Re: Q329170 (MS02-070), Q327984 and slow logoffs
From: Sturgeon, Jon (JonS_at_FUTURESOFT.COM)
Date: Thu, 26 Jun 2003 16:31:44 -0500
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

According to Q327194 "List of bugs that are fixed in Windows 2000
Service Pack 4", the problem described by Chris Hill on 3/21/03
reproduced below is fixed (article Q814770). However, I have had the
exact same symptoms on my SP3 machine for quite some time now and
unfortunately the problem still exists after installing SP4.

Apparently the fix for this bug is in spoolsv.exe, which on my machine
is now version 5.00.2195.6659. Before I applied SP4, this file was
version 5.00.2195.4299, so the file has definitely been updated by the

Can anybody else confirm that this bug has/has not been fixed on their
machine by SP4? Perhaps there are several issues with the same or
similar symptoms, some of which SP4 doesn't fix...

Christopher Hill wrote:
> I have been investigating the apparently widespread problem under
> Windows 2000 that if you install the Q329170 patch from the MS02-070
> security bulletin, your computer takes a long time to log off (up to
> 60 seconds more), and logs an error with event ID 1000 in your
> Application event log from 'Userenv', stating 'Windows cannot unload
> your registry file. If you have a roaming profile, your settings are
> not replicated. Contact your administrator. DETAIL - Access is
> denied. , Build number ((2195)).' Relevant articles are here:
>
> Having tested the problem, it seems that it is linked to the problem
> described in Q327984:
>
> which is the problem that if you change printer settings and log off,
> your user profile is not unloaded. I have confirmed this by using
> oh.exe (available here:
>
> On a computer with Q329170 applied, if you log on as one user, open
> up the properties of a printer (I opened up the properties of a
> network printer *and* a local one just to be safe), and then log off,
> then log on as another user, OH will show that the HKEY_USERS\<user's
> SID> registry key is still open by spoolsv.exe, the printer spooler
> service.
>
> As an aside, it is strange that Q327984 says that the problem 'is
> by a handle leak in shlwapi32.dll' whereas this patch does not exist
> the Windows 2000 system that I am using... shlwapi.dll does exist but
> even this file is not actually updated by the patch mentioned in
> Q327984 (the patch is not publicly available).
>
> Uninstalling the Q329170 patch fixes the problem perfectly. This is
> the quick workaround for anyone interested! Others have suggested
> stopping the spooler service in a logoff script which should work as
>
> My theory? If you compare Q327984 and Q329170's list of updated
> files, all of the files in Q327984 are also in Q329170, but Q329170's
> files are later versions. Q327984 is the earlier article. I reckon
> that the problem solved by Q327984 was broken again by Q329170 - or
> perhaps Q329170 does not include the patches created by Q327984.
>
> Anyway, it would be really nice if anyone from Microsoft reading this
> could put some serious muscle behind it being fixed - because it is
> REALLY annoying having to wait 60 seconds every time you log off just
> because you've been aware enough to actually apply security patches!
> 'Trustworthy Computing' means that you also trust security patches
> not to break other parts of your computer's functionality! There is
> no mention in the KB of the problem although a quick Google search
> will show that it is well known. The security patch should be
> re-released, or another patch released that fixes the problem.
>
> Thanks a lot!
>
> Chris Hill
> ICT Technician
> Colchester Royal Grammar
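
The check described in the quoted message (list open handles after a user has logged off and look for that user's HKEY_USERS\<SID> key still held by spoolsv.exe) can be scripted over a saved handle listing. The following is an added example, not part of either post: the one-handle-per-line "process pid type name" layout is an assumption and is not oh.exe's real output format, and the SIDs, PIDs and the caller-supplied set of logged-on SIDs are constructed.

```python
import re
from collections import defaultdict

# Constructed SIDs: 1104 has logged off, 1105 is the user now logged on.
LOGGED_OFF_SID = "S-1-5-21-1111111111-2222222222-3333333333-1104"
LOGGED_ON_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"

# Constructed handle listing in an assumed "process pid type name" layout.
SAMPLE_DUMP = r"""
winlogon.exe 212 Key \REGISTRY\USER\S-1-5-21-1111111111-2222222222-3333333333-1105
spoolsv.exe 456 Key \REGISTRY\USER\S-1-5-21-1111111111-2222222222-3333333333-1104
spoolsv.exe 456 Key \REGISTRY\USER\S-1-5-21-1111111111-2222222222-3333333333-1104\Printers
spoolsv.exe 456 Key \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print
explorer.exe 1320 Key \REGISTRY\USER\S-1-5-21-1111111111-2222222222-3333333333-1105\Software
spoolsv.exe 456 File \Device\NamedPipe\spoolss
services.exe 240 Key \REGISTRY\USER\.DEFAULT
"""

# Matches Key handles on a per-user hive (or its _Classes companion hive),
# written either as the kernel path or as HKEY_USERS / HKU.
HIVE_RE = re.compile(
    r"^(?P<proc>\S+)\s+(?P<pid>\d+)\s+Key\s+"
    r"(?:\\REGISTRY\\USER|HKEY_USERS|HKU)\\"
    r"(?P<sid>S-1-5-21(?:-\d+)+)(?:_Classes)?(?:\\|$)",
    re.IGNORECASE,
)


def stale_hive_handles(dump, logged_on_sids):
    """Return {sid: {(process, pid): handle_count}} for user hives that are
    still open although the SID is not in the set of logged-on SIDs."""
    active = {sid.upper() for sid in logged_on_sids}
    stale = defaultdict(lambda: defaultdict(int))
    for line in dump.splitlines():
        match = HIVE_RE.match(line.strip())
        if not match:
            continue  # not a Key handle on a per-user hive
        sid = match.group("sid").upper()
        if sid in active:
            continue  # hive belongs to a current session, expected to be open
        holder = (match.group("proc").lower(), int(match.group("pid")))
        stale[sid][holder] += 1
    return {sid: dict(holders) for sid, holders in stale.items()}


if __name__ == "__main__":
    for sid, holders in stale_hive_handles(SAMPLE_DUMP, {LOGGED_ON_SID}).items():
        for (proc, pid), count in holders.items():
            print(f"{proc} (pid {pid}) still holds {count} handle(s) on {sid}")
```

Any process reported here is a candidate for the "cannot unload your registry file" event at logoff; on the constructed sample it reports spoolsv.exe holding two handles on the logged-off user's hive.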