Vista Vitals

Roll your own MS Windows OS!

2008-07-18T01:26:00.003-04:00

Just when you think you've seen it all... there is a new twist on everyone's attempts at avoiding Microsoft's Windows Vista OS. Say hello to Windows Workstation 2008!

You've probably heard by now that Windows Server 2008 and Windows Vista share the same kernel (right down to the version number). But somehow Server 2008 doesn't seem to be as bloated and sluggish as Vista. So a Microsoft engineer had the bright idea of using Server 2008 as the OS for his workstation (must be nice to get free Windows licenses). Here's his blog entry: The Way I See It by Vijayshinva Karnure

This news caused a number of hackers to get involved and to start experimenting. They've created a dedicated blog for their effort called www.win2008workstation.com. An automated conversion tool has even been created to simplify the installation process. It can be found here. Apparently, in addition to much better stability, benchmarks are reporting a 17% speed increase - all while running your favorite applications.

A reporter with InfoWorld, Randall C. Kennedy even gave it a try and wrote a series of articles on his experience (it doesn't look like he'll be going back to Vista):

If you try this approach, please post your results here. I've got other fish to fry at the moment.

XP: How to continue getting it after the June cutoff

2008-07-17T23:06:00.000-04:00

There have been quite a few articles in the media about XP and people's desire to keep using it rather than moving on to Vista. Microsoft announced XP Support for 6 more years and companies such as Dell and HP announced they would make XP available after the June 30th deadline.

Well now PC World Australia has put it to the test. They actually went to nine US PC manufacturers to see what it would take to get a PC from them with Windows XP preinstalled: What does it take to get a PC with XP?

The article is loaded with great information. It will save you gobs of time when trying to get your favorite hardware bundled with XP. It will also help you cut through all the misinformation you are likely to get from various customer support reps.

Folder Redirection: IE7 Favorites Bugs

2008-06-27T01:29:00.010-04:00

I have been amazed at how many different problems people are having just using something as simple as Favorites in IE7 under Vista. I am no different - I can't save my Favorites within IE. I have come across all sorts of possible solutions having to do with NTFS permissions and even Integrity Levels. The solutions work for some people - but not for everyone - and certainly not for me. But before I get started ranting about the IE7 bug I found, I thought I'd link to a number of the alternate solutions I found in case they are a solution for you:

Here's a Microsoft blog that describes the trouble-free way to redirect the IE Favorites folder.

Here's a blog that describes why NTFS permissions can stop IE Favorites from working properly.

Here's a blog that describes how to fix the Integrity Levels that impact IE's ability to work with Favorites.

Here's another blog that provides some additional ways of setting the integrity levels.

My Problem

Windows Internet Explorer 7 is unable to save - or even open Favorites. When trying to save Favorites I will get "access denied" errors or unspecified errors like this one:

Here is the "cannot find" error I get if I try to open a shortcut stored in a UNC path:

Who is Affected

Windows Vista users of Internet Explorer 7 (IE7) using all of the following features:

Protected Mode (if you aren't using protected mode you won't experience the problem).
User Account Control (UAC needs to be turned on in order for Protected Mode to work).
Folder Redirection of the Favorites folder to a local location (there is no problem redirecting to a network location).
Folder Redirection to UNC path (GPOs can only redirect to a UNC path on the network).

The Solution

As I mentioned, you only have the problem if you use all of the features shown above. If you can avoid using any one of those features, you can avoid the bug and go back to looking at permissions issues if the problem persists. For the rest of us that must use all of those features listed, there is no solution. You have stumbled into an IE7 bug. Microsoft is currently working on it - I'll post if I receive a fix.

What's Going On

Basically, IE7 Protected Mode gets upset when it encounters a UNC path for the Favorites folder that points to a location on the local machine. It seems to interpret the UNC path as some sort of web address and applies some zone rules or something to it. When it sees the local machine name in the URL, it seems to think a baddie is doing an end-run around its security or something and shuts it down.

IE7 doesn't kick into this mode if a local drive letter path is used and doesn't seem bothered if the UNC path refers to some other computer. But unfortunately I must redirect to a UNC path because that is the only kind of path that the Folder Redirection GPO will allow in my situation.

I felt I had somewhat of a unique situation that got me into this predicament, but the more that I look around, I suspect that the problem is quite a bit more common. Tell me if this sounds familiar.... I have a large organization that wishes to manage things like Folder Redirection via GPO. This is not a problem for my environments with dedicated servers. But my satellite offices with less than 10 people get their shares from a non-dedicated server/workstation. These users also move about the office. When they use a simple workstation with their redirected folder pointing to another computer, there is no problem. But when a worker finds himself on the non-dedicated server, the GPO redirects the favorites folder to a local location on that machine and IE7 has a fit.

Cute eh? Obviously these people want to continue roaming and I don't want to strand their data on individual machines. I won't bother discussing any of the work-arounds I have found because they are all messy and awkward and prone to failure. I'm stuck until Microsoft solves this problem.

For those of you who would like to recommend Firefox to me, let me stop you right here... Firefox stores its Bookmarks in the Roaming AppData folder. But I've had to strand that folder locally and not use folder redirection because of another Vista problem.

Yay Vista!

XP Support for 6 more years

2008-06-25T00:57:00.006-04:00

It looks like companies that are planning to continue using Windows XP beyond the June 30th deadline may be onto something. InformationWeek posted details of the ongoing support and availability of Windows XP in their article: Microsoft Pledges Windows XP Support Through 2014.

Having another 6 years of support for this product is nothing to sneeze at. It now makes the strategy of entirely skipping Vista a viable option. It is already clear that Microsoft is racing to develop Windows 7 as quickly as possible (likely hoping to sell something ASAP to those who want to skip Vista). So there will be plenty of time for Windows 7 to get released January 2010 and a Service Pack or two to follow before an organization is forced to step off its stable XP platform.

I've read plenty of articles talking about how software companies are still developing for XP (some not developing for Vista at all). Large computer manufacturers like Dell have announced that they will continue to make XP available - this of course means that drivers will also continue to be developed for the various PC components from companies like ATI, etc.

So it looks like all the pieces are in place to allow the whole world to tick along and happily pretend that Vista never existed. Frankly, after working with Vista for the past 1.5 years, I think it is a prudent strategy. But don't worry - I've already boarded the Vista boat - I'm still bailing and will continue to post when I find something of value to talk about.

Want your Windows Vista bug fixed?

2008-06-20T01:17:00.000-04:00

I found a great plea from Soma, a Microsoft developer, on his blog Shipping Seven. It's a bit old but very relevant - I felt you should all see it so I am reprinting it here:

Do you hit the same annoying Windows Vista crashing bug day after day?

Please, please, please click the 'Send information' button when you see this crash dialog.

Why?

If in the very unlikely event that you are the first person to encounter and report this bug, a new entry in our bug database is entered automatically.

If anybody else encounters the same bug, and reports it, our automated crash reporting system finds the correct bug in our database, and then updates a counter. (Basically, there is a field in the bug that indicates that X people on the internet have encountered this bug.)

If you don't report the crash, that counter is not updated.

Why is that important?

Our ship room (a bunch of guys who decide which bugs should get fixed and added to SP1, and which bugs are too minor to be fixed) rely a lot on this counter. If the counter reaches more than [redacted], we fix it.

So, every time you encounter any crash - hit that 'Send information' button. Please.

Windows Explorer: Magic file deletions

2008-06-19T01:11:00.001-04:00

In my article, UAC: Elevate Windows Explorer, I grumbled about how Windows Explorer is rather uncommunicative and can be quite confusing. I mentioned how outcomes can be quite unpredictable and that you'd need to spend time getting to know Windows Explorer. To help you in that endeavor, I'd like to describe the confusing behaviors of a simple file deletion...

Consider the case where you wish to replace an executable file on a network share (I happen to be scripting some installs at the moment). It is entirely possible that someone else has accessed that share and is currently executing (holding open) the file we wish to replace. (In my case, my executable hung on my test PC and I needed to fix my bug - my test PC held the file open.)

If I tried to delete an open file in the XP days, I would have received an error message like this:

Now that's a great error message! It tells me what file is at issue and figures out that it might be a problem with the file being in use. If I try the same action in Vista I won't get any message at all. The file will simply be deleted -- but not so fast - the file just LOOKS like it is deleted.

If I now attempt to replace it with a file of the same name, I get the following error from Vista:

The message doesn't discuss my file at all. It leads me to think I have permission problems with my 'E' folder. Incredibly misleading when you find out what is really going on. If I refresh Windows Explorer's view of the folder (hit F5 or reopen Windows Explorer, etc.) I find that my old file is back! It wasn't deleted at all. And since the file is probably still in use, I am unable to replace it with my new file. How's that for strange behaviour?

But wait! - There's more! Let's pretend that we don't know what is going on and have no idea what computer is holding my file open. Let's pretend we wander off and play a great round of golf - what a great day! In the mean time, back at the office, the PC holding my file open, for whatever reason, stops holding it open - suddenly the file gets deleted! Somewhere there is a pending delete file request that actually gets actioned!

Kind of a neat feature I guess, but incredibly confusing - perhaps dangerous. Certainly no fun when you are trying to figure out what the heck is going on with Windows Explorer.

(BTW, my team managed to create a silent install of Visual Studio 6 for SMS if anyone is interested. A very, very complicated procedure to say the least. I haven't been covering any scripting yet, but I can write an article on it if there is interest.)

Quick Command Prompt

2008-06-17T00:27:00.001-04:00

Previous articles have made a compelling case for the use of the Command Prompt in Windows Vista. It is an essential tool for an administrator. I think we would all prefer to work in a GUI, but Windows Explorer just doesn't get the job done. Well Tim Sneath, a Microsoft Client Platform Technical Evangelist, tells of a way to help us have the best of both worlds with his article: Windows Vista Secret #1: Open Command Prompt Here. He tells of an extra hidden item on a folder's context menu that opens a command prompt in that location (use the shift key). It has an interesting feature, but also an unfortunate limitation.

Naturally, any shortcut that speeds our navigation through the system is welcome. Being able to quickly open a command prompt at the current location is no exception. In fact this shortcut goes a step further - if you are accessing a folder in a network location (no drive mapping), the CMD prompt will temporarily map a drive letter to the location and then disconnect it when you are done. A very nice feature! I have often been disappointed that Vista dropped its old love of drive mappings for sexy UNC paths but didn't bother teaching the CMD prompt how to use them.

Unfortunately this handy shortcut doesn't support the Run As Administrator feature. As you probably know, we usually find ourselves running to the CMD prompt because of the administrative work we must perform. There's really not much point getting into a CMD prompt quickly if it doesn't elevate us to the level we need.

Note that this shortcut is not available from the left pane of Windows Explorer. It is only available from the shift-context menu of the right pane.

So, like so many of the patches that have been added to Windows Vista, this is another thing that doesn't go far enough. I know that Microsoft has been demoing some fancy Windows Explorer features for the upcoming Windows 7 - I just hope they have learned how we want to use it by the time they release that product.

Need to install XP on Vista hardware?

2008-06-16T02:56:00.000-04:00

Judging from the petition to save Windows XP and the lack of Vista uptake in my region, a good many organizations are taking advantage of the downgrade licensing option. This option allows companies to buy Vista licenses but actually use XP instead. HP and Dell are offering to support these customers by continuing to pre-install Windows XP when customers request it. But there are plenty of systems being manufactured out there with the expectation that they will only see Vista.

Many companies haven't developed Windows XP drivers to support their hardware. In fact, you may not even be able to run the XP install on such hardware because basic things like SATA drivers are missing. If you are considering the downgrade option, you should obviously avoid companies that don't provide XP support. However, if you are stuck in the unenviable position of already owning hardware like this, I may have found a solution for you. Edmonton Geek published a great article: The easiest way to downgrade a Windows Vista machine to Windows XP. In this article they describe how to create a custom XP install disk with integrated SATA support from other sources. This hack probably isn't for everyone, but if you're in a bind, this may just be the solution you've been looking for!

Folder Redirection: Problems with the Well-known Folder Cache

2008-06-14T20:37:00.004-04:00

Microsoft recently published KB951049 which describes a folder redirection problem for Windows Vista and Server 2008.

If you use folder redirection to redirect your User File Folders and they either disappear or give a "currently unavailable" error after a reboot, this KB may be for you. Apparently, if you log in too soon after a reboot, Windows Explorer may attempt to display the Desktop before the Workstation service has started. This creates Well-Known folders caching problems.

I don't think I've experienced this problem myself, but I'd be curious to know if this is a common problem for any of you.

Microsoft not branding web sites

2008-06-14T20:07:00.004-04:00

I'm starting to notice an odd trend. Teams within Microsoft are creating their own web sites - but without branding them or clearly advertising them as Microsoft property.

I first noticed this when Microsoft advertised their Windows Vista AppReadiness site during a Springboard Live! Virtual Roundtable. The AppReadiness site is devoid of any Microsoft logos, common-look-and-feel or any Microsoft copyright information. The only clue is the Vista subject material and the fact that Microsoft sends you there. Very odd.

Here is another interesting example... It appears that Microsoft Windows Sysinternals Team has decided to try a new distribution method for their Sysinternals tools. This new web site has all of the individual Sysinternal executables available for download and immediate execution (no installation required). Although extremely useful (check it out), it looks just like an FTP listing with absolutely no branding, logos, etc. One would think it was a pirate site if not for the readme that claims otherwise. I'm surprised that they wouldn't have a quick instant Microsoft template for whipping up a common-look-and-feel and that they wouldn't use it.

I am thankful that these sites exist, I just find it a little odd.

UAC: Elevate Windows Explorer

2008-06-05T23:36:00.002-04:00

Back in March I wrote the article UAC: How to elevate anything, where I discussed the various methods for elevating non-executables (such as .VBS scripts). At the time, I highly recommended using an elevated DOS CMD prompt and barely mentioned using Windows Explorer. Windows Explorer would seem like the logical choice, but is rarely used for elevated work. Let's cover it now. It's time to learn how to elevate Windows Explorer and discover some of its shortcomings.

The first trick is finding the darn thing (I have traditionally used the Windows+E key to launch it). To ask it to Run As Administrator, you need an actual shortcut to click on. For some reason, even though I run the thing all the time, it doesn't show up at the top of my Start menu with the rest of the recently run programs. You'll find it under Accessories:

Unfortunately, just selecting the Run as Administrator option won't get Windows Explorer to elevate. Sure, it looks like it does by providing elevation prompts - but if you try to do anything requiring elevation, it will fail - or maybe it will provide the elevation prompts again before finally doing something. The problem is caused by the fact that Windows Explorer is always running in the background in order to display your desktop. UAC can only elevate an application to a higher token when it is launching a new process - it can't elevate an existing process. Windows Explorer is already an existing process. To get around this problem, you need to set a Folder Option in Windows Explorer:

That last option "Launch folder windows in a separate process" is the one you need. With this option checked, the Windows Explorer windows you ask for will launch in a new process separate from the Desktop that is already running. This gives UAC a chance to elevate when you ask to Run as Administrator. Nice eh? It should really be the default setting. It changes Windows Explorer from being useless to being somewhat useful. But there are limitations...

You cannot have any Windows Explorer windows open when you want to elevate to the high level token. Any instance of Windows Explorer (including things like Control Panel) will already be using the separate process (all Windows Explorer windows share the same process). Again, if you accidentally leave a window open, no elevation will occur. Also, since all Windows Explorer windows will use the same process, all subsequent windows will be elevated as well - the process only dies and returns to a standard user token once all windows have been closed.

For those who wish to work the way Microsoft recommends with one standard user account and a separate administrative account, this trick still won't help. In this case you can provide credentials for another account, but it won't actually work. You either get a new window that is still using the standard token of the first user account or you get no window at all. The different behaviors will depend on how the "Launch folder windows in a separate process" option is set for the administrative account - it actually affects the behaviour in the standard user account! (You get no window if the option is set.) So even with this trick there are many occasions when you still must use a DOS CMD window.

The most annoying part is the lack of error messages when Windows Explorer fails to elevate. If you don't use the separate process trick or you mistakenly try to elevate while another window is open, Windows Explorer will never tell you. It will just sit there quietly letting you believe that you had achieved the elevation you desired. Maddening. You will just have to try things and test the results until you learn how it behaves - don't trust that it is doing what you asked it.

Also, be warned that the Vista SP1 upgrade drastically changed the rules for Windows Explorer. If you think you knew how Explorer behaved before SP1, look again - most things behave differently (in most cases better).

There are many more Windows Explorer behaviors/bugs/features that you should know about. I will cover those in future articles.

Who needs COFEE!?

2008-05-30T00:36:00.003-04:00

Talk about timing! This is the perfect follow-up to my previous article about Microsoft's Computer Online Forensic Evidence Extractor (COFEE).

Remember I said:

Actually, my outrage is dramatized for purposes of this article. Most of us know this game of security we play only stops the casual passer-by. If someone has physical access, it's only a matter of time before they get in. If not through back doors created by Microsoft then through bugs or unknown technical trickery.

Despite Microsoft's claim that Vista is their most secure OS ever (Vista is 'more secure' says Gates), I just found a demo of the easiest hack ever! It uses the exact same trick I used on XP years ago - but much more dramatically.

On XP I used a Linux boot CD to mount my disk volume. This allowed me to bypass Windows security and do such things as hack the passwords file to gain access to the administrator account. This got me what I wanted but was hardly stealthy - it would be quite clear to anyone wanting to log into the laptop afterward that someone had really messed things up since the old passwords would no longer work.

If I was into true esponiage, I would want something much more subtle. Something that would give me access over the long term without being discovered. The Vista hack demonstrated above basically gives a spy that ability! By temporarily modifying the Ease of Access button (Utilman.exe) to gain access to Vista as the elevated system account, I would be able to do anything I wanted on the system. I could setup scheduled tasks or services (keyloggers, etc.) or examine user data. But there would be no evidence that I had been there! The existing accounts would not be damaged by me and system logs would show no evidence of me even accessing the computer. This is key to me getting something into the system and allowing it to remain for an extended period of time (very bad).

I've really been enjoying showing the video to people this week. Those in the know give a good belly laugh and those who believe the hype get this empty, sick look on their face -- try it! BTW, there is more discussion about the video on Microsoft's own Channel9 blog. There are some additional perspectives there, but they kind of miss the point.

Want to protect yourself from this threat? There is no fool-proof way - but you can at least make it more difficult:

Using Bitlocker to encrypt the harddrive is the most obvious approach because the Linux boot CD will be unable to even find the System32 folder. But Bitlocker isn't practical for everyone since it requires all sorts of key management.
The easiest approach is to prevent someone from booting with Linux by turning off the system BIOS options that allow booting from USB thumb drives or CD/DVD devices. But this also means you must password protect the BIOS. It would also be a good idea to lock the case so that the BIOS override jumper can't be used to reset the BIOS. A lock would also prevent the harddrive from being temporarily removed from the system and placed in some other computer that does allow booting (maybe the spy has an external USB chasis on his laptop). But now you are managing real keys and your IT staff have a bit more work to do before they can boot from a recovery CD or something.
I found another novel approach was to disable the Ease of Access Button as described on the How-To Geek site. But don't be fooled. It turns out that someone just replaced Utilman.exe with an executable of their own :-) But it is a nice demo of how the hack can be done using a Windows install program without a Linux boot CD being needed at all.

I wish you all the best in securing your Vista environment. If you think you have a secure approach, share it with others here.

COFEE

2008-05-20T01:10:00.003-04:00

If you haven't heard about Microsoft's Computer Online Forensic Evidence Extractor (COFEE), it's high time you did. Here's a little intro from the Seattle Times.

I'm all for eliminating any excuse for law enforcement to take away my computer hardware, but this goes too far! This is basically a USB key that lets anyone into my computer and past any encryption that may be protecting me. I know the article says it's for law enforcement only - but how long before an officer leaves one in a donut shop and it finds its way onto the Pirate Bay? -- hold on, I better see if it's already there -- phew, not yet.

Actually, my outrage is dramatized for purposes of this article. Most of us know this game of security we play only stops the casual passer-by. If someone has physical access, it's only a matter of time before they get in. If not through back doors created by Microsoft then through bugs or unknown technical trickery.

I myself hacked a system once in my past. I was helping a director from another department with his laptop. XP was locked down by his IT folks but he really needed to get a program installed while at this conference. I had no prior hacking experience or skills to help me. I did a quick Google search and in 10 minutes burned a bootable Linux CD. It knew how to mount the NTFS volume, find the passwords file and examine its contents. Within 15 minutes I had this director in his laptop as administrator working with his critical application. Scary.

Actually, physical access isn't even needed either. I'm not talking about a generic virus or trojan. It is possible for someone to target your PC and run a program on it that can extract whatever they need remotely - without ever touching it. This past March this very thing was done to a Mac and a Vista machine at the CanSecWest conference as part of a contest.

But if you still care about the COFEE application and the dangers of making user-friendly hacking tools available...

Benjamin J. Romano from the Seattle Times wrote a follow-up to his article.
Here's the Microsoft press release that got it all started:

COFEE, a preconfigured, automated tool fits on a USB thumb drive. Prior to COFEE the equivalent work would require a computer forensics expert to enter 150 complex commands manually through a process that could take three to four hours. With COFEE, you simply plug into a running computer to extract the data with the click of one button --completing the work in about 20 minutes.

I like this article at C|Net news where Microsoft claims the tool is just in beta but that it has 2,000 users already. This obviously won't stay secure for long.

That darn desktop cleanup wizard

2008-05-19T23:57:00.003-04:00

This screen cap made me chuckle :o)

Windows Doesn't Know When to Shutup

I just had to share.

Has anyone ever found that wizard to be helpful in any way? I wonder how you turn that bugger off. I never thought it was a big deal but I guess it would be to some :-)

Better Desktop.ini support please!

2008-05-17T01:17:00.000-04:00

I swear that 60% of the traffic coming to my blog comes in on a Google search for Desktop.ini information. I've written numerous articles on the subject and have often wished that Vista and Windows Explorer did a better job of supporting the new Desktop.ini behaviors (read Vista's support for multiple languages & Folder Redirection: Not to the user's home directory).

Well, I just saw this Windows 7 Explorer demo on Youtube. I'm shocked to see a demo of that OS so soon (if it's genuine). But it got me thinking that I need to be more vocal and clear about my desire to have Vista and Windows Explorer fixed.

Windows Explorer needs an option where we can turn off its interpretation of the Desktop.ini and just show folders as they really are. Currently, many of us are resorting to a CMD prompt to do this. Let's face it, it just makes sense. The whole reason the Desktop.ini exists is to handhold (read "fool") users by showing them a folder name the OS thinks they want to see rather than the real underlying one. Anything that prevents you from seeing the truth is going to be problematic. Microsoft knew this when they allowed us to see hidden files or see hidden extensions - so why not now that they are hiding whole folder names?

I've also come to realize that more than just Windows Explorer needs to be fixed. In my article Vista's support for multiple languages I mentioned how the Start Menu didn't do a very good job - now I've found more problems. Microsoft seems to have thought the Desktop.ini would be a clever way of dealing with their multilingual problems. They thought they could now give users the Windows experience in their mother tongue while letting the OS play behind the scenes in English. The Desktop.ini would just hide everything - but it doesn't.

Take the example of a French OS. Users expect to find their programs under a folder called C:\Programmes. In the Windows XP days the users saw that folder and the programs were actually stored in a folder by that name. With Vista, the user still sees the expected folder but the system is actually storing them in C:\Program Files instead. Vista figures that since it is able to show the users one thing and the programs another, it's job is done and it can go back to sleep. But they forgot one little problem. Vista never tells the programs what folder name the user is expecting to see.

I was running a version of Visual Studio's MSDN Library on a French Vista OS. It encountered an error:

I liked my French message , but did'nt expect the English folder path. I can't use that path. When I browsed using the Dossiers (folders) pane on the left I couldn't find the path specified (the Desktop.ini hides it from me). The only way I could get to the folder was to manually type it in the address bar at the top of the Windows Explorer.

I realized that the application had no way of giving me the path I need because Vista never tells it what I am expecting to see. Programs are used to asking the OS where directors are located by using variables like %ProgramFiles% - and Vista is happy to tell them. But I think we now need variables like %DesktopProgramFiles% or something which tells the program what path to show users in messages. The two paths could be very different. Perhaps an API where you feed it a real path and it goes looking for Desktop.ini files and returns a path with all the relevant substitutions.

You might think this wouldn't be such a big requirement if I could tell Windows Explorer to ignore the Desktop.ini and allow me to navigate to the real folders. Although I tend to agree, it probably is still a requirement. I'm sure Germans or Egyptians don't want to find the programs under a C:\Program Files folder.

Do you know someone at Microsoft? Care to pass on the message?

More DRM woes for Vista users

2008-05-16T22:20:00.004-04:00

My article, I don't like DRM, linked to a user who was having difficulty with DRM. He was being blocked from playing movies he paid for because his computer system was too high-res. Well, Vista users are suffering again.

This week Windows Vista Media Center users were being blocked from time-shifting some NBC shows. It's unclear if the broadcaster set the flags in error or whether Vista Media Center responded to them improperly. What is clear is that only Vista users were affected. TiVo and DirecTV who also respond to copy protection flags did not prevent their users from recording.

Have any of you seen this message?

[EDIT 19/5/2008] There is a good update regarding this issue here: Microsoft confirms Windows adheres to broadcast flag. Apparently Microsoft is implementing an FCC rule that was struck down in 2005. [/EDIT]

Microsoft's Springboard series

2008-05-14T20:55:00.009-04:00

It appears that Mark Russinovich is presenting a Springboard area on Microsoft's web site to ease Windows Vista implementation pain by providing some much-needed guidance.

He kicked things off last month with a Springboard Live! Virtual Roundtable. He assembled a panel of experts (including Mark Minasi) and three Vista early adopter clients. They spent an hour discussing topics related to adopting Windows Vista. You know me, I'm a sucker for learning what Microsoft is thinking when it comes to Vista so I dove right in.

I found the roundtable to be a good use of my time - you likely will too - very informative. They pointed to some interesting resources that might help those of you considering a Vista deployment:

Microsoft Assessment and Planning Accelerator (MAP) - is supposed to be an enterprise inventory, assessment and reporting tool that can assess your readiness to move to numerous Microsoft products such as Vista.
Windows Vista Hardware Compatibility List - is basically a comprehensive listing of PC systems and peripherals known to be compatible with Vista (very comprehensive). Despite this simple list being incompatible with Firefox, I'm sure this information will be more reliable than the failed "Vista Capable" program.
Windows Vista AppReadiness - another comprehensive list - but this time of legacy software applications and their Vista compatibility.

I'm not so sure about that last one though... If I hadn't heard a Microsoft talking head send me to the site, I would have been suspicious of the strange URL, complete lack of Microsoft branding and poor resolution of the logo certificates. I'm also not sure I trust what it is telling me. I took a look at Visual Basic 6 which I am having trouble packaging for BDD at the moment. The site claims it "Works with Windows Vista". It doesn't qualify that or provide any additional guidance. However, when I attempt to run the silent install, I am only greeted with the following Vista AppCompat message and am unable to proceed:

The roundtable goes on to remind us about new features of Vista SP1 such as:

Bitlocker can now support multiple partitions (not just the first one).
Improved file copying (see Vista copies files like a duck).
Microsoft Deployment Toolkit replacing BDD.
Volume Licensing has Vista and SP1 integrated in one package (recommended for new installs).

However the three clients who were Vista early adopters were a major disappointment. Despite them being friends of Microsoft that presumably got lots of support, I was expecting them to give me hope that great Vista implementations were possible - that my own failures were somehow my own fault. They tried their best. They nodded their heads at the right places and smiled while describing how great their deployments went. But if you actually listen to the things they said during their discussions, you quickly realize the reality was very different:

one client admitted to turning off UAC! Not something we want to do - and certainly not what I would consider a feature of a successful Vista install.
while talking about hardware demands of Vista, another client admitted to only deploying to new PCs. That means he is maintaining a heavily mixed environment and can hardly be considered a successful implementation of Vista (too limited for my taste).
although that same client claimed to have installed Vista to laptops, you quickly realize that his "traveling nurses" probably have received a stand-alone treatment without the need for features like Offline Files.
another client who claimed to have rolled out to the majority of his organization, admitted to have avoided laptops. They were planning to wait for SP1 before tackling those - he had Offline Files problems no doubt.
that same client also admitted to having to install XP virtual machines to support some older legacy apps! That's two windows licenses and double the support per PC! Hardly what I would consider a successful Vista deployment.

But these guys were smiling and nodding their heads! Are these the BEST examples Microsoft could find? Am I the only one that doesn't know what a successful deployment means anymore? I'm so depressed.

Vista copies files like a duck

2008-05-14T00:47:00.004-04:00

Odd title - but let me explain... I think everyone in the industry has complained about Vista's seeming inability to copy files quickly. Like a duck, it just seems to float along in no particular rush to get to the 100% mark. Maybe it looks like it is progressing quickly at one point - only to suddenly get distracted by something shiny and slow things down again. We can't believe the glacial pace of these copies and keep telling ourselves that Vista MUST be doing something remarkable in the background to justify these results.

Well, it turns out that just like a duck, Vista has indeed been paddling mightily below the surface the whole time. Mark Russinovich does a great job of describing what has been happening in his blog article: Inside Vista SP1 File Copy Improvements. This is a must read article. It really helped me to understand what has been going on and to realize that despite appearances to the contrary, technology is moving forward.

This article is going to kick off a new topic in my blog called "Windows Explorer". This is probably the last time I will have anything positive to say about that product. I have observed many other Windows Explorer behaviors that I will be discussing.

Topic: Windows Explorer

2008-05-13T01:04:00.004-04:00

(Vista Vitals articles organized by topic)
These articles cover anything related to Windows Explorer. This includes File Copying, launching programs, UAC, navigation, etc. :

UAC: Microsoft Programs act weird - a little warning about Windows Explorer, Internet Explorer & Outlook.

Vista copies files like a duck - Mark Russinovich provides excellent details regarding the file copy process and how it has changed for Vista and again for Vista SP1. A must read.

UAC: Elevate Windows Explorer - Ever tried to launch Windows Explorer with Run as Administrator and fail? Find out why.

Quick Command Prompt - talks about a shortcut for opening CMD windows directly in any folder using Windows Explorer shift-context-menu.

Windows Explorer: Magic file deletions - a warning about Windows Explorer's surprising handling of attempted deletions of open files. Scary behavior you should be aware of.

Windows XP SP3 deployment not going so well

2008-05-12T22:10:00.003-04:00

Microsoft seems to be meeting the same success rolling out Windows XP SP3 as they did rolling out Vista SP1 (remember SP1 Hiccup: don't install KB937287! ?). These products must be getting too complex to anticipate all behaviors under all scenarios.

There are reports all over the web of people experiencing reboot issues once XP SP3 is installed. The best article I've seen is from the Register. It makes reference to Jesper Johansson's blog where you can find some solutions to the various problems.

Arm yourself with the solutions before your attempt a rollout of SP3 in your organization.

UAC: Microsoft Programs act weird

2008-05-09T23:53:00.004-04:00

(This article uses a lot of technical UAC terms. If you have trouble understanding it, check out my UAC glossary: Let's Talk UAC for the Enterprise)

I thought I'd warn you about some Microsoft programs that behave rather weirdly under Vista. When I say "weird", I mean they don't act at all like generic Vista documentation says they should. This was a big problem for me in the beginning when I was trying to learn about Vista and UAC.

The programs I am talking about are Windows Explorer, Internet Explorer and Outlook. Whenever I look at my task bar, these are programs that are always running - no matter what else I might be doing. So naturally when I wanted to learn about UAC and elevation, I started playing with the ones staring me in the face. Big mistake. Confused the hell out of me.

When learning UAC, avoid Windows Explorer, Internet Explorer and Outlook. Microsoft has built extra barriers and behaviours that cause these programs to act differently. If you want to learn how programs generally behave, pick something safe like Notepad to test with.

Internet Explorer and Outlook are problematic because Microsoft has given them special attention. Historically Windows has been exploited by trojans and viruses coming from the web via web pages or e-mail. These two applications had a bad habit of letting these badies into the system to have a good time. Microsoft has introduced barriers to minimize the opportunity for these badies to get into Vista. Some good examples are Protected Mode and Low Integrity levels. I haven't done much work with these technologies, but here's an article that gives you an idea how confusing it can get when trying to understand what's going on:

http://xato.net/bl/2007/03/12/why-doesnt-ie7-protected-mode-mark-downloaded-files-as-low-integrity/

Windows Explorer's behavior is difficult to understand for different reasons. You have likely wanted to elevate Windows Explorer to an administrative token in order to perform
some work on files in a sensitive area like System32 - but failed. Explorer just wouldn't elevate for you. In this case the problem is more technical in nature resulting from Vista's design.

Vista's UAC can only elevate applications to use different tokens when the application is being launched - when a new process is being initiated. You may think this problem doesn't apply to you because you were right-clicking on Windows Explorer and choosing "Run as Administrator" when launching the program - but you'd be wrong. It turns out you weren't launching a new instance of Windows Explorer at all.

Windows Explorer does more than just show you a file management window when you demand it - it is also used to present the user interface (desktop, etc.). You are actually using Windows Explorer just by logging in and looking at the screen or navigating the Start Menu. This means the Windows Explorer is always running. When you think you are launching Windows Explorer fresh with the "Run as Administrator" option, you are actually just asking for a new file management window in an application that is already in progress. As a result, Vista is unable to elevate Windows Explorer to an Administrative Token.

I will be talking more about the problems Windows Explorer has and tricks for overcoming them in future articles. I just wanted to warn you to watch out for these three apps - they won't behave in ways you are expecting for generic applications.

Topic: Folders & Folder Redirection

2008-05-07T23:51:00.003-04:00

(Vista Vitals articles organized by topic)
These articles cover anything related to folders. This includes Folder Redirection, Offline Files, Client Side Cache (CSC), Desktop.ini, etc. :

Introducing the User Files Folders! - introductions are needed - they have changed a lot since the XP days. You really need to get you head wrapped around this.

User Files Folders and the Desktop.INI - describes changes in folder behavior because of new Desktop.ini features - it even affects XP!

User Files Folders are Bilingual - describes how the new Desktop.ini makes it possible to support multiple languages with only one folder. (There are some problems you should know about though.)

Folder Redirection: Specifying a target share - a very important article on configuring Folder Redirection. You must use a GPO and can no longer redirect to a drive letter!

Folder Redirection of database files causes corruption - this is an outdated article so long as you are using SP1.

Folder Redirection: Duplicate User Files Folders - Vista has a nasty habit of creating duplicate folders for users. This article talks a bit about that.

Folder Redirection: Not to the user's home directory - Vista leaves a number of traps lying around. This one is a doozy! Make sure you never redirect user folders to the root of their network drive like you did in the XP days.

Folder Redirection: Amateur Magician - Vista really isn't good at working with redirect folders. You need to understand its limitations.

Folder Redirection: A case study - details a critical problem Vista has redirecting folders like the AppData folder for legacy applications. Unfortunately the work-around I describe breaks with Vista SP1 - so no solution is currently available.

User Files Folders: What's with all these extra folders - this article details more Vista problems caused by the new User Files Folder design.

Duplicate Folder Problems? Talk to me! - This is a roll-up of my articles that have anything to do with folder duplication because so many readers have been experiencing these problems.

Folder Redirection: Back to talk about Settings - this article is a lead-in to two other articles I wrote talking about the Move Data feature of the Folder Redirection GPOs - another Vista design flaw.

Folder Redirection: Duplicate User Files Folders II - this article describes how the Move Data option causes folder duplication and how to avoid it.

Folder Redirection: Misbehaves after target move - this is one of my most important articles! I provide a script for preventing a major Vista design flaw from wreaking havoc on your network.

Offline Files: Doesn't sync files modified while offline - this is an outdated article so long as Vista SP1 is being used.

Vista's support for multiple languages - this article demonstrates Vista's new approach to multilingual support and the problems it causes.

Better Desktop.ini support please! - another example of how the Desktop.ini doesn't go far enough to provide a user experience in their mother tongue. A request for Microsoft to make some improvements.

Folder Redirection: Problems with the Well-known Folders Cache - a KB article describing a problem with missing User Files Folders after a reboot.

Folder Redirection: IE7 Favorites Bugs - a description of a bug IE7 has. Protected Mode prevents access to Folder Redirection UNC paths that reference the local machine (think non-dedicated servers).

Topic: User Account Control (UAC)

2008-05-07T23:50:00.002-04:00

(Vista Vitals articles organized by topic)
These articles are primarily focused on Windows Vista's new User Account Control (UAC) feature. But many other topics are covered because UAC affects so many different areas of the Windows system:

UAC: An introduction to User Account Control - Everything the web has to teach about UAC. I introduce 10 detailed information sources about UAC. A great starting point for users, administrators and developers!

UAC: Is Windows Vista secure? - my opinions and those of experts regarding Vista security. You need to know the limitations of what Vista and UAC have to offer.

UAC: Vista UAC vulnerabilities - many more discussions on the web about Vista security for those who care.

UAC: Local Admin vs. Domain Admin - one of my more important UAC articles. If you can follow it, your life as an enterprise administrator will be greatly simplified.

Disabling UAC - despite linking to instructions on disabling UAC, I actually discourage you from doing it!

Let's Talk UAC for the Enterprise - this is a must read article. This is a glossary covering many UAC terms - it summarizes them and puts them into some context. Most of the remaining articles in this topic are written with the expectation that you understand these terms.

Logon Scripts: A Token Effort - read this if you want to make your login scripts work in Vista. I discuss in detail how to overcome the barriers that UAC tokens create.

Become a Token Geek - links to articles that will teach you more than you ever wanted to know about tokens.

UAC: Avoid elevation like the plague! - a rather important article. I wish more developers knew about this.

UAC: How many tokens did I get? - describes how to figure out how many tokens a user has.

UAC: How to elevate anything - you probably have realized that you need to be able to elevate things other than .exe and .bat files (scripts, registry files, etc.). I don't think Microsoft realized that when developing UAC though. Here are some way to get around the limitation.

Welcome back Command Prompt! - the command prompt is one of the ways to get around UAC limitations. CMD has more valuable uses now under Vista than ever before! Learn about it here.

UAC: "Run As" like XP from the GUI - a review of SysInternal's ShellRunAs command. A valuable tool for your arsenal, but you need to know when to avoid using it.

UAC: This explains a few things - did you know Microsoft introduced UAC to annoy users? Read the article here.

UAC: Microsoft Programs act weird - a little warning about Windows Explorer, Internet Explorer & Outlook.

UAC: Elevate Windows Explorer - Ever tried to launch Windows Explorer with Run as Administrator and fail? Find out why.

Topic: Windows Vista Service Pack 1 (SP1)

2008-05-07T23:49:00.000-04:00

(Vista Vitals articles organized by topic)
These articles all discuss Windows Vista Service Pack 1 (SP1). There is some good technical information here that will let you know what to expect from SP1:

Service Pack 1 (SP1) for Vista is coming - well, it's now here (kinda out of date). But I discussed some spectacular ways that it broke previous functionality.

SP1 and a new kernel! - discusses SP1 changing the OS version to 6001 - the same as Windows Server 2008!

SP1 Hiccup: don't install KB937287! - don't bother with this one - out of date.

Vista SP1 Technical Information - get all your Microsoft SP1 guides here.

Vista Service Pack 1 is here! - a link to Microsoft's download site - get SP1 from here.

Vista SP1 unavailable from Windows Update? - can't get SP1 through Windows Update? Here's your answer.

Reclaim disk space from Vista's SP1 - introduces Microsoft's VSP1CLN tool which can shrink the size of OS images (deletes files that are no longer useful).

New deployment tools for Vista SP1 - these are must have tools for administrators of a Vista environment. Includes replacements for ADUC, GPMC, etc.

Vista SP1 makes some undocumented changes - good information about how the Terminal Services Client has changed.

Topic: Miscellaneous

2008-05-07T23:48:00.007-04:00

(Vista Vitals articles organized by topic)
These articles cover a range of unique topics:

Vista's GPMC: Don't trust it - this is an outdated article covering the GPMC that was bundled with Vista. This tool was removed if you upgraded Vista to SP1.

Let's talk Roaming User Profiles - introduction to Roaming User Profiles as they pertain to Vista. Mentions some cohab issues with XP and identifies some reliability issues.

Vista deleting user profiles and data! - this outdated article describes how a buggy GPO caused the deletion of user profiles and data. The bug has been fixed as part of Vista SP1.

I don't like DRM - leads to an interesting article by Davis Freeburg describing his suffering at the hands of Vista's DRM.

Local Administrator Trumps GPO - think your GPOs have ultimate control of your enterprise workstations? Think again. - or - how to override your GPOs locally when you wish to test some alternate configurations.

GPAnswers: Group Policy Preference Extensions - an introduction to Group Policy Preference Extensions (GPPE). You will want to learn about this if you manage GPOs for your organization.

Microsoft's Springboard series - a 1 hour video discussing Vista deployment. I outline the highlights and provide a commentary.

More DRM woes for Vista users - leads to an article about Windows Vista Media Center users who were prevented from time-shifting their TV shows.

Who needs COFEE!? - a follow-up to a previous article about Microsoft's Computer Online Forensic Evidence Extractor (COFEE). Points to a demonstration of how to completely circumvent Vista security using a Linux live boot CD.

Microsoft not branding web sites - Points to some Microsoft sites that have absolutely no branding on them - weird. But useful sites nonetheless - particularly the Sysinternals executables that are ready to run.

Want your Windows Vista bug fixed? - An interesting plea to click on that Send Information button when you experience a Windows crash.

Roll your own MS Windows OS! - There is a movement out there that is hacking Windows 2008 Server to create a Windows 2008 Workstation that is one lean, mean Vista machine.