Security Update for NT 4.0; Win2K SP2 Netlogon Problem

NT 4.0 Bundled Security Update Released
As promised, Microsoft released a security rollup package for Windows NT 4.0 that includes all security patches that the company has issued for NT 4.0 since Service Pack 6a (SP6a). The bundled update contains 27 security fixes for the OS, 22 security patches for Microsoft IIS 4.0, three updates for Index Server, and one update that closes a Microsoft FrontPage Server Extensions hole. The rollup package is a great timesaver because it lets you install all the security hotfixes in one operation. To successfully install the bundled update, your NT 4.0 system must be running SP6a. If you're still running SP5, this security rollup package might give you a good reason to upgrade to NT 4.0's last official version.

For complete documentation of the security hotfixes included (and not included), visit the Microsoft Web site. To download the rollup package, visit the Microsoft Web site.

Note that whenever you reapply SP6a, you must also reapply the security rollup hotfix. This update functions like a mini-service pack, so you must reinstall it after SP6a whenever you add a new service or function from the original NT 4.0 CD-ROM. See Microsoft article Q299244 for more information.

  • SP2 Netlogon and KDC Startup Errors
    Windows 2000 Service Pack 2 (SP2) upgrades Win2K to high encryption (i.e., 128-bit encryption) and upgrades the cryptographic component rsaenh.dll to the 128-bit encryption version. If your copy of this crucial DLL is old, corrupt, or missing, you’ll encounter problems with the Netlogon and Kerberos Key Distribution Center (KDC) services at system startup. If you have a problem with the rsaenh.dll file, the Netlogon service might not start, instead recording Event Id: 5737 in the System log with a message indicating that an unexpected error occurred. Also, the KDC service might not start and might log Event ID: 7023 with a message indicating that service terminated with an error. Finally, Microsoft Internet Explorer (IE) might report a cipher strength of 0-bits, and you might not be able to browse secure Web sites.
  • You can eliminate the Netlogon and KDC service startup errors by placing a good copy of rsaenh.dll in \winnt\system32. The SP2 version of rsaenh.dll is version 5.00.2195.2228, and the file size is 133,904 bytes. For more information, see Microsoft article Q303330.

  • Win2K, NT 4.0, and Win9x User Profiles
    Microsoft article Q269378 describes the different ways that Win2K and other Windows OSs define and manage user profiles. When you log on to a Win9x computer, the system copies your user profile from your home directory to the local machine. When you log off, the system copies the user profile back to your home directory. The home directory is set in your user account on a Win2K Datacenter Server, Win2K Advanced Server (Win2K AS), Win2K Server, or NT 4.0 Server machine. The home directory path must be in the Universal Naming Convention (UNC) and must be created prior to the implementation. Win9x profiles don't support common groups or centrally stored Default User Profiles. Win9x stores profile registry information in the file user.dat, which isn't compatible or interchangeable with Win2K or NT 4.0's ntuser.dat files because the OS's registries are incompatible. You can store Win9x user profiles on Novell NetWare servers.
  • Win2K and NT 4.0 profiles share many similarities. Both platforms support local, roaming, and mandatory profiles. However, each OS stores the profile in a different location, a fact that you must be aware of when you upgrade NT 4.0 to Win2K. NT 4.0 stores profiles in the %systemroot%\Profiles directory; Win2K stores profiles in the %systemdrive%\Documents and Settings directory. However, when you upgrade NT 4.0 to Win2K, the user profile remains in the %systemroot%\Profiles directory.

    NT 4.0 manages duplicate account names by adding .000 to a profile's username and increments the suffix by one each time a different user with the same username logs on. Win2K manages duplicate account names by adding a suffix to the username of the profile. The suffix is either the name of the domain, if the user account is a domain account, or the name of the computer, if the user account is a local user account. If, by chance, another user with the same name from the same domain or computer logs on to the machine, Win2K adds a .000 suffix to the domain or computer name. If such a coincidence occurs again, Win2K increments the .000 by one.

Dr. Watson options
If you don’t regularly debug application programs, you might not know that you can customize Dr. Watson application-debugger functionality. To display the GUI configuration screen, enter the command

drwtsn32.exe ? 

at a command prompt. The GUI configuration screen describes how the debugger is configured and provides several checkboxes that let you specify how the debugger functions. You can also modify these options from the command line or a batch file. The command-line syntax for this utility is

drwtsn32 \[-i\] \[-q\] \[-g\] \[-p pid\] \[-e event\] \[?\] 

You can enter any one or more of the following arguments:

  • -i installs Dr. Watson as the default program debugger
  • -q quiet mode (no sound or dialog box)
  • -g for compatibility with old versions of WinDBG and NTSD
  • -p pid the process id of the program to debug
  • -e event to signal for process attach
  • -? help

For example, if an application fails regularly, you might want to disable the Dr. Watson notification dialog box until you can correct the problem. To disable visual and sound notification from drwtsn32.exe, you can clear the checkboxes on the GUI display. Alternatively, you can enter the command

drwtsn32 –iq 

from a command prompt or a batch file. These techniques work in Win2K and NT 4.0. See Microsoft article Q259974 for more information.

Cleaning Up the Add/Remove Programs List
Invalid entries often appear in the Control Panel Add/Remove Programs list. Programs remain in the list when an uninstall fails and when you delete application directories without running the application's uninstall utility. Fortunately, you can manually remove entries that shouldn't appear on the list. Open a registry editor and locate HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall. Find the application that shouldn't appear in the installed list, and delete the key. If you want to back up the key before you delete it, highlight the key and select Export from the Registry menu. Exporting a key saves it in a .reg file that you can later import if necessary. See Microsoft article Q254162 for more information.

Keeping the Win2K Task Scheduler Happy
To function properly, Windows 2000's Task Scheduler must have write access to the file %systemroot%\schedlog.txt. If Task Scheduler is stopped and doesn’t respond to a start request, make sure you haven’t restricted the log file's access to read-only. See Microsoft article Q227404 for more information.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.