Solved

unknown folders\files appearing on external drive

Posted on 2006-11-21
Last Modified: 2013-12-04
I just noticed this morning four mysterious folders\files that appeared on an external drive on my system the last few days. They are:

G:\b1201850cc0a39819d56\msxml4-KB927978-enu.log dated 11/19/2006
G:\31c11969bae64284f5c2\msxml4-KB927978-enu.log dated 11/21/2006
G:\20f148c90af9482eb9\msxml4-KB927978-enu.log dated 11/15/2006
and
G:\3fd648d73a75f1a28910d568a1e345fc\msxml4-KB927978-enu.log dated 11/20/2006

The contents are quite lengthy (230-242kb) but the most recent starts with:

***********
=== Verbose logging started: 11/21/2006  3:00:43  Build type: SHIP UNICODE 3.01.4000.2435  Calling process: C:\WINDOWS\system32\msiexec.exe ===
MSI (c) (DC:54) [03:00:43:400]: Resetting cached policy values
MSI (c) (DC:54) [03:00:43:400]: Machine policy value 'Debug' is 0
MSI (c) (DC:54) [03:00:43:400]: ******* RunEngine:
           ******* Product: g:\31c11969bae64284f5c2\msxml.msi
           ******* Action:
           ******* CommandLine: **********
MSI (c) (DC:54) [03:00:43:400]: Client-side and UI is none or basic: Running entire install on the server.
MSI (c) (DC:54) [03:00:43:400]: Grabbed execution mutex.
MSI (c) (DC:54) [03:00:44:197]: Cloaking enabled.
MSI (c) (DC:54) [03:00:44:197]: Attempting to enable all disabled priveleges before calling Install on Server
MSI (c) (DC:54) [03:00:44:197]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (D4:3C) [03:00:44:228]: Grabbed execution mutex.
MSI (s) (D4:C4) [03:00:44:228]: Resetting cached policy values
MSI (s) (D4:C4) [03:00:44:228]: Machine policy value 'Debug' is 0
MSI (s) (D4:C4) [03:00:44:228]: ******* RunEngine:
           ******* Product: g:\31c11969bae64284f5c2\msxml.msi
           ******* Action:
           ******* CommandLine: **********
MSI (s) (D4:C4) [03:00:44:244]: Machine policy value 'DisableUserInstalls' is 0
MSI (s) (D4:C4) [03:00:44:322]: File will have security applied from OpCode.
MSI (s) (D4:C4) [03:00:44:494]: SOFTWARE RESTRICTION POLICY: Verifying package --> 'g:\31c11969bae64284f5c2\msxml.msi' against software restriction policy
MSI (s) (D4:C4) [03:00:44:494]: SOFTWARE RESTRICTION POLICY: g:\31c11969bae64284f5c2\msxml.msi has a digital signature
MSI (s) (D4:C4) [03:00:45:181]: SOFTWARE RESTRICTION POLICY: g:\31c11969bae64284f5c2\msxml.msi is permitted to run at the 'unrestricted' authorization level.
MSI (s) (D4:C4) [03:00:45:181]: End dialog not enabled
MSI (s) (D4:C4) [03:00:45:181]: Original package ==> g:\31c11969bae64284f5c2\msxml.msi
MSI (s) (D4:C4) [03:00:45:181]: Package we're running from ==> C:\WINDOWS\Installer\1cbdb5f9.msi
***************

and ends with:
***************
MSI (s) (D4:C4) [03:00:50:010]: Cleaning up uninstalled install packages, if any exist
MSI (s) (D4:C4) [03:00:50:010]: MainEngineThread is returning 1603
MSI (s) (D4:3C) [03:00:50:103]: Destroying RemoteAPI object.
MSI (s) (D4:E8) [03:00:50:103]: Custom Action Manager thread ending.
=== Logging stopped: 11/21/2006  3:00:49 ===
MSI (c) (DC:54) [03:00:50:135]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied.  Counter after decrement: -1
MSI (c) (DC:54) [03:00:50:135]: MainEngineThread is returning 1603
=== Verbose logging stopped: 11/21/2006  3:00:50 ===
****************

Any ideas as to what these are and where they came from? Can they just be deleted?
Question by:BobArnett
15 Comments
 
LVL 38

Expert Comment

by:Rich Rumble
Those are M$ update logs, temp files typically, not sure why they were directed to your external drive unless that is where the XML update was stored and ran from.
KB927978 http://support.microsoft.com/kb/927978
-rich

LVL 38

Expert Comment

by:Rich Rumble
Lots of folks seem to notice the same thing: http://www.google.com/search?client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial_s&hl=en&q=msxml4-KB927978-enu.log&btnG=Google+Search
I'm not sure why you'd have this log file multiple times unless your PC is being updated on those dates, and that update is being reapplied each time?
-rich

Author Comment

by:BobArnett
I note that each of the logs has this line:
"MSI (s) (08:B8) [03:00:44:718]: Product: MSXML 4.0 SP2 (KB927978) -- Installation failed."
I'm guessing that it has been done multiple times because it failed but I don't know why. I checked my "Scheduled tasks" and don't see anything around 3:00AM when all these were dated. Maybe I can just manually download/install that update. Oh, I see the link you gave me above (KB927978 http://support.microsoft.com/kb/927978) does report a problem with that update and suggests doing just that. I'll try it, give it a couple of days and see if that keeps it from trying anymore.
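
A way to triage a log like the ones quoted above, shown as an added example that is not part of the original thread: it extracts the calling process, source package, signature and software restriction policy verdict, the failed product and the exit code from a verbose msiexec log. The sample lines are taken from the excerpts quoted in this thread; the names `parse_msi_log` and `triage` are hypothetical.

```python
import re

# Constructed sample: lines taken from the log excerpts quoted in this thread.
SAMPLE_LOG = r"""=== Verbose logging started: 11/21/2006  3:00:43  Build type: SHIP UNICODE 3.01.4000.2435  Calling process: C:\WINDOWS\system32\msiexec.exe ===
MSI (s) (D4:C4) [03:00:44:494]: SOFTWARE RESTRICTION POLICY: g:\31c11969bae64284f5c2\msxml.msi has a digital signature
MSI (s) (D4:C4) [03:00:45:181]: SOFTWARE RESTRICTION POLICY: g:\31c11969bae64284f5c2\msxml.msi is permitted to run at the 'unrestricted' authorization level.
MSI (s) (D4:C4) [03:00:45:181]: Original package ==> g:\31c11969bae64284f5c2\msxml.msi
MSI (s) (08:B8) [03:00:44:718]: Product: MSXML 4.0 SP2 (KB927978) -- Installation failed.
MSI (s) (D4:C4) [03:00:50:010]: MainEngineThread is returning 1603
"""

FIELDS = {
    "calling_process": r"Calling process: (.+?) ===",
    "package": r"Original package ==> (.+)",
    "srp_level": r"permitted to run at the '(\w+)' authorization level",
    "failed_product": r"Product: (.+?) -- Installation failed",
    "exit_code": r"MainEngineThread is returning (\d+)",
}

def parse_msi_log(text):
    """Pull the triage-relevant fields out of a verbose msiexec log."""
    facts = dict.fromkeys(FIELDS)
    # The log records only that a signature is present, not who signed it.
    facts["signed"] = "has a digital signature" in text
    for line in text.splitlines():
        for name, pattern in FIELDS.items():
            m = re.search(pattern, line)
            if m:
                facts[name] = m.group(1).strip()
    kb = re.search(r"KB\d+", facts["failed_product"] or "")
    facts["kb"] = kb.group(0) if kb else None
    if facts["exit_code"] is not None:
        facts["exit_code"] = int(facts["exit_code"])
    return facts

def triage(facts):
    """Return a list of concerns; empty means a normal, successful update run."""
    concerns = []
    proc = (facts["calling_process"] or "").lower()
    if not proc.endswith("\\system32\\msiexec.exe"):
        concerns.append("installer was not started by system32\\msiexec.exe")
    if not facts["signed"]:
        concerns.append("package had no digital signature")
    if facts["exit_code"] not in (0, None):
        concerns.append(f"install ended with error {facts['exit_code']}")
    return concerns

if __name__ == "__main__":
    print(triage(parse_msi_log(SAMPLE_LOG)))
```

On the sample, the only concern reported is the 1603 exit code, which is the Windows Installer code for a fatal error during installation.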

Author Comment

by:BobArnett
uh, oh... a hitch. I downloaded the upgrade exe and attempted the installation... with the same results; it failed and left a similar log file on the same external drive. It came up with the error message: "Could not open Hkey_Local_Machine\Software\Classes\Msxml2.DOM Document.4.0.1\CLSID" and then said to make sure that I was logged on with the proper access rights. I am the only user on this machine and am logged in as an administrator so I assume I can't do better than that. I also still don't get why it should be choosing an external drive to work from but if it would work, I guess I really don't care.

Author Comment

by:BobArnett
Just checked in the register and there is NOT a key with that name so it obviously could not open it. There is a key for
"Hkey_Local_Machine\Software\Classes\Msxml2.DOM Document.4.0\CLSID" with the value "but not for "...Document.4.0.1\CLSID"
Should I make one? If I do, what value should I give it?

LVL 38

Expert Comment

by:Rich Rumble

Author Comment

by:BobArnett
No, I'm using XP Pro. I did find someone who had luck by deleting MSXml 4.0 using Add/Delete Programs and then reinstalling the KB927978. I can't tell which of the Microsoft updates is the right one to uninstall MSXml 4.0.

Author Comment

by:BobArnett
Well, I'm at a total loss. These folders (which are failed/aborted attempts of an MS upgrade) keep appearing on my drive every few days. Quite exasperating.

LVL 38

Expert Comment

by:Rich Rumble
G: is your system drive? or is C:? It's odd that anything other than your system drive would be the destination for these logs... from the link I first provided
Security update package 927978 may create a log file. The package names the log file KB927978.log. The package saves the log file inside a folder. The folder has a system generated name. The folder is in the root of a system drive. The path resembles the following:
C:\system generated name\KB927978.log.
Note In this example, C is system drive.
Although it is optional, you can remove the log file and the folder.

You can specify not to receive this update, by visiting the Windows Update page, finding the update and choosing ignore.
-rich

Author Comment

by:BobArnett
Drive G: is an external drive, C is my system drive. You are correct about the log inside the folder inside the drive and I also don't know why it is saving all this on an external drive. I have removed these folders several times. I had already flagged the update to be ignored but I keep getting reminders that this is an important update and shouldn't be ignored. I've also now put in a support request at MS.

LVL 38

Expert Comment

by:Rich Rumble
Let me know how it turns out, I can't really find much more on it than uninstall/reinstall the update XML package.
-rich

Author Comment

by:BobArnett
The uninstalling/reinstalling of the XML update turned out to be quite the thing; MS was able to straighten it out, however. I won't give you all the gory details but even though I am the only user on this computer and I am the "administrator" and have all "permissions", the MS tech had me use Regedit and specifically grant permission to myself on the key "HKEY_LOCAL_MACHINE\SOFTWARE\Classes". That allowed the update to run. That was three days ago and I've noticed no new unwelcome update log folders on my drive. Hopefully that solved the whole problem. Thanks for your help. I'll ask to have the question abandoned.

LVL 38

Expert Comment

by:Rich Rumble
NP, glad you found your answer.
-rich

LVL 1

Accepted Solution

by:
DarthMod earned 0 total points
PAQd, 250 points refunded.

DarthMod
CS Moderator