OEM/BIOS Activating a Lenovo X1

I wanted to reinstall a Lenovo X1 portable computer. While preparing to wipe the machine I used ProduKey from NirSoft to extract the product keys for the installed software. This particular machine was sold with an OEM license, for which the product key was affixed under the machine. I quickly noticed that the key printed on the label did not match the one extracted from the machine with ProduKey. That meant that the machine was BIOS or OEM activated.

I now had two choices: I could bring the OEM activation with me over to my new install, or just use the key printed on the sticker. The last option would have been the easiest, but that’s not how I roll. So how to “extract” the OEM activation?

A friend of mine had previously gone through just this scenario with a bunch of HP machines, so I knew that the activation depends on a digital certificate, distributed by Lenovo with the machine and signed by Microsoft. Unfortunately the certificate file had been deleted by the Lenovo setup. But the Lenovo recovery partition (Q:) included a WIM file called cdrivebackup.wim. This WIM was used by the recovery system to reinstall the machine in the event of a failure, so it probably included the needed certificate. But first I had to make the contents of the recovery partition visible so I could easily copy the files to another computer and mount the WIM. This was accomplished with these two commands:

  • echo y | icacls "Q:\*" /grant Administrators:F /T
  • attrib -R -A -S -H "Q:\*" /S /D

I then copied the entire contents of the Q drive to a memory stick and mounted the WIM with DISM on another computer:

  • dism.exe /Mount-Wim /WimFile:h:\LenovoRecovery\FactoryRecovery\cdrivebackup.wim /index:1 /MountDir:D:\wimmount /ReadOnly

Now it was time to try and find the certificate (software license certificates have the .xrm-ms extension):

  • dir d:\wimmount\*.xrm-ms /s

This command yielded many files, but only the one called lenovo.xrm-ms in d:\wimmount\swwork\OEM was of interest. I copied the file to a memory stick and proceeded to wipe the machine and reinstall Windows 7. After Windows 7 was installed I created a new folder under %windir%\system32\oem and copied the certificate into it. Now I could install the certificate and product key:

  • cscript %windir%\system32\slmgr.vbs -ilc %windir%\system32\oem\lenovo.xrm-ms
  • cscript %windir%\system32\slmgr.vbs -ipk 237XB-GDJ7B-MV8MH-98QJM-24367

Now, the product key is kind of interesting. This key will be accepted as a valid key by Windows, but will not be able to activate the machine without the certificate file. It’s kind of like a KMS client key, but instead of a KMS Host it needs a certificate. As far as I can tell this key is Lenovo specific so I hope I haven’t infringed on any copyrights etc. by posting it here.
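The whole procedure above as one script, added here as an example rather than taken from the original post: it assumes the recovery partition was copied to a stick mounted as H: (the path and file names are those used above), that C:\wimmount is free to use as the mount directory, and that the key is the Lenovo key quoted in the post. Run it from an elevated PowerShell prompt on the freshly installed machine.

```powershell
# Added example (not from the original post). Assumed paths: stick on H:, mount dir C:\wimmount.
param(
    [string]$WimFile    = 'H:\LenovoRecovery\FactoryRecovery\cdrivebackup.wim',
    [string]$MountDir   = 'C:\wimmount',
    [string]$CertName   = 'lenovo.xrm-ms',
    [string]$ProductKey = '237XB-GDJ7B-MV8MH-98QJM-24367'   # key quoted in the post
)
$ErrorActionPreference = 'Stop'
$oemDir = Join-Path $env:windir 'system32\oem'
$slmgr  = Join-Path $env:windir 'system32\slmgr.vbs'

# 1. Mount the recovery WIM read-only and pull out the OEM licence certificate.
New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
& dism.exe /Mount-Wim "/WimFile:$WimFile" /index:1 "/MountDir:$MountDir" /ReadOnly
if ($LASTEXITCODE -ne 0) { throw "DISM mount failed with exit code $LASTEXITCODE" }
try {
    $cert = Get-ChildItem -Path $MountDir -Filter $CertName -Recurse -Force |
            Select-Object -First 1
    if (-not $cert) { throw "$CertName not found inside $WimFile" }
    New-Item -ItemType Directory -Path $oemDir -Force | Out-Null
    Copy-Item -Path $cert.FullName -Destination $oemDir
}
finally {
    # Read-only mount, so there is nothing to commit.
    & dism.exe /Unmount-Wim "/MountDir:$MountDir" /Discard | Out-Null
}

# 2. Certificate first, then the OEM key, then activate against the certificate.
#    A non-zero exit code from slmgr aborts the script.
function Invoke-Slmgr {
    param([string[]]$Arguments)
    & cscript.exe //nologo $slmgr $Arguments
    if ($LASTEXITCODE -ne 0) { throw "slmgr $($Arguments -join ' ') failed with exit code $LASTEXITCODE" }
}
Invoke-Slmgr @('-ilc', (Join-Path $oemDir $CertName))
Invoke-Slmgr @('-ipk', $ProductKey)
Invoke-Slmgr @('-ato')

# 3. Confirm through the licensing WMI class: the Description of an OEM key names the
#    OEM_SLP channel, and LicenseStatus 1 means the installation is licensed.
Get-WmiObject -Class SoftwareLicensingProduct -Filter 'PartialProductKey IS NOT NULL' |
    Select-Object Name, Description, LicenseStatus, PartialProductKey | Format-List
```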

Morgan

Poor sound quality in Spotify

I love Spotify, but recently I have been plagued by poor sound quality. Specifically I experienced clipping, popping and variations in volume level during playback. As far as I could tell this affected all the songs I played in Spotify. At first I thought the problem was specific to Spotify, but after doing some tests with Grooveshark and Windows Media Player I discovered that the problem affected all apps playing sound. After a little digging I discovered a workaround for the problem.

Open the Sound properties:

[image: Sound properties dialog]

Select Properties for the Default Device, then select the Enhancements tab:

[image: Default Device properties, Enhancements tab]

Select Disable all enhancements. If you are playing music it will momentarily pause and then continue, hopefully (as it did for me) in crystal clear quality.

Happy listening!

Last.FM profile: www.last.fm/user/morgands

Morgan

Script to install Remote System Administration Tools (RSAT) for Windows 7 with Service Pack 1

Here is a quick script to just install, or install and enable the Windows 7 Remote System Administration Tools (RSAT) for Windows 7 with Service Pack 1. I created it for use with the software deployment functionality in System Center Configuration Manager, but it is not limited to that.

' InstallRSAT.vbs
' v 1.0 (15.06.2011)
' by Morgan Simonsen, Atea
'
' Detects system architecture, and installs and enables RSAT for Windows 7 with SP1, depending on submitted arguments.
'
' Usage:
' InstallRSAT.vbs </Install|/InstallAndEnable>
'
' /Install: just install RSAT, must be manually enabled
' /InstallAndEnable: install and enable RSAT (all components)
'
' If no arguments are submitted, /Install will be used.
'
' Arguments are CASE SENSITIVE!!!
'
' The RSAT packages Windows6.1-KB958830-x86-RefreshPkg.msu and
' Windows6.1-KB958830-x64-RefreshPkg.msu must be in the same folder as this script.

'Enable/disable debugging (1 = echo debug messages)
strDebug = 0

Set objWSHShell = WScript.CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")

'Get script arguments
Set objArgs = WScript.Arguments

If objArgs.Count = 0 Then
    ' No arguments submitted, defaulting to install (and not enable)
    strInstallAction = "/Install"
Else
    strInstallAction = objArgs.Item(0)
    Select Case strInstallAction
        Case "/Install"
            'Install action selected
        Case "/InstallAndEnable"
            'InstallAndEnable action selected
        Case Else
            'Invalid argument submitted; quitting!
            WScript.Echo "Invalid argument: " & strInstallAction & ". Use /Install or /InstallAndEnable."
            WScript.Quit 1
    End Select
End If

strScriptPath = objFSO.GetParentFolderName(WScript.ScriptFullName)

'Determine CPU architecture from WMI (Win32_Processor.Architecture: 0 = x86, 9 = x64).
'The value is numeric, so convert it to a string before comparing against the Case labels.
strComputer = "."
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

Set colProcessors = objWMIService.ExecQuery("Select * from Win32_Processor")
For Each objProcessor In colProcessors
    strProcessorArchitecture = CStr(objProcessor.Architecture)
Next

'Alternative: strProcessorArchitecture = objWSHShell.ExpandEnvironmentStrings("%PROCESSOR_ARCHITECTURE%")
strWinDir = objWSHShell.ExpandEnvironmentStrings("%WINDIR%")

strWUSA = strWinDir & "\system32\wusa.exe"
strDISM = strWinDir & "\system32\dism.exe"
strx86Package = strScriptPath & "\Windows6.1-KB958830-x86-RefreshPkg.msu"
strx64Package = strScriptPath & "\Windows6.1-KB958830-x64-RefreshPkg.msu"

'Pick the package matching the architecture
Select Case strProcessorArchitecture
    Case "0"
        strProcessorArchitectureHumanReadable = "x86"
        strPackage = strx86Package
    Case "9"
        strProcessorArchitectureHumanReadable = "x64"
        strPackage = strx64Package
    Case Else
        'Unknown architecture; quitting!
        WScript.Echo "Unknown processor architecture: " & strProcessorArchitecture
        WScript.Quit 1
End Select
Debug "Architecture: " & strProcessorArchitectureHumanReadable & ", package: " & strPackage

If Not objFSO.FileExists(strPackage) Then
    WScript.Echo "RSAT package not found: " & strPackage
    WScript.Quit 2
End If

'Install RSAT silently; wusa.exe returns 0 on success and 3010 when a reboot is required
strLogFile = Chr(34) & strWinDir & "\Logs\RSAT Install (" & strProcessorArchitectureHumanReadable & ").log" & Chr(34)
intRC = objWSHShell.Run(Chr(34) & strWUSA & Chr(34) & " " & Chr(34) & strPackage & Chr(34) & " /quiet /norestart /log:" & strLogFile, 0, True)
Debug "wusa.exe returned " & intRC
If intRC <> 0 And intRC <> 3010 Then
    WScript.Echo "RSAT installation failed, wusa.exe returned " & intRC
    WScript.Quit intRC
End If

If strInstallAction = "/InstallAndEnable" Then
    Call EnableRSAT()
End If
WScript.Quit intRC

'Enable all RSAT features (and the IIS management features they depend on) with DISM
Function EnableRSAT()
    Dim intDismRC
    intDismRC = objWSHShell.Run(Chr(34) & strDISM & Chr(34) & " /Online /Enable-Feature " & _
        "/FeatureName:IIS-LegacySnapIn " & _
        "/FeatureName:IIS-IIS6ManagementCompatibility " & _
        "/FeatureName:IIS-WebServerManagementTools " & _
        "/FeatureName:IIS-WebServerRole " & _
        "/FeatureName:IIS-Metabase " & _
        "/FeatureName:RemoteServerAdministrationTools " & _
        "/FeatureName:RemoteServerAdministrationTools-ServerManager " & _
        "/FeatureName:RemoteServerAdministrationTools-Roles " & _
        "/FeatureName:RemoteServerAdministrationTools-Roles-CertificateServices " & _
        "/FeatureName:RemoteServerAdministrationTools-Roles-CertificateServices-CA " & _
        "/FeatureName:RemoteServerAdministrationTools-Roles-CertificateServices-OnlineResponder " & _
        "/FeatureName:RemoteServerAdministrationTools-Roles-AD " & _
        "/FeatureName:RemoteServerAdministrationTools-Roles-AD-DS " & _
        "/FeatureName:RemoteServerAdministrationTools-Roles-AD-DS-SnapIns " & _
        "/FeatureName:RemoteServerAdministrationTools-Roles-AD-DS-AdministrativeCenter " & _
        "/FeatureName:RemoteServerAdministrationTools-Roles-AD-DS-NIS " & _
        "/FeatureName:RemoteServerAdministrationTools-Roles-AD-LDS " & _
        "/FeatureName:RemoteServerAdministrationTools-Roles-AD-Powershell " & _
        "/FeatureName:RemoteServerAdministrationTools-Roles-DHCP " & _
        "/FeatureName:RemoteServerAdministrationTools-Roles-DNS " & _
        "/FeatureName:RemoteServerAdministrationTools-Roles-FileServices " & _
        "/FeatureName:RemoteServerAdministrationTools-Roles-FileServices-Dfs " & _
        "/FeatureName:RemoteServerAdministrationTools-Roles-FileServices-Fsrm " & _
        "/FeatureName:RemoteServerAdministrationTools-Roles-FileServices-StorageMgmt " & _
        "/FeatureName:RemoteServerAdministrationTools-Roles-HyperV " & _
        "/FeatureName:RemoteServerAdministrationTools-Roles-RDS " & _
        "/FeatureName:RemoteServerAdministrationTools-Features " & _
        "/FeatureName:RemoteServerAdministrationTools-Features-BitLocker " & _
        "/FeatureName:RemoteServerAdministrationTools-Features-Clustering " & _
        "/FeatureName:RemoteServerAdministrationTools-Features-GP " & _
        "/FeatureName:RemoteServerAdministrationTools-Features-LoadBalancing " & _
        "/FeatureName:RemoteServerAdministrationTools-Features-SmtpServer " & _
        "/FeatureName:RemoteServerAdministrationTools-Features-StorageExplorer " & _
        "/FeatureName:RemoteServerAdministrationTools-Features-StorageManager " & _
        "/FeatureName:RemoteServerAdministrationTools-Features-Wsrm", 0, True)
    Debug "dism.exe returned " & intDismRC
    EnableRSAT = intDismRC
End Function

'Echo a message when debugging is enabled
Function Debug(data)
    If strDebug = 1 Then
        WScript.Echo data
    End If
End Function


Computer naming schemes

I often get asked what I recommend for server/client naming schemes. There is no definitive answer; it always depends on your organization and what your specific requirements are. Still, here are some pointers:

Things you would often want to include in the name of a machine:

  • Your organization name or an abbreviation of it: <org>
  • The machine type; laptop, desktop, workstation, server etc.: <type>
  • The computer's MAC address: <MAC>
  • Asset tag: <asset tag>
  • Make/Model: <model>
  • The name of the user who owns/uses the machine: <username>
  • The department it belongs to: <dep>
  • A running number: <n>
  • The OS the machine is running: <OS>

You can combine these any way you want, with hyphens or other separators or without. Here are a few I often use:

  • <org>-01234 (e.g. BigFirm-56798)
  • <org>-<type>-01234 (e.g. BigFirm-l-87980)
    V=Virtual
    W=Workstation
    L=Laptop
    K=Kiosk
    etc.
  • <org>-<asset tag> (e.g. BigFirm-A5B98)
  • <org>-<MAC address> (e.g. BigFirm-AABBCCDDEEFF)
  • <org>-<model>-01234 (e.g. BigFirm-HP8100-89476)
  • <org>-<username>(-<type>) (e.g. BigFirm-BobH-V)

If you have any suggestions of either complete schemes or things you like to include in your machine names, please leave a comment and I will update the article.

Also, remember that Windows computers use both DNS hostnames and NetBIOS names. NetBIOS names are limited to 15 characters, but DNS hostnames are not. Windows will not stop you from using names that are longer than 15 characters, but the NetBIOS name of the machine will be limited to the first 15 characters of the name you choose. If the part of your name that makes it unique is beyond the 15th character you will have more than one machine on your network with the same NetBIOS name. Furthermore, although Windows itself will work with a name longer than 15 characters, many tools will not. An example of this is MDT 2010.
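A small checker for the NetBIOS problem just described, added here as an example and not part of the original article: it takes a list of proposed names, derives the NetBIOS name Windows would actually use (upper-cased, cut at 15 characters), and reports names that collide or contain characters that are not valid in a DNS hostname label. The sample names are constructed; the two BigFirm-HP8100 names follow the <org>-<model>-<n> scheme above and collide because the running number sits beyond the 15th character.

```powershell
# Added example (not from the original article). Sample names below are constructed.
function Test-ComputerNames {
    param([string[]]$Names)
    $seen = @{}   # NetBIOS name -> first full name that produced it
    foreach ($name in $Names) {
        $problems = @()
        # DNS hostname label: letters, digits and hyphens only, no leading or trailing hyphen.
        if ($name -notmatch '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$') {
            $problems += 'invalid characters for a DNS hostname'
        }
        # Windows accepts longer names but the NetBIOS name is the first 15 characters.
        $netbios = $name.ToUpper()
        if ($netbios.Length -gt 15) {
            $netbios = $netbios.Substring(0, 15)
            $problems += "longer than 15 chars, NetBIOS name will be $netbios"
        }
        if ($seen.ContainsKey($netbios)) {
            $problems += "NetBIOS name collides with $($seen[$netbios])"
        } else {
            $seen[$netbios] = $name
        }
        New-Object PSObject -Property @{
            Name     = $name
            NetBIOS  = $netbios
            OK       = ($problems.Count -eq 0)
            Problems = ($problems -join '; ')
        }
    }
}

# Constructed sample: schemes from the article, plus one name with a space in it.
$sample = 'BigFirm-HP8100-89476', 'BigFirm-HP8100-89477', 'BigFirm-A5B98', 'BigFirm-BobH-V', 'Big Firm-01'
Test-ComputerNames $sample | Format-Table Name, NetBIOS, OK, Problems -AutoSize
```

Both HP8100 names come out as BIGFIRM-HP8100- on the NetBIOS side, which is exactly the duplicate the paragraph above warns about.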

Happy naming!

Remote Desktop on Linux?

With the momentum behind desktop virtualization, both with VDI and Remote Desktop Sessions (formerly Terminal Services), more and more people are looking for ways to access the Windows Desktop from platforms other than Windows. Citrix offers the Citrix Receiver, which supports virtually all platforms, but if you want to use the Remote Desktop Protocol (RDP) your choices are limited. This is a list of the RDP clients I have found for Linux:

Unfortunately none of these support more than RDP v5.1, which does not offer any of the newest features such as multi-monitor support.

SHA1 Thumbprints for trusted .rdp publishers

Remote Desktop Connection (RDC) has a Group Policy setting that determines which publishers are to be considered trusted when launching connections (typically .rdp files served in various ways).

The publisher is identified by the SHA1 thumbprint of the certificate of the publisher (the certificate used to sign the .rdp file). You get the thumbprint from the certificate:

[image: certificate details with the Thumbprint field selected]

The setting is located under:
Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client

Setting:
Specify SHA1 thumbprints of certificates representing trusted .rdp publishers

Description:
This policy setting allows you to specify a list of Secure Hash Algorithm 1 (SHA1) certificate thumbprints that represent trusted Remote Desktop Protocol (.rdp) file publishers.

If you enable this policy setting, any certificate with an SHA1 thumbprint that matches a thumbprint on the list is trusted. If a user tries to start an .rdp file that is signed by a trusted certificate, the user does not receive any warning messages when they start the file. To obtain the thumbprint, view the certificate details, and then click the Thumbprint field.

If you disable or do not configure this policy setting, no publisher is treated as a trusted .rdp publisher.

Notes:

You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the computer, the list of certificate thumbprints trusted for a user is a combination of the list defined for the computer and the list defined for the user.

This policy setting overrides the behavior of the “Allow .rdp files from valid publishers and user’s default .rdp settings” policy setting.

If the list contains a string that is not a certificate thumbprint, it is ignored.

As you can see, there is no mention of how the thumbprint is to be entered!

I found out the hard way that you have to remove all spaces and convert all letters to uppercase for the thumbprint to be valid. You are not informed if the format you enter is incorrect; it is just silently ignored if it is not recognized as a valid thumbprint.

This quick PowerShell command will do these two operations:

("<your thumbprint here>").ToUpper().Replace(" ","")

If this Group Policy setting is not in effect, either because you have not set it or the thumbprint is incorrect/invalid, your users will get a warning when connecting, even if the certificate used to sign the .rdp file is trusted:

[image: RemoteApp publisher warning dialog]

Error: A website wants to run a RemoteApp program. Make sure that you trust the publisher before you connect to run the program.

It is interesting to note that the rdpsign.exe command line utility, which is used to sign .rdp files manually, requires the thumbprint of the certificate to be provided in just this way: http://technet.microsoft.com/en-us/library/cc753982(WS.10).aspx

More info:

A note on copying the thumbprint

If you look at the highlighted/selected thumbprint in the image above you will see what looks like a leading whitespace. If you select the whole string (not as above), you will get a strange leading character in your thumbprint. Have a look at this zoomed image:

[image: zoomed thumbprint showing the leading character]

I do not know what character this is, but it invalidates the thumbprint string if you paste it into the SHA1 thumbprint field in your GPO. Even stranger is that it does not show up in the pasted text in the GPO object; it just “looks” right. As I said, I have no explanation, but remember to skip the leading whitespace when you copy your thumbprint.

This is how it should look:

[image: thumbprint selected without the leading character]
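One function covering both the formatting rules and the hidden leading character discussed above, added here as an example rather than taken from the original post. It keeps only hexadecimal digits, which removes the spaces as well as the left-to-right mark (U+200E) that the certificate dialog puts in front of a copied thumbprint, upper-cases the result, and refuses anything that is not 40 hex digits, since the GPO silently ignores such a value instead of warning you. The sample thumbprint is constructed.

```powershell
# Added example (not from the original post). The sample thumbprint is constructed.
function ConvertTo-GpoThumbprint {
    param([Parameter(Mandatory = $true)][string]$Thumbprint)
    # Keep only hex digits: this drops spaces, the U+200E left-to-right mark that the MMC
    # certificate dialog prepends to a copied thumbprint, and any other stray character.
    $clean = ([regex]::Replace($Thumbprint, '[^0-9A-Fa-f]', '')).ToUpper()
    # A SHA1 thumbprint is 20 bytes = 40 hex digits; anything else would be ignored by the GPO.
    if ($clean.Length -ne 40) {
        throw "Not a SHA1 thumbprint: $($clean.Length) hex digits after cleanup, expected 40"
    }
    return $clean
}

# Constructed sample, with the invisible U+200E that a copy from the Thumbprint field carries.
$copied = "$([char]0x200E)a1 b2 c3 d4 e5 f6 07 18 29 3a 4b 5c 6d 7e 8f 90 a1 b2 c3 d4"
$gpoValue = ConvertTo-GpoThumbprint $copied
"Paste into the GPO: $gpoValue"

# Reading the thumbprint from the certificate store avoids the clipboard problem entirely;
# the Thumbprint property is already upper-case hex without spaces.
Get-ChildItem Cert:\LocalMachine\My | Select-Object Subject, Thumbprint
```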

Windows System Update Readiness Tool

A new tool is being offered through Windows Update: the System Update Readiness (SUR) Tool. It is designed to help diagnose and fix issues that prevent Windows updates or Service Packs from installing correctly. According to the documentation it is only offered to systems that are experiencing one of the conditions that the tool could resolve. (How it can determine this without first running is beyond me.) The tool runs on Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2. Like the monthly Windows Malicious Software Removal Tool (WMSRT), it runs a one-time scan of your system to determine if it is experiencing one of the issues it can detect and fix. A log of this activity is written to %SYSTEMROOT%\Logs\CBS\CheckSUR.log. As of this writing the tool is presented in Windows Update as System Update Readiness Tool for Windows 7 for x64-based Systems (KB947821) [February 2011]. This leads me to believe that it will be updated and offered in new “versions” further on.

You can also download the tool manually and run it, check the first link below.

On one system I experienced an error when trying to install Windows Server 2008 R2 Service Pack 1: “An unknown error has occurred; error code 0x800f0818”. I ran the SUR Tool and it detected an error in the %SYSTEMROOT%\Servicing\Packages folder, which it was able to repair. After that SP1 installed successfully.

One strange thing to note in this case was that I was installing SP1 through Windows Update, and both SP1 and the SUR tool were selected for install. For some reason the SP1 install ran first and failed, then the SUR tool ran and repaired the error that prevented the Service Pack from installing. Should have been the other way around.

More info:

Information wants to be free!