• Symptom: On Windows Server 2003 (SBS, Standard, etc.), error 0x8004230f (“The shadow copy provider had an unexpected error”) occurs when running NTBackup and/or when the Volume Shadow Copy scheduled task(s) run.

    Cause: This error can occur if certain VSS DLLs are not registered properly, or if something is wrong with the VSS provider.  This issue is often associated with the installation of new hard drives, especially when deploying previously-created hard drive images to them.

    Resolution:

    1. Apply the latest VSS package (KB940349) on the server from Microsoft here, and reboot the server.
    2. Re-register the VSS-related DLLs by running the following commands (a batch file would probably be a good idea here):

      cd /d %windir%\system32
      net stop vss
      net stop swprv
      regsvr32 /s ole32.dll
      regsvr32 /s oleaut32.dll
      regsvr32 /s vss_ps.dll
      vssvc /register
      regsvr32 /i swprv.dll
      regsvr32 /i eventcls.dll
      regsvr32 /s es.dll
      regsvr32 /s stdprov.dll
      regsvr32 /s vssui.dll
      regsvr32 /s msxml.dll
      regsvr32 /s msxml3.dll
      regsvr32 /s msxml4.dll

      NOTE: The command in the final line may fail; this is normal.

    3. Delete the following registry key (after exporting for a backup):

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\STORAGE\Volume]

    4. Reboot the system, and the “VOLUME” key will be recreated, hopefully fixing the issue.


  • Symptom: You schedule a chkdsk before rebooting a Windows machine (can be Windows XP or any flavor of Server 2003, possibly others as well).  It appears to run through the chkdsk successfully, then reboots again and repeats the cycle, running chkdsk on every startup but never getting up to Windows.  Sometimes the Windows splash screen shows, sometimes not.

    Power down and cold boot doesn’t change the behavior.  Attempting to boot into Safe Mode also fails with the same behavior.

    Cause: Unknown, but probably due to a failing chkdsk operation not removing the BootExecute reg value.

    Resolution (some steps borrowed from http://windowsxp.mvps.org/peboot.htm and http://support.microsoft.com/kb/158675):

    1. Create a BartPE boot CD.  You will need the install disk for your exact edition of Windows to do this.
    2. Insert the BartPE CD into the drive, and boot the system from the CD. Once the file loading phase is over, the Bart PE desktop will be visible.
    3. Type Regedit.exe in the prompt, and press Enter. Select the HKEY_LOCAL_MACHINE hive.
    4. From the File menu, choose the Load Hive option. Browse to your Windows installation drive, for example the following location:

      C:\Windows\System32\Config\

    5. Select the file named SYSTEM (the file without any extension), and click Open.
    6. Type a name for the hive that you’ve loaded now. (Example: MyHive)
    7. Now the SYSTEM hive is loaded, and present under the HKEY_LOCAL_MACHINE base hive.
    8. In order to fix the BootExecute value in the loaded hive, navigate to the following location:

      HKEY_LOCAL_MACHINE \ MyHive \ CurrentControlSet \ Control \ Session Manager

    9. Double-click BootExecute and change its value to:

      autocheck autochk *

    10. After entering the correct data, you MUST unload the Hive. To do so, select the MyHive branch, and then in the File menu, choose Unload Hive. It’s important to note that you’ll need to select the MyHive branch first, before unloading it.
    11. Quit BartPE and restart Windows.  The machine should now boot up normally, skipping the chkdsk.
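
    The same repair can be scripted with reg.exe from the PE command prompt. This is an added example, not part of the original post; it assumes reg.exe is present in the PE build, that the installed Windows is on C:, and it reuses the MyHive name from the steps above. When a SYSTEM hive is loaded offline its control sets are listed as ControlSet001, ControlSet002 and so on, and the Select key's Current value says which one Windows boots with, so the script looks that up.

```batch
@echo off
rem Added example: offline BootExecute reset using reg.exe from a PE prompt.
rem Assumptions: reg.exe exists in the PE build, Windows is installed on C:,
rem and MyHive is only a temporary mount name.
setlocal
set HIVE=C:\Windows\System32\Config\SYSTEM
set MOUNT=HKLM\MyHive

if not exist "%HIVE%" (
    echo SYSTEM hive not found at %HIVE% - check the drive letter.
    exit /b 1
)

rem Keep a copy of the hive file before changing anything.
copy /y "%HIVE%" "%HIVE%.bak" >nul || exit /b 1

reg load %MOUNT% "%HIVE%" || exit /b 1

rem Select\Current holds the number of the control set Windows boots with.
set CUR=
for /f "tokens=3" %%a in ('reg query "%MOUNT%\Select" /v Current ^| find "Current"') do set CUR=%%a
if not defined CUR (
    echo Could not read the Current value under Select.
    reg unload %MOUNT%
    exit /b 1
)

rem Convert 0x1 to 001 and build the key path for that control set.
set /a NUM=%CUR%
set NUM=00%NUM%
set KEY=%MOUNT%\ControlSet%NUM:~-3%\Control\Session Manager

rem Show the existing value first. BootExecute entries run before the Windows
rem subsystem starts, so anything besides the autocheck line is worth noting.
echo Existing BootExecute under %KEY%:
reg query "%KEY%" /v BootExecute

reg add "%KEY%" /v BootExecute /t REG_MULTI_SZ /d "autocheck autochk *" /f
set RC=%ERRORLEVEL%

rem Always unload the hive, as the manual steps require.
reg unload %MOUNT%
exit /b %RC%
```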


  • From article on eWeek.com here:

    Microsoft is investigating reports that users are experiencing the infamous “Blue Screen of Death” after installing one of Microsoft’s Patch Tuesday security updates.

    According to Microsoft, the problem appears to be related to MS10-015, but the company has not determined if the problem is specific to MS10-015 or if it is an interoperability problem with another component or third-party software. The bulletin addresses two Windows Kernel privilege escalation bugs, and was among 13 issued Feb. 9 to plug a total of 26 security holes.

    IMO, the forum post they link with the “fix” procedure is overkill.  It makes you uninstall all of that week’s updates when the only problematic one is KB977165.

    The procedure really should be:

    1. Boot from your Windows XP CD or DVD and start the recovery console
    2. Once you are in the Repair Screen:
    3. Type this command: CHDIR $NtUninstallKB977165$\spuninst
    4. Type this command: BATCH spuninst.txt
    5. Type this command: systemroot
    6. When complete, type this command: exit

    Your computer should restart and everything should be back to normal.

    Update: It’s now been discovered that the root cause of this issue was actually a rootkit that conflicted with the update in question:

    From the post on ComputerWorld.com here:

    Hackers behind the rootkit responsible for crippling Windows machines after users installed a Microsoft security patch have updated their malware so that it no longer crashes systems, researchers confirmed today.

    The rootkit, known by a variety of names — including TDSS, Tidserv and TDL3 — was blamed by Microsoft last Friday for causing Windows XP PCs to crash after users applied the MS10-015 security update, one of 13 Microsoft issued a week ago.

    So, if you applied the fix I prescribed above and it fixed your BSOD, you’ve still (probably) got a rootkit on your machine, and you just fixed the symptom, NOT THE TRUE ISSUE!

    And if you never got a BSOD from this update (heh, why are you reading this?), you may still be infected, if your rootkit was updated before you installed the Windows Update.  Clear as mud? 😉


  • If you have Windows XP SP3 and you try to install the Microsoft hotfix to install the Link Layer Topology Discovery service, you’ll get an immediate error message saying:

    “Setup has detected that the Service Pack version of this system is newer than the update you are applying.  There is no need to install this update.”

    Unfortunately, this may or may not actually be accurate, as the LLTD update is not always installed on computers with XP SP3.  As far as I can tell, this is a known bug in SP3, and MS has been slow to release a LLTD update specifically for SP3.  In the meantime, here’s how to force the LLTD update to run on SP3:

    First, make sure you can see hidden folders:
    1. From any Explorer window (not IE) click on “Tools” -> “Folder Options” -> “View” tab.

    2. Enable the radio button labeled “Show hidden files and folders” and uncheck the “Hide extensions for known file types”.

    Actual Install:
    1. Download the installer file from here or here.

    2. Rename it to something like LLTD.exe (unless you really want to type out “WindowsXP-KB922120-v5-x86-ENU.exe”) and put it in the root of your c: drive.

    3. Go to Start -> Run, and type in “cmd” (without the quotes) and hit Enter.

    4. When the black command prompt comes up, type in “cd c:\” (minus quotes) and hit Enter.

    5. Now type in “LLTD.exe -x:c:\LLTD” (again, minus quotes).  This will extract all the files into a new folder called c:\LLTD.

    6. Open that folder with an Explorer window, and there will be another folder inside it called “SP2QFE”.  Open that, find the file named “rspndr.sys”, and copy it inside your c:\Windows\system32\drivers directory.

    7. Also in the “SP2QFE” folder, find the “rspndr.exe” and copy it inside your c:\Windows\System32 directory.

    8. Finally, in the IP folder, find the “rspndr.inf” file, and copy it inside your c:\Windows\inf directory.

    9. Now back in the command prompt enter “cd C:\Windows\system32” and then enter “rspndr.exe -i”.  This will actually install the LLTD.

    When it completes, you should get a notice stating that it’s installed. Go to your Network Interface Card and verify that you see Link Layer Topology Discovery.

    Good luck!

    Regards,

    Jon Heese
