Long startup and logon delays with a shared Windows 7 desktop

I’m writing with reference to a colleague’s blog post where he has found a very useful fix for a very annoying start up and log-on delay issue in Windows 7 SP1. Here’s his post, worth a read:
http://blog.solarfusion.co.uk/2011/12/windows-7-please-wait-or-welcome-screen.html

We were finding that computers in shared areas which had been logged on by many users (i.e. 50+ user profiles) were experiencing massive delays starting up and logging on. Until he found the fix the only solution was to leave the computers on all the time, or get them to start up really early in the morning.

One fix we tried was removing all the user profiles from the computers, and this only worked some of the time. Then my colleague found the right hot-fix and all of a sudden our startup and logon times dropped back to a few minutes. Big relief!

Here’s the relevant hotfix: http://support.microsoft.com/kb/2617858

See the blog entry (linked above) for a detailed explanation.

A way to run a 64-bit process from a 32-bit script (like add a registry key)

Say you have a need to add a registry key into the 64-bit registry hive but you’re stuck with doing it from a vbscript running in a 32-bit process. For example SCCM always runs vbscript in a 32-bit process, even on a 64-bit Windows machine! If you try this normally Windows 7 64-bit will redirect the key to the virtual 32-bit hive. So running in a 32-bit process if we want to add a key to HKLM\Software\ you will find it will always end up in HKLM\Software\Wow6432Node\ no matter what you do.

I couldn’t find a way to do it directly using vbscript in the short time I spent looking into it, but I did find a sneaky indirect way. My method is to execute a command to add a scheduled task into Windows that will do it for you!

I’ve written a bit of vbscript which will create a run-once self-deleting scheduled task that can be used to run a command such as REG ADD which will be running as a 64-bit process, assuming you use it on Windows x64. The only thing you need to have is admin rights, the rest will happen automatically.

You could use it for all sorts of things, like getting access to an area of the OS that needs LOCAL SYSTEM rights for example. You must remember though it’s just for firing off a command that you don’t need a response from. You need to test whatever you fire-off because you can’t check what you’ve done from within the script!

Click here to see my function on pastebin

To use the vbscript function you need to call the CreateJob() function and pass it the command that you want to run. For example if we call the following…

CreateJob("REG ADD HKLM\Software\64BitKey /v 64BitValue /d 64BitData /f")

…then my function will create a scheduled task that runs the command between the quotes 1 minute after it is created. Once the task completes it will then delete itself automatically, whether it succeeds or fails. The command in my example will create a registry key HKLM\Software\64BitKey with a new REG_SZ value 64BitValue which has the string data 64BitData.

I’ve commented the code as best I can. Basically the scheduled task that is created will have a unique name every time due the use of a guid string for the name. The task will work on XP, Vista and Windows 7, and on 32-bit or 64-bit, but it will always be in ‘XP mode’ so that it will delete itself after it is executed.

Here’s a slightly generic example of use:

Adding a registry key HKLM\Software\RegKey with KeyName that has a DWORD value of 000000FF:
CreateJob("REG ADD HKLM\Software\RegKey /v KeyName /t REG_DWORD /d 0xFF /f")
Notice here the use of 0xFF to specify the hex value, and the /f switch to force the key to add. If we don’t use /f and the value is already there then the command will perpetually wait for a response.

Here are some screenshots proving it works…

1. running the script in an Admin CMD prompt running in 32-bit mode on a 64-bit machine

2. proving the script is running as a 32-bit process

3. showing the scheduled task about to run

4. and finally the registry key after it has been created, definitely in the 64-bit hive!

For more info about the REG ADD command either go here, try typing reg add /? in the command-line, or you could Google it.

The right way to do my precise example is use WMI as mentioned here but my way is more flexible because you can do other stuff like run apps in a 64-bit process as well…

Anyway, here’s my function. Have fun with it, and don’t forget, you’re running as the SYSTEM account when you use this, so please be careful!


Function CreateJob(strCommand)
    Const SHELL_WAIT = True
    Const SHELL_HIDE = 0
    CreateJob = False
    ' Get date & time 1 minute in advance
    ' And it must be at least 1 minute
    ' Source: w3schools, & mikeblas on hardforum.com
    Dim strDateTime : strDateTime = DateAdd("n", 1, Now())
    Dim strDate     : strDate = LEFT(strDateTime, InStr(strDateTime, " ")-1)
    Dim strTime     : strTime = MID(strDateTime, InStr(strDateTime, " ")+1)

    ' define the command we will run to create the once-only scheduled task
    ' uses a new guid for the name each time so it will be a unique task
    Dim strJobCmd   : strJobCmd = "schtasks.exe /Create /TN " & _
        getGuid & " /RU SYSTEM /ST " & _
        strTime & " /SD " & _
        strDate & " /SC ONCE /TR """ & _
        strCommand & """"
        ' on Vista/Win7 must create task as XP-readable type using /V1
        ' this is so it will delete itself propely (bug in schtasks) using /Z
        If onVistaWin7 Then strJobCmd = strJobCmd & " /Z /V1"
    WScript.echo strJobCmd
    Dim oJobShell : Set oJobShell = CreateObject("WScript.Shell")
    Dim jobRet : jobRet = oJobShell.Run(strJobCmd, SHELL_HIDE, SHELL_WAIT)
    If jobRet = 0 Then CreateJob = True
    ' here we tried to make the task and get the result to a variable
    ' if the return is non-zero then the creation of the task errored
    Set oJobShell = Nothing
End Function

Function getGuid
    ' this functions gets a unique guid and returns it as a string
    Dim TypeLib : Set TypeLib = CreateObject("Scriptlet.TypeLib")
    getGuid = Left(CStr(TypeLib.Guid),38)
    ' above line also removes some strageness at the end
    Set TypeLib = Nothing
End Function

Function onVistaWin7
    ' this function returns true on Vista or above (incl. Srv2008)
    Dim colOSver, objOSver
    onVistaWin7 = False
    Set colOSver = GetObject("WinMgmts:root\cimv2").ExecQuery _
        ("Select Version from Win32_OperatingSystem")
    For Each objOSver In colOSver
        If Left(objOSver.Version,1) >= 6 Then onVistaWin7 = True
    Next
    Set colOSver = Nothing
End Function

Event id 1021 when phoning a UM extension redirected to voicemail

We recently started trying to configure the UM role in Exchange 2007 and had to buy an AudioCodes IP gateway to translate traffic from our legacy PBX into SIP traffic for the Exchange server.
Very early on we ran into an issue where we if we diverted a phone to the Exchange UM pilot number (i.e. re-direct all calls to voicemail) then if we called that phone we would get rejected.

A lot of diagnostics and tracing later, we discovered that the calls were being rejected by the UM server, and it was throwing a 1021 warning in the Application log. The message reads:
The Unified Messaging server rejected an incoming call with the ID “<call-ref-number>@<um-server-ip>”. Reason: “The Unified Messaging server cannot find a valid UM hunt group for “<extension>” associated with UM IP gateway “<um-server-ip>”.”

So the UM server was trying to find a hunt group for the extension that we were calling, and was thinking there wasn’t one configured. We did however have a hunt group configured! We had deleted the default hunt group on the ip gateway, and configured a new one with the pilot number as the pilot identifier…big mistake…

It turned out that when you configure a hunt group in UM, if you give it any Pilot Identifier number at all, that is the only number that it will be triggered for. So what you have to do is give it a blank Pilot Identifier! Trouble is you can’t do that, when you make a new hunt group the dialog will not let you create it without typing something in. So what do you do?

Well the answer is, delete and recreate the IP Gateway configuration object in the UM IP Gateways tab of the UM Organization Configuration section. That’s all you have to do! What happens is that when you create a new IP Gateway object it automatically creates a default hunt group with a blank pilot number – and that’s what we want.

Once you’ve done that you’ll be able to call the redirected phone and leave voicemail. Phew. Working UM system!

Lesson learned today: don’t configure things in UM if you don’t know what they’re for…

Windows Biometric Service stops preventing fingerprint logon

Recently I setup one of my work laptops to allow me to login using my fingerprint without the need for any client software other than a driver. A handy new feature built-in to Windows 7, and it works fabulously well. One finger on each hand for different things, one for admin, one for my normal user. Love it!

However I have been finding occasionally that when I switch the laptop on (usually after being in hibernation or standby) that I can’t login with a fingerprint and have to resort to legacy means (typing!).

I think that this is because the “Windows Biometric Service” service has stopped. There are events notifying that it’s happened but no explanation why. I made sure the service was set to automatic (it was) and I’ve added recovery options to the service telling it to restart if it stops. Seems that hasn’t fixed it because the problem cropped up immediately afterwards when I tested it. I’m not quite sure what else to do yet…

Just thought I’d blog this in case someone else runs into it.

Outlook 2007 – Faulty policy for deleting items on a delegated mailbox

When you have been delegated the right to delete items from someone else’s mailbox the default functionality is to have the deleted items go into your mailbox’s deleted items folder instead of the owners mailbox.
This functionality can be changed with a registry key, see here: http://office.microsoft.com/en-us/outlook/HA100750921033.aspx

HOWEVER, there is a group policy introduced with Office 2007 that can alter this functionality for all users. It’s located here:
“User ConfigurationPoliciesAdministrative TemplatesMicrosoft Office Outlook 2007Tools | Options…Delegates”
The policy is called:
“Store deleted items in the owner’s mailbox instead of delegate’s mailbox”

The help text says it needs to be enabled to set the functionality to have deleted items remain in the owner mailbox.
Guess what, it’s WRONG! Yes Microsoft have not tested it properly. It turns out if you enable the policy you enforce the default, to have deleted items go into the delegates mailbox, not the owner’s mailbox.
To get this policy to work properly you must set it to DISABLED.

When disabled, a policy key is created that enforces the alternate functionality for deleting mail.
HKLMSoftwarePoliciesMicrosoftOffice12.0OutlookOptionsGeneral
DelegateWastebasketStyle = 4

Hope this helps someone else!

You can’t add the IE icon to the Windows 7 desktop

Just recently discovered that it is not and will no longer be possible to add the IE icon to the Windows desktop, as of Windows 7! Detailed in KB article KB945402 Microsoft have decided to completely remove the old functionality that puts IE on the desktop as a proper desktop item – as opposed to a simple shortcut.
I guess it saves them from being sued again over IE being a part of Windows. Annoying though, damned EU courts, it’s all their fault. Oh well…

Photoshop CS3 hangs when you exit

Got myself a new laptop recently with Vista preinstalled and when I installed Adobe Photoshop CS3 I found when I tried to exit the program it would always hang during the exit process. I’d never seen it do that before, but after searching the net I found I wasn’t alone – perhaps I had been lucky up to now.

Anyway after much messing about, reinstalling, trying various things (like turning off UAC and system restore before installing) I found a forum post from someone talking about the FLEXnet Licensing service and how it could be to blame for this stupid behaviour.
Some people said if the service was running it needed stopping and/or removing, others said if it was not running you should start it. Mine was set to manual but was running, so I was suspicious…if it’s manual then something has started it – therefore it must be needed. I wasn’t about to delete it then, and clearly it needed to run.
So I started searching for updates specifically for Macrovision FLEXnet – it is a 3rd party product after all. And low and behold I found a patch on Adobe’s site which nobody had mentioned – in this case for Adobe Acrobat 8 and 8.1. After installing the patch (which I believe replaced a dll) all was well again! Well done Macrovision and Adobe for making crap software.
Since finding the patch I did find a forum post which explains it as something to do with SATA drivers:

‘Target Principle Name is incorrect’ error with ISA 2006 using a certificate with a SAN

I recently put together a PKI and I decided it was time to experiment with certificates with subject alternative names (SANs) today. I immediately fell into an easy trap!

If you make a certificate with a SAN, you MUST have the address you use for the CN in the SAN field too. It seems if you have a SAN then ISA server will see this and only look for the DNS identity of the website it’s going to in the SAN field, instead of looking in the CN field too.

This leaves you with a “500 Internal Server Error – The target principal name is incorrect” error which is somewhat confusing!

So say you want a certificate that is valid for the following addresses:
site1.com
site2.com
site3.co.uk

What you must do is ensure you have the following field entries in your certificate:

cn=site1.com
san:dns=site1.com&dns=site2.com&dns=site3.co.uk

In that way the CN is used as an identifier, and the san’s are used in the validity verification checks by ISA. Note however that IE and Firefox will still use the CN for validity checking as well.

Wildcard certificates, ISA 2006, and the Dreaded Network Logon Failed (1790) error

One of my favourite things here at UWE is managing our ISA 2006 system, and this week I got bogged down with development websites being requested left, right and centre. To top it off they wanted their sites to have certificates too, and ISA server insists that you use one IP address per certificate. I knew about wildcard certificates (*.domain.com) but not actually tried them on ISA before, so I thought I’d solve my dev-problem with one.

Following the handy guidelines from isaserver.org, which are for ISA 2004 but still relevant for 2006, I created one listener with a wildcard certificate and rules for all the sites. Apparently one of the new things in ISA 2006 is the ability to use the wildcard certificate on the IIS site as well as on the ISA listener, but we’ll come back to that 🙂

After configuring I found http access would get to all the site just fine, ok that’s good. However when I tried https access I was always getting this error: “The network logon failed. (1790)
Searching, I found a few people had seen this problem too but no-one seemed to have managed to solve it, save for a few. They chose to relax security and terminate SSL at the ISA server, and allowed the rules to connect back on port 80. That works but it’s not secure and I’ve seen link translation weirdness doing that in the past. So what’s the fix?

Well I found that if you put the wildcard certificate on the SITE as well as the listener, things start working. Just don’t ask me why! I think it’s probably an IIS thing, I’m just not sure. So don’t follow the guidelines ‘quite’ as explicitly and you’ll get there! And please let me know if this helps you or not, I’d love to know.

ISA 2006 sites which use both http and https don’t redirect from HTTP to HTTPS correctly

Found this helpful article today: Link translation causes an endless loop when you use Web servers that redirect HTTP requests as HTTPS requests in ISA Server 2006

We weren’t getting the endless loop because we were redirecting from http://website/ to https://website/path1 but ISA was still being a real pain in the gluteous maximus and changing the redirection link to http.