Skip to main content

 

Druva Documentation

Failed to launch inSync Client after TPM was enabled

This article applies to:

  • OS: Windows 7 and later
  • Product edition: inSync Client

Problem description

inSync Client fails to launch and backup stops on the device after the Trusted Platform Module (TPM) is enabled on the device.

inSync process workflow

Before TMP is enabled:

  1. When inSync Client is activated on a device inSync Client stores a device key in the inSync configuration on the device.
  2. The device key received from inSync Master/Cloud during an activation is sent in plain text to the inSync Client.
  3. At the same time during activation, inSync Client encrypts the inSync device keys using the CryptProtectData function of the Windows OS with the local system key (CRYPTPROTECT_LOCAL_MACHINE flag).
  4. Since the TPM is not enabled, OS provides the local system key for the encryption of the device key.
  5. The same local system key is later used to decrypt the device key, every time inSync Client service is restarted.
  6. While starting, inSync Client service loads the configuration in memory and at the same time it decrypts the device key as well.

After TPM is enabled:

A TPM is a microchip designed to provide basic security-related functions, primarily involving encryption keys. The TPM is usually installed on the motherboard of a system, and communicates with the rest of the system using a hardware bus.

  1. The OS starts using the TPM-provided key only to encrypt/decrypt keys.
  2. Since inSync Client was activated before the TPM was enabled, it used local system key during encryption. After the TPM is enabled, the OS starts providing the TPM-provided key to the inSync Client service at the startup.
  3. Since the key does not match, inSync Client fails to load the configuration with the following message:

    CouldNotConnect.png
  4. The following message is saved to the inSyncSyncer,log file:

    Error <type 'exceptions.WindowsError'>:[Error -2146893813] Key not valid for use in specified state.

    Note that the inSyncSyncer.log file is present at C:\programData\Druva\inSync4 (if upgraded from old client: C:\inSync4)
  5. Additionally, you can verify the System Event logs if the TPM was recently enabled. Following is an example from the System Event Logs:

    Log Name: System 
    Source: TPM 
    Date: 22-06-2018 02:42:41 PM 
    Event ID: 24 
    Task Category: None 
    Level: Information 
    Keywords: 
    User: SYSTEM 
    Computer: XXXX-XXXX 
    Description: 
    The Trusted Platform Module (TPM) status: Enabled and Active

Cause

This issue occurs when inSync Client is activated before the TPM is enabled.

Resolution

Since this is a change at the hardware and the OS levels, you need to rename the configuration file and reactivate the inSync Client by performing one of the following steps:

  • Manually rename the inSync configuration file and reactivate the inSync Client:
    1. Launch the Services console with elevated rights.
    2. Stop the Druva inSync Client Service from the Services console.
    3. Launch the Task Manager and end the inSyncAgent.exe process from the Task Manager.
    4. Open Windows Explorer and go to C:\ProgramData\Druva\inSync4\users folder and see folder(s) created with the logged in user accounts.
    5. Open the user folders one-by-one and rename the inSync.cfg file to old. The file is present under all the user folders.
    6. Start the Druva inSync Client Service from the Services console.
    7. Launch the inSync Client and perform the activation steps.
    8. Select replace device during activation if asked and choose the same device from the list to replace with.
    9. Do not restore the data and complete the activation.
  • Use a bat script to rename the inSync configuration file and manually reactivate the inSync Client.
    1. Launch a notepad and enter the following text:

      @echo off

      IF EXIST C:\inSync4 (GOTO DO_REN1) ELSE (GOTO DO_REN2)

      GOTO END

      :DO_REN1

      For /F %%H in ('sc query "inSyncCPHService" ^| findstr "    STATE"') do ( 

      if /I "%%H" neq "STOPPED" ( 
      net stop "inSyncCPHService" 

      taskkill /fi "IMAGENAME eq inSync.exe" /f
      taskkill /fi "IMAGENAME eq inSyncAgent.exe.exe" /f

      cd \
      c:
      cd inSync4\users
      for /R %%x in (insync.cfg) do ren "%%x" insync.TPMold

      TIMEOUT /T 10

      For /F %%H in ('sc query "inSyncCPHService" ^| findstr "    STATE"') do ( 

      if /I "%%H" neq "RUNNING" ( 
      net start "inSyncCPHService" 

      Exit

      :DO_REN2

      For /F %%H in ('sc query "inSyncCPHService" ^| findstr "    STATE"') do ( 

      if /I "%%H" neq "STOPPED" ( 
      net stop "inSyncCPHService" 

      taskkill /fi "IMAGENAME eq inSync.exe" /f
      taskkill /fi "IMAGENAME eq inSyncAgent.exe.exe" /f 
      cd \
      c:
      cd C:\ProgramData\Druva\inSync4\users
      for /R %%x in (insync.cfg) do ren "%%x" insync.TPMold

      TIMEOUT /T 10

      For /F %%H in ('sc query "inSyncCPHService" ^| findstr "    STATE"') do ( 

      if /I "%%H" neq "RUNNING" ( 
      net start "inSyncCPHService" 

      Exit

      :END
      exit 0

    2. Save the file with an extension .bat. For example, inSync_cfg_ren.bat
    3. Run the script with elevated rights.
    4. Launch the inSync Client and perform the activation steps.
    5. Select Replace Device during the client activation and select the same device to replace.
    6. Do not restore the data and complete the activation.
       
  • Use a bat script to rename the inSync configuration file and auto activate the inSync Client (if the inSync IMD being used):
    1. Keep the inSync IMD token ready.
    2. Launch a notepad and enter the following text:

      @echo off

      IF EXIST C:\inSync4 (GOTO DO_REN1) ELSE (GOTO DO_REN2)

      GOTO END

      :DO_REN1

      For /F %%H in ('sc query "inSyncCPHService" ^| findstr "    STATE"') do ( 

      if /I "%%H" neq "STOPPED" ( 
      net stop "inSyncCPHService" 

      taskkill /fi "IMAGENAME eq inSync.exe" /f
      taskkill /fi "IMAGENAME eq inSyncAgent.exe.exe" /f

      cd \
      c:
      cd inSync4\users
      for /R %%x in (insync.cfg) do ren "%%x" insync.TPMold

      :: CheckOS
      IF EXIST "%PROGRAMFILES(X86)%" (GOTO 64BIT) ELSE (GOTO 32BIT)

      :64BIT
      echo "64-bit..." >> "C:\inSyncFix.log"  2>&1

      reg query "HKLM\SOFTWARE\Wow6432Node\Druva Software" >> "C:\inSyncFix.log"  2>&1
      if %errorlevel% == 0  reg delete "HKLM\SOFTWARE\Wow6432Node\Druva Software" /f >> "C:\inSyncFix.log"  2>&1

      set INSYNC_AGENT="%PROGRAMFILES(X86)%\Druva\inSync\inSyncAgent.exe"

      GOTO SAVE_TOKEN

      :32BIT
      echo "32-bit..." >> "C:\inSyncFix.log"  2>&1

      reg query "HKLM\SOFTWARE\Druva Software" >> "C:\inSyncFix.log"  2>&1
      if %errorlevel% == 0  reg delete "HKLM\SOFTWARE\Druva Software" /f >> "C:\inSyncFix.log"  2>&1

      set INSYNC_AGENT="%PROGRAMFILES%\Druva\inSync\inSyncAgent.exe"

      GOTO SAVE_TOKEN

      :SAVE_TOKEN

      :: provide the parameters in double quote
      %INSYNC_AGENT% -t ‘IMD-TOKEN-HERE’ -m "cloud.druva.com:PORT" 

      TIMEOUT /T 10

      For /F %%H in ('sc query "inSyncCPHService" ^| findstr "    STATE"') do ( 

      if /I "%%H" neq "RUNNING" ( 
      net start "inSyncCPHService" 

      Exit

      :DO_REN2

      For /F %%H in ('sc query "inSyncCPHService" ^| findstr "    STATE"') do ( 

      if /I "%%H" neq "STOPPED" ( 
      net stop "inSyncCPHService" 

      taskkill /fi "IMAGENAME eq inSync.exe" /f
      taskkill /fi "IMAGENAME eq inSyncAgent.exe.exe" /f 
      cd \
      c:
      cd C:\ProgramData\Druva\inSync4\users
      for /R %%x in (insync.cfg) do ren "%%x" insync.TPMold

      :: CheckOS
      IF EXIST "%PROGRAMFILES(X86)%" (GOTO 64BIT) ELSE (GOTO 32BIT)

      :64BIT
      echo "64-bit..." >> "C:\inSyncFix.log"  2>&1

      reg query "HKLM\SOFTWARE\Wow6432Node\Druva Software" >> "C:\inSyncFix.log"  2>&1
      if %errorlevel% == 0  reg delete "HKLM\SOFTWARE\Wow6432Node\Druva Software" /f >> "C:\inSyncFix.log"  2>&1

      set INSYNC_AGENT="%PROGRAMFILES(X86)%\Druva\inSync\inSyncAgent.exe"

      GOTO SAVE_TOKEN

      :32BIT
      echo "32-bit..." >> "C:\inSyncFix.log"  2>&1

      reg query "HKLM\SOFTWARE\Druva Software" >> "C:\inSyncFix.log"  2>&1
      if %errorlevel% == 0  reg delete "HKLM\SOFTWARE\Druva Software" /f >> "C:\inSyncFix.log"  2>&1

      set INSYNC_AGENT="%PROGRAMFILES%\Druva\inSync\inSyncAgent.exe"

      GOTO SAVE_TOKEN

      :SAVE_TOKEN

      :: provide the parameters in double quote
      %INSYNC_AGENT% -t ‘IMD-TOKEN-HERE’ -m "cloud.druva.com:PORT" 

      TIMEOUT /T 10

      For /F %%H in ('sc query "inSyncCPHService" ^| findstr "    STATE"') do ( 

      if /I "%%H" neq "RUNNING" ( 
      net start "inSyncCPHService" 

      Exit

      :ENDs
      exit 0

       

    3. In the above script:
      • Replace 'IMD-TOKEN-HERE'  with and IMD token and use single quotes.
      • Replace  "cloud.druva.com:PORT" with the inSync Master's IP/FQDN and port number and use double quoes. For example, "could.druva.com:443".
    4. Save the file with an extension .bat.  For example, inSync_cfg_ren_Activate.bat
    5.  Run the script with elevated rights.
    6. After successfully runniung the script, launch the inSync Client and verify.
       

See also