Q329170 (MS02-070), Q327984 and slow logoffs
From: Christopher Hill (chris@CRGS.CO.UK)
Date: Fri, 21 Mar 2003 16:02:36 GMT From: Christopher Hill <chris@CRGS.CO.UK> To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
I have been investigating the apparently widespread problem under Windows
2000 that if you install the Q329170 patch from the MS02-070 security
bulletin, your computer takes a long time to log off (up to 60 seconds
more), and logs an error with event ID 1000 in your Application event log
from 'Userenv', stating 'Windows cannot unload your registry file. If you
have a roaming profile, your settings are not replicated. Contact your
administrator. DETAIL - Access is denied. , Build number ((2195)).'
Relevant articles are here:
Having tested the problem, it seems that it is linked to the problem
described in Q327984:
which is the problem that if you change printer settings and log off, your
user profile is not unloaded. I have confirmed this by using oh.exe
On a computer with Q329170 applied, if you log on as one user, open up the
properties of a printer (I opened up the properties of a network printer
*and* a local one just to be safe), and then log off, then log on as
another user, OH will show that the HKEY_USERS\<user's SID> registry key
is still open by spoolsv.exe, the printer spooler service.
As an aside, it is strange that Q327984 says that the problem 'is caused
by a handle leak in shlwapi32.dll' whereas this patch does not exist on
the Windows 2000 system that I am using... shlwapi.dll does exist but even
this file is not actually updated by the patch mentioned in Q327984 (the
patch is not publicly available).
Uninstalling the Q329170 patch fixes the problem perfectly. This is the
quick workaround for anyone interested! Others have suggested stopping the
spooler service in a logoff script which should work as well.
My theory? If you compare Q327984 and Q329170's list of updated files, all
of the files in Q327984 are also in Q329170, but Q329170's files are later
versions. Q327984 is the earlier article. I reckon that the problem solved
by Q327984 was broken again by Q329170 - or perhaps Q329170 does not
include the patches created by Q327984.
Anyway, it would be really nice if anyone from Microsoft reading this
could put some serious muscle behind it being fixed - because it is REALLY
annoying having to wait 60 seconds every time you log off just because
you've been aware enough to actually apply security patches! 'Trustworthy
Computing' means that you also trust security patches not to break other
parts of your computer's functionality! There is no mention in the KB of
the problem although a quick Google search will show that it is well
known. The security patch should be re-released, or another patch released
that fixes the problem.
Thanks a lot!
Colchester Royal Grammar
This message was sent using Endymion MailMan.
Delivery co-sponsored by TruSecure Corporation
TICSA - Anniversary Special - Limited Time
Become TICSA certified for just $221.25 US when you register before 3/31/03
with PROMO "TS0103" at www.2test.com. NO membership fees, certification
good for 2 years. Price for international delivery just $296.25 US, with
this offer. Offer cannot be combined with any other special and expires
3/31/03. Visit www.trusecure.com/ticsa for full details.