Windows event viewer id 1035

Hi All,

We have recently noticed Event Viewer showing MsiInstaller entries a number of times in the Application log. Please let me know if BigFix uses the Win32_Product class anywhere within the Fixlets/Tasks/Analyses.

Thanks,
Nitin V J

Can you be more specific? Relevance can include a lot of things, but nothing specific like you mention, as that's a Win32 structure.

What MSIInstaller is being run?

I have uploaded a screenshot from one of the test boxes. In Event Viewer I can see event ID 1035 being triggered every two hours; not sure from where this 1035 event ID is getting triggered.

Context - https://support.microsoft.com/en-us/help/974524/event-log-message-indicates-that-the-windows-installer-reconfigured-al

Querying the WMI Win32_Product class can trigger MsiInstaller to verify each product. This repeated event logging sometimes comes from WMI GPO filters using Win32_Product, but third-party products (i.e. BigFix) certainly could be doing the same.

1 Like

Is there a way we could stop BigFix from querying the Win32_Product class alone, and not the other WMI queries?

Hello gentlemen,

Any further information? How can I stop event ID 1035 from spamming the event log?

Thanks

Since BigFix runs in a System context I think you will have a hard time preventing it through permissions or anything like that.

Are you seeing this behaviour from the default IBM sites?

I think the issue is finding what, if any, of the content is running this check. I should have something to post shortly…

Iterate through fixlet content with REST and look for any relevance that contains "win32_product"?

2 Likes

Try searching your fixlet content to find one containing win32_product in its relevance. This may take several minutes!

You could try this in Web Reports QNA by opening a browser and connecting to https://your_web_reports_server?page=QNA

Q: (id of it, name of it, name of site of it, relevance clauses of it) of fixlets whose (exists relevance clauses whose (it as lowercase contains "win32_product") of it) of all bes sites

I didn’t get results in my deployment, which tells me that it’s (at least) not in the “Patches for Windows” or “Updates for Windows Applications” default content. You might find results from one of your custom tasks/fixlets.

update: you can also check your BES Property definitions to see whether this is being returned by a Property / Analysis Property (it’s not, in my environment):

q: (name of it, (if (exists source analysis of it) then (name of site of source analysis of it & ":" & name of source analysis of it) else "Global"), definition of it) of bes properties whose (definition of it as lowercase contains "win32_product")

4 Likes
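As an added example that is not part of the thread or of any BigFix-provided content, the same search can be run through the root server's REST API instead of Web Reports QNA, which is handy if you want to script it or schedule it. The function name, the server name and the assumption that a console operator account with REST access is available are mine; the session relevance is the one from the post above.

```powershell
# Added example (not from the thread). Runs the thread's session relevance
# against the BigFix REST API (/api/query) and returns one object per matching
# relevance clause. Assumptions: root server reachable on the default port
# 52311, and a console operator account that is allowed to use the REST API.

function Find-BigFixContentUsingWin32Product {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]       $Server,      # e.g. bes-root.example.com (hypothetical)
        [Parameter(Mandatory)] [pscredential] $Credential,  # console operator account
        [int]    $Port   = 52311,
        [string] $Needle = 'win32_product'                  # matched case-insensitively
    )

    # Same session relevance the thread runs in Web Reports QNA: every fixlet in
    # every site whose relevance mentions the needle, plus the offending clause.
    $relevance = "(id of it, name of it, name of site of it, " +
                 "relevance clauses whose (it as lowercase contains `"$Needle`") of it) " +
                 "of fixlets whose (exists relevance clauses whose " +
                 "(it as lowercase contains `"$Needle`") of it) of all bes sites"

    $uri = "https://${Server}:${Port}/api/query?relevance=" +
           [uri]::EscapeDataString($relevance)

    # The API answers with XML, which Invoke-RestMethod parses for us.
    # Assumes the root server's TLS certificate is trusted by this machine
    # (on PowerShell 7+ you can add -SkipCertificateCheck for a self-signed
    # certificate in a test environment).
    $xml = Invoke-RestMethod -Uri $uri -Credential $Credential -Method Get

    # A tuple with a plural element comes back as one <Tuple> per clause,
    # exactly like the one-line-per-clause output pasted later in the thread.
    foreach ($tuple in $xml.BESAPI.Query.Result.Tuple) {
        $a = @($tuple.Answer | ForEach-Object { $_.'#text' })
        [pscustomobject]@{
            FixletId = [int]$a[0]
            Name     = $a[1]
            Site     = $a[2]
            Clause   = $a[3]
        }
    }
}

# Usage (prompts for the operator account; server name is hypothetical):
# Find-BigFixContentUsingWin32Product -Server 'bes-root.example.com' -Credential (Get-Credential) |
#     Format-Table -AutoSize -Wrap
```

Like the Web Reports query, this walks every fixlet in every site, so expect it to take a while on a large deployment; run it against the root server directly rather than through a relay.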

That’s exactly where I was going with it :slight_smile:

Having had situations where I have a template piece of relevance or actionscript that worked in testing, got added to dozens of fixlets, then I found some edge case where it breaks and I have to go update the logic in lots of places, I already had a dashboard handy to search for a given string in all fixlet/task Relevance & Action Script, and in Analysis properties.

2 Likes

I did find a few results when running your first query; below are a few samples of the results. Please guide me on how to proceed further.

A: 499496, Install_Google_Chrome_V65.96.32832, ********_SD_Prod, ( (if(name of operating system starts with "Win") then free space of drive of client > 70071680 else if ((mac of it) of operating system) then free space of filesystem of folder (pathname of client) > 70071680 else free space of filesystem of client > 70071680) )
A: 499496, Install_Google_Chrome_V65.96.32832, ********_SD_Prod, version of client >= "9.5.6.63"
A: 499496, Install_Google_Chrome_V65.96.32832, ********_SD_Prod, windows of operating system AND (if( name of operating system starts with "Win" ) then platform id of operating system != 3 else true)
A: 499496, Install_Google_Chrome_V65.96.32832, ********_SD_Prod, not exists (select objects "name from Win32_Product where name='Google chrome'and version>='47.0.2526.106'" of WMIs )
A: 499496, Install_Google_Chrome_V65.96.32832, ********_SD_Prod, false
A: 440445, Install_Google_Chrome_V65.96.32832, ********_Software_Distribution, ( (if(name of operating system starts with "Win") then free space of drive of client > 70071680 else if ((mac of it) of operating system) then free space of filesystem of folder (pathname of client) > 70071680 else free space of filesystem of client > 70071680) )
A: 440445, Install_Google_Chrome_V65.96.32832, ********_Software_Distribution, version of client >= "9.5.6.63"
A: 440445, Install_Google_Chrome_V65.96.32832, ********_Software_Distribution, windows of operating system AND (if( name of operating system starts with "Win" ) then platform id of operating system != 3 else true)
A: 440445, Install_Google_Chrome_V65.96.32832, ********_Software_Distribution, not exists (select objects "name from Win32_Product where name='Google chrome'and version>='47.0.2526.106'" of WMIs )
A: 440445, Install_Google_Chrome_V65.96.32832, ********_Software_Distribution, false

That’s a custom fixlet with relevance that queries win32_products, meaning someone in your organization created it. Suggestion? Rewrite it…

Will removing that relevance from the custom task solve my issue?

That may make it worse. Don’t delete it yet. Standby.

Okay! But the evaluation criteria are set to false, so none of the computers are applicable under this custom fixlet? Hope it won't cause any issue until computers are subscribed…

Are you using that particular fixlet for anything? That’s an old version of Chrome, anyway…

Removing that relevance would change the fixlet functionality, which you should know if you are writing custom content. If this is news to you, I would suggest attending a training course on the automation tool your organization is using…

So at first I was concerned the “Manage Software Distribution Dashboard” might be generating fixlets with that in their relevance, but that doesn’t seem to be the case. I don’t use the SWD dashboards, but I went ahead and created a test package of Google Chrome. The generated content did not use WMI to query for the product install, so that’s good.

Looks like someone in your organization either wrote, or modified, a fixlet to use Win32_Product in the relevance. Don’t know if you noticed, but they are also not checking for the correct Chrome version - the title says version 65.96.32832, but in the Relevance they’re checking for version 47.0.2526.106.

The relevance that the SWD dashboard generated for my Chrome installer included

(disjunction of (NOT exists keys "{21BED74A-2399-33DA-A4C2-DA59444ADEC4}" whose ( value "DisplayVersion" of it as string as version >= "67.92.106" as version AND value "Language" of it as string = "1033") of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of ( x32 registry; (if exists x64 registry then x64 registry else nothing) )))
so that might be a better check to replace the WMI query in your fixlet (again, substituting in the correct version number for what you are deploying).

I’m afraid I have to echo @mwolff’s concern…you should take some care in authoring content in BigFix, because (as you’re seeing) you can easily impact massive numbers of systems while you’re learning. You should definitely work in a test/training environment before authoring in production, and the HCL / IBM-provided training are worth every penny. You can also search for the “BigFix Relevance Guide” and “BigFix Action Authoring Guide” to read the book on how to develop content.

3 Likes
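As an added example that is not part of the thread, of the SWD dashboard output, or of any BigFix-provided content, here is the same registry-based check in PowerShell, useful on a test box for confirming what a rewritten fixlet should see, together with a query to confirm afterwards that the MsiInstaller 1035 events have actually stopped. The function names and the sample product name are mine; the only thing taken from the thread is the idea of reading DisplayVersion under the Uninstall keys (both registry views) instead of querying Win32_Product.

```powershell
# Added example (not from the thread). Two helpers:
#   Test-ProductInstalled      - registry-based "is product X at version >= Y
#                                installed" check, the read-only equivalent of
#                                the WMI query the custom fixlet used.
#   Get-MsiReconfigureEvents   - counts MsiInstaller event ID 1035 entries so
#                                you can verify the storm is gone after the fix.
# Win32_Product enumerates every MSI product and makes Windows Installer
# verify/reconfigure each one, which is what writes event 1035; reading the
# Uninstall keys does not touch Windows Installer at all.

function Test-ProductInstalled {
    param(
        [Parameter(Mandatory)] [string]  $DisplayName,     # exact name or a -like wildcard
        [Parameter(Mandatory)] [version] $MinimumVersion
    )

    # Native view plus the 32-bit (WOW6432Node) view on x64, mirroring the
    # "x32 registry; x64 registry" pair in the SWD-generated relevance.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )

    $matches = foreach ($root in $uninstallKeys) {
        if (-not (Test-Path $root)) { continue }          # WOW6432Node is absent on 32-bit Windows
        foreach ($key in Get-ChildItem $root) {
            $p = Get-ItemProperty -Path $key.PSPath
            if (-not $p.DisplayName -or $p.DisplayName -notlike $DisplayName) { continue }
            # Compare as a version, not as a string ("10.0" must beat "9.5");
            # skip entries whose DisplayVersion is not a parsable version.
            $v = $null
            if ([version]::TryParse([string]$p.DisplayVersion, [ref]$v)) {
                [pscustomobject]@{ Key = $key.PSChildName; Name = $p.DisplayName; Version = $v }
            }
        }
    }

    [bool]($matches | Where-Object { $_.Version -ge $MinimumVersion })
}

function Get-MsiReconfigureEvents {
    param([int] $Hours = 12)   # the poster said they would monitor for 12 hrs

    # Event ID 1035 from the MsiInstaller provider in the Application log is
    # the "Windows Installer reconfigured the product" entry from the KB above.
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'MsiInstaller'
        Id           = 1035
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Hours = $Hours
        Count = @($events).Count
        Last  = if ($events) { ($events | Select-Object -First 1).TimeCreated } else { $null }
    }
}

# Usage (product name and version are illustrative, not from the thread):
# Test-ProductInstalled -DisplayName 'Google Chrome' -MinimumVersion '67.92.106'
# Get-MsiReconfigureEvents -Hours 12
```

The version comparison is the same "as version" comparison the relevance does, so a fixlet rewritten along these lines stays applicable only while the installed DisplayVersion is below the one being deployed. Run the event query before the change to get a baseline count, then again after the two-hour evaluation cycle mentioned earlier has passed a few times; a count of zero confirms that the custom fixlet was the only source.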

Thanks for the solution around this. I haven't seen any 1035 events after modifying the relevance which was querying the Win32_Product class. Continuing to monitor for the next 12 hrs; if I find any, I will communicate the same in this thread.

Thanks @JasonWalker @mwolff :slight_smile:

2 Likes