The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer

4

1

We have a client machine secon (XP-Pro, SP3) and a server machine servlet. When upgrading Norton Antivirus from 11.4 to RU6, one of our applications named 'LeaftradeLauncher' did not start anymore. When I checked secon's application syslogs, these are some entries I found:

"The description for Event ID ( 0 ) in Source ( Leaftrade Alerts ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: LeaftradeLauncher::Tem.InitClient sucessful. Initialized with server:servlet"

When I Googled it, I found some sites mentioning that we need to check in services.msc to see whether services are disabled or not. Some sites mentioned that either the DLL file responsible for generating the event for this application is damaged, or the account you are using doesn't have the rights to load the DLLs.

This mostly happens with 3rd party applications where it was installed with a user account and the service account doesn't get permission to pull the info about the required DLLs like that.

peter

Posted 2011-07-08T10:22:14.227

Reputation: 179

When I open my antivirus-> Change settings-> Centralized Exceptions, what should I do here? – peter – 2011-07-08T12:38:32.283

Hi KCotreau, if I add SSRoam.wav to my antivirus-> Change settings-> Centralized Exceptions->SecurityRiskException->File and rename it with some other name, will that be sufficient? – peter – 2011-07-08T12:51:50.727

@KCotreau, one more question: why do we need to do this for SSRoam.wav? Is it spam or something harmful? – peter – 2011-07-08T13:18:54.010

Please don't cross-post on multiple sites, and if you need to clarify your question, [edit] it instead of asking a new one with more info. – nhinkle – 2011-07-08T17:13:47.273

Answers

1

Repairing AV fixed the problem.

peter

Posted 2011-07-08T10:22:14.227

Reputation: 179

2

It clearly misidentified the file C:\WINDOWS\Media\SSRoam.wav as viral (or maybe not even). I would go into the exceptions list, and add that file as an exception, and replace it with a known-good version.

KCotreau

Posted 2011-07-08T10:22:14.227

Reputation: 24 985

Can you make it clear? – peter – 2011-07-08T12:19:32.503

Where can we see the exception list, and how do we replace it with a known-good version? – peter – 2011-07-08T12:23:02.563

This is similar to yours, but not sure it is the same, but open your AV, and look for "Change Settings", and possibly "Centralized Exceptions" (you are going to need to use common sense here, and maybe click on a few things to find it, but you need to find where to add files that the AV will not scan, "Exceptions"). Add that file to the exceptions list so it will not be scanned and deleted again. Get the file from another computer somewhere, or replace it with any wave file you rename SSRoam.wav. – KCotreau – 2011-07-08T12:23:45.230

Do you mean the security risk exception or the proactive threat scan exception is where I need to add C:\WINDOWS\Media\SSRoam.wav? And one more thing: I need to know how to replace it with a known-good version. – peter – 2011-07-08T12:27:44.057

You just copy a file that is known-good to that same location. Either you get it from another computer or maybe repairing your AV will replace it since it looks to be part of your AV install. – KCotreau – 2011-07-08T12:32:02.680

KCotreau, if I add SSRoam.wav to my antivirus-> Change settings-> Centralized Exceptions->SecurityRiskException->File and rename it with some other name, will that be sufficient? – peter – 2011-07-08T12:50:49.370

@Peter The application seems to be looking for that specific file, so it must exist, so the only way is to keep it named the same, but add it to the exception list. Are you having the same problem as the questioner? Adding it to the exception list would be enough anyway... no need to rename it. – KCotreau – 2011-07-08T12:55:41.957

The application runs successfully only 10% of the time, so if I add SSRoam.wav without renaming it to CentralizedExceptions->SecurityRiskException->File, will that be sufficient? – peter – 2011-07-08T12:59:09.957

I just want to know whether it is in SecurityRiskException->File or some other exception path. – peter – 2011-07-08T13:00:31.687

@Peter First, add @kcotreau and I will see the messages. Not sure about what you are having problems with. SecurityRiskException->File is where you add the file, which would have an entry of C:\WINDOWS\Media\SSRoam.wav – KCotreau – 2011-07-08T13:03:56.943

@KCotreau let us continue this discussion in chat – peter – 2011-07-08T13:05:37.033

@KCotreau, one more question: why do we need to do this for SSRoam.wav? Is it spam or something harmful? – peter – 2011-07-08T13:20:23.323

2

The Windows event log really doesn't contain event descriptions. It only contains event numbers, and Windows tries to resolve those numbers to descriptions when you view the logs. An application that adds log entries should install a number-to-description translation table.

The error message "The description for Event ID ( 0 ) in Source ( Leaftrade Alerts ) cannot be found." means that Windows either could not find a table for Leaftrade Alerts, or that the table is missing entry 0. It's an error message from Windows itself, so you can get similar error messages for different Sources.

Note however that Windows did manage to catch one part of the event coming from Leaftrade Alerts. The "LeaftradeLauncher::Tem.InitClient sucessful. Initialized with server:servlet" part doesn't come from Windows, but directly from LeaftradeLauncher. So, it seems that LeaftradeLauncher itself thinks that it started successfully.

MSalters

Posted 2011-07-08T10:22:14.227

Reputation: 7 587
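
The lookup described in the answer above can be checked on the machine where the log is viewed. This is an added example, not part of the original answer: the function name is hypothetical, and it assumes PowerShell is installed on the client and that the source is registered in the usual place, under the `EventLog` service key with an `EventMessageFile` value.

```powershell
# Added example: report whether an event source has a registered message DLL
# (the "number-to-description translation table") and whether that file exists.
function Test-EventSourceRegistration {
    param([Parameter(Mandatory = $true)][string]$Source)

    $root  = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'
    $found = $false

    # Each subkey of EventLog is a log (Application, System, ...);
    # each subkey of a log is a registered event source.
    foreach ($log in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $key = "$root\$($log.PSChildName)\$Source"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $found = $true

        $value = (Get-ItemProperty -LiteralPath $key).EventMessageFile
        if (-not $value) {
            New-Object PSObject -Property @{
                Log = $log.PSChildName; MessageFile = $null
                Status = 'Source key exists but has no EventMessageFile value'
            }
            continue
        }

        # EventMessageFile may list several DLLs separated by ';'
        # and may contain environment variables such as %SystemRoot%.
        foreach ($dll in ($value -split ';')) {
            $path   = [Environment]::ExpandEnvironmentVariables($dll.Trim())
            $status = if (Test-Path -LiteralPath $path) { 'Message file present' }
                      else { 'Message file registered but missing on disk' }
            New-Object PSObject -Property @{
                Log = $log.PSChildName; MessageFile = $path; Status = $status
            }
        }
    }

    if (-not $found) {
        New-Object PSObject -Property @{
            Log = $null; MessageFile = $null
            Status = "Source '$Source' is not registered under any log"
        }
    }
}

# Source name taken from the event quoted in the question.
Test-EventSourceRegistration -Source 'Leaftrade Alerts' | Format-List
```

A result of "Message file present" only shows that the table exists; the same error still appears if that file has no entry for the event ID being logged (0 in this case).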

2

Based on the version you list you have Symantec Endpoint Protection 11.0.6300 and not Norton. Is that correct? Is the system running a management server (SEPM)? Do you use application and device control? If managed, are there event log entries on the SEPM that can shed more light on this? Or log entries in the Symantec Client itself?

Dave M

Posted 2011-07-08T10:22:14.227

Reputation: 12 811