The Windows Preinstallation Environment (Windows PE) 2.0 delivers a basic, no-frills operating system, built on the Windows Vista kernel, with a limited set of services and no desktop shell. You can use it to prep a PC for Vista installation, to copy disk images from a network file server to a target machine, and to fire off Windows Vista setup and installation. To learn more about Windows PE, check out the TechNet article “What is Windows PE?”
With a little foreknowledge about Windows PE at your disposal, you can’t help but find these Windows PE Walkthroughs (step-by-step instructions on building and using various Windows PE environments) on TechNet of terrific interest:
- Walkthrough: Create a Bootable Windows PE RAM Disk on CD-ROM
- Walkthrough: Create a Bootable Windows PE RAM Disk on UFD
(In case this acronym is unfamiliar to you, as it was to me: UFD = USB Flash Drive)
- Walkthrough: Create a Bootable Windows PE RAM Disk on Hard Disk
- Walkthrough: Boot Windows PE from CD-ROM
- Walkthrough: Boot Windows PE from Hard Disk
- Walkthrough: Create a Custom Windows PE Image
By the time you work your way through this material, you’ll be well-prepared to deal with most of the chores related to creating and manipulating the Windows Image (.wim) files that Vista uses for installation and setup. Definitely worth getting to know, and spending some time with. I’m pitching a book on this subject right now myself, with a Web site to go along with it, in fact. WinPE is also great for Vista troubleshooting, low-level system maintenance and repair, and more as well.
Recently, I came across an article by Lance Whitney on TechNet entitled “Utility Spotlight: Windows Installer CleanUp Utility” that might be worth a visit for those interested in that tool. Also, my colleague and occasional co-author Toby Digby, who works with me on the informative and eclectic Vizta View website, recently contacted me to share his positive experiences with the for-a-fee Total Uninstall 5 product.
What this $40 program ($40 covers up to 4 computers; a single-computer license costs $30) does that Revo Uninstaller does not is detect invalid or partial/failed installs and remove them on your behalf. In fact, as long as the program is installed and monitoring your system when an install occurs, it can reverse complete or partial installs with ease. It can also survey your system, detect already-installed applications, and assist with their removal. It uses a Tripwire-like before-and-after snapshot mechanism to document what apps do when they install themselves, including every new or changed Registry item and filesystem entry (the graphical tree this program builds to illustrate those changes is almost worth the price of admission all by itself).
If you’re in the market for Vista uninstall utilities, you might want to add Total Uninstall 5 to your short list of items worth checking out, in other words. You won’t be sorry you did.
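The before-and-after snapshot approach described above is easy to demonstrate. The following Python script is an added example, not Total Uninstall’s or Tripwire’s code: it hashes every file under a directory, repeats the scan after a simulated install, and reports what was added, removed or changed. The demo() helper, the temporary directory it builds, and the fake installer’s file changes are all constructed for illustration; a Windows equivalent would snapshot the Registry the same way via winreg, which is not shown here.

```python
"""Before/after filesystem snapshot diffing in the style of Tripwire or Total
Uninstall: hash every file under a root, repeat after the install, and report
what was added, removed or modified. Constructed example, not Total Uninstall's
own code."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

Snapshot = dict  # relative path -> (size, sha256 hex) or ("ERROR"/"SYMLINK", detail)


def hash_file(path: Path, chunk: int = 1 << 16) -> str:
    """SHA-256 of a file's contents, read in chunks so large files stay out of RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root: Path) -> Snapshot:
    """Record (size, content hash) for every regular file below root.

    Symlinks are not followed (a link pointing outside root could otherwise make
    the scan wander) and unreadable files are recorded rather than silently
    skipped, so a change cannot hide behind an ACL."""
    snap: Snapshot = {}
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if p.is_symlink():
                snap[rel] = ("SYMLINK", os.readlink(p))
                continue
            try:
                snap[rel] = (p.stat().st_size, hash_file(p))
            except OSError as e:
                snap[rel] = ("ERROR", e.strerror or str(e))
    return snap


def diff_snapshots(before: Snapshot, after: Snapshot) -> dict:
    """Classify paths as added, removed or changed (content, size or error state)."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(p for p in set(before) & set(after) if before[p] != after[p]),
    }


def demo() -> dict:
    """Simulate an installer against a throwaway tree and return the diff."""
    root = Path(tempfile.mkdtemp(prefix="snapdemo_"))
    try:
        (root / "app").mkdir()
        (root / "app" / "config.ini").write_text("[app]\nversion=1\n")
        (root / "app" / "old.dll").write_bytes(b"\x00" * 64)
        (root / "readme.txt").write_text("hello\n")
        before = snapshot(root)

        # The "install": a new file, a modified file, a removed file, and a
        # same-size rewrite that only the content hash will catch.
        (root / "app" / "new.dll").write_bytes(b"MZ" + b"\x00" * 62)
        (root / "app" / "config.ini").write_text("[app]\nversion=2\n")
        (root / "app" / "old.dll").unlink()
        (root / "readme.txt").write_text("hellp\n")  # same length as "hello\n"
        after = snapshot(root)
        return diff_snapshots(before, after)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}:")
        for p in paths:
            print(f"  {p}")
```

Hashing rather than comparing timestamps or sizes is what makes the approach trustworthy: the readme.txt rewrite in the demo changes one byte and keeps the size, which a size-and-mtime check could miss, while the hash catches it.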
When Secunia calls a Windows security update “extremely critical” you know a serious vulnerability is being patched. The Windows security community has been abuzz since last week, when a remote code execution vulnerability originally thought to be limited to IE 7 turned out to affect other IE versions as well, and to lie in the way IE handles XML data binding rather than in anything specific to IE 7. For more information on the update see “Microsoft Security Advisory (961051) Vulnerability in Internet Explorer Could Allow Remote Code Execution” and “Microsoft Security Bulletin MS08-078 – Critical.”
Security Bulletin MS08-078 specifically lists IE 5.01, 6, and 7, on Windows 2000, Windows XP, and Windows Vista on the desktop front, plus Windows Server 2003 and Windows Server 2008, in both 32- and 64-bit versions (where applicable). The issue is tracked as Pointer Reference Memory Corruption Vulnerability, CVE-2008-4844, in the Common Vulnerabilities and Exposures (CVE) list.
The vulnerability class is “Remote Code Execution,” which here means that a malicious web page can run code of the attacker’s choosing with the privileges of the logged-on user; if that user is an administrator, that is complete control of the system. IE 7’s Protected Mode on Vista limits what such code can write to, which blunts but does not remove the threat. Please visit Windows Update and get this fix into testing and evaluation as soon as possible. Exploits were already circulating in the wild when the update shipped out-of-band, and it is regarded as an active and hostile threat.
By itself, Vista does a pretty good job of fitting itself to the platforms on which it’s installed. But savvy administrators can do a lot more to construct custom Vista install images with a bit of time and effort, and the right tools and approaches. To get a good sense of the capabilities you can put to work, for example, read this 2006 (!) interview with Microsoft Australia’s John Pritchard. Entitled “Inside Vista’s new image-based install,” it’s as good an overview as any of what the Windows Imaging (.WIM) file format that drives Vista installs can do for customized images as well as standard ones. It also discusses how to integrate executable (.exe, .msi, and so forth) driver installers into the Vista install process to further customize images for specific hardware configurations. Interested admins will also find Paul Thurrott’s “Windows Vista Review/Part 3: Installing Windows Vista” illuminating.
For this kind of task, however, the Windows Automated Installation Kit page on Technet provides pointers to the primary resources admins will need to explore these possibilities further. That’s where you’ll find pointers to the WAIK User’s Guide, a discussion of Windows Preinstallation Phases, the Deployment Tools Technical Reference, and the Unattended Windows Setup Reference, all of which play important roles in this activity.
In my next blogs, I’ll be digging into this task further, with some examples and illustrations, and exploring this document set in more detail. Stay tuned!
There’s no question that the Windows Debugger (windbg.exe) is a nonpareil tool when it comes to troubleshooting source code or digging into Vista crash dumps. But its requirement for matching debug symbols, its complex syntax (the downside of amazing functionality is detailed and demanding syntax), and its vast power mean a certain amount of setup effort before things work properly. If all you want is a quick peek at a few key fields in a full memory dump (C:\Windows\Memory.dmp by default) or a minidump (C:\Windows\Minidump\Minimmddyy-0x.dmp, where mmddyy is the date and x is the sequence number of that day’s dump, so that my December 8, 2008 minidump is named Mini120808-01.dmp), the lightweight dumpchk.exe utility may be more to your liking.
Using that filename, here’s a pared-down snapshot of the command line input for dumpchk and its response:
c:\Temp>dumpchk c:\Windows\Minidump\Mini120808-01.dmp -e
Loading dump file c:\Windows\Minidump\Mini120808-01.dmp
----- 32 bit Kernel Mini Dump Analysis
DUMP_HEADER32:
MajorVersion        0000000f
MinorVersion        00001771
KdSecondaryVersion  00000000
DirectoryTableBase  dc05e3e0
PfnDataBase         8236b850
PsLoadedModuleList  8234bc70
PsActiveProcessHead 82341990
MachineImageType    0000014c
NumberProcessors    00000004
BugCheckCode        00000101
BugCheckParameter1  00000031
BugCheckParameter2  00000000
BugCheckParameter3  803d1120
BugCheckParameter4  00000001
The key information appears in the BugCheckCode entry (this is the Stop code that appears on a bluescreen) and the four parameters that follow it. A quick Google search on the Stop code written as a hexadecimal number of the form 0x00000101 is usually all it takes to find guidance on causes and potential fixes. Stop 0x101 is CLOCK_WATCHDOG_TIMEOUT: a secondary processor in a multiprocessor system failed to answer a clock interrupt within the expected interval. Parameter 1 is that interval in clock ticks, parameter 3 is the PRCB address of the hung processor, and parameter 4 is its zero-based index, so the dump above says processor 1 of 4 stalled. In this case, I had to accept a light slap on the wrist for excessive over-clocking on my QX9650 processor and turn the clock rate back down in my PC’s BIOS (a reduction from 3.5 to 3.2 GHz did the trick nicely).
Sure, windbg.exe will do the same tricks and a whole lot more, but why not use the quick-and-dirty dumpchk.exe when it suffices? If you download the Windows XP SP2 Support Tools (Windows validation is required) you can grab dumpchk.exe from that package and use it on Windows Vista without difficulty.
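dumpchk is doing little more than reading the one-page DUMP_HEADER at the front of the file and printing its fields, which is easy to replicate when you want to triage a folder of minidumps without installing any tools. The Python below is an added example (not Microsoft’s or dumpchk’s code); it parses the public DUMP_HEADER32 layout that dumpchk printed above and, going one step beyond the post’s 32-bit case, the DUMP_HEADER64 variant as well, then decodes the stop code. BUGCHECK_NAMES is a deliberately short subset of the WDK list, the DumpHeader class is my own naming, and build_sample_header() is a constructed header carrying the values from the dumpchk output rather than a real dump.

```python
"""Read the DUMP_HEADER at the start of a Windows kernel crash dump (minidump,
kernel and complete dumps all begin with the same page) and decode the bug
check code and parameters that dumpchk prints. Added example, not Microsoft's
code; the field offsets are those of the public DUMP_HEADER32/64 layouts."""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# A few common stop codes; the full list is the WDK "Bug Check Code Reference".
BUGCHECK_NAMES = {
    0x0A: "IRQL_NOT_LESS_OR_EQUAL",
    0x1E: "KMODE_EXCEPTION_NOT_HANDLED",
    0x50: "PAGE_FAULT_IN_NONPAGED_AREA",
    0x7E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED",
    0x7F: "UNEXPECTED_KERNEL_MODE_TRAP",
    0x9F: "DRIVER_POWER_STATE_FAILURE",
    0xD1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL",
    0xF4: "CRITICAL_OBJECT_TERMINATION",
    0x101: "CLOCK_WATCHDOG_TIMEOUT",
    0x124: "WHEA_UNCORRECTABLE_ERROR",
}

MACHINE_TYPES = {0x14C: "x86", 0x8664: "x64"}


@dataclass
class DumpHeader:
    bits: int
    major_version: int      # 0xF = free (retail) kernel, 0xC = checked build
    build: int              # MinorVersion holds the OS build number
    machine_image_type: int
    processors: int
    bugcheck_code: int
    params: Tuple[int, int, int, int]
    pae_enabled: Optional[int]
    kd_secondary_version: Optional[int]


def parse_dump_header(data: bytes) -> DumpHeader:
    """Parse the first page of a .dmp file; ValueError if it is not a crash dump."""
    if len(data) < 0x60 or data[:4] != b"PAGE":
        raise ValueError("missing PAGE signature: not a Windows kernel crash dump")
    valid = data[4:8]
    if valid == b"DUMP":  # DUMP_HEADER32: all fields 32-bit, packed from offset 8
        (major, build, _dtb, _pfn, _lml, _aph,
         machine, nproc, code, p1, p2, p3, p4) = struct.unpack_from("<13I", data, 8)
        pae, kdsec = struct.unpack_from("<BB", data, 0x5C)
        return DumpHeader(32, major, build, machine, nproc, code, (p1, p2, p3, p4), pae, kdsec)
    if valid == b"DU64":  # DUMP_HEADER64: pointer-sized fields widen the layout
        major, build = struct.unpack_from("<II", data, 8)
        machine, nproc, code = struct.unpack_from("<III", data, 0x30)
        params = struct.unpack_from("<4Q", data, 0x40)
        return DumpHeader(64, major, build, machine, nproc, code, tuple(params), None, None)
    raise ValueError(f"unknown ValidDump marker {valid!r}")


def bugcheck_name(code: int) -> str:
    return BUGCHECK_NAMES.get(code, "UNKNOWN")


def describe(h: DumpHeader) -> str:
    """Short summary in the spirit of dumpchk, with stop 0x101 decoded."""
    arch = MACHINE_TYPES.get(h.machine_image_type, hex(h.machine_image_type))
    lines = [
        f"{h.bits}-bit dump, {arch}, build {h.build}, {h.processors} processors",
        f"Stop 0x{h.bugcheck_code:08X} ({bugcheck_name(h.bugcheck_code)}) params "
        + " ".join(f"0x{p:08X}" for p in h.params),
    ]
    if h.bugcheck_code == 0x101:
        # CLOCK_WATCHDOG_TIMEOUT: P1 = timeout interval in nominal clock ticks,
        # P3 = PRCB address of the hung processor, P4 = its zero-based index.
        lines.append(
            f"processor {h.params[3]} of {h.processors} did not answer a clock "
            f"interrupt within {h.params[0]} ticks (PRCB 0x{h.params[2]:08X})"
        )
    return "\n".join(lines)


def build_sample_header() -> bytes:
    """Constructed 32-bit header carrying the values from the dumpchk output above."""
    page = bytearray(b"PAGE" * 1024)  # real headers pad unused space with the signature
    page[4:8] = b"DUMP"
    struct.pack_into("<13I", page, 8,
                     0x0F, 0x1771, 0xDC05E3E0, 0x8236B850, 0x8234BC70, 0x82341990,
                     0x14C, 4, 0x101, 0x31, 0x0, 0x803D1120, 0x1)
    struct.pack_into("<BB", page, 0x5C, 1, 0)  # PaeEnabled, KdSecondaryVersion
    return bytes(page)


if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], "rb").read(4096) if len(sys.argv) > 1 else build_sample_header()
    print(describe(parse_dump_header(raw)))
```

Saved as, say, dumphdr.py and run with the path to a .dmp file as its argument (with no argument it decodes the constructed sample), it reads only the header page, so it needs no symbols and works on a dump copied from another machine or architecture. Build 0x1771 is 6001, i.e. Vista SP1, and MajorVersion 0xF marks a free rather than checked kernel.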
Sometimes, the information I come across on Vista internals is just too good not to pass along. And when it comes to Vista internals nobody knows (or does) them better than Mark Russinovich, formerly a principal at SysInternals, now a Microsoft Fellow. In discussing paging file sizes in the context of Vista, Mark makes the following wonderful observation which accords entirely with my own experience:
There’s no end of ridiculous advice out on the web and in the newsstand magazines that cover Windows, and even Microsoft has published misleading recommendations. Almost all the suggestions are based on multiplying RAM size by some factor, with common values being 1.2, 1.5 and 2.
This comes from his November 17, 2008 blog entitled “Pushing the Limits of Windows: Virtual Memory,” wherein he also digs into process address spaces, explains how virtual memory gets mapped in the 32- and 64-bit worlds, and talks about committed memory that processes essentially get to own as they’re executing and the commit limit that sets the ceiling on such allocations. Along the way, he also uses his snazzy Testlimit (and Testlimit64) tool to demonstrate these principles in action.
All this detailed and exquisite discussion leads back to what’s really involved in sizing a paging file. The commit limit (physical RAM plus the current size of the paging file) is the ceiling on how much committed virtual memory, private process memory and pagefile-backed shared memory alike, can be allocated at any given moment by running processes. Thus the key is knowing the total commit charge of all the programs you’d like to have running concurrently. The commit limit must exceed that sum, or allocations will start failing.
His sizing approach is pretty simple: fire off all the applications you’d like to use together, then use SysInternals Process Explorer to measure the Peak Commit Charge. In fact, Russinovich recommends examining this value after running your target collection for a while to make sure you reach maximum load. After that, the formula is:
Size of Paging File = Peak Commit Charge – Amount of Physical RAM in system
If that number is negative, that doesn’t mean you want no paging file. It should be set no smaller than whatever kind of memory dump you’ve configured for crash reporting requires (a minidump needs only a minuscule file, around 135 KB by default, but a complete memory dump needs a paging file at least as large as accessible memory, the same value that shows up as Total under Physical Memory in Task Manager, or the dump cannot be written). By default Vista sizes the paging file to equal total memory plus 300 MB or 1 GB, whichever is larger. On my Vista machine my maximum commit limit runs at around 2.5 GB, but I’ve left the paging file alone at 3881 MB (equal to usable memory of 3,581 MB plus the aforementioned 300 MB) so I can generate a memory dump if and when I must.
On notebook and desktop PCs not quite so lavishly endowed with RAM, you can probably trim the paging file somewhat by following Mark’s formula. If you need to capture a memory dump at some point, increase the paging file to accommodate it for as long as you must capture dumps, then revert to the earlier value once that exercise concludes.
The second Tuesday of each month is when Microsoft schedules its patches, fixes, and security updates. Recently, Microsoft has begun to offer Advance Notification for its Security Bulletins, which makes it a lot easier to tell what’s coming down the pike. For December, 8 updates have been pushed to the Windows Update servers.
Of the 8 bulletins that appeared on December 9, 6 are rated Critical and 2 Important. Here’s a brief summary of what you’ll find:
MS08-071: Vulnerabilities in GDI Could Allow Remote Code Execution
Lets a specially crafted WMF image file run arbitrary code with the rights of the logged-on user (complete control of the system if that user is an administrator).
MS08-075: Vulnerabilities in Windows Search Could Allow Remote Code Execution
Closes vulnerabilities triggered when a user opens and saves a specially crafted saved-search file in IE, or clicks a similarly crafted search URL.
MS08-073: Cumulative Security Update for Internet Explorer
Resolves four privately reported vulnerabilities, including remote code execution.
MS08-070: Vulnerabilities in Visual Basic 6 Runtime Extended Files (ActiveX Controls) Could Allow Remote Code Execution
Resolves five privately reported and one publicly disclosed vulnerability in the ActiveX controls shipped as VB 6.0 Runtime Extended files.
MS08-072: Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution
Resolves eight privately reported vulnerabilities in Word and Outlook triggered by malformed Word or RTF content; the attacker’s code runs with the rights of the user who opened the file.
MS08-074: Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution
Resolves three privately reported vulnerabilities exploitable through specially crafted Excel files, again with the opening user’s rights.
MS08-077: Vulnerability in Microsoft Office SharePoint Server Could Cause Elevation of Privilege
Resolves a privately reported issue in which browsing to an administrative URL on a SharePoint site bypasses authentication, allowing elevation of privilege (and potentially denial of service or unauthorized access).
MS08-076: Vulnerabilities in Windows Media Components Could Allow Remote Code Execution
Resolves two privately reported vulnerabilities in Windows Media Player, Windows Media Format Runtime, and Windows Media Services that could allow remote code execution.
The first six are rated Critical, the last two Important. Vista admins will probably want to start working with all of these that apply to their environments (including SharePoint and Windows Media, where applicable) because all come with potentially dire consequences if they remain unpatched. Hopefully, none of them will cause too many compatibility problems. Nonetheless I advise you to get testing underway ASAP.
I just saw an interesting story from Ryan Naraine on ZDNet that puts these updates into a different context. He calls this Patch Tuesday a “whopper” because 28 vulnerabilities in Windows, IE, and Office are addressed, of which 23 are rated Critical. He counts each individual vulnerability addressed in the preceding list of security bulletins to come up with these numbers, which certainly adds to the drama. I guess it’s all in how you play out and drum up those numbers! He also mentions that security experts from Shavlik agree that it’s wise to start planning a roll-out of these patches ASAP because of the vulnerabilities they close.
In the process of compiling data for a review on notebook PC coolers recently, I had my face slapped by some dramatically different data from the selfsame notebook PCs as I sought to document the influence of an added external cooler when it came to running a notebook. This phenomenon might be expressed as “saving electricity saves on heat output too.” Of course the physics of solid state and electrical devices are such that the more electricity they use, the more waste heat they produce as a matter of course–this is by no means rocket science, to be sure–but what is striking is the sheer magnitude of the changes involved.
A short table of values (see below) tells the story in a pretty interesting fashion. I let three different Vista notebooks run at idle and then put them to work defragmenting their system drives (using the excellent Raxco PerfectDisk 10 beta, which I’m also working with right now) under each of their three predefined power regimes (called power schemes prior to Vista, and power plans inside Vista today; see this MS Help FAQ on Power Plans for more info):
- Power Saver:
Saves power by reducing system performance, to help notebook PC users maximize battery life (also results in cooler operating temperatures).
- Balanced:
Saves some power by reducing system performance while the system is idle, but also boosts capability (and power consumption plus heat output) during peak demand periods.
- High Performance:
Maximizes system performance and responsiveness, resulting in shortened battery life and higher operating temperatures.
Notebook (idle)        PS      Bal     HiP
Dell D620              25-27   25-41   25-53
Acer 8920G             32-36   35-38   36-40
HP HDX 18              35-37   35-38   36-47

Notebook (defrag)      PS      Bal     HiP
Dell D620              25-46   27-57   27-65
Acer 8920G             32-40   35-45   36-46
HP HDX 18              35-41   35-43   36-47

Note: PS = Power Saver, Bal = Balanced, HiP = High Performance; all temperatures are ranges in degrees Celsius (°C).
What’s interesting about the data in this table is that the temperatures run more or less the same for a given power plan whether the notebook is plugged into a wall socket or running on battery. What this tells me is that enterprises can save money on hardware by extending its life with cooler-running power plans, to a much greater degree than might immediately seem possible. Though results vary, as the table shows, using Power Saver on the road (untethered), Balanced in the office (plugged in), and High Performance never will save wear and tear on notebook PCs and let companies use them a while longer than they may have expected. Sure, they’ll also save a little on power, but I’d expect the savings on equipment to overshadow those numbers significantly. The question then becomes: will the users go along with this approach? I didn’t notice much performance difference between Balanced and High Performance, but the step down to Power Saver made the GUI noticeably (though not painfully) slower.
Last week I blogged about Danish information security firm Secunia’s outstanding Network Software Inspector. In that capsule summary I neglected to mention that Secunia sends out e-mail updates to all registered users any time the rules base gets updated.
This turns out to have significant value, of course, because some updates are more important than others; Microsoft Security Updates are probably the best example, especially those pushed to Windows Update outside the usual Patch Tuesday cycle. In this case, my reminder came in the form of a notice that Sun had released a new set of Java and Java Runtime Environment (JRE) updates, which addressed some reasonably serious (Secunia severity level 4, “highly critical”) vulnerabilities in the previously current version.
This was all the information I needed to go out and grab the updates for the various Vista and XP machines I work on every day. In an enterprise setting, the same e-mail can trigger the download-test-push cycle that’s typical for updates in such environments. Either way, timely access to this kind of information is invaluable, and lets us all respond more quickly as and when known vulnerabilities are patched.
The Secunia vulnerability scanning toolset is a good one, and this real-time e-mail update service only makes it better. I hope you’ll check it out, and try it out, in your own environments.
I guess those guys at TechARP really must have some good sources: less than one week after they shared leaked information about release dates and content for Windows Vista SP2, Microsoft has announced its Customer Preview Program (CPP) for a single SP2 that will cover both Windows Vista and Windows Server 2008. This leads me to several interesting observations:
- There must be much more to the common code base that purportedly exists between Vista and Server 2008 than many had previously thought–including me–because a single set of executables (32-bit and 64-bit binaries, in the usual variations) will address both OSes.
- The Notable Changes document mentions a change to the Windows Update Agent/Windows Update Service stack as a pre-req to installing this service pack.
- Package sizes for 32-bit Windows run between 302 and 390 MB for the standalone installer, and from 41 to 47 MB for the Windows Update download. For x64, the standalone package runs between 508 and 622 MB, and the Windows Update download between 60 and 90 MB.
- The new features list matches what I reported from TechARP exactly, except for the omission of updates to the RSS feeds sidebar gadget to improve performance and responsiveness.
- Numerous enterprise features (the release version of Hyper-V rolled into Server 2008, improved power management policies, and improved backward compatibility for Terminal Server license keys) and setup and deployment features (a single installer for both Vista and Server 2008, driver incompatibility checks during install, better error handling and reporting, improved installation logging and security, and a clean-up tool to rid the drive of files that SP2 supersedes) will debut in this service pack.
- There’s also mention of running the clean-up tool offline while creating slipstream install images to reduce overall image size. I’m curious to see how this will play out in day-to-day use.
As I write this blog, the SP2 download is available only to TechNet and MSDN subscribers (drat! I gave up my TechNet subscription as of 1/1/2008, and this is the first time I’ve missed it since then). On Thursday, 12/4/08, it became available on its own Beta CPP page [added 12/5/08].
Of course this information raises a very important question for enterprise Vista admins to ponder: why should they care about this beta? Instead of thinking of it as another distraction from important tasks and activities, think of it as an early opportunity to look for potential install, deployment, and compatibility issues. Although the full-blown release won’t go live until April 2009 at the earliest, it’s never too soon to start weeding out the gotchas that a full rollout will inevitably bring. That’s why you’ll probably want to download and work with this beta, albeit in a safe and isolated test lab.