How to fix broken security in Windows 2000?

[Shannon Jacobs]

In http://support.microsoft.com/default.aspx?scid=kb;en-us;293781 there is
the very interesting comment:

"As you may have noticed in the provided information, some of the
certificates have expired. However, these certificates are necessary for
backwards compatibility. Even if there is an expired trusted root
certificate, anything that was signed with that certificate prior to the
expiration date needs that trusted root certificate to be validated. As long
as expired certificates are not revoked, it can be used to validate anything
that was signed prior to its expiration."

Oh! *NOW* you [Microsoft] tell me. Just too bad the information wasn't
provided earlier.

Been wrestling with this problem for several weeks, and though I'm not
certain, I very strongly suspect that what happened is that I deleted a
required security certificate in the foolish belief that the expiration date
had some meaning. Quite trivial to do from IE: Tools menu -> Internet
Options command -> Content tab -> Certificates button -> Trusted Root
Certificates tab. Not certain because it happened a while ago and the
resulting problem is minor, though annoying. Some possibility it may have
been caused by a WindowsUpdate, possibly even one that was pushed onto my
machine by the corporate IT people.

The problem itself is that the computer complains about a new file version
that it can't check. It doesn't reveal what file, and it doesn't actually
say anything about a missing security certificate, but I'm pretty sure
that's what's going on. The SFC fails to run, which is apparently related.

I'm pretty sure that all of the root certificates have been restored, but
either there is a missing certificate somewhere else, or it is some kind of
chain reaction thing.

Anyone else having similar problems? Any suggestions about how to fix it?
Diagnostic steps to identify the missing certificate or even the affected
file?

 

[Roger Abell]

I have read, and reread, you entire posting.
As far as I can tell, all that you have told us, aside from
your suspected cause, is
<quote>
The problem itself is that the computer complains about a new
file version that it can't check. It doesn't reveal what file
</quote>
That is not really very much to go on.
When does this happen for example.

 

[Shannon Jacobs]

The problem occurs during booting. Unfortunately, the exact error message is
in Japanese, and though I could copy it for you, I'm doubtful it would be
very helpful... My Japanese is far from perfect, but I'll try to describe it
as well as I can. During the boot, a popup window appears. It says that it
is unable to check the validity of a file (or certify the appropriateness or
compatibility?), and it asks me to insert the Windows 2000 Professional CD
so that it can copy an earlier version. No hint as to which file or exactly
why it doesn't like the version it has found. (Of course I have run a
variety of virus and spyware checks, and I think I can rule out that
possibility.)

In response to the error window, I can either insert the CD or cancel. If I
insert the CD, it apparently copies some file and the popup goes away. (The
newer "incorrect" version of the file is apparently restored from somewhere
at the time of the next boot.) If I cancel, then it gives me a confirmation
window where I can insist that it use the newer version, but still no
indication about the newer version of what.

I have tried various diagnostic measures such as getting a boot log (no
hints found) and reading all sorts of typically irrelevant pages on the
Microsoft Web sites. I had hoped that the SFC would identify the problem
(which is supposed to be the purpose of that program), but, as already
noted, it also refuses to run, and based on some of the information I read
on the Microsoft Web site, I believe that this is a related problem. The
error code is 0x000006ba, which will doubtlessly lead you to the same pages
I visited, but I followed the various recovery instructions without success,
which makes me think the real problem is some other file in a critical chain
is also missing. (Or based on the comment below, it is also possible that
this machine originally had a different version of a key root certificate.)

Perhaps this is a helpful diagnostic, but I think it is just a metric that
shows the problem is not so serious. Whatever file is failing to load, it
does not actually stop the boot. The machine continues booting, and I have
not noticed any crucial services that are disabled prior to getting rid of
the error message. I have also been unable to detect any difference between
using the CD or using the unverified newer file.

 

[Karl Levinson, mvp]

It seems to me this is not exactly a Microsoft or Windows problem, because
if you deleted your root certificates on any OS, you would have problems
with those certificates. What are you doing deleting root certificates
anyways? If you don't know exactly how it works, don't delete it.
Microsoft cannot possibly write an article about every single file and
object telling you not to delete it.

Anyways, I would try restoring those certificates and possibly rebooting.
See the "Method 8" section of this KB article.

http://support.microsoft.com/default.aspx/kb/822798?

It is generally not a good idea to cross-post to multiple groups, because
then your answer gets answered repeatedly in multiple groups.

--
regards,

Karl Levinson, MS MVP, CISSP
Microsoft Security FAQ:
http://securityadmin.info

 

[Shannon Jacobs]

This is exactly the level of "support" I have come to expect from MVPs. Does
Microsoft have some sort of incentive program that requires you to say
something even if you have no idea what you are talking about?

It seems to me this is not exactly a Microsoft or Windows problem,
because if you deleted your root certificates on any OS, you would
have problems with those certificates. What are you doing deleting
root certificates anyways? If you don't know exactly how it works,
don't delete it. Microsoft cannot possibly write an article about
every single file and object telling you not to delete it.

I have already confessed my culpability for being stupid enough to believe
that the expiration date on a security certificate had any meaning. Well,
actually it should have a meaning because the concept of security is
fundamentally linked to time. However, if Microsoft chooses to ignore or
reassign meanings and just redefine things, that's the new de facto
standard, isn't it? My bad, mea culpa, and I admit I was a fool to trust
Microsoft. Are you satisfied now?

(However, I'm still not certain that this is the cause of the problem, nor
even certain exactly what the problem is.)

Anyways, I would try restoring those certificates and possibly
rebooting. See the "Method 8" section of this KB article.

http://support.microsoft.com/default.aspx/kb/822798?

Done that. Didn't work. "Possibly rebooting." Damn. Why didn't I think of
that? Especially with regards to a boot-related problem. Shucks, still
didn't work.

Any more trivially obvious suggestions? Dare I say, trivially obvious to the
most casual observer?

It is generally not a good idea to cross-post to multiple groups,
because then your answer gets answered repeatedly in multiple groups.

No, you are incorrect again, but par for the current MVPs. Please read the
relevant RFC and the NNTP standards. The only notable exception is Mozilla,
which is well known to be handling cross-posting incorrectly, and which is
not even a Microsoft product.

 

[Fredrik Wahlgren]

This is exactly the level of "support" I have come to expect from MVPs. Does
Microsoft have some sort of incentive program that requires you to say
something even if you have no idea what you are talking about?

You can find more about the MVP title here:
http://mvp.support.microsoft.com/default.aspx?scid=fh;EN-US;mvpfaqs

/Fredrik

 

[Jeff Cochran]

The problem occurs during booting. Unfortunately, the exact error message is
in Japanese, and though I could copy it for you, I'm doubtful it would be
very helpful... My Japanese is far from perfect, but I'll try to describe it
as well as I can. During the boot, a popup window appears. It says that it
is unable to check the validity of a file (or certify the appropriateness or
compatibility?), and it asks me to insert the Windows 2000 Professional CD
so that it can copy an earlier version. No hint as to which file or exactly
why it doesn't like the version it has found. (Of course I have run a
variety of virus and spyware checks, and I think I can rule out that
possibility.)

Actually, you can't. This is a relatively recent spyware issue, and
easily resolved. Open the Task Manager and choose the processes tab.
Stop all processes you don't know, there aren't many that are required
and if you stop the wrong one you can always restart the system to
recover.

Once these are stopped, run the registry editor (regedt32 or regedit)
and find the key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Remove all strange entries. You should recognize most of them anyway.
Once removed, restart the system. Also run through the Add/Remove
Programs dialog and clean out unrecognized or unwanted stuff.

Keep in mind that making changes to the registry can screw up your
system. If you're at all uncomfortable with this, call your IT
department (If they're security conscious they'll have prevented you
from editing the registry anyway...).

I haven't found a spyware removal tool that has fixed this issue, but
I've cleaned a half dozen systems in the last few days of his.

Disclaimer: If you're foolish enough to try suggestions from the
internet without verifying them, then you deserve whatever happens if
this hoses your system. Don't blame me since I'm specifically warning
you not to do what I suggest.

That said, you can easily figure out how to reach me and verify
credentials.

Jeff

 

[Karl Levinson, mvp]

This is exactly the level of "support" I have come to expect from MVPs. Does
Microsoft have some sort of incentive program that requires you to say
something even if you have no idea what you are talking about?

Hey, you came here looking for free support. I spent a fair amount of time
looking for the KB article, only to have you complain about my "level of
support" and say you had already tried that. If you already tried it, tell
us what you've already tried so we don't waste our time and yours. I'm not
psychic.

actually it should have a meaning because the concept of security is
fundamentally linked to time.

No. When someone uses a PKI cert to sign a PGP email or a Windows 2000
file, that is not linked to time.

However, if Microsoft chooses to ignore or
reassign meanings and just redefine things, that's the new de facto
standard, isn't it?

No. You still need certificates after they expire. This is true of many
PKI solutions including PGP, so it has nothing to do with Microsoft. Your
PGP emails, Windows 2000 files, etc. were signed with a cert that is now
expired, and the only way to verify the signing is to keep access to the old
certs. Not a MIcrosoft thing.

My bad, mea culpa, and I admit I was a fool to trust Microsoft.

No, your mistake was to start deleting core OS stuff for no real reason I'm
aware of, without knowing how it works, then coming here and blaming MS,
saying MS should have warned you not to delete your root certificates
haphazardly, and that MS publishing a KB article on the subject is not
sufficient warning.

Done that. Didn't work. "Possibly rebooting." Damn. Why didn't I think of
that? Especially with regards to a boot-related problem. Shucks, still
didn't work.

Any more trivially obvious suggestions? Dare I say, trivially obvious to the
most casual observer?

No, I meant the MS article doesn't tell you this, but after using the KB
article to restore the certificates, you may possibly need to reboot. I
didn't think that rebooting would solve your problem, but that rebooting
might be necessary to see whether your problem was fixed... which is of
course a true statement, since the problem occurs at boot time. I hardly
think finding an article on how to restore your root certificates is a
trivially obvious suggestion. I'm not sure I believe you when you say that
you already tried restoring your root certificates using the KB article I
posted. If you had, the problem would probably be fixed. I suspect you
misunderstood the part about "possibly rebooting" and blew up before trying
out the KB article.

The KB article states that even though you deleted the root certificates
from your Windows certificate store, they are still contained in files on
your hard drive and can be restored from there.

No, you are incorrect again, but par for the current MVPs. Please read the
relevant RFC and the NNTP standards. The only notable exception is Mozilla,
which is well known to be handling cross-posting incorrectly, and which is
not even a Microsoft product.

RFC 1855 says very little about cross-posting, and it is now at least nine
years old.

If you have such little respect for MVPs, why are you here looking for
support from them?

Anyways, if you haven't yet, try doing what I actually suggested:

http://support.microsoft.com/default.aspx/kb/822798?

Method 8: Verify the status of all certificates in the certification path
and import missing or damaged certificates from another computer
To verify certificates in the certificate path for a Windows or Internet
Explorer product update, follow these steps:
Step 1: Verify Microsoft certificates
1. In Internet Explorer, click Tools, and then click Internet Options.
2. On the Content tab, click Certificates.
3. On the Trusted Root Certification Authorities tab, double-click
Microsoft Root Authority. If this certificate is missing, go to step 2.
4. On the General tab, make sure that the Valid from dates are
1/10/1997 to 12/31/2020.
5. On the Certification Path tab, verify that This certificate is OK
appears under Certificate Status.
6. Click OK, and then double-click the NO LIABILITY ACCEPTED
certificate.
7. On the General tab, make sure that the Valid from dates are
5/11/1997 to 1/7/2004.
8. On the Certification Path tab, verify that either This certificate
has expired or is not yet valid or This certificate is OK appears under
Certificate Status.

Note Although this certificate is expired, it will continue to work.
The operating system may not work correctly if the certificate is missing or
revoked.

For additional information, click the following article number to view
the article in the Microsoft Knowledge Base:
293781 Trusted root certificates that are required by Windows 2000,
Windows XP, and Windows Server 2003
9. Click OK, and then double-click the GTE CyberTrust Root
certificate. You may have more than one of these certificates with the same
name. Check the certificate that has an expiration date of 2/23/2006.
10. On the General tab, make sure that the Valid from dates are
"2/23/1996 to 2/23/2006."
11. On the Certification Path tab, verify that This certificate is OK
appears under Certificate Status.

Step 2: Import missing or damaged certificates
If one or more of these certificates are missing or corrupted, export the
missing or corrupted certificates to another computer, and then install the
certificates on your computer. To export certificates on another computer,
follow these steps: 1. In Internet Explorer, click Tools, and then click
Internet Options.
2. On the Content tab, click Certificates.
3. On the Trusted Root Certification Authorities tab, click the
certificate that you want to export.
4. Click Export, and then follow the instructions to export the
certificate as a DER encoded Binary x.509(.CER) file.
5. After the certificate file has been exported, copy it to the
computer where you want to import it.
6. On the computer where you want to import the certificate,
double-click the certificate.
7. Click Install certificate, and then click Next.
8.
Click Finish, and then click OK.


[... and then possibly you may need to reboot for the changes to fully
take effect. The MS article didn't say this, so I added it.]

 

[Karl Levinson, mvp]

It is true that there is relatively new malware on the Internet that deletes
or inhibits your access to your root certificates. If you didn't delete any
of your root certificates that pertain to Windows file checking, this may be
the problem. The article I posted tells you how to check to see whether the
root certificates related to Windows file checking are missing.

 

[Phillip Windell]

This is exactly the level of "support" I have come to expect from MVPs. Does
Microsoft have some sort of incentive program that requires you to say
something even if you have no idea what you are talking about?

The incentive is that we get to do this for free and get the benefit of
putting up with a thankless public in the process.

Done that. Didn't work. "Possibly rebooting." Damn. Why didn't I think of
that? Especially with regards to a boot-related problem. Shucks, still
didn't work.

Did you actually read the article?

 

[Shannon Jacobs]

Here is a solution to the problem I reported:

http://www.beginningtoseethelight.org/patches/2kpro.php

Two comments:

1) It did not (proximately) come from Microsoft.

2) It did not come from a MVP.

That's not to say it doesn't exist at Microsoft, only that Microsoft has
succeeded in hiding the solution from my many diligent searches of their
sites and that their MVPs also failed in finding it. Actually, the MVPs
mostly failed in understanding the problem before they could begin looking,
but I used to do technical support and I know full well that understanding
the real problem is the most difficult part of support work. (I cannot rule
out the latest MVP speculations about the cause, but I still think that
proposal is unlikely, though an appropriate link might have been more
persuasive.)

I am especially bitter about the destruction of the MVP program, since I can
still remember when the MVPs were valuable support resources. Though I wish
to provide closure to this thread, it is quite possibly a mistake to
publicize it here, since it is quite possible that Microsoft will now
initiate legal attacks upon that site and force them to shut it down. High
quality free technical support--what an odious concept from Microsoft's
perspective.

Again, my congratulations to Microsoft for their success in destroying the
effectiveness of the free support for their own Microsoft products. The main
effect of this incident (once again struggling with Microsoft's problems
until a solution was found) is to increase my desire to abandon Microsoft
(though I remain locked in by my customers). Am I a satisfied Microsoft
customer? Not at all. I'm not very religious, but I'm praying for an escape
from Microsoft.

 

[Shannon Jacobs]

Actually I read so many of Microsoft's articles that I cannot swear for
certain whether or not I read that particular one. However, I do remember
doing the steps that were recommended there, though they may have been from
another similar article. I did find a solution, though not from Microsoft.
Here it is:

http://www.beginningtoseethelight.org/patches/2kpro.php

As already noted, I can only congratulate Microsoft for their success in
destroying yet another free support resource (the MVP program of some years
ago) and I continue to wish I had the option the abandon Microsoft.

 

[Roger Abell]

If you feel as you say about the changes MS has, perhaps, caused
in the process of growing the numbers (and kinds of people that are)
MVPs, then you should let the MVP program people know.
As you will find on
http://mvp.support.microsoft.com/default.aspx?scid=fh;EN-US;mvpfaqs&style=flat
you only need to email (e-mail address removed)

The site you mention has been known to me, or rather its maintainer has,
for more than a couple years. If some of the things Peter has disclosed
there previously have not caused pressure it is not like anything will. His
work is largely well done, with few words representing many hours of
deep level research.

As you have done support, you hopefully will keep in mind that anyone
that has not seen and gotten their hands on a system behaving as one
of a poster is, off the bat, at a rather large disadvantage.

 

[Karl Levinson, mvp]

I'm glad we could help.

You came here saying "I very strongly suspect that what happened is that I
deleted a required security certificate...The SFC fails to run... Diagnostic
steps to identify the missing certificate...?" Like it or not, the article
I posted is the answer to the question you asked.

The article you posted has nothing to do with the question you asked and is
just a series of links to Microsoft Windows Update and Microsoft-provided
patches. Given the way you ripped me a new one when you thought I was
suggesting you reboot, I'm certain you would also have ripped me a new one
had I or anyone here suggested you reinstall the Windows service packs and
patches, since that would be "trivially obvious."

You came here with a big chip on your shoulder from your initial post. I
can't take your anger and disgust at us too seriously considering you were
angry and disgusted when you first got here. That chip on your shoulder was
based on your erroneous beliefs on how PKI certificate expiration works, but
you suggest repeatedly that it is we who are not understanding your
certificate problem.

Microsoft has
succeeded in hiding the solution from my many diligent searches of their
sites

That's right, you're the intrepid hero, and Microsoft is the mustachioed
villain trying to make sure your computer doesn't work. And when your
certificates stopped working, that's Microsoft's fault for "redefining the
meaning" of PKI certificate expiration. When you can't find the canned peas
in the grocery store, is that because the grocery store hid them?

and that their MVPs also failed in finding it.

Failed in finding what? Windows Update? That's basically what your link
is.

to provide closure to this thread, it is quite possibly a mistake to
publicize it here, since it is quite possible that Microsoft will now
initiate legal attacks upon that site and force them to shut it down.

That's just more paranoid nonsense. That site has been up for years, and
the MVPs frequently point people to that site here.

 

[Shannon Jacobs]

You are simply inserting your foot farther and farther into your mouth. How
does it taste?

Several of my earliest attempts along the missing-security-certificate path
were to try to reinstall some of the recent security certificate updates
that WindowsUpdate had provided. I was not able to do so from the Microsoft
site, and none of the MVPs even thought to suggest that approach.

Using the link I provided (which actually came from someone in my company),
I was able to find a file which fixed the damage. I am not certain if that
file is the same one that exists somewhere on the Microsoft site, or if it
was a special version. However, I am absolutely certain the Microsoft search
engines failed to find it, and the MVP program participants also failed to
find it--or even to suggest looking for it.

The part that is apparently rubbing you the wrong way is my general comments
about what Microsoft has done to the MVP program. If so, you should quit
acting in a way that provides additional evidence. So far you are only
reinforcing my belief that Microsoft has pretty much destroyed the MVP
program by getting rid of the most technically competent people. Or perhaps
they have simply changed the incentive system so the MVPs are encouraged to
post meaningless answers even when they have no idea of what the answer is?
Certainly I admit that some of my queries are liable to be non-trivial.
Whatever the reason, I also believe this negative change to the MVP program
is a deliberate policy on the part of Microsoft to discourage customers from
relying on no-cash-involved support.

In truth, the main technical value I get from the newsgroups in recent
years, and the only reason I will sometimes resort to them (and usually only
after some weeks of struggle), is that the process of describing the problem
more precisely and completely for a public post is sometimes helpful in
understanding the solution. Not so in this particular case, however. This
time it was just a lucky cross-reference that caught my eye. (I cannot
provide a link to that source since it is internal to the corporate
intranet, not public.)

Today I do have a new technical problem from another friend, but I'm not yet
stumped or desperate enough to describe it here. Thanks, but no thanks.

 

[Phillip Windell]

You are simply inserting your foot farther and farther into your mouth. How
does it taste?

If you spend as much time and effort in understanding and solving your
problems as you spend annoying everyone else,...you would not have any
problems left to ask questions about.

 

[Karl Levinson, mvp]

Several of my earliest attempts along the missing-security-certificate path
were to try to reinstall some of the recent security certificate updates
that WindowsUpdate had provided. I was not able to do so from the Microsoft
site, and none of the MVPs even thought to suggest that approach.

Well, if reinstalling the patches didn't fix the problem, isn't it a good
thing we didn't suggest it?

Windows Update absolutely lets you see and re-install whatever patches are
on your system, but it has no possible way of knowing about patches that
were pushed down by your IT staff using who knows what method, nor would we.
You would have to contact your IT staff for that.

Your only statement in your OP regarding patches was this:

"Some possibility it may have been caused by a WindowsUpdate, possibly even
one that was pushed onto my machine by the corporate IT people."

With that vague level of detail, of course your IT people knew how to fix
the problem and we didn't. Your IT people knew which patch they had pushed
out to cause the problem, and we still don't.

Even now, you still haven't provided enough information about which patch or
file was the problem, but you expect us to magically know the answer in a
minute to a problem you've been struggling with for months. I can only
guess that the patch you're talking about might be the May 2004 root
certificates update over 7 months ago, but I would be hesitant to waste your
time offering suggestions like reinstalling this or that patch based on that
guess [and since this didn't fix your problem, it's a good thing I didn't
sugest it]. You still haven't shared enough detail about the fix to help
anyone else learn from your experience.

Using the link I provided (which actually came from someone in my company),
I was able to find a file which fixed the damage.

How do you know your IT people didn't get the answer to this problem from
Microsoft, or from an MVP?

I am not certain if that
file is the same one that exists somewhere on the Microsoft site, or if it
was a special version. However, I am absolutely certain the Microsoft search
engines failed to find it, and the MVP program participants also failed to
find it--or even to suggest looking for it.

Most problems with Microsoft patches are due to pre-existing problems
with the configuration of the PC. If no one else on the planet has ever had
your problem, then why would you expect the solution to be in the Microsoft
knowledge base? Note that your problems [getting answers from the MS search
engine or from the newsgroups, your computer breaking in the first place]
always seem to be because someone at Microsoft has failed you, never because
of you, say, entering the wrong description or deleting root certificates.

The part that is apparently rubbing you the wrong way is my general comments
about what Microsoft has done to the MVP program. If so, you should quit
acting in a way that provides additional evidence. So far you are only
reinforcing my belief that Microsoft has pretty much destroyed the MVP
program by getting rid of the most technically competent people.

Which of the Microsoft MVPs do you think are not technically competent? Is
it Ed Skoudis? Stuart McClure? Roberta Bragg? Tom and Debra Littlejohn
Shinder? Mark Russinovich? Mark Minasi? I would like to know why you
think the MVP program has fewer or less competent MVPs. How and why exactly
would Microsoft want to spend money and time on the MVP program, but
intentionally choose the worst candidates? How and why would they destroy
the program by increasing their support for it?

If Microsoft is solely in it for the money, as you claim, then why spend a
single cent on the MVP program in the first place? You do realize that
Microsoft has given you access to pretty much the same knowledge database
that their paid support technicians use when you call them, correct? And
that Microsoft lists the phone numbers of other companies that offer cheaper
tech support on their support web site? There are certainly some valid
criticisms that can be levied at Microsoft, but your criticisms of Microsoft
make little sense and border on paranoia.

Or perhaps
they have simply changed the incentive system so the MVPs are encouraged to
post meaningless answers even when they have no idea of what the answer

is?

The link I posted may not have fixed your problem, but it is the answer to
what you asked: "what are the dependencies and troubleshooting steps for
certificate problems related to SFC?"

I also tried in my post to clear up some of your misconceptions about how
PKI certificates work that were causing you to angrily think Microsoft was
trying to re-write PKI specifications. You have yet to prove or suggest why
the link I posted was meaningless. What exactly was it in the link that did
not apply to the question you asked?

The award MVPs get from Microsoft is relatively small and hardly compensates
me for all the time I spend here. If you think I post thousands of posts
here every year because of this award or because it gets me some kind of
points, you are very mistaken.

Certainly I admit that some of my queries are liable to be non-trivial.
Whatever the reason, I also believe this negative change to the MVP program
is a deliberate policy on the part of Microsoft to discourage customers from
relying on no-cash-involved support.

I see. Microsoft has increased the number of MVPs over the past two or
three years in order to discourage relying on free support. That makes lots
of sense.

In truth, the main technical value I get from the newsgroups in recent
years, and the only reason I will sometimes resort to them (and usually only
after some weeks of struggle), is that the process of describing the problem
more precisely and completely for a public post is sometimes helpful in
understanding the solution.

I see. So, you don't really need anything from us. You solve the problem
entirely on your own, just by typing it down here to us. Microsoft and the
MVPs caused the problem, hide the solution to the problem from you, solely
for monetary greed on the part of all of us, and you single-handedly solve
the problem. Might I recommend posting your next question to
microsoft.public.test? You'll get the same results.

I'm not sure how exactly coming back here to insult us and express your
disappointment in our not solving the answer fits in with this, given that
you didn't really expect us to solve the problem, but then again, I'm just
an MVP, so I have trouble tying my shoes in the morning.

Not so in this particular case, however. This
time it was just a lucky cross-reference that caught my eye. (I cannot
provide a link to that source since it is internal to the corporate
intranet, not public.)

That's convenient. And that prevents you from posting details about the fix
too?

Today I do have a new technical problem from another friend, but I'm not yet
stumped or desperate enough to describe it here. Thanks, but no thanks.

No problem. When you encounter problems too tough for you to solve, we'll
be here to help.

kind regards,

Karl Levnson, CISSP

 

[Phillip Windell]

Which of the Microsoft MVPs do you think are not technically competent? Is
it Ed Skoudis? Stuart McClure? Roberta Bragg? Tom and Debra Littlejohn
Shinder? Mark Russinovich? Mark Minasi? I would like to know why you
think the MVP program has fewer or less competent MVPs.

Ok,..It's me...I confess!, I confess!

 

[Shannon Jacobs]

The lady doth protesteth too much. Or is it one of Arnold's girly-men? Well,
actually the "incident" most reminds me of a certain very prominent judge
who wrote a 20-page explanation of why an apparent personal interest in a
certain case was not really an interest, so there was no reason to recuse
himself. Sorry, but the 20-page explanation goes way *beyond* the appearance
of a conflict. That explanation itself was the most concrete evidence of why
the judge should have recused himself, incredible hypocrisy notwithstanding.
Same with your verbose defenses of your technical abilities in the absence
of technical answers.

Of course, I'm not surprised you can't put up (something of technical
value). I am surprised you aren't smart enough to use the other half of the
old saying. Years ago, way back when the MVP program was useful, I would ask
similar technical questions, and if there was an answer from an MVP, it was
almost certain to be very helpful. Even their questions were helpful in
finding the real source of the problems. Other times my questions went
unanswered, but sufficient research revealed that they really were that
difficult to answer or even define, and the MVPs were correct to wait for
more knowledge.

These days it seems like an MVP will usually respond quickly--but for any
non-trivial question, more often than not, the response is just incorrect.
That is why I asked about the current metrics Microsoft is using to assess
the MVP program. I really suspect you get MVP brownie points for being the
first MVP to answer, and without regard to the utility, correctness, or even
relevance of the answer. I am quite sincerely interested in how Microsoft
does business, even in the ethically dubious tactics. As regards the MVP
program, I think it was probably easy for Microsoft to tip the scales in
this way, since most technically competent people are too busy to donate
lots of time to Microsoft's greater glory. (Yes, I'm being slightly tongue
in cheek, since I'm sure you do it to help the suffering customers--but
Microsoft is still willing to make a bit more money by milking your
efforts.)

Regarding your (Levinson's) list of candidates for MVP incompetence, I'm
sorry, but I don't track people for their inability to be helpful. I
remember people for their competence, especially technical competence. I
used to know the names of a number of MVPs--but I recognize none of the
names you mentioned. Just piling the evidence up, aren't you? Now excuse me
while I forget your name, too.

As I am prone to do, I'll commit the folly of mentioning technical matters
in what is eminently not much of a technical thread. Now that I can run SFC
again, it issues the same unable-to-verify complaints about a number of
files. Still no hint about *which* files are too new or *which* security
certificates are still missing. (However, I'm supposed to receive a new
computer in a month or two, so I think I'll just ignore it until then. Maybe
I'll convert this old one to Linux?)

Several of my earliest attempts along the
missing-security-certificate path were to try to reinstall some of
the recent security certificate updates that WindowsUpdate had
provided. I was not able to do so from the Microsoft site, and none
of the MVPs even thought to suggest that approach.

Well, if reinstalling the patches didn't fix the problem, isn't it a
good thing we didn't suggest it?

Windows Update absolutely lets you see and re-install whatever
patches are on your system, but it has no possible way of knowing
about patches that were pushed down by your IT staff using who knows
what method, nor would we. You would have to contact your IT staff
for that.

Your only statement in your OP regarding patches was this:

"Some possibility it may have been caused by a WindowsUpdate,
possibly even one that was pushed onto my machine by the corporate IT
people."

With that vague level of detail, of course your IT people knew how to
fix the problem and we didn't. Your IT people knew which patch they
had pushed out to cause the problem, and we still don't.

Even now, you still haven't provided enough information about which
patch or file was the problem, but you expect us to magically know
the answer in a minute to a problem you've been struggling with for
months. I can only guess that the patch you're talking about might
be the May 2004 root certificates update over 7 months ago, but I
would be hesitant to waste your time offering suggestions like
reinstalling this or that patch based on that guess [and since this
didn't fix your problem, it's a good thing I didn't sugest it]. You
still haven't shared enough detail about the fix to help anyone else
learn from your experience.

Using the link I provided (which actually came from someone in my
company), I was able to find a file which fixed the damage.

How do you know your IT people didn't get the answer to this problem
from Microsoft, or from an MVP?

I am not certain if that
file is the same one that exists somewhere on the Microsoft site, or
if it was a special version. However, I am absolutely certain the
Microsoft search engines failed to find it, and the MVP program
participants also failed to find it--or even to suggest looking for
it.

Most problems with Microsoft patches are due to pre-existing problems
with the configuration of the PC. If no one else on the planet has
ever had your problem, then why would you expect the solution to be
in the Microsoft knowledge base? Note that your problems [getting
answers from the MS search engine or from the newsgroups, your
computer breaking in the first place] always seem to be because
someone at Microsoft has failed you, never because of you, say,
entering the wrong description or deleting root certificates.

The part that is apparently rubbing you the wrong way is my general
comments about what Microsoft has done to the MVP program. If so,
you should quit acting in a way that provides additional evidence.
So far you are only reinforcing my belief that Microsoft has pretty
much destroyed the MVP program by getting rid of the most
technically competent people.

Which of the Microsoft MVPs do you think are not technically
competent? Is it Ed Skoudis? Stuart McClure? Roberta Bragg? Tom
and Debra Littlejohn Shinder? Mark Russinovich? Mark Minasi? I
would like to know why you think the MVP program has fewer or less
competent MVPs. How and why exactly would Microsoft want to spend
money and time on the MVP program, but intentionally choose the worst
candidates? How and why would they destroy the program by increasing
their support for it?

If Microsoft is solely in it for the money, as you claim, then why
spend a single cent on the MVP program in the first place? You do
realize that Microsoft has given you access to pretty much the same
knowledge database that their paid support technicians use when you
call them, correct? And that Microsoft lists the phone numbers of
other companies that offer cheaper tech support on their support web
site? There are certainly some valid criticisms that can be levied
at Microsoft, but your criticisms of Microsoft make little sense and
border on paranoia.

Or perhaps
they have simply changed the incentive system so the MVPs are
encouraged to post meaningless answers even when they have no idea
of what the answer is?

The link I posted may not have fixed your problem, but it is the
answer to what you asked: "what are the dependencies and
troubleshooting steps for certificate problems related to SFC?"

I also tried in my post to clear up some of your misconceptions about
how PKI certificates work that were causing you to angrily think
Microsoft was trying to re-write PKI specifications. You have yet to
prove or suggest why the link I posted was meaningless. What exactly
was it in the link that did not apply to the question you asked?

The award MVPs get from Microsoft is relatively small and hardly
compensates me for all the time I spend here. If you think I post
thousands of posts here every year because of this award or because
it gets me some kind of points, you are very mistaken.

Certainly I admit that some of my queries are liable to be
non-trivial. Whatever the reason, I also believe this negative
change to the MVP program is a deliberate policy on the part of
Microsoft to discourage customers from relying on no-cash-involved
support.

I see. Microsoft has increased the number of MVPs over the past two
or three years in order to discourage relying on free support. That
makes lots of sense.

In truth, the main technical value I get from the newsgroups in
recent years, and the only reason I will sometimes resort to them
(and usually only after some weeks of struggle), is that the process
of describing the problem more precisely and completely for a public
post is sometimes helpful in understanding the solution.

I see. So, you don't really need anything from us. You solve the
problem entirely on your own, just by typing it down here to us.
Microsoft and the MVPs caused the problem, hide the solution to the
problem from you, solely for monetary greed on the part of all of us,
and you single-handedly solve the problem. Might I recommend posting
your next question to microsoft.public.test? You'll get the same
results.

I'm not sure how exactly coming back here to insult us and express
your disappointment in our not solving the answer fits in with this,
given that you didn't really expect us to solve the problem, but then
again, I'm just an MVP, so I have trouble tying my shoes in the
morning.

Not so in this particular case, however. This
time it was just a lucky cross-reference that caught my eye. (I
cannot provide a link to that source since it is internal to the
corporate intranet, not public.)

That's convenient. And that prevents you from posting details about
the fix too?

Today I do have a new technical problem from another friend, but I'm
not yet stumped or desperate enough to describe it here. Thanks, but
no thanks.

No problem. When you encounter problems too tough for you to solve,
we'll be here to help.

kind regards,

Karl Levnson, CISSP

 

[Pat Walters [MSFT]]

"Shannon Jacobs",

After reading the thread further, let me just reiterate what Karl Levinson
said at the end of his last posting. We are here to help. I do not pretend
to understand what good can come from ranting on a newsgroup about how much
you dislike our company or the amazing and technically savvy group of
volunteers that devote themselves to people with problems using Windows
Update --but at name calling, here it ends.

Please refrain from name-calling or ad-hominem attacks in this, and any
other Microsoft newsgroup. We encourage all people with questions or
comments about our products to visit our many newsgroups and find the
community that can best help them. We are honored and humbled by the
generous time and energy of the many volunteers who contribute to these
newsgroups, and pleased to have the Microsoft Valuable Professional program
( http://www.mvps.org.) This is a *privately*-owned newsgroup for the
assistance of Microsoft customers.

To our MVPs and volunteers, thank you for your continued hard work and
efforts. We continually make a better product, and we learn how to serve
the customer better because of this forum and the interaction you have with
our customers.

Sincerely,

Pat Walters [MSFT]

The lady doth protesteth too much. Or is it one of Arnold's girly-men? Well,
actually the "incident" most reminds me of a certain very prominent judge
who wrote a 20-page explanation of why an apparent personal interest in a
certain case was not really an interest, so there was no reason to recuse
himself. Sorry, but the 20-page explanation goes way *beyond* the appearance
of a conflict. That explanation itself was the most concrete evidence of why
the judge should have recused himself, incredible hypocrisy notwithstanding.
Same with your verbose defenses of your technical abilities in the absence
of technical answers.

Of course, I'm not surprised you can't put up (something of technical
value). I am surprised you aren't smart enough to use the other half of the
old saying. Years ago, way back when the MVP program was useful, I would ask
similar technical questions, and if there was an answer from an MVP, it was
almost certain to be very helpful. Even their questions were helpful in
finding the real source of the problems. Other times my questions went
unanswered, but sufficient research revealed that they really were that
difficult to answer or even define, and the MVPs were correct to wait for
more knowledge.

These days it seems like an MVP will usually respond quickly--but for any
non-trivial question, more often than not, the response is just incorrect.
That is why I asked about the current metrics Microsoft is using to assess
the MVP program. I really suspect you get MVP brownie points for being the
first MVP to answer, and without regard to the utility, correctness, or even
relevance of the answer. I am quite sincerely interested in how Microsoft
does business, even in the ethically dubious tactics. As regards the MVP
program, I think it was probably easy for Microsoft to tip the scales in
this way, since most technically competent people are too busy to donate
lots of time to Microsoft's greater glory. (Yes, I'm being slightly tongue
in cheek, since I'm sure you do it to help the suffering customers--but
Microsoft is still willing to make a bit more money by milking your
efforts.)

Regarding your (Levinson's) list of candidates for MVP incompetence, I'm
sorry, but I don't track people for their inability to be helpful. I
remember people for their competence, especially technical competence. I
used to know the names of a number of MVPs--but I recognize none of the
names you mentioned. Just piling the evidence up, aren't you? Now excuse me
while I forget your name, too.

As I am prone to do, I'll commit the folly of mentioning technical matters
in what is eminently not much of a technical thread. Now that I can run SFC
again, it issues the same unable-to-verify complaints about a number of
files. Still no hint about *which* files are too new or *which* security
certificates are still missing. (However, I'm supposed to receive a new
computer in a month or two, so I think I'll just ignore it until then. Maybe
I'll convert this old one to Linux?)

Several of my earliest attempts along the
missing-security-certificate path were to try to reinstall some of
the recent security certificate updates that WindowsUpdate had
provided. I was not able to do so from the Microsoft site, and none
of the MVPs even thought to suggest that approach.

Well, if reinstalling the patches didn't fix the problem, isn't it a
good thing we didn't suggest it?

Windows Update absolutely lets you see and re-install whatever
patches are on your system, but it has no possible way of knowing
about patches that were pushed down by your IT staff using who knows
what method, nor would we. You would have to contact your IT staff
for that.

Your only statement in your OP regarding patches was this:

"Some possibility it may have been caused by a WindowsUpdate,
possibly even one that was pushed onto my machine by the corporate IT
people."

With that vague level of detail, of course your IT people knew how to
fix the problem and we didn't. Your IT people knew which patch they
had pushed out to cause the problem, and we still don't.

Even now, you still haven't provided enough information about which
patch or file was the problem, but you expect us to magically know
the answer in a minute to a problem you've been struggling with for
months. I can only guess that the patch you're talking about might
be the May 2004 root certificates update over 7 months ago, but I
would be hesitant to waste your time offering suggestions like
reinstalling this or that patch based on that guess [and since this
didn't fix your problem, it's a good thing I didn't sugest it]. You
still haven't shared enough detail about the fix to help anyone else
learn from your experience.

Using the link I provided (which actually came from someone in my
company), I was able to find a file which fixed the damage.

How do you know your IT people didn't get the answer to this problem
from Microsoft, or from an MVP?

I am not certain if that
file is the same one that exists somewhere on the Microsoft site, or
if it was a special version. However, I am absolutely certain the
Microsoft search engines failed to find it, and the MVP program
participants also failed to find it--or even to suggest looking for
it.

Most problems with Microsoft patches are due to pre-existing problems
with the configuration of the PC. If no one else on the planet has
ever had your problem, then why would you expect the solution to be
in the Microsoft knowledge base? Note that your problems [getting
answers from the MS search engine or from the newsgroups, your
computer breaking in the first place] always seem to be because
someone at Microsoft has failed you, never because of you, say,
entering the wrong description or deleting root certificates.

The part that is apparently rubbing you the wrong way is my general
comments about what Microsoft has done to the MVP program. If so,
you should quit acting in a way that provides additional evidence.
So far you are only reinforcing my belief that Microsoft has pretty
much destroyed the MVP program by getting rid of the most
technically competent people.

Which of the Microsoft MVPs do you think are not technically
competent? Is it Ed Skoudis? Stuart McClure? Roberta Bragg? Tom
and Debra Littlejohn Shinder? Mark Russinovich? Mark Minasi? I
would like to know why you think the MVP program has fewer or less
competent MVPs. How and why exactly would Microsoft want to spend
money and time on the MVP program, but intentionally choose the worst
candidates? How and why would they destroy the program by increasing
their support for it?

If Microsoft is solely in it for the money, as you claim, then why
spend a single cent on the MVP program in the first place? You do
realize that Microsoft has given you access to pretty much the same
knowledge database that their paid support technicians use when you
call them, correct? And that Microsoft lists the phone numbers of
other companies that offer cheaper tech support on their support web
site? There are certainly some valid criticisms that can be levied
at Microsoft, but your criticisms of Microsoft make little sense and
border on paranoia.

Or perhaps
they have simply changed the incentive system so the MVPs are
encouraged to post meaningless answers even when they have no idea
of what the answer is?

The link I posted may not have fixed your problem, but it is the
answer to what you asked: "what are the dependencies and
troubleshooting steps for certificate problems related to SFC?"

I also tried in my post to clear up some of your misconceptions about
how PKI certificates work that were causing you to angrily think
Microsoft was trying to re-write PKI specifications. You have yet to
prove or suggest why the link I posted was meaningless. What exactly
was it in the link that did not apply to the question you asked?

The award MVPs get from Microsoft is relatively small and hardly
compensates me for all the time I spend here. If you think I post
thousands of posts here every year because of this award or because
it gets me some kind of points, you are very mistaken.

Certainly I admit that some of my queries are liable to be
non-trivial. Whatever the reason, I also believe this negative
change to the MVP program is a deliberate policy on the part of
Microsoft to discourage customers from relying on no-cash-involved
support.

I see. Microsoft has increased the number of MVPs over the past two
or three years in order to discourage relying on free support. That
makes lots of sense.

In truth, the main technical value I get from the newsgroups in
recent years, and the only reason I will sometimes resort to them
(and usually only after some weeks of struggle), is that the process
of describing the problem more precisely and completely for a public
post is sometimes helpful in understanding the solution.

I see. So, you don't really need anything from us. You solve the
problem entirely on your own, just by typing it down here to us.
Microsoft and the MVPs caused the problem, hide the solution to the
problem from you, solely for monetary greed on the part of all of us,
and you single-handedly solve the problem. Might I recommend posting
your next question to microsoft.public.test? You'll get the same
results.

I'm not sure how exactly coming back here to insult us and express
your disappointment in our not solving the answer fits in with this,
given that you didn't really expect us to solve the problem, but then
again, I'm just an MVP, so I have trouble tying my shoes in the
morning.

Not so in this particular case, however. This
time it was just a lucky cross-reference that caught my eye. (I
cannot provide a link to that source since it is internal to the
corporate intranet, not public.)

That's convenient. And that prevents you from posting details about
the fix too?

Today I do have a new technical problem from another friend, but I'm
not yet stumped or desperate enough to describe it here. Thanks, but
no thanks.

No problem. When you encounter problems too tough for you to solve,
we'll be here to help.

kind regards,

Karl Levnson, CISSP