Endpoint Protection


USNWash.exe and Conhost.exe crashing


  • 1.  USNWash.exe and Conhost.exe crashing

    Posted Apr 22, 2013 01:38 PM

    I have SEP 2012 installed on a Windows 2008 Ent R2 server, running SEPM for our organization.

    I have a series of event logs that keep popping up every minute or two. It looks like a process called USNWash.exe is trying to start, which in turn starts conhost.exe, and then both terminate immediately. It is causing a lot of chatter in my security event log on this server.

    What is USNWash.exe? It is part of SEP, I just cannot tell what it does or why it keeps trying to spawn. Here you can see both processes start, then immediately terminate. This happens every minute or so:

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          4/22/2013 12:06:08 PM
    Event ID:      4688
    Task Category: Process Creation
    Level:         Information
    Keywords:      Audit Success
    User:          N/A
    Computer:      xxxxxxx
    Description:
    A new process has been created.

    Subject:
        Security ID:        SYSTEM
        Account Name:        xxxxx
        Account Domain:        xxxxxx
        Logon ID:        0x3e7

    Process Information:
        New Process ID:        0x1980
        New Process Name:    D:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\bin\USNWash.exe
        Token Elevation Type:    TokenElevationTypeDefault (1)
        Creator Process ID:    0x1114

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          4/22/2013 12:06:08 PM
    Event ID:      4688
    Task Category: Process Creation
    Level:         Information
    Keywords:      Audit Success
    User:          N/A
    Computer:      xxxxx
    Description:
    A new process has been created.

    Subject:
        Security ID:        SYSTEM
        Account Name:        xxxxx
        Account Domain:        xxxxx
        Logon ID:        0x3e7

    Process Information:
        New Process ID:        0x1efc
        New Process Name:    C:\Windows\System32\conhost.exe
        Token Elevation Type:    TokenElevationTypeDefault (1)
        Creator Process ID:    0x174

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          4/22/2013 12:06:08 PM
    Event ID:      4689
    Task Category: Process Termination
    Level:         Information
    Keywords:      Audit Success
    User:          N/A
    Computer:      xxxxx
    Description:
    A process has exited.

    Subject:
        Security ID:        SYSTEM
        Account Name:        xxxxx
        Account Domain:        xxxxx
        Logon ID:        0x3e7

    Process Information:
        Process ID:    0x1980
        Process Name:    D:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\bin\USNWash.exe
        Exit Status:    0x40000001

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          4/22/2013 12:06:08 PM
    Event ID:      4689
    Task Category: Process Termination
    Level:         Information
    Keywords:      Audit Success
    User:          N/A
    Computer:      xxxxx
    Description:
    A process has exited.

    Subject:
        Security ID:        SYSTEM
        Account Name:        xxxxx
        Account Domain:        xxxxx
        Logon ID:        0x3e7

    Process Information:
        Process ID:    0x1efc
        Process Name:    C:\Windows\System32\conhost.exe
        Exit Status:    0x0

     

     

    Thanks!
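
The 4688/4689 events quoted in the post above can be correlated mechanically. This added example is not part of the thread and is not Symantec code: it parses an Event Viewer text export in the layout shown there and pairs each exit with its creation by PID and image path. The function names are hypothetical, and the sample is trimmed from the post's four events.

```python
import re
from datetime import datetime

# Constructed sample: the four events from the first post, trimmed to the fields parsed.
SAMPLE = r"""
Date:          4/22/2013 12:06:08 PM
Event ID:      4688
    New Process ID:        0x1980
    New Process Name:    D:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\bin\USNWash.exe
    Creator Process ID:    0x1114
Date:          4/22/2013 12:06:08 PM
Event ID:      4688
    New Process ID:        0x1efc
    New Process Name:    C:\Windows\System32\conhost.exe
    Creator Process ID:    0x174
Date:          4/22/2013 12:06:08 PM
Event ID:      4689
    Process ID:    0x1980
    Process Name:    D:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\bin\USNWash.exe
    Exit Status:    0x40000001
Date:          4/22/2013 12:06:08 PM
Event ID:      4689
    Process ID:    0x1efc
    Process Name:    C:\Windows\System32\conhost.exe
    Exit Status:    0x0
"""

# "Key:   value" lines; headings such as "Subject:" carry no value and are skipped.
FIELD = re.compile(r"(?m)^[ \t]*([A-Za-z ]+?):[ \t]+(\S.*?)[ \t]*$")
def parse_events(text):
    """Split an Event Viewer text export into one field dict per event."""
    chunks = re.split(r"(?m)^(?=[ \t]*Date:)", text)  # each event starts at Date:
    return [e for e in (dict(FIELD.findall(c)) for c in chunks) if "Event ID" in e]

def pair_processes(events):
    """Match each 4689 (exit) to its 4688 (creation) by PID and image path."""
    ts = lambda ev: datetime.strptime(ev["Date"], "%m/%d/%Y %I:%M:%S %p")
    started, rows = {}, []
    for e in events:
        if e["Event ID"] == "4688":
            started[(e["New Process ID"], e["New Process Name"])] = e
        elif e["Event ID"] == "4689":
            s = started.pop((e["Process ID"], e["Process Name"]), None)
            if s:  # skip exits whose creation is not in this export
                rows.append({"image": e["Process Name"].rsplit("\\", 1)[-1],
                             "creator_pid": int(s["Creator Process ID"], 16),
                             "exit_status": int(e["Exit Status"], 16),
                             "lifetime_s": (ts(e) - ts(s)).total_seconds()})
    return rows
```

Looking up the creator PID from the USNWash.exe row in Task Manager while the events recur shows which service is spawning it.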

     



  • 2.  RE: USNWash.exe and Conhost.exe crashing

    Trusted Advisor
    Posted Apr 22, 2013 01:42 PM

    Hello,

    What version of SEP are you running on the Windows 2012 server??

    Make sure you are running the Latest version of SEP 12.1 RU2 and above.

    USNWash.exe is used by the SemSvc.exe service

    Hope that helps!!



  • 3.  RE: USNWash.exe and Conhost.exe crashing

    Posted Apr 22, 2013 01:43 PM

    USNWash.exe is part of SEPM although a Symantec employee could best tell you what it does exactly. They check in frequently on this forum.

    What version are you running?



  • 4.  RE: USNWash.exe and Conhost.exe crashing

    Posted Apr 22, 2013 01:58 PM

    It is on a 2008 Server.

    Symantec version is 12.1.2015.2015 - is that the latest?



  • 5.  RE: USNWash.exe and Conhost.exe crashing

    Posted Apr 22, 2013 02:02 PM

    The latest is 12.1.2100.2092 (12.1 RU2 MP1) so you're one version behind.



  • 6.  RE: USNWash.exe and Conhost.exe crashing

    Posted Apr 22, 2013 02:12 PM

    Does this not come down with LiveUpdate? LiveUpdate says all my products are up to date. Is this something I am required to download from FileConnect?



  • 7.  RE: USNWash.exe and Conhost.exe crashing

    Trusted Advisor
    Posted Apr 22, 2013 02:25 PM

    Hello,

    Is this issue occurring only on 1 of these server machines?

    Was this SEP 12.1 RU2 client migrated from SEP 11.x?

    USNWash.exe is located in 'C:\Program Files\Symantec\Symantec Endpoint Protection Manager\bin\'

    Could you try uninstalling the SEP client, Restarting the server and reinstalling the SEP client again and check if this issue reoccurs?

    In case, it re-occurs, please create a case with Symantec Technical Support.

    To Create a Case with Symantec Technical Support, check these - 

    How to create a new case in MySymantec (formerly MySupport)

    http://www.symantec.com/docs/TECH58873

    OR

    Phone numbers to contact Tech Support:-

    Regional Support Telephone Numbers:

    • United States: https://support.broadcom.com (407-357-7600 from outside the United States)
    • Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)
    • United Kingdom: +44 (0) 870 606 6000

    Additional contact numbers: http://www.symantec.com/business/support/contact_techsupp_static.jsp

    Hope that helps!!


  • 8.  RE: USNWash.exe and Conhost.exe crashing

    Posted Apr 22, 2013 02:32 PM

    It looks like just on the management server, my other servers do not seem to have this issue. So, just to clarify, I can remove just the SEP client from the SEPM machine, and reinstall the client to see if it clears up the issue?

    Also, I am currently downloading 12.1.2_MP1 from FileConnect. Is there a reason this does not come down through LiveUpdate? Is FileConnect the correct way to obtain this update?



  • 9.  RE: USNWash.exe and Conhost.exe crashing

    Trusted Advisor
    Posted Apr 22, 2013 02:44 PM

    Hello,

    Currently, try - 

    1) Uninstalling the SEP client from the server, restarting the server and reinstalling the SEP client only.

    2) Running a Repair on SEPM (from Add/Remove Programs).

    Secondly, Yes, Fileconnect is the only way to download the latest version. Product version upgrades do not happen via Liveupdate.

    Liveupdate only updates the minor updates like product catalog files, etc.

    Upgrading or migrating to Symantec Endpoint Protection 12.1.2100 (RU2 MP1)

    http://www.symantec.com/docs/TECH204449

    Hope that helps!!



  • 10.  RE: USNWash.exe and Conhost.exe crashing

    Posted Apr 22, 2013 02:50 PM

    USNWash.exe is a process used by the SEPM. I don't believe uninstalling the SEP client itself will resolve this. Upgrading the SEPM may fix this.



  • 11.  RE: USNWash.exe and Conhost.exe crashing

    Posted Apr 22, 2013 03:59 PM

    I disabled the SEPM service and the errors went away. I suspect this is with the SEPM module also now. Should I still uninstall the client anyway, go ahead with the upgrade to MP1 of the entire system, or try something different with SEPM itself?



  • 12.  RE: USNWash.exe and Conhost.exe crashing

    Posted Apr 22, 2013 04:11 PM

    Yes, it should only be related to the SEPM, not the SEP client itself. I don't see how uninstalling the client would fix this though.

    I would always recommend upgrading to the latest version to see if it fixes it. I couldn't find anything specific to this in the release notes but it could fix it nonetheless.

    If it doesn't, you may need to log a support case.

    Release notes for the latest version are here:

    http://www.symantec.com/docs/DOC6419

    Fix notes are here:

    http://www.symantec.com/docs/TECH204685

    What I know is the USN is a proprietary key tied to the client. My guess is USNwash cleans up old clients from the database. It is probably not a vital part of the SEPM. Support can confirm all of this for you though.



  • 13.  RE: USNWash.exe and Conhost.exe crashing

    Trusted Advisor
    Posted Apr 23, 2013 11:03 AM

    Hello,

    I am not sure, if the above steps were read properly.

    USNWash.exe is used by the SemSvc.exe service

    USNWash.exe is located in 'C:\Program Files\Symantec\Symantec Endpoint Protection Manager\bin\'

    Please Run a Repair of Symantec Endpoint Protection Manager from Add/ Remove Programs.



  • 14.  RE: USNWash.exe and Conhost.exe crashing

    Posted Apr 23, 2013 11:49 AM

    I have upgraded to MP1 and I am still receiving the event log messages. Should I now open a support case?



  • 15.  RE: USNWash.exe and Conhost.exe crashing

    Posted Apr 23, 2013 11:51 AM

    Yes



  • 16.  RE: USNWash.exe and Conhost.exe crashing

    Trusted Advisor
    Posted Apr 23, 2013 11:57 AM

    Hello,

    Yes, please create a Case with Symantec Technical Support.

    Check these Steps below:

    How to create a new case in MySymantec

    http://www.symantec.com/business/support/index?page=content&id=TECH58873

    Phone numbers to contact Tech Support:-

    Regional Support Telephone Numbers:

    • United States: https://support.broadcom.com (407-357-7600 from outside the United States)
    • Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)
    • United Kingdom: +44 (0) 870 606 6000

    Additional contact numbers: http://www.symantec.com/business/support/contact_t...

    Hope that helps!!