OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
NTBugtraq And NTSecurity Archives: Re: CONCLUSION: Did system e

Re: CONCLUSION: Did system event 6008 (unexpected shutdown) dissappear in sp5?

Frank Heyne (fhRCS.URZ.TU-DRESDEN.DE)
Mon, 1 Nov 1999 08:05:29 +0100

On 29 Oct 99, at 15:24, Randy Franklin Smith wrote:

> Well folks the conclusion is this: Until this AM I never took time to read
> Q236949 which describes the problem when you DO get 6008 since my problem
> was I wasn't getting it in the first place. In it
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Reliability\Las
> tAliveStamp is described which controls how NT recognizes unexpected
> shutdowns. That prompted me to see what the setting was on my system and -
> wouldn't you know it - it was set to zero which means disabled.

> Remaining thoughts:
> 1) The system is a quite freshly installed nt4,sp4,sp5 system. Don't know
> why the value was set to zero when it seems like the default is enabled for

On my machines it looks like SP5 itself did reset the value to 0.
Thanky for bringing this problem to my attention!
On SP 3 machines, the value does not exist.

> 2) Either I'm dense (not that surprising) or Q236949 doesn't make much
> sense.

You are right. There is an error in this KB article.
The name of the key, where TimeStampInterval lives, is not
...\Windows\CurrentVersion\Reliability\LastAliveStamp,
but it is ...\Windows\CurrentVersion\Reliability (at least on my machines).

BTW, why Microsoft decided to put this value - which makes sense only on
Windows NT machines - under the ...\Windows\... key instead of the
...\Windows NT\... key, where I would expect it, is beyond my understanding.
Probably a Win9x programmer implemented it?

Frank Heyne

http://rcswww.urz.tu-dresden.de/~fh/

This archive was generated by hypermail 2.0b3 on Mon Nov 01 1999 - 13:04:17 CST