Fix: Setup cannot copy the file winhlp32.exe when installing Windows XP SP3

Our desktop team has finally started deploying Windows XP Service Pack 3 to corporate computers.  Their silent installation package kept failing on my laptop.  I finally ran the installer manually, and found it was failing with the following error:

Setup cannot copy the file winhlp32.exe

I checked the NTFS permissions, and found that Everyone was denied access to the C:\Windows\Winhlp32.exe file.  I logged in with administrative access, removed the deny permission, and SP3 installed successfully.

Turns out that I had implemented this change in file permissions as a workaround to the Help Keypress Vulnerability in VBScript enabling Remote Code Execution, detailed in this Technet Blog post.  It’s funny, the things I forget I do to my system to try to deal with security vulnerabilities because I can’t update patches on my own machine.

No RDP access or Internet activity after installing ISA 2004 SP3

Yesterday I was using Microsoft’s Remote Desktop (RDP) to review the Event Logs for a Windows 2003 Appliance that runs ISA 2004 SP2 server at a client’s remote location. I noticed in the system log unsuccessful installation entries for Windows Update patches:

Event ID: 16 Source: Windows Update Agent

Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.

I reviewed the WindowsUpdate.log file, and found the following logged repeatedly:

Windows Update Client failed to detect with error 0x80072efd

WARNING: PTError: 0x80072efd
2008-02-18 22:57:34:127 1948 133c PT WARNING: GetCookie_WithRecovery failed : 0x80072efd
2008-02-18 22:57:34:127 1948 133c PT WARNING: RefreshCookie failed: 0x80072efd
2008-02-18 22:57:34:127 1948 133c PT WARNING: RefreshPTState failed: 0x80072efd
2008-02-18 22:57:34:127 1948 133c PT WARNING: Sync of Updates: 0x80072efd
2008-02-18 22:57:34:127 1948 133c PT WARNING: SyncServerUpdatesInternal failed: 0x80072efd
2008-02-18 22:57:34:127 1948 133c Agent * WARNING: Failed to synchronize, error = 0x80072EFD
2008-02-18 22:57:34:158 1948 133c Agent * WARNING: Exit code = 0x80072EFD
2008-02-18 22:57:34:158 1948 133c Agent *********

These failures and warnings had been occuring for at least a month, so the server was definitely behind in its security patches. Since Automatic Updates weren’t installing properly, I manually visited the Microsoft Update (MU) web site and scanned the system for missing updates.

MU found 12 missing security patches, along with ISA 2004 SP3. I told MU to go ahead and install all the updates, and it successfully installed the 12 security patches. It did tell me that ISA 2004 SP3 did NOT install successfully, and prompted me for a reboot.

I told Windows not to reboot immediately, since I had a few more things I wanted to do on the system – but then I lost my RDP connection to the device. I tried to reconnect unsuccessfully, and was unable to ping the server. I waited a few minutes and retried to communicate with the device unsuccessfully.

A few more minutes passes, and the server was still MIA. We called an employee at the remote site, and had her restart the server. She did so, and we waited. Fifteen minutes passed, and I could not ping the server, let alone connect via RDP. The scene was not pretty, because when the ISA server is down, 1500 unhappy users cannot access the Internet. The phone calls we starting to pour in on a consistent basis.

I had the local network admin drive out to the site to try to figure out what was going on. After half an hour, he said the ISA and Routing and Remote Access services had not started automatically at boot, and he could not start them manually. We were stuck with a down server, and no Internet to help us figure out the problems.

I decided we should plug a laptop into the public side of the Internet connection with a statically asssigned IP. For whatever reason, that laptop was unable to surf. I had the local admin mess around with the laptop while I reviewed all of the server’s logs.

Source: Service Control Manager Event ID: 7022

The Microsoft Firewall service hung on starting.


Source: Service Control Manager Event ID: 7001

The Routing and Remote Access service depends on the Microsoft Firewall service which failed to start because of the following error:

After starting, the service hung in a start-pending state.


Source: Service Control Manager Event ID: 7031

The Microsoft Firewall service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

The Application Log showed the following errors:

Source: Microsoft Firewall Event ID: 14056

The application filter (DNS Filter, CLSID={49FE2B2F-3BB4-495C-87C8-3890C3C35756}) performed an illegal operation inside the Firewall service process at method FilterInit. The Firewall service terminated. To resolve this error, remove recently installed application filters and restart the service. If this does not resolve the problem, contact the component vendor.


Source: Microsoft ISA Server 2004 Event ID: 1000

Faulting application wspsrv.exe, version 4.0.2165.610, stamp 442d48f1, faulting module dnsfltr.dll, version 4.0.2165.594, stamp 43cd50bc, debug? 0, fault address 0x0000cce9.

and finally

Souce: MsiInstaller Event ID: 1024

Product: Microsoft ISA Server 2004 – Update ‘Microsoft ISA Server 2004 Service Pack 3’ could not be installed. Error code 1603. Windows Installer can create logs to help troubleshoot issues with installing software packages.

One of the events above referenced wspsrv.exe and dnsfltr.dll – I figured one of the patches I applied earlier may have replaced one (or both) of these files, so I searched the hard drive for duplicates. I was disappointed to find no alternate versions of these files.

I immediately went to Add/Remove Programs, uninstalled the 12 security updates I had applied earlier, and rebooted. The server took forever to come back up, I still had the errors listed above, and the Internet was still down.

Eventually we were able to get a connection to the Internet, and I found KB 937028The Microsoft Firewall service does not start after an ISA Server 2004 SP3 installation fails

The KB described our situation exactly! It goes on to explain the cause of the problem is:

This issue occurs if the rollback operation is not successful and if the computer contains ISA Server 2004 components from the pre-update version and from ISA Server 2004 SP3.

The most common installation and rollback failures occur in the following scenario:

• You have the ISA Server Management Microsoft Management Console (MMC) snap-in open in a separate Remote Desktop Protocol (RDP) session.

• You use an unattended installation to install ISA Server 2004 SP3. For example, ISA Server 2004 SP3 is installed from the Microsoft Update Web site.

The Microsoft Update installer cannot prompt a user to close the ISA Server Management MMC snap-in. Therefore, the installation fails. Then, it starts a rollback of all changes to this point. If the rollback also fails, the computer will contain ISA Server 2004 components from the pre-update version and from ISA Server 2004 SP3.

Now, while I didn’t have the MMC open in my session during the installation, I did perform the installation via RDP from the Microsoft Update web site. I suspect this unsuccessful SP3 installation is what caused the Firewall service not to start.

The KB described two workarounds, and I chose to apply Method 2 immediately to get my users back up working as quickly as possible:

Method 2: Reregister the ISA Server administration component

1. Click Start, click Run, type cmd, and then press ENTER.

2. At the command prompt, type the following commands. Press ENTER after each command.

cd /d “%programfiles%\microsoft isa server”

regsvr32 wspadmin.dll

3. When you receive the “DllRegisterServer in wspadmin.dll succeeded” message, click OK.

4. At the command prompt, type the following commands. Press ENTER after each command.

md VPN\Netsh

net start fwsrv

This fix worked like a charm, and everyone was back online. Later in the day after the majority of the users had gone home, I decided to reapply ISA 2004 SP3 from the server itself, instead of via Remote Desktop. I used the following syntax:

msiexec /p “E:\Isa2004SP3\ISA2004SE-KB924406-x86-ENU.msp”
REINSTALL=all REINSTALLMODE=omus /l*v E:\Isa2004SP3\sp3.log

Where the SP3 installation file is named ISA2004SE-KB924406-x86-ENU.msp and is located in the E:\Isa2004SP3\ directory. It also writes a log file named sp3.log into the E:\Isa2004SP3\ directory. REINSTALLMODE=omus specifies the following:

o – Reinstalls if file is missing or an older version is installed.

m – Rewrites all required computer-specific registry entries.

u – Rewrites all required user-specific registry entries.

s – Overwrites all existing shortcuts.

Note that I specified REINSTALL rather than INSTALL. The previous attempt at installing SP3 failed and was supposedly rolled back, but I didn’t know how many residual files and settings were left behind.

I rebooted, and the ISA server came back up with no problems. I was able to reinstall the 12 security patched from Microsoft Update, and after another reboot the server was back to acting as expected.