I thought I would write this blog post to describe some observed behaviour / patterns and how this file needs to be utilised for repairing some sometimes seen damage on XP computers.

The problem I sometimes run into is: Corrupt file system or Windows installation. A repair install is undertaken. After the text-mode part of the re-install, when the GUI starts, you are prompted with message “The file ‘Asms’ on Windows XP Professional CD-ROM is needed. Type the path where the file is located, and then click OK.”

What is interesting here is that the Path in which setup is looking for the installation files is something like \\GLOBALROOT\CDROM\Blah. If you change it to D:\i386 this does not help.

So we hit CTRL-F10 for a command-prompt, then we type sysdm.cpl to fire up system properties, and we look in Device Manager. We can see that the CD-ROM device is broken. This is because of the common broken Upper / Lower filters problem. The cure for this is to enter the registry, under HKLM\System\CCS\Control\Class\4D36E965… (the one that says DVD/CD-ROM drives on the right), and remove the UpperFilters or LowerFilters (see http://support.microsoft.com/kb/314060), then reboot.

So we do the above, reboot (nicely, by clicking cancel on the “asms” prompt, or ending setup.exe through taskmgr). After the reboot, setup will automatically restart from the same point, and we hope that the CDROM drive will be working and setup will be able to find the installation files.

But it doesn’t work! We are back where we started! We hit CTRL-F10 and check in device manager, and in the registry, and the UpperFilters or LowerFilters are back! It’s like we’ve been working on a temporary copy of the registry and not the proper registry! Any changes we made were lost when we rebooted!

Well this is what SYSTEM.SAV is all about. It seems that during the in-place upgrade / repair install, Setup is moving the existing SYSTEM registry to SYSTEM.SAV, and it is dumping that into a new SYSTEM each time it is started, or something to that effect.

So, if we want to make registry changes during setup that will be effective upon reboot/restart of setup, we need to make the changes in SYSTEM.SAV. Go into regedit (CTRL-F10 -> regedit). File -> Load Hive. Find the file SYSTEM.SAV in \windows\system32\config, load it, enter “system.sav” for the name. It will show up under that name. Find the UpperFilters or LowerFilters or whatever you need to modify under the system.sav part that now appears in regedit, make the changes, then highlight system.sav again and go to File -> Unload hive.

Reboot, let setup restart, and watch it work*

*You may need to remove the CD-ROM drive from Device Manager (CTRL-F10 -> sysdm.cpl) and then “Scan for hardware changes”..

The Vodafone UK supplied E72 doesn’t seem to be sim-locked and took my o2 sim card just fine, but I wasn’t happy with the Voda customised firmware, and I wanted the latest firmware update which isn’t available for the Voda product code.

As I have done many times before, I used Nemsis service suite to change the product code to 0573569, which is some EURO – BLACK product code. This product code had the latest firmware available anyway.

I then used Nokia Software Updater and it told me there was new firmware available and it did the upgrade.

That was over an hour ago and the phone has been bricked since, that is until I did a hard reset just now. Phew!

When the USB cable was plugged into the phone, the Nokia USB Flashing Parent device would be detected in device manager for about 10 seconds, then the phone would bleep and it would disappear. NSS, Nokia Software Updater, and Phoenix all couldn’t see an attached deviced.

I was getting ready to tell my supplier that I’d broke another phone (I had an E55 die after not very long ..)

I’m still not quite sure if it’s *, 3, Green/Dial that have to be held down on the full QWERTY Nokias, or if it was Shift, Space, Backspace. I think it was the latter. Anyway, the phone has sprung into life.

I have no idea why I was allowed to join a Windows 7 laptop called Julian-PC to the domain when there was already a Vista desktop called Julian-PC on the domain.

There were no warnings of duplicate names on the network, but adding a new computer to the domain with the same name as an existing computer caused the existing computer’s Computer/Machine Account to be overwritten in active directory, and so the machine was no longer a working domain member and kerberos/authentication was broken. We were seeing “cds.local 2: unauthenticated network” instead of just “cds.local”.

Hope this helps others.

As luck would have it, they work just fine with FreeSWITCH. I haven’t set up much though. I just called the FreeSWITCH test IVR on 5000, listened to some music on hold and an echo test from FreeSWITCH hosted on this laptop. I am looking forward to playing with the Exchange integration though.

The Avaya IP Telephone File Server application (MV_IPtel) is pretty horrible, and in the end I didn’t use that. I actually went through all the hassle of loading up a CentOS 5 virtual machine on this old pre-hardware-virtualization Ubuntu laptop, just so I could load up that app, and what a waste of time that was.

So, all that needs to be done is:

Firstly, the phone comes out of the box running H.323 firmware. You need to get into the phone’s settings by pressing # when first prompted. The default password is 27238 (CRAFT).
In there you need to change the signalling from H.323 to SIP with the SIG option. This means that upon the next bootup, when the phone finds the 96xxupgrade.txt script, the script will direct it to download the sip firmware.

While you’re in the phone’s setup, set the “File Server” to the IP address of your web server where you will be putting the firmware & config files. Also set the phones IP address if you’re not running a working DHCP server. The IP address of the file/web server should be settable as a DHCP option, I am not sure of the option number though.

You need to download the latest SIP firmware. As of this writing it is version 2.5. Download the firmware from here. Download the zip file.
While you are there, download the 46xxsettings.txt file, as this will become your configuration file where you will fill in the FreeSWITCH / Asterisk IP address/port, and any other options that interest you. Most options are there but commented out with “##”, so you just un-comment and alter accordingly.

Extract the contents of the firmware zip file, and place it, along with the 46xxsettings.txt file into the root of your web server – the 96xx phones use HTTP, not TFTP.

Edit the 46xxsettings.txt file: un-comment (remove the two ##’s from the beginning of) the SIP_CONTROLLER_LIST line (about line 2829 in my version of the config file), and edit the line according to the IP address and transport type of your SIP server. In my case, I am using plain SIP over TCP on port 5060, so that line looks like this:
SET SIP_CONTROLLER_LIST 192.168.1.1:5060;transport=tcp

Save that file, boot up the phone and let it do its stuff. When the phone asks you to log in, you just enter a valid extension number and password and you’re away. Now, I’d better go and buy some more of these phones before they’re all gone off eBay!

In any case, this is something to look for when EAS does not work. The IIS logfiles show the requests for /exchange-oma, which does not exist.

The key issue here is that in attempting to fix a problem, the IT person compounds the problem with exactly the same symptoms but a totally different cause. They probably then move on and fix the initial cause of the problem, but it still doesn’t work because they just goofed up the ExchangeVdir stuff.

Rather than transferring manually, here’s what I did:
fdisk
change partition type of RAID partition from type fd (linux raid autodetect) to 83 (linux ext). This might not be necessary, but it should prevent the kernel from auto-configuring RAID for that partition.
cd /etc
mv mdadm.conf mdadm.conf.old (i.e. remove the mdadm.conf configuration file, but keep as a backup just in case).
mkinitrd /boot/initrd-noraid-`uname -r`.img `uname -r`
(basically we’re doing “mkinitrd /boot/initrd-noraid-2.2.15-el5.img 2.2.15-el5″ if 2.2.15-el5 is your running kernel version.. the uname -r substitutes this for us.)
cd /boot/grub
edit grub.conf and change kernel boot parameter root= to reflect partition without raid, e.g. change from /dev/md0 to /dev/sda2, also change the initrd= line to /boot/initrd-noraid-x.x.x.img

Now the initial ramdisk has no mdadm.conf, and the partition type is no longer set to linux raid autodetect (type fd).
Power down, remove one of the RAID1 disks, and the system should boot and run now off the other disk without RAID.

VMWare converter now works. Job’s a good ‘un.

Fix: (download subinacl first).

subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f
subinacl /subdirectories C:\ /grant=administrators=f
subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=system=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=system=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=system=f
subinacl /subdirectories C:\ /grant=system=f

It seems that when accessing OWA through Firefox or Epiphany on Linux, we’re only given the option of OWA Light, therefore exactly the same experience as with Exchange 2007.

Firefox on Win32 works as expected. How obviously intentionally lame.

Fortunately we can override the useragent in both Firefox and Epiphany (my preferred browser due to FF’s annoying right-click Linux bug).

Go to about:config in the address bar, click on the “I’ll be careful” thing to carry on, and right-click, create a new String, called general.useragent.override with the following as the data:

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8

Close and reopen Epiphany or Firefox and Exchange 2010’s OWA Premium works perfectly

Note: you must close all Epiphany or Firefox windows for this to take effect.

Even better is that you can use Prism to launch OWA “as an application”. You will need to edit /usr/share/prism/default/preferences/webrunner-prefs.js and add the following line:

pref(“general.useragent.override”, “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8″);

See screenshot below:

OWA Premium from Exchange 2010 launched through Prism on Ubuntu Jaunty

Customer’s computer appears to be infected with something.

Banking websites such as rbsdigital.com , lloydstsb.com, hsbc.com , well, the website displays perfectly except that the security phrase box asks for the whole phrase instead of just particular characters from the phrase.

It’s as though something is intercepting and re-writing the page as it’s displayed (url and cert look fine, DNS of sites resolve fine).

Computer has various infections on it by the looks of it – twext.exe which I’ve come across enough times, and various random .dll’s fired up through rundll32.

What’s concerning me is how the page is modified in-line and the url and certificate are spot on.

Here’s the analysis results for the .dll, called through Run -> rundll32. Doesn’t look good for detection.
http://www.virustotal.com/analisis/9ec1b577f2bf5688597dc1c911bea47d

Here are the results for twext.exe, called through Winlogon -> Userinit.
http://www.virustotal.com/analisis/ae4eda13de80161b65b3a18122ead92f

c:\windows\system32\a.exe , doesn’t appear to be called from anywhere that I’ve noticed yet, but obviously suspect filename and file date. Same file as twext.exe.
http://www.virustotal.com/analisis/ae4eda13de80161b65b3a18122ead92f

c:\windows\system32\userinit32.exe , called via addition to Winlogon > Userinit, hidden from Windows API and only visable with icesword, but registry modification was re-creating itself after removal. File timestamp on this one is 2004-08-11 , same as most stock XP files.
http://www.virustotal.com/analisis/cf0b882c689a513443845f3edea5cb16
Microsoft Antivirus (whatever that is) misses this one.

c:\windows\usebexuyiruburu.dll – can’t remember where this was called from. Think it was HKCU -> Run, whereas others were HKLM -> Run
http://www.virustotal.com/analisis/4407b4eb1474268be3033b8268608877
Again Microsoft Antivirus does well while nearly all the other 38 antivirus programs fail.