Solved

Patch installation via Novell ZENwork to Windows 2000 PCs

Posted on 2003-03-27
Last Modified: 2013-12-04
I have a Novell 5.1 LAN with ZENwork 2 installed. Recently a security patch has to be installed on all Win2k Pro PCs. The usual practice is to create a ZENwork application and apply it to the PCs. However, I encountered problems when trying to replace some "protected" Windows system DLLs -- in this particular case, the file NTDLL.DLL.

I have set up a test PC (same config. as the production one). I log on with the testing account, and checked that the ZENwork application has been distributed, with files pending to be replaced. Here are the registry keys which tell the OS to replace files on next reboot:

Under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" :
"AllowedProtectRenames"=dword:00000001
"PendingFileRenameOperations"=hex(7):5c,00,3f,00 ... 00,00
(when viewed with REGEDT32.EXE, it reveals:
\??\C:\WINNT\System32\NAL9.tmp
!\??\C:\WINNT\System32\NTDLL.DLL)

The file "NAL9.tmp" is located at the right place. After restarting the PC, the replace operation didn't take place: the file "NAL9.tmp" is still there, with "NTDLL.DLL" remaining unchanged. This makes me puzzled!!

Could anyone tell me how to fix this problem? Many thanks!!
Question by:raytung
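
The layout of the "PendingFileRenameOperations" value quoted in the question, as an added example that is not part of the original thread: a hex(7) (REG_MULTI_SZ) value holds UTF-16LE source/destination string pairs, where a leading "!" on the destination means an existing file is overwritten and an empty destination means the source is deleted at reboot. The function names are hypothetical, and the sample is constructed from the two paths shown above plus one made-up delete entry.

```python
import re

NT_PREFIX = "\\??\\"

def strip_nt(path):
    """Drop the NT object-namespace prefix so the path reads as a DOS path."""
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path

def to_reg_hex7(strings):
    """Encode strings the way a .reg export writes REG_MULTI_SZ: UTF-16LE,
    each string NUL-terminated, one extra NUL closing the list."""
    raw = "".join(s + "\0" for s in strings) + "\0"
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw.encode("utf-16-le"))

def parse_pending_renames(reg_value):
    """Decode a hex(7) PendingFileRenameOperations value into operations."""
    body = reg_value.split(":", 1)[1]
    # findall skips commas, whitespace and the "\" line continuations
    data = bytes(int(t, 16) for t in re.findall(r"[0-9a-fA-F]{2}", body))
    text = data.decode("utf-16-le")
    if not text.endswith("\0\0"):
        raise ValueError("value is not double-NUL terminated")
    strings = text[:-1].split("\0")[:-1]   # drop list terminator, keep empties
    if len(strings) % 2:
        raise ValueError("strings do not pair up as source/destination")
    ops = []
    for src, dst in zip(strings[0::2], strings[1::2]):
        replace = dst.startswith("!")      # "!" = overwrite an existing target
        target = dst[1:] if replace else dst
        action = "delete" if not target else "replace" if replace else "rename"
        ops.append({"action": action, "source": strip_nt(src),
                    "target": strip_nt(target) or None})
    return ops

def touching(ops, directory):
    """Operations that overwrite or delete a file inside `directory`."""
    prefix = directory.rstrip("\\").lower() + "\\"
    return [op for op in ops
            if (op["target"] or op["source"]).lower().startswith(prefix)]

# Constructed sample: the pair shown in the question plus one made-up delete.
SAMPLE = to_reg_hex7([
    r"\??\C:\WINNT\System32\NAL9.tmp", r"!\??\C:\WINNT\System32\NTDLL.DLL",
    r"\??\C:\Temp\example.tmp", "",
])

if __name__ == "__main__":
    for op in parse_pending_renames(SAMPLE):
        print(op)
```

Running `touching(ops, r"C:\WINNT\System32")` over the parsed list picks out the queued operations that will change files in the system directory at the next boot, which is the part worth reviewing before a reboot.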
15 Comments
 
LVL 9

Expert Comment

by:MSGeek
ID: 8225230
Problem is those files are in use when you are trying to replace them.  You may be able to use something like http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/inuse-o.asp

But my gut feeling is this will need to be done locally.  You may as well upgrade to Netware 6 and Zen 4 while you're at it.
0
 

Author Comment

by:raytung
ID: 8228920
Tried the tool suggested. No luck, not even when I did it locally with local Administrator.

The tool itself copies the source to a temp. name under C:\Temp and creates a key under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations" instructing to replace the files on next reboot. It didn't succeed, however.

Is it something to do with the file "NTDLL.DLL" itself?
Besides, I have 2000+ PCs hooked up in a Novell LAN and it would be impossible to go to every PC, logon as Administrator and apply the patch!!

BTW, is there a way to allow normal users to run the MS patch (ref. MS03-007) with local Admin. right temporarily?

Thanks!!
0
 
LVL 9

Expert Comment

by:MSGeek
ID: 8230630
Try downloading another copy of this patch, there were some issues with its initial launch.  Some workstations would not even come up on reboot. So download the latest patch and try applying it.  You may be able to use snapshot to deploy this one.
0
 

Author Comment

by:raytung
ID: 8235781
Let me clarify the situation:
1. The patch itself can be installed using local Administrator on a Win2K PC;

2. I then use Novell ZENwork snapshot tools to capture the image of the changes to build a package for deployment;

3. The package itself involves copying files to certain locations and adding registry keys as described originally in my question;

4. After the package was deployed on a Win2K PC, I discovered that the file "NTDLL.DLL" wasn't being replaced at all;

5. I tried the tool "inuse" but it wasn't successful -- even with local Administrator account.


Now here's what puzzles me:

I had done similar things on some other MS patches and they all worked fine. So, is this something to do with the file "NTDLL.DLL" itself? Are there any alternatives to  replace this file besides running the MS patch interactively with local Administrator account (this obviously is not practical when you have over 2000+ PCs to work on) ?

And I cannot understand why running the patch itself is ok, while I deploy the changes via ZENwork is not. The critical files/keys have been put in the right place, but the file just wouldn't be replaced after reboot... I could have put a command to run the MS patch directly when users login, but then the patch itself cannot be run by non-admin. accounts...

HELP!!!
0
 
LVL 9

Expert Comment

by:MSGeek
ID: 8238296
ZenWorks imaging did not capture all the registry changes.  Is this the first time you have had a Snapshot fail?  Download the executable patch and without a Snapshot, push it out with ZenWorks.
0
 

Author Comment

by:raytung
ID: 8242692
Yes, I have worked for quite a lot of snapshots (you can imagine when MS releases patches from time to time) and all are working fine. Occasionally there will be some files that just couldn't be replaced after deployment (the ZENwork imaging tool did not capture all the registry changes as you said), but then when I added that key "AllowedProtectRenames" in the ZENwork application, it worked flawlessly.

I've also tried to distribute the patch itself and run on the PCs, but the user account has not enough authority to run the batch (no administrative rights), is there any way to bypass that to allow them to execute it?

0
 
LVL 9

Expert Comment

by:MSGeek
ID: 8245194
Forgive me as Zen 3.2 was the last version I worked with, it has been some time since I worked on Zen 2.  Do you have an option to run the script as the system or with elevated rights?
0
 

Author Comment

by:raytung
ID: 8250209
No, I don't think it has such an option, it only has edit boxes for Launch scripts (before / after) and Distribution scripts (before / after)
0
 

Author Comment

by:raytung
ID: 8250531
I discovered a trick which finally makes it work!! I added a command in the "Run before distribution script":

#cmd /c ren c:\winnt\system32\ntdll.dll _03007_.tmp

which renames the DLL to some other name before the application is deployed; that way, the OS will use the new version of the DLL when it reboots. However, the downside is that the temp. file remains.

Thank you once again for all your help!!
0
 
LVL 9

Expert Comment

by:MSGeek
ID: 8252837
Glad I could be of some help, hope you get to Zen 4 soon!  You'll wonder what you have been doing.  :)
0
 

Accepted Solution

by:
Chmod earned 0 total points
ID: 8256160
Dear Expert(s),

A request has been made in Community Support to close this question:
http://www.experts-exchange.com/Community_Support/Q_20567057.html

If there are no objections, after 72 hrs, a moderator will finalise this question by:

- Saving this Q as a PAQ and refunding the points

Please leave any recommendations here.

Chmod
Community Support Moderator @Experts Exchange
0
 
LVL 9

Expert Comment

by:MSGeek
ID: 8256434
Chmod...No objections, I am only expert on this could close now?
0
 

Expert Comment

by:Chmod
ID: 8257125
Thanks MSGeek
0
 

Author Comment

by:raytung
ID: 8258065
Thanks MSGeek for all your help and advice. Greatly appreciated!!
0
 
LVL 9

Expert Comment

by:MSGeek
ID: 8258132
That's what it's all about.  That guy helping you in the Novell section really knows his stuff, I have followed lots of his posts.  Listen to him, he'll get you on the right track.
0


Question has a verified solution.
