Rather than bloat the administrator index further with lots of
individual Gotcha! items and hacks, I will make a separate list here. I will be
updating this tip with NT oriented gotcha! from Microsoft security bulletins,
newsletters, bug lists, and my own experience.
There is no built in support for USB in Windows NT
4.0. A better approach may be to upgrade to Windows 2000 Pro. If you must stay
with Windows NT, Bsquare is a 3rd party utility which will support USB
keyboards, mice, printers, and most Pocket PC cradles. If you have a USB
joystick, scanner, camera, pool cue, charging station, or other USB device, you
will have to check with the manufacturer for an NT4 driver. Good luck. EdgeUSB
allows one to run existing WDM USB class drivers on Windows NT. See for Edgeport NT 4.0 drivers.
primary partition is FAT32.
primary partition needs to be FAT16 so Win98 and NT can boot. You probably have
one large FAT32 partition. Clean up the disks – uninstall apps that can be
reinstalled easily; delete unneeded files; minimize swap file; defrag the drive.
Use PartitionMagic to create a new FAT32 partition large enough for your
remaining apps. Move your data and apps to the new partition. Reduce the
primary partition to less than 2GB. Convert it to FAT16. Install NT on the
primary partition. Complicated. Do you have all the needed utilities? If not,
backup your data and blow it away. Install either NT and Win98 on a 2GB FAT16
primary partition. Format rest of drive into either FAT16 to share partition
between NT & Win98 or create NTFS and FAT32 partitions and keep them
SANS issued a FLASH message describing a vulnerability that
is probably the most dangerous programming error in Windows workstation (all
varieties — 95, 98, 2000, NT 4.0) that Microsoft has made.
You are vulnerable to total compromise simply by previewing or reading an
email (without opening any attachments) if you have one of the affected
operating systems and have the following installed:
- Microsoft Access 97 or 2000
- Internet Explorer 4.0 or higher, including 5.5 (Windows 2000 includes IE 5)
change to a folder or read a file. As administrator you can not take ownership
to get access under NTFS.
I have had
this happen with random files and an occasional folder. It's there in the
directory but the owner can’t access it nor can the administrator take ownership
to get access. I had this happen about once a month on web servers which had a
lot of developer owners. I verified the problem was not a virus or other
malicious activity. I initially assumed it was disk corruption because it could
only be cleared up by chkdsk /f. Having to reboot to
clear up the problem is a real pain in a production environment. I eliminated
disk or file corruption by renaming the problem file(s) or folder(s) and leaving
them on the disk. The problem would pop up again a few days or weeks later.
I later came to the conclusion that the problem is a natural side-effect of
NTFS: the developer or someone with access deletes the file or folder while
it is opened by someone on the web (another developer or a web service perhaps).
The file or folder is GONE, deleted. But since someone has it open, NTFS can not
remove the NTFS table entry for the file or folder. Schedule chkdsk /f, reboot
(which breaks any connections to open files or folders) and chkdsk finds a
directory entry without data and cleans up the “bad” (actually obsolete)
directory entry. Voila! The file or folder that gave you Access
Denied even as administrator is gone. The access problem was not
permissions, it is simply that the directory entry exists but no file or folder
does. I later found a kb article which described this
IE5 and replaces the Schedule service and the AT commands. Some programs
will only run under the schedule service, or they run unpredictably under Task
Scheduler. If this is a problem you have had with AT, uninstall Task Scheduler
and use the Schedule service (atsvc.exe) instead. See this MS Knowledge Base
You may have trouble
importing a Security Certificate in Microsoft Outlook or Microsoft Outlook
Express running on Windows NT 4.0. The path to the Security Certificate may
contain random ASCII characters, or Internet Explorer may stop responding (hang)
or close unexpectedly. This issue can occur if you upgrade to SP4 and then
export the Security Certificate from Netscape Navigator, or if you try to import
a Security Certificate that uses the SMIME security standard. The only fix for
this is to upgrade to SP5.
that Prevents NT from Booting
after you upgrade a Microsoft DNS-based server from Windows NT 4.0
Service Pack 3 to Service Pack 4, 5, or 6. But that's not really the problem. The
SP upgrade is revealing a real problem. Your DNS is improperly configured. You
have something in your DNS configuration that is instructing the DNS server to
send a message to an IP address that is not valid. The most common problem is
that somewhere in your DNS configuration you have either a blank or a 0.0.0.0 IP
address. This could be in the IP Master field telling a secondary zone database
where to find a primary, or it could be in a Notify list, or it might be in a
corrupted CACHE.DNS file. It is also possible that it could be in a corrupted
entry in the registry. Check these areas for a blank, zero, or invalid IP
address, correct it, then stop and re-start the DNS service.
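The check described above, applied to one of the listed places (the CACHE.DNS file), as an added example that is not part of the original tip. It assumes the file uses the standard master-file layout (owner, optional TTL and class, type, data); the host names and addresses in the sample are constructed, and `check_a_records` and `classify` are hypothetical helper names.

```python
import ipaddress

# Constructed sample in master-file layout (assumed format of CACHE.DNS);
# names and addresses are made up for illustration.
SAMPLE_CACHE_DNS = """\
; root hints (constructed sample)
.              3600000  IN  NS  NS1.EXAMPLE.
NS1.EXAMPLE.   3600000      A   192.0.2.10
.              3600000      NS  NS2.EXAMPLE.
NS2.EXAMPLE.   3600000      A   0.0.0.0
.              3600000      NS  NS3.EXAMPLE.
NS3.EXAMPLE.   3600000      A
.              3600000      NS  NS4.EXAMPLE.
NS4.EXAMPLE.   3600000      A   192.0.2.900
"""

def classify(addr):
    """Return 'blank', 'zero' or 'invalid' for a bad address, else None."""
    if not addr:
        return "blank"
    try:
        ip = ipaddress.IPv4Address(addr)
    except ipaddress.AddressValueError:
        return "invalid"
    return "zero" if ip.is_unspecified else None

def check_a_records(text):
    """Return (line_no, owner, problem) for every A record with a bad address."""
    findings, owner = [], None
    for line_no, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split(";", 1)[0].split()      # drop comments, tokenize
        if not tokens:
            continue
        if not raw[0].isspace():                   # owner name starts in column 1
            owner = tokens.pop(0)
        # Skip the optional TTL and class fields to reach the record type.
        while tokens and (tokens[0].isdigit() or tokens[0].upper() == "IN"):
            tokens.pop(0)
        if not tokens or tokens[0].upper() != "A":
            continue
        problem = classify(tokens[1] if len(tokens) > 1 else "")
        if problem:
            findings.append((line_no, owner, problem))
    return findings

if __name__ == "__main__":
    for line_no, owner, problem in check_a_records(SAMPLE_CACHE_DNS):
        print(f"line {line_no}: {owner} has a {problem} address")
```

The IP Master field, Notify list and registry entries named above still have to be checked separately; this only covers the file.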
You get this error when
trying to create a trust to a domain which has RestrictAnonymous set. You can
resolve this by removing RestrictAnonymous or by placing the PDC's address in the WINS
server db or LMHosts. See Q245172.
Your antivirus software detects a boot sector virus. You allow
the antivirus software to clean the virus off. When you reboot, a DRIVE (1 or
more partitions) is missing. Actually the drive is not missing. The antivirus
software rewrote the MBR (master boot record) to eliminate the boot sector
virus. The disk signature NT uses to recognize the drive as an NT drive is
stored in the MBR and is no longer there after the antivirus software rewrote a
default MBR. Reboot and when NT asks if it's OK to write the drive signature,
allow it to do so. Until the drive signature is rewritten, NT will set the drive
When you assign a drive letter to a
Jaz drive or other removable media under SP6a, if you delete the partition,
create it again, and assign a new drive letter, you won’t see the previously
assigned drive letter in the available drive list until you reboot the system.
the combined size of the files in the
%SystemRoot%\Repair folder exceeds the capacity of one floppy disk. See kb
article for workarounds.
You get the following error when you try to delete
the global group:
The following error occurred when trying to delete group
operation is not allowed on this special group.
the problem and try to remove the member(s). You get the message:
The following error occurred changing the properties of the global group
This operation is not allowed on this special group.
then reset the primary group if any are found, before you delete the group.
You can resolve by using the HP5si driver or
Seen reports of IIS /
ZoneAlarm conflict. Seems to be caused by ZoneAlarm’s TrueVector Internet Monitor service. To resolve, make the
service depend on the IIS service w3svc. Then vsmon will
wait on w3svc before starting. It seems the ZoneAlarm service interferes with
w3svc starting if it starts first. Make it start after.
This happens when someone has gotten heavy handed with user rights and removed
the Access this computer from the network user right
from the Everyone group. Resolve by
- Start User Manager for Domains
- Select Policy option
- Select User Rights
- Add Everyone group to user right Access this computer from
You find the following events:
Event ID: 3013
Description: The redirector has timed out to
Event ID: 2022
Description: The server was unable to find a free connection
times in the last seconds.
McAfee NetShield has been known to cause this problem. If you have
NetShield on your domain controllers, remove it.
pagefile is too small. It has gotten corrupted. I use the unix standard of
setting the pagefile to 2xRAM but at least set it to RAM+12MB.
This error is
NOT an IE bug but is due to an incompatibility between Internet Explorer 5 and
the Apitrap.dll file that is installed by Symantec’s Norton Cleansweep v4. Fix:
If you get this error during
the installation of NT, it usually means that your drive is formatted with FAT
32. If that’s the case, you must reformat to FAT 16 or NTFS.
If someone can
NOT log on to their domain account but they can from another workstation, it's
probably the machine’s ability to log on that is failing, not the user's. You can
reset the domain password and it does not help. (All assuming that the user is
attempting to log on to the domain and not the local workstation.) Solution:
remove the workstation from the domain by adding it to a workgroup and then
re-add it to the domain. This will clear up the workstation’s ability to authenticate
with the domain.
All kinds of odd problems occur when you create a printer
and you ignore the compatibility warning about the name being more than 8
characters long. A lot of people blow right past this one. It says there will be
problems with MS-DOS clients. What you may not realize, is this includes Win9x
clients. Don’t create a name with more than 8 characters or with a space
Replication service included on the original Windows NT 4 CD is broken and does
not work properly. Install SP3 (or higher) to fix its problems.
I recently restored a server from tape, including the
registry. After reboot, the web server and all other applications and services
functioned perfectly. Unfortunately the server netlogon service would not start.
The gotcha! was that the secure channel password which every workstation and
server uses to authenticate to its domain, had been changed automatically
sometime between when the backup tape had been created and when the restore
took place. This forced the secure channel password out of synch. The BDC could
not authenticate itself to the domain. This problem is easily resolved by the
Windows NT Resource Kit utility netdom. See Admin Tip
#272: NETDOM Reports Access Denied with Windows NT 4.0 SP4 for further
This is a puzzling
error when encountered and is OFTEN asked in the newsgroups. The problem is
easily resolved. This error message usually comes from an incorrect version of
the file “srv.sys”. One common cause of this is adding networking software from
the NT CD after installing a service pack. This replaces files from the service
pack on the hard disk with an earlier version from the NT CD. Re-applying your
latest service pack usually cures the problem. See Q151427 for details.
portion of setup.
If you get this
error during the installation of NT, the failure message indicates that NT’s
temporary setup files are inaccessible.
Winnt.exe, by default, places temporary files on the first available drive that
has enough free space, but because Winnt.exe sees drives that NT may or may not
support, these temporary files may be inaccessible to Setup. (Unsupported drives
may include compressed drives, unsupported SCSI drives, or drives on secondary
IDE or ESDI controllers.) To fix this problem, use the WINNT command with the /T
switch. The /T switch specifies the target drive to which temporary files will
be stored by Setup. For example, to install temporary files in the D: drive,
type WINNT /T:D:.
be the PDC. Thus there can only be one SBS server in the domain. You can have
any number of member servers but they can not be SBS servers.
You attempt to add a workstation or server to a SBS domain and the
domain controller cannot be found. This is a bug and happens when TCP/IP is the
only protocol. Keep retrying and it will work.
reapplying NTs Service Packs
When you install IE5, it installs Task Scheduler which schedules things by
the minute rather than by the second which the AT scheduler does. You can fix it
by uninstalling Task Scheduler and reinstalling AT. Or by scheduling a couple of
minutes into the future. There also seems to be a gotcha! with SOON and time
zones where it does not properly handle them.
The service pack upgrade must
access this log. The error means the file has been deleted or corrupted or the
folder where NT has been installed, has been renamed. See kb article for
When you double-click on a shortcut or select an item from the
Start menu, nothing happens. When you try to run any program or shortcut from
Control Panel, the following error messages may appear:
Access to the specified device, path, or file is denied.
-or- This file does not have a program associated with it for performing this
action. Create an association in My Computer by clicking View and then clicking
Options. The problem occurs when the Open and/or Open\Command key(s) in
the HKEY_CLASSES_ROOT\Exefile\Shell subkey of the registry have been corrupted,
modified, or are missing.
OK. No big deal usually but I have seen
reports that Norton AV Autoprotect v7, nav2001 can make the UNCs extremely slow.
If you think you have the problem, turn off Autoprotect and see if the network
copies return to normal speeds.
Nada! Want to use that USB modem, scanner, printer, or
whatever? Sorry. Consider Windows 2000.