KS Advanced Host Monitor service terminated unexpectedly

All questions related to installations, configurations and maintenance of Advanced Host Monitor (including additional tools such as RMA for Windows, RMA Manager, Web Service, RCC).
ggdimov
Posts: 5
Joined: Thu Jan 26, 2006 10:14 am

Post by ggdimov »

Hi,

we use v5.70 (enterprise license) and since midnight last night we started to receive the error below.

The software runs on Windows 2003 SP1 server with all MS updates loaded. I have set up the service to auto restart and that keeps it going, but how can I find out what is causing the service to fail in the first place?

I searched the forum and am clueless :); we use Trend as AV - Server Protect; Symantec LiveState Recovery agent is installed too on the server; active SMS...

Thanks for your help
George

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7031
Date: 04/03/2006
Time: 15:49:55
User: N/A
Computer: TRINITY
Description:
The KS Advanced Host Monitor service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Yoorix
Posts: 177
Joined: Wed Dec 14, 2005 8:28 am

Post by Yoorix »

Are there any other suspicious messages in EventLog?
Do you use RMA to access this host?
Please, go to Services Applet, scroll down to KS Advanced Host Monitor and ensure that "Allow service to interact with desktop" check box is checked.

Regards,
Yoorix
ggdimov
Posts: 5
Joined: Thu Jan 26, 2006 10:14 am

Post by ggdimov »

Thanks for your reply!

> Are there any other suspicious messages in EventLog?

I can only see informational alerts; the server was installed about two months ago - the telephone service seems to start a few seconds before the hostmonitor server is restarted...

Event Type: Information
Event Source: Service Control Manager
Event Category: None
Event ID: 7035
Date: 04/03/2006
Time: 19:51:53
User: NT AUTHORITY\SYSTEM
Computer: TRINITY
Description:
The Telephony service was successfully sent a start control...

> Do you use RMA to access this host?

This machine, trinity, is the server; we have two RMAs but those are installed elsewhere on the network.

> Please, go to Services Applet, scroll down to KS Advanced Host Monitor and ensure that "Allow service to interact with desktop" check box is checked.

This checkbox is already selected for this service.

Also we seem to have 826 tests defined; could there be a limitation on the number of tests? Also all our servers send SNMP traps to trinity, and event log tests are used as well - having said that, we haven't added any tests recently.

One more thing - a few minutes ago I rebooted the machine and Windows indicated an error with Data Execution Prevention. I have added hostmon to the exception list but am not sure it works properly even after another reboot. There was an issue with earlier versions of Windows, but I believe in Windows 2003 SP1 this was fixed according to other posts...

G
KS-Soft
Posts: 13012
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA

Post by KS-Soft »

> I can only see informational alerts; the server was installed about two months ago - the telephone service seems to start a few seconds before the hostmonitor server is restarted...

Maybe that could lead us to the reason for the problem. Do you use "Send message to pager TAP" or "Send message to beeper" action methods?
Could you try to disable them for a while?

Regards
Alex
ggdimov
Posts: 5
Joined: Thu Jan 26, 2006 10:14 am

Post by ggdimov »

Thanks Alex,

we only send alerts to e-mail addresses because we have an SMS gateway and have no need to use pagers...

Is there a central way to disable this kind of alerting, as opposed to individual tests?

G
ggdimov
Posts: 5
Joined: Thu Jan 26, 2006 10:14 am

Post by ggdimov »

Made a bit of progress here - I have noticed that if I disable alerts the service stops crashing.

Will post if I find more, however any advice on how to narrow it down is welcome; I wish there was change auditing in HM :)
KS-Soft
Posts: 13012
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA

Post by KS-Soft »

> Made a bit of progress here - I have noticed that if I disable alerts the service stops crashing.

The only alert method you are using - "Send e-mail"?
Then the problem must be related to some 3rd party software that probably modified winsock to intercept TCP traffic (e.g. antivirus checks incoming/outgoing mails). Try to install HostMonitor on a clean system.

Regards
Alex
ggdimov
Posts: 5
Joined: Thu Jan 26, 2006 10:14 am

Post by ggdimov »

My colleague disabled all changes that were made on Friday. All he did is disable two tests, NT Event Log: SECURITY, Error, Warning, Failure audit, for our two Exchange servers - tests dependent on ping to the host and writing to "c:\Program Files\HostMonitor\Logs\Security Logs\Event Logs %DDMMYYYY%.txt"

Since those two tests were disabled the service stopped crashing and has been stable for over 7h.
KS-Soft
Posts: 13012
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA

Post by KS-Soft »

I think this problem was fixed in version 5.82
http://www.ks-soft.net/hostmon.eng/news.htm#v582

The problem related to NT Event Log test method has been fixed: when HostMonitor calls Windows API to format event description, Windows does not check the accordance between the number of variables in a template (that is stored in resource file) and the number of variables stored in an event log. This could lead to access violation errors when some software was installed or updated incorrectly (e.g. version mismatch between different DLLs). Now HostMonitor checks the template (retrieved from the DLL) and verifies the number of insertion strings before calling Windows function.

Also, if there is a DLL version mismatch (described above), you may copy the appropriate DLL (e.g. copy the file from another system) into the <HostMonitor>\EventLogDlls\ directory. If HostMonitor detects a DLL in the EventLogDlls subdirectory, this DLL will be used instead of the installed DLL (installed DLL - the DLL that is specified in the system registry under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\<log name>\<event source name> key).

Regards
Alex
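
The check described in the 5.82 note above (count the insertion strings a message template expects and compare that with the number of strings the event record actually carries before formatting) can be sketched as follows. This is an added example, not HostMonitor's code or part of the original posts; the function names are hypothetical, the template is constructed, and it assumes the documented FormatMessage insert syntax (`%1`..`%99`, `%0` as terminator, `%%` and similar as escapes).

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Highest %n insert (1..99) referenced by a FormatMessage-style template.
   Escapes such as "%%", "%n" (newline) and "%." are skipped; "%0" ends
   the message, so scanning stops there. */
static int max_insert_index(const char *tmpl)
{
    int max = 0;
    for (const char *p = tmpl; *p; p++) {
        if (*p != '%')
            continue;
        p++;                              /* character after '%' */
        if (*p == '\0' || *p == '0')
            break;                        /* dangling '%' or "%0" terminator */
        if (!isdigit((unsigned char)*p))
            continue;                     /* escape sequence, not an insert */
        int n = *p - '0';
        if (isdigit((unsigned char)p[1]))
            n = n * 10 + (*++p - '0');    /* two-digit insert number */
        if (n > max)
            max = n;
    }
    return max;
}

/* Returns 1 when the event record carries a string for every insert the
   template references, i.e. when it is safe to hand both to the formatter. */
static int inserts_available(const char *tmpl, size_t num_strings)
{
    return (size_t)max_insert_index(tmpl) <= num_strings;
}

int main(void)
{
    /* Constructed template, modelled on the 7031 text quoted in the thread. */
    const char *tmpl = "The %1 service terminated unexpectedly. "
                       "It has done this %2 time(s).%0";
    printf("needs %d inserts\n", max_insert_index(tmpl));
    printf("record with 2 strings: %s\n",
           inserts_available(tmpl, 2) ? "format" : "skip formatting");
    printf("record with 1 string:  %s\n",
           inserts_available(tmpl, 1) ? "format" : "skip formatting");
    return 0;
}
```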