New KB: System Center Operations Manager 2007 R2 CU3 & CU4 may cause non-SCOM 2007 services to restart

Just an FYI on another new System Center Operations Manager 2007 Knowledge Base article we published this morning:

=====

Summary

When a System Center Operations Manager 2007 R2 (SCOM) agent is updated to Cumulative Update 3 (CU3) or Cumulative Update 4 (CU4), non-SCOM services may be restarted or a reboot may be requested. The non-SCOM services can be related to other products like SQL Server, Exchange, Windows, SharePoint, etc.

The service restarts may happen on Windows Server 2008, Windows Vista and newer operating systems, while the reboot requests may happen on Windows Server 2003 and older operating systems.

Causes

A shared code library for logging events has leaked a reference to the dynamic library EventCommon.dll since SCOM 2007 R2 RTM. EventCommon.dll was first updated in CU3 which is why the service restarts started occurring with that CU. We fixed an install bug in CU4 which we believed would correct the problem, but found after CU4 released that there was another bug (the handle leak) which also caused non-SCOM services to restart. The performance counter extension MOMConnectorPerformance.dll uses the class library with the leak. When a process does a snapshot or enumeration of performance counters on a system, MOMConnectorPerformance.dll will be loaded into the process doing the snapshot. The library used by MOMConnectorPerformance.dll will load EventCommon.dll. After doing a performance counter snapshot Windows will automatically unload MOMConnectorPerformance.dll. Due to the leak, EventCommon.dll is not unloaded and left behind in the process.

While the leak can occur on any version of Windows, the service restart issue only affects Windows Server 2008 and Windows Server 2008 R2. Windows Server 2008 added a feature called Restart Manager, which automatically restarts dependent processes when a file those processes depend on is replaced during an update. Windows Server 2003 may request a reboot after installing the patch.

Resolutions
  1. Plan agent updates for a time when possible service restarts will not impact service level agreements.

  2. Update Management Servers and databases with the cumulative update, but wait until CU5 to update the agents. CU5 will fix the underlying leak. However, since the update is being applied to a system which may have already leaked the reference to EventCommon.dll, installing CU5 may exhibit a reboot request, as we have disabled the interaction with Restart Manager. Once a system has been updated to CU5, future updates will not cause a reboot request.

  3. You can determine whether a particular computer might be affected by running the following command at the command prompt or in PowerShell and looking for processes besides HealthService.exe & MonitoringHost.exe (specifically WmiPrvSE.exe):
    tasklist /m EventCommon.dll
    For instance, if you have explored the SCOM performance counters via PerfMon, you may find WmiPrvSE.exe (Windows Management Instrumentation service) in the list of tasks that are currently using EventCommon.dll.
    To determine which services will be restarted if the Windows Management Instrumentation (WMI) service is restarted, run the following command in PowerShell:

    (get-service winmgmt).dependentServices
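
The two checks in step 3 can be combined into one pre-update report. The script below is an added example and is not part of the KB article: it lists every process other than the SCOM agent's own that has EventCommon.dll loaded, the services hosted in that process, and the running services that depend on them. It assumes an elevated PowerShell session on the agent computer, and the variable names and the mapping of WmiPrvSE.exe to the winmgmt service (following the article's example) are this example's own choices.

```powershell
# Added example (not from the KB): report non-SCOM processes holding EventCommon.dll
# and the services that would be affected if those processes are restarted.
$module   = 'EventCommon.dll'
$expected = 'HealthService', 'MonitoringHost'   # SCOM agent processes named in the article

# Same information as "tasklist /m EventCommon.dll", as objects.
$holders = @(Get-Process | Where-Object {
    $p = $_
    try   { @($p.Modules | Where-Object { $_.ModuleName -eq $module }).Count -gt 0 }
    catch { $false }                            # access denied or process already exited
} | Where-Object { $expected -notcontains $_.ProcessName })

if ($holders.Count -eq 0) {
    "No process other than the SCOM agent has $module loaded."
}
else {
    # Map process IDs to the services they host.
    $running = @(Get-WmiObject -Class Win32_Service -Filter "State='Running'")

    foreach ($proc in $holders) {
        $hosted = @($running | Where-Object { $_.ProcessId -eq $proc.Id } |
                    ForEach-Object { $_.Name })

        # WmiPrvSE.exe hosts WMI providers and is not itself a service; the article
        # treats it as the Windows Management Instrumentation service (winmgmt).
        if ($proc.ProcessName -eq 'WmiPrvSE' -and $hosted -notcontains 'winmgmt') {
            $hosted += 'winmgmt'
        }

        if ($hosted.Count -eq 0) {
            New-Object PSObject -Property @{
                Process = $proc.ProcessName; PID = $proc.Id
                Service = '(none)'; RunningDependents = ''
            }
            continue
        }

        foreach ($name in $hosted) {
            # Same query as "(get-service winmgmt).dependentServices", limited to running services.
            $deps = @((Get-Service -Name $name).DependentServices |
                      Where-Object { $_.Status -eq 'Running' } |
                      ForEach-Object { $_.Name })
            New-Object PSObject -Property @{
                Process = $proc.ProcessName; PID = $proc.Id
                Service = $name; RunningDependents = ($deps -join ', ')
            }
        }
    }
}
```

An empty result means only HealthService.exe and MonitoringHost.exe hold the DLL; any other row names a process, and the services behind it, to account for when scheduling the agent update.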

=====

The information above was published today in the following Microsoft Knowledge Base article written by Chris Harris:

KB2526113 - System Center Operations Manager 2007 R2 CU3 & CU4 may cause non-SCOM 2007 services to restart

J.C. Hornbeck | System Center Knowledge Engineer
