Wazuh Installer getting hung on certain Windows 10/Windows Server Devices | 4.9.0 or 4.12.0

ak

Jul 14, 2025, 7:52:51 AM
to Wazuh | Mailing List
Issue:
- When installing Wazuh via CLI or GUI, the installer gets stuck.
- Tested with 4.9.0 and also the latest version 4.12.0, and we see the same issue.
- There are other devices where the same installer works in the same client environment.
- Tested with EDR enabled and disabled. We see the same issue.
 

Test Environment:

Get-CimInstance Win32_OperatingSystem | Select Caption, Version, BuildNumber

Caption                                Version    BuildNumber
-------                                -------    -----------
Microsoft Windows Server 2019 Standard 10.0.17763 17763



Test Install 1: CLI 

Tried installing using the command below:

msiexec /i "C:\windows\sysmon_wazuh-agent-4.9.0\wazuh-agent-4.9.0-1.msi" /quiet WAZUH_MANAGER=172.22.24.50 /l*v C:\wazuh-agent-install-latest.log


Below shows no data:

Get-Service -Name wazuh* | Select-Object Name, Status

Get-WmiObject -Class Win32_Product | Where-Object { $_.Name -like "Wazuh*" } | Select Name, Version


-Below is log output:

wazuh-agent-install-latest.log

=== Verbose logging started: 7/14/2025  12:57:48  Build type: SHIP UNICODE 5.00.10011.00  Calling process: C:\Windows\system32\msiexec.exe ===
MSI (c) (F4:48) [12:57:48:504]: Resetting cached policy values
MSI (c) (F4:48) [12:57:48:504]: Machine policy value 'Debug' is 0
MSI (c) (F4:48) [12:57:48:504]: ******* RunEngine:
           ******* Product: C:\windows\sysmon_wazuh-agent-4.9.0\wazuh-agent-4.9.0-1.msi
           ******* Action:
           ******* CommandLine: **********
MSI (c) (F4:48) [12:57:48:505]: Client-side and UI is none or basic: Running entire install on the server.
MSI (c) (F4:48) [12:57:48:505]: Grabbed execution mutex.
MSI (c) (F4:48) [12:57:48:516]: Cloaking enabled.
MSI (c) (F4:48) [12:57:48:516]: Attempting to enable all disabled privileges before calling Install on Server
MSI (c) (F4:48) [12:57:48:516]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (F0:C4) [12:57:48:532]: Running installation inside multi-package transaction C:\windows\sysmon_wazuh-agent-4.9.0\wazuh-agent-4.9.0-1.msi
MSI (s) (F0:C4) [12:57:48:532]: Grabbed execution mutex.
MSI (s) (F0:9C) [12:57:48:532]: Resetting cached policy values
MSI (s) (F0:9C) [12:57:48:532]: Machine policy value 'Debug' is 0
MSI (s) (F0:9C) [12:57:48:532]: ******* RunEngine:
           ******* Product: C:\windows\sysmon_wazuh-agent-4.9.0\wazuh-agent-4.9.0-1.msi
           ******* Action:
           ******* CommandLine: **********
MSI (s) (F0:9C) [12:57:48:532]: Machine policy value 'DisableUserInstalls' is 0
MSI (s) (F0:9C) [12:57:48:532]: Note: 1: 2203 2: C:\Windows\Installer\inprogressinstallinfo.ipi 3: -2147287038
MSI (s) (F0:9C) [12:57:48:532]: SRSetRestorePoint skipped for this transaction.
MSI (s) (F0:9C) [12:57:48:532]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer 3: 2
MSI (s) (F0:9C) [12:57:48:548]: File will have security applied from OpCode.
MSI (s) (F0:9C) [12:57:48:548]: SOFTWARE RESTRICTION POLICY: Verifying package --> 'C:\windows\sysmon_wazuh-agent-4.9.0\wazuh-agent-4.9.0-1.msi' against software restriction policy
MSI (s) (F0:9C) [12:57:48:563]: SOFTWARE RESTRICTION POLICY: C:\windows\sysmon_wazuh-agent-4.9.0\wazuh-agent-4.9.0-1.msi has a digital signature
MSI (s) (F0:9C) [12:57:48:610]: SOFTWARE RESTRICTION POLICY: C:\windows\sysmon_wazuh-agent-4.9.0\wazuh-agent-4.9.0-1.msi is permitted to run at the 'unrestricted' authorization level.
MSI (s) (F0:9C) [12:57:48:610]: MSCOREE not loaded loading copy from system32
MSI (s) (F0:9C) [12:57:48:653]: End dialog not enabled
MSI (s) (F0:9C) [12:57:48:653]: Original package ==> C:\windows\sysmon_wazuh-agent-4.9.0\wazuh-agent-4.9.0-1.msi
MSI (s) (F0:9C) [12:57:48:653]: Package we're running from ==> C:\Windows\Installer\d3ee1931.msi
MSI (s) (F0:9C) [12:57:48:653]: APPCOMPAT: Compatibility mode property overrides found.
MSI (s) (F0:9C) [12:57:48:653]: APPCOMPAT: looking for appcompat database entry with ProductCode '{AA553771-6A70-4C6F-A5C2-D417D03DD8A5}'.
MSI (s) (F0:9C) [12:57:48:653]: APPCOMPAT: no matching ProductCode found in database.
MSI (s) (F0:9C) [12:57:48:668]: Machine policy value 'TransformsSecure' is 1
MSI (s) (F0:9C) [12:57:48:668]: Machine policy value 'DisablePatch' is 0
MSI (s) (F0:9C) [12:57:48:668]: Machine policy value 'AllowLockdownPatch' is 0
MSI (s) (F0:9C) [12:57:48:668]: Machine policy value 'DisableLUAPatching' is 0
MSI (s) (F0:9C) [12:57:48:668]: Machine policy value 'DisableFlyWeightPatching' is 0
MSI (s) (F0:9C) [12:57:48:668]: APPCOMPAT: looking for appcompat database entry with ProductCode '{AA553771-6A70-4C6F-A5C2-D417D03DD8A5}'.
MSI (s) (F0:9C) [12:57:48:668]: APPCOMPAT: no matching ProductCode found in database.
MSI (s) (F0:9C) [12:57:48:668]: Transforms are not secure.
MSI (s) (F0:9C) [12:57:48:668]: PROPERTY CHANGE: Adding MsiLogFileLocation property. Its value is 'C:\wazuh-agent-install-latest.log'.
MSI (s) (F0:9C) [12:57:48:668]: Command Line: WAZUH_MANAGER=172.22.24.50 CURRENTDIRECTORY=C:\Users\Administrator CLIENTUILEVEL=3 CLIENTPROCESSID=18164
MSI (s) (F0:9C) [12:57:48:668]: PROPERTY CHANGE: Adding PackageCode property. Its value is '{1EBD6D53-25A4-402C-9730-5A0C9C2C0939}'.
MSI (s) (F0:9C) [12:57:48:668]: Product Code passed to Engine.Initialize:           ''
MSI (s) (F0:9C) [12:57:48:668]: Product Code from property table before transforms: '{AA553771-6A70-4C6F-A5C2-D417D03DD8A5}'
MSI (s) (F0:9C) [12:57:48:668]: Product Code from property table after transforms:  '{AA553771-6A70-4C6F-A5C2-D417D03DD8A5}'
MSI (s) (F0:9C) [12:57:48:668]: Product not registered: beginning first-time install
MSI (s) (F0:9C) [12:57:48:668]: Product {AA553771-6A70-4C6F-A5C2-D417D03DD8A5} is not managed.
MSI (s) (F0:9C) [12:57:48:668]: MSI_LUA: Credential prompt not required, user is an admin
MSI (s) (F0:9C) [12:57:48:668]: PROPERTY CHANGE: Adding ProductState property. Its value is '-1'.
MSI (s) (F0:9C) [12:57:48:668]: Entering CMsiConfigurationManager::SetLastUsedSource.
MSI (s) (F0:9C) [12:57:48:668]: User policy value 'SearchOrder' is 'nmu'
MSI (s) (F0:9C) [12:57:48:668]: Adding new sources is allowed.
MSI (s) (F0:9C) [12:57:48:668]: PROPERTY CHANGE: Adding PackagecodeChanging property. Its value is '1'.
MSI (s) (F0:9C) [12:57:48:668]: Package name extracted from package path: 'wazuh-agent-4.9.0-1.msi'
MSI (s) (F0:9C) [12:57:48:668]: Package to be registered: 'wazuh-agent-4.9.0-1.msi'
MSI (s) (F0:9C) [12:57:48:668]: Note: 1: 2262 2: AdminProperties 3: -2147287038
MSI (s) (F0:9C) [12:57:48:668]: Machine policy value 'DisableMsi' is 1
MSI (s) (F0:9C) [12:57:48:668]: Machine policy value 'AlwaysInstallElevated' is 0
MSI (s) (F0:9C) [12:57:48:668]: User policy value 'AlwaysInstallElevated' is 0
MSI (s) (F0:9C) [12:57:48:668]: Product installation will be elevated because user is admin and product is being installed per-machine.
MSI (s) (F0:9C) [12:57:48:668]: Running product '{AA553771-6A70-4C6F-A5C2-D417D03DD8A5}' with elevated privileges: Product is assigned.
MSI (s) (F0:9C) [12:57:48:668]: PROPERTY CHANGE: Adding WAZUH_MANAGER property. Its value is '172.22.24.50'.
MSI (s) (F0:9C) [12:57:48:668]: PROPERTY CHANGE: Adding CURRENTDIRECTORY property. Its value is 'C:\Users\Administrator'.
MSI (s) (F0:9C) [12:57:48:668]: PROPERTY CHANGE: Adding CLIENTUILEVEL property. Its value is '3'.
MSI (s) (F0:9C) [12:57:48:668]: PROPERTY CHANGE: Adding CLIENTPROCESSID property. Its value is '18164'.
MSI (s) (F0:9C) [12:57:48:668]: Machine policy value 'DisableAutomaticApplicationShutdown' is 0
MSI (s) (F0:9C) [12:57:48:668]: RESTART MANAGER: Disabled by MSIRESTARTMANAGERCONTROL property; Windows Installer will use the built-in FilesInUse functionality.
MSI (s) (F0:9C) [12:57:48:668]: PROPERTY CHANGE: Adding MsiSystemRebootPending property. Its value is '1'.
MSI (s) (F0:9C) [12:57:48:668]: TRANSFORMS property is now:
MSI (s) (F0:9C) [12:57:48:668]: PROPERTY CHANGE: Adding VersionDatabase property. Its value is '200'.
MSI (s) (F0:9C) [12:57:48:668]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming
MSI (s) (F0:9C) [12:57:48:668]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\Favorites
MSI (s) (F0:9C) [12:57:48:668]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Network Shortcuts
MSI (s) (F0:9C) [12:57:48:684]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\Documents
MSI (s) (F0:9C) [12:57:48:684]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
MSI (s) (F0:9C) [12:57:48:684]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent
MSI (s) (F0:9C) [12:57:48:684]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\SendTo
MSI (s) (F0:9C) [12:57:48:684]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates
MSI (s) (F0:9C) [12:57:48:684]: SHELL32::SHGetFolderPath returned: C:\ProgramData
MSI (s) (F0:9C) [12:57:48:684]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Local
MSI (s) (F0:9C) [12:57:48:684]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\Pictures
MSI (s) (F0:9C) [12:57:48:684]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools
MSI (s) (F0:9C) [12:57:48:684]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
MSI (s) (F0:9C) [12:57:48:684]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs
MSI (s) (F0:9C) [12:57:48:700]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu
MSI (s) (F0:9C) [12:57:48:700]: SHELL32::SHGetFolderPath returned: C:\Users\Public\Desktop
MSI (s) (F0:9C) [12:57:48:700]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
MSI (s) (F0:9C) [12:57:48:700]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
MSI (s) (F0:9C) [12:57:48:700]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
MSI (s) (F0:9C) [12:57:48:700]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu
MSI (s) (F0:9C) [12:57:48:700]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\Desktop
MSI (s) (F0:9C) [12:57:48:700]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Templates
MSI (s) (F0:9C) [12:57:48:700]: SHELL32::SHGetFolderPath returned: C:\Windows\Fonts
MSI (s) (F0:9C) [12:57:48:700]: Note: 1: 2898 2: MS Sans Serif 3: MS Sans Serif 4: 0 5: 16
MSI (s) (F0:9C) [12:57:48:715]: MSI_LUA: Setting MsiRunningElevated property to 1 because the install is already running elevated.
MSI (s) (F0:9C) [12:57:48:715]: PROPERTY CHANGE: Adding MsiRunningElevated property. Its value is '1'.
MSI (s) (F0:9C) [12:57:48:715]: PROPERTY CHANGE: Adding Privileged property. Its value is '1'.
MSI (s) (F0:9C) [12:57:48:715]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info 3: 2
MSI (s) (F0:9C) [12:57:48:715]: PROPERTY CHANGE: Adding USERNAME property. Its value is 'Windows User'.
MSI (s) (F0:9C) [12:57:48:715]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info 3: 2
MSI (s) (F0:9C) [12:57:48:715]: PROPERTY CHANGE: Adding DATABASE property. Its value is 'C:\Windows\Installer\d3ee1931.msi'.
MSI (s) (F0:9C) [12:57:48:715]: PROPERTY CHANGE: Adding OriginalDatabase property. Its value is 'C:\windows\sysmon_wazuh-agent-4.9.0\wazuh-agent-4.9.0-1.msi'.
MSI (s) (F0:9C) [12:57:48:715]: Machine policy value 'MsiDisableEmbeddedUI' is 0
MSI (s) (F0:9C) [12:57:48:715]: EEUI - Disabling MsiEmbeddedUI for service because it's not a quiet/basic install
MSI (s) (F0:9C) [12:57:48:715]: Note: 1: 2205 2:  3: PatchPackage
MSI (s) (F0:9C) [12:57:48:715]: Machine policy value 'DisableRollback' is 0
MSI (s) (F0:9C) [12:57:48:715]: User policy value 'DisableRollback' is 0
MSI (s) (F0:9C) [12:57:48:715]: PROPERTY CHANGE: Adding UILevel property. Its value is '2'.
=== Logging started: 7/14/2025  12:57:48 ===
MSI (s) (F0:9C) [12:57:48:715]: Note: 1: 2203 2: C:\Windows\Installer\inprogressinstallinfo.ipi 3: -2147287038
MSI (s) (F0:9C) [12:57:48:715]: Note: 1: 2205 2:  3: LaunchCondition
MSI (s) (F0:9C) [12:57:48:715]: Note: 1: 2228 2:  3: LaunchCondition 4: SELECT `Condition` FROM `LaunchCondition`
MSI (s) (F0:9C) [12:57:48:715]: APPCOMPAT: [DetectVersionLaunchCondition] Failed to initialize pRecErr.
MSI (s) (F0:9C) [12:57:48:715]: PROPERTY CHANGE: Adding ACTION property. Its value is 'INSTALL'.
MSI (s) (F0:9C) [12:57:48:715]: Doing action: INSTALL
MSI (s) (F0:9C) [12:57:48:715]: Note: 1: 2205 2:  3: ActionText
Action start 12:57:48: INSTALL.
MSI (s) (F0:9C) [12:57:48:715]: Running ExecuteSequence
MSI (s) (F0:9C) [12:57:48:715]: Doing action: FindRelatedProducts
MSI (s) (F0:9C) [12:57:48:715]: Note: 1: 2205 2:  3: ActionText
Action start 12:57:48: FindRelatedProducts.
MSI (s) (F0:9C) [12:57:48:731]: Doing action: CheckSvcRunning
MSI (s) (F0:9C) [12:57:48:731]: Note: 1: 2205 2:  3: ActionText
Action ended 12:57:48: FindRelatedProducts. Return value 1.



I see the install process still active in the background.

Get-WmiObject Win32_Process -Filter "Name = 'msiexec.exe'" | Select-Object ProcessId, CommandLine

 

ProcessId CommandLine
--------- -----------
    20720 C:\Windows\system32\msiexec.exe /V
    18164 "C:\Windows\system32\msiexec.exe" /i C:\windows\sysmon_wazuh-agent-4.9.0\wazuh-agent-4.9.0-1.msi /quiet WAZUH_MANAGER=172.22.24.50 /l*v C:\wazuh-ag...
     3728 C:\Windows\syswow64\MsiExec.exe -Embedding 6CE174ABD460E8F93EB23E50B3189621

Test Install 2: CLI

Used below command (Reinstall With Logging & No /quiet)

 

-Verified that no Windows Installer processes are active. Killed the old installer and ran the below:


msiexec /i "C:\windows\sysmon_wazuh-agent-4.9.0\wazuh-agent-4.9.0-1.msi" WAZUH_MANAGER=172.22.24.50 /l*v C:\wazuh-install-debug-logging-no-quiet.log

-Above gets hung and was killed manually 
 

-Below is log:


=== Verbose logging started: 7/14/2025  13:18:08  Build type: SHIP UNICODE 5.00.10011.00  Calling process: C:\Windows\system32\msiexec.exe ===
MSI (c) (CC:44) [13:18:08:082]: Font created.  Charset: Req=0, Ret=0, Font: Req=MS Shell Dlg, Ret=MS Shell Dlg

MSI (c) (CC:44) [13:18:08:082]: Font created.  Charset: Req=0, Ret=0, Font: Req=MS Shell Dlg, Ret=MS Shell Dlg

MSI (c) (CC:50) [13:18:08:099]: Resetting cached policy values
MSI (c) (CC:50) [13:18:08:099]: Machine policy value 'Debug' is 0
MSI (c) (CC:50) [13:18:08:099]: ******* RunEngine:
           ******* Product: C:\windows\sysmon_wazuh-agent-4.9.0\wazuh-agent-4.9.0-1.msi
           ******* Action:
           ******* CommandLine: **********
MSI (c) (CC:50) [13:18:08:099]: Machine policy value 'DisableUserInstalls' is 0
MSI (c) (CC:50) [13:18:08:099]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer 3: 2
MSI (c) (CC:50) [13:18:08:099]: SOFTWARE RESTRICTION POLICY: Verifying package --> 'C:\windows\sysmon_wazuh-agent-4.9.0\wazuh-agent-4.9.0-1.msi' against software restriction policy
MSI (c) (CC:50) [13:18:08:099]: SOFTWARE RESTRICTION POLICY: C:\windows\sysmon_wazuh-agent-4.9.0\wazuh-agent-4.9.0-1.msi has a digital signature
MSI (c) (CC:50) [13:18:08:145]: SOFTWARE RESTRICTION POLICY: C:\windows\sysmon_wazuh-agent-4.9.0\wazuh-agent-4.9.0-1.msi is permitted to run at the 'unrestricted' authorization level.
MSI (c) (CC:50) [13:18:08:224]: Cloaking enabled.
MSI (c) (CC:50) [13:18:08:224]: Attempting to enable all disabled privileges before calling Install on Server
MSI (c) (CC:50) [13:18:08:224]: End dialog not enabled
MSI (c) (CC:50) [13:18:08:224]: Original package ==> C:\windows\sysmon_wazuh-agent-4.9.0\wazuh-agent-4.9.0-1.msi
MSI (c) (CC:50) [13:18:08:224]: Package we're running from ==> C:\windows\sysmon_wazuh-agent-4.9.0\wazuh-agent-4.9.0-1.msi
MSI (c) (CC:50) [13:18:08:224]: APPCOMPAT: Compatibility mode property overrides found.
MSI (c) (CC:50) [13:18:08:224]: APPCOMPAT: looking for appcompat database entry with ProductCode '{AA553771-6A70-4C6F-A5C2-D417D03DD8A5}'.
MSI (c) (CC:50) [13:18:08:224]: APPCOMPAT: no matching ProductCode found in database.
MSI (c) (CC:50) [13:18:08:239]: MSCOREE not loaded loading copy from system32
MSI (c) (CC:50) [13:18:08:239]: Machine policy value 'TransformsSecure' is 1
MSI (c) (CC:50) [13:18:08:239]: Machine policy value 'DisablePatch' is 0
MSI (c) (CC:50) [13:18:08:239]: Machine policy value 'AllowLockdownPatch' is 0
MSI (c) (CC:50) [13:18:08:239]: Machine policy value 'DisableLUAPatching' is 0
MSI (c) (CC:50) [13:18:08:239]: Machine policy value 'DisableFlyWeightPatching' is 0
MSI (c) (CC:50) [13:18:08:239]: APPCOMPAT: looking for appcompat database entry with ProductCode '{AA553771-6A70-4C6F-A5C2-D417D03DD8A5}'.
MSI (c) (CC:50) [13:18:08:239]: APPCOMPAT: no matching ProductCode found in database.
MSI (c) (CC:50) [13:18:08:239]: Transforms are not secure.
MSI (c) (CC:50) [13:18:08:255]: PROPERTY CHANGE: Adding MsiLogFileLocation property. Its value is 'C:\wazuh-install-debug-logging-no-quiet.log'.
MSI (c) (CC:50) [13:18:08:255]: Command Line: WAZUH_MANAGER=172.22.24.50 CURRENTDIRECTORY=C:\Users\Administrator CLIENTUILEVEL=0 CLIENTPROCESSID=5580
MSI (c) (CC:50) [13:18:08:255]: PROPERTY CHANGE: Adding PackageCode property. Its value is '{1EBD6D53-25A4-402C-9730-5A0C9C2C0939}'.
MSI (c) (CC:50) [13:18:08:255]: Product Code passed to Engine.Initialize:           ''
MSI (c) (CC:50) [13:18:08:255]: Product Code from property table before transforms: '{AA553771-6A70-4C6F-A5C2-D417D03DD8A5}'
MSI (c) (CC:50) [13:18:08:255]: Product Code from property table after transforms:  '{AA553771-6A70-4C6F-A5C2-D417D03DD8A5}'
MSI (c) (CC:50) [13:18:08:255]: Product not registered: beginning first-time install
MSI (c) (CC:50) [13:18:08:255]: PROPERTY CHANGE: Adding ProductState property. Its value is '-1'.
MSI (c) (CC:50) [13:18:08:255]: Entering CMsiConfigurationManager::SetLastUsedSource.
MSI (c) (CC:50) [13:18:08:255]: User policy value 'SearchOrder' is 'nmu'
MSI (c) (CC:50) [13:18:08:255]: Adding new sources is allowed.
MSI (c) (CC:50) [13:18:08:255]: PROPERTY CHANGE: Adding PackagecodeChanging property. Its value is '1'.
MSI (c) (CC:50) [13:18:08:255]: Package name extracted from package path: 'wazuh-agent-4.9.0-1.msi'
MSI (c) (CC:50) [13:18:08:255]: Package to be registered: 'wazuh-agent-4.9.0-1.msi'
MSI (c) (CC:50) [13:18:08:255]: Note: 1: 2262 2: AdminProperties 3: -2147287038
MSI (c) (CC:50) [13:18:08:255]: Machine policy value 'DisableMsi' is 1
MSI (c) (CC:50) [13:18:08:255]: Machine policy value 'AlwaysInstallElevated' is 0
MSI (c) (CC:50) [13:18:08:255]: User policy value 'AlwaysInstallElevated' is 0
MSI (c) (CC:50) [13:18:08:255]: Product installation will be elevated because user is admin and product is being installed per-machine.
MSI (c) (CC:50) [13:18:08:255]: Running product '{AA553771-6A70-4C6F-A5C2-D417D03DD8A5}' with elevated privileges: Product is assigned.
MSI (c) (CC:50) [13:18:08:255]: PROPERTY CHANGE: Adding WAZUH_MANAGER property. Its value is '172.22.24.50'.
MSI (c) (CC:50) [13:18:08:255]: PROPERTY CHANGE: Adding CURRENTDIRECTORY property. Its value is 'C:\Users\Administrator'.
MSI (c) (CC:50) [13:18:08:255]: PROPERTY CHANGE: Adding CLIENTUILEVEL property. Its value is '0'.
MSI (c) (CC:50) [13:18:08:255]: PROPERTY CHANGE: Adding CLIENTPROCESSID property. Its value is '5580'.
MSI (c) (CC:50) [13:18:08:255]: PROPERTY CHANGE: Adding MsiSystemRebootPending property. Its value is '1'.
MSI (c) (CC:50) [13:18:08:255]: TRANSFORMS property is now:
MSI (c) (CC:50) [13:18:08:255]: PROPERTY CHANGE: Adding VersionDatabase property. Its value is '200'.
MSI (c) (CC:50) [13:18:08:255]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming
MSI (c) (CC:50) [13:18:08:255]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\Favorites
MSI (c) (CC:50) [13:18:08:255]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Network Shortcuts
MSI (c) (CC:50) [13:18:08:255]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\Documents
MSI (c) (CC:50) [13:18:08:255]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
MSI (c) (CC:50) [13:18:08:255]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent
MSI (c) (CC:50) [13:18:08:255]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\SendTo
MSI (c) (CC:50) [13:18:08:255]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates
MSI (c) (CC:50) [13:18:08:255]: SHELL32::SHGetFolderPath returned: C:\ProgramData
MSI (c) (CC:50) [13:18:08:255]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Local
MSI (c) (CC:50) [13:18:08:255]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\Pictures
MSI (c) (CC:50) [13:18:08:255]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools
MSI (c) (CC:50) [13:18:08:255]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
MSI (c) (CC:50) [13:18:08:255]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs
MSI (c) (CC:50) [13:18:08:255]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu
MSI (c) (CC:50) [13:18:08:255]: SHELL32::SHGetFolderPath returned: C:\Users\Public\Desktop
MSI (c) (CC:50) [13:18:08:255]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
MSI (c) (CC:50) [13:18:08:255]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
MSI (c) (CC:50) [13:18:08:255]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
MSI (c) (CC:50) [13:18:08:255]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu
MSI (c) (CC:50) [13:18:08:255]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\Desktop
MSI (c) (CC:50) [13:18:08:255]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Templates
MSI (c) (CC:50) [13:18:08:255]: SHELL32::SHGetFolderPath returned: C:\Windows\Fonts
MSI (c) (CC:50) [13:18:08:255]: Note: 1: 2898 2: MS Sans Serif 3: MS Sans Serif 4: 0 5: 20
MSI (c) (CC:50) [13:18:08:270]: MSI_LUA: Setting AdminUser property to 1 because this is the client or the user has already permitted elevation
MSI (c) (CC:50) [13:18:08:270]: MSI_LUA: Setting MsiRunningElevated property to 1 because the install is already running elevated.
MSI (c) (CC:50) [13:18:08:270]: PROPERTY CHANGE: Adding MsiRunningElevated property. Its value is '1'.
MSI (c) (CC:50) [13:18:08:270]: PROPERTY CHANGE: Adding Privileged property. Its value is '1'.
MSI (c) (CC:50) [13:18:08:270]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info 3: 2
MSI (c) (CC:50) [13:18:08:270]: PROPERTY CHANGE: Adding USERNAME property. Its value is 'Windows User'.
MSI (c) (CC:50) [13:18:08:270]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info 3: 2
MSI (c) (CC:50) [13:18:08:270]: PROPERTY CHANGE: Adding DATABASE property. Its value is 'C:\windows\sysmon_wazuh-agent-4.9.0\wazuh-agent-4.9.0-1.msi'.
MSI (c) (CC:50) [13:18:08:270]: PROPERTY CHANGE: Adding OriginalDatabase property. Its value is 'C:\windows\sysmon_wazuh-agent-4.9.0\wazuh-agent-4.9.0-1.msi'.
MSI (c) (CC:50) [13:18:08:270]: Machine policy value 'MsiDisableEmbeddedUI' is 0
MSI (c) (CC:50) [13:18:08:270]: PROPERTY CHANGE: Adding SourceDir property. Its value is 'C:\windows\sysmon_wazuh-agent-4.9.0\'.
MSI (c) (CC:50) [13:18:08:270]: PROPERTY CHANGE: Adding SOURCEDIR property. Its value is 'C:\windows\sysmon_wazuh-agent-4.9.0\'.
MSI (c) (CC:44) [13:18:08:286]: PROPERTY CHANGE: Adding VersionHandler property. Its value is '5.00'.
=== Logging started: 7/14/2025  13:18:08 ===
MSI (c) (CC:50) [13:18:08:286]: Note: 1: 2205 2:  3: PatchPackage
MSI (c) (CC:50) [13:18:08:286]: Machine policy value 'DisableRollback' is 0
MSI (c) (CC:50) [13:18:08:286]: User policy value 'DisableRollback' is 0
MSI (c) (CC:50) [13:18:08:286]: PROPERTY CHANGE: Adding UILevel property. Its value is '5'.
MSI (c) (CC:50) [13:18:08:286]: Note: 1: 2203 2: C:\Windows\Installer\inprogressinstallinfo.ipi 3: -2147287038
MSI (c) (CC:50) [13:18:08:286]: Note: 1: 2205 2:  3: LaunchCondition
MSI (c) (CC:50) [13:18:08:286]: Note: 1: 2228 2:  3: LaunchCondition 4: SELECT `Condition` FROM `LaunchCondition`
MSI (c) (CC:50) [13:18:08:286]: APPCOMPAT: [DetectVersionLaunchCondition] Failed to initialize pRecErr.
MSI (c) (CC:50) [13:18:08:302]: PROPERTY CHANGE: Adding ACTION property. Its value is 'INSTALL'.
MSI (c) (CC:50) [13:18:08:302]: Doing action: INSTALL
MSI (c) (CC:50) [13:18:08:302]: Note: 1: 2205 2:  3: ActionText
Action 13:18:08: INSTALL.
Action start 13:18:08: INSTALL.
MSI (c) (CC:50) [13:18:08:302]: UI Sequence table 'InstallUISequence' is present and populated.
MSI (c) (CC:50) [13:18:08:302]: Running UISequence
MSI (c) (CC:50) [13:18:08:302]: PROPERTY CHANGE: Adding EXECUTEACTION property. Its value is 'INSTALL'.
MSI (c) (CC:50) [13:18:08:302]: Doing action: FindRelatedProducts
MSI (c) (CC:50) [13:18:08:302]: Note: 1: 2205 2:  3: ActionText
Action 13:18:08: FindRelatedProducts. Searching for related applications
Action start 13:18:08: FindRelatedProducts.
Action ended 13:18:08: FindRelatedProducts. Return value 1.
MSI (c) (CC:50) [13:18:08:302]: Doing action: PrepareDlg
MSI (c) (CC:50) [13:18:08:302]: Note: 1: 2205 2:  3: ActionText
Action 13:18:08: PrepareDlg.
Action start 13:18:08: PrepareDlg.
Info 2898.For WixUI_Font_Normal textstyle, the system created a 'Tahoma' font, in 0 character set, of 16 pixels height.
Info 2898.For WixUI_Font_Bigger textstyle, the system created a 'Tahoma' font, in 0 character set, of 24 pixels height.
Action 13:18:08: PrepareDlg. Dialog created
Action ended 13:18:08: PrepareDlg. Return value 1.
MSI (c) (CC:50) [13:18:08:349]: Doing action: AppSearch
MSI (c) (CC:50) [13:18:08:349]: Note: 1: 2205 2:  3: ActionText
Action 13:18:08: AppSearch. Searching for installed applications
Action start 13:18:08: AppSearch.
AppSearch: Property: MAJORVERSION, Signature: CurrentMajorVersion
MSI (c) (CC:50) [13:18:08:349]: Note: 1: 2262 2: Signature 3: -2147287038
MSI (c) (CC:50) [13:18:08:349]: PROPERTY CHANGE: Modifying MAJORVERSION property. Its current value is '0'. Its new value: '#10'.
AppSearch: Property: BUILDVERSION, Signature: BuildVersion
MSI (c) (CC:50) [13:18:08:349]: Note: 1: 2262 2: Signature 3: -2147287038
MSI (c) (CC:50) [13:18:08:349]: PROPERTY CHANGE: Modifying BUILDVERSION property. Its current value is '0'. Its new value: '17763'.
AppSearch: Property: APPLICATIONFOLDER, Signature: WazuhInstallDirProperty
MSI (c) (CC:50) [13:18:08:349]: Note: 1: 2262 2: Signature 3: -2147287038
MSI (c) (CC:50) [13:18:08:349]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE32\Software\Wazuh, Inc.\Wazuh Agent 3: 2
AppSearch: Property: OSSECINSTALLED, Signature: OssecInstalled
MSI (c) (CC:50) [13:18:08:349]: Note: 1: 2262 2: Signature 3: -2147287038
MSI (c) (CC:50) [13:18:08:349]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE32\System\CurrentControlSet\Services\OssecSvc 3: 2
AppSearch: Property: WAZUHINSTALLED, Signature: WazuhInstalled
MSI (c) (CC:50) [13:18:08:349]: Note: 1: 2262 2: Signature 3: -2147287038
MSI (c) (CC:50) [13:18:08:349]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE32\System\CurrentControlSet\Services\WazuhSvc 3: 2
Action ended 13:18:08: AppSearch. Return value 1.
MSI (c) (CC:50) [13:18:08:349]: Doing action: ValidateProductID
MSI (c) (CC:50) [13:18:08:349]: Note: 1: 2205 2:  3: ActionText
Action 13:18:08: ValidateProductID.
Action start 13:18:08: ValidateProductID.
Action ended 13:18:08: ValidateProductID. Return value 1.
MSI (c) (CC:50) [13:18:08:349]: Doing action: CostInitialize
MSI (c) (CC:50) [13:18:08:349]: Note: 1: 2205 2:  3: ActionText
Action 13:18:08: CostInitialize. Computing space requirements
Action start 13:18:08: CostInitialize.
MSI (c) (CC:50) [13:18:08:349]: Machine policy value 'MaxPatchCacheSize' is 10
MSI (c) (CC:50) [13:18:08:349]: PROPERTY CHANGE: Adding ROOTDRIVE property. Its value is 'D:\'.
MSI (c) (CC:50) [13:18:08:349]: PROPERTY CHANGE: Adding CostingComplete property. Its value is '0'.
Action ended 13:18:08: CostInitialize. Return value 1.
MSI (c) (CC:50) [13:18:08:349]: Doing action: FileCost
MSI (c) (CC:50) [13:18:08:349]: Note: 1: 2205 2:  3: ActionText
Action 13:18:08: FileCost. Computing space requirements
Action start 13:18:08: FileCost.
MSI (c) (CC:50) [13:18:08:364]: Note: 1: 2205 2:  3: MsiAssembly
MSI (c) (CC:50) [13:18:08:364]: Note: 1: 2205 2:  3: Class
MSI (c) (CC:50) [13:18:08:364]: Note: 1: 2205 2:  3: Extension
MSI (c) (CC:50) [13:18:08:364]: Note: 1: 2205 2:  3: TypeLib
Action ended 13:18:08: FileCost. Return value 1.
MSI (c) (CC:50) [13:18:08:364]: Doing action: WixSetDefaultPerUserFolder
MSI (c) (CC:50) [13:18:08:364]: Note: 1: 2205 2:  3: ActionText
Action 13:18:08: WixSetDefaultPerUserFolder.
Action start 13:18:08: WixSetDefaultPerUserFolder.
MSI (c) (CC:50) [13:18:08:364]: PROPERTY CHANGE: Adding WixPerUserFolder property. Its value is 'C:\Users\Administrator\AppData\Local\Apps\ossec-agent'.
Action ended 13:18:08: WixSetDefaultPerUserFolder. Return value 1.
MSI (c) (CC:50) [13:18:08:364]: Doing action: WixSetDefaultPerMachineFolder
MSI (c) (CC:50) [13:18:08:364]: Note: 1: 2205 2:  3: ActionText
Action 13:18:08: WixSetDefaultPerMachineFolder.
Action start 13:18:08: WixSetDefaultPerMachineFolder.
MSI (c) (CC:50) [13:18:08:364]: PROPERTY CHANGE: Adding WixPerMachineFolder property. Its value is 'C:\Program Files (x86)\ossec-agent'.
Action ended 13:18:08: WixSetDefaultPerMachineFolder. Return value 1.
MSI (c) (CC:50) [13:18:08:364]: Skipping action: WixSetPerUserFolder (condition is false)
MSI (c) (CC:50) [13:18:08:364]: Doing action: WixSetPerMachineFolder
MSI (c) (CC:50) [13:18:08:364]: Note: 1: 2205 2:  3: ActionText
Action 13:18:08: WixSetPerMachineFolder.
Action start 13:18:08: WixSetPerMachineFolder.
MSI (c) (CC:50) [13:18:08:364]: PROPERTY CHANGE: Adding APPLICATIONFOLDER property. Its value is 'C:\Program Files (x86)\ossec-agent'.
Action ended 13:18:08: WixSetPerMachineFolder. Return value 1.
MSI (c) (CC:50) [13:18:08:364]: Doing action: CostFinalize
MSI (c) (CC:50) [13:18:08:364]: Note: 1: 2205 2:  3: ActionText
Action 13:18:08: CostFinalize. Computing space requirements
Action start 13:18:08: CostFinalize.
MSI (c) (CC:50) [13:18:08:364]: PROPERTY CHANGE: Adding OutOfDiskSpace property. Its value is '0'.
MSI (c) (CC:50) [13:18:08:364]: PROPERTY CHANGE: Adding OutOfNoRbDiskSpace property. Its value is '0'.
MSI (c) (CC:50) [13:18:08:364]: PROPERTY CHANGE: Adding PrimaryVolumeSpaceAvailable property. Its value is '0'.
MSI (c) (CC:50) [13:18:08:364]: PROPERTY CHANGE: Adding PrimaryVolumeSpaceRequired property. Its value is '0'.
MSI (c) (CC:50) [13:18:08:364]: PROPERTY CHANGE: Adding PrimaryVolumeSpaceRemaining property. Its value is '0'.
MSI (c) (CC:50) [13:18:08:364]: Note: 1: 2205 2:  3: Patch
MSI (c) (CC:50) [13:18:08:364]: Note: 1: 2205 2:  3: Condition
MSI (c) (CC:50) [13:18:08:364]: PROPERTY CHANGE: Adding TARGETDIR property. Its value is 'D:\'.
MSI (c) (CC:50) [13:18:08:364]: PROPERTY CHANGE: Adding ProgramMenuDir property. Its value is 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OSSEC\'.
MSI (c) (CC:50) [13:18:08:364]: PROPERTY CHANGE: Modifying APPLICATIONFOLDER property. Its current value is 'C:\Program Files (x86)\ossec-agent'. Its new value: 'C:\Program Files (x86)\ossec-agent\'.
MSI (c) (CC:50) [13:18:08:364]: PROPERTY CHANGE: Adding UPGRADE property. Its value is 'C:\Program Files (x86)\ossec-agent\upgrade\'.
MSI (c) (CC:50) [13:18:08:364]: PROPERTY CHANGE: Adding INCOMING property. Its value is 'C:\Program Files (x86)\ossec-agent\incoming\'.
MSI (c) (CC:50) [13:18:08:364]: PROPERTY CHANGE: Adding SYSCHECK property. Its value is 'C:\Program Files (x86)\ossec-agent\syscheck\'.
MSI (c) (CC:50) [13:18:08:364]: PROPERTY CHANGE: Adding RIDS property. Its value is 'C:\Program Files (x86)\ossec-agent\rids\'.
MSI (c) (CC:50) [13:18:08:364]: PROPERTY CHANGE: Adding WODLES property. Its value is 'C:\Program Files (x86)\ossec-agent\wodles\'.
MSI (c) (CC:50) [13:18:08:364]: PROPERTY CHANGE: Adding LOGS property. Its value is 'C:\Program Files (x86)\ossec-agent\logs\'.
MSI (c) (CC:50) [13:18:08:364]: PROPERTY CHANGE: Adding BOOKMARKS property. Its value is 'C:\Program Files (x86)\ossec-agent\bookmarks\'.
MSI (c) (CC:50) [13:18:08:364]: PROPERTY CHANGE: Adding TMP property. Its value is 'C:\Program Files (x86)\ossec-agent\tmp\'.
MSI (c) (CC:50) [13:18:08:364]: PROPERTY CHANGE: Adding QUEUE property. Its value is 'C:\Program Files (x86)\ossec-agent\queue\'.
MSI (c) (CC:50) [13:18:08:364]: PROPERTY CHANGE: Adding LOGCOLLECTOR property. Its value is 'C:\Program Files (x86)\ossec-agent\queue\logcollector\'.
MSI (c) (CC:50) [13:18:08:364]: PROPERTY CHANGE: Adding FIM property. Its value is 'C:\Program Files (x86)\ossec-agent\queue\fim\'.
MSI (c) (CC:50) [13:18:08:364]: PROPERTY CHANGE: Adding FIM_DB property. Its value is 'C:\Program Files (x86)\ossec-agent\queue\fim\db\'.
MSI (c) (CC:50) [13:18:08:364]: PROPERTY CHANGE: Adding DIFF property. Its value is 'C:\Program Files (x86)\ossec-agent\queue\diff\'.
MSI (c) (CC:50) [13:18:08:364]: PROPERTY CHANGE: Adding SYSCOLLECTOR property. Its value is 'C:\Program Files (x86)\ossec-agent\queue\syscollector\'.
MSI (c) (CC:50) [13:18:08:364]: PROPERTY CHANGE: Adding SYSCOLLECTOR_DB property. Its value is 'C:\Program Files (x86)\ossec-agent\queue\syscollector\db\'.
MSI (c) (CC:50) [13:18:08:364]: PROPERTY CHANGE: Adding RULESET property. Its value is 'C:\Program Files (x86)\ossec-agent\ruleset\'.
MSI (c) (CC:50) [13:18:08:364]: PROPERTY CHANGE: Adding SECURITY_CONFIGURATION_ASSESSMENT property. Its value is 'C:\Program Files (x86)\ossec-agent\ruleset\sca\'.
MSI (c) (CC:50) [13:18:08:364]: PROPERTY CHANGE: Adding SHARED property. Its value is 'C:\Program Files (x86)\ossec-agent\shared\'.
MSI (c) (CC:50) [13:18:08:364]: PROPERTY CHANGE: Adding ACTIVE_RESPONSE property. Its value is 'C:\Program Files (x86)\ossec-agent\active-response\'.
MSI (c) (CC:50) [13:18:08:364]: PROPERTY CHANGE: Adding BIN property. Its value is 'C:\Program Files (x86)\ossec-agent\active-response\bin\'.
MSI (c) (CC:50) [13:18:08:364]: Target path resolution complete. Dumping Directory table...
MSI (c) (CC:50) [13:18:08:364]: Note: target paths subject to change (via custom actions or browsing)
MSI (c) (CC:50) [13:18:08:364]: Dir (target): Key: TARGETDIR , Object: D:\
MSI (c) (CC:50) [13:18:08:364]: Dir (target): Key: WindowsFolder , Object: C:\Windows\
MSI (c) (CC:50) [13:18:08:364]: Dir (target): Key: ProgramMenuFolder , Object: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\
MSI (c) (CC:50) [13:18:08:364]: Dir (target): Key: ProgramMenuDir , Object: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OSSEC\
MSI (c) (CC:50) [13:18:08:364]: Dir (target): Key: ProgramFilesFolder , Object: C:\Program Files (x86)\
MSI (c) (CC:50) [13:18:08:364]: Dir (target): Key: APPLICATIONFOLDER , Object: C:\Program Files (x86)\ossec-agent\
MSI (c) (CC:50) [13:18:08:364]: Dir (target): Key: UPGRADE , Object: C:\Program Files (x86)\ossec-agent\upgrade\
MSI (c) (CC:50) [13:18:08:364]: Dir (target): Key: INCOMING , Object: C:\Program Files (x86)\ossec-agent\incoming\
MSI (c) (CC:50) [13:18:08:364]: Dir (target): Key: SYSCHECK , Object: C:\Program Files (x86)\ossec-agent\syscheck\
MSI (c) (CC:50) [13:18:08:364]: Dir (target): Key: RIDS , Object: C:\Program Files (x86)\ossec-agent\rids\
MSI (c) (CC:50) [13:18:08:364]: Dir (target): Key: WODLES , Object: C:\Program Files (x86)\ossec-agent\wodles\
MSI (c) (CC:50) [13:18:08:364]: Dir (target): Key: LOGS , Object: C:\Program Files (x86)\ossec-agent\logs\
MSI (c) (CC:50) [13:18:08:364]: Dir (target): Key: BOOKMARKS , Object: C:\Program Files (x86)\ossec-agent\bookmarks\
MSI (c) (CC:50) [13:18:08:364]: Dir (target): Key: TMP , Object: C:\Program Files (x86)\ossec-agent\tmp\
MSI (c) (CC:50) [13:18:08:364]: Dir (target): Key: QUEUE , Object: C:\Program Files (x86)\ossec-agent\queue\
MSI (c) (CC:50) [13:18:08:364]: Dir (target): Key: LOGCOLLECTOR , Object: C:\Program Files (x86)\ossec-agent\queue\logcollector\
MSI (c) (CC:50) [13:18:08:364]: Dir (target): Key: FIM , Object: C:\Program Files (x86)\ossec-agent\queue\fim\
MSI (c) (CC:50) [13:18:08:364]: Dir (target): Key: FIM_DB , Object: C:\Program Files (x86)\ossec-agent\queue\fim\db\
MSI (c) (CC:50) [13:18:08:364]: Dir (target): Key: DIFF , Object: C:\Program Files (x86)\ossec-agent\queue\diff\
MSI (c) (CC:50) [13:18:08:364]: Dir (target): Key: SYSCOLLECTOR , Object: C:\Program Files (x86)\ossec-agent\queue\syscollector\
MSI (c) (CC:50) [13:18:08:364]: Dir (target): Key: SYSCOLLECTOR_DB , Object: C:\Program Files (x86)\ossec-agent\queue\syscollector\db\
MSI (c) (CC:50) [13:18:08:364]: Dir (target): Key: RULESET , Object: C:\Program Files (x86)\ossec-agent\ruleset\
MSI (c) (CC:50) [13:18:08:364]: Dir (target): Key: SECURITY_CONFIGURATION_ASSESSMENT , Object: C:\Program Files (x86)\ossec-agent\ruleset\sca\
MSI (c) (CC:50) [13:18:08:364]: Dir (target): Key: SHARED , Object: C:\Program Files (x86)\ossec-agent\shared\
MSI (c) (CC:50) [13:18:08:364]: Dir (target): Key: ACTIVE_RESPONSE , Object: C:\Program Files (x86)\ossec-agent\active-response\
MSI (c) (CC:50) [13:18:08:364]: Dir (target): Key: BIN , Object: C:\Program Files (x86)\ossec-agent\active-response\bin\
MSI (c) (CC:50) [13:18:08:364]: PROPERTY CHANGE: Adding INSTALLLEVEL property. Its value is '1'.
MSI (c) (CC:50) [13:18:08:364]: Note: 1: 2205 2:  3: MsiAssembly
MSI (c) (CC:50) [13:18:08:364]: Note: 1: 2228 2:  3: MsiAssembly 4:  SELECT `MsiAssembly`.`Attributes`, `MsiAssembly`.`File_Application`, `MsiAssembly`.`File_Manifest`,  `Component`.`KeyPath` FROM `MsiAssembly`, `Component` WHERE  `MsiAssembly`.`Component_` = `Component`.`Component` AND `MsiAssembly`.`Component_` = ?
Action ended 13:18:08: CostFinalize. Return value 1.
MSI (c) (CC:50) [13:18:08:364]: Doing action: MigrateFeatureStates
MSI (c) (CC:50) [13:18:08:364]: Note: 1: 2205 2:  3: ActionText
Action 13:18:08: MigrateFeatureStates. Migrating feature states from related applications
Action start 13:18:08: MigrateFeatureStates.
Action ended 13:18:08: MigrateFeatureStates. Return value 0.
MSI (c) (CC:50) [13:18:08:364]: Skipping action: WelcomeDlg (condition is false)
MSI (c) (CC:50) [13:18:08:364]: Doing action: AdvancedWelcomeEulaDlg
MSI (c) (CC:50) [13:18:08:364]: Note: 1: 2205 2:  3: ActionText
Action 13:18:08: AdvancedWelcomeEulaDlg.
Action start 13:18:08: AdvancedWelcomeEulaDlg.
Info 2898.For WixUI_Font_Title textstyle, the system created a 'Tahoma' font, in 0 character set, of 18 pixels height.
Action 13:18:08: AdvancedWelcomeEulaDlg. Dialog created
MSI (c) (CC:E8) [13:18:08:395]: Note: 1: 2205 2:  3: _RemoveFilePath
MSI (c) (CC:E8) [13:18:08:395]: PROPERTY CHANGE: Modifying CostingComplete property. Its current value is '0'. Its new value: '1'.
MSI (c) (CC:E8) [13:18:08:395]: Note: 1: 2205 2:  3: BindImage
MSI (c) (CC:E8) [13:18:08:395]: Note: 1: 2205 2:  3: ProgId
MSI (c) (CC:E8) [13:18:08:395]: Note: 1: 2205 2:  3: PublishComponent
MSI (c) (CC:E8) [13:18:08:395]: Note: 1: 2205 2:  3: SelfReg
MSI (c) (CC:E8) [13:18:08:395]: Note: 1: 2205 2:  3: Extension
MSI (c) (CC:E8) [13:18:08:395]: Note: 1: 2205 2:  3: Font
MSI (c) (CC:E8) [13:18:08:395]: Note: 1: 2205 2:  3: Class
MSI (c) (CC:E8) [13:18:08:395]: Note: 1: 2205 2:  3: TypeLib
MSI (c) (CC:E8) [13:18:08:395]: Note: 1: 2727 2:  
MSI (c) (CC:44) [13:18:09:388]: PROPERTY CHANGE: Adding LicenseAccepted property. Its value is '1'.
Action 13:18:10: InstallDirDlg. Dialog created
MSI (c) (CC:44) [13:18:11:360]: Doing action: WixUIValidatePath
MSI (c) (CC:44) [13:18:11:360]: Note: 1: 2205 2:  3: ActionText
Action 13:18:11: WixUIValidatePath.
Action start 13:18:11: WixUIValidatePath.
MSI (c) (CC:C0) [13:18:11:376]: Invoking remote custom action. DLL: C:\Users\ADMINI~1\AppData\Local\Temp\15\MSIC1ED.tmp, Entrypoint: ValidatePath
MSI (c) (CC:14) [13:18:11:376]: Cloaking enabled.
MSI (c) (CC:14) [13:18:11:376]: Attempting to enable all disabled privileges before calling Install on Server
MSI (c) (CC:14) [13:18:11:376]: Connected to service for CA interface.
MSI (c) (CC!6C) [13:18:11:470]: PROPERTY CHANGE: Adding WIXUI_INSTALLDIR_VALID property. Its value is '1'.
Action ended 13:18:11: WixUIValidatePath. Return value 1.
Action 13:18:11: VerifyReadyDlg. Dialog created
Action ended 13:18:11: AdvancedWelcomeEulaDlg. Return value 1.
MSI (c) (CC:50) [13:18:11:968]: Skipping action: MaintenanceWelcomeDlg (condition is false)
MSI (c) (CC:50) [13:18:11:968]: Skipping action: ResumeDlg (condition is false)
MSI (c) (CC:50) [13:18:11:968]: Doing action: ProgressDlg
MSI (c) (CC:50) [13:18:11:968]: Note: 1: 2205 2:  3: ActionText
Action 13:18:11: ProgressDlg.
Action start 13:18:11: ProgressDlg.
Action 13:18:11: ProgressDlg. Dialog created
Action ended 13:18:11: ProgressDlg. Return value 1.
MSI (c) (CC:50) [13:18:11:983]: Doing action: ExecuteAction
MSI (c) (CC:50) [13:18:11:983]: Note: 1: 2205 2:  3: ActionText
Action 13:18:11: ExecuteAction.
Action start 13:18:11: ExecuteAction.
MSI (c) (CC:50) [13:18:11:983]: PROPERTY CHANGE: Adding SECONDSEQUENCE property. Its value is '1'.
MSI (c) (CC:50) [13:18:11:983]: Grabbed execution mutex.
MSI (c) (CC:50) [13:18:11:983]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (c) (CC:50) [13:18:11:983]: Switching to server: MAJORVERSION="#10" BUILDVERSION="17763" APPLICATIONFOLDER="C:\Program Files (x86)\ossec-agent\" BIN="C:\Program Files (x86)\ossec-agent\active-response\bin\" ACTIVE_RESPONSE="C:\Program Files (x86)\ossec-agent\active-response\" SHARED="C:\Program Files (x86)\ossec-agent\shared\" SECURITY_CONFIGURATION_ASSESSMENT="C:\Program Files (x86)\ossec-agent\ruleset\sca\" SYSCOLLECTOR="C:\Program Files (x86)\ossec-agent\queue\syscollector\" TMP="C:\Program Files (x86)\ossec-agent\tmp\" QUEUE="C:\Program Files (x86)\ossec-agent\queue\" DIFF="C:\Program Files (x86)\ossec-agent\queue\diff\" FIM="C:\Program Files (x86)\ossec-agent\queue\fim\" FIM_DB="C:\Program Files (x86)\ossec-agent\queue\fim\db\" SYSCOLLECTOR_DB="C:\Program Files (x86)\ossec-agent\queue\syscollector\db\" LOGCOLLECTOR="C:\Program Files (x86)\ossec-agent\queue\logcollector\" RULESET="C:\Program Files (x86)\ossec-agent\ruleset\" BOOKMARKS="C:\Program Files (x86)\ossec-agent\bookmarks\" LOGS="C:\Program Files (x86)\ossec-agent\logs\" WODLES="C:\Program Files (x86)\ossec-agent\wod
MSI (s) (70:50) [13:18:11:999]: Running installation inside multi-package transaction C:\windows\sysmon_wazuh-agent-4.9.0\wazuh-agent-4.9.0-1.msi
MSI (s) (70:50) [13:18:11:999]: Grabbed execution mutex.
MSI (s) (70:00) [13:18:11:999]: Resetting cached policy values
MSI (s) (70:00) [13:18:11:999]: Machine policy value 'Debug' is 0
MSI (s) (70:00) [13:18:11:999]: ******* RunEngine:
           ******* Product: C:\windows\sysmon_wazuh-agent-4.9.0\wazuh-agent-4.9.0-1.msi
           ******* Action: INSTALL
           ******* CommandLine: **********
MSI (s) (70:00) [13:18:11:999]: Machine policy value 'DisableUserInstalls' is 0
MSI (s) (70:00) [13:18:12:015]: Note: 1: 2203 2: C:\Windows\Installer\inprogressinstallinfo.ipi 3: -2147287038
MSI (s) (70:00) [13:18:12:015]: Machine policy value 'LimitSystemRestoreCheckpointing' is 0
MSI (s) (70:00) [13:18:12:015]: Note: 1: 1715 2: Wazuh Agent
MSI (s) (70:00) [13:18:12:015]: Calling SRSetRestorePoint API. dwRestorePtType: 0, dwEventType: 102, llSequenceNumber: 0, szDescription: "Installed Wazuh Agent".
MSI (s) (70:00) [13:18:12:015]: The call to SRSetRestorePoint API failed. Returned status: 0. GetLastError() returned: 127
MSI (s) (70:00) [13:18:12:015]: File will have security applied from OpCode.
MSI (s) (70:00) [13:18:12:030]: SOFTWARE RESTRICTION POLICY: Verifying package --> 'C:\windows\sysmon_wazuh-agent-4.9.0\wazuh-agent-4.9.0-1.msi' against software restriction policy
MSI (s) (70:00) [13:18:12:030]: SOFTWARE RESTRICTION POLICY: C:\windows\sysmon_wazuh-agent-4.9.0\wazuh-agent-4.9.0-1.msi has a digital signature
MSI (s) (70:00) [13:18:12:077]: SOFTWARE RESTRICTION POLICY: C:\windows\sysmon_wazuh-agent-4.9.0\wazuh-agent-4.9.0-1.msi is permitted to run at the 'unrestricted' authorization level.
MSI (s) (70:00) [13:18:12:077]: MSCOREE not loaded loading copy from system32
MSI (s) (70:00) [13:18:12:093]: End dialog not enabled
MSI (s) (70:00) [13:18:12:093]: Original package ==> C:\windows\sysmon_wazuh-agent-4.9.0\wazuh-agent-4.9.0-1.msi
MSI (s) (70:00) [13:18:12:093]: Package we're running from ==> C:\Windows\Installer\d400c47d.msi
MSI (s) (70:00) [13:18:12:093]: APPCOMPAT: Compatibility mode property overrides found.
MSI (s) (70:00) [13:18:12:093]: APPCOMPAT: looking for appcompat database entry with ProductCode '{AA553771-6A70-4C6F-A5C2-D417D03DD8A5}'.
MSI (s) (70:00) [13:18:12:093]: APPCOMPAT: no matching ProductCode found in database.
MSI (s) (70:00) [13:18:12:109]: Machine policy value 'TransformsSecure' is 1
MSI (s) (70:00) [13:18:12:109]: Machine policy value 'DisablePatch' is 0
MSI (s) (70:00) [13:18:12:109]: Machine policy value 'AllowLockdownPatch' is 0
MSI (s) (70:00) [13:18:12:109]: Machine policy value 'DisableLUAPatching' is 0
MSI (s) (70:00) [13:18:12:109]: Machine policy value 'DisableFlyWeightPatching' is 0
MSI (s) (70:00) [13:18:12:109]: APPCOMPAT: looking for appcompat database entry with ProductCode '{AA553771-6A70-4C6F-A5C2-D417D03DD8A5}'.
MSI (s) (70:00) [13:18:12:109]: APPCOMPAT: no matching ProductCode found in database.
MSI (s) (70:00) [13:18:12:109]: Transforms are not secure.
MSI (s) (70:00) [13:18:12:109]: PROPERTY CHANGE: Adding MsiLogFileLocation property. Its value is 'C:\wazuh-install-debug-logging-no-quiet.log'.
MSI (s) (70:00) [13:18:12:109]: Command Line: MAJORVERSION=#10 BUILDVERSION=17763 APPLICATIONFOLDER=C:\Program Files (x86)\ossec-agent\ BIN=C:\Program Files (x86)\ossec-agent\active-response\bin\ ACTIVE_RESPONSE=C:\Program Files (x86)\ossec-agent\active-response\ SHARED=C:\Program Files (x86)\ossec-agent\shared\ SECURITY_CONFIGURATION_ASSESSMENT=C:\Program Files (x86)\ossec-agent\ruleset\sca\ SYSCOLLECTOR=C:\Program Files (x86)\ossec-agent\queue\syscollector\ TMP=C:\Program Files (x86)\ossec-agent\tmp\ QUEUE=C:\Program Files (x86)\ossec-agent\queue\ DIFF=C:\Program Files (x86)\ossec-agent\queue\diff\ FIM=C:\Program Files (x86)\ossec-agent\queue\fim\ FIM_DB=C:\Program Files (x86)\ossec-agent\queue\fim\db\ SYSCOLLECTOR_DB=C:\Program Files (x86)\ossec-agent\queue\syscollector\db\ LOGCOLLECTOR=C:\Program Files (x86)\ossec-agent\queue\logcollector\ RULESET=C:\Program Files (x86)\ossec-agent\ruleset\ BOOKMARKS=C:\Program Files (x86)\ossec-agent\bookmarks\ LOGS=C:\Program Files (x86)\ossec-agent\logs\ WODLES=C:\Program Files (x86)\ossec-agent\wodles\ RIDS=C:\Program Files (x86)\ossec-agent
MSI (s) (70:00) [13:18:12:109]: PROPERTY CHANGE: Adding PackageCode property. Its value is '{1EBD6D53-25A4-402C-9730-5A0C9C2C0939}'.
MSI (s) (70:00) [13:18:12:109]: Product Code passed to Engine.Initialize:           ''
MSI (s) (70:00) [13:18:12:109]: Product Code from property table before transforms: '{AA553771-6A70-4C6F-A5C2-D417D03DD8A5}'
MSI (s) (70:00) [13:18:12:109]: Product Code from property table after transforms:  '{AA553771-6A70-4C6F-A5C2-D417D03DD8A5}'
MSI (s) (70:00) [13:18:12:109]: Product not registered: beginning first-time install
MSI (s) (70:00) [13:18:12:109]: Product {AA553771-6A70-4C6F-A5C2-D417D03DD8A5} is not managed.
MSI (s) (70:00) [13:18:12:109]: MSI_LUA: Credential prompt not required, user is an admin
MSI (s) (70:00) [13:18:12:109]: PROPERTY CHANGE: Adding ProductState property. Its value is '-1'.
MSI (s) (70:00) [13:18:12:109]: Entering CMsiConfigurationManager::SetLastUsedSource.
MSI (s) (70:00) [13:18:12:109]: User policy value 'SearchOrder' is 'nmu'
MSI (s) (70:00) [13:18:12:109]: Adding new sources is allowed.
MSI (s) (70:00) [13:18:12:109]: PROPERTY CHANGE: Adding PackagecodeChanging property. Its value is '1'.
MSI (s) (70:00) [13:18:12:109]: Package name extracted from package path: 'wazuh-agent-4.9.0-1.msi'
MSI (s) (70:00) [13:18:12:109]: Package to be registered: 'wazuh-agent-4.9.0-1.msi'
MSI (s) (70:00) [13:18:12:109]: Note: 1: 2262 2: AdminProperties 3: -2147287038
MSI (s) (70:00) [13:18:12:109]: Machine policy value 'DisableMsi' is 1
MSI (s) (70:00) [13:18:12:109]: Machine policy value 'AlwaysInstallElevated' is 0
MSI (s) (70:00) [13:18:12:109]: User policy value 'AlwaysInstallElevated' is 0
MSI (s) (70:00) [13:18:12:109]: Product installation will be elevated because user is admin and product is being installed per-machine.
MSI (s) (70:00) [13:18:12:109]: Running product '{AA553771-6A70-4C6F-A5C2-D417D03DD8A5}' with elevated privileges: Product is assigned.
MSI (s) (70:00) [13:18:12:109]: PROPERTY CHANGE: Modifying MAJORVERSION property. Its current value is '0'. Its new value: '#10'.
MSI (s) (70:00) [13:18:12:109]: PROPERTY CHANGE: Modifying BUILDVERSION property. Its current value is '0'. Its new value: '17763'.
MSI (s) (70:00) [13:18:12:109]: PROPERTY CHANGE: Adding APPLICATIONFOLDER property. Its value is 'C:\Program Files (x86)\ossec-agent\'.
MSI (s) (70:00) [13:18:12:109]: PROPERTY CHANGE: Adding BIN property. Its value is 'C:\Program Files (x86)\ossec-agent\active-response\bin\'.
MSI (s) (70:00) [13:18:12:109]: PROPERTY CHANGE: Adding ACTIVE_RESPONSE property. Its value is 'C:\Program Files (x86)\ossec-agent\active-response\'.
MSI (s) (70:00) [13:18:12:109]: PROPERTY CHANGE: Adding SHARED property. Its value is 'C:\Program Files (x86)\ossec-agent\shared\'.
MSI (s) (70:00) [13:18:12:109]: PROPERTY CHANGE: Adding SECURITY_CONFIGURATION_ASSESSMENT property. Its value is 'C:\Program Files (x86)\ossec-agent\ruleset\sca\'.
MSI (s) (70:00) [13:18:12:109]: PROPERTY CHANGE: Adding SYSCOLLECTOR property. Its value is 'C:\Program Files (x86)\ossec-agent\queue\syscollector\'.
MSI (s) (70:00) [13:18:12:109]: PROPERTY CHANGE: Adding TMP property. Its value is 'C:\Program Files (x86)\ossec-agent\tmp\'.
MSI (s) (70:00) [13:18:12:109]: PROPERTY CHANGE: Adding QUEUE property. Its value is 'C:\Program Files (x86)\ossec-agent\queue\'.
MSI (s) (70:00) [13:18:12:109]: PROPERTY CHANGE: Adding DIFF property. Its value is 'C:\Program Files (x86)\ossec-agent\queue\diff\'.
MSI (s) (70:00) [13:18:12:109]: PROPERTY CHANGE: Adding FIM property. Its value is 'C:\Program Files (x86)\ossec-agent\queue\fim\'.
MSI (s) (70:00) [13:18:12:109]: PROPERTY CHANGE: Adding FIM_DB property. Its value is 'C:\Program Files (x86)\ossec-agent\queue\fim\db\'.
MSI (s) (70:00) [13:18:12:109]: PROPERTY CHANGE: Adding SYSCOLLECTOR_DB property. Its value is 'C:\Program Files (x86)\ossec-agent\queue\syscollector\db\'.
MSI (s) (70:00) [13:18:12:109]: PROPERTY CHANGE: Adding LOGCOLLECTOR property. Its value is 'C:\Program Files (x86)\ossec-agent\queue\logcollector\'.
MSI (s) (70:00) [13:18:12:109]: PROPERTY CHANGE: Adding RULESET property. Its value is 'C:\Program Files (x86)\ossec-agent\ruleset\'.
MSI (s) (70:00) [13:18:12:109]: PROPERTY CHANGE: Adding BOOKMARKS property. Its value is 'C:\Program Files (x86)\ossec-agent\bookmarks\'.
MSI (s) (70:00) [13:18:12:109]: PROPERTY CHANGE: Adding LOGS property. Its value is 'C:\Program Files (x86)\ossec-agent\logs\'.
MSI (s) (70:00) [13:18:12:109]: PROPERTY CHANGE: Adding WODLES property. Its value is 'C:\Program Files (x86)\ossec-agent\wodles\'.
MSI (s) (70:00) [13:18:12:109]: PROPERTY CHANGE: Adding RIDS property. Its value is 'C:\Program Files (x86)\ossec-agent\rids\'.
MSI (s) (70:00) [13:18:12:109]: PROPERTY CHANGE: Adding SYSCHECK property. Its value is 'C:\Program Files (x86)\ossec-agent\syscheck\'.
MSI (s) (70:00) [13:18:12:109]: PROPERTY CHANGE: Adding INCOMING property. Its value is 'C:\Program Files (x86)\ossec-agent\incoming\'.
MSI (s) (70:00) [13:18:12:109]: PROPERTY CHANGE: Adding UPGRADE property. Its value is 'C:\Program Files (x86)\ossec-agent\upgrade\'.
MSI (s) (70:00) [13:18:12:109]: PROPERTY CHANGE: Adding WAZUH_MANAGER property. Its value is '172.22.24.50'.
MSI (s) (70:00) [13:18:12:109]: PROPERTY CHANGE: Adding TARGETDIR property. Its value is 'D:\'.
MSI (s) (70:00) [13:18:12:109]: PROPERTY CHANGE: Adding CURRENTDIRECTORY property. Its value is 'C:\Users\Administrator'.
MSI (s) (70:00) [13:18:12:109]: PROPERTY CHANGE: Adding CLIENTUILEVEL property. Its value is '0'.
MSI (s) (70:00) [13:18:12:109]: PROPERTY CHANGE: Adding CLIENTPROCESSID property. Its value is '5580'.
MSI (s) (70:00) [13:18:12:109]: PROPERTY CHANGE: Adding USERNAME property. Its value is 'Windows User'.
MSI (s) (70:00) [13:18:12:109]: PROPERTY CHANGE: Adding SOURCEDIR property. Its value is 'C:\windows\sysmon_wazuh-agent-4.9.0\'.
MSI (s) (70:00) [13:18:12:109]: PROPERTY CHANGE: Adding ACTION property. Its value is 'INSTALL'.
MSI (s) (70:00) [13:18:12:109]: PROPERTY CHANGE: Adding EXECUTEACTION property. Its value is 'INSTALL'.
MSI (s) (70:00) [13:18:12:109]: PROPERTY CHANGE: Adding SECONDSEQUENCE property. Its value is '1'.
MSI (s) (70:00) [13:18:12:109]: PROPERTY CHANGE: Adding ROOTDRIVE property. Its value is 'D:\'.
MSI (s) (70:00) [13:18:12:109]: PROPERTY CHANGE: Adding INSTALLLEVEL property. Its value is '1'.
MSI (s) (70:00) [13:18:12:109]: PROPERTY CHANGE: Adding WIXUI_INSTALLDIR_VALID property. Its value is '1'.
MSI (s) (70:00) [13:18:12:109]: PROPERTY CHANGE: Adding ADDLOCAL property. Its value is 'MainFeature'.
MSI (s) (70:00) [13:18:12:109]: Machine policy value 'DisableAutomaticApplicationShutdown' is 0
MSI (s) (70:00) [13:18:12:109]: RESTART MANAGER: Disabled by MSIRESTARTMANAGERCONTROL property; Windows Installer will use the built-in FilesInUse functionality.
MSI (s) (70:00) [13:18:12:109]: PROPERTY CHANGE: Adding MsiSystemRebootPending property. Its value is '1'.
MSI (s) (70:00) [13:18:12:109]: Engine has iefSecondSequence set to true.
MSI (s) (70:00) [13:18:12:109]: TRANSFORMS property is now:
MSI (s) (70:00) [13:18:12:109]: PROPERTY CHANGE: Deleting SOURCEDIR property. Its current value is 'C:\windows\sysmon_wazuh-agent-4.9.0\'.
MSI (s) (70:00) [13:18:12:109]: PROPERTY CHANGE: Adding VersionDatabase property. Its value is '200'.
MSI (s) (70:00) [13:18:12:109]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming
MSI (s) (70:00) [13:18:12:109]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\Favorites
MSI (s) (70:00) [13:18:12:109]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Network Shortcuts
MSI (s) (70:00) [13:18:12:109]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\Documents
MSI (s) (70:00) [13:18:12:125]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
MSI (s) (70:00) [13:18:12:125]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent
MSI (s) (70:00) [13:18:12:125]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\SendTo
MSI (s) (70:00) [13:18:12:125]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates
MSI (s) (70:00) [13:18:12:125]: SHELL32::SHGetFolderPath returned: C:\ProgramData
MSI (s) (70:00) [13:18:12:125]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Local
MSI (s) (70:00) [13:18:12:125]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\Pictures
MSI (s) (70:00) [13:18:12:125]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools
MSI (s) (70:00) [13:18:12:125]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
MSI (s) (70:00) [13:18:12:125]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs
MSI (s) (70:00) [13:18:12:125]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu
MSI (s) (70:00) [13:18:12:125]: SHELL32::SHGetFolderPath returned: C:\Users\Public\Desktop
MSI (s) (70:00) [13:18:12:141]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
MSI (s) (70:00) [13:18:12:141]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
MSI (s) (70:00) [13:18:12:141]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
MSI (s) (70:00) [13:18:12:141]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu
MSI (s) (70:00) [13:18:12:141]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\Desktop
MSI (s) (70:00) [13:18:12:141]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Templates
MSI (s) (70:00) [13:18:12:141]: SHELL32::SHGetFolderPath returned: C:\Windows\Fonts
MSI (s) (70:00) [13:18:12:141]: Note: 1: 2898 2: MS Sans Serif 3: MS Sans Serif 4: 0 5: 16
MSI (s) (70:00) [13:18:12:157]: MSI_LUA: Setting MsiRunningElevated property to 1 because the install is already running elevated.
MSI (s) (70:00) [13:18:12:157]: PROPERTY CHANGE: Adding MsiRunningElevated property. Its value is '1'.
MSI (s) (70:00) [13:18:12:157]: PROPERTY CHANGE: Adding Privileged property. Its value is '1'.
MSI (s) (70:00) [13:18:12:157]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info 3: 2
MSI (s) (70:00) [13:18:12:157]: PROPERTY CHANGE: Adding DATABASE property. Its value is 'C:\Windows\Installer\d400c47d.msi'.
MSI (s) (70:00) [13:18:12:157]: PROPERTY CHANGE: Adding OriginalDatabase property. Its value is 'C:\windows\sysmon_wazuh-agent-4.9.0\wazuh-agent-4.9.0-1.msi'.
MSI (s) (70:00) [13:18:12:157]: Machine policy value 'MsiDisableEmbeddedUI' is 0
MSI (s) (70:00) [13:18:12:157]: EEUI - Disabling MsiEmbeddedUI for service because it's not a quiet/basic install
MSI (s) (70:00) [13:18:12:157]: Note: 1: 2205 2:  3: PatchPackage
MSI (s) (70:00) [13:18:12:157]: Machine policy value 'DisableRollback' is 0
MSI (s) (70:00) [13:18:12:157]: User policy value 'DisableRollback' is 0
MSI (s) (70:00) [13:18:12:157]: PROPERTY CHANGE: Adding UILevel property. Its value is '5'.
MSI (s) (70:00) [13:18:12:157]: PROPERTY CHANGE: Adding Preselected property. Its value is '1'.
MSI (s) (70:00) [13:18:12:157]: Note: 1: 2205 2:  3: LaunchCondition
MSI (s) (70:00) [13:18:12:157]: Note: 1: 2228 2:  3: LaunchCondition 4: SELECT `Condition` FROM `LaunchCondition`
MSI (s) (70:00) [13:18:12:157]: APPCOMPAT: [DetectVersionLaunchCondition] Failed to initialize pRecErr.
MSI (s) (70:00) [13:18:12:157]: Doing action: INSTALL
MSI (s) (70:00) [13:18:12:157]: Note: 1: 2205 2:  3: ActionText
Action 13:18:12: INSTALL.
Action start 13:18:12: INSTALL.
MSI (s) (70:00) [13:18:12:157]: Running ExecuteSequence
MSI (s) (70:00) [13:18:12:157]: Doing action: FindRelatedProducts
MSI (s) (70:00) [13:18:12:157]: Note: 1: 2205 2:  3: ActionText
Action 13:18:12: FindRelatedProducts. Searching for related applications
Action start 13:18:12: FindRelatedProducts.
MSI (s) (70:00) [13:18:12:157]: Skipping FindRelatedProducts action: already done on client side
Action ended 13:18:12: FindRelatedProducts. Return value 0.
MSI (s) (70:00) [13:18:12:157]: Doing action: CheckSvcRunning
MSI (s) (70:00) [13:18:12:157]: Note: 1: 2205 2:  3: ActionText
Action 13:18:12: CheckSvcRunning.
Action start 13:18:12: CheckSvcRunning.
MSI (s) (70:B0) [13:18:12:173]: Generating random cookie.
MSI (s) (70:B0) [13:18:12:188]: Created Custom Action Server with PID 20424 (0x4FC8).
MSI (s) (70:D4) [13:18:12:219]: Running as a service.
MSI (s) (70:D4) [13:18:12:219]: Hello, I'm your 32bit Impersonated custom action server.
MSI (s) (70:D4) [13:18:17:586]: Running as a service.
MSI (s) (70:D4) [13:18:17:681]: Running as a service.
MSI (s) (70:D4) [13:18:17:761]: Running as a service.
MSI (s) (70:D4) [13:18:17:849]: Running as a service.
MSI (s) (70:D4) [13:18:17:927]: Running as a service.
MSI (s) (70:D4) [13:18:18:083]: Running as a service.
MSI (s) (70:D4) [13:18:18:177]: Running as a service.
MSI (s) (70:D4) [13:18:18:256]: Running as a service.
MSI (s) (70:D4) [13:18:18:349]: Running as a service.
MSI (s) (70:D4) [13:18:18:503]: Running as a service.
MSI (s) (70:D4) [13:18:18:596]: Running as a service.
MSI (s) (70:D4) [13:18:18:692]: Running as a service.
MSI (s) (70:D4) [13:18:18:802]: Running as a service.
MSI (s) (70:D4) [13:18:18:881]: Running as a service.
MSI (s) (70:D4) [13:18:18:959]: Running as a service.
MSI (s) (70:D4) [13:18:19:053]: Running as a service.
MSI (s) (70:D4) [13:18:19:140]: Running as a service.
MSI (s) (70:D4) [13:18:19:219]: Running as a service.
MSI (s) (70:D4) [13:18:19:313]: Running as a service.
MSI (s) (70:D4) [13:18:19:517]: Running as a service.
MSI (s) (70:D4) [13:18:19:709]: Running as a service.
MSI (s) (70:D4) [13:18:19:818]: Running as a service.
MSI (s) (70:D4) [13:18:19:912]: Running as a service.
MSI (s) (70:D4) [13:18:19:990]: Running as a service.
MSI (s) (70:D4) [13:18:20:099]: Running as a service.
MSI (s) (70:D4) [13:18:20:194]: Running as a service.
MSI (s) (70:D4) [13:18:20:287]: Running as a service.
MSI (s) (70:D4) [13:18:20:365]: Running as a service.
MSI (s) (70:D4) [13:18:20:459]: Running as a service.
MSI (s) (70:D4) [13:18:20:663]: Running as a service.
MSI (s) (70:D4) [13:18:20:800]: Running as a service.
MSI (s) (70:D4) [13:18:20:894]: Running as a serviceAction 13:18:52: CancelDlg. Dialog created


Test 3: Tested install with 4.12.0
- Tried the same with 4.12.0 and see the same issue. The UI install has the same issue.

Test 4: Tested 4.9.0 / 4.12.0 using GUI
- Double-clicked the installer. It goes through the options to click Next and reaches the section with the progress bar, but it gets stuck and does not show the bar moving.


Test 5: Install 7zip.msi as a test to verify whether the issue is with Wazuh or with Windows MSI installs
 
- Downloaded the 7zip.msi as a test.
https://www.7-zip.org/a/7z2500-x64.msi

msiexec /i "C:\SOC_INSTALL_SCRIPT\7z2500-x64.msi" /qn /L*V "C:\Temp\7zip-install.log"


 - The 7zip.msi installer works.


Any feedback on the issue would be appreciated.

Farouk Musa

Jul 14, 2025, 8:18:32 AM7/14/25
to Wazuh | Mailing List
Hi Ak, from the shared output, no error immediately catches my attention. Let me simulate this and come back to you.

ak

Jul 14, 2025, 10:54:33 AM7/14/25
to Wazuh | Mailing List
Hi,

Below is additional information (please ignore if not related):

This is the list of installed applications on the device.

```
DisplayName,DisplayVersion,Publisher,InstallDate
FileZilla Pro 3.66.2,3.66.2,Tim Kosse,
Google Chrome,138.0.7204.101,Google LLC,20250712
Microsoft Help Viewer 2.3,2.3.28307,Microsoft Corporation,
Visual Studio 2017 Isolated Shell for SSMS,15.0.28308.421,Microsoft Corporation,20231025
SQL Server Management Studio,19.1.56.0,Microsoft Corp.,20231025
SQL Server Management Studio Language Pack - English,19.1.56.0,Microsoft Corp.,20231025
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532,14.36.32532.0,Microsoft Corporation,
MySQL Installer - Community,1.6.7.0,Oracle Corporation,20230815
GTB Technologies Endpoint Protector,15.18.3.34715,GTB Technologies,20240205
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532,14.36.32532,Microsoft Corporation,20231031
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.40664,12.0.40664,Microsoft Corporation,20231017
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532,14.36.32532.0,Microsoft Corporation,
Microsoft Analysis Services OLE DB Provider,16.0.5143.0,Microsoft Corporation,20231025
SSMS Post Install Tasks,19.1.56.0,Microsoft Corporation,20231025
Microsoft SQL Server Management Studio - 19.1,19.1.56.0,Microsoft Corporation,
Microsoft Help Viewer 2.3,2.3.28307,Microsoft Corporation,20231025
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.40664,12.0.40664.0,Microsoft Corporation,
Integration Services,16.0.5107.6,Microsoft Corporation,20231025
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532,14.36.32532,Microsoft Corporation,20231031
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.40664,12.0.40664,Microsoft Corporation,20231017
Microsoft Visual Studio Tools for Applications 2019 x86 Hosting Support,16.0.31110,Microsoft Corporation,20231025
Microsoft Visual Studio Tools for Applications 2019,16.0.31110,Microsoft Corporation,
Browser for SQL Server 2022,16.0.1000.6,Microsoft Corporation,20231220

```

Farouk Musa

Jul 14, 2025, 9:50:06 PM7/14/25
to Wazuh | Mailing List
Hi Ak, I have conducted multiple tests trying to replicate your environment as much as possible, but I am not able to replicate your issue, as the agent installs using the same commands you have used.

I notice two things in the logs you shared that I think might be affecting your installation:
1. There is MsiSystemRebootPending=1 appearing several times. This suggests that a system reboot is required.
2. I can also see DisableMsi=1, which suggests that there is a GPO that disables MSI installation. But there is also "Product installation will be elevated because user is admin and product is being installed per-machine", which suggests you are running it as admin.

I'll suggest that you clean up any partial installation files (check C:\Program Files (x86)\ossec-agent), then reboot the endpoint, then try to install again, and let's see how that goes.
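
The log review described in the reply above can be scripted. The following is an added example, not part of the original thread or of Wazuh's tooling: it decodes an `msiexec /l*v` log, collects the policy values and property changes, and reports which actions were started but never ended, which is where a hung install stopped. The function names and the embedded sample (a short excerpt constructed from line shapes in this thread) are assumptions for illustration.

```python
import re

# Line shapes as they appear in the msiexec verbose logs quoted in this thread.
STAMP_RE = re.compile(r"^MSI \([cs]\) \([^)]*\) \[(\d{2}:\d{2}:\d{2}:\d{3})\]")
POLICY_RE = re.compile(r"(Machine|User) policy value '([^']+)' is (.+?)\s*$")
PROP_ADD_RE = re.compile(r"PROPERTY CHANGE: Adding (\S+) property\. Its value is '(.*)'\.")
PROP_MOD_RE = re.compile(r"PROPERTY CHANGE: Modifying (\S+) property\. .*Its new value: '(.*)'\.")
ACTION_START_RE = re.compile(r"^Action start \d{1,2}:\d{2}:\d{2}: (.+?)\.\s*$")
ACTION_END_RE = re.compile(r"^Action ended \d{1,2}:\d{2}:\d{2}: (.+?)\. Return value (\d+)\.\s*$")


def decode_msi_log(raw: bytes) -> str:
    """msiexec writes UTF-16 with a BOM; pasted copies often arrive as UTF-8
    with the BOM turned into replacement characters at the start of the file."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace").lstrip("\ufeff\ufffd")


def triage_msi_log(text: str) -> dict:
    """Summarise policies, properties, action return values and unfinished actions."""
    policies, properties, returns = {}, {}, {}
    open_actions = []          # actions with "Action start" but no "Action ended" yet
    last_stamp = None          # timestamp of the last engine line written
    for line in text.splitlines():
        m = STAMP_RE.match(line)
        if m:
            last_stamp = m.group(1)
        m = POLICY_RE.search(line)
        if m:
            policies[f"{m.group(1)}/{m.group(2)}"] = m.group(3).strip("'")
            continue
        m = PROP_ADD_RE.search(line) or PROP_MOD_RE.search(line)
        if m:
            properties[m.group(1)] = m.group(2)   # last value wins
            continue
        m = ACTION_START_RE.match(line)
        if m:
            open_actions.append(m.group(1))
            continue
        m = ACTION_END_RE.match(line)
        if m:
            name = m.group(1)
            returns[name] = int(m.group(2))
            # Close the most recent matching start; actions nest (INSTALL > ExecuteAction).
            for i in range(len(open_actions) - 1, -1, -1):
                if open_actions[i] == name:
                    del open_actions[i]
                    break
    return {
        "policies": policies,
        "properties": properties,
        "returns": returns,
        "open_actions": open_actions,
        "last_stamp": last_stamp,
    }


# Constructed sample: a few lines in the format of the log posted in this thread,
# encoded the way msiexec writes them (UTF-16 with BOM).
SAMPLE_LOG = "\r\n".join([
    "=== Verbose logging started: 7/20/2025  12:32:45 ===",
    "MSI (c) (1C:E4) [12:32:45:875]: Machine policy value 'DisableMsi' is 1",
    "MSI (c) (1C:E4) [12:32:45:875]: Machine policy value 'AlwaysInstallElevated' is 0",
    "MSI (c) (1C:E4) [12:32:45:874]: User policy value 'SearchOrder' is 'nmu'",
    "MSI (c) (1C:E4) [12:32:45:875]: PROPERTY CHANGE: Adding MsiSystemRebootPending property. Its value is '1'.",
    "Action start 12:32:45: INSTALL.",
    "Action start 12:32:45: FindRelatedProducts.",
    "Action ended 12:32:45: FindRelatedProducts. Return value 1.",
    "MSI (c) (1C:78) [12:32:46:018]: PROPERTY CHANGE: Modifying CostingComplete property. Its current value is '0'. Its new value: '1'.",
    "Action start 12:32:50: ExecuteAction.",
    "MSI (s) (8C:98) [12:32:50:257]: End dialog not enabled",
]).encode("utf-16")


if __name__ == "__main__":
    summary = triage_msi_log(decode_msi_log(SAMPLE_LOG))
    for key in ("Machine/DisableMsi", "Machine/AlwaysInstallElevated"):
        print(f"policy {key} = {summary['policies'].get(key)}")
    print("MsiSystemRebootPending =", summary["properties"].get("MsiSystemRebootPending"))
    print("unfinished actions:", " > ".join(summary["open_actions"]))
    print("last engine line at:", summary["last_stamp"])
```

To run it on a real log, read the file in binary mode and pass the bytes to `decode_msi_log`; the innermost entry of `open_actions` together with `last_stamp` shows where and when the log stopped advancing.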


ak

Jul 15, 2025, 6:14:21 PM7/15/25
to Wazuh | Mailing List
Hi Farouk,

Thanks for the update.

The folder C:\Program Files (x86)\ossec-agent is not created. 

Query:
Any idea why only wazuh.msi installer has the issue? I tried 7zip.msi installer on the same system and it worked.


Meanwhile, I will reboot the machine and re-try the install and update the results.

Farouk Musa

Jul 16, 2025, 5:23:08 AM7/16/25
to Wazuh | Mailing List
Judging from the generated logs, only the two items I shared seem to be the issue. When you reboot and try again, please share the updated logs if it does not work properly.

ak

Jul 17, 2025, 3:59:11 AM7/17/25
to Wazuh | Mailing List
Hi Farouk,

Sure. I will reboot and update the results.

ak

Jul 22, 2025, 11:21:30 AM7/22/25
to Wazuh | Mailing List
Hi Farouk,


The system was rebooted and re-tested. The installer is getting stuck. Below is latest log for reference:


=== Verbose logging started: 7/20/2025  12:32:45  Build type: SHIP UNICODE 5.00.10011.00  Calling process: C:\Windows\system32\msiexec.exe ===
MSI (c) (1C:9C) [12:32:45:310]: Font created.  Charset: Req=0, Ret=0, Font: Req=MS Shell Dlg, Ret=MS Shell Dlg

MSI (c) (1C:9C) [12:32:45:310]: Font created.  Charset: Req=0, Ret=0, Font: Req=MS Shell Dlg, Ret=MS Shell Dlg

MSI (c) (1C:E4) [12:32:45:323]: Resetting cached policy values
MSI (c) (1C:E4) [12:32:45:323]: Machine policy value 'Debug' is 0
MSI (c) (1C:E4) [12:32:45:323]: ******* RunEngine:

           ******* Product: C:\windows\sysmon_wazuh-agent-4.9.0\wazuh-agent-4.9.0-1.msi
           ******* Action:
           ******* CommandLine: **********
MSI (c) (1C:E4) [12:32:45:332]: Machine policy value 'DisableUserInstalls' is 0
MSI (c) (1C:E4) [12:32:45:339]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer 3: 2
MSI (c) (1C:E4) [12:32:45:339]: SOFTWARE RESTRICTION POLICY: Verifying package --> 'C:\windows\sysmon_wazuh-agent-4.9.0\wazuh-agent-4.9.0-1.msi' against software restriction policy
MSI (c) (1C:E4) [12:32:45:341]: SOFTWARE RESTRICTION POLICY: C:\windows\sysmon_wazuh-agent-4.9.0\wazuh-agent-4.9.0-1.msi has a digital signature
MSI (c) (1C:E4) [12:32:45:720]: SOFTWARE RESTRICTION POLICY: C:\windows\sysmon_wazuh-agent-4.9.0\wazuh-agent-4.9.0-1.msi is permitted to run at the 'unrestricted' authorization level.
MSI (c) (1C:E4) [12:32:45:846]: Cloaking enabled.
MSI (c) (1C:E4) [12:32:45:846]: Attempting to enable all disabled privileges before calling Install on Server
MSI (c) (1C:E4) [12:32:45:849]: End dialog not enabled
MSI (c) (1C:E4) [12:32:45:849]: Original package ==> C:\windows\sysmon_wazuh-agent-4.9.0\wazuh-agent-4.9.0-1.msi
MSI (c) (1C:E4) [12:32:45:849]: Package we're running from ==> C:\windows\sysmon_wazuh-agent-4.9.0\wazuh-agent-4.9.0-1.msi
MSI (c) (1C:E4) [12:32:45:851]: APPCOMPAT: Compatibility mode property overrides found.
MSI (c) (1C:E4) [12:32:45:851]: APPCOMPAT: looking for appcompat database entry with ProductCode '{AA553771-6A70-4C6F-A5C2-D417D03DD8A5}'.
MSI (c) (1C:E4) [12:32:45:851]: APPCOMPAT: no matching ProductCode found in database.
MSI (c) (1C:E4) [12:32:45:866]: MSCOREE not loaded loading copy from system32
MSI (c) (1C:E4) [12:32:45:873]: Machine policy value 'TransformsSecure' is 1
MSI (c) (1C:E4) [12:32:45:873]: Machine policy value 'DisablePatch' is 0
MSI (c) (1C:E4) [12:32:45:873]: Machine policy value 'AllowLockdownPatch' is 0
MSI (c) (1C:E4) [12:32:45:873]: Machine policy value 'DisableLUAPatching' is 0
MSI (c) (1C:E4) [12:32:45:873]: Machine policy value 'DisableFlyWeightPatching' is 0
MSI (c) (1C:E4) [12:32:45:874]: APPCOMPAT: looking for appcompat database entry with ProductCode '{AA553771-6A70-4C6F-A5C2-D417D03DD8A5}'.
MSI (c) (1C:E4) [12:32:45:874]: APPCOMPAT: no matching ProductCode found in database.
MSI (c) (1C:E4) [12:32:45:874]: Transforms are not secure.
MSI (c) (1C:E4) [12:32:45:874]: PROPERTY CHANGE: Adding MsiLogFileLocation property. Its value is 'C:\wazuh-install-debug-logging-no-quiet-after-reboot.log'.
MSI (c) (1C:E4) [12:32:45:874]: Command Line: WAZUH_MANAGER=172.22.24.50 CURRENTDIRECTORY=C:\Users\Administrator CLIENTUILEVEL=0 CLIENTPROCESSID=23580
MSI (c) (1C:E4) [12:32:45:874]: PROPERTY CHANGE: Adding PackageCode property. Its value is '{1EBD6D53-25A4-402C-9730-5A0C9C2C0939}'.
MSI (c) (1C:E4) [12:32:45:874]: Product Code passed to Engine.Initialize:           ''
MSI (c) (1C:E4) [12:32:45:874]: Product Code from property table before transforms: '{AA553771-6A70-4C6F-A5C2-D417D03DD8A5}'
MSI (c) (1C:E4) [12:32:45:874]: Product Code from property table after transforms:  '{AA553771-6A70-4C6F-A5C2-D417D03DD8A5}'
MSI (c) (1C:E4) [12:32:45:874]: Product not registered: beginning first-time install
MSI (c) (1C:E4) [12:32:45:874]: PROPERTY CHANGE: Adding ProductState property. Its value is '-1'.
MSI (c) (1C:E4) [12:32:45:874]: Entering CMsiConfigurationManager::SetLastUsedSource.
MSI (c) (1C:E4) [12:32:45:874]: User policy value 'SearchOrder' is 'nmu'
MSI (c) (1C:E4) [12:32:45:874]: Adding new sources is allowed.
MSI (c) (1C:E4) [12:32:45:874]: PROPERTY CHANGE: Adding PackagecodeChanging property. Its value is '1'.
MSI (c) (1C:E4) [12:32:45:874]: Package name extracted from package path: 'wazuh-agent-4.9.0-1.msi'
MSI (c) (1C:E4) [12:32:45:874]: Package to be registered: 'wazuh-agent-4.9.0-1.msi'
MSI (c) (1C:E4) [12:32:45:875]: Note: 1: 2262 2: AdminProperties 3: -2147287038
MSI (c) (1C:E4) [12:32:45:875]: Machine policy value 'DisableMsi' is 1
MSI (c) (1C:E4) [12:32:45:875]: Machine policy value 'AlwaysInstallElevated' is 0
MSI (c) (1C:E4) [12:32:45:875]: User policy value 'AlwaysInstallElevated' is 0
MSI (c) (1C:E4) [12:32:45:875]: Product installation will be elevated because user is admin and product is being installed per-machine.
MSI (c) (1C:E4) [12:32:45:875]: Running product '{AA553771-6A70-4C6F-A5C2-D417D03DD8A5}' with elevated privileges: Product is assigned.
MSI (c) (1C:E4) [12:32:45:875]: PROPERTY CHANGE: Adding WAZUH_MANAGER property. Its value is '172.22.24.50'.
MSI (c) (1C:E4) [12:32:45:875]: PROPERTY CHANGE: Adding CURRENTDIRECTORY property. Its value is 'C:\Users\Administrator'.
MSI (c) (1C:E4) [12:32:45:875]: PROPERTY CHANGE: Adding CLIENTUILEVEL property. Its value is '0'.
MSI (c) (1C:E4) [12:32:45:875]: PROPERTY CHANGE: Adding CLIENTPROCESSID property. Its value is '23580'.
MSI (c) (1C:E4) [12:32:45:875]: PROPERTY CHANGE: Adding MsiSystemRebootPending property. Its value is '1'.
MSI (c) (1C:E4) [12:32:45:875]: TRANSFORMS property is now:
MSI (c) (1C:E4) [12:32:45:875]: PROPERTY CHANGE: Adding VersionDatabase property. Its value is '200'.
MSI (c) (1C:E4) [12:32:45:876]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming
MSI (c) (1C:E4) [12:32:45:876]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\Favorites
MSI (c) (1C:E4) [12:32:45:877]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Network Shortcuts
MSI (c) (1C:E4) [12:32:45:877]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\Documents
MSI (c) (1C:E4) [12:32:45:877]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
MSI (c) (1C:E4) [12:32:45:878]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent
MSI (c) (1C:E4) [12:32:45:878]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\SendTo
MSI (c) (1C:E4) [12:32:45:879]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates
MSI (c) (1C:E4) [12:32:45:879]: SHELL32::SHGetFolderPath returned: C:\ProgramData
MSI (c) (1C:E4) [12:32:45:879]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Local
MSI (c) (1C:E4) [12:32:45:879]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\Pictures
MSI (c) (1C:E4) [12:32:45:880]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools
MSI (c) (1C:E4) [12:32:45:881]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
MSI (c) (1C:E4) [12:32:45:881]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs
MSI (c) (1C:E4) [12:32:45:881]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu
MSI (c) (1C:E4) [12:32:45:881]: SHELL32::SHGetFolderPath returned: C:\Users\Public\Desktop
MSI (c) (1C:E4) [12:32:45:882]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
MSI (c) (1C:E4) [12:32:45:882]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
MSI (c) (1C:E4) [12:32:45:883]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
MSI (c) (1C:E4) [12:32:45:883]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu
MSI (c) (1C:E4) [12:32:45:883]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\Desktop
MSI (c) (1C:E4) [12:32:45:884]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Templates
MSI (c) (1C:E4) [12:32:45:885]: SHELL32::SHGetFolderPath returned: C:\Windows\Fonts
MSI (c) (1C:E4) [12:32:45:886]: Note: 1: 2898 2: MS Sans Serif 3: MS Sans Serif 4: 0 5: 20
MSI (c) (1C:E4) [12:32:45:901]: MSI_LUA: Setting AdminUser property to 1 because this is the client or the user has already permitted elevation
MSI (c) (1C:E4) [12:32:45:901]: MSI_LUA: Setting MsiRunningElevated property to 1 because the install is already running elevated.
MSI (c) (1C:E4) [12:32:45:901]: PROPERTY CHANGE: Adding MsiRunningElevated property. Its value is '1'.
MSI (c) (1C:E4) [12:32:45:901]: PROPERTY CHANGE: Adding Privileged property. Its value is '1'.
MSI (c) (1C:E4) [12:32:45:901]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info 3: 2
MSI (c) (1C:E4) [12:32:45:901]: PROPERTY CHANGE: Adding USERNAME property. Its value is 'Windows User'.
MSI (c) (1C:E4) [12:32:45:901]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info 3: 2
MSI (c) (1C:E4) [12:32:45:901]: PROPERTY CHANGE: Adding DATABASE property. Its value is 'C:\windows\sysmon_wazuh-agent-4.9.0\wazuh-agent-4.9.0-1.msi'.
MSI (c) (1C:E4) [12:32:45:901]: PROPERTY CHANGE: Adding OriginalDatabase property. Its value is 'C:\windows\sysmon_wazuh-agent-4.9.0\wazuh-agent-4.9.0-1.msi'.
MSI (c) (1C:E4) [12:32:45:901]: Machine policy value 'MsiDisableEmbeddedUI' is 0
MSI (c) (1C:E4) [12:32:45:901]: PROPERTY CHANGE: Adding SourceDir property. Its value is 'C:\windows\sysmon_wazuh-agent-4.9.0\'.
MSI (c) (1C:E4) [12:32:45:901]: PROPERTY CHANGE: Adding SOURCEDIR property. Its value is 'C:\windows\sysmon_wazuh-agent-4.9.0\'.
MSI (c) (1C:9C) [12:32:45:912]: PROPERTY CHANGE: Adding VersionHandler property. Its value is '5.00'.
=== Logging started: 7/20/2025  12:32:45 ===
MSI (c) (1C:E4) [12:32:45:919]: Note: 1: 2205 2:  3: PatchPackage
MSI (c) (1C:E4) [12:32:45:919]: Machine policy value 'DisableRollback' is 0
MSI (c) (1C:E4) [12:32:45:919]: User policy value 'DisableRollback' is 0
MSI (c) (1C:E4) [12:32:45:919]: PROPERTY CHANGE: Adding UILevel property. Its value is '5'.
MSI (c) (1C:E4) [12:32:45:921]: Note: 1: 2203 2: C:\Windows\Installer\inprogressinstallinfo.ipi 3: -2147287038
MSI (c) (1C:E4) [12:32:45:921]: Note: 1: 2205 2:  3: LaunchCondition
MSI (c) (1C:E4) [12:32:45:921]: Note: 1: 2228 2:  3: LaunchCondition 4: SELECT `Condition` FROM `LaunchCondition`
MSI (c) (1C:E4) [12:32:45:921]: APPCOMPAT: [DetectVersionLaunchCondition] Failed to initialize pRecErr.
MSI (c) (1C:E4) [12:32:45:924]: PROPERTY CHANGE: Adding ACTION property. Its value is 'INSTALL'.
MSI (c) (1C:E4) [12:32:45:924]: Doing action: INSTALL
MSI (c) (1C:E4) [12:32:45:924]: Note: 1: 2205 2:  3: ActionText
Action 12:32:45: INSTALL.
Action start 12:32:45: INSTALL.
MSI (c) (1C:E4) [12:32:45:924]: UI Sequence table 'InstallUISequence' is present and populated.
MSI (c) (1C:E4) [12:32:45:924]: Running UISequence
MSI (c) (1C:E4) [12:32:45:924]: PROPERTY CHANGE: Adding EXECUTEACTION property. Its value is 'INSTALL'.
MSI (c) (1C:E4) [12:32:45:924]: Doing action: FindRelatedProducts
MSI (c) (1C:E4) [12:32:45:924]: Note: 1: 2205 2:  3: ActionText
Action 12:32:45: FindRelatedProducts. Searching for related applications
Action start 12:32:45: FindRelatedProducts.
Action ended 12:32:45: FindRelatedProducts. Return value 1.
MSI (c) (1C:E4) [12:32:45:926]: Doing action: PrepareDlg
MSI (c) (1C:E4) [12:32:45:926]: Note: 1: 2205 2:  3: ActionText
Action 12:32:45: PrepareDlg.
Action start 12:32:45: PrepareDlg.

Info 2898.For WixUI_Font_Normal textstyle, the system created a 'Tahoma' font, in 0 character set, of 16 pixels height.
Info 2898.For WixUI_Font_Bigger textstyle, the system created a 'Tahoma' font, in 0 character set, of 24 pixels height.
Action 12:32:45: PrepareDlg. Dialog created
Action ended 12:32:45: PrepareDlg. Return value 1.
MSI (c) (1C:E4) [12:32:45:962]: Doing action: AppSearch
MSI (c) (1C:E4) [12:32:45:962]: Note: 1: 2205 2:  3: ActionText
Action 12:32:45: AppSearch. Searching for installed applications
Action start 12:32:45: AppSearch.

AppSearch: Property: MAJORVERSION, Signature: CurrentMajorVersion
MSI (c) (1C:E4) [12:32:45:964]: Note: 1: 2262 2: Signature 3: -2147287038
MSI (c) (1C:E4) [12:32:45:965]: PROPERTY CHANGE: Modifying MAJORVERSION property. Its current value is '0'. Its new value: '#10'.

AppSearch: Property: BUILDVERSION, Signature: BuildVersion
MSI (c) (1C:E4) [12:32:45:966]: Note: 1: 2262 2: Signature 3: -2147287038
MSI (c) (1C:E4) [12:32:45:966]: PROPERTY CHANGE: Modifying BUILDVERSION property. Its current value is '0'. Its new value: '17763'.

AppSearch: Property: APPLICATIONFOLDER, Signature: WazuhInstallDirProperty
MSI (c) (1C:E4) [12:32:45:967]: Note: 1: 2262 2: Signature 3: -2147287038
MSI (c) (1C:E4) [12:32:45:967]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE32\Software\Wazuh, Inc.\Wazuh Agent 3: 2
AppSearch: Property: OSSECINSTALLED, Signature: OssecInstalled
MSI (c) (1C:E4) [12:32:45:967]: Note: 1: 2262 2: Signature 3: -2147287038
MSI (c) (1C:E4) [12:32:45:967]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE32\System\CurrentControlSet\Services\OssecSvc 3: 2
AppSearch: Property: WAZUHINSTALLED, Signature: WazuhInstalled
MSI (c) (1C:E4) [12:32:45:968]: Note: 1: 2262 2: Signature 3: -2147287038
MSI (c) (1C:E4) [12:32:45:968]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE32\System\CurrentControlSet\Services\WazuhSvc 3: 2
Action ended 12:32:45: AppSearch. Return value 1.
MSI (c) (1C:E4) [12:32:45:968]: Doing action: ValidateProductID
MSI (c) (1C:E4) [12:32:45:968]: Note: 1: 2205 2:  3: ActionText
Action 12:32:45: ValidateProductID.
Action start 12:32:45: ValidateProductID.
Action ended 12:32:45: ValidateProductID. Return value 1.
MSI (c) (1C:E4) [12:32:45:968]: Doing action: CostInitialize
MSI (c) (1C:E4) [12:32:45:968]: Note: 1: 2205 2:  3: ActionText
Action 12:32:45: CostInitialize. Computing space requirements
Action start 12:32:45: CostInitialize.
MSI (c) (1C:E4) [12:32:45:970]: Machine policy value 'MaxPatchCacheSize' is 10
MSI (c) (1C:E4) [12:32:45:971]: PROPERTY CHANGE: Adding ROOTDRIVE property. Its value is 'D:\'.
MSI (c) (1C:E4) [12:32:45:971]: PROPERTY CHANGE: Adding CostingComplete property. Its value is '0'.
Action ended 12:32:45: CostInitialize. Return value 1.
MSI (c) (1C:E4) [12:32:45:971]: Doing action: FileCost
MSI (c) (1C:E4) [12:32:45:971]: Note: 1: 2205 2:  3: ActionText
Action 12:32:45: FileCost. Computing space requirements
Action start 12:32:45: FileCost.
MSI (c) (1C:E4) [12:32:45:973]: Note: 1: 2205 2:  3: MsiAssembly
MSI (c) (1C:E4) [12:32:45:973]: Note: 1: 2205 2:  3: Class
MSI (c) (1C:E4) [12:32:45:973]: Note: 1: 2205 2:  3: Extension
MSI (c) (1C:E4) [12:32:45:973]: Note: 1: 2205 2:  3: TypeLib
Action ended 12:32:45: FileCost. Return value 1.
MSI (c) (1C:E4) [12:32:45:973]: Doing action: WixSetDefaultPerUserFolder
MSI (c) (1C:E4) [12:32:45:973]: Note: 1: 2205 2:  3: ActionText
Action 12:32:45: WixSetDefaultPerUserFolder.
Action start 12:32:45: WixSetDefaultPerUserFolder.
MSI (c) (1C:E4) [12:32:45:973]: PROPERTY CHANGE: Adding WixPerUserFolder property. Its value is 'C:\Users\Administrator\AppData\Local\Apps\ossec-agent'.
Action ended 12:32:45: WixSetDefaultPerUserFolder. Return value 1.
MSI (c) (1C:E4) [12:32:45:973]: Doing action: WixSetDefaultPerMachineFolder
MSI (c) (1C:E4) [12:32:45:973]: Note: 1: 2205 2:  3: ActionText
Action 12:32:45: WixSetDefaultPerMachineFolder.
Action start 12:32:45: WixSetDefaultPerMachineFolder.
MSI (c) (1C:E4) [12:32:45:974]: PROPERTY CHANGE: Adding WixPerMachineFolder property. Its value is 'C:\Program Files (x86)\ossec-agent'.
Action ended 12:32:45: WixSetDefaultPerMachineFolder. Return value 1.
MSI (c) (1C:E4) [12:32:45:974]: Skipping action: WixSetPerUserFolder (condition is false)
MSI (c) (1C:E4) [12:32:45:974]: Doing action: WixSetPerMachineFolder
MSI (c) (1C:E4) [12:32:45:974]: Note: 1: 2205 2:  3: ActionText
Action 12:32:45: WixSetPerMachineFolder.
Action start 12:32:45: WixSetPerMachineFolder.
MSI (c) (1C:E4) [12:32:45:974]: PROPERTY CHANGE: Adding APPLICATIONFOLDER property. Its value is 'C:\Program Files (x86)\ossec-agent'.
Action ended 12:32:45: WixSetPerMachineFolder. Return value 1.
MSI (c) (1C:E4) [12:32:45:974]: Doing action: CostFinalize
MSI (c) (1C:E4) [12:32:45:974]: Note: 1: 2205 2:  3: ActionText
Action 12:32:45: CostFinalize. Computing space requirements
Action start 12:32:45: CostFinalize.
MSI (c) (1C:E4) [12:32:45:975]: PROPERTY CHANGE: Adding OutOfDiskSpace property. Its value is '0'.
MSI (c) (1C:E4) [12:32:45:975]: PROPERTY CHANGE: Adding OutOfNoRbDiskSpace property. Its value is '0'.
MSI (c) (1C:E4) [12:32:45:975]: PROPERTY CHANGE: Adding PrimaryVolumeSpaceAvailable property. Its value is '0'.
MSI (c) (1C:E4) [12:32:45:975]: PROPERTY CHANGE: Adding PrimaryVolumeSpaceRequired property. Its value is '0'.
MSI (c) (1C:E4) [12:32:45:975]: PROPERTY CHANGE: Adding PrimaryVolumeSpaceRemaining property. Its value is '0'.
MSI (c) (1C:E4) [12:32:45:976]: Note: 1: 2205 2:  3: Patch
MSI (c) (1C:E4) [12:32:45:976]: Note: 1: 2205 2:  3: Condition
MSI (c) (1C:E4) [12:32:45:976]: PROPERTY CHANGE: Adding TARGETDIR property. Its value is 'D:\'.
MSI (c) (1C:E4) [12:32:45:976]: PROPERTY CHANGE: Adding ProgramMenuDir property. Its value is 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OSSEC\'.
MSI (c) (1C:E4) [12:32:45:976]: PROPERTY CHANGE: Modifying APPLICATIONFOLDER property. Its current value is 'C:\Program Files (x86)\ossec-agent'. Its new value: 'C:\Program Files (x86)\ossec-agent\'.
MSI (c) (1C:E4) [12:32:45:976]: PROPERTY CHANGE: Adding UPGRADE property. Its value is 'C:\Program Files (x86)\ossec-agent\upgrade\'.
MSI (c) (1C:E4) [12:32:45:976]: PROPERTY CHANGE: Adding INCOMING property. Its value is 'C:\Program Files (x86)\ossec-agent\incoming\'.
MSI (c) (1C:E4) [12:32:45:976]: PROPERTY CHANGE: Adding SYSCHECK property. Its value is 'C:\Program Files (x86)\ossec-agent\syscheck\'.
MSI (c) (1C:E4) [12:32:45:976]: PROPERTY CHANGE: Adding RIDS property. Its value is 'C:\Program Files (x86)\ossec-agent\rids\'.
MSI (c) (1C:E4) [12:32:45:976]: PROPERTY CHANGE: Adding WODLES property. Its value is 'C:\Program Files (x86)\ossec-agent\wodles\'.
MSI (c) (1C:E4) [12:32:45:976]: PROPERTY CHANGE: Adding LOGS property. Its value is 'C:\Program Files (x86)\ossec-agent\logs\'.
MSI (c) (1C:E4) [12:32:45:976]: PROPERTY CHANGE: Adding BOOKMARKS property. Its value is 'C:\Program Files (x86)\ossec-agent\bookmarks\'.
MSI (c) (1C:E4) [12:32:45:976]: PROPERTY CHANGE: Adding TMP property. Its value is 'C:\Program Files (x86)\ossec-agent\tmp\'.
MSI (c) (1C:E4) [12:32:45:976]: PROPERTY CHANGE: Adding QUEUE property. Its value is 'C:\Program Files (x86)\ossec-agent\queue\'.
MSI (c) (1C:E4) [12:32:45:976]: PROPERTY CHANGE: Adding LOGCOLLECTOR property. Its value is 'C:\Program Files (x86)\ossec-agent\queue\logcollector\'.
MSI (c) (1C:E4) [12:32:45:976]: PROPERTY CHANGE: Adding FIM property. Its value is 'C:\Program Files (x86)\ossec-agent\queue\fim\'.
MSI (c) (1C:E4) [12:32:45:976]: PROPERTY CHANGE: Adding FIM_DB property. Its value is 'C:\Program Files (x86)\ossec-agent\queue\fim\db\'.
MSI (c) (1C:E4) [12:32:45:976]: PROPERTY CHANGE: Adding DIFF property. Its value is 'C:\Program Files (x86)\ossec-agent\queue\diff\'.
MSI (c) (1C:E4) [12:32:45:976]: PROPERTY CHANGE: Adding SYSCOLLECTOR property. Its value is 'C:\Program Files (x86)\ossec-agent\queue\syscollector\'.
MSI (c) (1C:E4) [12:32:45:976]: PROPERTY CHANGE: Adding SYSCOLLECTOR_DB property. Its value is 'C:\Program Files (x86)\ossec-agent\queue\syscollector\db\'.
MSI (c) (1C:E4) [12:32:45:976]: PROPERTY CHANGE: Adding RULESET property. Its value is 'C:\Program Files (x86)\ossec-agent\ruleset\'.
MSI (c) (1C:E4) [12:32:45:976]: PROPERTY CHANGE: Adding SECURITY_CONFIGURATION_ASSESSMENT property. Its value is 'C:\Program Files (x86)\ossec-agent\ruleset\sca\'.
MSI (c) (1C:E4) [12:32:45:976]: PROPERTY CHANGE: Adding SHARED property. Its value is 'C:\Program Files (x86)\ossec-agent\shared\'.
MSI (c) (1C:E4) [12:32:45:976]: PROPERTY CHANGE: Adding ACTIVE_RESPONSE property. Its value is 'C:\Program Files (x86)\ossec-agent\active-response\'.
MSI (c) (1C:E4) [12:32:45:976]: PROPERTY CHANGE: Adding BIN property. Its value is 'C:\Program Files (x86)\ossec-agent\active-response\bin\'.
MSI (c) (1C:E4) [12:32:45:976]: Target path resolution complete. Dumping Directory table...
MSI (c) (1C:E4) [12:32:45:976]: Note: target paths subject to change (via custom actions or browsing)
MSI (c) (1C:E4) [12:32:45:976]: Dir (target): Key: TARGETDIR , Object: D:\
MSI (c) (1C:E4) [12:32:45:976]: Dir (target): Key: WindowsFolder , Object: C:\Windows\
MSI (c) (1C:E4) [12:32:45:976]: Dir (target): Key: ProgramMenuFolder , Object: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\
MSI (c) (1C:E4) [12:32:45:976]: Dir (target): Key: ProgramMenuDir , Object: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OSSEC\
MSI (c) (1C:E4) [12:32:45:976]: Dir (target): Key: ProgramFilesFolder , Object: C:\Program Files (x86)\
MSI (c) (1C:E4) [12:32:45:976]: Dir (target): Key: APPLICATIONFOLDER , Object: C:\Program Files (x86)\ossec-agent\
MSI (c) (1C:E4) [12:32:45:976]: Dir (target): Key: UPGRADE , Object: C:\Program Files (x86)\ossec-agent\upgrade\
MSI (c) (1C:E4) [12:32:45:976]: Dir (target): Key: INCOMING , Object: C:\Program Files (x86)\ossec-agent\incoming\
MSI (c) (1C:E4) [12:32:45:976]: Dir (target): Key: SYSCHECK , Object: C:\Program Files (x86)\ossec-agent\syscheck\
MSI (c) (1C:E4) [12:32:45:976]: Dir (target): Key: RIDS , Object: C:\Program Files (x86)\ossec-agent\rids\
MSI (c) (1C:E4) [12:32:45:976]: Dir (target): Key: WODLES , Object: C:\Program Files (x86)\ossec-agent\wodles\
MSI (c) (1C:E4) [12:32:45:976]: Dir (target): Key: LOGS , Object: C:\Program Files (x86)\ossec-agent\logs\
MSI (c) (1C:E4) [12:32:45:976]: Dir (target): Key: BOOKMARKS , Object: C:\Program Files (x86)\ossec-agent\bookmarks\
MSI (c) (1C:E4) [12:32:45:976]: Dir (target): Key: TMP , Object: C:\Program Files (x86)\ossec-agent\tmp\
MSI (c) (1C:E4) [12:32:45:976]: Dir (target): Key: QUEUE , Object: C:\Program Files (x86)\ossec-agent\queue\
MSI (c) (1C:E4) [12:32:45:976]: Dir (target): Key: LOGCOLLECTOR , Object: C:\Program Files (x86)\ossec-agent\queue\logcollector\
MSI (c) (1C:E4) [12:32:45:976]: Dir (target): Key: FIM , Object: C:\Program Files (x86)\ossec-agent\queue\fim\
MSI (c) (1C:E4) [12:32:45:976]: Dir (target): Key: FIM_DB , Object: C:\Program Files (x86)\ossec-agent\queue\fim\db\
MSI (c) (1C:E4) [12:32:45:976]: Dir (target): Key: DIFF , Object: C:\Program Files (x86)\ossec-agent\queue\diff\
MSI (c) (1C:E4) [12:32:45:976]: Dir (target): Key: SYSCOLLECTOR , Object: C:\Program Files (x86)\ossec-agent\queue\syscollector\
MSI (c) (1C:E4) [12:32:45:976]: Dir (target): Key: SYSCOLLECTOR_DB , Object: C:\Program Files (x86)\ossec-agent\queue\syscollector\db\
MSI (c) (1C:E4) [12:32:45:976]: Dir (target): Key: RULESET , Object: C:\Program Files (x86)\ossec-agent\ruleset\
MSI (c) (1C:E4) [12:32:45:976]: Dir (target): Key: SECURITY_CONFIGURATION_ASSESSMENT , Object: C:\Program Files (x86)\ossec-agent\ruleset\sca\
MSI (c) (1C:E4) [12:32:45:976]: Dir (target): Key: SHARED , Object: C:\Program Files (x86)\ossec-agent\shared\
MSI (c) (1C:E4) [12:32:45:976]: Dir (target): Key: ACTIVE_RESPONSE , Object: C:\Program Files (x86)\ossec-agent\active-response\
MSI (c) (1C:E4) [12:32:45:976]: Dir (target): Key: BIN , Object: C:\Program Files (x86)\ossec-agent\active-response\bin\
MSI (c) (1C:E4) [12:32:45:976]: PROPERTY CHANGE: Adding INSTALLLEVEL property. Its value is '1'.
MSI (c) (1C:E4) [12:32:45:976]: Note: 1: 2205 2:  3: MsiAssembly
MSI (c) (1C:E4) [12:32:45:976]: Note: 1: 2228 2:  3: MsiAssembly 4:  SELECT `MsiAssembly`.`Attributes`, `MsiAssembly`.`File_Application`, `MsiAssembly`.`File_Manifest`,  `Component`.`KeyPath` FROM `MsiAssembly`, `Component` WHERE  `MsiAssembly`.`Component_` = `Component`.`Component` AND `MsiAssembly`.`Component_` = ?
Action ended 12:32:45: CostFinalize. Return value 1.
MSI (c) (1C:E4) [12:32:45:977]: Doing action: MigrateFeatureStates
MSI (c) (1C:E4) [12:32:45:977]: Note: 1: 2205 2:  3: ActionText
Action 12:32:45: MigrateFeatureStates. Migrating feature states from related applications
Action start 12:32:45: MigrateFeatureStates.
Action ended 12:32:45: MigrateFeatureStates. Return value 0.
MSI (c) (1C:E4) [12:32:45:979]: Skipping action: WelcomeDlg (condition is false)
MSI (c) (1C:E4) [12:32:45:979]: Doing action: AdvancedWelcomeEulaDlg
MSI (c) (1C:E4) [12:32:45:979]: Note: 1: 2205 2:  3: ActionText
Action 12:32:45: AdvancedWelcomeEulaDlg.
Action start 12:32:45: AdvancedWelcomeEulaDlg.

Info 2898.For WixUI_Font_Title textstyle, the system created a 'Tahoma' font, in 0 character set, of 18 pixels height.
Action 12:32:46: AdvancedWelcomeEulaDlg. Dialog created
MSI (c) (1C:78) [12:32:46:015]: Note: 1: 2205 2:  3: _RemoveFilePath
MSI (c) (1C:78) [12:32:46:018]: PROPERTY CHANGE: Modifying CostingComplete property. Its current value is '0'. Its new value: '1'.
MSI (c) (1C:78) [12:32:46:019]: Note: 1: 2205 2:  3: BindImage
MSI (c) (1C:78) [12:32:46:019]: Note: 1: 2205 2:  3: ProgId
MSI (c) (1C:78) [12:32:46:019]: Note: 1: 2205 2:  3: PublishComponent
MSI (c) (1C:78) [12:32:46:019]: Note: 1: 2205 2:  3: SelfReg
MSI (c) (1C:78) [12:32:46:019]: Note: 1: 2205 2:  3: Extension
MSI (c) (1C:78) [12:32:46:019]: Note: 1: 2205 2:  3: Font
MSI (c) (1C:78) [12:32:46:019]: Note: 1: 2205 2:  3: Class
MSI (c) (1C:78) [12:32:46:019]: Note: 1: 2205 2:  3: TypeLib
MSI (c) (1C:78) [12:32:46:019]: Note: 1: 2727 2:  
MSI (c) (1C:9C) [12:32:47:486]: PROPERTY CHANGE: Adding LicenseAccepted property. Its value is '1'.
Action 12:32:48: InstallDirDlg. Dialog created
MSI (c) (1C:9C) [12:32:49:490]: Doing action: WixUIValidatePath
MSI (c) (1C:9C) [12:32:49:490]: Note: 1: 2205 2:  3: ActionText
Action 12:32:49: WixUIValidatePath.
Action start 12:32:49: WixUIValidatePath.
MSI (c) (1C:6C) [12:32:49:495]: Invoking remote custom action. DLL: C:\Users\ADMINI~1\AppData\Local\Temp\7\MSI81A5.tmp, Entrypoint: ValidatePath
MSI (c) (1C:A0) [12:32:49:497]: Cloaking enabled.
MSI (c) (1C:A0) [12:32:49:497]: Attempting to enable all disabled privileges before calling Install on Server
MSI (c) (1C:A0) [12:32:49:497]: Connected to service for CA interface.
MSI (c) (1C!40) [12:32:49:636]: PROPERTY CHANGE: Adding WIXUI_INSTALLDIR_VALID property. Its value is '1'.
Action ended 12:32:49: WixUIValidatePath. Return value 1.
Action 12:32:49: VerifyReadyDlg. Dialog created
Action ended 12:32:50: AdvancedWelcomeEulaDlg. Return value 1.
MSI (c) (1C:E4) [12:32:50:086]: Skipping action: MaintenanceWelcomeDlg (condition is false)
MSI (c) (1C:E4) [12:32:50:086]: Skipping action: ResumeDlg (condition is false)
MSI (c) (1C:E4) [12:32:50:086]: Doing action: ProgressDlg
MSI (c) (1C:E4) [12:32:50:086]: Note: 1: 2205 2:  3: ActionText
Action 12:32:50: ProgressDlg.
Action start 12:32:50: ProgressDlg.
Action 12:32:50: ProgressDlg. Dialog created
Action ended 12:32:50: ProgressDlg. Return value 1.
MSI (c) (1C:E4) [12:32:50:105]: Doing action: ExecuteAction
MSI (c) (1C:E4) [12:32:50:105]: Note: 1: 2205 2:  3: ActionText
Action 12:32:50: ExecuteAction.
Action start 12:32:50: ExecuteAction.
MSI (c) (1C:E4) [12:32:50:106]: PROPERTY CHANGE: Adding SECONDSEQUENCE property. Its value is '1'.
MSI (c) (1C:E4) [12:32:50:106]: Grabbed execution mutex.
MSI (c) (1C:E4) [12:32:50:107]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (c) (1C:E4) [12:32:50:108]: Switching to server: MAJORVERSION="#10" BUILDVERSION="17763" APPLICATIONFOLDER="C:\Program Files (x86)\ossec-agent\" BIN="C:\Program Files (x86)\ossec-agent\active-response\bin\" ACTIVE_RESPONSE="C:\Program Files (x86)\ossec-agent\active-response\" SHARED="C:\Program Files (x86)\ossec-agent\shared\" SECURITY_CONFIGURATION_ASSESSMENT="C:\Program Files (x86)\ossec-agent\ruleset\sca\" SYSCOLLECTOR="C:\Program Files (x86)\ossec-agent\queue\syscollector\" TMP="C:\Program Files (x86)\ossec-agent\tmp\" QUEUE="C:\Program Files (x86)\ossec-agent\queue\" DIFF="C:\Program Files (x86)\ossec-agent\queue\diff\" FIM="C:\Program Files (x86)\ossec-agent\queue\fim\" FIM_DB="C:\Program Files (x86)\ossec-agent\queue\fim\db\" SYSCOLLECTOR_DB="C:\Program Files (x86)\ossec-agent\queue\syscollector\db\" LOGCOLLECTOR="C:\Program Files (x86)\ossec-agent\queue\logcollector\" RULESET="C:\Program Files (x86)\ossec-agent\ruleset\" BOOKMARKS="C:\Program Files (x86)\ossec-agent\bookmarks\" LOGS="C:\Program Files (x86)\ossec-agent\logs\" WODLES="C:\Program Files (x86)\ossec-agent\wod
MSI (s) (8C:0C) [12:32:50:148]: Running installation inside multi-package transaction C:\windows\sysmon_wazuh-agent-4.9.0\wazuh-agent-4.9.0-1.msi
MSI (s) (8C:0C) [12:32:50:148]: Grabbed execution mutex.
MSI (s) (8C:98) [12:32:50:153]: Resetting cached policy values
MSI (s) (8C:98) [12:32:50:153]: Machine policy value 'Debug' is 0
MSI (s) (8C:98) [12:32:50:153]: ******* RunEngine:

           ******* Product: C:\windows\sysmon_wazuh-agent-4.9.0\wazuh-agent-4.9.0-1.msi
           ******* Action: INSTALL
           ******* CommandLine: **********
MSI (s) (8C:98) [12:32:50:155]: Machine policy value 'DisableUserInstalls' is 0
MSI (s) (8C:98) [12:32:50:162]: Note: 1: 2203 2: C:\Windows\Installer\inprogressinstallinfo.ipi 3: -2147287038
MSI (s) (8C:98) [12:32:50:164]: Machine policy value 'LimitSystemRestoreCheckpointing' is 0
MSI (s) (8C:98) [12:32:50:164]: Note: 1: 1715 2: Wazuh Agent
MSI (s) (8C:98) [12:32:50:164]: Calling SRSetRestorePoint API. dwRestorePtType: 0, dwEventType: 102, llSequenceNumber: 0, szDescription: "Installed Wazuh Agent".
MSI (s) (8C:98) [12:32:50:164]: The call to SRSetRestorePoint API failed. Returned status: 0. GetLastError() returned: 127
MSI (s) (8C:98) [12:32:50:169]: File will have security applied from OpCode.
MSI (s) (8C:98) [12:32:50:178]: SOFTWARE RESTRICTION POLICY: Verifying package --> 'C:\windows\sysmon_wazuh-agent-4.9.0\wazuh-agent-4.9.0-1.msi' against software restriction policy
MSI (s) (8C:98) [12:32:50:181]: SOFTWARE RESTRICTION POLICY: C:\windows\sysmon_wazuh-agent-4.9.0\wazuh-agent-4.9.0-1.msi has a digital signature
MSI (s) (8C:98) [12:32:50:244]: SOFTWARE RESTRICTION POLICY: C:\windows\sysmon_wazuh-agent-4.9.0\wazuh-agent-4.9.0-1.msi is permitted to run at the 'unrestricted' authorization level.
MSI (s) (8C:98) [12:32:50:244]: MSCOREE not loaded loading copy from system32
MSI (s) (8C:98) [12:32:50:257]: End dialog not enabled
MSI (s) (8C:98) [12:32:50:257]: Original package ==> C:\windows\sysmon_wazuh-agent-4.9.0\wazuh-agent-4.9.0-1.msi
MSI (s) (8C:98) [12:32:50:257]: Package we're running from ==> C:\Windows\Installer\f2bd8445.msi
MSI (s) (8C:98) [12:32:50:259]: APPCOMPAT: Compatibility mode property overrides found.
MSI (s) (8C:98) [12:32:50:259]: APPCOMPAT: looking for appcompat database entry with ProductCode '{AA553771-6A70-4C6F-A5C2-D417D03DD8A5}'.
MSI (s) (8C:98) [12:32:50:259]: APPCOMPAT: no matching ProductCode found in database.
MSI (s) (8C:98) [12:32:50:276]: Machine policy value 'TransformsSecure' is 1
MSI (s) (8C:98) [12:32:50:277]: Machine policy value 'DisablePatch' is 0
MSI (s) (8C:98) [12:32:50:277]: Machine policy value 'AllowLockdownPatch' is 0
MSI (s) (8C:98) [12:32:50:277]: Machine policy value 'DisableLUAPatching' is 0
MSI (s) (8C:98) [12:32:50:277]: Machine policy value 'DisableFlyWeightPatching' is 0
MSI (s) (8C:98) [12:32:50:277]: APPCOMPAT: looking for appcompat database entry with ProductCode '{AA553771-6A70-4C6F-A5C2-D417D03DD8A5}'.
MSI (s) (8C:98) [12:32:50:278]: APPCOMPAT: no matching ProductCode found in database.
MSI (s) (8C:98) [12:32:50:278]: Transforms are not secure.
MSI (s) (8C:98) [12:32:50:278]: PROPERTY CHANGE: Adding MsiLogFileLocation property. Its value is 'C:\wazuh-install-debug-logging-no-quiet-after-reboot.log'.
MSI (s) (8C:98) [12:32:50:278]: Command Line: MAJORVERSION=#10 BUILDVERSION=17763 APPLICATIONFOLDER=C:\Program Files (x86)\ossec-agent\ BIN=C:\Program Files (x86)\ossec-agent\active-response\bin\ ACTIVE_RESPONSE=C:\Program Files (x86)\ossec-agent\active-response\ SHARED=C:\Program Files (x86)\ossec-agent\shared\ SECURITY_CONFIGURATION_ASSESSMENT=C:\Program Files (x86)\ossec-agent\ruleset\sca\ SYSCOLLECTOR=C:\Program Files (x86)\ossec-agent\queue\syscollector\ TMP=C:\Program Files (x86)\ossec-agent\tmp\ QUEUE=C:\Program Files (x86)\ossec-agent\queue\ DIFF=C:\Program Files (x86)\ossec-agent\queue\diff\ FIM=C:\Program Files (x86)\ossec-agent\queue\fim\ FIM_DB=C:\Program Files (x86)\ossec-agent\queue\fim\db\ SYSCOLLECTOR_DB=C:\Program Files (x86)\ossec-agent\queue\syscollector\db\ LOGCOLLECTOR=C:\Program Files (x86)\ossec-agent\queue\logcollector\ RULESET=C:\Program Files (x86)\ossec-agent\ruleset\ BOOKMARKS=C:\Program Files (x86)\ossec-agent\bookmarks\ LOGS=C:\Program Files (x86)\ossec-agent\logs\ WODLES=C:\Program Files (x86)\ossec-agent\wodles\ RIDS=C:\Program Files (x86)\ossec-agent
MSI (s) (8C:98) [12:32:50:278]: PROPERTY CHANGE: Adding PackageCode property. Its value is '{1EBD6D53-25A4-402C-9730-5A0C9C2C0939}'.
MSI (s) (8C:98) [12:32:50:278]: Product Code passed to Engine.Initialize:           ''
MSI (s) (8C:98) [12:32:50:278]: Product Code from property table before transforms: '{AA553771-6A70-4C6F-A5C2-D417D03DD8A5}'
MSI (s) (8C:98) [12:32:50:278]: Product Code from property table after transforms:  '{AA553771-6A70-4C6F-A5C2-D417D03DD8A5}'
MSI (s) (8C:98) [12:32:50:278]: Product not registered: beginning first-time install
MSI (s) (8C:98) [12:32:50:278]: Product {AA553771-6A70-4C6F-A5C2-D417D03DD8A5} is not managed.
MSI (s) (8C:98) [12:32:50:278]: MSI_LUA: Credential prompt not required, user is an admin
MSI (s) (8C:98) [12:32:50:278]: PROPERTY CHANGE: Adding ProductState property. Its value is '-1'.
MSI (s) (8C:98) [12:32:50:278]: Entering CMsiConfigurationManager::SetLastUsedSource.
MSI (s) (8C:98) [12:32:50:278]: User policy value 'SearchOrder' is 'nmu'
MSI (s) (8C:98) [12:32:50:278]: Adding new sources is allowed.
MSI (s) (8C:98) [12:32:50:278]: PROPERTY CHANGE: Adding PackagecodeChanging property. Its value is '1'.
MSI (s) (8C:98) [12:32:50:278]: Package name extracted from package path: 'wazuh-agent-4.9.0-1.msi'
MSI (s) (8C:98) [12:32:50:279]: Package to be registered: 'wazuh-agent-4.9.0-1.msi'
MSI (s) (8C:98) [12:32:50:280]: Note: 1: 2262 2: AdminProperties 3: -2147287038
MSI (s) (8C:98) [12:32:50:280]: Machine policy value 'DisableMsi' is 1
MSI (s) (8C:98) [12:32:50:280]: Machine policy value 'AlwaysInstallElevated' is 0
MSI (s) (8C:98) [12:32:50:280]: User policy value 'AlwaysInstallElevated' is 0
MSI (s) (8C:98) [12:32:50:280]: Product installation will be elevated because user is admin and product is being installed per-machine.
MSI (s) (8C:98) [12:32:50:280]: Running product '{AA553771-6A70-4C6F-A5C2-D417D03DD8A5}' with elevated privileges: Product is assigned.
MSI (s) (8C:98) [12:32:50:280]: PROPERTY CHANGE: Modifying MAJORVERSION property. Its current value is '0'. Its new value: '#10'.
MSI (s) (8C:98) [12:32:50:280]: PROPERTY CHANGE: Modifying BUILDVERSION property. Its current value is '0'. Its new value: '17763'.
MSI (s) (8C:98) [12:32:50:280]: PROPERTY CHANGE: Adding APPLICATIONFOLDER property. Its value is 'C:\Program Files (x86)\ossec-agent\'.
MSI (s) (8C:98) [12:32:50:280]: PROPERTY CHANGE: Adding BIN property. Its value is 'C:\Program Files (x86)\ossec-agent\active-response\bin\'.
MSI (s) (8C:98) [12:32:50:280]: PROPERTY CHANGE: Adding ACTIVE_RESPONSE property. Its value is 'C:\Program Files (x86)\ossec-agent\active-response\'.
MSI (s) (8C:98) [12:32:50:280]: PROPERTY CHANGE: Adding SHARED property. Its value is 'C:\Program Files (x86)\ossec-agent\shared\'.
MSI (s) (8C:98) [12:32:50:280]: PROPERTY CHANGE: Adding SECURITY_CONFIGURATION_ASSESSMENT property. Its value is 'C:\Program Files (x86)\ossec-agent\ruleset\sca\'.
MSI (s) (8C:98) [12:32:50:280]: PROPERTY CHANGE: Adding SYSCOLLECTOR property. Its value is 'C:\Program Files (x86)\ossec-agent\queue\syscollector\'.
MSI (s) (8C:98) [12:32:50:280]: PROPERTY CHANGE: Adding TMP property. Its value is 'C:\Program Files (x86)\ossec-agent\tmp\'.
MSI (s) (8C:98) [12:32:50:280]: PROPERTY CHANGE: Adding QUEUE property. Its value is 'C:\Program Files (x86)\ossec-agent\queue\'.
MSI (s) (8C:98) [12:32:50:280]: PROPERTY CHANGE: Adding DIFF property. Its value is 'C:\Program Files (x86)\ossec-agent\queue\diff\'.
MSI (s) (8C:98) [12:32:50:280]: PROPERTY CHANGE: Adding FIM property. Its value is 'C:\Program Files (x86)\ossec-agent\queue\fim\'.
MSI (s) (8C:98) [12:32:50:280]: PROPERTY CHANGE: Adding FIM_DB property. Its value is 'C:\Program Files (x86)\ossec-agent\queue\fim\db\'.
MSI (s) (8C:98) [12:32:50:280]: PROPERTY CHANGE: Adding SYSCOLLECTOR_DB property. Its value is 'C:\Program Files (x86)\ossec-agent\queue\syscollector\db\'.
MSI (s) (8C:98) [12:32:50:280]: PROPERTY CHANGE: Adding LOGCOLLECTOR property. Its value is 'C:\Program Files (x86)\ossec-agent\queue\logcollector\'.
MSI (s) (8C:98) [12:32:50:280]: PROPERTY CHANGE: Adding RULESET property. Its value is 'C:\Program Files (x86)\ossec-agent\ruleset\'.
MSI (s) (8C:98) [12:32:50:280]: PROPERTY CHANGE: Adding BOOKMARKS property. Its value is 'C:\Program Files (x86)\ossec-agent\bookmarks\'.
MSI (s) (8C:98) [12:32:50:280]: PROPERTY CHANGE: Adding LOGS property. Its value is 'C:\Program Files (x86)\ossec-agent\logs\'.
MSI (s) (8C:98) [12:32:50:280]: PROPERTY CHANGE: Adding WODLES property. Its value is 'C:\Program Files (x86)\ossec-agent\wodles\'.
MSI (s) (8C:98) [12:32:50:280]: PROPERTY CHANGE: Adding RIDS property. Its value is 'C:\Program Files (x86)\ossec-agent\rids\'.
MSI (s) (8C:98) [12:32:50:280]: PROPERTY CHANGE: Adding SYSCHECK property. Its value is 'C:\Program Files (x86)\ossec-agent\syscheck\'.
MSI (s) (8C:98) [12:32:50:280]: PROPERTY CHANGE: Adding INCOMING property. Its value is 'C:\Program Files (x86)\ossec-agent\incoming\'.
MSI (s) (8C:98) [12:32:50:280]: PROPERTY CHANGE: Adding UPGRADE property. Its value is 'C:\Program Files (x86)\ossec-agent\upgrade\'.
MSI (s) (8C:98) [12:32:50:280]: PROPERTY CHANGE: Adding WAZUH_MANAGER property. Its value is '172.22.24.50'.
MSI (s) (8C:98) [12:32:50:280]: PROPERTY CHANGE: Adding TARGETDIR property. Its value is 'D:\'.
MSI (s) (8C:98) [12:32:50:280]: PROPERTY CHANGE: Adding CURRENTDIRECTORY property. Its value is 'C:\Users\Administrator'.
MSI (s) (8C:98) [12:32:50:280]: PROPERTY CHANGE: Adding CLIENTUILEVEL property. Its value is '0'.
MSI (s) (8C:98) [12:32:50:280]: PROPERTY CHANGE: Adding CLIENTPROCESSID property. Its value is '23580'.
MSI (s) (8C:98) [12:32:50:280]: PROPERTY CHANGE: Adding USERNAME property. Its value is 'Windows User'.
MSI (s) (8C:98) [12:32:50:280]: PROPERTY CHANGE: Adding SOURCEDIR property. Its value is 'C:\windows\sysmon_wazuh-agent-4.9.0\'.
MSI (s) (8C:98) [12:32:50:280]: PROPERTY CHANGE: Adding ACTION property. Its value is 'INSTALL'.
MSI (s) (8C:98) [12:32:50:280]: PROPERTY CHANGE: Adding EXECUTEACTION property. Its value is 'INSTALL'.
MSI (s) (8C:98) [12:32:50:280]: PROPERTY CHANGE: Adding SECONDSEQUENCE property. Its value is '1'.
MSI (s) (8C:98) [12:32:50:280]: PROPERTY CHANGE: Adding ROOTDRIVE property. Its value is 'D:\'.
MSI (s) (8C:98) [12:32:50:280]: PROPERTY CHANGE: Adding INSTALLLEVEL property. Its value is '1'.
MSI (s) (8C:98) [12:32:50:280]: PROPERTY CHANGE: Adding WIXUI_INSTALLDIR_VALID property. Its value is '1'.
MSI (s) (8C:98) [12:32:50:280]: PROPERTY CHANGE: Adding ADDLOCAL property. Its value is 'MainFeature'.
MSI (s) (8C:98) [12:32:50:280]: Machine policy value 'DisableAutomaticApplicationShutdown' is 0
MSI (s) (8C:98) [12:32:50:280]: RESTART MANAGER: Disabled by MSIRESTARTMANAGERCONTROL property; Windows Installer will use the built-in FilesInUse functionality.
MSI (s) (8C:98) [12:32:50:280]: PROPERTY CHANGE: Adding MsiSystemRebootPending property. Its value is '1'.
MSI (s) (8C:98) [12:32:50:280]: Engine has iefSecondSequence set to true.
MSI (s) (8C:98) [12:32:50:280]: TRANSFORMS property is now:
MSI (s) (8C:98) [12:32:50:280]: PROPERTY CHANGE: Deleting SOURCEDIR property. Its current value is 'C:\windows\sysmon_wazuh-agent-4.9.0\'.
MSI (s) (8C:98) [12:32:50:280]: PROPERTY CHANGE: Adding VersionDatabase property. Its value is '200'.
MSI (s) (8C:98) [12:32:50:283]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming
MSI (s) (8C:98) [12:32:50:284]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\Favorites
MSI (s) (8C:98) [12:32:50:286]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Network Shortcuts
MSI (s) (8C:98) [12:32:50:289]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\Documents
MSI (s) (8C:98) [12:32:50:291]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
MSI (s) (8C:98) [12:32:50:293]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent
MSI (s) (8C:98) [12:32:50:295]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\SendTo
MSI (s) (8C:98) [12:32:50:298]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates
MSI (s) (8C:98) [12:32:50:298]: SHELL32::SHGetFolderPath returned: C:\ProgramData
MSI (s) (8C:98) [12:32:50:301]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Local
MSI (s) (8C:98) [12:32:50:302]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\Pictures
MSI (s) (8C:98) [12:32:50:305]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools
MSI (s) (8C:98) [12:32:50:307]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
MSI (s) (8C:98) [12:32:50:308]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs
MSI (s) (8C:98) [12:32:50:309]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu
MSI (s) (8C:98) [12:32:50:311]: SHELL32::SHGetFolderPath returned: C:\Users\Public\Desktop
MSI (s) (8C:98) [12:32:50:314]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
MSI (s) (8C:98) [12:32:50:316]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
MSI (s) (8C:98) [12:32:50:317]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
MSI (s) (8C:98) [12:32:50:318]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu
MSI (s) (8C:98) [12:32:50:320]: SHELL32::SHGetFolderPath returned: C:\Users\Administrator\Desktop
MSI (s) (8C:98) [12:32:50:323]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Templates
MSI (s) (8C:98) [12:32:50:324]: SHELL32::SHGetFolderPath returned: C:\Windows\Fonts
MSI (s) (8C:98) [12:32:50:324]: Note: 1: 2898 2: MS Sans Serif 3: MS Sans Serif 4: 0 5: 16
MSI (s) (8C:98) [12:32:50:339]: MSI_LUA: Setting MsiRunningElevated property to 1 because the install is already running elevated.
MSI (s) (8C:98) [12:32:50:339]: PROPERTY CHANGE: Adding MsiRunningElevated property. Its value is '1'.
MSI (s) (8C:98) [12:32:50:339]: PROPERTY CHANGE: Adding Privileged property. Its value is '1'.
MSI (s) (8C:98) [12:32:50:339]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info 3: 2
MSI (s) (8C:98) [12:32:50:339]: PROPERTY CHANGE: Adding DATABASE property. Its value is 'C:\Windows\Installer\f2bd8445.msi'.
MSI (s) (8C:98) [12:32:50:339]: PROPERTY CHANGE: Adding OriginalDatabase property. Its value is 'C:\windows\sysmon_wazuh-agent-4.9.0\wazuh-agent-4.9.0-1.msi'.
MSI (s) (8C:98) [12:32:50:339]: Machine policy value 'MsiDisableEmbeddedUI' is 0
MSI (s) (8C:98) [12:32:50:339]: EEUI - Disabling MsiEmbeddedUI for service because it's not a quiet/basic install
MSI (s) (8C:98) [12:32:50:339]: Note: 1: 2205 2:  3: PatchPackage
MSI (s) (8C:98) [12:32:50:339]: Machine policy value 'DisableRollback' is 0
MSI (s) (8C:98) [12:32:50:339]: User policy value 'DisableRollback' is 0
MSI (s) (8C:98) [12:32:50:339]: PROPERTY CHANGE: Adding UILevel property. Its value is '5'.
MSI (s) (8C:98) [12:32:50:340]: PROPERTY CHANGE: Adding Preselected property. Its value is '1'.
MSI (s) (8C:98) [12:32:50:340]: Note: 1: 2205 2:  3: LaunchCondition
MSI (s) (8C:98) [12:32:50:340]: Note: 1: 2228 2:  3: LaunchCondition 4: SELECT `Condition` FROM `LaunchCondition`
MSI (s) (8C:98) [12:32:50:340]: APPCOMPAT: [DetectVersionLaunchCondition] Failed to initialize pRecErr.
MSI (s) (8C:98) [12:32:50:344]: Doing action: INSTALL
MSI (s) (8C:98) [12:32:50:344]: Note: 1: 2205 2:  3: ActionText
Action 12:32:50: INSTALL.
Action start 12:32:50: INSTALL.
MSI (s) (8C:98) [12:32:50:345]: Running ExecuteSequence
MSI (s) (8C:98) [12:32:50:345]: Doing action: FindRelatedProducts
MSI (s) (8C:98) [12:32:50:345]: Note: 1: 2205 2:  3: ActionText
Action 12:32:50: FindRelatedProducts. Searching for related applications
Action start 12:32:50: FindRelatedProducts.
MSI (s) (8C:98) [12:32:50:347]: Skipping FindRelatedProducts action: already done on client side
Action ended 12:32:50: FindRelatedProducts. Return value 0.
MSI (s) (8C:98) [12:32:50:348]: Doing action: CheckSvcRunning
MSI (s) (8C:98) [12:32:50:348]: Note: 1: 2205 2:  3: ActionText
Action 12:32:50: CheckSvcRunning.
Action start 12:32:50: CheckSvcRunning.
MSI (s) (8C:58) [12:32:50:349]: Generating random cookie.
MSI (s) (8C:58) [12:32:50:365]: Created Custom Action Server with PID 16152 (0x3F18).
MSI (s) (8C:E8) [12:32:50:404]: Running as a service.
MSI (s) (8C:E8) [12:32:50:408]: Hello, I'm your 32bit Impersonated custom action server.
Error 1720. There is a problem with this Windows Installer package. A script required for this install to complete could not be run. Contact your support personnel or package vendor.  Custom action CheckSvcRunning script error -2147217358, SWbemObjectSet: Call cancelled  Line 363, Column 5,  
MSI (s) (8C:58) [10:34:04:900]: Product: Wazuh Agent -- Error 1720. There is a problem with this Windows Installer package. A script required for this install to complete could not be run. Contact your support personnel or package vendor.  Custom action CheckSvcRunning script error -2147217358, SWbemObjectSet: Call cancelled  Line 363, Column 5,  

Action ended 10:34:04: CheckSvcRunning. Return value 3.
Action ended 10:34:04: INSTALL. Return value 3.
Property(S): UpgradeCode = {F495AC57-7BDE-4C4B-92D8-DBE40A9AA5A0}
Property(S): MAJORVERSION = #10
Property(S): BUILDVERSION = 17763
Property(S): APPLICATIONFOLDER = C:\Program Files (x86)\ossec-agent\
Property(S): BIN = C:\Program Files (x86)\ossec-agent\active-response\bin\
Property(S): ACTIVE_RESPONSE = C:\Program Files (x86)\ossec-agent\active-response\
Property(S): SHARED = C:\Program Files (x86)\ossec-agent\shared\
Property(S): SECURITY_CONFIGURATION_ASSESSMENT = C:\Program Files (x86)\ossec-agent\ruleset\sca\
Property(S): SYSCOLLECTOR = C:\Program Files (x86)\ossec-agent\queue\syscollector\
Property(S): TMP = C:\Program Files (x86)\ossec-agent\tmp\
Property(S): QUEUE = C:\Program Files (x86)\ossec-agent\queue\
Property(S): DIFF = C:\Program Files (x86)\ossec-agent\queue\diff\
Property(S): FIM = C:\Program Files (x86)\ossec-agent\queue\fim\
Property(S): FIM_DB = C:\Program Files (x86)\ossec-agent\queue\fim\db\
Property(S): SYSCOLLECTOR_DB = C:\Program Files (x86)\ossec-agent\queue\syscollector\db\
Property(S): LOGCOLLECTOR = C:\Program Files (x86)\ossec-agent\queue\logcollector\
Property(S): RULESET = C:\Program Files (x86)\ossec-agent\ruleset\
Property(S): BOOKMARKS = C:\Program Files (x86)\ossec-agent\bookmarks\
Property(S): LOGS = C:\Program Files (x86)\ossec-agent\logs\
Property(S): WODLES = C:\Program Files (x86)\ossec-agent\wodles\
Property(S): RIDS = C:\Program Files (x86)\ossec-agent\rids\
Property(S): SYSCHECK = C:\Program Files (x86)\ossec-agent\syscheck\
Property(S): INCOMING = C:\Program Files (x86)\ossec-agent\incoming\
Property(S): UPGRADE = C:\Program Files (x86)\ossec-agent\upgrade\
Property(S): WixUIRMOption = UseRM
Property(S): WixAppFolder = WixPerMachineFolder
Property(S): WIXUI_INSTALLDIR = APPLICATIONFOLDER
Property(S): ALLUSERS = 1
Property(S): Privileged = 1
Property(S): ARPNOMODIFY = yes
Property(S): ARPNOREPAIR = yes
Property(S): WAZUH_MANAGER = 172.22.24.50
Property(S): ProgramFilesFolder = C:\Program Files (x86)\
Property(S): TARGETDIR = D:\
Property(S): ProgramMenuFolder = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\
Property(S): VersionNT = 603
Property(S): MSIRESTARTMANAGERCONTROL = Disable
Property(S): MsiLogging = v
Property(S): ARPPRODUCTICON = icon.ico
Property(S): WIXUI_EXITDIALOGOPTIONALCHECKBOXTEXT = Run Agent configuration interface
Property(S): ApplicationFolderName = ossec-agent
Property(S): WixShellExecTarget = [APPLICATIONFOLDER]win32ui.exe
Property(S): Manufacturer = Wazuh, Inc.
Property(S): ProductCode = {AA553771-6A70-4C6F-A5C2-D417D03DD8A5}
Property(S): ProductLanguage = 1033
Property(S): ProductName = Wazuh Agent
Property(S): ProductVersion = 4.9.0
Property(S): DefaultUIFont = WixUI_Font_Normal
Property(S): WixUI_Mode = Advanced
Property(S): ErrorDialog = ErrorDlg
Property(S): SecureCustomProperties = ADDRESS;AGENT_NAME;AUTHD_PORT;AUTHD_SERVER;CERTIFICATE;GROUP;KEY;NOTIFY_TIME;OS_VERSION;PASSWORD;PEM;PROTOCOL;SERVER_PORT;TIME_RECONNECT;WAZUH_AGENT_GROUP;WAZUH_AGENT_NAME;WAZUH_KEEP_ALIVE_INTERVAL;WAZUH_MANAGER;WAZUH_MANAGER_PORT;WAZUH_PROTOCOL;WAZUH_REGISTRATION_CA;WAZUH_REGISTRATION_CERTIFICATE;WAZUH_REGISTRATION_KEY;WAZUH_REGISTRATION_PASSWORD;WAZUH_REGISTRATION_PORT;WAZUH_REGISTRATION_SERVER;WAZUH_TIME_RECONNECT;WIX_UPGRADE_DETECTED
Property(S): MsiHiddenProperties = ExecSecureObjects;ExecSecureObjectsRollback
Property(S): MsiLogFileLocation = C:\wazuh-install-debug-logging-no-quiet-after-reboot.log
Property(S): PackageCode = {1EBD6D53-25A4-402C-9730-5A0C9C2C0939}
Property(S): ProductState = -1
Property(S): PackagecodeChanging = 1
Property(S): CURRENTDIRECTORY = C:\Users\Administrator
Property(S): CLIENTUILEVEL = 0
Property(S): CLIENTPROCESSID = 23580
Property(S): USERNAME = Windows User
Property(S): VersionDatabase = 200
Property(S): ACTION = INSTALL
Property(S): EXECUTEACTION = INSTALL
Property(S): SECONDSEQUENCE = 1
Property(S): ROOTDRIVE = D:\
Property(S): INSTALLLEVEL = 1
Property(S): WIXUI_INSTALLDIR_VALID = 1
Property(S): ADDLOCAL = MainFeature
Property(S): MsiSystemRebootPending = 1
Property(S): VersionMsi = 5.00
Property(S): VersionNT64 = 603
Property(S): WindowsBuild = 9600
Property(S): ServicePackLevel = 0
Property(S): ServicePackLevelMinor = 0
Property(S): MsiNTProductType = 3
Property(S): WindowsFolder = C:\Windows\
Property(S): WindowsVolume = C:\
Property(S): System64Folder = C:\Windows\system32\
Property(S): SystemFolder = C:\Windows\SysWOW64\
Property(S): RemoteAdminTS = 1
Property(S): TempFolder = C:\Users\ADMINI~1\AppData\Local\Temp\
Property(S): CommonFilesFolder = C:\Program Files (x86)\Common Files\
Property(S): ProgramFiles64Folder = C:\Program Files\
Property(S): CommonFiles64Folder = C:\Program Files\Common Files\
Property(S): AppDataFolder = C:\Users\Administrator\AppData\Roaming\
Property(S): FavoritesFolder = C:\Users\Administrator\Favorites\
Property(S): NetHoodFolder = C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Network Shortcuts\
Property(S): PersonalFolder = C:\Users\Administrator\Documents\
Property(S): PrintHoodFolder = C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\
Property(S): RecentFolder = C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\
Property(S): SendToFolder = C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\SendTo\
Property(S): TemplateFolder = C:\ProgramData\Microsoft\Windows\Templates\
Property(S): CommonAppDataFolder = C:\ProgramData\
Property(S): LocalAppDataFolder = C:\Users\Administrator\AppData\Local\
Property(S): MyPicturesFolder = C:\Users\Administrator\Pictures\
Property(S): AdminToolsFolder = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\
Property(S): StartupFolder = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Property(S): StartMenuFolder = C:\ProgramData\Microsoft\Windows\Start Menu\
Property(S): DesktopFolder = C:\Users\Public\Desktop\
Property(S): FontsFolder = C:\Windows\Fonts\
Property(S): GPTSupport = 1
Property(S): OLEAdvtSupport = 1
Property(S): ShellAdvtSupport = 1
Property(S): MsiAMD64 = 6
Property(S): Msix64 = 6
Property(S): Intel = 6
Property(S): PhysicalMemory = 118784
Property(S): VirtualMemory = 36679
Property(S): AdminUser = 1
Property(S): MsiTrueAdminUser = 1
Property(S): LogonUser = Administrator
Property(S): UserSID = S-1-5-21-1689351167-2780846351-2222794732-500
Property(S): UserLanguageID = 1033
Property(S): ComputerName = RHPPWDW01
Property(S): SystemLanguageID = 1033
Property(S): ScreenX = 1024
Property(S): ScreenY = 768
Property(S): CaptionHeight = 23
Property(S): BorderTop = 1
Property(S): BorderSide = 1
Property(S): TextHeight = 16
Property(S): TextInternalLeading = 3
Property(S): ColorBits = 32
Property(S): TTCSupport = 1
Property(S): Time = 10:34:04
Property(S): Date = 7/22/2025
Property(S): MsiNetAssemblySupport = 4.7.3190.0
Property(S): MsiWin32AssemblySupport = 6.3.17763.4131
Property(S): RedirectedDllSupport = 2
Property(S): MsiRunningElevated = 1
Property(S): DATABASE = C:\Windows\Installer\f2bd8445.msi
Property(S): OriginalDatabase = C:\windows\sysmon_wazuh-agent-4.9.0\wazuh-agent-4.9.0-1.msi
Property(S): UILevel = 5
Property(S): Preselected = 1
MSI (s) (8C:98) [10:34:04:931]: MainEngineThread is returning 1603
MSI (s) (8C:0C) [10:34:04:931]: No System Restore sequence number for this installation.
MSI (s) (8C:0C) [10:34:04:931]: User policy value 'DisableRollback' is 0
MSI (s) (8C:0C) [10:34:04:931]: Machine policy value 'DisableRollback' is 0
MSI (s) (8C:0C) [10:34:04:931]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (8C:0C) [10:34:04:931]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (8C:0C) [10:34:04:931]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (8C:0C) [10:34:04:931]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied.  Counter after decrement: -1
MSI (s) (8C:0C) [10:34:04:931]: Destroying RemoteAPI object.
MSI (s) (8C:58) [10:34:04:931]: Custom Action Manager thread ending.
MSI (c) (1C:E4) [10:34:04:931]: Back from server. Return value: 1603
MSI (c) (1C:E4) [10:34:04:931]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied.  Counter after decrement: -1
MSI (c) (1C:E4) [10:34:04:931]: PROPERTY CHANGE: Deleting SECONDSEQUENCE property. Its current value is '1'.
Action ended 10:34:04: ExecuteAction. Return value 3.
MSI (c) (1C:E4) [10:34:04:931]: Doing action: FatalError
MSI (c) (1C:E4) [10:34:04:931]: Note: 1: 2205 2:  3: ActionText
Action 10:34:04: FatalError.
Action start 10:34:04: FatalError.
Action 10:34:04: FatalError. Dialog created
Action ended 10:34:06: FatalError. Return value 2.
Action ended 10:34:06: INSTALL. Return value 3.
MSI (c) (1C:E4) [10:34:06:137]: Destroying RemoteAPI object.
MSI (c) (1C:A0) [10:34:06:137]: Custom Action Manager thread ending.
Property(C): UpgradeCode = {F495AC57-7BDE-4C4B-92D8-DBE40A9AA5A0}
Property(C): MAJORVERSION = #10
Property(C): BUILDVERSION = 17763
Property(C): APPLICATIONFOLDER = C:\Program Files (x86)\ossec-agent\
Property(C): LicenseAccepted = 1
Property(C): BIN = C:\Program Files (x86)\ossec-agent\active-response\bin\
Property(C): ACTIVE_RESPONSE = C:\Program Files (x86)\ossec-agent\active-response\
Property(C): SHARED = C:\Program Files (x86)\ossec-agent\shared\
Property(C): SECURITY_CONFIGURATION_ASSESSMENT = C:\Program Files (x86)\ossec-agent\ruleset\sca\
Property(C): SYSCOLLECTOR = C:\Program Files (x86)\ossec-agent\queue\syscollector\
Property(C): ProgramMenuDir = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OSSEC\
Property(C): TMP = C:\Program Files (x86)\ossec-agent\tmp\
Property(C): QUEUE = C:\Program Files (x86)\ossec-agent\queue\
Property(C): DIFF = C:\Program Files (x86)\ossec-agent\queue\diff\
Property(C): FIM = C:\Program Files (x86)\ossec-agent\queue\fim\
Property(C): FIM_DB = C:\Program Files (x86)\ossec-agent\queue\fim\db\
Property(C): SYSCOLLECTOR_DB = C:\Program Files (x86)\ossec-agent\queue\syscollector\db\
Property(C): LOGCOLLECTOR = C:\Program Files (x86)\ossec-agent\queue\logcollector\
Property(C): RULESET = C:\Program Files (x86)\ossec-agent\ruleset\
Property(C): BOOKMARKS = C:\Program Files (x86)\ossec-agent\bookmarks\
Property(C): LOGS = C:\Program Files (x86)\ossec-agent\logs\
Property(C): WODLES = C:\Program Files (x86)\ossec-agent\wodles\
Property(C): RIDS = C:\Program Files (x86)\ossec-agent\rids\
Property(C): SYSCHECK = C:\Program Files (x86)\ossec-agent\syscheck\
Property(C): INCOMING = C:\Program Files (x86)\ossec-agent\incoming\
Property(C): UPGRADE = C:\Program Files (x86)\ossec-agent\upgrade\
Property(C): WixUIRMOption = UseRM
Property(C): WixAppFolder = WixPerMachineFolder
Property(C): WIXUI_INSTALLDIR = APPLICATIONFOLDER
Property(C): ALLUSERS = 1
Property(C): Privileged = 1
Property(C): ARPNOMODIFY = yes
Property(C): ARPNOREPAIR = yes
Property(C): WixPerUserFolder = C:\Users\Administrator\AppData\Local\Apps\ossec-agent
Property(C): WAZUH_MANAGER = 172.22.24.50
Property(C): WixPerMachineFolder = C:\Program Files (x86)\ossec-agent
Property(C): ProgramFilesFolder = C:\Program Files (x86)\
Property(C): TARGETDIR = D:\
Property(C): ProgramMenuFolder = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\
Property(C): SourceDir = C:\windows\sysmon_wazuh-agent-4.9.0\
Property(C): VersionNT = 603
Property(C): MSIRESTARTMANAGERCONTROL = Disable
Property(C): MsiLogging = v
Property(C): ARPPRODUCTICON = icon.ico
Property(C): WIXUI_EXITDIALOGOPTIONALCHECKBOXTEXT = Run Agent configuration interface
Property(C): ApplicationFolderName = ossec-agent
Property(C): WixShellExecTarget = [APPLICATIONFOLDER]win32ui.exe
Property(C): Manufacturer = Wazuh, Inc.
Property(C): ProductCode = {AA553771-6A70-4C6F-A5C2-D417D03DD8A5}
Property(C): ProductLanguage = 1033
Property(C): ProductName = Wazuh Agent
Property(C): ProductVersion = 4.9.0
Property(C): DefaultUIFont = WixUI_Font_Normal
Property(C): WixUI_Mode = Advanced
Property(C): ErrorDialog = ErrorDlg
=== Logging stopped: 7/22/2025  10:34:06 ===
MSI (c) (1C:E4) [10:34:06:137]: Note: 1: 1708
MSI (c) (1C:E4) [10:34:06:137]: Product: Wazuh Agent -- Installation failed.

MSI (c) (1C:E4) [10:34:06:137]: Windows Installer installed the product. Product Name: Wazuh Agent. Product Version: 4.9.0. Product Language: 1033. Manufacturer: Wazuh, Inc.. Installation success or error status: 1603.

MSI (c) (1C:E4) [10:34:06:153]: Grabbed execution mutex.
MSI (c) (1C:E4) [10:34:06:153]: Cleaning up uninstalled install packages, if any exist
MSI (c) (1C:E4) [10:34:06:153]: MainEngineThread is returning 1603
=== Verbose logging stopped: 7/22/2025  10:34:06 ===



Do let me know if additional information is needed.

ak

Jul 22, 2025, 11:28:58 AM
to Wazuh | Mailing List
Hi,

Please find additional information:

- There is no GPO policy running which blocks MSI files. (Other .msi installs, such as 7zip.msi, worked.)
Note: After rebooting that server, we tried installing with the command (msiexec /i "C:\windows\sysmon_wazuh-agent-4.9.0\wazuh-agent-4.9.0-1.msi" WAZUH_MANAGER=172.22.24.50 /l*v C:\wazuh-install-debug-logging-no-quiet-after-reboot.log) and, after waiting for more than 30 minutes, we received the attached error.
 Wazuh-Install-Error.png

- No Wazuh service is seen running on this system.

Farouk Musa

Jul 23, 2025, 6:56:59 PM
to Wazuh | Mailing List
Thanks for the additional information provided. Let me review this and come back to you with a possible fix.

Abdusamad Nazarov

Jul 24, 2025, 12:07:03 AM
to Wazuh | Mailing List
Hello,
1. Activate Windows!
2. I was able to determine "Win32_Service" needed to be reregistered.

To validate Win32_Service is working, perform the following.

  1. Open PowerShell as Administrator.
  2. Type wbemtest and press enter.
  3. Click on [Connect...].
  4. Ensure the namespace is root\cimv2.
  5. Press [Connect].
  6. Under IWbemServices, select [Open Class...].
  7. Search for Win32_Service and click [OK].
  8. If you receive an error message, you need to reregister the service.

To reregister the service, perform the following:

  1. Open PowerShell as Administrator.
  2. Type mofcomp %windir%\system32\wbem\cimwin32.mof and press enter.
  3. Verify registration with the previous steps.
  4. Run the Wazuh client installer.

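A scripted equivalent of the wbemtest check and the mofcomp re-registration described in the post above, as an added example that is not part of the original post or of Wazuh's own tooling. It assumes an elevated PowerShell session; the function name `Test-Win32ServiceClass` is hypothetical, and the MOF path is written with `$env:windir` because `%windir%` is cmd.exe syntax that PowerShell does not expand.

```powershell
#Requires -RunAsAdministrator
# Added example: non-interactive version of the wbemtest / mofcomp procedure.
$ErrorActionPreference = 'Stop'

function Test-Win32ServiceClass {
    # Hypothetical helper. Returns $true only when root\cimv2 can both open the
    # Win32_Service class definition and enumerate at least one instance of it
    # (a class can be registered and still fail when queried).
    try {
        $null = Get-CimClass -Namespace 'root\cimv2' -ClassName 'Win32_Service'
        $null = Get-CimInstance -Namespace 'root\cimv2' -ClassName 'Win32_Service' |
                    Select-Object -First 1
        return $true
    } catch {
        Write-Warning "Win32_Service check failed: $($_.Exception.Message)"
        return $false
    }
}

if (Test-Win32ServiceClass) {
    Write-Output 'Win32_Service is registered and queryable; no re-registration needed.'
} else {
    # Same MOF file as in the post, with the path built the PowerShell way.
    $mof = Join-Path $env:windir 'System32\wbem\cimwin32.mof'
    if (-not (Test-Path -LiteralPath $mof)) { throw "MOF file not found: $mof" }

    & mofcomp.exe $mof
    if ($LASTEXITCODE -ne 0) { throw "mofcomp exited with code $LASTEXITCODE" }

    # "Verify registration with the previous steps."
    if (-not (Test-Win32ServiceClass)) {
        throw 'Win32_Service is still not queryable after mofcomp.'
    }
    Write-Output 'Win32_Service re-registered; the Wazuh installer can be run again.'
}
```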

Farouk Musa

Jul 24, 2025, 11:03:47 AM
to Wazuh | Mailing List
@ak have you tried out the suggestion from Abdusamad yet?

ak

Jul 28, 2025, 2:51:38 AM
to Wazuh | Mailing List
Hi Team,

With reference to point 2: I had already tried this before raising this ticket. I was checking the Wazuh git issues before to see similar issues, and I had already tried the steps in this bug (Ref: https://github.com/wazuh/wazuh/issues/18145 ), which are the same as the ones referred to in point 2 here.

    Open PowerShell as Administrator.
    Type wbemtest and press enter.
    Click on [Connect...].
    Ensure the namespace is root\cimv2.
    Press [Connect].
    Under IWbemServices, select [Open Class...].
    Search for Win32_Service and click [OK].
    If you receive an error message, you need to reregister the service.

To reregister the service, perform the following:

    Open PowerShell as Administrator.
    Type mofcomp %windir%\system32\wbem\cimwin32.mof and press enter.
    Verify registration with the previous steps.



The above was already done before. It did not give me an error. I will try this again after activating Windows.


With reference to point 1: I will try to get Windows activated, then re-check and get back to you.


Note: Any idea why only the Wazuh .msi has the issue, while other .msi installers like 7zip / Wireshark work? Are there any flags that I can provide via CLI to skip any specific checks?

ak

Aug 7, 2025, 12:19:59 PM
to Wazuh | Mailing List
- WMI is working. (Verified earlier as well before I created the ticket)
- Re-tested and install gets hung. (Any ideas?)

2025-08-07_20-09.png

Farouk Musa

Aug 7, 2025, 12:38:54 PM
to Wazuh | Mailing List
I have been trying to recreate your issue with no luck and the output of the MSI log has not been very helpful. Please let me consult with others and come back to you with some more information. Thanks.

Farouk Musa

Aug 14, 2025, 8:00:04 AM
to Wazuh | Mailing List
Hello,

The process seems to get stuck while trying to create the Wazuh agent service. Can you clean the current installation and start afresh:
1. Uninstall the current installation: msiexec.exe /x wazuh-agent-4.12.0-1.msi /qn (for version 4.12)
2. Clean up any residual files that might remain from the initial installation. Check C:\Program Files (x86)\ossec-agent
3. Check that the service does not exist. Run sc query WazuhSvc from cmd to verify.
4. Run a fresh installation, ensuring that the agent installer is run as admin.
5. If the installation gets stuck at the same point, check if the service is installed: sc query WazuhSvc
6. If not installed, run these to manually install the service:
cd "\Program Files (x86)"\ossec-agent
wazuh-agent.exe install-service

Please perform the steps and let me know the outcome.
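The state checks from steps 2, 3, 5 and 6 above, combined into one script that can be run before and after an install attempt; this is an added example, not part of the original post or of Wazuh's tooling. The service name, install directory and `install-service` argument come from the post, while the function name `Get-WazuhAgentState` and the count of msiexec processes are assumptions added here. It uses `Get-Service` instead of `sc query` because in Windows PowerShell `sc` is an alias for `Set-Content`.

```powershell
#Requires -RunAsAdministrator
# Added example: report agent install state and act on it as in steps 2-6.
$ServiceName = 'WazuhSvc'                                        # from the post
$InstallDir  = Join-Path ${env:ProgramFiles(x86)} 'ossec-agent'  # from the post
$AgentExe    = Join-Path $InstallDir 'wazuh-agent.exe'

function Get-WazuhAgentState {
    # Hypothetical helper: collects the facts the steps ask for in one object.
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServiceRegistered = [bool]$svc
        ServiceStatus     = if ($svc) { $svc.Status } else { $null }
        InstallDirExists  = Test-Path -LiteralPath $InstallDir
        AgentExeExists    = Test-Path -LiteralPath $AgentExe
        # Assumption: leftover msiexec processes suggest an installer is still hung.
        MsiexecProcesses  = @(Get-Process -Name msiexec -ErrorAction SilentlyContinue).Count
    }
}

$state = Get-WazuhAgentState
$state | Format-List

if ($state.ServiceRegistered) {
    Write-Output "Service $ServiceName is registered (status: $($state.ServiceStatus))."
} elseif ($state.AgentExeExists) {
    # Step 6: files were laid down but the service was never created.
    Write-Output 'Agent files present but no service; registering it manually.'
    Push-Location $InstallDir
    try { & $AgentExe install-service } finally { Pop-Location }
    if (-not (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue)) {
        throw "install-service ran but $ServiceName is still not registered."
    }
    Write-Output "Service $ServiceName registered."
} elseif ($state.InstallDirExists) {
    # Step 2: residual directory from an earlier attempt.
    Write-Output "Residual directory without agent binary: clean up $InstallDir before reinstalling."
} else {
    # Steps 2 and 3 both satisfied.
    Write-Output 'Clean state: no service and no install directory. Ready for a fresh install.'
}
```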
