SHA1 Thumbprints for trusted .rdp publishers

Remote Desktop Connection (RDC) has a Group Policy setting that determines which publishers are to be considered trusted when launching connections (typically .rdp files served in various ways).

The publisher is identified by the SHA1 thumbprint of the certificate of the publisher (the certificate used to sign the .rdp file). You get the thumbprint from the certificate:

image

The setting is located under:
Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client

Setting:
Specify SHA1 thumbprints of certificates representing trusted .rdp publishers

Description:
This policy setting allows you to specify a list of Secure Hash Algorithm 1 (SHA1) certificate thumbprints that represent trusted Remote Desktop Protocol (.rdp) file publishers.

If you enable this policy setting, any certificate with an SHA1 thumbprint that matches a thumbprint on the list is trusted. If a user tries to start an .rdp file that is signed by a trusted certificate, the user does not receive any warning messages when they start the file. To obtain the thumbprint, view the certificate details, and then click the Thumbprint field.

If you disable or do not configure this policy setting, no publisher is treated as a trusted .rdp publisher.

Notes:

You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the computer, the list of certificate thumbprints trusted for a user is a combination of the list defined for the computer and the list defined for the user.

This policy setting overrides the behavior of the “Allow .rdp files from valid publishers and user’s default .rdp settings” policy setting.

If the list contains a string that is not a certificate thumbprint, it is ignored.

As you can see, there is no mention of how the thumbprint is to be entered!

I found out the hard way that you have to remove all spaces and convert all letters to uppercase for the thumbprint to be valid. You are not informed if the format you enter is incorrect; it is just silently ignored if it is not recognized as a valid thumbprint.

This quick PowerShell command will do these two operations:

("<your thumbprint here>").ToUpper().Replace(" ","")

If this Group Policy setting is not in effect, either because you have not set it or the thumbprint is incorrect/invalid, your users will get a warning when connecting, even if the certificate used to sign the .rdp file is trusted:

image

Error: A website wants to run a RemoteApp program. Make sure that you trust the publisher before you connect to run the program.

It is interesting to note that the rdpsign.exe command line utility, which is used to sign .rdp files manually, requires that the thumbprint of the certificate be provided in just this way: http://technet.microsoft.com/en-us/library/cc753982(WS.10).aspx

A note on copying the thumbprint

If you look at the highlighted/selected thumbprint in the image above you will see what looks like a leading whitespace. If you select the whole string (not as above), you will get a strange leading character in your thumbprint. Have a look at this zoomed image:

image

I do not know what character this is, but it invalidates the thumbprint string if you paste it into the SHA1 thumbprint field in your GPO. Even stranger is that it does not show up in the pasted text in the GPO object; it just “looks” right. As I said, I have no explanation, but remember to skip the leading whitespace when you copy your thumbprint.

This is how it should look:

image
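The normalization above and the hidden-character problem can be handled together by keeping only hex digits and then checking the length, which catches both stray spaces and any invisible character copied from the dialog. The following is an added example, not code from the original post; the pasted thumbprint is a constructed sample, the leading U+200E character is my assumption about what the dialog emits, and the certificate subject filter is hypothetical.

```powershell
function ConvertTo-RdpPublisherThumbprint {
    param([Parameter(Mandatory = $true)][string]$Thumbprint)
    # Keep hex digits only: this removes the spaces shown in the certificate
    # dialog and any invisible character picked up by selecting the whole field.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        # The GPO would silently ignore this value, so fail loudly instead.
        throw "Not a SHA1 thumbprint: expected 40 hex digits, got $($clean.Length) ('$clean')"
    }
    return $clean
}

function Get-RdpSigningThumbprint {
    param([Parameter(Mandatory = $true)][string]$SubjectPattern)
    # X509Certificate2.Thumbprint is already upper-case hex without spaces,
    # so reading it from the store avoids the copy/paste problem entirely.
    $cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Subject -like $SubjectPattern } |
        Select-Object -First 1
    if (-not $cert) { throw "No certificate matching '$SubjectPattern'" }
    return $cert.Thumbprint
}

# Constructed sample of a value pasted from the certificate dialog, with a
# leading U+200E (assumed to be the hidden character) and the usual spaces.
$pasted = "$([char]0x200E)a9 09 50 2d d8 2a e4 14 33 e6 f8 38 86 b0 0d 42 77 a3 2a 7b"
$gpoValue = ConvertTo-RdpPublisherThumbprint $pasted
$gpoValue   # A909502DD82AE41433E6F83886B00D4277A32A7B

# Cross-check against the certificate actually used with rdpsign.exe
# (hypothetical subject; adjust to your signing certificate).
try {
    $fromStore = Get-RdpSigningThumbprint -SubjectPattern 'CN=rdp-publisher*'
    if ($fromStore -ne $gpoValue) {
        Write-Warning "GPO thumbprint does not match the signing certificate ($fromStore)"
    }
} catch {
    Write-Warning $_
}
```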

Windows System Update Readiness Tool

A new tool is being offered through Windows Update: the System Update Readiness (SUR) Tool. It is designed to help diagnose and fix issues that prevent Windows updates or Service Packs from installing correctly. According to the documentation it is only offered to systems that are experiencing one of the conditions the tool can resolve. (How it can determine this without first running is beyond me.) The tool runs on Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2.

Like the monthly Windows Malicious Software Removal Tool (WMSRT), it runs a one-time scan of your system to determine if it is experiencing one of the issues it can detect and fix. A log of this activity is written to %SYSTEMROOT%\Logs\CBS\CheckSUR.log. As of this writing the tool is presented in Windows Update as System Update Readiness Tool for Windows 7 for x64-based Systems (KB947821) [February 2011]. This leads me to believe that it will be updated and offered in new “versions” later on.

You can also download the tool manually and run it, check the first link below.

On one system I experienced an error when trying to install Windows Server 2008 R2 Service Pack 1: An unknown error has occurred; error code 0x800f0818. I ran the SUR Tool and it detected an error in the %SYSTEMROOT%\Servicing\Packages folder, which it was able to repair. After that SP1 installed successfully.

One strange thing to note in this case was that I was installing SP1 through Windows Update, and both SP1 and the SUR tool were selected for install. For some reason the SP1 install ran first and failed, then the SUR tool ran and repaired the error that prevented the Service Pack from installing. Should have been the other way around.
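Since the tool only writes its findings to CheckSUR.log, it is worth checking whether every problem it found was actually repaired before retrying the Service Pack. The function below is an added example, not part of the original post or of the tool; the sample lines are constructed in the shape of a CheckSUR.log, where tab-separated "(f)" lines are findings and "(fix)" lines are repairs, and the KB numbers are placeholders.

```powershell
function Get-LeafName([string]$Text) {
    # First token after the last backslash: works for both
    # "servicing\Packages\x.mum" and "x.mum from Cabinet: C:\...".
    return (($Text -split ' ')[0] -replace '^.*\\', '')
}

function Get-CheckSurSummary {
    param([Parameter(Mandatory = $true)][string[]]$Lines)
    $found = @(); $fixed = @()
    foreach ($line in $Lines) {
        $fields = $line -split "`t"          # marker, category, code/action, path, ...
        switch ($fields[0]) {
            '(f)'   { $found += New-Object PSObject -Property @{ Category = $fields[1]; Code = $fields[2]; Path = $fields[3] } }
            '(fix)' { $fixed += New-Object PSObject -Property @{ Category = $fields[1]; Action = $fields[2]; Path = $fields[3] } }
        }
    }
    # A finding without a matching repair line still needs manual work
    # (typically replacing the file from a known-good source before retrying).
    $fixedNames = @($fixed | ForEach-Object { Get-LeafName $_.Path })
    $unfixed = @($found | Where-Object { $fixedNames -notcontains (Get-LeafName $_.Path) })
    return New-Object PSObject -Property @{ Found = $found.Count; Fixed = $fixed.Count; Unfixed = $unfixed }
}

# Constructed sample in the shape of CheckSUR.log (not a real log).
$sample = @(
    "Checking Package Manifests and Catalogs",
    "(f)`tCBS MUM Corrupt`t0x00000000`tservicing\Packages\Package_for_KBXXXXXX~31bf3856ad364e35~amd64~~6.1.1.1.mum`t`tExpected file name does not match",
    "(fix)`tCBS MUM Corrupt`tCBS File Replaced`tPackage_for_KBXXXXXX~31bf3856ad364e35~amd64~~6.1.1.1.mum from Cabinet: C:\Windows\CheckSur\v1.0\sample.cab.",
    "(f)`tCBS Catalog Missing`t0x00000002`tservicing\Packages\Package_for_KBYYYYYY~31bf3856ad364e35~amd64~~6.1.1.0.cat`t`t",
    "Summary:",
    " Found 2 errors",
    " Fixed 1 errors"
)
$result = Get-CheckSurSummary -Lines $sample
"Found $($result.Found), fixed $($result.Fixed), still unfixed: $($result.Unfixed.Count)"
$result.Unfixed | Format-Table Category, Path -AutoSize

# Against a real run: Get-CheckSurSummary -Lines (Get-Content "$env:SystemRoot\Logs\CBS\CheckSUR.log")
```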

Blue Screen (BSOD) on VirtualBox VM

I’ve got to hand it to Oracle: their virtualization software VirtualBox is amazing…and free! Its features surpass Windows Virtual PC by leaps and are on par with VMware Workstation. Lately I have been using it for all my host-based virtualization needs.

I am in the process of setting up a new computer and part of that means moving all my VMs. I use the export and then import feature in VirtualBox to do this. After I moved a Windows XP machine it would not boot on the new PC, and kept bluescreening continuously. This was the error:

VirtualBox Bluescreen

DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS caused by intelppm.sys.

After a brief Google search I turned up this post by Ben Armstrong (Virtual PC Guy) from the Microsoft virtualization team: http://blogs.msdn.com/b/virtual_pc_guy/archive/2005/10/25/problems-with-intelppm-sys-and-processr-sys-under-virtual-pc-virtual-server.aspx

According to Ben, the drivers intelppm.sys, processr.sys and perhaps also p3.sys can cause problems when they try to do something that is not supported by the hypervisor. Apparently the problem affects Microsoft products such as Virtual PC and Virtual Server as well. There is also a ticket logged for VirtualBox regarding this issue: http://www.virtualbox.org/ticket/420

The solution is to boot into Safe Mode (F8 during startup) and enter one or more of these commands, depending on which driver is causing the issue:

  • sc config p3 start= disabled
  • sc config intelppm start= disabled
  • sc config processr start= disabled

You could also follow the instructions in Ben’s post and do these changes manually in the Registry.

GPS Fun with the Windows 7 Sensor and Location Platform

Introduction

Windows 7 has a new framework: the Windows Sensor and Location Platform. In short it is a system that enables the OS to utilize different sensors, e.g. a GPS device to track your location, a light sensor to dynamically adjust your screen brightness based on the ambient lighting, an accelerometer to use for games, etc. I want to focus on GPS in this post.

Architecture

Up until now, the usual way to connect a GPS device to your computer was for it to emulate a COM port and then send standard NMEA GPS data to the port at a specified baud rate. This worked OK in my opinion, but with the new framework the GPS device, or sensor, is exposed directly to the OS. No more intermediary COM ports. This works the same for any sensor, by the way.

GPS in action

As of this writing, there are very few devices compatible with the new framework out there. I only know of the USB GPS Devices from ublox. To work around this you can use Michael Chourdakis’ excellent GPSDirect driver that acts as a layer between a legacy GPS device that sends NMEA data through a COM port, and the Sensor and Location Platform.

To set this up do the following:

  1. Configure your GPS to work with Windows. This can be through Bluetooth, USB or special software for use with built-in devices. When done you should have at least one new COM port that sends the GPS NMEA data, and you should also know the baud rate of this port. This screenshot is from the COM port associated with my HOLUX GPSlim236 device:
    image
  2. Download and run the GPSDirect software and input the data from your COM port:
    image
    Then hit Install.
  3. You should immediately be prompted by Windows if you want to enable the new sensor:
    image
  4. Select Enable.
  5. You can now close the GPSDirect software. The driver will remain loaded until you remove it.
    Note: There is an issue with the current version of GPSDirect, v 0.0.0.16, in that it does not reconnect to the COM port if the GPS is disconnected or turned off.
  6. Open the Location and Other Sensors applet in Control Panel and configure your sensor:
    image
    Pay special mind to who can use the sensor, as you may not want your location information used by all the selected users:
    image

Testing

Unfortunately there are very few applications that are able to use the location information a GPS device can provide. In fact I know of only one: the Windows Weather Desktop Gadget!

If you add this gadget to your desktop, and have your GPS working, it will automatically detect that your computer is “location aware” and try to automatically find the weather forecast for your location.

image

image

Notice the little “signal” icon in the gadget. This indicates that the location was determined by using the computer’s location framework.
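If you want to test the sensor without relying on the gadget, the .NET 4 System.Device assembly wraps the same Windows 7 Location API, and it also reports whether the current user has been granted access to the sensor, which ties back to the per-user setting in the Location and Other Sensors applet. This is an added example, not code from the original post or from GPSDirect; it assumes a location sensor is installed and .NET 4 is present.

```powershell
Add-Type -AssemblyName System.Device

function Get-PlatformLocation {
    param([int]$TimeoutSeconds = 30)
    $watcher = New-Object System.Device.Location.GeoCoordinateWatcher
    try {
        # $true suppresses the permission prompt, so a Denied result means the
        # sensor is not enabled for this user in the Control Panel applet rather
        # than the user having just dismissed a dialog.
        $started = $watcher.TryStart($true, [TimeSpan]::FromSeconds($TimeoutSeconds))
        if ($watcher.Permission -eq [System.Device.Location.GeoPositionPermission]::Denied) {
            return "Location access denied for this user (enable the sensor in Location and Other Sensors)"
        }
        if (-not $started -or $watcher.Position.Location.IsUnknown) {
            # No fix yet: GPSDirect does not reconnect if the GPS was turned off,
            # so check the COM port before blaming the platform.
            return "No position within $TimeoutSeconds s (status: $($watcher.Status))"
        }
        $loc = $watcher.Position.Location
        return New-Object PSObject -Property @{
            Latitude  = $loc.Latitude
            Longitude = $loc.Longitude
            AccuracyM = $loc.HorizontalAccuracy   # metres, as reported by the sensor
            Timestamp = $watcher.Position.Timestamp
        }
    } finally {
        $watcher.Stop()
        $watcher.Dispose()
    }
}

Get-PlatformLocation
```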

Don’t have a GPS?

If you do not own a GPS device but still want to play around with the location functionality, you can try the GeoSense application. GeoSense uses a hybrid mix of geolocation service providers and geolocation methods to pinpoint your location as accurately as possible. It currently supports Google Location Services (WiFi) and Google Location Services (IP), with several more under consideration. GeoSense is written natively for the Sensor and Location Platform, so you just have to install it to use it.

After installation you will have a new sensor in your Location and Other Sensors applet, which can be configured in the same way as GPSDirect (or any other location sensor).

image

Other uses

GPS is just one of many applications of the new framework. Especially for games I think we will see a whole new group of controllers that utilize the new API. One example of this is a driver written by Rajasekharan Vengalil, that lets you use the Nintendo Wiimote with Windows 7! Check it out here.
