Exchange 2007 Store.exe crashes with Event IDs 4999, 1000 and 7031
Exchange 2007 SP3 is installed on Windows 2008-R2.
Last week, after TrendMicro AV update, we have started seeing these Errors:
Source: MSExchange Common
Event ID: 4999
Description: Watson report about to be sent to dw20.exe for process id: 5100, with parameters: E12N, c-
Source: Application Error
Event ID: 1000
Description: Faulting application name: store.exe, version: 8.3.330.0, time stamp: 0x5208b2fb. Faulting module name: MSVCR80.dll, version: 8.0.50727.6229, time stamp: 0x4ec3407e
Log Name: System
Source: Service Control Manager
Event ID: 7031
Description: The Microsoft Exchange Information Store service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
We suspected that TrendMicro must have done something and found that Exclusions were gone in OfficeScan client configuration. We have restored all of them, have rebooted the server, but the problem remains.
There is a small possibility that a few mailboxes may have been migrated in around that time. Windows updates also were installed last week.
Thanks for any insight you can provide.
Last week, after TrendMicro AV update, we have started seeing these Errors:
Source: MSExchange Common
Event ID: 4999
Description: Watson report about to be sent to dw20.exe for process id: 5100, with parameters: E12N, c-
Source: Application Error
Event ID: 1000
Description: Faulting application name: store.exe, version: 8.3.330.0, time stamp: 0x5208b2fb. Faulting module name: MSVCR80.dll, version: 8.0.50727.6229, time stamp: 0x4ec3407e
Log Name: System
Source: Service Control Manager
Event ID: 7031
Description: The Microsoft Exchange Information Store service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
We suspected that TrendMicro must have done something and found that Exclusions were gone in OfficeScan client configuration. We have restored all of them, have rebooted the server, but the problem remains.
There is a small possibility that a few mailboxes may have been migrated in around that time. Windows updates also were installed last week.
Thanks for any insight you can provide.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Diggisaur and Arjun,
Thank you both for responding. As I mentioned in the original post, I have specified Exclusions in OfficeScan. They are per documentation of Microsoft and TrendMicro. Here is the final Exlusion list (server has Client Access, Hub Transport and Mailbox roles; databases on E: and logs on F:)
C:\inetpub\logs
C:\Windows\System32\Inetsr
C:\Windows\TEMP
C:\Exchange Server\ClientAccess
C:\Exchange Server\TransportRoles\Logs
C:\Exchange Server\TransportRoles\Pick
C:\Exchange Server\TransportRoles\Repl
C:\Exchange Server\TransportRoles\Data
C:\Exchange Server\Working
C:\Exchange Server\Logging
C:\Exchange Server\Mailbox
E:\Exchange Server\Mailbox
F:\Exchange Server\Mailbox
C:\Program Files\Trend Micro\Smex
1. Should not these paths be enough?
2. I was thinking of stopping all OfficeScan services for a day. It should not be too risky, right?
3. On installing Microsoft Security Essential Antivirus, do we have to setup Exclusions or is it smart enough to not go where it is not supposed to?
4. How about using this MSE AV, instead of OfficeScan, on this server for good?
Thanks again.
Jay
Thank you both for responding. As I mentioned in the original post, I have specified Exclusions in OfficeScan. They are per documentation of Microsoft and TrendMicro. Here is the final Exlusion list (server has Client Access, Hub Transport and Mailbox roles; databases on E: and logs on F:)
C:\inetpub\logs
C:\Windows\System32\Inetsr
C:\Windows\TEMP
C:\Exchange Server\ClientAccess
C:\Exchange Server\TransportRoles\Logs
C:\Exchange Server\TransportRoles\Pick
C:\Exchange Server\TransportRoles\Repl
C:\Exchange Server\TransportRoles\Data
C:\Exchange Server\Working
C:\Exchange Server\Logging
C:\Exchange Server\Mailbox
E:\Exchange Server\Mailbox
F:\Exchange Server\Mailbox
C:\Program Files\Trend Micro\Smex
1. Should not these paths be enough?
2. I was thinking of stopping all OfficeScan services for a day. It should not be too risky, right?
3. On installing Microsoft Security Essential Antivirus, do we have to setup Exclusions or is it smart enough to not go where it is not supposed to?
4. How about using this MSE AV, instead of OfficeScan, on this server for good?
Thanks again.
Jay
If you install Microsoft Security Essential, then you don't need to set any exclusions which you have specified.
I know that removing antivirus is risky, thatswhy recommending to install Security Essential for 2 days, if it works properly then proceed to open case with Trend Micro support.
Regards,
Arjun
I know that removing antivirus is risky, thatswhy recommending to install Security Essential for 2 days, if it works properly then proceed to open case with Trend Micro support.
Regards,
Arjun
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Sembee,
I also used to think that MSE AV is for workstations only. However, this MSDN link specifically says: Download Microsoft Security Essentials For Windows Server 2008 R2.
I did ask in my previous post if such MSE can be used as permanent replacement on servers for AV softwares like OfficeScan BUT no one has responded.
About your second statement -- links are there and server needs to be rebooted -- we had similar experience only today when the person in-charge just uninstalled the AV and problem continued. But then I stopped and disabled both OfficeScan services and this did the trick. We will reboot in off-hours.
Finally, about your last suggestion, I had already done this -- including pre and post reboots -- before starting this thread. It did not help one bit. The latest build of TrendMciro's OfficeScan (10.6 SP3) is the problem on this Exch 2007 server, even though this build is not all that new.
Ajay K
I also used to think that MSE AV is for workstations only. However, this MSDN link specifically says: Download Microsoft Security Essentials For Windows Server 2008 R2.
I did ask in my previous post if such MSE can be used as permanent replacement on servers for AV softwares like OfficeScan BUT no one has responded.
About your second statement -- links are there and server needs to be rebooted -- we had similar experience only today when the person in-charge just uninstalled the AV and problem continued. But then I stopped and disabled both OfficeScan services and this did the trick. We will reboot in off-hours.
Finally, about your last suggestion, I had already done this -- including pre and post reboots -- before starting this thread. It did not help one bit. The latest build of TrendMciro's OfficeScan (10.6 SP3) is the problem on this Exch 2007 server, even though this build is not all that new.
Ajay K
ASKER
Looks like no one wants to say that MSE can be used as a permanent AV solution, since its use on servers is not official.
In any case, we still have Store.exe termination instances after removing OfficeScan, though much fewer. Now I have added Exclusions of folders in MSE -- was told that it is not necessary -- and hopefully things will improve further.
A question: I don't see any service related to MSE. Where is it? Any other way to restart this program? Thanks.
In any case, we still have Store.exe termination instances after removing OfficeScan, though much fewer. Now I have added Exclusions of folders in MSE -- was told that it is not necessary -- and hopefully things will improve further.
A question: I don't see any service related to MSE. Where is it? Any other way to restart this program? Thanks.
Use get-transportagent to list the installed agents and then disable-agent <agentname> to disable the TrendMicro agents.