How to detect corrupt attachment in Exchange 2003

Exchange 2003 running on Server 2003, 4 Gig RAM, boot to disk, databases are on SAN, 6 months old.
Receiving several hundred Event ID 12800 errors on this particular server.
What I've done:
Removed all instances of Symantec; according to MS, they saw some excessive Symantec hooks. That did not help. Stopped ALL other non-MS services, rebooted and tested, same error. Removed the RAM and replaced with identical from spare server, no luck.
I noticed on one of MS's KBs that this could be due to a corrupt attachment.

Since I have several thousand users on this box, how can I determine WHO (if any) has the corrupt attachment? I have defragged the database, still no joy.
PAQed with points refunded (250)

EE Admin
Is this the KB you found? There is a hotfix, but it looks like you may get charged for it.

I don't think you'll be able to locate the attachment (even assuming that that is the cause) until someone tries to open it.

Using isinteg might help, but will take a long time.
johnwgarnett (Author) commented:
Yes, that's the hotfix that I FTP'd from MS. Has not gone through regression testing yet, hence it is not on their site for download. That did not do anything for me. Mind you, I have been working directly with MS Premier Support for almost a month now on this issue with no resolution. I was hoping to find something in here to help out or get me going in a different direction. As stated in my question, I'm leaning more towards it being a corrupt attachment from user "X" account. I need to know if there is a way to determine, via logs or debugging, who's the one with the bad attachment so I can have them delete that email, or move ALL their email down to a .pst. I'm sure I can turn up logging to 100% and watch my logs fill up in about 10 minutes, but what would I be looking for?
johnwgarnett (Author) commented:
Received this from MS, but after 2 days of logging, nothing actually appeared that was helpful. Well... nothing appeared at all. So, still waiting to hear back from MS on what the next move might be. But wanted to post this information in case it was helpful to someone else down the road.

Add the following registry key to try to capture the problematic message(s) that may be causing this error.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIs\ParametersSystem\Save Content on Conversion Error .
When this entry is added with a DWORD value of one, an .eml file is copied to the Mdbdata folder. To add this entry and this DWORD value, follow these steps.

Warning: Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

1.  Click Start, click Run, type regedit, and then click OK.
2.  Expand the following subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIs\ParametersSystem
3.  Right-click ParametersSystem, point to New, and then click DWORD Value.
4.  Type Save Content on Conversion Error, and then press ENTER to name the new value.
5.  Right-click Save Content on Conversion Error, and then click Modify.
6.  In the Value data box, type 1, and then click OK.

To see the events in the application log, you must set diagnostic logging for the MSExchangeIS\Content Engine category to Medium or higher. To increase diagnostic logging, follow these steps:

1.  Start Exchange System Manager.
2.  Expand Administrative Groups, expand AdministrativeGroupName, and then expand Servers.
3.  Right-click Your_Exchange_Server, and then click Properties.
4.  Click the Diagnostics Logging tab, and then expand MSExchangeIS in the Services list.
5.  In the Categories list, click Content Engine.
6.  In the Logging Level area, click Medium, click Apply, and then click OK.
7.  Quit Exchange System Manager.

Note: When a user tries to open, to forward, or to flag for follow-up an e-mail message that has not converted correctly from MIME format to MAPI format, the user may receive an error message that is similar to the following:
There is not enough memory available to perform the operation.
johnwgarnett (Author) commented:
Fix action:

Using the previously posted techniques, I was able to get the system to log a new event 9684 which contained the name of the user that had corrupt data.
Error -2147024882 occurred while converting message 1-27A3B0 from Internet to MAPI format.  The mailbox owner is /o=Organization/ou=XXXXXX/cn=81MSS/cn=xxxx.xxxx, and the folder is /Inbox.

The only caveat to the previous instructions is you have to turn logging up to MAX on Content Engine in the MSExchangeIS services list. If you don't do this, it will not log the 9684 errors.

I was never able to get it to post a .eml file in the particular folder that contains the .edb, but if you follow these instructions, you will be able to.

To change the location of the .eml file, add the following entry to the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIs\ParametersSystem\Save Content Location .
To do this, follow these steps:

1.  Click Start, click Run, type regedit, and then click OK.
2.  Expand the following subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIs\ParametersSystem
3.  Right-click ParametersSystem, point to New, and then click String Value.
4.  Type Save Content Location, and then press ENTER to name the new entry.
5.  Right-click Save Content Location, and then click Modify.
6.  In the Value data box, type the full path of the folder where you want the file to be copied. Make sure that you include the trailing backslash (\).

If the trailing backslash is omitted, the .eml file will be created in the parent folder by using a file name that begins with the name of the directory that was specified. For example, type the following, and then click OK:


Question has a verified solution.
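
With Content Engine logging at maximum, event 9684 names the mailbox and folder for each failed conversion, so on a server with thousands of users the next step is to tally those events per mailbox. The following is an added example, not part of the original thread or any Microsoft tooling: it assumes the 9684 descriptions have been exported from the Application log as text, and every sample line except the first (which is the event quoted above) is constructed.

```python
import re
from collections import Counter

# Description text of event 9684, in the wording quoted in the thread above.
EVENT_9684 = re.compile(
    r"Error (?P<code>-?\d+) occurred while converting message (?P<msg>\S+) "
    r"from Internet to MAPI format\. The mailbox owner is (?P<owner>.+?), "
    r"and the folder is (?P<folder>.+?)\.?$"
)

def parse_9684(description):
    """Return the fields of one 9684 description, or None for any other text."""
    # Collapse runs of whitespace so wrapped or double-spaced exports still match.
    m = EVENT_9684.search(" ".join(description.split()))
    if m is None:
        return None
    code = int(m.group("code"))
    return {
        # The log prints the HRESULT as a signed decimal; show it as unsigned hex.
        # -2147024882 is 0x8007000E (E_OUTOFMEMORY), matching the "not enough
        # memory" message users see.
        "hresult": "0x%08X" % (code & 0xFFFFFFFF),
        "message_id": m.group("msg"),
        "owner": m.group("owner"),
        "mailbox": m.group("owner").rsplit("/cn=", 1)[-1],
        "folder": m.group("folder"),
    }

def mailboxes_by_failures(descriptions):
    """List ((owner DN, folder), count) pairs, most failures first."""
    hits = [p for p in map(parse_9684, descriptions) if p]
    return Counter((h["owner"], h["folder"]) for h in hits).most_common()

# Constructed sample input: line 1 is the event from the thread, the rest are made up.
_DN = "/o=Organization/ou=XXXXXX/cn=81MSS/cn="
_FMT = ("Error -2147024882 occurred while converting message %s from Internet "
        "to MAPI format.  The mailbox owner is " + _DN + "%s, and the folder is %s.")
SAMPLE = [
    _FMT % ("1-27A3B0", "xxxx.xxxx", "/Inbox"),
    _FMT % ("1-27A3B1", "xxxx.xxxx", "/Inbox"),
    _FMT % ("1-27A3B2", "example.user", "/Sent Items"),
    "The information store was started.",  # unrelated event text, ignored
]

if __name__ == "__main__":
    for (owner, folder), count in mailboxes_by_failures(SAMPLE):
        print(count, owner, folder)
```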
