Windows 2K Security Updates

[GreenMachine]

Thanks once again, Bilou_Gateux.

I am currently working on updating the XP SP2 list, then I will do the 2K lists.

I am not sure what is hanging your installation, but most often it is a call from RunOnceEx (Windows puts many there). My suggestion would be to start Regedit when you press CTRL-ALT-DEL, and see what is left there. The command in question will not be shown there, but the next command will be. Then run setup again, and interupt with SHIFT-F10, at around the end of setup, look at the registry again, and see which command is just before the ones you previously noted.

I'll report back when I make some progress on my end.

[Bilou_Gateux]

Obsolete

Until GM give us the solution to install 834707 under Windows 2000, i use this method... (not recommended if you don't know what you're doing)

Download Cumulative Security Update for Internet Explorer 6 Service Pack 1 for Windows XP and Windows 2000 (KB834707)

Create C:\Temp\KB834707.W2K folder

Extract package :

IE6.0sp1-KB834707-Windows-2000-XP-x86-ENU.exe /c /t:C:\Temp\KB834707.W2K /Q

Download Cumulative Security Update for Internet Explorer 6 Service Pack 1 for Windows 98, Windows NT and Windows Millennium (KB834707)

Create C:\Temp\KB834707.NT4 folder

Extract package :

IE6.0sp1-KB834707-Windows-NT4sp6a-98-ME-x86-ENU.exe /c /t:C:\Temp\KB834707.NT4 /Q

Create SED file (see sample for French version) and save it to c:\Temp\KB834707.SED

[Version]
Class=IEXPRESS
SEDVersion=3
[Options]
PackagePurpose=InstallApp
ShowInstallProgramWindow=1
HideExtractAnimation=1
UseLongFileName=0
InsideCompressed=0
CAB_FixedSize=0
CAB_ResvCodeSigning=0
RebootMode=I
InstallPrompt=%InstallPrompt%
DisplayLicense=%DisplayLicense%
FinishMessage=%FinishMessage%
TargetName=%TargetName%
FriendlyName=%FriendlyName%
AppLaunched=%AppLaunched%
PostInstallCmd=%PostInstallCmd%
AdminQuietInstCmd=%AdminQuietInstCmd%
UserQuietInstCmd=%UserQuietInstCmd%
SourceFiles=SourceFiles
[Strings]
InstallPrompt=Voulez-vous installer cette mise à jour ?
DisplayLicense=C:\Temp\KB834707.W2K\update\eula.txt
FinishMessage=Cette mise à jour est installée.
TargetName=C:\Temp\KB834707.EXE
FriendlyName=Mise à jour de Microsoft Internet Explorer
AppLaunched=IEUPDATE.EXE Q834707
PostInstallCmd=<None>
AdminQuietInstCmd=
UserQuietInstCmd=
FILE0="WININET.DLL"
FILE1="dummy.cat"
FILE2="IEUNINST.EXE"
FILE3="IEUPDATE.EXE"
FILE4="INSENG.DLL"
FILE5="MSHTML.DLL"
FILE6="Q834707.cat"
FILE7="Q834707.inf"
FILE8="Q834707_d.inf"
FILE9="Q834707_me.cat"
FILE10="SHDOCVW.DLL"
FILE11="SHLWAPI.DLL"
FILE12="URLMON.DLL"
FILE13="BROWSEUI.DLL"
[SourceFiles]
SourceFiles0=C:\Temp\KB834707.NT4\
[SourceFiles0]
%FILE0%=
%FILE1%=
%FILE2%=
%FILE3%=
%FILE4%=
%FILE5%=
%FILE6%=
%FILE7%=
%FILE8%=
%FILE9%=
%FILE10%=
%FILE11%=
%FILE12%=
%FILE13%=

run iexpress c:\temp\KB834707.SED and create package

You have now a Type 2 HotFix KB834707.EXE

copy KB834707.EXE and Q834707.CAT to CDROOT\I386\SVCPACK

Edit SVCPACK.INF and replace old 867801 with 834707

[SetupHotfixesToRun] 
KB834707.EXE /Q:A /R:N

[ProductCatalogsToInstall] 
Q834707.CAT

Create compressed version of the updated files from C:\Temp\KB834707.NT4 --> CDROOT\I386

MAKECAB /D CompressionMemory=21 /D CompressionType=LZX /L <target_path> <source_path>\<filename>

you're done

to avoid WindowsUpdate to claim Q834707 not installed

Value had to be changed from Q834707 to KB834707 in registry

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{3e7bb08a-a7a3-4692-8eac-ac5e7895755b}]
@="KB834707"
"IsInstalled"=dword:00000001
"Version"="6,0,2800,1584"
"ComponentID"="KB834707"

[GreenMachine]

Thanks, Bilou. I am looking into both that error, and finding a way to add Windows Media Connect to Windows XP at the moment. It looks like you saved me some work there. For some reason, with that update (if that is the "bad" one) my attempt to start RunOnceEx during installation with IE SP1 does not work. This results in the RunOnceEx problem I described earlier. I have about another hour free now, otherwise I will continue tomorrow.

More later ...

[GreenMachine]

It seems that the KB841356 update is giving me problems. Can you, Bilou, confirm that this is installing OK for you? When I slipstream it, I never get to the shell, even after multiple forced reboots. I hope it is not due to the fact that I am using the un-released version - but I believe you are, as well. Are you?

[tommyp]

I thought I was the only one with the taskmanager-only OS! Good thing I started reading this thread!

I read that there seems to be a lot of problems with the latest round of fixes. I also read on a website that there is a problem with the 841356 and 834707 patches with the shlwapi.dll file. Both hotfixes have it. Someone says that there's something with the same filesize and version but different checksums. Maybe that's a clue? I haven't run xpcreate after removing 834707 one yet to see if that's the problem.

[Bilou_Gateux]

Here the latest build i have make (XPCreate 17 SEP 2004) with a French 2K Server SP4 and installed on a real box without any problems.

• All my HF's are renamed to their 8.3 short name in SVC-??? folders (except for SVC-HF1)
  
• I don't add Journal Viewer to my list of HF
  
• After the end of xpcreation, manually edit SVCPACK.INF to replace HF1 KB834707 with my own HF2 build, replace KB8347~1.CAT file and 834707.EXE in SVCPACK folder with Q834707.CAT and KB834707.EXE.
  
• My HF2 KB834707.EXE is no longer digitally signed but the content is still signed (inf file not modified) and Q834707.CAT OK.
  
• Edited DOSNET.INF and removed references to I386 subfolders added by original KB834707.EXE HF Type 1 integration. (details in previous post)
  
• I don't create the ISO and burn it to CDRW
  
• install directly from %_source%=<PREPDIR>\CDROOT stored on a external USB Drive to %_target%=C: and launch
  %_source%\i386\winnt32.exe /s:%_source%\I386 /unattend:%_target%\unattend.txt /syspart:%_target% /tempdrive:%_target% /makelocalsource /noreboot
  from BartPE boot CD)
  

[GreenMachine]

I don't quite understand why it works for you ... The problem I was having I have traced to the file SHLWAPI.DLL that is in the update 841356. The file that shold be slipstreamed is in one of the sub-directories. The SHLWAPI.DLL in the root of the patch is much too old. Instead of trying to figure out how to slipstream the correct file version, I have created a new SVC directory for Type I Hotfixes that are applied from SVCPACK.INF, but not slipstreamed. This was the same solution to the OE updates that are added to the SVC-POS directory.

Another thing I noted was that the update KB873377 can be used to replace the update KB834707. I add that to SVC-HF1, and have had success with it.

So, in the end, I do have everything installed, Windows Update and the Baseline Security Advisor come up quite clean. I will post the updated "Current Hotfixes" Web Page, as well as the latest XPCTEST version in a day or two.

Thanks, Bilou, for the help!

[Bilou_Gateux]

In my I386 directory the compressed shlwapi.dl_ version 6.0.2800.1584 is the one i have manually compressed and copied to the i386 directory (with the 6 others files from 834707 HF ) and owerwrited the "too much old" put by 841356.

Because i have created my build with the 3 new 12 oct. 2004 Windows 2000 HF + 834707 ieupdate, having no success to install it, then do some manual job to integrate my own type 2 834707, change the order in SVCPACK.INF, edited DOSNET.INF and added compressed files to i386 dir, the installation goes successfull.

834707 FILE VERSION

Date         Time   Version            Size    File name        Platform
   ----------------------------------------------------------------------
   23-Aug-2004  02:34  6.0.2800.1584   1,025,536  Browseui.dll     X86
   26-Aug-2004  17:53  6.0.2800.1469      69,632  Inseng.dll       X86
   29-Sep-2004  07:57  6.0.2800.1476   2,805,760  Mshtml.dll       X86
   27-Aug-2004  20:58  6.0.2800.1584   1,340,416  Shdocvw.dll      X86
   20-Aug-2004  22:01  6.0.2800.1584     422,912  Shlwapi.dll      X86
   24-Sep-2004  00:08  6.0.2800.1474     487,936  Urlmon.dll       X86
   24-Aug-2004  03:32  6.0.2800.1468     589,312  Wininet.dll      X86

841356 FILE VERSION

Date         Time   Version         Size       File name    Folder
-----------------------------------------------------------------------
10-Aug-2004  05:21  5.0.2195.6966      41,744  Grpconv.exe      
02-Sep-2004  20:03  5.0.2195.6958      17,168  Linkinfo.dll     
02-Sep-2004  20:03  5.0.2195.6824      35,088  Ntlanman.dll     
18-Sep-2004  08:24  5.0.3900.6975   2,358,544  Shell32.dll      
20-Aug-2004  22:49  5.0.3900.6969     282,384  Shlwapi.dll      
26-Aug-2004  15:28  5.0.2195.6970   5,893,632  Sp3res.dll       
18-Sep-2004  08:24  5.0.3900.6975   1,118,992  Webvw.dll        
20-Aug-2004  22:39  6.0.2750.167      393,728  Shlwapi.dll  Xpclnt_qfe_binarydrop
20-Aug-2004  22:39  6.0.2800.1584     422,912  Shlwapi.dll  Xpsp2_binarydrop

After editing the update.inf from 841356, i see conditional statement "Install these files depending of IE version on the system" :

• IE501 from RTM to SP4 version, use the "too much old DLL" version 5
  
• IE6 RTM use the one in subfolder XPCLNT_QFE_BINARYDROP version 6.0.2750.167
  
• IE6 SP1 use the one in subfolder XPSP2_BINARYDROP version 6.0.2800.1584
  

We should not have ref in dosnet.inf to shlwapi.dll in subfolders nor create these subfolders and only copy the needed version in i386.

Hotfixes for Corporate Use Only.

A security issue has been identified that could allow an attacker to compromise a computer running Internet Explorer and gain control over it. Update 873377 includes security update 834707 (MS04-038) and all Internet Explorer hotfixes.

Internet Explorer 6.0 Service Pack 1 (SP1) for Windows XP and Windows 2000 (873377)

Date        Heure  Version            Taille  Nom de fichier
 --------------------------------------------------------------
 29/09/2004  06:44  6.0.2800.1596   1 030 144  Browseui.dll
 24/09/2004  19:07  6.0.2800.1475      69 632  Inseng.dll
 29/09/2004  06:42  6.0.2800.1477   2 809 856  Mshtml.dll
 29/09/2004  06:44  6.0.2800.1596   1 346 048  Shdocvw.dll
 20/08/2004  19:01  6.0.2800.1584     422 912  Shlwapi.dll
 24/09/2004  21:41  6.0.2800.1475     489 984  Urlmon.dll
 24/09/2004  21:41  6.0.2800.1475     592 896  Wininet.dll

Edited December 24, 2004 by Bilou_Gateux

[BaTLeZone]

So what other updates would this replace besides 834707?

http://www.microsoft.com/downloads/details...&displaylang=en

@GM

What is the newes XPCREATE? I have 19 SEP 2004. Your website still has the june version up.

[BaTLeZone]

Well the new updates proved to be a big headake for me as well.

I tryied with them all on 1st test run and install locked up.

On 2nd run I removed the odd ones and same result.

So I tried out what GM was doing with the 841356 not in and used 873377 instead and it work great

These are the updates that I used and there location:

Windows2000-KB840987-x86-ENU.EXE - SVC-HF1

Windows2000-KB841533-x86-ENU.EXE - SVC-HF1

IE6.0sp1-KB873377-Windows-2000-XP-x86-ENU.exe - SVC-HF1

JournalViewer1.5_KB886179_ENU.exe - SVC-HF2

Q317244.exe - SVC-X2M (msxml update)

After WU only reported 841356 to be needed. I am going to though it in now and try again. I'll post my results later.

EDIT: Update....

Yup 841356 made the install die so I put it runonce for now untill someone has an answer.

[GreenMachine]

Thanks, BaTLeZone!

I think I have an answer to the last update, but I'm still testing it. I'll keep you posted.

[Bilou_Gateux]

@BatTLeZone

Can you run DXDIAG.EXE the first time you boot your fresh 2K install.

I get an error popup windows :

FRA : dxdiag.exe - point d'entrée introuvable

ENU : dxdiag.exe - Entry Point not Found

FRA : Le point d'entrée de procédure DdEntry1 est introuvable dans la bibliothèque de liaisons dynamique GDI32.DLL

ENU : The procedure entry point DdEntry1 could not be located in the dynamic link library GDI32.dll.

I would like to know if you get this error ?

Found the solution by googling

The procedure entry point DdEntry1 could not be located in the dynamic link library GDI32.dll.

Extract d3d8thk.w2k from dxnt.cab and copy to %windir%\system32

Then delete d3d8thk.dll from the c:/winnt/system32 folder.

Then rename the d3d8thk.w2k to d3d8thk.dll

Developpers @ M$ are unable to write patching routines that works...

Edited October 29, 2004 by Bilou_Gateux

[RayM]

(A quick note at the top, for what it's worth. DXDIAG.EXE works fine for me.)

Hey all. I've been through this a number of times, so I'll share my results with the hope that they may be useful to someone else. Thanks GreenMachine for the nice tool. It's a real time-saver.

This turned out to be a pretty long post. I know that the regulars here don't need all of this detail, but I was thinking of any newby who might be struggling with the same things. I posted here instead of in a new thread because it seemed to belong here.

(1) I'm using Windows 2000 Server SP4. For now I'm using IE6SP1, but I may go back to IE5.5SP2. I have done hotfix integration manually, and it was a real PITA. I found XPCREATE in September, and it worked great first time. Then all those new patches came out in October and everything got messed up again.

(2) Since GreenMachine's update list is not current and/or is offline (at least, the last time I checked) I did a clean install and then went to Windows Update to see what I needed. I downloaded everything manually and put them in what I imagined to be the correct folders (SVC-???). Then I ran XPCREATE and let it do its stuff (DLAUTO=NO). Then I did a fresh install with the ISO that XPCREATE made. Then I went to Windows Update again and found a bunch of new things that were missing. I repeated this cycle until I had a list of updates that leaves me missing two. I don't know how to resolve these two, and I'm hoping for a little help here.

The following list of updates will (to the best of my knowledge) patch a Windows2000 Server system with the exception of two critical updates: KB873374 KB841356. (Also note, I do not update DirectX and I do not add Journal Viewer.)

KB873374 is the GDI+ detection tool. Although this shows up as a critical update, and is potentially a serious problem, it does not seem to be a "patch" as such.

KB841356 seems (from reading this forum) to be giving others problems. I was going to wait until MS recognizes that there's a problem with this and patches their patch.

With the exception of those two, the following list gives me a patched system. All of this was done independently of (but compared against) bilou_gateaux's very useful list earlier in this thread.

For ease of reading, I've only listed the KB numbers. I have (rather inconsistently) changed the names as suggested elsewhere in the forum (ie, 8.3 names except for Type 1 hotfixes).

I'll explain the asterisks and the numbers in parenteses after.

SVC-DAH: Q832483 *

SVC-HF1: KB873388 (22)

Q818043 *

KB329115 (5)

KB820888 *

KB822831 *

KB823182 *

KB823559 *

KB824105 (6)

KB825119 (7)

KB826232 (8)

KB828035 (9)

KB828741 (10)

KB828749 (11)

KB835732 (12)

KB837001 (13)

KB839643 (14)

KB839645 (15)

KB840315 (16)

KB840987 (17)

KB841533 (18)

KB841872 (19)

KB841873 (20)

KB842526 (21)

KB837272 (23)

KB828026 (24)

SVC-HF2: js56nene *

KB833989 (3)

KB867801 *

KB870669 (2)

rootsupd *

SVC-MSX KB867460 (1)

SVC-POS KB823353 (4)

SVC-PRE IE6SP1 **

IESTART **

SVC-QCH Q815062 **

SVC-WMP MPSetup **

SVC-X2M DOTNETF **

After the install completes, I look in Add/Remove programs. The numbers in parentheses show which item in the Add/Remove programs list the hotfix is. An asterisk indicates that the hotfix did not appear in the Add/Remove programs list. Two asterisks indicate that although the item did not appear in the Add/Remove programs list, I could by other means (like running the program) verify that the item had installed.

?? How can I tell if the asterisked hotfixes have been applied or not? The fact that a hotfix doesn't show up on the Add/Remove list doesn't necessarily mean that it wasn't applied. It might have been superseded. It might be a hotfix that can't be removed. Or ... maybe it wasn't applied successfully.

?? In fact, how can I tell if any hotfix has definitively been applied? I mean, isn't it possible that a registry entry (for instance) has been changed to indicate the presence of a hotfix when in fact the hotfix hasn't been applied?

?? Another question, and I apologize if I've missed this while reading through hundreds of posts at MSFN -- can someone spell out the differences between a Type 1, Type 2 and the various other types of hotfixes? A link to the relevant thread would be enough.

OK, finally, a few problems I had.

First off, I had inconsistent results at first. It was my fault, but since others may have similar problems I'm going to mention it as something to watch out for. There were a number of different reasons for my inconsistent results.

One problem was lack of patience. Sometimes the process would seem to hang. I noticed (and later read in the forum) that pressing "y" or the space bar would answer some hidden question and get the process going. Maybe in my impatience, I hit too many "y"'s and something got skipped over. Anyhow, I've learned to be more patient, hit a "y" only once and wait a while and to check for minimized command prompt windows.

Another problem was a "dirty workspace". This means doing XPCREATE in a folder where I had done XPCREATE before. I don't know why this would make a difference, and maybe it's just my imagination -- but I've become superstitious. Now I start with a newly created folder. Then I run XPCREATE once to create all of the working folders. Then I copy my Win2K-S (SP1 slipstreamed) CD to the CD source. I put SP4 in SPACKS (or, I use a slipstreamed Win2K-SP4 as my CDSOURCE). Then I put the XPCTBOOT.BIN in the BOOT folder. All of this is my "Master" folder. I only work on copies of that. I fact, I only work on copies of copies of that. I'll make a copy and call it XPCREATE##, and then I load it up with all of the hotfixes that I think are appropriate. Then I copy that whole bunch of stuff to a new folder called TEST##. Then I run XPCREATE on TEST##. I use these two folders, XPCREATE## and TEST## because I don't know what changes XPCREATE might make to the original, and this way I can try to track what's happening. Then I do a clean install from the newly created ISO and check the results. For the next iteration, I go back to the "Master" folder, make a new copy (incrementing the number ie XPCREATE02), try the hotfixes a different way, make another copy (ie TEST02) and on and on.

Another problem may have been having too many (or interfering) hotfixes. At some point, I was using all of the hotfixes for September together with all of the new hotfixes. Maybe there were some conflicts, I don't know. Maybe it was just this KB841356 that seems to be causing problems.

OK. Sorry this was so long. I hope all of the details could be useful to someone.

[Bilou_Gateux]

• 1/ KB873374 GDI+ Detection Tool : don't bother about that. It's not a hotfix but a tool that open predefined web page to check your system for possibly programs needing updates. Value set to 1 in registry to avoid WindowsUpdate claiming not installed/run.
  

  REG ADD "HKLM\SOFTWARE\Microsoft\GdiDetectionTool" /v "GDITool" /t REG_DWORD /d "00000001"

  
  

• 2/ I have already build a Windows 2000 Server SP4 + IE 5.5 SP2 with XPCreate.
  I have set DLAUTO=NO in XPCREATE.INI and build my own IE55SP2 package. It's the same method from building IE6SP1 package except i use an older IE5OEM.EXE instead of IE5SETUP.EXE to avoid a popup windows claiming the installer is not digitallly signed. If you want more infos, let me know i can give you more details.
  M$ don't release anymore HotFixes for IE55SP2 for Windows 2000 but you can still use IE55SP2 for WinMe HotFixes with some modifications.
  
• 3/ My video card do not need/support latest DirectX and i replace it with DX81NTOP.EXE + 839643 DirectX HotFix in my running box.
  
• 4/ to check HotFixes installation, you can use Shavlik HFNetChk.exe
  

[RayM]

Thanks for the reply bilou_gateux.

1. (about the GDI+ detection tool.) OK. That's what I thought. Still, there will need to be a better tool for this, because so many apps keep a copy of the vulnerable dll in their working dir. Anyhow, WRT XPCREATE, all is good.

2. (about IE5.5SP2) Ok. Good. That's what I was thinking I would have to do. I have most of the appropriate service packs and hotfixes around here somewhere. I never intended to use IE6, it just happened because that's what was on GreenMachine's list. I almost never use IE anyway -- only for checking page rendering and such.

3. (about DirectX) Ok. Good. I'll probably do the same.

4. (About HFNetChk by Shavlik) I used to use that, but I stopped. I forget what it was that I didn't like. Maybe they required ActiveX or something like that. OK, I'll try it again while I'm working on the hotfixes. Any idea what it checks (exactly)? I mean, does it check versions and MD5s of the dll's, vxd'x and ocx's (for instance) ... or does it just look for some flag or regkey that says that the hotfix has been applied?

Gee, I just checked the HFNetChk site. Maybe I'm thinking of something else, but the program I remember was much bigger (like 20MB). Is this going to give me anything that Windows Update won't? Would I be better off using the Baseline Security Analyzer?

Gee, weirder. On a clean install the program says that it detects a previously installed version. I wonder what's up with that.

Hmm... It gets worse. The good news is that I have answered one of my questions. It looks like Windows Update makes a very simplistic check of installed hotfixes and patches. Windows Update still shows the same two critical updates. Also HFNetChk does look at version numbers and checksums. That's good. They use a file that they get from Microsoft. That's good. Tht file was last updated October 20th. That's not so good. The worse part is that HFNetChk indicats that several patches on my system have not been installed -- patches which Windows Update thinks are installed, and which were integrated with XPCREATE. Some of them are due to wrong version numbers. I can understand that, considering that their list is a little old. The disturbing part is that a few files have the right version number, but the wrong checksum. Most disturbing in this category is kernel32.dll. Yikes!! Running HFNetChk -vv (Very Verbose) shows that this could be very bad. I would expect that if a dll changed (thus changing the checksum) that the version number would change too. Does anyone know if it every happens that they change a dll and they don't change the version number?

You tip to check out HFNetChk was good. BTW, HFNetChk -b (baseline) seemed good.

Your post (with all of the download links and MD5s) was really good. It will save some people a lot of time. (Unfortunately, I had already downloaded everything manually before you posted.) Anyway, I have found your contributions to be very valuable. Thanks.

Any idea about KB841356 ?