If you're running Windows 2000 Terminal Services you may want to read this, especially if you have been vigilant and installed your Security patches, specifically MS04-011 (KB835732), or you have Service Pack 4 installed.

What did I break?
=================

By accidentally triggering this serious WMI bug, I managed to break Internet Explorer (5.5 SP2), Outlook 2003, Windows Scripting Host 5.6 and Add/Remove programs. IE hangs on a white screen, Outlook will occasionally start in Safe mode or just not at all, and the WSH failure caused our VB Script based login scripts to hang. All 4 applications hung simultaneously and the effect is instantaneous and can in some circumstances be quite prolonged, hours or days.

How to Cause the Outage
=======================

From your Windows XP SP1 PC, open MMC and add in the snap-in called Performance Logs and Alerts. Then add in several counters against a W2K Terminal Server. Set the sample data interval to 15 secs. I used the following counters:

  Memory\Available Bytes
  Memory\Page Faults/sec
  Memory\Pages/sec
  Memory\Write Copies/sec
  PhysicalDisk(0 C:)\% Disk Time
  PhysicalDisk(0 C:)\Current Disk Queue Length
  Processor(_Total)\% Processor Time
  Processor(_Total)\Interrupts/sec
  Terminal Services\Active Sessions

Now just doing this could be enough to trigger the WMI bug. You don't even need to activate the logging by pressing the play button. This is because when you add in the counters it queries the counters from the registry on the W2K server.

Note: Before you can even get XP's Performance Logs and Alerts to work against remote servers you need to reconfigure the Performance Logs and Alerts service on your Windows XP PC, so that it runs under an account that has rights to view the performance counters in the registry of your W2K server. An account which has local Admin rights on the server is usually adequate; you can of course set specific ACLs on the appropriate registry key of the server.
Once you have entered in the credentials of an appropriate account, start the Performance Logs and Alerts service. It gives you a couple of messages, the first indicating that that account has been given the logon as service right and the second saying something like the service started then stopped because it was not needed at this time (I'm not quoting this). The reason it gives you this second message is that the service is only started by the Performance Logs and Alerts snap-in. It also helps if you have the Performance Logs and Alerts MMC console closed *before* you change the credentials on the service.

Quick Fix
=========

The quick fix to this WMI bug is to restart the "Remote Registry Service" on the affected W2K server. However, as soon as you load up Performance logging again you can trigger the bug. Be aware that if you set the Performance Logging to operate on a scheduled basis it will continue to run in the background even after you have closed the MMC console.

Permanent Fix
=============

The permanent fix to the WMI bug is Hotfix - 834010. More info on this hot fix can be found at
http://support.microsoft.com/default.aspx?scid=kb;en-us;833974
and
http://support.microsoft.com/default.aspx?scid=kb;en-us;834010

Disclaimer
==========

If you follow my directions and break your production environment I won't take responsibility :-). So I recommend you only try this out on a test environment and if you do break it get hold of the hotfix directly from Microsoft. While I do have the Hotfix and could email it to you, this would short circuit Microsoft and they would continue to think that this is an issue that only affects a very few customers.

While this problem was easily repeatable on our Production and existing Test servers, I had mixed results on subsequent testing with freshly built test servers.
The new Test servers were not based on previous images of existing Citrix servers but were built by hand and had SP3, MS04-011, IE 5.5 SP2, WSH 5.6, eTrust Anti Virus 7 and all of the latest Critical and Security Patches installed. I was able to repeat the problem on one test server but not another. Neither of my freshly built Test servers had any Citrix software installed but I did put both of them into TS Application mode, although I suspect the WMI bug would still be triggered if Terminal Services was not installed.

Now it is possible that there is something unusual about our environment that doesn't exist in many others, or it depends on the exact order that you installed IE 5.5, WSH 5.6 and MS04-011. So if it does affect your environment please voice your concern to Microsoft, and if enough people are affected by this it should encourage them to release this as a Critical Patch.

Regards,
Martin Stephenson.
Capital & Coast District Health
(for 2 more days anyway!)