Article by Marc Liron - Microsoft MVP (2004-2010)
Buffer Overrun in Windows Kernel
Message Handling Could Lead to Elevated Privileges
Since I wrote this article Microsoft have released a fix. Please see the end of this article for the update - Thanks.
(Please Note: There is much confusion between patches Q811493 and Q815021. Please go to http://www.updatexp.com/q815021-q811493.html for more clarity and information.)
So What's The Story With Q811493 ?
Since its release on the 16th April 2003, rumours of Windows XP machines "running like molasses uphill on a cold day" have spread around the Internet. And the culprit?
Windows XP Security Patch Q811493!
Windows XP Guru "Steve Bink" has noticed the issue too... He posted a report on a Microsoft Newsgroup and got this reply from Redmond HQ:
Thank you for the info. I'm not sure yet what is conflicting with Q811493. We currently have a group of developers working on the problem. We'll get this resolved as soon as possible. Sorry for the inconvenience.
Thanks, Lucy [MS]
Well, as of writing this article, 22nd April 2003, there is no update from Microsoft on this issue... (NB - Please see the end of this article for updates on this situation.) I also revisited the Windows Update site but could not find Q811493 listed under Critical or Recommended Updates. Perhaps Microsoft pulled it for further investigation...?
So What Are XP Users Experiencing?
Well first of all it is worth mentioning that NOT all those who have upgraded their machine with Q811493 have experienced "slowdown" problems. This includes those with XP SP1 and those without.
For those with problems these are generally the symptoms after installation of the Q811493 patch: (based on postings to the major news groups and forums)
On starting the machine, it takes much longer to boot into Windows XP. Then attempting either to log on or to enter via the welcome screen takes an additional, longer wait. Some users of Windows XP Home edition report a green timer bar appearing when they try to enter their profile via the welcome screen - in many instances this has taken 5 mins on a Pentium 4...
Many of these same users have reported further problems with their machines when they try to run any software. It would appear that NO application, MS or 3rd party, is immune to slow starting and exiting. In fact, exiting an application can take so long that on the "Task Menu" the application will show up under "Processes" but nothing is displayed under "Applications" - this can go on for several mins...
One user gave up trying to play a DVD on a P4 3.0 with 1G RAM - nothing happened for almost 10 mins except the usual hourglass appearing in the middle of the screen...
One interesting observation is that a minority of users have found that disabling their Anti Virus product speeds things up, but that is not the case for most folks hit by the Q811493 problem. It might still be worth trying if you are experiencing problems after installing Q811493.
So What Can Be Done?
Well if you have not yet installed it - DON'T! Just wait until the fix to this patch is released.
If you have already installed it then simply remove it and re-boot Windows XP to resolve the problem and get your speedy machine back.
To do this:
Go to the Control Panel then Select Add or Remove Programs. In here look for an entry:
Windows Hot fix Q811493
Then select the item, so it highlights, and then click the Change/Remove button. This will then launch the uninstall process!
You will need to reboot after the uninstall process.
Not Sure It Is Installed On Your PC?
Apart from a quick check in the Add/Remove panel to see if it is listed, you could always take a peek in the registry. If you have the following registry key, it is installed:
Windows XP:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\Q811493
Windows XP with Service Pack 1 (SP1):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\Q811493
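The registry check above can be scripted for auditing several machines. The following batch file is an added example, not part of the original article or of any Microsoft tool. It tests both registry keys with reg.exe and lists the kernel files that the Knowledge Base précis at the end of this article names; it assumes the kernel files live in %SystemRoot%\system32.

```bat
@echo off
rem Added example: report whether hotfix Q811493 is registered on this machine
rem and list the kernel files the update replaces.
setlocal
set "BASE=HKLM\SOFTWARE\Microsoft\Updates\Windows XP"
set "FOUND=0"

rem The hotfix is registered under one of two keys:
rem   ...\SP1\Q811493  on Windows XP without a service pack
rem   ...\SP2\Q811493  on Windows XP with Service Pack 1
for %%S in (SP1 SP2) do (
    reg query "%BASE%\%%S\Q811493" >nul 2>&1
    if not errorlevel 1 (
        set "FOUND=1"
        if "%%S"=="SP1" echo Q811493 registered under SP1 key: original Windows XP kernel files
        if "%%S"=="SP2" echo Q811493 registered under SP2 key: Windows XP SP1 kernel files
    )
)
if "%FOUND%"=="0" echo Q811493 is not registered on this machine.

rem Kernel images named in the Knowledge Base article. Only some of them
rem exist on any one installation, so missing files are skipped quietly.
for %%F in (ntoskrnl.exe ntkrnlmp.exe ntkrnlpa.exe ntkrpamp.exe) do (
    for %%I in ("%SystemRoot%\system32\%%F") do (
        if exist "%%~fI" echo %%~nxI  modified %%~tI  size %%~zI bytes
    )
)

rem Exit code for use in a logon or audit script: 0 = registered, 1 = not.
if "%FOUND%"=="0" exit /b 1
exit /b 0
```

The script cannot tell the original package from the revised one, because this article gives no file versions; the timestamps are printed only so they can be compared against the Knowledge Base article.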
Whilst the Q811493 patch does offer protection for your system in the face of a known vulnerability, there is no point installing it to have a more secure system and then not be able to use it. Therefore this is one Systems Administrator that will NOT be installing it on his network until Microsoft have fixed the problem.
Q811493 was not deemed a "Critical" patch on its release by Microsoft, as any potential attacker would have to have "local access" to your local machine. So having good controls over who can access your machines will limit any threat this vulnerability may pose to the Windows XP operating system.
Update as of 28th May 2003
Microsoft have issued this update via the "Microsoft Knowledge Base"
This is a précis of the article:
You May Experience Performance Issues After You Install the Q811493 (MS03-013) Package on Your Windows XP SP1-Based Computer
The information in this article applies to:
- Microsoft Windows XP Home Edition SP1
- Microsoft Windows XP Media Center Edition
- Microsoft Windows XP Professional SP1
- Microsoft Windows XP Tablet PC Edition
You may experience slower computer performance after you install the Q811493 (MS03-013) security update package on a computer that is running Windows XP Service Pack 1 (SP1), or after you upgrade to SP1 on a Windows XP-based computer on which the Q811493 security update was previously installed. This problem may be more likely to occur if you use some features of some third-party programs, such as antivirus programs. For example, this problem may occur if your antivirus program is configured to scan all files when you open (or you run) them. This is sometimes called "real-time" scanning.
This problem occurs because of a regression error in the Windows XP SP1 versions of the kernel files (Ntoskrnl.exe, Ntkrnlmp.exe, Ntkrnlpa.exe, and Ntkrpamp.exe) that were included in the original 811493 security update. On May 28, 2003, Microsoft released a revised version of the 811493 security update for Windows XP SP1 to address this problem.
- The Q811493 security update is still effective in addressing the local elevation of privileges security vulnerability on Windows XP-based computers (with or without SP1) that is discussed in the MS03-013 security bulletin.
- The Q811493 security update for Windows XP is a dual-mode hotfix package that contains updated kernel files for both the original version of Windows XP and Windows XP SP1 (which includes Windows Media Center Edition and Windows XP Tablet PC Edition). The regression error in the Q811493 security update affects only the Windows XP SP1 kernel files. For additional information about dual-mode hotfix packages for Windows XP, click the following article number to view the article in the Microsoft Knowledge Base:
328848 Description of Dual-Mode Hotfix Packages for Windows XP
To resolve this problem, install the corrected version of the Q811493 security update.