Morgan's Blog

How to disable hibernation on a computer running Windows Vista/Server 2008
The hibernation feature in Windows, first introduced in Windows 2000, lets a computer save its state to a hibernation file on disk and then power off completely. State in this context means the contents of the computer's memory at the time of hibernation. The hibernation file, hiberfil.sys in the root of the boot volume, is the same size as the installed memory in the computer.
 
For portable computers, and maybe workstations, hibernation is a great feature, but probably not for servers. A server is not a machine you typically want to hibernate. As stated above, the hibernation file is the same size as the installed memory, so if your server has 16 GB of memory you will see a 16 GB hiberfil.sys in the root of that volume. That is a big waste of space for something you will probably never use. It is also a complete image of RAM at the moment of hibernation, so whatever was in memory, cached credentials and encryption keys included, ends up on disk in that file; on a server that is one more reason not to keep it around. So how do you disable the hibernation functionality and remove the hiberfil.sys file?
 
The powercfg.exe command line utility, which Windows Vista extended considerably, lets you configure every aspect of power management on a system. Running powercfg.exe with this parameter disables the hibernation feature and removes the hiberfil.sys file:
 
powercfg.exe /hibernate off
 
After this command has been executed, Windows removes the hibernation file automatically. The command needs an elevated prompt; without one it fails with a permission error.
 
Not all server systems have hibernation enabled, so you will not always see a hiberfil.sys. Remember also to turn on viewing of hidden and protected operating system files in Explorer (Folder Options) to be able to see the hiberfil.sys file.
 
This info is also documented in this KB article:
How to disable and re-enable hibernation on a computer that is running Windows Vista
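The same check and change from PowerShell, as an added example that is not part of the original post: it reports hiberfil.sys against installed RAM, runs powercfg the way described above (only from an elevated prompt), and then verifies that the file is really gone rather than trusting the command. It assumes PowerShell 2.0 or later; the file name and WMI class are the standard ones.

```powershell
# Added example, not from the original post: report hiberfil.sys versus RAM,
# disable hibernation with powercfg, and confirm the file has been removed.
# Assumes PowerShell 2.0+ and an elevated prompt for the Disable step.

function Get-HiberfilStatus {
    $path = Join-Path $env:SystemDrive 'hiberfil.sys'
    # hiberfil.sys is hidden + system, so Get-Item needs -Force to see it at all
    $file = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    $ram  = (Get-WmiObject -Class Win32_ComputerSystem).TotalPhysicalMemory
    $size = 0
    if ($file) { $size = $file.Length }
    $pct = 0
    if ($ram -gt 0) { $pct = [math]::Round(100 * $size / $ram) }
    New-Object PSObject -Property @{
        Path           = $path
        Present        = [bool]$file
        HiberfilGB     = [math]::Round($size / 1GB, 2)
        InstalledRamGB = [math]::Round($ram / 1GB, 2)
        PercentOfRam   = $pct
    }
}

function Test-Elevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Disable-Hibernation {
    # powercfg only changes this setting with an elevated token, so check up front
    if (-not (Test-Elevated)) { throw 'Run this from an elevated prompt.' }
    & powercfg.exe /hibernate off
    if ($LASTEXITCODE -ne 0) { throw "powercfg failed with exit code $LASTEXITCODE" }
    # Windows deletes hiberfil.sys itself; do not trust that, verify it
    $after = Get-HiberfilStatus
    if ($after.Present) { throw 'hiberfil.sys is still present after powercfg ran' }
    $after
}

$before = Get-HiberfilStatus
$before | Format-List Path, Present, HiberfilGB, InstalledRamGB, PercentOfRam
if ($before.Present) { Disable-Hibernation | Format-List Present, HiberfilGB }
```

On a machine where hibernation is already off the script only prints the status; PercentOfRam close to 100 is what you expect to see on a Vista/2008 box before the change.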
Backing up your Windows Vista/7 profile using Robocopy
Whenever I upgrade the OS on one of my computers or upgrade the computer itself, I always make a manual backup of the data I need to retain. There are many utilities that do this job for you, like User State Migration Tool and Windows Easy Transfer, but none of them give me that warm fuzzy feeling that total manual control provides.
 
The Robocopy utility, short for Robust File Copy, is one of my all time favorites when it comes to copying large amounts of data. Robocopy used to be part of the Windows Resource Kit, but at least since Windows Vista/Server 2008 it has been part of the base OS installation. This is the command I use to back up my Windows profile, which contains the bulk of my data:
 
robocopy.exe c:\Users\Morgan g:\ProfileBackup /E /ZB /R:0 /W:0 /XJ /NFL /XD "Temporary Internet Files" Temp cache WER /XF *cache*
 
Parameter   Explanation
/E          Copy all subdirectories, even empty ones.
/ZB         Use restartable mode; if access is denied, retry that file in Backup mode.
/R:0        Number of retries on failed copies, in this case 0.
/W:0        Wait time between retries, in this case 0.
/XJ         Exclude junction points.
/NFL        No File List: don't log file names.
/XD         Exclude the named directories (space-delimited list).
/XF         Exclude the named files (space-delimited list, wildcards allowed).
 
Note that the command prompt from which you run this command must be elevated (run as administrator). This is because we tell Robocopy to use backup mode when it cannot access a file. Backup mode copies through the backup interface, which bypasses the file's DACL, and the right to do that (Back Up Files and Directories, i.e. SeBackupPrivilege) is held only by the Administrators and Backup Operators groups on Windows Vista/7. Under UAC an administrator's non-elevated token has that privilege stripped, so from an ordinary prompt the fallback fails with access denied even though you are an administrator.
 
The /XJ parameter requires some extra explanation. Windows Vista changed the layout of user profiles, making Vista profiles incompatible with profiles in earlier versions of Windows. To keep older applications working, a Vista profile contains several NTFS junctions (Application Data, Local Settings, My Documents and so on) that map the old folder names to the new locations. Some of them point back up the tree, e.g. AppData\Local\Application Data points at AppData\Local, and they carry a deny entry for Everyone on List Folder precisely so that tools do not wander into them. Backup mode ignores that deny entry, so if you run Robocopy with /ZB but without /XJ the copy loops, creating nested folders in the destination until the path exceeds the 260-character MAX_PATH limit of the Win32 API (NTFS itself allows far longer paths). Therefore we need to exclude junctions.
 
When you run this command you will see a number of files that cannot be copied because they are in use; Robocopy reports them as sharing violations. This can be safely ignored. They are files such as NTUSER.DAT, your user registry hive, and its transaction logs, which are locked for as long as you are logged on. If you want a copy of these files as well you have to boot into WinPE and copy from there, or log on as another user with administrative privileges and copy the profile. I have never needed any of the data in these files.
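The same backup driven from PowerShell, as an added example that is not the post's own command: it refuses to run without elevation (the /ZB fallback needs SeBackupPrivilege), writes a log instead of scrolling the console, decodes Robocopy's bitmask exit code, and counts the locked-file errors described above separately from anything else that failed. It assumes PowerShell 2.0 or later; the source, destination and log path are the caller's choice, and Test-Elevated and ConvertFrom-RobocopyExitCode are helpers written here.

```powershell
# Added example, not from the original post: wrap the Robocopy profile backup
# and actually check its result. Assumes PowerShell 2.0+ and an elevated prompt.

function Test-Elevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal($id)).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function ConvertFrom-RobocopyExitCode {
    param([int]$Code)
    # Robocopy's exit code is a bitmask, not a plain status. Bits 1, 2 and 4 are
    # informational; 8 and 16 mean something went wrong. 0 means nothing to do.
    $meaning = @{ 1  = 'Files copied'
                  2  = 'Extra files or directories in destination'
                  4  = 'Mismatched files or directories'
                  8  = 'Some files or directories could not be copied'
                  16 = 'Fatal error (bad source/destination or usage)' }
    $flags = @()
    foreach ($bit in 1, 2, 4, 8, 16) { if ($Code -band $bit) { $flags += $meaning[$bit] } }
    New-Object PSObject -Property @{
        ExitCode = $Code
        Flags    = $flags
        Success  = ($Code -lt 8)   # anything with bit 8 or 16 set is a failure
    }
}

function Backup-Profile {
    param([string]$Source, [string]$Destination, [string]$LogFile)
    if (-not (Test-Elevated)) { throw 'The /ZB fallback needs SeBackupPrivilege; run elevated.' }
    # Same switches as the post, minus /NFL (we want failed names in the log),
    # plus /NP (no per-file progress) and a log file instead of console output
    $rcArgs = @($Source, $Destination, '/E', '/ZB', '/R:0', '/W:0', '/XJ', '/NP',
                '/XD', 'Temporary Internet Files', 'Temp', 'cache', 'WER',
                '/XF', '*cache*',
                "/LOG:$LogFile")
    & robocopy.exe @rcArgs | Out-Null
    $result = ConvertFrom-RobocopyExitCode -Code $LASTEXITCODE
    # Robocopy logs failures as "<date> <time> ERROR <n> (0x...) Copying File ...".
    # Error 32 is ERROR_SHARING_VIOLATION: the in-use files (NTUSER.DAT and its
    # logs) the post says can be ignored. Anything else deserves a look.
    $errLines = @(Select-String -Path $LogFile -Pattern '^\s*\S+ \S+ ERROR (\d+) ')
    $inUse    = @($errLines | Where-Object { $_.Matches[0].Groups[1].Value -eq '32' })
    Add-Member -InputObject $result -MemberType NoteProperty -Name InUseFiles  -Value $inUse.Count
    Add-Member -InputObject $result -MemberType NoteProperty -Name OtherErrors -Value ($errLines.Count - $inUse.Count)
    Add-Member -InputObject $result -MemberType NoteProperty -Name Log         -Value $LogFile
    $result
}

$r = Backup-Profile -Source $env:USERPROFILE -Destination 'G:\ProfileBackup' `
                    -LogFile (Join-Path $env:TEMP 'profile-backup.log')
$r | Format-List ExitCode, Success, Flags, InUseFiles, OtherErrors, Log
```

A run that copied everything except the locked hive files ends with ExitCode 9 (1 + 8), Success False and OtherErrors 0; that combination is the "all fine" outcome for this particular job, which is exactly why decoding the bits beats looking at the raw number.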
 
How to exit explorer.exe gracefully on Windows XP and Windows Vista

When you install a piece of software that integrates with the Windows shell, typically explorer.exe, you are usually told to restart your computer to complete the installation. If the installer simply killed explorer.exe the user would be left without a usable GUI. There is, however, a supported way of closing the shell process cleanly, which may save you a reboot when installing software. Or just give you something to test and play around with.

Windows Vista

Press the Start button and, while holding Ctrl+Shift, right-click an empty area of the Start menu, or the power or lock buttons. An extra context menu appears with a single entry, Exit Explorer. Click it to exit the shell process.

Windows XP

Open the shutdown dialog, Log Off…/Shut Down/Restart, and while holding Ctrl+Alt+Shift hit the Cancel button. Explorer will exit cleanly.

So now what?

OK, so we have made our shell exit. How do we control the computer now? Any applications that were running while the shell was up still have their windows on the desktop, but without a taskbar you will not be able to do much with them. We need to restart the shell process. Simple: bring up Task Manager (press Ctrl+Shift+Esc), select New Task… (Run) from the File menu, enter explorer.exe, and your shell restarts.

More info on Aaron Margosis' Blog:
http://blogs.msdn.com/aaron_margosis/archive/2007/07/17/how-to-cleanly-stop-explorer-exe-on-windows-vista.aspx

Using WinPE and ImageX to recover from a failed hard drive
The hard drive storing the boot and system volumes of my main home machine failed a couple of weeks ago. The drive first started making strange noises and occasionally the machine would hang or blue screen. The hangs, which usually were recoverable, were accompanied by errors in the system log, like this one (shown as returned by Get-EventLog):
 
Index              : 270720
EntryType          : Error
EventID            : 11
Message            : The driver detected a controller error on \Device\Ide\IdePort0.
Category           : (0)
CategoryNumber     : 0
ReplacementStrings : {\Device\Ide\IdePort0}
Source             : atapi
TimeGenerated      : 11.01.2009 20:47:12
TimeWritten        : 11.01.2009 20:47:12
UserName           :
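The entry above is one atapi event; the warning sign is the same error repeating on the same device. Here is an added PowerShell check, not part of the original post, that scans the System log for the disk and controller errors that typically precede a drive failure and summarises them per device, so a drive like this one gets noticed while there is still time to image it. It assumes PowerShell 2.0 or later (for -After and -EntryType) and read access to the System log; the event IDs are the standard atapi and disk ones.

```powershell
# Added example, not from the original post: summarise controller/disk errors
# per device from the System log. Assumes PowerShell 2.0+.

function Get-DiskErrorSummary {
    param([int]$Days = 7, [int]$AlertThreshold = 3)
    $since = (Get-Date).AddDays(-$Days)
    # 11 = controller error (atapi/disk), 51 = error during paging operation
    # (disk, logged as Warning), 7 = bad block (disk). Repeats on one device
    # are the signal; a single event after a cable wiggle is noise.
    $watched = @{ 'atapi' = @(11); 'disk' = @(7, 11, 51) }
    $events = Get-EventLog -LogName System -After $since -EntryType Error, Warning |
        Where-Object { $watched.ContainsKey($_.Source) -and ($watched[$_.Source] -contains $_.EventID) }
    # The device is the first replacement string, e.g. \Device\Ide\IdePort0
    $events |
        Group-Object { if ($_.ReplacementStrings.Count -gt 0) { $_.ReplacementStrings[0] } else { '(unknown)' } } |
        ForEach-Object {
            $times = @($_.Group | ForEach-Object { $_.TimeGenerated } | Sort-Object)
            New-Object PSObject -Property @{
                Device = $_.Name
                Events = $_.Count
                First  = $times[0]
                Last   = $times[$times.Count - 1]
                Alert  = ($_.Count -ge $AlertThreshold)
            }
        } | Sort-Object Events -Descending
}

Get-DiskErrorSummary -Days 30 | Format-Table Device, Events, First, Last, Alert -AutoSize
```

Run it from a scheduled task and mail yourself anything with Alert set to True; by the time the noises start, as they did here, the log has usually been complaining for a while.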
 
Before the drive finally gave out I was able to use ImageX to make a backup in a WIM file.
 
The first replacement drive I received, a Seagate 250GB drive, was DOA. Go figure. The second one, a Samsung 300 GB drive worked. Here are the complete steps I followed to make the backup and restore my machine.
 
  1. Download and install the Windows Automated Installation Kit (WAIK).
    This package contains WinPE, which I use to capture and apply the WIM image, as well as ImageX, the utility that does the capture and apply.
  2. Create a bootable WinPE CD-ROM containing ImageX.
    ImageX.exe is the only file I needed to add that was not already included in WinPE.
  3. Boot the WinPE CD.
  4. Run ImageX:
    imagex /capture c: d:\myvistabackup.wim "Emergency Vista Backup" /compress none
  5. Replace the failed drive.
  6. Boot WinPE again.
  7. Run Diskpart to create a new partition on the new drive and set it active (use list disk first to confirm that disk 0 really is the new, empty drive: clean wipes whatever is selected):
    diskpart
    list disk
    select disk 0
    clean
    create partition primary
    assign letter=c
    active
    exit
  8. Format the new partition:
    format c: /fs:ntfs /q /y
  9. Apply the image:
    imagex /apply d:\myvistabackup.wim 1 c:\
  10. Update the Boot Configuration Data (BCD) store so that it points at the new partition:
    bcdedit /set {bootmgr} device partition=c:
    bcdedit /set {default} device partition=c:
    bcdedit /set {default} osdevice partition=c:
    If bcdedit complains that it cannot open the store, or you want to be certain you are editing the restored store rather than WinPE's own, add /store c:\boot\bcd to each command. Should the machine still not boot afterwards, write fresh Vista boot code to the partition with bootsect /nt60 c: (bootsect.exe ships in the WAIK).
  11. Reboot.
Installing PowerShell with Package Manager on Windows Vista

Package Manager (Pkgmgr.exe) is a new Windows Vista command-line tool that you can use offline to install, remove, or update Windows packages. You can add a package, provided as a .cab file, to an offline Windows image.  Package Manager can also enable or disable a Windows feature, either offline or on a running Windows installation. And it is this last piece of functionality that we are going to be using here.

When you install the PowerShell package (KB928439) on Windows Vista it extends the list of optional features that can be selected to enable or disable. A lot of updates behave like this, eg. the Remote Server Administration Tools (RSAT) package. You can run optionalfeatures.exe to use a GUI to enable or disable the available features. But as mentioned you can also use Package Manager (pkgmgr.exe) to enable or disable the same features. The command to enable PowerShell is:

start /w pkgmgr.exe /iu:MicrosoftWindowsPowerShell

To disable PowerShell; run:

start /w pkgmgr.exe /uu:MicrosoftWindowsPowerShell

The start /w part is necessary because the default behaviour of pkgmgr.exe is to return immediately to the command line even when it is still performing its tasks. So to have the command prompt wait for the pkgmgr.exe process to finish before returning, add start /w.

Package Manager requires elevation to run, so either start it from an elevated prompt or be prepared to approve the elevation with the UAC prompt. To check the result of the Package Manager operation run echo %errorlevel% after Package Manager has finished.

To enable or disable other features have a look here for the names:

Windows Vista packages: http://technet.microsoft.com/en-us/library/cc722041.aspx

Windows Server 2008 packages: http://technet.microsoft.com/en-us/library/cc748930.aspx
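The same thing from PowerShell, as an added example that is not part of the original post: it runs pkgmgr.exe the way the post runs it from cmd (start /w), requests elevation through the runas verb, waits for the process, and interprets the exit code; 3010 is ERROR_SUCCESS_REBOOT_REQUIRED, which pkgmgr returns when the feature change needs a restart. PowerShell obviously has to be installed already, so in practice this is for the other features such as RSAT; the feature name used below is the one from the post, and it assumes PowerShell 2.0 or later.

```powershell
# Added example, not from the original post: enable/disable a Vista optional
# feature with pkgmgr.exe from PowerShell and check the result.
# Assumes PowerShell 2.0+; the runas verb raises the UAC prompt if needed.

function Set-OptionalFeature {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [ValidateSet('Install', 'Uninstall')][string]$Action = 'Install'
    )
    $switch = '/iu'
    if ($Action -eq 'Uninstall') { $switch = '/uu' }
    # UseShellExecute + 'runas' hands back the elevated process, so unlike a
    # plain pkgmgr call (which returns immediately) we can wait on it
    $psi = New-Object System.Diagnostics.ProcessStartInfo
    $psi.FileName        = Join-Path $env:SystemRoot 'System32\pkgmgr.exe'
    $psi.Arguments       = $switch + ':' + $Name
    $psi.Verb            = 'runas'
    $psi.UseShellExecute = $true
    $proc = [System.Diagnostics.Process]::Start($psi)
    $proc.WaitForExit()
    $status = switch ($proc.ExitCode) {
        0       { 'Completed' }
        3010    { 'Completed, reboot required' }
        default { 'Failed' }
    }
    New-Object PSObject -Property @{
        Feature  = $Name
        Action   = $Action
        ExitCode = $proc.ExitCode
        Status   = $status
        Success  = ($proc.ExitCode -eq 0 -or $proc.ExitCode -eq 3010)
    }
}

# Feature name from the post; substitute any name from the TechNet package lists
Set-OptionalFeature -Name 'MicrosoftWindowsPowerShell' -Action Install | Format-List
```

The ExitCode property is the same value you would read back with echo %errorlevel% after the start /w version.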

 

Zone Information for downloaded files and NTFS Alternate Data streams

Since Windows XP Service Pack 2, every time you try to run or open a file that has been downloaded from the Internet, or more correctly from the Internet zone as Internet Explorer defines it, you are prompted with a security warning.

What this message does, basically, is warn you that you are opening a file downloaded from an untrusted location. You can see further evidence of this in the file's properties: the General tab has a Security section stating that the file came from another computer and might be blocked, with an Unblock button next to it.

If you click Unblock, the next time you open the same file there is no warning. Somehow, by pressing Unblock, you have told Windows that you want to allow this particular file even though it came from the Internet. But where is this information stored? I searched in all the places I could think of: attributes, DACLs, SACLs, details. What prompted me to do this was that I wanted to unblock several files and was looking for a command line utility to do it. Not even Google knew where this information was stored.

The reason I wanted a command line tool was this. If you download an archive from the Internet and then extract the files in it before you unblock it, all the extracted files are also marked as coming from the Internet and require individual unblocking.

When I attended Tech Ed IT Forum last week in Barcelona I asked Microsoft security guru Steve Riley about this, and, not surprisingly, he knew the answer. The information is stored in an NTFS alternate data stream!

NTFS alternate data streams are a little known feature of the NTFS file system and have been available since Windows NT 3.1. They allow you to store data of any kind in an additional, named stream within a file. When we use files normally we are accessing the default, unnamed data stream (::$DATA); opening an EXE or a DOC file reads that stream. But a file can carry any number of additional named streams, and ordinary directory listings, file sizes and most tools do not show them. A while back ADSs were the cause of a security scare: someone had read about them and found them to be a security risk. What if a malicious user stored a virus or malware in an ADS? The user and all his anti-virus and anti-malware software would be oblivious! As it turned out, this quickly blew over, and now several anti-virus/malware packages scan for the presence of ADSs within files. Two things are worth remembering, though: streams are silently dropped when a file is copied to a FAT or exFAT volume, attached to an e-mail or put into most archive formats, so the marking described below does not survive those trips; and the size shown by dir and Explorer is the size of the main stream only.

So how does this apply to files from the Internet? Consider this example: you have a file downloaded from the Internet. In my case it is called daemon408-x86.exe and is the installer for Daemon Tools. When I try to run this file I receive the warning mentioned earlier. Now that I know this is caused by an alternate data stream I can use a tool to view and delete that stream. There are several tools available, but I chose streams from SysInternals. Running streams against the file lists its alternate streams:

As you can see, this file has an ADS called Zone.Identifier:$DATA. To see what it contains we can use the more command, which is part of Windows, feeding it the stream through input redirection with the stream name appended to the file name after a colon.

This is the raw data stored in the additional stream. Not very much in this case, just two lines of text: a [ZoneTransfer] section header and ZoneId=3, where 3 is Internet Explorer's number for the Internet zone. But this is what Explorer looks for when you ask to open a file, and a ZoneId of 3 (Internet) or 4 (Restricted sites) is what triggers the warning.

To delete this additional stream so that the file opens without a warning we again use streams from SysInternals, this time with its -d switch, which deletes the alternate streams on the file. Removing that stream is also all the Unblock button does.

If you want to know more about NTFS alternate data streams, start with the streams page on the SysInternals site, which is also where you download the tool:

http://www.microsoft.com/technet/sysinternals/Utilities/Streams.mspx

Until next time!
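Newer PowerShell versions can do the whole job without streams.exe, so here is an added example that is not part of the original post: it reads and decodes the Zone.Identifier stream, unblocks every marked file under an extracted archive in one go (the case that started this search), and can re-mark a file for testing. It needs PowerShell 3.0 or later, since -Stream and Unblock-File do not exist in the 1.0 and 2.0 releases that run on Vista; on Vista, stay with streams.exe as above. The zone numbers are Internet Explorer's URL security zones, and the file names in the usage lines are the one from the post and a hypothetical extraction folder.

```powershell
# Added example, not from the original post: Zone.Identifier handling with
# PowerShell 3.0+ stream support (Get-Item/Get-Content/Set-Content -Stream,
# Unblock-File). Not available on Vista's PowerShell 1.0/2.0.

function Get-ZoneIdentifier {
    param([Parameter(Mandatory = $true)][string]$Path)
    $zones = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites';
                3 = 'Internet'; 4 = 'Restricted sites' }
    # Get-Item -Stream errors out when the stream is absent; absent means "not marked"
    $stream = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    $text = Get-Content -LiteralPath $Path -Stream Zone.Identifier -Raw
    $id = $null
    $zoneName = $null
    if ($text -match '(?m)^ZoneId=(\d+)') {
        $id = [int]$Matches[1]
        $zoneName = $zones[$id]
    }
    # Newer Windows versions also record ReferrerUrl= and HostUrl= lines here
    New-Object PSObject -Property @{
        Path    = $Path
        ZoneId  = $id
        Zone    = $zoneName
        Raw     = $text
        # Explorer warns for the Internet and Restricted sites zones
        Blocked = ($id -ne $null -and $id -ge 3)
    }
}

function Unblock-Tree {
    param([Parameter(Mandatory = $true)][string]$Root)
    # Files extracted from a downloaded archive inherit the mark, so walk the
    # tree. Unblock-File just deletes the stream; Remove-Item -Stream does the same.
    Get-ChildItem -LiteralPath $Root -Recurse -File |
        Where-Object { Get-Item -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue } |
        ForEach-Object { Unblock-File -LiteralPath $_.FullName; $_.FullName }
}

function Set-ZoneIdentifier {
    param([Parameter(Mandatory = $true)][string]$Path, [int]$ZoneId = 3)
    # Re-mark a file (handy for testing); this is exactly what the browser
    # writes when it saves a file from the Internet zone
    Set-Content -LiteralPath $Path -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=$ZoneId"
}

$file = Join-Path $env:USERPROFILE 'Downloads\daemon408-x86.exe'
Get-ZoneIdentifier -Path $file | Format-List Path, ZoneId, Zone, Blocked
Unblock-Tree -Root (Join-Path $env:USERPROFILE 'Downloads\extracted')
```

Unblock-Tree returns the path of every file it unblocked, so piping it to a log gives you a record of what was trusted and when.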

Nice tricks with the context menu in Windows Vista

For a long time we have been enjoying a Windows XP PowerToy called "Command prompt here" on the context menus of our directories and drives. I recently discovered that Windows Vista has this functionality built in.

If you right-click a directory or drive while holding the SHIFT key, you get a few more choices. One of them is Open Command Window Here. You also get Copy As Path, which copies the path of the folder or drive to the clipboard. That is also very nice.

I wanted to have the command line available at all times so I had to do some digging in the Registry. The paths for the context menu actions for a directory and drive are the following:

Directory:
HKEY_CLASSES_ROOT\Directory
Drive:
HKEY_CLASSES_ROOT\Drive

Under these you will find the shell key, it contains all the context menu actions associated with the drive or directory objects. E.g. cmd for command prompt, find for Search etc. The first thing to notice is that the cmd action is already there, so why isn't it showing up all the time?

The answer is the value under the cmd key called Extended. If this value is present the action only shows up if you hold down SHIFT while you right-click. We want the prompt available at all times, so we delete the Extended value from the cmd key under both Directory and Drive. Now the option is always available. Keep in mind that HKEY_CLASSES_ROOT is a merged view of HKLM\Software\Classes and HKCU\Software\Classes; a change made through HKCR is written to the machine-wide HKLM copy, so Registry Editor has to be elevated for this.

But what if we want an elevated prompt in the directory? We are all, of course, running User Account Control, so we need to elevate to enable our Administrators privileges when we need them. To have the option to open an elevated command prompt for your drives or directories we need to take some additional steps.

First we need a copy of cmd.exe that we will set to always run elevated. Go to your system32 folder and create a copy of cmd.exe called cmd_elevated.exe, or a name of your choice. Then open the properties of the new file and, on the Compatibility tab, tick "Run this program as an administrator". The elevation flag is a per-file compatibility setting, which is why we copy cmd.exe instead of changing the original; remember that the copy will not be updated by Windows servicing.

Next, you export the cmd action from the Directory and Drive keys in the registry. We are now going to create a new action that will launch the elevated command prompt. First merge the two exported registry files into one so that you can easily import both changes. Then you need to change the alias of the command so that our new item does not overwrite the old normal command prompt. The old alias is cmd, call the new one cmd_elevated or something. You will then have a file that looks like this:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\Directory\shell\cmd_elevated]
@="Open Command Window (Elevated) Here"
"NoWorkingDirectory"=""

[HKEY_CLASSES_ROOT\Directory\shell\cmd_elevated\command]
@="cmd_elevated.exe /s /k pushd \"%V\""

[HKEY_CLASSES_ROOT\Drive\shell\cmd_elevated]
@="Open Command Window (Elevated) Here"
"NoWorkingDirectory"=""

[HKEY_CLASSES_ROOT\Drive\shell\cmd_elevated\command]
@="cmd_elevated.exe /s /k pushd \"%V\""

Notice that the Extended value is missing from both actions; that is so the option always appears. Now you can import the file and you will have two shiny new options whenever you right-click a drive or directory:
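Since the shell key is where every context-menu action lives, it is also worth being able to audit it. Here is an added PowerShell example, not part of the original post, that lists every verb under HKCR\Directory\shell and HKCR\Drive\shell with its command line and whether it is hidden behind SHIFT (the Extended value), and that toggles Extended on a verb, which is the same change as deleting the value in Registry Editor. These keys are a favourite spot for unwanted software to hook the shell, so an unfamiliar command line in the listing deserves a look. Writes through HKCR land in HKLM, so the toggle needs an elevated prompt; it assumes PowerShell 2.0 or later, and Use-HkcrDrive is a helper written here.

```powershell
# Added example, not from the original post: list and toggle Explorer
# context-menu verbs for directories and drives. Assumes PowerShell 2.0+;
# changing a verb needs an elevated prompt.

function Use-HkcrDrive {
    # PowerShell has no HKCR: drive by default; map one on first use
    if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
    }
}

function Get-ShellVerb {
    param([string[]]$Class = @('Directory', 'Drive'))
    Use-HkcrDrive
    foreach ($c in $Class) {
        Get-ChildItem -Path "HKCR:\$c\shell" -ErrorAction SilentlyContinue | ForEach-Object {
            $verbKey = $_
            $command = $null
            $cmdKey  = Get-Item -Path ($verbKey.PSPath + '\command') -ErrorAction SilentlyContinue
            if ($cmdKey) { $command = $cmdKey.GetValue('') }
            New-Object PSObject -Property @{
                Class    = $c
                Verb     = $verbKey.PSChildName
                Label    = $verbKey.GetValue('')        # default value = menu text, may be empty
                Command  = $command
                Extended = ($verbKey.GetValueNames() -contains 'Extended')
            }
        }
    }
}

function Set-ShellVerbExtended {
    param([Parameter(Mandatory = $true)][string]$Class,
          [Parameter(Mandatory = $true)][string]$Verb,
          [bool]$Extended = $false)
    Use-HkcrDrive
    $key = "HKCR:\$Class\shell\$Verb"
    if (-not (Test-Path $key)) { throw "No such verb: $key" }
    if ($Extended) {
        # an empty REG_SZ named Extended hides the verb unless SHIFT is held
        New-ItemProperty -Path $key -Name Extended -Value '' -PropertyType String -Force | Out-Null
    } else {
        Remove-ItemProperty -Path $key -Name Extended -ErrorAction SilentlyContinue
    }
    Get-ShellVerb -Class $Class | Where-Object { $_.Verb -eq $Verb }
}

Get-ShellVerb | Format-Table Class, Verb, Extended, Command -AutoSize
# Show "Open Command Window Here" without holding SHIFT (elevated prompt needed):
# Set-ShellVerbExtended -Class Directory -Verb cmd -Extended $false
# Set-ShellVerbExtended -Class Drive -Verb cmd -Extended $false
```

After importing the .reg file above, the listing shows cmd_elevated next to cmd for both classes, with Extended False on the new verb.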

The Case of the Missing File Transfer Manager

Everyone downloading from MSDN, the MCT Download Center or any other semi-open Microsoft download site, is familiar with the Microsoft File Transfer Manager application. It is a rather nice utility that is installed on your machine the first time you start a download from one of the sites I mentioned. It supports queuing and resume of downloads. As I said; nice.

It has, however, a rather nasty habit of disappearing once you close it. This makes it hard to resume your downloads if they did not finish, and to view your download history. The only way (well, not really, but more on that later) to start it again is to visit one of the Microsoft download sites and start a new download. Then it will launch again and you can examine the command line in Process Explorer and find where it is stored so that you can launch it again later without having to start a download. Or not…

I have gone through this exercise many times and I know where the FTM is installed, or at least I used to know, back when I was running Windows XP. Then it was something like c:\windows\Microsoft File Transfer Manager. But now I am running Vista, and it's not at that location any more. I set out to find it, I mean, how hard could it be?

First I searched the machine for a filename containing trans, using Windows Desktop Search, which is integrated into Windows Vista. No matches. Then I tried some variations on the filename; still nothing. So I started looking in the Program Files and Windows directories, trying to find it by empirical observation, meaning that I manually looked in each folder in those directories. Still nothing. This was getting frustrating, so I signed in to MSDN and started a new download. After the FTM started I checked its command line in Process Explorer:

And there it was; in c:\windows\Downloaded Program Files\TransferMgr.exe. Success! So now let's go there and make a shortcut on the desktop so that I have it ready next time I need it. This is how that folder looks in Explorer (with 'show hidden and system files' turned on):

This was getting really frustrating. Switching to my old friend, the command line, I got some more info:

Finally I could see all the files. Now how do you make a shortcut from the command line? That's right, you can't, at least not with any built-in cmd command (a script can, through the WScript.Shell COM object's CreateShortcut method). So that left me with getting Explorer to show the actual files present in the Downloaded Program Files directory, where I could create a shortcut.

A folder's appearance in Explorer is controlled by a file called desktop.ini. It is present in many directories on a Windows system and controls everything from the folder's icon to its name and localized name. You can do some cool stuff with desktop.ini, but that is beyond this post. My guess was that the desktop.ini file was responsible for the limited view I could see in Explorer; in this folder it hands the view over to a shell namespace extension, which is why Explorer shows the installed ActiveX controls rather than the files actually on disk. So let's get rid of it.

C:\Windows\Downloaded Program Files>del desktop.ini
Access is denied.

OK. So what are the file permissions?

C:\Windows\Downloaded Program Files>cacls desktop.ini
C:\Windows\Downloaded Program Files\desktop.ini NT SERVICE\TrustedInstaller:F
BUILTIN\Administrators:R
NT AUTHORITY\SYSTEM:R
BUILTIN\Users:R

The only account that has Full Control permission to the desktop.ini file is the NT SERVICE\TrustedInstaller principal. So who is the owner?

subinacl.exe /file "c:\windows\Downloaded Program Files\desktop.ini" /display=owner

+File c:\windows\Downloaded Program Files\desktop.ini
/owner =trustedinstaller

Again, the NT SERVICE\TrustedInstaller principal.

Note: subinacl is not included in any Windows version and must be downloaded from the Microsoft Download site. It is included in the Windows Server 2003 Resource Kit, but that version does not work.

Note: You must run the above command from an elevated command prompt.

So let's take ownership of the file, then we can change the permissions and delete it:

subinacl.exe /file "c:\windows\Downloaded Program Files\desktop.ini" /setowner=Morgan
c:\windows\Downloaded Program Files\desktop.ini : simonsen\morgan is the new owner
c:\windows\Downloaded Program Files\desktop.ini : 1 change(s)

And change its permissions so that we can delete or rename it:

cacls "c:\Windows\Downloaded Program Files\desktop.ini" /G simonsen\morgan:F /E

Make a backup:

copy desktop.ini c:\Users\morgan.SIMONSEN\Downloads\desktop.ini.bak

And finally delete it:

del desktop.ini

Now the view in Explorer is quite different:

Note: You have to close Explorer if it was open during the desktop.ini manipulation. Otherwise the customizations in desktop.ini are cached and remain in effect.

Now I could finally create a shortcut on my desktop:

Phew, what an operation!

Now for the real killer. This was all a waste of time! Remember that I said the only way to launch the FTM was to visit a Microsoft download site and start a new download? Well, once the FTM is running you can click on the Options button, and you see this:

D'oh!

Actually I knew that the option was there. Trying to save time, my first attempt was just to try to locate it in the file system and then launch it and click the option. But then I couldn't and as I started investigating I discovered some interesting stuff about Windows Vista and that made it all worth while.

By the way, if you are trying this on your own system, you can set the system back to its default state with these commands:

copy c:\Users\morgan.SIMONSEN\Downloads\desktop.ini.bak .\desktop.ini
cacls desktop.ini /R simonsen\morgan /E
subinacl.exe /file "c:\windows\Downloaded Program Files\desktop.ini" /setowner="NT SERVICE\trustedinstaller"

You, of course, have to replace my paths with your own.

Now for some sleep!
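Two parts of this operation can be done from a script, as an added PowerShell example that is not part of the original post: inspecting who owns a file and who can write to it with Get-Acl (instead of cacls and subinacl), which also tells you whether the file is under Windows Resource Protection before you start taking ownership, and creating the desktop shortcut through the WScript.Shell COM object, which sidesteps the desktop.ini surgery entirely. It assumes PowerShell 2.0 or later; the paths are the ones found in the post, and Get-FileOwnership and New-DesktopShortcut are helpers written here.

```powershell
# Added example, not from the original post: read a file's owner and writers
# with Get-Acl, and create a desktop shortcut without touching desktop.ini.
# Assumes PowerShell 2.0+.

function Get-FileOwnership {
    param([Parameter(Mandatory = $true)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Anyone with an Allow entry that includes WriteData (FullControl does) can modify it
    $canWrite = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::WriteData)
    } | ForEach-Object { $_.IdentityReference.Value }
    New-Object PSObject -Property @{
        Path     = $Path
        Owner    = $acl.Owner
        CanWrite = @($canWrite)
        # Files protected by Windows Resource Protection are owned by TrustedInstaller,
        # and only it holds Full Control; taking ownership removes that protection
        ProtectedByWrp = ($acl.Owner -eq 'NT SERVICE\TrustedInstaller')
    }
}

function New-DesktopShortcut {
    param([Parameter(Mandatory = $true)][string]$Target,
          [Parameter(Mandatory = $true)][string]$Name)
    if (-not (Test-Path -LiteralPath $Target)) { throw "Target not found: $Target" }
    $desktop  = [Environment]::GetFolderPath('Desktop')
    $lnkPath  = Join-Path $desktop "$Name.lnk"
    $shell    = New-Object -ComObject WScript.Shell
    $shortcut = $shell.CreateShortcut($lnkPath)
    $shortcut.TargetPath       = $Target
    $shortcut.WorkingDirectory = Split-Path $Target -Parent
    $shortcut.Save()
    Get-Item -LiteralPath $lnkPath
}

$dpf = Join-Path $env:SystemRoot 'Downloaded Program Files'
Get-FileOwnership -Path (Join-Path $dpf 'desktop.ini') | Format-List Path, Owner, CanWrite, ProtectedByWrp
New-DesktopShortcut -Target (Join-Path $dpf 'TransferMgr.exe') -Name 'File Transfer Manager'
```

On a stock Vista machine the first call reports Owner NT SERVICE\TrustedInstaller with only TrustedInstaller in CanWrite, matching the cacls and subinacl output above; the second creates the shortcut whether or not Explorer is willing to show the folder's contents.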