Think IPM

Tuesday, November 30, 2010

Discovering the Terminal Server Aware Flag via MiTeC’s EXE Explorer

My colleague Jacques Bensimon sent over a great description of the Terminal Server Aware flag and its impact on the use of Microsoft’s Terminal Server shadow keys (HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software) which we use extensively for user profile manipulation.

I’ve noticed more and more applications that seem to ignore the Terminal Server “shadow keys” and I thought I’d clue you into what’s going on and how to determine whether a given app will or will not “honor” the shadow keys when it looks for a missing HKCU\Software\... registry entry. Actually, I’ll save myself a lot of preliminary explanation by providing the following link to an AutoHotkey forum article I posted a while back when the author, without fully appreciating the consequences, set the so-called “Terminal Server Aware” flag in AutoHotkey and all “compiled” AutoHotkey programs: (he was nice enough to quickly fix it after I posted my concerns – the post by the way can serve as a nice refresher on what Install Mode and Execute Mode actually mean).  The quick summary is that an executable that has this flag in its header is no longer subject to the normal “Execute Mode” behavior that looks for missing HKCU\Software\... entries in the shadow keys and redirects INI file requests from the system’s Windows directory (%SystemRoot%) to the user’s private Windows directory (%HomeDrive%%HomePath%Windows).

Now that you’re back from reading the article ;), I’ll add my suspicion that, in line with my recent comments about imbecile fledgling programmers now being empowered to write application software with dumbed down versions of Visual Studio, many programmers probably check the “Terminal Server Aware” box when compiling their apps in the mistaken belief that this in and of itself somehow makes their application TS-compatible (when in fact it is supposed to be a signal to Windows that the app has been explicitly written in such a way as not to need the help of the system to provide default HKCU settings via the Shadow Keys and that it doesn’t use INI files in the Windows directory).  Anyway, you might be interested to know that, for example, Word and Excel 2007 do *not* have the TS-aware flag set (so shadow key trickery should still work with those apps) whereas PowerPoint and Outlook 2007 *do* have the flag set and therefore will completely ignore shadow key entries.

How do you figure out if an application has the Terminal Server Aware flag set?  There is a tool called “MiTeC EXE Explorer” that gives all kinds of info about executables (not just EXEs but also DLLs etc).  When you open an EXE in this program (see screenshot of PowerPoint 2007 below), click on the “Header” tab in the top section, then in the “Optional” tab in the bottom section, and look for the “DLL characteristics” hex value: if it’s greater than or equal to 0x8000, then the TS-aware flag is ON (0x8000 is the TS-aware flag bit) – in the screenshot you see that PowerPoint 2007 has the flag value 0x8040, so it does have that flag as I mentioned earlier.  When you come across an app like that, you’ll have to find some other way to distribute user settings than the shadow keys (profile, GPP, script, etc – actually, in the case of Office 2007, there is another mechanism available that’s “beyond the scope” of this note – Hint: see HKLM\SOFTWARE\Microsoft\Office\12.0\User Settings).

Later,

JB
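The same check can be scripted for auditing many binaries at once. This is an added example, not part of Jacques's note or of MiTeC's tool: it reads the DllCharacteristics field from a PE header and tests the 0x8000 bit. The `build_sample` helper and its header bytes are constructed for the demo; 0x8040 is the PowerPoint 2007 value quoted above.

```python
import struct
import sys

TS_AWARE = 0x8000      # the TS-aware bit described above
DLLCHAR_OFFSET = 70    # DllCharacteristics offset in the optional header (PE32 and PE32+)


def dll_characteristics(data: bytes) -> int:
    """Return the 16-bit DllCharacteristics field of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)   # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt_off = pe_off + 4 + 20   # skip the signature and the 20-byte COFF header
    if len(data) < opt_off + DLLCHAR_OFFSET + 2:
        raise ValueError("truncated optional header")
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic not in (0x10B, 0x20B):                    # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    (flags,) = struct.unpack_from("<H", data, opt_off + DLLCHAR_OFFSET)
    return flags


def is_ts_aware(data: bytes) -> bool:
    """True when the image will bypass shadow keys and INI redirection."""
    return bool(dll_characteristics(data) & TS_AWARE)


def build_sample(flags: int, magic: int = 0x10B) -> bytes:
    """Constructed minimal header for the demo; not a loadable executable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # PE header follows directly
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, DLLCHAR_OFFSET, flags)
    return bytes(dos) + b"PE\0\0" + bytes(20) + bytes(opt)


if __name__ == "__main__":
    # Usage: python tsaware.py app1.exe app2.dll ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            image = fh.read()
        state = "TS-aware" if is_ts_aware(image) else "not TS-aware"
        print(f"{path}: {dll_characteristics(image):#06x} {state}")
```

Files reported as TS-aware are the ones whose per-user defaults need a delivery mechanism other than the shadow keys.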


Saturday, November 27, 2010

Off-Topic : $1 Tee Shirts at ConchTees.com

My buddy Alan sent over a quick message to remind me that he’s clearing out his T-Shirt inventory for a buck!

Happy Thanksgiving! Or at least I hope you had a happy Turkey Day yesterday. I just want to let you know that the "I'm with Dev/Null" t-shirts are on sale for $1 starting Black Friday through Cyber Monday. =) Your readers might like that!

Normally around 14 bucks, this is a pretty good deal and shipping is standard USPS rates.

Happy Shopping Everyone.


Tuesday, November 23, 2010

Reclaim your time! … and don’t waste mine.

With the holidays approaching, now is the time to start thinking about 2011 goals and 2010 gifts.  Why not combine the two and hand out Meeting Tokens this year! You can’t give out certificates for the Human Fund EVERY Year!  All jokes aside, I’ve found a lot of value in implementing an Inbox Zero plan for managing my email communications.  If your inbox emails number in the thousands, give yourself a present and check out http://inboxzero.com/articles/.

Some of the concepts that I really like are dropping all the folder structures for archiving mail.  Whenever you end up looking for something, you inevitably end up using a search feature so why not save yourself some aggravation and time and just file everything in ONE folder and let Search sort it out.  Simple concepts like that can really change the way you manage your email and get through it in a timely fashion.

BTW: I know this is probably really Off Topic but the token is such a great image that I HAD to put a post together for it!

Monday, November 22, 2010

Microsoft Windows Security Essentials – Free AntiVirus

I’ve written about Microsoft’s Security Essentials before but I recently noticed that they have begun distributing it via Windows Update.  So if you are on a PC without any virus protection, Microsoft Security Essentials Free AntiVirus will be one of the optional software installs!  Very Neat.  Normally, the machines I work on have some sort of virus protection so I am not sure when this change happened on Update but I think it is great to help the not so techy users out there protect their computers at the right price.  Of course, if you DO HAVE virus protection on your box, you will not see this option.  Kudos to Microsoft!

Once MS Security Essentials is installed, all virus updates and program updates will flow down from Windows Update.


Friday, November 19, 2010

Need to restart the Explorer shell Gracefully?

Sometimes you need to restart Explorer to get things straightened out on your desktop.  Maybe the Notification Area is losing it or you want to refresh your Quick Launch.   Whatever the reason, in the past I have always pulled up Task Manager and killed the explorer process.  Simple and effective but maybe too harsh for some situations.  Jacques Bensimon let me in on a quick and proper way to shut down the Explorer Shell gracefully.  Basically check out the image below and know that I CTRL-SHIFT-RIGHT Clicked to get the Exit Explorer option.  Explorer shuts down gracefully and you can restart it using Task Manager/ New Task.

Explorer Shell Exiting

Nice Tip JB! Way to promote peace.


Thursday, November 18, 2010

Enabling FAST Cache on your EMC Clariion with Flash Drives.

If you are looking to improve your Clariion performance, why not add some Solid State Drives (i.e. Flash Drives) to the mix?  For Virtualization, Provisioning, VDI or other high IO environments, SSDs might be the right tool at the right time for you to really squeeze out some more performance from your existing SANs.  Jeff Miller sent over some great screenshots detailing the process to turn on Fast Cache on the EMC after popping in the SSDs.  Jeff went with five 100GB Flash Drives configured as RAID1 mirrors using 1 as a hot spare, effectively giving his Clariion almost 200 GBs of additional FAST Cache.  If you want to see some interesting performance charts leveraging Fast Cache, check out Chad Sakac’s EMC World Boston slide deck.

Flare code 30 is required for these steps so be sure to get that squared away first. Now onto the great instructions sent over by Jeff.  [Thanks Jeff!]

Once your Fast software arrives, take each cd containing a .ena file and copy from the cd into a folder on the computer that you will be using Unisphere Service Manager on.
My default location that I had to copy the software to was C:\EMC\repository\Downloads

Then from inside Unisphere click on Launch USM under Service Tasks

EMC support told me to just select all 4 disks as RAID 1 and behind the scenes it will create 2 RAID 1 mirrors.

This next screen may give you a scare, it did for me and I called support again. It should only disable SP cache for a few seconds/minutes as it rebuilds the memory map on the ram to include the SSD disks. For me it only took about 2 minutes in total and didn't appear to impact performance.

Now you should see that it is enabled so it is off to assign a hot spare.

Now go to the properties of the LUN that you want to enable fast cache on and check FAST cache.  The enable caching should also automatically check itself off.  Hit apply and sit back and let FAST cache do the work for you.

You can use Navi Analyzer to view FAST cache statistics to ensure that it is working properly.


Tuesday, November 16, 2010

Cloud Computing : Email via Microsoft BPOS

This month my company began switching over user email accounts to the Microsoft Business Productivity Online Standard Suite.  BPOS for short. Like most organizations, email is probably the most critical application in the environment.  Users know almost immediately when mail is not working.  Working in a small company with many consultants and no dedicated fulltime IT person, outsourcing the maintenance and management of the Exchange infrastructure to Microsoft made a lot of sense for us.

The migration itself was pretty painless.  Some prep work upfront to save things like Signatures, Rules and Nicknames (NK2) files and I was set to be migrated.  The process seemed to be almost push button.  Initiate the migration process and my mail was being copied up to the cloud.  Of course, there was plenty of work configuring access, MX records and other infrastructure type stuff but luckily someone else did that. For me, it was an extremely easy move up to the cloud.

Once the migration was complete, (I could have wiped out my deleted items to speed it up a bit), all that was left was to install the Microsoft Single Sign-On tool and reconfigure my iPhone for access.  The sign-on tool took care of reconfiguring my local Outlook for me. 

The immediate benefit, aside from a more reliable infrastructure, is access to all the latest features and integrations that Microsoft Online has to offer.  Running our own exchange server, we never got around to installing Office Communications or any Live Meeting add ins.  My new cloud mail though is all set up for that.  Presence awareness and Instant meetings via Live Meeting are great!  I’m sure that once Exchange 2010 is available, it will be a push button upgrade for us.  This alone made the switch worth it.

The addition of Lync (Office Communicator's new name) is great.  Right from within an email message, I can see who is online at the time and if they are available for a quick chat.  Hopefully this cuts back on the 1 line emails that can clog up an inbox Zero plan.

I think the move to the BPOS cloud was a great step for our company and am very pleased with the user experience.


Tuesday, November 9, 2010

AppSense Environment Manager issues

I recently completed an AppSense implementation for a XenApp 6 farm running on VMware vSphere.  The XenApp 6 servers were running Microsoft Windows 2008 R2 and were being provisioned via Citrix provisioning servers.  The profile management strategy we chose for this was AppSense’s Environment Manager sitting on top of a mandatory profile solution.  The mandatory profile would be the vehicle for us to populate the initial settings while AppSense would capture user settings and lay them back in as needed.

Throughout the engagement we hit the normal bumps in the road expected during a complex software implementation but I did hit 2 particular AppSense specific issues that I think deserve a quick write up.  I couldn’t really find any information on the web related to these so I figured I would pop it up on the blog.  Unfortunately, their KB was also not very helpful.  Support was great and without them, I might still be searching for solutions.


The first involves a bug where the AppSense agent puts the Mandatory Profile into a Roaming state during login but then *OCCASIONALLY* fails to flip it back which causes it to overwrite the mandatory profile.  Since the Windows server mistakenly thinks that the profile is roaming, it tries to write it back to the ‘source’ which is the main mandatory profile.  Normal users would only have read rights to the directory but when an admin logged in, it would write back and update the system.  This would screw up profile permissions and litter it with user keys that we did not want in a shared profile.  When the next user logged in, all sorts of weird application issues would crop up due to the ‘busted’ mandatory profile.  Since the box was a provisioned server, everything would sort of straighten itself out after a reboot which made diagnosis even more sketchy.  Once we determined the problem, the workaround we came up with was to remove ALL MODIFY rights to the mandatory profile directory from everyone except one account and that one user account is explicitly denied access to the AppSense User Personalization features which prevents it from doing its voodoo.  Clearly, an ACTUAL fix from AppSense would be appreciated but for now this workaround serves its purpose.


The second one was just a weird fluke.  During some routine User Personalization modifications, an entry for HKU\Mandy\Software\Microsoft\... found its way into an exclusion list in the console.  Mandy is typically the key name we use when loading up the mandatory profile and making modifications to it.  Once this errant value found its way onto the system, the AppSense AGENTS on all end points (XenApp Servers) began crashing in each session as users logged in.  During login, the entire configuration is sent down to the agent which then parses it for relevant data.  I can only assume that it was only expecting HKCU or HKLM type data so the HKU completely freaked it out and burst it into flames.  Eventually, the value was found and a simple change back to HKCU fixed the issue.  During the time with the error though, AppSense was rendered useless and all user personalization settings were trapped in the DB.

That’s the short and long of it.  Google, Bing and Yahoo; come index this and help someone out of a jam.


Wednesday, November 3, 2010

rant : Why do I have to log into your Knowledgebase?

I just don’t get it.  Why do I need to have a user account and password to access a vendor’s Knowledgebase?  What is so important behind that link that you do not want it indexed and searchable by Google (my primary troubleshooting tool)?  By not allowing major search engines to access your knowledgebase, you are making it THAT much more difficult for me to resolve issues related to your software.  Honestly, if someone doesn’t already own your software, I would imagine that they couldn’t care less about your knowledgebase.  And while I am at it, ONCE I actually go through the trouble of registering to get access, your search engine pales in comparison to the options that Google provides to me.  If you want to track usage, you don’t need to have actual usernames; use IPs and page views like the rest of the world.  I can only rationalize that these vendors don’t want to risk their issues dominating the search results when someone Googles for the product. Other than that, I really can’t think of a reason to not make KB content available. If anyone out there knows why they lock up their KBs, let me know – It’s super annoying!
