Two Security Auditing Bug Fixes
Do you audit account logon failures? If so, you've probably seen Security Event log records with event ID 642 (User Account Changed) and the text "Account locked out" when a user reaches the bad password threshold. You expect to see this security event when a user enters a bad password for either a domain or local account. The security audit code correctly records this event when a user reaches the bad password threshold while logging on with a domain account; however, a bug in the audit code prevents the system from recording the account lockout when a user reaches the bad password threshold while logging on with a local workstation or server account. Thus this glitch affects auditing only on systems that authenticate account credentials against the local SAM. The fix is extensive: It contains updates to 30 core OS and security-specific components, including DNS, the kernel, lsass.exe, samsrv.dll, and the time service. Most of the files have a mid-January release date, and you must call Microsoft Product Support Services (PSS) to get the code fix. For details, see the Microsoft article "Account Lockout Is Not Audited for Local/SAM User Accounts".
When you enable "Audit account management," you expect to see security events when you add, remove, or modify individual or group accounts. A second bug in security auditing occurs when you remove a user from a domain local group on a domain controller (DC) that isn't a global catalog (GC) server. When you remove a user who has an account in a different domain, but in the same forest, the security audit code doesn't have enough information about the user's account to record the removal event in the security log. The bug fix for this problem contains 32 files, including many of the same files that correct the first security auditing problem I described. Several of the duplicate files have a release date of January 28, which means this update supersedes the previous one.
If you need to install both updates, I suggest you install the local account audit fix first, then the domain account audit fix. Run Qchain (qchain.exe) to ensure that you get only the most recent version of the common files, and then reboot. This method is the fastest way to eliminate file version conflicts and to guarantee that you've correctly installed both patches. Why can't Microsoft release one security audit update that contains the files we need for both of these problems so we can skip the arduous update process? For more information about this problem, see the article "Removing a User from a Domain Local Group May Not Be Audited".
NTFS Blue Screen
The Windows 2000 Post-Service Pack 2 (SP2) file system driver has a bug that might cause ntfs.sys to crash with a stop code of 0x00000003. The blue screen occurs when the file system driver attempts to release the same resource twice. You can get the new version of ntfs.sys from Microsoft Product Support Services (PSS). The update has a file release date of November 30, 2001. See the Microsoft article "You Receive a 'Stop 0x000000E3' Error Message in Windows 2000".
Cleaning Up After a Bad Print Driver
When a system has a bad print driver, you might see several different error messages when you try to print a file or document, including
- Spoolsv.exe has generated errors and will be closed by Windows.
- Printer operation cannot continue due to lack of resources.
- Subsystem unavailable.
To recover from this error, you need to delete the printer, delete the print-driver file, and clean up printing subsystem registry entries. To delete the printer, open the printer window, right-click the nonfunctional printer, and select Delete. Then, if the bad print driver is on a print server, you delete the print driver as follows:
Select the File menu item in the Printers window, then select Server Properties. Click the Drivers tab, and remove the bad driver.
To eliminate any references to the bad driver, you need to clean up three sets of printer-specific registry entries. Locate the following keys, and delete all data in and below (but not including) the version subkeys.
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows NT x86\Drivers\Version-2
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows NT x86\Drivers\Version-3
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Environments\Windows NT x86\Drivers\Version-2
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Environments\Windows NT x86\Drivers\Version-3
Next, remove all references to nonstandard Windows print monitors in the Print\Monitor registry keys. This means you must delete all value entries and subkeys that don't contain AppleTalk Printing Devices (when Services for Macintosh is installed), BJ Language Monitor, Local Port, PJL Language Monitor, Standard TCP/IP Port, USB Monitor, and Windows NT Fax Monitor (when a fax modem is installed).
Last, delete any registry data in the following two registry keys and reboot the system. When the system restarts, you can safely configure and install the problem printer with a good printer driver.
For more details about this tedious procedure, see the Microsoft article "Error Message: Spoolsv.exe Has Generated Errors and Will Be Closed by Windows".
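Before deleting anything by hand, it helps to see exactly what the driver and monitor steps above would touch. The following PowerShell inventory is an added example, not part of the original article or Microsoft's fix: it only reads the registry and deletes nothing. The `Monitors` key path under each control set, the `Driver` value it reads, and the function name `Get-PrintCleanupCandidates` are assumptions; the monitor names are the ones listed above. It does not cover the two keys referred to in the final step.

```powershell
# Added example: read-only inventory for the print-driver cleanup described above.
# Standard monitor names are taken from the article's list. The Monitors key
# location and the "Driver" value name are assumptions about the spooler layout.
$StandardMonitors = @(
    'AppleTalk Printing Devices', 'BJ Language Monitor', 'Local Port',
    'PJL Language Monitor', 'Standard TCP/IP Port', 'USB Monitor',
    'Windows NT Fax Monitor'
)
$PrintRoots = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Print',
    'HKLM:\SYSTEM\ControlSet001\Control\Print'
)

function Get-PrintCleanupCandidates {
    foreach ($root in $PrintRoots) {
        # Driver entries below (not including) the Version-2 / Version-3 subkeys.
        foreach ($version in 'Version-2', 'Version-3') {
            $key = Join-Path $root "Environments\Windows NT x86\Drivers\$version"
            if (-not (Test-Path -LiteralPath $key)) { continue }
            Get-ChildItem -LiteralPath $key | ForEach-Object {
                [pscustomobject]@{
                    Kind = 'Driver'; Name = $_.PSChildName; Key = $_.Name
                    File = (Get-ItemProperty -LiteralPath $_.PSPath).Driver
                }
            }
        }
        # Monitor subkeys whose name is not on the standard list.
        $monitors = Join-Path $root 'Monitors'
        if (-not (Test-Path -LiteralPath $monitors)) { continue }
        Get-ChildItem -LiteralPath $monitors |
            Where-Object { $StandardMonitors -notcontains $_.PSChildName } |
            ForEach-Object {
                [pscustomobject]@{
                    Kind = 'Monitor'; Name = $_.PSChildName; Key = $_.Name
                    File = (Get-ItemProperty -LiteralPath $_.PSPath).Driver
                }
            }
    }
}

# Print the candidates; review the list before removing anything.
Get-PrintCleanupCandidates | Sort-Object Kind, Key | Format-Table -AutoSize
```

Export the listed keys before you delete them so the change can be reversed if the spooler fails to start after the reboot.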