Terminal Services Client Blue Screen Bug Fix; SMB Signing Hotfix Flaw; Adult Web Site Trojan Horse; and More

Terminal Services Client Blue Screen Bug Fix
Do your Windows XP Home Edition, XP Professional Edition, and Windows 2000 Server Terminal Services clients crash with a stop code of 0x7F from win32k.sys? Microsoft attributes this system crash to a stack overflow that occurs when the OS closes a large number of nested windows. Given this description, I expect the Terminal Services client crash occurs when a user opens a large number of windows, either before or during a Terminal Services session. If this bug is causing the problem, after the client reboots and establishes another Terminal Services session, it crashes with the same stop code. Microsoft has released a patch that solves the stack overflow problem. The patch contains updated versions of 14 files with release dates of February 14 through March 4. You can get this update only from Microsoft Product Support Services (PSS); cite Microsoft article "Windows Stops Responding with 'Stop Error 0x7F' Error Message" (http://support.microsoft.com/?kbid=814789) as the reference.

SMB Signing Hotfix Flaw
Microsoft Security Bulletin MS02-070 (Flaw in SMB Signing May Permit Group Policy to Be Modified) introduces a spooler problem that causes Win2K Professional systems to take as long as 1 minute to log off. Microsoft has corrected the problem in a new version of the spooler service, with a file release date of January 28, 2003. If you distributed this Group Policy vulnerability hotfix, you probably need the bug fix for the hotfix. Call PSS and cite the reference article "Unexpected Delay When You Log Off Your Domain" (http://support.microsoft.com/?kbid=814770). According to the documentation, users can work around the problem by restarting the spooler service before they log off. However, if it takes a minute for the spooler service to restart, it doesn't seem like this workaround saves any time.

Adult Web Site Pop-Ups
I haven’t encountered this nasty problem, but if a system suddenly starts displaying pop-up ads inviting you to browse adult Web sites, the machine likely is infected with a Trojan Horse called W32.DSS.Trojan. The infection source is typically a mail message with an attachment named Open Me. The Trojan Horse inserts a Web page that invites you to visit adult sites in a hidden Microsoft Internet Explorer (IE) window. You can confirm this infection by checking the IE history list--in most cases, the URL http://voyour-cams.xww.de appears in the history list. The Microsoft article "Pop-Up Windows That Contain Advertisements to Adult Web Sites Intermittently Appear on Your Desktop" (http://support.microsoft.com/?kbid=810981) contains instructions about how to stop the Trojan process and how to rid a system of references to the openme.exe file on disk and in the registry.

Windows Installer 2.0 Bug Fix
Microsoft updated Windows Installer to version 2.0 in XP, XP Service Pack 1 (SP1), and Win2K SP3 systems. Version 2 of Windows Installer has a bug that prevents you from installing software from a shared network location, but only when the installer’s .msi file has entries in the IsolatedComponent table. If you distribute software by using a script that invokes the Msiexec command, the installer might fail with Error 1308 when you use a URL to identify the location of the .msi file--for example, when you use the command msiexec /i "http://appserver/outlook/test.msi". The installer responds with an error message stating that it was unable to locate the .msi file and displays a mangled version of the .msi file name that is part URL and part normal. PSS has a new msi.dll file that eliminates this bug. If you update XP and Win2K systems, you need to get the updated msi.dll for both platforms. The XP version has a release date of February 20, and the Win2K version has a release date of March 3. When you call, cite the Microsoft article "FIX: Error 1308 When You Install a Program from an Internet Source Location" (http://support.microsoft.com/?kbid=811364) as a reference.

More Win2K Redirector Problems
The Win2K redirector mrxsmb.sys and its partner code rdbss.sys have morphed twice since my discussion of these components in October (to read the article, visit http://www.winnetmag.com/articles/index.cfm?articleid=27037). These two components implement remote access to shared resources. Between them, they create a remote session, perform requested file-system operations (e.g., opening, closing, reading, or writing a file or spooling a print job), and terminate the session when you no longer need the resource. When a system encounters a problem connecting to or accessing a remote resource, you see event-log warning and error messages from mrxsmb.sys. As Table 1 illustrates, when things go wrong, mrxsmb.sys bugs can crash a system eight different ways. If you haven’t reviewed the redirector components for a while, you can add two additional blue screen problems to mrxsmb.sys’s bag of tricks. The November 2002 update eliminates a blue screen with a stop code of 0x0E3 that occurs when the redirector attempts to release a lock it doesn’t own, plus a crash with a stop code of 0xCE that might occur during shutdown. If you don’t have a support contract or you haven’t updated the redirector for months, you might want to download the November update so that it’s available if your systems exhibit any of the known Microsoft Server Message Block (SMB) problems. Microsoft published the updated November versions at the Microsoft Download Center (http://microsoft.com/downloads/details.aspx?familyid=83e6f78a-b2ed-4ff4-996e-d29fc44d6b43&displaylang=en). The March 2003 release fixes a bug that causes a system to crash with a stop code of 0xD1, but no details on the cause of this blue screen are available. The March version is available only from PSS. To check the version number of these two files running on your systems, use Windows Explorer to locate both files in the system root; they should appear in two places: %systemroot%\dllcache and %systemroot%\drivers. The running version is the file that appears in the dllcache folder. Right-click the file, click Properties, then click the Version tab. If the version number is lower than 5.0.2195.6114, you should consider updating these components.

TABLE 1: Known Redirector Problems

| Article | Title | Mrxsmb.sys File Release Date | Mrxsmb.sys Version Number | Rdbss.sys File Release Date | Rdbss.sys Version Number |
|---|---|---|---|---|---|
| 816036 | Windows 2000 Crashes with a ‘Stop 0x000000d1’ Error Message | March 3, 2003 | 5.0.2195.6676 | March 3, 2003 | 5.0.2195.6676 |
| 810038 | Stop 0x0E3 Error Occurs When Redirector Thread Tries to Release a Lock | November 5, 2002 | 5.0.2195.6114 | November 5, 2002 | 5.0.2195.6114 |
| 321613 | Stop 0x0a Error in nt!ExpBoostOwnerThread() Occurs on a Large Terminal Server Installation | September 23, 2002 | 5.0.2195.6067 | September 23, 2002 | 5.0.2195.6067 |
| 329175 | Rdbss.sys May Cause STOP 0xA Error | September 17, 2002 | 5.0.2195.6062 | September 17, 2002 | 5.0.2195.6062 |
| 315819 | STOP 0x50 Error Occurs in Mrxsmb.sys When the Digital Dashboard Is Loaded | September 17, 2002 | 5.0.2195.6060 | September 17, 2002 | 5.0.2195.6060 |
| 328776 | A "Stop 0x000000C2" Error Occurs When You Try to Close a File on a Network Share | September 4, 2002 | 5.0.2195.60 | August 23, 2002 | 5.0.2195.60 |
| 327643 | You Receive a "Stop 0x000000CE" Error Message During Shutdown | August 23, 2002 | 5.0.2195.6026 | August 23, 2002 | 5.0.2195.6026 |
| 327498 | Files May Appear to Be Empty with an Older Redirector | August 15, 2002 | 5.0.2195.6018 | August 15, 2002 | 5.0.2195.6018 |
| 325988 | A "Stop 50" Error Occurs in the Browser (Mrxsmb.sys) | July 19, 2002 | 5.0.2195.5955 | July 19, 2002 | 5.0.2195.5955 |
| 324224 | "Stop 0xc5" Error Message in Windows 2000 | July 19, 2002 | 5.0.2195.5956 | July 19, 2002 | 5.0.2195.5956 |
| 322019 | Data Loss Occurs When You Copy Files Over the Network Files | May 13, 2002 | 5.0.2195.5786 | May 13, 2002 | 5.0.2195.5786 |
| 321733 | A "Delayed Write Failed" Error Message Occurs When You Write a File to a Server | May 8, 2002 | 5.0.2195.5754 | April 4, 2002 | 5.0.2195.5535 |
| 319967 | You Cannot Open a File That You Moved to a DFS Share | April 5, 2002 | 5.0.2195.5535 | April 5, 2002 | 5.0.2195.5535 |
| 318789 | Redirector Does Not Cache Files When the SPARSE Attribute Is Set | April 4, 2002 | 5.0.2195.5534 | April 4, 2002 | 5.0.2195.5534 |
| SP3 | --- | September 22, 2002 | 5.0.2195.5434 | September 22, 2002 | 5.0.2195.5434 |
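
The version check described above can be applied to a collected inventory instead of one machine at a time. The following is an added example, not code from the article or from Microsoft: it compares file versions field by field against the 5.0.2195.6114 threshold and lists which Table 1 fixes a host predates. The host names and inventory are constructed, and it assumes a later redirector build carries the earlier fixes.

```python
# Added example: triage collected redirector versions against Table 1.
BASELINE = "5.0.2195.6114"  # threshold the article gives for both files

# (article number, symptom, mrxsmb.sys version with the fix): a subset of Table 1
TABLE1_FIXES = [
    ("816036", "Stop 0x000000d1", "5.0.2195.6676"),
    ("810038", "Stop 0x0E3 releasing a lock", "5.0.2195.6114"),
    ("321613", "Stop 0x0a in nt!ExpBoostOwnerThread()", "5.0.2195.6067"),
    ("327643", "Stop 0x000000CE during shutdown", "5.0.2195.6026"),
    ("322019", "Data loss copying files over the network", "5.0.2195.5786"),
]

def parse_version(text):
    """Turn '5.0.2195.6114' into (5, 0, 2195, 6114) so fields compare as numbers."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part file version: {text!r}")
    return tuple(int(p) for p in parts)

def needs_update(installed):
    """True when the version is lower than the article's threshold."""
    return parse_version(installed) < parse_version(BASELINE)

def missing_fixes(installed):
    """Table 1 articles whose fix shipped in a later build (assumes cumulative fixes)."""
    have = parse_version(installed)
    return [kb for kb, _, fixed_in in TABLE1_FIXES if have < parse_version(fixed_in)]

def audit(inventory):
    """Judge each host by the older of its two redirector files."""
    report = {}
    for host, files in inventory.items():
        oldest = min(files.values(), key=parse_version)
        report[host] = (needs_update(oldest), missing_fixes(oldest))
    return report

# Constructed inventory; WS03 has the mismatched file pair shown in the 321733 row.
INVENTORY = {
    "FS01": {"mrxsmb.sys": "5.0.2195.6676", "rdbss.sys": "5.0.2195.6676"},
    "TS02": {"mrxsmb.sys": "5.0.2195.6114", "rdbss.sys": "5.0.2195.6114"},
    "WS03": {"mrxsmb.sys": "5.0.2195.5754", "rdbss.sys": "5.0.2195.5535"},
}

if __name__ == "__main__":
    for host, (stale, kbs) in audit(INVENTORY).items():
        print(host, "UPDATE" if stale else "ok", "missing:", ", ".join(kbs) or "none")
```

Comparing the fields as integers matters because a plain string comparison would rank a five-digit final field below 6114.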