
USNWash.exe and Conhost.exe crashing

Created: 22 Apr 2013 | 15 comments

I have SEP 2012 installed on a Windows 2008 Ent R2 server, running SEPM for our organization.

I have a series of event logs that keep popping up every minute or two. It looks like a process called USNWash.exe is trying to start, which in turn starts conhost.exe, and then both terminate immediately. It is causing a lot of chatter in my security event log on this server.

What is USNWash.exe? It is part of SEP, I just cannot tell what it does or why it keeps trying to spawn. Here you can see both processes start, then immediately terminate. This happens every minute or so:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          4/22/2013 12:06:08 PM
Event ID:      4688
Task Category: Process Creation
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      xxxxxxx
Description:
A new process has been created.

Subject:
    Security ID:        SYSTEM
    Account Name:        xxxxx
    Account Domain:        xxxxxx
    Logon ID:        0x3e7

Process Information:
    New Process ID:        0x1980
    New Process Name:    D:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\bin\USNWash.exe
    Token Elevation Type:    TokenElevationTypeDefault (1)
    Creator Process ID:    0x1114

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          4/22/2013 12:06:08 PM
Event ID:      4688
Task Category: Process Creation
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      xxxxx
Description:
A new process has been created.

Subject:
    Security ID:        SYSTEM
    Account Name:        xxxxx
    Account Domain:        xxxxx
    Logon ID:        0x3e7

Process Information:
    New Process ID:        0x1efc
    New Process Name:    C:\Windows\System32\conhost.exe
    Token Elevation Type:    TokenElevationTypeDefault (1)
    Creator Process ID:    0x174

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          4/22/2013 12:06:08 PM
Event ID:      4689
Task Category: Process Termination
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      xxxxx
Description:
A process has exited.

Subject:
    Security ID:        SYSTEM
    Account Name:        xxxxx
    Account Domain:        xxxxx
    Logon ID:        0x3e7

Process Information:
    Process ID:    0x1980
    Process Name:    D:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\bin\USNWash.exe
    Exit Status:    0x40000001

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          4/22/2013 12:06:08 PM
Event ID:      4689
Task Category: Process Termination
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      xxxxx
Description:
A process has exited.

Subject:
    Security ID:        SYSTEM
    Account Name:        xxxxx
    Account Domain:        xxxxx
    Logon ID:        0x3e7

Process Information:
    Process ID:    0x1efc
    Process Name:    C:\Windows\System32\conhost.exe
    Exit Status:    0x0

 

 

Thanks!
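The 4688/4689 events in the post above can be paired by process ID to see which images start and exit within the same second and what exit status each returns. This is an added example, not part of the original post; the function names are assumptions, and the sample is the post's four events trimmed to the fields the code reads.

```python
import re
from datetime import datetime

# Constructed input: the four events from the post, trimmed to the fields used below.
SAMPLE = r"""
Log Name:      Security
Date:          4/22/2013 12:06:08 PM
Event ID:      4688
    New Process ID:        0x1980
    New Process Name:    D:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\bin\USNWash.exe
Log Name:      Security
Date:          4/22/2013 12:06:08 PM
Event ID:      4688
    New Process ID:        0x1efc
    New Process Name:    C:\Windows\System32\conhost.exe
Log Name:      Security
Date:          4/22/2013 12:06:08 PM
Event ID:      4689
    Process ID:    0x1980
    Process Name:    D:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\bin\USNWash.exe
    Exit Status:    0x40000001
Log Name:      Security
Date:          4/22/2013 12:06:08 PM
Event ID:      4689
    Process ID:    0x1efc
    Process Name:    C:\Windows\System32\conhost.exe
    Exit Status:    0x0
"""

FIELD = re.compile(r"^\s*([^:\n]+):[ \t]*(.*)$", re.M)

def parse_events(text):
    """Return one {field: value} dict per event in Event Viewer text output."""
    chunks = text.split("Log Name:")[1:]
    return [{k.strip(): v.strip() for k, v in FIELD.findall(c)} for c in chunks]

def short_lived(events, max_seconds=1):
    """Pair 4688 (create) with 4689 (exit) by PID; list (image, exit status) of quick exits."""
    started, hits = {}, []
    for ev in events:
        when = datetime.strptime(ev["Date"], "%m/%d/%Y %I:%M:%S %p")
        if ev["Event ID"] == "4688":
            started[int(ev["New Process ID"], 16)] = (ev["New Process Name"], when)
        elif ev["Event ID"] == "4689":
            name, began = started.pop(int(ev["Process ID"], 16), (None, None))
            # PIDs are reused, so only pair when the image path matches as well.
            if name == ev["Process Name"] and (when - began).total_seconds() <= max_seconds:
                hits.append((name, ev["Exit Status"]))
    return hits
```

Run over a longer export of the Security log, the returned list shows whether the same image and exit status account for the recurring entries.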

 


Mithun Sanghavi's picture

Hello,

What version of SEP are you running on the Windows 2012 server??

Make sure you are running the Latest version of SEP 12.1 RU2 and above.

USNWash.exe is used by the SemSvc.exe service

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

_Brian's picture

USNWash.exe is part of SEPM although a Symantec employee could best tell you what it does exactly. They check in frequently on this forum.

What version are you running?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

spitty's picture

It is on a 2008 Server.

Symantec version is 12.1.2015.2015 - is that the latest?

_Brian's picture

The latest is 12.1.2100.2092 (12.1 RU2 MP1) so you're one version behind.


spitty's picture

Does this not come down with LiveUpdate? LiveUpdate says all my products are up to date. Is this something I am required to download from FileConnect?

Mithun Sanghavi's picture

Hello,

Is this issue occurring only on 1 of these server machines?

Was this SEP 12.1 RU2 client migrated from SEP 11.x?

USNWash.exe is located in 'C:\Program Files\Symantec\Symantec Endpoint Protection Manager\bin\'

Could you try uninstalling the SEP client, Restarting the server and reinstalling the SEP client again and check if this issue reoccurs?

In case, it re-occurs, please create a case with Symantec Technical Support.

To Create a Case with Symantec Technical Support, check these - 

How to create a new case in MySymantec (formerly MySupport)

http://www.symantec.com/docs/TECH58873

OR

Phone numbers to contact Tech Support:-

Regional Support Telephone Numbers:

  • United States: 800-342-0652 (407-357-7600 from outside the United States)
  • Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)
  • United Kingdom: +44 (0) 870 606 6000

Additional contact numbers: http://www.symantec.com/business/support/contact_techsupp_static.jsp

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3


spitty's picture

It looks like just on the management server, my other servers do not seem to have this issue. So, just to clarify, I can remove just the SEP client from the SEPM machine, and reinstall the client to see if it clears up the issue?

Also, I am currently downloading 12.1.2_MP1 from FileConnect. Is there a reason this does not come down through LiveUpdate? Is FileConnect the correct way to obtain this update?

Mithun Sanghavi's picture

Hello,

Currently, try - 

1) Uninstalling the SEP client from the server, restarting the server and reinstalling the SEP client only.

2) Running a Repair on SEPM (from Add/Remove Programs).

Secondly, yes, FileConnect is the only way to download the latest version. Product version upgrades do not happen via LiveUpdate.

LiveUpdate only updates the minor updates like product catalog files, etc.

Upgrading or migrating to Symantec Endpoint Protection 12.1.2100 (RU2 MP1)

http://www.symantec.com/docs/TECH204449

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3


_Brian's picture

USNWash.exe is a process used by the SEPM. I don't believe uninstalling the SEP client itself will resolve this. Upgrading the SEPM may fix this.


spitty's picture

I disabled the SEPM service and the errors went away. I suspect this is with the SEPM module also now. Should I still uninstall the client anyway, go ahead with the upgrade to MP1 of the entire system, or try something different with SEPM itself?

_Brian's picture

Yes, it should only be related to the SEPM, not the SEP client itself. I don't see how uninstalling the client would fix this though.

I would always recommend upgrading to the latest version to see if it fixes it. I couldn't find anything specific to this in the release notes but it could fix it nonetheless.

If it doesn't, you may need to log a support case.

Release notes for the latest version are here:

http://www.symantec.com/docs/DOC6419

Fix notes are here:

http://www.symantec.com/docs/TECH204685

What I know is the USN is a proprietary key tied to the client. My guess is USNwash cleans up old clients from the database. It is probably not a vital part of the SEPM. Support can confirm all of this for you though.


Mithun Sanghavi's picture

Hello,

I am not sure, if the above steps were read properly.

USNWash.exe is used by the SemSvc.exe service

USNWash.exe is located in 'C:\Program Files\Symantec\Symantec Endpoint Protection Manager\bin\'

Please Run a Repair of Symantec Endpoint Protection Manager from Add/ Remove Programs.

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3


spitty's picture

I have upgraded to MP1 and I am still receiving the event log messages. Should I now open a support case?

_Brian's picture

Yes


Mithun Sanghavi's picture

Hello,

Yes, please create a Case with Symantec Technical Support.

Check these Steps below:

How to create a new case in MySymantec

http://www.symantec.com/business/support/index?page=content&id=TECH58873

Phone numbers to contact Tech Support:-

Regional Support Telephone Numbers:

  • United States: 800-342-0652 (407-357-7600 from outside the United States)
  • Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)
  • United Kingdom: +44 (0) 870 606 6000

Additional contact numbers: http://www.symantec.com/business/support/contact_t...

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3
