Error 0x80070643 installing FEP2010 client on XP SP3 machine

  • Question

  • I have had the majority of XP SP3 clients install properly with the FEP2010 (update 1) install on our new deployment of Forefront through SCCM SP2 R3.  I have 1 machine that is not installing with this failure reason:

    Operation failed: Setup - Cannot complete the Forefront Endpoint Protection installation. An error has prevented the Forefront Endpoint Protection setup wizard from completing successfully. Please restart your computer and try again. Error code:0x80070643. Fatal error during installation.   [80070643]

     

    The EPPSetup.log shows the client installing, then uninstalling itself immediately afterward.  I have tried scanning for spyware, but nothing turns up.  We were using McAfee EPO, but this has been successfully removed, so now this workstation is without any A/V at all.

    Any ideas on how to troubleshoot or move forward to get a successful install would be helpful!  Thanks.


    Marjorie
    Monday, October 31, 2011 6:28 PM

Answers

  • The nice support team at Microsoft contacted me (Thanks Faron and Jeramy) and helped discover the issue.  Malware apparently targeted a registry key that was never cleaned up, including these keys that needed to be deleted:

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

       MpCmdRun.exe
         C:\WINDOWS\system32\svchost.exe
         Generic Host Process for Win32 Services
         (Verified) Microsoft Windows Component Publisher
         5.1.2600.5512
         c:\windows\system32\svchost.exe

       MSASCui.exe
         C:\WINDOWS\system32\svchost.exe
         Generic Host Process for Win32 Services
         (Verified) Microsoft Windows Component Publisher
         5.1.2600.5512
         c:\windows\system32\svchost.exe

       MsMpEng.exe
         C:\WINDOWS\system32\svchost.exe
         Generic Host Process for Win32 Services
         (Verified) Microsoft Windows Component Publisher
         5.1.2600.5512
         c:\windows\system32\svchost.exe

    Everything installed and updated without a restart after the keys were removed!


    Marjorie
    • Marked as answer by msmenacker Thursday, November 10, 2011 8:35 PM
    Thursday, November 10, 2011 8:35 PM
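
    The check described in the answer above, as an added example that is not part of the original thread or any Microsoft tooling: it lists every Image File Execution Options subkey that carries a Debugger value and flags the three antimalware binaries named in the answer. It assumes the redirection to svchost.exe was made through the IFEO Debugger value; the `-Remove` switch and the `$BackupDir` location are hypothetical names chosen for this example.

```powershell
# Added example: audit Image File Execution Options (IFEO) for Debugger
# redirections that stop antimalware binaries from starting.
# Run from an elevated prompt. Uses only cmdlets available in PowerShell 2.0.
param(
    [switch]$Remove,                                  # hypothetical switch: delete flagged keys
    [string]$BackupDir = "$env:TEMP\ifeo-backup"      # hypothetical backup location
)

# Native view plus the 32-bit view that exists on 64-bit Windows.
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# Executable names taken from the answer above.
$watch = 'MpCmdRun.exe', 'MSASCui.exe', 'MsMpEng.exe'

function Get-IfeoDebugger {
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root | ForEach-Object {
            # Debugger is absent on most subkeys; the property read then yields $null.
            $dbg = (Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue).Debugger
            if ($dbg) {
                New-Object PSObject -Property @{
                    Image             = $_.PSChildName
                    Debugger          = $dbg
                    KeyPath           = $_.Name      # HKEY_LOCAL_MACHINE\... form, accepted by reg.exe
                    ProviderPath      = $_.PSPath
                    AntimalwareBinary = ($watch -contains $_.PSChildName)   # case-insensitive match
                }
            }
        }
    }
}

$hits = @(Get-IfeoDebugger)
if ($hits.Count -eq 0) {
    Write-Output 'No IFEO Debugger values found.'
} else {
    $hits | Sort-Object Image | Format-Table Image, Debugger, AntimalwareBinary -AutoSize
}

if ($Remove) {
    $targets = @($hits | Where-Object { $_.AntimalwareBinary })
    if ($targets.Count -gt 0 -and -not (Test-Path -LiteralPath $BackupDir)) {
        New-Item -ItemType Directory -Path $BackupDir | Out-Null
    }
    $i = 0
    foreach ($t in $targets) {
        $i++
        # Export each key to a unique .reg file before deleting it.
        $stamp = Get-Date -Format yyyyMMddHHmmss
        $file  = Join-Path $BackupDir ("{0}-{1}-{2}.reg" -f $t.Image, $stamp, $i)
        & reg.exe export $t.KeyPath $file | Out-Null
        if ($LASTEXITCODE -eq 0) {
            Remove-Item -LiteralPath $t.ProviderPath -Recurse
            Write-Output ("Removed {0} (backup: {1})" -f $t.KeyPath, $file)
        } else {
            Write-Warning ("Backup failed for {0}; key left in place" -f $t.KeyPath)
        }
    }
}
```

    Debugger values on other images can be legitimate (a task manager replacement, for instance), so the script only reports those and removes nothing unless `-Remove` is given, and then only the three keys named in the answer.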

All replies

  • Hi,

    Is error 1603 located in your log file? If so, look at these links: http://support.microsoft.com/kb/834484/en-us ; http://www.symantec.com/connect/articles/understanding-error-1603-fatal-error-during-installation


    Bechir Gharbi | http://myitforum.com/cs2/blogs/bgharbi/ | Time zone : GMT+1
    Tuesday, November 1, 2011 7:37 AM
  • Hi Marjorie,

    Thank you for your post.

    Please try the steps below:
    1. Check the prerequisites for the FEP client:
       - Windows Installer 3.1 or later versions
       - Secondary Logon service must not be disabled
    2. Try this troubleshooting article:
       - Ensure that the Windows Installer service is running
       - Start Windows in Selective Startup mode
    3. Run the Windows Installer CleanUp Utility (KB2438651) to check whether McAfee uninstalled cleanly

    Regards,
    Rick Tan

    Tuesday, November 1, 2011 7:51 AM
    Moderator
  • Thanks for your responses.  The client seems to install successfully, but then immediately starts uninstalling.  I have tried the 3 items Rick suggested from technet: http://technet.microsoft.com/en-us/library/ff823833.aspx

    Here is the end of MSSecurityClient_setup_epp_install.log (I just ran it again from the SCCM advertisement)

    Action start 8:27:02: InstallFinalize.
    MSI (s) (AC:A4) [08:27:02:875]: Executing op: ProductInfo(ProductKey={54B6DC7D-8C5B-4DFB-BC15-C010A3326B2B},ProductName=Microsoft Security Client,PackageName=epp.msi,Language=1033,Version=33621084,Assignment=1,ObsoleteArg=0,,,PackageCode={C48E7845-16F1-4FA2-B9FC-51502CDE8AE7},,,InstanceType=0,LUASetting=0,RemoteURTInstalls=0)
    MSI (s) (AC:A4) [08:27:02:875]: Executing op: DialogInfo(Type=0,Argument=1033)
    MSI (s) (AC:A4) [08:27:02:875]: Executing op: DialogInfo(Type=1,Argument=Microsoft Security Client)
    MSI (s) (AC:A4) [08:27:02:875]: Executing op: RollbackInfo(,RollbackAction=Rollback,RollbackDescription=Rolling back action:,RollbackTemplate=[1],CleanupAction=RollbackCleanup,CleanupDescription=Removing backup files,CleanupTemplate=File: [1])
    MSI (s) (AC:A4) [08:27:02:875]: Executing op: SetBaseline(Baseline=0,)
    MSI (s) (AC:A4) [08:27:02:875]: Executing op: SetBaseline(Baseline=1,)
    MSI (s) (AC:A4) [08:27:02:875]: Executing op: ActionStart(Name=RollbackEppShellLinks,,)
    MSI (s) (AC:A4) [08:27:02:875]: Executing op: CustomActionSchedule(Action=RollbackEppShellLinks,ActionType=3393,Source=BinaryData,Target=RemoveShellLinks,CustomActionData=c:\Program Files\Microsoft Security Client\|Microsoft Forefront Endpoint Protection|Microsoft Forefront Endpoint Protection)
    MSI (s) (AC:A4) [08:27:02:875]: Executing op: ActionStart(Name=CreateEppShellLinks,,)
    MSI (s) (AC:A4) [08:27:02:875]: Executing op: CustomActionSchedule(Action=CreateEppShellLinks,ActionType=3073,Source=BinaryData,Target=CreateShellLinks,CustomActionData=c:\Program Files\Microsoft Security Client\|Microsoft Forefront Endpoint Protection|Microsoft Forefront Endpoint Protection)
    MSI (s) (AC:D8) [08:27:02:891]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI65.tmp, Entrypoint: CreateShellLinks
    MSI (s) (AC:A4) [08:27:02:999]: Executing op: ActionStart(Name=FepMofUnregisterRollBack,,)
    Custom Action Trace (GetCustomActionData): MsiGetProperty('CustomActionData') returns 'c:\Program Files\Microsoft Security Client\|Microsoft Forefront Endpoint Protection|Microsoft Forefront Endpoint Protection'
    MSI (s) (AC:A4) [08:27:03:014]: Executing op: CustomActionSchedule(Action=FepMofUnregisterRollBack,ActionType=9537,Source=BinaryData,Target=**********,CustomActionData=**********)
    MSI (s) (AC:A4) [08:27:03:014]: Executing op: ActionStart(Name=RegisterClientMofFile,,)
    MSI (s) (AC:A4) [08:27:03:014]: Executing op: CustomActionSchedule(Action=RegisterClientMofFile,ActionType=1025,Source=BinaryData,Target=CompileMofFromFile,CustomActionData=c:\Program Files\Microsoft Security Client\ClientWMIInstall.mof)
    MSI (s) (AC:00) [08:27:03:014]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI66.tmp, Entrypoint: CompileMofFromFile
    Custom Action Trace (CompileMofFromFile): Enter Function CompileMofFromFile
    Custom Action Trace (CompileMofFromFile): COM initialized with hr='0x0'
    Custom Action Trace (GetCustomActionData): MsiGetProperty('CustomActionData') returns 'c:\Program Files\Microsoft Security Client\ClientWMIInstall.mof'
    Custom Action Trace (CompileMof): CMofCompiler created
    Custom Action Trace (CompileMof): MOF Compiled with result = 0x0
    Custom Action Trace (ProcessCompileMofResult): Compiled successfully
    MSI (s) (AC:A4) [08:27:03:262]: Executing op: ActionStart(Name=RegisterAMMofFile,,)
    Custom Action Trace (CompileMofFromFile): Successfully exit Function CompileMofFromFile
    MSI (s) (AC:A4) [08:27:03:262]: Executing op: CustomActionSchedule(Action=RegisterAMMofFile,ActionType=1025,Source=BinaryData,Target=CompileMofFromFile,CustomActionData=c:\Program Files\Microsoft Security Client\AmMonitoringInstall.mof)
    MSI (s) (AC:38) [08:27:03:277]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI68.tmp, Entrypoint: CompileMofFromFile
    Custom Action Trace (CompileMofFromFile): Enter Function CompileMofFromFile
    Custom Action Trace (CompileMofFromFile): COM initialized with hr='0x0'
    Custom Action Trace (GetCustomActionData): MsiGetProperty('CustomActionData') returns 'c:\Program Files\Microsoft Security Client\AmMonitoringInstall.mof'
    Custom Action Trace (CompileMof): CMofCompiler created
    Custom Action Trace (CompileMof): MOF Compiled with result = 0x0
    Custom Action Trace (ProcessCompileMofResult): Compiled successfully
    MSI (s) (AC:A4) [08:27:03:586]: Executing op: ActionStart(Name=MpProviderInstallMofFile,,)
    Custom Action Trace (CompileMofFromFile): Successfully exit Function CompileMofFromFile
    MSI (s) (AC:A4) [08:27:03:586]: Executing op: CustomActionSchedule(Action=MpProviderInstallMofFile,ActionType=1025,Source=BinaryData,Target=CompileMofFromFile,CustomActionData=c:\Program Files\Microsoft Security Client\AmStatusInstall.mof)
    MSI (s) (AC:D0) [08:27:03:586]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI6A.tmp, Entrypoint: CompileMofFromFile
    Custom Action Trace (CompileMofFromFile): Enter Function CompileMofFromFile
    Custom Action Trace (CompileMofFromFile): COM initialized with hr='0x0'
    Custom Action Trace (GetCustomActionData): MsiGetProperty('CustomActionData') returns 'c:\Program Files\Microsoft Security Client\AmStatusInstall.mof'
    Custom Action Trace (CompileMof): CMofCompiler created
    Custom Action Trace (CompileMof): MOF Compiled with result = 0x0
    Custom Action Trace (ProcessCompileMofResult): Compiled successfully
    MSI (s) (AC:A4) [08:27:03:710]: Executing op: ActionStart(Name=FirewallConfigurationNamespaceMofFile,,)
    Custom Action Trace (CompileMofFromFile): Successfully exit Function CompileMofFromFile
    MSI (s) (AC:A4) [08:27:03:710]: Executing op: CustomActionSchedule(Action=FirewallConfigurationNamespaceMofFile,ActionType=1025,Source=BinaryData,Target=CompileMofFromFile,CustomActionData=c:\Program Files\Microsoft Security Client\FirewallConfigurationNamespace.mof)
    MSI (s) (AC:44) [08:27:03:710]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI6C.tmp, Entrypoint: CompileMofFromFile
    Custom Action Trace (CompileMofFromFile): Enter Function CompileMofFromFile
    Custom Action Trace (CompileMofFromFile): COM initialized with hr='0x0'
    Custom Action Trace (GetCustomActionData): MsiGetProperty('CustomActionData') returns 'c:\Program Files\Microsoft Security Client\FirewallConfigurationNamespace.mof'
    Custom Action Trace (CompileMof): CMofCompiler created
    Custom Action Trace (CompileMof): MOF Compiled with result = 0x0
    Custom Action Trace (ProcessCompileMofResult): Compiled successfully
    MSI (s) (AC:A4) [08:27:04:050]: Executing op: ActionStart(Name=FirewallConfigurationProviderMofFile,,)
    Custom Action Trace (CompileMofFromFile): Successfully exit Function CompileMofFromFile
    MSI (s) (AC:A4) [08:27:04:050]: Executing op: CustomActionSchedule(Action=FirewallConfigurationProviderMofFile,ActionType=1025,Source=BinaryData,Target=CompileMofFromFile,CustomActionData=c:\Program Files\Microsoft Security Client\FirewallConfigurationProvider.mof)
    MSI (s) (AC:58) [08:27:04:050]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI6E.tmp, Entrypoint: CompileMofFromFile
    Custom Action Trace (CompileMofFromFile): Enter Function CompileMofFromFile
    Custom Action Trace (CompileMofFromFile): COM initialized with hr='0x0'
    Custom Action Trace (GetCustomActionData): MsiGetProperty('CustomActionData') returns 'c:\Program Files\Microsoft Security Client\FirewallConfigurationProvider.mof'
    Custom Action Trace (CompileMof): CMofCompiler created
    Custom Action Trace (CompileMof): MOF Compiled with result = 0x0
    Custom Action Trace (ProcessCompileMofResult): Compiled successfully
    MSI (s) (AC:A4) [08:27:04:421]: Executing op: ActionStart(Name=FirewallConfigurationProfileMofFile,,)
    Custom Action Trace (CompileMofFromFile): Successfully exit Function CompileMofFromFile
    MSI (s) (AC:A4) [08:27:04:421]: Executing op: CustomActionSchedule(Action=FirewallConfigurationProfileMofFile,ActionType=1025,Source=BinaryData,Target=CompileMofFromFile,CustomActionData=c:\Program Files\Microsoft Security Client\FirewallConfigurationProfile.mof)
    MSI (s) (AC:64) [08:27:04:421]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI70.tmp, Entrypoint: CompileMofFromFile
    Custom Action Trace (CompileMofFromFile): Enter Function CompileMofFromFile
    Custom Action Trace (CompileMofFromFile): COM initialized with hr='0x0'
    Custom Action Trace (GetCustomActionData): MsiGetProperty('CustomActionData') returns 'c:\Program Files\Microsoft Security Client\FirewallConfigurationProfile.mof'
    Custom Action Trace (CompileMof): CMofCompiler created
    Custom Action Trace (CompileMof): MOF Compiled with result = 0x0
    Custom Action Trace (ProcessCompileMofResult): Compiled successfully
    MSI (s) (AC:A4) [08:27:04:808]: Executing op: ActionStart(Name=FirewallConfigurationRuleMofFile,,)
    Custom Action Trace (CompileMofFromFile): Successfully exit Function CompileMofFromFile
    MSI (s) (AC:A4) [08:27:04:808]: Executing op: CustomActionSchedule(Action=FirewallConfigurationRuleMofFile,ActionType=1025,Source=BinaryData,Target=CompileMofFromFile,CustomActionData=c:\Program Files\Microsoft Security Client\FirewallConfigurationRule.mof)
    MSI (s) (AC:DC) [08:27:04:808]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI72.tmp, Entrypoint: CompileMofFromFile
    Custom Action Trace (CompileMofFromFile): Enter Function CompileMofFromFile
    Custom Action Trace (CompileMofFromFile): COM initialized with hr='0x0'
    Custom Action Trace (GetCustomActionData): MsiGetProperty('CustomActionData') returns 'c:\Program Files\Microsoft Security Client\FirewallConfigurationRule.mof'
    Custom Action Trace (CompileMof): CMofCompiler created
    Custom Action Trace (CompileMof): MOF Compiled with result = 0x0
    Custom Action Trace (ProcessCompileMofResult): Compiled successfully
    MSI (s) (AC:A4) [08:27:04:931]: Executing op: ActionStart(Name=FirewallStateProviderInstallMofFile,,)
    Custom Action Trace (CompileMofFromFile): Successfully exit Function CompileMofFromFile
    MSI (s) (AC:A4) [08:27:04:931]: Executing op: CustomActionSchedule(Action=FirewallStateProviderInstallMofFile,ActionType=1025,Source=BinaryData,Target=CompileMofFromFile,CustomActionData=c:\Program Files\Microsoft Security Client\FirewallStateInstall.mof)
    MSI (s) (AC:E4) [08:27:04:931]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI74.tmp, Entrypoint: CompileMofFromFile
    Custom Action Trace (CompileMofFromFile): Enter Function CompileMofFromFile
    Custom Action Trace (CompileMofFromFile): COM initialized with hr='0x0'
    Custom Action Trace (GetCustomActionData): MsiGetProperty('CustomActionData') returns 'c:\Program Files\Microsoft Security Client\FirewallStateInstall.mof'
    Custom Action Trace (CompileMof): CMofCompiler created
    Custom Action Trace (CompileMof): MOF Compiled with result = 0x0
    Custom Action Trace (ProcessCompileMofResult): Compiled successfully
    MSI (s) (AC:A4) [08:27:05:163]: Executing op: ActionStart(Name=PolicyInstall,,)
    Custom Action Trace (CompileMofFromFile): Successfully exit Function CompileMofFromFile
    MSI (s) (AC:A4) [08:27:05:163]: Executing op: CustomActionSchedule(Action=PolicyInstall,ActionType=1089,Source=BinaryData,Target=CAQuietExec,CustomActionData="c:\Program Files\Microsoft Security Client\ConfigSecurityPolicy.exe" "C:\WINDOWS\system32\CCM\Cache\VFB001CD.27.System\Policies\County Desktop Policy.xml")
    MSI (s) (AC:08) [08:27:05:163]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI76.tmp, Entrypoint: CAQuietExec
    MSI (s) (AC:A4) [08:27:06:601]: Executing op: End(Checksum=0,ProgressTotalHDWord=0,ProgressTotalLDWord=0)
    CAQuietExec:  Microsoft Security Client successfully applied policy: "County Desktop Policy".
    MSI (s) (AC:A4) [08:27:06:601]: User policy value 'DisableRollback' is 0
    MSI (s) (AC:A4) [08:27:06:601]: Machine policy value 'DisableRollback' is 0
    MSI (s) (AC:A4) [08:27:06:601]: No System Restore sequence number for this installation.
    MSI (s) (AC:A4) [08:27:06:601]: Unlocking Server
    MSI (s) (AC:A4) [08:27:06:601]: PROPERTY CHANGE: Deleting UpdateStarted property. Its current value is '1'.
    Action ended 8:27:06: InstallFinalize. Return value 1.
    Action ended 8:27:06: INSTALL. Return value 1.
    MSI (s) (AC:A4) [08:27:06:601]: Note: 1: 1707
    MSI (s) (AC:A4) [08:27:06:601]: Product: Microsoft Security Client -- Installation completed successfully.

    MSI (s) (AC:A4) [08:27:06:601]: Cleaning up uninstalled install packages, if any exist
    MSI (s) (AC:A4) [08:27:06:601]: MainEngineThread is returning 0
    MSI (s) (AC:88) [08:27:06:709]: Destroying RemoteAPI object.
    MSI (s) (AC:54) [08:27:06:709]: Custom Action Manager thread ending.
    === Logging stopped: 11/1/2011  8:27:06 ===
    MSI (c) (AC:CC) [08:27:06:709]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied.  Counter after decrement: -1
    MSI (c) (AC:CC) [08:27:06:709]: MainEngineThread is returning 0
    === Verbose logging stopped: 11/1/2011  8:27:06 ===

    This is the beginning of the MSSecurityMSSecurityClient_setup_epp_uninstall.log

    === Verbose logging started: 11/1/2011  8:27:41  Build type: SHIP UNICODE 3.01.4001.5512  Calling process: c:\cb8b172fc5b1ebe8745665f8\x86\Setup.exe ===
    MSI (c) (AC:6C) [08:27:41:420]: Resetting cached policy values
    MSI (c) (AC:6C) [08:27:41:420]: Machine policy value 'Debug' is 0
    MSI (c) (AC:6C) [08:27:41:420]: ******* RunEngine:
               ******* Product: {54B6DC7D-8C5B-4DFB-BC15-C010A3326B2B}
               ******* Action:
               ******* CommandLine: **********
    MSI (c) (AC:6C) [08:27:41:420]: Client-side and UI is none or basic: Running entire install on the server.
    MSI (c) (AC:6C) [08:27:41:420]: Grabbed execution mutex.
    MSI (c) (AC:6C) [08:27:41:420]: Cloaking enabled.
    MSI (c) (AC:6C) [08:27:41:420]: Attempting to enable all disabled priveleges before calling Install on Server
    MSI (c) (AC:6C) [08:27:41:420]: Incrementing counter to disable shutdown. Counter after increment: 0
    MSI (s) (AC:88) [08:27:41:420]: Grabbed execution mutex.
    MSI (s) (AC:F0) [08:27:41:420]: Resetting cached policy values
    MSI (s) (AC:F0) [08:27:41:420]: Machine policy value 'Debug' is 0
    MSI (s) (AC:F0) [08:27:41:420]: ******* RunEngine:
               ******* Product: {54B6DC7D-8C5B-4DFB-BC15-C010A3326B2B}
               ******* Action:
               ******* CommandLine: **********
    MSI (s) (AC:F0) [08:27:41:420]: Machine policy value 'DisableUserInstalls' is 0
    MSI (s) (AC:F0) [08:27:41:420]: End dialog not enabled
    MSI (s) (AC:F0) [08:27:41:420]: Original package ==> c:\WINDOWS\Installer\143793.msi
    MSI (s) (AC:F0) [08:27:41:420]: Package we're running from ==> c:\WINDOWS\Installer\143793.msi
    MSI (s) (AC:F0) [08:27:41:420]: APPCOMPAT: looking for appcompat database entry with ProductCode '{54B6DC7D-8C5B-4DFB-BC15-C010A3326B2B}'.
    MSI (s) (AC:F0) [08:27:41:420]: APPCOMPAT: no matching ProductCode found in database.
    MSI (s) (AC:F0) [08:27:41:420]: MSCOREE not loaded loading copy from system32
    MSI (s) (AC:F0) [08:27:41:420]: Machine policy value 'DisablePatch' is 0
    MSI (s) (AC:F0) [08:27:41:420]: Machine policy value 'AllowLockdownPatch' is 0
    MSI (s) (AC:F0) [08:27:41:420]: Machine policy value 'DisableLUAPatching' is 0
    MSI (s) (AC:F0) [08:27:41:420]: Machine policy value 'DisableFlyWeightPatching' is 0
    MSI (s) (AC:F0) [08:27:41:420]: APPCOMPAT: looking for appcompat database entry with ProductCode '{54B6DC7D-8C5B-4DFB-BC15-C010A3326B2B}'.
    MSI (s) (AC:F0) [08:27:41:420]: APPCOMPAT: no matching ProductCode found in database.
    MSI (s) (AC:F0) [08:27:41:420]: Transforms are not secure.
    MSI (s) (AC:F0) [08:27:41:420]: Note: 1: 2205 2:  3: Control
    MSI (s) (AC:F0) [08:27:41:420]: Command Line: DEPLOYOEMFILES=0 ENABLEMANAGEMENT=1 INSTALLDIR=C:\Program Files\Microsoft Security Client OEMMODE=0 PRODUCT_DESCRIPTION=Microsoft Forefront Endpoint Protection PRODUCT_NAME=Microsoft Forefront Endpoint Protection REBOOT=ReallySuppress SECURITY_POLICY_LOCATION=C:\WINDOWS\system32\CCM\Cache\VFB001CD.27.System\Policies\County Desktop Policy.xml REMOVE=ALL CURRENTDIRECTORY=c:\cb8b172fc5b1ebe8745665f8\x86 CLIENTUILEVEL=3 CLIENTPROCESSID=3244
    MSI (s) (AC:F0) [08:27:41:420]: PROPERTY CHANGE: Adding PackageCode property. Its value is '{C48E7845-16F1-4FA2-B9FC-51502CDE8AE7}'.
    MSI (s) (AC:F0) [08:27:41:420]: Product Code passed to Engine.Initialize:           '{54B6DC7D-8C5B-4DFB-BC15-C010A3326B2B}'
    MSI (s) (AC:F0) [08:27:41:420]: Product Code from property table before transforms: '{54B6DC7D-8C5B-4DFB-BC15-C010A3326B2B}'
    MSI (s) (AC:F0) [08:27:41:420]: Product Code from property table after transforms:  '{54B6DC7D-8C5B-4DFB-BC15-C010A3326B2B}'
    MSI (s) (AC:F0) [08:27:41:420]: Product registered: entering maintenance mode
    MSI (s) (AC:F0) [08:27:41:420]: PROPERTY CHANGE: Adding ProductState property. Its value is '5'.
    MSI (s) (AC:F0) [08:27:41:420]: PROPERTY CHANGE: Adding ProductToBeRegistered property. Its value is '1'.
    MSI (s) (AC:F0) [08:27:41:420]: Package name retrieved from configuration data: 'epp.msi'
    MSI (s) (AC:F0) [08:27:41:420]: Determined that existing product (either this product or the product being upgraded with a patch) is installed per-machine.

    Here is more of the EPPSetup.log:

    START 2011/11/01 08:26:59:582 TID:4032 PID:3244

    INFO 2011/11/01 08:26:59:582 TID:4032 PID:3244
    Log location [C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support]

    ERROR 2011/11/01 08:26:59:582 TID:4032 PID:3244
    Operation failed: Start WPP logging - Can't complete the Setup Wizard. An error has prevented Setup Wizard from continuing. Please restart your computer and try again. Error code:0x800700A1. The specified path is invalid.   [800700A1]

    INFO 2011/11/01 08:26:59:582 TID:4032 PID:3244
    Initializing WPP Logging with APP NAME[MSSESetup]

    SUCCESS 2011/11/01 08:26:59:597 TID:4032 PID:3244
    Starting setup...

    INFO 2011/11/01 08:26:59:597 TID:4032 PID:3244
    Current version number is '2.1.1116.0'

    INFO 2011/11/01 08:26:59:597 TID:4032 PID:3244
    Command line arguments: [/s /q  /policy "C:\WINDOWS\system32\CCM\Cache\VFB001CD.27.System\Policies\County Desktop Policy.xml"]

    INFO 2011/11/01 08:26:59:597 TID:4032 PID:3244
    Setup type is 0x2

    INFO 2011/11/01 08:26:59:613 TID:4032 PID:3244
    Market set to 'en-us'

    INFO 2011/11/01 08:26:59:613 TID:4032 PID:3244
    Internal brand name is 'FEP 2010'

    INFO 2011/11/01 08:26:59:613 TID:4032 PID:3244
    Processor Architecture: x86

    INFO 2011/11/01 08:26:59:613 TID:4032 PID:3244
    OS type: 4

    INFO 2011/11/01 08:26:59:613 TID:4032 PID:3244
    OS friendly name: Microsoft Windows XP

    INFO 2011/11/01 08:26:59:613 TID:4032 PID:3244
    Attempt to run Install scenario

    INFO 2011/11/01 08:26:59:721 TID:4032 PID:3244
    Operation finished: MorroBootstraper::CInstallFlow::InternalRun - GetInstallPrequalChecksAction

    INFO 2011/11/01 08:26:59:721 TID:4032 PID:3244
    Operation finished: MorroBootstraper::CInstallFlow::InternalRun - GetSqmOptInAction

    INFO 2011/11/01 08:26:59:798 TID:4032 PID:3244
    Operation finished: MorroBootstraper::CInstallFlow::InternalRun - GetWmiInfrastructureCheckAction

    INFO 2011/11/01 08:26:59:937 TID:4032 PID:3244
    Operation finished: MorroBootstraper::CInstallFlow::InternalRun - GetCompetitiveAppRemoveAction

    INFO 2011/11/01 08:26:59:937 TID:4032 PID:3244
    Operation finished: MorroBootstraper::CInstallFlow::InternalRun - GetInstallNisPrequal

    INFO 2011/11/01 08:26:59:937 TID:4032 PID:3244
    Operation finished: MorroBootstraper::CInstallFlow::InternalRun - GetClientLocUninstallPackage

    INFO 2011/11/01 08:26:59:937 TID:4032 PID:3244
    Operation finished: MorroBootstraper::CInstallFlow::InternalRun - GetClientUninstallAction

    INFO 2011/11/01 08:26:59:953 TID:4032 PID:3244
    Operation finished: MorroBootstraper::CInstallFlow::InternalRun - GetAMUninstallAction

    INFO 2011/11/01 08:26:59:953 TID:4032 PID:3244
    Operation finished: MorroBootstraper::CInstallFlow::InternalRun - GetAMLocUninstallAction

    INFO 2011/11/01 08:26:59:953 TID:4032 PID:3244
    Operation finished: MorroBootstraper::CInstallFlow::InternalRun - GetUninstallExternalPackagesAction

    INFO 2011/11/01 08:26:59:953 TID:4032 PID:3244
    Operation finished: MorroBootstraper::CInstallFlow::InternalRun - GetClientLocMUIUninstallAction

    INFO 2011/11/01 08:26:59:953 TID:4032 PID:3244
    Operation finished: MorroBootstraper::CInstallFlow::InternalRun - GetAMLocMUIUninstallAction

    INFO 2011/11/01 08:26:59:968 TID:4032 PID:3244
    Operation finished: MorroBootstraper::CInstallFlow::InternalRun - GetCopyFileAction

    INFO 2011/11/01 08:27:01:082 TID:4032 PID:3244
    Operation finished: MorroBootstraper::CInstallFlow::InternalRun - GetDrWatsonInstallAction

    INFO 2011/11/01 08:27:06:709 TID:4032 PID:3244
    Operation finished: MorroBootstraper::CInstallFlow::InternalRun - GetClientInstallAction

    INFO 2011/11/01 08:27:06:709 TID:4032 PID:3244
    Operation finished: MorroBootstraper::CInstallFlow::InternalRun - GetClientLocInstallPackage

    ERROR 2011/11/01 08:27:41:404 TID:4032 PID:3244
    Operation failed: MorroBootstraper::CInstallFlow::InternalRun - GetAMInstallAction - Cannot complete the Forefront Endpoint Protection installation. An error has prevented the Forefront Endpoint Protection setup wizard from completing successfully. Please restart your computer and try again. Error code:0x80070643. Fatal error during installation.   [80070643]

    INFO 2011/11/01 08:27:41:404 TID:4032 PID:3244
    Performing Rollback

    INFO 2011/11/01 08:27:41:404 TID:4032 PID:3244
    Operation finished: MorroBootstraper::CInstallFlow::RollbackInstallation - GetBetaUninstallAction

    INFO 2011/11/01 08:27:41:420 TID:4032 PID:3244
    Operation finished: MorroBootstraper::CInstallFlow::RollbackInstallation - GetUninstallExternalPackagesAction

    INFO 2011/11/01 08:27:41:420 TID:4032 PID:3244
    Operation finished: MorroBootstraper::CInstallFlow::RollbackInstallation - GetAMLocUninstallAction

    INFO 2011/11/01 08:27:43:507 TID:4032 PID:3244
    Operation finished: MorroBootstraper::CInstallFlow::RollbackInstallation - GetClientUninstallAction

    INFO 2011/11/01 08:27:43:507 TID:4032 PID:3244
    Operation finished: MorroBootstraper::CInstallFlow::RollbackInstallation - GetClientLocMUIUninstallAction

    INFO 2011/11/01 08:27:43:507 TID:4032 PID:3244
    Operation finished: MorroBootstraper::CInstallFlow::RollbackInstallation - GetAMLocMUIUninstallAction

    INFO 2011/11/01 08:27:43:507 TID:4032 PID:3244
    Operation finished: MorroBootstraper::CInstallFlow::RollbackInstallation - GetClientLocUninstallPackage

    INFO 2011/11/01 08:27:43:523 TID:4032 PID:3244
    Operation finished: MorroBootstraper::CInstallFlow::RollbackInstallation - GetAMUninstallAction

    INFO 2011/11/01 08:27:43:523 TID:4032 PID:3244
    Operation finished: MorroBootstraper::CInstallFlow::RollbackInstallation - GetArpUninstallAction

    INFO 2011/11/01 08:27:44:932 TID:4032 PID:3244
    Operation finished: MorroBootstraper::CInstallFlow::RollbackInstallation - GetDrWatsonUninstallAction

    ERROR 2011/11/01 08:27:44:978 TID:4032 PID:3244
    Operation failed: Flow InternalRun - Cannot complete the Forefront Endpoint Protection installation. An error has prevented the Forefront Endpoint Protection setup wizard from completing successfully. Please restart your computer and try again. Error code:0x80070643. Fatal error during installation.   [80070643]

    ERROR 2011/11/01 08:27:44:978 TID:4032 PID:3244
    Operation failed: Setup - Cannot complete the Forefront Endpoint Protection installation. An error has prevented the Forefront Endpoint Protection setup wizard from completing successfully. Please restart your computer and try again. Error code:0x80070643. Fatal error during installation.   [80070643]

    INFO 2011/11/01 08:27:44:994 TID:4032 PID:3244
    Operation finished: Sending setup completed event to event log

    INFO 2011/11/01 08:27:44:994 TID:4032 PID:3244
    Stopping logging...

    FINISH 2011/11/01 08:27:44:994 TID:4032 PID:3244

    So it appears to install, but then uninstalls itself right away.


    Marjorie
    Tuesday, November 1, 2011 1:09 PM
  • Here is another log file I just noticed, which reports being unable to start the service.  The user has admin rights on the local machine, and again, the install is running through the Config Manager client.  Included is the portion referring to the service in bold, and the subsequent removal:

    MSSecurityClient_Setup_mp_ambits_Install.log

    MSI (s) (AC:DC) [08:27:10:590]: Executing op: ActionStart(Name=InstallServices,Description=Installing new services,Template=Service: [2])
    WIXFXCA: SetEDTValue: INFO: end.
    MSI (s) (AC:DC) [08:27:10:590]: Executing op: ProgressTotal(Total=1,Type=1,ByteEquivalent=1300000)
    MSI (s) (AC:DC) [08:27:10:590]: Executing op: ServiceInstall(Name=MsMpSvc,DisplayName=Microsoft Antimalware Service,ImagePath="c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe",ServiceType=16,StartType=2,ErrorControl=1,LoadOrderGroup=COM Infrastructure,Dependencies=RpcSs[~][~],,,Password=**********,Description=Helps protect users from malware and other potentially unwanted software)
    MSI (s) (AC:DC) [08:27:10:621]: Executing op: ActionStart(Name=ExecSecureObjects,,)
    MSI (s) (AC:DC) [08:27:10:621]: Executing op: CustomActionSchedule(Action=ExecSecureObjects,ActionType=3073,Source=BinaryData,Target=ExecSecureObjects,CustomActionData=MsMpSvc?ServiceInstall??Users?131485)
    MSI (s) (AC:24) [08:27:10:621]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI89.tmp, Entrypoint: ExecSecureObjects
    ExecSecureObjects:  Securing Object: MsMpSvc Type: ServiceInstall User: Users
    MSI (s) (AC:DC) [08:27:10:637]: Executing op: ActionStart(Name=RollbackServiceConfig,,)
    MSI (s) (AC:DC) [08:27:10:637]: Executing op: CustomActionSchedule(Action=RollbackServiceConfig,ActionType=3329,Source=BinaryData,Target=RollbackServiceConfig,CustomActionData=SchedServiceConfig)
    MSI (s) (AC:DC) [08:27:10:652]: Executing op: ActionStart(Name=ExecServiceConfig,,)
    MSI (s) (AC:DC) [08:27:10:652]: Executing op: CustomActionSchedule(Action=ExecServiceConfig,ActionType=3073,Source=BinaryData,Target=ExecServiceConfig,CustomActionData=SchedServiceConfig?MsMpSvc?1?restart?restart?none?1?15??)
    MSI (s) (AC:E4) [08:27:10:652]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI8A.tmp, Entrypoint: ExecServiceConfig
    ExecServiceConfig:  Configuring Service: MsMpSvc
    MSI (s) (AC:DC) [08:27:10:683]: Executing op: ActionStart(Name=CollectErrorLogFiles,,)
    MSI (s) (AC:DC) [08:27:10:683]: Executing op: CustomActionSchedule(Action=CollectErrorLogFiles,ActionType=3393,Source=BinaryData,Target=CollectErrorLogFiles,CustomActionData=c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Support\)
    MSI (s) (AC:DC) [08:27:10:683]: Executing op: ActionStart(Name=StartServices,Description=Starting services,Template=Service: [1])
    MSI (s) (AC:DC) [08:27:10:683]: Executing op: ProgressTotal(Total=1,Type=1,ByteEquivalent=1300000)
    MSI (s) (AC:DC) [08:27:10:683]: Executing op: ServiceControl(,Name=MsMpSvc,Action=1,,)
    MSI (s) (AC:DC) [08:27:41:095]: Product: Microsoft Antimalware -- Error 1920. Service 'Microsoft Antimalware Service' (MsMpSvc) failed to start.  Verify that you have sufficient privileges to start system services.

    MSI (s) (AC:DC) [08:27:41:111]: User policy value 'DisableRollback' is 0
    MSI (s) (AC:DC) [08:27:41:111]: Machine policy value 'DisableRollback' is 0
    Action ended 8:27:41: InstallExecute. Return value 3.
    MSI (s) (AC:DC) [08:27:41:111]: Executing op: Header(Signature=1397708873,Version=301,Timestamp=1063338853,LangId=1033,Platform=0,ScriptType=2,ScriptMajorVersion=21,ScriptMinorVersion=4,ScriptAttributes=1)
    MSI (s) (AC:DC) [08:27:41:111]: Executing op: DialogInfo(Type=0,Argument=1033)
    MSI (s) (AC:DC) [08:27:41:111]: Executing op: DialogInfo(Type=1,Argument=Microsoft Antimalware)
    MSI (s) (AC:DC) [08:27:41:111]: Executing op: RollbackInfo(,RollbackAction=Rollback,RollbackDescription=Rolling back action:,RollbackTemplate=[1],CleanupAction=RollbackCleanup,CleanupDescription=Removing backup files,CleanupTemplate=File: [1])
    MSI (s) (AC:DC) [08:27:41:111]: Executing op: ActionStart(Name=StartServices,Description=Starting services,Template=Service: [1])
    MSI (s) (AC:DC) [08:27:41:111]: Executing op: ProductInfo(ProductKey={05BFB060-4F22-4710-B0A2-2801A1B606C5},ProductName=Microsoft Antimalware,PackageName=mp_ambits.msi,Language=1033,Version=50340050,Assignment=1,ObsoleteArg=0,,,PackageCode={C28D81E6-5EE9-468C-8EC2-C151C0325C2F},,,InstanceType=0,LUASetting=0,RemoteURTInstalls=0)
    MSI (s) (AC:DC) [08:27:41:111]: Executing op: ActionStart(Name=CollectErrorLogFiles,,)
    MSI (s) (AC:DC) [08:27:41:111]: Executing op: CustomActionRollback(Action=CollectErrorLogFiles,ActionType=3393,Source=BinaryData,Target=CollectErrorLogFiles,CustomActionData=c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Support\)
    MSI (s) (AC:BC) [08:27:41:111]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI8B.tmp, Entrypoint: CollectErrorLogFiles
    WIXFXCA: CollectErrorLogFiles: INFO: begin.
    WIXFXCA: CollectErrorLogFiles: INFO: Reading files from 'c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Support\'
    WIXFXCA: CollectErrorLogFiles: ERROR: HrCollectErrorLogFiles failed, code 0x80070002
    WIXFXCA: CollectErrorLogFiles: INFO: end.
    WIXFXCA: CollectErrorLogFiles: ERROR: CollectErrorLogFiles failed, code 0x80070002
    MSI (s) (AC:DC) [08:27:41:111]: Executing op: ActionStart(Name=ExecServiceConfig,,)
    MSI (s) (AC:DC) [08:27:41:111]: Executing op: ActionStart(Name=RollbackServiceConfig,,)
    MSI (s) (AC:DC) [08:27:41:111]: Executing op: CustomActionRollback(Action=RollbackServiceConfig,ActionType=3329,Source=BinaryData,Target=RollbackServiceConfig,CustomActionData=SchedServiceConfig)
    MSI (s) (AC:84) [08:27:41:126]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI8C.tmp, Entrypoint: RollbackServiceConfig
    MSI (s) (AC:DC) [08:27:41:126]: Executing op: ActionStart(Name=ExecSecureObjects,,)
    MSI (s) (AC:DC) [08:27:41:126]: Executing op: ActionStart(Name=InstallServices,Description=Installing new services,Template=Service: [2])
    MSI (s) (AC:DC) [08:27:41:126]: Executing op: ServiceControl(,Name=MsMpSvc,Action=8,,)
    MSI (s) (AC:DC) [08:27:41:126]: Executing op: ActionStart(Name=SetEDTValue,,)
    MSI (s) (AC:DC) [08:27:41:126]: Executing op: ActionStart(Name=WriteRegistryValues,Description=Writing system registry values,Template=Key: [1], Name: [2], Value: [3])
    MSI (s) (AC:DC) [08:27:41:126]: Executing op: RegOpenKey(Root=-2147483646,Key=System\CurrentControlSet\Services\FltMgr,,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:126]: Executing op: RegRemoveValue(Name=AttachWhenLoaded,Value=#1,)
    MSI (s) (AC:DC) [08:27:41:126]: Executing op: RegAddValue(Name=AttachWhenLoaded,Value=#0,)
    MSI (s) (AC:DC) [08:27:41:126]: Executing op: RegOpenKey(Root=-2147483646,Key=SYSTEM\CurrentControlSet\Services\MsMpSvc,,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:126]: Executing op: RegCreateKey()
    MSI (s) (AC:DC) [08:27:41:126]: Executing op: RegRemoveValue(Name=RequiredPrivileges,Value=SeLoadDriverPrivilege[~]SeImpersonatePrivilege[~]SeBackupPrivilege[~]SeRestorePrivilege[~]SeDebugPrivilege[~]SeChangeNotifyPrivilege[~]SeSecurityPrivilege[~]SeShutdownPrivilege[~]SeIncreaseQuotaPrivilege[~]SeAssignPrimaryTokenPrivilege,)
    MSI (s) (AC:DC) [08:27:41:126]: Executing op: RegCreateKey()
    MSI (s) (AC:DC) [08:27:41:126]: Executing op: RegRemoveValue(Name=ServiceSidType,Value=#1,)
    MSI (s) (AC:DC) [08:27:41:126]: Executing op: RegRemoveKey()
    MSI (s) (AC:DC) [08:27:41:126]: Executing op: RegOpenKey(Root=-2147483646,Key=SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft Antimalware,,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:126]: Executing op: RegCreateKey()
    MSI (s) (AC:DC) [08:27:41:126]: Executing op: RegRemoveValue(Name=TypesSupported,Value=#7,)
    MSI (s) (AC:DC) [08:27:41:126]: Executing op: RegCreateKey()
    MSI (s) (AC:DC) [08:27:41:126]: Executing op: RegRemoveValue(Name=ParameterMessageFile,Value=c:\Program Files\Microsoft Security Client\Antimalware\MpEvMsg.dll,)
    MSI (s) (AC:DC) [08:27:41:126]: Executing op: RegCreateKey()
    MSI (s) (AC:DC) [08:27:41:126]: Executing op: RegRemoveValue(Name=EventMessageFile,Value=c:\Program Files\Microsoft Security Client\Antimalware\MpEvMsg.dll,)
    MSI (s) (AC:DC) [08:27:41:126]: Executing op: RegRemoveKey()
    MSI (s) (AC:DC) [08:27:41:126]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft Antimalware 3: 2
    MSI (s) (AC:DC) [08:27:41:126]: Executing op: RegOpenKey(Root=-2147483646,Key=SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MsMpSvc,,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:126]: Executing op: RegCreateKey()
    MSI (s) (AC:DC) [08:27:41:126]: Executing op: RegRemoveValue(,Value=Service,)
    MSI (s) (AC:DC) [08:27:41:126]: Executing op: RegRemoveKey()
    MSI (s) (AC:DC) [08:27:41:126]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MsMpSvc 3: 2
    MSI (s) (AC:DC) [08:27:41:126]: Executing op: RegOpenKey(Root=-2147483646,Key=SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc,,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:126]: Executing op: RegCreateKey()
    MSI (s) (AC:DC) [08:27:41:126]: Executing op: RegRemoveValue(,Value=Service,)
    MSI (s) (AC:DC) [08:27:41:126]: Executing op: RegRemoveKey()
    MSI (s) (AC:DC) [08:27:41:126]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc 3: 2
    MSI (s) (AC:DC) [08:27:41:126]: Executing op: RegOpenKey(Root=-2147483646,Key=SYSTEM\CurrentControlSet\Services\Eventlog\Application\MPSampleSubmission,,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:126]: Executing op: RegCreateKey()
    MSI (s) (AC:DC) [08:27:41:126]: Executing op: RegRemoveValue(Name=TypesSupported,Value=#7,)
    MSI (s) (AC:DC) [08:27:41:126]: Executing op: RegCreateKey()
    MSI (s) (AC:DC) [08:27:41:126]: Executing op: RegRemoveValue(Name=EventMessageFile,Value=c:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE,)
    MSI (s) (AC:DC) [08:27:41:126]: Executing op: RegRemoveKey()
    MSI (s) (AC:DC) [08:27:41:142]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\MPSampleSubmission 3: 2
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegOpenKey(Root=-2147483646,Key=Software\Microsoft\Windows\CurrentVersion\Policies\Attachments,,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegRemoveValue(Name=ScanWithAntiVirus,Value=#2,)
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegRemoveKey()
    MSI (s) (AC:DC) [08:27:41:142]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments 3: 2
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegOpenKey(Root=-2147483646,Key=SOFTWARE\Microsoft\Microsoft Antimalware\MpEngine,SecurityDescriptor=BinaryData,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegRemoveKey()
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegOpenKey(Root=-2147483646,Key=SOFTWARE\Microsoft\Microsoft Antimalware\Miscellaneous Configuration,SecurityDescriptor=BinaryData,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegRemoveKey()
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegOpenKey(Root=-2147483646,Key=SOFTWARE\Microsoft\Microsoft Antimalware\UX Configuration,,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegRemoveKey()
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegOpenKey(Root=-2147483646,Key=SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes,,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegRemoveKey()
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegOpenKey(Root=-2147483646,Key=SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths,,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegRemoveKey()
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegOpenKey(Root=-2147483646,Key=SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Extensions,,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegRemoveKey()
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegOpenKey(Root=-2147483646,Key=SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions,,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegRemoveKey()
    MSI (s) (AC:DC) [08:27:41:142]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions 3: 2
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegOpenKey(Root=-2147483646,Key=SOFTWARE\Microsoft\Microsoft Antimalware\Threats\ThreatSeverityDefaultAction,,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegRemoveKey()
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegOpenKey(Root=-2147483646,Key=SOFTWARE\Microsoft\Microsoft Antimalware\Threats\ThreatIDDefaultAction,,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegRemoveKey()
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegOpenKey(Root=-2147483646,Key=SOFTWARE\Microsoft\Microsoft Antimalware\Threats,,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegRemoveKey()
    MSI (s) (AC:DC) [08:27:41:142]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Threats 3: 2
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegOpenKey(Root=-2147483646,Key=SOFTWARE\Microsoft\Microsoft Antimalware\SpyNet,,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegCreateKey()
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegRemoveValue(Name=SpyNetReportingLocation,Value=[~]https://spynet2.microsoft.com/AntiMalwareServices/2/SpynetReportSrvc.asmx,)
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegRemoveKey()
    MSI (s) (AC:DC) [08:27:41:142]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\SpyNet 3: 2
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegOpenKey(Root=-2147483646,Key=SOFTWARE\Microsoft\Microsoft Antimalware\Quarantine,,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegRemoveKey()
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegOpenKey(Root=-2147483646,Key=SOFTWARE\Microsoft\Microsoft Antimalware\Scan,,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegRemoveKey()
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegOpenKey(Root=-2147483646,Key=SOFTWARE\Microsoft\Microsoft Antimalware\Real-Time Protection,,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegRemoveKey()
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegOpenKey(Root=-2147483646,Key=SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates,,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegCreateKey()
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegRemoveValue(Name=SignatureCategoryID,Value=a38c835c-2950-4e87-86cc-6911a52c34a3,)
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegRemoveKey()
    MSI (s) (AC:DC) [08:27:41:142]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates 3: 2
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegOpenKey(Root=-2147483646,Key=SOFTWARE\Microsoft\Microsoft Antimalware\Reporting,,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegCreateKey()
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegRemoveValue(Name=EventNotificationDelay,Value=#1200,)
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegCreateKey()
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegRemoveValue(Name=EventNotificationPath,Value=C:\Program Files\Microsoft Security Client\DcmNotifier.exe,)
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegRemoveKey()
    MSI (s) (AC:DC) [08:27:41:142]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Reporting 3: 2
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegOpenKey(Root=-2147483646,Key=SOFTWARE\Microsoft\Microsoft Antimalware,SecurityDescriptor=BinaryData,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegCreateKey()
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegRemoveValue(Name=RemediationExe,Value=C:\Program Files\Microsoft Security Client\msseces.exe,)
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegCreateKey()
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegRemoveValue(Name=ProductLocalizedName,Value=@C:\Program Files\Microsoft Security Client\EppManifest.dll,-1000,)
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegCreateKey()
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegRemoveValue(Name=ProductIcon,Value=@C:\Program Files\Microsoft Security Client\EppManifest.dll,-100,)
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegCreateKey()
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegRemoveValue(Name=ProductAppDataPath,Value=c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware,)
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegCreateKey()
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegRemoveValue(Name=InstallLocation,Value=c:\Program Files\Microsoft Security Client\Antimalware\,)
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegRemoveKey()
    MSI (s) (AC:DC) [08:27:41:142]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware 3: 2
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegOpenKey(,Key=CLSID\{2781761E-28E1-4109-99FE-B9D127C57AFE}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49},,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegRemoveKey()
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegOpenKey(,Key=CLSID\{2781761E-28E1-4109-99FE-B9D127C57AFE}\Implemented Categories,,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegRemoveKey()
    MSI (s) (AC:DC) [08:27:41:142]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2781761E-28E1-4109-99FE-B9D127C57AFE}\Implemented Categories 3: 2
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegOpenKey(,Key=CLSID\{2781761E-28E1-4109-99FE-B9D127C57AFE}\Hosts\urlmon,,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegRemoveValue(Name=Enable,Value=#1,)
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegCreateKey()
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegRemoveValue(,Value=ActiveX controls,)
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegRemoveKey()
    MSI (s) (AC:DC) [08:27:41:142]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2781761E-28E1-4109-99FE-B9D127C57AFE}\Hosts\urlmon 3: 2
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegOpenKey(,Key=CLSID\{2781761E-28E1-4109-99FE-B9D127C57AFE}\Hosts\shdocvw,,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegRemoveValue(Name=Enable,Value=#1,)
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegCreateKey()
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegRemoveValue(,Value=IAttachmentExecute,)
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegRemoveKey()
    MSI (s) (AC:DC) [08:27:41:142]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2781761E-28E1-4109-99FE-B9D127C57AFE}\Hosts\shdocvw 3: 2
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegOpenKey(,Key=CLSID\{2781761E-28E1-4109-99FE-B9D127C57AFE}\Hosts,,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegRemoveValue(,Value=Scanned Hosting Applications,)
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegRemoveKey()
    MSI (s) (AC:DC) [08:27:41:142]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2781761E-28E1-4109-99FE-B9D127C57AFE}\Hosts 3: 2
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegOpenKey(,Key=CLSID\{2781761E-28E1-4109-99FE-B9D127C57AFE}\InprocHandler32,,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:142]: Executing op: RegRemoveValue(,Value=c:\Program Files\Microsoft Security Client\Antimalware\MpOAV.dll,)
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegRemoveKey()
    MSI (s) (AC:DC) [08:27:41:157]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2781761E-28E1-4109-99FE-B9D127C57AFE}\InprocHandler32 3: 2
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegOpenKey(,Key=CLSID\{2781761E-28E1-4109-99FE-B9D127C57AFE},,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegRemoveValue(,Value=Microsoft Antimalware IOfficeAntiVirus implementation,)
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegCreateKey()
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegOpenKey(,Key=CLSID\{2781761E-28E1-4109-99FE-B9D127C57AFE}\InprocServer32,,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegRemoveValue(Name=ThreadingModel,Value=Both,)
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegCreateKey()
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegRemoveValue(,Value=c:\Program Files\Microsoft Security Client\Antimalware\MpOAv.dll,)
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegRemoveKey()
    MSI (s) (AC:DC) [08:27:41:157]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2781761E-28E1-4109-99FE-B9D127C57AFE}\InprocServer32 3: 2
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegOpenKey(,Key=TypeLib\{8C389764-F036-48F2-9AE2-88C260DCF400}\1.0\HELPDIR,,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegRemoveValue(,Value=c:\Program Files\Microsoft Security Client\Antimalware\,)
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegRemoveKey()
    MSI (s) (AC:DC) [08:27:41:157]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{8C389764-F036-48F2-9AE2-88C260DCF400}\1.0\HELPDIR 3: 2
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegOpenKey(,Key=TypeLib\{8C389764-F036-48F2-9AE2-88C260DCF400}\1.0\FLAGS,,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegRemoveValue(,Value=0,)
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegRemoveKey()
    MSI (s) (AC:DC) [08:27:41:157]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{8C389764-F036-48F2-9AE2-88C260DCF400}\1.0\FLAGS 3: 2
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegOpenKey(,Key=TypeLib\{8C389764-F036-48F2-9AE2-88C260DCF400}\1.0\0\win32,,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegRemoveValue(,Value=c:\Program Files\Microsoft Security Client\Antimalware\MsMpCom.dll,)
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegRemoveKey()
    MSI (s) (AC:DC) [08:27:41:157]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{8C389764-F036-48F2-9AE2-88C260DCF400}\1.0\0\win32 3: 2
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegOpenKey(,Key=TypeLib\{8C389764-F036-48F2-9AE2-88C260DCF400}\1.0,,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegRemoveValue(,Value=Microsoft AntiMalware 1.0 Type Library,)
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegRemoveKey()
    MSI (s) (AC:DC) [08:27:41:157]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{8C389764-F036-48F2-9AE2-88C260DCF400}\1.0 3: 2
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegOpenKey(,Key=Interface\{CDFED399-7999-4309-B064-1EDE04BC5800}\ProxyStubClsid32,,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegRemoveValue(,Value={00020424-0000-0000-C000-000000000046},)
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegRemoveKey()
    MSI (s) (AC:DC) [08:27:41:157]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Classes\Interface\{CDFED399-7999-4309-B064-1EDE04BC5800}\ProxyStubClsid32 3: 2
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegOpenKey(,Key=Interface\{CDFED399-7999-4309-B064-1EDE04BC5800}\TypeLib,,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegRemoveValue(Name=Version,Value=1.0,)
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegCreateKey()
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegRemoveValue(,Value={8C389764-F036-48F2-9AE2-88C260DCF400},)
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegRemoveKey()
    MSI (s) (AC:DC) [08:27:41:157]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Classes\Interface\{CDFED399-7999-4309-B064-1EDE04BC5800}\TypeLib 3: 2
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegOpenKey(,Key=Interface\{CDFED399-7999-4309-B064-1EDE04BC5800},,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegRemoveValue(,Value=IMsMpSimpleConfig,)
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegRemoveKey()
    MSI (s) (AC:DC) [08:27:41:157]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Classes\Interface\{CDFED399-7999-4309-B064-1EDE04BC5800} 3: 2
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegOpenKey(,Key=Interface\{E2D74550-8E41-460E-BB51-52E1F9522100}\ProxyStubClsid32,,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegRemoveValue(,Value={00020424-0000-0000-C000-000000000046},)
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegRemoveKey()
    MSI (s) (AC:DC) [08:27:41:157]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Classes\Interface\{E2D74550-8E41-460E-BB51-52E1F9522100}\ProxyStubClsid32 3: 2
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegOpenKey(,Key=Interface\{E2D74550-8E41-460E-BB51-52E1F9522100}\TypeLib,,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegRemoveValue(Name=Version,Value=1.0,)
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegCreateKey()
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegRemoveValue(,Value={8C389764-F036-48F2-9AE2-88C260DCF400},)
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegRemoveKey()
    MSI (s) (AC:DC) [08:27:41:157]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Classes\Interface\{E2D74550-8E41-460E-BB51-52E1F9522100}\TypeLib 3: 2
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegOpenKey(,Key=Interface\{E2D74550-8E41-460E-BB51-52E1F9522100},,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegRemoveValue(,Value=IMsMpClientUtils,)
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegRemoveKey()
    MSI (s) (AC:DC) [08:27:41:157]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Classes\Interface\{E2D74550-8E41-460E-BB51-52E1F9522100} 3: 2
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegOpenKey(,Key=Interface\{AC30C2BA-0109-403D-9D8E-140BB4703700}\ProxyStubClsid32,,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegRemoveValue(,Value={00020424-0000-0000-C000-000000000046},)
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegRemoveKey()
    MSI (s) (AC:DC) [08:27:41:157]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Classes\Interface\{AC30C2BA-0109-403D-9D8E-140BB4703700}\ProxyStubClsid32 3: 2
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegOpenKey(,Key=Interface\{AC30C2BA-0109-403D-9D8E-140BB4703700}\TypeLib,,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegRemoveValue(Name=Version,Value=1.0,)
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegCreateKey()
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegRemoveValue(,Value={8C389764-F036-48F2-9AE2-88C260DCF400},)
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegRemoveKey()
    MSI (s) (AC:DC) [08:27:41:157]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Classes\Interface\{AC30C2BA-0109-403D-9D8E-140BB4703700}\TypeLib 3: 2
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegOpenKey(,Key=Interface\{AC30C2BA-0109-403D-9D8E-140BB4703700},,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegRemoveValue(,Value=IMsMpComFactory,)
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegRemoveKey()
    MSI (s) (AC:DC) [08:27:41:157]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Classes\Interface\{AC30C2BA-0109-403D-9D8E-140BB4703700} 3: 2
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegOpenKey(,Key=CLSID\{546BF232-C9DD-4F28-8E38-30AE2D964D46}\Programmable,,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegRemoveKey()
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegOpenKey(,Key=CLSID\{546BF232-C9DD-4F28-8E38-30AE2D964D46}\Version,,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegRemoveValue(,Value=1.0,)
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegRemoveKey()
    MSI (s) (AC:DC) [08:27:41:157]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{546BF232-C9DD-4F28-8E38-30AE2D964D46}\Version 3: 2
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegOpenKey(,Key=CLSID\{546BF232-C9DD-4F28-8E38-30AE2D964D46}\TypeLib,,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegRemoveValue(,Value={8C389764-F036-48F2-9AE2-88C260DCF400},)
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegRemoveKey()
    MSI (s) (AC:DC) [08:27:41:157]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{546BF232-C9DD-4F28-8E38-30AE2D964D46}\TypeLib 3: 2
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegOpenKey(,Key=CLSID\{546BF232-C9DD-4F28-8E38-30AE2D964D46}\InprocHandler32,,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegRemoveValue(,Value=c:\Program Files\Microsoft Security Client\Antimalware\MsMpCom.dll,)
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegRemoveKey()
    MSI (s) (AC:DC) [08:27:41:157]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{546BF232-C9DD-4F28-8E38-30AE2D964D46}\InprocHandler32 3: 2
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegOpenKey(,Key=CLSID\{546BF232-C9DD-4F28-8E38-30AE2D964D46},,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegRemoveValue(,Value=Microsoft AntiMalware Com Layer,)
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegCreateKey()
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegRemoveValue(Name=AppId,Value={A79DB36D-6218-48e6-9EC9-DCBA9A39BF00},)
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegCreateKey()
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegOpenKey(,Key=CLSID\{546BF232-C9DD-4F28-8E38-30AE2D964D46}\InprocServer32,,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegRemoveValue(Name=ThreadingModel,Value=Both,)
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegCreateKey()
    MSI (s) (AC:DC) [08:27:41:157]: Executing op: RegRemoveValue(,Value=c:\Program Files\Microsoft Security Client\Antimalware\MsMpCom.dll,)
    MSI (s) (AC:DC) [08:27:41:173]: Executing op: RegRemoveKey()
    MSI (s) (AC:DC) [08:27:41:173]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{546BF232-C9DD-4F28-8E38-30AE2D964D46}\InprocServer32 3: 2
    MSI (s) (AC:DC) [08:27:41:173]: Executing op: RegOpenKey(,Key=CLSID\{546BF232-C9DD-4F28-8E38-30AE2D964D46}\ProgID,,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:173]: Executing op: RegRemoveValue(,Value=MsMpComExports.MsMpComFactoryFcs.1,)
    MSI (s) (AC:DC) [08:27:41:173]: Executing op: RegRemoveKey()
    MSI (s) (AC:DC) [08:27:41:173]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{546BF232-C9DD-4F28-8E38-30AE2D964D46}\ProgID 3: 2
    MSI (s) (AC:DC) [08:27:41:173]: Executing op: RegOpenKey(,Key=MsMpComExports.MsMpComFactoryFcs.1\CLSID,,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:173]: Executing op: RegRemoveValue(,Value={546BF232-C9DD-4F28-8E38-30AE2D964D46},)
    MSI (s) (AC:DC) [08:27:41:173]: Executing op: RegRemoveKey()
    MSI (s) (AC:DC) [08:27:41:173]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Classes\MsMpComExports.MsMpComFactoryFcs.1\CLSID 3: 2
    MSI (s) (AC:DC) [08:27:41:173]: Executing op: RegOpenKey(,Key=MsMpComExports.MsMpComFactoryFcs.1,,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:173]: Executing op: RegRemoveValue(,Value=Microsoft AntiMalware Com Layer,)
    MSI (s) (AC:DC) [08:27:41:173]: Executing op: RegRemoveKey()
    MSI (s) (AC:DC) [08:27:41:173]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Classes\MsMpComExports.MsMpComFactoryFcs.1 3: 2
    MSI (s) (AC:DC) [08:27:41:173]: Executing op: RegOpenKey(,Key=MsMpComExports.MsMpComFactoryFcs\CurVer,,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:173]: Executing op: RegRemoveValue(,Value=MsMpComExports.MsMpComFactoryFcs.1,)
    MSI (s) (AC:DC) [08:27:41:173]: Executing op: RegRemoveKey()
    MSI (s) (AC:DC) [08:27:41:173]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Classes\MsMpComExports.MsMpComFactoryFcs\CurVer 3: 2
    MSI (s) (AC:DC) [08:27:41:173]: Executing op: RegOpenKey(,Key=CLSID\{546BF232-C9DD-4F28-8E38-30AE2D964D46}\VersionIndependentProgID,,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:173]: Executing op: RegRemoveValue(,Value=MsMpComExports.MsMpComFactoryFcs,)
    MSI (s) (AC:DC) [08:27:41:173]: Executing op: RegRemoveKey()
    MSI (s) (AC:DC) [08:27:41:173]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{546BF232-C9DD-4F28-8E38-30AE2D964D46}\VersionIndependentProgID 3: 2
    MSI (s) (AC:DC) [08:27:41:173]: Executing op: RegOpenKey(,Key=MsMpComExports.MsMpComFactoryFcs\CLSID,,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:173]: Executing op: RegRemoveValue(,Value={546BF232-C9DD-4F28-8E38-30AE2D964D46},)
    MSI (s) (AC:DC) [08:27:41:173]: Executing op: RegRemoveKey()
    MSI (s) (AC:DC) [08:27:41:173]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Classes\MsMpComExports.MsMpComFactoryFcs\CLSID 3: 2
    MSI (s) (AC:DC) [08:27:41:173]: Executing op: RegOpenKey(,Key=MsMpComExports.MsMpComFactoryFcs,,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:173]: Executing op: RegRemoveValue(,Value=Microsoft AntiMalware Com Layer,)
    MSI (s) (AC:DC) [08:27:41:173]: Executing op: RegRemoveKey()
    MSI (s) (AC:DC) [08:27:41:173]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Classes\MsMpComExports.MsMpComFactoryFcs 3: 2
    MSI (s) (AC:DC) [08:27:41:173]: Executing op: RegOpenKey(,Key=AppID\{A79DB36D-6218-48E6-9EC9-DCBA9A39BF00},,BinaryType=0)
    MSI (s) (AC:DC) [08:27:41:173]: Executing op: RegRemoveValue(Name=DllSurrogate,,)
    MSI (s) (AC:DC) [08:27:41:173]: Executing op: RegCreateKey()
    MSI (s) (AC:DC) [08:27:41:173]: Executing op: RegRemoveValue(,Value=MsMpCom,)
    MSI (s) (AC:DC) [08:27:41:173]: Executing op: RegRemoveKey()
    MSI (s) (AC:DC) [08:27:41:173]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Classes\AppID\{A79DB36D-6218-48E6-9EC9-DCBA9A39BF00} 3: 2
    MSI (s) (AC:DC) [08:27:41:173]: Executing op: ActionStart(Name=EnableUSN,,)
    MSI (s) (AC:DC) [08:27:41:173]: Executing op: ActionStart(Name=InstallMpFilterDriver,,)
    MSI (s) (AC:DC) [08:27:41:173]: Executing op: ActionStart(Name=InstallMpFilterDriverRollback,,)
    MSI (s) (AC:DC) [08:27:41:173]: Executing op: CustomActionRollback(Action=InstallMpFilterDriverRollback,ActionType=3393,Source=BinaryData,Target=MpUninstallDriver,CustomActionData=c:\Program Files\Microsoft Security Client\Antimalware\Drivers\mpfilter\)
    MSI (s) (AC:A8) [08:27:41:173]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI8D.tmp, Entrypoint: MpUninstallDriver
    WIXFXCA: MpUninstallDriver: INFO: MpDrvInst - uninstallation begin.
    WIXFXCA: MpUninstallDriver: INFO: Driver package located at c:\Program Files\Microsoft Security Client\Antimalware\Drivers\mpfilter\
    WIXFXCA: MpUninstallDriver: INFO: Driver service name is mpfilter
    WIXFXCA: MpUninstallDriver: ERROR: HrControlService failed, code 0x80070426
    WIXFXCA: MpUninstallDriver: INFO: MpDrvInst - uninstallation end.
    MSI (s) (AC:DC) [08:27:41:188]: Executing op: ActionStart(Name=InstallFiles,Description=Copying new files,Template=File: [1],  Directory: [9],  Size: [6])
    MSI (s) (AC:DC) [08:27:41:188]: Executing op: SetTargetFolder(Folder=c:\Program Files\Microsoft Security Client\Antimalware\)
    MSI (s) (AC:DC) [08:27:41:188]: Executing op: FileRemove(,FileName=c:\Program Files\Microsoft Security Client\Antimalware\MsMpCom.dll,,)
    MSI (s) (AC:DC) [08:27:41:188]: Executing op: FileRemove(,FileName=c:\Program Files\Microsoft Security Client\Antimalware\MpSvc.dll,,)
    MSI (s) (AC:DC) [08:27:41:188]: Executing op: FileRemove(,FileName=c:\Program Files\Microsoft Security Client\Antimalware\MpRTP.dll,,)
    MSI (s) (AC:DC) [08:27:41:188]: Executing op: FileRemove(,FileName=c:\Program Files\Microsoft Security Client\Antimalware\MpOAv.dll,,)
    MSI (s) (AC:DC) [08:27:41:188]: Executing op: SetTargetFolder(Folder=c:\Program Files\Microsoft Security Client\Antimalware\Drivers\mpnwmon\)
    MSI (s) (AC:DC) [08:27:41:188]: Executing op: FileRemove(,FileName=c:\Program Files\Microsoft Security Client\Antimalware\Drivers\mpnwmon\mpnwmon.sys,,)
    MSI (s) (AC:DC) [08:27:41:188]: Executing op: FileRemove(,FileName=c:\Program Files\Microsoft Security Client\Antimalware\Drivers\mpnwmon\mpnwmon.inf,,)
    MSI (s) (AC:DC) [08:27:41:188]: Executing op: FileRemove(,FileName=c:\Program Files\Microsoft Security Client\Antimalware\Drivers\mpnwmon\mpnwmon.cat,,)
    MSI (s) (AC:DC) [08:27:41:188]: Executing op: SetTargetFolder(Folder=c:\Program Files\Microsoft Security Client\Antimalware\Drivers\mpfilter\)
    MSI (s) (AC:DC) [08:27:41:188]: Executing op: FileRemove(,FileName=c:\Program Files\Microsoft Security Client\Antimalware\Drivers\mpfilter\mpfilter.sys,,)
    MSI (s) (AC:DC) [08:27:41:188]: Executing op: FileRemove(,FileName=c:\Program Files\Microsoft Security Client\Antimalware\Drivers\mpfilter\mpfilter.inf,,)
    MSI (s) (AC:DC) [08:27:41:188]: Executing op: FileRemove(,FileName=c:\Program Files\Microsoft Security Client\Antimalware\Drivers\mpfilter\mpfilter.cat,,)
    MSI (s) (AC:DC) [08:27:41:188]: Executing op: SetTargetFolder(Folder=c:\Program Files\Microsoft Security Client\Antimalware\EN-US\)
    MSI (s) (AC:DC) [08:27:41:188]: Executing op: FileRemove(,FileName=c:\Program Files\Microsoft Security Client\Antimalware\EN-US\mpevmsg.dll.mui,,)
    MSI (s) (AC:DC) [08:27:41:188]: Executing op: SetTargetFolder(Folder=c:\Program Files\Microsoft Security Client\Antimalware\)
    MSI (s) (AC:DC) [08:27:41:188]: Executing op: FileRemove(,FileName=c:\Program Files\Microsoft Security Client\Antimalware\mpevmsg.dll,,)
    MSI (s) (AC:DC) [08:27:41:188]: Executing op: FileRemove(,FileName=c:\Program Files\Microsoft Security Client\Antimalware\MpCommu.dll,,)
    MSI (s) (AC:DC) [08:27:41:203]: Executing op: FileRemove(,FileName=c:\Program Files\Microsoft Security Client\Antimalware\MpCmdRun.exe,,)
    MSI (s) (AC:DC) [08:27:41:203]: Executing op: FileRemove(,FileName=c:\Program Files\Microsoft Security Client\Antimalware\MpClient.dll,,)
    MSI (s) (AC:DC) [08:27:41:203]: Executing op: SetTargetFolder(Folder=c:\Program Files\Microsoft Security Client\Antimalware\EN-US\)
    MSI (s) (AC:DC) [08:27:41:203]: Executing op: FileRemove(,FileName=c:\Program Files\Microsoft Security Client\Antimalware\EN-US\MpAsDesc.dll.mui,,)
    MSI (s) (AC:DC) [08:27:41:203]: Executing op: SetTargetFolder(Folder=c:\Program Files\Microsoft Security Client\Antimalware\)
    MSI (s) (AC:DC) [08:27:41:203]: Executing op: FileRemove(,FileName=c:\Program Files\Microsoft Security Client\Antimalware\MpAsDesc.dll,,)
    MSI (s) (AC:DC) [08:27:41:203]: Executing op: FileRemove(,FileName=c:\Program Files\Microsoft Security Client\Antimalware\MsMpLics.dll,,)
    MSI (s) (AC:DC) [08:27:41:203]: Executing op: FileRemove(,FileName=c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe,,)
    MSI (s) (AC:DC) [08:27:41:203]: Executing op: ActionStart(Name=CreateFolders,Description=Creating folders,Template=Folder: [1])
    MSI (s) (AC:DC) [08:27:41:203]: Executing op: FolderRemove(Folder=c:\Program Files\Microsoft Security Client\Antimalware\Drivers\mpfilter\,Foreign=0)
    MSI (s) (AC:DC) [08:27:41:203]: Executing op: FolderRemove(Folder=c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\,Foreign=0)
    MSI (s) (AC:DC) [08:27:41:203]: Executing op: FolderRemove(Folder=c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Support\,Foreign=0)
    MSI (s) (AC:DC) [08:27:41:203]: Executing op: FolderRemove(Folder=c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Scans\,Foreign=0)
    MSI (s) (AC:DC) [08:27:41:203]: Executing op: FolderRemove(Folder=c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Quarantine\,Foreign=0)
    MSI (s) (AC:DC) [08:27:41:219]: Executing op: FolderRemove(Folder=c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Updates\,Foreign=0)
    MSI (s) (AC:DC) [08:27:41:219]: Executing op: FolderRemove(Folder=c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\,Foreign=0)
    MSI (s) (AC:DC) [08:27:41:219]: Executing op: FolderRemove(Folder=c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\,Foreign=0)
    MSI (s) (AC:DC) [08:27:41:219]: Executing op: FolderRemove(Folder=c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\,Foreign=0)
    MSI (s) (AC:DC) [08:27:41:219]: Executing op: FolderRemove(Folder=c:\Program Files\Microsoft Security Client\Antimalware\,Foreign=0)
    MSI (s) (AC:DC) [08:27:41:219]: Executing op: FolderRemove(Folder=c:\Program Files\Microsoft Security Client\Antimalware\,Foreign=0)
    MSI (s) (AC:DC) [08:27:41:219]: Executing op: FolderRemove(Folder=c:\Program Files\Microsoft Security Client\Antimalware\,Foreign=0)
    MSI (s) (AC:DC) [08:27:41:219]: Executing op: FolderRemove(Folder=c:\Program Files\Microsoft Security Client\Antimalware\,Foreign=0)
    MSI (s) (AC:DC) [08:27:41:219]: Executing op: FolderRemove(Folder=c:\Program Files\Microsoft Security Client\Antimalware\,Foreign=0)
    MSI (s) (AC:DC) [08:27:41:219]: Executing op: FolderRemove(Folder=c:\Program Files\Microsoft Security Client\Antimalware\,Foreign=0)
    MSI (s) (AC:DC) [08:27:41:219]: Executing op: FolderRemove(Folder=c:\Program Files\Microsoft Security Client\Antimalware\,Foreign=0)
    MSI (s) (AC:DC) [08:27:41:219]: Executing op: FolderRemove(Folder=c:\Program Files\Microsoft Security Client\Antimalware\,Foreign=0)
    MSI (s) (AC:DC) [08:27:41:219]: Executing op: FolderRemove(Folder=c:\Program Files\Microsoft Security Client\Antimalware\,Foreign=0)
    MSI (s) (AC:DC) [08:27:41:219]: Executing op: FolderRemove(Folder=c:\Program Files\Microsoft Security Client\Antimalware\,Foreign=0)
    MSI (s) (AC:DC) [08:27:41:219]: Executing op: FolderRemove(Folder=c:\Program Files\Microsoft Security Client\Antimalware\,Foreign=0)
    MSI (s) (AC:DC) [08:27:41:219]: Executing op: FolderRemove(Folder=c:\Program Files\Microsoft Security Client\Antimalware\,Foreign=0)
    MSI (s) (AC:DC) [08:27:41:219]: Executing op: FolderRemove(Folder=c:\Program Files\Microsoft Security Client\Antimalware\,Foreign=0)
    MSI (s) (AC:DC) [08:27:41:219]: Executing op: FolderRemove(Folder=c:\Program Files\Microsoft Security Client\Antimalware\,Foreign=0)
    MSI (s) (AC:DC) [08:27:41:219]: Executing op: FolderRemove(Folder=c:\Program Files\Microsoft Security Client\Antimalware\,Foreign=0)
    MSI (s) (AC:DC) [08:27:41:219]: Executing op: FolderRemove(Folder=c:\Program Files\Microsoft Security Client\Antimalware\,Foreign=0)
    MSI (s) (AC:DC) [08:27:41:234]: Executing op: FolderRemove(Folder=c:\Program Files\Microsoft Security Client\Antimalware\,Foreign=0)
    MSI (s) (AC:DC) [08:27:41:234]: Executing op: FolderRemove(Folder=c:\Program Files\Microsoft Security Client\Antimalware\,Foreign=0)
    MSI (s) (AC:DC) [08:27:41:234]: Executing op: FolderRemove(Folder=c:\Program Files\Microsoft Security Client\Antimalware\,Foreign=0)
    MSI (s) (AC:DC) [08:27:41:234]: Executing op: FolderRemove(Folder=c:\Program Files\Microsoft Security Client\Antimalware\,Foreign=0)
    MSI (s) (AC:DC) [08:27:41:234]: Executing op: FolderRemove(Folder=c:\Program Files\Microsoft Security Client\Antimalware\,Foreign=0)
    MSI (s) (AC:DC) [08:27:41:234]: Executing op: FolderRemove(Folder=c:\Program Files\Microsoft Security Client\Antimalware\,Foreign=0)
    MSI (s) (AC:DC) [08:27:41:234]: Executing op: FolderRemove(Folder=c:\Program Files\Microsoft Security Client\Antimalware\,Foreign=0)
    MSI (s) (AC:DC) [08:27:41:234]: Executing op: FolderRemove(Folder=c:\Program Files\Microsoft Security Client\Antimalware\,Foreign=0)
    MSI (s) (AC:DC) [08:27:41:234]: Executing op: FolderRemove(Folder=c:\Program Files\Microsoft Security Client\Antimalware\,Foreign=0)
    MSI (s) (AC:DC) [08:27:41:234]: Executing op: FolderRemove(Folder=c:\Program Files\Microsoft Security Client\Antimalware\,Foreign=0)
    MSI (s) (AC:DC) [08:27:41:234]: Executing op: FolderRemove(Folder=c:\Program Files\Microsoft Security Client\Antimalware\,Foreign=0)
    MSI (s) (AC:DC) [08:27:41:234]: Executing op: FolderRemove(Folder=c:\Program Files\Microsoft Security Client\Antimalware\,Foreign=0)
    MSI (s) (AC:DC) [08:27:41:234]: Executing op: FolderRemove(Folder=c:\Program Files\Microsoft Security Client\Antimalware\,Foreign=0)
    MSI (s) (AC:DC) [08:27:41:234]: Executing op: FolderRemove(Folder=c:\Program Files\Microsoft Security Client\Antimalware\,Foreign=0)
    MSI (s) (AC:DC) [08:27:41:234]: Executing op: FolderRemove(Folder=c:\Program Files\Microsoft Security Client\Antimalware\,Foreign=0)
    MSI (s) (AC:DC) [08:27:41:234]: Executing op: FolderRemove(Folder=c:\Program Files\Microsoft Security Client\Antimalware\,Foreign=0)
    MSI (s) (AC:DC) [08:27:41:234]: Executing op: FolderRemove(Folder=c:\Program Files\Microsoft Security Client\Antimalware\,Foreign=0)
    MSI (s) (AC:DC) [08:27:41:234]: Executing op: FolderRemove(Folder=c:\Program Files\Microsoft Security Client\Antimalware\,Foreign=0)
    MSI (s) (AC:DC) [08:27:41:234]: Executing op: FolderRemove(Folder=c:\Program Files\Microsoft Security Client\Antimalware\,Foreign=0)
    MSI (s) (AC:DC) [08:27:41:234]: Executing op: FolderRemove(Folder=c:\Program Files\Microsoft Security Client\Antimalware\,Foreign=0)
    MSI (s) (AC:DC) [08:27:41:234]: Executing op: FolderRemove(Folder=c:\Program Files\Microsoft Security Client\Antimalware\,Foreign=0)
    MSI (s) (AC:DC) [08:27:41:234]: Executing op: FolderRemove(Folder=c:\Program Files\Microsoft Security Client\Antimalware\,Foreign=0)
    MSI (s) (AC:DC) [08:27:41:234]: Executing op: FolderRemove(Folder=c:\Program Files\Microsoft Security Client\Antimalware\,Foreign=0)
    MSI (s) (AC:DC) [08:27:41:234]: Executing op: FolderRemove(Folder=c:\Program Files\Microsoft Security Client\Antimalware\,Foreign=0)
    MSI (s) (AC:DC) [08:27:41:234]: Executing op: FolderRemove(Folder=c:\Program Files\Microsoft Security Client\Antimalware\,Foreign=0)
    MSI (s) (AC:DC) [08:27:41:234]: Executing op: FolderRemove(Folder=c:\Program Files\Microsoft Security Client\Antimalware\,Foreign=0)
    MSI (s) (AC:DC) [08:27:41:250]: Executing op: FolderRemove(Folder=c:\Program Files\Microsoft Security Client\Antimalware\,Foreign=0)
    MSI (s) (AC:DC) [08:27:41:250]: Executing op: FolderRemove(Folder=c:\Program Files\Microsoft Security Client\Antimalware\,Foreign=0)
    MSI (s) (AC:DC) [08:27:41:250]: Executing op: FolderRemove(Folder=c:\Program Files\Microsoft Security Client\Antimalware\,Foreign=0)
    MSI (s) (AC:DC) [08:27:41:250]: Executing op: ActionStart(Name=DeleteServices,Description=Deleting services,Template=Service: [1])
    ****skipping multiple entries removing stuff**************
    MSI (s) (AC:DC) [08:27:41:265]: Executing op: End(Checksum=0,ProgressTotalHDWord=0,ProgressTotalLDWord=0)
    MSI (s) (AC:DC) [08:27:41:265]: Error in rollback skipped. Return: 5
    MSI (s) (AC:DC) [08:27:41:265]: No System Restore sequence number for this installation.
    MSI (s) (AC:DC) [08:27:41:265]: Unlocking Server
    MSI (s) (AC:DC) [08:27:41:265]: PROPERTY CHANGE: Deleting UpdateStarted property. Its current value is '1'.
    Action ended 8:27:41: INSTALL. Return value 3.
    MSI (s) (AC:DC) [08:27:41:265]: Note: 1: 1708
    MSI (s) (AC:DC) [08:27:41:265]: Product: Microsoft Antimalware -- Installation failed.


    Marjorie
    Tuesday, November 1, 2011 2:31 PM
  • The nice support team at Microsoft contacted me (Thanks Faron and Jeramy) and helped discover the issue. Malware apparently targeted a registry key that was never cleaned up, including these keys that needed to be deleted:

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

       MpCmdRun.exe
         C:\WINDOWS\system32\svchost.exe
         Generic Host Process for Win32 Services
         (Verified) Microsoft Windows Component Publisher
         5.1.2600.5512
         c:\windows\system32\svchost.exe

       MSASCui.exe
         C:\WINDOWS\system32\svchost.exe
         Generic Host Process for Win32 Services
         (Verified) Microsoft Windows Component Publisher
         5.1.2600.5512
         c:\windows\system32\svchost.exe

       MsMpEng.exe
         C:\WINDOWS\system32\svchost.exe
         Generic Host Process for Win32 Services
         (Verified) Microsoft Windows Component Publisher
         5.1.2600.5512
         c:\windows\system32\svchost.exe

    Everything installed and updated without a restart after the keys were removed!


    Marjorie
    • Marked as answer by msmenacker Thursday, November 10, 2011 8:35 PM
    Thursday, November 10, 2011 8:35 PM
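
The answer above names the hijacked entries under Image File Execution Options but not how to look for them on other machines. The following is an added example, not part of the original thread or any Microsoft tool: it scans the text of a `reg export` of that key for `Debugger` values and flags the three image names listed in the answer. It assumes the hijack used the standard `Debugger` value (the thread does not show the value name), and the sample export is constructed.

```python
import re

IFEO = r"software\microsoft\windows nt\currentversion\image file execution options"
# Image names the answer above lists as hijacked.
SECURITY_IMAGES = {"mpcmdrun.exe", "msascui.exe", "msmpeng.exe"}
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample in `reg export` text form (not taken from the thread).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe]
"Debugger"="C:\\WINDOWS\\system32\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe]
"Debugger"="C:\\WINDOWS\\system32\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\editor.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path]
"GlobalFlag"="0x000010F0"
'''

def unescape(s):
    # .reg string data escapes backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)

def find_ifeo_debuggers(reg_text):
    """Return (image, debugger, is_security_image) for each IFEO Debugger value."""
    hits, image = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            hive, _, sub = key.group(1).partition("\\")
            image = None
            if hive.upper() == "HKEY_LOCAL_MACHINE" and sub.lower().startswith(IFEO + "\\"):
                rest = sub[len(IFEO) + 1:]
                image = rest if "\\" not in rest else None  # direct children only
            continue
        val = VAL_RE.match(line)
        if val and image and unescape(val.group(1)).lower() == "debugger":
            hits.append((image, unescape(val.group(2)), image.lower() in SECURITY_IMAGES))
    return hits

if __name__ == "__main__":
    for image, debugger, flagged in find_ifeo_debuggers(SAMPLE):
        print("HIJACK" if flagged else "review", image, "->", debugger)
```

Version 5.00 exports are typically UTF-16 encoded, so decode the file accordingly before passing its text to `find_ifeo_debuggers`. Any `Debugger` value on an antimalware image is worth investigating, since Windows launches the named program in place of the image.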