-
Beta testing service packs for Windows can be scary stuff
Posted on September 1st, 2010
When the SP1 beta for Windows 7 and Windows Server 2008 R2 was released a couple of months ago I pushed it onto my Windows 7 machines without blinking. I was also about to install it (using the Windows Update script) on my Windows Server 2008 R2 Hyper-V server but thought twice as I cannot live without my virtual machines and I use many of them in my daily work.
Anyway I was kind of surprised the other day when I rebooted the Hyper-V server only to learn that the service pack was installing. Aaargghhh! I do not blame Microsoft, I blame my own stupidity. But hey, everything worked fine afterwards and by reading the release notes I can sleep well at night knowing there won’t be any problems when the next SP1 release comes.
Once you have installed this service pack, you will have to uninstall it prior to installing a later release of this service pack. The settings of any virtual machines will remain intact during the uninstallation and installation, but virtual machines that have RemoteFX or Dynamic Memory enabled will not appear in Hyper-V Manager while the service pack is removed. In addition, any snapshots taken when RemoteFX or Dynamic Memory was enabled will not appear in Hyper-V Manager. They will reappear and function normally once the later release of SP1 is installed.
Lesson learned; check!
-
Case of the AppLocker default rules issue
Posted on August 26th, 2010
If you have started using AppLocker with Windows 7 you know that the default rules for executable files make sure that administrators can run anything on the box, and that everything in the Windows folder and the Program Files folder is allowed to be executed. There is a slight problem with this set of rules.
The default rules are intended to prevent non-administrator users from running any software that is not already installed, or managed centrally, in the Program Files folder. They are also intended to allow anything in the Windows folder to be executed. Both rules are reasonably safe, because by default a standard user cannot put files in the Program Files folder, or anywhere in the Windows folder, in order to execute them.
But there is a catch. Inside the Windows folder there is a folder called “Temp” which, believe it or not, standard users can write to, and anything written there can then be executed, bypassing all the nice security benefits that AppLocker provides.
The standard user cannot copy an executable to the Temp folder using Windows Explorer, but traditional copy commands at the command prompt work fine, and the executable can then be executed.
The problem here might not be that the average user can bypass AppLocker this way, but that when you are securing servers or clients, potential attackers can use this to bypass your security rules.
A simple solution, if you are running with the default rules, is to add the Windows\Temp folder to the rule's exception list, so that code placed there is blocked from executing.
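An audit sketch for the fix described above, as an added example that is not part of the original post: it generalizes the Windows\Temp case by listing every folder under the Windows folder whose ACL lets a non-administrator create files, and prints each as a path exception for the default rule. The function name `Get-UserWritableFolder` and the list of low-privilege SIDs are assumptions made for this example; it needs PowerShell 3.0 or later and ignores Deny entries, so it may over-report.

```powershell
# Added example (not from the original post). Read-only audit of folder ACLs.
$lowPrivSids = 'S-1-1-0',      # Everyone
               'S-1-5-11',     # Authenticated Users
               'S-1-5-32-545', # BUILTIN\Users
               'S-1-5-4'       # INTERACTIVE
# CreateFiles (0x2) plus the raw GENERIC_WRITE / GENERIC_ALL bits some ACEs carry.
$createMask  = 0x2 -bor 0x40000000 -bor 0x10000000
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
$sidType     = [System.Security.Principal.SecurityIdentifier]

function Get-UserWritableFolder {
    # Hypothetical helper: returns folders below $Root where a low-privilege
    # principal has an Allow entry that permits creating files.
    param([string]$Root = $env:windir)
    $dirs = Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue
    foreach ($dir in $dirs) {
        try   { $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop }
        catch { continue }   # ACL not readable from this account: skip the folder
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            $appliesHere = (([int]$ace.PropagationFlags) -band $inheritOnly) -eq 0
            $canCreate   = (([int]$ace.FileSystemRights) -band $createMask) -ne 0
            if ($ace.AccessControlType -eq 'Allow' -and $appliesHere -and $canCreate -and
                $lowPrivSids -contains $ace.IdentityReference.Value) {
                $dir.FullName
                break        # one matching entry is enough for this folder
            }
        }
    }
}

# Print each hit as an AppLocker path condition, ready to paste into the
# <Exceptions> element of the rule that allows %WINDIR%\*.
Get-UserWritableFolder | ForEach-Object {
    $relative = $_.Substring($env:windir.Length)
    '<FilePathCondition Path="%WINDIR%{0}\*" />' -f $relative
}
```

Run it from an elevated prompt so that as many ACLs as possible can be read, and review the output before adding exceptions to a production policy.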
-
Infrastructure planning and design guide for DirectAccess
Posted on October 26th, 2009
The Infrastructure planning and design guide for DirectAccess has just been RTM:ed and can be downloaded from http://go.microsoft.com/fwlink/?LinkId=164151. If you’re planning on implementing DirectAccess read this document! ;)
-
AppLocker does NOT require a Windows Server 2008 R2 DC
Posted on October 16th, 2009
Documentation from Microsoft regarding the new feature AppLocker in Windows 7 (and Windows Server 2008 R2) early stated that to be able to use AppLocker you must have a “Windows Server 2008 R2 Domain Controller to host the AppLocker rules”. I have seen this information several times since then and at a seminar I paid a quick visit to yesterday regarding Windows 7 this particular question was raised.
Of course I had to make sure what’s really going on here and I have now verified that AppLocker works perfectly fine in environments where there are only Windows Server 2003 DCs or Windows Server 2008 DCs. I can see no reason whatsoever for AppLocker to require a Windows Server 2008 R2 DC to function. The only requirement is that you’re running Windows 7 Enterprise or Windows 7 Ultimate edition to be able to use the powerful feature of AppLocker.
-
Antivirus software slowing down RDP sessions via TS/RDS Gateway
Posted on October 15th, 2009
We saw an interesting issue with connecting via Remote Desktop from a Windows client to another machine using Remote Desktop Services in Windows Server 2008 R2. After doing some troubleshooting it turned out to be ESET NOD32 version 4 that caused the extreme slowdown. The workaround is to turn off “HTTPS filtering” in the NOD console.
-
Hotfix saves power on AMD CPU:s for Windows Vista, 7 and Server 2008 R2
Posted on October 14th, 2009
Microsoft have just released a hotfix for Windows Vista, Windows 7 and Windows Server 2008 R2 that potentially can reduce CPU power consumption by ten percent for AMD processors, specifically ones supporting the power state C1E. This includes popular CPUs such as the AMD Phenom and Athlon range of CPUs.
The hotfix can only be obtained by contacting PSS (Product Support Services) or by requesting it for instant download via the KB article below.
-
Active Directory Administrative Center makes you do things in fewer steps
Posted on October 11th, 2009
A new tool in Windows Server 2008 R2 that you must not miss is the Active Directory Administrative Center. The tool is far from the speediest to load but once you’ve got it started I promise you that you will find it very convenient to use for account and other Active Directory object management. As with the user interface, new search tools and more in Windows 7, the Active Directory Administrative Center in Windows Server 2008 R2 makes you do things in fewer steps and eases your daily work!
-
Be aware of a problem when renaming domain controllers
Posted on September 20th, 2009
If you have renamed a Windows Server 2008 or Windows Server 2008 R2 domain controller you should be aware of a problem. The problem is that a DFSR object is not renamed to the new name. This does not cause any problems until you remove the domain controller in question: after a demote, or after cleaning it up with metadata cleanup, the object will become orphaned. So if you have renamed 2008 or 2008 R2 DCs you should follow the steps in KB2001271 to fix this.
-
When to troubleshoot blue screen crashes
Posted on July 27th, 2009
The other day I got an email from a blog reader which contained the information from a successful analysis of a memory dump file, which is generated when an infamous blue screen of death occurs. The reader wanted me to give him the solution or point him in the direction of a solution. This got me thinking. When is it worth putting time into doing blue screen analyses?
The content of the crash dump is maybe not that relevant after all. What is more important is how often and when the blue screen of death occurs. If the crash occurred just once or very seldom and randomly I would say that it might not be worth finding out exactly what caused the crash. Keep in mind that a blue screen could indicate a hardware failure, although driver problems are the most common cause for crashes.
However, if the crashes occur often or when doing specific tasks you have all the reasons in the world to get to the bottom of the problem. In these cases I recommend following the guide for troubleshooting blue screen crashes.
An interesting thing to note about blue screens that start occurring after for instance upgrading the OS from Windows XP to Windows Vista or Windows 7 is that the new memory management in the later operating systems might reveal problems in the memory modules that did not show when using Windows XP.
Finally, whenever you have problems with blue screens of death I would recommend upgrading the machine BIOS. Often there are compatibility and stability fixes which solve problems with hardware that might be causing the problems you are experiencing.
-
WEBSPAPW = Microsoft IT Environment Health Scanner
Posted on July 7th, 2009
I guess you’re wondering what the heck “WEBSPAPW” stands for and it is nothing but “Windows Essential Business Server Preparation and Planning Wizards”. Microsoft has now come to the conclusion that this tool as I’ve written before was not only used for EBS migrations but also for general health checks in Active Directory environments. This has resulted in the name change to “Microsoft IT Environment Health Scanner” which is built from the previous EBS tool.
When running the Microsoft IT Environment Health Scanner you may find problems related to AD, DNS, replication and many other things and for everyone in charge of or controlling the IT environment this tool is strongly recommended. Read more on the EBS Blog.
Download: Microsoft IT Environment Health Scanner




