Archived from groups: microsoft.public.win2000.security (More info?)
Hi,
I'm observing something really odd with the version of ntoskrnl.exe installed by MS04-011 on some of my Win 2K servers and I was hoping someone might be able to shed some light on it. I've done a search on what I am seeing but the only results I've come up with relate to hfnetchk and a checksum problem.
The version of ntoskrnl.exe which ships with MS04-011, according to the security bulletin, is dated 11/03/2004, with a size of 1,726,032 bytes and a version of 5.0.2195.6902
All of my Win2K servers have been patched with MS04-011 and the patch is listed in add and remove programs. The version of ntoskrnl.exe in the System32 directory is as listed above on only some of them. On the rest it has a file date of 26/02/2003, a size of 1,699,904 bytes and the correct version, (5.0.2195.6902). However, on these servers, the correct version, with date, size and version matching the security bulletin is in the DLLCache directory.
The version of ntoskrnl.exe in the KB835732 uninstall directory on all servers is dated 19/06/2003. The filesize is 1,694,976 bytes and the version is 5.0.2195.6717.
The servers with the incorrect version in the System32 directory include all the domain controllers and certain application servers, but so far I haven't been able to identify a common factor between all machines with the incorrect version.
Yesterday, I did some tests to investigate this further.
Firstly, on one affected server I uninstalled the MS04-011 patch. After I'd done this, the ntoskrnl.exe was the 19/06/2003 version. Then I reinstalled the patch and checked the versions. The version in System32 was the 26/02/2004 version and the DLLCache version was 11/03/2004. For some reason the newer version in the DLLCache does not overwrite the older version in the System32 directory. We've had systems with a newer version of the file in the DLLCache directory left for weeks and rebooted multiple times without the System32 version being updated.
Next, I searched on affected (test) system for files named ntoskrnl.exe. I found two copies dated 26/02/2003, one copy in System32 dated 26/02/2004 and one copy in the DLLCache dated 11/03/2004. To see if I could force the overwrite, I renamed the version in the System32 directory, hoping the version from the DLLCache would be copied in. Within a few seconds, the file was replaced, but with the same file, (dated 26/02/2004), that was there before.
I'm totally at a loss as to why MS04-011 would install a different version of ntoskrnl.exe than listed on the bulletin on some machines only and why it would put a newer version in the DLLCache on those machines. I'm also a bit concerned that without the correct version of the ntoskrnl.exe, the machines are not properly security patched.
As I am seeing this behaviour on 10% or so of my servers, I am a mite worried.
Does anyone know why I am observing this? Any ideas or theories?
I'd really appreciate any thoughts.
Thanks,
Emma Holmes
MCSE
Server Security Analyst
Hi,
I'm observing something really odd with the version of ntoskrnl.exe installed by MS04-011 on some of my Win 2K servers and I was hoping someone might be able to shed some light on it. I've done a search on what I am seeing but the only results I've come up with relate to hfnetchk and a checksum problem.
The version of ntoskrnl.exe which ships with MS04-011, according to the security bulletin, is dated 11/03/2004, with a size of 1,726,032 bytes and a version of 5.0.2195.6902
All of my Win2K servers have been patched with MS04-011 and the patch is listed in add and remove programs. The version of ntoskrnl.exe in the System32 directory is as listed above on only some of them. On the rest it has a file date of 26/02/2003, a size of 1,699,904 bytes and the correct version, (5.0.2195.6902). However, on these servers, the correct version, with date, size and version matching the security bulletin is in the DLLCache directory.
The version of ntoskrnl.exe in the KB835732 uninstall directory on all servers is dated 19/06/2003. The filesize is 1,694,976 bytes and the version is 5.0.2195.6717.
The servers with the incorrect version in the System32 directory include all the domain controllers and certain application servers, but so far I haven't been able to identify a common factor between all machines with the incorrect version.
Yesterday, I did some tests to investigate this further.
Firstly, on one affected server I uninstalled the MS04-011 patch. After I'd done this, the ntoskrnl.exe was the 19/06/2003 version. Then I reinstalled the patch and checked the versions. The version in System32 was the 26/02/2004 version and the DLLCache version was 11/03/2004. For some reason the newer version in the DLLCache does not overwrite the older version in the System32 directory. We've had systems with a newer version of the file in the DLLCache directory left for weeks and rebooted multiple times without the System32 version being updated.
Next, I searched on affected (test) system for files named ntoskrnl.exe. I found two copies dated 26/02/2003, one copy in System32 dated 26/02/2004 and one copy in the DLLCache dated 11/03/2004. To see if I could force the overwrite, I renamed the version in the System32 directory, hoping the version from the DLLCache would be copied in. Within a few seconds, the file was replaced, but with the same file, (dated 26/02/2004), that was there before.
I'm totally at a loss as to why MS04-011 would install a different version of ntoskrnl.exe than listed on the bulletin on some machines only and why it would put a newer version in the DLLCache on those machines. I'm also a bit concerned that without the correct version of the ntoskrnl.exe, the machines are not properly security patched.
As I am seeing this behaviour on 10% or so of my servers, I am a mite worried.
Does anyone know why I am observing this? Any ideas or theories?
I'd really appreciate any thoughts.
Thanks,
Emma Holmes
MCSE
Server Security Analyst
Facebook
Twitter
Instagram