7

These type of blog entries were always popular in the Windows XP and Windows Vista time frame. You'll notice that this list is smaller than the Vista post-RTM / pre-SP1 list I made a few years ago. It isn't a coincidence. There were some major overhauls and redesigns in the Vista time frame.

Despite what the press might have said, and what users experienced during the early days of buggy Vista drivers, the end results have been mostly worth it. You see Windows 7 getting "rooted" must less often than XP, and the same can be said for malware especially if you leave UAC enabled. I tend to restart my laptop only when security updates come out, otherwise I put it to sleep or hibernate. Some of these fixes listed below are related to sleep and hibernation issues and have definitely helped me.

Keep in mind, if you aren't having issues with the items below, you can safely skip installing these. Many of these are corner cases or uncommon scenarios, but I happen to hit a few of them.

Core OS
KB 977346 - The Welcome screen may be displayed for 30 seconds during the logon process after you set a solid color as the desktop background in Windows 7 or in Windows Server 2008 R2

KB 977542 - A hotfix is available to block standard users from logging on to a Window 7-based or Windows Server 2008 R2-based computer in safe mode

KB 976746 - Error message when a Windows Server 2008 R2-based or a Windows 7-based computer enters hibernation: "STOP: 0x0000000A"

KB 975992 - After you enable large pages for a process in Windows 7 or in Windows Server 2008 R2, the process stops responding intermittently

KB 975680 - Virtual Disk Service (VDS) crashes when you try to extend a dynamic volume in an NTFS file system on a computer that is running Windows Vista, Windows Server 2008, Windows Server 2008 R2, or Windows 7

IDE/SATA/Firewire
KB 976418 - After you change the SATA mode of disk devices to use the AHCI specification, the computer or certain applications randomly stop responding for 60 seconds or for longer in Windows 7 and in Windows Server 2008 R2

KB 977178 (newer than KB 976418) - You receive various Stop error messages in Windows 7 or in Windows Server 2008 R2 when you try to resume a computer that has a large SATA hard disk

KB 975500 - Low performance when you transfer a large file between an external IEEE 1394 device and a computer that is running Windows 7 or Windows Server 2008 R2

KB 977186 - Error message when you try to resume a Windows 7-based or a Windows Server 2008 R2-based computer from hibernation: "Stop 0x0000009F"

Multimedia
KB 975538 - Audio devices are missing or are displayed as "Not plugged in" after you restart a the computer that is running Windows 7 or Windows Server 2008 R2

KB 975450 - You may experience display corruption issues on certain Intel graphics processing unit (GPU) chipsets in Windows 7 (hardware bug - use driver 15.4.4 or higher)

KB 979303 - Audio playback and capture applications hang

KB 975806 - The video image flickers when you configure Windows Media Player 12 to display the subtitles of a DVD in Windows 7 or in Windows Server 2008 R2

KB 975617 - An update is available for the UDF file system driver (Udfs.sys) for Windows 7 and Windows Server 2008 R2

KB 976417 - High CPU usage in the Explorer.exe process when you open a folder that contains corrupted .wav files in Windows 7 or in Windows Server 2008 R2

Networking
KB 976658 - The memory of the nonpaged pool may leak when you enable IPsec on a computer that is running Windows Server 2008 R2 or Windows 7

KB 975851 - When you resume a computer that is running Windows 7, WWAN devices do not automatically connect to the target 3G network

KB 978869 - Error message when you try to open a network-shared application on a client computer that is running Windows 7 or Windows Server 2008 R2: 0xc000000f

USB
KB 978258 - USB devices that are connected to a computer may not work after the computer is idle for more than one hour Windows 7 or in Windows Server 2008 R2

KB 974476 - The computer stops responding when an USB device resumes from the USB Selective Suspend state in Windows 7 or in Windows Server 2008 R2

KB 975599 - Stop error when you put a computer that is running Windows 7 or Windows Server 2008 R2 to sleep or into hibernation, or when you restart the computer: "0x9F"

Virtual PC / Windows XP Mode
KB 977632 - A computer that is running a virtual machine in Windows Virtual PC may stop responding or restart when you resume it from sleep or from hibernation in Windows 7

This definitely the strangest bug I've ever encountered with Windows 7 but I have experienced it on numerous systems because on any system that I have control over, I typically set my background to black. No wallpaper. No pattern. Just black. I also do this on Windows 2008 R2.

I would typically hear some applications loading in my tray and "ding" me for UAC access to hardware, but would still be sitting at the Welcome screen.

I originally wrote it off as a fluke when it first happened but after installing the hot fix, there is a definitely a difference in behavior.

Consider the following scenario:

You have a computer that is running Windows 7 or Windows Server 2008 R2.
You set a solid color as the desktop background.
The Desktop Window Manager Session Manager service is running.
You log on to the computer locally.

In this scenario, the Welcome screen is displayed for 30 seconds during the logon process.

This issue does not occur when one or more of the following conditions are true:
You log on to the computer by using Remote Desktop Connection.
The Desktop Window Manager Session Manager service is stopped or is disabled.
You set an image file as the desktop background.

You can read about the issue and download the fix from here.

I have come across this situation a few times now out in the field so I thought it might be a good time to describe the problem and some easy ways to mitigate or avoid the issue. The January 2010 OCS Server updates related to NTLM reminded me about this issue.

It is pretty common place to lock down, with a GPO or registry setting, the NTLM settings on member servers, domain controllers and client computers. Although uncommon, there are scenarios where you can effectively break any NTLM negotiation between domain controllers, member servers and clients.

Thankfully, these are well documented in KB 823659, “Client, service, and program incompatibilities that may occur when you modify security settings and user rights assignments”.

Consider this scenario:

OCS servers and internal network (local LAN) clients are Active Directory domain joined.
Non-domain joined clients connect through an OCS Edge.

If NTLMMINCLIENTSEC and/or NTLMMINSERVERSEC differ between clients and servers, for the internal clients and servers, Kerberos authentication will still be functional, assuming you haven't set the pool to only accept NTLM.

Clients that connect through the Edge will be rely entirely on NTLM because Kerberos is not available as an authentication method, as noted in the excellent OCS 2007 R2 Resource Kit.

If NTLM is “broken” inside the domain between domain controllers and OCS servers (front End/edge), the Office Communicator client will act as if the user entered an invalid username or password. The error message on the client computer is very misleading and everyone external will not be able to log in.

As noted in TechNet here, OCS is very particular about the NTLMv2 settings.

These settings, for server and client, can be set in a group policy under Network security: Minimum session security for NTLM SSP based (including secure RPC), or by use of a registry setting.

To directly quote Technet:
Sometimes the server will be configured to require encryption, and the client will not. In this case, the client NTLM request is not passed on by the front-end server. This situation primarily affects external users, because NTLM is the only authentication protocol that external clients can use to sign in. For example, if the server key is configured to have a value of 0x20080030, which specifies 128-bit encryption, and clients are not, clients will be unable to sign in. You should ensure that this key on the client is configured to match the server’s setting.

As operating systems have evolved, the default security settings for NTLMMINCLIENTSEC and NTLMMINSERVERSEC have been changed, which is a good thing.

By default, anything older than Windows 7 and Server 2008 R2, these registry settings will be configured to not require 128-bit encryption and not require NTLMv2 session security.

Windows 7 and Server 2008 R2 require 128-bit encryption by default, only.

As Microsoft de-emphasizes NTLM in favor of Kerberos and other plug-in authentication methods, you most likely will want to raise the minimum for NTLM for everyone as legacy operating systems are retired from your environment.

You might even want to follow the Server 2008 Security Guide (http://www.microsoft.com/downloads/details.aspx?FamilyID=5534bee1-3cad-4bf0-b92b-a8e545573a3e) when setting up your policies, which specifies requiring 128-bit encryption and NTLMv2 session security.

In a misconfigured environment, the packets going back and forth between the OCS Edge and OCS Front End will look normal except that the NTLM negotiations will always fail.

The obvious fix is to make sure you have these settings consistent across your organization to begin with and you will never see this problem. It can be problematic if you configure all the servers without configuring all clients with identical settings because clients will be unable to connect to your OCS servers through the Edge without modifying their default operating system settings.

In particular, if you have an unmanaged client environment outside of the office (a very common scenario), you might want to provide the following registry file as a way to help secure your environment and enable unmanaged clients to connect:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
"NtlmMinClientSec"=dword:20080000
"NtlmMinServerSec"=dword:20080000

Those registry settings above are equivalent to configuring the following group policy with these options, for client and server:




On a somewhat related note, since we are touching upon NTLM, one of the best tutorials about NTLM gotchas appeared in the August 2006 Security Watch article by Jesper Johansson.

In particular, pay attention to the section detailing the specifics of LMCompatibilityLevel.

In group policy, LMCompatibilityLevel, has a description that looks promising as a potential “most compatible secure” setting but does not behave like the description might lead you to believe.

If you set LMCompatibilityLevel to 1 (Send LM and NTLM – use NTLMv2 session security if negotiated), LM, NTLM and NTLMv2 will be accepted but NTLMv2 will never be sent from the client.

Using 1 might look appealing in a debugging scenario but I would use LMCompatibilityLevel set to 5 to eliminate use of the LM and NTLMv1 protocols.

The gory details are best explained in the above mentioned Security Watch article.

Overall, assuming all your software and operating systems on your network work properly with NTLMv2, I recommend using the recommendations from the Server 2008 Security Guide and setting NTLMMINCLIENTSEC and NTLMMINSERVERSEC to 0x20080000 for all servers and clients. You’ll avoid the OCS Edge headache and you will help avoid older l0phtcrack attacks.

Windows 7 and Server 2008 R2 add some handy NTLM auditing policies that can be used to restrict NTLM but also audit NTLM usage. You can configure the restrictions in audit only mode to see what servers and clients are using NTLM for authentication. It can be handy as a debugging tool and I used it originally when I initially ran into this issue. A good writeup about this can be found here on the Microsoft site. Using these new tools, you might be find applications you never knew that were using NTLM and potentially verify that you can enable NTLMv2 only everywhere.

This update (KB 976135) contains the following fixes:

KB 978161 - Office Communicator 2007 R2 crashes when you receive an incoming instant message notification

KB 978162 - A hyperlink is converted to plain text format when you input the hyperlink into an Office Communicator 2007 R2 conversation window

KB 978163 - You cannot call a user by using the Actions button in Office Outlook 2007, but you can call the user through Office Communicator 2007 R2

You can download the update here.

I'm not sure if this client update addresses the compact delta GAL/stale GAL problem mentioned here yet or not.

Update: I had the version wrong in the title originally and a few new discoveries have surfaced. This version has the proper 64-bit MAPI/EWS/API support for 64-bit Office 2010, which means that Outlook integration (missed call notification, voice mail notification, "In a meeting" status) works for people brave enough (like me) to go completely 64-bit with Office 2010.

Also of note, which might be a side effect of the new 64-bit support, the client is now reporting "x64" instead of "x32" to the OCS Client Filter, as already noted numerous places. Read more about it here and here. For now, it is best just to duplicate your "x32" directory structure as "x64" until a "real" x64 client is available with patches or further guidance is provided from MS. I'm going to update my Client Filter post to reflect this shortly too.

If you head over to the Adobe labs section, you can pick up the new beta version of Flash Player 10.1 for IE and non-IE browsers. While you are at it, if you have an ATI/AMD video card, pick up the new Catalyst 9.11 that add support for this feature in most newer card. What does this bring to the table? Lower CPU usage and potentially better battery life.

I do believe that there are also new NVidia and Intel video card drivers out or coming out shortly to add direct support for this feature. Pretty neat.

If you want a quick reference for customers or yourself, which seems to be updated as more products become supported under 2008 R2, go to the Microsoft website here.

The most interesting aspect, at least to me, is that there looks to be upcoming support for Server 2008 R2 for OCS 2007 R2 and later versions, and as mentioned on the Exchange blog, support for Exchange 2007 SP2+. The reversal of support on Exchange is a very welcome one in my eyes.

What I am about to describe below definitely falls under the 'unsupported' and 'not-an-intended-use' category for Intel Turbo Memory. I debated about posting this for a few months but it has worked well enough for me that I feel secure in describing how to do this. Of course, if something breaks, please let me know in the comments section and we'll get it documented.

Typically Intel Turbo Memory is included as a mini-PCIe option on laptops and some desktops, and provides an embedded version of ReadyBoost and/or ReadyDrive. Most computers have enough RAM these days so the boost from ReadyBoost is pretty minimal.

With that in mind, I figured I would try to see if I could re-purpose the Turbo Memory. In Windows 7 (as of driver version 1.10.0.1012), the memory is exposed to the OS as a Storage Controller with a disk volume of IMD-0.



By default, it will automatically enable and control the entire volume.



What you want to do is open diskmgmt.msc and look for a volume that is about 75% of advertised size of the RAM. In my case, I have 2GB which shows up as 1.37GB due to some of the space being used for ReadyDrive.

If you set the View to Disk List, the Device Type will be listed as UNKNOWN instead of IDE or USB or SCSI.

You'll want to delete this volume but make sure it is the Turbo Memory! After deleting the volume, create a new simple MBR volume from what you just deleted. Format the drive as FAT16 with 64KB cluster size. You can use other block sizes if you want less waste on smaller files. NTFS is a bit of an overkill for most scenarios too. Feel free to experiment and report your findings.

After formatting, assign it a drive letter and enjoy a persistent RAM disk, as long as you don't rebuild your computer or upgrade your Turbo Memory driver.

The end result will look something like this:



Uses for this new drive

1. Store your Windows Search index on the new drive. In my case, under R:\TEMP\INDEX\. You can easily move your index by going into the Control Panel, under Indexing Options, under Advanced and selecting Select New. After restarting the Windows Search service, the index will move from the original location to the newly created Turbo Memory drive.

Why do this? Less hard drive thrashing overall and faster search results inside Windows and Outlook. Instead of the index and the content residing on the same drive spindle, you have a 'pseudo' SSD dedicated to your Windows Search index. The old joke about making Vista faster was to do net stop wsearch, but this is no longer needed using this method.

2. Set your TEMP and TMP environment variables to use the drive for temporary storage/scratch space. In my case, I set my user TEMP and TMP variables to R:\TEMP\USER and my system TEMP and TMP variables to R:\TEMP\SYSTEM. Make sure to create these directories on the drive before applying the settings.

3. Internet Explorer disk cache location - I set IE to store cache inside R:\TEMP\IE and limit the size to a small amount.

4. Firefox disk cache location - Using about:config, I set browser.cache.disk.parent_directory to R:\TEMP\FF. In order to avoid stalls on fsync on Firefox 3.x due to SQLite, you can also add toolkit.storage.synchronous set to 0 in about:config. I know this quirk is being addressed in Firefox 3.5+, so it will soon be a non-issue. You do have a slight risk of corruption of Firefox SQLite tables, but in practice, I have not experienced any.

Things to watch out for
If you do upgrade the Turbo Memory driver in the future, you will want to reset your TEMP and TMP variables back to the original values in order to ensure that you can log in properly into your computer. The Windows Search index and IE/FF caches can be dynamically regenerated after you redo the drive setup.

I have experienced scenarios/programs that required more than 1.3GB of free temporary space so I sometimes set the variables back to the original hard drive location on a case by case basis.

Conclusion
Please let me know if you think of new uses for this and I will add them to this blog entry. It has worked well for me since W7 RC and it should work well for you too. It has even inspired me into looking into cheap 4GB Robson modules or a secondary bay SSD.

Meeting Location:
Partners in Dental Care
2565 Forest Hill Ave SE Suite #200
Grand Rapids MI

(lower level - use side entrance
from parking lot on North side)

Time: 6:00p.m. to 8:30p.m.

Between now and October 22, 2009 the new Operating System will be rolled out to the different channels and then available for the consumer to purchase.
Come listen to Matt Hester, Microsoft TechNet Presenter, as he shares with us the latest offerings and availability on Windows 7 and Server 2008 R2.

Do you have questions? Of course you do!

Oh yeah - if the topics don't interest, you maybe some of the door prizes he will bring for our members will change your mind ... but you can say it was the educational material and networking!

Unless something comes up last minute, I plan on being there too to answer any questions people might have.

Host a Windows 7 house party and potentially win a PC, and at the very least, get a copy of Windows 7 Ultimate. I applied and hopefully will be chosen. Sounds like it could be a fun event.

Read more about it here.

Side note: I've been gone from the blog for a few weeks but I have plenty of blog entries related to Windows 7 and OCS shortly.

I'm just trying to highlight some of the lesser known documents that are coming out now that Windows 7 has been released - everyone else does a great job of covering the major downloads so I don't typically clutter up my blog with those type of announcements. This also is a good time killer when stuck in an airport lobby.

In particular, here is a good document explaining the changes related to 3G/EVDO/etc mobile broadband drivers with Windows 7:

Windows 7 mobile broadband drivers use the new features introduced by Network Driver Interface Specification (NDIS) 6.20. In Windows 7, mobile broadband devices integrate differently with Windows 7 than they did with Windows Vista® and Windows XP, when they appeared to the operating system Ethernet or dial up networking/modem devices. This paper discusses important changes in the mobile broadband drivers for Windows 7. This information applies for the Windows 7 operating system.

Download the document from here.

You can download the release candidate for Windows 7 XP Mode here.
You can download the release candidate for Virtual PC (for Windows 7) here.

Also, there is an update to support RemoteApp for Vista SP1 and XP SP3 virtual machines.

I blogged about a post-SP2 Outlook 2007 release that optimized Exchange server connections and now there is a new cumulative update available that adds some performance improvements for certain operations with Windows 7 and for those that have experienced slow performance with Office 2007 Service Pack 2.

The June 30th, 2009 Outlook update (KB 970944) includes many updates that are of interest mostly to developers but I have highlighted a few of the updates that have proven to be noticeable to end users:

This hotfix provides an improvement to Outlook 2007 if performance is slow after you install 2007 Office Service Pack 2 (SP2).

In your mailbox, a folder contains thousands of subfolders, such as the Inbox folder or the Calendar folder. After you install the February cumulative update, when you try to check the size of the folder, you receive an error in the Folder Size dialog box. After that, when you try to open the folder or some subfolder, you receive the following error message: Cannot display the folder. Your server administrator has limited the number of items you can open simultaneously. Try closing messages you have opened or removing attachments and images from unsent messages you are composing

You start Outlook 2007 in Cached Exchange Mode and with the reading pane active. If an e-mail message that contains a custom form that has code is displayed in the reading pane, CPU usage increases or Outlook even crashes. This problem occurs after you install Office SP2.

When you are running Outlook 2007 on a Windows Vista-based computer that uses high DPI (for example, 120 DPI), icons for custom forms will not be displayed.

On a computer that is running Windows 7, the Delete and Sync operations perform slowly in Outlook 2007 after you install SP2.

A hotfix enables you to set the download mode for IMAP accounts in Outlook 2007 and to configure the setting to sync the mailbox when you exit Outlook 2007

When you send an e-mail message from a shared mailbox in Outlook 2007, the sent message is not saved in the Sent Items folder of the shared mailbox

In Outlook 2007, when you view a group schedule in Calendar, the text in the group schedule is blurry. In this case, visually-impaired users cannot read the text in the group schedule.

In the past, NVidia had the upper hand when it came to driver quality in Windows 2K/XP era, but these days, ATI/AMD seems to have the more stable drivers for Vista and Windows 7.

With that said, check out the new release mentioned here and download them from here.

As always, for the mobility chipsets, I recommend using the Driver Heaven ModTool.

As seen here, take a short survey before June 30th 12pm PDT for a chance to win a copy of Windows 7 Ultimate.

The survey link is here.

This one might seem obvious but it actually makes a difference in performance numbers overall. You also avoid the journaling aspect of NTFS that is unneeded with a cache device.

If you dedicate the device to ReadyBoost, you will only have one file on the filesystem, so any slack/waste in the 64K cluster size will be made up from the lack of $MFT reservations.

Also noteworthy but often overlooked, you can multiplex ReadyBoost devices in Windows 7 so you can use multiple ReadyBoost drives if you really want. This helps out XP Mode on memory starved machines quite a bit.

If you are looking for a Windows 7 compatible version of the Turbo Memory driver from Intel, use version 1.10.0.1003 or higher. You can find a version of this on Station Driver's page here. I don't believe these have reached Intel's page yet, even though they are WHQL signed. The interesting side effect is that the new driver will enable ReadyBoost on the Turbo Ram without assigning a drive letter or file system to it. Pretty cool.