Re: HfNetChk and Q299444 problem

From: Eric (ews@tellurian.net)
Date: 08/16/01


Message-Id: <5.1.0.14.0.20010816134014.036a0ad8@mail.tellurian.net>
Date: Thu, 16 Aug 2001 13:59:06 -0700
To: "Alex S. Sachetti Araujo" <woyzeck@terra.com.br>, <focus-ms@securityfocus.com>
From: Eric <ews@tellurian.net>
Subject: Re: HfNetChk and Q299444 problem

You are running HFNetChk with the -a m switch to show missing hotfixes,
without regard for supersedences.

Run the tool again without using the -a switch. It will recognize that
many of the fixes you list below are superseded and will not even look for
them, as there is no reason to. I bet if you do this, you'll see a much
smaller list of things that need to be addressed.

(Please also realize that the SRP does not contain ALL the post SP6a
fixes. You'll need to review this page to see what was NOT included in the
SRP at the time it was released:
http://www.microsoft.com/technet/itsolutions/security/news/nt4srp.asp
(obviously, those things that we released after the SRP are not listed on
this page either, but that's the beauty of this tool, run it and it will
tell you what you are missing.))

Just because one rollup patch delivers all the fixes contained in earlier
fixes, it does NOT mean that the rollup patch goes back and creates
registry key entries for each of the hotfixes that were never installed to
begin with. That wouldn't be right. HFnetchk is aware that 01-041
supersedes X, Y, and Z hotfixes, so it doesn't bother to check to see if you
need those - cause if you apply the most recent fix (01-041), then you
don't need to worry about the ones that it supersedes. (a patch is only
considered superseded if all of its files are included in a later hotfix -
with the exception of three files in a 1999 fix which were NOT included in
the SRP, and were not necessary, even in the original version of the patch
(beep.sys, etc))

If you specify -a m to see missing hotfixes, it will show you the status of
each patch regardless of the supersedences, and as you've seen below, it
will show that you are running file versions that are more recent than is
expected. For example:

WARNING MS00-040 Q264684
File C:\WINNT\system32\winlogon.exe has a file version that
is greater than what is expected.

00-040 contained winlogon.exe with file version 4.0.1381.7058. 00-040 is
recorded in the XML file as being superseded by 01-041 (SBID 57), which
contains winlogon.exe with file version 4.0.1381.7097.

So the warning message is accurate, and seeing as how you didn't get a
warning for this file for 01-041, all is good.

Run the tool again, but don't use the -a switch. The results will show you
just what you need to apply to be current for your OS and SP, without
showing you any superseded hotfixes. (the riched issue should be
investigated - send to hfnetchk@microsoft.com)

At 10:49 PM 8/15/2001 -0300, Alex S. Sachetti Araujo wrote:

> Hi,
>
> I'm totally confused after running HfNetChk. Recently, Microsoft launched
>a new package (Q299444) that delivers all necessary hotfixes post SP6.0a for
>Windows NT 4.0 Server. For a complete hotfix list reference see:
>http://support.microsoft.com/support/kb/articles/q299/4/44.asp. Immediately
>after installing this package (I use qchain.exe, reboot machine, etc)
>HfNetChk reports missing hotfixes (which must be delivered in Q299444),
>unknown hotfixes and inconsistent dll/exe versions.
>
>
> The following is the report generated by HfNetChk which exposes missing
>hotfixes:
>
> Patch NOT Found MS99-047 Q243649
> The registry key **SOFTWARE\Microsoft\Windows
>NT\CurrentVersion\Hotfix\Q243649** does not exist. It is required for this
>patch to be considered installed.
>
> Patch NOT Found MS99-055 Q246045
> The registry key **SOFTWARE\Microsoft\Windows
>NT\CurrentVersion\Hotfix\Q246045** does not exist. It is required for this
>patch to be considered installed.
>
> Patch NOT Found MS99-056 Q248183
> The registry key **SOFTWARE\Microsoft\Windows
>NT\CurrentVersion\Hotfix\Q248183** does not exist. It is required for this
>patch to be considered installed.
>
> Patch NOT Found MS99-057 Q248183
> The registry key **SOFTWARE\Microsoft\Windows
>NT\CurrentVersion\Hotfix\Q248183** does not exist. It is required for this
>patch to be considered installed.
>
> Patch NOT Found MS00-003 Q247869
> The registry key **SOFTWARE\Microsoft\Windows
>NT\CurrentVersion\Hotfix\Q247869** does not exist. It is required for this
>patch to be considered installed.
>
> Patch NOT Found MS00-004 Q249108
> The registry key **SOFTWARE\Microsoft\Windows
>NT\CurrentVersion\Hotfix\Q249108** does not exist. It is required for this
>patch to be considered installed.
>
> Patch NOT Found MS00-027 Q259622
> The registry key **SOFTWARE\Microsoft\Windows
>NT\CurrentVersion\Hotfix\Q259622** does not exist. It is required for this
>patch to be considered installed.
>
> Patch NOT Found MS00-029 Q259728
> The registry key **SOFTWARE\Microsoft\Windows
>NT\CurrentVersion\Hotfix\Q259728** does not exist. It is required for this
>patch to be considered installed.
>
> Patch NOT Found MS00-095 Q265714
> The registry key **SOFTWARE\Microsoft\Windows
>NT\CurrentVersion\Hotfix\Q265714** does not exist. It is required for this
>patch to be considered installed.
>
>
>
>
> Also, HfNetChk reports the following hotfix which is not mentioned in
>Q299444 (maybe it was substituted by other hotfix?):
>
> Patch NOT Found MS99-046 Q243825
> The registry key **SOFTWARE\Microsoft\Windows
>NT\CurrentVersion\Hotfix\Q243835** does not exist. It is required for this
>patch to be considered installed.
>
>
>
>
> Other problems (maybe my machine is running trojaned +_+ ?):
>
> Patch NOT Found MS01-003 Q279336
> File C:\WINNT\system32\ws2_32.dll has an invalid checksum
>and its file version is equal to or less than what is expected.
>
> WARNING MS00-040 Q264684
> File C:\WINNT\system32\winlogon.exe has a file version that
>is greater than what is expected.
>
> WARNING MS00-070 Q266433
> File C:\WINNT\system32\ntoskrnl.exe has a file version that
>is greater than what is expected.
>
> Patch NOT Found MS01-003 Q279336
> File C:\WINNT\system32\ws2_32.dll has an invalid checksum
>and its file version is equal to or less than what is expected.
>
> WARNING MS01-008 Q280119
> File C:\WINNT\system32\ntlmssps.dll has a file version that
>is greater than what is expected.
>
> WARNING MS01-041 Q299444
> File C:\WINNT\system32\riched20.dll has a file version that
>is greater than what is expected. File C:\WINNT\system32\riched32.dll has a
>file version that is greater than what is expected
>
> Any apointments?
>
> Alex
>
>---
>Alex Sander Sachetti
>alex@sekure.org
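
The difference between the default run and the `-a m` run described in the reply, as a simplified Python model added here (it is not HFNetChk's code or its XML schema). The `superseded_by` field, the check order, the `EXAMPLE-OLD`/`Q000000` placeholder patch and the host state are assumptions constructed for illustration; only the two winlogon.exe versions come from the message.

```python
from dataclasses import dataclass, field

def ver(s):
    """Turn a dotted file version such as 4.0.1381.7058 into a comparable tuple."""
    return tuple(int(part) for part in s.split("."))

@dataclass
class Patch:
    bulletin: str
    qnumber: str
    files: dict = field(default_factory=dict)  # file name -> version the patch shipped
    superseded_by: str = ""                    # hypothetical field: the replacing bulletin

# Constructed catalogue. The winlogon.exe versions are the two quoted in the reply;
# EXAMPLE-OLD / Q000000 is a placeholder for an old fix that was never installed.
PATCHES = [
    Patch("EXAMPLE-OLD", "Q000000", superseded_by="MS01-041"),
    Patch("MS00-040", "Q264684", {"winlogon.exe": "4.0.1381.7058"}, "MS01-041"),
    Patch("MS01-041", "Q299444", {"winlogon.exe": "4.0.1381.7097"}),
]
# Constructed host state after installing only the rollup.
HOST_KEYS = {"Q299444"}
HOST_FILES = {"winlogon.exe": "4.0.1381.7097"}

def check(patch, hotfix_keys, installed):
    """Return (status, detail) for one patch; files first, then the Hotfix key."""
    for name, expected in patch.files.items():
        have = ver(installed.get(name, "0"))
        if have < ver(expected):
            return ("Patch NOT Found", name + " is older than expected")
        if have > ver(expected):
            return ("WARNING", name + " has a file version greater than expected")
    if patch.qnumber not in hotfix_keys:
        return ("Patch NOT Found", "Hotfix registry key for " + patch.qnumber + " does not exist")
    return ("OK", "")

def scan(patches, hotfix_keys, installed, show_superseded=False):
    """show_superseded=True models the -a m run; False models the default run."""
    report = {}
    for p in patches:
        if p.superseded_by and not show_superseded:
            continue  # a later fix replaces it, so it is not checked at all
        status, detail = check(p, hotfix_keys, installed)
        if status != "OK":
            report[p.bulletin] = (status, detail)
    return report

if __name__ == "__main__":
    print("default:", scan(PATCHES, HOST_KEYS, HOST_FILES))
    print("-a m   :", scan(PATCHES, HOST_KEYS, HOST_FILES, show_superseded=True))
```

In this model the default run reports nothing for the host, while the `-a m` run surfaces both the missing-key result and the newer-than-expected winlogon.exe warning for patches that the rollup already replaces.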


