IT Management Suite


AEXNSAgent.exe attempting to delete files in WINSXS

    Posted Jul 22, 2014 01:32 PM

    Ok...here's the skinny. 

    We're running ITMS 7.1 SP2 MP1...I'm sure what else might be needed for this issue, but feel free to let me know if you need more info.

    The issue we're seeing is laptops/desktops are getting a 0x000000f error (pic added). This happens at random and there doesn't seem to be anything available about it, that I can find. Now...the reason I bring the issue to this forum is due to mounting pressure that Altiris is doing something. 

    What happens is the system will boot and all desktop files are missing. This is accompanied by an error saying the link to the desktop cannot be found. If Windows Explorer is opened, the folder structure is altered and files are missing from Windows\System32. Another reboot may lead you back to the same place with even more data missing, or bring you to the Stop Error listed above. In either case, the Stop Error is unavoidable. 

    When the drive is recovered via a third party program, the log files contain the entries such as:

    <event date='Jul 05 10:38:31' severity='2' hostName='xxxxxxx' source='RemoveDirectoryTree' module='AeXPackageDelivery.dll' process='AeXNSAgent.exe' pid='1460' thread='3908' tickCount='163785' >
      <![CDATA[Cannot delete file: c:\Windows\winsxs\amd64_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7601.18126_none_75cea008bb3e33ca\Memo.emf: Access is denied (5)]]>

    There are hundreds (if not thousands) of these entries in multiple log files. These precede the Stop Error, so it does seem suspicious.

    I've also seen the following in Agent10_1...

    <event date='Jul 03 17:00:27' severity='4' hostName='xxxxxxx' source='SWDAgent' module='smfagent.dll' process='AeXNSAgent.exe' pid='2028' thread='4276' tickCount='191964534' >
      <![CDATA[Deleting inactive package 'copydagent' {2E0F31D3-448C-4E54-898A-FE380F038Dt.exe' pid='1460' thread='3908' tickCount='163972' >
      <![CDATA[Cannot delete file: c:\Windows\winsxs\amd64_microsoft-windows-upnpcontrolpoint_31bf3856ad364e35_6.1.7601.17514_none_90f573b34760bc53\upnp.dll: Access is denied (5)]]>
    </event>
    <event date='Jul 05 10:38:31' severity='2' hostName='xxxxxxx' source='RemoveDirectoryTree' module='AeXPackageDelivery.dll' process='AeXNSAgent.exe' pid='1460' thread='3908' tickCount='163988' >
      <![CDATA[Cannot delete file: c:\Windows\winsxs\amd64_microsoft-windows-upnpdevicehost_31bf3856ad364e35_6.1.7600.16385_none_1ddd261c4e350476\udhisapi.dll: Access is denied (5)]]>
    </event>

    It looks like the agent is trying to remove a package and then the whole string of RemoveDirectoryTree events happen.

    I'm also including a screenshot from procmon on a different computer showing some suspicious events, as well.

    Any and all help is appreciated.

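A triage sketch for logs like the ones quoted above, added here as an example and not part of the original post or of any Symantec tooling: it counts RemoveDirectoryTree delete failures under the Windows directory and ties each to the last "Deleting inactive package" event from the same agent pid. The sample log is constructed (placeholder GUID, shortened directory names), and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the log format quoted in the post. The package GUID is
# a placeholder and the directory names are shortened; pid/thread are made up.
SAMPLE = r"""
<event date='Jul 05 10:38:30' severity='4' hostName='xxxxxxx' source='SWDAgent' module='smfagent.dll' process='AeXNSAgent.exe' pid='1460' thread='3908' tickCount='163700' >
  <![CDATA[Deleting inactive package 'copydagent' {PLACEHOLDER-GUID}]]>
</event>
<event date='Jul 05 10:38:31' severity='2' hostName='xxxxxxx' source='RemoveDirectoryTree' module='AeXPackageDelivery.dll' process='AeXNSAgent.exe' pid='1460' thread='3908' tickCount='163785' >
  <![CDATA[Cannot delete file: c:\Windows\winsxs\example_component_a\Memo.emf: Access is denied (5)]]>
<event date='Jul 05 10:38:31' severity='2' hostName='xxxxxxx' source='RemoveDirectoryTree' module='AeXPackageDelivery.dll' process='AeXNSAgent.exe' pid='1460' thread='3908' tickCount='163972' >
  <![CDATA[Cannot delete file: c:\Windows\winsxs\example_component_b\upnp.dll: Access is denied (5)]]>
</event>
<event date='Jul 05 10:40:02' severity='2' hostName='xxxxxxx' source='RemoveDirectoryTree' module='AeXPackageDelivery.dll' process='AeXNSAgent.exe' pid='1460' thread='3908' tickCount='254000' >
  <![CDATA[Cannot delete file: c:\Temp\pkgcache\old.tmp: Access is denied (5)]]>
</event>
"""

# Regex instead of an XML parser: recovered logs can lack </event> (see above).
EVENT_RE = re.compile(r"<event\s+([^>]*)>\s*<!\[CDATA\[(.*?)\]\]>", re.S)
ATTR_RE = re.compile(r"(\w+)='([^']*)'")
PKG_RE = re.compile(r"Deleting inactive package '([^']*)'")
FAIL_RE = re.compile(r"Cannot delete file: (.+?): .*\(\d+\)\s*$")

def parse_events(text):
    """Yield one dict per <event>: its attributes plus the CDATA message."""
    for attrs, msg in EVENT_RE.findall(text):
        event = dict(ATTR_RE.findall(attrs))
        event["msg"] = msg.strip()
        yield event

def protected_delete_failures(text, protected="c:\\windows\\"):
    """Count failed deletes under `protected`, keyed by (pid, last package cleanup)."""
    last_pkg, hits = {}, Counter()
    for ev in parse_events(text):
        pid = ev.get("pid")
        pkg = PKG_RE.search(ev["msg"])
        fail = FAIL_RE.match(ev["msg"])
        if ev.get("source") == "SWDAgent" and pkg:
            last_pkg[pid] = pkg.group(1)
        elif ev.get("source") == "RemoveDirectoryTree" and fail:
            if fail.group(1).lower().startswith(protected):
                hits[(pid, last_pkg.get(pid, "unknown"))] += 1
    return hits

if __name__ == "__main__":
    for (pid, pkg), n in protected_delete_failures(SAMPLE).items():
        print(f"pid {pid}: {n} failed deletes under Windows dir after cleanup of '{pkg}'")
```

Only failed deletions show up in the quoted entries, so a non-zero count marks a cleanup walk that reached the protected tree, not the full set of files it touched.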