Patch Watch update: Duqu-patch install problems

Topic

New Reply

	PATCH WATCH Patch Watch update: Duqu-patch install problems
	By Susan Bradley For Windows XP systems, the recent Duqu patch detailed in Microsoft Security Bulletin MS12-034 might be a case of the cure being worse than the disease. Attempts to install KB 2686509 have resulted in frustration and confusion — and the documentation wasn’t much help.

---

The full text of this column is posted at windowssecrets.com/patch-watch/patch-watch-update-duqu-patch-install-problems/ (opens in a new window/tab).

Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.[/td]

[/tr][/tbl]

Reply | Quote

Replies

Thank you Susan Bradley for the great information. I had two issues. The first was the upgrade from Win98. I corrected that by deleting the registry keys for the kbdxx.kbd files. The second was the missing dll files. I found one on my system and copied it to Windows/System32, but a file named kbd101a.dll I did not have. Doing a search of the registry, I found it in 5 different places. I was hesitant to delete all those keys, so I found the file on the web and downloaded it to my Windows/System32 folder. After that the KB 2686509 installed properly.

Tony

Reply | Quote

I had also discovered in my research that a common thread seemed to be having changed the keyboard mapping.

I removed my mapping (disabling the Caps Lock key) and tried to reinstall this KB2686509 fix. I rebooted a few times and each and every time, Windows wanted to try and reinstall. But with all that, the patch still didn’t work.

There is no FaultyKeyboard.log file to be found. I only see 4 KBD files (nothing unusual). This system was NOT built on top of an older Win98 or Win/ME system.

So what now?

Here is the patch log:

================================================================================
1.500: 2012/05/17 15:47:32.437 (local)
1.500: C:WINDOWSSoftwareDistributionDownload3438087687b5dd8accc81e44f72f02e7updateupdate.exe (version 6.3.13.0)
1.500: DoInstallation: GetProcAddress(InitializeCustomizationDLL) Returned: 0x7f
1.500: Failed To Enable SE_SHUTDOWN_PRIVILEGE
1.500: Hotfix started with following command line: -q -z -er /ParentInfo:c891304f3d0f6c4d952c0130b3335be4
1.500: In Function GetReleaseSet, line 1240, RegQueryValueEx failed with error 0x2
1.578: Return Value From IsMachineSafe = 0
1.578: IsMachineSafe returned 441092
1.578: Fist Condition in Prereq.IsMachineSafe.Section Failed
1.578: Condition Check for Line 1 of PreRequisite returned FALSE
1.578: ReadStringFromInf: UpdSpGetLineText failed: 0xe0000102
1.578: KB2686509 Setup encountered an error: Setup cannot continue because one or more prerequisites required to install KB2686509 failed. For More details check the Log File c:windowsKB2686509.log
1.594: ReadStringFromInf: UpdSpGetLineText failed: 0xe0000102
1.594: Setup cannot continue because one or more prerequisites required to install KB2686509 failed. For More details check the Log File c:windowsKB2686509.log
1.594: Update.exe extended error code = 0xf0f4

Reply | Quote

The KB log file does ABSOLUTELY NOTHING to help (pet peeve of mine). Can you check your keyboard registry keys and see if you have anything?
Also did you upgrade from Win98?

Reply | Quote

The KB log file does ABSOLUTELY NOTHING to help (pet peeve of mine). Can you check your keyboard registry keys and see if you have anything? Also did you upgrade from Win98?

No, This was fresh XP build, not built on top of Win98. Looking through http://support.microsoft.com/kb/2686509, I see: ————- You may receive an error message that resembles the following when you try to install this security update: Setup cannot continue because one or more prerequisites required to install KB2686509 failed (0x8007F0F4) You receive this message if any registered keyboard layout files are not in the %Windir%System32 folder. In this scenario, the computer is incompatible with the security updates. —————- I see that error msg. Again, http://support.microsoft.com/kb/2686509 says to look for the Faultykeyboard.log file but that file does not exist. So it looks like it is not finding the files it wants in the SYSTEM32 folder. What are the names of those files and can I copy them in from the i386 folder? Also, looking in the registry at th eke: HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlKeyboard Layout I see 2 subkeys under this key which seems to possible relate to DOS. There is another key right below named: HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlKeyboard Layouts This has maybe 100 different subkeys, each of which seems to represent a keyboard language file. Microsoft seems to suggest that I should delete all these subkeys. I can do that after taking a registry backup but will the keyboard work without these files?

Reply | Quote

The KB log file does ABSOLUTELY NOTHING to help (pet peeve of mine). Can you check your keyboard registry keys and see if you have anything?
Also did you upgrade from Win98?

No, This was fresh XP build, not built on top of Win98.

Looking through http://support.microsoft.com/kb/2686509, I see:

————-
You may receive an error message that resembles the following when you try to install this security update:

Setup cannot continue because one or more prerequisites required to install KB2686509 failed (0x8007F0F4)

You receive this message if any registered keyboard layout files are not in the %Windir%System32 folder. In this scenario, the computer is incompatible with the security updates.
—————-

I see that error msg. Again, http://support.microsoft.com/kb/2686509 says to look for the Faultykeyboard.log file but that file does not exist.

So it looks like it is not finding the files it wants in the SYSTEM32 folder.

What are the names of those files and can I copy them in from the i386 folder?

Also, looking in the registry at the key:
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlKeyboard Layout

I see 2 subkeys under this key which seems to possibly relate to DOS.

There is another key right below named:
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlKeyboard Layouts

This has maybe 100 different subkeys, each of which seems to represent a keyboard language file.

Microsoft seems to suggest that I should delete all these subkeys in the KB article!

I can do that after taking a registry backup but will the keyboard work without these files?

Reply | Quote

The Keyboard Layout key with a value named “attributes” will also cause KB2686509 to fail. (I have that in there so that Shift will cancel Caps Lock.

Reply | Quote

No, This was fresh XP build, not built on top of Win98. Looking through http://support.microsoft.com/kb/2686509, I see: ————- You may receive an error message that resembles the following when you try to install this security update: Setup cannot continue because one or more prerequisites required to install KB2686509 failed (0x8007F0F4) You receive this message if any registered keyboard layout files are not in the %Windir%System32 folder. In this scenario, the computer is incompatible with the security updates. —————- I see that error msg. Again, http://support.microsoft.com/kb/2686509 says to look for the Faultykeyboard.log file but that file does not exist. So it looks like it is not finding the files it wants in the SYSTEM32 folder. What are the names of those files and can I copy them in from the i386 folder? Also, looking in the registry at th eke: HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlKeyboard Layout I see 2 subkeys under this key which seems to possible relate to DOS. There is another key right below named: HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlKeyboard Layouts This has maybe 100 different subkeys, each of which seems to represent a keyboard language file. Microsoft seems to suggest that I should delete all these subkeys. I can do that after taking a registry backup but will the keyboard work without these files?

Reply | Quote

Found this in the event log. Does it help any?

[TABLE=”width: 100%”]
[TR]
[TD]EVENT #
[/TD]
[TD]9823
[/TD]
[/TR]
[TR]
[TD]EVENT LOG
[/TD]
[TD]System
[/TD]
[/TR]
[TR]
[TD]EVENT TYPE
[/TD]
[TD]Error
[/TD]
[/TR]
[TR]
[TD]SOURCE
[/TD]
[TD]Windows Update Agent
[/TD]
[/TR]
[TR]
[TD]CATEGORY
[/TD]
[TD]Installation
[/TD]
[/TR]
[TR]
[TD]EVENT ID
[/TD]
[TD]20
[/TD]
[/TR]
[TR]
[TD]COMPUTERNAME
[/TD]
[TD]DESK01
[/TD]
[/TR]
[TR]
[TD]DATE / TIME
[/TD]
[TD]5/17/2012 3:47:32 PM
[/TD]
[/TR]
[TR]
[TD]MESSAGE
[/TD]
[TD]Installation Failure: Windows failed to install the following update with error 0x8007f0f4: Security Update for Windows XP (KB2686509).
[/TD]
[/TR]
[TR]
[TD]BINARY DATA
[/TD]
[TD]0000: 57 69 6E 33 32 48 52 65 73 75 6C 74 3D 30 78 38
0010: 30 30 37 66 30 66 34 20 55 70 64 61 74 65 49 44
0020: 3D 7B 37 37 36 34 33 44 42 33 2D 35 37 35 39 2D
0030: 34 39 37 41 2D 38 32 41 43 2D 36 30 46 31 31 31
0040: 46 36 46 34 33 42 7D 20 52 65 76 69 73 69 6F 6E
0050: 4E 75 6D 62 65 72 3D 31 30 33 20 00
[/TD]
[/TR]
[/TABLE]

Reply | Quote

Found this in the event log. Does it help any?

EVENT # 9823
EVENT LOG System
EVENT TYPE Error
SOURCE Windows Update Agent
CATEGORY Installation
EVENT ID 20
COMPUTERNAME DESK01
DATE / TIME 5/17/2012 3:47:32 PM

MESSAGE Installation Failure: Windows failed to install the following update with error 0x8007f0f4: Security Update for Windows XP (KB2686509).

BINARY DATA 0000: 57 69 6E 33 32 48 52 65 73 75 6C 74 3D 30 78 38
0010: 30 30 37 66 30 66 34 20 55 70 64 61 74 65 49 44
0020: 3D 7B 37 37 36 34 33 44 42 33 2D 35 37 35 39 2D
0030: 34 39 37 41 2D 38 32 41 43 2D 36 30 46 31 31 31
0040: 46 36 46 34 33 42 7D 20 52 65 76 69 73 69 6F 6E
0050: 4E 75 6D 62 65 72 3D 31 30 33 20 00

Reply | Quote

OK, I got this thing installed.

There is a VBS script here that is supposed to solve the problem:
http://www.vivus.net/dl/

But since I am comfortable mucking around in the registry, what I did was go to this key in RegEdit:

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlKeyboard Layout

Looking in that key, I saw an entry for ScanCodeMap, which seems to be what is causing the patch to fail. This entry apparently stores any key remappings that you might have done.

I exported this whole key, then deleted the INDIVIDUAL entry named ScanCodeMap.

Then I closed RegEdit.

I then reran the KB2686509 patch. I got a very quick response to reboot, which I did. Once back in Windows, I checked for a log entry in the Windows folder. I could see the fix now listed as installed in the Windows folder root and the log entry KB2686509.log indicated success also.

I then imported (merged) the previously exported key: HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlKeyboard Layout, which included the modified ScanCodeMap entry. I then tested that my remapping of the Caps Lock key was again working (it was).

Everything is looking good now.

Hope this helps others.

Reply | Quote

Thanks to Susan Bradley for this. My situation was essentially the same as that described by ibe98765, and the same procedure fixed it. Knowing about the problem in advance saved me probably many hours of frustration.

Reply | Quote