Getting Data In

Splunk Forwarder Windows Installation Fails with Error Code 1625

akira_splunk
Splunk Employee
Splunk Employee

=== Verbose logging started: 4/4/2016 8:59:13 Build type: SHIP UNICODE 5.00.9600.00 Calling process: C:\Windows\system32\msiexec.exe ===
MSI (c) (A8:64) [08:59:13:892]: Resetting cached policy values
MSI (c) (A8:64) [08:59:13:892]: Machine policy value 'Debug' is 0
MSI (c) (A8:64) [08:59:13:892]: ******* RunEngine:
******* Product: c:\windows\temp\splunkforwarder-6.3.3-f44afce176d0-x64-release.msi
******* Action:
******* CommandLine: **********
MSI (c) (A8:64) [08:59:13:892]: Client-side and UI is none or basic: Running entire install on the server.
MSI (c) (A8:64) [08:59:13:892]: Grabbed execution mutex.
MSI (c) (A8:64) [08:59:13:908]: Cloaking enabled.
MSI (c) (A8:64) [08:59:13:908]: Attempting to enable all disabled privileges before calling Install on Server
MSI (c) (A8:64) [08:59:13:908]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (38:24) [08:59:13:908]: Running installation inside multi-package transaction c:\windows\temp\splunkforwarder-6.3.3-f44afce176d0-x64-release.msi
MSI (s) (38:24) [08:59:13:908]: Grabbed execution mutex.
MSI (s) (38:B8) [08:59:13:908]: Resetting cached policy values
MSI (s) (38:B8) [08:59:13:908]: Machine policy value 'Debug' is 0
MSI (s) (38:B8) [08:59:13:908]: ******* RunEngine:
******* Product: c:\windows\temp\splunkforwarder-6.3.3-f44afce176d0-x64-release.msi
******* Action:
******* CommandLine: **********
MSI (s) (38:B8) [08:59:13:908]: Machine policy value 'DisableUserInstalls' is 0
MSI (s) (38:B8) [08:59:13:908]: Note: 1: 2203 2: C:\Windows\Installer\inprogressinstallinfo.ipi 3: -2147287038
MSI (s) (38:B8) [08:59:13:924]: SRSetRestorePoint skipped for this transaction.
MSI (s) (38:B8) [08:59:13:924]: File will have security applied from OpCode.
MSI (s) (38:B8) [08:59:14:330]: SOFTWARE RESTRICTION POLICY: Verifying package --> 'c:\windows\temp\splunkforwarder-6.3.3-f44afce176d0-x64-release.msi' against software restriction policy
MSI (s) (38:B8) [08:59:14:330]: SOFTWARE RESTRICTION POLICY: c:\windows\temp\splunkforwarder-6.3.3-f44afce176d0-x64-release.msi has a digital signature
MSI (s) (38:B8) [08:59:14:705]: SOFTWARE RESTRICTION POLICY: c:\windows\temp\splunkforwarder-6.3.3-f44afce176d0-x64-release.msi is permitted to run at the 'unrestricted' authorization level.
MSI (s) (38:B8) [08:59:14:705]: End dialog not enabled
MSI (s) (38:B8) [08:59:14:705]: Original package ==> c:\windows\temp\splunkforwarder-6.3.3-f44afce176d0-x64-release.msi
MSI (s) (38:B8) [08:59:14:705]: Package we're running from ==> c:\Windows\Installer\405ce823.msi
MSI (s) (38:B8) [08:59:14:721]: APPCOMPAT: Compatibility mode property overrides found.
MSI (s) (38:B8) [08:59:14:721]: APPCOMPAT: looking for appcompat database entry with ProductCode '{6909E33C-54C7-4380-9790-93E834B78BAF}'.
MSI (s) (38:B8) [08:59:14:721]: APPCOMPAT: no matching ProductCode found in database.
MSI (s) (38:B8) [08:59:14:721]: Machine policy value 'TransformsSecure' is 1
MSI (s) (38:B8) [08:59:14:721]: Machine policy value 'DisablePatch' is 0
MSI (s) (38:B8) [08:59:14:721]: Machine policy value 'AllowLockdownPatch' is 0
MSI (s) (38:B8) [08:59:14:736]: Machine policy value 'DisableMsi' is 1
MSI (s) (38:B8) [08:59:14:736]: Machine policy value 'AlwaysInstallElevated' is 0
MSI (s) (38:B8) [08:59:14:736]: User policy value 'AlwaysInstallElevated' is 0
MSI (s) (38:B8) [08:59:14:736]: Rejecting product '{6909E33C-54C7-4380-9790-93E834B78BAF}': Non-assigned apps are disabled for non-admin users.
MSI (s) (38:B8) [08:59:14:736]: Machine policy value 'DisableLUAPatching' is 0
MSI (s) (38:B8) [08:59:14:736]: Machine policy value 'DisableFlyWeightPatching' is 0
MSI (s) (38:B8) [08:59:14:736]: APPCOMPAT: looking for appcompat database entry with ProductCode '{6909E33C-54C7-4380-9790-93E834B78BAF}'.
MSI (s) (38:B8) [08:59:14:736]: APPCOMPAT: no matching ProductCode found in database.
MSI (s) (38:B8) [08:59:14:736]: Transforms are not secure.
MSI (s) (38:B8) [08:59:14:736]: PROPERTY CHANGE: Adding MsiLogFileLocation property. Its value is 'c:\windows\temp\splunk.txt'.
MSI (s) (38:B8) [08:59:14:736]: Command Line: CURRENTDIRECTORY=C:\ CLIENTUILEVEL=3 CLIENTPROCESSID=3752
MSI (s) (38:B8) [08:59:14:736]: PROPERTY CHANGE: Adding PackageCode property. Its value is '{9B5DC04D-40BF-4F0C-BC1D-F9A710A81949}'.
MSI (s) (38:B8) [08:59:14:736]: Product Code passed to Engine.Initialize: ''
MSI (s) (38:B8) [08:59:14:736]: Product Code from property table before transforms: '{6909E33C-54C7-4380-9790-93E834B78BAF}'
MSI (s) (38:B8) [08:59:14:736]: Product Code from property table after transforms: '{6909E33C-54C7-4380-9790-93E834B78BAF}'
MSI (s) (38:B8) [08:59:14:736]: Product not registered: beginning first-time install
MSI (s) (38:B8) [08:59:14:736]: Product {6909E33C-54C7-4380-9790-93E834B78BAF} is not managed.
MSI (s) (38:B8) [08:59:14:736]: Machine policy value 'AlwaysInstallElevated' is 0
MSI (s) (38:B8) [08:59:14:736]: User policy value 'AlwaysInstallElevated' is 0
MSI (s) (38:B8) [08:59:14:736]: MSI_LUA: Installation UI level is silent, no credential elevation is possible
MSI (s) (38:B8) [08:59:14:736]: PROPERTY CHANGE: Adding ProductState property. Its value is '-1'.
MSI (s) (38:B8) [08:59:14:736]: Entering CMsiConfigurationManager::SetLastUsedSource.
MSI (s) (38:B8) [08:59:14:736]: User policy value 'SearchOrder' is 'nmu'
MSI (s) (38:B8) [08:59:14:736]: Adding new sources is allowed.
MSI (s) (38:B8) [08:59:14:736]: PROPERTY CHANGE: Adding PackagecodeChanging property. Its value is '1'.
MSI (s) (38:B8) [08:59:14:736]: Package name extracted from package path: 'splunkforwarder-6.3.3-f44afce176d0-x64-release.msi'
MSI (s) (38:B8) [08:59:14:736]: Package to be registered: 'splunkforwarder-6.3.3-f44afce176d0-x64-release.msi'
MSI (s) (38:B8) [08:59:14:736]: Note: 1: 2205 2: 3: Error
MSI (s) (38:B8) [08:59:14:736]: Note: 1: 2262 2: AdminProperties 3: -2147287038
MSI (s) (38:B8) [08:59:14:736]: Machine policy value 'AlwaysInstallElevated' is 0
MSI (s) (38:B8) [08:59:14:736]: User policy value 'AlwaysInstallElevated' is 0
MSI (s) (38:B8) [08:59:14:736]: Rejecting product '{6909E33C-54C7-4380-9790-93E834B78BAF}': Non-assigned apps are disabled for non-admin users.
MSI (s) (38:B8) [08:59:14:736]: Note: 1: 1708
MSI (s) (38:B8) [08:59:14:736]: Product: UniversalForwarder -- Installation failed.

MSI (s) (38:B8) [08:59:14:736]: Windows Installer installed the product. Product Name: UniversalForwarder. Product Version: 6.3.3.0. Product Language: 1033. Manufacturer: Splunk, Inc.. Installation success or error status: 1625.

MSI (s) (38:B8) [08:59:14:736]: MainEngineThread is returning 1625
MSI (s) (38:24) [08:59:14:736]: No System Restore sequence number for this installation.
Info 1625.This installation is forbidden by system policy. Contact your system administrator.
c:\windows\temp\splunkforwarder-6.3.3-f44afce176d0-x64-release.msi
MSI (s) (38:24) [08:59:14:752]: User policy value 'DisableRollback' is 0
MSI (s) (38:24) [08:59:14:752]: Machine policy value 'DisableRollback' is 0
MSI (s) (38:24) [08:59:14:752]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (38:24) [08:59:14:752]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (38:24) [08:59:14:752]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (38:24) [08:59:14:752]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
MSI (c) (A8:64) [08:59:14:752]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
MSI (c) (A8:64) [08:59:14:752]: MainEngineThread is returning 1625
=== Verbose logging stopped: 4/4/2016 8:59:14 ===

0 Karma
1 Solution

akira_splunk
Splunk Employee
Splunk Employee

Error 1625: This installation is forbidden by system policy occurs when installing

Possible Causes:

You're not logged in as an administrator.
Your Windows Installer system policy prevents you from installing digitally-signed software updates.

Possible Solutions:

Log on to your computer with administrative rights, and try reinstalling.

Log on as an administrator and retry installation, and retry.

If that doesn't work, you will need to enable installation of digitally-signed software updates:

Open a command prompt as administrator
From the command prompt, type gpedit.msc, and then click OK.
On the Local Group Policy window, navigate to Local Computer Policy, then Computer Configuration, then Administrative Templates, then Windows Components, and then Windows Installer.
Double-click Prohibit non-administrators from applying vendor-signed updates.
Click Disabled, and then click OK.

View solution in original post

akira_splunk
Splunk Employee
Splunk Employee

Error 1625: This installation is forbidden by system policy occurs when installing

Possible Causes:

You're not logged in as an administrator.
Your Windows Installer system policy prevents you from installing digitally-signed software updates.

Possible Solutions:

Log on to your computer with administrative rights, and try reinstalling.

Log on as an administrator and retry installation, and retry.

If that doesn't work, you will need to enable installation of digitally-signed software updates:

Open a command prompt as administrator
From the command prompt, type gpedit.msc, and then click OK.
On the Local Group Policy window, navigate to Local Computer Policy, then Computer Configuration, then Administrative Templates, then Windows Components, and then Windows Installer.
Double-click Prohibit non-administrators from applying vendor-signed updates.
Click Disabled, and then click OK.

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...