13 Replies. Latest reply: Aug 7, 2014 5:39 PM by norbertg

    VSE 8.8.0.1247 - WMI error 5858 on Windows Server 2012

    norbertg

      We are getting quite a few WMI errors on Server 2012 and it appears to be related to VSE.

       

      Log below:

       

      Log Name:      Microsoft-Windows-WMI-Activity/Operational

      Source:        Microsoft-Windows-WMI-Activity

      Date:          1/08/2014 1:39:06 PM

      Event ID:      5858

      Task Category: None

      Level:         Error

      Keywords:     

      User:          SYSTEM

      Computer:      <compname.domain.com>

      Description:

      Id = {AB5EFFE0-52BA-4FE8-85A5-3A14F0E4B1C5}; ClientMachine = compname; User = ; ClientProcessId = 840; Component = Unknown; Operation = Start IWbemServices::DeleteInstance - Root\Rsop\User\S_1_5_21_3781176320_1899982851_248831875_2960 : RSOP_ExtensionStatus.extensionGuid="{A3F3E39B-5D83-4940-B954-28315B82F0A8}"; ResultCode = 0x80041002; PossibleCause = Unknown

      Event Xml:

      <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

        <System>

          <Provider Name="Microsoft-Windows-WMI-Activity" Guid="{1418EF04-B0B4-4623-BF7E-D74AB47BBDAA}" />

          <EventID>5858</EventID>

          <Version>0</Version>

          <Level>2</Level>

          <Task>0</Task>

          <Opcode>0</Opcode>

          <Keywords>0x4000000000000000</Keywords>

          <TimeCreated SystemTime="2014-08-01T04:09:06.440369200Z" />

          <EventRecordID>50157</EventRecordID>

          <Correlation />

          <Execution ProcessID="840" ThreadID="4212" />

          <Channel>Microsoft-Windows-WMI-Activity/Operational</Channel>

          <Computer><compname.domain.com></Computer>

          <Security UserID="S-1-5-18" />

        </System>

        <UserData>

          <Operation_ClientFailure xmlns="http://manifests.microsoft.com/win/2006/windows/WMI">

            <Id>{AB5EFFE0-52BA-4FE8-85A5-3A14F0E4B1C5}</Id>

            <ClientMachine><compname></ClientMachine>

            <User>

            </User>

            <ClientProcessId>840</ClientProcessId>

            <Component>Unknown</Component>

            <Operation>Start IWbemServices::DeleteInstance - Root\Rsop\User\S_1_5_21_3781176320_1899982851_248831875_2960 : RSOP_ExtensionStatus.extensionGuid="{A3F3E39B-5D83-4940-B954-28315B82F0A8}"</Operation>

            <ResultCode>0x80041002</ResultCode>

            <PossibleCause>Unknown</PossibleCause>

          </Operation_ClientFailure>

        </UserData>

      </Event>

       

      The PID 840 belongs to VSE Desktop:

       

       

      vse_process.png

       

      And an MS reference link:

       

      http://social.technet.microsoft.com/Forums/windowsserver/en-US/84d42b34-6941-4b60-9908-450ef8305813/event-5858-from-wmiactivity?forum=winserver8gen

        • 1. Re: VSE 8.8.0.1247 - WMI error 5858 on Windows Server 2012
          llamamecomoquieras

          Morning,

           

          Is the WMI service running on the machine? It could be that VSE is trying to get the info from the WMI database to check which values it has, and because the service is stopped it is not possible. Do you often get a pop-up (Microsoft pop-up) saying that your antivirus is out of date?

           

          Regards,

           

          José María

          • 2. Re: VSE 8.8.0.1247 - WMI error 5858 on Windows Server 2012
            norbertg

            Hey,

             

            The only WMI service I can see is the WMI Performance Adapter which is set to manual and not running.

             

            I've never received a pop up that VSE on the server is out of date. We get daily reports and the server is always compliant.

            • 3. Re: VSE 8.8.0.1247 - WMI error 5858 on Windows Server 2012
              llamamecomoquieras

              Do you have the issue in a single Machine or do you have many with the same issue?

               

              If you have only one you could try to do a repair installation from the console:

               

              Help - repair installation and tick both boxes and click ok

               

              Best regards,

               

              José María

              • 4. Re: VSE 8.8.0.1247 - WMI error 5858 on Windows Server 2012
                norbertg

                The server in the original post is a VM (Hyper-V) and the physical server has the same WMI errors (Server 2012 as well) but is unusable at the moment so I can't confirm.

                 

                It also has VSE 8.8 installed as per the original post.

                • 5. Re: VSE 8.8.0.1247 - WMI error 5858 on Windows Server 2012
                  norbertg

                  I finally regained control of the server; the vsedeflogdir is associated with VSE again.

                   

                  On the access protection log we are getting the following alerts less than 1 second before the WMI errors appear in eventvwr.

                  4/08/2014	11:01:46 AM	Blocked by Access Protection rule	NT AUTHORITY\SYSTEM	C:\Windows\system32\svchost.exe	C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe	Common Standard Protection:Prevent termination of McAfee processes	Action blocked : Terminate
                  4/08/2014	11:01:46 AM	Blocked by Access Protection rule	NT AUTHORITY\SYSTEM	C:\Windows\system32\svchost.exe	C:\Program Files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe	Common Standard Protection:Prevent termination of McAfee processes	Action blocked : Terminate
                  4/08/2014	11:01:46 AM	Blocked by Access Protection rule	NT AUTHORITY\SYSTEM	C:\Windows\system32\svchost.exe	C:\Windows\system32\mfevtps.exe	Common Standard Protection:Prevent termination of McAfee processes	Action blocked : Terminate
                  4/08/2014	11:01:46 AM	Blocked by Access Protection rule	NT AUTHORITY\SYSTEM	C:\Windows\system32\svchost.exe	C:\Program Files (x86)\McAfee\VirusScan Enterprise\mfeann.exe	Common Standard Protection:Prevent termination of McAfee processes	Action blocked : Terminate
                  4/08/2014	11:01:46 AM	Blocked by Access Protection rule	NT AUTHORITY\SYSTEM	C:\Windows\system32\svchost.exe	C:\Program Files (x86)\McAfee\Common Framework\naPrdMgr.exe	Common Standard Protection:Prevent termination of McAfee processes	Action blocked : Terminate
                  4/08/2014	11:01:46 AM	Blocked by Access Protection rule	NT AUTHORITY\SYSTEM	C:\Windows\system32\svchost.exe	C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe	Common Standard Protection:Prevent termination of McAfee processes	Action blocked : Terminate
                  4/08/2014	11:01:46 AM	Blocked by Access Protection rule	NT AUTHORITY\SYSTEM	C:\Windows\system32\svchost.exe	C:\Program Files (x86)\McAfee\Common Framework\UdaterUI.exe	Common Standard Protection:Prevent termination of McAfee processes	Action blocked : Terminate
                  4/08/2014	11:01:46 AM	Blocked by Access Protection rule	NT AUTHORITY\SYSTEM	C:\Windows\system32\svchost.exe	C:\Program Files (x86)\McAfee\Common Framework\McTray.exe	Common Standard Protection:Prevent termination of McAfee processes	Action blocked : Terminate
                  4/08/2014	11:01:46 AM	Blocked by Access Protection rule	NT AUTHORITY\SYSTEM	C:\Windows\system32\svchost.exe	C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe	Common Standard Protection:Prevent termination of McAfee processes	Action blocked : Terminate
                  4/08/2014	11:01:46 AM	Blocked by Access Protection rule	NT AUTHORITY\SYSTEM	C:\Windows\system32\svchost.exe	C:\Program Files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe	Common Standard Protection:Prevent termination of McAfee processes	Action blocked : Terminate
                  4/08/2014	11:01:46 AM	Blocked by Access Protection rule	NT AUTHORITY\SYSTEM	C:\Windows\system32\svchost.exe	C:\Windows\system32\mfevtps.exe	Common Standard Protection:Prevent termination of McAfee processes	Action blocked : Terminate
                  4/08/2014	11:01:46 AM	Blocked by Access Protection rule	NT AUTHORITY\SYSTEM	C:\Windows\system32\svchost.exe	C:\Program Files (x86)\McAfee\VirusScan Enterprise\mfeann.exe	Common Standard Protection:Prevent termination of McAfee processes	Action blocked : Terminate
                  4/08/2014	11:01:46 AM	Blocked by Access Protection rule	NT AUTHORITY\SYSTEM	C:\Windows\system32\svchost.exe	C:\Program Files (x86)\McAfee\Common Framework\naPrdMgr.exe	Common Standard Protection:Prevent termination of McAfee processes	Action blocked : Terminate
                  4/08/2014	11:01:47 AM	Blocked by Access Protection rule	NT AUTHORITY\SYSTEM	C:\Windows\system32\svchost.exe	C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe	Common Standard Protection:Prevent termination of McAfee processes	Action blocked : Terminate
                  4/08/2014	11:01:47 AM	Blocked by Access Protection rule	NT AUTHORITY\SYSTEM	C:\Windows\system32\svchost.exe	C:\Program Files (x86)\McAfee\Common Framework\UdaterUI.exe	Common Standard Protection:Prevent termination of McAfee processes	Action blocked : Terminate
                  4/08/2014	11:01:47 AM	Blocked by Access Protection rule	NT AUTHORITY\SYSTEM	C:\Windows\system32\svchost.exe	C:\Program Files (x86)\McAfee\Common Framework\McTray.exe	Common Standard Protection:Prevent termination of McAfee processes	Action blocked : Terminate
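
The timing relationship described in the post above (Access Protection blocks appearing about a second before each WMI 5858 error) can be checked offline from exported logs. This is an added example, not part of the original thread or any McAfee tooling; it assumes the Access Protection log is tab-separated with d/MM/yyyy dates and a UTC+9:30 local offset (implied by the first post's timestamps), and both the log lines and the event XML below are constructed samples.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event",
      "w": "http://manifests.microsoft.com/win/2006/windows/WMI"}
# Assumed local offset, implied by the first post: 1:39:06 PM local = 04:09:06Z.
LOCAL_TZ = timezone(timedelta(hours=9, minutes=30))
SVCHOST = r"C:\Windows\system32\svchost.exe"
RULE = "Common Standard Protection:Prevent termination of McAfee processes"

# Constructed sample: Access Protection log, assumed tab-separated (8 fields).
AP_LOG = "\n".join("\t".join(fields) for fields in [
    ("4/08/2014", "9:00:00 AM", "Blocked by Access Protection rule",
     r"NT AUTHORITY\SYSTEM", SVCHOST,
     r"C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe",
     RULE, "Action blocked : Terminate"),
    ("4/08/2014", "11:01:46 AM", "Blocked by Access Protection rule",
     r"NT AUTHORITY\SYSTEM", SVCHOST,
     r"C:\Program Files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe",
     RULE, "Action blocked : Terminate"),
])

# Constructed sample: a trimmed 5858 event; 01:31:47Z is 11:01:47 AM local.
WMI_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>5858</EventID>
  <TimeCreated SystemTime="2014-08-04T01:31:47.120000000Z" /></System>
 <UserData>
  <Operation_ClientFailure xmlns="http://manifests.microsoft.com/win/2006/windows/WMI">
   <ClientProcessId>840</ClientProcessId>
   <ResultCode>0x80041002</ResultCode>
  </Operation_ClientFailure>
 </UserData>
</Event>"""


def parse_ap_log(text, tz=LOCAL_TZ):
    """Split each log line into fields and attach a timezone-aware timestamp."""
    entries = []
    for line in text.splitlines():
        f = line.strip().split("\t")
        if len(f) != 8:
            continue  # skip headers or malformed lines
        when = datetime.strptime(f"{f[0]} {f[1]}", "%d/%m/%Y %I:%M:%S %p")
        entries.append({"time": when.replace(tzinfo=tz), "user": f[3],
                        "source": f[4], "target": f[5],
                        "rule": f[6], "action": f[7]})
    return entries


def parse_wmi_failure(xml_text):
    """Extract time, client PID and result code from a 5858 event."""
    root = ET.fromstring(xml_text)
    stamp = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    # SystemTime carries 9 fractional digits; datetime accepts at most 6.
    stamp = re.sub(r"\.(\d{1,6})\d*Z$", r".\1+0000", stamp)
    fail = root.find("e:UserData/w:Operation_ClientFailure", NS)
    return {"time": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%f%z"),
            "pid": int(fail.findtext("w:ClientProcessId", namespaces=NS)),
            "result": fail.findtext("w:ResultCode", namespaces=NS)}


def blocks_before(event, ap_entries, window=timedelta(seconds=2)):
    """AP entries logged shortly before the WMI failure.

    The AP log has one-second resolution, so the window is a little wider
    than the one second mentioned in the post.
    """
    return [a for a in ap_entries
            if timedelta(0) <= event["time"] - a["time"] <= window]
```

The event XML as pasted in the first post is not well-formed because of the `<compname>` placeholders, so those need replacing before an export like it is fed to `parse_wmi_failure`.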
                  • 6. Re: VSE 8.8.0.1247 - WMI error 5858 on Windows Server 2012
                    norbertg

                    Can I have some help please or do I need to log it with support?

                    • 7. Re: VSE 8.8.0.1247 - WMI error 5858 on Windows Server 2012
                      llamamecomoquieras

                      Hi,

                       

                      Can you please try to disable components to see which component is causing the issue?

                       

                      Disabling VirusScan Enterprise during troubleshooting

                       

                      If a system problem occurs that could be related to processes VirusScan Enterprise is running, you can systematically disable VirusScan Enterprise functions until the system problem is eliminated. Or, at least you can eliminate VirusScan Enterprise as the cause of the problem.

                       

                      CAUTION: You must reconfigure or restore VirusScan Enterprise to have full malware protection again after troubleshooting.

                       

                      Systematically disabling the VirusScan Enterprise functionality is separated into the following eight-step process:

                       

                      1 Disabling Buffer Overflow protection

                      2 Disabling Access Protection

                      3 Disabling ScriptScan

                      4 Disabling On Access Scanning

                      5 Disabling On Access Scanning then reboot

                      6 Preventing MFEVTP from loading then reboot

                      7 Renaming mfehidk.sys then reboot

                      8 Removing the product then reboot

                       

                      Each of these eight steps is described in the following sections. For option definitions in the VirusScan Console, click Help in the interface.

                       

                      Disabling buffer overflow protection

                       

                       

                      Follow these steps to disable Buffer Overflow protection.

                       

                      1 From the VirusScan Console Task list, right-click Buffer Overflow Protection and click Properties.

                       

                      2 From the Properties dialog box, deselect Enable buffer overflow protection and click OK.

                       

                      3 Is the original system problem fixed by disabling Buffer Overflow protection:

                      • Yes — Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com and search for a solution or contact McAfee Technical Support.

                      • No — The original system problem was probably not related to this feature.

                       

                      Disabling access protection

                       

                      Follow these steps to disable Access Protection.

                       

                      1 From the VirusScan Console Task list, double-click Access Protection to open the Access Protection Properties dialog box.

                       

                      2 Click Access Protection tab, deselect Enable access protection and click OK.

                       

                      Is the original system problem fixed by disabling Access Protection:

                      • Yes — Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com and search for a solution or contact McAfee Technical Support.

                      • No — The original system problem was probably not related to VirusScan Enterprise.

                       

                      Disabling ScriptScan

                       

                       

                      Follow these steps to disable ScriptScan.

                       

                      1 From the VirusScan Console Task list, right-click On-Access Scanner to open the On-Access Scan Properties dialog box.

                       

                      2 Click ScriptScan tab, deselect Enable scanning of scripts and click OK.

                       

                      3 Is the original system problem fixed by disabling ScriptScan:

                      • Yes — Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com and search for a solution or contact McAfee Technical Support.

                      • No — The original system problem was probably not related to VirusScan Enterprise.

                       

                      Disabling on-access scanning

                       

                       

                      Follow these steps to disable on access scanning.

                       

                      1 Disable Access Protection. From the VirusScan Console in the Task list, right-click Access Protection and select Disable.

                       

                      2 Change the McShield Services applet Start type to Disabled using the following:

                       

                      • Click Start | Control Panel | Administrative Tools | Services to open the Services applet.

                      • In Services (Local), scroll down to McAfee McShield and right-click the name to open the McAfee McShield Properties dialog box.

                      • Click the General tab, from the Startup type list, click Disabled, and click OK.

                       

                      3 From the VirusScan Console Task list, right-click On-Access Scanner and click Disable from the list that appears. The On-Access Scanner icon should change to include a circle with a slash to indicate the function is disabled.

                       

                      4 Is the original system problem fixed by disabling On Access scanning:

                      • Yes — Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com and search for a solution or contact McAfee Technical Support.

                      • No — The original system problem was probably not related to this feature.

                       

                      Disabling on-access scanning then reboot

                       

                       

                      Follow these steps to disable on access scanning and reboot.

                       

                      NOTE: The following process assumes you have not re-enabled on access scanning after disabling it in the previous section.

                       

                      1 Perform a complete shut-down and reboot of the system.

                       

                      2 Is the original system problem fixed by disabling On Access scanning then rebooting:

                      • Yes — Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com and search for a solution or contact McAfee Technical Support.

                      • No — The original system problem was probably not related to this feature.

                       

                      Preventing MFEVTP from loading then reboot

                       

                       

                      Follow these steps to prevent McAfee Validation Trust Protection Service (MFEVTP) from loading and reboot the system:

                       

                      CAUTION: This section contains information about opening or modifying the registry.

                       

                      • The following information is intended for System Administrators. Registry modifications are irreversible and could cause system failure if done incorrectly.

                      • Before proceeding, McAfee strongly recommends backing up your registry and understanding the restore process. For more information, see: http://support.microsoft.com/kb/256986 .

                      • Do not run a .REG file that is not confirmed to be a genuine registry import file.

                       

                      1 From the command line, type regedit to display the Registry Editor user interface.

                       

                      2 Navigate to the following Registry: [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mfevtp]

                       

                      3 In the right-hand pane, right-click Start and click Modify to display the Edit DWORD Value dialog box.

                       

                      4 Enter 4 in Value data and click OK.

                       

                      5 Is the original system problem fixed by preventing MFEVTP from loading then rebooting:

                      • Yes — Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com and search for a solution or contact McAfee Technical Support.

                      • No — The original system problem was probably not related to this feature.

                       

                      Renaming mfehidk.sys file then reboot

                       

                       

                      Follow these steps to rename the mfehidk.sys file and reboot the system.

                       

                      1 Navigate to the mfehidk.sys file in the following folder, depending on your operating system:

                      • For 32-bit operating systems — %windir%\System32\drivers

                      • For 64-bit operating systems — %windir%\System64\drivers

                       

                      2 Change the file name from mfehidk.sys to, for example, mfehidk.sys.saved.

                       

                      3 Reboot the system to stop and restart VirusScan Enterprise without loading the mfehidk.sys file.

                       

                      4 Is the original system problem fixed by renaming the mfehidk.sys file then rebooting:

                      • Yes — Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com and search for a solution or contact McAfee Technical Support.

                      • No — The original system problem was probably not related to VirusScan Enterprise.

                       

                      Removing the product then reboot

                       

                       

                      Follow these steps to completely remove VirusScan Enterprise and reboot.

                       

                      1 Remove the VirusScan Enterprise program files. Refer to the McAfee VirusScan Enterprise 8.8, Installation Guide for detailed instructions.

                       

                      2 Reboot the system to stop and restart the operating system without VirusScan Enterprise installed.

                       

                      3 Is the original system problem fixed by completely removing the VirusScan Enterprise program files and rebooting:

                       

                      • Yes — The original system problem was probably related to VirusScan Enterprise.

                      • No — Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com and search for a solution, or contact McAfee Technical Support.

                       

                      Please, keep us updated.

                       

                      Best regards,

                       

                      José María

                      • 8. Re: VSE 8.8.0.1247 - WMI error 5858 on Windows Server 2012
                        norbertg

                        Thanks, EPO manages VSE (FYI) but I should be able to figure out where to make these changes. I will have to discuss this with our consultant before proceeding further.

                        • 9. Re: VSE 8.8.0.1247 - WMI error 5858 on Windows Server 2012
                          norbertg

                          I've disabled BOP in EPO but can't find it in VSE to confirm it's disabled:

                           

                          bop.png
