19 September 2011

Windows 7 N, K, KN, E versions

I came across this again today so I figured I'd just make a proper note of it for once.

There are a few versions of Windows 7 available.

Which one you get is determined by geographic market and by the legislation and regulatory rulings that apply there.

Here is the breakdown of what they are:

Windows 7 N: 
Meant for the European market. Includes the same functionality as Windows 7, except that it does not include Windows Media Player and related technologies such as Windows Movie Maker.

Windows 7 K: 
Meant for the Korean market. Includes the same functionality as ordinary Windows 7, plus links to a Media Player Center Web site and a Messenger Center Web site.

Windows 7 KN: 
Meant for the Korean market. Includes the same functionality as Windows 7 K, except that it does not include Windows Media Player and related technologies such as Windows Movie Maker, links to download Windows Live Messenger, or links to a Media Player Center Web site and a Messenger Center Web site.

Windows 7 E: 
Meant for European Commission countries, including the UK. Includes the same functionality as the standard flavor of Windows 7, except that it does not include Internet Explorer 8 (IE8).

The missing Media Player and associated technologies can be added back by installing:
 Media Feature Pack for Windows 7 N with Service Pack 1 and Windows 7 KN with Service Pack 1 (KB968211) 

This is probably a good idea, since a few things do not work properly with these components removed. Here is the list of items that are removed, followed by the impact on other components (from http://support.microsoft.com/kb/968211):

  • Windows Media Player User Experience: This feature enables Windows Media Player components, and lets you perform the following actions:
    • Play media files and audio CDs
    • Manage media in a library
    • Create a playlist
    • Provide metadata (including album art) for media
    • Create an audio CD
    • Transfer music to a portable music player
    • Play streamed content from the Web
  • Windows Media Player ActiveX Control: This feature exposes methods and properties for manipulating multimedia playback from a Web page or from an application.
  • Shell Media Property Display: This feature enables the display of metadata such as artist, song, and album information for media files in the Windows user interface, especially in the Music folder.
  • Windows Media Player Visualizations: This feature contains visualizations that let you see visual imagery that is synchronized to the sound of the media content as it plays.
  • Windows Media Format: This feature provides support for the following components:
    • The Advanced Systems Format (ASF) file container
    • Windows Media audio and video codecs
    • Basic network streaming capability
    • Digital Rights Management (DRM)
  • Windows Media Digital Rights Management: This feature enables the secure delivery of protected content for playback on a computer, a portable device, or a network device.
  • Windows Media Device Manager: This feature enables communications between an application, the Windows Media DRM system, and portable audio players.
  • Media Sharing: This feature enables music, pictures, and videos on the computer to be shared with other computers and devices on the network. Media Sharing also enables the computer to find music, pictures, and videos on the network.
  • Media Foundation: This feature provides support for content protection, audio and video quality. Media Foundation also provides interoperability for DRM.
  • Windows Portable Devices Infrastructure: This feature communicates with media devices and storage devices that are attached to the computer, including Media Transfer Protocol devices. This system supersedes both Windows Media Device Manager and Windows Image Acquisition. This system lets computers communicate with music players, storage devices, mobile phones, cameras, and other kinds of devices.
  • Windows Media Center: This feature lets you access the digital entertainment library on your personal computer or on your television. You can also use the mouse or the Media Center remote control to perform the following actions:
    • View photos in a cinematic slide show
    • Browse your music collection by cover art
    • Easily play DVDs
    • Watch and record your favorite TV shows
    Media Center also lets you download movies and watch them in a 10-foot mode on your television.
  • Windows DVD Maker: This feature lets you create video DVDs of home movies and photos that can be viewed on DVD players, regardless of geographical region codes. Windows DVD Maker is included in Windows 7 Professional, Windows 7 Enterprise, and Windows 7 Ultimate. DVD Maker is removed from Windows 7 Professional N and KN, Windows 7 Enterprise N and KN, and Windows 7 Ultimate N and KN.
  • Sample Ringtone: Media files in the .wma format are removed from Windows 7 N and from Windows 7 KN.
  • Sample Media: Sample content for movies, music, and TV is not included in Windows 7 N or in Windows 7 KN.
  • "Turn Windows features on or off" user experience: The media playback applications that let a user add or remove Windows DVD Maker, and Windows Media Center are removed.

Impact on other components
The following components were not removed from Windows 7 N and from Windows 7 KN. However, these components are affected by the media programs that were removed from Windows 7 N and from Windows 7 KN.
  • HomeGroup: You cannot share integrated media by using streaming features in Windows 7 N or in Windows 7 KN.
  • SideShow: This feature does not work in Windows 7 Professional N or in Windows 7 Professional KN. This feature is not included in Windows 7 Starter N or in Windows 7 Starter KN.
  • Windows Experience Index: This feature does not work in Windows 7 N or in Windows 7 KN.
  • Windows 7 Games: Games that are included in Windows 7 N and in Windows 7 KN work but do not play back sound effects.
  • Windows Mobile Devices: Media synchronization, image acquisition, and file browsing are not supported in Windows 7 N or in Windows 7 KN.
  • Windows Photos: Cameras that use the Picture Transfer Protocol (PTP) do not function together with Windows 7 N or with Windows 7 KN.
  • Sound Recorder: This feature only records files in the .wav format in Windows 7 N and in Windows 7 KN.
  • Group Policy for removable disks: This feature enables computer administrators to set read and write permissions on removable disks. This feature does not work in Windows 7 Professional N or in Windows 7 Professional KN. This feature is not included in Windows 7 Starter N or in Windows 7 Starter KN.
  • Microsoft TV Technologies: These do not work in Windows 7 N or in Windows 7 KN.
  • MPEG-2 and Dolby Digital Codecs: These codecs are collectively known as “DVD Components.” They enable Windows 7 software experiences such as Windows Media Player and Windows Media Center to support activities including the following:
    • DVD playback
    • DVD video burning
    • Television recording and playback
    The MPEG-2 components do not function in Windows 7 N or in Windows 7 KN. These features are not included in Windows 7 Starter N or in Windows 7 Starter KN.
  • VC-1, MPEG-4, H.264 codecs: These codecs are collectively known as “standards-based codec” components. They enable Windows 7 software experiences to support various activities. These activities include playing back multimedia files and creating multimedia files. These files are encoded with the standards-based codecs. The "standards-based codec” components do not work in Windows 7 N or in Windows 7 KN.
  • Windows Premium Sound Schemes: Windows 7 Home Premium and higher editions contain additional sound schemes encoded by using the MP3 codec format. These schemes are not included in Windows 7 N or in Windows 7 KN.
  • Sensor and Location Platform: This feature does not work in Windows 7 N or in Windows 7 KN.
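Before deciding whether a machine needs KB968211, it helps to know which edition it runs and whether the media stack is actually missing. The PowerShell below is an added example, not from the post or from Microsoft: it reads the edition caption and probes for core DLLs of the components listed above (Windows Media Player, Media Foundation, Windows Media Format). The DLL names are the standard-edition binaries; their absence is used here as a proxy for "feature pack not installed".

```powershell
# Added example: report edition and presence of the media components KB968211 restores.
function Get-MediaComponentStatus {
    $os  = Get-WmiObject Win32_OperatingSystem
    $sys = Join-Path $env:SystemRoot 'System32'

    # Core binaries of the removed components on a standard edition (see the list above).
    $probe = @{
        WindowsMediaPlayer = 'wmp.dll'       # Windows Media Player user experience / ActiveX control
        MediaFoundation    = 'mfplat.dll'    # Media Foundation platform
        WindowsMediaFormat = 'wmvcore.dll'   # Windows Media Format (ASF, WMA/WMV codecs, DRM)
    }
    $present = @{}
    foreach ($name in $probe.Keys) {
        $present[$name] = Test-Path (Join-Path $sys $probe[$name])
    }

    # Captions look like "Microsoft Windows 7 Enterprise N" or "... Professional KN".
    $isNorKN = ($os.Caption -match '\s(N|KN)\b')

    New-Object PSObject -Property @{
        Edition               = $os.Caption.Trim()
        Version               = $os.Version
        NorKNEdition          = $isNorKN
        WindowsMediaPlayer    = $present.WindowsMediaPlayer
        MediaFoundation       = $present.MediaFoundation
        WindowsMediaFormat    = $present.WindowsMediaFormat
        # KB968211 only applies to N/KN. A missing media stack on another edition
        # is something else (a Windows feature turned off, for instance).
        NeedsMediaFeaturePack = ($isNorKN -and -not ($present.Values -contains $true))
    }
}

Get-MediaComponentStatus | Format-List
```

Run it in an elevated PowerShell on the target machine, or wrap the function in Invoke-Command to collect the same object from a list of hosts before you approve the feature pack in WSUS.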

    16 September 2011

    Using SQL aliases to make database migration much simpler

    I recently saw an entire SharePoint farm be destroyed while attempting to simply move from one SQL server to another.  The problem is that SharePoint, like a lot of other applications, has multiple places where the SQL database server(s) are configured. Miss one and your migration will fail.

    After a lot of late-night reading and finding this answer all over the place: the easy solution to migrating is to create SQL aliases on the farm members.  The ideal way, though, is to build the farm using SQL aliases from the start.

    (For my fellow administrators and non-DBAs: a SQL alias is like a local hosts-file entry, but for SQL Server client connections.)

    Configuring the SQL alias
    This must be done on every server that makes connections to the SQL server.

    • Run c:\Windows\System32\cliconfg.exe
    • Select the Alias tab and click Add
    • Specify the server alias (this is the name you will use from now on to refer to the SQL server)
    • Specify the server name, and the instance name if there is one

    On 64-bit Windows, cliconfg.exe in System32 is the 64-bit version and the aliases it creates are only seen by 64-bit clients. 32-bit applications read a separate set, which you create with the copy in c:\Windows\SysWOW64\cliconfg.exe. If you have a mix of clients, create the alias with both.

    In this example the alias is called "SQLALIAS" and it points at MOSSDRSQL\MOSS.

    To verify that everything is working we are going to configure two ODBC connections: one using the server name and the other using the alias.  (This is just for testing; you do not need an ODBC connection for your alias to work.)

    Connecting using the actual name

    • Start  - Admin tools - Data sources ODBC
    • User DSN
    • Add
    • SQL Driver
    • Name SQLNAME
    • Server: MOSSDRSQL\MOSS

    Complete the Wizard and test the data source

    Connecting using the alias

    • Start  - Admin tools - Data sources ODBC
    • User DSN
    • Add
    • SQL Driver
    • Name Alias
    • Server: SQLALIAS

    Complete the Wizard and test the data source

    You should now see that you can connect to the same server and databases using either the actual name or the alias.  If your application is configured to use the alias, even in multiple places, you only need to change the server name behind the alias and all of those configurations will point to the new server.

    So when it is time to migrate to a new SQL server you can move the databases and, by simply changing your alias, skip having to reconfigure your entire application.  The advantage of building your farm on an alias is that you are not forced to keep using the "old server" name.  This is especially useful if the "old server" is a shared SQL environment that serves other databases you still need to reach by its real name.
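    The cliconfg.exe steps above boil down to one registry value per alias, which makes them scriptable across all farm members. The script below is an added example, not from the post: it writes the same "SQLALIAS" to MOSSDRSQL\MOSS alias into both the 64-bit and the 32-bit (Wow6432Node) client key, then does what the two ODBC data sources do, connecting once by the real name and once by the alias and reading @@SERVERNAME through .NET SqlClient. The port number is an assumption; drop it from the value to let the SQL Browser service resolve the instance.

```powershell
# Added example: create a SQL Server client alias by script and verify it.
$Alias  = 'SQLALIAS'
$Target = 'MOSSDRSQL\MOSS'
$Port   = 1433                 # assumption: the MOSS instance listens on a fixed TCP port

# 64-bit clients read the first key; 32-bit clients on x64 read the Wow6432Node copy.
$connectToKeys = @('HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo')
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    $connectToKeys += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\MSSQLServer\Client\ConnectTo'
}

foreach ($key in $connectToKeys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # DBMSSOCN = TCP/IP network library. Value format: "DBMSSOCN,<server[\instance]>,<port>"
    New-ItemProperty -Path $key -Name $Alias -PropertyType String -Force -Value "DBMSSOCN,$Target,$Port" | Out-Null
}

function Test-SqlServerName {
    param([string]$DataSource)
    $cs   = "Data Source=$DataSource;Integrated Security=SSPI;Connect Timeout=5"
    $conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList $cs
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT @@SERVERNAME'
        return [string]$cmd.ExecuteScalar()
    } finally { $conn.Dispose() }
}

# Both lines should report the same @@SERVERNAME; only the second goes through the alias.
"{0,-14} -> {1}" -f $Target, (Test-SqlServerName $Target)
"{0,-14} -> {1}" -f $Alias,  (Test-SqlServerName $Alias)
```

    At migration time, change only the value data on each farm member and re-run the two checks. Two caveats: the ConnectTo key lives under HKLM, so whoever has administrative rights on a farm member can silently repoint the whole application at another SQL Server, and the service account will happily authenticate there with integrated security; treat the key as security-sensitive configuration. And if an application connects through SQL Native Client rather than SqlClient or the legacy SQL driver, define the alias in SQL Server Configuration Manager as well, because SNAC keeps its own alias list.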

    12 September 2011

    Finding malware infection attempt source machines

    It is a very common problem to have.  Your machines are protected by an antivirus solution and a number of infection attempts are being blocked, but you cannot always determine WHERE the attacks are coming from.

    Some malware persistently and very frequently attempts to infect the same machine, for example through brute-force password guessing.  We can use this pattern of behaviour to determine the source.

    Using netstat
    This system utility "Displays protocol statistics and current TCP/IP network connections."

    The options are as follows:

    NETSTAT [-a] [-b] [-e] [-f] [-n] [-o] [-p proto] [-r] [-s] [-t] [interval]

      -a            Displays all connections and listening ports.
      -b            Displays the executable involved in creating each connection or
                    listening port. In some cases well-known executables host
                    multiple independent components, and in these cases the
                    sequence of components involved in creating the connection
                    or listening port is displayed. In this case the executable
                    name is in [] at the bottom, on top is the component it called,
                    and so forth until TCP/IP was reached. Note that this option
                    can be time-consuming and will fail unless you have sufficient
      -e            Displays Ethernet statistics. This may be combined with the -s
      -f            Displays Fully Qualified Domain Names (FQDN) for foreign
      -n            Displays addresses and port numbers in numerical form.
      -o            Displays the owning process ID associated with each connection.
      -p proto      Shows connections for the protocol specified by proto; proto
                    may be any of: TCP, UDP, TCPv6, or UDPv6.  If used with the -s
                    option to display per-protocol statistics, proto may be any of:
                    IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.
      -r            Displays the routing table.
      -s            Displays per-protocol statistics.  By default, statistics are
                    shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6;
                    the -p option may be used to specify a subset of the default.
      -t            Displays the current connection offload state.
      interval      Redisplays selected statistics, pausing interval seconds
                    between each display.  Press CTRL+C to stop redisplaying
                    statistics.  If omitted, netstat will print the current
                    configuration information once.

    Running netstat with no options gives you a nice list of active connections as they are established, including the address and port of both the local and the foreign end.  Specifying a refresh interval makes it run continually and reprint the list of connections.

    You can redirect this to a text file for easier analysis in Excel.  The output is space-delimited rather than real CSV; the .csv extension just makes Excel pick it up.  To do this use the following command:

    netstat 1 >c:\logfile.csv

    Using netstat -n 1 >c:\logfile.csv gives you a faster-refreshing log, since no name lookups are involved.  Adding -o (netstat -no 1) also records the owning process ID, which tells you which local service the remote host keeps hitting.

    Working with the results
    Open excel and start a new workbook

    • From the Data Tab select From Text
    • Specify the path of the logfile you created earlier
    • Select Delimited as the original data type
    • Start import from row 4
    • Next
    • Select Space as the Delimiter
    • Finish

    You will now have an easy-to-work-with table.  As an example, if your machine is a web server you might want to exclude all connections to port 80, as those are probably legitimate traffic.

    You can also refresh the table to continually pull in the latest log import.

    There is also a free Sysinternals tool that does the same thing with an easier GUI (TCPView), and a command-line version (Tcpvcon) with a few more options; especially useful is its ability to output to a CSV file.

    If you know what to look for you can determine whether a machine is persistently making unsolicited connections to your machine.  This can be indicative of malware trying to get in.  If you have more detailed knowledge of the malware floating around your network you can streamline this process by tailoring your Excel filters.  Keep in mind that netstat is a snapshot: a connection attempt that is refused or times out only shows up if you happen to catch it in a refresh.  This is a very manual process, but it might help you if you are getting hit hard.
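    The Excel steps above can be done in PowerShell so the analysis is repeatable. The script below is an added example and not part of the post: it parses the lines of netstat -ano -p TCP into objects, drops the local ports you expect to be busy (80 on a web server, as suggested above), and ranks remote addresses by how many connections they currently hold to this machine, together with the local ports and TCP states involved. The sample lines are constructed for the demonstration; the last two lines run the same logic against the live machine.

```powershell
# Added example: rank remote hosts by connection count from netstat output.
function ConvertFrom-NetstatTcp {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        #   TCP    10.0.0.5:445     10.0.0.99:51234    ESTABLISHED    4
        if ($line -match '^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$') {
            New-Object PSObject -Property @{
                LocalAddress  = $Matches[1]
                LocalPort     = [int]$Matches[2]
                RemoteAddress = $Matches[3]
                RemotePort    = [int]$Matches[4]
                State         = $Matches[5]
                ProcessId     = [int]$Matches[6]
            }
        }
    }
}

function Get-NoisyRemoteHosts {
    param(
        [object[]]$Connections,
        [int[]]$IgnoreLocalPorts = @(),
        [int]$Top = 10
    )
    # Skip the ports we expect to be busy, and loopback/wildcard addresses.
    $Connections |
        Where-Object { $IgnoreLocalPorts -notcontains $_.LocalPort } |
        Where-Object { $_.RemoteAddress -notmatch '^(127\.|0\.0\.0\.0$|\[::1?\]$)' } |
        Group-Object RemoteAddress |
        Sort-Object Count -Descending |
        Select-Object -First $Top |
        ForEach-Object {
            New-Object PSObject -Property @{
                RemoteAddress = $_.Name
                Connections   = $_.Count
                LocalPorts    = (($_.Group | Select-Object -ExpandProperty LocalPort | Sort-Object -Unique) -join ',')
                States        = (($_.Group | Select-Object -ExpandProperty State | Sort-Object -Unique) -join ',')
            }
        }
}

# Constructed sample: a web server (port 80 busy) being hammered on SMB by 10.0.0.99.
$sample = @(
    'Active Connections',
    '',
    '  Proto  Local Address          Foreign Address        State           PID',
    '  TCP    10.0.0.5:80            10.0.0.20:50411        ESTABLISHED     1688',
    '  TCP    10.0.0.5:80            10.0.0.21:50412        ESTABLISHED     1688',
    '  TCP    10.0.0.5:445           10.0.0.99:51234        ESTABLISHED     4',
    '  TCP    10.0.0.5:445           10.0.0.99:51235        SYN_RECEIVED    4',
    '  TCP    10.0.0.5:139           10.0.0.99:51236        ESTABLISHED     4'
)
Get-NoisyRemoteHosts -Connections (ConvertFrom-NetstatTcp $sample) -IgnoreLocalPorts 80 |
    Format-Table RemoteAddress, Connections, LocalPorts, States -AutoSize

# Live, against this machine (80 and 443 excluded as for a web server):
Get-NoisyRemoteHosts -Connections (ConvertFrom-NetstatTcp (netstat -ano -p TCP)) -IgnoreLocalPorts 80,443 |
    Format-Table RemoteAddress, Connections, LocalPorts, States -AutoSize
```

    With the sample, 10.0.0.99 comes out on top with three connections on ports 139 and 445, which is the brute-force pattern the post describes. The ProcessId field is what -o adds; feed it to Get-Process -Id to see which local service the remote host is targeting. Because a single run is a snapshot, loop the live call with Start-Sleep and append the results to a CSV if the attempts are short-lived.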

    08 September 2011

    Network device discovery and profiling with Angry IP Scanner

    Finding active machines on your network is an essential part of network security.  No security administrator wants unauthorized machines connected to their network spreading malware, sniffing packets, etc.

    There are a number of ways to do this.  This is probably the simplest and quickest way to go about it.

    You will need Angry IP Scanner http://www.angryip.org/w/Download  This great little utility lets you do a lot of discovery and profiling.

    In this tutorial I will cover scanning for Windows machines only, and setting up an easy RDP connection opener.

    You will need to know which IP ranges you want to scan.  Scanning a large number of subnets will result in very long scan times and bulky results.

    Launch Angry IP Scanner and follow these steps.

    Setting Preferences
    From the menu select Tools - Preferences
    Set your scanning preferences as follows:

    On the scanning tab

    • Delay between starting threads: 20ms
    • Maximum number of threads: 50
    • Ping method: Windows ICMP
    • Number of ping probes: 1
    • Ping timeout: 2000
    • Check - Scan dead hosts, which don't reply to pings
    • Check - Skip likely broadcast IP addresses

    The reason for scanning dead hosts is to also port-scan machines that drop ICMP echo requests because a host firewall is enabled and configured to do so.  Enabling this setting makes the port scan run against those hosts as well.

    On the Ports tab
    By being specific about what we scan for we can expect certain machines to return certain results.

    • Default port connection timeout: 2000
    • Ports 135,3389
    • Check  - For each host, add requested specific ports

    Port 135 is the RPC endpoint mapper and is open by default on a Windows machine, unless a host firewall blocks it.
    Port 3389 is RDP; it is a further indicator that the host is Windows, and it lets you know whether you could RDP to that host.

    This process is what is referred to as profiling.  Include other ports if you are looking for other services.  As an example: getting a result for port 80 without 135 probably indicates a non-Windows (for example Linux-based) web server.  Take this a step further and you have rudimentary OS fingerprinting.

    On the display tab

    • Select Hosts with open ports only
    • Uncheck - Ask for confirmation before starting new scan
    • Uncheck - Show Info dialog after each scan

    These settings streamline your results and only show the Windows hosts you are looking for.

    Define Custom Opener
    I include this because in my environment most machines are managed with remote desktop and this simplifies connection to them.

    • From the File Menu select Commands - Open - Edit Openers
    • Click Add
    • Opener Name:  Remote Desktop
    • Execution string: mstsc.exe /v:${fetcher.ip}
    • Working directory: c:\windows\system32


    Running the scan

    • Specify the IP range start and end address
    • Click the => Start button

    As the results come up you can see the effect of the settings specified earlier.

    You should only see Windows hosts that are alive.
    You should also see which machines you can Remote Desktop to (3389 shows up)
    You can then use your custom opener to easily connect to the machine
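    The same profile scan can be reproduced without the GUI. The script below is an added example, not the post's and not Angry IP Scanner's code: it follows the preferences above (no reliance on ICMP, probe 135 and 3389 with a 2 s connect timeout, skip .0 and .255 addresses, keep only hosts with an open port) and emits one object per live Windows host that can be exported to CSV like the scanner's own export. The address range is an assumption; only scan networks you are authorised to scan.

```powershell
# Added example: TCP profiling of an IPv4 range for Windows hosts (135) and RDP (3389).
function Test-TcpPort {
    param([string]$Address, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Address, $Port, $null, $null)
        # A closed port usually answers with RST quickly; a firewalled one runs into the timeout.
        if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false) -and $client.Connected) {
            $client.EndConnect($async)
            return $true
        }
        return $false
    } catch { return $false }
    finally { $client.Close() }
}

function Get-IPv4Range {
    param([string]$Start, [string]$End)
    $toUInt32 = {
        param([string]$Ip)
        $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
        [Array]::Reverse($b)                    # network byte order -> host order
        [BitConverter]::ToUInt32($b, 0)
    }
    $first = & $toUInt32 $Start
    $last  = & $toUInt32 $End
    for ([uint32]$n = $first; $n -le $last; $n++) {
        $b = [BitConverter]::GetBytes([uint32]$n)
        [Array]::Reverse($b)
        # "Skip likely broadcast IP addresses": last octet .0 or .255
        if ($b[3] -eq 0 -or $b[3] -eq 255) { continue }
        ([System.Net.IPAddress]$b).ToString()
    }
}

function Invoke-WindowsProfileScan {
    param(
        [string]$Start,
        [string]$End,
        [int[]]$Ports = @(135, 3389),
        [int]$TimeoutMs = 2000
    )
    foreach ($ip in Get-IPv4Range -Start $Start -End $End) {
        $open = @($Ports | Where-Object { Test-TcpPort -Address $ip -Port $_ -TimeoutMs $TimeoutMs })
        if ($open.Count -eq 0) { continue }           # "Hosts with open ports only"
        New-Object PSObject -Property @{
            IP            = $ip
            OpenPorts     = ($open -join ',')
            LikelyWindows = ($open -contains 135)     # RPC endpoint mapper answered
            RdpReachable  = ($open -contains 3389)
        }
    }
}

# Assumption: 10.0.0.1-10.0.0.50 is a range you own. The RDP opener is then: mstsc.exe /v:<IP>
$results = Invoke-WindowsProfileScan -Start '10.0.0.1' -End '10.0.0.50'
$results | Format-Table IP, OpenPorts, LikelyWindows, RdpReachable -AutoSize
$results | Export-Csv -Path .\windows-hosts.csv -NoTypeInformation
```

    The scan is sequential, so a firewalled address costs up to one timeout per port; shrink the range or the timeout for large networks. Two caveats carry over from the GUI: a Windows 7 host firewall on the public profile blocks 135 by default, so a missing 135 does not prove the host is not Windows, and connect scans like this one show up clearly in IDS logs and on the targets.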

    There are many different ways of doing this.  This is a relatively simple way to go about it, as the tool is easy to use and understand, and the results are easily exported to a CSV file from where they can be further manipulated.

    For more info check out the full Angry IP Scanner site.

    For more advanced network probing look at something like Nmap - http://nmap.org/

    07 September 2011

    Sophos Endpoint does not communicate to Enterprise Management Console

    On machines with multiple network adapters you might find that there is no communication with the Enterprise Management Console.  The console will then show the machine as unmanaged.  Re-installing Sophos Anti-Virus on the computer does not resolve this issue.

    This problem is becoming more prevalent as more virtual machines, and therefore virtual network adapters, are installed on PCs and servers.  It affects VMware, VirtualBox, Hyper-V and Virtual PC hosts alike.

    The solution to this is documented in http://www.sophos.com/support/knowledgebase/article/12507.html - but here is the solution:

    Follow the procedure below. This forces the Remote Management System to listen on one IP address only, so the certificate manager will have only one, correct, IP address to bind to.
    Note: In the following procedure, the example in step 7 assumes that the IP address you chose is You must enter the correct value for your system, as obtained from the list of IP addresses in step 2.
    1. Log on at the server. Determine the IP addresses of the server. On the menu bar, click Start|Programs|Accessories|Command Prompt. In the Command Prompt window, type ipconfig -all .
    2. Make a note of all the IP addresses allocated to the computer, and determine which one is on the same subnet as your client computers. (If you are unsure of this, check your system documentation.)
    3. Click Start|Run and type regedit. Click 'OK'. The Registry Editor window opens.
      Warning: Before attempting to edit the registry, read the warning issued by Microsoft.
    4. Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
    5. In the right-hand pane, double-click 'ImagePath'. The Edit String dialog box opens.
    6. The 'Value data' field displays the value:
      "C:\Program Files\Sophos\Remote Management System\RouterNT.exe" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194
    7. Change this to:
      "C:\Program Files\Sophos\Remote Management System\RouterNT.exe" -service -name Router -ORBListenEndpoints iiop://
      (Replace with the IP address you noted in step 2 above.)
    8. Click 'OK'.
    9. Browse to HKEY_LOCAL_MACHINE\SOFTWARE\sophos\Messaging System\Router.
    10. In the right-hand pane, double-click 'ServiceArgs'. The Edit String dialog box opens.
    11. The 'ServiceArgs' field displays the value:
      "-ORBListenEndpoints iiop://:8193/ssl_port=8194"
    12. Change this to:
      "-ORBListenEndpoints iiop://"
      (Replace with the IP address you noted in step 2 above.)
    13. Click 'OK', and close the Registry Editor.
    14. Open the Services window on your server.
    15. Scroll down to the Sophos Message Router service. Right-click the service and select 'Restart'. Click 'OK' or 'Yes' to any messages you receive about service dependencies.
    16. In the same Services window, ensure that all other services starting with the word "Sophos" are running. It is not necessary for SQLAgent$Sophos to be running.
    Your computers should now be able to retrieve certificates from the server and, over a short period, will start to appear as managed in the Enterprise Console.
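    Steps 3 to 15 are a string edit on two registry values followed by a service restart, and they are easy to get wrong by hand. The script below is an added example, not from the post or from Sophos: it locates the Sophos Message Router service by display name (so the service key name does not have to be typed), saves a copy of each value, inserts the chosen address directly after "iiop://" so the rest of the string stays whatever your version has, restarts the router and lists the Sophos services. $ListenIp is an assumption; use the address you noted in step 2.

```powershell
# Added example: bind the Sophos Message Router to a single IP address.
$ListenIp = '192.168.10.5'   # assumption: the server address on the clients' subnet (step 2)

$svc = Get-WmiObject Win32_Service -Filter "DisplayName='Sophos Message Router'"
if (-not $svc) { throw 'Sophos Message Router service not found on this server' }

function Set-RouterListenAddress {
    param([string]$SubKey, [string]$ValueName, [string]$Ip)
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey, $true)
    if (-not $key) { throw "HKLM\$SubKey not found" }
    try {
        # Read without expanding %...% so REG_EXPAND_SZ values are written back unchanged.
        $old = [string]$key.GetValue($ValueName, $null, 'DoNotExpandEnvironmentNames')
        if ($old -notmatch 'iiop://:') {
            Write-Warning "$ValueName is not bound to all addresses; left unchanged: $old"
            return
        }
        $kind = $key.GetValueKind($ValueName)
        $key.SetValue("$ValueName.bak", $old, $kind)        # keep the original next to it
        $new = $old -replace 'iiop://:', "iiop://$($Ip):"   # "iiop://:8193/..." -> "iiop://<ip>:8193/..."
        $key.SetValue($ValueName, $new, $kind)
        "$ValueName`n  before: $old`n  after:  $new"
    } finally { $key.Close() }
}

# Step 4-8: the service's ImagePath
Set-RouterListenAddress -SubKey "SYSTEM\CurrentControlSet\Services\$($svc.Name)" -ValueName ImagePath -Ip $ListenIp

# Step 9-13: ServiceArgs. A 32-bit RMS on 64-bit Windows keeps its settings under Wow6432Node.
$routerKey = 'SOFTWARE\Sophos\Messaging System\Router'
$probe = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($routerKey)
if ($probe) { $probe.Close() } else { $routerKey = 'SOFTWARE\Wow6432Node\Sophos\Messaging System\Router' }
Set-RouterListenAddress -SubKey $routerKey -ValueName ServiceArgs -Ip $ListenIp

# Step 14-16: restart the router and check the other Sophos services
Restart-Service -Name $svc.Name -Force
Get-Service | Where-Object { $_.DisplayName -like 'Sophos*' } | Format-Table DisplayName, Status -AutoSize

# Confirm the router listens on the chosen address only (was 0.0.0.0:8193 / 0.0.0.0:8194 before)
netstat -ano -p TCP | Select-String ':819[34]\s'
```

    Run it elevated. The netstat check at the end is the quickest way to confirm the change took: the listening sockets on 8193 and 8194 should now show the chosen address rather than 0.0.0.0. Note that binding to one address also means endpoints on any other subnet of this server can no longer reach the router on those interfaces, which is the intended effect.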

     For other potential problems check:


    Sophos Endpoint Message Router fails to start Error 1067

    On machines with the Forefront Firewall Client installed you might experience the following:

    The machine is working correctly as per the installed state, but there is no communication to the Enterprise Console.

    If you look at the services you should notice that the Sophos Message Router service continually starts and stops.  The System event log will also show the problem, with a number of Event ID 7031 (Service Control Manager) entries.

    If you manually attempt to start the service you will get - Error 1067: The process terminated unexpectedly

    The Sophos router log will also show the following:

    06.09.2011 14:31:02 11D4 I SOF: C:\ProgramData/Sophos/Remote Management System/3/Router/Logs/Router-20110906-123102.log
    06.09.2011 14:31:02 11D4 I Sophos Messaging Router starting...
    06.09.2011 14:31:02 11D4 I Setting ACE_FD_SETSIZE to 138
    06.09.2011 14:31:02 11D4 I Initializing CORBA...
    06.09.2011 14:31:02 11D4 I Setting connection cache limit to 10
    06.09.2011 14:31:02 11D4 E ACE_Select_Reactor_T::open failed inside ACE_Select_Reactor_T::CTOR: An operation was attempted on something that is not a socket.
    06.09.2011 14:31:02 11D4 E (1148|4564) ORB Core unable to initialize reactor: An operation was attempted on something that is not a socket.
    06.09.2011 14:31:02 11D4 E Router::Start: Caught CORBA system exception, ID 'IDL:omg.org/CORBA/INITIALIZE:1.0'
    TAO exception, minor code = 0 (ORB Core initialization failed; unspecified errno), completed = NO

    06.09.2011 14:31:02 11D4 I Restarting...

    The network communications report will not indicate any errors either.

    To resolve the issue you need to uninstall the Forefront Firewall Client.  Simply disabling it does not resolve the problem.

    06 September 2011

    Root certificate update with Windows update catalog

    Automatic Updates should in theory download and install all the required updates, including the ones that update the local machine's root certificate store.  This store should contain the latest list of certificates from the Microsoft Root Certificate Program member CAs.

    If for some reason your machine is unable to get these updates, you can download the required Windows updates manually.  Your machine might be updating from your corporate WSUS server, where these updates might not have been approved.

    Browse to the Microsoft Update Catalog http://catalog.update.microsoft.com/v7/site/home.aspx and search for "Certificate update"

    You can narrow the list down to your OS by searching for "certificate updates windows server 2008"

    You can get an overview of an update by clicking on its title.  If you need further information there is also a link to the support KB article.

    Add the update to your basket, then download and install it.  Alternatively, if you are the WSUS administrator, you now have the KB number(s) of the update(s) to approve in WSUS.
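    Before fetching the package by hand it is worth checking why the machine is not getting roots on its own. The PowerShell below is an added example, not from the post: it summarises the local machine Root store (count, newest root, expired roots) and reads the two policy settings that most often explain a stale store, the "Turn off Automatic Root Certificates Update" policy (DisableRootAutoUpdate) and a WUServer entry that routes the machine to a corporate WSUS server where the root update may be unapproved.

```powershell
# Added example: summarise the Root store and the policies that block root updates.
function Get-RootStoreSummary {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open('ReadOnly')
    try {
        $certs = @($store.Certificates)
        $now   = Get-Date
        New-Object PSObject -Property @{
            RootCount       = $certs.Count
            NewestNotBefore = ($certs | Sort-Object NotBefore -Descending | Select-Object -First 1).NotBefore
            ExpiredRoots    = @($certs | Where-Object { $_.NotAfter -lt $now }).Count
        }
    } finally { $store.Close() }
}

function Get-RootUpdatePolicy {
    $authRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
    $wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    # Both values are absent unless set by Group Policy; absent means "not disabled" / "Microsoft Update".
    $disable = (Get-ItemProperty -Path $authRoot -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue).DisableRootAutoUpdate
    $wsus    = (Get-ItemProperty -Path $wuPolicy -Name WUServer -ErrorAction SilentlyContinue).WUServer
    New-Object PSObject -Property @{
        RootAutoUpdateDisabled = ($disable -eq 1)
        WsusServer             = $wsus
    }
}

Get-RootStoreSummary | Format-List
Get-RootUpdatePolicy | Format-List
```

    If RootAutoUpdateDisabled is true, the machine will never pull a missing root on demand from Windows Update when it validates a chain, regardless of what WSUS approves; that policy, not the catalog package, is the first thing to fix. If a WSUS server is listed, approve the root update there rather than installing the catalog download by hand on every host.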