Windows Explored

Everyday Windows Desktop Support, Advanced Troubleshooting & Other OS Tidbits

Archive for the ‘Uncategorized’ Category

Crashing Config Manager Client & Remote Control Viewer after Windows 10 1703 to 1709 Update

Posted by William Diaz on May 31, 2018


…or killing two birds with one stone.

One of our tier 1 technicians asked me to look at their workstation after not being able to install anything from the Software Center or Application Catalog. Usually, this is corrected by uninstalling the CCM client (also referred to as the SMS agent); upon restarting the system, it is reinstalled, or we just manually push the client from the CCM Manager to the problem machine again. However, in this case, that approach had no effect. The only suspect at this point was the recent Win10 update from 1703 to 1709 that we had started pre-deploying to some technician workstations to weed out problems.

Additionally, I had also received a few complaints from the helpdesk of the CCM Remote Control Viewer crashing the OS (bugcheck or BSOD) when they were trying to connect to someone’s workstation, usually when trying to resize the viewer window. Initially, I had assumed this was related to the video system or one of its components, and running the memory dump through a debugger hinted that this might be the case:

Time is limited and in-depth crash debugging can be terribly complex, so I only use WinDbg when I absolutely have to and do not jump too deep into dump analysis. I left it at that and asked those having the issue with Remote Control Viewer to run off to the computer vendor site and update video drivers. A couple of days later, they still reported the issue occasionally happening, and I put this one on the back burner while I investigated the issue with the crashing CCM client, assuming they might be related as both were SMS\CCM client issues that started occurring after the 1703 to 1709 update.

Curious if there were any missing components in the CCM client install, I navigated to C:\Windows\CCM to examine the file structure of the directory. To my surprise, I saw it was littered with thousands of CcmExec.exe.****.dmp files. Basically, each time the CCM client attempted to fire, it would immediately crash, and over the course of a few days it had created GBs worth of crash dumps. Examining the Event Viewer > System logs, I saw the error, event ID 7031, for the SMS agent.

I grabbed one of the CCM dumps and opened it in WinDbg, ran !analyze -v and saw that right after ccmexec fired, msvcr120.dll was being called before the exception was raised.

Running the lmvm msvcr120 command indicates this belongs to the Microsoft C++ 2013 visual runtime library:

The current CCM Client has a dependence on the MS C++ 2013 Redistributable. You can see this by going into the ccm setup directory:

Now, this issue was not happening with everyone who updated. The key to finding the cause was finding the difference across the workstations. Fortunately, I already had my suspicion, as it happens that I also created a deployment for the Citrix VDA client last year and happened to know the internals of the installer also have a dependence on the MS C++ 2013 Redistributable, which you can see if you unpack the installer. The problem machines all had the Citrix VDA client installed prior to the 1703 to 1709 update. Somewhere along the way during the update, something is causing the CCM client and VDA client to clash with the 2013 visual runtimes. Fixing it was a matter of uninstalling the VDA client, restarting, and reinstalling the VDA. Since then, we have incorporated some logic into the updated task sequence for the update to uninstall the VDA client prior to the update, and reinstall it at the end of the TS.

Admittedly, I don’t think I investigated running a repair or reinstall of the C++ 2013 runtime library, as it was nearing the end of the week, I was about to go on vacation and wanted to clear out my tasks, so I decided not to invest any more time into it. Or maybe I did, forgot, and it had no effect. That might be an alternative to uninstalling the VDA if anybody wants to try.

 

Update

_______________________________________________________________________________________________________________________________________________________

Repairing the C++ 2013 runtime does not fix it. Additionally, we started seeing hang issues during the 1709 update when including the VDA install, so, instead, we have opted to simply leave the VDA in place and unregister the VDA component causing the issue, as we do not use it:

regsvr32 -u "C:\Program Files\Citrix\Third Party Integration\System Center Configuration Manager\SccmPlugin.dll"

Additionally, some have suggested that moving to VDA 7.15 corrects this. That is not true, at least not in our case.


Why is the IE 11 MSI Generated from the IEAK Failing?

Posted by William Diaz on December 8, 2014


There has been some chatter about the Internet Explorer 11 MSI that is generated from the IEAK failing while the EXE is able to run successfully. I ran into this myself last week while trying to manually execute the package. The IE11_main.log always showed the same error: “ERROR:   Error downloading prerequisite file (KB2834140): 0x800c0005 (2148270085)”


After a day or so of troubleshooting I realized the problem. When the IE11 setup runs, it needs to go out to the Internet to check Microsoft for prerequisite updates; both the MSI and the EXE do this. But the MSI (msiexec.exe) executes in the context of the local system account. By default, the local system account tries to find a direct path to the Internet, but if you are behind a proxy this is going to fail, as the MSI child processes (specifically ienrcore.exe) are bypassing the proxy.

The EXE, on the other hand, when run manually executes in the context of a user account with Internet access. That does not mean you are entirely out of the woods with the EXE package. If you are automatically deploying and leveraging SCCM, the EXE (like the MSI) is still going to be executed by the local system account. To overcome this, you need to configure the local system account to use a proxy (or not use a proxy, or update your proxy). This can be done via BITSAdmin with the following command:

bitsadmin /util /setieproxy localsystem MANUAL_PROXY MyProxy:8080 "<local>"

Another workaround is to simply install the prerequisites before installing IE 11. The required KBs are:

  • KB2670838
  • KB2786081
  • KB2834140
  • KB2882822
  • KB2888049

Last, you should also be able to extract the cab files from these KBs and add them via IEAK custom components step in the IEAK. I have yet to get this to work, however, as the package still wants to go out to the Windows Update site. If you have gotten this to work, let me know how you did it.


UPDATE

I have decided to use the IE11 redistributable and avoid IEAK. Injecting updates into the package via IEAK is too much work. Fortunately for us we control everything we need to via group policy so there is no need for customizations. A script to install the prerequisite updates and then IE11 is much simpler.

Note, if you install the updates and then install IE11 in the same script, the IE11 installer is still going to want to go out to the Internet to check for updates if you just run the executable command. There are two ways to work around this. One is to install the updates, restart, then install IE11, but this means you have to break up your deployment into two steps. The other avoids that by using DISM, and the answer lies in the IE11_main.log. When a successful install (with Internet connection) of IE11 is completed you can find the command in the log:


Just extract the redistributable and then install IE11 via the main CAB using DISM and then the two MSUs using WUSA. For example:

::Create temp directory if not present to extract IE11
IF NOT EXIST "%systemdrive%\temp\IE11" MKDIR "%systemdrive%\temp\IE11"
ECHO Installing prerequisite updates for Internet Explorer 11
"%~dp0Windows6.1-KB2670838-x64.msu" /quiet /norestart
"%~dp0Windows6.1-KB2786081-x64.msu" /quiet /norestart
"%~dp0Windows6.1-KB2834140-v2-x64.msu" /quiet /norestart
"%~dp0Windows6.1-KB2882822-x64.msu" /quiet /norestart
"%~dp0Windows6.1-KB2888049-x64.msu" /quiet /norestart
ECHO Installing Internet Explorer 11. Please wait...
::A reboot is required here, otherwise the IE11 Installer wants to still go out to Internet to check updates
::We can avoid this by using DISM instead to install IE11
::Extract the redistributable into the temp directory
"%~dp0IE11-Windows6.1-x64-en-us.exe" /X:%systemdrive%\temp\IE11
::Install the main CAB from the extraction directory, then the two language MSUs
%systemroot%\system32\dism.exe /Online /Add-Package /PackagePath:%systemdrive%\temp\IE11\IE-Win7.CAB /quiet /norestart
%systemroot%\system32\wusa.exe "%systemdrive%\temp\IE11\IE-Spelling-en.MSU" /quiet /norestart
%systemroot%\system32\wusa.exe "%systemdrive%\temp\IE11\IE-Hyphenation-en.MSU" /quiet /norestart
::Cleanup
RMDIR "%systemdrive%\temp\IE11" /s /q

 

Note: if you are going to be using the 32-bit Configuration Manager client to execute the batch file above in 64-bit Windows, you will need to replace the system32 paths with sysnative.


A Typo

Posted by William Diaz on January 30, 2014



USB BitLocker Policy May Not Apply To Some Android Devices

Posted by William Diaz on November 21, 2013


During recent BitLocker piloting for USB mass storage devices we noticed that Android devices were not affected by our BitLocker policy, which was to prevent writing of data if the device was not encrypted. Although we do not intend to enforce encryption on these devices for obvious reasons, we still wanted to be able to deny write to the devices in the same manner that users could not write to their BlackBerry or iPhone devices, where the USB BitLocker policy to deny write was working as expected.

After opening a case with Microsoft, the conclusion was that even though the Android devices were mass storage devices, they were presenting themselves as Windows Portable Devices:

>>  [Device Install (Hardware initiated) – WpdBusEnumRoot\UMB\2&37c186b&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_SMI&PROD_USB_DISK&REV_1100#7&2DEFC6D0&0#]
>>>  Section start 2013/11/12 14:30:18.871
     ump: Creating Install Process: DrvInst.exe 14:30:18.871
     ndv: Retrieving device info…
     ndv: Setting device parameters…
     ndv: Doing WU search last due to CM_DEVCAP_SILENTINSTALL flag.
     ndv: Searching Driver Store and Device Path…
     dvi: {Build Driver List} 14:30:18.949
     dvi:      Searching for compatible ID(s):
     dvi:           wpdbusenum\fs
     …

     dvi:           DrvDate      – 06/21/2006
     dvi:           Version      – 6.1.7600.16385
     inf:      Searched 1 potential matches in published INF directory
     inf:      Searched 35 INFs in directory: ‘C:\Windows\inf’
     dvi: {Build Driver List – exit(0x00000000)} 14:30:19.074
     ndv: Selecting best match from Driver Store (including Device Path)…
     dvi: {DIF_SELECTBESTCOMPATDRV} 14:30:19.074
     dvi:      Using exported function ‘WpdClassInstaller’ in module ‘C:\WINDOWS\system32\wpd_ci.dll’.
     dvi:      Class installer == wpd_ci.dll,WpdClassInstaller
     dvi:      No CoInstallers found
     dvi:      Class installer: Enter 14:30:19.089
     dvi:      Class installer: Exit
     dvi:      Default installer: Enter 14:30:19.089

 

A normal USB mass storage device, e.g. a flash drive, otherwise presents itself in a manner that USB BitLocker policy can be applied to, because the device is recognized as mass storage:

>>>  [Device Install (Hardware initiated) – STORAGE\Volume\_??_USBSTOR#Disk&Ven_SMI&Prod_USB_DISK&Rev_1100#7&2defc6d0&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}]
>>>  Section start 2013/11/12 14:30:16.765
     ump: Creating Install Process: DrvInst.exe 14:30:16.796
     ndv: Retrieving device info…
     ndv: Setting device parameters…
     ndv: Doing WU search last due to CM_DEVCAP_SILENTINSTALL flag.
     ndv: Searching Driver Store and Device Path…
     dvi: {Build Driver List} 14:30:16.812
     dvi:      Searching for hardware ID(s):
     dvi:           storage\volume

     dvi:           DrvDate      – 06/21/2006
     dvi:           Version      – 6.1.7601.17567
     inf:      Searched 1 potential matches in published INF directory
     inf:      Searched 35 INFs in directory: ‘C:\Windows\inf’
     dvi: {Build Driver List – exit(0x00000000)} 14:30:16.937
     ndv: Selecting best match from Driver Store (including Device Path)…
     dvi: {DIF_SELECTBESTCOMPATDRV} 14:30:16.937
     dvi:      Using exported function ‘VolumeClassInstaller’ in module ‘C:\WINDOWS\system32\SysClass.dll’.
     dvi:      Class installer == SysClass.dll,VolumeClassInstaller
     dvi:      Using exported function ‘CriticalDeviceCoInstaller’ in module ‘C:\WINDOWS\system32\SysClass.Dll’.
     dvi:      CoInstaller 1 == SysClass.Dll,CriticalDeviceCoInstaller

This information is written each time you connect a USB device to a Windows computer and can be found in C:\Windows\inf\setupapi.dev.log.

The workaround is to apply a Deny Write Access to WPD devices in Computer Configuration\Administrative Templates\System\Removable Storage Access.
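
As an added example (not part of the original post), the Python sketch below parses setupapi.dev.log sections like the two excerpts above and labels each device install by its enumerator and class installer, so you can list which devices came up through WPD and therefore fall under the WPD deny-write setting. The sample text is abridged from the excerpts with constructed "Section end" lines, and all function names are illustrative.

```python
import re

# Section header: ">>>  [Device Install (Hardware initiated) - <device instance id>]".
# Real logs use a hyphen; the excerpts as rendered on this page show an en dash, so accept both.
HEADER = re.compile(r"^>{2,3}\s+\[Device Install \([^)]*\)\s+[-\u2013]\s+(?P<dev>.+)\]\s*$")
START = re.compile(r"^>>>\s+Section start (?P<ts>\S+ \S+)")
INSTALLER = re.compile(r"Class installer == (?P<dll>[^,\s]+),(?P<func>\S+)")

# Constructed sample: abridged from the two excerpts in the post, "Section end" lines added.
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - WpdBusEnumRoot\UMB\2&37c186b&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_SMI&PROD_USB_DISK&REV_1100#7&2DEFC6D0&0#]
>>>  Section start 2013/11/12 14:30:18.871
     dvi:      Searching for compatible ID(s):
     dvi:           wpdbusenum\fs
     dvi:      Class installer == wpd_ci.dll,WpdClassInstaller
     dvi:      No CoInstallers found
<<<  Section end 2013/11/12 14:30:19.200
>>>  [Device Install (Hardware initiated) - STORAGE\Volume\_??_USBSTOR#Disk&Ven_SMI&Prod_USB_DISK&Rev_1100#7&2defc6d0&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}]
>>>  Section start 2013/11/12 14:30:16.765
     dvi:      Searching for hardware ID(s):
     dvi:           storage\volume
     dvi:      Class installer == SysClass.dll,VolumeClassInstaller
     dvi:      CoInstaller 1 == SysClass.Dll,CriticalDeviceCoInstaller
<<<  Section end 2013/11/12 14:30:17.100
"""

def classify(device, installer):
    """Label a section by the enumerator in the instance id or by the class installer used."""
    dev, inst = device.lower(), (installer or "").lower()
    if dev.startswith("wpdbusenumroot\\") or inst.startswith("wpd_ci.dll,"):
        return "wpd"      # installed as a Windows Portable Device
    if dev.startswith("storage\\volume\\") or inst.endswith(",volumeclassinstaller"):
        return "volume"   # installed as a storage volume
    return "other"

def parse_sections(text):
    """Return one dict per Device Install section: device, start, installer, kind."""
    sections, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"device": m.group("dev"), "start": None, "installer": None}
            sections.append(cur)
        elif line.startswith(">>>") and "[" in line:
            cur = None    # a different section type; do not attribute its lines to a device
        elif cur is not None:
            m = START.match(line)
            if m:
                cur["start"] = m.group("ts")
            m = INSTALLER.search(line)
            if m and cur["installer"] is None:
                cur["installer"] = m.group("dll") + "," + m.group("func")
    for s in sections:
        s["kind"] = classify(s["device"], s["installer"])
    return sections

def wpd_installs(text):
    """(start time, device instance id) for every device that came up through WPD."""
    return [(s["start"], s["device"]) for s in parse_sections(text) if s["kind"] == "wpd"]

if __name__ == "__main__":
    for s in parse_sections(SAMPLE_LOG):
        print(s["start"], s["kind"], s["installer"], s["device"][:40])
```

To run it against a real machine, pass the contents of C:\Windows\inf\setupapi.dev.log to `parse_sections` instead of `SAMPLE_LOG`.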


IE 11, Page can’t be displayed, Google.com, & SPDY/3 Protocol

Posted by William Diaz on October 28, 2013


I’ve been taking Internet Explorer 11 for a test drive recently and started to notice an odd occurrence. Upon initially opening IE 11 and typing www.google.com into the address bar, I am unable to get to the page, instead getting the generic “This page can’t be displayed…”


A quick refresh, however, had no problems taking me to the page afterwards. Closing IE (and making sure all iexplore.exe processes are closed via the Task Manager) and typing the same URL again would reproduce the problem roughly 8 out of 10 times. A quick look with Network Monitor showed that the connection was, in fact, successful:


Looking at one of the frames in the network capture showed the presence of an additional HTTP protocol I wasn’t familiar with in Internet Explorer, SPDY/3:


I remember seeing it in the Advanced tab of the Internet Explorer settings:


Unchecking this setting resolved the issue. I am not sure why this is happening. SPDY/3 is a relatively new open protocol introduced by Google and being adopted by IE. More about it can be read here: http://en.wikipedia.org/wiki/SPDY & http://dev.chromium.org/spdy/spdy-protocol/spdy-protocol-draft3. In short, it makes the browser speedier by reducing web page load times.


Update

Seems to be reproducible only behind a proxy, TMG in our case.


Failed Java Uninstalls

Posted by William Diaz on October 23, 2013


After moving to Java 7 several months ago, this issue started plaguing us. During normal troubleshooting of Java applet-website issues techs would try to uninstall our custom Java 7 package, only to encounter: “There was a problem starting C:\Program Files (x86)\Java\jre7\bin\\installer.dll. The specified module could not be found.”


Up until recently, the fix was to run the Microsoft FixIt Utility to Fix problems with Programs that can’t be installed or uninstalled. Afterwards, we would then need to remove the stubborn registry entries that left the Program and Features application list populated with the now removed application by running the uninstall again. With the recent expiration of Java 7 update 25 and confusion from tier 1 support, there were several updates being done to the new JRE. In order to maintain a consistent software environment, I asked to have those updated JREs put back to 7.25. This also required uninstalling 7.25 on so many workstations that my head was left spinning because the process had to be done manually and I was the “go-to” person for the Java crisis. More importantly, at some point we would need to eventually update to a new JRE and likely want to remove the old one but not have a way to automatically uninstall the previous client with the uninstall broken.

After some web research, I found that the issue was with one of the custom actions in the Java msi, UninstallJRE:


This should be changed to:


Thanks to Keith Jones. Found this gem here: http://lists.wpkg.org/pipermail/wpkg-users/2013-May/009394.html.


Um, So We’ll Have to Lower Java Security Again?

Posted by William Diaz on October 21, 2013


So, last week with the expiration of Java 7 Update 25, Java LiveConnect stopped working on several web sites that our users frequent, forcing them to change the default Java security setting from High to Medium. For argument’s sake, you could update to Java 7 Update 45 and go back to using the High security setting. But then I saw some additional text on one of the common Java 7 security dialogs: “This application will be blocked in a future Java security update because the JAR file manifest does not contain the Permissions attribute…”


Assuming the applet is not updated by the next JRE expiration, users would then have to lower Java security again.


Java 7 Troubleshooting (disabled support for MD2)

Posted by William Diaz on September 4, 2013


Upon trying to connect to a vendor’s website application, a user was seeing an error pointing to a failed certificate validation:


With Java logging enabled, the details were more specific:

com.citrix.sdk.jsse.CitrixSSLException: The certificate validation failed. 
    at com.citrix.sdk.jsse.SocketFactory.createSslSocket(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at com.citrix.client.io.net.ip.proxy.o.a(Unknown Source)
    at com.citrix.client.io.net.ip.z.a(Unknown Source)
    at com.citrix.client.io.net.ip.z.a(Unknown Source)
    at com.citrix.client.module.td.tcp.TCPTransportDriver.s(Unknown Source)
    at com.citrix.client.module.td.TransportDriver.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
    at sun.security.ssl.Alerts.getSSLException(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)

Looking at the certificate, I could see it was using the relatively old MD2 algorithm. While the user did not experience this issue previously, it’s worth noting we had just moved to Java 7 from 6. Likely JRE 7 has disabled support for MD2 because it is considered insecure. Some quick research revealed this was the case. With the site outside of our control, a need existed for the user to be able to access the application. Instead of downgrading to Java 6, enabling MD2 support in Java 7 is a simple matter of editing the java.security file in C:\Program Files (x86)\Java\jre7\lib\security to comment out jdk.certpath.disabledAlgorithms=MD2 or simply remove the MD2 part.
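
As an added example (not part of the original post), the Python sketch below reads java.security text and reports whether the jdk.certpath.disabledAlgorithms property still rejects MD2, which is a quick way to find the workstations where this edit has been made. The sample file contents are constructed, and the function names are illustrative.

```python
PROP = "jdk.certpath.disabledAlgorithms"

def read_property(text, key):
    """Value of `key` in java.security-style text, or None if unset or commented out."""
    value, logical = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not logical and (not line or line[0] in "#!"):
            continue                      # blank line or comment
        if line.endswith("\\"):           # value continues on the next line
            logical += line[:-1]
            continue
        logical += line
        name, sep, val = logical.partition("=")
        if sep and name.strip() == key:
            value = val.strip()           # a later assignment overrides an earlier one
        logical = ""
    return value

def disabled_algorithms(text):
    """Set of algorithm names listed in the property, or None if the property is not set."""
    value = read_property(text, PROP)
    if value is None:
        return None
    # Each comma-separated entry is "<algorithm> [constraint]", e.g. "RSA keySize < 1024".
    return {entry.split()[0].upper() for entry in value.split(",") if entry.strip()}

def accepts_md2(text):
    """True when this property does not reject MD2 (line commented out or MD2 removed)."""
    algs = disabled_algorithms(text)
    return algs is None or "MD2" not in algs

def audit(configs):
    """Names from a {name: java.security text} mapping where MD2 is no longer rejected."""
    return sorted(name for name, text in configs.items() if accepts_md2(text))

# Constructed samples of the relevant java.security lines, one per edit described above.
SAMPLES = {
    "default": "# CertPath algorithm restrictions\njdk.certpath.disabledAlgorithms=MD2\n",
    "commented_out": "#jdk.certpath.disabledAlgorithms=MD2\n",
    "md2_removed": "jdk.certpath.disabledAlgorithms=RSA keySize < 1024\n",
    "multi_line": "jdk.certpath.disabledAlgorithms=MD2, \\\n    RSA keySize < 1024\n",
}

if __name__ == "__main__":
    for name in audit(SAMPLES):
        print("MD2 not rejected:", name)
```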


A Failure To Print

Posted by William Diaz on April 16, 2013


We saw a rash of complaints in one of our offices where users were unable to print to any HP printers. They would contact the helpdesk, they would delete the printer and add it back again but the issue kept returning after the initial successful print. There was no error message, but the print balloon in the notification area would not indicate a printed job was sent to the printer while at the same time the print icon appeared in the notification area showing 0 pending jobs in the print queue. In the past, I had seen this in isolated instances, and it can be resolved by:

  • First removing the printer (or printers if they share the same print driver, e.g. HP Universal Print Driver)
  • Stopping and restarting the print spooler (CMD > net stop spooler > net start spooler)
  • Opening the Print Management console (Control Panel > Administrative Tools)
  • Opening All Drivers
  • Selecting the driver package for the problem printer > right-click Remove Driver Package. This has the effect of removing the print drivers from the Windows driver file repository (64 bit Windows – C:\Windows\System32\DriverStore\FileRepository) and deleting the registry key that holds the various values for the driver package (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\HP Universal Printing PCL 5 (v5.4))
  • Reconnecting to the printer. This would download the print drivers from the print server to the file repository and install them locally into C:\Windows\System32\spool\drivers\x64.

To try and determine what was causing this to occur, I asked the local office tech to contact me when he encountered another user with the same issue so I could compare the drivers in spool\driver and the file repository folders on the problem workstation with those on a behaving workstation for the HP universal print driver package but everything looked identical. Next, I compared the registry key of the two workstations and spotted the problem.

On the problem workstation:


On the working workstation:


As a proof of concept, I deleted the data for the Dependent Files value, rebooted the workstation and was able to reproduce the issue. Manually importing the missing registry data then corrected it. The other two values affected are Help File and Monitor. The why of why this is happening is not fully known but there is some further discussion about the issue here: http://social.technet.microsoft.com/Forums/en-US/winserverprint/thread/e2acb625-027d-47a9-b4a7-1616e270bcbc/


Update

After seeing another rash of this outbreak in another office, I encountered issues trying to remove the HP Universal Printing PCL 5 (v5.4) package from the Print Management console:


Not sure why, but the print spooler hooks one of the print driver files after it restarts. To remove the hook, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\ and delete the key that corresponds to the print driver you are trying to remove, e.g. hpcpp118, stop and restart the print spooler, then remove the driver package from the Print Management Console.



Update

This should be resolved with KB3001232


Program Icons Shouldn’t Look Like System Folder Icons (and while you are at it, lets not name filenames with file extensions)

Posted by William Diaz on March 6, 2013


It confuses the users. Normal folder icon in Windows Explorer:

Then digging down into the folder the user encounters another folder:

It’s described correctly as an Application, but the average user is probably not going to distinguish the difference between a real Windows system folder icon and a program folder icon and will completely ignore the description field telling them it is an application. And so they then try to open the folder and encounter:

Ack! Then the help desk wonders, “Ok, so missing config file somewhere, right?”. Nope, it’s right there, but it has been named to BillsArchive.exe. File extensions are turned off in Explorer and no one really pays any attention to the description (right?) so they don’t notice that the filename is really BillsArchive.exe.config.

By the way, the program icon folder looks almost exactly the same as a Windows XP system folder icon:
Bottom line is program icons shouldn’t look like system folder icons. This is also a great way for malware to execute itself by simply looking like some harmless folder named “Pictures”, or whatever.
