Jason Oakley via WinServerKB.com
I have a curious problem.
At the company I work in, we recently had about 80% of computers stop
working with explorer.exe crashing the second anyone types in their
username and password to log onto the AD domain.
After a huge amount of researching over the last couple of weeks I've
discovered the problem is related to shlwapi.dll.
All of our computers are installed from an image on a RIS server and
therefore all have Windows 2000 Service Pack 4 with Internet Explorer 5.5.
The two DLL files causing the problem have the version numbers:
6.0.2900.2573
6.0.2900.2627
From researching the Microsoft Support site and Google, I've come to the
conclusion that the second DLL above is an upgrade to the first and both
DLLs are actually for Windows XP systems running Internet Explorer 6!
I've checked the C:\WINNT directory for log files relating to Hotfixes and
the hotfixes which contain these DLLs (KB890923 & KB867282) are not
installed by our SUS server (at least there are no KB890923.log and
KB867282.log files whereas all our other KB files have logfiles). Looking
at the SUS Server Admin page, these KBs have not been Authorised to
download from Windows Update in the first place, so cannot have been
installed by SUS on our computers.
The first Hotfix applied to our desktop systems (KB890175) tries to
overwrite the shlwapi.dll with a 5.50 version:
---------
3.328: Deleting File: \??\C:\WINNT\system32\SET49.tmp ( File on disk is
newer than the temp file )
3.328: Source:C:\WINNT\system32\SET49.tmp
3.328: Destination:C:\WINNT\system32\SHLWAPI.DLL (6.0.2900.2627)
---------
This is also evidenced in setupapi.log:
---------
[2005/04/22 14:47:12 1004.10]
Munged cmdline: C:\WINNT\TEMP\IXP000.TMP\IEUPDATE.EXE /q Q824145
EXE name: C:\WINNT\TEMP\IXP000.TMP\IEUPDATE.EXE
Copying file C:\WINNT\TEMP\IXP000.TMP\SHLWAPI.DLL to C:\WINNT\system32\
SHLWAPI.DLL.
A newer file (C:\WINNT\system32\SHLWAPI.DLL) was overwritten by an older
(signed) file. Version of source file: 5.50.4930.1200. Version of target
file: 6.0.2900.2627. The SP_COPY_FORCE_NEWER flag was ignored. The existing
target file was not signed.
----------
I have no idea as yet where these spurious DLL files are coming from.
According to the Microsoft website there are only four ways this DLL
(being protected by Windows File Protection) can be overwritten, and that's:
1. Windows Service Pack installation using Update.exe
2. Hotfixes installed using Hotfix.exe or Update.exe
3. Operating system upgrades using Winnt32.exe
4. Windows Update
Our Windows Update SUS server only runs Tuesday nights, so it's unlikely to
be the culprit. In any case, rebuilding systems many times over the course
of that day resulted in the same computer dying as soon as a user logged in.
We are not upgrading to other versions of Windows.
We are not installing any new Service Packs.
The only thing left is Hotfixes, but as I said, we have not seen any logs
of these KBs with the DLL files in them.
As soon as anyone logs into the computers, we get "Explorer.exe has
generated errors and will be closed by Windows". The computer is then
unusable. We are able to fiddle around and get a command prompt. Using the
command prompt we have fixed the computers temporarily by:
1. inserting a Win2kSP4 cd and running 'sfc /scannow' which seems to
overwrite the bad dll files
2. upgrade to Internet Explorer 6.0SP1 which also overwrites the bad dll
files.
The other strange thing is 80% of the computers died around the same time
of day on April 22nd. After running either of the above fixes, we've had
about 3-4 computers with this problem happening most (but not all) days and
not on the same scale as that day.
Any ideas?
TIA
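
The `setupapi.log` entry quoted in the post can be extracted mechanically from logs collected across a fleet. The following is an added example, not part of the original post: it parses the log into sections and reports every "newer file overwritten by an older file" entry, noting whether the replaced file was unsigned. The function and field names are illustrative, and the second log section is constructed.

```python
import re

# Section 1: the setupapi.log excerpt from the post, e-mail line wraps removed.
# Section 2: constructed, an ordinary copy with no version conflict.
SAMPLE_LOG = r"""[2005/04/22 14:47:12 1004.10]
Munged cmdline: C:\WINNT\TEMP\IXP000.TMP\IEUPDATE.EXE /q Q824145
EXE name: C:\WINNT\TEMP\IXP000.TMP\IEUPDATE.EXE
Copying file C:\WINNT\TEMP\IXP000.TMP\SHLWAPI.DLL to C:\WINNT\system32\SHLWAPI.DLL.
A newer file (C:\WINNT\system32\SHLWAPI.DLL) was overwritten by an older (signed) file. Version of source file: 5.50.4930.1200. Version of target file: 6.0.2900.2627. The SP_COPY_FORCE_NEWER flag was ignored. The existing target file was not signed.
[2005/04/22 14:47:15 1004.11]
Munged cmdline: C:\WINNT\TEMP\IXP001.TMP\EXAMPLE.EXE /q
EXE name: C:\WINNT\TEMP\IXP001.TMP\EXAMPLE.EXE
Copying file C:\WINNT\TEMP\IXP001.TMP\EXAMPLE.DLL to C:\WINNT\system32\EXAMPLE.DLL.
"""

SECTION = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) [^\]]*\][ \t\r]*$", re.M)
EXE = re.compile(r"EXE name: (\S+)")
OVERWRITE = re.compile(
    r"A newer file \((?P<path>[^)]+)\) was overwritten by an older "
    r"\([^)]+\) file\. "
    r"Version of source file: (?P<source>\d+(?:\.\d+)*)\. "
    r"Version of target file: (?P<replaced>\d+(?:\.\d+)*)\."
)
UNSIGNED_TARGET = "The existing target file was not signed."

def find_downgrades(log_text):
    """Return one record per 'newer file overwritten by older file' entry."""
    parts = SECTION.split(log_text)  # [preamble, ts1, body1, ts2, body2, ...]
    findings = []
    for timestamp, body in zip(parts[1::2], parts[2::2]):
        flat = " ".join(body.split())  # undo any line wrapping inside the section
        exe = EXE.search(flat)
        hits = list(OVERWRITE.finditer(flat))
        for i, m in enumerate(hits):
            end = hits[i + 1].start() if i + 1 < len(hits) else len(flat)
            findings.append({
                "timestamp": timestamp,
                "installer": exe.group(1) if exe else None,
                "path": m.group("path"),
                "source_version": m.group("source"),
                "replaced_version": m.group("replaced"),
                "replaced_unsigned": UNSIGNED_TARGET in flat[m.end():end],
            })
    return findings

if __name__ == "__main__":
    for finding in find_downgrades(SAMPLE_LOG):
        print(finding)
```

Run over logs gathered from several machines, the timestamps and replaced versions show which hosts carried the unexpected 6.0.2900.x file before a hotfix reverted it.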