January 2010 Archives

How To: Unblock Executables On Vista

Executable files downloaded to your Vista system may trigger a security warning ("The publisher could not be verified. Are you sure you want to run this software?"). To prevent that dialog from appearing (if you are sure the file is safe), follow these steps:

1. Open Explorer, locate the file, right-click it and select 'Properties'.

2. Switch to the 'General' tab.

3. Click the 'Unblock' button and confirm by clicking 'OK'.

To disable this feature for all files, use Group Policy. Navigate to
User Configuration - Administrative Templates - Windows Components - Attachment Manager
and enable the policy named "Do not preserve zone information in file attachments".
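The block that Explorer's 'Unblock' button clears is the Zone.Identifier alternate data stream; the following added example (not part of the original post) lists which files under a folder carry that mark and which zone they came from, and unblocks only the zones you choose instead of the whole folder. It assumes PowerShell 3.0 or later (Get-Item -Stream, Unblock-File) and an NTFS volume; the function names are my own.

```powershell
# Added example: inspect Zone.Identifier streams and unblock selectively.
function Get-ZoneMarkedFiles {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Include = @('*.exe', '*.msi', '*.dll', '*.ps1', '*.bat', '*.cmd')
    )
    Get-ChildItem -Path $Path -Recurse -File -Include $Include | ForEach-Object {
        $file = $_
        # Get-Item -Stream errors when the stream is absent; treat that as "not marked"
        $stream = Get-Item -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        if ($stream) {
            # Stream content is INI-like: [ZoneTransfer] / ZoneId=3 / (newer systems add ReferrerUrl, HostUrl)
            $text    = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -Raw
            $zoneId  = if ($text -match '(?m)^ZoneId=(\d+)') { [int]$Matches[1] } else { $null }
            $hostUrl = if ($text -match '(?m)^HostUrl=(.+)$') { $Matches[1].Trim() } else { '' }
            [pscustomobject]@{
                FullName = $file.FullName
                ZoneId   = $zoneId      # 0 Local, 1 Intranet, 2 Trusted, 3 Internet, 4 Restricted
                HostUrl  = $hostUrl
            }
        }
    }
}

# Unblock only files marked with a trusted zone (Intranet = 1, Trusted = 2 by default),
# leaving Internet (3) and Restricted (4) downloads blocked for manual review.
function Unblock-TrustedZoneFiles {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int[]]$TrustedZones = @(1, 2),
        [switch]$WhatIf
    )
    Get-ZoneMarkedFiles -Path $Path | ForEach-Object {
        if ($_.ZoneId -in $TrustedZones) {
            Unblock-File -LiteralPath $_.FullName -WhatIf:$WhatIf
            $_      # return the record so the caller sees what was unblocked
        }
    }
}

# Usage (dry run first):
# Get-ZoneMarkedFiles -Path "$env:USERPROFILE\Downloads" | Format-Table -AutoSize
# Unblock-TrustedZoneFiles -Path "$env:USERPROFILE\Downloads" -WhatIf
```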

How To: Troubleshoot Group Policy

Here's a quick guide on how to troubleshoot GPO-related problems.

1. Open Event Viewer and look at Administrative Events under Custom Views. Look for Group Policy events there and read their details.

2. While in Event Viewer, look under
Applications and Services Logs\Microsoft\Windows\Group Policy\Operational
filter the records by event ID, look for patterns in the events, and read the details.

3. While viewing the operational log mentioned above, study the policy processing sequence to find the failure points and the corresponding error codes. Use that to determine at which step, and in which policy record, the processing malfunctions. Use that information to block processing of the faulty policy until everything works as expected.
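The Operational log step above can be scripted: every event of one policy-processing cycle shares the same ActivityId, so grouping errors and warnings by that id reconstructs the sequence and surfaces the error code of each failed cycle. This is an added example, not code from the original post; it assumes Vista/Server 2008 or later with PowerShell 3.0+, run from an elevated prompt, and the function name is my own.

```powershell
# Added example: summarise failed Group Policy processing cycles from the Operational log.
function Get-GroupPolicyFailures {
    param(
        [int]$Hours = 24,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
        Level     = 2, 3                          # 2 = Error, 3 = Warning
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) { return }                  # nothing failed in the window

    # One processing cycle == one ActivityId; order each cycle by time to see where it broke
    $events | Group-Object -Property ActivityId | ForEach-Object {
        $cycle = @($_.Group | Sort-Object TimeCreated)
        # The numeric error code travels in the event payload as <Data Name="ErrorCode">
        $errorCode = $cycle | ForEach-Object {
            ([xml]$_.ToXml()).Event.EventData.Data |
                Where-Object { $_.Name -eq 'ErrorCode' } |
                Select-Object -First 1 -ExpandProperty '#text'
        } | Where-Object { $_ } | Select-Object -First 1
        [pscustomobject]@{
            ActivityId  = $_.Name
            Started     = $cycle[0].TimeCreated
            EventIds    = ($cycle | Select-Object -ExpandProperty Id -Unique) -join ','
            ErrorCode   = $errorCode
            LastMessage = ($cycle[-1].Message -split "`n")[0]   # first line of the final event text
        }
    } | Sort-Object Started
}

# Usage: Get-GroupPolicyFailures -Hours 48 | Format-List
# Then filter the Operational log by that ActivityId to read the full sequence of the failed cycle.
```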

How To: Perform Complete PC Backup In Vista From Command Line

Every now and then, when a significant amount of changes has been made to your Windows Vista computer, making a backup is a good idea. Not only will that save you the time required to install and tune all the software you need, it will also save whatever important data you keep.

The method described backs up the entire system volume as a .vhd (Virtual Hard Drive) file. To do that, you need a second HDD to store the data.

To perform that from the command line, run cmd.exe as an administrator and type

wbadmin start backup -backupTarget:X: -include:C: -quiet

X: is the drive letter of your backup volume.

You can also run such a command via Task Scheduler. Don't forget to run the task as an administrator.

Note: when you run the command for the first time, it creates the .vhd file mentioned above. All subsequent backups update this file.

How To: Create GPO Affecting Given Windows Version Only

If there is a mix of Windows types and versions on the intranet, they can all be within the same organizational unit (OU). The problem then is: how do you make a GPO effective only for computers running a specific version or type of the operating system?

The answer is "WMI filtering". To add a filtering rule, open the Group Policy Management Console, right-click the WMI Filters node, select New, and add the following WMI query string:

Select * from Win32_OperatingSystem where Caption like "%string%"

where '%string%' is, for example, '%Vista%' if you want the GPO to apply only to Windows Vista.

After the WMI filter has been added, select any GPO and use the WMI Filtering control at the bottom of its Scope tab to apply the filter to that GPO.
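A WMI filter applies only where its query returns at least one instance, so it pays to run the query on a representative machine before linking it. The added example below (mine, not from the original post) does that and also builds a filter on Win32_OperatingSystem.Version and ProductType, which targets one OS version and role without depending on the localized Caption string; it assumes PowerShell 3.0+ with the CIM cmdlets (use Get-WmiObject on older hosts), and the function names are my own.

```powershell
# Added example: test a WMI filter query and build a version/role based one.
function Test-WmiFilterQuery {
    param(
        [Parameter(Mandatory)][string]$Query,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # Same semantics as the GPO filter: "matches" means the query returned something
    $result = Get-CimInstance -ComputerName $ComputerName -Query $Query -ErrorAction Stop
    [bool]$result
}

# Win32_OperatingSystem.Version prefixes: 5.1 = XP, 5.2 = Server 2003, 6.0 = Vista / Server 2008,
# 6.1 = Windows 7 / Server 2008 R2.  ProductType: 1 = workstation, 2 = domain controller, 3 = server.
function New-OsVersionFilterQuery {
    param(
        [Parameter(Mandatory)][string]$VersionPrefix,      # e.g. '6.0'
        [ValidateSet('Workstation', 'DomainController', 'Server', 'Any')][string]$Role = 'Any'
    )
    $q = "SELECT * FROM Win32_OperatingSystem WHERE Version LIKE '$VersionPrefix.%'"
    switch ($Role) {
        'Workstation'      { $q += ' AND ProductType = 1' }
        'DomainController' { $q += ' AND ProductType = 2' }
        'Server'           { $q += ' AND ProductType = 3' }
    }
    $q
}

# The query from the post, and a "Vista workstations only" equivalent that also excludes
# Server 2008 (same 6.0 version, different ProductType).
$captionQuery = 'Select * from Win32_OperatingSystem where Caption like "%Vista%"'
$versionQuery = New-OsVersionFilterQuery -VersionPrefix '6.0' -Role Workstation

"Caption filter matches this host: $(Test-WmiFilterQuery -Query $captionQuery)"
"Version filter matches this host: $(Test-WmiFilterQuery -Query $versionQuery)"
```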

How To: Secure USB Ports

USB ports on desktop computers can pose significant security risks, for two reasons: sensitive data may be copied onto USB-connected removable media, and software can be run from the removable media, exposing both the computer it is plugged into and the whole intranet to a number of possible threats.

To handle this in Windows XP, a registry tweak can be used to make all plugged-in USB storage devices read-only.

To achieve that, open the registry editor and navigate to
HKLM\System\CurrentControlSet\Control
create a new key named StorageDevicePolicies, and within it
add a REG_DWORD value named WriteProtect with a value of 1.

The change can be distributed via a logon script; you can also use Group Policy to do that.
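For deployment by script, the tweak is better applied with a verification step than as a blind registry write; the added example below (not from the original post) sets the value and then reads it back. It assumes PowerShell 2.0+ running with administrative rights, because HKLM cannot be written from a standard user's logon script; the function names are my own.

```powershell
# Added example: apply and verify the StorageDevicePolicies\WriteProtect setting.
$policyKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

function Set-UsbStorageWriteProtect {
    param([bool]$Enabled = $true)
    if (-not (Test-Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null     # the key does not exist by default
    }
    # REG_DWORD WriteProtect = 1 makes removable storage read-only; 0 restores writes
    New-ItemProperty -Path $policyKey -Name WriteProtect -PropertyType DWord `
                     -Value ([int]$Enabled) -Force | Out-Null
}

function Test-UsbStorageWriteProtect {
    # $true only when the key exists and WriteProtect is exactly 1
    $item = Get-ItemProperty -Path $policyKey -Name WriteProtect -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.WriteProtect -eq 1)
}

Set-UsbStorageWriteProtect -Enabled $true
if (Test-UsbStorageWriteProtect) {
    Write-Output 'USB storage write protection is set; re-insert already connected devices for it to apply.'
} else {
    Write-Error 'WriteProtect was not applied; check that the script ran with administrative rights.'
}
```

Because of the HKLM requirement, a computer startup script (Computer Configuration, runs as SYSTEM) is the reliable way to push this through Group Policy.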

How To: Delay Startup Services

It can be necessary to delay the start of a particular service so that other processes, such as protocol initialization, run first. This is especially useful with out-of-date or otherwise slow peripheral hardware. For example, DNS or another network service should only be started after its network adapter(s) have been initialized.

To handle that, a service dependency can be used.

To create a new dependency, start regedit or another registry editor and navigate to
HKLM\System\CurrentControlSet\Services

Select the subkey of the service you wish to create the dependency for and create a new value:
Name: DependOnService
Type: REG_MULTI_SZ

When prompted for the value, enter the name(s) of the service(s) that must start before this service, one per line. Each name must be exactly as it appears under the Services key.
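A wrong name in DependOnService (a display name, a typo, or a dependency on a service that in turn depends on this one) leaves the service unable to start at all, which a hand edit in regedit does not catch. The added example below (my code, not from the original post) appends a dependency only after checking that both key names exist and that the new edge does not close a cycle; it assumes PowerShell 2.0+ with administrative rights, and the function names and the DNS/Dhcp service names in the usage line are assumptions.

```powershell
# Added example: add a DependOnService entry with existence and cycle checks.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-ServiceDependencies {
    param([Parameter(Mandatory)][string]$Name)
    $p = Get-ItemProperty -Path (Join-Path $servicesKey $Name) -Name DependOnService -ErrorAction SilentlyContinue
    if ($p) { @($p.DependOnService | Where-Object { $_ }) } else { @() }
}

# Depth-first walk over DependOnService edges: is $Target reachable from $Start?
function Test-DependsOn {
    param([string]$Start, [string]$Target, [hashtable]$Seen = @{})
    foreach ($dep in Get-ServiceDependencies -Name $Start) {
        if ($dep -ieq $Target) { return $true }
        if (-not $Seen.ContainsKey($dep)) {
            $Seen[$dep] = $true
            if (Test-DependsOn -Start $dep -Target $Target -Seen $Seen) { return $true }
        }
    }
    return $false
}

function Add-ServiceDependency {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$DependsOn)
    foreach ($svc in $Name, $DependsOn) {
        if (-not (Test-Path (Join-Path $servicesKey $svc))) {
            throw "No service key named '$svc' under $servicesKey (use the key name, not the display name)"
        }
    }
    if ($Name -ieq $DependsOn -or (Test-DependsOn -Start $DependsOn -Target $Name)) {
        throw "Making '$Name' depend on '$DependsOn' would create a circular dependency"
    }
    $current = Get-ServiceDependencies -Name $Name
    if ($current -icontains $DependsOn) { return $current }     # already present, nothing to do
    $updated = [string[]]($current + $DependsOn)
    # REG_MULTI_SZ, one service name per element; read by the SCM at the next start of $Name
    Set-ItemProperty -Path (Join-Path $servicesKey $Name) -Name DependOnService -Value $updated -Type MultiString
    $updated
}

# Usage (assumed names): make the DNS Server service wait for the DHCP Client service.
# Add-ServiceDependency -Name 'DNS' -DependsOn 'Dhcp'
```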

How To: Disable Run-As Command

It may be necessary, for security reasons, to disable the 'Run As' command. For a standalone computer running XP in a workgroup environment, the following registry 'hack' will do the trick. Open (or create) this key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

and create a new DWORD named HideRunAsVerb with a value of 1.

In a domain environment, you can use the Software Restriction Policies feature of Group Policy. Open the appropriate GPO in the Group Policy Object Editor and find the following node in the console tree:

Computer Configuration/Windows Settings/Security Settings/Software Restriction Policies

Right-click it and select New Software Restriction Policies. Then right-click Additional Rules and select New Path Rule. Specify the path to runas.exe and make sure the security level is set to 'Disallowed'.

To apply this restriction to specific users only, use a GPO linked to the OU where the user accounts reside and configure Software Restriction Policies under User Configuration instead of Computer Configuration, i.e.:

User Configuration/Windows Settings/Security Settings/Software Restriction Policies

How To: Find Locked Out User Accounts

It may be necessary to quickly find all locked-out user accounts. The Saved Queries feature available in Windows Server 2003 and later is the most convenient tool for that.

In the Active Directory Users and Computers console, right-click Saved Queries and select New > Query. You will need to specify the query root (where in the namespace to start searching). Use a custom search, since none of the standard queries fulfill this task. On the Advanced tab, enter the following query string:

(&(&(&(objectCategory=person)(objectClass=user)(lockoutTime:1.2.840.113556.1.4.804:=4294967295))))

Click OK twice to create and run the saved query. Note that the mentioned query requires at least Windows Server 2003 SP1.

There's an alternative query that tries to achieve the same:
 
(&(objectCategory=Person)(objectClass=User)(lockoutTime>=1))
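Both queries match on lockoutTime being non-zero, and Active Directory does not clear that attribute when the lockout duration expires, so they also return accounts that have already unlocked themselves. The added example below (not from the original post) runs the first query through DirectorySearcher and keeps only accounts whose lockout is still in force by comparing lockoutTime with the domain's lockoutDuration; it assumes a domain-joined host with PowerShell 3.0+ (no AD module needed), and the function name is my own.

```powershell
# Added example: locked-out users whose lockout has not yet expired.
function Get-CurrentlyLockedOutUsers {
    param([string]$SearchRoot)   # e.g. 'LDAP://OU=Staff,DC=example,DC=local'; default is the whole domain

    $rootDse  = New-Object System.DirectoryServices.DirectoryEntry('LDAP://RootDSE')
    $domainDn = $rootDse.Properties['defaultNamingContext'][0]
    $domain   = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$domainDn")

    # lockoutDuration on the domain head is a negative Int64 in 100-ns ticks (-18000000000 = 30 min);
    # Int64.MinValue means "locked until an administrator unlocks the account"
    $ds = New-Object System.DirectoryServices.DirectorySearcher($domain, '(objectClass=domain)', @('lockoutDuration'))
    $ds.SearchScope = 'Base'
    $durationTicks = [int64]$ds.FindOne().Properties['lockoutduration'][0]

    $root   = if ($SearchRoot) { New-Object System.DirectoryServices.DirectoryEntry($SearchRoot) } else { $domain }
    $filter = '(&(objectCategory=person)(objectClass=user)(lockoutTime:1.2.840.113556.1.4.804:=4294967295))'
    $ds = New-Object System.DirectoryServices.DirectorySearcher($root, $filter, @('sAMAccountName', 'lockoutTime'))
    $ds.PageSize = 1000          # page the results; otherwise the DC stops at 1000 entries

    $now = (Get-Date).ToUniversalTime()
    foreach ($r in $ds.FindAll()) {
        $lockedAt  = [DateTime]::FromFileTimeUtc([int64]$r.Properties['lockouttime'][0])
        $unlocksAt = if ($durationTicks -eq [int64]::MinValue) { [DateTime]::MaxValue }
                     else { $lockedAt.AddTicks(-$durationTicks) }
        if ($unlocksAt -gt $now) {
            [pscustomobject]@{
                SamAccountName = $r.Properties['samaccountname'][0]
                LockedAtUtc    = $lockedAt
                UnlocksAtUtc   = $unlocksAt
            }
        }
    }
}

# Usage: Get-CurrentlyLockedOutUsers | Sort-Object LockedAtUtc | Format-Table -AutoSize
```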

How To: Find Groups User Belongs To

When permissions do not work as expected, it may be necessary to check which groups a user belongs to. Groups are usually used to simplify permission control, so, especially in large environments, it can be necessary to have a list of all the groups a user belongs to.

There's no obvious means to do that. Browsing the members of a chosen group can be quite tedious if there are many members in it, and more so if there are many groups. What's worse, if your domain runs at the Windows 2003 domain or forest functional level, groups can be nested, complicating the task even more.

However, there's a simple way: log in as the user, open a command prompt and type
whoami /groups
That reports all the groups the current user belongs to, including special ones like Everyone.

There's a pitfall, though: if the user belongs to a distribution group, the output of the above command may be incomplete, since whoami doesn't display groups nested within distribution groups. Thus the practical advice is: do not nest distribution groups within security groups, since that complicates access rights troubleshooting.

How To: Enhance File Server Performance

The feature known as Shadow Copies allows users to recover previous versions of the files they are working on (much like common version control systems). Although it can prevent severe problems resulting from accidental data loss, the service can also cause severe performance degradation on a Windows server configured as a file server.

The reason: when Shadow Copies are in effect, every file is effectively written twice. On a heavily loaded file server, this can quickly result in poor performance.

To avoid the problem, specify a different partition (spindle) to keep the Shadow Copies storage on. This is configured in the volume properties: look for the Shadow Copies tab and specify a separate spindle under Settings.

Roaming Profiles Caveats

Roaming profiles should only be used when a user does indeed log in and work at several workstations. They tend to be more of a problem than a solution; there are a few suggestions, however, that can make roaming profile management much easier:

1. Do not set disk quotas too strictly for users with roaming profiles. Profiles tend to grow, and the user can easily lose important information. Forcing users to clean up their profiles is also a good practice; otherwise your domain controller will end up transferring a lot of files not required for regular work.

2. Encrypting File System (EFS) is incompatible with roaming profiles. Do not store them on such a file system.

3. Make sure each user has full control only over their own roaming profile. You can also use the trick of adding a dollar sign to the share name to hide the share from users browsing the network neighborhood.

4. Make sure the profiles are stored on an NTFS file system. All its extended features are important to make roaming profiles work smoothly.

5. Offline Files caching should not be applied to roaming profile shares. Synchronization will most probably fail, leading to unpredictable results.

How To: Enable Remote Desktop Remotely

When Remote Desktop is enabled, it's possible to use many of the capabilities the console provides, as if you were sitting at the real console. However, when it is disabled, the situation looks hopeless.

In order to enable Remote Desktop, one would normally need a desktop session already open.

However, WMI (Windows Management Instrumentation) allows you to solve that, provided the computer you need Remote Desktop enabled on is reachable on the intranet.

At the command prompt of another Windows computer, type

wmic /node:"computername" rdtoggle WHERE ServerName="computername" CALL SetAllowTSConnections 1

(wmic is the WMI command-line utility). Replace "computername", in both places, with the host name of the computer (as seen in the network neighborhood).

How To: Use Remote Desktop Client From Command Line

The standard Microsoft remote desktop client is located at
%systemroot%\system32\mstsc.exe

If run without command-line parameters, it opens the Remote Desktop Connection dialog. However, there are several ways to fine-tune the remote desktop client's operation using the appropriate command-line parameters.

The command-line syntax is:
mstsc.exe (ConnectionFile | /v:ServerName[:Port]) [/console] [/f] [/w:width /h:height]

/v - specifies the remote computer and, optionally, the port you wish to connect to
/console - connects to the console session of a Windows Server 2003-based system
/f - starts the remote desktop connection in full-screen mode
/w and /h - specify the width and height of the remote desktop window

These can be very convenient if, for example, the service runs on a non-standard port and/or you need a different size for the desktop window.

The client can be configured, via Group Policy, to run at startup. This is useful when the computer needs to connect to the remote server to be able to do anything.

How To: Find Unused User Accounts

In many domain-controlled environments, especially in large companies, "dormant" (unused) user accounts may start to appear. Such accounts' activity should be well monitored, but first they need to be found.

The simplest way is to use the standard dsquery command-line utility to filter users by given criteria. For example, the command

dsquery user -inactive NumberOfWeeks

where NumberOfWeeks is an integer, lists all users that haven't logged in for the specified number of weeks.

Note that the above assumes a Windows Server 2003-level environment. If yours still has Windows 2000 computers in it, or runs at a mixed-mode functional level, try this command instead:

dsquery user -stalepwd NumberOfDays

Hidden Partition May Make Setup Fail

Windows can only support four primary partitions per disk drive, and there are cases when this limit makes Windows setup fail. An example: when attempting to set up Windows Server 2003 on a computer whose hard drive already has four primary partitions containing data, setup fails with a message like "Setup cannot create a new partition".

That looks logical, but there are cases when a computer with only three primary partitions returns exactly the same error: setup can't create another partition, which may seem strange.

However, if you examine the disk, a hidden partition may be found. It is common practice to create, say, a hidden partition containing the OS distribution files in order to re-install the OS from scratch quickly. A number of OEMs use this practice.

Thus, before trying to install a Windows product in a multi-boot configuration, make sure there's at least one unused primary partition record.

How To: Detect Hung Services

Certain Windows services may misbehave and hang (stop responding). It can be quite tricky to determine the actual service state.

A Windows service may be in one of four states:
SERVICE_STOPPED
SERVICE_START_PENDING
SERVICE_RUNNING
SERVICE_STOP_PENDING

When a service is stopped, both the services.msc control panel applet and the net.exe command report it as stopped. When it's running, both report it as running. However, when a service is in a pending state, it is also reported as running.

The solution is to use sc.exe from the Resource Kit and its query syntax to determine the actual service state, i.e.

sc.exe query servicename

It returns the true service state. sc.exe can also be used to control, create, modify or delete services, thus providing the complete service management interface from the command line.

How To: Display Windows Service Not Running

The standard utilities provided with Windows aren't capable of sorting out services by state. Fortunately, the sc.exe utility from the Resource Kit can help. Use its 'query' syntax to find services; e.g., to find all services that are not running at the moment, type

sc query type= service state= inactive

Note: the spaces after equal signs are mandatory.

If you only need to determine the state of a given service, type

sc query servicename

How To: Determine Why A Service Won't Start

The sc.exe utility from the Resource Kit can be used to determine whether a given service actually started when the computer booted. Just type

sc query servicename

to determine the state of the service named 'servicename'. Look for the WIN32_EXIT_CODE field in the output. If it's zero, the service started successfully; otherwise the value is non-zero, and the actual value (error code) is service-specific.

To find out what a particular error code means, use the 'net helpmsg' command to retrieve its text description. E.g., if a service returned error code 413 (decimal), use the command

net helpmsg 413

That will in most cases be enough to narrow the search for the origin of the problem.
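The three sc.exe posts above (detecting hung services, listing services that are not running, and reading WIN32_EXIT_CODE) can be combined into one pass: the added example below (not from the original posts) parses "sc.exe query" output into objects, flags every service in a pending state or stopped with an error, and resolves the code through "net helpmsg" as described. It assumes PowerShell 3.0+ with the in-box sc.exe and net.exe; the function names are my own.

```powershell
# Added example: parse sc.exe query output and report pending or failed services.
function Get-ScServiceState {
    param([string]$Name)   # omit to query every service

    $scArgs = if ($Name) { @('query', $Name) } else { @('query', 'type=', 'service', 'state=', 'all') }
    $lines = & sc.exe @scArgs
    if ($LASTEXITCODE -ne 0) { throw "sc.exe failed ($LASTEXITCODE): $($lines -join ' ')" }

    # Output is a series of blocks: SERVICE_NAME: x / STATE : 4 RUNNING / WIN32_EXIT_CODE : 0 (0x0) / ...
    $current = $null
    foreach ($line in $lines) {
        if ($line -match '^\s*SERVICE_NAME:\s*(\S.*)$') {
            if ($current) { $current }                        # emit the previous block
            $current = [pscustomobject]@{ Name = $Matches[1].Trim(); State = ''; Win32ExitCode = 0; ServiceExitCode = 0 }
        } elseif ($current -and $line -match '^\s*STATE\s*:\s*\d+\s+(\S+)') {
            $current.State = $Matches[1]                      # RUNNING, STOPPED, START_PENDING, STOP_PENDING, ...
        } elseif ($current -and $line -match '^\s*WIN32_EXIT_CODE\s*:\s*(\d+)') {
            $current.Win32ExitCode = [int]$Matches[1]
        } elseif ($current -and $line -match '^\s*SERVICE_EXIT_CODE\s*:\s*(\d+)') {
            $current.ServiceExitCode = [int]$Matches[1]
        }
    }
    if ($current) { $current }
}

function Get-Win32ErrorText {
    param([Parameter(Mandatory)][int]$Code)
    if ($Code -eq 0) { return 'The operation completed successfully.' }
    ((& net.exe helpmsg $Code) | Where-Object { $_ }) -join ' '   # drop the blank lines net.exe prints
}

# Services that are neither running nor cleanly stopped
Get-ScServiceState |
    Where-Object { $_.State -like '*_PENDING' -or $_.Win32ExitCode -ne 0 } |
    ForEach-Object {
        # WIN32_EXIT_CODE 1066 means "service-specific error": the real code is SERVICE_EXIT_CODE
        $reason = if ($_.Win32ExitCode -eq 1066) { "service-specific error $($_.ServiceExitCode)" }
                  else { Get-Win32ErrorText -Code $_.Win32ExitCode }
        '{0,-30} {1,-15} {2}' -f $_.Name, $_.State, $reason
    }
```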

How To: Disable Services Using Recovery Console

After a server upgrade there may be problems related to misbehaving services. In certain situations it's impossible to boot into Safe Mode, either. To handle such a case, use the Recovery Console.

The situation mentioned above can be caused by an out-of-date driver or by service misconfiguration. The latter case can be handled this way:

Type
listsvc
to display the list of all services and drivers on your computer. Find the name of the service you wish to disable.

Now type
disable servicename
to modify the startup type of the service to 'Disabled'.

After that, reboot the computer to see whether the problem was related to the service you disabled.

How To: Enable Services Using Recovery Console

There are cases when the server won't boot because a critical service does not start; there can be several reasons, one of them being that another service, which the given one depends upon, isn't started automatically.

If booting into Safe Mode doesn't help, try using the Recovery Console. Boot into the Console from your product's removable media and use the

enable servicename starttype

command to enable automatic startup of the service in question. The starttype is one of
SERVICE_BOOT_START
SERVICE_SYSTEM_START
SERVICE_AUTO_START
SERVICE_DEMAND_START

(self-explanatory). Consult the Troubleshooting Guide, Appendix A (Windows Server 2003 Resource Kit) to learn what the startup type should be for any given service.

The List Of Processes You Should Not Try To Terminate

Task Manager allows you to view the list of currently running processes; it can be used to change the priority of a process and/or terminate it. However, certain processes are vital for normal Windows operation, and terminating them will result in an unstable or hung operating system, possibly leading to the loss of valuable data.

Here's the list of processes that should never be terminated:
alg
csrss
dfssvc
explorer
lsass
msdtc
services
smss
spoolsv
svchost
system
System Idle
taskmgr
winlogon
wmiprvse

Some of them cannot, in fact, be terminated via Task Manager, but the operation should not be attempted in any case.

About this Archive

This page is an archive of entries from January 2010 listed from newest to oldest.