Recovering from the McAfee DAT 5958 update.

Yesterday McAfee released a new DAT update that caused McAfee to identify svchost.exe as an infected file. McAfee then attempts to quarantine this file, which results in Windows rebooting with a shutdown message some of us will remember from the Sasser worm chaos.

The result is that the machine cannot be used anymore. svchost.exe is the generic host process for services that run from DLLs, and pretty important for Windows. If you would like to get an idea of the impact on your system, this article might be all you need 🙂

Now how to recover?
First I would advise following any manual McAfee brings out describing how to recover using the McAfee scanner console. In the cases where the quarantine is deleted (some of our machines), follow the instructions below…

If you are unable to restore svchost.exe from the quarantine, you might follow these steps to recover your system.

0. Get the corrected SuperDAT from McAfee and put it on a USB stick, CD or other available media; no network locations.
1. Boot from the Windows CD and select the Recovery Console.
2. Select the correct Windows partition and log on as the local administrator.
3. Browse to C:\windows\system32 using the command: cd \windows\system32\
4. Open the CD-ROM drive using its allocated drive letter, usually D:, by typing D:
5. Browse to the i386 directory on the CD using: cd \i386\
6. Copy the original svchost.ex_ to your Windows drive using the command:
expand svchost.ex_ C: (C: is the drive you were on in step 3; this might differ,
in which case you need to change the drive letter to your system-specific drive)
7. Boot the system in Safe Mode. Select it by pressing F8 repeatedly during boot.
8. While in Safe Mode, run the SuperDAT you acquired in step 0.
9. After the update, reboot your system normally.
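Once the system boots again, it is worth confirming that the svchost.exe now in system32 really is the copy that came out of the CD's cabinet and not a leftover or partially written file. The script below is an added example and is not part of the original post: it expands svchost.ex_ from an i386 folder into a temporary directory, hashes both files and reports whether they match. The path D:\i386 and the script name Verify-Svchost.ps1 are assumptions; adjust them to your CD drive.

```powershell
# Added example (not from the original post): verify the restored svchost.exe
# against the compressed original on the Windows CD.
# Assumes: the CD's i386 folder is reachable at $I386 (default D:\i386) and
# expand.exe is present in system32 (it ships with Windows).
param(
    [string]$I386 = 'D:\i386'
)

$target  = Join-Path $env:SystemRoot 'system32\svchost.exe'
$tempDir = Join-Path $env:TEMP ('svchost-check-' + [guid]::NewGuid().ToString())
New-Item -ItemType Directory -Path $tempDir | Out-Null

# SHA-256 via .NET so the script also works on PowerShell versions without Get-FileHash.
function Get-Sha256Hex([string]$Path) {
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
}

# Unpack the cabinet copy into the temp folder (same expand step as in the Recovery Console).
$reference = Join-Path $tempDir 'svchost.exe'
& (Join-Path $env:SystemRoot 'system32\expand.exe') (Join-Path $I386 'svchost.ex_') $reference | Out-Null
if (-not (Test-Path $reference)) {
    Remove-Item $tempDir -Recurse -Force
    throw "expand failed; check that $I386\svchost.ex_ exists"
}

$have = Get-Sha256Hex $target
$want = Get-Sha256Hex $reference
Remove-Item $tempDir -Recurse -Force

if ($have -eq $want) {
    "OK: $target matches the CD copy (sha256 $want)"
} else {
    "MISMATCH: $target has sha256 $have, CD copy has $want; repeat the expand step"
}
```

Run it from an elevated PowerShell prompt as `.\Verify-Svchost.ps1 -I386 E:\i386` when the CD is on another drive letter. One caveat: a service pack installed after Windows was set up may have shipped a newer svchost.exe than the one on an original CD, so a slipstreamed CD of the same service pack level is the better source for the expand step.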

This is a pretty long road, but it will fix the problem in all cases.

Thanks to Benjamin van Ditmars for suggesting the expand option. We used a “good” copy of svchost before this suggestion. The expand option is “safer” 🙂

Exact Globe 396 runtime & automation errors when selecting “Reports and declaration”

Today we found that “E-Salary” might generate a “Runtime 0” error and an “Automation” error when running on a “dual screen” desktop, after which the main screen will freeze.

When Exact is opened on the secondary screen you might not be able to run any report / declaration from the right-hand menu options. As a result the main screen will freeze up and the only solution is restarting Exact.

A quick fix is to run Exact on the Windows main screen only! You might be able to identify the main screen by opening the display properties, or (if you didn't move the Start menu) use the screen that has the Start menu on it.

Good luck, and hopefully this bug will be fixed 🙂

Tip: free Nero alternative.

Recently I came across a problem where uploading files to a VM using SCP (SSH) just wasn't possible… 😦

It was also the moment I found that I had forgotten to bring my ISO container with the file, which would have enabled me to mount that image within VMware. Thank god I found that GNU Nero alternative that does what Nero does: build ISO files. You can find the download here 🙂

If you like the tool, don't be shy and donate 😉

Windows Update error?!?

Hi guys,

Recently we started getting messages in our client system logs stating something like:
The Automatic Updates service terminated with the following error: The class is configured to run as a security id different from the caller.

To be honest, we tried different approaches and researched different angles on this issue. We found articles about BITS and other security stuff, but none really helped. The following is true in our environment.

1. We don't use WSUS.
2. We have a native 2003 domain.
3. We use Windows XP Service Pack 2.
4. We do use network policies, but for some elusive business requirements we don't enforce updates (developers…)

Here are some things that were true about the issue.
1. We couldn't start or stop the Windows Update service (wuauserv.dll / wuaueng.dll) and got an access denied message.
2. We couldn't register the various DLLs in Windows.
3. We couldn't rewrite the BITS entries, also getting an access denied message.
4. We couldn't enable “interactive” mode in the Log On tab of the service, getting… yeah, an access denied message.

“Update on this issue”

The problem was somewhat elusive to us, but we found it! 🙂

The behaviour described above is caused when a network policy (GPO) is used to enforce the service configuration (Windows Update service) itself.

In the machine portion of a GPO you can browse down to: Computer Configuration > Windows Settings > Security > System Services. Here you can configure various aspects of the Windows services, like forcing the Messenger service to be disabled. In our case the Windows Update service was forced to Automatic and, with that (check the Permissions button), so were the rights on that service…

Just remove the policy from the Windows Update service and control the update service using the appropriate policies found under: Computer Configuration > Administrative Templates > Windows Components > Windows Update instead.
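The "access denied" symptoms come from the permissions the System Services policy writes onto the service, so the quickest way to see whether a client is affected is to read the service's security descriptor and decode who may start, stop or reconfigure it. The script below is an added example, not part of the original post: it runs `sc sdshow wuauserv`, parses the SDDL string with the .NET RawSecurityDescriptor class and lists each DACL entry with the service rights it grants. The right names and masks come from winsvc.h; the service name wuauserv is the Automatic Updates service mentioned above.

```powershell
# Added example (not from the original post): decode the DACL of the Automatic
# Updates service so you can see who is allowed to start, stop or reconfigure it.
# When a GPO under Computer Configuration > Windows Settings > Security > System
# Services defines the service, the permissions behind that policy replace the
# service's own descriptor, which is what produces the access denied errors above.
# Assumes an elevated prompt; sc.exe ships with Windows.

$ServiceName = 'wuauserv'

# Service-specific access rights (winsvc.h) plus the standard rights that matter here.
$RightNames = @(
    @{ Name = 'QueryConfig';    Mask = 0x00001 },
    @{ Name = 'ChangeConfig';   Mask = 0x00002 },
    @{ Name = 'QueryStatus';    Mask = 0x00004 },
    @{ Name = 'EnumDependents'; Mask = 0x00008 },
    @{ Name = 'Start';          Mask = 0x00010 },
    @{ Name = 'Stop';           Mask = 0x00020 },
    @{ Name = 'PauseContinue';  Mask = 0x00040 },
    @{ Name = 'Interrogate';    Mask = 0x00080 },
    @{ Name = 'UserControl';    Mask = 0x00100 },
    @{ Name = 'Delete';         Mask = 0x10000 },
    @{ Name = 'ReadControl';    Mask = 0x20000 },
    @{ Name = 'WriteDac';       Mask = 0x40000 },
    @{ Name = 'WriteOwner';     Mask = 0x80000 }
)

# "sc sdshow" prints the descriptor as one SDDL string surrounded by blank lines.
# sc.exe is spelled out because "sc" is a PowerShell alias for Set-Content.
$sddl = ((& sc.exe sdshow $ServiceName) | Where-Object { $_ -match '^\s*[OGDS]:' }) -join ''
$sddl = $sddl.Trim()
if (-not $sddl) { throw "Could not read the security descriptor of $ServiceName (not elevated?)" }

$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)

foreach ($ace in $sd.DiscretionaryAcl) {
    # Well-known SIDs such as SY (SYSTEM) and BA (Administrators) always resolve to a name.
    try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $who = $ace.SecurityIdentifier.Value }

    # Collect the names of every right bit set in this entry's access mask.
    $granted = @($RightNames |
        Where-Object { ($ace.AccessMask -band $_.Mask) -ne 0 } |
        ForEach-Object { $_.Name })

    New-Object PSObject -Property @{
        Account = $who
        AceType = $ace.AceType.ToString()   # AccessAllowed or AccessDenied
        Rights  = ($granted -join ', ')
    }
}
```

On a healthy client BUILTIN\Administrators is allowed Start, Stop, ChangeConfig and WriteDac on the service; when those rights are missing, or an AccessDenied entry shows up, the descriptor most likely came from the System Services policy. `gpresult /scope computer /v` on the client lists that policy together with the GPO it was applied from, and re-running this script after the policy has been removed and `gpupdate /force` has run shows the descriptor that is now in effect.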

This should fix the “id is other than caller” issue 😉

Just use the “gpupdate /force” command on the clients that really need some updates, and/or wait until the next logon, or 90 minutes (default GPO refresh time)…

Gl & Rgrds, Chris