Bharat Suneja

Tuesday, December 08, 2009

 

Cloned machines and duplicate SIDs

Posted by Bharat Suneja at 6:01 PM
It's been over 4 years since I wrote about the duplicate SID issue in SID error on cloned Virtual Server / VPC / VMWare OSes. I recommended using the NewSID utility from Sysinternals to fix the cloned machine.

Hyper-V wasn't around back then, and looking back it seems incredible that many of us survived without it (or your virtualization platform of choice).

Since then, I've only used sysprepped images, and the increasing reliance on virtual machines has translated into a time-saving and efficient method of creating cloned VMs at short notice. Using a sysprepped base image and differencing drives makes life incredibly simple, and even if you don't use differencing drives it works quite well. I highly recommend making at least one more copy of the base image and making the file read-only.

As far as the NewSID utility goes, Mark Russinovich recently posted about retiring it. More in The Machine SID Duplicate Myth.


Wednesday, December 02, 2009

Interestingly, after reporting last Friday 'Black Screen woes could affect millions on Windows 7, Vista and XP', and causing a furor amongst IT pros, users and the media, Prevx apologized for claiming a patch applied by Windows Update was the cause of the so-called 'Black Screen of Death'.

In last week's post, Prevx stated:
If you Google Black Screen then you will find a whopping 80 Million plus results, mostly dominated by people searching for a fix to this problem. Thousands of users have resorted to reloading Windows as a last ditch effort to fix the problem, avoid that at all cost. We hope we can help a good many of you avoid the need to reload.
Click the link provided in Prevx's blog post, and the search results are nowhere close to the "whopping 80 Million plus results" Prevx claimed in its blog post. In fact, the number is inflated by almost 100%, and there's a good chance it's not 40 million users facing the issue, or even 20, 10, or 1 million.



On Monday (11/30), Microsoft said it is investigating the issue. A Microsoft representative also said:
Based on our investigation so far we can say that we're not seeing this as an issue from our support organization. The issues as described also do not match any known issues that have been documented in the security bulletins or (knowledge base) articles.
On Tuesday (12/1), Microsoft's Security Response Communications lead Chris Budd said in a statement:
The company has found those reports to be inaccurate and our comprehensive investigation has shown that none of the recently released updates are related to the behavior described in the reports.
Microsoft also said it had not been contacted by Prevx before going public with the issue. More in Microsoft: November security updates are fine on News.com.

Prevx backtracked in a follow-up post yesterday (12/1):
Having narrowed down a specific trigger for this condition we've done quite a bit of testing and re-testing on the recent Windows patches including KB976098 and KB915597 as referred to in our previous blog. Since more specifically narrowing down the cause we have been able to exonerate these patches from being a contributory factor.
Prevx apologized for the faux pas. However, its original post and the follow-up apology say nothing about informing Microsoft about a potential issue caused by a patch.

Tempting as it is to rush to blog and tweet about a critical bug or security issue one may have discovered, the responsible behavior is to contact the vendor, report the issue and request or even demand an investigation and a fix. As a customer you have every right to do so, and depending on the severity and impact of an issue, expect a fix within a reasonable time frame. If the vendor does not investigate or provide any explanation, go public.

This is not to say that the "black screen" issue many users may have been facing isn't real, but it's no excuse for insufficient testing, irresponsible reporting, and inflating the impact (quite dramatically in this case).


Wednesday, September 30, 2009

 

Windows Search: Rebuilding the Index on Windows 7

Posted by Bharat Suneja at 8:00 AM
When you use Outlook 2007 and later in Cached Exchange Mode, the Instant Search feature uses the content indexes created by Windows Search (formerly known as Windows Desktop Search). When searching in online mode, Outlook uses the content indexes created by Exchange Search on the Exchange server (Exchange 2007 and later).

If the index created by Windows Search is corrupt, you may not find the items you're looking for and expect to be returned by Instant Search. Since you're not using Exchange Search, there's little point in troubleshooting Exchange Search on the server. You may need to rebuild the content index created by Windows Search on your computer.

To rebuild the content index on Windows 7:
  1. Click the start button and type Index, and then click the Indexing Options link returned by the search.
  2. In Indexing Options, click Advanced.
  3. In Advanced Options | Index Settings tab, click Rebuild.
  4. You are greeted with a prompt informing you that rebuilding the index may take a long time to complete, and some views and search results might be incomplete until rebuilding is finished. Click OK if you want to proceed.


Monday, August 10, 2009

Perhaps I should've used a different headline for this post. Something like "InfoWorld's conspiracy to derail the Windows 7 product launch". But that would be giving in to exactly the temptation I want to highlight— the one many bloggers, writers, and editors fall victim to, or otherwise find hard to resist in the quest for more pageviews.

Somewhere in the blogosphere, someone reports a "critical Windows 7 bug". One tech writer sees it as a "catastrophic bug" in Windows 7 which could "derail the Windows 7 launch".

The writer didn't discover the bug, and I'm not quite sure if the headlines are the writer's own or the handiwork of an over-zealous editor, but the outcome is an article with a sensational headline that screams for attention— Critical Windows 7 bug risks derailing product launch.

The sub-headline is equally interesting: An apparent fatal flaw in the NTFS driver stack may bring Microsoft's Windows 7 impending victory parade to a grinding halt.

What's wrong with Windows 7? In the writer's words:
The bug in question -- a massive memory leak involving the chkdsk.exe utility -- appears when you attempt to run the program against a secondary (that is, not the boot partition) hard disk using the "/r" (read and verify all file data) parameter. The problem affects both 32- and 64-bit versions of Windows 7 and is classified as a "showstopper" in that it can cause the OS to crash (Blue Screen of Death) as it runs out of physical memory.
Sounds like a serious security vulnerability, and the writer suggests it is exactly that.
Also worth considering: This command can be executed in a nonelevated context under the looser Windows 7 UAC implementation (Vista requires elevation of this command via the normal user consent dialog before continuing). Not only is this a potentially catastrophic bug from a functional standpoint, it also opens up a new attack vector for malicious code. Hackers may be able to use this unprotected command to destabilize a system (by consuming almost all available RAM), and in extreme cases, cause it to fail altogether.
As reported, Microsoft has not been able to reproduce the bug.

I waited till I actually had the RTM code, and had the time to install and try this out on a couple of computers. Not only have I not been able to reproduce the blue screen, but as you can see in the following screenshot, UAC actually does prevent you from running chkdsk! And this is plain vanilla Windows 7 RTM with no updates, hotfixes, or changes to UAC settings.

Figure 1: UAC prevents running chkdsk /r on a computer with Windows 7 RTM.

The writer's implication of this being a catastrophic bug that opens up a new attack vector is not true. The command is not "unprotected"— Windows requires an elevated prompt to run chkdsk.

I also ran the command with an elevated prompt, and failed again! Chkdsk did consume a fair amount of available memory, but nowhere close to the "massive amounts of memory" reported by the writer. Needless to say, the much feared blue screen of death (BSOD) was never encountered. (As a sidenote, I've not seen a blue screen in a long time. The last time I saw it was when I knowingly installed an unsigned driver, bypassing Windows' warnings urging me not to do so! When was the last time you saw one?)

Figure 2: Chkdsk consumes a fair amount of memory, but nowhere close to 90%. It graciously releases memory when required for other tasks.

On further testing, I also noticed that chkdsk graciously released memory when the system required it for other tasks, such as running other programs [see screenshot]. This is not very different from how Exchange Server has historically behaved as far as memory consumption goes. Some tasks require more memory, and if more memory is available, perhaps it's intended to be used at some point?

As a more-than-reasonably-technically-savvy user, I do not recollect running chkdsk more than once or twice in almost a decade. Yet, a so-called bug that can't really be reproduced easily— or reproduced at all, somehow becomes a catastrophic bug that "risks derailing product launch". Noted author and ZDNet columnist Ed Bott responds with A killer Windows 7 bug? Sorry, no. Ed explains further why this is not at all what it's made out to be.

In an unusual response, Windows division president Steven Sinofsky left a comment on the blog that reported this issue. Says Sinofsky:
While we appreciate the drama of 'critical bug' and then the pickup of 'showstopper' that I've seen, we might take a step back and realize that this might not have that defcon level.
And as you may have guessed, that got faithfully reported by InfoWorld in Windows president tries to calm fears of critical Windows 7 bug. Yet another headline for InfoWorld, and no questions asked about who stoked the fear to begin with.

[Update: Steven Sinofsky explains how Microsoft deals with bug reports, partially in response to this issue. Read What we do with a bug report? on the Engineering Windows 7 blog.]

Having had my own brush with InfoWorld editors and writers in the past (Details in "Save XP" Campaign: InfoWorld responds, and the facts about downgrade rights), all I can say is— it saddens me to see what used to be a well-regarded technical journal for geeks (and still has some excellent experts and writers I admire) accelerate its pace towards becoming the MAD magazine of tech journalism.


Wednesday, July 22, 2009

 

Ready, Set, 7: Windows 7 Released To Manufacturing

Posted by Bharat Suneja at 3:05 PM
Windows 7 and Windows Server 2008 R2 were released to manufacturing (RTMed) today. These will become generally available on October 22nd.

IT Pros and developers with TechNet or MSDN subscriptions will be able to download the English version on August 6th, with other languages following on October 1st.

If you've been waiting to get a new computer with Windows 7 pre-installed, you may have to wait a little longer as most hardware manufacturers complete their shipping images.


Wednesday, June 24, 2009

Over the past few weeks, Windows 7 Release Candidate has been widely downloaded, used, praised (including by some very vocal critics), and loved. It's easy to fall in love with the Windows 7 user experience, and I don't just mean the lovely wallpapers and themes that are in stark contrast to the kind of visual content that's been generally packaged with Microsoft products in the past. You can see the images in A Little Bit of Personality on the Engineering Windows 7 blog. The Wall Street Journal's Nick Wingfield calls them "some of the most visually arresting background images ever to ship with a piece of software". More in This is Your Windows on Drugs on wsj.com.

Last night, Brandon LeBlanc revealed box shots and details of Windows 7 packaging on the Windows blog. Head over to Check out the New Windows 7 Packaging.

One of the Windows 7 features I love is called DirectAccess. It's like the Outlook Anywhere version of VPNs.

Outlook Anywhere, AutoDiscover, and Microsoft Communicator: A Seamless Unified Communications Experience
Outlook Anywhere allows Outlook 2007 + Exchange 2007 users to seamlessly access their mailbox from outside (and inside) the corporate network. Yes, part of it is of course RPC over HTTP(S)— available in Exchange 2003, but another important piece that makes this experience so transparent to the user is AutoDiscover.

You get out of work (or work remotely), turn on your laptop, and if you have Internet access Outlook 2007 just works as if you were in your office. No VPN connections to establish, no wondering if the required ports are open on the firewall, no additional authentication prompts, and full Outlook access! Although Outlook Web Access has increasingly become more like a full-fledged email client, for many folks there's simply no replacement for the full blown functionality of Microsoft Outlook. With Office Communications Server 2007 implemented right, you can have a similar experience with Microsoft Communicator - seamless access to Instant Messaging, presence information, and the all-important ability to connect to the "voice world".

Yes, the voice world, still an inseparable part of our work lives. The ability to click and talk to a Contact is handy, and found in many free IM and telephony services such as Skype. However, what's more impressive and important for many— you can dial phone numbers and receive inbound phone calls on your work phone number, regardless of your location. You can check voicemail, and also redirect calls to another phone number. The voice quality is good enough that it's hard to tell if one's using an ordinary phone or a VoIP phone.

DirectAccess: Extending the Anywhere Experience
Windows 7's DirectAccess feature extends this Anywhere Experience. It allows you to access network resources on your corporate network, without having to establish a VPN connection. Now you can turn on your laptop, and if you have Internet access, you can access file shares on your corporate network, use client/server apps, and use RDP to connect to servers/computers "on the other side".

DirectAccess uses IPv6-over-IPSec to encrypt communication, and supports multifactor authentication mechanisms such as smart cards.

Besides the initial "Wow!" moment, which inevitably follows the first experience with DirectAccess, the combined Anywhere Experience boosts productivity, and improves satisfaction levels of remote/mobile workers.

Steve Riley explains why it's one of his favorite Windows 7 features:



More about DirectAccess in DirectAccess enhances mobility and manageability, or download Technical Overview of DirectAccess in Windows 7 and Windows Server 2008 R2 for a more in-depth technical look.


Saturday, April 25, 2009

Earlier yesterday, Paul Thurrott and Rafael Rivera revealed a secret new feature in Windows 7— Windows XP Mode (XPM). XPM allows you to run Windows XP in a virtualized session, and includes a license for Windows XP SP3. As Thurrott & Rivera's blog post says:
Windows XP Mode dramatically changes the compatibility story for Windows 7 and, we believe, has serious implications for Windows development going forward.
Interestingly, XPM does not require you to run a separate desktop with Windows XP. Applications installed in the virtual environment are published to the Windows 7 host and shortcuts placed in the host's Start menu. Users can run Windows XP applications (installed in XPM) directly and transparently in Windows 7 desktop!

All I can say is— this is super cool! And although I haven't had a chance to try it out yet, it seems application compatibility is quickly headed to be a non-issue with Windows 7.

More details in Secret No More: Revealing Windows XP Mode for Windows 7 on Thurrott's SuperSite for Windows, and screenshots in Windows XP Mode for Windows 7 Screens.

Scott Woodgate confirmed it later in Coming Soon: Windows XP Mode and Windows Virtual PC on the Windows Blog.


Friday, March 20, 2009

 

Released: PowerShell Snap-in For IIS 7

Posted by Bharat Suneja at 8:30 AM
The big news from MIX09 is probably the release of Internet Explorer 8, but for shell aficionados, Exchange folks and scripting geeks, the release of IIS Snap-in for Windows PowerShell is not a lesser event. The snap-in has 71 cmdlets to manage IIS, from web application pools to web site configurations, bindings, and SSL.

Download the IIS Snap-in for Windows PowerShell: X86 | x64.

For more information about the snap-in, head to IIS.net. IIS developer Sergei Antonov, who owns scripting and command-line tools, blogs here.

Curious to find out which cmdlets are included? Head over to the IIS 7 Cmdlets mini-reference.


Monday, March 09, 2009

 

Windows 7 Beta and Multi-Touch

Posted by Bharat Suneja at 6:14 AM
Even before the release of Windows 7, laptops and desktops featuring a touch-based interface have started showing up on store shelves and online. These run Windows Vista, come with a touch-sensitive screen and perhaps a third-party add-on that provides some touch functionality. Notably, HP has a line of TouchSmart PCs, including all-in-one PCs and a cool tablet. The TouchSmart tablet recently showed up at Best Buy at a price that won't make you feel guilty for weeks later simply for having considered buying one.

Windows 7 has built-in support for multi-touch technology, called Windows Touch. Here's an interesting video showing Windows Touch in Windows 7 Beta, and tasks that are natural fits for touch - Windows Media Center, browsing through a library of music, videos or photographs.



I decided to wait till Windows 7 ships to buy a PC with multi-touch capabilities. It sure adds a lot more fun to computing (in a very iPhone way :), and it's one of the more exciting new developments in computing.

If you've already bought a PC with multi-touch capabilities and are eager to use Windows 7 beta's multi-touch functionality, head over to Enabling Multi-Touch in the Windows 7 Beta on the Windows blog.

Speech: The Other Breakthrough
The other development I've been eagerly awaiting is the PC's built-in support for speech, to the extent that I could get rid of the keyboard and use speech as the primary interface. Not just for dictating emails or documents, but actually be able to accomplish almost anything using speech commands dictated to the computer. Dragon Naturally Speaking 10 is an impressive product from Nuance. DNS V10 Standard sells for $99.99, and the Preferred version is about $150. Although it would be great to have all this functionality (and more) included in the OS, I don't mind the additional cost of DNS 10, given the convenience gained by using speech, and the resulting boost in productivity it promises after the initial effort of learning how to use it.

With PCs supporting quad-core processors now going for way under $1000, and (for the "Vista-is-a-resource-hog" crowd) 4 Gigs of memory selling for under 50 bucks, the firepower to support such applications certainly exists under the hood of common desktop PCs we'll buy this year.


Friday, February 06, 2009

 

CNET's Idea of Tech News

Posted by Bharat Suneja at 12:30 PM
Although otherwise very readable publications/sites, some tech media outlets increasingly come up with news that really isn't news, and certainly not worthy of publication. For instance, this item in CNET's News.com: Georgetown University bans use of Windows 7 beta

Given such media coverage, you can't be blamed for wondering: "Wow, there must be something wrong with Windows 7 to prompt Georgetown to ban it!".

The fact that it's a beta, and the title of this apparently newsworthy (according to someone at CNET) item says so, doesn't quite register.

The writer quotes Paul McDougall's report from InformationWeek. It's a practice which, as you may have noticed over the past few years, absolves the quoting reporter of any responsibility to give it a serious thought or otherwise use common sense! Needless to say, "<Blah> bans the use of Windows 7 beta" is an excellent headline, bound to result in more than its fair share of page views. It sells.

Of course, there's no debate about the underlying facts - CNET's simply reporting what's been reported by another reporter in another publication! InformationWeek's original headline beats what CNET came up with: Windows 7 Beta Flunks Out Of Georgetown! It even comes with a juicier sub-title: University's IT department nixes downloads of Microsoft's new operating system.

A look at the source
To find out what Georgetown's University Information Services (UIS) really stated in its policy, let's head to the source doc on UIS' web site:
Microsoft Corporation recently released a "beta", or "pre-release", version of its new operating system, Windows 7. However, UIS strongly discourages using it.
The UIS doc goes on to explain what a beta is, and why you shouldn't install Windows 7 beta. The doc cites Microsoft's Windows 7 web site:
Microsoft's Windows 7 Web site states emphatically that there are risks associated with installing beta version of Windows 7 and that "it's not a finished product."
The doc goes on to state UIS' policy on software support.

Not trusting my own eyes, and my reading and comprehension skills, which told me the word "ban" did not show up in the UIS doc, I also used the search feature in both Internet Explorer and Firefox. As suspected, both browsers failed to find the word "ban" in the doc!

To ensure I was well into the "beyond reasonable doubt" territory, I reached out for the dictionary (the online one @ Dictionary.com), and looked up the words discourage and ban. I am now convinced, beyond a reasonable doubt, that "discourages", even when prefixed with "strongly", is not the same thing as "bans".

Unfortunately, CNET isn't the only media outlet that falls to the temptation of putting headlines and page views before fair reporting. Overall, CNET continues to do a great job of reporting tech news. (I miss Brian Cooley on CNET Radio— an important part of Silicon Valley culture for many, during the tail end of the dot com boom.)

Testing beta software
Windows 7 beta continues to receive some balanced (read "favorable") coverage, even from the naysayers.

Nevertheless, there's a reason beta software is called beta, and what's OK for an engineer at Intel may not be OK for the average non-technical user at large. Although the Windows 7 beta is remarkably stable, performs well, and is "production-ready" according to many testers and reviewers, it's not a great idea to run a beta on your "production" PCs unless you're prepared to support it yourself.

If you really want to test or play with beta software, get yourself a test box, or use virtualization software to run it in a virtual machine.


Tuesday, January 13, 2009

 

Evolution of Windows Media Center

Posted by Bharat Suneja at 8:12 AM
With the public availability of Windows 7 beta announced at CES 2009, Media Center aficionados are eagerly waiting for the updated Windows Media Center experience in the new OS. For me, Media Center has been the big reason to upgrade home PCs to Windows Vista, and looks like that will continue with Windows 7.

I love the easy-to-use electronic program guide (EPG) - and my son refuses to watch TV any other way now. The built-in DVR functionality is great, the ability to easily search for TV shows and record one instance or entire series, and being able to view the recorded TV shows from a laptop outdoors or any other computer on the home network is impressive. Although none of it is earth-shattering or revolutionary, it's a great user experience, very well done, and getting better with each version.

Here's a look at the evolution of Windows Media Center:




Another trend visible at CES: many new models of televisions you'll be able to buy in 2009 will have Media Center Extenders built-in. This means the same, well-designed Windows Media Center interface will now be shipped with the TVs - with no additional external boxes to buy or cables to run.

I also had no idea you could easily synch recorded TV from the Media Center to a Windows Mobile phone, as shown in this video.


Monday, January 05, 2009

It's been a fun year watching those cute Apple commercials urging you to switch to a Mac. Yes, many of us love Apple's beautifully engineered hardware, and may have fallen for the charms of an iPhone (although strictly as a case study in usability... :), but switching to the Mac OS as your primary computing platform? I'm not so sure.

Having run Windows Server 2003, Active Directory, and Exchange 2003 on a Mac Mini in the past, I've come to love the form factor. They're virtually silent and virtually invisible— great for that lone server at home. However, if you need to run a few servers, Mac Minis can quickly get very expensive. Using Hyper-V on a loaded server is more effective.

Another great application for the Mac Mini form factor - Media Center PCs, aka HTPCs. Sony's great-looking HTPCs are available in a similar form factor. They are comparable, if not more attractive than the Mac Mini. But at $1350, the VGX-TP20E/W— the cheapest of Sony's HTPCs is priced more than what you may have paid for a decent high definition television this past holiday season!

Nothing against OS X per se - it has some nice usability touches, along with its own set of quirks. However, if you're used to using Windows, switching isn't exactly as easy as those Apple commercials make it seem.

CNET Editor Rafe Needleman laments:
But I moved us to Macs to avoid this kind of hackery....after two weeks of resisting, I am dropping back to Vista on my MacBook, at least during this critical week, when I will be covering both MacWorld and CES and will have no patience for a computer that gets in my way and apps that don't work the way they should.
Interestingly, Needleman arrives at the same conclusion as I did: Apple's hardware is great for running Windows Vista. It is also overpriced for running Windows Vista. More in Switcher's lament: The case against Mac on News.com.

Over the past year or two, we've come across quite a few switchers who continue to run Windows Vista or Windows XP using Bootcamp, Parallels, or something else. Very alluring, but thanks for now! I'd rather run Windows on a real PC.


Monday, October 13, 2008

 

Introducing Windows 7

Posted by Bharat Suneja at 5:28 PM
Yes, the product so far known by its codename - "Windows 7", will officially be called Windows 7.

It's the first time the official/final/release version of Windows will have the same name as its codename.

More from Mike Nash on the Windows Vista team blog.


Tuesday, July 08, 2008

In previous versions of IIS, the IUSR_MachineName account is created for anonymous authentication. This is an actual user account created on the server (a domain account can be used in domain environments), and like all user accounts— it has a SID, and an account password with the accompanying management costs and risks.

One of the resulting annoyances (for me): when you install IIS first and then change the computer name, the computer name and the MachineName in IUSR_MachineName account don't match.

IIS 7 gets rid of the IUSR_MachineName account in favor of a built-in IUSR account that's guaranteed to have the same SID on all computers. This ensures ACLs copied from one web server to another work, domain accounts are no longer required, and applications can be easily deployed across multiple web servers. The IIS_WPG group (for IIS Application Pool identities) is replaced by the built-in group IIS_IUSRS.

Note: The IUSR_MACHINENAME account isn't completely gone— it is used for anonymous authentication to FTP, and gets created if/when you install FTP.
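The portability point above, as an added example (not code from the original post or from the IIS team): a PowerShell function that reads a folder's ACL by SID and reports which entries use the fixed built-in IIS 7 identities and which are tied to one machine's local accounts. The function name and the sample path are assumptions; S-1-5-17 and S-1-5-32-568 are the documented well-known SIDs for IUSR and IIS_IUSRS.

```powershell
# Added example. Get-AclPortabilityReport is a hypothetical helper name.
function Get-AclPortabilityReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    # Built-in IIS 7 identities: the same SID on every Windows installation.
    $builtIn = @{
        'S-1-5-17'     = 'IUSR'
        'S-1-5-32-568' = 'IIS_IUSRS'
    }

    # Derive this machine's SID from any local account: a local account SID is
    # the machine SID followed by a relative ID (RID).
    $local = Get-CimInstance Win32_UserAccount -Filter 'LocalAccount=True' |
        Select-Object -First 1
    $machineSid = $null
    if ($local) {
        $machineSid = ([System.Security.Principal.SecurityIdentifier]$local.SID).AccountDomainSid.Value
    }

    $sidType = [System.Security.Principal.SecurityIdentifier]
    $acl = Get-Acl -LiteralPath $Path

    # Request the rules keyed by SID instead of by name, so entries whose
    # account does not exist on this server are still listed.
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $rule.IdentityReference

        # A SID that cannot be translated to a name is an orphaned entry,
        # typically an ACE copied from another server's local account.
        try {
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = '<unresolved>'
        }

        if ($builtIn.ContainsKey($sid.Value)) {
            $scope = 'Portable: built-in ' + $builtIn[$sid.Value]
        } elseif (-not $sid.IsAccountSid()) {
            $scope = 'Portable: well-known SID'
        } elseif ($machineSid -and $sid.AccountDomainSid.Value -eq $machineSid) {
            $scope = 'Local account: valid on this server only'
        } elseif ($name -eq '<unresolved>') {
            $scope = 'Orphaned: account not known to this server'
        } else {
            $scope = 'Domain account: valid on servers in the same domain'
        }

        [pscustomobject]@{
            Identity    = $name
            Sid         = $sid.Value
            Rights      = $rule.FileSystemRights
            Type        = $rule.AccessControlType
            Inherited   = $rule.IsInherited
            Portability = $scope
        }
    }
}

# Sample call; the path is an assumption, substitute your own site root.
Get-AclPortabilityReport -Path 'C:\inetpub\wwwroot' | Format-Table -AutoSize
```

Entries reported as local or orphaned are the ones that break when content and ACLs are copied between web servers, which is the case a legacy IUSR_MachineName entry falls into.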

More on the IIS team blog in 'Understanding the Built-In User and Group Accounts in IIS 7.0'

- Security identifiers
- Well-known security identifiers in Windows operating systems


Monday, June 30, 2008

 

Save XP, Rick Mercer Style

Posted by Bharat Suneja at 8:00 AM
It's June 30th! I had the date marked because of two reasons. The first one has to do with Windows XP, and if you haven't heard enough already, CBC's Rick Mercer has his own view of how to save Windows XP. Caution: May not be entirely work-safe for some.



The second reason's coming up in a post after the break, and it has absolutely nothing to do with Windows XP or Windows Vista!


Friday, June 27, 2008

 

Released: Windows Server 2008 Hyper-V

Posted by Bharat Suneja at 3:13 PM
While I was away yesterday, Windows Server 2008 Hyper-V made its public debut (RTMed in Microsoftese). I know what you're thinking: Let the Microsoft PR storm begin, VMWare has a better virtualization product, and other unbloggable thoughts... :).

I've been using Hyper-V for a few months now, and all I can say is— it's been a great experience way before RTM, and I am impressed! Of all things Hyper-V that impress me, I'm blown away by the performance - it flies! This, on a desktop class machine (one that meets the CPU and other requirements, of course, but poorly-configured to be used as a server/Hyper-V box that's running quite a few virtual machines).

Next, the simplicity and ease-of-use. As InfoWorld's Randall C. Kennedy puts it:
As with most Server 2008 "roles," enabling Hyper-V was a simple matter of ticking a check box in Server Manager and picking a NIC for use by the virtual network manager.
Read more of Randall's review in Test Center review: Microsoft's Hyper-V does the trick.

Scott has a post with plenty of links to Hyper-V resources and blog posts— Hyper-V has RTM'd and is Available!

As Scott mentions in the post, Microsoft will have a support statement about Exchange Server and virtualization 60 days from Hyper-V RTM. This was announced at TechEd IT Pro in Orlando little over 2 weeks ago.


Tuesday, June 17, 2008

 

Starting Task Manager in RDP or VM sessions

Posted by Bharat Suneja at 5:49 PM
You have an RDP (Terminal Services) session or a Virtual Machine session open, where the CTRL-ALT-DEL key combination fires up the Windows Logon/Security dialog on the host computer rather than the RDP or VM session you have open.

Getting to the Task Manager involves some mouse-clicks in such situations— Start -> Windows Security -> Task Manager (works in both RDP and VM sessions) or clicking on the appropriate shortcut in the VM client software. Hyper-V has a short-cut on its menu bar that makes it a single mouse click, but still not quick enough. It's actually annoying if you are happily pounding away at the keyboard for most part... and now need to lift your hand to grab a mouse and... you know where we're going with this!

Shortcuts exist - if you're at the cmdline, you can simply type taskmgr.exe (or Start -> Run -> type taskmgr.exe). Alternatively, you can create a desktop shortcut and point it to taskmgr.exe. If you simply want to remain at the cmdline and not bother with the GUI at all, use TaskList. You can filter the output in a number of ways - use tasklist /? to see all the options.

If you're on an Exchange 2007 box or have Windows PowerShell installed, it gets event better. Get-Process and Stop-Process commands are your friends here. You can filter by process name or PID, and also pipe the output from Get-Process to Stop-Process. For example:

Get-Process -Name svchost
Get-Process -Name MSExchange* | ft Id,Name,Handles,PM -AutoSize
Get-Process | ft Name,Company,ProductVersion,FileVersion -Autosize
Stop-Process -ID 6064
Get-Process mmc* | where {$_.Handles -gt 1000} | stop-process


Wednesday, June 04, 2008

 

Perfmon counters show up as numbers?

Posted by Bharat Suneja at 12:22 AM
You're troubleshooting an important issue and fire up Performance Monitor, only to be greeted by this bizarre visual— all your Perfmon counters show up as numbers! You restart Perfmon a few times, try to choose a different performance object - but it's still numbers.


Figure 1: Performance Monitor counters and objects are displayed as numbers instead of object and counter names

Fix:

Lodctr.exe /r

It can take a little while (about 10 minutes in this case).


Thursday, March 20, 2008

Note to readers: I haven't had to keep a post on hold for as long as I've kept this one, contemplating whether I should post it or not. After much thought, I've decided to post this, because it is important to know the facts about downgrade rights, and to clarify my position on this debate.

InfoWorld responded to my previous post (read InfoWorld's campaign to "Save Windows XP").

In a blog post titled Exchangepedia Blog Author calls "Save XP Campaign" Childish!, InfoWorld columnist J. Peter Bruzzese writes:
However, in the overall scheme of things will it budge the folks at Redmond to reconsider its plans? Not if Bharat Suneja, an MVP for Exchange and tech guru who publishes the popular Exchangepedia Blog site has anything to say about it. He has done his own research on the matter and his opinion should be heard!
Thanks for the kind words Peter - much appreciated.

To put it on record, I am not for or against Microsoft extending the deadline for Windows XP OEM and retail sales. I called Peter the saner voice (of InfoWorld) - he gets the gist of what I wanted to convey in the post:
The point Bharat is trying to make: Windows XP is an operating system that has lived past its prime, and Microsoft isn't about to pull the plug on it any time soon. (Users can move to Vista on their own timeline).
In my post, I pointed out Microsoft's Product Lifecycle Policy for Windows XP, including the facts that Windows XP mainstream support won't end till April 2009, extended support will be available till April 2014, and Volume License customers can use their downgrade rights if Windows XP licenses are no longer available from retail or OEM channels. (As it turns out, downgrade rights are not restricted to Volume License customers.)

In fact, Microsoft will soon release a new service pack— Service Pack 3, for Windows XP. You can download Release Candidate 2 of the service pack here.
InfoWorld Editor Galen Gruman comments
InfoWorld Editor Galen Gruman left a comment on the post here. What she has to say (relevant portions highlighted and bolded for emphasis):
For the record, as the InfoWorld editor who's responsible for the "Save XP" story and related content, there's one big error in this well-reasoned post: XP will not be generally available after June 30 if you are *adding* computers or people. We never said this was an issue of support. It is true that if you have a site license to Vista, you have downgrade rights to XP. But most small businesses and no individual buyers have these rights. They cannot get XP after June 30. And unless they bought new of two specific types of Vista -- the full, not OEM, versions of Vista Business and Vista Ultimate -- they do not have downgrade rights. Given that practically everyone who buys a computer has just an OEM copy of Windows, they do not in fact have downgrade rights to XP and cannot add new XP licenses to their mix of XP systems. This forces them to have a mix of XP and Vista, whether or not they are ready for Vista. It was this concern that we heard repeatedly in the last year and led to this story. And why we advocated that XP be available for sale indefinitely -- meaning not forever but until the market as a whole is much more ready to move.
Thanks for commenting Galen. Having read your follow-up article "The "Save XP" manifesto: Time to get past the distractions", I agree with some of the arguments presented (and greatly disagree with others), and the underlying reasons for the "Save XP" campaign. However, your basic premise that setting a date for end of availability of OEM and retail licenses for Windows XP is like Microsoft giving users an eviction notice is simply not true!

I understand that the main issue Galen has is not about existing Windows XP users or computers, but about availability of Windows XP for new computers or users. Carrying the analogy further, that's more like Microsoft saying we aren't accepting new lease applications for this old, run-down apartment that is scheduled to be torn down. You can, however, lease a unit in this brand new complex we built across the street.... It is far from an eviction notice for existing tenants.

The facts about downgrade rights
As far as the downgrade rights Galen referred to (highlighted) in the above comment and in her follow-up article are concerned, she deserves the benefit of the doubt. There's clearly some misunderstanding on her part, and it probably isn't her fault. (Update: Based on our email exchange, I know she has tried to get a definitive answer to this.) Navigating Microsoft's web of licensing options and agreements can be challenging, even for MVPs. However, to be fair to Microsoft, I was able to get the answer by searching the web, and a single follow-up call to Microsoft Pre-Sales and Licensing. The response was clear and unambiguous.

Downgrade rights are not limited to large enterprises. This Microsoft Volume Licensing Brief [download] (dated January 2007) titled Microsoft Select License, Open License, Original Equipment Manufacturer (OEM) License, and Full Packaged Product (FPP) License Downgrade Rights says:
Can I downgrade my OEM version of Windows Vista Business to Windows XP Professional?
Yes. OEM downgrade rights for desktop PC operating systems apply to Windows Vista Business and Windows Vista Ultimate as stated in the License Terms. Please note, OEM downgrade versions of Windows Vista Business and Windows Vista Ultimate are limited to Windows XP Professional (including Windows XP Tablet PC Edition and Windows XP x64 Edition). End users can use the following media for their downgrade: Volume Licensing media (provided the end user has a Volume Licensing agreement), retail (FPP), or system builder hologram CD (provided the software is acquired in accordance with the Microsoft OEM System Builder License). Use of the downgraded operating system is governed by the Windows Vista Business License Terms, and the end user cannot use both the downgrade operating system and Windows Vista Business. There are no downgrade rights granted for Windows Vista Home Basic or Windows Vista Home Premium.
Translation: If you buy a computer and it ships with Windows Vista Business or Ultimate preinstalled by the manufacturer, also known as an OEM license, you can downgrade to Windows XP Professional. You do not need a Volume License of any kind to do that - end users, small businesses with or without an Open License, and larger businesses - again, with or without a Select or Enterprise License, can downgrade to Windows XP Professional, and use it for as long as they wish.

Microsoft confirms
A quick call to Microsoft Sales/Licensing confirmed that. You are welcome to do so yourself, by calling 800.426.9400. Select option 5, then option 3. In a follow-up call, Microsoft also explicitly and unambiguously stated that users can use the OEM media (CD) or the one that came with a prior purchase of a FPP (retail) version to downgrade. Organizations with a volume license can also use their volume license media to downgrade. "The media is not important here, the license is", added the Microsoft rep.

If you're having trouble finding your Windows XP CD or need to order a replacement copy, you can do so by calling 800.360.7561 if you bought the retail (FPP) version. The cost is $23, or $29 with taxes and shipping. Volume License customers can order CDs by calling Volume License Fulfillment at 800.248.0655. When asked how long the replacement CDs will be available, and whether these will still be available after Windows XP is no longer sold, the rep responded: "They will be available for quite a while. No plans for discontinuing that yet."

Though well-intentioned, some of the arguments presented by Galen are not as valid. Once again, I am neither for nor against Microsoft continuing to sell Windows XP, nor do I profess that users move to Vista whether they're ready or not. However, the implication that Microsoft is forcing users to move to Windows Vista, and terms like eviction notice used in such articles, do not present the issues in the right perspective.

Given the facts about Microsoft's product lifecycle, support policies and downgrade rights, is Microsoft's stance wrong here? Or does InfoWorld's Save XP campaign amount to unfairly criticizing Microsoft, as InfoWorld's own columnist J. Peter Bruzzese states in "Save XP? Why bother?"?


PS: Tom Sullivan's response, and comment about MVPs

I was equally annoyed and amused by InfoWorld Editor Tom Sullivan's response in "On the necessity of InfoWorld's 'Save XP' campaign". Tom says:
As Peter Bruzzese points out, the author of Exchangeapedia, Bharat Suneja, suggests that the campaign won't inspire Microsoft to change its plans and keep Windows XP alive beyond June 30.

Suneja, it's worth explaining, is a Microsoft MVP. A rare breed, indeed, these disciples are devout enough that, while attending an MVP Summit back in 2001, a pair of them even got married in Redmond, Wash. and read vows from their Pocket PCs.

That said, Bruzzese writes that Suneja "has done his own research on the matter and his opinion should be heard." I agree, and particularly when he explains that mainstream support will end on April 14th, 2009, and extended support will be available for five years from that date, till April 8th, 2014, both points IT shops should research. Suneja writes, in his post, "Windows XP doesn't seem like a product that's being retired prematurely."

That, obviously, is a matter of some debate. Contrarians can easily point to the reality that Vista sales are not exactly going like gangbusters.
Tom, all I can say is, I wish you had read my original post before commenting. Perhaps that's just one of those good old journalistic niceties that we simply don't have time for any more. :)

If you did read my original post, please accept my apologies.

MVPs are also some of Microsoft's sharpest critics. An excerpt from the article in Computerworld:
Paul DeGroot, an analyst at Directions on Microsoft, a research firm in Kirkland, Wash., agreed that MVPs are both "in Microsoft's camp" and its "best critics" at the same time.

"They criticize from a position of deep knowledge about the products and how customers use them," DeGroot said. "So when they say something, they know what they're talking about, and they're not inclined to take cheap shots. They'd rather fix things than lay blame."
MVP or not, my opinion and criticism of InfoWorld in this matter wouldn't have changed. It is sad to note that what is otherwise a well-regarded tech journal is increasingly sounding like the MAD magazine of tech journalism on this topic.


Monday, April 30, 2007

We've been hearing a lot about 'crapware' apps installed by hardware vendors on desktops and laptops - apps like AOL (or other ISP) software, myriad browser add-ins and toolbars, trial versions of anti-virus, firewall, and security software that you may never use - perhaps because your organization has standardized on some more manageable enterprise versions of such apps, or the apps installed are either not the ones you would choose, or they're completely useless. Annoying as it is to get these apps installed by default, what's even more annoying is the fact that most vendors generally give you no choice to get a computer with a "clean"/base operating system installed.

Given the razor-thin margins in the PC industry, vendors cannot resist augmenting their bottom line through such deals with application vendors.

However, little attention has been paid to the crapware that comes with the operating system itself. For instance, why does a server OS need Windows Media Player installed by default? Cursors of different shapes and sizes? Themes and wallpapers? NetMeeting? It's a long list.

It's a common practice in many organizations, where servers are deployed/redeployed on a regular basis, to build a secure server image sans all these apps and services that are of no use on a server (further locked down using the organization's secure server build procedures).

Luckily, that's not the case with Longhorn server. None of the crapware or desktop-like apps get installed by default. Should you want to, features like "Desktop Experience" can be installed.



Additionally, Server Core - a barebones install of the OS sans the Windows Explorer GUI interface (can be managed locally from the commandline or remotely from a workstation with management tools installed), and purposing a server based on server roles - 17 of them available in Beta3, ensures Longhorn servers are leaner, with a reduced attack surface.

It's important to realize that the Windows management experience is going to change from the everything-turned-on-by-default model of previous versions of Windows (server and client OSes), where you disabled or removed the components you did not need, to one where you get a basic install that makes the OS functional, requiring other components to be added/enabled/configured later, as required.

One component that does get installed by default is Internet Explorer. It would be great to get rid of this as well - though a web browser may be seen as an essential component of the OS by many, particularly - as the argument goes - for the ability to download patches/updates/drivers, etc., do you really want to browse web sites from the server? Using IE?


Friday, April 20, 2007

 

Computerworld: The deal on the Windows DNS bug

Posted by Bharat Suneja at 4:47 PM
The still unpatched Windows DNS Server bug has been the topic of many a security discussion during the past few days. If you're running your DNS on a Windows Server (using DNS Server service), this affects you. Computerworld's Gregg Keizer has a nice write-up about this issue that I just stumbled upon, thanks to Sunbelt Software's WServer News newsletter.

According to Computerworld, there are at least 5 exploits in proof-of-concept form floating out there. Chris Budd from the Microsoft Security Response Center says Microsoft has "teams around the world working twenty-four hours a day". An update/hotfix is expected around May 8th, in time for next month's Patch Tuesday.


Tuesday, April 03, 2007

Ran into Steve Riley (Steve is Microsoft's senior security strategist in the Security technology unit, and a "hypnotic" speaker with a great sense of humor. His sessions at technical conferences like Microsoft's TechEd are popular and frequently standing room only... ) at Exchange Connections earlier today. I complained about Vista's auto-tuning feature and my experience with it [read previous post "Windows Vista won't get newsgroup list from news.microsoft.com"].

He directed me to his blog post, where he talks about this feature, and the fact that this problem with auto-tuning is generally seen only when connecting from hotels. Come to think of it, I didn't see the problems mentioned in the above post until this week in Orlando, toting a laptop running Windows Vista as my primary laptop. (However, it doesn't explain the problems I've had copying large files, as mentioned in the post - but I'll have to test some more once I get home to come to a conclusion.)

Read more in this post titled "Windows Vista v/s Hotels" on Steve's blog.


Sunday, April 01, 2007

Unsettling as the loss of a laptop is - with plenty of other data, I also lost my "database" of over 7000 posts to Microsoft Exchange public newsgroups :( - it is even more unsettling to use a temporary laptop that's running a new operating system - Windows Vista.

Don't get me wrong - I love Vista, I love the new UI, and no matter what the detractors say I would move for the new UI and the Aero Glass interface. I've been using it on a second/standby laptop in the past, but not as my primary one. Now I have no options but to use Vista as it shipped on this laptop.

I fired up Windows Mail client to get to the Microsoft newsgroups, and Vista would keep timing out after about 60 seconds, showing me Exchange newsgroups for every other language but English! After Googling it for a little bit, the conclusion was Vista's auto-network tuning feature was the culprit.

I turned it off using the following command:
netsh interface tcp set global autotuning=disabled

Voilà - the problem's gone, I instantly got the entire list of newsgroups!

Another issue that this auto-tuning feature was clearly responsible for - I could not RDP to my servers at home - it created the connection, I can see the server's screen but it's blank - no login GUI (GINA) from those servers. When I VPNed into work and tried to access the servers using RDP from a Windows Server 2003 box, it worked like a charm.

The above fix took care of that as well, and I could RDP directly from Vista. Yes, that's weird - I've used Vista before on the other laptop and it never had these issues...

Nevertheless, I'm happy I got both of the above fixed, and in the process realized the issues stuff like auto-tuning might be creating for users. I've stopped claiming any kind of expertise on client operating systems for a while now, so I'm not sure under what scenarios the auto-tuning feature may actually be useful. For what it's worth, these are the performance enhancements from the "next generation TCP/IP stack".

On a second thought, this probably explains the inability to copy an 18 Gig virtual machine image (VHD file) on another laptop running Vista - it would get stuck at 5% and not move beyond that. Windows XP copied the same file in a few minutes!


Tuesday, January 16, 2007

 

What is the *real* maximum password length?

Posted by Bharat Suneja at 5:54 PM
I've long been an advocate of using long passwords, using entire phrases/sentences instead of a single more complex but short password.

Some Windows Server 2003 documentation states the maximum password length is 28 characters (e.g. Enforcing Strong Password Usage Throughout Your Organization says "Although Windows 2000, Windows XP, and Windows Server 2003 support passwords up to 28 characters, ... "). The Change Password dialog box that users normally use (the one that shows up when you choose Change Password after hitting CTRL-ALT-DEL) lets you enter only 26 characters. Using AD Users & Computers, you can reset it to 32 characters.



Adding to the confusion, the help text for the Reset Password dialog box states that it provides space to type a password up to 127 characters (which it doesn't, as we've seen in the above screenshot - it's limited to 32 characters).



What's the real maximum?

The Answer: The ResetPassword dialog box does provide a space for up to 127 characters. However, the way the edit box controls work (in the above Reset Password dialog box), when you continue to enter characters past the 32-character width of the control, it does not scroll characters to the left, but continues to accept the longer password. This can be observed when you delete the long password - it deletes the 32 visible characters (though it doesn't visibly display the scrolling effect, it has indeed scrolled), then scrolls to the left to display the remaining characters in the 32-character window. Here's a Flash demo that shows that. :)

In the above demo, when the password being entered reaches the visible limit of the edit box, you feel it's not taking the rest of the password. Wait a few seconds till the password is being deleted.

The Change Password dialog box behaves similarly.


Wednesday, December 13, 2006

According to analyst Jon Oltsik of Enterprise Strategy Group, Windows Vista's BitLocker drive encryption system provides enough RoI to justify the upgrade for enterprise customers. PC encryption tools have now become a "must-have" and most enterprises are considering deploying such tools.

Standalone drive encryption utilities cost $100-$200 per system in acquisition cost alone. Add to that installation, configuration and ongoing support costs, and the upgrade to Windows Vista - which includes drive encryption (and other security and management features) - begins to look quite attractive.

More on CNET News.com - "Windows Vista and the secret of full disk encryption".


Wednesday, November 22, 2006

Like many IT folks, if you're ahead of the pack and now have Windows Vista RTM running on your laptop or workstation, you're probably wondering about or may already have tried running Windows Server 2003 admin tools (adminpak.msi) and Exchange System Manager on Vista.

These admin tools are not officially supported on Vista yet. MVP Daniel Petri has a workaround for installing adminpak on Vista. We'll probably have to wait a little longer for Exchange System Manager.


Monday, November 13, 2006

Infoworld columnist Roger Grimes provides some interesting information in his Security Adviser column about (short) complex passwords being easier to crack than longer "non-complex" ones. I've always encouraged users to use phrases or short sentences as passwords rather than sticking to the short password lengths imposed by I.T. departments, and Grimes confirms that.

Some interesting tidbits:
- Conventional wisdom says that because end-users have 94 characters to choose from on a 101-key keyboard, breaking an eight-character, complex password -- out of 94^8 = 6,095,689,385,410,816 different possible passwords -- is not a trivial task.
- ... if you require an eight-character-minimum password, most users will choose an eight-character password.
- If you require a capital letter, they will put it at the beginning because we are trained in writing class to do that.
- If you require a number, most users will put the number at the end, and the number will be 1 or 2.
- Even though users have 94 characters to choose from on the keyboard, 80 percent of passwords will contain the same 32 characters and symbols -- as mentioned in my previous columns. Most passwords by English authors contain a root English word, many of which can be found in a password-cracking dictionary containing just 30,000 words.

Grimes actually ran a contest to have password hashes cracked, with interesting results. Read the entire column on infoworld.com.

And when it's time to implement a new password policy, think about raising the minimum character length, and going lighter on the complexity bit.... because the complexity part is what forces users to do crazy stuff like write passwords on sticky notes and paste them on monitors! :)
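To put numbers on the length-versus-complexity argument, here is an added example (not code from Grimes's column or from this blog) of a password-change check that flags the habits listed above and estimates how many candidates are left once they are assumed. The 94-character and 30,000-word figures come from the column; the function names, the small word list and the way case and digit variants are counted are assumptions made for illustration.

```python
"""Added example: how the habits in the column shrink the password search space."""
import re

KEYBOARD_CHARS = 94        # characters on the keyboard (figure quoted from the column)
DICTIONARY_SIZE = 30_000   # cracking-dictionary size (figure quoted from the column)

# Constructed stand-in for a real word list; a deployment would load its own.
SAMPLE_WORDS = frozenset({
    "football", "password", "sunshine", "welcome", "dragon",
    "correct", "horse", "battery", "staple",
})

# Habit shape: one alphabetic root word followed by optional trailing digits.
HABIT = re.compile(r"(?P<root>[A-Za-z]+)(?P<digits>\d*)")


def brute_force_space(length, alphabet=KEYBOARD_CHARS):
    """Candidates to try when nothing is known about how the password was built."""
    return alphabet ** length


def passphrase_space(word_count, dictionary_size=DICTIONARY_SIZE):
    """Candidates for a phrase of dictionary words, assuming the dictionary is known.

    Holds only if the words are picked at random; a familiar quotation is weaker.
    """
    return dictionary_size ** word_count


def audit(password, min_length=8, words=SAMPLE_WORDS):
    """Return (findings, estimated_search_space) for one proposed password."""
    findings = []
    if len(password) == min_length:
        findings.append("length is exactly the policy minimum")

    tokens = password.split()
    if len(tokens) > 1 and all(token.lower() in words for token in tokens):
        findings.append(f"passphrase of {len(tokens)} dictionary words")
        return findings, passphrase_space(len(tokens))

    match = HABIT.fullmatch(password)
    if match is None or match["root"].lower() not in words:
        # No habit recognised: fall back to the conventional-wisdom figure.
        return findings, brute_force_space(len(password))

    root, digits = match["root"], match["digits"]
    findings.append("root is a dictionary word")

    capital_first = root[0].isupper() and root[1:].islower()
    if capital_first:
        findings.append("the only capital is the first letter")
    # Assumption: two case variants are tried per word (all lowercase and
    # first-letter capital); any other mix costs 2 per letter.
    case_variants = 2 if (capital_first or root.islower()) else 2 ** len(root)

    if digits in ("1", "2"):
        findings.append("the number is a trailing 1 or 2")
    # Assumption: three likely suffixes (none, 1, 2); otherwise every digit
    # string of the same length.
    suffix_variants = 3 if digits in ("", "1", "2") else 10 ** len(digits)

    return findings, DICTIONARY_SIZE * case_variants * suffix_variants


if __name__ == "__main__":
    for candidate in ("Welcome1", "x7#Qp!2v", "correct horse battery staple"):
        notes, space = audit(candidate)
        print(f"{candidate!r}: about {space:,} candidates; {'; '.join(notes) or 'no habits found'}")
```

Under these assumptions a password that satisfies an eight-character complexity rule in the predictable way is one of a few hundred thousand candidates, while four randomly chosen dictionary words exceed the full 94^8 figure even when the dictionary is known; three words do not.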


Friday, September 29, 2006

 

Chat with your Windows MediaCenter!

Posted by Bharat Suneja at 10:31 AM
As reported by Engadget.com, you'll love this concept and way geeky app to remotely tell Windows MediaCenter to record a tv show - just chat with it over MSN Messenger!

Stuck in a car with no way to record a tv show? You can now do it over a Windows Mobile phone (signed in to MSN/Live Messenger of course!). The idea of having an interactive dialog with a bot that can give you your tv guide listings and walk you through recording a particular show never occurred to me, but as the author suggests this is the next best thing to actually being able to call your Windows MediaCenter PC on the phone and simply talking to it.

As a sidenote, having worked at Nuance - the leading speech (recognition is one part of it... ) company - not very long ago, I feel strongly about speech apps, and I'm super-excited about Exchange Server 2007's Unified Messaging (Outlook Voice Access, AutoAttendant, et al) capabilities.

Talking to your MediaCenter PC can't be too far away, given reports of Windows Vista's built-in speech interfaces (no, I haven't had a chance to test any of that yet.... ). However, till such an app comes into existence, you can go to brains-n-brawn.com to find out how the /mobileRecord bot for Windows MediaCenter works.


Wednesday, September 27, 2006

Keyboard/command-line short-cuts that get you to a particular control panel applet or Windows dialog box are usually such great time-savers if you use them enough and (therefore) can remember them. Here's a list of some great time-saving short-cuts - (some will impress even your IT Pro colleagues... ):

The number one time-saver for me is the command to:

1. Open Add/Remove Windows Components dialog box - usually accessed from Add/Remove Programs, 4 mouse-clicks that really slow you down if you do this on a frequent basis. (The Add/Remove Programs applet itself takes a while to open before you can press the Windows Components short-cut):
control appwiz.cpl,,2

2. Add/Remove Programs - if you haven't already guessed it: appwiz.cpl

3. Network Connections applet: ncpa.cpl
What would be really cool along with this: being able to get to TCP/IP Properties of a network interface... has anyone figured that out yet?

4. Display Properties: desk.cpl


5. To set resolution, et al from the Display properties, Settings tab: control desk.cpl,,3

6. System properties: sysdm.cpl

System properties | Computer name: control sysdm.cpl,,1
System properties | Remote: control sysdm.cpl,,6
List of all values for System properties
General(0), Computer Name(1), Hardware(2), Advanced(3), System Restore(4), Automatic Updates(5), Remote (6)

7. Active Directory Users & Computers: dsa.msc

8. Active Directory Domains & Trusts: domain.msc
9. Active Directory Sites & Services: dssite.msc
10. DNS Management Console: dnsmgmt.msc
11. Computer Management Console: compmgmt.msc
12. Disk Management: diskmgmt.msc
13. Show Desktop (minimizes all programs): Windows key + D
14. Hibernate (great for a short-cut that you can then place in the quick launch bar in the Task Bar): %windir%\system32\rundll32.exe powrprof.dll,SetSuspendState Hibernate
15. Event Viewer (an old NT favorite): eventvwr


Tuesday, September 05, 2006

 

Using Consolas as the Windows console font

Posted by Bharat Suneja at 8:00 AM
If you don't like the font choices (or lack thereof) in Windows console, or want Consolas (a new font available by installing IE7 or Windows Vista) as your console font, you can add it as an option by going to HKLM\Software\Microsoft\WindowsNT\CurrentVersion\TrueTypeFont.

Scott Hanselman shows you how in this blog post.

Question for the Windows Vista folks - why not make it available as a choice by default? As the name suggests, it's an ideal fit for the console/text-based apps.


Monday, March 27, 2006

 

Calibri - a new font from Windows Vista

Posted by Bharat Suneja at 3:10 PM
I recently saw a new font installed on my "production" laptop (running Windows XP SP2) - Calibri.

Calibri is a beautiful humanist sans serif typeface, and one I started using immediately as the default in Word documents and email. My earlier attempts at using another font that seems to have been installed with Vista (no, I don’t have Windows Vista beta/CTP installed on my production laptop yet… but more about that in a moment) became quite unpopular around here.

I’m trying to figure out if it was the IE 7 beta that installed these fonts on my laptop, or perhaps Office “12” beta.

Either way, as someone who’s very interested in typography and graphic design, I do love Calibri enough that I’m using it for this blog. (Update: In a later redesign, Calibri was replaced with the equally beautiful and very readable Cambria.) You may (or may not… ) have noticed the change when you view these pages in your browser. If you don’t have the font, it will get substituted for some other sans serif font on your computer.

If you’re curious enough to find out what Calibri looks like, head over to Wikipedia (Wikipedia as a type catalogue... great!). If you search the web, you may be able to find links to download the font.

I would love to find out what you think about Calibri – leave a comment here if you feel strongly about this font (and the others included with Windows Vista / IE 7 / Office “12”).


Wednesday, August 10, 2005

 

Useful Utility: SysInternals Process Explorer

Posted by Bharat Suneja at 3:19 PM
A trusted friend of most experienced Windows folks, Process Explorer is one of Sysinternals' bag of free utilities that provide welcome relief from some of Windows' quirks and inadequacies.

I have found Process Explorer extremely useful and a great substitute for Windows Task Manager. On the topic of Task Manager, have you seen it change a lot since NT 4.0 days? There have been some improvements, but it's time Microsoft replaced it with something more extensive and powerful.

Process Explorer provides a lot of info about processes. In particular, it shows you all services running in the svchost processes. It also shows all files open/locked by a particular process. Ever tried to delete/replace a file and kept getting "file in use" errors with no clue as to which process was holding the particular file hostage? You can use PE to detect the process and kill it.

Besides, it can show DLLs being used, and has search capability to search for a file handle or dll.

You can download Process Explorer from Sysinternals web site: http://www.sysinternals.com/Utilities/ProcessExplorer.html

Q. How do I see memory consumption of each process in Process Explorer?
A. View | Select Columns | Process Performance | select Working Set Size.


Friday, July 29, 2005

If you simply copy an existing Windows OS image to create multiple virtual servers/workstations, and try to log on to a domain controller, you may get the following error:

The system or security ID (SID) of the domain specified is inconsistent with the trust information for that domain.

This happens because the SID of the computer was not changed when you made a copy of the virtual hard disk containing the OS. A good way to use a base drive image would be to Sysprep it first.

Nevertheless, if you haven't done that, log in to the computer locally. Use the PsGetSID and NewSID utilities from the Sysinternals web site (www.sysinternals.com). Use PsGetSID (a command-line tool): type PsGetSID to get the SID of the local computer and copy it to Notepad, then type PsGetSID \\DomainController -u username -p password to get the SID of the domain controller, and compare the two. If they're the same, now you know the reason why.

Proceed with the NewSID utility to generate a random SID for the computer. This takes a little while as NewSID replaces the old SID with the new one in the registry, amongst other things. Once done, the computer will reboot automatically (there's a checkmark to reboot... leave it unchecked if you don't want to reboot.)

You can now log in to the domain without getting the SID error.
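The comparison described above, applied to a batch of clones, as an added example (not part of the original post or of the Sysinternals tools): it takes SID strings already collected with PsGetSID and reports which hosts carry the same SID as the domain controller and which hosts share a SID with each other. The host names, SID values and function names are constructed for illustration.

```python
"""Added example: flag cloned machines whose SIDs collide."""
import re
from collections import defaultdict

# S-1-5-21-<a>-<b>-<c> identifies a machine or domain; a fourth number, when
# present, is the relative ID (RID) of an account under that machine or domain.
SID_PATTERN = re.compile(r"S-1-5-21-(\d+)-(\d+)-(\d+)(?:-(\d+))?", re.IGNORECASE)


def machine_part(sid):
    """Validate a SID string and return its machine/domain part without any RID."""
    match = SID_PATTERN.fullmatch(sid.strip())
    if match is None:
        raise ValueError(f"not an S-1-5-21 SID: {sid!r}")
    subauthorities = [int(value) for value in match.groups()[:3]]
    if any(value > 0xFFFFFFFF for value in subauthorities):
        raise ValueError(f"sub-authority does not fit in 32 bits: {sid!r}")
    return "S-1-5-21-" + "-".join(str(value) for value in subauthorities)


def find_sid_conflicts(host_sids, domain_sid):
    """Return (hosts whose SID equals the domain controller's, groups sharing a SID)."""
    domain = machine_part(domain_sid)
    hosts_by_sid = defaultdict(list)
    for host, sid in host_sids.items():
        hosts_by_sid[machine_part(sid)].append(host)
    same_as_domain = sorted(hosts_by_sid.get(domain, []))
    shared = {sid: sorted(hosts) for sid, hosts in hosts_by_sid.items() if len(hosts) > 1}
    return same_as_domain, shared


# Constructed sample data: the SID reported for the domain controller and the
# SIDs reported by four virtual machines.
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"
COLLECTED = {
    "VM-APP01": "S-1-5-21-1004336348-1177238915-682003330",       # copied disk, never sysprepped
    "VM-APP02": "S-1-5-21-1004336348-1177238915-682003330",       # copied disk, never sysprepped
    "VM-SQL01": "S-1-5-21-2025429265-492894223-1708537768",       # built from a sysprepped image
    "VM-WEB01": "s-1-5-21-3623811015-3361044348-30300820-1013 ",  # account SID pasted in; RID is dropped
}

if __name__ == "__main__":
    matching, shared = find_sid_conflicts(COLLECTED, DOMAIN_SID)
    print("Same SID as the domain controller:", ", ".join(matching) or "none")
    for sid, hosts in shared.items():
        print(f"{sid} is shared by: {', '.join(hosts)}")
```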


Monday, April 25, 2005

 

The 24-hour Linux phenomenon

Posted by Bharat Suneja at 3:54 PM
Interesting observation by InfoWorld columnist Neil McAllister. He quotes Jim Allchin (Group VP of Platforms at Microsoft).

Excerpts from the Open Enterprise column (emphasis mine). Standard disclaimers (including "take this with a pinch of salt") etc. apply... I do think there's some element of truth in this - having heard from or of people who've bought cheap desktops with unheard of OSes and installed Windows.... or taken Apple's "Switched" campaign too seriously and then returned to Windows... few hundred (or thousand) dollars poorer.. :

Microsoft gave up pretending that Linux isn't a threat to its Windows server business a long time ago. But when the soft-spoken Allchin first brought up the server market during our conversation that afternoon, he dropped the L-word with such candor that I was frankly shocked.

"Linux is the expected winner," Allchin says, "with its lineage from Unix. But we're happy, because we're winning market share." Got that? Not only is Linux a formidable competitor in the server market, but now Microsoft actually paints itself as the underdog.

Allchin was far less charitable (about Linux on the desktop) ..... attributing Linux's reported growth in the desktop market to something he called "the 24-hour Linux phenomenon."

According to Allchin, most customers who buy a new computer outfitted with Linux instead of Windows are doing it solely as a cost-cutting measure. They avoid the Windows license fee at the cash register when they ask for systems with Linux preinstalled. Once they get the hardware home, however, that Linux OS is quickly erased and replaced with a pirated copy of Windows -- often within 24 hours.

Allchin calls the practice of replacing the default OS with Windows "flipping," and he says it's particularly prevalent in Asian markets, where software piracy is rampant. In China, he says, shipments of desktop Linux are actually declining. The reason? Vendors who once shipped systems with Linux preinstalled are now switching to free or low-cost versions of DOS. That's because it's a lot easier for a customer to flip a system loaded with that bare-bones OS than it is to flip a comparatively more Byzantine Linux system.

Read it on Infoworld.com - http://www.infoworld.com/article/05/04/25/17OPopenent_1.html



Monday, March 14, 2005

If you try to view/edit a GPO in the Group Policy Object Editor on Windows Server 2003, Windows 2000 Server or Windows XP SP1, you get the following error:
The following entry in the [strings] section is too long and has been truncated.

Why does this happen? Older versions of the GPO Editor cannot interpret some string types with more than 255 characters. You will typically see it when you edit the GPO from a workstation and later try to view/edit the GPO from the domain controller (or another workstation/server). KB842933 explains this in detail and has hotfixes.

Windows 2000 (SP3/SP4): Windows2000-KB842933-x86-ENU.EXE

Windows XP: WindowsXP-KB842933-v3-x86-enu.exe
NOTE: Not an issue with Windows XP SP1.

Windows Server 2003: WindowsServer2003-KB842933-x86-enu.EXE


Saturday, February 19, 2005

 

Reinstall XP without activation

Posted by Bharat Suneja at 4:24 PM
Ever needed to reinstall the OS on the same system and wondered if it'll still activate?

This lets you reinstall Windows XP without having to activate it again:

  1. Copy the file %systemroot%\system32\wpa.dbl (to removable media like floppy/CD if you plan to reformat the drive and do not have
  2. Reinstall Windows XP
  3. Copy the file back to %systemroot%\system32

This only works if you are reinstalling XP on the same hardware - it's not a mechanism to use the same copy of XP on another system and bypass activation.

Alternatively (if setting up from a network source or creating a bootable CD), copy WPA.DBL to $OEM$\$$\system32.

Activating during unattended installation
To activate Windows XP during an unattended installation, insert the following line in the [Unattended] section of your answer file (unattend.txt or winnt.sif):
AutoActivate = Yes

Note: %systemroot% is a system variable that points to your Windows installation directory, usually C:\Windows.


Friday, February 18, 2005

 

Windows Beats Linux in Live Security Contest

Posted by Bharat Suneja at 2:05 PM
Interesting... I've long held Windows to be a more easily "securable" (provided you know how) OS.

This just came in - from WinInfo Daily Update (Paul Thurrott, creator of SuperSite for Windows, part of the Windows IT Pro mag network).
-----------------------------------------------------

Windows Beats Linux in Live Security Contest

During a live duel of sorts between backers of Windows 2003 and Red Hat Enterprise Linux during the RSA Conference 2005 this week in San Francisco, a surprising victor emerged.

Based on the previously agreed upon rules, Windows 2003 came out ahead, emerging as the more secure OS.

How could this happen, you ask? After agreeing to terms, backers of both OSs evaluated the security-oriented performance of Windows 2003 and Red Hat Enterprise Linux during the past year, looking at such key criteria as number of reported security vulnerabilities and the amount of time that elapsed between the public disclosure of a security flaw and the release of a fix. But doesn't the open-source model practically guarantee that fixes are released more quickly than they are with proprietary OSs? I guess not.

Results of the competition will be released next month, but here's the gist: Windows 2003 won every part of the competition. It had fewer flaws overall. The average time between Windows 2003 flaw reports and fixes was less than half that of Red Hat Enterprise Linux. Less than half.

Does this mean that Windows is more secure than Linux on the server? Not necessarily. But it certainly provides an interesting real-world example of why assumptions about Linux security are completely bogus, as I've often noted.


Monday, November 08, 2004

 

Track Hotfix/Patch Installation

Posted by Bharat Suneja at 6:20 PM
What's the best way to track when and which hotfixes/patches were applied? It's an endless debate amongst IT pros. Some would like to do it through dedicated patch management software. Some store this info in databases, even spreadsheets.

Here are a few handy ways to track this info - I've used a combination of these to track stuff.
i) On Dell servers installed using Dell's Server Assistant CD, there's an installsummary.htm file in the root (C:\). Every time I apply a bunch of hotfixes/patches, I simply open this HTML file and add the info at the very bottom of the list. If you do this from Windows Update, all you need to do is copy the list of hotfixes from the Windows Update web page (AFTER it finishes installing, but before you hit OK to reboot if a reboot's required). Just add a line break tag at the end of each line.
Additionally, I copy this HTML file to a web server every time I do this, adding the server name to the end of the filename.

ii) For all recent hotfix installations, just filter the System event log for Event ID: 4377, source: NtServicePack. This event lists the hotfix applied, date, time and the username.
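The event-log filter in (ii) can be run against several servers at once to build a single patch history. This is an added example, not part of the original post; it assumes Windows PowerShell (Get-EventLog is not available in PowerShell 7), the function name Get-HotfixInstallEvent is hypothetical, and SERVER01/SERVER02 and the output file name are placeholders.

```powershell
# Added example: collect hotfix installation events (System log, source
# NtServicePack, Event ID 4377) from several servers into one CSV.

function Get-HotfixInstallEvent {
    param([string[]]$ComputerName = $env:COMPUTERNAME)

    foreach ($computer in $ComputerName) {
        try {
            # Filter by source on the server side, then by Event ID locally.
            Get-EventLog -LogName System -Source NtServicePack `
                         -ComputerName $computer -ErrorAction Stop |
                Where-Object { $_.EventID -eq 4377 } |
                Select-Object @{ n = 'Server'; e = { $computer } },
                              TimeGenerated, UserName, Message
        }
        catch {
            # Unreachable server, access denied, or no matching events:
            # report it and carry on with the next server.
            Write-Warning "$computer : $($_.Exception.Message)"
        }
    }
}

# Placeholder server names; replace with your own.
Get-HotfixInstallEvent -ComputerName 'SERVER01', 'SERVER02' |
    Sort-Object Server, TimeGenerated |
    Export-Csv -Path .\hotfix-history.csv -NoTypeInformation
```

A server that produces only a warning deserves a second look, because an unreachable host and a host with no recorded hotfix events look the same in the CSV.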


Friday, June 11, 2004

Adminpak installed on XP Pro does not reveal the Dial-In tab on user's properties.

Here's how to make it show up:
Registry Entries - copy the following text in notepad and save as dialin.REG (don't forget to change file type drop-down to All):

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\RasDialin.UserAdminExt]
@=""

[HKEY_CLASSES_ROOT\RasDialin.UserAdminExt\CLSID]
@="{B52C1E50-1DD2-11D1-BC43-00C04FC31FD3}"

[HKEY_CLASSES_ROOT\RasDialin.UserAdminExt.1]
@=""

[HKEY_CLASSES_ROOT\RasDialin.UserAdminExt.1\CLSID]
@="{B52C1E50-1DD2-11D1-BC43-00C04FC31FD3}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\NodeTypes\{19195a5b-6da0-11d0-afd3-00c04fd930c9}\Extensions\NameSpace]
"{B52C1E50-1DD2-11D1-BC43-00C04FC31FD3}"="RAS Dialin - User Node Extension"

Then double-click the file, or at the command prompt type:
Regedit /s dialin.reg

Type the following commands - replace ServerName with a Windows Server 2003 domain controller:
cd /d %SystemRoot%\System32
copy \\ServerName\Admin$\System32\mprsnap.dll *.*
copy \\ServerName\Admin$\System32\rasuser.dll *.*
copy \\ServerName\Admin$\System32\rtrfiltr.dll *.*
regsvr32 rasuser.dll

Now open AD Users & Computers console and check a user's properties. The Dial-In tab should be there.

[From John Savill's FAQ in Windows & .NET mag.]


Wednesday, June 09, 2004

 

Calling Control Panel applets from shell

Posted by Bharat Suneja at 9:14 AM
A list of command line options for calling control panel apps. Particular pain points - adding/removing programs and Windows components takes too many mouse clicks, and so does getting into a network adapter's TCP/IP properties.

You can call the Add/Remove Programs wizard by typing appwiz.cpl, and to get into Add/Remove Programs | Windows Components - type: rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl,,2
