Stopping agent: Faulting module name sechost.dll error #13077
During research for Wazuh-qa Issues #2769 and #3057, it was found that every time the agent was stopped, the event in the previous comment would be generated. The following is a snapshot of the Windows Event Viewer showing all instances of the error caused by stopping the agent, with the event example:

```xml
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="0">1000</EventID>
    <Level>2</Level>
    <Task>100</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2022-08-01T11:53:10.951288500Z" />
    <EventRecordID>12923</EventRecordID>
    <Channel>Application</Channel>
    <Computer>EC2AMAZ-NRK2S46</Computer>
    <Security />
  </System>
  <EventData>
    <Data>wazuh-agent.exe</Data>
    <Data>0.0.0.0</Data>
    <Data>62e04b69</Data>
    <Data>sechost.dll</Data>
    <Data>10.0.14393.2515</Data>
    <Data>5b88518d</Data>
    <Data>c0000005</Data>
    <Data>0000bd56</Data>
    <Data>12e8</Data>
    <Data>01d8a59d45c00449</Data>
    <Data>C:\Program Files (x86)\ossec-agent\wazuh-agent.exe</Data>
    <Data>C:\Windows\System32\sechost.dll</Data>
    <Data>a9fa1e64-894b-4932-b3b5-caa9ae514233</Data>
    <Data />
    <Data />
  </EventData>
</Event>
```

Further Research
RCA: because of the function pointer, it is treating a function as cdecl while calling a function that has the stdcall convention.
As you can see at this address (00902052), after the call to the function it does the cleanup on the stack, moving the base pointer; this is typical of cdecl, while the above function is executed as stdcall, which already does this cleanup. Callee function in this case -> wazuh_agent!wm_sys_stop
Description
It has been detected in the nightly wazuh/wazuh-qa#2769 that AR tier 0 tests fail in the Windows agent.
The restart wazuh command produces an unexpected error in the agent.
Steps to reproduce
1. Restart the wazuh-manager
2. Configure Syslog file monitoring in the agent configuration for the `example.log` file
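The Event 1000 record quoted above is what a detection pipeline ingests. As an added example, not part of this issue and not Wazuh code, the following Python parses such a record into named fields, decodes the NTSTATUS exception code (c0000005 is STATUS_ACCESS_VIOLATION) and groups repeats by crash signature, so a defect like the one found here (the same module, exception code and fault offset on every agent stop) stands out from one-off faults. The sample record is the issue's event reproduced as constructed input; the field names are the standard positional meaning of the `Data` items in an Application Error 1000 event.

```python
"""Parse Windows 'Application Error' (Event ID 1000) records and decode the
crash fields a triage or detection pipeline wants.

Added example for this issue; it is not Wazuh code. The sample record below
is the event quoted in the issue, reproduced as a constructed test input.
"""
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Positional meaning of the <Data> elements in an Application Error 1000
# event, in the order Windows Error Reporting writes them.
FIELDS = [
    "app_name", "app_version", "app_timestamp",
    "module_name", "module_version", "module_timestamp",
    "exception_code", "fault_offset", "process_id", "app_start_time",
    "app_path", "module_path", "report_id",
]

# Well-known NTSTATUS exception codes seen in Event 1000 records.
EXCEPTION_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
    0xC0000094: "STATUS_INTEGER_DIVIDE_BY_ZERO",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
    0xC0000374: "STATUS_HEAP_CORRUPTION",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
    0x80000003: "STATUS_BREAKPOINT",
}

# Constructed sample: the record from the issue, trimmed to the fields used.
SAMPLE_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="0">1000</EventID>
    <TimeCreated SystemTime="2022-08-01T11:53:10.951288500Z" />
    <Computer>EC2AMAZ-NRK2S46</Computer>
  </System>
  <EventData>
    <Data>wazuh-agent.exe</Data>
    <Data>0.0.0.0</Data>
    <Data>62e04b69</Data>
    <Data>sechost.dll</Data>
    <Data>10.0.14393.2515</Data>
    <Data>5b88518d</Data>
    <Data>c0000005</Data>
    <Data>0000bd56</Data>
    <Data>12e8</Data>
    <Data>01d8a59d45c00449</Data>
    <Data>C:\Program Files (x86)\ossec-agent\wazuh-agent.exe</Data>
    <Data>C:\Windows\System32\sechost.dll</Data>
    <Data>a9fa1e64-894b-4932-b3b5-caa9ae514233</Data>
    <Data />
    <Data />
  </EventData>
</Event>"""


def parse_event_1000(xml_text):
    """Return the crash fields of one Event 1000 record as a dict, or None
    if the record is not an Application Error 1000 event or is truncated."""
    root = ET.fromstring(xml_text)
    provider = root.find("e:System/e:Provider", NS)
    event_id = root.find("e:System/e:EventID", NS)
    if provider is None or event_id is None:
        return None
    if provider.get("Name") != "Application Error" or event_id.text != "1000":
        return None
    data = [d.text or "" for d in root.findall("e:EventData/e:Data", NS)]
    if len(data) < len(FIELDS):
        return None  # truncated record: do not guess at missing fields
    # Newer Windows builds append two package fields; zip ignores the extras.
    rec = dict(zip(FIELDS, data))
    code = int(rec["exception_code"], 16)
    rec["exception_code"] = code
    rec["exception_name"] = EXCEPTION_NAMES.get(code, "UNKNOWN")
    rec["fault_offset"] = int(rec["fault_offset"], 16)
    rec["process_id"] = int(rec["process_id"], 16)
    tc = root.find("e:System/e:TimeCreated", NS)
    rec["time_created"] = tc.get("SystemTime") if tc is not None else None
    comp = root.find("e:System/e:Computer", NS)
    rec["computer"] = comp.text if comp is not None else None
    return rec


def crash_signature(rec):
    """Group key for 'the same crash again': application, faulting module,
    exception code and fault offset. Process id and timestamps vary per
    crash and are deliberately left out of the key."""
    return (rec["app_name"].lower(), rec["module_name"].lower(),
            rec["exception_code"], rec["fault_offset"])


def recurring_crashes(records, threshold=2):
    """Return {signature: count} for signatures seen at least `threshold`
    times. A signature that repeats across hosts or restarts points at a
    software defect rather than at a one-off hardware or memory fault."""
    counts = Counter(crash_signature(r) for r in records if r is not None)
    return {sig: n for sig, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    rec = parse_event_1000(SAMPLE_EVENT)
    print(rec["app_name"], rec["module_name"], rec["exception_name"],
          hex(rec["fault_offset"]))
    print(recurring_crashes([rec, rec]))
```

The signature excludes the process id and timestamps on purpose: the RCA above explains why the same offset in sechost.dll shows up on every stop, so grouping on (application, module, exception code, fault offset) is what turns a stream of Event 1000 records into a single actionable finding.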