Issues may occur after uninstalling 3rd party AD monitoring Tools and installing the Change Auditor agent
Description
If you uninstall third-party software that uses LSASS (injects DLLs into the LSASS process) and then install the Change Auditor agent without rebooting the server after removing the other software, issues with the agent or the server may result, such as memory dumps being created and crashes occurring.
Cause
Software that uses LSASS usually does so by hooking (injecting DLLs) into the LSASS process. The Change Auditor agent also hooks LSASS by injecting DLLs into the LSASS process. When software is uninstalled, processes that run continually and cannot be stopped (such as LSASS) may not be able to clear memory or the registry completely or, with process hooking, may not be able to remove the DLL stubs that were injected. To clean up memory, the registry and these processes, a reboot is generally needed. Without a reboot to clear the previous application's injection, the agent injection process could end up trying to inject into the same areas of the process that still hold stubs from the previous application.
Resolution
Rebooting the server clears out the remnants of the previous hooking, allowing the process to start up clean for the Change Auditor agent install and our hooking to complete successfully.
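A pre-install check for the condition described above, as an added example that is not part of the original article or Quest tooling: it lists DLLs still loaded in `lsass.exe` whose file metadata does not name Microsoft, and reports products removed since the last boot. The function names are hypothetical, and the removal check assumes the other product was uninstalled through Windows Installer (MsiInstaller event 1034).

```powershell
# Added example, not vendor code. Run from an elevated PowerShell session on the server.

function Get-NonMicrosoftLsassModule {
    # DLLs currently mapped into lsass.exe whose version metadata does not name Microsoft.
    # CompanyName is only a hint for spotting leftover third-party DLLs, not a trust check.
    try {
        $modules = Get-Process -Name lsass -Module -ErrorAction Stop
    } catch {
        # Enumeration fails when LSASS runs as a protected process or the session is not elevated.
        Write-Warning "Could not enumerate LSASS modules: $($_.Exception.Message)"
        return
    }
    $modules |
        Where-Object { $_.FileVersionInfo.CompanyName -notmatch 'Microsoft' } |
        Select-Object ModuleName, FileName,
            @{ Name = 'Company'; Expression = { $_.FileVersionInfo.CompanyName } }
}

function Get-UninstallSinceLastBoot {
    # Windows Installer product removals (event 1034) logged after the last boot.
    # Assumption: the removed product used an MSI; other uninstallers leave no such event.
    $boot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'MsiInstaller'
        Id           = 1034
        StartTime    = $boot
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

$leftover = @(Get-NonMicrosoftLsassModule)
$removed  = @(Get-UninstallSinceLastBoot)

if ($removed.Count -gt 0) {
    Write-Output 'Products removed since the last boot (reboot before installing the agent):'
    $removed | Format-List
}
if ($leftover.Count -gt 0) {
    Write-Output 'Non-Microsoft modules still loaded in LSASS (compare against the removed product):'
    $leftover | Format-Table -AutoSize
}
if ($removed.Count -eq 0 -and $leftover.Count -eq 0) {
    Write-Output 'No MSI removals since last boot and no non-Microsoft modules found in LSASS.'
}
```

A module listed here may belong to software that is still installed, so match the file paths against the product that was removed before drawing a conclusion.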