Answered KB2780435 hosing Win2k3 servers

  • Thursday, December 06, 2012 11:10 AM
     

    Hi

    We've been rolling this out slowly via a corporate WSUS and it appears that it's hurting a few of our Win2k3 servers. They had the previous version on working fine, and this update was approved as par-for-the-course. Gradually, it has appeared to cause us trouble (thankfully, we didn't push the roll out to all).

    Symptoms are that we are coming in to find the afflicted servers reporting no anti-virus installed. FEP is still in Add/Remove programs. The executables are still on disk. The service entry is missing from Services. None of the typical Forefront executables appear to be running. Trying to uninstall it hangs (and then you can't even bring Services up again). Trying to run KB2780435 manually hangs on uninstalling.

    Anyone got any ideas here? Best suggestions to resolve so far I found are at Steve Bancroft's post here:

    http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/ea5feb8a-c66a-4bbd-994c-0d56ca715745

    A tail snippet from an afflicted server's MSSecurityClient_Setup_4.1.522.0_epp_install.log

    MSI (s) (68:E0) [06:03:11:840]: Executing op: ActionStart(Name=UnpublishFeatures,Description=Unpublishing Product Features,Template=Feature: [1])
    MSI (s) (68:E0) [06:03:11:840]: Executing op: FeatureUnpublish(Feature=UACSupport,Parent=MSMPService,Absent=2,Component=
    KaYSUOy7U=fuABMGqd[_]q6G'ZJLOAn.Xl`bJ3i(M^Q6?a%$]A'WcGG=Jg{&)
    MSI (s) (68:E0) [06:03:11:840]: Note: 1: 1402 2: UNKNOWN\Installer\Features\4D880477777087D409D44E533B815F2D 3: 2 
    MSI (s) (68:E0) [06:03:11:840]: Executing op: FeatureUnpublish(Feature=MSMPService,,Absent=2,Component=KaYSUOy7U=fuABMGqd[_]q6G'ZJLOAn.Xl`bJ3i(M^Q6?a%$]A'WcGG=Jg{&B{od?X`DZ=DEY@8X=5iA~4Wc[oB1f@_Bi?,T,Frvs(r?jTdHm@2Sekdb%7qog14WykIa'Ah`I2qLv0B7(AS&(jm@+?V0(e2s{GVWOl?ZFuIiK=jNBaR*QrV35JLjliTZ5?7=$I3+^(YHv]YNdLrxl=tIR)o^=i8,-6ial_U_1?]ruFM^Acpkf.jLu4zqD=I={5cUhCd$cl3IZyt-T=}OGBGz0yv0^'JVm_Vb2Aa[=UmKq2wwb4zV)scLD@pQ,)[&o3DV@$MXQEv`w@6+4DD5X.,-UNX^txejM?k!tM6%.~B,II!qg8W~2Ak]cxRzs6,0%RuMW8B@S={JbiE17yUoFk__3U7b!@X1A9U`vBiTWKHAjTO36=]T=)vh64RX5$Ydq,=-o8zB`bh]Oycaw^^@xp2ci?qT%y0pO1Wr$Zo`2n?UY@E0pV)e3VqglVDT5j$uYA!M.'pD4SIv}70kwLzGX@'(2SBlNy4@6mw0bJP8o9z9Q7Cfk9D`vfD~UMLxx?X+rcF}v8[XDe&D3LIG29)5xzQYE$s2Uc9IQi17k@*J[tWjye.1G'FI0Yo6?=o+^b`r3UP^(x(JXB{5e9TT$DCTG96a.)C`]dheA9g~z3^=&kSzI}z*1m!Q)9J%h=
    e$9EDLb6o04F2wP9R&QS@xBHlsSTU,%D(wt95yKwzxJKQS_.%]Ff&rJAn.YYrS)EoSED6sr]x'x?V2vR5mZnzAQSkRwJ9GcACWLLub~e]^0vl.?=Eq-9)uYu4,!]YwLNtlz1{K2?.&7MXyz{)$H}mER%Fy@?6b4(_!t%j'f6.JnE0&A=b4179fWSj-i4`.f~5$y@n{e]MW?Pbr0O^tuk9-O=&?3TYTjm*0IZUUfv`%%AOLr+j5hCGDW.C2Ud]Vq?j}w-AlR%-vkVeqLA+xg8u5hT--t+DaiA4s^Im9==wy}Ov'
    MSI (s) (68:E0) [06:03:11:840]: Note: 1: 1402 2: UNKNOWN\Installer\Features\4D880477777087D409D44E533B815F2D 3: 2 
    MSI (s) (68:E0) [06:03:11:840]: Executing op: ActionStart(Name=ExecSecureObjectsRollback,,)
    MSI (s) (68:E0) [06:03:11:840]: Executing op: CustomActionSchedule(Action=ExecSecureObjectsRollback,ActionType=3329,Source=BinaryData,Target=ExecSecureObjectsRollback,CustomActionData=MsMpSvc€ServiceInstall€D:(A;;CCLCSWRPLOCRRC;;;BU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CR;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)€0)
    MSI (s) (68:E0) [06:03:11:840]: Executing op: ActionStart(Name=StopServices,Description=Stopping services,Template=Service: [1])
    MSI (s) (68:E0) [06:03:11:840]: Executing op: ProgressTotal(Total=1,Type=1,ByteEquivalent=1300000)
    MSI (s) (68:E0) [06:03:11:840]: Executing op: ServiceControl(,Name=MsMpSvc,Action=2,,)
    MSI (s) (68:E0) [06:03:16:839]: Executing op: ActionStart(Name=DeleteScheduledTasks,,)
    MSI (s) (68:E0) [06:03:16:839]: Executing op: CustomActionSchedule(Action=DeleteScheduledTasks,ActionType=3137,Source=BinaryData,Target=DeleteTasks,CustomActionData=Microsoft\Microsoft Antimalware)
    MSI (s) (68:C0) [06:03:16:839]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSID7.tmp, Entrypoint: DeleteTasks
    MSI (s) (68:E0) [06:03:17:448]: Executing op: ActionStart(Name=DeleteServices,Description=Deleting services,Template=Service: [1])
    MSI (s) (68:E0) [06:03:17:464]: Executing op: ProgressTotal(Total=1,Type=1,ByteEquivalent=1300000)
    MSI (s) (68:E0) [06:03:17:464]: Executing op: ServiceControl(,Name=MsMpSvc,Action=8,,)
    MSI (s) (68:E0) [06:03:17:479]: Executing op: ActionStart(Name=UninstallMpFilterDriverRollback,,)
    MSI (s) (68:E0) [06:03:17:479]: Executing op: CustomActionSchedule(Action=UninstallMpFilterDriverRollback,ActionType=3393,Source=BinaryData,Target=MpInstallDriver,CustomActionData=C:\Program Files\Microsoft Security Client\Antimalware\Drivers\mpfilter\)
    MSI (s) (68:E0) [06:03:17:479]: Executing op: ActionStart(Name=UninstallMpFilterDriver,,)
    MSI (s) (68:E0) [06:03:17:479]: Executing op: CustomActionSchedule(Action=UninstallMpFilterDriver,ActionType=3073,Source=BinaryData,Target=MpUninstallDriver,CustomActionData=C:\Program Files\Microsoft Security Client\Antimalware\Drivers\mpfilter\)
    MSI (s) (68:7C) [06:03:17:479]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSID8.tmp, Entrypoint: MpUninstallDriver
    WIXFXCA: MpUninstallDriver: INFO: MpDrvInst - uninstallation begin.
    WIXFXCA: MpUninstallDriver: INFO: Driver package located at C:\Program Files\Microsoft Security Client\Antimalware\Drivers\mpfilter\
    
    
    

    Log ends at this point.

    Found this in the event log of another (Application, MSIInstaller, 11704)

    Product: Microsoft Application Error Reporting -- Error 1704. An installation for Microsoft Antimalware is currently suspended.  You must undo the changes made by that installation to continue.  Do you want to undo those changes?

    That led me to investigate the following registry key, which suggests the MSI uninstall is hung waiting for some action.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress

    The default value of which is C:\WINDOWS\Installer\496a662.ipi, and the timestamp of that is consistent with the installation.

    However, am wondering how many other people are experiencing this pain? And has anyone else found a root cause for this? Investigations are ongoing here, hopefully some of this might help someone else see what's going on.

    Might have to open a PSS call with MS as this is a bit nasty.

    Thanks

    AW




    • Edited by andreww Thursday, December 06, 2012 11:35 AM
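    An added example, not part of the original post: a small triage pass over collected `*_epp_install.log` files that reports where a verbose MSI log stops and whether the `MsMpSvc` service had already been deleted by then, which is the state described above (service entry gone, files still on disk). The function name `triage`, the abbreviated sample lines, and the use of `MainEngineThread is returning` as the end-of-run marker are assumptions.

```python
import re

# Constructed sample: abbreviated lines in the format of the log quoted in the post.
SAMPLE_LOG = r"""MSI (s) (68:E0) [06:03:11:840]: Executing op: ActionStart(Name=StopServices,Description=Stopping services,Template=Service: [1])
MSI (s) (68:E0) [06:03:11:840]: Executing op: ServiceControl(,Name=MsMpSvc,Action=2,,)
MSI (s) (68:E0) [06:03:17:448]: Executing op: ActionStart(Name=DeleteServices,Description=Deleting services,Template=Service: [1])
MSI (s) (68:E0) [06:03:17:464]: Executing op: ServiceControl(,Name=MsMpSvc,Action=8,,)
MSI (s) (68:E0) [06:03:17:479]: Executing op: ActionStart(Name=UninstallMpFilterDriver,,)
MSI (s) (68:7C) [06:03:17:479]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSID8.tmp, Entrypoint: MpUninstallDriver
WIXFXCA: MpUninstallDriver: INFO: MpDrvInst - uninstallation begin.
"""

ACTION = re.compile(r"Executing op: ActionStart\(Name=([^,)]+)")
SERVICE = re.compile(r"Executing op: ServiceControl\(,Name=([^,]+),Action=\d+")
ENTRY = re.compile(r"Invoking remote custom action\..*Entrypoint: (\S+)")
DONE = "MainEngineThread is returning"  # assumed end-of-run marker in verbose MSI logs


def triage(log_text):
    """Summarise where an MSI verbose log stops and what it removed before that."""
    action = entry = None
    deleted, finished = [], False
    for line in log_text.splitlines():
        m = ACTION.search(line)
        if m:
            action = m.group(1)          # most recent action the installer started
        m = SERVICE.search(line)
        if m and action == "DeleteServices":
            deleted.append(m.group(1))   # service removed under the DeleteServices action
        m = ENTRY.search(line)
        if m:
            entry = m.group(1)           # most recent custom-action entry point invoked
        if DONE in line:
            finished = True
    return {
        "last_action": action,
        "last_entrypoint": entry,
        "services_deleted": deleted,
        "finished": finished,
        # Service entry gone but the run never returned: matches the reported symptoms.
        "stalled_after_service_delete": bool(deleted) and not finished,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

    Run over the logs gathered from each server, a result with `stalled_after_service_delete` set identifies machines that are likely running without the antimalware service.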

All Replies

  • Thursday, December 06, 2012 9:08 PM
     
     Answered

    OK, got a procedure worked out for resolving this. Give it a try if you want, let me know how you get on.

    First, if you're knackered, don't try and uninstall Forefront (or if you have - reboot; chances are you won't be able to get this going until you're clear).

    Delete the key at

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress

    (Make sure no setup/msiexec processes are still running).

    Then, uninstall the old Forefront. Reboot at this point when it completes. Then, reinstall Forefront (the new version-4 works fine, up to you which one you go for I guess but I tried 4 and it's OK). When I hadn't rebooted first, it wouldn't start the Forefront on-demand scanning service. So I rebooted and that got it going again.

    Worked for me so far. Your results may vary. But it's a start...

  • Friday, December 07, 2012 12:00 PM
     
     
    Have now resolved all my broken Win2k3 servers using this method. Apart from it needing a restart, it's pretty painless. Hope it helps someone.