// This is the script to give summary on the main page.
Think IPM

Monday, December 30, 2013

"Short changed" by Citrix Provisioning Services!

By Jacques Bensimon.

A couple of years ago, a client showed me a freshly P2V’ed Windows image on which Microsoft Office programs were no longer functioning correctly (as just one of many issues, one could for example open Outlook, but Inbox messages would not open when double-clicked).  A quick Process Monitor trace session later, the cause of the issues became clear:   a large number of Office components, both EXEs and DLLs, are registered via their “short” or “8.3” paths (Registry entries that start with something like “C:\PROGRA~2\MICROS~2\Office12\...”), but somewhere during the P2V process the short name of the “Microsoft Office” folder had changed from its original “MICROS~2” (on the source disk) to “MICROS~1” (on the virtualized disk image), the net effect being that many registered components could no longer be located.  Similar issues were observed with many other programs that had fallen victim to a similar folder short name change.  I didn’t attach much importance to the issue at the time, figuring that it was the result of whatever (clearly flawed) process had been used for P2V [heck, the running joke at IPM is that I’m the old fuddy-duddy endlessly railing against wanton virtualization, so in my world view, these people were just asking for it, no? ;)] and I wound up cobbling together a custom script to restore all short names on the virtual disk to whatever they were on the source disk (which thankfully was still available for comparison).

I later ran into a similar issue at another client when a share hosting a number of network-based applications was migrated from one storage system to another (I believe RoboCopy was the main migration tool on that occasion) and an important application suddenly stopped working, again (as it turned out upon investigation) the result of its folder having acquired a new short name that no longer matched its registration on the various client computers.  Fixed easily enough, so still not panicking.

What took the cake and recently set me on a course to expose and eradicate this class of issues was something that hit much closer to home:  after reverse-imaging a Citrix Provisioning Services vDisk back to the physical disk of a XenApp server (using the standard Citrix BNImage tool, which I happen to prefer to the alternative XenConvert, an opinion that is now under serious review), it occurred to me to perform a quick spot check of the resulting file and folder short names versus those on the source disk (can you say DIR /X  ?) and was horrified [too strong?  You don’t know how seriously I take my images! :)] to discover a large number of differences. 

According to this Citrix KB article entitled “When Capturing an Operating System using BNImage.exe, Microsoft Office 2010 Might not Function as Expected” (duh!), using XenConvert (which doubles as Citrix’s P2V tool in the XenServer arena) instead of BNImage avoids the issue.  Be that as it may, now aware that most mass copy tools (including RoboCopy and the ubiquitous XCopy) suffer from this lack of any respect for existing 8.3 short names, I generalized and extended my old batch script into a full-blown ex post facto 8.3 name “compare & repair” utility, the attached Match83 (32-bit and 64-bit versions included – you cannot use the 32-bit version on a 64-bit OS).  Running it against my reverse image repaired literally *thousands* of mismatches in both folder and file names, most of which I’m sure wouldn’t have done any harm, but many of which would most definitely have.

clip_image001

To conclude, a few notes:

(1) There is apparently no functionality in SMB for remotely modifying short names, so Match83 (and the Windows tool fsutil.exe that it uses under the covers to make short name changes using the syntax fsutil file setshortname <file-specification> <new-short-name>) must target items on a local NTFS-formatted drive.

(2) Why do short name mismatches occur in such large numbers during copy operations (using short-name-unaware copy tools)?  Two main reasons:

a) The original short name of a file or folder was in most cases auto-generated by the file system during the creation of the item, so for example if the folder “Microsoft Silverlight” was created before “Microsoft Office” within the same parent folder, it would likely have acquired the short name “MICROS~1” while “Microsoft Office” acquired “MICROS~2”, but when the parent folder and all its contents are copied to a new location, the operation generally proceeds alphabetically, with the result that “Microsoft Office” is copied first and acquires “MICROS~1” while “Microsoft Silverlight” later acquires “MICROS~2” or even something else like “MICROS~5” if other “Microsoft …” folders have been added to the source since its original creation.

b) Some original short names were not auto-generated but rather were the result of an app installation (often MSI-based) by an installer program that explicitly specified particular short names for files and folders, names that bear no resemblance to what the file system would have auto-generated.  For example, on the Windows 7 computer on which I’m writing this, I have a folder called “Microsoft Research” with the short name “MI4430~1” – no way that the auto-generated short name of a copy of that folder would ever match the original.

(3) It’s of passing interest to note that Microsoft is well aware of the issues that can arise from component registrations that use short names:  starting with the Vista/2008 version of fsutil, the command  fsutil 8dot3name scan [/s] [/v] <folder-path>  became available to report all Registry entries that could potentially be invalidated by short name changes under the specified folder.

(4) Under some rare circumstances, Match83 might be unable to correct a particular item’s short name.  On the assumption that no permissions issue is involved (you should of course run this tool as a full admin), the reason will be that a *new* item has been created on the target since the original copy operation and that its system-generated short name has “hijacked” what should have been another item’s short name.  If you have reason to believe that the original item “needs” its original short name (unlikely), you can use the fsutil syntax provided above to manually swap their short names.

Happy hunting. (and New Year!)
Jacques.

Be sure to follow Jacques on Twitter: @JacqBens

Click Here to Continue Reading >>

Thursday, December 26, 2013

Updated TSFlag / TSFlag-x64 (v1.1)

You may remember Jacques Bensimon introducing us to TSFlag in this post.  He has a new version available here.

image

As long as TSFlag was already parsing executable headers, I added another item of information to the display:  the executable's so-called "subsystem" (typically either "Windows GUI" or "Windows CUI", CUI = Character User Interface, i.e. console).  TSFlag actually recognizes other possible subsystems -- here's the full list (exactly as TSFlag will display them):

· Windows GUI
· Windows CUI (Console)
· Native (Driver)
· OS/2 CUI
· Posix CUI
· Native (Win9x Driver)
· Windows CE GUI

Safe to say that if you run across one of the bottom four, you're probably doing something wrong! :)

Be sure to follow JB at @JacqBens.

Click Here to Continue Reading >>

Monday, December 23, 2013

Ever hear of 1e100.net?

Neat post from Aaron Silber.
While doing some research at a client, I noticed that IE from time to time goes out to a weird website. It was 1e100.net, so of course I googled it and found this:
What is 1e100.net?
1e100.net is a Google-owned domain name used to identify the servers in our network.
Following standard industry practice, we make sure each IP address has a corresponding hostname. In October 2009, we started using a single domain name to identify our servers across all Google products, rather than use different product domains such as YouTube.com, blogger.com, and Google.com. We did this for two reasons: first, to keep things simpler, and second, to proactively improve security by protecting against potential threats such as cross-site scripting attacks.
Most typical Internet users will never see 1e100.net, but we picked a Googley name for it just in case (1e100 is scientific notation for 1 googol).
https://support.google.com/faqs/answer/174717?hl=en
Click Here to Continue Reading >>

Wednesday, December 18, 2013

Surviving Windows 8 annoyances with HiDrop

Post by Jacques Bensimon:

Some Windows 8.x annoyances you may be up against, with solutions.

(1) By default, Windows 8 administrative shares (C$, Admin$, etc.) cannot be accessed from a remote computer, regardless of any firewall considerations.

The solution:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"LocalAccountTokenFilterPolicy"=dword:00000001

Although this looks like a policy, it’s not exposed by any policy template, so the entry has to be made manually.

(2) By default, a process that’s been “Run as administrator” (more about that later) cannot “see” or access drive mappings created by a “non-admin” process such as Explorer or a normal CMD process, even if the mappings are persistent. 

The solution:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLinkedConnections"=dword:00000001

Again, this setting is not available via any policy template and has to be made manually.  It also requires a reboot (I forget if (1) does, but you’ll want both anyway).  Unlike (1), I’m pretty sure this one and the one that follows apply to Windows Server 2012 as well.  They also apply to Windows 7 and 2008 R2 *if* you don’t configure the lowest UAC level possible.

(3) This one really annoys me and required a new utility to get around:  you cannot drag-and-drop a file from an Explorer window to an “Administrator” command prompt, a consequence of the more general principle that a process that’s been “Run as administrator” will not accept drop messages (and most other types of window messages) from normal processes. 

Before I describe the workaround, let me clarify something about the wildly inaccurate misnomer that is the “Run as administrator” launch option:  as you can see from the following partial screenshot of “Process Explorer” displaying information about a command window that’s been “Run as administrator” and one launched normally, there is in fact no difference in the user name that owns the process (so there’s no “Run As” going on here involving an actual Administrator account and a secondary logon) – the difference is in that last column (which I encourage you to add to your Process Explorer windows) labeled “Integrity” (for “Integrity Level”, which you can read all about at here) and is part of a process isolation feature that prevents processes from sending messages to or hooking processes running at higher integrity levels than themselves.  When UAC is turned all the way down in Windows 7 and Windows 2008 R2, all processes run at the High integrity level, but in Windows 8 and Server 2012, even with UAC turned down to its minimum level, most processes (including the shell itself and therefore all the processes launched normally from the shell) run at the Medium integrity level unless “Run as administrator” is used explicitly (via context menu or shortcut option) or the executable contains a manifest that requests the High integrity level (which you’ll recognize by that little “UAC shield” overlay that Explorer applies to its icon).

clip_image001

The solution:
This is where the attached “hiDrop” utility (for “high integrity Drop”) comes in:  it runs at the High integrity level *but* uses the appropriate APIs to allow drop messages from lower integrity processes, in particular from Explorer, and then turns around and drops whatever it receives into the last CMD window to have focus, a sort of “proxy drop”.  As long as I was at it, I added the option of dropping instead into the last Notepad window to have focus (useful when you want to drop fully qualified filenames rather than file contents into Notepad).  You can run two simultaneous instances of hiDrop with different targets in order to access both capabilities simultaneously (as in the screenshot below).  Since hiDrop allows dragging multiple files simultaneously, it also has options for separating multiple filenames with either a space (the default) or a newline (only allowed when Notepad is the target – too dangerous otherwise), as well as options for enclosing file paths in double-quotes always, never or only when there is a space in the path (“smart quoting”).  The multiple-file drag-and-drop capability is useful for example when you want to capture the results of an Explorer search window.

clip_image002

If you can think of any other useful features, I’ll be glad to entertain them. (Leave comments below)

One last little tidbit related to process integrity levels:  since there are High and Medium integrity levels available, you can guess that Low is another possibility (and if you read the article linked above, you’ll see that there are in fact two others: Untrusted at the low end, and System at the high end).   For example, the iexplore.exe processes corresponding to the various tabs of IE windows all run at the Low integrity level, as do some Java-related processes and some Adobe Acrobat, Flash and Shockwave processes).  Well, if you’ve ever wondered what the %USERPROFILE%\AppData\LocalLow folder and the HKCU\Software\AppDataLow Registry key are all about, they’re pretty much the only places to which processes running at the Low integrity level are (by default) allowed to write.  So, if not knowing this was annoying to you, consider this another annoyance resolved! :)

Later,
Jacques.

Be sure to follow Jacques on Twitter @JacqBens

Click Here to Continue Reading >>

Wednesday, November 27, 2013

VMware’s Message of the Day – Your vSphere client is frozen.

Every so often, I come across a client that is leveraging the Message of the Day in their vSphere vCenter configuration.  Usually, it’s a friendly reminder to disconnect any CD-ROMs an admin might have in use or reminding them to log out of the Windows sessions when done.  Occasionally it is a legal disclaimer. (ugh!)

If you happen to be in the ‘I bought it so I am going to use every feature’ camp, be aware that if you have a self signed certificate that hasn’t been accepted by the client, you could run into this frozen session state.  Unable to click ignore and unable to continue to the rest of your work.  What's the hold up?  A Message Of The Day screen HIDDEN behind the Security Warning.

ALT-F4 closes the Hidden MOD. (although since you didn’t read it, Lord knows what you might have agreed to). ;)

ScreenClip
 
Happy Turkey Day Everyone!
Click Here to Continue Reading >>

Monday, November 25, 2013

The “Goods” from Synergy 2013 session – Migrating WI Customizations to StoreFront

It’s the holidays and I’m finally getting through my TODO lists.  Things that have been in the queue that I have meant to post but haven’t had a chance to.  So I’ll continue rounding out my Sam Jacobs’ greatest hits with ‘The Synergy Goods’. :)

Citrix hosted another great Synergy this year, and Sam was honored to be able to lead a session (SNY415) during the event. If you were not able to catch the presentation in person (or just want to see it again!), you can view it on-demand on SynergyTV.

The following resources are now available for download:

If you have any questions on the above, please email the team at synergy@ipm.com.

Be sure to follow Sam on Twitter : @WIGuru

A full house - Sam Jacobs at Synergy

Click Here to Continue Reading >>

Tuesday, November 19, 2013

How to Automatically Close or Logoff from Web Interface After Launching an Application

imageMore from the Sam Jacobs Archive:

You may wish, for security reasons or otherwise, to automatically terminate a user’s session once an application has been launched. With the modifications below, you have the option of either automatically logging out of Web Interface, or automatically closing the browser window (or tab). The way it is coded, it’s set to logout or close after 10 seconds, but that value is configurable.

Part 1

Back up the file ..\app_data\include\layout.ascx and open with Notepad.
Copy and paste the contents of the attached text file:

AutoCloseWindowCode Code Modifications

right before the function doAutoLaunching() (should be approx. line #68).
Save the file. It should look somewhat like:

http://www.ipm.com/wp-content/uploads/2012/04/AutoCloseCodeInserted.png

Part 2

The next modification will depend on whether you are explicitly launching the application (by clicking it), or you are auto-launching a desktop.

For explicitly launched applications:

Back up the file \app_code\PagesJava\com\citrix\wi\pageutils\include.java
IMPORTANT – You cannot keep your backup in the same directory, or the Java compiler will be very unhappy with you.

Open with Notepad, and at line #1194, you should see:

result = result + " onClick=\"resetSessionTimeout();clearFeedback();";

If you want to logout after 10 seconds, change that to:

result = result + " onClick=\"beginLogoffSequence();clearFeedback();";

If you want to close the browser window, change that to:

result = result + " onClick=\"beginCloseSequence();clearFeedback();";

Warning! Javascript is case-sensitive!
Save the file. An IISRESET is not required.

For auto-launched desktops:

Back up the file ..\site\directLaunch.aspx and open with Notepad.
Scroll to the bottom of the file … To automatically close the browser window or tab, enter:

<script type="text/javascript" >
beginCloseSequence();
</script>

To automatically logoff the user from Web Interface, enter:

<script type="text/javascript" >
beginLogoffSequence();
</script>

Click Here to Continue Reading >>

Thursday, November 14, 2013

Email enabled ShareFile Folders

SNAGHTML11caa92Sam Jacobs sent over this great tip for anyone using ShareFile.

A client asked if ShareFile supported email-enabled folders.

They frequently exchange large documents with their clients, and wanted to know whether they could associate an email address to a ShareFile folder (e.g. clientNameDocs@ipmit.shareFile.com), and have any attachments sent to that email address get automatically uploaded to the associated folder.

Jay Tomlin (@jtmln) is now the PM of ShareFile, and informed me that ShareFile DOES, in fact, support email-enabled folders.

Full details are in this KB article but in a nutshell:

You do this by using the "Request a file" option in the folder details:

clip_image001

That  process will generate an upload URL which will look like this: 
https://Acme.sharefile.com/r/rebe49f54d59a

Take the tail end of that URL and use it as an email address with @mail.sharefile.com, e.g.: rebe49f54d59a@mail.sharefile.com

You might want to set up an alias that uses the client’s name, so that the email address is not so cryptic.

Click Here to Continue Reading >>

Friday, November 8, 2013

Citrix Web Interface End Of Life dates

From the You knew it was coming files:

If you haven’t started thinking about your Citrix StoreFront upgrade yet, consider this the start of your official countdown. 

clip_image001

The End of Maintenance date will be December 17th 2014 when updates officially stop and then the End of Life date will be June 14th 2015.  At that point there will be no more patches, upgrades or security hotfixes issued for the Web Interface 5.x product.   2015 is definitely a good distance in the future and 18 months should be plenty of time for a transition but depending on the level of customization you might have implemented on your current Web Interfaces, you should begin experimenting with StoreFront sooner rather than later.  This will allow you to be properly prepared and have the right expectations when the inevitable crunch time comes.

Of course you could pony up the cash for the Extended Support to get you to 2020 but I can only speculate on what it will actually cost.

clip_image001[8]

Click Here to Continue Reading >>

Wednesday, October 23, 2013

Not so new Cool Utility: Update the Default User profile in Windows 7/2008

This one is pretty self explanatory in it’s usefulness to VDI folk who leverage profiles to roll out customizations and default settings.  Even though you configure to use the mandatory profile, applying to the Default User Profile is a great insurance for any user who might not get the appropriate configuration.

DefProf
DefProf updates the Default Windows User Profile with the documents and settings from another user profile that you specify. You can use DefProf on Windows 7/8 where the "Copy To" button is grayed out in the "User Profiles" dialog box.

Let’s say you use a ‘setup’ user account to create a user profile that you want everyone logging onto a machine to inherit. When you logon as setup, Windows creates a C:\Users\setup profile folder. To make ‘setup’ the default profile, you just type defprof setup at a command prompt.

Download DefProf:  http://www.forensit.com/support-downloads.html

clip_image002

Click Here to Continue Reading >>

Friday, October 18, 2013

XenServer to VMware Jingle [to the tune of Fresh Prince of Bel-Air]

I’m currently on a project converting from XenServer hosts over to VMware vSphere and while doing some routine research, ran across this clever (although nerdy) lyric parody on a forum.

Click for Karaoke Version

Now this is the story all about how
Our life got flipped, turned upside down
And we'd like to take a minute, so just sit right there
And we’ll tell you how all how we moved to VMware.

In Xenserver Enterprise, born and raised
In the server room where we spent most of our days
Chilling out, maxing, relaxing all cool
And all shooting all the servers into the pool
When a couple of updates, they were up to no good
Started making trouble in our neighborhood
We had numerous crashes and the users got scared
So we said "We’re moving all the servers onto VMware"

We asked for advice and it became clear
VMware is the game that we should play here
If anything I could say that this software was rare
But I thought nah, forget it, let’s get on VMware!

We started moving servers about seven or eight
And couple of days later we were almost straight
Looked at our kingdom we were finally there
Sitting all our servers on VMware!

The original posting was on a SpiceWorks forum here a couple months ago:
http://community.spiceworks.com/topic/343785-migrating-xenserver-to-vmware-2013-remix-version

Feel free to vote it up on Reddit if you liked it.   I thought it was really clever stuff and wanted to share.  It was also pretty timely for me since I’m in the midst of this project which probably upped it’s entertainment value for me a bit more.

-Happy Friday!

Click Here to Continue Reading >>

Thursday, October 17, 2013

Provisioning Server and Firewalls

By Aaron Silber:

Provisioning Server is here to stay and I think we can all agree that this is a great thing. Recently while installing a new environment I started to run into a few issues which I immediately realized was a Firewall issue. The system was configured using Windows 2008, so I immediately went to look at the configuration and like a good consultant was about to turn it off, when the client says to me, we use the Windows Firewall and it must stay on! The nerve, right? I know, I agree!

In any case, I now had to actually look into what needed to be open to make this work which doesn’t sound too difficult, look up the Citrix Doc, get the port numbers, create a rule and I’m done. Problem is that depending on what version of Provisioning Server you are using determines which ports you need to open as they changed it in 5.6 and I found references to different ports in three different documents from Citrix. In the end, there was no single document that had all of the ports listed. 

Here is a nice document from Citrix (http://support.citrix.com/servlet/KbServlet/download/2389-102-648658/CitrixPorts_by_Port_0333.pdf) on ports used by Citrix Technologies, sounds pretty complete, but is definitely missing some, like 6969, which is listed on this page: http://support.citrix.com/article/CTX125744 and is used for the TSB; anyone care to guess what that one is? (no peeking!)

In order to save everyone from what I went through tracking this down, I present to you a script which when run will modify the Provisioning Server firewall with all of the ports necessary to make Provisioning Server work. It uses the NETSH (A very powerful command indeed) to add in the rules and even includes the description pulled from the various Citrix documents.

Enjoy and feel free to comment.

Aaron

@Echo Off

ECHO.
ECHO This script will modify the Firewall with rules necessary for proper Provisioning Server Communication
Echo.
Pause

netsh advfirewall firewall add rule name="Citrix (DHCP,PXE)" description="The DHCP server will offer an IP address to the target server. The DHCP server also offers other parameters, including: Option 60: PXE Client Address" protocol=UDP profile=domain,private,public dir=in localport=67,68 action=allow

netsh advfirewall firewall add rule name="Citrix (PXE Server)" description="The Target server will make a request to the PXE server for startup information. The PXE server will respond with Option 66: Boot Server Host Name Option 67: Bootfile Name" protocol=UDP profile=domain,private,public dir=in localport=67,4011 action=allow

netsh advfirewall firewall add rule name="Citrix (TFTP Server)" description="The target server will use the information sent back from the DHCP server to obtain the bootfile. Once the target server obtains the bootfile from the TFTP server, it launches the file, which allows the target server to begin the boot process. The bootfile contains information about contacting Provisioning Services." protocol=UDP profile=domain,private,public dir=in localport=69 action=allow

netsh advfirewall firewall add rule name="Citrix (Stream Service)" description="The target server contacts Provisioning Services requesting a vDisk." protocol=UDP profile=domain,private,public dir=in localport=6910-6930 action=allow

netsh advfirewall firewall add rule name="Citrix (License Server)" description="When the target server is online, Provisioning Services contacts the License Server to obtain a connection license." protocol=TCP profile=domain,private,public dir=in localport=27000 action=allow

netsh advfirewall firewall add rule name="Citrix (Console Communication)" description="This port allows the provisioning Server to connect to the PVS Farm." protocol=TCP profile=domain,private,public dir=in localport=54321-54322 action=allow

netsh advfirewall firewall add rule name="Citrix (Provisioning Server Farm Communication)" description="This port allows the operating system to be streamed to the targets." protocol=UDP profile=domain,private,public dir=in localport=6890-6909 action=allow

netsh advfirewall firewall add rule name="Citrix (TSB)" description="This Port is used in the boot-up process" protocol=UDP profile=domain,private,public dir=in localport=6969 action=allow

netsh advfirewall firewall add rule name="Citrix (Write Cache Communication)" description="This is for communincations between the target and the write cache" protocol=UDP profile=domain,private,public dir=in localport=10802-10803 action=allow

Click Here to Continue Reading >>

Monday, October 14, 2013

Upgrading to VMware Tools 5.1 can cause log spew

It’s not everyday you get a KB article with LOG SPEW in it’s title … 
This particular one was spotted by Aaron Silber after upgrading VMware Tools on a XenApp Server and subsequently researching the noted RPC errors.  If you look at the event log below, you will notice a warning event every SECOND or so in the Application log.  SPEW seems to be a pretty good classification for that type of behavior.
clip_image002
The quick fix is to disable logging on the Virtual Machine but the better long term fix is to upgrade your ESXi servers to 5.1 Update 1.  I think it is also interesting to note that you can trigger the change for logging by changing the settings for the Virtual Machine and then rebooting the VM (expected), but also by just vMotioning it to another host (unexpected).
You can check out the KB article here: http://kb.vmware.com/kb/2036350?src=vmw_so_vex_ccost_793
Click Here to Continue Reading >>

Wednesday, October 9, 2013

Citrix SSL Error 61 : Resolving Trust in a Security Certificate

By Sam Jacobs:

The Issue: While able to launch XenDesktop sessions from IE, Chrome and iOS, using Firefox or Safari would cause:clip_image002

This was a bit tricky, since I had made sure to test out the certificate chain with Digicert’s SSL tester, and all came up fine:
image

When I’m on the forums, I always tell users to make sure to use BOTH certificate checkers (SSLShopper, as well as DigiCert). So, I decided to follow my own advice, and, voila!

Screenshot_100913_045043_PM

Looks like an intermediate certificate might be missing.
Now, you cannot rely on IIS or the certificate snap-in, as they report everything as A-OK:

image

However, as you can see above, the server certificate links to an intermediate certificate issued to RapidSSL CA, and looking at the intermediate certificate store, that certificate is nowhere to be found:

clip_image010

So, we simply need to import it there (no password is needed here):

clip_image012

clip_image014

clip_image016

clip_image018

clip_image020

clip_image022

… and now there it is!

clip_image024

Now, after all of this, I expected to get a clean bill of health from both certificate checkers, but SSLShopper still complained about the intermediate cert. Then I realized that you need to rerun the CSG Configuration Utility whenever you change the certificate, or anything in the chain.

After running through the CSG Config Utility, we finally received SSLShopper’s blessing:

image

Click Here to Continue Reading >>

Monday, September 16, 2013

Using DISM to upgrade your OS Version

In the past, you may have used Microsoft’s DISM utility to free up and reclaim hard drive space (see here) but Chris Hahn sent over a follow up with another great use for DISM.

 

Another nice function of DISM is for upgrading the OS version. You can use it to upgrade from standard to enterprise or datacenter via the command line without reinstallation.  Super handy!  See sample syntax below -

C:\Windows\system32>Dism /online /Set-Edition:ServerEnterprise /ProductKey:xxxxx-xxxxx-xxxxx-xxxxx-xxxxx

Deployment Image Servicing and Management tool
Version: 6.1.7600.16385
Image Version: 6.1.7600.16385

Starting to update components...
Starting to install product key...
Finished installing product key.

Removing package Microsoft-Windows-ServerStandardEdition~31bf3856ad364e35~amd64~~6.1.7601.17514

[==========================100.0%==========================]

Finished updating components.
Starting to apply edition-specific settings...
Restart Windows to complete this operation.

Do you want to restart the computer now (Y/N)?

For those interested in reading up some more on DISM, here is the technet reference:
http://technet.microsoft.com/en-us/library/dd744256(WS.10).aspx

Click Here to Continue Reading >>

Friday, August 30, 2013

Troubleshooting Citrix HDX crashes

Occasionally, users have issues. ;)  Occasionally, we have to fix them.  Citrix users can be especially interesting to troubleshoot.  Personally, when I am wearing my Citrix Administration hat, dealing with actual user PC issues is low on the fun list.  As a Citrix administrator, we would like to think that if our servers are tip top and running smoothly, users would be nice enough to leave us to our server work.  Unfortunately, some Citrix related user issues can be just out of reach from a server standpoint.  No one (me) likes doing it but there are just times as a Citrix administrator that we have to investigate the user’s local PC. 

HDX crashes are one of those times when the local PC is the prime suspect for disrupting our well crafted and controlled user experience. 

image

The above error can appear on a user’s local PC with a similar counterpart on the actual Citrix Server.  Match up the times and you can see the correlation.

image

The fix for this issue seems to always be on the local PC.  Some possible fixes include:

  1. Try to see if the local machine’s graphic driver could be updated.  Faulty graphic drivers can cause HDX to crash.

  2. Possible corrupt local print drivers on PC.  If there are any print drivers the user is not using, it would be good to uninstall them (printers and associated drivers) from the PC. 

  3. Upgraded Citrix Receivers on the local PC can cause the HDX issue above.  If possible, fully uninstall the Receiver, reboot and install the Receiver fresh.  Take the opportunity to update the software if appropriate.

  4. If possible, although extreme, a new local profile on the user’s local PC is a nice last ditch effort.  After all, all the important stuff should be on the network anyway! :)

Additionally, for this particular fault error, it looked like the win32hk.dll the HDX faults on is part of a Printer package..  The faulting module in the event viewer can be a great indication helping narrow down the list of possible causes.

Hopefully this will make you next desk visit more productive and rewarding. :)

Click Here to Continue Reading >>

Friday, August 23, 2013

P2V Tips you already know but might have forgotten

Haven’t P2V’d a server in a while?  That’s because your environment is likely 90% virtual and 100% of your new machines are built as Virtual Machines.  Completely understandable to be a little rusty on the Physical to Virtual Processes…  Here are some helpful tips to shake the rust off and tackle those pesky remaining P2Vs.

  1. Double check TCP ports 902, 9089 and 443 are open between target, source and vCenter.  Especially important if one of your targets is in a DMZ.  Verify firewall ports here : KB Article.
  2. Even if you are specifying IP addresses in the conversion process, make sure to check that the target can resolve the appropriate DNS entries for vCenter and target ESX hosts for proper communication.  If your source machines are not part of a domain, hosts files are the way to go.
  3. Take the opportunity to right size and clean up the target VM.  For some tips on post P2V clean up strategies, check out http://www.vmwareinfo.com/2008/10/post-p2v-batch-file-information-to.html and http://www.vmwareinfo.com/2008/11/post-p2v-batch-file-information-to.html.

So go ahead and head into your datacenters and stalk those last beige boxes in your environment and take them down. :)

Click Here to Continue Reading >>

Tuesday, July 9, 2013

Two surprising Windows "bugs"

Follow Jacques Bensimon at @JacqBens.

On two recent occasions, I came across a Windows bug (or at the very least “unexpected and surprising behavior”) in the basic behavior of two venerable components (XCopy.exe and CMD.exe) which you’d think after all these years would long ago have been sniffed out and corrected.

XCopy.exe:

An XCopy command of the form

XCopy <some_path>\Folder1\Folder2\<some_file_pattern> <some_target_path>

will *fail* if the executing user account does not have Read (or maybe just List) permissions to Folder1, the *parent* of the folder containing the source files, even if the user has (as Everyone usually does) the “Bypass traverse checking” right (and of course at least Read permissions to Folder2, the folder that actually contains the source files).  The Copy command has no such issue, and neither does Explorer which lets the user open Folder2 directly and copy anything out of it.  Process Monitor shows that, however deep the source path, XCopy always starts off by attempting to open the source folder’s parent (why?) and, when access is denied, exits without an error message but with the message “0 File(s) copied”.

CMD.exe:

This one requires an appreciation for the so-called “C command line parsing rules” (e.g. http://msdn.microsoft.com/en-us/library/a1y7w461.aspx) which pretty much all Windows console programs (whether or not written in C) obey.  For example, if you wish to use Reg.exe to write the path “C:\Program Files (x86)\MyApp” (without the double-quotes) to a Registry value, you’d use the syntax

Reg Add HKLM\Software\MyApp /v Path1 /d "C:\Program Files (x86)\MyApp" /f

If however you did want the double-quotes around the path in a Registry entry, you would use the syntax  

Reg Add HKLM\Software\MyApp /v Path2 /d "\"C:\Program Files (x86)\MyApp\"" /f

Within a double-quoted parameter, preceding any double-quote with a backslash makes it literal, part of the parameter.  You can put these two lines into a batch file and confirm that they do exactly what they’re supposed to.  Now say that you want to put some condition (doesn’t matter which) on executing these two lines and use the following valid syntax

If %SystemDrive%==C:

(

Reg Add HKLM\Software\MyApp /v Path1 /d "C:\Program Files (x86)\MyApp" /f

Reg Add HKLM\Software\MyApp /v Path2 /d "\"C:\Program Files (x86)\MyApp\"" /f

)

Now the entire thing fails and CMD.exe spits out the message “\MyApp\"" was unexpected at this time”.  Why?  Well, after the opening parenthesis following the condition test, CMD is parsing what follows looking for the closing parenthesis that completes the command, and it’s smart enough to ignore any closing parenthesis that occurs within double-quotes (such as the closing parenthesis in (x86) within the first Reg command).  But now comes the second Reg command, and by CMD’s “na├»ve” count of double-quotes, only the first backslash is inside double-quotes, followed by C:\Program Files (x86)”outside” any double-quotes and hey, there’s the closing parenthesis it was looking for, … but wait, what’s this “\MyApp\""“ stuff that follows??  Parsing error!

To be fair, this may be unresolvable from CMD’s standpoint because it would require it to understand the parameter syntax of arbitrary programs invoked from within a batch file (though in this case the syntax in question is a pretty standard one), and this parsing issue has suddenly become more likely to occur in everyday batch files as a result of Microsoft’s (demented) decision to use parentheses in the name of a standard system folder (combined with the pre-existing use of parentheses to group commands in batch files).  Would using “Program Files x86” have somehow caused difficulties?

As far as getting around this issue should you encounter it, I see no alternative but to abandon structured syntax and fall back on good old “Goto”, as in  

If Not %SystemDrive%==C: Goto :Skip

Reg Add HKLM\Software\MyApp /v Path1 /d "C:\Program Files (x86)\MyApp" /f

Reg Add HKLM\Software\MyApp /v Path2 /d "\"C:\Program Files (x86)\MyApp\"" /f

:Skip

Later,

J3

Click Here to Continue Reading >>

Friday, June 28, 2013

Tip – Check on your Laptop Battery.

Here is a little cool tip Aaron Silber sent over.

Although the battery life on most newer laptops is really high, it is always good to know if there is anything you can do to make it better or if there are any specific processes that seem to be consuming more than their share of CPU or resources, which translates to more battery consumption.

If you have ever dealt with managing the Power profile on your Citrix servers from the command line, you have of course used the PowerCfg command to set the system to the “High Performance” scheme (PowerCfg –S <SCHEME_GUID>), well, did you know that this little tool can also give you a lot of information on your systems settings and how your battery is doing!

This works beginning with Windows 7, so open up a command prompt and issue the command:

PowerCfg -energy

Give the system a minute and you will have a really nice, HTML report waiting for you in your profile folder! (CD %UserProfile%)

You should see the following output:

clip_image002
Looking at the report, you will see something like this…

clip_image004

If you look towards the bottom of the report, you will also see a cool stat, the amount of charge the last time you attempted a full charge, so you can see if your battery is dying.

Enjoy!
Aaron

Follow Aaron on the Twitters : @amsilber

Click Here to Continue Reading >>

Thursday, May 23, 2013

Scripting in Outlook – Stuck Draft messages.

My buddy Jeff Miller sent over this crafty Outlook script that he thought someone might find useful.  Here it is with some background on why he wrote it.


I had a user complain about 500+ emails for an email distribution stuck in her outbox.  My current environment is Outlook 2010 and Exchange 2007.  I couldn’t figure out the reason for why they were stuck so I went down the basic troubleshooting steps.

  • Opening one of them and clicking send - did not help
  • Closing outlook and reopening - did not help
  • Clicking on send/receive - did not help
  • Moving the messages to another folder and dropping them back in outbox - did not help
  • Setting outlook to offline mode and then going back online  - did not help
  • Recreated outlook profile on that users computer  - did not help
  • Opened the mailbox as my blackberry admin on another computer  - did not help
  • I even gave up and rebooted the users computer  - did not help

After searching Microsoft forums, I did find that this is a common issue and some say the steps above helped them out, and others said it didn’t.  I found a post where someone mentioned putting them into the drafts folder and opening the email and clicking send.  This solution did work for me  but there was no way that I was going to do this 500+ times, and I am sure my user wouldn’t either.  I quickly searched and found a post on how to write a script to email all items in the drafts folder which turned out successful for me.

Link #1 & Link #2


It took me a minute to figure out the parent folder name, so I commented that explanation into the



  1. Start Outlook and choose Tools, Macro, Visual Basic Editor (or press Alt+F11) to open the VBA Editor.
  2. In the Project window, select Project1 and expand the tree until you see ThisOutlookSession.
  3. Select ThisOutlookSession and press F7 to open the Code window.
  4. Enter the following in the Code window:.


Public Sub SendDrafts()
Dim lDraftItem As Long
Dim myOutlook As Outlook.Application
Dim myNameSpace As Outlook.NameSpace
Dim myFolders As Outlook.Folders
Dim myDraftsFolder As Outlook.MAPIFolder
'Send all items in the "Drafts" folder that have a "To" address filled in.
'Setup Outlook
Set myOutlook = Outlook.Application
Set myNameSpace = myOutlook.GetNamespace("MAPI")
Set myFolders = myNameSpace.Folders
'Set Draft Folder.
The name of the parent folder is the line directly above your inbox in outlook, in this case it was the users email
address.
Set myDraftsFolder = myFolders("put name of the parent folder of your draft folder in here").Folders("Drafts")
'Loop through all Draft Items
For lDraftItem = myDraftsFolder.Items.Count To 1 Step 1
'Check for "To" address and only send if "To" is filled in.
If Len(Trim(myDraftsFolder.Items.Item(lDraftItem).To)) > 0 Then
'Send Item
myDraftsFolder.Items.Item(lDraftItem).Send
End If
Next lDraftItem
'Clean-up
Set myDraftsFolder = Nothing
Set myNameSpace = Nothing
Set myOutlook = Nothing
End Sub


Click Here to Continue Reading >>