After upgrading Endpoint Protection, the system gets stuck at the Windows login screen after the reboot
Windows Server 2012 R2 64-bit
The log shows that the registry flush failed several times:
-12T21:51:28.350Z WARN I NAT SetExecutorInProgress() - Failed to flush the registry key. 0xC000014D = An I/O operation initiated by the Registry failed unrecoverably. The Registry could not read in, or write out, or flush, one of the files that contain the system's image of the Registry.
From memory dump analysis, we can see SISNAT requesting a reboot:
c ffffd000c7976b00 00007ffa6b79206a nt!KiSystemServiceCopyEnd+0x13
d 00000028d4d4f9d8 00000000613bcb02 ntdll!NtShutdownSystem+0xa
e 00000028d4d4f9e0 00000028d4ea3148 sisnat << shut down request
There are SEP drivers running in native mode. SISNAT sets their start type to 3 (on-demand) and tries to reboot. This is where there's a deadlock.
The SEP drivers are set to on-demand start at three points: 1) during migration, pre-reboot SIS; 2) in SIS running in ccSvcHst when it gets a system shutdown event; and 3) in SISNAT.
Scenario 1 - succeeds, but the month's time before the actual reboot caused some issues. There were likely content updates that caused the SEP driver start types to remediate and change back to 1 (system start).
Scenario 2 - doesn't get to run because Microsoft set the Windows service timeout to 5 seconds; it used to be 30 seconds. Basically, the system will shut down after 5 seconds and not allow services to finish any shutdown operations.
Scenario 3 - the last attempt by SEP to set the start type to ensure no SEP drivers are running in native mode to complete the migration.
Workaround: Allow scenario 2 to execute to avoid scenario 3 and the deadlock. Setting the Windows service timeout to 30 seconds allows SIS to execute during system shutdown.
Have the customer change the following registry setting to increase the timeout from 5 seconds (5000 ms) to 30 seconds (30000 ms).