Windows Enterprise Desktop

February 25, 2011  4:01 PM

Post SP1 Install Clean-up for Win7 Needed?

Ed Tittel Ed Tittel Profile: Ed Tittel

In seeking grist for the blog mill this morning, I noticed Ed Bott’s latest ZDNet blog post “Microsoft notes Windows Update ‘inconsistencies,’ provides fix.” He reports therein that he’s monitoring the post SP1 situation in various online forums and indicates that while the SP1 release is apparently proceeding without any major hitches, a few minor ones have popped up along the way.

I was lucky enough to recover from a display driver problem in the middle of the SP1 update process on my HP HDX9203 “Dragon” yesterday, only  to have Windows Update inform me that the install process had failed. I tried again, and it worked on the second try. I’ve had other Service Pack installs go south on older Windows versions (particularly Vista) where the outcome was much less pretty: a complete re-install was the only way I could recover from a mid-stream failure with Vista SP1 on a test machine. As far as I’m concerned this particular outcome was much more positive and far less traumatic!

That said, I also noticed that Ed repoorted that when he ran the Windows Update Troubleshooter (Control Panel, Troubleshooting, System and Security, Windows Update) that it came back and told him it had found and fixed some minor problems with Windows Update. “Hmmm.” I wondered to myself “Is that just his machine, or all Windows machines?” Here’s what pops up as a result of that repair, BTW:

This popped up on every single Windows 7 machine on which I installed SP1

This popped up on every single Windows 7 machine on which I installed SP1

While I can’t say for sure that *all* PCs to which Windows 7 SP1 is applied will need such repair, all 6 of my currently available PCs (I have one out on loan, and one temporarily out of service waiting for a motherboard replacement) found something to fix with Windows Update this morning when I ran the utility on those machines. I finished installing Windows 7 SP1 on those machines yesterday, and today the repairs all took root.

To me, this suggests that Windows 7 machines against which SP1 has been applied should also be subjected to the Windows Update Troubleshooter treatment — at least, those machines that use Windows Update to keep themselves current on Microsoft’s latest security patches and other updates. Think of it as a “just in case” maneuver and you may be able to avoid trouble later that you surely won’t want to shoot if and when it might occur!

February 21, 2011  10:40 PM

Hobbyhorse Post: WHS Doesn’t Suck, Actually!

Ed Tittel Ed Tittel Profile: Ed Tittel
Download page for WHS 2011 RC Beta at MS Connect

Download page for WHS 2011 RC Beta at MS Connect

I’ve written about the HP MediaSmart Server (MSS) repeatedly over the past three years: several times for Tom’s Guide and Tom’s Hardware, and several times in this very blog. I was really bummed upon learning in December that Microsoft was planning to eliminate Drive Extender technology  from the upcoming Windows Home Server 2011 software, but have just run across a recent article by Paul Thurrott that gives me some comfort I’ll be able to keep using that technology for some time to come. You can check out the original, lengthy February 20 story entited “I’m Betting On Windows Home Server 2011” if you like, but I’ll summarize the key points here:

  • Microsoft is keeping the centralized backup feature in WHS and extending the server backup process so it will also backup the individual machine backups (this lets users like me configure the box to duplicate backups on another drive, so if one goes bad, another remains available). Better yet, MS is extending the WHS 2011 server to enable remote Internet backups as well, so you can keep another copy in the cloud. This removes most of my objections to MS dropping Drive Extender (and Mr. Thurrott’s as well, curiously enough! ;-).
  • The next version of WHS 2011 will be completely DLNA compatible (the Digital Living Network Alliance is an industry consortium of software and hardware vendors with an emphasis on home/digital media networking, sharing, and device integration). This means WHS itself will handle and share media better, instead of requiring sometimes wonky…er I mean Twonky…media extender add-ins.
  • A Silverlight version of remote access will replace the current terminal services implementation, and users will be able to instruct their WHS 2011 box to stream media to them across the Internet (another frequent impetus for add-ins or additional equipment acquisitions no longer needed).
  • Windows Phone 7 support will be delivered via an add-in, which should be great for those who buy into Windows Phone 7. It is supposed to deliver media streaming, phone-to-server photo upload support, and alert monitoring on the phone. Too bad I’m still planning to buy the 4G iPhone from Verizon as and when it becomes available…but maybe there’ll be an app for that, too.
  • WHS 2011 will support Macs running OS X, so they too can be backed up on the server, run LaunchPad on connected Macs, and do the remote access thing from a Mac, too.

I now completely understand why HP decided to get out of the MSS business (it announced it was vacating this market last year, too, and at the time that announcement took me by surprise). With all the new built-in functionality, HPs value-add was pretty much gone, gone, gone. I’ll still have fun converting my latest MSS box to run the new version when it becomes available, though, and it’s nice to know there’ s some life in the Windows Home Server software still! And because MS is calling it WHS 2011, I’m pretty sure that means we’ll see a final commercial release before the end of this year. As far as I’m concerned: the sooner, the better! If you want to get started sooner than that, the RC beta is available for download from Microsoft Connect.

February 18, 2011  5:03 PM

Exercise Care When Establishing Rapport!

Ed Tittel Ed Tittel Profile: Ed Tittel

I’m working on a book on phishing and online financial fraud right now. It’s called Cyberheist: The Biggest Financial Threat Facing American Businesses Since the Meltdown of 2008. (You can read snippets about drive-by downloads and the historical roots of phishing at the sponsor’s Web site, In researching material for the book I came across an interesting browser add-in from a banking security services company named Trusteer. This software is named Rapport, and it adds a great deal to Web browser security to block and fend off potential phishing attacks, and to improve online security for banking and other finanical transactions online.

The banner keeps running count of downloads

The banner keeps running count of downloads

According to the Trusteer site banner, Rapport has already been downloaded over 18 million times. The company also states that its primary means for distributing Rapport is via banks that license the software, and then extend it to their customers to help secure their online banking activities. According to their company overview, their customer list includes some names to reckon with, such as ING DIRECT, The Royal Bank of Scotland, CIBC, and “other leading online banks, brokerages, and internet companies.” Further investigation reveals that executive staff all come bearing lengthy, impressive, and impeccable information and financial security credentials, and presumably have an excellent understanding of information security tools, techniques, and requirements.

“That’s the stuff!” I thought to myself as I read over all this material. “I’m going to download this puppy and try it out for myself.” (Even though many users do get Rapport from a bank or brokerage, Trusteer also makes it available as a free download to anyone who’s interested.) What happened to me next is a straightforward but probably unintended consequence of locking down my IE to prevent phishing attacks from proceeding or succeeding.

As soon as I got the software installed, I went to shoot a screen capture of the tool at work. I turned first to the handy-dandy Windows Snipping Tool (part of Vista and Windows 7, it lets you grab whole screens or rectangular regions on-screen of your choosing). As soon as I opened the capture utility, both of my screens went completely gray–not just the browser window I had open, but the entire desktop. “Oops!” thought I to myself “Snipping Tool is not allowed; let’s try Corel Photo Shop Pro.” Same result. “OK, then, what about SnagIt?” No dice. Solid gray desktop every time, until I Alt-Tabbed into the capture utility and turned it off.

For somebody like me who writes about browser and security technology at work, it’s not acceptable to turn off my ability to capture screens in the name of security. I understand this happens because the software makers don’t want users to be able to make graphical grabs of sensitive data that they can’t actually capture in other ways.

This tells me two important things:

1. It reminds me of the old security dictum that if you make a system too secure, or too hard to use in the process of securing it, nobody will use the system (or more probably, nobody will use the software that has such a chilling effect.) I’m not using that software on my production desktop because it gets in the way of getting my work done.

2. It also reminds me that security experts recommend dedicating a system solely for the purpose of  doing online financial stuff, so it can be hardened and present only a minimal attack surface. I’m not sure that’s necessary in my particular case, though it  surely makes sense for companies with huge balances on deposit and in various accounts. What I’m going to do next to work further with this software myself strikes what I hope will be a happy interim between “don’t use it” and “live with its limitations.” I’m going to set up a VM and install Rapport inside that VM. And from now on, I’ll do all my e-banking and online financial stuff inside that VM and live with Rapport’s limitations within that runtime context.

It may not exactly be “the best of both worlds,” but it should be a workable compromise. As I have the chance to test Rapport’s other lockdowns and limitations more thoroughly, I’ll report on them back here.

February 17, 2011  9:18 PM

Windows 7 SP1 Is Here

Ed Tittel Ed Tittel Profile: Ed Tittel
The Windows 7 and Windows Server 2008 R2 SP1 downloads have hit TechNet
The Windows 7 and Windows Server 2008 R2 SP1 downloads have hit TechNet

Anybody who’s ever spent any time on MSDN will immediately recognize the look and feel, if not the actual content for the preceding screencap. It’s from MSDN, and it shows that the official posting date for Windows 7 and Windows Server 2008 SP1 downloads as 2/16/2011 — even though this stuff didn’t actually show up until early today (2/17/2011) on the site.

There’s an .ISO image download for SP1 itself that will build a DVD for both x86 and x64 versions, but you can now also download slipstreamed versions of Windows 7 with SP1 included for all the major versions as well. Looks like we’re still on for SP1 to hit Windows Update next Tuesday on 2/22/2011. Stay tuned: I’m downloading the .ISO right now, and will install it on a couple of test machines as soon as the download completes (it’s 1.91 GB) and I get a DVD burned for it. Download traffic is pretty heavy, so I suspect my bits are in a traffic jam, along with everybody else’s!

[PostScript 6:22 PM 2/17/2011] I’ve gotten SP1 installed on my primary test machine (i7-940, 12 GB RAM, SSD system drive, 460 GTX graphics). It took just over 12 minutes to install and reboot to a running desktop. Everything seems to work just fine, except for a graphics driver hiccup while re-running the Windows Experience Index to see if anything had changed (it hadn’t). So far, so good…

February 14, 2011  4:09 PM

IE 9 RC Goes Live Today! But there’s a catch…

Ed Tittel Ed Tittel Profile: Ed Tittel
IE 9 Release Candidate is available, but won't run without SP1 installed on Win7

IE 9 Release Candidate is available, but will not run without SP1 installed

Happy Valentines Day from Microsoft? Maybe yes, maybe no… You can’t run this still-beta version of IE 9 unless you’ve installed SP1 on Windows 7, and SP1 for Windows 7 isn’t available just yet. There is a download link available but if you try to install the IE 9 RC on Windows 7 without SP1 installed, you’ll get an error message instead of a new browser.

But here’s an interesting and perhaps cheering rumor to ponder that flies in the face of previous news about SP1: in his CMS Wire story “Internet Explorer 9 Release Candidate Hits the Streets” today, Geoff Spick reports that “…When IE9 starts shipping with new copies of Windows 7 Service Pack, its usage will certainly spike, but until then, it will be interesting to watch how it does in the market where the user picks the browser.” If this means that it’s going to be included in SP1, we should find out next week. If this means it won’t be bundled in until SP2 comes out, it could be a while.

This does make me want to dig into the contents of SP1 rather sooner than later after it hits MSDN on February 22, just to see if IE 9 is in or out. If Microsoft’s own reporting up to a month ago or so is to believed, it won’t be part of that package. It will still be fun to check, though…but I don’t think Microsoft would go so far as to put a RC (release candidate) version of their latest browser into SP1, now that I stop to think about it. Perhaps it would have been clearer had Mr. Spick said “…with the next Windows 7 Service Pack to follow after SP1 (SP1 is already in the hands of OEMs, and is expected to hit MSDN and TechNet on February 22)…”?

February 11, 2011  3:15 PM

There’s Never Time to Do It Right, But There’s Always Time to Do It Over

Ed Tittel Ed Tittel Profile: Ed Tittel

Yesterday afternoon, I came back from running an errand in the afternoon only to find a BSOD waiting for me on my production Windows 7 machine. After I got it restarted, I realized something major had gone wrong. Not only had the OS “lost” all of the security updates and patches it’s had applied to it, the update process wouldn’t complete successfully, either. Downloads went fine, install completed without a hitch, but when I cycled the machine through the restart process to do the final clean-up, I saw a new WU error message “Unable to configure Windows. Reverting to previous version.”

“This is bad!” I thought. I was right, but it took me six hours to figure out how right I was, and to take the steps necessary to restore my latest image backup (taken Sunday night, February 7). Along the way I learned numerous interesting but extremely frustrating things about the Image backup facility built into Windows 7. Here’s an abbreviated list:

  • Windows 7 scans only internally mounted hard disks when looking for the folder named WindowsImageBackup. I am in the habit of backing up to an eSATA-attached hard disk, so I had to copy that directory from my K: drive to my only internal data drive F:. 181GB, which took 45 minutes.
  • Whatever drives go into a Windows 7 image saveset must be restored for the backup to complete. Although the interface includes an “Exclude drives” option, the backup cannot be restored if any member drives from the saveset get excluded.
  • Also, no drive in the saveset can be the source for the image to be restored, because this means it would at some point have to restore itself from itself (which is the file system equivalent of the chicken and egg problem, conveniently solved by being disallowed).
  • My only internal hard drive other than the system drive (also disallowed, but because it’s an 80 GB Intel SSD and thus too small to play host to a 181 GB image file anyway) is the F: and I stupidly configured it to be part of the saveset, so I couldn’t run the image restore as things stood.

Obviously, I needed to copy the WindowsImageBackup folder one more time (another 45 minutes shot) to a different drive that was neither C: (the Intel system drive) nor F: (my other internal data drive, and a part of the image saveset). Enter Drive D: already attached to my PC through a PCI-e x1 two-port eSATA card. “OK” I figured, “the reason the Windows 7 Repair Environment won’t see D: is because it doesn’t recognize eSATA drives while conducting repairs. (The Repair Environment is a special version of the pre-installation environment, or PE,  that is included on install DVDs and appears on bootable UFDs created to house the various Win7 ISO files.)

My first thought was to simply disconnect the F: drive and use its power and data cables to hook up to D: and let the restore get underway. That’s when I learned that even if you exclude a drive from the restore instructions for an image backup, Windows 7 won’t allow it to proceed with a missing drive. If you image two drives, you must then restore the same two drives (or drives that are equal in size or bigger). With F: disconnected to hook up D: that meant no dice.

Next, I grabbed a motherboard cable set that plugs into a motherboard SATA port and a Molex 4-pin power connector, and essentially routes that connection outside the case. Alas, Windows 7 RE still couldn’t see that drive. I had thought that because I was using a third-party Silicon Image Sil3132 two-port eSATA adapter, that this might explain why Win7 RE overlooked scanning attached devices during repair maneuvers. But even when I hooked the D: drive up through the adapter card shown in the photo below, Win7 RE still blithely ignored its presence.

This kind of hardware comes bundled with many modern motherboards

This kind of hardware comes bundled with many modern motherboards

Nothing short of opening the case, plugging a new SATA cable from drive to motherboard, and plugging in a power output from the PSU sufficed to get Windows 7 to recognize the drive.

Finally with both C: and F: up and running, and available for an image restore, and another internal drive also avaialble from which the image file could be read to perform that restore, I was ready to rock and roll. Time required to go through all of the shenigans and scenarios involved was right about six hours. I don’t know how long the restore took to complete, because I fired it off at a little after 10:00 PM last night and went to bed shortly thereafter. When I got up this morning, the machine was back up and running in an apparently normal and healthy state. I copied my saved PST files from yet another external drive to the proper folder in my User file hierarchy, and thereby regained all my e-mail messages through yesterday’s debacle.

Now, I get to go and repeat my last two days’ work because that’s the only stuff that I lost irretrievably when this machine decided to go south on me. Here are the morals I extract from this episode:

1. When you build or buy a Windows 7 machine, if you want to use image backup, insert or acquire an extra internal drive, so you can use it to image all of your other drives if you choose to do so.

2. When you construct an image file saveset, include only those drives you want to be able to back up from any image in that set. As of today, I’m relying on conventional file-by-file backup for all of my drives, except for the system drive (where the image stuff matters most, because of the boot-up, operating system, and volume shadow copy stuff).

3. I’m reworking my backup schedule to go nightly for all important working directories, but will still keep making an image backup once a week (mine goes off at 0-dark-thirty on Sunday night when I am never, ever working late). Hopefully, I can avoid future data/work losses that way.

February 9, 2011  8:04 PM

Win7/Server 2008 R2 SP1 Inches Closer to Release

Ed Tittel Ed Tittel Profile: Ed Tittel

OK, so now we’ve got some dates for the upcoming release of SP1 for the combined Windows 7 and Windows Server 2008 R2 code base:

  • OEMs have already had it for a week or more
  • MSDN and TechNet will get it next Wednesday on February 16
  • RTW (Release to the Web) will occur on Tuesday, February 22

WinRumors is the lead source for these dates, as far as I can tell, though other sources are popping up all over the place to repeat this information (I got mine from Mary Jo Foley’s blog for today, 2/9/2011 “At last it’s time for SP1…“).

Headline from

Headline from

No word yet on when the Service Pack will get integrated into Windows Update (MS ususally waits 90 days before adding a new SP to its usual download scans and lineup). I’d expect that to occur some time in April, or perhaps early May. We’ll see…but it’s time for admins everywhere to get ready, and plan to start testing soon!

February 7, 2011  4:04 PM

Ed Bott Strikes Gold with 3-Part “Windows 7 and SSDs” series

Ed Tittel Ed Tittel Profile: Ed Tittel

I’m a long time fan of Ed Bott’s work with Windows 7, and frequently draw from his blog for mine. Recently, he’s put together a three-part series on Windows 7 and SSDs that includes some very useful information and pulls together lots of tips and facts. IT professionals tasked with switching Windows 7 machines from conventional to SSD system drives will find all of these stories useful, but none more helpful than the third one in this triune collection:

I’ve done this same task on a few systems myself, and have occasionally fallen prey to some myths about SSD setup that Ed omits entirely (most notably, the admonition to turn off volume shadow copy and thus also, restore points on the system drive, and to move the paging file to a different drive). His advice is clear and cogent, and includes no more tweaking and tuning than is absolutely necessary.

I would add a few tips to his excellent advice based on my own experience:

  • Make sure your target system supports AHCI before you purchase and install an SSD. Unless the disk controller lets you use this technology, you can’t take advantage of best-case SSD performance anyway (TRIM, that is). I have an old and still very serviceable Dell D620 Latitude notebook, but it has no AHCI, so I’m not going to give it an SSD, either, though it runs Windows quite nicely. The latest Intel storage driver is also a definite must, where applicable, so locate and download the latest Intel RST (Rapid Storage Technology) driver: at this time, January 2011 is the latest version.
  • Check out elpam.soft’s SSD Tweaker (or their $12.99 Pro version, if you plan on doing multiple conversions, or really want to dig deep into related Windows tweaks). It brings everything together you’ll need to convert a Windows 7 system from IDE emulation to AHCI (except for SSD firmware stuff, of course).
  • It’s easier and cleaner to reinstall Windows 7 on a Windows 7 machine you want to convert from conventional IDE (or emulated IDE) drives to AHCI drives. Though you can tweak your way to a working system, it ends up being faster in many cases to reinstall. YMMV of course, depending on how many applications get installed after the OS goes on, and how much other customization may be involved.

Adding an SSD to the Windows 7 mix definitely improves the overall computing experience, and is worth it for those willing to pay the higher costs for a fast but smaller system drive. They’re particularly good for notebooks where they also improve battery life (no moving parts) and reduce weight (by a little, anyway).

February 4, 2011  2:56 PM

Even Dozen Security Updates Coming 2/8/2011

Ed Tittel Ed Tittel Profile: Ed Tittel

Take a look at this snippet from the Microsoft Security Bulletin Advance Notification for February 2011, folks! We’ve got a dozen security updates headed our way next week:

Executive summaries from the Advance Notification

Executive summaries from the Advance Notification

Here’s how this “dirty dozen” breaks down, according to various categories of undoubted interest to Windows 7 (and other relevant version) administrators:

  • Of the 12, 3 are rated Critical, and the rest Important.
  • Of the 12, 9 require a restart, and the other three are labeled “May require restart.” Plan on restarting all updated Windows machines.
  • The severity ratings break down this way: 5 qualify as Remote Code Execution (including all 3 critical items); an equal number are rated as Elevation of Privilege, and there is one each Denial of Service and Information Disclosure.
  • Affected OSes include Windows XP (which gets a rare update, even though it’s out of conventional support), Windows Vista, and Windows 7, plus Windows Server 2003, 2008, and 2008 R2.

Apparently there’s “something for everyone” in this upcoming round of updates. For more information on such details as are presently available (the whole story won’t be made public until MS releases the updates at 11 AM EST on Tuesday, 2/8/2011) see Jabulani Leffall’s excellent story for Microsoft Certified Professional MagazineMicrosoft Preparing Hefty 12-Item Security Patch on Tuesday.”

February 2, 2011  2:40 PM

Check Out KeePass Password Safe

Ed Tittel Ed Tittel Profile: Ed Tittel

I’m always on the lookout for good, free tools for Windows 7, especially workable and usable security stuff. KeePass Password Safe qualifies on all those fronts. It’s completely free, and it’s even Open Source (OSI) Certified. It establishes and maintains a secuirty database that is locked with a master key or a key file. Thus, users need remember only one password, or select the proper keyfile, to unlock that database and access any or all of the account/password pairs that make up its contents.

The program is tiny (a 1.9 MB download), and installs in less than a minute on most machines. There is some setup time and effort involved, because you must then manually add an entry for each account/password pair you wish the program to store on your behalf. What you wind up with as a result looks something like this:

Keepass offers safe and ready access to account and password data

Keepass offers safe and ready access to account and password data

As you can see the program breaks accounts down into categories, so you can find your password data quickly and easily (one thing I don’t like about the Norton Identity Safe, which serves the same function, is that it offers a single list of all accounts and passwords only by alphabetical order: over time it gets tedious to find and manage data in that kind of set-up). The most important thing about a good KeePass setup is to choose a strong master password: I used the “Perfect Passwords” generator at Steve Gibson Research to generate some random character strings, then cut a 12-character segment out of one string that was easy for me to remember, to create a sufficiently strong one for my purposes.

If you need a good, free password manager I urge you to check out KeePass. It’s nothing fancy, but it does the job! I use it on my test machines and all of my VM images (where I routinely run free security software to keep costs to a minimum, as these things tend to come and go with amazing  frequency in my office).

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: