Saturday, February 28, 2015

When a No-Op is OK

In Windows 95's Explorer, clicking "Up" while viewing My Computer produces a modal error dialog that says something like "You have reached the root" and says that you can pick another root destination from the Address drop-down if you want. (Back then, the desktop could not be viewed as a folder in an Explorer window.) This behavior is super annoying because it requires me to either move the mouse to the center of the screen to dismiss the dialog or move my hand from the mouse to the keyboard to hit the Enter key.

This is a situation when it's OK to just not do anything. I understand that you can't go up any farther from My Computer. (Or, today, the desktop.) The best option would be to just disable the Up button (which Windows XP might do, I don't remember) when it is not possible to go up. If calculating whether a button would do anything is expensive, I think it's OK just to do nothing, provided it's sufficiently obvious that the program is not in a state where it can do that.

Friday, February 27, 2015

Only Windows Server OSes Support RAID-5

Today I came across and installed four extra drives and was going to establish a RAID-5 (striping with a parity disk) array across them for the storage of WSUS update content. Unfortunately, the "New RAID-5 Volume" option in Disk Management was grayed out. I couldn't understand why until I tried DiskPart's "create volume raid" command and got the following message:

"The command you selected is not available with this version of Windows."

After some research, I discovered that only the Server family of Windows operating systems supports RAID-5. That's really a shame, because it's actually a Windows Server VM that the storage was destined for. VMware supports the use of a volume on the host, but not a raw disk; VirtualBox doesn't support mounting a volume on the host and only supports raw disk access with some command-line trickery that seems scary to me.

I would go with the tricky command line stuff if I actually cared about the data going on the volume, but it's just the WSUS update cache, and I can easily get that again from Microsoft update servers if something breaks. I ended up using a spanned volume to maximize the usefulness of the one extra large drive in the array.

Thursday, February 26, 2015

Saving Bandwidth and Centralizing Updates with Windows Server Update Services

Today, I installed and configured Windows Server Update Services (WSUS). WSUS allows Windows network administrators to keep a repository of Windows updates on a central server from which client computers can fetch them. (It's like a mini Microsoft Update server, right on your network!) This means that it's no longer necessary for every single client computer to go out to Microsoft Update servers to get their updates and use up a bunch of bandwidth. Instead, all update traffic except the actual downloading of the updates to the WSUS server is inside your network, which is probably a good deal faster than external communication.

There are some things to be careful about with WSUS:

  • Updates by default have to be "approved" by an administrator before they'll be delivered to clients. Either manually approve updates (if you're worried about Microsoft breaking something with one) or set the auto-approve policy to approve all the things, which you can do after the original set-up.
  • It seems that the set-up wizard sometimes gets stuck and lets you press the buttons (they do the UI depress/pop-up) but doesn't do anything. Just be patient, it's working, don't cancel it!
  • Your client computers won't just magically start getting updates from the WSUS server. (It's not in DHCP.) Instead, you'll need to add the appropriate settings to Group Policy with a special WSUS administrative template. Clicking the link in the warning message about there not being any clients will tell you how to get that template set up.
  • There are a whole lot of things you could keep updates for that you probably don't have. Only choose to get updates for technologies (programs, OSes, and architectures) that are actually present on your network.
  • All these updates take a lot of space. Be prepared to dedicate at least 500GB for WSUS. I strongly recommend having a dedicated drive for it.
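As an added example (not from the original post), the PowerShell function below reads the Windows Update policy values a client actually received from the Group Policy template mentioned above and checks that the WSUS server it names is reachable. The registry keys are the documented policy locations; the 5-second connect timeout is an assumption.

```powershell
# Added example, not part of the original post. Reads the documented WSUS policy values
# a client receives from Group Policy and checks that the named server is reachable.
# The 5-second connect timeout is an assumption.
function Get-WsusClientPolicy {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $policyKey      -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$policyKey\AU" -ErrorAction SilentlyContinue
    $issues = @()

    if (-not $wu.WUServer) {
        $issues += 'No WUServer policy: this client still goes straight to Microsoft Update'
    } else {
        try {
            $uri = [uri]$wu.WUServer
            # Port 8530 (HTTP) is the WSUS default; HTTPS on 8531 keeps the update metadata
            # and the client reports from being read or altered on the way.
            if ($uri.Scheme -ne 'https') { $issues += "WUServer uses $($uri.Scheme), not https" }

            $tcp = New-Object System.Net.Sockets.TcpClient
            $connected = $tcp.BeginConnect($uri.Host, $uri.Port, $null, $null).AsyncWaitHandle.WaitOne(5000)
            $tcp.Close()
            if (-not $connected) { $issues += "$($uri.Host):$($uri.Port) did not answer within 5 s" }
        } catch {
            $issues += "WUServer value '$($wu.WUServer)' is unusable: $($_.Exception.Message)"
        }
        if ($wu.WUStatusServer -ne $wu.WUServer) {
            $issues += 'WUStatusServer differs from WUServer, so status reports go to another host'
        }
    }
    # Without UseWUServer = 1 under the AU key, the WUServer value is simply ignored.
    if ($au.UseWUServer -ne 1) { $issues += 'UseWUServer is not 1: the WUServer policy is ignored' }

    [pscustomobject]@{
        WUServer       = $wu.WUServer
        WUStatusServer = $wu.WUStatusServer
        UseWUServer    = $au.UseWUServer
        Issues         = $issues
    }
}

Get-WsusClientPolicy | Format-List
```

Run it on a client after a "gpupdate /force"; an empty Issues list means the client will look to the WSUS server rather than Microsoft Update.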

Wednesday, February 25, 2015

Organizing a Complicated MMC Workspace with Folders

I think this is supposed to be an obvious feature of MMC's "Add or Remove Snap-ins" dialog, but it actually took me a while to figure out, so maybe other people could learn too.

The Microsoft Management Console, as you may know, is a host for snap-ins, which are GUIs that let you do system administration tasks. Without them, MMC would be pretty useless. You can add some to your "console" (I prefer the term "workspace") by pressing Ctrl+M or choosing "Add/Remove Snap-in" from the File menu. The resulting dialog lets you move available snap-ins into the console. After you run through their short configuration wizard, they get added to the right-hand pane under the Console Root folder.

[Image: MMC, with a snap-in]
You will probably notice a snap-in called Folder, which isn't actually a snap-in. Adding it creates a folder under Console Root, but even when you select it, new snap-ins aren't added as children of it. To actually put things in a folder, you have to click the Advanced button and check the box allowing snap-ins to be added to folders.

[Image: The Advanced dialog, properly configured]
A drop-down now appears above the right-hand pane. If you add a folder and then select it from that list, snap-ins will be added as children of that folder when you click Add.

[Image: Now with things in folders]

Tuesday, February 24, 2015

Got Malicious Root Certificates?

You may have heard about a "scandal" involving an adware program called Superfish shipped with high-end laptops produced by Lenovo. Adware isn't great, but it's not scandal-worthy. What makes Superfish so shocking is that it completely subverts SSL by installing a root certificate on the computer, intercepting HTTPS requests, making the request to the real server, injecting some ads, then re-signing the page with a certificate issued under its own root, thereby making the HTTPS lock icon appear legitimate. If that were all, it would be only a shocking violation of privacy, but Lenovo also used the same root certificate on all the affected laptops (rather than generating a unique one for each computer), and because Superfish's certificate used a really weak key that was broken easily, hackers in a MITM position can present a legitimate-looking modification of a secure site to anyone with Superfish installed.

The lesson learned is that malicious root certificates in the trusted root certificate list can seriously subvert web client security. In Windows, you can check your trusted root certificate list by typing "certmgr.msc" in the Run dialog to open the certificates manager. The "Trusted Root Certification Authorities" and "Third-Party Root Certification Authorities" folders together make up the list of authorities your web browser ultimately trusts. You might want to check that out if you're suspicious.

[Image: This looks suspicious]
However, for SSL signing, browsers require that the certificate have the "Ensures the identity of a remote computer" purpose (Server Authentication). Double-click a certificate to see what it can do.
[Image: Uh oh. (Fortunately, I knowingly made this and I have its key.)]
You might be surprised who your browsers trust. (Though do be careful - don't just delete a bunch of RCAs because you don't recognize them. Research is important! Some RCAs are critical to the proper functioning of Windows, like the ones for Windows Update or Authenticode.)
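As an added example (not from the original post), here is a PowerShell function that walks the root stores and reports certificates that are able to sign for a website and show the signs discussed above: a private key present on the machine, a weak RSA key, or an entry trusted only in the current user's store. It assumes Windows PowerShell 5.1 or later on .NET 4.6 or later; the 2048-bit threshold and the store list are assumptions.

```powershell
# Added example, not part of the original post. Assumes Windows PowerShell 5.1 or later
# (.NET 4.6+ for RSACertificateExtensions); the 2048-bit threshold is an assumption.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # EKU shown as "Ensures the identity of a remote computer"

function Get-SuspiciousRootCert {
    param([int]$MinimumKeyBits = 2048)

    $machineStores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot'
    # Cert:\CurrentUser\Root also lists the machine roots, so remember their thumbprints
    # to tell a per-user-only root (no admin rights needed to add one) from a machine-wide one.
    $machineThumbs = @(Get-ChildItem $machineStores | Select-Object -ExpandProperty Thumbprint)

    foreach ($store in $machineStores + 'Cert:\CurrentUser\Root') {
        foreach ($cert in Get-ChildItem $store) {
            $perUserOnly = $store -like 'Cert:\CurrentUser\*'
            if ($perUserOnly -and $machineThumbs -contains $cert.Thumbprint) { continue }  # already covered

            # A root can only sign TLS server certificates if its EKU extension names
            # Server Authentication or is missing entirely (which means "all purposes").
            $eku = $cert.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
            if ($eku -and -not ($eku.EnhancedKeyUsages.Value -contains $ServerAuthOid)) { continue }

            $findings = @()
            # The private key of a trusted root has no business on an end-user PC;
            # an interception proxy needs it there, which is exactly how Superfish worked.
            if ($cert.HasPrivateKey) { $findings += 'private key present on this machine' }

            # A weak key can be recovered offline, after which anyone can impersonate any site.
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
            if ($rsa -and $rsa.KeySize -lt $MinimumKeyBits) { $findings += "RSA key is only $($rsa.KeySize) bits" }

            if ($perUserOnly) { $findings += 'trusted only in the current user''s store' }

            if ($findings.Count -gt 0) {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    Findings   = $findings -join '; '
                }
            }
        }
    }
}

Get-SuspiciousRootCert | Format-Table -AutoSize
```

The function only reports; as the post says, research each flagged entry before deleting it.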

Monday, February 23, 2015

Put Important Links on Text

I received a private beta invitation for Microsoft's new Skype Translator (it apparently translates conversations live) via e-mail. The problem was that I couldn't figure out how to actually download the program; it didn't auto-activate in either the desktop or Metro client. The e-mail had a link to get Windows 8.1 in case I didn't already have it, but there was no indication of what I should do to get started.

As an aside-that-turned-out-to-be-not-so-much-on-the-side, my e-mail client does not display images in messages to me unless I specifically tell it to. (It's to prevent web beacons from invading my privacy.)

You might be able to see where this is going.

The "get started" link was an image. There was no alt text and no normal text, not even a "click the link below to download", which might have tipped me off to the presence of the invisible link. Once I had the idea to enable the fetching and display of images, I could clearly see the button.

So, web developers, please always have alt text or normal text on critical links. Some people are blind, some don't like images, and most people have an e-mail program that doesn't show external images by default. Let me see the links!

Sunday, February 22, 2015

YouTube, Please Allow "Replace" Reuploads

Today, I discovered that one of the videos I had uploaded to YouTube had somehow gotten something strange done to it in processing and only supports 360p despite having been up for weeks. When I reuploaded it, I got a message saying that I can't upload duplicates of my previous videos. That's really annoying, because I had to wait the entire upload time just to be told they won't accept my video.

I'll probably end up deleting the old one outright and then reuploading, but I propose something better. (Well, I suppose the best solution would be to not butcher my videos when I upload them.) It would be really nice if YouTube would allow duplicate uploads to replace the old, clearing all the metadata - like a delete+reupload, but automatic and without the extra wait.

Saturday, February 21, 2015

FMod - Installable OS

It's possible to boot Windows PE from a hard disk, so I thought it might be kind of interesting to add a means of installing AbiatharOS to the hard drive, thereby allowing persistent changes to be made on the system volume, since it would be a hard disk rather than a RAM disk.

It turns out this was fairly easy to do. There's now an "Install" option on the OS menu, and it's hidden if the flag file indicating a persistent install is present. The presence of this flag also causes the configuration disk chooser to allow the use of the X drive. The installation wizard just prompts for the CD drive letter and the letter of the destination drive. (Good guesses fill in both boxes by default.) Once the user hits "Install", Abiathar invokes ImageX to decompress boot.wim onto the hard drive, then does a bunch of stuff with the BCD store to configure booting.

I tested it (in a VM, of course) and it works every time. It doesn't support UEFI configuration, but I don't know of any real machines (in personal use) that don't have BIOS compatibility in their UEFI implementation. I'm still not sure if anyone will want to use, much less install, this, but I'm learning a lot and having fun.

Friday, February 20, 2015

VBA Script to Search Google for Selected Text in Any Word Version

Though there is a way to tweak Word 2013 to turn the "Search with Bing" context menu option into "Search with Google", neither can be found in Word 2007. So, I wrote a little VBA script to make searching Google from Word's selected text just a keyboard shortcut or mouse click away.

To add this to your Word installation, enable the Developer tab under the advanced options (it's actually under Popular in Word 2007). On it, click Macros. Pull down "Macros in" and choose "Normal.dotm (global template)". Type "SearchGoogle" or any name without spaces into the "Macro name" textbox and click Create. The VBA Editor appears. Paste the following code into it:

' PtrSafe and LongPtr are required on 64-bit Office; the #Else branch serves 32-bit Word 2007/2013
#If VBA7 Then
Private Declare PtrSafe Function ShellExecute Lib "shell32.dll" Alias "ShellExecuteA" ( _
    ByVal hWnd As LongPtr, ByVal Operation As String, ByVal Filename As String, Optional ByVal Parameters As String, _
    Optional ByVal Directory As String, Optional ByVal WindowStyle As Long = vbMaximizedFocus) As LongPtr
#Else
Private Declare Function ShellExecute Lib "shell32.dll" Alias "ShellExecuteA" ( _
    ByVal hWnd As Long, ByVal Operation As String, ByVal Filename As String, Optional ByVal Parameters As String, _
    Optional ByVal Directory As String, Optional ByVal WindowStyle As Long = vbMaximizedFocus) As Long
#End If

' Percent-encode everything except unreserved ASCII so "&", "#", "+" etc. in the selection cannot change the query
Private Function UrlEncode(ByVal s As String) As String
    Dim i As Long, c As String
    For i = 1 To Len(s)
        c = Mid$(s, i, 1)
        If c Like "[A-Za-z0-9._~-]" Then
            UrlEncode = UrlEncode & c
        Else
            UrlEncode = UrlEncode & "%" & Right$("0" & Hex$(Asc(c)), 2)   ' non-ASCII text is sent as ANSI bytes
        End If
    Next i
End Function

Sub SearchGoogle()
    Dim query As String
    query = Trim$(Selection.Text)
    If Len(query) = 0 Then Exit Sub
    ' "Open" hands the URL to the default browser; ShellExecute returns a value of 32 or less on failure
    If ShellExecute(0, "Open", "https://www.google.com/search?q=" & UrlEncode(query)) <= 32 Then MsgBox "Could not open the browser."
End Sub

Click the Save button in the VBA Editor, then close it. Now decide whether you want a keyboard shortcut or a Quick Access Toolbar button for the macro.

If you want a keyboard shortcut, open the options and find the place to configure keyboard shortcuts. (On Word 2007, the button is on the Customize tab. On Word 2013, it can be found at the bottom of the page on the "Customize Ribbon" tab.) Choose Macros from the left list, then the macro you just created on the right. Click on the "Press new shortcut key" box and press the shortcut key you want for this. Save your changes and exit all dialog boxes.

If you want a mouse-accessible button, find the place to customize the Quick Access Toolbar under Word Options. Pull down "Choose commands from" and choose Macros. Select the macro, then click "Add >>" to move it onto the QAT. You can then modify its icon and mouseover text if you'd like, with the Modify button.

You can now use either a keyboard shortcut or a QAT button to search Google for your selected text.

Thursday, February 19, 2015

Secure Your WDS Deployment Share

I discovered today that the Unattend.xml file containing the domain joiner account's password is stored in plain text on a share readable by any domain user. Obviously, that's a problem. Everything I read on the Internet seemed to indicate that that's just how it works and that I should use unsecure domain join (no authentication to domain controller) to avoid storing passwords. I'm not a big fan of that option either, so I messed around with folder permissions a bit.

I determined that it is in fact possible to change the security on the WDS share to allow only administrators and the system to read it. This doesn't break anything - I did a successful unattended deployment after making the change. (The WDS share can be found on the WDS server under the name RemInst.) Secure it!
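As an added example (not from the original post), the PowerShell function below reports which broad groups can reach the WDS share and the unattend XML files under it, at both the share and NTFS level, so you can confirm the lock-down described above actually took. It assumes the share is named RemInst on the local server and that the SmbShare module (Windows Server 2012 or later) is available; the list of "broad" principals is an assumption.

```powershell
# Added example, not part of the original post. Assumes the share is named RemInst on the
# local server and the SmbShare module (Windows Server 2012 or later); the list of
# "broad" principals is an assumption and should match your own domain's groups.
$BroadPrincipals = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users',
                   '*\Domain Users', '*\Domain Computers'

function Test-WdsShareExposure {
    param([string]$ShareName = 'RemInst')

    $share = Get-SmbShare -Name $ShareName -ErrorAction Stop

    # Share-level ACL: an Allow entry here is what lets any domain user connect over SMB.
    foreach ($ace in Get-SmbShareAccess -Name $ShareName) {
        if ($ace.AccessControlType -eq 'Allow' -and
            ($BroadPrincipals | Where-Object { $ace.AccountName -like $_ })) {
            [pscustomobject]@{ Level = 'Share'; Path = $share.Path
                               Principal = $ace.AccountName; Rights = $ace.AccessRight }
        }
    }

    # NTFS ACL on the share root and on every XML file below it, which is where the
    # unattend files (and the domain-join account password inside them) live.
    # Every Allow entry for a broad group is reported; the Rights column shows what it grants.
    $items = @(Get-Item -LiteralPath $share.Path) +
             @(Get-ChildItem -LiteralPath $share.Path -Recurse -File -Include *.xml)
    foreach ($item in $items) {
        foreach ($ace in (Get-Acl -LiteralPath $item.FullName).Access) {
            $who = $ace.IdentityReference.Value
            if ($ace.AccessControlType -eq 'Allow' -and
                ($BroadPrincipals | Where-Object { $who -like $_ })) {
                [pscustomobject]@{ Level = 'NTFS'; Path = $item.FullName
                                   Principal = $who; Rights = $ace.FileSystemRights }
            }
        }
    }
}

$exposed = @(Test-WdsShareExposure)
if ($exposed.Count) { $exposed | Format-Table -AutoSize }
else { 'No broad access found on the RemInst share or its XML files.' }
```

Run it before and after restricting the share to administrators and the system, and again after an unattended deployment, since a successful deployment is the real test that nothing was broken.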

Wednesday, February 18, 2015

Obscure WDS Bug with Joining Domains on UEFI-Based Systems

Today I ran into a very unusual problem with Windows Deployment Services. I had configured the WDS server to join clients to the domain, but after an unattended install the client was not in fact joined to the domain. After going through all manner of documentation and help forums, I discovered that this is actually a bug with WDS.

If:
  • An unattended deployment is being performed,
  • Without an Active Directory prestaged computer account,
  • On a UEFI-based system,
then the client will not join the domain. Instead, I now have to figure out the Microsoft-Windows-UnattendedJoin structure in Windows System Image Manager and try not to send my plaintext password over the wire to the PE client.

(UEFI stands for Unified Extensible Firmware Interface and is a new class of BIOS. Some implementations are really snazzy and support high-color and -res graphics and even mouse input!)

Monday, February 16, 2015

FMod - Working OS

I continued working on the just-for-fun AbiatharOS today, because messing with Windows PE is pretty fun. I discovered that DOSBox won't run under 64-bit WinPE because WinPE has no 32-bit subsystem. So, I switched the image to an x86 32-bit architecture. (If anybody ever makes serious use of this, it'll probably be because their full system doesn't have the power to run Abiathar smoothly, so being 32-bit makes sense.)

However, DOSBox still refused to run. After some investigation with Sysinternals Depends.exe and some hunting for 32-bit versions of the DLLs DOSBox calls for, I managed to get it working in WinPE. The only configuration changes I made were setting CPU cycles per second to 10,000 and enabling IPX. This was done so that the NetKeen files included in the image (with all the Galaxy games and Dreams) would be usable. Portable NetKeen disc, anyone?

I wrote the routine to create the open/save dialog when the normal .NET common dialogs aren't available. It uses P/Invoke and hopefully doesn't leak memory all over the place. (I did find and fix a particularly bad bug with a lack of null-terminator on the end of a string. Hey, I've never written anything in C++.) If possible (i.e. when not running as the PE shell), Abiathar uses a class that just forwards the property accesses to the normal .NET common dialog classes. The two folder browser dialogs that are used are just disabled when running under PE.

On PE startup, Abiathar looks for writable drives on which to place its configuration. If it finds none, it launches DiskPart, prompting the user to format a usable partition and give it a drive letter. If Abiathar can then detect a usable drive, it launches as normal; if not, DiskPart appears again and the user is given the option to shut down. (If multiple suitable drives are found, the user is prompted to choose one.)

In PE mode, an "OS" menu is added to the main menu strip that allows the user to launch a command prompt, start DOSBox, or shut down. (File | Exit is removed in PE mode because it would just cause a reboot.)

This is actually turning into something potentially useful. Of course, it'll need more testing before being declared stable, but Windows PE seems to be holding up pretty well.

Sunday, February 15, 2015

FMod - AbiatharOS

Today, I was doing some Windows deployments and reading about Windows PE (the boot images). I read that it's possible to create custom boot images, and I thought that sounded pretty interesting, so I checked it out. After some tinkering with the Deployment and Imaging Tools Environment console and some wrestling with out-of-date documentation, I managed to create a boot image that launches Abiathar.

Surprisingly, Abiathar actually worked - to some extent. I could create new level sets and mess with them all I wanted, but as soon as I tried to open or save (both of which open a Windows common dialog), Abiathar crashed immediately and the VM I was using rebooted. Also, since most items in the Help menu try to open a web browser and there is none in WinPE, nothing happens.

Before going into Visual Studio, I messed with the image some more and was able to change the WinPE desktop background picture from its blank purple to the Abiathar logo. I also successfully created an ISO file and booted from it in VirtualBox.

I spent some time poking around the code of Abiathar and determined that it wouldn't be too hard to get it working stably in WinPE. The following issues need to be addressed:

  • Where to load the config files from. Obviously, burning one into the image doesn't allow for much configurability. I rigged up a means of scanning all writable drives for a config file, and it works reasonably well.
  • What to do with the Help menu. I just had Abiathar detect whether it's running in PE and hide a bunch of menus if they would do bad things. The update checker is similarly disabled.
  • How to open and save files. I'm imagining a very basic home-grown file browser and an interface to switch between the real dialog and my custom one depending on PE-ness. (I want to keep these as the same code base.)
  • How to playtest the levels. I burned the portable version of DOSBox into the image and added a menu option for it if running in PE mode.
This might be a huge waste of time, but it's pretty fun. And who knows, maybe a lightweight bootable level editing CD might be a nice thing to have around.

Saturday, February 14, 2015

Clearing the Temporary Image File from a WDS-Captured Disk

If you use Windows Deployment Services to capture an image of a Sysprepped Windows OS, you have to save the WIM file to the local disk before uploading it to the server. This is somewhat inconvenient if you don't want to boot the computer to delete it, thereby wrecking the OOBE.

Fortunately, it's possible to get into the file system using WDS without booting up into the real OS - no other boot media necessary. Just boot into the capture image again and press Shift+F10 when the wizard appears - a command prompt will come up. Navigate to the place you put the WIM file and erase it. You can cut the power to the machine safely, or close the command prompt and wizard to cause a reboot.

Friday, February 13, 2015

AJAX in ASP.NET

I did some searching on how to do AJAX with ASP.NET, and it actually took me a while to find useful information. It turns out that you don't actually have to know any JavaScript at all to get asynchronous web programming done in ASP.NET!

It's all done by using the UpdatePanel control. When a button inside one of those is clicked, and the click modifies only the state of controls inside an UpdatePanel, the server returns only the contents of the panel, so there's no full postback, navigation, or blink. It's so great and simple - the compiler takes care of all the JavaScript stuff. Controls can be added dynamically simply by doing a .Controls.Add(newCtl) on a Panel.

I am really looking forward to using this functionality to build great stuff with ASP.NET. Thanks Microsoft!

Wednesday, February 11, 2015

MMC: Control Panel at the Next Level

I've mentioned MMC before, but I really need to express how great it is. MMC stands for Microsoft Management Console. It's a one-stop shop for system administrators to control every aspect of their domain, a server role, or a computer. It can be accessed on any computer running the "Pro" edition of its OS - any computer that can be joined to a domain. Press Windows+R, type "mmc", hit Enter, and you get the amazing view of a blank MMC console.

It starts actually doing things when you add snap-ins. Hit Ctrl+M or choose "Add/Remove Snap-ins" under File. Add one or more snap-ins to the console by selecting them in the left pane, clicking Add, and configuring them as appropriate. (If you're a domain admin, you can remotely administer computers using MMC simply by typing the remote computer name in snap-in configuration, no Remote Desktop needed.) For example, "Local Users and Groups" lets you manage non-domain user accounts and groups on a machine. "Group Policy Object Editor" (which works whether or not you're on a domain) lets you tweak literally every setting you've ever heard of and also ones that are super obscure. "Disk Management" is great for establishing software RAID without third-party tools.

In fact, you've probably used some MMC snap-ins without knowing it. Device Manager is an MMC snap-in that, when launched from the advanced system properties, doesn't display the MMC chrome. Services and Task Scheduler are similar examples. Almost all of these can be found in Administrative Tools, but some super-big ones like Group Policy Object Editor can't be found there.

MMC is really great. Thanks Microsoft!

Tuesday, February 10, 2015

Gash - Plane Problems

I started implementing the function for NextGenGraphics that converts a bunch of raw data into pixel values. This of course has to take into account the bits per pixel of the graphics adapter and whether it shuffles the planes around like EGA. I thought it would be easy until I remembered the mask plane. If included in CGA, there would be three bits per pixel, which would be very messy if it was arranged linearly. Sadly, there is no format documentation on masked CGA data or CGAGRAPH, so I just have to figure out where CGA keeps the mask information before I can move on.

Monday, February 9, 2015

Gash - Understand Sprite Shifts

The ModdingWiki's format documentation on xGAGRAPH claims that there are 8 shorts in each sprite table entry. However, I did some reading of the ModKeen code and determined that there are 9. The extra one is the number of shifts the game will create for that sprite, used in smooth motion. The old GalaxyGraphics implementation knew about the extra short, but it simply called it "flags" and didn't know what to do. NextGenGraphics labels it appropriately and provides an enum of the three valid choices: 1, 2, 4.

Sunday, February 8, 2015

Printers are Frustrating

I am sure by now that printers are the most challenging and insanity-inducing area of information technology. There are ten bajillion drivers from which to choose and at least four ways of connecting computers to the printer.

Today I tried to connect an old (grayscale) HP LaserJet 4000 printer to my shiny new Windows 8.1 PC via a parallel card that I had to add because nobody uses parallel ports anymore. The drivers seemed to install themselves successfully after wrecking one hibernated state and then scribbling all over my mouse settings. I plugged in the printer and... nothing. The test page wouldn't print and all Windows would do was display an "out of paper" message despite there being no data activity on the printer end.

I then installed some manufacturer drivers from a mini DVD that came with the card. Those completely wiped the LPT1 port out of Device Manager. The printer continued to not work. (I do know for sure that it can print because it successfully outputted a printer configuration report page.) I tried installing drivers from other places. No dice, though the device did reappear in Device Manager.

Telecom used to be the hardest thing in IT. Now, it's printers. I'll continue trying to deal with this tomorrow.

Saturday, February 7, 2015

Do Not Use - Strange Form-Factor PCs

Today, I had to deal with an HP Pavilion Slimline 400 that would only power on intermittently despite passing all PSU tests. Though I'm fairly sure the power supply unit is OK, I spent some time researching a replacement. What I discovered is that the Slimline 400 with its half-widthness is the only PC model ever to use this style of power supply. I went to a computer store with a bajillion different types of PSUs, but all the normal ones (and crazy ones) they had were always slightly different than this one, different enough to not work.

Previous experiences just reinforce my irritation with PCs with strange form factors or cases. It just makes maintenance and upgrade more difficult. Also, it's super difficult to find parts that fit the special arrangement of the case. Sure, it's not very original, but you know why there are so many generic beige-box PCs?

They work.

Friday, February 6, 2015

A Better Way of Adding Drivers to WDS Boot Images

Today, I tried to use WDS to deploy to a laptop that had a NIC that the normal WDS boot image couldn't deal with. After a brief display of "Setup is starting", the client threw an error talking about how an error occurred while starting networking. It wanted me to add the NIC drivers to the boot image, so I looked online for instructions on doing that. I found KB923834, which seemed to perfectly match my problem at first. However, I soon discovered that the setup log doesn't contain the error spew the article mentioned and, despite having the Windows AIK installed, I don't have a "Windows AIK" directory in Program Files. Also, I really wasn't looking forward to doing the supercomplicated procedure to solve an issue that can't be that unusual.

So, I continued my search for help and turned up some very nice tutorials on doing this. In summary, that KB article is super old (for Windows Server 2003?) and WDS has come a long way since then. The general procedure for adding drivers to a PE boot image is:

  • Find the NIC driver and unpack it to an INF with supporting files
  • Disable the boot image (to prevent it from being sent to a client during servicing)
  • Add a driver package (under the Drivers section of the WDS snap-in)
  • Point the wizard at the INF and create a driver group if you want
  • Open the "add drivers to boot image" wizard for your boot image
  • Use the default search terms to search for drivers, check the box for your new drivers
  • Complete the wizard and wait a super long time for it to mount, modify, and unmount the WIM
  • Re-enable the boot image

Thursday, February 5, 2015

Deploying a Custom Windows Image with WDS, Unattended

I discovered this week that the Windows Deployment Services role on Windows Server is really great. It is possible to create your own customized Windows images to be deployed; you can load up all the software and loose files you want, no matter what type of installer your custom applications have.

The first step to getting a setup like this is installing the OS as normal on one computer. This computer will be used to perfect the configuration of the OS and all the applications and files. Do whatever you need to make the computer as all of them should be, and then generalize its configuration. Open the Sysprep utility, found at:

C:\Windows\System32\Sysprep\sysprep.exe

Choose "OOBE" from the top dropdown list, check "Generalize", choose "Shut down" from the lower dropdown list, and execute the operation. It will take a while to rip out all the machine-specific stuff, and then power off the machine.

Go to the WDS server and add the boot image for the OS, which can be found in the OS installation image (the DVD), as "\sources\boot.wim". Right-click it in the list and choose the option to create a capture image. Run through the wizard, naming it whatever you want. This creates a version of the PE image that will freeze the client computer into a WIM image for WDS. Under Install Images, create a new image group that will eventually hold the custom image.

PXE-boot the client that you just Sysprep'd into the capture image. Run through the wizard, selecting what is probably now called the D:\ drive, putting the temporary local image anywhere on the local main drive, and uploading the image to the server in the empty image group you created earlier. (This requires you to enter your credentials.) Once it completes the upload, turn off the client.

Back at the WDS server, look at the new custom install image. You're done, unless you want to make an unattend script.

To create an unattend script, you'll need the Windows System Image Manager, which is included in the Deployment Tools feature of the Windows Assessment and Deployment Kit. Install that, then export the custom install image in the WDS MMC snap-in. (The WDS image directory is not writable except by the system.) Put it somewhere on your main partition.

Open the Windows System Image Manager. Create a new answer file, selecting that exported image. Create a catalog if it asks. Then, in the lower-left pane, right-click the configuration settings you need and add them to (usually) Pass 1 or Pass 4. Pass 1 (PE settings) is the unattend script for the pre-installation environment. Pass 4 (specialization) holds settings to apply to the computer when it boots real Windows for the first time. Help with this step can be found at TechNet's Components chapter of the WDS documentation.

After you save your file in Windows SIM, open the properties of the custom install image and check the box allowing unattended installation. Specify your answer file. Then, open the properties of the WDS server itself in the WDS snap-in. Set the answer file to be the default for the appropriate architecture.

Congratulations! You can now perform an unattended deployment of a custom Windows image!

Wednesday, February 4, 2015

Determining Whether a Windows Installation was Mass-Deployed

Windows OEMs use the Windows Automated Installation Kit and Windows Deployment Services to mass-image computers before shipping. If you're curious as to whether a computer you're using was set up in such a way, you can check for the presence of a file that indicates Sysprep was run. This file is at:

C:\Windows\System32\Sysprep\Sysprep_succeeded.tag

It's a zero-byte file that is created after a successful run of Sysprep, the generalization tool run to freeze a computer before using ImageX (or a WDS capture boot image). If you're curious as to the date of imaging, it's in the action log:

C:\Windows\System32\Sysprep\Panther\setupact.log

Tuesday, February 3, 2015

Port Scanning Isn't Like Trying Doorknobs

I have recently been in discussions about port scanning and the legalities of it, and wherever I read about it on the Internet I find one metaphor that really doesn't make any sense. People liken port scanning to going down a row of houses on a street, walking up to each door on a house, jiggling the doorknob, and noting whether the door would have opened.

This is a severely bad analogy.

It implies that if the port is open - the door is unlocked - attackers or thieves could just waltz in and take all the things. It paints the picture that a single open port would let anybody walk right in and have complete control of the machine. Obviously, this is not the case. It's up to the application listening on the port whether or not the machine on the other end of the line will gain access to the computer. Most applications don't give any unauthenticated user an admin shell. And, of course, an attacker on a particular port can only do things at the privilege level of the application.

In my opinion, port scanning is more like calling a hotel repeatedly and asking to talk to the occupant of a room with whatever number. Some occupants might be more talkative than others, divulging information about the architecture of the building and the arrangement of interesting things. Some particularly gullible ones could be tricked into opening their room and adjoining rooms to the attacker. Most, however, will just hold a normal conversation, conversing about what they know or do.

This isn't to say that firewalls are pointless. They're a good way to protect network-internal services from the outside world and stop malware from calling home. It's always good to disconnect the phone if you have a particularly naive guest. Likewise, vulnerable yet important services (legacy systems, e.g. ye olde SMBv1) should be barred from receiving connections from the outside. Defense in depth is always a good plan; just make decent analogies.

Monday, February 2, 2015

Gash - Better Bitmaps

I wrote the part of the new NextGenGraphics constructor that carves the xGAGRAPH file apart into chunks. Since decompression doesn't happen immediately, the raw compressed chunks have to be labeled with their size, taking into account the fact that some special chunks have their decompressed size hard-coded (rather than it being the first four bytes of the raw chunk).

I also realized that my existing SixteenColorBitmap class, had I tried to use it here, would have been both poorly named and really difficult to deal with. It doesn't support masking (you need MaskedSixteenColorBitmap for that) and doesn't have a very convenient way of dealing with palettes. So, I wrote a LowColorBitmap class that reduces the craziness (using the .NET Color struct instead of 4-tuples) and has built-in support for masking.

Sunday, February 1, 2015

Gash - Delay Decompress

One of the most serious issues with the existing FleexCore2 implementation of Galaxy-style graphics was that it always decompressed every chunk as soon as the files were opened. All that bit-twiddling in such a high-level language takes a lot of time, so I had to do the whole workaround with the underscore-prefixed options on GalaxyGraphicsChunkSettings to make Abiathar's EGA loading not take a million years.

To remedy this and include the special CGA/VGA features necessary for Gash, I started an entirely different FleexCore2 class called NextGenGraphics. It uses the .NET Lazy(Of T) class to delay the construction of the graphics objects. Now, chunks will not be decompressed unless the resource they represent is called for. I have not yet started the actual graphics loading for this class, but it should be pretty easy once I figure out how to genericize the code that already exists in GalaxyGraphics.