Can't apply KB835732 on various Win2k systems

Guest

On various systems (all Win2k) the KB835732 patch does not apply other than in Safe Mode. When trying to install, technicians get the error 'lsass.exe cannot be terminated.' Obviously it can't be stopped manually. The %windir%\kb835732.log is rather undecipherable, but I do notice lots of errors (I'll attach a section of one log at the bottom of this post). The System event log gives a Windows File Protection event for sp3res.dll and then auto-uninstalls the patch (see full events below). I can't find any similarities between the systems - some are SP3, some SP4. Some are one version of our standard image, some are another. Some have special software loaded, some don't.

Has anyone encountered this as well, or have any idea how to resolve it? Rebooting into Safe Mode seems to work, but it's a lot of extra work.

[from System event log]

Event Type: Information
Event Source: Windows File Protection
Event Category: None
Event ID: 64021
Date: 5/4/2004
Time: 10:36:40 AM
User: N/A
Computer: (removed)
Description:
The system file c:\winnt\system32\sp3res.dll could not be copied into the DLL cache. The specific error code is 0x00000020 [The process cannot access the file because it is being used by another process.
]. This file is necessary to maintain system stability.

Event Type: Information
Event Source: NtServicePack
Event Category: None
Event ID: 4382
Date: 5/4/2004
Time: 10:36:45 AM
User: (domain user w/ local admin access)
Computer: (removed)
Description:
Windows 2000 KB835732 was removed from your computer, and the previous Windows 2000 configuration was restored.

[from %windir%\kb835732.log - white space & "***" lines removed to save space]
================== Update.exe started at 5/ 4/2004 at 10:34:42 ==================
Service Pack started with following command line:
DoInstallation: CleanPFR failed: 0x2
SetAltOsLoaderPath: No section uses DirId 65701; done.
IncludeDirectoryIdFromInfSection: No DirId found for: DontRemoveOnUninst.DirId
FetchSourceURL: SetupOpenInfFile Failed to open file: c:\9568cc827f370578407edb7f06e5\update\update.url
DoInstallation: FetchSourceURL for c:\9568cc827f370578407edb7f06e5\update\update.inf Failed
LoadFileQueues: SetupGetSourceFileLocation for halacpi.dll failed: 0xe0000102
BuildCabinetManifest:SetupOpenInfFile failed with error INVALID_HANDLE_VALUE
AnalyzePhaseZero used 0 ticks
CreateUninstall = 1,Directory = C:\WINNT\$NtUninstallKB835732$
AnalyzePhaseOne: used 7691 ticks
AnalyzeComponents: Hotpatch analysis disabled; skipping.
AnalyzeComponents: Hotpatching is disabled.
AnalyzePhaseTwo used 100 ticks
AnalyzePhaseThree used 0 ticks
AnalyzePhaseFive used 0 ticks
AnalyzePhaseSix used 30 ticks
AnalyzeComponents used 7821 ticks
Downloading 0 files
bPatchMode = FALSE
Inventory complete: ReturnStatus=0, 7951 ticks
Num Ticks for invent : 7951
Allocation size of drive C: is 512 bytes, free space = 11345235456 bytes
LoadFileQueues: SetupGetSourceFileLocation for halacpi.dll failed: 0xe0000102
Drive C: free 10819MB req: 51MB w/uninstall 83MB
Num Ticks for download : 851
CabinetBuild complete
Num Ticks for Cabinet build : 0
Starting process: C:\WINNT\system32\secedit.exe /configure /cfg C:\WINNT\inf\hfsecper.inf /db C:\WINNT\security\templates\hfsecper.sdb /log C:\WINNT\security\logs\hfsecper.log
Return Code = 1
LoadFileQueues: SetupGetSourceFileLocation for halacpi.dll failed: 0xe0000102
Num Ticks for Backup : 3996
Num Ticks for creating uninst inf : 2233
Registering Uninstall Program for -> KB835732, KB835732 , 0x0
LoadFileQueues: SetupGetSourceFileLocation for halacpi.dll failed: 0xe0000102
SfcTurnOff: System is not Win2k < SP2; Not turning off SFC.
SfcTurnOff: SFC was not turned off; using MakeSfcFileException.
AtomicReplaceFile: Calling HpReplaceSystemModule( C:\WINNT\system32\ADVAPI32.DLL, HFX18.tmp, _000064_.tmp, FALSE ).
AtomicReplaceFile: HpReplaceSystemModule failed; status=0xc0000003, location=684.
DoNoDelayReplace: Atomic replace support not implemented; disabling.
Copied file: C:\WINNT\system32\ADVAPI32.DLL
Message displayed to the user: The file C:\WINNT\system32\LSASS.EXE is open or in use by another application.
Close all other applications and then click Retry.
User Input: CANCEL
Message displayed to the user: Are you sure you want to cancel?
User Input: YES
DoInstllation: SetupCommitFileQueue for FileQueue failed: 0x4c7
VerifySize: Unable to verify size: Source = NULL: c:\winnt\oem12.cat
KB835732 Setup canceled.
Select 'OK' to undo the changes that have been made, or select 'Cancel' to quit. If you select 'Cancel', your system will be left in a partially updated state and may not work correctly.
Message displayed to the user: KB835732 Setup canceled.
Select 'OK' to undo the changes that have been made, or select 'Cancel' to quit. If you select 'Cancel', your system will be left in a partially updated state and may not work correctly.
User Input: OK
Starting process: C:\WINNT\$NtUninstallKB835732$\spuninst\spuninst.exe /~ -u -z
Dirty Uninstall was successful
[KB835732.log]
2004/5/4 10:42:39.669
Exe = UPDATE.EXE, Version = 5.4.1.0
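
A triage pass over the installer log in the post above, as an added example that is not part of the original thread: it decodes the error codes and shows that 0x4c7 is the technician's Cancel click, which leaves the locked LSASS.EXE as the step that stopped setup. The sample lines are excerpted from the posted log; the function and variable names are illustrative.

```python
import re
from collections import Counter

# Well-known Windows codes seen in the post's log and event entries
# (Win32, SetupAPI and NTSTATUS values).
CODES = {
    0x2: "ERROR_FILE_NOT_FOUND",
    0x20: "ERROR_SHARING_VIOLATION",
    0x4C7: "ERROR_CANCELLED",
    0xE0000102: "ERROR_LINE_NOT_FOUND (SetupAPI)",
    0xC0000003: "STATUS_INVALID_INFO_CLASS",
}

# Lines excerpted from the kb835732.log quoted in the post above.
SAMPLE_LOG = r"""DoInstallation: CleanPFR failed: 0x2
LoadFileQueues: SetupGetSourceFileLocation for halacpi.dll failed: 0xe0000102
LoadFileQueues: SetupGetSourceFileLocation for halacpi.dll failed: 0xe0000102
AtomicReplaceFile: HpReplaceSystemModule failed; status=0xc0000003, location=684.
Copied file: C:\WINNT\system32\ADVAPI32.DLL
Message displayed to the user: The file C:\WINNT\system32\LSASS.EXE is open or in use by another application.
User Input: CANCEL
Message displayed to the user: Are you sure you want to cancel?
User Input: YES
DoInstllation: SetupCommitFileQueue for FileQueue failed: 0x4c7
User Input: OK
Dirty Uninstall was successful
"""

FAILED = re.compile(r"^(\w+):.*\bfailed\b.*?(0x[0-9a-f]+)", re.I)
LOCKED = re.compile(r"The file (\S+) is open or in use", re.I)


def triage(log_text):
    """Summarise an update.exe log: failures, locked files, operator input."""
    failures, locked, inputs = Counter(), [], []
    rolled_back = False
    for line in log_text.splitlines():
        line = line.strip()
        if m := FAILED.search(line):
            code = int(m.group(2), 16)
            failures[(m.group(1), CODES.get(code, hex(code)))] += 1
        if m := LOCKED.search(line):
            locked.append(m.group(1))
        if line.startswith("User Input:"):
            inputs.append(line.split(":", 1)[1].strip())
        if "Uninstall was successful" in line:
            rolled_back = True
    # ERROR_CANCELLED after a "file in use" prompt records the operator's
    # Cancel click, so the locked file is the thing to chase, not the code.
    cancelled = any(name == "ERROR_CANCELLED" for _, name in failures)
    if locked and cancelled:
        cause = "locked file: " + locked[0]
    elif locked:
        cause = "locked file (no cancel logged): " + locked[0]
    else:
        cause = "unknown"
    return {"failures": dict(failures), "locked": locked, "inputs": inputs,
            "rolled_back": rolled_back, "cause": cause}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for (func, name), n in report["failures"].items():
        print(f"{n}x {func}: {name}")
    print("cause:", report["cause"], "| rolled back:", report["rolled_back"])
```

The failures logged before the `Copied file` line did not stop setup in this log; it continued until the in-use prompt for LSASS.EXE.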
 

Kiran Sanghi

I have the same problem w/ KB835732 not installing on W2K Pro
SP4 PCs. If you hear or find a solution, please e-mail
me at (e-mail address removed). Thanks!
Kiran

Jerry Bryant [MSFT]

Aaron,

So these machines have the Sasser worm? Sounds like it. See the recovery
steps in the instructions below:

NEW WORM: SASSER
If the recovery procedures in this bulletin do not resolve your issue,
please contact Microsoft at 1-866-PCSafety (1-866-727-2338).
Microsoft has learned about a worm identified as "W32.Sasser.worm" that is
currently circulating on the Internet. The worm exploits the Local Security
Authority Subsystem Service (LSASS) vulnerability which was fixed in
Microsoft Security Update MS04-011 on April 13, 2004.
Microsoft encourages customers to protect themselves against this worm by
immediately installing Microsoft Security Bulletin MS04-011 from the
following Web site:

www.microsoft.com/technet/security/bulletin/ms04-011.mspx

PRODUCTS AFFECTED
- Windows XP Home
- Windows XP Professional
- Windows XP 64 Bit Edition
- Windows 2000 Professional
- Windows 2000 Server Edition


IMPACT OF ATTACK
Remote Execution of Code

TECHNICAL DETAILS
For additional details on this worm from antivirus software vendors
participating in the Microsoft Virus Information Alliance (VIA), please
visit the following Web sites:

- F-secure: http://www.f-secure.com/v-descs/sasser.shtml
- Global Hauri: http://www.globalhauri.com/html/notice/notice_read.html?uid=447
- Network Associates: http://vil.nai.com/vil/content/v_125007.htm
- Norman: http://www.norman.com/Virus/Virus_descriptions/14919/en-us
- Panda: http://www.pandasoftware.com/virus_info/threats.aspx
- Sophos: http://www.sophos.com/virusinfo/analyses/w32sassera.html
- Symantec: http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html
- Trend Micro: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SASSER.A

For more information about Microsoft's Virus Information Alliance, please
visit the following Web site:
http://www.microsoft.com/technet/security/topics/virus/via.mspx

Please contact your Antivirus Vendor for additional details about this
virus.

PREVENTION
1. Install the latest Microsoft Security Bulletin MS04-011 from the
following Web site:

http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

2. Users who have enabled the Windows XP Firewall are protected from the
vector this worm attacks -- the TCP Port 139. Most third party firewalls
also block this attack vector by default.

RECOVERY
If your computer has been infected with this virus, please contact your
preferred antivirus vendor or Microsoft Product Support Services for
assistance with removing it.
Follow the below steps to try and resolve the issue:
If you are connected to a network within your company, refer to the
Anti-Virus software vendor for support on the Sasser or AgoBot viruses.
If your machine is rebooting, sluggish or your Internet connection is slow

1. Terminate the following processes in Task Manager.

Access your Task Manager one of the following ways:
1. Right click the Taskbar and select Task Manager.
2. On the keyboard, press CTRL + ALT + DEL and then select Task Manager.
3. Click on processes tab.
4. Highlight process to terminate and press End Process.

1. any process ending with _up.exe
2. any process starting with avserv
3. hkey.exe
4. msiwin84.exe
5. wmiprvsw.exe
****Note: There is a legitimate system process called 'wmiprvse.exe' that
does NOT need to be terminated.

2. Remove your computer from the Internet by:
a) Unplug their internet cable(s). (Preferred method)
b) Disable their internet connection.

Note: This is a required step. If you do not disconnect your internet
connection, it may result in a crash.


Enable your Internet Connection Firewall (ICF).
If you are using Windows XP:
1. Click the Start button and then click Control Panel. Double-click
"Networking and Internet Connections" and then click Network Connections.
2. Right-click the current Internet or Network connection and then click
Properties.
3. On the Advanced tab, click to select the option to "Protect my computer or
network."

If you are using Windows 2000:
Enable Advanced TCP/IP filtering on all interfaces to block un-solicited
incoming network packets.
1. Click the Start button, click Run and type: cmd.exe
2. Click Enter and then type the following command:

echo dcpromo >%systemroot%\debug\dcpromo.log

3. Then type the following command:

attrib +R %systemroot%\debug\dcpromo.log

Install Microsoft Security Patch MS04-011
1. Connect to the Internet and install the patch from Microsoft to remove
the vulnerability. You must disable your antivirus software before
installing the patch.
2. To install the patch, visit the following Web site:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
3. Reboot the machine after the patch is installed.

Run the Sasser Removal Tool.

To access the tool, visit one of the following Web sites:
- http://www.microsoft.com/security/incident/sasser.asp
- http://www.microsoft.com/downloads/...7E-1B6B-4FC3-90D4-9FA42D14CC17&displaylang=en
- Via KB article 841720 located at
http://support.microsoft.com/default.aspx?scid=kb;EN-US;841720.


Check your machine for infection from a variant of the Agobot worm.

The Agobot worm can infect your machine using the same method as the Sasser
worm.
1. Contact your antivirus vendor or run the update on your antivirus
signatures to ensure you have the latest version.
2. Run a full antivirus scan on your machine.

Note If you do not have an antivirus product installed, you can perform a
free antivirus scan from HouseCall TrendMicro. For more information, visit
the following Web site:

http://housecall.trendmicro.com/

3. Finally, go to Windows Update to ensure you have all other necessary
Critical Updates installed on your machine. Microsoft recommends doing this
on a regular basis to ensure your machine is kept up to date.

For more information about Windows Update, visit the following Web site:
http://windowsupdate.microsoft.com/

If these steps do not resolve the issue please call 1-866-PCSAFETY or (866)
727-2338.
During a virus situation you may experience longer than normal hold times or
a busy signal.
--
Regards,

Jerry Bryant - MCSE, MCDBA
Microsoft IT Communities

Get Secure! www.microsoft.com/security


This posting is provided "AS IS" with no warranties, and confers no rights.

Guest

No, they are not infected because McAfee VirusScan is blocking the worm from installing. They are affected, though, as the vulnerability still exists so the buffer overflow in lsass still occurs and the system still restarts occasionally. The issue I'm having is that when trying to install the patch it errors with "lsass cannot be terminated." See my original post for more details.
 

Jerry Bryant [MSFT]

You should still follow the instructions I gave to get the patch installed
as they will assist you in disabling the services being attacked and causing
the lsass shutdown issue.
--
Regards,

Jerry Bryant - MCSE, MCDBA
Microsoft IT Communities

Get Secure! www.microsoft.com/security


This posting is provided "AS IS" with no warranties, and confers no rights.

News Microsoft

Hi all

Maybe somebody can help me. I can install the patch with no problem, but when I
install it, Internet Explorer 6 can't open anymore. I have 3 computers with Win
2000 Pro SP4, all updates done, but only on 1 of them I can't install the
patch; IE crashes.

--
Roger
** I know I'm terrible at written French **
Remove SPAM from e-mail
 
