locked
FCS client uninstalled after update RRS feed

  • Question

  • Hi,
    I have successfully installed FCS client on a Windows 2000 sp 4 client which has the w2k update rollup 1 on it. I then try to install KB956280, which fails everytime and then completely uninstalls the FCS client.
    I have tried installing the update 3 times now from WSUS and each time it gets removed because this update fails. I've tried installing FCS and then rebooting and then trying to install the update but nothing works.

    The mp_ambits.log log is below which shows the update failing:

    === Verbose logging started: 30/03/2009  11:05:37  Build type: SHIP UNICODE 3.01.4000.4033  Calling process: c:\dee3a5ec5b0d232d1992b9446c0eb5\FCSInstall.exe ===
    === Logging stopped: 30/03/2009  11:06:38 ===
    MSI (c) (28:D0) [11:06:38:703]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied.  Counter after decrement: -1
    MSI (c) (28:D0) [11:06:38:703]: MainEngineThread is returning 1603
    === Verbose logging stopped: 30/03/2009  11:06:38 ===

    Action start 11:05:41: CostFinalize.
    MSI (s) (58:24) [11:05:43:218]: Doing action: SetFindFileParams
    Action ended 11:05:43: CostFinalize. Return value 1.
    MSI (s) (58:24) [11:05:43:218]: PROPERTY CHANGE: Adding FindFileParams property. Its value is 'INSTALLDIR;gdiplus.dll;GDI_INSTALLED'.
    Action start 11:05:43: SetFindFileParams.
    MSI (s) (58:24) [11:05:43:234]: Doing action: FindGDIPlusFile
    Action ended 11:05:43: SetFindFileParams. Return value 1.
    MSI (s) (58:20) [11:05:43:234]: Invoking remote custom action. DLL: C:\WINNT\Installer\MSI2.tmp, Entrypoint: FindFileW
    MSI (s) (58:20) [11:05:43:234]: Generating random cookie.
    MSI (s) (58:20) [11:05:43:250]: Created Custom Action Server with PID 1228 (0x4CC).
    MSI (s) (58:1C) [11:05:43:265]: Running as a service.
    MSI (s) (58:28) [11:05:43:296]: Hello, I'm your 32bit Impersonated custom action server.
    MSI (s) (58!64) [11:05:43:562]: PROPERTY CHANGE: Adding GDI_INSTALLED property. Its value is '1'.
    Action start 11:05:43: FindGDIPlusFile.
    MSI (s) (58:24) [11:05:43:578]: Skipping action: GDIPlusError (condition is false)
    MSI (s) (58:24) [11:05:43:578]: Doing action: MigrateFeatureStates
    Action ended 11:05:43: FindGDIPlusFile. Return value 1.
    Action start 11:05:43: MigrateFeatureStates.
    MSI (s) (58:24) [11:05:43:578]: Doing action: InstallValidate
    Action ended 11:05:43: MigrateFeatureStates. Return value 0.
    Action start 11:05:43: InstallValidate.

    Action ended 11:05:53: CostFinalize. Return value 1.
    MSI (s) (58:BC) [11:05:53:484]: PROPERTY CHANGE: Adding FindFileParams property. Its value is 'INSTALLDIR;gdiplus.dll;GDI_INSTALLED'.
    Action start 11:05:53: SetFindFileParams.
    MSI (s) (58:BC) [11:05:53:484]: Doing action: FindGDIPlusFile
    Action ended 11:05:53: SetFindFileParams. Return value 1.
    MSI (s) (58:78) [11:05:53:546]: Invoking remote custom action. DLL: C:\WINNT\Installer\MSI5.tmp, Entrypoint: FindFileW
    MSI (s) (58!00) [11:05:53:765]: PROPERTY CHANGE: Adding GDI_INSTALLED property. Its value is '1'.
    Action start 11:05:53: FindGDIPlusFile.
    MSI (s) (58:BC) [11:05:53:781]: Skipping action: GDIPlusError (condition is false)
    MSI (s) (58:BC) [11:05:53:781]: Skipping action: MigrateFeatureStates (condition is false)
    MSI (s) (58:BC) [11:05:53:781]: Doing action: InstallValidate
    Action ended 11:05:53: FindGDIPlusFile. Return value 1.
    Action start 11:05:53: InstallValidate.

    DIFXAPP: UninstallDriverPackages()
    DIFXAPP: 'CustomActionData' property 'DIFxApp Version' is 2.1.
    DIFXAPP: 'CustomActionData' property 'UI Level' is 2.
    DIFXAPP: 'CustomActionData' property 'componentId' is {153AA63E-3BFD-495C-A35F-85F66650141D}.
    DIFXAPP: 'CustomActionData' property 'flags' is 0x4.
    DIFXAPP: 'CustomActionData' property 'ProductName' is Microsoft Forefront Client Security Antimalware Service.
    DIFXAPP: 'CustomActionData' property 'ManufacturerName' is Microsoft Corporation.
    DIFXAPP: INFO:   ENTER:  DriverPackageUninstallW
    DIFXAPP: INFO:   Uninstalling driver package C:\WINNT\system32\DRVSTORE\mpfilter_FE6173491945E3649350E0A8953531C10A4566A0\mpfilter.inf...
    DIFXAPP: ERROR:  Unable to revert to a previous driver store for service 'MpFilter'.
    DIFXAPP: ERROR:  Will attempt to uninstall the driver.
    DIFXAPP: ERROR:  service 'MpFilter' failed to stop with error 0x426
    DIFXAPP: INFO:   service 'MpFilter' was deleted.
    DIFXAPP: WARNING:We've waited a while for the service to get deleted, but it did not get deleted yet. Will prompt for reboot
    DIFXAPP: INFO:   Driver store entry 'C:\WINNT\system32\DRVSTORE\mpfilter_FE6173491945E3649350E0A8953531C10A4566A0\mpfilter.inf' removed.
    DIFXAPP: SUCCESS:Uninstall completed.
    DIFXAPP: INFO:   RETURN: DriverPackageUninstallW  (0x0)
    DIFXAPP: INFO: driver store 'C:\WINNT\system32\DRVSTORE\mpfilter_FE6173491945E3649350E0A8953531C10A4566A0\mpfilter.inf' uninstalled.
    DIFXAPP: INFO: deleted add remove programs key for 'C:\WINNT\system32\DRVSTORE\mpfilter_FE6173491945E3649350E0A8953531C10A4566A0\mpfilter.inf'.
    DIFXAPP: A reboot is needed to uninstall the driver package '{153AA63E-3BFD-495C-A35F-85F66650141D}'.
    MSI (s) (58:BC) [11:06:24:031]: Executing op: ActionStart(Name=StartServices,Description=Starting services,Template=Service: [1])
    DIFXAPP: RETURN: UninstallDriverPackages() 0 (0x0)

    DIFXAPP: ENTER: CleanupOnSuccess()
    DIFXAPP: 'Component' is 'MPFILTER'
    DIFXAPP: 'ComponentId' is {153AA63E-3BFD-495C-A35F-85F66650141D}
    MSI (s) (58!50) [11:06:24:578]: Doing action: ScheduleReboot
    DIFXAPP: WARNING! The uninstall phase of this upgrade required a reboot. This may result in errors during the subsequent install phase. If such errors do occur, please reboot your system and run the upgrade again.
    Action start 11:06:24: ScheduleReboot.
    Action ended 11:06:24: ScheduleReboot. Return value 1.
    DIFXAPP: RETURN: CleanupOnSuccess() 0 (0x0)
    MSI (s) (58:BC) [11:06:24:593]: Skipping action: LAUNCH_MY_PROGRAM_PLEASE (condition is false)
    Action ended 11:06:24: MsiCleanupOnSuccess. Return value 1.
    Action ended 11:06:24: INSTALL. Return value 1.
    MSI (s) (58:BC) [11:06:24:593]: Propagated Reboot to the client/parent install.
    MSI (s) (58:24) [11:06:24:609]: Doing action: InstallInitialize
    Action ended 11:06:24: RemoveExistingProducts. Return value 1.

    DIFXAPP: INFO: opening HKEY_USERS 'S-1-5-21-682003330-616249376-839522115-1007\Software\Microsoft\Windows\CurrentVersion\DIFxApp\Components\{153AA63E-3BFD-495C-A35F-85F66650141D}' (User's SID: 'S-1-5-21-682003330-616249376-839522115-1007') ...
    DIFXAPP: INFO:   ENTER:  DriverPackageInstallW
    DIFXAPP: INFO:   mpfilter.inf: checking signature with catalog 'c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\Drivers\mpfilter\MpFilter.cat' ...
    DIFXAPP: INFO:   Driver package 'mpfilter.inf' is WHQL signed.
    DIFXAPP: INFO:   Copied 'mpfilter.inf' to driver store...
    DIFXAPP: INFO:   Copied 'MpFilter.cat' to driver store...
    DIFXAPP: INFO:   Commiting queue...
    DIFXAPP: INFO:   Copied file: 'c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\Drivers\mpfilter\mpfilter.sys' -> 'C:\WINNT\system32\DRVSTORE\mpfilter_7624CBE7EF3BB21A52F29BE608459E93D0D31F4C\mpfilter.sys'.
    DIFXAPP: INFO:   Installing INF file "C:\WINNT\system32\DRVSTORE\mpfilter_7624CBE7EF3BB21A52F29BE608459E93D0D31F4C\mpfilter.inf" of Type 4.
    DIFXAPP: INFO:   Installing File System Driver 'C:\WINNT\system32\DRVSTORE\mpfilter_7624CBE7EF3BB21A52F29BE608459E93D0D31F4C\mpfilter.inf'
    DIFXAPP: ERROR:  Unable to start service 'MpFilter' because of error 0x422
    DIFXAPP: SUCCESS:Installation completed with code 0x0.
    DIFXAPP: INFO:   RETURN: DriverPackageInstallW  (0x0)
    DIFXAPP: INFO:   ENTER:  DriverPackageGetPathW
    DIFXAPP: SUCCESS:Found driver store entry.
    DIFXAPP: INFO:   RETURN: DriverPackageGetPathW  (0x7A)
    DIFXAPP: INFO:   ENTER:  DriverPackageGetPathW
    DIFXAPP: SUCCESS:Found driver store entry.
    DIFXAPP: INFO:   RETURN: DriverPackageGetPathW  (0x0)
    DIFXAPP: A reboot is needed to install the component '{153AA63E-3BFD-495C-A35F-85F66650141D}'.
    MSI (s) (58:24) [11:06:36:046]: Executing op: ActionStart(Name=CreateShortcuts,Description=Creating shortcuts,Template=Shortcut: [1])
    DIFXAPP: RETURN: InstallDriverPackages() 0 (0x0)

    MSI (s) (58:24) [11:06:36:921]: Executing op: ActionStart(Name=InstallServices,Description=Installing new services,Template=Service: [2])
    MSI (s) (58:24) [11:06:36:921]: Executing op: ProgressTotal(Total=1,Type=1,ByteEquivalent=1300000)
    MSI (s) (58:24) [11:06:36:921]: Executing op: ServiceInstall(Name=FCSAM,DisplayName=Microsoft Forefront Client Security Antimalware Service,ImagePath="c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe",ServiceType=16,StartType=2,ErrorControl=1,LoadOrderGroup=COM Infrastructure,Dependencies=RpcSs[~]WMI[~][~],,,Password=**********,Description=Helps protect users from spyware and other potentially unwanted software)
    MSI (s) (58:24) [11:06:36:921]: Product: Microsoft Forefront Client Security Antimalware Service -- Error 1923. Service 'Microsoft Forefront Client Security Antimalware Service' (FCSAM) could not be installed.  Verify that you have sufficient privileges to install system services.

    MSI (s) (58:24) [11:06:36:968]: Executing op: ActionStart(Name=ExecSecureObjects,,)
    MSI (s) (58:24) [11:06:36:968]: Executing op: CustomActionSchedule(Action=ExecSecureObjects,ActionType=3073,Source=BinaryData,Target=ExecSecureObjects,CustomActionData=c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\€CreateFolder€€Users€-1610612736€MACHINE\SOFTWARE\Microsoft\Microsoft Forefront\Client Security\1.0\AM€Registry€€Users€-1610612736€MACHINE\SOFTWARE\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Software Explorers€Registry€€Users€-1610612736€MACHINE\SOFTWARE\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Miscellaneous Configuration€Registry€€Users€-1610612736€c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\€CreateFolder€€Users€0€c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\€CreateFolder€€Users€0€c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\Backup\€CreateFolder€€Users€0€c:\Documents and
    MSI (s) (58:BC) [11:06:36:984]: Invoking remote custom action. DLL: C:\WINNT\Installer\MSI17.tmp, Entrypoint: ExecSecureObjects
    MSI (s) (58:24) [11:06:37:343]: Executing op: ActionStart(Name=ExecServiceConfig,,)
    MSI (s) (58:24) [11:06:37:343]: Executing op: CustomActionSchedule(Action=ExecServiceConfig,ActionType=3073,Source=BinaryData,Target=ExecServiceConfig,CustomActionData=FCSAM€restart€restart€none€1€15€€)
    MSI (s) (58:BC) [11:06:37:343]: Invoking remote custom action. DLL: C:\WINNT\Installer\MSI18.tmp, Entrypoint: ExecServiceConfig
    ExecServiceConfig:  Error 0x80070430: Cannot change service configuration. Error: The specified service has been marked for deletion.

    MSI (s) (58:24) [11:06:37:515]: User policy value 'DisableRollback' is 0
    MSI (s) (58:24) [11:06:37:515]: Machine policy value 'DisableRollback' is 0
    Action ended 11:06:37: InstallExecute. Return value 3.

    DIFXAPP: INFO:   ENTER:  DriverPackageUninstallW
    DIFXAPP: INFO:   Uninstalling driver package C:\WINNT\system32\DRVSTORE\mpfilter_7624CBE7EF3BB21A52F29BE608459E93D0D31F4C\mpfilter.inf...
    DIFXAPP: ERROR:  Unable to revert back to the previous driver since it was not installed using DIFx.  The service for the driver will not be removed, since non-DIFx installers might depend on it
    DIFXAPP: ERROR:  ERROR 0x154FC3C - Failed to install driver  to support the service MpFilter
    DIFXAPP: ERROR:  Unable to revert to a previous driver store for service 'MpFilter'.
    DIFXAPP: INFO:   Driver store entry 'C:\WINNT\system32\DRVSTORE\mpfilter_7624CBE7EF3BB21A52F29BE608459E93D0D31F4C\mpfilter.inf' removed.
    DIFXAPP: SUCCESS:Uninstall completed.
    DIFXAPP: INFO:   RETURN: DriverPackageUninstallW  (0x0)
    DIFXAPP: Rollback failed with error 0x2
    DIFXAPP: RETURN: RollbackInstall() 2 (0x2)

    MSI (s) (58:24) [11:06:38:671]: Error in rollback skipped. Return: 5
    MSI (s) (58:24) [11:06:38:687]: Unlocking Server
    MSI (s) (58:24) [11:06:38:687]: PROPERTY CHANGE: Deleting UpdateStarted property. Its current value is '1'.
    Action ended 11:06:38: INSTALL. Return value 3.
    MSI (s) (58:24) [11:06:38:687]: Note: 1: 1708
    MSI (s) (58:24) [11:06:38:687]: Product: Microsoft Forefront Client Security Antimalware Service -- Installation failed.


    I installed FCS client with all FCS updates on it on a similar W2K PC and that all worked. Has anyone seen the above problem before?

    Monday, March 30, 2009 11:43 AM

All replies

  • Hi,
    I've tried installing FCS 6 times now, and each time it is removed after a FCS patch has been applied. I'm now removing everything to do with FCS inorder to do a clean install, I've uninstalled FCS but there were some reg keys and folders left behind. I've deleted the folders, however, I can't remove the HKLM\Software\Microsoft\Microsoft Forefront Client Security Key. It keeps saying access is denied to one or more keys, although I have logged on as the local administrator and I have full permissions to this key and subkey. I am also the owner of these keys.
    Anyone help on the above or/and this question?
    Tuesday, March 31, 2009 11:32 AM
  • Registry keys have now been deleted and I'm in a position to re-install FCS. However, I'm loathed to do this at the moment since I know the update will uninstall it. Has anyone seen this before?
    Tuesday, March 31, 2009 2:23 PM
  • Same problem here.

    It seems mpfilter driver has been damaged, but don't know how to restore....

    Anyone any suggestion to try?

    Thanks

    Diego Castelli
    Wednesday, January 13, 2010 3:02 PM
  • Same problem here.

    It seems mpfilter driver has been damaged, but don't know how to restore....

    Anyone any suggestion to try?

    Thanks

    Diego Castelli


    Try using the INF of MPFILTER from its installation location.
    Usually at: C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\Drivers\mpfilter\


    MVP [2010] | Consumer Security
    Visit me @ Crimson Spectrum
    Tuesday, April 20, 2010 11:38 PM
  • i ended up using REVO UNINSTALLER to remove all traces of FCS and then re-installed.

    everything working fine, now.

     

    HTH.

    bye!


    Diego Castelli
    Thursday, April 22, 2010 3:41 PM