Pending Restart

(imported topic written by boostaz191)

I am trying to get a grip on my pending restart operations. However, we run GroupWise, which incorrectly uses the “PendingFileRenameOperations” of key “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager”, so to counteract this I have set the following.

setting “_BESClient_ActionManager_PendingRestartExclusions”=“Text%2ehtm%3bMime%2e822%3bGWViewer%3b” on “Mon, 20 Aug 2007 16:40:05 +0000” for client

However, this has not corrected the problem. I have systems which report back as pending restart. I have created the following analysis to help me identify which restarts are valid.

Properties

Triggered by BES

Period Every Report

(exists key "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\BESPendingRestart" of it AND exists value "BESPendingRestart" of key "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\BESPendingRestart" of it) of registry OR (exists key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" of it AND exists value "BESPendingRestart" of key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" of it) of registry

Not Triggered by BES

Period Every Report

pending restart

Triggerd By MS

Period Every Report

exists value "PendingFileRenameOperations" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" of registry

Invalid restart

Period Every Report

value "PendingFileRenameOperations" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" of registry as string contains ".htm"

Value of Pending Restart

Period Every Report

value "PendingFileRenameOperations" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" of registry as string

Here is an example of the results:

XXXXX True True True True ??\C:\DOCUME~1\XXXXX\LOCALS~1\Temp\Text.htm%00%00??\C:\DOCUME~1\XXXXX\LOCALS~1\Temp\Lessons Learned 080507.doc%00%00??\C:\WINNT\system32\SETB10.tmp%00!??\C:\WINNT\system32\ntdsa.dll%00??\C:\WINNT\system32\SETB11.tmp%00!??\C:\WINNT\system32\sp3res.dll%00??\C:\WINNT\system32\DllCache\SETB12.tmp%00!??\C:\WINNT\system32\DllCache\sp3res.dll%00??\C:\WINNT\system32\DllCache\SETB13.tmp%00!??\C:\WINNT\system32\DllCache\ntdsa.dll%00??\C:\WINNT\system32_000006_.tmp.dll%00%00??\C:\WINNT\system32\SET24DC.tmp%00!??\C:\WINNT\system32\GDI32.DLL%00??\C:\WINNT\system32\DllCache\SET24DD.tmp%00!??\C:\WINNT\system32\DllCache\GDI32.DLL%00%00

XXXXX True True True True

XXXXX False True True True

XXXXX True True True True ??\C:\DOCUME~1\XXXXX\LOCALS~1\Temp\Text.htm%00%00??\C:\DOCUME~1\XXXXX\LOCALS~1\Temp\TEXT.htm%00%00??\C:\DOCUME~1\XXXXX\LOCALS~1\Temp\Text.htm%00%00??\C:\DOCUME~1\XXXXX\LOCALS~1\Temp\Mime.822%00%00??\C:\WINDOWS\System32\spool\drivers\W32X86\3\temp\mdi31.tmp%00%00??\C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\New\mdiui.dll%00??\C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\mdiui.dll%00??\C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\New\mdiui.dll%00??\C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\mdiui.dll%00??\C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\New\mdiui.dll%00??\C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\mdiui.dll%00??\C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\New\mdiui.dll%00??\C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\mdiui.dll%00??\C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\New\mdiui.dll%00??\C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\mdiui.dll%00??\C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\New\mdiui.dll%00??\C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\mdiui.dll%00%00

XXXXX False True True True ??\C:\DOCUME~1\XXXXX\LOCALS~1\Temp\ROI Lessons Learned 8-17-07.doc%00%00??\C:\DOCUME~1\XXXXX\LOCALS~1\Temp\Mime.822%00%00??\C:\DOCUME~1\XXXXX\LOCALS~1\Temp\Text.htm%00%00??\C:\DOCUME~1\XXXXX\LOCALS~1\Temp\GWViewer\EmpReferralApp 07.doc%00%00??\C:\DOCUME~1\XXXXX\LOCALS~1\Temp\Mime.822%00%00??\C:\DOCUME~1\XXXXX\LOCALS~1\Temp\Text.htm%00%00%00

XXXXX True True True True

COMPUTER AND USER NAMES HAVE BEEN REMOVED TO PROTECT INDIGENT.

(imported comment written by BenKus)

Hey boostaz,

Yea… this is quite a pain because technically your computer does need a restart if that “pendingfilerenameoperations” value exists at all… but so many applications are so bad about making restart operations occur for trivial reasons.

To help address this, we built 3 Fixlets which work in BES 6.0+ that identify when a restart is needed for BigFix reasons and when they are not related to BigFix. Here is some more info:

http://forum.bigfix.com/viewtopic.php?id=646

Do the new Fixlets help solve your issue?

Ben

(imported comment written by boostaz191)

So am I supposed to review these fixlets and see if a system I have which is reporting pending restart is listed? That's kind of a pain to do for 600+ systems…

(imported comment written by dgibson91)

I am not sure what you are trying to accomplish with this analysis, but it doesn’t appear correct. “Triggered by BES” is correct, but “Not Triggered by BES” is not and “Triggerd By MS” does not necessarily mean Microsoft requested the restart.

We had a problem with McAfee incorrectly setting the Pending restart operation which sounds similar to the problem you are having. Take a look at this post:

http://forum.bigfix.com/viewtopic.php?id=879

Maybe you can modify the action to remove the entry you are seeing.

I also created a Pending File Rename Operations property, but did it a little differently. I return the results as an array, instead of a single string. This makes reporting for reoccurring entries easier.

(if exists value "PendingFileRenameOperations" of it then (substrings separated by "<–blah–>" whose (it != "") of concatenation of (if (it = character 0) then "<–blah–>" else it) of characters of (value "PendingFileRenameOperations" of it as string)) else nothings ) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" of registry

Not exactly related, but one you may find useful is the “Actions Required at Logon” property I created. We use this to see if certain application or patch installs need administrators to log in.

values of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" of registry ; values of keys of key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx" of registry

Hope this helps.

Daryl
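
Added example, not code from any poster in this thread or from BigFix: it parses a value in the %00-delimited form shown in the results above into source/destination pairs, which goes one step beyond the flat array in the relevance above, and lists the operations left once the exclusion entries from the first post are applied. The case-insensitive substring match on the source path is an assumption for illustration, not the BES client's documented matching rule, and the sample value is constructed.

```python
from urllib.parse import unquote

# Exclusion setting exactly as quoted in the first post (percent-encoded).
EXCLUSION_SETTING = "Text%2ehtm%3bMime%2e822%3bGWViewer%3b"

# Constructed sample in the same %00-delimited form as the results above;
# the file names Report.doc and Form.doc are made up for this example.
SAMPLE = (
    r"??\C:\DOCUME~1\XXXXX\LOCALS~1\Temp\Text.htm%00%00"
    r"??\C:\DOCUME~1\XXXXX\LOCALS~1\Temp\Report.doc%00%00"
    r"??\C:\WINNT\system32\SETB10.tmp%00!??\C:\WINNT\system32\ntdsa.dll%00"
    r"??\C:\DOCUME~1\XXXXX\LOCALS~1\Temp\GWViewer\Form.doc%00%00%00"
)

def parse_exclusions(setting):
    """Decode the setting and return its non-empty entries, lower-cased."""
    return [e.lower() for e in unquote(setting).split(";") if e]

def parse_operations(raw):
    """Split the value into (action, source, destination) tuples.

    Entries come in source/destination pairs: an empty destination means
    delete the source, and a leading '!' means replace an existing file.
    """
    tokens = raw.split("%00")
    if len(tokens) % 2:
        tokens.append("")          # unpaired trailing source
    ops = []
    for src, dst in zip(tokens[0::2], tokens[1::2]):
        if not src:
            continue               # padding left by the trailing terminators
        if not dst:
            ops.append(("delete", src, ""))
        elif dst.startswith("!"):
            ops.append(("replace", src, dst[1:]))
        else:
            ops.append(("rename", src, dst))
    return ops

def remaining_operations(raw, setting):
    """Operations whose source matches no exclusion entry.

    Assumption: case-insensitive substring match on the source path.
    """
    excl = parse_exclusions(setting)
    return [op for op in parse_operations(raw)
            if not any(e in op[1].lower() for e in excl)]

if __name__ == "__main__":
    for action, src, dst in remaining_operations(SAMPLE, EXCLUSION_SETTING):
        print(action, src, dst)
```

On the constructed sample, the temp-folder document that matches none of the three entries and the SETB10.tmp replacement are the two operations that remain.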

(imported comment written by boostaz191)

Here is my problem: we run 24x7, so systems don't reboot very often. I have pushed patches which require restarts, but my 600+ users don't want to stop production to do this. So I created 3 fixlets that send a message every Monday, Wednesday and Friday. This message is only supposed to appear on systems which still need a restart. I am using the pending restart as my relevance. However, several of my users report that they reboot and then they get the message again at the next interval. I have added a couple of items to the restart exclusion list, but it does not seem to work. So I created the above analysis to show me where the pending restart is coming from: is it BES, MS, or neither? What I have found is that it appears to be coming from something other than BES & MS; GroupWise seems to be the culprit. I cannot get the exclusions to work, however. That is what needs to happen. I guess I don't fully understand how that works.

(imported comment written by RosaMartin)

We are seeing an issue where the key “HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\BESPendingRestart\BESPendingRestart” is not getting cleared even after all actions have been rebooted. This is making our assets relevant for the fixlet #390 “Restart Needed - Triggered by a BES Action”. Can you tell me why this is happening and how to resolve it?