Re: Q329170 (MS02-070), Q327984 and slow logoffs
From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: 07/03/03
- Previous message: Secure Net Service(SNS) Security Advisory: "[SNS Advisory No.65] Windows 2000 ShellExecute() API Let Applications to Cause Buffer Overflow"
- Maybe in reply to: Sturgeon, Jon: "Re: Q329170 (MS02-070), Q327984 and slow logoffs"
Date: Thu, 3 Jul 2003 10:54:29 -0400
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
I received the message below from a poster who preferred to not have his email address posted.
I have received 6 other replies to the original post. 2 indicated they had not seen the error messages since applying SP4, the other 4 were all still experiencing the same problems (slow logoffs) and/or the error messages in their event logs despite SP4.
----
I wanted to write to say that I disagree with Mr. Hill's assertion that the SMB signing flaw has anything at all to do with changing printer settings and he is looking at symptoms rather than the technical issue itself. I want to apologize in advance to Mr. Hill if I misread his post and he has found some other connection between the SMB signing flaw and the printer settings besides the fact they generate the same error code.

Personally, I have also run into this error code, but it was in relation to starting and stopping a specific service on a Windows 2000 based Celerra Anti-Virus Agent server that is utilized to scan an EMC Storage Area Network (please be sure to note that the generation of this error in my case did not require an actual user logoff or the use of roaming profiles).

My research into this event showed that one of the ways that event ID 1000 could be generated in your Application event log from 'Userenv' is that a handle to a registry key is not closed properly. Because a handle remains open, the profile cannot be saved properly and Windows must wait until the Userenv times out before the user is allowed to log off and the event is generated.

The following KB articles all mention different programming errors in Windows 2000 as the cause for the Userenv 1000 event being generated:

http://support.microsoft.com/default.aspx?scid=kb;en-us;253820
http://support.microsoft.com/default.aspx?scid=kb;en-us;269858
http://support.microsoft.com/default.aspx?scid=kb;en-us;319909
http://support.microsoft.com/default.aspx?scid=kb;en-us;327984

I believe the reason that this event code is the most researched event ID at EventID.net is because it can be generated by programming errors in all sorts of applications running on a server (regardless of whether it is a portion of Windows itself or a 3rd party application).

In relation to Windows, there are KB articles stating that the issues that generate this error have been fixed with hotfixes and/or upgrades to SP2, SP3 and now SP4. However, I believe that Microsoft is only speaking in relation to the specific issue from the KB article in question, rather than the generation of Userenv 1000 events, and this is the cause of the confusion.

Unfortunately, Microsoft has not seen fit to write a KB article or white paper to fully explain why the error code itself is generated, nor provided any way to diagnose which is the offending process/thread for troubleshooting purposes. Therefore, we are all left to fall down rabbit holes of information in an attempt to understand this error and why it is happening to us. Hopefully, they will eventually respond to the continuing confusion and correct this oversight.

Mike
----
Cheers,
Russ - NTBugtraq Editor
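
Added example, not part of the original post and not Microsoft tooling: the forwarded message reports Userenv 1000 appearing around a service start/stop rather than a logoff, so one triage approach is to correlate each Userenv 1000 event with Service Control Manager state changes (event 7036) logged shortly before it. The CSV layout, the 120-second window and the service name ExampleAV are assumptions, and the sample rows are constructed.

```python
import csv, io, re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: merged Application + System log export (hypothetical CSV layout).
SAMPLE = """time,log,source,event_id,message
2003-07-01 09:00:05,System,Service Control Manager,7036,The ExampleAV service entered the stopped state.
2003-07-01 09:01:02,Application,Userenv,1000,Windows cannot unload your registry file.
2003-07-01 13:15:40,System,Service Control Manager,7036,The Print Spooler service entered the running state.
2003-07-01 17:30:00,Application,Userenv,1000,Windows cannot unload your registry file.
2003-07-02 09:00:07,System,Service Control Manager,7036,The ExampleAV service entered the stopped state.
2003-07-02 09:01:04,Application,Userenv,1000,Windows cannot unload your registry file.
"""

FMT = "%Y-%m-%d %H:%M:%S"
SVC_RE = re.compile(r"^The (.+) service entered the (\w+) state\.$")

def load(text):
    """Parse the CSV export and return rows sorted by timestamp."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["time"] = datetime.strptime(r["time"], FMT)
    return sorted(rows, key=lambda r: r["time"])

def correlate(rows, window_s=120):
    """For each Userenv 1000 event, list services that changed state in the preceding window."""
    window = timedelta(seconds=window_s)
    svc = [r for r in rows
           if r["source"] == "Service Control Manager" and r["event_id"] == "7036"]
    out = []
    for ev in rows:
        if ev["source"] != "Userenv" or ev["event_id"] != "1000":
            continue
        near = []
        for s in svc:
            m = SVC_RE.match(s["message"])
            if m and timedelta(0) <= ev["time"] - s["time"] <= window:
                near.append(m.group(1))
        out.append((ev["time"], near))
    return out

def rank_suspects(pairs):
    """Count how many Userenv 1000 events each service preceded; recurring names are leads."""
    counts = Counter()
    for _, names in pairs:
        counts.update(set(names))
    return counts.most_common()

if __name__ == "__main__":
    pairs = correlate(load(SAMPLE))
    for when, names in pairs:
        print(when, names or "no service activity in window")
    print(rank_suspects(pairs))
```

A service that recurs ahead of these events is only a lead for closer inspection of its open registry handles; events with no nearby service activity point to a logoff or another cause.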