Q329170 (MS02-070), Q327984 and slow logoffs
From: Christopher Hill (chris@CRGS.CO.UK)
Date: 03/21/03
Date: Fri, 21 Mar 2003 16:02:36 GMT From: Christopher Hill <chris@CRGS.CO.UK> To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
I have been investigating the apparently widespread problem under Windows
2000 that if you install the Q329170 patch from the MS02-070 security
bulletin, your computer takes a long time to log off (up to 60 seconds
more), and logs an error with event ID 1000 in your Application event log
from 'Userenv', stating 'Windows cannot unload your registry file. If you
have a roaming profile, your settings are not replicated. Contact your
administrator. DETAIL - Access is denied. , Build number ((2195)).'
Relevant articles are here:
http://support.microsoft.com/?kbid=329170
http://www.microsoft.com/technet/security/bulletin/MS02-070.asp
Having tested the problem, it seems that it is linked to the problem
described in Q327984:
http://support.microsoft.com/?kbid=327984
which is the problem that if you change printer settings and log off, your
user profile is not unloaded. I have confirmed this by using oh.exe
(available here:
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/oh-o.asp).
On a computer with Q329170 applied, if you log on as one user, open up the
properties of a printer (I opened up the properties of a network printer
*and* a local one just to be safe), and then log off, then log on as
another user, OH will show that the HKEY_USERS\<user's SID> registry key
is still open by spoolsv.exe, the printer spooler service.
As an aside, it is strange that Q327984 says that the problem 'is caused
by a handle leak in shlwapi32.dll' whereas this patch does not exist on
the Windows 2000 system that I am using... shlwapi.dll does exist but even
this file is not actually updated by the patch mentioned in Q327984 (the
patch is not publicly available).
Uninstalling the Q329170 patch fixes the problem perfectly. This is the
quick workaround for anyone interested! Others have suggested stopping the
spooler service in a logoff script which should work as well.
My theory? If you compare Q327984 and Q329170's list of updated files, all
of the files in Q327984 are also in Q329170, but Q329170's files are later
versions. Q327984 is the earlier article. I reckon that the problem solved
by Q327984 was broken again by Q329170 - or perhaps Q329170 does not
include the patches created by Q327984.
Anyway, it would be really nice if anyone from Microsoft reading this
could put some serious muscle behind it being fixed - because it is REALLY
annoying having to wait 60 seconds every time you log off just because
you've been aware enough to actually apply security patches! 'Trustworthy
Computing' means that you also trust security patches not to break other
parts of your computer's functionality! There is no mention in the KB of
the problem although a quick Google search will show that it is well
known. The security patch should be re-released, or another patch released
that fixes the problem.
Thanks a lot!
Chris Hill
ICT Technician
Colchester Royal Grammar School
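The check described in the message above (finding which process still holds a logged-off user's HKEY_USERS\<SID> key open), as an added example that is not part of the original post. It assumes a saved handle listing with one handle per line in the order PID, process, type, handle, name; that column layout, the sample lines and the SIDs are constructed for illustration and are not taken from the post or from tool documentation.

```python
import re
from collections import defaultdict

# A user hive appears as \REGISTRY\USER\<SID> (kernel name) or HKEY_USERS\<SID> (Win32 alias).
HIVE_RE = re.compile(
    r"(?:\\REGISTRY\\USER|HKEY_USERS)\\(S-1-5-21(?:-\d+)+)(_Classes)?(?:\\|$)",
    re.IGNORECASE,
)

def parse_line(line):
    """Split one listing line into (pid, process, type, handle, name), or None."""
    parts = line.split(None, 4)
    if len(parts) < 5 or not re.fullmatch(r"[0-9A-Fa-f]+", parts[0]):
        return None  # blank line, header, or a handle with no name
    pid, process, htype, handle, name = parts
    return pid, process, htype, handle, name.strip()

def leaked_profile_handles(listing, logged_on_sids):
    """Map each logged-off user's SID to the processes still holding its hive open."""
    active = {sid.upper() for sid in logged_on_sids}
    leaks = defaultdict(set)
    for line in listing.splitlines():
        rec = parse_line(line)
        if rec is None or rec[2].lower() != "key":
            continue  # only registry key handles matter here
        match = HIVE_RE.match(rec[4])
        if match and match.group(1).upper() not in active:
            # Several handles from one process collapse to a single entry.
            leaks[match.group(1)].add((rec[1].lower(), rec[0]))
    return {sid: sorted(procs) for sid, procs in leaks.items()}

# Constructed sample: user ...-1105 has logged off, user ...-1106 is logged on.
SAMPLE = r"""
00000008 System         Key   0010 \REGISTRY\MACHINE\SYSTEM
000001A4 spoolsv.exe    Key   0134 \REGISTRY\USER\S-1-5-21-1111111111-2222222222-3333333333-1105
000001A4 spoolsv.exe    Key   0138 \REGISTRY\USER\S-1-5-21-1111111111-2222222222-3333333333-1105\Printers
000001A4 spoolsv.exe    File  0140 \Device\NamedPipe\spoolss
00000354 explorer.exe   Key   0088 \REGISTRY\USER\S-1-5-21-1111111111-2222222222-3333333333-1106
"""

if __name__ == "__main__":
    current = {"S-1-5-21-1111111111-2222222222-3333333333-1106"}
    for sid, procs in leaked_profile_handles(SAMPLE, current).items():
        print(sid, "still held open by", procs)
```
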