Today I learnt about FIPS and SHA1

System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
   at System.Security.Cryptography.SHA1Managed..ctor()
   at ....

When I say “learnt”, it was more about reading documents to determine what happened to cause the above error.

I suspect either of these:

  1. Microsoft have released a new schannel.dll which removes and/or breaks SHA1 functionality.
  2. The Group Policy setting “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing” has been enabled.

My quick “fix” was to change the application to use a different hashing algorithm.
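
A way to check the second suspicion and to hash without hitting the exception, as an added example that is not part of the original post. It assumes Windows PowerShell on the .NET Framework and Windows Vista or later for the registry path; the function names are made up for illustration.

```powershell
# Added example (not from the original post). Function names are hypothetical.
function Get-FipsPolicyState {
    # Vista and later store the Group Policy setting here; Enabled = 1 means on.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $value = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
    [pscustomobject]@{
        RegistryEnabled = ($value -eq 1)
        # What the .NET Framework runtime in this process will enforce.
        RuntimeEnforced = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
    }
}

function Test-ManagedSha1 {
    # Repeats the constructor call from the stack trace above.
    # Returns 'ok', or the message of the exception the constructor threw.
    try { $null = New-Object System.Security.Cryptography.SHA1Managed; 'ok' }
    catch { $_.Exception.GetBaseException().Message }
}

function Get-FipsSafeHash {
    param([Parameter(Mandatory = $true)][byte[]]$Data)
    # The *CryptoServiceProvider classes wrap the Windows implementation, so they
    # still construct when the policy is on; the *Managed classes do not.
    $sha = New-Object System.Security.Cryptography.SHA256CryptoServiceProvider
    try { [System.BitConverter]::ToString($sha.ComputeHash($Data)).Replace('-', '').ToLower() }
    finally { $sha.Dispose() }
}

Get-FipsPolicyState
Test-ManagedSha1
# Constructed sample input.
Get-FipsSafeHash -Data ([System.Text.Encoding]::UTF8.GetBytes('constructed sample input'))
```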


MaxPatchCacheSize and Windows 7

So I was building a Windows 7 virtual machine, so I could play “Gardens of Time” as GoT doesn’t work on my Windows 2008 R2 box …, and I went looking for the MaxPatchCacheSize setting in the registry.

I didn’t have access to the internet* and I wanted to set the setting so I could save space on my VM.  But the setting isn’t in the registry by default!

So as it’s a “policies” registry setting, I was able to find it in the Local Group Policy Editor (gpedit.msc):
Baseline file cache maximum size

The policy is called “Baseline file cache size”:

This policy controls the percentage of disk space available to the Windows Installer baseline file cache.

The Windows Installer uses the baseline file cache to save baseline files modified by binary delta difference updates. The cache is used to retrieve the baseline file for future updates. The cache eliminates user prompts for source media when new updates are applied.

If you enable this policy setting you can modify the maximum size of the Windows Installer baseline file cache.

If you set the baseline cache size to 0, the Windows Installer will stop populating the baseline cache for new updates. The existing cached files will remain on disk and will be deleted when the product is removed.

If you set the baseline cache to 100, the Windows Installer will use available free space for the baseline file cache.

If you disable this policy setting or if it is not configured, the Windows Installer will use a default value of 10 percent for the baseline file cache maximum size.

Changing the setting in the Local Group Policy Editor created the HKLM\Software\Policies\Microsoft\Windows\Installer\MaxPatchCacheSize key.

* – if I did have access to the internet, I would have remembered that I could have done this with a simple reg.exe command:
reg add HKLM\Software\Policies\Microsoft\Windows\Installer /v MaxPatchCacheSize /t REG_DWORD /d 0 /f

I wrote about that here.

The Case of the Windows FTP.EXE not working from the corporate network.

The heading alone should tell you the answer, particularly if I add ACTIVE FTP to it.

You see, most Corporate IT people consider ACTIVE FTP a bad thing, and block it at the internet gateway.  Sure FTP works within the company network, but as soon as you try to FTP something from outside the company network, it will fail.

The FTP clients that ship with Windows do not support passive mode. Therefore, they always need to negotiate a data port when issuing a command that returns data.
Windows FTP Client Receives Error Message 425 (MS KB271078)

But here’s the strange thing, it DID work on our network until two months ago.  I suspect our corporate IT security people have finally gotten around to locking down ACTIVE FTP, which was identified as a vulnerability back in 2000.

After much searching around, I settled on MOVEit Freely, as it’s a “drop-in” alternative to Microsoft’s FTP.EXE.

Some of the alternatives I looked at:

Send quote PASV within the FTP client.
Does not work.  It only sets the server to PASSIVE mode, not the client.

FTP_FOR_WIN32 from the GNU Project
Works, except it’s missing a couple of features, such as -s batch command(s).

NcFTP Client
Works, except it’s missing a couple of features, such as -s batch command(s).

MOVEit Freely
This is the one I decided to use, first saw it discussed here:
FTP Clients – Part 5: MOVEit Freely Command-Line Secure FTP Client

Passive FTP
Would definitely work, except that it’s a commercial product (at $29.95USD).  We’d prefer free.

TransSoft FTP Performer
Commercial product 🙁

GNU Wget
Yes it works, but the customer would have to modify their VBA scripts quite a bit to work with it.
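
Why “quote PASV” does not help, as an added example that is not part of the original post: the most recent PORT or 227 exchange decides who opens the data connection, and per the KB quote above the Windows client still sends PORT before each transfer. The function names and the session lines are made up for illustration.

```powershell
# Added example; the control-channel lines below are constructed, not captured.
function ConvertFrom-FtpHostPort {
    param([string]$Text)
    # PORT arguments and 227 replies both carry h1,h2,h3,h4,p1,p2 (RFC 959).
    if ($Text -notmatch '(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})') { return $null }
    $n = 1..6 | ForEach-Object { [int]$Matches[$_] }
    if ($n | Where-Object { $_ -gt 255 }) { return $null }
    '{0}:{1}' -f ($n[0..3] -join '.'), ($n[4] * 256 + $n[5])
}

function Get-FtpTransferMode {
    param([string[]]$ControlLines)
    $mode = $null; $endpoint = $null
    foreach ($line in $ControlLines) {
        $who, $text = $line -split ':\s*', 2
        if ($who -eq 'C' -and $text -match '^PORT\s') {
            # Client announces its own listener: the server must connect in.
            $mode = 'Active'; $endpoint = ConvertFrom-FtpHostPort $text
        } elseif ($who -eq 'S' -and $text -match '^227\s') {
            # Server announces its listener: the client connects out.
            $mode = 'Passive'; $endpoint = ConvertFrom-FtpHostPort $text
        } elseif ($who -eq 'C' -and $mode -and $text -match '^(LIST|NLST|RETR|STOR)\b') {
            [pscustomobject]@{
                Command      = $Matches[1].ToUpper()
                Mode         = $mode
                ListeningEnd = $endpoint
                OpenedBy     = $(if ($mode -eq 'Active') { 'server (inbound to client)' } else { 'client (outbound)' })
            }
        }
    }
}

# Constructed session: PASV sent by hand, then the client negotiates PORT anyway.
$session = @(
    'C: PASV'
    'S: 227 Entering Passive Mode (203,0,113,10,195,80)'
    'C: PORT 10,0,0,5,19,137'
    'S: 200 PORT command successful.'
    'C: NLST'
    'S: 425 Can''t open data connection.'
)
Get-FtpTransferMode $session
```

The one transfer in the sample is reported as Active with the client as the listening end, which is the inbound connection a gateway that blocks active FTP drops.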

VBscript to get the system uptime from a group of computers

One of our corporate customers doubted that we had computers being left powered on overnight.  So I quickly wrote the script below to query each computer’s uptime.

The record uptime?  93 days!

One co-worker remarked that Windows 95 & 98 had a bug which caused it to crash after 49.7 days.  I’m amazed any Windows 95/98 system would make it to 49 days, in the first place.

Set objFSO = CreateObject("Scripting.FileSystemObject")
If Not objFSO.FileExists("C:\computer_lists\uptime_check.txt") Then
   ' Nothing to do without the list of computer names.
   WScript.Echo "Input file not found."
   WScript.Quit 1
End If

Set objStream = objFSO.OpenTextFile("C:\computer_lists\uptime_check.txt", 1) ' 1 = ForReading

Do While Not objStream.AtEndOfStream
   strComputer = Trim(objStream.ReadLine)
   ' strComputer shouldn't be blank, if it is, there is something wrong with the input file.

   If strComputer = "" Then
      WScript.Echo "Blank line in input file, stopping."
      Exit Do
   End If

   If Not Reachable(strComputer) Then
      ' Short pause before the second (and final) ping below.
      WScript.Sleep 100
   End If
   If Reachable(strComputer) Then
      WScript.Echo upTime(strComputer)
   End If
Loop
objStream.Close

WScript.Echo "Finished"

Function Reachable(strComputer)
   On Error Resume Next
   Dim wmiQuery, objWMIService, objPing, objStatus
   Reachable = False
   ' The name is placed inside a WQL string literal, so drop any single quotes
   ' (no valid host name contains one).
   wmiQuery = "Select * From Win32_PingStatus Where Address = '" & Replace(strComputer, "'", "") & "'"
   Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
   Set objPing = objWMIService.ExecQuery(wmiQuery)
   For Each objStatus In objPing
      If IsNull(objStatus.StatusCode) Or objStatus.StatusCode <> 0 Then
         Reachable = False 'if computer is unreachable, return false
      Else
         Reachable = True 'if computer is reachable, return true
      End If
   Next
End Function

'Code pinched from here:
Function upTime(strComputer)
   Dim objOS
   Dim dtmBootup
   Dim dtmLastBootupTime
   Dim dtmSystemUptime
   Dim colOperatingSystems
   Dim objWMIServices
   Dim lngSeconds
   On Error Resume Next
   upTime = 0
   objWMIServices = "winmgmts:{impersonationLevel=impersonate}!//" & strComputer
   Set colOperatingSystems = GetObject(objWMIServices).InstancesOf("Win32_OperatingSystem")

   For Each objOS In colOperatingSystems
      dtmBootup = objOS.LastBootUpTime
      dtmLastBootupTime = WMIDateStringToDate(dtmBootup)
      ' Work from total seconds so hours, minutes and seconds add up.
      lngSeconds = DateDiff("s", dtmLastBootupTime, Now)
      dtmSystemUptime = "Last system reboot occurred for " & strComputer & " is:" & (lngSeconds \ 3600) & " hours, " & ((lngSeconds \ 60) Mod 60) & " minutes, " & (lngSeconds Mod 60) & " seconds ago."
      'dtmSystemUptime = strComputer & "," & (lngSeconds \ 3600) & "," & ((lngSeconds \ 60) Mod 60) & "," & (lngSeconds Mod 60) & ",end"
   Next
   If Err.Number = 0 Then
      upTime = dtmSystemUptime
   Else
      upTime = "Last reboot time cannot be retrieved from " & strComputer
   End If
End Function

Function WMIDateStringToDate(dtmBootup)
   ' Build the date from its parts so the result does not depend on the
   ' regional date format of the machine running the script.
   WMIDateStringToDate = DateSerial(Left(dtmBootup, 4), Mid(dtmBootup, 5, 2), _
        Mid(dtmBootup, 7, 2)) + TimeSerial(Mid(dtmBootup, 9, 2), _
        Mid(dtmBootup, 11, 2), Mid(dtmBootup, 13, 2))
End Function

Text mode drivers and Sysprep (on Windows XP)

I’m so glad we’ve moved away from needing to use Sysprep on Windows Vista / 7.

But since I still support Windows XP and needed to add an Intel AHCI (SATA) driver to our Windows XP image, I have to deal with it still.

This week’s problem was that Sysprep wasn’t injecting the AHCI driver, even though it was in the [SysPrepMassStorage] section of Sysprep.inf.

Result: Blue screen of death with a Stop 0x0000007B error.

I wasted more time than I’m proud to admit here.  I know the driver was good, as I created an Nlite WinXP image, and it worked.  As an aside, if I was building a WinXP image for home, I’d use Nlite.

Anyway, so out of desperation, I asked the rest of the team.

Adrian commented he’d seen a case of where Sysprep hadn’t updated the CriticalDeviceDatabase registry keys.

So I updated the CriticalDeviceDatabase registry key and it all worked.

“You Bastard image!  That’s an embarrassing amount of time I’ll never get back again.”

Some instructions that Adrian and I wrote up follow below the read more.

Time Zones Revisited

As a co-worker pointed out, Microsoft stores time zone information in two places:

  1. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones
    this is where the time zone database is stored.
  2. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation
    this is where the current time zone information is stored,
    i.e. the time zone information Windows is using currently.

Simple once you know.  And you do need to know this, if you are ever unfortunate enough to have to deal with Daylight Savings changes.

How to configure daylight saving time for Microsoft Windows operating systems
How to tell what Microsoft Time Zone you have

Semi-regular web-link clearance – September 2010

Automatically increasing the system font size in Windows 7

… That year, the top-of-the-range machines we were giving out to these undeserving gits weren’t coming with 1024×768 screens any more; they had nice, crisp, state-of-the-art 1400×1050 screens. While I thought they were gorgeous, not everyone agreed, insisting that the higher resolution made the fonts too small to read. This complaint was most prominent among the middle-aged salesmen who I quickly worked out were too vain to admit they were now of an age at which they needed reading glasses …

Creating a SteadyState like Windows 7 Environment

Windows SteadyState does not support Windows 7. However, many of its features can be replicated by using native Windows 7 features and free tools from Microsoft. This document is intended primarily for IT pros who configure shared-computer access in business environments, but partners who support shared-computer access in schools, libraries, and Internet cafes will also find the information useful.

Faronics Deep Freeze is a commercial alternative to Windows SteadyState.

Repair Windows Installer Errors

I ran into a problem recently where I tried to install a program on my Windows XP machine and I got an error related to the Windows Installer service, namely
The Windows Installer Service Could Not Be Accessed
After trying  many solutions, I finally got the program to install and fixed the Windows Installer error. Depending on your OS, the solution could be different. In this article, I will go through all the solutions I tried and hopefully one of them will work!

Windows 7 & Location Awareness

Location became ubiquitous!

It’s almost two years now since people have heard about new revolution in building context-aware applications – Windows 7 & its context-aware APIs.

As you know, in Windows 7 Microsoft shipped a platform known as “Windows 7 Sensor Platform” and set of APIs for location awareness. Together the platform is known as “Windows 7 Sensor & Location Platform”. You can read more about the platform, progress of work on it in team’s blog here:

Location remains one of the most critical assets of context-aware computing area for next decades. The biggest problem of location is that until it’ll become ubiquitous and cheap it can’t be a game changer and bring context-aware computing vision to life.

The Win 16 Subsystem has insufficient resources …

Sometimes, you don’t ever expect to ever see a particular error message ever again.
Error message: The Win 16 Subsystem has insufficient resources to continue running.  Click on OK, close your applications, and restart your machine.

It’s been over 5 years since the last time I saw this error, quite possibly on a Windows NT4 system in 2002.

The problem was reported to me as the  "FooBat" application does not start when the user launches it.  Reading the actual error message, it tells us the actual problem.  And it’s not the “FooBat” application.   The problem is that Windows is unable to allocate any more memory to the 16-bit program handler.

This sort of problem just doesn’t happen anymore.  So I looked at NODDYPC’s Event Log, nothing real unusual there.  So I then looked at what was running in memory:
C:\Toolbox>pslist \\NODDYPC

pslist v1.28 - Sysinternals PsList
Copyright ® 2000-2004 Mark Russinovich

Process information for NODDYPC:

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time
Idle                  0   0   2    0      0  1333:24:32.750     0:00:00.000
System                4   8  68 1661      0     0:18:49.578     0:00:00.000
smss                572  11   3   19    176     0:00:00.046   674:54:40.395
csrss               936  13  13  705   1868     0:08:33.984   674:54:37.738
winlogon            960  13  19  644  10152     0:03:20.093   674:54:36.707

There is a clue there, and it is the amount of CPU Time the Idle process has used.  1333 hours works out to 55 days of idle-ness.

So how long has NODDYPC been running?

C:\Toolbox>psinfo \\NODDYPC

PsInfo v1.75 - Local and remote system information viewer
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals -

System information for \\NODDYPC:
Uptime:                    28 days 2 hours 55 minutes 46 seconds
Kernel version:            Microsoft Windows XP, Multiprocessor Free
Product type:              Professional
Product version:           5.1
Service pack:              3
Kernel build number:       2600
Registered organization:   Office of the Yellow Taxi
Registered owner:          Toyland
Processors:                2

My advice to our support technician?  Reboot the computer and the problem will be magically solved.  Which is what the last part of the error message states – “… restart your machine.”

“But why 55 days of idle-ness, when the computer has only been up for 28 days?”, I hear you ask.
NODDYPC has 2 processors, and the 1333 hours total is for both processors.


Saving space in a VM with MaxPatchCacheSize

I first read about MaxPatchCacheSize, and how to use it to save space in Virtual Machines, over at Jeremy Jameson’s blog.

From the Microsoft MSDN Library entry for MaxPatchCacheSize:

“The value of the MaxPatchCacheSize policy is the maximum percentage of disk space that the installer can use for the cache of old files. For example, a value of 20 specifies no more than 20% be used. If the total size of the cache reaches the specified percentage of disk space, no additional files are saved to the cache. The policy does not affect files that have already been saved.

If the value of the MaxPatchCacheSize policy is set to 0, no additional files are saved.”

But how much can it save really??? Well there is only one way to know how much it will save, and that is to test it, and measure the savings.

The Tests.
1. Office 2010 upgrade.
2. Windows XP Windows Update.

I set the MaxPatchCacheSize entry to 0 by doing the following on a command line:
reg add HKLM\Software\Policies\Microsoft\Windows\Installer /v MaxPatchCacheSize /t REG_DWORD /d 0 /f

I set up a Virtual Machine with no MaxPatchCacheSize, ran the test, then reset the PC back to its unpatched state (aka reverted a snapshot).  Then ran the test again with MaxPatchCacheSize set to 0.

Office 2010 Upgrade
I upgraded Office 2007 to Office 2010, by accepting the default Upgrade option.
The result was disappointing, only 20 megabytes was saved.
So that’s a FAIL for MaxPatchCacheSize.

Windows XP Windows Update
I took a Windows XP SP3 PC, with no additional post SP3 security patches, and visited WindowsUpdate.  90 minutes later, I had a fully patched machine.
And a far better result for MaxPatchCacheSize.  448 megabytes.
On a 16GB hard disk, 448 megabytes is a worthwhile saving.
That’s a SUCCESS for MaxPatchCacheSize.

So in conclusion.
MaxPatchCacheSize is useful for Windows Installer based patches.  Not so much for a product upgrade such as Office 2010.
