MSFN Forum: PE Tool for creating patches - MSFN Forum


PE Tool for creating patches
WildBill's post-EOL patches for Windows 2000 are here.

#421 tomasz86

  • http://www.windows2000.tk
  • Group: Members
  • Posts: 2,220
  • Joined: 27-November 10
  • OS: Windows 2000 Professional

Posted 21 November 2011 - 08:44 PM

bristols, on 21 November 2011 - 08:25 PM, said:

Incidentally tomasz86, did you ever get around to writing-up what you know regarding problematic hotfixes? I'm eager to read your findings.

Yes, I've already analysed some files included in HBRs but there's still a lot more to do :whistle: I hope I'll manage to finish the first part in the next few days.


WildBill said:

When you first install KB2479628, it's important to rebuild your icon cache (such as with TweakUI). I guess changing the color depth or resolution would do the same thing. I wish I knew how to get the installer to do it automatically.

The problem is that it happens randomly (once every few days) even after the cache is flushed. I can't reproduce it, unfortunately.


Quote

Any suggestions regarding V5? I guess I can bump up the version if/when I release a V6.

That'd probably be the safest solution. You may also try to play with [OverrideVersionNumbers] but I don't really know if it works.

In case you bump the number to one higher than 7081, would it be difficult to add changes from the original 915985 and BWC's 915985-v2?

This post has been edited by tomasz86: 21 November 2011 - 08:45 PM



#422 WildBill

  • Senior Member
  • Group: Developers
  • Posts: 671
  • Joined: 09-August 05
  • OS: none specified

Posted 21 November 2011 - 09:17 PM

I'm taking a look at KB915985 and I'll see if I can push out a V6 with a higher version number. It looks like the changes in the HBR are pretty simple.

#423 WildBill

  • Senior Member
  • Group: Developers
  • Posts: 671
  • Joined: 09-August 05
  • OS: none specified

Posted 22 November 2011 - 10:54 PM

I posted MS11-011 V6, which includes the KB915985 hotfix as well as the fix in blackwingcat's v2, with one exception: the HBR also has a change to RtlCallQueryRegistryRoutine that the hotfix doesn't mention, but my patch completely replaces it (and routines that call it) with the version from XPSP3. If it winds up being changed in XP then I can change it as well, but I figure the best thing to do is to leave RtlCallQueryRegistryRoutine alone.

The ntdll version is 5.0.2195.7082, which should make slipstreaming happy. I also found a couple more routines that could go into ntdll, so here's the new additions list:

ntoskrnl.exe/ntkrnlpa.exe/ntkrnlmp.exe/ntkrpamp.exe

KeAcquireInterruptSpinLock
KeReleaseInterruptSpinLock
InterlockedPushEntrySList
InterlockedPopEntrySList
RtlInt64ToUnicodeString
RtlIntegerToUnicode
RtlClearBit
RtlTestBit
RtlSetBit
ZwQueryInformationThread (already there, added it to the export table)
IoForwardIrpSynchronously/IoForwardAndCatchIrp (same routine, has two different exported names)
PsRemoveLoadImageNotifyRoutine (had to completely redesign the set and call routines to make this work)
PsRemoveCreateThreadNotifyRoutine (had to completely redesign the set and call routines to make this work)
_vsnwprintf
_aulldvrm
RtlGetVersion
KeFlushQueuedDpcs


ntdll.dll

RtlIpv4StringToAddressA
RtlIpv4StringToAddressW
RtlIpv4StringToAddressExA
RtlIpv4StringToAddressExW
RtlIpv4AddressToStringA
RtlIpv4AddressToStringW
RtlIpv4AddressToStringExA
RtlIpv4AddressToStringExW
RtlIpv6StringToAddressA
RtlIpv6StringToAddressW
RtlIpv6StringToAddressExA
RtlIpv6StringToAddressExW
RtlIpv6AddressToStringA
RtlIpv6AddressToStringW
RtlIpv6AddressToStringExA
RtlIpv6AddressToStringExW
RtlInitializeGenericTableAvl
RtlIsGenericTableEmptyAvl
RtlGetElementGenericTableAvl
RtlNumberGenericTableElementsAvl
RtlInsertElementGenericTableAvl
RtlDeleteElementGenericTableAvl
RtlEnumerateGenericTableLikeADirectory
RtlLookupElementGenericTableAvl
RtlEnumerateGenericTableWithoutSplayingAvl
RtlEnumerateGenericTableAvl
RtlEncodePointer (not a stub -- it's the real functionality and depends on changes to ntoskrnl.exe, etc.)
RtlDecodePointer (not a stub -- it's the real functionality and depends on changes to ntoskrnl.exe, etc.)
RtlInterlockedPushEntrySList
RtlInterlockedPopEntrySList
RtlInterlockedFlushSList
RtlQueryDepthSList
RtlInitializeSListHead
LdrLockLoaderLock
LdrUnlockLoaderLock
LdrAddRefDll
RtlComputePrivatizedDllName_U
RtlValidateUnicodeString
RtlDuplicateUnicodeString
RtlDowncaseUnicodeChar
RtlFindCharInUnicodeString
RtlpEnsureBufferSize
RtlMultiAppendUnicodeStringBuffer
RtlAppendPathElement
LdrEnumerateLoadedModules
RtlRandomEx
RtlUnhandledExceptionFilter2
RtlUnhandledExceptionFilter
RtlAddVectoredExceptionHandler (also involved updating LdrpInitializeProcess and RtlDispatchException and adding internal function RtlCallVectoredExceptionHandlers)
RtlRemoveAddVectoredExceptionHandler (also involved updating LdrpInitializeProcess and RtlDispatchException and adding internal function RtlCallVectoredExceptionHandlers)
RtlGetNtVersionNumbers
DbgPrintEx (Win2k doesn't support the extra features in this so the call strips out the extra parameters and routes it to DbgPrint)
_vsnwprintf
_lfind
_aulldvrm
_alldvrm
RtlpNotOwnerCriticalSection
RtlpApplyLengthFunction
RtlCopyOutOfProcessMemoryStreamTo
RtlLockMemoryStreamRegion
RtlUnlockMemoryStreamRegion
RtlNtPathNameToDosPathName
RtlGetLengthWithoutLastFullDosOrNtPathElement
RtlCreateBootStatusDataFile
RtlComputeCrc32
RtlCaptureContext
RtlLockBootStatusData
RtlUnlockBootStatusData
RtlGetSetBootStatusData
RtlNtStatusToDosErrorNoTeb (already there, only had to add it to the export table)
RtlAddMemoryStream
RtlReleaseMemoryStream
RtlQueryInterfaceMemoryStream
RtlReadOutOfProcessMemoryStream
RtlRevertMemoryStream
RtlCloneMemoryStream
RtlCommitMemoryStream
RtlSetMemoryStreamSize
RtlWriteMemoryStream
RtlSeekMemoryStream
RtlCopyMemoryStreamTo
RtlReadMemoryStream
RtlStatMemoryStream
RtlInitMemoryStream
RtlFinalReleaseOutOfProcessMemoryStream
RtlInitOutOfProcessMemoryStream
RtlSetLastWin32ErrorAndNtStatusFromNtStatus
RtlSetLastWin32Error/RtlRestoreLastWin32Error (same routine, exported under two different names)


bootvid.dll

VidSetVgaPalette (used by the bootskin code)


kernel32.dll

DecodePointer (forwarded export to NTDLL.RtlDecodePointer)
EncodePointer (forwarded export to NTDLL.RtlEncodePointer)
InterlockedPushEntrySList (forwarded export to NTDLL.RtlInterlockedPushEntrySList)
InterlockedPopEntrySList (forwarded export to NTDLL.RtlInterlockedPopEntrySList)
InterlockedFlushSList (forwarded export to NTDLL.RtlInterlockedFlushSList)
QueryDepthSList (forwarded export to NTDLL.RtlQueryDepthSList)
InitializeSListHead (forwarded export to NTDLL.RtlInitializeSListHead)
GetModuleHandleExA
GetModuleHandleExW
IsWow64Process
IsWow64Message
GetProcessHandleCount
GetNativeSystemInfo (same as GetSystemInfo, simply added another export table entry)
SetDllDirectoryA
SetDllDirectoryW
GetDllDirectoryA
GetDllDirectoryW
AttachConsole
TzSpecificLocalTimeToSystemTime
SetClientTimeZoneInformation
IsValidUILanguage
GetSystemWow64DirectoryA
GetSystemWow64DirectoryW
SetHandleContext
GetProcessId
GetSystemTimes
CreateMemoryResourceNotification
QueryMemoryResourceNotification
AddVectoredExceptionHandler (forwarded export to NTDLL.RtlAddVectoredExceptionHandler)
RemoveVectoredExceptionHandler (forwarded export to NTDLL.RtlRemoveAddVectoredExceptionHandler)
RtlCaptureStackBackTrace
SetThreadUILanguage
LZStart
GetExpandedNameA
GetExpandedNameW
LZInit
LZDone
LZCreateFileW
LZOpenFileA
LZOpenFileW
LZSeek
LZRead
LZClose
LZCloseFile
LZCopy
CopyLZFile
GetVolumePathNamesForVolumeNameW
GetVolumePathNamesForVolumeNameA
GetHandleContext
GetCPFileNameFromRegistry
EnumerateLocalComputerNamesW
EnumerateLocalComputerNamesA
CreateSocketHandle
CreateNlsSecurityDescriptor
AddLocalAlternateComputerNameW
AddLocalAlternateComputerNameA
RemoveLocalAlternateComputerNameW
RemoveLocalAlternateComputerNameA
SetLocalPrimaryComputerNameW
SetLocalPrimaryComputerNameA

#424 MacLover

  • Newbie
  • Group: Members
  • Posts: 25
  • Joined: 21-October 10
  • OS: Windows 2000 Professional

Posted 24 November 2011 - 08:59 PM

I found an issue with your MS11-020 fix :} :
On Windows 2000 Advanced Server (probably any other server variant as well), when I enable Active Directory, I am unable to log on to the system unless I use safe mode *without* networking. I narrowed down the issue to being caused by the KERBEROS.DLL file from said update.

When I look at the event log on the system (in safe mode), it mentions Kerberos causing an exception and then a cascade of failures caused by that.

#425 WildBill

  • Senior Member
  • Group: Developers
  • Posts: 671
  • Joined: 09-August 05
  • OS: none specified

Posted 24 November 2011 - 11:14 PM

Can you post the info from the event? If it has the address where it happened I could try to hunt it down.

#426 MacLover

  • Newbie
  • Group: Members
  • Posts: 25
  • Joined: 21-October 10
  • OS: Windows 2000 Professional

Posted 25 November 2011 - 01:23 AM

The information from the first event (the Kerberos failure) is as follows:
Event ID: 5000

Description:
The security package Kerberos generated an exception. The package is now disabled. The exception information is in the data.


Data:
05 00 00 c0 00 00 00 00
00 00 00 00 dc 15 2b 78
02 00 00 00 00 00 00 00
00 00 00 00 3f 00 01 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
7f 02 ff ff 00 00 ff ff
ff ff ff ff 92 12 0a 00
20 40 45 03 20 2d 00 00



#427 bristols

  • Advanced Member
  • Group: Members
  • Posts: 451
  • Joined: 24-September 05
  • OS: none specified

Posted 25 November 2011 - 06:49 AM

Hi WildBill,

Just a report about my experience after installing 2393802-v6 (for which, thank you).

So far, so relatively good (installed on a pre-existing system, not slipstreamed) except for one or two strange resource leak-type behaviours that I certainly haven't seen previously. A few hours' browsing with two browsers (Firefox and Opera) and multiple open tabs, Notepad++, Notepad2, xplorer2 Lite, and a handful of instances of Irfanview has been enough to trigger it.

I apologise for the vagueness. However, I'm pretty sure that the behaviour is a consequence (somehow) of installing your patch.

#428 tomasz86

  • http://www.windows2000.tk
  • Group: Members
  • Posts: 2,220
  • Joined: 27-November 10
  • OS: Windows 2000 Professional

Posted 25 November 2011 - 08:54 AM

I added the December 2011 cumulative time zone update. It's available for all 24 supported languages.

Windows2000-UU-KBz2633952-x86-ARA.exe
Windows2000-UU-KBz2633952-x86-CHS.exe
Windows2000-UU-KBz2633952-x86-CHT.exe
Windows2000-UU-KBz2633952-x86-CSY.exe
Windows2000-UU-KBz2633952-x86-DAN.exe
Windows2000-UU-KBz2633952-x86-DEU.exe
Windows2000-UU-KBz2633952-x86-ELL.exe
Windows2000-UU-KBz2633952-x86-ENU.exe
Windows2000-UU-KBz2633952-x86-ESN.exe
Windows2000-UU-KBz2633952-x86-FIN.exe
Windows2000-UU-KBz2633952-x86-FRA.exe
Windows2000-UU-KBz2633952-x86-HEB.exe
Windows2000-UU-KBz2633952-x86-HUN.exe
Windows2000-UU-KBz2633952-x86-ITA.exe
Windows2000-UU-KBz2633952-x86-JPN.exe
Windows2000-UU-KBz2633952-x86-KOR.exe
Windows2000-UU-KBz2633952-x86-NLD.exe
Windows2000-UU-KBz2633952-x86-NOR.exe
Windows2000-UU-KBz2633952-x86-PLK.exe
Windows2000-UU-KBz2633952-x86-PTB.exe
Windows2000-UU-KBz2633952-x86-PTG.exe
Windows2000-UU-KBz2633952-x86-RUS.exe
Windows2000-UU-KBz2633952-x86-SVE.exe
Windows2000-UU-KBz2633952-x86-TRK.exe

#429 WildBill

  • Senior Member
  • Group: Developers
  • Posts: 671
  • Joined: 09-August 05
  • OS: none specified

Posted 25 November 2011 - 12:14 PM

MacLover, on 25 November 2011 - 01:23 AM, said:

The information from the first event (the Kerberos failure) is as follows:
Event ID: 5000

Description:
The security package Kerberos generated an exception. The package is now disabled. The exception information is in the data.


Data:
05 00 00 c0 00 00 00 00
00 00 00 00 dc 15 2b 78
02 00 00 00 00 00 00 00
00 00 00 00 3f 00 01 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
7f 02 ff ff 00 00 ff ff
ff ff ff ff 92 12 0a 00
20 40 45 03 20 2d 00 00




That was exactly what I needed: the first four dwords are 0xC0000005 (access violation), 0, 0 (null address accessed), 0x782B15DC (address where it was caused). The problem was obvious once I looked at it (actually, there were 2 occurrences of the problem). I'll post an update later today.

#430 WildBill

  • Senior Member
  • Group: Developers
  • Posts: 671
  • Joined: 09-August 05
  • OS: none specified

Posted 25 November 2011 - 11:59 PM

MS11-020 V4 is posted, and hopefully it will fix the Kerberos bug. I also managed to squeeze SystemFunction036 into advapi32 (it's a super-duper random number generator and Firefox 8 will use it if it detects it).

#431 MacLover

  • Newbie
  • Group: Members
  • Posts: 25
  • Joined: 21-October 10
  • OS: Windows 2000 Professional

Posted 26 November 2011 - 01:22 AM

WildBill, on 25 November 2011 - 11:59 PM, said:

MS11-020 V4 is posted, and hopefully it will fix the Kerberos bug. I also managed to squeeze SystemFunction036 into advapi32 (it's a super-duper random number generator and Firefox 8 will use it if it detects it).


Thanks, the bug is fixed now. :)

EDIT: By the way, XP's MSVCRT.DLL works with your MS11-011 v6 update.

This post has been edited by MacLover: 26 November 2011 - 01:38 AM


#432 WildBill

  • Senior Member
  • Group: Developers
  • Posts: 671
  • Joined: 09-August 05
  • OS: none specified

Posted 26 November 2011 - 10:42 AM

bristols, on 25 November 2011 - 06:49 AM, said:

Hi WildBill,

Just a report about my experience after installing 2393802-v6 (for which, thank you).

So far, so relatively good (installed on a pre-existing system, not slipstreamed) except for one or two strange resource leak-type behaviours that I certainly haven't seen previously. A few hours' browsing with two browsers (Firefox and Opera) and multiple open tabs, Notepad++, Notepad2, xplorer2 Lite, and a handful of instances of Irfanview has been enough to trigger it.

I apologise for the vagueness. However, I'm pretty sure that the behaviour is a consequence (somehow) of installing your patch.


Strange. As far as I know, the patch doesn't do anything with resources. I took a pass through kernel32, ntdll, and ntoskrnl to see if I could spot any Unicode strings that weren't being freed, but so far everything looks okay. Are you seeing high memory usage for certain apps after a long time? Are you seeing it on both UP and MP processors? I'd probably need a lot more info before I'd know where to look, much less know that the patch itself is causing it.

I have it installed here, so I'll keep an eye out for memory leaks, but to date I've had no problems.

#433 discdude

  • Newbie
  • Group: Members
  • Posts: 11
  • Joined: 04-July 05

Posted 26 November 2011 - 01:05 PM

Just wanted to report my experiences with MS11-011 and MS11-020.

MS11-011 v6 works pretty well on my system. The only real issue that I've run across is that the drivers for my ATI Theater 750 PCIe TV card will sometimes freeze the computer when booting. Strangely enough, sometimes it will start working after rebooting a couple of times. I guess that is an improvement since the drivers didn't work at all prior to installing MS11-011. Other than that, my computer has been working fine and I'm able to run several applications without BlackWingCat's KDW pack.

On the other hand, ZoneAlarm 7.0.483.000 does not like MS11-020 at all. It will blue screen right before the password prompt comes up.

The error message I get is:
***STOP: 0x0000001E (0xC0000005, 0xB1720D9F, 0x00000000, 0x00000000) KMODE_EXCEPTION_NOT_HANDLED
***ADDRESS B1720D9F base at B16DC000, DateStamp 4874da4c - vsdatant.sys

vsdatant.sys is part of ZoneAlarm.
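
The two crash reports in this thread, the Event ID 5000 data that post #429 decodes and the STOP message above, both reduce to an exception code and a faulting address, plus an offset into the module where the STOP text gives a base. The following Python is an added example, not code from any poster or from the PE Tool; the function names are hypothetical and the inputs are copied from post #426 (first four rows only) and post #433.

```python
import re
import struct

# NTSTATUS code that appears in both reports.
NTSTATUS_NAMES = {0xC0000005: "STATUS_ACCESS_VIOLATION"}

# First four rows of the Event ID 5000 data posted in #426.
EVENT_5000_DATA = """
05 00 00 c0 00 00 00 00
00 00 00 00 dc 15 2b 78
02 00 00 00 00 00 00 00
00 00 00 00 3f 00 01 00
"""

# STOP screen text as posted in #433.
STOP_TEXT = """
***STOP: 0x0000001E (0xC0000005, 0xB1720D9F, 0x00000000, 0x00000000) KMODE_EXCEPTION_NOT_HANDLED
***ADDRESS B1720D9F base at B16DC000, DateStamp 4874da4c - vsdatant.sys
"""

STOP_RE = re.compile(r"STOP:\s*0x([0-9A-Fa-f]{8})\s*\(([^)]*)\)")
ADDR_RE = re.compile(
    r"ADDRESS\s+([0-9A-Fa-f]{8})\s+base at\s+([0-9A-Fa-f]{8}).*?-\s*(\S+)")


def dwords(hex_dump):
    """Convert a spaced hex dump into little-endian 32-bit values."""
    raw = bytes.fromhex("".join(hex_dump.split()))
    if len(raw) % 4:
        raise ValueError("dump is not a whole number of dwords")
    return list(struct.unpack("<%dI" % (len(raw) // 4), raw))


def read_event_data(hex_dump):
    """First four dwords, read the way post #429 reads them."""
    values = dwords(hex_dump)
    if len(values) < 4:
        raise ValueError("need at least four dwords")
    code, fault = values[0], values[3]
    return {"code": code, "name": NTSTATUS_NAMES.get(code, "unknown"),
            "fault_address": fault}


def read_stop(text):
    """Extract bugcheck code, exception code, module and module offset."""
    stop, addr = STOP_RE.search(text), ADDR_RE.search(text)
    if not stop or not addr:
        raise ValueError("not a STOP message with an ADDRESS line")
    params = [int(p, 16) for p in stop.group(2).split(",")]
    fault, base = int(addr.group(1), 16), int(addr.group(2), 16)
    if fault < base:
        raise ValueError("fault address below module base")
    return {"bugcheck": int(stop.group(1), 16), "code": params[0],
            "name": NTSTATUS_NAMES.get(params[0], "unknown"),
            "module": addr.group(3), "fault_address": fault,
            # Offset from the load base: the RVA to look up in a disassembler.
            "module_offset": fault - base}
```

The module offset is what stays constant across reboots, so it is the value to record in a bug report when the driver's load address changes.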

#434 WildBill

  • Senior Member
  • Group: Developers
  • Posts: 671
  • Joined: 09-August 05
  • OS: none specified

Posted 26 November 2011 - 02:17 PM

I'd need to get my hands on vsdatant.sys to try to see what's going on...I could put it in IDA Pro and see what that instruction is doing. I assume it runs normally without the patch installed?

#435 discdude

  • Newbie
  • Group: Members
  • Posts: 11
  • Joined: 04-July 05

Posted 26 November 2011 - 03:42 PM

WildBill, on 26 November 2011 - 02:17 PM, said:

I'd need to get my hands on vsdatant.sys to try to see what's going on...I could put it in IDA Pro and see what that instruction is doing. I assume it runs normally without the patch installed?


Yes, it works normally without the patch installed.

I attached a copy of vsdatant.sys to this post. If need be, you can also download a copy of ZoneAlarm 7.0.483.000 from: http://download.zone..._483_000_en.exe

Thanks for your help.




#436 WildBill

  • Senior Member
  • Group: Developers
  • Posts: 671
  • Joined: 09-August 05
  • OS: none specified

Posted 26 November 2011 - 04:03 PM

Thanks. It looks like something is giving it an invalid pointer on an IOCTL_TCP_QUERY_INFORMATION_EX request. Hopefully it will be simple to find.

Edit: so far I've found one definite bug in iphlpapi.dll (missing reloc) and potentially some thread-safety issues in it (XP forces device queries to be thread-safe whereas 2k does not). I want to check out the other files before I post an update. I'm going to be going out to dinner in a little bit so the update might not be until late tonight. I've also found a missing reloc in srvsvc.dll (this new version of the PE Tool makes those much easier to find).

This post has been edited by WildBill: 26 November 2011 - 05:13 PM


#437 WildBill

  • Senior Member
  • Group: Developers
  • Posts: 671
  • Joined: 09-August 05
  • OS: none specified

Posted 27 November 2011 - 12:03 AM

I couldn't find any other obvious problems aside from the ones above so I've posted MS11-020 V5. Hopefully it will help...it's working for me, at least, though I'm not running ZoneAlarm. Also, I added exports for the following functions:

IcmpCreateFile
IcmpCloseHandle
IcmpSendEcho
IcmpSendEcho2
IcmpParseReplies
do_echo_rep
do_echo_req
register_icmp

Win2k is a bit different from XP in that all of this functionality is in a separate icmp.dll instead of in iphlpapi.dll, so the exports above are just forwarded exports to the routines in icmp.dll. It shouldn't make any difference to applications since the PE loader automatically resolves forwarded exports.
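
How a tool can tell a forwarded export (as described in the post above and in the kernel32.dll list in post #423) from an ordinary one: an export address table entry whose RVA falls inside the export directory itself is a forwarder string, not code. This is an added example, not part of the original posts or of the PE Tool; the sample image, its RVAs, the forwarder strings and the function names are constructed, and the buffer is assumed to be laid out as loaded in memory so that RVA equals offset.

```python
import struct

EXPORT_DIR = struct.Struct("<IIHHIIIIIII")  # IMAGE_EXPORT_DIRECTORY, 40 bytes

def cstr(img, rva):
    """Read a NUL-terminated ASCII string at rva."""
    return img[rva:img.index(b"\0", rva)].decode("ascii")

def list_exports(img, dir_rva, dir_size):
    """Map export name -> ('forward', 'DLL.Func') or ('code', rva).

    img is assumed to be laid out as loaded in memory (RVA == offset).
    """
    (_, _, _, _, _, _, n_funcs, n_names,
     funcs_rva, names_rva, ords_rva) = EXPORT_DIR.unpack_from(img, dir_rva)
    result = {}
    for i in range(n_names):
        (name_rva,) = struct.unpack_from("<I", img, names_rva + 4 * i)
        (index,) = struct.unpack_from("<H", img, ords_rva + 2 * i)
        if index >= n_funcs:
            raise ValueError("ordinal index outside the address table")
        (target,) = struct.unpack_from("<I", img, funcs_rva + 4 * index)
        # An address-table entry that points back inside the export
        # directory is not code: it is a forwarder string.
        if dir_rva <= target < dir_rva + dir_size:
            result[cstr(img, name_rva)] = ("forward", cstr(img, target))
        else:
            result[cstr(img, name_rva)] = ("code", target)
    return result

def unexpected_forwards(exports, allowed_dlls):
    """Forwarders whose target DLL is not on the reviewer's allow-list."""
    allowed = {d.lower() for d in allowed_dlls}
    return {name: dest for name, (kind, dest) in exports.items()
            if kind == "forward" and dest.split(".", 1)[0].lower() not in allowed}

def build_sample():
    """Constructed export directory at RVA 0x2000 (not a real DLL)."""
    dir_rva = 0x2000
    exports = [("GetIfTable", 0x1000),  # constructed code RVA
               ("IcmpCreateFile", "icmp.IcmpCreateFile"),
               ("IcmpSendEcho", "icmp.IcmpSendEcho")]
    n = len(exports)
    funcs_rva = dir_rva + EXPORT_DIR.size
    names_rva = funcs_rva + 4 * n
    ords_rva = names_rva + 4 * n
    pool_rva, pool = ords_rva + 2 * n, bytearray()

    def add(text):
        rva = pool_rva + len(pool)
        pool.extend(text.encode("ascii") + b"\0")
        return rva

    dll_name = add("sample.dll")
    name_rvas = [add(name) for name, _ in exports]
    targets = [t if isinstance(t, int) else add(t) for _, t in exports]
    body = (EXPORT_DIR.pack(0, 0, 0, 0, dll_name, 1, n, n,
                            funcs_rva, names_rva, ords_rva)
            + struct.pack("<%dI" % n, *targets)
            + struct.pack("<%dI" % n, *name_rvas)
            + struct.pack("<%dH" % n, *range(n)) + bytes(pool))
    return bytes(dir_rva) + body, dir_rva, len(body)
```

On a file read from disk, take the directory RVA and size from the first entry of the optional header's data directory and translate RVAs through the section table before calling `list_exports`.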

#438 discdude

  • Newbie
  • Group: Members
  • Posts: 11
  • Joined: 04-July 05

Posted 27 November 2011 - 10:19 AM

WildBill, on 27 November 2011 - 12:03 AM, said:

I couldn't find any other obvious problems aside from the ones above so I've posted MS11-020 V5. Hopefully it will help...it's working for me, at least, though I'm not running ZoneAlarm.


WildBill, you're the best. MS11-020 V5 solves the blue screen at boot when ZoneAlarm is installed. Everything seems to be working fine now.

#439 MacLover

  • Newbie
  • Group: Members
  • Posts: 25
  • Joined: 21-October 10
  • OS: Windows 2000 Professional

Posted 27 November 2011 - 02:21 PM

I didn't notice it before but VirtualBox needs two more APIs to install properly:
SETUPAPI.DLL -> SetupSetNonInteractiveMode
SETUPAPI.DLL -> SetupUninstallOEMInfW

As I said before, no rush on getting these in but it would be nice to have the ability to run VirtualBox 4.x on Windows 2000. :)

Again, keep up the great work!

#440 discdude

  • Newbie
  • Group: Members
  • Posts: 11
  • Joined: 04-July 05

Posted 27 November 2011 - 09:05 PM

MacLover, on 27 November 2011 - 02:21 PM, said:

I didn't notice it before but VirtualBox needs two more APIs to install properly:
SETUPAPI.DLL -> SetupSetNonInteractiveMode
SETUPAPI.DLL -> SetupUninstallOEMInfW

As I said before, no rush on getting these in but it would be nice to have the ability to run VirtualBox 4.x on Windows 2000. :)

Again, keep up the great work!


Did you try BlackWingCat's setupapi.dll? I don't know if it supports those two functions, but it is probably worth a try.

http://blog.livedoor...ves/873798.html
