Solved: Event ID 4 - FilterManager

MiaLid · ‎05-26-2009

Hello!
We have recently upgraded from EV 7, SP4 to EV88, SP1.
After that we started to get ALOT of warnings in the system log regarding "FilterManager". (Event ID 4 - Filtermanager) I get this on all three fileservers. I also get alot of error events on two of the fileservers. Event ID : 10009 and Source: DistributedCOM.

Found this: http://seer.entsupport.symantec.com/docs/323117.htm, but when I tried to do this I get "access denied". Anyone knows why? Tried with EV Admin account and administrator account. (domain admin).

Environment: Two domains is targeted, 3 fileservers. 1 is on the first one, 2 (which gets the DCOM errors) are on the "new domain" that we recently connected. On the "new domain" I've registered a GC.

Please, help!

Best regards,

Mia

MiaLid · ‎06-03-2009

Filescreenfilter for Microsoft and Enterprise vault cannot work together. So we turned the one for MS off.

Navigate to following reg key
HKLM\SYSTEM\CurrentControlSet\Services\FileScreenFilter
4. Change "START" key to a value of "4" to disable FileScreenFilter driver.

View solution in original post

John_Chisari · ‎05-26-2009

Can you post the full event text please.

MiaLid · ‎05-26-2009

Log Name: System
Source: Microsoft-Windows-FilterManager
Date: 2009-05-26 10:51:47
Event ID: 4
Task Category: None
Level: Warning
Keywords:
User: SYSTEM
Computer: xxxxx
Description:
File System Filter 'FileScreenFilter' (Version 6.0, 2009-03-25 18:04:33) failed to attach to volume '\Device\Harddisk5\DR5'. The filter returned a non-standard final status of 0xc00000bb. This filter and/or its supporting applications should handle this condition. If this condition persists, contact the vendor.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-FilterManager" Guid="{f3c5e28e-63f6-49c7-a204-e48a1bc4b09d}" />
<EventID>4</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2009-05-26T08:51:47.673Z" />
<EventRecordID>148618</EventRecordID>
<Correlation />
<Execution ProcessID="1124" ThreadID="1448" />
<Channel>System</Channel>
<Computer>xxxxx</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="FinalStatus">0xc00000bb</Data>
<Data Name="DeviceVersionMajor">6</Data>
<Data Name="DeviceVersionMinor">0</Data>
<Data Name="DeviceNameLength">16</Data>
<Data Name="DeviceName">FileScreenFilter</Data>
<Data Name="DeviceTime">2009-03-25T18:04:33.000Z</Data>
<Data Name="ExtraStringLength">21</Data>
<Data Name="ExtraString">\Device\Harddisk5\DR5</Data>
</EventData>
</Event>

-------------------------------------------------------------------------------------------------------------------------------

Log Name: System
Source: Microsoft-Windows-DistributedCOM
Date: 2009-05-26 10:52:52
Event ID: 10009
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: xxxxx
Description:
DCOM was unable to communicate with the computer EVSITE using any of the configured protocols.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-DistributedCOM" Guid="{1B562E86-B7AA-4131-BADC-B6F3A001407E}" EventSourceName="DCOM" />
<EventID Qualifiers="49152">10009</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2009-05-26T08:52:52.000Z" />
<EventRecordID>148625</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>System</Channel>
<Computer>xxxxx</Computer>
<Security />
</System>
<EventData>
<Data Name="param1">EVSITE</Data>
<Binary>3C5265636F726423313A20436F6D70757465723D286E756C6C293B5069643D3934383B352F32362F3230303920383A35323A35323A3839373B5374617475733D313732323B47656E636F6D703D323B4465746C6F633D313731303B466C6167733D303B506172616D733D313B7B506172616D23303A307D3E3C5265636F726423323A20436F6D70757465723D286E756C6C293B5069643D3934383B352F32362F3230303920383A35323A35323A3839373B5374617475733D313732323B47656E636F6D703D383B4465746C6F633D313434323B466C6167733D303B506172616D733D313B7B506172616D23303A4556534954457D3E</Binary>
</EventData>
</Event>

John_Chisari · ‎05-26-2009

Umm...well..

So couple of questions..

You had the EV7 Placeholder service on the fileservers and upgraded directly to EV8 FSA Agent? I know this is a bit lame - but have you tried to un-install and re-install the EV8 FSA Agent?

What exactly is \Device\Harddisk5\DR5 - is that the only device throwing up warnings?

MiaLid · ‎05-26-2009

Yes, we upgraded directly. I haven't tried to install it again because we have to do it during nighttime since we're a global company. Do you have another idea?
Hmm. I'm not really sure what \Device\Harddisk5\DR5 is.. our hardware is on HCAP from Hitatchi.. that says anything to you? In the eventlog they come in pairs.. exact same warning but for '\Device\Harddisk0\DR0', '\Device\Harddisk1\DR1', '\Device\Harddisk2\DR2' and so on until no 6.
I guess there are 6 hd and then 6 different directories? I don't know.. sorry.

John_Chisari · ‎05-26-2009

I haven't actually seen that error - and at this point, because it has given the error since installation - I would uninstal and re-install as the next troubleshooting step.

You could however log a case with Symantec, we may have something on our databases of this happening before.

MiaLid · ‎05-27-2009

Yes, I logged a case with Symantec yesterday. Hope they have seen this problem before. I'll get back with the resolution.. hopefully.. :)

MiaLid · ‎06-03-2009

Filescreenfilter for Microsoft and Enterprise vault cannot work together. So we turned the one for MS off.

Navigate to following reg key
HKLM\SYSTEM\CurrentControlSet\Services\FileScreenFilter
4. Change "START" key to a value of "4" to disable FileScreenFilter driver.

VOX

Event ID 4 - FilterManager