Blog

I’ve been researching some slow installs on one of our terminal servers for a while now. An install, which normally takes a couple of minutes, had been taking close to an hour, giving me time to complete other installs and come back to it. It seemed like a registry issue for the longest time, but I wasn’t completely sure where to begin. I found a posting on an HP forum about an older version of the Universal Print Driver leaving a ton of garbage in the registry when it was installed. Checking the trees (HKEY_CURRENT_USER\Software\Hewlett-Packard, HKEY_USERS\.DEFAULT\Software\Hewlett-Packard), I found quite a few keys with GUIDs (100a6cf5-1f38-4593-558c-306404c054e2) running down the list.

Following recommendations from http://www.rb303.net/2010/01/terminal-server-2003-msiexec-high-cpu.html, I deleted all the HP printers, deleted all the HP drivers from the local print server properties, and then backed up and deleted the trees listed above as well as the HP Universal Print Monitor key (HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\HP Universal Print Monitor). I then reinstalled the necessary HP printers, one of which installed the Universal Print driver again, and checked the registry. Much cleaner.

After running a test install, it appears that removing those entries really cleaned up the registry quite a bit and is speeding up the installs. To give you an idea of the sheer size of the exported entries, in the default .reg format, the export took nearly 40MB. In plain-text (.txt) export, the size doubled. That's a lot of HP garbage.
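A scripted version of the cleanup, added here as an example rather than taken from the post or from HP. It exports the two Hewlett-Packard trees named above with reg.exe (so there is a backup and a size figure to compare), lists the GUID-named subkeys under them, and removes only those keys, and only when `$Commit` is set; the default is a dry run. The registry paths are the post's; the GUID pattern, the backup directory and the `$Commit` switch are this example's own choices.

```powershell
# Added example, not from the original post or HP: back up the Hewlett-Packard
# registry trees the post names, count the GUID-named subkeys, and remove them.
# Dry run by default; set $Commit = $true to actually delete. Run elevated.
$Commit    = $false
$BackupDir = Join-Path $env:TEMP 'hp-reg-backup'   # assumption: where exports are kept
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Each tree as a provider path (for enumeration) and a reg.exe path (for export).
$HpTrees = @(
    @{ PS = 'HKCU:\Software\Hewlett-Packard';                         Reg = 'HKCU\Software\Hewlett-Packard' }
    @{ PS = 'Registry::HKEY_USERS\.DEFAULT\Software\Hewlett-Packard'; Reg = 'HKU\.DEFAULT\Software\Hewlett-Packard' }
)

# Key names that are bare GUIDs, like 100a6cf5-1f38-4593-558c-306404c054e2 in the post,
# with or without braces. -match is case-insensitive by default.
$GuidPattern = '^\{?[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}\}?$'

function Export-RegistryTree {
    param([string]$RegPath, [string]$Directory)
    $file = Join-Path $Directory (($RegPath -replace '[\\:]', '_') + '.reg')
    & reg.exe export $RegPath $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed for $RegPath" }
    Get-Item $file
}

function Get-GuidNamedKeys {
    param([string]$ProviderPath)
    if (-not (Test-Path $ProviderPath)) { return @() }
    Get-ChildItem -Path $ProviderPath -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match $GuidPattern }
}

foreach ($tree in $HpTrees) {
    if (-not (Test-Path $tree.PS)) { Write-Host "$($tree.PS): not present"; continue }

    # Always back up first; the export size alone shows how much the driver left behind.
    $backup = Export-RegistryTree -RegPath $tree.Reg -Directory $BackupDir
    Write-Host ("{0}: exported {1:N1} MB to {2}" -f $tree.PS, ($backup.Length / 1MB), $backup.FullName)

    $keys = @(Get-GuidNamedKeys -ProviderPath $tree.PS)
    Write-Host ("{0}: {1} GUID-named subkeys" -f $tree.PS, $keys.Count)

    foreach ($key in $keys) {
        # A GUID key nested under another GUID key may already be gone; skip it quietly.
        if (-not (Test-Path $key.PSPath)) { continue }
        if ($Commit) { Remove-Item -Path $key.PSPath -Recurse -Force }
        else         { Write-Host "would remove $($key.Name)" }
    }
}
```

Run it once as a dry run, look at the counts and the exported file sizes, then set `$Commit` and run again. The HP Universal Print Monitor key under HKLM that the post also removed is a separate, deliberate step: it is not GUID-named, so this script leaves it alone.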


 

I learned the reason that VMware suggests having service consoles for ESX hosts on at least two distinct networks last week. I was troubleshooting intermittent backup issues with Veeam on a customer network and couldn’t really find any pattern to the failures. Two or three backups in a row would run successfully, then 5 in a row might fail. The behavior was very random. However, the failures were always on Virtual Machines associated with a specific ESX host. At first I thought the host was healthy, but after watching the VI client for an extended period of time, I noticed that the ESX host would drop offline (showing disconnected in the VI client) and then come back online again.  This indicated the problem wasn’t just affecting the management/backup server.

In order to level set my troubleshooting efforts, I decided to reboot this ESX host. However, after the reboot, I could not connect to it with the VI client. I could ping the IP assigned to the service console, but couldn’t SSH or connect via the VI client. I logged in via iLO and found that an ifconfig at the command line returned IP = 0.0.0.0... interesting. So what was responding to my pings? I checked the arp cache on one of the switches and found that a thin client had been plugged in that had the same IP as my LAN service console. What is really odd is the MAC address for the thin client was all zeros AND the IP I was using for the LAN service console is not even available to be distributed by DHCP. I was not able to connect to the thin client to see how it was configured, but I was able to connect to the ESX host via a second service console port that I placed on the iSCSI network. The management/backup server has a connection to the iSCSI network to do backups to disk, so I was able to change the LAN-facing service console IP to another IP and everything started working fine. The backup issue was obviously being caused by changes in the arp entries on the backup server between the thin client and the ESX host. So, be aware that at boot-time, if ESX determines that the IP it is using for a service console is already in use, it just rips it out of the configuration and continues to boot with NO WARNINGS or ERRORS on the console.


 

Recently, I received a Sharper Image CG-C140 Portable Folding Charging Valet which came with an adapter to use for charging my iPhone.

The first time I plugged my iPhone in, I could hear what sounded to be a high pitched electrical noise coming from the station.  As I left my phone to charge overnight, I woke up the next day to find the battery was drained.  I thought maybe I didn’t have it connected securely, so I plugged it in to the iPhone wall charger later that day.  A few days later, I put the phone on the charging valet again and woke up to a completely drained battery.  I know that it had “chirped” indicating that it was plugged in to a charger before I set it down.

This time, things were different.  As I mumbled about this piece of junk not working, I plugged the iPhone wall charger into the iPhone and pressed the power button.  My phone wasn’t booting up.  Ok, I’ll give it a few minutes and come back.  Still nothing.  I unplugged the charger cable and reconnected it, and there were no “chirps” or sign of life.  I decided that maybe this valet fried my battery, so I headed to the nearest AT&T store.  On the way to the store, I had my phone plugged into a car charger, and it wasn’t working either.

AT&T said, you can buy another phone in the meantime, and we can send the phone to Apple for repairs.  It’ll take a few weeks to get it back, and I need my phone for work.  This brought up the obvious question, “Do I return the extra phone when I get mine back?”  No, I would then own TWO iPhones.  What!?  Ok, I’m heading to the Apple store in the mall a few miles up the road.  By now you can probably guess my opinion of AT&T.

Upon arriving at the Apple store, they told me that I would have to talk to someone in the technology “bar”.  Yes, they have some kind of cool tech bar.  Oh, and the wait time was about 3 hours.  I thought Apple products were supposed to be trouble free according to all of the television commercials.  Obviously, people have a lot of problems they need help with.

In the meantime, I used one of their Macs to search for similar weird charging issues.  One post I came across said that their phone’s charging function had been “stuck” in a state that it wouldn’t do anything.  Some lucky person had discovered that if they had their phone plugged into their PC through the USB charging cable, they could send a “jolt” to the phone that made it start charging again by shutting down the PC and then turning the PC back on.

Well, where I am now, all I have available is a car charger cable.  I got back in the car, started the engine, plugged in the car charger cable to the phone, turned off the car, turned on the car, and shortly after, my phone was able to be turned on and charged.  Two months later, I haven’t had any other problems with my iPhone battery.


 

Back several months ago I tried to update my laptop to Snow Leopard (OSX 10.6).  Most things worked great, but at the end of the week when I started doing some of my reports, I noticed lots of file system problems.  The Word documents I was editing would become read-only after I saved them once.  New documents I created would be read-only.  As I got to digging, I found that any files I created on the file server were being created with empty permissions (as viewed from my laptop), and read-only permissions (via the checkbox) as viewed from the Windows side.  I found lots of people having the same problem with no real workaround.  I noticed the permissions would fix when I viewed them from the Finder, or when I did an ‘ls -l’ from the command line.  I restored my system back to Leopard from my backup (which was nice to have available) and waited for a fix.  Well, the fix came in the recent release of Snow Leopard 10.6.3.  I’ve updated again and everything works great.


 

Symantec Endpoint Protection clients that have been cloned and rolled out for production may be misconfigured. I recently found out that Sysprep does not remove the hardware ID for SEP, which prevents the client from appearing in the SEP console properly. Since all the systems will have the same hardware ID, as they check in each one will replace the previous system that checked in. The clients will still receive updates, but the console will not allow you to track all the clients. To fix the problem a new hardware ID for Symantec must be created.

  1. Delete %programfiles%\Common Files\Symantec Shared\HWID\sephwid.xml
  2. Open the registry and navigate to HKLM\Software\Symantec\Symantec Endpoint Protection\SMC\Sylink\Sylnk
  3. Edit the “HardwareID” value data to be blank
  4. Restart the Symantec Management Client (SMC) service in the services snap-in

The client will generate a new unique Hardware ID and sephwid.xml
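The same four steps as a script, added here as an example and not Symantec's own tooling, with a check at the end that the client really did come back with a different ID. The file path, registry key and value name are the ones from the steps above; the timeout, the poll interval and looking the service up by its display name are this example's assumptions. It is meant to run elevated on each clone after Sysprep, for instance as a first-boot task.

```powershell
# Added example, not from Symantec: reset the SEP hardware ID on a cloned client
# (steps 1-4 above) and verify that a new one was generated.
$HwidFile  = Join-Path ${env:ProgramFiles} 'Common Files\Symantec Shared\HWID\sephwid.xml'
$SylinkKey = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\Sylink\Sylnk'
$TimeoutSeconds = 120   # assumption: how long to wait for SMC to re-register

function Get-SepHardwareId {
    $p = Get-ItemProperty -Path $SylinkKey -Name HardwareID -ErrorAction SilentlyContinue
    if ($p) { $p.HardwareID } else { $null }
}

$oldId = Get-SepHardwareId
Write-Host "current HardwareID: '$oldId'"

# Step 1: remove the cached hardware ID file.
if (Test-Path $HwidFile) { Remove-Item -Path $HwidFile -Force }

# Steps 2-3: blank the HardwareID value.
Set-ItemProperty -Path $SylinkKey -Name HardwareID -Value ''

# Step 4: restart the Symantec Management Client service. Looking it up by the
# display name used in the post avoids hard-coding the internal service name.
$smc = Get-Service -DisplayName 'Symantec Management Client' -ErrorAction Stop
Restart-Service -InputObject $smc -Force

# Verification: wait until the file is back and a non-empty ID is in the registry.
$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
do {
    Start-Sleep -Seconds 5
    $newId    = Get-SepHardwareId
    $fileBack = Test-Path $HwidFile
} until (($fileBack -and $newId) -or ((Get-Date) -gt $deadline))

if (-not $fileBack -or -not $newId) {
    throw "SMC did not regenerate a hardware ID within $TimeoutSeconds seconds"
}
if ($newId -eq $oldId) {
    throw "HardwareID unchanged ($newId); confirm sephwid.xml was removed before the restart"
}
Write-Host "new HardwareID: $newId"
```

If the client is a 32-bit build on a 64-bit Windows, the same key and file live under HKLM\SOFTWARE\Wow6432Node and Program Files (x86) respectively; adjust the two paths at the top accordingly.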


 

We had a problem with a new Xerox ColorQube printer that was not allowing users to use the hole punching or stapling features (something that they had been promised by Xerox would work). When printing a job they would click on the printing preferences and then try to choose either hole punch or staple and they were both grayed out. When I was logged onto my account the option was not grayed out. This at first led me to believe that the problem was a rights issue, but it turns out it was not. I noticed that when I logged on with my account onto another terminal server that the options were grayed out for me as well. This led me to compare settings within the printing preferences on my two profiles.

I finally found through this that the problem was within the paper size choice. If the paper size setting was set to mixed output you were not allowed to choose to use the hole punching or stapling features (they were grayed out). When the size was specified such as legal or letter size the options would then become available.  It makes sense why the stapling and hole punching options were disabled with that paper size, but the user interface was less than intuitive.


 

I think we all know better than to download executable programs (.exe's) from untrusted sources and run them.  Opening a Word document from an untrusted source could be dangerous.  Now, even opening a PDF file on a fully patched Windows machine with excellent, up-to-date anti-virus and malware software could cause your machine to get owned.

Didier Stevens, who has written some great PDF analysis tools, published a disturbing blog post the other day.  He demonstrates how to use an existing feature in PDF to execute a program on someone's computer when they open the document.  Adobe Acrobat Reader displays a message first, but the message can be changed to social engineer someone into clicking the Open button on the message.  And my favorite PDF reader, Foxit, does not even display this message.  Disabling JavaScript does not help.

Here is the link to his article: http://blog.didierstevens.com/2010/03/29/escape-from-pdf/

I downloaded his extremely simple example and in a few seconds changed it to run a batch script instead of cmd.exe.  It looks like it would be trivial to make it run any sequence of commands desired.  Depending on the PDF viewer used on other operating systems such as Linux or Mac OS X, this same technique will work there.

When using Google, one might consider clicking on Quick View or View as HTML instead of viewing the actual PDF file.

UPDATE:  Adobe finally responded to this, explaining simply how to disable this feature.  This sounds like a good thing to do for most users. http://blogs.adobe.com/adobereader/2010/04/didier_stevens_launch_function.html
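Since neither a patched system nor anti-virus helps here, the practical control on the receiving side is to look for the feature itself. The scanner below is an added example, not code from the post or from Didier Stevens' tools: it reports whether a PDF carries a /Launch action (the feature described above), along with /OpenAction and JavaScript indicators, and it handles two evasions a plain string search misses, names written with PDF hex escapes (`/L#61unch`) and dictionaries stored inside FlateDecode streams. The two test files it writes are constructed fixtures, not real documents; the function and variable names are this example's own.

```powershell
# Added example (not from the post or Didier Stevens): flag PDFs containing a /Launch action.
$Latin1 = [System.Text.Encoding]::GetEncoding(28591)   # 1:1 byte-to-char, so string offsets equal byte offsets

function Expand-PdfNameEscapes {
    param([string]$Text)
    # PDF names may encode any character as #xx, e.g. /L#61unch -> /Launch.
    [regex]::Replace($Text, '#([0-9A-Fa-f]{2})', { param($m) [string][char][Convert]::ToInt32($m.Groups[1].Value, 16) })
}

function Get-InflatedStreams {
    param([byte[]]$Bytes, [string]$Text)
    $inflated = [System.Collections.Generic.List[string]]::new()
    foreach ($m in [regex]::Matches($Text, 'stream\r?\n(.*?)\r?\nendstream', 'Singleline')) {
        $g = $m.Groups[1]
        if ($g.Length -lt 3) { continue }
        try {
            # Skip the 2-byte zlib header; DeflateStream expects raw deflate data.
            $in  = [System.IO.MemoryStream]::new($Bytes, $g.Index + 2, $g.Length - 2)
            $ds  = [System.IO.Compression.DeflateStream]::new($in, [System.IO.Compression.CompressionMode]::Decompress)
            $out = [System.IO.MemoryStream]::new()
            $ds.CopyTo($out)
            $inflated.Add($Latin1.GetString($out.ToArray()))
        } catch { }   # not Flate, or a predictor/filter this example does not handle: skip
    }
    $inflated
}

function Test-PdfLaunchAction {
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $raw   = $Latin1.GetString($bytes)
    $views = @($raw) + @(Get-InflatedStreams -Bytes $bytes -Text $raw)
    $text  = Expand-PdfNameEscapes -Text ($views -join "`n")

    # A PDF name ends at whitespace or a delimiter, so /Launch does not match a longer name.
    $end = '(?=[\s/\[\]<>(){}%]|$)'
    $launch = [regex]::IsMatch($text, "/Launch$end")
    $target = $null
    if ($launch) {
        # Best effort for the report: the /F file spec that follows the action.
        $tm = [regex]::Match($text, '/S\s*/Launch.*?/F\s*\((?<f>(?:\\.|[^)\\])*)\)', 'Singleline')
        if ($tm.Success) { $target = $tm.Groups['f'].Value }
    }
    [pscustomobject]@{
        Path       = $Path
        HasLaunch  = $launch
        OpenAction = [regex]::IsMatch($text, "/OpenAction$end")
        HasJS      = [regex]::IsMatch($text, "/(JavaScript|JS)$end")
        Target     = $target
    }
}

# Constructed fixtures (not real documents): one with a hex-escaped /Launch action, one clean.
$dir = Join-Path $env:TEMP 'pdf-launch-check'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$withLaunch = "%PDF-1.4`n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj`n" +
              "2 0 obj << /Type /Action /S /L#61unch /F (placeholder-program) >> endobj`n"
$clean      = "%PDF-1.4`n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj`n"
[System.IO.File]::WriteAllBytes((Join-Path $dir 'launch.pdf'), $Latin1.GetBytes($withLaunch))
[System.IO.File]::WriteAllBytes((Join-Path $dir 'clean.pdf'),  $Latin1.GetBytes($clean))

Get-ChildItem -Path $dir -Filter *.pdf | ForEach-Object { Test-PdfLaunchAction -Path $_.FullName } | Format-Table -AutoSize
```

The check is tuned to flag rather than to be exact: a `#xx` sequence inside an ordinary string is expanded too, and streams using other filters are skipped, so treat a hit as "needs a look", not proof. Pointed at a mail quarantine or download folder instead of `$dir`, it gives a quick list of documents worth opening only in a viewer with the launch feature disabled, as Adobe's update describes.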


 

I upgraded from Vista to Windows 7 about three weeks ago.  I decrypted my PGP encrypted drive before the upgrade and, after the upgrade, PGP recognized my disk wasn't encrypted and prompted me to encrypt my drive.  I started the encryption process but wound up pausing the process because of slow performance, intending to resume it after hours.  I installed some Windows and Lenovo (ThinkDamage…probably my 2nd mistake) updates which required a reboot.  After the reboot, PGP started trying to install itself and produced this error message…

"You cannot upgrade or remove PGP while a whole disk is processing. Installation terminated."

I was unable to access the PGP console in order to resume the encryption, decrypt, etc.  An attempt to uninstall PGP produced the same error.  This was not good since I was scheduled to leave town on an audit within 24 hours and thought I might have to abandon the upgrade to Windows 7, restore a backup and re-encrypt the old Vista image before I left town.

A coworker suggested I log a ticket with PGP.  After doing so, I was poking around their site, searching for various terms from the error message and stumbled across a reference to a command line command.  About that same time, I received an auto-response from PGP which included several links, the last of which led me to information about the same command line command, pgpwde.

Here is the relevant section from the page above:

SECTION 2 - PGPWDE Command Line

The following commands will help diagnose and decrypt the disk. Other commands can be listed by typing pgpwde --help.

  1. To begin working with the PGPWDE interface open a command prompt and change to the PGP installation directory (default directory shown) C:\Program Files\PGP Corporation\PGP desktop.
  2. To list all installed hard disks in the system type: pgpwde --enum. Entering this command will give us a list of disks with numbers we will use in the next few steps.
  3. Now type pgpwde --status --disk 1. Substitute the PGP WDE disk number listed in the previous step for the number 1 in the command if different. The output of this command will tell us whether the disk is still encrypted.
    • If the disk is not encrypted, "Disk 1 is not instrumented by bootguard" will be the output.
    • If the disk is encrypted, the output will display:
      • "Disk 1 is instrumented by Bootguard."
      • The total number of sectors.
      • A Highwater value (number of sectors encrypted).
      • Whether the current key is valid.
  4. Type pgpwde --list-user --disk 1. This will tell us the user information contained on the disk. This will help in multi-user environments to determine which user passphrase was used to implement WDE.
  5. Type pgpwde --decrypt --disk 1 --passphrase {mypasswordhere}. This will start the decryption process. To view progress, type the status command listed in step 3 and note the Highwater number, this number will get smaller and smaller as the number of sectors encrypted decreases.

This command line command allowed me to decrypt the partially encrypted disk.  I then uninstalled PGP to be safe, reinstalled PGP and encrypted my disk without further incident.
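Watching the Highwater value by hand, as step 5 of the excerpt suggests, gets old on a large disk. The monitor below is an added example, not PGP Corporation's documentation or tooling: it polls `pgpwde --status --disk N` (the command quoted above) and prints the Highwater figure until the disk reports that it is no longer instrumented or the value reaches zero. The install path is the default the excerpt gives; the exact layout of the status output is an assumption, so the parsing only looks for the word "Highwater" followed by a number.

```powershell
# Added example, not from PGP Corporation: poll pgpwde --status and report decryption progress.
# Run after starting the decryption (step 5 above).
$PgpDir      = 'C:\Program Files\PGP Corporation\PGP desktop'   # default path from the KB excerpt
$Pgpwde      = Join-Path $PgpDir 'pgpwde.exe'
$Disk        = 1          # disk number as listed by pgpwde --enum (step 2)
$PollSeconds = 30         # assumption: how often to ask for status

function Get-WdeStatus {
    param([int]$DiskNumber)
    # Join stdout and stderr into one string so the regexes below see the whole message.
    $out = (& $Pgpwde --status --disk $DiskNumber 2>&1) -join "`n"
    # "Disk N is not instrumented by bootguard" does not match this phrase; "is instrumented by" does.
    $instrumented = $out -match 'is instrumented by bootguard'
    # Assumption about the output: the Highwater value appears as "Highwater" followed by digits.
    $highwater = if ($out -match 'Highwater\D*(\d+)') { [int64]$Matches[1] } else { $null }
    [pscustomobject]@{ Instrumented = $instrumented; Highwater = $highwater; Raw = $out }
}

$last = $null
while ($true) {
    $s = Get-WdeStatus -DiskNumber $Disk
    if (-not $s.Instrumented) {
        Write-Host "disk $Disk is no longer instrumented by Bootguard; decryption complete"
        break
    }
    if ($null -eq $s.Highwater) {
        Write-Warning "no Highwater value found in status output:`n$($s.Raw)"
        break
    }
    $delta = if ($null -ne $last) { $last - $s.Highwater } else { 0 }
    Write-Host ("{0:HH:mm:ss}  Highwater={1}  ({2} sectors since last poll)" -f (Get-Date), $s.Highwater, $delta)
    if ($s.Highwater -eq 0) { break }
    $last = $s.Highwater
    Start-Sleep -Seconds $PollSeconds
}
```

One caveat on step 5 itself: a passphrase given on the command line is visible in the console's command history and in process listings for as long as pgpwde runs, so start the decryption from a prompt you close afterwards rather than a shared or logged session.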


 

I recently upgraded a Windows server to the latest version of Symantec Endpoint Protection and the server was no longer accessible on the network after the upgrade.  The server would not respond to network requests even though the console was working.  It turned out the full SEP feature set was installed, including the SEP firewall.  Additionally, now the firewall policy was applied to the server.  This caused the SEP firewall to isolate the server from the network. 

To fix the problem I uninstalled Endpoint Protection and reinstalled without the firewall feature set.  I also applied a firewall policy just in case the firewall feature was installed on that server again.  My suggestion is to modify the SEP installation document, so that a firewall policy is not applied.


 

I use a Bluetooth keyboard and mouse under Windows 7 (64-bit) that started to hang from time to time after I began using Windows 7.  I found that if I turned the BT radio off then back on it would work fine.  Sometimes it would hang after I stopped using the keyboard or mouse for just a few seconds.  Sometimes it was after I hadn't used it for several minutes.  Regardless, I couldn't see any relationship to how long it hadn't been used and when it would hang.

I found if I went into Device Manager > Bluetooth Radios and opened the properties to ThinkPad Bluetooth 2.1 with Enhanced Data Rate and then unchecked the "Allow the computer to turn off this device to save power" option, the problem went away.