Post-SP5 Hotfixes; Obscure Bug Reports

Recent Post-SP5 Hotfixes
There are 11 hotfixes for Windows NT Service Pack 5 (SP5)—four released or updated since the beginning of June of this year, and four issued since July 14, 1999. I’ve discussed the Client-Server Runtime Subsystem (CSRSS) fix and RAS/RRAS password hotfixes in previous columns, so I’ll address the three most recent hotfixes here. You’ll appreciate that Post-SP5 hotfixes have no interdependencies, so you can install them in any order.

The three hotfixes I discuss below are available for NT and Windows NT Server 4.0, Terminal Server Edition. The BIOS2 hotfix is available for both SP4 and SP5. You can download the English version of Post-SP5 hotfixes for NT at ftp://ftp.microsoft.com/bussys/ winnt/winnt-public/ fixes/usa/NT40/hotfixes-postSP5/. You can find Terminal Server hotfixes at ftp://ftp.microsoft.com/ bussys/winnt/winnt-public/fixes/usa/ NT40TSE/hotfixes-postSP5/. To locate the international version, select the appropriate country from the /fixes directory.

Y2K BIOS Hotfix. The BIOS2-fix hotfix was released last week to correct two Y2K-specific problems omitted from SP5. The BIOS2-fix correctly refreshes the realtime clock when located in a time zone that does not observe Daylight Saving Time; it also updates the multi-processor kernel, if one exists. There are two BIOS2-fix updates, one for SP4 and one for SP5, so be sure you download the correct version for your installed service pack. You can find the instructions for checking your installed hotfix version (there are three—the original, BIOS, and BIOS2) listed by filename and size in the file Q216913.txt, which is located in the hotfix directory.

Phone Dialer Hotfix. According to Microsoft Support Online article Q237185 (http://support.microsoft.com/support/kb/articles/q237/1/85.ASP), the phone dialer code does not properly remove entries from memory when the dialer.ini file contains a string between 128 and 256 characters in the [Last Number Dialed] field—a bug that generates an access violation when you exit the dialer code. If your system has this problem, you’ll see the following message in the Application event log:

The application, exedialer.dbg, generated an application error.
The error occurred on @
The exception generated was c0000005 at address 31313131.

This problem applies to all versions of Windows NT 4.0 (Server and Workstation), Small Business Server 4.5, BackOffice Server 4.0 and 4.5, and Terminal Server Edition 4.0. Contact Microsoft Support to get the hotfix.

Mouse/Keyboard Vulnerability Hotfix. This denial-of-service hotfix corrects a security vulnerability in NT and Terminal Server. Developers access devices via I/O control (IOCTL) functions and a device can be purposely disabled from responding to the OS with a specific combination of calling parameters. On NT, this form of an IOCTL lets an ill-intentioned user disable the mouse and keyboard driver of the local machine; on Terminal Server the same usage disables the keyboard and mouse on both the local system and the Terminal Server machine.

When the devices are disabled, you can restore normal operation by rebooting the system. But without the hotfix, the mouse and keyboard can be disabled repeatedly. The good news is that this vulnerability cannot be exploited to obtain elevated privileges, and the bug does not allow data to be compromised.

The hotfix that corrects this vulnerability is the IOCTL-fix, documented in Microsoft Support Online article Q236359 (http://support.microsoft.com/ support/kb/articles/ q236/3/59.asp). Be sure you download the correct hotfix version for your platform.

Busy SP4 Print Server Deletes Jobs
Microsoft Support Online article Q232230 (http://support.microsoft.com/ support/kb/articles/ q232/2/30.ASP) documents an unusual local procedure call (LPC) bug in the print-spooler code. When a print client and a print server have the same process identifier (PID) and the print server is busy, LPC messages between the two processes are lost. This deletes print jobs before they are printed. If your system has this problem, you will see the Event ID 10 message, "0 bytes, 0 pages printed," in the Application event log, possibly followed by an Event ID 13 message indicating that the print job was deleted.

This bug applies to Service Pack 4 (SP4) and possibly to SP5 (its discovery postdates the release of SP5). Call Microsoft Support for the bug fix, which updates files ntoskrnl.exe and ntkrnlmp.exe.

Why is this update a bug fix and not a hotfix? Deleting print jobs seems like a more widespread and problematic issue than, for example, phone-dialer code that crashes when the last dialed number is longer than 128 characters. Perhaps this bug is rarer because client and server processes seldom have the same PID.

SP4 and SP5 Emergency Repair Error Message
During a Windows NT installation or a service pack update, the install program records each installed system file name, size, and checksum in the setup.log file. When you invoke the emergency repair procedure, the repair utility compares the files on disk to the files in the setup.log file and verifies that the checksum of the disk file is the same as the one in setup.log.

Microsoft Support Online article Q236954 (http://support.microsoft.com/ support/kb/articles/ q236/9/54.ASP) indicates that the Service Pack 4 (SP4) and SP5 update.exe code incorrectly records the checksum of system files certmgr.hlp and secauth.hlp in setup.log. When you attempt a repair, you see an error message for these two files during the repair process. To work around this, skip the restore of these files during the repair process. The problem is corrected in a new version of update.exe. You can get the bug fix from Microsoft Support.

RRAS-Induced System Crash
RRAS doesn’t calculate the total resources required to support ports during the configuration process. After you configure 200 ports and reboot to complete the configuration, Windows NT can run out of resources and crash with a Stop code of 0x1E or 0x1A. Microsoft Support Online article Q232133 (http://support.microsoft.com/ support/kb/articles/ q232/1/33.ASP) documents neither the module that crashes nor the resource shortage, so I expect this is a fairly unusual occurrence. The problem occurs in Service Pack 4 (SP4) and might also apply to SP5. You can get the bug fix, a new netbt.sys, from Microsoft Support.