Interpret Windows System Health Validator Entries in Log Files

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012

When NPS is configured as a Network Access Protection (NAP) policy server, and one or more health policies are configured with the Windows Security Health Validator (WSHV), NPS logs statement of health responses (SoHRs) in the NPS log file or to a Microsoft® SQL Server™ database, depending on your accounting configuration.

You can use the information in this topic to interpret WSHV entries in NPS accounting logs.

Diagnostic codes

The WSHV entries contain elements that correspond to components that might be installed or enabled on client computers, such as firewalls, antivirus applications, and Windows Automatic Updates.

The WSHV log file entries present the list of elements as diagnostic codes, always in the following order:

  1. Firewall - On/Off

  2. Antivirus - On/Off

  3. Antivirus - Up-to-date status

  4. Antispyware - On/Off

  5. Antispyware - Up-to-date status

  6. Automatic Updates - On/Off

  7. Security Updates - Compliance code

  8. Security Updates - Severity

  9. Security Updates - Legitimate Source (Windows Update, Windows Server Update Services, or Microsoft Update)

For item 9 above, the following codes are the possible values in the log file.

Update source                           Diagnostic code
Windows Update                          0x00004000
Windows Server Update Services (WSUS)   0x00010000
Microsoft Update                        0x00020000

Important

If the configuration allows the receipt of updates from more than one source, the log file entry combines the codes. For example, if both Windows Update and Microsoft Update are legitimate sources, the log file code is 0x00024000.

When each of the other eight elements is evaluated as compliant by NPS, the diagnostic code is 0x0. When an element of the SHV is compliant, the corresponding component on the client computer is either on, as in the case of a firewall application, or it is up-to-date, as in the case of Windows Automatic Updates or signatures for an antispyware application. If the Windows SHV is not configured to enforce any specific element, such as Firewall or Security Updates, log entries for the element are not relevant and should be ignored.

The Security Updates element provides a severity rating. To interpret the severity rating when reviewing the NPS log file, use the following severity levels.

Severity level   Code in NPS log
Unspecified      0x0040
Low              0x0080
Moderate         0x0100
Important        0x0200
Critical         0x0400

Error codes

On the client computer, the NAP agent can receive errors from the Windows System Health Agent, which monitors the components on the client operating system, such as firewalls and antivirus applications. When the NAP agent sends a statement of health (SoH) to NPS, the statement contains information about errors on the client computer.

In turn, NPS records the error in the NPS log file.

The following table lists the error codes that NPS can log, with the symbolic name of each error and its description.

Error code   Description

0xC0FF0001   E_MSSHV_PRODUCT_NOT_ENABLED
             A system health component is not enabled.

0xC0FF0002   E_MSSHAV_PRODUCT_NOT_INSTALLED
             A system health component is not installed.

0xC0FF0003   E_MSSHAV_WSC_SERVICE_DOWN
             The Windows Security Center service is not running.

0xC0FF0004   E_MSSHV_PRODUCT_NOT_UPTODATE
             The signatures for a specific system health component are not up to date.

0x00FF0008   E_MSSHAV_WUA_SERVICE_NOT_STARTED_SINCE_BOOT
             The Windows Server Update Services has not started. An administrator must try to start the service manually.

0xC0FF000C   E_MSSHAV_NO_WUS_SERVER
             The Windows Update Agent on this computer is not configured to synchronize with a Windows Server Update Services server. An administrator must configure the Windows Update Agent service. Click the Try again button after configuration is done for the changes to take effect.

0xC0FF000D   E_MSSHAV_NO_CLIENT_ID
             Windows failed to determine the Windows Server Update Services client ID of this computer.

0xC0FF000E   E_MSSHAV_WUA_SERVICE_DISABLED
             The Windows Update Agent service has been disabled or is not configured to start automatically. An administrator must enable the service.

0xC0FF000F   E_MSSHAV_WUA_COMM_FAILURE
             The periodic scan of this computer for security updates failed. An administrator must ensure that a Windows Server Update Services server is available and that the Windows Update Agent on this computer is configured to synchronize with the server.

0xC0FF0010   E_MSSHAV_UPDATES_INSTALLED_REQUIRE_REBOOT
             Security updates have been installed and require this computer to be restarted. Please close all applications and restart this computer.

0xC0FF0012   E_MSSHV_WUS_SHC_FAILURE
             The NPS server failed to validate the security update status of this computer. An administrator must ensure that a Windows Server Update Services server is available and that the Windows Update Agent on this computer is configured to synchronize with the server.

0xC0FF0014   E_MSSHV_UNKNOWN_CLIENT
             Unknown client.

0xC0FF0017   E_MSSHV_INVALID_SOH
             The Windows Security Health Validator did not process the latest Statement of Health (SoH) because the SoH is not valid.

0xC0FF0018   E_MSSHAV_WSC_SERVICE_NOT_STARTED_SINCE_BOOT
             The Windows Security Center service has not started. An administrator must try to start the service manually.

0xC0FF0047   E_MSSHV_THIRD_PARTY_PRODUCT_NOT_ENABLED
             A third-party system health component is not enabled.

0xC0FF0048   E_MSSHV_THIRD_PARTY_PRODUCT_NOT_UPTODATE
             The signatures for a specific third-party system health component are not up to date.

0xC0FF004EL  E_MSSHAV_BAD_UPDATE_SOURCE_MU
             This computer is not configured to receive security updates from a source approved for this network. An administrator must configure the Windows Update Agent service to receive updates from Microsoft Update.

0xC0FF004FL  E_MSSHAV_BAD_UPDATE_SOURCE_WUMU
             This computer is not configured to receive security updates from a source approved for this network. An administrator must configure the Windows Update Agent service to receive updates from Windows Update or Microsoft Update.

0xC0FF0050L  E_MSSHAV_BAD_UPDATE_SOURCE_MUWSUS
             This computer is not configured to receive security updates from a source approved for this network. An administrator must configure the Windows Update Agent service to receive updates from Windows Server Update Services or Microsoft Update.

0xC0FF0051L  E_MSSHAV_NO_UPDATE_SOURCE
             The Windows Update Agent on this computer is not configured to receive security updates. An administrator must configure the Windows Update Agent service. The NAP agent might have to be restarted for the changes to take effect.

Determining the client operating system

When you review Windows SHV entries in the NPS log file, you can determine whether the client computer is running Windows Vista or Windows XP in one of two ways:

  1. Examine the field OS-Version in the NPS log.

  2. Count the number of diagnostic codes recorded in the log file. If the client computer is running Windows Vista, NPS logs all eight diagnostic codes. If the client computer is running Windows XP, NPS logs only six diagnostic codes because the monitoring of antispyware status is not supported in WSHV for Windows XP.

Example log file entries

The first example log file entry depicts an entry for a client computer running Windows Vista that is not configured to synchronize with a Windows Server Update Services server. The explanatory text next to each diagnostic code (shown in italics in the original) is added to clarify the meaning of the code and does not normally appear in NPS log entries.

First example log file entry

Machine testclient was quarantined.
 OS-Version = 6.0.5495 0.0 x86 Workstation
 Fully-Qualified-Machine-Name = <undetermined>
 Fully-Qualified-User-Name = <undetermined>
 NAS-IP-Address = <not present>
 NAS-IPv6-Address = fe80::e1dc:49f:af27:d0c1
 NAS-Identifier = testserver
 Called-Station-Identifier = <not present>
 Calling-Station-Identifier = <not present>
 Account-Session-Identifier = F1290E5E59241D44A57539224835F0FDC46427E9FBCAC601
 Proxy-Policy-Name = Use Windows authentication for all users
 Policy-Name = Access Denied
 Quarantine-Session-Identifier = {5E0E29F1-2459-441D-A575-39224835F0FD} - 2006-08-28 23:44:32.391Z
 Quarantine-Help-URL = <undetermined>
 Quarantine-System-Health-Result =
Windows Security Health Validator
       NonCompliant
       None
       (0x0-) Firewall is compliant
       (0x0-) Anti Virus is compliant
       (0x0-) Anti Virus signatures are compliant
       (0x0-) Anti Spyware is compliant
       (0x0-) Anti Spyware signatures are compliant
       (0x0-) Automatic Update is compliant
       (0xc0ff000c-The Windows Update Agent on this computer is not configured to synchronize with a Windows Server Update Services server.  An administrator must configure the Windows Update Agent service. Please click the 'try again' button after configuration is done for the changes to take effect.) Diagnostic code for Security Updates from Diagnostic Code table
       (0x40-) Unspecified Severity Level from Severity level table
       (0x00004000-) Legitimate update source is Windows Update

Second example log file entry

The second example log file entry depicts an entry for a client computer running Windows Vista that is configured to use the Windows Security Center for the firewall, antivirus, antispyware, and Automatic Updates. Because Windows Security Center is disabled, as the log file entry shows, the diagnostic codes for the Windows SHV have no meaning and should be ignored.

Machine testclient was quarantined.
 OS-Version = 6.0.5495 0.0 x86 Workstation
 Fully-Qualified-Machine-Name = <undetermined>
 Fully-Qualified-User-Name = <undetermined>
 NAS-IP-Address = <not present>
 NAS-IPv6-Address = fe80::e1dc:49f:af27:d0c1
 NAS-Identifier = testserver
 Called-Station-Identifier = <not present>
 Calling-Station-Identifier = <not present>
 Account-Session-Identifier = 32049473A12646448AB5DCFD9BF69271B0477E2E58CCC601
 Proxy-Policy-Name = Use Windows authentication for all users
 Policy-Name = Access Denied
 Quarantine-Session-Identifier = {73940432-26A1-4446-8AB5-DCFD9BF69271} - 2006-08-30 17:17:33.585Z
 Quarantine-Help-URL = <undetermined>
 Quarantine-System-Health-Result = 
Windows Security Health Validator
NonCompliant
None
(0xc0ff0003-The Windows Security Center service is not running.)
(0x0-)
(0x0-)
(0xc0ff0003-The Windows Security Center service is not running.)
(0x0-)
(0xc0ff0003-The Windows Security Center service is not running.)
(0xc0ff000c-The Windows Update Agent on this computer is not configured to synchronize with a Windows Server Update Services server.  An administrator must configure the Windows Update Agent service. Please click the 'try again' button after configuration is done for the changes to take effect.)
(0x40-)
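The following Python script is an added example, not code from the original article or from NPS itself. It decodes the diagnostic codes of a Quarantine-System-Health-Result block using the element order, the severity table, the update-source codes (including combined codes such as 0x00024000) and a subset of the error-code table above, and it flags the Security Center-down case from the second example. The element names, the function names and the sample block (constructed from the first example entry with the annotations removed) are my own.

```python
import re

# Positional meaning of the nine WSHV diagnostic codes, in the order listed above.
ELEMENTS = ["Firewall", "Antivirus", "Antivirus signatures", "Antispyware",
            "Antispyware signatures", "Automatic Updates", "Security Updates",
            "Security Updates severity", "Security Updates source"]
SEVERITY = {0x0040: "Unspecified", 0x0080: "Low", 0x0100: "Moderate",
            0x0200: "Important", 0x0400: "Critical"}
SOURCES = {0x00004000: "Windows Update", 0x00010000: "WSUS",
           0x00020000: "Microsoft Update"}
# Subset of the error-code table above; add the remaining rows the same way.
ERRORS = {0xC0FF0003: "E_MSSHAV_WSC_SERVICE_DOWN",
          0xC0FF000C: "E_MSSHAV_NO_WUS_SERVER",
          0xC0FF0010: "E_MSSHAV_UPDATES_INSTALLED_REQUIRE_REBOOT"}
CODE_RE = re.compile(r"\((0x[0-9A-Fa-f]+)-")  # "(0xc0ff000c-text)" -> "0xc0ff000c"

def decode_sources(mask):
    """Split a combined source code such as 0x00024000 into its named sources."""
    names = [name for bit, name in SOURCES.items() if mask & bit]
    leftover = mask & ~sum(SOURCES)  # bits outside the three documented sources
    return names + ([f"unknown bits 0x{leftover:08x}"] if leftover else [])

def decode_shv(text):
    """Return [(element, code, meaning)] for one Quarantine-System-Health-Result block."""
    codes = [int(c, 16) for c in CODE_RE.findall(text)]
    decoded = []
    for element, code in zip(ELEMENTS, codes):
        if element == "Security Updates severity":
            meaning = SEVERITY.get(code, f"unknown severity 0x{code:04x}")
        elif element == "Security Updates source":
            meaning = " + ".join(decode_sources(code))
        elif code == 0:
            meaning = "compliant"  # 0x0 means compliant for the first eight elements
        else:
            meaning = ERRORS.get(code, f"unknown error 0x{code:08x}")
        decoded.append((element, code, meaning))
    return decoded

def wsc_codes_ignorable(decoded):
    """True when 0xC0FF0003 (Security Center down) appears: the other element codes then carry no meaning."""
    return any(code == 0xC0FF0003 for _, code, _ in decoded)

# Constructed sample: the SHV block of the first example entry, without the annotations.
SAMPLE = ("Windows Security Health Validator\nNonCompliant\nNone\n" + "(0x0-)\n" * 6
          + "(0xc0ff000c-The Windows Update Agent on this computer is not configured "
          "to synchronize with a Windows Server Update Services server.)\n"
          "(0x40-)\n(0x00004000-)\n")
```

decode_shv(SAMPLE) returns nine tuples; the last three resolve to E_MSSHAV_NO_WUS_SERVER, Unspecified and Windows Update, the same reading the annotations in the first example give.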