Exchange Y2K22 Audit
Exchange Operating System SoftwareFind Exchange Assets Affected by Y2K22
With the start of the new year, a bug in the antivirus engine of Exchange 2019 and 2016 has caused messages to get stuck in a queue. The usage of a 32-bit number in suspected to be the culprit. With the change to 2022 the value was too large for the field causing a crash. When an exchange server is stuck due to this issue, it can be identified thanks to the errors logged:
Error event 5300 with the description “The FIP-FS “Microsoft” Scan Engine failed to load. PID: 23092, Error Code: 0x80004005. Error Description: Can’t convert “2201010001” to long.”
Error event 1106 with the description “The FIP-FS Scan Process failed initialization. Error: 0x80004005. Error Details: Unspecified error.”
You can read more about the Y2K22 bug in our Exchange Y2K22 blog post.
Exchange Y2K22 Audit Query
Select Top 1000000 tblAssets.AssetID, tblAssets.AssetName, tblAssets.Domain, tblAssets.Username, tblAssets.Userdomain, Coalesce(tsysOS.Image, tsysAssetTypes.AssetTypeIcon10) As icon, tblAssets.IPAddress, tsysIPLocations.IPLocation, tblAssetCustom.Manufacturer, tblAssetCustom.Model, tsysOS.OSname As OS, Count(tblNtlog.EventlogID) As [Times scanned], tblNtlog.Eventcode, tblNtlogSource.Sourcename, tblNtlogMessage.Message, Case When tblErrors.ErrorText Is Not Null Or tblErrors.ErrorText != '' Then 'Scanning Error: ' + tsysasseterrortypes.ErrorMsg Else '' End As ScanningErrors, tblAssets.Lastseen, tblAssets.Lasttried From tblAssets Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype Inner Join tsysIPLocations On tsysIPLocations.LocationID = tblAssets.LocationID Inner Join tblNtlog On tblAssets.AssetID = tblNtlog.AssetID Inner Join tblNtlogMessage On tblNtlogMessage.MessageID = tblNtlog.MessageID Inner Join tblNtlogSource On tblNtlogSource.SourcenameID = tblNtlog.SourcenameID Inner Join tblState On tblState.State = tblAssetCustom.State Left Join tsysOS On tsysOS.OScode = tblAssets.OScode Left Join (Select Distinct Top 1000000 tblErrors.AssetID As ID, Max(tblErrors.Teller) As ErrorID From tblErrors Group By tblErrors.AssetID) As ScanningError On tblAssets.AssetID = ScanningError.ID Left Join tblErrors On ScanningError.ErrorID = tblErrors.Teller Left Join tsysasseterrortypes On tsysasseterrortypes.Errortype = tblErrors.ErrorType Where (tsysOS.OSname In ('Win 2019', 'Win 2016') And tblNtlog.Eventcode = 1106 And tblNtlogMessage.Message Like '%The FIP-FS Scan Process failed initialization. Error: 0x80004005. Error Details: Unspecified error%' And tblAssetCustom.State = 1) Or (tsysOS.OSname In ('Win 2019', 'Win 2016') And tblNtlog.Eventcode = 5300 And tblNtlogMessage.Message Like '%The FIP-FS "Microsoft" Scan Engine failed to load. PID: 23092, Error Code: 0x80004005. Error Description: Can''t convert "2201010001" to long%' And tblAssetCustom.State = 1) Group By tblAssets.AssetID, tblAssets.AssetName, tblAssets.Domain, tblAssets.Username, tblAssets.Userdomain, tsysOS.Image, tsysAssetTypes.AssetTypeIcon10, tblAssets.IPAddress, tsysIPLocations.IPLocation, tblAssetCustom.Manufacturer, tblAssetCustom.Model, tsysOS.OSname, tblNtlog.Eventcode, tblNtlogSource.Sourcename, tblNtlogMessage.Message, tblErrors.ErrorText, tsysasseterrortypes.ErrorMsg, tblAssets.Lastseen, tblAssets.Lasttried Order By tblAssets.Domain, tblAssets.AssetName