Issue
Why does Symantec Endpoint Protection (SEP) 11.x / 12.1 fail to install when there are pending file rename operations on a computer?
Symptoms
This issue has been reported on several systems with differing specifications and configurations. Below is a list of the commonalities between systems exhibiting this issue:
Symptoms
This issue has been reported on several systems with differing specifications and configurations. Below is a list of the commonalities between systems exhibiting this issue:
- The system is running Windows XP SP 3 or later, Windows Vista RTM or later, or Windows 2008 RTM or later.
- An application or driver was installed or uninstalled previously to SEP which requires a reboot to complete some actions.
- A reboot may or may not have been performed between the previous install/uninstall and the SEP installation attempt.
- The installation attempt of SEP 11 fails with the message "Pending system changes that require a reboot have been detected".
Cause
The Microsoft Installer (MSI) package used to install the SEP client makes several checks during the install process to ensure that the installation will not cause system instability or possible damage to other application installations on the system it is being installed to.
One of these checks verifies that Windows is not configured to rename or move any files after the next reboot.
If there are file names present under the "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations" registry value, the checks implemented by SEP will fail, and a "Pending system changes that require a reboot have been detected" message will be generated.
One of these checks verifies that Windows is not configured to rename or move any files after the next reboot.
If there are file names present under the "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations" registry value, the checks implemented by SEP will fail, and a "Pending system changes that require a reboot have been detected" message will be generated.
Files will be listed in the above registry key for several possible reasons:
- An application installation attempted to update a file currently in use by Windows or another application.
- A user or application attempted to delete, move or rename a file they may not have had permissions to.
It has become common practice for some applications which are not written to Microsoft's standards to write to the PendingFileRenameOperations registry value instead of directly renaming or deleting files.
This has been fixed in SEP 11 RU6a by removing the check of "PendingFileRenameOperations" registry key from the installer.
This has been fixed in SEP 11 RU6a by removing the check of "PendingFileRenameOperations" registry key from the installer.
Solution
Upgrade to SEP 11 RU6a.
The following work around can be applied (if not upgrading to SEP 11 RU6a)
The PendingFileRenameOperations registry value can be backed up and deleted. Symantec Endpoint Protection can then be installed, and the PendingFileRenameOperations value can then be replaced in order to facilitate installing Symantec Endpoint Protection without affecting the operating system or 3rd party applications negatively.
This method will leave several temporary installation files in the logged-in user's temp directory that would normally be deleted after a reboot.
The following work around can be applied (if not upgrading to SEP 11 RU6a)
The PendingFileRenameOperations registry value can be backed up and deleted. Symantec Endpoint Protection can then be installed, and the PendingFileRenameOperations value can then be replaced in order to facilitate installing Symantec Endpoint Protection without affecting the operating system or 3rd party applications negatively.
This method will leave several temporary installation files in the logged-in user's temp directory that would normally be deleted after a reboot.
- Open the Windows Registry editor (regedit.exe) and browse to the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
- Verify the following Reg Multi String value PendingFileRenameOperations exists under this key.
Note: If you do not find the PendingFileRenameOperations value in the location above, this error message can be generated if there are pending changes in:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSetXXX\Control\SessionManager\PendingFileRenameOperations - Right-click on the SessionManager registry key that contains the PendingFileRenameOperationsvalue and choose Export
- Provide a file name and location for the exported registry key and click Save
- Delete the PendingFileRenameOperations value from the registry
- If HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired exists, right-click on the RebootRequired registry key and choose Export.
- Provide a different file name than in step 4 for the exported registry key and click Save
- Delete the RebootRequired sub-key
- Install Symantec Endpoint Protection normally
- Before rebooting, double-click on the .reg files created in Step 4 and 7 to merge the previousPendingFileRenameOperations value and RebootRequired sub-key.
Technical Information
Regarding "Pending system changes" and SEP installation rollback: RU6 removed the check of PendingFileRenameOperations registry key because many third-party programs do not use this key correctly and it may remain populated even after a reboot. However, there are still valid reasons for which our installer will terminate when there are pending changes detected.
The important question: does the SEP 11 RU6 installer work OK after rebooting the system? If so, that is the solution. We are concerned only if our installer fails for the same reason after rebooting the machine.
No comments:
Post a Comment