Blog: Networking

By accident the other day I ran across some information that I thought was pretty interesting. Natively, Cisco 3560, 3750, 4500, and 6500 multilayer switches (MLSs) use CEF instead of route caching for layer 3 switching. Several things cause what is called a "CEF punt", where CEF hands the packet off to the layer 3 routing engine for software processing. It can happen for several reasons: the packet needs to be fragmented, the MAC is not found in the adjacency table, there is no route in the FIB...stuff like that. But here's the interesting part: a log attribute on an ACL entry also causes a CEF punt. So it might be worthwhile to remove those entries once troubleshooting is done so that as much traffic as possible is hardware switched.
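As an added illustration (not from the post), here is a small Python check that walks an IOS-style configuration and lists every ACL entry carrying `log` or `log-input`, the entries worth revisiting once troubleshooting is over. The sample configuration, ACL names and addresses are constructed.

```python
import re

# Constructed sample of an IOS-style running-config (not from the post).
SAMPLE_CONFIG = """\
ip access-list extended INSIDE-IN
 remark log entries here are only for troubleshooting
 permit tcp 10.1.0.0 0.0.255.255 any eq 443
 deny ip any 192.168.99.0 0.0.0.255 log
 permit ip any any
!
access-list 101 permit udp any any eq 53
access-list 101 deny ip any any log-input
!
interface Vlan10
 ip access-group INSIDE-IN in
"""

# ACE options that send matching packets to the CPU instead of the hardware path.
LOG_KEYWORDS = {"log", "log-input"}


def find_logging_aces(config_text):
    """Return (acl, ace) for each ACE carrying a log keyword.

    Covers named ACLs (entries indented under 'ip access-list ...') and
    classic numbered 'access-list N ...' lines; remark lines are ignored.
    """
    hits, current_acl = [], None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = re.match(r"ip access-list (?:standard|extended) (\S+)$", line)
        if m:
            current_acl = m.group(1)
            continue
        if line.startswith("access-list "):
            acl, _, ace = line[len("access-list "):].partition(" ")
        elif line.startswith(" ") and current_acl:
            acl, ace = current_acl, line.strip()
        else:
            current_acl = None  # '!' or any other top-level line ends the block
            continue
        tokens = ace.split()
        if not tokens or tokens[0] == "remark":
            continue
        if any(tok in LOG_KEYWORDS for tok in tokens):
            hits.append((acl, ace))
    return hits


if __name__ == "__main__":
    for acl, ace in find_logging_aces(SAMPLE_CONFIG):
        print(f"{acl}: {ace}")
```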


 

In troubleshooting an SBS 2003 Server, it was discovered that the system drive was almost out of space. Upon further investigation, most of the disk space was being consumed by the %WINDIR%\Installer folder. That folder contained numerous MSI files of over 100 MB each, repeated over and over.

It was noted that earlier in the week, an update for Backup Exec had repeatedly tried to install and failed until the server was rebooted by the customer. After the reboot, the install took, but all of those failed attempts seemingly left behind an orphaned MSI file for each hour the server tried to install the update.

In order to clean out the orphaned files in this folder, you will need to run “MSIZAP.exe T!”. You can obtain the MSIZAP file from: http://support.microsoft.com/default.aspx?scid=kb;en-us;290301. Syntax for running MSIZAP can also be found here: http://msdn.microsoft.com/en-us/library/aa370523.aspx.

After running this program, it had deleted over half of the files in the Installer directory and reclaimed approximately 10 GB of disk space. It was noted that the duplicate 100 MB+ files were removed.
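Before running MSIZAP it helps to see how much of the Installer folder really is duplicated. The following Python script is an added example, not part of the original post: it groups the large .msi files in a directory by SHA-256 and reports the space one copy of each would free. The directory and file names it builds are constructed stand-ins for %WINDIR%\Installer.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

MIN_SIZE = 100 * 1024 * 1024  # the post's threshold: only consider 100 MB+ files


def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_duplicate_msis(installer_dir, min_size=MIN_SIZE):
    """Group .msi files of at least min_size bytes by content hash.

    Returns ({sha256: [paths]} for hashes seen more than once,
    bytes freed by keeping one copy of each group).
    """
    by_size = defaultdict(list)
    for name in os.listdir(installer_dir):
        path = os.path.join(installer_dir, name)
        if name.lower().endswith(".msi") and os.path.isfile(path):
            size = os.path.getsize(path)
            if size >= min_size:
                by_size[size].append(path)
    groups = defaultdict(list)
    for paths in by_size.values():  # only hash files that share a size
        if len(paths) > 1:
            for p in paths:
                groups[sha256_of(p)].append(p)
    dups = {h: sorted(ps) for h, ps in groups.items() if len(ps) > 1}
    reclaimable = sum(os.path.getsize(ps[0]) * (len(ps) - 1) for ps in dups.values())
    return dups, reclaimable


def build_sample_dir(size=4096):
    """Constructed stand-in for %WINDIR%\\Installer: three cached MSIs, two identical."""
    d = tempfile.mkdtemp()
    for name, fill in (("1a2b3c.msi", b"A"), ("4d5e6f.msi", b"A"), ("7a8b9c.msi", b"B")):
        with open(os.path.join(d, name), "wb") as f:
            f.write(fill * size)
    return d


if __name__ == "__main__":
    dups, free = find_duplicate_msis(build_sample_dir(), min_size=1024)
    print(dups, f"{free} bytes reclaimable by keeping one copy of each duplicate")
```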


 

USB power causes Blue Screen: We had a case where a customer complained about his laptop crashing, mostly in the mornings when he first brought up the machine. There was an error message generated that indicated the USB driver was the culprit. Several of us were involved and tried disconnecting all his USB devices, but this did not fix the problem. The customer brought the machine to our office and by happenstance the error occurred and we were able to read the message generated. The message indicated several possible causes, but the first item was to “disable the selective suspend” setting in the Power Options for the USB. Here are the steps:

  • Disable the USB selective suspend setting:
    • Click Start, click Control Panel, and then click System.
    • Click the Hardware tab, and then click Device Manager.
    • Expand the Universal Serial Bus Controllers node, and then, for each USB Root Hub node, do the following:
      • Right-click USB Root Hub, and then select Properties.
      • Click the Power Management tab, uncheck the Allow the computer to turn off this device to save power checkbox, and then click OK.
  • Turn off power saving mode (non-laptop computers only):
    • Click Start, click Control Panel, and then click Power Options.
    • Click the Power schemes dropdown list, select Minimal Power Management, and then click OK.

Here is the link with other options to try if the USB power settings do not fix it for you:  http://wer.microsoft.com/responses/Response.aspx/13804/en-gb/5.1.2600.0.00000000.9.9?SGD=1f53e7cd-1385-4e41-b752-57cf112dc278#here


 

Cisco has a feature for monitoring network connections in various manners. The IP SLA (service level agreement) feature allows the router to track objects via ICMP, network connections, etc., to monitor things like availability, latency, and jitter, and to make routing decisions based on these.

We’ve implemented this feature to perform failover when a device becomes unavailable. It is possible to monitor multiple items and to make decisions based on the aggregate result, using either Boolean logic or percentages.

Finally, we ran into a problem at a customer site where the “interface” keyword was not working as expected on an IP SLA object. I changed it to use the “address” keyword, and the tracked object started working as expected.

 

During IT audits, we routinely see banks granting all or some of their users local administrator rights on their PCs.  They are usually forced into allowing this level of access due to some software that will not work correctly without local administrator rights.  However, they can mitigate some of the risk by using a utility called DropMyRights.

In a recent Security Now! podcast, Steve Gibson talked about the DropMyRights utility. It was written by a Microsoft engineer. It allows you to run specific programs with fewer rights than your user account normally has. For example, if you are given local administrator rights because the core banking software requires it, you can use DropMyRights to help protect yourself when running web browsers or your email client. Simply create a shortcut for each program that invokes DropMyRights on the command line. For example, you could use the following command line to run Internet Explorer under a non-admin user context:

C:\utilities\dropmyrights.exe "c:\program files\internet explorer\iexplore.exe"

Links to the utility and supporting documentation can be found on Steve Gibson’s website: http://www.grc.com/sn/notes-176.htm

 

In using Microsoft Live Meeting for desktop sharing and presentation, there are a couple of fundamentals which must be considered.

You can launch Live Meeting from the Live Meeting web site or, after you have installed the Live Meeting Client, you can launch it from the Client. What I didn’t know was that the invitation e-mail is different depending on how you launched the meeting. If you launch from the website the invitee gets this email:

When the invitee clicks on “Join the Meeting”, he or she is taken to a webpage like this:

Notice on the page there are two options. The first is to download the client and join the meeting. This option is fine and probably offers more Live Meeting options. But depending on the invitee’s network security, his or her permissions to install software, etc., it may not be possible to install the Client.

Notice at the bottom, outlined in red, is the web access option. The problem is that it is at the bottom of the page and does not stand out. It is easy to miss the fact that there are two options presented on the page.

If you launch the meeting from the Client the invitee gets this email:

This email does not present the web access option.

Unaware of this, I started the session from the client, sent the e-mail, and began to instruct an invitee to find the Web Access portion of the website. He instead had been linked to the Microsoft Download page to download the client.

Long story short, we were never able to get Live Meeting to work.

Using Web Access seems to be the simplest and fastest way to get invitees into a meeting, but be sure you launch the meeting from the website and be ready to instruct them to click on the hard-to-find Web Access link. 


 

We had an issue last week where backups of an Exchange 2007 server began to fail after we removed the EMC Replication Manager & EMC Solutions Enabler apps. The errors that we began to see in the Application log looked like this:

Volume Shadow Copy Service error: A critical component required by the Volume Shadow Copy service is not registered.  This might happened if an error occurred during Windows setup or during installation of a Shadow Copy provider.  The error returned from CoCreateInstance on class with CLSID {bd902507-4491-4001-acdd-a540a2cad34b} and Name HWPRV is [0x80040154].

I went through the process described here http://support.microsoft.com/kb/940032 to reregister all the VSS stuff, but it didn’t work. After digging into the VSS CLI, I was seeing the following returned from issuing a “vssadmin list providers”:

Provider name: 'Microsoft Software Shadow Copy provider 1.0'
   Provider type: System
   Provider Id: {b5946137-7b9f-4925-af80-51abd60b20d5} 
   Version: 1.0.0.7

Provider name: 'ERM VSS Provider'
   Provider type: Hardware
   Provider Id: {e929a027-cf8c-47bf-90a3-cd4241c7cace}
   Version: 1.0

It appeared as if the EMC VSS provider was not removed when I uninstalled the software. The EMC online knowledgebase said that to fix it, you re-install the apps, start the VSS service, then uninstall the apps again, suggesting that the provider would not have been removed if the service wasn’t running at the time the apps were uninstalled. I had a really hard time getting that stuff installed to start with, so I didn’t want to start that again. I did some testing on a VM and found that I could remove the provider by just removing the registry key which matched the Provider Id listed by the vssadmin list providers command.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Providers\{e929a027-cf8c-47bf-90a3-cd4241c7cace}

After restarting the VSS service once, the vssadmin list providers command gave this output:

Provider name: 'Microsoft Software Shadow Copy provider 1.0'
   Provider type: System
   Provider Id: {b5946137-7b9f-4925-af80-51abd60b20d5}
   Version: 1.0.0.7

Success!! This could well be a problem with, and the fix could work for, any application that installs third-party VSS providers.
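As an added example (not the post's own tooling), this Python snippet parses the `vssadmin list providers` output shown above and, for any provider other than Microsoft's built-in software provider, prints the key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Providers that matches its Provider Id, so a leftover can be confirmed before anything is deleted. The "anything not Microsoft's System provider" rule is an assumption of this example.

```python
# Output of 'vssadmin list providers' copied from the post above.
VSSADMIN_OUTPUT = """\
Provider name: 'Microsoft Software Shadow Copy provider 1.0'
   Provider type: System
   Provider Id: {b5946137-7b9f-4925-af80-51abd60b20d5}
   Version: 1.0.0.7

Provider name: 'ERM VSS Provider'
   Provider type: Hardware
   Provider Id: {e929a027-cf8c-47bf-90a3-cd4241c7cace}
   Version: 1.0
"""

PROVIDERS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Providers"


def parse_providers(text):
    """Turn vssadmin's 'Field: value' blocks into a list of dicts."""
    providers, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip(), value.strip()
        if field == "Provider name":
            if current:
                providers.append(current)
            current = {"name": value.strip("'")}
        elif field == "Provider type":
            current["type"] = value
        elif field == "Provider Id":
            current["id"] = value.lower()
        elif field == "Version":
            current["version"] = value
    if current:
        providers.append(current)
    return providers


def leftover_providers(providers):
    """Providers other than Microsoft's built-in System provider (assumed heuristic).

    For each one, return the registry key the post removed to deregister it.
    """
    return [
        (p["name"], f"{PROVIDERS_KEY}\\{p['id']}")
        for p in providers
        if p["type"] != "System" or not p["name"].startswith("Microsoft")
    ]


if __name__ == "__main__":
    for name, key in leftover_providers(parse_providers(VSSADMIN_OUTPUT)):
        print(f"{name}: {key}")
```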


 

You might have heard the publicity that Octoshape received after Obama’s inauguration. They used “Octoshape Grid Delivery.” Octoshape’s “grid streaming technology” is just a peer-to-peer network, like BitTorrent, except it is geared toward live streams.

There are a number of issues with this including:

Cost-shifting to ISPs and users without informing them (approximately 30% of the bandwidth for CNN’s live stream comes from peers).

Crazy license agreement. Here are a couple of quotes from their EULA (http://www.octoshape.com/files/EULA.html), which you have to go digging on their web site for:

“You may not collect any information about communication in the network of computers that are operating the Software or about the other users of the Software by monitoring, interdicting or intercepting any process of the Software. Octoshape recognizes that firewalls and anti-virus applications can collect such information, in which case you not are allowed to use or distribute such information.” You mean I am violating the EULA if I try to see what is using up my upstream bandwidth?

“Accordingly, you hereby grant permission for Octoshape and other end users of the Software to utilize and share the processor and bandwidth of your personal computer system for the limited purpose of facilitating the communication between you and other end users of the Software, including Octoshape.”  Including Octoshape?

Company policies may exist concerning outbound traffic, and the user would be telling any number of others what video stream they are currently watching. Of course, there could be security vulnerabilities that could be exploited.

To learn more, here is an article I recommend; it has plenty of links in it to follow: http://windowssecrets.com/2009/02/05/01-Watch-a-live-video-share-your-PC-with-CNN

An open (non-commercial) peer to peer streaming solution is from the p2p-next consortium http://www.p2p-next.org.

 


 

I was experimenting with options for iPhone passwords - those enforced from the Exchange server.  I created a custom mailbox policy that required alphanumeric passwords.  I fiddled with it a while to see what the options meant and then went back to the original policy that just required a 4-digit PIN.  However, I was unable to go back to a numeric PIN (it kept requiring 4 characters including a special character) until I Reset All the iPhone settings (which erased my e-mail setup, network settings - including the WPA key, etc.).

So, if you're tempted to test a longer and/or alphanumeric and/or complex password on your iPhone and may want to go back to what you originally had, be prepared to Reset the phone (you don't lose applications or data but you lose all your custom settings).

 

If your Entourage Mac for Exchange Server stops synchronizing new e-mail from your Exchange server, it might be caused by a corrupt inbox cache. A customer was having a problem where their Mac was not synchronizing with their Exchange server, and the inbox cache was the culprit for them. The solution is to go to the properties of the mail folder and select the option to clear the cache. After doing so, synchronization will download all email from the Exchange Server. I found the solution for this problem posted on the following site: www.macwindows.com/entourage