by MLK

How to boot-up the Windows Server 2008 Preinstallation Environment from WIM Image

9:15 PM in Windows Events, Windows Scripts by MLK

Description/Problem:
We spent several days installing MS Windows Server 2008 (x86/x64) systems. For these servers we needed a flexible emergency solution (fast boot-up to a recovery console) that would allow us to restore the server from local or remote backups, restore critical files, remove malware, recover a corrupted system registry or file system, etc. We chose the Windows Server 2008 Preinstallation Environment (PE) with the integrated Microsoft Diagnostics and Recovery Toolset (MS DaRT). In addition to the standard DVD edition, we wanted to boot the recovery solution from the local system as well. For this reason we created a small script that modifies the Boot Loader.

You can also use this script on systems that are pre-installed via the SysPrep tool. In that case, store the script in the folder “C:\Windows\Setup\Scripts” in the file “SetupComplete.cmd”, which is executed after the SysPrep process.

Solution:

  • Copy “\boot\boot.sdi” from the DVD to “C:\boot” on the system disk
  • Create a new folder called “recovery” on the system disk C: and set the hidden flag on the folder (only)
  • Copy “\sources\boot.wim” from the DVD to “C:\recovery” on the system disk
  • Create a new batch file, save the script below into it and execute it

rem Create the {ramdiskoptions} object and point it at boot.sdi
bcdedit /create {ramdiskoptions} /d "Microsoft Windows Server 2008 Recovery Console"
bcdedit /set {ramdiskoptions} ramdisksdidevice partition=c:
bcdedit /set {ramdiskoptions} ramdisksdipath \boot\boot.sdi
rem Create the OS loader entry and capture its GUID (third token of the bcdedit output)
for /f "tokens=1-3" %%a in ('Bcdedit /store c:\boot\bcd /create /d "Microsoft Windows Server 2008 Recovery Console" /application osloader') do set WINPE_GUID=%%c
rem Boot the loader entry from the boot.wim ramdisk as Windows PE
bcdedit /set %WINPE_GUID% device ramdisk=[c:]\recovery\boot.wim,{ramdiskoptions}
bcdedit /set %WINPE_GUID% path \windows\system32\boot\winload.exe
bcdedit /set %WINPE_GUID% osdevice ramdisk=[c:]\recovery\boot.wim,{ramdiskoptions}
bcdedit /set %WINPE_GUID% systemroot \windows
bcdedit /set %WINPE_GUID% winpe yes
bcdedit /set %WINPE_GUID% detecthal yes
rem Show the boot menu for 10 seconds and add the new entry at the end of the list
bcdedit /timeout 10
bcdedit /displayorder %WINPE_GUID% /addlast
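
A read-only check of the result of the steps above, as an added example that is not part of the original post. It assumes an elevated PowerShell prompt, English bcdedit output, and the paths and description used in the script above.

```powershell
# Added example: read-only check of the recovery boot entry. Assumes an elevated
# prompt, English bcdedit output and the paths/description used in the post.
$description = 'Microsoft Windows Server 2008 Recovery Console'

foreach ($path in 'C:\boot\boot.sdi', 'C:\recovery\boot.wim') {
    if (-not (Test-Path -Path $path)) { Write-Warning "Missing file: $path" }
}

# The post sets the Hidden flag on the recovery folder only.
$folder = Get-Item -Path 'C:\recovery' -Force -ErrorAction SilentlyContinue
if ($folder -and -not ($folder.Attributes -band [IO.FileAttributes]::Hidden)) {
    Write-Warning 'C:\recovery is not hidden'
}

# Split "bcdedit /enum all" into one text block per BCD object.
$raw     = (& bcdedit.exe /enum all) -join "`n"
$entries = $raw -split "`n\s*`n" | Where-Object { $_ -match '(?m)^identifier\s' }
$bootmgr = $entries | Where-Object { $_ -match '(?m)^identifier\s+\{bootmgr\}' }

# The loader entry is the object with the post's description and a winload.exe path
# ({ramdiskoptions} carries the same description but has no path element).
$loaders = @($entries | Where-Object {
    $_ -match '(?mi)^path\s+\\windows\\system32\\boot\\winload\.exe' -and
    $_ -match [regex]::Escape($description)
})
if ($loaders.Count -eq 0) { Write-Warning 'Recovery loader entry not found' }

foreach ($entry in $loaders) {
    $id = [regex]::Match($entry, '(?m)^identifier\s+(\{[^}]+\})').Groups[1].Value
    $checks = @{
        'device is the boot.wim ramdisk'   = $entry -match '(?mi)^device\s+ramdisk=\[c:\]\\recovery\\boot\.wim,'
        'osdevice is the boot.wim ramdisk' = $entry -match '(?mi)^osdevice\s+ramdisk=\[c:\]\\recovery\\boot\.wim,'
        'systemroot is \windows'           = $entry -match '(?mi)^systemroot\s+\\windows\s*$'
        'winpe is Yes'                     = $entry -match '(?mi)^winpe\s+Yes'
        'detecthal is Yes'                 = $entry -match '(?mi)^detecthal\s+Yes'
        'listed under {bootmgr}'           = [bool]($bootmgr -match [regex]::Escape($id))
    }
    foreach ($name in $checks.Keys) {
        if ($checks[$name]) { "OK      $id  $name" }
        else                { Write-Warning "$id  $name" }
    }
}
```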

How to repair and re-register WMI

10:30 PM in Windows Events, Windows Scripts by MLK

Description/Problem:
Finding a solution without investigation and troubleshooting is sometimes not so easy. Our last issue was related to MS Windows Server 2003 (Service Pack 2, R2 Edition), including the latest patches. The performance of this server decreased rapidly, but all system services were up and running (very slowly). We identified some errors related to Windows Management Instrumentation (WMI) in the Event Logs. The script for re-registering WMI (published in this article) did not solve our issue. Therefore, we decided to reinstall WMI.

Solution:

rem Detect and repair corrupted WMI repository
rundll32 wbemupgd, RepairWMISetup
rem Stop the WMI service
net stop winmgmt
rem Comprehensive rebuild method (Windows Server 2003 installation DVD is needed)
rundll32.exe setupapi,InstallHinfSection WBEM 132 %windir%\inf\wbemoc.inf
rem Start the WMI service
net start winmgmt

HP Insight Server Migration Pack & The memory could not be read

8:00 PM in Windows Events, Windows Scripts by MLK

Description/Problem:
Some weeks ago we used the HP Insight Server Migration Pack (HP ProLiant Server) to migrate a server from old to new hardware. The migration process finished successfully and everything seemed fine. After standard system checks and tests we identified a small problem related to the execution of some EXE files. Each attempt to execute an EXE file failed with the error message: Application error: The instruction at “0x10015026” referenced memory at “0x00000000”. The memory could not be “read”.

Solution:
Based on our investigation we identified that the problem was related to Windows Management Instrumentation (WMI). We resolved the issue by running the script below.

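@echo on
rem The fallback installer wmicore.exe (see TryInstall) is looked up in c:\temp
cd /d c:\temp
if not exist %windir%\system32\wbem goto TryInstall
cd /d %windir%\system32\wbem
rem Stop WMI and set the old repository aside as Rep_bak
net stop winmgmt
winmgmt /kill
if exist Rep_bak rd Rep_bak /s /q
rename Repository Rep_bak
rem Re-register the WMI DLLs and EXE servers, then recompile the MOF/MFL files
for %%i in (*.dll) do RegSvr32 -s %%i
for %%i in (*.exe) do call :FixSrv %%i
for %%i in (*.mof,*.mfl) do Mofcomp %%i
net start winmgmt
goto End
rem Subroutine: register one EXE server, skipping wbemcntl.exe, wbemtest.exe and mofcomp.exe
:FixSrv
if /I (%1) == (wbemcntl.exe) goto SkipSrv
if /I (%1) == (wbemtest.exe) goto SkipSrv
if /I (%1) == (mofcomp.exe) goto SkipSrv
%1 /RegServer
:SkipSrv
goto End
rem The wbem folder does not exist: install WMI from wmicore.exe if it is available
:TryInstall
if not exist wmicore.exe goto End
wmicore /s
net start winmgmt
:End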

Non-administrator users were not able to logon over GUI

3:30 PM in Windows Events by MLK

Description/Problem:
We identified another issue: non-administrator users were not able to log on through the graphical user interface to Windows Server 2003. This server was operated as a standard file & print server with basic security settings. The users did not receive any error message; they only saw the desktop background color.

Solution:

With Process Monitor (an application from Windows Sysinternals) it is possible to monitor the logon process:

  • Process winlogon.exe called userinit.exe,
  • Process userinit.exe read the shell from the registry and called explorer.exe,
  • Process explorer.exe crashed during the startup procedure,
  • Process userinit.exe kept running without a shell,
  • As a small test we defined a new shell in the registry – winver.exe,
  • The user logon process ran without any problem and winver.exe started as the shell,
  • We rolled back the changes and compared the results from Process Monitor,
  • The difference was that explorer.exe tried to access the “%windir%\registration” folder, where the permissions were missing for users and also for the system account,
  • We enabled inheritance of permissions for the folder “%windir%\registration”,
  • Users are able to log on without any problems.

Troubleshooting Event ID 333 & NTUSER.DAT bloated to 60MB

11:00 PM in Windows Events, Windows Printing, Windows Registry by MLK

Description/Problem:
Everything worked fine for several weeks. After that we identified a strange issue on a Windows 2003 Terminal Server (Service Pack 2) related to Event ID 333 written to the system event log. This error indicates that the operating system is not able to flush out or write to the registry hive. The symptoms that accompany an Event ID 333 can vary between server hangs, “Insufficient resources exist to complete the requested service” errors, etc. In our case the solution was not so easy because all user profiles contained an NTUSER.DAT file with a size of about 40 – 60 MB!

Solution:

  • Take a backup of the registry key below and delete all the entries under it:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Hewlett-Packard
  • Disable the PML Driver HPZ12 service,
  • Take a backup of the numerous entries under the registry keys below and delete them:
    HKEY_LOCAL_MACHINE\System\ControlSet001\Control\DeviceClasses\{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\##?#Root#RDPDR#0000#{28d78fad-5a12-11d1-ae5b-0000f803a8c2}
    HKEY_LOCAL_MACHINE\System\ControlSet003\Control\DeviceClasses\{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\##?#Root#RDPDR#0000#{28d78fad-5a12-11d1-ae5b-0000f803a8c2}
  • Delete all the user profiles on the Terminal Server,
  • Log on to the Terminal Server with a valid user account,
  • Check that the NTUSER.DAT file size is about 200 – 400 kB.

Some additional information related to this issue is also published in the TechNet article: Troubleshooting Event ID 333 Errors.
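
A way to spot the condition described above before and after the clean-up, as an added example that is not part of the original post. It assumes Windows PowerShell, the Windows Server 2003 default profile root, and an illustrative 1 MB threshold chosen between the healthy 200 – 400 kB and the 40 – 60 MB sizes mentioned in the post.

```powershell
# Added example: list NTUSER.DAT sizes per profile and count Event ID 333 entries.
# Assumptions (not from the post): profile root, threshold and look-back window.
$profileRoot    = 'C:\Documents and Settings'
$thresholdBytes = 1MB
$days           = 7

# NTUSER.DAT is a hidden file, so Get-Item needs -Force to return it.
$hives = Get-ChildItem -Path $profileRoot -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object {
        $hivePath = Join-Path $_.FullName 'NTUSER.DAT'
        if (Test-Path -Path $hivePath) {
            $file = Get-Item -Path $hivePath -Force
            New-Object PSObject -Property @{
                Profile   = $_.Name
                SizeKB    = [math]::Round($file.Length / 1KB)
                Bloated   = $file.Length -gt $thresholdBytes
                LastWrite = $file.LastWriteTime
            }
        }
    }

$hives | Sort-Object SizeKB -Descending |
    Format-Table Profile, SizeKB, Bloated, LastWrite -AutoSize

$bloated = @($hives | Where-Object { $_.Bloated })
"{0} of {1} profiles exceed {2} KB" -f $bloated.Count, @($hives).Count, ($thresholdBytes / 1KB)

# Event ID 333 in the System log: the registry hive could not be flushed or written.
$since  = (Get-Date).AddDays(-$days)
$events = @(Get-EventLog -LogName System -After $since -ErrorAction SilentlyContinue |
    Where-Object { $_.EventID -eq 333 })
"{0} Event ID 333 entries in the last {1} days" -f $events.Count, $days

# Per-day counts show whether the errors stop after the profiles are rebuilt.
$events | Group-Object { $_.TimeGenerated.Date.ToString('yyyy-MM-dd') } |
    Sort-Object Name | Format-Table Name, Count -AutoSize
```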

KB956189: Services not start/work correctly after installation of DNS Server Security Update (KB953230)

7:30 PM in Windows Events by MLK

Description/Problem:
Maybe you also know the situation where, after installation of new security updates, some system services do not start or work correctly. The next step is very often investigating what is wrong and how to solve the issue. One helpful solution is described in this KB article.

Solution:
KB956189

Non-administrator users were not able to logon over GUI

11:12 PM in Windows Events by MLK

Description/Problem:
Some weeks ago I had an issue related to non-administrator users who were not able to log on through the graphical user interface to Windows Server 2003. This server was operated as a domain controller with basic security settings.

Solution:

  • Set the correct file system permissions on the folder “%systemroot%\WinSxS” and all sub-folders:
    BUILTIN\Administrators:(OI)(CI)F
    NT AUTHORITY\Authenticated Users:(OI)(CI)R
    CREATOR OWNER:(OI)(CI)(IO)F
    BUILTIN\Server Operators:(OI)(CI)R
    NT AUTHORITY\SYSTEM:(OI)(CI)F
  • Set the correct file system permissions on the folder “%systemroot%\AppPatch” and all sub-folders:
    BUILTIN\Administrators:(OI)(CI)F
    NT AUTHORITY\Authenticated Users:(OI)(CI)R
    CREATOR OWNER:(OI)(CI)(IO)F
    BUILTIN\Server Operators:(OI)(CI)R
    NT AUTHORITY\SYSTEM:(OI)(CI)F

You can use the tool called Extended Change Access Control List (Xcacls) to easily set up specific file system permissions for files or folders.
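
A report-only audit of the permissions listed above, which also covers the “%windir%\registration” inheritance problem from the earlier logon post; it is an added example, not part of the original posts. It assumes English account names as written in the list, checks only the top-level folders, treats R as "at least Read", and applies to the Windows Server 2003 systems the posts describe.

```powershell
# Added example (report only, nothing is modified). Expected ACEs are taken from
# the list in the post; Prop = 'InheritOnly' corresponds to the (IO) flag.
$expected = @(
    @{ Id = 'BUILTIN\Administrators';           Need = 'F'; Prop = 'None' },
    @{ Id = 'NT AUTHORITY\Authenticated Users'; Need = 'R'; Prop = 'None' },
    @{ Id = 'CREATOR OWNER';                    Need = 'F'; Prop = 'InheritOnly' },
    @{ Id = 'BUILTIN\Server Operators';         Need = 'R'; Prop = 'None' },
    @{ Id = 'NT AUTHORITY\SYSTEM';              Need = 'F'; Prop = 'None' }
)

function Test-Rights([int]$Mask, [string]$Need) {
    $fs = [System.Security.AccessControl.FileSystemRights]
    # Some ACEs store generic bits, which Get-Acl shows as raw numbers.
    if ($Mask -band 0x10000000) { return $true }              # GENERIC_ALL
    if ($Need -eq 'F') {
        return ($Mask -band [int]$fs::FullControl) -eq [int]$fs::FullControl
    }
    # 'R': GENERIC_READ, or at least the specific Read rights (assumption, see lead-in)
    return [bool]($Mask -band 0x80000000) -or (($Mask -band [int]$fs::Read) -eq [int]$fs::Read)
}

function Get-MissingAce([string]$Path) {
    $allow = (Get-Acl -Path $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' }
    foreach ($want in $expected) {
        # (OI)(CI) maps to ContainerInherit + ObjectInherit
        $hit = $allow | Where-Object {
            $_.IdentityReference.Value -eq $want.Id -and
            $_.InheritanceFlags -eq 'ContainerInherit, ObjectInherit' -and
            $_.PropagationFlags -eq $want.Prop -and
            (Test-Rights $_.FileSystemRights $want.Need)
        }
        if (-not $hit) { '{0}: no ACE matching {1} {2}' -f $Path, $want.Id, $want.Need }
    }
}

foreach ($dir in "$env:SystemRoot\WinSxS", "$env:SystemRoot\AppPatch") {
    Get-MissingAce $dir
}

# %windir%\registration: the earlier post fixed logon by re-enabling inheritance.
$reg = Get-Acl -Path "$env:SystemRoot\registration"
if ($reg.AreAccessRulesProtected) { 'registration: inheritance is disabled' }
$ids = @($reg.Access | ForEach-Object { $_.IdentityReference.Value })
if ($ids -notcontains 'NT AUTHORITY\SYSTEM') { 'registration: no ACE for NT AUTHORITY\SYSTEM' }
```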

KB254914: 16-bit MS-DOS subsystem & virtual device driver error message

6:35 PM in Windows Events by MLK

Description/Problem:
Sometimes the installation process of a 16-bit application can fail without any visual notification or error messages in the event logs. If you are in the same situation, don’t worry: check the links to DLL files in the system registry as described in the referenced KB article.

Solution:
KB254914