Endpoint Protection


The domain controllers that run windows server 2000 show event ID 1000: Windows cannot unload your registry file when SEP 11 run scheduled scan

  • 1.  The domain controllers that run windows server 2000 show event ID 1000: Windows cannot unload your registry file when SEP 11 run scheduled scan

    Posted Aug 13, 2009 04:08 PM
    We have two domain controllers that run Windows Server 2000 with Symantec Endpoint Protection Version 11.0.3 installed.  Every day the event viewer shows event ID 1000: "Windows cannot unload your registry file. If you have a roaming profile, your settings are not replicated. Contact your administrator. DETAIL - Access is denied. , Build number ((2195)).".  These error messages only appear when SEP 11 triggers the daily scheduled scan.

    This error appeared between 6:03 and 6:04 PM, that is, right after the scheduled scan, which is at 6:00 PM.  I changed the scheduled scan time to 5:20 PM and the error message time also changed to 5:23 and 5:24 PM.

    Can somebody explain to me why the scheduled scan would cause the error?

    Thanks
     



  • 2.  RE: The domain controllers that run windows server 2000 show event ID 1000: Windows cannot unload your registry file when SEP 11 run scheduled scan

    Posted Aug 13, 2009 04:24 PM
    This issue was fixed in MR4 MP1a. I would recommend upgrading to the latest build (MR4 MP2). BTW, MR5 is due to release early next month.

    Cheers,
    Thomas


  • 3.  RE: The domain controllers that run windows server 2000 show event ID 1000: Windows cannot unload your registry file when SEP 11 run scheduled scan

    Posted Aug 13, 2009 04:42 PM
    What is the service pack for 2000? If it is SP4, it is OK. If it's SP3, then upgrade to SP4.
     
    Upgrade SEP MR3 to SEP MR4
     
    Please go to the following site: https://fileconnect.symantec.com/
     
    Enter the Serial No. of the product
     
    Migration to MR4
     
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008121712452848.


  • 4.  RE: The domain controllers that run windows server 2000 show event ID 1000: Windows cannot unload your registry file when SEP 11 run scheduled scan

    Posted Aug 27, 2009 09:20 AM
    Our Windows 2000 servers already had SP4 installed.

    I upgraded our SEP Management server and all of the clients to the latest Maintenance Release 11.0 MR4 MP2.  Waiting for Month End Maintenance to reboot the servers to see if it will fix the errors.  Will let everybody know if the errors were fixed.  Thanks



  • 5.  RE: The domain controllers that run windows server 2000 show event ID 1000: Windows cannot unload your registry file when SEP 11 run scheduled scan

    Posted Sep 03, 2009 08:33 AM
    I upgraded both the SEP Management server and the clients to ver. 11.0 MR4 MP2 and event viewer stopped showing event ID 1000 as error.  It shows it as informational only.  However, after I rebooted the servers the system event viewer showed an error (Event ID 7000): "The Extend WG Protocol Driver service failed to start due to the following error:  The system cannot find the file specified."

    I found an article "Windows Errors on reboot - Extend WG Protocol Driver, also Event 2510 on Server service" on:
    https://www-secure.symantec.com/connect/forums/windows-errors-reboot-extend-wg-protocol-driver-also-event-2510-server-service
    recommending to remove or disable the WGX.sys driver but I am not sure about the repercussions of doing that.

    Is it safe to remove or disable that driver? Please help.



  • 6.  RE: The domain controllers that run windows server 2000 show event ID 1000: Windows cannot unload your registry file when SEP 11 run scheduled scan

    Posted Sep 03, 2009 08:53 AM
    There is no need to remove or disable the driver.

    This error occurs if the location of the driver is not the same as the one indicated in the registry.

    Navigate to

     C:\WINDOWS\System32\drivers\.

    and check whether WGX.SYS is present or not.

    Next, search the registry for references to that driver to see if the file path in the registry matches the actual file path.

    If the actual file path differs from the path in the registry, edit the path in the registry to match the actual file path.
     
    Note: Back up your registry prior to making changes.

    C:\Program Files\Symantec\Symantec Endpoint Protection\ 


  • 7.  RE: The domain controllers that run windows server 2000 show event ID 1000: Windows cannot unload your registry file when SEP 11 run scheduled scan

    Posted Sep 03, 2009 03:03 PM
    I could not find any WGX.SYS driver in the registry but I found it in C:\WINDOWS\System32\drivers\.
    Can someone tell me what the path in the registry keys is so I can manually create one? Thanks


  • 8.  RE: The domain controllers that run windows server 2000 show event ID 1000: Windows cannot unload your registry file when SEP 11 run scheduled scan

    Posted Sep 03, 2009 03:21 PM
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WGX

    ImagePath  C:\WINDOWS\System32\drivers\.WGX.SYS



  • 9.  RE: The domain controllers that run windows server 2000 show event ID 1000: Windows cannot unload your registry file when SEP 11 run scheduled scan

    Posted Sep 11, 2009 02:19 PM
    We are running Windows 2000 servers so the correct path is: C:\Winnt\System32\Drivers\WGX.SYS. I've confirmed the WGX.SYS file is there.

    I've tried to edit the following paths in the registry (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WGX).

    1. C:\Winnt\System32\Drivers\WGX.SYS
    2. \Winnt\System32\Drivers\WGX.SYS
    3. %SystemRoot%\System32\Drivers\WGX.SYS
    4. C:\Program Files\Symantec\Symantec Endpoint Protection\WGX.SYS

    NONE OF THE ABOVE HAS WORKED.  Always tells me the specified path could not be found.

    Can someone tell me what is really the correct path in the registry? Is it the correct driver for windows 2000 servers? Thanks


  • 10.  RE: The domain controllers that run windows server 2000 show event ID 1000: Windows cannot unload your registry file when SEP 11 run scheduled scan

    Posted Sep 11, 2009 02:35 PM
    Hi Ken_D,

    I see your note above about the registry, to clarify you tried searching the entire registry for "wgx.sys" and found nothing other than the mentioned key? If you search and do find any I would ensure they point to the correct path.

    I checked my registry here and I see it located at the following:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\4953094E6841EF9469FB38656B309FA1
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\SERVICES\WGX
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\WGX
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WGX

    The entry in CurrentVersion points to the file in the SEP folder and the Services ones point to the following:

    ImagePath = System32\Drivers\wgx.sys

    Alternatively, this driver is for SNAC. If you are not using it or have no plans to you can simply remove it:

    -Open Device Manager
    -Click View > Show hidden devices
    -Expand Non-Plug and Play Drivers and uninstall the "Extend WG Protocol Driver"
    -Open a command prompt, and type the following command and hit Enter:

    sc delete "wgx"

    -Reboot the system.
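
Added example (not part of any post in this thread, and not Symantec code): a Python sketch of the check the replies above describe, resolving a driver service's ImagePath to a file path and testing whether that file exists. The service entries and file list are constructed sample data, `C:\Winnt` is the Windows 2000 system root from post 9, and drive-letter or `%variable%` forms are only flagged for manual review rather than interpreted.

```python
import ntpath

SYSTEM_ROOT = r"C:\Winnt"  # Windows 2000 system root, as in post 9

def resolve_image_path(service, image_path, system_root=SYSTEM_ROOT):
    """Map a driver service's ImagePath to a Win32 path; None = review by hand."""
    if not image_path:
        # Assumption: with no ImagePath, the default is drivers\<service>.sys
        return ntpath.join(system_root, "System32", "drivers", service + ".sys")
    p = image_path.strip().strip('"')
    if p.lower().startswith("\\systemroot\\"):
        return ntpath.join(system_root, p[len("\\systemroot\\"):])
    if p.startswith("\\??\\"):
        return p[4:]  # NT-style absolute path: drop the \??\ prefix
    if "%" in p or p.startswith("\\") or ntpath.splitdrive(p)[0]:
        return None  # unexpanded variable, rooted or drive-letter form
    return ntpath.join(system_root, p)  # relative: under the system root

def audit(services, existing_files, system_root=SYSTEM_ROOT):
    """Return {service: (status, resolved_path)} for each registry entry."""
    present = {ntpath.normpath(f).lower() for f in existing_files}
    report = {}
    for name, image_path in services.items():
        resolved = resolve_image_path(name, image_path, system_root)
        if resolved is None:
            status = "review"
        elif ntpath.normpath(resolved).lower() in present:
            status = "ok"
        else:
            status = "missing"
        report[name] = (status, resolved)
    return report

# Constructed sample data: ImagePath values as they might be read from
# HKLM\SYSTEM\CurrentControlSet\Services\<name>, and files found on disk.
SAMPLE_SERVICES = {
    "WGX": r"System32\Drivers\wgx.sys",
    "WGX_abs": r"C:\Winnt\System32\Drivers\WGX.SYS",  # hypothetical entry
    "ExampleDrv": r"\SystemRoot\System32\drivers\exampledrv.sys",  # hypothetical
}
SAMPLE_FILES = [r"C:\Winnt\System32\Drivers\WGX.SYS"]

if __name__ == "__main__":
    for name, (status, path) in audit(SAMPLE_SERVICES, SAMPLE_FILES).items():
        print(f"{name:12} {status:8} {path}")
```

A "missing" result corresponds to the Event ID 7000 condition in this thread: a service entry that still exists while the file it names does not.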


  • 11.  RE: The domain controllers that run windows server 2000 show event ID 1000: Windows cannot unload your registry file when SEP 11 run scheduled scan

    Posted Sep 14, 2009 08:04 PM

    On my servers this seems to be an installation issue with MR4.  If I go into Control Panel, Add Remove Programs, Select SEP and select Modify, then click on Antivirus Email Protection, and select "this feature will not be available" (even though it's already set to "unavailable") and allow the installer to finish things are fine at the next reboot.  WGX.sys should never have been there to begin with.  On reboot, sure enough it's not in the device list.

    BTW, this fix comes from the thread "SEP 11.X running on Servers" https://www-secure.symantec.com/connect/forums/sep-11x-running-servers

    So, my questions - Is this on the bug list?  Is it still broken in MR4 MP2?  Is it still broken in MR5?

    Yet another question - why don't the "support" folks seem to know anything about this?  I currently have case number 320-221-922 open and the person that I'm dealing with is clueless about this.  He/she keeps asking me to replace WGX.sys.  Incidentally, WGX.sys is happily sitting there where it belongs in system32\devices and the registry references all point just where they should.  I think that the issue is that WGX.sys knows that it's not supposed to be running and bails out which causes the errors.  Wouldn't it be great if the guy that wrote WGX.SYS knew how to write system event log entries?

    Thanks!

    Greg



  • 12.  RE: The domain controllers that run windows server 2000 show event ID 1000: Windows cannot unload your registry file when SEP 11 run scheduled scan

    Posted Sep 16, 2009 02:11 PM
    I found that editing the registry is not a good way to solve this problem.  Also I've tried several times to edit the reg as suggested above but none has worked for me.

    I decided to uninstall the WGX driver from Device Manager, then run this command line:  "delsrv WGX" without the quotes (for Windows 2000 servers only) to remove all of the WGX services and rebooted the servers.  Our three servers have no more errors.  This small issue had cost me about three weeks of tireless research, trial and error, plus I almost made a mistake while editing the registry (luckily I've backed it up).  I think Symantec should test their product a little better before pushing it out to production.


  • 13.  RE: The domain controllers that run windows server 2000 show event ID 1000: Windows cannot unload your registry file when SEP 11 run scheduled scan

    Posted Oct 16, 2009 08:53 AM
    This issue seems to still be alive and well in SEP v11.0.5...

    We just updated last night, and now both Windows 2000 and Windows 2003 servers are complaining about this service not starting because "The system cannot find the file specified."

    The one difference seems to be that now the file really is missing (it is not in "[systemroot]\system32\drivers" as the Event message indicates).

    So, what is the best thing to do for MR5?  Do we hack the registry (again... since the Symantec install process hasn't been designed to properly manage these settings...), or do we uninstall the service?

    Incidentally: 
    The upgrade seemed to go well otherwise (at least for the systems that were online).  Most of our workstations will be getting the new client this morning, but so far that is looking good.


  • 14.  RE: The domain controllers that run windows server 2000 show event ID 1000: Windows cannot unload your registry file when SEP 11 run scheduled scan

    Posted Oct 24, 2009 10:22 AM
    "The Extend WG Protocol Driver service failed to start"


    Same thing happened to me with MR5 on a 2003 and 2000 server. Fun stuff this upgrading can be.


  • 15.  RE: The domain controllers that run windows server 2000 show event ID 1000: Windows cannot unload your registry file when SEP 11 run scheduled scan

    Posted Oct 24, 2009 10:25 AM
    I uninstalled it and still get the same error on the 2000 server.

    Guess it's time for a regedit after the backup finishes.


  • 16.  RE: The domain controllers that run windows server 2000 show event ID 1000: Windows cannot unload your registry file when SEP 11 run scheduled scan

    Posted Oct 26, 2009 08:28 AM
    We aren't running SNAC on the affected machines, so I've used the procedure provided by John Prince (above, tagged as "info") to delete the WGX service.  If you are using SNAC, I wonder if using this same process (to delete WGX manually) and then reinstalling the client would take care of the issue?  Seems like even a client that can't properly upgrade would at least be able to install cleanly and work once the conflicting registry entries are cleaned up manually...

    Here is a quote of the process John Price provided for removing WGX: 

    "Alternatively, this driver is for SNAC. If you are not using it or have no plans to you can simply remove it:

    -Open Device Manager
    -Click View > Show hidden devices
    -Expand Non-Plug and Play Drivers and uninstall the "Extend WG Protocol Driver"
    -Open a command prompt, and type the following command and hit Enter:

    sc delete "wgx"

    -Reboot the system."

    Good luck!



  • 17.  RE: The domain controllers that run windows server 2000 show event ID 1000: Windows cannot unload your registry file when SEP 11 run scheduled scan

    Posted Dec 02, 2009 10:05 AM
    Symantec:  I have an excellent idea - if a service or feature is not selected for installation within the package, why not simply keep it from being deployed?  Why is it okay to push drivers and services to a system when those features are not even used?  Companies should think of customer systems more as not belonging to them - having a mindset that they don't have permission to just install anything they want as part of an application package.  Only what is necessary for the chosen feature set should be installed.


  • 18.  RE: The domain controllers that run windows server 2000 show event ID 1000: Windows cannot unload your registry file when SEP 11 run scheduled scan

    Posted Dec 02, 2009 10:13 AM
    BigAnvil, you should post your idea to the "Ideas" section of this forum. Our developers look at these ideas to help in creating product features/options that the users want.

    http://www-secure.symantec.com/connect/security/ideas


  • 19.  RE: The domain controllers that run windows server 2000 show event ID 1000: Windows cannot unload your registry file when SEP 11 run scheduled scan

    Posted Mar 16, 2010 04:38 PM

    I have just experienced this issue upgrading from MR4 to RU5 for one of our customers.

    I just love talking up this product and selling the upgrade because it's "better and has bug fixes, etc etc" only to have this problem happen on all the servers.  Makes me (and Symantec) look real good...  Especially when I explain that once SEP is installed, upgrades are painless with the autoupgrade feature.

    Sure, RU5 does have bug fixes and the like, but I'd like to consider SEP a "mature" product by now but I just can't say that wholeheartedly when stupid, seemingly preventable stuff like this happens.

    On top of that I recently followed a KB article for moving the database to another partition which took down connectivity for all SEP clients and the SEPM.  Needed to call support for help, when they told me the article was not correct.  That's good.

    ...my sarcastic 2 cents



  • 20.  RE: The domain controllers that run windows server 2000 show event ID 1000: Windows cannot unload your registry file when SEP 11 run scheduled scan

    Posted Mar 31, 2010 11:20 AM
    What if I do want to use SNAC? What is the solution to keeping the WGX.SYS file? Copy it to System32\Drivers on all systems? Edit the file that points to the wrong directory? What to do?


  • 21.  RE: The domain controllers that run windows server 2000 show event ID 1000: Windows cannot unload your registry file when SEP 11 run scheduled scan

    Posted Mar 31, 2010 11:31 AM
    Editing the registry works. Now is there a way to edit the registry on all my machines? Preferably automated.