Morgan Simonsen's Homepage > Morgan's Blog
Know thy SELF…

Windows has a special security principal known as SELF (also Principal Self and NT AUTHORITY\SELF).

Here’s the definition of SELF from KB243330:

SID: S-1-5-10
Name: Principal Self
Description: A placeholder in an inheritable ACE on an account object or group object in Active Directory. When the ACE is inherited, the system replaces this SID with the SID for the security principal who holds the account.

And here’s one from KB296479:

SELF is not an actual SID, but a way to reference the objectSid for the object on which it is set, which will always be unique.
The hexadecimal value of the Self SID is: 0x01 0x01 0x00 0x00 0x00 0x00 0x00 0x05 0x0a 0x00 0x00 0x00

And from TechNet:

Principal Self

Attribute Value
Well-Known SID/RID S-1-5-10
Object Class Foreign Security Principal
Default Location in Active Directory cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain>
Description A placeholder in an ACE on a user, group, or computer object in Active Directory. When you grant permissions to Principal Self, you grant them to the security principal represented by the object. During an access check, the operating system replaces the SID for Principal Self with the SID for the security principal represented by the object.


So what does all this mean?

It means that if you want to grant a security principal permissions to itself, or more accurately, to the object representing itself, you can use SELF as a placeholder. Whenever the security subsystem encounters the SELF SID in an ACL it replaces it with the SID of the object that the ACL is set on.

Why use SELF?

Using the SELF principal can greatly simplify administration and cut down on ACL sizes. Let’s say you have an OU in Active Directory where you want every user to be able to update their own telephone number. Instead of editing each user object and giving that user permissions to its own telephone number attribute, you would just give SELF that permission, but at the OU level, and each user object would inherit it. When a user wants to change his or her telephone number, the access check in Active Directory will encounter the SELF principal and replace it with the SID of the actual account.
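Here is that OU-level delegation done from PowerShell. This is an added example, not code from the original post; it assumes the ActiveDirectory module (Windows Server 2008 R2 / RSAT) and uses a placeholder OU name.

```powershell
# Added example: grant SELF read/write on telephoneNumber at OU level so every user
# object under the OU inherits one ACE instead of each user getting its own.
# Assumptions: ActiveDirectory module is available; the OU below is a placeholder.
Import-Module ActiveDirectory

$ouDN = 'OU=Staff,DC=example,DC=com'   # placeholder, replace with your own OU

# Resolve schema GUIDs at run time rather than hard-coding them
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    return New-Object Guid (,[byte[]]$obj.schemaIDGUID)
}
$telephoneGuid = Get-SchemaGuid 'telephoneNumber'   # the one attribute the ACE covers
$userClassGuid = Get-SchemaGuid 'user'              # inherit only onto user objects

# Principal Self is the well-known SID S-1-5-10 quoted in the post
$self    = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-10'
$rights  = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList $self, $rights, $allow, $telephoneGuid, $inherit, $userClassGuid

$acl = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify on one user under the OU: the inherited ACE is still recorded as NT AUTHORITY\SELF;
# only at access-check time is that SID swapped for the user's own SID.
$user = Get-ADUser -SearchBase $ouDN -Filter * -ResultSetSize 1
(Get-Acl -Path "AD:\$($user.DistinguishedName)").Access |
    Where-Object { $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' -and $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType
```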

Questions:

One thing I could not figure out while putting this together is what happens when you use SELF in an ACE on an object that is not a security principal, a file for instance. The file does not have a SID (because it is not a security principal) so there is nothing for SELF to point to. I thought that maybe SELF would point to the SID of the owner of the file, but that is the job of the CREATOR OWNER SID, not SELF. I guess that SELF, when used in such a scenario, does not do anything.

How to reset the Windows Recycle Bin

Sometimes the Recycle Bin of a partition/volume can become corrupted. When it does, it prevents you from deleting files or takes up space that cannot be reclaimed by emptying the Recycle Bin, or both. To reset the Recycle Bin for a particular volume or partition, start up a command prompt with Administrative privileges and delete the $RECYCLE.BIN folder from the partition/volume in question. Needless to say you will lose everything in that folder. When you next delete a file on that volume/partition, the Recycle Bin will be automatically regenerated.

Example command:

rd /s E:\$RECYCLE.BIN

Where E: is the volume or partition with the corrupt Recycle Bin.

What I do when I prepare to reinstall my computer or move to a new one
  1. Make a manual copy of my entire profile.
    See instructions on how here.
  2. Export my favorites, feeds and cookies using IE’s Export function.
  3. Export all my certificates.
  4. Retrieve my product key if reinstalling the same computer or moving license to another computer.
    Key finders here.
  5. Copy folders that are outside of the profile, e.g. c:\Apps.
Identifying unknown devices in Device Manager

Windows and Microsoft do a great job of providing drivers for hardware devices. A lot of drivers ship in the box with Windows and hundreds of thousands more are available online on the Windows Update site. Still you quite often end up with one or two unknown devices in Device Manager. When Windows Update or the Windows DVD cannot help you, you have to turn to the manufacturer of the computer or device. If the machine is a specific model you will probably find the drivers on the drivers page of that model. But if it’s a custom system or a system where hardware has been added or replaced you will have no help.

I recently discovered a website that was incredibly useful in discovering who made a particular device and which device it is. The site is PCIDatabase.com:

PCIDatabase.com

PCIDatabase.com offers a very simple and very useful search engine. You can use either vendor or device search:

image

So just find your unknown device in Device Manager and look up its Hardware Ids. You find these on the Details tab of the device:

image

Highlight the value and press Control+C (right-clicking does not work here). Paste the value into Notepad or some other text editor and copy just the numbers following VEN_. Paste these numbers into PCIDatabase.com’s Vendor Search box. You will see a result like this:

image

So now you know who made your device. Repeat the process but this time select the numbers following DEV_:

image

So now you have identified your device and can start looking for a driver. I recommend going directly to the source, that is, the manufacturer of the device. Drivers hosted by computer manufacturers are often hopelessly outdated. As you no doubt have noticed, it is sufficient to search for the device ID, because that will return the vendor ID as well.
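An added script (not from the post) that does the Device Manager step for all devices at once: it finds devices whose driver is missing and pulls the VEN_/DEV_ values out of the hardware ID. It goes a little beyond the post by also recognising USB VID_/PID_ IDs, and it assumes the WMI class Win32_PnPEntity, which is present on Vista/7.

```powershell
# Added example: list devices with no driver installed and extract the IDs to look up.
# Assumption: WMI class Win32_PnPEntity with HardwareID and ConfigManagerErrorCode.
function Get-UnknownDeviceId {
    # ConfigManagerErrorCode 28 = "The drivers for this device are not installed"
    Get-WmiObject -Class Win32_PnPEntity -Filter 'ConfigManagerErrorCode = 28' | ForEach-Object {
        $hwid = @($_.HardwareID)[0]          # first entry is the most specific ID
        $bus = 'other'; $ven = $null; $dev = $null
        if ($hwid -match 'VEN_(?<ven>[0-9A-F]{4})&DEV_(?<dev>[0-9A-F]{4})') {
            $bus = 'PCI'; $ven = $Matches.ven; $dev = $Matches.dev   # what PCIDatabase.com asks for
        } elseif ($hwid -match 'VID_(?<ven>[0-9A-F]{4})&PID_(?<dev>[0-9A-F]{4})') {
            $bus = 'USB'; $ven = $Matches.ven; $dev = $Matches.dev   # USB uses VID_/PID_ instead
        }
        New-Object PSObject -Property @{
            Name = $_.Name; Bus = $bus; VendorId = $ven; DeviceId = $dev; HardwareId = $hwid
        }
    }
}

Get-UnknownDeviceId | Select-Object Bus, VendorId, DeviceId, Name, HardwareId | Format-Table -AutoSize
```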

PS: Sometimes the manufacturer of a particular device will not let you download drivers for it from their site. You are instead forwarded to the manufacturer of your machine. This is done because sometimes computer manufacturers modify the hardware device to work a particular way. Using a generic driver in these cases can be problematic. That said, I have yet to encounter a device that has been modified in such a way and have used generic drivers directly from the hardware manufacturers for all my devices.

Sometimes the device manufacturers even block you from installing their drivers for devices that have been used by the machine manufacturers. The most common examples of this are GPU manufacturers. Both nVidia and ATI (AMD) will check to see if your GPU is one that has been OEMed by a computer manufacturer and prevent the generic nVidia and ATI drivers from installing for such a device. That is quite annoying, especially since the drivers work perfectly with the GPUs. To work around this you can use a custom inf file or a driver modder. The site LaptopVideo2Go provides custom inf files for nVidia drivers; for ATI you can use the MobilityModder application. I am sure there are more sites and apps that do this, but these are the ones I have used.

Fast User Switching with Remote Desktop

A Windows Vista machine has a user called fourthcoffee\joberry logged on. Another user, fourthcoffee\henrikjensen logs on with Remote Desktop.

  1. fourthcoffee\henrikjensen receives this message, and presses Yes:
    image
  2. The logged on user, fourthcoffee\joberry will see this popup on her desktop and press OK:
    image
    While fourthcoffee\henrikjensen waits for fourthcoffee\joberry to respond, this message is displayed in his Remote Desktop window:
    image
  3. fourthcoffee\joberry will be disconnected from her session and the screen on the Windows Vista machine will display Press CTRL+ALT+DELETE to log on:
    image
  4. If she presses Ctrl+Alt+Del she will see that she is just disconnected and not logged off:
    image
  5. The currently logged on user, fourthcoffee\henrikjensen can also see this if he opens Task Manager and displays processes from all users:
    image
  6. fourthcoffee\henrikjensen logs off from Remote Desktop, fourthcoffee\joberry can now press Ctrl+Alt+Del and log in again.

If fourthcoffee\joberry tries to log on before fourthcoffee\henrikjensen has logged off, the process happens in reverse.

  1. fourthcoffee\joberry presses Ctrl+Alt+Del and logs on, and she receives this message:
    image
  2. The prompt is presented to fourthcoffee\henrikjensen (logged on via Remote Desktop):
    image
    While waiting for fourthcoffee\henrikjensen to reply, this message will display on fourthcoffee\joberry’s desktop:
    image
  3. fourthcoffee\joberry is logged on to her session and sees her desktop as it was when she was disconnected. fourthcoffee\henrikjensen is also still logged on. He has to reconnect, disconnecting fourthcoffee\joberry temporarily, to log off from his session.
Windows Virtual PC: Disable the Internal network DHCP server

The Internal network in Windows Virtual PC (WVP) has a built-in DHCP service that provides the clients connected to it with addresses in the 169.254.0.16 to 169.254.10.254 range. If you need to disable this DHCP service, this is how you do it:

  1. Shut down or hibernate all your running virtual machines
  2. Wait for vpc.exe to close, it usually does so by itself a few minutes after the last virtual machine has been closed. If you don’t want to wait you can kill it in Task Manager.
  3. Open the file %localappdata%\microsoft\Windows Virtual PC\options.xml and find the Internal Network section.
  4. In the <dhcp> section, find the tag enabled and change its value from true to false:
    image
  5. Save the file and restart your virtual machines.
Exploring Task Scheduler

Introduction

The new Task Scheduler 2.0 included in Windows Vista and improved on in Windows 7 has the ability to send an email when a task is triggered. Also new is the ability to attach a task to an event from the Event system. You could for instance create a task that sent you an email if you received an event specifying an imminent hard drive failure. For simplicity in my test I attached a task to event 7036 in the System log, which is logged every time a service starts. The UI is actually very nice since you can create the task directly from the Event Viewer using the Attach Task To This Event action:

image

When you do this you can find that task in the Task Scheduler in the Event Viewer Tasks folder.

image

Notice also the nice History tab which shows you the history of this particular task. As you can see I have an error in the Task category Action Failed. Let's look at that.

There is no human readable explanation in the data telling us why the email wasn’t sent. But there is an error value. In this case 2147746321 (0x80040211). I had no idea what that value actually meant so I ran it through Microsoft’s Err.exe application which is able to resolve error values on Windows. The output of Err.exe looked like this:

C:\Users\morgan\Downloads\Err\Err>err 2147746321
# for decimal -2147220975 / hex 0x80040211 :
 
CDO_E_SMTP_SEND_FAILED                                        cdosyserr.h
  IMAPI_E_DEVICE_NOPROPERTIES                                   imapierror.h
  UPNP_E_TRANSPORT_ERROR                                        upnp.h
  VFW_E_NOT_COMMITTED                                           vfwmsgs.h
# Cannot allocate a sample when the allocator is not
# active.%0
# for hex 0xffffffff / decimal -1 :
  NO_TITLE                                                      ftsiface.h
  USE_DEFAULT                                                   ftsiface.h
  JET_wrnNyi                                                    esent98.h
# /* Function Not Yet Implemented */
  LZERROR_BADINHANDLE                                           lzexpand.h
# /* invalid input handle */
  MAPI_DIAG_NO_DIAGNOSTIC                                       mapidefs.h
  MSIDBERROR_FUNCTIONERROR                                      msiquery.h
# function error
  ERROR_UNHANDLED_ERROR                                         ntddchgr.h
# Unknown error condition
  PDR_ERROR                                                     penwin.h
# parameter or unspecified error
  ICERR_UNSUPPORTED                                             vfw.h
  ERROR_UNHANDLED_ERROR                                         winioctl.h
# Unknown error condition
# 14 matches found for "2147746321"

As you can see, Err looks at all the header files that have that error value specified in them, so you are bound to get many false positives. Task Scheduler uses CDO to send mail, so in this case it is the information in the cdosyserr.h file that tells us what the error is: CDO_E_SMTP_SEND_FAILED.

OK, so CDO failed to send an email, but why? To find that out I did a network trace using Wireshark while the task executed. The trace uncovered this error from the SMTP server: 550 5.7.1 Client does not have permissions to send as this sender. Since this is Windows talking to an Exchange 2010 server it will automatically authenticate, and it will authenticate using the credentials of the account that is used to run the task in Task Scheduler. This particular task is set up to run as my account, SIMONSEN\Morgan. According to the security settings on the Exchange 2010 Receive connector I am not allowed to send using an email address I do not own, that is, one that is not specified as belonging to my account in Active Directory. As a result we get the SMTP error from Exchange. To remedy this I can temporarily permit my account to send as any sender:

Get-ReceiveConnector default* | Add-ADPermission -User SIMONSEN\morgan -ExtendedRights "ms-Exch-SMTP-Accept-Any-Sender"

And now I will get the message, so to speak:

image

The History tab in Task Scheduler now also indicates a success:

Task Scheduler successfully completed task "\Event Viewer Tasks\System_Service Control Manager_7036" , instance "{3d755426-8e80-49aa-9bdf-3475b032c7dd}" , action "Task notification" with return code 0.

(Incidentally while setting this up I first specified my old SMTP server, which was no longer running the SMTP service. The error in the task history displayed another error in this situation 2147746323 (0x80040213). Translated with Err this is the error CDO_E_FAILED_TO_CONNECT.)

The ‘A service started!’ message in the email is not very helpful so I started to look for ways to include data from the event in the message. After a (very) long time I was able to do that with the help of these resources:

The short story is that you have to create a task attached to an event, and then export it and manually change what data is retrieved from the event. For reference I have included the XML export from my test here. You have to edit this task to supply your own sender, recipient and SMTP server values.
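The edit described above (export the task, change what data is pulled from the event, import it again) scripted in PowerShell. This is an added example, not the post's own XML export; it assumes the task name shown in the history entry, that schtasks.exe is available (Vista/7), and that event 7036 publishes the service name and its new state as the EventData fields param1 and param2.

```powershell
# Added example: pull service name/state from event 7036 into the e-mail body by
# adding <ValueQueries> to the exported task definition and re-registering it.
# Assumptions: task name as in the post; schtasks.exe present; 7036 uses param1/param2.
$taskName = '\Event Viewer Tasks\System_Service Control Manager_7036'
$tmp = Join-Path $env:TEMP 'task-with-values.xml'

# Export (the same XML the Task Scheduler UI's Export action produces)
[xml]$doc = ((schtasks.exe /Query /TN $taskName /XML) -join "`n").Trim()
$nsUri = 'http://schemas.microsoft.com/windows/2004/02/mit/task'
$ns = New-Object System.Xml.XmlNamespaceManager $doc.NameTable
$ns.AddNamespace('t', $nsUri)

# Each <Value name="x"> holds an XPath into the event XML; $(x) then expands in the action
$queries = @{
    svcName  = 'Event/EventData/Data[@Name="param1"]'
    svcState = 'Event/EventData/Data[@Name="param2"]'
}
$trigger = $doc.SelectSingleNode('//t:Triggers/t:EventTrigger', $ns)
$vq = $doc.CreateElement('ValueQueries', $nsUri)
foreach ($name in $queries.Keys) {
    $v = $doc.CreateElement('Value', $nsUri)
    $v.SetAttribute('name', $name)
    $v.InnerText = $queries[$name]
    [void]$vq.AppendChild($v)
}
[void]$trigger.AppendChild($vq)   # ValueQueries is the last child of EventTrigger

# Replace the static 'A service started!' text with the queried values
$body = $doc.SelectSingleNode('//t:Actions/t:SendEmail/t:Body', $ns)
$body.InnerText = 'Service $(svcName) entered the $(svcState) state.'

$doc.Save($tmp)
# /F overwrites the existing task; if it runs under a specific account add /RU and /RP,
# because the export does not carry the stored password.
schtasks.exe /Create /TN $taskName /XML $tmp /F
```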

What happened to at.exe?

From Windows help:
The at.exe executable schedules commands and programs to run on a computer at a specified time and date similar to Task Scheduler. Task Scheduler and the schtasks.exe executable replace at.exe. All tasks created using the at.exe executable must run under the same account. By default this account is the local system account, but you can change this by configuring the AT service account information.

More information

WinRM and TCP ports

WinRM, or Windows Remote Management, is an HTTP-based remote management and shell protocol for Windows. The Windows Remote Management service is responsible for this functionality. If WinRM is not configured for remote access, but the service is started, it listens for local requests on TCP port 47001. If you create a listener it will still listen on 47001, but also on the default TCP ports 5985 (HTTP) and 5986 (HTTPS).

Upgrading to a higher edition (SKU) of Windows 7/Windows Server 2008 R2 using DISM

The Deployment Image Servicing and Management (DISM) tool is a new tool included with Windows 7 and Windows Server 2008 R2. DISM enumerates, installs, uninstalls, configures, and updates features in Windows images, in either WIM or VHD format. DISM can also work against online (running) instances. Of special interest for this post are the edition commands: Get-CurrentEdition, Set-Edition, Get-TargetEditions, and their sidekick Set-ProductKey. With these you can upgrade a Windows instance from the command line without access to media. For Windows 7 and Windows Server 2008 R2 all the bits for higher editions are present in the instance or image. This is great news, because with previous versions of Windows you had to pop in the media, usually a CD/DVD, and perform an upgrade manually. For offline images (WIM/VHD) this is supported for both Windows 7 and Windows Server 2008 R2. But for running (online) instances it is only supported for Windows Server, and only if the server is not a DC.

  1. Find the current edition for a running instance (online):
    dism.exe /online /Get-CurrentEdition
  2. Find the current edition for an offline image:
    dism.exe /image:c:\mounted_image /Get-CurrentEdition
  3. Find the valid target editions for a running instance (online):
    dism.exe /online /Get-TargetEditions
  4. Find the valid target editions for an offline image:
    dism.exe /image:c:\mounted_image /Get-TargetEditions
  5. Upgrade a running instance (online):
    dism.exe /online /Set-Edition:"ServerDatacenter" /ProductKey:AAAAA-BBBBB-CCCCC-DDDDD-EEEEE
  6. Upgrade an offline image:
    dism.exe /image:c:\mounted_image /Set-Edition:"Professional" /ProductKey:AAAAA-BBBBB-CCCCC-DDDDD-EEEEE

When using Set-Edition, the parameter ProductKey is also required. Note that ProductKey in this case is a parameter of Set-Edition and not the Set-ProductKey command. Set-ProductKey can only be used against the current running instance and against offline instances. (If you do not have a product key, you can use the KMS key for the edition you are upgrading to. This will, of course, not get you a free license or anything, but it is convenient for testing. Find the KMS keys here.) For offline images it is also important to note that the image has to be generalized before you can upgrade it. Use sysprep.exe /generalize to do this.

Transcript of the upgrading of a VHD file:

C:\Users\administrator>diskpart

Microsoft DiskPart version 6.1.7600
Copyright (C) 1999-2008 Microsoft Corporation.
On computer: HOME-HYPERV

DISKPART> select vdisk file=E:\Hyper-V\lab-w2k8r2quicktest\lab-w2k8r2quicktest.vhd

DiskPart successfully selected the virtual disk file.

DISKPART> attach vdisk

  100 percent completed

DiskPart successfully attached the virtual disk file.

DISKPART> list volume

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
  Volume 0     F                       CD-ROM          0 B  No Media
  Volume 1     C                NTFS   Partition    465 GB  Healthy    System
  Volume 2     D                NTFS   Partition    931 GB  Healthy
  Volume 3     E                NTFS   Partition    931 GB  Healthy
  Volume 4     G   System Rese  NTFS   Partition    100 MB  Healthy
  Volume 5     V                NTFS   Partition    126 GB  Healthy

DISKPART> exit

Leaving DiskPart...

C:\Users\superman>dism /image:v:\ /get-Targeteditions

Deployment Image Servicing and Management tool
Version: 6.1.7600.16385

Image Version: 6.1.7600.16385

Editions that can be upgraded to:

Target Edition : ServerDataCenter
Target Edition : ServerEnterprise

The operation completed successfully.

C:\Users\superman>dism /image:v:\ /set-edition:ServerDataCenter

Deployment Image Servicing and Management tool
Version: 6.1.7600.16385

Image Version: 6.1.7600.16385

Starting to update components...
Removing package Microsoft-Windows-ServerEnterpriseEdition~31bf3856ad364e35~amd64~~6.1.7600.16385
[==========================100.0%==========================]
Finished updating components.

Starting to apply edition-specific settings...
Finished applying edition-specific settings.

The operation completed successfully.

C:\Users\administrator>diskpart

Microsoft DiskPart version 6.1.7600
Copyright (C) 1999-2008 Microsoft Corporation.
On computer: HOME-HYPERV

DISKPART> select vdisk file=E:\Hyper-V\lab-w2k8r2quicktest\lab-w2k8r2quicktest.vhd

DiskPart successfully selected the virtual disk file.

DISKPART> detach vdisk

DiskPart successfully detached the virtual disk file.

DISKPART> exit

Leaving DiskPart...

C:\Users\administrator>

This VHD is actually from a Hyper-V server, and has been generalized before it was mounted on the host and upgraded.

Some more info about DISM and image servicing: http://technet.microsoft.com/en-us/library/dd744543(WS.10).aspx

Exchange 2010 not receiving mail

My Inbox had been awfully quiet for a few days. Time to investigate:

Putty with manual SMTP session:

220 <servername> Microsoft ESMTP MAIL Service ready at Wed, 2 Dec 2009 12:53:01 +0100
ehlo server1.nowhere.com
500 5.3.3 Unrecognized command
ehlo server1.nowhere.com
250-<servername> Hello [<client IP>]
250-SIZE
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH NTLM
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250-XEXCH50
250-XRDST
250 XSHADOW
mail from:test@nowhere.com
452 4.3.1 Insufficient system resources
rcpt to:morgan@simonsen.bz

That’s not good. What does the event log say:

Event Log:

Index              : 5950
EntryType          : Error
InstanceId         : 3221502622
Message            : Microsoft Exchange Transport is rejecting message submissions because the available disk space has
                      dropped below the configured threshold.

                     The following resources are under pressure:
                     Queue database logging disk space ("C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\
                     data\Queue\") = 88% [Medium] [Normal=86% Medium=88% High=90%]
                     Physical memory load = 95% [limit is 94% to start dehydrating messages.]

                     The following components are disabled due to back pressure:
                     Inbound mail submission from the Internet
                     Mail submission from Pickup directory
                     Mail submission from Replay directory
                     Content aggregation

                     The following resources are in normal state:
                     Queue database and disk space ("C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\data
                     \Queue\mail.que") = 88% [Normal] [Normal=92% Medium=94% High=96%]
                     Version buckets = 0 [Normal] [Normal=80 Medium=120 High=200]
                     Private bytes = 8% [Normal] [Normal=71% Medium=73% High=75%]
                     Batch Point = 0 [Normal] [Normal=1000 Medium=2000 High=4000]

Category           : ResourceManager
CategoryNumber     : 15

Source             : MSExchangeTransport
TimeGenerated      : 29.11.2009 21:45:58
TimeWritten        : 29.11.2009 21:45:58
UserName           :

That’s worse. The server had about 1.6 GB free disk space, and had hit the threshold set for the Queue database. I extended the disk to 32 GB and all was well. Hopefully not too many messages have been lost. SMTP has a default retry period of 48 hrs so I should have a lot of new messages as the various sending servers retry to deliver their messages.
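An added detection helper, not from the post, that parses the back pressure event text above into per-resource rows, so the resource that tripped (and the components it disabled) can be flagged without reading the whole message. The sample message is constructed to mirror the event shown; the live query assumes the Application log and the MSExchangeTransport source as in that event.

```powershell
# Added example: parse MSExchangeTransport back pressure events into resource rows.
# The sample text below is constructed to mirror the event in the post.
function ConvertFrom-BackPressureMessage {
    param([string]$Message)
    $section = $null
    foreach ($raw in ($Message -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -match '^The following resources are under pressure')  { $section = 'Pressure'; continue }
        if ($line -match '^The following components are disabled')       { $section = 'Disabled'; continue }
        if ($line -match '^The following resources are in normal state') { $section = 'Normal';   continue }
        if (-not $section -or -not $line) { continue }
        if ($section -eq 'Disabled') {
            New-Object PSObject -Property @{ Section = $section; Resource = $line; Value = $null; Thresholds = $null }
        } elseif ($line -match '^(?<res>.+?)\s*=\s*(?<val>\S+)\s*\[(?<detail>[^\]]+)\](?:\s*\[(?<thr>[^\]]+)\])?$') {
            # e.g.  Queue database logging disk space ("C:\...\Queue\") = 88% [Medium] [Normal=86% Medium=88% High=90%]
            New-Object PSObject -Property @{ Section = $section; Resource = $Matches.res; Value = $Matches.val; Thresholds = $Matches.thr }
        }
    }
}

$sample = @"
Microsoft Exchange Transport is rejecting message submissions because the available disk space has dropped below the configured threshold.

The following resources are under pressure:
Queue database logging disk space ("C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\data\Queue\") = 88% [Medium] [Normal=86% Medium=88% High=90%]
Physical memory load = 95% [limit is 94% to start dehydrating messages.]

The following components are disabled due to back pressure:
Inbound mail submission from the Internet
Mail submission from Pickup directory

The following resources are in normal state:
Version buckets = 0 [Normal] [Normal=80 Medium=120 High=200]
"@

# Offline run against the constructed sample: only Pressure and Disabled rows matter
ConvertFrom-BackPressureMessage $sample | Where-Object { $_.Section -ne 'Normal' } |
    Select-Object Section, Resource, Value, Thresholds | Format-Table -AutoSize

# Live check on the Exchange server (log and source as in the event above)
Get-EventLog -LogName Application -Source MSExchangeTransport -EntryType Error -Newest 20 |
    Where-Object { $_.Message -match 'resources are under pressure' } |
    ForEach-Object { ConvertFrom-BackPressureMessage $_.Message } |
    Where-Object { $_.Section -ne 'Normal' } |
    Select-Object Section, Resource, Value, Thresholds | Format-Table -AutoSize
```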
