tomasz86 Posted November 22, 2011 (edited)

> Incidentally tomasz86, did you ever get around to writing-up what you know regarding problematic hotfixes? I'm eager to read your findings.

Yes, I've already analysed some files included in HBRs, but there's still a lot more to do. I hope I'll manage to finish the first part in the next few days.

> When you first install KB2479628, it's important to rebuild your icon cache (such as with TweakUI). I guess changing the color depth or resolution would do the same thing. I wish I knew how to get the installer to do it automatically.

The problem is that it happens randomly (once every few days) even after the cache is flushed. I can't reproduce it, unfortunately.

> Any suggestions regarding V5? I guess I can bump up the version if/when I release a V6.

That'd probably be the safest solution. You may also try to play with [OverrideVersionNumbers], but I don't really know if it works. In case you bump the number to higher than 7081, would it be difficult to add the changes from the original 915985 and BWC's 915985-v2?

Edited November 22, 2011 by tomasz86
WildBill (Author) Posted November 22, 2011

I'm taking a look at KB915985 and I'll see if I can push out a V6 with a higher version number. It looks like the changes in the HBR are pretty simple.
WildBill (Author) Posted November 23, 2011

I posted MS11-011 V6, which includes the KB915985 hotfix as well as the fix in blackwingcat's v2, with one exception: the HBR also has a change to RtlCallQueryRegistryRoutine that the hotfix doesn't mention, but my patch completely replaces it (and routines that call it) with the version from XPSP3. If it winds up being changed in XP then I can change it as well, but I figure the best thing to do is to leave RtlCallQueryRegistryRoutine alone.

The ntdll version is 5.0.2195.7082, which should make slipstreaming happy. I also found a couple more routines that could go into ntdll, so here's the new additions list:

ntoskrnl.exe/ntkrnlpa.exe/ntkrnlmp.exe/ntkrpamp.exe
KeAcquireInterruptSpinLock
KeReleaseInterruptSpinLock
InterlockedPushEntrySList
InterlockedPopEntrySList
RtlInt64ToUnicodeString
RtlIntegerToUnicode
RtlClearBit
RtlTestBit
RtlSetBit
ZwQueryInformationThread (already there, added it to the export table)
IoForwardIrpSynchronously/IoForwardAndCatchIrp (same routine, has two different exported names)
PsRemoveLoadImageNotifyRoutine (had to completely redesign the set and call routines to make this work)
PsRemoveCreateThreadNotifyRoutine (had to completely redesign the set and call routines to make this work)
_vsnwprintf
_aulldvrm
RtlGetVersion
KeFlushQueuedDpcs

ntdll.dll
RtlIpv4StringToAddressA
RtlIpv4StringToAddressW
RtlIpv4StringToAddressExA
RtlIpv4StringToAddressExW
RtlIpv4AddressToStringA
RtlIpv4AddressToStringW
RtlIpv4AddressToStringExA
RtlIpv4AddressToStringExW
RtlIpv6StringToAddressA
RtlIpv6StringToAddressW
RtlIpv6StringToAddressExA
RtlIpv6StringToAddressExW
RtlIpv6AddressToStringA
RtlIpv6AddressToStringW
RtlIpv6AddressToStringExA
RtlIpv6AddressToStringExW
RtlInitializeGenericTableAvl
RtlIsGenericTableEmptyAvl
RtlGetElementGenericTableAvl
RtlNumberGenericTableElementsAvl
RtlInsertElementGenericTableAvl
RtlDeleteElementGenericTableAvl
RtlEnumerateGenericTableLikeADirectory
RtlLookupElementGenericTableAvl
RtlEnumerateGenericTableWithoutSplayingAvl
RtlEnumerateGenericTableAvl
RtlEncodePointer (not a stub -- it's the real functionality and depends on changes to ntoskrnl.exe, etc.)
RtlDecodePointer (not a stub -- it's the real functionality and depends on changes to ntoskrnl.exe, etc.)
RtlInterlockedPushEntrySList
RtlInterlockedPopEntrySList
RtlInterlockedFlushSList
RtlQueryDepthSList
RtlInitializeSListHead
LdrLockLoaderLock
LdrUnlockLoaderLock
LdrAddRefDll
RtlComputePrivatizedDllName_U
RtlValidateUnicodeString
RtlDuplicateUnicodeString
RtlDowncaseUnicodeChar
RtlFindCharInUnicodeString
RtlpEnsureBufferSize
RtlMultiAppendUnicodeStringBuffer
RtlAppendPathElement
LdrEnumerateLoadedModules
RtlRandomEx
RtlUnhandledExceptionFilter2
RtlUnhandledExceptionFilter
RtlAddVectoredExceptionHandler (also involved updating LdrpInitializeProcess and RtlDispatchException and adding internal function RtlCallVectoredExceptionHandlers)
RtlRemoveAddVectoredExceptionHandler (also involved updating LdrpInitializeProcess and RtlDispatchException and adding internal function RtlCallVectoredExceptionHandlers)
RtlGetNtVersionNumbers
DbgPrintEx (Win2k doesn't support the extra features in this, so the call strips out the extra parameters and routes it to DbgPrint)
_vsnwprintf
_lfind
_aulldvrm
_alldvrm
RtlpNotOwnerCriticalSection
RtlpApplyLengthFunction
RtlCopyOutOfProcessMemoryStreamTo
RtlLockMemoryStreamRegion
RtlUnlockMemoryStreamRegion
RtlNtPathNameToDosPathName
RtlGetLengthWithoutLastFullDosOrNtPathElement
RtlCreateBootStatusDataFile
RtlComputeCrc32
RtlCaptureContext
RtlLockBootStatusData
RtlUnlockBootStatusData
RtlGetSetBootStatusData
RtlNtStatusToDosErrorNoTeb (already there, only had to add it to the export table)
RtlAddMemoryStream
RtlReleaseMemoryStream
RtlQueryInterfaceMemoryStream
RtlReadOutOfProcessMemoryStream
RtlRevertMemoryStream
RtlCloneMemoryStream
RtlCommitMemoryStream
RtlSetMemoryStreamSize
RtlWriteMemoryStream
RtlSeekMemoryStream
RtlCopyMemoryStreamTo
RtlReadMemoryStream
RtlStatMemoryStream
RtlInitMemoryStream
RtlFinalReleaseOutOfProcessMemoryStream
RtlInitOutOfProcessMemoryStream
RtlSetLastWin32ErrorAndNtStatusFromNtStatus
RtlSetLastWin32Error/RtlRestoreLastWin32Error (same routine, exported under two different names)

bootvid.dll
VidSetVgaPalette (used by the bootskin code)

kernel32.dll
DecodePointer (forwarded export to NTDLL.RtlDecodePointer)
EncodePointer (forwarded export to NTDLL.RtlEncodePointer)
InterlockedPushEntrySList (forwarded export to NTDLL.RtlInterlockedPushEntrySList)
InterlockedPopEntrySList (forwarded export to NTDLL.RtlInterlockedPopEntrySList)
InterlockedFlushSList (forwarded export to NTDLL.RtlInterlockedFlushSList)
QueryDepthSList (forwarded export to NTDLL.RtlQueryDepthSList)
InitializeSListHead (forwarded export to NTDLL.RtlInitializeSListHead)
GetModuleHandleExA
GetModuleHandleExW
IsWow64Process
IsWow64Message
GetProcessHandleCount
GetNativeSystemInfo (same as GetSystemInfo, simply added another export table entry)
SetDllDirectoryA
SetDllDirectoryW
GetDllDirectoryA
GetDllDirectoryW
AttachConsole
TzSpecificLocalTimeToSystemTime
SetClientTimeZoneInformation
IsValidUILanguage
GetSystemWow64DirectoryA
GetSystemWow64DirectoryW
SetHandleContext
GetProcessId
GetSystemTimes
CreateMemoryResourceNotification
QueryMemoryResourceNotification
AddVectoredExceptionHandler (forwarded export to NTDLL.RtlAddVectoredExceptionHandler)
RemoveVectoredExceptionHandler (forwarded export to NTDLL.RtlRemoveAddVectoredExceptionHandler)
RtlCaptureStackBackTrace
SetThreadUILanguage
LZStart
GetExpandedNameA
GetExpandedNameW
LZInit
LZDone
LZCreateFileW
LZOpenFileA
LZOpenFileW
LZSeek
LZRead
LZClose
LZCloseFile
LZCopy
CopyLZFile
GetVolumePathNamesForVolumeNameW
GetVolumePathNamesForVolumeNameA
GetHandleContext
GetCPFileNameFromRegistry
EnumerateLocalComputerNamesW
EnumerateLocalComputerNamesA
CreateSocketHandle
CreateNlsSecurityDescriptor
AddLocalAlternateComputerNameW
AddLocalAlternateComputerNameA
RemoveLocalAlternateComputerNameW
RemoveLocalAlternateComputerNameA
SetLocalPrimaryComputerNameW
SetLocalPrimaryComputerNameA
MacLover Posted November 25, 2011

I found an issue with your MS11-020 fix:

On Windows 2000 Advanced Server (probably any other server variant as well), when I enable Active Directory, I am unable to log on to the system unless I use safe mode *without* networking. I narrowed down the issue to being caused by the KERBEROS.DLL file from said update.

When I look at the event log on the system (in safe mode), it mentions Kerberos causing an exception and then a cascade of failures caused by that.
WildBill (Author) Posted November 25, 2011

Can you post the info from the event? If it has the address where it happened I could try to hunt it down.
MacLover Posted November 25, 2011

The information from the first event (the Kerberos failure) is as follows:

Event ID: 5000
Description: The security package Kerberos generated an exception. The package is now disabled. The exception information is in the data.
Data:
05 00 00 c0 00 00 00 00
00 00 00 00 dc 15 2b 78
02 00 00 00 00 00 00 00
00 00 00 00 3f 00 01 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
7f 02 ff ff 00 00 ff ff
ff ff ff ff 92 12 0a 00
20 40 45 03 20 2d 00 00
bristols Posted November 25, 2011

Hi WildBill,

Just a report about my experience after installing 2393802-v6 (for which, thank you).

So far, so relatively good (installed on a pre-existing system, not slipstreamed), except for one or two strange resource leak-type behaviours that I certainly haven't seen previously. A few hours' browsing with two browsers (Firefox and Opera) and multiple open tabs, Notepad++, Notepad2, xplorer2 Lite, and a handful of instances of Irfanview has been enough to trigger it.

I apologise for the vagueness. However, I'm pretty sure that the behaviour is a consequence (somehow) of installing your patch.
tomasz86 Posted November 25, 2011

I added the December 2011 cumulative time zone update. It's available for all 24 supported languages.

Windows2000-UU-KBz2633952-x86-ARA.exe
Windows2000-UU-KBz2633952-x86-CHS.exe
Windows2000-UU-KBz2633952-x86-CHT.exe
Windows2000-UU-KBz2633952-x86-CSY.exe
Windows2000-UU-KBz2633952-x86-DAN.exe
Windows2000-UU-KBz2633952-x86-DEU.exe
Windows2000-UU-KBz2633952-x86-ELL.exe
Windows2000-UU-KBz2633952-x86-ENU.exe
Windows2000-UU-KBz2633952-x86-ESN.exe
Windows2000-UU-KBz2633952-x86-FIN.exe
Windows2000-UU-KBz2633952-x86-FRA.exe
Windows2000-UU-KBz2633952-x86-HEB.exe
Windows2000-UU-KBz2633952-x86-HUN.exe
Windows2000-UU-KBz2633952-x86-ITA.exe
Windows2000-UU-KBz2633952-x86-JPN.exe
Windows2000-UU-KBz2633952-x86-KOR.exe
Windows2000-UU-KBz2633952-x86-NLD.exe
Windows2000-UU-KBz2633952-x86-NOR.exe
Windows2000-UU-KBz2633952-x86-PLK.exe
Windows2000-UU-KBz2633952-x86-PTB.exe
Windows2000-UU-KBz2633952-x86-PTG.exe
Windows2000-UU-KBz2633952-x86-RUS.exe
Windows2000-UU-KBz2633952-x86-SVE.exe
Windows2000-UU-KBz2633952-x86-TRK.exe
WildBill (Author) Posted November 25, 2011

> The information from the first event (the Kerberos failure) is as follows:
>
> Event ID: 5000
> Description: The security package Kerberos generated an exception. The package is now disabled. The exception information is in the data.
> Data:
> 05 00 00 c0 00 00 00 00
> 00 00 00 00 dc 15 2b 78
> 02 00 00 00 00 00 00 00
> 00 00 00 00 3f 00 01 00
> 00 00 00 00 00 00 00 00
> 00 00 00 00 00 00 00 00
> 00 00 00 00 00 00 00 00
> 7f 02 ff ff 00 00 ff ff
> ff ff ff ff 92 12 0a 00
> 20 40 45 03 20 2d 00 00

That was exactly what I needed: the first four dwords are 0xC0000005 (access violation), 0, 0 (null address accessed), 0x782B15DC (address where it was caused). The problem was obvious once I looked at it (actually, there were 2 occurrences of the problem). I'll post an update later today.
WildBill (Author) Posted November 26, 2011

MS11-020 V4 is posted, and hopefully it will fix the Kerberos bug. I also managed to squeeze SystemFunction036 into advapi32 (it's a super-duper random number generator, and Firefox 8 will use it if it detects it).
MacLover Posted November 26, 2011 (edited)

> MS11-020 V4 is posted, and hopefully it will fix the Kerberos bug. I also managed to squeeze SystemFunction036 into advapi32 (it's a super-duper random number generator, and Firefox 8 will use it if it detects it).

Thanks, the bug is fixed now.

EDIT: By the way, XP's MSVCRT.DLL works with your MS11-011 v6 update.

Edited November 26, 2011 by MacLover
WildBill (Author) Posted November 26, 2011

> Hi WildBill,
>
> Just a report about my experience after installing 2393802-v6 (for which, thank you).
>
> So far, so relatively good (installed on a pre-existing system, not slipstreamed), except for one or two strange resource leak-type behaviours that I certainly haven't seen previously. A few hours' browsing with two browsers (Firefox and Opera) and multiple open tabs, Notepad++, Notepad2, xplorer2 Lite, and a handful of instances of Irfanview has been enough to trigger it.
>
> I apologise for the vagueness. However, I'm pretty sure that the behaviour is a consequence (somehow) of installing your patch.

Strange. As far as I know, the patch doesn't do anything with resources. I took a pass through kernel32, ntdll, and ntoskrnl to see if I could spot any Unicode strings that weren't being freed, but so far everything looks okay. Are you seeing high memory usage for certain apps after a long time? Are you seeing it on both UP and MP processors? I'd probably need a lot more info before I'd know where to look, much less know that the patch itself is causing it.

I have it installed here, so I'll keep an eye out for memory leaks, but to date I've had no problems.
discdude Posted November 26, 2011

Just wanted to report my experiences with MS11-011 and MS11-020.

MS11-011 v6 works pretty well on my system. The only real issue that I've run across is that the drivers for my ATI Theater 750 PCIe TV card will sometimes freeze the computer when booting. Strangely enough, sometimes it will start working after rebooting a couple of times. I guess that is an improvement, since the drivers didn't work at all prior to installing MS11-011. Other than that, my computer has been working fine and I'm able to run several applications without BlackWingCat's KDW pack.

On the other hand, ZoneAlarm 7.0.483.000 does not like MS11-020 at all. It will blue screen right before the password prompt comes up.

The error message I get is:

***STOP: 0x0000001E (0xC0000005, 0xB1720D9F, 0x00000000, 0x00000000) KMODE_EXCEPTION_NOT_HANDLED
***ADDRESS B1720D9F base at B16DC000, DateStamp 4874da4c - vsdatant.sys

vsdatant.sys is part of ZoneAlarm.
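Both crash reports in this thread (the Kerberos Event ID 5000 data that WildBill decodes above, and discdude's STOP 0x1E parameters) carry the same information: an NTSTATUS exception code, the faulting instruction address, and for access violations a read/write flag plus the address that was touched. The script below is an added example, not code from the thread or from any of the patch authors. It assumes that the 80 bytes of Event 5000 data are a raw 32-bit EXCEPTION_RECORD (five DWORDs followed by up to 15 ExceptionInformation DWORDs, which is what winnt.h defines and what the dump's layout matches), decodes the fields, and for the STOP line subtracts the "base at" module address so the faulting instruction can be located as an offset inside vsdatant.sys. The hex dump embedded in the script is a constructed copy of the one posted in the thread.

```python
import re
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed copy of the Event ID 5000 'Data' bytes posted in the thread
# (Kerberos "security package generated an exception").
KERBEROS_EVENT_DATA = """
05 00 00 c0 00 00 00 00
00 00 00 00 dc 15 2b 78
02 00 00 00 00 00 00 00
00 00 00 00 3f 00 01 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
7f 02 ff ff 00 00 ff ff
ff ff ff ff 92 12 0a 00
20 40 45 03 20 2d 00 00
"""

# A few NTSTATUS exception codes (names as in ntstatus.h).
STATUS_NAMES: Dict[int, str] = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
    0xC0000094: "STATUS_INTEGER_DIVIDE_BY_ZERO",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
}
# ExceptionInformation[0] of an access violation: what kind of access faulted.
ACCESS_KIND = {0: "read", 1: "write", 8: "execute (DEP)"}
EXCEPTION_MAXIMUM_PARAMETERS = 15  # size of ExceptionInformation[] in winnt.h


@dataclass
class ExceptionRecord:
    """32-bit EXCEPTION_RECORD: five DWORD fields, then ExceptionInformation[]."""
    code: int
    flags: int
    nested_record: int  # pointer to a chained record, 0 if none
    address: int        # address of the faulting instruction
    parameters: List[int] = field(default_factory=list)

    @property
    def code_name(self) -> str:
        return STATUS_NAMES.get(self.code, f"0x{self.code:08X}")

    def describe(self) -> str:
        text = f"{self.code_name} at 0x{self.address:08X}"
        if self.code == 0xC0000005 and len(self.parameters) >= 2:
            kind = ACCESS_KIND.get(self.parameters[0], "unknown access")
            text += f": {kind} of address 0x{self.parameters[1]:08X}"
        return text


def parse_hex_dump(text: str) -> bytes:
    """Turn an Event Viewer 'Data' dump (space-separated hex byte pairs) into bytes."""
    return bytes(int(tok, 16) for tok in re.findall(r"\b[0-9a-fA-F]{2}\b", text))


def parse_exception_record(data: bytes) -> ExceptionRecord:
    """Decode a little-endian 32-bit EXCEPTION_RECORD, rejecting truncated or implausible input."""
    fixed = struct.calcsize("<5I")  # ExceptionCode, Flags, Record*, Address, NumberParameters
    if len(data) < fixed:
        raise ValueError(f"need at least {fixed} bytes, got {len(data)}")
    code, flags, nested, address, nparams = struct.unpack_from("<5I", data, 0)
    if nparams > EXCEPTION_MAXIMUM_PARAMETERS:
        raise ValueError(f"NumberParameters={nparams} is too large; not an EXCEPTION_RECORD?")
    if len(data) < fixed + 4 * nparams:
        raise ValueError("dump ends before the last ExceptionInformation entry")
    params = list(struct.unpack_from(f"<{nparams}I", data, fixed)) if nparams else []
    return ExceptionRecord(code, flags, nested, address, params)


def describe_bugcheck_1e(params: Tuple[int, int, int, int],
                         module_base: Optional[int] = None) -> Dict[str, object]:
    """Decode STOP 0x1E (KMODE_EXCEPTION_NOT_HANDLED) parameters:
    (exception code, faulting address, exception param 0, exception param 1).
    With the 'base at' address from the STOP line, also return the offset of the
    faulting instruction inside that module, which is what to look up in a disassembler."""
    code, address, p0, p1 = params
    info: Dict[str, object] = {
        "bugcheck": "KMODE_EXCEPTION_NOT_HANDLED",
        "code_name": STATUS_NAMES.get(code, f"0x{code:08X}"),
        "address": address,
    }
    if code == 0xC0000005:
        info["access"] = ACCESS_KIND.get(p0, "unknown")
        info["target"] = p1
    if module_base is not None:
        if address < module_base:
            raise ValueError("faulting address lies below the given module base")
        info["offset"] = address - module_base
    return info


if __name__ == "__main__":
    record = parse_exception_record(parse_hex_dump(KERBEROS_EVENT_DATA))
    print(record.describe())
    print(describe_bugcheck_1e((0xC0000005, 0xB1720D9F, 0, 0), module_base=0xB16DC000))
```

For the Kerberos dump the record decodes to an access violation at 0x782B15DC reading address 0, with NumberParameters = 2, which is the usual shape of a NULL-pointer dereference in a user-mode DLL. For the ZoneAlarm STOP the same decoding gives a read of address 0 from vsdatant.sys at offset 0x44D9F, the offset to inspect in the driver rather than the raw kernel address, which changes with every boot.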
WildBill (Author) Posted November 26, 2011

I'd need to get my hands on vsdatant.sys to try to see what's going on... I could put it in IDA Pro and see what that instruction is doing. I assume it runs normally without the patch installed?
discdude Posted November 26, 2011

> I'd need to get my hands on vsdatant.sys to try to see what's going on... I could put it in IDA Pro and see what that instruction is doing. I assume it runs normally without the patch installed?

Yes, it works normally without the patch installed.

I attached a copy of vsdatant.sys to this post. If need be, you can also download a copy of ZoneAlarm 7.0.483.000 from: http://download.zonealarm.com/bin/free/1023_zl/zlsSetup_70_483_000_en.exe

Thanks for your help.

Attachment: vsdatant.zip