Re: Going crazy over this one!


From: Marc (anyone_at_anyplace.now)
Date: 03/25/04


Date: Thu, 25 Mar 2004 10:52:26 -0400


Hi David,

Yes, indeed, I have reinstalled ZA on this server. Going back to my earlier
postings, you will see that the problem started when I removed ZA (manually)
and updated the Symantec Corporate Antivirus, adding the Firewall Server that
comes with it. Since access to the TS started to malfunction once I did this,
I then uninstalled everything -- but the problem with remote access never went
away. Not wanting to leave my system unguarded, I finally decided to reinstall
the Symantec Antivirus program (but not the firewall), and also ZA (esp. since
I didn't like the Symantec Firewall program). I would be happy to uninstall it
all again, but again it seems that ZA has to be uninstalled manually -- when
you click on "add/remove programs" and select it, you get an "uninstall failure"
message to the effect that "the uninstaller cannot locate resources needed to
uninstall". What I did last time around was to delete the folders having to do
with ZA, and then everything I could find in the registry related to it as well.
Finally, I ran RegClean.exe. Is there any special procedure I should follow in
this case, given my past experience? Note also that I tried to repair my Win2003
installation two or three times before I reinstalled ZA and Symantec Antivirus,
and reinstalled all the updates available on Windows Update on each occasion.

Cheers,

--Marc

"David Everett [MSFT]" <deverett@online.microsoft.com> wrote in message news:OzrOqKgEEHA.2628@TK2MSFTNGP11.phx.gbl...
> I got it. It looks like Zone Alarm is installed on the server. Can you
> uninstall this and see if it helps?
>
> Vsmon.exe and zlclient.exe are being launched at logon.
>
> Also, can you get a regmon from the server when a TSClient logs on and gets
> logged off right away?
> --
> David Everett
> Microsoft Corporation
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> "Marc" <anyone@anyplace.now> wrote in message
> news:eTNhdofEEHA.576@TK2MSFTNGP11.phx.gbl...
> >
> > David,
> >
> > Not sure my posting is going through fine on this newsgroup... Anyway, I
> > couldn't find most of the things you told me to look for, but there are
> > numerous calls to autoexec.bat -- which however appears to be an empty
> > file on my hard disk...
> >
> > Thanks a lot for your help with this!
> >
> > Cheers,
> >
> > --Marc
> >
> >
> >
> > "David Everett [MSFT]" <deverett@online.microsoft.com> wrote in message
> > news:uBm$r#eEEHA.1240@TK2MSFTNGP10.phx.gbl...
> > > Let's try a different approach.....
> > >
> > > Download Filemon from http://www.sysinternals.com to the server.
> > > Start filemon and click the magnifying glass to stop the capture and click
> > > the Erase button (two buttons to the right).
> > > Start mstsc and connect to the Terminal Server and enter your account and
> > > password (DO NOT Login yet)
> > > In filemon click the magnifying glass again and it will start the capture.
> > > In the TS Client session click OK to login. As soon as it is logged off
> > > automatically make sure you click the Magnifying glass to stop the capture.
> > > Save the Filemon log and Post it.
> > >
> > > You can do the same thing with Regmon from http://www.sysinternals.com
> > > Same exact steps with Regmon.
> > >
> > > In filemon we'll be looking for any calls for logoff.exe or any files ending
> > > with .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH and ACCDENIED or
> > > Access is Denied or Access Denied.
> > >
> > > In Regmon we'll be looking for ACCDENIED or Access is Denied or Access
> > > Denied.
> > > --
> > > David Everett
> > > Microsoft Corporation
> > >
> > > This posting is provided "AS IS" with no warranties, and confers no rights.
> > >
> > > "Marc" <anyone@anyplace.now> wrote in message
> > > news:OFMoo3eEEHA.712@tk2msftngp13.phx.gbl...
> > > >
> > > > David,
> > > >
> > > > When I try to do this, I get a popup error that goes as follows:
> > > >
> > > >
> > > > Security
> > > >
> > > > Unable to save permission changes on Install Options.
> > > > Access is denied.
> > > >
> > > >
> > > > Cheers,
> > > >
> > > > --Marc
> > > >
> > > >
> > > > "David Everett [MSFT]" <deverett@online.microsoft.com> wrote in message
> > > > news:#KEg$ueEEHA.2768@tk2msftngp13.phx.gbl...
> > > > > 1. Highlight HKEY_LOCAL_MACHINE\SOFTWARE\Install Options
> > > > > 2. click Edit > Permissions
> > > > > 3. click the Advanced button
> > > > > 4. uncheck "Allow inheritable permissions from the parent to propagate to
> > > > > this object and on all child..." and click COPY and Apply.
> > > > > 5. Place a check on "Allow inheritable permissions from the parent to
> > > > > propagate to this object and on all child..." and click APPLY.
> > > > > 6. Place a check on "Replace permissions entries on all child objects with
> > > > > entries shown here that apply to child objects" and click OK, OK again and
> > > > > exit regedit.
> > > > > --
> > > > > David Everett
> > > > > Microsoft Corporation
> > > > >
> > > > > This posting is provided "AS IS" with no warranties, and confers no rights.
> > > > >
> > > > > "Marc" <anyone@anyplace.now> wrote in message
> > > > > news:O9q4SVeEEHA.3576@TK2MSFTNGP12.phx.gbl...
> > > > > >
> > > > > > OK, got it... Thanks for the info! Now back to your previous points:
> > > > > >
> > > > > > >
> > > > > > > Here are some other things you could try:
> > > > > > > 1. Open HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
> > > > > > > and verify that logonui.exe is the only file being called.
> > > > > > >
> > > > > >
> > > > > > Under UIHost, I have %SystemRoot%\system32\logonui.exe.
> > > > > > Under Userinit, I see C:\WINDOWS\system32\userinit.exe.
> > > > > > Under Shell, I see Explorer.exe.
> > > > > > Under VmApplet, I see rundll32 shell32,Control_RunDLL "sysdm.cpl".
> > > > > >
> > > > > > >
> > > > > > > 2. Locate Logonui.exe on the file system and verify the Version is
> > > > > > > 6.0.3790.0 and from Microsoft Corporation.
> > > > > > >
> > > > > >
> > > > > > That's the version I have alright...
> > > > > >
> > > > > > >
> > > > > > > 3. If you have TS Roaming Profiles verify there are not scripts in
> > > > > > > the Startup folder of those profiles.
> > > > > > >
> > > > > >
> > > > > > No, I don't believe I have any of that...
> > > > > >
> > > > > > >
> > > > > > > The only thing about secedit I might question is the invalid
> > > > > > > structure on HKLM\software\Install Options. Do you have an
> > > > > > > "Install Options" key under HKLM\software and can you view the
> > > > > > > Permissions on this key?
> > > > > > >
> > > > > >
> > > > > > Yes, I do. There are three items listed, one with the icon showing
> > > > > > "ab" in red, type REG_SZ, and (value not set) under Data. The next
> > > > > > one's name is Options5, in blue, type REG_BINARY. The final one's
> > > > > > name is Options5.2, is also in blue, and is of the same type. I
> > > > > > can't see anything that makes sense to me when I double-click on
> > > > > > any of these.
> > > > > >
> > > > > > >
> > > > > > > If you can view the Advanced security of this key see if it is
> > > > > > > inheriting from above. I'm not sure that this key would affect
> > > > > > > RDP logon but you could try the following:
> > > > > > > If it is Inheriting from above get a System state backup
> > > > > > > Uncheck this Inherit from above setting on this key and select
> > > > > > > Copy and Apply
> > > > > > > Check the Inherit from above again and click Apply.
> > > > > > > Click the Propagate to all child objects box and click Apply again.
> > > > > > >
> > > > > >
> > > > > > Well, unfortunately, I don't see anything like "Advanced" on the
> > > > > > items that I can see under
> > > > > > My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Install Options...
> > > > > >
> > > > > > Cheers,
> > > > > >
> > > > > > --Marc
> > > > > >
> > > > > >
> > > > > >
> > > > > > > > > > > --
> > > > > > > > > > > David Everett
> > > > > > > > > > > Microsoft Corporation
> > > > > > > > > > >
> > > > > > > > > > > > This posting is provided "AS IS" with no warranties, and confers no rights.
> > > > > > > > > > > >
> > > > > > > > > > > > "Marc" <anyone@anyplace.now> wrote in message
> > > > > > > > > > > > news:eAJES6aEEHA.2408@TK2MSFTNGP10.phx.gbl...
> > > > > > > > > > > > >
> > > > > > > > > > > > > Hi David,
> > > > > > > > > > > > >
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > If you walk up to the console of the server and log in, not
> > > > > > > > > > > > > > through RDP session, do you stay logged in?
> > > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > > Yes, I do!
> > > > > > > > > > > > >
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > If you do, check TS Configuration under RDP-Tcp Properties >
> > > > > > > > > > > > > > Environment and see if the check box for "Override settings from
> > > > > > > > > > > > > > user profile and Remote Desktop Connection or Terminal Services
> > > > > > > > > > > > > > Client" is checked.
> > > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > > No, it's not checked...
> > > > > > > > > > > > >
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Run RSOP.MSC on the console of the Terminal Server and see if
> > > > > > > > > > > > > > the policy option "Sets a time limit for active Terminal
> > > > > > > > > > > > > > Services sessions" is Enabled and set to one minute. Also,
> > > > > > > > > > > > > > verify the policy setting "Terminal session when time limits
> > > > > > > > > > > > > > are reached" is Not Configured.
> > > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > > Strange, I can't seem to find either policy option -- where are
> > > > > > > > > > > > > they? :-0
> > > > > > > > > > > > > I'll keep looking though...
> > > > > > > > > > > > >
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > You may want to reapply basic security to the server. If it is
> > > > > > > > > > > > > > just a member server the commands to reapply default security are:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > 1. cd %systemroot%\security\templates
> > > > > > > > > > > > > > 2. secedit /configure /cfg "setup security.inf" /db ss.sdb /log ss.log /verbose
> > > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > > I just tried this -- twice -- and I got the following error
> > > > > > > > > > > > > message: "An extended error has occurred. The task has completed
> > > > > > > > > > > > > with an error. See log C:\...\ss.log for detail info." There I
> > > > > > > > > > > > > found the following error messages:
> > > > > > > > > > > > >
> > > > > > > > > > > > > ----Configure Registry Keys...
> > > > > > > > > > > > > Configure users\.default.
> > > > > > > > > > > > > Configure users\.default\software\microsoft\netdde.
> > > > > > > > > > > > > Configure machine\software.
> > > > > > > > > > > > > Warning 1336: The access control list (ACL) structure is invalid.
> > > > > > > > > > > > > Error setting security on machine\software\Install Options.
> > > > > > > > > > > > >
> > > > > > > > > > > > > Configuration of Registry Keys was completed with one or more errors.
> > > > > > > > > > > > >
> > > > > > > > > > > > > I also get LOTS of errors to the effect that "the system cannot
> > > > > > > > > > > > > find the file specified". The list is very long, but on the
> > > > > > > > > > > > > \system32 folder, it starts with appverif.exe and goes up to
> > > > > > > > > > > > > w95upgnt.dll.
> > > > > > > > > > > >
> > > > > > > > > > > > Many thanks for your help, David!
> > > > > > > > > > > >
> > > > > > > > > > > > Cheers,
> > > > > > > > > > > >
> > > > > > > > > > > > --Marc
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > > David Everett
> > > > > > > > > > > > > Microsoft Corporation
> > > > > > > > > > > > >
> > > > > > > > > > > > > > This posting is provided "AS IS" with no warranties, and confers no rights.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > "Marc" <anyone@anyplace.now> wrote in message
> > > > > > > > > > > > > > news:u8X3FYGEEHA.1544@TK2MSFTNGP11.phx.gbl...
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Hi,
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > If this is what you mean, yes, I do get precisely the same
> > > > > > > > > > > > > > > behavior if I try "Remote Desktop Connection" to the server
> > > > > > > > > > > > > > > from the console itself... As to the event logs, please see
> > > > > > > > > > > > > > > my reply to Vera's posting... Thanks!
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Cheers,
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > --Marc
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > "Mike Silverman" <Noah.Body@nowhere.ca> wrote in message
> > > > > > > > > > > > > > > news:OAvZE7FEEHA.1240@TK2MSFTNGP10.phx.gbl...
> > > > > > > > > > > > > > > > Can you log on at the console and have the same behaviour
> > > > > > > > > > > > > > > > occur? What, if anything, do the event logs say?
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Mike.
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Marc wrote:
> > > > > > > > > > > > > > > > > I kept the Symantec W32.Blaster.Worm Fix Tool 1.0.6.1
> > > > > > > > > > > > > > > > > running on my system. After a looong scan of all my
> > > > > > > > > > > > > > > > > hard drives, it came out with the following message:
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > W32.Blaster.Worm has not been found on your computer
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > Therefore, there must be another answer -- which I am
> > > > > > > > > > > > > > > > > DESPERATELY in need of at this point!!! Will anybody
> > > > > > > > > > > > > > > > > help, PLEASE??? Thanks so much!!!
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > --Marc
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > >>-----Original Message-----
> > > > > > > > > > > > > > > > >>
> > > > > > > > > > > > > > > > >>Hmm... Seems unlikely to me, since I have Symantec Anti-virus
> > > > > > > > > > > > > > > > >>Corporate Edition running on this server, with
> > > > > > > > > > > > > > > > >>automated updates, and I haven't been prompted by this
> > > > > > > > > > > > > > > > >>program about any virus or trojans (yet)... However, I'll
> > > > > > > > > > > > > > > > >>give this the benefit of the doubt, and will let you guys
> > > > > > > > > > > > > > > > >>know what I find once I take a closer look -- thanks!
> > > > > > > > > > > > > > > > >>
> > > > > > > > > > > > > > > > >>Cheers,
> > > > > > > > > > > > > > > > >>
> > > > > > > > > > > > > > > > >>--Marc
> > > > > > > > > > > > > > > > >>
> > > > > > > > > > > > > > > > >>>-----Original Message-----
> > > > > > > > > > > > > > > > >>>Sounds like Blaster Worm to me.
> > > > > > > > > > > > > > > > >>>
> > > > > > > > > > > > > > > > >>>Check Anti Virus sites for removal tools.
> > > > > > > > > > > > > > > > >>>
> > > > > > > > > > > > > > > > >>>--
> > > > > > > > > > > > > > > > >>>
> > > > > > > > > > > > > > > > >>>HTH
> > > > > > > > > > > > > > > > >>>
> > > > > > > > > > > > > > > > >>>Cheers
> > > > > > > > > > > > > > > > >>>Lewis Knight
> > > > > > > > > > > > > > > > >>>MCSE, MCT
> > > > > > > > > > > > > > > > >>>Perth
> > > > > > > > > > > > > > > > >>>OZ
> > > > > > > > > > > > > > > > >>>
> > > > > > > > > > > > > > > > >>>"Marc" <anonymous@discussions.microsoft.com> wrote in message
> > > > > > > > > > > > > > > > >>>news:1066601c40e0a$d5ff59c0$a401280a@phx.gbl...
> > > > > > > > > > > > > > > > >>>
> > > > > > > > > > > > > > > > >>>>Greetings,
> > > > > > > > > > > > > > > > >>>>
> > > > > > > > > > > > > > > > >>>>My problem is: no one can maintain a remote session on
> > > > > > > > > > > > > > > > >>>>this computer for more than a few seconds anymore. That
> > > > > > > > > > > > > > > > >>>>is, the person remotely logs on, but after a second or
> > > > > > > > > > > > > > > > >>>>two, a window shows up saying "saving your settings",
> > > > > > > > > > > > > > > > >>>>and the user is kicked off! What should I do??? HELP!!!
> > > > > > > > > > > > > > > > >>>>I've been fighting this one all day, already uninstalled
> > > > > > > > > > > > > > > > >>>>and reinstalled terminal services and licensing, but to
> > > > > > > > > > > > > > > > >>>>no avail...
> > > > > > > > > > > > > > > >>>
> > > > > > > > > > > > > > > >>>
> > > > > > > > > > > > > > > >>>.
> > > > > > > > > > > > > > > >>>
> > > > > > > > > > > > > > > >>
> > > > > > > > > > > > > > > >>.
> > > > > > > > > > > > > > > >>
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > >
> > > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
> >
>
>
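
Added example, not part of the original thread: a small triage script for a saved Filemon or Regmon log that flags the items the quoted instructions say to look for (calls to logoff.exe, files ending in the listed executable and script extensions, and access-denied results). The tab-separated column order, the process IDs and every sample row are constructed assumptions, not data from Marc's server.

```python
import csv
import io
import ntpath

# Extensions and result strings taken from the quoted instructions above.
EXEC_EXTS = {".com", ".exe", ".bat", ".cmd", ".vbs", ".vbe",
             ".js", ".jse", ".wsf", ".wsh"}
DENIED_MARKERS = ("accdenied", "access is denied", "access denied")

# Constructed rows, not a real capture. Assumed column order of a saved
# tab-separated log: sequence, time, process, request, path, result.
ROWS = [
    ("1", "10:52:01", "winlogon.exe:412", "OPEN",
     r"C:\WINDOWS\system32\userinit.exe", "SUCCESS"),
    ("2", "10:52:01", "userinit.exe:980", "OPEN", r"C:\autoexec.bat", "SUCCESS"),
    ("3", "10:52:02", "userinit.exe:980", "OPEN",
     r"C:\WINDOWS\system32\ntdll.dll", "SUCCESS"),
    ("4", "10:52:02", "winlogon.exe:412", "OpenKey",
     r"HKLM\SOFTWARE\Install Options", "ACCDENIED"),
    ("5", "10:52:03", "userinit.exe:980", "OPEN",
     r"C:\scripts\logon.cmd", "Access is Denied"),
    ("6", "10:52:03", "explorer.exe:1204", "OPEN",
     r"C:\WINDOWS\system32\logoff.exe", "SUCCESS"),
]
SAMPLE_LOG = "\n".join("\t".join(r) for r in ROWS)


def triage(log_text):
    """Return (sequence, process, path, reasons) for rows worth reading first."""
    findings = []
    reader = csv.reader(io.StringIO(log_text), delimiter="\t",
                        quoting=csv.QUOTE_NONE)
    for row in reader:
        if len(row) < 6:          # skip blank or truncated lines
            continue
        seq, _time, process, _request, path, result = row[:6]
        # ntpath splits on backslashes, so it works for file and registry paths.
        name = ntpath.basename(path).lower()
        ext = ntpath.splitext(name)[1]
        reasons = []
        if name == "logoff.exe":
            reasons.append("logoff.exe call")
        elif ext in EXEC_EXTS:
            reasons.append("executable or script (" + ext + ")")
        if any(marker in result.lower() for marker in DENIED_MARKERS):
            reasons.append("access denied")
        if reasons:
            findings.append((seq, process, path, reasons))
    return findings


if __name__ == "__main__":
    for seq, process, path, reasons in triage(SAMPLE_LOG):
        print(seq, process, path, "; ".join(reasons))
```

The process column of each flagged row shows which program touched the file or key, which is how unexpected logon-time launches stand out in a capture.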

