Do You Need to Update YourSecurity Hotfixes?

Learn about fixes for hotfixes

Windows 2000 has more than 200 post-Service Pack 1 (SP1) bug fixes, hotfixes, and security updates. Installing and managing all these fixes is an immense task, especially when you have hundreds or thousands of systems in your enterprise. Although the Windows File Protection (WFP) feature significantly reduces file-version-number conflicts, occasionally an update incorrectly overwrites or replaces a previous version of a file. In February 2001, Microsoft acknowledged that file-version-number problems affect 24 English-language security updates and a couple of OS hotfixes (the sidebar "Updates with File-Version-Number Problems" lists these 26 updates).

To understand how version-number problems arise, you need to know how WFP uses digital signatures and catalog files to protect crucial system files. Then you can use the Qfecheck utility to analyze all the hotfixes you've previously installed to see whether any have version-number problems. If Qfecheck indicates that you should reinstall any of your hotfixes, you can follow the procedure I describe to eliminate current and potential version-number concerns for all the affected security updates.

Windows File Protection
Microsoft introduced WFP to prevent updates such as service packs, bug fixes, hotfixes, and security updates from overwriting a more recent version of a file with an older version. WFP doesn't monitor every file in the OS but, in designated folders, monitors a subset of crucial system files with .dll, .exe, .fon, .ocx, .sys, and .ttf file extensions. To eliminate the endless DLL problems systems administrators often experienced with older platforms, WFP doesn't let applications replace or overwrite any files on the protected list. When an application tries to replace a protected file, WFP issues an error message stating that the application tried to replace a protected system file, then either disables the file replacement or restores the correct file. When looking for the correct file, WFP first scans and selects files from the \%systemroot%\system32\dllcache folder. If the correct file isn't in the \dllcache folder, WFP checks the network install point, and if the file is unavailable there, WFP prompts you for the installation medium.

Unless you're a developer, you can replace protected files only when you install or update a system with standard Microsoft tools (i.e., when you install the OS with winnt32.exe, install a hotfix with hotfix.exe, apply a service pack with update.exe, or run an online Windows Update). WFP employs two tracking mechanisms to ensure that files are valid and have the most recent version number: a file signature and a digitally signed catalog file that lists the version number for all files the update will replace. The digital signature verifies that a trusted source issued the files.

Now, let's talk about the 24 security updates that have file-version-number problems. Each update contains a companion catalog file (which has a .cat file extension) that defines the correct version number for each file in the update. The problem with the 24 security updates is that the catalog file specifies either an incorrect digital signature or an incorrect version number for one or more of the files to be updated. In either case, when you install any of the 24 security updates, WFP replaces the loaded file with the incorrect file that the catalog specifies.

The Qfecheck Utility
To determine whether your system has problematic hotfixes, you can run the Qfecheck utility. Microsoft recently released a new version of Qfecheck that audits and reports on the validity of installed hotfixes. Instead of simply reporting the hotfix keys in the registry, the new version performs a thorough audit to ensure that the correct binary files exist on the system, that each file has a valid signature, and that each file has the most current version number. The utility also has a log option that stores the audit report in a text file. The ability to log results means you can run a script on all your systems to audit hotfix status and direct each system's report to a central network location. In addition to uncovering problems with security updates, Qfecheck is valuable for monitoring the current status of all your Win2K system configurations.

You can download the English version of Qfecheck from Microsoft's Download Center ( The filename to download is q282784_w2k_sp3_x86_en.exe. (Microsoft has a Windows 95 version of Qfecheck that you can download at The Microsoft article "Qfecheck.exe Verifies the Installation of Windows 2000 Hotfixes" ( contains examples of the reports Qfecheck generates.

You can download the 113KB file and install the Qfecheck utility in only a few minutes. Qfecheck places itself in \%systemroot%\system32. After you install the utility, run Qfecheck at a command prompt to initiate the hotfix audit. Qfecheck accepts three command-line arguments: /l to log the report in a text file, /v for a verbose explanation of the results, and /q for a quiet, less wordy description. Qfecheck writes the report by default to the current directory and names the output file computername.log, where computername is the name of the computer on which you run the report. To specify an alternate location (but not the output filename) use the /1 option and type

qfecheck /l: E:\foldername


qfecheck /l: \\computername\foldername

at the command line, where foldername is the name of the folder in which you want to place the log and computername is the name of the computer containing that folder. You can pipe the output of the command to the location and filename of your choice with a command such as

qfecheck /v > E:\foldername

where filename is the customized name you want to give the file and foldername is the name of the folder containing that file. I recommend that you run the utility in verbose mode, with the /v switch, to produce the maximum amount of information in the audit report; without the extra information the /v switch provides, you won't know whether the problem lies with the file or the catalog.

When Qfecheck runs, it reads the appropriate registry key for each update and compares the version number stored in the registry entry with the version number of the installed file. If the version in the registry doesn't match the version of the installed file, Qfecheck reports an error. The utility also verifies that the files the hotfix installs match the information in the catalog. If the file is valid according to the hotfix information in the registry, but the catalog entry contains different information, Qfecheck reports an error.

If the Qfecheck report contains the message This hotfix should be reinstalled, most likely, you've previously installed one or more of the affected security updates. Figures 1 and 2 contain sample Qfecheck reports indicating that a hotfix should be reinstalled. In Figure 1, Qfecheck reports that the binary file telnet.exe is bad. In Figure 2, Qfecheck reports that the catalog entries for telnet.exe need updating.

Eliminating Security Update Problems
If you receive a Qfecheck report that indicates you need to reinstall one or more hotfixes, you can eliminate the problems by installing a new version of the catalog,, that Microsoft packages with security updates and hotfixes. In late January 2001, Microsoft reissued two versions of the WFP catalog, one for pre-SP1 systems and one for post-SP1 systems. If you've installed any of the 24 security updates in the sidebar, you must download the new You also need the new catalog if you've previously installed the fix to eliminate a performance problem related to heap fragmentation (see the Microsoft article "Performance Degradation When Heap Is Fragmented" at or the fix for the Exchange services authentication failure when you reset a user password (see the Microsoft article "Error SC_E_LOGON_DENIED After a Reset of Local Machine Account Password" at

You can download the post-SP1 catalog, q281767_w2k_sp2_x86_en.exe, from If you're running Win2K without SP1 and have installed any hotfixes, get the updated catalog q285083_w2k_sp2_x86_en.exe from

The installation procedure is straightforward and takes only a few seconds. But the procedure is different depending on whether you're updating post-SP1 or pre-SP1 systems. SP1 includes an enhancement that enables WFP to dynamically read a catalog when it's initially installed. All you need to do on post-SP1 systems is double-click the download file to install the updated catalog. To activate the new catalog on pre-SP1 systems, double-click the download file, let it execute, then reboot. The reboot forces WFP to scan the new catalog and load files with the correct version numbers. When the update finishes, you see the information message that Figure 3 shows.

The new catalog doesn't install any additional security updates, but it corrects any discrepancies that exist in hotfixes you've already installed. It also eliminates any problems you might experience when you install other affected security updates. To verify that you've eliminated the problems, run Qfecheck a second time with a different output filename so that you can compare the old report (i.e., the report you ran before installing the new catalog) and the new report. In the new report, all the This hotfix needs to be reinstalled entries you saw in the old report should be gone, and you should see Current on system instead.

TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.