Solved

file named "Program" with no extension randomly created

Posted on 2012-04-03
19
701 Views
Last Modified: 2012-04-05
We have a brand new SBS2011 server setup and under the Data Drive (F) a random file keeps appearing named: Program .  This file has no extension and is 1kb.  Our concern is having that file there is causing issues with services starting from that drive.  every time we delete that file it shows up again randomly within the hour...

thoughts...

also this is a brand new server, so a virus is very unlikely
0
Comment
Question by:tampatechman
  • 7
  • 7
  • 5
19 Comments
 
LVL 9

Expert Comment

by:Geodash
ID: 37803439
Do you have all files and folders, system files showing? Is this happening on the console when logged in, or can users see it form their workstations as well?
0
 

Author Comment

by:tampatechman
ID: 37803453
all files and folders view is enabled.  
This shows up when we are logged in or off.  
Users cant see it because that main directory is not shared
0
 
LVL 9

Expert Comment

by:Geodash
ID: 37803460
Is there anything else on the F Drive? Have you migrated any services yet such as Exchange or sharepoint or user data to this drive?
0
 

Author Comment

by:tampatechman
ID: 37803469
we dont use sharepoint so it was not migrated.  we have our user data and Exchange data on this drive and users email was migrated from SBS 2003
0
 
LVL 9

Expert Comment

by:Geodash
ID: 37803479
This is related to XP, but I did find something else having this same issue. Researching further but here is the discussion of this happening on XP.

http://forums.cnet.com/7723-6142_102-293153/file-name-warning-at-boot/
0
 

Author Comment

by:tampatechman
ID: 37803490
Thanks for that link.  Dont think it helps in this specific situation though.

I have renamed Program to Program1, however another Program appears within the hour randomly...
0
 
LVL 7

Expert Comment

by:ZShaver
ID: 37803546
you probably have some command line script or path variable set up that refered to Program Files
but you don't have the full path in quotes so it's interpreting the space as a break

e.g.:

echo "Hello" > C:\Program Files\file.txt
vs...
echo "Hello" > "C:\Program Files\file.txt"
0
 
LVL 7

Expert Comment

by:ZShaver
ID: 37803552
I highly doubt this is a brand new, just-completed installation of SBS2011 as you indicated as this simply does not happen unless there is a script causing it.
0
 
LVL 7

Expert Comment

by:ZShaver
ID: 37803556
for a clue, open the file with notepad
see what's inside
0
Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 

Author Comment

by:tampatechman
ID: 37803681
It is a brand new SBS install.  

ZShaver - great idea though to open with notepad.  See contents below:



MIBCounts:
      Discovers = 12.
      Offers = 12.
      Delayed Offers = 0.
      Requests = 16.
      Acks = 73.
      Naks = 0.
      Declines = 0.
      Releases = 0.
      ServerStartTime = Tuesday, April 03, 2012 12:46:03 PM  
      Scopes = 1.
      Scopes with Delay configured= 0.
      Subnet = 192.168.10.0.
            No. of Addresses in use = 5.
            No. of free Addresses = 176.
            No. of pending offers = 0.


Server Database Properties :  

      DatabaseName              = dhcp.mdb
      DatabasePath              = C:\Windows\system32\dhcp
      DatabaseBackupPath        = C:\Windows\system32\dhcp\backup
      DatabaseBackupInterval    = 60 mins.
      DatabaseLoggingFlag       = 1
      DatabaseRestoreFlag       = 0
      DatabaseCleanupInterval   = 60 mins.


Server Status:
      Server Attrib - Rogue Authorization Succeeded :TRUE
      Server Attrib - Dynamic BootP Support Enabled :TRUE
      Server Attrib - DHCP Server Part Of DS        :TRUE
      Server Attrib - DHCP Server Bindings Aware    :TRUE
      Server Attrib - Administrative Rights         :TRUE

So thoughts......
0
 
LVL 9

Accepted Solution

by:
Geodash earned 250 total points
ID: 37803687
DHCP, its a DHCP log - go into your DHCP Service and see where it is logging to
0
 

Author Comment

by:tampatechman
ID: 37803693
DHCP server shows logging set to C:\Windows\system32\dhcp
0
 
LVL 7

Assisted Solution

by:ZShaver
ZShaver earned 250 total points
ID: 37803710
so it's a reporting function or log file that is getting dumped to that file:

commands being executed to get this data is:

netsh dhcp serverName show mibinfo
netsh dhcp serverName show dbproperties
netsh dhcp serverName show show serverstatus
0
 
LVL 7

Expert Comment

by:ZShaver
ID: 37803749
destination was probably:  C:\Program Files\Windows Small Business Server\Logs\MonitoringServiceLogs
0
 
LVL 9

Expert Comment

by:Geodash
ID: 37803753
Weird how its showing up on F. Did you change any DHCP settings after building the server?
0
 
LVL 7

Expert Comment

by:ZShaver
ID: 37803770
actually the command to get that log is just

netsh dhcp serverName show all

but anyways

it seems even more unlikely that this is a fresh install of windows sbs when you're saying that you're concerned about services not being able to start from your "Data" drive (F:)... windows doesn't arbitrarily throw services out to other drives afaik.

so it's probably something you installed to that drive that's causing the issue, maybe one of these "services" that are on that drive are outputting this data into a log file in it's own program folder, so that it can be parsed and analysed and used by the service/application, but a path might not be set correctly in that application's configuration as I stated it needs quotes or no spaces, or supplementing Program Files with PROGRA~1

Say you installed application to F:\Program Files\App1....
Maybe try just reinstalling the whole app to F:\App1 so there there are no spaces in the filename

If the command is hard-coded into the executable without quotes, there will be no way for you to fix this without reinstalling the app to a location containing no spaces
0
 

Author Comment

by:tampatechman
ID: 37806285
ZShaver - I assure you this is a new SBS install.  We moved Exchange and several other directories to the Data drive instead of C.  We have installed Quickbooks and a LOB application to F and it has services assigned to it.  

When I run netsh dhcp serverName show all I get The following command was not found: dhcp serverName show all.
0
 
LVL 7

Expert Comment

by:ZShaver
ID: 37807887
"netsh dhcp server show all " sorry
0
 

Author Closing Comment

by:tampatechman
ID: 37811853
Splitting points as both contributed well.  Since we know its a dhcp issue now - we have just disabled DHCP on the SBS server and enabled it on the router. Thanks for the help everyone.
0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

I was supporting a handful of Windows 2008 (non-R2) 2 node clusters with shared quorum disks. Some had SQL 2008 installed and some were just a vendor application that we supported. For the purposes of this article it doesn’t really matter which so w…
Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now