Tuesday, 8 July 2008

Windows Media Player 11 install problems

I had a pretty tricky problem trying to install Windows Media Player 11 onto a couple of clients recently. Basically it kept failing, with the error code 0xc0000005 in the %systemroot%\wmsetup.log. To troubleshoot this, I extracted the setup files to a temp directory and tried to install each component separately to see what was causing the problem. Amongst the extracted files were a couple of exe's, umdf.exe and wmp11.exe. When I tried to run these I got the following errors every time (extracted from the installer log file):


Hotfix started with following command line: /log:c:\temp\umdf.log
In Function GetBuildType, line 1170, RegQueryValueEx failed with error 0x2
CreateUserInterface: GetProcAddress for DefineInstallCustomUI failed: 0x7f
.
.
.
In Function TestVolatileFlag, line 12013, RegOpenKeyEx failed with error 0x2
.
.
In Function GetBuildType, line 1170, RegQueryValueEx failed with error 0x2
.
SetupFindFirstLine in LoadExclusionList Failed with error: 0xe0000102
.
Failed to query DriverPath of ROOT\LEGACY_AFD\0000 0x2
.
Waiting For watson First time ...


I tried all sorts of stuff after searching on Google, such as renaming Catroot2 dir, checking and resetting permissions on files and registry using the SubinACL tool and scripts as found here, but it didn't work.

I could have easily fixed the problem by reinstalling the system, but where's the fun in that, so I logged a call with MS PSS. After 1.5 weeks of trying various things, they sent me a link to the following www.support.microsoft.com/kb/822798. I tried the methods in order, the only one that worked for me was method 9, extracted from the support document...

To clear the temporary file and restart the hotfix installation or the service pack installation, follow these steps:
1. Delete all the tmp*.cat files in the following folders:
%systemroot%\system32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}
%systemroot%\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}
2. Delete all the kb*.cat files in the following folders:
%systemroot%\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}
%systemroot%\System32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}
3. Delete all the oem*.* files from the %systemroot%\inf folder.
4. At the command prompt, type the following commands. Press ENTER after each command.
net stop cryptsvc
ren %systemroot%\System32\Catroot2 oldcatroot2
net start cryptsvc
exit
5. Restart the failed hotfix installation or service pack installation.


Bingo, worked like a dream :)

Wednesday, 2 July 2008

Amazing Guitarist

Check out the skills of this guy.  I'll be watching out for him in future.





Tuesday, 1 July 2008

Restrict User Access to Null Pipes and Shares

There is the well-known method of securing a Windows system from null session access (http://www.sans.org/reading_room/whitepapers/windows/286.php), but there are additional steps that can be taken.

As part of a security mandate at work, we've been advised to delete the following values from the registry to further secure systems from anonymous access.

HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\NullSessionPipes
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\NullSessionShares
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\RestrictNullSessAccess

It can't be done via GPO, which is a shame, but can be done by a script. Easiest way is to do the following.

reg delete HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters /v NullSessionShares /f
reg delete HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters /v NullSessionPipes /f
reg delete HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters /v RestrictNullSessAccess /f

If you use Trend Server Protect, you can't delete the values TMRPC\AgentRPC or TMRPC\SPNTSVC from the NullSessionPipes or it won't work. I'm sure some nice VBScript could do the trick to get around this, but I don't need anything sophisticated.

I've done the registry mods on my system, and everything works OK, so happy days.
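
One way to handle the Trend Server Protect case described above, as an added PowerShell example that is not part of the original post: instead of deleting NullSessionPipes, it rewrites the value so that only the two TMRPC pipes remain. The helper name Select-AllowedPipes and the backup file name are assumptions made for this illustration; NullSessionShares and RestrictNullSessAccess are still handled by the reg delete commands in the post.

```powershell
# Added example (not from the original post). Run from an elevated prompt.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'
$name = 'NullSessionPipes'
# Pipes the post says Trend Server Protect needs; everything else is removed.
$keep = @('TMRPC\AgentRPC', 'TMRPC\SPNTSVC')

# Hypothetical helper: return only the entries that are on the allow-list.
function Select-AllowedPipes {
    param([string[]]$Current, [string[]]$Allowed)
    # -contains is case-insensitive; blank entries are dropped.
    @($Current | Where-Object { $_ -and ($Allowed -contains $_) })
}

$prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
if ($null -eq $prop) {
    Write-Output "$name is not present, nothing to change."
    return
}

# NullSessionPipes is a REG_MULTI_SZ, so it comes back as a string array.
$current = @($prop.$name | ForEach-Object { "$_".Trim() })
$kept    = @(Select-AllowedPipes -Current $current -Allowed $keep)
$removed = @($current | Where-Object { $_ -and ($kept -notcontains $_) })

# Keep a copy of the key before changing it (file name is an assumption).
$stamp  = Get-Date -Format 'yyyyMMddHHmmss'
$backup = Join-Path $env:TEMP "lanmanserver-parameters-$stamp.reg"
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters' $backup | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Backup failed, registry left unchanged." }

if ($kept.Count -eq 0) {
    # No Trend pipes on this machine: same result as the reg delete in the post.
    Remove-ItemProperty -Path $key -Name $name
} else {
    # Write back a REG_MULTI_SZ that holds only the allow-listed pipes.
    Set-ItemProperty -Path $key -Name $name -Value ([string[]]$kept) -Type MultiString
}

Write-Output "Backup written to $backup"
Write-Output ("Removed: " + ($removed -join ', '))
Write-Output ("Kept:    " + ($kept -join ', '))
```

The "Removed" line doubles as an audit record of which pipes were reachable anonymously before the change.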