New Tweaks and Tools

Over the past week, I've learned about three Microsoft tools that help you install Microsoft hotfixes in a more streamlined fashion and tighten security on your dial-up networking clients. In addition, I've come across some interesting articles that you might want to read.

The tools are Qchain, the Windows 9x DUN 1.4 Upgrade, and Qfecheck. Qchain lets you install multiple hotfixes without having to reboot after each one. I found out about the tool while reading the June edition of Microsoft's "Ask Us About Security" column on its Web site. Qchain runs on Windows 2000 and Windows NT. To use Qchain, you first install each required hotfix (in proper sequence) with the -z command-line switch, which tells the installation program not to reboot the OS after installing the fix. Then run Qchain, which, according to article Q296861, "cleans the Pending File Rename Operations key in the registry to make sure that only the latest version of a file is installed after the computer is rebooted." You can learn more about Qchain and download a copy here.

The DUN upgrade offers Windows 9x users support for 128-bit encryption with PPTP and also improves the stability of PPTP connections. According to Microsoft, "The DUN 1.4 release includes all of the features of all previous DUN releases, as well as those that are included in the Integrated Services Digital Network (ISDN) version 1.1 release." In addition, DUN 1.4 has multilink support and support for internal ISDN adapters and connection-time scripting, which helps automate nonstandard connections. You can find the DUN 1.4 upgrade at the following URL:

The third tool is Qfecheck, which inspects a system to ensure that hotfixes are installed correctly on Win2K systems. Hotfix information is stored in the registry under HKEY_LOCAL_MACHINESOFTWAREMicrosoftUpdates.

Qfecheck reads information from that key and compares the information to files on the system to ensure those files are the proper versions. Qfecheck also ensures that the Windows File Protection (WFP) subsystem has the information it needs to protect those files from tampering. Learn more about Qfecheck, including where to download a copy, from Microsoft's article.

While reading this month's "Ask Us About Security" column from Microsoft, I also learned that the company has begun producing no-reboot patches for Win2K—finally! Microsoft said it now analyzes each security patch it produces to determine whether a user can install it without a system reboot; the company will release those patches as no-reboot patches. The company also analyzed all of its former patches and found it could repackage only two (MS00-067 and MS00-099) as no-reboot patches using its current technology. So Microsoft is working on additional technology that will let it repackage as many as 25 percent of the currently available patches. That technology should also let the company create a greater percentage of no-reboot patches in the future. You can learn more about no-reboot patches on Microsoft's TechNet Web site.

Before I sign off this week, I want to point out that Windows 2000 Magazine senior contributing editor Sean Daily has discovered a potentially dangerous oddity with Active Directory (AD) backups. In certain instances, AD backups can become corrupt, and you know what happens when you restore corrupted data. You don't want to get bitten by this bug, so be sure to read Sean's news article.