Hi,
To investigate this further, we will need the available crash telemetry details and the following information:
The Wazuh Agent ossec.log file from the affected endpoints: C:\Program Files (x86)\ossec-agent\ossec.log
The Wazuh Agent ossec.conf file from the affected endpoints: C:\Program Files (x86)\ossec-agent\ossec.conf
The Wazuh Manager version.
The Wazuh Manager /var/ossec/etc/ossec.conf file.
The Wazuh Manager /var/ossec/logs/ossec.log file.
The Windows OS build number.
Whether the crash happens during installation, startup, upgrade, service start, service restart, or normal runtime.
Whether any third-party antivirus, EDR, or other security software is present on the affected hosts.
Any other supporting files or details that you can share.
Also, please share the crash dump files. If crash dumps are not already available, you can collect user-mode crash dumps for wazuh-agent.exe using Windows Error Reporting. For this, you can refer to the Wazuh documentation for guidance:
https://documentation.wazuh.com/current/development/coredump.html#windows-endpoints
Please replace any sensitive information with dummy values if that information is not required for the investigation.
This information will help us investigate the issue further.
Also, are you using any custom-built Wazuh Agent? If yes, please let us know and share the related build details.
Due to the sensitivity of the data, please share the information through a secure private channel. You may provide a OneDrive link with restricted access, or you can reply only to the author instead of using “Reply All” in the email. Alternatively, please let us know the preferred secure transfer method from your side.
Once the data is available, we will review it and continue the investigation.
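As an added example (not code from this reply or from Wazuh itself), the following PowerShell enables the standard Windows Error Reporting LocalDumps setting for wazuh-agent.exe, verifies it, and removes it afterwards; the dump folder path and the dump count are assumptions, and the script assumes an elevated prompt.

```powershell
# Added example, not part of the original reply or the Wazuh documentation.
# Enables Windows Error Reporting (WER) user-mode dumps for wazuh-agent.exe via
# the standard LocalDumps registry key. Dump folder and DumpCount are assumptions.
# Run from an elevated PowerShell prompt; WER reads these settings at crash time,
# so no agent restart is needed.

$exeName    = 'wazuh-agent.exe'
$dumpFolder = 'C:\CrashDumps\wazuh-agent'   # assumed location; adjust as needed
$werBase    = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps'
$werKey     = Join-Path $werBase $exeName

function Enable-WazuhAgentDumps {
    New-Item -Path $dumpFolder -ItemType Directory -Force | Out-Null
    New-Item -Path $werKey -Force | Out-Null
    # DumpType 2 = full dump (process memory included); 1 = mini dump.
    Set-ItemProperty -Path $werKey -Name DumpFolder -Value $dumpFolder -Type ExpandString
    Set-ItemProperty -Path $werKey -Name DumpCount  -Value 5           -Type DWord
    Set-ItemProperty -Path $werKey -Name DumpType   -Value 2           -Type DWord
}

function Test-WazuhAgentDumps {
    # Confirm the key is in place and report how many dumps exist so far.
    $props = Get-ItemProperty -Path $werKey -ErrorAction Stop
    $dumps = @(Get-ChildItem -Path $dumpFolder -Filter '*.dmp' -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        DumpFolder = $props.DumpFolder
        DumpCount  = $props.DumpCount
        DumpType   = $props.DumpType
        DumpsFound = $dumps.Count
    }
}

function Disable-WazuhAgentDumps {
    # Remove the per-process key once dumps are collected: full dumps contain
    # process memory, so keep the setting only as long as the investigation needs.
    Remove-Item -Path $werKey -Recurse -Force -ErrorAction SilentlyContinue
}

Enable-WazuhAgentDumps
Test-WazuhAgentDumps
```

Copy the resulting .dmp files to the private channel described above and call Disable-WazuhAgentDumps afterwards.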
Hi,
We have reviewed the crash dump file you shared and found that the crash pattern appears very similar to a previously reported Windows Agent issue that affected older Wazuh Agent versions.
From the dump analysis, the crash is caused by an access violation during the Wazuh Agent event-processing path. Additionally, the dump does not contain a valid stack unwind, which is commonly seen when the process stack becomes corrupted. This behavior is consistent with a previously reported issue that occurred during Wazuh Agent startup and was addressed in later Wazuh releases.
Could you please confirm whether the crash occurs during Wazuh Agent startup?
You can refer to the following GitHub discussion, which appears to describe a very similar issue: https://github.com/wazuh/wazuh/issues/34352
As a troubleshooting step, I would recommend upgrading both the Wazuh central components and the affected agents to Wazuh 4.14.3 or, preferably, the latest available version. This will help verify whether the issue is related to the previously reported bug that was addressed in newer releases.
For version compatibility, ensure that all agents are upgraded to the same version as the Wazuh server after the central components have been updated.
You can refer to the Wazuh upgrade documentation for detailed upgrade instructions.
Before performing any upgrade, I strongly recommend taking a backup of your Wazuh environment. This provides a rollback option and helps minimize risk during the upgrade process. You can follow the Wazuh backup documentation for guidance.
Please let us know the result of the startup verification and whether the issue persists after upgrading.