Video Screencast Help
Protect Your POS Environment Against Retail Data Breaches. Learn More.

SEP 11.0.7000.975 installation rolls back

Created: 21 Nov 2012 • Updated: 03 Dec 2012 | 14 comments
This issue has been solved. See solution.

Dear All,

I'm trying to install SEP 11.0.7000.975 on a Win 2003 SP2 server. The previous installation crashed, a couple of moduls was not running, so I completely removed it. 

Ran the built-in uninstaller, CleanWipe, also performed the steps on the below link:

http://www.symantec.com/business/support/index?page=content&id=TECH102261

So thoretically no remnant of the old installation should exist on the machine.

However it still keeps rolling back, after isntalling virus definitions the status is: 'Removing backup files', right after it the 'Rolling back' action is starting. I've spent hours of googling this issue and I tried every single suggestion.

E.g.:

- Check for infections. Installed AVG, Spybot, MBAM, TDSSKiller etc. to scan for any threat. Nothing found, machine seems clean.

- Check if Event Log is Started and set as automatic  in services.msc. It's running fine.

- Making sure that the value of 'HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders' is '%USERPROFILE%\Application Data'.

So I'm out of ideas. I searched for 'return value 3' in SEP_INST.LOG. Please see around 30 lines above it:

ADMINMOVEFILES: Removed folder: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1\MARGBVDQ\IPSDefs\

WriteCcSettingsTables: SetOneTimeUpdateCookie_RB.93C43188_D2F5_461E_B42B_C3A2A318345C
MSI (s) (B4:B8) [22:26:24:607]: Executing op: ActionStart(Name=SetOneTimeUpdateCookie_RB.93C43188_D2F5_461E_B42B_C3A2A318345C,,)
MSI (s) (B4:B8) [22:26:24:607]: Executing op: CustomActionRollback(Action=SetOneTimeUpdateCookie_RB.93C43188_D2F5_461E_B42B_C3A2A318345C,ActionType=1281,Source=BinaryData,Target=SetOneTimeUpdateCookie_RB,)
MSI (s) (B4:14) [22:26:24:654]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI191.tmp, Entrypoint: SetOneTimeUpdateCookie_RB
WriteCcSettingsTables: DisableCancelButton.93C43188_D2F5_461E_B42B_C3A2A318345C
MSI (s) (B4:B8) [22:26:25:622]: Executing op: ActionStart(Name=DisableCancelButton.93C43188_D2F5_461E_B42B_C3A2A318345C,,)
WriteCcSettingsTables: stopSP.0723A1DC_DEB6_4A50_874F_3A2D2C99A1C1
MSI (s) (B4:B8) [22:26:25:622]: Executing op: ActionStart(Name=stopSP.0723A1DC_DEB6_4A50_874F_3A2D2C99A1C1,,)
WriteCcSettingsTables: restoreSPState.0723A1DC_DEB6_4A50_874F_3A2D2C99A1C1
MSI (s) (B4:B8) [22:26:25:622]: Executing op: ActionStart(Name=restoreSPState.0723A1DC_DEB6_4A50_874F_3A2D2C99A1C1,,)
MSI (s) (B4:B8) [22:26:25:622]: Executing op: CustomActionRollback(Action=restoreSPState.0723A1DC_DEB6_4A50_874F_3A2D2C99A1C1,ActionType=3329,Source=BinaryData,Target=restoreSPState,CustomActionData=0)
MSI (s) (B4:F4) [22:26:25:638]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI192.tmp, Entrypoint: restoreSPState
restoreSPState: called
restoreSPState: calling loadEventManagerDLLs
loadEventManagerDLLs: called
serviceIsRunning: OpenService FAILED with error 1060
LoadEvtMgrDll: ccEvtMgr is not running
serviceIsRunning: OpenService FAILED with error 1060
SendReload: ccEvtMgr is not running
loadEventManagerDLLs: FAILED to send reload event
loadEventManagerDLLs: exiting
restoreSPState: Changing service configuration to SERVICE_DEMAND START for SPBBCSvc
modifyServiceConfiguration: OpenService() FAILED with error 1060
restoreSPState: Unable to modify configuration for SPBBCSvc
restoreSPState: Value of szSPState "0"
restoreSPState: SPState is NOT set to 1. NOT Calling startSP
restoreSPState: exiting
WriteCcSettingsTables: checkMSXMLVersion.0723A1DC_DEB6_4A50_874F_3A2D2C99A1C1
MSI (s) (B4:B8) [22:26:25:950]: Executing op: ActionStart(Name=checkMSXMLVersion.0723A1DC_DEB6_4A50_874F_3A2D2C99A1C1,,)
WriteCcSettingsTables: RB_cleanupFolder.0723A1DC_DEB6_4A50_874F_3A2D2C99A1C1
MSI (s) (B4:B8) [22:26:25:950]: Executing op: ActionStart(Name=RB_cleanupFolder.0723A1DC_DEB6_4A50_874F_3A2D2C99A1C1,,)
MSI (s) (B4:B8) [22:26:25:950]: Executing op: CustomActionRollback(Action=RB_cleanupFolder.0723A1DC_DEB6_4A50_874F_3A2D2C99A1C1,ActionType=1345,Source=BinaryData,Target=cleanupFolder,)
MSI (s) (B4:D0) [22:26:25:966]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI193.tmp, Entrypoint: cleanupFolder
InstSymProtect::cleanupFolder() -> called
DeleteFolderIfNoFileExists: Driver file is not present.
DeleteFolder: FAILED to delete directory C:\Program Files\Common Files\Symantec Shared\SPBBC
DeleteFolderIfNoFileExists: SHDeleteFolder FAILED
InstSymProtect::cleanupFolder() -> DeleteFolderIfNoFileExists FAILED
cleanupFolder:  exiting
MSI (s) (B4:B8) [22:26:26:341]: Executing op: End(Checksum=0,ProgressTotalHDWord=0,ProgressTotalLDWord=0)
MSI (s) (B4:B8) [22:26:26:341]: Error in rollback skipped. Return: 5
MSI (s) (B4:B8) [22:26:26:356]: No System Restore sequence number for this installation.
MSI (s) (B4:B8) [22:26:26:356]: Unlocking Server
MSI (s) (B4:B8) [22:26:26:372]: PROPERTY CHANGE: Deleting UpdateStarted property. Its current value is '1'.
Action ended 22:26:26: InstallFinalize. Return value 3.
 
In case the entire log is needed to diagnose my issue, please let me know.
Thank you for your help in advance.
 
fishmong3r

Comments 14 CommentsJump to latest comment

pete_4u2002's picture

are you trying to install using the local admin account? if not can you try ?

fishmong3r's picture

Yes, I'm trying to install with local admin account.

Mithun Sanghavi's picture

Hello,

As per the above logs, we see errors as below:

 

serviceIsRunning: OpenService FAILED with error 1060
LoadEvtMgrDll: ccEvtMgr is not running
serviceIsRunning: OpenService FAILED with error 1060
SendReload: ccEvtMgr is not running
loadEventManagerDLLs: FAILED to send reload event
loadEventManagerDLLs: exiting
restoreSPState: Changing service configuration to SERVICE_DEMAND START for SPBBCSvc
modifyServiceConfiguration: OpenService() FAILED with error 1060
restoreSPState: Unable to modify configuration for SPBBCSvc
restoreSPState: Value of szSPState "0"
restoreSPState: SPState is NOT set to 1. NOT Calling startSP
 
 
Could you let us know -
 
What happens if you export the package and then manually copy paste the package on the local HDD of the server and then run the setup.exe?

 

Also try creating a .msi package and running from the local hdd.

Check if there is a driver SPBBCSvc under Device Manager >> View >> Show Hidden devices >> Non-Plug and Play drivers. If there is a SPBBCSvc Driver, please uninstall it.

Also, check this Thread: 

https://www-secure.symantec.com/connect/forums/symantec-endpoint-protection-agent-1105-rolls-back-installation-configuring-services

It suggests - 

 

Open the Registry Editor and go to

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion

On the right hand side right-click and modify the value of "CommonFilesDir" to C:\Program Files\Common Files.

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

fishmong3r's picture

Hello,

Thank you for your advice. Unfortunately no success.

1. I extracted the installer package and ran setup.exe. The same happedned as before, also it generated the very same install log.

2. How to create MSI installer? Is there a way to do it without any 3rd party tool?

3. There were no SPBBC Svc in device manager.

4. I checked the link you posted and did:

 - Checked CommonFiledDir in 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion', the setting is ok.

- Tried the below as well:

# Open the Windows Registry editor (regedit.exe) browse to the following registry key:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager

# Verify the following Reg Multi String value PendingFileRenameOperations exists under this key.
Note: If you do not find the PendingFileRenameOperations value in the location above, this error message can be generated if there are pending changes in:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSetXXX\Control\SessionManager\PendingFileRenameOperations

# IfHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired exists, right-click on the RebootRequired registry key and choose Export.
# Provide a different file name than in step 4 for the exported registry key and click Save
# Delete RebootRequired sub-key

(delete the value after double clicking on the "PendingFileRenameOperations" string value), no need to restart the client just perform another push install from the server.

Additionally this the content of HKEY_LOCAL_MACHINE\SYSTEM\ControlSetXXX\Control\SessionManager\PendingFileRenameOperations after the installation attempt:

 

\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CCI2F.tmp
 
\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CCI30.tmp
 
\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CCI33.tmp
 
\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CCI34.tmp
 
\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CCI35.tmp
 
\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CCI36.tmp
 
\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CCI37.tmp
 
\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CCI38.tmp
 
\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CCI39.tmp
 
\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CCI3A.tmp
 
\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CCI3B.tmp
 
\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CCI3C.tmp
 
\??\C:\PROGRA~1\COMMON~1\SYMANT~1\SEVINST.EXE
 
\??\C:\PROGRA~1\COMMON~1\SYMANT~1
 
\??\C:\PROGRA~1\COMMON~1\SYMANT~1
 
\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sevinst0.exe
 
\??\C:\Program Files\Common Files\Symantec Shared\TBD175.tmp
 
\??\C:\Program Files\Common Files\Symantec Shared\TBD176.tmp
 
\??\C:\Program Files\Symantec\LiveUpdate\MSVCP71.DLL
 
\??\C:\Program Files\Symantec\LiveUpdate\MSVCR71.DLL
 
\??\C:\Program Files\Symantec\LiveUpdate\ProductRegCom_3_3.DLL
 
\??\C:\Program Files\Symantec\LiveUpdate\PSLuComServer_3_3.DLL
 
\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\LUInit.exe
 
\??\C:\Program Files\Symantec\LiveUpdate
 
\??\C:\Program Files\Symantec\LiveUpdate
 
\??\C:\Program Files\Symantec
 
\??\C:\Program Files\Symantec\LiveUpdate\PSLuComServer_3_3.dll
 
\??\C:\Program Files\Symantec\LiveUpdate
 
\??\C:\Program Files\Symantec
 
Mithun Sanghavi's picture

Hello,

Could you please upload us the entire SEP_Inst.log to understand the root cause of the issue.

Please Attach it under File Attachments.

 

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

fishmong3r's picture

Attached the log as requested.

Meanwhile I ran a SEP Support Tool scan but no error was shown in the result.

AttachmentSize
SEP_INST_upload.zip 500.71 KB
Mithun Sanghavi's picture

Hello,

After checking the Logs, we see as below:

 

Property(S): _IsSetupTypeMin = Typical
Property(S): Display_IsBitmapDlg = 1
Property(S): SAVRebootPromptText = You must restart your system for the configuration changes made to [2] to take effect. Click Yes to restart now or No if you plan to restart later.
Property(S): INSTALLLEVEL = 100
Property(S): ADDSTARTMENUICON = 1
 
Here are the suggestions - 
 
There is pending installation and you need to restart the machine.
 
If restart does not help, please check this document:
 

Installer Information - "Symantec Endpoint Protection has detected that there are pending system changes that require a reboot." when trying to install SEP 11.0 on Windows 7

http://www.symantec.com/business/support/index?page=content&id=TECH95608

NOTE: The steps also applies in case of using Windows 2003 Server.

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

fishmong3r's picture

 

Please find my exact actions below.
1. Restart
2. Installation attemp, no success, roll back.
3. Removed remnants.
4. Checked the above mentioned registry keys, PendingFileRenameOperations existed only in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SessionManager\
5. Exported key, deleted it.
6. Installation attemp, no success, error msg: "Symantec Endpoint Protection has detected that there are pending system changes that require a reboot".
7. Removed remnants.
8. Restart.
9. Checked the above mentioned registry keys, PendingFileRenameOperations existed only in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SessionManager\
10. Renamed it with a '2' at the end.
11. Restart.
12. Installation attemp, no success, roll back.
Rafeeq's picture

Change the environment variable

 %AppData% variable for the SYSTEM account.

  • Open 'regedit' from a run prompt.
  • Navigate to HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders.
  • Make sure that the AppData string is set to: %USERPROFILE%\Application Data for Windows XP/ Windows Server 2003 or %USERPROFILE%\AppData\Roaming for Windows Vista/ Windows 7/ Windows Server 2008.
    Note: Any other values here that do not have %USERPROFILE% may be incorrect as well and could cause issues.
  • Start install of Symantec Endpoint Protection Client

 

or right click my comptuer icon, select propeties, try changing the env varivable to c:\temp check if that works

fishmong3r's picture

It's in my original post:
"- Making sure that the value of 'HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData' is '%USERPROFILE%\Application Data'."

Rafeeq's picture

under the enviroment variable did you try changing it to c:\tmp and C:\temp

 

fishmong3r's picture

Just tried this as well. Thank you for your help, but the same issue appeared.

fishmong3r's picture

For the record...

MSXML 4 and 6 was installed on the machine. Both installation got corrupted. I could not even remove them from the control panel Add/Remove Programs as I received an errror message during the removal: 'Fatal Error during installation.'

The only way I could get rid of them was using Windows Installer Cleanup Utility. After installing them again the SEP installation was working properly.

Thank you all for the help anyway.

SOLUTION