Exchange Y2K22 Audit

Find Exchange Assets Affected by Y2K22

With the start of the new year, a bug in the antivirus engine of Exchange 2019 and 2016 has caused messages to get stuck in a queue. The use of a 32-bit number is suspected to be the culprit: with the change to 2022, the value became too large for the field, causing a crash. When an Exchange server is stuck due to this issue, it can be identified by the errors it logs:

Error event 5300 with the description "The FIP-FS "Microsoft" Scan Engine failed to load. PID: 23092, Error Code: 0x80004005. Error Description: Can't convert "2201010001" to long."
Error event 1106 with the description "The FIP-FS Scan Process failed initialization. Error: 0x80004005. Error Details: Unspecified error."

You can read more about the Y2K22 bug in our Exchange Y2K22 blog post.
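
As an added example (not Lansweeper's code), the Python below applies the two event signatures above to constructed log records and checks the rejected value against the signed 32-bit maximum. The PID is matched as any number because it is a process ID that differs between servers; the host names, the second PID and the function names are assumptions.

```python
import re

INT32_MAX = 2**31 - 1  # 2147483647: largest value a signed 32-bit long can hold

# Event 5300. The PID differs per server and restart, so it is matched as \d+.
RE_5300 = re.compile(
    r'The FIP-FS "Microsoft" Scan Engine failed to load\. PID: (?P<pid>\d+), '
    r"Error Code: 0x80004005\. Error Description: Can't convert "
    r'"(?P<value>\d+)" to long'
)
# Event 1106, the generic failure logged alongside 5300.
RE_1106 = re.compile(r"The FIP-FS Scan Process failed initialization\. Error: 0x80004005\.")

def classify(event_id, message):
    """Return a dict describing a Y2K22 hit, or None if the event is unrelated."""
    if event_id == 5300:
        m = RE_5300.search(message)
        if m:
            value = int(m.group("value"))
            return {"event": 5300, "pid": int(m.group("pid")),
                    "value": value, "overflows_int32": value > INT32_MAX}
    elif event_id == 1106 and RE_1106.search(message):
        return {"event": 1106, "pid": None, "value": None, "overflows_int32": None}
    return None

def affected_hosts(records):
    """records: iterable of (host, event_id, message). Returns {host: {event IDs}}."""
    hits = {}
    for host, event_id, message in records:
        if classify(event_id, message):
            hits.setdefault(host, set()).add(event_id)
    return hits

# Constructed sample records: host names and the PID 4120 are made up.
MSG_5300 = ('The FIP-FS "Microsoft" Scan Engine failed to load. PID: {pid}, Error Code: '
            '0x80004005. Error Description: Can\'t convert "2201010001" to long.')
MSG_1106 = ("The FIP-FS Scan Process failed initialization. Error: 0x80004005. "
            "Error Details: Unspecified error.")
SAMPLE = [
    ("EXCH01", 5300, MSG_5300.format(pid=23092)),
    ("EXCH01", 1106, MSG_1106),
    ("EXCH02", 5300, MSG_5300.format(pid=4120)),
    ("FILE01", 1106, "Unrelated message that reuses event ID 1106."),
]

if __name__ == "__main__":
    for host, ids in sorted(affected_hosts(SAMPLE).items()):
        print(host, sorted(ids))
```

Matching on event ID alone would flag FILE01; requiring the FIP-FS message text keeps it out of the result.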

Exchange Y2K22 Audit Query

Select Top 1000000 tblAssets.AssetID,
tblAssets.AssetName,
tblAssets.Domain,
tblAssets.Username,
tblAssets.Userdomain,
Coalesce(tsysOS.Image, tsysAssetTypes.AssetTypeIcon10) As icon,
tblAssets.IPAddress,
tsysIPLocations.IPLocation,
tblAssetCustom.Manufacturer,
tblAssetCustom.Model,
tsysOS.OSname As OS,
Count(tblNtlog.EventlogID) As [Times scanned],
tblNtlog.Eventcode,
tblNtlogSource.Sourcename,
tblNtlogMessage.Message,
Case
When tblErrors.ErrorText Is Not Null And
tblErrors.ErrorText != '' Then
'Scanning Error: ' + tsysasseterrortypes.ErrorMsg
Else ''
End As ScanningErrors,
tblAssets.Lastseen,
tblAssets.Lasttried
From tblAssets
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
Inner Join tsysIPLocations On tsysIPLocations.LocationID =
tblAssets.LocationID
Inner Join tblNtlog On tblAssets.AssetID = tblNtlog.AssetID
Inner Join tblNtlogMessage On tblNtlogMessage.MessageID = tblNtlog.MessageID
Inner Join tblNtlogSource On tblNtlogSource.SourcenameID =
tblNtlog.SourcenameID
Inner Join tblState On tblState.State = tblAssetCustom.State
Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
Left Join (Select Distinct Top 1000000 tblErrors.AssetID As ID,
Max(tblErrors.Teller) As ErrorID
From tblErrors
Group By tblErrors.AssetID) As ScanningError On tblAssets.AssetID =
ScanningError.ID
Left Join tblErrors On ScanningError.ErrorID = tblErrors.Teller
Left Join tsysasseterrortypes On tsysasseterrortypes.Errortype =
tblErrors.ErrorType
Where (tsysOS.OSname In ('Win 2019', 'Win 2016') And tblNtlog.Eventcode = 1106
And
tblNtlogMessage.Message Like
'%The FIP-FS Scan Process failed initialization. Error: 0x80004005. Error Details: Unspecified error%' And tblAssetCustom.State = 1) Or
(tsysOS.OSname In ('Win 2019', 'Win 2016') And tblNtlog.Eventcode = 5300 And
tblNtlogMessage.Message Like
'%The FIP-FS "Microsoft" Scan Engine failed to load. PID: %, Error Code: 0x80004005. Error Description: Can''t convert "2201010001" to long%' And tblAssetCustom.State = 1)
Group By tblAssets.AssetID,
tblAssets.AssetName,
tblAssets.Domain,
tblAssets.Username,
tblAssets.Userdomain,
tsysOS.Image,
tsysAssetTypes.AssetTypeIcon10,
tblAssets.IPAddress,
tsysIPLocations.IPLocation,
tblAssetCustom.Manufacturer,
tblAssetCustom.Model,
tsysOS.OSname,
tblNtlog.Eventcode,
tblNtlogSource.Sourcename,
tblNtlogMessage.Message,
tblErrors.ErrorText,
tsysasseterrortypes.ErrorMsg,
tblAssets.Lastseen,
tblAssets.Lasttried
Order By tblAssets.Domain,
tblAssets.AssetName
