Re: After Ms patches last Wed ...

[Dan Harkless <bugtraq () harkless org>]

On April 16, 2004, phaser-X <px () zeroday net> wrote:
> On Fri, 16 Apr 2004 aborg () mca org mt wrote:
> > Is anyone else having time problems on their networks?
> >
> > Yesterday (Thu) I had approx 50% of my users unable to login because "the
> > time on the client and server are different" and I could not figure out a
> > way to solve it.  Some people managed to login but could not get access to
> > shared resources; others could not login at all.  I tried syncing the time
> > but that didn't work and several other things I tried didn't seem to work.
> > Having said that, I managed to get them operational after lots of cursing
> > but I can't say what it was that I did that solved it.  I thought about the
> > new patches from MS and read all there is about them to see if they affect
> > logins/Kerberos/time service but it doesn't seem to be the case.
> >
> > This morning, I found a MS white paper
> > (http://www.microsoft.com/windows2000/docs/_Toc528382509) which explains
> > how an "Access is denied" message can appear if RPC fails to authenticate
> > and I started thinking about those patches again.  Can anyone help shed
> > some light on this?  I fail to believe that I'm the only one on the planet
> > who got negatively affected by these patches, so either I'm the first to
> > mention it or I'm the only one with a skewed set of network settings!
>
> I had a different issue after Wednesdays updates.  Two win2k computers in 
> my office were rendered useless after the patch.  They were fine before, 
> but as soon as the patch finished and the PC was rebooted, the CPU usage 
> was 100% and nothing could be done.  I left both PC's sitting for about 20 
> minutes and the 100% CPU usage never came down.  Another coworker said he 
> had the same issue with his home PC and he was eventually able to get into 
> the task manager and noticed that the system process was taking up 99-100% 
> of the CPU.
>
> Anyone else experience this issue?

No, but I experienced a *third* issue after applying the updates on my Win2K
box.  After being up for a couple of minutes, it would freeze for a moment
and then very briefly display a black screen saying:

    PAGE_FAULT_IN_NONPAGED_<something>

and then reboot.  The error would display so briefly that I had to read it
over the course of multiple consecutive crashes, and I never got as far as
the <something>, but some searching reveals it most likely said "AREA".

The Event Viewer revealed that a crash dump had been saved, but running
dumpchk on it wasn't all that illuminating.  Nothing in the "Process"
section -- this was a pure kernel task.  The Stack Trace:

    ChildEBP RetAddr  Args to Child
    ba5b2b2c 80468f3a 00000000 fe55e01c 00000000 ntoskrnl!MmTrimAllSystemPagableMemory+0x4350
    ba5b2b44 ba5b2bf8 00000246 80404151 ba5b2b88 ntoskrnl!Kei386EoiHelper+0x2994
    ffffffff 00000000 00000000 00000000 00000000 0xba5b2bf8

I had noticed that before the Tuesday updates came out (why are y'all saying
"Wednesday" above?), there was a Windows Update for my onboard Intel
Ethernet, but I hadn't yet applied it.  I tried installing the new driver
(my system thankfully stayed up long enough for it to complete), and after
installing it, the crashes magically went away.

I was told a Win2K user at work experienced the same thing.  Seems that
Microsoft may not have spent enough time testing one of these patches on the
Win2K platform.  Dunno which one, since in recent years I'd found
Microsoft's patches to be well-tested enough that I haven't made a point to
apply them only one at a time so I could identify faulty ones, as I found it
necessary to do in past years.

-- 
Dan Harkless
http://harkless.org/dan/