Category Archives: Windows

Customizing pinned shortcuts on the Taskbar for Windows Server 2008 R2

OK, this is one way. I am sure there are several others. Can anyone say convoluted…?

(This is mainly intended for use on Remote Desktop Servers.)

  1. Create a test user.
    My user is named Bob in this example.
  2. Log on as Bob and pin the shortcuts you want on the Taskbar, and remove the ones you do not want.
  3. Log off Bob and log on as an Administrator.
  4. Load the Default User registry hive:
    reg.exe load HKU\DefaultUser c:\Users\Default\NTUSER.DAT
  5. Load Bob’s registry hive:
    reg.exe load HKU\Bob c:\Users\Bob\NTUSER.DAT
    (Your path may be different.)
  6. Export the following key:
    HKEY_USERS\Bob\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband
    (reg.exe export HKEY_USERS\Bob\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband Taskbar.reg)
  7. Edit the Taskbar.reg file:
    1. Remove the FavoritesResolve value.
    2. Change the key path from Bob to DefaultUser (this is the name in the registry path where you mounted the Default User hive). This is so we can import the changes that Bob made to his Taskbar into the loaded Default User profile registry.
    3. Save and import the file.
      The changes should now be in the Default User registry.
  8. Unload Bob’s hive and the Default User hive:
    reg.exe unload HKU\Bob
    reg.exe unload HKU\DefaultUser
  9. Navigate to the following folder in Bob’s profile:
    <Bob's profile root>\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned
  10. Copy the entire contents of the folder into the same location in the Default User profile.
    (xcopy.exe "c:\Users\Bob\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\*.*" "c:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch")
  11. Run the following commands to remove the Everyone and BUILTIN\Users security principals from the Server Manager and PowerShell shortcuts. These are copied into the User Pinned folder for every new profile, and the only way to prevent this (that I have found) is to deny those principals access to them. The Administrator still retains access through the remaining permissions on the shortcut files.
    1. icacls.exe "%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell" /T /inheritance:d
    2. icacls.exe "%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell" /T /remove:g *S-1-1-0 *S-1-5-32-545
    3. icacls.exe "%ProgramData%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Server Manager.lnk" /inheritance:d
    4. icacls.exe "%ProgramData%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Server Manager.lnk" /remove:g *S-1-1-0 *S-1-5-32-545
      NOTE: These file system security settings can be propagated with Group Policy Security Policies. A template file doing just that is attached to this post.
  12. Log on as another regular user (not Bob) and verify that the pinned programs are available.
  13. Duplicate the Default User profile to other servers if necessary.
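The whole procedure above, automated as one PowerShell script. This is an added example, not the post's own code: it assumes an elevated prompt, that the template user (Bob) is logged off, that profiles live under C:\Users, and it copies the User Pinned tree into the same relative location in the Default profile.

```powershell
# Added example: automates steps 4-11 of the post. Run from an elevated prompt
# with the template user logged off. User name and profile root are assumptions.
param(
    [string]$TemplateUser = 'Bob',
    [string]$UsersRoot    = 'C:\Users'
)
$ErrorActionPreference = 'Stop'
$src      = Join-Path $UsersRoot $TemplateUser
$dst      = Join-Path $UsersRoot 'Default'
$regFile  = Join-Path $env:TEMP 'Taskbar.reg'
$taskband = 'Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband'

# Steps 4-5: mount both hives under HKEY_USERS.
reg.exe load "HKU\$TemplateUser" (Join-Path $src 'NTUSER.DAT') | Out-Null
reg.exe load 'HKU\DefaultUser'   (Join-Path $dst 'NTUSER.DAT') | Out-Null
try {
    # Step 6: export the template user's Taskband key.
    reg.exe export "HKEY_USERS\$TemplateUser\$taskband" $regFile /y | Out-Null

    # Step 7: drop FavoritesResolve (a hex value whose continuation lines end
    # in a backslash) and re-point the key path at the loaded Default hive.
    $skip  = $false
    $fixed = foreach ($line in Get-Content -LiteralPath $regFile) {
        if ($skip) { $skip = $line.EndsWith('\'); continue }
        if ($line -like '"FavoritesResolve"=*') { $skip = $line.EndsWith('\'); continue }
        $line -replace "^\[HKEY_USERS\\$TemplateUser\\", '[HKEY_USERS\DefaultUser\'
    }
    Set-Content -LiteralPath $regFile -Value $fixed -Encoding Unicode
    reg.exe import $regFile | Out-Null
}
finally {
    # Step 8: always unload, or both profiles stay locked.
    reg.exe unload "HKU\$TemplateUser" | Out-Null
    reg.exe unload 'HKU\DefaultUser'   | Out-Null
}

# Steps 9-10: copy the User Pinned tree (including its TaskBar subfolder) to
# the same relative location in the Default profile.
$pinned = 'AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned'
xcopy.exe (Join-Path $src $pinned) (Join-Path $dst $pinned) /E /I /Y | Out-Null

# Step 11: remove Everyone (S-1-1-0) and BUILTIN\Users (S-1-5-32-545) from the
# Server Manager and PowerShell shortcuts that get pinned for every new profile.
$menu = "$env:ProgramData\Microsoft\Windows\Start Menu\Programs"
foreach ($item in @("$menu\Accessories\Windows PowerShell",
                    "$menu\Administrative Tools\Server Manager.lnk")) {
    # /T recurses, which only makes sense for the PowerShell folder.
    $recurse = if (Test-Path -LiteralPath $item -PathType Container) { '/T' } else { $null }
    icacls.exe $item /inheritance:d $recurse | Out-Null
    icacls.exe $item /remove:g '*S-1-1-0' '*S-1-5-32-545' $recurse | Out-Null
}
```

Verify afterwards exactly as step 12 says: log on as a fresh user and check the Taskbar, and check with icacls.exe that Administrators still have access to the two shortcuts.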

References:

Security Policy Template File

Morgan

Automatic Updates Client command line parameters

The Automatic Updates Client Utility (wuauclt.exe) supports a few command line parameters. Some of them are documented, others not. Here are the ones I have found:

Parameter                  Explanation
/detectnow                 Run a detection cycle
/a /resetauthorization     Resets the WSUS cookie. (If used together with /detectnow, /resetauthorization must be entered before /detectnow.)
/r /ReportNow              Sends all queued reporting events to the server asynchronously.
/RunHandlerComServer
/RunStoreAsComServer
/ShowSettingsDialog        Display the Windows Update settings dialogue
/ResetEulas
/ShowWU                    Open the Windows Update Control Panel applet
/ShowWindowsUpdate         Open the Windows Update Control Panel applet
/SelfUpdateManaged
/SelfUpdateUnmanaged
/UpdateNow
/ShowWUAutoScan            Open the Windows Update Control Panel applet and scan for updates
/ShowFeaturedUpdates       Opens the Featured Updates list
/ShowOptions               Opens the Windows Update Settings window
/ShowFeaturedOptInDialog   Opens the opt-in dialogue for Featured Updates
/DemoUI                    Display the Windows Update notification in the tray

More info:

One thing to be aware of when it comes to wuauclt.exe is that it has no desire or need whatsoever to inform you whether any of the parameters you submitted actually worked, or were even valid! No matter what you supply as a parameter to wuauclt.exe you will get absolutely nothing back. So check your typing. You have been warned.

Getting volume data with PowerShell

It has always irritated me that I cannot export data from the disk management snap-in in Windows. Take this example from an Exchange server:


It would be very nice to be able to export this data to a CSV to create a quick storage report. Unfortunately you can’t. But with PowerShell you can!

This command will export the same data:

Get-WmiObject win32_volume | select Name,Label,@{Name="Capacity (GB)"; Expression={"{0:N2}" -f ($_.capacity/1GB)}},@{Name="Free Space (GB)"; Expression={"{0:N2}" -f ($_.freespace/1GB)}},@{Name="Used Space (GB)"; Expression={"{0:N2}" -f ( ($_.capacity/1GB) - ($_.freespace/1GB) ) }} | ft -AutoSize

The result:

Name        Label        Capacity (GB) Free Space (GB) Used Space (GB)
----        -----        ------------- --------------- ---------------
C:\                      72,50         18,17           54,33
E:\LogLUN1\ ExchangeLogs 1 249,87      1 245,32        4,55
E:\         Exchange     0,97          0,93            0,03
E:\DBLUN1\  DBLUN1       2 046,87      1 358,92        687,95
E:\DBLUN2\  DBLUN2       2 046,87      1 467,69        579,19
E:\DBLUN3\  DBLUN3       2 046,87      1 527,84        519,03
E:\DBLUN4\  DBLUN4       499,87        375,19          124,68

Of course, you can export this to CSV etc.
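The same Win32_Volume query wrapped in a function, as an added example that is not from the post. It keeps the sizes numeric instead of "{0:N2}" strings (so the CSV sorts and sums correctly in a spreadsheet), adds a Used (%) column, and accepts remote computer names; the computer names and output path are assumptions.

```powershell
# Added example (not from the post): numeric volume report, local or remote,
# exportable to CSV. Remote queries need WMI/DCOM access on the target.
function Get-VolumeReport {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))
    foreach ($computer in $ComputerName) {
        # DriveType 3 = local fixed disk; mount-point volumes such as E:\DBLUN1\ are included.
        Get-WmiObject -Class Win32_Volume -ComputerName $computer -Filter 'DriveType = 3' |
            Where-Object { $_.Capacity -gt 0 } |
            ForEach-Object {
                $capGB  = $_.Capacity  / 1GB
                $freeGB = $_.FreeSpace / 1GB
                New-Object PSObject -Property @{
                    Computer          = $computer
                    Name              = $_.Name
                    Label             = $_.Label
                    'Capacity (GB)'   = [math]::Round($capGB, 2)
                    'Free Space (GB)' = [math]::Round($freeGB, 2)
                    'Used Space (GB)' = [math]::Round($capGB - $freeGB, 2)
                    'Used (%)'        = [math]::Round(100 * ($capGB - $freeGB) / $capGB, 1)
                } | Select-Object Computer, Name, Label, 'Capacity (GB)',
                    'Free Space (GB)', 'Used Space (GB)', 'Used (%)'
            }
    }
}

# Console view like the post's, then a CSV using the current culture's list separator.
Get-VolumeReport | Format-Table -AutoSize
Get-VolumeReport -ComputerName 'EXCH01', 'EXCH02' |   # assumed server names
    Export-Csv -Path .\volumes.csv -NoTypeInformation -UseCulture
```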

Identifying unknown devices in Device Manager

Windows and Microsoft do a great job of providing drivers for hardware devices. A lot of drivers ship in the box with Windows and hundreds of thousands more are available online on the Windows Update site. Still, you quite often end up with one or two unknown devices in Device Manager. When Windows Update or the Windows DVD cannot help you, you have to turn to the manufacturer of the computer or device. If the machine is a specific model you will probably find the drivers on the drivers page for that model. But if it's a custom system, or one where hardware has been added or replaced, you will have no help.

I recently discovered a website that was incredibly useful in discovering who made a particular device and which device it is. The site is PCIDatabase.com:

PCIDatabase.com offers a very simple and very useful search engine. You can use either vendor or device search:

So just find your unknown device in Device Manager and look up its Hardware Ids. You find these on the Details tab of the device:

Highlight the value and press Control+C (right-clicking does not work here). Paste the value into Notepad or some other text editor and copy just the numbers following VEN_. Paste these numbers into PCIDatabase.com's Vendor Search box. You will see a result like this:

So now you know who made your device. Repeat the process but this time select the numbers following DEV_:

So now you have identified your device and can start looking for a driver. I recommend going directly to the source, that is, the manufacturer of the device. Drivers hosted by computer manufacturers are often hopelessly outdated. As you no doubt have noticed, it is sufficient to search for the device ID, because that will return the vendor ID as well.

PS: Sometimes the manufacturer of a particular device will not let you download drivers for it from their site. You are instead forwarded to the manufacturer of your machine. This is done because computer manufacturers sometimes modify the hardware device to work a particular way. Using a generic driver in these cases can be problematic. That said, I have yet to encounter a device that has been modified in such a way and have used generic drivers directly from the hardware manufacturers for all my devices.

Sometimes the device manufacturers even block you from installing their drivers for devices that have been used by the machine manufacturers. The most common examples of this are GPU manufacturers. Both nVidia and ATI (AMD) will check to see if your GPU is one that has been OEMed by a computer manufacturer and prevent the generic nVidia and ATI drivers from installing for such a device. That is quite annoying, especially since the drivers work perfectly with the GPUs. To work around this you can use a custom inf file or a driver modder. The site LaptopVideo2Go provides custom inf files for nVidia drivers; for ATI you can use the MobilityModder application. I am sure there are more sites and apps that do this, but these are the ones I have used.
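The Device Manager steps above, done from PowerShell instead: an added example, not from the post, that lists every device without a driver and extracts the VEN_ and DEV_ values to paste into PCIDatabase.com. It goes one step beyond the post by also recognising USB VID_/PID_ pairs (which PCIDatabase.com does not cover). The sample hardware ID in the comment is constructed.

```powershell
# Added example (not from the post): find unknown devices and pull out the IDs
# that the PCIDatabase.com vendor and device searches expect.
function ConvertFrom-HardwareId {
    # Parses a PnP hardware ID, e.g. the constructed PCI\VEN_1234&DEV_5678&SUBSYS_...&REV_01,
    # into bus type plus the two four-digit hex IDs. USB devices use VID_/PID_ instead.
    param([string]$HardwareId)
    $bus = ($HardwareId -split '\\')[0]
    if ($HardwareId -match 'VEN_([0-9A-F]{4}).*DEV_([0-9A-F]{4})') {
        $vendor, $device = $matches[1], $matches[2]
    } elseif ($HardwareId -match 'VID_([0-9A-F]{4}).*PID_([0-9A-F]{4})') {
        $vendor, $device = $matches[1], $matches[2]
    } else {
        $vendor = $device = $null
    }
    New-Object PSObject -Property @{ Bus = $bus; VendorId = $vendor; DeviceId = $device }
}

function Get-UnknownDevice {
    # ConfigManagerErrorCode 28 is "The drivers for this device are not installed",
    # which is what Device Manager shows as an unknown device.
    Get-WmiObject -Class Win32_PnPEntity -Filter 'ConfigManagerErrorCode = 28' | ForEach-Object {
        $firstId = @($_.HardwareID)[0]   # the most specific ID is listed first
        $ids = ConvertFrom-HardwareId $firstId
        New-Object PSObject -Property @{
            Name       = $_.Name
            HardwareId = $firstId
            Bus        = $ids.Bus
            VendorId   = $ids.VendorId   # paste into Vendor Search
            DeviceId   = $ids.DeviceId   # paste into Device Search
        }
    }
}

Get-UnknownDevice | Format-Table Name, Bus, VendorId, DeviceId, HardwareId -AutoSize
```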

Error 0x8024D007 when running Windows Update

A server I was working on refused to let me update it through Windows/Microsoft Update. It would tell me that the computer needed an update before I could update it (!). First it would download some files from the Microsoft Update site, copy them and, finally, try to register them. This last step reached 100 %, but always terminated with the error 0x8024D007.

Process Monitor revealed that regsvr32.exe was called several times and then failed with an Access Denied error on the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost. Looking at the permissions on that key I saw that the local Administrators group only had Read access. I changed it to Full Control and was able to restore Windows Update functionality.

In my search for a solution this particular scenario never showed up, so maybe this will help someone.

Know thy SELF…

Windows has a special security principal known as SELF (also Principal Self and NT AUTHORITY\SELF).

Here’s the definition of SELF from KB243330:

SID: S-1-5-10
Name: Principal Self
Description: A placeholder in an inheritable ACE on an account object or group object in Active Directory. When the ACE is inherited, the system replaces this SID with the SID for the security principal who holds the account.

And here’s one from KB296479:

SELF is not an actual SID, but a way to reference the objectSid for the object on which it is set, which will always be unique.
The hexadecimal value of the Self SID is: 0x01 0x01 0x00 0x00 0x00 0x00 0x00 0x05 0x0a 0x00 0x00 0x00

And from TechNet:

Principal Self

Attribute Value
Well-Known SID/RID S-1-5-10
Object Class Foreign Security Principal
Default Location in Active Directory cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain>
Description A placeholder in an ACE on a user, group, or computer object in Active Directory. When you grant permissions to Principal Self, you grant them to the security principal represented by the object. During an access check, the operating system replaces the SID for Principal Self with the SID for the security principal represented by the object.

So what does all this mean?

It means that if you want to grant a security principal permissions to itself, or more accurately, to the object representing itself, you can use SELF as a placeholder. Whenever the security subsystem encounters the SELF SID in an ACL it replaces it with the SID of the object that the ACL is set on.

Why use SELF?

Using the SELF principal can greatly simplify administration and cut down on ACL sizes. Let's say you have an OU in Active Directory where you want every user to be able to update their own telephone number. Instead of editing each user object and granting that user permissions to its own telephone number attribute, you would just give SELF that permission at the OU level, and each user object would inherit it. When a user wants to change his or her telephone number, the access check in Active Directory will encounter the SELF principal and replace it with the SID of the actual account.
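The OU scenario just described, implemented with the .NET DirectoryServices classes from PowerShell. This is an added example, not the post's code: the OU distinguished name is an assumption, and the schema GUIDs for the attribute and the user class are looked up from the schema at run time rather than typed in.

```powershell
# Added example (not from the post): one inheritable ACE on an OU that lets
# SELF (S-1-5-10) read and write telephoneNumber on every user object below it.
function Get-SchemaGuid {
    # Resolves an attribute or class lDAPDisplayName to its schemaIDGUID.
    param([string]$LdapDisplayName)
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $schema   = [ADSI]"LDAP://$($rootDse.schemaNamingContext)"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($schema)
    $searcher.Filter = "(lDAPDisplayName=$LdapDisplayName)"
    [void]$searcher.PropertiesToLoad.Add('schemaIDGUID')
    $result = $searcher.FindOne()
    if (-not $result) { throw "No schema object named '$LdapDisplayName'" }
    New-Object Guid -ArgumentList @(,[byte[]]$result.Properties['schemaidguid'][0])
}

function Grant-SelfAttributeWrite {
    param(
        [string]$OuDn,
        [string]$Attribute   = 'telephoneNumber',
        [string]$ObjectClass = 'user'
    )
    $ou   = [ADSI]"LDAP://$OuDn"
    $self = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList @(
        [System.Security.Principal.WellKnownSidType]::SelfSid, $null)
    # objectType limits the ACE to one attribute; inheritedObjectType limits it
    # to descendant objects of one class, so the OU itself grants nothing.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $self,
        [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
        [System.Security.AccessControl.AccessControlType]::Allow,
        (Get-SchemaGuid $Attribute),
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        (Get-SchemaGuid $ObjectClass)
    )
    $ou.ObjectSecurity.AddAccessRule($ace)
    $ou.CommitChanges()
}

Grant-SelfAttributeWrite -OuDn 'OU=Staff,DC=example,DC=com'   # assumed OU
```

Afterwards the OU's ACL shows a single ACE for SELF; on each user object the inherited copy is what the access check resolves to that user's own SID.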

Questions:

One thing I could not figure out while putting this together is what happens when you use SELF in an ACE on an object that is not a security principal, a file for instance. The file does not have a SID (because it is not a security principal) so there is nothing for SELF to point to. I thought that maybe SELF would point to the SID of the owner of the file, but that is the job of the CREATOR OWNER SID, not SELF. I guess that SELF, when used in such a scenario, does not do anything.

How to reset the Windows Recycle Bin

Sometimes the Recycle Bin of a partition/volume can become corrupted. When it does it prevents you from deleting files, or takes up space that cannot be reclaimed by emptying the Recycle Bin, or both. To reset the Recycle Bin for a particular volume or partition, start up a command prompt with Administrative privileges and delete the $RECYCLE.BIN folder from the partition/volume in question. Needless to say, you will lose everything in that folder. The next time you delete a file on that volume/partition, the Recycle Bin will be automatically regenerated.

Example command:

rd /s E:\$RECYCLE.BIN

Where E: is the volume or partition with the corrupt Recycle Bin.

Windows Virtual PC: Disable the Internal network DHCP server

The Internal network in Windows Virtual PC (WVP) has a built-in DHCP service that provides the clients connected to it with addresses in the 169.254.0.16 to 169.254.10.254 range. If you need to disable this DHCP service, this is how you do it:

  1. Shut down or hibernate all your running virtual machines
  2. Wait for vpc.exe to close, it usually does so by itself a few minutes after the last virtual machine has been closed. If you don’t want to wait you can kill it in Task Manager.
  3. Open the file %localappdata%\Microsoft\Windows Virtual PC\options.xml and find the Internal Network section.
  4. In the <dhcp> section, find the tag enabled and change its value from true to false:
  5. Save the file and restart your virtual machines.
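Steps 2 to 5 as a script, added here and not part of the original post. That the setting sits at //dhcp/enabled inside options.xml is an assumption taken from the description above; the script refuses to run while vpc.exe is up and keeps a backup of the file.

```powershell
# Added example (not from the post): disable the Internal network DHCP server
# by editing options.xml. The XPath //dhcp/enabled is an assumption.
$options = Join-Path $env:LOCALAPPDATA 'Microsoft\Windows Virtual PC\options.xml'
if (Get-Process -Name vpc -ErrorAction SilentlyContinue) {
    throw 'vpc.exe is still running; shut down or hibernate all VMs and wait for it to exit.'
}
# Keep a copy before touching the file.
Copy-Item -LiteralPath $options -Destination "${options}.bak" -Force

$doc = New-Object System.Xml.XmlDocument
$doc.Load($options)
# Picks the first <dhcp><enabled> in the file, which the post places in the Internal Network section.
$enabled = $doc.SelectSingleNode('//dhcp/enabled')
if (-not $enabled) { throw 'No <dhcp><enabled> element found in options.xml' }
Write-Host "Internal network DHCP was '$($enabled.InnerText)'; setting it to 'false'"
$enabled.InnerText = 'false'
$doc.Save($options)
```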

Exploring Task Scheduler

Introduction

The new Task Scheduler 2.0 included in Windows Vista and improved on in Windows 7 has the ability to send an email when a task is triggered. Also new is the ability to attach a task to an event from the Event system. You could, for instance, create a task that sends you an email if you receive an event specifying an imminent hard drive failure. For simplicity, in my test I attached a task to event 7036 in the System log, which is logged every time a service starts. The UI is actually very nice since you can create the task directly from the Event Viewer using the Attach Task To This Event action:

When you do this you can find that task in the Task Scheduler in the Event Viewer Tasks folder.

Notice also the nice History tab, which shows you the history of this particular task. As you can see I have an error in the Task category Action Failed. Let's look at that.

There is no human-readable explanation in the data telling us why the email wasn't sent, but there is an error value. In this case 2147746321 (0x80040211). I had no idea what that value actually meant, so I ran it through Microsoft's Err.exe application, which is able to resolve error values on Windows. The output of Err.exe looked like this:

C:\Users\morgan\Downloads\Err\Err>err 2147746321
# for decimal -2147220975 / hex 0x80040211 :
CDO_E_SMTP_SEND_FAILED                                        cdosyserr.h
IMAPI_E_DEVICE_NOPROPERTIES                                   imapierror.h
UPNP_E_TRANSPORT_ERROR                                        upnp.h
VFW_E_NOT_COMMITTED                                           vfwmsgs.h
# Cannot allocate a sample when the allocator is not
# active.%0
# for hex 0xffffffff / decimal -1 :
NO_TITLE                                                      ftsiface.h
USE_DEFAULT                                                   ftsiface.h
JET_wrnNyi                                                    esent98.h
# /* Function Not Yet Implemented */
LZERROR_BADINHANDLE                                           lzexpand.h
# /* invalid input handle */
MAPI_DIAG_NO_DIAGNOSTIC                                       mapidefs.h
MSIDBERROR_FUNCTIONERROR                                      msiquery.h
# function error
ERROR_UNHANDLED_ERROR                                         ntddchgr.h
# Unknown error condition
PDR_ERROR                                                     penwin.h
# parameter or unspecified error
ICERR_UNSUPPORTED                                             vfw.h
ERROR_UNHANDLED_ERROR                                         winioctl.h
# Unknown error condition
# 14 matches found for "2147746321"

As you can see, Err looks at all the header files that have that error value defined in them, so you are bound to get many false positives. Task Scheduler uses CDO to send mail, so in this case it is the entry from cdosyserr.h that tells us what the error is: CDO_E_SMTP_SEND_FAILED. OK, so CDO failed to send an email, but why? To find out I did a network trace using Wireshark while the task executed. The trace uncovered this error from the SMTP server: 550 5.7.1 Client does not have permissions to send as this sender. Since this is Windows talking to an Exchange 2010 server it will authenticate automatically, using the credentials of the account the task runs under in Task Scheduler. This particular task is set up to run as my account, SIMONSEN\Morgan. According to the security settings on the Exchange 2010 Receive connector I am not allowed to send using an email address I do not own, that is, one that is not specified as belonging to my account in Active Directory. As a result we get the SMTP error from Exchange. To remedy this I can temporarily permit my account to send as any sender:

Get-ReceiveConnector default* | Add-ADPermission -User SIMONSEN\morgan -ExtendedRights "ms-Exch-SMTP-Accept-Any-Sender"

And now I will get the message, so to speak:

The History tab in Task Scheduler now also indicates a success:

Task Scheduler successfully completed task "Event Viewer Tasks\System_Service Control Manager_7036" , instance "{3d755426-8e80-49aa-9bdf-3475b032c7dd}" , action "Task notification" with return code 0.

(Incidentally while setting this up I first specified my old SMTP server, which was no longer running the SMTP service. The error in the task history displayed another error in this situation 2147746323 (0x80040213). Translated with Err this is the error CDO_E_FAILED_TO_CONNECT.)

The 'A service started!' message in the email is not very helpful, so I started to look for ways to include data from the event in the message. After a (very) long time I was able to do that with the help of these resources:

The short story is that you have to create a task attached to an event, and then export it and manually change what data is retrieved from the event. For reference I have included the XML export from my test here. You have to edit this task to supply your own sender, recipient and SMTP server values.
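The manual edit described above, done by a script: it is an added example, not the post's XML export. It takes the task exported from the Task Scheduler UI, adds a ValueQueries block to the EventTrigger that pulls the service name and new state out of event 7036 (EventData param1 and param2), puts $(serviceName) and $(serviceState) into the e-mail, and re-registers the task with schtasks.exe. The task name and file names are assumptions.

```powershell
# Added example (not from the post): patch an exported event-triggered e-mail
# task so the message carries data from the event, then re-register it.
function Add-EventDataToEmailTask {
    param([string]$InputXml, [string]$OutputXml)
    $ns  = 'http://schemas.microsoft.com/windows/2004/02/mit/task'
    $doc = New-Object System.Xml.XmlDocument
    $doc.Load((Resolve-Path -LiteralPath $InputXml).Path)
    $nsm = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $nsm.AddNamespace('t', $ns)

    $trigger = $doc.SelectSingleNode('//t:Triggers/t:EventTrigger', $nsm)
    if (-not $trigger) { throw 'Task has no EventTrigger; attach it to the event first.' }
    # Each Value is an XPath run against the event XML; Task Scheduler exposes the
    # result to the action as $(name). ValueQueries must follow Subscription.
    $queries = $doc.CreateElement('ValueQueries', $ns)
    foreach ($q in @{ serviceName = 'param1'; serviceState = 'param2' }.GetEnumerator()) {
        $value = $doc.CreateElement('Value', $ns)
        $value.SetAttribute('name', $q.Key)
        $value.InnerText = "Event/EventData/Data[@Name='$($q.Value)']"
        [void]$queries.AppendChild($value)
    }
    [void]$trigger.AppendChild($queries)

    $mail = $doc.SelectSingleNode('//t:Actions/t:SendEmail', $nsm)
    if (-not $mail) { throw 'Task has no SendEmail action.' }
    # Single quotes on purpose: $(...) must reach Task Scheduler, not PowerShell.
    foreach ($field in @{ Subject = 'Service $(serviceName) is $(serviceState)'
                          Body    = '$(serviceName) entered the $(serviceState) state (event 7036).' }.GetEnumerator()) {
        $node = $mail.SelectSingleNode("t:$($field.Key)", $nsm)
        if ($node) { $node.InnerText = $field.Value }
    }
    $doc.Save($ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($OutputXml))
}

# Export the wizard-created task from the Task Scheduler UI to Service_7036.xml first.
Add-EventDataToEmailTask -InputXml .\Service_7036.xml -OutputXml .\Service_7036_fixed.xml
schtasks.exe /Create /TN 'Event Viewer Tasks\Service_7036' /XML .\Service_7036_fixed.xml /F
```

Sender, recipient and SMTP server stay whatever the exported task already contains; the same ValueQueries technique works for any event once you know the Data names in its EventData.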

What happened to at.exe?


From Windows help:
The at.exe executable schedules commands and programs to run on a computer at a specified time and date similar to Task Scheduler. Task Scheduler and the schtasks.exe executable replace at.exe. All tasks created using the at.exe executable must run under the same account. By default this account is the local system account, but you can change this by configuring the AT service account information.
