
The Treasures of Windows 2000 SP4

Besides amending the EULA to maintain antitrust compliance and adding USB and wireless support, Microsoft rolls up fixes for a slew of performance bugs into its latest service pack.

Windows 2000 Service Pack 4, released in June, is the latest batch of fixes and features that can be applied to Windows 2000 Professional, Windows 2000 Server, Windows 2000 Advanced Server, and Windows 2000 with the Server Appliance Kit operating systems. The 129MB SP4 contains more than 660 bug fixes, the more interesting of which are detailed here. You can either download SP4 from Microsoft's Web site at no charge or order it on a CD.

Although SP4 doesn't include any new features, it includes Microsoft Internet Explorer 5.01 SP4 and Microsoft Outlook Express 5.5 SP2. SP4 primarily includes driver updates and security patches since the last service pack (SP3). The areas of main focus include security, operating system reliability, application compatibility, and Windows 2000 setup. Similar to the previous service packs, SP4 is cumulative—it includes all the previous fixes from Windows 2000 service packs (SP1, SP2, and SP3) and the Windows 2000 Security Rollup Package version 1. Microsoft recommends that you download and install SP4 to benefit from all the latest updates. If you're running any previous version, you can simply install SP4 on top of an existing service pack without removing it.

EULA, USB, and Wireless
As I mentioned, SP4 primarily consists of security updates, patches, and new drivers. Let's first look at two major changes: end-user licensing and support for new devices.

Updated EULA—There's been a lot of controversy about so-called "phone home" features embedded in Microsoft products, particularly because those features raise privacy concerns. Windows XP also includes several of them, such as Windows Media Player, Update Root Certificates, and error reporting features. Due to strong public criticism, Microsoft has updated the Windows 2000 End User License Agreement to address these issues. According to Microsoft, users are now given more specific information regarding features that will "call home" to Microsoft and are made aware that they can turn these features off if they want to. (Both Digital Rights Management and Software Error Reporting by default run in silent mode, but can be turned off; I cover these and other "phone home" features in more detail in this article I've written for another site.)

Support for Wireless and USB 2.0—SP4 also adds support for the 802.1x wireless authentication protocol and for USB 2.0 EHCI host controllers. With wireless and USB devices gaining tremendous popularity, this is great news for most users. For more information on using 802.1x authentication on computers running Windows 2000, see Microsoft Knowledge Base Article 313664, "Using 802.1x Authentication on Computers Running Windows 2000." For information on USB 2.0 support in Windows 2000, read KB 319973.

Deploying SP4 Across a Network

If you're an administrator interested in installing SP4 on multiple computers in a corporate environment, you'll definitely be interested in reading the Windows 2000 SP4 Installation and Deployment Guide from Microsoft. The guide helps you plan deployment of SP4 both as a stand-alone installation and as an integrated installation, where SP4 is integrated with Windows 2000. The step-by-step guide allows you to customize your deployments and covers several scenarios.

Updated Deployment and Support Tools
SP4 includes updated deployment tools, sysprep.exe and setupcl.exe, that allow you to deploy Windows 2000 on multiple computers. However, the Windows 2000 Resource Kit Deployment Tools are not automatically installed when you install Windows 2000 SP4. The tools are available on the Windows 2000 SP4 CD-ROM in the Support\Tools\Deploy.cab file. They are also available from Microsoft's Web site at no charge.

In addition to the deployment tools, the following support tools have been updated but are not installed with SP4:

  • Iadstools.dll
  • Netdiag.exe
  • Netdom.exe
  • Repadmin.exe
  • Replmon.exe

These are available in the Support\Tools\Support.cab file on the SP4 CD-ROM. If you don't have the SP4 CD-ROM, you can download the updated Windows 2000 SP4 Support Tools from Microsoft's Web site.

Updated Drivers in SP4
Windows 2000 includes a file called driver.cab, which contains drivers that can be used with Windows 2000. You'd imagine that SP4's update.exe program would update that file, but it doesn't. Instead, update.exe adds another file called sp4.cab, which contains only the updated versions of drivers from driver.cab. SP4 also installs a drvindex.inf file that points to sp4.cab for the updated drivers and to driver.cab for all other drivers.

A Bug's Eye View
Let's look at some fixes in SP4 that may be of interest to most of us. All of these bugs have been fixed in SP4:

Cannot View Presentation Material When Participating in Data Conference
If you're participating in a data conference, you may not be able to see the presentation material, such as PowerPoint slides or Word documents. To properly view the material you may need to leave the conference and rejoin it. This problem is detailed in KB 328509.

IIS Admin Services Does Not Stay Running and Exchange SMTP Service Repeatedly Stops
On an Exchange 2000 server running on Windows 2000 Server, you may notice that the IIS Admin service stops repeatedly. When you try to start IIS Admin, it stops again. Similarly, the Simple Mail Transfer Protocol (SMTP) and Network News Transport Protocol (NNTP) services also repeatedly stop and restart. The problem occurs if the Exchange server receives a corrupted message that contains an invalid recipient size. This problem is detailed in KB 331509.

No Audio on a Web Camera When You Resume from Hibernation
When you're using a USB Web camera, your computer's power state may not be managed properly when it goes into hibernation. When the system wakes up, it doesn't quite realize that it's time to wake up. As a result, you may be unable to record sound with your microphone. This problem is detailed in KB 318107.

Cannot Play Video CDs on Windows 2000
If you have a video CD that's written with third-party software and the Joliet option is selected, you may not be able to access files on the video CD. Even Windows Media Player will refuse to recognize the format. More details in KB 811281.

Administratively Created DNS Records May Not Be Security-Enhanced
Any static records that an administrator manually creates in an Active Directory-integrated DNS zone configured with the Allow Secure Updates Only setting may give full control access to members of the Authenticated Users group. Because the Authenticated Users group essentially includes every logged-in user, this could be a security risk. This problem is detailed in KB 321610.
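As an added illustration of how to audit for this condition (not code from this article or from Microsoft), the following Python takes a DNS record object's security descriptor in SDDL form and lists the ACEs that give Authenticated Users full control. How the SDDL string is exported from Active Directory is left to your tooling, and the two sample descriptors are constructed for the example.

```python
import re

# SDDL access-right tokens for directory objects and their mask bits.
RIGHTS = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
    "WD": 0x40000, "WO": 0x80000,
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
}
DS_FULL_CONTROL = 0xF01FF                  # all DS-specific plus standard rights
GENERIC_ALL = RIGHTS["GA"]
AUTHENTICATED_USERS = {"AU", "S-1-5-11"}   # SDDL alias and the literal SID

# Constructed sample descriptors (not taken from a real zone).
SAMPLE_BAD = ("O:DAG:DAD:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AU)"
              "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPLCLORC;;;WD)")
SAMPLE_OK = "O:DAG:DAD:(A;;RPLCLORC;;;AU)(A;CIIO;GA;;;AU)(A;;0xf01ff;;;DA)S:(AU;SA;WPWD;;;WD)"

def pairs(token):
    """Split an SDDL flags or rights string into its two-letter tokens."""
    return [token[i:i + 2] for i in range(0, len(token), 2)]

def rights_mask(rights):
    """Turn the rights field (letter pairs or a hex mask) into an integer."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for tok in pairs(rights):
        mask |= RIGHTS[tok]                # KeyError on an unknown token
    return mask

def authenticated_users_full_control(sddl):
    """Return the DACL ACEs that give Authenticated Users full control."""
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)   # DACL only, not the SACL
    findings = []
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(1) if dacl else ""):
        ace_type, flags, rights, obj, _inherit, trustee = ace.split(";")[:6]
        if ace_type not in ("A", "OA") or trustee not in AUTHENTICATED_USERS:
            continue
        if obj or "IO" in pairs(flags):    # property-scoped or inherit-only ACE
            continue
        mask = rights_mask(rights)
        if (mask & GENERIC_ALL) or (mask & DS_FULL_CONTROL) == DS_FULL_CONTROL:
            findings.append(ace)
    return findings

if __name__ == "__main__":
    print(authenticated_users_full_control(SAMPLE_BAD))
```

Note that "AU" means Authenticated Users only in the trustee field; in the ACE-type field of a SACL entry it denotes an audit ACE, which is why the check reads the DACL alone.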

You Cannot Access Protected Data After You Change Your Password
If you change your domain password, you may get an error when you try to access your own encrypted data. This happens because when the domain password is changed, data is not re-encrypted with the new password until you try to access the data. If you are not connected to the domain and you try to access the data for the first time, your attempt fails because you can't contact a domain controller. Obviously, you can't re-encrypt the data with your new password because you're not communicating with the domain controller, so you can't read your data. See KB 322346 for more details.

Your Windows XP-Based Client Cannot Establish a VPN Connection
When you try to establish a VPN connection from your Windows XP computer to your corporate network, you may get this:

Error 721: Remote PPP peer is not responding

This error occurs if you connect to a Windows 2000 server that's configured in a cluster environment and is using the cluster's virtual IP address on TCP port 1723, which is the port used by PPTP to establish a VPN tunnel. More details in KB 810839.

The Serial Number Is Decremented in DNS When You Reboot the Computer
Sometimes DNS doesn't know how to update the Active Directory-integrated zones during the shutdown process. This can cause problems because when you reboot your computer, the serial numbers of the DNS zone may be magically decremented. Install SP4 and be a happy camper. See KB 304653.

You Cannot Collect DHCP Data by Using SNMP
Due to a bug in Windows 2000, when you remove and then reinstall the DHCP Server service, you may not be able to collect DHCP data using SNMP. The problem is that SNMP functionality requires a certain registry key, and reinstalling the DHCP Server service doesn't create the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\DhcpMibAgent. See KB 320677.

CPU Utilization in Services.exe Increases to 100 Percent
CPU utilization in Services.exe may intermittently reach 100 percent on your computer and your computer may stop responding. If your computer is a domain controller or a file server, the users connected to the server may get disconnected. You may even need to reboot your computer to fix the problem. This happens if Esent.dll incorrectly processes the way that files are flushed to disk. See KB 328885.

Cannot Connect to a Network Share over a VPN Connection
Once you make a VPN connection to the server, you may not be able to connect to any shares on the server. You can ping the server successfully by name or IP address, but you can't establish any connections to network shares on the server. The problem has to do with the TCP window size for the VPN client's TCP connection, which is 0 (zero). When you try to use Net View or Net Use commands, you get one of the following errors:

System error 121. The semaphore timeout period has expired
System error 53. The network path was not found.
System error 64. The specified network name is no longer available.

SP4 includes a patch for this problem. See KB 817069.

The Most Interesting Fix
One of the more interesting fixes has to do with USB keyboards that have an incorporated PS/2 mouse port, with the mouse connected to the port on the keyboard. Windows 2000 computers may hang for up to an hour during startup. The GUI mode progress bar indicates 12 percent completion at the time this problem occurs. This problem only occurs about five percent of the time at startup. You can try to unplug and then reconnect the USB keyboard during the delay, but if that doesn't solve your problem, installing SP4 will. See KB 320877.

What Didn't Get Fixed in SP4
Although SP4 includes over 650 patches it leaves dozens of problems unsolved. There are almost 60 known bugs that SP4 doesn't address, including:

I've created this link, which provides a comprehensive list of the fixes that haven't been incorporated into SP4. It includes:

What SP4 Breaks
Not only does SP4 not fix all the bugs, it may also break some things. For instance, if you install Norton Internet Security 2001 or Norton Personal Firewall 2001, Internet Explorer may time out while it tries to load a Web page. In addition, you may experience problems with NetMeeting in which you may not receive notifications of incoming calls for several minutes. See KB 823087 for more details. You can obtain an update from Symantec to resolve these issues.

SP4 also breaks .NET Framework-based applications and Visual Studio .NET over a Terminal Server session. Currently, Microsoft suggests that as a workaround you may want to install .NET Framework 1.1. See KB 823485 for more info.

If you install SP4 on a Windows 2000 Server that's running Exchange 2000 SP3, Key Management Service on Exchange 2000 will not start. As a workaround Microsoft recommends that you run the "eseutil.exe /d" command against the KMS database to defragment it. The details are at KB 818952.

These are some of the known issues with SP4 that Microsoft has published. For additional information, check out the Release Notes for Windows 2000 Service Pack 4 at KB 813432.

Windows 2000 Hotfixes That Conflict With SP4
According to Microsoft (see KB 822384), there are some 33 post-SP4 hotfixes from Microsoft Product Support Services (PSS) that may cause a conflict with Windows 2000 SP4. However, the hotfixes obtained from Microsoft's download center or Windows Update Web site don't seem to be affected and should work just fine.

The Fix is In
Windows 2000 SP4 includes several crucial security updates that address issues such as Internet Key Exchange selecting an incorrect certificate, DNS zones being removed from the registry when the DNS service is started, a potential denial-of-service vulnerability in the Security Account Manager (SAM), and malicious users potentially gaining access to your computer by creating an RPC connection. Microsoft recommends that you apply this service pack to your qualifying systems. At the time of writing, SP4 has just been released, so there isn't enough data to give it a passing or failing grade.

As is always the case with any service pack, a lot of people will experience problems with SP4. Despite the issues raised in some of the newsgroups I read, overall SP4 seems to be relatively stable at this early stage after the release. There will be hotfixes to fix the fixes, and then fixes to fix those fixes, and over the years we'll have lots of service pack disaster stories to share. However, Microsoft has definitely improved its work compared to the NT 4.0 service pack days. But don't tell that to the folks who have experienced problems with the service packs in the past several years.

When I wrote about Windows 2000 Service Pack 3 in a previous MCP Magazine article, I said that SP3 left out some crucial updates. SP4 is no different. In fact, SP4 leaves more than 50 bugs unresolved, which one hopes Microsoft will start addressing in the upcoming weeks and months.

For a complete listing of bug fixes, check out KB 327194, "List of Bugs That Are Fixed in Windows 2000 Service Pack 4." To find out what has not been fixed, click here to view a custom search I created that lists them. In addition, check out the Release Notes for Windows 2000 SP4 at http://support.microsoft.com/?kbid=813432, which lists several known issues with SP4, including some that are related to third-party programs.
