Microsoft KB Archive/294696

= IIS4: Unable to Start Web Sites on Port 80 =

Article ID: 294696

Article Last Modified on 6/23/2005

-

APPLIES TO


 * Microsoft Internet Information Server 4.0, when used with:
 * Microsoft Windows NT 4.0

-



This article was previously published under Q294696



We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx



SYMPTOMS
All Web sites stop and cannot be started on port 80, although the sites can be started on any other port.



CAUSE
This problem is security-based.

Port 80 has been opened by a custom-written executable file (Events.exe) that enters the computer through the Recycle Bin security problem. The file adds three registry keys so that the process cannot be stopped, even if you use the KILL command.

NOTE: Microsoft Exchange Server version 5.5 has an executable file named Events.exe, but this is NOT the same file that ships with Exchange Server 5.5.

This can happen if the system drive security settings have the Everyone group with Full Control. This is not a recommended practice because of the security hole that it creates.



RESOLUTION
To resolve this problem, follow these steps:
 * 1) Back up and delete the three registry entries.
 * 2) Restart the server.
 * 3) Stop the Events.exe process by using the KILL command.
 * 4) Delete the Events.exe file.



MORE INFORMATION
The path to the executable file is C:\Recycler\Events.exe.

The file may change the registry as follows:

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventsSystem] &quot;Type&quot;=dword:00000010 &quot;Start&quot;=dword:00000002 &quot;ErrorControl&quot;=dword:00000001 &quot;ImagePath&quot;=hex(2):43,3a,5c,77,69,6e,6e,74,5c,73,79,73,74,65,6d,33,32,5c,2e,2e,\ 5c,2e,2e,5c,52,65,63,79,63,6c,65,72,5c,65,76,65,6e,74,73,2e,65,78,65,00 &quot;DisplayName&quot;=&quot;Windows Event System&quot; &quot;ObjectName&quot;=&quot;LocalSystem&quot;

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventsSystem\Security] &quot;Security&quot;=hex:01,00,14,80,c0,00,00,00,cc,00,00,00,14,00,00,00,34,00,00,00,02,\ 00,20,00,01,00,00,00,02,80,18,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\ 00,00,20,02,00,00,02,00,8c,00,05,00,00,00,00,00,18,00,8d,01,02,00,01,01,00,\ 00,00,00,00,01,00,00,00,00,70,00,63,00,00,00,1c,00,fd,01,02,00,01,02,00,00,\ 00,00,00,05,20,00,00,00,23,02,00,00,00,00,00,00,00,00,1c,00,ff,01,0f,00,01,\ 02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,00,00,00,00,00,00,1c,00,ff,01,\ 0f,00,01,02,00,00,00,00,00,05,20,00,00,00,25,02,00,00,00,00,00,00,00,00,18,\ 00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,25,02,00,00,01,01,00,00,\ 00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventsSystem\Enum] &quot;0&quot;=&quot;Root\\LEGACY_EVENTSSYSTEM\\0000&quot; &quot;Count&quot;=dword:00000001 &quot;NextInstance&quot;=dword:00000001

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\EventsSystem] &quot;Type&quot;=dword:00000010 &quot;Start&quot;=dword:00000002 &quot;ErrorControl&quot;=dword:00000001 &quot;ImagePath&quot;=hex(2):43,3a,5c,77,69,6e,6e,74,5c,73,79,73,74,65,6d,33,32,5c,2e,2e,\ 5c,2e,2e,5c,52,65,63,79,63,6c,65,72,5c,65,76,65,6e,74,73,2e,65,78,65,00 &quot;DisplayName&quot;=&quot;Windows Event System&quot; &quot;ObjectName&quot;=&quot;LocalSystem&quot;

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\EventsSystem\Security] &quot;Security&quot;=hex:01,00,14,80,c0,00,00,00,cc,00,00,00,14,00,00,00,34,00,00,00,02,\ 00,20,00,01,00,00,00,02,80,18,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\ 00,00,20,02,00,00,02,00,8c,00,05,00,00,00,00,00,18,00,8d,01,02,00,01,01,00,\ 00,00,00,00,01,00,00,00,00,70,00,63,00,00,00,1c,00,fd,01,02,00,01,02,00,00,\ 00,00,00,05,20,00,00,00,23,02,00,00,00,00,00,00,00,00,1c,00,ff,01,0f,00,01,\ 02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,00,00,00,00,00,00,1c,00,ff,01,\ 0f,00,01,02,00,00,00,00,00,05,20,00,00,00,25,02,00,00,00,00,00,00,00,00,18,\ 00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,25,02,00,00,01,01,00,00,\ 00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventsSystem] &quot;Type&quot;=dword:00000010 &quot;Start&quot;=dword:00000002 &quot;ErrorControl&quot;=dword:00000001 &quot;ImagePath&quot;=hex(2):43,3a,5c,77,69,6e,6e,74,5c,73,79,73,74,65,6d,33,32,5c,2e,2e,\ 5c,2e,2e,5c,52,65,63,79,63,6c,65,72,5c,65,76,65,6e,74,73,2e,65,78,65,00 &quot;DisplayName&quot;=&quot;Windows Event System&quot; &quot;ObjectName&quot;=&quot;LocalSystem&quot;

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventsSystem\Security] &quot;Security&quot;=hex:01,00,14,80,c0,00,00,00,cc,00,00,00,14,00,00,00,34,00,00,00,02,\ 00,20,00,01,00,00,00,02,80,18,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\ 00,00,20,02,00,00,02,00,8c,00,05,00,00,00,00,00,18,00,8d,01,02,00,01,01,00,\ 00,00,00,00,01,00,00,00,00,70,00,63,00,00,00,1c,00,fd,01,02,00,01,02,00,00,\ 00,00,00,05,20,00,00,00,23,02,00,00,00,00,00,00,00,00,1c,00,ff,01,0f,00,01,\ 02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,00,00,00,00,00,00,1c,00,ff,01,\ 0f,00,01,02,00,00,00,00,00,05,20,00,00,00,25,02,00,00,00,00,00,00,00,00,18,\ 00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,25,02,00,00,01,01,00,00,\ 00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventsSystem\Enum] &quot;0&quot;=&quot;Root\\LEGACY_EVENTSSYSTEM\\0000&quot; &quot;Count&quot;=dword:00000001 &quot;NextInstance&quot;=dword:00000001

For additional information on the Recycle Bin security problem, click the article number below to view the article in the Microsoft Knowledge Base:

248399 Shared Workstation Setup May Permit Access to Recycle Bin Files

Additional query words: IIS port binding 80 hacker kbWinNTsearch kbOSWinSearch

Keywords: kbprb kbpending KB294696

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.