Windows Enterprise Desktop

January 3, 2012  3:40 PM

MS Pushes Out-of-Band Security Update Over Holiday Weekend

Ed Tittel Ed Tittel Profile: Ed Tittel

Imagine my surprise when I sat down to my PC late morning on January 1, to see that Microsoft had pushed a security update to address “Vulnerabilities in the .NET Framework…” (MS11-100, rated Critical). This involved as many as three security patches on some of my PCs, depending on how many version of the .NET Framework were installed on those machines (for Windows 7 patches were released for versions 3.5.1 and 4; for Windows XP, patches also appeared for versions 1.1 and 2.0, as well as 3.5 instead of 3.5.1).

Headline for out-of-band MS security patch

Headline for out-of-band MS security patch

Because this update addresses zero-day vulnerabilities in ASP.NET that can lead to elevation of privilege for rogue software and execution requests, this is a patch that admins will want to fast-track through their internal testing and deployment procedures. Ryan Naraine (of the Zero Day ZDNet blog) explains why this one is worth special treatment in his post this morning entitled  “Microsoft ships emergency .NET fix to thwart hash table collision attacks.” See KB Article 2638420 for a list of “known issues” related to deploying this particular security patch (basically, it involves updating all servers that use ASP.NET authentication tickets concurrently, because the pre- and post-patch mechanisms are incompatible).

December 26, 2011  1:26 AM

An AHCI Dilemma Resolved at Long Last

Ed Tittel Ed Tittel Profile: Ed Tittel

This past summer, I had to rebuild one of my test Windows machines when the original motherboard went south. When doing the rebuild, the machine crashed during the reboot part-way through the install process, and forced me to switch from AHCI to IDE mode for the disk drives I was using, even though they’d worked fine in AHCI on the previous motherboard. I wrote it off to some issue with AHCI and my combination of parts, and simply stayed with the switch to IDE and figured that would be the end of it.

But when I was finally able to get the proper IDE drivers loaded for that machine this weekend I decided to revisit the AHCI issue on this Gigabyte P43-ES3G. I like to tinker with my systems over the holidays, and have just finished a major patch-fix-upgrade-and-repair pass over all my PCs now; the disk controller stuff all started working when I switched the BIOS from “emulate IDE” to “straight SATA” just to see what would happen. IDE kept working, but DriverAgent was suddenly able to help me find the right, current drivers for the Intel ICH10R chipset and the JMicron JMB36X SATA/IDE controller on the P43-ES3G. “What the heck,” I figured, “Let’s try AHCI now, and see what happens.” It still kept hanging during drive detect while booting.

With some assiduous poking around, I discovered that others have had issues with the BIOS hanging during the drive detect just as I have, including a variety of Asus as well as Gigabyte motherboards. As it happens, the reason I had to switch from AHCI to IDE drive mode was because drive detection would hang on the second of the two drives in that system (a Samsung 1 TB HD103UI 7200 RPM hard disk) after correctly detecting the WD 300 GB Raptor that serves as the boot drive, but before detecting the presence of the SATA DVD burner on the system.

Just for grins, I tried a different drive instead of that Samsung yesterday while fiddling with the machine, after which AHCI booted like a charm. Upon further investigation I came across a posting on a gentleman named Ivan Filippov –who just happens to work for German-based disk formatting and partitioning company Paragon Software (whose Hard Disk Manager Suite has long been a favorite of mine) that explains a possible cause for this situation.  He observes that when the disk geometry data in the first partition on a drive gets munged, it can cause disk recognition at the BIOS Level to fail. The two other drives I tried to replace the original Samsung didn’t have this problem, apparently, and the drives were recognized and the AHCI BIOS loaded successfully–and so did the Samsung itself, after I popped it into a SATA drive caddy on another machine (after backing it up, of course) and repartitioning and reformatting that drive.

Problem solved, and I learned something both interesting and valuable. I should’ve just tried another drive (I’ve always got at least a couple of spares around, sometimes more than that) when I first hit this problem and it pretty much would have solved itself. And so it goes! Another obscure but interesting Windows lesson learned, and another pesky annoyance rubbed out at last…

[Note to readers: I’m taking the rest of the year off, so you won’t see me post again until January 2, 2012. Let me take this opportunity to wish everyone a happy holiday season, and a festive and prosperous New Year!]

December 23, 2011  4:26 PM

Safari iFRAME Exploit Leads to Zero-Day BSOD, Possible Remote Execution at Kernel Level

Ed Tittel Ed Tittel Profile: Ed Tittel

Secunia posted Advisory SA47327 earlier this week, which explains that a specially-crafted Web page instantly crashes 64-bit Windows 7 Professional running the Apple Safari Web browser for Windows. According to the advisory “The vulnerability is caused due to an error in win32.sys and can be exploited to corrupt memory via e.g. a specially crafted web page containing an iFRAME with an overly large “height” attribute viewed using the Apple Safari browser.” The bulletin goes onto say that “successful exploitation may allow execution of arbitrary code with kernel-level privileges, presumably in the form of some post-crash recovery executable. The original discovery (and an instance of an “overly large value” appears in a Twitter post from 12/18/2011 by @w3bd3vil aka “webdevil”).

Here’s a novel workaround for those concerned about this vulnerability until Apple comes out with a fix: turning on Developer Tools in Safari apparently eliminates iFRAME support (see this Apple Support Communities discussion: “iFrame works until I turn on developer tools in Safari…” for more information and instructions). OTOH, states that “Safari can’t be secured 100% against clickjacking” so one had better hope that this workaround truly turns off iFRAME altogether (hurry up testing on my three PCs with Safari installed appear to confirm this, albeit in a very small sample).

December 21, 2011  5:17 PM

More Windows Troubleshooting Stories

Ed Tittel Ed Tittel Profile: Ed Tittel

OK, so lately I’ve been both a little miffed, and more than a little curious, because my Windows 7 problem reporting hasn’t been working properly. The error message information to explain why not is pretty darn cryptic and turned up a big, fat goose egg — precisely nothing, that is — when I attempted to run the problem down. Here’s what I mean:

Interesting to see group policy mentioned on a non-AD Windows client

Interesting to see group policy mentioned on a non-AD Windows client

The diagnostics program helpfully offers the options to change error reporting settings, but they’re all greyed-out because they’re not user accessible. So off I go, haring into gpedit.msc, to see if jacking around with Local Computer Policy will help. Following tips on the Internet apparently related to this problem (‘Windows Error Reporting Doesn’t Work” or “Group Policy error on Windows error reporting”) I try changing settings in Administrative Templates \ Windows Components \ Windows Error Reporting. Nothing helps.

More Internet research tells me that the start-up and troubleshooting management tool, Soluto (which I use and have blogged about here repeatedly), might be at fault. Because a new update to the Soluto software is now available — which makes it smart for me to uninstall the old version before trying out a new one, as I’ve learned to do from previous major revs of their software — I try running the “Check for Solutions” item in System Center \ Maintenance with Soluto installed, and then again, without it installed.

Bingo! That difference also makes the difference between Windows error reporting (and Check for Solutions) working when Soluto is absent, and presenting the Group Policy error screen when Soluto is present. Very interesting! I certainly hope Soluto is aware of this issue and planning to fix it soon–hopefully in their upcoming first commercial release, scheduled for later this year.

[Follow-up note 12/22/2011: Checked a couple of 64-bit Windows 7 machines also running Soluto, but not the latest version: one rev back. No issues with MS problem reporting or solution lookup on any of these machine. Even more interesting! I’m going to update one of these machines and see if the problem is specific to the 32-bit version only, or affects both 32- and 64-bit machines.]

[Second follow-up 12/23/2011: Just installed the latest rev on two of my 64-bit test machines. Prior to the rev, MS Problem reporting and solution lookup worked fine. After the rev, it showed the same group policy error that also appeared on my 32-bit machine as well. Ladies and Gentlemen: we appear to have a genuine culprit!]

December 19, 2011  4:31 PM

Microsoft’s Move Toward iOS

Ed Tittel Ed Tittel Profile: Ed Tittel

On December 15, 2011, Paul Thurrott of Supersite for Windows appeared on Windows Weekly 239 with Mary-Jo Foley (another regular commenter on Microsoft and Windows operating systems and technologies). My specific area of interest here is the company’s release of iOS apps for Skydrive, Lync, and an update for OneNote 1.3 for the iPad (iOS apps for Kinectimals, Bing, and an iOS connector for email are also available as well).

Paul and Mary Jo ponder the strange synergy between MS and iOS

Paul and Mary Jo ponder the strange synergy between MS and iOS

Of course, it’s still the case that the deepest and most effective support for MS applications occur on Windows Mobile platforms (but because this occurs at the OS level) sometimes the non-Windows mobile platforms get such support sooner than major Microsoft releases can manage. As Thurrott points out, Microsoft is not to tightly aligned that it can push out mobile OS releases in synch with features under development in various part of the company. Some Windows enthusiasts (bigots?) have expressed displeasure that iOS in general (and iPad in particular) have gathered features and functions that might not yet have appeared on mobile Windows platforms. That’s why it’s still the case that Xbox Live is better integrated into Windows mobile platforms, as is the entire Windows Office suite.

It’s going to be interesting to see how this unfolds. Given the increasing importance of mobile apps, and the proliferation of platforms (and the inescapable popularity of iOS) it’s ever more likely that MIcrosoft will reach out to competitive platforms at the same time as it makes apps to run on those selfsame platforms.

December 16, 2011  8:02 PM

MS AMD Bulldozer Performance Fix Up and Down in 24 Hours

Ed Tittel Ed Tittel Profile: Ed Tittel

On Thursday, December 15, MS released a hotfix to “optimize the peformance of AMD Bulldozer CPUs…” for Windows 7 or Windows Server 2008 R2 (KB2592546). Seems that the original code base wasn’t properly set up to take full advantage of multi-threading in the Bulldozer architecture. According to some hurry-up benchmarking work from X-bit Labs, the hotfix could boost performance anywhere from 2-10 percent, depending on the actual application involved — but only if that application is designed to run in multi-threaded fashion.

Now you see it, now you do not!

Now you see it, now you do not!

This morning, however, VR-Zone posted a story entitled “Microsoft Pulls Down the AMD Bulldozer Multi-Threaded Patch,” citing reports of user problems and peformance decreases for the reversal in course. While you can visit the Hotfix page for KB2592546, you’ll immediately notice that the download links on this page are no longer live.

Later rather than sooner?

Later rather than sooner?

I’m guessing that a development team is working feverishly to address whatever gotchas popped up following the inital drop of this release onto the Microsoft Support pages. I imagine we’ll see a round two on this stuff as soon as it’s judged to be “really working this time.”

Very interesting!

[Note on 12/19: HardOCP has since explained that the initial hotfix was incomplete, and got pulled because it demonstrated a negative effect — that is, decreased performance — on enough Bulldozer systems that MS apparently decided it was better off pulling the code than leaving it up for download.]

December 14, 2011  6:08 PM

PSI Flags Interesting Silverlight Issue

Ed Tittel Ed Tittel Profile: Ed Tittel

As anybody who reads this blog regularly knows, I use and endorse Secunia’s excellent Personal Software Inspector (PSI) software on my notebook and desktop PCs. This program takes a look at the OS, applications, and helper software components to check release versions and dates, then compares it to its voluminous database of current OS patches and fixes, application updates, and more, to determine what elements of a particular install are out-of-date and need to be made current. It’s a peachy program (a corporate version called CSI is also available for business and commercial use) and one that I  regard as essential in helping me keep my machines secure and up-to-date.

This morning, when I logged in I saw various security update bulletins that induced me to run the PSI scan on my primary desktop, it reported that my Microsoft Silverlight installation (and Google Chrome) needed updates. This struck me as odd because Patch Tuesday just hit yesterday, and I’d already updated that system. As it happens, Silverlight has just been updated to a new major version (5), but this update is not yet being distributed through Windows Update itself. Here’s what clued me into the situation:

Silverlight 4.x is now end-of-life (obsolete)

Silverlight 4.x is now end-of-life (obsolete)

It’s weird to find oneself in a situation where a piece of Microsoft software displays this kind of warning, even in the face of Windows Update. That’s how I figured out that Silverlight 5 hasn’t yet fallen under the WU umbrella (as also happens with OS Service Packs, which must be manually downloaded and installed until some time after their official release).

So now that I knew what I was dealing with, I jumped over the the Silverlight page at, where I beheld the following welcome:

The Silverlight home page checks and reports on what version you have

The Silverlight home page checks and reports on what version you have

So indeed an upgrade was needed. And once it was applied no more warnings, and everything was once again up-to-date. This is just what PSI is designed to do, and this time it made me extremely happy for it it do it for me: otherwise, I might not have realized Silverlight needs a manual update until after some no-doubt heinous exploit had already been foisted!

December 12, 2011  8:12 PM

Not everyone buys my “Heck no, we won’t go” argument for Win8

Ed Tittel Ed Tittel Profile: Ed Tittel

In my last blog — entitled “Heck No, We Won’t Go! (from Windows 7 to Windows 8, that is)” — I argued that given how happy most folks are with Windows 7, and how little non-touch machines gain from the upgrade, that many satisfied Windows 7 users are unlikely to upgrade existing machines to the new OS after it ships. Unsurprisingly, not everybody agrees with me: I’ve received email (and one comment) from a handful of readers advancing these arguments:

  • A certain class of PC user is inclined to use the latest and greatest, no matter what it may be in the interests of keeping up
  • Another class of PC user (including your humble author) is required to work with (and in some cases like mine, write about) the latest Windows version  even now, as it’s in pre-beta status

I have to concede that some people will indeed do the upgrade for all kinds of good reasons. But my argument is more along the lines of “those who don’t HAVE to probably won’t” rather than “nobody’s going to do it at all.” Of course, I also cheerfully confess that my previous post’s headline is a bit lurid and exaggerated, so I am probably overdue for a little “constructive feedback.”

For another interesting take on the interested in upgrading side of this discussion, check out Matt Egan’s very nice article for PC Advisor this morning (12/12/2011) entitled “Why 2012 will be the year of Windows 8.” His argument is worth reading, but my thumbnail sketch is that he believes that users are more interested in shared and common access to services and data, and that Windows 8’s ability to integrate apps and info across tablets, smartphones, and desktop is an unbeatable proposition that is also necessary to keep MS In the same league as Apple and Google.

Headline for "Year of Win8" story

Headline for Year of Win8 Story

FWIW, I agree. But I also observe that the only way you get these advanced Windows 8 features is on new PCs with UEFI BIOS and with iX class CPUs with SLAT (or the AMD equivalent). Thus I believe this is a case where I can have my cake and eat it, too — because my previous argument is about UPGRADING from Windows 7 to Windows 8, not about buying new systems that support the full panoply of Windows 8’s advanced features. I stick by my argument having now had more time to realize that without these razzle-dazzle features, users will either stick with Windows 7 on older hardware or bite the bullet and buy new Windows 8 capable systems. I’m already speccing-out one such system myself! I’ll probably upgrade (or dual boot) some of my older systems with Win7/8 just to see how that works, and to better understand how far behind the curve pre-2010 PCs will be in a Windows 8 world.

December 9, 2011  6:55 PM

Heck No! We won’t go! (From Windows 7 to Windows 8, that is)

Ed Tittel Ed Tittel Profile: Ed Tittel

Here’s a cheery bit of news from our friends over at MaximumPC. The story’s headline “IDC: Happy Windows 7 PC Users Won’t Switch to Windows 8” pretty much says it all. Quoting from ZDNet’s Mary-Jo Foley, the operative phrase is that “Windows 8 will be ‘largely irrelevant’ to traditional PC users.” The interior quotes are from an actual IDC report, which costs $3,500 and should therefore explain why none of us underpaid Windows hounds have the necessary scratch to obtain and quote directly from the real source. It’s entitled “Worldwide System Infrastructure Software 2012 Top 10 Predictions” from which IDC VP Al Gillen tweeted the net-net items on December 2:

01. Customer Face Confusing Choices as Virt, Cloud System SW and Information Automation SW Converge.
02. Private Clouds Will Grow Like Gangbusters, One Use Case at a Time.
03. 2012 Will Be VMware’s Last Year as King ot the Hill. Competition Starts Squeezing Hard in 2013. No More Green Field for VMware.
04. Operational Complexity Will Drive Demand for Predictive Analytics and APM.
05: Consumerization of IT Will Create New Management Challenges and Solutions.
06. Platform as a Service Will Ramp Up Slowly Due to Lock-in Fears.
07. Battle Royale Will Be Waged to Establish Linux Kernel of Cloud Computing.
08. Enterprises Will Reconsider Benefits of Infrastructure Heterogeneity.
09. There will be Layers for the Masses, Stacks for the Few.
10. Expect big success for WS8, Win Client 8 a skip-over for desktop users. Uphill battle for WC8 mobile space.

Item 10, of course, is what caught MJF’s eye and produced this magnificent quote from the actual report: “Windows 8 will be largely irrelevant to the users of traditional PCs, and we expect effectively no upgrade activity from Windows 7 to Windows 8 in that form factor.” IDC believes that Windows 8 will become generally available no later than August 2012, at which point PCs with Win8 pre-installed may be sold. I take this to mean that while new PCs may come bearing Win8, users won’t be lining up at midnight to buy the upgrade media at retail outlets, or clogging the Internet to download the new OS when the floodgates open.

At the enterprise level, of course, things will lag further behind. With many organizations in the middle of migrating to Windows 7, or having just completed same in the past 12 months, enterprises aren’t exactly eager to gird their loins and “do it again.” It’s typical for early enterprise adopters to jump on new OSes about a year after release, and for the main pack to slink onto the platform a year or two after that.

And with most regular, non-enterprise users pretty happy with Windows 7 on current PCs, there aren’t a lot of obvious and compelling reasons visible just yet to propel them to upgrade. This should be an interesting launch to watch–especially for Microsoft!

December 7, 2011  3:44 PM

Windows 8 Folds Upgrade Advisor into OS Install

Ed Tittel Ed Tittel Profile: Ed Tittel

OK, I cheerfully confess that I glossed over the November 21 Building Windows 8 blog posting by Christa St. Pierre of the Windows 8 Setup and Deployment team, thinking that because I’ve gone through a couple of Windows 8 pre-release installs that I didn’t really need to read it from stem to stern. I was wrong, not because I had some experience and thus also, some appreciation for how it works and how it compares to Windows 7,  but because that decision to “just skip it” deprived me of some valuable background information and insight into how the Windows 8 install process has been redesigned. Perhaps I should have paid closer attention to that posting’s title: “Improving the setup experience.”

But thanks to Jon Brodkin over at Ars Technica (one of my favorite sources for inside information, insight, and breaking Windows news and rumors) I started to understand more about what was going on with this part of the Windows 8 experience. The title of his article, in fact, points to some incredibly salient points–namely “Windows 8 gets faster installation, 11-click upgrade for casual users.” So, plowing through this piece I discovered information about how the Windows 8 process has been substantially streamlined so that what required multiple downloads and 4 programs to complete, and involved working through 60 screens of information, is now condensed into a single program that might require working only 11 screens. By itself, that’s pretty remarkable (and this is coming from somebody who’s had to write up detailed install descriptions and instructions for every version of Windows since 3.1 way back in the mid-1990s).

There’s also a fascinating discuss of the upgrade process (Windows 7 to Windows 8, in this case) that explains how the number of files and applications installed can affect overall install completion time. Because Windows 7 stages files for upgrading, it ends up copying files twice during that process, even though the bulk of such moves start and end in the very same folder! Simply put, Windows 8 moves what it has to more expeditiously at the folder lever when moves are required, skips unnecessary moves, and uses hard links to move things logically in the file system without actually moving stuff around on disk. This cuts upgrade time for large complex installations from 188 minutes to 46 minutes on systems with 430K files and 90 apps (about a 75% improvement)  and from 513 minutes to 52 minutes on systems with 1.44M files and 120 apps (almost 90% better). Wow!

The blog goes on to explain how Web delivery has been optimized, through better compression, elimination of duplicate OS files, and smarter download behaviors. It closes with a nice overview of the Windows 8 ADK (Assessment and Deployment Kit, which replaces the old Windows Automated Installation Kit or WAIK), along with some best practices info on building Answer Files to automate bulk and remote installs.

This post is definitely worth reading, and pondering carefully, as you start thinking about test lab, pilot, and ultimately, production roll-outs of Windows 8. Be sure to check it out!

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: