Microsoft KB Archive/819634

From BetaArchive Wiki

Article ID: 819634

Article Last Modified on 2/5/2007



APPLIES TO

  • Microsoft Windows XP Home Edition
  • Microsoft Windows XP Media Center Edition 2002
  • Microsoft Windows XP Professional
  • Microsoft Windows XP Tablet PC Edition



SYMPTOMS

You may experience slower computer performance after you install the 811493 (MS03-013) security update package on a computer that is running Microsoft Windows XP Service Pack 1 (SP1), or after you upgrade to SP1 on a Microsoft Windows XP-based computer where the 811493 security update was previously installed.

CAUSE

This problem may be more likely to occur if you use some features of some third-party programs, such as antivirus programs. For example, this problem may occur if your antivirus program is configured to scan all files when you open (or you run) them. This is sometimes known as "real-time" scanning.

This problem occurs because of a regression error in the Windows XP SP1 versions of the kernel files (Ntoskrnl.exe, Ntkrnlmp.exe, Ntkrnlpa.exe, and Ntkrpamp.exe) that were included in the original 811493 security update. On May 28, 2003, Microsoft released a revised version of the 811493 security update for Windows XP SP1 to fix this problem.

For additional information about this security patch, click the following article number to view the article in the Microsoft Knowledge Base:

811493 MS03-013: Buffer overrun in Windows kernel message handling could lead to elevated privileges


Notes

  • The original 811493 security update still fixes the local elevation of privileges security vulnerability on Windows XP-based computers (with or without SP1) that is discussed in the MS03-013 security bulletin.
  • The 811493 security update for Windows XP is a dual-mode hotfix package that contains updated kernel files for both the original version of Windows XP and Windows XP SP1. (Windows XP SP1 includes Windows Media Center Edition and Windows XP Tablet PC Edition). The regression error in the original 811493 security update affects only the Windows XP SP1 kernel files.

    For additional information about dual-mode hotfix packages for Windows XP, click the following article number to view the article in the Microsoft Knowledge Base:

    328848 Description of dual-mode update packages for Windows XP


RESOLUTION

To resolve this problem, install the corrected version of the 811493 security update.

For additional information about how to obtain and install the corrected version of the 811493 security update, click the following article number to view the article in the Microsoft Knowledge Base:

811493 MS03-013: Buffer overrun in Windows kernel message handling could lead to elevated privileges


WORKAROUND

Note Microsoft recommends that you install the corrected version of the 811493 security update as soon as you can. If you cannot install the corrected version of the 811493 security update immediately, you can use one of these temporary workarounds.

Method 1: Temporarily remove the original 811493 update

Review the MS03-013 security bulletin to verify that you should install the 811493 security update in your particular environment. If your level of risk permits you to delay deploying the patch, temporarily remove (uninstall) the original patch.

For example, if you are the only person who uses your computer, or if all the users of your computer are computer administrators (or members of the local administrators group), it is not important that you install this update. For additional information about the scope of the security vulnerability, see the MS03-013 security bulletin. To see the bulletin, visit the following Microsoft Web site:

If you determine that you can delay deployment of the patch, temporarily remove the original 811493 security update until you can install the revised version of the patch.

Note If your Windows kernel files are not the versions that are listed for the original Windows XP SP1 version of the 811493 security update, your computer's performance issue is not caused by the problem that is discussed in this article. In this case, you do not have to remove the 811493 security update.
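
The version check that this note calls for, as an added example (not part of the original article and not Microsoft code): a Python script that reads the file version of a kernel image by scanning for the VS_FIXEDFILEINFO signature, rather than walking the PE resource directory, and compares it with a list of affected versions. AFFECTED_VERSIONS and the sample bytes are constructed placeholders, and the function names are this example's own; take the real versions from article 811493.

```python
import os
import struct

# VS_FIXEDFILEINFO: dwSignature, dwStrucVersion, dwFileVersionMS, dwFileVersionLS.
SIGNATURE = struct.pack("<I", 0xFEEF04BD)
KERNEL_FILES = ("ntoskrnl.exe", "ntkrnlmp.exe", "ntkrnlpa.exe", "ntkrpamp.exe")

# Placeholder only: replace with the versions that article 811493 lists for
# the original Windows XP SP1 package. This tuple is constructed.
AFFECTED_VERSIONS = {(1, 2, 3, 4)}

def file_version(data):
    """Return (major, minor, build, revision) from the version resource, or None."""
    pos = data.find(SIGNATURE)
    while pos != -1:
        if pos + 16 <= len(data):
            struc_ver, ms, ls = struct.unpack_from("<III", data, pos + 4)
            if struc_ver == 0x00010000:  # rules out a chance signature match
                return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)
        pos = data.find(SIGNATURE, pos + 1)
    return None

def classify(data, affected=AFFECTED_VERSIONS):
    """Map one kernel image to 'affected', 'not affected' or 'unknown'."""
    version = file_version(data)
    if version is None:
        return "unknown"
    return "affected" if version in affected else "not affected"

def scan_system32(system32, affected=AFFECTED_VERSIONS):
    """Classify whichever of the four kernel files exist under system32."""
    report = {}
    for name in KERNEL_FILES:
        path = os.path.join(system32, name)
        if os.path.isfile(path):
            with open(path, "rb") as handle:
                report[name] = classify(handle.read(), affected)
    return report

def make_sample(version):
    """Build a constructed byte blob: a decoy signature, then a valid header."""
    major, minor, build, rev = version
    fixed = struct.pack("<IIII", 0xFEEF04BD, 0x00010000,
                        (major << 16) | minor, (build << 16) | rev)
    return b"MZ" + b"\x00" * 62 + SIGNATURE + b"\xff" * 12 + fixed

if __name__ == "__main__":
    print(classify(make_sample((1, 2, 3, 4))), classify(make_sample((1, 2, 3, 5))))
```

Run scan_system32 against the System32 folder of the computer (or of a mounted disk image) and remove the update only if a kernel file is reported as affected.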

To remove the original 811493 security update:

  1. In Control Panel, double-click Add or Remove Programs.
  2. Click Change or Remove Programs.
  3. Click Windows XP Hotfix (SP1) Q811493 (or Windows XP Hotfix (SP2) Q811493), and then click Remove.
  4. Click Next, and then click Finish to restart your computer.

System administrators can use the Spuninst.exe utility to remove this patch. The Spuninst.exe utility is located in the %Windir%\$NTUninstallQ811493$\Spuninst folder. The utility supports the following switches:

  • /? Show the list of installation switches.
  • /u Use Unattended mode.
  • /f Force other programs to quit when the computer shuts down.
  • /z Do not restart when the installation is complete.
  • /q Use Quiet mode (no user interaction).

For example, to remove the 811493 patch in Unattended mode without restarting your computer, use the following command:

%windir%\$ntuninstallq811493$\spuninst\spuninst.exe /u /z


Note In this case, you must manually restart your computer to completely remove the original 811493 security update.

Method 2: Temporarily turn off real-time scanning in your antivirus program

For information about how to turn off real-time scanning in your antivirus program, see the documentation that is included with your antivirus program, or contact the manufacturer of the program.

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

49500 List of antivirus software vendors


Note If you turn off real-time scanning, your antivirus program no longer automatically scans files when you open or you run them, but you can still run your antivirus program and manually scan potentially unsafe files before you open or you run them.

STATUS

Microsoft has confirmed that this is a problem in the original 811493 update.


Additional query words: disable realtime buffer overrun message handling could lead to elevated privileges slow crawl

Keywords: kbenv kbprb KB819634