I was able to reproduce it once, but now my XP machine no longer gets the messages. Seems like there is a 3rd variable to the equation.
When I reproduced it, Windows was applying 103 updates and had a bunch of stuff in pendingfilerenames.
Once Windows finished updates all reboots afterwards come back with no Event ID 64008.
Since I have it on VMWare I will try to go back to an old snapshot and hopefully relive it.
I've seen the issue only on XP machines, not when using VMWare. In fact, just the other day I saw McAfee install on VMWare XP SP3 build and not generate the WFP warnings. Other users that have posted in this thread have managed to reproduce this very issue on clean XP SP3 installs. Given that Ex_Brit hasn't experienced the issue and his XP SP3 build is a virtual machine, something in the virtual environment doesn't let this issue occur. For the rest of us, we see the biggest issues once we restart following McAfee updates. Mcafee_xp_user has described the problem quite accurately.
I last turned on my PC on Monday night. I received a McAfee update that required a restart without a change in build for SecurityCenter (something with the McAfee update server has made every update since around the time 11.0.572 was pushed that causes a SecurityCenter update to download each time along with the DAT). On restart following that update, I immediately checked Task Manager and Process Explorer, winlogon.exe was very active and updated files in the dllcache (this also coincides with a loss of disk space which I've described many times now). At the same time I checked Event Viewer and WFP warnings (64008s) were present for the following files:
I shutdown the PC about 40 minutes later. On boot this time around (a boot not following a boot after a McAfee update) and winlogon.exe is almost normal. Few files have been updated/replaced in the dllcache. Disk space isn't missing like it does in the session following an update. However, WFP warnings (64008s) were still present from the previous shutdown, this time for the following files:
It's generally the same or similar group of files for everyone. Another symptom I've noticed is that while I have my Excel spreadsheet open for keeping track of the disk space loss attributed to WFP/sfc_os.dll in the winlogon.exe process, I occasionally have messages when attempting to save the spreadsheet saying another user has made changes and do I wish to overwrite the file or save a copy.. There are no other users. I'm quite certain of that. It seems to me there's something with the real-time scanner that causes programs or XP itself to think files have been modified when they really haven't, which would explain the file replacement and sudden file verification by Windows File Protection.
Regarding some skeptical comments made by some posters, I sincerely doubt we're the only users experiencing the problems. I just think we're the only users who have either seen file replacement/XP installation disk pop-ups and/or looked in Event Viewer and bothered to dig deep enough to find the thread here. Non-virtual machines with XP SP3 seem to have the issue. I haven't heard of or seen a virtual machine reproduce the issue except the once instance Doug mentioned.
Nice to see tier 3 support involved. Thanks Doug and thanks to the mods and other users for keeping this alive.
Agreed with yippiekaiyay. More info about some tests I ran:
After the experiment described on my XP machine that throws the WFP popups where I disabled real-time scanning (RTS), and observed that the shutdown and startup AFTER update with RTS disabled showed nothing in event log. Later in the AM after I wrote here, I enabled RTS then did another shut down and restart and that caused some 64008 at shut down and again WFP pop ups on restart.
Last evening I did another variant on the test. RTS was enabled. I had an update waiting, so I clicked to install the update (with RTS enabled). Then i disabled RTS and performed a shut down and restart. Clean event log. I did one more shut down restart. Clean event log. Now I re-enabled RTS, and did another shut down restart. This time, the event log stayed clean. Interesting? Not sure, but maybe.
Also to echo yippiekaiyay, my other 2 XP machines (another Dell desktop, and a Dell Laptop) that never show the WFP popups, do show the event log trails of 64008 at shutdown after receiving McAfee updates. My start date on all 3 is the 08/08/2011 date.
Thats it for the additional observations that I have here.
I've done some more investigating and experimenting tonight. I disabled real time scanning and restarted the computer and had nothing from WFP showing in the event log.
I also found something from microsoft that may explain the files that could not be copied to the cache during a sfc scan that some of us have experienced. This article talks about MCE 2005 and mine is MCE 2002. Not all of our missing files are referred to in the article but this might be what is happening. The link is
The files that some of us are finding that cannot be copied are:
c\:windows\ehome\ehcircl.dll could not be copied
c:\windows\ehome\zh-chs\ehepgdat.dll could not be copied
c:\windows\ehome\de\ehepgdat.resources.dll could not be copied
c:\windows\ehome\fr\ehepgdat.resources.dll could not be copied
c:\windows\ehome\ja\ehepgdat.resources.dll could not be copied
c:\windiws\ehome\ko\ehepgdat.resources.dll could not be copied
c\:windows\ehome\ehituner.dll could not be copied
c\:windows\ehome\ehiepg.dll could not be copied
c:\windows\ehome\ehtray.exe (bad signature restored to original version)
c:\windows\ehome\ehtray.exe not restored - cancelled due to user interaction
c:\windows\ehome\snchk.exe could not be copied
c:\program files\windows media player\npdrmv2.dll could not be copied
c:\program files\windows media player\wmpns.dll could not be copied
I've never had to run sfc before so maybe it's always been this way. How about the others who are in my boat with these files?
This still doesn't explain why I get a WFP pop up when running Malwarebytes of SuperAntispyware scans. I noticed earlier in this thread somewhere that someone had gotten the pop up when running another spyware scan (I think it was Defender). Myabe we are getting somewhere with the other troubles though.
I disabled McAfee real time scanning and ran a full Malwarebytes scan without getting any WFP pop ups. I haven't tried SuperAntispyware yet but I'm betting that if I disasble real time scanning in McAfee first that no pop ups will appear in that either. Don't know if this will help come up with a fix or not but I thought I'd toss it in.
Just wondering any1 not using registry cleaners? If you are which 1s? I am running some tests on my box later on today.
I've never used a registry cleaner. From what I can tell on my system, everything is running ok is spite of the errors and the errors seem to be stemming from real time scanning. The files that scannow is asking for may be files that have been put elsewhere on the computer by Dell. Since I've never run scannow until this problem surfaced, it may not be anything to worry about as per a Microsoft article that I found. But here is something else: is this affecting only certain systems? I have a Dell XPS 400, came with MCE SP2 and I updated it to SP3 when the big update from Microsoft rolled around. There is mention of WFP errors happening recently elsewhere on the web and no solutions from what I've found. I do recall getting a Microsoft update around the sme time as McAfee's.
My test box is self built so no name PC. Doing some tests for Doug later on today.
Hi - I have never used any type of Registry Cleaner.
After reading Greens message, I did go back to look closely at the list kicked out by sfc /scannnow on my Dell XPS 410 Media Center Edition XP system. Some Windows Media Player (WMP) files and some Media Center files.
None of the WMP files complained about exist. I did upgrade the computer to WMP 11 early in the life of the computer.
None of the Media Center files exist, except the ehtray.exe, where the signature was being complained about.
And yes, the system does seem to operate okay. My WFP popup dialogs usually trace to ehtray.exe after I cancel them and look in the event log.
Any news on this issue?
3 months old now - and loads of yada yada but no action.
Man, if I treated my customers like the big M treats its XP SP3 folks - I would be out of a job and in intensive care on a drip.
Sorry that it has taken a long time but please be informed that we have already started working on this issue and we are yet to receive the technical updates from our Dev team on this . I shall update you all once I get more information on the same .
New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.
Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership: