Vista Vitals

Closing down my 64-bit Ubuntu Linux experiment

2009-08-31T23:05:00.004-04:00

This article is part of my series on exploring Linux.

Late last year I began experimenting with 64-bit Ubuntu Linux. I decided to try to use it for everything I could think of. I wrote a fair number of articles in this series detailing my experiences, problems, solutions, etc.

I went on to do other things with this Linux distro that I never got around to documenting:

I connected an HP flatbed scanner. The built in scanning software recognized the device and instantly scanned a document for me - awesome!
I was able to download torrents and burn DVDs all with the built in software - no muss, no fuss.
I used it to connect to my work VPN through a Cisco/Citrix solution. I have to say the user experience far exceeded what I was used to in Windows. (Part of that was the open source client not respecting host requests to disconnect me from my network printer, etc. :-D

But there have been a number of small irritants that I haven't been able to resolve yet. I suspect there are solutions to most of them, but I lack either the time or know-how:

Although the webcam video worked like a charm, I never did get the audio recording to work. The wrong drivers or something kept causing pops and hisses over the audio track.
I was never able to do anything with the handy buttons around the screen or use the handy wireless media remote. I don't know if anyone came up with drivers for those, but they sure would have been handy.
I never did install the drivers for the touch screen or the on-screen Wacom pen. The drivers do appear to exist, but they look cludgy and the instructions confusing.

There are other things that used to work, but which eventually stopped working. I never did anything to specifically change the settings in question, but my tinkering and many automatic system updates have exacted their toll:

The thing that upset me most was my video drivers. I spent a lot of time getting them just right. At some point a system update changed the video options and also the behaviour. I could no longer just dsconnect the second monitor and have the system continue working. Instead, the system would only boot to a black screen until I returned the second monitor so that I could disable it in the software. -- Problematic when you take off with the laptop for a trip :-(
At some point my DNS name resolution started giving me grief. It seems to look to the wrong place for resolution. I have to wait until it times out in 10 seconds before finding a better place to resolve a name. I don't know if this is a result of my VPN tinkering or some system update. Quite irritating though.
I also seem to have lost connectivity to my SMB shares on my Windows network. It sees the workgroup but will go no further. This is the final nail in the coffin.

I have learned a lot through my Ubuntu experiment. I have been quite impressed at how advanced this operating system is. I can respect the solid foundation the system is built on. But I am being irritated by too many little annoyances. I suspect some of these may be cause by my choice of going 64-bit. I have since learned that 64-bit is a bit early for general consumption. It would be best to wait for applications and drivers to catch up. There was really no need for me to move with my hardware of only 4GB.

It's time to wipe this system and start fresh. I'm thinking 32-bit Suse Linux....

RDP to Windows from Ubuntu

2009-03-09T22:40:00.001-04:00

This article is part of my series on exploring Linux.

If I am to replace my desktop computer with the Ubuntu OS, I need to be able to do everything I was doing in the Windows days. As a networking guy maintaining servers, I am constantly using RDP to administer servers and lab computers remotely. This is functionality I'm not willing to live without.

I didn't need to worry. There's a product for Linux called rdesktop which includes an interface called Terminal Server Client (tsclient). It does exactly what I'm used to with RDP - with a few more options available.

The software is available via Ubuntu's package manager. I installed it by simply typing the following command from the terminal window:

sudo aptitude install rdesktop

Wow! the software looks just like the RDP I use in Microsoft land:

It works as you'd expect. I had absolutely no issues accessing Windows computers via the RDP protocol.

Word!

2009-03-05T02:41:00.003-05:00

This article is part of my series on exploring Linux.

Like every other IT guy on the planet, I must use a word processor to write documents. Naturally, as a Windows user, I have been using MS Word - and for the past couple of years Word 2007 with the docx file format. Let's see how I handle the transition to Open Office...

Open Office is a free, open source word processor. It is included with Ubuntu and is also available for Windows. There is no doubt - it is a full featured word processor. It had every feature I was looking for. Perhaps a publisher might need more... but maybe not.

I tested it out by creating a document with a complex table (something I can get frustrated by in Windows). I included graphics, hyperlinks, custom styles, cell colouring and split cells. It did quite well:

The table formatting menu that Open Office provided put MS Word to shame!

Although the menu was a pleasure to use, there were some problems. I could easily split cells, but then they became impossible to manage. There was no way I could select a row including split cells (as shown above) to save my life. This prevented bulk formatting, copying, etc. I had to actually copy each row and then manually split cells afterward.

Now, how about compatibility with the rest of the world? This isn't as big a problem as you might imagine. For one, my children's school just switched to Open Office (this seems to be a trend) so there is obviously no problem there. For the rest of us using MS Word in the work environment, Open Office supports most common file formats - let's test it!

I've heard that Open Office works very well with standard MS Word .doc files, but I've been using MS Word 2007 .docx files for the last while. Despite the docx format being only a couple years old, Open Office did a very good job of converting the file. But that's the problem. Open Office converts the document into something it can understand and it doesn't do a perfect job.

I tried editing some guides I had been working on. The documents had the usual headings, table of contents, page headers, cross-references, etc. But things just weren't right. Things like my indents were not the same and the page headers were all buggered. I quickly realized that I couldn't use Open Office to edit my work documents. There was no way I could check a document out from work, edit a couple paragraphs and return it in the same condition.

(Here's an example of the results. Open Office on the left, MS Word 2007 in the middle. (I'll discuss the image on the right in a moment.))

I realized I couldn't live without MS Word 2007, but I'm still dedicated to trying to do everything in Linux. It's time to try Wine.

Wine is an extremely interesting product. It's a Linux application that creates an environment into which a Windows application can be installed and used. Many people call Wine a Windows emulator, but it really isn't. There isn't the overhead of an emulator. Wine calls itself a "translation layer". It basically provides Windows applications with the Windows services it expects to find (such as the registry) in very much the same way that Windows does it. Apparently Wine is so efficient that people are able to play first-person shooter video games within it!

I used Wine to install and run MS Word 2007. I am now able to edit my work documents from my Linux PC and check them back into the office with no issue. Very cool! It's even quite neat how Wine integrates Windows applications with my desktop - it's almost seemless - take a look at the shortcuts:

However, as with everything, I found issues you may want to know about. Before I get to that, I'll cover how to install Wine and Word 2007.

To install wine:

It looks like my 64-bit version of Ubuntu complicated the installation of Wine a bit. I found some good instructions buried in this forum post that helped quite a bit. The first thing to do was to add a reference to a Wine repository to my system's list of APT sources for the version I am using - here's the command to enter into a Terminal window:

sudo wget http://wine.budgetdedicated.com/apt/sources.list.d/intrepid.list -O /etc/apt/sources.list.d/winehq.list

Next, I added the repository's key to my system's list of trusted APT keys:

wget -q http://wine.budgetdedicated.com/apt/387EE263.gpg -O- | sudo apt-key add -

Then I updated my package information and installed Wine:

sudo apt-get update
sudo aptitude install wine

Wine is now ready to be used to make Windows application work in Linux.

Installing an application (MS Word 2007 for instance) couldn't be easier. I just had to start the process from the Terminal window. I found the Windows commandline command for initiating an installation and just prefaced it with the word "wine" (i.e. wine setup.exe).

Because of Wine, the application's installer proceeded as I would normally expect. When it completed, I found shortcuts in the Applications menu under Wine|Programs.

I was very pleased. I then ran MS Word and opened one of my test docx files. The results are shown in that third example on the right in the earlier image above. Everything I tried in MS Word 2007 worked flawlessly. All my formatting and 'complex' document features were preserved (this is MS Word 2007 afterall). There were just two small problems...

Can you see the problems in the sample on the right as compared to the sample in the middle? For one thing I lost my bullets to some strange numbery thing. After some research I learned that the problem was with Linux/Wine not having the symbol.ttf font that Word uses to display the bullet symbol.

Luckily my machine is still licensed for Vista. I simply browsed the Vista NTFS partition for the missing font files and copied them to the folder Wine uses - in my case it was:

/home/gordon/.wine/dosdevices/c:/windows/fonts

Problem solved.

The only other very slight problem that you may have noticed from the earlier sample, is that the pagination / page formatting is out of wack. This seems to be due to a difference in the way fonts are handled - very much like when you change from one printer driver to another. This isn't a problem as long as I don't worry about the pagination at home and wait until I get to work to make sure things line up. If I don't disrupt the formatting of a document signed out from work, there are no issues at all.

As I worked with my documents, I noticed another generic Wine issue. I had troubles pasting screenshots from my Linux environment into my Word documents. It turns out that Linux and Windows handle paste buffers very differently. As a result, they don't always interact as one might hope. I had no troubles handling strings of text, but pictures were a no go. To circumvent this, I just had to save the picture as a file and then import that file into Word the usual way.

I was very impressed by what I was able to accomplish in Ubuntu regarding document editing even if it wasn't perfect. I look forward to the continued growth of Open Office both in capability and popularity. I am convinced it is the future.

Using the terminal (command line)

2009-03-04T22:11:00.005-05:00

I'd like to apologize for my long delays in posting an article. I've actually got 5 articles in the works, but my Linux configuration is getting more complex. It's taking much longer for me to overcome technical hurdles...

In the mean time, I found a book I'd like to tell you about:

Linux 101 Hacks is another free online book (pdf) that was published this February. The hacks documented really don't fit my definition of what hacks are. It's more like a book of handy commandline tips, tricks and shortcuts. In my short time working with Linux, it has become quite clear how important a role the terminal plays. Anything that helps me work in that environment is most welcome.

Getting the book is a bit awkward. You need to subscribe to a blog written by the book's author. The blog's e-mail subscription will deliver a password for getting the book. A slight pain, but the blog doesn't look half bad either!

Ubuntu Reference Book

2009-01-28T23:47:00.002-05:00

This article is part of my series on exploring Linux. In my last article I played with a thumb drive and a memory card reader in my laptop. I went on to learn about ejecting the devices and formatting them.

I've enjoyed writing this blog as I learn Linux and I like to think that I am helping people out there who are going through the same process. But one irritating thing about my blog and others is that it is focused on very small pieces of the Linux puzzle. It is hard to see the big picture or put a lot of the information in context.

This week I found a wonderful book that may help. Check out the Ubuntu Pocket Guide and Reference!

It provides a great overview of Ubuntu while also helping a beginner accomplish typical things like actually installing the product. It answers many questions I have and touches many of the areas I have been dealing with.

Not only is it a cheap $10 book, but you can also download it as a free PDF with the author's blessing!: http://www.ubuntupocketguide.com/download.html

Give it a read and then come back to my blog as I continue to struggle with things that don't behave as they should.

Thanks for the memory

2009-01-24T00:36:00.002-05:00

This article is part of my series on exploring Linux. In my last article I had fun using bluetooth to connect to my Nintendo Wiimote. Today I decided to try connecting to some memory devices. I wasn't too worried about connecting to USB thumb drives, but I was wondering if Ubuntu would make use of my memory card reader.

First up - the memory card reader! My HP tx2600 series laptop has a built in reader. I stuck in an xD memory card from my Olympus camera and instantly received this message:

Nice! A clear message that gave me clear choices. I couldn't ask for more than that. I went on to easily browse and use the memory card.

Next up - a USB thumb drive! My laptop came with a free CA Internet Security Suite (for Windows) on an autorun thumb drive. Let's see what happened when I stuck that in:

Another clear message and autorun is supported! This is much better than the behaviour in XP that either just autoruns or doesn't autorun at all depending upon previous settings. Vista also offers a similar message to this; albeit more visually confusing and with more options. It would actually be nice if Ubuntu offered to let me browse the drive like Vista does - but then again, I merely have to click elsewhere on the desktop anyway.

I really liked the way these two devices were presented in the File Browser (Ubuntu's version of Windows Explorer):

When the media has no name, the File Browser lists the device's size as a way of identifying it. Makes sense to me. At the top of the viewing pane it leaves the option to autorun the thumb drive just in case. I got the same behaviour when browsing the xD card - the option to open F-Spot was left at the top.

The thing I liked best about browsing the media devices was the eject icon next to each device. One should always eject or "safely remove" media to make sure disk caches are flushed, etc. (I don't know that this is a Linux requirement, but I imagine it is). This was an issue I've had with XP. I regularly disconnect media and have to dig down through a context menu or task bar icon to get the job done. In Ubuntu I just click the eject icon. It knows what to do differently if it is a CD, USB or memory card. No muss, no fuss - it doesn't even ask for confirmation. If you clicked eject in error, just click on the device entry that is still listed and it will automatically remount it for you. This is such a little detail, but I really liked it.

I should also mention the eject icon on my network share (called "netware" above). That icon lets me quickly unmount my network connection as well.

I did manage to find a slight hitch with my memory exploration however. Remember how my thumb drive came with an autorun of CA on it? I just wanted a blank drive. I could have just delete the files, but I decided to format the drive instead so I could remove the CA label it had. I couldn't find any way within the File Browser to format or rename the device! At first I thought that was rather dumb, but then it made sense. The only things we really needed to format regularly were floppies - when was the last time you held one of those? Maybe I should be asking why Windows still gives me the option of formatting...

So how do I format my thumb drive? Apparently there are the typical commandline methods, but I read about a graphical interface called GParted and decided to give that a try. I fell into a very typical Linux/Ubuntu routine:

I couldn't find a shortcut to GParted. That isn't unheard of for a GUI app - particularly an administrative type app like this.
I brought up a Terminal window and tried "gparted".
It wasn't present, but Ubuntu provided this helpful message: "The program 'gparted' is currently not installed. You can install it by typing: sudo apt-get install gparted"
Isn't that helpful! So I did just that. The application came tumbling in.
I typed "gparted" once again. This was the response:

Again, very helpful. GParted is treating this very much like an admin task because floppies just aren't the norm anymore. I knew how to become root. I put sudo to good use once again by typing "sudo gparted". I was rewarded with the GParted interface:

The graphic jumps ahead a little bit. In the graphic I have already asked to have my drive formatted as FAT32. It is just waiting for me to confirm the action.

There were actually some interesting choices from this interface:

You may notice that I am formatting the device /dev/sdc. That label was new to me. At first the only way I could tell it was my thumb drive was by the size. But there was a subtle detail a neophyte like me missed. GParted listed information about the various partitions - including its Mountpoint (/media/disk-1 in this case). This is the same information File Browser presented in the Location field at the top of the interface. Very subtle, but it is enough and from now on I'll know.

The second interesting choice was for the type of Filesystem. Rather than just FAT, FAT32 or NTFS as I am used to in Windows, I get a whole lot more in Linux! Here were my choices: EXT2, EXT3, FAT16, FAT32, Linux-Swap, ReiserFS. That is quite the selection! There were even 7 other partition types that didn't apply in this situation. (I think I'll just stick with FAT32 :-)

In the end, I'm very impressed with the way Ubuntu handled my access to my memory card and thumb drive. I'm fine with the way it handles formatting. I'm very impressed with the way the operating system held my hand through the formatting process. Let's face it, my hand was definitely held through what could be a daunting process - and all without the help of an annoying wizard!

Wiimote goodness

2009-01-23T00:23:00.000-05:00

This article is part of my series on exploring Linux. In my last article I was pleased at how well Linux handled the docking/undocking of my laptop. My network and dual monitor settings were reconfigured optimally for each scenario.

Today I came across the blog of Matt Cutts who describes how to connect a Wiimote to a Linux PC (a Wiimote is the game controller from a Wii console). I decided to take time out and give it a try.

Long ago I was impressed by the potential of the Wiimote as a control device when I saw Johnny Chung Lee's projects. He came up with some wonderful multi-touch, whiteboard and head tracking VR applications for Windows. More recently, David Phillip Oster, a Google engineer, made an application for the Mac that surfs Google satellite maps using a Wii balance board.

I followed Matt Cutts instructions and had my Wiimote connected in no time:

I got and installed the application from the terminal by typing: sudo apt-get install wminput wmgui lswm
I ran lswm and it returned the message: Put Wiimotes in discoverable mode now (press 1+2)...
lswm was able to properly detect my Wiimote when I pressed 1+2!
I launched the GUI with the command: wmgui and this is what I saw:

The application was able to read all the information being sent from my Wiimote and attached Nunchuck! Very cool. Now I just need to wait for people to start writing great applications that use the information - like those above that were made for the Windows and Mac environments.

BTW, here is a good articles on how to use a WiiMote in Windows: http://wiihacks.blogspot.com/2006/12/howto-use-wii-mote-in-windows-as-your.html. Here is a Windows application similar to wmgui: WiinRemote.

(Reading the Windows how-to is a very good demonstratation of the difference between the Windows and Linux world -- Half the article deals with how to overcome the limitations of the Microsoft bluetooth implementation and various licensing restructions. Those restrictions just didn't exist in Linux. Rather, in Linux the problem is a lack of people generating useful apps for the controller thus far.)

Remember my problems getting my dual-monitors to work as one seemless desktop? Well, it's been working great lately, but there are some caveats. The wmgui application triggered some of them...

When I ran wmgui, I also got the message: Xlib: extension "RANDR" missing on display ":0.0". The ATI Xinerama feature that allows me to move windows between displays seems to break the RANDR extension (xrandr). The "problem" didn't seem to affect me at all until I did a screenshot for this article. Before I ran wmgui, I could get a screenshot that included my whole desktop spread across both screens. After running wmgui and getting the error, I was only able to get a screenshot of the first monitor and the left half of the second. Not a big problem, but it bears further investigation.

I found more details here https://bugzilla.redhat.com/show_bug.cgi?id=431727 where others were troubleshooting similar problems. Part of my problem may be that xrandr screens cannot be larger than 1920x1200 but my overall desired size is 2960x1050.

Docking / Undocking

2009-01-17T23:25:00.009-05:00

This article is part of my series on exploring Linux. In my last article I was quite disappointed at how difficult it was to get my dual monitors configured just the way I wanted; although it sounds like a lot of the fault lay at the feet of ATI and their proprietary drivers.

My multi-phased procedure for getting a perfect monitor configuration made me doubt whether my settings would be permanent. Would my configuration survive an undocking and redocking of my laptop (my 2nd monitor going away and coming back)? It was time to test!

I decided to kill two birds with one stone and test the networking results as well. Up to this point I had been using the internal Wifi features of the laptop and ignoring the wired ethernet port on my docking station. By configuring the laptop to use the wired port, I could see what happens when I undock and leave that port behind.

Talk about another easy process! I connected the dock to the wall via RJ-45 cable - Ubuntu immediately noticed and connected to my wired network. Not only did it start to use the wired network, but it remained connected to my wireless network as well:

Interesting result. Not only does the network drop-down give a wonderful summary of my network status, it also lets me disconnect from my wireless connection if I wish.

Now that I'm using my dock's wired network connection and a desktop spread onto my dock's monitor, it's time to disconnect. I turned off the laptop and took it out of the dock. I powered it back on and everything worked perfectly! My main desktop panels had moved to the small laptop screen (normally they were on the large LCD) and Ubuntu kept my mouse from wondering off the screen realestate. Clearly the desktop occupied only one screen. The networking also worked flawlessly. I was surfing wirelessly with no configuration required.

Satisfied that the test was a success, I was eager to see what would happen once I rejoined my dock. Would the dual-head screen configuration I had worked so hard for be a distant memory? I needn't have worried. When I rejoined my dock, Ubuntu started using my two screens and wired network connection as I had configured previously. This is the kind of professional, smooth experience I expect from my operating system.

BTW, have you noticed the screenshots I've been adding to my articles? These come to you courtesy of GIMP, the graphics program bundled with Ubuntu. GIMP really puts MS Paint to shame. Have you ever seen such pretty icons?

Dueling with my Dual Monitors

2009-01-14T00:09:00.003-05:00

This article is part of my series on exploring Linux. In my last article I was astounded at how easily I was able to connect to my network printers with duplex and colour printing supported.

I still haven't tried to figure out why the touch or Wacom tablet features aren't working. I also haven't tested features like the web cam or thumb scanner or card reader... It was all these extras that attracted me to this HP tx2600 series laptop as a testbed for Linux - it certainly wasn't the call of the 1280 x 800 display occupying only 12.1 inches - which reminds me...

Time to fire up the second monitor, a Samsung T220 22" 1680 x 1050 screen - I want to be comfortable when running these experiments after all. I plugged the D-sub VGA connector into the laptop. I tried a few things and got various results, none of them great. Basically, when I boot the system it thinks it has one desktop of 1440 x 900 pixels. It is mirrored on both screens. The laptop screen is forced to pan around a larger desktop, while the second monitor has vertically stretched an image and is doing the ugly "non-native" thing. What I need is a desktop that is spread across two monitors that are each displaying in their proper native resolutions.

Under SystemPreferences I did find the Screen Resolution interface. At some point it did display two boxes that could be used to specify a relative position of two monitors, but it never showed the proper resolutions and when I enabled the feature, my second monitor went black. I know I'm in the right area, but I suspect I have a driver issue. I fear I must tell Ubuntu more about my ATI Mobility Radeon HD 3200. BTW, I should mention that Linux is losing at this point. When I booted into my 64-bit Windows Vista, it came right up and supported a dual monitor configuration beautifully. (Mind you, Vista did come pre-configured, so maybe it wouldn't have worked out-of-the-box in that case either).

I was pleasantly surprised when I did a search on the ATI site. There I found 64-bit Ubuntu drivers for my card and all other supported ATI cards! They also include something called the ATI Catalyst Control Center.

At this point I was in for another pleasant Linux surprise. Before attempting to download and install the driver, I decided to read the documentation. I was instantly able to read the Adobe Acrobat pdf documents. I got no warning about a missing reader and the documents appeared almost instantly - much faster than in Windows. It turns out that an open source Document Viewer was bypassing Adobe's product and just displaying the files - neat.

The ATI drivers installed cleanly and I soon found shortcuts to the Catalyst Control Center (CCC) under my Applications menu. The application has a pleasant interface. It provided great system information and accurate information about my attached monitors. It also offers fine-tuning of color and 3D settings. But the part I was interested in was the Display Manager that lets me set my screen resolutions and relative positions. -- This part sucks!

Although CCC knew the native resolutions of my monitors, it would not give them to me. I could get different parts of the desktops on each display now, but one monitor is being forced to pan and the other is displaying in a rather low resolution. Playing with it and rebooting multiple times got me a variety of results, but never the results I was looking for. I only got relief from my frustration once I did more research on the web.

I lost hours to this research and to endless reboots of my system as I tested various solutions. I'll spare you all the details, but I'll share what I learned in the hopes that I save someone else some time. Of course, everyone has a different set of circumstances, but my combination of steps seemed to be a unique solution I had not found elsewhere.

The GUI environment is presented by something called XServer. People just simply refer to it as "X" or "XVideo". As with everything else, the desktop configuration is stored in a config file - xorg.conf in this case. Nowadays drivers/software are supposed to manage this config file for you, but it is obvious that things can go squirly and the file needs to be edited directly. Forums are constantly describing entries for this file and posting the entire text of their files in hopes of troubleshooting things. I'm not entirely convinced that xorg.conf is the only place that stores desktop config information because I was changing resolutions and seeing no changes in the file.

The ATI Catalyst Control Center (CCC) is one of the modern tools that is supposed to manage that file. It clearly didn't work properly for me however. Many forums discussed a more traditional tool called aticonfig that my driver download had also installed. This tool was far more sensible and worked more predictably, but it didn't get me all the way to my solution.

Many forums talk about using an aticonfig --initial option to reset the xorg.conf file so that you can sort of start things off from ground zero. I found I still had pollution in this file that prevented me from being successful.

The best thing I ever did was open the config file and delete all of its contents:

I opened a terminal window (ApplicationsAccessoriesTerminal).
I opened the file with the command: gksudo gedit /etc/X11/xorg.conf
I selected everything and deleted it.
I saved my changes.

I then used the aticonfig tool to reinitialize this file with values that suited me:

sudo aticonfig --initial=dual-head --screen-layout=left

(Notice that sudo command again? I learned about it while fixing my sound.)

The command told Linux to operate each monitor independently and to put my main screen to the left of my secondary (there may be some reverse logic here due to the way my monitors were detected - you may want to try "right" instead).

A quick reboot revealed dual screens but still with the wrong resolutions and some weird behaviour. By the way, rather than going through the entire reboot process, you can just restart the XServer part by hitting CTRL+ALT+Backspace.

The following command fixed a lot of the weirdness I was seeing:

sudo aticonfig --add-pairmode=1680x1050+1280x800

But I still wasn't getting my native resolution I was after. At this point I resorted to the usual Screen Resolution interface found under SystemPreferences. It only offered to configure the resolution of my external monitor - but that was what I needed and it let me choose 1680x1050! Yay! (I would have provided a screen shot, but subsequent config steps seem to prevent this interface from appearing anymore.)

There was only one problem left. My mouse could glide between my two screens but I was unable to drag application windows between them. Using the ATI CCC solved this problem. I was able to use it to enable a feature called Xinerama from Display OptionsX ConfigurationXinerama. It's hard to tell, but a grayed out square means it is selected. Xinerama is the feature that gets these applications to glide between the screens.

There. I'm done. I have the screens configured exactly as I wanted. I could tell it was possible, but it was one hell of a horribly long road to get there. I ended up using all the tools I had seen (xorg.conf, aticonfig, CCC, Screen Resolution), but at least I didn't have to manually insert specific values throughout the file.

Obviously, Vista gets a big win in this category. Ubuntu / Linux sucked when it came to my dual monitor config! But apparently this may be largely specific to the ATI drivers and software that ATI provides. It sounds like users with Nvidia graphics cards may fair quite a bit better.

Now because this blog article isn't long enough... I'm going to end with a copy of my xorg.conf file - just like all those other Linux bloggers I found. After that, I'm linking to a number of helpful forums I found in case they can be more helpful than I have been. See you soon!

Section "ServerLayout"
Identifier "aticonfig Layout"
Screen 0 "aticonfig-Screen[0]-0" 0 0
Screen "aticonfig-Screen[0]-1" LeftOf "aticonfig-Screen[0]-0"
EndSection

Section "Files"
EndSection

Section "Module"
EndSection

Section "ServerFlags"
Option "Xinerama" "on"
EndSection

Section "Monitor"
Identifier "aticonfig-Monitor[0]-0"
Option "VendorName" "ATI Proprietary Driver"
Option "ModelName" "Generic Autodetecting Monitor"
Option "DPMS" "true"
EndSection

Section "Monitor"
Identifier "aticonfig-Monitor[0]-1"
Option "VendorName" "ATI Proprietary Driver"
Option "ModelName" "Generic Autodetecting Monitor"
Option "DPMS" "true"
EndSection

Section "Device"
Identifier "aticonfig-Device[0]-0"
Driver "fglrx"
Option "PairModes" ""
BusID "PCI:1:5:0"
EndSection

Section "Device"
Identifier "aticonfig-Device[0]-1"
Driver "fglrx"
BusID "PCI:1:5:0"
Screen 1
EndSection

Section "Screen"
Identifier "aticonfig-Screen[0]-0"
Device "aticonfig-Device[0]-0"
Monitor "aticonfig-Monitor[0]-0"
DefaultDepth 24
SubSection "Display"
Viewport 0 0
Depth 24
EndSubSection
EndSection

Section "Screen"
Identifier "aticonfig-Screen[0]-1"
Device "aticonfig-Device[0]-1"
Monitor "aticonfig-Monitor[0]-1"
DefaultDepth 24
SubSection "Display"
Viewport 0 0
Depth 24
EndSubSection
EndSection

(See, no mention of my chosen resolutions.)

Helpful links:

http://wiki.cchtml.com/index.php/Configuring#Troubleshooting

http://wiki.cchtml.com/index.php/Troubleshooting

http://ubuntuforums.org/showthread.php?t=221174

http://ubuntuforums.org/showthread.php?t=301941

http://ubuntuforums.org/showthread.php?p=1773710

Printing before writing

2009-01-11T02:05:00.005-05:00

This article is part of my series on exploring Linux. In my last article I experienced some of the difficulties of working with a 64-bit OS when there was no Adobe Flash player available. Luckily I found Adobe's beta product that worked beautifully (and just happened to be available for Linux before Windows).

I'm realizing that as I experiment with Ubuntu, I really need to print information I discover. I should setup printing before I try things like handwriting recognition with the touch screen. But I've been dreading this test. I have fairly recent printers (an HP2605dn and HP2600n) and I wonder if there will be drivers to properly support them. To complicate things, these are colour printers - one with a duplexer. They are both acting as print servers over the LAN (one wirelessly). -- see why I'm worried?

Well, my fears were unfounded! This was the easiest setup I have ever done - easier than Vista even. Here's how it unfolded:

I went to System|Administration|Printing and clicked on "New".
The system automatically scanned and found my printers (my wireless one didn't respond until the 2nd attempt however).
Ubuntu recognized my printer and offered to go out and find drivers.
It found drivers! It clearly stated that they were provided by HP. It gave me all sorts of details so I could have trust in the driver. It told me what features were supported and what testing had been done by Ubuntu, etc.
It then downloaded them when I was ready, using the package manager I had encountered in the past. No visits to the printer manufacturer site! How cool is that?!
I was given a chance to nicely identify the printer's name, location, etc. so that I could more easily work with it in the future.
I was then able to investigate the printer properties. I was able to set default and sharing options. All very clear and pretty. I was able to setup my colour options and duplex printing preferences no problem at all.
Then it printed!

It really could not be much easier than that!

In truth, there were one or two flow issues. The screens don't hand-hold you very well when downloading the printer drivers. The progress indicator went instantly from 0% to complete. Then I was left at a screen wondering if it was finished - not realizing I needed to click a different button now. Also, the driver for the 2nd printer came in with the first, so there was no need to download it - which the system told me. But the system said I could just continue with the "next" screen but left the "next" button deactivated. It was another flow issue. I just had to cancel the download and choose to use an existing driver.

I am not unhappy with the flow issue at all, and it only lost me 10 seconds or so. But I think this printer installation demonstrated a clear difference between Windows and Linux. I know Windows would never allow a flow issue like that, but there are so many other things wrong with its installation that Linux has licked. Linux provided an end-to-end installation experience (no visiting a manufacturer site). Linux communicated clearly in detail so I knew exactly what I was configuring. At the end, I had a printer published the way I wanted, performing exactly as I expected. No surprises, no mystery. I don't know if this experience can be said about all Linux printer installations, but in my case, I was impressed.

Emboldened, it's time to configure my second monitor for dual-head display! (Actually, I've already started playing, Ubuntu isn't doing so well with this one...)

Flash me!

2008-12-28T01:11:00.005-05:00

This article is part of my series on exploring Linux. In my last article I had to do some fast learning to resolve some audio issues. I had to learn how to edit a config file with root credentials and find what settings would give me full sound. After that success I decided to reward myself with a little Youtube time...

Well, it certainly didn't take me long to stumble into my next problem - no Flash plugin! (Youtube uses flash to play its videos). Firefox helpfully offered me a link to get the plugin. It fired up the same package manager that I had seen for the Ubuntu updates and for the media player plugins. But alas, none of the plugins offered would work.

With a bit of research I learned that my problem may be caused by the fact I am playing in a 64-bit world. I had tried to get Adobe Flash, but they haven't actually released a 64-bit version yet. But then I learned some great news - Adobe was currently working on Flash 10 (a 64-bit version) and their first alpha release was for the Linux platform - it was made available only 2 weeks ago! Do I have great timing or what!

The download introduced me to a tar.gz file. This is the Linux world's version of a zip or rar file. Firefox helpfully offered to open it for me with an "archive manager" which turned out to be File Roller. It's a world of new file types and applications, but the experience is basically the same. I got an interface that let me extract the files to a location or drag the files somewhere, etc.

Now I was faced with a new problem. The only thing in the package was a single .so file. Nothing was helping me to work with that extension. More research revealed that this was an actual plugin file that could be found in (or should BE in) a browser's plugin folder (no installer here)... More difficulty tryng to find a valid plugin folder for my version of firefox... Then trouble trying to copy the file to the folder. I'm glad I just finished learning about Sudo so that I could overcome the security restrictions. The final command I typed into my terminal window was:

sudo cp /home/gordon/Downloads/libflashplayer.so /usr/lib/firefox-3.0.5/plugins

This copied my downloaded flash plugin to Firefox's plugins folder despite security restrictions,

When I closed and restarted Firefox, I immediately went to Youtube where it offered its bounty to me. Life is glorious once again. I decided to conduct one more test... I called my 10 year old over and had her fire up her Webkinz account (a rich online world / gaming site for kids that relies heavily on flash). It worked like a charm. We are all smiling here.

This little fix took me a couple of hours with all of the research factored in. Again, I don't think this is something our aging parents would succeed with, but on the plus side, our aging parents probably aren't playing in 64-bit so probably wouldn't experience this in the first place. I also like that this fix isn't possible in the Windows world yet - I give Linux the win for this round.

Hello...TESTING, 1, 2, 3...

2008-12-26T01:33:00.003-05:00

This article is part of my series on exploring Linux. In my last article I was busy being impressed with how nice and easy the install went and how well everything was working. Even my 720p video sample played well - but I realized that my sound was playing at just a whisper...

There was no user setting I could adjust to get my sound up to useable levels. My first Linux glitch! Time to roll up my sleeves and figure out what to do about it.

My default approach to any problem is to fire up Google and find a generic expert blog out there like mine. I obviously suspected a bad interaction of Ubuntu with my sound card, but I didn't know exactly what sound card my laptop utilizes. I decided to do a search using the name of my laptop model: "Ubuntu low sound hp tx2604ca". I found nothing. Realizing my highly specific model number defines my RAM options, etc., I generalize it a bit. I had seen my model mentioned as being part of a series, so I tried: "Ubuntu low sound hp tx2600". Still nothing. But I did get results that told me how similar my tx2600 series was to the tx2500 series - you can guess my next search. Suddenly I hit paydirt. Choosing the right amount of generality can avoid either too few or too many results. I suddenly started getting all sorts of valuable results regarding my low sound problem.

It seems sound problems are a remarkably common phenomenon in Linux - as evidenced by this long web page: https://wiki.ubuntu.com/Gutsy_Intel_HD_Audio_Controller

In rather short order I had the solution to my problem. This is how I fixed the sound on my laptop so my video sample would play at full volume:

Opened Applications|Accessories|Terminal
Edited a config file by typing: sudo gedit /etc/modprobe.d/alsa-base
Pasted to the end of the file: options snd-hda-intel index=0 model=acer
Saved it, closed it and restarted.
Done.

I didn't know what the options meant, but it was a remarkably simple solution - the problem was actually knowing enough to execute it. I never did find one all-encompassing clearly described solution. Instead I had to use my technical experience to piece the solution together. For instance, I had found numerous solutions that suggested modifying the alsa-base file and adding various "option" lines to it. I had to try a few options before I got it right. But before I could try a few, I had to figure out how to modify the darn file (doing it through a GUI editor was a no-go). I had to get acquainted with the Terminal window. I then had to learn that "sudo" is a pre-command you use to get full system (root) access when you need to make changes to system files.

The lessons I learned were valuable and the skills will clearly be called upon regularly. Everything in Linux can basically be controlled from the terminal (command line) in an environment where security has always been of upmost concern. I'm liking this. But I think that a 'normal' user like our aging parents would never get to the final solution alone and would still be sitting with negligible sound. This could be a problem.

Now that I've got sound problem licked, I think I'll go relax with some Youtube videos...

That was easy!

2008-12-20T01:00:00.014-05:00

This article is part of my series on exploring Linux. In my last article I just finished the Ubuntu installation and was rebooting...

I was faced with a multi-boot menu that contained both my new Ubuntu install and my old Vista install. After 9 seconds Ubuntu started automatically.

The desktop that greeted me was not altogether foreign:

The only initial indication of something strange was seeing 2 task bars (called "panels" in this world) and no Vista logo. Otherwise things are remarkably similar. Programs I have running are shown in the bottom panel. The Ubuntu logo at the top takes me to my applications and there are also quick launch icons available - very similar to Vista! (Of course, this interface is highly customizable - and if you don't like this Gnome environment, you can swap it out for some other one like KDE.)

I also found a very useful set of icons on the far right:

I like that the power on/off icon is out and easily available. It offers the usual options I've come to expect from a Vista laptop like: Logout, Suspend, Hibernate, Restart, Shutdown - plus a few more I'll have to try.

I quickly spotted the bar graph that would indicate WiFi networking. I was met by a very user-friendly interface that allowed me to quickly find my home network and enter my security information. I immediately launched Firefox that came pre-installed and was on the internet - uber cool! (I'm actually posting this article from Ubuntu as I type.)

Next was the bluetooth icon. Another simple experience. In two steps I had my Logitech bluetooth keyboard and mouse connected and working. All the buttons and wheels on my mouse are working as they should. This was a sore point for me a few years ago when I tried to use these same peripherals under Windows XP. I wasn't able to use a generic bluetooth receiver, but had to stick with the Logitech version that had other limitations. No limitations now! I don't know if this is a credit to Ubuntu or HP's bluetooth receiver.

Things are going way too smoothly... I wonder what that scary looking red arrow with the exclamation point is all about... It turns out that icon is notifying me of system updates. Now that I am on the network I have 189 waiting for me! Another nice interface listing the details of each update and giving me the option to install each one or not. Let's give this a shot...

... I'm back - after 5 hours! Talk about slow data transfer. They must have a lot of people hitting their servers (there does appear to be a way to stage downloads locally for enterprises though). Interesting thing - no automatic reboot of the system. I'm liking this already! I had heard that Linux can upgrade and restart many of its services on the fly. My only indication that something had happened was a request to reauthenticate to my wifi network - obviously the network services had to be restarted. Also, the red arrow icon had now become a refresh icon that was indicating I should restart the system when it was convenient for me. [As a side note, I have noticed that in the past week there have been about 5-10 new patches every day!.)

I've been quite impressed that my basic laptop hardware, wifi and bluetooth devices have all functioned perfectly. Very impressive. I have yet to get to the web cam or fingerprint scanner however. I have noticed that my touch screen and Wacom tablet functions elicit no reaction. I will have to look into this.

Remember that video sample that was unwatchable in Vista? Let's see how Ubuntu handles that.

But first I needed to retrieve the video from a share on my other system. As with Windows, I was able to browse to Network Places, and then find my workgroup, server and shares. It was just as easy as being in windows - maybe easier in fact, because it also displayed the hidden shares on my server.

Back to the video test - here are the video's details:

resolution: 1280 x 720
codec: H264 (mkv file)
framerate: 24fps
audio: AC-3, 5.1 surround

I decided to try the preinstalled Movie Player. It claimed to need some new plugins and used the same mechanism as the system updates to get them. After 10 minutes or so (slow updates!) it was ready to play. Wow! Smooth video! Not like the Vista experience at all. But the system is working hard - I notice the occasional frame drop if I have other applications running in the background. But Ubuntu is clearly superior to Vista in this test.

-- But hold on a sec! Why is my audio so quiet in the video? Why can't I turn it up past a whisper? hmmm... this bears some investigation...

Into the looking glass

2008-12-14T23:53:00.000-05:00

As mentioned in my last article My Linux adventure begins..., I am embarking on a Linux adventure. Before I can step through the looking glass I must choose from one of the dozens (hundreds?) of Linux variants available. Choosing a flavour of the Linux operating system is tough when you know almost nothing about the OS. I figure I'd stick with the most popular in the hopes it will have the best features and driver support. Two good choices appear to be OpenSUSE and Ubuntu. I expect to ultimately use an enterprise version of SUSE since I am an enterprise type guy, but I don't feel that would be appropriate at this stage. OpenSUSE is the basis for Novell's Enterprise SUSE and looks very impressive as a personal OS, but I'll take a pass on it as well. I'm going to give Ubuntu a try. My main reasoning is that I have seen Ubuntu in the press a lot lately and it seems very popular. I'm hoping that it's popularity will translate into support for all the hardware I plan to throw at it. It would also be nice to be familiar with an additional Linux distro if I am to eventually end up in a SUSE flavour Linux.

So off I go to the Ubuntu site to get a FREE operating system... The current version available is 8.10 released October 27, 2008. This does indeed look promising - look at this feature!:

3G Support
For constant connectivity public WiFi has limitations. Improvements to the network manager in Ubuntu 8.10 makes it simple to detect and connect to 3G networks and manage connectivity. This connectivity is delivered through an inbuilt 3G modem, through 'dongle' support, through a mobile phone or through Bluetooth. It is a complex environment that Ubuntu 8.10 simplifies through a single interface and the auto-detection of many of the most popular devices.

There's my Wifi and Bluetooth mentioned in one spot! I'll have to borrow an iPhone to see how the 3G works out...

I chose to download the 64-bit Desktop version. It's a CD ISO image only 699 MB in size!

The download page offered all these resources:

Read the Ubuntu documentation: https://help.ubuntu.com/

Get help:
- Visit the Ubuntu forums: http://www.ubuntuforums.org/
- Ask questions via e-mail: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
- Instant help via online chat: https://help.ubuntu.com/community/XChatHowto
- Commercial, paid support: http://www.ubuntu.com/support/paid
Join the Ubuntu community, there are many ways to get involved.

I'm feeling welcome so far - let's hope this positive energy stays with me :-)

I quickly found a document aimed at me: Switching from Windows. A good read. But it is scaring me slightly. I looked at the Dual Booting Windows and Linux section where is talks about how to partition my drive. I don't like that it threatens me with the statement:

After finalizing the installation, however, the hard disk will be re-partitioned and all existing data stored on it will be lost.

That is a rather blanket statement! I hope to keep my Vista partition and my HP recovery partition for the moment. I'm assuming that statement was overly generalized and that it will in fact only blow away partitions that must be modified in some way (when it makes the Windows partition smaller or something). I retreat.

I decide to use a new Windows Vista feature to shrink my Vista partition without losing data - making room for Linux (before Linux touches it). Vista makes this very easy. Under Computer Management | Disk Management I was able to right-click on my primary partition and select Shrink Volume.... From there I was able to reclaim 100GB for my Linux project. Hopefully now Linux will let me keep my "data".

Booting Ubuntu was quick and easy. Within 2 seconds I was presented with a colourful logo and great choices. I chose to install Ubuntu rather than just use it as a "Live" CD. I experienced a long period with a black screen as errors like this flowed past:

Buffer I/O error on device sr0, sector ...
end_request: I/O error, dev sr0 ...

As a normal Windows user, I might have been worried seeing all these "errors" because I am normally isolated from the underlying system. But I remember that Linux users like a verbose world and the systems always seem to spout messages. Linux doesn't just stay silent until it can tell me I have a critical problem, it knows "too much information" can be great when trying to diagnose issues.

Eventually the graphic interface appears and starts asking me questions. I am impressed by all the supported languages and keyboards. I like selecting my timezone by choosing a nearby city from an animated map - very cool. The partitioning interface was interesting. It was clear and quite usable but a bit cryptic for a Linux neophyte - so many choices! I felt somewhat better when finalizing my partition choices. The installer tells me:

WARNING: This will destroy all data on any partitions you have removed as well as on the partitions that are going to be formatted.

It then proceeds to identify exactly which partitions are going to be formatted. Much better messages than the one I saw earlier in the documentation. I'm not worried at all now. I think it might actually have been able to shrink my Vista partition for me without damaging anything. I'll save that test for another day though.

Eventually the install completed and had me reboot. Looks good! I have a multi-boot menu and can see Vista there. Stepping through the mirror into Ubuntu Linux land!...

Topic: Linux

2008-12-13T01:56:00.015-05:00

(Vista Vitals articles organized by topic)
These articles cover anything related to Linux:

My Linux adventure begins... - Here I explain what I am up to - exploring Linux. I describe the computer I am using and my goals.

Into the looking glass - I pick a Linux Distro and install it. I discuss my thoughts during the process.

That was easy! - My initial boot into Ubuntu. I share my thoughts while connecting to wifi and bluetooth. I test Ubuntu's performance by playing a 720p video that was unplayable under Vista.

Hello...TESTING, 1, 2, 3... - I describe the first problem I encountered with Linux (low sound volume) and how I solved the problem.

Flash me! - I had no Flash plugin for 64-bit Firefox! This article describes how I added an Alpha version of Flash 10 so that I could use sites like Youtube.

Printing before writing - I configure Ubuntu to print. It couldn't be easier to configure my colour duplex network printer!

Dueling with my Dual Monitors - Yikes! Dual monitor configuration in Ubuntu / Linux sucks! Want to read the sordid details? Thankfully I've documented my many fixes so others can benefit...

Wiimote goodness - I connected my Wiimote to my Linux OS and got readings from it! I also link to similar solutions for Mac and Windows. I also discuss some more dual-monitor issues that I experienced.

Thanks for the memory - I learned how Ubuntu allows me to explore memory cards and thumb drives. I loved the eject icon. I learned how to format partitions using GParted.

Ubuntu Reference Book - Thought you should know about a good Ubuntu book I found...

Using the terminal (command line) - Found another book called Linux 101 Hacks. It has some interesting tips, tricks and shortcuts for working with the terminal commandline.

Word! - I explored the issue of word processing. Tried out Open Office. Then tried to get MS Word 2007 working using Wine.

RDP to Windows from Ubuntu - I found a replacement for Microsoft's RDP so I can remotely access Windows desktops.

Closing down my 64-bit Ubuntu Linux experiment - Little irritations have lead me to end my experiment with Ubuntu. Read the details.

My Linux adventure begins...

2008-12-13T00:56:00.006-05:00

Any of you who have followed my blog for the past year have probably witnessed the frustration I have felt with Vista. It's been a long road - I really tried to get over that "initial resistance" that all us techies are supposed to have to new technologies. I couldn't fall in like with this OS. I appreciate many of the technologies Vista has to offer and many of its thoughtful little features that are supposed to make my life easier. I just couldn't get over my astonishment at some of the basic ways the OS fell on its face. I couldn't get over how the engineers so often seemed to paint themselves into corners and came up with yet another band-aid solution. Where was the master architect??? I need something better.

Why don't I try Linux. I know people like it. I know it's been around a long time and that the technology is proven. I have to stop being so ignorant to this large portion of the personal computing world. In truth, although I am a reformed Novell man and senior Microsoft techie, I do have some limited experience with Linux. I installed my first Linux distro in 1992 when it was released on 90 diskettes (I think I have installed it twice since then). I have used Cygwin to create a Linux environment within Windows so I could run unique applications only available in the Linux world. Let's not forget those embedded devices! I find Linux in the most unlikely places - like on my Tivo or shoved onto someone's Xbox, etc. It's been around and I've edited the occasional config file or set the occasional permission, but it was always when following instructions and hardly because I knew what I was doing.

I want you to know where I am coming from so that perhaps you can relate to the adventure I am about to undertake. It might explain some of the assumptions I make or some of the troubles I create for myself.

I am going to install Linux. I am going to start using Linux. I am going to slowly try to use it for everything I want to do and wheen myself off of MS. I'm retooling this blog - it is now going to be a diary that follows my progress. Jump in with comments or suggestions anytime - I welcome the feedback! I won't pretend to be an expert - my articles will reveal all my warts (ignorance).

Although this is a home project, I won't be easy on myself or Linux. To start with, let's take a look at the computer I have chosen for my project. It is a small 12.1" HP tx2600 series laptop, but it is pimped out with features:

AMD dual-core QL-60
Dual Layer DVD burner w/ Lightscribe
ATI Radeon HD3200
Dual screens
Card reader for SD/MMC/MS/MS PRO/xD
Ethernet 10/100/1000
Wifi 802.11a/b/g/n
Bluetooth
IR receiver and remote
Fingerprint scanner
Touch screen (finger-based)
Wacom tablet features (pen-based)
Webcam

Have I missed anything? I even got a dock to test changing configurations. I want all this stuff to work in the end. If I can get all this stuff working - and working well, I think that will say a lot about Linux. Then it'll be time to explore the world of Linux applications.

At the moment the laptop is running 64-bit Windows Vista Home Premium. I've familiarized myself with all the features and how they should operate 'normally'. I'm quite impressed actually - I think I better multi-boot this puppy so I can go back and forth between operating systems.

I tried playing a full-screen 720p video sample under Vista using the VLC player from VideoLAN. It was unwatchable. The sound played but the video skipped constantly and dramatically. I'm curious to see if I get better performance using the same player under Linux...

Wrapup and retool

2008-12-12T23:23:00.002-05:00

I'm back!

It's been 5 months since you've seen me cursing the mundane details of the OS called Vista. Although my focus hasn't been on Vista lately, I haven't gone far. I've been hard at work developing an automated installation process for Server 2008 using the Microsoft Deployment Toolkit.

I must say that I was quite impressed by Server 2008 - it's hard to believe it shares the same kernel with Vista. But I know the problems I found in Vista are present in Server 2008 as well - it's just that they aren't problems you are going to encounter in that OS because it is just used differently.

In the past 5 months I have still been using Vista and watching its evolution. There hasn't been much change that I can see. On the plus side, those articles I started writing over a year ago are still relevant. In fact, I suspect many of them will still be relevant for Windows 7 (I hope I'm wrong on this) since the underlying architecture should continue to present the same hurdles.

Looking back on my old articles I realized I didn't get around to delivering one piece of simple advice. Many of my later UAC articles (User Account Control (UAC) (16)) discussed the inability of Vista to elevate the Windows Explorer and all the problems that causes. But I never delivered the punchline...

It seems to me that Microsoft made a big engineering mistake by tying Windows Explorer processes to the main desktop process. Under UAC you want to elevate Explorer but the fact that it is already running in order to present the desktop makes that impossible. Well, you can fix this shortcoming! If you have had to drastically alter the way you work because of this limitation and wish you hadn't, here's how you go back. Use a different Windows Explorer. Don't use the product provided by Microsoft, but rather use a third party explorer - one that isn't tied to the desktop. There are many fine examples out there. Some have drastically expanded functionality that you may enjoy, but more importantly, they can all elevate! Xplorer2 is one fine example that you should play with. Their free trial will be enough to show you what I mean.

I'm now looking for my next computing adventure... Judging from some of the recent statistics, many frustrated Microsoft users are casting their gaze at Linux. I too am glancing in that direction. Those Linux users appear to be having a good time and aren't exhibiting the kind of frustration I have been of late. Join this Microsoft user on his Linux adventure!

Roll your own MS Windows OS!

2008-07-18T01:26:00.003-04:00

Just when you think you've seen it all... there is a new twist on everyone's attempts at avoiding Microsoft's Windows Vista OS. Say hello to Windows Workstation 2008!

You've probably heard by now that Windows Server 2008 and Windows Vista share the same kernel (right down to the version number). But somehow Server 2008 doesn't seem to be as bloated and sluggish as Vista. So a Microsoft engineer had the bright idea of using Server 2008 as the OS for his workstation (must be nice to get free Windows licenses). Here's his blog entry: The Way I See It by Vijayshinva Karnure

This news caused a number of hackers to get involved and to start experimenting. They've created a dedicated blog for their effort called www.win2008workstation.com. An automated conversion tool has even been created to simplify the installation process. It can be found here. Apparently, in addition to much better stability, benchmarks are reporting a 17% speed increase - all while running your favorite applications.

A reporter with InfoWorld, Randall C. Kennedy even gave it a try and wrote a series of articles on his experience (it doesn't look like he'll be going back to Vista):

If you try this approach, please post your results here. I've got other fish to fry at the moment.

XP: How to continue getting it after the June cutoff

2008-07-17T23:06:00.000-04:00

There have been quite a few articles in the media about XP and people's desire to keep using it rather than moving on to Vista. Microsoft announced XP Support for 6 more years and companies such as Dell and HP announced they would make XP available after the June 30th deadline.

Well now PC World Australia has put it to the test. They actually went to nine US PC manufacturers to see what it would take to get a PC from them with Windows XP preinstalled: What does it take to get a PC with XP?

The article is loaded with great information. It will save you gobs of time when trying to get your favorite hardware bundled with XP. It will also help you cut through all the misinformation you are likely to get from various customer support reps.

Folder Redirection: IE7 Favorites Bugs

2008-06-27T01:29:00.010-04:00

I have been amazed at how many different problems people are having just using something as simple as Favorites in IE7 under Vista. I am no different - I can't save my Favorites within IE. I have come across all sorts of possible solutions having to do with NTFS permissions and even Integrity Levels. The solutions work for some people - but not for everyone - and certainly not for me. But before I get started ranting about the IE7 bug I found, I thought I'd link to a number of the alternate solutions I found in case they are a solution for you:

Here's a Microsoft blog that describes the trouble-free way to redirect the IE Favorites folder.

Here's a blog that describes why NTFS permissions can stop IE Favorites from working properly.

Here's a blog that describes how to fix the Integrity Levels that impact IE's ability to work with Favorites.

Here's another blog that provides some additional ways of setting the integrity levels.

My Problem

Windows Internet Explorer 7 is unable to save - or even open Favorites. When trying to save Favorites I will get "access denied" errors or unspecified errors like this one:

Here is the "cannot find" error I get if I try to open a shortcut stored in a UNC path:

Who is Affected

Windows Vista users of Internet Explorer 7 (IE7) using all of the following features:

Protected Mode (if you aren't using protected mode you won't experience the problem).
User Account Control (UAC needs to be turned on in order for Protected Mode to work).
Folder Redirection of the Favorites folder to a local location (there is no problem redirecting to a network location).
Folder Redirection to UNC path (GPOs can only redirect to a UNC path on the network).

The Solution

As I mentioned, you only have the problem if you use all of the features shown above. If you can avoid using any one of those features, you can avoid the bug and go back to looking at permissions issues if the problem persists. For the rest of us that must use all of those features listed, there is no solution. You have stumbled into an IE7 bug. Microsoft is currently working on it - I'll post if I receive a fix.

What's Going On

Basically, IE7 Protected Mode gets upset when it encounters a UNC path for the Favorites folder that points to a location on the local machine. It seems to interpret the UNC path as some sort of web address and applies some zone rules or something to it. When it sees the local machine name in the URL, it seems to think a baddie is doing an end-run around its security or something and shuts it down.

IE7 doesn't kick into this mode if a local drive letter path is used and doesn't seem bothered if the UNC path refers to some other computer. But unfortunately I must redirect to a UNC path because that is the only kind of path that the Folder Redirection GPO will allow in my situation.

I felt I had somewhat of a unique situation that got me into this predicament, but the more that I look around, I suspect that the problem is quite a bit more common. Tell me if this sounds familiar.... I have a large organization that wishes to manage things like Folder Redirection via GPO. This is not a problem for my environments with dedicated servers. But my satellite offices with less than 10 people get their shares from a non-dedicated server/workstation. These users also move about the office. When they use a simple workstation with their redirected folder pointing to another computer, there is no problem. But when a worker finds himself on the non-dedicated server, the GPO redirects the favorites folder to a local location on that machine and IE7 has a fit.

Cute eh? Obviously these people want to continue roaming and I don't want to strand their data on individual machines. I won't bother discussing any of the work-arounds I have found because they are all messy and awkward and prone to failure. I'm stuck until Microsoft solves this problem.

For those of you who would like to recommend Firefox to me, let me stop you right here... Firefox stores its Bookmarks in the Roaming AppData folder. But I've had to strand that folder locally and not use folder redirection because of another Vista problem.

Yay Vista!

XP Support for 6 more years

2008-06-25T00:57:00.006-04:00

It looks like companies that are planning to continue using Windows XP beyond the June 30th deadline may be onto something. InformationWeek posted details of the ongoing support and availability of Windows XP in their article: Microsoft Pledges Windows XP Support Through 2014.

Having another 6 years of support for this product is nothing to sneeze at. It now makes the strategy of entirely skipping Vista a viable option. It is already clear that Microsoft is racing to develop Windows 7 as quickly as possible (likely hoping to sell something ASAP to those who want to skip Vista). So there will be plenty of time for Windows 7 to get released January 2010 and a Service Pack or two to follow before an organization is forced to step off its stable XP platform.

I've read plenty of articles talking about how software companies are still developing for XP (some not developing for Vista at all). Large computer manufacturers like Dell have announced that they will continue to make XP available - this of course means that drivers will also continue to be developed for the various PC components from companies like ATI, etc.

So it looks like all the pieces are in place to allow the whole world to tick along and happily pretend that Vista never existed. Frankly, after working with Vista for the past 1.5 years, I think it is a prudent strategy. But don't worry - I've already boarded the Vista boat - I'm still bailing and will continue to post when I find something of value to talk about.

Want your Windows Vista bug fixed?

2008-06-20T01:17:00.000-04:00

I found a great plea from Soma, a Microsoft developer, on his blog Shipping Seven. It's a bit old but very relevant - I felt you should all see it so I am reprinting it here:

Do you hit the same annoying Windows Vista crashing bug day after day?

Please, please, please click the 'Send information' button when you see this crash dialog.

Why?

If in the very unlikely event that you are the first person to encounter and report this bug, a new entry in our bug database is entered automatically.

If anybody else encounters the same bug, and reports it, our automated crash reporting system finds the correct bug in our database, and then updates a counter. (Basically, there is a field in the bug that indicates that X people on the internet have encountered this bug.)

If you don't report the crash, that counter is not updated.

Why is that important?

Our ship room (a bunch of guys who decide which bugs should get fixed and added to SP1, and which bugs are too minor to be fixed) rely a lot on this counter. If the counter reaches more than [redacted], we fix it.

So, every time you encounter any crash - hit that 'Send information' button. Please.

Windows Explorer: Magic file deletions

2008-06-19T01:11:00.001-04:00

In my article, UAC: Elevate Windows Explorer, I grumbled about how Windows Explorer is rather uncommunicative and can be quite confusing. I mentioned how outcomes can be quite unpredictable and that you'd need to spend time getting to know Windows Explorer. To help you in that endeavor, I'd like to describe the confusing behaviors of a simple file deletion...

Consider the case where you wish to replace an executable file on a network share (I happen to be scripting some installs at the moment). It is entirely possible that someone else has accessed that share and is currently executing (holding open) the file we wish to replace. (In my case, my executable hung on my test PC and I needed to fix my bug - my test PC held the file open.)

If I tried to delete an open file in the XP days, I would have received an error message like this:

Now that's a great error message! It tells me what file is at issue and figures out that it might be a problem with the file being in use. If I try the same action in Vista I won't get any message at all. The file will simply be deleted -- but not so fast - the file just LOOKS like it is deleted.

If I now attempt to replace it with a file of the same name, I get the following error from Vista:

The message doesn't discuss my file at all. It leads me to think I have permission problems with my 'E' folder. Incredibly misleading when you find out what is really going on. If I refresh Windows Explorer's view of the folder (hit F5 or reopen Windows Explorer, etc.) I find that my old file is back! It wasn't deleted at all. And since the file is probably still in use, I am unable to replace it with my new file. How's that for strange behaviour?

But wait! - There's more! Let's pretend that we don't know what is going on and have no idea what computer is holding my file open. Let's pretend we wander off and play a great round of golf - what a great day! In the mean time, back at the office, the PC holding my file open, for whatever reason, stops holding it open - suddenly the file gets deleted! Somewhere there is a pending delete file request that actually gets actioned!

Kind of a neat feature I guess, but incredibly confusing - perhaps dangerous. Certainly no fun when you are trying to figure out what the heck is going on with Windows Explorer.

(BTW, my team managed to create a silent install of Visual Studio 6 for SMS if anyone is interested. A very, very complicated procedure to say the least. I haven't been covering any scripting yet, but I can write an article on it if there is interest.)

Quick Command Prompt

2008-06-17T00:27:00.001-04:00

Previous articles have made a compelling case for the use of the Command Prompt in Windows Vista. It is an essential tool for an administrator. I think we would all prefer to work in a GUI, but Windows Explorer just doesn't get the job done. Well Tim Sneath, a Microsoft Client Platform Technical Evangelist, tells of a way to help us have the best of both worlds with his article: Windows Vista Secret #1: Open Command Prompt Here. He tells of an extra hidden item on a folder's context menu that opens a command prompt in that location (use the shift key). It has an interesting feature, but also an unfortunate limitation.

Naturally, any shortcut that speeds our navigation through the system is welcome. Being able to quickly open a command prompt at the current location is no exception. In fact this shortcut goes a step further - if you are accessing a folder in a network location (no drive mapping), the CMD prompt will temporarily map a drive letter to the location and then disconnect it when you are done. A very nice feature! I have often been disappointed that Vista dropped its old love of drive mappings for sexy UNC paths but didn't bother teaching the CMD prompt how to use them.

Unfortunately this handy shortcut doesn't support the Run As Administrator feature. As you probably know, we usually find ourselves running to the CMD prompt because of the administrative work we must perform. There's really not much point getting into a CMD prompt quickly if it doesn't elevate us to the level we need.

Note that this shortcut is not available from the left pane of Windows Explorer. It is only available from the shift-context menu of the right pane.

So, like so many of the patches that have been added to Windows Vista, this is another thing that doesn't go far enough. I know that Microsoft has been demoing some fancy Windows Explorer features for the upcoming Windows 7 - I just hope they have learned how we want to use it by the time they release that product.

Need to install XP on Vista hardware?

2008-06-16T02:56:00.000-04:00

Judging from the petition to save Windows XP and the lack of Vista uptake in my region, a good many organizations are taking advantage of the downgrade licensing option. This option allows companies to buy Vista licenses but actually use XP instead. HP and Dell are offering to support these customers by continuing to pre-install Windows XP when customers request it. But there are plenty of systems being manufactured out there with the expectation that they will only see Vista.

Many companies haven't developed Windows XP drivers to support their hardware. In fact, you may not even be able to run the XP install on such hardware because basic things like SATA drivers are missing. If you are considering the downgrade option, you should obviously avoid companies that don't provide XP support. However, if you are stuck in the unenviable position of already owning hardware like this, I may have found a solution for you. Edmonton Geek published a great article: The easiest way to downgrade a Windows Vista machine to Windows XP. In this article they describe how to create a custom XP install disk with integrated SATA support from other sources. This hack probably isn't for everyone, but if you're in a bind, this may just be the solution you've been looking for!

Folder Redirection: Problems with the Well-known Folder Cache

2008-06-14T20:37:00.004-04:00

Microsoft recently published KB951049 which describes a folder redirection problem for Windows Vista and Server 2008.

If you use folder redirection to redirect your User File Folders and they either disappear or give a "currently unavailable" error after a reboot, this KB may be for you. Apparently, if you log in too soon after a reboot, Windows Explorer may attempt to display the Desktop before the Workstation service has started. This creates Well-Known folders caching problems.

I don't think I've experienced this problem myself, but I'd be curious to know if this is a common problem for any of you.

Microsoft not branding web sites

2008-06-14T20:07:00.004-04:00

I'm starting to notice an odd trend. Teams within Microsoft are creating their own web sites - but without branding them or clearly advertising them as Microsoft property.

I first noticed this when Microsoft advertised their Windows Vista AppReadiness site during a Springboard Live! Virtual Roundtable. The AppReadiness site is devoid of any Microsoft logos, common-look-and-feel or any Microsoft copyright information. The only clue is the Vista subject material and the fact that Microsoft sends you there. Very odd.

Here is another interesting example... It appears that Microsoft Windows Sysinternals Team has decided to try a new distribution method for their Sysinternals tools. This new web site has all of the individual Sysinternal executables available for download and immediate execution (no installation required). Although extremely useful (check it out), it looks just like an FTP listing with absolutely no branding, logos, etc. One would think it was a pirate site if not for the readme that claims otherwise. I'm surprised that they wouldn't have a quick instant Microsoft template for whipping up a common-look-and-feel and that they wouldn't use it.

I am thankful that these sites exist, I just find it a little odd.

UAC: Elevate Windows Explorer

2008-06-05T23:36:00.002-04:00

Back in March I wrote the article UAC: How to elevate anything, where I discussed the various methods for elevating non-executables (such as .VBS scripts). At the time, I highly recommended using an elevated DOS CMD prompt and barely mentioned using Windows Explorer. Windows Explorer would seem like the logical choice, but is rarely used for elevated work. Let's cover it now. It's time to learn how to elevate Windows Explorer and discover some of its shortcomings.

The first trick is finding the darn thing (I have traditionally used the Windows+E key to launch it). To ask it to Run As Administrator, you need an actual shortcut to click on. For some reason, even though I run the thing all the time, it doesn't show up at the top of my Start menu with the rest of the recently run programs. You'll find it under Accessories:

Unfortunately, just selecting the Run as Administrator option won't get Windows Explorer to elevate. Sure, it looks like it does by providing elevation prompts - but if you try to do anything requiring elevation, it will fail - or maybe it will provide the elevation prompts again before finally doing something. The problem is caused by the fact that Windows Explorer is always running in the background in order to display your desktop. UAC can only elevate an application to a higher token when it is launching a new process - it can't elevate an existing process. Windows Explorer is already an existing process. To get around this problem, you need to set a Folder Option in Windows Explorer:

That last option "Launch folder windows in a separate process" is the one you need. With this option checked, the Windows Explorer windows you ask for will launch in a new process separate from the Desktop that is already running. This gives UAC a chance to elevate when you ask to Run as Administrator. Nice eh? It should really be the default setting. It changes Windows Explorer from being useless to being somewhat useful. But there are limitations...

You cannot have any Windows Explorer windows open when you want to elevate to the high level token. Any instance of Windows Explorer (including things like Control Panel) will already be using the separate process (all Windows Explorer windows share the same process). Again, if you accidentally leave a window open, no elevation will occur. Also, since all Windows Explorer windows will use the same process, all subsequent windows will be elevated as well - the process only dies and returns to a standard user token once all windows have been closed.

For those who wish to work the way Microsoft recommends with one standard user account and a separate administrative account, this trick still won't help. In this case you can provide credentials for another account, but it won't actually work. You either get a new window that is still using the standard token of the first user account or you get no window at all. The different behaviors will depend on how the "Launch folder windows in a separate process" option is set for the administrative account - it actually affects the behaviour in the standard user account! (You get no window if the option is set.) So even with this trick there are many occasions when you still must use a DOS CMD window.

The most annoying part is the lack of error messages when Windows Explorer fails to elevate. If you don't use the separate process trick or you mistakenly try to elevate while another window is open, Windows Explorer will never tell you. It will just sit there quietly letting you believe that you had achieved the elevation you desired. Maddening. You will just have to try things and test the results until you learn how it behaves - don't trust that it is doing what you asked it.

Also, be warned that the Vista SP1 upgrade drastically changed the rules for Windows Explorer. If you think you knew how Explorer behaved before SP1, look again - most things behave differently (in most cases better).

There are many more Windows Explorer behaviors/bugs/features that you should know about. I will cover those in future articles.

Who needs COFEE!?

2008-05-30T00:36:00.003-04:00

Talk about timing! This is the perfect follow-up to my previous article about Microsoft's Computer Online Forensic Evidence Extractor (COFEE).

Remember I said:

Actually, my outrage is dramatized for purposes of this article. Most of us know this game of security we play only stops the casual passer-by. If someone has physical access, it's only a matter of time before they get in. If not through back doors created by Microsoft then through bugs or unknown technical trickery.

Despite Microsoft's claim that Vista is their most secure OS ever (Vista is 'more secure' says Gates), I just found a demo of the easiest hack ever! It uses the exact same trick I used on XP years ago - but much more dramatically.

On XP I used a Linux boot CD to mount my disk volume. This allowed me to bypass Windows security and do such things as hack the passwords file to gain access to the administrator account. This got me what I wanted but was hardly stealthy - it would be quite clear to anyone wanting to log into the laptop afterward that someone had really messed things up since the old passwords would no longer work.

If I was into true esponiage, I would want something much more subtle. Something that would give me access over the long term without being discovered. The Vista hack demonstrated above basically gives a spy that ability! By temporarily modifying the Ease of Access button (Utilman.exe) to gain access to Vista as the elevated system account, I would be able to do anything I wanted on the system. I could setup scheduled tasks or services (keyloggers, etc.) or examine user data. But there would be no evidence that I had been there! The existing accounts would not be damaged by me and system logs would show no evidence of me even accessing the computer. This is key to me getting something into the system and allowing it to remain for an extended period of time (very bad).

I've really been enjoying showing the video to people this week. Those in the know give a good belly laugh and those who believe the hype get this empty, sick look on their face -- try it! BTW, there is more discussion about the video on Microsoft's own Channel9 blog. There are some additional perspectives there, but they kind of miss the point.

Want to protect yourself from this threat? There is no fool-proof way - but you can at least make it more difficult:

Using Bitlocker to encrypt the harddrive is the most obvious approach because the Linux boot CD will be unable to even find the System32 folder. But Bitlocker isn't practical for everyone since it requires all sorts of key management.
The easiest approach is to prevent someone from booting with Linux by turning off the system BIOS options that allow booting from USB thumb drives or CD/DVD devices. But this also means you must password protect the BIOS. It would also be a good idea to lock the case so that the BIOS override jumper can't be used to reset the BIOS. A lock would also prevent the harddrive from being temporarily removed from the system and placed in some other computer that does allow booting (maybe the spy has an external USB chasis on his laptop). But now you are managing real keys and your IT staff have a bit more work to do before they can boot from a recovery CD or something.
I found another novel approach was to disable the Ease of Access Button as described on the How-To Geek site. But don't be fooled. It turns out that someone just replaced Utilman.exe with an executable of their own :-) But it is a nice demo of how the hack can be done using a Windows install program without a Linux boot CD being needed at all.

I wish you all the best in securing your Vista environment. If you think you have a secure approach, share it with others here.

COFEE

2008-05-20T01:10:00.003-04:00

If you haven't heard about Microsoft's Computer Online Forensic Evidence Extractor (COFEE), it's high time you did. Here's a little intro from the Seattle Times.

I'm all for eliminating any excuse for law enforcement to take away my computer hardware, but this goes too far! This is basically a USB key that lets anyone into my computer and past any encryption that may be protecting me. I know the article says it's for law enforcement only - but how long before an officer leaves one in a donut shop and it finds its way onto the Pirate Bay? -- hold on, I better see if it's already there -- phew, not yet.

Actually, my outrage is dramatized for purposes of this article. Most of us know this game of security we play only stops the casual passer-by. If someone has physical access, it's only a matter of time before they get in. If not through back doors created by Microsoft then through bugs or unknown technical trickery.

I myself hacked a system once in my past. I was helping a director from another department with his laptop. XP was locked down by his IT folks but he really needed to get a program installed while at this conference. I had no prior hacking experience or skills to help me. I did a quick Google search and in 10 minutes burned a bootable Linux CD. It knew how to mount the NTFS volume, find the passwords file and examine its contents. Within 15 minutes I had this director in his laptop as administrator working with his critical application. Scary.

Actually, physical access isn't even needed either. I'm not talking about a generic virus or trojan. It is possible for someone to target your PC and run a program on it that can extract whatever they need remotely - without ever touching it. This past March this very thing was done to a Mac and a Vista machine at the CanSecWest conference as part of a contest.

But if you still care about the COFEE application and the dangers of making user-friendly hacking tools available...

Benjamin J. Romano from the Seattle Times wrote a follow-up to his article.
Here's the Microsoft press release that got it all started:

COFEE, a preconfigured, automated tool fits on a USB thumb drive. Prior to COFEE the equivalent work would require a computer forensics expert to enter 150 complex commands manually through a process that could take three to four hours. With COFEE, you simply plug into a running computer to extract the data with the click of one button --completing the work in about 20 minutes.

I like this article at C|Net news where Microsoft claims the tool is just in beta but that it has 2,000 users already. This obviously won't stay secure for long.

That darn desktop cleanup wizard

2008-05-19T23:57:00.003-04:00

This screen cap made me chuckle :o)

Windows Doesn't Know When to Shutup

I just had to share.

Has anyone ever found that wizard to be helpful in any way? I wonder how you turn that bugger off. I never thought it was a big deal but I guess it would be to some :-)

Better Desktop.ini support please!

2008-05-17T01:17:00.000-04:00

I swear that 60% of the traffic coming to my blog comes in on a Google search for Desktop.ini information. I've written numerous articles on the subject and have often wished that Vista and Windows Explorer did a better job of supporting the new Desktop.ini behaviors (read Vista's support for multiple languages & Folder Redirection: Not to the user's home directory).

Well, I just saw this Windows 7 Explorer demo on Youtube. I'm shocked to see a demo of that OS so soon (if it's genuine). But it got me thinking that I need to be more vocal and clear about my desire to have Vista and Windows Explorer fixed.

Windows Explorer needs an option where we can turn off its interpretation of the Desktop.ini and just show folders as they really are. Currently, many of us are resorting to a CMD prompt to do this. Let's face it, it just makes sense. The whole reason the Desktop.ini exists is to handhold (read "fool") users by showing them a folder name the OS thinks they want to see rather than the real underlying one. Anything that prevents you from seeing the truth is going to be problematic. Microsoft knew this when they allowed us to see hidden files or see hidden extensions - so why not now that they are hiding whole folder names?

I've also come to realize that more than just Windows Explorer needs to be fixed. In my article Vista's support for multiple languages I mentioned how the Start Menu didn't do a very good job - now I've found more problems. Microsoft seems to have thought the Desktop.ini would be a clever way of dealing with their multilingual problems. They thought they could now give users the Windows experience in their mother tongue while letting the OS play behind the scenes in English. The Desktop.ini would just hide everything - but it doesn't.

Take the example of a French OS. Users expect to find their programs under a folder called C:\Programmes. In the Windows XP days the users saw that folder and the programs were actually stored in a folder by that name. With Vista, the user still sees the expected folder but the system is actually storing them in C:\Program Files instead. Vista figures that since it is able to show the users one thing and the programs another, it's job is done and it can go back to sleep. But they forgot one little problem. Vista never tells the programs what folder name the user is expecting to see.

I was running a version of Visual Studio's MSDN Library on a French Vista OS. It encountered an error:

I liked my French message , but did'nt expect the English folder path. I can't use that path. When I browsed using the Dossiers (folders) pane on the left I couldn't find the path specified (the Desktop.ini hides it from me). The only way I could get to the folder was to manually type it in the address bar at the top of the Windows Explorer.

I realized that the application had no way of giving me the path I need because Vista never tells it what I am expecting to see. Programs are used to asking the OS where directors are located by using variables like %ProgramFiles% - and Vista is happy to tell them. But I think we now need variables like %DesktopProgramFiles% or something which tells the program what path to show users in messages. The two paths could be very different. Perhaps an API where you feed it a real path and it goes looking for Desktop.ini files and returns a path with all the relevant substitutions.

You might think this wouldn't be such a big requirement if I could tell Windows Explorer to ignore the Desktop.ini and allow me to navigate to the real folders. Although I tend to agree, it probably is still a requirement. I'm sure Germans or Egyptians don't want to find the programs under a C:\Program Files folder.

Do you know someone at Microsoft? Care to pass on the message?

More DRM woes for Vista users

2008-05-16T22:20:00.004-04:00

My article, I don't like DRM, linked to a user who was having difficulty with DRM. He was being blocked from playing movies he paid for because his computer system was too high-res. Well, Vista users are suffering again.

This week Windows Vista Media Center users were being blocked from time-shifting some NBC shows. It's unclear if the broadcaster set the flags in error or whether Vista Media Center responded to them improperly. What is clear is that only Vista users were affected. TiVo and DirecTV who also respond to copy protection flags did not prevent their users from recording.

Have any of you seen this message?

[EDIT 19/5/2008] There is a good update regarding this issue here: Microsoft confirms Windows adheres to broadcast flag. Apparently Microsoft is implementing an FCC rule that was struck down in 2005. [/EDIT]

Microsoft's Springboard series

2008-05-14T20:55:00.009-04:00

It appears that Mark Russinovich is presenting a Springboard area on Microsoft's web site to ease Windows Vista implementation pain by providing some much-needed guidance.

He kicked things off last month with a Springboard Live! Virtual Roundtable. He assembled a panel of experts (including Mark Minasi) and three Vista early adopter clients. They spent an hour discussing topics related to adopting Windows Vista. You know me, I'm a sucker for learning what Microsoft is thinking when it comes to Vista so I dove right in.

I found the roundtable to be a good use of my time - you likely will too - very informative. They pointed to some interesting resources that might help those of you considering a Vista deployment:

Microsoft Assessment and Planning Accelerator (MAP) - is supposed to be an enterprise inventory, assessment and reporting tool that can assess your readiness to move to numerous Microsoft products such as Vista.
Windows Vista Hardware Compatibility List - is basically a comprehensive listing of PC systems and peripherals known to be compatible with Vista (very comprehensive). Despite this simple list being incompatible with Firefox, I'm sure this information will be more reliable than the failed "Vista Capable" program.
Windows Vista AppReadiness - another comprehensive list - but this time of legacy software applications and their Vista compatibility.

I'm not so sure about that last one though... If I hadn't heard a Microsoft talking head send me to the site, I would have been suspicious of the strange URL, complete lack of Microsoft branding and poor resolution of the logo certificates. I'm also not sure I trust what it is telling me. I took a look at Visual Basic 6 which I am having trouble packaging for BDD at the moment. The site claims it "Works with Windows Vista". It doesn't qualify that or provide any additional guidance. However, when I attempt to run the silent install, I am only greeted with the following Vista AppCompat message and am unable to proceed:

The roundtable goes on to remind us about new features of Vista SP1 such as:

Bitlocker can now support multiple partitions (not just the first one).
Improved file copying (see Vista copies files like a duck).
Microsoft Deployment Toolkit replacing BDD.
Volume Licensing has Vista and SP1 integrated in one package (recommended for new installs).

However the three clients who were Vista early adopters were a major disappointment. Despite them being friends of Microsoft that presumably got lots of support, I was expecting them to give me hope that great Vista implementations were possible - that my own failures were somehow my own fault. They tried their best. They nodded their heads at the right places and smiled while describing how great their deployments went. But if you actually listen to the things they said during their discussions, you quickly realize the reality was very different:

one client admitted to turning off UAC! Not something we want to do - and certainly not what I would consider a feature of a successful Vista install.
while talking about hardware demands of Vista, another client admitted to only deploying to new PCs. That means he is maintaining a heavily mixed environment and can hardly be considered a successful implementation of Vista (too limited for my taste).
although that same client claimed to have installed Vista to laptops, you quickly realize that his "traveling nurses" probably have received a stand-alone treatment without the need for features like Offline Files.
another client who claimed to have rolled out to the majority of his organization, admitted to have avoided laptops. They were planning to wait for SP1 before tackling those - he had Offline Files problems no doubt.
that same client also admitted to having to install XP virtual machines to support some older legacy apps! That's two windows licenses and double the support per PC! Hardly what I would consider a successful Vista deployment.

But these guys were smiling and nodding their heads! Are these the BEST examples Microsoft could find? Am I the only one that doesn't know what a successful deployment means anymore? I'm so depressed.

Vista copies files like a duck

2008-05-14T00:47:00.004-04:00

Odd title - but let me explain... I think everyone in the industry has complained about Vista's seeming inability to copy files quickly. Like a duck, it just seems to float along in no particular rush to get to the 100% mark. Maybe it looks like it is progressing quickly at one point - only to suddenly get distracted by something shiny and slow things down again. We can't believe the glacial pace of these copies and keep telling ourselves that Vista MUST be doing something remarkable in the background to justify these results.

Well, it turns out that just like a duck, Vista has indeed been paddling mightily below the surface the whole time. Mark Russinovich does a great job of describing what has been happening in his blog article: Inside Vista SP1 File Copy Improvements. This is a must read article. It really helped me to understand what has been going on and to realize that despite appearances to the contrary, technology is moving forward.

This article is going to kick off a new topic in my blog called "Windows Explorer". This is probably the last time I will have anything positive to say about that product. I have observed many other Windows Explorer behaviors that I will be discussing.

Topic: Windows Explorer

2008-05-13T01:04:00.005-04:00

(Vista Vitals articles organized by topic)
These articles cover anything related to Windows Explorer. This includes File Copying, launching programs, UAC, navigation, etc. :

UAC: Microsoft Programs act weird - a little warning about Windows Explorer, Internet Explorer & Outlook.

Vista copies files like a duck - Mark Russinovich provides excellent details regarding the file copy process and how it has changed for Vista and again for Vista SP1. A must read.

UAC: Elevate Windows Explorer - Ever tried to launch Windows Explorer with Run as Administrator and fail? Find out why.

Quick Command Prompt - talks about a shortcut for opening CMD windows directly in any folder using Windows Explorer shift-context-menu.

Windows Explorer: Magic file deletions - a warning about Windows Explorer's surprising handling of attempted deletions of open files. Scary behavior you should be aware of.

Wrapup and retool - This is my wrapup to my Vista articles. I finally get around to delivering my punch line about Windows Explorer.

Windows XP SP3 deployment not going so well

2008-05-12T22:10:00.003-04:00

Microsoft seems to be meeting the same success rolling out Windows XP SP3 as they did rolling out Vista SP1 (remember SP1 Hiccup: don't install KB937287! ?). These products must be getting too complex to anticipate all behaviors under all scenarios.

There are reports all over the web of people experiencing reboot issues once XP SP3 is installed. The best article I've seen is from the Register. It makes reference to Jesper Johansson's blog where you can find some solutions to the various problems.

Arm yourself with the solutions before your attempt a rollout of SP3 in your organization.

UAC: Microsoft Programs act weird

2008-05-09T23:53:00.004-04:00

(This article uses a lot of technical UAC terms. If you have trouble understanding it, check out my UAC glossary: Let's Talk UAC for the Enterprise)

I thought I'd warn you about some Microsoft programs that behave rather weirdly under Vista. When I say "weird", I mean they don't act at all like generic Vista documentation says they should. This was a big problem for me in the beginning when I was trying to learn about Vista and UAC.

The programs I am talking about are Windows Explorer, Internet Explorer and Outlook. Whenever I look at my task bar, these are programs that are always running - no matter what else I might be doing. So naturally when I wanted to learn about UAC and elevation, I started playing with the ones staring me in the face. Big mistake. Confused the hell out of me.

When learning UAC, avoid Windows Explorer, Internet Explorer and Outlook. Microsoft has built extra barriers and behaviours that cause these programs to act differently. If you want to learn how programs generally behave, pick something safe like Notepad to test with.

Internet Explorer and Outlook are problematic because Microsoft has given them special attention. Historically Windows has been exploited by trojans and viruses coming from the web via web pages or e-mail. These two applications had a bad habit of letting these badies into the system to have a good time. Microsoft has introduced barriers to minimize the opportunity for these badies to get into Vista. Some good examples are Protected Mode and Low Integrity levels. I haven't done much work with these technologies, but here's an article that gives you an idea how confusing it can get when trying to understand what's going on:

http://xato.net/bl/2007/03/12/why-doesnt-ie7-protected-mode-mark-downloaded-files-as-low-integrity/

Windows Explorer's behavior is difficult to understand for different reasons. You have likely wanted to elevate Windows Explorer to an administrative token in order to perform
some work on files in a sensitive area like System32 - but failed. Explorer just wouldn't elevate for you. In this case the problem is more technical in nature resulting from Vista's design.

Vista's UAC can only elevate applications to use different tokens when the application is being launched - when a new process is being initiated. You may think this problem doesn't apply to you because you were right-clicking on Windows Explorer and choosing "Run as Administrator" when launching the program - but you'd be wrong. It turns out you weren't launching a new instance of Windows Explorer at all.

Windows Explorer does more than just show you a file management window when you demand it - it is also used to present the user interface (desktop, etc.). You are actually using Windows Explorer just by logging in and looking at the screen or navigating the Start Menu. This means the Windows Explorer is always running. When you think you are launching Windows Explorer fresh with the "Run as Administrator" option, you are actually just asking for a new file management window in an application that is already in progress. As a result, Vista is unable to elevate Windows Explorer to an Administrative Token.

I will be talking more about the problems Windows Explorer has and tricks for overcoming them in future articles. I just wanted to warn you to watch out for these three apps - they won't behave in ways you are expecting for generic applications.

Topic: Folders & Folder Redirection

2008-05-07T23:51:00.003-04:00

(Vista Vitals articles organized by topic)
These articles cover anything related to folders. This includes Folder Redirection, Offline Files, Client Side Cache (CSC), Desktop.ini, etc. :

Introducing the User Files Folders! - introductions are needed - they have changed a lot since the XP days. You really need to get you head wrapped around this.

User Files Folders and the Desktop.INI - describes changes in folder behavior because of new Desktop.ini features - it even affects XP!

User Files Folders are Bilingual - describes how the new Desktop.ini makes it possible to support multiple languages with only one folder. (There are some problems you should know about though.)

Folder Redirection: Specifying a target share - a very important article on configuring Folder Redirection. You must use a GPO and can no longer redirect to a drive letter!

Folder Redirection of database files causes corruption - this is an outdated article so long as you are using SP1.

Folder Redirection: Duplicate User Files Folders - Vista has a nasty habit of creating duplicate folders for users. This article talks a bit about that.

Folder Redirection: Not to the user's home directory - Vista leaves a number of traps lying around. This one is a doozy! Make sure you never redirect user folders to the root of their network drive like you did in the XP days.

Folder Redirection: Amateur Magician - Vista really isn't good at working with redirect folders. You need to understand its limitations.

Folder Redirection: A case study - details a critical problem Vista has redirecting folders like the AppData folder for legacy applications. Unfortunately the work-around I describe breaks with Vista SP1 - so no solution is currently available.

User Files Folders: What's with all these extra folders - this article details more Vista problems caused by the new User Files Folder design.

Duplicate Folder Problems? Talk to me! - This is a roll-up of my articles that have anything to do with folder duplication because so many readers have been experiencing these problems.

Folder Redirection: Back to talk about Settings - this article is a lead-in to two other articles I wrote talking about the Move Data feature of the Folder Redirection GPOs - another Vista design flaw.

Folder Redirection: Duplicate User Files Folders II - this article describes how the Move Data option causes folder duplication and how to avoid it.

Folder Redirection: Misbehaves after target move - this is one of my most important articles! I provide a script for preventing a major Vista design flaw from wreaking havoc on your network.

Offline Files: Doesn't sync files modified while offline - this is an outdated article so long as Vista SP1 is being used.

Vista's support for multiple languages - this article demonstrates Vista's new approach to multilingual support and the problems it causes.

Better Desktop.ini support please! - another example of how the Desktop.ini doesn't go far enough to provide a user experience in their mother tongue. A request for Microsoft to make some improvements.

Folder Redirection: Problems with the Well-known Folders Cache - a KB article describing a problem with missing User Files Folders after a reboot.

Folder Redirection: IE7 Favorites Bugs - a description of a bug IE7 has. Protected Mode prevents access to Folder Redirection UNC paths that reference the local machine (think non-dedicated servers).

Topic: User Account Control (UAC)

2008-05-07T23:50:00.003-04:00

(Vista Vitals articles organized by topic)
These articles are primarily focused on Windows Vista's new User Account Control (UAC) feature. But many other topics are covered because UAC affects so many different areas of the Windows system:

UAC: An introduction to User Account Control - Everything the web has to teach about UAC. I introduce 10 detailed information sources about UAC. A great starting point for users, administrators and developers!

UAC: Is Windows Vista secure? - my opinions and those of experts regarding Vista security. You need to know the limitations of what Vista and UAC have to offer.

UAC: Vista UAC vulnerabilities - many more discussions on the web about Vista security for those who care.

UAC: Local Admin vs. Domain Admin - one of my more important UAC articles. If you can follow it, your life as an enterprise administrator will be greatly simplified.

Disabling UAC - despite linking to instructions on disabling UAC, I actually discourage you from doing it!

Let's Talk UAC for the Enterprise - this is a must read article. This is a glossary covering many UAC terms - it summarizes them and puts them into some context. Most of the remaining articles in this topic are written with the expectation that you understand these terms.

Logon Scripts: A Token Effort - read this if you want to make your login scripts work in Vista. I discuss in detail how to overcome the barriers that UAC tokens create.

Become a Token Geek - links to articles that will teach you more than you ever wanted to know about tokens.

UAC: Avoid elevation like the plague! - a rather important article. I wish more developers knew about this.

UAC: How many tokens did I get? - describes how to figure out how many tokens a user has.

UAC: How to elevate anything - you probably have realized that you need to be able to elevate things other than .exe and .bat files (scripts, registry files, etc.). I don't think Microsoft realized that when developing UAC though. Here are some way to get around the limitation.

Welcome back Command Prompt! - the command prompt is one of the ways to get around UAC limitations. CMD has more valuable uses now under Vista than ever before! Learn about it here.

UAC: "Run As" like XP from the GUI - a review of SysInternal's ShellRunAs command. A valuable tool for your arsenal, but you need to know when to avoid using it.

UAC: This explains a few things - did you know Microsoft introduced UAC to annoy users? Read the article here.

UAC: Microsoft Programs act weird - a little warning about Windows Explorer, Internet Explorer & Outlook.

UAC: Elevate Windows Explorer - Ever tried to launch Windows Explorer with Run as Administrator and fail? Find out why.

Wrapup and retool - This is my wrapup to my Vista articles. I finally get around to delivering my punch line about Windows Explorer.

Topic: Windows Vista Service Pack 1 (SP1)

2008-05-07T23:49:00.000-04:00

(Vista Vitals articles organized by topic)
These articles all discuss Windows Vista Service Pack 1 (SP1). There is some good technical information here that will let you know what to expect from SP1:

Service Pack 1 (SP1) for Vista is coming - well, it's now here (kinda out of date). But I discussed some spectacular ways that it broke previous functionality.

SP1 and a new kernel! - discusses SP1 changing the OS version to 6001 - the same as Windows Server 2008!

SP1 Hiccup: don't install KB937287! - don't bother with this one - out of date.

Vista SP1 Technical Information - get all your Microsoft SP1 guides here.

Vista Service Pack 1 is here! - a link to Microsoft's download site - get SP1 from here.

Vista SP1 unavailable from Windows Update? - can't get SP1 through Windows Update? Here's your answer.

Reclaim disk space from Vista's SP1 - introduces Microsoft's VSP1CLN tool which can shrink the size of OS images (deletes files that are no longer useful).

New deployment tools for Vista SP1 - these are must have tools for administrators of a Vista environment. Includes replacements for ADUC, GPMC, etc.

Vista SP1 makes some undocumented changes - good information about how the Terminal Services Client has changed.

Topic: Miscellaneous

2008-05-07T23:48:00.007-04:00

(Vista Vitals articles organized by topic)
These articles cover a range of unique topics:

Vista's GPMC: Don't trust it - this is an outdated article covering the GPMC that was bundled with Vista. This tool was removed if you upgraded Vista to SP1.

Let's talk Roaming User Profiles - introduction to Roaming User Profiles as they pertain to Vista. Mentions some cohab issues with XP and identifies some reliability issues.

Vista deleting user profiles and data! - this outdated article describes how a buggy GPO caused the deletion of user profiles and data. The bug has been fixed as part of Vista SP1.

I don't like DRM - leads to an interesting article by Davis Freeburg describing his suffering at the hands of Vista's DRM.

Local Administrator Trumps GPO - think your GPOs have ultimate control of your enterprise workstations? Think again. - or - how to override your GPOs locally when you wish to test some alternate configurations.

GPAnswers: Group Policy Preference Extensions - an introduction to Group Policy Preference Extensions (GPPE). You will want to learn about this if you manage GPOs for your organization.

Microsoft's Springboard series - a 1 hour video discussing Vista deployment. I outline the highlights and provide a commentary.

More DRM woes for Vista users - leads to an article about Windows Vista Media Center users who were prevented from time-shifting their TV shows.

Who needs COFEE!? - a follow-up to a previous article about Microsoft's Computer Online Forensic Evidence Extractor (COFEE). Points to a demonstration of how to completely circumvent Vista security using a Linux live boot CD.

Microsoft not branding web sites - Points to some Microsoft sites that have absolutely no branding on them - weird. But useful sites nonetheless - particularly the Sysinternals executables that are ready to run.

Want your Windows Vista bug fixed? - An interesting plea to click on that Send Information button when you experience a Windows crash.

Roll your own MS Windows OS! - There is a movement out there that is hacking Windows 2008 Server to create a Windows 2008 Workstation that is one lean, mean Vista machine.

Topic: In Other News

2008-05-07T23:47:00.006-04:00

(Vista Vitals articles organized by topic)
These articles predominantly link to other news services that provide information about or criticism of Windows Vista:

Need to Virtualize Vista Home Versions? - news that Microsoft eased license restrictions for Vista Home on virtual machines.

Microsoft Windows Releases - Windows 7 rumors.

"Vista Capable" lawsuit is now a class action

Has Vista lost all credibility? - links to more class action details.

Vista criticism in the news

News tidbits clearance! - good stuff here from free MS support for Vista to NVidia & Creative Labs naughtiness.

More news of interest - some linux stats, better installs of upgrade licenses and extended support for some versions of XP.

A petition to save Windows XP - details why people want XP to stick around and what they're doing about it.

Windows XP Service Pack 3 is here!

XP available after the June 30th deadline - but maybe not for home users.

Windows XP SP3 deployment not going so well - oops - some endless reboot problems for some people who installed SP3 - arm yourself with the solutions to the problems before proceeding.

COFEE - information about Microsoft's latest forensic tools for law enforcement.

Need to install XP on Vista hardware? - Find out how to create a custom XP install disk that incorporates SATA drivers from alternate sources.

XP Support for 6 more years - Microsoft announced support for Windows XP until 2014. Some links and comments about the viability of skipping Vista entirely - go for it!

XP: How to continue getting it after the June cutoff - PC World actually jumped through the hoops with 9 different PC manufacturers to see what it would take to get hardware preloaded with Windows XP!

Topic: Vista Humor

2008-05-07T23:46:00.001-04:00

(Vista Vitals articles organized by topic)
Some Vista humor to lighten the mood:

Happy Halloween!

Vista: Even the packaging needs instructions

Some humor at Vista's expense

That darn desktop cleanup wizard

XP available after the June 30th deadline

2008-04-28T02:26:00.002-04:00

Good news! It looks like you can get Windows XP past the June 30th deadline. C|Net has reported the news a couple of times - their latest article is here: PC Makers Find Way to Extend XP's Life.

The solution turns out to be quite a good one. Both HP and Dell are taking advantage of the downgrade option for Vista Business and Ultimate. For the next year you can buy either version of the Vista OS from these companies and request that they install XP at the factory.

This is fantastic on so many levels:

You won't be forced to move to Vista before you're ready.
You'll be able to give Vista time to mature and eliminate even more bugs.
You can give your in-house software developers and other software vendors more time to rewrite their software to support Vista.
You will have your Vista licenses bought and paid for when you are ready to make that step.
You know HP & Dell will continue to make drivers to support their hardware under XP.
It may actually be feasible to hold off migrating to Vista and move to Windows 7 when it is released.

Vista SP1 makes some undocumented changes

2008-04-23T00:36:00.005-04:00

Microsoft MVP Rick Strahl has a very informative blog article: Vista SP1: Terminal Services /console switch no longer working. Rick and the follow-up comments provide some valuable information about the disappearing /console switch. His anger and frustration are palpable.

It also makes me sad. Here Microsoft made a rather simple change and handled it quite terribly. They didn't document or publish the change and they didn't provide backward compatibility by continuing support for the old parameter. Could they have made any more mistakes? - And this was a simple change!

The reason this makes me sad is that I have been hoping for massive changes to Vista. Me, and many of my colleagues, regularly encounter ill-conceived approaches to the design and implementation of Vista. When we hear Steve Ballmer make statements that Vista is a "work in progress", we get our hopes up that some of this stupidity will get resolved. I've long said that SP1 was coming out too quickly and was so focussed on bug fixes that we wouldn't see any real changes until SP2. But the poor handling of the /console switch retirement causes me to lose hope.

I'm beginning to realize that the changes I want made to Vista are just too big. Too many dependencies will be broken or change behaviors to be manageable. I realize now that fixing UAC or improving the intelligence of Folder Redirection just isn't possible in a Service Pack. I think Microsoft realizes this as well. There's a reason we are getting mixed messages out of Redmond about a Windows 7 release schedule. I think various stakeholders are making realizations and the script is being rewritten on a daily basis. I know Microsoft still has many more lessons to learn from Vista before moving on, but I also know that I won't get what I want until Windows 7 (maybe).

Windows XP Service Pack 3 is here!

2008-04-22T23:26:00.004-04:00

The much anticipated - and I suppose latest Microsoft OS release is here! Microsoft released Windows XP SP3 to manufacturing on Monday. The release schedule for North America is as follows:

April 21: OEM Channel
April 29: Windows Update
April 29: Download Centre
May 2: MSDN/Technet Download
May 19: Windows XP SP3 Fulfillment Media
June 1: VL Customers via download
June 10: Automatic Updates

C|Net reported the release in their article: Windows XP SP3: A quick painless upgrade
Microsoft has a Windows XP Service Pack 3 Overview available for download. But information is limited. I imagine a full list of hotfixes included in the service pack will be published soon.

I've seen griping by people that XP SP3 doesn't include DirectX 10 (available in Vista). But I'm not sure XP users are really missing out on all that much. There are quite a lot of sites comparing DirectX 9 to DirectX 10 and finding negligible differences. Here's a site that actually demonstrates the differences quite well in one of the few DirectX 10 supported games - Crysis. It goes on to describe how to eliminate a "false ceiling" in DirectX 9 mode and allow the use of very high detail normally only available for DirectX 10 mode.

Vista criticism in the news

2008-04-22T00:05:00.002-04:00

I'm sorry I haven't had time for much more than links lately. The job search is eating up a lot of time. I am working on some new articles though...

In the mean time I've found some articles criticizing Vista recently. Take them for what they are worth.

A lot of people have linked to the Register's article: Ballmer bitch slaps Vista. I'm not sure it's as important as everyone makes out. It just tells me that Microsoft is definitely aware of the Vista problems and that they are willing to do something about it. Maybe we will see much needed changes coming to SP2. (But I doubt it. My next article will be a good demonstration of why Microsoft's hands are basically tied.)
Softpedia has a rather long and confusing article that makes the point that Vista has a whole host of ways to harvest various pieces of information and transmit it back to the mothership. I felt like I was being asked to put my tin foil hat back on - but I suppose it doesn't hurt to be reminded of what is possible.

Some humor at Vista's expense

2008-04-21T23:43:00.003-04:00

There was a lot of Vista humor this month. I thought I'd share...

I think a lot of us have felt this guy's pain - nice conclusion though.
Here is an internal Microsoft video where a Bruce Springsteen look-alike sings about Vista features. Pretty lame...
Here's an excerpt from the Vista source code - very witty.

UAC: This explains a few things

2008-04-12T16:38:00.002-04:00

Ars Technica published the article Vista's UAC security prompt was designed to annoy you, in which they quote Microsoft's David Cross as saying "The reason we put UAC into the platform was to annoy users. I'm serious."

The article goes on to describe Microsoft's thinking on that approach and the flaws in that thinking.

More news of interest

2008-04-04T01:28:00.001-04:00

I swear I have no plans to become just another news linking site, but there's just been so much notable Vista related news these days! I found today's news on the pages of Slashdot and Digg and thought I'd better post it before it slides off the front pages into history...

1) c|net has a commentary on the latest stats from W3Counter. The commentary is focused on the 65% growth of Linux's market share which now stands at just 2.01%. That may not sound like much until you consider that Windows Vista only commands 6.48%. I find the Vista story far more interesting. When you consider the product has been out for over a year - when you consider how many copies Microsoft claims it has sold - when you consider all the money, marketing and leverage Microsoft can throw at the product - it's barely got triple Linux's penetration! I don't care what you think - that's significant. Remember those numbers when we check back next year. There should be a very interesting story to tell. BTW, have I mentioned that I'd like my next blog to be about an enterprise Microsoft IT guy that explores Linux and figures out how to support it in an enterprise environment? (If only I had the time.)

2) The Industry Standard has big news that Microsoft extends XP through 2010 for ultra-low-cost laptops. This only applies to Windows XP Home edition, but it is significant nonetheless. In my opinion its the first crack in the floodgates of an extension for XP beyond the June deadline. At any rate it's an admission by Microsoft that they don't have a current product for that market segment and can't bear to just hand it to Linux on a silver platter.

3) There's a great article for those of you who are able to save licensing dollars by buying Vista upgrade licenses. Windows Secrets has the article It's official: upgrade hack included in Vista SP1. At first I wasn't interested because Scott is just going on about how to defeat the validation scheme - not something I could consider. But near the end of the article he raises some very good points about why you would even want to use the trick if you are doing things legally. (I'm about to ruin the punchline so you might want to stop reading now and check out the link.) Basically, Vista doesn't allow you to prove you have a prior license just by sticking in an install disk - it instead insists that the install be run from the qualifying upgradeable product. Not good if you want to have a fresh start in the world. The trick involves installing Vista without a license key and then using that install to launch the install again - using Vista as the qualifying product! Great hack that blows Microsoft's validation scheme to hell but which really improves life for those legal users as well.

4) BTW, my contract with my current client will be coming to an end in a few weeks (end of April). Since my travails for my client's Vista implementation are inspiration for this blog's stories, I do wonder how I'll keep this thing going. Hopefully I can find another client in this town with an interest in Vista. If any of you have suggestions for possible leads, please drop me a line.

UAC: "Run As" like XP from the GUI

2008-04-02T01:19:00.000-04:00

It's no secret that basically every enterprise admin is upset that Vista's "Run as Administrator" feature is not a replacement for XP's "Run As" functionality. I've written a few articles that mention the problem: UAC: Local Admin vs. Domain Admin, Welcome back Command Prompt!, UAC: How to elevate anything. In fact I just got off the phone today with a large organization that is taking a pass on Vista - they cited the "Run as Administrator" as one problem that affected their decision.

Well, Mark Russinovich has released a new Microsoft Sysinternals utility called ShellRunAs in an attempt to meet the demand for an XP-like "Run As" command. I've had a chance to play with it so here is my review...

As the name implies, ShellRunAs gets RUN AS to the shell. As a local administrator I am now able to specify other user accounts when running programs - Yay! This is what I need when managing my network but isn't enough when I wish to manage the local Vista machine. The problem is that ShellRunAs is too faithful to the RUN AS paradigm which seems to have been borrowed from the XP days without being updated to reflect the whole Vista reality.

Traditionally under Vista, non-administrators must switch to an administrator account and elevate if they hope to do such things as edit the HKLM registry locations. Naturally Run As Administrator comes into play at this point. But if the non-administrator has any extra rights (like a Power User does), the Run As Administrator command only presents the Consent dialog and offers no opportunity to switch to the desired administrator account. This is the kind of behavior that has lead people to plead for the old RUN AS functionality to be brought back and a place where I now logically tried ShellRunAs. But when I specified to run Regedit as my administrator account it gave me the error "Error launching application: The requested operation requires elevation". Clearly ShellRunAs is allowing me to switch users but is not allowing that user to run elevated. The tool doesn't help me with this particular type of problem.

So I tried another scenario that needs help... Let's pretend that my Power User must maintain or design the Welcome Center. The files for that are stored in C:\Windows\System32\oobe which can only be edited when an administrator is elevated. This time I want to edit a text file by launching Notepad. Run As Administrator still doesn't allow me to specify a different account so I use ShellRunAs and specify the administrator account. It launches with no problems - Yay! I edit the document and attempt to Save. I get the message "You don't have permissions to save in the location - save in Documents instead?" - The same message normal users and unelevated administrators get. Further proof that elevation doesn't occur. There is still no real solution to this kind of problem except to carefully design your environment so that you don't run with multiple tokens on your normal user account (see my past article: UAC: Avoid elevation like the plague!)

For giggles I tried something different. I created a session as my administrator and ran Notepad as a normal user account using ShellRunAs (not a typical scenario - but could happen). I got interesting results - rather than the familiar message about not having rights to save in System32, Vista allowed me to save the document. Even more interesting, Notepad is able to see the file as having been saved but Windows Explorer refuses to show it to me. ShellRunAs is getting Notepad the AppCompat treatment and being redirected to a shadow storage area for System32! How unexpected is that without adequate documentation?

I got other interesting results during my tests. At times I could click Save As repeatedly and get no messages at all - the dialog box would remain as if I had done nothing. It seems ShellRunAs is causing launched applications to receive unexpected messages from the system that it doesn't know how to cope with.

I also had interesting results with my User Profile. Having switched Notepad to another account using ShellRunAs, I was unable to Save As in the new User Files Folder that was shown to me - it just wouldn't allow me into the folder tree. It displayed the entry in the Save As browser but clicking on it got me nowhere. This is because the User Files Folders for my users are redirected to the network. I guess ShellRunAs doesn't ask Vista to make the connection to that redirected location.

Since ShellRunAs is unable to connect to redirected locations and doesn't recognize the Home Folder specified for the user in AD and certainly doesn't map drives defined in a logon script, I see no point in using the product in its default mode. But is has another mode called NetOnly that I quite like. NetOnly seems to give up on the half-hearted attempt of swinging Vista over to a new user profile and just uses the original profile you were already using. This was just fine. It was great for being able to use my network management tools and still have access to the User Profile and mappings of the initial user. I just wish NetOnly had been described in documentation so I didn't have to waste time trying to figure out what it had meant.

This will work well for the scenario where I have a Power User or Local Administrator who needs to switch accounts in order to manage the network with GPMC, etc. (Functionality that Vista did not previously allow.) They can maintain all their existing drive mappings and User File Folder access. They don't even have to expose themselves to the risk of running elevated while doing it either! But don't bother trying to use ShellRunAs for anything local - things just get weird and basically useless. If an administrator wants to do some local over-the-shoulder support for a power user (such as editing the registry), this tool does nothing for them because it is not possible to get an elevated token - there is still no way to do this in Vista without logging the user out or without forcing all users to always enter credentials at every UAC prompt. (It was possible in XP.)

ShellRunAs is one more patch in the patchwork of Vista and there are still many holes in the quilt. We need a proper way to specify the account and token we wish to use when launching a program. We need a solution that works properly with the User Profiles and with the drive mappings. It needs to be easy and exhibit predictable behavior so we don't have to devote our lives to getting the darn thing to work. Keep working Microsoft!

Here are some more observations:

ShellRunAs continues in the tradition of Run As Administrator and only makes itself available on the context menu for EXE and BAT files. I would still like to have support for files like VBS, HTA, VBA, etc.
ShellRunAs isn't multilingual - it doesn't display messages in the language of the OS or GUI of the user - only English.
The NetOnly version of the program doesn't flash up a black CMD window as described, but rather keeps the CMD window open until the called application (such as Notepad) is closed. (This is the clearest indicator that ShellRunAs is a bit of a hack tacked onto the OS rather than a fix to the OS itself - a traditional Sysinternals tool I suppose.)
The /accepteula parameter is not described on the web page or in the help screen but it is important to know about if the application is to be deployed in an organization. That was almost a deal breaker for me until I found the note at the top of the eula window.
I have an issue with the right-click context menu... This tool can add one or two entries - giving us a total of three entries - and we still don't have all the functionality we need for specifying accounts and tokens. We need fewer entries - not more. These three and any others to come need to be combined into one command. My XP machine already has such a long context menu that I can't see all of the entries on the screen at once - and it doesn't scroll!

One suggestion I've made to Microsoft a couple of times in the past is that Vista's Consent dialog be made more robust. I think it should present the Consent button but also have the fields available in case someone wishes to make a switch to some other account. That seems like the easiest improvement with the biggest benefits while staying true to the original vision of UAC. Although there is currently a great variety of UAC elevation prompts, they are very simplistic and offer very little in the way of flexibility.

News tidbits clearance!

2008-03-31T21:24:00.006-04:00

There's been a lot of Vista news floating around lately. I haven't really been in the mood to just repeat what has already been written out there, but some of it is good to know... so here it comes...

1) Microsoft surprised many when it quietly announced through a blog post that it was going to start offering free Vista SP1 support for installation and compatibility issues. Here's their official page:

https://support.microsoft.com/oas/default.aspx?ln=en-us&x=8&y=7&prid=11274&gprid=500921

I'm sure many of you will make good use of this over the coming year. I wouldn't mind hearing what kind of success you have with the phone support.

2) It turns out that 30% of Vista's crashes over the past year (that have been reported) are the fault of NVidia and faulty drivers. I don't know how to feel about this. Some have suggested that this means we have been unfairly blaming Vista and that maybe Microsoft is due for an apology. Maybe. But why has NVidia been having so much trouble successfully writing drivers for Vista? I don't think their developers want to have a failed product - and I don't think they have suddenly gotten stupid - so why has this happened?

3) Could NVidia have been doing what Creative Labs has been doing? It looks like Creative Labs has been purposely crippling and ruining Vista drivers for older sound cards. This comes from Daniel_K who wrote improved drivers by basically revamping previously released Creative Labs drivers. There is a great deal of outrage all over the net because Creative Labs asked Daniel_K to cease and desist release of working drivers. I would like to add my voice to the chorus of outrage! Not so much for the take-down request as for Creative Lab's choice not to release working drivers. I experienced the same problem many years ago at the hands of HP. Microsoft released Windows 95 and HP decided that my 1 year old expensive scanners with feeders, etc. should remain as Windows 3.1 only devices and not receive updated drivers. Planned obsolescence does not make me a happy customer. In the past decade I have refused to even consider HP scanner products. They have lost out on a dozen scanner sales and plenty of bad publicity for that stunt. (I much prefer Microtek scanners where one driver seems to work for all their scanners - no matter how old.) I've said it before - companies have to treat their customers right.
[UPDATE 01/04/2008] Wired has an explanation from the now famous Daniel Kawakami. A good read. He is now allowed by Creative to continue some modding and receive donations. His mods for Creative sound cards are here: http://hosted.filefront.com/braziliantech/, but you'll probably need to figure out what the files are for first...[/UPDATE]

4) A lot of web news outlets have published the story of Linux winning a hacking/security contest over Mac and Vista. I just mention it here because there has simply been so much coverage. I think it validates Linux's design when you consider that its basic approach has changed very little and yet it can still win contests like this. Windows has been flipped on its head (Vista), making users feel pain (UAC) and still didn't win. Will bugs get ironed out so that maybe Vista can win next year? Or does Microsoft still have an inferior design?

5) I found this detailed article describing how Vista licensing has been circumvented yet again. This hack doesn't just avoid licensing nags, it actually makes the OS look fully licensed. This really bugs me. I have to suffer by jumping through licensing hoops and maintaining licensing servers - don't even get me started talking about the labs! - while the pirates can still get access to whatever they want anyway. Frustrating.

Welcome back Command Prompt!

2008-03-29T02:31:00.000-04:00

After years of trying to kill off the command line, Microsoft seems to be acknowledging the importance of command line interaction. So much so that the upcoming Windows Server 2008 OS can be run completely without a GUI through a Powershell command line. Vista too has come to rely on the command prompt. In fact, there are many tasks that can only be performed from CMD as no GUI equivalent is offered.

It turns out that UAC prevents many tasks from being performed in the GUI at all and the only solution is to go back to the Command Prompt. Some of the UAC related tasks I'd like to highlight are:

Elevating scripts such as VBS, HTA or VBA.
Working with multiple files that must all be elevated.
Running as another user when you already have two tokens.
Copying files to sensitive folders like System32.

All of these tasks can be performed from a CMD prompt using the default Vista configuration. In every case there is no GUI equivalent available using Vista defaults. In some cases there are GUI workarounds or specific configurations to enable the functionality needed. These GUI tricks will be presented in future articles, but it is good to know how to work without them using a CMD prompt - you just might venture to a workstation that hasn't been configured to your liking.

1. Elevating scripts such as VBS, HTA or VBA:

There are certainly many file types in use that could require elevation. I just mention VBS, HTA and VBA because they are quite commonly used for administrative scripting and may need elevation. Microsoft has not provided a facility for scripts to carry their own manifest detailing elevation requirements (unlike executables). For a script to get elevated, it must be done manually by an administrator.

The problem is that Windows GUI does not provide any way to manually elevate these scripts. Windows reserves the "Run as Administrator" in the context menu and in the properties screen for executables only. The only recourse is to launch a CMD window elevated. CMD.EXE is an executable and therefore has the option to "Run as Administrator". Furthermore, any processes (read scripts) launched from the CMD window will maintain the elevation afforded CMD by using the same token. (To understand how tokens work, read my article: Let's Talk UAC for the Enterprise.)

Once you get over the ugliness of a fixed width, grey, courier font on a black background, it is really quite a nice way to fly. From an elevated CMD prompt you can launch as many processes as you wish and they will all launch with the Full Token with absolutely no UAC prompting because no token switching takes place. Many techs I work with simply elevate a DOS window at the beginning of their session and return to it throughout the day - they only see one UAC prompt.

The CMD window even helps us to remember what we've done by changing its name - it appends "Administrator" to the front:

Despite CMD giving us added functionality, I still wish Vista would get its act together and let us do our work from the GUI.

2. Working with multiple files that must all be elevated

A similar problem to the scripting elevation difficulties shown above is the problem of working with data files in sensitive areas. You might be modifying the Welcome Center which stores all of its files in the System32\oobe folder. If you were to simply click on a .txt file stored there to edit it - Notepad would open and you would modify it. But when you go to save the document you will get errors like "cannot create" because Notepad is not running with a full token.

I guess the way Microsoft expects you to edit this file is as follows:

Identify the type of file and a suitable application to edit it.
Go find that application and ask to "Run as Administrator".
Use the application's Open dialog to navigate back to your folder and open the file.
Edit as necessary and then save.
Now repeat this process for each and every file you need to work with.

The easiest approach is actually to use the same elevated CMD solution I outlined above. All you have to do from an elevated DOS prompt is:

Navigate to your folder (the TAB key helps a lot with this).
Type in the name of the file you wish to edit.
CMD will find the associated application and run it with the same elevated token.
When you then choose to save the data, it will save without any problems or prompting.
Now type in the name of the next file you wish to edit...

CMD makes it much easier for you to do your work as an administrator than the Vista GUI can.

3. Running as another user when you already have two tokens:

Microsoft made what many techies consider a big mistake when they implemented the "Run as Administrator" feature. It replaces XP's old "Run As..." entry on the context menu but not all of its functionality. There are many posts on the web about it and I wrote my own lengthy article on the subject. The problem is that if you have two tokens when you activate "Run as Administrator", the feature will only ask your consent to elevate to your second token - that's it - you get no other options (I'm ignoring an optional policy setting that forces consent at all times for everyone). This means that if a power user or local administrator wishes to change to another account such as a Domain Admin account when running an app, they are completely unable to. The default Vista GUI provides no capability to do this without setting a group policy that forces all users to get prompted for credentials every time they elevate (impractical).

CMD to the rescue! It turns out that CMD still has a RunAs command that seems to have been ported directly from Windows XP. So much so that the RunAs command knows nothing about tokens and elevation. This is both a blessing and a problem.

The blessing is that the only thing RunAs wants to see is a username. It quite happily runs applications as any userid - no matter what tokens you might have. This is great if a Local Admin wishes to switch to a Domain Admin account in order to manage the network through tools like ADUC or GPMC - problem solved.

But RunAs not understanding tokens still leaves some scenarios out in the cold. If a Power User wishes to switch to a Local Administrator account, he can only do so using this RunAs command from a CMD window. But since RunAs doesn't understand tokens, it simply runs the application using the default, User Token. Somehow the application gets launched directly and Vista misses its opportunity to inspect the manifest and elevate the application. If I use RunAs to switch to a Local Administrator account when launching Regedit, I will just get the following error:

Oh well, even if the command prompt can't give us everything, it's pretty darn handy.

4. Copying files to sensitive folders like System32:

An elevated command prompt is also wonderful for copying files to sensitive folders such as System32. Use any copy command such as Xcopy or Robocopy and it will succeed from an elevated Administrator Token. Try the same thing using Windows Explorer and almost anything can happen.

Windows Explorer has many different ways of behaving depending on how it's options are set and what token(s) a user has. Putting all the variables together results in very unpredictable behavior from the user's perspective. Windows Explorer could just perform the copy as requested, or it might ask a few confirmation and elevation questions before ultimately failing to copy. (I will cover some of these details in a future article.)

I hope I've demonstrated how vital the command prompt has become in Vista. So pull out those old DOS books - talk to 40 somethings in your office and learn how to work with DOS once again!

New deployment tools for Vista SP1

2008-03-26T02:28:00.007-04:00

Now that Microsoft Vista Service Pack 1 and Microsoft Server 2008 have been released, Microsoft is releasing many updated tools to support them. I just thought you might want to know about them.

The most exciting release for me came out Monday - Remote Server Administration Tools (RSAT)! It replaces the old Administration Tools Pack (AdminPak) and Group Policy Management Console (GPMC). Although the old AdminPak can still be installed from an elevated DOS prompt, GPMC was taken out of Vista by SP1 with a complete loss of that functionality. I'll be taking this for a spin as soon as I finish my current task - look forward to a real-life review shortly...

The rest of the tools are related to automating Vista deployment:

Version 936330AIK of the Windows Automated Installation Kit (AIK) was just released this month to support the new versions of Windows. As a result of this upgrade, the Business Desktop Deployment 2007 (BDD) is no longer compatible. You need to upgrade to BDD 2007 v3.2 which was released just last week. The latest version will now allow you to deploy Vista SP1 in your organization.

But if you really want to stay current, Microsoft is rebadging BDD by bundling it in the new Microsoft Deployment Toolkit (MDT) 2008 which was also made available last week. They are leaving behind the BDD name because the tool now handles Windows Server 2008 deployment in addition to desktop deployment. Here is a nice blurb about it from the Windows Vista Team Blog.

Reclaim disk space from Vista's SP1

2008-03-25T23:06:00.003-04:00

Vista Service Pack 1 is big - huge in fact. During installation it actually requires something like 7GB of free disk space just to complete the install process. But the story doesn't end there. SP1 keeps backups of all the files it replaces. It does this so that you can actually perform a complete uninstall of SP1 and return to the previous system state if need be. But that adds up to a lot of wasted disk space if you know you will never revert to a pre-SP1 state.

As an enterprise administrator, I know that the OS image I am creating for distribution will never revert back to pre-SP1 and I know that my image must also be as small as possible. Thankfully Microsoft realized this too and released a cleaner tool with SP1 called VSP1CLN.exe. This little 600K tool gave me over 4GB of my drive space back! Which in turn means a 4GB smaller image file - sweet! (But mileage may vary - I have also recovered as little as 100 MB.)

[Thanks to Aaron for some corrections to this article. - Comments were deleted to eliminate confusion.]

A petition to save Windows XP

2008-03-23T01:36:00.008-04:00

I was surprised to find this InfoWorld article: 100,000 customers tell Microsoft to save XP.

But I understand where it comes from. June 30th is supposed to be the last day you can buy a Microsoft Windows XP license. My client started working on their Vista implementation even before Vista had been released. They have thrown more budget and bodies at this Windows release than at any other - and yet we will barely squeak under that deadline. I know that few other organizations will be able to end their reliance on Windows XP in time.

Now this doesn't really affect most enterprise customers. From what I understand, most have the right to buy Vista and downgrade to XP. But this is a long article with some great detail on the issue. Who knows, you may even want to sign the petition.

Certainly June 30th will be a date worth watching.

[EDIT 26/03/2008] I am now seeing quite a bit of press on this topic. Here is a great ComputerWorld article that describes product and support lifecycles in great detail. Some good information here. [/EDIT]

[EDIT 14/04/2008] News of the petition has now made it to MSNBC! Actually, their article Windows XP Fans Don't Want it to XPire has lots of good detail and summary of the issue. [/EDIT]

[EDIT 28/04/2008] Microsoft hasn't exactly backed off of the June 30th deadline, but it looks like we can still get what we want for at least another year. Here's my latest article with the details: XP available after the June 30th deadline [/EDIT]

Vista SP1 unavailable from Windows Update?

2008-03-20T11:49:00.003-04:00

Microsoft has posted a detailed KB article (KB948343) covering eight possible causes for not being able to install Vista Service Pack 1 from Windows Update.

There are quite a range of causes from language pack issues to incompatible drivers. Definitely worth a read!

The Vista Team Blog has additional details regarding these issues. This blog also happens to have hundreds of user comments attached. Many are complaining about various aspects of Vista and SP1 incompatibility. I suspect it would be worth your time to do a quick search on that page for products you use in your Vista environment. Maybe you'll avoid a few surprises...

Vista Service Pack 1 is here!

2008-03-18T15:31:00.003-04:00

Vista SP1 has now been officially released to the general public. Download it here.

Watch for it in the retail channels in the next week or so as well.

UAC: How to elevate anything

2008-03-07T00:21:00.011-05:00

Before reading this article, I need you to know a little something about UAC. At the minimum you should read my article Let's Talk UAC for the Enterprise. To get a little deeper into the subject, consider reading some detailed articles found here: UAC: An introduction to User Account Control.

After educating yourself on Vista's UAC, you should be aware that there are a great many things that cause elevation of applications:

Vista can autodetect that an installation program should be run elevated.
Vista knows that certain programs like GPMC should be run with the highest available token.
An application's manifest can specify that an elevated token should be used.
An administrator can specify in the properties of a file that an executable must run with an administrator token.
A user can right-click on an executable and specify that it be "Run as Administrator".
...

But what do you do if the thing you need to elevate isn't an application? It seems to me that Microsoft hasn't really accommodated this possibility when designing Vista - but it needs to happen more often than you think. The most common example would be a script that needs to make system changes. What if you have a Visual Basic Script (.VBS, .VBA, .HTA, etc.)?

Not only can the script not have a manifest specifying an elevated token, but there is no obvious way to request elevation. You cannot specify it in the properties of these files since they are not executables. You cannot even right-click and specify that it be "Run as Administrator".

It turns out that there are a number of approaches to this problem (none of which are obvious). All the approaches rely on a basic pair of principles. Vista can only elevate executables (by initiating a new process) AND any processes launched by an elevated process will also be elevated. Each approach may look radically different, but it always boils down to exploiting these principles.

The approaches to elevating non-executables are as follows:

Elevate a command prompt (CMD) and launch anything needing elevation from there.
Elevate an instance of Windows Explorer so that anything you launch with it is also elevated.
Add Run As Administrator to the context menu for additional file types by modifying the registry.
Find the associated application and run it elevated, then open the required file.
Create a launcher script that opens the required file with elevation specified.

Elevating a command prompt (CMD) is by far the easiest and most common method for elevating scripts. You'd laugh if you walked through the offices of our technical staff. They all sit there with this pretty Vista OS but the only thing you see is these black CMD windows because it is the only practical way for them to work.

I will write an article on each of the approaches and turn the bullets into links as they are written. But hopefully I've given you some useful hints in the mean time if you can't wait for me :-)

Vista SP1 Technical Information

2008-03-02T00:40:00.007-05:00

Kris over at the Words Within blog posted a PDF document that combines all of Microsoft's SP1 related documents:

Deployment Guide for Windows Vista Service Pack 1
Hotfixes and Security Updates included in Windows Vista Service Pack 1
Notable Changes in Windows Vista Service Pack 1

-- Handy!

Read it. You will find nuggets like this:

After you install SP1, you will be temporarily unable to manage domain-based Group Policy from that computer because of the following changes:

• The Group Policy Management Console (GPMC) will be uninstalled.
• Gpedit.msc will default to the Local Group Policy Editor.

Because of these changes, use Remote Desktop to connect to another computer to manage Group Policy. Shortly after the release of Windows Server 2008, an updated GPMC with greater functionality will be released as part of the Remote Server Administration Tools (RSAT)...

Don't forget that if you have configured Folder Redirection with Vista's version of GPMC, then you will have no choice but to keep a Vista PC handy that doesn't have SP1 until RSAT arrives. You have been warned :-)

[EDIT 30/03/2008] RSAT is here! Get links to it and other new deployment tools for Vista SP1. [/EDIT]

Has Vista lost all credibility?

2008-03-01T23:26:00.006-05:00

As a follow-up to my article "Vista Capable" lawsuit is now a class action, I found this opinion piece at APCMag.com: Has Vista Lost All Credibility?. It's quite a good opinion piece.

It offers a nice summary of the e-mails that surfaced as part of the class action. It also comments on the recent price drops for Vista. But the most surprising news is that Microsoft has announced even more retail versions of Vista in an attempt to boost sales.

Which leads us to this month's poll - would you consider switching to Linux?

[EDIT 09/03/2008] Here is another good article covering the e-mails discovered in the class action. I hope other companies learn from this - you have to treat your customers fairly. [/EDIT]

UAC: How many tokens did I get?

2008-02-28T22:14:00.000-05:00

My recent article UAC: Avoid elevation like the plague! gives you a good idea of how radically different a Vista user experience can be if a user gets assigned either one or two tokens. I explained that it's important to set things up so users receive only one token. But how do you tell how many tokens a user is receiving? It would be kind of nice to know as you design your Vista implementation.

Vista clearly knows how many tokens a user has because it is smart enough to add and remove shields from icons as a result. But this is hardly a good barometer since it doesn't always change those shield icons in a timely manner. Unfortunately, Vista doesn't seem to be interested in sharing this small tidbit of information with us. It does appear that there are .Net APIs that can query for all user tokens which would lead to resolving the number. But we're enterprise admins here and we have no interest in compiling a small .Net program and adding it to various computers to get this answer.

If you know about some dialog box or command that reports the number of tokens, please share it with me.

The only way I've been able to figure it out is to try it. The easiest way to try out the tokens is to run Regedit. Regedit is rather unique. You would consider it an administrative application because it can be used to change registry settings that affect or corrupt the whole computer. Indeed, you do need to elevate to an Administrative Token if you wish to make changes to HKey Local Machine (HKLM). But Regedit can also be used by anyone (it uses that HighestAvailable manifest we discussed in the other article). If a Standard User with only one token attempts to run Regedit, they will be successful and will not be prompted for elevation at all. (A Standard User is only able to modify keys in their personal user profile (HKCU).) Power Users have similar limitations to Standard Users, but will be prompted for elevation since they have two tokens.

That's about it, short and sweet. Let's recap - to find out what tokens a user has, run regedit:

If the user goes right in with no prompt, they are a Standard user with only one token - a Full Token.
If the user gets prompted for elevation, they are using their Filtered Token and are attempting to elevate to their second token.
If the elevated user is able to modify or add keys in the HKLM area, that user has a Full Administrator Token in addition to their Filtered Token.
If the elevated user is unable to modify HKLM, they are something less than an administrator (perhaps just a Power User) and have a Full Token in addition to their Filtered Token.

Now keep in mind that tokens are created during the logon process. You can't test for tokens immediately after changing group memberships or User Rights Assignments. You must log the user out and back in again before running Regedit and checking the tokens.

"Vista Capable" lawsuit is now a class action

2008-02-25T03:20:00.002-05:00

Slashdot's post links to the relevant articles.

The lawsuit against Microsoft rises from the 2006 pre-holiday season when they used "Windows Vista Capable" stickers to boost sales of machines loaded with Windows XP. It turns out that many of the machines could only function with the stripped down Home Basic edition of Vista. If your organization got stung by the "Windows Vista Capable" campaign, watch for an opportunity to make a claim if the class action ever succeeds.

SP1 Hiccup: don't install KB937287!

2008-02-21T12:12:00.003-05:00

On February 12th, Microsoft released KB937287 as an automatic update. This was in preparation for the upcoming SP1 release. It is intended to improve reliability and performance when installing future Vista updates.

Unfortunately the hotfix has had rather undesireable results for a number of users. Many computers have entered an endless reboot scenario. Here's a forum that has been discussing the problem and has found some solutions in an attempt to avoid a complete OS rebuild.

Microsoft has now decided to pull the hotfix to avoid any further disruption while they try to find a solution. Their announcement is rather vague. They don't describe which customers would be affected and don't offer much help in backing out of the problem. But the attached comments are worth a read - the outrage is palpable.

Although Microsoft has pulled the update, I worry that the threat might still exist for us enterprise admins (hence this article). Those of us who don't allow automatic update into our organizations but use systems such as SMS to apply updates could still have this hotfix pending - you should check and make sure to pull it. Also, the KB article on this hotfix shows that it has been integrated into the SP1 package and will be applied if necessary. I suspect that installing SP1 could expose you to some additional risk - hopefully Microsoft can provide some additional clarification here.

What does this do to the release timeline for SP1? If the current package has a problematic hotfix in it, we will have to wait for a new one. If this prerequisite hotfix for SP1 has been pulled and needs to be reengineered, how long will it be before SP1 can be delivered via automatic update for the population at large?

BTW, I have installed my RTM edition of SP1 with no problems. I'll be checking all of the behaviors described in past articles to ensure that they remain accurate - 500 hotfixes must have changed some of them...

UAC: Avoid elevation like the plague!

2008-02-19T23:19:00.008-05:00

When talking about UAC, we always focus on elevation - how to trigger it, how to preserve it, how to understand it... It is a complex subject that deserves our attention. But before embarking on my next series of articles on this very subject, I think it's important to remind everyone to simply avoid elevation.

There are countless articles complaining about the elevation experience and we KNOW users hate it. So let's be sure to create an environment where elevation just doesn't happen. I'm not talking about turning UAC off or softening any UAC settings - I just want you to be aware of avoidable conditions that are ripe for elevation.

Before reading this article, I need you to know a little something about UAC. At the minimum you should read my article Let's Talk UAC for the Enterprise. To get a little deeper into the subject, consider reading some detailed articles found here: UAC: An introduction to User Account Control.

With that little bit of business taken care of, let's get started...

At first blush it might seem rather easy to avoid elevation - just don't run any administration tools - users shouldn't be using them anyway. Listening to Microsoft you'd think this is all that would be necessary. But a little manifest feature called "HighestAvailable" causes us a lot of problems. Applications written for Vista can specify which access token is needed to successfully run the program. Unfortunately, many Vista versions of applications were written before developers fully understood Vista - or indeed, sometimes before Vista was even available for testing. Developers were sprinkling the "HighestAvailable" requirement like pepper on food they hadn't even tasted yet.

I'm sure developers were thinking it was important that their application have as much access to the system as possible. Asking for the HighestAvailable token just made sense. Unfortunately this requirement means an elevation prompt is needed in order to move from the default filtered token to the user's full token - irritating users. You'd be amazed at how common this approach has been - even when the application clearly had no need of those extra rights. Quark Xpress is a fine example - it's a graphics/publishing program that needs no special access to Vista's system resources and yet asks for the user's highest available token.

I actually find the HighestAvailable manifest to be an odd beast. Developers are basically admitting that they have no idea whether users will be Standard Users or a Power Users or Administrators, but that they'll be happy if their program gets whatever rights the user has (this isn't a request for an Administrator Token afterall). I also find it frustrating that we can manually set properties of an executable to demand an Administrator Token, but we aren't allowed to force an executable to be happy with a filtered token.

But I digress... the problem here is that we have too many requests for the Highest Available Token presenting our users with the elevation prompt... The solution is a simple one for those who think of it. Make sure the user only has one token! Make sure users aren't unnecessarily Administrators or Power Users. Don't give users unnecessary User Rights Assignments. If users are only standard users, no filtered token will need to be created to filter away extra rights. This will result in one single token for the user - the user will always be using their highest available token because that is the only one they have.

It's simple, but when a user launches an application such as Quark Express, it will notice that the user is already using their highest available token and just go ahead and execute with no extra prompting.

Actually, it's neat to see what else happens... It turns out Vista is pretty clever when it comes to applying those shield icons to shortcuts that lead to programs needing elevation. If a program's manifest indicates that it needs elevation, Vista adds the shield icon - but it's smart enough to know when the user won't be asked and removes the shield as well. Here's my Quark icon as it appears on a Power User's desktop and then on a Standard User's Desktop:

Neat eh?

I should have mentioned that we are also talking about a lot more than just avoiding elevation prompts. If you can keep your user always using the same single token, the user will not be forced to leave any resources behind when switching tokens. This means that users will always have their drive mappings when using applications of this type!

Hopefully application developers will eventually learn that the HighestAvailable manifest is not the preferable, default manifest, but rather the manifest of last resort when trying to get applications to work in Vista.

Become a Token Geek

2008-02-12T00:34:00.000-05:00

I think I've made it clear through my past articles that tokens are an important element of UAC and Vista. The existence of various user tokens and the demand for them by applications has a huge impact on system behavior. My articles will continue to explore this relationship between token and UAC on a fairly practical level.

But if tokens intrigue you and you wish to learn more about how they work, you should check out this series of articles by Randy Turner of Microsoft's Directory Services Team. He will take you to a whole new level of token understanding - perhaps transforming you into a Token Geek:

In addition to providing great low-level detail about how the Windows systems rely on tokens, Randy links to numerous software tools that can be used to troubleshoot your environment.

SP1 and a new kernel!

2008-02-05T22:33:00.000-05:00

The Microsoft Vista Product Management Group has just released Service Pack 1 to manufacturing! It's now locked in stone. But we need to wait 6 - 8 weeks before getting it into our hot little hands.

I'm curious to see if this is the long overdue solution we have all been needing - or if it was released way too soon under pressure - causing us to wait for SP2 before having a desirable product.

I found a very interesting article that discusses the new kernel for Vista SP1. Vista SP1 will now be version number 6001. It is being synchronized with the version number for Windows Server 2008 since the two OSs will now share the same kernel. I'm sure that this is useful internally for Microsoft, but it makes things interesting for us enterprise administrators.

Many of us are used to building WMI filters and scripts that check Windows version numbers in order to target specific versions of the product. It looks like this is now a little more complicated. Receiving the number 6001 won't be enough to distinguish between a server or workstation product. You will need to expand your queries to include a product name or some other unique identifier.

Logon Scripts: A Token Effort

2008-02-04T03:00:00.000-05:00

How many of you have been struggling to make your logon scripts work when Vista's UAC is enabled? (I'm holding my hand up here.) Let me share my effort with you so you can avoid the same problems.

Basically all of the difficulty stems from the way UAC isolates processes. Logon scripts are processed by a process :-) - it's important to know what integrity level the process operates with and what token the end user is using. (If this last sentence made no sense to you, you better read my article Let's Talk UAC for the Enterprise before continuing.)

I'm sure many of you have read or been told that launching scripts by Group Policy Objects (GPO) is the way of the future. Indeed, I too was launching my scripts via GPO, but it is this very thinking that got me into trouble.

Logon scripts launched via GPO are processed using the user's "highestAvailable" token. This causes resources such as drive mappings to be associated with that Full Token. The other thing to remember is that the user's session and desktop are then presented using the Standard Token. There's no problem for basic users because they only get one token - their Full Token and Standard Token are one and the same.

But UAC starts causing troubles for all the other users who have split tokens (Administrators, Power Users, etc.) - anyone with two tokens. The GPO maps drives as a resource of the higher token and the user is left to operate in Windows with their lower token. UAC prevents the lower token from seeing the resources of the higher token. Therefore the users don't get the mappings you've assigned them.

It's unfortunate that Vista isn't smart enough to process scripts and assign resources against all the user tokens it creates during the logon process. But Microsoft is aware of the problem and has tried to offer a few solutions (none of which work 100%). The first and most common solution offered comes from their guide, Deploying Group Policy Using Windows Vista
- the Group Policy Scripts can fail due to User Account Control section describes the problem (but not entirely accurately). It goes on to offer a solution that I will call the LaunchApp solution.

The LaunchApp Solution

The LaunchApp solution suggested by Microsoft is a horribly kludgy affair that doesn't work 100%. Basically, Microsoft is providing a LaunchApp script that is capable of creating a scheduled task that launches another script. Microsoft just expects your logon script GPO to call the LaunchApp script instead - that will then schedule an immediate task to run the script you originally wanted to use to map drives. (confused yet) The idea is that the scheduled task will trigger your script to run once the desktop is created, which will cause it to run using the user's Standard Token rather than the user's Full Token. The users will then be able to see the mappings because they are operating with the same token that has been assigned the mappings.

Some small problems...
1) The scheduled task fires off when the Desktop session is created. The other thing that fires off at that moment is anything in the user's Startup folder. One nice example is Microsoft's own Outlook product. Users typically put that in the Startup folder so that they always see their e-mails. It will often be configured to store things like a Personal Address Book on a mapped network drive - guess what hasn't been mapped yet when Outlook goes looking for a PAB file? The results aren't so good.

2) The LaunchApp acrobatics gets the mappings to associate with the Standard Token but still does nothing for the user's elevated token. When a user elevates a program, all mappings are unavailable to the elevated program. Quite an inconvenience to say the least.

The Merged Mapping Solution

Microsoft's latest suggestion for solving the mapping problem is described in KB937624. I call this the Merged Mapping solution - it is by far a better solution, but it also has its problems. Basically, Vista has a wonderful little registry key that tells it to merge the drive mappings between all of a user's tokens: HKLM \Software \Microsoft \Windows \CurrentVersion \Policies \System \EnableLinkedConnections = 1. What could be simpler right? Create this key on every workstation and it will tell the OS that the mappings associated with one token are to be mirrored into the other token as well.

I'm not sure if Vista understood that key right out of the box or whether it was added later as part of a hotfix. All I know is that I was made aware of it rather late in the game. I did use this solution for a while before discovering the problem it has...

When I first implemented it, it worked great. Mappings created against one token were made available against the other token - no matter whether the user was an Administrator or a Power User (remember Full Administrator Token vs. Full Token). Well, the installation of Service Pack 1 (SP1 RC1) changed all that - Vista stopped merging mappings between the Standard Token and a Full (non-admin) Token. It now only merges mappings between the Standard Token and a Full Administrator Token. -- Not so good when all of my users are Power Users -- completely useless in fact.

I've opened a Premier Support call on this problem. It's been over a month and they are still trying to decide if it is really a problem or if there is an easy solution. You see, if you read the KB article mentioned above, you may notice that it only mentions it as being a fix for Administrators and doesn't mention other cases at all (but I know it used to work!) -- I of course thought that the discussion of only Administrator wasn't a specific limitation but rather Microsoft's usual over-simplification of the discussion. I'll update this post when I know more.

The AD Profile Solution

Ultimately, I found the best results for mapping drives were achieved by avoiding the logon script GPO entirely. Instead, I fell back on a tried and true method that has been around for a decade or so - I now launch my logon scripts via user profile in Active Directory.

Not only is this method extremely simple, but it is extremely effective. Logon scripts launched in this way are processed with the user's Standard Token - the same one the user is using when they are first presented with their desktop. It doesn't matter if the user is a Basic User, Power User or Administrator - the user will be able to see the mappings assigned to them because they are associated with the correct token. Stop wasting your time with a GPO script - it's not worth the effort.

Despite the script being processed by a Standard Token, it is still processed before the desktop is made available to the user. This ensures that all drive mappings are created before any application in the user's Startup Folder are processed - all applications in the Startup Folder should launch successfully as a result.

If you choose to adopt this new old approach, I still recommend you implement the merged mapping solution described in KB937624. In your environment it might merge the mapping with all types of user tokens, or it might just merge them for administrators - either way it will still be an improvement. Keep in mind though that this solution cannot do anything to merge mappings between two different user accounts. So it cannot help enterprises that make an administrator use a standard user account for routine tasks and then a separate administrative account for admin tasks. (I will be looking for solutions to this in future articles.)

GPAnswers: Group Policy Preference Extensions

2008-02-01T23:28:00.000-05:00

If you are an enterprise administrator responsible for GPOs, I'm sure you've heard of Jeremy Moskowitz and his GPanswers.com site. If you haven't, it's high time you did.

GPanswers has an active forum of knowledgeable people trying to deal with GPO issues. Being the author of the book Group Policy: Management, Troubleshooting, and Security, Jeremy has a lot of knowledge to share. He also offers courses to those who really want to get into it.

Anyway, he just wrote a great introduction to Group Policy Preference Extensions (GPPEs) that you really should check out:

The original Group Policy feature set includes items like Administrative Templates, Software Installation, Security Settings, and Folder Redirection Settings. In all, there are 18 things you can do with the original Group Policy. The Group Policy Preference Extensions feature set adds 21 new features to the existing set, bringing the total number of categories to 39. The goal of the GPPEs is to help you do more with Group Policy and reduce the reliance upon logon scripts. The kinds of things administrators have always wanted to do using Group Policy are now available...

Let's Talk UAC for the Enterprise

2008-01-29T01:45:00.000-05:00

In my initial UAC article UAC: An introduction to User Account Control I provided you with links to lots of UAC literature. My hope was that you could use that literature to get yourself up to speed on UAC and start to mull over its implications. I plan to write future articles that build on that basic UAC knowledge by examining aspects specifically relevant to enterprise administrators. But I realized that those links provide an overly simplified model of UAC (believe it or not). The literature is very focused on the workstation OS itself and does not consider administrators that have rights outside the OS - my article UAC: Local Admin vs. Domain Admin discusses this.

I present here a glossary of terms for UAC that will accommodate future discussion of UAC in the enterprise environment:

Accounts / User Accounts: generally refers to any users or userids in your environment.

Local Account: is a user account that has been created on a local Vista workstation and has no standing in the Active Directory Domain. Vista's default Administrator account is a good example.

Domain Account: is a user account that has been created in Active Directory and has standing in your enterprise's domain.

User / Standard User / Basic User: is a user that has standard user privileges on the local workstations. The user will be a member of the predefined local group Users and will have only basic rights. It is assumed that the user also has no extraordinary rights out in the domain, unless otherwise stated. The words 'standard' or 'basic' are used to emphasize this user's lowly status :-) Standard Users receive only a Full Token at logon time.

Power User: is a user that belongs to the predefined local group Power Users. Users are made a member of this group for legacy backward compatibility purposes and are not expected to receive any additional rights. However, Power Users do receive both a Full and Filtered Token at logon time. This is different from a standard user and will affect the behavior of UAC. I use the Power User for examples where I need a user with a Split Token without having a Full Administrative Token.

Administrator / Local Administrator: is a user who belongs to the predefined local group Administrators. This user has full administrative rights over the local Vista OS, but doesn't necessarily have any administrative rights on the domain. Local Administrators receive both a Full Administrator Token and a Filtered Token at logon time. A lot of UAC discussion is focused on this type of account because it is the one that has the most potential to be used to do damage to a system.

Domain Administrator: I don't use this term to refer specifically to an actual Domain Administrator, rather I use this term to refer to any user that has some administrative privileges on an enterprise's AD domain. A Domain Administrator is not necessarily a Local Administrator. In many environments Domain and Local Administrator rights are granted separately.

Token / Access Token: Tokens are assigned to user accounts at logon time. They contain data on a user's group membership, authorization and access. They are used to control what Vista resources and tasks can be accessed by a user account. Windows XP assigns only one token per user - Vista assigns up to two tokens per user when necessary. It is UAC that controls which available token is used or whether additional tokens must be assigned.

Standard User (Access) Token: Every account that logs into Vista is assigned a Standard User Token. Standard Users are assigned only one token, and this is it. This token represents all of the privileges of a standard user. Even administrators receive this token - it is the token they use when performing routine activities in Vista.

Full Administrator (Access) Token: Accounts that belong to the local Administrators group are assigned a Full Administrator Token in addition to a Standard User Token. This token represents privileges over and above those of a standard user - it is the token used when performing administrative tasks.

Full / Unrestricted (Access) Token: The highest access token available to an account is referred to as a Full Token. For Standard Users, the Full Token is the same as the Standard User Token. For Administrators, the Full Token is the same as the Full Administrator Token. But if an account has more rights than a Standard User and Fewer Rights than an Administrator, the account receives a unique Full Token that represents those extra rights. Accounts that are members of the following groups receive a Full Token in addition to a Standard User Token: Power Users, Account Operators, Server Operators, Printer Operators, Backup Operators.

Filtered / Restricted (Access) Token: You've already met the 3 possible tokens an account can receive. The term Filtered Token is used to refer to the Standard User Token for accounts that receive more than one token. Standard Users do not receive a Filtered Token because they did not have any extra rights that needed to be "filtered away".

Split (Access) Token(s): Accounts that have been assigned two tokens are referred to as having Split Tokens because their rights have been "split" between two tokens. Their Standard User Token represents their standard rights and their Full Token represents any additional rights they may have. Sometimes the term "Split Token" is used to refer to a user's Filtered Token.

Default (Access) Token: The Default Token is the first token that an account is using after it has initially logged into Windows Vista. Explorer.exe will have been run using this token in order to present the Desktop to the user with the least privileges possible. Now let's see if you've been paying attention :-) Which of the above tokens is being used at this point? Actually it's easier to ask which token can't be used at this point -- The only token which could not be used by default is a Full Administrator Token - Administrators would have a Standard User Token which would be getting used instead. For Basic Users, their Standard User Token would be used - which is the same as their Full Token. For other types of users, their Standard User Token would also be used - but it could be either their Filtered or Split Token. Confused yet?

Elevation / Elevated Process: It is difficult to have a technical discussion about Vista without someone using the word "Elevation". Vista protects itself by only allowing users with a limited security level to launch processes at a similar security level. The more secure operation a user wishes to perform, the higher level they must operate at. The user must have a sufficient Access Token to be able to Elevate a process to a sufficiently high security/integrity level. An Elevated Process is usually one that has been launched by someone with a Full Administrator Token and runs with a High Integrity Level.

User Interface Privilege Isolation (UIPI): Is the new Windows Integrity Mechanism that provides a barrier around elevated processes in Vista. All processes and objects have integrity levels that restrict the accesses that are granted to a process by the Windows Discretionary Access Control (DAC) security model.

Integrity levels (IL): Processes can have one of four Integrity Levels: Low, Medium, High, System. Internet Explorer runs at a Low IL so that it is prevented from doing any harm to the system. The Desktop and most user applications have a Medium IL and can be accessed by any user (Standard User Token). Most administrative processes, such as Computer Manager, have a High IL and can only be accessed by users with a Full Administrator Token. Other tools like Regedit can be run with a user's Full Token (whatever that might be) and will only allow access to appropriate areas of the registry. System is the highest Integrity Level - normally only some services and some system processes run with System IL. The UIPI prevents processes operating at a lower IL from accesses processes with a higher IL, but there is a Medium IL process called uiAccess that can actually access High IL processes. uiAccess is needed to give user interface devices such as mice and keyboards access to all processes.

Elevation Prompt: When UAC detects that a process is to be run with a higher Integrity Level than the current process or user token allows, an elevation prompt is presented to the user. An elevation prompt serves two functions. First, it ensures that the user is aware when processes are trying to access more sensitive areas of the system. Second, it gives the user control over the granting of that access.

Consent Prompt: Is a type of UAC Elevation Prompt. If UAC determines that the current user has an available token of a sufficiently high Integrity Level (such as Full or Administrator Token), the Consent Prompt will be used to elevate a process. The Consent Prompt simply asks the user to Consent to the elevation by choosing to "Continue" or "Cancel".

Credentials Prompt: Is a type of UAC Elevation Prompt. If UAC determines that the current user does not have a token of sufficiently high Integrity Level (maybe just a Full or User Token), the Credentials Prompt will be used to elevate a process. The Credentials Prompt asks the user to provide a username and password of a user who would have sufficient rights. Vista will then create the necessary token for that user and use it to elevate the process -- In fact, Vista will revert to an entire profile for the user with the high token and run the elevated process within that environment, using different shell folders, etc.

Manifest: Applications developed for Vista should have an accompanying Manifest that specifies what token is needed for successful execution of the program. When a manifest is found, UAC will kick into gear and ensure that the requisite tokens are used to properly elevate the application. In addition to manifests, Vista has predefined other processes and application types that need elevation. Users also have the option to manually force elevation when launching applications.

highestAvailable: can be specified by a manifest. It tells UAC to elevate the user to the highest token available. No elevation is necessary if the calling process is already using the highest token, or if it's a Standard User who only has one token anyway.

requireAdministrator: can be specified by a manifest. It tells UAC to elevate to a Full Administrator Token. Any Full token is not sufficient - the user must be a member of the local Administrators group in order for elevation to succeed.

Microsoft Windows Releases

2008-01-22T23:50:00.000-05:00

This post is a week late - but some of you may not have heard. Microsoft has released a new Release Candidate for Vista Service Pack 1 called "SP1 RC Refresh". ZDNet brought us news of the release: Near-final Vista SP1 goes public

In other news... Rumors have already started to fly about Microsoft's next Windows platform - Windows 7. It sounds like Microsoft is moving the release date forward to next year: Vista successor, Windows 7 to be released next year?

Need to Virtualize Vista Home Versions?

2008-01-22T00:12:00.000-05:00

This just in - Microsoft is finally easing their license restrictions that prevented you from installing Vista Home Basic and Vista Home Premium in a virtual environment: http://arstechnica.com/news.ars/post/20080121-microsoft-relents-vista-virtualization-ban-lifted.html

This will be great news for some of my past clients. I have no idea why Microsoft erected this false barrier to Vista Home adoption in the first place. Developers test in virtualized environments like VMWare - preventing them from testing their products on Home editions of Windows Vista does the end user a great disservice.

Disabling UAC

2008-01-20T00:12:00.000-05:00

Tonight I'd just like to make some quick comments about people disabling Vista's User Account Control (UAC) feature. If you have been doing any research on Vista you've read people's complaints about UAC and the constant UAC elevation messages.

In an effort to minimize the messages and smooth the computing experience, many people have opted to disable the UAC feature:

Indeed, this may be a valid alternative for home users since home editions of Vista don't support configuration of UAC behaviors such as Admin Approval Mode, Elevation Prompt behavior or application installation behavior (see Microsoft's Windows User Account Control Step-by-Step Guide). But the decision to disable UAC should not be taken lightly - particularly in an enterprise environment.

Everyone must understand that Vista's UAC is much more than a set of prompts that irritatingly pop up at the most inopportune times. UAC is a vital part of Vista's architecture that touches many aspects of the system. When UAC is disabled, other Vista security features such as Registry Virtualization and Protected Mode for IE7 also stop functioning.

Another thing to consider is that Vista really was developed around the UAC functionality. It may not be so easy to anticipate how all of Vista's technologies will behave when UAC is not active. A case in point is the configuration of network printing. Philip Wiffen's Mind Circus blog points out that it's not possible to install a shared network printer when UAC is disabled -- Thankfully he also points us to a Microsoft hotfix to correct this.

My point is, think long and hard before disabling UAC. If it's the prompts that are giving you and your users grief, look into some of the UAC configuration options that can mitigate things a little. I'll provide more information about these in the future (but I've got a few other articles to write first).

Service Pack 1 (SP1) for Vista is coming

2008-01-12T22:15:00.000-05:00

Release Candidate 1 (SP1 RC1) has been available for a few weeks now. People have started kicking its tires in hopes that it will fix a lot of what's broken in Vista.

I know in my case SP1 RC1 has amalgamated a lot of past hotfixes but many of the fundamental architecture and feature problems remain. Can you believe that SP1 RC1 contains almost 500 hotfixes!?! That's roughly two hotfixes a day since Vista was first released.

For a complete list of the hotfixes included in SP1 RC1, check out the documentation Microsoft just released: http://technet2.microsoft.com/WindowsVista/en/library/b984ce70-701b-4565-868e-51d1ba47555d1033.mspx?mfr=true

I'm also here to tell you that SP1 RC1 has exhibited some unexpected behavior that has broken some functionality I rely on:

1) I happen to use the registry setting described in KB937624 to make my drive mappings visible between a user's filtered and elevated UAC tokens. It had been working beautifully for me until I installed SP1. SP1 continues to allow the registry setting to do its job for administrative users but has stopped functioning for Power Users. I am working with Microsoft to find out why.

2) Remember my clever registry hack that fixes Folder Redirection data moves and improves application compatibility and the user experience? (If you don't, take a look at the articles: Folder Redirection: Misbehaves after target move , Folder Redirection: A case study) Well, SP1 makes that hack fail in a spectacular way! When Folder Redirection encounters a mapped drive letter in the registry at boot-up time, it decides the best course of action is to completely delete the corresponding redirected folder on the network! It completely kills the folders! Not only that, but the Users Files Folders appear as blank icons with no labels or properties. The Folder Redirection Functionality is permanently broken. I haven't found a smooth way to recover - other than to delete the user's profile and start fresh. This is just nasty. I am working with Microsoft to find out why this is happening and hopefully find a solution (this didn't happen in the SP1 Beta version by the way).

The hack does still work if a UNC path is used instead of a drive letter. I will modify my two articles (linked to above) to reflect the new reality and remove all mention of drive letters. Sadly, although the move data problems will continue to be avoided with the hack, the application compatibility and better user experience features have been lost.

Here's hoping that the final version of SP1 will make all of our problems go away.

Local Administrator Trumps GPO

2008-01-07T03:19:00.000-05:00

Okay, I admit, I'm a big fan of Mark Russinovich. I may be biased because this guy modifed PSExec for me, but I believe he has some great stuff to teach us. His latest Technet blog article is a case in point: http://blogs.technet.com/markrussinovich/archive/2008/01/02/2696753.aspx

I've always assumed that GPO settings I create to manage my organization's desktops and users give me ultimate control. It didn't matter what setting someone changed locally, if I had a contradictory setting in my GPO then it would get changed back in short order. How wrong I have been.

Mark's blog shows local administrators how to use regedit to set permissions that will prevent GPOs from being able to configure their settings. Don't forget that although you may edit GPOs using pretty GPMC templates, the policies only manifest themselves on a local machine by making changes to registry settings. If the system loses its right to change a registry setting then the GPO is essentially neutered. This is not new to Vista - this was also possible in XP.

I don't like DRM

2008-01-07T03:02:00.000-05:00

This is a little off topic, but I've never been a fan of Digital Rights Management (DRM). I understand that intellectual property owners must protect their property, but too often DRM is used to maximize profit at the cost of a consumer's fair use. But I find that DRM has backfired. Consumers aren't dumb. They know when they are being punished for being honest citizens and they see the pirates enjoying a better quality experience for free. DRM is driving people away from legal sources of intellectual property. Publishers finally seem to be realizing their mistake and are slowly abandoning DRM.

But in the mean time, DRM content is still being sold and there have been a few buyers. Here's an interesting DRM experience documented by a Vista user:

http://davisfreeberg.com/2008/01/03/bad-copp-no-netflix/

Not only has DRM driven people away from media products but there are people who have sited it as a reason for not moving to Vista. This is the first concrete example I have seen that validates those people's fears. It's one of the reasons I have chosen to only use Vista on my laptops at home.

UAC: Local Admin vs. Domain Admin

2008-01-03T03:53:00.000-05:00

My article UAC: An introduction to User Account Control links to a number of UAC articles - many written by Microsoft. Have you noticed that virtually every article talks about administrator accounts in a generic sense and never distinguishes between a Local Administrator or a Domain Administrator?

These two types of administrators are very different beasts. A Local Administrator is a user that has been made a member of the Administrators group on a local Vista computer. This user basically has complete access to do anything they want on the local Vista computer. What I call a Domain Administrator (for purposes of UAC discussion) is a user who has administrative rights of some kind on the enterprise domain. They don't necessarily have to have full domain admin privileges - they might just have rights to administer a specific OU in Active Directory for instance. The thing to notice is that these two types of administrators are very different and you can very easily be one type without being the other. It bothers me that this distinction is not made when talking about UAC.

When talking about UAC, Microsoft seems to think that if you are a Local Administrator you will also be a Domain Administrator. I say this because Microsoft never makes the distinction between one type of administrator or another, and indeed, UAC works very well for this scenario. But the wheels kind of fall off if you are only a Domain Admin or only a Local Admin. Let me explain...

Being a both a Local and Domain Admin

Microsoft's Getting Started with User Account Control on Windows Vista is a fine example of a document that talks about UAC without ever making the distinction between a Local and Domain administrator. Here is an excerpt where it shows the experience for an administrator performing an "administrative task":

User Account Control consent prompt
The following example shows how an administrator in Admin Approval Mode is prompted for consent when attempting to perform an administrative task.
To view the consent prompt
Log on to a Windows Vista computer with an administrator account in Admin Approval Mode.
Click the Start button, right-click My Computer, and select Manage from the menu.
At the User Account Control dialog box, click Continue.

After reading this you will be forgiven for thinking that Microsoft's Active Directory Users and Computers (ADUC) tool would also be included in this behavior since it is typically used for "administrative tasks" (and I think if you are reading this blog you will be well aware of how dangerous this tool can be). If you happen to be a Domain admin in addition to a Local admin, you will indeed see that you experience a similar behavior for ADUC. If you attempt to run ADUC, you will be presented with the Consent Prompt.

If you are a fan of UAC, you will like what you are seeing at this point.

Now lets watch the wheels fall off this UAC wagon...

Being a Domain Admin Only

I have worked in many large enterprises. I have found that financial and military organization like to exercise a great deal of control over their computing environments. Typically these organizations will give you the rights you need to do your job but no more. This typically means that you may well be a Domain Administrator with rights to manage users, but will only be a standard user on your computer with no rights to even change the screen saver. With this scenario in mind, let's see what happens...

It turns out that Vista will NOT notice the awesome power that this user holds on the domain. Vista will only see that the user belongs to the lowly local User group and will treat the user as such. If this user attempts to run Manage for instance, he will not receive the Consent Prompt, but rather will be presented with the Credentials Prompt so that he can enter the credentials of someone with the appropriate rights. -- So far so good.

Now let's try running ADUC. One would expect that Vista would consider this to be an "administrative task" and offer up the Consent Prompt to our all powerful Domain admin. But this isn't what happens at all. Vista simply runs ADUC for you with no UAC elevation prompt at all. It turns out that Vista has only seen the user's lowly Local User status and apparently decided that the user can do no harm on the domain. Try GPMC - the same thing happens.

It turns out that if these organizations try to create a more secure environment, they lose the benefit of UAC protection on their domain. If a trojan gets onto the computer of a Domain Administrator who is just a member of the local User group, the trojan can go about its business of touring the domain unchallenged.

Being a Local Admin Only

Now let's consider the experience of a more liberal enterprise. Perhaps this organization specializes in application development or has a large number of traveling users who must be able to modify their laptop configurations. This organization will have made the decision to make their users a member of the local Administrators group whether or not they are also Domain Administrators. Let's see what happens to one of these Local Admins who has no rights to administer the domain...

If this user runs Manage, he will be presented with UAC's Consent Prompt and be able to manage his computer as he sees fit. This is expected behavior. Now what happens if this user runs ADUC?

Remember what happened previously? You might expect that since the user has no rights on the domain that ADUC would simply let the user in to browse the domain. This shouldn't be considered an "administrative task" because the user doesn't actually have the rights to make any changes in our domain.

But again, Vista has no idea what is happening out in the domain, it is only making decisions based on what it can see locally. Since the user is a member of the local Administrators group, it decides that an "administrative task" might be occurring and prompts for consent. At this point you might be thinking "You're splitting hairs Gord, I can live with an extra Consent Prompt." -- you can't.

Here's where the wheels fall off. If the user just wanted to browse the Active Directory then an extra Consent Prompt is no big deal. But what if a change in the domain is needed? Obviously this user doesn't have the rights, but he likely has a Domain Administrator doing some "over the shoulder" work for him. This Domain Administrator has probably walked up and seen what the user's problem is and now wants to quickly tweak something in the user's AD profile or something.

Remember that when ADUC is run, Vista thinks that it is the user (Local Admin) running it. It presents the Consent Prompt. The Consent Prompt does not offer a way to enter any credentials for another user. You either Continue or Cancel. UAC actually entirely prevents the "over the shoulder" Domain Administrator from being able to do his work. If the user had been a lowly local User, then a Credentials Prompt would have been presented and the Domain Administrator could have continued on with his work.

Now at this point some of you experienced enterprise admins are smirking to yourselves thinking I have forgotten about the secret Run As... option on a shortcut's context menu. I've got news for you - in Vista it is now called "Run As Administrator" and it won't work. The only way you can use RUN AS in the traditional way is through a DOS CMD prompt. (More about this in a future article.)

Another work around to this problem is to do a "Fast User Switch" where the domain admin quickly creates a second session for himself where he can do his work. But there are problems with Fast User Switching which cause some organizations to turn this feature off. (More about this in a future article.)

All Said and Done

So when it's all said and done, how do you think UAC will impact your organization? Like many Vista features, there are many ways to use UAC but there are also many unexpected behaviors that manifest themselves. UAC does have 8 GPO settings that can change UAC's behavior in ways that may help your organization. I will be covering these in future articles.

The important lesson to take away from this article is that you cannot assume anything in Vista. When architecting your environment, test every possible scenario you may have and understand how Vista is going to respond - it often won't respond in the way you'd expect.

By the way, Microsoft assures me that they are working on a solution to the problem described above. It will be interesting to see what they come up with. Of course, this is also a warning to keep your eyes peeled for more unexpected behavior as these behaviors get changed in a future hotfix or service pack :-)

Watch for future articles where I get down into the details and explain how Vista makes some of the decisions it does.

UAC: Vista UAC vulnerabilities

2007-12-21T01:45:00.000-05:00

I just found out about an important security update for Vista: KB943078. Betanews published the related article Microsoft acknowledges Vista kernel elevation vulnerability on December 14, 2007 that links to the Microsoft Security Bulletin MS07-066 - Important. Basically, a vulnerability has been found that enables a trojan to elevate itself to full administrator without the user's knowledge, thereby gaining complete control of the system. (This is what they mean when they say that UAC is not a security boundary.)

While we are on the subject of vulnerabilities, here are some other oldies worth knowing about...

PC World published the article Vista's UAC Warnings Can't be Trusted, Symantec Says on February 22, 2007. Basically this is a vulnerability that tricks a user into thinking it is safe to elevate a process. It does this by tricking the system into displaying the trusted green elevation dialog that indicates that the elevation request is coming from a trusted Windows process rather than from an unknown process (that would be displayed with a yellow/orange title bar). You can see samples of the various elevation dialogs here: Getting Started with User Account Control on Windows Vista

That was followed up by eWeek.com on May 16, 2007 with the article Researcher Reveals 2-Step Vista UAC Hack. This article shows that the theoretical vulnerability found by Symantec could actually be exploited. Remember, that this exploit is a weakness in the design of UAC so it won't be patched like was done with the critical security update above. This is a good reminder that your user population should not be given administrator privileges unnecessarily.

While we're on the topic of weakness in UAC design, you will want to have a look at ZDNet's article Hacker, Microsoft duke it out over Vista design flaw posted February, 2007. It points out the compromises made to Vista's elevation procedures when it comes to installing legacy applications. It is important to note that Vista's requirement that you must be admin to install some of these applications is less secure than XP where sometimes you had the opportunity to install products with only basic user rights.

[EDIT 22/01/2008] George Ou who blogs on ZDNet wrote a thoughtful article discussing the link above. He spoke with the two parties involved and got some good insight. Read: What the UAC 'hole' is really about

I also found another article written from the perspective of third party Vista security vendors: Reports of Vista's security weakness 'overblown'
[/EDIT]

UAC: Is Windows Vista secure?

2007-12-13T03:02:00.000-05:00

It's the question everyone's been asking. Is Windows Vista secure? The short answer is - "NO". A more fair question is, "Is Windows Vista more secure than XP?". It also happens to be a much harder question to answer.

The short answer is, "Maybe, maybe not.".

Want to watch a senior Microsoft architect attempt to answer that question? This is a one hour interview with Mark Russinovich, Technical Fellow with Microsoft's Core OS team (I have a lot of respect for this guy - he has a lot to teach us.). The Vista security discussion starts at the 18 :45 mark. The topic of rootkits comes up at 31:30. If want to skip the deep architectural discussions or need to cut to the chase quickly, start watching at 39:40.

I have asked the question of security here because it gives me a chance to talk about UAC and Vista security at a more general level before my future articles just deal with individual pieces of technology. There are some important things for you to think about if you plan to deploy Vista in an enterprise.

I should mention that you will want to have some understanding of UAC before reading this article. For a primer on UAC, read my article UAC: An introduction to User Account Control and follow one of the first links.

To be fair, Vista has been built from the ground up with an eye to security. It isn't just User Account Control (UAC) - there are many, many features which combine in an attempt to provide security. Vista has architectural details like the integrity levels that separate the kernel, system, and users or the Address Space Library Randomization (ASLR) which makes system calls harder to find. Microsoft has also added features like Bitlocker and Windows Defender to help protect Vista. Even applications like Outlook and Internet Explorer do their part to lock down the OS.

One of the problems keeping Windows Vista from being secure is that it is the evolution of an insecure product. All new technologies must accommodate the architectures that came before. Vista must remain compatible with past applications developed for XP or risk alienating all of their customers. Not only has Microsoft had to add features like Virtualization and UAC to aid Vista with backward compatibility, but it has had to make fundamental accommodations in its architecture as well. Let's face it, Windows operating systems are general purpose platforms that try to meet the needs of home and enterprise users on countless hardware platforms - the OS must be pliable and customizable in order to make it work in each environment. It is the customizable element of Windows Vista that makes it vulnerable.

I feel strongly that Vista is not where Microsoft wants to be with security. Rather, it is a transitional OS that is leading the industry to where Windows must go. Currently, Vista must allow many program installers administrator access so they can reconfigure the OS. Vista must allow unsigned drivers to execute. Vista is unable to cordon itself off behind security boundaries but must instead put up numerous walls and gates in an attempt to confuse and slow the advance of rogue elements. Although Vista has separated itself between system and user environments, there are few applications that currently respect this division.

Let's expand this last point as an example of insecurity. Microsoft's marketing would have you believe that Vista is secure because it now makes it possible for users to operate without administrator privileges. This may be true someday, but the reality is that it isn't feasible now. While it is true that Vista can run some applications with Standard User rights instead of the Administrator rights required under XP, the truth is that there are still a high percentage of applications that require full administrator rights in order to install - or even function. Every time an installer must be elevated to admin or a user must be given local administrator rights permanently in order to use an application, rogue elements are given an opportunity to flourish. The opportunities may be fewer than with XP, but I think they are still too numerous to make any real difference today. I do expect this situation to improve in the future as applications are redesigned to accommodate the way Vista wants to lock down the OS.

It has been argued that the UAC prompts one receives when the core system is being accessed by a process will limit the power of a rogue element to function within the system. I don't give this argument much credit. I think well written trojans will arrive that can skirt many of these protections. I think a user's ability to know when to disallow elevation of a process will be spotty at best. But the biggest problem that I have is with access to data. All of Microsoft's discussions about security are very much focused on the protection of the OS. Although that is well and good, I can rebuild an OS automagically within hours - my real concern is for my data. UAC will not give me any prompts if an existing trojan begins to send all of my database files on the network to a remote pirate's server.

In my view, it is UAC itself that causes Vista security to lose points to Windows XP. In many cases, UAC requires users to enter their admin credentials (username/password) in a dialog box. The appearance of the elevation dialogs can feel unpredictable to most users. This dialog box can be easily spoofed. If a trojan creates a real looking dialog box and presents it to the administrator at plausible times, it can harvest username and password combinations and send them out to the web. This really wasn't a problem in XP because elevation to an alternate account was much more rare and in those situations it was always a user initiated action with one predictable dialog appearing.

UAC also has people and process problems that may lead to reduced security. Most of Microsoft's UAC documentation speaks of splitting the user's token between user and admin functions as a way of protecting the system. People can't be faulted if they begin to believe that one account for administrative users will be sufficient - but this isn't the case. Heed Microsoft's warning in Chapter 2 of the Windows Vista Security Guide that discusses the need for admin and user accounts to separate out an administrator's tasks. This is about the only place you will find this discussion. The process problems come when you learn how UAC elevation works. You will find that UAC wasn't really designed with Microsoft's security ethos in mind. UAC can really fight you in some situations when you use a two account model. (There will be lots of future discussion on this.) Functionally, the biggest roadblock is the loss of the Run As context menu action to the "smarter" Run as Administrator context menu action (I'll talk more about this in the future as well).

The thing that I think helps Vista score the most security points against XP, is the support it gets from Outlook and Internet Explorer. These two products are the entry points for the bulk of the attacks against our systems. These products work very hard with Vista to limit the power of rogue elements that come from either of these sources. It is Vista's architecture that makes this possible. But there are problems even here. Outlook and Internet Explorer have become so restrictive that it can be difficult for internally developed scripts to send messages or display html info. In fact, I have seen instances where Outlook and Internet Explorer have been elevated to full administrator status in order for systems to continue functioning - kind of defeats the purpose doesn't it?

In the end, I grudgingly give the security trophy to Vista for three reasons. Vista can be customized to mitigate some of its weaknesses (i.e. forcing CTRL+ALT+DELETE before every elevation). Microsoft will adjust Vista as they learn how we enterprise administrators wish to use it and we'll adapt our security policies and procedures to it as well. But the main thing Vista has going for it is that it is new and there aren't many trojans and spyware programs written to work against it yet. It will be interesting to see what the future holds.

Vista's support for multiple languages

2007-12-10T23:56:00.000-05:00

In my article User Files Folders are Bilingual, I talked briefly about Vista's multilingual features. A coworker of mine took a Vista screenshot that I thought I should show you guys. It sums up Vista's support for languages other than English rather nicely:

This Vista OS was installed using the French language. If you view the full size image, you can see that it changes icon labels and things to the French language quite nicely. In fact, it is remarkable how much the root English OS can transform itself into a French looking OS. But presented here are some of the things that betray the underlying English OS.

If you look at the Windows Explorer window, you will see the folders you would expect to see on a French Vista OS - namely Programmes for the Program Files folder and Utilisateurs for the Users folder. But it turns out that these folders aren't really there. Windows Explorer knows to present those names because of the Desktop.ini file that each of those folders contains. The folders have a Friendly Name just like the User Files Folders do (see User Files Folders are Bilingual).

To see the real underlying name, one just has to go to a DOS CMD prompt. The CMD prompt does not interpret the Desktop.ini. You can see from the example provided that the Utilisateurs folder cannot be found but the Users folder can be. I don't know why Microsoft never saw fit to make the CMD prompt smart enough to interpret the Desktop.ini file. But it's probably a good thing they didn't because they also never made the Windows Explorer smart enough to suppress interpretation of the Desktop.ini so that the real file folders could be managed. (This was highlighted as a big issue in my article Folder Redirection: Not to the user's home directory.) It is a shame that the two views of the folders can't be consistent and that we users have to be smart enough to understand what is going on here.

Now the third example in the screenshot is something I really don't understand. Did you notice the Start Menu? When you type "C:\" in the Search Box, the start menu endeavors to show you the files and folders on the C: drive. But it doesn't show you them the way the Windows Explorer shows them to you - it chooses to show them to you the way the DOS CMD window shows them to you - without the Desktop.ini interpretation. I don't know why it does this since I would expect this GUI interface to be very much a user interface - whereas I can forgive the CMD oversight since it is often just used by administrators who hopefully have half a clue.

What's also puzzling about the start menu behaving this way, is the fact that the "Search Box" is supposed to be used to search for stuff on your computer - but it won't find the Utilisateurs folder because it doesn't interpret the Desktop.ini.

Now here's a question... If you are writing a guide for French users, which folder path would you tell users to follow?

C:\Programmes\...
C:\Program Files\...

The first choice is in the language of your users and is likely the folder name they are used to from the Windows XP days. This folder can be easily browsed to using Windows Explorer. But if the user actually types the path into the Search Box or into a CMD window, the path will be invalid.

The second choice is clearly not in the user's language and not a name they are familiar with. The user can't even browse to it since Windows Explorer doesn't display that folder name. BUT if the user types the path into a CMD window or Search Box or Windows Explorer address box, the path will be valid and succeed.

Which do you choose?

UAC: An introduction to User Account Control

2007-12-07T01:20:00.000-05:00

It's high time that I get on with my articles about UAC. I have a lot of good info to share - so come back often to read the latest articles about UAC. Let's try to make sense of it together.

User Account Control is one of the major features of Windows Vista. Vista's UAC feature touches all aspects of the operating system and certainly has a huge impact on the user experience. It changes the way users, administrators and developers work within the environment. If you are going to work with Vista, it is important that you understand this feature.

Because the details of UAC are so diverse, it is not possible to describe them to you in one short article and leave you with a good understanding. Instead I present to you many of the best UAC articles I have found on the web.

In future articles I will build on the general information presented here. I will tackle individual aspects of UAC and discuss strategies for coping with the new paradigm as an enterprise administrator.

You will probably want to read these pages in the order I have presented them. They start with general concept and progress to in-depth analysis:

Wikipedia: User Account Control
Read this. The best introductory article on UAC. It avoids the romp through the UAC feature acronyms and gets down to the business of explaining UAC to you. It should give you a good grounding for the rest of the articles to come.

Getting Started with User Account Control on Windows Vista
This is a very nice Microsoft article that does it's best to describe how UAC manifests itself when a user or administrator wants to go about his daily tasks. It shows the different prompts one would see and provides sample actions that would trigger their appearance. Different UAC configuration choices are also discussed.

Inside Windows Vista User Account Control by Mark Russinovich
Ready for some detail? This article is quite heavy on the technical details, but if you can get through it, you will have a very good understanding of UAC.

Understanding and Configuring User Account Control in Windows Vista
This is a very long Microsoft document aimed at most IT professionals. It gives a tour of many of the UAC features from an administrator's perspective. It covers concepts like Integrity Levels, Elevation Prompts, Admin Approval Mode and Application Compatibility. It attempts to give many of the UAC features context, but often overly simplifies complex paradigms - I consider it the UAC brochure. This document is a very useful resource, but will still leave you scratching your head when you meet real world examples.

UAC - What. How. Why.
Do you have an hour? Watch this video! Microsoft's Jon Schwartz, UAC Architect, and Chris Corio, UAC Technical Program Manager, discuss in detail, the development history and architecture of UAC. This video will give you great insight into what the developers were thinking and what problems they were trying to solve. They almost get you thinking that UAC is a desirable feature ;-) The attached viewer Q&A is also very educational.

Teach Your Apps To Play Nicely With Windows Vista User Account Control by Chris Corio
Although aimed at application developers, this article is a valuable read for everyone. It is written by UAC's Technical Program Manager and provides valuable details about how and why UAC does some of the things it does.

The Long-Term Impact of User Account Control by Dr. Jesper M. Johansson
Aimed at anyone who is concerned about security, this article tells you exactly what UAC is and IS NOT from a security perspective. The points made in the article are accurate and can't be stated strongly enough. UAC is not a security boundary - use the best practices suggested to protect yourself.

Windows Vista Application Development Requirements for User Account Control Compatibility
(Also available as a downloadable Word document)
This is a very long Microsoft document aimed at developers. It takes them on a tour of UAC by covering such topics as Access Control List (ACL) Settings, User Interface Privilege Isolation (UIPI), Virtualization and UAC Architecture. It covers many of the UAC features and is therefore a very useful resource. However, despite it's length, it only just touches most topics and does not give the reader enough of an appreciation of how the features will impact their development work.

In-depth analysis of Vista UAC and the creation of CreateProcess...Elevated() APIs by Thomas Hruska
A must read for application developers and some scripting admins. This article looks at how to elevate applications that require full administrative access to the system. It discusses the ShellExecuteEx() with the undocumented "runas" verb and the much talked about manifests. You will understand the UAC Virtualization feature after reading this article. This is a very detailed in-depth article - not for the faint of heart.

PsExec, User Account Control and Security Boundaries by Mark Russinovich
Aimed at the extremely technical administrator, this is an extremely well-informed article. It discusses the UAC security model and how Integrity Levels relate to it. You will know you have a good understand of UAC if you are able to follow this article. BTW, if you are unfamiliar with PSExec, look into it - one awesome tool!

Had enough? Go forth into the world and play with UAC. See how you like it. I think you will quickly find that UAC impacts your life in some rather unexpected ways. As an enterprise administrator and scripter I have bumped into many of these undocumented "features" and behaviours.

I have learned to overcome some limitations and cope with others. In some cases I am still struggling. Perhaps we can work together to achieve workable environments that include UAC. Check back often for many upcoming articles about UAC. (I hope to continue writing two articles per week.) Feel free to ask questions or comment on any of the upcoming articles... now where should I start....

Offline Files: Doesn't sync files modified while offline

2007-12-06T00:59:00.000-05:00

One of my most popular articles for Google searches has been Folder Redirection of database files causes corruption! Well, it turns out that the Offline Files feature isn't finished providing us with surprises.

The Offline Files feature is supposed to cache network files locally so that users still have access to them when the network is unavailable. This is invaluable for Laptop users who may wish to work on projects while traveling. Users are able to modify the documents in their local cache and have them synchronize automatically when they return to the office and connect to the network. -- That's the theory at least. 90% of our laptop users have reported failures synchronizing their files. The Sync Center reports "Access Denied" for some files and refuses to sync them.

Further investigation revealed that Offline Files was able to sync newly created files but was unable to sync pre-existing files that were modified while offline. This was traced to yet another bug in the Offline Files feature. Here is Microsoft's KB article for the bug:

http://support.microsoft.com/kb/935663

The Offline Files feature won't be usable until you incorporate the hotfix described in the article. The hotfix is expected to be part of SP1. (It's starting to look like SP1 will fix a lot of Vista bugs after all - Bravo!)

Vista deleting user profiles and data!

2007-12-06T00:34:00.000-05:00

It's been an interesting week full of bug fixes and data loss for me. The most exciting case was when I started getting calls from various Vista users claiming that they had lost all of their user settings.

Investigation revealed that users were in fact losing their entire user profiles. All trace of their local profile was completely gone - including all of the user's local folders and files. If we hadn't been using Folder Redirection all of these users would have lost all of their data. Disastrous.

Microsoft was able to quickly find the cause of the problem. It turns out that there was a bug in the GPO "Delete user profiles older than a specified number of days on system restart". The GPO is supposed to delete user profiles from the Vista computer that have been unused for a set number of days. It turns out that the GPO simply deletes the user profiles the set number of days after the user profile was created - whether the profile is being used or not. I guess the logic picked the wrong date to look at.

Two days after resolving my problem, Microsoft posted this KB article:

http://support.microsoft.com/kb/945122

I'm glad to see them react so quickly to such a critical issue. I strongly recommend that you get the hotfix described in this article to prevent the GPO from wiping out your user's data. The fix should be released as part of SP1 - I certainly hope it is.