ShimFlushCache and MS09-010 on XP

(imported topic written by PaulPhillabaum)

Can anyone tell me about ShimFlushCache? After installing the MS09-010 fixlet on XP machines, I see “Administrative Login Required” relevant on all the machines. In the registry, I find an entry with the name “kb923561” and the value “rundll32.exe apphelp.dll,ShimFlushCache” in

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce.

I have tested it running in the SYSTEM context using this earlier post.

http://forum.bigfix.com/viewtopic.php?pid=4194

My problem is I don’t know enough about this shim cache to be able to check if running it in the SYSTEM context actually worked or not. I don’t mean testing it via relevance with BigFix (although that would be nice in version 2.0 of my fixlet). I mean, how can I tell if running it in the SYSTEM context on my test machine produced the equivalent result as running it as an admin via RunOnce?

Thanks.

(imported comment written by ktm_200091)

I found the same thing so I built an analysis to return that registry value.

We have Novell’s ZEN in house, so I made an app which ran as a system user and executed the RunOnce command and then deleted the registry key.

I also patched non-admin user PCs with the same patch via WSUS and this did not occur; not sure why.