Win2K-NT 4.0 Registry Path Security Hotfix
Unlike many vulnerabilities that only technically sophisticated users can exploit, this one is so wide open that we all need to correct it immediately. Microsoft article Q269049 indicates that a malicious user with access to the system drive can place a program called explorer.exe in the C:\ root so that it runs in place of the standard Windows shell program. By default, the share permissions on the C:\ folder are set to Everyone Full Access. Anyone with access to this share, either locally or through a network connection, can take advantage of this vulnerability. Oops!

When a Registry entry names a program without an absolute path, Windows 2000 and Windows NT 4.0 use a standard path search order to locate it. For example, the Shell value in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon key has a default value of "Explorer.exe" without any path information. When Windows reads such a value during startup, it attempts to locate the program through a standard folder search. Contrary to what the Win2K documentation says, the C:\ folder is the first location the OS checks, and it runs any program it finds there named explorer.exe in place of the correct shell program.
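The following PowerShell audit is an added example, not code from Microsoft or from this column. It reports Registry-launched programs that lack an absolute path, whether a same-named file sits in the system-drive root, and which accounts can create files there. It assumes a host with PowerShell available; scanning every value under the Run and RunOnce keys and the helper name Get-ProgramToken are this example's own choices.

```powershell
# Added example (read-only): find Registry-launched programs named without an
# absolute path, and check whether a same-named file sits in the system-drive root.
$root = "$env:SystemDrive\"

# Keys taken from this page. Winlogon is limited to its Shell value; scanning
# every value under Run and RunOnce is this example's assumption.
$targets = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Names = @('Shell') },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';         Names = $null },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce';     Names = $null }
)

function Get-ProgramToken([string]$CommandLine) {
    # Program part of a command line: a quoted string, or text up to the first space or comma.
    $s = $CommandLine.Trim()
    if ($s -match '^"([^"]+)"') { return $Matches[1] }
    return ($s -split '[\s,]', 2)[0]
}

$findings = foreach ($t in $targets) {
    $key = Get-Item -LiteralPath $t.Key -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    $names = if ($t.Names) { $t.Names } else { $key.GetValueNames() }
    foreach ($name in $names) {
        $value = $key.GetValue($name)
        if ($value -isnot [string] -or -not $value.Trim()) { continue }
        $program = Get-ProgramToken ([Environment]::ExpandEnvironmentVariables($value))
        if (-not $program) { continue }
        $qualified = [System.IO.Path]::IsPathRooted($program)
        $shadow = Join-Path $root (Split-Path $program -Leaf)
        $hit = (-not $qualified) -and (Test-Path -LiteralPath $shadow -PathType Leaf)
        [pscustomobject]@{
            Key        = $t.Key
            Value      = $name
            Data       = $value
            Qualified  = $qualified
            RootShadow = if ($hit) { $shadow } else { $null }
        }
    }
}

# Entries that rely on the search order; a non-empty RootShadow needs investigation.
$findings | Where-Object { -not $_.Qualified } | Format-List

# Accounts allowed to create files in the root, where a shadowing file would have to be placed.
$create = [System.Security.AccessControl.FileSystemRights]::CreateFiles
(Get-Acl -LiteralPath $root).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.FileSystemRights -band $create) } |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```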

To close this security hole, install the security hotfix called Q269049. You can download the Win2K, NT 4.0, or Windows NT Server 4.0 hotfixes, respectively, from the following URLs:

Win2K-NT 4.0 RAS Connection Problem
When you attempt a DUN connection to a Win2K-based computer that requires encryption from an NT-based client, the connection might fail and you might receive the error message "Error 629 The data link was terminated by the remote machine." This problem can occur when you configure a Win2K Server to require encryption and the server has both 56-bit and 40-bit encryption levels enabled. Under these circumstances, the Win2K-based computer first tries to negotiate a client connection at the higher encryption level (56-bit). If the NT 4.0 machine supports only 40-bit encryption, the client is unable to negotiate a common encryption method. Microsoft has an NT 4.0 RAS client bug fix that corrects this problem. The bug fix updates one file, rasccp.dll. The file has a release date of March 13. See Microsoft article Q246347 for details.

Win2K and SP1 Integrated Installation: Reader Feedback
Last week, I discussed Win2K Service Pack 1 (SP1) and a couple of potential problems that can arise when you combine installing Win2K with the service pack. One reader performed a successful integrated installation, and I want to share the success story so that you know it works. The reader indicates that you need to create the I386 folder as a subdirectory of the folder from which you perform the update. "So for example, from the service pack's UPDATE folder, you might use UPDATE -s:C:\WIN2K at the command line to update a folder C:\WIN2K\I386, which contains a replica of the I386 folder contents." The integrated installation process implicitly appends the I386 folder to the directory you enter on the UPDATE command line. Our reader is quite happy with the integrated installation and says that it is "a significant improvement over installing the OS and subsequently installing the service pack as a second task."

Systems Management Server News
If you experience problems with Systems Management Server (SMS), review the myriad SMS articles that Microsoft posted last week. Here’s a sampling of the new SMS article titles that caught my attention:

Win2K Multiprocessor Hang Bug Fix
Microsoft article Q266132 describes a situation wherein Win2K might hang on multiprocessor computers during startup while the Preparing Network Connections screen displays. When this problem occurs, you might find that the following entry has appeared in the Registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AuditBaseObjects: REG_DWORD = 1

The article doesn't give an explanation of how and when this value appears in the Registry, but it does indicate that this value makes lsasrv.dll enter into an infinite loop. To correct this problem, call Microsoft Support for the bug fix, a new version of lsasrv.dll released on June 22.

Win2K Pro Upgrade Requires New HP Scanner Driver
After you upgrade your Windows 98 computer to Win2K Professional, the machine retains Win98 driver Registry settings for the Hewlett-Packard 5000 series scanner. The old settings prevent you from installing or upgrading the HP scanner. After you install the scanner software, your computer might stop responding or restart and reboot continually.

To properly install the scanner, you need to download and install scanner patches from the HP Web site (http://www.hp.com/cposupport/scanners/software/sj268en.exe.html). However, the HP patch might not remove old startup Registry entries, which can cause the system to open a DOS command-prompt window each time you reboot. If this happens, you need to remove the Registry entries that refer to a nonexistent driver. Launch a Registry editor, look at the entries in the following keys, and remove all references to the file hpppt.exe:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Microsoft article Q258098 documents this problem and the procedure you need to follow to get the scanner installed and working.