I don't usually re-hash, here on my own blog, the comments I leave on someone else's.
I try to avoid leftovers...even the ones I cooked myself, and I'm not even sure it is "acceptable" practice.
However, every now and then someone posts a problem on their blog, I do some research and offer a solution in the comments.
Sometimes I hit close to the mark, and if the info is pretty useful, I'll tidy it up and repost it here.
This is one of those posts.
Liar Liar...OS on Fire!
Last week Dwight Silverman ran into a "bitty" problem with Vista and posted his observations: TechBlog: Windows Vista is lying to me.
Briefly, Dwight uninstalled AVG Free from his Vista system to make way for a new security suite Norton 360 from Symantec.
Vista's Security Center reported it was still installed.
That is a Really Bad Thing™, since it tells the user that important security software is present and accounted for when it is really AWOL. Not good.
So Dwight installed Norton 360 and it showed up...alongside AVG Free, which was still listed.
Searches through the registry and the file system turned up no trace of AVG Free that would explain why the OS still thought it was present.
What's up with that?
It's a WMI Thang!
It turns out that what we are actually observing is a WMI (Windows Management Instrumentation) reporting issue.
Dwight did some web-searching and didn't find any useful info about this bad behavior under Vista, but I knew XP has a Windows Security Center feature that operates almost exactly like Vista's.
Here are some Microsoft links that explain how Windows Security Center maintains its list of installed anti-virus products, so you can get caught up with us:
One more interesting link on WMI: Scripting Eye for the GUI Guy WBEM What?
Usually this reporting process works fine, but it is possible for malicious code to feed WMI bogus data so that Windows Security Center reports (falsely) that protection is present and enabled when it isn't.
This is a previously known issue in some security circles: Security Watch Special: Windows XP SP2 Security Center Spoofing Threat, so we really aren't talking about something new...just something pretty uncommon.
Whatever the reality of that threat (XP SP2 Craters), it does show that WMI can get borked and falsely report to the end user that their XP/Vista system is nice and toastily protected when it in fact isn't.
Because XP/Vista store Windows Security Center's product data in the WMI repository (the root\SecurityCenter namespace, kept on disk under %windir%\System32\wbem\Repository) rather than in the registry, users can't find registry keys matching what they observe. The data doesn't exist there; it is stored and reported elsewhere by the system.
So Fix it Dear Liza...
Now that we know that a hole can indeed appear in the Windows Security Center bucket, let's plug it.
Armed with a new (albeit basic) understanding of how Windows Security Center relies on WMI in Vista/XP, I performed a revised search and located the following LockerGnome thread, where other users were seeing the same false AV reporting in Vista and two fixes were suggested: New AV program is not shown in Security center.
Here is the brilliant fix offered by thread-poster Malke. (His PC service webpage has some pretty funny and good work on it as well!)
Note: Before doing this, I made a copy of my Repository files as a backup...just in case something went horribly wrong I could put it back. Good advice to follow.
This trick for fixing that issue in XP apparently works in Vista, too. In Vista you probably need to run elevated. There are two ways of doing the same thing - the first way is using the GUI and the second way is from the command line. Your choice. Set a System Restore point first.
Scroll down to Windows Management Instrumentation and double-click it. Now click on the "Pause" button. Leave that window open and double-click My Computer. Navigate to %systemroot%\Windows\System32\wbem (where %systemroot% is the drive where XP is installed). Delete the Repository folder and *only* the Repository folder. Now go back to the WMI service window you left open and restart the service.
This will rebuild the Repository and hopefully straighten out the incorrect entries for all your duplicates.
In order to see the Windows files, you may need to unhide them:
Make sure you are able to see all hidden files and extensions (View tab
in Folder Options).
a. Check "Display the contents of system folders".
b. Check "Show hidden files and folders".
c. Uncheck "Hide protected operating system files" and click "OK" to the
Method B from MVP Torgeir Bakken (more elegant)
Open a command window (Start/Run --> cmd.exe) and run the following commands:
net stop winmgmt
cd /d %windir%\system32\wbem
ren repository repository.old
net start winmgmt
(or alternatively delete it using the command "rd /s repository" instead of the ren command)
It may take a minute or so to complete while WMI rebuilds the database.
Update: It doesn't say so, but many commenters below say a system reboot is required to fully complete the process. Sounds like good advice.
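To make the two points above concrete (that Security Center's product list lives in WMI rather than the registry, and that Method B is just stop/rename/start on the repository), here is an added example. It is not code from the original post, from Dwight, or from the quoted commenters. It queries the WMI namespace Security Center reads, so a stale AVG entry shows up for what it is (a WMI object, not a registry key); it scripts Method B with the renamed folder serving as the backup the post recommends; and it can put the old repository back. Assumptions: the root\SecurityCenter namespace and its AntiVirusProduct, FirewallProduct and AntiSpywareProduct classes as used by XP SP2 and Vista (Windows 7 onward uses root\SecurityCenter2), the wscsvc service name for Security Center, and PowerShell run from an elevated prompt.

```powershell
# Added example, not code from the original post or its commenters.
# Assumes: root\SecurityCenter namespace (XP SP2 / Vista), Security Center
# service name wscsvc, elevated PowerShell, repository path from Method B.

function Get-SecurityCenterProducts {
    # What Security Center believes is installed. This is the data the
    # Security Center UI shows, and it lives in the WMI repository.
    param([string]$Namespace = 'root\SecurityCenter')
    foreach ($class in 'AntiVirusProduct', 'FirewallProduct', 'AntiSpywareProduct') {
        # A class missing on this OS version (e.g. AntiSpywareProduct on XP)
        # simply yields nothing.
        Get-WmiObject -Namespace $Namespace -Class $class -ErrorAction SilentlyContinue |
            Select-Object @{ Name = 'Class'; Expression = { $class } },
                          displayName, companyName, instanceGuid
    }
}

function Reset-WmiRepository {
    # Method B, scripted: stop WMI, move the repository aside (the moved
    # folder is the backup), start WMI so it rebuilds a fresh repository from
    # Windows' own autorecover MOFs. Returns the path of the saved copy.
    $wbem  = Join-Path $env:windir 'System32\wbem'
    $repo  = Join-Path $wbem 'Repository'
    $saved = Join-Path $wbem ('Repository.' + (Get-Date -Format 'yyyyMMdd-HHmmss') + '.old')

    if (-not (Test-Path $repo)) { throw "WMI repository not found at $repo" }

    # /y stops dependent services without prompting; on Vista Security Center
    # itself depends on winmgmt. Any other dependents come back on the reboot.
    net stop winmgmt /y | Out-Null
    if ((Get-Service winmgmt).Status -ne 'Stopped') {
        throw 'winmgmt did not stop; repository left untouched'
    }

    Rename-Item -Path $repo -NewName (Split-Path $saved -Leaf)
    net start winmgmt | Out-Null
    # Bring Security Center back so it re-reads the (now empty) product list.
    net start wscsvc | Out-Null
    return $saved
}

function Restore-WmiRepository {
    # Put the original Repository folder back if the rebuild made things worse.
    param([string]$Saved)
    if (-not (Test-Path $Saved)) { throw "saved repository $Saved not found" }
    $repo = Join-Path (Split-Path $Saved -Parent) 'Repository'
    net stop winmgmt /y | Out-Null
    Remove-Item -Path $repo -Recurse -Force
    Rename-Item -Path $Saved -NewName 'Repository'
    net start winmgmt | Out-Null
    net start wscsvc | Out-Null
}

# Usage (elevated prompt):
#   Get-SecurityCenterProducts | Format-Table -AutoSize   # what Security Center sees now
#   $saved = Reset-WmiRepository                          # then reboot, per the update above
#   Get-SecurityCenterProducts | Format-Table -AutoSize   # empty until products re-register
#   Restore-WmiRepository -Saved $saved                   # undo, if the rebuild did not help
```

Run the query before the reset and keep the output: it is the only record of what was registered. The rebuilt repository contains only what Windows itself recreates, so third-party products that registered themselves at install time (AVG, Norton, a firewall) will be absent until they register again, which is why a product can vanish from Security Center after the rebuild even though it is still installed.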
Just Don't Ask Why...
I still can't say whether the issue lies in how AVG reported its information to the WMI repository or in the Windows XP/Vista WMI update process. It is an interesting, if rare, observation and apparently a (limited) issue carried over from XP.
Even though I didn't have the issue, I tried it on my Virtual PC Vista RC1 image. After it completed, I couldn't get Security Center to fully display all the items I expected to see (AVG Free).
I did a reboot and everything was back and displaying normally again. So while I can't say for myself that it fixes the issue, I didn't tank my (virtual) Vista system either.
Dwight tried the tips and it cleared the AVG Free error, but also cleared the reported presence of his installed firewall and Norton's anti-virus applications.
That makes sense: a rebuilt repository contains only what Windows itself recreates, so third-party products that registered themselves at install time have to register again. It's a two steps forward, one step back thing, I suppose. Tech troubleshooting is like that sometimes....
One Final Suggestion
I proposed uninstalling the programs (since they were still correctly listed in Add/Remove Programs) and reinstalling them, which might let them correctly (re)report their presence to Windows Security Center via WMI. A repair install (if the application's installer supports one) might also do the trick.
Dwight had bigger rats to kill than this, so he put the original Repository folder back (see, I told you that backup might be useful) and went on with life...but another commenter on the post who had a similar problem tried that, and it fixed things up.
So if you've come this far, and it still isn't looking right, give that suggestion a whirl.
That should tidy things up for good.