Archive for the Microsoft Category

Microsoft Warns of Help Flaw in Windows XP, Server 2003

Microsoft issued a new Security Advisory for a flaw in the Windows Help and Support Center, as reported by Ars Technica. The vulnerability affects only Windows XP and Server 2003; Vista and 7 are unaffected.

The worry with this vulnerability is that the help links in the Help Center can be hijacked to run executables on the victim’s computer. The details of the vulnerability and possible attack are as follows:

In Windows XP and Windows Server 2003, clicking on an hcp:// link launches helpctr.exe via a registered protocol handler; this is normally a safe way to launch help content thanks to an allow list that Help and Support Center checks before navigating to a given help page. A Google security researcher discovered, however, that a help page with a cross-site scripting vulnerability can be paired with a mechanism to abuse the allow-list functionality to access that page with an exploit querystring. Thus, clicking on a malicious hcp:// link leverages the XSS vulnerability to circumvent helpctr.exe’s safety controls and ultimately run an arbitrary executable on the machine.

Microsoft says it is monitoring the problem and is so far unaware of any attacks in the wild. A patch may arrive on the next Patch Tuesday or earlier. Microsoft has outlined some mitigating factors, which are also in the Security Advisory.

  • The first is that, in a web-based attack, the attacker would have to host a web page that exploits the vulnerability or place advertisements on another website. Victims cannot be forced to visit such pages; the attacker would have to lure them there with social engineering tactics such as e-mail.
  • The vulnerability cannot be triggered directly from an e-mail; the user would have to click a link.
  • An attacker who successfully executed the attack could gain the same user rights as the logged-on user. If users are not logged in as an administrator, the damage could be lessened.

Microsoft has one workaround, in which the registry is edited to unregister the HCP protocol. They detail two methods of doing this in the Security Advisory, but warn that, once the registry is edited, all help links that use HCP will obviously break.

This vulnerability was discovered by Google, who alerted Microsoft to the problem on June 5 and then turned around and kindly disclosed it to the public on June 9. Microsoft was none too happy with Google about that and said:

Public disclosure of the details of this vulnerability and how to exploit it, without giving us time to resolve the issue for our potentially affected customers, makes broad attacks more likely and puts customers at risk.

Create bootable USB drive with Server 2008

With the increase in blade systems and the decrease in optical drives on servers, it is becoming more and more of a USB-drive world every day.  I had a couple of e-mails come in asking for help creating USB drives that are bootable with Server 2008 on them.  Easy enough: just follow the steps below and you should be golden (as long as you have at least a 4GB thumb drive).

First we need to format the thumb drive.

  1. From a command prompt, run: diskpart
  2. list disk
  3. select disk 1    (assuming disk 1 was your thumb drive in the list disk output above; double-check its size, because the next step wipes whatever disk is selected)
  4. clean
  5. create partition primary
  6. select partition 1
  7. active
  8. format fs=fat32
  9. assign
  10. exit

Now we need to get the files copied over from the DVD to the thumb drive.

xcopy d:\*.* /s/e/f e:\   (assumes your DVD is drive D and your thumb drive is drive E)

Make sure the server is set to boot from USB drive and away you go.
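The same procedure as an added PowerShell script (not from the original post): it feeds the diskpart steps above from a script file and runs the xcopy, but first checks that exactly one USB disk of at least 4 GB is attached and makes you confirm the erase, so `clean` cannot hit the wrong disk. It adds a quick format and an explicit drive letter to the listed steps; the DVD and USB drive letters are assumptions.

```powershell
# Added example, not part of the original post. Run from an elevated prompt.
param(
    [string]$DvdRoot   = 'D:\',   # assumption: Server 2008 DVD is drive D
    [string]$UsbLetter = 'E'      # assumption: letter to give the thumb drive
)

# Win32_DiskDrive works on Server 2003/2008 without the newer Storage module.
$usb = @(Get-WmiObject -Class Win32_DiskDrive | Where-Object { $_.InterfaceType -eq 'USB' })
if ($usb.Count -ne 1) {
    throw "Expected exactly one USB disk, found $($usb.Count). Unplug the others and retry."
}
$disk   = $usb[0]
$sizeGb = [math]::Round([double]$disk.Size / 1GB, 1)
if ([uint64]$disk.Size -lt 4GB) { throw "USB disk $($disk.Index) is only $sizeGb GB; need at least 4 GB." }

# 'clean' destroys everything on the selected disk, so make the operator confirm it.
Write-Host "About to ERASE disk $($disk.Index): $($disk.Model), $sizeGb GB"
if ((Read-Host 'Type ERASE to continue') -cne 'ERASE') { throw 'Aborted by operator.' }

# Same steps as the numbered list above, fed to diskpart as a script file.
$script = @"
select disk $($disk.Index)
clean
create partition primary
select partition 1
active
format fs=fat32 quick
assign letter=$UsbLetter
exit
"@
$scriptPath = Join-Path $env:TEMP 'make-usb.txt'
Set-Content -Path $scriptPath -Value $script -Encoding ASCII
diskpart /s $scriptPath
if ($LASTEXITCODE -ne 0) { throw "diskpart failed with exit code $LASTEXITCODE" }

# Copy the installation files, as in the xcopy step above.
xcopy "$DvdRoot*.*" "${UsbLetter}:\" /s /e /f
if ($LASTEXITCODE -ne 0) { throw "xcopy failed with exit code $LASTEXITCODE" }
Write-Host "Done. Set the server to boot from USB."
```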

Cheers.

New IE vulnerability found - Win 2000 and XP

Microsoft released a new security advisory regarding Internet Explorer on Windows 2000 and XP systems. To exploit the vulnerability, a malicious site reaches through the web browser using VBScript and accesses "inherently unsafe" Windows Help files.

To complete the attack, the user must press F1.

The PC World article suggests that users log off Windows or close Internet Explorer via Windows Task Manager when a site prompts them to press F1.

Windows 7 - memory leaks, hangs and freezes detailed

Microsoft has been tracking some odd issues that occur on Windows 7 and Windows Server 2008 R2. These bugs are not typically fixed via Windows Update, because the hotfixes should only be applied to systems that are experiencing the specific problems. So if you are not severely affected by any of them, wait for the relevant service packs. Here are the four most prominent issues, listed in order of decreasing severity.

The first manifests itself when the computer crashes after it runs for some time, with the user seeing the following BSOD (the four parameters vary depending on the computer):

STOP: 0x0000000A (parameter1, parameter2, parameter3, parameter4) IRQL_NOT_LESS_OR_EQUAL

Microsoft explains that the issue occurs because Power Manager opens an Advanced Local Procedure Call (ALPC) port and then closes a different port instead of the ALPC one, so the leaked ports accumulate into a memory leak that eventually crashes the system. If you’re affected, this is for you: Hotfix Request.

Few users realize the second issue is a bug. As described in KB958685, it affects all versions of Vista, Windows Server 2008, and Windows 7. If the user puts the notebook to sleep while its lid is still open and then afterwards closes the lid while the computer is still asleep, Windows will only display a blank screen and a mouse pointer upon wake. This continues until a key is pressed or the mouse is clicked. You can wait for the next software update that contains this hotfix (SP1 on Windows 7 and Windows Server 2008 R2, SP2 on Vista) or you can click this: Hotfix Request.

The third issue is described in KB978789 and specifically applies to computers with chipsets from the Intel 5 Series or the Intel 3400 Series families running Windows 7 Home Premium, Professional, or Ultimate. Using a USB bulk storage device that has pending control and bulk traffic with such a Windows-based computer will result in the device becoming unresponsive, with the iPhone mentioned as one device that triggers it.

Microsoft doesn’t have a hotfix for this problem, suggesting that the user contact the computer/motherboard manufacturer for a BIOS update.

The last problem is explained in KB975360 and affects all editions of Windows 7. It is only evident with computers that have a quad-core processor and support multitouch, and involves the Microsoft Rebound game from the Microsoft Touch Pack for Windows 7 not responding if you try to launch it. Since this is entirely a Microsoft problem, here’s the solution: Hotfix Request.

Microsoft is expected to offer SP1 for Windows 7 and Windows Server 2008 R2 this fall.

post information: Emil Protalinski
posted by: Myke Reinhold

MS10-015 bulletin - possible BSOD with never ending boot cycles

“…oops I did it again…”  No, we are not going to discuss Britney Spears, but some folks at Microsoft are scrambling for answers after a serious update failure.  The MS10-015 update bulletin is causing some systems to lock up, and then during boot they BSOD into a never-ending boot cycle.  Ouch.

Here is the crazy part of the equation: some systems do just fine.  I have tested the updates on 10 workstations; 4 crashed out and died while the other 6 were perfectly fine.  I need to clarify one piece, though: each of these systems is exactly the same…EXACTLY.  Each one is a virtual desktop with the exact same applications and updates, and I used the exact same disc to build the machines.  I ran updates on all 10 systems one at a time.

Here is what I did to repair the four dead systems.

  • Boot from your Windows XP CD or DVD and start the Recovery Console.
  • Once at the repair screen, type this command: CHDIR $NtUninstallKB977165$\spuninst and hit ENTER
  • Type this command: BATCH spuninst.txt and hit ENTER
  • Type this command: systemroot and hit ENTER
  • When complete, type this command: exit and hit ENTER

Of course this may or may not fix your system, but so far it has worked for my dead test systems.

Confused?  You are not alone on this one.  Folks have been trying to figure out what happened, and everyone seems to be testing this like crazy.  My final thought on the issue…TOO MANY security fixes and tweaks in one bulletin.  Each time Microsoft tries to update systems with a large number of security fixes and tweaks, it seems like they get a large number of failures.  Seems like they should have broken this month’s updates into 2 for the month…which they have done before.

Other related stories on this issue:
MS update gives some XP boxes the Blue Screen
New Patches Cause BSoD for Some Windows XP Users

Microsoft blog post on this issue:
Restart issues after installing MS10-015

Microsoft’s workaround for this issue:
Microsoft Security Advisory: Vulnerability in Windows Kernel could allow elevation of privilege

As always, enjoy your updating and let us know if you encounter any other nasty issues.

posted by: Myke Reinhold

Windows 7 - Explorer.exe keeps crashing

This post contains information on how to edit and modify your Windows Registry.  It is always recommended that you back up the Registry before editing any of the values, because improper editing can cause strange behaviour and at worst could corrupt your operating system completely, requiring you to reinstall Windows.

We encourage you to try out the registry changes, but only if you know what you are doing and do it with care.

After building a brand new Windows 7 ENT x64 laptop I ran into some issues.  The issues started shortly after finishing some updates.  Explorer.exe kept crashing every time I would right-click on an icon or try to use anything that used explorer.exe.  After searching the web for hours I found nothing that actually resolved the issue.  Pretty much everything out there pointed to doing a full restore or a clean installation.  I also found a couple of posts that said once they deleted their profile and rebuilt it, everything worked.  Each of these is true, but why waste the time and effort?  I am not sure about you, but hearing a Microsoft employee tell you to do a clean install because it is hardware related or due to 3rd-party software is getting real old.  Well, you are in luck, folks, because I have a solution that does not harm the machine and can be done within 2 minutes.

Here is the error we were getting in our event logs:
The program Explorer.EXE version 6.1.7600.16404 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
Process ID: 810
Start Time: 01ca6d1f1aca747c
Termination Time: 0
Application Path: C:\Windows\Explorer.EXE
Report Id: 3fe9620d-d913-11de-8a55-00242cbe9d84

I ran every application I had that would point me in a direction of figuring out what was causing it and found nothing.  I decided to go through the 34 updates I had applied the day before and finally found an issue.  One of the updates was forcing the CEIP to execute.  *Dear Microsoft, why place something like this in an OS when you know it causes problems?*

The cause of the Windows Explorer crash is the SQM Client, which is part of the Customer Experience Improvement Program (CEIP). Under the default setting, where MachineThrottling is enabled in the registry, any call to WinSqmStartSession in ntdll.dll will cause Explorer to crash or a Windows Installer installation to fail.

So instead of waiting for a hotfix or an update from Microsoft, just delete the MachineThrottling value from the registry. It is located under the following registry key: HKLM\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions

*NOTE*  If you do not know what you are doing within the registry, stop and do not proceed.  Ask for help from someone who knows what they are doing and can recover your registry if a failure occurs.

To make it easy, you can just create your own little batch file with the following command:
reg delete HKLM\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions /v MachineThrottling /f

At this point you can close the Registry Editor, right-click on your file or icon, and you should be good to go.
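The backup-then-delete the post insists on, as an added PowerShell function (not from the original post, and not Microsoft's code): it exports the key with reg.exe so the change can be rolled back, deletes the value with the same reg delete syntax as the batch one-liner above, and verifies the result. With -WholeKey it also covers the HCP protocol workaround from the first post on this page; the HKCR\HCP key path there is my assumption and should be confirmed against the advisory.

```powershell
# Added example, not part of the original post. Run from an elevated prompt.
function Remove-RegistryEntryWithBackup {
    param(
        [Parameter(Mandatory=$true)][string]$Key,   # reg.exe style, e.g. HKLM\SOFTWARE\...
        [string]$Name,                              # value to delete; omit when using -WholeKey
        [switch]$WholeKey,                          # delete the entire key instead of one value
        [string]$BackupDir = (Join-Path $env:SystemDrive 'RegBackups')
    )
    if (-not $WholeKey -and -not $Name) { throw 'Specify a value -Name or use -WholeKey.' }

    # Translate the reg.exe hive abbreviation into a PowerShell provider path.
    $hives = @{ HKLM = 'HKEY_LOCAL_MACHINE'; HKCU = 'HKEY_CURRENT_USER'
                HKCR = 'HKEY_CLASSES_ROOT';  HKU  = 'HKEY_USERS' }
    $hive, $rest = $Key -split '\\', 2
    if (-not $hives.ContainsKey($hive)) { throw "Unknown hive '$hive' in $Key" }
    $psPath = "Registry::$($hives[$hive])\$rest"

    if (-not (Test-Path -LiteralPath $psPath)) { Write-Host "$Key not present; nothing to do."; return $false }
    if (-not $WholeKey -and
        $null -eq (Get-ItemProperty -LiteralPath $psPath -Name $Name -ErrorAction SilentlyContinue)) {
        Write-Host "Value $Name not present under $Key; nothing to do."; return $false
    }

    # 1. Back up the key first (the post's own advice, made mandatory here).
    if (-not (Test-Path -LiteralPath $BackupDir)) { New-Item -ItemType Directory -Path $BackupDir | Out-Null }
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = Join-Path $BackupDir ('{0}-{1}.reg' -f ($Key -replace '[\\:]', '_'), $stamp)
    reg export $Key $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $backup)) { throw "Backup of $Key failed; aborting." }
    Write-Host "Backup written to $backup (roll back with: reg import `"$backup`")"

    # 2. Delete, with the same reg.exe syntax as the batch one-liner above.
    if ($WholeKey) { reg delete $Key /f | Out-Null } else { reg delete $Key /v $Name /f | Out-Null }
    if ($LASTEXITCODE -ne 0) { throw "reg delete failed with exit code $LASTEXITCODE" }

    # 3. Verify that the entry is really gone.
    if ($WholeKey) { $gone = -not (Test-Path -LiteralPath $psPath) }
    else { $gone = $null -eq (Get-ItemProperty -LiteralPath $psPath -Name $Name -ErrorAction SilentlyContinue) }
    if (-not $gone) { throw "reg delete reported success but $Key still has the entry." }
    return $true
}

# The fix from this post: remove the MachineThrottling value.
Remove-RegistryEntryWithBackup -Key 'HKLM\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions' -Name 'MachineThrottling'

# The HCP workaround from the first post works the same way on a whole key.
# Assumption: the handler is registered under HKCR\HCP; confirm the exact key in the advisory.
# Remove-RegistryEntryWithBackup -Key 'HKCR\HCP' -WholeKey
```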

posted by: Myke Reinhold

Microsoft Outlook NK2 file location

Going back to an old-school issue.  What do you do when you switch out an end user’s computer and they freak out because all of their AutoComplete addresses in Outlook are no longer there?  Easy: move their .nk2 file to the new computer and call it a day.

Do you miss the convenience of Outlook automatically completing people’s names as you begin to type them on your new computer? Are you upgrading to a new computer and don’t want to lose all the names stored in your Outlook AutoComplete feature? Wouldn’t it be nice if Outlook installed on your new computer just “remembered” the names and filled them in for you?

Automatically complete e-mail addresses

You can copy the names in AutoComplete from your old computer to your new one.

Copy the names in AutoComplete to another computer

Important: You must exit Outlook before starting the following procedure. The names will be included in AutoComplete when you restart Outlook.

  1. On the computer with the saved AutoComplete names, go to drive:\Documents and Settings\user name\Application Data\Microsoft\Outlook. Note: Depending on your file settings, this folder might be hidden. To view the files in this folder, do one of the following:

    Microsoft Windows XP

    1. Click Start, and then click My Computer.
    2. On the Tools menu, click Folder Options.
    3. Click the View tab, and then, under Advanced settings, under Hidden files and folders, click Show hidden files and folders.

    Microsoft Windows 2000

    1. Double-click My Computer on your desktop.
    2. On the Tools menu, click Folder Options.
    3. Click the View tab, and then click Show hidden files and folders.

  2. Right-click profile name.nk2, and then click Copy. Tip: You can copy the file to removable media, such as a floppy disk or a CD, and then copy the file to the correct location on the other computer. Or you can attach the file to an e-mail message and send the message to yourself. On the new computer, open the attachment in Outlook, and then save it to the correct location.
  3. On the computer where you want to populate the AutoComplete feature, copy the file to drive:\Documents and Settings\user name\Application Data\Microsoft\Outlook.
  4. If the Outlook user profile name is different on the computer where you are moving the .nk2 file, you must rename the file with the same Outlook user profile name after you copy it to the correct folder. For example, if you move Kim Akers.nk2 from the original computer with an Outlook user profile name of Kim Akers, and you copy the Kim Akers.nk2 file to the new computer, you must rename it with the Outlook profile name being used on the new computer.
  5. When prompted about replacing the existing file, click Yes.
  6. Open Outlook to view changes.

source: Microsoft Office Online
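The copy-and-rename steps above as an added PowerShell function (my example, not Microsoft's): it enforces the "exit Outlook first" note, resolves the Application Data\Microsoft\Outlook folder from $env:APPDATA (no need to unhide it), renames the file to the destination profile name as step 4 requires, and backs up any .nk2 it would overwrite. The source path and profile name in the call are constructed placeholders.

```powershell
# Added example, not part of the original article.
function Copy-OutlookAutoComplete {
    param(
        [Parameter(Mandatory=$true)][string]$SourceFile,         # the old computer's <profile>.nk2
        [Parameter(Mandatory=$true)][string]$TargetProfileName,  # Outlook profile name on the new computer
        [string]$TargetDir = (Join-Path $env:APPDATA 'Microsoft\Outlook')
    )
    # The article's "Important" note: Outlook must be closed or it will overwrite the file on exit.
    if (Get-Process -Name OUTLOOK -ErrorAction SilentlyContinue) {
        throw 'Close Outlook before copying the AutoComplete file.'
    }
    if (-not (Test-Path -LiteralPath $SourceFile)) { throw "Source not found: $SourceFile" }
    if ([IO.Path]::GetExtension($SourceFile) -ne '.nk2') { throw 'Source is not an .nk2 file.' }
    if (-not (Test-Path -LiteralPath $TargetDir)) {
        New-Item -ItemType Directory -Path $TargetDir | Out-Null
    }

    # Step 4: the file name must match the profile name used on the new computer.
    $dest = Join-Path $TargetDir ('{0}.nk2' -f $TargetProfileName)
    if (Test-Path -LiteralPath $dest) {
        $bak = '{0}.{1}.bak' -f $dest, (Get-Date -Format 'yyyyMMdd-HHmmss')
        Copy-Item -LiteralPath $dest -Destination $bak
        Write-Host "Existing AutoComplete file backed up to $bak"
    }
    Copy-Item -LiteralPath $SourceFile -Destination $dest -Force
    return (Get-Item -LiteralPath $dest).FullName
}

# Constructed example values: file copied from the old machine to a USB stick, new profile named "Outlook".
Copy-OutlookAutoComplete -SourceFile 'E:\backup\Kim Akers.nk2' -TargetProfileName 'Outlook'
```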

Make a mapped drive available offline

As simple and easy as this task is, we received about 10 emails over the last 2 weeks asking, “I have my users set up to use a mapped drive for their personal data stored on the network.  How can I make that available to them while they are not on the network?”

Easy, open up My Computer and right-click on the mapped drive and select “Make available offline”.  That’s it.  Once the wizard pops up you can detail what you want the offline files to do and once you complete the wizard, it will begin the sync of the files to the local PC.  You are now done.  Cheers.

PrivateKeyMissing when running Enable-ExchangeCertificate

Enable-ExchangeCertificate : The certificate with thumbprint XXXXXXXXX was found but is not valid for use with Exchange Server
(reason: PrivateKeyMissing).
At line:1 char:27
+ Enable-ExchangeCertificate <<<< -Thumbprint XXXXXXXXX -Services “IIS”

The above error is the result of a glitch in Exchange 2007. It does not happen all the time and appears completely random, but when it does happen no certificate can be installed or removed through the Exchange Management Shell (EMS). Whatever the trigger, either the system loses track of where it placed the private key or the certificate store is damaged.

Repair Damaged Certificate Store:

1) Open MMC (Microsoft Management Console) with the Certificates snap-in for the Local Computer account.
2) Double-click the recently imported certificate (it will be missing the golden key).
3) Go to the Details tab.
4) Click on the Serial Number field and copy down that number. (Leave the window open.)
5) Open a command prompt (CMD.exe).
6) Type: certutil -repairstore my "SerialNumber" (where SerialNumber is the number copied down in step 4).
7) After running the command, go back to the MMC, right-click Certificates and select "Refresh".
8) You should now see the golden key associated with the certificate.
9) Double-check in the Exchange Management Shell with: Get-ExchangeCertificate

Alternatively, if the above does not work, try the following:
Note: Follow these steps only if running Windows Server 2008.

1) Open MMC (Microsoft Management Console) with the Certificates snap-in for the Local Computer account.
2) Look in the Personal section of the Certificate Manager; there should be icon(s) without a little golden key. (Those with the key have the private key bound to them.)
3) Delete the icons without the golden key.
4) Go back to the EMS.
5) Run Import-ExchangeCertificate and Enable-ExchangeCertificate in one pipeline, like so: Import-ExchangeCertificate -Path c:\exchange.comodo.com.crt | Enable-ExchangeCertificate -Services "SMTP, IMAP, IIS, POP"
*** Please modify the command according to your needs. ***
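Steps 1 to 9 of the repair procedure as an added PowerShell script (my example, not from the original post): it enumerates the Local Computer Personal store for certificates with no private key bound (the ones without the golden key), and with -Repair runs the same certutil -repairstore command as step 6 for each, using the serial number read from the store rather than copied by hand, then re-reads the store so you know which certificates still need the delete-and-reimport route.

```powershell
# Added example, not part of the original post. Run from an elevated prompt
# (certutil -repairstore defaults to the machine store, matching Cert:\LocalMachine\My).
function Get-CertificateWithoutPrivateKey {
    Get-ChildItem -Path 'Cert:\LocalMachine\My' |
        Where-Object { -not $_.HasPrivateKey } |
        Select-Object Subject, Thumbprint, SerialNumber, NotAfter
}

function Repair-CertificatePrivateKey {
    param([switch]$Repair)   # without -Repair the function only reports

    $broken = @(Get-CertificateWithoutPrivateKey)
    if ($broken.Count -eq 0) {
        Write-Host 'Every certificate in the Personal store has a private key bound.'
        return @()
    }
    foreach ($c in $broken) {
        Write-Host ('No private key: {0} (thumbprint {1}, serial {2})' -f $c.Subject, $c.Thumbprint, $c.SerialNumber)
    }
    if (-not $Repair) { return $broken }

    foreach ($c in $broken) {
        # Same command as step 6 of the procedure above.
        $serial = $c.SerialNumber
        certutil -repairstore my $serial | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "certutil could not repair $($c.Thumbprint) (exit code $LASTEXITCODE)"
        }
    }
    # Re-read the store (the equivalent of step 7's Refresh and step 9's Get-ExchangeCertificate).
    $still = @(Get-CertificateWithoutPrivateKey)
    foreach ($c in $still) {
        Write-Warning "Still missing a private key: $($c.Thumbprint); use the delete-and-reimport steps."
    }
    return $still
}

Repair-CertificatePrivateKey            # report only
# Repair-CertificatePrivateKey -Repair  # report, repair, re-check
```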

On Windows Vista/Windows 7/Server 2008, “Run as Administrator” is your friend

“I cannot put my Citrix server into install mode.  It keeps saying I am not an administrator and my account is a domain admin.  WTF gives man?” 

Over the last few weeks we have received multiple e-mails asking why they cannot put a Terminal Services/Citrix server into install mode.  Each time they try, they encounter the following error: “Only members of the Administrators group may enable Install Mode”.  The problem is not your account or the privileges it has.  These newer operating systems have elevated security compared to Server 2003 and Windows XP.  If you right-click CMD.exe (located at C:\Windows\System32), select “Run as Administrator”, and then place the server or machine into Install Mode (change user /install), you should be fine.  This is annoying to a point, but at the same time a nice security feature.  As always with Microsoft, it irritates us at first, but we soon learn to do it out of habit.

Note - If you have renamed and/or disabled your built-in Administrator account, you can still run the task above.  If you still have any questions please feel free to let us know.  Cheers.