Windows NT Common Problems and Gotcha!s
Rather than bloat the administrator index further with lots of
individual Gotcha! items and hacks, I will make a separate list here. I will be
updating this tip with NT oriented gotcha! from Microsoft security bulletins,
newsletters, bug lists, and my own experience.
- USB support for NT4
There is no built in support for USB in Windows NT
4.0. A better approach may be to upgrade to Windows 2000 Pro. If you must stay
with Windows NT, Bsquare is a 3rd party utility which will support USB
keyboards, mice, printers, and most Pocket PC cradles. If you have a USB
joystick, scanner, camera, pool cue, charging station, or other USB device, you
will have to check with the manufacturer for an NT4 driver. Good luck. EdgeUSB
allows one to run existing WDM USB class drivers on Windows NT. See for Edgeport NT 4.0 drivers.
- You have Win98 and want to dual boot with NT but can't convert because
primary partition is FAT32.
The primary partition needs to be FAT16 so Win98 and NT can boot. You probably have
one large FAT32 partition. Clean up the disks - uninstall apps that can be
reinstalled easily; delete unneeded files; minimize swap file; defrag the drive.
Use PartitionMagic to create a new FAT32 partition large enough for your
remaining apps. Move your data and apps to the new partition. Reduce the
primary partition to less than 2GB. Convert it to FAT16. Install NT on the
primary partition. Complicated. Do you have all the needed utilities? If not,
backup your data and blow it away. Install either NT and Win98 on a 2GB FAT16
primary partition. Format rest of drive into either FAT16 to share partition
between NT & Win98 or create NTFS and FAT32 partitions and keep them
- Access/IE Bigtime Gotcha!
SANS issued a FLASH message describing a vulnerability that
is probably the most dangerous programming error in Windows workstation (all
varieties -- 95, 98, 2000, NT 4.0) that Microsoft has made.
You are vulnerable to total compromise simply by previewing or reading an
email (without opening any attachments) if you have one of the affected
operating systems and have the following installed:
Microsoft Access 97 or 2000
Internet Explorer 4.0 or higher, including 5.5 (Windows 2000 includes IE 5)
- Access Denied even to administrator when trying to
change to a folder or read a file. As administrator you can not take ownership
to get access under NTFS.
I have had
this happen with random files and an occasional folder. It's there in the
directory but the owner can't access it nor can the administrator take ownership
to get access. I had this happen about once a month on web servers which had a
lot of developer owners. I verified the problem was not a virus or other
malicious activity. I initially assumed it was disk corruption because it could
only be cleared up by chkdsk /f. Having to reboot to
clear up the problem is a real pain in a production environment. I eliminated
disk or file corruption by renaming the problem file(s) or folder(s) and leaving
them on the disk. The problem would pop up again a few days or weeks later.
I later came to the conclusion that the problem is a natural side-effect of
NTFS: the developer or someone with access deletes the file or folder while
it is opened by someone on the web (another developer or a web service perhaps).
The file or folder is GONE, deleted. But since someone has it open, NTFS can not
remove the NTFS table entry for the file or folder. Schedule chkdsk /f, reboot
(which breaks any connections to open files or folders) and chkdsk finds a
directory entry without data and cleans up the "bad" (actually obsolete)
directory entry. Voila! The file or folder that gave you Access
Denied even as administrator is gone. The access problem was not
permissions, it is simply that the directory entry exists but no file or folder
does. I later found a kb article which described this
- AT commands
Task Scheduler is installed with IE4 or
IE5 and replaces the Schedule service and the AT commands. Some programs
will only run under the schedule service, or they run unpredictably under Task
Scheduler. If this is a problem you have had with AT, uninstall Task Scheduler
and use the Schedule service (atsvc.exe) instead. See this MS Knowledge Base
You may have trouble
importing a Security Certificate in Microsoft Outlook or Microsoft Outlook
Express running on Windows NT 4.0. The path to the Security Certificate may
contain random ASCII characters, or Internet Explorer may stop responding (hang)
or close unexpectedly. This issue can occur if you upgrade to SP4 and then
export the Security Certificate from Netscape Navigator, or if you try to import
a Security Certificate that uses the SMIME security standard. The only fix for
this is to upgrade to SP5.
- ClipArt bites you in the *ss
- Cluster Server may not start after replacing defective disk
- Default registry key permissions allow privilege elevation from
- Disable a Service or Device
that Prevents NT from Booting
- DNS Server Generates Errors Event 453 or 7053
after you upgrade a Microsoft DNS-based server from Windows NT 4.0
Service Pack 3 to Service Pack 4, 5, or 6. But that is not really the problem. The
SP upgrade is revealing a real problem. Your DNS is improperly configured. You
have something in your DNS configuration that is instructing the DNS server to
send a message to an IP address that is not valid. The most common problem is
that somewhere in your DNS configuration you have either a blank or a 0.0.0.0 IP
address. This could be in the IP Master field telling a secondary zone database
where to find a primary, or it could be in a Notify list, or it might be in a
corrupted CACHE.DNS file. It is also possible that it could be in a corrupted
entry in the registry. Check these areas for a blank, zero, or invalid IP
address, correct it, then stop and re-start the DNS service.
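An added example, not from the original page: a Python check for the blank, zero, or invalid addresses described above. It assumes the DNS service reads a BIND-style boot file and a CACHE.DNS root hints file; the sample contents and the names `bad_ip` and `audit` are constructed for illustration, and settings held in the registry are not covered.

```python
import ipaddress

# Constructed sample files; zone names and addresses are placeholders.
SAMPLE_BOOT = """\
; BIND-style boot file (assumed layout)
cache      .             cache.dns
primary    example.com   example.com.dns
secondary  corp.example  0.0.0.0     corp.example.dns
secondary  lab.example   192.0.2.10  lab.example.dns
secondary  old.example   old.example.dns
"""
SAMPLE_CACHE = """\
; root hints in zone-file format
.                    3600000  IN  NS  A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.  3600000  IN  A   198.51.100.4
B.ROOT-SERVERS.NET.  3600000  IN  A   0.0.0.0
C.ROOT-SERVERS.NET.  3600000  IN  A   192.0.2.300
D.ROOT-SERVERS.NET.  3600000  IN  A
"""

def bad_ip(text):
    """Return 'blank', 'zero' or 'invalid' for an unusable IPv4 address, else None."""
    if not text:
        return "blank"
    try:
        addr = ipaddress.IPv4Address(text)
    except ipaddress.AddressValueError:
        return "invalid"
    return "zero" if addr.is_unspecified else None

def audit(boot_text, cache_text):
    """Return (source, line_number, reason) for every suspect address."""
    findings = []
    for n, line in enumerate(boot_text.splitlines(), 1):
        fields = line.split(";")[0].split()
        if fields and fields[0].lower() == "secondary":
            # secondary <zone> <master IP ...> <file>: masters sit between zone and file
            for master in fields[2:-1] or [""]:
                if bad_ip(master):
                    findings.append(("boot", n, bad_ip(master)))
    for n, line in enumerate(cache_text.splitlines(), 1):
        fields = line.split(";")[0].split()
        if "A" in fields[1:]:  # assumes the owner name is present on each line
            i = fields.index("A", 1)
            reason = bad_ip(fields[i + 1] if i + 1 < len(fields) else "")
            if reason:
                findings.append(("cache", n, reason))
    return findings
```

Calling `audit(SAMPLE_BOOT, SAMPLE_CACHE)` returns one tuple per suspect line, which gives the line numbers to correct before restarting the DNS service.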
- Could not find domain controller for this domain
You get this error when
trying to create a trust to a domain which has RestrictAnonymous set. You can
resolve this by removing RestrictAnonymous or by placing the PDC's address in the WINS
server db or LMHosts. See Q245172.
- DRIVE - one or more partitions missing
Your antivirus software detects a boot sector virus. You allow
the antivirus software to clean the virus off. When you reboot, a DRIVE (1 or
more partitions) is missing. Actually the drive is not missing. The antivirus
software rewrote the MBR (master boot record) to eliminate the boot sector
virus. The disk signature NT uses to recognize the drive as an NT drive is
stored in the MBR and is no longer there after the antivirus software rewrote a
default MBR. Reboot and when NT asks if it's OK to write the drive signature,
allow it to do so. Until the drive signature is rewritten, NT will set the drive
- Drive letter missing, SP6a gotcha! (flea bite size) Q259428
When you assign a drive letter to a
Jaz drive or other removable media under SP6a, if you delete the partition,
create it again, and assign a new drive letter, you won't see the previously
assigned drive letter in the available drive list until you reboot the system.
- Emergency Repair Disk Is Full Q130029
The combined size of the files in the
%SystemRoot%\Repair folder exceeds the capacity of one floppy disk. See kb
article for workarounds.
- Emergency Repair Disk
- Global group, can't delete Q119743
You get the following error when you try to delete
the global group:
The following error occurred when trying to delete group
operation is not allowed on this special group.
The problem is that the global group still has members. OK! you now know
the problem and try to remove the member(s). You get the message:
The following error occurred changing the properties of the global group
This operation is not allowed on this special group.
Check to see if a group is defined as a primary group for any members,
then reset the primary group if any are found, before you delete the group.
- High Encryption
- HP4000 - Print to HP4000 hangs intermittently under NT 4.0
You can resolve by using the HP5si driver or
- IIS Netscape Gotcha!
- IIS / ZoneAlarm conflict
Seen reports of IIS /
ZoneAlarm conflict. Seems to be caused by ZoneAlarm's TrueVector Internet Monitor service. To resolve, make the
service depend on the IIS service w3svc. Then vsmon will
wait on w3svc before starting. It seems the ZoneAlarm service interferes with
w3svc starting if it starts first. Make it start after.
- Installation Unattended
- No one can LOGON unless they are an Administrator.
This happens when someone has gotten heavy handed with user rights and removed
the Access this computer from the network user right
from the Everyone group. Resolve by
- Start User Manager for Domains
- Select Policy option
- Select User Rights
- Add Everyone group to user right Access this computer from
- Memory Leak in the Rasapi32 API
- NetWare Client 4.6 locks up NT4 servers Q253445
- PDC becomes inaccessible periodically
You find the following events:
Event ID: 3013
Description: The redirector has timed out to
Event ID: 2022
Description: The server was unable to find a free connection
times in the last seconds.
McAfee NetShield has been known to cause this problem. If you have
NetShield on your domain controllers, remove it.
- Pagefile.sys, Cannot access
The pagefile is too small. It has gotten corrupted. I use the Unix standard of
setting the pagefile to 2xRAM but at least set it to RAM+12MB.
- page fault in Apitrap.dll or Kernel32.dll caused by explorer NOT!
This error is
NOT an IE bug but is due to an incompatibility between Internet Explorer 5 and
the Apitrap.dll file that is installed by Symantec's Norton Cleansweep v4. Fix:
- The partition you have chosen is not recognized by Windows NT.
If you get this error during
the installation of NT, it usually means that your drive is formatted with
FAT32. If that's the case, you must reformat to FAT16 or NTFS.
- Password corrupt
If someone can
NOT log on to their domain account but they can from another workstation, it's
probably the machine's ability to log on that is failing, not the user's. You can
reset the domain password and it does not help (all assuming that the user is
attempting to log on to the domain and not the local workstation). Solution:
remove the workstation from the domain by adding it to a workgroup and then
re-add it to the domain. This will clear up the workstation's ability to authenticate
with the domain.
- Printing problems for Win9x clients
All kinds of odd problems occur when you create a printer
and you ignore the compatibility warning about the name being more than 8
characters long. A lot of people blow right past this one. It says there will be
problems with MS-DOS clients. What you may not realize, is this includes Win9x
clients. Don't create a name with more than 8 characters or with a space
- Domain Replication
Replication service included on the original Windows NT 4 CD is broken and does
not work properly. Install SP3 (or higher) to fix its problems.
- Rollback.exe kills NT
- Secure channel password out of synch.
I recently restored a server from tape, including the
registry. After reboot, the web server and all other applications and services
functioned perfectly. Unfortunately the server netlogon service would not start.
The gotcha! was that the secure channel password, which every workstation and
server uses to authenticate to its domain, had been changed automatically
sometime between when the backup tape had been created and when the restore
took place. This forced the secure channel password out of synch. The BDC could
not authenticate itself to the domain. This problem is easily resolved by the
Windows NT Resource Kit utility netdom. See Admin Tip
#272: NETDOM Reports Access Denied with Windows NT 4.0 SP4 for further
- Q151427: Not enough server storage is available to process this
This is a puzzling
error when encountered and is OFTEN asked in the newsgroups. The problem is
easily resolved. This error message usually comes from an incorrect version of
the file "srv.sys". One common cause of this is adding networking software from
the NT CD after installing a service pack. This replaces files from the service
pack on the hard disk with an earlier version from the NT CD. Re-applying your
latest service pack usually cures the problem. See Q151427 for details.
- Setup is unable to locate the hard drive partition prepared by the MS-DOS
portion of setup.
If you get this
error during the installation of NT, the failure message indicates that NT's
temporary setup files are inaccessible.
Winnt.exe, by default, places temporary files on the first available drive that
has enough free space, but because Winnt.exe sees drives that NT may or may not
support, these temporary files may be inaccessible to Setup. (Unsupported drives
may include compressed drives, unsupported SCSI drives, or drives on secondary
IDE or ESDI controllers.) To fix this problem, use the WINNT command with the /T
switch. The /T switch specifies the target drive to which temporary files will
be stored by Setup. For example, to install temporary files in the D: drive,
type WINNT /T:D:.
- Small Business Servers
be the PDC. Thus there can only be one SBS server in the domain. You can have
any number of member servers but they can not be SBS servers.
You attempt to add a workstation or server to an SBS domain and the
domain controller cannot be found. This is a bug and happens when TCP/IP is the
only protocol. Keep retrying and it will work.
- Service Packs, Not
reapplying NTs Service Packs
- Service Packs (SP1-SP6a) don't update international license server
- Soon runs jobs the next day after IE5 installed
When you install IE5, it installs Task Scheduler which schedules things by
the minute rather than by the second which the AT scheduler does. You can fix it
by uninstalling Task Scheduler and reinstalling AT. Or by scheduling a couple of
minutes into the future. There also seems to be a gotcha! with SOON and time
zones where it does not properly handle them.
- SP upgrade fails with "Unable to open or modify SETUP.LOG file"
The service pack upgrade must
access this log. The error means the file has been deleted or corrupted, or the
folder where NT has been installed has been renamed. See kb article for
- Shortcuts from the Start Menu or from the Desktop don't run
When you double-click on a shortcut or select an item from the
Start menu, nothing happens. When you try to run any program or shortcut from
Control Panel, the following error messages may appear:
Access to the specified device, path, or file is denied.
-or- This file does not have a program associated with it for performing this
action. Create an association in My Computer by clicking View and then clicking
Options.
The problem occurs when the Open and/or Open\Command key(s) in
the HKEY_CLASSES_ROOT\Exefile\Shell subkey of the registry have been corrupted,
modified, or are missing.
- SP5 problems in Japanese, Chinese, & Korean versions
- SQL query overcomes SQL Server and/or NT server security
- STOP: 0x0000007B Inaccessible Boot Device or "0x4,0,0,0" Error
- System32 Folder Opens When Logging into Windows NT
- tcpcfg.dll unattended
- UNC : \\server\share is 10% slower than using drive letters.
OK. No big deal usually but I have seen
reports that Norton AV Autoprotect v7, nav2001 can make the UNCs extremely slow.
If you think you have the problem, turn off Autoprotect and see if the network
copies return to normal speeds.
- USB : NT 4 does not have support for USB.
Nada! Want to use that USB modem, scanner, printer, or
whatever? Sorry. Consider Windows 2000.
- Win9x crashes on URL containing reserved device names