From: Abigail on
I'm experiencing the following error warning every time W XP starts:
##
Event Error SecurityCenter ID: 1802

The Windows Security Center Service was unable to establish event queries
with WMI to monitor third party Antivirus and Firewall.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
###

I have the XP proprietary firewall active and use a third party Antivirus
software up to date that is not monitored by the system but why is this
referring to the firewall?
Thanks in advance
From: nass on


"Abigail" wrote:

> I'm experiencing the following error warning every time W XP starts:
> ##
> Event Error SecurityCenter ID: 1802
>
> The Windows Security Center Service was unable to establish event queries
> with WMI to monitor third party Antivirus and Firewall.
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
> ###
>
> I have the XP proprietary firewall active and use a third party Antivirus
> software up to date that is not monitored by the system but why is this
> referring to the firewall?
> Thanks in advance


The error about MS Security Center not being able to track or recognize your
anti-virus, check that the Firewall service for TrendMicro
is Enabled Auto and working in the Services control panel.

1... Click start >> Control Panel >> Double Click Network and Internet
Connections >> Double click Internet Options, on the IE Properties window
you will see these Options:
General | Security | Privacy | Content | Connections | Programs
| Advanced .

Click on General Tab (1st Tab on the left) and you will see a Button called
[ Clear History ..] click on it to clear your History caches, then click on
[Delete Files..] to delete Internet Files created over the time, click on [
Delete Cookies...] to delete your cookies left by visiting websites.

= Then try to Disable the Add-Ons on your Browser somehow installed on your
browser, On how to disable the Add-ons follow this:
Click on Programs Tab and then click the Manage Add-Ons Button there Disable
the None/Not Verified Plug-ins/Add-ons ( you need to Re-enable them one-by-one
later and see which is the culprit or you can send them here in your next
post) and click [OK] to confirm your Changes.
How to manage Add-Ons:
http://support.microsoft.com/kb/883256

Click on Advanced Tab and scroll down under the browsing option and uncheck
this box:
[&] Browsing
[ ] Enable Third-Party browser extensions (Req Rest) and click Apply
then OK to close your IE Properties.
Scan for malware from here:
SuperAntispyware - Free
http://www.superantispyware.com/superantispywarefreevspro.html

http://onecare.live.com/site/en-gb/default.htm?s_cid=sah
http://onecare.live.com/standard/en-gb/default.htm
Run a scan from here on-line:
http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
Download Avast Cleaner (offline scanner) from here:
http://www.avast.com/eng/avast-virus-cleaner.html
Comodo BOClean : Anti-Malware Version 4.27
http://www.comodo.com/boclean/boclean.html

Download Comodo Firewall and disable windows FW and see if the error will be
logged or you can go for Kerio or ZA free firewall.
http://www.personalfirewall.comodo.com/download_firewall.html

HTH,
nass
---
http://www.nasstec.co.uk
From: Abigail on
Nope, done with all your recommendations but the error is still present, any
more ideas?

Thanks
Abigail


"nass" wrote:

>
> The error about MS Security Center not being able to track or recognize your
> anti-virus, check that the Firewall service for TrendMicro
> is Enabled Auto and working in the Services control panel.
>
> 1... Click start >> Control Panel >> Double Click Network and Internet
> Connections >> Double click Internet Options, on the IE Properties window
> you will see these Options:
> General | Security | Privacy | Content | Connections | Programs
> | Advanced .
>
> Click on General Tab (1st Tab on the left) and you will see a Button called
> [ Clear History ..] click on it to clear your History caches, then click on
> [Delete Files..] to delete Internet Files created over the time, click on [
> Delete Cookies...] to delete your cookies left by visiting websites.
>
> = Then try to Disable the Add-Ons on your Browser somehow installed on your
> browser, On how to disable the Add-ons follow this:
> Click on Programs Tab and then click the Manage Add-Ons Button there Disable
> the None/Not Verified Plug-ins/Add-ons ( you need to Re-enable them one-by-one
> later and see which is the culprit or you can send them here in your next
> post) and click [OK] to confirm your Changes.
> How to manage Add-Ons:
> http://support.microsoft.com/kb/883256
>
> Click on Advanced Tab and scroll down under the browsing option and uncheck
> this box:
> [&] Browsing
> [ ] Enable Third-Party browser extensions (Req Rest) and click Apply
> then OK to close your IE Properties.
> Scan for malware from here:
> SuperAntispyware - Free
> http://www.superantispyware.com/superantispywarefreevspro.html
>
> http://onecare.live.com/site/en-gb/default.htm?s_cid=sah
> http://onecare.live.com/standard/en-gb/default.htm
> Run a scan from here on-line:
> http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym
> http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
> Download Avast Cleaner (offline scanner) from here:
> http://www.avast.com/eng/avast-virus-cleaner.html
> Comodo BOClean : Anti-Malware Version 4.27
> http://www.comodo.com/boclean/boclean.html
>
> Download Comodo Firewall and disable windows FW and see if the error will be
> logged or you can go for Kerio or ZA free firewall.
> http://www.personalfirewall.comodo.com/download_firewall.html
>
> HTH,
> nass
> ---
> http://www.nasstec.co.uk
From: nass on


"Abigail" wrote:

> Nope, done with all your recommendations but the error is still present, any
> more ideas?
>
> Thanks
> Abigail

MS:: <Quote>
Stopping and Starting the WMI Service

If you are experiencing problems with the WMI service you might need to
manually stop and restart the service. Before doing so you should enable
WMI's verbose logging option. This provides additional information in the WMI
error logs that might be useful in diagnosing the problem. To enable verbose
logging using the WMI control, do the following:
1. Open the Computer Management MMC snap-in and expand Services and
Applications.
2. Right-click WMI Control and click Properties.
3. In the WMI Control Properties dialog box, on the Logging tab, select
Verbose (includes extra information for Microsoft troubleshooting) and then
click OK.
Alternatively, you can modify the following registry values:
• Set HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\Logging to 2.
• Set HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\Logging File Max Size
to 4000000.
After enabling verbose logging try stopping the WMI service by typing the
following
Open a run command prompt:
net stop winmgmt

If the net stop command fails you can force the service to stop by typing
this:
winmgmt /kill

Important. If you are running Windows XP or Windows Server 2003 the WMI
service runs inside a process named Svchost; this process contains other
services as well as WMI. Because of that, you should not try to stop
Svchost; if you succeed, you'll stop all the other services running in that
process as well. Instead, use net stop winmgmt or winmgmt /kill in order to
stop just the WMI service.

You can then restart the service by typing the following command:
net start winmgmt

If the service does not restart try rebooting the computer to see if that
corrects the problem.
If it does not, then continue reading.
MS:: </Quote>

"WMI Diagnosis Utility"
http://www.microsoft.com/technet/scriptcenter/topics/help/wmidiag.mspx

Systems that have changed the default Access Control List permissions on the
%windir%\registration directory may experience various problems after you
install the Microsoft Security Bulletin MS05-051 for COM+ and MS DTC
http://support.microsoft.com/kb/909444
Also you can download the DiagWMI from here and some good solutions on the
page:
http://windowsxp.mvps.org/repairwmi.htm.

= Open a run command and try to re-register these DLLs:
regsvr32 hnetcfg.dll
regsvr32 netcfgx.dll
regsvr32 netman.dll
regsvr32 atl.dll
regsvr32 netshell.dll
Also try to repair the WMI as described here:
http://groups.google.com/group/microsoft.public.win32.programmer.wmi/msg/1da6ab3690bc75a0



From: Abigail on
Stopping and Starting WMI was successful but did not correct the error.
I downloaded and ran the WMI Diagnosis Utility and the following is the text
in the report (parts pertaining to the errors only) ::

####################
....92 20:38:01 (1) !! ERROR: The SYSTEM32 folder is NOT in the PATH.
....93 20:38:01 (1) !! ERROR: The WBEM folder is NOT in the PATH.
....94 20:38:01 (3) The PATH environment variable has a maximum length of
512 characters. Current PATH length is 18 characters.
....95 20:38:01 (4) Reading registry (REG_DWORD)
'HKCU\Software\Microsoft\Windows Script Host\Settings\Timeout'.
....96 20:38:01 (4) Reading registry (REG_DWORD)
'HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings\Timeout'.

...446 20:38:29 (1) !! ERROR: (ReadRegistry) : 0x80070002 - Invalid root in
registry key
"HKCR\CLSID\{D71EE747-F455-4804-9DF6-2ED81025F2C1}\InProcServer32\".
...447 20:38:29 (1) !! ERROR: (CheckWMIDCOMComponentRegistrations) :
'C:\WINNT\SYSTEM32\WBEM\FASTPROX.DLL' is not registered correctly, missing
'\CLSID\{D71EE747-F455-4804-9DF6-2ED81025F2C1}\InProcServer32'.

...451 20:38:29 (1) !! ERROR: (ReadRegistry) : 0x80070002 - Invalid root in
registry key
"HKCR\CLSID\{ED51D12E-511F-4999-8DCD-C2BAC91BE86E}\InProcServer32\".
...452 20:38:29 (1) !! ERROR: (CheckWMIDCOMComponentRegistrations) :
'C:\WINNT\SYSTEM32\WBEM\FASTPROX.DLL' is not registered correctly, missing
'\CLSID\{ED51D12E-511F-4999-8DCD-C2BAC91BE86E}\InProcServer32'.

...580 20:38:29 (1) !! ERROR: (ReadRegistry) : 0x80070002 - Invalid root in
registry key
"HKCR\CLSID\{4C6055D8-84B9-4111-A7D3-6623894EEDB3}\InProcServer32\".
...581 20:38:29 (1) !! ERROR: (CheckWMIDCOMComponentRegistrations) :
'C:\WINNT\SYSTEM32\WBEM\WBEMPROX.DLL' is not registered correctly, missing
'\CLSID\{4C6055D8-84B9-4111-A7D3-6623894EEDB3}\InProcServer32'.

18280 20:44:38 (1) !! ERROR: Environment:
.................................................................................................. 3 ITEM(S)!
18281 20:44:38 (1) !! ERROR: => The following path(s) is/are missing from
the PATH environment variable:
18282 20:44:38 (0) ** - C:\WINNT\SYSTEM32
18283 20:44:38 (0) ** - C:\WINNT\SYSTEM32\WBEM
18284 20:44:38 (0) ** Failing to have the listed path(s) in the
PATH environment variable
18285 20:44:38 (0) ** could prevent the system to work properly.
18286 20:44:38 (0) ** INFO: => 4 incorrect shutdown(s) detected on:
18287 20:44:38 (0) ** - Shutdown on 22 September 2008 00:03:18
(GMT+4).
18288 20:44:38 (0) ** - Shutdown on 24 September 2008 12:44:53
(GMT+4).
18289 20:44:38 (0) ** - Shutdown on 24 September 2008 12:49:36
(GMT+4).
18290 20:44:38 (0) ** - Shutdown on 26 September 2008 14:34:34
(GMT+4).

18388 20:44:38 (0) ** ERROR: WMIDiag detected issues that could prevent WMI
to work properly!. Check 'C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL
SETTINGS\TEMP\WMIDIAG-V2.0_XP___.CLI.RTM.32_HAL-9000_2008.10.01_20.37.20.LOG'
for details.
####################

"nass" wrote:

>
> MS:: <Quote>
> Stopping and Starting the WMI Service
>
> If you are experiencing problems with the WMI service you might need to
> manually stop and restart the service. Before doing so you should enable
> WMI's verbose logging option. This provides additional information in the WMI
> error logs that might be useful in diagnosing the problem. To enable verbose
> logging using the WMI control, do the following:
> 1. Open the Computer Management MMC snap-in and expand Services and
> Applications.
> 2. Right-click WMI Control and click Properties.
> 3. In the WMI Control Properties dialog box, on the Logging tab, select
> Verbose (includes extra information for Microsoft troubleshooting) and then
> click OK.
> Alternatively, you can modify the following registry values:
> • Set HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\Logging to 2.
> • Set HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\Logging File Max Size
> to 4000000.
> After enabling verbose logging try stopping the WMI service by typing the
> following
> Open a run command prompt:
> net stop winmgmt
>
> If the net stop command fails you can force the service to stop by typing
> this:
> winmgmt /kill
>
> Important. If you are running Windows XP or Windows Server 2003 the WMI
> service runs inside a process named Svchost; this process contains other
> services as well as WMI. Because of that, you should not try to stop
> Svchost; if you succeed, you'll stop all the other services running in that
> process as well. Instead, use net stop winmgmt or winmgmt /kill in order to
> stop just the WMI service.
>
> You can then restart the service by typing the following command:
> net start winmgmt
>
> If the service does not restart try rebooting the computer to see if that
> corrects the problem.
> If it does not, then continue reading.
> MS:: </Quote>
>
> "WMI Diagnosis Utility"
> http://www.microsoft.com/technet/scriptcenter/topics/help/wmidiag.mspx
>
> Systems that have changed the default Access Control List permissions on the
> %windir%\registration directory may experience various problems after you
> install the Microsoft Security Bulletin MS05-051 for COM+ and MS DTC
> http://support.microsoft.com/kb/909444
> Also you can download the DiagWMI from here and some good solutions on the
> page:
> http://windowsxp.mvps.org/repairwmi.htm.
>
> = Open a run command and try to re-register these DLLs:
> regsvr32 hnetcfg.dll
> regsvr32 netcfgx.dll
> regsvr32 netman.dll
> regsvr32 atl.dll
> regsvr32 netshell.dll
> Also try to repair the WMI as described here:
> http://groups.google.com/group/microsoft.public.win32.programmer.wmi/msg/1da6ab3690bc75a0
>
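
Added example, not part of the thread and not Microsoft's code: a small Python triage of a WMIDiag report pasted with wrapped lines, as in the post above. It rejoins continuation lines into records and pulls out the DLLs reported as not registered, the folders missing from PATH, and the reported PATH length. The function names and regular expressions are assumptions of this example; the sample is an excerpt of the posted report.

```python
import re

# Excerpt of the WMIDiag report from the post above, kept line-wrapped as posted.
SAMPLE = r"""....93 20:38:01 (1) !! ERROR: The WBEM folder is NOT in the PATH.
....94 20:38:01 (3) The PATH environment variable has a maximum length of
512 characters. Current PATH length is 18 characters.
...447 20:38:29 (1) !! ERROR: (CheckWMIDCOMComponentRegistrations) :
'C:\WINNT\SYSTEM32\WBEM\FASTPROX.DLL' is not registered correctly, missing
'\CLSID\{D71EE747-F455-4804-9DF6-2ED81025F2C1}\InProcServer32'.
...581 20:38:29 (1) !! ERROR: (CheckWMIDCOMComponentRegistrations) :
'C:\WINNT\SYSTEM32\WBEM\WBEMPROX.DLL' is not registered correctly, missing
'\CLSID\{4C6055D8-84B9-4111-A7D3-6623894EEDB3}\InProcServer32'.
18282 20:44:38 (0) ** - C:\WINNT\SYSTEM32
18283 20:44:38 (0) ** - C:\WINNT\SYSTEM32\WBEM
"""

# A record starts with a dot-padded sequence number, a time and a level in parentheses.
RECORD_START = re.compile(r"^\.*(\d+) (\d\d:\d\d:\d\d) \((\d)\) (.*)$")
UNREGISTERED = re.compile(r"'([^']+\.DLL)' is not registered correctly, missing '([^']+)'", re.I)
MISSING_PATH = re.compile(r"^\*\*\s+-\s+([A-Za-z]:\\\S+)$")
PATH_LENGTH = re.compile(r"Current PATH length is (\d+) characters")

def records(text):
    """Rejoin wrapped lines into (sequence, level, message) records."""
    out = []
    for line in text.splitlines():
        m = RECORD_START.match(line)
        if m:
            out.append([int(m.group(1)), int(m.group(3)), m.group(4).strip()])
        elif out and line.strip():  # continuation of the previous record
            out[-1][2] += " " + line.strip()
    return [tuple(r) for r in out]

def triage(text):
    """Summarise what the report says is broken."""
    result = {"unregistered": {}, "missing_path": [], "path_length": None}
    for _seq, _level, msg in records(text):
        if (m := UNREGISTERED.search(msg)):
            result["unregistered"].setdefault(m.group(1), []).append(m.group(2))
        elif (m := MISSING_PATH.match(msg)):
            result["missing_path"].append(m.group(1))
        elif (m := PATH_LENGTH.search(msg)):
            result["path_length"] = int(m.group(1))
    return result

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```
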