Tales from the Crypto

Alun Jones (Security MVP Reconnect) writes about security, cryptography, SSL, PKI, and pretty much anything else that bothers him enough.

September 22, 2013

Security-SPP errors in the event log. EVERY. THIRTY. SECONDS.

Filed under: General Security,Windows 8 @ 9:04 pm

I admit that it’s a little strange to look at your event log fairly often, but I occasionally find interesting behaviour there, and certainly whenever I encounter an unexpected error, that’s where I look first.

Why?

Because that’s actually where developers put information relating to problems you’re experiencing.

So, when I tried to install Windows 8.1 and was told that I would be able to keep “Nothing” – no apps, no settings, etc – I assumed there would be an error in the log.

But all I saw was this:

[Screenshot: the Application event log entries]

So, yes, that’s an error with:

Source: Security-SPP
Event ID: 16385
Error Code: 0x80041316

This goes back to September 2, but only because the Application log that it’s in has already run out of room and ‘rolled over’ with too many entries. Presumably, then, the occurrence that caused this was prior to that.

Searching online, I find that there are some others who have experienced the same thing, the most recent in January 2013, and who posted about this error to the TechNet forums.

A Microsoft representative had answered indicating that the cause could be (of all strange things) a partition with no name. Odd. Then they suggested Refreshing or Reinstalling the PC.

I’m not reinstalling unless there’s something hugely wrong, and the refresh didn’t help at all.

So, on to tracing the cause of the problem.

“Schedule” suggests it might be a Task Scheduler issue, and sure enough, when I open up the Task Scheduler (it’s under the Administrative Tools in the Control Panel, so making it very hard to find in Windows 8), I get the following error:

[Screenshot: the Task Scheduler error dialog]

Or for the search engines to find, title: “Task Scheduler”, text: “Task SvcRestartTask: The task XML contains an unexpected node.”

It’s a matter of fairly simple searching (as an Administrator, naturally) to find this file “SvcRestartTask” under C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform.

So I moved this file to a document SvcRestartTask.xml in a different folder.

Time to edit it.

Among other lines in the file, these stood out:

    <RestartOnFailure>
      <Priority>3</Priority>
      <Priority>PT1M</Priority>
    </RestartOnFailure>

Odd – two values for Priority, one numeric, one text. So I went hunting in a file from a system that didn’t have that problem. I found these lines in the same place:

    <Priority>7</Priority>
    <RestartOnFailure>
      <Interval>PT1M</Interval>
      <Count>3</Count>
    </RestartOnFailure>

So, clearly something had written to the SvcRestartTask file with incorrect names for these elements. Changing them around in my XML version of the file, I reopened the Task Scheduler UI, navigated down to Microsoft / Windows / SoftwareProtectionPlatform, and imported the XML file there. [This is under “Actions”, but you can also right-click the folder SoftwareProtectionPlatform and select “Import”, then “Refresh”]

Sadly, this wasn’t quite the end of things, because the Task Scheduler UI fails to talk to the Task Scheduler service. Nor can I restart the Task Scheduler service directly.

So a restart will take care of that, and sure enough, now that I’ve restarted, I see no more of these 16385 errors from Security-SPP.
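As an added example (not code from the original post), the following PowerShell checks a task definition for the malformation described above: children of `<RestartOnFailure>` other than `<Interval>` and `<Count>`. The function name `Test-RestartOnFailure` is hypothetical, the expected children are taken from the working file quoted in the post, and the two sample documents are constructed, reduced to the elements the post shows.

```powershell
$ns = 'http://schemas.microsoft.com/windows/2004/02/mit/task'   # Task Scheduler XML namespace

function Test-RestartOnFailure {
    param([Parameter(Mandatory = $true)][string]$Xml)
    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($Xml)
    $mgr = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $mgr.AddNamespace('t', $ns)
    foreach ($rof in $doc.SelectNodes('//t:RestartOnFailure', $mgr)) {
        # Element children only; whitespace and comments are ignored.
        $names = @($rof.ChildNodes |
            Where-Object { $_.NodeType -eq [System.Xml.XmlNodeType]::Element } |
            ForEach-Object { $_.LocalName })
        # Any child other than Interval or Count does not belong here.
        $names | Where-Object { $_ -notin 'Interval', 'Count' } | Select-Object -Unique |
            ForEach-Object { "unexpected <$_> inside <RestartOnFailure>" }
        # Both expected children must be present exactly once.
        foreach ($required in 'Interval', 'Count') {
            $hits = @($names | Where-Object { $_ -eq $required }).Count
            if ($hits -ne 1) { "<$required> appears $hits time(s), expected 1" }
        }
    }
}

# Constructed samples: the broken and the working fragment from the post.
$broken = @"
<Task xmlns="$ns"><Settings>
  <RestartOnFailure><Priority>3</Priority><Priority>PT1M</Priority></RestartOnFailure>
</Settings></Task>
"@
$fixed = @"
<Task xmlns="$ns"><Settings>
  <Priority>7</Priority>
  <RestartOnFailure><Interval>PT1M</Interval><Count>3</Count></RestartOnFailure>
</Settings></Task>
"@

foreach ($name in 'broken', 'fixed') {
    $problems = @(Test-RestartOnFailure -Xml (Get-Variable $name -ValueOnly))
    if ($problems.Count) {
        $problems | ForEach-Object { "${name}: $_" }
    } else {
        "${name}: RestartOnFailure looks well-formed"
    }
}
```

To check real task definitions, run it from an elevated prompt and pass the content of each file under C:\Windows\System32\Tasks (read with `Get-Content -Raw`) as `-Xml`.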

It’s just a shame it took so long to get this answer, and that the Microsoft-supplied answer in the forums is incomplete.

Oh, and of course, one last thing – what does SPP (Software Protection Platform) actually do?

Since this is an element of the Windows Genuine Advantage initiative, with the goal of preventing use of pirated copies of Windows, you might consider you don’t really need / want it around. Either way, you definitely don’t want it clearing your Application event log out every three weeks!

10 Comments

  1.   HiTechHiTouch — September 23, 2013 @ 3:10 am

    The MS rep saw “WGA problem” and probably started going down the path “this poor legit user has been smacked by one of our too clever/not completely thought out validations”. A blank HD label can be a problem in some circumstances, but it happens way further along the validation than the basic problem of getting WGA aka SPP running to do the periodic re-validation.

    And why they have to restart their failure every 30 seconds confounds me. In fact, I’d expect that task manager would have a sliding scale of retries to stop this 30 second loop.

    Off topic, I’m wondering if/when MS will shut down the XP license validation servers, and what will happen to any installs after that time…

  2.   Second_Fry — October 12, 2013 @ 10:19 am

    Thank you so much!

  3.   Ian Brown — June 14, 2014 @ 10:25 am

    Many thanks!

    Whilst troubleshooting a USB Drive problem I visited the event log and came across the same issue.

  4.   vibhor sehgal — December 3, 2014 @ 11:39 am

    Kindly help in resolving the following similar issue with a different error code:

    event 16385 security-spp
    error code: 0x80041318

  5.   Claude Bitner — August 11, 2015 @ 8:21 pm

    When I try to import a modified version of the .XML file, I get the error: “The format of the task is not valid. The following error was reported: (1,2):::ERROR:one root element.”
    Maybe I’m doing it wrong. I’m copying the SvcRestartTask file to another folder, renaming it with a .XML extension, and changing the lines to read:

    PT1M
    3

    (I get the same error just trying to re-import an unaltered copy of the .XML file.)

    •   Claude Bitner — August 11, 2015 @ 8:25 pm

      That should have read:

          <RestartOnFailure>
            <Interval>PT1M</Interval>
            <Count>3</Count>
          </RestartOnFailure>

  6.   XweAponX — September 25, 2015 @ 11:14 am

    Yep! I had the exact same issue, constant errors in my event log. I opened the task on my PC and the file was the same as yours. I copied the code:

    [code]7

    PT1M
    3
    [/code]

    Back into the SvcRestartTask.xml I had copied to my desktop, deleted the one that was there, and I used Task Scheduler to re-import the fixed copy.

    After I rebooted, my Event Viewer/Applications no longer is logging errors for this every 30 seconds or so.

    I have the same issue with this, for AirPrint on one of my other systems, I suppose the solution is similar? I’ll have to find the original AirPrint task, I thought I had created it myself, so I must have done something wrong in the process. But this article is pointing me in the right direction, many, many thanks!

    •   XweAponX — September 25, 2015 @ 11:16 am

      Sorry, the code tags didn’t work, basically I planted your code into right before RestartOnFailure. My Bad. But thanks again!

  7.   TMathews — October 28, 2015 @ 7:14 am

    Very clear outline and investigation thanks. The same error was affecting our Windows Server 2012 – I have handed it over to the techs to mend – it’s their mess. Thanks

  8.   Garrett — January 20, 2017 @ 9:26 am

    Thanks for this. I started testing out a few syslog servers and this was driving me crazy.
