SBS console crashes when duplicate entries from AV products are written into Security Center

SBS console crashes when duplicate entries from AV products are written into Security Center

  • Comments 3
  • Likes

We have seen some cases where the SBS Console crashes over and over every time you open it. It has been isolated to some orphaned WMI entries on client computers for Antivirus or Antispyware products.

How to identify you are experiencing this:

1. Open the C:\Program Files\Windows Small Business Server\Logs\console.log file and search for this: “An item with the same key has already been added.”

[1184] 090309.152753.0142: Admin: !!!!FATAL: Console shutting down due to unhandled exception: An item with the same key has already been added.
[1184] 090309.152753.0252: Exception:
---------------------------------------
An exception of type 'Type: System.ArgumentException, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' has occurred.
Timestamp: 03/09/2009 15:27:53
Message: An item with the same key has already been added.
Stack:
Server stack trace:
    at System.ThrowHelper.ThrowArgumentException(ExceptionResource resource)
    at System.Collections.Generic.Dictionary`2.Insert(TKey key, TValue value, Boolean add)
    at System.Collections.Generic.Dictionary`2.Add(TKey key, TValue value)
    at Microsoft.WindowsServerSolutions.AntiVirus.Infrastructure.AntivirusProductCollection.Add(AntivirusProduct avProduct)

 

2. Download the attached file (getavproducts.txt) to the server and rename it to .vbs. Open an elevated command prompt on the server, change directories to the folder where you saved it to and type this command: "cscript getavproducts.vbs > myavproducts.txt"

 

3. Analyze the myavproducts.txt file using the example provided below for computers that have multiple AntiVirus or AntiSpyware Products with the same name.  COMPUTER1 illustrates an example with one Antivirus product and COMPUTER2 illustrates an example with multiple Antivirus products.

EXAMPLE OUTPUT

**** COMPUTER1 ***

 

            ++++++ AntiVirusProduct

            VendorA Antivirus 3.0

            {A1B2C3D4-0101-0202-0303-E5F6G7H8I9J0}

            3.0

 

            ++++++ AntiSpywareProduct

 

            ++++++ FirewallProduct

 

            SecurityCenter2++++++ AntiVirusProduct

            VendorA Antivirus 3.0

            {A1B2C3D4-0101-0202-0303-E5F6G7H8I9J0}

            3.0

 

            SecurityCenter2++++++ AntiSpywareProduct

 

            SecurityCenter2++++++ FirewallProduct

 

**** COMPUTER2 ***

 

            ++++++ AntiVirusProduct

 

            VendorB Antivirus

            {Z1Y2X3W4-0303-0101-0202-V6U5T4S3R2Q1}

            5.0

 

            VendorB Antivirus

            {00000000-0000-0000-0000-000000000000}

            5.0

 

            VendorB Antivirus

            {Z1Y2X3W4-0303-0101-0202-V6U5T4S3R2Q1}

             6.0

 

            VendorA Antivirus 3.0

            {A1B2C3D4-0101-0202-0303-E5F6G7H8I9J0}

            3.0

 

            ++++++ AntiSpywareProduct

 

            ++++++ FirewallProduct

 

            SecurityCenter2++++++ AntiVirusProduct

 

            VendorB Antivirus

            {Z1Y2X3W4-0303-0101-0202-V6U5T4S3R2Q1}

            5.0

 

            VendorB Antivirus

            {00000000-0000-0000-0000-000000000000}

5.0

 

            VendorB Antivirus

            {Z1Y2X3W4-0303-0101-0202-V6U5T4S3R2Q1}

             6.0

 

            VendorA Antivirus 3.0

            {A1B2C3D4-0101-0202-0303-E5F6G7H8I9J0}

            3.0

 

            SecurityCenter2++++++ AntiSpywareProduct

 

            SecurityCenter2++++++ FirewallProduct

 

Notice how COMPUTER2 has multiple entries with the same name (VendorB Antivirus 6.0) listed under AntiVirusProduct in SecurityCenter and SecurityCenter2, whereas COMPUTER1 only has one (VendorA Antivirus 3.0). These multiple entries with the same name are causing the console crash. There may be more than one computer like this, so you need to check all of them in the myavproducts.txt file.

 

4. Determine which AntiVirus (or AntiSpyware) you intend to keep, VendorA or VendorB. If the multiple entries are from the same vendor, then base your decision on the version as they may be different. Typically, the bottommost entry is the one you want to keep. In the COMPUTER2 example above, this would be VendorA Antivirus 3.0.

 

5. To remove the entry, try uninstalling the vendor’s program. If this is not possible, because it has already been uninstalled, you can clean it out of WMI manually.

 

6. To clean it out of WMI manually (from the server):

 

a. Start - Run - Wbemtest

b. Click Connect

c. Type in \\COMPUTER2\root\SecurityCenter where it says root\default or root\cimv2 and click OK.

d. Click Enum Classes. Leave everything as it is and click OK.

e. Double-click AntivirusProduct (or AntiSpywareProduct)

f. Click the Instances button.

g. You should several entries like:

AntiVirusProduct.instanceGuid=”{Z1Y2X3W4-0303-0101-0202-V6U5T4S3R2Q1}”AntiVirusProduct.instanceGuid="{00000000-0000-0000-0000-000000000000}”

AntiVirusProduct.instanceGuid=”{Z1Y2X3W4-0303-0101-0202-V6U5T4S3R2Q1}

AntiVirusProduct.instanceGuid=”{A1B2C3D4-0101-0202-0303-E5F6G7H8I9J0}”

 

NOTE: For the following steps, we assume you want to keep VendorA AntiVirus 3.0 and not VendorB AntiVirus. If this is not the case, keep the AV GUID for the AV you intend to keep.  If you intend to run both, then make sure there are not two entries with the same name.

 

h. Delete all of them except the last one: AntiVirusProduct.instanceGuid={A1B2C3D4-0101-0202-0303-E5F6G7H8I9J0}” as it corresponds to VendorA AntiVirus 3.0 (the one we assume you want to keep).

    

7. Repeat the steps 6a-6h for root\securitycenter2 to get it down to just one entry (assuming you only intend to run one Antivirus/AntiSpyware product on it).

    

8. Repeat the steps 5-7 for each computer you identified in the myavproducts.txt that has multiple entries with the same name.

 

9. Once you get rid of the duplicate entries it will take up to 30 minutes for the database on the server to be updated. There is no way to speed this up.

 

10. Once the database is updated, the console should no longer crash.

 

This issue is currently under investigation and will be fixed in the next SBS 2008 Update Rollup. 

 

 

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment
Comments