Installing Patch for Visual Basic 6 (MS12-046/Q2688865) fails. The failure often returns the exit code -2147023728.
Cause
This appears to be a problem with the patch itself (rather than with our product). The issue has been presented to the vendor for correction, though no corrections have been made available to date.
Work Around
If a supported version of an Office product is installed (BOTH version and SP), MS12-046 should be indicated as missing for both the Office product and the operating system.
In this case, installing (e.g. deploying) the Office patch will succeed, and future scans will show the patch as installed for both the Office product and for the operating system.
If both patches are deployed, the operating system patch installation will fail, but the Office product patch installation will still succeed, and future scans will show the patch as installed for both the Office product and for the operating system (the affected DLL gets updated).
If an Office product is installed, but the patch is not indicated as missing for that Office product, then the Office product is likely an older, unsupported version. After upgrading the Office product (i.e. to a supported version or service pack level), you should be able to proceed as outlined above.
If no Office product is installed, a third-party product installed the affected DLL, and the third-party should supply the necessary patch.
Installing the operating system patch manually (e.g. as a logged-in user) will usually succeed, but may not patch the affected program. See Frequently Asked Questions "I have applied the required Microsoft security updates, but I still have an affected version of the Visual Basic for Applications runtime (VBE6.dll) on my system. How do I update this DLL?" in http://technet.microsoft.com/en-us/security/bulletin/ms12-046
If this does not correct your issue please consider checking with our community of users at
This document outlines the services that the Protect Console and Protect Agents utilize. This may be necessary for adding exclusions for anti-virus, or for documenting internally.
Services
Display Name: Shavlik Protect Console Service
Service Name: STConsoleSvc
Description: Provides support for Shavlik Protect management functions
Path to executable: "C:\Program Files\LANDesk\Shavlik Protect\ST.ServiceHost.exe"
Computers Affected: This service only shows on the Protect Console computer.

Display Name: ST Remote Scheduler Service
Service Name: STSchedEx
Description: Supports patch management and related operations
Path to executable: C:\Windows\ProPatches\Scheduler\STSchedEx.exe
Computers Affected: This service will show on any computer that an agentless deployment occurred.

Display Name: Shavlik Protect Agent
Service Name: STAgent
Description: Provides network services for Shavlik Protect Agent components
Path to executable: "C:\Program Files (x86)\LANDesk\Shavlik Protect Agent\STAgent.exe"
Computers Affected: This service will show on any computer that has a Protect Agent installed, regardless of tasks the agent policy uses.

Display Name: Shavlik Protect Agent Dispatcher
Service Name: STDispatch
Description: Provides dispatching for Shavlik Protect Agent components
Path to executable: "C:\Program Files (x86)\LANDesk\Shavlik Protect Agent\STDispatch.exe"
Computers Affected: This service will show on any computer that has a Protect Agent installed, regardless of tasks the agent policy uses.

Display Name: Shavlik Protect Threat Engine
Service Name: STThreat
Description: Provides dispatching for Shavlik Protect Agent components
Path to executable: "C:\Program Files (x86)\LANDesk\Shavlik Protect Agent\STThreat.exe"
Computers Affected: This service will show on any computer that has a Protect Agent installed that is also using Threat Protection.

Note: As of Protect 9.1 only 64-bit Operating Systems will be supported, so all agent paths will be within the Program Files directory.
In version 9.1, by default they are not checked and the option reads “Detect only these user criticalities”. If you upgraded to 9.1, these settings will be checked if they were checked before you upgraded. Unless you have set the criticality on the patches yourself, you will not get any results.
Customers with a large number of previous scan results and/or a slow or heavily loaded SQL server may experience a failure when upgrading their Protect database from one version to another.
This document is meant to provide a resolution for database upgrade issues where the main reason for failure is a database connection timeout.
Symptoms
You receive a message such as the following within the GUI or a pop-up window of the upgrade:
- "Database conversion error"
- "Database connection timeout"
- "Failed to commit the database installation or upgrade"
AND
The ST.DatabaseConfiguration.log may contain one of the following errors:
System.Data.SqlClient.SqlException: Timeout expired. The timeout period elapsed prior to completion of the operation or the server is not responding.
2013-05-09T11:42:11.2629539Z 0001 E DBInstallWizard.WizardFinishClick|Failed to commit or save the database installation.: A SQL Server query operation timed out. Consider increasing the command timeout in the configuration file.
SqlError message: 'Timeout expired. The timeout period elapsed prior to completion of the operation or the server is not responding.'
Cause
The database upgrade process may be taking longer than the default allotted timeout period, or the connection to the SQL server may be slow/unstable.
Resolution
There are two suggested steps to work around this issue:
1) The SQL transaction log may be significantly larger than necessary. Using SQL Server Management Studio, verify that the transaction log for your database is set to grow or has a max size setting that is large enough (we have seen 4GB databases require 12GB for logs). Do a FULL back up of the transaction log to force its truncation. This is a good practice to verify that enough free disk space is available to perform the upgrade process.
2) The database upgrade function may be timing out on a single command. The default command timeout is 30 minutes. This timeout is implemented to provide feedback in case the command is not responsive or hangs. However, in some environments altering tables with large amounts of data may require more than 30 minutes to complete.
If the upgrade failure was related to a timeout, this timeout value can be increased by running the installer with an extra parameter from the command line as follows:
For instance: Shavlik Protect 9.0: "ShavlikProtectPatch_9.0.1182.exe" /wi:"DBCOMMANDTIMEOUT=10800"
Note: The value is in seconds (10800 equals 3 hours)
This document explains the capabilities of Role Based Administration in Protect.
Explanation of how Role Based Administration works
You can assign different roles to different users of Shavlik Protect. This enables you to make the program available to a wide variety of people within your organization while maintaining control over its use. The role assigned to a user determines what that particular user can do.
When Shavlik Protect is launched it checks if role-based administration is enabled. If so, the program then looks to see if the current user has been assigned a role. If the user has been assigned a role, the program grants that user access to only those features allowed by their role. For example, you may have a number of users who are allowed to create reports, but only one or two users who have permission to deploy patches. The following types of Role Definitions are available:
Administrator: Full access to all features of the program. Only an administrator user can modify the roles assigned to other users.
CAUTION! If you assign the Administrator role to only one user, make sure you know how to log on to the console machine using that user. Otherwise it is possible to lock yourself out from certain features, with the only solution being to reinstall the program.
Full User: Access to all features except for the ability to administer roles.
Scan and Report Only: Can perform patch scans and can generate reports.
Deploy and Report Only: Can perform patch deployments and can generate reports.
Report Only: Can generate reports.
Features that are not available due to role limitations will be either grayed out or removed from the interface. If a user has not been assigned a role they will not be able to start the program. It is not possible for a user to switch roles while within the program.
Role-based administration is initially disabled. Until you enable this feature, all users will have full access to the program. You enable and configure role-based administration via the Manage > User Roles Assignment menu. See Assigning User Roles and Enabling and Disabling Role-based Administration for detailed information.
An error is present in the ST.Protect.Managed log:
2014-12-15T16:24:58.9102861Z 0001 C Launcher.cs:73|System.InvalidOperationException: Crash from main UI thread ---> System.InvalidOperationException: Crash from main UI thread ---> System.ArgumentException: An item with the same key has already been added.
Cause
There is a duplicate username and password for two different credentials under Manage > Credentials.
Resolution
Delete one of the duplicate credentials under Manage > Credentials.
The following applies in a scenario where you may have one of the following setups:
- One Protect console connected to the internet, and other Protect consoles within an offline (disconnected) network.
- The internet connected console may be a rollup console with the other consoles sending results back to it.
This document is meant to provide an overview of requirements necessary for this configuration and the specific options that need to be set for this to work.
Requirements/Pre-Requisites
You will need to be able to set up a distribution server (share) that can be accessible in both the internet connected and disconnected networks, and it must meet any connection/port requirements. See the following linked documentation for more information on configuring a distribution server and any requirements:
*Note* For the configurations mentioned below it would be easiest to use your existing 'Patch download directory' as the share for the distribution server. This way the patch downloads from your internet facing console will automatically be downloaded to the share and patch files don't need to be synced.
Configuration
This section assumes that you have already set up a distribution server meeting all requirements outlined in above documents. Below are the special requirements or information you may need to set up special configurations. The graphic below is intended to provide a basic illustration of possible configurations covered here.
Using Distribution Server to Host Datafiles & Patch Files for disconnected consoles
This configuration is meant to be used if you have at least one offline console system that can reach the distribution server share. This allows the offline console(s) to update patch & threat definitions, binaries, and patch files easily without being connected to the internet.
*Note* The distribution server will need to be set up under Tools > Operations > Distribution Servers for all consoles.
Once you have your distribution server set up in all consoles, change the following settings for the Protect console systems within the offline network:
1. Go into Tools > Operations.
2. Click the 'Downloads' tab.
3. Change the 'Definition download source' to "Specific Distribution Server" and set it to use your distribution server.
4. Change the 'Patch and Service Pack download source' to use a "Specific Distribution Server" and point to your distribution server.
(Optional) You can set the 'Schedule automatic downloads' settings.
Important: This configuration requires that you are downloading the latest engines, definitions, and patch files on your internet connected console, and that you are synchronizing those downloads to the distribution server from the internet connected console. Definitions are downloaded by running Help > Refresh Files, and patch files are downloaded manually - either using View > Patches or by downloading from a scan result.
If the latest definitions and patches do not exist on the distribution server share, your offline consoles will not display the latest patches and will most likely fail to install many outdated patches.
If the "Specific Distribution Server" section is grayed out and cannot be chosen, refer to this document:
You can still use the data rollup function, however, you will need to either:
A) Open port 3121 and have a connection available to the master console system, or;
B) Set up port forwarding to port 3121 from one network to the other. We do not assist in setting this up so you will need to contact your network admin.
This will allow you to run reports on your master console to see the current status of all machines in your environment. Note that the master console for data rollup has no control over the other Protect consoles - it is only able to run reports based on results available from any other console that is set to run data rollup to the master console.
More information about setting up the data rollup function can be found here:
Distribution server synchronizations are failing to take place.
AND
When setting up or editing a distribution server, you click 'Test Connection', and receive the error message:
Path is not accessible at this time: The communication object, System.ServiceModel.Channels.ServiceChannel, cannot be used for communication because it is in the Faulted state.
Within the ST.ServiceHost.managed.log there may be the following:
2014-12-11T23:22:24.2616476Z 0026 E CredentialsService.cs:230|System.ComponentModel.Win32Exception (0x80004005): The validation information class requested was invalid
at ST.Core.Win32.WindowsIdentityExtensions.LogOnUser(String userName, String domain, SecureString password, LogOnType logOnType)
at ST.Core.Win32.WindowsIdentityImpersonator..ctor(String userName, SecureString password)
at ST.Services.Deployment.Credentials.CredentialsService.CheckPathAccess(String path, ServiceCredential credential)
Cause
The problem is related to how you're attempting to specify a Microsoft account that is set up as an administrator.
See the example below. You can see that Windows shows the user account with the user's name as well as the email account it is associated with.
If your Protect console is installed on a system where a Microsoft account is also the local Administrator, when you go to add a new credential to Protect the default offering for an account will be the local administrator - .\User. In this case, .\Adam.
However, when Protect attempts to use a Microsoft account in this format for connecting to a share, it fails with the above error.
Resolution
Specify the Microsoft account with the user entered as the email address associated to the account. The connection will succeed if you specify the account in this way.
Within Tools > Operations > Downloads you see that "Specific Distribution Server" is grayed out under Definition download source, and you do have distribution server(s) configured in this Protect console already.
1) Ensure that you have at least one Distribution Server configured within Tools > Operations > Distribution Servers.
2) Ensure that the Distribution Server you intend to use as a definition download source is not configured for any Scheduled automatic synchronization under Tools > Operations > Distribution Servers.
Additional Information
Be aware that if you are intending to use a Distribution Server (share) as a definition download source - this share must be getting new data copied into it from a separate console that has an internet connection.
Refer to the following documentation for more information:
Protect 9.1 is already installed on your new system. The Migration Tool is built into Protect, so you can go to Start > All Programs > Shavlik Protect > Migration Tool and run the Migration GUI from there.
I've been trying to use the null patch to call a .bat file that I have used successfully in the past, but the deployment fails. I then tried to use it just to remove the scheduler, which had also been set up previously and was working. Neither operation will work. Following are the errors I receive:
No patches were deployed. Please review the program logs to determine the cause.
Patch deployment canceled due to failure building deployment instructions.
Error on machine 'mypc': Failed
I don't use this often, so I may well be missing something stupid, but as I've used two previously successful deployment templates, I am confident that they are ok. Thanks, in advance, for any thoughts!
This document will show you how to manually set language localization for the Shavlik Protect interface. This workaround is only needed when the language setting in Tools > Options > Display fails to change the language for the Shavlik Protect interface after restarting the GUI.
Resolution
1. Close Protect and open regedit.
2. Navigate to HKEY_CURRENT_USER\Software\LANDesk\Shavlik Protect\Console\Options
3. Add the String Value: CurrentLanguage
4. Modify the CurrentLanguage string and add one of the following language codes:
en-US
es-ES
fr-FR
it-IT
ja-JP
ko-KR
pt-BR
ru-RU
zh-CN
zh-TW
5. Close regedit and open Protect and verify the Shavlik Protect interface language has changed.
This document outlines how to scan and show only specific patches in the results, or how to scan and not include certain patches in the results.
Symptoms
While scanning, certain patches are offered that are not desired. Example: Your organization uses Java 7u40 and upgrading to Java 7u45 will disrupt other programs in your environment.
Adding Patches to a Patch Group
To scan or exclude specific patches, begin by assigning the desired patches to a Patch Group. In Protect, open Patch View.
In the Patch Scan Template window, enter a Name and Description to identify the scan template. Under Patch type filter settings select Scan All. Under Patch filter settings select Scan Selected, then click the Patch group(s) browse button.
The Shavlik Protect Agent is installed on a machine that is associated with an Agent Policy configured with Threat Tasks and Actions, but Active Protection is not enabled in the Agent Policy.
The Scheduled Tasks log tab shows a status 1326 when the deleted task was last attempted.
The ST.Activation.managed.SYSTEM@NT AUTHORITY log shows the following error: "Failed to check access to 'xxx.x.x.x', error: 1326".
System error code 1326 means "Logon failure: The user name or password is incorrect." This error code may also display as "ERROR_LOGON_FAILURE" or as the value 0x52E.
The Scheduled Tasks log tab shows a status 1331 when the deleted task was last attempted.
The ST.Activation.managed.SYSTEM@NT AUTHORITY log shows the following error: "Failed to check access to 'xxx.x.x', error: 1331".
System error code 1331 means "Logon failure: account currently disabled." This error code may also display as "ERROR_ACCOUNT_DISABLED" or as the value 0x533.
Shavlik Protect will delete a recurring task after credentials fail. A new task will need to be created with proper credentials.
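The 1326 and 1331 values above are plain Win32 system error codes, while the -2147023728 exit code quoted for the MS12-046 install at the top of this page is a signed 32-bit HRESULT that wraps one. The following Python script is an added example, not Shavlik code: it decodes both forms and triages "Failed to check access" lines. The sample log lines, their timestamps and the 192.0.2.x addresses are constructed, and the function names are hypothetical.

```python
import re

# Standard winerror.h names; message text for 1326/1331 as quoted on this page.
WIN32_ERRORS = {
    1168: ("ERROR_NOT_FOUND", "Element not found."),
    1326: ("ERROR_LOGON_FAILURE",
           "Logon failure: The user name or password is incorrect."),
    1331: ("ERROR_ACCOUNT_DISABLED",
           "Logon failure: account currently disabled."),
}
FACILITY_WIN32 = 7

# Message format taken from the ST.Activation log excerpt on this page.
ACCESS_RE = re.compile(
    r"Failed to check access to '(?P<target>[^']+)', error: (?P<code>-?\d+)")


def decode_code(value):
    """Decode a plain Win32 error or a signed/unsigned 32-bit HRESULT."""
    unsigned = value & 0xFFFFFFFF                 # undo the signed representation
    info = {"hex": "0x%08X" % unsigned, "is_hresult": False, "win32": None}
    if unsigned & 0x80000000:                     # severity bit set: HRESULT failure
        info["is_hresult"] = True
        facility = (unsigned >> 16) & 0x7FF       # facility lives in bits 16-26
        if facility == FACILITY_WIN32:
            info["win32"] = unsigned & 0xFFFF     # low word is the Win32 code
    elif unsigned <= 0xFFFF:
        info["win32"] = unsigned                  # already a Win32 code
    name, text = WIN32_ERRORS.get(info["win32"], ("UNKNOWN", ""))
    info["name"], info["text"] = name, text
    return info


def triage(lines):
    """Return one finding per access-check failure found in the log lines."""
    findings = []
    for line in lines:
        match = ACCESS_RE.search(line)
        if not match:
            continue
        info = decode_code(int(match.group("code")))
        findings.append({"target": match.group("target"),
                         "code": info["win32"], "name": info["name"]})
    return findings


# Constructed sample lines (timestamps and addresses are made up).
SAMPLE_LOG = [
    "2015-01-05T08:00:01Z 0004 E Failed to check access to '192.0.2.10', error: 1326",
    "2015-01-05T08:00:02Z 0004 I Scan task started",
    "2015-01-05T08:05:09Z 0004 E Failed to check access to '192.0.2.22', error: 1331",
]

if __name__ == "__main__":
    print(decode_code(-2147023728))
    for finding in triage(SAMPLE_LOG):
        print(finding)
```
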
Solution
Verify that Credentials are correct for the target machine in the scan task using the following steps:
Verify which user was logged into the console machine when the scan task was created and log in to the console machine as that user.
Verify the credential listed as default credential under Manage Credentials.
Log in to the console as the user listed as default credential under Manage Credentials in the last login.
Make sure that you can access the default administrative share (c$) on the target machine.
For other scanning prerequisites please visit the following link to online help:
This document outlines how to restore a Shavlik Database to an SQL Instance.
Resolution
Shavlik Protect does not have a built in Restore from Backup utility. Use the following instructions to use SQL Server Management Studio to restore from backup:
If you have not yet installed it, download and install SQL Server Management Studio.
If using SQL 2005 you will need the 2005 Version here.
If using SQL 2008 you’ll need the 2008 Version here.
If using SQL 2012 you will need the 2012 Version here.
Restore database using SQL Server Management Studio as found in this Microsoft Article.
Run the Shavlik Database Setup Tool (this can be found at Start Menu > All Programs > Shavlik Protect > Database setup tool), and choose to use the existing database that was just restored from backup.
Please note: You must have a /quiet switch for this to install silently.
1. You must then push out the msu, wusa.exe, and batch file to the target machine.
2. Call the batch file.
3. The batch should look something like this: wusa.exe C:\WINDOWS\ProPatches\Install\example.msu /quiet
This document outlines how to scan for the Null Patch, then use custom actions to stop a Windows Service with a batch file, and install a 3rd party program.
Scanning for null patch
Custom Actions only run during a deployment. Deployments can only occur if a scan has found a missing patch it can deploy. In some situations it may not be desirable to apply missing patches to a computer, or there may be no missing patches to deploy. In either case you can scan for Custom Action patches (the Null patch). The Null patch is a file created by Shavlik that will always show as missing and, when run, does absolutely nothing. It provides a way to run a deployment and only modify the target computer based on the custom action.
A Custom Action is associated with a Deployment Template, which means it can only be used during a deployment. Now that there is a missing patch available to deploy (re: Scanning for Null Patch), this video will cover how to set up a custom action for use.
In this video, we set up a custom action to stop a service using a batch file, and then install a 3rd party program.
This article provides steps to completely remove all components of the Protect agent from a client system and then perform a clean reinstallation of the agent.
Note: This article is only applicable to full removal of the 8.x & 9.x versions of the agent.
Caution: Do not perform these steps on your vCenter Protect console machine.
Resolution
To uninstall and then reinstall the vCenter Protect agent:
Uninstall the VMware vCenter Protect agent/ Shavlik Protect Agent and its components from Add/Remove Programs or Programs & Features in the Windows Control Panel.
Delete the ProgramData/App Data folders:
Version 9.x
Vista & Newer – C:\ProgramData\LANDesk\Shavlik Technologies
Windows 2008, 2008 R2, Vista, and 7 – C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys
Windows 2003, 2003 R2, and XP – C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
Notes:
You can open these files using a text editor, such as notepad, and then use CTRL+F to search for the words console and agent in each of these files.
If any of the files have the word console or agent in plain text, delete the file. Do not delete any files that do not contain these words in plain text.
IMPORTANT: Do not delete any certificates or files in the Crypto\RSA\MachineKeys folder that you are not sure about. If you have any questions, contact Shavlik Support.
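The manual search described in the notes above can be done read-only with a script, so that candidate files are listed for review before anything is removed. This Python script is an added example, not a Shavlik tool: it reports which files in the folder contain the words in plain text and deletes nothing. Matching UTF-16 text as well as ASCII is an assumption that goes beyond the note, and the function names are hypothetical.

```python
import os
import sys

# Words the article says to look for in plain text.
KEYWORDS = ("console", "agent")

# Folder from the article for Vista and newer; pass another path as argv[1]
# (for example the Windows 2003/XP location listed above).
DEFAULT_DIR = r"C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys"


def keyword_hits(data):
    """Return the keywords present in the raw bytes, case-insensitively."""
    lowered = data.lower()          # lowercases ASCII letters only
    hits = []
    for word in KEYWORDS:
        # Assumption: text may be stored as ASCII or as UTF-16LE.
        if word.encode("ascii") in lowered or word.encode("utf-16-le") in lowered:
            hits.append(word)
    return hits


def scan_folder(folder):
    """Read every file in the folder (not recursive) and report matches.

    Returns (matches, unreadable): matches maps file name -> keywords found,
    unreadable lists files that could not be opened (e.g. access denied).
    Nothing is modified or deleted.
    """
    matches, unreadable = {}, []
    with os.scandir(folder) as entries:
        files = sorted((e for e in entries if e.is_file(follow_symlinks=False)),
                       key=lambda e: e.name)
    for entry in files:
        try:
            with open(entry.path, "rb") as handle:
                data = handle.read()
        except OSError:
            unreadable.append(entry.name)
            continue
        hits = keyword_hits(data)
        if hits:
            matches[entry.name] = hits
    return matches, unreadable


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_DIR
    found, skipped = scan_folder(target)
    for name, words in found.items():
        print("REVIEW  %s  contains: %s" % (name, ", ".join(words)))
    for name in skipped:
        print("SKIPPED %s  (could not be read; check manually)" % name)
    print("%d candidate file(s), %d unreadable" % (len(found), len(skipped)))
```

Files reported as SKIPPED usually need an elevated prompt to read; treat them as unknown rather than as safe to delete.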
NOTE: It is highly recommended to perform a backup of the registry before performing any modifications.