How to detect corrupt attachment in Exchange 2003

Posted on 2007-08-08
Last Modified: 2013-11-05
Exchange 2003 running on Server 2003, 4 Gig RAM, boot to disk, databases are on SAN, 6 months old.
Receiving several hundred Event ID 12800 errors on this particular server.
What I've done:
Removed all instances of Symantec; according to MS, they saw some excessive Symantec hooks. That did not help. Stopped ALL other non-MS services, rebooted and tested, same error. Removed the RAM and replaced it with identical RAM from a spare server, no luck.
I noticed on one of MS's KBs that this could be due to a corrupt attachment.

Since I have several thousand users on this box, how can I determine WHO (if any) has the corrupt attachment? I have defragged the database, still no joy.
Question by:johnwgarnett

Expert Comment

ID: 19655377
Is this the KB you found http://support.microsoft.com/kb/912068 ?  There is a hotfix, but it looks like you may get charged for it.

I don't think you'll be able to locate the attachment (even assuming that that is the cause) until someone tries to open it.

Using isinteg might help, but will take a long time.

Author Comment

ID: 19655863
Yes, that's the hotfix that I FTP'd from MS. It has not gone through regression testing yet, hence it is not on their site for download. That did not do anything for me. Mind you, I have been working directly with MS Premier Support for almost a month now on this issue with no resolution. I was hoping to find something in here to help out or get me going in a different direction. As stated in my question, I'm leaning more towards it being a corrupt attachment from user "X" account. I need to know if there is a way to determine, via logs or debugging, who's the one with the bad attachment so I can have them delete that email, or move ALL their email down to a .pst. I'm sure I can turn up logging to 100% and watch my logs fill up in about 10 minutes, but what would I be looking for?

Author Comment

ID: 19740657
Received this from MS, but after 2 days of logging, nothing actually appeared that was helpful. Well... nothing appeared at all. So, still waiting to hear back from MS on what the next move might be. But I wanted to post this information in case it was helpful to someone else down the road.

Add the following registry key to try to capture the problematic message(s) that may be causing this error.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIs\ParametersSystem\Save Content on Conversion Error
When this entry is added with a DWORD value of one, an .eml file is copied to the Mdbdata folder. To add this entry and this DWORD value, follow these steps.

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

1.  Click Start, click Run, type regedit, and then click OK.
2.  Expand the following subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIs\ParametersSystem
3.  Right-click ParametersSystem, point to New, and then click DWORD Value.
4.  Type Save Content on Conversion Error, and then press ENTER to name the new value.
5.  Right-click Save Content on Conversion Error, and then click Modify.
6.  In the Value data box, type 1, and then click OK.

To see the events in the application log, you must set diagnostic logging for the MSExchangeIS\Content Engine category to Medium or higher. To increase diagnostic logging, follow these steps:

1.  Start Exchange System Manager.
2.  Expand Administrative Groups, expand AdministrativeGroupName, and then expand Servers.
3.  Right-click Your_Exchange_Server, and then click Properties.
4.  Click the Diagnostics Logging tab, and then expand MSExchangeIS in the Services list.
5.  In the Categories list, click Content Engine.
6.  In the Logging Level area, click Medium, click Apply, and then click OK.
7.  Quit Exchange System Manager.

Note When a user tries to open, to forward, or to flag for follow-up an e-mail message that has not converted correctly from MIME format to MAPI format, the user may receive an error message that is similar to the following:
There is not enough memory available to perform the operation.

Author Comment

ID: 19749486
Fix action:

Using the previously posted techniques, I was able to get the system to log a new event 9684 which contained the name of the user that had corrupt data.
Error -2147024882 occurred while converting message 1-27A3B0 from Internet to MAPI format.  The mailbox owner is /o=Organization/ou=XXXXXX/cn=81MSS/cn=xxxx.xxxx, and the folder is /Inbox.

The only caveat to the previous instructions is you have to turn logging up to MAX on Content Engine in the MSExchangeIS services list. If you don't do this, it will not log the 9684 errors.

I was never able to get it to post a .eml file in the particular folder that contains the .edb, but if you follow these instructions, you will be able to.

To change the location of the .eml file, add the following entry to the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIs\ParametersSystem\Save Content Location
To do this, follow these steps:

1.  Click Start, click Run, type regedit, and then click OK.
2.  Expand the following subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIs\ParametersSystem
3.  Right-click ParametersSystem, point to New, and then click String Value.
4.  Type Save Content Location, and then press ENTER to name the new entry.
5.  Right-click Save Content Location, and then click Modify.
6.  In the Value data box, type the full path of the folder where you want the file to be copied. Make sure that you include the trailing backslash (\).

If the trailing backslash is omitted, the .eml file will be created in the parent folder by using a file name that begins with the name of the directory that was specified. For example, type the following, and then click OK:



Accepted Solution

Computer101 earned 0 total points
ID: 20237595
PAQed with points refunded (250)

EE Admin
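
Added example (not part of the original thread or of Microsoft's instructions): once event 9684 entries start appearing, their descriptions can be exported from the Application log and tallied per mailbox owner and folder so repeat offenders stand out among several thousand users. The sketch assumes the description text has the exact shape quoted in the fix-action comment above; it also renders the signed error code as an unsigned HRESULT (-2147024882 is 0x8007000E, E_OUTOFMEMORY, which matches the "not enough memory" message users see). All sample lines except the first are constructed.

```python
import re
from collections import Counter

# First entry is the description quoted in the thread; the rest are constructed.
SAMPLE_EVENTS = [
    "Error -2147024882 occurred while converting message 1-27A3B0 from Internet to "
    "MAPI format.  The mailbox owner is /o=Organization/ou=XXXXXX/cn=81MSS/cn=xxxx.xxxx, "
    "and the folder is /Inbox.",
    "Error -2147024882 occurred while converting message 1-27A3B1 from Internet to "
    "MAPI format.  The mailbox owner is /o=Organization/ou=XXXXXX/cn=81MSS/cn=xxxx.xxxx, "
    "and the folder is /Inbox.",
    "Error -2147024882 occurred while converting message 1-27A3C2 from Internet to "
    "MAPI format.  The mailbox owner is /o=Organization/ou=XXXXXX/cn=81MSS/cn=sample.user, "
    "and the folder is /Inbox/Vendors.",
    "Unrelated event text (constructed) that must be ignored.",
]

# Pattern built from the 9684 description shown in the thread (an assumption
# about its general shape, not a documented format).
EVENT_9684 = re.compile(
    r"Error (?P<code>-?\d+) occurred while converting message (?P<message>\S+) "
    r"from Internet to MAPI format\.\s+The mailbox owner is (?P<owner>.+?), "
    r"and the folder is (?P<folder>.+?)\.?\s*$"
)

def hresult_hex(code):
    """Render a signed 32-bit error code as the unsigned hex HRESULT."""
    return "0x%08X" % (int(code) & 0xFFFFFFFF)

def parse_9684(description):
    """Return owner, folder, message id and HRESULT, or None if not a 9684 text."""
    match = EVENT_9684.search(description.strip())
    if match is None:
        return None
    record = match.groupdict()
    record["hresult"] = hresult_hex(record.pop("code"))
    return record

def affected_mailboxes(descriptions):
    """Count conversion failures per (owner, folder), most frequent first."""
    tally = Counter()
    for description in descriptions:
        record = parse_9684(description)
        if record is not None:
            tally[(record["owner"], record["folder"])] += 1
    return tally.most_common()

if __name__ == "__main__":
    for (owner, folder), count in affected_mailboxes(SAMPLE_EVENTS):
        print(count, owner, folder)
```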
