How to always run applications as administrator in Windows 8

I recently got a new laptop with Windows 8. I’ve been trying to not hate the removal of my start menu too much. One of the changes they also made, is that User-Account-Control can’t really be disabled without a registry change– and if you make that registry change, most of the Metro/Modern UI apps will no longer work! Having certain applications not run as administrator can really be a problem, however… Visual Studio needs admin access to create IIS web applications, for instance. Additionally, shelling out to cmd.exe for doing a multitude of different things will be very frustrating when you don’t have those admin privileges that are rightfully required to do administrative things…

Unfortunately, there’s no easy GUI way to tell Windows 8 to always launch applications as an administrator. You can right click on a shortcut and select ‘run as admin’ each time– or even define a shortcut and set ‘run as administrator’ on the compatibility tab– but this doesn’t work if you use start->run->’cmd.exe’, such as I do… It also doesn’t work if you’ve pinned solutions to your task bar, such as I do for Visual Studio.

Thankfully, after some searching, I found a solution. You can have any executable on your computer run as admin(assuming you have permission to do so), by adding entries to this registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\

Simply add a new string value, paste the full path to the executable(such as c:\windows\system32\cmd.exe), and then edit the value to say ‘RUNASADMIN’. Next time you start that executable– through a shortcut, by going to start->run, through entries pinned to your taskbar, or double-clicking on an associated file in explorer, Windows 8 will actually run it as an admin, as you require.

Windows 7 not saving RDP credentials when connecting to servers

In my line of work, I connect to many servers daily. I have these pinned to the Windows 7 taskbar, enabling me to easily connect to a server by simply right clicking on the taskbar icon and selecting the server. One thing that has annoyed me with Windows 7, is that when connecting to a server, I am always prompted for credentials– even if I’ve selected the option to save the credentials.

Well, I finally looked into it, and found a way to fix this. I’m sure Microsoft would claim there’s a “security” reason that it’s not enabled by default– but IMO, the checkbox to save credentials shouldn’t be there if it’s not configured to work…

To enable Windows 7 to save RDP credentials when connecting to Windows 2008 R2 servers, you must complete these steps on your client computer:

  1. Start->Run->gpedit.msc
  2. Navigate to Local Computer Policy -> Computer Configuration -> Administrative Templates -> System -> Credentials Delegation
  3. On the right, double click ‘Allow Delegating Default Credentials with NTLM-only Server Authentication’. Set the setting to ‘ Enabled’, click ‘Show’, and enter ‘*’ for the Value. Click ‘OK’ when done.
  4. Do the same with ‘Allow Delegating saved Credential with NTLM-only Server Authentication’

Now, the Remote Desktop client will remember your credentials– including ones you’ve previously saved. This may seem like a minor thing, but shaving seconds here and there will turn into hours saved later– plus any frustration/annoyance/distraction from fat-fingering passwords when connecting.

Resolving “Network path is not found” errors

Multiple customers of mine have had issues with the error message “Network path is not found”. Windows can throw this error message for a number of reasons.  This often becomes a problem when you’re trying to remotely monitor event logs, services, disk space, etc. using network monitoring software such as Overseer Network Monitor.

If you’re having this issue, try these things:

  • Make sure both Windows PCs(your computer and the remote computer) are running on the same network/LAN.
  • Disable the Windows firewall. If this works, you know it’s the firewall blocking traffic, and you can find what rule to add to the firewall to make things work.
  • Disable UAC!. Note that you may have to disable remote UAC in addition to the GUI disabling of user account control
  • Check the clocks on both computers. If the times are not within 15 minutes of each other, this problem may occur. Be sure to check the date and the time, as it’s easy to miss a different year when looking at just the time or day.
  • Check the status of these services and make sure they’re running on both ends:
    • Remote Registry Service
    • Server
    • Workstation
    • Computer Browser
    • Remote Procedure Call
    • TCP/IP NetBIOS Helper Service
  • Check your network card(s) properties, and check these options:
    • Client for Microsoft Networks
    • File and Printer Sharing for Microsoft Networks
    • Also make sure “Enable NetBIOS over TCP/IP” is enabled
    • Make sure “802.1x” authentication is disabled(potentially buried under ‘configure’ tab for network adapter
  • If using local accounts, be sure you’re referring to them as MACHINE\username, and **not** .\username. If you use .\username, you will get “network path was not found”, which is a very unhelpful in resolving this problem.

 

EventLogSession/EventLogReader error remotely accessing Windows XP/W2K3 machines

Sometimes, when searching Google it takes all of 30 seconds to find an answer to a question. Other times, it can take minutes, or even hours. I’m writing this blog post, because I was just researching an issue that took me hours to figure out– and in the end, it was so simple, yet disappointing at the same time…

For the new version of Overseer, the network monitoring software I write, I was adding support for extended event logs– these are the “Applications and Services Logs” event logs below the regular ones in W2K8’s event viewer. I found I had to use the new EventLogSession/EventLogReader API. I found it required .NET 3.5, so I upgraded my software to require .NET 3.5(it was v2 compatible up to this point).

I got things working, and I was able to monitor event logs(new and old style) using the code remotely accessing Windows 2008 and Windows 7 computers. I got an error when accessing Windows XP machines(and I’m sure W2K3 machines, but I didn’t have any to test with at the time). The error was “UnauthorizedAccessException – Attempted to perform an unauthorized operation.”  To most, including myself, this seems like a permissions issue– so I looked into all sorts of potential impersonation problems, etc. I scoured the web looking for anyone even having the same problem, but didn’t find it.

Eventually, I found a reference buried in some forum reply, that one of the API calls that the new EventLogSession/EventLogReader calls is Vista/W2K8+ only. That’s just great– the whole API is now Vista/W2K8+ only… Why Microsoft wouldn’t add a compatibility layer for Windows XP and Windows 2003 is beyond me… But once I found this, I at least was able to move on, realizing that I had to detect the version of Windows running on the remote machine and use the different API’s accordingly… If only Microsoft had included proper documentation clearly specifying this new API was Vista/W2K8+ only, had an error message indicating something of that sorts, or actually did the right thing and wrote a compatibility layer into it, I wouldn’t have wasted so much time on such an unproductive search.

 

 

Linux Permission denied– not really

One of the things that pisses me off with Linux, is the lack of good error messages. Today I wasted a good amount of time tracking down this error:

_WARN: config: path “/var/lib/amavis/.spamassassin/user_prefs” is inaccessible: Permission denied

Now, you’d think based on the message that the user_prefs file or the directory above it didn’t have the proper permissions for the user/executable accessing it… That’s what “permission denied” means, right?  WRONG. After hours dicking around, I eventually found that the problem was that the permissions were TOO OPEN… Instead of 700 on the .spamassassin directory, I had it set to 666(and 660 at one point)… As soon as I set the permissions on the .spamassassin directory to 700, the problem went away…

Now, I’d guess this is the amavis developers’ fault at least partly– I’ve seen other linux-based apps say “permissions are too open” regarding file permissions before(ssh key files, for one)… Possibly there’s something in the file-accessing API that you can request that permissions aren’t too open, and they just have a single fall-thru that says “permission denied”…  Either way, this type of thing causes me to waste considerable amount of time, and is the primary reason I’m very shy about adopting Linux for too many things– as much as I’ve tried over the past 13 years… In this case, I was configuring a front-end mail server using postfix+amavis+dovecot+spamassassin, as I don’t know of any good alternative for Windows(MS SMTP front-end is incredibly weak).

IPv6

I just read this on the wiki, when Googling for a general piece of information about IPv6:

“While IPv6 is supported on all major operating systems in use in commercial, business, and home consumer environments,[3] IPv6 does not implement interoperability features with IPv4, and creates essentially a parallel, independent network. Exchanging traffic between the two networks requires special translator gateways, but modern computer operating systems implement dual-protocol software for transparent access to both networks either natively or using ‘tunneling’ such as 6to4, 6in4 or Teredo. In December 2010, despite marking its 12th anniversary as a Standards Track protocol, IPv6 was only in its infancy in terms of general worldwide deployment. A 2008 study[4] by Google Inc. indicated that penetration was still less than one percent of Internet-enabled hosts in any country at that time.”

12 years, and <1% deployment! This is what happens when you don't have a good transition plan from one technology to the next-- no one adopts it... I personally think it's likely 12 years from now, IPv6 still won't be the 'standard' used for the Internet... Many IPv6 proponents claim IPv4 is "end of life", as the IANA just assigned the last big /8 net block-- claiming "all the address are used up!" What they fail to understand, is that addresses aren't consumed-- they can be re-used, and they're allocated by the IANA in huge blocks, and all those organizations that they allocate to, then sub-allocate to other organizations that allocate to end users.

Multiple monitor RDP connections

I typically work with 4 1080p LCD monitors on Ergotron arms. I have the same setup and layout at work as I do at home. When I remote in from home, I’ve found in Windows 7, I can check ‘use all my monitors’, and the remote desktop actually uses all the monitors, even in my non-square and non-linear layout(my monitors are roughly in a + shaped pattern).

The one negative of this, is that the speed wasn’t great. Flipping windows and such, there’d be a noticeable lag. It was usable, but not comfortable. I figured this was due to my 1Mbps upload speed at the office. I watched a bandwidth meter on the router, and I noticed it wasn’t maxing out the 1Mbps upload speed… I have noticed, however, that when I do a speed test, the upload always starts slow, and doesn’t reach full speed for a couple seconds… I was thinking, “maybe the RDP packets are always in the start of that incline and can never reach full speed”…

Well, recently I found that Time Warner Business Class in my city just added ‘Wide band’ service. I was able to upgrade for a reasonable price to 35/5 service– that’s 5Mbps upload speed! I can use the bandwidth for other purposes as well, but I was particularly excited about having a faster RDP experience when I do work from home, trying to be fully productive with all 4 screens…

Well, I just tried the connection, and the RDP experience is MUCH better! I don’t see a constant lag when working. I looked at the same router bandwidth meter, and it was often spiking to 2Mbps or so– definitely above the 1Mbps it wasn’t reaching before… So I think my hunch about the upload connection starting slow was definitely the issue… To prove how awesome the connection was, I played a video someone posted on facebook, and it was actually watchable over RDP! Sure, it maxed the 5Mbps bandwidth meter, but it was watchable! I did try to put it full screen to see how I could push it, and that didn’t fair so well… But I’m certainly not watching video through an RDP connection for any real purposes…

Windows 2008 R2 DNS issues

So, I’ve had issues with Facebook pictures for at least a few weeks now. About half of them would just come up with the “unable to load image” icon. I experienced this in IE, Firefox, and Chrome, so I knew it wasn’t a browser issue… I figured it was a Facebook server or code issue.

I spent some time today with Wireshark to figure out where it was failing. I found that my internal DNS server was failing. This server runs W2K8 R2, and is my domain controller for my small network here.  I checked the event logs, and found multiple event 5501’s– saying that it received a malformed packet from another DNS server… I did a little research on this, and stumbled upon this blog entry that details the problem:

http://weblogs.asp.net/owscott/archive/2009/09/15/windows-server-2008-r2-dns-issues.aspx

I disabled the EDNS probes as the article suggested, and my problems instantly went away.  Why MS shipped a default that doesn’t play nicely with standard DNS servers is beyond me… But I suppose it’s not a first… I’m just glad I’ve resolved my issue.