Shutdown Order of Services (Windows)
When configuring monitors, false positives can occur depending on the order in which services shut down. For information on configuring monitors, see Monitor custom scans in the Add or modify a scan section of the Administration Guide.
Shutdown example (Service C is monitored):
- Shutdown initiated
- Service C stops
- Persistent Agent initiates monitor
- Service B stops
- Monitor completes
- Service A stops
- Persistent Agent stops
Result: Monitor fails because Service C was not running at the time of the monitor.
Configure the order in which services shut down
Registry Entry: \HKLM\SYSTEM\CurrentControlSet\Control\PreshutdownOrder
Type: REG_MULTI_SZ
Add BNPagent to the top of the list so the service shuts down early in the process:
BNPagent
DeviceInstall
UsoSvc
gpsvc
trustedinstaller
Alternatively, add in the monitored service towards the bottom of the list:
BNPagent
DeviceInstall
UsoSvc
gpsvc
trustedinstaller
<Monitored Service>
It is recommended to test these settings on a single machine first to validate them. Once validated, push the registry entries to the Windows machines using a software management program or Group Policy.
Note: Once settings are pushed to machines, they may require a reboot in order for the settings to apply.
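The registry change described above as a PowerShell script for validating on a test machine, added here as an example and not taken from the product documentation. The parameter names and the backup path are assumptions; BNPagent and the registry location come from this page.

```powershell
#Requires -RunAsAdministrator
# Added example: put the agent first in PreshutdownOrder and, optionally, the monitored service last.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$AgentService = 'BNPagent',   # service name from this page
    [string]$MonitoredService,            # optional; placed at the bottom of the list
    [string]$BackupPath = "$env:ProgramData\PreshutdownOrder.backup.txt"  # assumed location
)

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control'
$name = 'PreshutdownOrder'

# Refuse to write a name that is not an installed service (catches typos before they reach the registry).
foreach ($svc in (@($AgentService, $MonitoredService) | Where-Object { $_ })) {
    Get-Service -Name $svc -ErrorAction Stop | Out-Null
}

# Read the current REG_MULTI_SZ value; a missing value is treated as an empty list.
$current = @((Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name |
             Where-Object { $_ })

# Remove existing copies of the services being placed (-notin is case-insensitive), keep the rest in order.
$rest = @($current | Where-Object { $_ -notin @($AgentService, $MonitoredService) })
$new  = @($AgentService) + $rest
if ($MonitoredService) { $new += $MonitoredService }

# Idempotent: do nothing when the list already has the desired order.
if (($current -join '|') -eq ($new -join '|')) {
    Write-Output "$name is already in the desired order; nothing to change."
    return
}

if ($PSCmdlet.ShouldProcess("$key\$name", "Set order to: $($new -join ', ')")) {
    # Keep the previous order so the change can be reverted by hand.
    $current | Set-Content -Path $BackupPath
    Set-ItemProperty -Path $key -Name $name -Value ([string[]]$new) -Type MultiString
    Write-Output "Previous order saved to $BackupPath. A reboot may be required for the new order to apply."
}
```

Running the script with `-WhatIf` prints the order it would write without changing the registry.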