Agent crash 4.7.3 - 4.7.5 on Windows

[cscfocus]

Wazuh version	Component	Install type	Install method	Platform
4.7.3 -> 4.7.5	Wazuh agent	Deploy command from "(+) Agent" and also GPO	MSI from web site	Windows Server 2016 Std 10.0.14393.6897

Windows agent crashes after minutes being running fine.
Same agent deployed on all the servers, only this one is crashing.

Event report:
Faulting application name: wazuh-agent.exe, version: 4.7.3.0, time stamp: 0x65e0813c
Faulting module name: libstdc++-6.dll, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0x40000015
Fault offset: 0x000ed794
Faulting process id: 0x1f34
Faulting application start time: 0x01dab672f26d8ad2 Faulting application path: C:\Program Files (x86)\ossec-agent\wazuh-agent.exe
Faulting module path: C:\Program Files (x86)\ossec-agent\libstdc++-6.dll Report Id: da68fdd9-f409-4a32-95cf-9093ebe6baa1 Faulting package full name: Faulting package-relative application ID: "

[vikman90]

@cscfocus Thank you for reporting the details of this bug.

To begin with, I would like to clarify the version range 4.7.3-4.7.5. Does this mean the issue occurs in 4.7.3 and not in 4.7.2? Does it also fail in 4.7.5? This reminds me of an issue we specifically addressed in agent version 4.7.5 for Windows:

• Bug: non-UTF-8 characters kill syscheckd silently #23354

I have looked up the fault offset, and it corresponds to the __cxa_bad_array_new_length function. Unfortunately, with only this information, we cannot trace the origin of the issue. To address this, we are working on enhancing trace data to debug such errors:

• Generate Wazuh symbols for macOS, linux and windows separate from the binary file #9913

Since this version lacks this functionality, we need a way to reproduce the problem. I suggest starting by selectively disabling modules, for instance, FIM or Syscollector (which are implemented in C++ and use this DLL). Additionally, please enable windows.debug=2 in the local_internal_options.conf file. This might give us some clues about the point of failure.

Thank you again.
Best regards.

[cscfocus]

Will enable debug.
I first installed 4.7.3 and it crashed, the upgraded to 4.7.4 and 4.7.5 and the crash happens in the same way.

[vikman90]

Hello @cscfocus,

@aritosteles helped us to create an MSI package for version 4.7.5 with debugging capabilities:

• wazuh-agent-4.7.5-debuggable.zip

Please install this package and enable core dumps in Windows by following the instructions in the future Wazuh documentation.

This way, we expect that Windows will generate a core dump when the agent program crashes. If you can provide us with that core dump, we will likely be able to trace the issue you are experiencing more effectively.

Thank you for your cooperation.

Best regards,

[cscfocus]

Thank you @vikman90, I will be on site next week and will try to install the debug agent.
Not sure about the core dump if it requires a reboot, we need to schedule ahead for that.

[vikman90]

@cscfocus Thanks, we look forward to your response.

Answering your question, according to the documentation, you just need to restart the Wazuh Agent service.

Best.

[cscfocus]

w.log
One good news and a bad one.
Good news: I uninstalled the old agent, installed a new one (4.7.5) from the official distro after deleting the folder in c:\program files. This worked, it seems some permission broke on the old installation folder that led to that error. Same MSI I used before now works fine and does not crash. I never modified permissions on the installation folder by hand, somehow it broke by itself.
Bad news: the debug version you gave me does complete the installation process with success, but it does not even create the folder in c:\program files x86. It says it was installed, but nothing on the server was done. Using the stock 4.7.5 installer, same CLI, installs correctly.
I have attached the install log from the debug MSI, just for reference.

[vikman90]

Hello @cscfocus,

For the good news, it's great to hear that uninstalling the old agent and installing the new one resolved the issue.

Regarding the bad news, if the problem reappears, we will regenerate the debug package, test it, and provide it to you for further troubleshooting.

In the meantime, since the official 4.7.5 installer works correctly, I recommend continuing to use that version for now. If we need to gather more detailed debug information in the future, we will ensure that the debug version is fully functional.

Thank you for your cooperation and patience. Please let us know if you encounter any further issues or have any other questions.

Best regards

[cscfocus]

Thank you for your support @vikman90 @aritosteles