

Upgrading FCS with the latest hotfix fails due to missing DifX reg keys

When applying the latest FCS hotfix, such as KB979536, or when uninstalling the FCS client, the install fails with the following errors at the bottom of the MSI log:

MSI (s) (F8:A0) [17:38:46:253]: Note: 1: 1725
MSI (s) (F8:A0) [17:38:46:253]: Product: Microsoft Forefront Client Security Antimalware Service -- Removal failed.

Further inspection of the MSI log shows the following errors earlier in the log:

DIFXAPP: UninstallDriverPackages()
DIFXAPP: 'CustomActionData' property 'DIFxApp Version' is 2.1.
DIFXAPP: 'CustomActionData' property 'UI Level' is 2.
DIFXAPP: 'CustomActionData' property 'componentId' is {153AA63E-3BFD-495C-A35F-85F66650141D}.
DIFXAPP: 'CustomActionData' property 'flags' is 0x4.
DIFXAPP: 'CustomActionData' property 'ProductName' is Microsoft Forefront Client Security Antimalware Service.
DIFXAPP: 'CustomActionData' property 'ManufacturerName' is Microsoft Corporation.
DIFXAPP: ERROR 0x2 encountered while opening persistent-info key for component '{153AA63E-3BFD-495C-A35F-85F66650141D}'
DIFXAPP: UninstallDriverPackages failed with error 0x2
DIFXAPP: RETURN: UninstallDriverPackages() 2 (0x2)

The uninstall routine that runs during the hotfix upgrade reads the DifX registry keys to perform its operation. On a known good client the registry keys should look something like this:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DIFx

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DIFx\DriverStore

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DIFx\DriverStore\mpfilter_7624CBE7EF3BB21A52F29BE608459E93D0D31F4C

    creation           REG_BINARY      115BA0167F12C901

    type   REG_DWORD     0x4

    INF     REG_SZ mpfilter.inf

    Services           REG_MULTI_SZ  MpFilter\0\0

    ProductName REG_SZ Microsoft Forefront Client Security Antimalware Service

    ManufacturerName     REG_SZ Microsoft Corporation

    DisplayName  REG_SZ Microsoft Forefront Client Security Antimalware Service

    DependentInstaller      REG_MULTI_SZ  {153AA63E-3BFD-495C-A35F-85F66650141D}\0\0

    DependentInstallerName          REG_MULTI_SZ  Microsoft Forefront Client Security Antimalware Service\0\0

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DIFx\Services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DIFx\Services\MpFilter

    RefCount         REG_MULTI_SZ  mpfilter_7624CBE7EF3BB21A52F29BE608459E93D0D31F4C\0\0

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DIFxApp

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DIFxApp\Components

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DIFxApp\Components\{153AA63E-3BFD-495C-A35F-85F66650141D}

    DriverStore     REG_SZ               C:\WINDOWS\system32\DRVSTORE\mpfilter_7624CBE7EF3BB21A52F29BE608459E93D0D31F4C\mpfilter.inf

Restoring the known good keys above allows both the uninstall and the hotfix upgrades to succeed.
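
To triage this failure across many clients, the log signature described above can be checked mechanically. The Python below is an added example, not part of the original post: the diagnose function and its field names are hypothetical, the sample log is constructed from the lines quoted above, and it assumes the persistent-info key is the DIFxApp\Components\{componentId} entry from the known-good listing.

```python
import re

# Constructed sample, assembled from the MSI log lines quoted in the post.
SAMPLE_LOG = """\
DIFXAPP: UninstallDriverPackages()
DIFXAPP: 'CustomActionData' property 'componentId' is {153AA63E-3BFD-495C-A35F-85F66650141D}.
DIFXAPP: 'CustomActionData' property 'ProductName' is Microsoft Forefront Client Security Antimalware Service.
DIFXAPP: ERROR 0x2 encountered while opening persistent-info key for component '{153AA63E-3BFD-495C-A35F-85F66650141D}'
MSI (s) (F8:A0) [17:38:46:253]: Note: 1: 1725
MSI (s) (F8:A0) [17:38:46:253]: Product: Microsoft Forefront Client Security Antimalware Service -- Removal failed.
"""

# Parent key from the known-good listing; using it as the location of the
# persistent-info key is an assumption of this example.
COMPONENTS_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows"
                  r"\CurrentVersion\DIFxApp\Components")

ENTRY_RE = re.compile(r"^DIFXAPP: \w+\(\)$")
PROP_RE = re.compile(r"^DIFXAPP: 'CustomActionData' property '([^']+)' is (.*?)\.?$")
KEY_ERR_RE = re.compile(r"^DIFXAPP: ERROR (0x[0-9A-Fa-f]+) encountered while opening "
                        r"persistent-info key for component '(\{[0-9A-Fa-f-]+\})'")
FAILED_RE = re.compile(r"Product: (.+?) -- Removal failed\.")


def diagnose(log_text):
    """Return one finding per DIFxApp persistent-info key that could not be opened."""
    props, findings, failed = {}, [], set()
    for line in map(str.strip, log_text.splitlines()):
        if ENTRY_RE.match(line):
            props = {}  # a new custom action starts a new property set
        elif m := PROP_RE.match(line):
            props[m.group(1)] = m.group(2)
        elif m := KEY_ERR_RE.match(line):
            code, component = int(m.group(1), 16), m.group(2)
            findings.append({
                "component": component,
                "product": props.get("ProductName"),
                "error": code,
                # 0x2 is ERROR_FILE_NOT_FOUND: the key itself is absent.
                "missing_key": COMPONENTS_KEY + "\\" + component if code == 2 else None,
            })
        elif m := FAILED_RE.search(line):
            failed.add(m.group(1))
    for f in findings:  # tie each key error to the final "Removal failed" line
        f["removal_failed"] = f["product"] in failed
    return findings
```

MSI logs are often written as UTF-16, so decode the file accordingly before passing its text to diagnose.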