Windows Server 2003 requires a second reboot to accept RDP connections, after installing patches

This is a problem that has been around for a very long time, but doesn’t affect every W2K3 server, and is not guaranteed to affect the same ones every time… it’s come onto my radar again today so I thought it worth covering it…

The scenario is this:
On a Windows Server 2003 server you install patches (or possibly add a component or 3rd party product requiring a restart) and then reboot the server.
The server has no apparent problems restarting, but it is not reachable by RDP - the server simply doesn’t respond and the connection times out.
You reboot the server again, and Remote Desktop is working again.

This most typically gets reported shortly after Patch Tuesday, when a security update requiring a restart is applied to hundreds of thousands of servers worldwide, and a fraction of them experience this weird issue.

The cause is a timing issue, where the Terminal Services service (TermSrv) manages to get started before the TermDD.sys driver is loaded, so the service has nothing at the network layer to bind to and is cut off from all network interfaces.

The timing issue comes from the post-reboot actions from the installation of the software, which is why subsequent restarts do not have the problem.

There is a simple workaround, requiring a minor registry edit under the key HKLM\SYSTEM\CurrentControlSet\Services\TermService - the value to edit is the REG_MULTI_SZ named DependOnService.
To this value you need to add the entry termdd - this will then synchronize the startup of the Terminal Services service with the loading of TermDD.sys.
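
The registry edit described above, as an added example (not part of the original post): a PowerShell function, run from an admin workstation, that appends termdd to DependOnService on a list of servers without overwriting the existing entries. It assumes the Remote Registry service is reachable and that you are an administrator on each target; the function name, the -ReportOnly switch and the server names are made up for illustration.

```powershell
# Added example: make TermService depend on termdd on one or more servers.
# Assumption: Remote Registry is running on each target and the caller is an admin there.
function Add-TermDDDependency {
    param(
        [Parameter(Mandatory = $true)][string[]]$ComputerName,
        [switch]$ReportOnly   # hypothetical switch: show what would change, write nothing
    )
    $subKey = 'SYSTEM\CurrentControlSet\Services\TermService'
    foreach ($computer in $ComputerName) {
        $hklm = $null; $key = $null
        try {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $computer)
            $key = $hklm.OpenSubKey($subKey, $true)   # $true = open writable
            if ($key -eq $null) { throw 'TermService key not found' }

            # Read the current REG_MULTI_SZ; a missing value is treated as an empty list.
            $current = @($key.GetValue('DependOnService', @()))
            if ($current -contains 'termdd') {        # -contains ignores case
                Write-Output "${computer}: termdd already listed ($($current -join ', '))"
                continue
            }
            # Append rather than replace, so existing dependencies are preserved.
            $updated = [string[]]($current + 'termdd')
            if (-not $ReportOnly) {
                $key.SetValue('DependOnService', $updated,
                    [Microsoft.Win32.RegistryValueKind]::MultiString)
            }
            Write-Output "${computer}: DependOnService -> $($updated -join ', ')"
        }
        catch {
            Write-Warning "${computer}: $($_.Exception.Message)"
        }
        finally {
            if ($key)  { $key.Close() }
            if ($hklm) { $hklm.Close() }
        }
    }
}

# Report first, then rerun without -ReportOnly (server names are constructed placeholders).
Add-TermDDDependency -ComputerName 'W2K3-APP01', 'W2K3-APP02' -ReportOnly
```

The new dependency applies from the next restart of the server, so it is best added before the patch run rather than after it.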

I didn’t think I would be writing blog entries on W2K3 in 2013, but seeing as it’s still got a couple of years’ worth of security updates left and there are many installations still out there, I guess it’s worth it! :)

Windows XP extended support phase - 1 year left

From 8th April 2014 Windows XP will no longer get updates, including security ones.

Microsoft Product Lifecycle

Running “Star Wars - The Old Republic” (SWTOR) as a standard user on Windows 8

I recently upgraded my home PC with a new SSD disk and installed Windows 8 on it, then went through the process of installing my games to the 1TB SATA drive to avoid using up gigabytes of precious space on the fast drive.

I run as a standard user on my machine, providing alternative admin credentials when I trigger an OTS prompt, so installation of software will typically require me to authenticate the administrative action, as expected.

However, once the product is installed it should be possible (in most cases) to run it as a standard user - but SWTOR’s Launcher.exe triggers the OTS prompt every time as it has been coded to require administrative privileges.

Checking the folder to which SWTOR was installed, Everyone was already granted full access, so it seemed unlikely that it really did require this level of privilege (and I hate running programs as admin if I can avoid it, why take the risk?).

So I downloaded the Windows Assessment and Deployment Kit (ADK) for Windows 8 and installed the Application Compatibility Toolkit (ACT) and Microsoft SQL Server 2012 Express components to create a shim for Launcher.exe.

The process of creating a shim database is quite straightforward:

  1. Launch Compatibility Administrator (32-bit) with admin credentials
  2. With the new database selected in the left pane, click Fix in the toolbar to start the application fix creation wizard
  3. The first field is the display name that will appear for this shim in “Add or remove programs”, so “SWTOR Shim” or something similar would be appropriate
  4. The third field is the path to Launcher.exe, then Next is hit twice (we skip past the compatibility mode stage)
  5. Clear all the compatibility fixes except for “Force Admin Access”, then click Next again
  6. Clear all the matching information fields except for “File Description” (which is “SWTOR Launcher” so has no chance of a false positive yet is flexible enough to continue working if a patch updates the other fields)
  7. Save the database with a meaningful name (e.g. “swtor-shim.sdb”)
  8. The shim can now be installed on any machine with the following command from an elevated command prompt:
    sdbinst.exe swtor-shim.sdb

Now launching the game when logged on as a standard user works without any prompt, and it works as normal.

The same principle can be used for other problematic games, so long as they do not actually require administrative privileges and the permissions on their folders allow at least Authenticated Users or Everyone write access.

It does not grant any extra rights to standard users, and if the game uses the user profile to store data then per-user settings may need to be reapplied (or copied between the profiles).

If the game triggers an automatic patch process that installs an MSI package, then this will still trigger an OTS prompt.

The fewer processes running elevated, and the fewer privileges held by logged-on users, the better (and safer).

Internet Printing on Windows Server 2008 R2 - sorting the list by printer name

In the Internet Printing feature of Windows Server 2008 R2 the list of printers returned by the query sent to the Print Spooler service is not sorted, so it is displayed in “natural” order.

To sort the list on any field is quite trivial, but requires editing of the following file (taking ownership & granting write permission is required):
%windir%\Web\Printers\ipp_0001.asp

Rather than reinvent the wheel, this page has details on what changes need to be made to sort the list using the location field, and minimal modifications are needed for it to sort the list using the name field…

The first thing to note is the first step is missing from that page, and it is vital as it is how the sortArray() function can be called.

The reference to my.inc needs to be added to ipp_0001.asp, so this line needs to be added:
<!-- #include file = "ipp_0001.inc" -->

The best place to put this line is probably directly after this line:
<!-- #include file = "ipp_util.inc" -->

The last instruction provided makes a call to arraySort() but requests that the collection be sorted by location (field 2), so we need to change this to be name (field 1):
rgADSIGetPrinters = arraySort(rgPrinters, 1, "a")

After testing these changes in my lab environment, I found that the collection indexing changes after the sort, so a third alteration is needed in the GenTableBody() function in ipp_0001.asp - the first For loop needs to work backwards from UBound(rgPrinters)-1 to 0, or the first printer will not be found and the row left blank.

The line should read as follows:
For i = ubound(rgPrinters, 2)-1 To 0 Step -1

I did very little testing with these changes implemented, but the page now renders with the list sorted by printer name even if printers are added or removed, or if the Print Spooler service is restarted.

Those with VBScript/ASP skills can also customize the page further as needed - just make sure you back up any files first.

An enterprise hotfix rollup is available for Windows 7 SP1 and Windows Server 2008 R2 SP1

Microsoft may not have plans for a second service pack for Windows 7 / Server 2008 R2, but there is a quietly-released hotfix rollup package available for these products at the SP1 level:
http://support.microsoft.com/kb/2775511

Unlike regular LDR packages, it is not downloaded directly from the KB article on support.microsoft.com, but instead through catalog.update.microsoft.com:
http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2775511

This has the beneficial side effect that it can be imported into WSUS for distribution on a controlled & wider scale in enterprises, and it contains 90 public hotfix packages rolled into this one update.

I strongly recommend that those deploying new Windows 7 SP1 / Server 2008 R2 SP1 machines consider testing this package before putting it into their base sysprep’d deployment image and/or importing it into WSUS and approving it.

Are you suggesting coconuts migrate?

During my time at Microsoft I created and maintained a TechNet blog:
http://blogs.technet.com/b/mrsnrub/

As of 2013-04-04 I am no longer a Microsoft employee, so I can no longer keep that blog updated.
It has a few entries which have many references both public and internal at Microsoft, so it will not be deleted, just made read-only.

So this is my personally-run blog, which I shall use if I have any potentially useful updates to share (my new job outside of Microsoft is still directly related to Windows, only not exclusively and now as a customer/user):
http://blog.adams-family.me.uk/

(“Are you suggesting coconuts migrate?” is homage to Monty Python and the Holy Grail.)