Failed To Install Any Update From Web Only
Raymond
If I download the updates and install manually, it works.
Running Win 2000 Sp4 with admin authority
Got error "80070005 :wuauclt handler: failed to spawn COM server" from
update log. Tried following links from this news group but no luck.
Please help! Any suggestions greatly appreciated.
Following is portion of the log file.
********
1236 878 Agent ** START ** Agent: Installing updates [CallerId =
MicrosoftUpdate]
1236 878 Agent *********
1236 878 Agent * Updates to install = 1
1236 878 Agent * Title = <NULL>
1236 878 Agent * UpdateId = {5C223736-DE7B-46DC-8630-CA7D2E1DEACA}.100
1236 878 Agent * Bundles 1 updates:
1236 878 Agent * {C748E49D-79E9-4642-B679-A7B4FE7FD60C}.100
1236 878 Agent WARNING: Failed to evaluate Installed rule, updateId =
{ED300F67-421C-4C08-B3BA-F35C55F3B427}.100, error = 0x80041017
1236 878 Handler Attempting to create remote handler process as *I
replaced*in session 0
1236 700 Report REPORT EVENT:
{3B8C19F6-3162-4F3F-A4F5-97C663CDD87A} 2005-08-15
00:50:16-0400 1 162 101 {5C223736-DE7B-46DC-8630-CA7D2E1DEACA} 100 0 MicrosoftUpdate Success Content Download Download succeeded.
2228 30c Misc =========== Logging initialized (build: 5.8.0.2469, tz:
-0400) ===========
2228 30c Misc = Process: C:\WINNT\system32\wuauclt.exe
2228 30c AUClnt FATAL: Error: 0x80070005. wuauclt handler: failed to spawn
COM server
1236 878 Handler FATAL: 0x80070005: ERROR: Remote update handler container
process created (PID: 2228), but exited before signaling event
1236 878 Agent * WARNING: Exit code = 0x80070005
1236 878 Agent *********
1236 878 Agent ** END ** Agent: Installing updates [CallerId =
MicrosoftUpdate]
1236 878 Agent *************
1236 878 Agent WARNING: WU client failed installing updates with error
0x80070005
2044 708 COMAPI >>-- RESUMED -- COMAPI: Install [ClientId = MicrosoftUpdate]
2044 708 COMAPI - Install call failed
2044 708 COMAPI - Reboot required = No
2044 708 COMAPI - WARNING: Exit code = 0x80240FFF; Call error code =
0x80070005
2044 708 COMAPI ---------
2044 708 COMAPI -- END -- COMAPI: Install [ClientId = MicrosoftUpdate]
2044 708 COMAPI -------------
2044 428 COMAPI WARNING: Operation failed due to earlier error, hr=80070005
PA Bear
http://support.microsoft.com/default.aspx?scid=kb;en-us;836926
Updates from the Windows Update Web site are not installed and an "Error
0x80070005: Access is denied" error message is logged to the Windows
Update.log file
This error message may occur if you have insufficient permissions to the
Windows Update registry keys. The WindowsUpdate.log file will also read
errors 0x80070005 and 0x80080005.
http://v5.windowsupdate.microsoft.com/v5consumer/showarticle.aspx?articleid=13&ln=en
(Compliments of MVP TaurArian)
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE, Shell/User, Security), AH-VSOP
Raymond
Unfortunately, I have tried the links that you suggested before posting this
thread.
Method 3 and 4 from the top link and the bottom link seems doesn't apply to
win 2000. Do not have the "permission" option in regedit. Did tried
re-registering those dll mentioned. No luck.
Any more suggestion please?
Me
Nocturnal
--
Nocturnal
"Raymond" <Ray...@discussions.microsoft.com> wrote in message
news:A8C44F60-5E1B-4360...@microsoft.com...
Raymond
Checked all permissions suggested from the link...seems ok. Admin and System
has Full Control and Read permissions.
Admin and System have Full Control and Allow for HKEY_CLASSES_ROOT
I even added Everyone the same (forgot from where I read this).
Still having the same error when installing.
Anymore suggestions?
Thanks
Raymond
through quite a few of them and I should say the resolution suggestion by PA
earlier, http://support.microsoft.com/default.aspx?scid=kb;en-us;836926,
covered most of them.
Unfortunately, that doesn't work. Anymore suggestions?
Thanks!
Robert Aldwinckle
> Hi, got problem installing any updates from win update site.
> If I download the updates and install manually, it works.
By "install manually" I assume you mean via a different download?
What happens if you retry the same install that WU failed on?
E.g. you might be able to reproduce your symptom that way
and if so be able to apply the /verbose command line option on it.
The problem has always been that we don't have sufficient information
about the cause of the failure to really know what to suggest.
And so far, we haven't had anybody who has the problem willing to do
the necessary diagnosis to figure out what the real underlying problem
symptoms are so we can devise a more appropriate repair procedure.
>
> Running Win 2000 Sp4 with admin authority
> Got error "80070005 :wuauclt handler: failed to spawn COM server" from
> update log. Tried following links from this news group but no luck.
(Google Groups search for
"failed to spawn COM server" group:microsoft.*
- ordered by date to capture current thinking
)
Agreed. This is different from some of the other 0x80070005 cases
However, at least one user claims that changing permissions solves it:
http://groups-beta.google.com/group/microsoft.public.windowsupdate/msg/593d501a93606ea0
(in a thread from the second result page of the above search)
If you don't get anywhere trying to change permissions (e.g. the way that
others have done successfully) I would try adding /verbose to the
command line options of a manual install (as described above)
and see if that gives you any clearer picture of what's wrong.
Note: so far people who have tried this suggestion with me haven't had
much luck finding where the /verbose log is going. In that case I have
suggested that they do a file find (e.g. Win-F) for all files which were
changed on the day of the update and sort that result by Date Modified
(thus sorting the list by timestamp and allowing you to see files listed within
the minutes that the install was active.) Alternatively or in addition, I would
run FileMon filtering on SoftwareDistribution;Update;CatRoot to supplement
(and identify) any logs which the install produces. There is also a verbose
option for the download and install (if done by WU) documented in KB902093.
In order to get the best match for install log records with FileMon trace
entries it is very useful to use FileMon's Clock Time and Milleseconds
options. E.g. provided the FileMon filter includes writes to the install log
you will then see a timestamp down to the millesecond tied to the length
of an install log record. Then it is simply a matter of checking the length
of the records in that context to figure out what the more accurate timestamp
for that install record would be. This is particularly useful if you are doing
concurrent RegMon tracing with the same options set. E.g. then you can
match a context of the FileMon trace with a context of the RegMon trace.
Hopefully a /verbose log would have sufficient context but the FileMon
and RegMon idea is more general and may still be necessary if it turns
out that there is insufficient detail even in the /verbose log.
HTH
Robert Aldwinckle
---
Raymond
By "manual install", I mean save the update from MS download instead of
using Windows Update, then apply it by double clicking on it.
I'm willing to try out the different log method that you suggested but my
knowledge won't allow me. Don't know how to use FileMon and RegMon, not even
the verbose command. After reading KB902093, I think I can trun on verbose
and will post the log details after running the test.
Cannot try from windows update on those that I have already installed since
they removed it from my recommanded update list, but will try on some fresh
ones.
Thanks again for your patience in dealing with me who don't know nothing!
Raymond
Activated the "detailed log" as per KB902093.
Tried updating from WU and view the log file...it was huge!
The last few lines seems the same as before, indicating wuauclt handler:
failed to spawn COM server. The rest....don't understand.....
Following is the portion 1 sec before the error 80070005. Seems like a lot
of errors occured (if whenever EEhndlr means an error). Wonder if I can
border you to take a look....included the time this time which I deleted on
my first post to save some space. Thanks!!
Oops...too long....cut back starting from begining.
2005-08-16 10:35:56 1240 3a4 Agent Final detection state for update 245847
(updateId = {90B3A471-9AA6-42F2-A7A2-6709AEF03298}.12) is "NotApplicable"
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Installable rule, updateId =
{B344E5BE-1325-4253-98A8-818A2830641A}.12, result = 0
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Installed rule, updateId =
{B344E5BE-1325-4253-98A8-818A2830641A}.12, result = 0
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Superseded rule, updateId =
{B344E5BE-1325-4253-98A8-818A2830641A}.12, result = 0
2005-08-16 10:35:56 1240 3a4 Agent Final detection state for update 245848
(updateId = {B344E5BE-1325-4253-98A8-818A2830641A}.12) is "NotApplicable"
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: Evaluating RegDword:
Subkey=SYSTEM\WPA\TabletPC, value=Installed, data=1
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: RegDword evaluated to 0, return
hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr Evaluation of expression: 21 returned
hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: Evaluating RegDword:
Subkey=SYSTEM\WPA\MediaCenter, value=Installed, data=1
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: RegDword evaluated to 0, return
hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr Evaluation of expression: 21 returned
hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: Evaluating RegKeyExists
expression: Key=80000002, Subkey=Software\Microsoft\Active Setup\Installed
Components\{F5E89548-FAC4-40E0-AE9B-6F0334D443F7}
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: RegKeyExists evaluated to 0,
return hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr Evaluation of expression: 18 returned
hr=0
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Installable rule, updateId =
{5A7091B7-3182-49B7-A33E-CFD7A75DC652}.12, result = 0
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: Evaluating RegKeyExists
expression: Key=80000002, Subkey=SOFTWARE\Microsoft\Active Setup\Installed
Components\{CC801824-56F4-4B9E-B7FF-14FB33EA9602}
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: RegKeyExists evaluated to 0,
return hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr Evaluation of expression: 18 returned
hr=0
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Installed rule, updateId =
{5A7091B7-3182-49B7-A33E-CFD7A75DC652}.12, result = 0
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Superseded rule, updateId =
{5A7091B7-3182-49B7-A33E-CFD7A75DC652}.12, result = 0
2005-08-16 10:35:56 1240 3a4 Agent Final detection state for update 245849
(updateId = {5A7091B7-3182-49B7-A33E-CFD7A75DC652}.12) is "NotApplicable"
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Installable rule, updateId =
{E9A53564-4F00-4994-8ABE-A0F34FD39450}.12, result = 0
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Installed rule, updateId =
{E9A53564-4F00-4994-8ABE-A0F34FD39450}.12, result = 0
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Superseded rule, updateId =
{E9A53564-4F00-4994-8ABE-A0F34FD39450}.12, result = 0
2005-08-16 10:35:56 1240 3a4 Agent Final detection state for update 245850
(updateId = {E9A53564-4F00-4994-8ABE-A0F34FD39450}.12) is "NotApplicable"
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: Evaluating RegDword:
Subkey=SYSTEM\WPA\TabletPC, value=Installed, data=1
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: RegDword evaluated to 0, return
hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr Evaluation of expression: 21 returned
hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: Evaluating RegDword:
Subkey=SYSTEM\WPA\MediaCenter, value=Installed, data=1
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: RegDword evaluated to 0, return
hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr Evaluation of expression: 21 returned
hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: Evaluating RegKeyExists
expression: Key=80000002, Subkey=Software\Microsoft\Active Setup\Installed
Components\{3351022E-A2D8-4B52-B84D-491279866457}
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: RegKeyExists evaluated to 0,
return hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr Evaluation of expression: 18 returned
hr=0
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Installable rule, updateId =
{9BA1AA36-42D5-487C-BE8E-0AAD08B73A3E}.12, result = 0
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: Evaluating RegKeyExists
expression: Key=80000002, Subkey=SOFTWARE\Microsoft\Active Setup\Installed
Components\{3A6523A4-E724-4A80-B001-022F9B94965F}
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: RegKeyExists evaluated to 0,
return hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr Evaluation of expression: 18 returned
hr=0
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Installed rule, updateId =
{9BA1AA36-42D5-487C-BE8E-0AAD08B73A3E}.12, result = 0
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Superseded rule, updateId =
{9BA1AA36-42D5-487C-BE8E-0AAD08B73A3E}.12, result = 0
2005-08-16 10:35:56 1240 3a4 Agent Final detection state for update 245851
(updateId = {9BA1AA36-42D5-487C-BE8E-0AAD08B73A3E}.12) is "NotApplicable"
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Installable rule, updateId =
{5FD7DE2D-EA22-41AE-BA8B-F0B035770FAC}.12, result = 0
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Installed rule, updateId =
{5FD7DE2D-EA22-41AE-BA8B-F0B035770FAC}.12, result = 0
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Superseded rule, updateId =
{5FD7DE2D-EA22-41AE-BA8B-F0B035770FAC}.12, result = 0
2005-08-16 10:35:56 1240 3a4 Agent Final detection state for update 245852
(updateId = {5FD7DE2D-EA22-41AE-BA8B-F0B035770FAC}.12) is "NotApplicable"
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: Evaluating RegSzToVersion:
Subkey=Software\Microsoft\Internet Explorer, value=Version, version=5.0.3900.0
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: RegSzToVersion evaluated to 0,
return hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr Evaluation of expression: 24 returned
hr=0
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Installable rule, updateId =
{65E7CA9F-324B-49FE-8713-D6FF2FEA5036}.101, result = 0
2005-08-16 10:35:56 1240 3a4 EEHndlr The full path of the filename is
C:\Program Files\Outlook Express\MSOE.DLL
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: FileExists evaluated to 1, return
hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr Evaluation of Expression 8 returned hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: FileVersion expression:
path=\Outlook Express\MSOE.DLL, comparison=4
2005-08-16 10:35:56 1240 3a4 EEHndlr The full path of the filename is
C:\Program Files\Outlook Express\MSOE.DLL
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: FileVersion evaluated to 1,
return hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr Evaluation of Expression 10 returned hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr The full path of the filename is
C:\WINNT\system32\INETCOMM.DLL
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: FileExists evaluated to 1, return
hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr Evaluation of Expression 8 returned hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: FileVersion expression:
path=\INETCOMM.DLL, comparison=4
2005-08-16 10:35:56 1240 3a4 EEHndlr The full path of the filename is
C:\WINNT\system32\INETCOMM.DLL
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: FileVersion evaluated to 1,
return hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr Evaluation of Expression 10 returned hr=0
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Installed rule, updateId =
{65E7CA9F-324B-49FE-8713-D6FF2FEA5036}.101, result = 1
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Superseded rule, updateId =
{65E7CA9F-324B-49FE-8713-D6FF2FEA5036}.101, result = 0
2005-08-16 10:35:56 1240 3a4 Agent Final detection state for update 245906
(updateId = {65E7CA9F-324B-49FE-8713-D6FF2FEA5036}.101) is "Installed"
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Installable rule, updateId =
{762C5D95-00E5-4B50-8759-336D56FDB617}.101, result = 0
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Installed rule, updateId =
{762C5D95-00E5-4B50-8759-336D56FDB617}.101, result = 0
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Superseded rule, updateId =
{762C5D95-00E5-4B50-8759-336D56FDB617}.101, result = 0
2005-08-16 10:35:56 1240 3a4 Agent Final detection state for update 245912
(updateId = {762C5D95-00E5-4B50-8759-336D56FDB617}.101) is "Installed"
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: Evaluating RegSzToVersion:
Subkey=Software\Microsoft\Internet Explorer, value=Version, version=6.0.2900.0
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: RegSzToVersion evaluated to 1,
return hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr Evaluation of expression: 24 returned
hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: Evaluating RegSzToVersion:
Subkey=Software\Microsoft\Internet Explorer, value=Version,
version=6.0.2800.1106
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: RegSzToVersion evaluated to 1,
return hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr Evaluation of expression: 24 returned
hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: Evaluating RegDword:
Subkey=SOFTWARE\Microsoft\Windows
NT\CurrentVersion\HotFix\KB887797-OE6SP1-20041112.131144, value=Installed,
data=1
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: RegDword evaluated to 0, return
hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr Evaluation of expression: 21 returned
hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: CompareRegSzToString:
Subkey=SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings,
value=MinorVersion, data=Q823353
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: RegSz evaluated to 1, return hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr Evaluation of expression: 23 returned
hr=0
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Installable rule, updateId =
{0A591D73-FE21-492A-94D8-75FA56FBBE27}.101, result = 1
2005-08-16 10:35:56 1240 3a4 EEHndlr The full path of the filename is
C:\Program Files\Outlook Express\MSOE.DLL
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: FileExists evaluated to 1, return
hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr Evaluation of Expression 8 returned hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: FileVersion expression:
path=\Outlook Express\MSOE.DLL, comparison=4
2005-08-16 10:35:56 1240 3a4 EEHndlr The full path of the filename is
C:\Program Files\Outlook Express\MSOE.DLL
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: FileVersion evaluated to 1,
return hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr Evaluation of Expression 10 returned hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr The full path of the filename is
C:\WINNT\system32\INETCOMM.DLL
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: FileExists evaluated to 1, return
hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr Evaluation of Expression 8 returned hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: FileVersion expression:
path=\INETCOMM.DLL, comparison=4
2005-08-16 10:35:56 1240 3a4 EEHndlr The full path of the filename is
C:\WINNT\system32\INETCOMM.DLL
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: FileVersion evaluated to 1,
return hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr Evaluation of Expression 10 returned hr=0
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Installed rule, updateId =
{0A591D73-FE21-492A-94D8-75FA56FBBE27}.101, result = 1
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Superseded rule, updateId =
{0A591D73-FE21-492A-94D8-75FA56FBBE27}.101, result = 0
2005-08-16 10:35:56 1240 3a4 Agent Final detection state for update 245932
(updateId = {0A591D73-FE21-492A-94D8-75FA56FBBE27}.101) is "Installed"
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Installable rule, updateId =
{5FF7B228-9C77-4C3C-B60C-E1DDCE9BE22D}.101, result = 0
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Installed rule, updateId =
{5FF7B228-9C77-4C3C-B60C-E1DDCE9BE22D}.101, result = 0
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Superseded rule, updateId =
{5FF7B228-9C77-4C3C-B60C-E1DDCE9BE22D}.101, result = 0
2005-08-16 10:35:56 1240 3a4 Agent Final detection state for update 245938
(updateId = {5FF7B228-9C77-4C3C-B60C-E1DDCE9BE22D}.101) is "Installed"
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Installable rule, updateId =
{33C5653D-E1B0-43F7-A0E7-BA8D9098297E}.101, result = 1
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: Evaluating RegDword:
Subkey=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB825119,
value=Installed, data=1
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: RegDword evaluated to 1, return
hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr Evaluation of expression: 21 returned
hr=0
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Installed rule, updateId =
{33C5653D-E1B0-43F7-A0E7-BA8D9098297E}.101, result = 1
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Superseded rule, updateId =
{33C5653D-E1B0-43F7-A0E7-BA8D9098297E}.101, result = 0
2005-08-16 10:35:56 1240 3a4 Agent Final detection state for update 246020
(updateId = {33C5653D-E1B0-43F7-A0E7-BA8D9098297E}.101) is "Installed"
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Installable rule, updateId =
{F1807923-5C56-42AE-BE72-AA78C6E8250C}.101, result = 0
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Installed rule, updateId =
{F1807923-5C56-42AE-BE72-AA78C6E8250C}.101, result = 0
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Superseded rule, updateId =
{F1807923-5C56-42AE-BE72-AA78C6E8250C}.101, result = 0
2005-08-16 10:35:56 1240 3a4 Agent Final detection state for update 246039
(updateId = {F1807923-5C56-42AE-BE72-AA78C6E8250C}.101) is "Superseded"
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Installable rule, updateId =
{80F34919-1943-4C71-B7EF-FDBCB7438561}.100, result = 1
2005-08-16 10:35:56 1240 3a4 EEHndlr The full path of the filename is
C:\WINNT\system32\UMPNPMGR.DLL
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: FileExists evaluated to 1, return
hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr Evaluation of Expression 8 returned hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: FileVersion expression:
path=\UMPNPMGR.DLL, comparison=4
2005-08-16 10:35:56 1240 3a4 EEHndlr The full path of the filename is
C:\WINNT\system32\UMPNPMGR.DLL
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: FileVersion evaluated to 1,
return hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr Evaluation of Expression 10 returned hr=0
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Installed rule, updateId =
{80F34919-1943-4C71-B7EF-FDBCB7438561}.100, result = 1
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Superseded rule, updateId =
{80F34919-1943-4C71-B7EF-FDBCB7438561}.100, result = 0
2005-08-16 10:35:56 1240 3a4 Agent Final detection state for update 248798
(updateId = {80F34919-1943-4C71-B7EF-FDBCB7438561}.100) is "Installed"
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Installable rule, updateId =
{335DC428-F38C-4DA2-B1BF-7D8B16934991}.100, result = 0
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Installed rule, updateId =
{335DC428-F38C-4DA2-B1BF-7D8B16934991}.100, result = 0
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Superseded rule, updateId =
{335DC428-F38C-4DA2-B1BF-7D8B16934991}.100, result = 0
2005-08-16 10:35:56 1240 3a4 Agent Final detection state for update 248801
(updateId = {335DC428-F38C-4DA2-B1BF-7D8B16934991}.100) is "Installed"
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Installable rule, updateId =
{F520E83B-36AF-4BF0-B3B5-53A36CCD8472}.100, result = 1
2005-08-16 10:35:56 1240 3a4 EEHndlr The full path of the filename is
C:\WINNT\system32\tapisrv.dll
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: FileExists evaluated to 1, return
hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr Evaluation of Expression 8 returned hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: FileVersion expression:
path=\tapisrv.dll, comparison=4
2005-08-16 10:35:56 1240 3a4 EEHndlr The full path of the filename is
C:\WINNT\system32\tapisrv.dll
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: FileVersion evaluated to 1,
return hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr Evaluation of Expression 10 returned hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr The full path of the filename is
C:\WINNT\system32\REMOTESP.TSP
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: FileExists evaluated to 1, return
hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr Evaluation of Expression 8 returned hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: FileVersion expression:
path=\REMOTESP.TSP, comparison=4
2005-08-16 10:35:56 1240 3a4 EEHndlr The full path of the filename is
C:\WINNT\system32\REMOTESP.TSP
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: FileVersion evaluated to 1,
return hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr Evaluation of Expression 10 returned hr=0
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Installed rule, updateId =
{F520E83B-36AF-4BF0-B3B5-53A36CCD8472}.100, result = 1
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Superseded rule, updateId =
{F520E83B-36AF-4BF0-B3B5-53A36CCD8472}.100, result = 0
2005-08-16 10:35:56 1240 3a4 Agent Final detection state for update 248879
(updateId = {F520E83B-36AF-4BF0-B3B5-53A36CCD8472}.100) is "Installed"
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Installable rule, updateId =
{295430EB-5D44-41BC-899B-932F9186798A}.100, result = 0
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Installed rule, updateId =
{295430EB-5D44-41BC-899B-932F9186798A}.100, result = 0
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Superseded rule, updateId =
{295430EB-5D44-41BC-899B-932F9186798A}.100, result = 0
2005-08-16 10:35:56 1240 3a4 Agent Final detection state for update 248882
(updateId = {295430EB-5D44-41BC-899B-932F9186798A}.100) is "Installed"
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Installable rule, updateId =
{ECE36A54-7D3A-4935-AD93-D85B77137D15}.100, result = 1
2005-08-16 10:35:56 1240 3a4 EEHndlr The full path of the filename is
C:\WINNT\system32\drivers\rdpwd.sys
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: FileExists evaluated to 1, return
hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr Evaluation of Expression 8 returned hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: FileVersion expression:
path=\drivers\rdpwd.sys, comparison=4
2005-08-16 10:35:56 1240 3a4 EEHndlr The full path of the filename is
C:\WINNT\system32\drivers\rdpwd.sys
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: FileVersion evaluated to 1,
return hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr Evaluation of Expression 10 returned hr=0
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Installed rule, updateId =
{ECE36A54-7D3A-4935-AD93-D85B77137D15}.100, result = 1
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Superseded rule, updateId =
{ECE36A54-7D3A-4935-AD93-D85B77137D15}.100, result = 0
2005-08-16 10:35:56 1240 3a4 Agent Final detection state for update 248964
(updateId = {ECE36A54-7D3A-4935-AD93-D85B77137D15}.100) is "Installed"
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Installable rule, updateId =
{7AFF988B-7622-405E-88DE-5E2B8AECF168}.100, result = 0
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Installed rule, updateId =
{7AFF988B-7622-405E-88DE-5E2B8AECF168}.100, result = 0
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Superseded rule, updateId =
{7AFF988B-7622-405E-88DE-5E2B8AECF168}.100, result = 0
2005-08-16 10:35:56 1240 3a4 Agent Final detection state for update 248967
(updateId = {7AFF988B-7622-405E-88DE-5E2B8AECF168}.100) is "Installed"
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Installable rule, updateId =
{982BEA34-357C-4BEE-80E1-9F325A99464C}.100, result = 1
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: FileVersion expression:
path=\sp3res.dll, comparison=4
2005-08-16 10:35:56 1240 3a4 EEHndlr The full path of the filename is
C:\WINNT\system32\sp3res.dll
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: FileVersion evaluated to 1,
return hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr Evaluation of Expression 10 returned hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr The full path of the filename is
C:\WINNT\system32\kdcsvc.dll
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: FileExists evaluated to 1, return
hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr Evaluation of Expression 8 returned hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: FileVersion expression:
path=\kdcsvc.dll, comparison=4
2005-08-16 10:35:56 1240 3a4 EEHndlr The full path of the filename is
C:\WINNT\system32\kdcsvc.dll
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: FileVersion evaluated to 0,
return hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr Evaluation of Expression 10 returned hr=0
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Installed rule, updateId =
{982BEA34-357C-4BEE-80E1-9F325A99464C}.100, result = 0
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Superseded rule, updateId =
{982BEA34-357C-4BEE-80E1-9F325A99464C}.100, result = 0
2005-08-16 10:35:56 1240 3a4 Agent Final detection state for update 249045
(updateId = {982BEA34-357C-4BEE-80E1-9F325A99464C}.100) is "Installable"
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Installable rule, updateId =
{1E64EA74-7D66-4E2B-A5D0-A04DCE164A75}.100, result = 0
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Installed rule, updateId =
{1E64EA74-7D66-4E2B-A5D0-A04DCE164A75}.100, result = 0
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Superseded rule, updateId =
{1E64EA74-7D66-4E2B-A5D0-A04DCE164A75}.100, result = 0
2005-08-16 10:35:56 1240 3a4 Agent Final detection state for update 249048
(updateId = {1E64EA74-7D66-4E2B-A5D0-A04DCE164A75}.100) is "Installable"
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Installable rule, updateId =
{271249A1-AD58-4798-8376-6580A8176783}.100, result = 1
2005-08-16 10:35:56 1240 3a4 EEHndlr The full path of the filename is
C:\WINNT\system32\spoolsv.exe
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: FileExists evaluated to 1, return
hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr Evaluation of Expression 8 returned hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: FileVersion expression:
path=\spoolsv.exe, comparison=4
2005-08-16 10:35:56 1240 3a4 EEHndlr The full path of the filename is
C:\WINNT\system32\spoolsv.exe
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: FileVersion evaluated to 1,
return hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr Evaluation of Expression 10 returned hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr The full path of the filename is
C:\WINNT\system32\spoolss.dll
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: FileExists evaluated to 1, return
hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr Evaluation of Expression 8 returned hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: FileVersion expression:
path=\spoolss.dll, comparison=4
2005-08-16 10:35:56 1240 3a4 EEHndlr The full path of the filename is
C:\WINNT\system32\spoolss.dll
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: FileVersion evaluated to 1,
return hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr Evaluation of Expression 10 returned hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr The full path of the filename is
C:\WINNT\system32\WIN32SPL.DLL
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: FileExists evaluated to 1, return
hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr Evaluation of Expression 8 returned hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: FileVersion expression:
path=\WIN32SPL.DLL, comparison=4
2005-08-16 10:35:56 1240 3a4 EEHndlr The full path of the filename is
C:\WINNT\system32\WIN32SPL.DLL
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: FileVersion evaluated to 1,
return hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr Evaluation of Expression 10 returned hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr The full path of the filename is
C:\WINNT\system32\faxui.dll
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: FileExists evaluated to 1, return
hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr Evaluation of Expression 8 returned hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: FileVersion expression:
path=\faxui.dll, comparison=4
2005-08-16 10:35:56 1240 3a4 EEHndlr The full path of the filename is
C:\WINNT\system32\faxui.dll
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: FileVersion evaluated to 1,
return hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr Evaluation of Expression 10 returned hr=0
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Installed rule, updateId =
{271249A1-AD58-4798-8376-6580A8176783}.100, result = 1
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Superseded rule, updateId =
{271249A1-AD58-4798-8376-6580A8176783}.100, result = 0
2005-08-16 10:35:56 1240 3a4 Agent Final detection state for update 249126
(updateId = {271249A1-AD58-4798-8376-6580A8176783}.100) is "Installed"
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Installable rule, updateId =
{1381E7AE-1C7C-401E-A6A8-539DF3612C0C}.100, result = 0
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Installed rule, updateId =
{1381E7AE-1C7C-401E-A6A8-539DF3612C0C}.100, result = 0
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Superseded rule, updateId =
{1381E7AE-1C7C-401E-A6A8-539DF3612C0C}.100, result = 0
2005-08-16 10:35:56 1240 3a4 Agent Final detection state for update 249129
(updateId = {1381E7AE-1C7C-401E-A6A8-539DF3612C0C}.100) is "Installed"
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Installable rule, updateId =
{0E92D34B-B97B-471E-98D1-46722113113F}.100, result = 0
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: FileVersion expression:
path=drivers\afs2k.sys, comparison=3
2005-08-16 10:35:56 1240 3a4 EEHndlr The full path of the filename is
C:\WINNT\system32\drivers\afs2k.sys
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: FileVersion evaluated to 0,
return hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr Evaluation of Expression 10 returned hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: FileVersion expression:
path=drivers\afs2k.sys, comparison=3
2005-08-16 10:35:56 1240 3a4 EEHndlr The full path of the filename is
C:\WINNT\system32\drivers\afs2k.sys
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: FileVersion evaluated to 0,
return hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr Evaluation of Expression 10 returned hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: FileVersion expression:
path=drivers\afs2k.sys, comparison=3
2005-08-16 10:35:56 1240 3a4 EEHndlr The full path of the filename is
C:\WINNT\system32\drivers\afs2k.sys
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: FileVersion evaluated to 0,
return hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr Evaluation of Expression 10 returned hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: FileVersion expression:
path=drivers\afs2k.sys, comparison=3
2005-08-16 10:35:56 1240 3a4 EEHndlr The full path of the filename is
C:\WINNT\system32\drivers\afs2k.sys
2005-08-16 10:35:56 1240 3a4 EEHndlr EE: FileVersion evaluated to 0,
return hr=0
2005-08-16 10:35:56 1240 3a4 EEHndlr Evaluation of Expression 10 returned hr=0
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Installed rule, updateId =
{0E92D34B-B97B-471E-98D1-46722113113F}.100, result = 0
2005-08-16 10:35:56 1240 3a4 Agent Evaluated Superseded rule, updateId =
{0E92D34B-B97B-471E-98D1-46722113113F}.100, result = 0
2005-08-16 10:35:56 1240 3a4 Agent Final detection state for update 250965
(updateId = {0E92D34B-B97B-471E-98D1-46722113113F}.100) is "NotApplicable"
2005-08-16 10:35:56 1240 3a4 Agent prune update list before Install
2005-08-16 10:35:56 1240 3a4 Handler Attempting to create remote handler
process as HONDA6758\rchan in session 0
2005-08-16 10:35:58 1924 6fc Misc =========== Logging initialized (build:
5.8.0.2469, tz: -0400) ===========
2005-08-16 10:35:58 1924 6fc Misc = Process: C:\WINNT\system32\wuauclt.exe
2005-08-16 10:35:58 1924 6fc AUClnt FATAL: Error: 0x80070005. wuauclt
handler: failed to spawn COM server
2005-08-16 10:35:58 1240 3a4 Handler FATAL: 0x80070005: ERROR: Remote update
handler container process created (PID: 1924), but exited before signaling
event
2005-08-16 10:35:58 1240 3a4 Agent * WARNING: Exit code = 0x80070005
2005-08-16 10:35:58 1240 3a4 Agent *********
2005-08-16 10:35:58 1240 3a4 Agent ** END ** Agent: Installing updates
[CallerId = MicrosoftUpdate]
2005-08-16 10:35:58 1240 3a4 Agent *************
2005-08-16 10:35:58 1240 3a4 Agent WARNING: WU client failed installing
updates with error 0x80070005
2005-08-16 10:35:58 1348 84c COMAPI >>-- RESUMED -- COMAPI: Install
[ClientId = MicrosoftUpdate]
2005-08-16 10:35:58 1348 84c COMAPI - Install call failed
2005-08-16 10:35:58 1348 84c COMAPI - Reboot required = No
2005-08-16 10:35:58 1348 84c COMAPI - WARNING: Exit code = 0x80240FFF;
Call error code = 0x80070005
2005-08-16 10:35:58 1348 84c COMAPI ---------
2005-08-16 10:35:58 1348 84c COMAPI -- END -- COMAPI: Install [ClientId =
MicrosoftUpdate]
2005-08-16 10:35:58 1348 84c COMAPI -------------
2005-08-16 10:35:58 1240 3a4 Agent WU client calls back to install call
{2344CE33-E62E-4E32-8960-99F6A3BF87D3} with code Call failed and error
0x80070005
2005-08-16 10:35:58 1240 3a4 Agent WU client completed and deleted call
{2344CE33-E62E-4E32-8960-99F6A3BF87D3}
2005-08-16 10:35:59 1348 6d8 COMAPI WARNING: Operation failed due to earlier
error, hr=80070005
2005-08-16 10:35:59 1240 354 Agent ISusInternal API failed
CClientCallRecorder::DisconnectCall with error 0x8024000c
2005-08-16 10:35:59 1348 6d8 COMAPI ISusInternal::DisconnectCall failed,
hr=8024000C
2005-08-16 10:36:06 1240 68c Agent ISusInternal API failed
Robert Aldwinckle
> Hi Robert,
>
> Activated the "detailed log" as per KB902093.
> Tried updating from WU and view the log file...it was huge!
Well, I think you could have reduced it by trying only one update at a time? ;)
Normally you could have further reduced it by limiting the test to just a download
(e.g. using the prompts) but I don't think you are getting that far.
BTW keep 823353 for last as it has its own problems... <eg>
(e.g. see many other threads about OE6sp1 updates)
> The last few lines seems the same as before, indicating wuauclt handler:
> failed to spawn COM server.
Yes. Unfortunately verbose is doing nothing to clarify this portion:
<extract>
2005-08-16 10:35:56 1240 3a4 Handler Attempting to create remote handler process as HONDA6758\rchan in session 0
2005-08-16 10:35:58 1924 6fc Misc =========== Logging initialized (build: 5.8.0.2469, tz: -0400) ===========
2005-08-16 10:35:58 1924 6fc Misc = Process: C:\WINNT\system32\wuauclt.exe
2005-08-16 10:35:58 1924 6fc AUClnt FATAL: Error: 0x80070005. wuauclt handler: failed to spawn COM server
2005-08-16 10:35:58 1240 3a4 Handler FATAL: 0x80070005: ERROR: Remote update handler container process created (PID: 1924), but
exited before signaling event
</extract>
I think you are only going to be able to get a handle on this with RegMon.
It looks as if you may be able to get away with a fairly restrictive filter
(e.g. all entries for wuauclt.exe) so you probably don't need to run
a concurrent FileMon in order to find an appropriate context within
the RegMon trace, though I think it could make the analysis much easier.
Certainly the timestamps in these log records are going to be useless for
telling you when the error was first detected.
> The rest....don't understand.....
Well, I have some ideas but as I said I think you should try
limiting the test to a download *only* of one update *only*.
Trying to do too much at once just makes it harder to figure
out what isn't happening.
As for RegMon it's really pretty simple to use. Just download it
from SysInternals, install it and start it when you want to trace.
It always prompts you for an Include filter before starting.
As I said I think that wuauclt would be sufficient for this case.
If you want to use FileMon, same thing and the filter will be
WindowsUpdate.log Don't forget to check the Clock Time
and Milleseconds options on both. To capture their output
just select all records with a normal Windows keyboard
procedure such as Home, Shift-End,Ctrl-c (actually, I guess
if the selected line is already at the bottom that Shift-Home,
Ctrl-c would be more efficient <w>).
HTH
Robert
---
Raymond
I did only download and try to install just 1 update.....WU listed all
available updates, I clear all and selected only one. I guess the log record
all these as well...
Anyway, will try the RegMon as suggested and post it later. Got to catch up
with some of the daily work.
Thanks again.
Raymond
Following is the log from RegMon (hope I did it right), filter with wuauclt
as suggested.
Deleted some lines that says "SUSCESS KEY: xxxxx" cause the file is too big
again.
I don't know how to read it....please help and see if you can find any clue?
Thanks!!
Here is the log:
1 16:30:09.410 svchost.exe:1156 OpenKey HKLM\Software\Microsoft\Windows
NT\CurrentVersion\Image File Execution Options\wuauclt.exe NOTFOUND
2 16:30:09.410 wuauclt.exe:1844 OpenKey HKLM\Software\Microsoft\Windows
NT\CurrentVersion\Image File Execution Options\wuauclt.exe NOTFOUND
3 16:30:09.410 wuauclt.exe:1844 OpenKey HKLM\Software\Microsoft\Windows
NT\CurrentVersion\Image File Execution Options\wuauclt.exe NOTFOUND
4 16:30:09.410 wuauclt.exe:1844 OpenKey HKLM\Software\Microsoft\Windows
NT\CurrentVersion\Image File Execution Options\wuauclt.exe NOTFOUND
5 16:30:09.470 wuauclt.exe:1844 OpenKey HKLM\Software\Microsoft\Windows
NT\CurrentVersion\Image File Execution Options\wuauclt.exe NOTFOUND
7 16:30:09.470 wuauclt.exe:1844 QueryValue HKLM\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode NOTFOUND
10 16:30:09.470 wuauclt.exe:1844 QueryValue HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\LeakTrack NOTFOUND
13 16:30:09.470 wuauclt.exe:1844 OpenKey HKLM\Software\Microsoft\Windows
NT\CurrentVersion\Diagnostics NOTFOUND
14 16:30:09.470 wuauclt.exe:1844 OpenKey HKLM\System\CurrentControlSet\Control\Error Message Instrument\ NOTFOUND
16 16:30:09.470 wuauclt.exe:1844 QueryValue HKLM\Software\Microsoft\Windows
NT\CurrentVersion\Compatibility32\wuauclt NOTFOUND
19 16:30:09.470 wuauclt.exe:1844 QueryValue HKLM\Software\Microsoft\Windows
NT\CurrentVersion\Compatibility2\wuauclt5.2 NOTFOUND
22 16:30:09.470 wuauclt.exe:1844 QueryValue HKLM\Software\Microsoft\Windows
NT\CurrentVersion\IME Compatibility\wuauclt NOTFOUND
24 16:30:09.470 wuauclt.exe:1844 OpenKey HKLM\System\CurrentControlSet\Control\Session Manager\AppCompatibility\wuauclt.exe NOTFOUND
30 16:30:09.470 wuauclt.exe:1844 QueryValue HKCU\Control
Panel\Desktop\SmoothScroll NOTFOUND
33 16:30:09.470 wuauclt.exe:1844 QueryValue HKLM\System\CurrentControlSet\Control\Session Manager\AdditionalBaseNamedObjectsProtectionMode NOTFOUND
36 16:30:09.470 wuauclt.exe:1844 QueryValue HKLM\SOFTWARE\Microsoft\OLE\PageAllocatorUseSystemHeap NOTFOUND
39 16:30:09.470 wuauclt.exe:1844 QueryValue HKLM\SOFTWARE\Microsoft\OLE\PageAllocatorSystemHeapIsPrivate NOTFOUND
50 16:30:09.470 wuauclt.exe:1844 OpenKey HKLM\SOFTWARE\Microsoft\OLEAUT NOTFOUND
51 16:30:09.470 wuauclt.exe:1844 OpenKey HKLM\SOFTWARE\Microsoft\OLEAUT\UserEra NOTFOUND
52 16:30:09.470 wuauclt.exe:1844 OpenKey HKLM\SOFTWARE\Microsoft\OLEAUT NOTFOUND
63 16:30:09.470 wuauclt.exe:1844 OpenKey HKCU\Software\Policies\Microsoft\Control Panel\Desktop NOTFOUND
65 16:30:09.470 wuauclt.exe:1844 QueryValue HKCU\Control
Panel\Desktop\MultiUILanguageId NOTFOUND
75 16:30:09.470 wuauclt.exe:1844 QueryValue HKLM\Software\Microsoft\Windows
NT\CurrentVersion\winlogon\UserEnvDebugLevel NOTFOUND
77 16:30:09.470 wuauclt.exe:1844 OpenKey HKLM\Software\Policies\Microsoft\Windows\System NOTFOUND
78 16:30:09.470 wuauclt.exe:1844 OpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Performance NOTFOUND
116 16:30:09.480 wuauclt.exe:1844 QueryValue HKLM\Software\Policies\Microsoft\System\DNSclient\PrimaryDnsSuffix NOTFOUND
121 16:30:09.480 wuauclt.exe:1844 OpenKey HKLM\System\CurrentControlSet\Services\DNS NOTFOUND
130 16:30:09.480 wuauclt.exe:1844 QueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DnsTest NOTFOUND
141 16:30:09.480 wuauclt.exe:1844 QueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\UpdateSecurityLevel NOTFOUND
144 16:30:09.480 wuauclt.exe:1844 QueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\RemoteDnsResolver NOTFOUND
147 16:30:09.480 wuauclt.exe:1844 QueryValue HKLM\System\CurrentControlSet\Services\DnsCache\Parameters\UpdateTopLevelDomainZones NOTFOUND
149 16:30:09.480 wuauclt.exe:1844 OpenKey HKLM\System\CurrentControlSet\Services\LDAP NOTFOUND
154 16:30:09.480 wuauclt.exe:1844 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\Tracing NOTFOUND
155 16:30:09.480 wuauclt.exe:1844 OpenKey HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\msasn1 NOTFOUND
156 16:30:09.490 wuauclt.exe:1844 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace NOTFOUND
157 16:30:09.490 wuauclt.exe:1844 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\Misc NOTFOUND
158 16:30:09.490 wuauclt.exe:1844 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\Report NOTFOUND
159 16:30:09.490 wuauclt.exe:1844 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\Setup NOTFOUND
160 16:30:09.490 wuauclt.exe:1844 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\Service NOTFOUND
161 16:30:09.500 wuauclt.exe:1844 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\Agent NOTFOUND
162 16:30:09.500 wuauclt.exe:1844 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\AU NOTFOUND
163 16:30:09.500 wuauclt.exe:1844 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\AUClnt NOTFOUND
164 16:30:09.500 wuauclt.exe:1844 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\WUWeb NOTFOUND
165 16:30:09.500 wuauclt.exe:1844 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\DtaStor NOTFOUND
166 16:30:09.510 wuauclt.exe:1844 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\CDM NOTFOUND
167 16:30:09.510 wuauclt.exe:1844 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\PT NOTFOUND
168 16:30:09.510 wuauclt.exe:1844 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\Driver NOTFOUND
169 16:30:09.510 wuauclt.exe:1844 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\COMAPI NOTFOUND
170 16:30:09.510 wuauclt.exe:1844 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\Parser NOTFOUND
171 16:30:09.510 wuauclt.exe:1844 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\Handler NOTFOUND
172 16:30:09.520 wuauclt.exe:1844 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\EEHndlr NOTFOUND
173 16:30:09.520 wuauclt.exe:1844 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\DnldMgr NOTFOUND
174 16:30:09.520 wuauclt.exe:1844 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\Cmpress NOTFOUND
175 16:30:09.520 wuauclt.exe:1844 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\Shutdwn NOTFOUND
176 16:30:09.520 wuauclt.exe:1844 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\WuRedir NOTFOUND
177 16:30:09.530 wuauclt.exe:1844 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\OfflSnc NOTFOUND
178 16:30:09.530 wuauclt.exe:1844 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\Trace NOTFOUND
179 16:30:09.530 wuauclt.exe:1844 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\TraceTestMain NOTFOUND
180 16:30:09.530 wuauclt.exe:1844 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\TraceTestThreads NOTFOUND
181 16:30:09.530 wuauclt.exe:1844 CreateKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Key: 0xE42E7C80
182 16:30:09.530 wuauclt.exe:1844 SetValue HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed SUCCESS 00 0E 08 0E 1A 56 F6 09 ...
183 16:30:09.530 wuauclt.exe:1844 CloseKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Key: 0xE42E7C80
184 16:30:09.530 wuauclt.exe:1844 CreateKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Key: 0xE42E7C80
185 16:30:09.530 wuauclt.exe:1844 SetValue HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed SUCCESS 9D 0D 92 5C 03 50 74 CF ...
186 16:30:09.530 wuauclt.exe:1844 CloseKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Key: 0xE42E7C80
187 16:30:09.530 wuauclt.exe:1844 CreateKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Key: 0xE42E7C80
188 16:30:09.530 wuauclt.exe:1844 SetValue HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed SUCCESS E8 A0 86 BE 97 E0 7F C7 ...
189 16:30:09.530 wuauclt.exe:1844 CloseKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Key: 0xE42E7C80
190 16:30:09.530 wuauclt.exe:1844 CreateKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Key: 0xE42E7C80
191 16:30:09.540 wuauclt.exe:1844 SetValue HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed SUCCESS 3D F5 76 AC 02 6A E0 04 ...
192 16:30:09.540 wuauclt.exe:1844 CloseKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Key: 0xE42E7C80
193 16:30:09.540 wuauclt.exe:1844 CreateKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Key: 0xE42E7C80
194 16:30:09.540 wuauclt.exe:1844 SetValue HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed SUCCESS 68 75 B3 D7 55 BA 69 17 ...
195 16:30:09.540 wuauclt.exe:1844 CloseKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Key: 0xE42E7C80
196 16:30:09.540 wuauclt.exe:1844 CreateKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Key: 0xE42E7C80
197 16:30:09.540 wuauclt.exe:1844 SetValue HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed SUCCESS C3 4F DA 6C FD B4 AD 0F ...
198 16:30:09.540 wuauclt.exe:1844 CloseKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Key: 0xE42E7C80
199 16:30:09.540 wuauclt.exe:1844 OpenKey HKLM\Software\Microsoft\COM3\Debug NOTFOUND
200 16:30:09.540 wuauclt.exe:1844 OpenKey HKLM\Software\Microsoft\COM3\Debug NOTFOUND
217 16:30:09.540 wuauclt.exe:1844 QueryValue HKLM\Software\Microsoft\COM3\REGDBVersion SUCCESS FD 00 00 00 00 00 00 00
218 16:30:09.540 wuauclt.exe:1844 CloseKey HKLM\Software\Microsoft\COM3 SUCCESS Key: 0xE5181F60
219 16:30:09.540 wuauclt.exe:1844 QueryKey HKCU SUCCESS Name:
\REGISTRY\USER\S-1-5-21-2647719360-2671216974-3573895149-11018_Classes
220 16:30:09.540 wuauclt.exe:1844 OpenKey HKCU\CLSID\{E60687F7-01A1-40AA-86AC-DB1CBF673334} NOTFOUND
223 16:30:09.540 wuauclt.exe:1844 OpenKey HKCU\CLSID\{E60687F7-01A1-40AA-86AC-DB1CBF673334}\TreatAs NOTFOUND
224 16:30:09.540 wuauclt.exe:1844 OpenKey HKCR\CLSID\{E60687F7-01A1-40AA-86AC-DB1CBF673334}\TreatAs NOTFOUND
225 16:30:09.540 wuauclt.exe:1844 QueryKey HKCU SUCCESS Name:
\REGISTRY\USER\S-1-5-21-2647719360-2671216974-3573895149-11018_Classes
226 16:30:09.540 wuauclt.exe:1844 OpenKey HKCU SUCCESS Key: 0xE5331460
227 16:30:09.540 wuauclt.exe:1844 CloseKey HKCR\CLSID\{E60687F7-01A1-40AA-86AC-DB1CBF673334} SUCCESS Key: 0xE4F97E40
228 16:30:09.540 wuauclt.exe:1844 QueryKey HKCU SUCCESS Name:
\REGISTRY\USER\S-1-5-21-2647719360-2671216974-3573895149-11018_Classes
229 16:30:09.540 wuauclt.exe:1844 OpenKey HKCU\CLSID\{E60687F7-01A1-40AA-86AC-DB1CBF673334} NOTFOUND
230 16:30:09.540 wuauclt.exe:1844 OpenKey HKCR\CLSID\{E60687F7-01A1-40AA-86AC-DB1CBF673334} SUCCESS Key: 0xE4F97E40
231 16:30:09.540 wuauclt.exe:1844 QueryKey HKCR\CLSID\{E60687F7-01A1-40AA-86AC-DB1CBF673334} SUCCESS Name:
\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{E60687F7-01A1-40AA-86AC-DB1CBF673334}
232 16:30:09.540 wuauclt.exe:1844 OpenKey HKCU\CLSID\{E60687F7-01A1-40AA-86AC-DB1CBF673334}\LocalServer32 NOTFOUND
233 16:30:09.540 wuauclt.exe:1844 OpenKey HKCR\CLSID\{E60687F7-01A1-40AA-86AC-DB1CBF673334}\LocalServer32 NOTFOUND
234 16:30:09.540 wuauclt.exe:1844 QueryKey HKCR\CLSID\{E60687F7-01A1-40AA-86AC-DB1CBF673334} SUCCESS Name:
\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{E60687F7-01A1-40AA-86AC-DB1CBF673334}
235 16:30:09.540 wuauclt.exe:1844 OpenKey HKCU\CLSID\{E60687F7-01A1-40AA-86AC-DB1CBF673334}\LocalServer32 NOTFOUND
236 16:30:09.540 wuauclt.exe:1844 OpenKey HKCR\CLSID\{E60687F7-01A1-40AA-86AC-DB1CBF673334}\LocalServer32 NOTFOUND
237 16:30:09.540 wuauclt.exe:1844 QueryKey HKCR\CLSID\{E60687F7-01A1-40AA-86AC-DB1CBF673334} SUCCESS Name:
\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{E60687F7-01A1-40AA-86AC-DB1CBF673334}
238 16:30:09.540 wuauclt.exe:1844 OpenKey HKCU\CLSID\{E60687F7-01A1-40AA-86AC-DB1CBF673334}\LocalServer NOTFOUND
239 16:30:09.540 wuauclt.exe:1844 OpenKey HKCR\CLSID\{E60687F7-01A1-40AA-86AC-DB1CBF673334}\LocalServer NOTFOUND
240 16:30:09.540 wuauclt.exe:1844 QueryKey HKCU SUCCESS Name:
\REGISTRY\USER\S-1-5-21-2647719360-2671216974-3573895149-11018_Classes
241 16:30:09.540 wuauclt.exe:1844 OpenKey HKCU\CLSID\{E60687F7-01A1-40AA-86AC-DB1CBF673334} NOTFOUND
242 16:30:09.540 wuauclt.exe:1844 OpenKey HKCR\CLSID\{E60687F7-01A1-40AA-86AC-DB1CBF673334} SUCCESS Key: 0xE54A3420
243 16:30:09.540 wuauclt.exe:1844 QueryKey HKCR\CLSID\{E60687F7-01A1-40AA-86AC-DB1CBF673334} SUCCESS Name:
\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{E60687F7-01A1-40AA-86AC-DB1CBF673334}
244 16:30:09.540 wuauclt.exe:1844 OpenKey HKCU\CLSID\{E60687F7-01A1-40AA-86AC-DB1CBF673334} NOTFOUND
245 16:30:09.540 wuauclt.exe:1844 QueryValue HKCR\CLSID\{E60687F7-01A1-40AA-86AC-DB1CBF673334}\AppID SUCCESS "{653C5148-4DCE-4905-9CFD-1B23662D3D9E}"
246 16:30:09.540 wuauclt.exe:1844 CloseKey HKCR\CLSID\{E60687F7-01A1-40AA-86AC-DB1CBF673334} SUCCESS Key: 0xE54A3420
247 16:30:09.540 wuauclt.exe:1844 QueryKey HKCU SUCCESS Name:
\REGISTRY\USER\S-1-5-21-2647719360-2671216974-3573895149-11018_Classes
248 16:30:09.540 wuauclt.exe:1844 OpenKey HKCU\AppID\{653C5148-4DCE-4905-9CFD-1B23662D3D9E} NOTFOUND
249 16:30:09.540 wuauclt.exe:1844 OpenKey HKCR\AppID\{653C5148-4DCE-4905-9CFD-1B23662D3D9E} SUCCESS Key: 0xE56404C0
250 16:30:09.540 wuauclt.exe:1844 QueryKey HKCR\AppID\{653C5148-4DCE-4905-9CFD-1B23662D3D9E} SUCCESS Name:
\REGISTRY\MACHINE\SOFTWARE\CLASSES\AppID\{653C5148-4DCE-4905-9CFD-1B23662D3D9E}
251 16:30:09.540 wuauclt.exe:1844 OpenKey HKCU\AppID\{653C5148-4DCE-4905-9CFD-1B23662D3D9E} NOTFOUND
252 16:30:09.540 wuauclt.exe:1844 QueryValue HKCR\AppID\{653C5148-4DCE-4905-9CFD-1B23662D3D9E}\DllSurrogate NOTFOUND
253 16:30:09.540 wuauclt.exe:1844 QueryKey HKCR\AppID\{653C5148-4DCE-4905-9CFD-1B23662D3D9E} SUCCESS Name:
\REGISTRY\MACHINE\SOFTWARE\CLASSES\AppID\{653C5148-4DCE-4905-9CFD-1B23662D3D9E}
254 16:30:09.540 wuauclt.exe:1844 OpenKey HKCU\AppID\{653C5148-4DCE-4905-9CFD-1B23662D3D9E} NOTFOUND
255 16:30:09.540 wuauclt.exe:1844 QueryValue HKCR\AppID\{653C5148-4DCE-4905-9CFD-1B23662D3D9E}\LocalService SUCCESS "wuauserv"
256 16:30:09.540 wuauclt.exe:1844 CloseKey HKCR\AppID\{653C5148-4DCE-4905-9CFD-1B23662D3D9E} SUCCESS Key: 0xE56404C0
257 16:30:09.540 wuauclt.exe:1844 CloseKey HKCR\CLSID\{E60687F7-01A1-40AA-86AC-DB1CBF673334} SUCCESS Key: 0xE4F97E40
258 16:30:09.540 wuauclt.exe:1844 OpenKey HKLM\Software\Microsoft\Rpc\RobustMode NOTFOUND
259 16:30:09.540 wuauclt.exe:1844 OpenKey HKLM\Software\Microsoft\Rpc SUCCESS Key: 0xE4F97E40
260 16:30:09.540 wuauclt.exe:1844 QueryValue HKLM\Software\Microsoft\Rpc\MaxRpcSize NOTFOUND
261 16:30:09.540 wuauclt.exe:1844 CloseKey HKLM\Software\Microsoft\Rpc SUCCESS Key: 0xE4F97E40
262 16:30:09.540 wuauclt.exe:1844 OpenKey HKLM\Software\Microsoft\Windows
NT\CurrentVersion\Image File Execution
Options\wuauclt.exe\RpcThreadPoolThrottle NOTFOUND
265 16:30:09.540 wuauclt.exe:1844 OpenKey HKCU\AppID\wuauclt.exe NOTFOUND
266 16:30:09.540 wuauclt.exe:1844 OpenKey HKCR\AppID\wuauclt.exe NOTFOUND
285 16:30:09.550 wuauclt.exe:1844 QueryValue HKLM\Software\Microsoft\Ole\MaximumAllowedAllocationSize NOTFOUND
286 16:30:09.550 wuauclt.exe:1844 CloseKey HKLM\Software\Microsoft\Ole SUCCESS Key: 0xE4F93120
287 16:30:09.550 wuauclt.exe:1844 OpenKey HKCU SUCCESS Key: 0xE4F93120
288 16:30:09.550 wuauclt.exe:1844 QueryKey HKCU SUCCESS Name:
\REGISTRY\USER\S-1-5-21-2647719360-2671216974-3573895149-11018_Classes
289 16:30:09.550 wuauclt.exe:1844 OpenKey HKCU\Interface\{A9738FF1-D821-4029-8932-BA5186AFB68C} NOTFOUND
290 16:30:09.550 wuauclt.exe:1844 OpenKey HKCR\Interface\{A9738FF1-D821-4029-8932-BA5186AFB68C} SUCCESS Key: 0xE41C0220
291 16:30:09.550 wuauclt.exe:1844 CloseKey HKCU SUCCESS Key: 0xE4F93120
292 16:30:09.550 wuauclt.exe:1844 QueryKey HKCR\Interface\{A9738FF1-D821-4029-8932-BA5186AFB68C} SUCCESS Name:
\REGISTRY\MACHINE\SOFTWARE\CLASSES\Interface\{A9738FF1-D821-4029-8932-BA5186AFB68C}
293 16:30:09.550 wuauclt.exe:1844 OpenKey HKCU\Interface\{A9738FF1-D821-4029-8932-BA5186AFB68C}\ProxyStubClsid32 NOTFOUND
294 16:30:09.550 wuauclt.exe:1844 OpenKey HKCR\Interface\{A9738FF1-D821-4029-8932-BA5186AFB68C}\ProxyStubClsid32 SUCCESS Key: 0xE53D4C60
295 16:30:09.550 wuauclt.exe:1844 QueryKey HKCR\Interface\{A9738FF1-D821-4029-8932-BA5186AFB68C}\ProxyStubClsid32 SUCCESS Name:
\REGISTRY\MACHINE\SOFTWARE\CLASSES\Interface\{A9738FF1-D821-4029-8932-BA5186AFB68C}\ProxyStubClsid32
296 16:30:09.550 wuauclt.exe:1844 OpenKey HKCU\Interface\{A9738FF1-D821-4029-8932-BA5186AFB68C}\ProxyStubClsid32 NOTFOUND
297 16:30:09.550 wuauclt.exe:1844 QueryValue HKCR\Interface\{A9738FF1-D821-4029-8932-BA5186AFB68C}\ProxyStubClsid32\(Default) SUCCESS "{A9738FF1-D821-4029-8932-BA5186AFB68C}"
298 16:30:09.550 wuauclt.exe:1844 CloseKey HKCR\Interface\{A9738FF1-D821-4029-8932-BA5186AFB68C}\ProxyStubClsid32 SUCCESS Key: 0xE53D4C60
299 16:30:09.550 wuauclt.exe:1844 CloseKey HKCR\Interface\{A9738FF1-D821-4029-8932-BA5186AFB68C} SUCCESS Key: 0xE41C0220
300 16:30:09.550 wuauclt.exe:1844 OpenKey HKLM\Software\Microsoft\COM3 SUCCESS Key: 0xE41C0220
301 16:30:09.550 wuauclt.exe:1844 QueryValue HKLM\Software\Microsoft\COM3\REGDBVersion SUCCESS FD 00 00 00 00 00 00 00
302 16:30:09.550 wuauclt.exe:1844 CloseKey HKLM\Software\Microsoft\COM3 SUCCESS Key: 0xE41C0220
303 16:30:09.550 wuauclt.exe:1844 QueryKey HKCU SUCCESS Name:
\REGISTRY\USER\S-1-5-21-2647719360-2671216974-3573895149-11018_Classes
304 16:30:09.550 wuauclt.exe:1844 OpenKey HKCU\CLSID\{A9738FF1-D821-4029-8932-BA5186AFB68C} NOTFOUND
305 16:30:09.550 wuauclt.exe:1844 OpenKey HKCR\CLSID\{A9738FF1-D821-4029-8932-BA5186AFB68C} SUCCESS Key: 0xE41C0220
306 16:30:09.550 wuauclt.exe:1844 QueryKey HKCR\CLSID\{A9738FF1-D821-4029-8932-BA5186AFB68C} SUCCESS Name:
\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{A9738FF1-D821-4029-8932-BA5186AFB68C}
307 16:30:09.550 wuauclt.exe:1844 OpenKey HKCU\CLSID\{A9738FF1-D821-4029-8932-BA5186AFB68C}\TreatAs NOTFOUND
308 16:30:09.550 wuauclt.exe:1844 OpenKey HKCR\CLSID\{A9738FF1-D821-4029-8932-BA5186AFB68C}\TreatAs NOTFOUND
309 16:30:09.550 wuauclt.exe:1844 QueryKey HKCU SUCCESS Name:
\REGISTRY\USER\S-1-5-21-2647719360-2671216974-3573895149-11018_Classes
310 16:30:09.550 wuauclt.exe:1844 OpenKey HKCU SUCCESS Key: 0xE53D4C60
311 16:30:09.550 wuauclt.exe:1844 CloseKey HKCR\CLSID\{A9738FF1-D821-4029-8932-BA5186AFB68C} SUCCESS Key: 0xE41C0220
312 16:30:09.550 wuauclt.exe:1844 OpenKey HKCU SUCCESS Key: 0xE41C0220
313 16:30:09.550 wuauclt.exe:1844 QueryKey HKCU SUCCESS Name:
\REGISTRY\USER\S-1-5-21-2647719360-2671216974-3573895149-11018_Classes
314 16:30:09.550 wuauclt.exe:1844 OpenKey HKCU\CLSID\{A9738FF1-D821-4029-8932-BA5186AFB68C} NOTFOUND
315 16:30:09.550 wuauclt.exe:1844 OpenKey HKCR\CLSID\{A9738FF1-D821-4029-8932-BA5186AFB68C} SUCCESS Key: 0xE43B7B00
316 16:30:09.550 wuauclt.exe:1844 CloseKey HKCU SUCCESS Key: 0xE41C0220
317 16:30:09.550 wuauclt.exe:1844 QueryKey HKCR\CLSID\{A9738FF1-D821-4029-8932-BA5186AFB68C} SUCCESS Name:
\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{A9738FF1-D821-4029-8932-BA5186AFB68C}
318 16:30:09.550 wuauclt.exe:1844 OpenKey HKCU\CLSID\{A9738FF1-D821-4029-8932-BA5186AFB68C}\TreatAs NOTFOUND
319 16:30:09.550 wuauclt.exe:1844 OpenKey HKCR\CLSID\{A9738FF1-D821-4029-8932-BA5186AFB68C}\TreatAs NOTFOUND
320 16:30:09.550 wuauclt.exe:1844 CloseKey HKCR\CLSID\{A9738FF1-D821-4029-8932-BA5186AFB68C} SUCCESS Key: 0xE43B7B00
321 16:30:09.550 wuauclt.exe:1844 QueryKey HKCU SUCCESS Name:
\REGISTRY\USER\S-1-5-21-2647719360-2671216974-3573895149-11018_Classes
322 16:30:09.550 wuauclt.exe:1844 OpenKey HKCU\CLSID\{A9738FF1-D821-4029-8932-BA5186AFB68C} NOTFOUND
323 16:30:09.550 wuauclt.exe:1844 OpenKey HKCR\CLSID\{A9738FF1-D821-4029-8932-BA5186AFB68C} SUCCESS Key: 0xE43B7B00
324 16:30:09.550 wuauclt.exe:1844 QueryKey HKCR\CLSID\{A9738FF1-D821-4029-8932-BA5186AFB68C} SUCCESS Name:
\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{A9738FF1-D821-4029-8932-BA5186AFB68C}
325 16:30:09.550 wuauclt.exe:1844 OpenKey HKCU\CLSID\{A9738FF1-D821-4029-8932-BA5186AFB68C}\InprocServer32 NOTFOUND
326 16:30:09.550 wuauclt.exe:1844 OpenKey HKCR\CLSID\{A9738FF1-D821-4029-8932-BA5186AFB68C}\InprocServer32 SUCCESS Key: 0xE56404C0
327 16:30:09.550 wuauclt.exe:1844 QueryKey HKCR\CLSID\{A9738FF1-D821-4029-8932-BA5186AFB68C}\InprocServer32 SUCCESS Name:
\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{A9738FF1-D821-4029-8932-BA5186AFB68C}\InprocServer32
328 16:30:09.550 wuauclt.exe:1844 OpenKey HKCU\CLSID\{A9738FF1-D821-4029-8932-BA5186AFB68C}\InprocServer32 NOTFOUND
329 16:30:09.550 wuauclt.exe:1844 QueryValue HKCR\CLSID\{A9738FF1-D821-4029-8932-BA5186AFB68C}\InprocServer32\InprocServer32 NOTFOUND
330 16:30:09.550 wuauclt.exe:1844 CloseKey HKCR\CLSID\{A9738FF1-D821-4029-8932-BA5186AFB68C}\InprocServer32 SUCCESS Key: 0xE56404C0
331 16:30:09.550 wuauclt.exe:1844 QueryKey HKCR\CLSID\{A9738FF1-D821-4029-8932-BA5186AFB68C} SUCCESS Name:
\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{A9738FF1-D821-4029-8932-BA5186AFB68C}
332 16:30:09.550 wuauclt.exe:1844 OpenKey HKCU\CLSID\{A9738FF1-D821-4029-8932-BA5186AFB68C}\InprocServerX86 NOTFOUND
333 16:30:09.550 wuauclt.exe:1844 OpenKey HKCR\CLSID\{A9738FF1-D821-4029-8932-BA5186AFB68C}\InprocServerX86 NOTFOUND
334 16:30:09.550 wuauclt.exe:1844 QueryKey HKCR\CLSID\{A9738FF1-D821-4029-8932-BA5186AFB68C} SUCCESS Name:
\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{A9738FF1-D821-4029-8932-BA5186AFB68C}
335 16:30:09.550 wuauclt.exe:1844 OpenKey HKCU\CLSID\{A9738FF1-D821-4029-8932-BA5186AFB68C}\InprocServer32 NOTFOUND
336 16:30:09.550 wuauclt.exe:1844 OpenKey HKCR\CLSID\{A9738FF1-D821-4029-8932-BA5186AFB68C}\InprocServer32 SUCCESS Key: 0xE56FE5E0
337 16:30:09.550 wuauclt.exe:1844 QueryKey HKCR\CLSID\{A9738FF1-D821-4029-8932-BA5186AFB68C}\InprocServer32 SUCCESS Name:
\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{A9738FF1-D821-4029-8932-BA5186AFB68C}\InprocServer32
338 16:30:09.550 wuauclt.exe:1844 OpenKey HKCU\CLSID\{A9738FF1-D821-4029-8932-BA5186AFB68C}\InprocServer32 NOTFOUND
339 16:30:09.550 wuauclt.exe:1844 QueryValue HKCR\CLSID\{A9738FF1-D821-4029-8932-BA5186AFB68C}\InprocServer32\(Default) SUCCESS "C:\WINNT\system32\wups2.dll"
340 16:30:09.550 wuauclt.exe:1844 CloseKey HKCR\CLSID\{A9738FF1-D821-4029-8932-BA5186AFB68C}\InprocServer32 SUCCESS Key: 0xE56FE5E0
341 16:30:09.550 wuauclt.exe:1844 CloseKey HKCR\CLSID\{A9738FF1-D821-4029-8932-BA5186AFB68C} SUCCESS Key: 0xE43B7B00
342 16:30:09.550 wuauclt.exe:1844 QueryKey HKCU SUCCESS Name:
\REGISTRY\USER\S-1-5-21-2647719360-2671216974-3573895149-11018_Classes
343 16:30:09.550 wuauclt.exe:1844 OpenKey HKCU\CLSID\{A9738FF1-D821-4029-8932-BA5186AFB68C} NOTFOUND
344 16:30:09.550 wuauclt.exe:1844 OpenKey HKCR\CLSID\{A9738FF1-D821-4029-8932-BA5186AFB68C} SUCCESS Key: 0xE43B7B00
345 16:30:09.550 wuauclt.exe:1844 QueryKey HKCR\CLSID\{A9738FF1-D821-4029-8932-BA5186AFB68C} SUCCESS Name:
\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{A9738FF1-D821-4029-8932-BA5186AFB68C}
346 16:30:09.550 wuauclt.exe:1844 OpenKey HKCU\CLSID\{A9738FF1-D821-4029-8932-BA5186AFB68C}\InprocServer32 NOTFOUND
347 16:30:09.550 wuauclt.exe:1844 OpenKey HKCR\CLSID\{A9738FF1-D821-4029-8932-BA5186AFB68C}\InprocServer32 SUCCESS Key: 0xE56FE5E0
348 16:30:09.550 wuauclt.exe:1844 QueryKey HKCR\CLSID\{A9738FF1-D821-4029-8932-BA5186AFB68C}\InprocServer32 SUCCESS Name:
\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{A9738FF1-D821-4029-8932-BA5186AFB68C}\InprocServer32
349 16:30:09.550 wuauclt.exe:1844 OpenKey HKCU\CLSID\{A9738FF1-D821-4029-8932-BA5186AFB68C}\InprocServer32 NOTFOUND
350 16:30:09.550 wuauclt.exe:1844 QueryValue HKCR\CLSID\{A9738FF1-D821-4029-8932-BA5186AFB68C}\InprocServer32\ThreadingModel SUCCESS "Both"
351 16:30:09.550 wuauclt.exe:1844 CloseKey HKCR\CLSID\{A9738FF1-D821-4029-8932-BA5186AFB68C}\InprocServer32 SUCCESS Key: 0xE56FE5E0
352 16:30:09.550 wuauclt.exe:1844 CloseKey HKCR\CLSID\{A9738FF1-D821-4029-8932-BA5186AFB68C} SUCCESS Key: 0xE43B7B00
353 16:30:09.550 wuauclt.exe:1844 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace NOTFOUND
354 16:30:09.550 wuauclt.exe:1844 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\Misc NOTFOUND
355 16:30:09.590 wuauclt.exe:1844 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\Report NOTFOUND
356 16:30:09.590 wuauclt.exe:1844 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\Setup NOTFOUND
357 16:30:09.590 wuauclt.exe:1844 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\Service NOTFOUND
358 16:30:09.600 wuauclt.exe:1844 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\Agent NOTFOUND
359 16:30:09.600 wuauclt.exe:1844 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\AU NOTFOUND
360 16:30:09.600 wuauclt.exe:1844 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\AUClnt NOTFOUND
361 16:30:09.600 wuauclt.exe:1844 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\WUWeb NOTFOUND
362 16:30:09.600 wuauclt.exe:1844 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\DtaStor NOTFOUND
363 16:30:09.600 wuauclt.exe:1844 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\CDM NOTFOUND
364 16:30:09.611 wuauclt.exe:1844 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\PT NOTFOUND
365 16:30:09.611 wuauclt.exe:1844 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\Driver NOTFOUND
366 16:30:09.611 wuauclt.exe:1844 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\COMAPI NOTFOUND
367 16:30:09.611 wuauclt.exe:1844 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\Parser NOTFOUND
368 16:30:09.611 wuauclt.exe:1844 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\Handler NOTFOUND
369 16:30:09.621 wuauclt.exe:1844 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\EEHndlr NOTFOUND
370 16:30:09.621 wuauclt.exe:1844 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\DnldMgr NOTFOUND
371 16:30:09.621 wuauclt.exe:1844 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\Cmpress NOTFOUND
372 16:30:09.621 wuauclt.exe:1844 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\Shutdwn NOTFOUND
373 16:30:09.621 wuauclt.exe:1844 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\WuRedir NOTFOUND
374 16:30:09.621 wuauclt.exe:1844 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\OfflSnc NOTFOUND
375 16:30:09.631 wuauclt.exe:1844 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\Trace NOTFOUND
376 16:30:09.631 wuauclt.exe:1844 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\TraceTestMain NOTFOUND
377 16:30:09.631 wuauclt.exe:1844 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\TraceTestThreads NOTFOUND
Robert Aldwinckle
> Robert, felt so sorry kept bodering you with my problem.
> Following is the log from RegMon (hope I did it right), filter with wuauclt
> as suggested.
> Deleted some lines that says "SUSCESS KEY: xxxxx" cause the file is too big
> again.
> I don't know how to read it....please help and see if you can find any clue?
> Thanks!!
>
> Here is the log:
Raymond,
I didn't find in here what I was expecting to but it was interesting
nonetheless.
One general impression is that judging by all the NOTFOUND entries
there is a lot of undocumented provision for diagnosis or customization
in the product.
The only specific thing that seems potentially significant is the relative gap
in time between these two records and the fact that they imply something
to do with diagnosis (e.g. perhaps they are occuring in an error recovery
context? Hopefully it is not something as inconsequential as the arrival
of an E-mail or other asynchronous interruption like that. <w>)
> 354 16:30:09.550 wuauclt.exe:1844 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\Misc NOTFOUND
> 355 16:30:09.590 wuauclt.exe:1844 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\Report NOTFOUND
So the next thing that I would try is doing a concurrent FileMon.
If the problem is in the wuauclt process you could use that again as a filter.
But please make sure that the writes to the log are also included
e.g. add ;Update to your FileMon filter. If the pattern of the messages
in the log changes from the ones I previously quoted please also include
a complete context for the new messages from the log in your documentation
(so we can infer a timestamp for them in the FileMon log using their
record lengths.) Again, make sure that both monitors are using the Clock Time
and Milleseconds options or their traces will be much harder to correlate.
Unfortunately, I am not as hopeful now that we will be able to discover
the cause of the problem symptom this way. I was really convinced that
a permissions problem in the registry would show up. It's possible that
instead there is a permissions problem on a directory or file but I think
that that will be less likely.
OTOH someone previously diagnosed a similar symptom (but during the
install phase) as being an obscure problem with branches.inf, so we may
be lucky yet.
In any case if you would like to try to capture that data I am more than
willing to try to help you analyse it.
BTW just to be sure that I'm not missing something important:
the KB902093 article hints that there should be some header
records to identify the AUClnt component. I just realized that
there is an ambiguity in the error message:
<example>
2005-08-16 10:35:58 1924 6fc AUClnt FATAL: Error: 0x80070005. wuauclt handler: failed to spawn COM server
</example>
E.g. I was interpreting this as: component AUClnt (being wuauclt)
is declaring that it failed to do that operation. Therefore, tracing
with filter wuauclt would (hopefully) capture this event.
(I think that colon after handler makes this interpretation likely.)
OTOH if AUClnt is not wuauclt (e.g. perhaps it's service wuauserv
in which case it's svchost.exe) then we would be completely
missing the possibility of capturing the error with the current filter.
Perhaps you should try adding ;svchost.exe to the current filters too?
That reminds me of something else that the FileMon trace would
show us: the account of the wuauclt process. I have noticed
that sometimes there are two such processes, one having my
account and another having the System account. If that's your
case too knowing the details of that difference could be essential
to understanding the error symptom.
HTH
Robert
---
Raymond
Did the Filemon concurent with Regmon.
Filemon filter "wuauclt; Update; svhost.exe" as suggested.
Regmon same as before, "wuauclt"
Update tried : KB899587
The Regmon result basically the same.
Tried to understand how to compare/read/analysis the log from both sources
from yr post with Fortunatov...sorry, really don't understand....
What I did is delete most of the "Success" lines from Filemon and include
those lines that has the same time value from Regmon.....hope that is ok...
If you need more detailed entries, please let me know and I'll post as much
as possible.
Again, really appreciate your help!!
Here is the Filemon:
1 12:57:11.617 svchost.exe:1068 OPEN C:\WINNT\system32\wuauclt.exe SUCCESS Options: Open Access: All
2 12:57:11.617 svchost.exe:1068 QUERY
INFORMATION C:\WINNT\system32\wuauclt.exe SUCCESS Attributes: A
3 12:57:11.617 svchost.exe:1068 CLOSE C:\WINNT\system32\wuauclt.exe SUCCESS
4 12:57:11.617 svchost.exe:1068 OPEN C:\WINNT\system32\wuauclt.exe SUCCESS Options: Open Access: All
5 12:57:11.617 svchost.exe:1068 QUERY
INFORMATION C:\WINNT\system32\wuauclt.exe SUCCESS Attributes: A
6 12:57:11.617 svchost.exe:1068 CLOSE C:\WINNT\system32\wuauclt.exe SUCCESS
7 12:57:11.617 svchost.exe:1068 OPEN C:\WINNT\system32\wuauclt.exe SUCCESS Options: Open Access: Execute
8 12:57:11.617 svchost.exe:1068 OPEN C:\WINNT\system32\wuauclt.exe SUCCESS Options: Open Access: All
9 12:57:11.617 svchost.exe:1068 CLOSE C:\WINNT\system32\wuauclt.exe SUCCESS
10 12:57:11.617 svchost.exe:1068 OPEN C:\WINNT\system32\wuauclt.exe SUCCESS Options: Open Access: All
11 12:57:11.617 svchost.exe:1068 QUERY
INFORMATION C:\WINNT\system32\wuauclt.exe SUCCESS Length: 124184
12 12:57:11.617 svchost.exe:1068 CLOSE C:\WINNT\system32\wuauclt.exe SUCCESS
13 12:57:11.617 svchost.exe:1068 CLOSE C:\WINNT\system32\wuauclt.exe SUCCESS
360 12:57:11.707 wuauclt.exe:1800 OPEN C:\WINNT\system32\ole32.dll SUCCESS Options: Open Access: All
361 12:57:11.707 wuauclt.exe:1800 QUERY
INFORMATION C:\WINNT\system32\ole32.dll SUCCESS Attributes: A
362 12:57:11.707 wuauclt.exe:1800 CLOSE C:\WINNT\system32\ole32.dll SUCCESS
363 12:57:11.707 wuauclt.exe:1800 OPEN C:\WINNT\AdvPack.log SUCCESS Options:
OpenIf Access: All
364 12:57:11.707 wuauclt.exe:1800 OPEN C:\WINNT\AdvPack.log SUCCESS Options:
Open Access: All
365 12:57:11.707 wuauclt.exe:1800 CLOSE C:\WINNT\AdvPack.log SUCCESS
366 12:57:11.707 wuauclt.exe:1800 QUERY
INFORMATION C:\WINNT\AdvPack.log SUCCESS Length: 41128
367 12:57:11.707 wuauclt.exe:1800 WRITE
C:\WINNT\AdvPack.log SUCCESS Offset: 41128 Length: 87
368 12:57:11.707 wuauclt.exe:1800 WRITE C:\WINNT\AdvPack.log SUCCESS Offset:
41215 Length: 57
513 12:57:11.727 wuauclt.exe:1800 OPEN C:\WINNT\system32\WINTRUST.dll SUCCESS Options: Open Access: All
514 12:57:11.727 wuauclt.exe:1800 QUERY
INFORMATION C:\WINNT\system32\WINTRUST.dll SUCCESS Attributes: A
515 12:57:11.727 wuauclt.exe:1800 CLOSE C:\WINNT\system32\WINTRUST.dll SUCCESS
516 12:57:11.727 wuauclt.exe:1800 OPEN C:\WINNT\system32\WINTRUST.dll SUCCESS Options: Open Access: All
517 12:57:11.727 wuauclt.exe:1800 QUERY
INFORMATION C:\WINNT\system32\WINTRUST.dll SUCCESS Attributes: A
518 12:57:11.727 wuauclt.exe:1800 CLOSE C:\WINNT\system32\WINTRUST.dll SUCCESS
519 12:57:11.727 wuauclt.exe:1800 OPEN C:\WINNT\system32\WINTRUST.dll SUCCESS Options: Open Access: All
520 12:57:11.727 wuauclt.exe:1800 QUERY
INFORMATION C:\WINNT\system32\WINTRUST.dll SUCCESS Attributes: A
521 12:57:11.727 wuauclt.exe:1800 CLOSE C:\WINNT\system32\WINTRUST.dll SUCCESS
522 12:57:11.727 wuauclt.exe:1800 OPEN C:\WINNT\system32\WINTRUST.dll SUCCESS Options: Open Access: All
523 12:57:11.727 wuauclt.exe:1800 QUERY
INFORMATION C:\WINNT\system32\WINTRUST.dll SUCCESS Attributes: A
524 12:57:11.727 wuauclt.exe:1800 CLOSE C:\WINNT\system32\WINTRUST.dll SUCCESS
525 12:57:11.727 wuauclt.exe:1800 OPEN C:\WINNT\system32\WINTRUST.dll SUCCESS Options: Open Access: All
526 12:57:11.727 wuauclt.exe:1800 QUERY
INFORMATION C:\WINNT\system32\WINTRUST.dll SUCCESS Attributes: A
527 12:57:11.727 wuauclt.exe:1800 CLOSE C:\WINNT\system32\WINTRUST.dll SUCCESS
528 12:57:11.727 wuauclt.exe:1800 OPEN C:\WINNT\system32\WINTRUST.dll SUCCESS Options: Open Access: All
529 12:57:11.727 wuauclt.exe:1800 QUERY
INFORMATION C:\WINNT\system32\WINTRUST.dll SUCCESS Attributes: A
530 12:57:11.727 wuauclt.exe:1800 CLOSE C:\WINNT\system32\WINTRUST.dll SUCCESS
531 12:57:11.727 wuauclt.exe:1800 CREATE C:\WINNT NAME COLLISION Options:
Create Directory Access: All
532 12:57:11.727 wuauclt.exe:1800 OPEN C:\WINNT\WindowsUpdate.log SUCCESS Options: Open Access: All
533 12:57:11.727 wuauclt.exe:1800 CLOSE C:\WINNT\WindowsUpdate.log SUCCESS
534 12:57:11.727 wuauclt.exe:1800 OPEN C:\WINNT\WindowsUpdate.log SUCCESS Options: Open Access: All
535 12:57:11.727 wuauclt.exe:1800 CLOSE C:\WINNT\WindowsUpdate.log SUCCESS
536 12:57:11.727 wuauclt.exe:1800 OPEN C:\WINNT\WindowsUpdate.log SUCCESS Options: Open Access: All
537 12:57:11.727 wuauclt.exe:1800 CLOSE C:\WINNT\WindowsUpdate.log SUCCESS
538 12:57:11.727 wuauclt.exe:1800 OPEN C:\WINNT\WindowsUpdate.log\ NAME
INVALID Options: Open Access: All
539 12:57:11.727 wuauclt.exe:1800 OPEN C:\WINNT IS DIRECTORY Options: Open
Access: All
540 12:57:11.727 wuauclt.exe:1800 OPEN C:\WINNT SUCCESS Options: Open
Access: All
541 12:57:11.727 wuauclt.exe:1800 CLOSE C:\WINNT SUCCESS
542 12:57:11.727 wuauclt.exe:1800 OPEN C:\WINNT SUCCESS Options: Open
Access: All
543 12:57:11.727 wuauclt.exe:1800 CLOSE C:\WINNT SUCCESS
544 12:57:11.727 wuauclt.exe:1800 OPEN C:\WINNT\ SUCCESS Options: Open
Access: All
545 12:57:11.727 wuauclt.exe:1800 CLOSE C:\WINNT\ SUCCESS
546 12:57:11.727 wuauclt.exe:1800 OPEN C:\WINNT\WindowsUpdate.log SUCCESS Options: OpenIf Access: All
547 12:57:11.727 wuauclt.exe:1800 OPEN C:\WINNT\WindowsUpdate.log SUCCESS Options: Open Access: All
548 12:57:11.727 wuauclt.exe:1800 CLOSE C:\WINNT\WindowsUpdate.log SUCCESS
549 12:57:11.727 wuauclt.exe:1800 CREATE C:\WINNT NAME COLLISION Options:
Create Directory Access: All
550 12:57:11.727 wuauclt.exe:1800 OPEN C:\WINNT\WindowsUpdate.log SUCCESS Options: Open Access: All
551 12:57:11.727 wuauclt.exe:1800 CLOSE C:\WINNT\WindowsUpdate.log SUCCESS
552 12:57:11.727 wuauclt.exe:1800 OPEN C:\WINNT\WindowsUpdate.log SUCCESS Options: Open Access: All
553 12:57:11.727 wuauclt.exe:1800 CLOSE C:\WINNT\WindowsUpdate.log SUCCESS
554 12:57:11.727 wuauclt.exe:1800 OPEN C:\WINNT\WindowsUpdate.log SUCCESS Options: Open Access: All
555 12:57:11.727 wuauclt.exe:1800 CLOSE C:\WINNT\WindowsUpdate.log SUCCESS
556 12:57:11.727 wuauclt.exe:1800 OPEN C:\WINNT\WindowsUpdate.log\ NAME
INVALID Options: Open Access: All
557 12:57:11.727 wuauclt.exe:1800 OPEN C:\WINNT IS DIRECTORY Options: Open
Access: All
558 12:57:11.727 wuauclt.exe:1800 OPEN C:\WINNT SUCCESS Options: Open
Access: All
559 12:57:11.727 wuauclt.exe:1800 CLOSE C:\WINNT SUCCESS
560 12:57:11.727 wuauclt.exe:1800 OPEN C:\WINNT SUCCESS Options: Open
Access: All
561 12:57:11.727 wuauclt.exe:1800 CLOSE C:\WINNT SUCCESS
562 12:57:11.727 wuauclt.exe:1800 OPEN C:\WINNT\ SUCCESS Options: Open
Access: All
563 12:57:11.727 wuauclt.exe:1800 CLOSE C:\WINNT\ SUCCESS
564 12:57:11.727 wuauclt.exe:1800 OPEN C:\WINNT\WindowsUpdate.log SUCCESS Options: OpenIf Access: All
565 12:57:11.727 wuauclt.exe:1800 OPEN C:\WINNT\WindowsUpdate.log SUCCESS Options: Open Access: All
566 12:57:11.727 wuauclt.exe:1800 CLOSE C:\WINNT\WindowsUpdate.log SUCCESS
567 12:57:11.727 wuauclt.exe:1800 CREATE C:\WINNT NAME COLLISION Options:
Create Directory Access: All
568 12:57:11.727 wuauclt.exe:1800 OPEN C:\WINNT\WindowsUpdate.log SUCCESS Options: Open Access: All
569 12:57:11.727 wuauclt.exe:1800 CLOSE C:\WINNT\WindowsUpdate.log SUCCESS
570 12:57:11.727 wuauclt.exe:1800 OPEN C:\WINNT\WindowsUpdate.log SUCCESS Options: Open Access: All
571 12:57:11.727 wuauclt.exe:1800 CLOSE C:\WINNT\WindowsUpdate.log SUCCESS
572 12:57:11.727 wuauclt.exe:1800 OPEN C:\WINNT\WindowsUpdate.log SUCCESS Options: Open Access: All
573 12:57:11.727 wuauclt.exe:1800 CLOSE C:\WINNT\WindowsUpdate.log SUCCESS
574 12:57:11.727 wuauclt.exe:1800 OPEN C:\WINNT\WindowsUpdate.log\ NAME
INVALID Options: Open Access: All
575 12:57:11.727 wuauclt.exe:1800 OPEN C:\WINNT IS DIRECTORY Options: Open
Access: All
576 12:57:11.727 wuauclt.exe:1800 OPEN C:\WINNT SUCCESS Options: Open
Access: All
577 12:57:11.727 wuauclt.exe:1800 CLOSE C:\WINNT SUCCESS
578 12:57:11.727 wuauclt.exe:1800 OPEN C:\WINNT SUCCESS Options: Open
Access: All
579 12:57:11.727 wuauclt.exe:1800 CLOSE C:\WINNT SUCCESS
580 12:57:11.727 wuauclt.exe:1800 OPEN C:\WINNT\ SUCCESS Options: Open
Access: All
581 12:57:11.727 wuauclt.exe:1800 CLOSE C:\WINNT\ SUCCESS
582 12:57:11.727 wuauclt.exe:1800 OPEN C:\WINNT\WindowsUpdate.log SUCCESS Options: OpenIf Access: All
583 12:57:11.727 wuauclt.exe:1800 OPEN C:\WINNT\WindowsUpdate.log SUCCESS Options: Open Access: All
584 12:57:11.727 wuauclt.exe:1800 CLOSE C:\WINNT\WindowsUpdate.log SUCCESS
585 12:57:11.727 wuauclt.exe:1800 CREATE C:\WINNT NAME COLLISION Options:
Create Directory Access: All
586 12:57:11.727 wuauclt.exe:1800 OPEN C:\WINNT\WindowsUpdate.log SUCCESS Options: Open Access: All
587 12:57:11.727 wuauclt.exe:1800 CLOSE C:\WINNT\WindowsUpdate.log SUCCESS
588 12:57:11.737 wuauclt.exe:1800 OPEN C:\WINNT\WindowsUpdate.log SUCCESS Options: Open Access: All
589 12:57:11.737 wuauclt.exe:1800 CLOSE C:\WINNT\WindowsUpdate.log SUCCESS
590 12:57:11.737 wuauclt.exe:1800 OPEN C:\WINNT\WindowsUpdate.log SUCCESS Options: Open Access: All
591 12:57:11.737 wuauclt.exe:1800 CLOSE C:\WINNT\WindowsUpdate.log SUCCESS
592 12:57:11.737 wuauclt.exe:1800 OPEN C:\WINNT\WindowsUpdate.log\ NAME
INVALID Options: Open Access: All
593 12:57:11.737 wuauclt.exe:1800 OPEN C:\WINNT IS DIRECTORY Options: Open
Access: All
594 12:57:11.737 wuauclt.exe:1800 OPEN C:\WINNT SUCCESS Options: Open
Access: All
595 12:57:11.737 wuauclt.exe:1800 CLOSE C:\WINNT SUCCESS
596 12:57:11.737 wuauclt.exe:1800 OPEN C:\WINNT SUCCESS Options: Open
Access: All
597 12:57:11.737 wuauclt.exe:1800 CLOSE C:\WINNT SUCCESS
598 12:57:11.737 wuauclt.exe:1800 OPEN C:\WINNT\ SUCCESS Options: Open
Access: All
599 12:57:11.737 wuauclt.exe:1800 CLOSE C:\WINNT\ SUCCESS
600 12:57:11.737 wuauclt.exe:1800 OPEN C:\WINNT\WindowsUpdate.log SUCCESS Options: OpenIf Access: All
601 12:57:11.737 wuauclt.exe:1800 OPEN C:\WINNT\WindowsUpdate.log SUCCESS Options: Open Access: All
602 12:57:11.737 wuauclt.exe:1800 CLOSE C:\WINNT\WindowsUpdate.log SUCCESS
603 12:57:11.737 wuauclt.exe:1800 CREATE C:\WINNT NAME COLLISION Options:
Create Directory Access: All
610 12:57:11.737 wuauclt.exe:1800 OPEN C:\WINNT\WindowsUpdate.log\ NAME
INVALID Options: Open Access: All
621 12:57:11.737 wuauclt.exe:1800 CREATE C:\WINNT NAME COLLISION Options:
Create Directory Access: All
628 12:57:11.737 wuauclt.exe:1800 OPEN C:\WINNT\WindowsUpdate.log\ NAME
INVALID Options: Open Access: All
639 12:57:11.737 wuauclt.exe:1800 CREATE C:\WINNT NAME COLLISION Options:
Create Directory Access: All
646 12:57:11.737 wuauclt.exe:1800 OPEN C:\WINNT\WindowsUpdate.log\ NAME
INVALID Options: Open Access: All
647 12:57:11.737 wuauclt.exe:1800 OPEN C:\WINNT IS DIRECTORY Options: Open
Access: All
648 12:57:11.737 wuauclt.exe:1800 OPEN C:\WINNT SUCCESS Options: Open
Access: All
649 12:57:11.737 wuauclt.exe:1800 CLOSE C:\WINNT SUCCESS
650 12:57:11.737 wuauclt.exe:1800 OPEN C:\WINNT SUCCESS Options: Open
Access: All
651 12:57:11.737 wuauclt.exe:1800 CLOSE C:\WINNT SUCCESS
652 12:57:11.737 wuauclt.exe:1800 OPEN C:\WINNT\ SUCCESS Options: Open
Access: All
653 12:57:11.737 wuauclt.exe:1800 CLOSE C:\WINNT\ SUCCESS
963 12:57:11.898 wuauclt.exe:1800 OPEN C:\WINNT\system32\wuaueng.dll SUCCESS Options: Open Access: All
964 12:57:11.898 wuauclt.exe:1800 QUERY
INFORMATION C:\WINNT\system32\wuaueng.dll SUCCESS Attributes: A
965 12:57:11.898 wuauclt.exe:1800 CLOSE C:\WINNT\system32\wuaueng.dll SUCCESS
966 12:57:11.898 wuauclt.exe:1800 OPEN C:\WINNT\system32\rpcss.dll SUCCESS Options: Open Access: All
967 12:57:11.898 wuauclt.exe:1800 QUERY
INFORMATION C:\WINNT\system32\rpcss.dll SUCCESS Attributes: A
968 12:57:11.898 wuauclt.exe:1800 CLOSE C:\WINNT\system32\rpcss.dll SUCCESS
969 12:57:11.898 wuauclt.exe:1800 OPEN C:\WINNT\system32\rpcss.dll SUCCESS Options: Open Access: Execute
970 12:57:11.898 wuauclt.exe:1800 OPEN C:\WINNT\system32\rpcss.dll SUCCESS Options: Open Access: All
971 12:57:11.898 wuauclt.exe:1800 CLOSE C:\WINNT\system32\rpcss.dll SUCCESS
972 12:57:11.898 wuauclt.exe:1800 OPEN C:\WINNT\system32\rpcss.dll SUCCESS Options: Open Access: All
973 12:57:11.898 wuauclt.exe:1800 QUERY
INFORMATION C:\WINNT\system32\rpcss.dll SUCCESS Length: 273680
974 12:57:11.898 wuauclt.exe:1800 CLOSE C:\WINNT\system32\rpcss.dll SUCCESS
975 12:57:11.898 wuauclt.exe:1800 QUERY
INFORMATION C:\WINNT\system32\rpcss.dll SUCCESS Length: 273680
976 12:57:11.898 wuauclt.exe:1800 CLOSE C:\WINNT\system32\rpcss.dll SUCCESS
977 12:57:11.908 wuauclt.exe:1800 OPEN C:\WINNT\System32\~CLBCATQ.DLL FILE
NOT FOUND Options: Open Access: All
978 12:57:11.908 wuauclt.exe:1800 OPEN C:\WINNT\system32\CLBCATQ.DLL SUCCESS Options: Open Access: All
979 12:57:11.908 wuauclt.exe:1800 QUERY
INFORMATION C:\WINNT\system32\CLBCATQ.DLL SUCCESS Attributes: A
980 12:57:11.908 wuauclt.exe:1800 CLOSE C:\WINNT\system32\CLBCATQ.DLL SUCCESS
981 12:57:11.908 wuauclt.exe:1800 OPEN C:\WINNT\system32\CLBCATQ.DLL SUCCESS Options: Open Access: Execute
982 12:57:11.908 wuauclt.exe:1800 OPEN C:\WINNT\system32\CLBCATQ.DLL SUCCESS Options: Open Access: All
983 12:57:11.908 wuauclt.exe:1800 CLOSE C:\WINNT\system32\CLBCATQ.DLL SUCCESS
984 12:57:11.908 wuauclt.exe:1800 OPEN C:\WINNT\system32\CLBCATQ.DLL SUCCESS Options: Open Access: All
985 12:57:11.908 wuauclt.exe:1800 QUERY
INFORMATION C:\WINNT\system32\CLBCATQ.DLL SUCCESS Length: 552720
986 12:57:11.908 wuauclt.exe:1800 CLOSE C:\WINNT\system32\CLBCATQ.DLL SUCCESS
987 12:57:11.908 wuauclt.exe:1800 CLOSE C:\WINNT\system32\CLBCATQ.DLL SUCCESS
988 12:57:11.918 wuauclt.exe:1800 OPEN C:\WINNT\system32\wups2.dll SUCCESS Options: Open Access: All
989 12:57:11.918 wuauclt.exe:1800 QUERY
INFORMATION C:\WINNT\system32\wups2.dll SUCCESS Attributes: A
990 12:57:11.918 wuauclt.exe:1800 CLOSE C:\WINNT\system32\wups2.dll SUCCESS
991 12:57:11.918 wuauclt.exe:1800 OPEN C:\WINNT\system32\wups2.dll SUCCESS Options: Open Access: Execute
992 12:57:11.918 wuauclt.exe:1800 OPEN C:\WINNT\system32\wups2.dll SUCCESS Options: Open Access: All
993 12:57:11.918 wuauclt.exe:1800 CLOSE C:\WINNT\system32\wups2.dll SUCCESS
994 12:57:11.918 wuauclt.exe:1800 OPEN C:\WINNT\system32\wups2.dll SUCCESS Options: Open Access: All
995 12:57:11.918 wuauclt.exe:1800 QUERY
INFORMATION C:\WINNT\system32\wups2.dll SUCCESS Length: 18200
996 12:57:11.918 wuauclt.exe:1800 CLOSE C:\WINNT\system32\wups2.dll SUCCESS
997 12:57:11.918 wuauclt.exe:1800 QUERY
INFORMATION C:\WINNT\system32\wups2.dll SUCCESS Length: 18200
998 12:57:11.918 wuauclt.exe:1800 CLOSE C:\WINNT\system32\wups2.dll SUCCESS
999 12:57:11.918 wuauclt.exe:1800 OPEN C:\WINNT\system32\wups2.dll SUCCESS Options: Open Access: All
1000 12:57:11.918 wuauclt.exe:1800 QUERY
INFORMATION C:\WINNT\system32\wups2.dll SUCCESS Attributes: A
1001 12:57:11.918 wuauclt.exe:1800 CLOSE C:\WINNT\system32\wups2.dll SUCCESS
1002 12:57:11.918 wuauclt.exe:1800 OPEN C:\WINNT\system32\wups2.dll SUCCESS Options: Open Access: Execute
1003 12:57:11.918 wuauclt.exe:1800 OPEN C:\WINNT\system32\wups2.dll SUCCESS Options: Open Access: All
1004 12:57:11.918 wuauclt.exe:1800 CLOSE C:\WINNT\system32\wups2.dll SUCCESS
1005 12:57:11.918 wuauclt.exe:1800 OPEN C:\WINNT\system32\wups2.dll SUCCESS Options: Open Access: All
1006 12:57:11.918 wuauclt.exe:1800 QUERY
INFORMATION C:\WINNT\system32\wups2.dll SUCCESS Length: 18200
1007 12:57:11.918 wuauclt.exe:1800 CLOSE C:\WINNT\system32\wups2.dll SUCCESS
1446 12:57:11.988 wuauclt.exe:1800 WRITE
C:\WINNT\WindowsUpdate.log SUCCESS Offset: 153635 Length: 107
1447 12:57:11.988 wuauclt.exe:1800 CLOSE C:\WINNT\WindowsUpdate.log SUCCESS
1448 12:57:11.988 wuauclt.exe:1800 CLOSE C:\WINNT\WindowsUpdate.log SUCCESS
1449 12:57:11.988 wuauclt.exe:1800 CLOSE C:\WINNT\WindowsUpdate.log SUCCESS
1450 12:57:11.988 wuauclt.exe:1800 CLOSE C:\WINNT\WindowsUpdate.log SUCCESS
1451 12:57:11.988 wuauclt.exe:1800 CLOSE C:\WINNT\WindowsUpdate.log SUCCESS
1452 12:57:11.988 wuauclt.exe:1800 CLOSE C:\WINNT\WindowsUpdate.log SUCCESS
1453 12:57:11.988 wuauclt.exe:1800 CLOSE C:\WINNT\WindowsUpdate.log SUCCESS
1454 12:57:11.988 wuauclt.exe:1800 CLOSE C:\WINNT\WindowsUpdate.log SUCCESS
1455 12:57:11.988 wuauclt.exe:1800 CLOSE C:\WINNT\WindowsUpdate.log SUCCESS
Follow to the end a whole bunch of "CLOSE" Success.
Now the RegMon:
1 12:57:11.617 svchost.exe:1068 OpenKey HKLM\Software\Microsoft\Windows
NT\CurrentVersion\Image File Execution Options\wuauclt.exe NOTFOUND
2 12:57:11.627 wuauclt.exe:1800 OpenKey HKLM\Software\Microsoft\Windows
NT\CurrentVersion\Image File Execution Options\wuauclt.exe NOTFOUND
3 12:57:11.627 wuauclt.exe:1800 OpenKey HKLM\Software\Microsoft\Windows
NT\CurrentVersion\Image File Execution Options\wuauclt.exe NOTFOUND
4 12:57:11.627 wuauclt.exe:1800 OpenKey HKLM\Software\Microsoft\Windows
NT\CurrentVersion\Image File Execution Options\wuauclt.exe NOTFOUND
5 12:57:11.697 wuauclt.exe:1800 OpenKey HKLM\Software\Microsoft\Windows
NT\CurrentVersion\Image File Execution Options\wuauclt.exe NOTFOUND
50 12:57:11.707 wuauclt.exe:1800 OpenKey HKLM\SOFTWARE\Microsoft\OLEAUT NOTFOUND
51 12:57:11.707 wuauclt.exe:1800 OpenKey HKLM\SOFTWARE\Microsoft\OLEAUT\UserEra NOTFOUND
52 12:57:11.707 wuauclt.exe:1800 OpenKey HKLM\SOFTWARE\Microsoft\OLEAUT NOTFOUND
53 12:57:11.707 wuauclt.exe:1800 OpenKey HKLM\Software\Microsoft\Advanced
INF Setup SUCCESS Key: 0xE54FD600
54 12:57:11.707 wuauclt.exe:1800 QueryValue HKLM\Software\Microsoft\Advanced
INF Setup\AdvpackLogFile SUCCESS "AdvPack.log"
55 12:57:11.707 wuauclt.exe:1800 QueryValue HKLM\Software\Microsoft\Advanced
INF Setup\AdvpackLogFile SUCCESS "AdvPack.log"
56 12:57:11.707 wuauclt.exe:1800 CloseKey HKLM\Software\Microsoft\Advanced
INF Setup SUCCESS Key: 0xE54FD600
130 12:57:11.707 wuauclt.exe:1800 QueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DnsTest NOTFOUND
131 12:57:11.707 wuauclt.exe:1800 CloseKey HKLM\System\CurrentControlSet\Services\Tcpip\Parameters SUCCESS Key: 0xE13B37E0
132 12:57:11.707 wuauclt.exe:1800 CreateKey HKLM\System\CurrentControlSet\Services\Tcpip\Parameters SUCCESS Key: 0xE13B37E0
133 12:57:11.707 wuauclt.exe:1800 QueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\AllowUnqualifiedQuery SUCCESS 0x0
134 12:57:11.707 wuauclt.exe:1800 QueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\AllowUnqualifiedQuery SUCCESS 0x0
135 12:57:11.707 wuauclt.exe:1800 CloseKey HKLM\System\CurrentControlSet\Services\Tcpip\Parameters SUCCESS Key: 0xE13B37E0
136 12:57:11.707 wuauclt.exe:1800 CreateKey HKLM\System\CurrentControlSet\Services\Tcpip\Parameters SUCCESS Key: 0xE13B37E0
137 12:57:11.707 wuauclt.exe:1800 QueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\PrioritizeRecordData SUCCESS 0x1
138 12:57:11.707 wuauclt.exe:1800 QueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\PrioritizeRecordData SUCCESS 0x1
139 12:57:11.707 wuauclt.exe:1800 CloseKey HKLM\System\CurrentControlSet\Services\Tcpip\Parameters SUCCESS Key: 0xE13B37E0
140 12:57:11.707 wuauclt.exe:1800 OpenKey HKLM\System\CurrentControlSet\Services\Tcpip\Parameters SUCCESS Key: 0xE13B37E0
141 12:57:11.707 wuauclt.exe:1800 QueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\UpdateSecurityLevel NOTFOUND
142 12:57:11.707 wuauclt.exe:1800 CloseKey HKLM\System\CurrentControlSet\Services\Tcpip\Parameters SUCCESS Key: 0xE13B37E0
143 12:57:11.707 wuauclt.exe:1800 OpenKey HKLM\System\CurrentControlSet\Services\Tcpip\Parameters SUCCESS Key: 0xE13B37E0
144 12:57:11.707 wuauclt.exe:1800 QueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\RemoteDnsResolver NOTFOUND
145 12:57:11.707 wuauclt.exe:1800 CloseKey HKLM\System\CurrentControlSet\Services\Tcpip\Parameters SUCCESS Key: 0xE13B37E0
146 12:57:11.707 wuauclt.exe:1800 OpenKey HKLM\System\CurrentControlSet\Services\DnsCache\Parameters SUCCESS Key: 0xE13B37E0
147 12:57:11.707 wuauclt.exe:1800 QueryValue HKLM\System\CurrentControlSet\Services\DnsCache\Parameters\UpdateTopLevelDomainZones NOTFOUND
148 12:57:11.707 wuauclt.exe:1800 CloseKey HKLM\System\CurrentControlSet\Services\DnsCache\Parameters SUCCESS Key: 0xE13B37E0
149 12:57:11.707 wuauclt.exe:1800 OpenKey HKLM\System\CurrentControlSet\Services\LDAP NOTFOUND
150 12:57:11.707 wuauclt.exe:1800 OpenKey HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName SUCCESS Key: 0xE52E48A0
151 12:57:11.707 wuauclt.exe:1800 QueryValue HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName\ComputerName SUCCESS "PC218"
152 12:57:11.707 wuauclt.exe:1800 CloseKey HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName SUCCESS Key: 0xE52E48A0
153 12:57:11.707 wuauclt.exe:1800 OpenKey HKLM\system\CurrentControlSet\control\NetworkProvider\HwOrder SUCCESS Key: 0xE52E48A0
154 12:57:11.707 wuauclt.exe:1800 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\Tracing NOTFOUND
155 12:57:11.707 wuauclt.exe:1800 OpenKey HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\msasn1 NOTFOUND
156 12:57:11.727 wuauclt.exe:1800 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace NOTFOUND
156 12:57:11.727 wuauclt.exe:1800 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace NOTFOUND
157 12:57:11.727 wuauclt.exe:1800 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\Misc NOTFOUND
158 12:57:11.727 wuauclt.exe:1800 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\Report NOTFOUND
159 12:57:11.727 wuauclt.exe:1800 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\Setup NOTFOUND
160 12:57:11.727 wuauclt.exe:1800 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\Service NOTFOUND
161 12:57:11.737 wuauclt.exe:1800 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\Agent NOTFOUND
162 12:57:11.737 wuauclt.exe:1800 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\AU NOTFOUND
163 12:57:11.737 wuauclt.exe:1800 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\AUClnt NOTFOUND
164 12:57:11.737 wuauclt.exe:1800 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\WUWeb NOTFOUND
165 12:57:11.747 wuauclt.exe:1800 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\DtaStor NOTFOUND
166 12:57:11.747 wuauclt.exe:1800 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\CDM NOTFOUND
167 12:57:11.747 wuauclt.exe:1800 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\PT NOTFOUND
168 12:57:11.747 wuauclt.exe:1800 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\Driver NOTFOUND
169 12:57:11.757 wuauclt.exe:1800 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\COMAPI NOTFOUND
170 12:57:11.757 wuauclt.exe:1800 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\Parser NOTFOUND
171 12:57:11.757 wuauclt.exe:1800 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\Handler NOTFOUND
172 12:57:11.757 wuauclt.exe:1800 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\EEHndlr NOTFOUND
173 12:57:11.767 wuauclt.exe:1800 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\DnldMgr NOTFOUND
174 12:57:11.767 wuauclt.exe:1800 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\Cmpress NOTFOUND
175 12:57:11.767 wuauclt.exe:1800 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\Shutdwn NOTFOUND
176 12:57:11.767 wuauclt.exe:1800 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\WuRedir NOTFOUND
177 12:57:11.888 wuauclt.exe:1800 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\OfflSnc NOTFOUND
178 12:57:11.888 wuauclt.exe:1800 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\Trace NOTFOUND
179 12:57:11.898 wuauclt.exe:1800 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\TraceTestMain NOTFOUND
180 12:57:11.898 wuauclt.exe:1800 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\TraceTestThreads NOTFOUND
Robert Aldwinckle
> Hi Robert,
>
> Did the Filemon concurent with Regmon.
> Filemon filter "wuauclt; Update; svhost.exe" as suggested.
> Regmon same as before, "wuauclt"
> Update tried : KB899587
>
> The Regmon result basically the same.
> Tried to understand how to compare/read/analysis the log from both sources
> from yr post with Fortunatov...sorry, really don't understand....
>
> What I did is delete most of the "Success" lines from Filemon and include
> those lines that has the same time value from Regmon.....hope that is ok...
> If you need more detailed entries, please let me know and I'll post as much
> as possible.
Raymond,
The most important information that we can get from the FileMon log
is the length of the Writes associated with WindowsUpdate.log
I think that you may be deleting most of those records with your cull
of "Success" lines. ;)
See, here is the only such line you have left
> 1446 12:57:11.988 wuauclt.exe:1800 WRITE C:\WINNT\WindowsUpdate.log SUCCESS Offset: 153635 Length: 107
The timestamp and the length of 107 tells me that if I found a record
in your log with 106 characters in it which had a log timestamp of
12:57:11 then chances are that this would have been the write for it.
Making that linkage would then allow us to say that the real timestamp
of that log record was 12:57:11.988 (i.e. we could infer the milleseconds
for the log's timestamp.) Also we would then have a more accurate timestamp
to go into the RegMon trace with and see if anything interesting happened
there just before that time.
Unfortunately by doing that for this record all I can see is this hint from
the RegMon trace that diagnostics were being considered just before this
> 156 12:57:11.727 wuauclt.exe:1800 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace NOTFOUND
However, since there are no internals guides for us we can't know whether
that would be occurring in a recovery event or just as a normal part of this
thread's processing.
I think if we could somehow activate the install program's verbose trace
we would have more effective diagnostics than what FileMon and RegMon
appear to be giving us. I.e., it is beginning to look to me more like a logic
error which is being covered up with a bogus code than a real permissions
problem. If it really was a permissions problem I would expect that either
RegMon or FileMon would expose it (provided we aren't excluding that
possibility with a too restrictive filter by either RegMon or FileMon.)
Presumably those diagnostics implied by the attempted registry accesses
would be ways of invoking the verbose logging even on automatic installs.
E.g. we suspect that invoking verbose logging on a manual install will not
be useful because you already know that you do not have a problem doing
a manual install. Unfortunately, applying verbose logging on a manual
install is the only option that I have found documented.
Sorry this didn't work out for you.
Robert
---
Raymond
Sorry, wasting yr time.
Since I can download and apply the update manually, I guess I'll stop here
and hope it is something MS (assuming its their fault since I can do that not
long ago) will fix in the near future.
Your help all along is most appreciated. Thank you!!
Ray