unknown folders\files appearing on external drive

I just noticed this morning four mysterious folders\files that appeared on an external drive on my system the last few days. They are:

G:\b1201850cc0a39819d56\msxml4-KB927978-enu.log dated 11/19/2006
G:\31c11969bae64284f5c2\msxml4-KB927978-enu.log dated 11/21/2006
G:\20f148c90af9482eb9\msxml4-KB927978-enu.log dated 11/15/2006
and
G:\3fd648d73a75f1a28910d568a1e345fc\msxml4-KB927978-enu.log dated 11/20/2006

The contents are quite lengthy (230-242kb) but the most recent starts with:

***********
=== Verbose logging started: 11/21/2006  3:00:43  Build type: SHIP UNICODE 3.01.4000.2435  Calling process: C:\WINDOWS\system32\msiexec.exe ===
MSI (c) (DC:54) [03:00:43:400]: Resetting cached policy values
MSI (c) (DC:54) [03:00:43:400]: Machine policy value 'Debug' is 0
MSI (c) (DC:54) [03:00:43:400]: ******* RunEngine:
           ******* Product: g:\31c11969bae64284f5c2\msxml.msi
           ******* Action:
           ******* CommandLine: **********
MSI (c) (DC:54) [03:00:43:400]: Client-side and UI is none or basic: Running entire install on the server.
MSI (c) (DC:54) [03:00:43:400]: Grabbed execution mutex.
MSI (c) (DC:54) [03:00:44:197]: Cloaking enabled.
MSI (c) (DC:54) [03:00:44:197]: Attempting to enable all disabled priveleges before calling Install on Server
MSI (c) (DC:54) [03:00:44:197]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (D4:3C) [03:00:44:228]: Grabbed execution mutex.
MSI (s) (D4:C4) [03:00:44:228]: Resetting cached policy values
MSI (s) (D4:C4) [03:00:44:228]: Machine policy value 'Debug' is 0
MSI (s) (D4:C4) [03:00:44:228]: ******* RunEngine:
           ******* Product: g:\31c11969bae64284f5c2\msxml.msi
           ******* Action:
           ******* CommandLine: **********
MSI (s) (D4:C4) [03:00:44:244]: Machine policy value 'DisableUserInstalls' is 0
MSI (s) (D4:C4) [03:00:44:322]: File will have security applied from OpCode.
MSI (s) (D4:C4) [03:00:44:494]: SOFTWARE RESTRICTION POLICY: Verifying package --> 'g:\31c11969bae64284f5c2\msxml.msi' against software restriction policy
MSI (s) (D4:C4) [03:00:44:494]: SOFTWARE RESTRICTION POLICY: g:\31c11969bae64284f5c2\msxml.msi has a digital signature
MSI (s) (D4:C4) [03:00:45:181]: SOFTWARE RESTRICTION POLICY: g:\31c11969bae64284f5c2\msxml.msi is permitted to run at the 'unrestricted' authorization level.
MSI (s) (D4:C4) [03:00:45:181]: End dialog not enabled
MSI (s) (D4:C4) [03:00:45:181]: Original package ==> g:\31c11969bae64284f5c2\msxml.msi
MSI (s) (D4:C4) [03:00:45:181]: Package we're running from ==> C:\WINDOWS\Installer\1cbdb5f9.msi
***************

and ends with:
***************
MSI (s) (D4:C4) [03:00:50:010]: Cleaning up uninstalled install packages, if any exist
MSI (s) (D4:C4) [03:00:50:010]: MainEngineThread is returning 1603
MSI (s) (D4:3C) [03:00:50:103]: Destroying RemoteAPI object.
MSI (s) (D4:E8) [03:00:50:103]: Custom Action Manager thread ending.
=== Logging stopped: 11/21/2006  3:00:49 ===
MSI (c) (DC:54) [03:00:50:135]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied.  Counter after decrement: -1
MSI (c) (DC:54) [03:00:50:135]: MainEngineThread is returning 1603
=== Verbose logging stopped: 11/21/2006  3:00:50 ===
****************

Any ideas as to what these are and where they came from? Can they just be deleted?
BobArnett Asked:
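For triaging log folders like the ones in the question, this added example (not part of the original thread) summarises an msiexec verbose log: which process wrote it, which package it ran, what the software restriction policy check reported, and the installer's return code. The sample lines are constructed from the excerpts quoted in this thread; the function name and the summary field names are hypothetical.

```python
import re

# Constructed sample: lines taken from the log excerpts quoted in this thread.
SAMPLE_LOG = r"""=== Verbose logging started: 11/21/2006  3:00:43  Build type: SHIP UNICODE 3.01.4000.2435  Calling process: C:\WINDOWS\system32\msiexec.exe ===
MSI (s) (D4:C4) [03:00:44:494]: SOFTWARE RESTRICTION POLICY: g:\31c11969bae64284f5c2\msxml.msi has a digital signature
MSI (s) (D4:C4) [03:00:45:181]: SOFTWARE RESTRICTION POLICY: g:\31c11969bae64284f5c2\msxml.msi is permitted to run at the 'unrestricted' authorization level.
MSI (s) (D4:C4) [03:00:45:181]: Original package ==> g:\31c11969bae64284f5c2\msxml.msi
MSI (s) (08:B8) [03:00:44:718]: Product: MSXML 4.0 SP2 (KB927978) -- Installation failed.
MSI (s) (D4:C4) [03:00:50:010]: MainEngineThread is returning 1603
"""

PATTERNS = {
    "calling_process": re.compile(r"Calling process: (.+?) ==="),
    "original_package": re.compile(r"Original package ==> (.+)"),
    "signed": re.compile(r"SOFTWARE RESTRICTION POLICY: .+ has a digital signature"),
    "srp_level": re.compile(r"permitted to run at the '(\w+)' authorization level"),
    "outcome": re.compile(r"Product: (.+?) -- (Installation .+?)\.?$"),
    "return_code": re.compile(r"MainEngineThread is returning (\d+)"),
}

def summarize_msi_log(text):
    """Return a dict of the triage-relevant fields found in an MSI verbose log."""
    summary = {"signed": False}
    for line in text.splitlines():
        for key, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            if key == "signed":
                summary["signed"] = True
            elif key == "outcome":
                summary["product"], summary["outcome"] = m.group(1), m.group(2)
            elif key == "return_code":
                # 1603 is ERROR_INSTALL_FAILURE (fatal error during installation)
                summary["return_code"] = int(m.group(1))
            else:
                summary.setdefault(key, m.group(1).strip())
    # The package ran from a hex-named folder in a drive root; record that folder.
    pkg = summary.get("original_package", "")
    m = re.match(r"(?i)([a-z]:\\[0-9a-f]{16,32})\\", pkg)
    summary["staging_folder"] = m.group(1) if m else None
    summary["failed"] = summary.get("return_code", 0) != 0
    return summary
```

Verbose logs written by msiexec are typically UTF-16, so read a real file with `open(path, encoding="utf-16")` before passing its text to the function.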
 
DarthMod Commented:
PAQd, 250 points refunded.

DarthMod
CS Moderator
0
 
Rich Rumble (Security Samurai) Commented:
Those are M$ update logs, temp files typically, not sure why they were directed to your external drive unless that is where the XML update was stored and ran from.
KB927978 http://support.microsoft.com/kb/927978
-rich
0
 
Rich Rumble (Security Samurai) Commented:
Lots of folks seem to notice the same thing: http://www.google.com/search?client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial_s&hl=en&q=msxml4-KB927978-enu.log&btnG=Google+Search
I'm not sure why you'd have this log file multiple times unless your PC is being updated on those dates, and that update is being reapplied each time?
-rich
0
 
BobArnett (Author) Commented:
I note that each of the logs has this line:
"MSI (s) (08:B8) [03:00:44:718]: Product: MSXML 4.0 SP2 (KB927978) -- Installation failed."
I'm guessing that it has been done multiple times because it failed but I don't know why. I checked my "Scheduled tasks" and don't see anything around 3:00AM when all these were dated. Maybe I can just manually download/install that update. Oh, I see the link you gave me above (KB927978 http://support.microsoft.com/kb/927978) does report a problem with that update and suggests doing just that. I'll try it, give it a couple of days and see if that keeps it from trying anymore.
0
 
BobArnett (Author) Commented:
Uh, oh... a hitch. I downloaded the upgrade exe and attempted the installation... with the same results; it failed and left a similar log file on the same external drive. It came up with the error message: "Could not open Hkey_Local_Machine\Software\Classes\Msxml2.DOM Document.4.0.1\CLSID" and then said to make sure that I was logged on with the proper access rights. I am the only user on this machine and am logged in as an administrator so I assume I can't do better than that. I also still don't get why it should be choosing an external drive to work from but if it would work, I guess I really don't care.
0
 
BobArnett (Author) Commented:
Just checked in the registry and there is NOT a key with that name so it obviously could not open it. There is a key for
"Hkey_Local_Machine\Software\Classes\Msxml2.DOM Document.4.0\CLSID" with the value "but not for "...Document.4.0.1\CLSID"
Should I make one? If I do, what value should I give it?
0
 
Rich Rumble (Security Samurai) Commented:
0
 
BobArnett (Author) Commented:
No, I'm using XP Pro. I did find someone who had luck by deleting MSXml 4.0 using Add/Delete Programs and then reinstalling the KB927978. I can't tell which of the Microsoft updates is the right one to uninstall MSXml 4.0.
0
 
BobArnett (Author) Commented:
Well, I'm at a total loss. These folders (which are failed/aborted attempts of an MS upgrade) keep appearing on my drive every few days. Quite exasperating.
0
 
Rich Rumble (Security Samurai) Commented:
G: is your system drive? or is C:? It's odd that anything other than your system drive would be the destination for these logs... from the link I first provided:
Security update package 927978 may create a log file. The package names the log file KB927978.log. The package saves the log file inside a folder. The folder has a system generated name. The folder is in the root of a system drive. The path resembles the following:
C:\system generated name\KB927978.log.
Note In this example, C is system drive.
Although it is optional, you can remove the log file and the folder.

You can specify not to receive this update by visiting the Windows Update page, finding the update and choosing ignore.
-rich
0
 
BobArnett (Author) Commented:
Drive G: is an external drive, C is my system drive. You are correct about the log inside the folder inside the drive and I also don't know why it is saving all this on an external drive. I have removed these folders several times. I had already flagged the update to be ignored but I keep getting reminders that this is an important update and shouldn't be ignored. I've also now put in a support request at MS.
0
 
Rich Rumble (Security Samurai) Commented:
Let me know how it turns out, I can't really find much more on it than uninstall/reinstall the update XML package.
-rich
0
 
BobArnett (Author) Commented:
The uninstalling/reinstalling of the XML update turned out to be quite the thing. MS was able to straighten it out, however. I won't give you all the gory details but even though I am the only user on this computer and I am the "administrator" and have all "permissions", the MS tech had me use Regedit and specifically grant permission to myself on the key "HKEY_LOCAL_MACHINE\SOFTWARE\Classes". That allowed the update to run. That was three days ago and I've noticed no new unwelcome update log folders on my drive. Hopefully that solved the whole problem. Thanks for your help. I'll ask to have the question abandoned.
0
 
Rich Rumble (Security Samurai) Commented:
NP, glad you found your answer.
-rich
0
Question has a verified solution.
