cluberti

Honestly, I don't know from the data uploaded, as it's only giving me a WMI event sink due to a plug-and-play event. I'm not sure how warcraft works with the hardware, so you might want to send a quick email to support for that product on this - it could be some code in their network portion of the product has caused this when you allow it access to the 'net. Again, not sure, but from what I've got it looks like a PNP event raising an exception - it's either a buggy driver, or buggy software (or both ).

Have you checked task manager to make sure you don't have a process using 100% CPU during this time?

Try configuring the RPC services to use the Local System account first. They technically should be using Network Service after installation of SP2, but it looks like something has modified your services from the defaults. Try setting those two RPC services to Local System and reboot first.

I've got no experience with that, but a Linux PXE server booting a WinPE or BartPE image with network support might be all that you need to launch your Windows installs. I think if you hop over to the WinPE forum, this has been discussed before.

You could always try running the update in a machine logon script, as those run as the local SYSTEM account (you wouldn't necessarily have network access, so the install file would need to be local, but the script would definitely have rights as the SYSTEM account). It's worth a try in a test environment .

You will be hard-pressed to keep them from seeing the delay without a DFS infrastructure or offline files. I strongly suggest you consider 2K3 R2 and DFS for your issue, but in the meantime, offline files.

Unfortunately, I've only tried the Linux RIS option. It works, but the learning curve is definitely there and requires a bit of time and effort to get running. Usually in these scenarios, I've seen people set up a stand-alone domain on a single W2K3 box running RIS, and make the .sif files so that the machine doesn't join the domain on build. This allows the machine to be built via RIS (by pointing the correct dhcp options to the RIS server), but be able to join any other domain (including a linux/samba AD) after build, or even during the build (point the domain join portion to the new domain).

Note that slow link speed is determined by the speed of the local site DC if the machine logging in is able to connect to the local site DC - meaning that if the laptop connects to the local site DC at 10 or 100Mb, slow link detection will detect a "fast" link. Have you instead considered using DFS to replicate the problem userhome's to all file servers (or at least all DCs) in your domain, so that the roaming user would always have a "local" copy of their userhome on the local site file server or DC?

Why are the two RPC services running as "Network Service", when all other services in that svchost.exe shared process appear to be starting as "Local System"?

And safe mode always works?

According to the second dump, an event was written to the log (doesn't indicate which) by a WMI xsink at approximately 11:45.19 US Eastern Time - would you happen to have that event? Also, the actual error appears to have come from the wiaserv service, or the Windows Image Acquisition service, during a PNP Unregister Notification event. Was any PNP device disconnected from the machine at the time of the error? From the first svchost.exe dump, the imgsvc svchost.exe process: ChildEBP RetAddr Args to Child 0007f808 77ea38d3 000006b5 00000001 00000000 kernel32!RaiseException+0x53 0007f820 77e91357 000006b5 77926a70 0007fc2c rpcrt4!RpcpRaiseException+0x24 0007f834 77ef3675 0007f87c 000a13fc 00000000 rpcrt4!NdrSendReceive+0x35 0007fc10 7792f318 77926a70 77929ecc 0007fc2c rpcrt4!NdrClientCall2+0x222 0007fc24 7792f2a9 000b4770 000e2444 77d664ef setupapi!PNP_UnregisterNotification+0x1b 0007fc64 77d66534 000e2440 77d664ef 75aea3d8 setupapi!CMP_UnregisterNotification+0x4a 0007fca4 75ac83db 000e2440 00000000 00000005 user32!UnregisterDeviceNotification+0x45 0007fcc8 75ac8575 0009ba88 75ac8520 00000000 wiaservc!StiServiceStop+0x80 0007fcdc 77deb603 00000005 00000000 00000000 wiaservc!StiServiceCtrlHandler+0x55 0007fd50 77deb568 00000074 0007fd7c 00000216 advapi32!ScDispatcherLoop+0x266 0007ffb0 01002585 00098278 7c910738 ffffffff advapi32!StartServiceCtrlDispatcherW+0xe3 0007ffc0 7c816d4f 7c910738 ffffffff 7ffd9000 svchost!_wmainCRTStartup+0x77 0007fff0 00000000 01002509 00000000 78746341 kernel32!BaseProcessStart+0x23 And from the second svchost.exe dump, the netsvcs svchost.exe process: ChildEBP RetAddr Args to Child 0189f718 77ea38d3 000006b5 00000001 00000000 kernel32!RaiseException+0x53 0189f730 77e91357 000006b5 77ddf110 0189fb3c rpcrt4!RpcpRaiseException+0x24 0189f744 77ef3675 0189f78c 001076a0 000da5c8 rpcrt4!NdrSendReceive+0x35 0189fb20 77de766c 77ddf110 77de644c 0189fb3c rpcrt4!NdrClientCall2+0x222 0189fb34 77de762f 000a53e8 45b4415b 00000004 advapi32!ElfrReportEventW+0x1b 0189fbac 77de7570 000a53e8 00000004 00000000 advapi32!ElfReportEventW+0x5a 0189fc18 73d35673 000a53e8 00000004 00000000 advapi32!ReportEventW+0xce 0189fcec 5981d2b7 005ba860 00d7c6c0 00000006 wbemcons!CEventLogSink::XSink::IndicateToConsumer+0x495 0189fd48 598206da 00000000 00d7c6c0 00000006 wmiprvsd!CInterceptor_IWbemSyncUnboundObjectSink::InternalEx_IndicateToConsumer+0x6d 0189fd60 59815bf8 000b7af0 00d7c6c0 00000006 wmiprvsd!CInterceptor_IWbemSyncUnboundObjectSink::IndicateToConsumer+0x18 0189fdbc 753ac47b 000b7af0 00d7c6c0 00000006 wmiprvsd!CInterceptor_IWbemUnboundObjectSink::IndicateToConsumer+0xba 0189fdf4 753ad40f 000bad38 00d7c6c0 00000006 wbemess!CPermanentConsumer::Indicate+0x28 0189fe3c 7539912d 00000006 0189fe74 00000000 wbemess!CPermanentConsumer::ActuallyDeliver+0xd3 0189fe60 75399648 00000000 00000006 0189fe74 wbemess!CQueueingEventSink::DeliverEvents+0x3a 0189ff04 753998a7 00db5e90 00d598e8 00d15e98 wbemess!CQueueingEventSink::DeliverSome+0x24f 0189ff38 7529f0a7 00db5e90 00d15e98 7c9010ed wbemess!CQueueingEventSink::DeliverAll+0x56 0189ff4c 7529eda9 00db5e90 756a0195 00db5e90 wbemcomn!CExecQueue::Execute+0x17 0189ff7c 753ac2da 00002ee0 756a0195 0120f3bc wbemcomn!CExecQueue::ThreadMain+0x11f 0189ffa8 7529edc2 00db5e90 0189ffec 7c80b50b wbemess!CEventQueue::ThreadMain+0x22 0189ffb4 7c80b50b 00db5e90 756a0195 0120f3bc wbemcomn!CExecQueue::_ThreadEntry+0xf This smacks of a driver issue, but I can't figure out what from the current crop of data - some kernel-mode driver is calling up into the imgsvc svchost.exe process, which usually hosts scanners, cameras, etc. However, at the same time (which is why you have two dumps), the WMI event consumer is dumping an event to the event log for a permanent event consumer from the event queue, which indicates a WMI provider indicating either a problem or a warning on a WMI interface. I'd say it's a bad PNP device driver from what can be seen here, but I cannot say with 100% certainty that this is the case. Perhaps making sure all of your drivers are 100% up to the latest versions (especially your network interface driver), and also trying to run with no 3rd party startup items and services (via autoruns from sysinternals) to see if this clears up. Also checking for any events in any event log, at around that time (Jan 21, 11:45PM ET) may help as well.

And you've installed no 3rd party software or drivers on this install?

Are the server and workstation services running? Do you have any services configured "Automatic" that are not running?

I'm not sure - but I've been using xplode 4.x with the following config file with no problems: <XPlode4> <config> <display plugin='#XPLODE#\XPlodeOriginalInstall.x4d'> <show total='21' after='19' subcount='false' /> <!-- make antialiasing false if you're running GUIinstall mode --> <font face='Tahoma' antialias='true' small='8' large='13' /> <!-- note the position attribute - it is listed in 'x,y' positions. --> <!-- 0..8 still may be used. --> <window position='4' /> <!-- can be standalone, or guiredraw --> <!-- for the latter two, you don't need to specify background colours, or images. --> <windowmode mode='standalone' border='false' /> <colours> <header back='#003399' fore='#FFFFFF' image='#XPLODE#\images\head.png' /> <footer back='#003399' fore='#FFFFFF' image='#XPLODE#\images\foot.png' /> <progress border='#000000' back='#FFFFFF' fore='#008800' fore2='#00AA00' /> <main back='#6699FF' fore='#FFFFFF' current='#FFFF00' description='#FFFFFF' image='#XPLODE#\images\install.png' overlay='#FFFFFF22' /> </colours> </display> <environment> <!-- strings for the header/footer text --> <display.title> Installing Applications </display.title> <display.complete> Complete </display.complete> </environment> </config> <items> <item display='.NET Framework 2.0'> <execute display='.NET Framework 2.0'> <program>D:\Unattend\dotnetfx\dotnet20.exe</program> <arguments>/q:a /c:"install /l /q"</arguments> <hide>true</hide> </execute> </item> <item display='Virtual Machine Additions'> <execute display='Virtual Machine Additions'> <program>C:\DRIVERS\VM\virtualmachineadditions.msi</program> <arguments>REBOOT=ReallySuppress</arguments> <hide>false</hide> </execute> </item> <item display='Windows Critical Updates'> <execute display='Windows Journal Viewer'> <program>D:\Unattend\jrnlvwr\jrnlvwr.msi</program> <arguments>/qn</arguments> <hide>true</hide> </execute> <execute display='HighMat CD Wizard'> <program>D:\Unattend\hotfix\HMTCDWizard_enu.exe</program> <arguments>/qn</arguments> <hide>true</hide> </execute> <execute display='Multi Desktop Manager'> <program>D:\Unattend\xppower\deskman.exe</program> <arguments>/v/qn</arguments> <hide>true</hide> </execute> <execute display='Task Switcher'> <program>D:\Unattend\xppower\taskstch.exe</program> <arguments>/v/qn</arguments> <hide>true</hide> </execute> <execute display='Fast User Switcher'> <program>D:\Unattend\xppower\fastuser.msi</program> <arguments>TRANSFORMS=D:\UNATTEND\xppower\fastuser.mst /qn</arguments> <hide>true</hide> </execute> </item> <item display='Windows Server Support Tools'> <execute display='Support Tools'> <program>D:\Unattend\suptools\suptools.msi</program> <arguments>/qn</arguments> <hide>true</hide> </execute> <execute display='Resource Kit'> <program>D:\Unattend\rktools\rktools.msi</program> <arguments>/qn</arguments> <hide>true</hide> </execute> <execute display='AdminPak'> <program>D:\Unattend\adminpak\adminpak.msi</program> <arguments>/qn</arguments> <hide>true</hide> </execute> <execute display='Group Policy Management Console'> <program>D:\Unattend\gpmc\gpmc.msi</program> <arguments>/qn</arguments> <hide>true</hide> </execute> <execute display='BootVis'> <program>D:\Unattend\bootvis\bootvis.msi</program> <arguments>TRANSFORMS=D:\Unattend\bootvis\bootvis.mst /qn</arguments> <hide>true</hide> </execute> <execute display='PSTools'> <program>D:\Unattend\pstools\pstools.exe</program> <arguments>/verysilent /SP-</arguments> <hide>true</hide> </execute> <execute display='RegClean'> <program>D:\Unattend\regclean\regclean.exe</program> <arguments>/verysilent /SP-</arguments> <hide>true</hide> </execute> <execute display='UPHClean'> <program>D:\Unattend\UPHClean\UPHClean.msi</program> <arguments>/qn</arguments> <hide>true</hide> </execute> </item> <item display='Microsoft Office Components'> <execute display='Office 2003 Professional'> <program>D:\Unattend\Office\PRO11.msi</program> <arguments>TRANSFORMS=D:\UNATTEND\Office\PRO11.mst /qn</arguments> <hide>true</hide> </execute> <execute display='SpamBayes'> <program>D:\Unattend\Spambayes\spambayes.msi</program> <arguments>/qn</arguments> <hide>true</hide> </execute> </item> <item display='Multimedia Applications'> <execute display='Irfanview'> <program>D:\Unattend\irfanview\irfanview.msi</program> <arguments>/qn</arguments> <hide>true</hide> </execute> <execute display='Flash'> <program>D:\Unattend\Flash\flashplayer_7.msi</program> <arguments>/qn</arguments> <hide>true</hide> </execute> <execute display='Shockwave'> <program>D:\Unattend\Shockwave\shockwave_8.msi</program> <arguments>/qn</arguments> <hide>true</hide> </execute> </item> <item display='File Transfer Applications'> <execute display='WinSCP'> <program>D:\Unattend\WinSCP\winscp.msi</program> <arguments>/qn</arguments> <hide>true</hide> </execute> <execute display='SmartFTP'> <program>D:\Unattend\smartftp\smartftp.msi</program> <arguments>/qn</arguments> <hide>true</hide> </execute> <execute display='PuTTY'> <program>D:\Unattend\putty\putty.exe</program> <arguments>/verysilent /SP-</arguments> <hide>true</hide> </execute> </item> <item display='File Manipulation Components'> <execute display='WinZIP'> <program>C:\progra~1\winzip\winzip32.exe</program> <arguments>/noqp /autoinstall</arguments> <hide>true</hide> </execute> <execute display='WinRAR'> <program>D:\Unattend\winrar\winrar.msi</program> <arguments>/qn</arguments> <hide>true</hide> </execute> <execute display='WinImage'> <program>D:\Unattend\WinImage\winimage.msi</program> <arguments>/qn</arguments> <hide>true</hide> </execute> <execute display='CutePDF Writer'> <program>D:\Unattend\CutePDF\CutePDF Writer.msi</program> <arguments>/qn</arguments> <hide>true</hide> </execute> <execute display='GhostScript Converter'> <program>D:\Unattend\CutePDF\GhostScript Converter.msi</program> <arguments>/qn</arguments> <hide>true</hide> </execute> </item> <item display='CD/DVD Applications'> <execute display='PowerDVD'> <program>D:\Unattend\PowerDVD\powerdvd.msi</program> <arguments>/qn</arguments> <hide>true</hide> </execute> </item> <item display='Diskeeper'> <execute display='Diskeeper'> <program>D:\Unattend\dskeeper\dskeeper.msi</program> <arguments>/qn</arguments> <hide>true</hide> </execute> </item> <item display='Adobe Acrobat'> <execute display='Adobe Acrobat'> <program>D:\Unattend\adobe\Adobe Reader 7.0.msi</program> <arguments>/qn</arguments> <hide>true</hide> </execute> </item> <item display='RealPlayer'> <execute display='RealPlayer'> <program>D:\Unattend\Real\real.msi</program> <arguments>/qn</arguments> <hide>true</hide> </execute> </item> <item display='System Virus and Spyware Protection'> <execute display='Create Reg Key'> <program>REG</program> <arguments>ADD HKCU\Software\Intel\LANDesk\VirusProtect6\CurrentVersion\Custom Tasks</arguments> <hide>true</hide> </execute> <execute display='Prevent Start Scan'> <program>REG</program> <arguments>ADD HKCU\Software\Intel\LANDesk\VirusProtect6\CurrentVersion\Custom Tasks /v CreatedUserQuickScan /t REG_DWORD /d 00000001 /f</arguments> <hide>true</hide> </execute> <execute display='Set Default Scan Options'> <program>REG</program> <arguments>ADD HKCU\Software\Intel\LANDesk\VirusProtect6\CurrentVersion\Custom Tasks /v CopiedDefaultScanOptions /t REG_DWORD /d 00000001 /f</arguments> <hide>true</hide> </execute> <execute display='Symantec Antivirus'> <program>D:\Unattend\SAV\Symantec Antivirus.msi</program> <arguments>REBOOT=ReallySuppress RUNLIVEUPDATE=0 ADDLOCAL=SAVMain,SAVUI,SAVHelp,EMailTools,OutlookSnapin,Pop3Smtp,QClient NETWORKTYPE=2 ENABLEAUTOPROTECT=1 /qn</arguments> <hide>true</hide> </execute> <execute display='Windows Defender'> <program>D:\Unattend\defender\windowsdefender.msi</program> <arguments>/qn</arguments> <hide>true</hide> </execute> </item> <item display='System Cleanup'> <execute display='Cleanup Script'> <program>D:\Unattend\cleanup.cmd</program> <hide>true</hide> </execute> </item> <item display='Shutdown'> <execute display='Initiating Shutdown'> <program>shutdown</program> <arguments>-r -t 5 -c "Finishing Windows Installation and Rebooting"</arguments> <hide>true</hide> </execute> </item> </items> </XPlode4>

If your monitor installed any entries into the WMI database, they may be missing or corrupt, or even the WMI database itself is corupt or missing data.

Actually, it likely indicates one. That error maps to "REC_E_NOCALLBACK" and "WBEM_E_FAILED", leading to believe it's having trouble talking to a device on your system, or a .dll file. Since you're having hangs and lockups, I'd say it's more likely a hardware device than a .dll file. You won't be able to tell which without exhaustive wbemtest'ing, but if your memory tests OK, I'd say you should consider removing all unnecessary devices needed to boot (leave only memory, CPU, and video card) and reboot into the test Windows and see if the problem persists.

It depends on what driver caused it, but yes, if it was the video driver, it would possibly be related.

If it's set up, the next time the error occurs you should have a dump file (or series of dump files) in C:\userdump. PM me when you've got them.

Well, you can almost do that with 802.1x if you have a RADIUS server (and a 2K3 domain makes it even easier). Requiring both authentication and a shared (private) certificate before gaining any network access, plus the above, makes wireless access points fairly secure. Hard to hack a network when all you can send are EAPOL packets without a domain username/password, a valid MAC address, and a valid certificate. Not impossible, but highly unlikely .

Not sure why the domain join is failing, but the error maps to "ERROR_SERVICE_CANNOT_ACCEPT_CTRL".

If you have a PS/2 keyboard attached (or can attach one for testing), follow the instructions here for configuring your machine for a complete memory dump. Once you follow that and reboot, the next time the box hangs you can dump it by holding down the RIGHT-hand CTRL key and pressing the SCROLL LOCK key twice - it'll generate a bugcheck STOP 0xE2, dump memory, and ultimately reboot. The resulting memory.dmp file that will eventually get created in your Windows directory (usually takes 5 - 25 minutes, depending on how much RAM you have installed) can be analyzed to show us the hang, and the culprit of such.

I too had problems with this one - I found that it would slipstream into an RTM source, but when I slipstreamed into an SP1 source, it would fail with random file errors. I'm pretty sure this one has been bugged, but it wouldn't hurt to report it again.

Hopefully a dump will point us to the culprit, then, and you can go about getting everything working again .

http://technet2.microsoft.com/WindowsServe...3.mspx?mfr=true I believe your domain must be at 2003 functional level for the forced logoff to work, but I'm not 100% certain.

No, unfortunately, there isn't. You'll have to get a non-trial version of the Windows i386 directory to integrate any hotfixes or service packs. You may be able to hack it in, but that usually breaks trial versions...