From e54a9a2c2e03604e4139994dc2c34f48d834514c Mon Sep 17 00:00:00 2001
From: hilram7
Date: Thu, 25 Sep 2025 17:22:08 -0400
Subject: [PATCH] Update Activity Monitor KB article: Agent returns no results for Active Directory
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Updated troubleshooting guide for Activity Monitor agent issues with Active Directory results.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude
---
 ...returns-no-results-for-active-directory.md | 39 +++++++++----------
 1 file changed, 19 insertions(+), 20 deletions(-)

diff --git a/docs/kb/activitymonitor/agent-returns-no-results-for-active-directory.md b/docs/kb/activitymonitor/agent-returns-no-results-for-active-directory.md
index 8b547dad6d..73edde02f0 100644
--- a/docs/kb/activitymonitor/agent-returns-no-results-for-active-directory.md
+++ b/docs/kb/activitymonitor/agent-returns-no-results-for-active-directory.md
@@ -16,40 +16,39 @@ products: - activitymonitor - threat-prevention sidebar_label: Agent Returns No Results for Active Directory -tags: [] +tags: [Troubleshooting] title: "Agent Returns No Results for Active Directory" knowledge_article_id: kA04u000000LLO2CAO --- # Agent Returns No Results for Active Directory -## Symptom +## Symptoms -You have encountered the following `Cannot Find Process` error in the Netwrix Threat Prevention logs: +1. You encounter the following `Cannot Find Process` error in the Netwrix Threat Prevention logs: -```text -Failed loading monitor dll: -C:\Program Files\STEALTHbits\StealthINTERCEPT\SIWindowsAgent\SI.ActiveDirectoryMonitor.dll, status: CannotFindProcess -``` + * `Failed loading monitor DLL: C:\Program Files\STEALTHbits\StealthINTERCEPT\SIWindowsAgent\SI.ActiveDirectoryMonitor.dll, status: CannotFindProcess` -When attempting to create a dump of `LSASS.exe` via Task Manager on the affected domain controller, it fails or creates a 0-kb file. If the dump creation succeeds, it does not indicate that `SIWindowsAgent.exe` is not blocked, only that `Taskmgr.exe` is allowed to access `LSASS.exe`. +2. When inspecting `C:\Program Files\Netwrix\Netwrix Threat Prevention\SIWindowsAgent\ADMonitor_Logs`, if there is no recent `HookTrace.log` present, the agent is blocked from hooking `LSASS.exe` by a third party. -## Cause +3. When attempting to create a dump of `LSASS.exe` via Task Manager on the affected domain controller, it fails or creates a 0-KB file. If the dump creation succeeds, it does not indicate that `SIWindowsAgent.exe` is not blocked, only that `Taskmgr.exe` is allowed to access `LSASS.exe`. -Endpoint protection is hiding the `LSASS.exe` process from `SIWindowsagent.exe` or otherwise blocking the hook into the LSASS API. Common EPP solutions include CarbonBlack, Cylance, and CrowdStrike. 
+## Cause -## Resolution +Endpoint protection is hiding the `LSASS.exe` process from `SIWindowsAgent.exe` or otherwise blocking the hook into the LSASS API. Common endpoint protection (EPP) solutions include Carbon Black, Cylance, and CrowdStrike. -In the endpoint protection configuration, allow `SIWindowsAgent.exe` and the contents of the SIAgent install directory access to `LSASS.exe`. Refer to the following default folder: +> **NOTE:** Not all endpoint protection software properly logs when they block the attempted `LSASS.exe` hook. -```text -C:\Program Files\STEALTHBits\StealthINTERCEPT\SIWindowsAgent -``` +## Resolution -Refer to the following article for additional information on recommended exclusions for your antivirus and endpoint protection solutions: Installation โ€” Antivirus Software Considerations ยท v7.3 -https://docs.netwrix.com/docs/threatprevention/7_5 +1. Refer to the following article for recommended exclusions for your antivirus and endpoint protection solutions: [Installation โ€” Antivirus Software Considerations](https://docs.netwrix.com/docs/threatprevention/7_5/install/overview#antivirus-software-considerations). +2. Inspect the following registry key: + `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa` +3. If this location contains the value `RunAsPPL` of type `REG_DWORD` set to `1`, change it to **`0`** and reboot the machine. +4. If this change allows `SIWindowsAgent.exe` to inject into `LSASS.exe` (i.e., no `processNotFound` error is returned), then you must add the file **`plsahlp.sys`** to the allowlist of the EDR/antivirus solution before setting the registry value back to `1`. +5. If, after validating these exclusions and restarting the SIWindowsAgent, the hook to `LSASS.exe` still fails, contact your endpoint protection vendor's support for assistance with proper configuration. 
-## Related Article +## Related Links -- Installation โ€” Antivirus Software Considerations ยท v7.3 - https://docs.netwrix.com/docs/threatprevention/7_5 +* [Installation โ€” Antivirus Software Considerations](https://docs.netwrix.com/docs/threatprevention/7_5/install/overview#antivirus-software-considerations) +* [Configuring Additional LSA Protection](https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection)
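Review bot: Steps 3 and 4 of the new Resolution only restore `RunAsPPL` to `1` on the success path ("before setting the registry value back to `1`"); if the injection test in step 4 fails, or the reader stops at step 5 and contacts the vendor, the article leaves LSA protection disabled on a domain controller. Make the re-enable an unconditional final step and state that setting the value to `0` is a temporary diagnostic change, so the procedure cannot end in a weaker configuration than it started with. Smaller points in the same hunk: step 4 refers to a `processNotFound` error while the symptom quotes `status: CannotFindProcess`, so the two should use the same identifier; the quoted log line changed from `monitor dll` to `monitor DLL`, which should be checked against the agent's actual output rather than edited for style; symptom 2 introduces `C:\Program Files\Netwrix\Netwrix Threat Prevention\SIWindowsAgent\ADMonitor_Logs` while the error text still points at `C:\Program Files\STEALTHbits\StealthINTERCEPT\SIWindowsAgent`, so say which path applies to which product version; and the removed sentence telling the reader to allow `SIWindowsAgent.exe` and the contents of the install directory access to `LSASS.exe` was the only concrete exclusion guidance in the article, so either keep it or confirm that the linked antivirus considerations page states the same exclusions.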