Think IPM

Monday, September 17, 2012

The Mystery of the Disappearing Pinned Shortcuts

Here is another great article by my Colleague Jacques Bensimon.  Be sure to follow him on Twitter. (@JacqBens)

 

I don’t know if many of you have run across this issue, but it has certainly been kicking my butt ever since we started creating user profiles for Windows 7 and 2008 R2.  The mysterious behavior is easy enough to describe:

(1)    we create a template (or default, or mandatory) profile containing specific pinned items in the Start Menu and/or the Taskbar (a slightly tricky proposition, but a frequent customer request now that Microsoft has kindly eliminated the display of Start Menu root shortcuts and done away with the Quick Launch toolbar … and don’t get me started on the subject of Windows 8!),

(2)    the profile works as designed for a while, i.e. over several days/weeks, users of that profile log on to multiple machines running the same image and consistently get their pinned items, until

(3)    one day, on one or more (or all) machines, users logging on briefly see their Taskbar pinned items but, within a matter of seconds, they disappear (the icons, not the users – that would be a much less serious issue J).  If the users now look at the Start menu, they’ll see that those pinned items have also disappeared.

Further examination of a user’s profile at that point reveals that this is not merely a question of pinned items not being displayed:  they are well and truly gone!  The actual shortcut files have been deleted from the profile (i.e. from %AppData%\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu and …\User Pinned\Taskbar) and the corresponding Registry entries have been reset to “virgin” values (various entries named “Favorites…” at keys HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2 and …\Explorer\Taskband).

Investigating this behavior was simplified by the fact that, as mentioned at the top, it was observed not only on Windows 7 but also on RDS/XenApp servers running Windows 2008 R2, so it was possible to monitor system activity (using SysInternal’s ProcMon) from an admin session while an affected user account was logging on.  Two facts emerged from this monitoring:

(a)    Explorer.exe itself, as it started within the user’s session, was committing the heinous “pinnicide” (i.e. it deleted the shortcuts and reset the Registry entries – no other process was involved), and

(b)    it did so soon after several intensive rounds of querying the values at the two user Registry keys already mentioned above (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2 and …\Explorer\Taskband) as well as those at the machine Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage, with what looked like a particularly unhealthy obsession with a REG_DWORD entry named FavoritesRemovedChanges found under all three keys in question.

Although I can find no authoritative reference on the meaning or purpose of these FavoritesRemovedChanges values, the name suggests some sort of shortcut change and/or deletion counter.  This guess was bolstered by a review of the machine’s application installation and update reports created with the (incredibly useful and absolutely indispensable) Total Uninstall installation tracker (I’ll have to write about it someday):  this revealed that the three FavoritesRemovedChanges values always seem to match each other, to always change in lockstep,  and to increment by exactly the number of Start Menu shortcuts modified (or simply overwritten) by a setup operation (there may be other scenarios under which these values will change, but I didn’t capture any).  In any case, it quickly became apparent that machines on which pinned items were suddenly being deleted at logon were those on which some application or system component update had been performed, causing the HKLM instance of FavoritesRemovedChanges to be incremented and as a result to no longer match the corresponding HKCU instances in the Registry hives of users logging on following the image update.  I can’t say for sure whether this is an Explorer bug or intentional behavior (a paranoid “Start Menu shortcuts have changed in your absence so I no longer trust your nasty old pinned items” mechanism), but I can say this: if the user’s HKCU FavoritesRemovedChanges entries are modified to match the HKLM entry at logon before Explorer starts (e.g. from a logon script), the pinned items are never deleted and the issue is eliminated.

Here’s a batch command that will accomplish this quietly:

For /F "tokens=3" %%v in ('Reg Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage /v FavoritesRemovedChanges 2^>NUL: ^| Find /i "Fav"') do (

  For %%k in (StartPage2 Taskband) do Reg Add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\%%k /v FavoritesRemovedChanges /t REG_DWORD /d %%v /f >NUL: 2>NUL:

)

Careful:  On a 64-bit platform, the above code fragment will not work as is if the batch file runs under the 32-bit CMD.exe (because the attempt to query something under HKLM\Software with the 32-bit Reg.exe will be redirected to HKLM\Software\Wow6432Node – see this post for details on this and on what follows).  You could change “Reg Query …” above to “%SystemRoot%\SysNative\Reg Query …” to force the use of the 64-bit Reg.exe, but then the code would fail when running under the 64-bit CMD.exe (because “SysNative” has no meaning for 64-bit processes).  You think you always know whether your batch file runs as a 32-bit or 64-bit process?  Consider this:  on a TS/RDS server, if this script runs as a child of UsrLogon.cmd (the “application compatibility” root script), then it will run as a 64-bit process … until you add XenApp to the mix, at which point Citrix, ever helpful, will cause the 32-bit CtxHide.exe to launch UsrLogon.cmd, causing it to run as a 32-bit process (in fact, a different instance of UsrLogon.cmd will now run, the one found in %SystemRoot%\SysWow64 rather than the one in %SystemRoot%\System32, so be sure to always keep them  identical).  But wait, even with XenApp installed, the script might still sometimes run as a 64-bit process: when?  When you test it manually from Explorer or from a CMD prompt, that’s when J.  So, bottom line, practice defensive scripting and make sure your script will run correctly regardless of platform or “bitness”, as follows:

Set TrueSys=%SystemRoot%\System32

If Defined PROCESSOR_ARCHITEW6432 Set TrueSys=%SystemRoot%\SysNative

For /F "tokens=3" %%v in ('%TrueSys%\Reg Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage /v FavoritesRemovedChanges 2^>NUL: ^| Find /i "Fav"') do (

  For %%k in (StartPage2 Taskband) do Reg Add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\%%k /v FavoritesRemovedChanges /t REG_DWORD /d %%v /f >NUL: 2>NUL:

)

Note that it doesn’t matter which flavor of Reg.exe is used to modify the HKCU entries:  as the above-mentioned post stresses, all aspects of a user profile look identical to 32-bit and 64-bit processes.

Later,
Jacques.  (@JacqBens)

Click Here to Continue Reading >>

Tuesday, September 11, 2012

PSA - No vSphere 5.1 upgrade for PowerPath/VE 5.7 users right now.

With the availability of vSphere 5.1, I am sure those of you on the bleeding edge are starting to craft plans for upgrading but ...

If you are running PowerPath/VE, I noticed the following tweet from @VMwareKB

***ALERT: Important KB affecting customers with PowerPath/VE. See:bit.ly/OE3JMS please RT ***

There is an issue where PowerPath/VE 5.7 fails to load in a vSphere 5.1 environment.

The recommended action is to hold off with the 5.1 upgrade if you are using PowerPath/VE 5.7 and wait for EMC or VMware to release a patch fixing the issue.
Click Here to Continue Reading >>

Tuesday, September 4, 2012

Reader Question: What do you add to *your* SendTo folder?

Jacques Bensimon recently posed this question internally and I was curious to push it a bit further out to see if anyone out there had anything additional of interest.

--quote--

I am curious to know what you guys add to your Explorer “SendTo” folder – always up for good new ideas.

Here’s my list:

clip_image001Alternate Streams – mostly to “bulk-unblock” IE downloads

         <path>\AlternateStreamView.exe /FolderPath 

Dependency Walker x64 – what DLLs does this 64-bit executable require? what function calls?

Dependency Walker – ditto for 32-bit

Everything – quickly list everything in a folder tree

          <path>\Everything.exe -path

EXE Explorer – parse EXE header, show strings, hex view, etc.

Folder Search – (NirSoft SearchMyFiles) Search for files with criteria (strings, timestamps, attributes, etc.)

            <path>SearchMyFiles.exe /BaseFolder

IrfanView – view image(s)

MetaPad – view/edit text file (can handle/convert UNIX line breaks, can search & replace with newlines and tabs, etc.)

Notepad – every user on the planet needs this one

OpenArgs – launch this EXE with parameters (you need this!)

Orca – what’s in this MSI or transform? create a transform, etc.

Resource Hacker – view/extract/modify resources (icons, strings, raw version info, manifest, etc.)

TreeSize – where did all the disk space go?

TS Flag – view executable type (32-bit vs. 64-bit) and Terminal Server Aware flag status

Universal Extractor – find out what’s in this setup EXE without running it

WMatch2 – compare this folder’s contents to another

XVI32 – hex edit this file

Jacques.

--quote--

Windows Refresher: To get to the SendTo folder, you’ll need to open up an Explorer window, and then paste in the following to the address bar.

%APPDATA%\Microsoft\Windows\SendTo

- Follow Jacques on Twitter @JacqBens

Click Here to Continue Reading >>