
SAMR Queries from specific server (not computer)


Hi,

One of my servers shows multiple SAMR queries in ATA (see attached screenshot).

It's happening at the beginning of each hour, as can be seen (3:13pm, 2:13pm, etc.)

Which process/network activity should I check on the server (if there is no scheduled task)?


Thank you.

5 Replies

A good start would be to capture a Netmon 3.4 trace during the expected time of this traffic, as Netmon is usually able to show you which process generated the traffic.

By any chance, is there any software installed on this machine by Lenovo?

I know about the Lenovo issue with SAMR; do you know which software causes these queries?
& regarding the server - gonna check and get back on this.

So far I've mainly seen it come from Lenovo.
I think they have some kind of messaging app that does it.
But Netmon should provide you with more clues.

I ran into similar activity recently. The SAMR queries were only being seen on servers in Azure, so that was a bit of a clue. Using Message Analyzer and adding the Process Name column from Global Properties quickly found which process was performing that activity.

The culprit was WaAppAgent.exe, which is the Azure VM agent.
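
An added example, not part of the original thread: once a capture has been exported with a process-name column, as the reply above describes, this Python script reports which process sends SAMR traffic at the same minute of consecutive hours. The CSV column names and the sample rows are constructed assumptions, not a real tool's export format.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows. The column names are assumptions for this example;
# rename them to match whatever your capture tool actually exports.
SAMPLE_CSV = """\
Timestamp,ProcessName,Module,Summary
2024-01-10T13:13:02,WaAppAgent.exe,SAMR,SamrConnect5 request
2024-01-10T13:13:02,WaAppAgent.exe,SAMR,SamrEnumerateDomainsInSamServer request
2024-01-10T13:40:11,svchost.exe,DNS,Query
2024-01-10T14:13:03,WaAppAgent.exe,SAMR,SamrConnect5 request
2024-01-10T14:27:45,mmc.exe,SAMR,SamrOpenDomain request
2024-01-10T15:13:01,WaAppAgent.exe,SAMR,SamrConnect5 request
"""

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def samr_bursts(rows):
    """Map process -> {hour bucket: minute of the first SAMR frame in that hour}."""
    bursts = defaultdict(dict)
    for row in rows:
        if row["Module"].upper() != "SAMR":
            continue
        ts = datetime.fromisoformat(row["Timestamp"])
        hour = ts.replace(minute=0, second=0, microsecond=0)
        first = bursts[row["ProcessName"]].get(hour, ts.minute)
        bursts[row["ProcessName"]][hour] = min(first, ts.minute)
    return bursts

def hourly_sources(rows, min_hours=3, jitter=1):
    """Processes with SAMR bursts in >= min_hours consecutive hours at the same minute (+/- jitter)."""
    result = {}
    for proc, hours in samr_bursts(rows).items():
        ordered = sorted(hours.items())
        run = best = 1
        for (h0, m0), (h1, m1) in zip(ordered, ordered[1:]):
            consecutive = h1 - h0 == timedelta(hours=1) and abs(m1 - m0) <= jitter
            run = run + 1 if consecutive else 1
            best = max(best, run)
        if best >= min_hours:
            result[proc] = ordered[-1][1]  # minute past the hour of the latest burst
    return result

if __name__ == "__main__":
    print(hourly_sources(load(SAMPLE_CSV)))
```

A one-off SAMR lookup, such as the constructed `mmc.exe` row, is not reported because it does not recur hour after hour.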

Thank you,

How did you manage to solve it & stop these queries?