KB835732 SOLUTION!!!

[Branden Wolner]

http://support.microsoft.com/default.aspx?kbid=841382

CAUSE
The security update that is described in Microsoft Security Bulletin
MS04-011 contains an issue that causes Microsoft Windows 2000 to try
repeatedly to load drivers that do not load successfully. Microsoft has
confirmed that this problem occurs if any one of the following drivers is
installed:
Ipsecw2k.sys
Imcide.sys
Dlttape.sys

For example, Microsoft has confirmed that this problem occurs if you have
the Nortel Networks VPN client installed and if the IPSec Policy Agent is
set to Manual or Automatic for the startup type.

I uninstalled Nortel (since I don't need it anymore) and then reapplied
the patch and viola - all is well. The bulletin also describes a
workaround if you prefer. They claim there is a hotfix available but I
called the 866-PC-Safety number and the wait was over an hour (it's not
available online as far as I can tell).

Cheers

 

[Zak Nemo]

It's a bit early to get excited about a 'solution'. Microsoft makes that
clear in their text, i.e.

'Hotfix information
A supported hotfix is now available from Microsoft, but it is only intended
to correct the problem that is described in this article. Only apply it to
systems that are experiencing this specific problem. This hotfix may receive
additional testing. Therefore, if you are not severely affected by this
problem, Microsoft recommends that you wait for the next Windows 2000
service pack that contains this hotfix.

STATUS
Microsoft has confirmed that this is a problem in the Microsoft products
that are listed in the "Applies to" section. Microsoft is researching this
problem and will post more information in this article when the information
becomes available.'

Looks like we'll all have to wait a bit longer or forget KB835732 until
service pack 5.

Zak

 

[Branden Wolner]

It's a bit early to get excited about a 'solution'. Microsoft makes
that clear in their text, i.e.

'Hotfix information
A supported hotfix is now available from Microsoft, but it is only
intended to correct the problem that is described in this article.
Only apply it to systems that are experiencing this specific problem.
This hotfix may receive additional testing. Therefore, if you are not
severely affected by this problem, Microsoft recommends that you wait
for the next Windows 2000 service pack that contains this hotfix.

STATUS
Microsoft has confirmed that this is a problem in the Microsoft
products that are listed in the "Applies to" section. Microsoft is
researching this problem and will post more information in this
article when the information becomes available.'

Looks like we'll all have to wait a bit longer or forget KB835732
until service pack 5.

Zak

In one sense, you are right. There is an additional problem with KB835732
in that it causes IE to erase your history each time you quit the app. On
the other hand, if you can live with that, uninstalling Nortel VPN
clients *does* resolve the 100% CPU and long login problems.

 

[Guest]

Has anyone acquired this mentioned hotfix to their
security patch MS04-011? Tried calling them today but
that was about as fruitful as trying to squeeze water
from a rock. If you have this hotfix please post a
message here or contact me directly.

I have a W2K Server supporting a Citrix installation that
is impacted with the high CPU utilization issue of MS04-
011 and rolling back helped as did disabling the IPSec
service but did not get me back to where I was before and
I still experience higher than normal CPU usage with some
programs.

Tried to Identify the files installed with MS04-011 and
then set up an identical system with all SPs and Hotfixes
applied except that one and came up with a list of five
files that were not the same between the two boxes but
further research on those files revealed that they were
installed (to their current version) for valid reasons.
I suspect that there are Registry settings that are
changed with this faulty security patch but have no way
to identify what those may be or what they were before
applying the patch.

This is the second time I've been nailed by a patch,
guess I will learn to do a full back-up or disk image
before applying patches just in case I need to roll
back. Oddly enough I have five other identical servers
(identical as to hardware and OS, they do have different
apps) that are fully patched, even with MS04-011 and they
are having no problems - just this one has problems.

 

[David]

I am still having this problem on only one of our
workstations. I have disabled the IPSec Policy Agent
service and this has not made a difference. The problem
even happens in safe mode. Any ideas?

 

[N MacD]

Definitely too early!

I've applied the hotfix and it doesn't solve the problem.
I'm running Windows2000 Professional on a Toshiba Satellite Pro. The symptoms for me (and different folks are reporting different problems) were failure to get past the Windows log-on screen at boot up. At this point, with patch installed, the system crashes and simply reboots continuously.

With the hotfix applied, the symptoms remain the same.

As with everyone else, removing the 837732 patch returns my computer to normal state, though still protected from the security hole only by antivirus and firewall.

I've let Microsoft know I've still got a problem. Hopefully anyone else for whom the hotfix isn't the answer will let them know too. They've got some more work to do!

(By the way, for anyone for whom the hotfix does work it comes packaged with a second file (WINDOWS2000-KB841382-X86-ENU-Symbols.EXE). When I asked MS what I was supposed to do with this file, I was told to ignore it ... it was just packaging)

 

[George Hester]

Mother of Mary. What else does it break? Have we ever considered that these Buffer Overruns are NECESSARY for a well operating operating system? No!!!

You know I don't want to get into the pros and cons of applying these security fixes to Windows. But I'd like to suggest that Microsoft make these security fixes that fix one thing and one thing well. Rather then 13 things and at least 1 thing poorly.

It's like the Microsoft Office 2000 SP2. If you want to permanently disable Outlook 2000 then go ahead and apply it. If we don't then we've hit out limit with SP1 and there we are stuck. Because the Outlook 2000 debilitizer is in SP2 and later. And Outlook gets more debilitated the more it is updated.

And now we come to Windows 2003. I suspect I'll be wondering why this doesn't work and that doesn't work and I'll be spending all my time FIXING it. In fact hasn't Windows 2003 had to have all the security fixes in the last year to obviate the vulnerablities like RPC and now LSASS?

Well Microsoft has to do what they gotta do. They have to consider that Johnny Paycheck doesn't have the inclination to use their Windows responsibly. Then, since he doesn't, we have an Internet full of worms and madmen. Oh the benefits of 85% Microsoft Operating Systems Worldwide.

 

[robin]

i do not have this program installed so now what?
robin