Systems that have changed the default access control list (ACL) permissions on the %windir%\registration directory may experience various problems after you install the update for Microsoft Security Bulletin MS05-051 for COM+ and MS DTC
On a computer that is running Microsoft Windows XP,
Microsoft Windows 2000, or Windows Server 2003, one or more problems may occur
after you install the critical update that is discussed in Microsoft Security
Bulletin MS05-051. These problems include the following:
• The Windows Installer service may not start.
• The Windows Firewall service may not start.
• The Network Connections folder is empty.
• The Windows Update Web site may incorrectly recommend that you change the Userdata persistence setting in Microsoft Internet Explorer.
• Active Server Pages (ASP) pages that are running on Microsoft Internet Information Services (IIS) return an "HTTP 500 - Internal Server Error" error message.
• The Microsoft COM+ EventSystem service will not start.
• COM+ applications will not start.
• The computers node in the Microsoft Component Services Microsoft Management Console (MMC) tree will not expand.
• Authenticated users cannot log on, and a blank screen appears after the users apply the October Security Updates.
• In a server cluster configuration, the cluster service may not start. The following events are logged in the cluster log file:
ERR [NM] Couldn't establish connection point with Net Connection Manager, status 80070005.
WARN [NM] Couldn't initialize Net Connection Manager advise sink, status 80070005
ERR [NM] Initialization failed -2147024891
• An event that is similar to the following may be logged in the System log:
Event ID: 512
Source: CryptSvc
Description: The Cryptographic Services service failed to initialize the VSS backup "System Writer" object.
Details: System Writer object failed to subscribe to VSS.
System Error: Catastrophic failure
• An access denied error may occur when you try to connect to Windows Management Instrumentation (WMI) by using a script, the WBEMTest.exe utility, or other utilities. At the time of the failure, the %windir%\system32\wbem\logs\wbemprox.log file contains errors that are similar to the following:
ConnectViaDCOM, CoCreateInstanceEx resulted in hr = 0x80070005
• You may receive a COM+ 1.0 catalog error message when you create an empty COM+ application.
This problem can occur if COM applications or COM+ applications cannot access the COM+ catalog files because the permissions on the COM+ catalog directory and files have been changed from the default settings. Before the MS05-051 update, explicit permissions on the COM+ catalog were not required. The COM+ catalog files are .clb files that are located in the %windir%\registration folder. The default permissions on the COM+ catalog directory and files are the permissions that are listed in the steps later in this article.
Because of security changes that were implemented in MS05-051, Read NTFS file system permission on the %windir%\registration folder is now required. The default permissions include Read access for the Everyone group. If this configuration is changed, applications and services may exhibit unexpected behavior. Note that the accounts that need this access include not only interactive users but also the service accounts, such as Network Service, under which COM+ applications and system services run. Organizations that have implemented more restrictive NTFS permissions should consider granting Read permission through group membership to the users, applications, and services that require access to COM functionality. We recommend that you keep the default settings for the folder to avoid application compatibility problems. Administrators who want to implement settings other than the default settings should perform extensive application compatibility testing first.
For more information about the issues that may occur when you modify permissions on system folders, click the following article number to view the article in the Microsoft Knowledge Base:
885409 Security configuration guidance support (http://support.microsoft.com/kb/885409/)
Besides the NTFS permissions, the Bypass traverse checking user right is required. By default, this user right is granted to the Everyone group. As with the NTFS permissions, users, applications, and services should be granted this right through group membership.
For more information about the Bypass traverse checking user right, click the following article number to view the article in the Microsoft Knowledge Base:
823659 Client, service, and program incompatibilities that may occur when you modify security settings and user rights assignments (http://support.microsoft.com/kb/823659/)
To resolve this problem, restore the default
permissions to the COM+ catalog.
For a computer that is running Windows 2000 or Windows Server 2003 and is not running as a domain controller, follow these steps:
1. In the %windir%\registration folder, make sure that the Everyone group has Read permissions.
2. In the %windir%\registration folder, make sure that the SYSTEM account has Full Control permissions.
3. In the %windir%\registration folder, make sure that the Administrators group has Full Control permissions.
4. In the advanced security properties of the .clb files in the %windir%\registration folder, make sure that the Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here option is selected, so that the .clb files inherit the folder permissions from steps 1 through 3.
5. Make sure that the Everyone group has one of the following permissions:
• Traverse permissions ("List Folder Contents") on all parent directories, including %systemdrive%, %windir%, and %windir%\registration
• The Bypass traverse checking user right
To assign the Bypass traverse checking user right to the Everyone group, follow these steps:
1. Click Start, click Run, type gpedit.msc, and then click OK.
2. Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then expand User Rights Assignment.
3. Right-click Bypass traverse checking, and then click Properties.
4. Click Add User or Group.
5. Type Everyone, and then click OK.
Note If you receive a message that the object cannot be found, click Object Types, click to select the Groups check box, and then click OK two times.
Note On a domain member, a domain-level Group Policy object that defines this user right overrides the local setting. In that case, make the change in the applicable domain Group Policy object instead.
For a domain controller that is running Windows 2000, follow these steps:
1. In the %windir%\registration folder, make sure that the Authenticated Users group has Read & Execute permissions.
2. In the %windir%\registration folder, make sure that the Server Operators group has Modify permissions.
3. In the %windir%\registration folder, make sure that the SYSTEM account has Full Control permissions.
4. In the %windir%\registration folder, make sure that the Administrators group has Full Control permissions.
5. In the advanced security properties of the .clb files in the %windir%\registration folder, make sure that the Allow inheritable permissions from parent to propagate to this object option is selected.
For a domain controller that is running Windows Server 2003, follow these steps:
1. In the %windir%\registration folder, make sure that the Everyone group has Read & Execute permissions.
2. In the %windir%\registration folder, make sure that the SYSTEM account has Full Control permissions.
3. In the %windir%\registration folder, make sure that the Administrators group has Full Control permissions.
4. In the advanced security properties of the .clb files in the %windir%\registration folder, make sure that the Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here option is selected.
5. Make sure that the Everyone group has one of the following permissions:
• Traverse permissions ("List Folder Contents") on all parent directories, including %systemdrive%, %windir%, and %windir%\registration
• The Bypass traverse checking user right
To assign the Bypass traverse checking user right to the Everyone group on a domain controller, use the same gpedit.msc steps that are described earlier in this article for computers that are not domain controllers. Before you change the local setting, check whether the right is defined in the Default Domain Controllers Policy or another Group Policy object that applies to the domain controller, because a policy setting overrides what you configure locally.
Note The system may later create additional .clb files in the %windir%\registration folder. To make sure that the new .clb files have the appropriate permissions, grant the Read permission on the whole directory (as an inheritable entry) instead of granting it directly to the .clb files that currently exist.
You can use the Cacls.exe tool to automate these permission changes on the affected computer or to roll out the changes to multiple computers.
For a computer that is running Windows 2000 or Windows
Server 2003 and is not running as a domain controller, use the following
commands:
Note Make sure that there is no space between the y character and the
pipe (|) character. If there is a space between these characters, the commands
will not correctly execute.
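The following batch script is an added example for this article; it is not the Cacls.exe command listing from the original Knowledge Base article and it is not Microsoft code. It shows the current ACL, restores the non-domain-controller defaults (Administrators: Full Control, SYSTEM: Full Control, Everyone: Read, all inheritable) on %windir%\registration with Cacls.exe, and then exports the local user-rights assignments with Secedit.exe to confirm that Everyone (SID S-1-1-0) still holds the Bypass traverse checking right (SeChangeNotifyPrivilege). Assumptions: it is run from an administrative command prompt on an English Windows XP or Windows Server 2003 system (the secedit /export /cfg syntax without /db is assumed to work on Windows 2000 as well), and the computer is not a domain controller; the domain controller defaults listed above use Read & Execute and Modify, which cacls cannot express because it only knows the R, W, C, and F shorthands.

```batch
@echo off
REM Added example (not the KB article's own commands): check and restore the
REM default ACL on the COM+ catalog folder on a non-domain-controller computer,
REM then verify the "Bypass traverse checking" user right for Everyone.
setlocal
set "CATALOG=%windir%\registration"

echo === Current ACL on %CATALOG% ===
cacls "%CATALOG%"

REM Without /E, cacls REPLACES the whole ACL and asks "Are you sure (Y/N)?",
REM so the answer is piped in. There must be no space between y and the pipe,
REM otherwise cacls receives "y " and the prompt is not answered.
REM /T applies the change to the folder and to every existing .clb file in it.
echo y|cacls "%CATALOG%" /T /G Administrators:F

REM /E edits the ACL that now exists instead of replacing it again.
cacls "%CATALOG%" /T /E /G SYSTEM:F
cacls "%CATALOG%" /T /E /G Everyone:R

echo === ACL after the change (expect (OI)(CI) entries on the folder) ===
cacls "%CATALOG%"

REM Export the local user-rights assignments and look for Everyone's SID
REM (S-1-1-0) in the SeChangeNotifyPrivilege line. The /cfg-only export form
REM is the XP / 2003 syntax; Windows 2000 support is an assumption.
set "INF=%TEMP%\userrights.inf"
secedit /export /cfg "%INF%" /areas USER_RIGHTS
findstr /i /c:"SeChangeNotifyPrivilege" "%INF%" | findstr /c:"S-1-1-0" >nul
if errorlevel 1 (
    echo WARNING: Everyone does not hold Bypass traverse checking.
    echo          Assign it with gpedit.msc, or grant Everyone List Folder Contents
    echo          on %SystemDrive%\ and %windir%.
) else (
    echo OK: Everyone holds Bypass traverse checking.
)
del "%INF%" 2>nul
endlocal
```

The first cacls call intentionally leaves only Administrators on the ACL for a moment; because the script runs as an administrator, the following /E edits still succeed. The /T switch writes explicit entries on the .clb files that exist today; files that COM+ creates later are still covered because the folder-level entries are inheritable, which is what the note above asks for. If the check reports that Everyone lacks the right on a domain member, a domain Group Policy object is probably defining it, so correct it there rather than locally.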
When this problem occurs, you may receive one or more of the
following events in the event log:
• The following EventSystem event may be logged in the event log if the Network Service account does not have the correct permissions:
Event Type: Error
Event Source: EventSystem
Event Category: (50)
Event ID: 4609
Date: <Date>
Time: <Time>
User: N/A
Computer: Server
Description: The COM+ Event System detected a bad return code during its internal processing. HRESULT was 80070005 from line xx of d:\qxp_slp\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.
• The following COM+ event may be logged in the event log if the Network Service account does not have the correct permissions:
Event Type: Information
Event Source: COM+
Event Category: (117)
Event ID: 778
Date: <Date>
Time: <Time>
User: N/A
Computer: Server
Description: Application image dump failed.
Server Application ID: <GUID>
Server Application Instance ID: <GUID>
Server Application Name: COM+ Explorer
Error Code = 0x80004005 : Unspecified error
COM+ Services Internals Information: File: d:\qxp_slp\com\com1x\src\shared\util\svcerr.cpp, Line: 1259
Comsvcs.dll file version: ENU 2001.12.4414.308 shp
For more information, see Help and Support Center at http://support.microsoft.com.
• The following COM+ event may be logged in the event log if the Network Service account does not have the correct permissions:
Event Type: Error
Event Source: COM+
Event Category: Unknown
Event ID: 4689
Date: <Date>
Time: <Time>
User: N/A
Computer: Server
Description: The run-time environment has detected an inconsistency in its internal state. This indicates a potential instability in the process that could be caused by the custom components running in the COM+ application, the components they make use of, or other factors. Error in d:\qxp_slp\com\com1x\src\comsvcs\package\cpackage.cpp(1184), hr = 80070005: InitEventCollector failed
For more information, see Help and Support Center at http://support.microsoft.com.
• When you try to browse an ASP page that is running on an IIS server and the Show friendly HTTP error messages option is not selected in Internet Explorer, you may receive the following error message:
Server Application Error.
The server has encountered an error while loading an application during the processing of your request. Please refer to the event log for more detail information. Please contact the server administrator for assistance.
HTTP 500 - Internal server error
Internet Explorer
An event similar to the following may also be logged in the event log:
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10010
Date: <Date>
Time: <Time>
User: NT AUTHORITY\SYSTEM
Computer: Server
Description: The server <GUID> did not register with DCOM within the required timeout.
• When you try to manually start COM+ applications in Component Services, you may receive the following error message:
Catalog Error: An error occurred while processing the last operation. Error code 80080005 - Server execution failed. The event log may contain additional troubleshooting information.
Events similar to the following may also be logged in the event log:
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10010
Date: <Date>
Time: <Time>
User: NT AUTHORITY\SYSTEM
Computer: Server
Description: The server <GUID> did not register with DCOM within the required timeout.

Event Type: Warning
Event Source: W3SVC
Event Category: None
Event ID: 36
Date: <Date>
Time: <Time>
User: N/A
Computer: Server
Description: The server failed to load application '/LM/W3SVC/1/ROOT'. The error was 'Server execution failed '. For additional information specific to this message please visit the Microsoft Online Support site located at: http://search.support.microsoft.com/search/?adv=1.
For more information, see Help and Support Center at http://support.microsoft.com.
• When you try to install an application or when you try to manually start the Windows Installer service, you may receive the following error message:
The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance.
• The Windows Firewall service may not start, and the following error code is returned:
Error Result : 0x80070005 ( -2147024891 )
ID Defined as : E_ACCESSDENIED
Message Text : Access is denied.