Failed installs of MS07-040 - .NET Framework 1.1 SP1 - Windows 2000/XP

(imported topic written by tj12)

Hi Folks,

Is anybody else experiencing failed installations of Q931212 (MS07-040: Vulnerabilities in .NET Framework Could Allow Remote Code Execution - .NET Framework 1.1 SP1 - Windows 2000/XP)?

Here is the failed log from one of the machines in the console:

The action has been run 1 time.

Action has failed and is waiting before trying again.

Completed: download

Completed: continue if {(size of it = 9249736 and sha1 of it = “20112ef50011e0de2c0e3378139245d81a178b15”) of file “NDP1.1sp1-KB928366-X86.exe” of folder “__Download”}

Completed: wait __Download\NDP1.1sp1-KB928366-X86.exe /q

Completed: run “{pathname of client folder of site “BESSupport” & “\RunQuiet.exe”}” “{pathname of client folder of site “BESSupport” & “\qchain.exe”}”

Completed: action may require restart

When I manually run the patch from the __Download folder using the parameters, “NDP1.1sp1-KB928366-X86.exe /q,” the patch installs correctly and then shows as fixed in the console.

Any ideas?


(imported comment written by BenKus)

Hey Tim,

The only difference between the way the BES Client runs the application and the way you ran the application manually is that the BES Client runs as the SYSTEM account and you were logged in as a user. This normally doesn’t affect MS patches (and we haven’t had any other reports of a similar issue), but it might be interesting to note.

Do you have any specific security policies in place that you think might be affecting this patch run as SYSTEM? And does this happen on all your computers or just a subset?


(imported comment written by tj12)

Hi Ben,

I can’t seem to find a common ground between all the machines that are failing. Out of 667 that have currently failed, 2 are desktops and the rest are laptops. The failures span multiple hardware manufacturers from different locations in the country. All affected systems are Windows XP SP2.

Here is the local machine log even though the machine is reporting to the console as failed for our task 2413:

At 11:39:13 -0500 -

ActionLogMessage: (action 2413 ) JobReady - ok to start

ActionLogMessage: (action 2413 ) starting action

At 11:39:16 -0500 - Enterprise Security (

Command succeeded (Using download manager collected file) download (fixlet 2413)

Command succeeded (evaluated true) continue if {(size of it = 9249736 and sha1 of it = “20112ef50011e0de2c0e3378139245d81a178b15”) of file “NDP1.1sp1-KB928366-X86.exe” of folder “__Download”} (fixlet 2413)

At 11:40:04 -0500 - Enterprise Security (

Command succeeded wait __Download\NDP1.1sp1-KB928366-X86.exe /q (fixlet 2413)

At 11:40:06 -0500 - Enterprise Security (

Command succeeded run “C:\Program Files\BigFix Enterprise\BES Client__BESData\BES Support\RunQuiet.exe” “C:\Program Files\BigFix Enterprise\BES Client__BESData\BES Support\qchain.exe” (fixlet 2413)

Command succeeded (No pending restart) action may require restart (fixlet 2413)

At 11:44:55 -0500 - actionsite (

Relevant - Status of Action 2413 (fixlet:2147486061)

At 11:46:33 -0500 -

Report posted successfully.

Based on what I see here, the machine log appears to have run the task successfully and reported back to the relay successfully. Now I’m puzzled. Any ideas?


(imported comment written by jessewk)

Hi Tim,

Instead of manually running the patch from __Download, can you reissue the action, but edit the action script to remove the /q on the ‘wait’ line? This will cause the patch UI to show and you might get an error message telling you what is wrong.

When you run it manually the patch runs in your user context, while running it via an action will get the patch running in system context. It may be there is a problem running in the system context that doesn’t exist when you run it manually in user context.

Just something to help troubleshoot, sorry I don’t have a sure answer.