How to fix broken security in Windows 2000?

Anonymous
January 18, 2005 1:23:00 PM

Archived from groups: microsoft.public.security,microsoft.public.security.homeusers,microsoft.public.win2000.security,microsoft.public.win2000.windows_update,microsoft.public.windowsupdate

In http://support.microsoft.com/default.aspx?scid=kb;en-us;293781 there is
the very interesting comment:

"As you may have noticed in the provided information, some of the
certificates have expired. However, these certificates are necessary for
backwards compatibility. Even if there is an expired trusted root
certificate, anything that was signed with that certificate prior to the
expiration date needs that trusted root certificate to be validated. As long
as expired certificates are not revoked, it can be used to validate anything
that was signed prior to its expiration."

Oh! *NOW* you [Microsoft] tell me. Just too bad the information wasn't
provided earlier.

Been wrestling with this problem for several weeks, and though I'm not
certain, I very strongly suspect that what happened is that I deleted a
required security certificate in the foolish belief that the expiration date
had some meaning. Quite trivial to do from IE: Tools menu -> Internet
Options command -> Content tab -> Certificates button -> Trusted Root
Certificates tab. Not certain because it happened a while ago and the
resulting problem is minor, though annoying. Some possibility it may have
been caused by a WindowsUpdate, possibly even one that was pushed onto my
machine by the corporate IT people.

The problem itself is that the computer complains about a new file version
that it can't check. It doesn't reveal what file, and it doesn't actually
say anything about a missing security certificate, but I'm pretty sure
that's what's going on. The SFC fails to run, which is apparently related.

I'm pretty sure that all of the root certificates have been restored, but
either there is a missing certificate somewhere else, or it is some kind of
chain reaction thing.

Anyone else having similar problems? Any suggestions about how to fix it?
Diagnostic steps to identify the missing certificate or even the affected
file?
Anonymous
January 18, 2005 1:23:01 PM

I have read, and reread, your entire posting.
As far as I can tell, all that you have told us, aside from
your suspected cause, is
<quote>
The problem itself is that the computer complains about a new
file version that it can't check. It doesn't reveal what file
</quote>
That is not really very much to go on.
When does this happen, for example?

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
Anonymous
January 18, 2005 1:23:01 PM

It seems to me this is not exactly a Microsoft or Windows problem, because
if you deleted your root certificates on any OS, you would have problems
with those certificates. What are you doing deleting root certificates
anyways? If you don't know exactly how it works, don't delete it.
Microsoft cannot possibly write an article about every single file and
object telling you not to delete it.

Anyways, I would try restoring those certificates and possibly rebooting.
See the "Method 8" section of this KB article.

http://support.microsoft.com/default.aspx/kb/822798?

It is generally not a good idea to cross-post to multiple groups, because
then your answer gets answered repeatedly in multiple groups.

--
regards,

Karl Levinson, MS MVP, CISSP
Microsoft Security FAQ:
http://securityadmin.info
Anonymous
January 18, 2005 7:41:24 PM

The problem occurs during booting. Unfortunately, the exact error message is
in Japanese, and though I could copy it for you, I'm doubtful it would be
very helpful... My Japanese is far from perfect, but I'll try to describe it
as well as I can. During the boot, a popup window appears. It says that it
is unable to check the validity of a file (or certify the appropriateness or
compatibility?), and it asks me to insert the Windows 2000 Professional CD
so that it can copy an earlier version. No hint as to which file or exactly
why it doesn't like the version it has found. (Of course I have run a
variety of virus and spyware checks, and I think I can rule out that
possibility.)

In response to the error window, I can either insert the CD or cancel. If I
insert the CD, it apparently copies some file and the popup goes away. (The
newer "incorrect" version of the file is apparently restored from somewhere
at the time of the next boot.) If I cancel, then it gives me a confirmation
window where I can insist that it use the newer version, but still no
indication about the newer version of what.

I have tried various diagnostic measures such as getting a boot log (no
hints found) and reading all sorts of typically irrelevant pages on the
Microsoft Web sites. I had hoped that the SFC would identify the problem
(which is supposed to be the purpose of that program), but, as already
noted, it also refuses to run, and based on some of the information I read
on the Microsoft Web site, I believe that this is a related problem. The
error code is 0x000006ba, which will doubtlessly lead you to the same pages
I visited, but I followed the various recovery instructions without success,
which makes me think the real problem is some other file in a critical chain
is also missing. (Or based on the comment below, it is also possible that
this machine originally had a different version of a key root certificate.)

Perhaps this is a helpful diagnostic, but I think it is just a metric that
shows the problem is not so serious. Whatever file is failing to load, it
does not actually stop the boot. The machine continues booting, and I have
not noticed any crucial services that are disabled prior to getting rid of
the error message. I have also been unable to detect any difference between
using the CD or using the unverified newer file.

Anonymous
January 19, 2005 4:14:23 AM

On Tue, 18 Jan 2005 16:41:24 +0900, "Shannon Jacobs"
<shanen@my-deja.com> wrote:

>The problem occurs during booting. Unfortunately, the exact error message is
>in Japanese, and though I could copy it for you, I'm doubtful it would be
>very helpful... My Japanese is far from perfect, but I'll try to describe it
>as well as I can. During the boot, a popup window appears. It says that it
>is unable to check the validity of a file (or certify the appropriateness or
>compatibility?), and it asks me to insert the Windows 2000 Professional CD
>so that it can copy an earlier version. No hint as to which file or exactly
>why it doesn't like the version it has found. (Of course I have run a
>variety of virus and spyware checks, and I think I can rule out that
>possibility.)

Actually, you can't. This is a relatively recent spyware issue, and
easily resolved. Open the Task Manager and choose the processes tab.
Stop all processes you don't know, there aren't many that are required
and if you stop the wrong one you can always restart the system to
recover.

Once these are stopped, run the registry editor (regedt32 or regedit)
and find the key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Remove all strange entries. You should recognize most of them anyway.
Once removed, restart the system. Also run through the Add/Remove
Programs dialog and clean out unrecognized or unwanted stuff.

Keep in mind that making changes to the registry can screw up your
system. If you're at all uncomfortable with this, call your IT
department (If they're security conscious they'll have prevented you
from editing the registry anyway...).

I haven't found a spyware removal tool that has fixed this issue, but
I've cleaned a half dozen systems in the last few days of this.

Disclaimer: If you're foolish enough to try suggestions from the
internet without verifying them, then you deserve whatever happens if
this hoses your system. Don't blame me since I'm specifically warning
you not to do what I suggest.

That said, you can easily figure out how to reach me and verify
credentials.

Jeff
Anonymous
January 19, 2005 8:57:19 AM

It is true that there is relatively new malware on the Internet that deletes
or inhibits your access to your root certificates. If you didn't delete any
of your root certificates that pertain to Windows file checking, this may be
the problem. The article I posted tells you how to check to see whether the
root certificates related to Windows file checking are missing.


"Jeff Cochran" <jeff.nospam@zina.com> wrote in message
news:41f0b110.986627074@msnews.microsoft.com...

> Actually, you can't. This is a relatively recent spyware issue, and
> easily resolved. Open the Task Manager and choose the processes tab.
> Stop all processes you don't know, there aren't many that are required
> and if you stop the wrong one you can always restart the system to
> recover.
Anonymous
January 19, 2005 12:55:56 PM

This is exactly the level of "support" I have come to expect from MVPs. Does
Microsoft have some sort of incentive program that requires you to say
something even if you have no idea what you are talking about?


Karl Levinson, mvp wrote:
> It seems to me this is not exactly a Microsoft or Windows problem,
> because if you deleted your root certificates on any OS, you would
> have problems with those certificates. What are you doing deleting
> root certificates anyways? If you don't know exactly how it works,
> don't delete it. Microsoft cannot possibly write an article about
> every single file and object telling you not to delete it.

I have already confessed my culpability for being stupid enough to believe
that the expiration date on a security certificate had any meaning. Well,
actually it should have a meaning because the concept of security is
fundamentally linked to time. However, if Microsoft chooses to ignore or
reassign meanings and just redefine things, that's the new de facto
standard, isn't it? My bad, mea culpa, and I admit I was a fool to trust
Microsoft. Are you satisfied now?

(However, I'm still not certain that this is the cause of the problem, nor
even certain exactly what the problem is.)


> Anyways, I would try restoring those certificates and possibly
> rebooting. See the "Method 8" section of this KB article.
>
> http://support.microsoft.com/default.aspx/kb/822798?

Done that. Didn't work. "Possibly rebooting." Damn. Why didn't I think of
that? Especially with regards to a boot-related problem. Shucks, still
didn't work.

Any more trivially obvious suggestions? Dare I say, trivially obvious to the
most casual observer?


> It is generally not a good idea to cross-post to multiple groups,
> because then your answer gets answered repeatedly in multiple groups.

No, you are incorrect again, but par for the current MVPs. Please read the
relevant RFC and the NNTP standards. The only notable exception is Mozilla,
which is well known to be handling cross-posting incorrectly, and which is
not even a Microsoft product.
Anonymous
January 19, 2005 12:55:57 PM

"Shannon Jacobs" <shanen@my-deja.com> wrote in message
news:o 3y3iGc$EHA.1260@TK2MSFTNGP12.phx.gbl...
> This is exactly the level of "support" I have come to expect from MVPs.
> Does Microsoft have some sort of incentive program that requires you to say
> something even if you have no idea what you are talking about?
>
>

You can find more about the MVP title here:
http://mvp.support.microsoft.com/default.aspx?scid=fh;EN-US;mvpfaqs

/Fredrik
Anonymous
January 19, 2005 12:55:57 PM

"Shannon Jacobs" <shanen@my-deja.com> wrote in message
news:o 3y3iGc$EHA.1260@TK2MSFTNGP12.phx.gbl...
> This is exactly the level of "support" I have come to expect from MVPs.
> Does Microsoft have some sort of incentive program that requires you to say
> something even if you have no idea what you are talking about?

Hey, you came here looking for free support. I spent a fair amount of time
looking for the KB article, only to have you complain about my "level of
support" and say you had already tried that. If you already tried it, tell
us what you've already tried so we don't waste our time and yours. I'm not
psychic.

> actually it should have a meaning because the concept of security is
> fundamentally linked to time.

No. When someone uses a PKI cert to sign a PGP email or a Windows 2000
file, that is not linked to time.

> However, if Microsoft chooses to ignore or
> reassign meanings and just redefine things, that's the new de facto
> standard, isn't it?

No. You still need certificates after they expire. This is true of many
PKI solutions including PGP, so it has nothing to do with Microsoft. Your
PGP emails, Windows 2000 files, etc. were signed with a cert that is now
expired, and the only way to verify the signing is to keep access to the old
certs. Not a Microsoft thing.

> My bad, mea culpa, and I admit I was a fool to trust Microsoft.

No, your mistake was to start deleting core OS stuff for no real reason I'm
aware of, without knowing how it works, then coming here and blaming MS,
saying MS should have warned you not to delete your root certificates
haphazardly, and that MS publishing a KB article on the subject is not
sufficient warning.

> Done that. Didn't work. "Possibly rebooting." Damn. Why didn't I think of
> that? Especially with regards to a boot-related problem. Shucks, still
> didn't work.
>
> Any more trivially obvious suggestions? Dare I say, trivially obvious to
> the most casual observer?

No, I meant the MS article doesn't tell you this, but after using the KB
article to restore the certificates, you may possibly need to reboot. I
didn't think that rebooting would solve your problem, but that rebooting
might be necessary to see whether your problem was fixed... which is of
course a true statement, since the problem occurs at boot time. I hardly
think finding an article on how to restore your root certificates is a
trivially obvious suggestion. I'm not sure I believe you when you say that
you already tried restoring your root certificates using the KB article I
posted. If you had, the problem would probably be fixed. I suspect you
misunderstood the part about "possibly rebooting" and blew up before trying
out the KB article.

The KB article states that even though you deleted the root certificates
from your Windows certificate store, they are still contained in files on
your hard drive and can be restored from there.

> No, you are incorrect again, but par for the current MVPs. Please read the
> relevant RFC and the NNTP standards. The only notable exception is
> Mozilla, which is well known to be handling cross-posting incorrectly, and which is
> not even a Microsoft product.

RFC 1855 says very little about cross-posting, and it is now at least nine
years old.

If you have such little respect for MVPs, why are you here looking for
support from them?

Anyways, if you haven't yet, try doing what I actually suggested:

http://support.microsoft.com/default.aspx/kb/822798?

Method 8: Verify the status of all certificates in the certification path
and import missing or damaged certificates from another computer
To verify certificates in the certificate path for a Windows or Internet
Explorer product update, follow these steps:
Step 1: Verify Microsoft certificates
1. In Internet Explorer, click Tools, and then click Internet Options.
2. On the Content tab, click Certificates.
3. On the Trusted Root Certification Authorities tab, double-click
Microsoft Root Authority. If this certificate is missing, go to step 2.
4. On the General tab, make sure that the Valid from dates are
1/10/1997 to 12/31/2020.
5. On the Certification Path tab, verify that This certificate is OK
appears under Certificate Status.
6. Click OK, and then double-click the NO LIABILITY ACCEPTED
certificate.
7. On the General tab, make sure that the Valid from dates are
5/11/1997 to 1/7/2004.
8. On the Certification Path tab, verify that either This certificate
has expired or is not yet valid or This certificate is OK appears under
Certificate Status.

Note Although this certificate is expired, it will continue to work.
The operating system may not work correctly if the certificate is missing or
revoked.

For additional information, click the following article number to view
the article in the Microsoft Knowledge Base:
293781 Trusted root certificates that are required by Windows 2000,
Windows XP, and Windows Server 2003
9. Click OK, and then double-click the GTE CyberTrust Root
certificate. You may have more than one of these certificates with the same
name. Check the certificate that has an expiration date of 2/23/2006.
10. On the General tab, make sure that the Valid from dates are
"2/23/1996 to 2/23/2006."
11. On the Certification Path tab, verify that This certificate is OK
appears under Certificate Status.

Step 2: Import missing or damaged certificates
If one or more of these certificates are missing or corrupted, export the
missing or corrupted certificates to another computer, and then install the
certificates on your computer. To export certificates on another computer,
follow these steps: 1. In Internet Explorer, click Tools, and then click
Internet Options.
2. On the Content tab, click Certificates.
3. On the Trusted Root Certification Authorities tab, click the
certificate that you want to export.
4. Click Export, and then follow the instructions to export the
certificate as a DER encoded Binary x.509(.CER) file.
5. After the certificate file has been exported, copy it to the
computer where you want to import it.
6. On the computer where you want to import the certificate,
double-click the certificate.
7. Click Install certificate, and then click Next.
8. Click Finish, and then click OK.


[... and then possibly you may need to reboot for the changes to fully
take effect. The MS article didn't say this, so I added it.]
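
The check that Step 1 performs by hand, written as an added example (it is not from the Microsoft article or from any poster in this thread): it compares a root-store listing against the three certificates and validity dates quoted in the steps, and treats an expired but present certificate as acceptable, as the Note says. The pipe-separated listing format, the function names and the sample data are assumptions made for the illustration.

```python
"""Audit a root-store listing against the certificates named in the steps above."""
from datetime import date, datetime
from typing import NamedTuple


class Cert(NamedTuple):
    name: str
    not_before: date
    not_after: date


def _d(text):
    # Dates are written M/D/YYYY, the way the steps quote them.
    return datetime.strptime(text.strip(), "%m/%d/%Y").date()


# Names and validity dates exactly as given in Step 1.
REQUIRED = [
    Cert("Microsoft Root Authority", _d("1/10/1997"), _d("12/31/2020")),
    Cert("NO LIABILITY ACCEPTED", _d("5/11/1997"), _d("1/7/2004")),
    Cert("GTE CyberTrust Root", _d("2/23/1996"), _d("2/23/2006")),
]


def parse_inventory(text):
    """Parse 'name | valid from | valid to' lines (hypothetical hand-made listing)."""
    certs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(parts)}")
        certs.append(Cert(parts[0], _d(parts[1]), _d(parts[2])))
    return certs


def audit(store, today):
    """Return {required name: status} for a parsed store.

    missing        - no certificate with that name: import it (Step 2)
    wrong-validity - same name, but no copy with the expected dates
                     (several certificates can share a name)
    ok-expired     - present with the expected dates, past its end date;
                     per the Note it still works and must not be deleted
    ok             - present with the expected dates and still in date
    """
    report = {}
    for want in REQUIRED:
        same_name = [c for c in store if c.name.casefold() == want.name.casefold()]
        exact = [c for c in same_name
                 if (c.not_before, c.not_after) == (want.not_before, want.not_after)]
        if not same_name:
            report[want.name] = "missing"
        elif not exact:
            report[want.name] = "wrong-validity"
        elif today > want.not_after:
            report[want.name] = "ok-expired"
        else:
            report[want.name] = "ok"
    return report


# Constructed sample: one required root deleted, and two certificates sharing
# the GTE name (the 8/13/1998 entry and its dates are made up for the example).
SAMPLE = """\
# name | valid from | valid to
Microsoft Root Authority | 1/10/1997 | 12/31/2020
GTE CyberTrust Root | 8/13/1998 | 8/13/2018
GTE CyberTrust Root | 2/23/1996 | 2/23/2006
"""

if __name__ == "__main__":
    for name, status in audit(parse_inventory(SAMPLE), date(2005, 1, 18)).items():
        print(f"{status:15} {name}")
```
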
Anonymous
January 19, 2005 12:55:57 PM

Archived from groups: microsoft.public.security,microsoft.public.security.homeusers,microsoft.public.win2000.security,microsoft.public.win2000.windows_update,microsoft.public.windowsupdate

"Shannon Jacobs" <shanen@my-deja.com> wrote in message
news:o 3y3iGc$EHA.1260@TK2MSFTNGP12.phx.gbl...
> This is exactly the level of "support" I have come to expect from MVPs. Does
> Microsoft have some sort of incentive program that requires you to say
> something even if you have no idea what you are talking about?

The incentive is that we get to do this for free and get the benefit of
putting up with a thankless public in the process.

> > Anyways, I would try restoring those certificates and possibly
> > rebooting. See the "Method 8" section of this KB article.
> >
> > http://support.microsoft.com/default.aspx/kb/822798?
>
> Done that. Didn't work. "Possibly rebooting." Damn. Why didn't I think of
> that? Especially with regards to a boot-related problem. Shucks, still
> didn't work.

Did you actually read the article?

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
Anonymous
January 20, 2005 1:40:30 PM

Archived from groups: microsoft.public.security,microsoft.public.security.homeusers,microsoft.public.win2000.security,microsoft.public.win2000.windows_update,microsoft.public.windowsupdate

Actually I read so many of Microsoft's articles that I cannot swear for
certain whether or not I read that particular one. However, I do remember
doing the steps that were recommended there, though they may have been from
another similar article. I did find a solution, though not from Microsoft.
Here it is:

http://www.beginningtoseethelight.org/patches/2kpro.php

As already noted, I can only congratulate Microsoft for their success in
destroying yet another free support resource (the MVP program of some years
ago) and I continue to wish I had the option to abandon Microsoft.

Phillip Windell wrote:
> "Shannon Jacobs" <shanen@my-deja.com> wrote in message
> news:o 3y3iGc$EHA.1260@TK2MSFTNGP12.phx.gbl...
>> This is exactly the level of "support" I have come to expect from
>> MVPs. Does Microsoft have some sort of incentive program that
>> requires you to say something even if you have no idea what you are
>> talking about?
>
> The incentive is that we get to do this for free and get the benefit
> of putting up with a thankless public in the process.
>
>>> Anyways, I would try restoring those certificates and possibly
>>> rebooting. See the "Method 8" section of this KB article.
>>>
>>> http://support.microsoft.com/default.aspx/kb/822798?
>>
>> Done that. Didn't work. "Possibly rebooting." Damn. Why didn't I
>> think of that? Especially with regards to a boot-related problem.
>> Shucks, still didn't work.
>
> Did you actually read the article?
Anonymous
January 24, 2005 11:49:51 AM

Archived from groups: microsoft.public.security,microsoft.public.security.homeusers,microsoft.public.win2000.security,microsoft.public.win2000.windows_update,microsoft.public.windowsupdate

"Shannon Jacobs" <shanen@my-deja.com> wrote in message
news:o vKU5AbAFHA.4044@TK2MSFTNGP11.phx.gbl...
> You are simply inserting your foot farther and farther into your mouth. How
> does it taste?

If you spend as much time and effort in understanding and solving your
problems as you spend annoying everyone else,...you would not have any
problems left to ask questions about.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
Anonymous
January 24, 2005 3:00:40 PM

Archived from groups: microsoft.public.security,microsoft.public.security.homeusers,microsoft.public.win2000.security,microsoft.public.win2000.windows_update,microsoft.public.windowsupdate

"Shannon Jacobs" <shanen@my-deja.com> wrote in message
news:o vKU5AbAFHA.4044@TK2MSFTNGP11.phx.gbl...

> Several of my earliest attempts along the missing-security-certificate path
> were to try to reinstall some of the recent security certificate updates
> that WindowsUpdate had provided. I was not able to do so from the Microsoft
> site, and none of the MVPs even thought to suggest that approach.

Well, if reinstalling the patches didn't fix the problem, isn't it a good
thing we didn't suggest it?

Windows Update absolutely lets you see and re-install whatever patches are
on your system, but it has no possible way of knowing about patches that
were pushed down by your IT staff using who knows what method, nor would we.
You would have to contact your IT staff for that.

Your only statement in your OP regarding patches was this:

"Some possibility it may have been caused by a WindowsUpdate, possibly even
one that was pushed onto my machine by the corporate IT people."

With that vague level of detail, of course your IT people knew how to fix
the problem and we didn't. Your IT people knew which patch they had pushed
out to cause the problem, and we still don't.

Even now, you still haven't provided enough information about which patch or
file was the problem, but you expect us to magically know the answer in a
minute to a problem you've been struggling with for months. I can only
guess that the patch you're talking about might be the May 2004 root
certificates update over 7 months ago, but I would be hesitant to waste your
time offering suggestions like reinstalling this or that patch based on that
guess [and since this didn't fix your problem, it's a good thing I didn't
suggest it]. You still haven't shared enough detail about the fix to help
anyone else learn from your experience.

> Using the link I provided (which actually came from someone in my company),
> I was able to find a file which fixed the damage.

How do you know your IT people didn't get the answer to this problem from
Microsoft, or from an MVP?

> I am not certain if that
> file is the same one that exists somewhere on the Microsoft site, or if it
> was a special version. However, I am absolutely certain the Microsoft search
> engines failed to find it, and the MVP program participants also failed to
> find it--or even to suggest looking for it.

Most problems with Microsoft patches are due to pre-existing problems
with the configuration of the PC. If no one else on the planet has ever had
your problem, then why would you expect the solution to be in the Microsoft
knowledge base? Note that your problems [getting answers from the MS search
engine or from the newsgroups, your computer breaking in the first place]
always seem to be because someone at Microsoft has failed you, never because
of you, say, entering the wrong description or deleting root certificates.

> The part that is apparently rubbing you the wrong way is my general comments
> about what Microsoft has done to the MVP program. If so, you should quit
> acting in a way that provides additional evidence. So far you are only
> reinforcing my belief that Microsoft has pretty much destroyed the MVP
> program by getting rid of the most technically competent people.

Which of the Microsoft MVPs do you think are not technically competent? Is
it Ed Skoudis? Stuart McClure? Roberta Bragg? Tom and Debra Littlejohn
Shinder? Mark Russinovich? Mark Minasi? I would like to know why you
think the MVP program has fewer or less competent MVPs. How and why exactly
would Microsoft want to spend money and time on the MVP program, but
intentionally choose the worst candidates? How and why would they destroy
the program by increasing their support for it?

If Microsoft is solely in it for the money, as you claim, then why spend a
single cent on the MVP program in the first place? You do realize that
Microsoft has given you access to pretty much the same knowledge database
that their paid support technicians use when you call them, correct? And
that Microsoft lists the phone numbers of other companies that offer cheaper
tech support on their support web site? There are certainly some valid
criticisms that can be levied at Microsoft, but your criticisms of Microsoft
make little sense and border on paranoia.

> Or perhaps
> they have simply changed the incentive system so the MVPs are encouraged to
> post meaningless answers even when they have no idea of what the answer is?

The link I posted may not have fixed your problem, but it is the answer to
what you asked: "what are the dependencies and troubleshooting steps for
certificate problems related to SFC?"

I also tried in my post to clear up some of your misconceptions about how
PKI certificates work that were causing you to angrily think Microsoft was
trying to re-write PKI specifications. You have yet to prove or suggest why
the link I posted was meaningless. What exactly was it in the link that did
not apply to the question you asked?

The award MVPs get from Microsoft is relatively small and hardly compensates
me for all the time I spend here. If you think I post thousands of posts
here every year because of this award or because it gets me some kind of
points, you are very mistaken.

> Certainly I admit that some of my queries are liable to be non-trivial.
> Whatever the reason, I also believe this negative change to the MVP program
> is a deliberate policy on the part of Microsoft to discourage customers from
> relying on no-cash-involved support.

I see. Microsoft has increased the number of MVPs over the past two or
three years in order to discourage relying on free support. That makes lots
of sense.

> In truth, the main technical value I get from the newsgroups in recent
> years, and the only reason I will sometimes resort to them (and usually only
> after some weeks of struggle), is that the process of describing the problem
> more precisely and completely for a public post is sometimes helpful in
> understanding the solution.

I see. So, you don't really need anything from us. You solve the problem
entirely on your own, just by typing it down here to us. Microsoft and the
MVPs caused the problem, hide the solution to the problem from you, solely
for monetary greed on the part of all of us, and you single-handedly solve
the problem. Might I recommend posting your next question to
microsoft.public.test? You'll get the same results.

I'm not sure how exactly coming back here to insult us and express your
disappointment in our not solving the answer fits in with this, given that
you didn't really expect us to solve the problem, but then again, I'm just
an MVP, so I have trouble tying my shoes in the morning.

> Not so in this particular case, however. This
> time it was just a lucky cross-reference that caught my eye. (I cannot
> provide a link to that source since it is internal to the corporate
> intranet, not public.)

That's convenient. And that prevents you from posting details about the fix
too?

> Today I do have a new technical problem from another friend, but I'm not yet
> stumped or desperate enough to describe it here. Thanks, but no thanks.

No problem. When you encounter problems too tough for you to solve, we'll
be here to help.

kind regards,

Karl Levinson, CISSP
Anonymous
January 26, 2005 1:34:29 PM

Archived from groups: microsoft.public.security,microsoft.public.security.homeusers,microsoft.public.win2000.security,microsoft.public.win2000.windows_update,microsoft.public.windowsupdate

"Karl Levinson, mvp" <levinson_k@despammed.com> wrote in message
news:o vQ%23RWjAFHA.1524@TK2MSFTNGP09.phx.gbl...
> Which of the Microsoft MVPs do you think are not technically competent? Is
> it Ed Skoudis? Stuart McClure? Roberta Bragg? Tom and Debra Littlejohn
> Shinder? Mark Russinovich? Mark Minasi? I would like to know why you
> think the MVP program has fewer or less competent MVPs.

Ok,..It's me...I confess!, I confess!

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
Anonymous
January 28, 2005 7:09:45 PM

Archived from groups: microsoft.public.security,microsoft.public.security.homeusers,microsoft.public.win2000.security,microsoft.public.win2000.windows_update,microsoft.public.windowsupdate

"Pat Walters [MSFT]" <a-patwal@online.microsoft.com> wrote in message
news:41fa1189$1@news.microsoft.com...
> community that can best help them. We are honored and humbled by the
> generous time and energy of the many volunteers who contribute to these
> newsgroups, and pleased to have the Microsoft Valuable Professional program

....and with what MS invests in us, as such things like the MVP Summit
meetings, Subscriptions, and other things,...I can say that the humbling
goes both ways,..what MS does to help us does not go unnoticed.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
Anonymous
January 30, 2005 8:23:57 AM

Archived from groups: microsoft.public.win2000.security

"Shannon Jacobs" <shanen@my-deja.com> wrote in message
news:e9exlqCBFHA.2792@TK2MSFTNGP15.phx.gbl...

> Years ago, way back when the MVP program was useful, I would ask
> similar technical questions, and if there was an answer from an MVP, it was
> almost certain to be very helpful.

Years ago a "Technical" question was, by today's standards of hardware,
software and infrastructure complexity, comparatively simple to answer :) .

Speaking for me, but probably for most MVPs too, I hate to give wrong
answers, even if it is a result of the "Wrong question" being asked, and I
am not being sarcastic, that can easily happen. If I had a dollar for every
"Wrong question" I've asked etc :) .

So given the complexity of some systems it's likely that many MVPs will wait
until they think they can fully answer before they start in, and if it looks
like it may need a series of "Try this", "Try that" exchanges it's also
likely that an MVP will try to judge how well he / she can follow up on a
thread, otherwise you start something but then end up leaving it to others.
It may also depend on what facilities an MVP has available to test things
on... not every MVP will have encountered every possible combination.

For quite a while I was able to devote a lot of time to the IE/OE groups,
but my job changed and as well as having less time to spend on here I also
got landed with being "On Call" which meant I could not reasonably expect to
be consistent. It is amazing how far and how fast one can fall behind
problem "Trends", perhaps time is a big factor for others too?

In fact the reason I am here in the W2k groups at all is because I was
looking for an answer, not trying to give them, and as it happens I found my
answer (or at least confirmation of my theory) before I even asked the
question. Although I have used W2k for years I have not done so in an
environment that qualifies me to answer much specific stuff.

So in closing, I suspect that if you review your position, taking into
account the viewpoint of those you seek to criticize, you may see things a
little differently.

As for Linux I suggest Debian to start. You can actually download the entire
thing, in whatever level of complexity you want, starting with just two or
three floppy disks that you make up yourself (Starting of course using
Windows). Other versions are not as "Free" as you might think and tech
support is patchy at best. Compatibility between versions? Hmm. Personal
opinion I guess :)  It becomes rather like arguing the difference between GM
and Ford.

Hope this helps,

Charlie
Anonymous
February 6, 2005 2:29:45 PM

Archived from groups: microsoft.public.win2000.security

Thanks for the recommendation on Linux, though I'm not exactly a beginner.
As I already noted, I'm constrained by my customers, and they're mostly in
bondage to Microsoft, so I'm kind of constrained to follow the most similar
path. Resource constraints being what they are, I'm probably not going to
spend a lot of time on it unless the company is supporting the move more
strongly than they have so far... The CEO keeps talking about it, but
nothing much is happening in the trenches--at least not in my part of the
trench.

As you noted, the technical answers are often found in passing and in the
old posts. You have to be flexible in how you search and pay attention to
the details--and it's especially important and useful if the responders use
the proper terminology and use it consistently. That has an important
funneling effect from the many vaguely worded n00b queries. However, I'd
already been-there-done-that at the time of the first post. As I reported
later in the thread, I did get some useful clues that way, but that path
started in our corporate newsgroups, not the public ones.

With regards to the empathic "viewpoint" issue, I actually think I'm very
sensitive to all of the aspects you've raised (or resurrected), having spent
a couple of years doing lots of support for Microsoft products and many
years teaching computer-related topics at the university level. If you feel
my response was inappropriate, I think you should review the thread from its
beginning. I'm actually trying to provide enough context to avoid exactly
what usually happens--which is a lot of my time wasted monitoring a thread
that receives many "do this again" responses.

I think that the very FIRST thing I learned when I was doing support was to
consider very carefully exactly what the customer is saying. Some customers
don't know what is going on and need to do it again from scratch, but in
other cases you should avoid wasting his or her time. When you have nothing
to say, say nothing. Wait a bit and something might come to you. The
customers apparently appreciated it, which was mostly okay. (The main down
side was that the more troublesome customers usually wound up as mine--which
made the rest of the support staff appreciative.)

Amusingly enough, as I was leaving support work I was actually considered
for a second-tier support job for Microsoft, though it was actually through
a subcontractor chain. My second language wasn't strong enough, but the
manager did keep in touch for several years after that, so I guess he was
sincerely interested, though I never did work for him. Nice fellow, but I
think feeding the behemoth would have given me ulcers...

Charlie Tame <charlie@tames.net> wrote:
> "Shannon Jacobs" <shanen@my-deja.com> wrote in message
> news:e9exlqCBFHA.2792@TK2MSFTNGP15.phx.gbl...
>
>> Years ago, way back when the MVP program was useful, I would ask
>> similar technical questions, and if there was an answer from an
>> MVP, it was
>> almost certain to be very helpful.
>
> Years ago a "Technical" question was, by today's standards of
> hardware, software and infrastructure complexity, comparatively
> simple to answer :) .
> Speaking for me, but probably for most MVPs too, I hate to give
> wrong answers, even if it is a result of the "Wrong question" being
> asked, and I am not being sarcastic, that can easily happen. If I
> had a dollar for every "Wrong question" I've asked etc :) .
>
> So given the complexity of some systems it's likely that many MVPs
> will wait until they think they can fully answer before they start
> in, and if it looks like it may need a series of "Try this", "Try
> that" exchanges it's also likely that an MVP will try to judge how
> well he / she can follow up on a thread, otherwise you start
> something but then end up leaving it to others. It may also depend
> on what facilities an MVP has available to test things on... not
> every MVP will have encountered every possible combination.
> For quite a while I was able to devote a lot of time to the IE/OE
> groups, but my job changed and as well as having less time to spend
> on here I also got landed with being "On Call" which meant I could
> not reasonably expect to be consistent. It is amazing how far and
> how fast one can fall behind problem "Trends", perhaps time is a
> big factor for others too?
> In fact the reason I am here in the W2k groups at all is because I
> was looking for an answer, not trying to give them, and as it
> happens I found my answer (or at least confirmation of my theory)
> before I even asked the question. Although I have used W2k for
> years I have not done so in an environment that qualifies me to
> answer much specific stuff.
> So in closing, I suspect that if you review your position, taking
> into account the viewpoint of those you seek to criticize, you may
> see things a little differently.
>
> As for Linux I suggest Debian to start. You can actually download
> the entire thing, in whatever level of complexity you want,
> starting with just two or three floppy disks that you make up
> yourself (Starting of course using Windows). Other versions are not
> as "Free" as you might think and tech support is patchy at best.
> Compatibility between versions? Hmm. Personal opinion I guess :)  It
> becomes rather like arguing the difference between GM and Ford.
>
> Hope this helps,
>
> Charlie
Anonymous
February 6, 2005 8:41:57 PM

Archived from groups: microsoft.public.security,microsoft.public.security.homeusers,microsoft.public.win2000.security,microsoft.public.win2000.windows_update,microsoft.public.windowsupdate

"Shannon Jacobs" <shanen@my-deja.com> wrote in message
news:eIyF5S%23CFHA.2756@TK2MSFTNGP12.phx.gbl...

> from there. Many years ago the newsgroups had a positive SNR, but nowadays
> zero-signal-and-downhill is the safe prediction.
>
> Just in case some technically competent person would be so kind as to
> provide a useful answer, the technical question is:
>
> How can missing security certificates be identified (and "safely" replaced)?

As I said, the first link I posted, which you complained about, tells you
EXACTLY how to do that. If the instructions in that link didn't work for
you, please tell us what the results are, e.g. you tried everything on that
list, and X happened or didn't happen. If you had tried everything on that
list, you would now be able to tell us that your computer has all the
relevant certificates, and we would then know that the problem has nothing
to do with restoring deleted certificates as you still seem to believe. We
could also rule out a number of other dependencies on file checking besides
certificates, and move towards the real cause and solution.

I thought you said in a previous post that you had fixed the problem, and
pointed to a page that suggested you might have re-installed some MS patch
or another.

> experiences, I do believe I could escalate the issue, pay Microsoft some
> "support" money, and someone at Microsoft would reveal the answer, perhaps

Phone support for problems caused by MS patches [which you blamed at times]
is absolutely free. What more could you possibly want? Which other vendors
do this for you? You might be charged if the problem was not due to a MS
patch.

> with a clause requiring me not to republish it in public places like the
> newsgroups. After all, security almost entirely depends on obscurity, as all
> good Microsoftians "know".

Paranoia and FUD. The MS KB is the same one the paid MS support technicians
use.

[I trimmed the rest of the huge post below as a courtesy to other readers
here.]
Anonymous
February 6, 2005 8:52:00 PM

Archived from groups: microsoft.public.security,microsoft.public.security.homeusers,microsoft.public.win2000.security,microsoft.public.win2000.windows_update,microsoft.public.windowsupdate

"Shannon Jacobs" <shanen@my-deja.com> wrote in message
news:o 59aP89CFHA.3120@TK2MSFTNGP12.phx.gbl...
> Great. Taking you at your (poorly written) word, you are technically
> competent and polite, and claim to have read and understood all of this
> discussion. Therefore it was obviously an oversight that you forgot to
> answer the technical question:

> How can missing security certificates be identified (and replaced)?

He didn't answer it because it had already been answered.

> Yet again by the way, I find your (Mr. Dilley's) projection on the "lack of
> maturity" issue so funny that I'm reposting this reply in a few other forums
> for wider amusement. Given the state of the newsgroups these days, I have
> little hope of a technically accurate answer, but at least you're
> entertaining.

So, you're claiming to be posting our comments elsewhere to make fun of us,
and yet you want us to solve your problems? You're either a troll, or
you're making no sense.

> Your advice to the project managers is especially hilarious
> and amusingly timed, but I'm not actually interested in playing your pro/ad
> hominem games.

Actually, I had the same thought. Nothing personal, but if this was
caused by something the sysadmins did, like a patch or configuration change,
it's not likely to be solved by you, because they have the necessary details
on what happened. The real sysadmins who are pushing the patches and
configuration settings in your company would be in a better position to give
us details and fix the problem. Especially if you're not able to tell us
what they said when you asked them to help with this problem.

> [And how about using a spelling checker? I'm not making an issue of it, but
> it's yet another matter of politeness to the readers.]

You did make an issue of it. Two words had typos in them, big deal.
Anonymous
February 7, 2005 3:00:41 PM

Archived from groups: microsoft.public.security,microsoft.public.security.homeusers,microsoft.public.win2000.security,microsoft.public.win2000.windows_update,microsoft.public.windowsupdate

Where? If you are referring to
http://support.microsoft.com/default.aspx/kb/822798 (the only link I can
find in a sampling of your posts in this thread), then you are incorrect
(again). I just reviewed it (again) and that Web page does NOT answer the
question, and is only tangentially related to the problem (via a special
case). Part of the final section would be relevant (though I already know
this is not the most convenient way to do it) *IF* there was some way to
explicitly identify the missing certificates using SFC or some other tool.
Or are you referring to some other link?

However, over the course of the several months in which I've been pursuing
this problem, I almost surely read, studied, and performed the distantly
related steps from that linked page, along with MANY others. As I already
reported, the only partial success I achieved was from non-Microsoft
sources. It makes me wonder if perhaps the real reason Microsoft has so far
avoided answering the question is because they no longer support Windows
2000 to that degree. Imaginary (but sadly plausible) Microsoftian dialog:
"Oh! So you would like to know if you have valid operating system files?
Shucks and darn it, but due to various obscure and secret technical
considerations, it turns out Windows 2000 doesn't support that feature after
SP2. Soooo sorry, but you'll just have to upgrade to Windows XP."

I also checked a few more machines with SFC, and so far my hypothesis that
all W2K machines have the problem seems to be holding up (and I have not yet
found the problem on any WXP machine). That means it would be fundamentally
impossible to know whether or not a W2K machine has valid system files,
unless you use the CD to restore the original system files. Of course that
cure would be worse than the disease, since you would almost surely be
*undoing* various security patches. Note that if all W2K machines are
missing certain security certificates, then the frequently appearing
suggestion (in many of Microsoft's "support" Web pages) of copying them (via
export) from another W2K machine is not going to work, either.

By the way, I removed the general WindowsUpdate from the follow-ups since I
think the intersection is too small there. At this point I do not believe it
is really a general WindowsUpdate problem, though it quite probably results
from the normal use of the W2K WindowsUpdate.

[One minor comment: Mr. Dilley's post contained far more problems than two
words with typos. However, it is only a trivial courtesy to use a spelling
checker. My comment was about the rudeness, not the bad spelling per se, but
Mr. Dilley's rudeness was rather amusing (or even hypocritical) in a post
that apparently accused someone else of rudeness. (Hard to be sure what his
intended points were, since they were so badly expressed.)]

Karl Levinson, mvp wrote:
> "Shannon Jacobs" <shanen@my-deja.com> wrote in message
> news:eIyF5S%23CFHA.2756@TK2MSFTNGP12.phx.gbl...
>
>> from there. Many years ago the newsgroups had a positive SNR, but
>> nowadays zero-signal-and-downhill is the safe prediction.
>>
>> Just in case some technically competent person would be so kind as to
>> provide a useful answer, the technical question is:
>>
>> How can missing security certificates be identified (and "safely"
>> replaced)?
>
> As I said, the first link I posted, which you complained about, tells
> you EXACTLY how to do that. If the instructions in that link didn't
> work for you, please tell us what the results are, e.g. you tried
> everything on that list, and X happened or didn't happen. If you had
> tried everything on that list, you would now be able to tell us that
> your computer has all the relevant certificates, and we would then
> know that the problem has nothing to do with restoring deleted
> certificates as you still seem to believe. We could also rule out a
> number of other dependencies on file checking besides certificates,
> and move towards the real cause and solution.
>
> I thought you said in a previous post that you had fixed the problem,
> and pointed to a page that suggested you might have re-installed some
> MS patch or another.
>
>> experiences, I do believe I could escalate the issue, pay Microsoft
>> some "support" money, and someone at Microsoft would reveal the
>> answer, perhaps
>
> Phone support for problems caused by MS patches [which you blamed at
> times] is absolutely free. What more could you possibly want? Which
> other vendors do this for you? You might be charged if the problem
> was not due to a MS patch.
>
>> with a clause requiring me not to republish it in public places like
>> the newsgroups. After all, security almost entirely depends on
>> obscurity, as all good Microsoftians "know".
>
> Paranoia and FUD. The MS KB is the same one the paid MS support
> technicians use.
>
> [I trimmed the rest of the huge post below as a courtesy to other
> readers here.]
Anonymous
February 7, 2005 3:00:42 PM

Archived from groups: microsoft.public.security,microsoft.public.security.homeusers,microsoft.public.win2000.security,microsoft.public.win2000.windows_update

"Shannon Jacobs" <shanen@my-deja.com> wrote in message
news:ezTj1EMDFHA.1188@tk2msftngp13.phx.gbl...
> Where? If you are referring to
> http://support.microsoft.com/default.aspx/kb/822798 (the only link I can
> find in a sampling of your posts in this thread), then you are incorrect
> (again). I just reviewed it (again) and that Web page does NOT answer the
> question, and is only tangentially related to the problem (via a special

The article lists the certificates used to verify the crypto signatures on
files from updated Microsoft service packs and patches. So, this article
certainly answers this question at least to those files. I would be very
surprised if files from the original Windows install CD were not signed
either with those same certificates, or using other older certificates with
the same name from the same root authority. It appears to be the closest
answer you're going to find on the Internet [a google search turned up
nothing else as far as I could find] and is absolutely worth a try.

> case). Part of the final section would be relevant (though I already know
> this is not the most convenient way to do it) *IF* there was some way to
> explicitly identify the missing certificates using SFC or some other tool.

The article does identify the missing certificates, or at least the three or
so required certificates. It's just three certificates, so why not open
your GUI and compare what you've got to a working or newly installed /
imaged Windows 2000 computer? How long could that possibly take, a few
minutes? If you confirm that no certificates are missing, the other
sections of that article then become relevant, by telling you the other
possible dependencies. I don't see any reason to delay checking all of the
dependencies in the article, to confirm these are not the problem. For
example, you haven't told us whether the crypto service is starting on your
computers [one of the troubleshooting steps mentioned in the article],
unregistering and re-registering the DLLs in question, etc. I had a similar
problem and ran through most of the steps in an hour or less, much less
time than we've spent arguing about whether or not that article is the
answer to your question. I really can't figure out what your aversion is to
you or someone else on the IT staff there trying out all the steps in the
article.

> It makes me wonder if perhaps the real reason Microsoft has so far
> avoided answering the question is because they no longer support Windows
> 2000 to that degree.

As far as tech support goes, Windows 2000 is every bit as supported as it
was on the first day of its release, unless you're asking for new
functionality to be programmed.

> Imaginary (but sadly plausible) Microsoftian dialog:

Very imaginary.

> found the problem on any WXP machine). That means it would be fundamentally
> impossible to know whether or not a W2K machine has valid system files,
> unless you use the CD to restore the original system files.

Or you use a computer that isn't having the problem, or a freshly installed
computer.

> Of course that
> cure would be worse than the disease, since you would almost surely be
> *undoing* various security patches.

Not in Windows 2000 and newer, it tracks and replaces updated files for you.
I wouldn't be using the install CD here though, it's unnecessary.

> Note that if all W2K machines are
> missing certain security certificates, then the frequently appearing
> suggestion (in many of Microsoft's "support" Web pages) of copying them (via
> export) from another W2K machine is not going to work, either.

That's why you copy them from a known working Windows 2000 computer, or at
least compare them with a known working computer, in the default settings
that haven't been touched by your IT staff. Because you refuse to look at
the certificates and compare them, we really have no idea whether the
problem is really missing certificates or not.

> Mr. Dilley's rudeness was rather amusing (or even hypocritical) in a post
> that apparently accused someone else of rudeness. (Hard to be sure what his
> intended points were, since they were so badly expressed.)]

I understood them. His point is that you are very rude and yet you need and
demand assistance from the people you are insulting. Also, your IT staff
should be the primary ones troubleshooting this, not you.
Anonymous
February 7, 2005 3:31:55 PM

Archived from groups: microsoft.public.security,microsoft.public.security.homeusers,microsoft.public.win2000.security,microsoft.public.win2000.windows_update

"Karl Levinson, mvp" <levinson_k@despammed.com> wrote in message
news:%23ESCuXRDFHA.1292@TK2MSFTNGP10.phx.gbl...
> The article lists the certificates used to verify the crypto signatures on
> files from updated Microsoft service packs and patches. So, this article

Karl,...give it up,...forget it. Look at her earlier post,...we are just a
bunch of Republican Microsoftians that magically delete posts we don't like
off the MS News server that we don't own from 1000's of miles away (and
whatever else she came up with along the way). You're not dealing with a
sane, logical, or reasonable thinking person. She doesn't even live in the
real world. Just forget it.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
Anonymous
February 8, 2005 8:48:34 AM

Archived from groups: microsoft.public.security,microsoft.public.security.homeusers,microsoft.public.win2000.security,microsoft.public.win2000.windows_update

I really am curious why you (Karl Levinson, mvp) persist in blath^H^H^H^H^H
commenting about a technical topic you know so little about. The only
explanation I can come up with is that you get some kind of Microsoft
brownie points for doing it. Your claim of trying to be helpful does not
sound very convincing at this point. Irrespective of your mysterious goal or
motivation, what you actually do is cause my newsreader to show the thread
is active, causing me to hope that someone who actually understands the
situation has shown up. A few years ago, that someone probably would have
been an MVP who actually understood the technology involved, and the
question would have been satisfactorily resolved within two or three
exchanges. At least that was my most common experience in those
days--whereas this exchange is pretty typical of the new situation.

If you actually go and look "in the trenches", you will see that there are
LOTS of security certificates and LOTS of files. Before resorting to the
newsgroups, I had already spent quite a bit of time trying to do it the
"Microsoft way", and found out that I was apparently wasting my time. To
make progress by that path, there would need to be some way to establish a
relationship between a file and the security certificate it requires. I can
definitely say that the specific security certificates listed in that
article (and in several others) are already present and therefore do NOT
solve the problems on at least one machine. Perhaps you'd like to suggest
that I just try to collect all the security certificates in the world and
import all of them? (Actually, I suspect that approach would actually fail
unless they were imported in the proper order.)

I did manage to test a number of additional machines, and so far the only
interesting pattern seems unchanged. Every Windows 2000 box is broken, and
every Windows XP machine is okay. I even managed to stumble across a
researcher with an English W2K machine, and it seemed to be even more badly
afflicted than most of the Japanese machines. One of the Japanese W2K
machines actually took a while to come up with a missing certificate, but
some of the delay was probably due to another process that was running at
the same time. Still, I do have the impression that the problem is not
absolutely uniform, but that some machines are missing more certificates
than others. Some of this might be because Microsoft's security certificate
upgrades have typically not been included on the primary patch list, but in
the second group, and some people may have skipped those. However, I can
certainly say that for the machines I personally control all of those
security certificate upgrades have been installed--to no avail.

Karl Levinson, mvp <levinson_k@despammed.com> wrote:
> "Shannon Jacobs" <shanen@my-deja.com> wrote in message
> news:ezTj1EMDFHA.1188@tk2msftngp13.phx.gbl...
>> Where? If you are referring to
>> http://support.microsoft.com/default.aspx/kb/822798 (the only link
>> I can find in a sampling of your posts in this thread), then you
>> are incorrect (again). I just reviewed it (again) and that Web
>> page does NOT answer the question, and is only tangentially
>> related to the problem (via a special
>
> The article lists the certificates used to verify the crypto
> signatures on files from updated Microsoft service packs and
> patches. So, this article certainly answers this question at least
> to those files. I would be very surprised if files from the
> original Windows install CD were not signed either with those same
> certificates, or using other older certificates with the same name
> from the same root authority. It appears to be the closest answer
> you're going to find on the Internet [a google search turned up
> nothing else as far as I could find] and is absolutely worth a try.
>
>> case). Part of the final section would be relevant (though I
>> already know this is not the most convenient way to do it) *IF*
>> there was some way to explicitly identify the missing certificates
>> using SFC or some other tool.
>
> The article does identify the missing certificates, or at least the
> three or so required certificates. It's just three certificates,
> so why not open your GUI and compare what you've got to a working
> or newly installed / imaged Windows 2000 computer? How long could
> that possibly take, a few minutes? If you confirm that no
> certificates are missing, the other sections of that article then
> become relevant, by telling you the other possible dependencies. I
> don't see any reason to delay checking all of the dependencies in
> the article, to confirm these are not the problem. For example,
> you haven't told us whether the crypto service is starting on your
> computers [one of the troubleshooting steps mentioned in the
> article], unregistering and re-registering the DLLs in question,
> etc. I had a similar problem and ran through most of the steps in
> an hour or less, much less time than we've spent arguing about
> whether or not that article is the answer to your question. I
> really can't figure out what your aversion is to you or someone
> else on the IT staff there trying out all the steps in the article.
>
>> It makes me wonder if perhaps the real reason Microsoft has so far
>> avoided answering the question is because they no longer support
>> Windows 2000 to that degree.
>
> As far as tech support goes, Windows 2000 is every bit as supported
> as it was on the first day of its release, unless you're asking for
> new functionality to be programmed.
>
>> Imaginary (but sadly plausible) Microsoftian dialog:
>
> Very imaginary.
>
>> found the problem on any WXP machine). That means it would be
>> fundamentally impossible to know whether or not a W2K machine has
>> valid system files, unless you use the CD to restore the original
>> system files.
>
> Or you use a computer that isn't having the problem, or a freshly
> installed computer.
>
>> Of course that
>> cure would be worse than the disease, since you would almost
>> surely be *undoing* various security patches.
>
> Not in Windows 2000 and newer, it tracks and replaces updated files
> for you. I wouldn't be using the install CD here though, it's
> unnecessary.
>
>> Note that if all W2K machines are
>> missing certain security certificates, then the frequently
>> appearing suggestion (in many of Microsoft's "support" Web pages)
>> of copying them (via export) from another W2K machine is not going
>> to work, either.
>
> That's why you copy them from a known working Windows 2000
> computer, or at least compare them with a known working computer,
> in the default settings that haven't been touched by your IT staff.
> Because you refuse to look at the certificates and compare them, we
> really have no idea whether the problem is really missing
> certificates or not.
>
>> Mr. Dilley's rudeness was rather amusing (or even hypocritical) in
>> a post that apparently accused someone else of rudeness. (Hard to
>> be sure what his intended points were, since they were so badly
>> expressed.)]
>
> I understood them. His point is that you are very rude and yet you
> need and demand assistance from the people you are insulting.
> Also, your IT staff should be the primary ones troubleshooting
> this, not you.
Anonymous
February 8, 2005 8:48:35 AM

Archived from groups: microsoft.public.security,microsoft.public.security.homeusers,microsoft.public.win2000.security,microsoft.public.win2000.windows_update

Ms. Jacobs,

In my earlier post, I did not offer any technical answer to your
self-created problem. The post only addressed your civility (or lack of).

Your analysis and the steps that you have already taken lead me to offer a
very simple and practical solution.

You have spent countless words and a lot of time wading through this
problem.

If your intention is to solve the problem rather than denigrating both
Microsoft and this newsgroup, have you considered "flattening" the system
and starting over?

Naturally, you'll have in your possession all of the licensed program CDs
and license keys needed and all of your dynamic data has been backed-up.

It is my experience that this can be done in 1-2 hours.

I realize that it is not as satisfying as "solving" the problem; but the
problem, at this point, is a rat's nest of already attempted solutions and
may be "un-solvable".

Good luck

RickD





"Shannon Jacobs" <shanen@my-deja.com> wrote in message
news:eoxOwZVDFHA.1396@tk2msftngp13.phx.gbl...
> I really am curious why you (Karl Levinson, mvp) persist in blath^H^H^H^H^H
> commenting about a technical topic you know so little about. The only
> explanation I can come up with is that you get some kind of Microsoft
> brownie points for doing it. Your claim of trying to be helpful does not
> sound very convincing at this point. Irrespective of your mysterious goal or
> motivation, what you actually do is cause my newsreader to show the thread
> is active, causing me to hope that someone who actually understands the
> situation has shown up. A few years ago, that someone probably would have
> been an MVP who actually understood the technology involved, and the
> question would have been satisfactorily resolved within two or three
> exchanges. At least that was my most common experience in those
> days--whereas this exchange is pretty typical of the new situation.
>
> If you actually go and look "in the trenches", you will see that there are
> LOTS of security certificates and LOTS of files. Before resorting to the
> newsgroups, I had already spent quite a bit of time trying to do it the
> "Microsoft way", and found out that I was apparently wasting my time. To
> make progress by that path, there would need to be some way to establish a
> relationship between a file and the security certificate it requires. I can
> definitely say that the specific security certificates listed in that
> article (and in several others) are already present and therefore do NOT
> solve the problems on at least one machine. Perhaps you'd like to suggest
> that I just try to collect all the security certificates in the world and
> import all of them? (Actually, I suspect that approach would actually fail
> unless they were imported in the proper order.)
>
> I did manage to test a number of additional machines, and so far the only
> interesting pattern seems unchanged. Every Windows 2000 box is broken, and
> every Windows XP machine is okay. I even managed to stumble across a
> researcher with an English W2K machine, and it seemed to be even more badly
> afflicted than most of the Japanese machines. One of the Japanese W2K
> machines actually took a while to come up with a missing certificate, but
> some of the delay was probably due to another process that was running at
> the same time. Still, I do have the impression that the problem is not
> absolutely uniform, but that some machines are missing more certificates
> than others. Some of this might be because Microsoft's security certificate
> upgrades have typically not been included on the primary patch list, but in
> the second group, and some people may have skipped those. However, I can
> certainly say that for the machines I personally control all of those
> security certificate upgrades have been installed--to no avail.
>
> Karl Levinson, mvp <levinson_k@despammed.com> wrote:
> > "Shannon Jacobs" <shanen@my-deja.com> wrote in message
> > news:ezTj1EMDFHA.1188@tk2msftngp13.phx.gbl...
> >> Where? If you are referring to
> >> http://support.microsoft.com/default.aspx/kb/822798 (the only link
> >> I can find in a sampling of your posts in this thread), then you
> >> are incorrect (again). I just reviewed it (again) and that Web
> >> page does NOT answer the question, and is only tangentially
> >> related to the problem (via a special
> >
> > The article lists the certificates used to verify the crypto
> > signatures on files from updated Microsoft service packs and
> > patches. So, this article certainly answers this question at least
> > to those files. I would be very surprised if files from the
> > original Windows install CD were not signed either with those same
> > certificates, or using other older certificates with the same name
> > from the same root authority. It appears to be the closest answer
> > you're going to find on the Internet [a google search turned up
> > nothing else as far as I could find] and is absolutely worth a try.
> >
> >> case). Part of the final section would be relevant (though I
> >> already know this is not the most convenient way to do it) *IF*
> >> there was some way to explicitly identify the missing certificates
> >> using SFC or some other tool.
> >
> > The article does identify the missing certificates, or at least the
> > three or so required certificates. It's just three certificates,
> > so why not open your GUI and compare what you've got to a working
> > or newly installed / imaged Windows 2000 computer? How long could
> > that possibly take, a few minutes? If you confirm that no
> > certificates are missing, the other sections of that article then
> > become relevant, by telling you the other possible dependencies. I
> > don't see any reason to delay checking all of the dependencies in
> > the article, to confirm these are not the problem. For example,
> > you haven't told us whether the crypto service is starting on your
> > computers [one of the troubleshooting steps mentioned in the
> > article], unregistering and re-registering the DLLs in question,
> > etc. I had a similar problem and ran through most of the steps in
> > an hour or less, much less time than we've spent arguing about
> > whether or not that article is the answer to your question. I
> > really can't figure out what your aversion is to you or someone
> > else on the IT staff there trying out all the steps in the article.
> >
> >> It makes me wonder if perhaps the real reason Microsoft has so far
> >> avoided answering the question is because they no longer support
> >> Windows 2000 to that degree.
> >
> > As far as tech support goes, Windows 2000 is every bit as supported
> > as it was on the first day of its release, unless you're asking for
> > new functionality to be programmed.
> >
> >> Imaginary (but sadly plausible) Microsoftian dialog:
> >
> > Very imaginary.
> >
> >> found the problem on any WXP machine). That means it would be
> >> fundamentally impossible to know whether or not a W2K machine has
> >> valid system files, unless you use the CD to restore the original
> >> system files.
> >
> > Or you use a computer that isn't having the problem, or a freshly
> > installed computer.
> >
> >> Of course that
> >> cure would be worse than the disease, since you would almost
> >> surely be *undoing* various security patches.
> >
> > Not in Windows 2000 and newer, it tracks and replaces updated files
> > for you. I wouldn't be using the install CD here though, it's
> > unnecessary.
> >
> >> Note that if all W2K machines are
> >> missing certain security certificates, then the frequently
> >> appearing suggestion (in many of Microsoft's "support" Web pages)
> >> of copying them (via export) from another W2K machine is not going
> >> to work, either.
> >
> > That's why you copy them from a known working Windows 2000
> > computer, or at least compare them with a known working computer,
> > in the default settings that haven't been touched by your IT staff.
> > Because you refuse to look at the certificates and compare them, we
> > really have no idea whether the problem is really missing
> > certificates or not.
> >
> >> Mr. Dilley's rudeness was rather amusing (or even hypocritical) in
> >> a post that apparently accused someone else of rudeness. (Hard to
> >> be sure what his intended points were, since they were so badly
> >> expressed.)]
> >
> > I understood them. His point is that you are very rude and yet you
> > need and demand assistance from the people you are insulting.
> > Also, your IT staff should be the primary ones troubleshooting
> > this, not you.
>
Anonymous
February 8, 2005 8:48:35 AM

Archived from groups: microsoft.public.security,microsoft.public.win2000.security,microsoft.public.win2000.windows_update,microsoft.public.security.homeusers

"Shannon Jacobs" wrote:

> newsgroups, I had already spent quite a bit of time trying to do it the
> "Microsoft way", and found out that I was apparently wasting my time.

Naturally there's a chance all the various eight steps in the article may
not fix your problem. It's still necessary to try them [again] and report
back what happened.

I don't believe you really tried those steps, or didn't try them the right
way, or tried step 1 on one computer and step 8 on a different computer, or
you got some error message when trying these steps several months ago that we
need to know about. Just saying "tried it, didn't fix my problem" is NOT
enough information. But then you knew that already, because you are an
experienced tech support person.

> make progress by that path, there would need to be some way to establish a
> relationship between a file and the security certificate it requires.

Not correct. There's no such thing as an association between a cert and a
signed file, the association is in the file itself. The article I posted
does tell you about many of the other dependencies that have nothing to do
with certificates or files.

> I really am curious why you (Karl Levinson, mvp) persist in blath^H^H^H^H^H
> commenting about a technical topic you know so little about.

> import all of them? (Actually, I suspect that approach would actually fail
> unless they were imported in the proper order.)

You are again incorrect about how PKI works. If you're going to baselessly
claim that I know nothing about PKI certificates in Windows, you should avoid
making multiple inaccurate statements yourself in the same post.

> relationship between a file and the security certificate it requires. I can
> definitely say that the specific security certificates listed in that
> article (and in several others) are already present and therefore do NOT
> solve the problems on at least one machine.

You should have said that before. So now we know you looked and made sure
all the certificates are there.

> the same time. Still, I do have the impression that the problem is not
> absolutely uniform, but that some machines are missing more certificates
> than others.

Oops. I thought you said all the certificates were there? Which ones are
missing? How do you expect the machines missing certificates to ever work?
Besides, just two days ago you said the problem was "How can missing security
certificates be identified and replaced?"

I still don't believe you've checked to see what certificates are missing,
and the other 7 steps, etc. Ignore all the certificates there. Only look at
the three or so mentioned in the article. Counting total number of certs or
looking at all the other certs is irrelevant.
Anonymous
February 8, 2005 2:13:11 PM

Archived from groups: microsoft.public.security,microsoft.public.win2000.security,microsoft.public.win2000.windows_update,microsoft.public.security.homeusers

There are a number of technical flaws in your (Karl Levinson, mvp [And why
do you want to disguise your identity now with the cute bracket trick? Have
you suddenly become ashamed of your name?]) response. For a trivial example,
I qualified my statement about the certificate chains fairly carefully
because in the real world there are several public key algorithms, various
implementations, and a variety of possible steps involved in importing
security certificates. Of course, Microsoft can, to a great degree, ignore
the real world and define things more narrowly--but you are the one who is
apparently claiming expertise in the "Microsoft way" of security. However,
if you study Microsoft's "support" pages as carefully as you claim, then you
would notice a number of points that do suggest their security certificates
do use chaining and that there are sequence dependencies, and therefore I
could not word my statement in more absolute terms.

From an actual security expert (found elsewhere), I have actually been
informed that the certificate problems with W2K are fairly well known--and
actually started as long ago as SP1. We are still discussing the situation,
but he thinks the situation is broken beyond repair. However, if we do find
a solution, it would be amusing to circulate it and let it trickle back to
Microsoft.

Now that I've considered the technical aspects, why don't you (Karl
Levinson, mvp) answer the question you must be able to answer. My motivation
for posting is simply that I've discovered a problem and would like to find
a solution. Since you are clearly unable to provide the solution, what is
your motivation in posting? Right now the application of Occam's Razor that
seems to make the most sense is that you are really someone who dislikes
Microsoft and you are trying to make Microsoft look bad. If so,
congratulations on your subtlety.

mvp wrote:
> "Shannon Jacobs" wrote:
>
>> newsgroups, I had already spent quite a bit of time trying to do it
>> the "Microsoft way", and found out that I was apparently wasting my
>> time.
>
> Naturally there's a chance all the various eight steps in the article
> may not fix your problem. It's still necessary to try them [again]
> and report back what happened.
>
> I don't believe you really tried those steps, or didn't try them the
> right way, or tried step 1 on one computer and step 8 on a different
> computer, or you got some error message when trying these steps
> several months ago that we need to know about. Just saying "tried
> it, didn't fix my problem" is NOT enough information. But then you
> knew that already, because you are an experienced tech support person.
>
>> make progress by that path, there would need to be some way to
>> establish a relationship between a file and the security certificate
>> it requires.
>
> Not correct. There's no such thing as an association between a cert
> and a signed file, the association is in the file itself. The
> article I posted does tell you about many of the other dependencies
> that have nothing to do with certificates or files.
>
>> I really am curious why you (Karl Levinson, mvp) persist in
>> blath^H^H^H^H^H commenting about a technical topic you know so
>> little about.
>
>> import all of them? (Actually, I suspect that approach would
>> actually fail unless they were imported in the proper order.)
>
> You are again incorrect about how PKI works. If you're going to
> baselessly claim that I know nothing about PKI certificates in
> Windows, you should avoid making multiple inaccurate statements
> yourself in the same post.
>
>> relationship between a file and the security certificate it
>> requires. I can definitely say that the specific security
>> certificates listed in that article (and in several others) are
>> already present and therefore do NOT solve the problems on at least
>> one machine.
>
> You should have said that before. So now we know you looked and made
> sure all the certificates are there.
>
>> the same time. Still, I do have the impression that the problem is
>> not absolutely uniform, but that some machines are missing more
>> certificates than others.
>
> Oops. I thought you said all the certificates were there? Which
> ones are missing? How do you expect the machines missing
> certificates to ever work? Besides, just two days ago you said the
> problem was "How can missing security certificates be identified and
> replaced?"
>
> I still don't believe you've checked to see what certificates are
> missing, and the other 7 steps, etc. Ignore all the certificates
> there. Only look at the three or so mentioned in the article.
> Counting total number of certs or looking at all the other certs is
> irrelevant.
Anonymous
February 8, 2005 2:13:12 PM

Archived from groups: microsoft.public.security,microsoft.public.win2000.security,microsoft.public.win2000.windows_update,microsoft.public.security.homeusers

"Shannon Jacobs" <shanen@my-deja.com> wrote in message
news:uqSi9OYDFHA.3256@tk2msftngp13.phx.gbl...
> And why do you want to disguise your identity now with the cute bracket
> trick? Have you suddenly become ashamed of your name?])

You're right, you caught me. I added Karl Levinson [x y] to the end of my
name so you wouldn't figure out it was me. How did you ever figure out it
was me?

Thanks for finding my [] brackets cute. I'll explain how the trick works
later, it's complicated. It involves pressing certain keys, and making a
mountain out of a molehill.

> Of course, Microsoft can, to a great degree, ignore
> the real world

I'm not sure you're fully in "the real world."

> From an actual security expert (found elsewhere),

If "elsewhere" is so much better, then I suggest you spend more time there.

> I qualified my statement about the certificate chains fairly carefully
> because in the real world there are several public key algorithms, various
> implementations, and a variety of possible steps involved in importing
> security certificates.

Yes, there are a lot of PKI solutions out there. Why would you bother
bringing them up in trying to fix this problem? They are irrelevant here
and are only confusing you. The differences between, say, PGP and Microsoft
code signing are not proof that Microsoft is writing its own RFCs.

> apparently claiming expertise in the "Microsoft way" of security.
> if you study Microsoft's "support" pages as carefully as you claim,

I said none of these things. I simply tried to point out that you said some
things that are inaccurate, but apparently you don't make mistakes.

> would notice a number of points that do suggest their security certificates
> do use chaining and that there are sequence dependencies, and therefore I
> could not word my statement in more absolute terms.

Chaining is not the same thing as saying you have to install or re-install
certificates in a particular order. If you deleted them out of order, just
go ahead and use Microsoft's instructions to restore them, regardless of
order.

> I have actually been
> informed that the certificate problems with W2K are fairly well known--and
> actually started as long ago as SP1.

You can't provide specifics, because you are spouting nonsense. You also
claim that Win2K certificates are irreparably broken, and yet you seem to be
the only one having these problems. Sounds like user error, or an ID ten T
problem.

> We are still discussing the situation,
> but he thinks the situation is broken beyond repair. However, if we do find
> a solution, it would be amusing to circulate it and let it trickle back to
> Microsoft.

I don't know why you hide behind this pretense of being forced to support
and use Microsoft products. There are no *nix support jobs available in
your country? Either make the switch, or stop posing and whining about it.
It gets rather boring.

> Now that I've considered the technical aspects,

Funny how you've "considered the technical aspects," and yet you haven't
said a single thing to clarify what your problem is. In the past two days
you have said that certs are missing, certs are not missing, you need to
know how to restore certs, you know how to restore the certs and your method
is easier than Microsoft's, and restoring the missing certs would not fix
your problem.

You also have never addressed why exactly you mistakenly think the link I
posted doesn't answer your questions. It quite plainly gives the certs and
files you need to check, and you keep coming back with non-existent
Microsoft conversations in your head and vague discussions about the
existence of other irrelevant non-Microsoft PKI solutions.
Anonymous
February 8, 2005 8:09:01 PM

Archived from groups: microsoft.public.security,microsoft.public.win2000.security,microsoft.public.win2000.windows_update,microsoft.public.windowsupdate (More info?)

Thank you for posting Shannon, had I found the website you posted earlier I
could have saved both 39.95 for diagnostic software that found problems but
didn't fix my issues with the certificates. It also would have saved me four
hours of my time. My problem started when I couldn't check for Windows
updates and progressed to finding and removing a bunch of spy programs. I
agree with your comments on Microsoft's support efforts, I'm still waiting
for a reply from their online help.

I still haven't been able to run the update scan for Windows but the Office
update works now and I am able to "We've made improvements to our website. To
download the new version of the software and begin using Windows Update,
please click Update Now." page for Windows update. Now the problem is that
the new software won't load.

Anyway, thanks again.

"Shannon Jacobs" wrote:

> In http://support.microsoft.com/default.aspx?scid=kb;en-us;293781 there is
> the very interesting comment:
>
> "As you may have noticed in the provided information, some of the
> certificates have expired. However, these certificates are necessary for
> backwards compatibility. Even if there is an expired trusted root
> certificate, anything that was signed with that certificate prior to the
> expiration date needs that trusted root certificate to be validated. As long
> as expired certificates are not revoked, it can be used to validate anything
> that was signed prior to its expiration."
>
> Oh! *NOW* you [Microsoft] tell me. Just too bad the information wasn't
> provided earlier.
>
> Been wrestling with this problem for several weeks, and though I'm not
> certain, I very strongly suspect that what happened is that I deleted a
> required security certificate in the foolish belief that the expiration date
> had some meaning. Quite trivial to do from IE: Tools menu -> Internet
> Options command -> Content tab -> Certificates button -> Trusted Root
> Certificates tab. Not certain because it happened a while ago and the
> resulting problem is minor, though annoying. Some possibility it may have
> been caused by a WindowsUpdate, possibly even one that was pushed onto my
> machine by the corporate IT people.
>
> The problem itself is that the computer complains about a new file version
> that it can't check. It doesn't reveal what file, and it doesn't actually
> say anything about a missing security certificate, but I'm pretty sure
> that's what's going on. The SFC fails to run, which is apparently related.
>
> I'm pretty sure that all of the root certificates have been restored, but
> either there is a missing certificate somewhere else, or it is some kind of
> chain reaction thing.
>
> Anyone else having similar problems? Any suggestions about how to fix it?
> Diagnostic steps to identify the missing certificate or even the affected
> file?
>
>
Anonymous
February 8, 2005 11:51:33 PM

Archived from groups: microsoft.public.security,microsoft.public.win2000.security,microsoft.public.win2000.windows_update,microsoft.public.security.homeusers (More info?)

Why did you (Karl Levinson, mvp) post all this stuff? Isn't that a question
you can actually handle? Since you have nothing interesting to say, why not
say nothing? All you are "accomplishing" is forcing me to scan your stuff in
the vague hope you might slip something useful in there.

The security problem is Microsoft's, but you (Karl Levinson, mvp) have not
been any part of the solution.

Karl Levinson [x y] mvp wrote:
> "Shannon Jacobs" <shanen@my-deja.com> wrote in message
> news:uqSi9OYDFHA.3256@tk2msftngp13.phx.gbl...
>> And why do you want to disguise your identity now with the cute
>> bracket trick? Have you suddenly become ashamed of your name?])
>
> You're right, you caught me. I added Karl Levinson [x y] to the end
> of my name so you wouldn't figure out it was me. How did you ever
> figure out it was me?
>
> Thanks for finding my [] brackets cute. I'll explain how the trick
> works later, it's complicated. It involves pressing certain keys,
> and making a mountain out of a molehill.
>
>> Of course, Microsoft can, to a great degree, ignore
>> the real world
>
> I'm not sure you're fully in "the real world."
>
>> From an actual security expert (found elsewhere),
>
> If "elsewhere" is so much better, then I suggest you spend more time
> there.
>
>> I qualified my statement about the certificate chains fairly
>> carefully because in the real world there are several public key
>> algorithms, various implementations, and a variety of possible steps
>> involved in importing security certificates.
>
> Yes, there are a lot of PKI solutions out there. Why would you bother
> bringing them up in trying to fix this problem? They are irrelevant
> here and are only confusing you. The differences between, say, PGP
> and Microsoft code signing are not proof that Microsoft is writing
> its own RFCs.
>
>> apparently claiming expertise in the "Microsoft way" of security.
>> if you study Microsoft's "support" pages as carefully as you claim,
>
> I said none of these things. I simply tried to point out that you
> said some things that are inaccurate, but apparently you don't make
> mistakes.
>
>> would notice a number of points that do suggest their security
>> certificates do use chaining and that there are sequence
>> dependencies, and therefore I could not word my statement in more
>> absolute terms.
>
> Chaining is not the same thing as saying you have to install or
> re-install certificates in a particular order. If you deleted them
> out of order, just go ahead and use Microsoft's instructions to
> restore them, regardless of order.
>
>> I have actually been
>> informed that the certificate problems with W2K are fairly well
>> known--and actually started as long ago as SP1.
>
> You can't provide specifics, because you are spouting nonsense. You
> also claim that Win2K certificates are irreparably broken, and yet
> you seem to be the only one having these problems. Sounds like user
> error, or an ID ten T problem.
>
>> We are still discussing the situation,
>> but he thinks the situation is broken beyond repair. However, if we
>> do find a solution, it would be amusing to circulate it and let it
>> trickle back to Microsoft.
>
> I don't know why you hide behind this pretense of being forced to
> support and use Microsoft products. There are no *nix support jobs
> available in your country? Either make the switch, or stop posing
> and whining about it. It gets rather boring.
>
>> Now that I've considered the technical aspects,
>
> Funny how you've "considered the technical aspects," and yet you
> haven't said a single thing to clarify what your problem is. In the
> past two days you have said that certs are missing, certs are not
> missing, you need to know how to restore certs, you know how to
> restore the certs and your method is easier than Microsoft's, and
> restoring the missing certs would not fix your problem.
>
> You also have never addressed why exactly you mistakenly think the
> link I posted doesn't answer your questions. It quite plainly gives
> the certs and files you need to check, and you keep coming back with
> non-existent Microsoft conversations in your head and vague
> discussions about the existence of other irrelevant non-Microsoft PKI
> solutions.
Anonymous
February 8, 2005 11:51:34 PM

Archived from groups: microsoft.public.security,microsoft.public.win2000.security,microsoft.public.win2000.windows_update,microsoft.public.security.homeusers (More info?)

"Shannon Jacobs" <shanen@my-deja.com> wrote in message
news:%23h3VFSdDFHA.512@TK2MSFTNGP15.phx.gbl...
> Why did you (Karl Levinson, mvp) post all this stuff? Isn't that a question
> you can actually handle? Since you have nothing interesting to say, why not
> say nothing?

I ask you all the same questions.

By the way, thanks for all the extra brownie points. Keep arguing with me
for a few more posts, and I'll have enough for a trip to Bermuda.

Believe it or not, I truly just want you to follow the steps in the article
I posted, so we can help fix your problem. [Don't forget to perform step 13
from the article, which states "Put $50 into an envelope and mail it to..."]

> The security problem is Microsoft's,

I believe the security problem is yours. No one else besides you is having
this problem. You blamed MS, and us, every step of the way, even when you
thought the problem was that you had taken it upon yourself to delete old
certificates.

> but you (Karl Levinson, mvp) have not been any part of the solution.

The link I gave you is the solution, or part of the solution. You are just
too stubborn and arrogant to bother trying it and reporting back what
happens. I'm telling you that following those procedures and reporting back
what happened when you did them is part of the solution. You asked how to
identify and replace the certs MS uses for signing Windows files; that link
tells you that. You asked how to establish an association between those
certs and the signed files; that link also tells you that.

http://support.microsoft.com/default.aspx/kb/822798

I don't believe you really followed all 8 of those steps in a methodical
order. But even if you did, you aren't able to tell us the necessary
information about what happened after you followed the instructions.
Example, "I followed the instructions and confirmed all certs are there, but
the X service still isn't starting and is giving error message Y, or one of
the DLLs couldn't be re-registered because it was missing." You say some
workstations are missing some certs, but can't tell us which certs are
missing, and haven't bothered to replace the certs despite having the
instructions on how to do that via the link I gave you.

http://support.microsoft.com/default.aspx/kb/822798

We could tell you what to do next when the steps in that article fail, but
we would need to know how those steps failed exactly to guess what to
suggest to you next. Because you don't have this information, you need to
follow that article again to give us this information.

http://support.microsoft.com/default.aspx/kb/822798

Your problem will probably never be solved until you follow the steps in the
article above and tell us, or someone, exactly what happened.
Anonymous
February 8, 2005 11:51:35 PM

Archived from groups: microsoft.public.security,microsoft.public.win2000.security,microsoft.public.win2000.windows_update,microsoft.public.security.homeusers (More info?)

Karl,...geesh!...give it up,...forget it. Look at her earlier post,...we are
just a bunch of Republican Microsoftians that magically delete posts we don't like
off the MS News server that we don't own from 1000's of miles away (and
whatever else she came up with along the way). You're not dealing with a
sane, logical, or reasonable thinking person. She doesn't even live in the
real world. Just forget it.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
Anonymous
February 9, 2005 1:24:00 PM

Archived from groups: microsoft.public.security,microsoft.public.security.homeusers,microsoft.public.win2000.security,microsoft.public.win2000.windows_update (More info?)

The technical question:

How to identify missing security certificates in Windows 2000? I am not
asking about every individual unique case, though there are many of them,
but about the general problem which apparently affects *EVERY* computer
which is still running Windows 2000.

Case 1: I am technically naive. In that case, you (Karl Levinson, mvp), are
failing to answer the question in a meaningful way.

Case 2: I am not technically naive. In that case, you (Karl Levinson, mvp),
are still failing to answer the question, but I would also know whether or
not you're just spewing mumbo jumbo. (But maybe you'd like to start by
trying to explain your bizarre comment about who is or is not allowed to
write RFCs?)

In Case 1, there is no reason for me to waste much time with someone who is
incapable of explaining the answer, whether or not that person understands
the answer. Case 2 is even less motivating. In both cases, there is no
reason for you (Karl Levinson, mvp) to continue repeating yourself. Whatever
the case, I've so far seen no evidence that you do understand either the
technical question or the answer. That only leaves the non-technical
question of why you are keeping this thread alive. It does not really matter
why you (Karl Levinson, mvp) are failing (yet again) to resolve the
technical problem. I'm not trying to confuse the issue, though I consider it
increasingly unlikely any answer will appear here.

I've also made no secret of my personal position. I use Microsoft products
not because they are the best and freely chosen. Many of them are adequate
for certain purposes, but mostly I use them because I am constrained to do
so. That does not change the fact that I am a customer in search of
technical support. Since you (Karl Levinson, mvp) can't provide it, what
pray tell are you doing?

By the way, if you were an employee of Microsoft, I quite probably would
already be complaining about your incompetence to your manager. Perhaps
"protecting" people like you (Karl Levinson, mvp) is the true residual
purpose of the MVP program? I still can't imagine why. Perhaps Microsoft
wants more customer hostility?

Karl Levinson, mvp wrote:
> "Shannon Jacobs" <shanen@my-deja.com> wrote in message
> news:%23h3VFSdDFHA.512@TK2MSFTNGP15.phx.gbl...
>> Why did you (Karl Levinson, mvp) post all this stuff? Isn't that a
>> question you can actually handle? Since you have nothing interesting
>> to say, why not say nothing?
>
> I ask you all the same questions.
>
> By the way, thanks for all the extra brownie points. Keep arguing
> with me for a few more posts, and I'll have enough for a trip to
> Bermuda.
>
> Believe it or not, I truly just want you to follow the steps in the
> article I posted, so we can help fix your problem. [Don't forget to
> perform step 13 from the article, which states "Put $50 into an
> envelope and mail it to..."]
>
>> The security problem is Microsoft's,
>
> I believe the security problem is yours. No one else besides you is
> having this problem. You blamed MS, and us, every step of the way,
> even when you thought the problem was that you had taken it upon
> yourself to delete old certificates.
>
>> but you (Karl Levinson, mvp) have not been any part of the solution.
>
> The link I gave you is the solution, or part of the solution. You
> are just too stubborn and arrogant to bother trying it and reporting
> back what happens. I'm telling you that following those procedures
> and reporting back what happened when you did them is part of the
> solution. You asked how to identify and replace the certs MS uses
> for signing Windows files; that link tells you that. You asked how
> to establish an association between those certs and the signed files;
> that link also tells you that.
>
> http://support.microsoft.com/default.aspx/kb/822798
>
> I don't believe you really followed all 8 of those steps in a
> methodical order. But even if you did, you aren't able to tell us
> the necessary information about what happened after you followed the
> instructions. Example, "I followed the instructions and confirmed all
> certs are there, but the X service still isn't starting and is giving
> error message Y, or one of the DLLs couldn't be re-registered because
> it was missing." You say some workstations are missing some certs,
> but can't tell us which certs are missing, and haven't bothered to
> replace the certs despite having the instructions on how to do that
> via the link I gave you.
>
> http://support.microsoft.com/default.aspx/kb/822798
>
> We could tell you what to do next when the steps in that article
> fail, but we would need to know how those steps failed exactly to
> guess what to suggest to you next. Because you don't have this
> information, you need to follow that article again to give us this
> information.
>
> http://support.microsoft.com/default.aspx/kb/822798
>
> Your problem will probably never be solved until you follow the steps
> in the article above and tell us, or someone, exactly what happened.
Anonymous
February 9, 2005 1:24:01 PM

Archived from groups: microsoft.public.security,microsoft.public.security.homeusers,microsoft.public.win2000.security,microsoft.public.win2000.windows_update (More info?)

In <eqqvJYkDFHA.3504@TK2MSFTNGP12.phx.gbl>, Shannon Jacobs wrote:

>How to identify missing security certificates in Windows 2000? I am not
>asking about every individual unique case, though there are many of them,
>but about the general problem which apparently affects *EVERY* computer
>which is still running Windows 2000.

I haven't been following this thread, but it seems to me you would
need to identify every "executable" on your system and match them to
the certificates.

This may (or may not) be helpful to you.

http://www.microsoft.com/windows2000/techinfo/planning/...

As far as an automated way of doing this goes I am not aware of one.
Anonymous
February 9, 2005 3:58:58 PM

Archived from groups: microsoft.public.security,microsoft.public.security.homeusers,microsoft.public.win2000.security,microsoft.public.win2000.windows_update (More info?)

Yes, that page was moderately helpful in providing some of the background
information, but at this point it is very old news. However, I thank you
(Greg Smith) for your attempt to help, and I will attempt to clarify in
light of your response.

I agree that the perfect solution would probably call for verifying every
executable file, but I think that is probably impossible, since many are not
signed, especially the older ones. In that sense, the general security
problem is unsolvable. However, my concern is slightly more limited than
that. I'm interested in the system files that Microsoft acknowledges
responsibility for, all of which are supposedly known and signed. The System
File Checker is supposed to perform this check in an automated fashion, and
it does for Windows XP (at least on every XP machine I've tested recently).
Unfortunately it fails on every tested Windows 2000 machine, but it does not
provide any detailed information about the failures.

You (in general, not limited to Mr. Smith) can test this by typing "sfc
/scannow" at a CMD prompt. When you get the first error message (with many
more to follow), I strongly recommend that you do *NOT* give it the CD it
requests, but rather that you cancel out of the test program. The error
messages do not provide any information about the details of the problem,
though in one case I did see a request for a different CD. (Usually it asks
for the Windows 2000 Professional CD.)

I feel like that's about all I can substantively say right now. So far there
has been no useful information revealed here in the Microsoft newsgroups,
though a security expert on our intranet says it is an old problem with W2K.
He actually thinks it goes all the way back to SP1. However, I still regard
that as provisional information since our company is (obviously) not part of
the Microsoft food chain.

Greg Smith wrote:
> In <eqqvJYkDFHA.3504@TK2MSFTNGP12.phx.gbl>, Shannon Jacobs wrote:
>
>> How to identify missing security certificates in Windows 2000? I am
>> not asking about every individual unique case, though there are many
>> of them, but about the general problem which apparently affects
>> *EVERY* computer which is still running Windows 2000.
>
> I haven't been following this thread, but it seems to me you would
> need to identify every "executable" on your system and match them to
> the certificates.
>
> This may (or may not) be helpful to you.
>
> http://www.microsoft.com/windows2000/techinfo/planning/...
>
> As far as an automated way of doing this goes I am not aware of one.
Anonymous
February 9, 2005 3:58:59 PM

Archived from groups: microsoft.public.security,microsoft.public.security.homeusers,microsoft.public.win2000.security,microsoft.public.win2000.windows_update (More info?)

"Shannon Jacobs" <shanen@my-deja.com> wrote in message
news:u0cZuulDFHA.3824@TK2MSFTNGP10.phx.gbl...

> File Checker is supposed to perform this check in an automated fashion, and
> it does for Windows XP (at least on every XP machine I've tested recently).
> Unfortunately it fails on every tested Windows 2000 machine, but it does not
> provide any detailed information about the failures.

I agree with you. W2K SFC could be more informative.

Maybe you knew this already, but SFC logs information on the file names it
is complaining about in the Windows System Event Log. It does not
necessarily tell you the reason.

I believe SFC on any W2K system will find lots of "missing" and "invalid"
files. The fact that it "finds" these things does not mean your computer is
having a problem that needs to be fixed. This SFC issue is not necessarily
related to any other problem your computers may be experiencing. Also, WFP
and SFC are still helpful in checking your files, it just checks lots of
other files as well.

I believe much of this is not because of missing certificates, but because
the catalog SFC uses might contain lots of extra files by design that are
not needed in your installation, or is incorrect, out of date or needs
refreshing. For example, on my system, it found lots of missing files such
as c:\winnt\system32\agt0804.dll that my system does not seem to need to
function properly. The problem can also occur if your system administrators
have intentionally deleted or put restrictive file ACL permissions on
"unsafe" files like TFTP.EXE from your \system32\dllcache\ folder to prevent
WFP from replacing the files and a hacker from using them, or if methods
other than the approved ones below have been used to distribute updated
Windows files:

http://www.microsoft.com/whdc/winlogo/drvsign/wfp.mspx

How SFC / WFP checks files is described somewhat here:

http://www.windowsitpro.com/Articles/Print.cfm?ArticleI...

and here:

http://answers.google.com/answers/threadview?id=8227

"The following files are consulted:

Winnt\System32\CatRoot\SYSMAST.*
Winnt\System32\CatRoot\{F750...295EE}\CATMAST.*
Winnt\System32\CatRoot\{F750...295EE}\HASHMAST.*
Winnt\System32\CatRoot\{F750...295EE}\NT5.CAT "

I believe .CAT files like NT5.CAT contain lists of file hashes, but no file
names. NT5.CAT also mentions "VeriSign Time Stamping Service Root" which
may relate to the "VeriSign Time Stamping CA" cert Windows requires. New
patches install new *.CAT files containing new valid file hashes into the
CatRoot folder, but the article below suggests these are not used by a
manual SFC check:

http://www.winnetmag.com/Article/ArticleID/27471/27471....

If you are asking how do you fix this issue with SFC finding lots of
"missing" files, I think the answer is you don't. It's an annoyance by
design, but by itself isn't proof that your system is broken or needs
fixing. If you're having other problems besides SFC, remind us of the
details and we can look at those.

Other SFC information and known issues are listed here:

http://labmice.techtarget.com/windows2000/FileMgmt/WFP....

> The technical question:
>
> How to identify missing security certificates in Windows 2000?

The certificates that could affect SFC are the six certs mentioned in the MS
article you mentioned in your first post, plus the three certs mentioned in
the article I posted.

You seem to think that because that article did not solve your problem, that
there must therefore be other missing certificates that Microsoft is not
telling you about. I believe this is not the case. So, if you have already
confirmed you have no relevant missing certificates, and you don't need to
check for missing certificates, or ask here how to do so. If you are sure
all the certs in that article are in place and have the right dates, then I
don't think your problem is identifying missing certs.
Anonymous
February 9, 2005 3:59:00 PM

Archived from groups: microsoft.public.security,microsoft.public.security.homeusers,microsoft.public.win2000.security,microsoft.public.win2000.windows_update (More info?)

"Karl Levinson, mvp" <levinson_k@despammed.com> wrote in message
news:%23UylUErDFHA.612@TK2MSFTNGP15.phx.gbl...

> How SFC / WFP checks files is described somewhat here:
>
> http://www.windowsitpro.com/Articles/Print.cfm?ArticleI...

> .CAT files like NT5.CAT contain lists of file hashes, but no file
> names.

Furthermore, note that SFC is simply checking file hashes, not file signing.
Comparing file hashes is done without using certificates.

If you need more evidence that certificate issues are not causing your SFC
issues, run SFC and search for the files it flags in Event Viewer on your
hard drive. [I'm not sure if you can get the log entries you need without
clicking Cancel hundreds of times, but you could try running SFC /quiet and
rebooting to see if that does it.]

If none of the files SFC logs are on your hard drive, then the problem is
definitely not certificates. If some of the files are on your hard drive,
then the results are inconclusive, but I still don't think the problem is
certificates. To make it easier for you to find all those files, you could
use Start, find, files or folders to search for all the file names all in
one search, separated by commas [for example,
filename1.dll,filename2.dll,filename3.exe]. Or you could try using Event
Viewer to right-click and save the log file to a .TXT file... then edit that
text file to be a batch file that uses the find /s command for each file.

I'm not saying you have to do all that work, but it would be one way to
prove to you that certificates are not involved in SFC. [Or you could just
read the above article at windowsitpro.com that says that file hashes are
used.]
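
Added example, not part of the thread and not Microsoft tooling: the check described in the post above (save the SFC entries from Event Viewer to a text file, then see which of the flagged files are actually on disk), sketched in Python. The tab-separated export layout, the message wording and the file name example1.dll are constructed for illustration; agt0804.dll and TFTP.EXE are the names mentioned in the thread.

```python
import ntpath
import os
import re

# Constructed sample of an Event Viewer text export (assumed layout:
# date, time, source, message separated by tabs). The message wording
# is illustrative, not copied from a real Windows 2000 log.
SAMPLE_ROWS = [
    ("2/9/2005", "3:41:10 PM", "Windows File Protection",
     r"The system file c:\winnt\system32\agt0804.dll could not be verified."),
    ("2/9/2005", "3:41:12 PM", "Windows File Protection",
     r"Cache copy c:\winnt\system32\dllcache\tftp.exe is missing."),
    ("2/9/2005", "3:41:15 PM", "Windows File Protection",
     r"The system file C:\WINNT\system32\agt0804.dll could not be verified."),
    ("2/9/2005", "3:41:19 PM", "Windows File Protection",
     r"The system file c:\winnt\system32\example1.dll could not be verified."),
]
SAMPLE_EXPORT = "\n".join("\t".join(row) for row in SAMPLE_ROWS)

# Drive-letter path ending in a 1-4 character extension. Assumption:
# the flagged paths contain no spaces, which holds for the
# \winnt\system32 examples in the thread but not for every path.
PATH_RE = re.compile(r'[A-Za-z]:\\[^\s"<>|*?:]+\.[A-Za-z0-9]{1,4}\b')


def extract_flagged_files(export_text):
    """Return the unique file paths named in the export.

    Windows paths are case-insensitive, so duplicates are folded on the
    lower-cased path and the first spelling seen is kept.
    """
    seen = {}
    for match in PATH_RE.finditer(export_text):
        path = match.group(0)
        seen.setdefault(path.lower(), path)
    return [seen[key] for key in sorted(seen)]


def triage(paths, exists=os.path.exists):
    """Split flagged paths into (present, absent).

    `exists` is injectable so the logic can be exercised off the
    affected machine; on the machine itself the default is enough.
    """
    present = [p for p in paths if exists(p)]
    absent = [p for p in paths if not exists(p)]
    return present, absent


def verdict(present, absent):
    """Apply the reasoning from the post to the triage result."""
    if not present and not absent:
        return "nothing-flagged"
    if not present:
        # Post: none of the logged files are on disk, so SFC is
        # reporting catalog entries with no file behind them.
        return "none-on-disk"
    # Post: some files exist, so the result is inconclusive.
    return "inconclusive"


def find_dialog_query(paths):
    """Build the comma-separated name list for one Find Files search."""
    names = {ntpath.basename(p).lower() for p in paths}
    return ",".join(sorted(names))


if __name__ == "__main__":
    flagged = extract_flagged_files(SAMPLE_EXPORT)
    on_disk, missing = triage(flagged)
    print("flagged :", flagged)
    print("present :", on_disk)
    print("absent  :", missing)
    print("verdict :", verdict(on_disk, missing))
    print("search  :", find_dialog_query(flagged))
```

`triage` checks the exact path from the log, while the Find Files search suggested in the post matches the file name anywhere on the drive, so a copy sitting in another folder shows up only in the latter.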
Anonymous
February 10, 2005 1:10:04 PM

Archived from groups: microsoft.public.security,microsoft.public.security.homeusers,microsoft.public.win2000.security,microsoft.public.win2000.windows_update (More info?)

Why thank you (Karl Levinson, mvp). I think this is your first helpful
contribution and it suggests the next path to pursue. You actually reminded
me of something I had forgotten during the original struggles to re-enable
SFC, during which time it was of course not logging anything. I'll continue
working on the problem as time allows.

However, I'd also like to know the real story of what or who reminded you.

Karl Levinson, mvp wrote:
> "Shannon Jacobs" <shanen@my-deja.com> wrote in message
> news:u0cZuulDFHA.3824@TK2MSFTNGP10.phx.gbl...
>
>> File Checker is supposed to perform this check in an automated
>> fashion, and it does for Windows XP (at least on every XP machine
>> I've tested recently). Unfortunately it fails on every tested
>> Windows 2000 machine, but it does not provide any detailed
>> information about the failures.
>
> I agree with you. W2K SFC could be more informative.
>
> Maybe you knew this already, but SFC logs information on the file
> names it is complaining about in the Windows System Event Log. It
> does not necessarily tell you the reason.
>
> I believe SFC on any W2K system will find lots of "missing" and
> "invalid" files. The fact that it "finds" these things does not mean
> your computer is having a problem that needs to be fixed. This SFC
> issue is not necessarily related to any other problem your computers
> may be experiencing. Also, WFP and SFC are still helpful in checking
> your files, it just checks lots of other files as well.
>
> I believe much of this is not because of missing certificates, but
> because the catalog SFC uses might contain lots of extra files by
> design that are not needed in your installation, or is incorrect, out
> of date or needs refreshing. For example, on my system, it found
> lots of missing files such as c:\winnt\system32\agt0804.dll that my
> system does not seem to need to function properly. The problem can
> also occur if your system administrators have intentionally deleted
> or put restrictive file ACL permissions on "unsafe" files like
> TFTP.EXE from your \system32\dllcache\ folder to prevent WFP from
> replacing the files and a hacker from using them, or if methods other
> than the approved ones below have been used to distribute updated
> Windows files:
>
> http://www.microsoft.com/whdc/winlogo/drvsign/wfp.mspx
>
> How SFC / WFP checks files is described somewhat here:
>
> http://www.windowsitpro.com/Articles/Print.cfm?ArticleI...
>
> and here:
>
> http://answers.google.com/answers/threadview?id=8227
>
> "The following files are consulted:
>
> Winnt\System32\CatRoot\SYSMAST.*
> Winnt\System32\CatRoot\{F750...295EE}\CATMAST.*
> Winnt\System32\CatRoot\{F750...295EE}\HASHMAST.*
> Winnt\System32\CatRoot\{F750...295EE}\NT5.CAT "
>
> I believe .CAT files like NT5.CAT contain lists of file hashes, but
> no file names. NT5.CAT also mentions "VeriSign Time Stamping Service
> Root" which may relate to the "VeriSign Time Stamping CA" cert
> Windows requires. New patches install new *.CAT files containing new
> valid file hashes into the CatRoot folder, but the article below
> suggests these are not used by a manual SFC check:
>
> http://www.winnetmag.com/Article/ArticleID/27471/27471....
>
> If you are asking how do you fix this issue with SFC finding lots of
> "missing" files, I think the answer is you don't. It's an annoyance
> by design, but by itself isn't proof that your system is broken or
> needs fixing. If you're having other problems besides SFC, remind us
> of the details and we can look at those.
>
> Other SFC information and known issues are listed here:
>
> http://labmice.techtarget.com/windows2000/FileMgmt/WFP....
>
>> The technical question:
>>
>> How to identify missing security certificates in Windows 2000?
>
> The certificates that could affect SFC are the six certs mentioned in
> the MS article you mentioned in your first post, plus the three certs
> mentioned in the article I posted.
>
> You seem to think that because that article did not solve your
> problem, that there must therefore be other missing certificates that
> Microsoft is not telling you about. I believe this is not the case.
> So, if you have already confirmed you have no relevant missing
> certificates, and you don't need to check for missing certificates,
> or ask here how to do so. If you are sure all the certs in that
> article are in place and have the right dates, then I don't think
> your problem is identifying missing certs.
Anonymous
February 10, 2005 1:10:05 PM

Archived from groups: microsoft.public.security,microsoft.public.security.homeusers,microsoft.public.win2000.security,microsoft.public.win2000.windows_update (More info?)

"Shannon Jacobs" <shanen@my-deja.com> wrote in message
news:eS6vB1wDFHA.464@TK2MSFTNGP15.phx.gbl...

> However, I'd also like to know the real story of what or who reminded you.

Eric Ice passed me the links. He's good. ;D

The real story is that I read your last description of the problem and then
searched Google.

Your last post caused me to think about this problem as an SFC problem
instead of as a certificate problem. Your post mentioned just the details
of the actual SFC symptoms, and gave details that allowed me to replicate
the problem. Perhaps you gave those details about SFC earlier in the
thread; if you did, it's possible I overlooked those details by
concentrating on the discussion about certificates instead.