Profile overwrite/delete due to registry size limit.

Type securityvulns
Reporter Securityvulns
Modified 2000-05-13T00:00:00



We have discovered a bug with NT v4.0-SP6a registry size growth and overwriting of user profiles. This bug was exposed when the SMS v2.0-SP2 client runs into a condition where it continually creates new registry keys and values, filling the system registry with thousands of crap entries - thus slowly (over a period of weeks) increasing the size of the registry until one day the user logs on...

When the system registry becomes bigger than the "Maximum Registry Size" set in Control Panel=>Virtual Memory and a user logs on, NT will "backup" the user's profile by changing the directory from "winnt\profiles\username" to "winnt\profiles\username.bak" and then creating a new "winnt\profiles\username" from the default user profile - presumably to reduce the size of the registry and allow the logon to complete - which does not work when it's the system registry that is too big.

Here's the bug: When the user logs on the first time after the registry size is exceeded they get a default profile and their original profile is renamed username.bak. Soooo, the user sees an error message and promptly logs off and then on again. The second time the user logs on after the registry size is exceeded NT OVERWRITES the username.bak with the first default profile created, thus wiping out the user's original NT profile directory and all it contained.

See Q189119 for Microsoft's description of what happens when the Registry Size Limit (RSL) is exceeded. Note it does not mention this profile username.bak overwrite bug.

We have about 12 users that have experienced a complete loss of profiles - including all email stored in the profile directory - because of this bug. Most users - not all - had local admin rights.

This bug seems to be a SEB since I could write a small "time bomb" program that slowly or quickly consumes the registry and thus wipes out another user's profile.

Additional notes:

1) Microsoft support says that they will amend Q189119 to include a description of this additional bug. (I consider this a weak response since I now know of TWO different customers that have experienced this problem. One caused by the SMS v2.0 client and one caused by just a large number of software packages installed on a workstation, including Office 2000.)

2) Microsoft SMS support says that they are working on a Q article and fix for the runaway SMS v2.0-SP1 client agent that fills the registry with crap. This will be a SMS v2.0-SP2 post hot fix since SMS SP is now in beta.

3) I have not tested various registry ACL lockdown scenarios to try to "fix" or workaround this problem.

4) I have not recreated this problem with something other than the runaway SMS v2.0-SP1 client.

5) We have not found a way to reduce the size of the registry (winnt\config\SOFTWARE) file after this problem occurs. We have one server with a 71 Mb registry and many workstations with 20Mb+ registries because of this problem.

Have fun, Mike
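An added defender-side example, not part of Mike's post: a script that recognises the state left by the first logon after the Registry Size Limit is hit (a fresh default "username" directory beside the real profile in "username.bak") and moves the .bak directory to a uniquely stamped archive so the second logon cannot overwrite it, while also reporting hive file sizes for comparison with the configured limit. The hive file names other than SOFTWARE, the sample tree and the "mike" profile are assumptions constructed for the demo.

```python
import shutil
import tempfile
from datetime import datetime
from pathlib import Path

# Assumed hive file names in the NT config directory; the post names SOFTWARE as the one that grows.
HIVE_FILES = ("SOFTWARE", "SYSTEM", "SAM", "SECURITY", "DEFAULT")

def hive_sizes(config_dir):
    """Size in bytes of each hive file present, for comparison with the configured RSL."""
    root = Path(config_dir)
    return {h: (root / h).stat().st_size for h in HIVE_FILES if (root / h).is_file()}

def find_bak_profiles(profiles_root):
    """Pairs (name, name.bak): the state after the first logon that hit the RSL.
    'name' is the new default profile; 'name.bak' holds the user's real data and
    is overwritten on the next logon, so it is the directory to rescue."""
    root = Path(profiles_root)
    return [(root / b.name[:-4], b) for b in sorted(root.glob("*.bak")) if b.is_dir()]

def preserve_bak_profile(bak_dir, archive_root, stamp=None):
    """Move name.bak to archive_root/name.bak.<stamp>; never clobbers an existing archive."""
    bak_dir = Path(bak_dir)
    stamp = stamp or datetime.now().strftime("%Y%m%d-%H%M%S")
    dest = Path(archive_root) / f"{bak_dir.name}.{stamp}"
    if dest.exists():
        raise FileExistsError(f"archive already present: {dest}")
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.move(str(bak_dir), str(dest))
    return dest

def build_sample_tree(base):
    """Constructed sample tree: fresh default profile, real profile in .bak, bloated SOFTWARE hive."""
    base = Path(base)
    (base / "profiles" / "mike").mkdir(parents=True)
    (base / "profiles" / "mike.bak" / "mail").mkdir(parents=True)
    (base / "profiles" / "mike.bak" / "mail" / "inbox.pst").write_bytes(b"x" * 1024)
    (base / "config").mkdir()
    (base / "config" / "SOFTWARE").write_bytes(b"\0" * 4096)
    return base

def run_demo(stamp=None):
    """Detect the at-risk profile in the sample tree and archive it before a second logon."""
    base = build_sample_tree(tempfile.mkdtemp())
    pairs = find_bak_profiles(base / "profiles")
    archived = [preserve_bak_profile(bak, base / "archive", stamp) for _, bak in pairs]
    return {"base": base, "hives": hive_sizes(base / "config"), "pairs": pairs, "archived": archived}

if __name__ == "__main__":
    r = run_demo()
    print("hive sizes:", r["hives"])
    for (orig, bak), dest in zip(r["pairs"], r["archived"]):
        print(f"{orig.name}: real profile {bak.name} archived to {dest}")
```

On a real machine, point find_bak_profiles at the profiles root and run it from a logon or scheduled task before users log on a second time.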