Troubleshooting the Deployment of Service Packs and Updates

In a perfect world, the tools and methodologies discussed in this chapter are smoothly implemented and always work. Of course, in the real world, things do not always work as expected, and sometimes troubleshooting skills are necessary. Specific errors, issues, and steps to resolve issues are described in the sections that follow.

Troubleshooting SUS

Errors and issues related to SUS are outlined in Table 3.5. The associated cause and a possible resolution are provided for each issue.

Table 3.5 SUS Issues

Error or Issue

Cause

Resolution

Event ID 7024, server-specific error 2147944102. BITS does not start on Windows 2000 Server with Terminal Services (TS). After you install the automatic updates version 2.2 client on a Windows 2000 computer that has TS installed, BITS doesn't start and does not download the job that was passed to the service.

TS is set to start automatically. If this service is disabled, BITS does not start.

Remove the TS, or reset the service so that it starts automatically.

The automatic update client does not seem to have performed a detection cycle.


Force a detection by running gpedit.msc to configure the SUS server location. Configure the intranet Microsoft Update Service Location policy. Set the automatic updates policy to Not Configured. After setting the automatic updates policy to Not Configured, you can turn the service on and off by using the Control Panel. Start the tool in the Control Panel or use the Automatic Updates tab in Windows XP, set the option as desired, clear the Enable Automatic Updates check box, and then click Apply to apply the change. Within a few seconds, click to enable automatic updates and then click OK to force a detection cycle. Verify the changes by checking the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Autoupdate. Verify that the AUState value is 2; check the DetectionStartTime value, which should be approximately the time at which automatic updates was last used. The value is deleted after the detection cycle occurs (5 to 10 minutes). Finally, view the logfile for entries.

The automatic updates does not detect approved updates from SUS.

The client is unable to resolve the name of the server and/or the client does not receive policy settings.

First, look for an entry like client 2002/05/02 17:38:42:22:38l.42 Success IUENGINE Querying Software UpdateCatalog from http://servername/autoupdate/getmanifest.asp in the %SYSTEMROOT%\Windows Update.log file. The date in this entry should be after the most recent update time. If it is not, update detection has not occurred. You can force detection by stopping the automatic update service and editing the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Autoupdate. Then delete the LastWaitTimeout value and restart the service. After you do this, look for error codes in the Windows Update logfile.

Miscellaneous error codes are found in the update log file. These are codes generated when the client is trying to read the update information on the SUS server.

These may be due to various problems on the Web server side, and the error codes may lead you to a solution.

If a hexadecimal error code begins with 0x8019, convert the last three digits to decimal to get the HTTP status code. For example, 0x80190194 is status code 404.

The client is not getting updates, and the client was configured through manual editing of the registry.

Entries may not be in the correct place in the registry.

Use gpedit.msc to configure the client to make sure that registry entries are created in the correct location. In gpedit, under Computer Configuration, Administrative Template, select Action, Add/Remove Template. Click add and add the wuau.adm file. Then expand the Windows Components, Windows Update portion of Computer Configuration, Administrative Templates and configure the Windows Update policy.

The client was configured using group policy, but does not detect updates.

The computer may not be getting the group policy.

Use the gpresult tool from the Windows 2000 Resource Kit to determine whether the client computer is receiving the policy settings.

An error occurs when you attempt to load wuau.adm with poledit in Windows NT 4.0. The error is "unexpected keyword; found garbled characters: the file cannot be loaded."

wuau.adm uses Unicode, but Windows NT 4.0 does not.

Open the wuau.adm file in Notepad and choose File, Save As. Then, disable the Save As Unicode check box.

Error 0x80190194 is logged in the Windows Update logfile when the client queries autoupdatedrivers/getmanifest.asp.

This is an expected error that does not indicate a problem. The client is checking for driver updates, and SUS can't synchronize them. (This is actually a 404, "file not found," error.)

You are setting up SSL for accessing the IIS, and the IIS on the SUS server does not display the Content\EULA folder.

The Content\EULA folder does not appear until SUS has performed at least one successful synchronization.

Log on locally and manually synchronize the SUS server. Then set up SSL for remote administration.

The client cannot detect updates.

The client uses port 80 to detect updates. If the root of the Web site, the /content virtual root, or the /selfupdate virtual root is configured to use SSL, automatic update clients cannot detect updates.

Remove the SSL requirement from these folders.

SUS setup does not finish.

Many possibilities exist: The administrator is not logged on; SUS was installed through group policy with user settings; Internet Explorer 5.5 is not detected; an NTFS partition is not detected; Service Pack 2 or 3 is not detected; or there was an attempt to install SUS on a non-NTFS drive.

Modify the system to correct these errors. You might also need to turn off services that aren't required, such as antivirus software. Also, you should check the Event Viewer for messages. You need to be sure to upgrade to Windows Installer version 2.0 and turn on the Windows Installer logger. (More information can be found in knowledge base article 223300.)
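The 0x8019 rule in Table 3.5 is one case of the general HRESULT layout (failure bit, 11-bit facility, 16-bit code), so the same decoding also explains the decimal codes quoted in this chapter, such as 2147944102 and -2147024770. The following is an added example, not code from the book or from Microsoft: the names decode_hresult and triage_log and the sample log lines are constructed for illustration.

```python
import re

FACILITY_WIN32 = 7   # low 16 bits are a Win32 error code
FACILITY_HTTP = 25   # 0x19: low 16 bits are an HTTP status code

# Names for the two Win32 codes behind the decimal errors quoted in this chapter.
WIN32_NAMES = {126: "ERROR_MOD_NOT_FOUND", 1702: "RPC_S_INVALID_BINDING"}

# Table 3.5 calls a 404 on this path expected: SUS does not carry driver updates.
EXPECTED_404_PATH = "autoupdatedrivers/getmanifest.asp"

# Exactly eight hex digits, so malformed tokens are not silently decoded.
HEX_CODE = re.compile(r"\b0x[0-9A-Fa-f]{8}\b")

# Constructed sample lines, loosely modelled on the log entry quoted in Table 3.5.
SAMPLE_LOG = [
    "2002-05-02 17:38:42 Success IUENGINE Querying software update catalog "
    "from http://servername/autoupdate/getmanifest.asp",
    "2002-05-02 17:38:43 Error IUENGINE Querying software update catalog "
    "from http://servername/autoupdatedrivers/getmanifest.asp (Error 0x80190194)",
    "2002-05-02 17:40:10 Error IUENGINE Querying software update catalog "
    "from http://servername/autoupdate/getmanifest.asp (Error 0x80190193)",
    "2002-05-02 17:41:00 Error IUENGINE Downloading "
    "from http://servername/content/ (Error 0x801901F4)",
]


def decode_hresult(value):
    """Decode an error code given as an int or as a hex/decimal string.

    Signed decimal forms (as shown in error dialogs) are folded into the
    unsigned 32-bit value before the fields are extracted.
    """
    if isinstance(value, str):
        value = int(value.strip(), 0)
    value &= 0xFFFFFFFF
    facility = (value >> 16) & 0x7FF
    code = value & 0xFFFF
    if facility == FACILITY_HTTP:
        meaning = "HTTP %d" % code
    elif facility == FACILITY_WIN32:
        meaning = "Win32 %d (%s)" % (code, WIN32_NAMES.get(code, "name not in table"))
    else:
        meaning = "facility %d, code %d" % (facility, code)
    return {
        "hex": "0x%08X" % value,
        "failure": bool(value >> 31),
        "facility": facility,
        "code": code,
        "meaning": meaning,
    }


def triage_log(lines):
    """Return (line number, hex code, meaning, verdict) for each failure code.

    The driver-catalog 404 is marked "expected"; every other failure is
    marked "investigate" because it can mean a client is not being patched.
    """
    findings = []
    for number, line in enumerate(lines, 1):
        for token in HEX_CODE.findall(line):
            info = decode_hresult(token)
            if not info["failure"]:
                continue
            expected = (
                info["meaning"] == "HTTP 404"
                and EXPECTED_404_PATH in line.lower()
            )
            verdict = "expected" if expected else "investigate"
            findings.append((number, info["hex"], info["meaning"], verdict))
    return findings


if __name__ == "__main__":
    for code in ("0x80190194", "2147944102", "-2147024770"):
        info = decode_hresult(code)
        print(code, "->", info["hex"], info["meaning"])
    for finding in triage_log(SAMPLE_LOG):
        print(finding)
```
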

Troubleshooting hfnetchk

As you learned earlier in this chapter, hfnetchk is a command-line hotfix assessment tool that you can use to determine the hotfix status of multiple Windows operating systems and products. hfnetchk reports the service pack status of the computer as well. It neither downloads patches nor provides any way to update systems.

The most common problem experienced when using hfnetchk is typos. When you're troubleshooting problems with hfnetchk, the first thing to check is the accuracy of the entered command line. Other common problems include the following:

  • False positives—These problems occur when hfnetchk reports the need to apply a fix that is already applied. These reports should be considered suspect because there are a number of known issues where it is difficult for hfnetchk to determine whether a fix has been applied. These issues are documented in the notes. The report refers to a knowledge base article or to other information that either details how to determine whether the hotfix has been applied or why it might not be possible to determine. Known issues include MS01-022 and MS98-001.

  • hfnetchk displaying a message that the checksum is invalid and the file version is equal to or less than what is expected—If you have this problem, most likely the file is old and the patch has not been installed.

  • hfnetchk displaying a message that the checksum is invalid and the file version is greater than expected—If you have this problem, most likely you have installed a nonsecurity-related patch that just happens to install a file that is also in the hotfix. You might be protected from the vulnerability because the later version of the file might also include the fix.

  • After you install required patches, checksums still noted as bad—Another patch can sometimes install an even newer version of the file replaced by a hotfix. You should check file versions against those in knowledge base articles to verify that the correct files are present. You can use sigverif.exe (a Windows 2000 command-line tool) to verify that the Microsoft signature is on system files. This eliminates the possibility that a Trojan Horse version of the file was installed on the system.

  • Inability to read the XML file—The computer may not be able to access the XML file from the Microsoft site or cannot locate the one listed by using the –x switch. In this case, you need to verify the Internet connection or verify the alternate location and its accessibility. You can test to see that the local network or local copy of the file is not corrupt by attempting to open it in your browser. A good file will be readable in the browser.

Troubleshooting MBSA

The use of MBSA is straightforward and usually does not generate many errors. Mistakes can occur even with proper use, however, and the requirements and common problems in MBSA's configuration are detailed in the documentation that is downloaded with the tool. Administrators and users often choose to ignore these items, and therefore errors occur. Common errors or omissions and their resolution are detailed in Table 3.6.

Table 3.6 Common MBSA Problems and Solutions

Error or Problem

Cause

Solution

Unable to determine the computer file system type in Windows NT.

A registry check cannot verify that drives are hard disks. There may be a missing registry key in Windows NT.

There is currently no solution to this problem.

Different results occur between MBSA and Windows Update.

Windows Update carries critical updates only for Windows operating systems. MBSA reports missing security updates for Windows and for other applications, such as SQL Server. MBSA always looks for the latest hotfix. Windows Update may not because its scope is different.

There is currently no solution to this problem. Microsoft indicates that it is working to make scans consistent between products.

Can't install on Windows NT.

MBSA is not designed to be installed on Windows NT. MBSA can scan Windows NT from the Windows 2000 installation; it just cannot run on Windows NT.

Install MBSA on Windows 2000.

Can't find systems on the network

The DNS server is unreachable.

Make sure DNS services are running and reachable.

MBSA cannot read or locate the XML file.

Another application may have unregistered the XML parser.

Reregister the parser by using regsvr32 mscml.dll.

Troubleshooting Installation Problems

Problems can occur when you attempt to add service packs and/or hotfixes during installation. Table 3.7 lists known problems and their resolution.

Table 3.7 MBSA Installation Problems

Product and Problem

Cause

Resolution

RIS client cannot join the domain.

A prestaged computer account is disabled in Active Directory.

Enable (or reset) the account.

A stop 0x0000006b error is received, or setup stops when installing a Windows XP Service Pack 1 client via RIS.

NT LAN Manager (NTLM) version 2 is used during the client-logon phase of RIS installation of Windows XP Service Pack 1 and later. The problem is that SMB signing does not always occur.

Obtain a fix from Microsoft.

Using RIS, you get an error message saying that you have entered an invalid password and that you continue the installation and attempt to join the domain later.

You might have this problem during a RIS installation including Windows 2000 Service Pack 2. This is a problem with Kerberos, which substituted the computer name for the username that is necessary to join a domain.

As a workaround, you can shut off the computer if you have this problem. You can then restart the computer, and Setup will restart and successfully complete. To solve this problem, you must obtain a fix from Microsoft and change RIS to install Service Pack 3.

You get Error 86, "The specified network password is not correct," when attempting to map a drive using net use during an unattended installation of Service Pack 2.

The unattended installation is slipstreamed. Or, the net use command is run directly from the cmdlines.txt file as net use [driveletter:] [\\computername\sharename\][password] [/user:[domainname\]username]. In this case, domainname is the name of the domain the computer is a member of.

Allow the GUI portion of Windows to complete and then reboot the computer. The installation will continue. Or, use a nonexistent domain name.

You cannot use a combination installation of Windows 2000, Service Pack 2, and post-Service Pack 2 hotfixes from a network share.

Hotfixes already included in Service Pack 2 are inadvertently added to the share. Service Pack 2 fixes (that is, post–Service Pack 1 fixes) have an sp2.cat file that contains the necessary signatures to allow Windows file protection to properly function. If the fix is slipstreamed into the share point, the new sp2.cat file overwrites the old and breaks Windows file protection.

You should slipstream only Windows Service Pack 3 and later fixes into a combination (Service Pack 2, Windows 2000, and hotfix) installation share.

You get the message "The BINL service cannot locate a flat image with a version of the riprep image" or the message "Missing CD image."

This might occur when you're using RIS to install Windows 2000 Professional from an image created with riprep.exe or when attempting to create the riprep image. If a riprep image is used, a RIS server must find a CD-ROM-based image that matches the riprep image that is selected from the Client Installation Wizard. When no CD-ROM-based image is available, installation fails. The error also occurs when you run riprep.exe on a computer that has a hotfix that updates ntoskrnl.exe or you attempt to run riprep.exe on a computer that has a service pack installed but no image with the same service pack exists on the computer.

Make sure the proper CD-ROM–based images are available.

Hotfixes in the [SetupHotfixesToRun] section of the svcpack.inf file are not installed.

This technique does not work until Service Pack 2.

Update installation to include a more current service pack.

During an attempt to slipstream a Windows 2000 service pack into a CD-ROM–based image on the RIS server using the update –s switch, the following error occurs: "An error has occurred copying files from the service pack share to the distribution folder."

The slipstream switch for update.exe does not support slipstreaming to a CD-ROM–based RIS image.

Use risetup.exe to create the CD-ROM–based RIS image that has a slipstreamed service pack. You can create the slipstreamed installation folder on another server, share the folder, and then use risetup.exe. When you're prompted for the location of the files, type the path to the share.

RIS clients stop responding at the Setup Is Starting Windows 2000 screen.

If a slipstreamed CD-ROM–based image is attempted, the error "An error has occurred copying files from the service pack share to the distribution folder" occurs. The slipstream switch does not support this.

Use risetup.exe to create the CD-ROM–based RIS image that has a slipstreamed service pack. You can create the slipstreamed installation folder on another server, share the folder, and then use risetup.exe. When you're prompted for the location of the files, type the path to the share.

Troubleshooting qchain

qchain works to ensure that hotfixes are installed in the proper order for Windows NT and to ensure that hotfixes chained without a reboot do not install the wrong updated version of a file. However, qchain may not work correctly if hotfixes contain binary files, as listed in the HKLM\System\CurrentControlSet\Control\Session Manager\KnownDLLs registry key. The reason appears to be the code used to identify the version of these files. Post–Service Pack 2 hotfixes have been corrected to identify correct file versions and eliminate this problem.

Troubleshooting Windows Update

Errors can occur during use or attempted use of the Windows Update site. Table 3.8 enumerates the error conditions and explains possible causes and solutions. Many of these errors and problems are caused by failed installations or damaged scripting engines. Thus, removing and then reinstalling the Windows Update script engine often resolves Windows Update problems.

Table 3.8 Problems with Windows Update

Error or Problem

Cause

Solution

You are prompted to install the March 4 security update, even though you have already done so or have installed Service Pack 3 for Windows 2000 (which includes the update).

The Java Runtime Environment (JRE) from Sun Microsystems is installed. This sets the HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Components\{08b0e5c0-4fcb-11cf-aaa5-00401c608500} key to 3802, which triggers the prompt.

If Windows 2000 (Service Pack 3) or Windows XP Service Pack 1 and Microsoft Virtual Machine 5.00.3805 are installed, this may not apply. Removing the JRE does not change the key. You need to reinstall the update to update the registry value to 3805.

The error "JavaScript:void(0)" appears in the Internet Explorer status bar, and no downloadable file is received.

The scripting engine is damaged.

Download and install a new engine.

The Download button appears dimmed after components are chosen.

The Internet Explorer cache/history needs to be cleared or the control is damaged.

Clear the Internet Explorer cache and history, remove Windows Update controls, and install a new Windows script.

The Download button does not work.

There's a problem with the Visual Basic scripting engine.

Clear the Internet Explorer cache, install a new script engine, and disable antivirus software or Internet filter software.

You get Error 403, "Access denied/forbidden."

There may be interference from ATGuard personal firewall or other security, ad removal, download assistant, or Web accelerator software. The Windows Update control may be damaged or missing. The host file may be damaged or contain incorrect information. There may be missing or damaged Internet Explorer files.

Remove suspect software and try using Windows Update again. If it still does not work, remove Windows Update controls and install a new scripting engine.

The WINUP-Blank Page is displayed. You might get the message "Done, but with errors on page" in the Internet Explorer status bar.

The Visual Basic Scripting support (VBScript) component failed to install properly or became corrupted after installation.

Remove the Windows Update controls and then reinstall them.

You are accessing through a proxy server or firewall and receive one of the following messages: "Cannot display page" or "Download and installation failed." The site hangs on the "Please Wait" window as it starts to initialize the product catalog.

Possible software incompatibility could involve WinProxy by Otis Software, WinGate by Deerfield.com, or Internet Gate from MaccaSoft. Possible caching of the Windows Update page might interfere with installation and initialization; port 80 or 443 may be disabled (both of these are used by Windows Update); and client machines may not be configured to allow active scripting or download and initialization of ActiveX controls.

Clear the proxy cache and configure it to exclude the Windows Update site; enable ports 80 and 443; set Internet Explorer security on the client to Medium or lower, with Active Scripting enabled and allowing download and initialization of ActiveX controls.

You get an error about installing a dependency.

The software control did not download or install properly.

Uninstall the control and then reinstall it.

An unknown error occurs.

The software control did not download or install properly.

Uninstall the control and then reinstall it.

You chose not to download the software controls or there was a problem with downloading the controls, and much of the Windows Update site is unavailable to you. If you would like to download the controls, you need to click Try Again.

The software control did not download or install properly.

Uninstall the control and then reinstall it.

You get the error "Your Internet Explorer security settings are set too High. In order to use the Windows Update site, you need to set your security settings at Medium."

Windows Update requires Medium to Low security.

Set Internet Explorer security settings to Medium.

You get the error "Internet Explorer cannot open the Internet site address. A connection to the server cannot be established."

TCP/IP connectivity problems are occurring.

Troubleshoot TCP/IP connectivity.

The computer stops responding (hangs) when you attempt to download a file from the Windows Update site.

A script may be corrupt.

Install a new Windows Update script.

You encounter an error when loading the script (that is, when downloading a critical update).

The Windows script is damaged.

Reinstall or remove and install the script.

You receive an "unknown error (-2147024770)" message when trying to install a Windows update.

Internet Explorer is corrupt or some system files are not registered correctly.

Repair the Internet Explorer installation by using Control Panel, Add/Remove Programs. If the Add/Remove Programs applet does not display Internet Explorer 5.5, use the command rundll32 setupwbv.dll,ie5maintenance.


The first problem in Table 3.8 is an interesting one. Not only does it reveal an interesting application conflict, which may result in an unnecessary warning, but the problem can actually prevent another advisory from occurring. Thus, it may mask a potential security vulnerability. The issue occurs because a third-party product modifies the registry key that is used by hfnetchk and the Windows Update site to determine whether a patch has been added. This results in a warning even if the patch has been installed. It also prevents a warning on another update (which requires the first to be installed). Fixing the first problem allows the Windows Update site or hfnetchk to give the correct warning if it affects the system. The two security bulletins to examine are MS02-013 and MS02-052. More information can be found in knowledge base article 329077.


You should use security zones to avoid the problem created when you lock down Internet Explorer and then try to use Windows Update. Windows Update requires that active scripting be enabled and the client be set to allow the download and initialization of ActiveX controls. You can put the Windows Update site address in the Trusted Sites zone and allow those activities there. You can then restrict them in the other security zones.
