Fred: 0x800A138F with 0xC00CE55F error

Steve Egbert

I have been getting the referenced errors since Dec 1.
In the Windows Update group, a fix has been found for this
in XP, but it does not work for W2K. Fred has asked me to
move the W2K discussion of this problem to this group:

Fred:
This machine is a fresh install of W2k SP4 with IE6.1. I
can provide a list of all the patches that are installed,
if needed.
Windows Update functioned fine prior to Dec 1. I had
installed Visual Studio 6 (Source Safe) and Visual
Studio.net prior to that and it still worked. On Dec 1 I
installed Visual Studio 6 (VC++ and Interdev) first thing
in the morning, and after that install, it did not work.

IE6 says cypher strength 128 bits.

HKLM\Software\Microsoft\Cryptography\Defaults\Provider Types\Type 001 = microsoft strong cryptographic provider

HKLM\Software\Microsoft\Cryptography\Defaults\Provider\microsoft strong cryptographic provider
(Default) REG_SZ (value not set)
Image Path REG_SZ rsaenh.dll
SigInFile REG_DWORD 0x00000000 (0)
Type REG_DWORD 0x00000001 (1)

rsaenh.dll - Microsoft Corporation version 5.0.2195.6611
rsabase.dll - Microsoft Corporation version 5.0.2195.6619
-----Original Message-----


| There is no entry for "System
| Cryptography: Use FIPS compliant algorithms" under Control
| Panel, Administrative Tools, Local Security Policy, Local
| Policies, Security Options

W2K's Schannel.dll does indeed not support an overall FIPS-compliant policy.
W2K's SecEdit does have a "Secure channel: Require strong (Windows 2000 or
later) session key" policy item, but that affects WinLogon only.

| In
| [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
| ALL 11 ciphers have only the default value set.

Some questions about your W2K machine:

Did the Windows Update service function ok on that machine before December,
1st ?

If you're not running US "domestic" crypto, did you ever install the W2K
ServicePack that made your system "128-bits" ?

Check "HKLM\Software\Microsoft\Cryptography\Defaults\Provider Types\Type 001".
What does the Name value say ? "Microsoft Strong Cryptographic Provider" ?

Then check
"HKLM\Software\Microsoft\Cryptography\Defaults\Provider\<providername>".
Are you sure that your default RSA Full CryptoAPI provider is one supplied by
Microsoft (rsaenh.dll/rsabase.dll) ?

Fred



Fred

Steve, I see you really want to get this problem solved. Together we should
be able to get to the real problem here.

Reading your reply, the CryptoAPI cannot be the problem.

I noticed your remark about having OfficeXP installed too.

Let's start with a dependency (call tree) analysis (yes, the "DLL hell").
And concentrate on the failing HTTP GET over SSL/TLS of a filled-out catalog
XML-response from:
https://v4.windowsupdate.microsoft.com/getmanifest.asp

I presume that when you let IE browse to the ASP URL (no parameters) above,
you already get the following XML document returned:
<catalog><provider /></catalog>

That indicates that you can successfully connect over HTTPS to MsWU.

The IE Windows Update v4 pages activate two ActiveX controls directly
(I always thought MS WU already would use Web Services on SOAP, but that
does not seem to be the case):

WU Page top.js gives us:
function fnInitializeControl(l)
    sCodeBase = "/CAB/" + g_sCpuClass + "/" + (conWinNT ? "unicode/" : "ansi/") +
        "iuctl.CAB?" + dDate.getTime();
    IUCtl.outerHTML =
        "<object id='IUCtl' classid='CLSID:9F1C11AA-197B-4942-BA54-47A8489BB47F' codebase='" +
        sCodeBase + "'></object>";
    g_oControl = IUCtl;
====> running %SystemRoot%\System32\IUctl.dll

Control IUCtl is the Windows Update Client Control. I presume it is recent
on your PC: v5.4.3790.14

WU Page top.js also gives us:
function xmlNewXML()
oXML = new ActiveXObject("Microsoft.XMLDOM");
====> running %SystemRoot%\System32\MsXml3.dll

This MsXml3.dll should be an sp4 version: v8.40.9419.0

I do not have OfficeXP here, but to my knowledge, the latest version of
MsXml4 (not MsXml3 sp4, later than MsXml4 sp2) goes with it ?

The IUCtl component uses WinHttp, which calls on WinInet, which in turn uses
Schannel and Windows Sockets.

WinHttp.dll (v5.1.2600.1106) is, to my knowledge, for XP only. Its
predecessor is WinHttp5.dll (v5.0.2613.0 ?).
However, on my sysadmin-only W2K-Pro SP4 (with IE6 sp1 + all updates, but
without any apps), I even have a WinHttp.dll in v5.1.2600.1188 !

For now, I'd bet your problem is caused by - an old version of - WinHttp.
| ...On dec1 I
| installed Visual Studio 6 (VC++ and Interdev)first thing
| in the morning, and after that install,it did not work.

You could check the MS DLL Hell Help database (but that's far from a
complete registration):
http://support.microsoft.com/default.aspx?scid=/servicedesks/fileversion/default.asp?vartarget=msdn

You could unregister all old WinHttp*.dll (regsvr32 /u), delete them, wait
for W2K Windows File Protection to recreate them, or copy a recent
WinHttp.dll from some product installation CD. Do not forget to (re)register
the COM-component (regsvr32).

Let us know your findings,

Fred


Guest

You are right. This is my production machine at work, and
I am dead in the water till I get this resolved. We are
not allowed to create anything for release on unpatched
machines since Blaster.

The version of winhttp.dll in both System32 and dllcache
is 5.1.260.1188. Should I unregister and delete it?
There is a winhttp.dl_ on the W2k+sp4 installation disk,
but I'm not sure how to uncompress it to use it for
replacement.

Steve Egbert

Here is a summary of what I had previously tried.
Also, MS sent me debug WU controls and I took a detailed
debug trace for them about a week and a half ago, but they
have not responded with a solution yet. I still have, and
can post, the trace if needed. I think they think your XP
solution has resolved this issue.

I have:
* Uninstalled Visual Studio 6.0
* reinstalled IE6.1
* repaired VS.net2003 prerequisites (reinstalls mdac 2.7)
* repaired VS.net2003
* adjusted settings in IE per posts in WU newsgroups
* deleted cookies, cache and history
* emptied programfiles/windows update except iuhist.xml
* renamed ProgramFiles/WindowsUpdate then put it back when it did not help
* downloaded and ran netop fix, it said it did not apply
* manually downloaded and installed windows update controls
* deleted all copies of iuctl.dll, iuengine.dll, iuenginenew.dll (none found) and registry entry SelfupdateStatus per a post. They reappear in Winnt/system32 on running WU, but WU does not notify that it is downloading a control.
* downloaded and installed msxml3usa.exe
* downloaded and installed latest MDAC security update

None of these have any effect on the problem.

A co-worker has W2K with Visual Studio 6 and has no
problems with WU, but it has been installed for a long
time, mine is a fresh install.

Steve

Fred

| Here is a summary of what I had previously tried.

An old MDAC of VS6 should not be the problem then.

| Also, MS sent me debug WU controls and I took a detailed
| debug trace for them about a week and a half ago, but they
| have not responded with a solution yet. I still have, and

Would that be this WinhttpTraceCfg tool ?
http://support.microsoft.com/default.aspx?scid=kb;en;307272&FR=1&PA=1&SD=HSCH
I've not used it yet.

| can post, the trace if needed. I think they think your XP
| solution has resolved this issue.

Don't think so. The schannel encryption-level problem really is a
server-side issue. I've tried to make that quite clear to them. Lucy [MS]
confirmed she (or is it really a he ?) informed the Ms WU server team about
it.

| The version of winhttp.dll in both System32 and dllcache
| is 5.1.260.1188. Should I unregister and delete it?

No, that version looks fine to me.

| There is a winhttp.dl_ on the W2k+sp4 installation disk,
| but I'm not sure how to uncompress it to use it for
| replacement

EXPAND.EXE is a std. cmdline command.

-----

So, we have to look somewhere else. What puzzles me all the time is this
0xC00CE55F error.
Which component raises it ? Cannot find 0xE55F or 58719 in any include\*.h
file (like winerror.h).
What would be its base error value ?
Assume 0xE000 (57344) -> 0x55F (1375), or maybe 0xE400 (58368) -> 0x15F
(351).

Still assuming it has to do with SChannel.

Googling for C00CE55F
http://www.google.com/groups?q=+oxC...5F&hl=en&lr=&ie=UTF-8&scoring=d&start=20&sa=N
gives some historical (2nd half of 2001) Hotmail postings too.

Guest

Would that be this WinhttpTraceCfg tool ?
http://support.microsoft.com/default.aspx?scid=kb;en;307272&FR=1&PA=1&SD=HSCH
I've not used it yet.

I don't think so. I believe it replaced iuctrl.dll &
iuengine.dll. They gave me a registry merge file to turn
logging on and off. With it on it generated a log file
that looked like a call/argument/return trace.

When I installed Source Safe, I selected the default
data access components. When I later installed VC++, I
selected to install ALL data access components. I had
originally thought this is what whacked it, but when I saw
the same exact symptoms began for many others at the exact
same time, I figured it was just a coincidence, unrelated
to my installation.

Steve

Steve Egbert

So, we have to look somewhere else. What puzzles me all the time is this
0xC00CE55F error.
Which component raises it ? Cannot find 0xE55F or 58719 in any include\*.h
file (like winerror.h).

The detailed error log shows:
2003/12/03|13:22:19:223|000005f0| win2k</item><item>win98se</item><item>winme</item><item>winxp</item></parentItems></dObjQueryV1></query></GetManifest>
2003/12/03|13:22:19:223|000005f0| </SOAP:Body></SOAP:Envelope>
2003/12/03|13:22:19:223|000005f0| AmINotPrivileged()
2003/12/03|13:22:19:223|000005f0| ~AmINotPrivileged(), 0 msec
2003/12/03|13:22:19:223|000005f0| CheckDebugRegKey()
2003/12/03|13:22:19:223|000005f0| ~CheckDebugRegKey(), 0 msec
2003/12/03|13:22:19:223|000005f0| GetManifest using WININET.DLL
2003/12/03|13:22:19:494|000005f0| ReportParseError()
2003/12/03|13:22:19:494|000005f0| Error Line 1203: XML line 1, pos 1 error 0xc00ce55f: End element was missing the character '>'.
)
2003/12/03|13:22:19:494|000005f0| Error Line 1208: XML starts: cata
2003/12/03|13:22:19:504|000005f0| ~ReportParseError(), 10 msec
2003/12/03|13:22:19:504|000005f0| Error Line 530: 0x80070057: The parameter is incorrect.
2003/12/03|13:22:19:504|000005f0| FreeAUProxySettings()
2003/12/03|13:22:19:504|000005f0| ~FreeAUProxySettings(), 0 msec
2003/12/03|13:22:19:504|000005f0| ~GetManifest(), 290 msec
2003/12/03|13:22:19:504|000005f0| ~CUpdate::GetManifest, 290 msec
2003/12/03|13:23:08:925|000005f0| DeleteEngUpdateInstance
2003/12/03|13:23:08:925|000005f0| CEngUpdate::~CEngUpdate
2003/12/03|13:23:08:925|000005f0| ShutdownInstanceThreads
2003/12/03|13:23:08:925|000005f0| Shutdown event has been signalled

I suppose wininet.dll calls somebody who calls somebody ad
nauseam, and is not the actual culprit?
Steve
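
Added example (not part of the thread, and not Microsoft's tooling): a Python sketch that reads the trace format posted above, rejoins the newsreader's wrapped lines, tracks which function was active when an error was logged, and splits each HRESULT into the severity, facility and code fields defined in winerror.h. Reading "Name()" and "~Name(), N msec" as entry and exit markers is an assumption drawn from the excerpt, and the facility table lists only the three facilities that occur in this thread.

```python
import re

# Excerpt of the debug trace from the post above, with the newsreader's
# hard line wraps left in place so the rejoining logic has work to do.
TRACE = """\
2003/12/03|13:22:19:223|000005f0| AmINotPrivileged()
2003/12/03|13:22:19:223|000005f0| ~AmINotPrivileged(), 0
msec
2003/12/03|13:22:19:223|000005f0| GetManifest using
WININET.DLL
2003/12/03|13:22:19:494|000005f0| ReportParseError()
2003/12/03|13:22:19:494|000005f0| Error Line 1203: XML
line 1, pos 1 error 0xc00ce55f: End element was missing
the character '>'.
)
2003/12/03|13:22:19:494|000005f0| Error Line 1208: XML
starts: cata
2003/12/03|13:22:19:504|000005f0| ~ReportParseError(),
10 msec
2003/12/03|13:22:19:504|000005f0| Error Line 530:
0x80070057: The parameter is incorrect.
2003/12/03|13:22:19:504|000005f0| FreeAUProxySettings()
2003/12/03|13:22:19:504|000005f0| ~FreeAUProxySettings
(), 0 msec
2003/12/03|13:22:19:504|000005f0| ~GetManifest(), 290 msec
"""

# date|time|thread id|message, as seen in the posted trace.
RECORD = re.compile(
    r"^(\d{4}/\d\d/\d\d)\|(\d\d:\d\d:\d\d:\d{3})\|([0-9a-fA-F]{8})\|\s*(.*)$")
ENTER = re.compile(r"^([\w:]+)\s*\(\)$")                      # Name()
LEAVE = re.compile(r"^~([\w:]+)(?:\s*\(\))?,\s*\d+\s*msec$")  # ~Name(), N msec
HRESULT = re.compile(r"\b0x([0-9a-fA-F]{8})\b")

# Facility numbers from winerror.h; only those seen in this thread.
FACILITIES = {7: "FACILITY_WIN32", 10: "FACILITY_CONTROL",
              12: "FACILITY_INTERNET"}


def decode_hresult(value):
    """Split a 32-bit HRESULT into its winerror.h fields."""
    facility = (value >> 16) & 0x1FFF      # same mask as HRESULT_FACILITY
    return {
        "hresult": value,
        "failed": bool(value >> 31),       # severity bit
        "facility": facility,
        "facility_name": FACILITIES.get(facility, "unknown"),
        "code": value & 0xFFFF,            # same mask as HRESULT_CODE
    }


def records(text):
    """Yield (timestamp, thread, message), rejoining wrapped lines."""
    current = None
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            if current:
                yield tuple(current)
            current = [m.group(1) + " " + m.group(2), m.group(3),
                       m.group(4).strip()]
        elif current and line.strip():
            # A line without a timestamp continues the previous record.
            current[2] = (current[2] + " " + line.strip()).strip()
    if current:
        yield tuple(current)


def find_errors(text):
    """Return each logged HRESULT with the function that was active."""
    stack, findings = [], []
    for stamp, _thread, message in records(text):
        m = ENTER.match(message)
        if m:
            stack.append(m.group(1))
            continue
        m = LEAVE.match(message)
        if m:
            # Exits whose entry lies before the excerpt are ignored.
            if m.group(1) in stack:
                while stack.pop() != m.group(1):
                    pass
            continue
        for hexval in HRESULT.findall(message):
            finding = decode_hresult(int(hexval, 16))
            finding["time"] = stamp
            finding["function"] = stack[-1] if stack else None
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_errors(TRACE):
        print("%s  0x%08X  %-17s code=0x%04X (%d)  in %s" % (
            f["time"], f["hresult"], f["facility_name"], f["code"],
            f["code"], f["function"] or "(entry outside excerpt)"))
```

The facility field is what names the subsystem an error belongs to, so 0xE55F is a 16-bit code inside facility 12 rather than an offset from a base value in winerror.h.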

Guest

0xC00CE55F error.
Which component raises it ? Cannot find 0xE55F or 58719 in any include\*.h
file (like winerror.h).

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/xmlsdk30/htm/pushmodelparser_errorcodes.asp

says this is an msxml 3.0 error code, but they are:
[Deprecated. Do not use. Superseded by SAX2 API/MSXML 3.0]

msxml.dll - version 8.0.6730.0
msxml3.dll - version 8.40.9419.0 (sp4)
msxml3a.dll - version 8.20.8730.1 (does not say SP4)
msxml3r.xml - version 8.20.8730.1 (does not say sp4)
msxml4.dll - version 4.20.9818.0 (sp2)
there is no msxml4a.dll (there was in my W98)
msxml4r.dll - version 4.10.9404.0 (sp1)
msxmlr.dll - 8.0.6730.0

Fred

| The detailed error log shows:

Ah, interesting, so they do use SOAP. Hidden in the encrypted
SSL-connection.

Steve, got to go now. It's getting late over here. Will continue. Maybe
tomorrow.

Looking into %Systemroot%\System32\iuengine.dll strings:

---------------------------------
%SystemRoot%\System32\iuengine.dll, v5.4.3790.14, maandag 25 augustus 2003,
18:06:50

Windows Update Control Engine

-----------------------

Fred

Steve,

It is very likely that your W2K sp4 IE6 sp1 client computer has all the
correct software components. If you do not force Schannel to use any
specific encryption ciphers, the SOAP over SSL/TLS problem is probably
related to the firewalls used by MS at, and behind,
https://v4.windowsupdate.microsoft.com.

I presume that there is no proxy/firewall between your machine and the
Internet.

The Microsoft Windows Update server farm undoubtedly uses Microsoft Internet
Security and Acceleration (ISA) servers. http://www.isaserver.org has some
interesting articles and tutorials on that product.

Several architectures at the MS-side are possible: SSL bridging, SSL
tunneling, distributed and/or hierarchical chaining, HTTPS-redirects. They
undoubtedly use more than a single layer of ISA-servers through which our
windowsupdate traffic has to go.

I suspect these ISA-servers to falsely assume that your Schannel-traffic
must be alerted as coming from an intruder. As they - probably - do when
3DES instead of RC4 is used to encrypt the data.

How to work around this ?

You could experiment a little with the way your HTTPS connection datastreams
end up in distinct IP-packets on the Internet. Win32 has some local TCP/IP
settings that can influence that. I've seen "Lucy [MS]" advising this in the
group here and there (MTU-size).

See: http://www.isaserver.org/tutorials/onlinebanking.html

Fred
 
Guest

I applied the two patches listed in the article you
referred me to, and set the mtu for my nic to 1400.
Negative effect.

Yes, I am behind a corporate firewall. This is my
production machine here at Bull Worldwide Information
Systems. It is attached to our ethernet network. There are
about 1k machines on this network at my site. I THINK
there may be a firewall between our site and the rest of
the Bull network, and I am sure there is a firewall
between Bull and the internet. However, others with similar
setups are not experiencing this problem.

My machine has a modem, and I have a personal dialup at
earthlink. Should I try hooking up through that and seeing
if there is any difference? It will take a day or so.

Steve
 
Fred

Hi Steve,

| between Bull and the internet. However, others with similar
| setups are not experiencing this problem.

Changes in MTU-size would probably only affect this case when they are
applied at the Internet-trunk of the most outer router outside of your LAN's
outer firewall. When other LAN-users have no problem, your MTU-size cannot
make a difference I suppose.

| My machine has a modem, and I have a personal dialup at
| earthlink. Should I try hooking up through that and seeing
| if there is any difference? It will take a day or so.

That would help a lot. It should show us where exactly the problem is
located:
in the setup of your local machine, or somewhere in the MS server farm.

Fred
 
Guest

I will work on the modem.
I tried setting it up once, but things got kind of weird,
having both a NIC connection and a dialup connection.
By the way, my normal logon is via a Bull domain server,
but I can log on to administrator on the local PC without
it.
What would you suggest as the best way to TEMPORARILY
disable the NIC while I try the modem?
 
Fred

| What would you suggest as the best way to TEMPORARILY
| disable the NIC while I try the modem?

You are right to care about the LAN's security. Your LAN's policy will
probably not account for this procedure. To minimize possible
compromization, always pull the network cable out of your machine's Network
Interface Card. Also open the Devices Management console (Start Run
devmgmt.msc), check option "Show hidden devices" - if needed, and Disable
your NIC-driver. The NIC-driver is the lowest component in the network
stack. This way, you can leave all (domain-related) LAN-settings as-is.
Reboot, and verify that the NIC stays disabled. Only then start to configure
your dial-up.

There will be errors logged when you reboot. These can then be ignored I
suppose.
 
Steve Egbert

Fred:
I:
booted into administrator
disabled my NIC in device manager
disconnected the lan cable
installed dialup to my mindspring account
rebooted

The dialup got me to the net OK
No change whatsoever in the behavior of WU.
Errors in WUlog are the same
https: still hangs without showing "scan for updates"

So the problem is either in my machine or the MS Server,
but not in the network between or the Bull firewalls.

Note that this machine has both outlook express from the
IE6 install and outlook from the OfficeXP install.

Also, I tried to install .NET framework SP2 from
WindowsUpdateCatalog, thinking it might help. It said that
the component it patched was not installed??? I
installed .NET framework 1.1 when I installed Visual
Studio.NET 2003. (VSN2002 uses the 1.0 framework and 2003
uses the 1.1 framework). Could this error have been
because it was trying to update the 1.0 framework, not the
1.1 framework?
 
Fred

| So the problem is either in my machine or the MS Server,
| but not in the network between or the Bull firewalls.

Yes, a problem in the network (incl. client-sided proxy/firewalls) is
definitely ruled out now.

| Note that this machine has both outlook express from the
| IE6 install and outlook from the OfficeXP install.

I do not think that would be relevant for WU. Any MsXml4 (side-by-side
installation from OfficeXP) would not be used by the WU client. WU v4
clients are MsXml3 only.

| uses the 1.1 framework). Could this error have been
| because it was trying to update the 1.0 framework, not the
| 1.1 framework?

I do not know, but it would not be related to Windows Update. WU clients use
the old COM-technology only. No .NET involved as far as I can see.

---------

So we have to continue this quest for a WU-solution.
Let's have a closer look at the inner workings of Schannel: Public Key
certificates and all.

How did you configure the Internet Options ?

I compiled an overview (attached hereafter) of my Win2000 Sp4 IE 6 sp1
setup.

Ignore the disabled proxy settings.
Check the disabled SSL2 and enabled SSL3 and enabled TLS.
Check the enabled HTTP 1.1.
Check the enabled Access data sources across domains.

If the MS WU ISA-servers would not be correctly configured for anonymous
clients and thus ask for some form of Authentication (Digest, negotiate,
NTLM, even an MS Passport (if any) could be of influence).

Do you have any personal X.509 certificate to identify yourself ?

-------------

Checklist

Microsoft Windows Update Querying Catalog ("scan") problem

december 2003

https://v4.windowsupdate.microsoft.com/getmanifest.asp

IE-WU shows 0x800A138F with 0xC00CE55F (MsXML3) errors.
It is probably a remote microsoft.com zone ISA-server (v2000+sp1 ?, v2004 ?)
problem.
WU uses SOAP XML (HTTP POST) over SSL/TLS.
Downstream remote ISA connects to IIS-ASP over HTTPS ok,
but returned XML-doc response is not filled out:

<catalog><provider /></catalog>

-------------

DNS query from ns home.nl reports for v4.windowsupdate.microsoft.com:

Host name: v4windowsupdate.microsoft.nsatc.net
IP address: 207.46.245.126
Alias(es): v4.windowsupdate.microsoft.com

Reversed DNS query for 207.46.245.126 gives:

Host name: v4-ori.windowsupdate.microsoft.com
IP address: 207.46.245.126
Alias(es): None

207.46.0.0 = us.msn.net, msft.net

-------------

NT [4.0,5.1,5.2] clients have at least following components:

%Systemroot%\System32\*
wupdmgr.exe - Start menu's Windows Update
IUCtl, IUEngine,

wuaucpl.cpl, wuauclt.exe - Windows Auto Update service
WUAUserv, WUAUeng,

[WinHttp,] WinInet,

(128+bit Crypto:) SChannel, WinTrust, Crypt32, Rsabase, Rsaenh, ...

--------------

Internet Options - overruled by Domain Group Policy, if any

Working Ms Win 2000 Pro SP4 + IE 6.0 sp1 settings - when No local
Proxy/Firewall is used

HKCU\Software\Microsoft\Windows\Internet Settings

REG_DWORD CertificateRevocation = 0x00000000 (0)
REG_DWORD EnableHttp1_1 = 0x00000001 (1)
REG_DWORD EnableNegotiate = 0x00000000 (0)
REG_DWORD Fortezza = 0x00000000 (0)
REG_BINARY UseSchannelDirectly = 01 00 00 00
REG_DWORD SecureProtocols = 0x000000a0 (160) - no PCT nor SSL2.0

REG_DWORD ProxyEnable = 0x00000000 (0)
REG_DWORD ProxyHttp1.1 = 0x00000000 (0)

[Domain/Computer] [Group] policies are effective through:

Current User Policies in:

HKCU\Software\Microsoft\Windows\Internet Settings\*
HKCU\Software\Microsoft\Windows\Policies\*
HKCU\Software\Policies\Microsoft\*
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\*

HKCU Policies are overruled by Computer Policies in HKLM:

HKLM\Software\Microsoft\Windows\Internet Settings\*
HKLM\Software\Microsoft\Windows\Policies\*
HKLM\Software\Policies\Microsoft\*
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\*

Schannel machine wide settings (override all other settings):

HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\*

WU needs 128-bit RC4:
.... SCHANNEL\Ciphers\RC4 128/128] "Enabled"=dword:ffffffff

[XP/W2K3/NT5.1+ has additional Schannel policy, allowing 3-key/168-bit
Triple DES (3DES/DES3) only:
HKLM\System\CurrentControlSet\Control\Lsa - REG_DWORD FIPSalgorithmPolicy,
for WU: set to 0x0]

IUEngine policies:

Software\Policies\Microsoft\Windows\WindowsUpdate\AU
NoAutoUpdate

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoWindowsUpdate

Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate
DisableWindowsUpdateAccess

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents]
"rootautoupdate"=dword:00000001 //// this is a policy !!! implemented by Crypt32.dll, the core of CryptoAPI !!!
//// auto updates Trusted Root Certificates from hardcoded
//// http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en !!!!!
"autoupdate"=dword:00000001 // set by installing optional Windows Component "Update root certificates" !!

Software\Policies\Microsoft\Windows\WindowsUpdate
WUServer
WUStatusServer
UseWUServer
IUPingServer
ServerUrl
IUServerCache
QueryServerIndex
BetaQueryServerIndex
Server
IUSelfUpdate
IUBetaSelfUpdate
StructureKey

Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\SystemWasRestored
Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired

-------------

Software\Microsoft\Msxml30

UseBuiltinWinhttp
DebugMaxLines
DebugLeakInfo
MaxXSLProcessors
GCContentionThreshold
NoFullGC
MaxGCThreshold
GCThreshold
createProcessor
MaxXMLSize
ForcedResync
AllowDocumentFunction

-------------

Internet Options

* tab Advanced

group HTTP 1.1 settings
Use HTTP 1.1 - Checked
Use HTTP 1.1 through proxy connections - Unchecked

group Security
Check for server certificate revocation (requires restart) - Unchecked
Enable Integrated Windows Authentication (requires restart) - Unchecked
[= NTLM* ?]
Enable Profile Assistant - Unchecked
Use SSL 2.0 - Unchecked
Use SSL 3.0 - Checked
Use TLS 1.0 - Checked
Warn about invalid site certificates - Checked
Warn if changing between secure and not secure mode - Checked

* tab Connections
btn LAN Settings...

dlg Local Area Network (LAN) settings
grp Automatic configuration
Automatically detect settings - Unchecked
Use automatic configuration script - Unchecked
grp Proxy server
Use a proxy server for your LAN - Unchecked

* tab Security [implemented by urlmon.dll, etc.]

zone Trusted Sites

trusted sites - add:
http://*.microsoft.com
https://*.microsoft.com
[ ] Require server verification (https:) for all sites in this zone

Security Settings

ActiveX controls and plug-ins
Download signed ActiveX controls - enable
Download unsigned ActiveX controls - prompt
Initialize and script ActiveX controls not marked as safe - prompt
Run ActiveX controls and plug-ins - Enable
Script ActiveX controls marked safe for scripting - enable

Miscellaneous
Access data sources across domains - enable
Allow META REFRESH - enable
Display mixed content - prompt
Don't prompt for client certificate selection when no certificates
or only one certificate exists - enable

Scripting
Active scripting - enable

User Authentication
Logon
choose Anonymous logon,
not Automatic logon with current username and password

---------

MMC Group Policy (gpedit.msc, secpol.msc)

[Local Computer Policy] - overruled by Domain Group Policy, if any

Computer Configuration
Windows Settings
Security Settings
Security Options

Next items should not influence the use of SChannel by WU IE:
[ Microsoft network client - SMB : ]
Digitally sign client communication (always) - Disabled
Digitally sign client communication (when possible) - Enabled
[ Microsoft network server - SMB : ]
Digitally sign server communication (always) - Disabled
Digitally sign server communication (when possible) - Disabled
[ Network security - NetLogon : ]
LAN Manager Authentication Level - Send NTLMv2 response
[ Windows Domain member (DC client) : ]
Secure channel: Digitally encrypt or sign secure channel data
(always) - Disabled
Secure channel: Digitally encrypt secure channel data (when possible) -
Enabled
Secure channel: Digitally sign secure channel data (when possible) -
Enabled
Secure channel: Require strong (Windows 2000 or later) session key -
Enabled

Administrative templates [add inetres.adm]
Windows Components
Internet Explorer

Security Zones: Use only machine settings - Not configured
Security Zones: Do not allow users to change policies - Not configured
Security Zones: Do not allow users to add/delete sites - Not
configured
make proxy settings per-machine (rather than per-user) - Not
configured

User Configuration
Windows settings
Internet Explorer Maintenance
Connection
Security
Security Settings
Administrative Templates [inetres.adm, system.adm]
Windows Components
Windows Update

remove access to use all Windows Update features - Not configured [
?? ]

Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate
DisableWindowsUpdateAccess
Access to Windows Update has been disabled by administrative policy

-----------------------
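An added example, not part of Fred's post and not a Microsoft tool: a small Python audit of a `.reg` export against the client-side baseline in the checklist above (SecureProtocols 0xa0, RC4 128/128 not disabled, FIPSalgorithmPolicy 0). The sample export is constructed, keys are matched by their trailing path, and treating a missing "Enabled" value as the Schannel default is an assumption.

```python
import re

# Client-side bits of the WinINet SecureProtocols DWORD (SP_PROT_*_CLIENT in schannel.h).
PROTOCOL_BITS = {0x02: "PCT 1.0", 0x08: "SSL 2.0", 0x20: "SSL 3.0", 0x80: "TLS 1.0"}

# Constructed .reg export for illustration; not taken from the machine in the thread.
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"SecureProtocols"=dword:000000a8
"EnableHttp1_1"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000
'''

def parse_reg(text):
    """Return {key_path: {value_name: int}} for the dword values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        section = re.fullmatch(r'\[(.+)\]', line)
        if section:
            current = keys.setdefault(section.group(1), {})
            continue
        value = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{1,8})', line)
        if value and current is not None:
            current[value.group(1)] = int(value.group(2), 16)
    return keys

def decode_protocols(mask):
    """Names of the client protocols switched on in a SecureProtocols mask."""
    return sorted(name for bit, name in PROTOCOL_BITS.items() if mask & bit)

def audit(text):
    """List deviations from the checklist's working baseline."""
    findings = []
    for key, values in parse_reg(text).items():
        k = key.lower()
        if k.endswith(r'\internet settings') and 'SecureProtocols' in values:
            enabled = decode_protocols(values['SecureProtocols'])
            findings += [f"{p} enabled in SecureProtocols"
                         for p in ("PCT 1.0", "SSL 2.0") if p in enabled]
            if not {"SSL 3.0", "TLS 1.0"} & set(enabled):
                findings.append("neither SSL 3.0 nor TLS 1.0 enabled")
        # Assumption: a missing "Enabled" value leaves the cipher at its Schannel default.
        if k.endswith(r'\schannel\ciphers\rc4 128/128') and values.get('Enabled') == 0:
            findings.append("RC4 128/128 disabled machine-wide in Schannel")
        if k.endswith(r'\control\lsa') and values.get('FIPSalgorithmPolicy', 0) != 0:
            findings.append("FIPSalgorithmPolicy set: Schannel limited to 3DES")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_REG):
        print(finding)
```
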
 
Fred

Steve,

We cannot assume that everything on the MS v4 WU server-side is working
flawlessly.

As can be seen in the redirect.js page of the current v4 site, MS is working
on a new v5 version that will be based on ASP.NET (aspx).

I took a look at the MS SUS (Software Update caching) server (free download)
to get some idea of what getmanifest.asp should do.

However, the MS SUS-server v1.0 sp1 seems to be somewhat outdated. It
probably was written for WU v3. It also does not - officially - support SSL.
It is file-based and uses a custom Fast Dictionary COM-object to handle the
meta data (tables) of the Update-packages. There is no true SOAP involved,
no SQL-server (SQLXML) either.

I wonder why that SUS getmanifest.asp page does not Flush its Response
object. Maybe they assume AspBufferOn is always set to False ?

Would the MS v4 WU production server not have activated ASP-buffering
(AspBufferOn = True) ?

If so, the XML Response could probably be better handled (over SSL), when
the page would do something like:
if Response.Buffer = True then Response.Flush().

In the MSDN-lib I read that Response.Flush does not honour a Keep-alive
client requested HTTP-Header option. This would not guarantee that all HTTP
Request/Responses are transported over a single connection. But would the
(front-end, load balancing) ISA-servers not keep that SSL-connection open
already ?

The SUS getmanifest.asp page also has several hardcoded size limitations:

Const con_iMaxProvidersAllowedInQueryXML = 25
Const con_iMaxProductsAllowedInQueryXML = 25
Const con_iMaxItemsAllowedInQueryXML = 200
Const con_iMaxRequestLength = 50000
Const con_iMaxDependencyDepth = 10

When such a limit is exceeded, SUS explicitly returns an empty <catalog>.
There is a separate function ReturnEmptyCatalog() !

Maybe your fresh W2K sp4 with lots of MS apps reaches some limit in the v4
WU getmanifest.asp page too ?

The MS Windows Update v4 ASP pages are most likely served by a Windows
Server 2003 with IIS 6. IIS6 fiddles around a lot with SSL buffers. In
http://www.microsoft.com/technet/pr...oddocs/resguide/iisrg_arc_runi.asp?frame=true
they talk about how the HTTP.sys kernel driver delegates SSL-processing to a
user-mode HTTPFilter ISAPI filter.
Seems quite vulnerable to me.

Also the IIS6 server has several options to handle SSL HTTP POSTs. In
http://msdn.microsoft.com/library/en-us/iissdk/iis/ref_mb_accesssslflags.asp
we can read about AccessSSL128, AccessSSLNegotiate and other SSL-related
IIS-server settings.

Steve, I think we should end this "0x800A138F with 0xC00CE55F error"
discussion here now. We have not found a workaround for your W2K sp4 WU
problem. Let us hope that MS still works on the v4 WU servers too (and not
only on v5) to fix this.

It was nice talking to you, wish you lots of success and happy december
days,

Fred
 
