Installation
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Enterprise installation fails in connection with regmon driver ( Windows 7 Enterprise x64)?

grose
New Member
‎03-27-2015 02:19 PM

Hi,

I've tried to install the latest version of Splunk on Windows 7 Enterprise x64. The installation consistently errors out because a regmon driver can not be installed. I've attached the relevant portion of the log file generated during the installation.

I see the post

http://answers.splunk.com/answers/205168/universal-forwarder-installation-fails-while-insta.html

however running sfc /scannow does not help (even though the process performed some fixes)

Are there any other possible explanations/solutions? Thanks,

Gordon

MSI (s) (D8:C0) [15:29:32:460]: File: C:\Program Files\Splunk\Python-2.7\Lib\site-packages\django\contrib\admin\static\admin\css\widgets.css; To be installed; Won't patch; No existing file
MSI (s) (D8:C0) [15:29:32:460]: Source for file 'filFFEE9CEB7944FFE7CAB39491F0767E9C' is compressed
MSI (s) (D8:C0) [15:29:32:461]: Executing op: CacheSizeFlush(,)
MSI (s) (D8:C0) [15:29:32:461]: Executing op: ActionStart(Name=RollbackRegmonDrv,,)
MSI (s) (D8:C0) [15:29:32:469]: Executing op: CustomActionSchedule(Action=RollbackRegmonDrv,ActionType=3329,Source=BinaryData,Target=UninstallRegmonDrvCA,CustomActionData=SplunkHome=C:\Program Files\Splunk\;FailCA=)
MSI (s) (D8:C0) [15:29:32:472]: Executing op: ActionStart(Name=InstallRegmonDrv,,)
MSI (s) (D8:C0) [15:29:32:473]: Executing op: CustomActionSchedule(Action=InstallRegmonDrv,ActionType=3073,Source=BinaryData,Target=InstallRegmonDrvCA,CustomActionData=SplunkHome=C:\Program Files\Splunk\;LEGACYDRV=1;FailCA=)
MSI (s) (D8:08) [15:29:32:480]: Invoking remote custom action. DLL: C:\Windows\Installer\MSI8D6F.tmp, Entrypoint: InstallRegmonDrvCA
MSI (s) (D8:4C) [15:29:32:480]: Generating random cookie.
MSI (s) (D8:4C) [15:29:32:481]: Created Custom Action Server with PID 14100 (0x3714).
MSI (s) (D8:58) [15:29:32:496]: Running as a service.
MSI (s) (D8:58) [15:29:32:496]: Hello, I'm your 64bit Elevated custom action server.
InstallRegmonDrv: Warning: Invalid property ignored: FailCA=.
InstallRegmonDrv: Info: Driver inf file: C:\Program Files\Splunk\bin\splunkdrv-win6.inf.
InstallRegmonDrv: Error: DriverPackageInstall failed with: 0xa.
InstallRegmonDrv: Warning: Failed to install regmon driver.
InstallRegmonDrv: Error 0x80004005: Cannot install regmon driver.
CustomAction InstallRegmonDrv returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 15:29:32: InstallFinalize. Return value 3.
MSI (s) (D8:C0) [15:29:32:514]: User policy value 'DisableRollback' is 0
MSI (s) (D8:C0) [15:29:32:514]: Machine policy value 'DisableRollback' is 0
MSI (s) (D8:C0) [15:29:32:531]: Executing op: Header
Labels (1)
Labels
Tags (2)
0 Karma
Reply

Splunk_MyITGuy
Engager
‎06-08-2016 09:25 AM

For us, this issue was caused by a several issues; (1) %windir%\system32\difxapi.dll was allowed to be overwritten with an invalid difxapi.dll release by the HP Universal Print Driver and (2) a failure by Microsoft to correctly increment the release versions of difxapi.dll. Except for timestamps and file size, the VersionInfo on both files is identical.

To validate this issue is occurring in the environment, execute the following command: sfc.exe /verifyfile=%windir%\system32\difxapi.dll

If the output shows: Windows Resource Protection found integrity violations. Resolve the integrity violation with the individual file by executing the following command: sfc.exe /scanfile=%windir%\system32\difxapi.dll. A reboot will be required to restore integrity.

Reply

johnberwick
Splunk Employee
Splunk Employee
‎11-20-2015 03:34 AM

Anyone having installation issues please can you check the difxapi.dll in your system32 Directory and ensure its the original for that OS.

I have just seen a similar issue where the HP Universal Print drivers was installing it's own copy of the difxapi.dll which was causing the the splunk installer to fail. after restoring the original version the installer worked.

Some driver suppliers include the difxapi.dll because it's not on windows XP systems by default and may be replacing it on the Newer systems as well.

0 Karma
Reply

chadman
Path Finder
‎06-22-2015 06:07 AM

Did you ever resolve this issue? In my case I can fix it with the sfc command, but we had a 20% failure rate for this software on 60 machines. I have worked with Splunk support, but have not gotten any help besides to run the sfc command. I need to install this on over a 1000 and would like to know why it's failing so much.

0 Karma
Reply

masonmorales
Influencer
‎03-27-2015 04:42 PM

This might be a shot in the dark, but what happens if you run the installer as administrator? See: http://windows.microsoft.com/en-us/windows7/how-do-i-run-an-application-once-with-a-full-administrat...

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...