This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Knowledge Base
Find answers to your questions and identify resolutions for known issues with knowledge base articles written by NetWitness experts.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Driver error 0xe0010014 ECAT Agents not registering in RSA ECAT 4.1

Article Number

000001574

Applies To

RSA Product Set: ECAT
RSA Product/Service Type: ECAT
RSA Version/Condition: 4.1.x,4.2.x,4.3.x,4.4.x
Platform: Windows
O/S Version: All

 

Issue

On the Machine tab in eCatUI, the error code for all the machines that are unable to check-in are 0xe0010014. An agent reporting a driver error 0xe0010014 is telling us that it did not receive sufficient information on how to handle the Windows kernel that is currently running.

Additionally, you may see messages like this in the Windows logs:

The EcatServiceDriverXXXXX service failed to start due to the following error: %%-536805356

-536805356 converted into hex is 0xe0010014 driver error code and indicates the same error message.

Cause

new/unknown kernel exists on the Windows agent that is unrecognized by the ECAT kernel agent.

Resolution

ECAT 4.1 has a security feature which disables it on unknown Windows Kernels.

There are 2 mechanisms to make the ECAT team aware of new kernels:

  1. we have a mechanism to detect new kernels from Microsoft before they are available to the public.
  2. we have a mechanism to receive potential new kernels directly from the customer through a hardcoded connection.

In a disconnected environment, this last step should be done manually using ConsoleServerSync.exe.

This has otherwise been designed to be transparent to the customer.

 

Workaround

NOTE: If a 100% unknown kernel is detected in a customer's environment, then there need to be some manipulations made by the ECAT team in order to generate the associated tables. Therefore, doing the following steps 1-2-3 will NOT succeed in all kernels being known directly.

Once step 2 is completed, the ECAT team will be aware of the new kernels and will take action, so the tables will be published shortly after (we aim for a matter of hours|day).

1. On the ConsoleServer machine

>ConsoleServerSync.exe 1 kernel  

You will be asked for DB credentials the 1st time you try to connect to it.

This will output a file named revocation_urls_live.xml which looks like this when there is 1 unknown kernel in an environment:

2. On the connected machine(i.e. the machine with Internet connectivity)

>ConsoleServerSync.exe 2 kernel  

Once step 2 is completed, the ECAT team will be aware of the new kernels and will take action, so the tables will be published shortly after (we aim for a matter of hours|day).

3. Back to the Server

>ConsoleServerSync.exe 3 kernel  
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2022-02-10 01:48 PM
Updated by:
Administrator Administrator

Related Content

© 2022 RSA Security LLC or its affiliates. All rights reserved.