Troubleshooting
Problem
My WinCollect agents are generating error codes for 0x0005 access denied. Why am I seeing error code 0x0005 from my WinCollect agents?
Symptom
If the user specified in the log source cannot read the registry of the remote system, then the agent generates access denied messages either in the device log messages or through syslog events. The location of the error message is provided in both the WinCollect agent logs and as a Syslog status event from the agent to QRadar. Administrators without access to the Windows hosts can use the Log Activity tab to locate access denied errors.
- Click the Admin tab.
- Click the WinCollect icon.
- Select an agent from the list.
- Click Show Events.
The Log Activity tab is displayed and filtered by the log sources associated with the agent you selected. The following are sample syslog events that can be displayed or are associated with the Access Denied error:
- LEEF:1.0|IBM|WinCollect|7.2|4|src=Hostname dst=IP address sev=3 log=Code.RegistryCacheInfo.\\IPaddress.InitializeRegistryInfo msg=Failed to query installation language on \\ IP address (Error: Error code 0x0005: Access is denied.). Defaulting to US English.
- LEEF:1.0|IBM|WinCollect|7.2|4|src=Hostname dst=IP address sev=4 log=Device.WindowsLog.RegistryCacheInfo.\\IPaddress.InitializeEnvironmentInfo msg=Couldn't retrieve environment on machine \\IP address
- LEEF:1.0|IBM|WinCollect|7.2|4|src=Hostname dst=IP address sev=4 log=Device.WindowsLog.RemoteMessageFormatter::GetMessageA.IPaddress msg=We can retrieve logs for this machine (\\IP address) but we can't seem to access the machine's registry.
NOTE: The 'Message=' portion of the payload will contain only the insertion values (no formatting will be present). This could adversely affect the parsing of the log by the receiver.
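The following added example, which is not part of the IBM document or of WinCollect, parses status events in the format shown above and groups registry access failures by remote host. The host names and IP addresses in the sample lines are constructed, and the code assumes that attributes are separated by whitespace as in the samples and that the `\\` token in `msg` names the remote host.

```python
import re
from collections import defaultdict

KEY = re.compile(r"(?:^|\s)(src|dst|sev|log|msg)=")   # keys used in the samples above
TARGET = re.compile(r"\\\\\s*([A-Za-z0-9_.-]+)")        # \\host token inside msg (assumption)
# Message fragments copied from the three sample events on this page.
MARKERS = ("Error code 0x0005", "Couldn't retrieve environment on machine",
           "can't seem to access the machine's registry")

def parse_leef(line):
    """Split one LEEF 1.0 line into header fields and key=value attributes."""
    parts = line.strip().split("|", 5)
    if len(parts) != 6 or not parts[0].startswith("LEEF:"):
        return None
    event = dict(zip(("vendor", "product", "version", "event_id"), parts[1:5]))
    body, hits = parts[5], list(KEY.finditer(parts[5]))
    for i, m in enumerate(hits):
        if m.group(1) == "msg":          # msg is free text: take the rest of the line
            event["msg"] = body[m.end():].strip()
            break
        end = hits[i + 1].start() if i + 1 < len(hits) else len(body)
        event[m.group(1)] = body[m.end():end].strip()
    return event

def registry_access_failures(lines):
    """Map each remote host to the registry access failures reported for it."""
    failures = defaultdict(list)
    for line in lines:
        ev = parse_leef(line)
        if not ev or ev["product"] != "WinCollect":
            continue
        msg = ev.get("msg", "")
        if any(marker in msg for marker in MARKERS):
            host = TARGET.search(msg)
            failures[host.group(1).rstrip(".") if host else "unknown"].append(msg)
    return dict(failures)

# Constructed sample lines modelled on the events above (hosts are placeholders).
SAMPLE = [
    r"LEEF:1.0|IBM|WinCollect|7.2|4|src=COLLECTOR01 dst=192.0.2.10 sev=3 log=Code.RegistryCacheInfo.\\192.0.2.10.InitializeRegistryInfo msg=Failed to query installation language on \\192.0.2.10 (Error: Error code 0x0005: Access is denied.). Defaulting to US English.",
    r"LEEF:1.0|IBM|WinCollect|7.2|4|src=COLLECTOR01 dst=192.0.2.10 sev=4 log=Device.WindowsLog.RemoteMessageFormatter::GetMessageA.192.0.2.10 msg=We can retrieve logs for this machine (\\192.0.2.10) but we can't seem to access the machine's registry.",
    r"LEEF:1.0|IBM|WinCollect|7.2|4|src=COLLECTOR01 dst=192.0.2.20 sev=4 log=Device.WindowsLog.RegistryCacheInfo.\\192.0.2.20.InitializeEnvironmentInfo msg=Couldn't retrieve environment on machine \\192.0.2.20",
    r"LEEF:1.0|IBM|WinCollect|7.2|4|src=COLLECTOR01 dst=192.0.2.30 sev=2 log=Device.WindowsLog.EventLogMonitor msg=Constructed unrelated status line",
]

if __name__ == "__main__":
    for host, msgs in registry_access_failures(SAMPLE).items():
        print(host, len(msgs))
```

Hosts that appear in the result are the ones whose log source credentials should be checked for remote registry read access.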
Document Information
Modified date:
26 October 2020
UID
swg21668526