2003 Help and Support Service causing odd behavior
From: Chris Clayton (cclayton_delete_must_decrease_spam__at_stlcc.edu)
Date: 04/27/04
Date: Tue, 27 Apr 2004 14:57:03 -0700
We have a file server that is configured with McAfee
VirusScan 7.0 Enterprise running a Mirror Task as well as
the usual protection, and Remote Desktop administration is
enabled. As best we can tell, from some time after it was
first set up (early February) until the Help and Support
service was disabled last Friday (4/23/04), about every 24
hours all users' registry files were updated (apparently
no content change from comparison of text exports, but
last modified date changes). It would happen about 3-5
minutes later each day. Most users actually do not log in
locally (or not often) so that obviously wasn't the cause,
and EVERY ntuser.dat file changed in the same second which
wouldn't be humanly possible anyway. It happened at the
same time an XML file was being created in
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\ and also the time a
file called framework.log in C:\WINDOWS\system32\wbem\Logs
was updated.
The framework.log file is full of messages along the lines
of:
"Shell Name Explorer.exe in Registry not found in process list. 04/23/2004 02:28:57.000 thread:2688 [d:\srv03rtm\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.156]
Unable to locate Shell Process, Impersonation failed. 04/23/2004 02:28:57.015 thread:2688 [d:\srv03rtm\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.168]"
The server is a dual-Xeon Dell PowerEdge 2650 with the
Dell OpenManage software installed.
Does anyone have any idea what is going on? I'm totally
at a loss and so I can't properly evaluate any risk we are
taking by not "fixing" the problem aside from disabling
the service.
Side note: In looking into this and doing searches for
all files modified on a certain day, we discovered that on
Server 2003 a properly-crafted search of the local drive
would cause explorer.exe to crash with event log messages
pointing to zipfldr.dll as the part that had the problem.
We tracked it down to the .zip file in the McAfee
VirusScan mirror task download folder, which apparently
the native zip file support doesn't like. We've contacted
Network Associates/McAfee about that issue.
Any and all help welcome.
Chris Clayton
St. Louis Community College
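
The correlation described in the message (every ntuser.dat changing in the same second, at the moment framework.log is written) can be checked mechanically. The following is an added example, not part of the original message: the function names, the three-profile threshold and the 60-second window are assumptions, and the profiles root (C:\Documents and Settings by default on Server 2003) and log path are supplied by the caller.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import Path

# Timestamp layout as seen in the framework.log excerpt quoted in the message.
LOG_TS = re.compile(r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\.\d{3} thread:\d+")

# The two entries from the message, one per line, source path shortened here.
SAMPLE_LOG = (
    "Shell Name Explorer.exe in Registry not found in process list. "
    "04/23/2004 02:28:57.000 thread:2688 [...implogonuser.cpp.156]\n"
    "Unable to locate Shell Process, Impersonation failed. "
    "04/23/2004 02:28:57.015 thread:2688 [...implogonuser.cpp.168]\n")

def log_times(text):
    """Timestamps (whole seconds, local time) of every entry in the log text."""
    return [datetime.strptime(m, "%m/%d/%Y %H:%M:%S") for m in LOG_TS.findall(text)]

def hive_mtimes(profiles_root):
    """Map profile folder name -> last-modified time of its ntuser.dat."""
    out = {}
    for profile in Path(profiles_root).iterdir():
        try:
            for f in profile.iterdir():
                if f.name.lower() == "ntuser.dat":
                    out[profile.name] = datetime.fromtimestamp(int(f.stat().st_mtime))
        except OSError:      # not a directory, or profile not readable
            continue
    return out

def mass_touches(mtimes, min_profiles=3):
    """Seconds in which at least min_profiles hives were modified together."""
    by_second = defaultdict(list)
    for profile, ts in mtimes.items():
        by_second[ts].append(profile)
    return {ts: sorted(p) for ts, p in by_second.items() if len(p) >= min_profiles}

def correlate(touches, events, window=timedelta(seconds=60)):
    """For each mass-touch second, the log events within +/- window of it."""
    return {ts: [e for e in events if abs(e - ts) <= window] for ts in touches}

if __name__ == "__main__":
    import sys  # usage: script.py <profiles root> <path to framework.log>
    touches = mass_touches(hive_mtimes(sys.argv[1]))
    events = log_times(Path(sys.argv[2]).read_text(errors="replace"))
    for ts, near in correlate(touches, events).items():
        print(ts, touches[ts], f"{len(near)} log entries within 60s")
```

The same `correlate` call accepts any list of timestamps, so the creation times of the XML files under C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\ can be passed as `events` as well.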