Environment
- EDR Sensor: 6.x - 7.x
- Microsoft Windows: All Supported Versions
- Early Launch Antimalware (ELAM) in use
Symptoms
- Windows Sensor fails to upgrade
- Sensor.log error contains:
ExtractResourceToFile failed for 'cbedrelam' -> 'C:\Windows\ELAMBKUP\cbedrelam.sys' HrError[0x80070003]
Tid[1898] 2021-03-08 21:51:55 (i): Unable to update ELAM driver HrError[0x80070003]
Cause
Third-party products that make use of "Early Launch Antimalware" (ELAM) drivers are required to keep a copy of the driver in this ELAMBKUP folder. The EDR Sensor installer requires that this folder exists in order to work.
Resolution
The overall solution is to ensure a directory exists at the location specified in the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\EarlyLaunch.
Full Steps:
- Check to see if a registry key exists at: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\EarlyLaunch
- If the EarlyLaunch registry key DOES exist, note its location and *CREATE* a directory at that location. (Just make an empty folder)
- If the EaryLaunch registry key does NOT exist, then create a registry value for it and set it to a non-existent directory. (eg. C\Windows\ELAMBKUP). Create that same directory on the filesystem.
- Attempt the sensor upgrade.
Related Content
