Splunk Enterprise installation fails in connection with regmon driver ( Windows 7 Enterprise x64)?

New Member


I've tried to install the latest version of Splunk on Windows 7 Enterprise x64. The installation consistently errors out because a regmon driver can not be installed. I've attached the relevant portion of the log file generated during the installation.

I see the post

however running sfc /scannow does not help (even though the process performed some fixes)

Are there any other possible explanations/solutions? Thanks,


MSI (s) (D8:C0) [15:29:32:460]: File: C:\Program Files\Splunk\Python-2.7\Lib\site-packages\django\contrib\admin\static\admin\css\widgets.css; To be installed; Won't patch; No existing file
MSI (s) (D8:C0) [15:29:32:460]: Source for file 'filFFEE9CEB7944FFE7CAB39491F0767E9C' is compressed
MSI (s) (D8:C0) [15:29:32:461]: Executing op: CacheSizeFlush(,)
MSI (s) (D8:C0) [15:29:32:461]: Executing op: ActionStart(Name=RollbackRegmonDrv,,)
MSI (s) (D8:C0) [15:29:32:469]: Executing op: CustomActionSchedule(Action=RollbackRegmonDrv,ActionType=3329,Source=BinaryData,Target=UninstallRegmonDrvCA,CustomActionData=SplunkHome=C:\Program Files\Splunk\;FailCA=)
MSI (s) (D8:C0) [15:29:32:472]: Executing op: ActionStart(Name=InstallRegmonDrv,,)
MSI (s) (D8:C0) [15:29:32:473]: Executing op: CustomActionSchedule(Action=InstallRegmonDrv,ActionType=3073,Source=BinaryData,Target=InstallRegmonDrvCA,CustomActionData=SplunkHome=C:\Program Files\Splunk\;LEGACYDRV=1;FailCA=)
MSI (s) (D8:08) [15:29:32:480]: Invoking remote custom action. DLL: C:\Windows\Installer\MSI8D6F.tmp, Entrypoint: InstallRegmonDrvCA
MSI (s) (D8:4C) [15:29:32:480]: Generating random cookie.
MSI (s) (D8:4C) [15:29:32:481]: Created Custom Action Server with PID 14100 (0x3714).
MSI (s) (D8:58) [15:29:32:496]: Running as a service.
MSI (s) (D8:58) [15:29:32:496]: Hello, I'm your 64bit Elevated custom action server.
InstallRegmonDrv: Warning: Invalid property ignored: FailCA=.
InstallRegmonDrv: Info: Driver inf file: C:\Program Files\Splunk\bin\splunkdrv-win6.inf.
InstallRegmonDrv: Error: DriverPackageInstall failed with: 0xa.
InstallRegmonDrv: Warning: Failed to install regmon driver.
InstallRegmonDrv: Error 0x80004005: Cannot install regmon driver.
CustomAction InstallRegmonDrv returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 15:29:32: InstallFinalize. Return value 3.
MSI (s) (D8:C0) [15:29:32:514]: User policy value 'DisableRollback' is 0
MSI (s) (D8:C0) [15:29:32:514]: Machine policy value 'DisableRollback' is 0
MSI (s) (D8:C0) [15:29:32:531]: Executing op: Header
Labels (1)
Tags (2)
0 Karma

Re: Splunk Enterprise installation fails in connection with regmon driver


This might be a shot in the dark, but what happens if you run the installer as administrator? See:

0 Karma

Re: Splunk Enterprise installation fails in connection with regmon driver

Path Finder

Did you ever resolve this issue? In my case I can fix it with the sfc command, but we had a 20% failure rate for this software on 60 machines. I have worked with Splunk support, but have not gotten any help besides to run the sfc command. I need to install this on over a 1000 and would like to know why it's failing so much.

0 Karma

Re: Splunk Enterprise installation fails in connection with regmon driver

Splunk Employee
Splunk Employee

Anyone having installation issues please can you check the difxapi.dll in your system32 Directory and ensure its the original for that OS.

I have just seen a similar issue where the HP Universal Print drivers was installing it's own copy of the difxapi.dll which was causing the the splunk installer to fail. after restoring the original version the installer worked.

Some driver suppliers include the difxapi.dll because it's not on windows XP systems by default and may be replacing it on the Newer systems as well.

0 Karma

Re: Splunk Enterprise installation fails in connection with regmon driver

For us, this issue was caused by a several issues; (1) %windir%\system32\difxapi.dll was allowed to be overwritten with an invalid difxapi.dll release by the HP Universal Print Driver and (2) a failure by Microsoft to correctly increment the release versions of difxapi.dll. Except for timestamps and file size, the VersionInfo on both files is identical.

To validate this issue is occurring in the environment, execute the following command: sfc.exe /verifyfile=%windir%\system32\difxapi.dll

If the output shows: Windows Resource Protection found integrity violations. Resolve the integrity violation with the individual file by executing the following command: sfc.exe /scanfile=%windir%\system32\difxapi.dll. A reboot will be required to restore integrity.