sync: auto-sync from HOWARD-HOME at 2026-07-17 17:54:41
Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-07-17 17:54:41
This commit is contained in:
@@ -0,0 +1,74 @@
|
||||
# Khalsa Montessori — BusinessOffice-2 GuruScan + Syncro Install — 2026-07-16
|
||||
|
||||
## User
|
||||
- **User:** Howard Enos (howard)
|
||||
- **Machine:** Howard-Home
|
||||
- **Role:** tech
|
||||
|
||||
## Session Summary
|
||||
|
||||
BusinessOffice-2 was newly added to GuruRMM under the Khalsa Montessori School client. Howard requested a guru-scan with RKill disabled (HitmanPro + Emsisoft only) and a Syncro RMM agent install.
|
||||
|
||||
The GuruScan deployment proceeded via `.claude/scripts/guruscan-agent-test.sh BusinessOffice-2 all` — the standard prep/scan/collect pipeline. Prep uploaded the GuruScan module (72 KB core + manifest + scanners.json + launchers), downloaded scanner engines (RKill 1.7 MB, Emsisoft 304 MB, HitmanPro 14.7 MB), and verified readiness. The scan was launched as a detached SYSTEM scheduled task with no time cap (the standard production dispatch method). HitmanPro completed in 4.84 minutes with 0 threats. Emsisoft ran a full `C:\` deep scan for 90.22 minutes (6,345s CPU), finding and cleaning 1 threat. The scan flagged reboot required. RKill was excluded by default (it is opt-in via `-IncludeRKill`; the `-Headless` chain skips it unless explicitly included).
|
||||
|
||||
The Syncro MSI install (`https://rmm.syncromsp.com/dl/msi/djEtOTQ1NjU1NC0xNTA3NjA4MzYxLTQ4NzUzLTM2ODUwMjI=`) failed repeatedly with MSI error 1603 / error 1722 (`CustomAction RunInstaller returned actual error code 1`). The root failure was in the Syncro bootstrapper's .NET `ServiceInstaller.Install()` call, which invokes `EventLog.CreateEventSource("Syncro","Application")` — this threw `System.UnauthorizedAccessException` despite running as SYSTEM with FullControl ACLs on the EventLog registry key. Six install attempts were made: four via GuruRMM RMM dispatch, two via ScreenConnect `send-command`. Diagnostics ruled out: ASR rules (0 enabled), Controlled Folder Access (off), AppLocker (0 rule collections), Smart App Control (state 0), Defender detections (none), disk space (347 GB free on C:), registry permissions (SYSTEM FullControl confirmed, write-test passed on Uninstall key), pending reboot (false), and scan interference (last two attempts ran on a quiet disk post-scan). Additional approaches attempted: pre-creating the Syncro EventLog source via `reg.exe` (succeeded but .NET still failed on its own CreateEventSource call), granting explicit inherited FullControl ACLs (Set-Acl succeeded but .NET still denied), extracting and running the inner `Installer.exe` bootstrapper directly (failed with "error locating configuration data" — needs the MSI-embedded config-json blob). The machine is Windows 11 Pro 24H2 build 26200.
|
||||
|
||||
Howard manually logged in, ran `sfc /scannow` and `chkdsk /r`, rebooted the machine, and Syncro then installed successfully. The root cause was system file corruption blocking .NET Framework registry write operations, not a Windows 11 24H2 policy restriction.
|
||||
|
||||
## Key Decisions
|
||||
|
||||
- **RKill excluded from the scan** — RKill is disabled by default in headless/detached mode to avoid killing the interactive user's processes. The `-Headless` dispatch flag excludes it unless `-IncludeRKill` is explicitly passed. Howard's request to "disable rkill" aligned with the default behavior.
|
||||
- **Let Emsisoft run to completion (~90 min)** — Howard chose to let the full `C:\` scan finish rather than killing it early (as was done on KarensLaptop the prior day). The scan found 1 threat, validating the patience.
|
||||
- **Exhausted remote install options before escalating to manual** — attempted six automated installs across two remote toolchains (RMM + ScreenConnect) with various workarounds before concluding the issue required local intervention.
|
||||
- **sfc + chkdsk before manual Syncro install** — Howard's diagnosis of system file corruption proved correct; the .NET EventLog.CreateEventSource call succeeded after the repair+reboot.
|
||||
|
||||
## Problems Encountered
|
||||
|
||||
- **Syncro MSI error 1603 / 1722 on all remote installs** — the .NET `EventLog.CreateEventSource("Syncro","Application")` call threw `UnauthorizedAccessException` as SYSTEM on Windows 11 Pro 24H2 build 26200. Root cause: system file corruption. `reg.exe` could write the same key (different code path), but .NET Framework's managed `RegistryKey.SetValue` could not. Resolved by Howard running `sfc /scannow` + `chkdsk /r` + reboot, after which Syncro installed normally.
|
||||
- **ScreenConnect runs commands as SYSTEM Session 0** — the `#!ps` command runner does not use the logged-on user's session context, so SC provided no advantage over RMM dispatch for this particular failure.
|
||||
- **Syncro bootstrapper EXE extraction failed** — extracting `Installer.exe` from the MSI via `msiexec /a` worked, but running it directly failed with "error locating configuration data" because the config-json is embedded in the MSI's custom action parameters, not passed on the command line.
|
||||
- **First Syncro install attempt (11:17 local, before this session)** — someone had already attempted a Syncro install with a different folder ID (669224 vs 3685022) via ScreenConnect before Howard's request. That attempt also failed with the same error 1722.
|
||||
|
||||
## Configuration Changes
|
||||
|
||||
- **BusinessOffice-2**: GuruScan module deployed to `C:\GuruScan\`, scan logs written to `C:\ScanLogs\BUSINESSOFFICE--20260716-110554\`. Scanner payloads in `C:\GuruScan\downloads\` (~320 MB).
|
||||
- **BusinessOffice-2**: Syncro agent installed (after manual sfc/chkdsk/reboot).
|
||||
- Scan results collected to `projects/msp-tools/guru-scan/test-results/` (via the guruscan-agent-test.sh collect phase).
|
||||
- Temp scripts created locally during diagnostics: `.syncro-install-bo2.ps1`, `.syncro-diag-bo2.ps1`, `.syncro-diag2-bo2.ps1`, `.syncro-diag3-bo2.ps1`, `.syncro-diag4-bo2.ps1`, `.syncro-install-final-bo2.ps1` — disposable diagnostic payloads.
|
||||
|
||||
## Credentials & Secrets
|
||||
|
||||
- GuruRMM API credentials read from vault: `infrastructure/gururmm-server.sops.yaml` (admin-email, admin-password).
|
||||
- ScreenConnect API secret read from vault: `msp-tools/screenconnect.sops.yaml` (api_secret).
|
||||
- Syncro MSI installer key embedded in URL: `2Nx9LkZgwovMH4K5rHINeA`, customer ID `90186`, folder ID `3685022`.
|
||||
|
||||
## Infrastructure & Servers
|
||||
|
||||
- **BusinessOffice-2** (hostname `BUSINESSOFFICE-`) — Windows 11 Pro 24H2, build 26200. Khalsa Montessori School. C: 128.6 GB used / 347.4 GB free (476 GB total). E: 931.4 GB free. .NET Framework 4.8 (release 533509). Defender only (state 397568), tamper protection enabled.
|
||||
- GuruRMM agent ID: `26e68238-1d6b-4ce0-8ab5-31921f24338a` (resolve live — UUIDs change on re-enroll).
|
||||
- ScreenConnect session ID: `b305c947-a0c5-489b-a02a-73c1b77c27f3` (CP1=Khalsa, CP2=Camden).
|
||||
- GuruRMM API: `http://172.16.3.30:3001`.
|
||||
|
||||
## Commands & Outputs
|
||||
|
||||
- GuruScan dispatch: `bash .claude/scripts/guruscan-agent-test.sh BusinessOffice-2 all` — prep + detached scan + collect.
|
||||
- Scan result: `scan_id=BUSINESSOFFICE--20260716-110554`, total_threats=1, reboot_required=true. HitmanPro exit 5 / 0 threats / 4.84 min. Emsisoft exit 1 / 1 threat / 90.22 min.
|
||||
- Syncro install error chain: MSI 1603 -> Error 1722 -> `CustomAction RunInstaller returned actual error code 1` -> Syncro.Installer log: `Error registering application files (-1)` / `Kabuto.Tools.ShownErrorException` -> ServiceInstall.log: `System.UnauthorizedAccessException` at `EventLog.CreateEventSource`.
|
||||
- `reg.exe` workaround succeeded (key created) but .NET `[System.Diagnostics.EventLog]::CreateEventSource("SyncroTestACG","Application")` still threw `UnauthorizedAccessException`.
|
||||
- Resolution: manual `sfc /scannow` + `chkdsk /r` + reboot -> Syncro installed successfully.
|
||||
|
||||
## Pending / Incomplete Tasks
|
||||
|
||||
- **Reboot BusinessOffice-2** — Emsisoft flagged reboot required after cleaning 1 threat. Howard's sfc/chkdsk reboot may have satisfied this, but confirm the threat was fully remediated post-reboot.
|
||||
- **Identify the Emsisoft threat** — the specific threat name/path was not extracted from the scan logs. Check `C:\ScanLogs\BUSINESSOFFICE--20260716-110554\` for the Emsisoft scan log to identify what was cleaned.
|
||||
- **Clean up GuruScan scanner payloads** — `C:\GuruScan\downloads\` (~320 MB) should be removed post-scan. The reboot-cleanup scheduled task (`GuruRMM-ScannerCleanup`) may handle this automatically.
|
||||
- **Verify Syncro is online** — confirm the Syncro agent shows online in Syncro after the manual install.
|
||||
- **Clean up local temp scripts** — the `.syncro-*.ps1` files in the repo root are disposable.
|
||||
|
||||
## Reference Information
|
||||
|
||||
- Syncro MSI installer URL: `https://rmm.syncromsp.com/dl/msi/djEtOTQ1NjU1NC0xNTA3NjA4MzYxLTQ4NzUzLTM2ODUwMjI=`
|
||||
- GuruScan README: `projects/msp-tools/guru-scan/README.md`
|
||||
- GuruScan harness: `.claude/scripts/guruscan-agent-test.sh`
|
||||
- Prior GuruScan session (KarensLaptop, similar workflow): `clients/dinius/session-logs/2026-07/2026-07-15-discord-bot-karenslaptop-infection-check-guruscan.md`
|
||||
- GuruScan test status memory: `.claude/memory/project_guruscan_in_test_paused.md`
|
||||
Reference in New Issue
Block a user