Posted in Service Packs & Hotfixes, Windows Servers, Windows Desktop Fixes, Microsoft Active Directory on Sunday, April 30th, 2006.
Have you implemented software restriction policies in Active Directory only to find that they stop working a few months later? Initial investigation may show the executable still blocked in the Group Policy, while the same executable now runs just fine on user desktops. This is because Microsoft's software restriction policies, when built with hash rules, are specific to the exact build of the .EXE file. I've heard all sorts of explanations for this, usually related to not wanting to block the function of service packs and other vital updates due to "overly restrictive software policies"... The truth is that a hash rule identifies the .EXE by a hash (and file size) computed over the file's contents at the time the rule is created, which means that renaming or moving the file will not circumvent the policy, but any new build of the program (an update, a service pack, a new major version) has different contents, a different hash, and so no longer matches the rule. To keep the block in place across versions you have to add a new hash rule for each new build, or use a path or certificate rule instead.
This article is based on a recent, real-life scenario using the Internet Explorer executable, "iexplore.exe", as the blocked program. The recent release of the IE 7.0 beta software and some free time playing around by one of my client's employees provided a chance for plenty of hours watching ESPN and YouTube videos on a warehouse floor, and even slowdowns in getting and filling order downloads because all the WAN bandwidth was in use.
To troubleshoot failed software restriction policies I prefer to start on the client machine. To determine both whether a policy is applied correctly and the version of an executable blocked by software restriction:
- Open regedit.
- Open the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\
- Inside that key will be one or more numbered branches, one per security level used by the software restriction policies applied to that machine (0 is Disallowed, 262144 is Unrestricted). To see what program each hash rule covers, open the numbered branch, then open the Hashes branch and click on each GUID.
- Inside each GUID key will be a string value named FriendlyName with data like "program.exe (#.#.####.#) ..." and so on. The numeric value #.#.####.# is the version of the program the rule was built from; the ItemData binary value next to it holds the hash the rule actually matches on. In my case the policy applied to "iexplore.exe (6.0.2900.2180)".
- Then, go check the version of the same executable that’s now installed on the system. In this case, I right-clicked on the iexplore.exe file and selected “Properties” and then the “Version” tab. Right at the top was the file version: 7.0.5335.5.
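The same comparison can be scripted rather than clicked through. The following PowerShell is an added example, not code from the original post: it walks the CodeIdentifiers key, reads each hash rule's FriendlyName, HashAlg, ItemData and ItemSize values (the registry layout assumed here is the one described above), hashes the file now on disk with the same algorithm and reports whether any rule still covers it. The CALG_* to .NET mapping and the sample path are assumptions.

```powershell
# Added example, not from the original post: decide whether the binary now on
# disk still matches any software restriction hash rule applied to this machine.
# Assumes the registry layout described above, with these values under
# CodeIdentifiers\<level>\Hashes\{GUID}: FriendlyName (text), HashAlg
# (CryptoAPI CALG_* id), ItemData (hash bytes) and ItemSize (file length).
# Read-only. Run in an elevated PowerShell on the affected client.

$CodeIdentifiers = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# The numbered level branches are the SAFER_LEVELID_* constants.
$LevelNames = @{ 0 = 'Disallowed'; 4096 = 'Untrusted'; 65536 = 'Constrained'
                 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpHashRules {
    # Emit one object per hash rule, whichever level it lives under.
    foreach ($level in Get-ChildItem $CodeIdentifiers -ErrorAction SilentlyContinue) {
        $levelId = 0
        if (-not [int]::TryParse($level.PSChildName, [ref]$levelId)) { continue }
        foreach ($rule in Get-ChildItem "$($level.PSPath)\Hashes" -ErrorAction SilentlyContinue) {
            $p = Get-ItemProperty -Path $rule.PSPath
            if (-not $p.ItemData) { continue }
            [pscustomobject]@{
                Level        = $LevelNames[$levelId]
                Guid         = $rule.PSChildName
                FriendlyName = [string]$p.FriendlyName
                HashAlg      = [int]$p.HashAlg
                HashHex      = ([BitConverter]::ToString([byte[]]$p.ItemData)) -replace '-', ''
                ItemSize     = [int64]$p.ItemSize
            }
        }
    }
}

function Get-FileHashHex([string]$Path, [int]$CalgId) {
    # HashAlg is a CryptoAPI algorithm id; pick the matching .NET implementation
    # (assumed mapping of the CALG_* constants).
    $algo = switch ($CalgId) {
        32771   { [System.Security.Cryptography.MD5]::Create() }     # CALG_MD5     (0x8003)
        32772   { [System.Security.Cryptography.SHA1]::Create() }    # CALG_SHA1    (0x8004)
        32780   { [System.Security.Cryptography.SHA256]::Create() }  # CALG_SHA_256 (0x800C)
        default { throw "Unsupported HashAlg $CalgId" }
    }
    $stream = [System.IO.File]::OpenRead($Path)
    try     { ([BitConverter]::ToString($algo.ComputeHash($stream))) -replace '-', '' }
    finally { $stream.Dispose(); $algo.Dispose() }
}

function Test-SrpHashRule([string]$Path) {
    # Print the on-disk file's version and whether any hash rule still matches it.
    $file    = Get-Item -LiteralPath $Path
    $vi      = $file.VersionInfo
    $version = '{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
    Write-Host ("{0} is version {1}, {2} bytes" -f $file.Name, $version, $file.Length)
    $matched = $false
    foreach ($rule in Get-SrpHashRules) {
        try   { $hex = Get-FileHashHex $file.FullName $rule.HashAlg }
        catch { Write-Warning "$($rule.Guid): $_"; continue }
        # A hash rule applies only when both the hash and the recorded size agree.
        if ($hex -eq $rule.HashHex -and $file.Length -eq $rule.ItemSize) {
            $matched = $true
            Write-Host ("  MATCH  {0} rule {1}: {2}" -f $rule.Level, $rule.Guid, $rule.FriendlyName)
        } elseif ($rule.FriendlyName -like "$($file.Name) *") {
            # Same file name, different build: the stale rule this post is about.
            Write-Host ("  STALE  {0} rule {1} was hashed from '{2}'; the installed build no longer matches" -f $rule.Level, $rule.Guid, $rule.FriendlyName)
        }
    }
    if (-not $matched) { Write-Host '  No hash rule covers this file; only path, zone, certificate or the default rule apply.' }
    return $matched
}

# Assumed path; point it at whatever binary the policy was meant to block.
Test-SrpHashRule 'C:\Program Files\Internet Explorer\iexplore.exe'
```

A STALE line is the symptom described at the top of this post: the rule is still present and still applied, it simply describes a file that is no longer on the machine. Per-user policies live under the same path below HKEY_CURRENT_USER; change the prefix to HKCU: to audit those.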
In this case, that was the answer: the IE 7.0 iexplore.exe was blocked with a new hash rule and everything was back to normal. In case the solution isn't that simple, the best thing to do is to gather more data. Enable software restriction policies advanced logging by reopening the registry and:
- Navigate to the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\
- Create a new string value named LogFileName.
- Enter the full path and filename of a text file that can be used for logging, e.g. C:\sres_log.txt.
Now, every executable run on the system will be logged to the file with a reason why it was or wasn't allowed to run. Details include the launching executable's name and PID, the path that was checked, the GUID of the rule that matched, and an allowed/disallowed/unrestricted comment with a short reason (which kind of rule made the decision). The entries are written by the process that launches the program, so the file must be writable by the logged-on users, which also means they can edit it. Since EVERY program is logged each time it is run, the log can get quite long. To keep it from getting out of control, either disable advanced logging by deleting the LogFileName value (not the CodeIdentifiers key, which holds the policy itself) or add a batch script that truncates the log file periodically.
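The following PowerShell is an added example, not code from the original post. It switches logging on and off through the LogFileName value described above, trims the log to a fixed number of lines, and summarises which files were blocked by which rule. The exact line layout the parser expects (launching process and PID, path, decision, rule type, GUID) is an assumption built from the fields listed above, and the sample log lines are constructed with placeholder GUIDs; adjust the regex if your log is laid out differently.

```powershell
# Added example, not from the original post: turn SRP advanced logging on or
# off, keep the log from growing without bound, and summarise what was blocked.
# The log line layout assumed by the regex (and by the constructed sample lines)
# follows the fields the post lists: launching process and PID, the path
# checked, the decision, the rule type and the rule GUID. Run elevated.

$CodeIdentifiers = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Enable-SrpLogging([string]$LogFile = 'C:\sres_log.txt') {
    # Entries are written by whichever process launches the program (usually the
    # user's explorer.exe), so the file must be writable by ordinary users. That
    # also means users can edit it: treat it as a troubleshooting aid, not evidence.
    if (-not (Test-Path -LiteralPath $LogFile)) { New-Item -ItemType File -Path $LogFile | Out-Null }
    $acl  = Get-Acl -LiteralPath $LogFile
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule('Users', 'Modify', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $LogFile -AclObject $acl
    Set-ItemProperty -Path $CodeIdentifiers -Name LogFileName -Value $LogFile -Type String
}

function Disable-SrpLogging {
    # Delete the value, not the CodeIdentifiers key: the key holds the policy itself.
    Remove-ItemProperty -Path $CodeIdentifiers -Name LogFileName -ErrorAction SilentlyContinue
}

function Limit-SrpLog([string]$LogFile = 'C:\sres_log.txt', [int]$KeepLines = 5000) {
    # Keep only the most recent lines; schedule this instead of letting the file grow.
    $lines = @(Get-Content -LiteralPath $LogFile -ErrorAction SilentlyContinue)
    if ($lines.Count -gt $KeepLines) {
        $lines[($lines.Count - $KeepLines)..($lines.Count - 1)] | Set-Content -LiteralPath $LogFile
    }
}

# Assumed line shape, e.g.:
#   explorer.exe (PID = 1228) identified C:\path\prog.exe as Disallowed using hash rule, Guid = {...}
$SrpLinePattern = '^(?<proc>.+?) \(PID = (?<pid>\d+)\) identified (?<path>.+) as ' +
                  '(?<decision>Disallowed|Unrestricted|Basic User|Constrained|Untrusted) ' +
                  'using (?<rule>\w+) rule, Guid = (?<guid>\{[0-9A-Fa-f-]+\})'

function Get-SrpLogEntries([string[]]$Lines) {
    foreach ($line in $Lines) {
        if ($line -match $SrpLinePattern) {
            [pscustomobject]@{ Process = $Matches.proc; Pid = [int]$Matches.pid; Path = $Matches.path
                               Decision = $Matches.decision; Rule = $Matches.rule; Guid = $Matches.guid }
        }
    }
}

function Get-SrpBlockSummary([string[]]$Lines) {
    # Which files were blocked, how often, and by which rule: the quick answer to
    # "is the policy firing at all, and on the binary I expect?"
    Get-SrpLogEntries $Lines | Where-Object { $_.Decision -ne 'Unrestricted' } |
        Group-Object Path, Rule, Guid | Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'Blocked'; e = { $_.Name } }
}

# Constructed sample lines with placeholder GUIDs, not a real log:
$sample = @(
    'explorer.exe (PID = 1228) identified C:\Program Files\Internet Explorer\iexplore.exe as Unrestricted using default rule, Guid = {00000000-0000-0000-0000-000000000000}',
    'explorer.exe (PID = 1228) identified C:\Documents and Settings\user\Desktop\iexplore.exe as Disallowed using hash rule, Guid = {00000000-0000-0000-0000-000000000001}',
    'explorer.exe (PID = 1228) identified C:\Documents and Settings\user\Desktop\iexplore.exe as Disallowed using hash rule, Guid = {00000000-0000-0000-0000-000000000001}',
    'cmd.exe (PID = 1900) identified C:\Temp\setup.exe as Disallowed using path rule, Guid = {00000000-0000-0000-0000-000000000002}'
)
Get-SrpBlockSummary $sample | Format-Table -AutoSize
```

Run Enable-SrpLogging, reproduce the launch, then feed Get-Content of the log to Get-SrpBlockSummary. If the binary you expect to be blocked shows up as Unrestricted under the default rule, no rule matched it at all, which is exactly the stale-hash case above; if it does not appear in the log, the policy is not being evaluated for that launch (check that the user's policy applies and that the file is writable by that user).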
Posted in Service Packs & Hotfixes, Windows Desktop Fixes, Windows 2003 Server on Sunday, April 23rd, 2006.
The newest Microsoft security update, MS06-015 ("Vulnerability in Windows Explorer Could Lead to Remote Code Execution"), breaks "My Documents" access and related features in Internet Explorer, Office, Windows Explorer, nVidia, Roxio and several other third-party applications. The update installs a new Verclsid.exe, which checks shell extensions before Windows Explorer loads them; when a particular extension does not respond, that check hangs and so does the program that was trying to reach the folder. The official hotfix for the problem is described in Microsoft KB article 918165, which lists the symptoms below as indicating you will need to install it:
- Unable to access special folders like “My Documents” or “My Pictures”.
- Microsoft Office applications may stop responding when you attempt to save or open Office files in the “My Documents” folder.
- Office files in the “My Documents” folder are not able to open in Microsoft Office.
- Opening a file through an application’s File / Open menu causes the program to stop responding.
- Typing an address into Internet Explorer’s address bar has no effect.
- Right-clicking on a file and selecting Send To has no effect.
- Clicking on the plus (+) sign beside a folder in Windows Explorer has no effect.
- Some third-party applications stop responding when opening or saving data in the "My Documents" folder.
Unfortunately Microsoft neglected to mention several third-party applications that are also broken by the security update. These include, but probably aren't limited to: nVidia drivers with shell extensions, Roxio DragToDisc or Adaptec DirectCD, Hewlett-Packard's Share-to-Web software, Kerio Personal Firewall, and SolidWorks 3D CAD products. Thankfully someone else has spent the time on the phone with Microsoft tech support to resolve these issues and has posted the registry fixes not included in KB 918165.
Posted in Windows Servers, Windows 2003 Server, Techie News on Wednesday, April 5th, 2006.
Microsoft has just released Virtual Server 2005 R2 as a free download. The software is central to Microsoft's planned server system, so grab the free download of Virtual Server here. Surprisingly, Microsoft has also announced support for virtualizing Linux in Virtual Server 2005. Currently supported Linux distributions are Red Hat and SUSE, in both standard and enterprise versions. An explanation of why Microsoft is making Virtual Server permanently free is in this quick interview with Zane Adam, Windows Server director of product marketing.
Supporting Linux on Virtual Server does make sense. Microsoft's denial that its customers were using Linux was driving those same customers to search actively for non-Microsoft and open source replacements. Linux support could keep Windows Server relevant as open source OSes improve and erode Windows' feature and ease-of-use advantage, provided Microsoft can deliver a decent level of support for Linux guests (virtual systems running inside Virtual Server) and a good set of tools to manage them. With Red Hat and Novell, parent of SUSE Linux, relying on support fees for income, it will be interesting to see how they respond to Microsoft's added Linux support. Given the licensing and support fees for both companies' enterprise Linux versions, this move puts all these server OS players on even closer footing.
One minor player who has responded is VMware. Its new "VMware Server" product is now free, though it lacks the failover and load-balancing capabilities that make VMware's higher-end versions so useful. It will be interesting to see how VMware Server and Virtual Server compare, though VMware has a strong lead in supporting the widest range of guest operating systems.
Posted in Software - Third Party Programs, Useful Websites and Software, Anti-Virus, Anti-Spyware & Desktop Security on Sunday, April 2nd, 2006.
Recent spyware and trojans hide behind Windows' own protection for open files: a file that a running process holds open cannot be deleted or overwritten, and many of the new antivirus, security and even PC-cleanup programs that are supposed to fix those problems leave behind processes and open files of their own. All of those cause repeated "Access Denied" and "Sharing Violation" errors.
Solving the errors used to involve juggling PIDs from the Windows Task Manager and repeated use of Microsoft's kill.exe tool; scripting kill.exe at boot or from Safe Mode is common. Here's a list of utilities that automate the process and make manual cleanups a bit faster.
I've always liked Sysinternals' stable and well thought-out tools, and here are two great utilities: the freeware Process Explorer and PsKill. PsKill adds the ability to kill processes on remote PCs to what kill.exe does, while Process Explorer shows every process together with the DLLs and other files it holds open. That makes Process Explorer useful for finding everything you actually want to close and delete, and its interface makes it worth using even when you skip PsKill and use any of the cleanup tools below.
One I like is the freeware MoveOnBoot. Right-clicking on a file lets you choose to copy, move or delete it on the PC's next boot. It's also recommended in "How To Override "Access Denied" and "Sharing Violation" Roadblocks", along with Unlocker Gotcha. Unlocker Gotcha is also freeware and its interface looks pretty fast. It adds a bit of Process Explorer's functionality: right-click a folder and a list of all open/locked files pops up.
Also take a look at EMCO's Unlock IT. Instead of adding files to a list and rebooting, Unlock IT can kill the locking processes from within its interface and copy, move or delete the related files immediately. Instant gratification is great, and even better when it means not waiting through a boot slowed by too many viruses and trojans.
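For cases where no tool is at hand, the "do it on the next boot" trick needs nothing beyond the Windows API. The following PowerShell is an added example, not code from the original post or from any of the tools named above: it calls MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which queues the rename or delete in the PendingFileRenameOperations value that the Session Manager processes at boot before the locking process can start, and then reads the queue back. The P/Invoke declaration and the sample file path are assumptions.

```powershell
# Added example, not from the original post: the mechanism MoveOnBoot-style
# tools use. MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT queues the operation
# in the PendingFileRenameOperations value under
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and the Session
# Manager performs it at the next boot, before the locking process can start.
# Needs an elevated PowerShell.

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@

$MOVEFILE_REPLACE_EXISTING   = 0x1
$MOVEFILE_DELAY_UNTIL_REBOOT = 0x4

function Invoke-MoveFileEx([string]$Source, $Destination, [int]$Flags) {
    # $Destination is deliberately untyped: a [string] parameter would turn $null
    # into "", and only a real NULL tells MoveFileEx to delete the source.
    if (-not [Win32.Native]::MoveFileEx($Source, $Destination, $Flags)) {
        $code = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw (New-Object System.ComponentModel.Win32Exception($code))
    }
}

function Remove-FileOnReboot([string]$Path) {
    # A null destination means delete. Full paths are required.
    Invoke-MoveFileEx ([System.IO.Path]::GetFullPath($Path)) $null $MOVEFILE_DELAY_UNTIL_REBOOT
}

function Move-FileOnReboot([string]$Path, [string]$Destination) {
    # Replace a locked file (an infected DLL, say) with a clean copy at boot.
    $flags = $MOVEFILE_DELAY_UNTIL_REBOOT -bor $MOVEFILE_REPLACE_EXISTING
    Invoke-MoveFileEx ([System.IO.Path]::GetFullPath($Path)) ([System.IO.Path]::GetFullPath($Destination)) $flags
}

function Get-PendingFileRenameOperations {
    # Read back the queue. Entries come in pairs: source, then destination; an
    # empty destination means delete, a leading '!' means replace an existing file.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $ops = (Get-ItemProperty -Path $key -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if (-not $ops) { return }
    for ($i = 0; $i + 1 -lt $ops.Count; $i += 2) {
        [pscustomobject]@{ Source = $ops[$i]; Destination = $ops[$i + 1] }
    }
}

# Usage: queue a locked file for deletion (assumed path), then confirm it is queued.
Remove-FileOnReboot 'C:\Temp\locked-by-malware.exe'
Get-PendingFileRenameOperations | Format-Table -AutoSize
```

Two things worth knowing about this value. First, it is honoured early in boot by the Session Manager, so it beats the usual "file in use" lock, which is exactly why the cleanup tools above rely on it. Second, malware uses the same mechanism to delete its droppers or swap in replacement binaries at reboot, so reading PendingFileRenameOperations is a standard step in a forensic look at a suspect machine, and an unexpected entry there deserves attention before you restart.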