返回
-
标题
Workflows never finishing. "Read the Operation times out". -
说明
Workflows never finishing. "Read the Operation times out".
Read: The operation has timed out. From the target Domain Controller BTPass log (found in c:\Windows\BTPass folder):
[BTPassUtil] - Opened SCM successfully
[BTPassUtil] - Service created successfully
[BTPassUtil] - Service started successfully
[BTPassSvc] - Entered Service
[BTPassSvc] - Registered service control handler successfully for service '{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}'
[BTPassSvc] - Enabled debug privilege successfully
[BTPassSvc] - Found LSASS pid #696
[BTPassSvc] - Opened LSASS process (pid #696)
[BTPassSvc] - Injecting BTPassAsm.dll into LSASS process. Endpoint is 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
[BTPassSvc] - VirtualAllocEx failed: 5
[BTPassSvc] - Exiting serviceIn Windows event logs at this time for 'Application', we see an error for 'Quest ODM Directory Sync'
The Error processing 'ReadPasswordChanges' activity.
System.TimeoutException: the operation has timed out -
原因
Anti-Virus software (AV). Specifically h
AV exclusions not added into tool to allow process to work, this windows event log error usually means. (The Error processing 'ReadPasswordChanges' activity). Related to the sourceAll errors are password sync errorsThe Dirsync agent contacts the Domain Controller for jobs related to recent password change, retrieves the hash file, processes, sends it over to target using pcex. Anti-virus picks it up and flags it. Need to add it to exclusion list / whitelist it. -
解决办法
Add Anti-Virus exclusions. There is a different installation path for agent server versus the domain controllers1. For the target domain controller, the BTPass folder must be added to AV exclusions list.
Exclude this folder: c:\windows\BTPassAlso add exclusions for all three modules (programs) in the BTPass Folder:
For Windows Defender Antivirus
Include the following on the target DC
Local GPO Windows Defender Antivirus\Windows Defender Exploit Guard\Attack Surface Reduction\Exclude Files and paths from Attack Surface Reduction Rules: Value Name: c:\windows\BTPassInclude the agent ODMDirectorySync (On Demand Migration Directory Sync Agent) in the exclusion list (whitelist).C:\Windows\BTPass\x64\C:\Windows\BTPass\x86\BTPassUtil.exeBTPassSvc.exeBTPassAsm.dllC:\Windows\BTPass2. For Dirsync agent server machine, exclude these Directories:C:\Program Files (x86)\Quest\On Demand Migration Directory Sync Agentand everything under this directory
Windows Defender
All other GPO’s
Computer Configurations\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Exclusions
Agent Server
P365
%ProgramFiles(x86)%\Binary Tree
%ProgramFiles(x86)%\Binary Tree\Power365 Directory Sync\bin\btpaexec.exe
%ProgramFiles(x86)%\Binary Sync\bin\BTPass\x64\BTPassAsm.dll
%ProgramFiles(x86)%\Binary Tree\Power365 Directory Sync\bin\BTPass\x64\BTPassSvc.exe
%ProgramFiles(x86)%\Binary Tree\Power365 Directory Sync\bin\BTPass\x64\BTPassUtil.exe
%ProgramFiles(x86)%\Binary Tree\Power365 Directory Sync\bin\BTPass\x86\BTPassSvc.exe
%ProgramFiles(x86)%\Binary Tree\Power365 Directory Sync\bin\BTPass\x86\BTPassAsm.dll
%ProgramFiles(x86)%\Binary Tree\Power365 Directory Sync\bin\BTPass\x86\BTPassUtil.exe
%ProgramFiles(x86)%\Binary Tree\Power365 Directory Sync\bin\CDSAgentService.exe
ODM Dirsync
%ProgramFiles(x86)%\Quest
%ProgramFiles(x86)%\Quest\Power365 Directory Sync\bin\btpaexec.exe
%ProgramFiles(x86)%\Quest\bin\BTPass\x64\BTPassAsm.dll
%ProgramFiles(x86)%\Quest\On Demand Migration Directory Sync Agent\bin\BTPass\x64\BTPassSvc.exe
%ProgramFiles(x86)%\Quest\On Demand Migration Directory Sync Agent\bin\BTPass\x64\BTPassUtil.exe
%ProgramFiles(x86)%\Quest\On Demand Migration Directory Sync Agent\bin\BTPass\x86\BTPassSvc.exe
%ProgramFiles(x86)%\Quest\On Demand Migration Directory Sync Agent\bin\BTPass\x86\BTPassAsm.dll
%ProgramFiles(x86)%\Quest\On Demand Migration Directory Sync Agent\bin\BTPass\x86\BTPassUtil.exe
%ProgramFiles(x86)%\Quest\On Demand Migration Directory Sync Agent\bin\CDSAgentService.exe
Domain Controllers
%windir%\BTPass
%windir%\BTPass\x64\BTPassAsm.dll
%windir%\BTPass\x64\BTPassSvc.exe
%windir%\BTPass\x86\BTPassAsm.dll
%windir%\BTPass\x86\BTPassUtil.exeFor Sophos Antivirus: Disable the 'Prevent Credential Theft' feature within the product UI.
If running Sophos with HitmanPro then the Exploit Mitigation setting needs to be disabled or an exclusion added using the paths below
https://doc.sophos.com/central/customer/help/en-us/ManageYourProducts/GlobalSettings/GlobalExclusions/ExploitExclusions/index.html%windir%\BTPass
%windir%\BTPass\x64\BTPassAsm.dll
%windir%\BTPass\x64\BTPassSvc.exe
%windir%\BTPass\x86\BTPassAsm.dll
%windir%\BTPass\x86\BTPassUtil.exe