Re: SP4 reverts MS03-026 - Not!
From: Young, Jerry (Jerry.Young_at_SAVVIS.NET)
Date: 09/22/03
Date: Mon, 22 Sep 2003 09:11:12 +0900
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Russ,

Generally speaking, installation of a service pack after installation of
hotfixes will require reinstallation of non-service pack included
hotfixes. However, Windows 2000 does implement by default Windows File
Protection. This may be what is actually returning the hotfix file
version after the service pack overwrites it (latest file version should
exist in %SystemRoot%\system32\dllcache).

My personal opinion about the inclusion of service pack revision numbers
in the hotfix Registry keys has been that this is really more of an
effort at organization. Still, I haven't done any testing with regard
to this. Using RegMon from Sysinternals should, however, be able to
determine if the hotfix or SP checks Registry keys for hotfixes when
compiling the list of files to install.

I have, however, determined that the list of files being protected is
apparently included (hardcoded??) in sfcfiles.dll. I've often wondered
if this is ever recompiled. For Windows XP, however, the file list is
included in an XML document (%SystemRoot%\system32\restore\filelist.xml)
that you can simply edit in Notepad to, say for example, remove
(exclusion statement in XML Doc) files from the system which will never
be used.

In any case, information about WFP can be found at the following URL.

http://www.microsoft.com/whdc/hwdev/driver/sfp/wfp_print.mspx

If you'd like to be able to disable WFP for testing - without the need
of a kernel debugger being attached to the machine - the Registry tweak
is given at the following URL. Note, you may have to copy-paste the
entire link as a single line to get it to work.

http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&threadm=Pine.GSO.4.21.0006261037330.24013-100000%40mail&rnum=2&prev=/groups%3Fq%3Ddisable%2B%2522windows%2Bfile%2Bprotection%2522%26ie%3DUTF-8%26oe%3DUTF-8%26hl%3Den

Anyway, if this is old news, my apologies. If it's not, then I hope it
might help to shed some light on this topic. *8^)
Cordially yours,
Jerry G. Young II
%-+-&+-+$---#+++%
Senior Windows Engineer
Microsoft Certified Systems Engineer (W2K/NT 4.0)
Hosting Engineering, Tokyo Datacenter
Savvis Communications (http://www.savvis.net)