MS03-029 Q823803 RAS services no longer starting

From: Dave Vantine (david.vantine_at_CREATCOMP.COM)
Date: 07/28/03

  • Next message: Microsoft Security Response Center: "MS03-029 / Q823803 and RRAS Problems [im]" 
    Date:         Mon, 28 Jul 2003 17:38:58 -0400
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

    I tried updating one of my NT4 SP6a systems with this latest patch using the
    Windows Update. This system is the PDC on an NT4 Domain. When the system
    rebooted I received an error about services unable to start. In attempting
    to logon, explorer would continuously error out with a memory error.

    The event log showed 4 errors in the following order:
    >
    Event Type: Error
    Event Source: RemoteAccess
    Event Category: None
    Event ID: 20074
    Date: 7/28/2003
    Time: 3:36:04 PM
    User: N/A
    Computer: ENTERPRISE
    Description:
    Point to Point Protocol engine was unable to load the module.
    Data:
    0000: 7e 00 00 00 ~...
    >
    Event Type: Error
    Event Source: RemoteAccess
    Event Category: None
    Event ID: 20067
    Date: 7/28/2003
    Time: 3:36:04 PM
    User: N/A
    Computer: ENTERPRISE
    Description:
    Remote Access Connection Manager failed to start because the Point to Point
    Protocol failed to initialize.
    Data:
    0000: 7e 00 00 00 ~...
    >
    Event Type: Error
    Event Source: Service Control Manager
    Event Category: None
    Event ID: 7023
    Date: 7/28/2003
    Time: 3:36:04 PM
    User: N/A
    Computer: ENTERPRISE
    Description:
    The Remote Access Connection Manager service terminated with the following
    error:
    The specified module could not be found.
    >
    Event Type: Error
    Event Source: Service Control Manager
    Event Category: None
    Event ID: 7001
    Date: 7/28/2003
    Time: 3:36:04 PM
    User: N/A
    Computer: ENTERPRISE
    Description:
    The Remote Access Server service depends on the Remote Access Connection
    Manager service which failed to start because of the following error:
    The specified module could not be found.

    I had no GUI access and was only able to run commands by entering
    CTRL-ATL-DEL to get to task manager and click the new task button. I was
    finally able to uninstall the patch from the command line and once it was
    removed my system came up without error.

    I then ran the update against the BDC with NT4 SP6a with all of the same
    patches as the PDC. Once the patches were installed the BDC also indicated
    that there were services that could not start. One difference however was
    there were no errors from explorer when logging in. The event logs had
    several of the same Event ID's but the descriptions on 20074 & 20076 were
    slightly different. This server also had 1 additional error not seen on the
    PDC as seen below:

    >
    Event Type: Error
    Event Source: RemoteAccess
    Event Category: None
    Event ID: 20074
    Date: 7/28/2003
    Time: 4:29:25 PM
    User: N/A
    Computer: ODYSSEY
    Description:
    The description for Event ID (20074) in source (RemoteAccess)
    could not be found. It contains the following insertion string(s):.
    Data:
    0000: 7e 00 00 00 ~...
    >
    Event Type: Error
    Event Source: RemoteAccess
    Event Category: None
    Event ID: 20067
    Date: 7/28/2003
    Time: 4:29:25 PM
    User: N/A
    Computer: ODYSSEY
    Description:
    The description for Event ID (20067) in source (RemoteAccess)
    could not be found. It contains the following insertion string(s):.
    Data:
    0000: 7e 00 00 00 ~...
    >
    Event Type: Error
    Event Source: Service Control Manager
    Event Category: None
    Event ID: 7023
    Date: 7/28/2003
    Time: 4:29:25 PM
    User: N/A
    Computer: ODYSSEY
    Description:
    The Remote Access Connection Manager service terminated with the following
    error:
    The specified module could not be found.
    >
    Event Type: Error
    Event Source: Service Control Manager
    Event Category: None
    Event ID: 7001
    Date: 7/28/2003
    Time: 4:29:25 PM
    User: N/A
    Computer: ODYSSEY
    Description:
    The Remote Access Autodial Manager service depends on the Remote Access
    Connection Manager service which failed to start because of the following
    error:
    The specified module could not be found.
    >
    Event Type: Error
    Event Source: Service Control Manager
    Event Category: None
    Event ID: 7001
    Date: 7/28/2003
    Time: 4:29:25 PM
    User: N/A
    Computer: ODYSSEY
    Description:
    The Remote Access Server service depends on the Remote Access Connection
    Manager service which failed to start because of the following error:
    The specified module could not be found.

    Both machines had RAS installed and configured with the PPTP connections.

    I decided to remove both the PPTP protocol and the RAS service on the BDC
    and reboot the system. This time the system booted without error with the
    patch still installed.

    -Dave Vantine

    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
    Are You "Certifiable"? Summer's Hottest Certification Just Got HOTTER!

    With a growth rate exceeding 110%, the TICSA security practitioner
    certification is one of the hottest IT credentials available. And now, for
    a limited time, you can save 33% off of the TICSA certification exam! To
    learn more about the TICSA certification, and to register as a TICSA
    candidate online, just go to

    http://www.trusecure.com/offer/s0100/

    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo

  • Next message: Microsoft Security Response Center: "MS03-029 / Q823803 and RRAS Problems [im]"