Windows 8 Slow boot time, high disk profile and hangs at startup

I spent a long time helping to deploy Windows 8 in big enterprises, testing the new OS when it first shipped and validating application compatibility. I have played with the original Windows 8 and Windows 8.1 ISO files in many ways. I used WDS to deliver the image [Check this post], and I even created a custom image pre-loaded with corporate software [Check this post].

I thought everything was fine, until we started to hear feedback about slowness. Across 2000 sample Windows 8/8.1 machines, the feedback about slowness was so strong that we could not ignore it anymore. We identified the problem as follows:

When booting a Windows 8 or Windows 8.1 machine, after entering credentials to log on, the desktop freezes for about 3 minutes before everything suddenly starts to respond. High disk activity is also noticed from time to time. This only happens after joining the machine to the domain.

Investigation

We started to suspect that our custom Windows image was causing the slowness, so we redeployed Windows using the original ISO without any modification. This did not help.

We then suspected the large number of group policies the corporation has. The AD team consolidated them so that, instead of applying corporate settings through 25 group policies, they were reduced to 8. This did not help either.

Logs were clean; nothing was crashing. We suspected that the antivirus was causing the slowness, or even the data loss prevention solution deployed to workstations. Another dead end; the problem did not go away.

One interesting fact is that the slowness only appears after joining the machine to the domain. We did the following to understand why:

– We created an OU in AD called “Investigating Slowness”.

– We applied Block Inheritance on that OU, to prevent any group policy from being applied to machines under that OU.

– We created a computer account called (Machine1) under that OU, then formatted a new machine with the same name and joined it to the domain.

– We confirmed that the slowness was not happening so far, even after joining the machine to the domain. So we suspected a group policy setting.

– We started to link one group policy at a time to the “Investigating Slowness” OU, rebooting the machine each time and checking whether the slowness appeared.

– Finally we found the cause of the problem!
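
The isolation test above, scripted as an added example (not part of the original post) with the ActiveDirectory and GroupPolicy PowerShell modules. It assumes a domain-joined admin workstation with RSAT installed; the OU and computer names are the ones used in the post, and the loop links every GPO in the domain one at a time.

```powershell
# Reproduce the isolation test: an OU with inheritance blocked, a pre-staged
# computer account, then the domain's GPOs linked one at a time with a pause
# to reboot the test machine and check for the freeze.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$ouName   = 'Investigating Slowness'
$domainDN = (Get-ADDomain).DistinguishedName
$ouDN     = "OU=$ouName,$domainDN"

# Steps 1-2: the OU, with Block Inheritance so no existing policy reaches it
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" -SearchBase $domainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $false
}
Set-GPInheritance -Target $ouDN -IsBlocked Yes | Out-Null

# Step 3: pre-stage Machine1 here so the freshly installed box lands in this OU when it joins
if (-not (Get-ADComputer -LDAPFilter '(name=Machine1)' -SearchBase $ouDN)) {
    New-ADComputer -Name 'Machine1' -Path $ouDN -Enabled $true
}

# Step 4: confirm the starting point is "no policy at all"
$inh = Get-GPInheritance -Target $ouDN
"Inheritance blocked: $($inh.GpoInheritanceBlocked); GPOs linked: $($inh.GpoLinks.Count)"

# Step 5: link one GPO at a time and wait for the reboot/logon test after each
foreach ($gpo in (Get-GPO -All | Sort-Object DisplayName)) {
    New-GPLink -Name $gpo.DisplayName -Target $ouDN -LinkEnabled Yes | Out-Null
    $answer = Read-Host "Linked '$($gpo.DisplayName)'. Reboot Machine1 and log on; type SLOW if the freeze appeared, Enter if not"
    if ($answer -eq 'SLOW') {
        "Suspect policy: $($gpo.DisplayName)"
        # Dump its settings for review; in the post this is where the BranchCache
        # settings (service Automatic, Distributed Cache mode) turned up
        $safe = $gpo.DisplayName -replace '[\\/:*?"<>|]', '_'
        Get-GPOReport -Guid $gpo.Id -ReportType Html -Path "$env:TEMP\$safe.html"
        break
    }
}
```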

Solution

The reason behind the slowness is simply the BranchCache policy applied via group policy. The policy sets the BranchCache service to Automatic and configures Distributed Cache mode.

I had read about the enhancements in BranchCache for Windows 8 and Windows 8.1, and it was a big shock to learn that the slowness was caused by BranchCache in Distributed Cache mode.

Anyway, after removing that group policy, machines operate faster and no longer freeze after booting and signing in.

Windows 8.1 AD Based Activation “Invalid product key or license mismatch” error

I was trying to add a Windows 8.1 key to Active Directory that day using the Volume Activation Management Tool (VAMT) to enable AD-based activation, and I got the “Invalid product key or license mismatch” error when trying to add the Windows 8.1 KMS key using AD-based activation.

A quick search turned up this hotfix from Microsoft, http://support.microsoft.com/kb/2885698/en-us, titled “Update adds support for Windows 8.1 and Windows Server 2012 R2 clients to Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012 KMS hosts”. Installing the fix on the server where VAMT is installed solved the issue and saved the day!

Local System, Local Service and Network Service

I have been asked once what the differences are between Local Service, Local System and Network Service.

Well, Network Service is the least powerful context on the local machine. Local System and Local Service have administrative rights on the local machine.

So what are the differences?

Things get interesting when we look at which identity is used when accessing network resources…

Local System will use the machine account when accessing network resources, while Local Service will use Anonymous. This is only the case if Kerberos is used. If NTLM is used, then both Local System and Local Service will use Anonymous.

Network Service, on the other hand, will always use the machine account for network resource access.

UAC in Windows 7

Why is there UAC?

I will be talking today about User Account Control (UAC), as most IT professionals don’t know the direct benefit of UAC.

The most basic element and direct benefit of UAC is to make users run as standard users instead of administrators, simply making Windows more standard-user friendly. UAC is not a malware protection mechanism, as most people think it is.

Before UAC, in Windows XP, changing the time zone (actually, even looking at the time zone with the time/date control panel applet) required administrative rights. That is because Windows XP doesn’t differentiate between changing the time, which is a security-sensitive operation, and changing the time zone, which merely affects the way the time is displayed.

In Windows 7, changing the time zone isn’t an administrative operation, and the time/date control panel applet separates administrative operations from standard user operations. Windows 7 goes further, making things like refreshing the system’s IP address, using Windows Update to install optional updates and drivers, changing the display DPI, and viewing the current firewall settings accessible to standard users.

When UAC is enabled, all user accounts, including administrative accounts, run with standard user rights. When you log on to your machine using an administrative account, you are given two access tokens (a standard token and an admin token). You use the standard token until you need to perform an action that requires administrative privilege. This is when elevation happens and you start using your admin token.

This also means that application developers must consider the fact that their software won’t have administrative rights by default. This should remind them to design their applications to work with standard user rights. If the application, or part of its functionality, requires administrative rights, it can leverage the elevation mechanism to let the user unlock that functionality.

Finally, elevation prompts also provide the benefit that they “notify” the user when software wants to make changes to the system and give the user an opportunity to prevent it. Many people believe that these elevation or consent prompts look and smell like a security feature and that they can prevent malware from gaining administrative rights. This is not true.

Why Secure Desktop?

As we have stated, the primary purpose of elevation is not security; it is convenience. If users had to switch accounts to perform administrative operations, either by logging in to or Fast User Switching to an administrative account, most users would switch once and not switch back.

The main reason for switching to a different, secure desktop for the prompt is that standard user software cannot spoof the elevation prompt. The alternate desktop is called a “secure desktop” because it is owned by the system rather than the user.

What’s different in Windows 7

Users (mainly IT people) can now execute more tasks with fewer prompts! This is done by introducing two new UAC operating modes, selectable in a new UAC configuration dialog.

The default level prompts the user only when a non-Windows executable asks for elevation. This means you can do most of your management tasks without elevation prompts!

The next slider position down is the second new setting and has the same label with (do not dim my desktop) appended to it. The only difference between that and the default mode is that prompts happen on the user’s desktop rather than on the secure desktop.

The bottom slider position turns off UAC technologies altogether, and the top setting (Always Notify) is identical to the Vista UAC mode, which always prompts for elevation.
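
As an added example (not from the original post), this PowerShell function reads the three registry values behind the Windows 7 UAC slider and names the position described above that they correspond to. The value names are the real UAC policy values; the mapping of value combinations to slider positions is this example's assumption about Windows 7 behaviour.

```powershell
# Reads the UAC policy values that back the Windows 7 slider and reports which of
# the four slider positions they match. A missing value is treated as the OS default.
function Get-UacSliderLevel {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $v = Get-ItemProperty -Path $key

    # EnableLUA 0 = UAC disabled entirely (the Windows 7 "Never notify" position)
    $enableLua = if ($null -eq $v.EnableLUA) { 1 } else { [int]$v.EnableLUA }
    # ConsentPromptBehaviorAdmin: 2 = always prompt, 5 = prompt for non-Windows binaries only
    $consent   = if ($null -eq $v.ConsentPromptBehaviorAdmin) { 5 } else { [int]$v.ConsentPromptBehaviorAdmin }
    # PromptOnSecureDesktop: 1 = prompt on the system-owned secure desktop, 0 = on the user desktop
    $secure    = if ($null -eq $v.PromptOnSecureDesktop) { 1 } else { [int]$v.PromptOnSecureDesktop }

    if ($enableLua -eq 0) {
        $level = 'Never notify: UAC off, administrators always run with the full token'
    } elseif ($consent -eq 2 -and $secure -eq 1) {
        $level = 'Always notify: Vista behaviour, every elevation prompts on the secure desktop'
    } elseif ($consent -eq 5 -and $secure -eq 1) {
        $level = 'Default: prompt only for non-Windows executables, on the secure desktop'
    } elseif ($consent -eq 5 -and $secure -eq 0) {
        $level = 'Default (do not dim): prompt on the user desktop, which standard user software could spoof'
    } else {
        $level = 'Custom combination set by policy, not a slider position'
    }

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $consent
        PromptOnSecureDesktop      = $secure
        SliderLevel                = $level
    }
}

Get-UacSliderLevel | Format-List
```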


By Ammar Hasayen Posted in Windows

Mapped Drives in VISTA

I would kindly like to share this with you, as I had a hard time trying to figure it out…

Problem:

I have my Documents folder mapped to a network drive, Z:\documents. I tried to install an application and got (Error 1327. Invalid Drive: Z:\).

Explanation:

When you log on to Vista and you are a member of Administrators, you have two tokens (a regular user token and an administrator token). Mapped drives are created using the regular user token. Keep in mind that MSI usually checks for access to the Documents folder.

When you install an application, you are prompted by UAC. When you click (Continue) on the UAC prompt, your administrator token is used to handle the installation. The administrator token is not aware of mapped drives (as they were created using the regular user token), so this error occurs.

Solution

1. Right-click Command Prompt in the Start Menu and select Run As Administrator.

2. Type “Net Use z: \\servershare\shares$\username\”

3. Exit the command prompt.

Essentially you map it once for the user and once for the administrator.
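
An added example (not from the original post) that makes the two-token behaviour visible: saved as a script and run once from a normal PowerShell window and once from one started with Run as administrator, it reports whether the current token can see Z: and maps it if not. The UNC path is a placeholder to replace with your own share.

```powershell
# Checks which token this session runs under and maps Z: if that token cannot see
# it. Each token keeps its own drive-letter table, so a drive mapped from the
# standard token is invisible to the elevated installer, and vice versa.
param([string]$Share = '\\SERVER\shares$\username')   # placeholder UNC path

function Test-Elevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Connect-ZDrive {
    param([string]$Unc)
    $token = if (Test-Elevated) { 'administrator token' } else { 'standard user token' }

    # "net use Z:" exits 0 only when this token already has Z: mapped
    $null = net use Z: 2>&1
    if ($LASTEXITCODE -eq 0) {
        "Z: is already visible to the $token"
        return
    }

    "Z: is not visible to the $token; mapping $Unc"
    net use Z: $Unc /persistent:yes
    if ($LASTEXITCODE -ne 0) { throw "net use failed with exit code $LASTEXITCODE" }
}

Connect-ZDrive -Unc $Share
```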

By Ammar Hasayen Posted in Windows

Vista - Managing Wireless Connections using “NETSH WLAN”

The flexibility of the netsh command when it comes to managing wireless connections in Vista is amazing. You can play with the wireless configuration: export, import, delete, etc., all from the netsh wlan command.

  • To add a wireless profile:

NETSH wlan add profile filename="C:\Users\WirelessUser\Documents\profile1.xml" Interface="Wireless Network Connection"

  • Delete a wireless profile:

NETSH wlan delete profile name="Profile 1" interface=*

  • Connect to a wireless network:

NETSH wlan connect ssid=SSID1 name=Profile1

NETSH wlan connect ssid=SSID2 name=Profile2 interface="Wireless Network Connection"

  • Disconnect from a wireless network:

NETSH wlan disconnect

  • Export a wireless profile to XML:

NETSH wlan export profile folder=C:\ Name="MYSSID" interface=*

  • Show commands:
    1. NETSH wlan show all
    2. NETSH wlan show interfaces
    3. NETSH wlan show networks
    4. NETSH wlan show profiles
    5. NETSH wlan show settings
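
An added example (not from the original post) that wraps the export and add commands above into a backup-and-restore pair. It assumes English netsh output, where each saved profile appears on an "All User Profile : <name>" line of `netsh wlan show profiles`; the folder paths are placeholders.

```powershell
# Export every saved wireless profile to XML, and re-import a folder of profiles
# on another machine. Without key=clear the exported XML carries the network key
# in protected form only, so the backup folder does not expose passphrases.
function Export-WlanProfiles {
    param([string]$Folder = "$env:USERPROFILE\Documents\WlanProfiles")
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null

    # Parse profile names out of the "All User Profile     : <name>" lines (English output assumed)
    $names = netsh wlan show profiles | ForEach-Object {
        if ($_ -match '^\s*All User Profile\s*:\s*(.+)$') { $Matches[1].Trim() }
    }

    foreach ($name in $names) {
        netsh wlan export profile name="$name" folder="$Folder" | Out-Null
    }
    Get-ChildItem -Path $Folder -Filter '*.xml'
}

function Import-WlanProfiles {
    param([string]$Folder)
    foreach ($file in Get-ChildItem -Path $Folder -Filter '*.xml') {
        # user=all makes the profile available to every account on the machine
        netsh wlan add profile filename="$($file.FullName)" user=all
    }
}

# Back up on the source machine; run the second line on the target machine
Export-WlanProfiles -Folder 'C:\Temp\WlanProfiles'
# Import-WlanProfiles -Folder 'C:\Temp\WlanProfiles'
```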

Looking for more information?

By Ammar Hasayen Posted in Windows

Daylight saving Time

Daylight saving time (DST), also known as summer time or daylight savings time, is a widely used system of adjusting the official local time forward, usually by one hour from its official standard time, for the summer months. This is intended to provide a better match between the hours of daylight and the active hours of work and school. The “saved” daylight is spent on evening activities which get more daylight, rather than being “wasted” while people sleep past dawn.

Some countries, like Chile, Brazil and Egypt, adopt variable Daylight Saving Time (DST) dates. The start and end dates change every year following government decisions.

As a result, users in these countries experience inconvenience with their Outlook meetings and appointments being off by one hour. Every year, we receive numerous calls from stations reporting such behavior.

I will explain why the issue happens as well as how to minimize the impact for Outlook users.

Please refer to this document:

http://cid-ba1d6ca135b53932.skydrive.live.com/self.aspx/Public/Share%20Technical%20Knowledge/DayLight%20Saving.doc

By Ammar Hasayen Posted in Windows

Convert your Vista Machine to VHD!

I liked the option that Windows Vista offers via Complete PC Backup, available in the Vista Control Panel >> Backup.

This lets you convert your machine to a VHD file. Well, this VHD is not bootable (i.e. you cannot boot it using Microsoft Virtual PC 2007), but you can add it as a secondary disk and view its contents from there. Or you can use it via the recovery console, by booting your Vista machine into the Recovery console and using Complete PC Restore.

What would be great is if we could use this VHD on another machine by booting it in recovery mode, using Complete PC Restore and pointing to this VHD file, thus migrating a complete Vista machine from one piece of hardware to another!

If someone could view this VHD offline and add the required boot files, it might become a bootable VHD that you could carry on your own USB drive (you would then have your Vista machine roaming on your own USB!). Adding to this, in case the USB drive is lost, important files should be encrypted using a smart card EFS certificate or another encryption tool.

From there, you can imagine how virtualization can be used!

VISTA BOOT PROCESS

Introduction

I’m writing this paper to show the big difference Microsoft Windows Vista introduces in the boot process. For system administrators to support and maintain Windows Vista, they should know a little about the boot process, in order to troubleshoot startup problems and possibly run multiple operating systems on the same box. This writing shows only the headlines of this subject, but it will definitely help you become familiar with the boot process and the new standards Vista utilizes.

When you first boot your machine (turn it on), the machine’s BIOS loads into memory, performs some hardware checks and then starts searching for connected disks or media (e.g. you configure the BIOS to boot from a bootable CD first).

If the boot order in the BIOS is configured to boot first from disks, then a boot disk is chosen and the Master Boot Record (MBR) on the system (Active) partition is loaded. The MBR then continues from here to locate operating systems and optionally display a boot menu to the interactive user.

This was the case for a long time, and this sequence is known as the PC BIOS standard boot sequence.

So, things are good so far: you turn on your machine and, believe it or not, it really boots! So what’s new?

During the development of the first Intel-HP Itanium system in the mid 1990s, PC BIOS limitations were seen as clearly unacceptable for the large server platforms Itanium was targeting. The initial effort to address these concerns was called the Intel Boot Initiative and was later renamed EFI (Extensible Firmware Interface).

So now we have this new EFI specification. The rest is boring: EFI specification 1.02 was released by Intel in December 2000 and then released in mid 2002 as EFI 1.10. Now the EFI Forum is responsible for this standard, and the standard is sometimes named Unified EFI.

In summary, we have the old PC BIOS method of booting and now the new EFI method of booting, which is more advanced and allows more flexibility. Believe it or not, Vista now supports this new EFI specification.

PC BIOS Boot method in Vista

First, when the computer is switched on, the BIOS is loaded. Then the MBR of the boot disk, which can be a hard drive or external media, is accessed, followed by the boot sector of the drive or of the relevant hard disk partition. For Windows Vista, the boot sector loads the Windows Boot Manager (filename: Bootmgr), which accesses the Boot Configuration Data store and uses the information to load the final stage, the operating system.

So the first step in the boot process is the BIOS, which discovers all connected media and disks and chooses the appropriate boot media or disk according to the boot order configured in the BIOS. If the boot process is to start from a disk, then it is the function of the BIOS to search for a bootable hard disk. Once found, the BIOS hands the boot process to the hard disk’s MBR.

Master Boot Record (MBR)

A Master Boot Record (MBR), or partition sector, is the 512-byte boot sector that is the first sector (“Sector 0”) of a partitioned data storage device such as a hard disk.

Think of this half KB of data as the person who knows everything about the hard disk and uses this information to handle the boot process. The MBR maintains a table of the partitions existing on this disk. The MBR also holds the Disk Signature.

Disk signatures are a way for operating systems to differentiate disks, for example in a RAID configuration. When you connect a secondary hard disk to your machine, Windows detects the new disk and asks you to initialize it. Initializing a hard disk involves stamping it with a unique signature.

As mentioned before, the MBR contains the partition table (which can have a maximum of four entries, so you can have at most four primary partitions, although you can configure the last primary partition as an extended partition to hold embedded logical partitions). The MBR then looks for the partition flagged as Active (the system partition).

Windows Boot Manager and BCD

Once the active partition is located, the MBR invokes the Partition Boot Record (PBR), which looks for the Windows Boot Manager, which in turn queries the Boot Configuration Data (BCD). In Windows Vista, the Windows Boot Manager and Boot Configuration Data are the replacement for NTLDR.

So the MBR looks for the active partition and kicks off the Windows Boot Manager, which stores its information in something called the BCD.

The Boot Manager reads its configuration from the BCD and displays the boot menu to the user. Boot Configuration Data is the replacement for boot.ini and is stored in \boot\bcd on the system partition.

Boot Configuration Data may be altered using a command-line tool (bcdedit.exe) or by using Windows Management Instrumentation.

Boot Configuration Data contains the menu entries presented by the Windows Boot Manager, just as boot.ini contained the menu entries presented by NTLDR. These menu entries can include:

  • Options to boot Windows Vista by invoking winload.exe.

  • Options to resume Windows Vista from hibernation by invoking winresume.exe.

  • Options to boot a prior version of Windows NT by invoking its NTLDR.

  • Options to load and execute a Volume Boot Record.

Boot Configuration Data allows for third-party integration, so anyone can implement tools like diagnostics or recovery options.

WINLOAD.EXE

winload.exe is the operating system boot loader. It is invoked by the Windows Boot Manager to load the operating system kernel (ntoskrnl.exe) and boot-class device drivers, and in that respect it is functionally equivalent to the operating system loader functionality of NTLDR in prior versions of Windows NT.

Disk Signature

The way the Vista boot process handles the disk signatures of the hard disks connected to the box is very interesting. In previous NT operating systems, the integrity of the disk signature was in most situations not crucial for ntldr to initiate the Windows boot process.

With Vista, on the other hand, if the signature has changed or can’t be found, then the successor of ntldr, bootmgr, halts before Windows is started with the error “winload.exe … is missing or corrupt”. It is an inaccurate and misleading error message, because winload.exe itself has not actually moved or changed. If I alter one digit of the signature I get the winload.exe error; if I change it back again, Vista boots as before.

Both ntldr and bootmgr first have to identify which hard drive they should look on. ntldr does this with the aid of the boot.ini file, which lists the hard drives by number in the same order as the computer’s BIOS sees them. ntldr consults boot.ini for the number of the drive it wants and then checks the BIOS to find the location of that drive. In Vista, the BCD store does not list hard drives by number at all, but rather by their unique disk signature. When bootmgr queries the BCD for the drive it wants, it is told the disk signature of that drive, so it scans the connected drives until it finds the one with that signature. If no match is found, bootmgr cannot continue to look for the Vista boot loader (winload.exe) and hence displays the error message that winload.exe … is missing or corrupt.
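
An added example (not from the original post) that decodes the parts of sector 0 the MBR and Disk Signature sections describe: the 4-byte disk signature at offset 0x1B8, the four 16-byte partition entries at 0x1BE with their Active flag, and the 0x55AA end marker. The 512 bytes are constructed inline with a made-up signature, so it runs offline on PowerShell 3.0 or later; the last step alters one signature byte to show why bootmgr's lookup by signature can fail while the partition table is untouched.

```powershell
# Constructed 512-byte MBR standing in for a real sector 0: zeroed boot code, a
# sample disk signature, one active NTFS partition entry and the 0x55AA end marker.
$mbr = New-Object byte[] 512
# Disk signature: 4 bytes, little-endian, at offset 0x1B8 (value 0x12345678, constructed)
[Array]::Copy([byte[]](0x78, 0x56, 0x34, 0x12), 0, $mbr, 0x1B8, 4)
# Partition entry 1 at 0x1BE: 0x80 = active, CHS start, type 0x07 (NTFS), CHS end,
# start LBA 2048 (00 08 00 00), length 204800 sectors (00 20 03 00)
$entry = [byte[]](0x80, 0x20, 0x21, 0x00, 0x07, 0xFE, 0xFF, 0xFF,
                  0x00, 0x08, 0x00, 0x00, 0x00, 0x20, 0x03, 0x00)
[Array]::Copy($entry, 0, $mbr, 0x1BE, 16)
$mbr[510] = 0x55; $mbr[511] = 0xAA

function Read-Mbr {
    param([byte[]]$Sector)
    if ($Sector.Length -ne 512) { throw 'An MBR is exactly 512 bytes' }
    if ($Sector[510] -ne 0x55 -or $Sector[511] -ne 0xAA) { throw 'Missing 0x55AA boot signature' }

    $partitions = @()
    for ($i = 0; $i -lt 4; $i++) {                  # the table holds at most four entries
        $off = 0x1BE + 16 * $i
        if ($Sector[$off + 4] -eq 0) { continue }   # type 0x00 = unused slot
        $partitions += [pscustomobject]@{
            Entry    = $i + 1
            Active   = ($Sector[$off] -eq 0x80)     # the flag the MBR code looks for
            Type     = '0x{0:X2}' -f $Sector[$off + 4]
            StartLba = [BitConverter]::ToUInt32($Sector, $off + 8)
            Sectors  = [BitConverter]::ToUInt32($Sector, $off + 12)
        }
    }
    [pscustomobject]@{
        DiskSignature = '0x{0:X8}' -f [BitConverter]::ToUInt32($Sector, 0x1B8)
        Partitions    = $partitions
    }
}

$info = Read-Mbr -Sector $mbr
"Disk signature: $($info.DiskSignature)"
$info.Partitions | Format-Table -AutoSize

# Flip one byte of the signature: the partition table is untouched, but the value
# the BCD uses to find this disk no longer matches, which is the situation behind
# the misleading "winload.exe is missing or corrupt" message described above.
$mbr[0x1B8] = 0x79
"After altering one byte: $((Read-Mbr -Sector $mbr).DiskSignature)"
```

To inspect a real disk, read its first 512 bytes from an elevated session and pass them to Read-Mbr; compare the signature with the device identifier shown by bcdedit for the Windows entry.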

 

Note 1: Only non-version-specific components are stored in the root of the active partition. This means that theoretically Windows Vista could be installed on a machine running some future Windows version with the same boot structure, and it would not break the boot process for that future version. With legacy Windows, installing an older Windows version last causes the newer version to fail on start-up. This is due to version-specific code improvements in Ntldr.

VISTA MBR Integrity

On systems that have BIOS firmware, Windows Vista and earlier versions of the Microsoft Windows® operating system install an MBR during setup of the operating system. For earlier versions of Windows, some system manufacturers provide additional tools and experiences by installing an OEM-specific MBR to “hook” the boot process. For example, an OEM-specific MBR might jump to an OEM-specific hidden partition that contains the manufacturer’s boot applications when the user presses a particular key during the BIOS phase of boot.

Microsoft recommends not replacing the MBR with any hardware-specific one. BitLocker, for example, uses an integrity check that validates the MBR hash values to make sure it has not changed since the last reboot. Windows recovery tools can repair a hard disk by replacing the MBR with a new one. To address those issues, Vista supports the ability to define actions to perform in response to a keyboard scan code received during boot.

More Info

  • EFI Standard: http://en.wikipedia.org/wiki/Extensible_Firmware_Interface

  • GPT Disk Format: http://en.wikipedia.org/wiki/GUID_Partition_Table

  • Boot Configuration Data: http://technet2.microsoft.com/windowsserver2008/en/library/85cd5efe-c349-427c-b035-c2719d4af7781033.mspx?mfr=true