Blog: Windows

I have run into this issue recently with updates on several Windows 7 embedded thin clients. The error code translates to a corruption in the Windows component store.

Running "sfc /scannow" on the systems indicated that it did find errors, but could not fix them.

The System Update Readiness tool (KB947821) was successful in repairing component store problems in all cases for me. The download link is https://support.microsoft.com/en-us/kb/947821.

After installing the patch, running Windows Update again to install patches was successful.


 

There has been a lot of discussion about whether a BitLocker pre-boot PIN increases security or not. The main argument we have had in its favour is that the PIN puts a layer of security between an attacker with physical access and the Windows credentials.

On Windows 8 or later with a BitLocker-encrypted OS volume, there is a GPO designed to protect against Windows password guessing. When domain credentials are cached locally, which is common on laptops, the domain account lockout settings can be bypassed while the system has no access to a domain controller. This GPO, however, protects the system even when it cannot reach a domain controller.

Administrators can set the “Interactive logon: Machine account lockout threshold” Group Policy under \Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.

When applied, this setting causes a warning message to be displayed shortly before the machine account lockout threshold is reached. Once the threshold is exceeded, the system reboots and requires the BitLocker recovery key in order to boot.
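A check that reports whether a machine actually has the protection described above, as an added example that is not part of the original post. It assumes the policy is stored as the DWORD MaxDevicePasswordFailedAttempts under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (a value the post does not name) and that the BitLocker PowerShell module is available.

```powershell
# Added example: verify the "Interactive logon: Machine account lockout threshold"
# policy together with the BitLocker state it depends on. Run elevated.
function Test-MachineLockoutProtection {
    # Assumption: the policy is backed by this registry value (absent or 0 = not configured).
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $threshold = (Get-ItemProperty -Path $lsa -Name MaxDevicePasswordFailedAttempts `
                  -ErrorAction SilentlyContinue).MaxDevicePasswordFailedAttempts

    # The reboot-to-recovery behaviour only exists when the OS volume is protected by BitLocker.
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $encrypted = [bool]($os -and $os.ProtectionStatus -eq 'On')
    $preBootPin = [bool]($os -and ($os.KeyProtector.KeyProtectorType -contains 'TpmPin'))

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        OsVolumeEncrypted = $encrypted
        PreBootPin        = $preBootPin
        LockoutThreshold  = $threshold
        # Effective only when both halves are in place: a threshold without BitLocker does nothing.
        Effective         = ($encrypted -and [int]$threshold -gt 0)
    }
}

Test-MachineLockoutProtection | Format-List
```

Wrap the function in Invoke-Command to collect the same object from many machines over WinRM.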


 

We have a backup internet connection that is tied into our Test Lab environment. As a part of this, I needed to change the default gateway on all of my Test Lab VMs so that everything would go out the proper connection. Now, I could RDP into each one and make the change, but that is boring and this is a LAB! It’s time to play a little bit and see if we can change this efficiently.

My initial thought was to use a combination of "psexec" and "netsh" commands to change the gateway. I figured out the netsh command necessary to change an IP address (including the default gateway) and simply left the IP address information out of the command. Much to my surprise, it set the adapter to DHCP, yet statically configured a default gateway. For our LAB this doesn't work, since no address is obtained via DHCP, but at least now I know. So how do you go about scripting a change to the default gateway for multiple Windows systems?

Use a route add command, of course! Using psexec to push the command out, I ran “route add -p 0.0.0.0 mask 0.0.0.0 10.1.1.1” where 10.1.1.1 is my new default gateway. Much to my surprise, it changed the default gateway entry on the adapter without issue.


 

I was recently working on a PowerShell script that used Excel COM objects to pull data from remote computers and put it into a spreadsheet. I finished up the script and tested it under my own account and got the result I was looking for: the data was pulled from the remote computers, an Excel spreadsheet was created and saved to a network share, and an email was sent out with the spreadsheet as an attachment.

Pleased with the script, I set it up as a Scheduled Task running under the credentials of an existing service account. When I manually ran the scheduled task, however, the script would not run. I tried using my own account for the scheduled task and it still would not run. I was using some formatting in Excel that would have been lost if I had switched to a CSV file, and having to remember to run the task manually at the scheduled interval while logged in would not have been the best solution either, so I decided to look for a fix rather than rewrite the code.
 
After some digging, I discovered that PowerShell scripts which use Excel COM objects (and presumably other COM objects) while no user is logged in require the system profile to have a Desktop folder in order to run as scheduled tasks. The folder, however, does not exist under the C:\Users directory as you might expect. Instead, it is located at:
 
C:\Windows\System32\config\systemprofile\Desktop
                *AND*
C:\Windows\SysWOW64\config\systemprofile\Desktop
 
The empty “Desktop” directory itself needs to be created and nothing more: no special permissions or registry hacks. On a 32-bit OS, only the first directory needs to be created. On a 64-bit OS, *both* directories need to be created. In my case, I was on a 64-bit OS and the directory in System32 existed but the directory in SysWOW64 did not. Once I created the missing directory I was able to use the original service account to run the scheduled task successfully whether or not it was logged in to the system.
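A script that creates the missing folders for the current OS bitness, as an added example rather than the original script from the post. It assumes it is run elevated from a 64-bit PowerShell host on 64-bit Windows; a 32-bit host is silently redirected from System32 to SysWOW64 by WOW64 file system redirection and would never see the System32 path.

```powershell
# Added example: create the systemprofile Desktop folders that Excel COM needs
# when a scheduled task runs with no user logged on.
function New-SystemProfileDesktop {
    if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
        throw 'Run this from 64-bit PowerShell: WOW64 redirection would hide the System32 path.'
    }

    $paths = @("$env:windir\System32\config\systemprofile\Desktop")
    if ([Environment]::Is64BitOperatingSystem) {
        # 64-bit Windows also needs the folder used by 32-bit (WOW64) COM servers.
        $paths += "$env:windir\SysWOW64\config\systemprofile\Desktop"
    }

    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p -PathType Container) {
            [pscustomobject]@{ Path = $p; Created = $false }
        } else {
            # An empty folder is sufficient; no permissions or registry changes are required.
            New-Item -ItemType Directory -Path $p -Force | Out-Null
            [pscustomobject]@{ Path = $p; Created = $true }
        }
    }
}

New-SystemProfileDesktop | Format-Table -AutoSize
```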


 

I was helping out with a customer’s Active Directory migration, and a different IT support group used a profile migration tool to help “ease” the transition between domains. Soon after, the users started complaining that IE was not allowing them to save passwords. They would get prompted to store the credentials for a website and click yes, but as soon as they closed and reopened IE their stored credentials would disappear. Our suspicion was that the profile migration tool had corrupted the credential store in the registry.

I started a remote session with one of the users, checked the IE password store in the registry (HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2), and saw several of the user’s old entries. In order to allow the user to store passwords again, I had to delete this registry key (which discards the user's existing saved IE credentials), reopen IE, and save credentials for a website. Once I clicked “yes” to the prompt to save credentials, the registry key was automatically recreated and the credentials got stored.


 

For several months, I dealt with the occasional task of having to restart my laptop (Windows 8.1) because the memory usage would get close to 100%, even with no apps running. There were no processes in Task Manager indicating high memory usage, so I suspected I had a memory leak in a faulty driver.
 
I first ran rammap.exe from Microsoft Sysinternals (https://technet.microsoft.com/en-us/sysinternals/bb545021.aspx). This tool showed that the non-paged pool memory usage was very high. But this didn’t tell me what process was causing the leak.

Next I downloaded and installed the Windows Driver Kit 10 from Microsoft (https://msdn.microsoft.com/en-us/windows/hardware/dn913721.aspx). This kit supports Windows 7 through Windows 10. I had to reboot to complete the install, then wait until my system was running low on memory before continuing my diagnosis. Once I noticed I was low on memory again, I ran "poolmon -b -p" from C:\Program Files (x86)\Windows Kits\10\Tools\x64. The -p switch shows both non-paged and paged pool memory, and the -b switch sorts descending by bytes. At the top of my list was the tag "AVDT".

So how do you figure out what the tag is referring to? I opened an admin command prompt and entered "findstr /s AVDT *.sys". This searched all *.sys files (most driver files are *.sys) in all subdirectories (/s) on the C: drive for the string "AVDT". This returned a screen full of mostly non-readable text, which was the contents of the *.sys files containing the string "AVDT" (adding the /m switch prints only the names of the matching files instead). It was fairly easy to spot a path "\Program Files\WIDCOMM\Bluetooth Software\bin\btwavdt.sys". Looking at the properties of the file confirmed what was obvious from the path: it was related to Bluetooth.
 
Whenever I would connect my iPhone via Bluetooth to my laptop and play music (in order to use my external speakers), the driver would eat up non-paged pool memory to the "tune" of 1 MB every 5 seconds! By opening Task Manager and viewing Memory on the Performance tab, I could literally watch the consumption of non-paged pool memory increase with every measure. Just having the phone connected via Bluetooth didn’t cause this, only when music was playing. At a rate of 1 MB every 5 seconds, it consumed about 2.8 GB of memory to listen to music for half of the day!
 
I searched for a solution to this bug but did not find one. So until I can get an updated driver, I won’t listen to music from my phone on my PC via Bluetooth. Or if I do, I know I only have a few hours before a reboot is needed.


 

I was using a scanning tool to scan some servers and workstations. I could pull some information from the scan, but it would fail when attempting to collect information via Remote Registry. After checking that the Remote Registry service was started and the firewall was not enabled, I attempted to connect to one of the systems remotely using regedit instead of the scanning tool. The connection would appear to succeed, but as soon as I attempted to click on an entry, I would get the error message “Cannot open HKEY_LOCAL_MACHINE: Error while opening key.”

After doing some research, I found this TechNet article (http://support.microsoft.com/kb/892192). It explains that systems upgraded from Windows 2000 may experience this issue because Windows 2000 ran Remote Registry under the “Local System” account, while XP/Server 2003 run it under the “Local Service” account. Once you give “Local Service” read access to the specific registry subkey on the target system, Remote Registry works.


 

Download link: http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

What is PsExec? "PsExec is a light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software. PsExec's most powerful uses include launching interactive command-prompts on remote systems and remote-enabling tools like IpConfig that otherwise do not have the ability to show information about remote systems."

I needed to reset the WSUS IDs on some systems that had been cloned, in order to get them to check in to WSUS properly. I used psexec to run commands as though I were typing them on the PC locally to stop/start the service, delete the registry value, and check for updates from the WSUS server, as in the following example.

psexec \\remotePC net stop wuauserv
psexec \\remotePC REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f
psexec \\remotePC net start wuauserv
psexec \\remotePC wuauclt /detectnow
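The same reset run against a list of cloned machines, one command at a time with PsExec's exit code checked before moving on, as an added example that is not part of the original post. It assumes psexec.exe is on the PATH, the caller is an administrator on every target, and a constructed hosts.txt holds one computer name per line; the loop applies equally to the route add command from the default-gateway post above.

```powershell
# Added example: push the WSUS client-ID reset to many hosts with PsExec.
# Each command is an argument array so the registry path needs no extra quoting.
$commands = @(
    @('net', 'stop', 'wuauserv'),
    @('reg', 'delete', 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate',
      '/v', 'SusClientId', '/f'),
    @('net', 'start', 'wuauserv'),
    @('wuauclt', '/detectnow')
)

# hosts.txt is a constructed input: one computer name per line, blank lines ignored.
$hosts = Get-Content -Path .\hosts.txt | Where-Object { $_.Trim() }

foreach ($pc in $hosts) {
    foreach ($cmd in $commands) {
        # -accepteula suppresses the first-run licence prompt that would otherwise stall a script.
        # PsExec returns the remote process's exit code, so a non-zero value means that step failed.
        & psexec.exe "\\$pc" -accepteula @cmd 2>$null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "$pc : '$($cmd -join ' ')' failed with exit code $LASTEXITCODE; skipping remaining steps"
            break
        }
        Write-Output "$pc : $($cmd -join ' ') OK"
    }
}
```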

You can also use this to run ipconfig and it will show you the results from the REMOTE system which could come in handy. 


 

The other day I got a call from a customer whose laptop was having some major performance issues. The hard drive was full of bad sectors and was causing Windows to perform very poorly, if at all. I got the laptop from them and started down the road of data recovery and hard drive replacement. Thankfully, I was able to boot the laptop with a Fedora Live CD, mount the NTFS OS partition and recover most of the files in the various user profiles. I purchased a replacement hard drive that was the same size as the bad one and thought I'd first try to image the old drive to the new one. This proved to be very slow (because of the thousands of bad sectors) and never really worked. The old hard drive had a recovery partition at the tail end of the disk. Unfortunately, I wasn't able to get Windows to perform well enough to burn recovery media from the recovery partition. So, I was a little stuck. I decided I'd try to capture the partition table and the recovery partition off the failing hard drive. To do this, I used the Fedora Live CD and the 'dd' command.

To capture the partition layout from the first sector of the disk:
dd if=/dev/sda of=partition_layout.img bs=512 count=1

To capture the recovery partition:
dd if=/dev/sda2 of=recovery_partition.img bs=512k conv=noerror

Thankfully, since the recovery partition is written to the hard drive long before it starts to fail, and is never rewritten, it didn't have any errors. (Had there been read errors, conv=noerror alone would skip the unreadable blocks and shift every later byte in the image; conv=noerror,sync pads them with zeros so the offsets are preserved.)

After successfully capturing the images, I was able to replace the failing hard drive with the new drive. I booted the machine again with the Fedora Live CD and restored the images using similar dd commands.

Restore partition layout:
dd if=partition_layout.img of=/dev/sda

After restoring the partition layout, I had to run 'partprobe' to have the OS re-read the partitions on the disk.  Then I restored the recovery partition.
dd if=recovery_partition.img of=/dev/sda2

I used 'fdisk' to set the recovery partition as the "active" partition (so it would boot).
fdisk /dev/sda

After this, I rebooted the machine and the HP recovery process started up and I was able to get the laptop back to its original factory condition.


 

Several of our customers have been confused recently regarding the number of Microsoft licenses they own. The confusion comes from Microsoft’s process itself. When a customer purchases licensing they are issued an Open Business Authorization certificate which states the number of licenses purchased.

The client is also issued a set of keys to install the purchased licenses. The license count and the number of times the customer can use the key are easy to mix up. In fact, the key can be used roughly 5 times per 1 license. As an example, if a customer purchases 10 Windows Server licenses, the associated key may state a quantity of 50. This actually means you can activate the key 50 times against the same 10 licenses.

If you seem to have extra licenses that magically appeared, make sure you are looking at your certificate and not the number associated with the keys.