GP and MSI installation for Conficker Removal

Posted on 2011-05-09
Medium Priority
Last Modified: 2013-11-22
I'm trying to follow http://www.sophos.com/support/knowledgebase/article/67398.html to help a customer with the removal of Conficker. I'm testing this in a VM setup right now to run a simple batch file that runs msiexec /qn /i \\[servername]\SophosCleanup\[Sophos Cleanup Tool.msi] STARTCLI=1 REBOOT=1 UNINSTALL=1. I created an OU, put an XP test PC in it and applied the Conficker policy there. When the PC reboots I get a message saying the Windows Installer package is invalid or it can't be accessed. I can run the batch file from the PC. I even tried adding an xcopy statement that creates a local folder on the PC and then runs the installation from there. I still get the same thing. I've double-checked permissions etc. on the share that the MSI sits in. What am I missing?


Question by:bciengineer

Expert Comment

ID: 35724556
Where's this running from?
Computer Startup Script?
User Login Script?
Scheduled Task?

Does the account under whose context it is installing have access to the shared folder - check both NTFS and Share permissions.  Try adding "/l <logfilename.txt>" to the command line to get more info.

One more thought, try enabling the Group Policy option "Always wait for the network at computer startup and logon" (Computer - Administrative Templates - System - Logon) on your test OU.  It may be logging in with cached credentials before the network is ready and therefore unable to reach the server.  Be careful with this policy setting against wireless machines.

Author Comment

ID: 35725108
I'm trying to get it running as a computer startup script. I've tried domain administrator and domain admin, which all have access to the share. I added Everyone full access, Domain Computers, SYSTEM, NETWORK etc. I also added those permissions to the GPO. I can run the same bat file from the PC and all is well. I'll check on the always wait for network at computer start. That could be it.

Author Comment

ID: 35725391
Still not working. I enabled Always wait for a network connection and enabled logging in the bat file. This is all I'm getting.

=== Verbose logging started: 5/9/2011  19:42:32  Build type: SHIP UNICODE 3.01.4001.5512  Calling process: C:\WINDOWS\system32\msiexec.exe ===
MSI (c) (CC:D4) [19:42:32:413]: Resetting cached policy values
MSI (c) (CC:D4) [19:42:32:413]: Machine policy value 'Debug' is 0
MSI (c) (CC:D4) [19:42:32:413]: ******* RunEngine:
           ******* Product: avtool.msi
           ******* Action:
           ******* CommandLine: **********
MSI (c) (CC:D4) [19:42:32:413]: Client-side and UI is none or basic: Running entire install on the server.
MSI (c) (CC:D4) [19:42:32:413]: Grabbed execution mutex.
MSI (c) (CC:D4) [19:42:32:491]: Cloaking enabled.
MSI (c) (CC:D4) [19:42:32:491]: Attempting to enable all disabled priveleges before calling Install on Server
MSI (c) (CC:D4) [19:42:32:507]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (E0:F0) [19:42:32:522]: Grabbed execution mutex.
MSI (s) (E0:00) [19:42:32:522]: Resetting cached policy values
MSI (s) (E0:00) [19:42:32:522]: Machine policy value 'Debug' is 0
MSI (s) (E0:00) [19:42:32:522]: ******* RunEngine:
           ******* Product: C:\avtool\avtool.msi
           ******* Action:
           ******* CommandLine: **********
MSI (s) (E0:00) [19:42:32:522]: Note: 1: 2203 2: C:\avtool\avtool.msi 3: -2147287038
MSI (s) (E0:00) [19:42:32:522]: MainEngineThread is returning 2
MSI (c) (CC:D4) [19:42:32:538]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied.  Counter after decrement: -1
MSI (c) (CC:D4) [19:42:32:538]: MainEngineThread is returning 2
=== Verbose logging stopped: 5/9/2011  19:42:32 ===
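
Added example, not part of the original thread: a short Python helper that pulls the two lines carrying the failure reason out of a verbose msiexec log like the one posted above and splits the signed HRESULT into its fields. The function names and the small lookup tables are this example's own; the sample lines are copied from the post.

```python
import re

# Constructed sample: the two decisive lines copied from the log posted above.
SAMPLE_LOG = r"""
MSI (s) (E0:00) [19:42:32:522]: Note: 1: 2203 2: C:\avtool\avtool.msi 3: -2147287038
MSI (s) (E0:00) [19:42:32:522]: MainEngineThread is returning 2
"""

NOTE_RE = re.compile(r"Note: 1: (\d+) 2: (.*?) 3: (-?\d+)\s*$")
EXIT_RE = re.compile(r"MainEngineThread is returning (\d+)")

# Deliberately small lookup tables of well-known values, not complete lists.
MSI_ERRORS = {2203: "cannot open database (package) file"}
FACILITIES = {3: "FACILITY_STORAGE", 7: "FACILITY_WIN32"}
LOW_CODES = {2: "file not found", 3: "path not found", 5: "access denied"}
EXIT_CODES = {0: "ERROR_SUCCESS", 2: "ERROR_FILE_NOT_FOUND",
              5: "ERROR_ACCESS_DENIED", 1603: "ERROR_INSTALL_FAILURE"}


def decode_hresult(value):
    """Split a signed 32-bit HRESULT, as msiexec logs it, into its fields."""
    u = value & 0xFFFFFFFF            # reinterpret as unsigned
    facility = (u >> 16) & 0x7FF      # bits 16-26
    code = u & 0xFFFF                 # bits 0-15
    known = facility in FACILITIES    # LOW_CODES only applies to these two
    return {
        "hex": f"0x{u:08X}",
        "failure": bool(u >> 31),     # severity bit
        "facility": FACILITIES.get(facility, str(facility)),
        "code": code,
        "meaning": LOW_CODES.get(code, "unknown") if known else "unknown",
    }


def triage(log_text):
    """Return one finding per 'Note:' or 'MainEngineThread' line in the log."""
    findings = []
    for line in log_text.splitlines():
        note = NOTE_RE.search(line)
        if note:
            err, target, hresult = int(note[1]), note[2], int(note[3])
            findings.append({"msi_error": err, "target": target,
                             "msi_text": MSI_ERRORS.get(err, "unknown"),
                             **decode_hresult(hresult)})
        ret = EXIT_RE.search(line)
        if ret:
            rc = int(ret[1])
            findings.append({"exit_code": rc,
                             "exit_name": EXIT_CODES.get(rc, "unknown")})
    return findings
```

Calling `triage()` on the full text of a `/l*v` log returns the same findings, since lines that match neither pattern are ignored.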


Accepted Solution

cantoris earned 1000 total points
ID: 35726808
"Domain computers" will need access to the fileshare when installed through a Startup Script.  That GPO setting about waiting for the network might need a couple of reboots before it takes effect so don't ditch it until you're sure.

Try assigning the batch file as a login script instead of a startup script and ensure your test user account is in that OU just as a troubleshooting step.

Are you able to paste your batch file here?

Can you not assign the MSI to computers via Group Policy software distribution?

Assisted Solution

canali earned 1000 total points
ID: 35727514
Startup scripts run with NT Authority\System privileges on the local machine and the permissions of the computer object elsewhere in the domain. Grant rights to the computer object or to a group like Domain Computers.

OR put the file in the sysvol share, which has computer object read permission.

This directory can be accessed by a startup script.

Bye Gastone

Author Comment

ID: 35741814
I just tried putting the MSI file in the sysvol directory where the script is located. I double-checked that Domain Computers has full rights along with this test PC. I'm still getting the MainEngineThread is returning 2 at the end of the log, which basically means access denied. I'm fixing to try it as a login script.
Here's the batch file info:
msiexec /qb /i \\X.X.X.X\sysvol\domain.com\Policies\{2787F521-6E40-48D2-846B-6A880E192959}\Machine\Scripts\Startup STARTCLI=1 /l*v c:\conficker.txt


Assisted Solution

bciengineer earned 0 total points
ID: 35741856
I just moved the MSI file to a share on a member server running file share services. I created a new share, gave Domain Computers, Everyone, authusers, NETWORK and SYSTEM full access, changed my startup script to point to the new location and rebooted the test PC, and what do you know, it WORKS! I had the same permissions on the share I created on the DC. I haven't a clue why it would work there.

Author Closing Comment

ID: 35767654
Just got lucky with moving it to another file server and it works from there so I'm happy. Not sure why it wasn't working on the DC.
