Trend Micro Behaviour Monitor woes

Ever had one of those days? This is the scenario:

I recently rebuilt a laptop for a client. Everything was great and performance had improved dramatically. I took the laptop back onsite, plugged it in and installed Trend Micro from the server. I then attempted to install Adobe Reader, but it failed with registry access denied errors. Weird. Those of you familiar with Trend Micro’s Behavior Monitor may have cottoned on by this stage, but unfortunately I hadn’t encountered the beast before.

I rebooted, logged on and attempted a reinstall of Adobe Reader, and all went fine. The next step was to get the end user to log on and verify all was good so I could be on my way. The user logged on and his profile started to suck down. He has a huge roaming profile (another story). Once the profile had sucked down, XP went through “applying personal settings” etc. and then: blank screen.

Great, explorer didn’t load. I’m thinking that there is something wrong with his profile. I bring up Task Manager and try New Task > explorer.exe, expecting the desktop to load, but no, I get an access denied error. I log the user off and log on as myself. Blank screen. Reboot, log on as myself. All good. Log off and the user logs on: blank screen.

So at this point I’m thinking the user’s profile is corrupt. I back up the profile and replace it with a blank one. User logs in. Blank screen. I reboot, walk away, come back after a while and log on as myself. Blank screen. It feels like things are getting worse; now I can’t even get a desktop after a reboot.

I boot into safe mode and log on. Everything in safe mode is OK, so it’s not a total loss. Using msconfig (“System Configuration Utility”) I do a selective startup and disable all services except the Microsoft services. Reboot and log in. All good again. Log in as the user. All good. OK, the problem appears to be a service.

I check the services I’ve disabled and selectively re-enable them. At this point I also notice some of the Trend Micro AV services have managed to restart themselves. I get to the point where I’ve re-enabled every service and everything is still working.

At this point I notice that the Unauthorised Change Prevention service is stopped, and then everything clicked. I started the service, logged off and back on again. Blank screen. I try to stop the process TMBMSRV.exe but get an access denied error. I check Trend Micro AV and notice that the behavior monitor is turned on. I check the Worry-Free Business Server and look at the default settings for the behavior monitor. It appears it is blocking all changes and not notifying, but the setting on the server suggests the behavior monitor should be disabled.
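The selective-startup hunt above (hide the Microsoft services, see what is left, then find the one that owns TMBMSRV.exe) can be done from a PowerShell prompt instead of clicking through msconfig and the Services snap-in. The script below is an added example written for this post; it is not Trend Micro’s code and nothing here is taken from their documentation. It assumes only what the post states: that the behavior monitor runs as a service whose image is TMBMSRV.exe. It is read-only (it reports state, it does not stop or disable anything), and it uses Get-WmiObject so it runs on the PowerShell 2.0 that was available for Windows XP.

```powershell
# Added example, not from the original post. Read-only service triage:
# 1. list the services msconfig's "Hide all Microsoft services" would leave
#    visible (approximated here as "binary lives outside %SystemRoot%"),
# 2. report the state and start mode of whichever service runs TMBMSRV.exe,
#    the image the post identifies as the behavior monitor.

$winDir = $env:SystemRoot   # e.g. C:\WINDOWS

# Step 1: third-party services. Some Microsoft products install outside the
# Windows directory, so treat this as a candidate list, not a verdict.
$thirdParty = Get-WmiObject Win32_Service |
    Where-Object { $_.PathName -and ($_.PathName -notlike "*$winDir*") } |
    Select-Object Name, DisplayName, State, StartMode, PathName

"Services whose binary is outside ${winDir}:"
$thirdParty | Sort-Object Name |
    Format-Table Name, State, StartMode, DisplayName -AutoSize

# Step 2: find the behavior-monitor service by its image name. A service that
# reports State=Running while the management server says the monitor should be
# off is the mismatch the post describes (the client never re-registered).
$tmbm = Get-WmiObject Win32_Service |
    Where-Object { $_.PathName -like '*TMBMSRV.exe*' }

if ($tmbm) {
    foreach ($svc in $tmbm) {
        "Behavior monitor service '{0}' ({1}): State={2}, StartMode={3}" -f `
            $svc.Name, $svc.DisplayName, $svc.State, $svc.StartMode
    }
} else {
    "No service running TMBMSRV.exe was found on this machine."
}
```

Run it once after a reboot and again after a user logon that produced the blank screen; if the TMBMSRV.exe service shows Stopped in the first run and Running in the second, you have the same timing picture the post arrives at, without having to catch the service in Task Manager.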

It turns out that because the PC was a rebuild, it didn’t re-register properly with the server, even though the correct install procedures were followed. This results in the behavior monitor being turned on with draconian settings. I removed the old entry for the desktop from the server and added the desktop again. I then checked the desktop, and now the behavior monitor has been disabled.

So what was happening? Well, the behavior monitor would block installs and modifications, but if you logged in quickly enough, before the behavior monitor could start, then you could install software. The problem was that when the behavior monitor did kick in, it would then block access to everything because a change had occurred. So that is why my profile was working after a reboot: I would log in before the behavior monitor had started. The user would wait longer, and by the time he logged in the behavior monitor had started, hence the blank screen.

What does this highlight? Firstly, AV products can have a tendency to behave in a way very similar to malware or a virus if configured incorrectly. For example, look at this behavior: the AV was always starting itself, even when the service was initially disabled, and once started you couldn’t stop the process. You can understand why AV products do this, because otherwise malware and viruses would turn them off willy-nilly, but it doesn’t make my life any easier.
