Re: Q329170 (MS02-070), Q327984 and slow logoffs

From: Sturgeon, Jon (JonS_at_FUTURESOFT.COM)
Date: 06/26/03

  • Next message: Russ: "Alexa Adware in W2K SP4"
    Date:         Thu, 26 Jun 2003 16:31:44 -0500


    According to Q327194 "List of bugs that are fixed in Windows 2000
    Service Pack 4", the problem described by Chris Hill on 3/21/03
    reproduced below is fixed (article Q814770). However, I have had the
    exact same symptoms on my SP3 machine for quite some time now and
    unfortunately the problem still exists after installing SP4.

    Apparently the fix for this bug is in spoolsv.exe, which on my machine
    is now version 5.00.2195.6659. Before I applied SP4, this file was
    version 5.00.2195.4299, so the file has definitely been updated by the
    service pack.

    Can anybody else confirm that this bug has/has not been fixed on their
    machine by SP4? Perhaps there are several issues with the same or
    similar symptoms, some of which SP4 doesn't fix...


    Christopher Hill wrote:
    > I have been investigating the apparently widespread problem under
    > Windows 2000 that if you install the Q329170 patch from the MS02-070
    > security bulletin, your computer takes a long time to log off (up to
    > 60 seconds more), and logs an error with event ID 1000 in your
    > Application event log from 'Userenv', stating 'Windows cannot unload
    > your registry file. If you have a roaming profile, your settings are
    > not replicated. Contact your administrator. DETAIL - Access is
    > denied. , Build number ((2195)).' Relevant articles are here:
    > Having tested the problem, it seems that it is linked to the problem
    > described in Q327984:
    > which is the problem that if you change printer settings and log off,
    > your user profile is not unloaded. I have confirmed this by using
    > oh.exe (available here:
    > o.asp)
    > On a computer with Q329170 applied, if you log on as one user, open
    > up the properties of a printer (I opened up the properties of a
    > network printer *and* a local one just to be safe), and then log off,
    > then log on as another user, OH will show that the HKEY_USERS\<user's
    > SID> registry key
    > is still open by spoolsv.exe, the printer spooler service.
    > As an aside, it is strange that Q327984 says that the problem 'is
    > caused
    > by a handle leak in shlwapi32.dll' whereas this patch does not exist
    > on
    > the Windows 2000 system that I am using... shlwapi.dll does exist but
    > even this file is not actually updated by the patch mentioned in
    > Q327984 (the patch is not publicly available).
    > Uninstalling the Q329170 patch fixes the problem perfectly. This is
    > the quick workaround for anyone interested! Others have suggested
    > stopping the spooler service in a logoff script which should work as
    > well.
    > My theory? If you compare Q327984 and Q329170's list of updated
    > files, all of the files in Q327984 are also in Q329170, but Q329170's
    > files are later versions. Q327984 is the earlier article. I reckon
    > that the problem solved by Q327984 was broken again by Q329170 - or
    > perhaps Q329170 does not include the patches created by Q327984.
    > Anyway, it would be really nice if anyone from Microsoft reading this
    > could put some serious muscle behind it being fixed - because it is
    > REALLY annoying having to wait 60 seconds every time you log off just
    > because you've been aware enough to actually apply security patches!
    > 'Trustworthy Computing' means that you also trust security patches
    > not to break other parts of your computer's functionality! There is
    > no mention in the KB of the problem although a quick Google search
    > will show that it is well
    > known. The security patch should be re-released, or another patch
    > released that fixes the problem.
    > Thanks a lot!
    > Chris Hill
    > ICT Technician
    > Colchester Royal Grammar
    > School

    Are You "Certifiable"? Summer's Hottest Certification Just Got HOTTER!

    With a growth rate exceeding 110%, the TICSA security practitioner
    certification is one of the hottest IT credentials available. And now, for
    a limited time, you can save 33% off of the TICSA certification exam! To
    learn more about the TICSA certification, and to register as a TICSA
    candidate online, just go to


  • Next message: Russ: "Alexa Adware in W2K SP4"

    Relevant Pages

    • Re: Scanners and unpublished vulnerabilities - Full Disclosure
      ... "persuade" vendors to provide their customers with a patch rather than ... silently supply security fixes in a service pack. ... whether I can wait until the next service pack comes out. ... I'd rather see vendors furnishing their customers with the right information ...
    • Outlook and SP3
      ... better for MS to patch their SP3 patch instead of ... I employ as many security features as possible but I also ... installed this Service Pack. ... used Microsoft products for over 23 years, upgraded, ...
    • Patch 22, eh, make that Catch 22
      ... How to patch 30.000 machines. ... "Better way to perform Microsoft security ... Summer's Hottest Certification Just Got HOTTER! ... you can save 33% off of the TICSA certification exam! ...
    • Patch. While we have time.
      ... the patch has been released. ... "As a security person, I get paid to be accurate. ... SecurityFocus HOME Columnists: Waiting for the Worms: ... Summer's Hottest Certification Just Got HOTTER! ...
    • Re: [PATCH][RFC] Light-weight Auditing Framework
      ... > auditing framework that's used in production and already has gotten the ... > wizzbang certification you seem to be aiming at. ... In contrast to Olaf's work, for example, my patch does ... the work that the security module will provide. ...