Collects reported as 'still in progress'

The scheduled collects on a TSIEM Windows agent do not complete, with the audit controller reporting the following error in auditctl.log

<20121210 14:30:12 utc> P259M902V0.0.1L2855A4S4E255:AudCont: Collect for AUDITHOST Microsoft Windows (18.1.267) on AUDITHOST(12.1.100) still in progress.

Enable dynamical tracing for the agent component on the TSIEM Windows Agent (see related information section).

The CeSystemLog shows that the actuator process is being started repeatedly, however each time the actuator process exits immediately with an error code 128

Below is excerpt of CeSystemLog :

<20121210 16:18:04 utc> P261M902V0.0.1L1739A4S0E30:IPCSer: Starting '..\bin\actuator A:localhost:49152:15.1.267 ..\log\actuator267.log 12.1.100 28.1.162'
<20121210 16:18:04 utc> P261M902V0.0.1L599A2S0E0:IpcKillProgram(ObjVal *povAdapt)
<20121210 16:18:04 utc> P261M902V0.0.1L599A2S0E0:IpcSer (15.1.267) ::IpcKillProgram(). No job to kill
<20121210 16:18:04 utc> P261M902V0.0.1L599A2S0E0:Crypt: Key_index used for crypting outgoing message: 1
<20121210 16:18:04 utc> P261M902V0.0.1L599A2S0E0:CrmTimer: TimerRemove(): Deleting a timer with address 004C9F80
<20121210 16:18:04 utc> P261M902V0.0.1L599A2S0E0:Route: RouteConnectionSetTimeOut(): TIMER : 12.1.1 in 3600000 msecs
<20121210 16:18:07 utc> P261M902V0.0.1L599A2S0E0:IpcJobCallBack(CRM_JOB_DESCR *pJob,ObjVal *povAdapt,int iStatus)
<20121210 16:18:07 utc> P261M902V0.0.1L599A2S0E0:IPCSER:jobcallback->kill con ( status = 128)
<20121210 16:18:07 utc> P261M902V0.0.1L599A2S0E0:IpcKillConnection(ObjVal *povAdapt)
<20121210 16:18:07 utc> P261M902V0.0.1L599A2S0E0:IpcKillConnection: removing Connection handle: 00922C50
<20121210 16:18:07 utc> P261M902V0.0.1L599A2S0E0:IPCSER:killcon:S:Connecting
<20121210 16:18:07 utc> P261M902V0.0.1L599A2S0E0:TCPIP Conn: Cancel connect localhost:49152
<20121210 16:18:07 utc> P261M902V0.0.1L599A2S0E0:IpcSetState: 15.1.267 setting state ( S:Connecting -> S:No Connection )

With the help of Microsoft's Process Monitor (formerly part of Sysinternals toolset), it was found that the actuator.exe process aborts while trying to load kernel32.dll and ntdll.dll

Description:
Company:
Name: actuator.exe
Version:
Path: D:\IBM\TSIEM\actuator\bin\actuator.exe
Command Line: ..\bin\actuator A:localhost:49152:15.1.267 ..\log\actuator267.log 12.1.100 28.1.162
PID: 2372
Parent PID: 4736
Session ID: 0
User: TSIEM
Auth ID: 00000000:3e567b49
Architecture: 32-bit
Virtualized: n/a
Integrity: n/a
Started: 10.12.2012 17:18:07
Ended: 10.12.2012 17:18:07
Modules:
actuator.exe 0x400000 0x3a000 D:\IBM\TSIEM\actuator\bin\actuator.exe
kernel32.dll 0x7c800000 0x115000 C:\WINDOWS\system32\kernel32.dll Microsoft Corporation 5.2.3790.4480 (srv03_sp2_gdr.090321-1244)
ntdll.dll 0x7c920000 0xc9000 C:\WINDOWS\system32\ntdll.dll Microsoft Corporation 5.2.3790.4937 (srv03_sp2_qfe.111121-0236)

Investigation with Microsoft Support indicated that the problem was due to Operating System running out of desktop heap memory. See Microsoft Knowledge Base article:

Article ID Q184802: User32.dll or Kernel32.dll fails to initialize

(See Related Information section for the URL link)

Use the procedure in the above knowledgebase article with your system administrator and configure / tune the SharedSection parameter in the following Windows Registry path of the TSIEM Windows agent

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems\Windows

A reboot is required for the changes to the registry to take effect.