CSA Installation error

Answered Question
Dec 5th, 2007

I have been testing the upgrade from CSA v5.2.0210 to v5.2.0326. I have multiple machines that according to the logs were successful, but once I reboot the PC the computer crashes.

I found in the application event log that csauser.dll caused a fault in explorer.exe which would explain the system crash. The only way I can restore the PC is to boot in safe mode and either rename the csauser.dll or completely uninstall CSA.

After the uninstall I attempt to reinstall with 326 and have the same result. If I uninstall and reinstall with 210 there is no crash, but I will have a version mismatch between MC and csa agent.

Has anyone experienced a similar problem with any resolution?

Thanks in advance

I have this problem too.
0 votes
Correct Answer by tsteger1 about 9 years 1 week ago

Hi Joshua, do you mean 5.2.0.238?

I don't see a v326 anywhere.

I upgraded from 210 to 225 to 238 with no problems.

You might try going to 225 or 238 on a test server and see if it works or try it on a clean test client.

Tom

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.8 (6 ratings)
Loading.
Correct Answer
tsteger1 Wed, 12/05/2007 - 14:24

Hi Joshua, do you mean 5.2.0.238?

I don't see a v326 anywhere.

I upgraded from 210 to 225 to 238 with no problems.

You might try going to 225 or 238 on a test server and see if it works or try it on a clean test client.

Tom

gojericho0 Wed, 12/05/2007 - 14:58

Yes,

I meant 238. I have tried going from 225 to 238 as well and am experiencing the same problem. I do have on machine that is working properly with the csauser.dll module failure, but I am not sure what the difference is.

I also am trying to use a builder appclass rule to add any application that accesses either explorer or csauser.dll to be added to the dynamic app

tsteger1 Thu, 12/06/2007 - 09:43

Joshua,

Do you have any uncommon or custom software installed on the failing hosts?

There is a way to exclude applications from CSA if you can figure out which app is causing it to fail.

http://www.cisco.com/en/US/products/sw/secursw/ps5057/products_configuration_example09186a00805f0c18

Try putting a host in a group that doesn't have any system API rules and see if it helps.

Don't worry too much about the version mismatch. It should still work fine until you figure it out.

Good luck.

Tom

gojericho0 Wed, 12/12/2007 - 10:15

Sorry for the delayed response. I had to open a TAC ticket because I could not figure out if a subprocess was causing csauser.dll to crash explorer.

I sent them a kernel memory dump. Because the crash did not officially create a Blue Screen of Death I was forced to manually create one. This is something new I learned and very useful to analyze code. It works with Win 2k,XP, and Server 2000/2003. This is only available to PC's that have a PS2 connected keyboard. For usb keyboards you will have to request a hotfix from microsoft:

To enable this features, you'll need to edit registry and reboot the computer after edit.

Open the

"HKLM\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters" reg key,

add the REG_DWORD CrashOnCtrlScroll value, and set it to 1.

After reboot you will manually “crash” the system.

To view BSOD, press and hold right key, and press key twice.

The STOP screen contain following massage..

*** STOP: 0x000000E2 (0x00000000,0x00000000,0x00000000)

The end-user manually generated the crashdump.

Once that was done, I sent my dmp to Cisco and they found that it was caused by an explorer launched process that monitored printer usage. The software is called Print Audit 5. I created a kernel protection exception rule for that process and now everything works normally. I hope the above registry entry can help anyone else who is experiencing any type of crash with csa in order to pinpoint the underlying process

pmccubbin Wed, 12/12/2007 - 14:15

Let me second Tom's congratulations for a job well done. I have included the "Print Audit 5" in my Cheatsheet under the heading of Bugs.

Thanks. I rate it a 5.

Best,

Paul

c01642643287 Fri, 05/08/2009 - 14:56

Wow, i have been struggling with print audit 5 all afternoon and as a last resort searched for it here. Thanks. i should be able to get the audit underway now

Actions

This Discussion