Catroot2 corruption

paristotle

I have a recurring catroot2 corruption issue. When it happens the machine
asks for Admin credentials to install simple devices like optical mouse,
flash drive. This has happened mostly for one machine image, but not
exclusively. If I rename the c:\windows\system32\catroot2\edb.log file the
problem goes away, and may or may not return sometime in the future. Today it
happened on a completely different type of machine so I am at least a little
concerned. What can cause this kind of corruption on XP pro sp2 machines?
 
MowGreen [MVP]

The edb.log can be corrupted by an antivirus scanning it while it's in
use, commonly known as being 'locked'. Other security software that
guards a file by preventing changes to it may also cause corruption.

See: Virus scanning recommendations for computers that are running
Windows Server 2003, Windows 2000, or Windows XP
http://support.microsoft.com/kb/822158

Exclude the edb.log from scans and realtime 'protection' and see if that
resolves the corruption issue.

MowGreen [MVP 2003-2008]
===============
*-343-* FDNY
Never Forgotten
===============
 
paristotle

Thanks. I'll look into it. I am a little sceptical only because the antivirus
is deployed and managed across our org in a similar manner to both desktops
and laptops. In this case only some laptops have this problem.
What I would really like is some in-depth info on what happens in the
catroot2 folder. So far all I have learned is that it relates to the
encryption of signed drivers. This is why it prompts for admin creds to
install simple devices; they appear as unknown and unsigned. Am I on the
wrong track here?

MowGreen [MVP]

Is the AV a Symantec 'product'?

Rereading your original post ... are the images created on a system with
an X processor and deployed to other systems with Y processors?

Corruption in catroot2 immediately after an install of the OS may also
be caused by faulty RAM.

Catroot2 is not where the digital signatures are stored, they're in
Catroot. The catdb [catalogue database] contains the info that points to
the {F750E6C3-38EE-11D1-85E5-00C04FC295EE} subfolder in Catroot.
That's where the .cats are stored. <meow>


MowGreen [MVP 2003-2008]
===============
*-343-* FDNY
Never Forgotten
===============
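
An added example, not part of the original thread or of MowGreen's post: a read-only Python triage of the CatRoot / CatRoot2 layout described above, reporting whether the .cat files and the database are present and how often edb.log has been set aside by the rename workaround. The `catdb` location under `CatRoot2\<GUID>`, the function names and the sample file names are assumptions; the sample tree is constructed.

```python
import tempfile
from pathlib import Path

# Subfolder of CatRoot named in the post above; it holds the .cat files.
SYSTEM_GUID = "{F750E6C3-38EE-11D1-85E5-00C04FC295EE}"

def triage_catalog_store(system32):
    """Report the on-disk state of CatRoot and CatRoot2 under a system32 directory."""
    system32 = Path(system32)
    cat_dir = system32 / "CatRoot" / SYSTEM_GUID
    catroot2 = system32 / "CatRoot2"
    cats = list(cat_dir.glob("*.cat")) if cat_dir.is_dir() else []
    # Assumption: the catalogue database is the file CatRoot2\<GUID>\catdb.
    catdb = catroot2 / SYSTEM_GUID / "catdb"
    catdb_size = catdb.stat().st_size if catdb.is_file() else 0
    # Logs set aside by the rename workaround (edb.log.old, edb.log.old2, ...).
    renamed = sorted(p.name for p in catroot2.glob("edb.log?*")) if catroot2.is_dir() else []
    findings = []
    if not cats:
        findings.append("no .cat files in CatRoot: nothing for the database to point to")
    if catdb_size == 0:
        findings.append("catdb missing or empty")
    if len(renamed) >= 2:
        findings.append("edb.log set aside %d times: corruption is recurring" % len(renamed))
    return {"cat_files": len(cats), "catdb_bytes": catdb_size,
            "live_log": (catroot2 / "edb.log").is_file(),
            "renamed_logs": renamed, "findings": findings}

def build_sample(root):
    """Constructed sample tree: three catalogs, a catdb, one live and two renamed logs."""
    root = Path(root)
    cat_dir = root / "CatRoot" / SYSTEM_GUID
    db_dir = root / "CatRoot2" / SYSTEM_GUID
    cat_dir.mkdir(parents=True)
    db_dir.mkdir(parents=True)
    for name in ("NT5.cat", "NT5INF.cat", "oem0.cat"):  # constructed file names
        (cat_dir / name).write_bytes(b"\x30\x82")
    (db_dir / "catdb").write_bytes(b"\x00" * 4096)
    for name in ("edb.log", "edb.log.old", "edb.log.old2"):
        (root / "CatRoot2" / name).write_bytes(b"\x00" * 16)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for key, value in triage_catalog_store(build_sample(tmp)).items():
            print(key, "=", value)
```

Pointed at a copy of `system32` from an affected laptop and from a healthy one built from the same image, the two reports show whether the difference lies in the catalogs, the database, or only in how often the log has been renamed.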


paristotle

Our AV solution is Trend.
As for the image, I always use the same model of reference machine to build
the image on as the intended target machines. The first time I built this
image all the machines created from it had this problem so I went back and
rebuilt it from scratch and now only some machines get the problem, and they
don't get it right away. It shows up after a while. I wonder if it has
anything to do with the Lenovo software utilities, or some other software
that I preinstall onto the image. I've also wondered if updates from our WSUS
server could cause this.

Thanks for all your info.