Chris, Earlier this week, I came across this problem, but it wasn't with the particular MS Patch that you mention. I wanted to send out a note to the community notifying them of the eventual 'fix' that BMC provided to me on this scenario. I had all of the same symptoms, armonitor wouldn't start, no matter how I tried it. When starting it from services, it would try to write to an armonitor.log in the syswow folder, etc.
The eventual fix that BMC came back with was to modify the 'Image Path' of the service to not include " marks. The install path was "C:\Program Files\BMC Software\ARSystem\armonitor.exe" they just had me take the " out, and everything started up fine. The best I can come up with regarding the 'reason' for this is that in x64 based systems, MS implements file system redirect to get you to the correct version of the file you are looking for...if you are a 32 bit app, and try to access various folders, you are redirected to the syswow64 folder instead. Based on the 'fix' provided, it seems that at times, MS implements a change in some process that causes the " at the beginning of the image path to be misunderstood and makes c:\windows\syswow64 the 'root' of the process instead of the intended folder, which of course makes it not work because the files don't exist there. On Wed, Jun 1, 2011 at 12:48 PM, strauss <stra...@unt.edu> wrote: > Remove Microsoft KB2509553. I have reproduced this on three 7.1 servers, > and the only fix is to take the security update back off. On at least one > of those, after upgrading it to 7.6.04 and adding the patch back on > individually, it no longer stopped the AR service from starting, but BMC > Support tells me they have had reports from most supported and older > versions. I have had an issue open with Microsoft since mid-April, and > they had several others from ARS 7.1 sites, so it is definitely a problem. > **** > > ** ** > > Christopher Strauss, Ph.D. > Call Tracking Administration Manager > University of North Texas Computing & IT Center > http://itsm.unt.edu/ **** > > *From:* Action Request System discussion list(ARSList) [mailto: > arslist@ARSLIST.ORG] *On Behalf Of *Jon Gee > *Sent:* Wednesday, June 01, 2011 12:59 PM > > *To:* arslist@ARSLIST.ORG > *Subject:* Re: WARNING on Microsoft MS11-030 KB2509553**** > > ** ** > > ** **** > > Hello,**** > > Our Dev , and test box is working after the patch , but the *ARS Service > will not start*. Does anyone have a fix for this? **** > > **** > > " *You can sell and practice theory but, life in reality, has unexpected > challenges that require decision and executions that were not covered in > your lessons*." *by Jon Gee***** > > ** ** > > *From:* Joe Martin D'Souza <jdso...@shyle.net> > *To:* arslist@ARSLIST.ORG > *Sent:* Thursday, April 14, 2011 4:03 PM > *Subject:* Re: WARNING on Microsoft MS11-030 KB2509553 > > **** > > ** **** > > **** > > That’s always a bad idea walking into the unknown even if there were no > known issues. You never know because of the uniqueness of your environment, > you may be the first to find out an issue. Its never a good idea to alter > the production without testing it on at least one other non critical > environment such as a test followed by dev or acceptance..**** > > **** > > Joe**** > > **** > > *From:* pascale.sterr...@daimler.com **** > > *Sent:* Thursday, April 14, 2011 1:52 PM**** > > *Newsgroups:* public.remedy.arsystem.general**** > > *To:* arslist@ARSLIST.ORG **** > > *Subject:* Re: WARNING on Microsoft MS11-030 KB2509553**** > > **** > > yes that is exactly what I am saying, They were about to apply that > specific patch to ALL our environments at once. Including dev , test and > Prod.They are now only going to patch our dev so we can validate. And from > now on will test first on our dev environment. So a HUGE thanks to Chris. > I did not know that they were not patching dev first. So that was a > possible close call.Pascale > > > **** > > *jdso...@shyle.net* > Sent by: arslist@ARSLIST.ORG **** > > 04/14/2011 10:48 AM **** > > Please respond to > arslist@ARSLIST.ORG**** > > To**** > > arslist@ARSLIST.ORG **** > > cc**** > > Subject**** > > Re: WARNING on Microsoft MS11-030 KB2509553**** > > ** ** > > ** You aren’t saying that your team was about to patch the production > server without applying it to a sandbox or development or test environment > right? I do not see the harm in applying it to a test or development > environment even if it has been reported to not be working ‘out of the box’ > – depending on what the error really is, it may be possible to tweak it to > get it to work.. Joe *From:* pascale.sterr...@daimler.com*Sent:*Thursday, > April 14, 2011 1:42 PM > *Newsgroups:* public.remedy.arsystem.general*To:* arslist@ARSLIST.ORG* > Subject:* Re: WARNING on Microsoft MS11-030 KB2509553 ** > Chris, > > My server team was about to install that patch next weekend. So thank you > so much!! > Just one clarification if you can. Do we need to prevent them from > patching only the app server or also the MSSQL server? We do have a remote > DB and they were going to patch both the app servers and our db. > > > Thank you, > > Pascale Sterrett > > > Thanks for the heads up, we were planning on applying that patch this > weekend. I will stop that right away. > > Christopher Pruitt > Business Consulting III > HP Enterprises Services > christopher.pru...@hp.com > www.hp.com > > > Confidentiality Notice: This message and any files transmitted with it are > intended for the sole use of the entity or individual to whom it is > addressed, and may contain information that is confidential, privileged, > and exempt from disclosure under applicable law. If you are not the > intended addressee for this e-mail, you are hereby notified that any > copying, distribution, or dissemination of this e-mail is strictly > prohibited. If you have received this e-mail in error, please immediately > destroy, erase, or discard this message. Please notify the sender > immediately by return e-mail if you have received this e-mail by mistake. > > -----Original Message----- > From: Action Request System discussion list(ARSList) [mailto: > arslist@ARSLIST.ORG] On Behalf Of strauss > Sent: Thursday, April 14, 2011 10:49 AM > To: arslist@ARSLIST.ORG > Subject: WARNING on Microsoft MS11-030 KB2509553 > > After applying this patch to my Reference Server for the 7.6.04 upgrade: > Windows 2003 R2 x64 with ARS 7.1.00.003 CMDB 2.1.00.02 and ITSM 7.0.03.009 > etc., SQL Server 2005 on remote server), the AR Service immediately and > absolutely refuses to start. On reboot from the security patches (there > were 15 total) the AR Server would not start automatically, and all > subsequent attempts to start it manually saw the armonitor start, then > crash. While troubleshooting with BMC support, it could not even be > started from the command line. > > Removing the KB2509553 security update and rebooting solved the problem > immediately, with the ARS service starting normally. The only other AR > server that I had applied this patch (and all of the others) to was the > Staging Server (Windows 2003 R2 x64 with ARS 7.6.04 CMDB 2.1.00.02 and ITSM > 7.0.03.009 etc.), and it has a local SQL Server hosting the db so it was > not affected. Note that on the problem AR Server, it was still possible to > run the SQL Server Management Studio client (2008) and connect to the > remote db normally, even though the ARS service could not. > > Security Bulletin MS11-030 KB2509553 is a Critical patch for a > vulnerability in DNS resolution that could allow remote code execution; it > slammed the door shut on something that ARS depends on. Until BMC comes up > with a solution for this, I will not be applying this patch to any other AR > Server, especially my 7.1 production system with a remote db. > > Christopher Strauss, Ph.D. > Call Tracking Administration Manager > University of North Texas Computing & IT Center > http://itsm.unt.edu/_attend WWRUG11 www.wwrug.com ARSlist: "Where the > Answers Are"_ > If you are not the intended addressee, please inform us immediately that > you have received this e-mail in error, and delete it. We thank you for > your cooperation. **** > > _attend WWRUG11 www.wwrug.com ARSlist: "Where the Answers Are"_ **** > > _attend WWRUG11 www.wwrug.com ARSlist: "Where the Answers Are"_**** > _______________________________________________________________________________ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org "Where the Answers Are, and have been for 20 years"
