Archive for the ‘Tips’ Category

Forcing Windows to identify a special-purpose network

February 3, 2013

One problem that comes up moderately frequently when dealing with Windows servers is that the Network Location Awareness service (NLA) doesn’t allow you to assign a particular adapter to a particular network.  On ordinary networks NLA seems to do a reasonable job, but typically it can’t cope with special-purpose networks such as SANs or point-to-point links; these are all lumped together as the “Unidentified Network” which by default is contained in the Public network profile.

Why is this a problem?  Because the Windows Firewall is configured on a per-profile basis.  That’s fine if Windows Firewall doesn’t interfere with whatever you’re doing on the special-purpose network.  Unfortunately, sometimes it does.

If you search the internet, you’ll find a number of scripts which change which network profile the “Unidentified Network” is put into.  You can also do this with group policy.  This means you can make unidentified networks Private, and turn Windows Firewall off (or set relaxed rules) for Private networks.  Is this a solution?  Not really, because it doesn’t just affect your special-purpose network, it affects every unidentified network from now on.  So if, for any reason, NLA ever fails to identify the network associated with your primary internet connection, your firewall will go down.  I’m not happy about that.

I’ve found a possible workaround.  IMPORTANT: I haven’t tested this thoroughly, and at the moment I’m not planning to use it on my production server (or at least only if every other option fails).  I’ve only tried it on Windows 2012 although I suspect it will work on older versions as well.  It is entirely possible that it only works for certain ethernet drivers.  Try this only at your own risk and please take proper and adequate precautions.

In addition to adapter settings such as the connection-specific DNS suffix, NLA uses the default gateway’s MAC address to identify the network.  Special-purpose networks don’t generally have a default gateway; if yours does, you probably don’t have this problem in the first place!  The idea is to create a fictitious default gateway, with suitable parameters, and the trick is that you have to give the fictitious gateway the same ethernet address as the local network adapter on the special-purpose network in question.  If you give it a make-believe ethernet address, it won’t work; you could instead give it the address of another machine on the same network, but then it won’t work if that machine is ever off-line.

(If your special network is a point-to-point link, you might instead prefer to specify the actual IP address at the other end of the link as the default gateway, if you don’t mind that NLA will see it as a new network if the ethernet address ever changes.)

So, for example: when I use get-netadapter in PowerShell I see the following results:

PS C:\Users\Administrator> get-netadapter

Name                      InterfaceDescription                    ifIndex Status       MacAddress             LinkSpeed
----                      --------------------                    ------- ------       ----------             ---------
Ethernet 2                Broadcom BCM5709C NetXtreme II Gi...#42      13 Disconnected 00-10-18-EC-7F-84          0 bps
SAN 2                     Broadcom BCM5716C NetXtreme II Gi...#41      15 Up           08-9E-01-39-53-AB         1 Gbps
SAN 1                     Broadcom BCM5709C NetXtreme II Gi...#43      12 Up           00-10-18-EC-7F-86         1 Gbps
UoW                       Broadcom BCM5716C NetXtreme II Gi...#40      14 Up           08-9E-01-39-53-AA         1 Gbps

In order to assign a specific network to the third adapter (interface index 12) I would use the following commands:

new-netroute 0.0.0.0/0 -interfaceindex 12 -nexthop 192.0.2.1 -publish no -routemetric 9999
new-netneighbor 192.0.2.1 -interfaceindex 12 -linklayeraddress 001018ec7f86 -state permanent

The first command assigns the default gateway for the interface.  I chose IP address 192.0.2.1 because it lies in 192.0.2.0/24, a range reserved for documentation (RFC 5737) that will never be assigned to a real device; I suggest you do the same.  We don’t want this route to be published, and we set the metric to 9999 so that it won’t ever be used while a real default route exists.  (When several default routes are present, the system uses the one with the lowest total metric, i.e. route metric plus interface metric.)  One caveat: if every other default route disappears, for example because your internet-facing adapter loses its link, this fictitious route becomes the only one, and traffic for other networks will be sent out of the special-purpose adapter and silently dropped instead of failing immediately with a “network unreachable” error.  That is a troubleshooting nuisance rather than a security problem, but it is worth knowing about.

The second command assigns the fictitious IP address an ethernet address; as discussed before, we use the same ethernet address as the adapter we’re assigning it to.  Note that the ethernet address must be entered in a different format to that in which it is displayed; just remove the hyphens.  We make the mapping permanent.  (You can use the remove-netneighbor command if you want to remove it later, and remove-netroute to take the route away again.)
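The two commands above, generalised into a script as an added example that is not part of the original post: it reads the adapter’s MAC address itself, refuses to run if the interface already has a real default gateway, applies the route and neighbour entry, and then asks NLA what it decided.  It assumes the adapter name “SAN 1” from the listing above, 192.0.2.1 as the fake gateway, and Windows 8 / Server 2012 or later for the Net* cmdlets; the checks with Get-NetRoute and Get-NetConnectionProfile are mine, not the author’s.

```powershell
# Added example (not from the original post). Creates the fictitious default
# gateway for one adapter using that adapter's own MAC address, then shows
# what NLA makes of the network. Assumptions: adapter name 'SAN 1' as in the
# listing above; 192.0.2.1 (RFC 5737 documentation range) as the fake gateway;
# Windows 8 / Server 2012 or later; run from an elevated PowerShell.

$AdapterName = 'SAN 1'
$FakeGateway = '192.0.2.1'

$adapter = Get-NetAdapter -Name $AdapterName
if ($adapter.Status -ne 'Up') {
    throw "Adapter '$AdapterName' is not up, so there is nothing for NLA to identify yet."
}
$ifIndex = $adapter.InterfaceIndex

# If a real default gateway is already configured on this interface, NLA should
# be able to identify the network without help; do not add a second default route.
$existing = Get-NetRoute -InterfaceIndex $ifIndex -DestinationPrefix '0.0.0.0/0' `
                         -ErrorAction SilentlyContinue
if ($existing) {
    throw "Interface $ifIndex already has a default route via $($existing.NextHop -join ', ')."
}

# New-NetNeighbor expects the MAC without the hyphens Get-NetAdapter displays.
$mac = $adapter.MacAddress -replace '-', ''

# Metric 9999: only ever selected when no other default route exists.
New-NetRoute -DestinationPrefix '0.0.0.0/0' -InterfaceIndex $ifIndex `
             -NextHop $FakeGateway -Publish No -RouteMetric 9999 | Out-Null

# Permanent neighbour entry: fake gateway IP -> this adapter's own MAC.
New-NetNeighbor -IPAddress $FakeGateway -InterfaceIndex $ifIndex `
                -LinkLayerAddress $mac -State Permanent | Out-Null

# NLA re-evaluates on its own; give it a moment, then report the verdict.
Start-Sleep -Seconds 5
Get-NetConnectionProfile -InterfaceIndex $ifIndex |
    Select-Object Name, InterfaceAlias, NetworkCategory

# Sanity check: the real default route (your internet-facing adapter) must
# still win, i.e. have the lower RouteMetric + InterfaceMetric.
Get-NetRoute -DestinationPrefix '0.0.0.0/0' |
    Sort-Object RouteMetric |
    Select-Object InterfaceIndex, NextHop, RouteMetric, InterfaceMetric

# To undo:
# Remove-NetNeighbor -IPAddress $FakeGateway -InterfaceIndex $ifIndex -Confirm:$false
# Remove-NetRoute -DestinationPrefix '0.0.0.0/0' -InterfaceIndex $ifIndex `
#                 -NextHop $FakeGateway -Confirm:$false
```

If NLA still reports “Unidentified network” after the sleep, disabling and re-enabling the adapter (Restart-NetAdapter) forces a fresh evaluation; the commented Remove-* lines put things back exactly as they were.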

I hope this is helpful.  If you do try it, please let me know how it goes.

Preventing executables from requiring UAC elevation

September 23, 2011

I’ve just found this great tip over at Stack Overflow.

In Windows Vista and later, an application can be coded to require UAC elevation (a requestedExecutionLevel of requireAdministrator in its manifest).  If you try to run it as a non-administrator, you get asked for an administrator username and password, and if you don’t provide them the application doesn’t start.  That’s all very well, but some developers set this flag when it isn’t really needed (I’m looking at you, beepa), which locks out all non-administrators.

This isn’t usually a big problem on a home machine, because you probably have an administrator account even if you don’t use it for everyday activities.  In a teaching lab, however, as in many other contexts, it’s fatal; the students don’t know the administrator password (or at least I devoutly hope they don’t!) and obviously we’re not going to tell them what it is.

It turns out that this is as simple as setting an environment variable.  Set __COMPAT_LAYER to RunAsInvoker in the environment of the process that launches the application, and Windows will ignore the requestedExecutionLevel in the application manifest and run the program with the launching user’s own token.  Nothing is elevated, so this is not a way around UAC, only around an unnecessary prompt.  You could set this globally via group policy, or write a simple wrapper program around specific applications that need it.  (Of course, if an application really does require administrator privilege it may fail in strange and unexpected ways, so take care; a global setting affects every program that is launched, including ones that genuinely need elevation.)
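A wrapper of the kind the paragraph suggests, as an added example (not from the original post, the Stack Overflow answer, or any product mentioned here): it sets the variable only for the child process it launches and restores the shell afterwards, and a crude check reads the manifest text out of the binary first so you can confirm that requireAdministrator is really what the program asks for.  The path C:\Tools\beepa.exe is a placeholder.

```powershell
# Added example (not from the original post). Launches a program that is
# manifested requireAdministrator without the UAC prompt, by placing
# __COMPAT_LAYER=RunAsInvoker in the environment the child inherits.
# The program path used at the bottom is a placeholder.

function Start-AsInvoker {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [string[]] $ArgumentList = @()
    )
    $saved = $env:__COMPAT_LAYER
    try {
        # RunAsInvoker: the loader ignores requestedExecutionLevel and the
        # process runs with the caller's own token. Nothing is elevated.
        $env:__COMPAT_LAYER = 'RunAsInvoker'
        $params = @{ FilePath = $Path; PassThru = $true; Wait = $true }
        if ($ArgumentList.Count -gt 0) { $params.ArgumentList = $ArgumentList }
        $p = Start-Process @params
        return $p.ExitCode
    }
    finally {
        # Restore the shell's environment so later launches are unaffected.
        if ($null -eq $saved) { Remove-Item Env:\__COMPAT_LAYER -ErrorAction SilentlyContinue }
        else                  { $env:__COMPAT_LAYER = $saved }
    }
}

# Crude manifest check: the embedded manifest is stored as plain UTF-8 XML, so
# a text search over the file finds the requestedExecutionLevel element.
# Returns e.g. 'requireAdministrator', 'highestAvailable', 'asInvoker', or $null
# if the binary has no such element. (Only 'requireAdministrator' prompts a
# standard user for credentials; 'highestAvailable' does not.)
function Get-RequestedExecutionLevel {
    param([Parameter(Mandatory)] [string] $Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $text  = [System.Text.Encoding]::UTF8.GetString($bytes)
    if ($text -match 'requestedExecutionLevel[^>]*?level\s*=\s*"([^"]+)"') { return $Matches[1] }
    return $null
}

$exe = 'C:\Tools\beepa.exe'   # placeholder path
Get-RequestedExecutionLevel -Path $exe
$code = Start-AsInvoker -Path $exe
"exit code: $code"
```

Because the variable is inherited rather than global, nothing else launched from the same shell is affected, and an installer that genuinely needs elevation still gets its prompt when started normally.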

Hope this helps – and Norbert, if you’re reading this, thank you.  Knowing about this is going to come in very handy.

Disabling the Sun Java Updater

June 2, 2010

If you are seeing proxy authentication dialogs appearing from nowhere now and then, one of the reasons may be the Sun Java Updater.  (If you are wondering what jusched.exe is doing in your process list, this is it.)

I knew there was a registry setting for this, but I couldn’t find it on Sun’s web site.  Thanks to James McMahon, here it is:

HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy

This is a DWORD that should be set to zero to disable Java Update.  (On 64-bit Windows a 32-bit JRE keeps its settings under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft instead, so check there too.)  The process jusched.exe will still start up when a user logs in, but it exits shortly thereafter.

The reason this has become particularly painful lately is that, unlike earlier releases, the Sun Java runtime and Sun JDK installers no longer preserve this value – so you have to reset it to zero each time either is installed or updated.
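Since the installers reset the setting, it is easier to re-apply it from a script than to remember the registry path.  The function below is an added example, not from the original post: it handles both the native and the Wow6432Node locations and reports which of them had drifted.  The value name EnableJavaUpdate is not given on this page; it is assumed from the layout Sun’s updater uses, and is a parameter so you can substitute whatever your installation actually writes under the Policy key.

```powershell
# Added example (not from the original post). Re-applies "Java Update disabled"
# after a JRE/JDK install and returns the keys that the installer had reset.
# Assumption: the DWORD under ...\Java Update\Policy is named EnableJavaUpdate
# (not stated on this page); change -ValueName if your version differs.

function Set-JavaUpdateDisabled {
    param([string] $ValueName = 'EnableJavaUpdate')

    $keys = @(
        'HKLM:\SOFTWARE\JavaSoft\Java Update\Policy',
        'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Update\Policy'   # 32-bit JRE on 64-bit Windows
    )
    $drifted = @()
    foreach ($key in $keys) {
        # Only touch locations where a Java Update tree exists; creating one
        # where no JRE is installed achieves nothing.
        if (-not (Test-Path (Split-Path $key -Parent))) { continue }
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

        $current = (Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
        if ($current -ne 0) {            # missing ($null) or re-enabled by an installer
            New-ItemProperty -Path $key -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
            $drifted += $key
        }
    }
    return $drifted
}

$reset = Set-JavaUpdateDisabled
if ($reset) { "Java Update had been re-enabled; disabled again at:`n" + ($reset -join "`n") }
else        { 'Java Update already disabled everywhere.' }
```

Run it elevated after each Java install, or as a scheduled task; a non-empty result is a sign that an update ran and reverted the policy.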

Harry.

Resetting a password in Windows 7 or Windows Vista

March 9, 2010

One problem that comes up now and again for any OS (well, any modern OS) is how to recover administrative access to the system when the password has been forgotten.

There’s a reasonably straightforward solution [1] for Windows 7, which I haven’t seen on the web so far, so I thought I should publish it.  Be aware that I can’t offer or provide any warranty, support, or assistance with this procedure, apart perhaps from clarifying any part of the instructions that aren’t clear.  It’s always worked for me, but that’s all I can promise.

Additional note 13 June 2012: see also this question on superuser.com, which provides a number of alternatives.

This procedure also works on Windows Vista; the underlying technique works on Windows XP as well but is not usually feasible because the Windows XP install CD’s Recovery Console does not provide a registry editor with which to load the offline hive.

One important caveat: since this resets the password rather than letting you find out what it is, the user’s EFS-encrypted files become inaccessible (permanently, unless an EFS recovery agent certificate or a previously created password reset disk exists), and so do other secrets that the user’s profile protects with DPAPI, such as saved web and network credentials.

This is the short version, for advanced users and sysadmins:

  1. Boot to Windows 7 from the installation or repair DVD, or from Windows PE 3 boot media, or from a Windows 7 installation on another HDD.  If the target OS is Vista, use the Vista installation DVD, or Windows PE 2, or another Vista installation.  (Booting to a mismatched version of Windows might work, but I’ve never tried it; if the registry file formats aren’t exactly the same between versions, this could result in a corrupted registry and an unbootable system.)
  2. Load the SYSTEM registry hive from the target OS.  Back it up first.
  3. In the Setup key, change SetupType to 2 and CmdLine to cmd.exe.
  4. Boot the target OS.  You’ll get a command-line window in system context.

The long version, for everyone else:

  1. Boot to your Windows 7 or Windows Vista installation DVD, whichever matches the installed OS.  If you purchased your computer from a responsible vendor, they’ll have provided you with one, although unfortunately many vendors don’t.
    Additional note 8 September 2011: In Windows 7, there is an option in the Start Menu (under Maintenance) to Create a System Repair Disc.  The CD or DVD this option creates is perfect for the job.  However, you have to be an administrator to use it, so unless you’ve done it ahead of time or can use a friend’s Windows 7 machine you’re out of luck.
    Additional note 1 September 2011: If your computer is 64-bit capable (you don’t need to actually be running a 64-bit OS) then you can use the install disk for Microsoft’s free server product, Hyper-V.  You can find it here.  Note, however, that it is a fairly big download, a little more than a gigabyte.
    Additional note 5 May 2011: Nommo was kind enough to point me to this post on Microsoft Answers which provides a link to downloadable repair disks for Vista and Windows 7.  I can’t from my own knowledge confirm that these disks are legitimate, and Microsoft aren’t telling, so use only at your own risk.  Indications are that they are probably OK.  (Personally, I wouldn’t use the charged-download option until I’d checked how much my OEM was going to charge to provide an installation disk.  Make sure the OEM knows you need a Windows installation disk, not a system recovery disk.)
    A vendor system recovery disk might offer the same functionality, and in some cases you can order an installation DVD from your vendor (or from Microsoft?).
  2. Select your language options on the first screen and press Next to continue.
  3. Choose “Repair Your Computer”.
  4. Choose “Use recovery tools…” and select your OS.  Make a note of which drive letter it is on, e.g., C: or D:.  This might not be the same drive letter you see when booted normally.
    Additional note 1 September 2011: if you get an error message when you press Next, this might be because the install disk you are using is not compatible with the version of Windows you have installed.  This will happen, for example, if you are using the Hyper-V install disk.  Don’t panic.  Just press SHIFT-F10 to open a command prompt and skip ahead to step 6.
  5. Select Command Prompt.
  6. In the command prompt window that appears, type “regedit” and press ENTER.
  7. Select HKEY_LOCAL_MACHINE and then choose Load Hive from the File menu.
  8. Find and open the file named SYSTEM on the drive you noted in step 4.  If Windows is in the default configuration, this will be in windows\system32\config.
  9. Enter a key name, e.g., “xxx”.
  10. Click the plus icon to the left of HKEY_LOCAL_MACHINE to open this key.  Select the xxx key.
  11. Select Export from the File Menu.  Change the Save as type to Registry Hive Files.  Type a name for the backup, for example, systembackup, and press Save.  (This step creates a backup of the unmodified SYSTEM registry hive as a precaution.)
  12. Open the xxx key, and select Setup.
  13. Double-click on SetupType in the right-hand pane.  Enter 2 and press OK.
  14. Double-click on CmdLine.  Enter cmd.exe and press OK.
  15. Close Registry Editor.  Type “regedit” and press ENTER to open it again.  (This step does not appear to be necessary in Windows 7, but in Windows Vista if you do not do this the next step might fail with an Access Denied error.)
  16. Open HKEY_LOCAL_MACHINE, select xxx, and choose Unload Hive from the File Menu.  Push Yes.
  17. Close the command window and the Registry Editor.  Remove the installation DVD and select Restart.
  18. When your computer boots up, another command window should appear.
  19. Type “net user foo bar”, replacing foo with the username of the account whose password you want to reset, and bar with the new password.  For example, you might type “net user Administrator letmein”.  Press ENTER.
  20. If you want to use the built-in Administrator account, you will probably need to enable it: type “net user Administrator /active:yes” and press ENTER.
  21. If you don’t know what the administrative username(s) are, type “net localgroup administrators” and press ENTER to find out.
  22. Type “exit” and press ENTER.
  23. When the logon screen appears, use the username and the new password to log in.
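The registry part of the procedure (steps 6 to 16) can be done with reg.exe instead of the Registry Editor GUI, which is quicker and leaves less room for clicking the wrong key.  The script below is an added example, not from the original post: reg.exe is present in the recovery command prompt, where PowerShell usually is not, and every reg line is identical when typed into cmd.exe (only the $LASTEXITCODE check would become an ERRORLEVEL check).  It assumes the offline Windows volume is D:, the drive letter noted in step 4, and that the hive backup should live on that same volume so it survives the reboot.

```powershell
# Added example (not from the original post). Steps 6-16 of the procedure with
# reg.exe: load the offline SYSTEM hive, back it up, set SetupType/CmdLine,
# verify, unload. Assumes the offline Windows volume is D: (see step 4).
# The reg.exe lines can be typed unchanged at the recovery cmd.exe prompt.

$Hive   = 'D:\Windows\System32\config\SYSTEM'
$Mount  = 'HKLM\xxx'                  # same temporary key name as in step 9
$Backup = 'D:\systembackup.hiv'       # on the target volume, not the RAM drive

reg load $Mount $Hive
if ($LASTEXITCODE -ne 0) { throw "Could not load $Hive (is D: the right drive?)" }

# Step 11: untouched copy of the hive, in the same format as the SYSTEM file.
reg save $Mount $Backup /y

# Steps 13 and 14. /f overwrites without prompting.
reg add "$Mount\Setup" /v SetupType /t REG_DWORD /d 2       /f
reg add "$Mount\Setup" /v CmdLine   /t REG_SZ    /d cmd.exe /f

# Confirm what is about to be written back before unloading.
reg query "$Mount\Setup" /v SetupType
reg query "$Mount\Setup" /v CmdLine

# Step 16. The change is committed to the file on D: when the hive is unloaded.
reg unload $Mount
if ($LASTEXITCODE -ne 0) { throw "Unload failed; close any window that still has $Mount open and retry." }

# Rollback, still booted from the DVD and with the hive not loaded:
#   copy /y D:\systembackup.hiv D:\Windows\System32\config\SYSTEM
```

After the reboot and the net user commands of steps 19 to 21, delete D:\systembackup.hiv: it contains the full SYSTEM hive, including the boot key, and should not be left lying on the disk.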

Note that if the system volume is encrypted (for example with BitLocker), this procedure will not work at all, because the offline SYSTEM hive cannot be read or modified without the recovery key.  System administrators who want to prevent users from using techniques like this one to reset passwords should consider disk encryption. [2]  Another option is to configure the system BIOS to disallow booting from removable media and to protect that setting with a BIOS password, although if the user can open the case of the machine this can usually be reset.
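The same two registry values are worth watching from the defending side.  On a fully installed system SetupType is 0 and CmdLine is empty; anything else means a command will run in SYSTEM context at the next boot, whether it was staged by an administrator using this procedure or by someone who should not have had the hive.  The check below is an added example, not from the original post, for a running system (Windows 7 or later); it reports the values and a verdict, and is easy to run from a management agent.  A nonzero SetupType is expected only in the middle of deployment (sysprep), so treat a hit on a deployed machine as something to explain.

```powershell
# Added example (not from the original post). Reports whether HKLM\SYSTEM\Setup
# has a pending setup-mode boot, the state this procedure creates.
# Expected on an installed system: SetupType 0, CmdLine empty.

function Test-PendingSetupCommand {
    $setup = Get-ItemProperty -Path 'HKLM:\SYSTEM\Setup' -ErrorAction Stop
    $cmd   = [string]$setup.CmdLine
    # A missing SetupType ($null -ne 0 is true) is also flagged: it is not the
    # shape of a healthy installed system and deserves a look.
    $pending = ($setup.SetupType -ne 0) -or -not [string]::IsNullOrWhiteSpace($cmd)
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        SetupType    = $setup.SetupType
        CmdLine      = $cmd
        Pending      = $pending
    }
}

$result = Test-PendingSetupCommand
$result
if ($result.Pending) {
    Write-Warning "Setup-mode boot pending: '$($result.CmdLine)' will run as SYSTEM at next start."
}
```

Reading HKLM\SYSTEM\Setup needs no elevation, so the check can run under an ordinary monitoring account; pair it with a log-on audit so that a boot into setup mode followed by a net user password change stands out.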

Hope this helps.

Harry.

[1] Well, for some definitions of straightforward, anyway.

[2] I’ve heard tell of some administrators whose “solution” to this issue is to use the network firewall to block access to any web sites with instructions on resetting passwords!  Whether they also inspect all printed material entering the building, and ban anybody they think might be smart enough to just remember how to do it, I don’t know.