Finally upgraded to Forefront TMG 2010 RTM last night. And screwed up the web listener for this site. And didn’t know it. Ooops...

It should all be good now though. At least the web publishing part.

I'm still having problems getting the VPN working. L2TP seems to be working fine, but the SSTP endpoint is complaining about certificate problems and not working correctly. Plus, web proxy clients are now trying to connect to one of the RAS demand dial interfaces instead of the internal one they're supposed to. GRRRRR! (DNS looks correct, so no idea how clients even know about the DHCP assigned address...but that's what the logging is reporting...)

Also, for some reason after applying the latest round of Windows Updates, system startup has slowed to a crawl. It's now taking 15 minutes to go from POST to the login screen. Nothing is being reported as being problematic, so no clue where to even start looking. Even worse, sometimes services don't come back up, requiring manual intervention at the console to start them. They've been different on each of the handful of reboots I've done, so now I'm getting afraid to reboot...

IPv6 support is also sorely missing. It's kind of there under the covers, and bleeds through when configuring DirectAccess stuff. But without being supported & without a UI to configure rules, whatever underlying support there is is useless.

On the bright side, recreating the old rules was a breeze. And the Best Practice Analyzer is nice; it caught a couple things that I missed.

I think the best approach is probably going to be to start over and reinstall everything. Ouch. That'll have to wait a bit though...next week (+weekend) I'm down in the Bay Area again, and two weeks later I'm in New Orleans...

Now playing: Vienna Teng – Warm Strangers – 04 Shine

I finally hopped on the solid state drive (SSD) bandwagon. Got an Intel X25-M G2 160GB drive yesterday. And ended up spending all day trying to install it. Definitely should have thought about how to go from the old drive to the new drive a bit more. But, it's working now! Unfortunately, I haven't really noticed a performance boost at all...although that might be because the only things I've done with it so far are resync my offline file cache, create silly little drawings, and write blog posts. Nothing too disk intensive there, and certainly nothing that would really benefit from the improved random access times. So I'll see how this works out in the long run.

In the mean time, this is how I migrated from the old drive to the new drive:

1. Remove encrypted (EFS) files. It turns out that for some reason I had a random encrypted file sitting around, which caused the backup procedure to fail.
2. Boot into WinPE. I used a USB drive that I've got laying around for installing Windows Server 2008 R2.
3. Use imagex (from the Windows Automated Installation Kit (WAIK)) to capture an image of the old drive's volumes.
4. Shutdown the system & install the new drive.
5. Boot using the bootable USB drive and install Windows. I did this because I needed to create the partition structure, file systems, and configure the new drive to be bootable. Windows Setup does that all for me in a lot less time than it would take me to document/chase down all that stuff and apply the changes manually.
6. Boot using the bootable USB drive again. Quick format the OS partition (or: delete everything on it).
7. Use imagex to apply the captured image.
8. Reboot. Be happy that actually worked & didn't result in weird errors from bootmgr (or even worse, "ntldr not found"! (that would have been really bad because Windows Vista, Server 2008, 7, & Server 2008 R2 don't even *have/use* ntldr anymore!).
9. (optional) Write blog post whining about how I didn't use dd, Ghost, TruImage, some other disk cloning tool, or even just did something as simple as hooking both drives up at the same time and doing a robocopy. (note that most of those would require having both drives connected at the same time, which isn't possible for me because I don't have a computer with 2 free SATA ports...yes, it's probably time I upgraded).

Now playing: Stars – In Our Bedroom After the War – 01 The Beginning After the End

This weekend I got rid of the Digital AlphaServer 4000 5/300 that I've had for a number of years. It ended up going a friend, so hopefully some good use will be made of it. Honestly, getting rid of it is probably for the best: it's a pain to move (huge + weighs a third of a ton), and I haven't used it for a while...in fact, it hasn't been plugged in since moving out to Oregon a couple years ago.

Still, I can't help but feel a little bit nostalgic & miss it a little bit...

Between this & the other stuff I've given away over the last 4 months, I'm now down to the fewest number of computers I've owned since December 2002. Huh. Seems odd to realize that.

Anyway, bye Azure the AlphaServer!

Now playing: Lifehouse – Who We Are – 05 Broken

Here's the workflow I used for analyzing the logs from this website:

1. Wait until end of day.
2. Copy the day's log file to a temp directory.
3. Run the log loading utility (this also applies the geolocation lookups, so sometimes the geoip databases need to be refreshed from www.maxmind.com)
4. After a bit (3-20 minutes usually; depends highly on the level of traffic), the log entries are all in a SQL Server database.
5. The database has a View that filters out bots, crawlers, spammers, and internal traffic
6. I view the external user records by querying the view.

That view has a horribly complicated SELECT statement. Which I found out this week had some bugs, so not all results were being correctly returned. And by "horribly" complicated I mean that it has thousands of conditions that are being evaluated.

So after wasting a bunch of time trying to chase down where the problems were, I decided to scrap that approach and come up with a better one.

What came to mind was developing some sort of "how-likely-is-it-that-this-record-should-be-hidden" score. The more pieces of "evidence" that a particular request came from a bot/crawler/spammer/etc., the higher the score.

So now I've got a basic implementation going. It's written in C# 4.0 (hey, have to play with the new stuff sometime!) and operates as a separate external utility that persists the score as another field on each log entry's record. It took that massive SELECT and refactored it down into 45 separate rule sets (classes)...much more manageable! At the moment the scores from each rule are kind of arbitrary, and will probably need to be redone/tweaked in the future. Right now I'm basically taking everything that didn't match a rule (score = 0) and treating that as legitimate external traffic...which seems to be working fairly well, but isn't really as fine grained as I originally envisioned.

Also, at some point (soon) I need to add more complex conditions. A couple of bots operate in such a way that if you look at any one individual request to the web server, that request is legitimate. But as soon as you see, say, 4 requests, repetitive patterns start to emerge and it becomes obvious that some sort of crawling is going on. So having an automated way to catch these would be nice...but also more complicated...probably just haven't thought about it enough yet...

Coolest parts of doing the new implementation: Linq to SQL, & using Linq + reflection to automatically discover all the rule sets. Just a couple lines of code to do such complex things! And it's so much simpler with that syntax!

Now playing: In-Flight Safety – We Are An Empire, My Dear – 05 Torches

Last Monday I applied a redirect rule to the site. And promptly watched (okay, so it took me 4 hours to notice...) as things went crazy & stuff broke. So, to help avoid that in the future, here's what I did & why I think it broke, and what was done to fix it.

Okay, so basically, there are 4 different domain names that can get visitors to this site. That's nice and all, but it doesn't help the search engine rankings at all. Also, it just seems kind of...repetitive (let's face it; this is probably the real reason I bothered to mess with things; having 4 different paths isn't as elegant as having just one). So I downloaded the URLRewrite add-on for IIS 7.5, installed it and created a simple rule:

   1:  <rewrite>

   2:    <rules>

   3:      <rule name="Redirect to www.ntldr.com" enabled="true" stopProcessing="true">

   4:        <match url=".*" />

   5:        <conditions>

   6:          <add input="{HTTP_HOST}" pattern="^(www.)ntldr.com$" negate="true" />

   7:        </conditions>

   8:        <action type="Redirect" url="http://www.ntldr.com/{R:0}" />

   9:      </rule>

  10:    </rules>

  11:  </rewrite>

The rule looks at every URL used to get to the site, checks to see that the destination server is not www.ntldr.com, and then redirects the request to http://www.ntldr.com/whatever-the-original-request-was. Pretty simple, tested it internally, verified it was working, then applied it to the site and went away for a few hours.

And came back to find that the logs had tens of thousands of entries. Mostly from some computer in Kansas that kept going to / over and over and over and over again. For almost 2 hours. The bots almost universally gave up after just 6 rounds.

Of course I immediately turned off the rewrite rule and frantically began looking at logs & network traces trying to figure out what the heck was going on and how I managed to not catch it in testing. It quickly became apparent that the rule worked internally, but not from outside the Forefront TMG 2010 firewall. Which narrowed down the problem quite a bit, & made me feel less incompetent (yay! the rule worked!), but more stupid (doh! for not testing like an actual user would!).

However, examining the TMG logs didn't really yield anything useful. A request would come in, it would go to the web server, a 301 Permanent Redirect would go back, and then the client would seem to reissue the same request again. Out of desperation, I decided to take a look at the rule and noticed this tab:

At the time, "Apply link translation to this rule" was checked. And one rule is used to make all 4 hosts accessible. Consequently, this is what the Link Translation Mapping looked like:

Public name: ntldr.com

Public name: ntldr.net

Public name: www.ntldr.com

Public name: www.ntldr.net

Oops. Fairly major, mind-numbingly stupid oops.

See, this is what was happening:

1. User visits http://ntldr.net.
2. Request for http://ntldr.net comes into Forefront TMG.
3. Forefront TMG processes the ntldr.com rule and forwards the request to www.ntldr.com (at this point, an internal DNS alias for the actual server, tourmaline.global.ntldr.net).
4. IIS gets the request and applies rewrite rules.
5. Rewrite rules send a reply back saying "no, you really should go to http://www.ntldr.com".
6. Reply reaches Forefront TMG. Forefront TMG applies Link Translation mappings.
7. Link Translation mappings change that to "no, you really should go to http://ntldr.net".
8. User dutifully goes to http://ntldr.net.
9. Repeat 1-8 until the user's browser either gives up (nice browsers), or the user gives up (impatient users), or I disconnect them.

So, the solution: disable link translation in Forefront TMG. Note that I not only had to do that on the rule itself, but also in the Web Filters. That might be just because I was impatient and didn't wait for TMG to fully cycle and disable the rule-level mappings. Not sure though, and haven't had a chance to find out yet.

Now playing: The New Pornographers – Challengers – 07 Unguided

Originally, this post was going to be a rant about how SQL Server Reporting Services is useless, and how Excel was so much easier for creating graphs & doing useful analysis of data. Then I spent an hour and a half messing around writing queries, executing queries, exporting & importing result sets, and then manipulating the data. So all the "oomph" has kind of gone out of that rant.

Besides, I shouldn't even be messing around with this data; there are a bunch of very nice programs/scripts sitting around on the Internet to do the analysis & reporting for me. But doing things the easy way would be cheating. So instead I keep mucking around with my own custom tools & processes.

In any case, here's a bunch of pretty graphs showing the human-like page views per week broken out by country of origin. Data for other views is a bit...messy...right now. The per-country stuff is fairly clean because I'm just using a geoip database to map requesting IP address to source country.

(yes, one would have probably been sufficient to show what I was doing, but hey, if one is good, five is even better?)

(also, in all honesty, I'm guessing I don't have enough consistent traffic to make looking at a week-by-week view meaningful; better would probably be to focus on longer time spans, like a month or so)

Now playing: Matthew Barber – Ghost Notes – 06 One Little Piece of My Love

Hmm... can this get posted from Microsoft Office Word 2010 Beta?

Here, let's try a picture too:

& how about a category too while I'm at it?

Update: okay, so can I update this too?

Okay, Hyper-V is cool. It's fast, easy to use, has a lot more features, & generally works very nicely. Much better than Virtual Server 2005 R2. Moved this website over to a new VM (upgraded to 64-bit Windows Server 2008 R2 in the process...yeah!) on my new server, and it's working great (I hope...guess I'll know for sure if any comments get posted...:)). Tried moving another VM over just by coping the VHD file, but that didn't work so well. Didn't really expect it to before trying, but then got hopeful when first starting it up and trying to install the integration components, and now have finally accepted that the two solutions (VS2005R2 & Hyper-V) are just too different for things to work.

Not sure I care that much for Hyper-V's licensing model though...yes, the basic product is free, but to get the "good" management tools you have to shell out the big $$$'s for System Center Virtual Machine Manager. Guess I'm just greedy and want everything for free... ;) (no, seriously, would it be too hard to have a management interface that allows you to see, at a glance, how many resources have been allocated to the VM's? kind of like the old VMRCplus view?)

Now playing: Stabbing Westward – Stabbing Westward – 07 Angel

Looks like my nice new Intel SR1630HGP server, with its Intel Xeon X3460 processor is affected by the CLOCK_WATCHDOG_TIMEOUT STOP error discussed in KB975530:

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

CLOCK_WATCHDOG_TIMEOUT (101)
An expected clock interrupt was not received on a secondary processor in an
MP system within the allocated interval. This indicates that the specified
processor is hung and not processing interrupts.
Arguments:
Arg1: 0000000000000019, Clock interrupt time out interval in nominal clock ticks.
Arg2: 0000000000000000, 0.
Arg3: fffff880021e1180, The PRCB address of the hung processor.
Arg4: 0000000000000006, 0.

(additional details follow that but don't really add anything)

GRRRRR!!! Looks like, at the time of this writing, the KB article needs to be updated, since the Xeon 3400 series aren't Xeon 5500's, nor Core i5's, nor Core i7's...

Now playing: The Beatles – One – 26 Let It Be

0xc0000225 error when trying to boot into the Windows Server 2008 R2 installer? And you're running on a Broadcom HT1000 based motherboard? Solution: hide/disable the XIOAPIC functions of the HT1000.

On the Supermicro H8SSL-i board this means going into the BIOS, Advanced tab, Advanced Chipset Control menu, "HT1000 Southbridge Configuration" menu, and finally changing the "Hide XIOAPIC PCI Functions" option to "Yes". Save the changes and reboot. (Note that this applies to v1.2 of the BIOS...which based on its age is probably going to be the last one ever released for that board...)

Now playing: Emm Gryner – Public – 08 Your Sort of Human Being

Got a brand spanking new Intel Xeon X34xx (Nehalem based!) server recently (like within the last month). It’s a barebones Intel Server System SR1630HGP, with an Intel S3420GP motherboard. Which means...it supports EFI! So I'd finally be able to see what all the hype & excitement about the cool new BIOS replacement was! And I'd be able to boot off a storage array > 2TB in size! Or so I thought (insert thunderclaps, lightning, and other ominous (or just drama enhancing) signs here).

It turns out there's a bit more to getting EFI to work with Windows than just popping the DVD in the drive and powering up the computer. A brief caveat here at the beginning: these comments apply to the following firmware, so the settings may change as new releases are made:

• BIOS: S3420GP.86B.01.00.0027
• BMC: v01.14
• FRUSDR: 15
• Windows Server 2008 R2 (RTM)

So, first of all, the RAID functions of the chipset don't work with EFI. Period. Neither the Intel Matrix RAID option ROM, nor the LSI/ESRT2 option ROM, appear to support EFI. Sure, they're useable with the CSM enabled, and the system setup may make it seem like they can be enabled, but as soon as EFI is used, things just stop working and any arrays either wont be bootable or wont even be found.

Actually, even with a standalone LSI MegaRAID SAS 9260-4i, things aren't that easy to get working. The CSM has to be enabled in order to get into the controllers firmware ("WebBIOS" or something now). And there's only like half a second to press the right keys to get into it the first time... But once the arrays and any settings are configured, EFI does work with the controller and CSM can be disabled.

Oh, and if using an internal SATA DVD drive, apparently it has to be plugged into port 5, otherwise it doesn't always show up as a bootable device. This might just be a legacy of leaving the Matrix RAID enabled when it shouldn't have been, but with the drive on port 5 it always worked.

Once the storage stuff is taken care of, the big tricky bit is that Windows apparently requires a VGA BIOS to be present in order to work properly. This little nugget of crucial information can be found by digging around the Windows Hardware Design site and reading up on firmware & UEFI/EFI. In the system setup, there's a setting for "Enable Use Legacy Video for EFI OS" that becomes available when "Enable EFI Optimized Boot" is enabled. BOTH settings need to be enabled for Windows to successfully run. I think I may have been able to get WinPE to start off the DVD without the video setting enabled, but it certainly wasn't stable & reliable. May just have been that the setting didn't actually get cleared, got temporarily turned back on again, or I'm just confused by having tried too many different things.

A final bit of trouble I ran into was getting Windows Setup to not encounter errors. For some reason it kept saying that Windows couldn't be installed to the drive because the system couldn't boot from the selected drive (although Setup would let you continue with the installation, true to its word, Windows wouldn't boot after setup). To fix this issue, I had to boot into WinPE (with CSM enabled/EFI boot disabled again! otherwise you can't get a command prompt from the setup disks!), fire up diskpart, convert the disk to GPT, then manually create the EFI System Partition (ESP) and Microsoft Reserved Partition (MSR). The next time setup started from an EFI boot, the error was gone and setup worked correctly.

So, a summary of what needs to be done:

1. Make sure the DVD drive is connected to SATA port 5!
2. Get a FAT32 EFI System Partition created on the disk somehow.
3. In the firmware setup:
   1. Switch SATA controller to AHCI mode
   2. Disable AHCI Option ROM
   3. Enable EFI Optimized Boot
   4. Enable Use Legacy Video for EFI OS
4. Save changes to firmware setup, then reenter it to double check that the settings took (& to verify the boot settings...those have an annoying habit of changing all the time)
5. Start up Windows Setup and install

Now playing: Emm Gryner – Public – 05 Phonecall 45

Retracted. This scenario is not supported, and there are numerous additional issues that need to be resolved that were not covered in the original post.

Now playing: Amy Millan – Masters of the Burial – 02 Low Sail

Windows Live has this cool thing where it reminds you about your contact’s birthdays (the “Birthday Calendar” I think…). And yes, I’ve come to rely on this feature. Unfortunately, I can’t quite bring myself to trust the system completely, so whenever I get the alerts, I also get this nagging doubt that it’s not really that person’s birthday and that I’ve really just misentered their contact info…

Wow Windows XP is showing it’s age…the RTM installation disc I have is reacting badly to the >127GB hard drive I’m trying to install on…(yes, I know the way to correct this is to use SP1…which is why I’m slipstreaming SP3 onto a new installation disc right now…)

Hey! xcopy on Windows 7 seems to have a new option: /J (“Copies using unbuffered I/O. Recommended for very large files.”) Cool!

Command just used to build the Windows XP with SP3 disc: oscdimg -n -b"amd64\boot\ETFSBOOT.COM" -lWXP_VOL_EN_SP3 -t04/14/2008,07:53:59 -g -h -maxsize:4096 "E:\CD Build\windows_xp_sp3" "E:\CD build\windows_xp_sp3.iso". I’m probably a short DVD burn away from finding out just how wrong that was…(much later)…hey, that actually worked!

Oo…coool…Windows XP does have regional settings for Filipino…too bad the timezone stuff doesn’t have one (instead I end up guessing…”it’s close enough to Singapore, right?” note that this results in the timezone being "Malay Peninsula Standard Time")

Who makes & sells a DVD drive that can’t play DVD’s?!?!?! I mean, I could sort of understand a bare OEM drive…but these are boxed retail drives from HP! Grrr…

Now playing: (nothing but the sound of computer fans)

New! Improved! Now with inline hyperlinks!¹

• Thieves!
• For some reason this makes me nervous about spec'ing out anything... (via http://blogs.msdn.com/ericlippert/archive/2009/06/01/bug-psychology.aspx)
• Some people might consider my apartment bad, but this is ridiculous (note: "some people" are wrong in this case; my apartment has its electronic contents nicely organized).
• Apparently all I need to do to shed the whole nerd/geek image & become "cool" is go blow stuff up & walk away. Umm...sure...
• Mmmmm...doughnuts...
• Fun with locks! (yes Emil, you have a long ways to go with your bump keys) (via http://j-walkblog.com/index.php?/weblog/posts/locks_arent_really_effective/)
• -dsr-'s comment is hilarious (read the post first of course)
• Having this many email accounts actually isn't that impressive if you know a little about Exchange 2007 & Windows PowerShell...such as:
  for($i = 0; $i –lt 6000; $i += 1)
  {
  new-mailbox -UserPrincipalName "Me$i@ntldr.net" -alias "Me$i" -name "Me$i" -database "Storage Group 1\Mailbox Database 1" -OrganizationalUnit 'examples' -DisplayName "Me $i" -ResetPasswordOnNextLogon $true
  }
  (warning: for the kids following along at home, I don't actually have an Exchange Server anymore, so I haven't tested that command. and even if it's error free, why would you want 6000 accounts?!)
• Interested in Bing? Wondering how good the results are? Someone set up an interesting comparison site. (via http://www.istartedsomething.com/20090607/bing-vs-google-vs-yahoo-blind-search-engine-test/)

Extra special bonus feature:

So I got the following email message from my mom last week:

See your Mom on YouTube!!

Extra, extra special bonus feature:

So, there's been a bit of speculation lately about why I blog (& why it's increased lately). The general consensus amongst other people seemed to be that it's because I'm lonely & am seeking attention. LOL! Duh, it's a blog. That's like saying the sky is blue because of light's refraction through the atmosphere. ...err... maybe not quite that metaphor. Whatever...was going more for the whole "that's the way it works because that's what it means to be that" thing... (actually, there was a bunch of additional context around the whole question that makes it interesting, but I'm trying to avoid the whole emo-teen-agnst-livejournal vibe because I'm a mature technology professional maintaining a professional Internet self-marketing presence (haha...okay, so really I'm just too lazy to create & install a black-text-on-black-background DasBlog theme :P))

¹ Rose Festival/Fleet Week 2009 pictures coming later this week...or next...hopefully I'll be more punctual with this year's photos than I've been in previous years.

Now playing: Sebastien Grainger & the Mountains – Sebastien Grainger & the Mountains – 10 American Names

So for some reason you have a Lenovo X200T, a bootable USB hard drive running WinPE (Vista SP1/Server 2008 based), ImageX, and the WIM files that were originally on the recovery partition. For some reason you no longer have the recovery partition (probably because it was deleted to free up space), you don’t have the recovery discs that you burned like a conscientious computer owner, and your X200T wont start the OS (say, because you didn’t think about all the implications of encrypting the entire drive with BitLocker and then not having the recovery key…). Also, just to make it more fun, you’re on a plane!

Obviously the system needs to be restored. And because of the things you do have, you’re in luck! It’s possible! And not that hard! (yeah, right…)

First, backup everything you can off the X200T’s hard drive, because restoring things is destructive and will involve wiping the drive. If you can’t back things up…umm…learn to live with disappointment and loss? Since the system wont start the OS, you’ll probably be doing this from within WinPE. Good luck copying everything with the command line (xcopy can be useful here).

If you aren’t in WinPE yet, adjust the bios settings to allow you to boot off the bootable WinPE USB hard drive. Then boot into WinPE.

The first real part of the recovery process is to wipe the X200T’s drive and repartition it. Start diskpart and issue the following commands:

select disk 0
clean
create partition primary size=1499
active
assign letter=s
format fs=ntfs label="SERVICEV003" quick
create partition primary
assign letter=c
format fs=ntfs label="SW_Preload" quick

Next, apply the WIM files to the disk (exact paths to the WIM files will probably be different for you):

imagex /apply E:\images\x200t\sdrivebackup.wim 0 S:\
imagex /apply E:\images\x200t\cdrivebackup.wim 0 C:\

So, in a perfect world, everything would be all set to go now. Unfortunately, you my run into problems with bootmgr not being able to find the OS, or the OS thinking its on a different drive letter than it should be. To fix those issues, a little editing of the boot configuration database will be required:

bcdedit /store S:\boot\bcd /set {9dea862c-5cdd-4e70-acc1-f32b344d4795} device partition=S:

bcdedit /store S:\boot\bcd /set {3657ebe1-d4e6-11dc-88f0-ec9c0d1f1864} device partition=C:
bcdedit /store S:\boot\bcd /set {3657ebe1-d4e6-11dc-88f0-ec9c0d1f1864} osdevice partition=C:

bcdedit /store S:\boot\bcd /set {3657ebe2-d4e6-11dc-88f0-ec9c0d1f1864} device partition=C:

bcdedit /store S:\boot\bcd /set {b2721d73-1db4-4c62-bf78-c548a880142d} device partition=S:

bcdedit /store S:\boot\bcd /set {466f5a88-0af2-4f76-9038-095b170dc21c} device partition=S:

bcdedit /store S:\boot\bcd /set {ae5534e0-a924-466c-b836-758539a3ee3a} device partition=S:

Note: bcdedit is kind of sensitive about the drive letter availability when it’s run. Which is why S: was used back in the diskpart stage.

In an almost perfect world, everything would now be all set to go. Too bad things aren’t even almost perfect. One further step was required to swap get the drive letter assignments correct: the registry of the restored OS needs to have its drive letter mounts tweaked BEFORE the OS boots for the first time. This step is probably the most complicated, since it's not scriptable. Basically, start up regedit. Navigate to the HKLM\SYSTEM\MountedDevices key. Make note of the binary data for the "\DosDevices\C:" and "\DosDevices\S:" values (in my case they were something like "C4 78 A4 9C 00 00 C0 5D 00 00 00 00" & "C4 78 A4 9C 00 00 10 00 00 00 00 00"). Now load System Hive from the restored OS (it's "C:\windows\system32\config\system") in regedit. Navigate to the SYSTEM\MountedDevices key in that hive. Change/create the SAME values with the SAME data that the WinPE registry had.

After rebooting the system (remember to either unplug the USB hard drive or adjust the bios settings so its no longer the preferred boot device), everything should be back to working.

Now playing: Neko Case – Middle Cyclone – 09 Magpie To The Morning

So, from April 5th through the 8th I was in San Antonio, Texas on business for the annual Ratabase conference. I’d been planning on live blogging it again like I did last year (actually, I was planning on doing it better than last year), but things didn’t quite work out that way. So, instead of the latest news on cool new things you can do with an insurance rating calculator (stop laughing!), I’ve got a cautionary tail about relying on new equipment, planning before doing things, and generally about how I do stupid stuff with technology.

Now for a bit of background. Windows Vista & 7 have this cool feature called “BitLocker”. Basically, it encrypts your hard drive so that if the computer/drive is stolen, an attacker would have to go through the OS level security mechanisms (usernames/passwords/smartcards/ACL’s). The attacker wouldn’t be able to circumvent the OS mechanisms by, say, editing the password store to give change the passwords. Or they could go after the EFS keys and just decrypt files that you had encrypted explicitly so that other people wouldn’t be able to read them!

One “mode” of Bitlocker relies on this cool hardware device called a TPM (trusted platform module). The TPM is involved in the key management/access process, and basically serves to ensure that the entire system, starting from the beginning of the boot process, is “trusted”. After all, you wouldn’t want some nefarious person coming in, booting to a different environment that can impersonate the BitLocker process, and then unlocking/decrypting the BitLocker volume and thus bypassing all the security it was supposed to offer. If the TPM/BitLocker (not sure which actually does the checks) detects that the system is under attack (for example, the order of the devices that the system boots from has changed), the system will require that a 56 digit recovery key be entered. Assuming you created a recovery key initially…but everyone does that & keeps that key safe, right?

A week before I was to head to San Antonio, my new Tablet PC (a Lenovo X200T) arrived. Incidentally, it’s a very nice system…fast, light, long battery life, lots of accessories (I bought most of the options…X-Base so I have an optical drive, webcam, fingerprint reader, WiMAX, HSDPA/UMTS, GPS, etc.). And it has a TPM v1.2. Which was cool, because it meant I could use BitLocker!

So I put Windows 7 (beta) on the system, enabled BitLocker, created the recovery key, and used the system successfully for a week. One time while rebooting the system I had to enter the recovery key, which I thought was kind of funny at the time, but didn’t really worry that much about it. So along came Sunday morning, it’s 5:00AM and I need to head out to the airport, so I hibernate my tablet and pull it out of the docking station (X Base). Figured I wouldn’t need the optical drive, and certainly wouldn’t need the extra weight. Thought about putting the recovery key on a flash drive or the external hard drive I was taking, but then thought “nah, I wouldn’t need that”. Besides, the key would be a lot more exposed to compromise if I had it with me and, say, my flash drive got lost/stolen.

Remember how I said the boot order mattered to the TPM? And remember how 1) I installed the OS shortly before this (from a DVD), & 2) how I wasn’t taking the X-Base with the DVD drive with me? And how I ignored the fact that when I’d last attached the X-Base I had to enter the recovery key? And how I wasn’t taking the recovery key with me? (this is where it should become apparent to most people that I am, in fact, an idiot.)

Of course I got all the way to the airport, through security, and was sitting at the gate with 30 minutes until boarding started when I went to use my tablet. And of course it saw that the DVD drive was no longer present and began going “oh noes! I’m under attack!”. Which then caused me to first realize exactly what mistakes I’d made, then freak out (it’s amazing what sorts of brief, complete clarity you can have when a situation goes to crap).

Part of the freak out was calling up a trusted friend and giving him all the details of connecting back to my network via VPN (including user names and passwords). I figured “okay, get connected to the internal network, then the administrator account can be used to login to the online CA and security server to retrieve the recovery key”. Yes, it was a moment of weakness and complete stupidity. Fortunately, years ago when I got the VPN stuff working, I had the foresight to use L2TP and require certificates to connect in addition to passwords. So no VPN connection could be established, giving the passwords did absolutely no good (but no harm either), and the recovery key couldn’t be retrieved. Hurray for defense-in-depth.

I was not totally without my tablet during the trip though. Remember how I brought an external hard drive with me? Well, that drive is the bootable one that I use to make OS recovery images. And I’d used it just a week before to backup the Lenovo factory default config. So I spent the flight down to Texas doing restores until I got the system working again.

Here are some pictures from the trip (more (and higher res ones) can be found on my Windows Live Photos album for the trip):

Westin La Cantera Resort gulf course outbuilding

San Antonio, TX Riverwalk. There’s a boat ride around it that’s kind of cool too (+). Lots of people (-). On the whole, it was a cool area, and made for a good change of pace from the conference.

The Alamo (of course!).

Now playing: Greg Laswell – Three Flights From Alto Nido – 04 Comes & Goes (In Waves)

There have been entirely too few random bits posted here lately, so here's an IM conversation from yesterday...

Jeffrey says (05:34):
you're up kind of late...
Jeffrey says (05:35):
unless your computers are LIEING
Matt says (13:31):
or up early
but more likely is that my computer is full of lies
Matt says (14:10):
but you
are idle
remember Jeffrey...
idle messenger clients are the Devil's beowulf cluster
Matt says (14:11):
Now the devil has a better SETI@home score than Jesus, are you happy now Jeffrey?

Now playing: Stars – In Our Bedroom After the War – 10 Bitches in Tokyo

US Airways flight 1549 (the one that had the forced landing on the Hudson River back in January):
http://feedproxy.google.com/~r/typepad/ZSjz/~3/SSL89J3Le2M/mallons-salvage-pictures-back-online.html

Opting out of online advertising cookies & their tracking behaviours:
http://feedproxy.google.com/~r/typepad/sethsmainblog/~3/4mvAgzlGUaI/how-to-opt-out-of-cookie-sniffing-and-trading.html
(not sure I entirely believe that opting out would really do anything)

Doctor Who humour:
http://roflrazzi.com/2009/01/08/celebrity-pictures-tennant-pop-up/

Exception Driven Development (I actually added something along these lines to the app at work that I used to work on…it was quite enlightening to be notified about the crashes/errors and see 1) how alike your users think, & 2) how different that is from what you thought they’d think and the assumptions you implicitly made when building the software)
http://www.codinghorror.com/blog/archives/001239.html

Now playing: Holy F*ck – Holy F*ck EP – 04 Lovely Allen

http://www.wordplace.com/ap/index.shtml

http://www.qwantz.com/fanart/timetravelling.jpg

http://blogs.msdn.com/michkap/archive/2009/04/08/9537233.aspx

We need more Engineers

And lastly, for anyone that reads the blog just via the RSS feed and never visits the sites, my pictures are now hosted via Windows Live Photos. We’ll see how well that works out in the long run… URL is http://cid-348cb3ddffbdf313.photos.live.com/

Now playing: Emm Gryner — Get Brave

DasBlog 2.3 is out! Upgrading took longer than it should have...probably because I did a bad job of separating the application from my SharePoint migration customizations last year. But that’s been fixed, and upgrading from my custom build of 2.1+ to 2.3 went pretty smoothly.

In case I accidentally delete the files I saved these changes off into (again), here are my customizations:

• ~/web.config (I actually just copied & reused my existing web.config file, but this is the big change*):

  <system.webServer>
    ...
    <security>
      <requestFiltering>
        <hiddenSegments applyToWebDAV="true">
          <add segment="siteConfig" />
        </hiddenSegments>
      </requestFiltering>
    </security>
    ...
  </system.webServer>

• ~/siteConfig/site.config (these are in addition to the regular ones that have to be performed, like site title, notification address, root url, etc.):

  <!-- CUSTOMIZATIONS: -->
    <DisplayTimeZoneIndex>90</DisplayTimeZoneIndex>
    <AdjustDisplayTimeZone>false</AdjustDisplayTimeZone>
    <ContentDir>~/App_Data/content/</ContentDir>
    <LogDir>~/App_Data/logs/</LogDir>
    <BinariesDir>~/attachments/</BinariesDir>
    <ProfilesDir>~/App_Data/profiles/</ProfilesDir>
    <SmtpServer>localhost</SmtpServer>
    <EnableSmtpAuthentication>false</EnableSmtpAuthentication>
    <CommentsRequireApproval>true</CommentsRequireApproval>
  <!-- END OF CUSTOMIZATIONS—>

Other customizations:

• Backup from old installation and restore to new install:
  • ~/siteConfig/blogroll.opml
  • ~/siteConfig/navigatorLinks.xml
  • ~/siteConfig/siteSecurity.config
  • ~/App_Data
  • ~/attachments
• Change ACL on ~/siteConfig to grant NETWORK SERVICE modify access (ACL's on App_Data and attachments should be retained when backed up & restored; if not, grant this access to those directories too)

* I run dasBlog on IIS7, so my web.config file is actually quite a bit different than the one that ships with dasBlog. But those differences (other than the one highlighted above) were created by migrating the existing config file.

Now playing: Emm Gryner – Goddess – 07 Match

So...I switched over from SharePoint to dasBlog as the blog engine on the site. This means that the RSS feed URL has changed. The old ones should all still work, courtesy of the magic of 301 redirects, but still, everyone likes to be up-to-date, right?

The new URL for the main site feed is: http://www.ntldr.com/SyndicationService.asmx/GetRss

Now Playing: Lightning Dust – Lightning Dust – 01 Listened On

In response to this post, yes, you actually can "run" PowerShell on Windows 2000. No, there is no out of the box way for it to run. No, it's not supported in the slightest. I'm not even sure it's technically legal (haven't read that Windows EULA in a long time). And even when it is running, there are likely to be things that don't work.

That said, here's how to get Windows PowerShell v1.0 to run on Windows 2000.

What you will need

• A computer running Windows XP
• KB926139 for Windows XP
• A hex/binary editor (like Visual Studio (or something simpler))
• .NET Framework 2.0
• .NET Framework 2.0 SDK

Creating the installer (on Windows XP)

1. Install the .NET Framework 2.0 SDK. You'll need a specific tool from it, and it's easier to just install the SDK and grab the tool than it is to try and extract it somehow.
2. Extract KB926139 (run 'WindowsXP-KB926139-v2-x86-ENU.exe /extract').
3. Make a copy of the 'powershell.exe' file that was extracted from KB926139. Now break out your hex editor, a copy of the Portable Executable Format Spec, and modify the header so the Windows 2000 loader will actually run the image. Or just use your hex editor to modify the byte beginning at offset 0x00000132 in 'powershell.exe' so it is 0x00 instead of 0x01 (Windows 2000 is version 05.00, not 05.01).
4. Read the 'update\update.inf' file extracted from KB926139. This plain text file contains the instructions on how to install PowerShell on Windows XP, so all that's needed is for them to be duplicated on Windows 2000 (batch/reg files? windows scripting host? whatever you want!).
5. 'PSCustomSetupUtil.exe /install' doesn't seem to actually work on Windows 2000. So use a combination of 'InstallUtil.exe' from the .NET Framework and 'GacUtil.exe' from the .NET Framework SDK (this tool is the entire reason the .NET Framework SDK is needed).

Installation (on Windows 2000)

1. Install the .NET Framework 2.0
2. Follow the instructions in update.inf from the extracted KB926139 to install.
3. Remember to substitute 'installutil.exe' and 'gacutil.exe' for usages of 'pscustomsetuputil.exe /install'.
4. Replace the official version of powershell.exe with the one containing a modified header.
5. Maybe create a shortcut and define console window appearance settings.

For the lazy: all scripted up

I've gone ahead and deciphered the update.inf file, so if you're feeling lazy, just download this file and follow these instructions. Note that the included scripts assume that Windows is installed in C:\WINNT. If it's elsewhere, you'll have to modify all the scripts & registry files.

1. Unzip the 'install package.zip' file you just downloaded.
2. Get 'gacutil.exe' and 'gacutil.exe.config' from the .NET Framework SDK. Place them in the NETFXSDK subdirectory of the unzipped install package.
3. Get KB926139 and extract it to the KB926139 subdirectory of the unzipped install package.
4. Copy 'powershell.exe' from the KB926139 subdirectory into the bin directory. Modify it as in step 3 of "Creating the installer".
5. Take the whole install package structure, now with the PowerShell binaries/installer tools, to a Windows 2000 system and run the 'System Setup.cmd' batch file.
6. (optional) Run the 'User Setup.js' script to configure the PowerShell window's default settings to match whatever I had on whatever system I was on when I figured all this out (most useful because it enables tab completion, which isn't on by default in 2k, unlike in XP and later).

Now Playing: Basia Bulat – Oh, My Darling – 07 In the Night