Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Security certificate problems in Windows 2000

0 views
Skip to first unread message

Shannon Jacobs

unread,
Feb 5, 2005, 7:07:31 PM2/5/05
to
Great. Taking you at your (poorly written) word, you are technically
competent and polite, and claim to have read and understood all of this
discussion. Therefore it was obviously an oversight that you forgot to
answer the technical question:

How can missing security certificates be identified (and replaced)?

I forgive you your unfortunate lapse, and look forward to your enlightening
answer. We're heard the talk, now let's see the walk.

By the way, the problem is rather more serious than I initially thought.
Turns out that all of the other Windows 2000 machines I was able to test
also have the problem (of apparently missing security certificates). I gave
up counting after 30 unverified files on the last one. The Windows XP
machines don't reveal the problem when running SFC, so I'm not really sure
what it means, apart from the obvious inability to know if the Windows 2000
is running valid files or has been hacked. That isn't a very large sample,
but perhaps this post may elicit some other reports?

For the moment, I suspect this is a typical Microsoftian
security-by-obscurity-whoops problem. That explains why the visiting
Microsoftian had no technical contribution to the thread. He probably knows
the answer, but he doesn't want to talk about it in public. Or perhaps it's
just yet another example of Microsoft's forced migration/upgrade strategy?
We can even dream that one of this week's numerous security patches will fix
it.

Yet again by the way, I find your (Mr. Dilley's) projection on the "lack of
maturity" issue so funny that I'm reposting this reply in a few other forums
for wider amusement. Given the state of the newsgroups these days, I have
little hope of a technically accurate answer, but at least you're
entertaining. Your advice to the project managers is especially hilarious
and amusingly timed, but I'm not actually interested in playing your pro/ad
hominem games.

[And how about using a spelling checker? I'm not making an issue of it, but
it's yet another matter of politeness to the readers.]

Rick Dilley <rdi...@tesslerweiss.com> wrote:
> Shannon,
>
> I have read this entire thread with great interest.
> Unfortunately I find you lacking in class, maturity, and common
> courtesy...possible technical competence as well.
>
> I did not see any mention of your technical background and level of
> responsibility for your "own" computer, but you did mention that
> your company's IT department MAY have caused or contributed to the
> problem.
>
> In every installation that I have consulted at over the last 23
> years and the preceeding 12 years in corporate IT, there were
> always users that wanted to delve deeply into technical problems
> and assist in the solutions.
>
> Unfortunately those same pseudo-technologists had other corporate
> responsibilities that they ignored to "fiddle" with their
> computer...
>
> SO.... in my , occasionally humble, opinion you probably should
> have had the corporate IT department fix your self-created problem
> and gone about selling life insurance or whatever it is that you do
> to create profit for your company.
>
> Your drum-beat of criticism of the MVP's personally and as a group
> is NOT shared by the MSNG community.
>
> As in all things published here, a reader MUST:
> 1. read
> 2. understand
> 3. formulate a plan
> 4. provide a fall-back option
> 5. finally, implement at you own risk
>
> I believe that my 35 years in this IT merry-go-round qualifies me
> to say that you did not follow any of those 5 steps.
>
> Stand up, be a man , and take your beating...you messed up and
> really do not seem qualified to be doing anything but USING a
> computer....
>
> If you were on any of the networks that I currently support, your
> desktop would be "locked-down" tight specifically because you seem
> to think a lot of your abilities.
>
> To the MS NG community, I humble appologize for Shannon and the
> rest of us mere mortals, I have personally used the MS news groups
> for many and varied issues and am very pleased with the information
> I receive here.
>
> Please continue to receive our stupid posts and be patient with the
> loud-mouth idiots like Shannon.
>
> TIA
>
> RickD
>
>
> "Shannon Jacobs" <sha...@my-deja.com> wrote in message
> news:eBqjHEp$EHA....@TK2MSFTNGP09.phx.gbl...
>> Actually I read so many of Microsoft's articles that I cannot
>> swear for certain whether or not I read that particular one.
>> However, I do remember doing the steps that were recommended
>> there, though they may have been from another similar article. I
>> did find a solution, though not from Microsoft. Here it is:
>>
>> http://www.beginningtoseethelight.org/patches/2kpro.php
>>
>> As already noted, I can only congratulate Microsoft for their
>> success in destroying yet another free support resource (the MVP
>> program of some years ago) and I continue to wish I had the option
>> the abandon Microsoft.
>>
>> Phillip Windell wrote:
>>> "Shannon Jacobs" <sha...@my-deja.com> wrote in message
>>> news:O3y3iGc$EHA....@TK2MSFTNGP12.phx.gbl...
>>>> This is exactly the level of "support" I have come to expect from
>>>> MVPs. Does Microsoft have some sort of incentive program that
>>>> requires you to say something even if you have no idea what you
>>>> are talking about?
>>>
>>> The incentive is that we get to do this for free and get the
>>> benefit of putting up with a thankless public in the process.
>>>
>>>>> Anyways, I would try restoring those certificates and possibly
>>>>> rebooting. See the "Method 8" section of this KB article.
>>>>>
>>>>> http://support.microsoft.com/default.aspx/kb/822798?
>>>>
>>>> Done that. Didn't work. "Possibly rebooting." Damn. Why didn't I
>>>> think of that? Especially with regards to a boot-related problem.
>>>> Shucks, still didn't work.
>>>
>>> Did you actually read the article?

Shannon Jacobs

unread,
Feb 5, 2005, 7:43:01 PM2/5/05
to
Is this [the post included below] a veiled threat to delete more posts? Or
some sort of disguised back-handed sales pitch? Based on previous
experiences, I do believe I could escalate the issue, pay Microsoft some
"support" money, and someone at Microsoft would reveal the answer, perhaps
with a clause requiring me not to republish it in public places like the
newsgroups. After all, security almost entirely depends on obscurity, as all
good Microsoftians "know".

Anyway, in the event that some thin-skinned person was offended by my
attempt at lighten-the-tone humor, I have no problems with apologizing for
it. Apparently only Republicans are allowed to make such jokes, and I also
apologize for being too poorly read to know of a suitable parallel usage
with a male protagonist, which would have obviated the attempted joke.

Now let's return to the technical issues you (Pat Walters [MSFT]) ignored,
for whatever mysterious reasons. I think it best to begin by refreshing the
history a bit.

One of my machines developed an annoying but apparently minor problem at
boottime. As time allowed for such a low-priority item, I investigated.
After several months, I became focused on the hypothesis that the problem
involved missing security certificates. My current belief is that the
problem is more widespread than I initially thought and that many of your
customers would see it if they ran the "sfc /scannow" command, especially on
Windows 2000 computers. My sample is too small, but so far it seems to be
*all* W2K boxes. I'll probably check some more machines over the next few
days.

After reading *lots* of official Microsoft Web pages and searching in
various other places, I finally resorted to the newsgroups. My initial query
resulted in a request for more data, which I provided, but it went downhill
from there. Many years ago the newsgroups had a positive SNR, but nowadays
zero-signal-and-downhill is the safe prediction.

Just in case some technically competent person would be so kind as to
provide a useful answer, the technical question is:

How can missing security certificates be identified (and "safely" replaced)?

I am stressing "safely" because this is actually a new technical issue for
this thread. Perhaps I misunderstand the situation, but I think it would be
possible for someone to replace a system file with a bogus one and produce
the problems I am describing here. However, that same "someone" could
perhaps prepare a security certificate that could be used to assure people
(via SFC) that the bogus file is the truly bogus one (albeit with
non-Microsoft ownership).

[The non-technical question is "Why have the MVPs become so ineffective at
answering anything beyond the most trivial FAQs?", but we're not supposed to
consider that one, even in the absence of useful technical answers.]

Pat Walters [MSFT] <a-pa...@online.microsoft.com> wrote:
> "Shannon Jacobs",
>
> After reading the thread further, let me just reiterate what Karl
> Levinson said at the end of his last posting. We are here to help.
> I do not pretend to understand what good can come from ranting on a
> newsgroup about how much you dislike our company or the amazing and
> technically savvy group of volunteers that devote themselves to
> people with problems using Windows Update --but at name calling,
> here it ends.
> Please refrain from name-calling or ad-hominem attacks in this, and
> any other Microsoft newsgroup. We encourage all people with
> questions or comments about our products to visit our many
> newsgroups and find the community that can best help them. We are
> honored and humbled by the generous time and energy of the many
> volunteers who contribute to these newsgroups, and pleased to have
> the Microsoft Valuable Professional program ( http://www.mvps.org.)
> This is a *privately*-owned newsgroup for the assistance of
> Microsoft customers.
> To our MVPs and volunteers, thank you for your continued hard work
> and efforts. We continually make a better product, and we learn
> how to serve the customer better because of this forum and the
> interaction you have with our customers.
>
> Sincerely,
>
> Pat Walters [MSFT]


>
> "Shannon Jacobs" <sha...@my-deja.com> wrote in message

> news:e9exlqCB...@TK2MSFTNGP15.phx.gbl...
>> The lady doth protesteth too much. Or is it one of Arnold's
>> girly-men? Well, actually the "incident" most reminds me of a
>> certain very prominent judge who wrote a 20-page explanation of
>> why an apparent personal interest in a certain case was not really
>> an interest, so there was no reason to recuse himself. Sorry, but
>> the 20-page explanation goes way *beyond* the appearance of a
>> conflict. That explanation itself was the most concrete evidence
>> of why the judge should have recused himself, incredible hypocrisy
>> notwithstanding. Same with your verbose defenses of your technical
>> abilities in the absence of technical answers. Of course, I'm not
>> surprised you can't put up (something of
>> technical value). I am surprised you aren't smart enough to use
>> the other half of the old saying. Years ago, way back when the MVP
>> program was useful, I would ask similar technical questions, and
>> if there was an answer from an MVP, it was almost certain to be
>> very helpful. Even their questions were helpful in finding the
>> real source of the problems. Other times my questions went
>> unanswered, but sufficient research revealed that they really were
>> that difficult to answer or even define, and the MVPs were correct
>> to wait for more knowledge. These days it seems like an MVP will usually
>> respond quickly--but
>> for any non-trivial question, more often than not, the response is
>> just incorrect. That is why I asked about the current metrics
>> Microsoft is using to assess the MVP program. I really suspect you
>> get MVP brownie points for being the first MVP to answer, and
>> without regard to the utility, correctness, or even relevance of
>> the answer. I am quite sincerely interested in how Microsoft does
>> business, even in the ethically dubious tactics. As regards the
>> MVP program, I think it was probably easy for Microsoft to tip the
>> scales in this way, since most technically competent people are
>> too busy to donate lots of time to Microsoft's greater glory.
>> (Yes, I'm being slightly tongue in cheek, since I'm sure you do it
>> to help the suffering customers--but Microsoft is still willing to
>> make a bit more money by milking your efforts.) Regarding your
>> (Levinson's) list of candidates for MVP
>> incompetence, I'm sorry, but I don't track people for their
>> inability to be helpful. I remember people for their competence,
>> especially technical competence. I used to know the names of a
>> number of MVPs--but I recognize none of the names you mentioned.
>> Just piling the evidence up, aren't you? Now excuse me while I
>> forget your name, too. As I am prone to do, I'll commit the folly of
>> mentioning technical
>> matters in what is eminently not much of a technical thread. Now
>> that I can run SFC again, it issues the same unable-to-verify
>> complaints about a number of files. Still no hint about *which*
>> files are too new or *which* security certificates are still
>> missing. (However, I'm supposed to receive a new computer in a
>> month or two, so I think I'll just ignore it until then. Maybe


>> I'll convert this old one to Linux?) Karl Levinson, mvp wrote:
>>> "Shannon Jacobs" <sha...@my-deja.com> wrote in message

>>> news:OvKU5AbA...@TK2MSFTNGP11.phx.gbl...
>>>
>>>> Several of my earliest attempts along the
>>>> missing-security-certificate path were to try to reinstall some
>>>> of the recent security certificate updates that WindowsUpdate had
>>>> provided. I was not able to do so from the Microsoft site, and
>>>> none of the MVPs even thought to suggest that approach.
>>>
>>> Well, if reinstalling the patches didn't fix the problem, isn't
>>> it a good thing we didn't suggest it?
>>>
>>> Windows Update absolutely lets you see and re-install whatever
>>> patches are on your system, but it has no possible way of knowing
>>> about patches that were pushed down by your IT staff using who
>>> knows what method, nor would we. You would have to contact your
>>> IT staff for that.
>>>
>>> Your only statement in your OP regarding patches was this:
>>>
>>> "Some possibility it may have been caused by a WindowsUpdate,
>>> possibly even one that was pushed onto my machine by the
>>> corporate IT people."
>>>
>>> With that vague level of detail, of course your IT people knew
>>> how to fix the problem and we didn't. Your IT people knew which
>>> patch they had pushed out to cause the problem, and we still
>>> don't. Even now, you still haven't provided enough information about
>>> which patch or file was the problem, but you expect us to
>>> magically know the answer in a minute to a problem you've been
>>> struggling with for months. I can only guess that the patch
>>> you're talking about might be the May 2004 root certificates
>>> update over 7 months ago, but I would be hesitant to waste your
>>> time offering suggestions like reinstalling this or that patch
>>> based on that guess [and since this didn't fix your problem, it's
>>> a good thing I didn't sugest it]. You still haven't shared
>>> enough detail about the fix to help anyone else learn from your
>>> experience.
>>>> Using the link I provided (which actually came from someone in my
>>>> company), I was able to find a file which fixed the damage.
>>>
>>> How do you know your IT people didn't get the answer to this
>>> problem from Microsoft, or from an MVP?
>>>
>>>> I am not certain if that
>>>> file is the same one that exists somewhere on the Microsoft
>>>> site, or if it was a special version. However, I am absolutely
>>>> certain the Microsoft search engines failed to find it, and the
>>>> MVP program participants also failed to find it--or even to
>>>> suggest looking for it.
>>>
>>> Most problems with Microsoft patches are due to pre-existing
>>> problems with the configuration of the PC. If no one else on the
>>> planet has ever had your problem, then why would you expect the
>>> solution to be in the Microsoft knowledge base? Note that your
>>> problems [getting answers from the MS search engine or from the
>>> newsgroups, your computer breaking in the first place] always
>>> seem to be because someone at Microsoft has failed you, never
>>> because of you, say, entering the wrong description or deleting
>>> root certificates.
>>>> The part that is apparently rubbing you the wrong way is my
>>>> general comments about what Microsoft has done to the MVP
>>>> program. If so, you should quit acting in a way that provides
>>>> additional evidence. So far you are only reinforcing my belief
>>>> that Microsoft has pretty much destroyed the MVP program by
>>>> getting rid of the most technically competent people.
>>>
>>> Which of the Microsoft MVPs do you think are not technically
>>> competent? Is it Ed Skoudis? Stuart McClure? Roberta Bragg? Tom and
>>> Debra Littlejohn Shinder? Mark Russinovich? Mark
>>> Minasi? I would like to know why you think the MVP program has
>>> fewer or less competent MVPs. How and why exactly would
>>> Microsoft want to spend money and time on the MVP program, but
>>> intentionally choose the worst candidates? How and why would
>>> they destroy the program by increasing their support for it?
>>>
>>> If Microsoft is solely in it for the money, as you claim, then why
>>> spend a single cent on the MVP program in the first place? You do
>>> realize that Microsoft has given you access to pretty much the
>>> same knowledge database that their paid support technicians use
>>> when you call them, correct? And that Microsoft lists the phone
>>> numbers of other companies that offer cheaper tech support on
>>> their support web site? There are certainly some valid
>>> criticisms that can be levied at Microsoft, but your criticisms
>>> of Microsoft make little sense and border on paranoia.
>>>
>>>> Or perhaps
>>>> they have simply changed the incentive system so the MVPs are
>>>> encouraged to post meaningless answers even when they have no
>>>> idea of what the answer is?
>>>
>>> The link I posted may not have fixed your problem, but it is the
>>> answer to what you asked: "what are the dependencies and
>>> troubleshooting steps for certificate problems related to SFC?"
>>>
>>> I also tried in my post to clear up some of your misconceptions
>>> about how PKI certificates work that were causing you to angrily
>>> think Microsoft was trying to re-write PKI specifications. You
>>> have yet to prove or suggest why the link I posted was
>>> meaningless. What exactly was it in the link that did not apply
>>> to the question you asked? The award MVPs get from Microsoft is
>>> relatively small and hardly
>>> compensates me for all the time I spend here. If you think I post
>>> thousands of posts here every year because of this award or
>>> because it gets me some kind of points, you are very mistaken.
>>>
>>>> Certainly I admit that some of my queries are liable to be
>>>> non-trivial. Whatever the reason, I also believe this negative
>>>> change to the MVP program is a deliberate policy on the part of
>>>> Microsoft to discourage customers from relying on
>>>> no-cash-involved support.
>>>
>>> I see. Microsoft has increased the number of MVPs over the past
>>> two or three years in order to discourage relying on free
>>> support. That makes lots of sense.
>>>
>>>> In truth, the main technical value I get from the newsgroups in
>>>> recent years, and the only reason I will sometimes resort to them
>>>> (and usually only after some weeks of struggle), is that the
>>>> process of describing the problem more precisely and completely
>>>> for a public post is sometimes helpful in understanding the
>>>> solution.
>>>
>>> I see. So, you don't really need anything from us. You solve the
>>> problem entirely on your own, just by typing it down here to us.
>>> Microsoft and the MVPs caused the problem, hide the solution to
>>> the problem from you, solely for monetary greed on the part of
>>> all of us, and you single-handedly solve the problem. Might I
>>> recommend posting your next question to microsoft.public.test? You'll
>>> get the same results.
>>>
>>> I'm not sure how exactly coming back here to insult us and express
>>> your disappointment in our not solving the answer fits in with
>>> this, given that you didn't really expect us to solve the
>>> problem, but then again, I'm just an MVP, so I have trouble tying
>>> my shoes in the morning.
>>>
>>>> Not so in this particular case, however. This
>>>> time it was just a lucky cross-reference that caught my eye. (I
>>>> cannot provide a link to that source since it is internal to the
>>>> corporate intranet, not public.)
>>>
>>> That's convenient. And that prevents you from posting details
>>> about the fix too?
>>>
>>>> Today I do have a new technical problem from another friend, but
>>>> I'm not yet stumped or desperate enough to describe it here.
>>>> Thanks, but no thanks.
>>>
>>> No problem. When you encounter problems too tough for you to
>>> solve, we'll be here to help.
>>>
>>> kind regards,
>>>
>>> Karl Levnson, CISSP

0 new messages