Service Pack 6; Dr. Watson and the Print Spooler

Service Pack 6
I went to Microsoft’s FTP hotfix site to check on new Windows NT post-Service Pack 5 (SP5) hotfixes and, much to my surprise, found a directory called Hotfixes-PostSP6 with a hotfix called Rasman-fix dated September 30. According to Knowledge Base article Q242994, included in the hotfix directory (the article doesn't appear in the official Knowledge Base), the Rasman ACL lets an unprivileged user substitute another executable for rasman.exe. Because Rasman runs in the system context, this situation presents a gaping security hole. The Rasman-fix hotfix changes the ACL to eliminate the vulnerability.
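The Rasman problem above is one instance of a general weakness: a service that runs as System whose executable can be written by ordinary users. The following audit script is an added example, not code from the column or from Microsoft; it walks every installed service, extracts the executable from the service command line, and reports any file that grants write, modify, delete, take-ownership or generic-write rights to broad principals. It assumes Windows PowerShell 5.1 or later run from an elevated prompt; the list of broad principals is an assumption you should extend for your environment.

```powershell
# Added audit script (not from the column): find service binaries that non-administrative
# principals can replace, the class of weakness described for rasman.exe.
# Assumes Windows PowerShell 5.1+, run elevated.

# Principals that should never hold write access to a service executable (assumed list).
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Explicit rights that allow altering or replacing the file.
$R = [System.Security.AccessControl.FileSystemRights]
$WriteRights = [int]$R::Write -bor [int]$R::Modify -bor [int]$R::FullControl -bor
               [int]$R::Delete -bor [int]$R::TakeOwnership -bor [int]$R::ChangePermissions
# Generic rights show up as raw bits on some inherited ACEs; treat these as writable too.
$GenericAll   = 0x10000000
$GenericWrite = 0x40000000

function Get-ServiceBinaryPath {
    # Turn a Win32_Service.PathName ("C:\x y\svc.exe" -arg  or  C:\x\svc.exe -k group)
    # into the bare executable path with environment variables expanded.
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { $p = $p.Substring(1, $end - 1) }
    } elseif ($p -match '^(?<exe>.+?\.exe)') {
        $p = $Matches['exe']
    }
    return [Environment]::ExpandEnvironmentVariables($p)
}

function Test-ServiceBinaryAcl {
    # Return one finding per Allow ACE that gives a broad principal write-class rights.
    param([string]$Path)
    $findings = @()
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $findings }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        if ($BroadPrincipals -notcontains $id) { continue }
        $raw = [int]$ace.FileSystemRights
        if ((($raw -band $WriteRights) -ne 0) -or
            (($raw -band $GenericAll) -ne 0) -or
            (($raw -band $GenericWrite) -ne 0)) {
            $findings += [pscustomobject]@{ Principal = $id; Rights = $ace.FileSystemRights }
        }
    }
    return $findings
}

function Find-WritableServiceBinary {
    # Join each service to its binary and emit a row per weak ACE; services running as
    # LocalSystem with a writable binary are the ones that matter most.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $exe = Get-ServiceBinaryPath -PathName $_.PathName
        if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { return }
        foreach ($f in (Test-ServiceBinaryAcl -Path $exe)) {
            [pscustomobject]@{
                Service   = $_.Name
                RunsAs    = $_.StartName
                Binary    = $exe
                Principal = $f.Principal
                Rights    = $f.Rights
            }
        }
    }
}

Find-WritableServiceBinary | Sort-Object Service | Format-Table -AutoSize
```

An empty table is the expected result on a correctly configured system; any row whose RunsAs column reads LocalSystem deserves the same treatment the Rasman hotfix applies, namely tightening the file ACL so that only Administrators and System can write it.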

Curiously, although there's a hotfix for SP6, I couldn't find the SP6 download anywhere. According to one rumor, Microsoft will release the service pack for public download on October 7 or shortly thereafter. If we’re lucky, Microsoft will incorporate the Rasman-fix hotfix into SP6 before the company releases the service pack. If so, this addition will likely delay the release of SP6, but I’d rather have a current copy than one with a security vulnerability that needs immediate attention. Let me know if you have SP6 and, if so, how you acquired it, and I'll pass the information on to the rest of our community.

Dr. Watson and the Print Spooler
The Spooler service might die when you have a bad print monitor utility or a corrupted spool file. If you experience this problem on your system, Dr. Watson will pop up when you try to start the Spooler service with a message that spoolss.exe failed with an access violation. Microsoft Support Online article Q242054 ( support/kb/articles/Q242/0/54.asp) outlines a four-step procedure you can use to restore normal print operation. The article recommends you check to see whether the printer is working after you perform each action, stopping when normal print operation resumes.

First, verify that the Spooler service logs on with the System account (via the Services applet in the Control Panel). Second, delete all spool files in the print spooler directory. By default, printer spool files (files with an extension of .spl) are located in the %SystemRoot%\System32\Spool\Printers folder. When you delete a spool file, you delete all print jobs queued for printing—a major corrective action, considering that you might have hundreds of print jobs waiting, but you can’t remove a printer if jobs are in the queue. Third, manually remove references to the offending printer from the Registry and reinstall the printer. Fourth, manually remove any print monitor references from the Registry. This troubleshooting procedure is too long to reproduce here, so be sure to read the article for the cautions and related Registry path names.
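The script below is an added example of the first two steps of that procedure, not code from the column or from Microsoft's article. It checks the Spooler's logon account, then stops the service, removes queued spool data (.spl) and shadow (.shd) files, and restarts it. For steps three and four it only lists the printers and print monitors the Registry knows about, under the standard HKLM\SYSTEM\CurrentControlSet\Control\Print keys (an assumption that these are the locations the article's steps operate on); it deliberately deletes nothing there, since the article's cautions apply. It assumes Windows PowerShell 5.1 or later run elevated.

```powershell
# Added recovery script (not from the column): steps 1 and 2 of the Q242054 procedure,
# plus a read-only listing to support steps 3 and 4. Assumes Windows PowerShell 5.1+, elevated.

$SpoolDir = Join-Path $env:SystemRoot 'System32\spool\PRINTERS'

function Test-SpoolerLogonAccount {
    # Step 1: the Spooler should log on as the local System account.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
    if ($null -eq $svc) { throw 'Spooler service not found.' }
    [pscustomobject]@{
        StartName    = $svc.StartName
        State        = $svc.State
        RunsAsSystem = ($svc.StartName -eq 'LocalSystem')
    }
}

function Clear-SpoolFiles {
    # Step 2: stop the Spooler, delete every queued job, restart it.
    # This discards all queued print jobs on the machine, as the column warns.
    param([switch]$WhatIf)
    $files = @(Get-ChildItem -LiteralPath $SpoolDir -File -ErrorAction SilentlyContinue |
               Where-Object { $_.Extension -in '.spl', '.shd' })
    if ($files.Count -eq 0) { Write-Host "No spool files in $SpoolDir"; return 0 }
    if ($WhatIf) {
        $files | ForEach-Object { Write-Host "Would delete $($_.FullName)" }
        return $files.Count
    }
    Stop-Service -Name Spooler -Force
    try {
        $files | Remove-Item -Force
    } finally {
        Start-Service -Name Spooler
    }
    return $files.Count
}

function Get-PrintRegistryReferences {
    # Steps 3 and 4, read-only: show which printers and print monitors are registered so you
    # can match them against the article before removing anything.
    # Assumption: these standard key locations are the ones the article's steps refer to.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print'
    $printers = Get-ChildItem -Path "$base\Printers" -ErrorAction SilentlyContinue |
                Select-Object -ExpandProperty PSChildName
    $monitors = Get-ChildItem -Path "$base\Monitors" -ErrorAction SilentlyContinue | ForEach-Object {
        $drv = (Get-ItemProperty -Path $_.PSPath -Name Driver -ErrorAction SilentlyContinue).Driver
        [pscustomobject]@{ Monitor = $_.PSChildName; Driver = $drv }
    }
    [pscustomobject]@{ Printers = $printers; Monitors = $monitors }
}

Test-SpoolerLogonAccount
Clear-SpoolFiles -WhatIf          # drop -WhatIf once you accept losing the queued jobs
Get-PrintRegistryReferences | Format-List
```

Run the step-1 check first and stop as soon as printing works again, exactly as the article advises; a print monitor whose Driver value points at a DLL that no longer exists, or at one you do not recognize, is the kind of entry step four is meant to catch.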

Blue Screen Update
I haven’t summarized recent blue screens in a couple of months, so it’s time for an update. One crash occurs as a result of poor systems administration practices, two result from missing or corrupted files, and the rest are known bugs.

Full Event Logs and System Crashes
When you enable event logging, you specify a maximum size for each log file and the action the event log application should take when a log file fills up. When you check "Do Not Overwrite Events (clear the log file manually)," you must carefully monitor the event log to ensure it never fills up. According to Microsoft Support Online article Q242084 ( support/kb/articles/q242/0/84.asp), when you try to browse a domain controller with a full event log, the domain controller will crash with a stop code of "STOP 0xC0000244." You can avoid this problem by periodically clearing the log file and checking either option that allows log file overwriting (as needed or every N days).
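Because the dangerous setting is the "Do Not Overwrite Events" retention mode combined with a log that is nearly full, the following added script (not from the column or from Microsoft) reports each classic event log's size limit, overflow action and approximate fill level, and can switch a log back to overwrite-as-needed. It uses the Get-EventLog and Limit-EventLog cmdlets of Windows PowerShell 5.1 (they are not present in PowerShell 7) and reads the log file path from the per-log EventLog registry key; it assumes an elevated prompt. The fill percentage is an estimate from the on-disk file size and is an assumption about how that file grows, not a figure from the article.

```powershell
# Added audit script (not from the column): report event log retention settings and fill
# level, and remediate logs set to "Do Not Overwrite Events". Windows PowerShell 5.1, elevated.

function Get-EventLogFillReport {
    Get-EventLog -List | ForEach-Object {
        # The File value under the per-log key names the .evtx backing file.
        $reg  = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$($_.Log)" `
                                 -ErrorAction SilentlyContinue
        $file = if ($reg -and $reg.File) { [Environment]::ExpandEnvironmentVariables($reg.File) } else { $null }
        $usedKB = if ($file -and (Test-Path -LiteralPath $file)) {
            [math]::Round((Get-Item -LiteralPath $file).Length / 1KB)
        } else { $null }
        # Estimate only: the file grows in chunks as entries are written (assumption).
        $pct = if ($usedKB -and $_.MaximumKilobytes) {
            [math]::Round(100 * $usedKB / $_.MaximumKilobytes)
        } else { $null }
        [pscustomobject]@{
            Log            = $_.Log
            MaxKB          = $_.MaximumKilobytes
            UsedKB         = $usedKB
            PercentFull    = $pct
            OverflowAction = $_.OverflowAction
            NeverOverwrite = ($_.OverflowAction -eq 'DoNotOverwrite')
        }
    }
}

function Set-EventLogOverwriteAsNeeded {
    # Switch the named logs to "Overwrite events as needed" and raise the size cap.
    # Limit-EventLog wants the size in bytes, in multiples of 64 KB.
    param(
        [string[]]$LogName = @('System', 'Application', 'Security'),
        [int]$MaximumSizeMB = 64
    )
    foreach ($name in $LogName) {
        Limit-EventLog -LogName $name -OverflowAction OverwriteAsNeeded `
                       -MaximumSize ($MaximumSizeMB * 1MB)
    }
}

Get-EventLogFillReport | Format-Table -AutoSize

# Remediate every log still in the "Do Not Overwrite Events" mode the article warns about.
Get-EventLogFillReport | Where-Object NeverOverwrite | ForEach-Object {
    Set-EventLogOverwriteAsNeeded -LogName $_.Log
}
```

If policy requires that no events be lost, the alternative to overwriting is to archive and clear the log on a schedule so that it never reaches its maximum size; either way, the report above is worth running against domain controllers before anyone browses them.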

Missing or Corrupt Drivers Blue Screens
If you have a version mismatch between the Windows NT kernel and a loaded driver or if a driver is somehow corrupted, Windows NT will crash and display the following error message:

STOP 0xC0000263 Driver Entry Point Not Found

where is the corrupted driver. You can use three techniques to replace a bad driver: run the emergency repair restore system files option, install another system root and copy a good driver to the production system root, and worst case, restore a functioning OS from a backup tape. Corrupted drivers occur only in rare circumstances—for example, when you download a driver and the download introduces errors. See Microsoft Support Online article Q242107 ( support/kb/articles/q242/1/07.asp) for more information.

Corrupted Pagefile Blue Screen
A corrupted pagefile can cause Windows NT to crash and display the error message "STOP 0x0000000A or 0x0000001E." To correct the problem, set the pagefile size to zero, run Chkdsk with the /f and /r options on the drive where the pagefile resides, and recreate the pagefile. If you have only one pagefile on the system disk, you need to reboot after you set the pagefile to zero, then reboot a second time when you resize it. If you have multiple pagefiles, you need to perform this procedure on all drives. Microsoft Support Online article Q242099 ( support/kb/articles/q242/0/99.asp) documents this procedure in detail.

Services for Macintosh
Microsoft Support Online article Q240864 ( support/kb/articles/q240/8/64.asp) documents an intermittent crash caused by bugs in the Services for Macintosh (SFM) code. If your system has this problem, you’ll see the error message "STOP 0x00000050 : 0xa63cb000 0x00000000 0x00000000 0x0000000 sfmsrv!AfpLookupIcon". The article gives no explanation for the cause of the crash, but Microsoft has corrected the problem in new versions of two modules, sfmatalk.sys and sfmsrv.sys, and the updates are available only from Microsoft Support. This blue screen occurs on all versions of NT, regardless of service-pack level.

SNMP and SP4
This error is specific to NT systems running Service Pack 4 (SP4) with a Symbios PCI-SCSI controller. When you load SNMP extensions on a system with a Symbios controller, your system might blue screen with the error message "STOP 0x0000000A." A faulty symc810.sys driver causes the crash, and you can download an updated Symbios driver at scsi/drivers/Windows_Drivers/WindowsNT/. Microsoft Support Online article Q242078 ( articles/q242/0/78.asp) documents the problem.

Tcpip.sys and SP4
If you're still running NT with Service Pack 4 (SP4), your system might crash and display the error message "STOP 0x00000050 in Tcpip.sys" when under stress. An incorrect release of an address object causes this blue screen. Microsoft has corrected the problem in an updated version of tcpip.sys, which you must obtain directly from Microsoft Support. See Microsoft Support Online article Q238763 ( support/kb/articles/Q238/7/63.asp) for more details.
