From: Darryl on
Here you go.

Filter Name                     Num Instances    Frame
------------------------------  -------------    -----
PROCMON20                               0          0
sr                                              <Legacy>


"MowGreen" wrote:

> Well, I didn't see an obvious cause of the WUA failing to be updated,
> Darryl. There are no failures showing in the log.
> It very well may signify that either the HD has bad sectors or the
> memory may be starting to go kaput.
>
> The only other thing I can think of is that there's a minifilter still
> present that may have been installed by Trend.
>
> From: http://support.microsoft.com/kb/922582
>
> " Click Start, click Run, type cmd, and then click OK.
> Type fltmc.exe, and then press ENTER.
>
> The following example shows a legacy filter and minifilters:
>
> Filter Name                     Num Instances       Frame
> ------------------------------  ------------------  --------
> TestLegacyFilter                                    <Legacy>
> TestMiniFilter1                 4                   1
> TestMiniFilter2                 0                   0
>
> The following example shows only minifilters:
>
> Filter Name                     Num Instances       Frame
> ------------------------------  ------------------  --------
> TestMiniFilter1                 4                   1
> TestMiniFilter2                 0                   0 "
>
>
> Please post back with the results of running fltmc.exe.
>
>
> MowGreen
> ================
> * -343-* FDNY
> Never Forgotten
> ================
>
> banthecheck.com
> "Security updates should *never* have *non-security content* prechecked
>
>
>
> Darryl wrote:
> > Mow, you're right, I had messed up the winhttp registration/unregistration.
> > Went back and redid it, but still no error messages.
> >
> > I tried to install from the D:\ drive, stopping the services first and
> > clearing out the distribution folder as instructed, but got that same old
> > error again.
> >
> > I downloaded and installed the Process Monitor. I set up a filter for
> > windowsupdateagent30-x86, cleared the display and ran the installer.
> > Scanning through the items (and not being very familiar with interpreting the
> > entries), I finally decided that based on the WindowsUpdate.log, it looked
> > like what was failing was wusetup, not windowsupdateagent30-x86 itself. So I
> > set another filter for wusetup, cleared the display, and ran the installer
> > again. Again, I'm not sure how to interpret the entries, but if you would
> > like to take a look, I saved the log and you can get it here:
> > http://darrylsimagehost.s3.amazonaws.com/Logfile.PML
> >
> > Hoping you'll find the silver bullet in there! (and thanks again!)
> >
> > "MowGreen" wrote:
> >
> >> You're mowst welcome, Darryl.
> >> Previously, I suggested the unregistering of winhttp5.dll and the re
> >> registering of *winhttp.dll*.
> >> Did you mistakenly re register winhttp5.dll ?
> >>
> >> Before proceeding, I can see there are at least 2 partitions involved, C
> >> and D. Suggest you download another copy of the WUA and place it on the
> >> partition where the Windows directory is *not* installed, which I assume
> >> is D:\ -
> >> http://download.windowsupdate.com/windowsupdate/redist/standalone/7.4.7600.226/windowsupdateagent30-x86.exe
> >>
> >> Then stop the AU and BITS services.
> >> ( Adding the /force switch to the executable prior to running it should
> >> not have to be done when the services are stopped. )
> >> Next, show hidden files, folders, and system files:
> >> http://www.bleepingcomputer.com/tutorials/tutorial62.html#winxp
> >>
> >> Using Windows Explorer, navigate to
> >> WINDOWS\Software Distribution
> >> Open the Software Distribution subfolder and delete *all* of its
> >> subfolders.
> >> The only thing left now in the Software Distribution subfolder should be
> >> the ReportingEvents.log
> >> Now run windowsupdateagent30-x86.exe from the D partition and then
> >> restart the system.
> >> See if it can search for updates now.
> >>
> >> If no joy, the only other suggestion left is to download, save, and then
> >> run Process Monitor when you try to install the Windows Update Agent.
> >> You could set a filter for the executable, windowsupdateagent30-x86.exe,
> >> and perhaps see which process/handle/thread is preventing it from
> >> installing properly.
> >>
> >>
> >> MowGreen
> >> ================
> >> * -343-* FDNY
> >> Never Forgotten
> >> ================
> >>
> >> banthecheck.com
> >> "Security updates should *never* have *non-security content* prechecked
> >>
> >>
> >>
> >>
> >> Darryl wrote:
> >>> Thanks again for the help, Mow.
> >>>
> >>> The unregister/register of winhttp5.dll worked without any errors.
> >>>
> >>> kxentovz.dll is one of the dlls belonging to software that we have written
> >>> here, so it is Ok.
> >>>
> >>> I think rockvdd.dll may be left over from something the prior owner of this
> >>> machine installed long ago. I think it is benign based on info I found here:
> >>> http://www.siteadvisor.com/sites/rockey.gr/downloads/2178178/
> >>>
> >>> AppRemover did not find any remnants of security software to be removed. It
> >>> only found my installation of Malware AntiBytes.
> >>>
> >>> Early on in all this, I installed and ran AntiBytes and it found some things
> >>> that I quarantined and removed:
> >>>
> >>> Registry Keys Infected:
> >>> HKEY_CLASSES_ROOT\Interface\{00ada225-ea6c-4fb3-82e8-68189201ccb9}
> >>> (Adware.Winad) -> Quarantined and deleted successfully.
> >>> HKEY_CLASSES_ROOT\AppID\{735c5a0c-f79f-47a1-8ca1-2a2e482662a8}
> >>> (Adware.Winad) -> Quarantined and deleted successfully.
> >>> HKEY_CLASSES_ROOT\Typelib\{15696ae2-6ea4-47f4-bea6-a3d32693efc7}
> >>> (Adware.Winad) -> Quarantined and deleted successfully.
> >>> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2d2bee6e-3c9a-4d58-b9ec-458edb28d0f6}
> >>> (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
> >>> HKEY_CLASSES_ROOT\AppID\LoaderX.exe
> >>> (Adware.Winad) -> Quarantined and deleted successfully.
> >>>
> >>> Getting rid of these things did not solve my problem, though.
> >>>
> >>> I ran it again as you suggested and it found more items, which were probably
> >>> not causing any problems. I quarantined them and removed them anyway:
> >>>
> >>> Files Infected:
> >>> C:\Documents and Settings\joncmartin\Local Settings\Temp\res88B.tmp
> >>> (Adware.180olutions) -> Quarantined and deleted successfully.
> >>> C:\Program Files\Microsoft AntiSpyware\Quarantine\28B36EAB-3A20-47BF-BB9A-9B4B89\6C755816-4BC4-4E67-B68F-31930B
> >>> (Adware.180olutions) -> Quarantined and deleted successfully.
> >>> C:\Program Files\Microsoft AntiSpyware\Quarantine\28B36EAB-3A20-47BF-BB9A-9B4B89\D8CEB3A0-F20D-4A91-A424-1CDAB6
> >>> (Adware.180olutions) -> Quarantined and deleted successfully.
> >>> C:\Program Files\Microsoft AntiSpyware\Quarantine\547A6688-0AE7-4F21-8599-6C7272\FBC29733-84E4-4766-9ABB-D365FA
> >>> (Adware.180olutions) -> Quarantined and deleted successfully.
> >>>
> >>> I'm starting to think that the only solution is going to be repaving this
> >>> machine!
> >>>
> >>>
> >> .
> >>
> .
>
From: MowGreen on
Robert Aldwinckle wrote:
> "Darryl"<Darryl(a)discussions.microsoft.com> wrote in message news:7897B33C-6215-4E83-815F-1CBB5BAB08EA(a)microsoft.com...
>> Mow, you're right, I had messed up the winhttp registration/unregistration.
>> Went back and redid it, but still no error messages.
>>
>> I tried to install from the D:\ drive, stopping the services first and
>> clearing out the distribution folder as instructed, but got that same old
>> error again.
>>
>> I downloaded and installed the Process Monitor. I set up a filter for
>> windowsupdateagent30-x86, cleared the display and ran the installer.
>> Scanning through the items (and not being very familiar with interpreting the
>> entries), I finally decided that based on the WindowsUpdate.log, it looked
>> like what was failing was wusetup, not windowsupdateagent30-x86 itself. So I
>> set another filter for wusetup, cleared the display, and ran the installer
>> again. Again, I'm not sure how to interpret the entries, but if you would
>> like to take a look, I saved the log and you can get it here:
>> http://darrylsimagehost.s3.amazonaws.com/Logfile.PML
>
>
> Filter on Operation Contains WRITE
> to find C:\$PrepareToShrinkFileSize
> WTH is that? Notice that it is surrounded by a bunch of WU.log writes;
> so you should be able to use the pattern of their timestamps and lengths
> to see if there is anything interesting in the log which explains that.
> Tip: I use Notepad with its Status line on and press End to find out
> which lines end where. ; )
>


Interesting is an understatement, Robert. Something really hinky is
going on here which may be stemming from a hardware issue. Heck, it may
even be related to how the drive(s) are partitioned.
I've never seen this with the installation of the WUA before.


MowGreen
================
* -343-* FDNY
Never Forgotten
================

banthecheck.com
"Security updates should *never* have *non-security content* prechecked
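
Added example (not part of the original posts): one way to apply Robert's tip of filtering on Operation contains WRITE and using the offsets and lengths of the surrounding WindowsUpdate.log writes to find the log lines written just before and after the write to C:\$PrepareToShrinkFileSize. The seven-column CSV layout and the "Offset: ..., Length: ..." Detail text are assumed to match a Process Monitor CSV export; every row and log line below is constructed.

```python
import csv
import io
import re

WU_LOG = r"C:\WINDOWS\WindowsUpdate.log"
ODD_PATH = r"C:\$PrepareToShrinkFileSize"
DETAIL_RE = re.compile(r"Offset: ([\d,]+), Length: ([\d,]+)")

# Constructed log content (not taken from the Logfile.PML or WindowsUpdate.log in the thread).
LOG_LINES = [
    b"10:15:01:100 Setup constructed line A " + b"x" * 1000 + b"\r\n",
    b"10:15:01:250 Setup constructed line B\r\n",
    b"10:15:01:400 Setup constructed line C\r\n",
]
LOG_BYTES = b"".join(LOG_LINES)

def build_sample_csv():
    """Constructed ProcMon-style CSV; offsets and lengths follow LOG_LINES."""
    out = io.StringIO()
    w = csv.writer(out, quoting=csv.QUOTE_ALL)
    w.writerow(["Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail"])
    offset = 0
    for i, line in enumerate(LOG_LINES):
        if i == 2:  # the unexplained write lands between log lines B and C
            w.writerow(["10:15:01.25", "wusetup.exe", "1234", "WriteFile", ODD_PATH, "SUCCESS", ""])
        w.writerow([f"10:15:01.{i + 1}", "wusetup.exe", "1234", "WriteFile", WU_LOG,
                    "SUCCESS", f"Offset: {offset:,}, Length: {len(line):,}"])
        offset += len(line)
    w.writerow(["10:15:01.9", "wusetup.exe", "1234", "ReadFile", WU_LOG, "SUCCESS", ""])
    return out.getvalue()

def parse_writes(csv_text):
    """Keep rows whose Operation contains WRITE; pull Offset/Length out of Detail."""
    writes = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if "WRITE" not in row["Operation"].upper():
            continue
        m = DETAIL_RE.search(row["Detail"])  # Detail may carry no offset at all
        offset, length = (int(g.replace(",", "")) for g in m.groups()) if m else (None, None)
        writes.append({"time": row["Time of Day"], "path": row["Path"],
                       "offset": offset, "length": length})
    return writes

def log_context(writes, log_bytes, target=ODD_PATH):
    """For each write to target, return the log text written just before and after it."""
    def is_log(w):
        return w["path"].lower() == WU_LOG.lower() and w["offset"] is not None
    def text(w):
        if w is None:
            return None
        return log_bytes[w["offset"]:w["offset"] + w["length"]].decode("ascii", "replace").rstrip()
    hits = []
    for i, w in enumerate(writes):
        if w["path"].lower() != target.lower():
            continue
        before = next((x for x in reversed(writes[:i]) if is_log(x)), None)
        after = next((x for x in writes[i + 1:] if is_log(x)), None)
        hits.append((w["time"], text(before), text(after)))
    return hits
```

Slicing the log by byte offset does the same job as counting line ends in Notepad: it maps each logged write back to the exact text it put in the file.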
From: MowGreen on
There are no mini filters present from the installation of Trend, just
Process Monitor and the Legacy System Restore filter.

How many Hard Drives and how many partitions does the drive(s) have,
Darryl ?
How much free space is available on C:\ and D:\ ?
Automatic updates are stored in the WINDOWS directory but will be
unpacked and installed from the drive with the most free space available.

Frankly speaking, I've never seen this issue when installing the WUA
before. There may be something amiss with the partitioning/provisioning of
the HD, there are bad sectors of the HD, or failing RAM involved.
Also, I don't get why there are Write attempts to F:\.

What is F:\ ?

I'm going to fire up a Virtual instance of XP and run ProcMon while
installing the latest release of the WUA and compare the log to the one
from your system. Hang in there.


MowGreen
================
* -343-* FDNY
Never Forgotten
================

banthecheck.com
"Security updates should *never* have *non-security content* prechecked
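
Added example (not part of the original posts): a small parser for the three-column fltmc.exe listing quoted in this thread, which separates legacy filters from minifilters and reports anything outside an expected set, the check being done by eye above. The BASELINE set is an assumption for this machine, and the sample listing is constructed from the entries in the thread plus one minifilter name borrowed from the KB sample.

```python
import re

# Constructed capture: the layout quoted in this thread, including the squashed
# "sr<Legacy>" form that appears when the listing is quoted in a reply.
SAMPLE = """\
Filter Name                     Num Instances    Frame
------------------------------  -------------    -----
PROCMON20                               0          0
sr<Legacy>
TestMiniFilter1                         4          1
"""

# Assumption: filters expected on this machine (Process Monitor, System Restore).
BASELINE = {"procmon20", "sr"}

LEGACY_RE = re.compile(r"^(\S+?)\s*<Legacy>$")
MINI_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)$")

def parse_fltmc(text):
    """Parse fltmc listing text; tolerates '>' quote prefixes from a pasted reply."""
    filters = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()
        if not line or line.startswith("Filter Name") or set(line) <= set("- "):
            continue  # blank line, header row, or dashed rule
        m = LEGACY_RE.match(line)
        if m:
            filters.append({"name": m.group(1), "legacy": True,
                            "instances": None, "frame": None})
            continue
        m = MINI_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised fltmc line: {raw!r}")
        filters.append({"name": m.group(1), "legacy": False,
                        "instances": int(m.group(2)), "frame": int(m.group(3))})
    return filters

def unexpected(filters, baseline=BASELINE):
    """Names of loaded filters that are not in the baseline (case-insensitive)."""
    return [f["name"] for f in filters if f["name"].lower() not in baseline]

def detached(filters):
    """Minifilters that are loaded but have no instances (Num Instances == 0)."""
    return [f["name"] for f in filters if not f["legacy"] and f["instances"] == 0]

if __name__ == "__main__":
    parsed = parse_fltmc(SAMPLE)
    print("unexpected:", unexpected(parsed))
    print("loaded, no instances:", detached(parsed))
```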



From: Darryl on
Mow, the machine has 2 physical disks.

Disk 0 has 2 partitions: C: and F:
- C: is 32GB, with 3GB free
- F: has 37GB, with 20GB free

Disk 0 has one partition, D:
- D: has 149GB, with 126GB free

Originally, I only had disk 0, and it was partitioned into C: and D:. C:
was the OS and I did my work on D:. But I kept running out of space on C:,
so I added a new disk to be my work disk. To keep things the way they were,
I assigned the original D: to be F:, and assigned the new disk to be D:. I
then uninstalled/reinstalled my biggest applications (Office, Visual Studio,
etc) from C: to D: to free up as much space as possible on C:. It still has
only a little space, but I figured 3GB ought to be enough for Windows
updates, etc.

My CD-ROM is E:.

If it matters, I also have configured page files to be on both D: and F:,
where there is a lot of free space (so no page file on C:).
From: MowGreen on
Unless you've mistyped it, it's hard to believe that both drives were
assigned the number 0. The D:\ drive should be Disk1.

Was a 3rd party tool used to rename D:\ to F:\ and did the updating
correlate with the installation of the new HD or did it occur after the
upgrade of Trend ?

From what I've seen in the ProcMon log from my VPC of XP, the ProcMon
log from your system is showing many more BUFFER OVERFLOWS. In fact,
there was just one in the ProcMon log from the VPC of XP.

C:\ is being used only for the Windows directory, correct ? If so, you
can recover a great deal of disk capacity by removing the uninstall
subfolders of Service Packs, the backup of SP3 located at
WINDOWS\ServicePackFiles\i386, and the uninstall subfolders of installed
updates.
If you have the original XP installation CD you can slipstream SP3 to it
so as to be able to reinstall XP SP3 before removing the
ServicePackFiles\i386 subfolder.

Slipstreamed Windows XP CD Using SP3
http://www.theeldergeek.com/slipstreamed_xpsp3_cd.htm

Save Space After Installing Updates
http://www3.telus.net/dandemar/spack.htm

Though the question still remains as to the paths issue which appears to
be part of or entirely the cause of the failure of the WUA to install.


MowGreen
================
* -343-* FDNY
Never Forgotten
================

banthecheck.com
"Security updates should *never* have *non-security content* prechecked



