Latest Publications

Configuration Manager 2007 – Object Naming Standards.

Posted in 13th June 2010 ¬ 1:45 pmh.ToneNo Comments »

Package

Name The name of the package, up to 50 characters. This entry is required.
Version The version of the package, up to 32 characters. This entry is optional.
Publisher The publisher of the package, up to 32 characters. This entry is required.
Language The language version of the package, up to 32 characters. This entry is required.
Comment An optional comment about the package, up to 127 characters.

Program

Name The name of the program, up to 50 characters. This entry must be unique within a package and is used when defining advertisements. This entry is required.
Comment An optional comment about the program, up to 127 characters.
CommandLine Specifies the command line for the program, up to 127 characters. This entry is required.
StartIn The working folder for the program, up to 127 characters. This entry is optional.
AdditionalProgramRequirements Optional text that can include any other information or requirements for client computers, up to 127 characters.

Advertisements

Name Specifies the name of the advertisement, up to 100 characters. This field is required.
Comment Specifies optional text about the advertisement, such as a description. You can use up to 127 characters.

Collections

Name Specifies the name of the collection, up to a total of 127 characters. This field is required and must be unique within the Collections node.
Comment An optional comment about the package, up to 127 characters

Folders

Valid folder names are up to 127 characters and must not contain any of the following characters / | \ : * ” < >

Microsoft System Center Configuration Manager 2007, SCCM

SCCM ACT Connector error -2146232060 (ACT 5.5)

Posted in 29th March 2010 ¬ 10:11 amh.Tone3 Comments »

You see error -2146232060 when attempting to configure your ACT database using the following steps:

  1. In the Configuration Manager console, navigate to
    System Center Configuration Manager / Site Database / Computer Management / Application Compatibility Toolkit Connector/ Application Compatibility Toolkit Server
  2. To open the properties of the ACT server right-click the ACT server in the results pane and select Properties. Alternatively you can select Configure ACT Server in the Actions pane or click the Actions menu and select Configure ACT Server.
  3. To specify the Microsoft SQL server that contains the ACT database type the name of the server and click the Connect button. Alternatively, you can click the drop down and select Browse for more to open the Select Server dialog box. Select the server you want to use and click OK.
  4. Specify the ACT Database to connect to using the drop down and selecting the database.
  5. To close the ACT Configuration properties dialog box, click OK.
configure act server properties

configure act server properties

At this point you receive the following error:

Check Connection

Cannot connect to COMPUTERNAME.

[-2146232060] Windows NT user or group ‘DOMAIN\ COMPUTERNAME$’ not found. Check the name again.

‘DOMAIN\ COMPUTERNAME $’ is not a valid login or you do not have permission.

check connection -2146232060

check connection -2146232060

Microsoft will not be releasing a fix but the following modified script can be used to configure ACT connector to work with ACT 5.5 install, just change XXXX in the script as per the comments.

Server = "XXXXXX"    '<- Name of ConfigMgr server where ACT Connector is installed
SiteCode = "XXX"    '<- Three letter side code of ConfigMgr server where ACT Connector is installed
ActServer = "XXXXXX"    '<- Name of SQL server where ACT is installed
ActDatabase = "XXXX"    '<- Name of ACT database on SQL server (set during ACT install)
MachineAcct = ""    '<- Machine Account (Optional parameter)!  If the ACT is installed on different
'   server than the ACT Connector, then provide the machine account name the ACTC
'    provider runs under (domain\machineaccount$) where the machine account name is
'    the ConfigMgr server where the ACT Connector is installed.

Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & Server & "\root\sms\site_" & SiteCode)
Set wbemObjectSet = objWMIService.InstancesOf("SMS_ActConfig")

'domain\smsserver$
If LCase(Server) = LCase(ActServer) Then
MachineAcct = ""
End If

For Each wbemObject In wbemObjectSet
wbemObject.Server = ActServer
wbemObject.Database = ActDatabase
wbemObject.Put_
If MachineAcct = "" Then
wbemObject.AddLinkedServer ActServer, ActDatabase
Else
wbemObject.AddLinkedServer ActServer, ActDatabase, MachineAcct
End If
Next

If Err.Number = 0 Then
msgbox "Success"
Else
msgbox "Failure " & Err.Number
End If

The original script can be found here Support for ACT 5.5 with the ACT Connector

Application Compatibility Toolkit, SCCM,

Creating Vista, Windows 7, Server 2008 Collections for SCCM SP2 using VBScript.

Posted in 22nd January 2010 ¬ 2:02 pmh.Tone14 Comments »

Service Pack 2 for Configuration Manager 2007 delivers new platform support for Windows 7, Windows Vista SP2, Windows Server 2008 R2 and Windows Server 2008 SP2.

After installing SP2 you will need to create collections for Windows 7, Server 2008 R2 and possibly Windows Vista and Server 2008 if you have not already done so, I used the following script to create 4 new collections:

Click View Source to view\copy script

The script does not check for existing collections and I have only used it in a test environment so use at your own risk.

' Modified CreateDynamicCollection script from SCCM SDK.
' winDeploy 2009
Set swbemLocator=CreateObject("WbemScripting.SWbemLocator")
Set swbemconnection=swbemLocator.ConnectServer(".", "root\sms")
Set providerLoc=swbemconnection.InstancesOf("SMS_ProviderLocation")

For Each Location In providerLoc
    If location.ProviderForLocalSite = True Then
        Set swbemconnection = swbemLocator.ConnectServer(Location.Machine, "root\sms\site_" + Location.SiteCode)
        Exit For
    End If
Next

Call CreateCollection(swbemconnection, "All Windows Vista Systems", "select sms_r_system.ResourceID,sms_r_system.ResourceType,sms_r_system.Name,sms_r_system.SMSUniqueIdentifier,sms_r_system.ResourceDomainORWorkgroup,sms_r_system.Client from sms_r_system where OperatingSystemNameandVersion like '%Workstation 6.0%'")
Call CreateCollection(swbemconnection, "All Windows 7 Systems", "select sms_r_system.ResourceID,sms_r_system.ResourceType,sms_r_system.Name,sms_r_system.SMSUniqueIdentifier,sms_r_system.ResourceDomainORWorkgroup,sms_r_system.Client from sms_r_system where OperatingSystemNameandVersion like '%Workstation 6.1%'")
Call CreateCollection(swbemconnection, "All Windows Server 2008 Systems", "select sms_r_system.ResourceID,sms_r_system.ResourceType,sms_r_system.Name,sms_r_system.SMSUniqueIdentifier,sms_r_system.ResourceDomainORWorkgroup,sms_r_system.Client from sms_r_system where OperatingSystemNameandVersion like '%Server 6.0%'")
Call CreateCollection(swbemconnection, "All Windows Server 2008 R2 Systems", "select sms_r_system.ResourceID,sms_r_system.ResourceType,sms_r_system.Name,sms_r_system.SMSUniqueIdentifier,sms_r_system.ResourceDomainORWorkgroup,sms_r_system.Client from sms_r_system where OperatingSystemNameandVersion like '%Server 6.1%'")

Sub CreateCollection(connection, newName, queryForRule)
	'Update this collection on a schedule.
	Set Token = swbemconnection.Get("Sms_St_RecurInterval")
	Token.DaySpan = 1 'Use Token.HourSpan = 1 or for Token.MinuteSpan = 30 for test environment
	Token.StartTime = GetStartTime()

    ' Create the collection.
    Set newCollection = connection.Get("SMS_Collection").SpawnInstance_
    newCollection.Name = newName
	newCollection.Comment = newName + "."
    newCollection.OwnedByThisSite = true
	newCollection.RefreshSchedule = Array(Token)
	newCollection.RefreshType = 2

    ' Save the new collection and save the collection path for later.
    Set collectionPath = newCollection.Put_    

   ' IMPORTANT: If you do not specify the relationship, the new collection will not be visible in the console.
    Set newSubCollectToSubCollect = connection.Get("SMS_CollectToSubCollect").SpawnInstance_
    newSubCollectToSubCollect.parentCollectionID = "COLLROOT" ' Define to what collection the new collection is subordinate.
    newSubCollectToSubCollect.subCollectionID = CStr(collectionPath.Keys("CollectionID"))
    newSubCollectToSubCollect.Put_  ' Save the subcollection information.

    ' Create a new collection rule object for validation.
    Set queryRule = connection.Get("SMS_CollectionRuleQuery")
    validQuery = queryRule.ValidateQuery(queryForRule)   ' Validate the query (good practice before adding it to the collection). 

    ' Continue with processing, if the query is valid.
    If validQuery Then
        ' Create the query rule.
        Set newQueryRule = QueryRule.SpawnInstance_
        newQueryRule.QueryExpression = queryForRule
        newQueryRule.RuleName = newName + "." 

        ' Add the new query rule to a variable.
        Set newCollectionRule = newQueryRule

        ' Get the collection.
        Set newCollection = connection.Get(collectionPath.RelPath)
        newCollection.AddMembershipRule newCollectionRule ' Add the rules to the collection.
        newCollection.RequestRefresh False ' Call RequestRefresh to initiate the collection evaluator.
	  Else
	    MsgBox("Invalid Query: " + queryForRule)
     End If
End Sub

Function GetStartTime()
  Set objSWbemServices = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
  Set colTimeZone = objSWbemServices.ExecQuery ("SELECT * FROM Win32_TimeZone")

  For Each objTimeZone in colTimeZone
   strBias = objTimeZone.Bias
  Next

  dtmCurrentDate = Date
  GetStartTime = Year(dtmCurrentDate)

  dtmMonth = Month(dtmCurrentDate)
  If Len(dtmMonth) = 1 Then
   dtmMonth = "0" & dtmMonth
  End If

  GetStartTime = GetStartTime & dtmMonth

  dtmDay = Day(dtmCurrentDate)
  If Len(dtmDay) = 1 Then
   dtmDay = "0" & dtmDay
  End If

  If Len(Hour(Now())) = 1 Then
   Hours = "0" & Hour(Now())
  Else
   Hours = Hour(Now())
  End If

  If Len(Minute(Now())) = 1 Then
   Minutes = "0" & Minute(Now())
  Else
   Minutes = Minute(Now())
  End If

  GetStartTime = GetStartTime & dtmDay & Hours & Minutes & "00.00000"
  GetStartTime = GetStartTime & Cstr(strBias)
  GetStartTime = GetStartTime & "+***"
End Function
Microsoft System Center Configuration Manager 2007, SCCM, , ,

BlueScreenView – Minidump viewer

Posted in 22nd December 2009 ¬ 2:10 pmh.ToneNo Comments »

Had a blue screen of death and wondered which driver caused the error before you had chance to write down the stop code and parameters?

Normally I would load up the dump file in the Debugging Tools for Windows to find the culprit until I found this great utility by NirSoft called BlueScreenView.

It scans your minidump files and displays the time of the crash, the basic crash information and the details of the driver that caused the crash.

Download BlueScreenView

bluescreenview-xp-style

bluescreenview-all-drivers

Utilities, Windows

Extracting Hyper-V R2 Drivers

Posted in 28th October 2009 ¬ 1:43 amh.Tone2 Comments »

Logon on to a virtual Machine and insert integration service setup disk.
If you do not have a virtual machine up and running you can mount %windir%\system32\vmguest.iso

Extract the drivers by performing an admin install on the msi packages.

msiexec /a d:\support\amd64\Windows5.x-HyperVIntegrationServices-x64.msi TARGETDIR=C:\AIPx64
msiexec /a d:\support\x86\Windows5.x-HyperVIntegrationServices-x86.msi TARGETDIR=C:\AIPx86

rename C:\AIPx64\Hyper-V Integration Services C:\AIPx86\ Hyper-V_x64
rename C:\AIPx86\Hyper-V Integration Services C:\AIPx86\Hyper-V_x86

Copy Hyper-V_x64 and Hyper-V_x64 to your driver folder and you should end up with the following drivers and folder structure:

Hyper-V drivers directory

Hyper-V drivers directory

Disk Virtual Machine Bus Acceleration Filter Driver
Hyper-V Heartbeat
Microsoft Emulated S3 Device Cap
Microsoft Virtual Machine Bus Input Device Miniport
Microsoft Virtual Machine Bus Network Adapter Net
Microsoft Virtual Machine Bus Video Device
Storage miniport driver SCSI Adapter
Virtual Machine Bus

Hyper-V,

Server 2008 R2 XP SP3 Remote Desktop Disconnected

Posted in 7th October 2009 ¬ 1:48 pmh.ToneNo Comments »

Network Level Authentication is an authentication method that can be used to enhance Remote Desktop Services Session Host server security by requiring that the user be authenticated to the RD Session Host server before a session is created.

Remote Desktop Connection

Remote Desktop Connection

Network Level Authentication completes user authentication before you establish a remote desktop connection and the logon screen appears. This is a more secure authentication method that can help protect the remote computer from malicious users and malicious software.

Network Level Authentication will disconnect XP SP3 Remote Desktop Connection with the following error message

The remote computer requires Network Level Authentication, which your computer does not support.For assistance, contact your administrator to technical support.

Remote Desktop Disconnected

Remote Desktop Disconnected

To enable Network Level Authentication on a XP SP3 client some registry settings must added which can be found in KB951608

The registry settings were tested using the Registration Entries (.reg) file below.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
6e,00,65,00,6c,00,00,00,77,00,64,00,69,00,67,00,65,00,73,00,74,00,00,00,74,\
00,73,00,70,00,6b,00,67,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"="credssp.dll"

So after adding the registry settings and rebooting the workstation the following error message may appear if you connect to the Remote Desktop Services Session Host using an IP address, the error should not appear if you use the hostname of the remote computer.

An authentication error has occurred (0×80090303)

Remote Computer: 172.16.0.100

Remote Desktop Connection 0x80090303

Remote Desktop Connection 0x80090303

To fix this you need to download and install KB953760 which updates the following files

File name File version File size Date Time Platform
Kerberos.dll 5.1.2600.5615 299,520 05-Jun-2008 13:50 x86
Msv1_0.dll 5.1.2600.5749 133,120 23-Jan-2009 17:05 x86

Once WindowsXP-KB953760-x86-ENU has been installed and files updated you can access the Remote Desktop Services session using an IP address.

Remote Desktop Services, Server 2008 R2, Windows, XP SP3, , ,

Internal Consistency Evaluators (ICE) Reference

Posted in 24th September 2009 ¬ 5:09 amh.ToneNo Comments »

Internal Consistency Evaluators

Internal consistency evaluators also called ICE’s are custom actions written in VBScript, JScript or as a DLL or EXE. When these custom actions are executed, they scan the database for entries in database records that are valid when examined individually but that may cause incorrect behavior in the context of the whole database.

On basic level ICE01 to 105 are a set of predefined rules created by Microsoft to confirm the contents, logic and structure of Windows Installer package (MSI).

The table below also includes the recent additions ICE101 to ICE105 which were introduced with Windows Installer 5.0

ICE Reference Table

ICE Description
ICE01 Simple test of ICE mechanism.
ICE02 Circular reference test for File-Component, Registry-Component KeyPaths.
ICE03 Basic data and foreign key validation.
ICE04 Validates file sequence numbers against the LastSequence numbers of the Media Table.
ICE05 Validates for “required” entries in particular tables.
ICE06 Validates for missing column or tables in the database. Any column defined in the _Validation table must be found in the database.
ICE07 Validates that fonts are installed to the FontsFolder.
ICE08 Checks for duplicate GUIDs in the ComponentId column of the Component table.
ICE09 Validates that the permanent bit is set for every component marked for installation into the SystemFolder.
ICE10 Ensures that advertise feature states among children and parents are compatible.
ICE12 Validates type 35 and type 51 custom actions and their locations in the sequence tables.
ICE13 Validates that dialogs are not listed as actions in the execute sequence tables. Dialog actions are only allowed in the user interface sequence tables.
ICE14 Validates that feature parents do not have the msidbFeatureAttributesFollowParent bit set. Also validates that the entries in the Feature and Feature_Parent columns are not the same in the same record.
ICE15 Validates that a circular reference exists between every entry in the MIME table and the corresponding extension in the Extension table.
ICE16 Validates that the ProductName in the Property table is not greater than 63 characters in length.
ICE17 Validates control type dependencies in the Control table. Covers PushButtons, RadioButtonGroups, ListBoxes, ListViews, and ComboBoxes.
ICE18 Validates the KeyPath column of the Component table when it is null. In this case, the key path is a Directory.
ICE19 Validates the advertising tables: Class, TypeLib, Extension, PublishComponents, and Shortcut.
ICE20 Validates that the required dialogs are in the Dialog table.
ICE21 Validates that all components in the Component table map to a feature in the FeatureComponents table.
ICE22 Validates that the Feature_ and Component_ columns in the PublishComponent table.
ICE23 Validates the tab order of controls in all dialog boxes.
ICE24 Validates certain properties in the Property table.
ICE25 Verifies merge module dependencies and merge module exclusions.
ICE26 Validates required and prohibited actions in the sequence tables.
ICE27 Validates the organization and order of the sequence tables.
ICE28 Validates actions that must not be separated by ForceReboot.
ICE29 Validates that your stream names remain unique if truncated to the 62-character limit.
ICE30 Validates that the installation of components containing the same file never install the file more than one time in the same directory.
ICE31 Validates the text styles listed in the Text column of the control table.
ICE32 Compares the column definitions to validate that keys and foreign keys are of the same size and type.
ICE33 Checks the registry table for entries that belong in other tables.
ICE34 Validates that every group of radio buttons has a default.
ICE35 Validates that any files from a cabinet file cannot be set to run from the source.
ICE36 Validates that icons listed in the Icon table are used in the Class, ProgID, or Shortcut tables.
ICE38 Validates that components installed under the user’s profile use a registry key under HKCU as their key path.
ICE39 Validates the Summary Information stream of the database.
ICE40 Performs various miscellaneous checks.
ICE41 Validates that entries in the Extension and Class tables refer to components belonging to the referenced feature.
ICE42 Checks that Class table entries do not have .exe files set as InProc values, and that only LocalServer contexts have arguments and DefInProc values.
ICE43 Checks that non-advertised shortcuts are in components with HKCU registry keys as the key paths.
ICE44 Checks that dialog events in the ControlEvent table (NewDialog, SpawnDialog, SpawnWaitDialog) reference valid Dialogs in the Dialog table.
ICE45 Checks for reserved bits that are set.
ICE46 Checks for custom properties that only differ from defined properties by their case.
ICE47 Checks for features with more than 1600 components per feature..
ICE48 Checks for directories that are hard-coded to local paths.
ICE49 Checks for non-REG_SZ default values in the registry table.
ICE50 Checks that advertised shortcuts have correct icons and context menus.
ICE51 Checks that TTC/TTF fonts do not have titles, but that all other fonts do.
ICE52 Checks for non-public properties in the AppSearch table.
ICE53 Checks for registry entries that write private installer information or policy values.
ICE54 Checks for components using companion files as their key path file.
ICE55 Checks that LockPermission objects exist and have valid permissions.
ICE56 Validates that the directory structure of the .msi file has a single valid root.
ICE57 Validates that individual components do not mix per-machine and per-user data.
ICE58 Checks that your
Media Table does not have more than 80 rows.
ICE59 Checks that advertised shortcuts belong to components that are installed by the target feature of the shortcut.
ICE60 Checks that if a file in the
File Table is not a font and has a version, then it also has a language.
ICE61 Checks the
Upgrade Table.
ICE62 Performs extensive checks on the
IsolatedComponent Table for data that may cause unexpected behavior.
ICE63 Checks for proper sequencing of the RemoveExistingProducts action.
ICE64 Checks that new directories in the user profile are removed in roaming scenarios.
ICE65 Checks that the
Environment Table does not have invalid prefix or append values.
ICE66 Uses the tables in the database to determine which schema your database should use.
ICE67 Checks that the target of a non-advertised shortcut belongs to the same component as the shortcut itself, or that the attributes of the target component ensure that it does not change installation locations.
ICE68 Checks that all custom action types needed for an installation are valid.
ICE69 Checks that all substrings of the form [$componentkey] within a Formatted string do not cross-reference components.
ICE70 Verifies that integer values for registry entries are specified correctly.
ICE71 Verifies that the
Media Table contains an entry with DiskId equal to 1.
ICE72 Ensures that the only custom actions used in the
AdvtExecuteSequence Table are type 19, type 35, and type 51 custom actions.
ICE73 Verifies that your package does not reuse package codes or product codes of the Windows Installer SDK samples. For more information, see
Package Codes and
Product Codes.
ICE74 Verifies that the
FASTOEM property has not been authored into the
Property Table.
ICE75 Verifies that all custom action types that use an installed file as their source are sequenced after the
CostFinalize Action.
ICE76 Verifies that no files in the
BindImage Table reference SFP (WFP) catalogs.
ICE77 Verifies that in-script custom actions are sequenced after the
InstallInitialize Action and before the
InstallFinalize Action.
ICE78 Verifies that the
AdvtUISequence Table either does not exist or is empty.
ICE79 Validates references to components and features entered in the database fields using the
Condition data type.
ICE80 Validates that
Template Summary Property and
Page Count Summary Property correctly specify the presence of 64-bit components or custom action scripts.
ICE81 Validates the
MsiDigitalCertificate Table, MsiDigitalSignature Table and MsiPackageCertificate Table.
ICE82 Validates the
InstallExecuteSequence Table.
ICE83 Validates the
MsiAssembly Table.
ICE84 Checks the sequence tables to verify that required
Standard Actions are not set with conditions.
ICE85 Validates that the SourceName column of the
MoveFile Table is a valid long file name.
ICE86 Issues a warning if the package uses the
AdminUser property in database column of the
Condition type.
ICE87 Validates that the following properties have not been authored in the
Property Table.
ICE88 Validates the DirProperty column of
IniFile Table.
ICE89 Validates that the value in the Progid_Parent column in
ProgId Table is a valid foreign key into the ProgId column in ProgId table.
ICE90 Posts a warning if it finds that a shortcut’s directory has been specified as a public property.
ICE91 Posts a warning if a file, .ini file, or shortcut file is installed into a per-user profile directory that does not vary based on the
ALLUSERS property.
ICE92 Verifies that a component without a Component Id GUID is not also specified as a permanent component. Verifies that no component has both the msidbComponentAttributesPermanent and msidbComponentAttributesUninstallOnSupersedence attributes.
ICE93 Issues a warning if a custom action uses the same name as a standard action.
ICE94 Issues a warning if there are any unadvertised shortcuts pointing to an assembly file in the global assembly cache.
ICE95 Checks the
Control Table and
BBControl Table to verify that the billboard controls fit onto all the billboards.
ICE96 Verifies that the
PublishFeatures Action and the
PublishProduct Action are entered in the
AdvtExecuteSequence Table.
ICE97 Verifies that two components do not isolate a shared component to the same directory.
ICE98 Verifies the description field of the ODBCDataSource Table for an ODBC data source.
ICE99 Verifies that no property name entered in the Directory table duplicates a name reserved for the public or private use of the Windows Installer.
ICE100 Checks the authoring of the MsiEmbeddedUI and MsiEmbeddedChainer tables.
ICE101 Checks that no value in the Feature column of the Feature table exceeds a maximum length of 38 characters.
ICE102 Validates the MsiServiceConfig and MsiServiceConfigFailureActions tables.
ICE103 Validates the MsiPrint and MsiLaunchApp control events.
ICE104 Verifies the MsiLockPermissionsEx and LockPermissions tables.
ICE105 Validates that the package has been authored to be installed in a per-user context.

MSDN – Package Validation

Windows Installer, ,

Creating an Internal Consistency Evaluator

Posted in 23rd September 2009 ¬ 11:03 pmh.ToneNo Comments »

Example of Creating an Internal Consistency Evaluator (ICE) using Orca

Whilst the ICE list is pretty comprehensive there will be a point where you need to validate information that is not covered by the standard ICE unit tests, to do this you will need to add your own Internal Consistency Evaluator.

Here is an example of creating a vbscript Internal Consistency Evaluator wdICE01 to check that no hard coded paths (c :\) have been entered into the Registry table, wdICE01.vbs will be used to populate necessary tables in darice.cub

1.       Append the .ibd file extension to your vbscript                  example: wdICE01.vbs.ibd

2.       Using Orca, Open C:\Program Files\orca\darice.cub

3.       Select Binary table and add new row (CTRL & R).

Binary Table add new row

Binary Table add new row

Enter Name of VBScript in name field.

Enter the path to the location of ibd file into the Data field (or Browse…) and click OK to add new row.

4.       Select CustomAction table and add new row

Custom Action table add new row

Custom Action table add new row

Enter ICE name into Action field

Enter Type into Type field (see table below)

Enter VBScript into Source field

Enter ICE name into Target field and click OK to add new row.

5.       Select _ICESequence table and add new row

_ICESequence table add new row

_ICESequence table add new row

Enter ICE into Action field
Leave Condition empty

Enter sequence number into Sequence field and click OK to add new row.

Its a good idea to use a sequence number is greater than 1000 as not to interfere with built-in ICE sequences.

Save darice.cub (CTRL & L)

6.       Open MSI package and Validation Output (CTRL & L)

Validation Output Windows

Validation Output Window

Click Go (ALT & G)

When validation has completed results are displayed, Click Close

The Table Error symbol |appears to the left hand-side of Tables containing ICE messages

Orca ICE Validation Window

Orca ICE Validation Window

The validation pane lists Warning and Errors found when the validation has been run and can be used to quickly change the table list window and table view focus highlighting the location of a specific validation error.

Example

Here is an example vbscript if you want to try it out

Function wdICE02()
On Error Resume Next

	Set recInfo=Installer.CreateRecord(1)
	If Err <> 0 Then
		wdICE02 = 1
		Exit Function
	End If

	'Give description of test
	recInfo.StringData(0)="wdICE02" & vbTab & "3" & vbTab & "wdICE02 - Performs a non case sensitive search for C:\ hard coded into the IniFile table  "
	Message &h03000000, recInfo

	'Give creation data
	recInfo.StringData(0)="wdICE02" & vbTab & "3" & vbTab & "Created 23/03/07. Last Modified 23/03/07."
	Message &h03000000, recInfo

	'Is there a IniFile table in the database?
	iStat = Database.TablePersistent("IniFile")
	If 1 <> iStat Then
		recInfo.StringData(0)="wdICE02" & vbTab & "3" & vbTab & "'IniFile' table missing, wdICE02 cannot continue its validation."
		Message &h03000000, recInfo
		wdICE02 = 1
		Exit Function
	End If

	'process table
	'					[1]	   [2]	    [3]	    [4]
	Set View = Database.OpenView("SELECT `IniFile`,`FileName`,`Key`,`Value` FROM `IniFile`")
	view.Execute

	If Err <> 0 Then
		recInfo.StringData(0)="wdICE02" & vbTab & "0" & vbTab & "view.Execute_1 API Error"
		Message &h03000000, recInfo
		wdICE02=1
		Exit Function
	End If 

	Do
		Set rec=view.Fetch
		If rec Is Nothing Then Exit Do

		'check for hardcoded string.
		If InStr(1,rec.StringData(4),"c:\",1) > 0 Then
			'Name of ICE  Message Type  Description  Help URL or location  Table Name  Column Name  Primary Key  Primary Key  Primary Key
			'(repeat for as many primary keys as needed)                  	http://msdn2.microsoft.com/en-us/library/aa369205.aspx
			rec.StringData(0)="wdICE02" & vbTab & "2" & vbTab &  "Path [4] is hard coded in [3] key within [2]" & vbTab & "" & vbTab & "IniFile" & vbTab & "IniFile" & vbTab & "[1]"
			Message &h03000000,rec
		End If
	Loop

	'Return iesSuccess
	wdICE02 = 1
	Exit Function
End Function
Windows Installer

Disabling USB storage devices using Group Policy

Posted in 20th September 2009 ¬ 2:02 pmh.ToneNo Comments »

How to prevent users from connecting USB storage devices

To stop users connecting USB storage devices

The following items must be carried out to ensure that the USB storage driver
cannot be accessed, in cases where the USB storage driver has been installed the
services should be disabled.

  • Deny Access to usbstor.inf and usbstor.pnf
  • Disable the USB storage service

1.Deny Access to usbstor.inf and usbstor.pnf

Open the Group Policy Object and drill down to File System

Computer Configuration -> Windows Settings -> Security Settings -> File System

Right click and select Add File…
Enter %SystemRoot%\inf\usbstor.inf
Click OK

Assign the Deny permissions to Authenticated Users and System

Click OK
Click Yes
Click OK

Carry out same procedure for %SystemRoot%\inf\usbstor.pnf

2.Disable the USB Storage Service

The Start Dword value must be set to 00000004 (disable) in the registry

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbstore]
"Start"=dword:00000004

To disable this service using Group Policy create an adm template.

Copy the following section into a text editor and save the file as usbstore.adm

CLASS MACHINE
  CATEGORY  !!CATUSBManagement
     POLICY !!POLUSBManagement
        EXPLAIN !!POLUSBManagement_Help
          KEYNAME "System\CurrentControlSet\Services\usbstor"
             PART !!Part00 DROPDOWNLIST
                VALUENAME "Start"
              ITEMLIST
            NAME !!Name00 VALUE NUMERIC 0
         NAME !!Name01 VALUE NUMERIC 1
       NAME !!Name02 VALUE NUMERIC 2
      NAME !!Name03 VALUE NUMERIC 3
     NAME !!Name04 VALUE NUMERIC 4 DEFAULT
    END ITEMLIST
   END PART
  END POLICY
 END CATEGORY

 [strings]
 CATUSBManagement="USB Management"
 POLUSBManagement="USB Storage Service"
 POLUSBManagement_Help="Enables the changing of the startup type for the USB Storage Service.\nDisabled should be selected from startup type.\n\nYou should also set permissons on following files:\n\n%SystemRoot%\Inf\Usbstor.pnf\n%SystemRoot%\Inf\Usbstor.pnf"
 Part00="Startup type"
 Name00="Boot"
 Name01="System"
 Name02="Auto Load"
 Name03="Load On Demand"
 Name04="Disabled"

As this isn’t quite as simple as setting a Group Policy more instructions are included below, detailing how to load adm template using the Group Policy snap-in.

Add Administrative Template usbstore.adm

Open the Group Policy object that you want to edit.

usbstor-adm-01-small.png

Console tree, Administrative Templates

In the console tree, right-click Administrative Templates
Click Add/Remove Templates

usbstor-adm-02

Add/Remove Templates dialog

Click Add

usbstor-adm-03

Browse to template

Browse to .adm template and open, Click Close

usbstor-adm-04

The adm preference template is added

If you can see the policy\preference skip next two screens, if you see:
“There are no items to show in this view”

usbstor-adm-05

Filtering Menu

Right click in left pane
Select
View
Select Filtering…

usbstor-adm-06

Remove Filtering

Deselect\Untick
Only show policy settings that can be fully managed

usbstor-adm-07

Preference Preview

Double click the policy\preference, in this case USB Storage Service

usbstor-adm-08

Enable Preference

Select Enabled
Select startup type: Disabled
Click Apply\OK

This is a preference rather than a group policy so it will tattoo the registry:

This registry setting is not stored in a policies key and is thus considered a preference. Therefore if the Group Policy Object that implements the setting is ever removed, this setting will remain

A copy of the template used to disable usbstore service can be found here: disable usbstore adm

Adapted from KB823732 KB555324

Security,

MSI Import tool for SMS 2003.

Posted in 18th September 2009 ¬ 11:56 amh.Tone5 Comments »

MSI2SMS tool imports MSI and MST packages into Systems Management Server 2003 creating Package, Programs, Advertisement and desired settings without the need to use SMS console, the information is extracted directly from the MSI Package.

The MSI2SMS import tool not only saves time and effort it also ensures that a standard naming convention is used for Package, Programs and Advertisement throughout Systems Management Server 2003.

Systems Management Server 2003