Re: SP4 reverts MS03-026 - Not!

From: Young, Jerry (Jerry.Young_at_SAVVIS.NET)
Date: 09/19/03

    Date:         Fri, 19 Sep 2003 14:51:54 +0900
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Russ,

    Generally speaking, installation of a service pack after installation of
    hotfixes will require reinstallation of non-service pack included
    hotfixes. However, Windows 2000 does implement by default Windows File
    Protection. This may be what is actually returning the hotfix file
    version after the service pack overwrites it (latest file version should
    exist in %SystemRoot%\system32\dllcache).

    My personal opinion about the inclusion of service pack revision numbers
    in the hotfix Registry keys has been that this is really more of an
    effort at organization. Still, I haven't done any testing with regards
    to this. Using RegMon from Sysinternals should, however, be able to
    determine if the hotfix or SP checks Registry keys for hotfixes when
    compiling the list of files to install.

    I have, however, determined that the list of files being protected is
    apparently included (hardcoded??) in sfcfiles.dll. I've often wondered
    if this is ever recompiled. For Windows XP, however, the file list is
    included in an XML document (%SystemRoot%\system32\restore\filelist.xml)
    that you can simply edit in notepad to, say for example, remove
    (exclusion statement in XML Doc) files from the system which will never
    be used.

    In any case, information about WFP can be found at the following URL.

    http://www.microsoft.com/whdc/hwdev/driver/sfp/wfp_print.mspx

    If you'd like to be able to disable WFP for testing - without the need
    of a kernel debugger being attached to the machine - the Registry tweak
    is given at the following URL. Note, you may have to copy-paste the
    entire link as a single line to get it to work.

    http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&threadm=Pine.GSO.4.21.0006261037330.24013-100000%40mail&rnum=2&prev=/groups%3Fq%3Ddisable%2B%2522windows%2Bfile%2Bprotection%2522%26ie%3DUTF-8%26oe%3DUTF-8%26hl%3Den

    Anyway, if this is old news, my apologies. If it's not, then I hope it
    might help to shed some light on this topic. *8^)

    Cordially yours,
    Jerry G. Young II
    %-+-&+-+$---#+++%
    Senior Windows Engineer
      Microsoft Certified Systems Engineer (W2K/NT 4.0)
    Hosting Engineering, Tokyo Datacenter
    Savvis Communications (http://www.savvis.net)

    > -----Original Message-----
    > From: Russ [mailto:Russ.Cooper@RC.ON.CA]
    > Sent: Friday, August 22, 2003 6:22 AM
    > To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    > Subject: Re: SP4 reverts MS03-026 - Not!
    >
    > FYI, thought I would pass this info along also.
    >
    > I don't know when MS started doing this, but at some point they added a
    > registry value "Service Pack" into the hive for hotfixes. This value seems
    > to tell the SP installer whether or not to remove the hotfix. The value
    > for KB823980 is 5, indicating SP5, the SP the fix will be included in, so
    > SP3 or SP4 should not remove it.
    >
    > May be old news, but was something I bumped into while re-doing my tests.
    >
    > Cheers,
    > Russ - NTBugtraq Editor

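One way to check the point discussed in this message, whether the file on disk after a service pack install matches the copy Windows File Protection holds in dllcache. This is an added example, not part of the original post or thread; it assumes PowerShell is available on the machine (it postdates this thread), and the file names and the optional patched version are supplied by the reader from the bulletin being verified.

```powershell
# Added example (not from the original message): compare the version of each
# named file in %SystemRoot%\system32 with its copy in system32\dllcache.
param(
    [Parameter(Mandatory = $true)]
    [string[]]$FileName,        # assumption: file names taken from the bulletin being checked
    [version]$MinimumVersion    # assumption: patched version stated in that bulletin (optional)
)

function Get-FileVersionOrNull {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $null }
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    # Use the numeric parts; the FileVersion string may carry trailing text.
    return New-Object System.Version $vi.FileMajorPart, $vi.FileMinorPart,
                                     $vi.FileBuildPart, $vi.FilePrivatePart
}

$system32 = Join-Path $env:SystemRoot 'system32'
$dllcache = Join-Path $system32 'dllcache'

foreach ($name in $FileName) {
    $live  = Get-FileVersionOrNull (Join-Path $system32 $name)
    $cache = Get-FileVersionOrNull (Join-Path $dllcache $name)

    if     ($null -eq $live)  { $status = 'MissingFromSystem32' }
    elseif ($null -eq $cache) { $status = 'NotInDllcache' }
    elseif ($live -lt $cache) { $status = 'LiveOlderThanCache' }
    elseif ($live -gt $cache) { $status = 'CacheOlderThanLive' }
    else                      { $status = 'Match' }

    # Flag a live file that is older than the version the bulletin lists.
    if ($MinimumVersion -and $live -and ($live -lt $MinimumVersion)) {
        $status += ',BelowPatchedVersion'
    }

    New-Object psobject -Property @{
        File = $name; System32 = $live; Dllcache = $cache; Status = $status
    }
}
```

A `CacheOlderThanLive` result is the case to watch: if Windows File Protection later restores that file from dllcache, the older copy comes back.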