Event ID 4 - FilterManager

 Can you post the full event text please.

Log Name: System
Source: Microsoft-Windows-FilterManager
Date: 2009-05-26 10:51:47
Event ID: 4
Task Category: None
Level: Warning
Keywords:
User: SYSTEM
Computer: xxxxx
Description:
File System Filter 'FileScreenFilter' (Version 6.0, 2009-03-25 18:04:33) failed to attach to volume '\Device\Harddisk5\DR5'. The filter returned a non-standard final status of 0xc00000bb. This filter and/or its supporting applications should handle this condition. If this condition persists, contact the vendor.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-FilterManager" Guid="{f3c5e28e-63f6-49c7-a204-e48a1bc4b09d}" />
<EventID>4</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2009-05-26T08:51:47.673Z" />
<EventRecordID>148618</EventRecordID>
<Correlation />
<Execution ProcessID="1124" ThreadID="1448" />
<Channel>System</Channel>
<Computer>xxxxx</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="FinalStatus">0xc00000bb</Data>
<Data Name="DeviceVersionMajor">6</Data>
<Data Name="DeviceVersionMinor">0</Data>
<Data Name="DeviceNameLength">16</Data>
<Data Name="DeviceName">FileScreenFilter</Data>
<Data Name="DeviceTime">2009-03-25T18:04:33.000Z</Data>
<Data Name="ExtraStringLength">21</Data>
<Data Name="ExtraString">\Device\Harddisk5\DR5</Data>
</EventData>
</Event>

-------------------------------------------------------------------------------------------------------------------------------

Log Name: System
Source: Microsoft-Windows-DistributedCOM
Date: 2009-05-26 10:52:52
Event ID: 10009
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: xxxxx
Description:
DCOM was unable to communicate with the computer EVSITE using any of the configured protocols.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-DistributedCOM" Guid="{1B562E86-B7AA-4131-BADC-B6F3A001407E}" EventSourceName="DCOM" />
<EventID Qualifiers="49152">10009</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2009-05-26T08:52:52.000Z" />
<EventRecordID>148625</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>System</Channel>
<Computer>xxxxx</Computer>
<Security />
</System>
<EventData>
<Data Name="param1">EVSITE</Data>
<Binary>3C5265636F726423313A20436F6D70757465723D286E756C6C293B5069643D3934383B352F32362F3230303920383A35323A35323A3839373B5374617475733D313732323B47656E636F6D703D323B4465746C6F633D313731303B466C6167733D303B506172616D733D313B7B506172616D23303A307D3E3C5265636F726423323A20436F6D70757465723D286E756C6C293B5069643D3934383B352F32362F3230303920383A35323A35323A3839373B5374617475733D313732323B47656E636F6D703D383B4465746C6F633D313434323B466C6167733D303B506172616D733D313B7B506172616D23303A4556534954457D3E</Binary>
</EventData>
</Event>

 Umm...well..

So couple of questions..

You had the EV7 Placeholder service on the fileservers and upgraded directly to EV8 FSA Agent?  I know this is a bit lame - but have you tried to un-install and re-install the EV8 FSA Agent?

What exactly is \Device\Harddisk5\DR5 - is that the only device throwing up warnings?

Yes, we upgraded directly. I haven't tried to install it again because we have to do it during nighttime since we're a global company. Do you have another idea?
Hmm. I'm not really sure what \Device\Harddisk5\DR5 is.. our hardware is on HCAP from Hitatchi.. that says anything to you? In the eventlog they come in pairs.. exact same warning but for  '\Device\Harddisk0\DR0',  '\Device\Harddisk1\DR1', '\Device\Harddisk2\DR2' and so on until no 6. 
I guess there are 6 hd and then 6 different directories? I don't know.. sorry.

 

I haven't actually seen that error - and at this point, because it has given the error since installation - I would uninstal and re-install as the next troubleshooting step.

You could however log a case with Symantec, we may have something on our databases of this happening before.

Yes, I logged a case with Symantec yesterday. Hope they have seen this problem before. I'll get back with the resolution.. hopefully.. :)