Fix it — great idea!


If you’re hav­ing a prob­lem with a Microsoft product, then the first stop for find­ing a solu­tion pretty much needs to be the MS Know­ledge­base. It’s solved prob­lems for me and for cli­ents times without num­ber. Often how­ever this has involved print­ing out the art­icle in ques­tion in order to fol­low a series of steps on the com­puter with the prob­lem.

A new, and very wel­come addi­tion to some art­icles on the Know­ledge­base removes the need for this — a “Fix it” but­ton, shown above, has been added. When this but­ton is avail­able, it will down­load a small file that con­tains a script or execut­able that per­forms all the steps for you. For example, if Inter­net Explorer is miss­ing from your desktop, the “Fix It” but­ton down­loads a small installer file con­tain­ing a script to put it back.

I can see this going far, and hope it’s a major change in fix deliv­ery. Help Desks in par­tic­u­lar should gear up to build loc­al lib­rar­ies of these scrip­ted fixes, in order to push them out where required. And build­ing the serv­er-spe­cif­ic fixes into Sys­tem Cen­ter Oper­a­tions Man­ager for auto­mated behind-the-scenes prob­lem res­ol­u­tion would be a great next step too.

UAC Flaw — MS listens, promises to fix.

Good news on the User Access Con­trol flaw I wrote about a few days ago — the Win­dows 7 engin­eers have prom­ised to fix it in the release can­did­ate, and have gone even fur­ther in the fix than was asked.

The addi­tion­al pro­pos­al is to run the User Access Con­trol pan­el in a mode where oth­er pro­grams can­not manip­u­late it without first gain­ing elev­ated rights. This should put and end to any poten­tial exploit via this route.

Good to see the engin­eers respond­ing to this. The fact that they had to, how­ever, leads me to won­der if they’re not a little insu­lated – they talked about “Cus­tom­er Driv­en Engin­eer­ing” in their pre­vi­ous post cla­ri­fy­ing their views on the flaw (now changed of course) but surely a little bit of com­mon sense and engin­eer­ing exper­i­ence should have told them that this was wrong, regard­less of what the beha­vi­our­al mon­it­or­ing they per­formed sug­ges­ted?

UAC flaw “by design” says Microsoft

Microsoft dis­misses Win­dows 7 UAC secur­ity flaw, con­tin­ues to insist it is “by design”:

Just because it’s by design doesn’t mean to say it’s right. This is exactly the blinkered think­ing that we heard from the people work­ing on UAC in the Vista time­frame — “This is the way it’s going to be, we know bet­ter than you.”

Since that atti­tude was prov­ably incor­rect last time, what makes it any more right this time?

(Via I Star­ted Some­thing.)

User Access Control security flaw in Windows 7 beta

Sac­ri­fi­cing secur­ity for usab­il­ity: UAC secur­ity flaw in Win­dows 7 beta:

By default, Win­dows 7’s UAC set­ting is set to “Noti­fy me only when pro­grams try to make changes to my com­puter” and “Don’t noti­fy me when I make changes to Win­dows set­tings”. How it dis­tin­guishes between a (third party) pro­gram and Win­dows set­tings is with a secur­ity cer­ti­fic­ate. The applications/applets which man­age Win­dows set­tings are signed with a spe­cial Microsoft Win­dows 7 cer­ti­fic­ate. As such, con­trol pan­el items are signed with this cer­ti­fic­ate so they don’t prompt UAC if you change any sys­tem set­tings.

The Achilles’ heel of this sys­tem is that chan­ging UAC is also con­sidered a “change to Win­dows set­tings”, coupled with the new default UAC secur­ity level, would not prompt you if changed. Even to dis­able UAC entirely.

Whoops. This one is a bit of a showstop­per. I’m very happy with the re-ima­gined User Access Con­trol in Win­dows 7 (I believe it’s pretty much what it should have been in Vista) but this def­in­itely needs fixed. I agree com­pletely with Long Zheng’s pro­posed solu­tion:

Microsoft can imple­ment without sac­ri­fi­cing any of the bene­fits the new UAC mod­el provides, and that is to force a UAC prompt in Secure Desktop mode whenev­er UAC is changed, regard­less of its cur­rent state. This is not a fool-proof solu­tion (users can still inad­vert­ently click “yes”) but a simple one.

(Via I Star­ted Some­thing.)

Windows 7 can be added to domains offline!

I have been wait­ing for this to hap­pen for twelve years, ever since my first mul­tiple-thou­sand-seat Win­dows desktop rol­lout — Win­dows 7 (and Win­dows Serv­er 2008 R2) can be added to domains without phys­ic­ally being con­nec­ted to that domain over a net­work

This is done with a new com­mand — djoin.exe — added into these products. It’s used (on an exist­ing machine in the domain) to gen­er­ate a block of inform­a­tion in a file, that can be used on anoth­er machine to auto­mat­ic­ally join the domain without being con­nec­ted at that time.

This is fant­ast­ic­ally use­ful for any­one per­form­ing big cor­por­ate rol­louts – where it’s not always pos­sible to build the machines in situ. Any con­sultancy work­ing on a build-and-cus­tom­ise desktop pro­ject for a cli­ent is going to abso­lutely love this.

Found on

How to install Vista Upgrade editions in Parallels

Installing MS Win­dows Vista into Par­al­lels is a bit of a chore if you’ve only got an upgrade edi­tions of the soft­ware. This how-to tells you the steps in order to make it work.

Firstly, make an image of your Vista DVD. This will make the install run much faster, and you’ll need to be doing two of those. Insert the vista DVD, then in Disk Util­ity, select the DVD UDF Volume and press “New Image”. Call it Vista, save it to the desktop, and change the image type to “DVD/CD Mas­ter”

Once that fin­ishes, it’s time to power up Par­al­lels. Make sure you’re run­ning at least Release Can­did­ate 1 — down­load it from the Par­al­lels web­site if not. Cre­ate a new VM and select “Cus­tom”. On the next page, make sure the OS ver­sion is set to Win­dows Vista. Leave the memory, hard disk set­tings and the net­work set­tings alone. Name the Vir­tu­al Machine (or again just accept the default).

On the next page, where you’re asked to insert the install­a­tion CD, open up “More Options”, select “ISO Image” and press “Choose” to select the image cre­ated earli­er — saved to your desktop. Press “Fin­ish” to begin the Vista install­a­tion.

Well, actu­ally, your first Vista install­a­tion. Because we’ll be doing two here. The trick is that we don’t enter your licence key the first time around, thus fool­ing Vista into installing. Unlike XP upgrades, which just needed a look at a CD or a pre­vi­ous install­a­tion to pro­ceed, licenced Vista won’t install unless it’s being installed over the top of a pre­vi­ous OS. Luck­ily, “pre­vi­ous OS” includes unli­censed Vista!

Start the install­a­tion going. The first thing it will ask you is your inter­na­tion­al set­tings. Set them as appro­pri­ate. Click onto the next page, then click “Install Now”. On the fol­low­ing page, it will ask for your product key. Do not type in your product key — instead, press “Next”, say “No” to the fol­low­ing dia­log box, then on the next page choose the ver­sion of Vista you’re installing.

(I have no idea what the dif­fer­ence between, say, Busi­ness and Busi­nessN is — can someone enlight­en me? I just chose from the non-N ones.)

Tick the box on that page, press Next, accept the licence terms, press Next. On the fol­low­ing screen the type of install­a­tion will be set to “Cus­tom”. That’s fine. Press Next to choose where to install it, the default is fine so press Next again.

At this point the install­a­tion of Vista will start. The VM will reboot sev­er­al times — just let it do so. Install­a­tion will run to com­ple­tion just fine, go away for 30 minutes.

(time passes)

Choose a user­name and on the next page, a com­puter name. These aren’t vital but you’ll need to remem­ber the user­name for the next 30 minutes. Then, on the secur­ity updates page, select “Ask me later” — one of the cur­rent Vista updates breaks Par­al­lels, and we don’t want that to hap­pen. Finally, set your timezone, then press “Start”.

Vista will then check the VM’s per­form­ance, then start up. Con­grat­u­la­tions, it’s installed. Log in, and

Do not install Par­al­lels Tools right now. It will cause you pain later.

Now we’re going to do all of this over again, this time with a licence key.

From the Start Menu, choose Com­puter, then double-click on the DVD drive. Double-click on Setup. Allow the pro­gram to run. Click on “Install now”.

On the next screen, don’t get the latest updates for install­a­tion at this time, because it might crash Par­al­lels. On the next screen, enter your product key. Accept the license, as before.

On the fol­low­ing screen, again click on “Cus­tom” for type of install­a­tion. Accept the default for the install­a­tion disk, as before, then click “OK” in the dia­log box.

Install­a­tion will then start. Anoth­er 30 minutes here.

(time passes, again)

This time, when asked for a user­name and com­puter name, choose ones you wish to stick with as this is final. Choose “Ask me later” for the secur­ity updates, then set the timezone as before.

Vista will again check per­form­ance, then start.

That’s it. We’re done. Just tidy-up to do now.

Firstly, install Par­al­lel Tools from the Mac “Action” menu. This will give prop­er integ­ra­tion between your Mac and the Vista VM. It’ll need a reboot. After that, nav­ig­ate from “Com­puter” on the Start Menu to your hard disk, then delete the “windows.old” dir­ect­ory. That was the ini­tial install.

Now, from the Mac’s “Action” menu, run the Par­al­lels Disk Com­pressor, in order to neaten up the VM’s hard disk. This takes a while. But once it’s done:

Con­grat­u­la­tions. You have a per­fectly fresh work­ing installed copy of Vista, from a Vista Upgrade CD, in a Par­al­lels VM.

Now go and enjoy before Par­al­lels bring out a new ver­sion, for­cing this to become incor­rect and me to write out a cor­rec­ted ver­sion.