Windows fast user switching + Zone Alarm = bad IT day

This content is 18 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

My poor colleagues had to put up with a lot of complaining yesterday. I was having a bad IT day (when nothing seems to go well). And it seems to be continuing today.

I recently rebuilt my company notebook PC to run Windows Vista and Office 2007. That’s going well but then there’s all the stuff that goes on top (anti-virus software, corporate VPN client, etc.). My colleague and trusted advisor, Garry, helped me to get all that in place, an administrator added my machine to the corporate domain and before I left last night I logged on so that I had a profile for my domain account with cached user credentials (for working at home today).

It should have been fine but I didn’t log out from my original account because I was in the middle of something – I used the fast user switching feature instead and then waited… and waited… and waited… as Windows tried to set up my profile.

In the end I gave up and logged out, only to find a load of Zone Alarm messages popped up under the original account.

“Blah blah blah is trying to do something… do you want to allow this?” I don’t know – probably! Just let me get on with logging in.

Today it’s more of the same, as switching back to my old (non-domain) profile to run Windows Easy Transfer resulted in the same problem.

I think Garry was quite disturbed to see how I (and another colleague) quickly tired of reading these incessant firewall popups and just clicked the “allow” button (and the “don’t bug me again” checkbox) every time – which proves a point I made about firewall messages almost two years ago. And anyway, what’s wrong with the Windows Firewall? If I didn’t have to use Zone Alarm to meet VPN access policies then I wouldn’t. Grrr.

The good news is that Windows Easy Transfer was really useful for migrating my application settings from my old profile to the new domain profile (I didn’t use it for the files as it’s easier to just drag and drop them in Explorer).

Windows Vista volume activation failure

When I upgraded my Vista installation from a (not-yet activated) copy of Windows Vista Business Edition to Windows Vista Enterprise Edition, the activation counter was reset to 30 days; however, since then it’s been bugging me with the following message:

Volume activation has failed.

Your computer could not be activated.

Error: 0x8007232B
Description: DNS name does not exist

Cryptic though the message is, it’s really quite simple – this is a volume licensed (Enterprise) copy of Windows Vista so it is looking for a key management server (KMS) to activate itself. I’m at home today, so it can’t find one but in any case, as I had not provided a product key during installation, Vista could not activate. Once I provided the appropriate multiple activation key (MAK), Vista was able to activate via the Microsoft servers.

It was interesting to see the changes in the system properties as activation took place. First the remaining time to activate dropped from 24 days (30 days minus the 6 since I upgraded the PC) to 5 days when the MAK was accepted. Then, once activation had completed successfully, Windows acknowledged that it was activated and genuine.

There’s more information about this error in Microsoft knowledge base article 938107 and Christian Mohn has blogged about a similar experience he had with Windows Vista Business Edition requiring the product key to be re-entered.

Confirmation that it is possible to upgrade from a retail edition to a volume license edition of Windows Vista

Just before I went on holiday, I rebuilt my company-supplied notebook PC to run Windows Vista (running Linux doesn’t look too good when you work in the Microsoft Practice of a major IT company). At the time, I didn’t have any volume license media and whilst I knew that all of the retail editions were contained in a single image on the retail DVD, that doesn’t include Windows Vista Enterprise Edition. Nevertheless, I installed Windows Vista Business Edition, choosing not to supply a product key (Vista allows 30 days before activation is required). Since then, a colleague has sent me the correct media and license keys, so tonight I was ready to rebuild on Windows Vista Enterprise Edition.

I say rebuild because I didn’t expect an in-place upgrade to work but it did – “upgrading” my Windows Vista installation to a new edition was as simple as dropping in the CD and running the installer. It seemed to take a lot longer than a fresh install (understandably) but I still have my user accounts, profile and data from prior to the upgrade. So, just to confirm, it is possible to upgrade from a retail to a volume license (enterprise) edition of Windows Vista.

Problems copying files from a backup… restored by thinking laterally

I don’t generally talk about my work (at least not directly) on this blog but, a couple of weeks back, I moved into a new role, which is going to involve working very closely with a certain software company from Redmond (and no, it won’t have any effect on the editorial content here – nothing on this site should be interpreted as representing the views of my employer or their partners). Clearly running Red Hat Enterprise Linux on my laptop wasn’t politically correct (I might have got away with Novell Enterprise Linux) so I needed to rebuild on Windows Vista.

As many of my corporate applications still require Windows XP and IE 6, I run a domain-joined (Windows XP) virtual machine to access them. I had been using VMware Server as the host but as VMware recently sent me a license for VMware Workstation 6.0 (as a VCP benefit) I decided to use that instead following the Vista rebuild. I backed up the virtual machine files to an external disk, rebuilt on Windows (including reformatting the internal disk) got 94% of the way through the restoration of the VM and then I was presented with this message:

Error 0x80070079: The semaphore period has expired.

Not good. I was in the middle of a restore – those files were my backup and the three problem files represented 30% of the virtual disk that makes up my D: drive (i.e. my data).

I’d written the files without errors but clearly something was wrong when reading them. I thought of buying a copy of SpinRite to check that the disk was fine but, before parting with any cash, I tried reading them on another machine and thankfully they restored without any difficulty. I don’t know if the issue was with my Vista machine’s USB device drivers (the successful restore was on my wife’s Windows XP machine), a timing issue (my wife’s machine is older and the external disk was USB 1.1) or something else (like that this is a 60GB FAT32 volume and Windows has a limit of 32GB for FAT32 volume creation – as the virtual machine files totalled 36.5GB in size, maybe the three 1.99GB files that Vista couldn’t read were physically located across and after the 32GB point on the disk) but my experience goes to show that it’s worth trying another machine before giving up totally on the data.

Improvements to the Windows firewall in Vista

I recently attended a Windows Vista security session at Microsoft, presented by Steve Lamb. Windows Vista security is too broad to cover in a single presentation (or even in a single blog post!) but some of the key points that Steve concentrated on were around the Windows firewall and IPsec. This post picks up on the main points from Steve’s presentation.

The Windows XP firewall was criticised by some because it only inspected inbound traffic. Microsoft responded to customer demands and, in Windows Vista, the firewall also inspects outbound traffic; however it should be noted that a compromised machine can have its firewall disabled, so the presence of the firewall is not a reason to feel complacent; indeed Steve Lamb used the term security theatre (http://en.wikipedia.org/wiki/Security_theatre) to highlight security products that promise much and offer little.

Consider the following process:

[Figure: The fundamental issue with client firewalls]

I wrote about this problem a while back, but in short, outbound control can only be relied upon where the computer is not compromised and the user cares about security – i.e. not on those machines where it is needed (compromised computers where the users don’t care about security)! It can be useful for restricting known software from communicating; however in such cases, prompting should be disabled.

Trying to find a balance between ease of use/flexibility and security, the default actions for the Windows firewall are:

  • Inbound – block most traffic, with a few exceptions.
  • Outbound – allow all interactive traffic but restrict services.

Allow/block rules can be configured for programs, services, users, computers, protocols or ports.

The Windows Vista firewall feature list is extended in other ways too:

| Feature | Windows XP SP2 | Windows Vista |
|---|---|---|
| Direction | Inbound | Inbound and outbound |
| Default action | Block | Configurable for direction |
| Packet types | TCP, UDP, some ICMP | All |
| Rule types | Application, global ports, ICMP types | Multiple conditions (programs, services, users, computers, protocols or ports) |
| Rule actions | Block | Block, allow, bypass; with rule merge logic |
| UI and tools | Control Panel, netsh | Control Panel, netsh, MMC |
| APIs | Public COM, private C | More COM to expose rules, more C to expose features |
| Remote management | None | Hardened RPC interface |
| Group policy | Administrative template | MMC, netsh |
| Terminology | Exceptions; profiles | Rules; categories |

The Windows filtering platform (WFP) is a series of APIs, designed to allow developers to hook into the network stack without requiring kernel changes. WFP provides authenticated communication and dynamic firewall configuration, acts as the foundation for the Windows firewall and IPsec, and works with encrypted traffic; because it is fully documented, there is little risk that a service pack release will break third-party applications. Architecturally, this also provides improvements with synchronous API calls, exposure of the user context for auditing policy changes, access control lists on API calls (no longer using registry ACLs and escalation of privilege) and incremental policy updates.

Firewall configuration is still available from the Control Panel (with a few minor presentation differences); however a new Windows Firewall with Advanced Security MMC snap-in is provided which can also be used to assign settings to remote computers and to apply IPsec configuration. The new MMC snap-in is complemented with a new netsh advfirewall command line interface.

When merging and evaluating rules, the following order is applied, from highest priority to lowest:

  • Service restrictions (restricting connections that can be established by services – operating system services are configured appropriately by default).
  • Connection rules (restricting connections from particular computers using IPsec for authentication and authorisation).
  • Authenticated bypass (allowing specified computers to bypass other rules).
  • Block rules (explicitly blocking incoming or outgoing traffic).
  • Allow rules (explicitly allowing incoming or outgoing traffic).
  • Default rules (the default behaviour for a connection).

It should be noted that these rules are stored in the registry; however editing them directly is unsupported.

Firewall exceptions are also more flexible, including the ability to filter based on:

  • Active Directory user accounts and groups.
  • Source/destination IP addresses/range.
  • Source/destination TCP/UDP ports.
  • Comma-delimited list of ports.
  • IP protocol number.
  • Interface type.
  • ICMP type and code.
  • Services.

Support is also provided for multiple network profiles:

  • Domain – domain joined and connected to the domain (i.e. able to authenticate).
  • Private – connected to a defined private network (home or work).
  • Public – all other networks.
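The default actions, profile scoping and block-over-allow ordering described above, expressed as netsh advfirewall commands for an elevated cmd.exe session. This is an added example, not taken from Steve Lamb's presentation or from Microsoft documentation; the program path and rule names are hypothetical.

```bat
@echo off
rem Added example. Run from an elevated cmd.exe on Windows Vista or later.
rem The program path and the rule names are hypothetical placeholders.
setlocal
set "APP=%ProgramFiles%\ExampleApp\updater.exe"

rem 1. Turn the firewall on in all three profiles (domain, private, public)
rem    and restate the defaults: block unsolicited inbound, allow outbound.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

rem 2. Disable the notification shown when a program is blocked from
rem    listening for inbound connections, so that nobody is trained to
rem    click "allow". Windows Firewall never prompts for outbound traffic.
netsh advfirewall set allprofiles settings inboundusernotification disable

rem 3. Allow rule: the known program may reach TCP port 443 in any profile.
netsh advfirewall firewall add rule name="ExampleApp updater allow HTTPS" ^
    dir=out action=allow program="%APP%" protocol=TCP remoteport=443 profile=any

rem 4. Block rule scoped to the public profile only. Block rules are
rem    evaluated before allow rules, so on a public network this rule wins
rem    even though the allow rule in step 3 also matches.
netsh advfirewall firewall add rule name="ExampleApp updater block on public" ^
    dir=out action=block program="%APP%" profile=public

rem 5. Log dropped connections so that the effect of the block rule can be
rem    confirmed from the firewall log instead of from a popup.
netsh advfirewall set allprofiles logging droppedconnections enable

rem 6. Review the resulting profile settings and the new rules.
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name="ExampleApp updater allow HTTPS" verbose
netsh advfirewall firewall show rule name="ExampleApp updater block on public" verbose

rem To remove the example rules afterwards:
rem   netsh advfirewall firewall delete rule name="ExampleApp updater allow HTTPS"
rem   netsh advfirewall firewall delete rule name="ExampleApp updater block on public"
endlocal
```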

Network location awareness (NLA) detects networking changes and assigns each connection a GUID, whereby the network profile service (NPS) creates a profile upon connection and notifies the firewall whenever NLA detects a change. Local administrator privileges are required in order to define that a network is private and the computer defines the category when multiple interfaces are in use based on the logic in the accompanying diagram.

[Figure: Determining network state with multiple interfaces]

Windows Firewall group policy processing is also enhanced. Previously, computer policies were applied on operating system boot and user policies at logon, with a periodic refresh. Windows Vista extends this to apply computer and user policies when establishing a VPN connection or when resuming from hibernation/standby. Of course, firewall policies are set at the computer level, although they can be further restricted with per-user settings as previously described.

Windows Vista enhanced IPsec capabilities are integrated with the Windows Firewall, eliminating confusion with overlapping rules and allowing firewall rules to be IPsec-aware. IPsec configuration has been simplified in Windows Vista but it is still a complex subject, worthy of a separate post; however there are a couple of points worth noting:

  • Authenticated headers (AH) traffic is not compatible with network address translation (NAT) as it cannot be routed – an alternative is to use encapsulated payload (ESP) with 0-bit encryption to effectively provide the same function.
  • Shared secrets are stored as plain text in the registry so should not be used in production scenarios – certificates or Kerberos should be used instead for authentication.

In summary, Microsoft has made significant improvements to the Windows Firewall in Vista and anyone who is not using a third party product (and I would question the need for the use of third party firewalls in Vista) should turn it on right away, otherwise they are asking for trouble.

Group policy in Windows Vista

Windows Vista makes a number of changes to the implementation and management of group policy objects (GPOs) and, as group policy is something that I haven’t worked with for a while, I figured it was time to take another look. A week or so back, I spent the morning at Microsoft, where Steve Lamb presented a session on using Group Policy in Windows Vista to control user behaviour and network security.

Policy has existed in various versions of Windows for a long time but group policy was introduced in Windows 2000 (enforced by Active Directory) and many group policy settings are also available as local computer policies (used when a machine is not authenticated by an Active Directory domain controller). Each new version of Windows brings more control over what can be controlled using policies and Windows Vista is no exception, with a significant increase in the available options (Microsoft quotes various figures but they all indicate at least 2000 new settings). The new areas covered include removable device management, power management and user access control. There are also new management tools: the group policy management console (GPMC) is now included with Windows (previously, it was a separate download) and the group policy editor (gpedit.exe) now supports filtering of administrative template policy settings via a context-sensitive option on the view menu to show, for example, only those settings that apply to at least Windows XP Professional with SP2.

Windows Vista also makes improvements to policy control around network awareness, detecting changes in network conditions (e.g. connecting to a new network) and enforcing new policy settings accordingly. There are also improvements to the application of policy (with fewer requirements for synchronous application of policy).

It’s important to note the difference between a policy – stored in a subfolder (machine or user) on the domain controller under %systemroot%\sysvol\sysvol\domainname\policies\guid\ – and policy definition files – stored at the same location but simply defining the available settings.

Although Windows Vista will still act on legacy (.adm) policy definition files, policy definitions created under Windows Vista use a new XML-based file format with an .admx extension. Furthermore, Windows Vista group policy uses separate .adml files to provide the language-specific textual components of each policy.

When editing policy on a Windows Vista computer, the policy definition files are stored at %systemroot%\policydefinitions\ with one .admx file for each area of control and associated .adml files in each language subfolder (e.g. en-us).

These can be copied to the central store (really just a grand name for the policies folder that is replicated as part of sysvol) in order to make them available for administration from multiple locations. Central store copies of policy definitions will then take precedence over local copies (but legacy clients will be unaffected by the new settings).

Although legacy clients will simply ignore policy settings that they do not understand, Microsoft recommends that once Windows Vista policies are implemented, then no further policy edits should be made from pre-Vista computers. The reasoning for this is that even opening the policy definition on a pre-Vista computer will cause the legacy .adm files to be created on the sysvol and this leads to a phenomenon known as sysvol bloat. By using only Windows Vista clients for group policy management, this bloat can be avoided. It’s also worth noting that GPO reporting should be performed within the Windows Vista version of the GPMC (rather than using the resultant set of policy MMC snap-in) and that new policy backups should be taken using the Windows Vista GPMC to avoid issues when restoring policy backups taken from GPMC running on Windows XP/Server 2003. Further details for managing group policy administrative template (.adm) files can be found in Microsoft knowledgebase article 816662.

For bringing forward settings from legacy (.adm) policy templates, Microsoft has licensed the ADMX Migrator utility (from Full Armor).

Another new feature with Windows Vista group policy is the ability to define multiple local policies (administrator, non-administrator and per-user) and even to disable local policy altogether on domain-joined computers. Whilst the local computer policy remains (and is created by default), further local policies may be created using the group policy editor. This is useful for computers over which some control is required but which fall outside the scope of management for Active Directory (e.g. kiosks or computers deployed in a DMZ).

Troubleshooting group policy is aided with Windows Vista’s improved event logging (with more useful events and links to support information on the Internet) as well as the ability to view events in friendly (human-readable) format or XML (for analysis/processing). The new event viewer also supports the ability to create subscriptions. Actions can also be associated with events (e.g. send an e-mail, or execute a script).

Filters can be used to view just group policy events and by drilling down into the appropriate logfile, an activity ID can be extracted from a failure event to further filter events, or to view with the group policy log view (gplogview.exe) – another free download from Microsoft. This allows for step-by-step group policy processing to identify the failure point and any error codes, after which changes can be made and gpupdate.exe used to apply the new settings for re-analysis.

For enterprise customers, Microsoft has a new tool for advanced group policy management – GPOVault is part of the desktop optimisation pack for software assurance (DOPSA), gained as part of Microsoft’s acquisition of DesktopStandard.

Working around UAC

There’s been a lot written about Windows Vista’s user account control (UAC) and personally I can’t see what the criticism is about (Mac OS X and Linux both have similar mechanisms, although the implementation is slightly different); however it was interesting to hear Steve Lamb mention at a recent event that commands launched from a command shell (cmd.exe) running as administrator will not invoke UAC.

Of course it goes without saying that, just as when running a root shell in Linux, the use of such sessions should be limited and I’ve written previously about how the shortcut to run cmd.exe as an administrator can be modified to make it very obvious that elevated permissions are in use.

Steve also pointed out that, if developers wrote less code that requires privileged execution, then UAC would not appear so frequently. Although UAC behaviour can be modified in group policy, it is not recommended.

Windows Vista and ATI display drivers

My IBM T40 is not an old PC. Well, it may be three years old but it’s still a perfectly capable machine. One of its great features is the S-Video display output – perfect for watching films from the computer on a TV – at least it would be if I could get it to work under Windows Vista.

The trouble is that the T40 has an ATI Mobility Radeon 7500 graphics chipset. The Windows Vista setup routine had installed the standard VGA graphics adapter driver (v6.0.6000.16386) but there is no supported Windows Vista driver for this chipset. I could rant on about how this lack of device support is a terrible way for ATI to treat customers and how it’s not as if I have any option to upgrade the graphics in a notebook PC but that won’t get me anywhere (and my blood pressure is already high enough). Nor will it sell me another PC, which is what hardware manufacturers really want, rather than developing modern drivers for old products. Instead, I spent far too much time today trying to get it working:

  • I found a forum post that suggested the Windows XP drivers would work (at least on pre-release versions of Vista) so I downloaded the latest available drivers from the IBM website, extracted them to a folder on my hard disk and let Windows Vista look there for updated drivers. After a successful installation (v6.14.10.6547) Windows reported the correct adapter type and provided support for multiple displays. So I was half way to my goal but without ATI-specific device options to enable advanced features (like the S-Video connection).
  • Next, I tried running the full installer for the XP drivers and all the associated bloat but all I got was a blue screen of death (ati3duag.dll PAGE_FAULT_IN_NON_PAGED_AREA)… not a good result.
  • So I downloaded and installed the latest version (v7.5) of the ATI Catalyst Control Center (CCC) – except that it ignored my graphics adapter completely and just gave me some Catalyst Install Manager (CIM) links for updating/uninstalling CCC. At one stage, I was even dumped back to 4-bit 640×480 graphics and had to roll back my driver to the standard VGA before reinstalling the XP driver that had previously been working in Vista.
  • I tried running individual installers from within the extracted CCC package (e.g. ccc-graphics-full-existing.msi) and something happened to make a desktop right-click option for ATI CATALYST(R) Control Center appear (I hate excessive capitalisation in menu items!) but CCC still doesn’t load, so I guess it doesn’t like the XP display driver.
  • After reading Koroush Ghazi’s ATI Catalyst Tweak Guide, I tried Ray Adams’ ATI Tray Tools but these just produced memory errors on Vista, even when run as Administrator.
  • Finally, I went back to my extracted driver package and ran the ATI Control Panel (v8.133.2.1.1-061116a0949984C) setup (from the CPANEL folder, rather than the top level CIM installer). Even though Vista informed me that “this program has known compatibility issues” and that “ATI Control Panel is incompatible with this version of Windows”, it gave me access to all the advanced display settings but I couldn’t get it to recognise that the TV was connected.

[Figure: ATI Control Panel]

Now it’s the end of the day and I’m giving up. I guess I’ll have to go back to XP to use my TV-out (or watch videos on the laptop display). Grrr.

Creating a Media Center Mac

It’s not often that I come away from a Microsoft event as excited as I was after the recent Vista after hours session.

You see, we have a problem at home… our DVD player has stopped recognising discs. That shouldn’t really be a problem (DVD players are cheap enough to replace) but it’s a CD/DVD player, tuner and surround-sound amplifier and I don’t really want to have to replace the entire system because of one broken DVD drive. So I took it apart (thinking that Sony might use the same drives in their consumer electronic devices as in normal PCs), only to find that the externally slim slot-loading drive is actually a huge beast with cogs and is nothing like anything I’ve ever seen before.

Faced with the prospect of a hefty repair bill, I began to think that this (combined with the fact that we never know what is on our video tapes) could be the excuse I need to install a media PC in the living room. Well, possibly, but there are some hurdles to overcome first.

I’ve been toying with a media PC for a while now but, however hard manufacturers try, pretty much none of them is likely to pass the wife approval factor (WAF) – not even the lovely machines produced by a French system builder called Invasion.

It’s not that my wife is demanding – far from it in fact – but she wasn’t too keen on my “black loud cr@p” (my semi-decent hi-fi separates) when we first moved in together and the shiny silver box (the one that’s now broken) was the replacement… I just can’t see anything that isn’t similarly small and shiny being tolerated anywhere other than my den.

I even saw an article in the July 2006 edition of Personal Computer World magazine, which showed how to build a living room PC using old hi-fi separates for the case; however you need a pretty large case for anything that’s going to make use of full-size PC components. Then there’s the issue of the system software… I tried Media Portal a while back but found it a bit buggy; Myth TV is supposed to be pretty good but I believe it can also be difficult to set up properly; the Apple TV sounded good at first – except that it doesn’t have PVR capabilities and relies on many hacks to get it working the way I would like it and (crucially) lists a TV with HDMI or component video inputs as one of its prerequisites – I was beginning to think that the best answer for me may be a Mac Mini with a TV adapter hooked up to my aging, but rather good, Sony Trinitron TV.

Then, at the Vista After Hours event, I saw the latest version of Windows Media Center – Mac OS X includes Front Row but Media Center has some killer features… and I have two spare copies of Windows Vista Ultimate Edition (thank you Microsoft)! Why not install Vista on a Mac Mini, then plug in a USB TV tuner (maybe more than one) and use this as a DVD player, PVR and all round home entertainment system?

I’ve written previously about installing Windows Vista on my Mac but I never activated that installation and I later removed Boot Camp altogether as I found that I never actually bothered to boot into Windows. The latest Boot Camp beta (v1.2) includes Windows Vista support (including drivers for the remote control) so I thought I’d give it a try on my existing Mac Mini before (potentially) splashing out on another one for the living room.

After downloading and installing Boot Camp and running the Boot Camp Assistant to create a Windows driver CD, I moved on to partitioning the disk, only to be presented with the following error:

The disk cannot be partitioned because some files cannot be moved.  Backup the disk and use Disk Utility to format as a single Mac OS Extended (Journaled) volume.  Restore your information to the disk and try using Boot Camp Assistant again.

Backing up and restoring my system… sounds a bit risky to me.

Then I found Garrett Murray’s post about how the problem is really caused by files over 4GB in size. That may have worked in Garrett’s case (FAT32 disks will not support files over 4GB) but despite using WhatSize to track down a DVD image that was taking a chunk of space on my disk, I couldn’t get past the message (even after various reboots, starting the system in single user mode to run AppleJack and even starting the system without any login items). In the end, I gave in and accepted that my system disk required defragmenting, setting about the lengthy process of backing up with Carbon Copy Cloner, booting from the backup disk, erasing the system disk and restoring my data. Thankfully this worked and left me with a defragmented system disk, which Boot Camp Assistant was able to divide into two partitions.

After catching some sleep, I set about the installation of Windows Vista. I had a few issues with Boot Camp Assistant failing to recognise my DVD (either the one I created with the RTM files from Microsoft Connect, or a genuine DVD from Microsoft) – this was the message:

The installer CD could not be found.  Insert your Windows CD and wait a few seconds for the disk to be recognized.

It turns out that Boot Camp Assistant wasn’t happy with me running as a standard user – once I switched to an Administrator account everything kicked into life and I soon had Vista installed after a very straightforward installation. Furthermore, Apple has done a lot of work on Windows driver support and items that didn’t work with my previous attempt (like the Apple Remote) are now supported by Boot Camp 1.2 and Windows Vista. Sadly, my external iSight camera does not seem to be supported (only the internal variants). It also seems that my Windows Experience Index base score has improved to 3.3 (it was 3.0 when I installed Vista as an upgrade from Windows XP with Boot Camp v1.1.2).

After this, it wasn’t long before I had Media Center up and running, connected to the TV in my office – although that’s where the disappointment started. The Apple Remote does work but it’s so simple that menu controls (Media Center and DVD menus) necessitate resorting to keyboard/mouse control – basically all that it can do is adjust the volume, skip forward/backwards, play and pause. What I needed was a Windows Media Remote (and so what if it has 44 buttons instead of six? The Apple remote is far more elegant but six buttons clearly isn’t enough!):

[Images: Apple remote control; Windows Media Center remote control]

(It’s a pity that I didn’t see the pictures of the prototype Windows Vista Media Center remotes first, or else I would have tried to get one of the alternative remotes from Philips).

Also, after switching back to my monitor, the display had reverted to basic (2D) graphics and I needed to re-enable the Windows Aero theme. Clearly that’s a little cumbersome and would soon become a pain if I had to do it frequently; however in practice it’s likely that I’ll leave the computer connected to either the TV or the monitor – not both.

I also needed a TV receiver – I was able to pick up an inexpensive Freeview (DVB-T) USB adapter (£29.99 including postage) and a Windows Media Remote (£21.99). Although the Digital terrestrial TV signal in my house is weak, I was pretty sure that I’d be able to boost it, and anyway, having a portable Freeview device will always be handy. Windows Vista didn’t recognise the device natively but I downloaded the latest drivers and despite being unsigned, they installed without issue. Unfortunately, Windows Media Center still didn’t recognise my tuner but the problem turned out to be that I had plugged the device into the Apple keyboard (which I think is USB 1.1) and once I plugged it into one of the Mac’s own USB 2.0 ports then I was able to set up the TV functionality within Windows Media Center – no need to bother with the TV guide and tuning software supplied with the device (although it did take a while to download the TV program guide and to scan for channels).

My local TV transmitter is at Sandy Heath and, although I tried other transmitters too, using the supplied aerial I could only pick up channels in multiplex D. Even the cheap £9.99 Labgear aerial that sits on top of my TV could pick up those channels! Ideally, I’d use an externally-mounted roof aerial but that wasn’t an option and for £19.99 I picked up the highly-rated Telecam TCE2001 at and was able to pick up 53 channels in multiplexes 1, 2, B, C and D (and that was without using the signal booster). By boosting the signal the scan picked up 70 channels, although not all of them were strong enough to view.

As for the Windows Media Remote, I found that it didn’t work with the built-in IR receiver (it needed to use the supplied, but rather bulky Microsoft receiver); however this is not as bad as it sounds – the Microsoft receiver has a long USB cable, meaning that it can be placed next to the TV (the logical place to point the remote at), rather than wherever the computer is.

So, with working drivers and a functioning remote control, Windows Media Center was happy enough to let me watch and record TV using its built-in electronic programme guide…

The final piece of the puzzle was pre-recorded media in a variety of formats such as QuickTime movies and DivX. After transferring the files from an OS X hard drive to something that Windows could read, I decided to see what Windows Media Center could play. I’m still working out exactly which codecs I need – I tried various combinations of XviD/DivX/3ivX plus the AC3 filter and ffdshow – these seemed to enable most of my content; however I’m still experiencing difficulties with some movies that were originally encoded as AVI and then converted for QuickTime/iTunes on the Mac (using Apple QuickTime Pro) and also some unprotected AAC audio with JPEG stills in the video track – e.g. some of the podcasts that I listen to. Through all this codec troubleshooting, one tool that I found incredibly useful was GSpot.

[the original version of this post referred to a codec pack which I have been advised may contain illegal software. As it is not my intention to publicly condone the use of such software, and as I’m not convinced that it is required in order to make this solution work, I have removed it from this post and edited the corresponding comments.]

After going to all of this effort to get Media Center running on my Mac, was it worth it? Yes! The Windows Media Center (2007) interface is excellent, without a hint of the standard Windows interface (as is right for a consumer electronics device) and is simply (and intuitively) controlled using the remote control. It’s not perfect (very few interfaces are) but it is better than Front Row. If I do carry on using this to record TV though, I will need to provide more disk space. One feature that I particularly liked though, was how, even when working in other Windows applications, a discreet taskbar notification appeared, showing me that Media Center was recording something:

[Image: Windows Media Center recording notification]

So, having tested this Media Center Mac concept on the Mac Mini that I use for my daily computing, I need to decide whether to donate it for family use in the living room and buy myself something new (MacBook Pro or Mac Pro are just too pricey to justify… but should I get a MacBook or another Mac Mini?) or just to pick up a second-hand Mac Mini for the family. The trouble is that second-hand Mac Minis cost almost as much as new ones. Still, at least I’ve proved the concept… I’ll have to see if this technology bundle passes the WAF test first!

Windows Update error 80245003


One of my Windows Vista PCs has been refusing to download updates from Windows Update, reporting that:

Windows could not search for new updates
Error(s) found:
Code 80245003

A bit of googling turned up various forum threads/blog posts about this article but most of them recommend stopping the Windows Update service, renaming/removing the %systemroot%\SoftwareDistribution folder, restarting the Windows Update service and attempting an update. That seems to work but Jeroen Jansen’s post on the subject included a very useful comment with this little gem:

“Actually you don’t have to delete the entire SoftwareDistribution folder, just the folders inside it with update cache. This way you can keep the update history.”

I renamed each folder one at a time and it seems that it was WuRedir that was causing the error on my system (that is to say that after that folder was renamed, Windows Update ran successfully, even after restoring all of the other folders, therefore maintaining my history and other configuration).

I’m not sure if it was as a direct result, but I’m pretty sure Vista switched from using Windows Update to Microsoft Update at the same time.
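The folder-by-folder test described above, scripted in PowerShell as an added example (not code from the original post or from Microsoft). The function names and the `.bak` suffix are assumptions made for illustration; `wuauserv` is the Windows Update service, and the script needs an elevated prompt.

```powershell
# Added example: isolate which SoftwareDistribution subfolder breaks Windows Update
# by renaming one folder at a time, so update history in the other folders survives.
# Function names and the ".bak" suffix are illustrative choices (assumptions).
# Run from an elevated PowerShell prompt.

$SdRoot = Join-Path $env:SystemRoot 'SoftwareDistribution'

function Get-WuSubfolder {
    # List the candidate folders (skips ones already renamed by this script).
    Get-ChildItem -Path $SdRoot |
        Where-Object { $_.PSIsContainer -and $_.Name -notlike '*.bak' }
}

function Rename-WuSubfolder {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [switch]$Restore
    )
    $live   = Join-Path $SdRoot $Name
    $backup = "$live.bak"

    # The service holds files open under SoftwareDistribution, so stop it first.
    Stop-Service -Name wuauserv -Force
    try {
        if ($Restore) {
            if (-not (Test-Path $backup)) { throw "No backup found: $backup" }
            # The service may have recreated the folder; drop that copy before restoring.
            if (Test-Path $live) { Remove-Item $live -Recurse -Force }
            Rename-Item -Path $backup -NewName $Name
        }
        else {
            if (-not (Test-Path $live)) { throw "Folder not found: $live" }
            if (Test-Path $backup) { throw "Backup already exists: $backup" }
            Rename-Item -Path $live -NewName "$Name.bak"
        }
    }
    finally {
        # Always bring the service back, even if the rename failed.
        Start-Service -Name wuauserv
    }
}

# Typical session: rename one folder, retry Windows Update, restore it if the error persists.
# Get-WuSubfolder | Select-Object Name
# Rename-WuSubfolder -Name 'WuRedir'
# Rename-WuSubfolder -Name 'WuRedir' -Restore
```

Restoring a folder only after it has been ruled out keeps the renamed copy of the faulty one on disk until the machine has updated successfully.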