Windows XP Sp3, Event 516, mfehdik, SLL-API, memory Leak, crypt32.dll

by butsch 12. October 2011 18:13

Windows XP Sp3, Event 516, mfehdik, SLL-API, memory Leak, crypt32.dll

Memory leak in MFEVTPS.EXE

Recent Microsoft security updates for Windows XP SP3 and Server 2003R2 introduce a memory leak for the VirusScan Enterprise process MFEVTPS.EXE. The leak is actually from a Windows binary, Crypt32.dll, that MFEVTPS.EXE utilizes. A fix for this issue is available from Microsoft. Other security related products may also have such problems.

Event: 516, Crypt32.dll

Product: Mcafee VSE 8.8 on WIndows XP, Server 2003R2

File: WindowsXP-KB959658-x86-DEU.exe

File: WindowsXP-KB959658-x86-ENU.exe

Install silent with: WindowsXP-KB959658-x86-DEU.exe -q -n -z

The Hotfix needs a Reboot you may surpress with Option -Z

66.218: Destination:C:\WINDOWS\system32\crypt32.dll (5.131.2600.5512)
66.218: UpdateSpUpdSvcInf: Source [ProcessesToRunAfterReboot] section is empty; nothing to do.
66.218: IsRebootRequiredForFileQueue: At least one file operation was delayed; reboot is required.
66.218: IsRebootRequiredForFileQueue: c:\windows\system32\crypt32.dll was delayed; reboot is required.
66.218: DoInstallation: A reboot is required to complete the installation of one or more files.
66.218: In Function SetVolatileFlag, line 11741, RegOpenKeyEx failed with error 0x2
66.218: In Function SetVolatileFlag, line 11758, RegOpenKeyEx failed with error 0x2
66.218: UpdateSpUpdSvcInf: Source [ProcessesToRunAfterReboot.RebootNotRequired] section is empty; nothing to do.
66.312: RebootNecessary = 1,WizardInput = 1 , DontReboot = 1, ForceRestart = 0

You have an application that uses the HttpSendRequest function of the WinHTTP API or of the Windows Internet (WinINet) API to send a Secure Sockets Layer (SSL) request. When you run this application in Windows XP Service Pack 3 (SP3) for some time, you may notice that the system performance decreases. This decrease occurs because of a memory leak in the application.

Prozess **\VSTSKMGR.EXE pid (1580) enthält signierten aber nicht vertrauenswürdigen Inhalt. Das Ausführen einer bevorzugten Operation mit einem McAfee-Treiber wurde jedoch zugelassen.

 Version after installing the Hotfix:

Please also read what Mcafee says to the Event:

72. 12.10.2011 14:13 (als Antwort auf: khume)

Re: mfehidk Warnings with VSE8.8 installed

Hi Everyone,

I know a great many of you are looking forward to making the Event 516 "noise" go away.

Unfortunately the Patch 1 release for VSE 8.8 will not give you that. However, we plan to release a hotfix for a specific issue that was identified which is responsible for the "noise".


The VSTSKMGR.exe process is executing code routines that will inevitably result in the Event 516 occurring frequently.

The hotfix will solve this and is expected to be available by the end of October (it will be freely available once it's released).


When the noisy aspect of these events is resolved, what will remain are legitimate Event 516 occurrences. Meaning, the VSE product is warning you that there is 3rd party code inside our process(es) interacting with our kernel level drivers. For these legitimate events, if you know it's not due to malware, and if you wish for those events to cease, then there is a mechanism to allow that.

A comprehensive knowledgebase article is being written to cater to the various scenarios and to better educate our customers on this particular event, including how to fix the noise and how to make them stop altogether. The first step though will be to get the hotfix out that solves the "noise".


The article will be KB71083, but as yet the new and revised content has not been published so it still has old content for now. I'll let you know when it's live.



Deployment | Hotfixes / Updates | Mcafee ENS, EPO, DLP, TIE, ATD, VSE, MSME | WSUS

Comments are closed

Werbung von Drittfirmen (Nicht Butsch Informatik):

Werbung von Drittfirmen via Google Adsense: