Windows 2000 Compatibility?

Guest

After I installed WD on Windows 2000 SP4, whenever I started up, I was
getting an error message in the Application Event Log saying -

Windows Defender Real-Time Protection checkpoint has encountered an error
and failed to start.
User: AshfieldCourt\Dave Hawley
Checkpoint Id: 7
Error Code: 0x80070005
Error description: Access is denied.

This is immediately followed by -

Windows Defender Real-Time Protection agents have started.
User: AshfieldCourt\Dave Hawley

I found by trial and error that these messages both disappeared if I
un-checked
"System Configuration" under the "real-time protection" options in the WD
tools menu.
Is the "Real-Time Protection checkpoint" something to do with system restore?
Windows 2000 does not have the system restore function that XP does, so
could this be the cause of the error messages? Perhaps it's trying to use
something which simply isn't there on Windows 2000 systems.

If that is the case, the WD application isn't completely compatible with
Windows 2000, which it is supposed to be!
Any thoughts on this MVPs?
 
Bill Sanderson MVP

As a quick first response, I haven't seen this issue on three Windows 2000
SP4 servers I work with, nor either of two Windows 2000 Professional
workstations.
 
Guest

Thanks Bill.
Good to know that it doesn't happen on all Windows 2000 systems!
But why is it happening on mine?
The "access denied" error message seems to imply that it can't access a
registry key or keys perhaps.
All the WD keys seem to have restricted access, presumably for security
reasons as you would expect.
I did try de-restricting them all, but this made no difference to the error
messages.
Any more ideas anyone?
Thanks, Dave.
 
Bill Sanderson MVP

Dave - back on May 10th, you posted a similar issue, and Joe Faulhaber of
Microsoft responded with this post:
---------------------------------------------------
Hi Dave,

Apparently, WD can't access your hosts file. Checkpoint 7 is WD's hosts
file monitoring. The hosts file is usually at
\windows\system32\drivers\etc.
You probably want to check it out - I think it's unusual to set security on
hosts so you can't read it.

Please let us know what was in there, if it's interesting. :)

Regards,
Joe
--------------------------------------------------
I don't know whether you ever saw that response, but it seems to match the
circumstances--so--tell us about the permissions on the hosts file and its
content?


--
 
Guest

Bill, thank you so much for that.
I had completely missed Joe's response to the previous thread.
I do apologise to him and to yourself.
I can only assume that the auto notification of the reply failed for some
reason, and I didn't check the thread manually as I should have done.

I have checked the "hosts" file, and it is present where it should be.
Its attributes are normal, so I can't see any reason why it couldn't have
been accessed by WD if it needed to.
Its contents at present are as follows -

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

# MeadCo's Neptune: the fix for a well-known Netscape Java LiveConnect bug
# http://developer.netscape.com/support/bugs/known/plugins.html
0.0.0.0 javascript-of-unknown-origin.netscape.com

Does this give any clues?
It appears to be a generic sample file, with no reference to WD at all.
Thanks, Dave.
 
Bill Sanderson MVP

Your hosts file seems standard except for those last three lines.

I don't see anything sinister about them.

So, I'd think that the answer should either be in the permissions, which you
say look normal, or perhaps some subtlety about the file content which is
causing an issue with Defender opening and parsing it--which would be a bug,
I'd think.

Hmm--this doesn't work too well.

If I use this tool
http://www.sysinternals.com/Utilities/AccessEnum.html

A hosts file on a Windows 2000 server I work with has these permissions:

"Path" "Read" "Write" "Deny"
"C:\WINNT\system32\drivers\etc" "Administrators, NT AUTHORITY\Authenticated Users, Server Operators" "Administrators, Server Operators" ""

(to read this properly, there's nobody in the Deny group.)
 
Guest

Thanks again Bill.
I have checked the access rights on my "Drivers\ETC" folder, and AccessEnum
reports that "Everybody" has read and write access, with no-one denied.

I tried modifying the file, and stripped everything out except the line -
127.0.0.1 localhost

This seemed to be the only line that wasn't just a comment, or something
that maybe shouldn't be there, e.g. the last three lines.
This made no difference.

I have now deleted the "hosts" file altogether, and the error messages have
gone away! I can't find that this is causing any other immediate problems. I
still have the original saved of course so I can easily reinstate it, but
what problems might not having a hosts file at all cause?
Cheers, Dave.
 
Bill Sanderson MVP

Look in the same folder that the hosts file was in for a file "hosts.sam"
Copy this file to hosts (with no suffix)--that will reinstate the original
default hosts file.

I'm not sure just what running without the default hosts file would
affect--but it is easily recreated.

--
 
Guest

Bill, I don't have "hosts.sam" file in that folder, only a "lmhosts.sam"
file, whose contents seem to be completely different to the original "hosts"
file.
I do get the feeling that it's the
"127.0.0.1 localhost"
line in the hosts file which is causing the problem.
127.0.0.1 is presumably an IP address, and maybe it's that that WD cannot
access.
Is that IP address standard, or does it vary from system to system?
Thanks again for all your help.
Dave.
 
Bill Sanderson MVP

That's not the problem--that is standard--every localhost in the world
should be at that address, I think.

Here's a cut and paste from mine:
Just cut and paste the stuff between the dashed lines to notepad and save it
as hosts--no suffix, in \windows\system32\drivers\etc I can't remember
what's needed to get notepad to do this--you may need to go to a command
prompt at that location and rename the file after saving it to get it named
correctly with no suffix.

There is indeed not a lot of magic about this file. It'd be interesting to
know just what it was about your original that caused Windows Defender to
throw up its hands in dismay, but this is an easy fix, anyway.

---
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
# For example:
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
 
Guest

Thanks again Bill.
I used your "hosts" file, and the error message in the event log immediately
came back!
So it doesn't look as if it's the content of the hosts file which is the
problem, its very presence seems to generate the error.
What next?
Cheers, Dave.
 
Bill Sanderson MVP

I'm stumped. So, you've deleted the hosts file completely, and then
recreated it using the text I provided, and the warning is back...

Clearly Windows Defender knows where the file is because it is complaining
as it changes. Permissions of some kind on the containing folder are all
that I can see to come back to.

Highlighting the etc folder in explorer, and hitting properties, security
tab, advanced:

Authenticated users have Read & Execute for This folder, subfolders and
files






--
 
Guest

Hi Bill,
I'm stumped too!
I have no "security" tab on the "ETC" folder properties, only "General" and
"Sharing" tabs.
Is this significant?
I tried switching sharing on, and gave "everyone" access, but this made no
difference.
The error only disappears if I remove the hosts file completely.
I even tried putting a completely empty hosts file in the folder, and the
error came back!

My path isn't standard by the way.
Instead of the usual default "C:\WINNT\System32" I have "D:\WIN-NT\System32".
I assume that this should make no difference.
I even tried making a dummy "C:\WINNT\System32\Drivers\ETC" folder, and
putting the hosts file there, in case WD hadn't detected the non-default path.
The error message stayed away, but that isn't a test that will prove that's
the problem of course, as WD probably can't see a hosts file at all again in
that case, so it's no different to deleting it altogether!

What does WD actually use the hosts file for, and why would it need to
access it?
Thanks again.
Dave.
 
Bill Sanderson MVP

The missing tab is probably highly significant--but why this would be on
Windows 2000, isn't coming immediately to mind. Maybe somebody else will
chime in or I'll remember something over time.

Windows Defender doesn't use the hosts file itself, but it needs to monitor
the content because that file is a fundamental part of the name resolution
system, and, for example, is used by malware to prevent access to antivirus
vendor sites to gain updates or repair tools.

--
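
The kind of hosts-file check described in the post above, as an added example that is not part of the original thread and not Windows Defender's own logic: it parses two versions of a hosts file and reports mappings that were added or removed, marking names pointed at loopback or 0.0.0.0 as blocked. The `BASELINE` and `CURRENT` samples are constructed (abridged from the two hosts files posted in this thread), and the function names are hypothetical.

```python
import ipaddress

# Constructed samples, abridged from the two hosts files posted in this thread.
BASELINE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# 102.54.94.97 rhino.acme.com # source server
127.0.0.1 localhost
"""
CURRENT = BASELINE + """\
# MeadCo's Neptune: the fix for a well-known Netscape Java LiveConnect bug
0.0.0.0 javascript-of-unknown-origin.netscape.com
"""


def parse_hosts(text):
    """Return the set of (name, ip) mappings; ValueError on a malformed line."""
    mappings = set()
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # strip whole-line and trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            raise ValueError(f"line {line_no}: {fields[0]!r} is not an IP address")
        if len(fields) < 2:
            raise ValueError(f"line {line_no}: address without a host name")
        mappings.update((name.lower(), ip) for name in fields[1:])
    return mappings


def classify(ip):
    """Loopback or 0.0.0.0 makes the name unreachable; anything else redirects it."""
    return "blocked" if ip.is_loopback or ip.is_unspecified else "redirected"


def diff_hosts(baseline_text, current_text):
    """Return (added, removed) mappings relative to the baseline, sorted by name."""
    before, after = parse_hosts(baseline_text), parse_hosts(current_text)
    order = lambda m: (m[0], str(m[1]))
    added = [(n, str(ip), classify(ip)) for n, ip in sorted(after - before, key=order)]
    removed = [(n, str(ip)) for n, ip in sorted(before - after, key=order)]
    return added, removed


if __name__ == "__main__":
    print(diff_hosts(BASELINE, CURRENT))
```
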
 
Guest

Bill, research indicates that the missing security tab is probably because
I'm using FAT32 rather than NTFS as my file system. I have to stick with
FAT32 as I have a dual boot system with Windows 98.
Several references I've seen on the web seem to imply that the security tab
does not appear on FAT32 systems.
I don't think that anyone has reported any problems with Windows Defender as
a result of using FAT32 though..........
 
Bill Sanderson MVP

Thanks for spotting that--it makes perfect sense, and it's been a good long
time since I saw a Windows 2000 system on fat32.

Realistically, I can't test this out in the next 3 weeks or so.

Let's see if I can recap correctly--let me know if I've got anything wrong:

1) You are an administrator on the machine.
2) You have Windows 2000 SP4 installed on a fat32 volume.
3) You get the error you originally cited when a hosts file exists in the
correct location, even if that file has the default content.

This seems reasonably easy to replicate--I can do it myself, but I won't
have the time soon. I'll see if I can get some other eyes on it.

--
 
Guest

Bill, that sums up the situation perfectly!
Let me know what you find if you replicate my setup.
Thanks very much again.
Cheers, Dave.
 
Bill Sanderson MVP

Dave - I've created a virtual PC using Microsoft Virtual PC 2004 SP1 (which
is now downloadable and available at no cost!) and created a fat32-based
Windows 2000 machine.

However, I have to say that I was unable to replicate your symptoms. I'll
go back and reread here to see if I've missed anything, but I'm not sure
what it would be.

I started with the default file, and then modified it using notepad--just
added a comment line--to see if that would trigger any complaints--haven't
gotten Defender to say anything.

--
 
