Help needed!! MSSHA causing XP SP3 Machines to freeze: Event ID:1002 & 1007

  • Question

  • Hi

    I have a problem with MSSHA causing all of our XP SP3 Machines to freeze on logon and then after every hour. Stopping the napagent service makes the issue go away.

    Anyone able to shed any light on what may be causing this??

    Events Showing on the eventlog:

    _______________________________________________________________________
    Event Type: Information
    Event Source: MSSHA
    Event Category: None
    Event ID: 1002
    Date:  xx/xx/20xx
    Time:  xx:xx:xx
    User:  N/A
    Computer: PC-XXXX
    Description:
    The Windows Security Health Agent was initialized successfully.

    Scan Interval: 60 minutes.

    Time delay before first scan: 35 seconds.

    Time interval between manual remediation state change: 15 seconds.

    Manual remediation timeout interval: 150 seconds.
    _______________________________________________________________________
    Event Type: Information
    Event Source: MSSHA
    Event Category: None
    Event ID: 1007
    Date:  xx/xx/20xx
    Time:  xx:xx:xx
    User:  N/A
    Computer: PC-XXXX
    Description:
    The Windows Security Health Agent completed an offline scan.

    Number of Updates : 0.

    Update Titles : No Updates found.
    ________________________________________________________________________


    Following commands run:

    _______________________________________________________________________

    C:\WINDOWS>netsh NAP client show state

    Client state:
    ----------------------------------------------------
    Name                   = Network Access Protection Client
    Description            = Microsoft Network Access Protection Client
    Protocol version       = 1.0
    Status                 = Enabled
    Restriction state      = Not restricted
    Troubleshooting URL    =
    Restriction start time =
    Extended state         =

    Enforcement client state:
    ----------------------------------------------------
    Id                     = 79617
    Name                   = DHCP Quarantine Enforcement Client
    Description            = Provides DHCP based enforcement for NAP
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = No

    Id                     = 79618
    Name                   = Remote Access Quarantine Enforcement Client
    Description            = Provides the quarantine enforcement for RAS Client
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = No

    Id                     = 79619
    Name                   = IPSec Relying Party
    Description            = Provides IPSec based enforcement for Network Access Pro
    tection
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = No

    Id                     = 79620
    Name                   = Wireless Eapol Quarantine Enforcement Client
    Description            = Provides wireless Eapol based enforcement for NAP
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = No

    Id                     = 79621
    Name                   = TS Gateway Quarantine Enforcement Client
    Description            = Provides TS Gateway enforcement for NAP
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = No

    Id                     = 79623
    Name                   = EAP Quarantine Enforcement Client
    Description            = Provides EAP based enforcement for NAP
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = No

    System health agent (SHA) state:
    ----------------------------------------------------
    Id                     = 79744
    Name                   = Windows Security Health Agent

    Description            = The Windows Security Health Agent checks the compliance
     of a computer with an administrator-defined policy.

    Version                = 1.0

    Vendor name            = Microsoft Corporation

    Registration date      =
    Initialized            = Yes
    Failure category       = None
    Remediation state      = Success
    Remediation percentage = 0
    Fixup Message          = (3237937214) - The Windows Security Health Agent has fi
    nished updating its security state.

    Compliance results     =
    Remediation results    =

    Id                     = 79745
    Name                   = Configuration Manager System Health Agent
    Description            = Configuration Manager System Health Agent facilitates e
    nforcement of software update compliance using Network Access Protection.
    Version                = 2007
    Vendor name            = Microsoft Corporation
    Registration date      = 26/03/2010 16:25:15
    Initialized            = Yes
    Failure category       = None
    Remediation state      = Success
    Remediation percentage = 100
    Fixup Message          = (90507) - Configuration Manager NAP Client Agent is not
     enabled, Client will be deemed compliant.
    Compliance results     =
    Remediation results    = (0x00000000) - (null)


    Ok.

    _______________________________________________________________________


    C:\WINDOWS>netsh NAP client show group

    NAP client configuration (group policy):
    ----------------------------------------------------

    NAP client configuration:
    ----------------------------------------------------

    _______________________________________________________________________


    C:\WINDOWS>netsh NAP client show config

    NAP client configuration:
    ----------------------------------------------------

    Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Prov
    ider, keylength = 2048

    Hash algorithm = sha1RSA (1.3.14.3.2.29)

    Enforcement clients:
    ----------------------------------------------------
    Name            = DHCP Quarantine Enforcement Client
    ID              = 79617
    Admin           = Disabled

    Name            = Remote Access Quarantine Enforcement Client
    ID              = 79618
    Admin           = Disabled

    Name            = IPSec Relying Party
    ID              = 79619
    Admin           = Disabled

    Name            = Wireless Eapol Quarantine Enforcement Client
    ID              = 79620
    Admin           = Disabled

    Name            = TS Gateway Quarantine Enforcement Client
    ID              = 79621
    Admin           = Disabled

    Name            = EAP Quarantine Enforcement Client
    ID              = 79623
    Admin           = Disabled

    Client tracing:
    ----------------------------------------------------
    State = Disabled
    Level = Disabled

    Ok.
    _______________________________________________________________________

    Thanks for your time

    Chris

     

    Tuesday, January 18, 2011 5:12 PM
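An added example, not part of the original thread: a small parser for the `netsh NAP client show state` output quoted in the post above, listing which enforcement clients and system health agents report `Initialized = Yes`. The function names are hypothetical, and the sample is an excerpt of the posted output shortened to one enforcement client and the two SHAs.

```python
import re
# Excerpt of the output quoted in the post, shortened to one enforcement
# client and both SHAs; the 80-column console wrap is kept as printed.
SAMPLE = """\
Enforcement client state:
----------------------------------------------------
Id                     = 79619
Name                   = IPSec Relying Party
Description            = Provides IPSec based enforcement for Network Access Pro
tection
Initialized            = No

System health agent (SHA) state:
----------------------------------------------------
Id                     = 79744
Name                   = Windows Security Health Agent
Initialized            = Yes

Id                     = 79745
Name                   = Configuration Manager System Health Agent
Initialized            = Yes
"""

FIELD = re.compile(r"^\s*([A-Za-z ]+?)\s*=\s?(.*)$")

def parse_nap_state(text):
    """Return {section title: [record dict, ...]}; each record starts at 'Id'."""
    sections, records, rec, key = {}, None, None, None
    for line in text.splitlines():
        s = line.strip()
        m = FIELD.match(line)
        if s.endswith(":") and not m:            # section header line
            records = sections.setdefault(s[:-1], [])
            rec = key = None
        elif m and records is not None:          # "Key = value" field
            key, value = m.group(1), m.group(2).strip()
            if key == "Id":                      # "Id" opens a new record
                rec = {}
                records.append(rec)
            if rec is not None:
                rec[key] = value
        elif s and not set(s) <= {"-"} and rec is not None and key:
            rec[key] += line                     # glue console-wrapped text back
    return sections

def initialized(state, section):
    """Names of components in `section` that report Initialized = Yes."""
    return [r["Name"] for r in state.get(section, [])
            if r.get("Initialized") == "Yes"]
```

Run over the full output saved from the client, this gives a one-line view per section of what the NAP agent has actually loaded.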

All replies

  • Hi Chris,

     

    Thanks for posting here.

     

    Can you verify the “Number of hours since last scanned” setting for Windows XP in the Windows Security Health Validator properties?

    For more information please refer to the link below:

     

    NAP FAQ: Enforcing Security Updates (out-of-the-box)

    http://blogs.technet.com/b/nap/archive/2008/04/24/nap-faq-enforcing-security-updates-out-of-the-box-2.aspx

     

    Thanks.

     

    Tiger Li


    Wednesday, January 19, 2011 7:38 AM
  • As far as I know there is no WSHV; I have checked our SCCM servers. Also, any ideas as to why the machines freeze up during the scan? Disabling the NAP service even though it's currently not used seems a bit excessive.

    • Edited by Chris705 Wednesday, January 19, 2011 11:26 AM
    Wednesday, January 19, 2011 10:36 AM
  • More events from the system log.

    __________________________________________________________________________________________________________________________________________________________

    Event Type: Information
    Event Source: NapAgent
    Event Category: None
    Event ID: 26
    Date:  19/01/2011
    Time:  09:26:22
    User:  N/A
    Computer: PC-xxxx
    Description:
    The NAP service has started.
     NAP has the following information for this computer:
     Computer name is PC-xxxx
     Domain status is: Domain Joined.
     The OS SKU is: CLIENT.
     The service pack version is: 3.0.
     The processor type is: 0.


    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    __________________________________________________________________________________________________________________________________________________________

    Event Type: None
    Event Source: NapAgent
    Event Category: None
    Event ID: 4
    Date:  19/01/2011
    Time:  09:26:22
    User:  N/A
    Computer: PC-xxxx
    Description:
    The System Health Agent 79745 successfully initialized.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    __________________________________________________________________________________________________________________________________________________________

    Event Type: Information
    Event Source: Service Control Manager
    Event Category: None
    Event ID: 7035
    Date:  19/01/2011
    Time:  09:26:22
    User:  NT AUTHORITY\SYSTEM
    Computer: PC-xxxx
    Description:
    The Network Access Protection Agent service was successfully sent a start control.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    __________________________________________________________________________________________________________________________________________________________

    Event Type: Information
    Event Source: Service Control Manager
    Event Category: None
    Event ID: 7036
    Date:  19/01/2011
    Time:  09:26:22
    User:  N/A
    Computer: PC-xxxx
    Description:
    The Network Access Protection Agent service entered the running state.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    __________________________________________________________________________________________________________________________________________________________

    Event Type: None
    Event Source: NapAgent
    Event Category: None
    Event ID: 9
    Date:  19/01/2011
    Time:  09:26:22
    User:  N/A
    Computer: PC-xxxx
    Description:
    The enforcement client 79871 successfully initialized.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    __________________________________________________________________________________________________________________________________________________________

    Event Type: Warning
    Event Source: NapAgent
    Event Category: None
    Event ID: 39
    Date:  19/01/2011
    Time:  09:26:22
    User:  N/A
    Computer: PC-xxxx
    Description:
    The Network Access Protection Agent was unable to determine which HRAs to request a health certificate from.
    A network change or if GP is configured, a configuration change will prompt further attempts to acquire a health certificate. Otherwise no further attempts will be made.
    Contact the HRA administrator for more information.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    __________________________________________________________________________________________________________________________________________________________


    Event Type: None
    Event Source: NapAgent
    Event Category: None
    Event ID: 4
    Date:  19/01/2011
    Time:  09:26:22
    User:  N/A
    Computer: PC-xxxx
    Description:
    The System Health Agent 79744 successfully initialized.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    __________________________________________________________________________________________________________________________________________________________

     

    Wednesday, January 19, 2011 11:25 AM
  • Any ideas??
    Wednesday, January 26, 2011 10:27 AM
  • Chris705, did you resolve this problem?
    Monday, October 8, 2012 3:49 PM