MOMHost.exe processes may stop responding after you install Windows Active Directory Management Pack for Microsoft Operations Manager 2005 on a Windows Server 2003-based domain controller (890736)

Important This article contains information that shows you how to help lower security settings or how to turn off security features on a computer. You can make these changes to work around a specific problem. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this workaround in your particular environment. If you implement this workaround, take any appropriate additional steps to help protect your system.

SYMPTOMS

You have installed the Microsoft Windows Active Directory Management Pack for Microsoft Operations Manager (MOM) 2005 on a Microsoft Windows Server 2003-based domain controller. The domain controller is also running McAfee VirusScan Enterprise 8.0i. In this scenario, MOMHost.exe processes may stop responding. These processes may log the following alert in the MOM Operator Console:

The response processor failed to execute a response. The response returned the error message : The remote procedure call failed.

Response ID: {response GUID}
Response description: script : Response script name

Additionally, the MOMHost.exe process that is running the script responses may stop responding and may continually try to restart.

On the Windows Server 2003-based domain controller that generated the MOM alert, the following error messages may be logged repeatedly in the Application log:Source: Microsoft Operations Manager
Type: Warning
Category: None
Event ID: 21245
Description:
The response processor failed to execute a response. The response returned the error message : The remote procedure call failed.

Response ID: {response GUID}
Response description: script : Response script name

Source: Microsoft Operations Manager
Type: Error
Category: None
Event ID: 21422
Description:
The host process for the script responses has terminated unexpectedly. Management Group : ManagementGroupName

Note The symptoms may also occur on Windows Servers 2003-based computers that are not domain controllers, depending on the type of script response the MOMHost.exe process is running and whether that script response calls methods on an ActiveX control.

CAUSE

This problem is typically caused by McAfee VirusScan Enterprise 8.0i. Specifically, the problem may occur when the McAfee Scriptscan.dll component scans a script that calls an ActiveX control.

The McAfee ScriptScan component replaces the Windows Script Host component with its own proxy component. The McAfee ScriptScan proxy component (ScriptProxy.dll) scans JavaScript and Visual Basic Scripting Edition (VBScript) scripts. When a script is executed and passes through the scan as clean, the script is passed on to the appropriate Windows Script Host.

However, the ScriptProxy.dll component may cause an access violation when it parses the Active Directory Management Pack scripts in the MOMHost.exe process that calls ActiveX controls. When the ScriptProxy.dll component stops responding, the MOMHost.exe process that is running the script also fails. The MOM service tries to restart the failed MOMHost.exe process, and the access violation is repeated.

Note The ScriptScan component in McAfee VirusScan Enterprise 8.0i is enabled by default.

WORKAROUND

Warning This workaround may make your computer or your network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk.

To work around this problem, you must unregister the ScriptProxy.dll component. To do this, follow these steps.

Important When you unregister the ScriptProxy.dll component, McAfee VirusScan software does not check any scripts for viruses.

Use an account that has domain administrator permissions to log on to the Windows Server 2003-based domain controller.
Click Start, click Run, type cmd, and then click OK.
At the command prompt, locate the %ProgramFiles%\Network Associates\VirusScan folder.
At the command prompt, type regsvr32 /u scriptproxy.dll.
You must restart the MOM service to apply the changes. To do this, follow these steps:
1. Click Start, point to Administrative Tools, and then click Services.
2. In the Services snap-in, right-click MOM, and then click Restart.
3. Close the Services snap-in.

Note If unregistring the Scriptproxy.dll component does not work around this issue, disable the McAfee ScriptScan by using the McAfee Configuration Console.

MORE INFORMATION

Patch 11 for McAfee VirusScan Enterprise 8.0i corrects the problem discussed in this Microsoft Knowledge Base article. For more information, visit the McAfee support Web site:

http://knowledgemap.nai.com

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

Note On the McAfee support Web site, search for Solution ID kb40049 for more information about Patch 11. Also, if you currently experience the problem that is described in the Microsoft Knowledge Base article 891605, "Event 21246 is logged on an agent computer, and you receive an error message in the Microsoft Operations Manager (MOM) 2005 Operator Console," McAfee Solution ID kb40067 describes the same problem. McAfee VirusScan Enterprise 8.0i does not fix the memory leak that is referenced by these articles. Also, McAfee Solution ID kb47302 describes an issue that is related.

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.