Merry Christmas!

Hopefully everyone is doing well out in the world. I would like to thank all the readers who visit my web site. Traffic has gone up from 50 unique visitors per day in January to over 200 unique visitors per day in December. The goal of this site is to spread as much knowledge as possible and to document what I and others have learned. Therefore, I would like to read your own “in the trenches” stories and post them here…something cool, something weird, something complicated, whatever you found interesting in your own work as a technician. Send them to web at leinss.com with the subject “Readers Story”. Maybe you found an interesting blog post of how someone got a 1985 DOS program to work in Windows Vista: send that in too!

For next year I hope to have continuing coverage on Windows Vista and how to use it (and more importantly, how to fix it). Of course, more “in the trenches” stories that anger Microsoft personnel will be in order (at least Windows Vista does HAL detection so Michael Niehaus can’t chastise me for forcing HALs anymore. :O) )

Last, but not least, the reason for the season we celebrate each year:

For of Him, and through Him, and to Him, are all things. To Him be the glory for ever! Amen. (Romans 11:36)

Sola Scriptura

Sola Gratia

Solo Christo

Sola Fide

Soli Deo Gloria

Symantec Antivirus: All Faith is Lost

No product has failed me this badly lately, but Symantec Antivirus version 10 certainly has! You might remember my article last year on Symantec Antivirus 10. As I was working on a test box PC and running Process Monitor from Sysinternals, I noticed a rundl132.exe file trying to connect to a bunch of PCs on our network. I promptly rebuilt the PC 5 times only to have it yet again reinfected each time. This machine was running the latest version of Symantec Antivirus and had the latest virus definitions. Even when I turned off file and print sharing by stopping and disabling the server service, I kept getting reinfected. Apparently, 1732 executables on my main machine’s second partition were infected with Looked.P and this is how I was getting re-infected. This worm goes and searches every directory on your hard drive, leaving a _desktop.ini file to mark each directory it has visited. It also infects every executable on your hard drive, except if it’s in C:\windows.

Worse yet, I wasn’t the only one infected with this virus. Somehow this nasty worm got past the SAV client with the latest definitions (note this worm has been out in the wild since July of this year, it is NOT a new worm). Not only that, but Symantec Antivirus 10 also refuses to clean them! To add insult to injury, this worm also infects SAV executables, making the antivirus program itself quite useless. To clean up this mess, I had to go around and disable the server service to turn off file and print sharing. Once the PC was isolated, I then had to boot into safe mode to pull all the files back out of the quarantine as Symantec wouldn’t clean them (and in some cases, I had to copy VPC32.EXE from the server share as it was quarantined!). I then had to boot from BartPE and run a command line version of McAfee which could clean the virus. McAfee basically saved my bacon and I will recommend McAfee to all techs I meet now!
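Given the marker and infection pattern described above, here is an added sweep script (my code, not the post’s) that lists the directories carrying the worm’s _desktop.ini visit marker and the executables in them outside the Windows folder, i.e. the files to pull and rescan with a second engine rather than trust. The extension list, the constructed sample tree and the location of the excluded Windows directory are assumptions.

```python
import os
import tempfile
from pathlib import Path

# Behaviour described in the post: the worm drops a _desktop.ini in every
# directory it visits and infects executables everywhere except C:\windows.
MARKER = "_desktop.ini"  # note the underscore; a plain desktop.ini is legitimate
EXE_SUFFIXES = {".exe", ".scr", ".com"}  # assumption: extensions worth rescanning

def is_under(path, parent):
    """True when `path` lies inside `parent` (compared as absolute paths)."""
    try:
        Path(path).resolve().relative_to(Path(parent).resolve())
        return True
    except ValueError:
        return False

def sweep(root, excluded):
    """Walk `root`; return (marked_dirs, exposed_exes).

    marked_dirs:  directories carrying the worm's visit marker.
    exposed_exes: executables in marked directories outside `excluded` (the
                  Windows directory): files to pull and rescan with a second
                  engine rather than trust as clean.
    """
    marked, exposed = [], []
    for dirpath, _dirs, files in os.walk(root):
        d = Path(dirpath)
        if MARKER not in files:
            continue
        marked.append(d)
        if is_under(d, excluded):
            continue
        exposed.extend(d / f for f in files if Path(f).suffix.lower() in EXE_SUFFIXES)
    return marked, exposed

def build_sample_tree():
    """Constructed sample tree (not real data): a second partition 'D' with two
    marked folders, one clean folder, and a 'windows' folder that is skipped."""
    base = Path(tempfile.mkdtemp(prefix="looked_demo_"))
    for rel in ("D/tools", "D/games", "D/docs", "windows/system32"):
        (base / rel).mkdir(parents=True)
    for rel in ("D/tools", "D/games", "windows/system32"):
        (base / rel / MARKER).write_text("[.ShellClassInfo]\n")
    for rel in ("D/tools/vpc32.exe", "D/games/play.exe", "windows/system32/calc.exe"):
        (base / rel).write_bytes(b"MZ")
    (base / "D/tools/readme.txt").write_text("not executable")
    (base / "D/docs/notes.txt").write_text("no marker here")
    return base
```

Run it as `sweep(build_sample_tree(), excluded=<base>/"windows")` to see two executables flagged for rescan and the one under the windows folder left alone.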

A call to Symantec tech support yielded equally disappointing results regarding our problem. “All we know is what is on our web site”. I’m glad we pay yearly maintenance to these guys, because it certainly seems to be helping, NOT!

– Soli Deo Gloria

To Boldly Go Where No Technician Has Gone Before

Windows likes to hide certain files and folders in its operating systems. As technicians, we sometimes need access to said files and folders. One of the famous ones is where Internet Explorer stores its temporary cache files. This is in the folder C:\documents and settings\local settings\Temporary Internet Files.

Upon looking at this folder in Windows Explorer, we see this:

The fact is, this is not a true representation of what is really in the folder. For that, we have to hit a command prompt:

Another folder with this restriction was C:\windows\system32\dllcache. In at least Windows 2000, if you tried to navigate to this folder from Windows Explorer, you wouldn’t find it. However, it appears they lifted that restriction, at least in Windows XP SP2.

So is this a Windows issue or an Explorer issue? To find out, let’s load up FreeCommander 2006 and see if we can see the Temporary Internet Files folder:

Lo and behold, we see it! So there is code in explorer.exe to block users from seeing that folder. If you want to see all the files and folders on your hard drive, it’s best not to use Explorer, but a third-party file manager.

Windows Vista takes this a step further and removes the administrators group from system folders. That means that just because you are an administrator doesn’t mean you are a “demigod” anymore. If you have UAC enabled on Windows Vista, always remember the following: “Administrators run as standard users, even when in the administrators group with UAC turned on”. You are only given the “demigod” token when UAC prompts you to elevate for a certain action. As soon as the action is complete, the token is taken away.

This “feature” is designed so that if someone with administrative privileges runs a spyware program, that program cannot inject itself into critical system folders, or so Microsoft says. When you run a setup program, Windows Vista detects certain manifests within the setup program and gives it the TrustedInstaller token. This allows it to write to C:\windows among other folders. So what would prevent a spyware programmer from making all of his spyware programs setup-like programs? Not quite sure myself. My guess is that Microsoft is trying to educate us. If you visit a web site and it wants to run a setup program, a red flag should go up right away. Clicking Yes on that prompt gives that program the right to modify your system files.

If you are an administrator and need to modify files in C:\windows or other folders, you now have to take ownership of said files and folders. Once you do this, you can modify the security to give yourself write access.

– Soli Deo Gloria

BDD 2007 and Windows Vista

Right now I’m playing with BDD 2007 RC1 with Windows Vista RTM and hopefully will have a write up of how it works within the next few weeks. Unfortunately, none of the WinPE stuff (LiteTouch) is booting for me and there is supposedly a hotfix (KB928570) to address all this. Oh the joys of beta! However, Johan Arwidmark has a “new” site called www.deployvista.com and he gives some really nice guides on how to use BDD 2007 RC1.

One issue that I came across in Vista is using sysprep with the generalize switch. Every time I used the /generalize switch, sysprep would crash and my image would be hosed. It appears this is a known issue with the SoundMax drivers. As soon as I uninstalled the SoundMax drivers and then ran sysprep, everything worked fine. The other quirky thing I’ve run into is that sysprep refuses to read my unattend.xml file unless I copy it to C:\sysprep and then run sysprep from the same directory. The WAIK documentation specifically states that sysprep must run from C:\windows\system32\sysprep, but I have yet to get that to work properly. Sysprep also doesn’t remove the unattend.xml after running through the mini-setup: this could compromise product keys if you are using MAK!

Correction (12/15/06): Product keys aren’t defined in unattend.xml for Business and Enterprise editions of Windows Vista. Windows Vista will just ignore the product key if you input the product key in the sysprep (unattend) file. Defining a product key for Business/Enterprise in BDD 2007 can actually cause it not to work!
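Since sysprep leaves unattend.xml behind after mini-setup, here is an added audit script (my code, not the post’s and not part of BDD or the WAIK) that parses an unattend file for a product key in either of the two places the schema allows and reports any leftover file in the sysprep directories the post names that still carries one. The sample XML and its key are constructed placeholders; on editions that ignore the key in the file (the correction above) there is nothing to leak, but the leftover file is still worth wiping.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path
# Constructed sample unattend.xml (not from the post); the key is a placeholder.
SAMPLE_UNATTEND = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86">
      <ProductKey>AAAAA-BBBBB-CCCCC-DDDDD-EEEEE</ProductKey>
    </component>
  </settings>
</unattend>
"""

def local(tag):  # strip the {namespace} prefix ElementTree puts on every tag
    return tag.rsplit("}", 1)[-1]

def mask_key(key):  # keep only the last group so a report can be shared safely
    groups = key.strip().split("-")
    return "-".join("*" * len(g) for g in groups[:-1]) + "-" + groups[-1]

def find_product_keys(xml_text):
    """Return (pass, component, masked_key) for every key in the file; handles both
    <ProductKey>text</ProductKey> and the Setup/UserData <ProductKey><Key>text</Key>."""
    found = []
    for settings in ET.fromstring(xml_text):
        if local(settings.tag) != "settings":
            continue
        for comp in settings:
            for el in comp.iter():
                if local(el.tag) != "ProductKey":
                    continue
                key_el = next((c for c in el if local(c.tag) == "Key"), el)
                if key_el.text and key_el.text.strip():
                    found.append((settings.get("pass", "?"), comp.get("name", "?"),
                                  mask_key(key_el.text)))
    return found

def audit_leftovers(dirs):
    """Return {path: keys} for each unattend.xml under `dirs` that still holds a key."""
    report = {}
    for d in dirs:
        f = Path(d) / "unattend.xml"
        if f.is_file() and (keys := find_product_keys(f.read_text(encoding="utf-8"))):
            report[str(f)] = keys
    return report

def make_sample_dir():  # temp folder standing in for C:\sysprep, holding the sample
    d = Path(tempfile.mkdtemp(prefix="sysprep_demo_"))
    (d / "unattend.xml").write_text(SAMPLE_UNATTEND, encoding="utf-8")
    return d
```

On a real image you would call `audit_leftovers([r"C:\sysprep", r"C:\windows\system32\sysprep"])` after mini-setup and delete any file it reports.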

– Soli Deo Gloria

Utility Review: FreeCommander 2006

There’s tons of neat little utilities in my Tech Files section and I rarely talk about any of them here on the blog. Here’s one that I recently discovered for file management: Free Commander 2006. Now, I know what you are thinking: why another file manager? I wanted a folder size utility to prune my disk (I actually wrote about ExplorerXP before to do that, but I didn’t think of it at the time). One of the great features is being able to sort by file and folder size. It even keeps this view when drilling several layers up and down the tree. This saves having to sort per folder view, which is such a nice time saver. To get the size of folders, you actually have to hit Folders>Size of Folders. This is done because you might not want a lot of disk I/O from it computing folder sizes.

Free Commander also has native built-in handling for opening ZIP, CAB and RAR files. Nice! I also like the handy icons in the upper right hand corner that give easy access to the Control Panel, Start Menu, Desktop, System Folders and Computer Management. This was written with a PC technician in mind! You can also map network drives, get to a Run box or Command Prompt from the Extras menu.

Free Commander also lets you edit file and folder timestamps like Total Commander. Total Commander, in my opinion, tries to do too much. Another nice thing is that you can do a RUNAS on Free Commander to run as administrator and therefore change permissions on files and folders.

– Soli Deo Gloria

Illegal Windows Vista KMS Appears on Internet

An illegal KMS in China is serving up Windows Vista activations for free for Business editions of Vista, thousands of them apparently. Under KMS, only the last 50 activations are recorded or “cached” on the server. This brings up an interesting question: how is KMS protected? Apparently you can use one volume license key and activate against a completely different one than is kept in the digital store of the KMS. If you are on a college campus that has a KMS, you apparently can connect and activate against it provided you can find the server.

Provided that someone makes a key generator like the one made for Windows XP, one would only have to find a KMS, any KMS, to activate a copy! Since Microsoft doesn’t record KMS activations, an administrator may not even know his server is being used to activate pirated copies.

Update (12/6/06): It gets worse…supposedly, you can download an activated KMS server in VMware format and activate your PCs indefinitely at home. Those Chinese pirates are crazy! Pirates – 1, Microsoft – 0.

– Soli Deo Gloria

Windows Vista Released on CDs

Technet now has Windows Vista in a 5 CD version (in addition to the DVD version). Not quite sure if retail will be offered in this way. Office 2007 Ultimate is also being released on Technet.

The Office 2007 trial is now available.

Speaking of Technet and Vista, these are the versions you will have product keys for and access to if you are on Technet Direct Plus or above:

  • Windows Vista Business
  • Windows Vista Home Basic
  • Windows Vista Home Premium
  • Windows Vista Ultimate

– Soli Deo Gloria