Solved

unknown folders\files appearing on external drive

Posted on 2006-11-21
15
3,021 Views
Last Modified: 2013-12-04
I just noticed this morning four mysterious folders\files that appeared on an external drive on my system the last few days. They are:

G:\b1201850cc0a39819d56\msxml4-KB927978-enu.log dated 11/19/2006
G:\31c11969bae64284f5c2\msxml4-KB927978-enu.log dated 11/21/2006
G:\20f148c90af9482eb9\msxml4-KB927978-enu.log dated 11/15/2006
and
G:\3fd648d73a75f1a28910d568a1e345fc\msxml4-KB927978-enu.log dated 11/20/2006

The contents are quite lengthy (230-242kb) but the most recent starts with:

***********
=== Verbose logging started: 11/21/2006  3:00:43  Build type: SHIP UNICODE 3.01.4000.2435  Calling process: C:\WINDOWS\system32\msiexec.exe ===
MSI (c) (DC:54) [03:00:43:400]: Resetting cached policy values
MSI (c) (DC:54) [03:00:43:400]: Machine policy value 'Debug' is 0
MSI (c) (DC:54) [03:00:43:400]: ******* RunEngine:
           ******* Product: g:\31c11969bae64284f5c2\msxml.msi
           ******* Action:
           ******* CommandLine: **********
MSI (c) (DC:54) [03:00:43:400]: Client-side and UI is none or basic: Running entire install on the server.
MSI (c) (DC:54) [03:00:43:400]: Grabbed execution mutex.
MSI (c) (DC:54) [03:00:44:197]: Cloaking enabled.
MSI (c) (DC:54) [03:00:44:197]: Attempting to enable all disabled priveleges before calling Install on Server
MSI (c) (DC:54) [03:00:44:197]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (D4:3C) [03:00:44:228]: Grabbed execution mutex.
MSI (s) (D4:C4) [03:00:44:228]: Resetting cached policy values
MSI (s) (D4:C4) [03:00:44:228]: Machine policy value 'Debug' is 0
MSI (s) (D4:C4) [03:00:44:228]: ******* RunEngine:
           ******* Product: g:\31c11969bae64284f5c2\msxml.msi
           ******* Action:
           ******* CommandLine: **********
MSI (s) (D4:C4) [03:00:44:244]: Machine policy value 'DisableUserInstalls' is 0
MSI (s) (D4:C4) [03:00:44:322]: File will have security applied from OpCode.
MSI (s) (D4:C4) [03:00:44:494]: SOFTWARE RESTRICTION POLICY: Verifying package --> 'g:\31c11969bae64284f5c2\msxml.msi' against software restriction policy
MSI (s) (D4:C4) [03:00:44:494]: SOFTWARE RESTRICTION POLICY: g:\31c11969bae64284f5c2\msxml.msi has a digital signature
MSI (s) (D4:C4) [03:00:45:181]: SOFTWARE RESTRICTION POLICY: g:\31c11969bae64284f5c2\msxml.msi is permitted to run at the 'unrestricted' authorization level.
MSI (s) (D4:C4) [03:00:45:181]: End dialog not enabled
MSI (s) (D4:C4) [03:00:45:181]: Original package ==> g:\31c11969bae64284f5c2\msxml.msi
MSI (s) (D4:C4) [03:00:45:181]: Package we're running from ==> C:\WINDOWS\Installer\1cbdb5f9.msi
***************

and ends with:
***************
MSI (s) (D4:C4) [03:00:50:010]: Cleaning up uninstalled install packages, if any exist
MSI (s) (D4:C4) [03:00:50:010]: MainEngineThread is returning 1603
MSI (s) (D4:3C) [03:00:50:103]: Destroying RemoteAPI object.
MSI (s) (D4:E8) [03:00:50:103]: Custom Action Manager thread ending.
=== Logging stopped: 11/21/2006  3:00:49 ===
MSI (c) (DC:54) [03:00:50:135]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied.  Counter after decrement: -1
MSI (c) (DC:54) [03:00:50:135]: MainEngineThread is returning 1603
=== Verbose logging stopped: 11/21/2006  3:00:50 ===
****************

Any ideas as to what these are and where they came from? Can they just be deleted?
0
Comment
Question by:BobArnett
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 6
15 Comments
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17989268
Those are M$ update log's, temp files typically, not sure why they were directed to your external drive unless that is where the XML update was stored an ran from
KB927978 http://support.microsoft.com/kb/927978
-rich
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17989300
Lot's of folks seem to notice the same thing: http://www.google.com/search?client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial_s&hl=en&q=msxml4-KB927978-enu.log&btnG=Google+Search
I'm not sure why you'd have this log file multiple times unless your PC is being updated on those dates, and that update is being reapplied each time?
-rich
0
 

Author Comment

by:BobArnett
ID: 17989788
I note that each of the logs has this line:
"MSI (s) (08:B8) [03:00:44:718]: Product: MSXML 4.0 SP2 (KB927978) -- Installation failed."
I'm guessing that it has been done multiple times because it failed but I don't know why. I checked my "Scheduled tasks" and don't see anything around 3:00AM when all these were dated. Maybe I can just manually download/install that update. Oh, I see the link you gave me above (KB927978 http://support.microsoft.com/kb/927978) does report a problem with that update and suggests doing just that. I'll try it, give it a couple of days and see if that keeps if from trying anymore.
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:BobArnett
ID: 17990460
uh, oh... a hitch. I downloaded the upgrade exe and attemtped the installation... with the same results; it failed and left a similar log file on the same external drive. It came up with the error message: "Could not open Hkey_Local_Machine\Software\Classes\Msxml2.DOM Document.4.0.1\CLSID" and then said to make sure that I was logged on with the proper access rights. I am the only user on this machine and am logged in as an administrator so I assume I can't do better than that. I also still don't get why it should be choosing an external drive to work from but if it would work, I guess I really don't care.
0
 

Author Comment

by:BobArnett
ID: 17990542
Just checked in the register and there is NOT a key with that name so it obviously could not open it. There is a key for
"Hkey_Local_Machine\Software\Classes\Msxml2.DOM Document.4.0\CLSID" with the value "but not for "...Document.4.0.1\CLSID"
Should I make one? If I do, what value should I give it?
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17990634
0
 

Author Comment

by:BobArnett
ID: 17990755
No, I'm using XP Pro. I did find someone who had luck by deleting MSXml 4.0 using Add/Delete Programs and then reinstalling the KB927978. I can't tell which of the Microsoft updates is the right one to uninstall MSXml 4.0.
0
 

Author Comment

by:BobArnett
ID: 18116491
Well, I'm at a total loss. These folders (which are failed/aborted attempts of an MS upgrade) keep appearing on my drive every few days. Quite exasperating.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 18116644
G: is your system drive? or is C:? It's odd that anything other than your system drive would be the destination for these logs... from the link I first provided
Security update package 927978 may create a log file. The package names the log file KB927978.log. The package saves the log file inside a folder. The folder has a system generated name. The folder is in the root of a system drive. The path resembles the following:
C:\system generated name\KB927978.log.
Note In this example, C is system drive.
Although it is optional, you can remove the log file and the folder.

You can specify not to recieve this update, by visiting the windows update page, finding the update and choosing ignore.
-rich
0
 

Author Comment

by:BobArnett
ID: 18124338
Drive G: is an external drive, C is my system drive. You are correct about the log inside the folder inside the drive and I also don't know why it saving all this on an external drive. I have removed these folders several times. I had already flagged the update to be ignored but I keep getting reminders that this is an important update and shouldn't be ignored. I've also now put in a support request at MS.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 18125190
Let me know how it turns out, I can't really find much more on it than uninstall/reinstall the update XML package.
-rich
0
 

Author Comment

by:BobArnett
ID: 18189858
The uninstalling/reinstalling of the XML update turned out to be quite the thing MS was able to straighten it out however. I won't give you all the gory details but even though I am the only user on this computer and I am the "administrator" and have all "permissions", the MS tech had me use Regedit and specifically grant permission to myself on the key "HKEY_LOCAL_MACHINE\SOFTWARE\Classes". That allowed the update to run. That was three days ago and I've noticed no new unwelcome update log folders on my drive. Hopefully that solved the whole problem. Thanks for your help. I'll ask to have the question abandoned.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 18191909
NP, glad you found your answer.
-rich
0
 
LVL 1

Accepted Solution

by:
DarthMod earned 0 total points
ID: 18221508
PAQd, 250 points refunded.

DarthMod
CS Moderator
0

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot has fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, a new law in my state forced us to get a top-to-bottom analysis of all of our contract client's networks. While we have documentation, it was spotty at best for some - and in any event it needed to be checked against reality. That was m…
Article by: btan
The intent is not to repeat what many has know about Ransomware but more to join its dots of what is it, who are the victims, why it exists, when and how we respond on infection. Lastly, sum up in a glance to share such information with more to help…
In a recent question (https://www.experts-exchange.com/questions/29004105/Run-AutoHotkey-script-directly-from-Notepad.html) here at Experts Exchange, a member asked how to run an AutoHotkey script (.AHK) directly from Notepad++ (aka NPP). This video…

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question