Chat now with support
Chat with Support

InTrust 11.3.1 - Release Notes

Known issues

The following is a list of issues, including those attributed to third-party products, known to exist at the time of release.

Table 5: Installation known issues

Known Issue Issue ID

If you install InTrust Deployment Manager on a running InTrust server, a restart of the Quest InTrust Server and Quest InTrust Real-Time Monitoring Server services is required. The restart causes some downtime in InTrust operations performed by that server.


If you are installing InTrust on a SQL server and updating SQL Server Native Client through the InTrust setup suite in the process, this causes the locally installed SQL Server service to restart automatically.

To avoid this, update the client to the required version before you set up InTrust.


You will have to log off and log on again once you have installed InTrust Manager to a location other than default. Otherwise, the InTrust Manager shortcut will not work. 0112449
If you have used the Add/Remove Programs dialog to uninstall InTrust, you will get the Modify/Repair/Remove dialog next time you launch InTrust setup from the CD. Click Remove and wait until setup finishes, then run setup again. 0112184

You may get the following error while trying to install InTrust:

Cannot grant the following privileges: Back up files and directories Log on as a service to <account_name> Your Group Policy settings may be preventing setup from granting the privileges specified.

There must exist a Group Policy that controls the assignment of the specified privilege(s) in your environment. InTrust setup can neither override it nor check if the account inherits the required privilege(s) from a security group the policy applies to. Make sure the policy grants the specified privilege(s) to InTrust service account, either directly or through its membership in a security group, and click the Ignore button in the error dialog to proceed with the installation.


InTrust Monitoring Console and Quest Knowledge Portal cannot be installed into a Virtual Directory with special characters (like !#$%^&()_+|][}{;,-=`~) in the name.


If you receive the following error while upgrading an InTrust Server:

Error Code: 1603 Fatal error during installation.

First of all, check if all of the InTrust Server services have been stopped. Most often, it is Quest InTrust Real-Time Monitoring Server service that takes long to stop and causes the setup to fail with this error. If this is the case, quit the setup, make sure all of the Quest InTrust services have stopped and run the setup again.


If you receive the following error at InTrust setup:

Cannot configure default Audit Database. Error code: 0x80004005. Property value is invalid. Make sure the value is typed correctly. Unspecified error Multiple-step OLE DB operation generated errors. Check each OLE DB status value, if available. No work was done. Property value is invalid. Make sure the value is typed correctly.

Check if you have specified a database with a name that starts with a numeric character (0-9) as either Audit or Alert database. The names of all InTrust Audit and Alert databases must start with an alphabetic character (a-z, A-Z).

On the Select Features step, InTrust setup wizard displays the required disk space only for the features you select in the tree. There are, however, some features required by those listed in the tree but not shown there because they are not user-selectable. Those 'hidden' features affect disk space requirements too. Click the Disk Cost button to see the more accurate numbers for required disk space calculated with regards to the features not displayed in the tree.



When InTrust installation fails and is rolled back, some registry keys it has created are not removed. This is controlled by the Microsoft Installer and cannot be handled from the InTrust setup code. 0112227

When you are running the configdb.sql SQL script on a pre-created InTrust configuration database to provide for not giving InTrust service account the database owner right for it, you may receive warnings like the following:

Cannot add rows to sysdepends for the current stored procedure because it depends on the missing object 'dbo.ITRTProcessingRule_change'.

These warnings may be ignored since they do not indicate of any problems that may affect the future InTrust operation.

Don't specify any existing Quest Active Roles Server database as the InTrust configuration database, since these two products have incompatible requirements to the system configurations of their databases. 0153990
Components and configuration objects added to an existing InTrust installation by installing an individual Knowledge Pack cannot be consistently removed from InTrust by deselecting the related nodes on the 'Select Features' step of the Installation Wizard. 0153504

When you install InTrust or upgrade it from an earlier version, you may receive the following error message:

Error 1335. The cabinet file '<cab_file_name>' required for this installation is corrupt and cannot be used. This could indicate a network error, an error reading from the CD-ROM, or a problem with this package.

One of the recommendations you can find in the Microsoft KB article 314810 must help you resolve this problem. The article describes a similar problem with MS Office installation and the resolutions it provides has proved to work for InTrust installation.

If you have individual InTrust components installed on a computer to a non-default path, be sure to not use the InTrust Suite setup to add other InTrust components to that machine. Install additional InTrust components by running their individual setup (.MSI) packages from the product DVD instead. This will let you avoid problems at both installation and uninstallation of those components in the future. 0184325
When you change the installation path for the InTrust Server node of the feature tree (on the Select Features step of the Quest InTrust Setup wizard), installation paths for features down the tree is changed accordingly so that individual InTrust components are installed to subfolders of the folder you specify for InTrust Server. Note that this, however, does not apply to Quest Knowledge Portal, which does not inherit its installation path from the InTrust Server component and requires that you explicitly change the installation path if you need that. 0190311
It is recommended that you install the same set of InTrust components on all InTrust Servers in an InTrust Organization. Otherwise, you may have problems, for example, when switching the server that runs a task. 0149166

When you install a report pack and the SQL Server hosting its target database does not have SQL Server Agent running, you may receive the following warning, sometimes followed by an error dialog with the same text:

Cannot upload report pack: For Temporary Tables Clean-Up job schedule to be applied, make sure that: 1. Authentication method for database access uses the explicitly specified credentials which are stored in the data source (either SQL Server authentication, or Windows authentication). If Integrated Windows authentication i...

When you click OK in this dialog, another error message may be displayed asking you if you want to continue with the setup. Click No and wait for the setup application to prompt you with the options to Retry, Ignore or Abort the installation. When prompted, select Retry. From this point on, the installation of the report pack is expected to run smoothly.


You may receive the following error messages when you install the Knowledge Pack for Microsoft Audit Collection Services (ACS KP) from the command line:

  • Error: 0x80040154. Cannot install ACI packages. Reason: Class not registered.
  • Error: 0x80070005. Cannot install ADC predefined objects. Reason: Error while performing the following action: Enumerating collection. Reason: Access is denied.

This is not expected to happen again if you click OK in each error dialog window, let the installation process exit and run the knowledge pack installation command one more time.


You may receive the following misleading error message when installing an additional Knowledge Pack into an existing InTrust organization:

Error: 0x80004005. Cannot configure default Audit Database. Reason: Data source name not found and no default driver specified.

This error is not expected to cause any real problem with a Knowledge Pack installation. If you see it, click OK in the error message and let the installation finish. No troubleshooting is required unless you see more errors during the installation or find the Knowledge Pack not working properly when installation is finished.

InTrust suite installation program cannot automatically discover an Exchange Server in domain trusted by the domain the InTrust Server computer is a part of. 81962

When you use the default InTrust setup, the installation program does not prompt you for the Communication Port number. If you use the extended InTrust setup to complement a default deployment, you are prompted for the Communication Port value but the setting you make is not applied to the InTrust installation. In this installation scenario, edit this registry value to change the Communication port number after InTrust is installed, if needed:



[HKEY_LOCAL_MACHINE]\SOFTWARE\Wow6432Node\Aelita\ADC\RpcServer\Endpoints\1 STRING: Endpoint="8340"


It is not recommended to create InTrust configuration database with "." symbol in its name (for example: InTrust_10.6_ConfigDB), though it will be created, such database is unusable and you will receive the error like:

Invalid database name supplied.


Sometimes uninstalling an InTrust component can cause miscellaneous problems for another InTrust component on the same computer. If this happens, open the Programs and Features facility in the Control Panel and perform a Repair operation for the component that is not working properly.


The "InTrust Monitoring Console" feature cannot be installed if the ASP record is corrupted. If this happens, reinstall the ASP Windows feature (Internet Information Services | World Wide Web Services | Application Development Features | ASP in the Windows Features facility) by removing it and adding it again.



Table 6: Upgrade known issues

Known Issue Issue ID

When you upgrade an existing installation of InTrust under an account that doesn't have DBO access rights to the InTrust configuration database, you may receive the following error message:

Cannot uninstall CI packages. Error code: 0x80004005. Cannot parse ADCClassInventory query. Error of opening file.

Click OK and continue. This error does not affect the results of the upgrade.


At an upgrade of an InTrust Server in a multiserver InTrust organization, you may receive a misleading error message:

You are about to remove an InTrust server from an InTrust organization. Any jobs configured to run on this server must be manually transferred to another live server in the same organization.

It is safe to ignore this error. Click OK and continue upgrading.


You may receive the following error when you attempt to upgrade Quest Knowledge Portal (QKP) as a part of your InTrust upgrade process:

The installer has insufficient privileges to access this directory: C:\Program Files\Quest Software\Knowledge Portal. The installation cannot continue. Log on as administrator or contact your system administrator.

To work around this error, click OK in the error message box, let the upgrade run to the end and repeat the upgrade of QKP.



Table 7: General known issues

Known Issue Issue ID

On January 3, 2018, Microsoft released a number of Windows updates to address the Meltdown and Spectre vulnerabilities:

  • For Windows Server 2016:
    • KB4056890
  • For Windows 10:
    • KB4056893
    • KB4056888
    • KB4056890
    • KB4056891
    • KB4056892
  • For Windows 8.1 and Windows Server 2012 R2:
    • KB4056898
  • For Windows 7 and Windows Server 2008 R2:
    • KB4056897
    • KB4056894

These updates turned out to cause numerous problems with various software, including InTrust. MIcrosoft fixed these problems in subsequent updates, starting with January 17, 2018.

For InTrust to operate normally, make sure your systems are patched with recent Meltdown and Spectre-related Windows updates issued later than the broken updates of January 3, 2018.

For details about protecting your systems against speculative execution attacks, see Microsoft KB article 4072698.


When you create a repository, specifying a local path for it is not prevented, even though InTrust does not support locally-hosted repositories.


Two InTrust servers cannot concurrently process each other using agents. 0115565
You may not be able to log on interactively to a computer where InTrust server is installed, if the InTrust configuration database went offline while restarting the computer. Wait until the database goes back online or for about 5 minutes, then try logging on again. 0115564

Don't delete the Default configuration objects (Default databases, repositories, operators, etc.) even if you never use them in InTrust sites, policies etc. Other predefined objects may have references to the Default objects by default, which may result in hard-to-find errors if referenced objects no longer exist in your InTrust configuration database. Note that the deleted predefined configuration objects are not recreated at InTrust upgrades or reinstallations, some of them causing errors at the setup phase if missing from the configuration database.

The recommended practice is to keep default configuration objects as templates for the custom ones you create for the routine use.

If two operator records with the same computer name exist in the InTrust configuration and both are specified as operators to notify, then two NET SEND notifications are sent to that one computer. 0112241
When you restart InTrust services on an InTrust Server serving a large number of agents, real-time monitoring and gathering may require a few minutes to start working again after the services are started. 0114831

If notification is configured so that email is sent to an operator that represents a group and sending fails for one of the group members (for example, due to an invalid email address), then it also fails for all other members of the group.

This issue does not occur if all selected operators represent individual users; in this case, sending failure for an operator does not affect other operators.

When the system time is set back on an InTrust Server computer or on a computer with InTrust agent running, InTrust agent-server operation may become unstable or even broken. It is recommended to restart InTrust services (either Quest InTrust Server or Quest InTrust Agent) on the computer after setting the system time back on it. Automatic time adjustment for daylight savings does not produce this effect on InTrust and does not require restarting any InTrust services. 0145993

The following error message logged to the session results of an InTrust task may indicate of a frequent changes in the system time on the InTrust Server computer:

Error: 0x80040e2f Cannot initialize the required component. Cannot initialize session. Sessions Error- The statement has been terminated. Sql State: 01000 Native Error Code: 3621 Violation of PRIMARY KEY constraint 'PK_ITGSessionsInfo'. Cannot insert duplicate key in object 'dbo.ITGSessionInfo'. Sql State: 23000 Native Error Code: 2627 , !! IDispatch error #3119

This may be happening because of some problems with hardware or operating system, frequent time synchronizations with multiple hosts on the network or some other reason.

If an InTrust site includes an AD site that has subnets misconfigured, InTrust may try processing, when monitoring or gathering from this InTrust site, a lot of unrelated computers or even all computers in the Domain(s) that the AD site spans. 0130865
You may be confused with events you may find in the InTrust event log on the InTrust Server computer stating that a job has completed with error and providing an error code without any error description. These events don't signal of any problem and may be ignored. They are logged to the InTrust event log in order to have process exit codes for InTrust jobs saved for the purpose of possible troubleshooting. 0155885
When you edit filters in data sources for IIS logs, ISAS logs, DHCP logs and Exchange events, and you want to use filtering by empty string value, specify empty strings. To do it, leave the text box in the Add/Edit String dialog box empty and click OK. 0146236

If you see a notification job failing consistently with the following error:

Object Name: (InTrust Server) Data Source: Notification Description: Cannot notify the 'Default Notification Operator' operator using the 'mail' notification type. An error has occurred during sending the mail. Error text: An established connection was aborted by the software in your host machine. Function 'recv' failed.

Verify that the SMTP server handling notification messages from InTrust does not require sender authentication.


If you are using Windows 2012 running on an ESXi 5.0, 5.1, or 5.5 host, DO NOT USE e1000e default network adapter. This may lead data corruption may occur when copying data over the network and therefore cause problems with repository indexing. You may see the following errors in the log:

Indexing of long-term items for repository "\\y12r2\RepsG\20140321_CalcE5310_Corruption" failed. Reason: Operation failed on agent localhost. Reason: 'ADC Error: Error: ADC Error: Unspecified error, error code 0x8adc1005' Indexing of recent items for repository "\\y12r2\RepsG\20140321_CalcE5310_Corruption" failed. Reason: Operation failed on agent localhost. Reason: 'ADC Error: Error: ADC Error: Field stream is invalid, error code 0x80004005' Indexing of long-term items for repository "\\y12r2\RepsG\20140321_CalcE5310_Corruption" failed. Reason: Operation failed on agent localhost. Reason: 'ADC Error: Error: ADC Error: ADC Error: ADC Error: One or more segments of incoming index data (\\y12r2\RepsG\20140321_CalcE5310_Corruption\IndexingRoot$\indexes\{00000000-0000-0000-0000-000000000000}\index\{7F}, \\y12r2\RepsG\20140321_CalcE5310_Corruption\IndexingRoot$\indexes\{00000000-0000-0000-0000-000000000000}\index\{AE}) could not be merged with the repository index, error code 0x8adc1005' The indexing queue of recent events in repository "\\y12r2\RepsG\20140321_CalcE5310_Corruption" exceeded the size limit. Please check the InTrust Server event log for errors, and consider collecting less audit data to this repository and adding more indexing servers.

For more information see the following article:


When the InTrust server is switched during a failover operation, you get the following error in InTrust Deployment Manager and in the InTrust Server event log:

Some required components for working with the data source could not be installed

This message is about the user session tracking component of the InTrust agents. The agents may temporarily stop reporting user session events.


Filtering of site objects by registry value works only with the 32-bit registry view on 64-bit systems.


Automatic cleanup is not implemented for the %ALLUSERSPROFILE%\Application Data\Quest Software and %ALLUSERSPROFILE%\Application Data\Quest folders. If these folders grow too large, you can safely clear their contents manually.


User session tracking events contain extended information, including the IP address of the agent computer. However, the IP address can vary from event to event as network interfaces are added and removed dynamically. Keep this in mind if you rely on IP addresses when you search for events; otherwise, you may miss important events.


Table 8: InTrust Deployment Manager known issues

Known Issue Issue ID

In the Computers not in a collection search folder, the type of some non-Windows computers (such as VMware ESXi servers) is erroneously shown as "Workstation".


Table 9: Syslog message forwarding known issues

Known Issue Issue ID

If the adcrpcs service is restarted on an InTrust server that forwards Syslog messages, it may resend duplicates of recent messages.


Table 10: InTrust Manager known issues

Known Issue Issue ID
Computers added to an InTrust site by their NetBIOS names may be listed under the Agents node in InTrust Manager by their NetBIOS names, not by their FQDNs as might be expected. 0111184

The lists of available InTrust Servers in an organization may differ depending on whether or not InTrust Manager is installed on the same computer as InTrust Server. The RPC Locator service should be enabled on the InTrust Manager computer where InTrust Server is not installed for correct results.

A specific InTrust Server may be also not visible as available for connection with InTrust Manager if it fails to publish itself in Active Directory (AD). This may happen if the Quest InTrust Server service does not have sufficient rights (see the System Requirements document for details) to create a Service Connection Point (SCP) in AD. Check events logs, starting with the InTrust log, on the InTrust Manager and InTrust Server machines for events looking related to possible problem with the RPC Locator service and creating an SCP in AD, respectively.

Besides, if you know that a specific InTrust Server is available, you can connect to it by specifying it manually, whether or not it is on the list.

If an InTrust task has the starting date in its schedule set to some day before the date when the system switches to the daylight-saving time, it will begin starting one hour later than the start time specified in its schedule when the system switches to DST. A task with its starting date in the DST period starts one hour earlier than specified in the properties of its schedule when the system switches to the standard time. When the time is adjusted back, the actual local time the task starts at will match its start time specified in its schedule again. 0154835

You may receive the following error:

Internet Explorer Script Error: '' is null or not an object

when you have the Quick Start node selected in the left pane and click the right pane. You must be clicking there too early. Wait for the content of the right pane to be fully loaded before you click it.


Quick Start will fail to generate reports you specify if InTrust is configured to use SRS running on a computer different than SQL Server machine hosting the InTrust database(s) you are trying to report on, and Windows authentication is used to connect to Reporting Services.

The following error message will be received:

Login failed for NT AUTHORITY\Anonymous Logon.

When you edit settings of an existing consolidation job and change the source repository, InTrust Manager doesn't prompt you for a new set of repository objects to be copied. Make sure to review the objects selected for processing in the new repository. 41513
When InTrust is running in the Object Level security mode, the InTrust Manager snap-in may crash at an attempt to run Quick Start wizard under an account that does not have the Modify permission on either the Sites or Gathering node, or neither. 48615

Table 11: Workflow and session known issues

Known Issue Issue ID
The If the task is still running, stop it at this time option in the task's Advanced Schedule Options dialog box does not work. Instead, use the Stop the task if it runs for option. 0112061
At least 5 minutes must pass between committing a change made to a task and its scheduled start. For example, if you modify a task and commit the configuration at 8:40, then schedule the task to begin no sooner than 8:45. Otherwise, the task will fail to start. 0112041
Tasks with identical names may fail. Avoid creating such tasks. 0112240
The Application job may seem to be not responding while the application it launches is running. Wait until the application is completed. 0112045
Do not use UPN-style account names ( 0112049

If InTrust Servers in an Organization are concurrently running too many tasks, you may receive the following error in results of some sessions:

"Components Manager: Failed to find Storage Accessors. Error=0x80004005: Timeout expired. Unspecified error."

This happens because each task accesses InTrust Configuration database, and some of them fail to do that because of query timeout expiration. If you cannot reduce the number of task that run concurrently, consider increasing the value of the timeout setting on the SQL Server level using the sp_configure stored procedure.

When you create an Application job, clicking the Browse button for Working Directory may not work and result in an error message. If this happens, type in the full path to the working directory instead of browsing for it. 0120361
A session for an InTrust job of the Windows Scheduled Task type configured to run a scheduled task that fails to start will be logged as successful if the job has the 'Synchronous operation' option disabled. 0149467
If a job finishes with an error, its session information may contain the error code without an error description. 0155885

An InTrust job of the Windows Scheduled Task type can be configured to run a task scheduled on a computer running Windows Vista or later only if the task meets both of the following requirements:

  • The task is set up with the Windows 2000/XP/2003 compatibility option enabled.
  • The task is located in the Task Scheduler Library, and not in its subfolder.

If either condition is not met for a scheduled task on Windows Vista or later, you will not see it in the Select Windows Scheduled Task dialog when you run the New Job Wizard in InTrust Manager.


Table 12: Agent known issues

Known Issue Issue ID

If an agent consistently fails to start on a Windows machine, and you find the following error in the local Application event log:

InTrust agent stopped unexpectedly. Error occurred: An attempt was made to access a socket in a way forbidden by its access permissions. (Win32 error: 10013). or the following error from the agent process is written to syslog on the Unix machine hosting an InTrust agent: InTrust agent stopped unexpectedly. Address already in use (CRuntime error: 98).

Сheck if any other active process (application, service, daemon) is configured to listen on the port you are going to use as the InTrust agent communication port on this machine (TCP port 900 by default). If you find some, reconfigure either the agent or the other application/service/daemon to use a different port. To change the communication port setting for InTrust agent, edit the agent.ini file located in the agent folder.

If an agent has been installed manually, then uninstallation should also be performed manually rather than from InTrust Manager. 0111578
You may have to uninstall the agents manually, if the InTrust Server to which the agents belonged is uninstalled. To avoid this, uninstall the agents from InTrust Manager prior to removing the server. 102815

When agents are used to gather audit data, the following error may occur:

Agent has not yet established connection to the InTrust Server (0x8adc2c09).

This situation may occur due to network problems, or when InTrust services have just been restarted, and agents have not communicated to the InTrust Server yet.

You may get several agent errors, if there's no free disk space on the computer where the InTrust agent is installed. For example: ADC Error: User not found (0x8adc3207), (0x8adc2c05) 0111560

An attempt to manually register an agent on an InTrust server may fail with the following error message:

'Cannot register agent on the InTrust server <...> No connection could be made because the target server actively refused it. <Win32 Error 10061>.'

Check if the Quest InTrust Agent service is running and not stopped on the InTrust server. If the service is stopped, start it and try registering the agent again.

Also note that this error is possible if port 900 is closed by a firewall between the agent and the server.

Installation of an agent on a computer under an account from a trusted domain may fail with an error message stating that the 'Logon as a service' right cannot be granted to the agent account. This happens if the specific account has never logged on to that computer before. To prevent the problem, log on to the target computer under that account before installing the agent. 0114825
When you are installing an InTrust agent by running the agent installation package (adc_agent*.msi), a Command Prompt window pops up. This window neither requires any input nor indicates of any problem with the agent installation. 0135636
If you install an agent on a computer using the .MSI package, then manually uninstall it with the adcscm.nt_intel.exe -uninstall command and try to install it later using the .MSI package again, the agent setup prompts you to repair or remove the agent as if it was still installed. Select the option to Remove the agent, let the setup run to the end, and then run it again to have the agent installed. 0135745
InTrust agents do not support the ja_JP.SJIS locale on Linux. 0148319
If you use InTrust Manager to unregister an InTrust agent residing on a computer that has no connection to the InTrust Server, then you may get errors trying to register the agent again with InTrust Manager after the connection is restored. If this happens, use the agent command with the -add parameter on the target computer. 0149798
If agent recovery takes place on a site for which the Prohibit automatic agent deployment on site computers option is enabled, the InTrust Server log may contain incorrect messages stating that the recovery was successful. 0114462
When you are uninstalling an InTrust agent by running the agent installation package (adc_agent*.msi), the File In Use dialog may pop up stating that the Quest InTrust Agent process currently uses the files that require update, and prompting you to either Exit or Ignore or Retry. Agent uninstallation is expected to finish successfully if you select the Ignore option. 54666
When you select a shortcut menu command to uninstall an agent running on a machine in a different AD forest than that the InTrust Server machine belongs to, the agent service may be not uninstalled from its local machine even if you enter proper account credentials when prompted and the agent is no longer listed as installed and running in InTrust Manager. You may have to check the presence of the Quest InTrust Agent, Quest InTrust Agent Installer and Quest InTrust User Session Monitoring services on the machine you attempted to uninstall the agent from, and remove the services manually. 83400
You may experience delays with successful agent installation for a collection or site that includes a large number of computers that are unavailable at the time of this operation. 83399

Table 13: Networking known issues

Known Issue Issue ID
InTrust does not support NetBIOS computer aliases.  

Table 14: Real-time event log gathering known issues

Known Issue Issue ID
When you create a collection in InTrust Deployment Manager, only events logged after the start of real-time gathering will be collected to the target repository of that collection. If you need events logged before that moment to be collected into the same repository, consider using InTrust Manager to collect those events into another repository and run a consolidation job to move those events to the repository you need this data in. 83446
In InTrust Deployment Manager, you may see some computers listed with the "Not installed" status that never changes. If you see this, check if your DNS server has multiple computer name entries for IP addresses matching those of computers with the sticky "Not installed" status, and clean up stale DNS records. 82991
If you delete a data source associated with any collection, the number of computers in every collection will be displayed as "0" until InTrust services are restarted on the InTrust Server machine. Computer counters in InTrust Deployment Manager is the only implication of the effect, no other aspect of InTrust operation is affected. 83414
If, in a multi-server InTrust organization, you uninstall an agent with no error, but its status is still displayed as "Installed" and further attempts to uninstall it keep failing with the "Cannot uninstall agent" problem, this agent must be a part of collection that is assigned to another InTrust Server (not the server that installed the agent on its computer). 83485
If you change the communication port number from its default value during the InTrust installation, InTrust Deployment Manager cannot automatically connect to the local InTrust Server. Use the Connect to menu command to manually select the local server as the one to work with. 83413
If you work with InTrust Deployment Manager connected to one InTrust Server in a multi-server InTrust organization and another InTrust Server goes down, collections handled by the failed server will continue looking 'green' to you. 83508

Using the same repository for real-time event collection and task-based workflow is discouraged.

One of the possible consequences of using it for both methods is that after you start real-time collection from a computer for the first time, no data from that computer will be available to InTrust import and consolidation jobs for the first 24 hours, even though the data will be available in Repository Viewer.

There are other implications as well. Specialize your repositories by type of auditing method.


If you have multiple collections performing real-time event gathering of the same log from the same computer, then you will have duplicate events in the repository and in reports created by Repository Viewer.


If a real-time collection is populated by LDAP query, the resulting set of computers can be different from the set returned by Windows native tools. This is because InTrust and Windows use different attributes for identifying computers by name.


Table 15: Task-based gathering known issues

Known Issue Issue ID

If changing IndexManager Server or path to an index of the indexed repository, gathering into this repository may fail with an error like:

Failed to insert event to repository. ADC Error: The repository at "\\?\C:\Repository\" has multiple indexes, which is an unsupported configuration. The extra indexes could not be cleared automatically.

Events logged for renaming an account in Active Directory collected with a gathering policy based on a data source with the Create agent-side audit log backup option enabled may be stored to the target repository or/and database with the old account name specified instead of its new name. This happens because, due to the current implementation of operations with AD accounts and event logging in Microsoft Windows, this data is not yet available at the moment when the event is written to the agent-side cache. 57888
If at the moment you attempt to gather Microsoft Proxy Server log this log contains event data in different formats, then gathering process will not work correctly. 0117156
If you gather IIS/ISA Server text logs with the Time data field disabled for logging, some events may be lost. To avoid event losses, don't disable the Time field in the logging options on IIS/ISA Servers you are going to collect logs from. 0117109

If you receive the following error message in the task session results:

The session terminated unexpectedly.

while the individual job sessions under this task are marked as successful, check if the system time is synchronized between the InTrust Server and the SQL Server that hosts the InTrust configuration database.

Time stamp for events collected with a Data Source of the Custom Text Log type may be displayed incorrectly in InTrust Repository Viewer if these events were logged before the system time adjustment for daylight savings but collected after the time switch. In the Audit database, event time is saved correctly and this problem does not affect in InTrust reports. 0154507
When events from the IIS log are collected with the Ignore events older than / before option enabled, a warning about some events having been ignored is not logged to the results of the gathering job session as it is for gathering jobs that collect events from other logs with this option enabled. 0155889
If an InTrust Server is included in a site with automatic agent deployment disabled, a message about skipped agent installation is generated for the InTrust Server computer, and no gathering or monitoring policies that apply to the site are applied to it. As a workaround, consider including the InTrust Server computer into a site with automatic agent deployment enabled and running some gathering job for that site at least once. Then you may move it back to the original InTrust site since the policies will work for it as expected. 0114233
Events on a Group Policy creation collected with a gathering policy based on a data source with the Create agent-side audit log backup option enabled may be stored to the target repository or/and database with the GPO display names unresolved. This happens because, due to the current implementation of GPO creation and event logging in Microsoft Wi2ndows, this data is not yet available at the moment when the event is written to the agent-side cache. 27221
On domain controllers that are really busy with processing Active Directory requests, Events on operations with newly created accounts collected with a gathering policy based on a data source with the Create agent-side audit log backup option enabled may be stored to the target repository or/and database with SIDs not resolved to account names. This happens because, due to the current implementation of account creation and event logging in Microsoft Windows, this data is not yet available at the moment when the event on account creation is written to the agent-side cache. Account resolution for events following an account creation event is done based on the account data stored in the agent SID cache, causing account SIDs being collected for these events instead of account names until the account is cleared form the cache. 71273
When you change the location of an event log file on a computer running Windows Server 2008 or later, InTrust may be unable to collect events from that log even after you reboot the server and it starts writing new events into the log at its new location. Like Windows native Event Viewer running on a remote pre-Windows 2008 machine, InTrust will be unable to use the log after you move it until you reboot the collected server again. 54042
InTrust cannot resolve event descriptions for events collected from Windows Server 2008 or later if the EventMessageFile or CategoryMessageFile value is not defined in the registry for the corresponding event Source on the collected computer. 65584,
InTrust does not automatically process Application and Services event logs auto-archived by the operating system. 81852

If a warning occurs during gathering, InTrust loses information about the number of gathered events and doesn’t show the number in the session summary.


Table 16: Real-time monitoring known issues

Known Issue Issue ID

The following real-time monitoring rules don't trigger alerts on Debian GNU/Linux, Red Hat Enterprise Linux 6.9 and 7.4, and Oracle Linux 6.9 and 7.4 hosts:

  • SU administrative activity

  • Succeeded 'su' command after failed attempts

  • Succeeded 'su root' after failed attempts

IN 1777

It may take the InTrust Real-Time Monitoring Server service a long time to stop if the Alert Database is overloaded with alerts and slow to respond.


Do not use wildcards in rule parameter values that define authorized/administrative/target/etc. groups in rules that require group membership resolution for user accounts. Most of these are rules with words 'by unauthorized personnel', 'administrative account', 'administrative rights' in their names. 0112159,
Community names with non-Latin characters are sent incorrectly when you select sending an SNMP trap as a response action for a real-time monitoring rule. 0115387
After the Quest InTrust Real-Time Monitoring Server service is restarted, real-time monitoring may temporarily stop working for a computer that is included in multiple InTrust sites under different names if those InTrust sites are configured for real-time monitoring with the same monitoring policy. Monitoring will be resumed for each affected InTrust site when it is enumerated the next time, as defined in the site properties. 0115566
The RemoveGroup script does not remove Distribution groups from Active Directory. 0115585
When a new Alerting Profile associated to a different InTrust Server is created in any installation of Monitoring Console in the InTrust Organization, clickable links in alert notification emails stop working for any alerts in the old Alerting Profiles. 0152503

If you experience a degrade in the Alert Database performance, try increasing values of the two InTrust configuration parameters that control the buffer and queue sizes for the connection InTrust makes to the Alert Database. Running the following SQL query on the InTrust configuration database will increase both sizes from the default value of 800KB (819200 bytes) to 10MB (10485760 bytes):

UPDATE ADCOrganizationParameter SET [Value] = '10485760' WHERE (Name = 'ITRT_CommMaxSizePerConnection') OR (Name = 'ITRT_CommQueueSize')

After disabling a real-time monitoring policy configured to monitor an MS IIS Server and removing the InTrust Agent from a monitored IIS computer you will have to restart IIS on that computer in order to restore its Web connectivity. 0149865
If a script-based real-time monitoring rule fails on some of the monitored computers, the agent installed on that computer does not inform InTrust Server about the failure and no error entry is reported in the InTrust Server log. 0151859
When real-time monitoring rules are matched, event field names that consist only of digits are treated as integers. This causes errors, because string values are expected. 0135658
When two or more InTrust Servers have real-time monitoring policies with WMI-based rules in them applied to the same computer, alerts triggered by rules handled by different InTrust Servers may be saved to an Alerts database of a wrong InTrust Server. 0184711
You must be a member of the Administrators group on the InTrust Monitoring Console machine to make changes to Database settings of an alerting profile if this profile has SQL Authentication selected for its connection to the Alert database. 41049

You may receive the following error at an attempt to import an exported user settings in InTrust Monitoring Console:

Cannot import user.

Enhanced error information.

Number: 0x80004005

Description: 007~ASP 0104~Operation not Allowed~

This is most likely to be caused by the settings of MS IIS hosting InTrust Monitoring Console. For more information see Microsoft KB article 327659.


An attempt to export a large number (around 10,000 or more) of alerts from InTrust Monitoring Console to a Microsoft Excel spreadsheet may fail with the following error:

Cannot show alerts.

Enhanced error information.

Number: 0x80004005

Description:&nbsp006~ASP 0251~Response Buffer Limit Exceeded~Execution of the ASP page caused the Response Buffer to exceed its configured limit.

This is most likely to be caused by the problem with Microsoft IIS described in Microsoft KB article 826756.


Table 17: Repository Viewer known issues

Known Issue Issue ID

Repository Viewer opens a repository under the same account that you are using to run it, no matter what access credentials are specified in the properties of that repository.

One workaround is to use the runas command to explicitly make Repository Viewer use the account that is allowed access to the repository. For example, if mycorp\intrust_admin is such a user account, then start Repository Viewer as follows:

runas /netonly /user:mycorp\intrust_admin new_RV.exe

As a result, Repository Viewer runs under your current account, but uses the mycorp\intrust_admin account for network operations.

Repository Viewer doesn't start on a computer where the original .NET 4.0 is installed but updates for it are not.


The Delete and Backspace keys don't work as expected in filter boxes using the "Last" keyword.


Custom values cannot be specified in the Environment and Type data fields. Сustom-made events written through the InTrust API may have any value in this field, but they cannot be matched by those fields in Repository Viewer.


Under certain circumstances, you may be receiving recurring "Out of memory" errors at attempts to run an event search. To stop receiving these errors, restart Repository Viewer. 82048
Search filters for the StartTime and EndTime data fields in user session events cannot be set for search folders where these columns are displayed in the grid. Those two are data fields of the Text type and not DateTime. You can search by those fields, entering search criteria as text, but not filter by a time interval. 82391

If you search for events where a specific insertion string or resolved insertion string has a particular value or is blank, then the results can include events where there is no such string at all.


Searches by the "Whom" field are slow.


Searches by "Any field" are slow.


Searches by some resolved insertion strings don't work.


It is not recommended that you increase the limit on the number of items displayed in the event grid. The higher the limit, the more memory Repository Viewer will consume. Changing the limit carelessly may cause your computer to run out of memory.


Table 18: SSRS reporting known issues

Known Issue Issue ID
Don't use the Update Database option for any data source in Knowledge Portal since it proved to run an outdated SQL script on Audit databases. This command is intended to update a structure of an Audit database created by InTrust of version earlier than 9.0. If you use Audit database(s) created with later versions of InTrust, you don't need to update the Audit database structure. 0190753

Don't add too many reports to one reporting job. Doing so may make the whole Tasks node not responding to your attempts to browse it, with the following error message displayed:

Enumerating collection failed. Reason: Not enough storage is available to complete this operation.

If you are absolutely sure you need hundreds of reports to be processed with one reporting job, consider installing additional memory on the SQL Server computer that hosts InTrust configuration database.


If you modify a model of a report that is already included in some reporting jobs, for example, add or remove a filter, reporting job(s) configured to compile this report will fail with the following error:

Object reference not set to an instance of an object.

After you modify a report model, you will have to remove it from any reporting jobs that use it and add them to those jobs again.


A report with query based parameters or filters cannot be added to a reporting job if a data source specified for this report is configured with invalid settings. An attempt to add such a report to a job fails with the following error:

Cannot create a connection to data source 'MainDataSource'.

If you receive this error, edit the properties of the related data source to make sure it lets the report access a valid InTrust Audit database.

An event logged to the InTrust log for a completion of a reporting job that failed states the job has completed successfully. Under the Sessions node, the status of the job is displayed correctly. 0184386

The unclear error message:

Report "<report_name>" failed to process: An error has occurred during report processing. An error has occurred during report processing. An error has occurred during report processing. Query execution failed for data set 'MainDataSet'.

is logged to the session results for each report in a reporting job that is configured to use a Data Storage that is not accessible when the job starts.


If InTrust reporting is configured to access MS SQL Reporting Services over an HTTPS connection, and the InTrust Server computer does not have a certificate installed for the specified MS SRS server, an attempt to access Reporting Services results in the following error:

Error 0x00004659: Internal error occurred. Reason: 0x80131509: The underlying connection was closed: Could not establish trust relationship with remote server.

To install a required certificate, you can use Internet Explorer to open the URL of MS SRS specified in the properties of the Reports node in InTrust Manager as 'MS SQL Reporting Services path'. When prompted for certificate installation, accept it. When the certificate is installed, you will be able to perform any operations with reports and reporting jobs in InTrust Manager.

If a reporting job fails to notify an operator specified on the Notification tab, it neither sends generated report(s) by e-mail to recipients specified on the Delivery tab even if all the settings on that tab are correct and the e-mail can be sent. 0186899

A reporting job may fail with the following error:

The job was finished, but no entry was created for it in the task session because of an error.

If this happens, check whether the account under which the job starts has the Read access permission to the Windows folder on the InTrust Server computer.


If a reporting job fails with the following error:

The remote server returned an error: (500) Internal Server Error.

check the reports in the job for incorrect filter settings. This error may be logged to the session results, for example, when some report has a filter that requires a non-empty value specified, and that filter is disabled.

When you manually stop a reporting job that is running, temporary objects related to reports the job has generated before termination may be not always automatically removed from MS SQL Reporting Services server and you may have to clean them up later. 0186374
Some subreports are cached. If you configure filters in the parent report, the subreport is not regenerated with these filters. Instead, the subreport's version is loaded from the cache. To compile a subreport with filters, press Ctrl+F5 to refresh the subreport page. 0145121
For very large reports, the Print Preview page may not open and the report may not print. 0139691
Page breaks in the online version of a report may not correspond to the page breaks in the printed version. 0139480
If the Microsoft SQL Server Reporting Services and Microsoft SQL Server used to generate a report are installed on different computers, then the report cannot be compiled using the Windows Authentication of the user currently logged on to Knowledge Portal. 0145326
Search results for the search through report descriptions may not include all keywords actually existing if description is longer than 512 characters. 0168949
If browsing for SRS local user/group accounts when configuring report (folder) security settings, in case of remote installation (Knowledge Portal installed on different computer from SRS), similar account found on Knowledge Portal computer will be selected. 0181349
If password was changed for the user account you planned to use for browsing Active Directory (specified during the setup), then error will occur when you try to browse for this account when assigning security roles in Knowledge Portal. 0173578
When storing the Solaris events, Quest InTrust may add spaces to the beginning and end of the event fields. To prevent problems at filtration, specify these fields with percent signs: '%username%', but not 'username'. 0137465
If you select the Create the Reporting Server snap-shot option on the Delivery tab of a reporting task properties, the settings of InTrust Data Sources used by reports in the job are overwritten with the values specific to this job. 0191127
InTrust does not clean up all of the temporary tables and views reports create in the databases. Depending on the version of SQL Server hosting the database you need to clean up, use the TempCleaner_2000.sql or TempCleaner_2005.sql script from the product distribution (in InTrust\Tools\Database CleanUp) to remove the temporary objects from databases. The script can be scheduled by means of MS SQL Server to be run on a regular basis and configured to delete temporary database objects older than a specified number of days. 0191293

You may receive the following confusing error:

"Query execution failed for data set 'MainDataSet'."

during an attempt to open a subreport of a report generated by a reporting job. If this happens, check if the subreport uses a different data source than the main report included into the job, and if that data source is configured with valid settings (server, database, access credentials).

You may be unable to compile subreports of the Multiple failed account logons report if a reporting job configured to compile it accesses the SQL Server under an account that does not have the db_owner role for the InTrust Audit database. 0188067
If you select the Use SRS data source associated with each report option for a reporting job, make sure no report included into the job has an associated data source with the Credentials supplied by the user running the report option selected in its properties. 31276
When you configure a reporting job with the Import objects from the following repository option enabled, and set it up to include reports configured to use event local time, as opposed to GMT, make sure to provide time values matching local time on the event originating computers in time-related filters of the reports. 36881
When you configure filters in a report and enable the NULL checkbox for either the Date/time from or Date/time to filter, values you specify in these filters will be ignored and data in the report will be filtered based on the value specified in the Interval filter. 41084
When a report with a cover page enabled is exported to a file in the Excel format, the resulting Microsoft Excel document does not include data column captions. 40615
The su command usage report may produce incorrect output if it is generated on the audit trail that includes entries in languages other than English. 26561

A reporting job configured to import required data from a repository may sometimes fail with the following error logged to the session results (RDDI Import node):

Description: Cannot initialize the required component. Cannot create one of the InTrust components.Cannot open repository. The system cannot find the path specified.


Description: Cannot import data from the repository.Cannot enumerate the repository objects.

If this happens, check if there is a database or some other object under Data Stores node in the configuration with a name identical to that of the source repository for the job. Rename one of the objects to make names of all objects under the Data Stores node unique.


You cannot specify a name of a text file listing parameter values in the input field on a report parameter tab in the reporting job configured to import required data from a repository. If you do so, the reporting job will fail with the error message looking like:

Internal error: Cannot initialize required component.ADC Error0x8add2102: Failed to initialize DataFilters.


If a reporting job configured to import required data from a repository fails with the following error:

Preparing for data import has finished with errors.

check that a semicolon (";") is the last character of a connection string specified in the data source of every report included into the job.

Report driven data import (RDDI) does not work for reports from the Quest InTrust Report Pack for VMWare vCenter and ESX/ESXi. You need to collect or import events for these reports into an audit database with a gathering or import job before you generate a report output. 73519

When you configure a report to use filter values from a file, on a 64-bit Microsoft SQL Server 2008 the report will fail with an error message stating:

OLE DB provider 'Microsoft.Jet.OLEDB.4.0' cannot be used for distributed queries because the provider is configured to run in single-threaded apartment mode.

Follow these steps to work around this problem:

  1. Download the report from your Microsoft SQL Reporting Services Server as an .RDL file, edit this file to replace the 'Microsoft.Jet.OLEDB.4.0' text with 'Microsoft.ACE.OLEDB.12.0' and upload the updated file back to the SSRS.
  2. Execute the following batch on your 64-bit Microsoft SQL Server:
    USE [master]
    GO EXEC master.dbo.sp_MSset_oledb_prop N'Microsoft.ACE.OLEDB.12.0', N'AllowInProcess', 1
    EXEC master.dbo.sp_MSset_oledb_prop N'Microsoft.ACE.OLEDB.12.0', N'DynamicParameters', 1
Microsoft Office "International Support" feature is required on the host with RV to display international (Japanese, Korean, etc) symbols in reports for interactive reporting, and on the host with InTrust server for scheduled reporting. 85225

Table 19: Agent-side audit log backup known issues

Known Issue Issue ID
The option to resolve IP addresses at gathering IIS logs does not work with the 'Create agent-side audit log backup' option enabled. 0154160
When you process a non-Windows audit trail, avoid gathering the same event data to the same Audit database with and then without the 'Agent-side audit log backup' option enabled on the agents, since this may result in duplicate event records in the Audit database. For event data collect from Windows event logs, duplicate records never appear in an Audit Database. 0154165
Events collected from IIS Server log with the 'Agent-side audit log backup' option enabled are stored with empty site description fields. 0154362

An attempt to change location of an audit log backup on the agent engaged in real-time monitoring of a Microsoft IIS WWW log or gathering of that log with the 'Create agent-side audit log backup' option enabled fails with the following error popping up in InTrust Manager:

Error 0x00004659: Internal error occurred. Reason: 0x00004659: <ComputerName>: The process cannot access the file because it is being used by another process.


Table 20: Switching Wizard known issues

Known Issue Issue ID
All agents in an InTrust Site lose the Limit CPU usage to setting when the site is moved to another InTrust Server with Switching Wizard. 0141795
Don't use the AdcFailover.exe from the Support Tools folder on the InTrust Server to start the InTrust Server failover process. In the current version of InTrust, use the Switching Wizard that can be run from InTrust Manager, or the Switch server response action that runs when the InTrust server is down predefined rule is matched. 0115054
If an InTrust site with Unix computer has been re-assigned for processing to a different InTrust Server during a failover procedure, you must manually register every Unix agent in the site on the new InTrust Server. 0139189

Table 21: Repository management known issues

Known Issue Issue ID
If you convert the same .EVT file to the same repository using Evt2Repository.exe tool more than once, data from that .EVT file will be duplicated. 0117160

When a repository cleanup job starts under an account that has insufficient rights for deleting data from the target repository, the job fails with an error message that does not mention the reason for the failure:

Cannot clean up obsolete data from one or more data stores. Cannot remove one or more files.

When you create a new repository of the EMC Centera type and select the 'Use custom connection string:' option, make sure to not save a new line character at the end of the connection string you type in there. A connection string with trailing line feed characters will look as a valid one but will cause InTrust fail to authenticate when it connects to EMC Centera.  
Be careful to not specify a path to a file system based EMC Centera repository index when you configure a file system based repository, or to specify a path to a file system based repository when you configure a repository on EMC Centera. Either mistake may result in corrupted or lost data in a repository.  
Repository Viewer does not correctly display insertion strings longer than 260 characters in events stored in a repository. Characters starting from position 261 are not displayed.  
The Use this InTrust server to manage the repository setting in the properties of a consolidation job cannot be used with InTrust repositories based on EMC Centera. 54022

You may receive the following misleading error message in Repository Viewer when you open an indexed repository through an InTrust Server:

Could not open repository. Error details: Repository is not ready for index-based search. Select a different repository.

In InTrust Manager, go to /Configuration/Data Stores/Repositories, open the Properties dialog for the affected repository and verify that the path to it is specified in the InTrust configuration as a UNC and not as a local path that is valid for only one InTrust Server machine in the organization.

If you specify a special account for repository indexing in the Properties of a repository and plan to run IndexingTool.exe locally on the repository machine, provide that the account has the Log on as a batch job user right on that machine. 67189

Indexing a repository located on a local disk of an InTrust Server computer that manages indexing of this repository may fail with the following error message in the InTrust Server log (Event ID 14128 in the InTrust event log):

Indexing of repository "<repository_name>" failed. Details: Indexing on agent localhost failed, reason 'ADC Error: ADC Error0x80004005: Cannot create temp directory Unspecified error (Win32 error: 0x80004005), error code 0x80004005 '.

This happens if a specific account is specified in the properties of an InTrust Server local repository to be used for access to it, and this account does not have sufficient access rights to the %TEMP% folder of the Quest InTrust Server service account. Consider either changing the account used to access the repository or giving it rights to write to and read from that folder.

Repository Viewer does not notify a user if a connection to the open repository or its index is broken, for example, because of a networking issue or change in security settings. If you fins that the number of events displayed in Repository Viewer becomes unexpectedly small, try reopening the repository. If this operation fails, act upon the error message you receive. If you receive no error but reopened Repository Viewer shows no events for any node in the repository except the root node, this means that the connection is lost with index only. 67298

You may get the following non-informative error message in the InTrust Server log:

Indexing of repository "<repository_name>" failed. Details: Indexing on agent <agent_name> failed, reason 'ADC Error 0x80070643'.

It usually means that an agent has failed to install IndexingTool.exe on its local machine (for example, because system requirements were not met or user privileges were insufficient).

When you run Repository Viewer using an account with no administrative rights on the local machine, and specify a wrong path to the repository you want to open, a message box that pops up to notify you of this error may display no text. 67270
An attempt of an agent to install IndexingTool.exe on its local machine may cause a system restart if the machine has Repository Viewer installed. 67297

If you open a repository in Repository Viewer installed on an InTrust Server computer where the port number for InTrust Manager connection has been changed from the default value (8340), and you select the option to open a Production repository on Local computer, you will receive the following error message:

The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)

To avoid this, change your choice on the Select InTrust Server wizard step from Local computer to This InTrust server, and select the name of the local computer from the list.


You may receive confusing error messages when you try to open a repository as an indexed one, but the indexing of this repository has not started yet.


If you see repository indexing on an agent failing with the following non-informative error:

ADC Error: , error code 0x8adc1006

check if the agent account specified in the Properties of the InTrust site differs from the account specified in the Properties of the repository for indexing. If the accounts are different, it is likely that the repository indexing account does not have access to the Local Settings subfolder in the profile of the agent account on the agent machine. Consider changing this setup to have an agent service account specified either in the site Properties OR in the repository indexing settings, or giving the indexing account Read and Modify access permissions to the profile of the agent account.


You may see repository indexing on an agent failing with the following error:

A required privilege is not held by the client

This is likely to mean that you have one and the same account explicitly specified as the agent account in the Properties of the InTrust site and the account specified for indexing in the Properties of the repository. If this is the case, verify that the account has the following user rights on the agent machine:

  • Replace a process level token
  • Log on as service
  • Log on as batch job
  • Adjust memory quotas for a process
If you open a repository that has not been indexed yet, then close Repository Viewer and open it again when indexing of this repository is done, the status of the repository in Repository Viewer will be still displayed as 'Not indexed'. This happens because Repository Viewer does not refresh repository indexing statuses at its startup, and has no negative effect on viewing repositories and searching events. 70451

Repository indexing on a remote machine may fail to start with the following error message registered in the Application event log:

Event ID: 14128

Type: Error

Source: Indexing Launcher

Operation: Indexing


Description: Indexing of repository "Default InTrust Audit Repository" failed. Details: Indexing on agent localhost failed, reason 'ADC Error0x80070643'.

This is likely to happen if the %TEMP% folder for the local system on the agent machine is missing. The automatic installation of Quest InTrust Indexing Tool (IndexingTool.msi) is being run under the local system account and fails with this error if it cannot access the temporary folder (normally %SYSTEMROOT%\Temp). Make sure the folder exists and the installation process can access it.


If you see the following error message in the Application event log:

Event ID: 14128

Type: Error

Source: Indexing Launcher

Operation: Indexing


Description: Indexing of repository "Default InTrust Audit Repository" failed on agent <computername>. Reason: 'ADC error: ADC Error0x80070006: The handle is invalid. The handle is invalid. (Win32 error: 6), error code 0x80070006..

this may be a result of the computer hosting the repository being too busy and slow to respond at the time of indexing. Try reducing the load on the repository machine or re-indexing the repository later.

If you find that the Quest InTrust Server service process (adcrpcs.exe) terminates unexpectedly, this may be a result of repository indexing on the local computer running out of disk space. Resolve the disk space problem and restart the Quest InTrust Server service. 61874

Repository Viewer may fail to display events from a repository with the following error message that may be confusing:

The process cannot access the file because it is being use by another process.

This error is likely to mean one of the following:

  • The idle repository you are trying to view is opened with another instance of Repository Viewer.
  • You try to view an idle repository that is currently being indexed.
  • You select the Open Idle Repository option in Repository Viewer to open a repository that should be accessed through an InTrust Server.

If you create a new repository object with a non-default path that is also used by another repository, you will get duplicate indexes, gathering will stop working and the InTrust log will contain errors like the following:

Operation failed on agent localhost. Reason: 'ADC Error: The repository at "DEAUDI00 InTrust Audit Repository" has multiple indexes, which is an unsupported configuration. The extra indexes could not be cleared automatically. Please delete irrelevant indexes to make sure the repository has only one index. For details, see the Working with Repositories document from the InTrust documentation set., error code 0x8adc1005'


Table 22: Solaris data processing known issues

Known Issue Issue ID
On a SPARC machine, a successfully installed agent may fail to start with the following error message logged to syslog: "ADC error: 8adc1006 host/server name not known". If this happens, use the 'hostname' command to restore the host name. 0111618
During an attempt to uninstall an InTrust agent on a Solaris system, the file adcscm.solaris_sparc may be removed before the agent process is stopped. In that case, uninstallation of the agent fails, and no further attempt to uninstall the agent can succeed until you create a new file with the name 'adcscm.solaris_sparc' that the uninstallation process is able to remove. 0114822

When you are gathering BSM log events from a Solaris host that does not have access to a DNS server and has an entry for itself in the hosts file only by a FQDN and not by its short name, gathering fails with the following error:

'ADC Error: Failed to collect from network object. (Internal error: Failed to enumerate event logs. (host/servername not known (CRuntime error: 8)))'.

Edit the hosts file on the Solaris host to include an entry for the short name of that host.

When InTrust collects syslog events from a Linux machine, events logged on a Solaris machine and redirected to a Linux machine are stored with the Linux PlatformID (630) and not the Solaris one (610). When InTrust collects a redirected Linux syslog trail from a Solaris host, all events are saved with the Solaris PlatformID. 0152540

The following reports from the InTrust for Solaris report pack work only for events collected from Solaris 8 and 9:

  • Forensic Analysis / Solaris Syslog Events
  • Normal User Activity / Logins / Failed logins
  • Normal User Activity / Logins / Successful logins
  • Normal User Activity / Privileged User Logins / Failed logins of privileged users
  • Normal User Activity / Privileged User Logins / Successful logins of privileged users
When you collect data from a BSM log, you may receive a warning that InTrust is unable to find the last gathering position in the log file to start gathering from. InTrust is unable to identify a last gathered event in the BSM log file if any process keeps the log file open at the time of gathering. When this happens, all data in such a log file is gathered starting from the first record in it. To avoid collection of duplicate data, consider forcing the Solaris system to start writing a new BSM log file shortly before the gathering is started.  
When you change the adc_temp_path parameter for an agent running on a SPARC Solaris machine, you may receive the "Connection is closed" error in InTrust Manager. If this happens, the target agent loses connection(s) to InTrust server(s) and may crash with a core dump. After a restart, the agent will reconnect to InTrust server(s) it is registered with. Sometimes it is required that the agent is restarted more than once before it is able to successfully restore the connection(s). 47168

Table 23: Linux data processing known issues

Known Issue Issue ID
On Linux systems with Novell AppArmor enabled, InTrust cannot gather or monitor data with the Syslog data source out-of-the-box and requires ad-hoc tuning of AppArmor configuration. 56955
The 'Text file modified' real-time monitoring rule doesn't work for files with space characters in the names. 0185158
Alert generated by predefined rules from the Account Management group may display inconsistent user names if a user is not only created or only deleted but created AND deleted between the consequent runs of the rule script (at 1 minute intervals by default). 0116004
On Linux systems with SELinux enabled, InTrust cannot gather or monitor data with Syslog data source out-of-the-box and requires ad-hoc tuning of SELinux configuration. 56684

Table 24: HP-UX data processing known issues

Known Issue Issue ID
The ADC Error: System resources exceeded (0x8adc100b) error received at log gathering from an HP-UX system is most likely to mean that the value of the max_thread_proc Kernel Parameter in the collected system should be increased (see for details). This error is most expected at gathering from HP-UX 11.11 systems where this parameter is set to 64 by default. 54690

Table 25: Syslog processing known issues

Known Issue Issue ID
When syslog events are collected from a computer to which syslog is redirected and not from original host that generate them, event time values in local time will be calculated based on the time zone of the computer InTrust collects them from. If you choose to treat timestamps in syslog events as local time, consider redirecting syslog for gathering it with InTrust to a computer in the same time zone as the hosts you redirect it from. 0146199
InTrust agent makes a backup copy of syslog*.conf files when it starts, and restores the files from that backup when it shuts down. Changes you make to syslog*.conf while InTrust agent is running are lost when you shut down the agent process. Consider keeping track of the changes you make since you may need to reapply them after shutting down the agent. 60463

Table 26: Microsoft IIS log processing known issues

Known Issue Issue ID
Microsoft IIS FTP log monitoring in cached mode does not work with IIS 6.0. 0145807
InTrust cannot resolve the %event_1.cs_cookee% parameter in alerts and notifications generated by real-time monitoring of the Microsoft IIS WWW log. 25411
During real-time monitoring or gathering of IIS 7.0 WWW logs with the agent-side audit log backup enabled, the values of some data fields (time_taken, cs_bytes, sc_bytes) in generated alerts or collected events are set to 0. 51758
Gathering of WWW logs in UTF-8 format does not work if logging on the IIS is configured with the Do not create new log files option enabled (a size of a single log file is not limited). 53804
Real-time monitoring and gathering of IIS 7.0 FTP logs with the agent-side audit log backup enabled doesn't work. 52601

Table 27: Microsoft ISAS log processing known issues

Known Issue Issue ID

The following reports in the current version of InTrust do not return events collected from MS ISAS 2004:

  • ISA Firewall: Cannot Assign Requested Address
  • ISA Firewall: Connection Refused
  • ISA Firewall: Connection Timed Out
  • ISA Firewall: Host not Found
  • ISA Firewall: Network is Unreachable
  • ISA Firewall: Total Statistics
  • ISA Firewall: User Connection Statistics by Agent/Platform
  • ISA Firewall: Received Kbytes by Date (chart)
  • ISA Firewall: Requests by Date (chart)
  • ISA Firewall: Sent Kbytes by Date (chart)
  • InTrust for ISAS / MSProxy / Security / Events Statistics / Raw Data Analysis (form)
  • InTrust for ISAS / MSProxy / Security / Events Statistics / Events Statistics
  • InTrust for ISAS / MSProxy / Security / Advanced Forensic Analysis / Anomalies Analysis / Anomalies Analysis

Table 28: Microsoft ACS data processing known issues

Known Issue Issue ID

If a gathering job configured to collect event data from ACS keeps failing with the following error logged to its session results:

Data Source: Microsoft OpsManager ACS events Description: Errors encountered at data collection. ADC Error: Failed to collect from network object. (Internal error: Failed to enumerate event logs. (Cannot enumerate event log instances. (The requested operation timed out.The requested operation timed out.)))

check if the Microsoft SCOM console installed on the InTrust agent (or InTrust Server, in case of agentless gathering) machine is of a version compatible with that of the collected ACS server.


Table 29: Custom text logs processing known issues

Known Issue Issue ID
Some log files of formats that suppose log data to be rewritten and not always appended to the end of the file, may be collected incorrectly and some events may be lost. If this happens, the 'Invalid record' warning is logged to the gathering session results. 0118101
InTrust agent running on a Unix machine may crash if you specify a wildcard as a part of a name for a directory immediately under the root, like '/tm*', in the path to the collected log. However, for directories down the file system tree in log paths, like '/home/user*', wildcards are safe to use. 0123466
When you collect an audit trail data with a Custom Text Log Events type data source, every event will be collected with values of Version Major and Version Minor data fields set to those of the last collected event. 0165698
The Description data field of events collected with a Custom Text Log Events type data source is not saved to an InTrust audit database. 0184224
In the New Data Source Wizard, on the Date/Time step, clicking on the Test Formatting button will display a correctly parsed date/time fields even if you don't specify field delimiters between field numbers in the 'Log fields' field of the dialog page. However, when you later collect data with the data source created in this way, gathering sessions will fail with error messages stating that some lines in the log cannot be parsed. For example, if the format of date and time data in the log is space delimited, like "Mar 23 12:13:10" and, in the 'Log fields', you specify "<1><2><3>" and not "<1> <2> <3>", the Test Formatting button will recognize date and time correctly but the gathering module will not. Make sure to always accurately specify field delimiters in the 'Log fields' input field on the Date/Time step of New Data Source Wizard. 0183396

Table 30: DB-based logs processing known issues

Known Issue Issue ID

In the DB-based log provider query, data fields of type(s) TEXT or/and NTEXT must be either come last in the SELECT statement or be explicitly converted to the NVARCHAR data type. Otherwise the following error will be received at gathering:

[Microsoft][ODBC SQL Server Driver]Invalid Descriptor Index.

If the Oracle DB-based log is being collected from a machine with no Oracle driver installed, Microsoft ODBC Driver for Oracle pops up an error message about the absence of the required Oracle driver on the collected machine. For collections that don't use agents, this message box pops up on the InTrust Server machine, while for agent-enabled collections the error message pops up on the agent side. There is no way for InTrust to suppress this error message box because of the specifics of Microsoft ODBC Driver for Oracle implementation. 0121853
Attempting to select an SQL server from the list in the New Database log template wizard may result in InTrust Manager crashing. This is caused by Microsoft ODBC driver behavior and cannot be controlled from the InTrust Manager snap-in code. 0111355

Table 31: Command line tool known issues

Known Issue Issue ID

If you run the Evt2Repository.exe tool on a Windows 2008 machine to import events from an event log saved to an .evt file on a pre-Windows 2008 computer, the tool fails with an error message saying the event log file is corrupted. To work around this problem, you can do one of the following:

  1. Process the file with Evt2Repository.exe on a computer running Windows Server 2003 or earlier.
  2. Open the .evt file with Windows 2008 Event Viewer and save it in the .evtx format. Then run Evt2Repository.exe again to import events from the saved .evtx file.
Don't use the AdcChangePath tool from the InTrust Support Tools folder. 0153635
When the AdcSrvAcc.exe tool is started with the -restart switch on the command line, the Quest InTrust Server, Quest InTrust Real-Time Monitoring Server and Quest InTrust Agent services are not restarted as expected but just stopped and have to be started manually. If the services are not running when the AdcSrvAcc.exe is run with the -restart switch, only the Quest InTrust Server service starts, while the Quest InTrust Real-Time Monitoring Server and Quest InTrust Agent services still have to be started manually. It is recommended that you don't rely on AdcSrvAcc.exe in restarting these three InTrust services but run it without the -restart switch on the command line and use the Services snap-in, net stop/net start commands or some other tool of your choice to have the services restarted. 0153996

Use the Evt2Repository.exe tool to import events only from event log files saved in the .EVT format with Event Viewer. If you try to point it to a raw .EVT file the system is writing events to, or the copy of such a file created outside Event Viewer, Evt2Repository.exe will fail to import events from this file with the following error:

Cannot convert file. The event log file is corrupted. (Win32 error: 1500)


Table 32: Platform-specific known issues

Known Issue Issue ID
If you collect event logs from computers running Windows Vista or later without agents, and InTrust Server is running on a Windows 2003 machine, then the values of some data fields in collected events will not be resolved. Agentless gathering from machines running these operating systems should be done by InTrust Servers running on computers running Windows Server 2008 or later. 53708

InTrust agent for HP-UX does not support the following code pages:

  • arab8 : HP-Arabic8
  • arabe : Arabic EBCDIC
  • chinse: Simplified Chinese (China) EBCDIC
  • chinte: Traditional Chinese (Taiwan) EBCDIC
  • cp037 : Code Page 037, american, c-french, dutch, portuguese EBCDIC
  • cp277 : Code Page 277, danish, norwegian EBCDIC
  • cp500 : Code Page 500, new swiss-french, swiss-german, belgian EBCDIC
  • cp870 : Code Page 870, EBCDIC code for East European languages, eg,
  • cp875 : Code Page 875, Greek EBCDIC incl. Euro (= greee)
  • cp880 : Code Page 880, bulgarian, russian EBCDIC
  • cp924 : Code Page 924, Latin9 EBCDIC incl. Euro
  • cp930 : Code Page 930, Japanese EBCDIC, contains 16-bit characters
  • cp939 : Code Page 939, Japanese EBCDIC, contains 16-bit characters
  • engle : English EBCDIC
  • finne : Finnish EBCDIC
  • frene : French EBCDIC
  • germe : German EBCDIC
  • gree8 : HP-Greek8
  • hebr8 : HP-Hebrew8
  • hebre : Hebrew EBCDIC
  • icele : Icelandic EBCDIC
  • itale : Italian EBCDIC
  • japae : Japanese EBCDIC
  • jis : JIS (JIS X0201, JIS X208-1990, JIS X212-1990 Japanese)
  • katae : Katakana EBCDIC
  • koree : Korean EBCDIC
  • sjishi: Shift-JIS (JIS X0208-1990 + UDC, VDC for Mainframe user)
  • sjispc: Shift-JIS (JIS X0208-1990 + UDC, VDC for PC user)
  • spane : Spanish EBCDIC • swede : Swedish EBCDIC
  • thaie : Thai EBCDIC
  • turk8 : HP-Turkish8
  • turke
  • jefc
  • jefk
  • jefc9p
  • jefk9p
  • kana8
  • keis7k
  • keis8k
  • keis7c
  • keis8c
  • jipsj
  • jipsec
  • jipsek
  • eucJPp
  • sjisp



System requirements

Before installing InTrust 11.3.1, ensure that your system meets the following minimum hardware and software requirements.

For detailed system requirements for all the InTrust components and processed systems, see the System Requirements topic.

IMPORTANT: Before you install any InTrust components on Windows computers, confirm that no deprecated Windows updates are applied there. For details about which updates to avoid, see the description of issue IN-1714. If your Windows updates are recent, you should be safe.

Product licensing

When you install the product and launch InTrust Deployment Manager or InTrust Manager for the first time, you will be asked to provide a license. Supply the license that you obtained from the sales representative. If you do not supply a license, most of InTrust functionality will be unavailable to you.

To obtain a license, contact your local sales office listed at

Upgrade and installation instructions

InTrust 11.3.1 supports upgrade from InTrust 11.3, 11.2 and 11.1. To upgrade from earlier versions, you should first upgrade your InTrust installation to one of these versions (as described in the Upgrade Guide for the particular version), and then upgrade from that version to version 11.3.1.

For more detailed instructions on upgrading your existing InTrust installations, see the Upgrade Guide.

To upgrade a default InTrust deployment, simply close all running InTrust client components and run the Default InTrust Suite on a computer where the earlier version is installed.

Related Documents