SAMR Queries from specific server (not computer)


Hi,

One of my servers shows in ATA multiple SAMR queries (see attached screenshot).

It's happening at the beginning of each hour as can be seen (3:13pm, 2:13pm, etc.)

Which process/network activity should I check in the server (if there is no scheduled task)?


Thank you.

5 Replies

A good start would be to capture a netmon 3.4 trace during the expected time of this traffic, as netmon is usually able to show you which process generated the traffic.

By any chance, is there any software installed on this machine by Lenovo?

I know about the Lenovo issue with SAMR, do you know which software causes these queries?
& regarding the server - gonna check and get back on this.

So far I have mainly seen it come from Lenovo.
I think they have some kind of messaging app that does it.
But netmon should provide you with more clues.


I ran into similar activity recently. The SAMR queries were only being seen on servers in Azure, so that was a bit of a clue. Using Message Analyzer and adding the Process Name column from Global Properties quickly found which process was performing that activity.

The culprit was WaAppAgent.exe which is the Azure VM agent.


Thank you,

How did you manage to solve it & stop these queries?