Print Queue, DNS Client, SPE, Msinfo32/WinMSD Bug Fixes

Win2K Print Queue Bug Fix
A spooler bug in all versions of Windows 2000 prevents print jobs from printing when a user logs on with a guest or local account and submits a print job. When you check the print queue, you see the print job in the queue, but the spooler never prints the job. If you're experiencing this problem, you'll probably see an Event ID 45 error in the System event log. You can work around the problem by temporarily resetting the queue. Log on as an administrator on the server where you defined the queue and print a test page to the problem printer. This action must reset security on a key spooler file because after you print a test page as administrator, the spooler prints all subsequent print jobs from guest or local accounts. The workaround is only effective until someone restarts the print server. If you stop and start the queue or reboot the server, you must log on as administrator again and print another test page. To permanently eliminate the problem, call Microsoft Support Services (MSS) and ask for the spooler update. The update, which Microsoft released on September 7, contains three files: localspl.dll (release date: August 3), sp3res.dll (release date: July 4), and spoolss.dll (release date: April 30). For more information, see Microsoft article Q283795.

DNS Client Bug Fix
When you configure client TCP/IP settings (manually or through DHCP), you commonly provide two or more DNS server entries for redundancy. By design, the DNS client service always attempts to contact the first server on the list. If the first server doesn't respond, the client tries to contact the next entry on the list. When you have multiple DNS servers, the client DNS service uses an algorithm to prioritize the list of servers to contact for subsequent queries. However, a bug in the recalculation algorithm causes the client service to skip the server reordering step, which can potentially reduce the list of DNS servers to one entry, even when additional servers are available. If the server at the top of the list is down, the client might be unable to resolve TCP/IP names. Microsoft Support Services (MSS) has a new version of the client DNS resolver component, dnsrslvr.dll (release date: September 26), that correctly reorders the list of configured DNS servers every 15 minutes.

After you install the bug fix, you can modify a DNS cache registry value to control how often the resolver recalculates the list. Find the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters. The value entry ServerPriorityTimeLimit:REG_DWORD, which defines the interval in seconds between updates, can have a value between 0x0 and 0xFFFFFFFF. If you set this entry to 0, the resolver resets server priorities before the client service decides which DNS server to query, which causes the resolver to always contact the first DNS server on the list. If you change the default interval, you must reboot to activate the change. This bug affects all versions of Windows 2000, through Service Pack 2 (SP2). For more information, see Microsoft article Q286834.

Password Change Auditing Bug Fix
Microsoft article Q302662 documents a security audit bug that exists in all versions of the Gold release of Windows 2000 through Service Pack 2 (SP2). If an administrator or a user who has rights to reset a user's password resets a user's password while auditing is enabled, the system doesn't generate an audit event for either a failure or a successful result. If your site security requirements mandate password-change monitoring, you must install the bug fix that Microsoft released on October 8. The update's—a big one—contains new versions of 22 core system files, including the time service, Kerberos, the Local Security Authority (LSA), Netlogon, and the SAM. Call Microsoft Support Services (MSS) for the update.

Policy Editor Security Bug
When you use the System Policy Editor (SPE) or the Microsoft Management Console (MMC) Security Template snap-in to modify file or registry permissions, a bug in both tools can remove rights that you originally granted or denied to the creator or owner of the file or registry key. After you modify the access rights, you approve your changes by clicking the "Applies to" option. If you set the "Applies to" option to "This folder, subfolders, and files" or "This key and subkeys," both tools reset the scope to "Subfolders and files only" or "Subkeys only." This change can result in the loss of previously granted or denied rights, which creates problems for running services or programs that need to access the file or registry key.

Microsoft article Q311444 provides an example of how this bug can cause a Windows 2000 Service Pack 2 (SP2) upgrade to fail. The article states that if you modify permissions on the Windows Management Instrumentation (WMI) registry key and select "Applies to," the security template snap-in makes the changes to the subkeys only, not to the Security key. The basicdc.inf security template defines the affected key, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Security. You might encounter this problem if you modify the permissions on this key or its subkeys and apply the basicdc.inf template before you perform the SP2 upgrade. To work around the problem, you can use Notepad to edit the security template and add Administrator Full Control permissions on the Security key. This bug affects all versions of Win2K. Microsoft hasn't released a code fix that corrects the problem.

Msinfo32/WinMSD Bug Fix
Both Msinfo32 and WinMSD let you save system settings in an external file. If you run either tool, save the settings, and then log off, you might see the standard profile unload error, Event ID 1000, in the System event log. The text of the error is "Windows cannot unload your registry file. If you have a roaming profile, your settings are not replicated. Contact your administrator. DETAIL - Access is denied." Both utilities have a bug related to the save operation that prevents Windows 2000 from updating and saving your profile at logoff. If you run either utility regularly, you should install the patch that eliminates the profile save error. The update contains five files with release dates of August 23: cimwin32.dll, ieinfo5.ocx, netui0.dll, wimmgmt.exe, and winspool.drv. This bug affects all versions of Win2K through Service Pack 2 (SP2). For more information, see Microsoft article Q285192.

TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.