Chat now with support
Chat with Support

InTrust 11.6 - Release Notes

Known issues

The following is a list of issues, including those attributed to third-party products, known to exist at the time of release.

Table 5: Installation known issues

Known Issue Issue ID

You may face a known issue while performing an installation/upgrade over an existing version of Intrust, as below: 

Error: System.Web.Services.Protocols.SoapException:The value of parameter 'Data Sources' is not valid.


Proceed by clicking ‘Ok’ on the system prompt during the upgrade.


During Upgrade, the IT monitoring console throws fatal error


  1. Open IIS (Internet Information services)
  2. Expand Server > Sites > Default website > IT Monitoring
  3. Left Click on IT Monitoring and click on remove


While Installing InTrust, assign new Virtual directory to InTrust Monitoring Console.


Prerequisites are not checked correctly by the installers of InTrust Knowledge Packs for the following systems:

  • VMware
  • Recovery Manager for Active Directory
  • Active Roles

If you try to install one of these Knowledge Packs on a computer that is not an InTrust server, setup does not prevent this as it should. When the installation fails, you get the following cryptic error message:

"Data source name not found and no default driver specified"


Some administrative PowerShell activity such as Remote Desktop Web Services installation could be considered as suspicious and, as a result, can trigger some actions defined by suspicious activity rules.

Workaround: Quest recommends adding the accounts that will run such installations as trusted users (in the Whitelist parameter of the suspicious activity rule). To add a user account to the whitelist, navigate to InTrust Manager | Real-Time Monitoring | Rules | Advanced Threat Protection | Windows/AD Suspicious Activity | PowerShell | Suspicious PowerShell activity, open rule properties and change the user whitelist parameter on the Matching tab. Provide the account data in the following format: <domain name>\<user name>.

If you are installing InTrust on a SQL server and updating SQL Server Native Client through the InTrust setup suite in the process, this causes the locally installed SQL Server service to restart automatically.

To avoid this, update the client to the required version before you set up InTrust.


You will have to log off and log on again once you have installed InTrust Manager to a location other than default. Otherwise, the InTrust Manager shortcut will not work. 0112449
If you have used the Add/Remove Programs dialog to uninstall InTrust, you will get the Modify/Repair/Remove dialog next time you launch InTrust setup from the CD. Click Remove and wait until setup finishes, then run setup again. 0112184

You may get the following error while trying to install InTrust:

Cannot grant the following privileges: Back up files and directories Log on as a service to <account_name> Your Group Policy settings may be preventing setup from granting the privileges specified.

There must exist a Group Policy that controls the assignment of the specified privilege(s) in your environment. InTrust setup can neither override it nor check if the account inherits the required privilege(s) from a security group the policy applies to. Make sure the policy grants the specified privilege(s) to InTrust service account, either directly or through its membership in a security group, and click the Ignore button in the error dialog to proceed with the installation.


Support for ITMonitoring Console in Microsoft Edge


  1. Open Edge, click on three dot icons on the top right corner.
  2. Click on Settings tab.
  3. Select the Default Browser present in left panel.
  4. Click on the dropdown in "Allow sites to be reloaded in Internet Explorer mode (IE mode" and select "Allow".
  5. Click on the Add button which is appeared after completing 4th step.
  6. Copy the URL you want to run and paste it into the box present below "Enter a URL:" and click ADD.
  7. Click on Restart.

InTrust Monitoring Console and Quest Knowledge Portal cannot be installed into a Virtual Directory with special characters (like !#$%^&()_+|][}{;,-=`~) in the name.


If you receive the following error while upgrading an InTrust Server:

Error Code: 1603 Fatal error during installation.

Error 0x000006BE occurred. Exiting.

First of all, check if all of the InTrust Server services have been stopped. Most often, it is Quest InTrust Real-Time Monitoring Server service that takes long to stop and causes the setup to fail with this error. If this is the case, quit the setup, make sure all of the Quest InTrust services have stopped and run the setup again.


If you receive the following error at InTrust setup:

Cannot configure default Audit Database. Error code: 0x80004005. Property value is invalid. Make sure the value is typed correctly. Unspecified error Multiple-step OLE DB operation generated errors. Check each OLE DB status value, if available. No work was done. Property value is invalid. Make sure the value is typed correctly.

Check if you have specified a database with a name that starts with a numeric character (0-9) as either Audit or Alert database. The names of all InTrust Audit and Alert databases must start with an alphabetic character (a-z, A-Z).

On the Select Features step, InTrust setup wizard displays the required disk space only for the features you select in the tree. There are, however, some features required by those listed in the tree but not shown there because they are not user-selectable. Those 'hidden' features affect disk space requirements too. Click the Disk Cost button to see the more accurate numbers for required disk space calculated with regards to the features not displayed in the tree.



When InTrust installation fails and is rolled back, some registry keys it has created are not removed. This is controlled by the Microsoft Installer and cannot be handled from the InTrust setup code. 0112227

When you are running the configdb.sql SQL script on a pre-created InTrust configuration database to provide for not giving InTrust service account the database owner right for it, you may receive warnings like the following:

Cannot add rows to sysdepends for the current stored procedure because it depends on the missing object 'dbo.ITRTProcessingRule_change'.

These warnings may be ignored since they do not indicate of any problems that may affect the future InTrust operation.

Don't specify any existing Quest Active Roles Server database as the InTrust configuration database, since these two products have incompatible requirements to the system configurations of their databases. 0153990
Components and configuration objects added to an existing InTrust installation by installing an individual Knowledge Pack cannot be consistently removed from InTrust by deselecting the related nodes on the 'Select Features' step of the Installation Wizard. 0153504

When you install InTrust or upgrade it from an earlier version, you may receive the following error message:

Error 1335. The cabinet file <cab_file_name> required for this installation is corrupt and cannot be used. This could indicate a network error, an error reading from the CD-ROM, or a problem with this package.

If this happens, try making a local copy of your InTrust distribution on the computer where you are performing the installation and starting setup from there.

If you have individual InTrust components installed on a computer to a non-default path, be sure to not use the InTrust Suite setup to add other InTrust components to that machine. Install additional InTrust components by running their individual setup (.MSI) packages from the product DVD instead. This will let you avoid problems at both installation and uninstallation of those components in the future. 0184325
When you change the installation path for the InTrust Server node of the feature tree (on the Select Features step of the Quest InTrust Setup wizard), installation paths for features down the tree is changed accordingly so that individual InTrust components are installed to subfolders of the folder you specify for InTrust Server. Note that this, however, does not apply to Quest Knowledge Portal, which does not inherit its installation path from the InTrust Server component and requires that you explicitly change the installation path if you need that. 0190311
It is recommended that you install the same set of InTrust components on all InTrust Servers in an InTrust Organization. Otherwise, you may have problems, for example, when switching the server that runs a task. 0149166

When you install a report pack and the SQL Server hosting its target database does not have SQL Server Agent running, you may receive the following warning, sometimes followed by an error dialog with the same text:

Cannot upload report pack: For Temporary Tables Clean-Up job schedule to be applied, make sure that: 1. Authentication method for database access uses the explicitly specified credentials which are stored in the data source (either SQL Server authentication, or Windows authentication). If Integrated Windows authentication i...

When you click OK in this dialog, another error message may be displayed asking you if you want to continue with the setup. Click No and wait for the setup application to prompt you with the options to Retry, Ignore or Abort the installation. When prompted, select Retry. From this point on, the installation of the report pack is expected to run smoothly.


You may receive one of the following error messages when you install the Knowledge Pack for Microsoft Audit Collection Services (ACS KP) from the command line:

  • Error: 0x80040154. Cannot install ACI packages. Reason: Class not registered.
  • Error: 0x80070005. Cannot install ADC predefined objects. Reason: Error while performing the following action: Enumerating collection. Reason: Access is denied.

This is not expected to happen again if you click OK in each error dialog window, let the installation process exit and run the knowledge pack installation command one more time.

[Trend view] Ensure "Exclude" works in trend view.


You may receive the following misleading error message when installing an additional Knowledge Pack into an existing InTrust organization:

Error: 0x80004005. Cannot configure default Audit Database. Reason: Data source name not found and no default driver specified.

This error is not expected to cause any real problem with a Knowledge Pack installation. If you see it, click OK in the error message and let the installation finish. No troubleshooting is required unless you see more errors during the installation or find the Knowledge Pack not working properly when installation is finished.

InTrust suite installation program cannot automatically discover an Exchange Server in domain trusted by the domain the InTrust Server computer is a part of. 81962

When you use the default InTrust setup, the installation program does not prompt you for the Communication Port number. If you use the extended InTrust setup to complement a default deployment, you are prompted for the Communication Port value but the setting you make is not applied to the InTrust installation. In this installation scenario, edit this registry value to change the Communication port number after InTrust is installed, if needed:



[HKEY_LOCAL_MACHINE]\SOFTWARE\Wow6432Node\Aelita\ADC\RpcServer\Endpoints\1 STRING: Endpoint="8340"


It is not recommended to create InTrust configuration database with "." symbol in its name (for example: InTrust_10.6_ConfigDB), though it will be created, such database is unusable and you will receive the error like:

Invalid database name supplied.


Sometimes uninstalling an InTrust component can cause miscellaneous problems for another InTrust component on the same computer. If this happens, open the Programs and Features facility in the Control Panel and perform a Repair operation for the component that is not working properly.


The "InTrust Monitoring Console" feature cannot be installed if the ASP record is corrupted. If this happens, reinstall the ASP Windows feature (Internet Information Services | World Wide Web Services | Application Development Features | ASP in the Windows Features facility) by removing it and adding it again.


Table 6: Upgrade known issues

Known Issue Issue ID

If you have customized the default alerting profile in Monitoring Console, then upgrading InTrust deletes the profile.


In some rare situations, if InTrust fails to apply a real-time monitoring policy, this creates an invalid configuration, and other real-time monitoring policies cannot be applied anymore. As a result, real-time monitoring and real-time collection stop working, but there are no error messages to indicate it.

This can occur in InTrust organizations where some servers have been upgraded and some haven't, and an upgraded server makes configuration changes that are not recognized by the older servers. If it happens, try the following steps:

  1. Note down the settings of all real-time monitoring policies, then delete the policies and commit the change.
  2. Note down the settings of all real-time collections in InTrust Deployment Manager and delete the collections.
  3. Recreate the real-time monitoring policies with the settings from before.
  4. Recreate the collections in InTrust Deployment Manager with the settings from before.


If you have performed an upgrade from version 11.3.1 or earlier without deleting the "Redhat Linux Syslog" data source (as recommended in the Upgrade Guide), then you will still have the old version of this data source after the upgrade. To update the data source in this situation, take the following steps:

  1. In InTrust Manager, make a backup copy of the "Redhat Linux Syslog" data source.
  2. Delete the original data source.
  3. Apply your changes by clicking the Commit button.
  4. Close InTrust Manager.
  5. Locate the Linux Knowledge Pack setup package LINUX_KP.*.*.*.*.msi in the InTrust\Server folder in your InTrust distribution and launch it and select Repair mode.

After the installation, the up-to-date version of the data source will be available.


If any job in an InTrust task completes with a status other than success, then notification task jobs in the same task may send messages where the job list contains items with invalid job type designations. These are broken duplicates of valid items in the same list, and you can safely ignore them.

This problem was fixed in InTrust 11.4 and doesn't occur in fresh installs of version 11.4 and later. However, upgrades from prior versions don't correct this, because the InTrust upgrade policy is not to overwrite any existing configuration objects.


In the course of an upgrade, you may get the following error messages during repository indexing and searching:

Unknown field <field_name> referenced in log knowledge base as source of value.

This is caused by differences in log knowledge base definitions between the old and new InTrust versions. The problem should go away as soon as all InTrust components have been upgraded—not just InTrust Server, but also Repository Viewer and others.

When you upgrade an existing installation of InTrust under an account that doesn't have DBO access rights to the InTrust configuration database, you may receive the following error message:

Cannot uninstall CI packages. Error code: 0x80004005. Cannot parse ADCClassInventory query. Error of opening file.

Click OK and continue. This error does not affect the results of the upgrade.


At an upgrade of an InTrust Server in a multiserver InTrust organization, you may receive a misleading error message:

You are about to remove an InTrust server from an InTrust organization. Any jobs configured to run on this server must be manually transferred to another live server in the same organization.

It is safe to ignore this error. Click OK and continue upgrading.


You may receive the following error when you attempt to upgrade Quest Knowledge Portal (QKP) as a part of your InTrust upgrade process:

The installer has insufficient privileges to access this directory: C:\Program Files\Quest Software\Knowledge Portal. The installation cannot continue. Log on as administrator or contact your system administrator.

To work around this error, click OK in the error message box, let the upgrade run to the end and repeat the upgrade of QKP.



Table 7: General known issues

Known Issue Issue ID

In a 2022 server machine, creating real time policy crashes the IM


Step 1: Run System File Checker (sfc) scan

  1. Type cmd in the search box, and then right click Command prompt select Run as Administrator.
    C:\Windows\System32> sfc /scannow
  1. Check the link to check for system file corruption.
    C:\Windows\System32>dism /online /cleanup-image /checkhealth

    C:\Windows\System32>dism /online /cleanup-image /scanhealth

    C:\Windows\System32>dism /online /cleanup-image /restorehealth

Step 2: Reinstall the DLL

  1. Type cmd in the search box, and then right click Command prompt select Run as Administrator.
  2. Type this in command prompt:
    regsvr32.exe /u ntdll.dll and press Enter key (this will uninstall the file)
    regsvr32.exe ntdll.dll and press Enter key (this will reinstall the file).

  3. Cleanup temp directory
  4. Restart the Machine Again run the below command and see any corrupted files
    C:\Windows\System32> sfc /scannow

  5. Restart Quest services.

Note: Wait for 10-15 minutes, select InTrust Manager Run as Administrator.


Workaround 2

  1. Create a Real time Monitoring policy without selecting operators event log message recipients in the Notification window.
  2. Click on the Policy created in step 1 and click on Properties.
  3. Click on Event Log.
  4. Select ‘Notifying the following operators’.
  5. Click on Add. InTrust Manager crashes.
  6. Now try creating Real time Policy and select event log message recipients and add the operator.

If you get a lot of events with event ID 13650 in the InTrust Server log, this may mean that an attacker is trying to scan the open ports on the InTrust server. Consider blacklisting the IP addresses that occur in such series of events.

The event description contains the phrase "The system cannot find the file specified", which in this case is misleading and should be interpreted as the system being unable to connect to a socket.


In some data sources, particularly in the newer ones, named event fields are not associated with the original event fields as you might expect. Improvement of event definitions is an ongoing process, and relevant mapping may be added for the events you need in future InTrust versions. To stay abreast of the event field mapping changes, check the Changes to Event Fields topic.


When you open SQL scripts from the InTrust distribution (for example, configdb.sql) in SQL Server Management Studio, you get an "Inconsistent Line Endings" message. This message can be safely ignored.


You may get the following warning during gathering from VMware ESXi and vCenter servers:

Cannot find the specified position in the event log.

If this happens, consider gathering more frequently. This warning means events that came after the last gathered event were lost.


Some Windows Security log events with identical event IDs have variants with different layouts, where specific fields are added or reordered. The differences exist both among Windows versions and within the same Windows version.

InTrust provides event field aliases for indexing and convenient searching, and this functionality relies on field ordering. InTrust has not always accommodated the event layout differences, and searching by affected fields may give you incorrect results.

At this time, InTrust potentially has this issue with the following event IDs:

  • In Windows Server 2016:
    4616, 4624, 4654, 4656, 4661, 4663, 4688, 4728, 4732, 4746, 4751, 4756, 4761, 4785, 5125, 5140, 5451, 5452, 5632, 6272, 6273, 6274, 6275, 6416
  • In Windows Server 2019 and Windows 10:
    4616, 4624, 4654, 4656, 4661, 4663, 4688, 4728, 4732, 4746, 4751, 4756, 4761, 4785, 5125, 5140, 5451, 5452, 5632, 6272, 6273, 6274, 6275, 6416, 5058, 5059, 5376, 5377


The InTrust agent does not require Microsoft .NET Framework for most of its functionality and can be installed on a computer without .NET. However, some agent features, such as PowerShell script-based response actions, will not work on those computers.


Event forwarding configuration and repository indexing configuration are mistakenly coupled during failover activity. If either a forwarding server or an indexing server fails, then the failover rule will switch both the forwarding server and the indexing server, even if one of the servers is OK.


An InTrust server performs self-auditing correctly only if UAC is enabled on that server. Otherwise, some InTrust activity may not be audited.


When you create a repository, specifying a local path for it is not prevented, even though InTrust does not support locally-hosted repositories.


Two InTrust servers cannot concurrently process each other using agents. 0115565
You may not be able to log on interactively to a computer where InTrust server is installed, if the InTrust configuration database went offline while restarting the computer. Wait until the database goes back online or for about 5 minutes, then try logging on again. 0115564

Don't delete the Default configuration objects (Default databases, repositories, operators, etc.) even if you never use them in InTrust sites, policies etc. Other predefined objects may have references to the Default objects by default, which may result in hard-to-find errors if referenced objects no longer exist in your InTrust configuration database. Note that the deleted predefined configuration objects are not recreated at InTrust upgrades or reinstallations, some of them causing errors at the setup phase if missing from the configuration database.

The recommended practice is to keep default configuration objects as templates for the custom ones you create for the routine use.

If two operator records with the same computer name exist in the InTrust configuration and both are specified as operators to notify, then two NET SEND notifications are sent to that one computer. 0112241
When you restart InTrust services on an InTrust Server serving a large number of agents, real-time monitoring and gathering may require a few minutes to start working again after the services are started. 0114831

If notification is configured so that email is sent to an operator that represents a group and sending fails for one of the group members (for example, due to an invalid email address), then it also fails for all other members of the group.

This issue does not occur if all selected operators represent individual users; in this case, sending failure for an operator does not affect other operators.

When the system time is set back on an InTrust Server computer or on a computer with InTrust agent running, InTrust agent-server operation may become unstable or even broken. It is recommended to restart InTrust services (either Quest InTrust Server or Quest InTrust Agent) on the computer after setting the system time back on it. Automatic time adjustment for daylight savings does not produce this effect on InTrust and does not require restarting any InTrust services. 0145993

The following error message logged to the session results of an InTrust task may indicate of a frequent changes in the system time on the InTrust Server computer:

Error: 0x80040e2f Cannot initialize the required component. Cannot initialize session. Sessions Error- The statement has been terminated. Sql State: 01000 Native Error Code: 3621 Violation of PRIMARY KEY constraint 'PK_ITGSessionsInfo'. Cannot insert duplicate key in object 'dbo.ITGSessionInfo'. Sql State: 23000 Native Error Code: 2627 , !! IDispatch error #3119

This may be happening because of some problems with hardware or operating system, frequent time synchronizations with multiple hosts on the network or some other reason.

If an InTrust site includes an AD site that has subnets misconfigured, InTrust may try processing, when monitoring or gathering from this InTrust site, a lot of unrelated computers or even all computers in the Domain(s) that the AD site spans. 0130865
You may be confused with events you may find in the InTrust event log on the InTrust Server computer stating that a job has completed with error and providing an error code without any error description. These events don't signal of any problem and may be ignored. They are logged to the InTrust event log in order to have process exit codes for InTrust jobs saved for the purpose of possible troubleshooting. 0155885
When you edit filters in data sources for IIS logs, ISAS logs, DHCP logs and Exchange events, and you want to use filtering by empty string value, specify empty strings. To do it, leave the text box in the Add/Edit String dialog box empty and click OK. 0146236

If you see a notification job failing consistently with the following error:

Object Name: (InTrust Server) Data Source: Notification Description: Cannot notify the 'Default Notification Operator' operator using the 'mail' notification type. An error has occurred during sending the mail. Error text: An established connection was aborted by the software in your host machine. Function 'recv' failed.

Verify that the SMTP server handling notification messages from InTrust does not require sender authentication.


If you are using Windows 2012 running on an ESXi 5.0, 5.1, or 5.5 host, DO NOT USE e1000e default network adapter. This may lead data corruption may occur when copying data over the network and therefore cause problems with repository indexing. You may see the following errors in the log:

Indexing of long-term items for repository "\\y12r2\RepsG\20140321_CalcE5310_Corruption" failed. Reason: Operation failed on agent localhost. Reason: 'ADC Error: Error: ADC Error: Unspecified error, error code 0x8adc1005' Indexing of recent items for repository "\\y12r2\RepsG\20140321_CalcE5310_Corruption" failed. Reason: Operation failed on agent localhost. Reason: 'ADC Error: Error: ADC Error: Field stream is invalid, error code 0x80004005' Indexing of long-term items for repository "\\y12r2\RepsG\20140321_CalcE5310_Corruption" failed. Reason: Operation failed on agent localhost. Reason: 'ADC Error: Error: ADC Error: ADC Error: ADC Error: One or more segments of incoming index data (\\y12r2\RepsG\20140321_CalcE5310_Corruption\IndexingRoot$\indexes\{00000000-0000-0000-0000-000000000000}\index\{7F}, \\y12r2\RepsG\20140321_CalcE5310_Corruption\IndexingRoot$\indexes\{00000000-0000-0000-0000-000000000000}\index\{AE}) could not be merged with the repository index, error code 0x8adc1005' The indexing queue of recent events in repository "\\y12r2\RepsG\20140321_CalcE5310_Corruption" exceeded the size limit. Please check the InTrust Server event log for errors, and consider collecting less audit data to this repository and adding more indexing servers.

For more information see the article "Possible data corruption after a Windows 2012 virtual machine network transfer (2058692)":


When the InTrust server is switched during a failover operation, you get the following error in InTrust Deployment Manager and in the InTrust Server event log:

Some required components for working with the data source could not be installed

This message is about the user session tracking component of the InTrust agents. The agents may temporarily stop reporting user session events.


Filtering of site objects by registry value works only with the 32-bit registry view on 64-bit systems.


Automatic cleanup is not implemented for the %ALLUSERSPROFILE%\Application Data\Quest Software and %ALLUSERSPROFILE%\Application Data\Quest folders. If these folders grow too large, you can safely clear their contents manually.


User session tracking events contain extended information, including the IP address of the agent computer. However, the IP address can vary from event to event as network interfaces are added and removed dynamically. Keep this in mind if you rely on IP addresses when you search for events; otherwise, you may miss important events.


Table 8: InTrust Deployment Manager known issues

Known Issue Issue ID

In InTrust versions prior to 11.4.1 Update 1, it was a known issue that multiple repository cleanup schedules could be created for the same repository if multiple instances of InTrust Deployment Manager were editing the repository at once.

This was resolved in InTrust 11.4.1 Update 1, but it can still happen if an old instance of InTrust Deployment Manager is editing a repository simultaneously with an up-to-date instance. If you experience this issue, simply set the cleanup schedule again in an up-to-date instance.


If event forwarding is enabled for a repository managed by InTrust Server 11.4.1 or later, then earlier versions of InTrust Deployment Manager show meaningless collection-wide errors for collections that use the repository. These errors can be safely ignored; they are actually incorrectly interpreted data from the forwarding engine's performance counters.


If any indexing errors occur for a repository, they are displayed in the error details dialog box for that repository until the repository-managing InTrust server clears them. However, if the server is removed from the organization before it can clear them, they stay indefinitely.

Before you decommission an InTrust server, make sure you switch all indexing activity to another server that you plan to keep using.


Caution: When a previous-version InTrust Deployment Manager works with a repository managed by a current-version InTrust server, you should never modify the configuration of such a repository. Doing so may invalidate the repository configuration. The version of InTrust Deployment Manager must match or exceed the version of InTrust Server if you want to edit configuration.


In the Computers not in a collection search folder, the type of some non-Windows computers (such as VMware ESXi servers) is erroneously shown as "Workstation".


In InTrust Deployment Manager, if you add objects to a collection through an LDAP query, you may get an object named "<data />" or "<data></data>". This happens if the returned object doesn't have the attribute that you specified in the LDAP query. To work around the issue, try using an attribute that your expected object is guaranteed to have.


If InTrust Deployment Manager is running on Windows 8.1, the "Next session start" field in repository cleanup options shows the scheduled time in the InTrust server's timezone instead of the local timezone.


Table 9: Event forwarding known issues

Known Issue Issue ID

Event forwarding fails for repositories whose names are longer than 127 characters.


When you set up forwarding in InTrust Deployment Manager, sometimes the port text box may not recognize a valid value and may give you an incorrect prompt that the port cannot be empty. If this happens, just delete the value an retype it.


When you forward events with long insertion string values (such as encrypted PowerShell logs) using the UDP transport, forwarding may stop for the repository with those events, and you may get error messages like the following in InTrust Deployment Manager:

A message sent on a datagram socket was larger than the internal message buffer.

This problem doesn't occur if you use TCP to forward such events.


If the adcrpcs service is restarted on an InTrust server that forwards events, it may resend duplicates of recent messages.


When the forwarding queue is cleared due to enforcement of retention policy, in rare cases InTrust may log invalid timestamps in events about deleted data. This happens in situations where special-purpose files are deleted. These files are used internally and don't contain audit data. You can safely ignore such events.


Table 10: InTrust Manager known issues

Known Issue Issue ID

During rule response action creation in InTrust Manager, unnecessary white space is added by the field picker control. This causes response actions to behave incorrectly, because the specified strings don't match anything due to the white space.


Computers added to an InTrust site by their NetBIOS names may be listed under the Agents node in InTrust Manager by their NetBIOS names, not by their FQDNs as might be expected. 0111184

The lists of available InTrust Servers in an organization may differ depending on whether or not InTrust Manager is installed on the same computer as InTrust Server. The RPC Locator service should be enabled on the InTrust Manager computer where InTrust Server is not installed for correct results.

A specific InTrust Server may be also not visible as available for connection with InTrust Manager if it fails to publish itself in Active Directory (AD). This may happen if the Quest InTrust Server service does not have sufficient rights (see the System Requirements document for details) to create a Service Connection Point (SCP) in AD. Check events logs, starting with the InTrust log, on the InTrust Manager and InTrust Server machines for events looking related to possible problem with the RPC Locator service and creating an SCP in AD, respectively.

Besides, if you know that a specific InTrust Server is available, you can connect to it by specifying it manually, whether or not it is on the list.

If an InTrust task has the starting date in its schedule set to some day before the date when the system switches to the daylight-saving time, it will begin starting one hour later than the start time specified in its schedule when the system switches to DST. A task with its starting date in the DST period starts one hour earlier than specified in the properties of its schedule when the system switches to the standard time. When the time is adjusted back, the actual local time the task starts at will match its start time specified in its schedule again. 0154835

You may receive the following error:

Internet Explorer Script Error: '' is null or not an object

when you have the Quick Start node selected in the left pane and click the right pane. You must be clicking there too early. Wait for the content of the right pane to be fully loaded before you click it.


Quick Start will fail to generate reports you specify if InTrust is configured to use SRS running on a computer different than SQL Server machine hosting the InTrust database(s) you are trying to report on, and Windows authentication is used to connect to Reporting Services.

The following error message will be received:

Login failed for NT AUTHORITY\Anonymous Logon.

When you edit settings of an existing consolidation job and change the source repository, InTrust Manager doesn't prompt you for a new set of repository objects to be copied. Make sure to review the objects selected for processing in the new repository. 41513
When InTrust is running in the Object Level security mode, the InTrust Manager snap-in may crash at an attempt to run Quick Start wizard under an account that does not have the Modify permission on either the Sites or Gathering node, or neither. 48615

Table 11: Workflow and session known issues

Known Issue Issue ID
The If the task is still running, stop it at this time option in the task's Advanced Schedule Options dialog box does not work. Instead, use the Stop the task if it runs for option. 0112061,
At least 5 minutes must pass between committing a change made to a task and its scheduled start. For example, if you modify a task and commit the configuration at 8:40, then schedule the task to begin no sooner than 8:45. Otherwise, the task will fail to start. 0112041
Tasks with identical names may fail. Avoid creating such tasks. 0112240
The Application job may seem to be not responding while the application it launches is running. Wait until the application is completed. 0112045
Do not use UPN-style account names ( 0112049

If InTrust Servers in an Organization are concurrently running too many tasks, you may receive the following error in results of some sessions:

"Components Manager: Failed to find Storage Accessors. Error=0x80004005: Timeout expired. Unspecified error."

This happens because each task accesses InTrust Configuration database, and some of them fail to do that because of query timeout expiration. If you cannot reduce the number of task that run concurrently, consider increasing the value of the timeout setting on the SQL Server level using the sp_configure stored procedure.

When you create an Application job, clicking the Browse button for Working Directory may not work and result in an error message. If this happens, type in the full path to the working directory instead of browsing for it. 0120361
A session for an InTrust job of the Windows Scheduled Task type configured to run a scheduled task that fails to start will be logged as successful if the job has the 'Synchronous operation' option disabled. 0149467
If a job finishes with an error, its session information may contain the error code without an error description. 0155885

An InTrust job of the Windows Scheduled Task type can be configured to run a task only if the task meets both of the following requirements:

  • The task is set up with the Windows Server 2003, Windows XP, Windows 2000 compatibility option enabled (in the Configure for drop-down list in the scheduled task properties). This is available only if you use the Create Task action, not the Create Basic Task action.
  • The task is located in the Task Scheduler Library, and not in its subfolder.

If either condition is not met for a scheduled task on the computer where you are looking for it, you will not see it in the Select Windows Scheduled Task dialog when you run the New Job Wizard in InTrust Manager.



Table 12: Agent known issues

Known Issue Issue ID

The agent.ini file, which contains the configuration of the InTrust agent, uses the UTF-8 encoding on Windows. Editing this file manually on Windows is strongly discouraged, because it is easy to change the encoding and make the agent configuration invalid.


If an agent consistently fails to start on a Windows machine, and you find the following error in the local Application event log:

InTrust agent stopped unexpectedly. Error occurred: An attempt was made to access a socket in a way forbidden by its access permissions. (Win32 error: 10013). or the following error from the agent process is written to syslog on the Unix machine hosting an InTrust agent: InTrust agent stopped unexpectedly. Address already in use (CRuntime error: 98).

Сheck if any other active process (application, service, daemon) is configured to listen on the port you are going to use as the InTrust agent communication port on this machine (TCP port 900 by default). If you find some, reconfigure either the agent or the other application/service/daemon to use a different port. To change the communication port setting for InTrust agent, edit the agent.ini file located in the agent folder.

If an agent has been installed manually, then uninstallation should also be performed manually rather than from InTrust Manager. 0111578
You may have to uninstall the agents manually, if the InTrust Server to which the agents belonged is uninstalled. To avoid this, uninstall the agents from InTrust Manager prior to removing the server. 102815

When agents are used to gather audit data, the following error may occur:

Agent has not yet established connection to the InTrust Server (0x8adc2c09).

This situation may occur due to network problems, or when InTrust services have just been restarted, and agents have not communicated to the InTrust Server yet.

You may get several agent errors, if there's no free disk space on the computer where the InTrust agent is installed. For example: ADC Error: User not found (0x8adc3207), (0x8adc2c05) 0111560

An attempt to manually register an agent on an InTrust server may fail with the following error message:

'Cannot register agent on the InTrust server <...> No connection could be made because the target server actively refused it. <Win32 Error 10061>.'

Check if the Quest InTrust Agent service is running and not stopped on the InTrust server. If the service is stopped, start it and try registering the agent again.

Also note that this error is possible if port 900 is closed by a firewall between the agent and the server.

Installation of an agent on a computer under an account from a trusted domain may fail with an error message stating that the 'Logon as a service' right cannot be granted to the agent account. This happens if the specific account has never logged on to that computer before. To prevent the problem, log on to the target computer under that account before installing the agent. 0114825
When you are installing an InTrust agent by running the agent installation package (adc_agent*.msi), a Command Prompt window pops up. This window neither requires any input nor indicates of any problem with the agent installation. 0135636
If you install an agent on a computer using the .MSI package, then manually uninstall it with the adcscm.nt_intel.exe -uninstall command and try to install it later using the .MSI package again, the agent setup prompts you to repair or remove the agent as if it was still installed. Select the option to Remove the agent, let the setup run to the end, and then run it again to have the agent installed. 0135745
InTrust agents do not support the ja_JP.SJIS locale on Linux. 0148319
If you use InTrust Manager to unregister an InTrust agent residing on a computer that has no connection to the InTrust Server, then you may get errors trying to register the agent again with InTrust Manager after the connection is restored. If this happens, use the agent command with the -add parameter on the target computer. 0149798
If agent recovery takes place on a site for which the Prohibit automatic agent deployment on site computers option is enabled, the InTrust Server log may contain incorrect messages stating that the recovery was successful. 0114462
When you are uninstalling an InTrust agent by running the agent installation package (adc_agent*.msi), the File In Use dialog may pop up stating that the Quest InTrust Agent process currently uses the files that require update, and prompting you to either Exit or Ignore or Retry. Agent uninstallation is expected to finish successfully if you select the Ignore option. 54666
When you select a shortcut menu command to uninstall an agent running on a machine in a different AD forest than that the InTrust Server machine belongs to, the agent service may be not uninstalled from its local machine even if you enter proper account credentials when prompted and the agent is no longer listed as installed and running in InTrust Manager. You may have to check the presence of the Quest InTrust Agent, Quest InTrust Agent Installer and Quest InTrust User Session Monitoring services on the machine you attempted to uninstall the agent from, and remove the services manually. 83400
You may experience delays with successful agent installation for a collection or site that includes a large number of computers that are unavailable at the time of this operation. 83399

Table 13: Networking known issues

Known Issue Issue ID
InTrust does not support NetBIOS computer aliases.  

Table 14: Real-time event log gathering known issues

Known Issue Issue ID

If a repository becomes unavailable during real-time collection, the InTrust server that manages this repository may put duplicate events in the other repositories that it manages. This happens because the server re-submits everything that was in the event queue at the moment the repository became unavailable.


When you create a collection in InTrust Deployment Manager, only events logged after the start of real-time gathering will be collected to the target repository of that collection. If you need events logged before that moment to be collected into the same repository, consider using InTrust Manager to collect those events into another repository and run a consolidation job to move those events to the repository you need this data in. 83446
In InTrust Deployment Manager, you may see some computers listed with the "Not installed" status that never changes. If you see this, check if your DNS server has multiple computer name entries for IP addresses matching those of computers with the sticky "Not installed" status, and clean up stale DNS records. 82991
If you delete a data source associated with any collection, the number of computers in every collection will be displayed as "0" until InTrust services are restarted on the InTrust Server machine. Computer counters in InTrust Deployment Manager is the only implication of the effect, no other aspect of InTrust operation is affected. 83414
If, in a multi-server InTrust organization, you uninstall an agent with no error, but its status is still displayed as "Installed" and further attempts to uninstall it keep failing with the "Cannot uninstall agent" problem, this agent must be a part of collection that is assigned to another InTrust Server (not the server that installed the agent on its computer). 83485
If you change the communication port number from its default value during the InTrust installation, InTrust Deployment Manager cannot automatically connect to the local InTrust Server. Use the Connect to menu command to manually select the local server as the one to work with. 83413
If you work with InTrust Deployment Manager connected to one InTrust Server in a multi-server InTrust organization and another InTrust Server goes down, collections handled by the failed server will continue looking 'green' to you. 83508

Using the same repository for real-time event collection and task-based workflow is discouraged.

One of the possible consequences of using it for both methods is that after you start real-time collection from a computer for the first time, no data from that computer will be available to InTrust import and consolidation jobs for the first 24 hours, even though the data will be available in Repository Viewer.

There are other implications as well. Specialize your repositories by type of auditing method.


If you have multiple collections performing real-time event gathering of the same log from the same computer, then you will have duplicate events in the repository and in reports created by Repository Viewer.


If a real-time collection is populated by LDAP query, the resulting set of computers can be different from the set returned by Windows native tools. This is because InTrust and Windows use different attributes for identifying computers by name.


Table 15: Task-based gathering known issues

Known Issue Issue ID

In the properties of the "VMware ESX and ESXi events" and "VMware vCenter events" data sources, the Clear log after gathering option has no effect.


Suppose you have a gathering job that collects custom text logs to either a repository or an audit database, but not both at once. If you change the job settings so that it collects both to a repository and to an audit database, then you may experience the following issues during the next gathering session after this change:

  • You may get duplicate events, or some events may be lost, even though you will not get any error or warning messages.
  • The gathering can be slow and take hours or even days if there are a lot of matching files to collect from.

These problems don't occur if the specified repository and audit database are new and haven't been used.



When you gather IIS logs, you may get the following error message in the Sessions view:

The specified log doesn't exist.

In cases where the necessary logs clearly exist, this misleading message is shown if the IIS 6 Metabase Compatibility role service is not installed on the IIS server. Install the service to fix the problem.


When you monitor IIS servers, you may get an error like the following in the InTrust Server log:

Cannot install package IISRT.

This cryptic error may mean that the IIS 6 Metabase Compatibility role service is not installed on the IIS server. Install the service to fix the problem.


If changing IndexManager Server or path to an index of the indexed repository, gathering into this repository may fail with an error like:

Failed to insert event to repository. ADC Error: The repository at "\\?\C:\Repository\" has multiple indexes, which is an unsupported configuration. The extra indexes could not be cleared automatically.

Events logged for renaming an account in Active Directory collected with a gathering policy based on a data source with the Create agent-side audit log backup option enabled may be stored to the target repository or/and database with the old account name specified instead of its new name. This happens because, due to the current implementation of operations with AD accounts and event logging in Microsoft Windows, this data is not yet available at the moment when the event is written to the agent-side cache. 57888
If at the moment you attempt to gather Microsoft Proxy Server log this log contains event data in different formats, then gathering process will not work correctly. 0117156
If you gather IIS/ISA Server text logs with the Time data field disabled for logging, some events may be lost. To avoid event losses, don't disable the Time field in the logging options on IIS/ISA Servers you are going to collect logs from. 0117109

Some successful InTrust activities, such as event forwarding and running jobs, can cause error messages if the system time is not synchronized between the InTrust Server and the SQL Server that hosts the InTrust configuration database.

This is the case in the following situations:

  • Task sessions in InTrust Manager show an error message like this: "The session terminated unexpectedly", while the job sessions in the tasks are marked as successful
  • An irrelevant collection-wide error message about repository file processing is shown InTrust Deployment Manager; this is really related to event forwarding

You should keep the system time synchronized between the two servers.



Time stamp for events collected with a Data Source of the Custom Text Log type may be displayed incorrectly in InTrust Repository Viewer if these events were logged before the system time adjustment for daylight savings but collected after the time switch. In the Audit database, event time is saved correctly and this problem does not affect in InTrust reports. 0154507
When events from the IIS log are collected with the Ignore events older than / before option enabled, a warning about some events having been ignored is not logged to the results of the gathering job session as it is for gathering jobs that collect events from other logs with this option enabled. 0155889
If an InTrust Server is included in a site with automatic agent deployment disabled, a message about skipped agent installation is generated for the InTrust Server computer, and no gathering or monitoring policies that apply to the site are applied to it. As a workaround, consider including the InTrust Server computer into a site with automatic agent deployment enabled and running some gathering job for that site at least once. Then you may move it back to the original InTrust site since the policies will work for it as expected. 0114233
Events on a Group Policy creation collected with a gathering policy based on a data source with the Create agent-side audit log backup option enabled may be stored to the target repository or/and database with the GPO display names unresolved. This happens because, due to the current implementation of GPO creation and event logging in Microsoft Wi2ndows, this data is not yet available at the moment when the event is written to the agent-side cache. 27221
On domain controllers that are really busy with processing Active Directory requests, Events on operations with newly created accounts collected with a gathering policy based on a data source with the Create agent-side audit log backup option enabled may be stored to the target repository or/and database with SIDs not resolved to account names. This happens because, due to the current implementation of account creation and event logging in Microsoft Windows, this data is not yet available at the moment when the event on account creation is written to the agent-side cache. Account resolution for events following an account creation event is done based on the account data stored in the agent SID cache, causing account SIDs being collected for these events instead of account names until the account is cleared form the cache. 71273
When you change the location of an event log file on a computer running Windows Server 2016 or later, InTrust may be unable to collect events from that log even after you reboot the server and it starts writing new events into the log at its new location. Like Windows native Event Viewer running on a remote pre-Windows 2016 machine, InTrust will be unable to use the log after you move it until you reboot the collected server again. 54042
InTrust cannot resolve event descriptions for events collected from Windows Server 2016 or later if the EventMessageFile or CategoryMessageFile value is not defined in the registry for the corresponding event Source on the collected computer. 65584,
InTrust does not automatically process Application and Services event logs auto-archived by the operating system. 81852

If a warning occurs during gathering, InTrust loses information about the number of gathered events and doesn’t show the number in the session summary.


Table 16: Real-time monitoring known issues

Known Issue Issue ID

Alert suppression has the expected effect, but doesn't affect the logging of rule matches. Rule match events are always written to the InTrust Server log, whether alerts were raised or suppressed.


If you run Event Viewer and view the InTrust Server log before there are any events with event ID 17408 in the log, and such events arrive later, then the Task Category field will show "(1)" for the events. The value of Task Category should be "Rule match".


It may take the InTrust Real-Time Monitoring Server service a long time to stop if the Alert Database is overloaded with alerts and slow to respond.


Do not use wildcards in rule parameter values that define authorized/administrative/target/etc. groups in rules that require group membership resolution for user accounts. Most of these are rules with words 'by unauthorized personnel', 'administrative account', 'administrative rights' in their names. 0112159,
Community names with non-Latin characters are sent incorrectly when you select sending an SNMP trap as a response action for a real-time monitoring rule. 0115387
After the Quest InTrust Real-Time Monitoring Server service is restarted, real-time monitoring may temporarily stop working for a computer that is included in multiple InTrust sites under different names if those InTrust sites are configured for real-time monitoring with the same monitoring policy. Monitoring will be resumed for each affected InTrust site when it is enumerated the next time, as defined in the site properties. 0115566
The RemoveGroup script does not remove Distribution groups from Active Directory. 0115585
When a new Alerting Profile associated to a different InTrust Server is created in any installation of Monitoring Console in the InTrust Organization, clickable links in alert notification emails stop working for any alerts in the old Alerting Profiles. 0152503

If you experience a degrade in the Alert Database performance, try increasing values of the two InTrust configuration parameters that control the buffer and queue sizes for the connection InTrust makes to the Alert Database. Running the following SQL query on the InTrust configuration database will increase both sizes from the default value of 800KB (819200 bytes) to 10MB (10485760 bytes):

UPDATE ADCOrganizationParameter SET [Value] = '10485760' WHERE (Name = 'ITRT_CommMaxSizePerConnection') OR (Name = 'ITRT_CommQueueSize')

After disabling a real-time monitoring policy configured to monitor an MS IIS Server and removing the InTrust Agent from a monitored IIS computer you will have to restart IIS on that computer in order to restore its Web connectivity. 0149865
If a script-based real-time monitoring rule fails on some of the monitored computers, the agent installed on that computer does not inform InTrust Server about the failure and no error entry is reported in the InTrust Server log. 0151859
When real-time monitoring rules are matched, event field names that consist only of digits are treated as integers. This causes errors, because string values are expected. 0135658
When two or more InTrust Servers have real-time monitoring policies with WMI-based rules in them applied to the same computer, alerts triggered by rules handled by different InTrust Servers may be saved to an Alerts database of a wrong InTrust Server. 0184711
You must be a member of the Administrators group on the InTrust Monitoring Console machine to make changes to Database settings of an alerting profile if this profile has SQL Authentication selected for its connection to the Alert database. 41049

You may receive the following error at an attempt to import an exported user settings in InTrust Monitoring Console:

Cannot import user.

Enhanced error information.

Number: 0x80004005

Description: 007~ASP 0104~Operation not Allowed~

This is most likely to be caused by the settings of MS IIS hosting InTrust Monitoring Console. A solution that works for this issue is proposed in the Microsoft article HTTP Error 404.13 - CONTENT_LENGTH_TOO_LARGE when you visit a web site that is hosted on a server that is running IIS 7.0.


An attempt to export a large number (around 10,000 or more) of alerts from InTrust Monitoring Console to a Microsoft Excel spreadsheet may fail with the following error:

Cannot show alerts.

Enhanced error information.

Number: 0x80004005

Description:&nbsp006~ASP 0251~Response Buffer Limit Exceeded~Execution of the ASP page caused the Response Buffer to exceed its configured limit.

This is most likely to be caused by the problem with Microsoft IIS described in Microsoft KB article 944886 "Error message when you use the Response.BinaryWrite method in IIS 6 and in IIS 7".


Table 17: Repository Viewer known issues

Known Issue Issue ID

A Repository Viewer search that is locked for editing can still be modified in some non-straightforward ways.


If you create a search and it becomes selected as a forwarding filter during the same Repository Viewer session, that search does not become locked for editing in that same session. The next time you open Repository Viewer, the search is locked as it should be.


If a search is used as an event forwarding filter, the tooltip for that search lists the repositories that use it for filtering. The tooltip is all one line, and it may not fit on the screen if the list is long.


In PDF reports created by Repository Viewer, international characters (for example, Japanese, Chinese or Korean) are rendered incorrectly if the Arial Unicode MS font is not installed on the report-making InTrust server. As a workaround, set a valid international font for reports, as described in Quest Support knowledge base article 318235.


When Repository Viewer shows the details for a parsed Syslog event that has named insertion strings whose names start with an underscore (for example, _Address), such strings are always hidden. You can see the values of such fields only in the description, which contains the entire original message.


Repository Viewer opens a repository under the same account that you are using to run it, no matter what access credentials are specified in the properties of that repository.

One workaround is to use the runas command to explicitly make Repository Viewer use the account that is allowed access to the repository. For example, if mycorp\intrust_admin is such a user account, then start Repository Viewer as follows:

runas /netonly /user:mycorp\intrust_admin new_RV.exe

As a result, Repository Viewer runs under your current account, but uses the mycorp\intrust_admin account for network operations.

Repository Viewer doesn't start on a computer where the original .NET 4.0 is installed but updates for it are not.


The Delete and Backspace keys don't work as expected in filter boxes using the "Last" keyword.


Custom values cannot be specified in the Environment and Type data fields. Сustom-made events written through the InTrust API may have any value in this field, but they cannot be matched by those fields in Repository Viewer.


Under certain circumstances, you may be receiving recurring "Out of memory" errors at attempts to run an event search. To stop receiving these errors, restart Repository Viewer. 82048
Search filters for the StartTime and EndTime data fields in user session events cannot be set for search folders where these columns are displayed in the grid. Those two are data fields of the Text type and not DateTime. You can search by those fields, entering search criteria as text, but not filter by a time interval. 82391

If you search for events where a specific insertion string or resolved insertion string has a particular value or is blank, then the results can include events where there is no such string at all.


Searches by the "Whom" field are slow.


Searches by "Any field" are slow.


Searches by some resolved insertion strings don't work.


It is not recommended that you increase the limit on the number of items displayed in the event grid. The higher the limit, the more memory Repository Viewer will consume. Changing the limit carelessly may cause your computer to run out of memory.


Table 18: SSRS reporting known issues

Known Issue Issue ID
Don't use the Update Database option for any data source in Knowledge Portal since it proved to run an outdated SQL script on Audit databases. This command is intended to update a structure of an Audit database created by InTrust of version earlier than 9.0. If you use Audit database(s) created with later versions of InTrust, you don't need to update the Audit database structure. 0190753

Don't add too many reports to one reporting job. Doing so may make the whole Tasks node not responding to your attempts to browse it, with the following error message displayed:

Enumerating collection failed. Reason: Not enough storage is available to complete this operation.

If you are absolutely sure you need hundreds of reports to be processed with one reporting job, consider installing additional memory on the SQL Server computer that hosts InTrust configuration database.


If you modify a model of a report that is already included in some reporting jobs, for example, add or remove a filter, reporting job(s) configured to compile this report will fail with the following error:

Object reference not set to an instance of an object.

After you modify a report model, you will have to remove it from any reporting jobs that use it and add them to those jobs again.


A report with query based parameters or filters cannot be added to a reporting job if a data source specified for this report is configured with invalid settings. An attempt to add such a report to a job fails with the following error:

Cannot create a connection to data source 'MainDataSource'.

If you receive this error, edit the properties of the related data source to make sure it lets the report access a valid InTrust Audit database.

An event logged to the InTrust log for a completion of a reporting job that failed states the job has completed successfully. Under the Sessions node, the status of the job is displayed correctly. 0184386

The unclear error message:

Report "<report_name>" failed to process: An error has occurred during report processing. An error has occurred during report processing. An error has occurred during report processing. Query execution failed for data set 'MainDataSet'.

is logged to the session results for each report in a reporting job that is configured to use a Data Storage that is not accessible when the job starts.


If InTrust reporting is configured to access MS SQL Reporting Services over an HTTPS connection, and the InTrust Server computer does not have a certificate installed for the specified MS SRS server, an attempt to access Reporting Services results in the following error:

Error 0x00004659: Internal error occurred. Reason: 0x80131509: The underlying connection was closed: Could not establish trust relationship with remote server.

To install a required certificate, you can use Internet Explorer to open the URL of MS SRS specified in the properties of the Reports node in InTrust Manager as 'MS SQL Reporting Services path'. When prompted for certificate installation, accept it. When the certificate is installed, you will be able to perform any operations with reports and reporting jobs in InTrust Manager.

If a reporting job fails to notify an operator specified on the Notification tab, it neither sends generated report(s) by e-mail to recipients specified on the Delivery tab even if all the settings on that tab are correct and the e-mail can be sent. 0186899

A reporting job may fail with the following error:

The job was finished, but no entry was created for it in the task session because of an error.

If this happens, check whether the account under which the job starts has the Read access permission to the Windows folder on the InTrust Server computer.


If a reporting job fails with the following error:

The remote server returned an error: (500) Internal Server Error.

check the reports in the job for incorrect filter settings. This error may be logged to the session results, for example, when some report has a filter that requires a non-empty value specified, and that filter is disabled.

When you manually stop a reporting job that is running, temporary objects related to reports the job has generated before termination may be not always automatically removed from MS SQL Reporting Services server and you may have to clean them up later. 0186374
Some subreports are cached. If you configure filters in the parent report, the subreport is not regenerated with these filters. Instead, the subreport's version is loaded from the cache. To compile a subreport with filters, press Ctrl+F5 to refresh the subreport page. 0145121
For very large reports, the Print Preview page may not open and the report may not print. 0139691
Page breaks in the online version of a report may not correspond to the page breaks in the printed version. 0139480
If the Microsoft SQL Server Reporting Services and Microsoft SQL Server used to generate a report are installed on different computers, then the report cannot be compiled using the Windows Authentication of the user currently logged on to Knowledge Portal. 0145326
Search results for the search through report descriptions may not include all keywords actually existing if description is longer than 512 characters. 0168949
If browsing for SRS local user/group accounts when configuring report (folder) security settings, in case of remote installation (Knowledge Portal installed on different computer from SRS), similar account found on Knowledge Portal computer will be selected. 0181349
If password was changed for the user account you planned to use for browsing Active Directory (specified during the setup), then error will occur when you try to browse for this account when assigning security roles in Knowledge Portal. 0173578
If you select the Create the Reporting Server snap-shot option on the Delivery tab of a reporting task properties, the settings of InTrust Data Sources used by reports in the job are overwritten with the values specific to this job. 0191127
InTrust does not clean up all of the temporary tables and views reports create in the databases. Depending on the version of SQL Server hosting the database you need to clean up, use the TempCleaner_2000.sql or TempCleaner_2005.sql script from the product distribution (in InTrust\Tools\Database CleanUp) to remove the temporary objects from databases. The script can be scheduled by means of MS SQL Server to be run on a regular basis and configured to delete temporary database objects older than a specified number of days. 0191293

You may receive the following confusing error:

"Query execution failed for data set 'MainDataSet'."

during an attempt to open a subreport of a report generated by a reporting job. If this happens, check if the subreport uses a different data source than the main report included into the job, and if that data source is configured with valid settings (server, database, access credentials).

You may be unable to compile subreports of the Multiple failed account logons report if a reporting job configured to compile it accesses the SQL Server under an account that does not have the db_owner role for the InTrust Audit database. 0188067
If you select the Use SRS data source associated with each report option for a reporting job, make sure no report included into the job has an associated data source with the Credentials supplied by the user running the report option selected in its properties. 31276
When you configure a reporting job with the Import objects from the following repository option enabled, and set it up to include reports configured to use event local time, as opposed to GMT, make sure to provide time values matching local time on the event originating computers in time-related filters of the reports. 36881
When you configure filters in a report and enable the NULL checkbox for either the Date/time from or Date/time to filter, values you specify in these filters will be ignored and data in the report will be filtered based on the value specified in the Interval filter. 41084
When a report with a cover page enabled is exported to a file in the Excel format, the resulting Microsoft Excel document does not include data column captions. 40615
The su command usage report may produce incorrect output if it is generated on the audit trail that includes entries in languages other than English. 26561

A reporting job configured to import required data from a repository may sometimes fail with the following error logged to the session results (RDDI Import node):

Description: Cannot initialize the required component. Cannot create one of the InTrust components.Cannot open repository. The system cannot find the path specified.


Description: Cannot import data from the repository.Cannot enumerate the repository objects.

If this happens, check if there is a database or some other object under Data Stores node in the configuration with a name identical to that of the source repository for the job. Rename one of the objects to make names of all objects under the Data Stores node unique.


You cannot specify a name of a text file listing parameter values in the input field on a report parameter tab in the reporting job configured to import required data from a repository. If you do so, the reporting job will fail with the error message looking like:

Internal error: Cannot initialize required component.ADC Error0x8add2102: Failed to initialize DataFilters.


If a reporting job configured to import required data from a repository fails with the following error:

Preparing for data import has finished with errors.

check that a semicolon (";") is the last character of a connection string specified in the data source of every report included into the job.

Report driven data import (RDDI) does not work for reports from the Quest InTrust Report Pack for VMWare vCenter and ESX/ESXi. You need to collect or import events for these reports into an audit database with a gathering or import job before you generate a report output. 73519

When you configure a report to use filter values from a file, on a 64-bit Microsoft SQL Server 2008 the report will fail with an error message stating:

OLE DB provider 'Microsoft.Jet.OLEDB.4.0' cannot be used for distributed queries because the provider is configured to run in single-threaded apartment mode.

Follow these steps to work around this problem:

  1. Download the report from your Microsoft SQL Reporting Services Server as an .RDL file, edit this file to replace the 'Microsoft.Jet.OLEDB.4.0' text with 'Microsoft.ACE.OLEDB.12.0' and upload the updated file back to the SSRS.
  2. Execute the following batch on your 64-bit Microsoft SQL Server:
    USE [master]
    GO EXEC master.dbo.sp_MSset_oledb_prop N'Microsoft.ACE.OLEDB.12.0', N'AllowInProcess', 1
    EXEC master.dbo.sp_MSset_oledb_prop N'Microsoft.ACE.OLEDB.12.0', N'DynamicParameters', 1

Table 19: Agent-side audit log backup known issues

Known Issue Issue ID
The option to resolve IP addresses at gathering IIS logs does not work with the 'Create agent-side audit log backup' option enabled. 0154160
When you process a non-Windows audit trail, avoid gathering the same event data to the same Audit database with and then without the 'Agent-side audit log backup' option enabled on the agents, since this may result in duplicate event records in the Audit database. For event data collect from Windows event logs, duplicate records never appear in an Audit Database. 0154165
Events collected from IIS Server log with the 'Agent-side audit log backup' option enabled are stored with empty site description fields. 0154362

An attempt to change location of an audit log backup on the agent engaged in real-time monitoring of a Microsoft IIS WWW log or gathering of that log with the 'Create agent-side audit log backup' option enabled fails with the following error popping up in InTrust Manager:

Error 0x00004659: Internal error occurred. Reason: 0x00004659: <ComputerName>: The process cannot access the file because it is being used by another process.


Table 20: Switching Wizard known issues

Known Issue Issue ID
All agents in an InTrust Site lose the Limit CPU usage to setting when the site is moved to another InTrust Server with Switching Wizard. 0141795
Don't use the AdcFailover.exe from the Support Tools folder on the InTrust Server to start the InTrust Server failover process. In the current version of InTrust, use the Switching Wizard that can be run from InTrust Manager, or the Switch server response action that runs when the InTrust server is down predefined rule is matched. 0115054
If an InTrust site with Unix computer has been re-assigned for processing to a different InTrust Server during a failover procedure, you must manually register every Unix agent in the site on the new InTrust Server. 0139189

Table 21: Repository management known issues

Known Issue Issue ID
If you convert the same .EVT file to the same repository using Evt2Repository.exe tool more than once, data from that .EVT file will be duplicated. 0117160

When a repository cleanup job starts under an account that has insufficient rights for deleting data from the target repository, the job fails with an error message that does not mention the reason for the failure:

Cannot clean up obsolete data from one or more data stores. Cannot remove one or more files.

When you create a new repository of the EMC Centera type and select the 'Use custom connection string:' option, make sure to not save a new line character at the end of the connection string you type in there. A connection string with trailing line feed characters will look as a valid one but will cause InTrust fail to authenticate when it connects to EMC Centera.  
Be careful to not specify a path to a file system based EMC Centera repository index when you configure a file system based repository, or to specify a path to a file system based repository when you configure a repository on EMC Centera. Either mistake may result in corrupted or lost data in a repository.  
Repository Viewer does not correctly display insertion strings longer than 260 characters in events stored in a repository. Characters starting from position 261 are not displayed.  
The Use this InTrust server to manage the repository setting in the properties of a consolidation job cannot be used with InTrust repositories based on EMC Centera. 54022

You may receive the following misleading error message in Repository Viewer when you open an indexed repository through an InTrust Server:

Could not open repository. Error details: Repository is not ready for index-based search. Select a different repository.

In InTrust Manager, go to /Configuration/Data Stores/Repositories, open the Properties dialog for the affected repository and verify that the path to it is specified in the InTrust configuration as a UNC and not as a local path that is valid for only one InTrust Server machine in the organization.

If you specify a special account for repository indexing in the Properties of a repository and plan to run IndexingTool.exe locally on the repository machine, provide that the account has the Log on as a batch job user right on that machine. 67189

Indexing a repository located on a local disk of an InTrust Server computer that manages indexing of this repository may fail with the following error message in the InTrust Server log (Event ID 14128 in the InTrust event log):

Indexing of repository "<repository_name>" failed. Details: Indexing on agent localhost failed, reason 'ADC Error: ADC Error0x80004005: Cannot create temp directory Unspecified error (Win32 error: 0x80004005), error code 0x80004005 '.

This happens if a specific account is specified in the properties of an InTrust Server local repository to be used for access to it, and this account does not have sufficient access rights to the %TEMP% folder of the Quest InTrust Server service account. Consider either changing the account used to access the repository or giving it rights to write to and read from that folder.

Repository Viewer does not notify a user if a connection to the open repository or its index is broken, for example, because of a networking issue or change in security settings. If you fins that the number of events displayed in Repository Viewer becomes unexpectedly small, try reopening the repository. If this operation fails, act upon the error message you receive. If you receive no error but reopened Repository Viewer shows no events for any node in the repository except the root node, this means that the connection is lost with index only. 67298

You may get the following non-informative error message in the InTrust Server log:

Indexing of repository "<repository_name>" failed. Details: Indexing on agent <agent_name> failed, reason 'ADC Error 0x80070643'.

It usually means that an agent has failed to install IndexingTool.exe on its local machine (for example, because system requirements were not met or user privileges were insufficient).

When you run Repository Viewer using an account with no administrative rights on the local machine, and specify a wrong path to the repository you want to open, a message box that pops up to notify you of this error may display no text. 67270
An attempt of an agent to install IndexingTool.exe on its local machine may cause a system restart if the machine has Repository Viewer installed. 67297

If you open a repository in Repository Viewer installed on an InTrust Server computer where the port number for InTrust Manager connection has been changed from the default value (8340), and you select the option to open a Production repository on Local computer, you will receive the following error message:

The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)

To avoid this, change your choice on the Select InTrust Server wizard step from Local computer to This InTrust server, and select the name of the local computer from the list.


You may receive confusing error messages when you try to open a repository as an indexed one, but the indexing of this repository has not started yet.


If you see repository indexing on an agent failing with the following non-informative error:

ADC Error: , error code 0x8adc1006

check if the agent account specified in the Properties of the InTrust site differs from the account specified in the Properties of the repository for indexing. If the accounts are different, it is likely that the repository indexing account does not have access to the Local Settings subfolder in the profile of the agent account on the agent machine. Consider changing this setup to have an agent service account specified either in the site Properties OR in the repository indexing settings, or giving the indexing account Read and Modify access permissions to the profile of the agent account.


You may see repository indexing on an agent failing with the following error:

A required privilege is not held by the client

This is likely to mean that you have one and the same account explicitly specified as the agent account in the Properties of the InTrust site and the account specified for indexing in the Properties of the repository. If this is the case, verify that the account has the following user rights on the agent machine:

  • Replace a process level token
  • Log on as service
  • Log on as batch job
  • Adjust memory quotas for a process
If you open a repository that has not been indexed yet, then close Repository Viewer and open it again when indexing of this repository is done, the status of the repository in Repository Viewer will be still displayed as 'Not indexed'. This happens because Repository Viewer does not refresh repository indexing statuses at its startup, and has no negative effect on viewing repositories and searching events. 70451

Repository indexing on a remote machine may fail to start with the following error message registered in the Application event log:

Event ID: 14128

Type: Error

Source: Indexing Launcher

Operation: Indexing


Description: Indexing of repository "Default InTrust Audit Repository" failed. Details: Indexing on agent localhost failed, reason 'ADC Error0x80070643'.

This is likely to happen if the %TEMP% folder for the local system on the agent machine is missing. The automatic installation of Quest InTrust Indexing Tool (IndexingTool.msi) is being run under the local system account and fails with this error if it cannot access the temporary folder (normally %SYSTEMROOT%\Temp). Make sure the folder exists and the installation process can access it.


If you see the following error message in the Application event log:

Event ID: 14128

Type: Error

Source: Indexing Launcher

Operation: Indexing


Description: Indexing of repository "Default InTrust Audit Repository" failed on agent <computername>. Reason: 'ADC error: ADC Error0x80070006: The handle is invalid. The handle is invalid. (Win32 error: 6), error code 0x80070006..

this may be a result of the computer hosting the repository being too busy and slow to respond at the time of indexing. Try reducing the load on the repository machine or re-indexing the repository later.

If you find that the Quest InTrust Server service process (adcrpcs.exe) terminates unexpectedly, this may be a result of repository indexing on the local computer running out of disk space. Resolve the disk space problem and restart the Quest InTrust Server service. 61874

Repository Viewer may fail to display events from a repository with the following error message that may be confusing:

The process cannot access the file because it is being use by another process.

This error is likely to mean one of the following:

  • The idle repository you are trying to view is opened with another instance of Repository Viewer.
  • You try to view an idle repository that is currently being indexed.
  • You select the Open Idle Repository option in Repository Viewer to open a repository that should be accessed through an InTrust Server.

If you create a new repository object with a non-default path that is also used by another repository, you will get duplicate indexes, gathering will stop working and the InTrust log will contain errors like the following:

Operation failed on agent localhost. Reason: 'ADC Error: The repository at "DEAUDI00 InTrust Audit Repository" has multiple indexes, which is an unsupported configuration. The extra indexes could not be cleared automatically. Please delete irrelevant indexes to make sure the repository has only one index. For details, see the Working with Repositories document from the InTrust documentation set., error code 0x8adc1005'


Table 22: Syslog processing known issues

Known Issue Issue ID
When syslog events are collected from a computer to which syslog is redirected and not from original host that generate them, event time values in local time will be calculated based on the time zone of the computer InTrust collects them from. If you choose to treat timestamps in syslog events as local time, consider redirecting syslog for gathering it with InTrust to a computer in the same time zone as the hosts you redirect it from. 0146199
InTrust agent makes a backup copy of syslog*.conf files when it starts, and restores the files from that backup when it shuts down. Changes you make to syslog*.conf while InTrust agent is running are lost when you shut down the agent process. Consider keeping track of the changes you make since you may need to reapply them after shutting down the agent. 60463

Table 23: Microsoft IIS log processing known issues

Known Issue Issue ID
Microsoft IIS FTP log monitoring in cached mode does not work with IIS 6.0. 0145807
InTrust cannot resolve the %event_1.cs_cookee% parameter in alerts and notifications generated by real-time monitoring of the Microsoft IIS WWW log. 25411
During real-time monitoring or gathering of IIS 7.0 WWW logs with the agent-side audit log backup enabled, the values of some data fields (time_taken, cs_bytes, sc_bytes) in generated alerts or collected events are set to 0. 51758
Gathering of WWW logs in UTF-8 format does not work if logging on the IIS is configured with the Do not create new log files option enabled (a size of a single log file is not limited). 53804
Real-time monitoring and gathering of IIS 7.0 FTP logs with the agent-side audit log backup enabled doesn't work. 52601

Table 24: Microsoft ISAS log processing known issues

Known Issue Issue ID

The following reports in the current version of InTrust do not return events collected from MS ISAS 2004:

  • ISA Firewall: Cannot Assign Requested Address
  • ISA Firewall: Connection Refused
  • ISA Firewall: Connection Timed Out
  • ISA Firewall: Host not Found
  • ISA Firewall: Network is Unreachable
  • ISA Firewall: Total Statistics
  • ISA Firewall: User Connection Statistics by Agent/Platform
  • ISA Firewall: Received Kbytes by Date (chart)
  • ISA Firewall: Requests by Date (chart)
  • ISA Firewall: Sent Kbytes by Date (chart)
  • InTrust for ISAS / MSProxy / Security / Events Statistics / Raw Data Analysis (form)
  • InTrust for ISAS / MSProxy / Security / Events Statistics / Events Statistics
  • InTrust for ISAS / MSProxy / Security / Advanced Forensic Analysis / Anomalies Analysis / Anomalies Analysis

Table 25: Microsoft ACS data processing known issues

Known Issue Issue ID

If a gathering job configured to collect event data from ACS keeps failing with the following error logged to its session results:

Data Source: Microsoft OpsManager ACS events Description: Errors encountered at data collection. ADC Error: Failed to collect from network object. (Internal error: Failed to enumerate event logs. (Cannot enumerate event log instances. (The requested operation timed out.The requested operation timed out.)))

check if the Microsoft SCOM console installed on the InTrust agent (or InTrust Server, in case of agentless gathering) machine is of a version compatible with that of the collected ACS server.


Table 26: Custom text logs processing known issues

Known Issue Issue ID

When you create a custom text log data source, you can supply a regular expression with a number of groups defined. If you reference a field index that is out of range of those groups, you get the following script error: "val has no properties".

Instead of an error, this should be a warning.


Some log files of formats that suppose log data to be rewritten and not always appended to the end of the file, may be collected incorrectly and some events may be lost. If this happens, the 'Invalid record' warning is logged to the gathering session results. 0118101
InTrust agent running on a Unix machine may crash if you specify a wildcard as a part of a name for a directory immediately under the root, like '/tm*', in the path to the collected log. However, for directories down the file system tree in log paths, like '/home/user*', wildcards are safe to use. 0123466
When you collect an audit trail data with a Custom Text Log Events type data source, every event will be collected with values of Version Major and Version Minor data fields set to those of the last collected event. 0165698
The Description data field of events collected with a Custom Text Log Events type data source is not saved to an InTrust audit database. 0184224
In the New Data Source Wizard, on the Date/Time step, clicking on the Test Formatting button will display a correctly parsed date/time fields even if you don't specify field delimiters between field numbers in the 'Log fields' field of the dialog page. However, when you later collect data with the data source created in this way, gathering sessions will fail with error messages stating that some lines in the log cannot be parsed. For example, if the format of date and time data in the log is space delimited, like "Mar 23 12:13:10" and, in the 'Log fields', you specify "<1><2><3>" and not "<1> <2> <3>", the Test Formatting button will recognize date and time correctly but the gathering module will not. Make sure to always accurately specify field delimiters in the 'Log fields' input field on the Date/Time step of New Data Source Wizard. 0183396

Table 27: DB-based logs processing known issues

Known Issue Issue ID

In the DB-based log provider query, data fields of type(s) TEXT or/and NTEXT must be either come last in the SELECT statement or be explicitly converted to the NVARCHAR data type. Otherwise the following error will be received at gathering:

[Microsoft][ODBC SQL Server Driver]Invalid Descriptor Index.

If the Oracle DB-based log is being collected from a machine with no Oracle driver installed, Microsoft ODBC Driver for Oracle pops up an error message about the absence of the required Oracle driver on the collected machine. For collections that don't use agents, this message box pops up on the InTrust Server machine, while for agent-enabled collections the error message pops up on the agent side. There is no way for InTrust to suppress this error message box because of the specifics of Microsoft ODBC Driver for Oracle implementation. 0121853
Attempting to select an SQL server from the list in the New Database log template wizard may result in InTrust Manager crashing. This is caused by Microsoft ODBC driver behavior and cannot be controlled from the InTrust Manager snap-in code. 0111355

Table 28: Command line tool known issues

Known Issue Issue ID

If you run the Evt2Repository.exe tool on a Windows 2008 machine to import events from an event log saved to an .evt file on a pre-Windows 2008 computer, the tool fails with an error message saying the event log file is corrupted. To work around this problem, you can do one of the following:

  1. Process the file with Evt2Repository.exe on a computer running Windows Server 2003 or earlier.
  2. Open the .evt file with Windows 2008 Event Viewer and save it in the .evtx format. Then run Evt2Repository.exe again to import events from the saved .evtx file.
Don't use the AdcChangePath tool from the InTrust Support Tools folder. 0153635
When the AdcSrvAcc.exe tool is started with the -restart switch on the command line, the Quest InTrust Server, Quest InTrust Real-Time Monitoring Server and Quest InTrust Agent services are not restarted as expected but just stopped and have to be started manually. If the services are not running when the AdcSrvAcc.exe is run with the -restart switch, only the Quest InTrust Server service starts, while the Quest InTrust Real-Time Monitoring Server and Quest InTrust Agent services still have to be started manually. It is recommended that you don't rely on AdcSrvAcc.exe in restarting these three InTrust services but run it without the -restart switch on the command line and use the Services snap-in, net stop/net start commands or some other tool of your choice to have the services restarted. 0153996

Use the Evt2Repository.exe tool to import events only from event log files saved in the .EVT format with Event Viewer. If you try to point it to a raw .EVT file the system is writing events to, or the copy of such a file created outside Event Viewer, Evt2Repository.exe will fail to import events from this file with the following error:

Cannot convert file. The event log file is corrupted. (Win32 error: 1500)


Table 29: Platform-specific known issues

Known Issue Issue ID
If you collect event logs from computers running Windows Vista or later without agents, and InTrust Server is running on a Windows 2003 machine, then the values of some data fields in collected events will not be resolved. Agentless gathering from machines running these operating systems should be done by InTrust Servers running on computers running Windows Server 2016 or later. 53708



System requirements

Before installing InTrust 11.6.0, ensure that your system meets the following minimum hardware and software requirements.

For detailed system requirements for all the InTrust components and processed systems, see the System Requirements topic.

Product licensing

When you install the product and launch InTrust Deployment Manager or InTrust Manager for the first time, you will be asked to provide a license. Supply the license that you obtained from the sales representative. If you do not supply a license, most of InTrust functionality will be unavailable to you.

To obtain a license, contact your local sales office listed at

Upgrade and installation instructions

InTrust 11.6.0 supports upgrade from InTrust 11.5.1, 11.5, 11.4.2, 11.4.1 (with or without Update 1), 11.4, 11.3.2, 11.3.1 and 11.3. To upgrade from earlier versions, you should first upgrade your InTrust installation to one of these versions (as described in the Upgrade Guide for the particular version), and then upgrade from that version to version 11.6.0.

For more detailed instructions on upgrading your existing InTrust installations, see the Upgrade Guide.

To upgrade a default InTrust deployment, simply close all running InTrust client components and run the Default InTrust Suite on a computer where the earlier version is installed.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating