
App Control: Agent Upgrades Fail Due to Presence Of Reg Keys From Previous Versions

Environment

  • App Control Windows Agent: 8.7.x - 8.8.x
  • App Control Console: All Supported Versions

Symptoms

  • Upgrades from Agent version 8.7.x to Agent version 8.7.8, 8.8.0, or 8.8.2 fail
  • ParityHostAgentInstall_xxxx-xx-xx.log located in "C:\ProgramData\Bit9\Parity Agent\Logs" shows errors similar to:
    <Cb Log> [8-16-2022 02:48:32] (FAILURE) Agent cannot be installed per-user. Please Specify ALLUSERS=1
    
    MSI (s) (C0:24) [07:55:37:601]: Product: Bit9 Agent -- Error 1714.The older version of Bit9 Agent cannot be removed. Contact your technical support group. System Error 1612.
    

Cause

  • Windows agent upgrades fail due to leftover registry keys from previous agent versions
  • This typically happens when the agent was deployed via SCCM and the original MSI is no longer present in the ccmcache folder
  • During agent upgrades to a version with a different GUID, Windows uninstalls the old version first using information contained in the original MSI
  • If the original MSI was not cached by SCCM, leftover registry keys remain after the uninstall and cause the new install to fail

Resolution

I. Check if there are leftover registry keys from previous agent versions

  1. In CMD, check the file version of the installed agent:
    "C:\Program Files (x86)\Bit9\Parity Agent\DasCLI.exe" status
    
    Version Information
        CLI:        8.7.8.787 6/17/2022 5:00:17 PM
        Agent:      8.7.8.787 6/17/2022 5:00:17 PM
        Kernel:     8.7.8.787 6/17/2022 5:00:17 PM
  2. Navigate to the following registry key or run the following in CMD:
    reg query HKEY_CLASSES_ROOT\Installer\UpgradeCodes\BE699B28D1B16A04D9F1AA3A0C28A1C9
    • The registry key should only have 1 package code matching the agent version installed on the system
    • GOOD registry shows only the package code for the currently installed agent 8.7.8 - C56DE352F399D2544A140184D1CFDFA9
    • BAD registry shows 2 or more product codes for the current agent and previous agent versions
  3. Verify the Package Codes against their corresponding agent versions HERE
  4. If the current agent's product code is missing and only product codes for older versions are present, please open a support case
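
The check in section I as a read-only PowerShell script. This is an added example, not part of the vendor's article: the function name, the `-CurrentCode` parameter and the exit codes are assumptions, and the codes for previous versions are the ones listed in section II.

```powershell
# Added example: read-only audit of the agent's UpgradeCodes key (step I.2).
param(
    # Code of the agent version installed now. The default is the 8.7.8 value
    # shown in this article; pass the correct code for any other version.
    [string]$CurrentCode = 'C56DE352F399D2544A140184D1CFDFA9'
)

$UpgradeKey = 'Registry::HKEY_CLASSES_ROOT\Installer\UpgradeCodes\BE699B28D1B16A04D9F1AA3A0C28A1C9'

# Codes of previous agent versions, copied from section II of this article.
$StaleCodes = @{
    '18633383D60BA99428F49BE443CC1879' = '8.7.4 - 8.7.6'
    '16C74908109DF684982E92D6C6EFA8CA' = '8.7.2'
    '752723C1D0E4CEA42903E4A1A2D7405A' = '8.7.0'
    '95E4D2F9825022B46B466A0B8B4B28EE' = '8.1.x - 8.6.x'
    '3AC179ADAA3775A4FA4B18557EC2BE69' = '8.0.x'
}

# Hypothetical helper: classify each value name found under the key.
function Get-AgentUpgradeCodeReport {
    param([string[]]$ValueNames, [string]$Current, [hashtable]$Stale)
    foreach ($name in $ValueNames) {
        if ($name -eq $Current)            { $status = 'current'; $version = 'installed agent' }
        elseif ($Stale.ContainsKey($name)) { $status = 'stale';   $version = $Stale[$name] }
        else                               { $status = 'unknown'; $version = 'verify (step I.3)' }
        [pscustomobject]@{ Code = $name; Version = $version; Status = $status }
    }
}

$key = Get-Item -LiteralPath $UpgradeKey -ErrorAction SilentlyContinue
if (-not $key) { Write-Warning "Key not found: $UpgradeKey"; exit 2 }

# Value names under the key are the codes; skip the unnamed default value.
$names  = @($key.GetValueNames() | Where-Object { $_ })
$report = @(Get-AgentUpgradeCodeReport -ValueNames $names -Current $CurrentCode -Stale $StaleCodes)
$report | Format-Table -AutoSize

if ($report.Status -notcontains 'current') {
    Write-Warning 'Code for the installed agent is missing: open a support case (step I.4).'
    exit 3
}
$stale = @($report | Where-Object Status -eq 'stale')
if ($stale.Count -gt 0) {
    Write-Output ('Run the section II cleanup for: ' + ($stale.Version -join ', '))
    exit 1
}
Write-Output 'No known leftover codes; section II cleanup is not needed.'
exit 0
```

The script changes nothing in the registry; a non-zero exit code lets a deployment tool apply the cleanup only to endpoints that need it.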

II. Clean up the registry keys from previous agent versions. Do not remove the keys for the currently running agent.

Not all registry keys will exist. If a registry key is missing, the command prints an error and continues with the next line.
  1. Run the following commands on each agent, or save them as a script file and deploy it via GPO or another deployment method
    • To clean up old 8.7.4 - 8.7.6 keys if the product code is present - 18633383D60BA99428F49BE443CC1879
      reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\18633383D60BA99428F49BE443CC1879 /f &
      reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\18633383D60BA99428F49BE443CC1879 /f &
      reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\BE699B28D1B16A04D9F1AA3A0C28A1C9 /v 18633383D60BA99428F49BE443CC1879 /f &
      reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-18\Installer\Features\18633383D60BA99428F49BE443CC1879 /f &
      reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-18\Installer\Products\18633383D60BA99428F49BE443CC1879 /f &
      reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-18\Installer\UpgradeCodes\BE699B28D1B16A04D9F1AA3A0C28A1C9 /v 18633383D60BA99428F49BE443CC1879 /f &
      reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\18633383D60BA99428F49BE443CC1879 /f &
      reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\BE699B28D1B16A04D9F1AA3A0C28A1C9 /v 18633383D60BA99428F49BE443CC1879 /f &
      reg delete HKEY_CLASSES_ROOT\Installer\Features\18633383D60BA99428F49BE443CC1879 /f &
      reg delete HKEY_CLASSES_ROOT\Installer\Products\18633383D60BA99428F49BE443CC1879 /f &
      reg delete HKEY_CLASSES_ROOT\Installer\UpgradeCodes\BE699B28D1B16A04D9F1AA3A0C28A1C9 /v 18633383D60BA99428F49BE443CC1879 /f &
      reg delete HKEY_USERS\.DEFAULT\Software\Microsoft\Installer\Features\18633383D60BA99428F49BE443CC1879 /f &
      reg delete HKEY_USERS\.DEFAULT\Software\Microsoft\Installer\Products\18633383D60BA99428F49BE443CC1879 /f &
      reg delete HKEY_USERS\.DEFAULT\Software\Microsoft\Installer\UpgradeCodes\BE699B28D1B16A04D9F1AA3A0C28A1C9 /v 18633383D60BA99428F49BE443CC1879 /f &
      reg delete HKEY_USERS\S-1-5-18\Software\Microsoft\Installer\Features\18633383D60BA99428F49BE443CC1879 /f &
      reg delete HKEY_USERS\S-1-5-18\Software\Microsoft\Installer\Products\18633383D60BA99428F49BE443CC1879 /f &
      reg delete HKEY_USERS\S-1-5-18\Software\Microsoft\Installer\UpgradeCodes\BE699B28D1B16A04D9F1AA3A0C28A1C9 /v 18633383D60BA99428F49BE443CC1879 /f
    • To clean up old 8.7.2 keys if the product code is present - 16C74908109DF684982E92D6C6EFA8CA
      reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\16C74908109DF684982E92D6C6EFA8CA /f &
      reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\16C74908109DF684982E92D6C6EFA8CA /f &
      reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\BE699B28D1B16A04D9F1AA3A0C28A1C9 /v 16C74908109DF684982E92D6C6EFA8CA /f &
      reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-18\Installer\Features\16C74908109DF684982E92D6C6EFA8CA /f &
      reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-18\Installer\Products\16C74908109DF684982E92D6C6EFA8CA /f &
      reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-18\Installer\UpgradeCodes\BE699B28D1B16A04D9F1AA3A0C28A1C9 /v 16C74908109DF684982E92D6C6EFA8CA /f &
      reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\16C74908109DF684982E92D6C6EFA8CA /f &
      reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\BE699B28D1B16A04D9F1AA3A0C28A1C9 /v 16C74908109DF684982E92D6C6EFA8CA /f &
      reg delete HKEY_CLASSES_ROOT\Installer\Features\16C74908109DF684982E92D6C6EFA8CA /f &
      reg delete HKEY_CLASSES_ROOT\Installer\Products\16C74908109DF684982E92D6C6EFA8CA /f &
      reg delete HKEY_CLASSES_ROOT\Installer\UpgradeCodes\BE699B28D1B16A04D9F1AA3A0C28A1C9 /v 16C74908109DF684982E92D6C6EFA8CA /f &
      reg delete HKEY_USERS\.DEFAULT\Software\Microsoft\Installer\Features\16C74908109DF684982E92D6C6EFA8CA /f &
      reg delete HKEY_USERS\.DEFAULT\Software\Microsoft\Installer\Products\16C74908109DF684982E92D6C6EFA8CA /f &
      reg delete HKEY_USERS\.DEFAULT\Software\Microsoft\Installer\UpgradeCodes\BE699B28D1B16A04D9F1AA3A0C28A1C9 /v 16C74908109DF684982E92D6C6EFA8CA /f &
      reg delete HKEY_USERS\S-1-5-18\Software\Microsoft\Installer\Features\16C74908109DF684982E92D6C6EFA8CA /f &
      reg delete HKEY_USERS\S-1-5-18\Software\Microsoft\Installer\Products\16C74908109DF684982E92D6C6EFA8CA /f &
      reg delete HKEY_USERS\S-1-5-18\Software\Microsoft\Installer\UpgradeCodes\BE699B28D1B16A04D9F1AA3A0C28A1C9 /v 16C74908109DF684982E92D6C6EFA8CA /f
    • To clean up old 8.7.0 keys if the product code is present - 752723C1D0E4CEA42903E4A1A2D7405A
      reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\752723C1D0E4CEA42903E4A1A2D7405A /f &
      reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\752723C1D0E4CEA42903E4A1A2D7405A /f &
      reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\BE699B28D1B16A04D9F1AA3A0C28A1C9 /v 752723C1D0E4CEA42903E4A1A2D7405A /f &
      reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-18\Installer\Features\752723C1D0E4CEA42903E4A1A2D7405A /f &
      reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-18\Installer\Products\752723C1D0E4CEA42903E4A1A2D7405A /f &
      reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-18\Installer\UpgradeCodes\BE699B28D1B16A04D9F1AA3A0C28A1C9 /v 752723C1D0E4CEA42903E4A1A2D7405A /f &
      reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\752723C1D0E4CEA42903E4A1A2D7405A /f &
      reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\BE699B28D1B16A04D9F1AA3A0C28A1C9 /v 752723C1D0E4CEA42903E4A1A2D7405A /f &
      reg delete HKEY_CLASSES_ROOT\Installer\Features\752723C1D0E4CEA42903E4A1A2D7405A /f &
      reg delete HKEY_CLASSES_ROOT\Installer\Products\752723C1D0E4CEA42903E4A1A2D7405A /f &
      reg delete HKEY_CLASSES_ROOT\Installer\UpgradeCodes\BE699B28D1B16A04D9F1AA3A0C28A1C9 /v 752723C1D0E4CEA42903E4A1A2D7405A /f &
      reg delete HKEY_USERS\.DEFAULT\Software\Microsoft\Installer\Features\752723C1D0E4CEA42903E4A1A2D7405A /f &
      reg delete HKEY_USERS\.DEFAULT\Software\Microsoft\Installer\Products\752723C1D0E4CEA42903E4A1A2D7405A /f &
      reg delete HKEY_USERS\.DEFAULT\Software\Microsoft\Installer\UpgradeCodes\BE699B28D1B16A04D9F1AA3A0C28A1C9 /v 752723C1D0E4CEA42903E4A1A2D7405A /f &
      reg delete HKEY_USERS\S-1-5-18\Software\Microsoft\Installer\Features\752723C1D0E4CEA42903E4A1A2D7405A /f &
      reg delete HKEY_USERS\S-1-5-18\Software\Microsoft\Installer\Products\752723C1D0E4CEA42903E4A1A2D7405A /f &
      reg delete HKEY_USERS\S-1-5-18\Software\Microsoft\Installer\UpgradeCodes\BE699B28D1B16A04D9F1AA3A0C28A1C9 /v 752723C1D0E4CEA42903E4A1A2D7405A /f
    • To clean up old 8.1.x - 8.6.x keys if the product code is present - 95E4D2F9825022B46B466A0B8B4B28EE
      reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\95E4D2F9825022B46B466A0B8B4B28EE /f &
      reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\95E4D2F9825022B46B466A0B8B4B28EE /f &
      reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\BE699B28D1B16A04D9F1AA3A0C28A1C9 /v 95E4D2F9825022B46B466A0B8B4B28EE /f &
      reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-18\Installer\Features\95E4D2F9825022B46B466A0B8B4B28EE /f &
      reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-18\Installer\Products\95E4D2F9825022B46B466A0B8B4B28EE /f &
      reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-18\Installer\UpgradeCodes\BE699B28D1B16A04D9F1AA3A0C28A1C9 /v 95E4D2F9825022B46B466A0B8B4B28EE /f &
      reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\95E4D2F9825022B46B466A0B8B4B28EE /f &
      reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\BE699B28D1B16A04D9F1AA3A0C28A1C9 /v 95E4D2F9825022B46B466A0B8B4B28EE /f &
      reg delete HKEY_CLASSES_ROOT\Installer\Features\95E4D2F9825022B46B466A0B8B4B28EE /f &
      reg delete HKEY_CLASSES_ROOT\Installer\Products\95E4D2F9825022B46B466A0B8B4B28EE /f &
      reg delete HKEY_CLASSES_ROOT\Installer\UpgradeCodes\BE699B28D1B16A04D9F1AA3A0C28A1C9 /v 95E4D2F9825022B46B466A0B8B4B28EE /f &
      reg delete HKEY_USERS\.DEFAULT\Software\Microsoft\Installer\Features\95E4D2F9825022B46B466A0B8B4B28EE /f &
      reg delete HKEY_USERS\.DEFAULT\Software\Microsoft\Installer\Products\95E4D2F9825022B46B466A0B8B4B28EE /f &
      reg delete HKEY_USERS\.DEFAULT\Software\Microsoft\Installer\UpgradeCodes\BE699B28D1B16A04D9F1AA3A0C28A1C9 /v 95E4D2F9825022B46B466A0B8B4B28EE /f &
      reg delete HKEY_USERS\S-1-5-18\Software\Microsoft\Installer\Features\95E4D2F9825022B46B466A0B8B4B28EE /f &
      reg delete HKEY_USERS\S-1-5-18\Software\Microsoft\Installer\Products\95E4D2F9825022B46B466A0B8B4B28EE /f &
      reg delete HKEY_USERS\S-1-5-18\Software\Microsoft\Installer\UpgradeCodes\BE699B28D1B16A04D9F1AA3A0C28A1C9 /v 95E4D2F9825022B46B466A0B8B4B28EE /f
    • To clean up old 8.0.x keys if the product code is present - 3AC179ADAA3775A4FA4B18557EC2BE69
      reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\3AC179ADAA3775A4FA4B18557EC2BE69 /f &
      reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\3AC179ADAA3775A4FA4B18557EC2BE69 /f &
      reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\BE699B28D1B16A04D9F1AA3A0C28A1C9 /v 3AC179ADAA3775A4FA4B18557EC2BE69 /f &
      reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-18\Installer\Features\3AC179ADAA3775A4FA4B18557EC2BE69 /f &
      reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-18\Installer\Products\3AC179ADAA3775A4FA4B18557EC2BE69 /f &
      reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-18\Installer\UpgradeCodes\BE699B28D1B16A04D9F1AA3A0C28A1C9 /v 3AC179ADAA3775A4FA4B18557EC2BE69 /f &
      reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\3AC179ADAA3775A4FA4B18557EC2BE69 /f &
      reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\BE699B28D1B16A04D9F1AA3A0C28A1C9 /v 3AC179ADAA3775A4FA4B18557EC2BE69 /f &
      reg delete HKEY_CLASSES_ROOT\Installer\Features\3AC179ADAA3775A4FA4B18557EC2BE69 /f &
      reg delete HKEY_CLASSES_ROOT\Installer\Products\3AC179ADAA3775A4FA4B18557EC2BE69 /f &
      reg delete HKEY_CLASSES_ROOT\Installer\UpgradeCodes\BE699B28D1B16A04D9F1AA3A0C28A1C9 /v 3AC179ADAA3775A4FA4B18557EC2BE69 /f &
      reg delete HKEY_USERS\.DEFAULT\Software\Microsoft\Installer\Features\3AC179ADAA3775A4FA4B18557EC2BE69 /f &
      reg delete HKEY_USERS\.DEFAULT\Software\Microsoft\Installer\Products\3AC179ADAA3775A4FA4B18557EC2BE69 /f &
      reg delete HKEY_USERS\.DEFAULT\Software\Microsoft\Installer\UpgradeCodes\BE699B28D1B16A04D9F1AA3A0C28A1C9 /v 3AC179ADAA3775A4FA4B18557EC2BE69 /f &
      reg delete HKEY_USERS\S-1-5-18\Software\Microsoft\Installer\Features\3AC179ADAA3775A4FA4B18557EC2BE69 /f &
      reg delete HKEY_USERS\S-1-5-18\Software\Microsoft\Installer\Products\3AC179ADAA3775A4FA4B18557EC2BE69 /f &
      reg delete HKEY_USERS\S-1-5-18\Software\Microsoft\Installer\UpgradeCodes\BE699B28D1B16A04D9F1AA3A0C28A1C9 /v 3AC179ADAA3775A4FA4B18557EC2BE69 /f
      
  2. Attempt the agent upgrade again

Additional Notes

  • If the Agent upgrade was forced through by temporarily disabling Tamper Protection on the endpoint, a partial upgrade could occur that will require agent cleanup

Creation Date: 01-19-2023