VirtualBox, KeyAccess

September 20th, 2008

Quick post about recent stuffs.  Work’s been busy…

VirtualBox rocks my socks.  The end.  No raw disk support (a la boot camp) yet, but it is coming.  I only boot camp for games anyways.

I have been working with Sassafras to track down a KeyAccess audit bug that happens during audits with Altiris SVS running.  I’m not sure if KeyAccess, Software Virtualization Services, or a corrupt chunk of crap in my newest Windows image’s registry is to blame.  I should have some time to troubleshoot and grep through debug files this week.  Turning off auditing (setting the license from Full to Basic) seems to have given me reprieve for now.

F6 is for losers

July 28th, 2008

FYI, the driver INF list you get if you hit F6 when installing XP might be longer the 4 devices you can see.. Try scrolling UP to see other devices to install…

Rutter shared this jewel with me:

cscript c:\windows\system32\slmgr.vbs -skms [FQDN of your KMS]

I just activated Vista Enterprise from home over VPN!

From an email that I just sent to a colleague:

First, copy the install DVD(s) to a network share. A few files you’ll need to make/touch:

application.xml.override

This file needs to go in all of the payload folders (okay, not _all_ of them, but it is just easier that way, trust me). It should look like this for a silent install:

###

<?xml version="1.0" encoding="utf-8"?>
<Configuration>
<Payload>
<Data key="Serial" protected="0">yourserialnumberwithouthyphens</Data>
<Data key="Registration">Suppress</Data>
<Data key="EULA">Suppress</Data>
<Data key="Updates">Suppress</Data>
</Payload>
</Configuration>

###

Next, look in the deployment folder for deployment.xml or something that indicates installing in your country and language. It should look like this (at least for DP (Design Premium), other bundles or individual apps are really similar):

###

<Deployment>
<Properties>
<Property name="installLanguage">en_US</Property>
<Property name="serialNumber">yourserialnumberwithouthyphens</Property>
</Properties>
<Payloads>
<!--Adobe Acrobat 8 Professional (At install, older versions get upgraded)-->
<Payload adobeCode="{AC76BA86-1033-0000-7760-000000000003}">
<Action>install</Action>
</Payload>
<!--Adobe Dreamweaver CS3-->
<Payload adobeCode="{00E5C764-9525-44C3-8404-712AD06AE12A}">
<Action>install</Action>
</Payload>
<!--Adobe Flash CS3-->
<Payload adobeCode="{3BC8460B-085E-47F3-9C62-8FFCBAF11D78}">
<Action>install</Action>
</Payload>
<!--Adobe Flash Video Encoder-->
<Payload adobeCode="{7BB7F66A-D798-45A3-A383-0727FB1EBF8E}">
<Action>install</Action>
</Payload>
<!--Adobe Illustrator CS3-->
<Payload adobeCode="{C4519961-AC64-4565-B3AF-9050296B5D5A}">
<Action>install</Action>
</Payload>
<!--Adobe InDesign CS3-->
<Payload adobeCode="{24D77A7C-E10B-4057-9974-FAB8BFDAC853}">
<Action>install</Action>
</Payload>
<!--Adobe Photoshop CS3-->
<Payload adobeCode="{30C4B843-28DA-466F-AFCA-CB0ED153C826}">
<Action>install</Action>
</Payload>
</Payloads>
</Deployment>

###

In the above example I took out Version Cue so it won’t get installed. The line with ‘<Property name=”serialNumber”>’ isn’t necessary for Design Standard/Premium (or Web Standard/Premium, I don’t think), but some apps require it for passing along the serial number to install third party content (Audition, Encore, Premiere Pro all need this).

After you make/edit those files all you need to do is call the setup.exe with some parameters. I run a script like this from Deployment Solution:

###

call "\\server\software\adobe\cs3\win\Adobe CS3\setup.exe" --mode=silent --deploymentFile="\\server\software\adobe\cs3\win\Adobe CS3\deployment\deployment.xml"
copy /y \\server\keyed\cs3\acrobat.exe "C:\program files\adobe\Acrobat 8.0\Acrobat\acrobat.exe"
copy /y \\server\\keyed\cs3\dreamweaver.exe "C:\program files\adobe\Adobe Dreamweaver\CS3\dreamweaver.exe"
copy /y \\server\keyed\cs3\flash.exe "C:\program files\adobe\Adobe Flash CS3\flash.exe"
copy /y \\server\keyed\cs3\illustrator.exe "C:\program files\adobe\Adobe Illustrator CS3\Support Files\Contents\Windows\illustrator.exe"
copy /y \\server\keyed\cs3\indesign.exe "C:\program files\adobe\Adobe InDesign CS3\indesign.exe"
copy /y \\server\keyed\cs3\photoshop.exe "C:\program files\adobe\Adobe Photoshop CS3\photoshop.exe"
del /f /q "C:\documents and settings\all users\desktop\adobe acrobat 8 professional.lnk"

###

In this case I have already created zero-footprint keyed *.exe files for our Sassafras Keyserver. I also don’t like icons on the desktop. If the exit code is anything except 0 you need to do some troubleshooting. Check for logs in “C:\program files\Common Files\Adobe\Installers”. The installer log will likely be a GZIPPED UNIX FORMATTED TEXT FILE (OMG, why would you do this Adobe? We are obviously on Windows!)!

A few notes:

You can’t install _just_ Acrobat from any of the bundled packages (Design Premium, Web Standard, etc.) because you need to launch another of the BIG applications in order to start the licensing; i.e. you need to launch Photoshop before you can use Acrobat. Photoshop is a popular application, so I never really worried about this in my labs. If you only install Acrobat you won’t have any of the BIG applications to activate the licensing on that computer. Stoopid, right? Tough. There is no way around it.

It takes a fast (single-hard drive) computer about 30 minutes on gigabit Ethernet to install CS3 DP. I don’t like installing while users are logged in because sometimes the installer will fail if it needs to touch browser plugins (DW and Flash) or Outlook (Acrobat stuff).

If you have less than 1GB of memory and less than 1024×768 resolution, the installer will fail. No way around it that I know of. The video/production applications check for other hardware (microphone/non-integrated video, etc.).

I tried putting all of CS3 DP into an Altiris SVS layer. Since the licensing daemon needs to run at startup, I never got it working right. Mind you, I didn’t really try that hard since I had some reservations over pushing out a several gigabyte VSA…

There is a deployment PDF on the DVD that has most of this information. Also check out www.appdeploy.com for some really good hints and for application-specific ‘gotcha’’s.

I’m still working on slipstreaming updates into the payloads. I haven’t tried too hard yet. Right now I’m just downloading the updaters and repackaging them.

I’m ran into a problem with running windows services inside of an software virtualization services (SVS) layer. If the service runs as LocalSystem, there are no problems. Actually, I was quite surprised that services with a mode set to automatic start up as soon as the layer is activated. Pretty neat.

If the services needs to run in another security context, stuff gets messed up and the service won’t start on a machine other than the one that the VSA was created on. A simple sc sdset blah-blah-blah after the layer is activated should suffice, but that is a PITA. A better way, there has to be.

I suppose I could check out the Juice forums, huh? =) Between BF2, work, and carrying firewood I’ll eventually have enough time to attain SVS guru status. Until then…

Just an FYI: Daemon Tools (disk image mounting utility) doesn’t work while Windows is running in Parallels virtualization on a Mac. It won’t let you mount any fake devices–it just lets you know that you have chosen an invalid image. Everything works fine when booted into Windows on my Intel iMac (boot camp). No biggie for right now, but once 3D support is mainstream with Parallels and Fusion (the latter of which I haven’t tested with DTools yet) I would like to be able to mount disk images to play games that require the media be present (BF2, which I legally own a copy of, is one of those games).

–update– Brad tested Daemon Tools in Fusion and it works fine, but BF2 did not launch…

In other news, it’s not possible AFAIK to create a virtual software package (Altiris SVS) for Daemon Tools. Duh.
Meh.

…because I had the MS Office 2007 File Format Converters for Office 2003 installed. The installer just crapped out and left a bunch of meaningless crapola in the eventvwr. I then uninstalled the O2007FFC and Office 2007 started installing just fine.

Wow.

I stumbled across the pieces to make up this little chunk of WMI goodness.

Const BELOW_NORMAL = 16384
strComputer = "."
Set objWMIService = GetObject("winmgmts:\" & strComputer & "rootcimv2")
Set colProcesses = objWMIService.ExecQuery _
("Select * from Win32_Process Where Name = 'Notepad.exe'")
For Each objProcess in colProcesses
objProcess.SetPriority(BELOW_NORMAL)
NextProcess

Priorities in Windows get funny numbers, not like nice. Check out this MS article on what the numbers really mean. Save that text in a *.vbs file and you are good to go. Maybe even add it to a scheduled task to make sure that a certain process gets the right amount of processor time.

Oh noes!

Symptoms: You log into Windows and everything is groovy for about 2 minutes. Then you lose the ability to map drives, your AV software spikes for a bit, your computer slows way down, and a mysterious svchost process hogs your CPU indefinitely. Oh, and explorer reverts to the ‘classic’ skin for the start menu. Random services stop including Computer Browser, Workstation, Server, Telephony, etc..

Problem: The automatic updates service is hosed. Its svchost process is destroying things on your computer. Your AV spikes to 100% CPU because AV software sucks.
Solution: Delete your C:\windows\softwaredistribution folder and reboot.

I don’t know if this has anything to do with the latest round of patches (including the reloaded ANI vuln. patch), but I have seen several machines in different environments do this (all XP SP2).

setuid for Windows?

April 3rd, 2007

I needed a way for normal users to stop a service at login time. The service was running as a privileged user. I made up a scheduled task that ran as the owner of the service, but that sucked. Basically I wanted to run a script setuid root… Then I ran across this utility. It encrypts username and password information into a *.job file and then runs your app/script/whatever with the encrypted credentials. Pretty straight forward. Use in conjunction with cmdow.exe and your users will never see anything. (I tried to find a link to cmdow.exe, but I guess it is on a lot of people’s lists as a hacking tool… No good results on the first few pages of google for me.)