chentiangemalc

Netsh Trace–Use It!

chentiangemalc — Tue, 21 Feb 2012 21:26:16 +0000

One of the great advantages of Windows 7/2008 R2 is the built in network tracing capability. (I think this was included in Vista/Server 2008 but that memory has been erased from my mind)

NetSh itself has now become a vastly powerful command line tool – I highly recommend anyone providing support on Windows systems to examine all the options available here.

In the past if you wanted to do network packet tracing you needed to install a tool on end user’s machine such as WireShark or Microsoft Network Monitor. With Windows 7 that is no longer necessary.

Advantages of using NetSh Tracing:

Nothing to install
Ability to do persistent tracing (Across reboots)
Circular logging capability – so you can leave monitoring running indefinitely until issue re-occurs
Ability to focus monitoring on specific scenario
Packet traces are viewable in Microsoft’s Network Monitor with Windows parser enabled. This also allows us to see MS traffic in “Friendly” translation – i.e. SMB / WMI traffic is presented pretty nicely.
Ability to generate reports along with packet trace which includes just about everything you need to know related to the network, all gets stored in a single .CAB for easy transportation

So first – how do we start tracing?

A basic way to start persistent across reboots, circular logging, with report is

netsh trace start capture=YES report=YES persistent=YES

then when you want to stop tracing

netsh trace stop

You will get a .CAB file (Report) and .ETL file (Capture)

Included in .CAB file is

Report (Report.html / Report.xml / Report.xsl / Report.etl)

The HTML report looks like this

The Report.etl can be viewed in Microsoft Network Monitor. This contains hardware/process/software information

You will also get a string of .xml files with GUIDs in filename. These are all the network profiles on the machine

For example:

Under the Config folder of the CAB file you get the following files:

adapterinfo.txt – All installed network drivers Description, Hardware ID, GUID, Version and Provider
ConfigData.xml – some useless? data about the CAB file
Dns.txt – Combined output of IPCONFIG /DISPLAYDNS, NETSH NAMESPACE SHOW EFFECTIVE and NETSH NAMESPACE SHOW POLICY
envinfo.txt – Detailed info on Wireless & Wired adapters and network profiles. Info would include what Authentication and cipher modes your wireless adapter supported, if it supports 802.1a/b/g/n, if FIPS 140-2 mode supported, etc.

FileSharing.txt – Combined output of NBTSTAT –N, NBTSTAT –C, NET CONFIG RDR, NET CONFIG SRV, NET SHARE
GPInfo.xml – some useless? data
gpresult.txt – gpresult /v output.
LocaleMetaData – folder with MTA log files for WCM, Windows Firewall, Wireless/Wired Auto Config
Neighbors.txt – Combined output of ARP –A, NETSH INT IPV6 SHOW NEIGHBORS
netevents.xml – Some network events (i.e. FWPM_NET_EVENT_TYPE_CLASSIFY_DROP) in XML format
neteventslog.txt – to advise you above XML was generated successfully
netiostate.txt – Teredo parameters
osinfo.txt – Architecture & build version of OS. Some info like if OS was installed as upgrade or clean, if running on battery, output of SystemInfo. User name/domain/profile location
SSOInfo.xml – more useless? info
sysports.xml – system ports. related to Teredo / IP Helper service (I think)
sysportslog.txt – advising you above was generated sucessfully
upgMigInfo.xml – useless?
WCMLog.evtx – The Microsoft-Windows-Wcmsvc/Operational log (Windows Connection Manager)
WcnInfo.txt – Service status of wcnsvc, wlansvc, eaphost, fdrespub, upnphost, eaphost, WCN DLL file version info, network adapter info, network discovery status for current profile, current firewall profile information,
wfpfilters.xml – WFP filter info
wfplog.log – advising above log got generated successfully
wfpstate.xml – WFP state info
wfpstatelog.txt – adivising above log got generated sucessfully
WindowsFirewallConfig.txt – Windows Firewall Configuration

WindowsFirewallConsecLog.evtx – Windows firewall event log
WindowsFirewallConsecLogVerbose.evtx – Windows firewall event log
WindowsFirewallEffectiveRules.txt – Windows firewall effective rules
WindowsFirewallLog.evtx – Windows firewall event log
WindowsFirewallLogVerbose.evtx – Windows firewall event log
WinsockCatalog.txt – Details of all installed Winsock Catalog Providers
WLANAutoConfigLog.evtx – Wired LAN Auto-Config event log
WWANLog.evtx – Wireless LAN Auto-Config event log

When performing tracing your full options available are:

Usage: trace start [[scenario=]]
    [[globalKeywords=]keywords] [[globalLevel=]level]
    [[capture=]yes|no] [[report=]yes|no]
    [[persistent=]yes|no] [[traceFile=]path\filename]
    [[maxSize=]filemaxsize] [[fileMode=]single|circular|append]
    [[overwrite=]yes|no] [[correlation=]yes|no|disabled] [capturefilters]
    [[provider=]providerIdOrName] [[keywords=]keywordMaskOrSet]
    [[level=]level] [[provider=]provider2IdOrName]
    [[keywords=]keyword2MaskOrSet] [[level=]level2] …

Defaults:
    capture=no (specifies whether packet capture is enabled in addition to trace events)
    report=no (specifies whether a complementing report will be generated along with the trace file)
    persistent=no (specifies whether the tracing session continue across reboots, and is on until netsh trace stop is issued)
    maxSize=250 MB (specifies the maximum trace file size, 0=no maximum)
    fileMode=circular
    overwrite=yes (specifies whether an existing trace output file will be overwritten)
    correlation=yes (specifies whether related events will be correlated and grouped together)
    traceFile=%LOCALAPPDATA%\Temp\NetTraces\NetTrace.etl
        (specifies location of the output file)

Provider keywords default to all and level to 255 unless otherwise specified.

For example:

netsh trace start scenario=InternetClient capture=yes

Starts tracing for the InternetClient scenario and dependent providers with packet capture enabled.
Tracing will stop when the “netsh trace stop” command is issued or when the system reboots. Default location and name will be used for the output file. If an old file exists, it will be overwritten.

netsh trace start provider=microsoft-windows-wlan-autoconfig
keywords=state,ut:authentication

    Starts tracing for the microsoft-windows-wlan-autoconfig provider. Tracing will stop when the “netsh trace stop” command is issued or when the system reboots.
    Default location and name will be used for the output file. If an old file exists, it will be overwritten.
    Only events with keyword ‘state’ or ‘ut:authentication’ will be logged.

netsh trace show provider command can be used to display
supported keywords and levels.

Capture Filters:
Capture filters are only supported when capture is explicitly enabled with capture=yes. Use ‘netsh trace show CaptureFilterHelp’ to display a list of supported capture filters and their usage.

Now about supported specific scenarios. On Windows Developer Preview when running netsh show scenarios I get the following

AddressAcquisition       : Troubleshoot address acquisition-related issues
DirectAccess             : Troubleshoot DirectAccess related issues
FileSharing              : Troubleshoot common file and printer sharing problems
InternetClient           : Diagnose web connectivity issues
InternetServer           : Set of HTTP service counters
L2SEC                    : Troubleshoot layer 2 authentication related issues
LAN                      : Troubleshoot wired LAN related issues
Layer2                   : Troubleshoot layer 2 connectivity related issues
MBN                      : Troubleshoot mobile broadband related issues
NDIS                     : Troubleshoot network adapter related issues
NetConnection            : Troubleshoot issues with network connections
P2P-Grouping             : Troubleshoot Peer-to-Peer Grouping related issues
P2P-PNRP                 : Troubleshoot Peer Name Resolution Protocol (PNRP) related issues
RemoteAssistance         : Troubleshoot Windows Remote Assistance related issues
RPC                      : Troubleshoot issues related to RPC framework
WCN                      : Troubleshoot Windows Connect Now related issues
WFP-IPsec                : Troubleshoot Windows Filtering Platform and IPsec related issues
WLAN                     : Troubleshoot wireless LAN related issues

When running netsh trace show providers I get over 850 different providers. If you want to examine these, run it on your machine.

Running netsh trace show CaptureFilterHelp I get the following info:

Capture Filters:
Capture filters are only supported when capture is explicitly
enabled with capture=yes. Supported capture filters are:

    CaptureInterface=
     Enables packet capture for the specified interface name or GUID. Use
     ‘netsh trace show interfaces’ to list available interfaces.
    e.g. CaptureInterface={716A7812-4AEE-4545-9D00-C10EFD223551}
    e.g. CaptureInterface=!{716A7812-4AEE-4545-9D00-C10EFD223551}
    e.g. CaptureInterface=”Local Area Connection”

    Ethernet.Address=
     Matches the specified filter against both source and destination
     MAC addresses.
    e.g. Ethernet.Address=00-0D-56-1F-73-64

    Ethernet.SourceAddress=
     Matches the specified filter against source MAC addresses.
    e.g. Ethernet.SourceAddress=00-0D-56-1F-73-64

    Ethernet.DestinationAddress=
     Matches the specified filter against destination MAC addresses.
    e.g. Ethernet.DestinationAddress=00-0D-56-1F-73-64

    Ethernet.Type=
     Matches the specified filter against the MAC ethertype.
    e.g. Ethernet.Type=IPv4
    e.g. Ethernet.Type=NOT(0x86DD)
    e.g. Ethernet.Type=(IPv4,IPv6)

    Wifi.Type=
     Matches the specified filter against the Wifi type. Allowed values
     are ‘Management’ and ‘Data’. If not specified, the Wifi.Type filter
     is not applied.
     Note: This capture filter does not support ranges, lists or negation.
    e.g. Wifi.Type=Management

    Protocol=
     Matches the specified filter against the IP protocol.
    e.g. Protocol=6
    e.g. Protocol=!(TCP,UDP)
    e.g. Protocol=(4-10)

    IPv4.Address=
     Matches the specified filter against both source and destination
     IPv4 addresses.
    e.g. IPv4.Address=157.59.136.1
    e.g. IPv4.Address=!(157.59.136.1)
    e.g. IPv4.Address=(157.59.136.1,157.59.136.11)

    IPv4.SourceAddress=
     Matches the specified filter against source IPv4 addresses.
    e.g. IPv4.SourceAddress=157.59.136.1

    IPv4.DestinationAddress=
     Matches the specified filter against destination IPv4 addresses.
    e.g. IPv4.DestinationAddress=157.59.136.1

    IPv6.Address=
     Matches the specified filter against both source and destination
     IPv6 addresses.
    e.g. IPv6.Address=fe80::5038:3c4:35de:f4c3\%8
    e.g. IPv6.Address=!(fe80::5038:3c4:35de:f4c3\%8)

    IPv6.SourceAddress=
     Matches the specified filter against source IPv6 addresses.
    e.g. IPv6.SourceAddress=fe80::5038:3c4:35de:f4c3\%8

    IPv6.DestinationAddress=
     Matches the specified filter against destination IPv6 addresses.
    e.g. IPv6.DestinationAddress=fe80::5038:3c4:35de:f4c3\%8

    CustomMac=
     Matches the specified filter against the value at the specified
     offset starting with the MAC header.
     Note: This capture filter does not support ranges, lists or negation.
    e.g. CustomMac=UINT8(0×1,0×23)
    e.g. CustomMac=ASCIISTRING(3,test)
    e.g. CustomMac=UNICODESTRING(2,test)

    CustomIp=
     Matches the specified filter against the value at the specified
     offset starting with the IP header.
     Note: This capture filter does not support ranges, lists or negation.
    e.g. CustomIp=UINT16(4,0×3201)
    e.g. CustomIp=UINT32(0×2,18932)

    CaptureMultiLayer=
     Enables multi-layer packet capture.
     Note: This capture filter does not support ranges, lists or negation.

    PacketTruncateBytes=
     Captures only the the specified number of bytes of each packet.
     Note: This capture filter does not support ranges, lists or negation.
    e.g. PacketTruncateBytes=40

Note:
    Multiple filters may be used together. However the same filter may
    not be repeated.
    e.g. ‘netsh trace start capture=yes Ethernet.Type=IPv4
          IPv4.Address=157.59.136.1′

    Filters need to be explicitly stated when required. If a filter is
    not specified, it is treated as “don’t-care”.
     e.g. ‘netsh trace start capture=yes IPv4.SourceAddress=157.59.136.1′
          This will capture IPv4 packets only from 157.59.136.1, and it
          will also capture packets with non-IPv4 Ethernet Types, since
          the Ethernet.Type filter is not explicitly specified.
     e.g. ‘netsh trace start capture=yes IPv4.SourceAddress=157.59.136.1
           Ethernet.Type=IPv4′
          This will capture IPv4 packets only from 157.59.136.1. Packets
          with other Ethernet Types will be discarded since an explicit
          filter has been specified.

    Capture filters support ranges, lists and negation (unless stated
    otherwise).
     e.g. Range: ‘netsh trace start capture=yes Ethernet.Type=IPv4
                  Protocol=(4-10)’
          This will capture IPv4 packets with protocols between 4 and 10
          inclusive.
     e.g. List: ‘netsh trace start capture=yes Ethernet.Type=(IPv4,IPv6)’
          This will capture only IPv4 and IPv6 packets.
     e.g. Negation: ‘netsh trace start capture=yes Ethernet.Type=!IPv4′
          This will capture all non-IPv4 packets.

    Negation may be combined with lists in some cases.
     e.g. ‘netsh trace start capture=yes Ethernet.Type=!(IPv4,IPv6)’
           This will capture all non-IPv4 and non-IPv6 packets.

    ‘NOT’ can be used instead of ‘!’ to indicate negation. This requires
    parentheses to be present around the values to be negated.
     e.g. ‘netsh trace start capture=yes Ethernet.Type=NOT(IPv4)’

The level= option is not documented in the netsh command line help, but is documented here http://msdn.microsoft.com/en-us/library/windows/desktop/dd569142(v=vs.85).aspx

The levels are from 1-5

1 – Critical – Only critical events will be shown.
2 – Errors – Critical events and errors will be shown.
3 –Warnings – Critical events, errors, and warnings will be shown.
4 –Informational – Critical events, errors, warnings, and informational events will be shown.
5 – Verbose – All events will be shown.

Finally some tips for your monitoring:

If network monitoring Outlook traffic disable encryption for period of monitoring (During this period someone with network access between you and exchange server can potentially monitor what your emails that are sent/received/etc)
If monitoring http/https traffic please consider using Fiddler2 (http://www.fiddler2.com)
When installing Microsoft Network Monitor (http://www.microsoft.com/download/en/details.aspx?id=4865) always install afterwards the latest parsers from http://nmparsers.codeplex.com/
Viewing .ETL packet captures in network monitor you must set Windows parser. This is in Microsoft Network Monitor’s Tools | Options menu

Enjoy NetSh Trace. Let me know your NetSh success stories!

Case of the Disappearing PDF

chentiangemalc — Wed, 15 Feb 2012 20:55:40 +0000

Yesterday a colleague showed me an interesting problem. Opening a PDF from Internet Explorer would result in the following error message

There was an error opening this document. This file cannot be found.

(Apologies to the world; we were unfortunately forced to be using Windows XP and IE6 in this scenario)

To make it more interesting this only occurred for certain PDFs. Even more interesting it only occurred for certain PDFs when opened with Exchange 2010 Outlook Web Access. Way more interesting is fact the exact same PDF would work when opening the attachment if sent from certain people. On top of all this – logging onto the machine as another user, the exact same attachments all opened fine.

First tried clearing cache and trying IE with add-ins disabled. Unfortunately Adobe still failed spectacularly so we started ProcMon. (http://live.sysinternals.com/ProcMon.exe)

A ProcMon a day keeps the bugs at bay.

So with my filter set to include only items with Path contains .pdf we were ready for action

So the file is there and then suddenly disappeared. How did that happen?

I think this is a perfect example of even if you are not a Win32 developer some basic knowledge of how Windows APIs work is very helpful. With calls like CreateFile and CloseFile you might think deleting a file will show up as DeleteFile…but no. A lot of people I notice get confused by this so some explanation here.

Firstly CreateFile can be used to create files, but it is also the API used to open files. (http://msdn.microsoft.com/en-us/library/windows/desktop/aa363858(v=vs.85).aspx)

If we look at the Details column in ProcMon for the CreateFile event we can use Delete access was requested

While Windows does have DeleteFile API (http://msdn.microsoft.com/en-us/library/windows/desktop/aa363915(v=vs.85).aspx) you will never see DeleteFile in ProcMon. Instead we will see SetDispositionInformationFile event with Delete: True in the details column.

A single DeleteFile call will result in the following (or similar) operations appearing in ProcMon

OK enough going off track.

Now we know why Adobe can’t find the file. Internet Explorer deleted the file, but why?

I selected the CreateFile event, right clicked Properties and in vain checked the Stack tab for some clues…

No luck there so I now turned to my favourite web debugging proxy – http://www.fiddler2.com – Don’t leave home without it

I now wanted to compare request/response headers of working/broken versions, and also to confirm the PDF downloaded correctly.

As these sites were https:// based I had to enable Decrypt HTTPS option in Tools | Fiddler Options…

At this stage you will be prompted if you want to install the Fiddler Root Certificate so you won’t get https warnings when logging with Fiddler. If logging on a users machine remember to Remove Interception Certificates when done.

Enabling this feature requires restarting Fiddler.

So we logged our first broken/working scenario – opening the attachment from same email; but using different Outlook Web Access server.

I used Ctrl+F and searched for PDF. This highlights all web request/responses containing text PDF

The broken PDF

I first checked the file itself downloaded correctly. I saved the PDF by right clicking the event and saving the Response Body. PDF opens fine. So this at least rules out some kind of download/file corruption…

Next I compared the response headers from the working/broken PDFs

Broken Response Header
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/pdf; authoritative=true;
Expires: Mon, 13 Feb 2012 23:40:06 GMT
Server: Microsoft-IIS/7.5
X-OWA-Version: 14.1.323.3
Content-Disposition: attachment; filename=”Tide_Tables.pdf”
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
X-UA-Compatible: IE=EmulateIE7
Date: Tue, 14 Feb 2012 23:40:06 GMT
Connection: Keep-Alive
Content-Length: 3216993
Vary: Accept-Encoding

Working Response Header
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 3216993
Content-Type: application/pdf
Expires: Mon, 13 Feb 2012 23:42:43 GMT
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-OWA-Version: 8.2.234.1
Content-Disposition: attachment; filename=”Tide_Tables.pdf”
X-Powered-By: ASP.NET
Date: Tue, 14 Feb 2012 23:42:43 GMT
Connection: keep-alive

A quick search around the internet found many people complaining about issues opening PDFs from IIS/7.5. Microsoft had a hot-fix available here

http://support.microsoft.com/kb/979543

But unfortunately our scenario didn’t match that of the KB article…

So we then tried our next scenario – the same PDF, opened with same Outlook Web Access, just sent by different people.

In this case the only difference we saw was broken PDF had

Content-Type: application/pdf; authoritative=true;

Where as working PDF had

Content-Type: application/octet-stream

It seems when email had been attached by different email programs it may have resulted in a different content type being used.

But this didn’t explain … why did it work as a different user?

If it worked as a different user I suspected the Request Header must be different; thus resulting in a different Response

The broken user had HTTP request that looked like this:

GET /owa/attachment.ashx?attach=1&id=RgAAAAD6A0B1FqqoQ69T0wAFn9y3BwBqT9ej25owTbmDHT%2bj1249AAAANkksAAAr69Y%2fPZnDSY%2f2aPbTHl1AAAAAAHjAAAAJ&attid0=BAAAAAAA&attcnt=1 HTTP/1.0
Accept: */*
Referer: https://webmail.somecompany.com.au/owa/?ae=Item&t=IPM.Note&id=RgAAAAD6A0B1FqqoQ69T0wAFn9y3BwBqT9ej25owTbmDHT%2bj1249AAAANkksAAAr69Y%2fPZnDSY%2f2aPbTHl1AAAAAAHjAAAAJ
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: webmail.somecompany.com.au
Connection: Keep-Alive
Cookie: s_vi=[CS]v1|279D7657051D31A9-4000012880032DB2[CE]; s_cc=true; s_sq=%5B%5BB%5D%5D; BIGipServerH_Exchange_2010__single_owa_pool=691176970.47873.0000; OutlookSession=88af8ba7095647cd9ba6e1f4e43812c6; PBack=0; sessionid=3c6fef26-a905-4db0-adb7-4c5a17324685; cadata=”4SpfNuAR3tXBNnDdHk2D8oOV4S6+gG68tDjP3s1QSd7LDfky1FBC0d8vA64/RP18oLHmFAxn+9Z1v6J04QlPueJ/UO4fhHtdfAA5gOmG1lT0=”; UserContext=df3e2c771f5844ebada88e3c33f78d04; tzid=AUS Eastern Standard Time
X-NovINet: v1.2

The working user had HTTP request that looked like this:

GET /owa/attachment.ashx?attach=1&id=RgAAAAD6A0B1FqqoQ69T0wAFn9y3BwBqT9ej25owTbmDHT%2bj1249AAAANkksAAAr69Y%2fPZnDSY%2f2aPbTHl1AAAAAAHjAAAAJ&attid0=BAAAAAAA&attcnt=1 HTTP/1.1
Accept: */*
Referer: https://webmail.somecompany.com.au/owa/?ae=Item&t=IPM.Note&id=RgAAAAD6A0B1FqqoQ69T0wAFn9y3BwBqT9ej25owTbmDHT%2bj1249AAAANkksAAAr69Y%2fPZnDSY%2f2aPbTHl1AAAAAAHjAAAAJ
Accept-Language: en-au
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: webmail.somecompany.com.au
Connection: Keep-Alive
Cookie: s_vi=[CS]v1|279D89BF851D0ADC-40000102000171FB[CE]; s_cc=true; s_sq=%5B%5BB%5D%5D; BIGipServerH_Exchange_2010__single_owa_pool=691176970.47873.0000; OutlookSession=b8a42aafc1d7412dab3ec1bd16a5c4e0; PBack=0; sessionid=6af1def4-40c6-4f0b-94fa-38c2066d45b5; cadata=”49TqgrxdNz9t7TdPNGwNXhyqNxcFpTsqdxi7qx2AVgwN/SM3SbGxNefHDKnjac15+cyh3hNjfJLHeF6L13gNG0W5OafxFtd41FtBeOwozv3w=”; UserContext=570d6a25896947b980468b2e0a9d5bed; tzid=AUS Eastern Standard Time
X-NovINet: v1.2

So did you spot the difference? The working user’s GET command is specifying HTTP/1.1 which also allows for the use of the Accept-Encoding: gzip, deflate. The broken user’s GET command was HTTP/1.0. For a detailed explanation on key differences between HTTP/1.0 and HTTP/1.1 refer to http://www8.org/w8-papers/5c-protocols/key/key.html

Checking user’s Internet Options confirmed HTTP/1.1 was disabled; enabling Use HTTP 1.1 and Use HTTP 1.1 through proxy connections all PDFs opened happily.

As for why IE chose to delete the PDF even though it downloaded fine; that is still a mystery to me. If you have any idea let me know (I would have spent more time figuring out why on IE9/10 but IE6 my care factor dropped to zero)

Case of the Quirky CreateElement and the Empty Drop-Down List

chentiangemalc — Mon, 06 Feb 2012 12:27:46 +0000

I am not a web developer, but sometimes old school websites (i.e. IE6 days) stand in the way of deploying new operating systems and technical progress. So even if you’re not a developer some basic web debugging skills are very useful.

So I was at Tullamarine (Melbourne) Airport today and my 3G speeds where just unbelievably bad so I thought I’d try the Qantas access point…

I was using Windows Developer Preview and connected to access point OK. However the page to enter credit card just did not work, no expiry date was selectable:

And no, this wasn’t some gadget purchase prevention software installed by my wife…

Right clicking the page I selected View Source

So these are lists that must get populated at runtime…now to help debug this we’ll hit F12 to get the Developer Toolbar, available in IE9 and later.

I selected the Scripts tab and searched for CreditCardExpiryMonth

I then searched for this function InitializeComplete

So I selected InitializeDom(); at the beginning of Initialize function and hit F9 to set a breakpoint there. I then hit Start Debugging

OK so we stop at my breakpoint so we know the Initialize() function is executing. I hit F5 after the breakpoint to keep going…

Mouse over the el we can see why:

The site is trying to createElement with embedded HTML control characters. As IE9 and later operate in standards mode by default this is not allowed…

Of course if you had checked the IE9 compatibility cookbook you would have known this already, with example on how to fix such code:

http://msdn.microsoft.com/en-us/library/ff986077(v=vs.85).aspx

For the IE10 developers guide refer here http://msdn.microsoft.com/en-us/library/hh673549(v=vs.85).aspx

If you didn’t use the debugger you could also enable breaking on script errors, which is disabled by default. (try browse the internet with that setting and you’ll quickly realize why it’s disabled by default)

In this case the page from user’s point of view can be fixed by clicking compatibility view icon in address bar

From a system administrators point of view if we couldn’t get the website updated we could deploy the compatibility view setting via group policy.

Some other freely available IE compatibility tools you can use if developing/testing sites:

Microsoft provided VHD virtual machines with Windows XP IE6, Windows Vista IE7, Windows 7 IE8 and Windows 7 IE9 here http://www.microsoft.com/download/en/details.aspx?id=11575
Use Fiddler http://www.fiddler2.com in combination with IE10 compat inspector http://blogs.msdn.com/b/ie/archive/2012/01/20/ie10-compat-inspector.aspx
Microsoft Application Compatibility Toolkit includes an IE8 compatibility monitoring utility. http://www.microsoft.com/download/en/details.aspx?id=7352

Case of the Broken UAC Prompt – Extended Attributes are Inconsistent

chentiangemalc — Thu, 26 Jan 2012 11:59:36 +0000

One day while happily working away on my liquid cooled Windows Developer Preview beast I came across this error when launching regedit:

Pretty quickly I found every program that tried to elevate to Administrative privileges had this problem. The UAC prompt to click Yes/No appeared very briefly then was rapidly replaced with this error message. Unfortunately this also applied to my beloved ProcMon.

So what to do?

First to find out to whom the dialog box belonged. Using Process Explorer (http://live.sysinternals.com/ProcExp.exe) and the feature to drag a target over a Windows to identify the process I found out the message box belonged to cmd.exe if run from Command Prompt, or Explorer.exe if launched from Explorer.

As WinDbg doesn’t require admin privilege (for limited user mode debugging of non-elevated processes) it was my debugging tool of choice. WinDbg is included in Windows SDK, which is available for free download here http://www.microsoft.com/download/en/details.aspx?id=8279

I first opened C:\windows\system32\cmd.exe using File –> Open Executable

I wanted to ensure any child processes got debugged as well so ran command

.childdbg 1

I then hit g to make the debugger go. Each time a new process starts you will see message like

ntdll!RtlUserThreadStart:
000007fb`a5323c64 4883ec48 sub rsp,48h

You will need to hit g again to continue further. I then launched regedit from my debugged cmd.exe. Now there are a few potential types of message boxes in Windows, so to make it easy to find out which one was being used, when I got the error message dialog box I hit ‘Break’ on the debugger and typed

!analyse –v –hang

In the stack trace I found the function that generated the message box, so I set a breakpoint for it:

bp SHELL32!SHSysErrorMessageBox

(don’t worry about could not resolve error message here)

and typed

.restart on my process

Which showed me the following:

Breakpoint 0 hit
SHELL32!SHSysErrorMessageBox:
000007fb`a342fb60 fff3 push rbx
0:000> kv <- stack trace, find what functions got called before message box
Child-SP RetAddr : Args to Child : Call Site
00000056`e904dfe8 000007fb`a349fe8d : 00000000`0000104c 00000000`0000007f 00000056`e92b74c0 00000000`000000ff : SHELL32!SHSysErrorMessageBox
00000056`e904dff0 000007fb`a33d216e : 00000056`e927fea0 00000000`00230e74 00000000`000000ff 00000000`00000000 : SHELL32!_ExecErrorMsgBox+0x23d
00000056`e904f0b0 000007fb`a32ee389 : 00000056`e904f1f0 00000056`e904f1f0 00000000`00000000 00000000`00000000 : SHELL32!CShellExecute::_DoExecute+0x33f
00000056`e904f130 000007fb`a32ee29d : 00000056`e927fea0 00000000`00008140 00000000`00000000 00000056`e904f1f0 : SHELL32!CShellExecute::ExecuteNormal+0×95
00000056`e904f160 000007fb`a32ee214 : 00000056`e904f1f0 000007fb`a37743e0 00000056`e904f1f0 00000056`e904f080 : SHELL32!ShellExecuteNormal+0x4d
00000056`e904f190 000007fb`99322faa : 00000000`00000000 00000000`00000000 00000000`00000000 00000056`e904f080 : SHELL32!ShellExecuteExW+0×54
00000056`e904f1c0 000007f6`ca0e5429 : 00000056`e9277b30 00000056`e927a300 00000056`e92755f0 000007f6`ca12d360 : fsutilext!ShellExecuteWorker+0x7e
00000056`e904f270 000007f6`ca0e5a3b : 00000056`e927bd50 00000000`00000000 00000056`e9261820 00000056`e92755f0 : cmd!ExecPgm+0x5b0
00000056`e904f530 000007f6`ca0e8158 : 00000000`00000000 00000056`e9261820 00000000`00000000 00000056`e9261820 : cmd!ECWork+0xd7
00000056`e904f790 000007f6`ca0e1306 : 00000000`0000de5c 00000056`e9261820 00000000`00000000 000007f6`ca0e16a1 : cmd!FindFixAndRun+0x54e
00000056`e904fc30 000007f6`ca10beb0 : 00000056`e9261820 000007f6`ca113890 00000056`e9261820 00000000`000000ff : cmd!Dispatch+0xab
00000056`e904fce0 000007f6`ca0f3a68 : 00000000`00000001 00000000`00000000 00000000`00000000 00000000`00000000 : cmd!_chkstk+0x50c6
00000056`e904fd40 000007fb`a2f23cdc : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : cmd!Handler+0×291
00000056`e904fd80 000007fb`a5323c85 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0×18
00000056`e904fdb0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d
0:000> !gle <- get last error
TRIAGER: Could not open triage file : C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x64\triage\oca.ini, error 2
TRIAGER: Could not open triage file : C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x64\winxp\triage.ini, error 2
TRIAGER: Could not open triage file : C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x64\triage\user.ini, error 2
LastErrorValue: (Win32) 0x7f (127) – The specified procedure could not be found.
LastStatusValue: (NTSTATUS) 0xc0000139 – {Entry Point Not Found} The procedure entry point %hs could not be located in the dynamic link library %hs.

While this was all well an interesting there was some important information missing: Primarily nothing from consent.exe. Unfortunately no way I was going to be able to debug that as standard user because I was not admin…D’oh!

So I restarted the PC and pressed F8 to enter safe mode. I then logged in with a local administrator account and as safe mode is free of UAC prompts could happily set User Account Control Settings to Never Notify

Warning! Using this setting is not recommended and will increase risk of nasty software doing bad things to your PC.

Restarting back into regular Windows I could now launch programs as admin. I launched a command prompt as Admin and reset UAC back to the previous setting.

I then went back to my comfort zone of ProcMon (http://live.sysinternals.com/ProcMon.exe)

I set a filter to include the following processes:

cmd.exe
consent.exe
regedit.exe

I also set a filter on Operation is Load Image as I wanted to look for 3rd party code being loaded.

Sure enough we find some perfect suspects. 3rd party codecs were being loaded. These codecs had been installed a few days before from an open source program Audacity and the separate download Lame MP3 Encoder Pack

I then brought out the tool that must not be left at home. Ever. AutoRuns (http://live.sysinternals.com/AutoRuns.exe) AutoRuns can disable/enable pretty much any possible location for code to startup within Windows – from drivers, services, codecs, etc, it has it all. You can also analyse offline systems such as a mounted WIM, or an unbootable partition from within Windows PE.

I disabled all codecs at first, then enabled one-by-one to find the culprit. I found two caused the issue:

msacm.avis
msacm.lameacm

Disabling these and UAC was back in all its glory.

But why is Windows loading codecs for the UAC consent dialog?

The codecs are loaded because consent.exe plays a sound effect, which required a codec to decode the audio file.

In fact I found I can also re-enable all my codecs and disable Windows Sounds, and UAC prompt will still work. Peace at last.

Enable Non-Admins to Modify ClearType & Color Calibrate in Win7

chentiangemalc — Wed, 25 Jan 2012 22:34:05 +0000

When doing colour calibration or ClearType Text Tuning in Windows 7 a standard user can happily click through the wizards until the very end…when clicking Finish…

Although ClearType is enabled in Windows 7 maybe there are people who like jagged edged fonts and want to disable it. If they’re not admin, they can’t.

Boom! UAC Prompt…

The important point here is the CLSID … let’s grab that and search the registry under HKCR\CLSID

This brings us to

Importantly there is the Elevation key

Let’s set it to 0. I don’t even have access as Local Admin, I have to right click Properties and give myself permission (You may need to take ownership of key). This registry key typically can only be modified by TrustedInstaller. You should take this as sign that this is not something you should be modifying.

Warning! I do not recommend changing these Elevation/Enabled registry key settings. I am doing this for experimentation. You should backup the key before changing, you can break components of Windows modifying these keys. In addition to potentially introducing security vulnerability this solution may also be broken by Windows Updates in the future.

OK I can now happily set Enabled to 0

The UAC Shield icon is now gone from ClearType Tuner and no errors thrown when applying settings

Using ProcMon I found it also tries to update Registry Keys under HKLM\SOFTWARE\Microsoft\Avalon.Graphics so you may need to give Users full control here too.

For Display Calibration it is different here we see DCCW.exe is involved…

In this case the executable knows to elevate because it has a manifest. This could be in format .exe.manifest or it can be embedded as a resource. To view the embedded resource I use ResEdit (http://www.resedit.net/) Use 64-bit version for 64-bit EXEs and 32-bit version for 32-bit EXEs.

To override this I created a SHIM using Application Compatibility Toolkit (ACT)(http://www.microsoft.com/download/en/details.aspx?id=7352) to apply runAsInvoker to the application. Because in this case I’m updating this for a 64-bit executable I need to ensure I’m using 64-bit version of Compatibility Administrator. If you’re not familiar with manifests please refer to Microsoft’s UAC Manifest documentation http://technet.microsoft.com/en-us/query/bb756929

For specific details on how to create SHIMs refer to ACT’s documentation.

After saving and installing my SHIM….Great. Now no UAC prompt, but Access Denied:

So I used one of my all-time favourite ProcMon (http://live.sysinternals.com/ProcMon.exe) filters – Result is ACCESS DENIED. I also could have used ACT’s Standard User Analyser + Application Verifier for a more automated report.

We see a single ACCESS DENIED event

So I granted Users full control to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICM

This got me much further in program, and no further errors in program. But I also found Access Denied here

I then gave Users full control over these keys and all sub keys:

Imaging Devices Control Class -

HKLM\SYSTEM\CurrentControlSet\Control\Class\{6BDD1FC6-810F-11D0-BEC7-08002BE2092F}

Monitors Control Class -

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E96E-E325-11CE-BFC1-08002BE10318}

Now colour calibration works fine, I tested changing settings and they applied fine.

So if you need to do this, understand this is an unsupported hack to allow standard users to run these tools. If you do use this I would re-test post any operating system updates.

I don’t know the security implications of allowing standard users to run these tools, although I believe the reason to require administrator is because the settings affects all users on a system, not just a single user.

PowerShell Script To Remove Office Macro Protection

chentiangemalc — Tue, 17 Jan 2012 12:36:05 +0000

In some cases in my app compat battles I’ve had to debug macros developed by those who have long since disappeared from a company. However the source is inaccessible due to Macro protection. While commercial 3rd party tools to remove such passwords have existed for a long time, I have had a habit of doing so via a Hex Editor. Apparently not everyone is in love with hex editors so here is a *rough* scripted version. Note: It is possible to completely remove the password programmatically, but it is a lot more complex. One day if I had the time to waste I might do so…until then here is the quick & dirty method. This uses a simple method that has been popular for a long time which is to replace the DPB= value in the office file with DPx=

Note: This method only removes passwords on Macros, not other types of office document passwords and does not work on .Docx/.Xlsx formats

We are also utilizing pointers in our PowerShell code. Can BASH do that?

First thing is this rough PowerShell script which is utilized in the following way:

Unlock-OfficeDocumentMacro -InputFile “c:\Support\Locked.xls” “c:\Support\Unlocked.xls”

(As WordPress destroys formatting PowerShell script download in .ZIP at bottom of page)

# Function to unlock office 2000-2003 document by @chentiangemalc
# Proof-of-Concept Code lacking performance optimization & error handling
# This should not be considered example of how to write PowerShell code.

# Binary “IndexOf”
# too lazy (or busy…) to write this code in PowerShell, couldn’t find any good PowerShell example
# And this is fast. From http://stackoverflow.com/users/649008/foubar
# at http://stackoverflow.com/questions/283456/byte-array-pattern-search
$compilerParameters = New-Object System.CodeDom.Compiler.CompilerParameters
$compilerParameters.CompilerOptions=”/unsafe”

Add-Type -PassThru -CompilerParameters $compilerParameters -TypeDefinition @”
using System;
using System.Collections.Generic;

public static class FastByte
{

    public static unsafe long IndexOf(byte[] Haystack, byte[] Needle)
    {
        fixed (byte* H = Haystack) fixed (byte* N = Needle)
        {
            long i = 0;
            for (byte* hNext = H, hEnd = H + Haystack.LongLength; hNext < hEnd; i++, hNext++)
            {
                bool Found = true;
                for (byte* hInc = hNext, nInc = N, nEnd = N + Needle.LongLength; Found && nInc < nEnd; Found = *nInc == *hInc, nInc++, hInc++);
                if (Found) return i;
            }
            return -1;
        }
    }
}
“@

Function Unlock-OfficeDocumentMacro
{
    # To-do -
    # * Check for valid office file formats. Currently works for Word/Acess/Excel 2000-2003 format
    Param
    (
        [ValidateScript({Test-Path $_ -PathType Leaf})]
        [String]
        $InputFile
        ,
        [String]
        $OutputFile
    )
    Process
    {
        # We’ll work on the copy—just in case we mess up the original
        Copy-Item $InputFile $OutputFile

        # Load our target file all at once
        # Not scalable … &c but works to test the concept
        Write-Host “Loading $OutputFile”
        $data=Get-Content -Encoding Byte $OutputFile

        Write-Host “Searching file contents”
        # The searchString is hex equivelant for string DPB=
        [Byte[]] $searchBytes = 0×44,0×50,0×42,0x3D,0×22
        [Byte[]] $replaceBytes = 0×44,0×50,0×78,0x3D,0×22

        $index=[FastByte]::IndexOf($data,$searchBytes)

        Write-Host “Found at $index”

        # update file
        # so many chances for failures here…add error checking!
        [System.IO.Stream]$stream = [System.IO.File]::Open($OutputFile,[System.IO.FileMode]::Open)
        $stream.Position=$index
        $stream.Write($replaceBytes,0,$replaceBytes.Length)
        $stream.Dispose()

        Write-Host “Update Complete! Output file: $OutputFile”

}
}

Unlock-OfficeDocumentMacro -InputFile “c:\Support\Locked.xls” “c:\Support\Unlocked.xls”

Once the unlocked file has been output there remains some manual steps.

1. On launching unprotected file office will throw warning. Just click Yes

2. Then open Visual Basic Editor. You will probably see another error like below:

3. Right click the VBAProject and select VBAPRoject Properties

4. On the Protection tab set your own password and click OK

5. Once this is done you can go back into properties and remove Lock project for viewing

The PowerShell script and sample excel file contained in .ZIP below:

http://www.tiange.com.au/MacroUnlockerDemoScript.zip

Case of the Internet Explorer Launch Failure

chentiangemalc — Thu, 12 Jan 2012 12:21:25 +0000

A Windows 7 environment with Internet Explorer suddenly had a widespread IE8 failure. Clicking the IE icon did absolutely nothing. First thought was an Internet Explorer Add-ons, but running Internet Explorer in No add-ins mode still demonstrated the issue.

You might also think “Repair IE8” but unfortunately the Microsoft KB article on how to perform this only has how to reset IE8 settings in Windows 7; which requires ability to start IE in the first place http://support.microsoft.com/kb/318378

What’s going on!

So of course first I turn to Process Monitor (http://live.sysinternals.com/ProcMon.exe) and filter by process iexplore.exe

Woah! So many events and so many say SUCCESS!

The first key to successful ProcMon’ing is good filtering …

There first thing I notice is a lot of name not found events. So I filter to include only those events. Now I see some DLL files that are “name not found”

However these are not an issue as they are later found in the C:\windows\system32 directory. This is important to remember when looking at DLL files and Registry keys that show as “not found”

Typically DLL files are searched for in the same directory as the executable; followed by c:\windows\system32 or C:\windows\syswow64 (for 32-bit process on x64 Windows) So usually only DLLs that do not get found in system32 or syswow64 folder are truly missing.

What I do notice missing though are many HKCR\CLSID registry entries. For COM based applications such as Internet Explorer or Microsoft Office if a critical HKCR\CLSID key is missing it can be seriously bad news.

So I add a filter Path begins with HKCR\CLSID. Now these class root ID keys often have many subkeys that are unnecessary – so I am only looking for ones where the root key itself is missing:

On a non-broken machine I check this registry key. OK ieproxy.dll looks like a critical Internet Explorer file registration is missing!

OK so adding this key back in and now Internet Explorer is back in business…

You’re alive!

But why did this key suddenly disappear in 1,000s of machines at once?

The Windows Application Log, Event ID 1034 offers a nice clue…A WebClient product got uninstalled… We also could have used the Reliability Monitor in Windows 7 to see all products/devices installed/uninstalled over a period of time…

Further testing proved uninstalling this product broke IE.

But it was now fixed…or so I thought…until I came across some sites failing…

Launching pop-up Windows resulted in blank page being displayed; or in some cases nothing happening at all:

While running ProcMon and launching this page I found a missing TypeLib key referring to Microsoft Internet Controls

And IServiceProvider registration key

So the final solution included adding the following keys back:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\Interface\{6D5140C1-7436-11CE-8034-00AA006009FA}]
@=”IServiceProvider”

[HKEY_CLASSES_ROOT\Interface\{6D5140C1-7436-11CE-8034-00AA006009FA}\ProxyStubClsid32]
@=”{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}”

[HKEY_CLASSES_ROOT\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}]

[HKEY_CLASSES_ROOT\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\1.1]
@=”Microsoft Internet Controls”

[HKEY_CLASSES_ROOT\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\1.1]

[HKEY_CLASSES_ROOT\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\1.1\win32]
@=”C:\\Windows\\SysWOW64\\ieframe.dll”

[HKEY_CLASSES_ROOT\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\1.1\win64]
@=”C:\\Windows\\System32\\ieframe.dll”

[HKEY_CLASSES_ROOT\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\1.1\FLAGS]
@=”0″

[HKEY_CLASSES_ROOT\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\1.1\HELPDIR]
@=”C:\\Windows\\System32″

[HKEY_CLASSES_ROOT\CLSID\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}]

[HKEY_CLASSES_ROOT\CLSID\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\InProcServer32]
@=”C:\\Program Files\\Internet Explorer\\ieproxy.dll”
“ThreadingModel”=”Both”

This can also be achieved by running the following commands from Administrative command prompt

regsvr32 “C:\Program Files\Internet Explorer\ieproxy.dll”

regsvr32 “C:\Windows\System32\ieframe.dll”

(This last one will throw an error; don’t worry about it)

If on x64 bit you may also need to include

regsvr32 “C:\program files (X86)\internet explorer\ieproxy.dll”

regsvr32 “C:\windows\syswow64\ieproxy.dll”

…and voila pop-up Windows are back in business…

Moral of the story:

Uninstallers please don’t mess with HKCR keys you are not responsible for. If created captured installs of MSIs pay particular attention to these keys if they get added in your package.

In this case a captured install detected a setup.exe changing these keys. i.e. the application added PSFactoryBuffer to this existing key

[HKEY_CLASSES_ROOT\CLSID\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}]
@=”PSFactoryBuffer”

Then during the uninstall rather than just removing that value; the captured package removed the entire key.

Finally even better virtualize your apps with App-V or ThinApp or your favourite virtualization technology then your app will never touch IE in the first place!

2011 in review

chentiangemalc — Fri, 06 Jan 2012 00:22:37 +0000

The WordPress.com stats helper monkeys prepared a 2011 annual report for this blog.

Here’s an excerpt:

The concert hall at the Sydney Opera House holds 2,700 people. This blog was viewed about 54,000 times in 2011. If it were a concert at Sydney Opera House, it would take about 20 sold-out performances for that many people to see it.

Click here to see the complete report.

Using ZunePass on Windows Developer Preview

chentiangemalc — Mon, 26 Dec 2011 09:51:14 +0000

If you try to use playback Zune Pass content on Windows Developer Preview you may experience some of Zune’s wonderfully helpful error messages such as:

Media Usage Rights Error — C00D12F5

According to Zune Support page (http://www.zune.net/en-au/support/webhelp/C00D12F5.htm) this typically occurs when a component of the Windows Digital Rights Management (DRM) system on your computer is missing or damaged and needs to be replaced or upgraded.

However this article has no advice on a fix, but suggests search Microsoft Support Knowledge base.

Searching that you may come across Error message when trying to sign in to or play content from the Zune Marketplace http://support.microsoft.com/kb/929642

This article refers to a ResetDRM tool, however this fails to run on Windows Developer Preview. If you set it to run in Windows Vista compatibility mode it will then bomb out because you don’t have Windows Media Player 11 installed.

So what to do? This is how I got Zune protected content to play successfully on Windows Developer Preview x64:

1) Install latest Zune client from http://www.zune.net/

2) Ensure your location setting in Windows matches that of your Live ID & your computer time is correct for configured time zone

3) Download ResetDRM tool from http://go.microsoft.com/fwlink/?LinkID=203950&clcid=0×409

Warning This procedure affects all media files on the computer that use Windows Media DRM technology. The effect of this procedure is not limited to media files that you obtained from the Zune Marketplace. If you follow this procedure, content licenses for all protected media files on the hard disk are deleted. Other providers, such as, Napster, Netflix, MSN Music, and Wal-Mart, may have mechanisms for restoring licenses. If you have content from other providers, examine the appropriate license restoration policies before you continue.

Then run the following command to extract the contents, where /T specifies the extract folder:

ResetDRM /T:%temp%\ResetDRM /C

4) Ensure Windows Media Player & Zune client are not running then from the extracted folder run

CleanDRM /v

This should bring up a notepad display with a message of what just happened. Importantly you should see CleanDRM succeeded at the end of the log file:

5) You may now also receive errors such as :

Usage-rights Error — C00D11D0
Usage-rights Error — C00D1385

http://www.zune.net/en-au/support/webhelp/C00D1385.htm

Missing License Error — C00D0BBE

http://www.zune.net/en-au/support/webhelp/C00D0BBE.htm

This can be caused by not having an internet connection or not being signed into Windows Live ID in the Zune client. You must see your Live ID name in the upper left corner of Zune client:

In addition your computer name should be listed in Settings –> Account –> Computers & Devices section

You may also need to perform a certificate revocation list update. To do this visit http://drmlicense.one.microsoft.com/crlupdate/en/crlupdate.html and if prompted accept installation of ActiveX control. Then click the Upgrade button. If successful you should see the following page

OK now I can go back to enjoying my 30 GB+ ZunePass music collection on Windows Developer Preview…

Photo Fuse Your Holiday Photos

chentiangemalc — Sun, 25 Dec 2011 08:38:58 +0000

It’s the holidays and I’ll take a break from the usual problem solving blog and demonstrate a really powerful feature of Windows Live Photo Gallery that many people are still not aware of.

Basically a common problem: You take a photo of a group a few times, in the first photo one person looks great, but in the other photo someone else looks their best. Sure you can spend some time in PhotoShop, GIMP or Paint.NET to merge these photos, but the easy way is Photo Fuse.

Photo Fuse is a feature of Windows Live Photo Gallery, available for Windows 7, and can be downloaded at http://explore.live.com/windows-live-essentials

Once installed you can load by typing gallery into Windows 7 start menu then selecting the program

Or you can select a photo in Windows Explorer and select open with Windows Live Photo Gallery

In this case I have two photos:

Photo #1 – Hand in front of mouth

Photo #2 – Other toddler looking away

In Windows Live Photo Gallery I then select the group of photos I want to fuse by ticking their checkboxes

I then select the Create tab and click Photo Fuse

You then get asked which do you like best, click the one you prefer

I then select the region I want to change

You may need to do a few regions with trial & error to get it looking good, but the result after less than a minute is…

This is a really great & simple way to touch-up your photos rapidly.