IBM Support

WinCollect: Unable to start the WinCollect process due to key corruption

Troubleshooting


Problem

The WinCollect service is unable to start after a reinstallation, and the following error is seen:
Windows could not start the Wincollect service on Local Computer.
Error 1067: The process terminated unexpectedly.

Symptom

When the Windows administrator tries to start the WinCollect process, for example, through the Windows Services, a pop-up message similar to the following appears:

[Screenshot: pop-up message shown by Windows Services]

Cause

The problem is related to a corruption of the RSA key created for the WinCollect application.

Resolving The Problem

  1. Log in as an Administrator to the Windows server where the WinCollect agent is installed.
  2. Open PowerShell.
  3. Run the following command to find the key for WinCollect.
    Notes:
    • Most of the content of these files is not in plain text.
    • The keys are located in C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\.
    • The key for the WinCollect agent contains the string WinCollect.ConfigServerConnection.
    • If you are not able to see or open the key, then the problem with the WinCollect agent could be the permissions for the key.
     
    Select-String -Path "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\*" -Pattern "WinCollect"
    Output example:
    In the following capture, the key is the one starting with 6c6416ddf7:
    [Screenshot: Select-String output listing the matching key file]
  4. Delete the key that contains the string WinCollect.ConfigServerConnection. Alternatively, move it outside the C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\ directory.
  5. Uninstall the WinCollect agent.
  6. Verify that the following folders are deleted. If they are not, delete them manually:

    C:\Program Files\IBM\WinCollect
    C:\ProgramData\WinCollect
  7. Reinstall the WinCollect agent.

    Result:
    The WinCollect agent service is able to start without any error. If the issue persists, contact QRadar Support for assistance.
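
Steps 3 and 4 as a script, added here as an example and not part of the IBM document: it locates the key file by the WinCollect.ConfigServerConnection string, prints its owner and permissions, and moves it out of MachineKeys only when run with -Move. The -Move switch and the C:\WinCollectKeyBackup folder are assumptions of this example.

```powershell
# Added example (not IBM's code). Save as a .ps1 file and run it from an elevated PowerShell session.
# Without -Move it only reports; with -Move it relocates the matching key file(s).
param([switch]$Move)

$keyDir    = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys'
$marker    = 'WinCollect.ConfigServerConnection'
$backupDir = 'C:\WinCollectKeyBackup'   # assumption: any folder outside MachineKeys

# -List stops at the first match per file; -SimpleMatch treats the marker as a literal string.
# Read failures are collected instead of printed, because an unreadable key file
# points to the permissions problem mentioned in the notes of step 3.
$hits = Select-String -Path (Join-Path $keyDir '*') -Pattern $marker -SimpleMatch -List `
            -ErrorAction SilentlyContinue -ErrorVariable readErrors

if ($readErrors) {
    Write-Warning "$($readErrors.Count) file(s) in $keyDir could not be read; check their permissions."
}
if (-not $hits) {
    Write-Warning "No readable key file contains '$marker'."
    return
}

foreach ($hit in $hits) {
    $file = Get-Item -LiteralPath $hit.Path -Force
    $acl  = Get-Acl -LiteralPath $file.FullName

    # Record what the key file looked like before touching it.
    "Key file : $($file.FullName)"
    "Modified : $($file.LastWriteTime)"
    "Owner    : $($acl.Owner)"
    $acl.Access |
        Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize |
        Out-String

    if ($Move) {
        # Moving instead of deleting keeps a copy that can be restored if needed.
        New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
        Move-Item -LiteralPath $file.FullName -Destination $backupDir -Force
        "Moved to : $backupDir"
    }
}
```

Run it once without -Move to confirm that only the WinCollect key file is listed, then rerun with -Move before continuing with step 5.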


Document Information

Modified date:
12 April 2024

UID

ibm17145201