Windows Live OneCare Safety Scan

This content is 18 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

Based on the content I write, I imagine that most readers of this blog will be IT professionals. That generally means two things:

  • Your family don’t understand what you do (e.g. “Mark works in computers”).
  • Your family and friends think that because you “work in computers” that you can fix their PC.

I fell foul of this a couple of times over the last few days. The first time was no big deal – a few months back, I had given my parents an old laptop and now they are really getting into e-mail and the web; however it was booting very slowly because a well-intended friend of theirs had installed the popular (and free for non-commercial use) AVG Anti-Virus (along with a load of unnecessary applications) and it was performing a full scan on every boot (I had already installed Symantec AntiVirus which was working quite nicely in a far less obtrusive manner). Once I removed AVG, performance was back to normal… so much for well-intentioned friends.

The second instance was last night, when my brother said he’d applied some updates to his PC and now he couldn’t get into Excel. That was easy enough (Microsoft Office XP required the original media to complete installation of an update), but I decided to check out the general state of the PC and was a little alarmed. Because the PC is only connected to the Internet via a modem, downloading updates takes a long time – automatic updates will trickle feed and my brother had kept his anti-virus definitions up-to-date but it still needed a lot of attention. Microsoft Update told me that it would need most of the night to download its updates, so I took it home (disconnected everything else from my LAN as a precaution) and hooked it up to my ADSL line, before spending the next couple of hours downloading and applying 61 Microsoft updates (as well as updating AdAware SE Personal Edition, which was over 700 days out of date).

Having given the PC a clean bill of health with AdAware (luckily the dial-up connection had minimised the spyware threat and it just had 52 tracking cookies to remove), I decided to check out another tool that, ironically, an Apple support page had alerted me to the existence of – the Windows Live OneCare Safety Scan.

Other antivirus vendors have online scanners (e.g. McAfee, Symantec and Trend Micro) but the advantage of the Microsoft version is that the full scan checks for viruses, spyware, disk fragmentation, temporary files, redundant registry data, and open network ports – what would appear to be a fairly thorough health check, all through one ActiveX control.

Another feature is that you can run individual scans for protection, cleaning up or tuning the system (each effectively a component of the full scan described above). Finally, for Windows Vista users, the Windows Live OneCare site also provides a beta for a Vista-aware full service safety scan.

Some tips for grabbing screenshots

Coming from a Windows background, I’m used to grabbing a copy of the entire screen using the PrtSc key or the current window with Alt+PrtSc. When I first bought my Mac, I couldn’t work out how to do this without using the Grab application (which seems a little cumbersome for a simple screen shot) until Alex explained to me that, like so many things in OS X, there is some arcane keyboard shortcut that feels like it will induce a permanent strain on my fingers to do the job for me (I used to think the Ctrl-Alt-Del three finger salute was bad enough). I keep forgetting the keystrokes, so I’m blogging them here:

  • Command+Shift+3 – capture entire screen and save as a file
  • Command+Control+Shift+3 – capture entire screen and copy to the clipboard
  • Command+Shift+4 – capture dragged area and save as a file
  • Command+Control+Shift+4 – capture dragged area and copy to the clipboard
  • Command+Shift+4 then Space – capture a window, menu, desktop icon, or the menu bar and save as a file
  • Command+Control+Shift+4 then Space – capture a window, menu, desktop icon, or the menu bar and copy to the clipboard.

For more on this, see the O’Reilly description of OS X screenshot secrets, which also links to a really useful hack to take a screenshot from DVD Player in OS X – simply type screencapture -i ~/Desktop/dvd.png in a terminal window, then hit Space and click on the DVD Player window to avoid the annoying restriction illustrated in the error message below.

Error when attempting to screen grab from DVD Player

It’s time to practice safe computing – whatever the operating system

I recently switched my primary home computer to a Mac but I also use Windows and Linux. I don’t consider myself to be a member of the Mac community, or the Linux community, or the Windows community – because (based on many forum posts and blog comments that I read) all of these “communities” are full of people with bigoted views that generally boil down to “my OS is better than your OS” or “Duh… but why would you want to use that?”.

Based largely on Apple’s advertising though, one of the things that I did assume with Mac OS X was that I’d be secure by default. Nope. It turns out that’s not true as there is an obscure flaw in Mac OS X (surely not?!) whereby a malformed installer package can elevate its privileges in Mac OS X and become root. After running Windows for 16 years I’m used to these sort of flaws but surely His Jobsness’ wonderful creation is above such things!

Frankly I don’t care that Mac OS X is flawed. So is Linux. So is Windows. So is anything with many millions of lines of code – open or closed source – but I thought better of Apple because I believed that they would keep me safe by default. It’s well known that running Windows XP as anything less than a Power User is difficult and that’s one of the many improvements in Windows Vista. All the Linux installers that I’ve used recently suggested that I create a non-root user as well as root but the OS X installer is happy for me to breeze along and create a single administrator account without a word of further advice. I appreciate that an OS X administrator is not equal to root but nevertheless it’s a higher level of access than should be used for daily computing and because I didn’t know any better (I’m just a dumb switcher) I didn’t create a standard user account (until today).

I read a lot of Mac and Linux zealots singing the praises of their operating systems and saying how Windoze is a haven for spyware and viruses. Well, it’s time to wake up and smell the coffee – as Mac OS X gains in popularity (I heard something about the new MacBooks having a 12% share of all new laptop sales recently) then Mac users will have to start thinking about spyware, viruses and the like. Now is the time to practice safe computing – whatever the operating system – with most users running as administrators then that could quickly become a major issue.

Sharing disks between Mac OS X and Windows

I wrote a couple of months back about the Toshiba PX1223E-1G32 320GB external hard disk that I bought (and which I’ve been very pleased with). Well, nowadays the aluminium case makes it a perfect companion for my Mac Mini and my Fujitsu-Siemens S20-1W widescreen monitor.

The trouble is that, in common with most external hard disks, the drive comes pre-formatted for the NT file system (NTFS), used by all modern versions of Windows. NTFS is a great file system – but it is also Windows-specific, at least from a read/write perspective (Linux and MacOS X systems can only read NTFS-formatted partitions). So, to use the disk with a Mac requires a reformat – either using one of the Macintosh file systems, such as HFS+/MacOS Extended (Journalled), the Unix file system (UFS – but not ext3), or FAT32 (MS-DOS file system). Of these choices, only FAT32 is universally accepted by Windows, Mac OS X and Linux systems but it does have some pretty serious limitations, as I soon found.

Firstly, although FAT32 supports file systems up to 2TB in size, the format utilities within Windows support a maximum partition size of 32GB; however by formatting the drive using another operating system or third-party tools, this limit can be overcome and Windows is able to read or write larger volumes. Secondly, and more significantly, FAT32 only supports files up to 4GB in size. That doesn’t sound like an issue until you start copying .ISO DVD images and digital video files around. Pretty soon it became apparent that FAT32 was not the answer.

The solution was using a software product called Mediafour MacDrive, which I found from the Wikipedia article on HFS+ and which has turned out to be really useful. Ironically, I didn’t need to use a licensed version to transfer my data from a PC to the Mac, as Mediafour make a trial version available for download which is valid for 5 days after installation. Having used that as my demonstration of how useful this software is, I decided to buy a copy (proving that users will buy genuinely good software, even if they can get by for free) – at $49.95 it’s reasonably priced (especially with the current dollar exchange rate and as Mediafour offered me a 24% discount if I purchased within 24 hours of requesting the trial version) and when I finally get around to dual-booting Windows on my Mac it will be invaluable. Sadly, the current version of MacDrive doesn’t work on Windows Vista, so I will need to upgrade one day in the future, but for now it’s a great way to share files between Windows and Mac OS X.

Creating Windows file system shares remotely

Yesterday, one of my colleagues came to me with a problem to solve. He wanted a user to be able to create a share remotely (i.e. without logging onto the server console physically or via terminal services). I suggested allowing the user access to a shared folder at a higher level in the directory structure and then, after they had connected to that share, they could create a new subfolder and share it out. Unfortunately, my colleague returned later to say that Windows doesn’t allow sharing of folders when connected via a share so he had to find another way around the issue – he found two possible answers:

Even though rmtshare.exe dates back to the days of Windows NT 4.0, I was able to use it to create a share (and delete it again) on a Windows Server 2003 server from a Windows Vista client (although I did have to elevate my permissions before it ran successfully).

Keeping files synchronised between data sources with SyncToy

Several months back, my mate Toffa told me about a tool called SyncToy that is great for keeping two disks synchronised (e.g. a primary and a backup). Last night I installed it (to make regular backups of my digital photos and music to my new external hard disk) and was very impressed. It’s actually a free Windows PowerToy and I was using v1.0 – SyncToy v1.2 is available and includes a number of enhancements.

The tool offers five modes of synchronisation between pairs of folders (left and right) and users can also preview the changes before running the synchronisation job:

  • Synchronise: New and updated files are copied both ways. Renames and deletes on either side are repeated on the other.
  • Echo: New and updated files are copied left to right. Renames and deletes on the left are repeated on the right.
  • Subscribe: Updated files on the right are copied to the left if the file name already exists on the left.
  • Contribute: New and updated files are copied left to right. Renames on the left are repeated on the right. No deletions.
  • Combine: New and updated files are copied both ways. Nothing happens to renamed and deleted files.
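The five modes above are easiest to compare when written out as rules over a folder pair. The following is an added example (my own model, not SyncToy's code or Microsoft's): each side of the pair is a dict of `{filename: (mtime, content)}`, and the renames and deletes that happened since the last run are passed in explicitly, standing in for the snapshot that SyncToy keeps between runs. Mode names, the `run_pair` function and the sample photo folders are all constructed for the illustration.

```python
"""Simulation of SyncToy's five folder-pair modes (constructed example)."""


def _copy_new_and_updated(src, dst, only_existing=False, skip=frozenset()):
    """Copy files from src that are missing in dst (unless only_existing is
    set) or carry a newer mtime than dst's copy. Names in skip are left alone."""
    actions = []
    for name, (mtime, data) in src.items():
        if name in skip:
            continue
        if name not in dst:
            if only_existing:
                continue
            dst[name] = (mtime, data)
            actions.append(("copy-new", name))
        elif dst[name][0] < mtime:
            dst[name] = (mtime, data)
            actions.append(("copy-updated", name))
    return actions


def _repeat_renames(renames, dst):
    """Apply {old: new} renames on dst as renames, not as copy-plus-delete."""
    actions = []
    for old, new in renames.items():
        if old in dst:
            dst[new] = dst.pop(old)
            actions.append(("rename", old, new))
    return actions


def _repeat_deletes(deleted, dst):
    actions = []
    for name in deleted:
        if dst.pop(name, None) is not None:
            actions.append(("delete", name))
    return actions


def run_pair(mode, left, right, left_renamed=None, left_deleted=(),
             right_renamed=None, right_deleted=()):
    """Run one mode over a folder pair, modifying left and right in place,
    and return the list of actions applied."""
    left_renamed = left_renamed or {}
    right_renamed = right_renamed or {}
    # Names that vanished from a side (deleted or renamed away) must not be
    # recreated there from the other copy in the modes that "do nothing"
    # about renames and deletes.
    gone_left = set(left_deleted) | set(left_renamed)
    gone_right = set(right_deleted) | set(right_renamed)
    acts = []
    if mode == "synchronize":          # both ways, renames/deletes repeated
        acts += _repeat_renames(left_renamed, right)
        acts += _repeat_renames(right_renamed, left)
        acts += _repeat_deletes(left_deleted, right)
        acts += _repeat_deletes(right_deleted, left)
        acts += _copy_new_and_updated(left, right)
        acts += _copy_new_and_updated(right, left)
    elif mode == "echo":               # left is the master
        acts += _repeat_renames(left_renamed, right)
        acts += _repeat_deletes(left_deleted, right)
        acts += _copy_new_and_updated(left, right)
    elif mode == "subscribe":          # only refresh files the left already has
        acts += _copy_new_and_updated(right, left, only_existing=True)
    elif mode == "contribute":         # echo without the deletes
        acts += _repeat_renames(left_renamed, right)
        acts += _copy_new_and_updated(left, right)
    elif mode == "combine":            # both ways, nothing for renames/deletes
        acts += _copy_new_and_updated(left, right, skip=gone_right)
        acts += _copy_new_and_updated(right, left, skip=gone_left)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return acts


def demo():
    """Echo run over constructed photo folders: c.jpg is newer on the left,
    e.jpg is new on the left and x.jpg was deleted on the left since last run."""
    left = {"a.jpg": (1, "A"), "c.jpg": (5, "C2"), "e.jpg": (6, "E")}
    right = {"a.jpg": (1, "A"), "c.jpg": (3, "C1"), "d.jpg": (4, "D"),
             "x.jpg": (2, "X")}
    actions = run_pair("echo", left, right, left_deleted={"x.jpg"})
    return actions, right


if __name__ == "__main__":
    for action in demo()[0]:
        print(*action)
```

The `demo` run shows why Echo suits a backup disk: the left (primary) copy wins, the stale `x.jpg` is removed from the backup, but `d.jpg`, which only exists on the right, is left untouched because nothing on the left says it was deleted. Subscribe and Combine are the modes to reach for when the backup side may legitimately hold files the primary never had.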

Microsoft are positioning this as a tool for photographers but to be honest it looks good for anyone who keeps data in multiple locations (like backing up a laptop to a server at home). I know people who swear by Novell iFolder (for keeping data synchronised, secure and available wherever they are) but SyncToy looks like a perfect synchronisation solution for many Windows users who just need to make sure that a second copy of their important files is available if the first one is lost or who want to synchronise files stored on multiple devices in a number of locations.

How not to image servers

This content is 19 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

A couple of weeks back, I wrote about using Microsoft’s system preparation tool (SysPrep) to prepare virtual machine images for duplication. It doesn’t really matter whether the machine is virtual or physical, the principle is still the same (my point was that cloning virtual machines using a file copy is easy but needs to be prepared in a specific way – i.e. using SysPrep).

A few days ago I was completely amazed to hear how one of my clients had duplicated some of their servers – they had simply broken a mirror, placed the second disk in a new server, then added another disk in each server to recreate the mirror (repeat until all servers are successfully duplicated). It may be ingenious, but it’s also extremely bad practice.

The client in question is in the process of preparing for a migration from Windows NT to Windows Server 2003 and Active Directory. Although NT doesn’t get too upset if servers are cloned, including their security identifier (SID), Active Directory does. They now have three choices:

  • Rebuild the problem servers.
  • Remove the servers from the domain.
  • Use a tool like Sysinternals NewSID to change the SIDs (both officially unsupported by Microsoft).

Whatever the decision, it’s all extra (and unnecessary) work – completely avoidable.

Finding out how Windows product activation works

Most of the work I do with Microsoft software is carried out for clients who have a volume license agreement, so working with OEM copies of Windows Server 2003 R2 over the last week or so has been my first exposure to Windows product activation. After having built and activated a server, then wondering whether blowing it away and starting again would affect the activation status, I found Alex Nichol’s description of Windows product activation on Windows XP (it’s basically the same for Windows Server 2003 R2). I decided not to rebuild the server in the end but Alex’s article was certainly a useful description of how the activation process works and the hardware changes that can affect the validity of the software.

Using unprivileged accounts in Windows

A few weeks back, Microsoft UK’s Steve Lamb presented a session on using the principle of least privileged access to reduce exposure to security threats under Windows (basically, running as much as possible as a standard, non-administrative user). Unfortunately I missed the event but I was chatting with Steve last week and he filled me in on the basic principles (which I’ve padded out with a few notes from his slidedeck).

The runas command can be used to start a program as a different user (as programs inherit their permissions from the parent process, starting a cmd shell as an Administrator and then launching an application will launch that application as an Administrator). Within the Windows GUI, there is often a right click option for runas, although for control panel applets shift and right click is used to expose the runas option. Shortcuts can be modified to run with different credentials for applications that always require a higher level of access.

There are occasions when runas just doesn’t work – for example applications that reuse existing instances (Windows Explorer, Microsoft Word) or those that are started through the shell using the ShellExecute() API call or dynamic data exchange (DDE). Unfortunately Microsoft Update is one of those applications for which runas won’t work. Aaron Margosis has some advice on his blog to help work around issues with runas and Windows Explorer.

Privileged command shell windows can be set apart using a different colour scheme, for example:

cmd.exe /t:cf /k title Administration Shell

For the GUI, the TweakUI power toy can be used to set an alternative bitmap for Internet Explorer and Windows Explorer, or Aaron Margosis’ PrivBar displays the current privilege level.

Whilst it’s true that using a local account will prevent domain-wide issues, there are side effects in that there is no access to domain resources, different profile settings (and per-user policy settings) are in effect and some applications assume that the installer is the end user. One possible resolution is Aaron Margosis’ MakeMeAdmin tool which allows for temporary elevation of the current account’s privileges (and any applications which inherit the user context). MakeMeAdmin can be downloaded from Aaron’s blog and he has a later follow-up post with more information.

Some applications are written to run as Administrator and there’s not a lot that an end user can do about poor coding (other than replacing the application with something else). Adding the user to the local Administrators group to resolve such issues is not good practice, although it may be possible to loosen the ACLs on application-specific resources (e.g. %ProgramFiles%\applicationname\ and HKEY_LOCAL_MACHINE\SOFTWARE\applicationname\Settings) but this should not be carried out on operating system resources (e.g. %windir%, %windir%\System32 and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows). The important thing to remember is to do this in a granular fashion, applying additional permissions only to those resources to which access is required.

If an application writes to HKEY_CLASSES_ROOT, then it’s usually a bug. HKEY_CLASSES_ROOT is a merged view of HKEY_LOCAL_MACHINE\SOFTWARE\Classes and HKEY_CURRENT_USER\SOFTWARE\Classes so writing to HKEY_CLASSES_ROOT effectively goes to HKEY_CURRENT_USER if the key already exists. Consequently, problems with HKEY_CLASSES_ROOT can often be overcome by pre-creating keys under HKEY_CURRENT_USER.
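The merged-view behaviour is the whole reason the pre-creation trick works, so here it is written out as a small model. This is an added example of my own, not Windows code: two dicts stand in for HKEY_LOCAL_MACHINE\SOFTWARE\Classes and HKEY_CURRENT_USER\SOFTWARE\Classes, a standard user is modelled as having no write access to the machine-wide side, and the class name `.myext`, the `ClassesView` class and the `standard_user_workaround` function are constructed for the illustration.

```python
"""Model of the HKEY_CLASSES_ROOT merged view and the HKCU pre-create
workaround (constructed example, not Windows code)."""


class ClassesView:
    def __init__(self):
        self.hklm = {}  # HKLM\SOFTWARE\Classes: writable by administrators only
        self.hkcu = {}  # HKCU\SOFTWARE\Classes: writable by the logged-on user

    def create_key(self, hive, key):
        """Create an (empty) class key directly in one of the two hives."""
        store = {"HKLM": self.hklm, "HKCU": self.hkcu}[hive]
        store.setdefault(key, {})

    def hkcr_set_value(self, key, name, data, is_admin=False):
        """Emulate a write to HKCR\\key: if the key already exists under the
        per-user classes the write lands there, otherwise it goes to HKLM,
        which a standard user cannot write to. Returns the hive written."""
        if key in self.hkcu:
            self.hkcu[key][name] = data
            return "HKCU"
        if not is_admin:
            raise PermissionError(f"HKLM\\SOFTWARE\\Classes\\{key}: access denied")
        self.hklm.setdefault(key, {})[name] = data
        return "HKLM"

    def hkcr_get_value(self, key, name):
        """Merged read: the per-user entry shadows the machine-wide one."""
        for hive, store in (("HKCU", self.hkcu), ("HKLM", self.hklm)):
            if key in store and name in store[key]:
                return store[key][name], hive
        raise KeyError(f"HKCR\\{key}\\{name}")


def standard_user_workaround(key=".myext", name="", data="MyApp.Document"):
    """A standard user's write to HKCR fails; after pre-creating the key under
    HKCU the same write succeeds. Returns (first_outcome, second_outcome,
    hive_the_value_is_read_from)."""
    reg = ClassesView()
    try:
        first = reg.hkcr_set_value(key, name, data)
    except PermissionError:
        first = "denied"
    reg.create_key("HKCU", key)  # the pre-creation workaround
    second = reg.hkcr_set_value(key, name, data)
    _, read_from = reg.hkcr_get_value(key, name)
    return first, second, read_from


def per_user_shadowing(key=".myext", name=""):
    """An administrator's machine-wide value is shadowed, for this user only,
    once the same key exists under HKCU. Returns the value each side sees."""
    reg = ClassesView()
    reg.hkcr_set_value(key, name, "Machine.Handler", is_admin=True)
    before = reg.hkcr_get_value(key, name)
    reg.create_key("HKCU", key)
    reg.hkcr_set_value(key, name, "User.Handler")
    after = reg.hkcr_get_value(key, name)
    return before, after


if __name__ == "__main__":
    print(standard_user_workaround())
    print(per_user_shadowing())
```

The second function is the caveat that goes with the workaround: once a key exists under HKEY_CURRENT_USER\SOFTWARE\Classes it shadows the machine-wide entry for that user, so an application that later expects the administrator's setting may keep seeing the per-user one until the HKCU key is removed.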

If all else fails, utilities such as MakeMeAdmin can be used to allow an application to run with elevated privileges but they require the user to know the Administrator password – alternatives include Valery Pryamikov’s RunAsAdmin and DesktopStandard PolicyMaker Application Security.

In Windows Vista, everything changes again with new functionality known as user access control (also known by other names including user access protection and flexible account control technologies):

  • All users run as an unprivileged user by default, even when logged on as an Administrator.
  • Once running, the privilege of an application cannot be changed.
  • Administrators only use full privilege for administrative tasks or applications.
  • Users are prompted to provide explicit consent before using elevated privilege, which then lasts for the life of the process.
  • A high level of application compatibility is achieved using redirection (which allows legacy applications to run as a normal user with HKEY_LOCAL_MACHINE\Software access being emulated by a virtual location under HKEY_CURRENT_USER and attempted writes to the %SystemRoot% and %ProgramFiles% folders being redirected to a per-user store); however this is a temporary mitigation for 32-bit product versions only (i.e. not implemented in 64-bit versions of Windows Vista).

Although Windows has come a long way to making least privileged access usable, it’s important to remember that there are some things that least privileged access can’t guard against:

  • Anything you can do to yourself.
  • Weak passwords.
  • Attacks on services.
  • Phishing.
  • Stupidity.

Unfortunately I’m writing this post on the notebook PC supplied by my employer with a standard corporate build and my domain account is also a local administrator. I think that probably falls into the last category listed above… doh!

Updating Windows Defender Beta 2 using WSUS

Last year I blogged that Microsoft were pushing updates to their Windows AntiSpyware Beta, to extend the expiry date past the end of July 2005. Since then, there have been a number of updates (including renaming the product to Windows Defender) and even though Windows Defender is included in recent Windows Vista builds, my XP clients have still been running Windows AntiSpyware Beta v1.0.701 (which expires at the end of July 2006).

That started to change tonight, when one of my XP machines updated itself to Windows Defender Beta 2, and although the product is now at v1.1.1347 (engine v1.1.1303.0), the definitions went backwards from update 5841 (5 May 2006) to a new definition numbering scheme (v1.0.0.0), dated 25 January 2006. Strangely, checking for updates reported that there were no updates available for download.

Microsoft knowledge base article 915105 describes an issue where Defender does not download updates but the resolution didn’t work for me; however, I did discover that Windows Server Update Services (WSUS) now supports Windows Defender (Microsoft knowledge base article 915597 has more details of the update delivery mechanism).

After enabling Windows Defender updates in WSUS and synchronising, I found that there were three definition updates waiting for me to approve – v1.14.1408.8 (25 April 2006), v1.14.1410.10 (27 April 2006) and v1.14.1436.4 (3 May 2006). A few minutes later, checking for updates resulted in a successful download from WSUS.

Windows Defender seems to be in an extraordinarily long beta program (considering the original Giant Company product that Microsoft bought was so well regarded), but it seems pretty solid to me. Let’s hope that the US DOJ and the EU don’t force Microsoft to unbundle important security features like this from Windows.