Merge pull request #250 from netwrix/upd-ka0Qk000000GEILIA4

Update Activity Monitor KB: Agent returns no results for Active Directory

Author: hilram7

docs/kb/activitymonitor/agent-returns-no-results-for-active-directory.md

@@ -16,40 +16,39 @@ products:
   - activitymonitor
   - threat-prevention
 sidebar_label: Agent Returns No Results for Active Directory
-tags: []
+tags: [Troubleshooting]
 title: "Agent Returns No Results for Active Directory"
 knowledge_article_id: kA04u000000LLO2CAO
 ---
 
 # Agent Returns No Results for Active Directory
 
-## Symptom
+## Symptoms
 
-You have encountered the following `Cannot Find Process` error in the Netwrix Threat Prevention logs:
+1. You encounter the following `Cannot Find Process` error in the Netwrix Threat Prevention logs:
 
-```text
-Failed loading monitor dll:
-C:\Program Files\STEALTHbits\StealthINTERCEPT\SIWindowsAgent\SI.ActiveDirectoryMonitor.dll, status: CannotFindProcess
-```
+   * `Failed loading monitor DLL: C:\Program Files\STEALTHbits\StealthINTERCEPT\SIWindowsAgent\SI.ActiveDirectoryMonitor.dll, status: CannotFindProcess`
 
-When attempting to create a dump of `LSASS.exe` via Task Manager on the affected domain controller, it fails or creates a 0-kb file. If the dump creation succeeds, it does not indicate that `SIWindowsAgent.exe` is not blocked, only that `Taskmgr.exe` is allowed to access `LSASS.exe`.
+2. When inspecting `C:\Program Files\Netwrix\Netwrix Threat Prevention\SIWindowsAgent\ADMonitor_Logs`, if there is no recent `HookTrace<yyyy-mm-dd>.log` present, the agent is blocked from hooking `LSASS.exe` by a third party.
 
-## Cause
+3. When attempting to create a dump of `LSASS.exe` via Task Manager on the affected domain controller, it fails or creates a 0-KB file. If the dump creation succeeds, it does not indicate that `SIWindowsAgent.exe` is not blocked, only that `Taskmgr.exe` is allowed to access `LSASS.exe`.
 
-Endpoint protection is hiding the `LSASS.exe` process from `SIWindowsagent.exe` or otherwise blocking the hook into the LSASS API. Common EPP solutions include CarbonBlack, Cylance, and CrowdStrike.
+## Cause
 
-## Resolution
+Endpoint protection is hiding the `LSASS.exe` process from `SIWindowsAgent.exe` or otherwise blocking the hook into the LSASS API. Common endpoint protection (EPP) solutions include Carbon Black, Cylance, and CrowdStrike.
 
-In the endpoint protection configuration, allow `SIWindowsAgent.exe` and the contents of the SIAgent install directory access to `LSASS.exe`. Refer to the following default folder:
+> **NOTE:** Not all endpoint protection software properly logs when they block the attempted `LSASS.exe` hook.
 
-```text
-C:\Program Files\STEALTHBits\StealthINTERCEPT\SIWindowsAgent
-```
+## Resolution
 
-Refer to the following article for additional information on recommended exclusions for your antivirus and endpoint protection solutions: Installation — Antivirus Software Considerations · v7.3
-https://docs.netwrix.com/docs/threatprevention/7_5
+1. Refer to the following article for recommended exclusions for your antivirus and endpoint protection solutions: [Installation — Antivirus Software Considerations](https://docs.netwrix.com/docs/threatprevention/7_5/install/overview#antivirus-software-considerations).
+2. Inspect the following registry key:
+   `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa`
+3. If this location contains the value `RunAsPPL` of type `REG_DWORD` set to `1`, change it to **`0`** and reboot the machine.
+4. If this change allows `SIWindowsAgent.exe` to inject into `LSASS.exe` (i.e., no `processNotFound` error is returned), then you must add the file **`plsahlp.sys`** to the allowlist of the EDR/antivirus solution before setting the registry value back to `1`.
+5. If, after validating these exclusions and restarting the SIWindowsAgent, the hook to `LSASS.exe` still fails, contact your endpoint protection vendor's support for assistance with proper configuration.
 
-## Related Article
+## Related Links
 
-- Installation — Antivirus Software Considerations · v7.3  
-  https://docs.netwrix.com/docs/threatprevention/7_5
+* [Installation — Antivirus Software Considerations](https://docs.netwrix.com/docs/threatprevention/7_5/install/overview#antivirus-software-considerations)
+* [Configuring Additional LSA Protection](https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection)