Ghost in the GPO?

  • Ghost in the GPO?

    At this point, I'm not sure if this is a G.P.O. issue, but I figure it's a good place to start.

    We used to deploy Counter Spy Enterprise ("C.S.E.") clients to the desktops via G.P.O., but stopped that practice over a year ago. Although it wasn't until this summer that the last few links in Group Policy were finally tracked down and deleted.

    The C.S.E. installation file, CSEAgent-New.msi, was located on a Windows 2003 file server named CAROL, in a share directory called GPInstall$. This file and directory were deleted earlier this year.

    This weekend, our data center had an unexpected and prolonged series of power outages. None of the Windows servers required a restore.

    But starting yesterday (Monday), over a dozen users reported that the Windows Installer was trying to install CSEAgent-New.msi from \\CAROL\GPInstall$\ . See attached screen shots.

    Windows Installer

    The feature you are trying to use is on a network resource that is unavailable.

    Click OK to try again, or enter an alternate path to a folder containing the installation package 'CSEAgent-New.msi' in the box below.

    Use source: \\carol\GPInstall$\
    The users are unable to cancel the installation process.

    Fortunately, using Sunbelt's Counter Spy removal tool [ CS&VClean.exe , found via ] on the client workstations appears to resolve the problem. [UPDATE: I'm also getting reports from some of our techs that they have to use the Microsoft Installer Cleanup Utility instead].

    My question is:

    Is it possible that there is some over-looked link, or any type of "cruft," in Group Policy that could be causing these problems, months after the directory and file on the server and the links in Group Policy were deleted? Or is it more likely something on the client side?

    The solution/work-around seems to point to the client side. But it seems awfully coincidental that this is occurring on over a dozen workstations after a weekend-long series of power failures in the data center.

    Last edited by Robert R.; 10th November 2009, 22:13.

  • #2
    Re: Ghost in the GPO?

    This problem still has been popping up intermittently.

    Sunbelt Software has stated that

    This is definitely related to your GPO configuration. It sounds like there is a reference to that MSI in a GPO somewhere in AD, but I'd be hard pressed to determine where it's located based on this. I don't know of any way to search the GPO for a specific string, but if you can find one I'd look for the missing file path referenced. That should point you in the correct direction.
    On PCs with the issue, I've found that the following registry entries were present:

    HKEY_CLASSES_ROOT\Installer\Products\116445D9734F351419E319EC305638CC\SourceList\PackageName = CSEAgent-New.msi

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\116445D9734F351419E319EC305638CC\SourceList\PackageName = CSEAgent-New.msi

    I have no idea where this is coming from. CSEAgent-New.msi was removed from the server CAROL over a year ago. I cannot find any references to it in Group Policy.

    It is only when specific Windows XP workstations are experiencing this problem that I can find the above registry entries.

    gpresult /z shows that the source is Software Installations --> [OU name] Default:

    Resultant Set Of Policies for Computer:

    Software Installations
    GPO: [OU name] default
    Name: CounterSpyAgent
    Version: 1.5
    Deployment State: Assigned
    Source: \\carol\GPInstall$\CSEAgent-New.msi
    AutoInstall: True
    Origin: Removed Package

    Even though \\carol\GPInstall$\ no longer exists, and I cannot find any reference to it in Group Policy. The Group Policy Object "Software Installations" was deleted a year ago.

    Does anybody have any recommendation on how to find where this is coming from?

    Is there any way to block CSEAgent-New.msi from trying to install itself on workstations?

    This problem is rare and intermittent, but very annoying and frustrating, both for the end user and us support techs, when it happens.


    • #3
      Re: Ghost in the GPO?

      Hi Robert

      This is definitely a strange problem.

      Have you checked if the clients have cached the old group policy and tried to apply it when it couldn't locate a DC?

      See here for details

      Worth a look.

      Also try looking at GPOTOOL (part of the resource kit tools).


      • #4
        Re: Ghost in the GPO?

        Do you have any scripts running via GPO that could be referencing this install??
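
The Sunbelt reply quoted in post #2 asks for a way to search GPOs for a specific string, and post #4 asks about scripts run via GPO. The following is an added example, not code from any poster in this thread, that checks both from a management workstation. It assumes PowerShell 3.0 or later with the GroupPolicy module (GPMC/RSAT) and read access to SYSVOL, and it uses the share name GPInstall$ from the thread as the search string.

```powershell
# Added example: search every GPO and the SYSVOL script files for a stale path.
# Assumes the GroupPolicy module (GPMC/RSAT) and a domain-joined admin workstation.
Import-Module GroupPolicy

$needle = 'GPInstall$'          # share name taken from the thread
$domain = $env:USERDNSDOMAIN    # DNS name of the current user's domain

# 1. Render each GPO's settings to XML and keep the GPOs that mention the share.
#    Software installation packages and script names both appear in this report.
$gpoHits = foreach ($gpo in Get-GPO -All -Domain $domain) {
    $xml = Get-GPOReport -Guid $gpo.Id -ReportType Xml -Domain $domain
    if ($xml.IndexOf($needle, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
        [pscustomobject]@{
            GPO      = $gpo.DisplayName
            Id       = $gpo.Id
            Modified = $gpo.ModificationTime
        }
    }
}

# 2. The report lists script names, not script contents, so also search the
#    text files stored under SYSVOL (GPO scripts and the NETLOGON scripts folder).
$sysvol = "\\$domain\SYSVOL\$domain"
$scriptHits = Get-ChildItem -Path $sysvol -Recurse -File `
        -Include *.bat, *.cmd, *.vbs, *.ps1, *.ini -ErrorAction SilentlyContinue |
    Select-String -SimpleMatch -Pattern $needle |
    Select-Object Path, LineNumber, Line

# 3. Report what was found in each place.
if ($gpoHits) {
    'GPOs whose settings reference the share:'
    $gpoHits | Format-Table -AutoSize
} else {
    "No GPO settings reference $needle"
}

if ($scriptHits) {
    'SYSVOL files that reference the share:'
    $scriptHits | Format-List
} else {
    "No SYSVOL script files reference $needle"
}
```

If both searches come back empty, nothing in the domain's current Group Policy or SYSVOL scripts names the share. The reference is then more likely held on the client, such as the Installer\Products SourceList entries quoted in post #2.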