When Windows Updates turn bad

This content is 17 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

Last night, as I got ready to shut down the notebook PC that I use for work, I noticed that it had some Windows updates to apply. I left Windows doing its thing and went to bed, stopping this morning only for long enough to put the PC into my bag as I headed off for the station. Only when I was on the train did I fire it up to find that the PC would not boot, greeting me instead with the following message:

Windows Boot Manager

Windows failed to start. A recent hardware or software change might be the cause. To fix the problem:

1. Insert your Windows installation disc and restart your computer.
2. Choose your language settings and then click “Next.”
3. Click “Repair your computer.”

If you do not have this disc, contact your system administrator or computer manufacturer for assistance.

File: \Windows\system32\winload.exe

Status: 0xc000000f

Info: The selected entry could not be loaded because the application is missing or corrupt.

I spent the rest of the journey to London contacting colleagues to see if anyone could bring a Vista DVD in with them (with no success). After that failed, I asked the local IT support guys (no chance – they view anyone who doesn’t run the corporately-sanctioned Windows XP build as a renegade who can make their own support arrangements). A colleague used his MSDN subscription to start downloading a DVD image for me onto another colleague’s computer, but after almost 3 hours it was still only 60% downloaded (and he needed to leave the office). So I gave up and headed home.

Once home, the recovery process was straightforward. I booted from DVD, followed the directions for a startup repair and, after a reboot or two, I could log on as normal but it does leave me wondering whether, as I finally get stuck into today’s work at 4pm (after leaving home for the office at 6.30am), blindly applying updates is such a good idea?

I don’t think there is a single “correct” answer to this. On one hand, I run a risk that an update turns bad on me – and losing a day’s productivity is fairly minor in the scheme of things (next time it could be far worse). On the other hand, what is the risk of waiting to apply updates until after they have been tested (even critical ones)? After all, at home I’m on a NATted network segment, protected by a firewall, and at work the protection from the outside world is even stronger. But what about protection from the inside – from colleagues and internal servers? What about when I work on a public 3G or WiFi network? I guess, like any security decision, it’s a balance between risk of a security breach and the convenience of continued system stability.

In the meantime, I’ll carry on applying updates when Microsoft pushes them at me. It’s the first time an update has turned bad on me (and that system is operating with around 1.5% free disk space, which may be a factor in the issues that I experience with it). Hopefully next week I’ll finally get my new notebook and start the switch to using Windows Server 2008 as my daily computing platform for work.

Windows Server 2008 RTM and launch plans

This will probably be one of the most-reported news items of the year (and I don’t really do news) but Microsoft released Windows Server 2008 to manufacturing yesterday (in the middle of the night here).

I’m not sure quite how widely available the images are at the time of writing but beta testers can certainly download a copy from Microsoft Connect for the next 29 days and I’m told it’s also available to MSDN subscribers, as is Windows Vista SP1. I expect the product will also be made available to volume license customers over the next few days (if not already). There’s more information on Windows Server 2008 elsewhere on this site (and in the Microsoft press release).

The official launch date is still 27 February 2008, and in the UK the main customer event is planned for 19 March at the ICC in Birmingham. The various user groups are also in the process of planning a community launch event for 8/9 April at Microsoft’s UK Campus with session planning currently in progress – I’ll post more information as it becomes available.

Windows Server 2008 moves a step closer to release

I don’t normally cover new product releases here but there are one or two products on the horizon that are what might be considered "significant releases".

The first of these is Windows Server 2008 and around about now, Microsoft is due to announce release candidate 1 (RC1), marking another step forward towards product release (and launch in February 2008).

Windows Server 2008 RC1 doesn’t include any major build updates (compared to RC0) but it also coincides with Windows Vista service pack 1 (SP1) RC1, effectively bringing Windows Vista onto the same codebase as Windows Server 2008.

Also on track for launch in the same timeframe as Vista SP1 is Windows XP SP3 (whilst I’ve not seen any details yet on the ship date for this, I expect it to be made available at around about the same time as Windows Vista SP1 and Windows Server 2008).

Getting Vodafone Mobile Connect and Windows Vista to play nicely together

In order to be effective, I need to be online for a large part of my working day. Right now I’m spending a big chunk of my week either travelling or at a client site where their policies prevent me from connecting my notebook PC to the LAN and the only access I have to the Internet is via a Wyse terminal to RDP onto servers (which don’t have any of the software installed that so many websites need – for example Flash/Silverlight plugins, Java, etc.).

I’ve been given a Vodafone PC Express Card (one of the new 7.2Mbps HSUPA Option Etna cards) but I’ve been struggling to get it working with Windows Vista. Vodafone’s website indicates that Vodafone Mobile Connect (VMC) version 9.1 will work with Windows Vista and that’s certainly the experience of a colleague with an older card but each time I installed the Vodafone Mobile Connect software, the wireless LAN connection failed to obtain an IP address, falling back to automatic private IP addressing (which Vista reports as local access only).

The Option Express card is supplied with Vodafone Mobile Connect 9.2.1.6545, which is reported to resolve issues with previous VMC clients including application conflicts and failing LAN/WLAN connections. I’d tried a custom installation without Vodafone’s WLAN components as Windows Vista is perfectly capable of managing my notebook’s built-in Intel PRO/Wireless 2200BG (Centrino) chipset and was just about to try Vodafone Mobile Connect Lite v3.0.3.112 instead when I stumbled across a comment on a blog post that suggested installing VMC without the optimisation software – that seemed to resolve the issue and allowed me to use the WLAN connection with the VMC software installed.

Screenshot of Vodafone Mobile Connect v9.2.1.6545 with a working (but weak) 3G connection

I still couldn’t get a data connection; however that problem turned out to be a little more basic – swapping SIMs with my mobile handset confirmed that the new SIM that Vodafone had supplied with the data card was not activated (despite the shipping note stating that it was). A quick call to Vodafone this morning resolved that particular issue and I now have a working 3G connection (seamlessly dropping back to GPRS as required).

BDD 2007 overview

It’s been almost three years since I wrote a post about the Microsoft Solution Accelerator for Business Desktop Deployment (BDD) and since then it’s been updated twice – first with BDD v2.5 and now with BDD 2007 (the latest version of which is now known simply as Microsoft Deployment).

According to Microsoft:

The Solution Accelerator for Business Desktop Deployment (BDD) is best-practice guidance for desktop deployment. BDD is targeted at companies that want to reduce deployment time, effort, and cost by increasing the level of automation. It allows administrators to deploy desktops with Zero Touch and Lite Touch interaction at the target PCs. This solution also helps organizations move to a managed environment with standardized desktop images.

Effectively, BDD is a framework that brings together a variety of deployment tools with business logic in order to implement best practices. In its simplest form, known as Lite Touch Installation (LTI), BDD allows administrators to create/capture operating system images, customise these and deploy them to other workstations. This requires very little infrastructure and as such is suitable for small and mid-size business; however there is also a Zero Touch Installation (ZTI) option that integrates with Microsoft Systems Management Server (SMS) 2003 or System Center Configuration Manager (SCCM) 2007 for enterprises that have the required infrastructure in place.

Supported on Windows XP, Server 2003, Server 2003 R2 and Vista, BDD can be used to deploy Windows clients, together with applications (e.g. Office 2007) and customisations. Available in both x86 and x64 editions (with both versions supporting installation of clients on either architecture), BDD 2007 is finally looking like a product, rather than a collection of tools glued together with scripts and HTML applications. There are still a few strange interfaces, but the hub of BDD 2007 is the BDD Workbench – an MMC 3.0 snap-in. Other requirements for BDD are Windows Script Host (WSH) 5.6 and it also makes use of various other tools that may be downloaded from within the BDD Workbench:

  • Windows Automated Installation Kit (WAIK).
  • Application Compatibility Toolkit (ACT) 5.0.
  • User State Migration Tool (USMT) 3.0.
  • MSXML 6.0.
  • Key Management Server (KMS) (and associated management pack).
  • Volume Activation Management Tool.
  • Office Migration Planning Manager.
  • Windows Vista Hardware Assessment.

Screenshot of the BDD 2007 Workbench

After installation of BDD (supplied as a Windows Installer .MSI file, together with a quick start guide and deployment tools overview – both of which are worth reading), the primary folders are held in %programfiles%\BDD 2007\ and consist of:

  • \BIN – BDD Workbench console and supporting files.
  • \Documentation – documentation.
  • \Downloads – storage for components downloaded by BDD 2007.
  • \ManagementPack – BDD management pack files.
  • \Samples – sample task sequence scripts.
  • \Scripts – scripts used by the BDD Workbench.
  • \Templates – master template files used for defaults in unattended Windows installations.
  • \Temporary – temporary storage space.

Other tools (e.g. the WAIK and ACT) add their own folders to the BDD file structure.

The installation also creates a \Distribution folder on the drive with the largest amount of free space (or at a custom location supplied during installation). This contains the following subfolders which, except for \Scripts and \Tools, are empty at installation time:

  • \$OEM$ – files and folders to be copied to the destination computer during Windows Vista setup.
  • \Applications – any application files that are installed as part of deployment.
  • \Captures – images captured using ImageX.
  • \Control – storage of files used by the BDD execution engine.
  • \Operating Systems – any operating system files that are installed as part of deployment.
  • \Out-of-Box Drivers – driver files not delivered by default with Windows Vista.
  • \Packages – Windows Vista-compatible packages for installation with the operating system (security updates, language packs, service packs, etc.) in cabinet file (.CAB) or Windows Update (.MSU) format.
  • \Scripts – scripts used by the Lite Touch deployment engine.
  • \Tools – tools used by the deployment engine and the location of USMT source files.

Configuring BDD to deploy an operating system and applications consists of:

  1. Install BDD.
  2. Update/install additional components (e.g. WAIK, USMT) from within the BDD Workbench.
  3. Add one or more operating systems to the distribution share from within the BDD Workbench.  This could be a full set of source files, a custom image (.WIM) file (i.e. an image captured from a reference computer) or an image from a Windows Deployment Services server.  This operation can either copy the installation or move it from another location.
  4. Add any applications to the master image from within the BDD Workbench – applications can be moved/copied to the distribution share or existing locations may be referenced via a UNC path.  Specify any application settings (e.g. command line switches for a silent installation, or a working directory).
  5. Add any additional device drivers that are required within the master image, using the BDD Workbench. The BDD tools will scan all subfolders in the specified directory for .INF files.
  6. Add any additional packages, such as operating system updates and language packs, using the BDD Workbench.

Once the master image is established, it’s necessary to define one or more builds.  Each build has an identifier (which must not contain spaces) as well as a name and a number of associated comments.  The build defines an operating system, along with key details such as product keys and the Administrator password and, once created, the build properties can be amended to customise settings, optionally launching the Windows System Image Manager to edit the unattend.xml file that controls the Vista installation.

Finally, the deployment point must be configured:

  • Builds may be deployed using the local BDD distribution point (shared as \\%computername%\Distribution$), a separate share on the local or a remote computer, as a .ISO image for use on removable media (DVD, USB flash drive, etc.), or via SMS 2003/SCCM 2007 (which facilitates ZTI installations).  Note that SMS 2003 requires the SMS 2003 Operating System Deployment (OSD) Feature Pack whereas SCCM has OSD functionality built into the product.
  • Various options exist to control the user experience during deployment (e.g. the selection of other applications during installation).
  • It may be necessary to create/update the Windows pre-installation environment (WinPE) images that are used to connect to a deployment point.  The resulting .WIM files (found on the distribution point in a \Boot folder) can be added to a Windows Deployment Services (WDS) server as a bootable PXE image for bare-metal deployment whereas the .ISO file equivalents can be mounted in a virtual machine or booted from removable media.  During the creation of these images, tasks are logged in %temp%\DeployUpdates_x86.log.  Generic images are generic_x86.wim and generic_x86.iso.

At this stage, BDD is ready to deploy builds to workstations; however there are some additional capabilities:

  • It is possible to define a SQL Server database to store details of deployed computers.
  • Images may be captured using BDD deployment points such that there is no requirement to separately run SysPrep or ImageX.  The Windows Deployment Wizard (invoked from the Windows PE images created earlier) automatically runs both of these utilities in order to prepare and capture an image.

Mounting virtual hard disks in Windows Vista

Microsoft’s Virtual PC Guy (Ben Armstrong) wrote a blog post last year about using the VHDMount utility from Virtual Server 2005 R2 SP1 with a few registry edits to enable right-click mounting/dismounting of virtual hard disk (.VHD) files.

As .VHD files become ever more prevalent, this is a really useful capability (for example, Windows Vista’s Complete PC Backup functionality writes to a .VHD file).

The trouble is that, as supplied, Ben’s script does not work on Windows Vista as attempting to run vhdmount.exe will return:

Access Denied. Administrator permissions are needed to use the selected options. Use an elevated command prompt to complete these tasks.

An elevated command prompt is fine for entering commands directly (or by running a script) but what about Ben’s example of providing shell-integration to mount .VHDs from Explorer? Thankfully, as Steve Sinchak noted in TweakVista, Michael Murgolo wrote an article about elevating commands within scripts using a free PowerToy called elevate which is available from the Microsoft website. After downloading and extracting the elevate PowerToy scripts, I was able to confirm that they would let me run vhdmount.exe using the command elevate vhdmount.exe

Following that, I edited Ben Armstrong’s registry file to read:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Virtual.Machine.HD]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Virtual.Machine.HD\shell]
@="Mount"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Virtual.Machine.HD\shell\Dismount]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Virtual.Machine.HD\shell\Dismount\command]
@="\"C:\\Program Files\\Script Elevation PowerToys\\elevate\" \"C:\\Program Files\\Microsoft Virtual Server\\Vhdmount\\vhdmount.exe\" /u /d \"%1\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Virtual.Machine.HD\shell\Mount]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Virtual.Machine.HD\shell\Mount\command]
@="\"C:\\Program Files\\Script Elevation PowerToys\\elevate\" \"C:\\Program Files\\Microsoft Virtual Server\\Vhdmount\\vhdmount.exe\" /p \"%1\""

[HKEY_CLASSES_ROOT\.vhd]
@="Virtual.Machine.HD"

Note the /d switch in the dismount command. I had to use this (or /c) to allow the disk to be unmounted and avoid the following message:

The specified Virtual Hard Disk (VHD) is plugged in using the default Undo Disk option. Use /c to commit or /d to discard the changes to the mounted disk.

I chose the discard option as most of my .VHD mounting is simply to extract files but others may prefer to commit.

A few more points to note about VHDMount:

How Windows PowerShell exposes passwords in clear text

I’m attending a two-day Windows PowerShell course, delivered by my colleague Dave – who I know reads this blog and should really think about starting his own…

I’ve written before about Windows PowerShell (twice) and I think it’s a great product, but it is a version 1.0 product and as such it has some faults. One (which I was horrified to discover today) is that this product, which is intended to be secure by default (for a number of good reasons) has the ability to store user credentials in clear text!

All it takes is two lines of PowerShell script:

$cred=get-credential username

(the user will then be prompted for their password using a standard Windows authentication dialog)

$cred.getnetworkcredential()

(the username, password and domain will be displayed in clear text)

Some people ask what’s wrong with this? After all there are legitimate reasons for needing to use credentials in this manner. That may be so but one of the fundamental principles of Windows security is that passwords are never stored in clear-text – only as a hashed value – clearly this breaks that model. Those who think there is nothing wrong with this argue that the credentials are then only used by the user that entered them in the first place. Even so, I’m sure this method could easily be used as part of a phishing attempt using a fake (or altered) script (digitally signing scripts may be the default configuration but many organisations will disable this, just as they do with signed device drivers and many other security features).

After searching Microsoft Connect and being surprised that I couldn’t find any previous feedback on this I’ve raised the issue as a bug but expect to see it closed as “Resolved – by design” within a few days. If it really is by design, then I don’t feel that it’s a particularly smart design decision – especially as security is touted as one of the key reasons to move from VBScript to PowerShell.
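
The behaviour described in this post, together with a review check for scripts that rely on it, as an added example (not code from the original post). The helper name Find-ClearTextCredentialUse, the account, the password and the sample script are constructed for illustration, and the parser classes assume PowerShell 3.0 or later.

```powershell
# Added example. Find-ClearTextCredentialUse is a hypothetical helper name;
# the account, password and sample script below are constructed values.
# Assumes PowerShell 3.0+ (System.Management.Automation.Language parser).

# 1. The behaviour from the post, built without the interactive prompt.
$secure = ConvertTo-SecureString 'Constructed-Passw0rd!' -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential('EXAMPLE\alice', $secure)

# The credential object holds the password as a SecureString...
$cred.Password.GetType().FullName

# ...but any code running in the same session can ask for the plain text.
$net = $cred.GetNetworkCredential()
'Recovered {0}\{1}, clear-text length {2}' -f $net.Domain, $net.UserName, $net.Password.Length

# 2. Review check: list every GetNetworkCredential() call in a script.
#    Walking the parsed AST means comments and string literals that merely
#    mention the method name are not reported, unlike a plain text search.
function Find-ClearTextCredentialUse {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$ScriptText
    )

    $tokens = $null
    $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput($ScriptText, [ref]$tokens, [ref]$errors)

    $hits = $ast.FindAll({
        param($node)
        $node -is [System.Management.Automation.Language.InvokeMemberExpressionAst] -and
        $node.Member -is [System.Management.Automation.Language.StringConstantExpressionAst] -and
        $node.Member.Value -eq 'GetNetworkCredential'   # -eq ignores case
    }, $true)

    foreach ($hit in $hits) {
        [pscustomobject]@{
            Line = $hit.Extent.StartLineNumber
            Code = $hit.Extent.Text
        }
    }
}

# Constructed sample script: two real calls, one comment, one string.
$sample = @'
$cred = Get-Credential username
# GetNetworkCredential() is only mentioned in this comment
$cred.getnetworkcredential()
Write-Host "GetNetworkCredential appears in this string"
$plain = $cred.GetNetworkCredential().Password
'@

Find-ClearTextCredentialUse -ScriptText $sample | Format-Table -AutoSize

# 3. The post notes that script signing is often switched off; this lists
#    the execution policy configured at each scope on the local machine.
Get-ExecutionPolicy -List
```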

Tab completion in Windows

Many people will be familiar with the command line tab completion functionality that can be used to complete folder and filenames in recent versions of Windows, but what I wasn’t aware of (until I just used it, following some instructions from Microsoft in a hands-on lab training manual) was that wildcards like *.reg <tab> can be used to tab-complete filenames. This technique can even be used as arguments to a longer command, e.g. notepad *.reg <tab>.

Dustin L makes a good point in his comment on the Lifehacker article that discusses command line tab completion – Unix admins will already be familiar with the concept but there are a couple of differences between the Windows and Unix/Linux CLI tab completion implementations:

  • “In the Windows command line, if there is more than one match for what you’ve typed, successive presses will cycle through all of the matches rather than just display a list of the matches.
  • Windows will not complete commands, only files and directories.”

Virtualised demonstrations eating all your memory? Try a ReadyBoost USB key

Even though Windows Vista will run on lower-specification PCs (it’s fine on my ThinkPad T40 with 512MB RAM), once you add a few applications (like Office 2007), it really starts to bog down and I was struggling recently with 1GB RAM on my work notebook (it’s been fine since I added another gig). If you also run virtual machines (e.g. for product testing or demonstrations), then it’s not long before the requirements for physical RAM run up against the limits of a 32-bit address space.

Last week, my colleague Alistair (soon to be an ex-colleague as he’s off to Conchango – where I used to work, proving that the UK IT industry is a very small world!) was raving about the Corsair Flash Voyager USB drives. Not only are they shock and water-resistant, but the GT model is ReadyBoost compatible, meaning that if you need a bit of extra RAM in your PC you can plug in your USB key. USB will be slower than on-board memory, and other ReadyBoost compatible drives are available, but the Flash Voyager GT is heralded as one of the fastest such devices available today. Even better, the ReadyBoost memory is a separate address space, so you can exceed the 4GB limit for a 32-bit architecture.

There’s a useful ReadyBoost FAQ at Tom Archer’s blog.

Windows 7

With the Windows Vista launch now history and the Windows Server 2008 launch date set for 27 February 2008 (expect to see the first service pack for Vista, codenamed Fiji, around about the same time), speculation has started about the next version of Windows codenamed Windows 7, formerly codenamed both Blackcomb and Vienna.

Of course, at this stage, Microsoft is keeping quiet about what’s in, and what’s out of Windows 7 (very wise) but a good place to watch is Paul Thurrott’s Windows 7 FAQ.