Exchange 2007 Store.exe crashes with Event IDs 4999, 1000 and 7031

Akulsh
Akulsh used Ask the Experts™
on
Exchange 2007 SP3 is installed on Windows 2008-R2.
Last week, after TrendMicro AV update, we have started seeing these Errors:

Source:        MSExchange Common
Event ID:      4999
Description: Watson report about to be sent to dw20.exe for process id: 5100, with parameters: E12N, c-

Source:        Application Error
Event ID:      1000
Description: Faulting application name: store.exe, version: 8.3.330.0, time stamp: 0x5208b2fb. Faulting module name: MSVCR80.dll, version: 8.0.50727.6229, time stamp: 0x4ec3407e

Log Name:      System
Source:        Service Control Manager
Event ID:      7031
Description: The Microsoft Exchange Information Store service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.

We suspected that TrendMicro must have done something and found that Exclusions were gone in OfficeScan client configuration. We have restored all of them, have rebooted the server, but the problem remains.

There is a small possibility that a few mailboxes may have been migrated in around that time. Windows updates also were installed last week.

Thanks for any insight you can provide.
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Gareth GudgerSolution Architect
Most Valuable Expert 2014
Top Expert 2014
Commented:
I would blame Trend on this one. Have you recreated exceptions for your Database paths, Log paths and all your Transport Queues? I usually do the whole Exchange Installation path as well.
Technical Consultant
Commented:
Hi,

If event id: 7031 is getting occurred continuously then i would recommend you to please uninstall Trend Micro antivirus and use Microsoft Security Essential Antivirus for next 2 working days and monitor exchange event logs, and if non of these events are getting generated then suggest you to open case with Trend Micro support case on this issue.

Regards,
Arjun
Instead of guessing, you can just disable temporary the TrendMicro Transport Agents.

Use get-transportagent to list the installed agents and then disable-agent <agentname> to disable the TrendMicro agents.
Ensure you’re charging the right price for your IT

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

Author

Commented:
Diggisaur and Arjun,

Thank you both for responding. As I mentioned in the original post, I have specified Exclusions in OfficeScan. They are per documentation of Microsoft and TrendMicro. Here is the final Exlusion list (server has Client Access, Hub Transport and Mailbox roles; databases on E: and logs on F:)

C:\inetpub\logs
C:\Windows\System32\Inetsrv
C:\Windows\TEMP

C:\Exchange Server\ClientAccess
C:\Exchange Server\TransportRoles\Logs
C:\Exchange Server\TransportRoles\Pickup
C:\Exchange Server\TransportRoles\Replay
C:\Exchange Server\TransportRoles\Data
C:\Exchange Server\Working

C:\Exchange Server\Logging
C:\Exchange Server\Mailbox
E:\Exchange Server\Mailbox
F:\Exchange Server\Mailbox

C:\Program Files\Trend Micro\Smex

1. Should not these paths be enough?
2. I was thinking of stopping all OfficeScan services for a day. It should not be too risky, right?
3. On installing Microsoft Security Essential Antivirus, do we have to setup Exclusions or is it smart enough to not go where it is not supposed to?
4. How about using this MSE AV, instead of OfficeScan, on this server for good?

Thanks again.

Jay
Arjun VyavahareTechnical Consultant

Commented:
If you install Microsoft Security Essential, then you don't need to set any exclusions which you have specified.

I know that removing antivirus is risky, thatswhy recommending to install Security Essential for 2 days, if it works properly then proceed to open case with Trend Micro support.

Regards,
Arjun
Most Valuable Expert 2014
Commented:
Last time I checked, the free Microsoft Security Essential Antivirus wouldn't install on servers.

Disabling AV products on an Exchange server doesn't always provide the right results because the links in to the product are still there. Removing the product and rebooting is required.

You may find that removing the product, rebooting then installing the latest build from Trend resolves the issue, as the update may well have simply damaged the original installation.

Simon.

Author

Commented:
Sembee,

I also used to think that MSE AV is for workstations only. However, this MSDN link specifically says: Download Microsoft Security Essentials For Windows Server 2008 R2.

I did ask in my previous post if such MSE can be used as permanent replacement on servers for AV softwares like OfficeScan BUT no one has responded.

About your second statement -- links are there and server needs to be rebooted -- we had similar experience only today when the person in-charge just uninstalled the AV and problem continued. But then I stopped and disabled both OfficeScan services and this did the trick. We will reboot in off-hours.

Finally, about your last suggestion, I had already done this -- including pre and post reboots -- before starting this thread. It did not help one bit. The latest build of TrendMciro's OfficeScan (10.6 SP3) is the problem on this Exch 2007 server, even though this build is not all that new.

Ajay K

Author

Commented:
Looks like no one wants to say that MSE can be used as a permanent AV solution, since its use on servers is not official.

In any case, we still have Store.exe termination instances after removing OfficeScan, though much fewer. Now I have added Exclusions of folders in MSE  -- was told that it is not necessary -- and hopefully things will improve further.

A question: I don't see any service related to MSE. Where is it? Any other way to restart this program? Thanks.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial