I am attempting to deploy the Splunk UniversalForwarder as an SCCM application using an MSI Deployment Type to a small group of testing servers and am encountering an uncharacteristically confusing issue with the MSI installer.
The Deployment Type itself is pretty straight forward. I uploaded the MSI file (splunkforwarder-6.2.1-245427-x64-release.msi) to the SCCM Site Server and let the Detection Method be auto-filled from the MSI. The only thing I did was change the install string to include the following arguments:
msiexec.exe /lv splunkinstall.log /i "splunkforwarder-6.2.1-245427-x64-release.msi" AGREETOLICENSE=YES DEPLOYMENT_SERVER="splunkd.security.contoso.com" /quiet /norestart /qn
Due to the inclusion of the
/lv switch I can go to the C:\Windows\CCMcache folder and view the installation log:
GetPreviousSettings: Error: DetermineContextForAllProducts failed witht: 0x65b. GetPreviousSettings: Error 0x80004005: Failed to GetInstalledSplunkSettings. GetPreviousSettings: Info: Leave GetPreviousSettings: 0x80004005. CustomAction GetPreviousSettings returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox) Action ended 14:20:23: GetPreviousSettings. Return value 3.
A little Google-fu and I find this posting over at Splunk's Community Support but I'm not terribly confident in correctness of the answers; however the failing installer step is
GetInstalledSplunkSettings so maybe I should go digging through the registry to see if stale Product or Installer keys are erroneously causing the installer to try to uninstall nonexistent instances of UniversalForwarder.
With a combination of ProcMon and manually searching through the registry I managed to locate the following keys that seem to be related.
HKCR:\Installer\Products\B0271F4D65C5D084FA81634DC56AD4A HKCR:\Installer\Features\B0271F4D65C5D084FA81634DC56AD4AE HKCR:\Installer\UpgradeCodes\13631B46466632F4FA2E89CF8E9602DB HKLM:\SOFTWARE\Classes\Installer\Features\B0271F4D65C5D084FA81634DC56AD4AE HKLM:\SOFTWARE\Classes\Installer\UpgradeCode\13631B46466632F4FA2E89CF8E9602DB
ProcMon Events during installation:
10:17:31.8751924 AM MsiExec.exe 7436 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:17:31.8752103 AM MsiExec.exe 7436 RegOpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-18\Installer\Products\B0271F4D65C5D084FA81634DC56AD4AE NAME NOT FOUND Desired Access: Read 10:17:31.8752409 AM MsiExec.exe 7436 RegQueryKey HKU SUCCESS Query: HandleTags, HandleTags: 0x0 10:17:31.8752584 AM MsiExec.exe 7436 RegOpenKey HKU\S-1-5-18\Software\Microsoft\Installer\Products\B0271F4D65C5D084FA81634DC56AD4AE REPARSE Desired Access: Read 10:17:31.8752831 AM MsiExec.exe 7436 RegOpenKey HKU\.DEFAULT\Software\Microsoft\Installer\Products\B0271F4D65C5D084FA81634DC56AD4AE NAME NOT FOUND Desired Access: Read 10:17:31.8753062 AM MsiExec.exe 7436 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:17:31.8753230 AM MsiExec.exe 7436 RegOpenKey HKCR\Installer\Products\B0271F4D65C5D084FA81634DC56AD4AE SUCCESS Desired Access: Read 10:17:31.8753486 AM MsiExec.exe 7436 RegQueryValue HKCR\Installer\Products\B0271F4D65C5D084FA81634DC56AD4AE\ProductName SUCCESS Type: REG_SZ, Length: 38, Data: UniversalForwarder 10:17:31.8753716 AM MsiExec.exe 7436 RegCloseKey HKCR\Installer\Products\B0271F4D65C5D084FA81634DC56AD4AE SUCCESS 10:34:31.5741168 AM MsiExec.exe 7560 RegEnumKey HKCR\Installer\Products SUCCESS Index: 11, Name: B0271F4D65C5D084FA81634DC56AD4AE 10:34:31.5744153 AM MsiExec.exe 7560 RegOpenKey HKCR\Installer\Products\B0271F4D65C5D084FA81634DC56AD4AE SUCCESS Desired Access: Read 10:34:31.5744407 AM MsiExec.exe 7560 RegQueryValue HKCR\Installer\Products\B0271F4D65C5D084FA81634DC56AD4AE\ProductName SUCCESS Type: REG_SZ, Length: 38, Data: UniversalForwarder 10:34:31.5744637 AM MsiExec.exe 7560 RegCloseKey HKCR\Installer\Products\B0271F4D65C5D084FA81634DC56AD4AE SUCCESS
Now things get interesting! I remove the keys expecting success, run the Client Application Deployment and Evaluation Cycle and I get the same disappointing results. I doubled check the NTFS permissions for those keys and SYSTEM has Full Control which seems to disprove this answer indicating that the
0x80004005. Hmmmmm. What if I run the installation manually?
Same installer, same installation arguments (copy and pasted right out of AppEnforce.log), run from a Run As Administrator cmd.exe prompt and it fails with the same error at the same step. If I go back and remove the registry keys again, and re-run the installer from cmd.exe it works! LOL WUT?
DetermineContextForAllProductsinstallation step both as run by the SCCM client and manually by me.
Any ideas? I'm happy to provide a whole copy of my ProcMon events or any other information if that would be helpful.
It happened to me too while i was trying to install Splunk 6.2.2 throw the command line of Windows.
After some research with ProcMon I found that the problem is because another installation is found for Splunk.
It search in the following registry keys that contains the product code:
HKU\S-1-5-18\Software\Microsoft\Installer\Products HKCR\Installer\Products HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-18\Installer\Products HKU\.DEFAULT\Software\Microsoft\Installer\Products
For some reason it fails with the error you mentioned and not a MSI error as expected.
Go over those Registry Keys and try to find the one that making the problems
User contributions licensed under CC BY-SA 3.0