Classic shimming tip for forcing apps to run without UAC prompting

If you during your way in testing app compatibility with Windows 7 encounter an application that require a UAC prompt to launch you can suppress this UAC prompt by creating a more or less classic shim “RunAsInvoker”. A few years ago Microsoft posted this as a KB article but not long after it vanished. Now the guide for creating this shim is available in Ask The Performance Team blog and I strongly suggest you put this shimming tip in mind because it might come in handy when you least expect it.

Modify default profile in Windows 7 with the least amount of effort

I’ve received a question on why Microsoft stopped supporting the old way of making changes to the default user profile in Windows 7. As you might already know the only supported way to make changes to the default user profile is to make them with a local user account and then sysprep the image with an answer file containing CopyProfile=TRUE.

The question or should I say problem is that the user in question find it ineffective to make changes to the default user profile, by installing the image to a machine then make the changes and once again to sysprep and capture the image.

Fortunately there is a much more effective way to make changes. Just mount the image using imagex or dism, and then add or remove the files you want. If you want to change some settings they most likely stored in the registry so then you can just start the regedit.exe utility as usual and then mount the ntuser.dat file within the image to make the changes and when done just applying the changes and you are done!

Case of the AppLocker default rules issue

If you have started using AppLocker with Windows 7 you know that the default rules for executable files make sure that administrators can run anything on the box, and that everything from the Windows folder and Program files folder are allowed to be executed. There exists a slight problem with this set of rules.

The default rules are intended for non-administrator users on the machine to be prevented from running any software which is not already installed or managed centrally, in the Program files folder. The default rules are also intended to allow anything from the Windows folder to be executed. Both these rules are sort of safe, as a standard user per default cannot put files in the program files folder to execute them, nor anywhere in the Windows folder.

But, there is this but. Inside the Windows folder there is a folder called “temp”, which believe it or not, standard users can write stuff to and consequently executing it thereby bypassing all the nice security benefits that AppLocker provide.

Well, the standard user just cannot copy an executable to the Temp folder using Windows Explorer, but using traditional copy commands using the command prompt this is fine, and then the executable can be executed.

The problem here might not be that the average user can bypass AppLocker this way, but when securing servers or clients, potential attackers can use this to bypass your security rules.

A simple solution if running with the default rules is to simply add the Windows\Temp folder to the exception list, effectively blocking code from being executed.

Live Meetings, now with Aero!

If you use the Office Live Meeting client you have surely noticed that it does not support Windows Aero. Thanks to Brian McCann for the solution to enable Aero when using Live Meeting. Great!

Solution to folder icons not showing if it is shared

When teaching a Windows 7 course some time ago I was asked why shared folders often are not displayed in Windows Explorer as being shared. Well, the reason for this bug is still unknown but at least there is now a solution available, se KB article KB2291175. This fix will be included in service pack 1.

Which desktop virtualization options are there out there?

So in the jungle of desktop virtualization, which one are you gonna go with? VDI, App-V, MED-V and more, what are they all about and what are the pros and cons using either of these? These questions and many more is answered by Ian Moulster.

Quickly login with local user account

Ever tried logging in with a local user account to a Windows 7 machine wondering what the heck the computer name is? Simply type:

.\username

and the password to login. This will login you in with a local account to the machine. Simple as that! :)

Fix for annoying DFS issue with Windows 7

I have experienced this problem a few times and there is now a hotfix for a problem with mapping and accessing DFS shares with Windows 7 clients. Hotfix can be requested from Microsoft Support. Basically you get “An unpexcted network error occured” or a couple of other issues and cannot access the DFS share. Patch and make the problem go away.

Tip when using roaming profiles in Windows 7

If you are using roaming profiles in Windows 7, you should probably want to look at a new GPO setting that (Computer|User Configuration\Policies\Administrative Templates\System\User Profiles) which by an interval you specify upload the registry hive for the user logged into the machine. This is in particular good as users tend to become more and more mobile and just bringing the machine to sleep or hibernation. Normally the profile and the registry included are only copied to the network server at user logoff time. Making this settings hopefully keeps customizations done by your users stick, making the users a lot happier.

Who do not want to cache video and music files using offline files?

Even been in a scenario where users tend to put not only large files but also a large number of music and movie files in a folder which is redirected using folder redirection? Find relief in this new GPO setting which you can use to exclude certain file types from being cached on the client machines. You find the setting in Computer configuration > Administrative templates > Network > Offline files and the setting is called “Exclude files from being cached”. Now only the relevant files will be cached on the client machines, saving space and reducing network bandwidth.