Category Archives: Windows

Troubleshooting Forefront Endpoint Protection 2010 Installations

I had a hand in rolling out Forefront Endpoint Protection (FEP) for a customer recently. Some of our clients did not get FEP installed even though the SCCM client was installed and working correctly, and they had all prerequisites present and had successfully received the advertisement and downloaded the files from the distribution point (DP). It turned out that these clients were already running Microsoft Security Essentials (MSE), which FEP does not detect or uninstall. The solution was to manually uninstall MSE first and then wait for the next installation attempt from the SCCM client.

For future reference, these are the anti-malware products that FEP can detect and uninstall before it installs itself:

  • Symantec Endpoint Protection version 11
  • Symantec Corporate Edition version 10
  • McAfee VirusScan Enterprise version 8.5 and version 8.7
  • Trend Micro OfficeScan version 8.0 and version 10.0
  • Forefront Client Security version 1 including the Operations Manager agent

If you want to troubleshoot FEP deployments, here are some interesting log files:

  • C:\Documents and Settings\All Users\Programdata\Microsoft\Microsoft Security Client\Support\EppSetup.log
    (This folder also contains other interesting files regarding the FEP install.)

An overview of all SCCM 2007 logfiles is available here:


The Case of The Strange Folder Redirection Error

I was enabling Folder Redirection for some Windows 7 Professional machines, or rather, for the users of some Windows 7 Professional machines. The users already had a server based home directory with a My Documents folder, which also had data. The purpose of the operation was to, firstly, enable Folder Redirection, but also to merge the contents of the My Documents folder on the client machines with the My Documents folder on the network server. First, to see what kind of conflict resolution Folder Redirection had, I created a file with the same name (but different content) in both the local My Documents folder and the one on the server. After logging on the first time the Folder Redirection policy was active I found this error event in the Application log on the client machine:

Log Name:      Application
Source:        Microsoft-Windows-Folder Redirection
Event ID:      502
Level:         Error
User:          <domain>\<username>
Computer:      <computername>
Description: Failed to apply policy and redirect folder Documents to \\<servername>\<share>\<username>\Documents.
Redirection options=0x1001.
The following error occurred: Failed to copy files from C:\Users\<username>\Documents to \\<servername>\<share>\<username>\Documents.
details: This function is not supported on this system.

Originally I thought this was a problem with NTFS file permissions on the file server, but these were OK. After all, other clients were redirecting their folders without problem. Since the error details didn’t give me any clue I decided to try to remove my offending duplicate file. I deleted it from the client machine and on the next logon the My Documents folder redirected without problem.

The error in the log should have a better explanation of what is happening. Folder Redirection is definitely supported on Windows 7 Professional. The Folder Redirection specific event logs didn’t contain any more information either. The error text should have said something along the lines “File conflict; file X already exists”. Maybe in Windows 8.

Unfortunately I solved the problem before I had a chance to enable debug logging for the Folder Redirection Client Side Extension. Maybe that would have told me what the problem was. Should you want to enable debug logging for Folder Redirection you can do so with this command:

reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics" /v FdeployDebugLevel /d 0x0f /t REG_DWORD

If you are on Windows XP/2003 or earlier this will give you a log file: %windir%\debug\usermode\fdeploy.log. If you are running Windows Vista/2008 or newer you will simply get more events in the Windows event logs.

So, should you find yourself staring at this error in the middle of the night (or any other time), see if you have any duplicate files in the folders you are trying to redirect.

Happy redirecting!

UPDATE: The duplicate files I created were created by a different account than the user owning the client computer and home directory on the server. That means that the user actually owning the folders could not delete or move the duplicate file. That could also be the reason for this error. But the fact remains; it is still a very poor error message.

UPDATE 2: I have now had a chance to test the conflict resolution in Folder Redirection and from my tests it seems that the client wins if the same file (but with different content) exists on both the server where you are redirecting to and on the client. I performed the same experiment as outlined above; two files with the same name, one on the server and one on the client. This time they were both created by the user owning the client and the folder on the server. Upon the next logon the folder redirection policy took effect and the local files were copied to the server, merging them with the content that already existed there. But as I say, the copy of the identical file on the server was silently overwritten by the file on the client. So now you know.
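
A pre-flight check for the conflict described in this post, as an added example that is not from the original post: it lists files that exist under the same relative path in both the local folder and the redirection target, whether their content differs, and who owns each copy. The function name Find-RedirectionConflict and the demo folders are hypothetical, and it assumes PowerShell 4.0 or later (for Get-FileHash).

```powershell
# Added example (not from the original post). Assumes PowerShell 4.0+ on Windows.
function Find-RedirectionConflict {
    param(
        [Parameter(Mandatory = $true)] [string] $LocalPath,   # e.g. C:\Users\<username>\Documents
        [Parameter(Mandatory = $true)] [string] $ServerPath   # e.g. \\<servername>\<share>\<username>\Documents
    )
    $localRoot  = (Resolve-Path -LiteralPath $LocalPath).ProviderPath.TrimEnd('\')
    $serverRoot = (Resolve-Path -LiteralPath $ServerPath).ProviderPath.TrimEnd('\')

    # Walk every local file (hidden ones included) and look for a file with the
    # same relative path on the redirection target.
    Get-ChildItem -LiteralPath $localRoot -Recurse -File -Force | ForEach-Object {
        $relative   = $_.FullName.Substring($localRoot.Length).TrimStart('\')
        $serverFile = Join-Path -Path $serverRoot -ChildPath $relative
        if (Test-Path -LiteralPath $serverFile -PathType Leaf) {
            $localHash   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            $serverHash  = (Get-FileHash -LiteralPath $serverFile -Algorithm SHA256).Hash
            $localOwner  = (Get-Acl -LiteralPath $_.FullName).Owner
            $serverOwner = (Get-Acl -LiteralPath $serverFile).Owner
            [pscustomobject]@{
                RelativePath   = $relative
                # True: the two copies differ, so a merge would have to pick one
                # (in the post's test the client copy replaced the server copy).
                ContentDiffers = ($localHash -ne $serverHash)
                LocalOwner     = $localOwner
                ServerOwner    = $serverOwner
                # True: the copies have different owners, the situation described
                # in the first UPDATE above.
                OwnerDiffers   = ($localOwner -ne $serverOwner)
            }
        }
    }
}

# Constructed demo data in a temporary folder; "server" is a local stand-in for the share.
$demoRoot = Join-Path ([IO.Path]::GetTempPath()) ('fr-demo-' + [guid]::NewGuid())
$local    = (New-Item -ItemType Directory -Path (Join-Path $demoRoot 'local')).FullName
$server   = (New-Item -ItemType Directory -Path (Join-Path $demoRoot 'server')).FullName
Set-Content -LiteralPath (Join-Path $local  'report.txt')     -Value 'client copy'
Set-Content -LiteralPath (Join-Path $server 'report.txt')     -Value 'server copy'
Set-Content -LiteralPath (Join-Path $local  'same.txt')       -Value 'identical'
Set-Content -LiteralPath (Join-Path $server 'same.txt')       -Value 'identical'
Set-Content -LiteralPath (Join-Path $local  'local-only.txt') -Value 'no conflict'

# Lists report.txt (ContentDiffers = True) and same.txt (ContentDiffers = False);
# local-only.txt has no counterpart on the target and is not listed.
Find-RedirectionConflict -LocalPath $local -ServerPath $server | Format-Table -AutoSize

Remove-Item -LiteralPath $demoRoot -Recurse -Force
```

Run it as the user whose folder is being redirected, before the policy applies, so the hashes and owners reflect what that user can actually read on the share.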

Desktop.ini customizations do not take effect

You copy a desktop.ini file into a folder to customize and maybe localize it. You have correctly set the file’s attributes to Hidden, System and Read-Only, but still your customizations do not work. To make it work you need to set the Read-Only or System flags on the folder where the desktop.ini file resides. As I am sure you know, folders cannot be read-only, neither can they “remember” your settings so that all new files placed in the folder become read-only as well. So this flag is purely to tell Windows that this is a special folder and that it should look for a desktop.ini file inside it.

To change the attributes from the command line type:

attrib +R +S <your folder>

From PowerShell:

Set-ItemProperty <your folder> -Name Attributes -Value "ReadOnly,System"

It took me a while to figure this out so hopefully someone can make use of this info.

Here is a link to another issue where your desktop.ini customizations do not work:

OEM/BIOS Activating a Lenovo X1

I wanted to reinstall a Lenovo X1 portable computer. While preparing to wipe the machine I used ProduKey from NirSoft to extract the product keys for the installed software. This particular machine was sold with an OEM license, for which the product key was affixed under the machine. I quickly noticed that the key printed on the label did not match the one extracted from the machine with ProduKey. That meant that the machine was BIOS or OEM activated.

I now had two choices; I could bring the OEM activation with me over to my new install or just use the key printed on the sticker. The last option would have been the easiest, but that’s not how I roll. So how to “extract” the OEM activation?

A friend of mine had previously gone through just this scenario with a bunch of HP machines so I knew that the activation was dependent on a digital certificate, distributed by Lenovo with the machine and signed by Microsoft. Unfortunately the certificate file had been deleted by Lenovo setup. But the Lenovo recovery partition (Q:) included a WIM file called cdrivebackup.wim. This WIM was used by the recovery system to reinstall the machine in the event a failure occurred. It probably included the needed certificate. But first I had to make the contents of the recovery partition visible so I could easily copy the files to another computer and mount the WIM. This was accomplished by these two commands:

  • echo y | icacls "Q:\*" /grant Administrators:F /T
  • attrib -R -A -S -H "Q:" /S /D

I then copied the entire contents of the Q drive to a memory stick and mounted the WIM with DISM on another computer:

  • dism.exe /Mount-Wim /WimFile:h:\LenovoRecovery\FactoryRecvery\cdrivebackup.wim /index:1 /MountDir:D:\wimmount /ReadOnly

Now it was time to try and find the certificate (software license certificates have an xrm-ms extension):

  • dir d:\wimmount\*.xrm-ms /s

This command yielded many files but only the one called lenovo.xrm-ms in the d:\wimmount\swwork\OEM folder was of interest. I copied the file to a memory stick and proceeded to wipe the machine and reinstall Windows 7. After Windows 7 was installed I created a new folder under %windir%\system32\oem and copied the certificate into it. Now I could install the certificate and product key:

  • cscript %windir%\system32\slmgr.vbs -ilc %windir%\system32\oem\lenovo.xrm-ms
  • cscript %windir%\system32\slmgr.vbs -ipk 237XB-GDJ7B-MV8MH-98QJM-24367

Now, the product key is kind of interesting. This key will be accepted as a valid key by Windows, but will not be able to activate the machine without the certificate file. It’s kind of like a KMS client key, but instead of a KMS Host it needs a certificate. As far as I can tell this key is Lenovo specific so I hope I haven’t infringed on any copyrights etc. by posting it here.


Script to install Remote System Administration Tools (RSAT) for Windows 7 with Service Pack 1

Here is a quick script to just install, or install and enable the Windows 7 Remote System Administration Tools (RSAT) for Windows 7 with Service Pack 1. I created it for use with the software deployment functionality in System Center Configuration Manager, but it is not limited to that.

' InstallRSAT.vbs
' v 1.0 (15.06.2011)
' by Morgan Simonsen, Atea
' Detects system architecture, and installs and enables RSAT for Windows 7 with SP1, depending on submitted arguments.
' Usage:
' InstallRSAT.vbs </Install|/InstallAndEnable>
' /Install: just install RSAT, must be manually enabled
' /InstallAndEnable: install and enable RSAT (all components)
' If no arguments are submitted, /Install will be used.
' Arguments are CASE SENSITIVE!!!
'Enable/disable debugging
strDebug = 0
Set objWSHShell = WScript.CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")
'Get script arguments
Set objArgs = WScript.arguments
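If objArgs.Count = 0 Then
    ' No arguments submitted, defaulting to install (and not enable)
    strInstallAction = "/Install"
    Debug "No arguments submitted; defaulting to /Install"
Else
    strInstallAction = objArgs.item(0)
    Select Case strInstallAction
        Case "/Install"
            'Install action selected
            Debug "Install action selected"
        Case "/InstallAndEnable"
            'InstallAndEnable action selected
            Debug "InstallAndEnable action selected"
        Case Else
            'Invalid argument submitted; quitting!
            Debug "Invalid argument submitted; quitting!"
            WScript.Quit 1
    End Select
End If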
strScriptPath = objFSO.GetParentFolderName(WScript.ScriptFullName)
'Determine CPU Architecture
strComputer = "."
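Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colProcessors = objWMIService.ExecQuery("Select * from Win32_Processor")
For Each objProcessor in colProcessors
    ' Architecture is numeric (0 = x86, 9 = x64); convert it to a string to match the Case labels below.
    ' Note that this is the CPU architecture, which is not necessarily that of the installed OS.
    strProcessorArchitecture = CStr(objProcessor.Architecture)
Next
'strProcessorArchitecture = objWSHShell.ExpandEnvironmentStrings("%PROCESSOR_ARCHITECTURE%")
strWinDir = objWSHShell.ExpandEnvironmentStrings("%WINDIR%")
strWUSA = strWinDir & "\system32\wusa.exe"
strDISM = strWinDir & "\system32\dism.exe"
' Quote the package paths so that a script folder containing spaces still works
strx86Package = Chr(34) & strScriptPath & "\Windows6.1-KB958830-x86-RefreshPkg.msu" & Chr(34)
strx64Package = Chr(34) & strScriptPath & "\Windows6.1-KB958830-x64-RefreshPkg.msu" & Chr(34)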
Select Case strProcessorArchitecture
    Case "0"
        strProcessorArchitectureHumanReadable = "x86"
        strLogFile = chr(34) & strWinDir & "\Logs\RSAT Install (" & strProcessorArchitectureHumanReadable & ").log" & Chr(34)
        objWSHShell.Run (strWUSA & " " & strx86Package & " /quiet /norestart /log:" & strLogFile),0,True
        If strInstallAction = "/InstallAndEnable" Then
            Call EnableRSAT()
        End If
    Case "9"
        strProcessorArchitectureHumanReadable = "x64"
        strLogFile = chr(34) & strWinDir & "\Logs\RSAT Install (" & strProcessorArchitectureHumanReadable & ").log" & Chr(34)
        objWSHShell.Run (strWUSA & " " & strx64Package & " /quiet /norestart /log:" & strLogFile),0,True
        If strInstallAction = "/InstallAndEnable" Then
            Call EnableRSAT()
        End If
    Case Else
        'Unknown architecture; quitting!
End Select
Function EnableRSAT()
    ' Enable all RSAT components (and the IIS features they depend on) in a single DISM call
    objWSHShell.Run (strDISM & " /Online /Enable-Feature " & _
        "/FeatureName:IIS-LegacySnapIn " & _
        "/FeatureName:IIS-IIS6ManagementCompatibility " & _
        "/FeatureName:IIS-WebServerManagementTools " & _
        "/FeatureName:IIS-WebServerRole " & _
        "/FeatureName:IIS-Metabase " & _
        "/FeatureName:RemoteServerAdministrationTools " & _
        "/FeatureName:RemoteServerAdministrationTools-ServerManager " & _
        "/FeatureName:RemoteServerAdministrationTools-Roles " & _
        "/FeatureName:RemoteServerAdministrationTools-Roles-CertificateServices " & _
        "/FeatureName:RemoteServerAdministrationTools-Roles-CertificateServices-CA " & _
        "/FeatureName:RemoteServerAdministrationTools-Roles-CertificateServices-OnlineResponder " & _
        "/FeatureName:RemoteServerAdministrationTools-Roles-AD " & _
        "/FeatureName:RemoteServerAdministrationTools-Roles-AD-DS " & _
        "/FeatureName:RemoteServerAdministrationTools-Roles-AD-DS-SnapIns " & _
        "/FeatureName:RemoteServerAdministrationTools-Roles-AD-DS-AdministrativeCenter " & _
        "/FeatureName:RemoteServerAdministrationTools-Roles-AD-DS-NIS " & _
        "/FeatureName:RemoteServerAdministrationTools-Roles-AD-LDS " & _
        "/FeatureName:RemoteServerAdministrationTools-Roles-AD-Powershell " & _
        "/FeatureName:RemoteServerAdministrationTools-Roles-DHCP " & _
        "/FeatureName:RemoteServerAdministrationTools-Roles-DNS " & _
        "/FeatureName:RemoteServerAdministrationTools-Roles-FileServices " & _
        "/FeatureName:RemoteServerAdministrationTools-Roles-FileServices-Dfs " & _
        "/FeatureName:RemoteServerAdministrationTools-Roles-FileServices-Fsrm " & _
        "/FeatureName:RemoteServerAdministrationTools-Roles-FileServices-StorageMgmt " & _
        "/FeatureName:RemoteServerAdministrationTools-Roles-HyperV " & _
        "/FeatureName:RemoteServerAdministrationTools-Roles-RDS " & _
        "/FeatureName:RemoteServerAdministrationTools-Features " & _
        "/FeatureName:RemoteServerAdministrationTools-Features-BitLocker " & _
        "/FeatureName:RemoteServerAdministrationTools-Features-Clustering " & _
        "/FeatureName:RemoteServerAdministrationTools-Features-GP " & _
        "/FeatureName:RemoteServerAdministrationTools-Features-LoadBalancing " & _
        "/FeatureName:RemoteServerAdministrationTools-Features-SmtpServer " & _
        "/FeatureName:RemoteServerAdministrationTools-Features-StorageExplorer " & _
        "/FeatureName:RemoteServerAdministrationTools-Features-StorageManager"),0,True
End Function
Function Debug(data)
    If strDebug = 1 Then
        WScript.Echo data
    End If
End Function

Windows System Update Readiness Tool

A new tool is being offered through Windows Update; the System Update Readiness (SUR) Tool. It is designed to help diagnose and fix issues that are preventing Windows updates or Service Packs from installing correctly. According to the documentation it is only offered to systems that are experiencing one of the conditions that the tool could resolve. (How it can determine this without first running is beyond me.) The tool runs on Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2. Like the monthly Windows Malicious Software Removal Tool (WMSRT), it runs a one-time scan of your system to determine if it is experiencing one of the issues it can detect and fix. A log of this activity is written to %SYSTEMROOT%\Logs\CBS\CheckSUR.log. As of this writing the tool is presented in Windows Update as System Update Readiness Tool for Windows 7 for x64-based Systems (KB947821) [February 2011]. This leads me to believe that it will be updated and offered in new “versions” further on.

You can also download the tool manually and run it, check the first link below.

On one system I experienced an error when trying to install Windows Server 2008 R2 Service Pack 1; An unknown error has occurred; error code 0x800f0818. I ran the SUR Tool and it detected an error in the %SYSTEMROOT%\Servicing\Packages folder, which it was able to repair. After that SP1 installed successfully.

One strange thing to note in this case was that I was installing SP1 through Windows Update, and both SP1 and the SUR tool were selected for install. For some reason the SP1 install ran first and failed, then the SUR tool ran and repaired the error that prevented the Service Pack from installing. Should have been the other way around.

More info:

GPS Fun with the Windows 7 Sensor and Location Platform


Windows 7 has a new framework; the Windows Sensor and Location Platform. In short it is a system that enables the OS to utilize different sensors; e.g. a GPS device to track your location, a light sensor to dynamically adjust your screen brightness based on the ambient lighting, an accelerometer to use for games etc. I want to focus on GPS in this post.


Up until now; the usual way to connect a GPS device to your computer was for it to emulate a COM port and then send standard NMEA GPS data to the port at a specified baud rate. This worked OK in my opinion, but with the new framework the GPS device, or sensor, is exposed directly to the OS. No more intermediary COM ports. This works the same for any sensor, by the way.

GPS in action

As of this writing, there are very few devices compatible with the new framework out there. I only know of the USB GPS Devices from ublox. To work around this you can use Michael Chourdakis’ excellent GPSDirect driver that acts as a layer between a legacy GPS device that sends NMEA data through a COM port, and the Sensor and Location Platform.

To set this up do the following:

  1. Configure your GPS to work with Windows. This can be through Bluetooth, USB or special software for use with built in devices. When done you should have at least one new COM port that sends the GPS NMEA data, and you should also know the baud rate of this port. This screenshot is from the COM port associated with my HOLUX GPSlim236 device:
  2. Download and run the GPSDirect software and input the data from your COM port:
    Then hit Install.
  3. You should immediately be prompted by Windows if you want to enable the new sensor:
  4. Select Enable.
  5. You can now close the GPSDirect software. The driver will remain loaded until you remove it.
    Note: There is an issue with the current version of GPSDirect, v, in that it does not reconnect to the COM port if the GPS is disconnected or turned off.
  6. Open the Location and Other Sensors applet in Control Panel and configure your sensor:
    Pay special mind to who can use the sensor as you may not want your location information used by all the selected users:


Unfortunately there are very few applications that are able to use the location information a GPS device can provide. In fact I know of only one; the Windows Weather Desktop Gadget!

If you add this gadget to your desktop, and have your GPS working, it will automatically detect that your computer is “location aware” and try to automatically find the weather forecast for your location.



Notice the little “signal” icon in the gadget. This indicates that the location was determined by using the computer’s location framework.

Don’t have a GPS?

If you do not own a GPS device but still want to play around with the location functionality, you can try the GeoSense application. GeoSense uses a hybrid mix of geolocation service providers and geolocation methods to pinpoint your location as accurately as possible. It currently supports Google Location Services (WiFi) and Google Location Services (IP), with several more under consideration. GeoSense is written natively for the Sensor and Location Platform so you just have to install it to use it.

After installation you will have a new sensor in your Location and Other Sensors applet, which can be configured in the same way as GPSDirect (or any other location sensor).


Other uses

GPS is just one of many applications of the new framework. Especially for games I think we will see a whole new group of controllers that utilize the new API. One example of this is a driver written by Rajasekharan Vengalil, that lets you use the Nintendo Wiimote with Windows 7! Check it out here.

More info

Printing nuggets

Someone once told me “Users and printers take the fun out of the whole network.” The printing part I am inclined to agree with…

I met up with an old friend today that works for a large printer manufacturer and he imparted the following printing tips to me:

  • Disable bidirectional support on your printer
    This is done under the Sharing tab on the server:
    This will save traffic from the clients to the printer every time a user views the properties of the printer, thus speeding up the printer properties dialogue. If you install new equipment on the printer; temporarily enable bidirectional support to update the printer on the server.
  • Never use the driver drop down box
    This setting is found on the Advanced tab of the printer:
    Instead, use the New Driver button right next to it. If you use the drop down box it is a good chance that the printer will not load all the DLLs and other files that it needs. This is a common fault with printers not displaying the correct features etc.
  • Printer drivers use SNMP to query print devices for their supported features
    If you are having problems detecting the features of the printer, try to enable SNMP through any firewall that is between the server and the print device. Also, the SNMP functionality is usually implemented in the driver itself, and as such is not dependent on the SNMP functionality in Windows.
  • Universal printer drivers are usually slower than dedicated drivers
    This might be so, but the benefits of using only one driver per printer manufacturer far outweighs this problem, in my mind.

Happy printing!

Establishing a performance baseline


A performance baseline is a vital part of your system documentation. A baseline should be established immediately after a new system has entered production, and should be repeated at regular intervals. That way you can see how your system performs over time and make informed decisions about when a system will have to be upgraded etc.

Creating a baseline

The primary tool you use to capture a baseline on the Windows platform is Performance Monitor (or just Performance or PerfMon). PerfMon is an MMC snap-in that enables you to record various aspects of your system. These are called objects and counters. An object can be e.g. the Processor which in turn has several counters, e.g. % Processor Time.

Which counters?

Which counters you capture depends on the role of the system you are establishing a baseline for. The counters captured for a SQL server are different from those captured on an Exchange Server.
This list shows some important counters. The Role entry indicates which server role the counter is applicable to.

  • Object: Processor. Counter: % Processor Time. Role: All
    Definition: % Processor Time is the percentage of elapsed time that the processor spends to execute a non-Idle thread. It is calculated by measuring the duration the idle thread is active in the sample interval, and subtracting that time from interval duration. (Each processor has an idle thread that consumes cycles when no other threads are ready to run.) This counter is the primary indicator of processor activity, and displays the average percentage of busy time observed during the sample interval. It is calculated by monitoring the time that the service is inactive, and subtracting that value from 100%.
    Recommendations: A CPU time of more than 90 % for extended periods of time is generally regarded as a problem.
  • Object: Memory. Counter: Pages/sec. Role: All
    Definition: Pages/sec is the rate at which pages are read from or written to disk to resolve hard page faults. This counter is a primary indicator of the kinds of faults that cause system-wide delays. It is the sum of Memory\Pages Input/sec and Memory\Pages Output/sec. It is counted in numbers of pages, so it can be compared to other counts of pages, such as Memory\Page Faults/sec, without conversion. It includes pages retrieved to satisfy faults in the file system cache (usually requested by applications) and non-cached mapped memory files.
    Recommendations: Although it is normal to have some spikes, this counter generally remains at or close to zero.
  • Object: PhysicalDisk. Counter: Avg. Disk Queue Length. Role: All
    Definition: Avg. Disk Queue Length is the average number of both read and write requests that were queued for the selected disk during the sample interval.
    Recommendations: The number of requests should not exceed two times the number of spindles constituting the physical disk. If the number of requests is too high, you can add additional disks or replace the existing disks with faster disks.
  • Object: PhysicalDisk. Counter: Avg. Disk sec/Read
    Definition: Avg. Disk sec/Read is the average time, in seconds, of a read of data from the disk.
    Recommendations: Should not be above 25 ms.
  • Object: PhysicalDisk. Counter: Avg. Disk sec/Write
    Definition: Avg. Disk sec/Write is the average time, in seconds, of a write of data to the disk.
    Recommendations: Should not be above 25 ms.


Tool name, description and notes:

  • logman.exe: CLI utility included in Windows Server 2003 and newer. Logman manages the “Performance Logs and Alerts” service for creating and managing Event Trace Session logs and Performance logs.
  • perfmon.exe: Performance Monitor. Can also be launched by using perfmon.msc
  • Performance Analysis of Logs (PAL) Tool: Open source utility on Codeplex
  • ExPerfWiz: ExPerfWiz is a PowerShell-based script to help automate the collection of performance data on Exchange 2007 and Exchange 2010 servers.
  • LogWiz: Automate the collection of Performance monitor logs using logman.exe
  • relog.exe: Relog creates new performance logs from data in existing performance logs by changing the sampling rate and/or converting the file format. Supports all performance log formats, including Windows NT 4.0 compressed logs.
  • Typeperf.exe: Typeperf writes performance data to the command window or to a log file.
  • TraceRpt.exe: Tracerpt processes binary Event Trace Session log files or real-time streams from instrumented Event Trace providers and creates a report or a text (CSV) file describing the events generated.


Establish a one week performance baseline for a Domain Controller:
logman.exe create counter "Active Directory Baseline (1 Week)" -c "\Processor(*)\% Processor Time" "\NTDS\*" "\DNS\*" "\PhysicalDisk(*)\Avg. Disk Queue Length" "\Memory\Pages/sec" -max 50 -rf 168:00:00 -cnf
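
Once a baseline has been captured it can be checked against the recommendations listed for the counters above. The following is an added example, not part of the original post: it reads a PerfMon log in CSV form (for instance one converted with relog.exe -f csv) and flags counters that stay above their limit for several consecutive samples. The function name Test-PerfBaseline, its parameters, the choice of three consecutive samples as "extended" and the sample data are assumptions made for the illustration.

```powershell
# Added example (not from the original post). Function and parameter names are hypothetical.
function Test-PerfBaseline {
    param(
        [Parameter(Mandatory = $true)] [string[]] $CsvLines,
        [int] $Spindles = 1,          # assumption: same spindle count behind every physical disk
        [int] $SustainedSamples = 3   # assumption: this many consecutive samples count as "extended"
    )
    # Counter-path patterns mapped to the limits from the counter list above.
    # Memory\Pages/sec has no numeric limit on the page, so it is only reported.
    $limits = [ordered]@{
        '\\Processor\(.+\)\\% Processor Time$'           = 90
        '\\PhysicalDisk\(.+\)\\Avg\. Disk Queue Length$' = 2 * $Spindles
        '\\PhysicalDisk\(.+\)\\Avg\. Disk sec/Read$'     = 0.025
        '\\PhysicalDisk\(.+\)\\Avg\. Disk sec/Write$'    = 0.025
    }
    $rows    = @($CsvLines | ConvertFrom-Csv)
    $columns = $rows[0].PSObject.Properties.Name | Select-Object -Skip 1   # first column is the timestamp
    $style   = [Globalization.NumberStyles]::Float
    $culture = [Globalization.CultureInfo]::InvariantCulture

    foreach ($column in $columns) {
        $limit = $null
        foreach ($pattern in $limits.Keys) {
            if ($column -match $pattern) { $limit = $limits[$pattern]; break }
        }
        # PerfMon writes a blank for samples it could not compute (typically the first); skip those.
        $values = @(foreach ($row in $rows) {
            $number = 0.0
            if ([double]::TryParse($row.$column, $style, $culture, [ref] $number)) { $number }
        })
        if ($values.Count -eq 0) { continue }

        # Longest run of consecutive samples above the limit.
        $run = 0; $longest = 0
        foreach ($value in $values) {
            if ($null -ne $limit -and $value -gt $limit) {
                $run++
                if ($run -gt $longest) { $longest = $run }
            } else {
                $run = 0
            }
        }
        [pscustomobject]@{
            Counter        = $column
            Samples        = $values.Count
            Average        = [math]::Round(($values | Measure-Object -Average).Average, 3)
            Limit          = $limit
            LongestRunOver = $longest
            Flagged        = ($null -ne $limit -and $longest -ge $SustainedSamples)
        }
    }
}

# Constructed sample in PerfMon CSV layout (server name, timestamps and values are made up).
$sample = @'
"(PDH-CSV 4.0) (UTC)(0)","\\DC01\Processor(_Total)\% Processor Time","\\DC01\Memory\Pages/sec","\\DC01\PhysicalDisk(0 C:)\Avg. Disk Queue Length","\\DC01\PhysicalDisk(0 C:)\Avg. Disk sec/Read"
"02/01/2011 10:00:00.000"," ","0.0","0.4","0.004"
"02/01/2011 10:00:15.000","35.2","0.0","0.5","0.030"
"02/01/2011 10:00:30.000","93.1","12.0","2.5","0.006"
"02/01/2011 10:00:45.000","95.4","0.0","0.3","0.005"
"02/01/2011 10:01:00.000","97.0","0.0","0.2","0.004"
"02/01/2011 10:01:15.000","40.3","0.0","0.2","0.004"
'@ -split "`r?`n"

# Flags only the processor counter: three consecutive samples above 90 %.
# The disk counters each exceed their limit once, which is treated as a spike.
Test-PerfBaseline -CsvLines $sample -Spindles 1 | Format-Table -AutoSize
```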