Universal Forwarder Installation Fails While Installing RegMon Driver

snowmizer
SplunkTrust

I'm trying to install the v6.2.1 Windows 2008 64-bit version of the universal forwarder. It is failing during the installation. When I look at the log file I see the following:

InstallRegmonDrvCA
InstallRegmonDrv: Warning: Invalid property ignored: FailCA=.
InstallRegmonDrv: Info: Driver inf file: C:\Program Files\SplunkUniversalForwarder\bin\splunkdrv-win6.inf.
InstallRegmonDrv: Error: DriverPackageInstall failed with: 0xa.
InstallRegmonDrv: Warning: Failed to install regmon driver.
InstallRegmonDrv: Error 0x80004005: Cannot install regmon driver.
CustomAction InstallRegmonDrv returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 15:13:28: InstallFinalize. Return value 3.

Looking up the 0x80004005 error, this points to a permissions problem.

Anyone else seen this and have any solutions on how to fix?

Thanks.

1 Solution

mwong
Splunk Employee

I had the same issue. I ran the command "sfc /scannow" in a command prompt, and it did fix some issues. After that, I could install Splunk 6.2.1.

supergreen
Engager

When will the SPL-94693 fix be available in the maintenance release?

supergreen
Engager

I was trying to install the 6.2.3 (x64) version, BTW, and running sfc /scannow does solve the issue. Thanks!

LewisWheeler
Communicator

This fixed it for me as well.

snowmizer
SplunkTrust

I ran this on our problem servers and was able to install the forwarders as well.

Thanks.

jcrabb_splunk
Splunk Employee

Thank you for notifying us about the issue. I've opened bug SPL-94693. I will update this when I have been provided additional information.

Jacob
Sr. Technical Support Engineer

e2eadmin
Explorer

I have the same issue, but running the command "sfc /scannow" does NOT fix the issue. Are there any updates to SPL-94693? Thanks.

jcrabb_splunk
Splunk Employee

SPL-94693 fix will likely be in the next maintenance release. The workaround is as described by mwong. Please be sure to reboot after running sfc /scannow. If that does not work, be certain all available updates are installed and repeat the steps. If after that the issue still exists, I would encourage you to file a case with Splunk so it can be reviewed.

Jacob
Sr. Technical Support Engineer

snowmizer
SplunkTrust

We did a little more testing and figured out that the forwarder thinks the release is incompatible because the server is an Intel server and the install thinks it's an AMD64.
