Re: How to fix broken security in Windows 2000?

From: Jeff Cochran (jeff.nospam_at_zina.com)
Date: 01/19/05


Date: Wed, 19 Jan 2005 01:14:23 GMT

On Tue, 18 Jan 2005 16:41:24 +0900, "Shannon Jacobs"
<shanen@my-deja.com> wrote:

>The problem occurs during booting. Unfortunately, the exact error message is
>in Japanese, and though I could copy it for you, I'm doubtful it would be
>very helpful... My Japanese is far from perfect, but I'll try to describe it
>as well as I can. During the boot, a popup window appears. It says that it
>is unable to check the validity of a file (or certify the appropriateness or
>compatibility?), and it asks me to insert the Windows 2000 Professional CD
>so that it can copy an earlier version. No hint as to which file or exactly
>why it doesn't like the version it has found. (Of course I have run a
>variety of virus and spyware checks, and I think I can rule out that
>possibility.)

Actually, you can't. This is a relatively recent spyware issue, and
easily resolved. Open the Task Manager and choose the processes tab.
Stop all processes you don't know, there aren't many that are required
and if you stop the wrong one you can always restart the system to
recover.

Once these are stopped, run the registry editor (regedt32 or regedit)
and find the key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Remove all strange entries. You should recognize most of them anyway.
Once removed, restart the system. Also run through the Add/Remove
Programs dialog and clean out unrecognized or unwanted stuff.

Keep in mind that making changes to the registry can screw up your
system. If you're at all uncomfortable with this, call your IT
department (If they're security conscious they'll have prevented you
from editing the registry anyway...).

I haven't found a spyware removal tool that has fixed this issue, but
I've cleaned a half dozen systems in the last few days of this.

Disclaimer: If you're foolish enough to try suggestions from the
internet without verifying them, then you deserve whatever happens if
this hoses your system. Don't blame me since I'm specifically warning
you not to do what I suggest.

That said, you can easily figure out how to reach me and verify
credentials.

Jeff

>In response to the error window, I can either insert the CD or cancel. If I
>insert the CD, it apparently copies some file and the popup goes away. (The
>newer "incorrect" version of the file is apparently restored from somewhere
>at the time of the next boot.) If I cancel, then it gives me a confirmation
>window where I can insist that it use the newer version, but still no
>indication about the newer version of what.
>
>I have tried various diagnostic measures such as getting a boot log (no
>hints found) and reading all sorts of typically irrelevant pages on the
>Microsoft Web sites. I had hoped that the SFC would identify the problem
>(which is supposed to be the purpose of that program), but, as already
>noted, it also refuses to run, and based on some of the information I read
>on the Microsoft Web site, I believe that this is a related problem. The
>error code is 0x000006ba, which will doubtlessly lead you to the same pages
>I visited, but I followed the various recovery instructions without success,
>which makes me think the real problem is some other file in a critical chain
>is also missing. (Or based on the comment below, it is also possible that
>this machine originally had a different version of a key root certificate.)
>
>Perhaps this is a helpful diagnostic, but I think it is just a metric that
>shows the problem is not so serious. Whatever file is failing to load, it
>does not actually stop the boot. The machine continues booting, and I have
>not noticed any crucial services that are disabled prior to getting rid of
>the error message. I have also been unable to detect any difference between
>using the CD or using the unverified newer file.
>
>Roger Abell wrote:
>> I have read, and reread, your entire posting.
>> As far as I can tell, all that you have told us, aside from
>> your suspected cause, is
>> <quote>
>> The problem itself is that the computer complains about a new
>> file version that it can't check. It doesn't reveal what file
>> </quote>
>> That is not really very much to go on.
>> When does this happen for example.
>>
>>> In http://support.microsoft.com/default.aspx?scid=kb;en-us;293781
>>> there is the very interesting comment:
>>>
>>> "As you may have noticed in the provided information, some of the
>>> certificates have expired. However, these certificates are necessary
>>> for backwards compatibility. Even if there is an expired trusted root
>>> certificate, anything that was signed with that certificate prior to
>>> the expiration date needs that trusted root certificate to be
>>> validated. As long as expired certificates are not revoked, it can
>>> be used to validate anything that was signed prior to its
>>> expiration."
>>>
>>> Oh! *NOW* you [Microsoft] tell me. Just too bad the information
>>> wasn't provided earlier.
>>>
>>> Been wrestling with this problem for several weeks, and though I'm
>>> not certain, I very strongly suspect that what happened is that I
>>> deleted a required security certificate in the foolish belief that
>>> the expiration date had some meaning. Quite trivial to do from IE:
>>> Tools menu -> Internet Options command -> Content tab ->
>>> Certificates button -> Trusted Root Certificates tab. Not certain
>>> because it happened a while ago and the resulting problem is minor,
>>> though annoying. Some possibility it may have been caused by a
>>> WindowsUpdate, possibly even one that was pushed onto my machine by
>>> the corporate IT people.
>>>
>>> The problem itself is that the computer complains about a new file
>>> version that it can't check. It doesn't reveal what file, and it
>>> doesn't actually say anything about a missing security certificate,
>>> but I'm pretty sure that's what's going on. The SFC fails to run,
>>> which is apparently related.
>>>
>>> I'm pretty sure that all of the root certificates have been
>>> restored, but either there is a missing certificate somewhere else,
>>> or it is some kind of chain reaction thing.
>>>
>>> Anyone else having similar problems? Any suggestions about how to
>>> fix it? Diagnostic steps to identify the missing certificate or even
>>> the affected file?
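A read-only way to carry out the Run-key inspection Jeff describes above, added here as an example and not part of the thread: it lists each autostart entry under the Run key he names (plus the per-user HKCU counterpart), resolves the executable each entry launches, and reports whether that file exists and whether its Authenticode signature checks out, so "strange entries" can be judged before anything is removed. It assumes a current Windows PowerShell; Get-AuthenticodeSignature and the HKCU key are assumptions beyond what the post mentions.

```powershell
# Added example (not from the thread): inspect Run-key autostart entries and
# report whether each launched file exists and carries a valid Authenticode
# signature. Read-only: it reports, it deletes nothing.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',   # the key named in the post
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'    # assumed per-user counterpart
)
# Properties PowerShell's registry provider adds to every key object; not Run entries.
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-ExecutableFromCommand {
    param([string]$Command)
    # Quoted form:  "C:\Program Files\x\y.exe" /arg
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    # Unquoted form: C:\x\y.exe /arg  (an unquoted path containing spaces is
    # ambiguous; the first ".exe" token is taken)
    if ($Command -match '^\s*(\S+?\.exe)') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }
        $exe = [Environment]::ExpandEnvironmentVariables((Get-ExecutableFromCommand $p.Value))
        $status = 'MISSING'          # file not found is itself worth a look
        $signer = ''
        if (Test-Path -LiteralPath $exe) {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            $status = $sig.Status    # Valid, NotSigned, HashMismatch, UnknownError, ...
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        [PSCustomObject]@{
            Key        = $key
            Name       = $p.Name
            Command    = $p.Value
            Executable = $exe
            Signature  = $status
            Signer     = $signer
        }
    }
}
```

Entries whose executable is missing, unsigned, or whose hash no longer matches its signature are the ones to investigate first; a "Valid" status only says the file is what its signer published, not that the signer is one you want starting at boot.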