MDT

The Ultimate Event, Sweden, October: Do not miss this!

The Deployment Bunny - Mon, 09/02/2013 - 05:31

(Originally posted in Swedish)

Colleagues, friends, this is it. In October I (Mikael Nystrom), Johan Arwidmark and Mark Minasi are going on tour; we will visit Malmö, Göteborg, Stockholm, Umeå and, last but not least, Oslo. This time we are bringing a demo mania around Windows Server 2012 R2, Windows 8.1 and System Center 2012 R2. Since this spring we have twisted, turned, played and tested, and now we want YOU to understand what is fantastic and what perhaps was not entirely thought through. We will spend time on the client as well as on server and datacenter management; there will be a fair amount of deployment and a fair amount of management. That Mark Minasi is coming along is not only fun for our own sake: Mark is clearly one of the best speakers there is, entertaining and competent. There is a risk that the event will be fully booked, especially when this poster is up in the Stockholm subway!


Categories: MDT

Keeping VM Configurations in Sync with Hyper-V Replica

Virtual PC Guy's WebLog - Thu, 08/29/2013 - 01:41

Yesterday I posted about my new home setup, which makes heavy use of Hyper-V Replica.

When you first set up Hyper-V Replica for a virtual machine, we copy the virtual machine configuration and storage from the primary server to the replica server. From that point on we replicate any new data that is written to the virtual machine storage, but we do not replicate any later changes to the virtual machine configuration.

Why?

Well – there are two reasons for this:

  1. We have many deployments where the Hyper-V administrators on the primary and replica servers are different people (e.g. a small business replicating to a local service provider). In this case the administrator on the replica server does not want the administrator on the primary server to be able to push arbitrary configuration changes (memory, CPU, network attachment, start-up behaviour) onto the replica host.
  2. There are a number of configuration changes where you want things to be different. E.g. you may want the virtual machine on the replica server to be connected to a different network or to have a different amount of memory, etc…

While this all makes sense, it has tripped me up a number of times. The scenario I have experienced is this:

  1. Enable Hyper-V Replica on a virtual machine
    … months pass …
  2. Make a configuration change to the virtual machine, forgetting that it is configured for replica
    … months pass…
  3. Perform a planned failover of the virtual machine for some reason, and wonder why all the settings are wrong!

After having this happen to me a couple of times – I have taken to using PowerShell to perform quick sanity checks on my virtual machine configurations. This is actually quite easy to do – as PowerShell allows you to target multiple physical computers with one command.

Some checks that I have done include:

Checking memory configurations:

This command will get all the details of the memory configuration from two servers:

Get-VM -ComputerName Hyper-V-1, Hyper-V-2 | Select-Object Name, DynamicMemoryEnabled, MemoryStartup, MemoryMinimum, MemoryMaximum | Sort-Object Name | Format-Table

Which looks like this when it is run:

Checking startup delay:

This command shows you all the startup information:

Get-VM -ComputerName Hyper-V-1, Hyper-V-2 | Select-Object Name, AutomaticStartAction, AutomaticStartDelay | Sort-Object AutomaticStartDelay, Name

Checking MAC address configuration:

I use DHCP with MAC address reservations in my house, so it is critical that virtual machines not change their MAC address. This command shows you what MAC addresses are being used, and whether dynamic mac address generation is enabled or not:

Get-VM -ComputerName Hyper-V-1, Hyper-V-2 | Get-VMNetworkAdapter | Select-Object VMName, MacAddress, DynamicMacAddressEnabled | Sort-Object VMName, MacAddress
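The three checks above still leave you eyeballing two lists side by side. Since Replica deliberately does not carry configuration changes across (reason 1 above), the check a practitioner really wants is a diff of each primary VM against its replica copy. The script below is an added example, not code from the original post: it uses Get-VMReplication to discover which host holds the replica of each primary VM, then compares the settings that Replica does not keep in sync. The host names come from the post; the list of properties compared and the output layout are my assumptions.

```powershell
# Added example (not from the original post): report configuration drift between
# each primary VM and its replica. Host names are from the post; the property
# list and output shape are assumptions for illustration.
$Hosts = 'Hyper-V-1', 'Hyper-V-2'

# VM-level settings that Hyper-V Replica copies once and never updates again.
$VmProps  = 'ProcessorCount', 'DynamicMemoryEnabled', 'MemoryStartup',
            'MemoryMinimum', 'MemoryMaximum', 'AutomaticStartAction',
            'AutomaticStartDelay', 'AutomaticStopAction'
# Per-adapter settings (MAC reservations break if these drift).
$NicProps = 'MacAddress', 'DynamicMacAddressEnabled', 'SwitchName'

# Only the primary side of each replication pair is walked; the replication
# object tells us which host holds the replica copy.
$primaries = Get-VMReplication -ComputerName $Hosts |
    Where-Object { $_.Mode -eq 'Primary' }

$drift = foreach ($rep in $primaries) {
    $src = Get-VM -ComputerName $rep.PrimaryServer -Name $rep.VMName
    $dst = Get-VM -ComputerName $rep.ReplicaServer -Name $rep.VMName -ErrorAction SilentlyContinue
    if (-not $dst) {
        [pscustomobject]@{ VM = $rep.VMName; Setting = '(replica VM)'; Primary = 'present'; Replica = 'missing' }
        continue
    }
    foreach ($p in $VmProps) {
        # Compare as strings so enums and numbers are handled uniformly.
        if ("$($src.$p)" -ne "$($dst.$p)") {
            [pscustomobject]@{ VM = $rep.VMName; Setting = $p; Primary = $src.$p; Replica = $dst.$p }
        }
    }
    # Adapters are matched by adapter name (e.g. "Network Adapter") on both sides.
    $srcNics = $src | Get-VMNetworkAdapter
    $dstNics = $dst | Get-VMNetworkAdapter
    foreach ($n in $srcNics) {
        $m = $dstNics | Where-Object { $_.Name -eq $n.Name } | Select-Object -First 1
        foreach ($p in $NicProps) {
            $replicaValue = if ($m) { "$($m.$p)" } else { '(no such adapter)' }
            if ("$($n.$p)" -ne $replicaValue) {
                [pscustomobject]@{ VM = $rep.VMName; Setting = "$($n.Name).$p"; Primary = $n.$p; Replica = $replicaValue }
            }
        }
    }
}

if ($drift) { $drift | Sort-Object VM, Setting | Format-Table -AutoSize }
else        { 'No configuration drift between primary VMs and their replicas.' }
```

Treat the output as a review list rather than something to apply blindly: per reason 2 above, a different SwitchName or memory ceiling on the replica side may be exactly what you intended, and the script only tells you where the two sides differ. Running it needs Hyper-V administrator rights on both hosts, which in the service-provider scenario is precisely what the primary-side administrator should not have, so there it belongs on the replica side.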

Cheers,
Ben

Categories: MDT

Automate importing and creating driver packages in SCCM 2012 R2

Coretech Blog » Kent Agerlund - Wed, 08/28/2013 - 05:46
  I take it that you are familiar with drivers and with manually creating driver categories and driver packages in Configuration Manager. Here I will show you how you can optimize the process by running a very neat little PowerShell script called ImportDrivers.ps1 (main developer is Claus Codam). There are a few prerequisites that need to be [...]
Categories: MDT

Hyper-V in my House - 2013

Virtual PC Guy's WebLog - Wed, 08/28/2013 - 00:56

A while ago I talked about how I was using Hyper-V in my house.  These days I have a quite different configuration in place.  I updated my household deployment immediately after Windows Server 2012 was released.

I had a couple of goals with my new architecture:

  1. I wanted to minimize downtime due to hardware servicing.

    My Hyper-V server handles DHCP, DNS, Internet connectivity, hosts the kids' movies, etc…  All this means that if I need to turn it off for any reason – I have to do it after everyone else has gone to bed.  Not fun.

  2. I wanted to minimize the frequency with which I needed to service hardware.

    The leading cause for me needing to work on hardware has been hard drive failure.  So logically, more hard drives means more weekends working on servers.  Fewer hard drives means fewer weekends working on servers.

  3. I need high levels of data protection.

    My server has all the family photos on it – data loss is not an option!

  4. I need lots of storage.

    At this point in time I have about 5TB of data on my family file server.  So realistically I need 7-8 TB of storage for my file server and all other virtual machines.

  5. I want to keep the cost down.

    Hey, no one likes to waste money!

With all of this in mind – here is what I ended up deploying:


 
I set up two Hyper-V servers.  Each server has a single quad-core processor (I do not use a lot of CPU), 16 GB of RAM and three 1-gigabit network adapters.  Each server also has 6 hard disks.  The first two disks are configured in RAID1 using the onboard Intel RAID.  The next four disks are configured as a 6TB parity space to give me the most capacity possible (note – in practice these four disks are a mix of 2TB and 3TB disks).

I then run half of my virtual machines on each server, and use Hyper-V Replica to replicate them to the other server.

This configuration gives me a high level of data protection (both from a single disk failure and an entire server failure).  It also means that if I have to replace a physical disk / fix a hardware problem with one of the servers – I just move all the virtual machines to the working server, and get to take my time fixing the broken server.

I have been running this configuration for almost a year now – and for the most part it has worked just fine.  I have had three separate occasions where I needed to work on a server, and my family did not notice it (for the most part – other than the general cursing and complaining that I was making while working).  That said, there have been some lessons learned for me:

  1. Low storage IOPs can really hurt sometimes.

    When I built this system I knew that the storage throughput of the 6TB data disk would not be great, but I accepted this as a reasonable trade off in the space / price / performance matrix.  For 90% of the time it has also not been an issue – but there have been a couple of times when I have been surprised by how long operations took.

  2. I need more memory.

    My previous setup was a single server with 8GB of memory.  So two servers with 16GB should be huge – right?  This was my thinking when I built the system – but I was wrong.  First, I need to make sure that I do not oversubscribe my memory, so that I can run all my virtual machines off of one server when I need to.  Thankfully dynamic memory makes this easy to do, and ensures that when my virtual machines are spread across both servers I get to use all the memory.  Second though, as soon as I had the memory available I started firing up new virtual machines simply because I could – and it was not long until I was at my limit again.
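The "do not oversubscribe" rule in lesson 2 is easy to state and easy to break a VM at a time. The script below is an added example, not code from the original post: it totals the memory of every primary VM across both hosts and checks whether a single host could carry all of them during a failover. Host names come from the post; the parent-partition reserve is an assumption to tune for your own hardware.

```powershell
# Added example (not from the original post): verify that all primary VMs on both
# hosts could run on either single host after a failover without oversubscribing
# memory. Host names are from the post; the reserve is an assumption.
$Hosts         = 'Hyper-V-1', 'Hyper-V-2'
$HostReserveGB = 2   # assumption: memory kept back for the parent partition

# Replica copies are registered VMs too (normally Off). Count each VM once, on
# its primary side, so the total is what one host carries during failover.
$vms = Get-VM -ComputerName $Hosts | Where-Object { $_.ReplicationMode -ne 'Replica' }

# Floor: what Hyper-V must hand out just to start every VM.
$startup = ($vms | Measure-Object -Property MemoryStartup -Sum).Sum
# Ceiling: dynamic-memory VMs may grow to MemoryMaximum; static ones stay at MemoryStartup.
$ceiling = ($vms | ForEach-Object {
    if ($_.DynamicMemoryEnabled) { $_.MemoryMaximum } else { $_.MemoryStartup }
} | Measure-Object -Sum).Sum

foreach ($h in $Hosts) {
    $capacity = (Get-VMHost -ComputerName $h).MemoryCapacity
    $usable   = $capacity - ($HostReserveGB * 1GB)
    [pscustomobject]@{
        Host           = $h
        UsableGB       = [math]::Round($usable / 1GB, 1)
        VMStartupGB    = [math]::Round($startup / 1GB, 1)
        VMMaximumGB    = [math]::Round($ceiling / 1GB, 1)
        CanStartAll    = $startup -le $usable    # must be true for a failover to succeed
        CanRunAllAtMax = $ceiling -le $usable    # false means VMs get squeezed under load
    }
}
```

CanStartAll is the hard requirement: if it is false on either host, a planned failover will leave some VMs unable to start. CanRunAllAtMax being false is the dynamic-memory trade-off the lesson describes, acceptable as long as you know which VMs will be balloon-squeezed when everything lands on one box.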

Anyway – now that I have gotten this all written down, I am planning to blog about some of the experience I have had with this setup over the last year, and the lessons learned in the process.

Cheers,
Ben 

Categories: MDT

Thanks!

Xtreme Deployment - Sun, 08/25/2013 - 23:44

UPDATE:

Time passes, and most of the members of the Xtreme Deployment Consulting Team have moved on.

We can be reached at the following:

Tim Mintner – http://www.linkedin.com/pub/tim-mintner/2/740/6a1

Keith Garner – http://www.linkedin.com/pub/keith-garner/24/719/474

Dave Field – http://www.linkedin.com/in/davefield

Polly Reese – http://www.linkedin.com/pub/polly-reese/1/441/a84

Micah Rowland - http://www.linkedin.com/in/micahjrowland

Thanks to our clients and friends.


Categories: MDT

Bulk Registering Virtual Machines with PowerShell

Virtual PC Guy's WebLog - Wed, 08/21/2013 - 13:56

I recently rebuilt a Hyper-V server – where all of my virtual machines were shut down first and stored on a secondary disk.  Once I had finished installing the operating system and had Hyper-V up and running – I wondered what the most efficient way to get the virtual machines all reconnected would be.  I ended up using PowerShell to do a bulk import; however this did involve a bit of experimentation to get right.

The first thing I had to deal with was the fact that our “import-VM” command requires that you provide a .XML file to import.  An initial listing of all XML files in my virtual machines folder revealed a problem – there were XML files for virtual machines and for snapshots – and I needed to be able to differentiate between the two.

I ended up relying on the fact that the virtual machine XML file is always in a folder called “Virtual Machines” while the snapshot XML file is in a folder called “Snapshots”.  So this piece of PowerShell got me the right files:

Get-ChildItem E:\vms -Recurse -Filter "Virtual Machines" | ForEach-Object { Get-ChildItem $_.FullName -Filter *.xml } | Select-Object FullName

As shown here:

The next concern that I had was that I did not know if I had all the files I needed / had named virtual switches correctly / etc…

If I were importing these virtual machines one at a time it would be easy to fix them up – but that would be annoying for a bulk import.  What I decided to do was to check if any virtual machines would fail to import – and then move them to another location for individual treatment later on.  To do this I used this piece of PowerShell:

Get-ChildItem E:\vms -Recurse -Filter "Virtual Machines" | ForEach-Object { Write-Host "VM Name: $($_.FullName)"; Get-ChildItem $_.FullName -Filter *.xml } | ForEach-Object { Compare-VM $_.FullName -Register } | ForEach-Object { $_.Incompatibilities.Message; Write-Host }

Shown here:

What this PowerShell does is use the Compare-VM cmdlet to tell me whether any of the virtual machines would have compatibility issues with my new Hyper-V server (a missing virtual switch name, a missing disk, and so on).  After running this I moved the problematic VMs to a separate folder (the screenshot above is actually taken after I did this) so I could register them manually, one at a time, later on.

Finally – I ran my command to import all of the known good virtual machines:

Get-ChildItem E:\vms -Recurse -Filter "Virtual Machines" | ForEach-Object { Get-ChildItem $_.FullName -Filter *.xml } | ForEach-Object { Import-VM $_.FullName -Register }

The result of this was that in under a minute I had all of my virtual machines back and functioning on my new Hyper-V server.  Neat!
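The three one-liners above are the discovery, dry-run and import steps of one procedure, with the "move the bad ones aside" part done by hand. The script below is an added example, not the author's code: it strings the steps together, quarantines any VM whose Compare-VM report lists incompatibilities, and supports -WhatIf so you can see what would be registered before touching anything. The E:\vms root and the "Virtual Machines" folder convention come from the post; the quarantine folder and the assumption that each VM lives in its own folder (export layout) are mine.

```powershell
# Added example (not from the original post): bulk-register VMs from a folder
# tree, setting aside those Compare-VM says would fail. Assumes one folder per
# VM, i.e. ...\<VM>\Virtual Machines\<GUID>.xml (export layout).
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$VmRoot     = 'E:\vms',
    [string]$Quarantine = 'E:\vms-needs-attention'   # assumption: where bad VMs go
)
Import-Module Hyper-V

# Configuration files live under "Virtual Machines"; snapshot files live under
# "Snapshots" and must not be imported directly.
$configs = Get-ChildItem -Path $VmRoot -Recurse -Directory -Filter 'Virtual Machines' |
    Get-ChildItem -Filter '*.xml'

foreach ($xml in $configs) {
    # Compare-VM is a dry run of the import: it lists anything that would block it.
    $report = Compare-VM -Path $xml.FullName -Register
    if ($report.Incompatibilities.Count -gt 0) {
        Write-Warning ('{0}: {1}' -f $report.VM.Name, ($report.Incompatibilities.Message -join '; '))
        # Move the whole VM folder (parent of "Virtual Machines") aside for manual work.
        $vmFolder = $xml.Directory.Parent.FullName
        if ($PSCmdlet.ShouldProcess($vmFolder, "move to $Quarantine")) {
            New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
            Move-Item -Path $vmFolder -Destination $Quarantine
        }
        continue
    }
    if ($PSCmdlet.ShouldProcess($report.VM.Name, 'Import-VM -Register')) {
        Import-VM -Path $xml.FullName -Register | Select-Object Name, State, Id
    }
}
```

Run it once with -WhatIf to get the list of what would be registered and what would be quarantined, then for real. Note that -Register keeps the VM's existing ID and uses the files in place; if the old host is ever brought back with the same files, you will have two registrations of the same VM ID on your network, so retire the old copies first.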

Cheers,
Ben

Categories: MDT

Nice to Know–Deploying Applications using System Center Virtual Machine Manager 2012 (SP1/R2) in UI or in PowerShell

The Deployment Bunny - Wed, 08/21/2013 - 06:28

Yes, I know, there are other methods to deploy applications, but sometimes it makes sense to use SCVMM to deploy applications to the host machines that you manage. Looked at in a more modern way, SCVMM is the System Center member that deploys the "only" physical machines you still need, that is the Hyper-V hosts and the file servers that store the VHDX files over SMB; maybe there is no Configuration Manager server in this datacenter for some reason.

The App = HP Service Pack

In this case we are going to deploy the HP Service Pack to our hosts, since we need it to monitor correctly using OpsMgr (when using an agent), among many other things. The application can be "pushed" from a central location, but in this case we are going to run the application locally on each and every server and reboot it if needed. The command for a silent express install is HPSUM.exe /express_install, and you download the Service Pack for ProLiant servers from HP.com (https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPICE#Download). After downloading the ISO, mount it, extract it and share the folder so it is accessible to all your hosts.

The GUI Method

Rather easy actually: we can use the "Run Script Command" that is available on every server in the SCVMM console and then fill out all the parameters.

Fill out the parameters like this:

-Executable program: \\vmm01\CD\hp\swpackages\hpsum.exe

-Parameters: /express_install

-Timeout: 1800

-Advanced:

–Standard Output: Do not match

–Standard error: Do not match

–Exit Code: Do not Match

–Action when matched: Warn and Continue

–Job restart action: Ignore Script

–Always restart after the script has finished running: Checked

–Restart the computer or virtual machines if the specified exit code is returned: Unchecked

Summary using the UI:

This will work, but not the way I wanted it to. The problem is that I cannot define my own values in the dialog boxes: as an example, HPSUM.exe returns exit code 1, 2 or 3 when it needs a reboot, and those cannot be "picked" in the dropdown list. Using PowerShell will be easier, better and faster, since you can define all the applications in an XML file with all their different settings. So let's drop the UI and switch over to what works and makes sense: PowerShell.

The PowerShell Method

In this case we will use the same engine, but fire it off using PowerShell instead; it gives us more flexibility and more control.

Step Number One – Create the Apps.XML

Here we create an XML file that contains all the settings for all the different applications we would like to deploy. Here is how it looks:

As you can see, it contains the application, its arguments, the reboot settings and all the return codes this application can return when it "feels" that it needs a reboot.

Step Number Two – Create the Deploy-Apps.ps1 script

The script uses a param block to read data from the command line and then reads the XML file; we also need to make sure that some of the data from the XML file is parsed correctly as strings or as Booleans (everything read from XML starts out as a string). Then we use all that data to set some static settings, and finally we use Invoke-SCScriptCommand to execute the command on the host. The script looks like this:

Step Number Three – Execute!

Execute the script like this:
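Since the Apps.XML and Deploy-Apps.ps1 listings are screenshots, here is an added example of the same three steps as runnable code. It is my reconstruction of the approach described above, not the author's Deploy-Apps.ps1: the HPSUM path, the /express_install argument, the 1800-second timeout and the reboot exit codes 1, 2 and 3 come from the post; the XML layout, the host names and the Invoke-SCScriptCommand parameter names marked as assumed are mine and should be checked against Get-Help on your VMM version.

```powershell
# Added example (not the author's Deploy-Apps.ps1): drive Invoke-SCScriptCommand
# from an XML application catalogue. Values for HPSUM are from the post; the XML
# layout and the parameters marked "assumed" are assumptions.
param(
    [Parameter(Mandatory)][string]$AppName,
    [Parameter(Mandatory)][string[]]$HostName,
    [string]$AppsXml = "$PSScriptRoot\Apps.xml"
)
Import-Module virtualmachinemanager

# Constructed sample of the catalogue; used only when Apps.xml is not present.
$sampleXml = @'
<Applications>
  <Application Name="HPSUM">
    <Executable>\\vmm01\CD\hp\swpackages\hpsum.exe</Executable>
    <Arguments>/express_install</Arguments>
    <TimeoutSeconds>1800</TimeoutSeconds>
    <AlwaysReboot>false</AlwaysReboot>
    <RebootExitCodes>1,2,3</RebootExitCodes>
  </Application>
</Applications>
'@
[xml]$catalog = if (Test-Path $AppsXml) { Get-Content -Path $AppsXml -Raw } else { $sampleXml }

$app = $catalog.Applications.Application | Where-Object { $_.Name -eq $AppName }
if (-not $app) { throw "Application '$AppName' not found in $AppsXml" }

# Everything read from XML is a string. Convert explicitly: the string "false"
# is non-empty and therefore truthy if you test it directly.
$timeout      = [int]$app.TimeoutSeconds
$alwaysReboot = [System.Convert]::ToBoolean($app.AlwaysReboot)
$rebootCodes  = ($app.RebootExitCodes -split ',') | ForEach-Object { $_.Trim() }

foreach ($name in $HostName) {
    $vmHost = Get-SCVMHost -ComputerName $name
    $invoke = @{
        VMHost            = $vmHost
        Executable        = $app.Executable
        CommandParameters = $app.Arguments
        TimeoutSeconds    = $timeout
    }
    # Assumed parameter names for the reboot behaviour; confirm with
    # Get-Help Invoke-SCScriptCommand -Parameter *Reboot* before relying on them.
    if ($alwaysReboot) { $invoke['AlwaysReboot'] = $true }
    else               { $invoke['MatchRebootExitCode'] = ($rebootCodes -join '|') }

    Invoke-SCScriptCommand @invoke
}
```

Invocation would look like .\Deploy-Apps.ps1 -AppName HPSUM -HostName hv01, hv02. One caveat worth stating: the executable runs on the host with the privileges of the VMM agent, so the share that holds it should be writable only by the people who are allowed to run code as SYSTEM on every Hyper-V host.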

Then wait for the job in the log; after a while it will inform you that the job finished with warnings. The reason for the warning is that it is a real warning from the application, picked up from its output.

HPSUM.exe detects the Windows version as 6.2 (which is correct), but even though HP claims that version is supported, HPSUM.exe does not agree. Hopefully HP will fix this later.

So in the Job log it will show up like this:

Summary using PowerShell:

This gives a more stable solution which can be extended and automated, and that I like…

You can download the scripts from here:


Categories: MDT

Better Together - The New Windows Server 2012 R2 Innovations – Download Now

Microsoft Deployment Toolkit Team Blog - Tue, 08/20/2013 - 12:00

There are quite a few products that make up the Microsoft Cloud OS vision. Windows Server 2012 R2 is in preview right now and ready for your evaluation.  We also have a strong management platform that makes up the System Center family of products. They are designed to have tight integration with the core being Windows Server.

If you are looking for information on Windows Server 2012 R2, we have been rolling out detailed information through Brad Anderson's What's New in 2012 R2 blog series.  That will continue, but we thought you would like a short consolidated list for consideration.  Here are some of the new innovations in Windows Server 2012 R2.

Storage transformation – Delivers breakthrough performance at a fraction of the cost

  • The storage tiering feature of Storage Spaces in Windows Server 2012 R2 automatically tiers data across hard disks and solid state drives based on usage to dramatically increase storage performance and cost efficiency.

Software defined networking – Provides new levels of agility and flexibility

  • Network virtualization in Windows Server 2012 R2, along with the management capabilities in System Center 2012 R2 provides the flexibility to place any virtual machine on any node regardless of IP address with isolation. 
  • New in-box gateway in Windows Server 2012 R2 extends virtual networks to provide full connectivity to physical networks as well as access to virtual networks over the internet.

Virtualization and live migration – Provides an integrated and high-performance virtualization platform

  • Cross-version live migration enables virtual machines running on Windows Server 2012 to be migrated to Windows Server 2012 R2 hosts with no downtime.
  • Live migration compression provides dramatic time savings (approximately 50% or greater) by using spare CPU cycles to compress live migration traffic with no special hardware.
  • Live migration with RDMA enables offloading of the process to the NICs (if they support RDMA) for even faster live migrations.

Access & Information Protection – Empowering your users to be productive while maintaining control and security of corporate information with Windows Server 2012 R2

  • Enable users to work on the device of their choice (through BYOD programs or on personal devices) by providing a simple registration process to make the devices known to IT and be taken into account as part of your conditional access policies
  • Deliver policy-based access control to corporate applications and data with consistent experiences across devices
  • Protect corporate information and mitigate risk by managing a single identity for each user across both on-premises and cloud-based applications and enabling multi-factor authentication for additional user validation

Java application monitoring – Enables deep application insight into Java applications.

  • Provides performance and exception events as well as level alerting within Operations Manager for Java applications.
  • Supports Tomcat, Java JDK, and other Java web services frameworks.
  • Line-of-code level traceability with performance and exception metrics for .NET and Java application monitoring for more actionable, tool-driven dev-ops collaboration

This is by no means a comprehensive list of new features and benefits, but we just wanted to give you some information on the key focus areas.  For those of you interested in downloading some of the products and trying them, here are some resources to help you:

Categories: MDT

Reversal of fortune: Sirefef’s registry illusion

Microsoft Deployment Toolkit Team Blog - Mon, 08/19/2013 - 19:38

I have mentioned in a previous blog that the use of the right-to-left-override (U+202E) Unicode character is nothing new. That blog also went on to show the various file name tricks used by malware.

But now we see something different: the use of this trick by variants of the Sirefef family of malware. The variants use the right-to-left-override character in the registry in order to hide their presence by mimicking a setting created by a Google Chrome installation. The stored key name differs from the real one, but because the RLO character reverses the display order of what follows it, any Unicode-aware tool renders the two names identically.

When a user installs an enterprise version of Google Chrome the application sets the following entries in the registry for the Google update service.

The update service shows up in the list of services as follows:

Looking at the properties gives you the details of the service, including the location of the file and description.

In the case of Sirefef, the registry entry appears to be the same as the one for Chrome:

There appear to be two "gupdate" registry entries. The real Google Update entry is marked in the image above. There are now two entries in the services list which are almost identical, including the description of the service:

The real service is marked in the image above. Looking at the properties of the Sirefef service, you can see how it differs from the real service.

Of course the illusion breaks down if the Sirefef registry entry is viewed without Unicode support:

The image below is the Unicode string including the RLO character used by Sirefef:

This demonstrates yet another concerted attempt by malware to hide itself in plain sight by pretending to be something it is not. It may make it difficult for someone doing a cursory check to determine if they are infected. As always, make sure you have up-to-date antimalware software and install the latest Windows updates.  Raymond Roberts
MMPC        
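The post's screenshots are not reproduced on this page, so here is a check you can run yourself. It is an added example, not code from the MMPC post: the script walks the service keys under HKLM\SYSTEM\CurrentControlSet\Services and flags any key name, DisplayName, ImagePath or Description that contains a Unicode bidirectional control character (the right-to-left override U+202E that Sirefef uses, plus its siblings U+202A to U+202E and the isolates U+2066 to U+2069). Each hit is printed with those characters escaped as \uXXXX, so the real ordering of the string is visible instead of the rendered illusion. The function names, the set of fields scanned and the output format are this example's choices; the post does not specify them. It assumes you run it on the host being inspected, preferably from an elevated prompt so no service key is skipped.

```powershell
# Added example (not part of the MMPC post): find service registry entries that
# use Unicode bidi control characters to masquerade as a legitimate service.
# Read-only: it only enumerates HKLM:\SYSTEM\CurrentControlSet\Services.

# Bidi embedding/override/pop (U+202A-U+202E) and isolate (U+2066-U+2069) controls.
$BidiPattern = '[\u202A-\u202E\u2066-\u2069]'

function ConvertTo-EscapedBidi {
    # Return the string with every bidi control character replaced by \uXXXX,
    # so "gupdate" followed by U+202E is shown as gupdate\u202E rather than reversed text.
    param([Parameter(Mandatory)][string]$Text)
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Text.ToCharArray()) {
        if ([string]$ch -match $BidiPattern) {
            [void]$sb.AppendFormat('\u{0:X4}', [int]$ch)
        } else {
            [void]$sb.Append($ch)
        }
    }
    $sb.ToString()
}

function Find-BidiServiceEntry {
    # Emit one object per (service, field) whose value contains a bidi control character.
    [CmdletBinding()]
    param([string]$Root = 'HKLM:\SYSTEM\CurrentControlSet\Services')

    foreach ($key in Get-ChildItem -Path $Root -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        # The fields a cursory look in services.msc relies on.
        $fields = [ordered]@{
            KeyName     = $key.PSChildName
            DisplayName = $props.DisplayName
            ImagePath   = $props.ImagePath
            Description = $props.Description
        }
        foreach ($entry in $fields.GetEnumerator()) {
            $value = $entry.Value
            if ($value -is [string] -and $value -match $BidiPattern) {
                [pscustomobject]@{
                    Service    = ConvertTo-EscapedBidi $key.PSChildName
                    Field      = $entry.Key
                    Escaped    = ConvertTo-EscapedBidi $value
                    # Full code point dump for the value, for the incident record.
                    CodePoints = ($value.ToCharArray() | ForEach-Object { 'U+{0:X4}' -f [int]$_ }) -join ' '
                }
            }
        }
    }
}

$hits = @(Find-BidiServiceEntry)
if ($hits.Count -eq 0) {
    "No bidi control characters found under HKLM:\SYSTEM\CurrentControlSet\Services."
} else {
    $hits | Format-List
}
```

A genuine Google Update installation produces key names made of plain ASCII, so any hit on a key that renders as "gupdate" is exactly the case the post describes; compare its ImagePath against the real service's binary location shown in the service properties. A clean result from this script only rules out this one trick: a lookalike name built from other Unicode homoglyphs, or a second service with an ordinary ASCII name, would pass unnoticed, which is why the post still points you at up-to-date antimalware software rather than a visual check.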

 

Categories: MDT

Hyper-V WMI v2 Porting Guide

Virtual PC Guy's WebLog - Mon, 08/19/2013 - 17:13

I have been getting more and more questions about how to use the Hyper-V v2 WMI namespace recently – so I have just created a TechNet Wiki article that links to a number of samples / documentation pages about how to do this.  You can get all the details here:

http://social.technet.microsoft.com/wiki/contents/articles/19192.hyper-v-wmi-v2-porting-guide.aspx

Cheers,
Ben

Categories: MDT

Installing IE10 into your Windows 7 image? You’re missing an update or two…

cluberti.com - Mon, 08/19/2013 - 09:57

If you’re like me, you like to make sure the latest version of Internet Explorer supported by your organization is baked into the images you push into production, and IE10 on Windows 7 is no different. Whether you’re slipstreaming it into the base image, or (better) using MDT to rebuild your base image and including IE10 in it, Microsoft has provided a handy list of updates that you should have already included before you attempt to install IE10 on Windows 7:
How to obtain prerequisite updates for Internet Explorer 10 for Windows 7 that fail to install

That article lists five hotfix packages you will need: KB2533623, KB2670838, KB2729094, KB2731771, and KB2786081. However, the astute amongst you have probably noticed that the IE10 installer, when left to its own devices during install, actually installs six hotfix packages, not five. That “extra” hotfix package is:
“0x00000050” Stop error after you install update 2670838 on a computer that is running Windows 7 SP1 or Windows Server 2008 R2 SP1

I don’t know that Microsoft will update their KB article to include the additional update (technically it isn’t a required package for installing IE10), but there you have it. If you’re trying to match what IE10 does natively when it installs while integrating it into your own Windows 7 images (and you probably should), you will likely want to install that additional update as well as the required five.

Categories: MDT

System Center 2012 R2 Available October 18th

Microsoft Deployment Toolkit Team Blog - Wed, 08/14/2013 - 09:00

In important news today, we are extremely excited that on October 18th, eligible customers will be able to download Windows Server 2012 R2 and System Center 2012 R2, and use the latest update to Windows Intune. This is the same day that Windows 8.1 will be available to consumers and businesses worldwide. Microsoft Vice President Brad Anderson details this exciting news in his latest blog, "Mark Your Calendars for October 18th, the R2 Wave is Coming".

Read the news and give these new products a try today! You can download the preview bits here, and learn more about all the new innovations in the R2 products by following Microsoft Vice President Brad Anderson’s special blog series, “What’s New in 2012 R2”, now underway.

Get more news on the R2 wave of products by following @System_Center and Brad Anderson @InTheCloudMSFT on Twitter!

Categories: MDT
