Update KB933729 problems

I recently downloaded the KB933729 update for Windows XP home edition.
After installing this patch for the RPC vulnerability I have had
several services crash (one at a time) due to a file that is part of
the RPC update, rpcrt4.dll. The services crashing have been random.
Uninstalling the update makes everything work as normal but I figure
this patch is important to have installed and would appreciate
feedback for a solution.
I should add that I have reinstalled the patch twice with AV and other
active software disabled.

Below is the dump file debugged with rpcrt4.dll version information,
perhaps somone with more knowledge can understand more of this,
thanks.


******
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(9b8.b8c): Access violation - code c0000005 (first/second chance not
available)
eax=89abcdef ebx=001879a8 ecx=0125fe18 edx=7c90eb94 esi=0017d4a0
edi=00000000
eip=77ef65e1 esp=0125fe30 ebp=0125ff80 iopl=0 nv up ei ng nz
na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00000282
rpcrt4!CStdAsyncStubBuffer2_Release+0x2b:
77ef65e1 8b08 mov ecx,dword ptr [eax] ds:
0023:89abcdef=????????
0:002> !analyze -v
************************************************** *****************************
*
*
* Exception
Analysis *
*
*
************************************************** *****************************

*** ERROR: Symbol file could not be found. Defaulted to export
symbols for SiteAdv.dll -

FAULTING_IP:
rpcrt4!CStdAsyncStubBuffer2_Release+2b
77ef65e1 8b08 mov ecx,dword ptr [eax]

EXCEPTION_RECORD: ffffffff -- (.exr ffffffffffffffff)
ExceptionAddress: 77ef65e1 (rpcrt4!CStdAsyncStubBuffer2_Release
+0x0000002b)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 89abcdef
Attempt to read from address 89abcdef

DEFAULT_BUCKET_ID: BAD_PTR_DEREFERENCE

PROCESS_NAME: SiteAdv.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - Instruktionen p "0x%08lx"
refererade till minnet p "0x%08lx". Det gick inte att utf ra en
minnes tg rd. F ljande fel returnerades: The memory could not be "%s".

READ_ADDRESS: 89abcdef

BUGCHECK_STR: ACCESS_VIOLATION

LAST_CONTROL_TRANSFER: from 77e76c9f to 77ef65e1

STACK_TEXT:
0125ff80 77e76c9f 0125ffa8 77e76ac1 0017d4a0 rpcrt4!
CStdAsyncStubBuffer2_Release+0x2b
0125ff88 77e76ac1 0017d4a0 00000000 00d0e92c rpcrt4!
RecvLotsaCallsWrapper+0xd
0125ffa8 77e76c87 001855c8 0125ffec 7c80b683 rpcrt4!
BaseCachedThreadRoutine+0x79
0125ffb4 7c80b683 00187ac0 00000000 00d0e92c rpcrt4!ThreadStartRoutine
+0x1a
0125ffec 00000000 77e76c6d 00187ac0 00000000 kernel32!BaseThreadStart
+0x37


STACK_COMMAND: ~2s; .ecxr ; kb

FAULTING_THREAD: 00000b8c

PRIMARY_PROBLEM_CLASS: BAD_PTR_DEREFERENCE

FOLLOWUP_IP:
rpcrt4!CStdAsyncStubBuffer2_Release+2b
77ef65e1 8b08 mov ecx,dword ptr [eax]

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: rpcrt4!CStdAsyncStubBuffer2_Release+2b

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: rpcrt4

IMAGE_NAME: rpcrt4.dll

DEBUG_FLR_IMAGE_TIMESTAMP: 46923632

FAILURE_BUCKET_ID: ACCESS_VIOLATION_rpcrt4!
CStdAsyncStubBuffer2_Release+2b

BUCKET_ID: ACCESS_VIOLATION_rpcrt4!CStdAsyncStubBuffer2_Relea se+2b

Followup: MachineOwner
---------

0:002> lmvm rpcrt4
start end module name
77e70000 77f01000 rpcrt4 (pdb symbols) I:\symbols
\rpcrt4.pdb\436F11D9044249B8AB818CAD4D9079E72\rpcr t4.pdb
Loaded symbol image file: rpcrt4.dll
Mapped memory image file: I:\symbols\rpcrt4.dll
\4692363291000\rpcrt4.dll
Image path: I:\WINDOWS\system32\rpcrt4.dll
Image name: rpcrt4.dll
Timestamp: Mon Jul 09 15:20:50 2007 (46923632)
CheckSum: 0009B60A
ImageSize: 00091000
File version: 5.1.2600.3173
Product version: 5.1.2600.3173
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
InternalName: rpcrt4.dll
OriginalFilename: rpcrt4.dll
ProductVersion: 5.1.2600.3173
FileVersion: 5.1.2600.3173 (xpsp_sp2_qfe.070709-0052)
FileDescription: Remote Procedure Call Runtime
LegalCopyright: © Microsoft Corporation. All rights reserved.
******

> PROCESS_NAME: SiteAdv.exe

The issue appears to be a conflict between Site Adviser and the update
to RPC. Recommend that you contact McAfee and MS to report this.
Since this is a Security update:

> Support
> • Customers in the U.S. and Canada can receive technical support from Microsoft Product
> Support Services at 1-866-PCSAFETY. There is no charge for support calls that are
> associated with security updates.
> • International customers can receive support from their local Microsoft subsidiaries.
> There is no charge for support that is associated with security updates. For more
> information about how to contact Microsoft for support issues, visit the International
> Support Web site.

Not sure how to go about contacting McAfee. Let's check the Site Adviser
site. Try here: http://www.siteadvisor.com/feedback.html
Use the drop down window and choose 'General McAfee Product Support'.
Hopefully, you'll receive a response.

MowGreen [MVP 2003-2008]
===============
*-343-* FDNY
Never Forgotten
===============



wrote:
> I recently downloaded the KB933729 update for Windows XP home edition.
> After installing this patch for the RPC vulnerability I have had
> several services crash (one at a time) due to a file that is part of
> the RPC update, rpcrt4.dll. The services crashing have been random.
> Uninstalling the update makes everything work as normal but I figure
> this patch is important to have installed and would appreciate
> feedback for a solution.
> I should add that I have reinstalled the patch twice with AV and other
> active software disabled.
>
> Below is the dump file debugged with rpcrt4.dll version information,
> perhaps somone with more knowledge can understand more of this,
> thanks.
>
>
> ******
> This dump file has an exception of interest stored in it.
> The stored exception information can be accessed via .ecxr.
> (9b8.b8c): Access violation - code c0000005 (first/second chance not
> available)
> eax=89abcdef ebx=001879a8 ecx=0125fe18 edx=7c90eb94 esi=0017d4a0
> edi=00000000
> eip=77ef65e1 esp=0125fe30 ebp=0125ff80 iopl=0 nv up ei ng nz
> na po nc
> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
> efl=00000282
> rpcrt4!CStdAsyncStubBuffer2_Release+0x2b:
> 77ef65e1 8b08 mov ecx,dword ptr [eax] ds:
> 0023:89abcdef=????????
> 0:002> !analyze -v
> ************************************************** *****************************
> *
> *
> * Exception
> Analysis *
> *
> *
> ************************************************** *****************************
>
> *** ERROR: Symbol file could not be found. Defaulted to export
> symbols for SiteAdv.dll -
>
> FAULTING_IP:
> rpcrt4!CStdAsyncStubBuffer2_Release+2b
> 77ef65e1 8b08 mov ecx,dword ptr [eax]
>
> EXCEPTION_RECORD: ffffffff -- (.exr ffffffffffffffff)
> ExceptionAddress: 77ef65e1 (rpcrt4!CStdAsyncStubBuffer2_Release
> +0x0000002b)
> ExceptionCode: c0000005 (Access violation)
> ExceptionFlags: 00000000
> NumberParameters: 2
> Parameter[0]: 00000000
> Parameter[1]: 89abcdef
> Attempt to read from address 89abcdef
>
> DEFAULT_BUCKET_ID: BAD_PTR_DEREFERENCE
>
> PROCESS_NAME: SiteAdv.exe
>
> ERROR_CODE: (NTSTATUS) 0xc0000005 - Instruktionen p "0x%08lx"
> refererade till minnet p "0x%08lx". Det gick inte att utf ra en
> minnes tg rd. F ljande fel returnerades: The memory could not be "%s".
>
> READ_ADDRESS: 89abcdef
>
> BUGCHECK_STR: ACCESS_VIOLATION
>
> LAST_CONTROL_TRANSFER: from 77e76c9f to 77ef65e1
>
> STACK_TEXT:
> 0125ff80 77e76c9f 0125ffa8 77e76ac1 0017d4a0 rpcrt4!
> CStdAsyncStubBuffer2_Release+0x2b
> 0125ff88 77e76ac1 0017d4a0 00000000 00d0e92c rpcrt4!
> RecvLotsaCallsWrapper+0xd
> 0125ffa8 77e76c87 001855c8 0125ffec 7c80b683 rpcrt4!
> BaseCachedThreadRoutine+0x79
> 0125ffb4 7c80b683 00187ac0 00000000 00d0e92c rpcrt4!ThreadStartRoutine
> +0x1a
> 0125ffec 00000000 77e76c6d 00187ac0 00000000 kernel32!BaseThreadStart
> +0x37
>
>
> STACK_COMMAND: ~2s; .ecxr ; kb
>
> FAULTING_THREAD: 00000b8c
>
> PRIMARY_PROBLEM_CLASS: BAD_PTR_DEREFERENCE
>
> FOLLOWUP_IP:
> rpcrt4!CStdAsyncStubBuffer2_Release+2b
> 77ef65e1 8b08 mov ecx,dword ptr [eax]
>
> SYMBOL_STACK_INDEX: 0
>
> SYMBOL_NAME: rpcrt4!CStdAsyncStubBuffer2_Release+2b
>
> FOLLOWUP_NAME: MachineOwner
>
> MODULE_NAME: rpcrt4
>
> IMAGE_NAME: rpcrt4.dll
>
> DEBUG_FLR_IMAGE_TIMESTAMP: 46923632
>
> FAILURE_BUCKET_ID: ACCESS_VIOLATION_rpcrt4!
> CStdAsyncStubBuffer2_Release+2b
>
> BUCKET_ID: ACCESS_VIOLATION_rpcrt4!CStdAsyncStubBuffer2_Relea se+2b
>
> Followup: MachineOwner
> ---------
>
> 0:002> lmvm rpcrt4
> start end module name
> 77e70000 77f01000 rpcrt4 (pdb symbols) I:\symbols
> \rpcrt4.pdb\436F11D9044249B8AB818CAD4D9079E72\rpcr t4.pdb
> Loaded symbol image file: rpcrt4.dll
> Mapped memory image file: I:\symbols\rpcrt4.dll
> \4692363291000\rpcrt4.dll
> Image path: I:\WINDOWS\system32\rpcrt4.dll
> Image name: rpcrt4.dll
> Timestamp: Mon Jul 09 15:20:50 2007 (46923632)
> CheckSum: 0009B60A
> ImageSize: 00091000
> File version: 5.1.2600.3173
> Product version: 5.1.2600.3173
> File flags: 0 (Mask 3F)
> File OS: 40004 NT Win32
> File type: 2.0 Dll
> File date: 00000000.00000000
> Translations: 0409.04b0
> CompanyName: Microsoft Corporation
> ProductName: Microsoft® Windows® Operating System
> InternalName: rpcrt4.dll
> OriginalFilename: rpcrt4.dll
> ProductVersion: 5.1.2600.3173
> FileVersion: 5.1.2600.3173 (xpsp_sp2_qfe.070709-0052)
> FileDescription: Remote Procedure Call Runtime
> LegalCopyright: © Microsoft Corporation. All rights reserved.
> ******
>

<> wrote in message
news: oups.com
....
> Below is the dump file debugged with rpcrt4.dll version information,

> Translations: 0409.04b0


This is the same version that I have (EN-US).
However, noticing your E-mail address I wonder if that is the version
that you would want? E.g. are you running an SE version of Windows
and is there an SE version of the patch?


> FileVersion: 5.1.2600.3173 (xpsp_sp2_qfe.070709-0052)


I'm surprised to see that I have the QFE version too.
I have no idea when that would have happened.
Do you still have a QFE version after you uninstalled this one?
What are its properties? Hint: use filever.exe /v (in the XP Pro Support
Tools; I don't know if XP Home users get the same tools or not.)

BTW you might get a better perspective of the other modules in the stack
for the crash event by using ProcMon. That might give you some other clues
too from other records for the crashing task just before the one for the crash.


HTH

Robert Aldwinckle
---

Thanks for the feedback much appreciated.

I will add that the services crashing are different, alg.exe,
lssas.exe, vmplayer.exe etc and at random interval. The debugged dump
in my first post is only one example but all the other dumps look
exaclty the same except another service being affected.

The following log message is the same for all services crashing except
the name of the service.

"Faulty/wrong program lsass.exe, version 5.1.2600.2180, faulty/wrong
modul rpcrt4.dll, version 5.1.2600.3173, faulty/wrong adress
0x000865e1."

As for the file versions I checked both the downloaded KB933729 and
the one available at MS download homepage, naturally I checked the SE
versions and both contain english versions of the files.

It seems the failure is when the below is processed but as im no
programmer I cant make out what kind of operation it is doing and what
might be the cause.

"FAILURE_BUCKET_ID: ACCESS_VIOLATION_rpcrt4!
CStdAsyncStubBuffer2_Release+2b"


So far the only solution has been to uninstall the KB933729 update.
The dmp/log have been sent to MS every time a service has crashed due
to rpcrt4.dll (RPC component).

Other maybe relevant information is that I use a dual-core CPU (AMD)
with AMD optimizer to sync the cores. Additionally disabling all the
services being affected (so far except critical services) has yield no
success.

<> schrieb:

> I will add that the services crashing are different, alg.exe,
> lssas.exe, vmplayer.exe etc and at random interval.

Have you tried installing KB933729 *without* *any* McAfee and other
applications running in the background? Even in Safe Mode of Windows
XP?

Bye,
Freudi