Just to clarify: this is a selective issue; the scope of this issue isn’t known, but not everyone is seeing this problem. The fix is outlined after the jump for the issue listed below for those of you experiencing it.

In the wonderful world of Zune, all the Zune teamsters, Zune coders, Zune pushers, and Zune lovers are busy celebrating the launch of the Zune HD. That’s not to say there aren’t any snags with which to deal. Case in point: I came across this wonderful screen when I tried to sign into my account under Zune 4.0 for the first time:

“Great, there’s no terms to which I must agree. I’ll just go ahead and click Accept,” (the result of which you can see after the jump)

(more…)

Once upon a time, a Microsoft employee said that UAC was designed to annoy people, thus encouraging people (and systems administrators) to bug application developers and get those developers to fix their use of resources in Windows. Well, it seems that one company actually went backwards, making its application more annoying than it used to be.

Of course, I’m talking about Java.

I figured I would turn Java into an example of what not to do when designing something for Windows before uninstalling it. Since Sun Microsystems clearly has no idea how to develop for Windows Vista, I’m going to direct them to this wonderful page.

I highlighted the single switch present in the command which indicates the problem: “-auto”. UAC prompts should never be automatically launched without informing the user prior to launching one. It’s very plain and very simple, and when developers start writing applications which throw consent prompts without any obvious reason as to why, they’re clearly doing something wrong.

Worse yet, Java Automatic Update decides to tell me after I click Cancel that it wants to update.

This bubble should be thrown first, followed by launching the consent prompt should the user decide to update. Doing it the other way around is mindblowingly stupid. It’s not exactly an easy thing to screw up, either, so I’m chalking this one up either to developers not knowing what they’re doing or developers testing UAC out for the heck of it to see how many people obey random UAC prompts.

If you’re seeing this, I highly encourage you to click Cancel. Better yet, go ahead and uninstall Java. That’s what I did.

Now if you’ll excuse me, I’ll be going off to celebrate my birthday away from random UAC prompts.

As those involved in the Windows 7 community may know, Microsoft has failed to fix a crucial flaw in the User Account Control feature of the operating system which allows a specific whitelist of applications to inject code that can allow any application to silently elevate. The code was released about a month ago as a proof-of-concept by Leo Davidson showcasing the flaw elevating a command prompt window using the whitelisted explorer.exe process.

The company stands by UAC in its final form, but they’re taking it a step further by blocking the program that causes the exploit using their own security software.

Today, I just happened to download the zip file that causes the exploit when Microsoft Security Essentials greeted me with a nice dialog telling me that what I just downloaded is malware, specifically HackTool.Win32/Welevate.A and HackTool.Win64/Welevate.A (depending on architecture). While I’d agree that this can be considered a form of malware, it’s just a very bad way of dealing with the situation. However, Leo noted that Windows Defender in Vista did not detect this exploit, and Bryant confirmed that the same is true for Windows 7 (where the trick would actually work), so this seems to be exclusive to Microsoft Security Essentials.

It’s not clear what method the signatures take to detect it, but I promptly recompiled the source code under the Visual C++ 10.0 toolkit using VS 2010 Beta and the application ran undetected. Not a very good solution if it actually hash checks for the specific applications.

Leo, and I (or Bryant) will update our respective pages accordingly as we discover more. Bryant is seeking official word from Microsoft on what’s going on. Meanwhile, you can see the VirusTotal report here and grab the exploit here.

Update (~Bryant): let’s take a look at what’s going on here from a different approach. Microsoft says that the vulnerability here is not actually a vulnerability and is, in fact, by design. However, they’ve also classified Leo’s proof-of-concept as malware. Logically speaking, if a process whose sole purpose is to exploit a perceived vulnerability is marked as malware, then it’s reasonable to assume that the perceived vulnerability is indeed a significant problem. Basically, Microsoft contradicted themselves by listing the proof-of-concept as malware.

Update 2 (~Bryant): A friend of mine proposed one particular argument as a potential explanation to this issue, whereby this is a bug within Microsoft Security Essentials. The reasons I don’t believe this to be the case are:

• This exploit was specifically named as HackTool:Win32/Welevate.A (A quick googling shows only three links; one is to the aforementioned virustotal link, the second and third to a Microsoft encyclopedia entry.
• This particular label only applies to this specific proof-of-concept
• A reasonable vulnerability assessment (”Medium”) was applied to this particular proof-of-concept, which makes sense given that this security vulnerability in UAC is only really an issue if either a user runs a malicious application or if some other internet-facing application were to be compromised. I covered the latter in an older post of mine where I explain how this flaw essentially raises the vectors of attack many-fold.

Leo and Bryant contributed to this post.

Rafael Rivera, as he usually does, put a massive amount of research into discovering workarounds for downloading Internet Explorer on Windows 7 E. He found and posted a rather ingenious workaround for users stuck in Europe with Windows 7 E(U-gimped). The trick, which you can read over at Within Windows, definitely succeeds in winning the “clever” label applied by Rafael, but what Rafael didn’t mention is that Windows 7 (or at least Windows Media Player) still has the Trident rendering engine somewhere within the stripped OS. This means a number of things:

1. Bad: Upgrading from Windows Vista to Windows 7 E shouldn’t be a problem whatsoever, despite what Microsoft may say. This, unfortunately, doesn’t do much for Microsoft’s image in Europe (unless Steven can come and tell us specifically why Windows Vista can’t be upgraded to Windows 7 E)
2. Good: Windows really does rely on Trident for at least a few non-browsing-related functions, which makes sense given how useful HTML can be for creating a UI. It also gives a sense of validity to Microsoft’s claims with regards to the EU.
3. Bad (for browser peddlers, Microsoft, and the user. Good for the EU): The EU, in its limited comprehension of how a browser works, might now use this as “evidence” of Microsoft being deceitful.
4. Good: Your shiny new better-than-Snow-Leopard OS won’t be as gimped as you originally thought.

This also means that any applications which use Trident for rendering any HTML to present an interface to the user will still work without needing a browser, which means that application developers should still be happy.

You can catch Rafael’s guide here. While you’re at it, if you’re a native of an EU-governed state, please email them a few one-fingered salutes on behalf of the rest of the world.

Update: Paul would like to note that Microsoft has been “very upfront” about Windows 7 E having the Trident rendering engine. The fact is, Microsoft hasn’t really done a good job at pushing this note around, and given Microsoft’s other communication issues (again, noted by Paul), I’m inclined to say that the existence of Trident actually is news.

In fact, Microsoft also posted about it on their legal blog… in typical legalese. The official statement is:

Most importantly, the E versions of Windows 7 will continue to provide all of the underlying platform functionality of the operating system—applications designed for Windows will run just as well on an E version as on other versions of Windows 7.

To those of us who assume things in the most unrealistically general sense, “underlying platform functionality” includes Trident, but this by no means makes it obvious that Trident will still be in Windows 7 E, thereby proving Paul’s previous point about communication being a problem.

Microsoft has an obsession with providing awesome deals for students. They also have a slight tendency to shoot themselves in the feet. This is a good amount of both, and thankfully (if you’re a student), it’s in your favor.

Microsoft created the DreamSpark program to give such awesome tools as Visual Studio 2005 and 2008 Professional Edition free to budding Computer Science and Information Technology students with a Windows Live ID. Now, here’s where the fun begins:

Sometime last year, Microsoft added Windows Server 2003 Standard Edition R2 licenses to the DreamSpark program. Even later, they added Windows Server 2008 x86 Standard Edition licenses. Coupled with Vijayshinva Karnure’s step-by-step guide to converting Windows Server 2008 into the ultimate desktop OS published in February of ‘08 on his MSDN blog, the non-technical masses now have themselves a fully functional, relatively-easy-to-configure OS that’s more powerful and more advanced than Windows Vista. Granted, “easy to configure” doesn’t mean “easier to configure than Windows Vista,” nor do you get to have the Windows Media Center, but there’s sadly always a price to pay for FREE. Given a choice between Windows Vista SP1 upgrade for ~65 dollars and Windows Server 2008 Standard Edition for free, which would you choose?

As for the steps provided, I’m not sure if the academic license of Windows Server 2008 allows for Hyper-V, so if you don’t care for Hyper-V support (as instructed in Vijayshinva’s post) or for running any virtual PCs, you can skip steps 1 and 10 on the guide.

The next question: Does Microsoft even support converting the server OS into a workstation/desktop OS? Yep, and not just because of Vijayshinva’s post, but that alone would be a justification for the following reason:

All opinions posted here are those of the author and are in no way intended to represent those of his employer. All posts are provided "AS IS" with no warranties, and confers no rights.

-Every MSDN, Technet, and other individual Microsoft employee blog.

Microsoft doesn’t endorse the opinions of its employees, but Microsoft does fully endorse any factual matters being discussed regarding its products, including step-by-step guides, support… anything of a non-opinionated nature which doesn’t involve compromising its products (like hex edits). Is this a technical loophole? Sure, but there’s a second, much better reason for Microsoft to support converting Windows Server 2008 into a desktop operating system: The “Desktop Experience” feature.

The Desktop Experience feature was added to Windows Server 2008 in part because of the absurdly high number of requests Microsoft received from small businesses running a server as someone’s desktop machine (plausible in smaller networks where extra server hardware would be cost-prohibitive). The process for turning Windows Server 2003 into a more desktop-worthy operating system was a bit of a pain, so the desktop experience feature was simply intended to make it a bit easier to implement this usage scenario. It’s fully supported by Microsoft.

Now here’s where the DreamSpark deal beats The Ultimate Steal: unlike The Ultimate Steal (which is limited to university students), high school students can also take advantage of DreamSpark. So, if you’re a student at just about any university or high school, go ahead and nab yourself a copy and save 65 dollars. This is probably the only thing available on DreamSpark which is highly relevant to people who aren’t developers.

(If Microsoft decides to take down the steps, which I highly doubt, you can catch the full instructions on converting Windows Server 2008 from a barebones server operating system to a desktop operating system after the break.)

(more…)

(Update: official statement appended to the end of the post)

I’m going to open this post by kindly asking you, the user, to go into the Windows 7 Action Center (Control Panel, System and Security, Action Center), clicking “Change User Account Control settings” and setting it to the maximum setting (“Always notify me when…”).

The reason for why I’m asking you to do this shouldn’t be a surprise. You may have seen the UAC posts by Rafael Rivera and Long Zheng (I’m giving more of the credit to Rafael since he actually brewed the proof of concept code). People saw their posts and immediately assumed that this issue is only relevant for users who download malware. Thus, you hear lots of users saying out loud with no apparent fear of embarrassment:

“La di da, so long as I’m not stupid with what I download, I should be fine!”

Right. Well, Microsoft basically recommends for users to install an antivirus because they don’t actually consider User Account Control to be a security feature. Anyone who knows the purpose of privilege management knows that any system which actively manages privileges is a security feature.

With this in mind, let’s take a look at why the UAC security flaw actually is a security flaw.

Update 2: Steven and Jon posted a second post about UAC today specifically addressing this flaw. Catch their response below the break.

(more…)

I got to work today and booted my macbook. Having forgotten that I switched it to boot Windows the night before, I didn’t hold the Option key to boot into Mac OS 10.5 (for work needs. I wouldn’t dare keep it otherwise). I wasn’t paying much attention to what was going on with the screen as I was in the middle of a meeting, but I got back to it after about 5 minutes and came upon the above scene unfolding on my laptop. It was vaguely familiar; Paul Thurrott reminded me later that it’s an offshoot of the Windows Recovery Environment which is now integrated into Windows 7 as opposed to being contained solely on the installation DVD.

The fact that the Windows Recovery Environment (WinRE) would be contained in the Windows 7 installation is nothing new; reviewers covered this after their reviews went live on Windows 7 keynote day at PDC. However, no one has actually seen it work, so here I am.

Yes, it actually works.

In my case, my instance of build 6801 died on an “unknown bugcheck: 12b” which led to WinRE being launched. The recovery mechanism checked for issues, subsequently asked me if I’d like to use system restore to roll back to the last working point, rolled back, and presented me with full details of all of its scans (some of which you’ll see in my quick-n-dirty BlackBerry shots). After all of that, it rebooted and voila, Windows 7!

I didn’t lose Rafael’s BlueBadging either, though Rafael did lose his mind over how irritating this feature might become for techs.

Catch the remaining three pics after the break, and feel free to leave your thoughts on whether you think this will or will not be useful to home users, nerd users, sysadmins, etc.

If you’re with the Windows Error Reporting team, please check your error reports for this one. 4th pic contains the most relevant information.

(more…)

Don’t invest money in flimsy Zune holsters or belt clips. If your jeans have snug belt loops, you can just use those. Your Zune probably won’t slip out of it, but that depends entirely on how snug the fit is. Don’t try this with a 30, 80, or 120GB Zune.

(Image from my utterly ingenious friend, Matt Boehm.)

The last couple of weeks, I have been working incredibly hard on a tool to create Vista Style Builder. Vista Style Builder supports everything that is needed to create Visual Styles for Vista:

• Import and export images
• Change, add or remove properties
• Import and export STREAM images
• Compile into a totally new MsStyles-file

In this post I will highlight some details of Vista Style Builder (VSB) which show how much easier this application makes it to edit MsStyles.

(more…)

With Vista, Microsoft redesigned Windows Explorer a lot. One of the biggest changes was the removal of the customizable toolbar. Up to Windows XP, adding or removing the buttons that were displayed in Explorer was a simple chore.
With Vista, this customization ability is gone; the toolbar is replaced by a so-called green shaded “commandbar,” and none of it can be customized unless you are willing to take a dive into the registry.

In this post, I will show you a way to add custom buttons — like in the above image — to the commandbar by adding items to the registry. Unfortunately, not all buttons (e.g. New Folder) are possible via this way.

(more…)