Howto: Do not display the name of the user who has locked a Windows computer or server

Normally when a Windows workstation or server is locked, you’ll see something similar to the following Windows Security message:  

This computer is in use and has been locked.
 
Only DOMAIN\USER (user name) or an administrator can unlock this computer.
 
To hide the name of the user who has locked a computer, define the following setting in a workstation-level GPO:
 
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Display user information when the session is locked.
 
There are three choices if you enable this policy:
 
  • User display name, domain and user names (default setting)
  • User display name only
  • Do not display user information
 
Besides being applicable to Active Directory GPOs, this setting appears in the local security policy on my Windows XP SP3 VM. The setting is not available on my XP SP2 laptop, but I see from KB837022 that there is a hotfix that corrects this problem in XP SP2.


Alternatively, the following DWORD can be created in the registry of XP SP2, Windows Vista, and Windows Server 2008 machines to accomplish the same thing:
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DontDisplayLockedUserId
 
User display name, domain and user names = 1
User display name only = 2
Do not display user information = 3
 
You need to restart the machine for the change to take effect.
 
You may also be interested in the related Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Do not display last user name setting. This security setting determines whether the name of the last user to log on to the computer is displayed in the Windows logon screen.

If this policy is enabled, the name of the last user to successfully log on is not displayed in the Log On to Windows dialog box.  If this policy is disabled, the name of the last user to log on is displayed.
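As an added example (not from the original post), the following PowerShell script reports and sets both policies from this section. It assumes DontDisplayLastUserName is the value behind "Interactive logon: Do not display last user name", which lives in the same Policies\System key as DontDisplayLockedUserId.

```powershell
# Added example, not from the original post. DontDisplayLastUserName is assumed to be
# the value behind "Interactive logon: Do not display last user name" (same key).
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# DontDisplayLockedUserId values, as listed in the post
$LockedIdLevels = @{
    1 = 'User display name, domain and user names'
    2 = 'User display name only'
    3 = 'Do not display user information'
}

function Get-LockScreenDisclosure {
    $props  = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $locked = $props.DontDisplayLockedUserId
    $last   = $props.DontDisplayLastUserName
    $shows  = 'Not configured (full name, domain and user name are shown)'
    if ($locked -ne $null -and $LockedIdLevels.ContainsKey([int]$locked)) {
        $shows = $LockedIdLevels[[int]$locked]
    }
    New-Object PSObject -Property @{
        DontDisplayLockedUserId = $locked
        LockedSessionShows      = $shows
        DontDisplayLastUserName = $last
        LastUserHiddenAtLogon   = ($last -eq 1)
    }
}

function Set-LockScreenDisclosure {
    param(
        [ValidateSet(1, 2, 3)] [int] $LockedUserInfoLevel = 3,   # 3 = do not display user information
        [bool] $HideLastUserName = $true
    )
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name DontDisplayLockedUserId -Value $LockedUserInfoLevel -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name DontDisplayLastUserName -Value ([int]$HideLastUserName) -Type DWord
    # The post notes a restart is required for the locked-session setting to take effect
    Write-Warning 'Restart the machine for DontDisplayLockedUserId to take effect.'
}

# Audit only; run Set-LockScreenDisclosure from an elevated prompt to apply the hardened values
Get-LockScreenDisclosure | Format-List
```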

Global Fix: Windows Media Player audio works, video does not

Hearing sound but not seeing video is a very common problem associated with many versions of Windows Media Player.  The solution is to turn down the video acceleration inside of WMP (not Windows).  To do this, access WMP’s Performance options and slide the video acceleration from full down to medium, or even none if necessary. 

I have seen this issue across my enterprise, and was hoping I could control this setting through Group Policy.  Unfortunately, this is not a setting found in the wmplayer.adm file.  
 
To fix this problem, I used Nir Sofer’s RegFromApp utility to determine which changes are made to the registry when WMP’s video acceleration settings are lowered. Here are the resulting .reg files, which I pushed out globally to clients via login scripts. Tested with WMP 9, 10, and 11.
 
Medium video acceleration settings
 
Windows Registry Editor Version 5.00
 
[HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\VideoSettings]
"PerformanceSettings"=dword:00000001
"UseVMROverlay"=dword:00000000
"DontUseFrameInterpolation"=dword:00000001
"DVDUseVMR"=dword:00000000
"DVDUseVMROverlay"=dword:00000000
"DVDUseVMRFSMS"=dword:00000000
"DVDUseSWDecoder"=dword:00000000
 
No video acceleration settings
 
Windows Registry Editor Version 5.00
 
[HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\VideoSettings]
"PerformanceSettings"=dword:00000000
"UseVMR"=dword:00000000
"UseVMROverlay"=dword:00000000
"UseRGB"=dword:00000000
"UseYUV"=dword:00000000
"UseFullScrMS"=dword:00000001
"DontUseFrameInterpolation"=dword:00000001
"DVDUseVMR"=dword:00000000
"DVDUseVMROverlay"=dword:00000000
"DVDUseVMRFSMS"=dword:00000000
"DVDUseSWDecoder"=dword:00000000

Fix: The World Wide Web Publishing Service (WWW Service) did not register the URL prefix http://x.x.x.x:80/ for site 1. The site has been disabled. The data field contains the error number


System log event 1004 (source: IIS-W3SVC). Error received when trying to start the stopped web site:

The process cannot access the file because it is being used by another process. (Exception from HRESULT: 0x80070020)
 
To verify nothing else is using the x.x.x.x:80 IP address and port (which would be a different issue), launch an administrative command prompt and type:
 
netstat -ano | findstr :80
 
Verify no other process is listening on the x.x.x.x IP address and port 80 (or whatever port the web site is running on). If the affected web site runs on a port other than 80, substitute that port number in the netstat command above. If something is listening on that IP and port while the web site is stopped, the fix below is probably not going to solve your problem.
 
FIX:
 
From administrative command prompt type:
 
net stop http
 
In regedit, browse to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\ListenOnlyList
 
If an IP address is listed in ListenOnlyList, change the IP address to 0.0.0.0
 
From administrative command prompt type:
 
net start http
 
From the Services applet, restart the World Wide Web Publishing Service
 
Restart the affected web site by opening Server Manager > Roles > Web Server (IIS) > Internet Information Services (IIS) Manager > Your Server Name > Sites. Highlight the affected site and select Restart.
 
My issue was caused by an old, invalid IP address being specified at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\ListenOnlyList. This happened because I had previously run the web site on a different IP address on this server.
 
See KB 890015 for details on the solution.
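As an added example (not from the original post), a PowerShell check that reads HTTP.sys's ListenOnlyList, flags entries that no local adapter currently has (the stale-address case described above), and shows what is listening on the site's port, the same information as the netstat command earlier in the post:

```powershell
# Added example, not from the original post. Diagnoses the ListenOnlyList problem
# before any registry change is made.
function Test-HttpListenConfig {
    param([int] $Port = 80)
    $httpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'

    # IPv4 addresses bound on this machine right now
    $localAddresses = [System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces() |
        ForEach-Object { $_.GetIPProperties().UnicastAddresses } |
        Where-Object { $_.Address.AddressFamily -eq 'InterNetwork' } |
        ForEach-Object { $_.Address.IPAddressToString }

    $listenOnly = (Get-ItemProperty -Path $httpParams -Name ListenOnlyList -ErrorAction SilentlyContinue).ListenOnlyList
    if (-not $listenOnly) {
        Write-Host 'ListenOnlyList is not set: HTTP.sys listens on all addresses.'
    } else {
        foreach ($entry in $listenOnly) {
            $status = 'not IPv4, not checked'     # e.g. IPv6 entries
            if ($entry -match '^\d{1,3}(\.\d{1,3}){3}$') {
                if ($entry -eq '0.0.0.0' -or $localAddresses -contains $entry) {
                    $status = 'OK'
                } else {
                    $status = 'STALE: not bound on any adapter, HTTP.sys cannot register the prefix'
                }
            }
            Write-Host ('ListenOnlyList entry {0,-16} {1}' -f $entry, $status)
        }
    }

    # LISTENING sockets on the port with their owning process, so a genuine port
    # conflict is not mistaken for the ListenOnlyList problem
    netstat -ano | ForEach-Object {
        if ($_ -match "^\s*TCP\s+(\S+):$Port\s+\S+\s+LISTENING\s+(\d+)\s*$") {
            $owner = Get-Process -Id ([int]$Matches[2]) -ErrorAction SilentlyContinue
            Write-Host ('Port {0} listener on {1}: PID {2} ({3})' -f $Port, $Matches[1], $Matches[2], $owner.ProcessName)
        }
    }
}

Test-HttpListenConfig -Port 80
```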

After upgrading to BES 4.1.3 or higher for Groupwise, excessive GWXMLData::ContactSyncRecordToXML warnings appear in the Windows Application log

Blackberry KB15941 explains that starting with BES 4.1, additional warnings are logged to the Blackberry Messaging and Windows Application log. These warnings are informational in nature, and do not indicate a problem.

If you’d like to reduce or eliminate these messages, KB04342 says to edit the EventLogLevel DWORD value of the appropriate BES service located at:

HKEY_LOCAL_MACHINE\Software\Research In Motion\Blackberry Enterprise Server\Logging Info
 
DWORD values and Event Types correspond as follows:
 
0 = Disable all event logging
1 = Errors
2 = Warnings
3 = Information
4 = Debug
5 = Other
 
Unfortunately, I was unable to determine which service was generating these excessive GWXMLData warnings, so I had to contact RIM directly. Their response was that the Mailbox Agent service needs to have its EventLogLevel changed to 1, which would log errors only.
 
I made this change on my BES server, and the event logs are now much slimmer!

Howto: Stop Backup Exec from failing entire backup jobs when corrupt files are encountered

Here is the registry entry to stop Backup Exec from failing backup jobs when corrupt files are encountered.

[For Backup Exec versions 9x and 10x]
HKEY_LOCAL_MACHINE\SOFTWARE\VERITAS\Backup Exec\Engine\Backup

[For Backup Exec versions 11x and 12x]
HKEY_LOCAL_MACHINE\SOFTWARE\SYMANTEC\Backup Exec for Windows\Backup Exec\Engine\Backup

On the menu bar, select Edit | Add Value

In the Value name field, type in Fail Jobs On Corrupt Files

For the Data Type, select REG_DWORD

In the right window, double-click Fail Jobs On Corrupt Files

Change the Value to 0 (zero)

Restart the Backup Exec services or restart the Windows server.

Microsoft has finally fixed their methodology for disabling Autorun on Windows operating systems

Technet article 91525 describes a registry key that can be set to disable the Autorun feature in Windows operating systems. 

The registry key is NoDriveTypeAutoRun, which can be found at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer

This key disables the Autoplay feature on all drives of the type specified.  Autoplay begins reading from a drive as soon as media is inserted in the drive. As a result, the setup file of programs and the sound on audio media starts immediately.

Unfortunately, this key did not produce the desired result of disabling the Double Click and Contextual Menu features.  Microsoft just released KB 953252, which describes how to obtain updates that correct these broken registry key settings in the following Windows Operating Systems:

Windows 2000
Windows XP Service Pack 2
Windows Server 2003 Service Pack 1 and 2
Windows Vista

Note: Windows Server 2008 is not affected.

The main purpose of Autorun is to provide a software response to hardware actions that you start on a computer. Autorun has the following features:

• Double Click
• Contextual Menu
• AutoPlay

These features are typically called from removable media or from network shares. During AutoPlay, the Autorun.inf file from the media is parsed. This file specifies which commands the system runs. Many companies use this functionality to start their installers.

Please see KB 953252 for security updates to each applicable operating system to disable Autorun capabilities. This KB also describes Group Policy settings to disable all Autorun features, plus instructions on selectively disabling specific Autorun features.

If you’re still not sure why you’d want to disable Autorun, check out Scott’s article on Autorun attacks.
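As an added example (not from the post or the KB), a PowerShell audit that decodes NoDriveTypeAutoRun in both the machine and user Explorer policy keys. The bit meanings are the Win32 drive-type constants the value masks; a set bit disables Autorun for that drive type and 0xFF disables it for all of them.

```powershell
# Added example, not from the post or the KB. Each bit of NoDriveTypeAutoRun
# corresponds to a Win32 drive type (the GetDriveType constants).
$DriveTypeBits = @(
    @{ Bit = 0x01; Name = 'DRIVE_UNKNOWN' },
    @{ Bit = 0x02; Name = 'DRIVE_NO_ROOT_DIR' },
    @{ Bit = 0x04; Name = 'DRIVE_REMOVABLE (USB sticks, floppies)' },
    @{ Bit = 0x08; Name = 'DRIVE_FIXED (hard disks)' },
    @{ Bit = 0x10; Name = 'DRIVE_REMOTE (network shares)' },
    @{ Bit = 0x20; Name = 'DRIVE_CDROM' },
    @{ Bit = 0x40; Name = 'DRIVE_RAMDISK' },
    @{ Bit = 0x80; Name = 'Reserved (unknown drive types)' }
)

function Get-AutorunPolicy {
    foreach ($hive in 'HKLM', 'HKCU') {
        $key   = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        $value = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($value -eq $null) {
            Write-Host "${hive}: NoDriveTypeAutoRun not set (Windows default applies)"
            continue
        }
        Write-Host ('{0}: NoDriveTypeAutoRun = 0x{1:X2}' -f $hive, $value)
        foreach ($dt in $DriveTypeBits) {
            $state = 'ENABLED'
            if ($value -band $dt.Bit) { $state = 'disabled' }
            Write-Host ('    {0,-40} Autorun {1}' -f $dt.Name, $state)
        }
        if ($value -eq 0xFF) {
            Write-Host '    Autorun is disabled for every drive type.'
        } else {
            Write-Host '    Some drive types still honour Autorun.inf; 0xFF disables all of them.'
        }
        # Per KB 953252, on the affected systems the Double Click and Contextual Menu
        # features ignore this key until the update it describes is installed.
    }
}

Get-AutorunPolicy
```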

Setting the Windows default logon domain

We deploy the majority of our Windows XP computers through imaging. We use several different imaging solutions – Ghost, Zenworks, Acronis, and the Microsoft imaging tools found in Windows Deployment Services, which used to be called RIS.

One of the challenges I have experienced is that after you join the Active Directory domain post-imaging, Windows prompts you to log on to the local computer rather than the domain by default. I came across Ronni’s post the other day, which shows the appropriate registry entries that can be added using the reg.exe utility to change the logon target from the local computer name to the domain.

Execute both of the commands found below:

reg.exe add "HKLM\software\microsoft\windows nt\currentversion\winlogon" /v altdefaultdomainname /t REG_SZ /d "yourdomain" /f

reg.exe add "HKLM\software\microsoft\windows nt\currentversion\winlogon" /v defaultdomainname /t REG_SZ /d "yourdomain" /f

Replace yourdomain with the name of your Active Directory domain. Reg.exe is built into Windows XP+ and is available for download from the Windows 2000 Resource Kit.

Note that these values are set only for the initial logon. After a user logs into the machine for the first time these values are overwritten.

Blocking Apple software updates through Group Policy due to Safari for Windows security concerns

I’m a big fan of keeping my software applications up to date on client machines, but I hate the fact that Apple is trying to push new Safari installations whenever users update iTunes on my Windows machines. I found Dan’s blog post with specifics on how to edit the appropriate registry keys to forbid automatic installations of Apple software, but the post’s comments showed some differing results users experienced when implementing the registry changes.

Further down in the comments I came across Eric S’s suggestion for creating a software restriction policy that disallows Apple Software Update from running. 

“To disallow Apple Software Update in Group Policy:
- Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies > Additional Rules
- Right-click or Action > New Path Rule…
- Path: C:\Program Files\Apple Software Update
- Security Level: Disallowed

This would prevent Apple Software Update from running, regardless of whether the user installed it, or what version was installed.”

In theory a network administrator could then push approved Apple updates to the client computers via Microsoft System Center Configuration Manager, Novell Zenworks, or other application deployment solution.
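As an added example (not from the post or Eric S’s comment), a PowerShell script that lists the Software Restriction Policy path rules present on a client so you can confirm the Disallowed rule for Apple Software Update actually arrived via Group Policy. It relies on the policy being stored under Safer\CodeIdentifiers as one subkey per security level, each with a Paths subkey holding one GUID-named key per rule whose ItemData value is the path.

```powershell
# Added example, not from the post. Security-level subkey names under CodeIdentifiers
# are the SAFER level IDs.
$SaferLevels = @{ 0 = 'Disallowed'; 4096 = 'Untrusted'; 65536 = 'Restricted';
                  131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpPathRules {
    foreach ($hive in 'HKLM', 'HKCU') {
        $base = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
        if (-not (Test-Path $base)) { continue }
        foreach ($levelKey in Get-ChildItem -Path $base) {
            $level = 0
            if (-not [int]::TryParse($levelKey.PSChildName, [ref] $level)) { continue }
            $paths = Join-Path $levelKey.PSPath 'Paths'
            if (-not (Test-Path $paths)) { continue }
            foreach ($rule in Get-ChildItem -Path $paths) {
                $props = Get-ItemProperty -Path $rule.PSPath
                New-Object PSObject -Property @{
                    Scope       = $hive
                    Level       = $SaferLevels[$level]
                    Path        = $props.ItemData
                    Description = $props.Description
                }
            }
        }
    }
}

function Test-AppleUpdateDisallowed {
    $rules = @(Get-SrpPathRules | Where-Object {
        $_.Level -eq 'Disallowed' -and $_.Path -like '*Apple Software Update*' })
    if ($rules.Count -eq 0) {
        Write-Warning 'No Disallowed path rule for Apple Software Update has applied on this machine.'
        return $false
    }
    $rules | Format-Table Scope, Level, Path -AutoSize | Out-Host
    return $true
}

Test-AppleUpdateDisallowed
```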

Also note that as of May 30, 2008, Microsoft Security Advisory 953818 is warning of a “blended threat that allows remote code execution on all supported versions of Windows XP and Windows Vista when Apple’s Safari for Windows has been installed. An attacker could trick users into visiting a specially crafted Web site that could download content to a user’s machine and execute the content locally using the same permissions as the logged-on user.”

This means that if the user is running with Administrator level privileges, the machine is easily owned by the bad guys. According to Nitesh, who originally discovered the issue, the problem stems from the fact that the “Safari browser cannot be configured to obtain the user’s permission before it downloads a resource. Safari downloads the resource without the user’s consent and places it in a default location (unless changed)”

Microsoft’s suggested action is to:

  1. Change the download location of content in Safari to a location other than ‘Desktop’
  2. Launch Safari. Under the Edit menu select Preferences.
  3. At the option where it states Save Downloaded Files to: select a different location on the local drive

Howto: Configure the Windows 2008 Server Core Screensaver Activation Period

By default the Windows 2008 Server Core screensaver will activate after 600 seconds (10 minutes) of inactivity.

To change the amount of time the screensaver waits to activate, edit the following registry key:

HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut

I changed mine from 600 seconds (10 minutes) to 1200 seconds (20 minutes).

Sander has several other Desktop related settings you can configure for Server Core on his blog.

It’s the day after Patch Tuesday, and my Vista Business machine has lost ALL network connectivity

I try to be a responsible security professional, and practice what I preach. I know it’s important to keep operating systems and applications updated with security patches, so I have Microsoft’s Automatic Update configured on my home Vista PC to install automatically. I tell my friends to do this, since I don’t want them to get 0wned. I have my mom’s PC set for AU since I don’t have the time to deal with her computer gremlins that are a result of her unsafe surfing.

What did this bring me? A Vista Business 64-bit machine with no network connectivity. Of course it happens when I’m late for a client appointment and I need the machine so I can print out a Google map to the site. To top it off, it snowed six inches last night, and I know the roads are going to suck.

I rebooted my machine, logged in normally, and still had no network connection. I tried to release and renew my IP, but was told the network adapter was not connected.

Begrudgingly, I fired up Event Viewer and found a number of entries for Event 4375:

Windows Servicing failed to complete the process of setting package KB938371_40 (Update) into Staging(Staging) state

and Event 4385:

Windows Servicing failed to complete the process of changing update 942831-1_RTM_neutral_LDR from package KB942831(Security Update) into Staging(Staging) state

KB 938371 explains the patch contains updates to several internal components that Windows Vista requires in order to install or to remove Windows Vista Service Pack 1 more reliably. This update must be applied separately before you install Windows Vista SP1 to make sure that Windows Vista SP1 can be installed or removed from the computer. Update 938371 is necessary to install and to remove Windows Vista SP1 on all versions of Windows Vista.

Great. Looks like I won’t have to worry about Vista SP1 breaking anything on my machine, since it won’t be getting installed!

KB 942831 ended up being a fix for MS08-005, Vulnerability in Internet Information Services that could allow elevation of privileges. Microsoft considers this an important, not critical fix, so I decided I could disregard this error for the time being. I’m pretty satisfied these Automatic Updates were not the root cause of my networking issues.

The final error I found was Event 1060:

\SystemRoot\SysWow64\Drivers\GEARAspiWDM.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

I searched my system for this file, and found it located in the F:\Windows\System32 directory, which is not my operating system’s boot drive. It’s an almost dead hard drive that used to run my 32-bit Windows XP machine. I’ve been trying to resurrect data off it, and had mounted it in an external USB caddy.

Interestingly enough, I’ve had this old 32-bit XP drive plugged into my Vista 64-bit system for over two months, and have never seen the Event 1060 error. I’m wondering if these two failed Microsoft updates have anything to do with it. On a whim, I renamed the GEARAspiWDM.sys file to GEARAspiWDM.sys.old and rebooted, and got my network connection back.

I did notice GEAR posted updated 64-bit drivers two weeks ago, so maybe I’ll try to install them. I also found the GEAR driver is a part of iTunes, which was not previously supported on 64-bit Vista (who knew?) If updating the drivers and/or iTunes doesn’t fix my problem I may uninstall both, then manually clear up all the GEAR registry entries, then start with fresh installs of both.

My suspicion is something new with the XP 32-bit GEARAspiWDM.sys messed with Vista’s 64-bit driver signing system, which threw the network card offline. I’ll do some more investigation tonight and post an update if I find anything.
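As an added example (not from the post), a PowerShell script that pulls the servicing and driver-block events listed above out of Event Viewer and then checks any driver named in an Event 1060 two ways: its Authenticode signature, and whether the image is 32-bit or 64-bit, which is the likely reason a driver from an old XP install would be refused by 64-bit Vista. The Setup log name and the regex that extracts the driver path from the event text are assumptions.

```powershell
# Added example, not from the post. Servicing events may land in System or Setup,
# so both logs are queried.
function Get-UpdateAndDriverEvents {
    param([int] $Days = 2)
    $since = (Get-Date).AddDays(-$Days)
    foreach ($log in 'System', 'Setup') {
        Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 4375, 4385, 1060; StartTime = $since } `
            -ErrorAction SilentlyContinue
    }
}

function Get-PeMachineType {
    param([string] $Path)
    $bytes    = [System.IO.File]::ReadAllBytes($Path)
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)            # IMAGE_DOS_HEADER.e_lfanew
    $machine  = [BitConverter]::ToUInt16($bytes, $peOffset + 4)  # IMAGE_FILE_HEADER.Machine
    switch ($machine) {
        0x014c  { 'x86 (32-bit)' }
        0x8664  { 'x64' }
        default { 'unknown 0x{0:X4}' -f $machine }
    }
}

function Test-BlockedDriver {
    param([string] $Path)
    if (-not (Test-Path $Path)) { return "$Path not found" }
    # Authenticode status only; the x64 kernel-mode signing chain is not evaluated here
    $sig = Get-AuthenticodeSignature -FilePath $Path
    New-Object PSObject -Property @{
        Driver    = $Path
        Machine   = Get-PeMachineType -Path $Path
        Signature = $sig.Status
        Signer    = $sig.SignerCertificate.Subject
    }
}

# Drivers named in Event 1060 text, e.g. \SystemRoot\SysWow64\Drivers\GEARAspiWDM.sys
Get-UpdateAndDriverEvents | Sort-Object TimeCreated | ForEach-Object {
    Write-Host ('{0} Event {1}: {2}' -f $_.TimeCreated, $_.Id, ($_.Message -split "`n")[0])
    if ($_.Id -eq 1060 -and $_.Message -match '(\\\S+\.sys)') {
        Test-BlockedDriver -Path ($Matches[1] -replace '^\\SystemRoot', $env:SystemRoot) | Format-List
    }
}
```

Test-BlockedDriver can also be pointed directly at a copy found elsewhere, such as the one on the old XP drive, to compare the two images.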

On a semi-related note, the GEAR wiki states:

There appears to be an incompatibility between older versions of the GEAR Software drivers and the Intel Application Accelerator with certain combinations of Intel chipsets and operating systems.

To determine which Intel chipset is being used on the motherboard, download the Intel Chipset Identification Utility from Intel’s website.

To date the problem has been detected on systems with the following combinations of chipsets and operating systems:
- Intel 815E chipset and Windows 2000
- Intel 845E chipset and Windows 2000
- Intel 850 chipset and Windows 2000
- Intel 860 chipset and Windows 2000

This issue can be corrected by completing either of the following:

1) Download and install the latest GEAR driver set.
2) Uninstall the Intel Application Accelerator.

I’m using an AMD CPU so this isn’t my issue, but hopefully it will help someone with a similar problem.