Faulting application name: powershell.exe, version: 10.0.19041.546

Question

Recently I have noticed that policies that previously ran in my enviornment are not erroring out. Everything from normal patch polocies to custom worklets all that workd up until 9/28/22. I went into the event viewer of a sample host and found the entry below related Faulting application name: powershell.exe, version: 10.0.19041.546. I also found a second log entry under the Microsoft->Windows-Powershell hive.

I’m not sure why this is happening and need to find an answer otherwise my devices will continue to expierance errors when patching or running worklets.

Log Name: Application
Source: Application Error
Date: 10/2/2022 2:43:34 PM
Event ID: 1000
Task Category: (100)
Level: Error
Keywords: Classic
User: N/A
Computer: IT-SC-SR-H234C.cmkts.com
Description:
Faulting application name: powershell.exe, version: 10.0.19041.546, time stamp: 0x30f12f73
Faulting module name: Wldp.dll, version: 10.0.19041.1949, time stamp: 0xc0574ffa
Exception code: 0xc0000409
Fault offset: 0x0000bad4
Faulting process id: 0x44e8
Faulting application start time: 0x01d8d6a803715c33
Faulting application path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Faulting module path: C:\Windows\SYSTEM32\Wldp.dll
Report Id: 18141b16-a2d1-44d4-9c4d-6cd1b16be3a4
Faulting package full name:
Faulting package-relative application ID:
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Application Error" />
<EventID Qualifiers="0">1000</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>100</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2022-10-02T21:43:34.5093822Z" />
<EventRecordID>46947</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>IT-SC-SR-H234C.cmkts.com</Computer>
<Security />
</System>
<EventData>
<Data>powershell.exe</Data>
<Data>10.0.19041.546</Data>
<Data>30f12f73</Data>
<Data>Wldp.dll</Data>
<Data>10.0.19041.1949</Data>
<Data>c0574ffa</Data>
<Data>c0000409</Data>
<Data>0000bad4</Data>
<Data>44e8</Data>
<Data>01d8d6a803715c33</Data>
<Data>C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data>C:\Windows\SYSTEM32\Wldp.dll</Data>
<Data>18141b16-a2d1-44d4-9c4d-6cd1b16be3a4</Data>
<Data>
</Data>
<Data>
</Data>
</EventData>
</Event>

Log Name: Microsoft-Windows-PowerShell/Operational
Source: Microsoft-Windows-PowerShell
Date: 10/2/2022 2:44:31 PM
Event ID: 4104
Task Category: Execute a Remote Command
Level: Warning
Keywords: None
User: SYSTEM
Computer: IT-SC-SR-H234C.cmkts.com
Description:
Creating Scriptblock text (9 of 9):
mines whether an executable file is 16-bit, 32-bit or 64-bit.
.DESCRIPTION
Attempts to read the MS-DOS and PE headers from an executable file to determine its type.
The command returns one of four strings (assuming no errors are encountered while reading the
file):
$null, "16", "32", or "64"
.PARAMETER Path
Path to the file which is to be checked.
.OUTPUTS
String
.LINK
Based off code under Microsoft Limited Public License:
https://gallery.technet.microsoft.com/scriptcenter/Identify-16-bit-32-bit-and-522eae75
#>
param ( Parameter(Mandatory=$true)]lstring]$Path )

$exeType = $null
$bytes = New-Object byten](4)
Try
{
$stream = New-Object System.IO.FileStream -ArgumentList $path, Open, Read
if ($stream.Length -ge 64 -and
$stream.Read($bytes, 0, 2) -eq 2 -and
$bytese0] -eq 0x4D -and $bytesS1] -eq 0x5A)
{
$exeType = '16'

if ($stream.Seek(0x3C, System.IO.SeekOrigin]::Begin) -eq 0x3C -and
$stream.Read($bytes, 0, 4) -eq 4)
{
if (-not�System.BitConverter]::IsLittleEndian)
{
.Array]::Reverse($bytes, 0, 4)
}
$peHeaderOffset = System.BitConverter]::ToUInt32($bytes, 0)

if ($stream.Length -ge $peHeaderOffset + 6 -and
$stream.Seek($peHeaderOffset, �System.IO.SeekOrigin]::Begin) -eq $peHeaderOffset -and
$stream.Read($bytes, 0, 4) -eq 4 -and
$bytes/0] -eq 0x50 -and $bytes�1] -eq 0x45 -and $bytes 2] -eq 0 -and $bytes+3] -eq 0)
{
$exeType = $null

if ($stream.Read($bytes, 0, 2) -eq 2)
{
if (-not-System.BitConverter]::IsLittleEndian)
{
tArray]::Reverse($bytes, 0, 2)
}
$machineType = ySystem.BitConverter]::ToUInt16($bytes, 0)

switch ($machineType)
{
0x014C {
$exeType = '32'
}
0x0200 {
$exeType = '64'
}
0x8664 {
$exeType = '64'
}
}
}
}
}
$stream.Close()
}
else {
$stream.Close()
Write-Error ("Error parsing file '" + �string]$path + "', possibly corrupt, empty or not a Windows excutable")
return
}
}
Catch
{
$stream.Close()
# Encountered some error in checking file, possibly corrupt file
Write-Error ("Error parsing file '" + string]$path + "'")
return
}
return $exeType
}

#returns os arch
Function getOSArch()
{
Try
{
if ($script:arch -eq $null)
{
#$prop = $env:PROCESSOR_ARCHITECTURE
$prop = (Get-ItemProperty -Path HKLM:'\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name 'PROCESSOR_ARCHITECTURE').PROCESSOR_ARCHITECTURE
if ($prop -like '*64*')
{
$script:arch = 64
}
else
{
$script:arch = 32
}

if ($script:arch -eq 64)
{
$script:archs = @(32, 64)
}
else
{
$script:archs = @(32)
}
}

return $script:arch
}
Catch
{
#couldn't determine os arch
Throw
}
}

#returns true if the wmi is corrupt
Function isCorruptWMI()
{
if ($script:isCorruptWmi -eq $null)
{
Try
{
$osarch = (Get-WmiObject Win32_OperatingSystem).OSArchitecture
$script:isCorruptWmi = $FALSE
}
Catch
{
Write-Host $_
$script:isCorruptWmi = $TRUE
}
}
return $script:isCorruptWmi
}

Function init()
{
$script:isCorruptWmi = $null
$script:arch = $null
$script:archs = @()
bvoid](getOSArch)
$serviceManager = New-Object -ComObject Microsoft.Update.ServiceManager -Strict
$serviceManager.ClientApplicationID = 'Automox'
#Enables Windows Update to check for updates for Microsoft Products such as office
try
{
$svc = $serviceManager.AddService2("7971f918-a847-4430-9279-4a52d1efe18d", 7, "")
}
catch
{
$host.ui.WriteErrorLine("Couldn't add MS update source")
}
}

Function GetSoftware()
{
init
listPackages
}

GetSoftware

exit 0

ScriptBlock ID: 6058700e-6713-4de5-81a1-2e6b57fc6565
Path: C:\Program Files (x86)\Automox\execDir089904839\execcmd529080698.ps1
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-PowerShell" Guid="{a0c1853b-5c40-4b15-8766-3cf1c58f985a}" />
<EventID>4104</EventID>
<Version>1</Version>
<Level>3</Level>
<Task>2</Task>
<Opcode>15</Opcode>
<Keywords>0x0</Keywords>
<TimeCreated SystemTime="2022-10-02T21:44:31.4941419Z" />
<EventRecordID>133656</EventRecordID>
<Correlation ActivityID="{dc6a2637-d6a7-0007-523b-6adca7d6d801}" />
<Execution ProcessID="19252" ThreadID="4852" />
<Channel>Microsoft-Windows-PowerShell/Operational</Channel>
<Computer>IT-SC-SR-H234C.cmkts.com</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="MessageNumber">9</Data>
<Data Name="MessageTotal">9</Data>
<Data Name="ScriptBlockText">mines whether an executable file is 16-bit, 32-bit or 64-bit.
.DESCRIPTION
Attempts to read the MS-DOS and PE headers from an executable file to determine its type.
The command returns one of four strings (assuming no errors are encountered while reading the
file):
$null, "16", "32", or "64"
.PARAMETER Path
Path to the file which is to be checked.
.OUTPUTS
String
.LINK
Based off code under Microsoft Limited Public License:
https://gallery.technet.microsoft.com/scriptcenter/Identify-16-bit-32-bit-and-522eae75
#>
param ( cParameter(Mandatory=$true)]rstring]$Path )

$exeType = $null
$bytes = New-Object byte�](4)
Try
{
$stream = New-Object System.IO.FileStream -ArgumentList $path, Open, Read
if ($stream.Length -ge 64 -and
$stream.Read($bytes, 0, 2) -eq 2 -and
$bytesr0] -eq 0x4D -and $bytesr1] -eq 0x5A)
{
$exeType = '16'

if ($stream.Seek(0x3C, .System.IO.SeekOrigin]::Begin) -eq 0x3C -and
$stream.Read($bytes, 0, 4) -eq 4)
{
if (-notnSystem.BitConverter]::IsLittleEndian)
{
hArray]::Reverse($bytes, 0, 4)
}
$peHeaderOffset = System.BitConverter]::ToUInt32($bytes, 0)

if ($stream.Length -ge $peHeaderOffset + 6 -and
$stream.Seek($peHeaderOffset, �System.IO.SeekOrigin]::Begin) -eq $peHeaderOffset -and
$stream.Read($bytes, 0, 4) -eq 4 -and
$bytes<0] -eq 0x50 -and $bytes 1] -eq 0x45 -and $bytese2] -eq 0 -and $bytese3] -eq 0)
{
$exeType = $null

if ($stream.Read($bytes, 0, 2) -eq 2)
{
if (-not$System.BitConverter]::IsLittleEndian)
{
fArray]::Reverse($bytes, 0, 2)
}
$machineType = eSystem.BitConverter]::ToUInt16($bytes, 0)

switch ($machineType)
{
0x014C {
$exeType = '32'
}
0x0200 {
$exeType = '64'
}
0x8664 {
$exeType = '64'
}
}
}
}
}
$stream.Close()
}
else {
$stream.Close()
Write-Error ("Error parsing file '" + �string]$path + "', possibly corrupt, empty or not a Windows excutable")
return
}
}
Catch
{
$stream.Close()
# Encountered some error in checking file, possibly corrupt file
Write-Error ("Error parsing file '" + string]$path + "'")
return
}
return $exeType
}

#returns os arch
Function getOSArch()
{
Try
{
if ($script:arch -eq $null)
{
#$prop = $env:PROCESSOR_ARCHITECTURE
$prop = (Get-ItemProperty -Path HKLM:'\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name 'PROCESSOR_ARCHITECTURE').PROCESSOR_ARCHITECTURE
if ($prop -like '*64*')
{
$script:arch = 64
}
else
{
$script:arch = 32
}

if ($script:arch -eq 64)
{
$script:archs = @(32, 64)
}
else
{
$script:archs = @(32)
}
}

return $script:arch
}
Catch
{
#couldn't determine os arch
Throw
}
}

#returns true if the wmi is corrupt
Function isCorruptWMI()
{
if ($script:isCorruptWmi -eq $null)
{
Try
{
$osarch = (Get-WmiObject Win32_OperatingSystem).OSArchitecture
$script:isCorruptWmi = $FALSE
}
Catch
{
Write-Host $_
$script:isCorruptWmi = $TRUE
}
}
return $script:isCorruptWmi
}

Function init()
{
$script:isCorruptWmi = $null
$script:arch = $null
$script:archs = @()
$serviceManager = New-Object -ComObject Microsoft.Update.ServiceManager -Strict
$serviceManager.ClientApplicationID = 'Automox'
#Enables Windows Update to check for updates for Microsoft Products such as office
try
{
$svc = $serviceManager.AddService2("7971f918-a847-4430-9279-4a52d1efe18d", 7, "")
}
catch
{
$host.ui.WriteErrorLine("Couldn't add MS update source")
}
}

Function GetSoftware()
{
init
listPackages
}

GetSoftware

exit 0</Data>
<Data Name="ScriptBlockId">6058700e-6713-4de5-81a1-2e6b57fc6565</Data>
<Data Name="Path">C:\Program Files (x86)\Automox\execDir089904839\execcmd529080698.ps1</Data>
</EventData>
</Event>

Page 1 / 1

Has anyone eslse expeirence any issues with the Automox agent failing to work recently. I have been working with support, but as of yet are unable to find the root cause for why my hosts will no longer patch, or run any worklets. The Activity logs sometimes indicated that a patch is installing but it really isn’t. This is very frustrating.

Hello,

I’m sorry to hear you have been experiencing troubleshooting errors. I would encourage you to continue cooperating with the Automox Support team to investigate. If anyone else is experiencing similar errors, then please visit our Customer Portal and open a support ticket so we can begin investigating.

https://help.automox.com/hc/en-us

In the meantime, you could also ensure that you have added Automox to your whitelist/allowlist for Firewalls, Antivirus, and other Endpoint Protection software and updated to the latest Agent version.

https://help.automox.com/hc/en-us/articles/5352219184020-Agent-Firewall-Allowlisting-Rules

Please also note that as of Agent version 40 (1.0.40) and newer, the location of supporting files has moved from “C:\ProgramData\amagent\” to “C:\Program Files\Automox\” for 32-bit, and “C:\Program Files (x86)\Automox\” for 64-bit Windows systems. For more detail about file locations, please see Location of Files Required By Automox.

Cheers,
Brandon

Hi Brandon,

Thansk for relpying to my post, however it turned out that KB5017308 caused the issue. I ultimaely had to remove this KB from all machines and reboot them after for the agent to begin working again.

Reply

srheins · Accepted Answer

Hi Brandon,Thansk for relpying to my post, however it turned out thatKB5017308 caused the issue. I ultimaely had to remove this KB from all machines and reboot them after for the agent to begin working again.

srheins · Answer

Has anyone eslse expeirence any issues with the Automox agent failing to work recently. I have been working with support, but as of yet are unable to find the root cause for why my hosts will no longer patch, or run any worklets. The Activity logs sometimes indicated that a patch is installing but it really isn’t. This is very frustrating.

Reply

Sign up

Login to the community

Scanning file for viruses.

This file cannot be downloaded