Login Issues/Slow Boot caused by Forefront

    Question

  • Hi,

    I have a number of different model HP desktop machines which are on Windows 7 and which are experiencing slow boot times and a login error.

    The issue is only happening from a shut-down machine when a user starts up in the morning (or when we wake-on-LAN the computers in question). The issue is not present when restarting the computers.

    Issue
    -The computer in question will take about 4-5 minutes to get to the login screen (they take forever at the please wait screen)
    -When it takes this long to start you will always receive the error once you log in - "Windows could not connect to the system event notification service service. Please contact your system administrator"
    -The message will appear for a minute then take you back to the login screen (or if you click OK you will be taken back also)
    -On second login you get no error and log in normally. There is nothing in Event Viewer about this error, but we know when and which users are getting the issue as we can see the below event on start-up.

    Event Error - (at bottom of page)

    Now I have been troubleshooting the error for a while and everything that normally fixes this login error hasn’t resolved this issue.

    -Made sure the services are running and started and set to automatic - mainly the Windows Event Log, COM+ etc.; everything is started as it should be
    -Rebuilt WMI repository (which did fix the issue for 3 days, then it returned)
    -Netsh catalogue reset and winsock reset
    -All drivers were updated to make sure they were the latest ones
    -SFC /scannow
    -HDD healthcheck done - is OK

    Now after uninstalling Microsoft Forefront Client Security and the MOM 2005 agent I don’t get long start-up times, I don’t get the event errors, and I don’t get login errors.

    Has anyone had this issue or know why the Forefront client would be causing this issue? Any help would be appreciated as we don’t really want to uninstall the client off all affected machines. Thanks

    Client Version: 1.5.1981.0, Engine Version: 1.1.8202.0, Antivirus definition: 1.123.978.0, Antispyware definition: 1.123.978.0

    Event Error - Windows Error Reporting - 1001

    Fault bucket , type 0
    Event Name: ServiceHang
    Response: Not available
    Cab Id: 0
    Problem signature:
    P1: Audiosrv
    P2: Audiosrv.dll
    P3: 6.1.7601.17514
    P4: 20
    P5: 2
    P6:
    P7:
    P8:
    P9:
    P10:
    Attached files:
    These files may be available here:
    Analysis symbol:
    Rechecking for solution: 0
    Report Id: 16e660b3-7eca-11e1-9846-00215a11088c
    Report Status: 0



    • Edited by hayden.e Thursday, April 05, 2012 12:24 PM
    Tuesday, April 03, 2012 10:12 AM

Answers

  • Hi,

    Thank you for the post.

    Please install KB976668 to fix this issue.
    Issue 4: After you install the anti-malware update 971026, some managed Forefront Client Security clients on Windows XP and on Windows Server 2003 take longer to log on. This delay occurs after a restart if one or more file or folder path exclusions that are network-based are set.

    Resolution: KB976668

    Workaround: remove network file path exclusions, or disable network file scanning, or set timeout values:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Scan]
    "DisableScanningNetworkFiles"=dword:1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpFilter\Parameters]
    "MaxScanTimeout"=dword:7530
    "MinScanTimeout"=dword:3A98

    http://support.microsoft.com/kb/976668
    http://support.microsoft.com/kb/971026
    http://social.technet.microsoft.com/Forums/en-CA/Forefrontclientgeneral/thread/1a370db9-c211-4f2b-9a7f-3ec63412a216

    If there are more inquiries on this issue, please feel free to let us know.

    Regards


    Rick Tan

    TechNet Community Support

    Friday, April 06, 2012 3:10 AM
    Moderator
  • Hi Hayden,

    In an effort to be more aggressive in detections, a previous FCS update changed values on the Malware Protection Filter (MPFilter) TimeOut settings.

    However, this change caused a small segment of network environments to experience an unusually long delay when users were logging on each morning or at the beginning of their shift.

    To alleviate the problem, two workarounds were released to those customers experiencing the issue:

    1. Eliminate all network-based exclusions (the more recommended solution)

    From the FCS administrative console on the Management Server, remove all network-based exclusions.

    or

    2. Perform a Registry setting modification by changing the MPFilter TimeOut setting back to its previous defaults:

    On the client machine (end user) please create the following registry keys and set them with the following values:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpFilter\Parameters]
    "MaxScanTimeout"=dword:7530
    "MinScanTimeout"=dword:3A98

    The issue had been addressed in the Forefront Endpoint Security Blog under "Client Security slow logon issue" at
    http://blogs.technet.com/clientsecurity/archive/2009/08/13/client-security-slow-logon-issue.aspx

    Additionally, as Rick Tan mentioned, the following update was published:

    976668 Forefront Client Security anti-malware client update: December 2009

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;976668

    There are two other more recent updates also available:

    2508823 Forefront Client Security anti-malware client update: March 2011

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;2508823

    2524280 Antimalware agent is removed after you apply Forefront Client Security March 2011 update when using install updates and shut down

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;2524280

    Regards,

    Al

    Al Knecht, MCSE 2008, MCTS Server 2008 & FCS, MCITP Server 2008, MCSA 2003, CISSP®

    Microsoft Security Support Engineer


    Tuesday, April 17, 2012 1:20 AM
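
The registry workaround from the answers above, as a per-machine check: this is an added example, not part of any post in the thread and not Microsoft's own tooling. The key paths, value names and data are the ones quoted in the thread; the function name `Test-FcsLogonWorkaround` is hypothetical, and `-Apply` assumes an elevated PowerShell session.

```powershell
# Added example. Key paths, value names and data come from the thread above;
# the function name is hypothetical. Written to run on PowerShell 2.0 (Windows 7).
function Test-FcsLogonWorkaround {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$Apply)   # without -Apply the function only reports

    $filterKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MpFilter\Parameters'
    $scanKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Scan'
    # dword:7530 and dword:3A98 from the thread (30000 and 15000 decimal)
    $wanted    = @{ MaxScanTimeout = 0x7530; MinScanTimeout = 0x3A98 }

    foreach ($name in $wanted.Keys) {
        # A missing key or value yields $null rather than an error
        $current = (Get-ItemProperty -Path $filterKey -Name $name -ErrorAction SilentlyContinue).$name
        $state = if ($null -eq $current) { 'Missing' }
                 elseif ($current -eq $wanted[$name]) { 'Match' }
                 else { 'Differs' }

        if ($Apply -and $state -ne 'Match' -and
            $PSCmdlet.ShouldProcess("$filterKey\$name", "Set DWORD $($wanted[$name])")) {
            if (-not (Test-Path $filterKey)) { New-Item -Path $filterKey -Force | Out-Null }
            New-ItemProperty -Path $filterKey -Name $name -PropertyType DWord `
                -Value $wanted[$name] -Force | Out-Null
            $state = 'Set'
        }
        New-Object PSObject -Property @{
            Key = $filterKey; Name = $name; Current = $current
            Wanted = $wanted[$name]; State = $state
        }
    }

    # Read-only check: the other workaround turns off scanning of network files,
    # so report machines where it was applied and left in place. Never written here.
    $disabled = (Get-ItemProperty -Path $scanKey -Name DisableScanningNetworkFiles `
                     -ErrorAction SilentlyContinue).DisableScanningNetworkFiles
    $scanState = if ($disabled -eq 1) { 'NetworkScanDisabled' } else { 'NotSet' }
    New-Object PSObject -Property @{
        Key = $scanKey; Name = 'DisableScanningNetworkFiles'; Current = $disabled
        Wanted = $null; State = $scanState
    }
}

# Report only:        Test-FcsLogonWorkaround | Format-Table Name, Current, Wanted, State
# Preview the change: Test-FcsLogonWorkaround -Apply -WhatIf
```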

All replies

  • OK, I have narrowed the issue down.

    When disabling the Real-time protection option I don't have this issue. So next I turned it back on and one by one disabled the security agents under it to see when the error was present.

    The error only happens when the On Access Protection Agent is enabled, so this is what is causing the issue.

    Can someone give me more detail about what this agent does and the implications of leaving this disabled?

    Thanks


    • Edited by hayden.e Thursday, April 05, 2012 12:25 PM
    Thursday, April 05, 2012 9:27 AM
  • Hi Rick Tan,

    Thanks for your reply. I have tested this on the test machine (that is also having this issue) and it seems that setting the reg key for timeout values has stopped the long boot-up times and the logon error I am receiving.

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpFilter\Parameters]
    "MaxScanTimeout"=dword:7530
    "MinScanTimeout"=dword:3A98

    Adding the reg key to disable network file scan didn't change anything.

    I tried to install both the KBs but the mp_ambits.log file was saying "a newer version of the product is already installed on this system". We are up to date with our FCS as it updates via WSUS, which is current.

    It seems odd, if this was an issue, that it hasn't been addressed previously but is still present when we have been on top of all FCS updates for all clients on our network......?



    • Edited by hayden.e Tuesday, April 10, 2012 3:53 PM
    Tuesday, April 10, 2012 10:52 AM