Monday, March 31, 2008

News tidbits clearance!

There's been a lot of Vista news floating around lately. I haven't really been in the mood to just repeat what has already been written out there, but some of it is good to know... so here it comes...

1) Microsoft surprised many when it quietly announced through a blog post that it was going to start offering free Vista SP1 support for installation and compatibility issues. Here's their official page:

https://support.microsoft.com/oas/default.aspx?ln=en-us&x=8&y=7&prid=11274&gprid=500921

I'm sure many of you will make good use of this over the coming year. I wouldn't mind hearing what kind of success you have with the phone support.


2) It turns out that 30% of the Vista crashes reported over the past year are the fault of faulty NVidia drivers. I don't know how to feel about this. Some have suggested that this means we have been unfairly blaming Vista and that maybe Microsoft is due for an apology. Maybe. But why has NVidia been having so much trouble successfully writing drivers for Vista? I don't think their developers want to have a failed product - and I don't think they have suddenly gotten stupid - so why has this happened?

3) Could NVidia have been doing what Creative Labs has been doing? It looks like Creative Labs has been purposely crippling and ruining Vista drivers for older sound cards. This comes from Daniel_K, who wrote improved drivers by basically revamping previously released Creative Labs drivers. There is a great deal of outrage all over the net because Creative Labs asked Daniel_K to cease and desist release of working drivers. I would like to add my voice to the chorus of outrage! Not so much for the take-down request as for Creative Labs' choice not to release working drivers. I experienced the same problem many years ago at the hands of HP. Microsoft released Windows 95 and HP decided that my expensive, one-year-old scanners with feeders, etc. should remain Windows 3.1-only devices and not receive updated drivers. Planned obsolescence does not make me a happy customer. In the past decade I have refused to even consider HP scanner products. They have lost out on a dozen scanner sales and plenty of bad publicity for that stunt. (I much prefer Microtek scanners, where one driver seems to work for all their scanners - no matter how old.) I've said it before - companies have to treat their customers right.
[UPDATE 01/04/2008] Wired has an explanation from the now famous Daniel Kawakami. A good read. He is now allowed by Creative to continue some modding and receive donations. His mods for Creative sound cards are here: http://hosted.filefront.com/braziliantech/, but you'll probably need to figure out what the files are for first...[/UPDATE]

4) A lot of web news outlets have published the story of Linux winning a hacking/security contest over Mac and Vista. I just mention it here because there has simply been so much coverage. I think it validates Linux's design when you consider that its basic approach has changed very little and yet it can still win contests like this. Windows has been flipped on its head (Vista), making users feel pain (UAC) and still didn't win. Will bugs get ironed out so that maybe Vista can win next year? Or does Microsoft still have an inferior design?

5) I found this detailed article describing how Vista licensing has been circumvented yet again. This hack doesn't just avoid licensing nags, it actually makes the OS look fully licensed. This really bugs me. I have to suffer by jumping through licensing hoops and maintaining licensing servers - don't even get me started talking about the labs! - while the pirates can still get access to whatever they want anyway. Frustrating.

Saturday, March 29, 2008

Welcome back Command Prompt!

After years of trying to kill off the command line, Microsoft seems to be acknowledging the importance of command line interaction. So much so that the upcoming Windows Server 2008 OS can be installed as Server Core, with no desktop shell at all, and administered entirely from a command prompt. Vista too has come to rely on the command prompt. In fact, there are many tasks that can only be performed from CMD as no GUI equivalent is offered.

It turns out that UAC prevents many tasks from being performed in the GUI at all, and with Vista's default settings the only solution is to go back to the Command Prompt. Some of the UAC related tasks I'd like to highlight are:

  1. Elevating scripts such as VBS, HTA or VBA.
  2. Working with multiple files that must all be elevated.
  3. Running as another user when you already have two tokens.
  4. Copying files to sensitive folders like System32.
All of these tasks can be performed from a CMD prompt using the default Vista configuration. In every case there is no GUI equivalent available using Vista defaults. In some cases there are GUI workarounds or specific configurations to enable the functionality needed. These GUI tricks will be presented in future articles, but it is good to know how to work without them using a CMD prompt - you just might venture to a workstation that hasn't been configured to your liking.

1. Elevating scripts such as VBS, HTA or VBA:

There are certainly many file types in use that could require elevation. I just mention VBS, HTA and VBA because they are quite commonly used for administrative scripting and may need elevation. Microsoft has not provided a facility for scripts to carry their own manifest detailing elevation requirements (unlike executables), so a script can only be elevated by elevating the executable that hosts it (wscript.exe or cscript.exe for VBS, mshta.exe for HTA, the Office application for VBA). For a script to get elevated, it must be done manually by an administrator.

The problem is that the Windows GUI does not provide any way to manually elevate these scripts. Windows reserves "Run as Administrator" in the context menu and in the properties screen for executables (plus batch files and shortcuts); script files like .vbs and .hta never get it. The only recourse is to launch a CMD window elevated. CMD.EXE is an executable and therefore has the option to "Run as Administrator". Furthermore, any process launched from that CMD window (including the script host that runs your script) inherits CMD's token, and with it CMD's elevation. (To understand how tokens work, read my article: Let's Talk UAC for the Enterprise.)

Once you get over the ugliness of a fixed width, grey, courier font on a black background, it is really quite a nice way to fly. From an elevated CMD prompt you can launch as many processes as you wish and they will all launch with the Full Token with absolutely no UAC prompting because no token switching takes place. Many techs I work with simply elevate a DOS window at the beginning of their session and return to it throughout the day - they only see one UAC prompt.

The CMD window even helps us remember what we've done by changing its title - it prepends "Administrator:" to the front:


Despite CMD giving us added functionality, I still wish Vista would get its act together and let us do our work from the GUI.


2. Working with multiple files that must all be elevated

A similar problem to the scripting elevation difficulties shown above is the problem of working with data files in sensitive areas. You might be modifying the Welcome Center, which stores all of its files in the System32\oobe folder. If you were to simply click on a .txt file stored there to edit it, Notepad would open and you would modify it. But when you go to save the document you will get errors like "cannot create", because Notepad is running with your filtered (standard user) token, which has no write access to System32.

I guess the way Microsoft expects you to edit this file is as follows:
  1. Identify the type of file and a suitable application to edit it.
  2. Go find that application and ask to "Run as Administrator".
  3. Use the application's Open dialog to navigate back to your folder and open the file.
  4. Edit as necessary and then save.
  5. Now repeat this process for each and every file you need to work with.
The easiest approach is actually to use the same elevated CMD solution I outlined above. All you have to do from an elevated CMD prompt is:
  1. Navigate to your folder (the TAB key helps a lot with this).
  2. Type in the name of the file you wish to edit.
  3. CMD will find the associated application and run it with the same elevated token.
  4. When you then choose to save the data, it will save without any problems or prompting.
  5. Now type in the name of the next file you wish to edit...
CMD makes it much easier for you to do your work as an administrator than the Vista GUI can.
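The two procedures above (elevate the executable that hosts a script, then open data files from the already elevated session so the editors inherit the token) in PowerShell form, as an added example that is not part of the original post. It assumes Windows Vista or later with UAC enabled and PowerShell 2.0 or later (for Start-Process); the file paths in the usage comments are placeholders, and oobe.xml is a hypothetical file name.

```powershell
# Added example (not from the original post). Assumes Vista+ with UAC on and
# PowerShell 2.0+. Paths in the usage comments are placeholders.

function Test-Elevated {
    # True when this process holds the full (elevated) administrator token.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-ScriptHost {
    # Scripts cannot carry a manifest, so map each script type to the executable
    # that hosts it; that executable is what UAC will actually elevate.
    param([Parameter(Mandatory=$true)][string]$Path)
    switch ([IO.Path]::GetExtension($Path).ToLowerInvariant()) {
        '.vbs'  { 'wscript.exe' }
        '.js'   { 'wscript.exe' }
        '.wsf'  { 'wscript.exe' }
        '.hta'  { 'mshta.exe' }
        '.ps1'  { 'powershell.exe' }
        default { $null }        # .exe, .bat, .cmd: elevate the file itself
    }
}

function Invoke-Elevated {
    # Run $Path with the full token. The consent prompt is for the host
    # executable; the script file is just an argument to it.
    param([Parameter(Mandatory=$true)][string]$Path,
          [string[]]$ArgumentList = @())
    $full    = (Resolve-Path -LiteralPath $Path).ProviderPath
    $hostExe = Get-ScriptHost $full
    $argv    = @()
    if ($hostExe) {
        if ($hostExe -eq 'powershell.exe') {
            $argv += '-NoProfile', '-ExecutionPolicy', 'Bypass', '-File'
        }
        $argv += "`"$full`""      # quoted: user paths often contain spaces
        $target = $hostExe
    } else {
        $target = $full
    }
    $argv += $ArgumentList
    # -Verb RunAs is the ShellExecute "runas" verb, the same thing the
    # "Run as administrator" menu entry does. Start-Process throws if the user
    # cancels the consent prompt; let that propagate so the caller sees it.
    if ($argv.Count -gt 0) {
        Start-Process -FilePath $target -ArgumentList $argv -Verb RunAs -Wait
    } else {
        Start-Process -FilePath $target -Verb RunAs -Wait
    }
}

function Edit-ProtectedFile {
    # Section 2: from an elevated session, open each data file with its
    # associated application. The child inherits the elevated token, so the
    # application's Save works and no further prompts appear.
    param([Parameter(Mandatory=$true)][string[]]$Path)
    if (-not (Test-Elevated)) {
        throw 'Not elevated. Start this prompt with "Run as administrator" first.'
    }
    foreach ($file in $Path) { Invoke-Item -LiteralPath $file }
}

# Usage (placeholders):
#   Invoke-Elevated 'C:\Scripts\fixup.vbs' -ArgumentList '/quiet'
#   Invoke-Elevated 'C:\Scripts\panel.hta'
#   Edit-ProtectedFile "$env:SystemRoot\System32\oobe\oobe.xml"   # hypothetical file name
```

Invoke-Elevated produces exactly one consent prompt per call, for the host executable; Edit-ProtectedFile produces none, because it refuses to run unless the session is already elevated, which is the whole point of elevating the prompt once and working from it all day.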

3. Running as another user when you already have two tokens:

Microsoft made what many techies consider a big mistake when they implemented the "Run as Administrator" feature. It replaces XP's old "Run As..." entry on the context menu but not all of its functionality. There are many posts on the web about it and I wrote my own lengthy article on the subject. The problem is that if you have two tokens when you activate "Run as Administrator", the feature will only ask your consent to elevate to your second token - that's it - you get no other options (I'm ignoring an optional policy setting that forces consent at all times for everyone). This means that if a power user or local administrator wishes to change to another account such as a Domain Admin account when running an app, they are completely unable to. The default Vista GUI provides no capability to do this without setting a group policy that forces all users to get prompted for credentials every time they elevate (impractical).

CMD to the rescue! It turns out that the RunAs command (runas.exe) is still there and seems to have been ported directly from Windows XP. So much so that RunAs knows nothing about tokens and elevation. This is both a blessing and a problem.

The blessing is that the only thing RunAs wants to see is a username. It quite happily runs applications as any userid - no matter what tokens you might have. This is great if a Local Admin wishes to switch to a Domain Admin account in order to manage the network through tools like ADUC or GPMC - problem solved.

But RunAs not understanding tokens still leaves some scenarios out in the cold. If a Power User wishes to switch to a Local Administrator account, he can only do so using this RunAs command from a CMD window. But since RunAs doesn't understand tokens, it simply runs the application under the new account's default, filtered User Token: RunAs creates the process directly (through CreateProcessWithLogonW) rather than through the shell, so Vista never gets its opportunity to inspect the manifest and offer to elevate the application. If I use RunAs to switch to a Local Administrator account when launching Regedit, I will just get the following error:


Oh well, even if the command prompt can't give us everything, it's pretty darn handy.
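Both halves of the RunAs story in PowerShell, as an added example that is not part of the original post: Start-Process -Credential uses the same CreateProcessWithLogonW path as runas.exe, so it starts the program under the other account's filtered token and a requireAdministrator program fails with Win32 error 740 ("The requested operation requires elevation"); the workaround is two hops, a non-elevated shell as the other account followed by a runas-verb launch from inside it, which prompts for that account's consent. It assumes Vista or later with UAC on, an interactive session, and PowerShell 2.0 or later; account names and paths are placeholders.

```powershell
# Added example (not from the original post). Assumes Vista+ with UAC on and
# PowerShell 2.0+. Account names and paths are placeholders.

function Get-IntegrityLevel {
    # Which token am I running with? whoami ships with Vista; the mandatory
    # label line reads "Mandatory Label\High Mandatory Level" for the full
    # token and "...\Medium Mandatory Level" for the filtered one.
    $line = whoami /groups | Where-Object { $_ -match 'Mandatory Level' }
    if ($line -match '(\w+) Mandatory Level') { return $Matches[1] }
    return 'Unknown'
}

function Start-AsOtherUser {
    # Hop 1: the runas.exe equivalent. Start-Process -Credential and runas.exe
    # both go through CreateProcessWithLogonW, which creates a new logon for
    # the target account and starts the program directly with that logon's
    # filtered token. No manifest check, no consent prompt: a program marked
    # requireAdministrator (regedit) fails with Win32 error 740,
    # "The requested operation requires elevation".
    param([Parameter(Mandatory=$true)][string]$FilePath,
          [string[]]$ArgumentList,
          [Parameter(Mandatory=$true)][Management.Automation.PSCredential]$Credential)
    $params = @{ FilePath = $FilePath; Credential = $Credential; PassThru = $true }
    if ($ArgumentList) { $params.ArgumentList = $ArgumentList }
    Start-Process @params
}

function Start-ElevatedAsOtherUser {
    # Hops 1 and 2: start a non-elevated PowerShell under the other account,
    # then from inside it ask for elevation with the runas verb. That second
    # hop goes through the shell, so UAC sees the manifest and prompts, and
    # because the prompting process belongs to $Credential's account, the
    # consent (or password) it asks for is that account's, not yours.
    param([Parameter(Mandatory=$true)][string]$FilePath,
          [Parameter(Mandatory=$true)][Management.Automation.PSCredential]$Credential)
    $inner = "Start-Process -FilePath '$FilePath' -Verb RunAs"
    Start-AsOtherUser -FilePath 'powershell.exe' -Credential $Credential `
        -ArgumentList @('-NoProfile', '-WindowStyle', 'Hidden', '-Command', $inner)
}

# Usage (placeholders):
#   Get-IntegrityLevel                                    # High = full token, Medium = filtered
#   $cred = Get-Credential 'CONTOSO\DomainAdmin'
#   Start-AsOtherUser -FilePath cmd.exe -Credential $cred         # a cmd as that account, filtered token
#   Start-AsOtherUser -FilePath regedit.exe -Credential $cred     # fails: error 740, needs elevation
#   Start-ElevatedAsOtherUser -FilePath regedit.exe -Credential $cred   # prompts, then runs elevated as that account
```

Run Get-IntegrityLevel inside the window that each call opens to confirm which token it received: the hop-1 cmd reports Medium, the hop-2 regedit (checked from a cmd started the same way) reports High.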


4. Copying files to sensitive folders like System32:

An elevated command prompt is also wonderful for copying files to sensitive folders such as System32. Use any copy command such as Xcopy or Robocopy and it will succeed from a prompt running with the elevated Administrator token (at least for new files; existing OS files there are owned by TrustedInstaller and must have their permissions changed first). Try the same thing using Windows Explorer and almost anything can happen.

Windows Explorer has many different ways of behaving depending on how its options are set and what token(s) a user has. Putting all the variables together results in very unpredictable behavior from the user's perspective. Windows Explorer could just perform the copy as requested, or it might ask a few confirmation and elevation questions before ultimately failing to copy. (I will cover some of these details in a future article.)
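A deterministic replacement for the Explorer drag-and-drop described above, as an added example that is not part of the original post: it refuses to run unless the prompt is elevated, drives robocopy and decodes its bit-mask exit code instead of testing for zero, and handles the one case an elevated copy still fails on, an existing OS file owned by TrustedInstaller. It assumes an elevated PowerShell 2.0 or later prompt on Vista or later; robocopy, takeown and icacls all ship with Vista. Paths in the usage comments are placeholders.

```powershell
# Added example (not from the original post). Assumes an elevated PowerShell
# 2.0+ prompt on Vista+ with UAC on. Paths are placeholders.

function Assert-Elevated {
    $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Not elevated. Start this prompt with "Run as administrator" first.'
    }
}

function Copy-ToProtectedFolder {
    # Robocopy's exit code is a bit mask, so decode it rather than testing for 0.
    param([Parameter(Mandatory=$true)][string]$SourceDir,
          [Parameter(Mandatory=$true)][string[]]$File,
          [string]$Destination = (Join-Path $env:SystemRoot 'System32'))
    Assert-Elevated
    # /R:0 /W:0 fail fast instead of retrying for minutes; /NP /NJH /NJS trim the log.
    $robocopyArgs = @($SourceDir, $Destination) + $File + @('/R:0', '/W:0', '/NP', '/NJH', '/NJS')
    $log = & robocopy.exe $robocopyArgs
    $rc  = $LASTEXITCODE
    $result = New-Object PSObject -Property @{
        ExitCode = $rc
        Copied   = [bool]($rc -band 1)    # bit 0: at least one file copied
        Extras   = [bool]($rc -band 2)    # bit 1: files in destination not in source
        Failed   = [bool]($rc -band 8)    # bit 3: copy errors (access denied lands here)
        Fatal    = [bool]($rc -band 16)   # bit 4: usage error or fatal failure
        Log      = $log
    }
    if ($result.Failed -or $result.Fatal) {
        throw "robocopy failed with exit code $rc`n$($log -join "`n")"
    }
    return $result
}

function Unlock-ProtectedFile {
    # New files copy fine from an elevated prompt, but existing OS files in
    # System32 are owned by TrustedInstaller and Administrators only have
    # read and execute on them, so overwriting still fails even when elevated.
    # Take ownership and grant Full Control first. This is a permanent change
    # to the file's ACL; do it only for the file you really mean to replace.
    param([Parameter(Mandatory=$true)][string]$Path)
    Assert-Elevated
    & takeown.exe /F $Path | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "takeown failed on $Path" }
    # *S-1-5-32-544 is BUILTIN\Administrators by SID, so this works on any locale.
    & icacls.exe $Path /grant '*S-1-5-32-544:F' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $Path" }
}

# Usage (placeholders):
#   Copy-ToProtectedFolder -SourceDir 'C:\Staging' -File 'mytool.exe', 'mytool.dll'
#   Unlock-ProtectedFile "$env:SystemRoot\System32\oobe\somefile.txt"   # then copy over it
```

Checking the Failed bit rather than the whole exit code matters: robocopy returns 1 for a perfectly successful copy, so scripts that treat any non-zero as failure report errors on every run, and scripts that ignore the code miss the access-denied case entirely.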


I hope I've demonstrated how vital the command prompt has become in Vista. So pull out those old DOS books - talk to 40 somethings in your office and learn how to work with DOS once again!

Wednesday, March 26, 2008

New deployment tools for Vista SP1

Now that Windows Vista Service Pack 1 and Windows Server 2008 have been released, Microsoft is releasing many updated tools to support them. I just thought you might want to know about them.

The most exciting release for me came out Monday - Remote Server Administration Tools (RSAT)! It replaces the old Administration Tools Pack (AdminPak) and Group Policy Management Console (GPMC). Although the old AdminPak can still be installed from an elevated command prompt, GPMC was taken out of Vista by SP1 with a complete loss of that functionality. I'll be taking this for a spin as soon as I finish my current task - look forward to a real-life review shortly...

The rest of the tools are related to automating Vista deployment:

Version 936330AIK of the Windows Automated Installation Kit (AIK) was just released this month to support the new versions of Windows. As a result of this upgrade, the Business Desktop Deployment 2007 (BDD) is no longer compatible. You need to upgrade to BDD 2007 v3.2 which was released just last week. The latest version will now allow you to deploy Vista SP1 in your organization.

But if you really want to stay current, Microsoft is rebadging BDD by bundling it in the new Microsoft Deployment Toolkit (MDT) 2008 which was also made available last week. They are leaving behind the BDD name because the tool now handles Windows Server 2008 deployment in addition to desktop deployment. Here is a nice blurb about it from the Windows Vista Team Blog.

Tuesday, March 25, 2008

Reclaim disk space from Vista's SP1

Vista Service Pack 1 is big - huge in fact. During installation it actually requires something like 7GB of free disk space just to complete the install process. But the story doesn't end there. SP1 keeps backups of all the files it replaces. It does this so that you can actually perform a complete uninstall of SP1 and return to the previous system state if need be. But that adds up to a lot of wasted disk space if you know you will never revert to a pre-SP1 state.

As an enterprise administrator, I know that the OS image I am creating for distribution will never revert back to pre-SP1 and I know that my image must also be as small as possible. Thankfully Microsoft realized this too and released a cleaner tool with SP1 called VSP1CLN.exe. This little 600K tool gave me over 4GB of my drive space back! Which in turn means a 4GB smaller image file - sweet! (But mileage may vary - I have also recovered as little as 100 MB.)

[Thanks to Aaron for some corrections to this article. - Comments were deleted to eliminate confusion.]

Sunday, March 23, 2008

A petition to save Windows XP

I was surprised to find this InfoWorld article: 100,000 customers tell Microsoft to save XP.

But I understand where it comes from. June 30th is supposed to be the last day you can buy a Microsoft Windows XP license. My client started working on their Vista implementation even before Vista had been released. They have thrown more budget and bodies at this Windows release than at any other - and yet we will barely squeak under that deadline. I know that few other organizations will be able to end their reliance on Windows XP in time.

Now this doesn't really affect most enterprise customers. From what I understand, most have the right to buy Vista and downgrade to XP. But this is a long article with some great detail on the issue. Who knows, you may even want to sign the petition.

Certainly June 30th will be a date worth watching.

[EDIT 26/03/2008] I am now seeing quite a bit of press on this topic. Here is a great ComputerWorld article that describes product and support lifecycles in great detail. Some good information here. [/EDIT]

[EDIT 14/04/2008] News of the petition has now made it to MSNBC! Actually, their article Windows XP Fans Don't Want it to XPire has lots of good detail and summary of the issue. [/EDIT]

[EDIT 28/04/2008] Microsoft hasn't exactly backed off of the June 30th deadline, but it looks like we can still get what we want for at least another year. Here's my latest article with the details:
XP available after the June 30th deadline [/EDIT]

Thursday, March 20, 2008

Vista SP1 unavailable from Windows Update?

Microsoft has posted a detailed KB article (KB948343) covering eight possible causes for not being able to install Vista Service Pack 1 from Windows Update.

There are quite a range of causes from language pack issues to incompatible drivers. Definitely worth a read!

The Vista Team Blog has additional details regarding these issues. This blog also happens to have hundreds of user comments attached. Many are complaining about various aspects of Vista and SP1 incompatibility. I suspect it would be worth your time to do a quick search on that page for products you use in your Vista environment. Maybe you'll avoid a few surprises...

Tuesday, March 18, 2008

Vista Service Pack 1 is here!

Vista SP1 has now been officially released to the general public. Download it here.

Watch for it in the retail channels in the next week or so as well.

Friday, March 7, 2008

UAC: How to elevate anything

Before reading this article, I need you to know a little something about UAC. At the minimum you should read my article Let's Talk UAC for the Enterprise. To get a little deeper into the subject, consider reading some detailed articles found here: UAC: An introduction to User Account Control.

After educating yourself on Vista's UAC, you should be aware that there are a great many things that cause elevation of applications:

  • Vista can autodetect that an installation program should be run elevated.
  • Vista knows that certain programs like GPMC should be run with the highest available token.
  • An application's manifest can specify that an elevated token should be used.
  • An administrator can specify in the properties of a file that an executable must run with an administrator token.
  • A user can right-click on an executable and specify that it be "Run as Administrator".
  • ...
But what do you do if the thing you need to elevate isn't an application? It seems to me that Microsoft hasn't really accommodated this possibility when designing Vista - but it needs to happen more often than you think. The most common example would be a script that needs to make system changes. What if you have a Visual Basic Script (.VBS, .VBA, .HTA, etc.)?

Not only can the script not have a manifest specifying an elevated token, but there is no obvious way to request elevation. You cannot specify it in the properties of these files since they are not executables. You cannot even right-click and specify that it be "Run as Administrator".

It turns out that there are a number of approaches to this problem (none of which are obvious). All the approaches rely on a basic pair of principles. Vista can only elevate executables (by initiating a new process) AND any processes launched by an elevated process will also be elevated. Each approach may look radically different, but it always boils down to exploiting these principles.

The approaches to elevating non-executables are as follows:
Elevating a command prompt (CMD) is by far the easiest and most common method for elevating scripts. You'd laugh if you walked through the offices of our technical staff. They all sit there with this pretty Vista OS but the only thing you see is these black CMD windows because it is the only practical way for them to work.

I will write an article on each of the approaches and turn the bullets into links as they are written. But hopefully I've given you some useful hints in the mean time if you can't wait for me :-)
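A script that applies those two principles to itself, as an added example that is not part of the original post: if it finds it is not elevated, it relaunches its own host executable (powershell.exe) with the runas verb and passes itself as the argument, then does its real work only in the elevated copy, forwarding its arguments and returning the child's exit code. It also handles the user clicking Cancel on the prompt, which would otherwise leave a naive "relaunch until elevated" loop prompting forever. Assumes Vista or later with UAC on and PowerShell 2.0 or later; the file name Elevate-Self.ps1 and the -Target parameter are placeholders.

```powershell
# Added example (not from the original post). Save as Elevate-Self.ps1 and run
# it from a normal (non-elevated) prompt. Assumes Vista+ with UAC on and
# PowerShell 2.0+.
param([string]$Target = 'demo')   # placeholder argument, forwarded through the relaunch

$scriptPath = $MyInvocation.MyCommand.Path
# S-1-16-12288 is the High mandatory label: present only on the full token.
$elevated = [bool](whoami /groups | Select-String 'S-1-16-12288')

if (-not $elevated) {
    # Principle 1: only an executable can be elevated, so elevate our host and
    # hand it this script. Forward our arguments so the elevated copy sees them.
    $argv = @('-NoProfile', '-ExecutionPolicy', 'Bypass',
              '-File', "`"$scriptPath`"", '-Target', "`"$Target`"")
    $exitCode = 1
    try {
        $child = Start-Process -FilePath 'powershell.exe' -ArgumentList $argv `
                               -Verb RunAs -Wait -PassThru
        # Surface the elevated copy's result as our own, so a caller
        # (a batch file, a deployment tool) sees one exit code.
        $exitCode = $child.ExitCode
    } catch {
        # The user clicked Cancel on the consent or credential prompt:
        # Start-Process throws rather than returning a process object.
        # Without this guard a script that loops on "not elevated" would
        # re-prompt forever.
        Write-Error "Elevation refused: $($_.Exception.Message)"
    }
    exit $exitCode
}

# ---- everything from here runs with the full token ----
# Principle 2: children of an elevated process inherit its token, so these
# run elevated with no further prompts.
$label = whoami /groups | Select-String 'Mandatory Level'
Write-Host "Elevated copy running as $env:USERNAME with: $label"
Write-Host "Target was forwarded intact: $Target"
& cscript.exe //NoLogo "$env:SystemRoot\System32\slmgr.vbs" /dli   # a stock Vista script, now running elevated
exit 0
```

The same relaunch trick works for any host: swap powershell.exe for wscript.exe and the -File arguments for the .vbs path and you have a self-elevating VBS, which is how most of the "elevate a script" workarounds floating around actually work under the covers.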

Sunday, March 2, 2008

Vista SP1 Technical Information

Kris over at the Words Within blog posted a PDF document that combines all of Microsoft's SP1 related documents:

  • Deployment Guide for Windows Vista Service Pack 1
  • Hotfixes and Security Updates included in Windows Vista Service Pack 1
  • Notable Changes in Windows Vista Service Pack 1
-- Handy!

Read it. You will find nuggets like this:

After you install SP1, you will be temporarily unable to manage domain-based Group Policy from that computer because of the following changes:

• The Group Policy Management Console (GPMC) will be uninstalled.
• Gpedit.msc will default to the Local Group Policy Editor.

Because of these changes, use Remote Desktop to connect to another computer to manage Group Policy. Shortly after the release of Windows Server 2008, an updated GPMC with greater functionality will be released as part of the Remote Server Administration Tools (RSAT)...

Don't forget that if you have configured Folder Redirection with Vista's version of GPMC, then you will have no choice but to keep a Vista PC handy that doesn't have SP1 until RSAT arrives. You have been warned :-)

[EDIT 30/03/2008] RSAT is here! Get links to it and other new deployment tools for Vista SP1. [/EDIT]

Saturday, March 1, 2008

Has Vista lost all credibility?

As a follow-up to my article "Vista Capable" lawsuit is now a class action, I found this opinion piece at APCMag.com: Has Vista Lost All Credibility?. It's quite a good opinion piece.

It offers a nice summary of the e-mails that surfaced as part of the class action. It also comments on the recent price drops for Vista. But the most surprising news is that Microsoft has announced even more retail versions of Vista in an attempt to boost sales.

Which leads us to this month's poll - would you consider switching to Linux?

[EDIT 09/03/2008] Here is another good article covering the e-mails discovered in the class action. I hope other companies learn from this - you have to treat your customers fairly. [/EDIT]