
Saturday, April 11, 2015

McAfee Security Center Won't Stay the **** Out of My Computer

McAfee's suite of antivirus services have come pre-installed on Windows computers for a long time. I can't speak to how efficient or not efficient their antivirus is, because I have not used it in any real capacity for any length of time. What I have done is struggle to completely remove all of the components of their software package when I want to keep the version of Windows that came with the computers I purchased.

I recently picked up a new laptop with Windows 8.1 - my first time using this version of Windows for a laptop. I was dismayed to find McAfee pre-installed, as I knew it meant having to waste time getting rid of it.

I will say this for them - they have gotten better since the last time I went through this many years ago. Better, as in uninstalling using the utility provided by McAfee did not break vital parts of the Windows operating system. Great would be if the uninstaller actually removed all of McAfee's software from the computer. Good would be if the software that was left didn't connect to the internet.

Specifically, what gets left behind is the McAfee Update Manager, a utility designed to download applications from the McAfee corporate servers and install those applications on your computer with minimal human intervention.

Registry key & path of the remaining McAfee executables

Notice the registry keys that are created:

[AddRegEntry]

HKLM,Software\McAfee\UPDMGR\InstallSettings,"Install Dir",,"%45001%"
HKLM,Software\McAfee\UPDMGR\InstallSettings,"Install Dir",0x00001000,"%45001%"
HKLM,Software\McAfee\UPDMGR\InstallSettings,"Version",,"3.0.225.1"
HKLM,Software\McAfee\UPDMGR\InstallSettings,"Version",0x00001000,"3.0.225.1"

[ObfuscatedRegEntry]

HKLM,Software\McAfee\UPDMGR,"DownloadDomain",,"download.mcafee.com"
HKLM,Software\McAfee\UPDMGR,"DownloadDomain",0x00001000,"download.mcafee.com",0x00001000
HKLM,Software\McAfee\UPDMGR,"InitialPingUrl",,"https://consumerapps.mcafee.com/mantle/1.0.0.0/"
HKLM,Software\McAfee\UPDMGR,"InitialPingUrl",0x00001000,"https://consumerapps.mcafee.com/mantle/1.0.0.0/",

I haven't had time to look into how the application is obfuscating its registry entries, but they are in fact obfuscated:

Note the gobble-dee-gook
https://consumerapps.mcafee.com/mantle/1.0.0.0/ appears to provide a RESTful interface for application requests.

I decompiled a few of the DLLs in the directory; nothing stood out. Unfortunately, the EXEs crashed the one 64-bit decompiler I currently have for Intel instruction sets (C4Decompiler). As a result I cannot guarantee exactly what these programs are up to. That said, to sum up our findings, given what we have seen there is a fairly strong case that this set of programs can do the following:

    - Download other applications from remote servers hosting download.mcafee.com and consumerapps.mcafee.com
    - It is likely these applications can install the software they download without user approval, at least in some circumstances
    - The Update Manager leaves a substantial number of registry entries behind following a complete uninstallation and reboot of everything McAfee related.
    - Fortunately, following uninstallation there do not appear to be any services left behind.
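As an added example (my own code, not McAfee's and not from the original post), here is a small Python parser for the INF AddReg-style lines quoted above. It lists the registry values the leftover Update Manager writes and pulls out every remote host those values name, which is the first thing I want from an audit of any "uninstalled" component that still carries network settings. The sample input is the post's own lines embedded as a constructed string; 0x00001000 is read as the INF AddReg 64-bit-view flag (FLG_ADDREG_64BITKEY).

```python
import csv
import re
from urllib.parse import urlparse

# Constructed sample: the [AddRegEntry] / [ObfuscatedRegEntry] lines quoted in the
# post, in INF AddReg syntax:  root,subkey,value-name,flags,value[,extra]
SAMPLE_INF = r'''
[AddRegEntry]
HKLM,Software\McAfee\UPDMGR\InstallSettings,"Install Dir",,"%45001%"
HKLM,Software\McAfee\UPDMGR\InstallSettings,"Install Dir",0x00001000,"%45001%"
HKLM,Software\McAfee\UPDMGR\InstallSettings,"Version",,"3.0.225.1"
HKLM,Software\McAfee\UPDMGR\InstallSettings,"Version",0x00001000,"3.0.225.1"

[ObfuscatedRegEntry]
HKLM,Software\McAfee\UPDMGR,"DownloadDomain",,"download.mcafee.com"
HKLM,Software\McAfee\UPDMGR,"DownloadDomain",0x00001000,"download.mcafee.com",0x00001000
HKLM,Software\McAfee\UPDMGR,"InitialPingUrl",,"https://consumerapps.mcafee.com/mantle/1.0.0.0/"
HKLM,Software\McAfee\UPDMGR,"InitialPingUrl",0x00001000,"https://consumerapps.mcafee.com/mantle/1.0.0.0/",
'''

FLG_ADDREG_64BITKEY = 0x00001000   # INF AddReg flag: write to the 64-bit registry view
URL_RE = re.compile(r'^https?://', re.I)
# A DNS name: dotted labels whose last label is alphabetic (so "3.0.225.1" is not one)
HOST_RE = re.compile(r'^[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}$', re.I)


def parse_addreg(text):
    """Turn AddReg-style lines into registry entry records.

    Fields may be quoted, the flags field may be empty, and a line may carry a
    trailing extra field (both forms appear in the post's listing)."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1]
            continue
        fields = next(csv.reader([line], skipinitialspace=True))
        fields += [''] * (5 - len(fields))             # pad short lines
        root, subkey, name, flags, value = fields[:5]
        flag_bits = int(flags, 16) if flags else 0
        entries.append({
            'section': section,
            'path': root + '\\' + subkey,
            'name': name,
            'flags': flag_bits,
            'view': '64-bit' if flag_bits & FLG_ADDREG_64BITKEY else 'default',
            'value': value,
        })
    return entries


def remote_endpoints(entries):
    """Map each host named by a URL- or DNS-looking value to the registry
    values that reference it."""
    found = {}
    for e in entries:
        value = e['value']
        if URL_RE.match(value):
            host = urlparse(value).hostname
        elif HOST_RE.match(value):
            host = value.lower()
        else:
            continue
        found.setdefault(host, set()).add(e['path'] + '\\' + e['name'])
    return {h: sorted(refs) for h, refs in sorted(found.items())}


def summarize(text):
    """What an auditor wants at a glance: how many values are written, which
    distinct (key, name) pairs they cover, and which remote hosts they name."""
    entries = parse_addreg(text)
    return {
        'entry_count': len(entries),
        'distinct_values': sorted({(e['path'], e['name']) for e in entries}),
        'endpoints': remote_endpoints(entries),
    }


if __name__ == '__main__':
    report = summarize(SAMPLE_INF)
    for path, name in report['distinct_values']:
        print(f'{path}\\{name}')
    for host, refs in report['endpoints'].items():
        print(f'{host}  <- {", ".join(refs)}')
```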

The bottom line is that at this point in the game ditching the factory-installed Operating System is a requirement for those who want to actually know what is on their computer. This can be cost-prohibitive with some Windows licensing arrangements or those not as familiar with how to install an OS, especially since most manufacturers no longer include driver disks with their computers. Stop loading up computers with spy & adware OEMs!

Monday, March 23, 2015

Windows 8.1 Error 80200056 after installing update KB2267602

Recently I noticed some strange behavior while launching an update through Windows 8.1's 'metro' menu. I launched the Computer Settings app to run the update, which was a definitions update for Windows Defender (KB2267602).

The Update settings were configured to prompt prior to download & installation. This was the first task launched after awaking the computer from a Sleep state. The computer is not a virtual machine.

With Windows 8 and 8.1 the first places to look for Update failures are in the files C:\Windows\WindowsUpdate.log and C:\Windows\SoftwareDistribution\ReportingEvents.log - for those still unfamiliar with navigating the newer Windowses, you can reach a Run prompt to open these files using copy + paste by hitting the Window key and "R" key at the same time. 

The relevant entry of the ReportingEvents.log file shows me what Error 80200056 means in the most basic sense - the update failed to download; as opposed to failing to install.

{C7C93C12-61E3-4998-9EBD-B448C62540A4} 2015-03-23 19:39:34:484-0400 1 161 [AGENT_DOWNLOAD_FAILED] 101 {FD8A47F9-2E75-4763-AE52-777D471C87C8} 201 80200056 AutomaticUpdatesWuApp Failure Content Download Error: Download failed.

Right away my first instinct is a networking problem related to the sleep state. Going back to the Run prompt, I type `eventvwr` to bring up the Event Viewer log entries. I expand the Windows Log icon in the left navigation pane and select the System folder. A few seconds after the failed content download I see this:

The browser has forced an election on network \Device\NetBT_Tcpip_{D03DC1BF-134A-4B75-B8F2-CD9086B301E1} because a master browser was stopped.

This would seem to confirm that there was in fact a networking issue; one relating to the always-disruptive Computer Browser service. The computer this issue occurred on does in fact reside on a network with a number of other Windows computers. The computer was also part of a homegroup. It was unlikely that any of the Windows computers had modified default LMHOSTS / NetBIOS over TCP/IP settings beyond configuration of the Homegroup.

This is a very long-winded blog post for what ended up being a very brainless solution. I launched the update service through the Control Panel in the Desktop user interface as opposed to the Metro user interface and the update completed successfully. Because my logs show that a Browser election was forced and successfully completed seconds after the download failure, it is likely a retry within Metro would have worked as well.

Still, there is a reason why I described the issue in this much detail: there seems to be a great deal of misunderstanding about this error and what is needed to resolve it.

First and foremost, Error 80200056 only indicates a download failure for Windows updates - not a permissions failure, and it is not what I would describe as a warning sign of malware infection. It's possible, I suppose, that a compromised host could display this error, but it is highly unlikely to be the only problem with a host that has been compromised through the updates system - a number of other symptoms, like BITS and certificate trust issues, are likely to occur as well. Quite a few of the articles I have seen on this issue on the internet are hysterical in their screams of "It's a virus!" when this issue comes up - even in paid technical support pages.

I have also seen incorrect explanations of KB2267602, where "technicians" describe this update as a one-time package. In at least one webpage I saw, a technician told a user that since KB2267602 was a package that "should have" been installed 9 months ago, likely the last 9 months of updates were corrupted, instead of a single virus definition. This claim is outrageous. Systems using Windows Defender should see regular downloads of KB2267602 in their Update History. Individual definition files can be told apart by their definition signature. The distinction is obvious:

Windows Defender Definition Update Logs
If this issue is caught quickly, C:\Windows\WindowsUpdate.log should display a very detailed transaction history for Windows Update. If reviewing an older Update failure, older copies of this transaction log can be saved in subdirectories of C:\ProgramData\Microsoft\Windows\WER\ReportQueue\ - the exact subdirectory can be found by consulting Event Viewer. The relevant log will be reported as Event ID 1001 from source Windows Error Reporting and will look like this:

Fault bucket , type 0
Event Name: WindowsUpdateFailure2
Response: Not available
Cab Id: 0

Problem signature:
P1: 7.9.9600.17489
P2: 80200056
P3: FD8A47F9-2E75-4763-AE52-777D471C87C8
P4: Download
P5: 101
P6: Unmanaged {9482F4B4-E343-43B6-B170-9A65BC822C77}
P7: 0
P8:
P9:
P10:

Attached files:
C:\Windows\WindowsUpdate.log
C:\Windows\SoftwareDistribution\ReportingEvents.log

These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_7.9.9600.17489_60820ed604236fc9285c92356031cd8da6466_00000000_cab_164a6aea

Analysis symbol:
Rechecking for solution: 0
Report Id: deccbe22-d1b5-11e4-8269-c7e81028dc3b
Report Status: 4


The "These files may be available here:" directory will include a copy of the relevant WindowsUpdate.log. For this error, the transaction report should provide quite a bit of detail about what was going on with the Update Service through the time of the failure:

19:39:34:015  892 191c AU #############
2015-03-23 19:39:34:015  892 191c AU ## START ##  AU: Download updates
2015-03-23 19:39:34:015  892 191c AU #########
2015-03-23 19:39:34:015  892 191c AU   # Approved updates = 1
2015-03-23 19:39:34:015  892 191c AU WARNING: Failed to get Wu Exemption info from NLM, assuming not exempt, error = 0x80070490
2015-03-23 19:39:34:015  892 191c IdleTmr Incremented idle timer priority operation counter to 2
2015-03-23 19:39:34:031  892 191c AU AU initiated download, updateId = {FD8A47F9-2E75-4763-AE52-777D471C87C8}.201, callId = {D9E27348-F835-47F4-8C48-7F6F84A58614}
2015-03-23 19:39:34:031  892 18b0 DnldMgr ***********  DnldMgr: Begin Downloading Updates [CallerId = AutomaticUpdatesWuApp]  ***********
2015-03-23 19:39:34:031  892 18b0 DnldMgr   * Call ID = {D9E27348-F835-47F4-8C48-7F6F84A58614}
2015-03-23 19:39:34:031  892 18b0 DnldMgr   * Priority = 3, NetworkCostPolicy = 6, Interactive = 1, Owner is system = 1, Explicit proxy = 0, Proxy session id = 1, ServiceId = {9482F4B4-E343-43B6-B170-9A65BC822C77}
2015-03-23 19:39:34:031  892 18b0 DnldMgr   * Updates to download = 1
2015-03-23 19:39:34:031  892 18b0 Agent   *   Title = Definition Update for Windows Defender - KB2267602 (Definition 1.193.3478.0)
2015-03-23 19:39:34:031  892 18b0 Agent   *   UpdateId = {FD8A47F9-2E75-4763-AE52-777D471C87C8}.201
2015-03-23 19:39:34:031  892 18b0 Agent   *     Bundles 3 updates:
2015-03-23 19:39:34:031  892 18b0 Agent   *       {78E75BF6-5B6F-4FCB-AD33-9A5618E50403}.200
2015-03-23 19:39:34:031  892 18b0 Agent   *       {768A90D1-09F4-475A-A4AF-6FCBB85222F1}.200
2015-03-23 19:39:34:031  892 18b0 Agent   *       {9B5A0E5A-4ED6-47B6-B0B2-B45C537C02A1}.201
2015-03-23 19:39:34:031  892 18b0 DnldMgr No locked revisions found for update FD8A47F9-2E75-4763-AE52-777D471C87C8; locking the user-specified revision.
2015-03-23 19:39:34:031  892 18b0 DnldMgr No locked revisions found for update 9B5A0E5A-4ED6-47B6-B0B2-B45C537C02A1; locking the user-specified revision.
2015-03-23 19:39:34:046  892 191c AU   # Pending download calls = 1
2015-03-23 19:39:34:046  892 191c AU <<## SUBMITTED ## AU: Download updates
2015-03-23 19:39:34:062  892 18b0 IdleTmr WU operation (DownloadManagerDownloadJob) started; operation # 760; does use network; is not at background priority; will NOT stop idle timer
2015-03-23 19:39:34:062  892 18b0 IdleTmr Incremented idle timer priority operation counter to 3
2015-03-23 19:39:34:093  892 18b0 DnldMgr ***********  DnldMgr: New download job [UpdateId = {9B5A0E5A-4ED6-47B6-B0B2-B45C537C02A1}.201]  ***********
2015-03-23 19:39:34:109  892 18b0 DnldMgr   * BITS job initialized, JobId = {8F94CFCA-5055-4CD6-B71E-13F540B0BC5F}
2015-03-23 19:39:34:171  892 18b0 DnldMgr   * Downloading from http://fg.v4.download.windowsupdate.com/c/msdownload/update/software/defu/2015/03/am_delta_48e485cc83da49bce931292934e1d75788e0629a.exe to C:\Windows\SoftwareDistribution\Download\a72da7d4ae868d3ed29b457ac7415777\48e485cc83da49bce931292934e1d75788e0629a (full file).
2015-03-23 19:39:34:203  892 18b0 IdleTmr WU operation (DownloadManagerDownloadJob) started; operation # 762; does use network; is not at background priority; will NOT stop idle timer
2015-03-23 19:39:34:203  892 18b0 IdleTmr Incremented idle timer priority operation counter to 4
2015-03-23 19:39:34:234  892 18b0 DnldMgr *********
2015-03-23 19:39:34:234  892 18b0 DnldMgr **  END  **  DnldMgr: Begin Downloading Updates [CallerId = AutomaticUpdatesWuApp]
2015-03-23 19:39:34:234  892 18b0 DnldMgr *************
2015-03-23 19:39:34:312  892 db4 DnldMgr WARNING: BITS job {F79CE1D4-F6F3-4D14-A8AB-704A88E200AC} failed, updateId = {768A90D1-09F4-475A-A4AF-6FCBB85222F1}.200, hr = 0x80200056, BG_ERROR_CONTEXT = 2
2015-03-23 19:39:34:312  892 db4 DnldMgr   Progress failure bytes total = 295552, bytes transferred = 0
2015-03-23 19:39:34:312  892 db4 DnldMgr   Failed job file: URL = http://fg.v4.download.windowsupdate.com/c/msdownload/update/software/defu/2015/03/mpsigstub_5dfd7f28a79c6fac6a908b9e5c2cf4e56320f3ee.exe, local path = C:\Windows\SoftwareDistribution\Download\f160e023de7cfeeda671dc169ba732fb\5dfd7f28a79c6fac6a908b9e5c2cf4e56320f3ee
2015-03-23 19:39:34:312  892 db4 DnldMgr CUpdateDownloadJob::GetNetworkCostSwitch() Neither unrestricted or restricted network cost used, so using current cost
2015-03-23 19:39:34:375  892 db4 IdleTmr WU operation (DownloadManagerDownloadJob, operation # 760) stopped; does use network; is not at background priority; will NOT start idle timer (task did not previously stop it
2015-03-23 19:39:34:375  892 db4 IdleTmr Decremented idle timer priority operation counter to 3
2015-03-23 19:39:34:375  892 db4 DnldMgr Error 0x80200056 occurred while downloading update; notifying dependent calls.
2015-03-23 19:39:34:375  892 12ec AU >>##  RESUMED  ## AU: Download update [UpdateId = {FD8A47F9-2E75-4763-AE52-777D471C87C8}]
2015-03-23 19:39:34:375  892 12ec AU   # WARNING: Download failed, error = 0x80200056
2015-03-23 19:39:34:437  892 18b0 DnldMgr *********
2015-03-23 19:39:34:437  892 18b0 DnldMgr **  END  **  DnldMgr: Download Call Complete [Call 5 for caller AutomaticUpdatesWuApp has completed; signaling completion.]
2015-03-23 19:39:34:437  892 18b0 DnldMgr *************
2015-03-23 19:39:34:468  892 18b0 IdleTmr WU operation (DownloadManagerDownloadJob, operation # 762) stopped; does use network; is not at background priority; will NOT start idle timer (task did not previously stop it
2015-03-23 19:39:34:468  892 18b0 IdleTmr Decremented idle timer priority operation counter to 2
2015-03-23 19:39:34:468  892 12ec AU Download call completed, hr = 0x80200056
2015-03-23 19:39:34:468  892 12ec AU #########
2015-03-23 19:39:34:468  892 12ec AU ##  END  ##  AU: Download updates
2015-03-23 19:39:34:468  892 12ec AU #############
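Added example, not from the original post: a Python triage helper that parses WindowsUpdate.log lines in the format above, pulls out each failed BITS job (update id, HRESULT, failed URL, bytes transferred) and checks whether a System-log network event such as the browser election landed within a few seconds of the failure. The sample log lines are the post's own, embedded as a constructed string; the event timestamp is my assumption, since the post gives the message but not its exact time.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample: a subset of the WindowsUpdate.log lines quoted in the post.
WU_LOG = r"""
2015-03-23 19:39:34:031  892 18b0 DnldMgr ***********  DnldMgr: Begin Downloading Updates [CallerId = AutomaticUpdatesWuApp]  ***********
2015-03-23 19:39:34:171  892 18b0 DnldMgr   * Downloading from http://fg.v4.download.windowsupdate.com/c/msdownload/update/software/defu/2015/03/am_delta_48e485cc83da49bce931292934e1d75788e0629a.exe to C:\Windows\SoftwareDistribution\Download\a72da7d4ae868d3ed29b457ac7415777\48e485cc83da49bce931292934e1d75788e0629a (full file).
2015-03-23 19:39:34:312  892 db4 DnldMgr WARNING: BITS job {F79CE1D4-F6F3-4D14-A8AB-704A88E200AC} failed, updateId = {768A90D1-09F4-475A-A4AF-6FCBB85222F1}.200, hr = 0x80200056, BG_ERROR_CONTEXT = 2
2015-03-23 19:39:34:312  892 db4 DnldMgr   Progress failure bytes total = 295552, bytes transferred = 0
2015-03-23 19:39:34:312  892 db4 DnldMgr   Failed job file: URL = http://fg.v4.download.windowsupdate.com/c/msdownload/update/software/defu/2015/03/mpsigstub_5dfd7f28a79c6fac6a908b9e5c2cf4e56320f3ee.exe, local path = C:\Windows\SoftwareDistribution\Download\f160e023de7cfeeda671dc169ba732fb\5dfd7f28a79c6fac6a908b9e5c2cf4e56320f3ee
2015-03-23 19:39:34:375  892 12ec AU   # WARNING: Download failed, error = 0x80200056
2015-03-23 19:39:34:468  892 12ec AU Download call completed, hr = 0x80200056
"""

# Constructed sample of the System log: the browser-election message from the
# post, with a timestamp I made up a few seconds after the failure (assumption;
# the post says "a few seconds after" but does not print the time).
SYSTEM_EVENTS = [
    (datetime(2015, 3, 23, 19, 39, 37),
     r"The browser has forced an election on network \Device\NetBT_Tcpip_{D03DC1BF-134A-4B75-B8F2-CD9086B301E1} because a master browser was stopped."),
]

# WindowsUpdate.log line layout: date time:ms  pid tid component message
LINE_RE = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d):(\d{3})\s+(\d+)\s+([0-9a-f]+)\s+(\S+)\s+(.*)$')
BITS_FAIL_RE = re.compile(r'BITS job (\{[0-9A-F-]+\}) failed, updateId = (\{[0-9A-F-]+\}\.\d+), hr = (0x[0-9A-Fa-f]{8})')
BYTES_RE = re.compile(r'bytes total = (\d+), bytes transferred = (\d+)')
FILE_RE = re.compile(r'Failed job file: URL = (\S+), local path = (.*)$')
FACILITY_BITS = 0x20    # HRESULTs of the form 0x8020xxxx come from BITS


def parse_wu_log(text):
    """Split WindowsUpdate.log into timestamped records; skips lines that do not
    carry the standard prefix (continuation lines, banners without a date)."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), '%Y-%m-%d %H:%M:%S')
        ts = ts.replace(microsecond=int(m.group(2)) * 1000)
        records.append({'time': ts, 'pid': int(m.group(3)), 'tid': m.group(4),
                        'component': m.group(5), 'message': m.group(6)})
    return records


def extract_download_failures(records):
    """Collect each failed BITS job and the detail lines DnldMgr prints after it."""
    failures = []
    for r in records:
        msg = r['message']
        m = BITS_FAIL_RE.search(msg)
        if m:
            failures.append({'time': r['time'], 'job': m.group(1), 'update_id': m.group(2),
                             'hresult': int(m.group(3), 16), 'url': None, 'local_path': None,
                             'bytes_total': None, 'bytes_transferred': None})
            continue
        if not failures:
            continue
        m = BYTES_RE.search(msg)
        if m:
            failures[-1]['bytes_total'] = int(m.group(1))
            failures[-1]['bytes_transferred'] = int(m.group(2))
        m = FILE_RE.search(msg)
        if m:
            failures[-1]['url'], failures[-1]['local_path'] = m.group(1), m.group(2)
    return failures


def describe_failure(f):
    """Classify the failure the way the post does: a BITS HRESULT with zero bytes
    transferred is a content-download problem, not an install or permissions one."""
    facility = (f['hresult'] >> 16) & 0x7FF
    return {
        'phase': 'download (BITS transfer)' if facility == FACILITY_BITS else 'other',
        'no_bytes_received': f['bytes_transferred'] == 0,
        'host': urlparse(f['url']).hostname if f['url'] else None,
    }


def network_events_after(failure, events, window_seconds=10):
    """System-log events that landed within window_seconds after the failure;
    a browser election or link change here points at a transient network cause."""
    start, end = failure['time'], failure['time'] + timedelta(seconds=window_seconds)
    return [(ts, msg) for ts, msg in events if start <= ts <= end]


if __name__ == '__main__':
    for f in extract_download_failures(parse_wu_log(WU_LOG)):
        print(f"{f['time']}  {f['update_id']}  hr=0x{f['hresult']:08X}")
        print('  ', describe_failure(f))
        for ts, msg in network_events_after(f, SYSTEM_EVENTS):
            print(f'   {ts}  {msg}')
```

Run against a full log rather than the excerpt, the same functions list every failed job in order, so a one-off transient failure and a repeating one look different at a glance.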

That's pretty much it. Since this has brought the always-irritating Computer Browser service to my immediate attention, I think I will write a more detailed post about it as well as some common issues here soon - as online documentation is few and far between on it.

Saturday, December 20, 2014

Windows 7 and Windows 8 Basics: Searching by File Size, Modification Date and Other File Properties

It was one of those days, not long ago, when I woke up and realized that I had become an Old Man. Mine is the last generation that remembers a time prior to the internet. I remember using acoustic couplers. My first laptop, a Toshiba, had dual 5 1/2 inch floppy drives, but had no hard drive. I was so excited when I got my hands on that machine. It meant I could connect to networks using my acoustic coupler from a pay phone!

My ruminations on aging are at least somewhat related to the topic at hand. You see, among the memories rattling around my grey-hair-ensconced head are a few about searching Windows file systems for files of specific types. This sort of thing is very important, even just for everyday normal computer usage.

When your computer starts running out of space, wouldn't it be nice to be able to find all of the really large files on that computer? Or perhaps you are looking for an important document you wrote - you can't remember the name of the file but you remember the week that you wrote it. Doing this in Windows XP is straight-forward, because the Windows XP search box (what Microsoft calls the "Search Companion") includes these more advanced functions, and accessing that search box is as simple as clicking the Start button and clicking Search from the resulting contextual menu. Such a search box typically looks similar to this:

Ruff!
As you can see, selecting size and date modification are simple in this format. However, Microsoft, in their infinite wisdom, decided to abandon this simple and straightforward menu, replacing it with a single magnifying glass icon without any options whatsoever:

Searching mad stupid.
Without the simple and easy to use Search Companion, how are we supposed to look for files based on their properties instead of their name?

The answer, unfortunately for users only accustomed to graphical interfaces, is a series of command line arguments.

Here is a list of the available search commands for Windows 7 and Windows 8, taken from the relevant Microsoft KB article:

Example search term, and what it finds:

System.FileName:~<"notes"
    Files whose names begin with "notes." The ~< means "begins with."

System.FileName:="quarterly report"
    Files named "quarterly report." The = means "matches exactly."

System.FileName:~="pro"
    Files whose names contain the word "pro" or the characters pro as part of another word (such as "process" or "procedure"). The ~= means "contains."

System.Kind:<>picture
    Files that aren't pictures. The <> means "is not."

System.DateModified:05/25/2010
    Files that were modified on that date. You can also type "System.DateModified:2010" to find files changed at any time during that year.

System.Author:~!"herb"
    Files whose authors don't have "herb" in their name. The ~! means "doesn't contain."

System.Keywords:"sunset"
    Files that are tagged with the word sunset.

System.Size:<1mb
    Files that are less than 1 MB in size.

System.Size:>1mb
    Files that are more than 1 MB in size.

In addition to these commands, users can also use a series of Boolean command line operators to further refine searches:

Operator, example, and what it finds:

AND (example: tropical AND island)
    Find files that contain both of the words "tropical" and "island" (even if those words are in different places in the file). In the case of a simple text search, this gives the same results as typing "tropical island."

NOT (example: tropical NOT island)
    Find files that contain the word "tropical," but not "island."

OR (example: tropical OR island)
    Find files that contain either of the words "tropical" or "island."

Although the commands themselves are non-intuitive, using them is straightforward. Simply type the appropriate command into the Windows search box, either in the Start menu or in the top-right corner of a File Manager window. Here is an example, where we have searched for all files larger than 100MB in size on the drive C:\
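As an added example (not from the original post, and not Microsoft's code), here is a small Python evaluator for the System.* search syntax and the AND/OR/NOT operators from the tables above, run against a constructed set of file records so that each query from the tables can be tried offline. Property names, operators and the two date forms come from the tables; the sample files, their sizes, dates and authors are mine.

```python
import re
import shlex
from datetime import date

# Constructed sample file records (names, sizes, dates and authors are mine).
SAMPLE_FILES = [
    {'name': 'notes from tuesday.txt', 'kind': 'document', 'size': 12 * 1024,
     'modified': date(2010, 5, 25), 'author': 'Herb', 'keywords': ['meeting']},
    {'name': 'quarterly report.docx', 'kind': 'document', 'size': 3 * 1024 ** 2,
     'modified': date(2010, 11, 2), 'author': 'Josh', 'keywords': ['finance']},
    {'name': 'procedure.pdf', 'kind': 'document', 'size': 900 * 1024,
     'modified': date(2011, 1, 10), 'author': 'Herb', 'keywords': []},
    {'name': 'sunset.jpg', 'kind': 'picture', 'size': 4 * 1024 ** 2,
     'modified': date(2012, 7, 14), 'author': 'Josh', 'keywords': ['sunset', 'tropical', 'island']},
    {'name': 'tropical.mp4', 'kind': 'video', 'size': 150 * 1024 ** 2,
     'modified': date(2013, 3, 3), 'author': 'Josh', 'keywords': ['vacation']},
    {'name': 'backup.vhd', 'kind': 'file', 'size': 700 * 1024 ** 2,
     'modified': date(2014, 12, 1), 'author': '', 'keywords': []},
]

UNITS = {'b': 1, 'kb': 1024, 'mb': 1024 ** 2, 'gb': 1024 ** 3}
# System.<Property>:<operator><value>; the operator set is the one in the table above
TERM_RE = re.compile(r'^System\.(\w+):(~<|~=|~!|<>|<=|>=|<|>|=)?(.+)$', re.I)
STRING_PROPS = {'filename': 'name', 'kind': 'kind', 'author': 'author', 'keywords': 'keywords'}


def parse_size(text):
    m = re.fullmatch(r'(\d+(?:\.\d+)?)\s*([kmg]?b)?', text.strip(), re.I)
    if not m:
        raise ValueError(f'bad size: {text!r}')
    return int(float(m.group(1)) * UNITS[(m.group(2) or 'b').lower()])


def parse_date(text):
    """'05/25/2010' means that day; a bare '2010' means any day in that year."""
    if re.fullmatch(r'\d{4}', text):
        return 'year', int(text)
    month, day, year = (int(p) for p in text.split('/'))
    return 'day', date(year, month, day)


def compare(op, actual, wanted):
    ops = {'<': actual < wanted, '>': actual > wanted, '<=': actual <= wanted,
           '>=': actual >= wanted, '<>': actual != wanted}
    return ops.get(op, actual == wanted)     # '=' and no operator both mean equality


def match_term(f, term):
    m = TERM_RE.match(term)
    if not m:                                 # bare word: plain text over name and tags
        needle = term.lower()
        return needle in f['name'].lower() or any(needle in k.lower() for k in f['keywords'])
    prop, op, value = m.group(1).lower(), m.group(2), m.group(3)
    if prop == 'size':
        return compare(op, f['size'], parse_size(value))
    if prop == 'datemodified':
        kind, wanted = parse_date(value)
        return compare(op, f['modified'].year if kind == 'year' else f['modified'], wanted)
    field = f[STRING_PROPS[prop]]
    field = ' '.join(field) if isinstance(field, list) else field
    field, value = field.lower(), value.lower()
    if op == '~<':
        return field.startswith(value)
    if op in ('~=', None):
        return value in field
    if op == '~!':
        return value not in field
    if op == '=':
        return field == value
    if op == '<>':
        return field != value
    raise ValueError(f'operator {op} is not valid for System.{prop}')


def evaluate(query, f):
    """Left-to-right AND / OR / NOT, with adjacent terms joined by an implicit AND
    (so "tropical island" behaves like "tropical AND island", as the table says)."""
    result, op = True, 'AND'
    for tok in shlex.split(query):            # shlex keeps quoted values together
        if tok.upper() in ('AND', 'OR', 'NOT'):
            op = tok.upper()
            continue
        hit = match_term(f, tok)
        result = {'AND': result and hit, 'OR': result or hit, 'NOT': result and not hit}[op]
        op = 'AND'
    return result


def search(query, files=SAMPLE_FILES):
    return sorted(f['name'] for f in files if evaluate(query, f))


if __name__ == '__main__':
    for q in ('System.Size:>100mb', 'System.DateModified:2010', 'tropical NOT island'):
        print(f'{q:28} -> {search(q)}')
```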

A search example in Windows 7
There are a variety of circumstances where Windows' search implementation will fail to meet a user's needs. First and foremost, the search function is resource intensive, inaccurate and slow. Compared to Linux's `grep`, `find` and `locate` commands, Windows Search is almost laughably bad, particularly when attempting to search for strings inside of files.

There are other tools available for Windows that vastly improve on the default Windows search function. My recommendation at this time is GrepWin, built by Stefan Küng, available for download at the Google Code site.

GrepWin allows users to search by simple strings, operators and terms like those we described above, providing faster more accurate responses than those available from Windows' default search. In addition to basic search functionality, GrepWin also accepts regular expressions as input. While cryptic, and with a steep initial learning curve, regular expressions are incredibly powerful and a fundamental part of modern computer programming. With regular expressions, you may find specific and complex patterns from large datasets efficiently and quickly. We will almost certainly explore regular expressions in depth with their own post (or perhaps series of posts).

That's it for now on Windows-based searching. When we return to searching in the future, we will likely spend more time on searching databases, arrays and other data structures as well as providing more theoretical explanations for file system search.

Sunday, November 25, 2012

List of Windows Activation Keys for KMS

Includes Keys for Windows Server 2012, Windows Server 2008, Windows 8, Windows 7 and Vista

This list of keys for KMS can be a real hassle to find in Microsoft's online documentation, so it is provided here in the hopes of saving you some time. Please note that these are not stolen product keys, and as such publishing them is a time saver for administrators managing large deployments of fully licensed Microsoft products - so if you are a thief or an Internet police person, sorry to disappoint, but you've made it to the wrong site.

WINDOWS SERVER 2012

Windows Server 2012 Core
BN3D2-R7TKB-3YPBD-8DRP2-27GG4

Windows Server 2012 Core N
8N2M2-HWPGY-7PGT9-HGDD8-GVGGY

Windows Server 2012 Core Single Language
2WN2H-YGCQR-KFX6K-CD6TF-84YXQ

Windows Server 2012 Core Country Specific
4K36P-JN4VD-GDC6V-KDT89-DYFKP

Windows Server 2012 Server Standard
XC9B7-NBPP2-83J2H-RHMBY-92BT4

Windows Server 2012 Standard Core
XC9B7-NBPP2-83J2H-RHMBY-92BT4

Windows Server 2012 MultiPoint Standard
HM7DN-YVMH3-46JC3-XYTG7-CYQJJ

Windows Server 2012 MultiPoint Premium
XNH6W-2V9GX-RGJ4K-Y8X6F-QGJ2G

Windows Server 2012 Datacenter
48HP8-DN98B-MYWDG-T2DCC-8W83P

Windows Server 2012 Datacenter Core
48HP8-DN98B-MYWDG-T2DCC-8W83P

WINDOWS 8

Windows 8 Professional
NG4HW-VH26C-733KW-K6F98-J8CK4

Windows 8 Professional N
XCVCF-2NXM9-723PB-MHCB7-2RYQQ

Windows 8 Enterprise
32JNW-9KQ84-P47T8-D8GGY-CWCK7

Windows 8 Enterprise N
JMNMF-RHW7P-DMY6X-RF3DR-X2BQT

WINDOWS SERVER 2008

Windows Server 2008 R2 HPC Edition
FKJQ8-TMCVP-FRMR7-4WR42-3JCD7

Windows Server 2008 R2 Datacenter
74YFP-3QFB3-KQT8W-PMXWJ-7M648

Windows Server 2008 R2 Enterprise
489J6-VHDMP-X63PK-3K798-CPX3Y

Windows Server 2008 R2 for Itanium-Based Systems
GT63C-RJFQ3-4GMB6-BRFB9-CB83V

Windows Server 2008 R2 Standard
YC6KT-GKW9T-YTKYR-T4X34-R7VHC

Windows Web Server 2008 R2
6TPJF-RBVHG-WBW2R-86QPH-6RTM4

Windows Server 2008 Datacenter
7M67G-PC374-GR742-YH8V4-TCBY3

Windows Server 2008 Datacenter without Hyper-V
22XQ2-VRXRG-P8D42-K34TD-G3QQC

Windows Server 2008 for Itanium-Based Systems
4DWFP-JF3DJ-B7DTH-78FJB-PDRHK

Windows Server 2008 Enterprise
YQGMW-MPWTJ-34KDK-48M3W-X4Q6V

Windows Server 2008 Enterprise without Hyper-V
39BXF-X8Q23-P2WWT-38T2F-G3FPG

Windows Server 2008 Standard
TM24T-X9RMF-VWXK6-X8JC9-BFGM2

Windows Server 2008 Standard without Hyper-V
W7VD6-7JFBR-RX26B-YKQ3Y-6FFFJ

Windows Web Server 2008
WYR28-R7TFJ-3X2YQ-YCY4H-M249D

WINDOWS 7

Windows 7 Professional
FJ82H-XT6CR-J8D7P-XQJJ2-GPDD4

Windows 7 Professional N
MRPKT-YTG23-K7D7T-X2JMM-QY7MG

Windows 7 Enterprise
33PXH-7Y6KF-2VJC9-XBBR8-HVTHH

Windows 7 Enterprise N
YDRBP-3D83W-TY26F-D46B2-XCKRJ

Windows 7 Enterprise E
C29WB-22CC8-VJ326-GHFJW-H9DH4

VISTA

Windows Vista Business
YFKBB-PQJJV-G996G-VWGXY-2V3X8

Windows Vista Business N
HMBQG-8H2RH-C77VX-27R82-VMQBT

Windows Vista Enterprise
VKK3X-68KWM-X2YGT-QR4M6-4BWMV

Windows Vista Enterprise N
VTC42-BM838-43QHV-84HX6-XJXKV

Sunday, October 28, 2012

Changes to Windows Server 2012 Media Handling Reduce Bandwidth Requirements for Remote Desktop (RDP) and Terminal Services

RemoteFX Media Streaming Introduced

Over the years I have worked at both Internet Service Providers and server hosting companies. In both environments, customers have found thin client deployment and virtual desktop provisioning stymied by the bandwidth needs of remote desktop when used for day-to-day desktop computing style tasks. I can't remember how many times I have worked with a company whose entire network has failed or flapped because of employees downloading torrents or watching Youtube videos from a remote server. Other times, I have worked on Terminal Services capacity planning projects, and found myself impressed by the difficulty of giving reliable estimates even where good data is available.

Many companies have been completely unable to reap the rewards of hosted desktops (fast provisioning and restoring, centralized management, easy hardware replacement) because of the costs of reliable high-throughput internet connections to their office. Data center bandwidth isn't cheap, either. A number of companies have been founded (and a few, like Citrix, have flourished) around introducing appliances and applications to further compress the data on both ends of a remote desktop connection.

The rewards to the end user, then, of improving multimedia performance over RDP are huge. Microsoft is claiming to have done just that with Windows Server 2012.

Changes From Windows Server 2008 / Windows 7

Windows Multimedia Redirection (WMR) was the name for special multimedia handling in the last version of Windows. WMR had some positive innovations of its own - rendering takes place on the client side, and as a result, CPU load on the server is decreased. Under normal circumstances this is accomplished without a significant reduction in quality. There were a number of problems with the implementation - WMA, WMV, MP3 and DivX are handled, but unsupported protocols get handled without any special rendering (unsupported includes Flash, Silverlight and Quicktime - basically almost all video on the web). The client requires RDP 7.0 when connecting to take advantage of any of this. Bandwidth consumption is wholly dependent upon the bit rate of the original video. The frame rate sucks and becomes worse with scale.

Windows Server 2012 addresses the issues differently - WMR is replaced by RemoteFX. Through some secret mojo that has yet to be fully explained by Microsoft at this point, RemoteFX identifies regions of the screen that are to render video. The video content is encoded using H.264 codec and RemoteFX Progressive Codec. Audio is encoded by using the AAC codec. This is accomplished regardless of how the video is displayed - Silverlight, Flash - every protocol is supported. Because video behavior is consistent, capacity planning should become a more straightforward task, as the biggest variable for client resources finds a reduced range of possible values.

Microsoft is publishing some big claims on performance improvement. 90% bandwidth reduction claims should be greeted with skepticism, but other claims of frame rates over the WAN staying around 20 fps look promising. Testing demonstrates (I am working on embedding the video, should have it up shortly) that in a side-by-side comparison of Windows 7 and Windows 8 remote desktops using the same uplink - 2 Mbps throughput, 250ms round-trip latency, and 0.5% random loss - Windows 8 shows significant and noticeable graphical improvement, performing almost indistinguishably from a local display while playing the same Youtube video. Windows 7 struggles - several times a second, the video pauses to re-render a new image, making the display irritating and unwatchable. Keep in mind I have yet to test or see test results with multiple concurrent RDP connections, so at this point I would not recommend capacity planning using those numbers.

More testing is needed - what will be valuable is a greater understanding of the amount of resources (especially throughput) needed per RDP client, reliable maximum client per server numbers, and any additional provisos for virtual environments. If your projects are graphically intensive or involve unique image, audio or video handling, then running a few of your own stress tests is highly recommended.

When performing your own tests, note that WMR is still used for LAN connections in Windows Server 2012. Whether you are on a LAN or WAN is determined by latency - if your connection is under 30ms latency, WMR will be used. If your connection is over 30ms latency, RemoteFX is used. There are a lot of ways to control latency for testing - I am partial to NIST Net, which is Cisco's recommended WAN emulation software. Although NIST Net is Linux based, the previous link will take you to full installation media with detailed instructions (so you don't need to be an expert Linux administrator to get it working). That said, there are Windows-based WAN emulators too. Jperf (the Java fork of iperf) and WANEM should do the trick, as well. Be sure to publish your results! Here is a link to the forums if after testing you would like to share your data with the community (I am also happy to publish your results here, or link to findings on your blog or website).

The tests so far I have seen look very promising - hopefully these changes continue to encourage the implementation of virtual desktops, as well as the adoption of Windows 8/2012 itself.

Friday, September 28, 2012

Windows 8 Rootkit Discovered in the Wild

That Was Quick

Italian security consultants ITSEC discovered the security hole following an analysis of the Unified Extensible Firmware Interface (UEFI), a successor to the legacy BIOS firmware interface, that Microsoft began fully supporting with 64-bit versions of Windows 7.

Tip of the Hat to The Register, linked above.

[EDIT: The article specifies the payload as a "bootkit". This was deliberately omitted on my part. The word "bootkit" strikes me as part of that trend to modify prefixes of words to make them ludicrously specific, like how Watergate became EverythingUnderTheSun-Gate. It's a cheap way to feign familiarity through reference. Is there a relevant disharmony between the terms bootloader and rootkit I'm ignoring? If so feel free to shine light on my ignorance via email or in the comments.]

Since we are on the topic of hardware hacking, last week I caught a printer spamming - as in, a printer that was network available that had been compromised by malware and became part of a snowshoe spam run. While I'm sure this is nothing new, I just haven't seen too much of it - the idea of a botnet composed entirely of printers terrifies me every time I think about it. Peripherals are awful.

RAT Bastard

Earlier this week, several servers I maintain were targeted by automated attempts to upload a remote access trojan (RAT). The RAT is a simpl...