SCCM Client Install and Software Restriction Policies
Hi All, Just wondering if anyone could shed some light. I have a customer who has implemented Software Restriction Policies on their Windows XP SP2 build but we are having problems with the functioning of the SCCM Client. What the Software Restriction Policies does is prevent certain extensions from running such as EXE, COMs and VBS. They do have exclusion folders but I am not sure which folders should be excluded besides the standard Windows\System32\CCM folder for SCCM to function. I was wondering if there is any information about what access (Registry/File/Folder/Executable) the SCCM Client Install needs in order to run correctly. I have checked the Client Installation Logs which all report a successful install but when running the client it doesn't seem to kick off the notification of applications for install or software updates for install. The weird thing is if I complete a CCMRepair the Notifications for application and software updates appear immediately, but as soon as I reboot and the policies apply again the client no longer functions correctly. I am currently trying to run Process Monitor during the Client Install to see if anything gets highlighted. Any ideas would be welcome. Cheers, Humphrey
September 30th, 2008 4:38am

The first thing I'd do is to try to isolate or eliminate the software restriction policy as the cause of the problem. Put a test machine in an OU that blocks the software restriction policy and see if there is a change in behavior. Check ccmexec.log and locationservices.log for any errors and policyevaluator log to see if any of the SCCM policies are actually getting applied. BH
September 30th, 2008 5:42am

Hi Bruce, It definitely is the Software Policies as I have already run tests outside of the OU with the policy applied and it works. CCMExec, LocationServices and Policy Evaluator all seem OK. I guess I am wondering more about what permissions are needed for the job to be started or what access does the SMSCliui.exe need to be run so that the display appears? I know this is complicated and I appreciate your help. Cheers, Humphrey
September 30th, 2008 6:26am

Hi All, I think I have found an area of focus now. When I open the "Run Advertised Programs" and press the "Run" for software not currently installed I receive the following error:
[Cannot Run Program] This program is currently not available
The Execmgr.exe records the following errors when trying to run an application:
CExecutionManager::FindUserExecutionManager the user ABC\Administrator is not logged on
CExecutionManager::CheckContentAvailability the user is not logged on
I also did a search and found this article: http://www.myitforum.com/forums/m_155391/mpage_1/key_/tm.htm#155391 which mentions:
"UIResourceManager.ExecuteProgram won't work unless a user is logged on because it takes advantage of the Control Panel interfaces."
"We've seen this before, and word is that this constraint is built into the SMS SDK: the user must be logged on to use UIResourceManager.ExecuteProgram."
"UIResourceMgr uses the winlogon.exe events to validate that the user is logged on."
I guess I will try and do some more searches but if anyone has more information about the way the UIResourceMgr interacts with the winlogon.exe that would be really helpful. I guess I need to find out what access is needed and have the correct permissions been granted. Cheers, Humphrey
September 30th, 2008 9:43am

Next to windows\system32\ccm, windows\system32\ccmsetup should definitely be excluded. Let's start with that and see how far we get :-)
September 30th, 2008 6:51pm

Hi Kim, Apologies, I should have added the current Software Restriction Policy Settings:
Path Rules
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%*.exe
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%System32\*.exe
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%System32\ccm
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%System32\ccmsetup
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%
Actually what I have noticed is that the people who created the above paths forgot to add a "\" after "SystemRoot%". I have now done this and am testing. Thanks for making me check it again. They are now listed as:
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\*.exe
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\*.exe
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\ccm
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\ccmsetup
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%
Cheers, Humphrey
October 1st, 2008 2:26am

Unfortunately didn't seem to help, same issue. Cheers, H
October 1st, 2008 2:43am

I think I am getting closer. I have noticed the following entry in the CCMEXEC.LOG:
***************
Allowing activation requests on class objects. CCMEXEC 30/09/2008 11:46:36 AM 3832 (0x0EF8)
Registering endpoint notifications. CCMEXEC 30/09/2008 11:46:36 AM 3832 (0x0EF8)
Registering for Logon/Logoff notifications. CCMEXEC 30/09/2008 11:46:41 AM 3832
No User logged on to console during RegisterForLogon. CCMEXEC 30/09/2008 11:46:41 AM 3832
***************
then later the following is logged:
***************
Triggered update of logged-on user settings CcmExec 30/09/2008 11:47:46 AM 2284 (0x08EC)
***************
I am now trying to see if I can do some Process Monitor logging to dig a bit deeper. The problem seems to be related to the fact that when the computer boots it is checking for the Logged on user but when a user is logging on it isn't rechecking again.
!!!Update!!! I have just found out that if I KILL the CCMEXEC process and kick it off again everything is okay as the CCMExec seems to kick off the RegisterForLogon again which then sees that at that point a user is logged on so that it can continue. !!!Update!!!
Anyone in SCCM world know how the registration of the Logon/Logoff process is kicked off? I am guessing through winlogon.exe but any more ideas would be great. Cheers, Humphrey
October 1st, 2008 5:00am

HLaubscherOZ wrote: Anyone in SCCM world know how the registration of the Logon/Logoff process is kicked off? I am guessing through winlogon.exe but any more ideas would be great.
This might help you: http://support.microsoft.com/kb/905794/en-us (see "More information").
October 1st, 2008 12:14pm

Unfortunately Humphrey, I can't really help here. We don't do much testing, so no documentation, on what files/services/permissions/etc we require on clients to do install. So you are going to be on your own (and whatever help others can provide to you) in this area. We assume our client has full rights/no restrictions, through the OS so we can operate as we expect.
October 8th, 2008 1:30am

Hi Torsen/Wally, Thanks for your responses guys and I think I am getting closer but I won't have much more time to spend on the problem. From the link Torsen provided above it explains that there are 2 methods by which the SMS Agent Host gets notified if someone is or had logged on. The SMS Agent Host Service (CCMExec.exe) uses the System Event Notification service (SENS) to subscribe to the StartShell event which tells the SENS service to notify the SMS Scheduler that a logon has occurred. The following articles help explain the SENS Service: "System Event Notification Services and WMI Enable Flexible, Efficient Mobile Network Computing" http://msdn.microsoft.com/en-us/magazine/cc301850.aspx and "System Event Notification Service (SENS)" http://msdn.microsoft.com/en-us/library/aa940303.aspx If a user logs on prior to the process completing in step 1 then the SMS Scheduler simulates a SENS StartShell event if either a user is already logged on or if it's been 60 seconds since the computer has rebooted. I believe my problem is related to the Step 1 because if I logon prior to the Logged On User task starting in CCMEXEC.log being queried then everything seems to work but if I logoff and back on I get the same issue occurring again. I have tried narrowing down where exactly the StartShell notifies the CCMEXEC service but that has been a bit difficult as ProcessMon tends to have about 1000 entries covering 1 second so I haven't had much luck. I do know that in the CCMEXEC.log it happens before the entry 'Startup' which by looking at ProcessMon is kicked off by Winlogon.exe. I can also see all the subscriptions happening to the SENS Service: HKLM\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions\{0E456AA5-C279-4AB0-8AC2-9801249250B3}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000} But I believe it's during these subscriptions that something happens that affects the notification subscription to complete.
I have tried resetting the Computer to default file, registry and account permissions using Secedit but this hasn't resolved the problem. I am now going to try and redo the build with the customer step by step until hopefully some application or step breaks the SystemEvent service or DCOM permissions. Thanks for your time. Cheers, Humphrey
October 10th, 2008 9:18am

Did you find a resolution to this problem? We are having the same exact problems with our clients.
October 10th, 2008 10:05pm

Hi Tony, I have logged a call with Microsoft Support to see if they can help. I'll keep this forum updated with the progress. Cheers, Humphrey
October 14th, 2008 4:04am

Hi, Sorry got some bad news. I logged a call but I got retrenched along with my team so I wasn't able to complete the resolution with Microsoft. If it helps anyone I notice more severe WMI issues on the SOE when even trying to run a simple script so the issue may still lie there. Good Luck! Cheers, Humphrey
November 7th, 2008 7:24am

I've been having exactly the same problem and have been posting about this on another thread (4185030). The only thing I can add at the moment is I've found on systems without this problem I'll see the following entry in the CcmExec.log file if a user logs on after the ccmexec service is fully operational: SystemTaskProcessor::QueueEvent(Logon, 0) That message will also appear if the user logs off and back on without a restart (on working systems). On systems with the problem I never see that entry or the equivalent logoff entry. However if the user logs on before the ccmexec service is fully operational things will work, because the "User 'S-1-5-21-...' is logged on to console during RegisterForLogon." message occurs. This also happens when the service is restarted. I am still investigating and will update both threads if I find anything more.
November 28th, 2008 8:02pm
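The log markers compared in this thread can be checked mechanically. The script below is an added example, not code from any poster or from Microsoft: it walks a CcmExec.log and gives one verdict per service start, based only on the messages quoted above. The verdict labels, the raw `<![LOG[...]LOG]!>` line wrapper and the sample lines are assumptions constructed for illustration.

```python
import re

# Message fragments quoted in the thread (whitespace-tolerant matching).
START = re.compile(r"Registering for Logon/Logoff notifications")
NO_USER = re.compile(r"No User\s*logged on to console during RegisterForLogon")
USER_AT_START = re.compile(r"User '[^']*' is logged on to console during RegisterForLogon")
LOGON_EVENT = re.compile(r"SystemTaskProcessor::QueueEvent\(Logon,")
# Assumed raw on-disk wrapper around each message: <![LOG[message]LOG]!><...>
RAW = re.compile(r"<!\[LOG\[(.*?)\]LOG\]!>")

def message(line):
    m = RAW.search(line)
    return m.group(1) if m else line   # plain text lines are used as-is

def classify_sessions(lines):
    """Return one verdict (hypothetical labels) per ccmexec service start."""
    verdicts, state = [], None
    for line in lines:
        msg = message(line)
        if START.search(msg):
            if state is not None:
                verdicts.append(state)       # close the previous service start
            state = "unknown"
        elif USER_AT_START.search(msg):
            state = "user-seen-at-startup"
        elif NO_USER.search(msg):
            state = "no-logon-notification"  # holds unless a Logon event follows
        elif LOGON_EVENT.search(msg) and state != "user-seen-at-startup":
            state = "logon-event-received"
    if state is not None:
        verdicts.append(state)
    return verdicts

# Constructed sample: three service starts, not taken from a real client.
FMT = '<![LOG[%s]LOG]!><time="00:00:00.000+000" date="01-01-2008" component="CcmExec">'
SAMPLE = [FMT % t for t in (
    "Registering for Logon/Logoff notifications.",
    "No User logged on to console during RegisterForLogon.",
    "SystemTaskProcessor::QueueEvent(Logon, 0)",
    "Registering for Logon/Logoff notifications.",
    "No User logged on to console during RegisterForLogon.",
    "Triggered update of logged-on user settings",
    "Registering for Logon/Logoff notifications.",
    "User 'S-1-5-21-EXAMPLE' is logged on to console during RegisterForLogon.",
)]

if __name__ == "__main__":
    for n, verdict in enumerate(classify_sessions(SAMPLE), 1):
        print("service start %d: %s" % (n, verdict))
```

A `no-logon-notification` verdict on a machine where a user did log on after the service started matches the symptom reported in this thread.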

Are there any updates on this? We have the same problem with some servers which do an auto admin logon and then trigger the SCCM Agent. Sometimes the Agent says in the execmgr.log that the user is not logged on! This is not true! The user is logged on! Thx
August 3rd, 2010 11:14am

This topic is archived. No further replies will be accepted.
