Blog: Windows Vista

When you set up a group policy that assigns Internet settings located in User Configuration\Windows Settings\Internet Explorer Maintenance\Security\Security Zones and Content Ratings, you have to copy your current Internet settings to the GPO. These settings are useful if you wish to use the “preference mode” option, so that the setting is set once and the user can then modify it from there. This all works fine when importing from IE6, but if you try to import settings from IE7 it will not work properly, and you will get an error when trying to view the settings of that GPO:

“An error occurred while generating report:
An unknown error occurred while the HTML report was being created.”

There is a rumor that this problem has been fixed in the Vista version of GPMC, and I am assuming that this would include the Server 2008 version, but I have not tested this yet. A workaround, as mentioned in the article linked below, is to set the Internet settings from here: User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Site to Zone Assignment List. This works great except that you do not have the option to use the “preference mode”.

http://sdmsoftware.com/blog/2008/03/gpmc_report_errors_related_to.html

 

USB power causes Blue Screen: We had a case where a customer complained about his laptop crashing, mostly in the mornings when he first brought up the machine. There was an error message generated that indicated the USB driver was the culprit. Several of us were involved and tried disconnecting all his USB devices, but this did not fix the problem. The customer brought the machine to our office, and by happenstance the error occurred and we were able to read the message generated. The message indicated several possible causes, but the first item was to “disable the selective suspend” setting in the Power Options for the USB. Here are the steps:

  • Disable the USB selective suspend setting:
    • Click Start, click Control Panel, and then click System.
    • Click the Hardware tab, and then click Device Manager.
    • Expand the Universal Serial Bus Controllers node, and then, for each USB Root Hub node, do the following:
      • Right-click USB Root Hub, and then select Properties.
      • Click the Power Management tab, uncheck the Allow the computer to turn off this device to save power checkbox, and then click OK.
  • Turn off power saving mode (non-laptop computers only):
    • Click Start, click Control Panel, and then click Power Options.
    • Click the Power schemes dropdown list, select Minimal Power Management, and then click OK.

Here is the link with other options to try if the USB power settings do not fix it for you:  http://wer.microsoft.com/responses/Response.aspx/13804/en-gb/5.1.2600.0.00000000.9.9?SGD=1f53e7cd-1385-4e41-b752-57cf112dc278#here


 

During IT audits, we routinely see banks granting all or some of their users local administrator rights on their PCs.  They are usually forced into allowing this level of access due to some software that will not work correctly without local administrator rights.  However, they can mitigate some of the risk by using a utility called DropMyRights.

In a recent Security Now! podcast, Steve Gibson talked about the DropMyRights utility. It was written by a Microsoft engineer. It allows you to run specific programs with fewer rights than your user account normally has. For example, if you are given local administrator rights because the core banking software requires it, you can use DropMyRights to help protect yourself when running web browsers or your email client. Simply create a shortcut for each program using DropMyRights in the command line. For example, you could use the following command line to run Internet Explorer under a non-admin user context:

C:\utilities\dropmyrights.exe "c:\program files\internet explorer\iexplore.exe"

Links to the utility and supporting documentation can be found on Steve Gibson’s website: http://www.grc.com/sn/notes-176.htm
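The shortcut step described above can be scripted so that every user with local administrator rights gets the same reduced-rights launchers. This is an added example, not part of the original post; it assumes dropmyrights.exe sits in C:\utilities as in the command line above, and the program list, shortcut names and the Outlook path are illustrative.

```powershell
# Added example (not from the original post): create desktop shortcuts that
# launch Internet-facing programs through DropMyRights.
# Assumptions: utility location as shown in the post; program list is illustrative.
$dropMyRights = 'C:\utilities\dropmyrights.exe'
$programs = @{
    'Internet Explorer (reduced rights)' = 'C:\Program Files\Internet Explorer\iexplore.exe'
    'Outlook (reduced rights)'           = 'C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE'
}

function New-DropMyRightsShortcut {
    param([string]$Name, [string]$Target, [string]$Folder)

    if (-not (Test-Path $dropMyRights)) {
        throw "DropMyRights not found at $dropMyRights"
    }
    if (-not (Test-Path $Target)) {
        Write-Warning "Skipping '$Name': $Target is not installed."
        return
    }

    $shell = New-Object -ComObject WScript.Shell
    $lnk   = $shell.CreateShortcut((Join-Path $Folder "$Name.lnk"))
    $lnk.TargetPath       = $dropMyRights          # the shortcut runs the wrapper...
    $lnk.Arguments        = '"' + $Target + '"'    # ...which starts the real program
    $lnk.WorkingDirectory = Split-Path $Target
    $lnk.IconLocation     = "$Target,0"            # keep the familiar icon
    $lnk.Save()
    Join-Path $Folder "$Name.lnk"                  # return the path that was written
}

$desktop = [Environment]::GetFolderPath('Desktop')
foreach ($entry in $programs.GetEnumerator()) {
    New-DropMyRightsShortcut -Name $entry.Key -Target $entry.Value -Folder $desktop
}
```

The original shortcuts for these programs still start them with full rights, so remove or replace them once the new ones are in place.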

 

I recently ran into a problem trying to restore a SQL Server 2005 database to a Windows XP machine. The database backup was created on a Windows Vista machine and I thought that the different OS versions were the culprit. However, it turned out to be related to SQL Server instances and folder paths. Here is the full error I received when I attempted to restore the database using SQL Server Management Studio:

Restore failed for Server 'localhost\sqlexpress'.  (Microsoft.SqlServer.Express.Smo)

Additional information:
System.Data.SqlClient.SqlError: The operating system returned the error '5(Access is denied.)' while attempting 'RestoreContainer::ValidateTargetForCreation' on 'c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\[my database name].mdf'. (Microsoft.SqlServer.Express.Smo)

I searched the Internet using the error message and found several posts stating that it was a problem with the privileges of the user account that my SQL Server Express service was running as. I hadn't changed the account it was running as and I had restored other databases in the past, but I checked the SQL Server Configuration Manager anyway. As I suspected, the service was still running as the default account (Network Service), so that wasn't it.

After I couldn't find a quick fix on the Internet, I decided to look around the options in the Restore Database window. It turns out the problem was with the paths under the restore options. The backup was trying to restore the .mdf and .ldf files to the c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\ directory. The instance of SQL Server I was working with was storing all its data files in C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\. Once I changed the paths for the database file and log file to be the same as where my other database files were being stored, the restore ran fine with no errors. For additional reference, here is an article that explains the naming of folders for SQL Server 2005 instances: http://weblogs.sqlteam.com/tarad/archive/2006/06/07/10114.aspx


 

When I first started using Vista, I noticed I would go into a folder sometimes and the view would be something totally different than everything else (usually huge folder icons). There wasn’t any rhyme or reason for it, and I couldn’t find any checkboxes to make it stop. Once it started happening on one folder, it seemed to get progressively worse. I found that clearing the “saved views” from my registry typically fixed the problem for a little while, so I created a REG file to remove all saved folder views. At first, I would just clear the keys when I started having the issue. But, after getting tired of digging for the REG file every few weeks, I finally decided I’d just set the file to import (delete the keys) whenever I log in. I haven’t had the problem since.

Here is the information in my REG file:

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU]

[-HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags]


 

Windows Vista Easy Transfer Utility is a product that comes with all Vista machines that allows you to move user settings and profiles over to your new Vista system from your old XP or Vista PC.  The utility supports both XP and Vista as sources, but only Vista can be a destination.

If you are using the Windows Vista Easy Transfer Utility, there are several things that you need to consider. Moving the settings over the network is supported, but it is time consuming and often fails.  I recommend that you use an external hard drive. This takes about 20 minutes to blow onto the drive and another 20 to blow onto the new machine but it is very reliable.

Another thing to consider is that if you are transferring a user's domain account to the new PC, you will want to add the new PC to the domain first. This will allow it to retain the correct settings and will keep you from having to create a new account for that user on the new computer.


 

I installed Vista Enterprise, and a few days later, I received a message:

“Activating Microsoft Windows Vista Volume License Products gives the following error:
Windows Activation Error: A problem occurred when Windows tried to activate. 
Error Code ________________
For possible resolution, click More Information.  Contact your system administrator or technical support department for assistance.
DNS name does not exist.”

After googling the problem, I found that if you go to Control Panel > System > Windows activation, click “Change Product Key”, and enter the same product key again, Vista will activate successfully.


 

I have had problems with Word crashing when I try to open a document, particularly when online and opening a Word document on the file server.  I can usually get it to work if I open Word first and then open a document but even that doesn't work at times.

I finally found a post online mentioning problems with add-ins. I looked at the add-ins and my Adobe Acrobat installation had installed a PDF add-in, my scanning application had installed 2 PDF add-ins and I had the add-in from Microsoft to create PDF files. I disabled the PDF add-ins and have not had the problem since.

Also, under Vista, in order to remove most of the add-ins, I had to have administrative access by running Word as administrator. There isn't a "Run as administrator" option when I right-click on the shortcut. I had to find the actual WINWORD executable and right-click on it to run as administrator.


 

I believe that some Microsoft Update for Vista somehow turned off my ability to hibernate my laptop. I found that hibernation in Vista can be turned off and on from the command line using “powercfg /h off” or “powercfg /h on”. After I turned it on, I was able to see the Hibernate option in the start menu without rebooting.


 

The Vista firewall can only apply one profile (either Domain, Public, or Private) at a time.  So if you have one network interface that Vista has identified as connected to the domain and another network interface (a VMWare interface, for example) that Vista cannot identify, it applies the most restrictive firewall profile (Public) to both interfaces.   Obviously, this can break applications if your Public profile is locked down.

In order to fix this issue, you can either:

  1. Disable the VMWare network interfaces if you don’t use them.  They are not needed in bridged mode.
  2. Tell Vista to ignore the VMWare network interfaces when deciding which firewall profile to apply.
    • Disable the VMWARE NICs (VMNET1 and VMNET8 in my case)
    • Run regedit and go to HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}
    • Here you will find a list of numbers (0000 to 0024 in my case)
    • Click through these keys until you find the one with value VMnet=the name of your VMWare NICs (\DosDevices\VMNET1 and \DosDevices\VMNET8 in my case)
    • Add the key *NdisDeviceType with a DWORD value of 1 for each NIC
    • Enable the VMWare NICs
    • While connected to the Compu-Share domain and with the VMWare interfaces enabled, verify the fix worked by going to Control Panel->Windows Firewall.  The Network Location should be listed as “Domain network”.
    • Note: Some people on the Internet said that these registry keys are removed when you upgrade VMWare to a new version.  If so, you will have to add them back manually.
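
The registry steps above as a script, added here as an example and not part of the original post. It assumes the VMware adapter keys carry a "VMnet" value such as \DosDevices\VMNET1, as described in the steps, and that the adapter class key sits under HKLM\SYSTEM\CurrentControlSet; by default it only reports, which also covers re-checking after a VMware upgrade.

```powershell
# Added example (not from the original post). Run from an elevated prompt.
# Assumption: VMware adapter keys carry a "VMnet" value such as
# \DosDevices\VMNET1, as described in the steps above.
function Set-VMnetNdisDeviceType {
    param([switch]$Apply)   # without -Apply the function only reports

    $classPath = 'SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}'
    $dword     = [Microsoft.Win32.RegistryValueKind]::DWord
    $class     = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($classPath)
    if ($class -eq $null) { throw "Network adapter class key not found." }

    foreach ($name in $class.GetSubKeyNames()) {
        # Adapter instances are the four-digit subkeys (0000, 0001, ...);
        # skip anything else, such as "Properties".
        if ($name -notmatch '^\d{4}$') { continue }

        $key   = $class.OpenSubKey($name)              # read-only handle
        $vmnet = $key.GetValue('VMnet')
        $type  = $key.GetValue('*NdisDeviceType')
        $key.Close()
        if ($vmnet -notlike '\DosDevices\VMNET*') { continue }

        $status = 'already set'
        if ($type -ne 1) {
            $status = 'missing'
            if ($Apply) {
                $rw = $class.OpenSubKey($name, $true)  # writable handle
                $rw.SetValue('*NdisDeviceType', 1, $dword)
                $rw.Close()
                $status = 'added'
            }
        }
        # One result object per VMware adapter found
        New-Object PSObject -Property @{
            SubKey = $name; VMnet = $vmnet; NdisDeviceType = $status
        }
    }
    $class.Close()
}

Set-VMnetNdisDeviceType            # report only
# Set-VMnetNdisDeviceType -Apply   # write the value for each VMware NIC
```

As in the manual steps, disable the VMware NICs before running with -Apply and enable them again afterwards, then confirm that Windows Firewall shows “Domain network”.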