Automatic scans don't work on Win2K

[Guest]

I've been following several threads, looking for a solution to why automatic
scans no longer work for me on a Windows 2000 machine.

The problems seemed to start for me when I upgraded from Beta 1 to Beta 2.

The issue doesn't appear to be the error message 0x8007052E (unknown user
name or password). Here is a log file excerpt from Beta 1:

-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "C:\Program Files\Windows Defender\MpCmdRun.exe"
Scan -ScanType config -Privileges restricted
Start Time: Sat Feb 25 02:09:00 2006


Start: MpScan(MP_ANTISPYWARE, dwOptions=1)
Start: MpSignatureUpdate()
Update started (Type:Scheduled)
SearchStarted...Search Completed with hr: 0x00000000
Update completed succesfuly . no updates needed (hr:0x00000001)
Finish: MpSignatureUpdate()
ERROR: LogonUserExW(NetworkService) Failed 8007052E
Error running as network service. hr = 0x8007052e


-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "C:\Program Files\Windows Defender\MpCmdRun.exe"
Scan -ScanType config -Privileges restricted -Reinvoke
Start Time: Sat Feb 25 02:09:31 2006


Start: MpScan(MP_ANTISPYWARE, dwOptions=1)
MpScan() started
MpCmdRun: End Time: Sat Feb 25 02:10:37 2006

-------------------------------------------------------------------------------------
MpScan() was completed
Finish: MpScan(MP_ANTISPYWARE, dwOptions=1)
Creating SpyNet Report
MpScan() has detected 0 threats.
Sending the SpyNet Report
MpCmdRun: End Time: Sat Feb 25 02:24:52 2006

-------------------------------------------------------------------------------------

Windows Defender did an update, didn't find anything, and then got the logon
error. It didn't seem to matter, because immediately after Defender did a
scan which took 14 minutes.

The new problem in Beta 2 seems to be related to error 0x80070020 (file
sharing violation). Here's a log file excerpt from Beta 2:

-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "C:\Program Files\Windows Defender\MpCmdRun.exe"
Scan -RestrictPrivileges
Start Time: Sat May 06 07:36:21 2006


Start: MpScan(MP_ANTISPYWARE, dwOptions=2)
Start: MpSignatureUpdate()
Update started (Type:Scheduled)
SearchStarted...
Search Completed with hr: 0x00000000
Update completed succesfuly . no updates needed (hr:0x00000001)
Finish: MpSignatureUpdate()
ERROR: LogonUserExW(NetworkService) Failed 8007052E
Error running as network service. hr = 0x8007052e


-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "C:\Program Files\Windows Defender\MpCmdRun.exe"
Scan -RestrictPrivileges -Reinvoke
Start Time: Sat May 06 07:36:31 2006


Start: MpScan(MP_ANTISPYWARE, dwOptions=2)
CreateFileW(C) FAILED 80070020
MpCmdRun: End Time: Sat May 06 07:36:31 2006

-------------------------------------------------------------------------------------
MpCmdRun: End Time: Sat May 06 07:36:33 2006

The task scheduler is running Defender. But Defender gets the file sharing
error and then exits with a success status code of zero. Here's an excerpt
of the task scheduler log:

"MP Scheduled Scan.job" (MpCmdRun.exe)
Started 5/6/2006 7:36:21 AM
"MP Scheduled Scan.job" (MpCmdRun.exe)
Finished 5/6/2006 7:36:33 AM
Result: The task completed with an exit code of (0).

It looks to me like a Beta 2 bug that we won't be able to workaround. I
guess you could try to reinstall Beta 1 if you could find a copy.

Hopefully this message will generate some type of response from Microsoft so
that we can quit spinning our wheels.

 

[Guest]

I was somewhat unclear in my last post. When I refer to Beta 1 I'm talking
about the original release of Windows Defender, and Beta 2 refers to the
updated version of Windows Defender released in mid April. Both of those
versions are actually called Windows Defender Beta 2.

 

[Bill Sanderson MVP]

Tony - you are using Beta1 and Beta2 in a different sense than the rest of
us. I believe that you are comparing results from build 1051 of Windows
Defender, versus build 1347. All Windows Defender builds are beta2, from
Microsoft's perspective.

Aside from that nomenclature issue, I agree completely with your what you
are saying and seeing in these logs.

I agree that the logon error is a smokescreen--it appears to be "normal."

I agree that your file creation error is likely what needs to be fixed on
your system.

I have not seen such an error on systems I work with as far as I know--but
I'll do some more checking tonight and tomorrow--I've got very few Windows
2000 systems--3 servers, which I can reach remotely at any time, and one
workstation, which I can check tomorrow.

One obvious question would be whether you see any error if you do the same
type of scan on this system manually?

--

 

[Guest]

Bill,

You're correct about my misuse of "beta #" versus "build"; that's why I
posted my second message.

To answer your question, manual scans work fine. I've tried a manual scan
from within the Defender human interface, and it worked. I also tried a
command prompt scan using the syntax "mpcmdrun scan -1 -restrictprivileges
-reinvoke" and it worked.

As far as I can see, the problem first surfaced in build 1347.

Thanks for the help.

 

[Bill Sanderson MVP]

Now that I think of it, I am probably not running 1347 on any Windows 2000
machines. I'll look into this tomorrow (whoops--today!) as I get time.

--

 

[Guest]

Scheduled scan job command has been changed from build 1051:
"C:\Program Files\Windows Defender\MpCmdRun.exe" Scan -ScanType config
-Privileges restricted

to the following in build 1347:
"C:\Program Files\Windows Defender\MpCmdRun.exe" Scan -RestrictPrivileges

When you schedule command from build 1051 in build 1347 it works fine. Here
is the log:

-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "C:\Program Files\Windows Defender\MpCmdRun.exe"
Scan -ScanType config -Privileges restricted
Start Time: Thu May 11 06:00:00 2006


Start: MpScan(MP_ANTISPYWARE, dwOptions=1)
MpScan() started
Time Info - Thu May 11 06:02:23 2006
MpScan() was completed
Finish: MpScan(MP_ANTISPYWARE, dwOptions=1)
MpScan() has detected 0 threats.
MpCmdRun: End Time: Thu May 11 06:02:28 2006

 

[Bill Sanderson MVP]

Thanks very much. This certainly has the appearance of a bug....

--

 

[Guest]

I upgraded from Microsoft Antispyware to Windows defender beta 2 1347 and
auto scans do not work for me either. I have it all set OK but nothing
happens at the scan time. It also does not seem to be auto updating.
Am using W2K SP4 fully patched from MS update site.

 

[Bill Sanderson MVP]

If you are set to update before a scheduled scan, and scheduled scans are
not happening, then that update is probably also not happening. However,
AutoUpdate should still function, if it is functional for other updates on
the machine in question.

I believe theres a post in this thread giving the syntax for the scheduled
job from the older build. Scheduling a job with that syntax yourself should
work, I believe. Here it is:

"C:\Program Files\Windows Defender\MpCmdRun.exe" Scan -ScanType
config -Privileges restricted

Try scheduling that, manually, using the Windows Scheduled tasks facility.

The update issue may be unrelated--here's the troubleshooting KB for that:

http://support.microsoft.com/kb/918355/en-us