficient privileges to start system services.
Error 1920. Service 'Wazuh' (WazuhSvc) failed to start. Verify that you have sufficient privileges to start system services.
```

DFolchA commented 2 years ago

UPDATE

As we can see in the previous log we obtain the following error:

Error 1920. Service 'Wazuh' (WazuhSvc) failed to start. Verify that you have sufficient privileges to start system services.

This error appears after the installation has waited for some time while installing, as in the following pop-up:

image

It seems that the user employed for the upgrade can't run the WazuhSvc service.

We are currently investigating possible solutions for this problem.

DFolchA commented 2 years ago

UPDATE

Using an OVA instance shared by @elwali10 we were able to reproduce the error.

We noticed that this error only appears when the virtual machine has only 1 core and probably has nothing to do with the user.

We verified that the service can be started even with 1 core.

image

DFolchA commented 2 years ago

UPDATE

Found the possible cause of the error, in this line of the wxs file: https://github.com/wazuh/wazuh/blob/b1f7b533efeba1e4bd40b0edb0a5a12d8eff58fb/src/win32/wazuh-installer.wxs#L206

The MSI only verifies the condition WAZUHINSTALLED, but there is no check for the service being active before the installation; this may lead to the agent starting in an incorrect state.

DFolchA commented 2 years ago

UPDATE

Fixed issue mentioned in the last comment: https://github.com/wazuh/wazuh/commit/53f97596abd6e2c3348e7546731abdc3c3a3d3ff

Build and test package with the fix.

The error does not appear in the new package when upgrading a package in a machine with 1 core.

Tests

1 core

4 core

DFolchA commented 2 years ago

UPDATE

Investigate the cause of the long time spent in the starting services step of the MSI. We found this thread: https://stackoverflow.com/questions/50340129/wix-servicecontrol-start-takes-four-minutes-to-fail-should-be-30-sec

That suggests that the service may be holding the process.

Investigate Windows service code:

- https://github.com/wazuh/wazuh/blob/2b0d34b7aec641fc4c73f150d53c3d5b0679d67b/src/win32/win_service.c
- https://github.com/wazuh/wazuh/blob/f2d777d86f9a2d29fbfa237e1a311eb106e1c637/src/win32/win_utils.c

Test package disabling different components.
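A way to measure that stall from a verbose installer log, as an added example that is not part of the original thread or of Wazuh's code: it pairs the `ServiceControl` start operation with the timestamped `Error 1920` entry and reports how long the installer waited. The function names are hypothetical, the sample is constructed from the log quoted above, and reading `Action=1` as the start request is an assumption taken from that log's StartServices step.

```python
import re
from datetime import timedelta

# Constructed sample: the tail of the installer log quoted in this thread,
# run together on one line the way long MSI logs are often pasted.
SAMPLE_LOG = (
    "MSI (s) (A8:88) [05:44:09:942]: Executing op: "
    "ProgressTotal(Total=1,Type=1,ByteEquivalent=1300000) "
    "MSI (s) (A8:88) [05:44:09:942]: Executing op: "
    "ServiceControl(,Name=WazuhSvc,Action=1,Wait=1,) "
    "StartServices: Service: Wazuh Error 1920. Service 'Wazuh' (WazuhSvc) "
    "failed to start. Verify that you have sufficient privileges to start "
    "system services. "
    "MSI (s) (A8:88) [05:48:32:349]: Product: Wazuh Agent -- Error 1920. "
    "Service 'Wazuh' (WazuhSvc) failed to start. Verify that you have "
    "sufficient privileges to start system services."
)

# Header of one engine entry, e.g. "MSI (s) (A8:88) [05:44:09:942]: "
ENTRY = re.compile(
    r"MSI \([sc]\) \([0-9A-F]{2,4}[:!][0-9A-F]{2,4}\) "
    r"\[(\d{2}):(\d{2}):(\d{2}):(\d{3})\]: "
)
# Assumption: Action=1 is the start request, as in the StartServices step above.
SERVICE_OP = re.compile(r"Executing op: ServiceControl\(,Name=([^,]+),Action=1,")
# Only the timestamped "Product: ... -- Error" entry marks when MSI gave up;
# the bare "Error 1920." text carries no timestamp of its own.
FAILURE = re.compile(
    r"Product: .+? -- Error (\d+)\. Service '[^']*' \(([^)]+)\) failed to start"
)


def _clock(header):
    h, m, s, ms = (int(g) for g in header.groups())
    return timedelta(hours=h, minutes=m, seconds=s, milliseconds=ms)


def service_start_stalls(log_text):
    """Return one record per service whose start was requested and then failed."""
    headers = list(ENTRY.finditer(log_text))
    requested, stalls = {}, []
    for i, head in enumerate(headers):
        # An entry's body runs up to the next header, line breaks or not.
        end = headers[i + 1].start() if i + 1 < len(headers) else len(log_text)
        body = log_text[head.end():end]
        op = SERVICE_OP.match(body)
        if op:
            requested[op.group(1)] = _clock(head)
            continue
        fail = FAILURE.match(body)
        if fail and fail.group(2) in requested:
            waited = _clock(head) - requested.pop(fail.group(2))
            if waited < timedelta(0):  # the log crossed midnight
                waited += timedelta(days=1)
            stalls.append({"service": fail.group(2),
                           "error": int(fail.group(1)),
                           "waited": waited})
    return stalls
```

On the sample this reports a wait of 4 minutes 22.407 seconds for WazuhSvc between the start request and the failure.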

DFolchA commented 2 years ago

UPDATE

Test installation and upgrade of failing packages while disabling different modules; we observed the same behavior when starting the services.

Impact study of proposed changes

The proposed changes affect the way the services are managed after an upgrade. Currently, the error described here: https://github.com/wazuh/wazuh/issues/13928#issuecomment-1181880846 causes the services always to try to start after an upgrade or installation. The correct behavior would be only to start the services if the Wazuh services were running before the upgrade and never start them after a new installation.

These changes may affect upgrades from before the service name change (that is, from versions lower than 4.2.0), upgrades after the service name change, and new installations.

Proposed tests

Auditors validation

alberpilot commented 2 years ago

Tests should be done in Windows XP, Windows 2012R2, and Windows server 2022.

DFolchA commented 2 years ago

4 Cores

| | Windows XP | Windows 2012R2 | Windows server 2022 |
|---|---|---|---|
| Upgrade from 3.x previous service stopped | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Upgrade from 4.0 previous service stopped | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Upgrade from 4.2 previous service stopped | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Upgrade from 3.x previous service started | :red_circle: | :red_circle: | :red_circle: |
| Upgrade from 4.0 previous service started | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Upgrade from 4.2 previous service started | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Clean install | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |

1 Core

Windows XP Windows 2012R2 Windows server 2022
Upgrade from 3.x previous service stopped :heavy_check_mark:
Upgrade from 4.0 previous service stopped :heavy_check_mark:
Upgrade from 4.2 previous service stopped :heavy_check_mark:
Upgrade from 3.x previous service started :heavy_check_mark:
Upgrade from 4.0 previous service started :heavy_check_mark:
Upgrade from 4.2 previous service started :heavy_check_mark:
Clean install :heavy_check_mark:
DFolchA commented 2 years ago

Update

Investigate problem with the upgrade from 3.x

DFolchA commented 2 years ago

Update

Add fix for 3.x upgrades. https://github.com/wazuh/wazuh/commit/d3436911016114c0912cef87df9f19b7a446ffd1

Tests

4 Cores

| | Windows XP | Windows 2012R2 | Windows server 2022 |
|---|---|---|---|
| Upgrade from 3.x previous service stopped | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Upgrade from 4.0 previous service stopped | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Upgrade from 4.2 previous service stopped | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Upgrade from 3.x previous service started | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Upgrade from 4.0 previous service started | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Upgrade from 4.2 previous service started | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Clean install | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |

1 Core

| | Windows XP | Windows 2012R2 | Windows server 2022 |
|---|---|---|---|
| Upgrade from 3.x previous service stopped | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Upgrade from 4.0 previous service stopped | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Upgrade from 4.2 previous service stopped | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Upgrade from 3.x previous service started | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Upgrade from 4.0 previous service started | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Upgrade from 4.2 previous service started | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Clean install | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |