The third service pack (SP3) for Windows XP was released in May this year and while it’s a relatively stable and straightforward cumulative upgrade, there are some minor installation issues that you’ll want to be aware of before you roll it out — and if SP3 is already there, they might already be generating support calls.
SP3 can be installed on top of any 32-bit version of Windows XP SP1 or SP2 except the embedded versions (64-bit XP is serviced by Windows Server 2003 SP2 instead, because the two share the same code base).
It can be deployed using Systems Management Server 2003, System Center Configuration Manager 2007 and some third-party systems management applications.
XP SP3 contains all previously released XP updates, so there is no need to install SP1 or SP2 if a customer is that far behind.
SP3 will also download through Windows Update. If you want to temporarily prevent automatic installation of SP3 through Windows Update, use the SPBlockerTools.EXE tool (available from the Microsoft Web site), though it is important to note that as with other Microsoft operating systems, this may only be valid for twelve months after XP SP3’s official release date (6 May 2008); if you’re still blocking SP3 next year, check closer to the date to see how long it will be valid.
The SPreg.cmd script included in that self-extracting package lets you name a specific client for the tool to be run against; that is useful for protecting remote machines from SP3 installations because you don’t have to visit each one individually to run SPBlockerTools.EXE.
The Windows product family provides for two years of support for the previous service pack once a new one is released, which means support for Windows XP SP2 is set to end on 13 July 2010.
XP SP3 is a cumulative update containing an estimated 1,073 hotfixes, enhancements and out-of-band releases, such as version 3.0 of the Microsoft Management Console (MMC 3.0) framework, MSXML6, Microsoft Windows Installer 3.1 v2, Background Intelligent Transfer Service (BITS) 2.5, the IPsec Simple Policy Update for Windows Server 2003 and Windows XP, Digital Identity Management Service (DIMS), Peer Name Resolution Protocol (PNRP) 2.1 and Wi-Fi Protected Access 2 (WPA2). The new features that SP3 adds to the OS are focused primarily on security and performance.
Network Access Protection (NAP) allows you to configure group policies that validate system health (anti-virus definitions or patch levels, for example) before the client is allowed to connect to a network domain and access some of the security features in Windows Server 2008.
NAP is Microsoft’s take on Network Access Control and uses local health certificates and keys to determine whether the client is fit to access network domains and servers.
This is particularly useful for securing mobile users who connect from different locations or on different computers because the quarantine option helps ensure that the PC is adequately protected before allowing it on the network. At the time of connecting to the network, NAP can compare the system’s state against a pre-defined policy to allow network access or quarantine it to a specific network segment with access to limited resources which allow the system to be updated before it is scanned again.
Black hole router detection (new)
Turned on by default, black hole router detection enables the XP client to identify routers that drop packets, which are often responsible for sudden and unexplained network disconnections (http://support.microsoft.com/kb/314825), and reroute traffic around them.
Administrator and Service Policy Entries (new)
System Center Essentials for Windows XP SP3 presents administrator and service entries by default for new policy instances, in order to control program and user rights more tightly; the ‘Impersonate Client After Authentication’ user right cannot remove these settings.
Descriptive security options UI (new)
The descriptive text in the Security Options control panel has been expanded so you get more information on the available settings, making it easier to get the right configuration.
CredSSP Security Service Provider (new)
Available through the Security Service Provider Interface (SSPI), CredSSP improves the performance of Terminal Server sessions by re-using disconnected sessions instead of creating temporary sessions. To do that securely, it only allows an application to delegate client-side user credentials to a server if that server is authenticated to the client and has passed a service principal name (SPN) policy check, ensuring that user credentials are not delegated to an unauthorised server or computer that might be under the control of a hacker.
CredSSP is turned off by default because it sends user credentials to the Terminal Server in plain text; if that’s not an issue for the customer’s network, turn it on by modifying the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders registry keys.
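As an added check (not code from the article), the following PowerShell script reads those two keys and reports whether CredSSP has been switched on, so a client that is delegating credentials can be spotted before it is trusted. It assumes PowerShell 1.0 or later is installed on the XP client, and it uses the value names Microsoft documents for SP3 CredSSP (‘Security Packages’ under the Lsa key and ‘SecurityProviders’ under the SecurityProviders key), which the article itself does not name.

```powershell
# Added audit script, not code from the article. Assumes PowerShell 1.0+ on the
# XP SP3 client. Value names come from Microsoft's SP3 CredSSP documentation
# (the article names only the two keys): enabling CredSSP adds "tspkg" to the
# Lsa "Security Packages" list and "credssp.dll" to the SecurityProviders string.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$spKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders'

function Get-CredSspState {
    $lsa = Get-ItemProperty -Path $lsaKey
    $sp  = Get-ItemProperty -Path $spKey
    $packages  = @($lsa.'Security Packages')        # REG_MULTI_SZ -> string[]
    $providers = [string]$sp.SecurityProviders       # REG_SZ, comma separated

    # Both halves must be present for RDP credential delegation to work.
    $hasTspkg   = $packages -contains 'tspkg'
    $hasCredSsp = @($providers.Split(',') | ForEach-Object { $_.Trim() }) -contains 'credssp.dll'

    $state = New-Object PSObject
    $state | Add-Member NoteProperty SecurityPackages  ([string]::Join(' ', $packages))
    $state | Add-Member NoteProperty SecurityProviders $providers
    $state | Add-Member NoteProperty CredSspEnabled    ($hasTspkg -and $hasCredSsp)
    return $state
}

$state = Get-CredSspState
$state | Format-List

if ($state.CredSspEnabled) {
    # Delegation is on: the Terminal Server must authenticate to the client and
    # pass the SPN policy check, so confirm both are in place on the server side.
    Write-Warning 'CredSSP is enabled on this client.'
} else {
    Write-Host 'CredSSP is off, which is the SP3 default.'
}
```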
Microsoft kernel mode cryptographic module (new)
FIPS.SYS, the software-based general purpose cryptographic module, is now part of the XP kernel in the form of an export driver that can be run as a kernel-mode DLL to better handle cryptographic requests at the application layer. It has been updated to support the SHA-2 hashing algorithms for cryptographic key management and has been certified to the Federal Information Processing Standard (FIPS) 140-2.
Issues to be aware of during installation
XP SP3 cannot be installed over the top of either the Microsoft Shared Computer Toolkit or the Remote Desktop Connection (RDP) 6.0 MUI pack; if either of these is on the system, it will need to be uninstalled first.
Also, customers running Microsoft Dynamics Retail Management Systems (RMS) are advised to install a hotfix prior to installing SP3 (http://support.microsoft.com/kb/952287/) as there is an issue that may cause the ADO interface to malfunction, or even to lose data, when the app connects to SQL Server on Vista, XP or Server 2008.
If you have installed IE7 or a beta version of IE8 prior to installing XP SP3, then you will not be able to uninstall IE afterwards. Users running the Windows XP SP2 multilingual user interface (MUI) pack may have problems when selecting a non-English language for the UI after the SP3 upgrade; install the MUI Pack for SP3 separately to fix this.
The Action Pane within MMC 3.0 is hidden by default and has to be turned on by clicking the Show/Hide Action Pane option in the toolbar or ticking the appropriate box by clicking the View, then Customise option. In addition, the Add/Remove Snap-in Dialog Box has to be enabled by adding the following key to the registry:
As with any other OS upgrade, it may be necessary to disable anti-virus software prior to the upgrade as some applications can prevent certain system files from being changed during the installation.
One problem you’ll see if SP3 was installed with anti-virus on — usually through Windows Update — is that the Device Manager does not show any devices and Network Connections are also blank, which can block network and Internet connectivity. This occurs when the Fixccs.exe process creates intermediate registry subkeys, then later tries to delete them, but is prevented from doing so by the anti-virus software.
Similar problems occur on systems running SpyWare Doctor 5.5 or earlier (http://support.microsoft.com/kb/951403/en-us) because the software is not fully compatible with XP SP3. The SP3 installation can stop responding, for example during the ‘Running Processes after Install’ part of the installation, while system performance can also slow to a crawl. If you reboot to deal with that, the OS will suggest you roll back to SP2. Even when SpyWare Doctor is disabled prior to the XP SP3 installation, the OS can hang during the uninstallation process, and a hardware restart causes it to revert back to SP2.
Avoid potential problems with the Windows Update facility on systems where you’ve downloaded XP SP3 directly from the Windows Update site rather than through Automatic Updates by registering the Wups2.dll file, or by downloading and installing the Windows Update Agent from http://update.microsoft.com
To register the Wups2.dll file, first stop the Automatic Updates service by entering NET STOP WUAUSERV at the command prompt.
Then type REGSVR32 %WINDIR%\SYSTEM32\WUPS2.DLL (REGSVR32 %WINDIR%\SYSWOW64\WUPS2.DLL for the 64-bit edition), click OK for each verification message, then restart the Automatic Updates service by typing NET START WUAUSERV.
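The same three steps as a script, added here as an example rather than taken from the article: it stops the service, registers the DLL silently and checks the regsvr32 exit code, so a failed registration is reported instead of being hidden behind the dialog boxes. It assumes PowerShell 1.0 or later is installed on the client and that it is run from an administrator prompt.

```powershell
# Added example, not from the article. Assumes PowerShell 1.0+ on the XP client
# and an administrator prompt.
$dll = Join-Path $env:WINDIR 'System32\wups2.dll'
if (Test-Path (Join-Path $env:WINDIR 'SysWOW64')) {
    # Only a 64-bit edition has SysWOW64; the article gives this path for it.
    $dll = Join-Path $env:WINDIR 'SysWOW64\wups2.dll'
}
if (-not (Test-Path $dll)) { throw "wups2.dll not found at $dll" }

# Step 1: stop Automatic Updates (the NET STOP WUAUSERV step). Stop-Service
# waits for the service to reach the Stopped state before returning.
$svc = Get-Service -Name wuauserv
if ($svc.Status -ne 'Stopped') { Stop-Service -Name wuauserv }

# Step 2: register the DLL. regsvr32 is a GUI program, so it is started through
# System.Diagnostics.Process and waited for explicitly; /s suppresses the
# confirmation dialogs the article mentions, and the exit code (0 = success)
# still reports failure.
$proc = [System.Diagnostics.Process]::Start('regsvr32.exe', "/s `"$dll`"")
$proc.WaitForExit()
if ($proc.ExitCode -ne 0) {
    Write-Error "regsvr32 returned exit code $($proc.ExitCode) for $dll"
}

# Step 3: restart Automatic Updates (the NET START WUAUSERV step) regardless of
# the outcome, so the client is never left without the service running.
Start-Service -Name wuauserv
Write-Host "wups2.dll registration finished; Automatic Updates is $((Get-Service wuauserv).Status)."
```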
Macs and AMD PCs
There’s an issue affecting both XP Home and Professional SP2 editions running through Apple Boot Camp version 2.0 or earlier on Intel-based PCs that means the installation may show an ‘Out of disk space’ error. You can prevent this by creating a registry key prior to the installation. Add a new string value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup and set it to the drive letter of the system drive. Alternatively, download and install update 2.1 of Apple Boot Camp prior to installing the SP3 upgrade (www.apple.com/support/downloads/bootcampupdate21forwindowsxp.html).
A special update must be installed to prevent an issue on systems with AMD (and indeed all non-Intel) CPUs that causes them to restart continuously after the SP3 upgrade. Crucially, this has to be done before the SP3 upgrade in order to prevent a reboot cycle that may be difficult to break.
In some cases the computer and user settings within the PolicyMaker patch management tool for Windows can cease to apply after the SP3 update. The individual client side extensions can be viewed within the registry under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions, and you can re-register any missing extensions by typing
at the command prompt, then rebooting. If you have a large number of machines showing this problem, apply the changes with a script.
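An added inventory script (not from the article or from PolicyMaker) that makes the ‘which extensions went missing’ question answerable across many machines: it lists every client side extension registered under GPExtensions and, given a reference list captured from a healthy client, names the ones that are no longer registered. It assumes PowerShell 1.0 or later and the standard layout of one subkey per extension GUID, each holding a DllName value.

```powershell
# Added inventory script, not code from the article. Assumes PowerShell 1.0+
# and the standard GPExtensions layout: one subkey per client side extension
# (CSE) GUID, each with a DllName value. Run it on a healthy client to save a
# reference list, then on an affected client with that file as the argument.
$gpExt = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'

function Get-RegisteredCse {
    foreach ($sub in Get-ChildItem -Path $gpExt) {
        $props = Get-ItemProperty -Path $sub.PSPath
        $dll = [Environment]::ExpandEnvironmentVariables([string]$props.DllName)
        $present = $false
        if ($dll) { $present = Test-Path $dll }
        $cse = New-Object PSObject
        $cse | Add-Member NoteProperty Guid       $sub.PSChildName
        $cse | Add-Member NoteProperty Name       ([string]$props.'(default)')
        $cse | Add-Member NoteProperty DllName    $dll
        # An entry whose DLL is gone from disk cannot simply be re-registered;
        # the product that ships it needs repairing first.
        $cse | Add-Member NoteProperty DllPresent $present
        $cse
    }
}

$current = @(Get-RegisteredCse)
$current | Sort-Object Guid | Format-Table Guid, Name, DllPresent, DllName -AutoSize

if ($args.Count -gt 0) {
    # Reference file: one GUID per line, saved on a healthy client with
    #   Get-RegisteredCse | ForEach-Object { $_.Guid } > reference.txt
    $reference = @(Get-Content $args[0] | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $present   = @($current | ForEach-Object { $_.Guid })
    $missing   = @($reference | Where-Object { $present -notcontains $_ })
    if ($missing.Count -eq 0) {
        Write-Host 'All reference extensions are still registered.'
    } else {
        Write-Warning "Extensions missing from GPExtensions: $([string]::Join(', ', $missing))"
    }
}
```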
Solve ‘Out of disk space’ errors on XP systems running through Apple Boot Camp with a simple registry edit.
/ADMIN instead of /CONSOLE
If you need to remotely administer other computers from an XP client, take note that the /CONSOLE switch on the Windows Remote Desktop Connection (RDC) tool, MSTSC.EXE, no longer works once SP3 is installed. The switch was useful when, for example, a Terminal Server exceeded its maximum number of allowed connections: MSTSC.EXE /CONSOLE let you connect to the physical console session (session 0) and terminate any hanging connections.
Microsoft now advises using the /ADMIN switch in RDC 6.1 to connect to the physical console session on a remote machine, so type MSTSC.EXE /ADMIN instead.
Any request using MSTSC.EXE /CONSOLE will either give you an error message, or be silently ignored and rerouted to a standard Remote Desktop session that may require a Terminal Services client access license (TS CAL) depending on whether the remote server has Terminal Server installed.
According to Microsoft, the change is to protect systems processes running in session 0 from security risks that might occur if other applications were to run in session 0 concurrently.
Some users report that replacing the following files (MSTSC.EXE, MSTSCAX.DLL, MSTSMHST.DLL and MSTSMMC.DLL) with the older files from Windows XP SP2 reverses the change, but this is not a supported workaround and the system file checker may automatically replace them with the updated SP3 versions when it detects them. Unless /ADMIN doesn’t give you the connection you need, it’s better to update any scripts and learn the new flag.
Windows Secrets: A useful collection of known XP SP3 problems and how to deal with them
Microsoft: A good overview of the installation is available at:
Labmice.net: remains an excellent source of advice about all things Windows XP, and Mark Salloway’s Windows XP Resource Center focuses on step by step walkthroughs designed to fix common problems within the OS.