How to detect corrupt attachment in Exchange 2003

Posted on 2007-08-08
Last Modified: 2013-11-05
Exchange 2003 running on Server 2003, 4 Gig RAM, boot to disk, databases are on SAN, 6 months old.
Receiving several hundred Event ID 12800 errors on this particular server.
What I've done:
Removed all instances of Symantec, according to MS, they saw some excesive symantec hooks. That did not help. Stopped ALL other non MS services, rebooted and tested, same error.  Removed the RAM and replaced with identical from spare server, no luck.
I noticed on one of MS's KB's that this could be due to a corrupt attachment.  

Since I have several thousand users on this box, how can I determine WHO (if any) has the corrupt attachment?  I have defragged the databse, still no joy.
Question by:johnwgarnett
    LVL 31

    Expert Comment

    Is this the KB you found ?  There is a hotfix, but it looks like you may get charged for it.

    I don't think you'll be able to locate the attachment (even assuming that that is the cause) until someone tries to open it.

    Using isinteg might help, but will take a long time.

    Author Comment

    Yes, that's the hotfix that I FTP'd from MS.  Has not gone through regression testing yet, hence it is not on their site for download. That did not do anything for me.  Mind you, I have working directly the MS Premier Support for almost a month now on this issue with no resolution.  I was hoping to find something in here to help out or get me going in a different direction. As stated in my question, I'm leaning more towards it being a corrupt attachment from user "X" account, I need to know if there is a way determine, via logs or debugging, who's the one with the bad attachment so I can have them delete that email, or move ALL there email down to a .pst.  I'm sure I can turn up logging to 100% and watch my logs fill up in about 10 minutes, but what would I be looking for?

    Author Comment

    received this from MS, but after 2 days of logging, nothing actually appeared that was helpful. Well... nothing appeared at all. so, still waiting to hear back from MS on what the next move might be. But wanted to post this information in case was helful to someone else down the road.

    add the following registry key to try to capture the problematic message(s) that may be causing this error.

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIs\ParametersSystem\Save Content on Conversion Error .
    When this entry is added with a DWORD value of one, an .eml file is copied to the Mdbdata folder. To add this entry and this DWORD value, follow these steps.

    Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

    1.  Click Start, click Run, type regedit , and then click OK.
    2.  Expand the following subkey:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIs\ParametersSystem .
    3.  Right-click ParametersSystem, point to New, and then click DWORD Value.
    4.  Type Save Content on Conversion Error , and then press ENTER to name the new value.
    5.  Right-click Save Content on Conversion Error, and then click Modify.
    6.  In the Value data box, type 1 , and then click OK.

    To see the events in the application log, you must set diagnostic logging for the MSExchangeIS\Content Engine category to Medium or higher. To increase diagnostic logging, follow these steps:

    1.  Start Exchange System Manager.
    2.  Expand Administrative Groups, expand AdministrativeGroupName, and then expand Servers.
    3.  Right-click Your_Exchange_Server , and then click Properties.
    4.  Click the Diagnostics Logging tab, and then expand MSExchangeIS in the Services list.
    5.  In the Categories list, click Content Engine.
    6.  In the Logging Level area, click Medium, click Apply, and then click OK.
    7.  Quit Exchange System Manager.

    Note When a user tries to open, to forward, or to flag for follow-up an e-mail message that has not converted correctly from MIME format to MAPI format, the user may receive an error message that is similar to the following:
    There is not enough memory available to perform the operation.

    Author Comment

    Fix action:

    Using the previously posted techniques, I was able to get the system to log a new event 9684 which contained the name of the user that had corrupt data.
    Error -2147024882 occurred while converting message 1-27A3B0 from Internet to MAPI format.  The mailbox owner is /o=Organization/ou=XXXXXX/cn=81MSS/cn=xxxx.xxxx, and the folder is /Inbox.

    The only caviot to the previous instructions is you have to turn loggin up to MAX on Content Engine in the MSExchangeIS services list.  If you dont do this, it will not log the 9684 errors.

    I was never able to get it to post a .eml file in the particular folder that contains the .edb, but if you follow these instructions, you will be able to.

    To change the location of the .eml file, add the following entry to the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIs\ParametersSystem\Save Content Location .
    To do this, follow these steps:

    1.  Click Start, click Run, type regedit , and then click OK.
    2.  Expand the following subkey:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIs\ParametersSystem .
    3.  Right-click ParametersSystem, point to New, and then click String Value.
    4.  Type Save Content Location , and then press ENTER to name the new entry.
    5.  Right-click Save Content Location, and then click Modify.
    6.  In the Value data box, type the full path of the folder where you want the file to be copied. Make sure that you include the trailing backslash (\).

    If the trailing backslash is omitted, the .eml file will be created in the parent folder by using a file name that begins with the name of the directory that was specified. For example, type the following, and then click OK:


    LVL 1

    Accepted Solution

    PAQed with points refunded (250)

    EE Admin

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    Integrate social media with email signatures

    Is your company active on social media? Do you also use email signatures? Including social media icons in your email signature is a great way to get fans for free. Let all your email users know you’re on social media quickly and easily, in a single click.

    Learn more about how the humble email signature can be used as more than just an electronic business card. When used correctly, a signature can easily be tailored for different purposes by different departments within an organization.
    Get an idea of what you should include in an email disclaimer with these Top 5 email disclaimer tips.
    In this video we show how to create an Accepted Domain in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Ac…
    To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…

    737 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    22 Experts available now in Live!

    Get 1:1 Help Now