Installing the forwarder manually works fine, installing it automatically with the same user account fails with a 1603 error.
Installer logs snippet:
MSI (s) (B8:FC) [09:22:23:304]: Note: 1: 2203 2: C:\Windows\Installer\inprogressinstallinfo.ipi 3: -2147287038
MSI (s) (B8:FC) [09:22:23:304]: Note: 1: 2205 2: 3: LaunchCondition
MSI (s) (B8:FC) [09:22:23:304]: Note: 1: 2228 2: 3: LaunchCondition 4: SELECT `Condition` FROM `LaunchCondition`
MSI (s) (B8:FC) [09:22:23:304]: APPCOMPAT: [DetectVersionLaunchCondition] Failed to initialize pRecErr.
MSI (s) (B8:FC) [09:22:23:304]: PROPERTY CHANGE: Adding ACTION property. Its value is 'INSTALL'.
MSI (s) (B8:FC) [09:22:23:304]: Doing action: INSTALL
MSI (s) (B8:FC) [09:22:23:304]: Note: 1: 2205 2: 3: ActionText
Action start 9:22:23: INSTALL.
MSI (s) (B8:FC) [09:22:23:320]: Running ExecuteSequence
MSI (s) (B8:FC) [09:22:23:320]: Doing action: SetAllUsers
MSI (s) (B8:FC) [09:22:23:320]: Note: 1: 2205 2: 3: ActionText
MSI (s) (B8:EC) [09:22:23:320]: Invoking remote custom action. DLL: C:\Windows\Installer\MSI5F93.tmp, Entrypoint: SetAllUsersCA
MSI (s) (B8:F8) [09:22:23:320]: Generating random cookie.
MSI (s) (B8:F8) [09:22:23:320]: Created Custom Action Server with PID 976 (0x3D0).
MSI (s) (B8:3C) [09:22:23:335]: Running as a service.
MSI (s) (B8:3C) [09:22:23:335]: Hello, I'm your 64bit Impersonated custom action server.
Action start 9:22:23: SetAllUsers.
SetAllUsers: Debug: Num of subkeys found: 1.
SetAllUsers: Info: Previously installed Splunk product is not found.
SetAllUsers: Error: Failed SetAllUsers: 0x2.
SetAllUsers: Info: Leave SetAllUsers: 0x80004005.
CustomAction SetAllUsers returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 9:22:23: SetAllUsers. Return value 3.
Action ended 9:22:23: INSTALL. Return value 3.
Thanks Jo! Unfortunately, I pretty much exhausted everything I could find in the community discussions (including that link).
That link did prompt me to include the logging information in my post though.
Hope that helps.
I'm pretty sure the linked answer is the issue, it's just that the culprit here will be a different key that doesn't contain a ProductName value.
Are you on the Splunk-Usergroups Slack, perchance? Feel free to hit me up there. Otherwise I would suggest that you open a case with Support.
Please see here: https://community.splunk.com/t5/Getting-Data-In/unable-to-install-universal-forwarder-windows-10/td-....
The 1603 error code during an automatic Splunk Universal Forwarder installation is most likely caused by a failure in the SetAllUsers custom action. This could be due to a variety of factors, including, but not limited to, insufficient permissions, an earlier version of Splunk installed, or an issue with the installation package. You can try the following steps to resolve this issue:
The Splunk documentation contains information about the 1603 error. The official documentation can be found here: https://docs.splunk.com/Documentation/Forwarder/7.3.1/Forwarder/TroubleshoottheSplunkforwarderinstal...
I get the same 1603 error but only on our Exchange Servers, DCs or regular servers work fine without an error.
Is there anything different on Exchange during setup?
1. User is Domain Admin
2. No previous installations
3. latest MSI
I can confirm that the Splunk Windows Installer package does not do anything special on servers that are running Exchange. Were you able to follow the instructions in the link I posted above?
Unfortunately, that link doesn't resolve to anything for me.