
Unable to SMC -stop damaged client, forced to uninstall

Created: 28 Jun 2013 | 17 comments
ScottM 2's picture

Morning, I've been looking at a few damaged SEP clients (12.1 RU-1 level currently) where it isn't properly communicating but an SMC -stop command will not stop the service; the only way to repair is to uninstall/reinstall. Is there a more forceful way than the SMC -stop command to pull SEP out of memory? Tamper protection is disabled so that isn't an issue.


Brɨan's picture

If tamper protection isn't enabled then you should be able to use task manager or process explorer to kill the process.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

John Cooperfield's picture

Here are two alternatives:

  1. Under Add/Remove Programs, do a Repair on SEP.
  2. Restart the system.

HTH

John

ScottM 2's picture

I'll have to try that on the next one I encounter, the one I encountered this morning I already fixed via the reinstall route.

I'll respond with my results.

ScottM 2's picture

Just found another one. Sepmasterservice will not stop as a result of smc -stop and no SMC process in the process list to kill.

Going to pull a support tool report and send to my RPS.

SebastianZ's picture

When executing smc -stop make sure that the SEP client console (GUI) is not open on the screen - have already seen several cases where this prevented smc -stop from executing correctly.

ScottM 2's picture

Nope that wasn't the case either unfortunately.

Optimally I'd like to set up my script to force the sepmasterservice to stop in these cases so I can replace the policy dat files and sylink.xml file.

Brɨan's picture

Try this:

Get the PID of smc.exe and ccsvchst.exe

Open a CMD prompt

Execute "taskkill /PID <PID> /f" where PID is that of smc.exe and ccsvchst.exe

For example, where PID of smc.exe is 400

taskkill /pid 400 /f


ScottM 2's picture

Can't kill ccsvchst even with the /f option. I received an access denied, though granted I was trying to do it remotely using psexec; maybe locally I'd have more luck. The idea is to eventually have a process to repair these without any console access.

Elisha's picture

Check out this thread.  It should have data to help you remove the SEP client and reinstall it:

https://www-secure.symantec.com/connect/forums/how-get-cleanwipe-tool-endpoint-removal

ScottM 2's picture

The objective is to repair without uninstalling.

AjinBabu's picture

Hi, 

If it is a corrupted client, I don't think there is a way without repairing the client.

Regards

Ajin

ScottM 2's picture

Very possible that may be the only solution. I'd like to explore the options; it is often easier to find the clients than to get the users off the devices to repair them.

Elisha's picture

Hello Scott,

Unfortunately there is no good way to repair the client.  There are few things in the SEP client that can be fixed by a repair.  If the install is bad the best bet is to remove the client, reboot and reinstall.

Is there some reason you don't want to uninstall and reinstall?

ScottM 2's picture

Aside from the time involved in Uninstall/Reboot/Install/Reboot/Confirm working, the problem is that every workstation with a broken SEP client has a user with the most important job at the company that can't afford any downtime. The rest of the company just pushes brooms around by comparison.

For years I've looked for ways to fix these problems without impacting the user, I'm hoping to continue with these few broken SEP 12 clients.

Elisha's picture

Yes, understood.  However, repairs can be just as impactful as uninstall and reinstall.  Both require downtime and both require reboots.  However, I understand the request.  You need a way to repair the system without downtime and without impacting the user.  We don't have this feature today, but it is something we can look at in the future.  For now I recommend uninstalling and then reinstalling.

John Cooperfield's picture

1. Going back to your original post, what is the precise symptom of client-SEPM comm not working properly?

2. If the user will not let you on the machine how are you stopping SMC? 

3. Here are two batch script lines I use to stop SMC ... starting is similar:

rem  32bit sep 11 and 12
"C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe" -stop && echo  "SMC -STOP" was applied.

rem  64bit
"C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Smc.exe" -stop && echo  "SMC -STOP" was applied.

John
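
Added example, not part of the thread or any poster's script: a batch wrapper that runs smc -stop from whichever install path exists and then polls the service state, so a client where the command returns but the service keeps running (the case described in this thread) is reported instead of assumed stopped. The install paths and the SepMasterService name are taken from the posts above; the 60-second wait and the exit codes are assumptions.

```batch
@echo off
setlocal
rem Added example: run "smc -stop", then verify the service actually stopped.
rem Assumptions: default install paths as quoted in the thread, service name
rem SepMasterService as mentioned in the thread, 60-second wait chosen arbitrarily.

set "SEPDIR=Symantec\Symantec Endpoint Protection"
set "SMC=%ProgramFiles%\%SEPDIR%\Smc.exe"
if not exist "%SMC%" set "SMC=%ProgramFiles(x86)%\%SEPDIR%\Smc.exe"
if not exist "%SMC%" (
    echo Smc.exe not found under either Program Files directory.
    exit /b 2
)

"%SMC%" -stop
echo smc -stop returned exit code %errorlevel%

set /a tries=0
:wait
rem sc query prints a STATE line such as "4  RUNNING" or "1  STOPPED"
sc query SepMasterService | find "STOPPED" >nul
if not errorlevel 1 goto stopped
set /a tries+=1
if %tries% geq 12 goto stuck
rem ping is the delay here because "timeout" fails when stdin is redirected,
rem which is common in remote, non-interactive shells
ping -n 6 127.0.0.1 >nul
goto wait

:stopped
echo SepMasterService is STOPPED.
exit /b 0

:stuck
echo SepMasterService did not reach STOPPED after 60 seconds. Current state:
sc query SepMasterService | find "STATE"
exit /b 1
```

Exit code 1 identifies the clients that need follow-up, so a remote job can collect the list without anyone logging on to the console.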

John Cooperfield's picture

Also, going to Add/Remove Programs and doing a Repair is simple enough that I have talked a couple of end users through it over the phone. They were happy that it only took a couple of minutes.