Security certificate problems in Windows 2000

Security certificate problems in Windows 2000

Post by Shannon Ja » Mon, 07 Feb 2005 09:07:31

reat. Taking you at your (poorly written) word, you are technically
competent and polite, and claim to have read and understood all of this
discussion. Therefore it was obviously an oversight that you forgot to
answer the technical question:

How can missing security certificates be identified (and replaced)?

I forgive you your unfortunate lapse, and look forward to your enlightening
answer. We're heard the talk, now let's see the walk.

By the way, the problem is rather more serious than I initially thought.
Turns out that all of the other Windows 2000 machines I was able to test
also have the problem (of apparently missing security certificates). I gave
up counting after 30 unverified files on the last one. The Windows XP
machines don't reveal the problem when running SFC, so I'm not really sure
what it means, apart from the obvious inability to know if the Windows 2000
is running valid files or has been hacked. That isn't a very large sample,
but perhaps this post may elicit some other reports?

For the moment, I suspect this is a typical Microsoftian
security-by-obscurity-whoops problem. That explains why the visiting
Microsoftian had no technical contribution to the thread. He probably knows
the answer, but he doesn't want to talk about it in public. Or perhaps it's
just yet another example of Microsoft's forced migration/upgrade strategy?
We can even dream that one of this week's numerous security patches will fix

Yet again by the way, I find your (Mr. Dilley's) projection on the "lack of
maturity" issue so funny that I'm reposting this reply in a few other forums
for wider amusement. Given the state of the newsgroups these days, I have
little hope of a technically accurate answer, but at least you're
entertaining. Your advice to the project managers is especially hilarious
and amusingly timed, but I'm not actually interested in playing your pro/ad
hominem games.

[And how about using a spelling checker? I'm not making an issue of it, but
it's yet another matter of politeness to the readers.]

Rick Dilley < XXXX@XXXXX.COM > wrote:


Security certificate problems in Windows 2000

Post by Shannon Ja » Mon, 07 Feb 2005 09:43:01

s this [the post included below] a veiled threat to delete more posts? Or
some sort of disguised back-handed sales pitch? Based on previous
experiences, I do believe I could escalate the issue, pay Microsoft some
"support" money, and someone at Microsoft would reveal the answer, perhaps
with a clause requiring me not to republish it in public places like the
newsgroups. After all, security almost entirely depends on obscurity, as all
good Microsoftians "know".

Anyway, in the event that some thin-skinned person was offended by my
attempt at lighten-the-tone humor, I have no problems with apologizing for
it. Apparently only Republicans are allowed to make such jokes, and I also
apologize for being too poorly read to know of a suitable parallel usage
with a male protagonist, which would have obviated the attempted joke.

Now let's return to the technical issues you (Pat Walters [MSFT]) ignored,
for whatever mysterious reasons. I think it best to begin by refreshing the
history a bit.

One of my machines developed an annoying but apparently minor problem at
boottime. As time allowed for such a low-priority item, I investigated.
After several months, I became focused on the hypothesis that the problem
involved missing security certificates. My current belief is that the
problem is more widespread than I initially thought and that many of your
customers would see it if they ran the "sfc /scannow" command, especially on
Windows 2000 computers. My sample is too small, but so far it seems to be
*all* W2K boxes. I'll probably check some more machines over the next few

After reading *lots* of official Microsoft Web pages and searching in
various other places, I finally resorted to the newsgroups. My initial query
resulted in a request for more data, which I provided, but it went downhill
from there. Many years ago the newsgroups had a positive SNR, but nowadays
zero-signal-and-downhill is the safe prediction.

Just in case some technically competent person would be so kind as to
provide a useful answer, the technical question is:

How can missing security certificates be identified (and "safely" replaced)?

I am stressing "safely" because this is actually a new technical issue for
this thread. Perhaps I misunderstand the situation, but I think it would be
possible for someone to replace a system file with a bogus one and produce
the problems I am describing here. However, that same "someone" could
perhaps prepare a security certificate that could be used to assure people
(via SFC) that the bogus file is the truly bogus one (albeit with
non-Microsoft ownership).

[The non-technical question is "Why have the MVPs become so ineffective at
answering anything beyond the most trivial FAQs?", but we're not supposed to
consider that one, even in the absence of useful technical answers.]

Pat Walters [MSFT] < XXXX@XXXXX.COM > wrote: