Category Archives: Windows

How to remove orphaned hardware devices

  1. Open a command prompt
    If you are on an OS with User Account Control enabled, you need to run the command prompt as an Administrator.
  2. Type the following:
    set DEVMGR_SHOW_NONPRESENT_DEVICES=1
  3. In the same command prompt window, type:
    devmgmt.msc
  4. Device Manager opens.
  5. Select View, Show Hidden Devices
  6. Expand the various categories to display orphaned devices. They will be grayed out:
  7. Right-click and select Uninstall to remove the device completely from the system.
  8. A reboot may be necessary after you have removed the devices. Sometimes Device Manager will inform you of this, sometimes not.

I find this extremely useful on virtual machines that have moved from one virtualization platform to another. In this situation old Network Interface Cards (NICs) can sometimes be problematic.

Backing up your Windows profile using Robocopy

Whenever I upgrade the OS on one of my computers or upgrade the computer itself, I always make a manual backup of the data I need to retain. There are many utilities that do this job for you, like User State Migration Tool and Windows Easy Transfer, but none of them give me that warm fuzzy feeling that total manual control provides.
The Robocopy utility, short for Robust File Copy, is one of my all time favorites when it comes to copying large amounts of data. Robocopy used to be part of the Windows Resource Kit, but at least since Windows Vista/Server 2008 it has been part of the base OS installation. This command is what I use to backup my Windows profile, which contains the bulk of my data:
robocopy.exe c:\Users\Morgan g:\ProfileBackup /E /ZB /R:0 /W:0 /XJ /NFL /XD OneDrive "Temporary Internet Files" OfficeFileCache Temp *cache* Spotify WER /XF *cache* *.ost
Note: If you decide to copy and use this command, pay special attention to the file (XF) and directory (XD) exclusions I use. You may have different requirements!
Parameter   Explanation
/E          Copy all subdirectories, even empty ones.
/ZB         Use restartable mode; if access is denied, use Backup mode.
/R:0        Number of retries on failed copies, in this case 0.
/W:0        Wait time between retries, in this case 0.
/XJ         Exclude junction points.
/NFL        No File List: don't log file names.
/XD         Exclude selected directories; space delimited.
/XF         Exclude selected files; space delimited.
Note that the command prompt from which you run this command must be run as an administrator. This is because we tell Robocopy to use backup mode when it cannot access a file. The right to copy a file using the backup interface (Back Up Files and Directories) is reserved for the Administrators and Backup Operators groups on Windows Vista/7.
The XJ parameter requires some extra explanation. Windows Vista changed the layout of user profiles, making Vista profiles incompatible with profiles in earlier versions of Windows. To ensure compatibility with older applications, the Windows Vista profile contains several NTFS junctions that map the old folder names to the new locations. If you run Robocopy without the XJ parameter, the copy will loop, creating nested folders in your target destination until the path length reaches the maximum (256) allowed by NTFS. Therefore we need to exclude junctions.
When you run this command you will see many files that cannot be accessed because they are in use. This can be safely ignored. These files are your registry hive and similar files that are loaded while you are logged on to the system. If you want a copy of these files as well, you have to boot into WinPE and make a copy from there, or log on as another user with administrative privileges and copy the profile. I have never needed any of the data in these files.
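The same backup wrapped in a PowerShell function that checks for elevation first and interprets Robocopy's bitmask exit code (added example, not code from the original post; the source and destination paths are assumed and should be changed to match your own profile and backup drive):

```powershell
# Added example (not from the original post): run the profile backup with the
# switches discussed above and interpret Robocopy's exit code, which is a bitmask
# (1 = files copied, 2 = extra files, 4 = mismatches, 8 = some files could not
# be copied, 16 = fatal error), so anything below 8 is a successful run.
function Backup-Profile {
    param(
        [string]$Source      = $env:USERPROFILE,     # assumed: the current user's profile
        [string]$Destination = 'G:\ProfileBackup',   # assumed backup location
        [string[]]$ExcludeDirs  = @('OneDrive', 'Temporary Internet Files', 'OfficeFileCache',
                                    'Temp', '*cache*', 'Spotify', 'WER'),
        [string[]]$ExcludeFiles = @('*cache*', '*.ost')
    )
    # /ZB falls back to backup mode, which needs the Back Up Files and Directories
    # right; that is only active in an elevated prompt, so refuse to run otherwise.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
    if (-not $isAdmin) { throw 'Run this from an elevated command prompt; /ZB needs backup rights.' }

    # /XJ keeps Robocopy out of the profile's compatibility junctions (see above).
    $roboArgs = @($Source, $Destination, '/E', '/ZB', '/R:0', '/W:0', '/XJ', '/NFL',
                  '/XD') + $ExcludeDirs + @('/XF') + $ExcludeFiles
    & robocopy.exe @roboArgs
    $code = $LASTEXITCODE

    if ($code -band 16) { throw "Robocopy reported a fatal error (exit code $code)" }
    if ($code -band 8)  {
        # Expected for in-use files such as the loaded registry hives (NTUSER.DAT).
        Write-Warning "Some files could not be copied, e.g. in-use registry hives (exit code $code)"
    }
    return $code
}

Backup-Profile
```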

Displaying the Volume GUID of a volume

The use of letters to identify volumes and partitions in Windows is something we have inherited from MS-DOS. Drive letters are still used today due to their ubiquity and for compatibility. However, the Windows operating system does not depend on them. Instead, Windows uses a GUID to identify each volume or partition. (Windows Home Server, which is actually a custom version of Windows Server 2003, has done away with the use of drive letters completely.) This GUID is called the Volume GUID or the Unique Volume Name. The Volume GUID is assigned the first time the OS encounters a volume and it does not change. This ensures that Windows can always uniquely identify a volume, even if its drive letter has changed.

On systems with a lot of storage you will often run out of drive letters for your partitions and volumes. You can work around this by using mount points, for example, but you can also reference the volume by its GUID directly. This is actually the recommended practice in some situations, for example when configuring highly available virtual servers in Hyper-V with Windows Failover Clustering.

So how do we find the Volume GUID? The easiest way I have discovered is by the use of the mountvol.exe utility. Running mountvol.exe without any arguments will show you help for the utility, but also the current Volume GUID to drive letter/mount point relationships.


To prove that the volume GUIDs really are the "true" path to the volume, copy one of the strings and paste it into Explorer or the Run dialog.


Press enter and you will see the contents of the volume displayed.


(Notice the question mark by the drive icon in the navigation bar and the info pane.)

I have not been able to use the Volume GUID from the command line, but that is also the only limitation I have found. Not strange if you consider the command prompt’s origins.

You can also see all the volume GUIDs for every volume the OS has ever seen under the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices


At this location you will also find the “regular” drive letter assignments. They have the form \DosDevices\<drive letter>. If you compare the data in this key for the Volume GUID and the DOS drive letter for a given volume, you will see that they match meaning that they point to the same volume.
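To check the claim above on your own machine, the following PowerShell reads the MountedDevices key and groups its values by their binary data, so every \DosDevices\ drive letter is listed next to the \??\Volume{...} name that carries the identical data (added example, not code from the original post):

```powershell
# Added example (not from the original post): group the values under
# HKLM\SYSTEM\MountedDevices by their REG_BINARY data. Names that share the
# same data point at the same volume, so a drive letter and its Volume GUID
# end up on the same row.
function Get-MountedDeviceMap {
    $key    = Get-Item 'HKLM:\SYSTEM\MountedDevices'
    $byData = @{}
    foreach ($name in $key.GetValueNames()) {
        $bytes = $key.GetValue($name)                # REG_BINARY comes back as byte[]
        if ($bytes -isnot [byte[]]) { continue }
        $hex = [BitConverter]::ToString($bytes)      # hex string usable as a hashtable key
        if (-not $byData.ContainsKey($hex)) { $byData[$hex] = @() }
        $byData[$hex] += $name
    }
    foreach ($hex in $byData.Keys) {
        $names   = $byData[$hex]
        # "\DosDevices\" is 12 characters; what follows is the drive letter, e.g. "C:"
        $letters = @($names | Where-Object { $_ -like '\DosDevices\*' } | ForEach-Object { $_.Substring(12) })
        $guids   = @($names | Where-Object { $_ -like '\??\Volume{*' })
        [pscustomobject]@{
            DriveLetters = $letters -join ' '
            VolumeGuids  = $guids -join ' '
            # On MBR disks the data starts with the 4-byte disk signature (stored
            # little-endian), the same value diskpart shows as the Disk ID.
            DataPrefix   = $hex.Substring(0, [Math]::Min(23, $hex.Length))
        }
    }
}

Get-MountedDeviceMap | Where-Object { $_.VolumeGuids } | Sort-Object DriveLetters | Format-Table -AutoSize
```

Rows with a Volume GUID but no drive letter are volumes the OS has seen at some point but that currently have no letter assigned.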

Strangely enough, the Swiss army knife of disk and volume management in Windows, diskpart.exe, can't display the Volume GUID. Hopefully this is something that will change in future releases. Diskpart can, however, display another interesting piece of data which resembles the Volume GUID, namely the disk signature. Just as volumes have unique IDs, so do disks (or what Windows perceives as disks). The DETAIL command in diskpart displays the disk signature as the Disk ID. It is an 8 digit hexadecimal number.

The string \\?\ is present in all volume GUIDs and it tells Windows to turn off path parsing. Windows NT/2000/XP/Vista have a maximum path length of 255 characters. It is possible to use more than 255 characters by prefixing the path with \\?\. This enables you to use paths that are up to 32,000 characters long, and is called using the "wide" version of a function. The \\?\ itself is ignored as part of the path. E.g.:

"\\?\C:\Users\Aquaman\Documents\test.docx" will be processed as "C:\Users\Aquaman\Documents\test.docx"

Various problems with the Volume GUID may occur under some circumstances making Windows unable to boot or access the volume. Some of these situations are documented here: http://support.microsoft.com/kb/959573

How to exit explorer.exe gracefully on Windows XP and Windows Vista/7

When you install a piece of software that integrates with the Windows shell, typically explorer.exe, you have to restart your computer to complete the installation. If the installer were to close explorer.exe the user would be left without a usable GUI. However there is a supported way of closing the shell process, perhaps saving you from a reboot when installing software. Or just giving you something to test and play around with.

Windows Vista

Press the Start button, and while holding Ctrl+Shift, right-click any empty area of the menu, or the power or lock buttons. You will see this context menu:


Hit Exit Explorer to exit the shell process.

Windows XP

Open the shutdown dialog, Log Off…/Shut Down/Restart, and while holding Ctrl+Alt+Shift hit the Cancel button. Explorer will exit cleanly.

So now what?

OK, so we have made our shell exit. So how do we control the computer now? Any applications you had running while the shell was running will still have their windows on your desktop, but you will not be able to do much with them. We need to restart the shell process. How, you say? Simple. Just bring up Task Manager (Press Ctrl+Shift+Esc) and select New Task… (Run) from the File menu. Enter explorer.exe and your shell will restart.

More info on Aaron Margosis’ Blog:
http://blogs.msdn.com/aaron_margosis/archive/2007/07/17/how-to-cleanly-stop-explorer-exe-on-windows-vista.aspx

Using WinPE and ImageX to recover from a failed hard drive

The hard drive storing the boot and system volumes of my main home machine failed a couple of weeks ago. The drive first started making strange noises and occasionally the machine would hang or blue screen. The hangs, which usually were recoverable, were accompanied by errors in the system log.
Index              : 270720
EntryType          : Error
EventID            : 11
Message            : The driver detected a controller error on \Device\Ide\IdePort0.
Category           : (0)
CategoryNumber     : 0
ReplacementStrings : {\Device\Ide\IdePort0}
Source             : atapi
TimeGenerated      : 11.01.2009 20:47:12
TimeWritten        : 11.01.2009 20:47:12
UserName           :
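The entry above is in the format Get-EventLog produces; the following function counts such controller errors per day so a deteriorating drive shows up as a trend rather than a single scary entry (added example, not code from the original post; the 30-day window is an assumption):

```powershell
# Added example (not from the original post): summarise event ID 11 ("The driver
# detected a controller error") from the atapi and disk sources in the System log,
# one row per day, with the device paths that produced the errors.
function Get-ControllerErrorSummary {
    param([int]$Days = 30)   # assumed look-back window
    $since = (Get-Date).AddDays(-$Days)
    Get-EventLog -LogName System -EntryType Error -After $since |
        Where-Object { $_.EventID -eq 11 -and ($_.Source -eq 'atapi' -or $_.Source -eq 'disk') } |
        Group-Object { $_.TimeGenerated.ToString('yyyy-MM-dd') } |
        ForEach-Object {
            [pscustomobject]@{
                Day     = $_.Name
                Count   = $_.Count
                # ReplacementStrings[0] holds the device path, e.g. \Device\Ide\IdePort0
                Devices = ($_.Group | ForEach-Object { $_.ReplacementStrings[0] } | Sort-Object -Unique) -join ', '
            }
        } | Sort-Object Day
}

Get-ControllerErrorSummary -Days 30 | Format-Table -AutoSize
```

A rising daily count for the same device path is the signal to take a backup (as described next) before the drive gives out entirely.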
Before the drive finally gave out I was able to use ImageX to make a backup in a WIM file.
The first replacement drive I received, a Seagate 250GB drive, was DOA. Go figure. The second one, a Samsung 300 GB drive, worked. Here are the complete steps I followed to make the backup and restore my machine.
  1. Download and install Windows Automated Installation Kit
    This package contains WinPE, which I use to capture and apply the WIM image, as well as ImageX, the utility used to do so.
  2. Create a bootable WinPE CD-ROM containing ImageX.
    ImageX.exe is the only file I needed to add that was not already included in WinPE.
  3. Boot the WinPE CD.
  4. Run ImageX:
    imagex /capture c: d:\myvistabackup.wim "Emergency Vista Backup" /compress none
  5. Replace the failed drive.
  6. Boot WinPE again.
  7. Run Diskpart to create a new partition on the new drive and set it active:
    diskpart
    select disk 0
    clean
    create partition primary
    assign letter=c
    active
    exit
  8. Format the new partition:
    format c: /q /y
  9. Apply the image:
    imagex /apply d:\myvistabackup.wim 1 c:
  10. Update the Boot Configuration Database (BCD):
    bcdedit /set {bootmgr} device partition=c:
    bcdedit /set {default} device partition=c:
    bcdedit /set {default} osdevice partition=c:
  11. Reboot

What are the security benefits of running a service as the Local System Account as opposed to a user account?

With the release of Windows 2000, products from Microsoft, most prominently Exchange 2000, started running their services under the Local System [1] account instead of using a dedicated Active Directory user account, or what is commonly known as a service account [2]. The reason for this was security. As time passed, more and more products adopted this approach, and now most products do, at least from Microsoft. A result of this is the widespread use of computer objects in Active Directory to grant permissions. The Local System account acts as the host computer account on the network and as such has access to network resources just like any other domain account. On the network this account appears as DOMAIN\<machine name>$. Instead of granting permissions to the service accounts, which were typically Domain Admins, we now grant granular permissions to the computer object of the computer where the service is running. When the service on that computer accesses e.g. Active Directory, it does so as the host computer account, and because that computer now has rights and permissions it can access the necessary data. But why is this configuration more secure? Well, that's what this post will try to answer.

  • Password changes
    A traditional service account (user account) typically had the User cannot change password and Password never expires settings set. This meant that you set the password of the account when you created it and never changed it afterwards. That is not a good security practice. Computer accounts, on the other hand, are also members of Active Directory and change their password on a regular basis, completely automatically. By using the computer account for your services you get regular password changes for your services.
  • Granular permissions
    Traditional user service accounts were usually added to the Domain Admins group. This facilitated easy access to all resources, and the services always worked. If the service account, which could be used on several, and sometimes all, computers on the network, was ever compromised, it would give an attacker virtually unlimited access to the network. By using Local System the account can only be used on the host computer and typically never has any rights on other systems. Furthermore, using the principle of least privilege, the host computer's account can be given only the permissions required to run the service.

[1] Local System, or NT AUTHORITY\SYSTEM, which is its actual name, is a predefined local account that can start a service and provide the security context for that service. When you run something, a service, a scheduled task or a process, as Local System you are running it as the host computer. This has many benefits. For example, the system has access to the entire computer, meaning the local SAM, Session 0, and other protected areas which are not immediately accessible to a user, even an administrator. For an administrator to access these protected areas we have to start a process as Local System, which is something only administrators can do. There are also other accounts which represent the system, namely LocalService and NetworkService. LocalService has reduced privileges similar to an authenticated local user account, and operates on the network using a NULL session (anonymous). NetworkService also has reduced privileges similar to an authenticated user account, but accesses network resources using the credentials of the computer account in the same manner as a Local System service does. More information about service accounts etc. is available in the Services and Service Accounts Security Planning Guide (http://www.microsoft.com/technet/security/guidance/serversecurity/serviceaccount/default.mspx).

[2] What allowed this was a change in the Local System account which enabled it to authenticate to network resources just as a regular user account does.
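To see which of the two models the services on a given machine actually follow, the following PowerShell lists every service by logon account, separates the built-in system accounts from traditional user service accounts, and for local user accounts reads the Password never expires flag discussed above (added example, not code from the original post; the account-name patterns used for classification are assumptions):

```powershell
# Added example (not from the original post): inventory services by logon account.
# Built-in accounts (Local System, Local Service, Network Service) get automatic
# password changes; user accounts are the ones whose passwords rarely change.
function Get-ServiceAccountInventory {
    $builtIn = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')
    Get-WmiObject -Class Win32_Service | ForEach-Object {
        $acct = $_.StartName
        $kind = if (-not $acct)                        { 'Unknown' }
                elseif ($builtIn -contains $acct)      { 'BuiltIn' }
                elseif ($acct -like 'NT SERVICE\*')    { 'VirtualAccount' }
                elseif ($acct -like '.\*' -or $acct -like "$env:COMPUTERNAME\*") { 'LocalUser' }
                else                                   { 'DomainUser' }
        $neverExpires = $null
        if ($kind -eq 'LocalUser') {
            # UserFlags bit 0x10000 is DONT_EXPIRE_PASSWD ("Password never expires").
            $user = ($acct -split '\\')[-1]
            try {
                $flags = ([ADSI]"WinNT://./$user,user").UserFlags.Value
                $neverExpires = [bool]($flags -band 0x10000)
            } catch { }
        }
        [pscustomobject]@{
            Service = $_.Name; StartMode = $_.StartMode; Account = $acct
            Kind = $kind; PasswordNeverExpires = $neverExpires
        }
    } | Sort-Object Kind, Service
}

# Everything that is not a built-in account deserves a look: is the account a Domain Admin,
# is it shared with other machines, and when did its password last change?
Get-ServiceAccountInventory | Where-Object { $_.Kind -ne 'BuiltIn' } | Format-Table -AutoSize
```

Domain service accounts are classified by name only here; their password age and group membership have to be checked in Active Directory.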

Turning on BitLocker on my laptop

So I decided to test BitLocker on my laptop. Here is what happened.

First you need to have the correct partition layout; one 1,5 GB unencrypted system partition to store the boot manager and the Boot Configuration Database (BCD). The BitLocker Drive Preparation Tool does this for you, BDPT is documented in KB933246.

BDPT did not work on my system initially because of a hidden EISA configuration partition, courtesy of Lenovo, so that had to go first. The EISA partition could not be deleted from Disk Management, so I had to use the delete partition override command in diskpart to get rid of it. The EISA partition was 5GB, but I only needed 1,5 GB, so I extended the C: drive until only 1,5 GB of free space remained. Then I tried the BitLocker Drive Preparation Tool again:

Figure 1 Warning screen

Figure 2 Creating new partition

Figure 3 Moving the boot manager and BCD to the new partition

Figure 4 Process complete

Figure 5 Restart message

'Remove Exchange Attributes' à la PowerShell

The extensions to Active Directory Users and Computers for Exchange 2000 and Exchange 2003 have a task called Remove Exchange Attributes that is accessible from the Exchange Tasks menu. It removes all Exchange related attributes from the objects on which it is run. This is useful when an object is in an inconsistent state with regard to Exchange, for example if an Exchange attribute has invalid data or not all required attributes are present.
If you remove the last Exchange 2000/2003 server from your organization you will not be able to use the Remove Exchange Attributes task, even if the extensions are still installed on a computer. I recently found myself in just that situation and had to come up with a workaround. My favorite tool lately is PowerShell, so I decided to use that. This is the command I came up with, using the cmdlets from Quest Software for Active Directory:

https://gist.github.com/morgansimonsen/8040285

As you can see, this command targets groups, but it can be easily changed to apply to other object types.
I found a list of all the Exchange attributes that the Remove Exchange Attributes task removes here: