- What kind of server is this? Terminal server?
- UPDATE: It isn't a virtual machine, is it? If so, are the disks set fully persistent? See 9.
- If you run repair on the MSI in question, does the file come back?
- What happens if you check the file directly with your malware scanner?
- If you shut down the service manually, is the file still there? (just to be sure). Try repeatedly stopping and starting the service a few times.
- Did you verify that the service runs from where you expect after installation? (have to ask)
- Do you install per-machine or per-user?
Debugging
Check the event viewer and the MSI log files:
MSI Logging: Installsite: MSI log "how-to" and / or More MSI logging information.
Event Viewer: Hold down Windows Key, tap R, type eventvwr.msc and press Enter. Go to Windows Logs => Applications. Look for MsiInstaller events. Check the other logs too (Security, System, Configuration).
Deployment Mnemonic: And a "deployment mnemonic" (yellow section) - some heuristics to think about deployment problems.
Some Ideas
Loose Cannon: While we wait for feedback from you, let's fire off a list of suggestions shooting from the hip. Some of these are bad or eliminated as causes, let's just list all to remember the bad ones too:
1) Quarantined malware? (real or false positive, doesn't matter which). The file gets quarantined on every reboot? Upload file(s) to virustotal.com to check binaries that are missing. Do an administrative installation if you need to get hold of the files.
2) Upgrade Problem? (not the cause in this case, but MSI major upgrade can cause this kind of problem - for example when you attempt to downgrade a file to a lower version).
3) System policies? Not really familiar with what policies that could delete files - if any at all. Just mentioning that a lot of policies can affect Windows in general. Check the event logs. Some registry keys are periodically overwritten for example with defined AD settings.
4) Cleanup Scripts? Anything is possible here, but it would be strange to delete a pinpointed executable? Check what runs on boot? Autoruns. Run that tool and have a look at auto-starting binaries - there are a lot on most systems.
5) System Restore? Not relevant here as far as I can tell, but system restore can do VERY strange things such as delete single files from somewhere unexpected out of the blue. Yes, I have seen it (not a fanboyism - I was there - in the fires of mount Doom - it really happened).
6) Recovery hardware? Some computers have hardware devices that restore the system to earlier states on reboot with various options to allow some persistence here and there. No idea how prevailing these are now, but I expect their use for quick malware recovery and stuff like that. Talk to your system administrators?
7) Permissions? Does the package apply ACL permissions to the folder in question? It shouldn't cause this problem, but maybe check it. The service should never be able to start at all if permissioning is wrong.
8) Disk Corruption? An issue that one must always check for.
9) Virtual Machine? One issue that came to mind is whether this server is running as a virtual machine and if so whether the disk setup is one of full persistence? Not sure what is technically possible here at the current day and time.
10) Hidden Icons? One more issue - added in a hurry - some icons can be hidden in the Windows start menu from Windows 8 upwards (I believe, details fuzzy). I suppose this can yield the impression that a product has been uninstalled, when it is just hidden. Almost certainly not relevant for your situation.
Questions
PendingFileRenameOperations: After installation, are there entries in PendingFileRenameOperations? Check BEFORE installation as well.
- Are there pending operations waiting for a reboot?
- Location: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
Rollback: Even more obscure, is rollback disabled for Windows Installer? I can't see how that would cause this problem, but it is possible to do and what it triggers and makes possible I am not sure of.
Bitness Confusion: It is possible that people just think that files are missing, because they are looking in the wrong folder (x86 instead of x64 or vice versa). Not relevant here (then the service would start - unless there is something else wrong), but listed to remember it for other, similar cases.
"Out There": This is C:\Program Files\ right? Not C:\ProgramData\? Are there any mounted disks on the NTFS partition? Any symbolic links? Roaming profiles? Do you install per-machine or per-user?
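
One way to run the PendingFileRenameOperations check from PowerShell, as an added example that is not part of the original answer. `$InstallDir`, the `ExampleVendor` paths and both function names are hypothetical; the value is read as source/destination pairs, where an empty destination means the source file is deleted at the next boot.

```powershell
# Added example. $InstallDir and the ExampleVendor paths are hypothetical placeholders.
$InstallDir = 'C:\Program Files\ExampleVendor'
$KeyPath    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

function ConvertTo-PendingOperation {
    param([string[]]$Entries)
    # The value is a REG_MULTI_SZ read as pairs: source, then destination.
    # An empty (or missing) destination means "delete source at next boot".
    for ($i = 0; $i -lt $Entries.Count; $i += 2) {
        $dst = if ($i + 1 -lt $Entries.Count) { $Entries[$i + 1] } else { '' }
        [pscustomobject]@{
            Action      = if ($dst) { 'Rename' } else { 'Delete' }
            Source      = $Entries[$i]
            Destination = $dst
        }
    }
}

function Select-OperationUnder {
    param([object[]]$Operations, [string]$Folder)
    $pattern = [regex]::Escape($Folder)   # literal, case-insensitive match
    $Operations | Where-Object { $_.Source -match $pattern -or $_.Destination -match $pattern }
}

# Constructed sample in the stored layout (NT path prefix \??\, '!' = replace existing).
$sample = @(
    '\??\C:\Program Files\ExampleVendor\ExampleService.exe', '',
    '\??\C:\Windows\Temp\example.tmp', '!\??\C:\Windows\System32\example.dll'
)
'--- constructed sample ---'
Select-OperationUnder (ConvertTo-PendingOperation $sample) $InstallDir | Format-List

# Live value; it is absent when nothing is pending.
$live = (Get-ItemProperty -Path $KeyPath -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
'--- this machine ---'
if ($live) {
    Select-OperationUnder (ConvertTo-PendingOperation $live) $InstallDir | Format-List
} else {
    'No PendingFileRenameOperations value present.'
}
```

Run it once before and once after the installation and compare the two outputs; a `Delete` entry for the service executable would explain a file that vanishes on reboot.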