Windows file server issues... looking for assistance

Posted by Craig__D@reddit | sysadmin | View on Reddit | 15 comments

We are a small company with a small IT team. We are mostly generalists. Capable, but very much generalists. We are having an issue that I believe needs troubleshooting and diagnosis from someone with in-depth Windows file server expertise. I'll briefly describe what is happening below. I am a pretty decent troubleshooter and have worked and worked to try and isolate where the problem is coming from, but I haven't been able to pin it down. This is why I think I need help from someone with this particular set of skills and experience. I think it will be necessary to watch file handles, SMB traffic, etc. to see when the files are opened, closed, who or what opened them, etc. The most visible symptom is that when a certain program requires an update, the installer consistently experiences an error when we try to install the update from a workstation (which is how this program is updated). The program is one that uses a server-based file share to house its files, but doesn't have any processes that actually run on the server. It's just a file share-based program that is accessible from many people on our system from this shared location. The cause of the error appears to be that the installer cannot update three files that stored on the server share. The three files seem to be held open by some mysterious source, and this causes the installer to be unable to overwrite them and thus the installer fails. We've talked with the development team of the software product that is experiencing the failure, and they do not believe it is a problem with their installer (and I tend to agree, as we have seen some other evidence of a similar thing happening with other files). We've run down the anti-virus trail, and the conclusion is that it's not that... though I still believe it's a possibility. We just haven't found the "smoking gun" yet. Our environment (the parts that matter) consists of Dell hosts running ESXi 8, Windows Server (and some workstation) OSes running on those hosts, an Aruba core switch, and Pure and Tintri SAN devices. I won't go into too much more detail about the issue in this post, as it is long enough already, but will be happy to answer questions either here or in a one-on-one conversation. We've contacted the company that we occasionally lean on for technical assistance, and they do not have anyone they feel can help us with this. I'd love to hear from you if you have this particular expertise and experience. Thanks in advance.

Reply to Post

15 Comments

[-]

kenyosvx@reddit

just my opinion but.. why not make a script for deployment that just copy the installer on target machine so you don't need to deal with this type of issues?

[-]

the_andshrew@reddit

Have you used the Shared Folders mmc.exe snap-in on the file server, that will tell you exactly who has a file it is sharing open. It's pretty common for applications that store their files on a file share that everyone needs to be 'out of the system' before trying to run any kind of updates for the application, unless it's been specifically programmed to allow updates while people are using it.

[-]

Craig__D@reddit (OP)

Thanks. Yeah, I do the updates for this particular program during a maintenance window on Sunday mornings when there's nobody else in the system. It's definitely not as simple as "somebody left the program open."

[-]

the_andshrew@reddit

Since that should rule out any network based access to the file, the next step I would try is run Process Explorer the server and use the 'Find Handle or DLL' option and search for the name of the files that aren't open. That will tell you if any processes are holding the file open. If that still gives nothing then I would try Process Monitor while you are running the upgrade, so you can capture exactly what requests the installer is (or isn't) making to those files. Also turn as much verbose logging on for the installer as you can so you can match up what the installer says it's doing vs what requests were actually captured via Process Monitor. Does it ever work via the updater, or do you always have to resort to manually updating the files it can't update?

[-]

Craig__D@reddit (OP)

Thanks. Good suggestions. I'm not terribly handy with Process Explorer and Procmon (I have used them but not a ton), but will give them a try. >Does it ever work via the updater, or do you always have to resort to manually updating the files it can't update? What I have found to normally work is that I copy the entire folder to the C: drive of my updating workstation, then run the "network" update there. I then copy that updated folder back to the server (after deleting the one there\*). Lastly I re-run the network installation to the server. This has been a workable solution for a year or so. However there was an update released this past weekend, and when I tried this "reliable" method it still didn't work. I still got the error when running the update to the server. I was even able to restart the server (remember, nobody else is using the system), but it still was a no-go. \*I have made a "safe" backup before starting any of this. Here is a **very** interesting observation that I have never, ever seen before... and I am a "seasoned" network admin of \~30 years: Using the process above, when I delete the program's folder from the server... There are three files that will "resist" deletion. I won't get any error messages in File Explorer saying they could not be deleted... but when I refresh File Explorer after deleting the whole folder, the folder shows up again. When I look inside the folder all the files and subfolders are gone except for these three. I can delete them **again** and still don't get any error message, but if I refresh File Explorer they'll still be there. If I wait a little while (maybe 2 minutes) then they will actually be deleted (without any further action from me) and I can proceed with the next step. I feel like this is significant, but I can't come with what it could be.

[-]

the_andshrew@reddit

The closest I've seen to that is that when a file can't be deleted then Windows will queue that file up for deletion at the next reboot (there is a location in the registry where it stores queued deletions, which I can't remember off hand). I would try doing your deletion from the command line, as you may get a more useful error than File Explorer. Procmon is probably the quickest route to finding what is accessing these files. Open it, reset the filter if you've fiddled around with it before and then add a Path filter -> contains and then the name or path of one of the files. That should immediately filter out most of the noise, unless something is really excessively accessing the files.

[-]

Craig__D@reddit (OP)

I have an update: It has something to do with antivirus. Here's are my iterative steps: * Uninstalled antivirus from the administrative installation VM. * Copied the server-based installation folder to another server share on the same server and tried the update. Worked fine. * Copied the server-based installation folder to another server share on a different server and tried the update. Worked fine. * Copied the server-based installation folder to another server share on another different server and tried the update. Worked fine. * Installed the antivirus program (not naming it just yet). * Copied the server-based installation folder to another server share on the same server and tried the update. The failure happened. * I am now able to recreate the issue at will, and I ran Procmon and repeated the process to the point of failure. I don't know that it matters much... the testing that I've done seems to point directly to the antivirus software. For those of you who have asked, here is the error message. It is not meaningful, other than to help me identify the file that the installer is having a problem writing: https://preview.redd.it/xdnpevdtyslf1.png?width=411&format=png&auto=webp&s=3bd74bda2f7892b4701f9bbd03382ae8c3e5c939 **Now I need to know** ***why*** **this occurs.** Why is the antivirus software getting in the way? I also know this: Even if I turn all protection mechanisms in the antivirus software, the error still occurs when I run the installer. So it's NOT that the antivirus software is blocking a file that it things is malicious... it reports nothing at all. It seems that the mere *presence* of the antivirus software is what causes the problem. Would uploading the procmon log info help anyone help me diagnose this? I'm in the process of opening a case with my AV provider, but I have done this exercise in the past and they concluded there is nothing they're doing that is causing the problem.

[-]

the_andshrew@reddit

Is this a "next-gen"/EDR type AV or traditional? When I used Sophos, which included both types in one, you would get these frustrating to troubleshoot moments when one part of the AV was doing 'something' which an application didn't like, but similar to what you're seeing it wasn't recording anything useful to indicate what it was doing - it always resulted in having to send mountains of logs and captures over to their support to get to the bottom of. Have you actually set specific exclusions for the path to these files in your AV, or are you just turning the features off entirely on the test workstation? Since your testing shows its very likely AV related hopefully their support can give you a solution this time. The AV support will likely want the promon logs as it will confirm what component of the AV is accessing them; perhaps also do a capture when AV is not installed so it can be compared against the capture you have for when it is installed. If you wanted to PM me the log I don't mind taking a second look for you in case anything else stands out.

[-]

Craig__D@reddit (OP)

Next gen… Cylance Protect

[-]

Craig__D@reddit (OP)

Thanks. I will definitely give this approach a try.

[-]

BeagleBackRibs@reddit

It sounds like permissions or someone is leaving the files open. You could have a user remoting in without your knowledge. Check the Shared Folders. You could also drop a test.txt file in the share and see if you can modify it from the workstation

[-]

Craig__D@reddit (OP)

Thanks for the input. It's not this. I check to confirm that nobody is logged in (it's an exclusively VDI system, so I can see all sessions). We don't have any other way to remote in.

[-]

BeagleBackRibs@reddit

What does the error message say?

[-]

Craig__D@reddit (OP)

Thanks. The error message is not really relevant, as it is a generic "I can't update this file... installation failed" message from the installer.

[-]

Commercial_Growth343@reddit

I would run Process Monitor on the file server, with filters for the folder or drive those files reside and comb through the results. I might be tempted to look into 'oplocks' and if that is off or on, and try flipping it to the other way as a test. I would also check file permissions because maybe you can get away with just read-execute permissions for the users. good luck