GP and MSI installation for Conficker Removal

Posted on 2011-05-09
Last Modified: 2013-11-22
I'm trying to follow
to help a customer with the removal of Conficker. I'm testing this in a VM setup right now to run a simple batch file that runs msiexec /qn /i \\[servername]\SophosCleanup\[Sophos Cleanup Tool.msi] STARTCLI=1 REBOOT=1 UNINSTALL=1. I created an OU a put a XP test pc in it and applied the conficker policy there. When the pc reboots I get a message saying the Windows installer package is invalid or it can't be accessed. I can run the batch file from the pc. I even tried adding an xcopy statment that creates a local folder on the pc then runs the installation from there. I still get the same thing. I've doublechecked permissions and etc on the share that the MSI sits in. What am I missing.


Question by:bciengineer
    LVL 16

    Expert Comment

    Where's this running from?
    Computer Startup Script?
    User Login Script?
    Scheduled Task?

    Does the account under whose context it is installing have access to the shared folder - check both NTFS and Share permissions.  Try adding "/l <logfilename.txt>" to the command line to get more info.

    One more thought, try enabling the Group Policy option "Always wait for the network at computer startup and logon" (Computer - Administrative Templates - System - Logon) on your test OU.  It may be logging in with cached credentials before the network is ready and therefore unable to reach the server.  Be careful with this policy setting against wireless machines.

    Author Comment

    I'm trying to get it running as a computer startup script. I've tried domain administrator, domain admin which all have access to the share. I added everyone fullaccess, domain computers, system, network etc. Also added those permissions to the GPO. I can run the same bat file from the pc and all is well. I'll check on the always wait for network at computer start. That could be it.

    Author Comment

    Still not working. I enabled Always wait for a network connection and enabled logging in the bat file. This is all I'm getting.

    === Verbose logging started: 5/9/2011  19:42:32  Build type: SHIP UNICODE 3.01.4001.5512  Calling process: C:\WINDOWS\system32\msiexec.exe ===
    MSI (c) (CC:D4) [19:42:32:413]: Resetting cached policy values
    MSI (c) (CC:D4) [19:42:32:413]: Machine policy value 'Debug' is 0
    MSI (c) (CC:D4) [19:42:32:413]: ******* RunEngine:
               ******* Product: avtool.msi
               ******* Action:
               ******* CommandLine: **********
    MSI (c) (CC:D4) [19:42:32:413]: Client-side and UI is none or basic: Running entire install on the server.
    MSI (c) (CC:D4) [19:42:32:413]: Grabbed execution mutex.
    MSI (c) (CC:D4) [19:42:32:491]: Cloaking enabled.
    MSI (c) (CC:D4) [19:42:32:491]: Attempting to enable all disabled priveleges before calling Install on Server
    MSI (c) (CC:D4) [19:42:32:507]: Incrementing counter to disable shutdown. Counter after increment: 0
    MSI (s) (E0:F0) [19:42:32:522]: Grabbed execution mutex.
    MSI (s) (E0:00) [19:42:32:522]: Resetting cached policy values
    MSI (s) (E0:00) [19:42:32:522]: Machine policy value 'Debug' is 0
    MSI (s) (E0:00) [19:42:32:522]: ******* RunEngine:
               ******* Product: C:\avtool\avtool.msi
               ******* Action:
               ******* CommandLine: **********
    MSI (s) (E0:00) [19:42:32:522]: Note: 1: 2203 2: C:\avtool\avtool.msi 3: -2147287038
    MSI (s) (E0:00) [19:42:32:522]: MainEngineThread is returning 2
    MSI (c) (CC:D4) [19:42:32:538]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied.  Counter after decrement: -1
    MSI (c) (CC:D4) [19:42:32:538]: MainEngineThread is returning 2
    === Verbose logging stopped: 5/9/2011  19:42:32 ===

    LVL 16

    Accepted Solution

    "Domain computers" will need access to the fileshare when installed through a Startup Script.  That GPO setting about waiting for the network might need a couple of reboots before it takes effect so don't ditch it until you're sure.

    Try assigning the batch file as a login script instead of a startup script and ensure your test user account is in that OU just as a troubleshooting step.

    Are you able to paste your batch file here?

    Can you not assign the MSI to computers via Group Policy software distribution?
    LVL 14

    Assisted Solution

    Startup scripts run with NT Authority\System privileges on the local machine and the permissions of the computer object elsewhere in the domain. Grant rights to the computer object or to a group like Domain Computers.

    OR put the file in the sysvol share that have computer object read permission

    This directory can be accessed by startup script

    Bye Gastone

    Author Comment

    I just tried putting the msi file in the sysvol directory where the script is located. I double checked that domain computers has full rights along with this test pc. I'm still getting the MainEngineThread is returning 2 at the end of the log which basically means access denied. I'm fixing to try it as a login script.
    Here's the batch file info
    msiexec /qb /i \\X.X.X.X\sysvol\\Policies\{2787F521-6E40-48D2-846B-6A880E192959}\Machine\Scripts\Startup STARTCLI=1 /l*v c:\conficker.txt


    Assisted Solution

    I just moved the MSI file to a share on a member server running file share services. I created a new share gave domain computers,everyone,authusers,network,system full access changed my startup script to point to the new location and rebooted the test pc and what do you know it WORKS! I had the same same permissions on the share I created on the DC. I haven't a clue why it would work there.

    Author Closing Comment

    Just got lucky with moving it to another file server and it works from there so I'm happy. Not sure why it wasn't working on the DC.

    Featured Post

    How to improve team productivity

    Quip adds documents, spreadsheets, and tasklists to your Slack experience
    - Elevate ideas to Quip docs
    - Share Quip docs in Slack
    - Get notified of changes to your docs
    - Available on iOS/Android/Desktop/Web
    - Online/Offline

    Join & Write a Comment

    This is an article about Leadership and accepting and adapting to new challenges. It focuses mostly on upgrading to Windows 10.
    Ransomware continues to be a growing problem for both personal and business users alike and Antivirus companies are still struggling to find a reliable way to protect you from this dangerous threat.
    This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
    Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

    728 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    17 Experts available now in Live!

    Get 1:1 Help Now