15. June 2010 by Myke.

Microsoft issued a new Security Advisory for a flaw in the Windows Help and Support Center as reported by Ars Technica. The vulnerability only affects Windows XP and Server 2003, Vista and 7 are unaffected.

The worry with this vulnerability is that the help links in the Help Center can be hijacked to run executables on the victim’s computer. The details of the vulnerability and possible attack are as follows:

In Windows XP and Windows Server 2003, clicking on an hcp:// link launches helpctr.exe via a registered protocol handler; this is normally a safe way to launch help content thanks to an allow list that Help and Support Center checks before navigating to a given help page. A Google security researcher discovered, however, that a help page with a cross-site scripting vulnerability can be paired with a mechanism to abuse the allow-list functionality to access that page with an exploit querystring. Thus, clicking on a malicious hcp:// link leverages the XSS vulnerability to circumvent helpctr.exe’s safety controls and ultimately run an arbitrary executable on the machine.

Microsoft says that they are monitoring the problem and is so far unaware of any attacks in the wild. They may prepare a patch for the next Patch Tuesday or it could come earlier. Microsoft has outlined some mitigating factors which are also in the Security Advisory.

• The first is that if the attack is web-based the attacker would host a web page to exploit the vulnerability or host advertisements on another website. Victims can’t be required to visit the pages and the hacker would try to get people to visit with social engineering tactics like emails.
• The vulnerability can’t be manipulated directly from an email, the user would have to click a link.
• A hacker that successfully executed the attack could gain the same user rights as the user logged in. If users aren’t logged in as an admin the damage could be lessened.

Microsoft has one workaround where the registry is edited to unregister the HCP protocol. They detail two methods of doing this in the Security Advisory but they warn that after editing the registry it will obviously break all help links that use HCP.

This vulnerability was discovered by Google who alerted Microsoft to the problem on June 5 and then turned around and kindly disclosed it to the public on June 9. Microsoft was none too happy with Google about that and said:

Public disclosure of the details of this vulnerability and how to exploit it, without giving us time to resolve the issue for our potentially affected customers, makes broad attacks more likely and puts customers at risk.

Posted in Security, General Hardware, Microsoft, Desktops, Laptops | 4 Comments »

20. April 2010 by Myke.

With the increase in blade systems and the decrease in optical drives on servers, it is becoming more and more of a USB drive World everyday.  I had a couple of e-mails come in asking fro help creating USB drives that are bootable with Server 2008 on them.  Easy enough, just follow the steps below and you should be golden (as long as you have at least a 4GB thumb drive).

First we need to format the thumb drive.

1. from a DOS prompt execute: diskpart
2. list disk
3. select disk 1    (assuming disk 1 was your thumb drive in the above list disk command)
4. clean
5. create partition primary
6. select partition 1
7. active
8. format fs=fat32
9. assign
10. exit

Now we need to get the files copied over from the DVD to the thumb drive.

xcopy d:\*.* /s/e/f e:\   (assumes your DVD is drive D and your thumb drive is drive E)

Make sure the server is set to boot from USB drive and away you go.

Cheers.

Posted in Technical Questions, Microsoft, Servers | 4 Comments »

3. March 2010 by Myke.

Microsoft released a new security advisory regarding Internet Explorer on a Windows 2000 or XP system. To exploit the vulnerability,a malicious site reaches through the web browser by using VBScript and accesses “inherently unsafe” Windows Help files.

To complete the attack, a user must push F1.

The article at PC World suggests users to log off Windows or close Internet Explorer via Windows Task manager when a site prompts a user to hit F1.

Posted in Security, Microsoft | 3 Comments »

15. February 2010 by Myke.

Microsoft has been tracking some odd issues that occur on Windows 7 and Windows Server 2008 R2. These bugs are not typically fixed via Windows Update, because these hotfixes should only be applied to systems that are experiencing specific problems. So if you are not severely affected by either of them, wait for the relevant service packs. Here are the four most prominent issues, listed in order of decreasing severity.

The first manifests itself when the computer crashes after it runs for some time, with the user seeing the following BSOD (the four parameters vary depending on the computer):

STOP: 0x0000000A (parameter1, parameter2, parameter3, parameter4) IRQL_NOT_LESS_OR_EQUAL

Microsoft explains that the issue occurs because Power Manager opens an Advanced Local Procedure Call (ALPC) port and closes another port instead of closing the ALPC one, resulting in a successive memory leak, leading to an eventual crash. If you’re affected, this is for you: Hotfix Request.

Few users realize the second issue is a bug. As described in KB958685, it affects all versions of Vista, Windows Server 2008, and Windows 7. If the user puts the notebook to sleep while its lid is still open and then afterwards closes the lid while the computer is still asleep, Windows will only display a blank screen and a mouse pointer upon wake. This continues until a key is pressed or the mouse is clicked. You can wait for the next software update that contains this hotfix (SP1 on Windows 7 and Windows Server 2008 R2, SP2 on Vista) or you can click this: Hotfix Request.

The third issue is described in KB978789 and specifically applies to computers with chipsets from the Intel 5 Series or the Intel 3400 Series families coupled with Windows 7 Home Premium, Professional, or Ultimate. Using a USB bulk storage device that has pending control and bulk traffic with such a Windows-based computer will result in the device becoming unresponsive, with the iPhone mentioned as a culprit.

Microsoft doesn’t have a hotfix for this problem, suggesting that the user contact the computer/motherboard manufacturer for a BIOS update.

The last problem is explained in KB975360 and affects all editions of Windows 7. It is only evident with computers that have a quad-core processor and support multitouch, and involves the Microsoft Rebound game from the Microsoft Touch Pack for Windows 7 not responding if you try to launch it. Since this is entirely a Microsoft problem, here’s the solution: Hotfix Request.

Microsoft is expected to offer SP1 for Windows 7 and Windows Server 2008 R2 this fall.

post information: Emil Protalinski
posted by: Myke Reinhold

Posted in Microsoft | 5 Comments »

14. February 2010 by Myke.

“…oops I did it again…”  No we are not going to discuss Britney Spears but some folks at Microsoft are scrambling for answers after a serious update failure.  The MS10-015  update bulletin is causing some systems to lock up and then during the boot up they BSOD into a never ending boot cycle.  Ouch.

Here is the crazy part of the equation, some systems do just fine.  I have tested the updates on 10 workstations and 4 have crashed out and died while the other 6 were perfectly fine.  I need to clarify one piece though, each of these systems are exactly the same…EXACTLY.  Each one is a virtual desktop with the exact same applications, updates and I used the exact same disc to build the machines.  I ran updates on all 10 systems one at a time.

On the four dead systems here is what I did to repair them.

• Boot from your Windows XP CD or DVD and start the recovery console
• Once at the repair screen - Type this command: CHDIR $NtUninstallKB977165$\spuninst and hit ENTER
• Type this command: BATCH spuninst.txt and hit ENTER
• Type this command: systemroot and hit ENTER
• When complete, type this command: exit and hit ENTER

Of course this may or may not fix your system, but so far it has worked for my dead test systems.

Confused?  You are not alone on this one.  Folks have been trying to figure out what happened and everyone seems to be testing this like crazy.  My final thought on the issue…TOO MANY security fixes and tweaks in one bulletin.  Each time Microsoft tries to update systems with a large amount of security fixes and tweaks it seems like they get a large amount of failures.  Seems like they should have broke this months updates into 2 for the month…which they have done before.

Other related stories on this issue.
MS update gives some XP boxes the Blue Screen
New Patches Cause BSoD for Some Windows XP Users

Microsoft Blog post on this issue.
Restart issues after installing MS10-015

Microsoft’s workaround for this issue.
Microsoft Security Advisory: Vulnerability in Windows Kernel could allow elevation of privilege

As always, enjoy your updating and let us know if you encounter any other nasty issues.

posted by: Myke Reinhold

Posted in Security, Microsoft, Desktops, Laptops | 2 Comments »

7. January 2010 by Myke.

This is an follow up and update to the following post;  http://homerun-networks.com/2009/12/10/commvault-simpana-8-saving-lives-disk-space-and-relieving-stress/

We have been running Commvault Simpana 8 for 4 months and to be quite honest, it has been flawless and great.  As I mentioned before, we were concerned with future growth and what it would cost us for hardware for backups and more importantly, could we actually get backups the way we needed them?!?  Well, we nailed everything and then some.

We have had to restore multiple files including Exchange (single message and multiple messages), Exchange store (testing purposes), Server 2008 DC (testing purposes), VMWare virtual server (testing purposes), SQL database, Server 2008 system state (testing purposes) and multiple files on file shares.  Every single restore took less than 5 minutes except for the testing recoveries.  The testing recovery is part of an on-going plan to prepare for a major project, but it was still rock solid and flawless.

Domain rebuild recovery - We are in the planning process of re-building the entire domain and infrastructure of our company and I have begun the testing of Server 2008 recoveries and disaster recoveries.  So far I have tested recovering a 2008 domain controller after deleting multiple users and groups and replicating the change.  Easy as pie my friend, everything went into place and the replication took place and the domain was back up and running in minutes.  This domain rebuild has allowed me to test for just about every disaster possible and to document exactly every step in the case I get hit by a bus/train and the boss man has to take over for me.

All in all I could not be happier with our choice of moving our backups to Commvault.

*We received some e-mails in regards to Commvault and we have included those below*

What was your installation process like and how much time did it take you to convert from Symantec to Commvault?
-  The process itself was very easy and simple.  We disabled all the Symantec software and services and installed Commvault.  The install itself took about 2 hours, which included getting all the clients installed.  Once the suite was up and running we set the backup policies and that took another 2 hours.  All in all, it was smooth and very easy.

Did Commvault pay you for this article? (we got about 15+ of these emails)
-  No.  I firmly believe that sharing IT/IS knowledge with others in the industry is key to making all of our lives easier.  If I find something that rocks, I will tell everyone that wants to listen.  If I find something that sucks, I will tell everyone that wants to listen.  Any product that makes life as a systems engineer/systems admin/network engineer easier, why not share it with others?!  p.s. If Commvault is reading this article…I wear XXL shirts, love fast Italian cars, good beer, steak dinners and Amazon.com gift cards.

What do you think of the Commvault deduplication?
-  Do you remember Smeagol and his precious?  Well consider me being Smeagol and Commvault deduplication being my precious.  We must haves it, haves the precious we must.  We are currently getting a savings of 90.25% on physical storage space.  Or even easier to understand, we are getting an average of 13.4TB of backup data on 1.3TB of physical space.  Must haves the precious!

As always, if you have any questions please feel free to ask away.

posted by:Myke Reinhold

Posted in Backups | No Comments »

21. December 2009 by Myke.

Everyone knows that surfing the web can/is/will always be a dangerous thing to do.  As a systems engineer/administrator we always have the task of protecting end users who are educated on the security risks and the end users who have no clue at all.  No matter how much knowledge you have as an end user you can always get hit by doing something very innocent on the Internet.  But what can be done to help prevent this?  For myself, I registered with the elite group over at MalwareURL and started importing their database into my firewall.  Now this does not protect me 100% but it sure helps to say the least.  To date they have 33,944 domains listed and 8,787 IP addresses listed.

Here are the two best reasons to check out MalwareURL.  First of all, you can use their information to infect a virtual/physical machine to practice clearing out nasty little bugs and teaching yourself how to reverse engineer problems.  Just remember to infect a test machine, not a production box.  Second, you can also report any sites you find that are not listed yet.  This helps build the database and the best way for us to protect ourselves is to share information with each other.

Posted in Security | 1 Comment »

10. December 2009 by Myke.

I recently implemented Commvault version 8 with a company that was running Symantec Backup Exec.  The Symantec software was having trouble backing up the Exchange mailboxes (Exchange 2007) and this was a mission critical issue for the executives.  The Symantec software was also having a difficult time backing up Server 2008 and Citrix Xen Server.  After numerous calls and emails (18 calls and 22 emails) to tech support it was still not resolved.  So now the company was missing a massive amount of data and could not get the software to backup to an IP NAS device (Seagate Black Armor).  In the end this would have spelled disaster for the IT team and there would have been some very bent employees with a very bad taste in their mouth for the IT staff.  I made one suggestion…Commvault.  I used it in the past as a stand alone and in conjunction with Exagrid disk storage.  I loved it very much and wanted to get it in house ASAP.

First step was getting the management staff on board after showcasing it for the Director of IT/IS.  The Director loved it and only had one thing to say.  “Prove it in the first month of use and I am sold forever.”  The budget was approved and the purchase was made.

Second step was scheduling the fun of turning off Symantec and kick starting Commvault.

It was a warm fall day in 2009 and Myke the Master Geek went to work in his workshop.  I started by disabling the Symantec service on all servers and disabling the software on the backup server.  Next up, getting my Commvault Media Agent and Commserve on-line and ready to go.  The Media Agent was a new Dell R710 loaded with Server 2008 64 bit with a Powervault connected to it.  Then we added 2 Seagate Black Armor 4.5TB devices for the disk storage.  The Commserve was actually a VMWare virtual server loaded with Server 2003 32 bit.  Once the devices were loaded, connected and talking…it was on to deploying the agents on each server to be backed up.

The ultimate goal was to have about 4 weeks of backup data on disk and then a weekly full backup on tape.  We had a decent size of data that was backed up daily so we purchased the deduplication license with our Commvault software.  This would allow us to deduplicate our data and use less disk space for our backups.  With that in mind we expected a disk savings of about 50% to 60%.  We were wrong and wrong big time.  After running the Commvault backups with deduplication for about 2 months, we were getting a disk savings of 89.88%.  We were storing 10.074TB of data on 1.019TB of actual disk space.  That was saving us 9.055TB of disk space.  We were very excited about this as this gave us a great amount of room for growth and gave us a baseline to look forward to in the future.  Needless to say, the Director of IT/IS was very happy.

So with backups running to disk and tape now we had to verify that everything worked as planned.  So I began to test restores of data.  I started by restoring data from disk back to file servers, mailboxes and SQL servers.  Everything worked as planned and with great speed.  Now I began the tape restore process.  I selected a file and the software came back and told me what tape it need and bam, there it was…restored.  I tested about 35 different files ranging from SQL to Exchange to general Office file types.  Everything worked as planned and promised.

To this day everything has worked perfect and we have been very happy with our backups since.  This has saved on restless nights of sleep having nightmares about backups and restores and it has dropped our stress level by a huge margin.

Thanks Commvault!

I would also like to say that the new Dell R710 server runs like a champ and is a solid server.  We are also very pleased with our low cost NAS devices from Seagate, Black Armor 440.

p.s.  If you are from Symantec or really like Symantec and find this post to be offensive…good.  That is exactly what it was meant to be.  Once Symantec bought Backup Exec, the software fell apart and has fallen way behind the times and needs of the IT/IS world.

posted by: Myke Reinhold

Posted in Backups, Storage | 14 Comments »

24. November 2009 by Myke.

This post contains information on how to edit and modify your Windows Registry.  It is always recommended that you take a backup of the Registry before editing any of the values because any improper editing can cause strange behaviour and at worst could even corrupt your operating system completely, requiring you to re-install Windows.

We encourage you to try out the registry changes,  but only if you know what you are doing and if you do it with care.

After building a brand new Windows 7 ENT x64 laptop I ran into some issues.  The issues started shortly after finishing some updates.  Explorer.exe kept crashing every time I would right-click on an icon or try to use anything that used explorer.exe.  After searching the web for hours I found nothing that actually resolved the issue.  Pretty much everything out there pointed to doing a full restore or a clean installation.  I also found a couple posts that said once they deleted their profile and rebuilt it, everything worked.  Each of these is true but why waste the time and effort.  I am not sure about you but hearing from a Microsoft employee and having them tell you to do a clean install because it is hardware related or due to 3rd party software is getting real old.  Well you are in luck folks, because I have a solution that does not harm the machine and it can be done within 2 minutes.

Here is the error we were getting in our event logs;
The program Explorer.EXE version 6.1.7600.16404 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
Process ID: 810
Start Time: 01ca6d1f1aca747c
Termination Time: 0
Application Path: C:\Windows\Explorer.EXE
Report Id: 3fe9620d-d913-11de-8a55-00242cbe9d84

I ran every application I had that would point me in a direction of figuring out what was causing it and found nothing.  I decided to go through the 34 updates I had applied the day before and found an issue finally.  One of the updates was forcing the CEIP to execute.  *Dear Microsoft, why place something like this in an OS when you know it causes problems?*

The cause of the Windows Explorer crash is related to the SQM Client, which is part of the Customer Experience Improvement Program (CEIP). Under the default setting, where MachineThrottling is enabled in the registry, any calls to WinSqmStartSession in ntdll.dll file will cause Explorer to crash, or Windows Installer installation to fail.

So instead of waiting for a hotfix or an update from Microsoft, just remove and delete the MachineThrottling registry entry from system registry. The MachineThrottling registry entry is located inside the following registry key: HKLM\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions

*NOTE*  If you do not know what you are doing within the registry, stop and do not proceed.  Ask someone for help that knows what they are doing and can recover your registry if a failure occurs.

To make it easy you can just create your own little batch file with the following command;
reg delete HKLM\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions /v MachineThrottling /f

At this point you can close the registry and right-click on your file or icon and you should be good to go.

posted by: Myke Reinhold

Posted in Scripting, Registry, Microsoft, Desktops, Laptops | 10 Comments »

6. October 2009 by Myke.

Going back to an old school issue.  What do you do when you switch out an end user’s computer and they freak out because all of their auto fill addresses in outlook are no longer there?  Easy, switch over their .nk2 file to the new computer and call it a day.

Do you miss the convenience of Outlook automatically completing people’s names as you begin to type them on your new computer? Are you upgrading to a new computer and don’t want to lose all the names stored in your Outlook AutoComplete feature? Wouldn’t it be nice if Outlook installed on your new computer just “remembered” the names and filled them in for you?

You can copy the names in AutoComplete from your old computer to your new one.

Copy the names in AutoComplete to another computer

Important  You must exit Outlook before starting the following procedure. The names will be included in AutoComplete when you restart Outlook.

1. On the computer with the saved AutoComplete names, go to drive:\Documents and Settings\user name\Application Data\Microsoft\Outlook.Note  Depending on your file settings, this folder might be hidden. To view the files in this folder, do one of the following:

   Microsoft Windows XP

   1. Click Start, and then click My Computer.
   2. On the Tools menu, click Folder Options.
   3. Click the View tab, and then, under Advanced settings, under Hidden files and folders, click Show hidden files and folders.

   Microsoft Windows 2000

   1. Double-click My Computer on your desktop.
   2. On the Tools menu, click Folder Options.
   3. Click the View tab, and then click Show hidden files and folders.

2. Right-click profile name.nk2, and then click Copy.Tip  You can copy the file to removable media, such as a floppy disk or a CD, and then copy the file to the correct location on the other computer. Or you can attach the file to an e-mail message and send the message to yourself. On the new computer, open the attachment in Outlook, and then save it to the correct location.
3. On the computer where you want to populate the AutoComplete feature, copy the file to drive:\Documents and Settings\user name\Application Data\Microsoft\Outlook.
4. If the Outlook user profile name is different on the computer where you are moving the .nk2 file, you must rename the file with the same Outlook user profile name after you copy it to the correct folder. For example, if you move Kim Akers.nk2 from the original computer with an Outlook user profile name of Kim Akers, and you copy the Kim Akers.nk2 file to the new computer, you must rename it with the Outlook profile name being used on the new computer.
5. When prompted about replacing the existing file, click Yes.
6. Open Outlook to view changes.

source: Microsoft Office Online

Posted in Technical Questions, Microsoft, Desktops, Laptops | 16 Comments »