Blog: Windows 2003 Server

If you're running DHCP on a Windows 2003 domain controller that is also running DNS, you may see Event 1056 errors (see link) in the System log. This is because DHCP does not have separate credentials (a domain-user 'service' account is recommended) for DNS dynamic registration. The danger here is that DNS records could be overwritten. This is not a default config, but Microsoft recommends that you either use separate 'DNS credentials' or not run DNS and DHCP on the same domain controller. See the link below to enter the credentials into the DHCP management console.

http://support.microsoft.com/kb/282001


 

You cannot remote control another user’s session in terminal server through terminal server manager when connected to the console.  The only way it works is by originating through another RDP session.  I guess I haven’t been in this scenario before to run into this.


 

I recently worked on a problem where some PCs at a customer site were not able to log in. I checked the server and it showed many group-policy errors in the App OS log listing the 'GPT.INI' file. I also noticed the group-policy mgmt console was not able to open any GPOs - said there was a rights error. 'Net View' only listed the server and no workstations. I had one of the users experiencing the problem reboot and her system said no domain controller was available. Further research indicated that 5 minutes after the last server reboot, these services crashed:

  • TCPIP Netbios Helper
  • Alerter
  • Windows Time
  • Webclient
  • WinHTTP web-proxy auto-discovery

The Windows Time was able to restart itself; all others were stopped. Restarting the netbios helper service appears to fix the main problem (all PCs came back in the net view list), including the group policy App errors and mgmt console issues. More research on the Internet indicated others had problems with the webclient service killing the netbios helper on Server 2003 and that SBS was supposed to have the 'webclient' service disabled by default due to security issues.


 

We had a problem with a computer that could not be connected to via RDP. There were no errors. It would blink the connecting message up on the screen and then go away, but it never actually connected. This was a Windows XP machine (I think with SP2 or 3) and had all of the configuration set correctly. The server could contact everything on the network regularly and it could be pinged from other PCs, connected to through WMI and SMB. The firewall was disabled as well. After some research I found that some had this same problem and had fixed it by updating the video card drivers. Not really expecting much in the way of results, but with few options at this point, I decided to update the video card drivers on the problem machine. Sure enough, updating the video card drivers fixed the problem.


 

When approving new updates for WSUS recently, the server I was working on ran completely out of space on its drive where the WSUS content folders were stored and this caused WSUS to crash. There is a utility located in WSUS’s ./Tools folder named WSUSUTIL.EXE. This utility can be used for many different WSUS tasks such as copying the WSUS content folders to a new location. The syntax for this is:

wsusutil movecontent contentpath logfile

contentpath = The new root for content files. This must exist ahead of time
logfile = The path and file name of the log file to create

Despite the name of the command, this does not actually “move” the content folder. It only copies the files and redirects WSUS to begin using this new folder instead. You will still need to clean up the old path.

A full list of switches and commands can be found via TechNet: http://technet.microsoft.com/en-us/library/cc720466.aspx

 


 

When you set up a group policy that assigns internet settings located in User Configuration\Windows Settings\Internet Explorer Maintenance\Security\Security Zones and Content Ratings, you have to copy your current internet settings to the GPO. These settings are useful if you wish to use the “preference mode” option so that the setting is set once and then the user has the ability to modify it from there. This all works fine when importing from IE6, but if you try to import settings from IE7 it will not work properly and you will get an error when trying to view the settings of that GPO:

“An error occurred while generating report:
An unknown error occurred while the HTML report was being created.”

There is a rumor that this problem has been fixed in the Vista version of GPMC and I am assuming that this would include the Server 2008 version, but I have not tested this yet. A workaround, as mentioned in the article linked below, is to set the internet settings from here: User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Site to Zone Assignment List. This works great except that you do not have the option to use the “preference mode”.

http://sdmsoftware.com/blog/2008/03/gpmc_report_errors_related_to.html

 

In troubleshooting an SBS 2003 server, it was discovered that the system drive was almost out of space. Upon further investigation, most of the disk space was being consumed in the %WINDIR%\Installer folder. In that folder were numerous MSI files of over 100 MB each, duplicated over and over.

It was noted that earlier in the week, an update for Backup Exec kept trying to install and failed until the server was rebooted by the customer.  After rebooting the server, the install took, but all of those failed attempts seemingly left these orphaned MSI files created each hour the server tried to install the update.

In order to clean out the orphaned files in this folder, you will need to run “MSIZAP.exe T!”.  You can obtain the MSIZAP file from: http://support.microsoft.com/default.aspx?scid=kb;en-us;290301.  Syntax for running MSIZAP can also be found here: http://msdn.microsoft.com/en-us/library/aa370523.aspx.

After running this program, it deleted over half of the files in the Installer directory and reclaimed approximately 10 GB of hard disk space.  It was noted that the duplicate 100 MB+ files were removed.


 

We had an issue last week where backups of an Exchange 2007 server began to fail after we removed the EMC Replication Manager & EMC Solutions Enabler apps. We began to see errors in the Application log like this:

Volume Shadow Copy Service error: A critical component required by the Volume Shadow Copy service is not registered.  This might happened if an error occurred during Windows setup or during installation of a Shadow Copy provider.  The error returned from CoCreateInstance on class with CLSID {bd902507-4491-4001-acdd-a540a2cad34b} and Name HWPRV is [0x80040154].

I went through the process described here http://support.microsoft.com/kb/940032 to reregister all the VSS stuff, but it didn’t work. After digging into the VSS CLI, I was seeing the following returned from issuing a “vssadmin list providers”:

Provider name: 'Microsoft Software Shadow Copy provider 1.0'
   Provider type: System
   Provider Id: {b5946137-7b9f-4925-af80-51abd60b20d5} 
   Version: 1.0.0.7

Provider name: 'ERM VSS Provider'
   Provider type: Hardware
   Provider Id: {e929a027-cf8c-47bf-90a3-cd4241c7cace}
   Version: 1.0

It appeared as if the EMC VSS provider was not removed when I uninstalled the software. The online knowledgebase for EMC said that, to fix it, you re-install the apps, then start the VSS service, then uninstall the apps again, suggesting that the provider would not have been removed if the service wasn’t running at the time the apps were uninstalled. I had a really hard time getting that stuff installed to start with so I didn’t want to start that again. I did some testing on a VM and found that I could remove the provider by just removing the registry key which matched the Provider Id listed by the vssadmin list providers command.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Providers\{e929a027-cf8c-47bf-90a3-cd4241c7cace}

After restarting the VSS service one time, the vssadmin list providers command provided this output:

Provider name: 'Microsoft Software Shadow Copy provider 1.0'
   Provider type: System
   Provider Id: {b5946137-7b9f-4925-af80-51abd60b20d5}
   Version: 1.0.0.7

Success!! This could possibly be a problem and the fix could work with any applications that insert 3rd party VSS providers.
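The check described above, as an added example that is not part of the original post: it parses "vssadmin list providers" output (the sample is the listing quoted in the post), picks out providers that are not the built-in System provider, and builds a "reg export" command that backs up the matching key before it is removed. The function names and the backup file name are assumptions.

```python
import re

# Registry location of VSS provider registrations, as given in the post.
PROVIDERS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Providers"

# "vssadmin list providers" output as quoted in the post (before the fix).
SAMPLE_OUTPUT = """\
Provider name: 'Microsoft Software Shadow Copy provider 1.0'
   Provider type: System
   Provider Id: {b5946137-7b9f-4925-af80-51abd60b20d5}
   Version: 1.0.0.7

Provider name: 'ERM VSS Provider'
   Provider type: Hardware
   Provider Id: {e929a027-cf8c-47bf-90a3-cd4241c7cace}
   Version: 1.0
"""

FIELD = re.compile(r"^\s*(Provider name|Provider type|Provider Id|Version):\s*(.*?)\s*$")
GUID = re.compile(r"^\{[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}$")


def parse_providers(text):
    """Return one dict (name, type, id, version) per provider block."""
    providers, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Provider name":
            current = {"name": value.strip("'")}
            providers.append(current)
        elif current is not None:
            # "Provider type" -> "type", "Provider Id" -> "id", "Version" -> "version"
            current[key.split()[-1].lower()] = value
    return providers


def third_party(providers):
    """Providers other than the built-in System one, with a well-formed GUID."""
    return [p for p in providers
            if p.get("type") != "System" and GUID.match(p.get("id", ""))]


def backup_command(provider, outfile):
    """Build the 'reg export' command that saves the key before any removal."""
    return 'reg export "{}\\{}" "{}"'.format(PROVIDERS_KEY, provider["id"], outfile)


if __name__ == "__main__":
    for p in third_party(parse_providers(SAMPLE_OUTPUT)):
        print(p["name"], p["type"], p["id"])
        print(backup_command(p, "vss-provider-backup.reg"))
```

The GUID check keeps a malformed Provider Id from being pasted into a registry command; the exported .reg file allows the provider registration to be restored if removing the key turns out to be wrong.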


 

Sans.org published a notice today that there is a 0-day exploit for Internet Explorer in the wild.  The updates released by Microsoft yesterday did not fix this vulnerability.  The specific exploit checks to be sure it is running in IE7 on XP or 2003 before it does anything, but whether other versions are exploitable is not yet known.

The article says "At this point in time it does not appear to be wildly used, but as the code is publicly available we can expect that this will happen very soon."

http://isc.sans.org/diary.html?storyid=5458


 

There is a small, simple utility called clip, which takes whatever is given on its input stream and places it on the Windows clipboard.  There are many useful things this can be used for.  Here are a couple of things that save a lot of time and work for me.

1)  Add the clipboard to your Sendto menu.  Make a command file, like clipboard.cmd, that has this command in it.

clip < %1

Then create a shortcut to this command file in %userprofile%\sendto.  Then you can right click on a file and send it to your clipboard.

2)  Generate passwords to your clipboard.  I use wapg by Adel I. Mirzazhanov (http://www.adel.nursat.kz/apg/download.shtml) by running a command file like this:

@echo off
set /p PWSIZE="Enter size of password to generate: "
wapg -M SCNL -E"?!|" -n1 -a1 -m%PWSIZE% -x%PWSIZE% | clip

Just think about all the things that you can pipe to your clipboard!

If you are using XP, you will have to copy clip.exe from a Windows 2003 server (%windir%/system32) to your machine.

I would like to mention that using a clipboard extension program will also let you see what you are about to paste.  Ditto will even let you edit it right there before pasting it.