IE8 on Windows XP does not support SNI

, or “you desktop IT people have broken something”.

Just before Windows XP gets to take a well earned retirement on “the farm”, it popped its ugly head up this week, with an end user complaining we did something to break their new website.

On purpose no less.

It seems IE8/Windows XP was receiving the wrong HTTPS certificate.

Upon investigation, I realised that the issue was that IE8 on WinXP does not support SNI.

Server Name Indication allows a web browser to tell a web host what site it is connecting to.  (A web host can host multiple web sites …).  The browser needs to tell the web host which site it is connecting to so that it gets the right HTTPS certificate.

If the browser does not support SNI, then the browser will get the web host’s default certificate, which may cause certificate errors to be displayed in the browser.

To prove that it was a lack of SNI support causing the issue, I used the excellent Qualys SSL Labs SSL Server Test tool.

I suggested to the customer that they use an alternate web browser, until they can replace Windows XP.

Performance: Windows XP, the now “Classic” OS and Solid State Drives.

With my last post, I mentioned that there are 3 things you should do with SSD drives on Windows XP.  I left 4 other things out, because I honestly didn’t think they’d make any performance difference.

I was wrong.

With the Intel X18-M 160GB drive I tested, I saw a sustained performance improvement of 3.3%.  And a maximum total performance increase of 12.6%.

| What I did | % cumulative improvement over no changes |
|---|---|
| Turn off Windows PreFetcher | |
| Turn on Large System Caching | |
| Disabled System Restore | |
| Turned off NTFS Last File Access Date feature | +1.94% |
| New Intel SSD Firmware | +3.38% |
| Partition Alignment | 0% |

“What about this 12.6% improvement?”, you ask.

I installed the Intel SSD Toolbox utility, and ran the SSD Optimizer option.  This option causes the SSD to perform a TRIM operation.  TRIM support is a good thing:

To understand what TRIM support is, you first need to understand how solid-state drives work. SSDs use NAND flash memory to store and transfer information. This flash memory is made up of small "pages" and groups of pages are called "blocks." When you tell your computer to delete a page on the solid-state drive the page isn’t actually deleted – it is merely marked for deletion. This is because data can only be deleted in blocks. You cannot delete individual pages on an SSD. Later on, when you tell your computer that you need the space, the pages marked for deletion are grouped into a block and the whole block is wiped clean. This process slows down the solid-state drive when it is writing.
Top Ten Reviews – What is TRIM Support?

So, in other words, the TRIM command frees up the deleted pages on your SSD, at the time you run the TRIM command.  Over time, the amount of deleted pages will build up, and your drive performance will get worse.

Yes, it’s worth making these changes to your Windows XP install to support your new Solid State Drive.  If I had to rate what I’d do first, I would install the latest SSD Firmware.  And then run a “TRIM” command.  Partition alignment may work for some configurations, but made nil difference when I tested it.

Update: 7th Nov.  Updated post to include details of partition alignment results.

Windows XP, the now “Classic” OS and Solid State Drives.

Solid State Drives, SSDs, are now becoming cheap enough that our corporate customers are ordering them with their new PCs.  The first Windows operating system to support SSDs* was Windows 7, in July 2009.

Microsoft have no intention to backport SSD support into Windows XP.  But they do provide some advice on how to tune Windows XP for use with SSDs.

And that boils down to six important things:

  1. Turn off the Windows Prefetcher.
  2. Turn on Large System Caching
  3. Disable the Last File Access attribute
  4. Disable 8.3 Name Creation
  5. Disable System Restore
  6. Apply the latest SSD firmware, and run its “Trim” utility.

A registry file to do the first four items, can be found here.

* – ie. have the ATA TRIM command built into the operating system.

Update: 7 Nov.  Added to the list, after performing some testing.

Active Directory User account being locked repeatedly

(I don’t know the answer to this yet, so this is just a dump of what I know.)

Customer reports that their Active Directory User account is being locked out 2 to 3 times a day.

  • They have “admin” rights on their PC.
  • They are using Microsoft SQL Management studio, which may/may not be triggering the account lock.
    Googling for some answers, hasn’t been successful.  Here is some of what Google returned.
    Microsoft Account Lockout and Management Tool & download link

    Tool: Description
    LockoutStatus.exe: The LockoutStatus.exe displays information about a locked out account. It does this by gathering account lockout-specific information from Active Directory.
    ALockout.dll: The ALockout.dll tool and the Appinit.reg script are included in the ALTools package. ALockout.dll is a logging tool that may help you determine the program or process that is sending the incorrect credentials in an account lockout scenario. The tool attaches itself to a variety of function calls that a process might use for authentication. The tool then saves information about the program or process that is making those calls into the Systemroot\Debug\Alockout.txt file.
    update 13 Sep 2012: sample log extract below.

    If account lockouts seem to happen most frequently after a user is forced to change their password, you may want to determine which users’ passwords are about to expire. You can use the ALoInfo.exe tool to display all user account names and the password age for those user accounts. This will allow you to use the ALockout.dll tool and other account lockout tools to set up the tools prior to the initial account lockout. You can also obtain a list of all local services and startup account information by using the ALoInfo.exe tool.


    You can use the AcctInfo.dll tool to add new property pages to user objects in the Active Directory Users and Computers MMC Snap-in. You can use these property pages to help isolate and troubleshoot account lockouts and to reset a user’s password on a domain controller in that user’s local site.


    You can use the EventCombMT.exe tool to gather specific events from event logs from several different computers into one central location. You can configure EventCombMT.exe to search for events and computers. Some specific search categories are built into the tool, such as account lockouts. Note that the account lockouts category is preconfigured to include events 529, 644, 675, 676, and 681.

    NLParse: Because Netlogon log files may become more than 10 MB in size, you may want to parse the files for the information that you want to view. You can use the NLParse.exe tool to parse Netlogon log files for specific Netlogon return status codes.
    Alockout.txt log file (sample):

Continue reading
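The event IDs in EventCombMT’s account-lockout category can be correlated to see which machine was sending the bad credentials before each lockout. This is an added example, not part of the original post or of Microsoft’s tools; the CSV layout, account names and machine names are constructed, and real events would first have to be exported into that shape.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Event IDs from the EventCombMT account-lockout category.
FAILURE_IDS = {529, 675, 676, 681}   # failed logon / pre-auth / ticket request / logon
LOCKOUT_ID = 644                     # user account locked out

# Constructed sample export (not real log data):
# time, event id, account, machine the attempt came from.
SAMPLE = """\
2012-09-13 08:58:10,675,jsmith,SQLDEV01
2012-09-13 08:58:40,675,jsmith,SQLDEV01
2012-09-13 08:59:05,529,jsmith,PC-0417
2012-09-13 08:59:30,675,jsmith,SQLDEV01
2012-09-13 08:59:31,644,jsmith,DC01
2012-09-13 09:10:00,529,akhan,PC-0099
2012-09-13 13:20:00,681,jsmith,SQLDEV01
"""

def lockout_sources(text, window_minutes=30):
    """For each 644 event, count the failure events for the same account in the
    preceding window, grouped by the machine that sent the bad credentials."""
    events = []
    for when, event_id, account, source in csv.reader(io.StringIO(text)):
        events.append((datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
                       int(event_id), account.lower(), source))
    events.sort()
    window = timedelta(minutes=window_minutes)
    report = []
    for when, event_id, account, _ in events:
        if event_id != LOCKOUT_ID:
            continue
        sources = Counter(src for t, eid, acct, src in events
                          if eid in FAILURE_IDS and acct == account
                          and when - window <= t <= when)
        # most_common() puts the likeliest culprit first
        report.append((account, when, sources.most_common()))
    return report

if __name__ == "__main__":
    for account, when, sources in lockout_sources(SAMPLE):
        print(account, when, sources)
```

The machine at the top of each list is the first place to look for a stale saved password, service account or mapped drive.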

Why Internet Explorer 8 crashes on Windows XP and …

not Vista or Windows 7.

The customer reported that our version of Internet Explorer 8 would crash when we visited their website.  We support IE8 on Windows XP.  IE8 was working ok for other websites.  So we fired up a “generic” Windows XP, and its IE8 crashed as well.
[Screenshot: mshtml.dll error]

It’s the customer’s website!

So I fired up Wireshark to see where the crash was happening.  Almost the last thing received by the Windows XP PC was this:
[Screenshot: Wireshark capture showing jQuery activity]

jQuery 1.4 was causing Internet Explorer 8 to crash.  Now we know the cause, we can Google for “jQuery crashing IE8”.

The solution:
Well, we told the customer to fix their website, by updating their rather old jQuery.

It also turns out that the latest (August 2012) IE8 security patch, MS12-052, resolves this issue as well.  (Update: for our particular customer.  The reference site below still crashes IE8)

Crashing IE8 with two lines of code

The joys of DLL hooks and eTrust Antivirus.

This is a guest post by Allan, a bloke I work with.  Allan asked my opinion of what was wrong, and I suggested a DNS server issue.  (Our DNS servers have a habit of not replying on the first query, but I was wrong.)

Recently I have spent a lot of time troubleshooting what appeared to be a DLL conflict issue when a customer installed PowerPivot for Excel 2010.

Without PowerPivot installed, you could happily connect to the SQL Analysis service using the msolap100.dll that gets installed by default (version 10.0.2733.0)

Install PowerPivot, and Microsoft Excel starts throwing you vague error messages, but ONLY the first time you try and connect.
[Screenshot: The following system error occurred]

And in the eventlog:
[Screenshot: PowerPivot error in event log]


So as usual I ran off and started playing with regsvr32, different DLL files and all that good stuff believing it was a faulty DLL.

The big issue was, there was nothing on Google. Nothing that reflected the error message I was getting, nothing that was really remotely close.

Working for a shared service organisation, I was able to install PowerPivot on another customer’s SOE that was also Windows XP.

Surprise Surprise… It worked.. No connection issues, no dramas.

So the next thing was to troubleshoot Group Policy, no issues there.. Logon as local admin… Nope, still have the issue. Make sure the security settings in Excel matched between the two environments… Nope….  Same deal, same vague error message.

So I installed Wireshark and noticed I was getting “RST,ACK” on the TCP packets on the initial connection attempts…

So after banging my head against the desk trying to find a solution.. It hit me, it could be the AntiVirus. One environment uses McAfee, the other eTrust.

eTrust AntiVirus is a wonderful product, and just to be clear… That statement is laced with a healthy dose of sarcasm.

One thing that many people may not be aware of is that the hooks that eTrust uses stay in place even when the services are stopped; you need to disable the services and reboot.

And that is exactly what I did…. And lo and behold…. The connection issue disappeared. And who said AV is never at fault.. Oh wait, that was me and it’s usually correct.

Luckily it’s a simple matter to disable the hook in to the msolap100.dll file.

  1. Fire up regedit and navigate to HKLM\SOFTWARE\ComputerAssociates\ITMRT
  2. Double click on the HookExclude key and add msolap100.dll at the end of the list.
  3. Hit OK, then reboot your PC.

Problem solved. You should be able to connect to your SQL R2 Cubes with no issues at all.

Shell32 returns Missing Entry OCInstall

Which is strange as I was applying Internet Explorer 8 security patch MS11-081, on Windows XP.

Strange because the OCInstall function was first introduced with Windows 2000 SP3/SP4.  Strange also that a Microsoft security patch was triggering it.  But it gets stranger still.

My *guess* is that because the customer wanted to go the cheap route and in-place upgrade Windows 2000 to Windows XP, that it’s caused this strange error.

The extra strangeness?  It fails when we install via SMS 2003, but if I log on as an Admin and manually run it, it works.  No, I don’t know why.

I missed the Windows XP release birthday

I’ve been working on Windows XP for a long time.  I found an old blog post with the Windows XP release dates in it:

30/06/2000 – Whistler Technical Beta begins

25/10/2001 – Windows XP Released
06/06/2002 – Windows XP SP1 Beta 1
09/09/2002 – Windows XP SP1 Released
03/02/2003 – Windows XP SP1A Released
18/12/2003 – Windows XP SP2 Beta Released
24/02/2004 – Windows XP SP2 Beta Refresh Released
17/03/2004 – Windows XP SP2 RC1 Beta Released
15/06/2004 – Windows XP SP2 RC2 Beta Released
06/08/2004 – Windows XP SP2 Released
21/04/2008 – Windows XP SP3 Released

WSUS DownloadFileInternal failed when trying to get

On a newly imaged Windows XP client, I decided to activate “Automatic Updates” via a newly installed WSUS 3.0 SP2 server.

But I was seeing this error on my Windows XP client:
2011-11-14    10:31:58:524    1788    2a0    Misc    WARNING: DownloadFileInternal failed for error 0x80072f78

What the WinXP client is trying to do is self-update the Windows Update Agent.  For some reason, the existing (older) agent wasn’t looking at my new WSUS server.  After some Googling, the suggested solution was to run the proxycfg -u command, to import the user’s proxy exclusions into the PC’s WinHTTP settings.

And it worked, but I wasn’t comfortable with the solution.  Because it’s changing the machine’s proxy setting, and since I’m going to be doing this to 2500+ desktops …  who knows what problems it would cause.

So I gave it some thought, and wondered what would happen if I MANUALLY updated the WinXP client with the new Windows Update Agent, before trying to speak to the WSUS server.

It worked!  So what I plan to do next is:

* For Windows SP3 and WSUS, Microsoft KB898461 (Package Installer for Windows) is a mandatory patch, so I’ll be applying/deploying it as well.

Removing old update backup files from Windows XP and Windows 7

Windows XP Update Remover

Before I release a new Windows XP standard operating system image, I use a utility called “Windows XP Update Remover”.  I do this to reduce the number of “$NTuninstall” directories and to save some disk space.

Sure, 400MB isn’t that much in the world of 1000 gigabyte drives, but if it reduces the GHOST image size by that much, it should make a desktop deployment just that little bit faster.

With Windows 7, I’d just use the built-in Disk Cleanup Utility.