Windows Firewall/ICS getting shut off??

VoodooV Registered User regular
edited March 2007 in Help / Advice Forum
Greetings, I'm an IT tech at my office and maybe once or twice a week, we've been discovering that in the morning when a seemingly random user powers on their XP SP2 computer they get a popup message that their Firewall/ICS service has been terminated.

The actual event viewer message is this:

The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: Illegal operation attempted on a registry key that has been marked for deletion

(event id: 7023)

I've scoured through the IntarWebs but so far I have not found anyone else with this exact error message. My first gut instinct was a virus/spyware. I've done virus scans with McAfee, spyware scans with AdAware and Spybot, all with latest definitions, and haven't found a thing. My boss seems obsessed with blaming my WSUS patch server since we first noticed the problem on 3-4 people immediately after rebooting after installing patches on Patch Tuesday, but I can't help but think if it was the patches, there would be more people than just the half dozen or so (out of 500 networked computers) that would have this problem, not to mention I'd think other networks would be having this problem too. I'm willing to entertain the idea that there is some sort of indirect connection between the WSUS patcher and the problem, but so far I haven't been able to find anything concrete. I haven't been able to discern anything the victims have in common other than XP SP2 or why we haven't had more than just a half dozen or so people have this problem. Upon rebooting the computer, the service seems to return to normal with no further errors. There have been a couple cases where the computer would get the firewall turned off a 2nd time a couple days later, but nothing more than that.

At this point I'm running out of ideas. I thought maybe it was a DoS attack at one point, but again, nothing I've searched for seems to exactly describe what we've been seeing and again why wouldn't more people be affected?

Is there any way I can find out what registry entry it was trying to work with that supposedly is deleted or marked for deletion?

Anyone have any ideas on what I could check next? Thanks in advance!


Posts

  • Ruckus Registered User regular
    edited March 2007
    It probably was a Windows Update, but just a random bug in one of their updates rather than anything to do with WSUS.

    I've had random problems with Microsoft updates in the past; they work fine on 99% of the workstations and servers I admin, but there have been one or two in the last year that resulted in Registry damage that required Repair Installs to fix.

  • PirateJon Registered User regular
    edited March 2007
    Never seen a problem like that. I wouldn't blame WSUS - that's gold.

    VoodooV wrote:
    Is there any way I can find out what registry entry it was trying to work with that supposedly is deleted or marked for deletion?

    http://www.microsoft.com/technet/sysinternals/utilities/regmon.mspx

    I'd fire that up on a machine with the problem and try starting the service again.

    all perfectionists are mediocre in their own eyes
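
A fleet-wide way to test the two open questions in this thread (do the failures cluster after patch days, and do they happen right at boot), added here as an example and not posted by anyone in the thread. It assumes Windows PowerShell 3.0-5.1 on an admin workstation, remote event log access to the clients, a hypothetical `hosts.txt` list and a 30-day window.

```powershell
# Added example, not from the thread. Needs Windows PowerShell 3.0-5.1
# (Get-EventLog is absent from PowerShell 7) and remote event log access.
$hosts  = Get-Content .\hosts.txt     # hypothetical file: one computer name per line
$since  = (Get-Date).AddDays(-30)     # assumed look-back window
$fwName = 'Windows Firewall/Internet Connection Sharing (ICS)'  # name as shown in the event text

$report = foreach ($h in $hosts) {
    # Read the System log once per host, then filter locally.
    $err = $null
    $sys = Get-EventLog -LogName System -ComputerName $h -After $since `
               -ErrorAction SilentlyContinue -ErrorVariable err
    if (-not $sys) {
        # Unreachable host or empty window: keep the row so gaps stay visible.
        [pscustomobject]@{ Computer = $h; Time = $null; MinutesAfterBoot = $null; Note = "no data: $err" }
        continue
    }

    # Event 6005 (source EventLog) is written when the event log service starts, i.e. at boot.
    $boots = @($sys | Where-Object { $_.Source -eq 'EventLog' -and $_.EventID -eq 6005 } |
        Sort-Object TimeGenerated)

    # Event 7023 from the Service Control Manager, restricted to the firewall service.
    $failures = $sys | Where-Object {
        $_.Source -eq 'Service Control Manager' -and $_.EventID -eq 7023 -and
        $_.Message -like "*$fwName*"
    }

    foreach ($f in $failures) {
        $boot = $boots | Where-Object { $_.TimeGenerated -le $f.TimeGenerated } |
            Select-Object -Last 1
        $mins = if ($boot) { [int]($f.TimeGenerated - $boot.TimeGenerated).TotalMinutes } else { $null }
        [pscustomobject]@{ Computer = $h; Time = $f.TimeGenerated; MinutesAfterBoot = $mins; Note = '' }
    }
}

# Every failure, oldest first, with how long after boot it happened.
$report | Where-Object { $_.Time } | Sort-Object Time |
    Format-Table Computer, Time, MinutesAfterBoot -AutoSize

# Failures per calendar day: a spike right after a patch rollout supports the update theory.
$report | Where-Object { $_.Time } | Group-Object { $_.Time.Date } |
    Select-Object Count, Name

# Hosts that returned nothing, so they are not mistaken for clean machines.
$report | Where-Object { $_.Note } | Select-Object Computer, Note
```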