Update KB2667402 Remote Desktop Mystery
I also posted this in the networking forum because it affects remote desktop, hope that's ok...
I'm wondering if someone has time to help investigate or can duplicate a strange experience I've had recently with Remote Desktop in Windows 7 Ultimate x64.
Here's my story...
I have a small home network set up and regularly rdp from my Windows XP sp3 living room laptop to my Win 7 Ultimate x64 desktop in my home office.
Everything has been working fine for some time. Last week, I lost the ability to connect. On the Win 7 machine there were several errors in the system event logs indicating Terminal server failing as follows:
Terminal Server session creation failed. The relevant status code was %1 is not a valid Win32 application.
and
Terminal Server listener stack was down. The relevant status code %1 is not a valid Win32 application.
I searched the net for these errors and found something quite bizarre was going on.
It seems that on 3/14 MS issued a security update to patch a potential rdp exploit.
The story behind the update is a strange one; there are allegations that the exploit itself was leaked to the wild by MS or one of its security partners ahead of the patch. Sort of a conspiracy theory. The tech news was all over it. You can search Google News for "Microsoft Leaks RDP Exploit" or have a look here for an example.
Chinese hack Microsoft
Ok, that being said, my personal story gets stranger. I checked my Windows Update logs and found my machine had indeed taken the unattended updates to prevent the rdp exploit, specifically MS12-020, KB2667402.
The timing of the update corresponded directly with my inability to rdp, so I dug a little further. I decided to do a system file integrity check. I opened an elevated command prompt and ran sfc /scannow at the DOS prompt.
Sure enough! The scan indicated a problem with a critical rdp component as shown below.
==========================================================
2012-03-22 13:04:33, Info CSI 000000bc [SR] Verify complete
2012-03-22 13:04:33, Info CSI 000000bd [SR] Repairing 1 components
2012-03-22 13:04:33, Info CSI 000000be [SR] Beginning Verify and Repair transaction
2012-03-22 13:04:33, Info CSI 000000c0 [SR] Cannot repair member file [l:20{10}]"rdpwsx.dll" of Microsoft-Windows-TerminalServices-RDP-WinStationExtensions-Binaries, Version = 6.1.7601.17767, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2012-03-22 13:04:33, Info CSI 000000c2 [SR] Cannot repair member file [l:20{10}]"rdpwsx.dll" of Microsoft-Windows-TerminalServices-RDP-WinStationExtensions-Binaries, Version = 6.1.7601.17767, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2012-03-22 13:04:33, Info CSI 000000c3 [SR] This component was referenced by [l:154{77}]"Package_3_for_KB2667402~31bf3856ad364e35~amd64~~6.1.1.1.2667402-6_neutral_GDR"
2012-03-22 13:04:33, Info CSI 000000c6 [SR] Could not reproject corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:20{10}]"rdpwsx.dll"; source file in store is also corrupted
2012-03-22 13:04:33, Info CSI 000000c8 [SR] Repair complete
================================================================
Ah Ha!!! rdpwsx.dll from Package_3_for_KB2667402 is the culprit!
I thought surely this corrupt file must be the problem. So I uninstalled update KB2667402, rebooted and sure enough, rdp connectivity was back, and sfc indicates no errors.
I thought maybe there was an error in downloading the update and let Windows Update install it again. Reboot and the corrupt file is back and no rdp joy. Uninstalled again and everything fine. Then I decided to update manually by downloading the individual update Windows6.1-KB2667402-x64.msu file manually from MS. Same exact problems!
The rdpwsx.dll in all update packages I've tried appears to be corrupt, and looks suspicious. If you view the file properties you'll see no signature or version information like you would in most MS certified files, just a time and date stamp. And it fails sfc check every time.
I've tried this literally dozens of times with the same results. The update succeeds with no failure but creates this suspicious bad file in the process. Could it be that the update itself is corrupt and MS doesn't realize it yet?
Can someone here with the same OS please see if you can verify or duplicate my results? I'm thinking MS may be sending a corrupt security update that breaks rdp without knowing it. I'm not sure how a person would contact MS to report this.
The solution for me is simple enough, uninstall the update and tell Windows Update not to try and install it again.
If you want to be safe from the exploit without the update you can turn off rdp altogether or set it to require Network Level Authentication.
But geez, if this update really does contain a bad or hacked file, think of how many others could be affected.
Am I the only one experiencing this???
Thanks in advance for the help or whatever comments you may have.
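For anyone trying to reproduce what the poster did by hand, the script below is an added example, not the poster's own work or anything from Microsoft. It gathers the same evidence in one read-only pass: whether KB2667402 is installed and when, the version resource and embedded Authenticode status of the rdpwsx.dll that sfc flagged, whether Remote Desktop is enabled and Network Level Authentication is required, and the recent "Terminal Server" errors from the System log, then hands the file to sfc /verifyfile for the authoritative store comparison. It assumes Windows 7 x64 with the built-in PowerShell 2.0 or later, run from an elevated 64-bit console (a 32-bit PowerShell would be redirected to SysWOW64 and inspect the wrong file); the registry paths and property names are the standard Terminal Server ones, and the function name Get-RdpPatchState is my own. One caveat worth knowing before reading its output: most Windows system binaries are catalog-signed rather than carrying an embedded signature, so a missing Digital Signatures tab, or a NotSigned status from Get-AuthenticodeSignature, is normal for a genuine System32 file; the sfc hash mismatch against the component store is the finding that actually matters.

```powershell
# Added example (not from the original post): read-only checks that collect, in one
# place, the evidence the poster gathered by hand after the KB2667402 install.
# Assumed environment: Windows 7 x64, elevated 64-bit PowerShell 2.0 or later.
# Get-RdpPatchState is a name chosen for this example; the KB number and DLL name
# come from the post, the registry locations are the standard Terminal Server keys.

function Get-RdpPatchState {
    param(
        [string]$KbId = 'KB2667402',
        [string]$Dll  = (Join-Path $env:SystemRoot 'System32\rdpwsx.dll')
    )

    # 1. Is the update on the box, and when did it land? Compare with the event times.
    $hotfix      = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
    $installedOn = $null
    if ($hotfix) { $installedOn = $hotfix.InstalledOn }

    # 2. Version resource and embedded Authenticode signature of the file sfc flagged.
    #    Caveat: Windows system binaries are normally catalog-signed, so Status comes
    #    back NotSigned on a genuine file too. Only sfc / the component store is
    #    authoritative for integrity; this is just the information the poster looked at.
    $item = Get-Item -LiteralPath $Dll -ErrorAction SilentlyContinue
    $fileVersion = '<missing>'; $lastWrite = $null; $sigStatus = 'n/a'; $signer = 'none'
    if ($item) {
        $fileVersion = $item.VersionInfo.FileVersion
        $lastWrite   = $item.LastWriteTime
        $sig         = Get-AuthenticodeSignature -FilePath $Dll
        $sigStatus   = $sig.Status.ToString()
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }

    # 3. Listener configuration: is RDP enabled, is NLA enforced, which security layer?
    $ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

    # 4. The Terminal Server errors the poster saw, newest first (at most 10).
    $events = Get-EventLog -LogName System -EntryType Error -Newest 500 -ErrorAction SilentlyContinue |
              Where-Object { $_.Message -match 'Terminal Server' } |
              Select-Object -First 10 TimeGenerated, Source, EventID, Message

    New-Object PSObject -Property @{
        UpdateInstalled   = [bool]$hotfix
        UpdateInstalledOn = $installedOn
        DllPath           = $Dll
        DllFileVersion    = $fileVersion
        DllLastWrite      = $lastWrite
        DllEmbeddedSig    = $sigStatus
        DllSigner         = $signer
        RdpEnabled        = ($ts.fDenyTSConnections -eq 0)
        NlaRequired       = ($tcp.UserAuthentication -eq 1)
        SecurityLayer     = $tcp.SecurityLayer     # 0 = RDP security layer, 1 = negotiate, 2 = TLS
        RecentTsErrors    = $events
    }
}

$state = Get-RdpPatchState
$state | Format-List UpdateInstalled, UpdateInstalledOn, DllPath, DllFileVersion, DllLastWrite,
                     DllEmbeddedSig, DllSigner, RdpEnabled, NlaRequired, SecurityLayer
$state.RecentTsErrors | Format-List TimeGenerated, Source, EventID, Message

# The authoritative integrity check is sfc against the component store, which is what
# produced the "hash mismatch" lines in the post. sfc writes UTF-16 to stdout, so set the
# console decoding first or its output appears with a space between every letter.
$prevEncoding = [Console]::OutputEncoding
[Console]::OutputEncoding = [System.Text.Encoding]::Unicode
$sfcArg = "/verifyfile=$($state.DllPath)"
& "$env:SystemRoot\System32\sfc.exe" $sfcArg
[Console]::OutputEncoding = $prevEncoding
```

Run it once before removing the update and once after, and keep both outputs: the pair shows whether the sfc verdict, the file's version and timestamp, and the event log errors really move together with the install state, which is the correlation the post rests on. The removal step itself can be scripted as well, since Windows 7 accepts wusa.exe /uninstall /kb:2667402 from an elevated prompt, and the "don't offer it again" part is done in the Windows Update window by right-clicking the update and choosing Hide update. NlaRequired of True together with SecurityLayer of 2 is the configuration the post suggests as the interim protection while the update is off the machine.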