Monday, April 28, 2008

XP available after the June 30th deadline

Good news! It looks like you can get Windows XP past the June 30th deadline. C|Net has reported the news a couple of times - their latest article is here: PC Makers Find Way to Extend XP's Life.

The solution turns out to be quite a good one. Both HP and Dell are taking advantage of the downgrade option for Vista Business and Ultimate. For the next year you can buy either version of the Vista OS from these companies and request that they install XP at the factory.

This is fantastic on so many levels:

  1. You won't be forced to move to Vista before you're ready.
  2. You'll be able to give Vista time to mature and eliminate even more bugs.
  3. You can give your in-house software developers and other software vendors more time to rewrite their software to support Vista.
  4. You will have your Vista licenses bought and paid for when you are ready to make that step.
  5. You know HP & Dell will continue to make drivers to support their hardware under XP.
  6. It may actually be feasible to hold off migrating to Vista and move to Windows 7 when it is released.

Wednesday, April 23, 2008

Vista SP1 makes some undocumented changes

Microsoft MVP Rick Strahl has a very informative blog article: Vista SP1: Terminal Services /console switch no longer working. Rick and the follow-up comments provide some valuable information about the disappearing /console switch. His anger and frustration are palpable.

It also makes me sad. Here Microsoft made a rather simple change and handled it quite terribly. They didn't document or publish the change and they didn't provide backward compatibility by continuing support for the old parameter. Could they have made any more mistakes? - And this was a simple change!

The reason this makes me sad is that I have been hoping for massive changes to Vista. Many of my colleagues and I regularly encounter ill-conceived approaches to the design and implementation of Vista. When we hear Steve Ballmer make statements that Vista is a "work in progress", we get our hopes up that some of this stupidity will get resolved. I've long said that SP1 was coming out too quickly and was so focussed on bug fixes that we wouldn't see any real changes until SP2. But the poor handling of the /console switch retirement causes me to lose hope.

I'm beginning to realize that the changes I want made to Vista are just too big. Too many dependencies would break or change behavior for the changes to be manageable. I realize now that fixing UAC or improving the intelligence of Folder Redirection just isn't possible in a Service Pack. I think Microsoft realizes this as well. There's a reason we are getting mixed messages out of Redmond about a Windows 7 release schedule. I think various stakeholders are making realizations and the script is being rewritten on a daily basis. I know Microsoft still has many more lessons to learn from Vista before moving on, but I also know that I won't get what I want until Windows 7 (maybe).

Tuesday, April 22, 2008

Windows XP Service Pack 3 is here!

The much anticipated - and I suppose latest - Microsoft OS release is here! Microsoft released Windows XP SP3 to manufacturing on Monday. The release schedule for North America is as follows:

April 21: OEM Channel
April 29: Windows Update
April 29: Download Centre
May 2: MSDN/Technet Download
May 19: Windows XP SP3 Fulfillment Media
June 1: VL Customers via download
June 10: Automatic Updates


C|Net reported the release in their article: Windows XP SP3: A quick painless upgrade.

Microsoft has a Windows XP Service Pack 3 Overview available for download. But information is limited. I imagine a full list of hotfixes included in the service pack will be published soon.

I've seen griping by people that XP SP3 doesn't include DirectX 10 (available in Vista). But I'm not sure XP users are really missing out on all that much. There are quite a lot of sites comparing DirectX 9 to DirectX 10 and finding negligible differences. Here's a site that actually demonstrates the differences quite well in one of the few DirectX 10 supported games - Crysis. It goes on to describe how to eliminate a "false ceiling" in DirectX 9 mode and allow the use of very high detail normally only available for DirectX 10 mode.

Vista criticism in the news

I'm sorry I haven't had time for much more than links lately. The job search is eating up a lot of time. I am working on some new articles though...

In the meantime I've found some articles criticizing Vista recently. Take them for what they are worth.

  • A lot of people have linked to the Register's article: Ballmer bitch slaps Vista. I'm not sure it's as important as everyone makes out. It just tells me that Microsoft is definitely aware of the Vista problems and that they are willing to do something about it. Maybe we will see much needed changes coming to SP2. (But I doubt it. My next article will be a good demonstration of why Microsoft's hands are basically tied.)
  • Softpedia has a rather long and confusing article that makes the point that Vista has a whole host of ways to harvest various pieces of information and transmit it back to the mothership. I felt like I was being asked to put my tin foil hat back on - but I suppose it doesn't hurt to be reminded of what is possible.

Monday, April 21, 2008

Some humor at Vista's expense

There was a lot of Vista humor this month. I thought I'd share...

Saturday, April 12, 2008

UAC: This explains a few things

Ars Technica published the article Vista's UAC security prompt was designed to annoy you, in which they quote Microsoft's David Cross as saying "The reason we put UAC into the platform was to annoy users. I'm serious."

The article goes on to describe Microsoft's thinking on that approach and the flaws in that thinking.

Friday, April 4, 2008

More news of interest

I swear I have no plans to become just another news linking site, but there's just been so much notable Vista related news these days! I found today's news on the pages of Slashdot and Digg and thought I'd better post it before it slides off the front pages into history...

1) c|net has a commentary on the latest stats from W3Counter. The commentary is focused on the 65% growth of Linux's market share which now stands at just 2.01%. That may not sound like much until you consider that Windows Vista only commands 6.48%. I find the Vista story far more interesting. When you consider the product has been out for over a year - when you consider how many copies Microsoft claims it has sold - when you consider all the money, marketing and leverage Microsoft can throw at the product - it's barely got triple Linux's penetration! I don't care what you think - that's significant. Remember those numbers when we check back next year. There should be a very interesting story to tell. BTW, have I mentioned that I'd like my next blog to be about an enterprise Microsoft IT guy that explores Linux and figures out how to support it in an enterprise environment? (If only I had the time.)

2) The Industry Standard has big news that Microsoft extends XP through 2010 for ultra-low-cost laptops. This only applies to Windows XP Home edition, but it is significant nonetheless. In my opinion it's the first crack in the floodgates of an extension for XP beyond the June deadline. At any rate it's an admission by Microsoft that they don't have a current product for that market segment and can't bear to just hand it to Linux on a silver platter.

3) There's a great article for those of you who are able to save licensing dollars by buying Vista upgrade licenses. Windows Secrets has the article It's official: upgrade hack included in Vista SP1. At first I wasn't interested because Scott is just going on about how to defeat the validation scheme - not something I could consider. But near the end of the article he raises some very good points about why you would even want to use the trick if you are doing things legally. (I'm about to ruin the punchline so you might want to stop reading now and check out the link.) Basically, Vista doesn't allow you to prove you have a prior license just by sticking in an install disk - it instead insists that the install be run from the qualifying upgradeable product. Not good if you want to have a fresh start in the world. The trick involves installing Vista without a license key and then using that install to launch the install again - using Vista as the qualifying product! Great hack that blows Microsoft's validation scheme to hell but which really improves life for those legal users as well.

4) BTW, my contract with my current client will be coming to an end in a few weeks (end of April). Since my travails for my client's Vista implementation are inspiration for this blog's stories, I do wonder how I'll keep this thing going. Hopefully I can find another client in this town with an interest in Vista. If any of you have suggestions for possible leads, please drop me a line.

Wednesday, April 2, 2008

UAC: "Run As" like XP from the GUI

It's no secret that basically every enterprise admin is upset that Vista's "Run as Administrator" feature is not a replacement for XP's "Run As" functionality. I've written a few articles that mention the problem: UAC: Local Admin vs. Domain Admin, Welcome back Command Prompt!, UAC: How to elevate anything. In fact I just got off the phone today with a large organization that is taking a pass on Vista - they cited the "Run as Administrator" as one problem that affected their decision.

Well, Mark Russinovich has released a new Microsoft Sysinternals utility called ShellRunAs in an attempt to meet the demand for an XP-like "Run As" command. I've had a chance to play with it so here is my review...

As the name implies, ShellRunAs brings RUN AS to the shell. As a local administrator I am now able to specify other user accounts when running programs - Yay! This is what I need when managing my network but isn't enough when I wish to manage the local Vista machine. The problem is that ShellRunAs is too faithful to the RUN AS paradigm, which seems to have been borrowed from the XP days without being updated to reflect the whole Vista reality.

Traditionally under Vista, non-administrators must switch to an administrator account and elevate if they hope to do such things as edit the HKLM registry locations. Naturally Run As Administrator comes into play at this point. But if the non-administrator has any extra rights (like a Power User does), the Run As Administrator command only presents the Consent dialog and offers no opportunity to switch to the desired administrator account. This is the kind of behavior that has led people to plead for the old RUN AS functionality to be brought back, and it is where I logically tried ShellRunAs next. But when I specified to run Regedit as my administrator account it gave me the error "Error launching application: The requested operation requires elevation". Clearly ShellRunAs is allowing me to switch users but is not allowing that user to run elevated. The tool doesn't help me with this particular type of problem.

So I tried another scenario that needs help... Let's pretend that my Power User must maintain or design the Welcome Center. The files for that are stored in C:\Windows\System32\oobe which can only be edited when an administrator is elevated. This time I want to edit a text file by launching Notepad. Run As Administrator still doesn't allow me to specify a different account so I use ShellRunAs and specify the administrator account. It launches with no problems - Yay! I edit the document and attempt to Save. I get the message "You don't have permissions to save in the location - save in Documents instead?" - The same message normal users and unelevated administrators get. Further proof that elevation doesn't occur. There is still no real solution to this kind of problem except to carefully design your environment so that you don't run with multiple tokens on your normal user account (see my past article: UAC: Avoid elevation like the plague!)
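One way to confirm what the two tests above suggest, that a process started under an administrator account by ShellRunAs still carries an unelevated token. This is an added example, not part of the original post or of ShellRunAs; it assumes PowerShell 2.0 or later is installed, and the function name `Get-TokenElevation` is hypothetical.

```powershell
# Added example (not from the original post). Assumes PowerShell 2.0 or later.
# Get-TokenElevation is a hypothetical helper name.
# Start powershell.exe three ways and compare the output:
#   1. normally, 2. with "Run as administrator", 3. through ShellRunAs
#   under an administrator account.
function Get-TokenElevation {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # False when BUILTIN\Administrators is missing from the token or is
    # present only as a deny-only group, as it is in a filtered token.
    $adminEnabled = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # The integrity level is listed by whoami as a SID of the form
    # S-1-16-<RID>. Matching the SID avoids localized group names.
    $rid = -1
    foreach ($line in (whoami /groups)) {
        if ($line -match 'S-1-16-(\d+)') { $rid = [int]$Matches[1]; break }
    }

    $level = switch ($rid) {
        4096    { 'Low' }
        8192    { 'Medium' }
        12288   { 'High' }
        16384   { 'System' }
        default { 'Unknown' }
    }

    New-Object PSObject -Property @{
        User                  = $identity.Name
        AdministratorsEnabled = $adminEnabled
        IntegrityRid          = $rid
        IntegrityLevel        = $level
        # Elevated means the Administrators group is enabled in the token
        # and the process runs at High integrity or above.
        Elevated              = ($adminEnabled -and $rid -ge 12288)
    }
}

Get-TokenElevation | Format-List
```

A result showing the administrator's user name with `Elevated : False` is the state in which Regedit reports "The requested operation requires elevation" and saves into System32 are refused.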

For giggles I tried something different. I created a session as my administrator and ran Notepad as a normal user account using ShellRunAs (not a typical scenario - but could happen). I got interesting results - rather than the familiar message about not having rights to save in System32, Vista allowed me to save the document. Even more interesting, Notepad is able to see the file as having been saved but Windows Explorer refuses to show it to me. ShellRunAs is getting Notepad the AppCompat treatment and being redirected to a shadow storage area for System32! How unexpected is that without adequate documentation?

I got other interesting results during my tests. At times I could click Save As repeatedly and get no messages at all - the dialog box would remain as if I had done nothing. It seems ShellRunAs is causing launched applications to receive unexpected messages from the system that they don't know how to cope with.

I also had interesting results with my User Profile. Having switched Notepad to another account using ShellRunAs, I was unable to Save As in the new User Files Folder that was shown to me - it just wouldn't allow me into the folder tree. It displayed the entry in the Save As browser but clicking on it got me nowhere. This is because the User Files Folders for my users are redirected to the network. I guess ShellRunAs doesn't ask Vista to make the connection to that redirected location.

Since ShellRunAs is unable to connect to redirected locations and doesn't recognize the Home Folder specified for the user in AD and certainly doesn't map drives defined in a logon script, I see no point in using the product in its default mode. But it has another mode called NetOnly that I quite like. NetOnly seems to give up on the half-hearted attempt of swinging Vista over to a new user profile and just uses the original profile you were already using. This was just fine. It was great for being able to use my network management tools and still have access to the User Profile and mappings of the initial user. I just wish NetOnly had been described in documentation so I didn't have to waste time trying to figure out what it meant.

This will work well for the scenario where I have a Power User or Local Administrator who needs to switch accounts in order to manage the network with GPMC, etc. (Functionality that Vista did not previously allow.) They can maintain all their existing drive mappings and User File Folder access. They don't even have to expose themselves to the risk of running elevated while doing it either! But don't bother trying to use ShellRunAs for anything local - things just get weird and basically useless. If an administrator wants to do some local over-the-shoulder support for a power user (such as editing the registry), this tool does nothing for them because it is not possible to get an elevated token - there is still no way to do this in Vista without logging the user out or without forcing all users to always enter credentials at every UAC prompt. (It was possible in XP.)

ShellRunAs is one more patch in the patchwork of Vista and there are still many holes in the quilt. We need a proper way to specify the account and token we wish to use when launching a program. We need a solution that works properly with the User Profiles and with the drive mappings. It needs to be easy and exhibit predictable behavior so we don't have to devote our lives to getting the darn thing to work. Keep working Microsoft!

Here are some more observations:

  • ShellRunAs continues in the tradition of Run As Administrator and only makes itself available on the context menu for EXE and BAT files. I would still like to have support for files like VBS, HTA, VBA, etc.
  • ShellRunAs isn't multilingual - it doesn't display messages in the language of the OS or GUI of the user - only English.
  • The NetOnly version of the program doesn't flash up a black CMD window as described, but rather keeps the CMD window open until the called application (such as Notepad) is closed. (This is the clearest indicator that ShellRunAs is a bit of a hack tacked onto the OS rather than a fix to the OS itself - a traditional Sysinternals tool I suppose.)
  • The /accepteula parameter is not described on the web page or in the help screen but it is important to know about if the application is to be deployed in an organization. That was almost a deal breaker for me until I found the note at the top of the eula window.
  • I have an issue with the right-click context menu... This tool can add one or two entries - giving us a total of three entries - and we still don't have all the functionality we need for specifying accounts and tokens. We need fewer entries - not more. These three and any others to come need to be combined into one command. My XP machine already has such a long context menu that I can't see all of the entries on the screen at once - and it doesn't scroll!

One suggestion I've made to Microsoft a couple of times in the past is that Vista's Consent dialog be made more robust. I think it should present the Consent button but also have the fields available in case someone wishes to make a switch to some other account. That seems like the easiest improvement with the biggest benefits while staying true to the original vision of UAC. Although there is currently a great variety of UAC elevation prompts, they are very simplistic and offer very little in the way of flexibility.