Re: Cannot Install Updates



"Roughneck" <Roughneck@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:EAA46D72-EA91-42E5-8379-DC1097A1B1E4@xxxxxxxxxxxxxxxx
> WHAT FILEMON SHOWS
> ------------------------------
>> > Lines 6 and 7 of the desktop's log read:
>> > * DoInstallation: CustomizeCall Failed: 0xb7
>> > * Cannot create a file when that file already exists.
>>
>> Shouldn't FileMon show you an access here which does not happen
>> in the clean install? Unless you already know which file this message
>> is referring to but you're not telling us?
>
> It might have -- but to be honest, the first time I started Filemon I was a
> bit overwhelmed by the amount of output (about 60k lines) that was generated
> by the KB885222 update process. So I changed the filter to just show log
> errors and ran the process again. IIRC, that brought it down to about 4k
> lines -- all errors.

That wouldn't be too useful IMO. What I use it for is as a supplemental trace
of file accesses. Use the Highlighting feature to make it less "overwhelming."
E.g. if there is a particular thing that you are interested in looking for you can
press Ctrl-L and change the pattern used for coloring lines red. I have never
had your problem so I can't say exactly what the search criterion should be.


> At that point, I noted all the specific error message
> categories (e.g. Name Clashes, Buffer Overflows, etc.), and noted a few key
> files/paths where they occurred, then compared that to the results from the
> laptop install. But all the errors I thought might be relevant from the
> desktop also occurred on the laptop. I did not however do a search for any
> of the strings found in the text "DoInstallation: CustomizeCall Failed:
> 0xb7". I'll have to run the installs again and look for that.

Unfortunately it isn't going to be that simple. There are no useful details
for us in that log, just hints about details we might be able to infer
from file accesses done at about the same time that the log message
was written. E.g. for the message you mentioned the best that I can
imagine finding using FileMon is a write by update.exe to that log file
specifying the length of that message: 50 bytes. Then before that
you would expect to find something more interesting such as error
messages associated either with the access (e.g. existence or permission)
or the creation or writing to some file. "Some file" is all that the
standard log tells us. For someone who actually supports this thing
that may be enough for them to know "which file". That's why we need
to use FileMon, to figure out which file the message is referring to
and from there perhaps we can figure out what the problem with it is.

I sure hope you find that /verbose log. I have a hunch that it will
make things much clearer.


> I haven't had
> the opportunity though to set the laptop up right next to the desktop so I
> can do side by side compares in Filemon. I did try saving the Filemon log
> from the desktop, thinking I could get both logs on one machine and do a side
> by side compare that way. But when I opened the saved log, it was very
> difficult to read because of formatting -- or I should say, a lack of
> formatting -- so I scrapped that idea. I guess I'll have to revisit that
> if I can't get the two machines side by side.

Yes. Also notice that when you're just trying to do eyeball pattern matching
like that, turning off Word Wrap and scrolling both documents to the
right should help a lot.


>
> REGMON or FILEMON ?
> -----------------------------
>> > Lines 6 and 7 of the laptop's log read:
>> > * In Function TestVolatileFlag, line 11660, RegOpenKeyEx failed with error
>> > 0x2
>> > * In Function TestVolatileFlag, line 11692, RegOpenKeyEx failed with error
>> > 0x2
>>
>>
>> That's interesting. This perhaps gives some hope that the /verbose
>> option would differentiate what key is being accessed (attempted to be
>> accessed) in each case. Alternatively, you could try running RegMon
>> again with both a clean and problem install, trying to identify this difference.
>
> Did you mean to try running it again with FileMon, or did you really mean
> RegMon. If RegMon, I'll see what I can find on that.

RegMon. I'm guessing that RegOpenKeyEx is a label in a script
which is doing some registry access. A registry access there is failing
for some reason. RegMon may show you a registry access which
failed and from that you would know which key was causing the problem.
Again, the only thing which makes this analysis practicable, without any
knowledge of the internals of the script, is the possibility of comparing
the traces made on the identical system which works.

Oh. I just thought of something else. Assuming that the script
is implemented by an .inf file you might get more clues by adding
.inf to your FileMon filter. And for a real "flying leap of hope"
you could try expanding the update and extracting the (assumed) .inf file
(or intercepting it while it was expanded) and seeing what it does on line 11660.
Then you would have something specific to look for in a RegMon trace.
That could give you a timestamp to find the context within a concurrent
FileMon trace and from there you could back up to the write to the log
of the common log entry. It could be one way of synchronizing the
two FileMon traces more easily. Use the Options, Clock Time and
Show Milliseconds in both tools if you want to do this.


>
>
> SEARCHING for CHANGED FILES
> ---------------------------------------
>> Did you miss the idea of "searching"? In XP I use Search Companion.
>> However, in NT4 I would have used the equivalent File Find tool.
>
> Yes and No -- but mostly Yes. ;-) I "searched" in the sense that I
> browsed folders I thought might be relevant, but I had never looked into
> using XP's search function to look only for changed files. I see now that
> can be done (by date, but not by time), so that will help when I go through
> this process again.
>
> Also a question -- is "Search Companion" something different than the search
> function available in XP from the "Start" menu?

Exactly the same thing. Perhaps I should just say press Win-F
or F3 from the Start menu? <eg>


>
>
>> I have never used your OS but hopefully it has an equivalent tool?
>
> I didn't quite follow that. I'm using XP SP2. I thought you were using XP
> also.

Oops. I'm getting my incidents mixed up. I was thinking that this was
on W2Ksp4. Yes. I use XPsp2.


Good luck

Robert
---
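
Added example (not part of the post or the thread): a Python script for the comparison described above. It lists failed accesses that appear only in the problem machine's trace, and the failed accesses that precede the 50-byte write to the update log. The tab-separated column layout, the C:\example paths, the result strings and the function names are assumptions; the sample traces are constructed.

```python
import re

# Constructed sample traces (not from the thread). Assumed saved-log layout:
# tab-separated columns #, Time, Process, Request, Path, Result, Other.
# "|" stands in for the tab here so the columns stay visible.
CLEAN = r"""
1|10:02:11.101|update.exe:1480|OPEN|C:\example\common.dll|NOT FOUND|
2|10:02:11.140|update.exe:1480|CREATE|C:\example\staging\payload.tmp|SUCCESS|
3|10:02:11.250|update.exe:1480|WRITE|C:\example\update.log|SUCCESS|Offset: 412 Length: 61
""".replace("|", "\t")
PROBLEM = r"""
1|09:41:07.310|update.exe:2212|OPEN|C:\example\common.dll|NOT FOUND|
2|09:41:07.355|update.exe:2212|CREATE|C:\example\staging\payload.tmp|NAME COLLISION|
3|09:41:07.402|update.exe:2212|WRITE|C:\example\update.log|SUCCESS|Offset: 300 Length: 50
""".replace("|", "\t")

def parse_trace(text):
    """Parse a trace into dicts; the PID is dropped so two machines compare."""
    events = []
    for line in text.strip().splitlines():
        cols = (line.split("\t") + [""] * 7)[:7]
        if not cols[0].strip().isdigit():
            continue  # header or stray line
        events.append({"time": cols[1], "process": cols[2].split(":")[0].lower(),
                       "request": cols[3].strip().upper(),
                       "path": cols[4].strip().lower(),
                       "result": cols[5].strip().upper(), "other": cols[6]})
    return events

def key(e):
    return (e["process"], e["request"], e["path"], e["result"])

def unique_failures(problem, clean):
    """Failed accesses in the problem trace that the clean trace lacks."""
    baseline = {key(e) for e in clean if e["result"] != "SUCCESS"}
    return [e for e in problem if e["result"] != "SUCCESS" and key(e) not in baseline]

def failures_before_log_write(events, log_path, length, window=25):
    """Failed accesses by the writer in the `window` events before its log write."""
    for i, e in enumerate(events):
        m = re.search(r"Length:\s*(\d+)", e["other"])
        if (e["request"] == "WRITE" and e["path"] == log_path.lower()
                and m and int(m.group(1)) == length):
            return [p for p in events[max(0, i - window):i]
                    if p["process"] == e["process"] and p["result"] != "SUCCESS"]
    return []

for e in unique_failures(parse_trace(PROBLEM), parse_trace(CLEAN)):
    print("only in problem trace:", e["time"], e["request"], e["path"], e["result"])
```

Failures common to both machines drop out of the first list, which is what makes a 4k-line error trace readable; the second function gives the time window to line up against a concurrent RegMon trace.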

