Universal Forwarder Installation Fails While Installing RegMon Driver

SplunkTrust

I'm trying to install the v6.2.1 Windows 2008 64-bit version of the universal forwarder. It is failing during the installation. When I look at the log file I see the following:

InstallRegmonDrvCA
InstallRegmonDrv: Warning: Invalid property ignored: FailCA=.
InstallRegmonDrv: Info: Driver inf file: C:\Program Files\SplunkUniversalForwarder\bin\splunkdrv-win6.inf.
InstallRegmonDrv: Error: DriverPackageInstall failed with: 0xa.
InstallRegmonDrv: Warning: Failed to install regmon driver.
InstallRegmonDrv: Error 0x80004005: Cannot install regmon driver.
CustomAction InstallRegmonDrv returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 15:13:28: InstallFinalize. Return value 3.

Looking up the 0x80004005 error, this points to a permissions problem.

Anyone else seen this and have any solutions on how to fix?

Thanks.

1 Solution

Splunk Employee

I have the same issue. I ran the command "sfc /scannow" in a command prompt, and it did fix some issue. After that, I could install Splunk 6.2.1.

Engager

When will the SPL-94693 fix be available in the maintenance release?

Engager

I was trying to install the 6.2.3 (x64) version BTW, and running sfc /scannow does solve the issue. Thanks!

Communicator

This fixed it for me as well.

SplunkTrust

I ran this on our problem servers and was able to install the forwarders as well.

Thanks.

Splunk Employee

Thank you for notifying us about the issue. I've opened bug SPL-94693. I will update this when I have been provided additional information.

Jacob
Sr. Technical Support Engineer

Explorer

I have the same issue, but running the command "sfc /scannow" does NOT fix the issue. Are there any updates to SPL-94693? Thanks.

Splunk Employee

SPL-94693 fix will likely be in the next maintenance release. The workaround is as described by mwong. Please be sure to reboot after running sfc /scannow. If that does not work, be certain all available updates are installed and repeat the steps. If after that the issue still exists, I would encourage you to file a case with Splunk so it can be reviewed.

Jacob
Sr. Technical Support Engineer

SplunkTrust

We did a little more testing and figured out that the forwarder thinks the release is incompatible because the server is an Intel server and the install thinks it's an AMD64.
