[THIN] Re: Odd Server Strangeness

Hi Robert,

Sounds interesting :-(

My initial suspicions would be either malware or Microsoft security
hotfixes, especially the 2000 security rollup.

First port of call should be RootkitRevealer
(http://www.sysinternals.com/utilities/rootkitrevealer.html) to see if
you've picked up anything. This tool may detect malware your other
tools haven't seen.

The next course of action I'd suggest is firstly to download Bart's PE
Builder (www.nu2.nu/pebuilder/) and put together a bootable CD using
Windows Server 2003 (or Windows XP if you haven't got a copy of 2003
handy). That'll give you most of the tools you need to check your
system out. Include a virus checker if you can.

The basic strategy here is to check to see if your server has picked
up any interesting worms/trojans that may have been missed.

Then shut down your system and boot the CD. Once it's up you can run
up regedit.exe > navigate to HKLM and load the software, system and
default hives from the sick server's hard disk
(c:\winnt\system32\config). Name the hives old_software, old_system
and old_default when you load them.

Now navigate to HKLM\old_software and check the following keys/values:

HKLM\old_software\microsoft\windows\CurrentVersion\Run
HKLM\old_default\software\microsoft\windows\CurrentVersion\Run
HKLM\old_software\microsoft\windows nt\CurrentVersion\windows\appinit_dlls

AppInit_DLLs should only have a couple of Citrix DLLs listed; anything
else is suspect.

If that's clean, then things are even more difficult. Suspects then
narrow down to a hardware fault, or an operating system problem due to
newly installed hotfixes etc.

The easiest way to check out the former is to install Windows 2000 into
another directory on the hard disk, boot it and then check how things
are running. Tracking down a subtly broken o.s. could be a bit more
challenging, but we can cover that once you've done the other checks.

Making a backup copy of the operating system using regback and
robocopy (with appropriate mods to boot.ini) is dead easy and super
useful in this scenario. If you could just boot into a copy of the
o.s. that was made prior to the last lot of patching and run on that,
then life gets a lot easier. Doesn't help you much right now, but
there's always next time.

--- script for making o.s. copy -------
@echo off
:: mirror.cmd - create a bootable backup copy of the systemroot.
:: Backup systemroot is c:\winback; alter to suit.
:: Needs robocopy and regback (Windows 2000 Resource Kit) on the path.
cd /d c:\

:: clean up old registry files so regback starts from an empty config dir
echo deleting old registry files
if not exist \winback\system32\config goto skip
del /q c:\winback\system32\config\*.*
:skip

:: clean up any dump files so they are not copied across
del /q %systemroot%\*.dmp

:: now copy systemroot
:: /mir mirrors the tree (deleting anything in c:\winback no longer in
:: the source); /r:0 /w:0 = no retries/waits on locked files such as the
:: live hives, which regback saves separately below.
echo Copying systemroot .... please wait
robocopy %systemroot% c:\winback /mir /r:0 /w:0

:: copy registry: regback <output file> <machine|users> <hive name>
:: NOTE: logged on user profiles are NOT copied.
echo copying registry
cd \winback\system32\config
regback Software machine Software
regback System machine System
regback SAM machine SAM
regback Security machine Security
regback Default users .Default

:: done
echo done
echo Make sure that \boot.ini has been correctly modified to allow you
echo to boot into the backup systemroot, e.g. add a line such as
echo   multi(0)disk(0)rdisk(0)partition(1)\winback="Windows 2000 (backup copy)"
echo using the same ARC path as your existing entry.
--------------- end ----------------

regards,

Rick

-- 
Ulrich Mack
Volante Systems
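The offline-hive check Rick describes above (load the sick server's software and default hives, inspect the Run keys and AppInit_DLLs, then unload), scripted so it can be re-run from a BartPE command prompt. This is an added example, not code from the post. It assumes reg.exe as shipped with XP/2003 (the source a BartPE CD is built from), that the sick disk's system32\config directory is passed on the command line, and that the KNOWN list is a placeholder for the Citrix hook DLL names you confirm against a healthy MetaFrame server. It also queries RunOnce, which the post does not mention but which is an autostart point of the same kind.

```batch
@echo off
:: checkhives.cmd - added example; inspect autostart points in offline hives.
:: Usage:  checkhives.cmd <path\to\sick\system32\config>
:: e.g.    checkhives.cmd d:\winnt\system32\config
setlocal
if "%~1"=="" (
    echo usage: %~nx0 ^<path\to\system32\config^>
    exit /b 1
)
set CFG=%~1
if not exist "%CFG%\software" (
    echo ERROR: %CFG%\software not found - is the sick disk mounted?
    exit /b 1
)

:: ASSUMPTION: DLL names expected in AppInit_DLLs on a MetaFrame server.
:: Fill this in from a known-good box; anything not listed is flagged.
set KNOWN=mfaphook.dll

:: Mount the offline hives under HKLM using the names from the post.
reg load HKLM\old_software "%CFG%\software" >nul || goto :loadfail
reg load HKLM\old_default  "%CFG%\default"  >nul || goto :loadfail

echo === Run / RunOnce (machine hive) ===
reg query HKLM\old_software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\old_software\Microsoft\Windows\CurrentVersion\RunOnce
echo === Run (default user hive) ===
reg query HKLM\old_default\Software\Microsoft\Windows\CurrentVersion\Run

echo === AppInit_DLLs (only Citrix DLLs expected) ===
set APPINIT=
:: reg query prints "    AppInit_DLLs    REG_SZ    <value>"; token 2 is the
:: type, everything after it is the value (may hold several DLLs).
for /f "tokens=2,*" %%a in ('reg query "HKLM\old_software\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs ^| find /i "AppInit_DLLs"') do set APPINIT=%%b
if "%APPINIT%"=="" (
    echo   (empty)
) else (
    for %%d in (%APPINIT%) do call :checkdll %%d
)

call :unload
exit /b 0

:checkdll
:: Flag any AppInit DLL that is not in the KNOWN list.
echo %KNOWN% | find /i "%~1" >nul
if errorlevel 1 (echo   %~1  SUSPECT - not in known Citrix list) else (echo   %~1  known)
goto :eof

:loadfail
echo ERROR: could not load hives from %CFG% (already loaded, or hive in use?)
call :unload
exit /b 1

:unload
:: Always unload so the hive files on the sick disk are released.
reg unload HKLM\old_default  >nul 2>&1
reg unload HKLM\old_software >nul 2>&1
goto :eof
```

Run it from the PE prompt before doing anything else to the disk; reg query output that is missing a key altogether prints an error rather than a listing, which for the default-user Run key is normal. The unload step matters: a hive left loaded keeps the file open and the sick server's own registry will not be writable when you boot it again.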


On 8/4/05, Robert K Coffman Jr - Info From Data Corporation
<bcoffman@xxxxxxxxxxxxxxxx> wrote:
> Windows 2000/MF 1.8/Dual Processor Dell 2600/3GB.
>  
> About a week ago, users began complaining that the server was slowing down
> or their session would freeze.  
>  
> On July 28th the server was rebooted, and after it came back up we noticed
> that logging into the console took a long time right after the reboot. 
> Also, TS or ICA connections were not immediately accepted - it took about 15
> minutes after the server rebooted before those connections could be made -
> however drive mappings, etc. were fine.  When users log off, the logoff
> takes an extraordinary amount of time - 2-3 minutes.  No roaming profiles. 
> I am seeing event 1000 logged for that, along with the following text:
>  
> Windows cannot unload your registry class file. If you have a roaming
> profile, your settings are not replicated. Contact your administrator. 
> 
> 
> DETAIL Access is denied. , Build number ((2195)).  
> 
> Apparently MS has a hotfix for this. 
> 
> Additionally, at the same time (July 28) Veritas stopped backing up. 
> Checking that, it seems that it no longer recognized the tape drive,
> although hardware manager shows the tape drive as working.
> 
> Also, I noticed that any attempt to stop a service fails - eventually error
> 1053 - the service did not respond in a timely fashion is returned.  PSKILL
> will stop the process but Services still shows status as "stopping" so I
> can't restart any that I kill this way.
> 
> I tried re-installing SP4, but it hung at "inspecting" until I ran it in
> safe mode - which worked but had no effect on any of the problems.
> 
> Windows update returns an error - some hex, which led me to a KB article
> that referenced some software we don't run.  Sorry I don't have any further
> info on that, server is currently rebooting.
> 
> AV software is Symantec AV Version 8.0 I think.  It says system is clean.
> 
> Adaware removed 3 things (max TAC was 7) and Spybot S&D said system was
> clean.
> 
> I'm about to open a per-incident support call with Microsoft - a step I've
> never taken, but something is seriously wrong with this server and I can't
> seem to get a handle on what.
> 
> Any suggestions appreciated.
> 
> - Bob Coffman