
Q. How can I configure the authentication dialog box to use a local account rather than a
domain account?

A. Typically, when an authentication dialog box prompts for a username, it defaults to the
domain name, or you can specify the domain by using the format (NetBIOS domain
name)\user (e.g., savilltech\john) or user@(FQDN of domain)--for example,
john@savilltech.com.

If you want to use a local account on the machine, just pass the machine name instead of the
domain name--for example, localmac\bob. If you can't remember the local computer name,
just use a period (.) instead--for example, .\bob.

USING THE TITLE COMMAND TO MAKE YOUR MS-DOS SESSIONS EASIER TO IDENTIFY
Normally, when you start an MS-DOS window, Windows NT displays a default title in the window:
Command Prompt. If you're running multiple DOS sessions on
your workstation, it can become confusing to find the program you want to view from your Taskbar.
Fortunately, you can execute the DOS Title command to change the current window title. The
command is very easy to use. The format for the Title command is: TITLE STRING
where STRING specifies the new text for the window's title. For example, to change a DOS window title
to Accounting Software, you enter the command: TITLE ACCOUNTING SOFTWARE from the DOS
command line of the DOS window. Windows NT then changes the title of that MS-DOS session to
Accounting Software.

REVEALING NT EASTER EGGS


The developers of Windows NT couldn't resist hiding a few buried treasures in the operating system.
NT's 3D Text (OpenGL) screen saver alone contains three Easter Eggs. To view them, right-click on
the desktop and choose Properties to open the Display Properties dialog box. Click the Screen Saver
tab in this box and select 3D Text (OpenGL) from the Screen Savers drop-down list. Then click the
Settings button and enter the name of one of the Easter Eggs described below in the Text field. When
the 3D Text (OpenGL) screen saver launches, it will display the Easter Egg you requested.
Volcano: This Easter Egg displays the names of all of the volcanoes in the West Coast portion of the
Ring of Fire. (Is there only one volcano with multiple names or several volcanoes?)
I Love NT: This Easter Egg zooms the word "good" followed by a question mark around the screen.
Not Evil: The name of this Easter Egg is an anagram for I Love NT. It displays a full listing of NT's
developers.

EFFICIENT NTFS PARTITIONS


by Lance Jensen, Executive Software Technical Support Director
How you set up and use an NTFS partition can have a great deal of effect on performance. All
partitions are not created equal! In fact, two brand-new but differently set up partitions can yield
drastically different performances. Response time can degrade over time, even if you keep the partition
defragmented. In this article we'll discuss the main factors involved in keeping NTFS partitions
efficient.

The Partition Itself


Partitions should be created NTFS, not converted from FAT. On a newly formatted NTFS partition, the
Master File Table (MFT) is created at the beginning of the disk, and about 12% of the disk is
reserved for the MFT. But when you convert a FAT partition to NTFS, the MFT is placed wherever
there is free space. It almost always ends up badly fragmented. (See my article "MFT Fragmentation"
in Volume 3 Issue 3 of this eLetter for details.)
Large partitions should be avoided. They take a lot longer to back up and to restore, data corruption
becomes more likely because there is so much more writing going on, and access to the disk becomes
slower (it takes longer to find, read and write files). Of course, there are valid reasons for very large
partitions - if you have a 5 GB database or you work with large video files, you'll need big partitions.
Just don't make them big if you can avoid it; 1 to 2 GB is about right.
It's also a good idea to have specialized partitions: System, Applications, Data, Temp, etc. This will
increase safety and performance. (See the article "Configuring Windows NT Partitions" in eLetter
Volume 2 Issue 10 for details. Note: That article recommended FAT for the system partition; you may
find that NTFS is better, especially if you are security conscious, but also because of the NTFS
self-repair capabilities.)

Directories
-----------

It's nice to have deep, multi-branched directory trees; I like the logical organization, keeping separate
types of files neatly sorted.
The bad news: Deep trees can really slow things down. The good news:
It's easy to tidy up deep trees so they don't slow things down. Here are the details:
Under NTFS, each directory is a file just like any other, but with a special internal structure called a
B+ Tree. It's fairly complicated, but for our purposes it's enough to say that it is a very good
structure for a directory tree, but can be weak on handling changes. In other words, the more changes
you make, the more complicated it gets internally, so the longer it takes to locate your file. Since files
are listed in the directory file alphabetically by file name, adding new files (or directories) can require
changes in the middle of the tree structure. Many such changes can make the structure quite complex,
and more complexity means less speed.
Files are located by searching through the directories. If you are looking for a file in a tree that is ten
levels deep, you have to locate ten directories before you get to the one that points to the file itself.
That takes a lot longer than locating a file that is only three levels deep. Plus, if the directories have
been changed a lot so that their internal structure has become complex, finding files can become very
slow.
Directories tend to grow, but rarely shrink. Sometimes when you add a new file or directory, it can be
fitted into the space left by a deleted file, but often it uses a new space. The directory grows and can
fragment, slowing down access even more.
Diskeeper 3.0 can defragment directories, which helps a lot, but this will not handle the internal
complexity. To clean that up and restore the directory to its initial perfect state, just copy the directory
(with the copy under the same parent directory as the original, of course), giving it a new name, then
delete the original, then rename the copy to the original name. This should be done periodically (once
or twice a year?) if you frequently create and delete files, or whenever you delete a large number of
files from a single directory. Since this changes the location of the directory file, it's a good idea to
make a list of all of the directories that you want to clean up, and do them all at once. Then use
Diskeeper to do a boot-time consolidation afterwards. This will move the directories together and
defragment them.
One additional thing: Long file names can cause directories and the MFT to fragment. The way the
file names are stored, each character requires two bytes. For computer efficiency, the DOS 8-dot-3
format is best. On the other hand, for human efficiency, 20 to 30 character names are much better. Of
course, there are exceptions, such as files on a CD-ROM or an archive partition where they won't be
re-written, but in general, don't go over thirty characters.

Cluster Size
In the article called "Cluster Sizes" (eLetter Volume 2, Issue 15), I described the pros and cons of
NTFS cluster sizes. New data regarding the MFT and its internal functions leads me to recommend
4096KB as the best cluster size, especially if you will have a very large number of files or will be using
compression. Never use less than 1024KB, as this will allow MFT records to fragment, and never
exceed 4096KB, as compression and Diskeeper will not work.

DEALING WITH THE PRINT SCREEN
If you press Print Screen, Windows NT copies the entire window to the Clipboard; if you press Alt-
Print Screen, NT copies only the active window to the Clipboard. But what about printing the screen in
Windows NT 4.0? If you press Print Screen to copy the screen to the Clipboard, you can use Paint to
print the Clipboard contents. Just open Paint and choose Edit, Paste. This will paste all Clipboard
contents into Paint. Now you can use Paint to print the screen: Simply choose File, Print.

SHORTCUTS ON THE TASKBAR


You probably already know that anything you place in the /windows/start menu folder gets placed in
the Start button menus; and that anything placed in the /windows/start menu/startup folder gets run
automatically at startup. Well, Don pointed out to me that any shortcuts you place in the
/windows/application data/microsoft/internet explorer/quick launch folder will appear as an icon on
your taskbar alongside the icons for "Launch Outlook Express", "View Channels", "Show Desktop"
and so on. It's a cool way to customize IE4 and maybe to get some clutter off your desktop! I wish I'd
thought of this tip a couple dozen shortcut icons ago.

MEMORY USAGE
by Lance Jensen, Executive Software Technical Support Representative
There are a number of things you can do to increase system performance and productivity. One of the
first things we usually think of is simply to plug in more memory. While this will likely boost your
system performance, there are settings in Windows NT that can enable more efficient use of your
system's memory.
Here are some of the most significant ones that I have found workable:

L2 Cache
If you have more than 256KB of L2 cache, Windows NT may not be using all
of it. To correct this:
1. Run Regedt32.exe
2. Bring up the window HKEY_LOCAL_MACHINE (on the local machine)
3. Select System\CurrentControlSet\Control\Session Manager\Memory Management
On the right side of the window you will find SecondLevelDataCache.
This defaults to 0, which is the correct value for 256KB of L2 cache. Double-click
SecondLevelDataCache to bring up the DWORD Editor. Click the Decimal radio button, enter the
amount of L2 cache you have, then click OK. Exit RegEdt32, and your machine should be a lot
faster.
If you don't know how much L2 cache you have, you may be able to find out during boot-up. Each
brand of BIOS has its own display format, but look for "L2 Cache", "Secondary Cache", or
something like that. The value should be 256, 512, or 1024.

I/O Rate
If your system is fairly I/O intensive, you may benefit from raising the I/O Page Lock Limit, which can
increase the effective rate at which data is read from or written to the hard disks.
First, benchmark your common tasks. See how long it takes to load and save large files, how long it
takes to search a database or run a common program; just do your normal tasks, timing them to record
how fast they are. Then follow these steps:
1. Run Regedt32.exe.
2. Bring up the window HKEY_LOCAL_MACHINE (on the local machine)
3. Select System\CurrentControlSet\Control\Session Manager\Memory Management
4. On the right half of the window, double-click IoPageLockLimit
5. Click the Decimal radio button

This value is the maximum number of bytes that can be locked for I/O operations. A value of 0 defaults to
512KB. Raise this value by 512KB increments (simply entering the number 512, 1024,
etc.), then exit regedt32 and benchmark your system after each increment. When an increase
does not give you a significant performance boost, go back and undo the last increment.
Caution: There is a limit to this. I recommend you do not set this value (in bytes) beyond the
number of MB of RAM times 128. That is, if you have 16 MB RAM, do not set
IoPageLockLimit over 2048 bytes; for 32 MB RAM, do not exceed 4096 bytes, and so on.
That's the safe method. You may be adventurous or impatient and want quick results. If so, try
this:
1. Benchmark
2. Calculate your maximum IoPageLockLimit value (MB of RAM times 128)
3. Set IoPageLockLimit to this value
4. Benchmark again

If you get little or no improvement, work down by 512 byte decrements till you note a drop in
performance, then go back up 512 bytes. If you did see an improvement, continue with step 5.
5. Raise IoPageLockLimit to maximum
6. Benchmark again

If you get little or no improvement in the third benchmark, work down in 512 byte decrements.
If you do get improvement, work up from maximum. And if the first increase from shows
little improvement, work down from .
Unless you don't do much I/O, this should give you a significant boost in performance.

UPDATING THE EXPLORER


You may notice that when you add a new folder in Explorer, you have to refresh either by restarting it
or pressing F5 in order for the new folder to show up in all the places it's supposed to. Here's a trick
that will cause Explorer to be automatically updated immediately on creation of a new folder,
without you having to refresh it:

Go to the hive HKEY_LOCAL_MACHINE on the Local Machine. Click on the key called System,
then CurrentControlSet, then Control, then Update. Once you have done that, you will notice the
value UpdateMode in the right-hand window. Double-click it, which will bring up the DWORD Editor.
In the DWORD Editor, put in a 0.
For this to take effect, you'll need to log out, then log back in.

BROADCASTING URGENT NETWORK MESSAGES


NT 4.0's Messenger Service makes it easy to broadcast urgent messages to other NT4.0 users on the
network. To do so, open the Command Prompt window and use the NET SEND command with the
following syntax:
NET SEND {computername| * |/DOMAIN[:domainname] /USERS} message
So, to broadcast an urgent message to everyone on the network, type
NET SEND * This is an urgent message! The Server is shutting down!
Then press the [ENTER] key, and everyone on the network running NT4.0 Workstation or Server will
see your message. Remember, don't enclose the message in quotes. NT's default installation enables
the Messenger Service. To prevent broadcasts from reaching your desktop, you must stop this service
in the Control Panel's Services applet.

NT PASSWORDS EASILY CRACKABLE WITH PHYSICAL ACCESS TO SV
If you want to comply with C2 security, and generally want your NT passwords to be safe, you
REALLY need to lock your NT servers in a secure room that no one has physical access to, except for
the administrator(s), and use long passwords with random characters. Why?
You can make a copy of the SAM database (there are different ways to do this, like copying from the
repair directory or booting with NTFS-DOS, http://www.sysinternals.com/ ). Then download the l0pht
password cracker ( http://www.l0pht.com/ ) and let this cracker loose on the SAM. Some results that
came from someone on our NTSYSADMIN listserver who tried this in his own environment:
500 accounts:
60% of the passwords found in less than half an hour (on a P200)
80% after 3 hours
90% at the end of the day

I was completely astonished! My user account password with 3 letters
and 3 digits was found in less than 3 minutes
A 5-digit password was found in 20 seconds
My Admin account with 17 letters/digits and special characters was not found after a complete day
of computation.

The conclusion is clear. Lock up your servers and use long and random passwords! Having a tool that
scans for weak passwords and alerts you which ones they are helps too, but in any case lock up those
servers. Microsoft's passfilt.dll from Service Pack 3 can help you enforce your security policies. I
suggest you read L0pht's technical rant at http://www.l0pht.com/l0phtcrack/rant.html, but its
conclusions are softened up with Microsoft's suggestions at
http://www.microsoft.com/security/l0pht20.htm. If you want to learn more about hashing passwords,
this is the best place to start: http://www.rsa.com/rsalabs/newfaq/q94.html
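
The kind of weak-password scan mentioned above, as an added example (not from the original article, L0pht or Microsoft): it estimates the exhaustive-search space of a password and applies complexity rules modelled on the commonly documented passfilt.dll policy (at least six characters, three of four character classes, no user name in the password). The function names, thresholds and sample accounts are assumptions constructed for illustration.

```python
import math
import string

# Character classes used by the policy check and the search-space estimate.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation + " "),
}

# Assumed thresholds for this example (passfilt-style policy plus an
# alert level for the estimated exhaustive-search effort).
MIN_LENGTH = 6
MIN_CLASSES = 3
MIN_BITS = 60.0

# Constructed accounts shaped like the cases reported above; not real data.
SAMPLE_ACCOUNTS = [
    ("jsmith", "abc123"),             # 3 letters and 3 digits
    ("bob", "48213"),                 # 5 digits
    ("admin", "Tr7!kq#Zp2@vLm9$x"),   # 17 mixed characters
    ("mlee", "Mlee#Winter2024"),      # complex, but built on the user name
]


def classes_used(password):
    """Return the sorted names of the character classes present."""
    return sorted(name for name, chars in CLASSES.items()
                  if any(c in chars for c in password))


def search_space_bits(password):
    """log2 of the candidates an exhaustive search must cover, assuming the
    search is limited to the character classes the password actually uses."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def audit(username, password):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("too short")
    if len(classes_used(password)) < MIN_CLASSES:
        findings.append("too few character classes")
    if username and username.lower() in password.lower():
        findings.append("contains user name")
    if search_space_bits(password) < MIN_BITS:
        findings.append("small search space")
    return findings


def report(accounts):
    """Map each user name to its findings, keeping only flagged accounts."""
    flagged = {}
    for username, password in accounts:
        findings = audit(username, password)
        if findings:
            flagged[username] = findings
    return flagged


if __name__ == "__main__":
    for user, findings in report(SAMPLE_ACCOUNTS).items():
        print(user + ": " + ", ".join(findings))
```

A check like this belongs where the plaintext is legitimately available, at password-change time, which is where a password filter such as passfilt.dll is called.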

CHANGING THE LOCATION OF YOUR PRINTER SPOOLER FOLDER
When you install a printer, Windows NT creates a folder to temporarily store print jobs before sending
them to the print device. By default, Windows NT creates this folder in the path
%SystemRoot%\System32\Spool\Printers. If you share your printers with a lot of others, your printer spooler folder
can grow to be quite large, taking up much needed disk space and negatively affecting disk I/O in your
boot partition. Fortunately, you can move the location of your printer spooler folder out of your boot
partition and preferably to a second physical disk. To do so, open Printers in the Control Panel and
choose Server Properties from the File menu. In the Print Server Properties dialog box, select the
Advanced tab and enter a new path for your printer spooler folder in the Spool Folder field. Then click
OK to save your changes and restart your system. Windows NT will then create a new printer Spool
folder in the new location that you specified.

DOES YOUR SERVER OR WORKSTATION HAVE A PAGING PROBLEM?
If you've noticed that your server or workstation has suffered an overall performance hit, you might
want to investigate the possibility of excessive paging. Using Performance Monitor, examine the values
of the Paging File's %Usage object and the Physical Disk's (the one that contains pagefile.sys) Avg. Disk
Sec/Transfer object. The product of these values is equal to the percentage of disk access time devoted
to providing virtual memory for applications. If the product is greater than .10 for an extended period of
time, excessive paging is occurring. Unfortunately, increasing the size of your paging file won't
alleviate this problem. To reduce the amount of disk access time devoted to paging, we recommend that
you make more memory available to applications by adding physical RAM to your system and
removing any unnecessary device drivers or system services.

KEYBOARD SHORTCUTS FOR COPYING AND MOVING FILES


When dragging a file from one directory to another, NT moves the file. If you would like to make a
copy while leaving the original file in the original directory, press and hold the [Ctrl] key before you let
go of your mouse button. You will notice a small + below the file to be copied.
When you drag a file from one drive to another, NT will make a copy of the file on the new drive. To
move the file, press and hold the [Shift] key before you drop the file on the new drive. You will notice
the + disappears when you hold the [Shift] key.

USING THE SMTP SERVER FROM THE NT 4.0 OPTION PACK


From Exploring Windows NT

If you installed Microsoft Internet Information Server (IIS) 4.0, and you do not have Exchange Server,
chances are you also installed the SMTP server. Using this server, you can send mail from your NT
Server to any e-mail address, as long as you are on the Internet and have a valid DNS. To configure
your SMTP server to send mail from your local machine, you will have to change the Relay
Restrictions. Launch the Internet Service Manager and expand the Internet Information Server node.
Double-click on the Default SMTP Site node to display the Default SMTP Site dialog box. Next, select
the Directory Security tab and click on Edit in the Relay Restrictions section to launch the dialog box
shown in Figure C. Select the Allowed To Relay radio button and click OK. Apply the configuration
changes and your SMTP server is ready to send e-mail. You will need to configure your mail reader to
use the local host IP address of 127.0.0.1 as the outgoing mail server.

DISABLE THE SAVE PASSWORD OPTION


The Dial-Up Networking (DUN) program allows you to save a user name and password for each of
your dial-up connections. While this is convenient, it's very insecure, especially when most dial-up
networking is done using laptops, which are easily stolen.
To prevent users from saving passwords, launch RegEdit and add the REG_DWORD value
DisableSavePassword to the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters key and set it
to 1. Once this is done, DUN will no longer display the Save Password checkbox and it will forget all
the passwords it had been told to remember. Remember to back up your Registry before making any
manual changes to it.

RATING THE CONTENT OF YOUR WEB SITE


You can quickly and easily place ratings on any web pages you feel may have content not suitable for
children. These ratings, when combined with a properly configured web browser, can prevent
unsuitable viewers from looking at your web site.
To rate a web page, right click on the page in Internet Service Manager and from the pop-up menu,
click Properties. In the dialog box displayed, select HTTP Headers and click on Edit Ratings... to
launch the Content Rating dialog. Select the Ratings tab and click on the Enable Ratings for this
resource checkbox.
You then need to rate your page in each of the four Recreational Software Advisory Council (RSAC)
categories: violence, nudity, sex, and language. Highlight the category and use the slider to rate your
page. Finish by entering your name and the date.

BOOT WINDOWS NT WITH NUMBER LOCK ENABLED


To set number lock on by default in Windows NT 4.0, change
HKEY_CURRENT_USER\Control Panel\Keyboard\InitialKeyboardIndicators to 2.

CLEAR SYSTEM PAGEFILE AT SHUTDOWN
A few of the publicly available attacks on Windows NT security rely on the fact that the NT pagefile is
left intact at shutdown, and can subsequently be scanned for useful information. To clear the
pagefile at shutdown, add the REG_DWORD value
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown
and set it to 1. This value causes NT to clear the
pagefile when it shuts down.
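
An offline check for the two registry hardening values recommended in DISABLE THE SAVE PASSWORD OPTION and CLEAR SYSTEM PAGEFILE AT SHUTDOWN, as an added example (not from the original articles): it parses a text export in REGEDIT4 format and reports whether each value is present and set to 1. The function names and the sample export are constructed for illustration; value types other than DWORD and single-line strings are skipped.

```python
import re

# Settings recommended on this page: (key, value name) -> expected DWORD.
EXPECTED = {
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"
     r"\Session Manager\Memory Management", "ClearPageFileAtShutdown"): 1,
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
     r"\RasMan\Parameters", "DisableSavePassword"): 1,
}

# Constructed sample export (REGEDIT4 text format), not taken from a real host.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"ClearPageFileAtShutdown"=dword:00000000
"IoPageLockLimit"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters]
"ExampleValue"="constructed"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_export(text):
    """Parse key sections and DWORD/string values from a .reg text export.

    Key and value names are lower-cased because the registry treats them
    as case-insensitive.
    """
    values = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        match = KEY_RE.match(line)
        if match:
            key = match.group(1).lower()
            continue
        match = VALUE_RE.match(line)
        if not match or key is None:
            continue  # header, blank line or unsupported value syntax
        name, data = match.group(1).lower(), match.group(2).strip()
        if data.lower().startswith("dword:"):
            values[(key, name)] = int(data[6:], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            values[(key, name)] = data[1:-1]
    return values


def audit_export(text):
    """Return {value name: status} for each setting in EXPECTED."""
    found = parse_export(text)
    result = {}
    for (key, name), want in EXPECTED.items():
        have = found.get((key.lower(), name.lower()))
        if have is None:
            result[name] = "missing"
        elif have == want:
            result[name] = "ok"
        else:
            result[name] = "wrong value: %r" % (have,)
    return result


if __name__ == "__main__":
    for name, status in audit_export(SAMPLE_EXPORT).items():
        print(name + ": " + status)
```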

E-MAIL VIRUSES
I'm sure you have all received e-mails warning you of dire consequences if you read e-mail with
subjects such as "Good News!" or "AOL4FREE". These are hoaxes intended to damage free
communication by making people afraid to use e-mail. When you consider the time wasted reading and
forwarding such things, they are as destructive as the real thing.

It is not possible -- NOT POSSIBLE -- to get a virus by just reading an e-mail, unless the e-mail
contains a macro or attachment that you then execute.

Here are two simple rules that, if followed, will protect you from any e-mailed virus:

1. If you open a mail message and get a warning that the mail contains macros, make sure you select the
option to disable macros before you continue.

2. If you receive a mail message from someone you do not know and that mail contains an attachment,
do not open the attachment till you have made sure the attachment does not contain a virus. There are
programs on the market that can be used to check such things.

You should also be aware that both Microsoft Excel and Microsoft Word have a built-in macro checker
that will alert you to the existence of a macro in a file that you open as long as you do not disable this
function.

The next time you get one of these hoaxes, instead of forwarding it, please reply to it with this article.

Sources of Viruses

Computer viruses are not as common as most people believe, and rather easy to avoid. Commercial
software on commercial CD-ROMs is almost guaranteed to be virus-free, but any software on floppy
disks or non-commercial CDs can be a risk. Anyone can make floppies and non-commercial CDs, and
can put anything they want on them. It doesn't matter who wrote the program; someone else can add to
it or alter it. Commercial CDs have data, usually the name of the company that burns the CDs, burned
into the inside track and visible to the naked eye. Recordable CDs lack this, and usually have a batch
number on the unsilvered area of the hub. Be wary of any CD that lacks this identification, and
certainly of anything with a stick-on label. Of course, even a commercial CD could be infected, since a
criminal could hack into the manufacturer's system and plant a virus before the CD master is made, but
this is extremely unlikely. By far the most common source of a virus infection is downloaded software.
Anything downloaded can be infected, even from big, reliable, long-established companies. It's not
easy for criminals to break into such systems, and it certainly is very rare, but it has been done. A
public bulletin board (BBS) is probably the easiest place to plant a virus. A good Sysop (the System
Operator for the BBS) can keep the BBS clean, but some are careless. Some viruses attach themselves
to programs on the infected system, and are transmitted to other systems when the programs are copied.
If a friend gives you a copy of a program, check it for a virus, even if you trust your friend; his system
may be infected.

Protection

It is a good idea to have an anti-virus program; they are cheap, easy to use, and easy to keep updated.
You do have to keep getting the updates, because these programs use an anti-virus database to
recognize viruses, and this database must be upgraded when new viruses are discovered. Sometimes an
anti-virus program will interfere with the installation of new software, especially if you are installing a
Service Pack. That means you should disable the anti-virus when installing new software, but that
leaves you unprotected should there be a virus. What now? The best defense is to have a test machine,
not on a network, not connected to anything else. You disable the anti-virus on the test machine, load
the new software, then start the anti-virus and test. Once you have established that the software is
clean, you can load it onto your production system. Or, since most of us can't afford to have a machine
we only use for virus checking, the next best solution is a test disk. On my home machine, Disk 0 is a
2GB IDE disk, with two 1GB partitions. The first is a secondary Windows NT installation which I use
to repair my primary system partition as needed. The other partition has Windows NT installed, but the
disk configuration only sees the two partitions on Drive 0. I boot to it and do virus checks. I figure the
worst a virus can do is wipe out the two partitions on Disk 0, and they are easily rebuilt. Naturally, no
system or procedure can guarantee absolute safety. But if you are reasonably careful, use an anti-virus,
always virus-check new software, and keep your backups updated, you should never have any
significant trouble from a virus.

For more data on virus hoaxes, try these sites:

http://kumite.com/myths/home.htm

http://sassman.net/virus

SPEED UP THE TASKBAR


In Windows NT 4.0, the user interface has been enhanced with the taskbar. If you have a small screen,
you can configure the taskbar to disappear when you're not on it and reappear when you slide your
mouse to the bottom of the screen. Depending on the speed of your computer, it may take too long for
the taskbar to appear. You can speed up this appearance, as well as the appearance of other taskbar
menus by adding a REG_SZ value named
HKEY_CURRENT_USER\Control Panel\Desktop\MenuShowDelay. This value expresses the number
of milliseconds the operating system will pause before displaying the taskbar. In other words, if you
want the taskbar to wait 1 second before appearing, you would set the value to 1000. Remember to
back up your Registry before making any manual changes. After you are satisfied that your Registry
changes have done what you want them to, update your Emergency Repair disk.

CONVERTING FAT TO NTFS


As time passes, more and more Windows NT users are running into problems because their Master File
Tables (MFTs) are fragmenting. This is because the MFT is used for every disk I/O. While much of the
MFT can be cached, so that an actual disk I/O does not have to be done every time a file is used, it is
still true that on most systems the MFT is accessed more than any other file. This means that MFT
fragmentation is likely to have more impact on the system than fragmentation of any other single file.
The worst cases occur on partitions that were converted from FAT to NTFS, because the conversion
process usually fragments the MFT as it is created.

In this article, we lay out the procedures for creating clean NTFS partitions. For an article about the
MFT itself, click here:

<http://www.execsoft.com/tech-support/articles/art-0004.htm>

For an article about MFT fragmentation, click here:

<http://www.execsoft.com/tech-support/articles/art-0020.htm>

Most Partitions
The Boot partition is the one that your BIOS checks to start the boot process, usually C:. The System
partition is the one on which Windows NT is installed. Usually this is also the Boot partition. If the
partition you want to convert is not Boot or System, you can convert from FAT to NTFS by simply
copying the entire partition to a tape or another partition, reformatting the partition as NTFS, and
copying the files back. This does not work on System because that's where you have the files used to
do the formatting, or on Boot because the reformat would wipe out the boot sector and you would not
be able to reboot your machine.

Converting System to NTFS

The system partition created while installing Windows NT is a FAT partition. If you choose during
installation to use the NTFS format, the partition is still created as FAT, and only converted to NTFS
after the first boot. This means you get the initial system files written to the beginning of the disk, then,
when the conversion is done, the MFT is created.
If you are installing Windows NT on a new disk, select to install it to C:, making C: a FAT partition, not
NTFS. Do a minimum installation, because you will be deleting these files shortly. When the
installation completes, bring up Disk Administrator (click Start, go to Programs, Administrative Tools,
and click Disk Administrator) and create a new partition with NTFS format.

If you already have Windows NT installed on your boot partition, create a new NTFS partition as
described above (or select an existing one). Now do your full installation of Windows NT to the new
partition and boot into it; this is now your permanent system partition.

Converting Boot to NTFS

If Boot is also the System partition, create a new system partition as described above.

Now follow these steps:

* Start Windows NT Explorer
* Click the C: partition
* On the Menu Bar, click View, Folder Options
* Click the View tab
* In the Advanced Settings box, locate Hidden Files
* Under Hidden Files, click the "Show all files" button
* Click Apply, then OK.
* In the C: folder you will see a file called Boot or Boot.ini. Copy
this file to your system partition.
* Delete all files on C:
* Copy Boot.ini back to C:
* Reboot to the system partition
* Delete boot.ini from C:
* Click Start, Run
* In the Open box, type "convert C: /fs:ntfs" (omit the quotes)
* Copy Boot.ini back to C:

Why These Methods Work

When a partition is created as NTFS, about 12% of the partition is pre-allocated as the MFT zone,
which is expansion space for the MFT. The MFT is placed at the start of the MFT zone. Thus you have
a large contiguous expansion space, and the MFT should not fragment unless you fill the partition too
full. But when you convert a partition from FAT to NTFS, there are already files at the start of the
partition, so the MFT zone has to be placed wherever there is space available. It is very rare to have
12% of a partition as contiguous free space, so the MFT zone is created as dozens or hundreds of
fragments. As the MFT extends, it too becomes very fragmented.

Using the method described above, you empty the partition completely, then put back one file. Now all
you have is the C: folder and boot.ini. When you reboot, the "next free space" pointer for C: is reset to
point to the very first free space, right at the start of the partition. Now when you run the convert
command, the MFT zone goes at the start of the disk where it belongs. You may have the C: folder file
and boot.ini in the MFT zone, but that only adds two fragments to the MFT; two fragments is not
significant.

Incidentally, never use a 512 byte cluster size on an NTFS partition. The MFT records are all 1024
bytes, so the smaller cluster size means MFT records may get fragmented. Don't worry about wasting
disk space. First, files that are small enough are stored entirely within their MFT records, and second,
disk space is so cheap now that the time you lose because of slow I/O is much more expensive.

KILL A TASK

Suppose you have a task running that you want to kill, but it just won't die. The solution is a little
utility in the Windows NT 4.0 Resource Kit. The command is TLIST. If you type TLIST at a command
prompt, you will see all tasks that are running on your server. From there, you can use the KILL
command to get rid of the task. For example, KILL 204, where 204 is the task number. But sometimes
the task just won't die.
Use TLIST again but with the -T switch. This will show you the child or children of each task. Now
you can kill the right task without shutting down your server.

MAKE A RECOVERY DISK

Can't boot your Windows NT installation? Misplaced your rescue disk? Here's how to make another
one: Boot from a DOS diskette. Run NTFS4DOS (www.sysinternals.com) to mount your NTFS
volume (if that's where your NT system directory is; this directory is usually called WINNT). Switch to
the NTFS volume. Find the REPAIR directory in your system directory. Copy all the files you find in
the REPAIR directory to a blank disk. You just made a brand new recovery disk.

ENABLE SNAP TO DEFAULT BUTTON


There is a useful feature of the X Windows interface that gives you the ability to have your mouse
pointer jump to the default button of any dialog box or alert that appears. As each dialog appears, you
don't have to drag your mouse to the OK button or the Next button, because it will jump there all by
itself. By changing an entry in the Registry, your NT 4.0 interface can act the same way.
To enable this feature, set the value of HKEY_CURRENT_USER\Control
Panel\Mouse\SnapToDefaultButton to 1. Although it may take a while to get used to this feature, it can
be extremely helpful on a high-resolution monitor, or when using a control device that makes it hard to
move the pointer quickly.

SPEED UP THE TASKBAR


In Windows NT 4.0, the user interface has been enhanced with the taskbar. If you have a small screen,
you can configure the taskbar to disappear when you're not on it and reappear when you slide your
mouse to the bottom of the screen. Depending on the speed of your computer, it may take too long for
the taskbar to appear. You can speed up this appearance, as well as the appearance of other taskbar
menus by adding a REG_SZ value named
HKEY_CURRENT_USER\Control Panel\Desktop\MenuShowDelay. This value expresses the number
of milliseconds the operating system will pause before displaying the taskbar. In other words, if you
want the taskbar to wait 1 second before appearing, you would set the value to 1000. Remember to
back up your Registry before making any manual changes. After you are satisfied that your Registry
changes have done what you wanted them to, update your Emergency Repair disk.

TURN OFF POWER AFTER SHUTDOWN

If you've installed NT on a laptop, this customization may come in very handy! Most laptops allow the
operating system to turn off the hardware after shutdown, instead of displaying the message telling you
it's now safe to turn off your system. You can take advantage of this capability by enabling the Power
Down After Shutdown feature.

To enable this feature, simply add a REG_SZ value named
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\PowerdownAfterShutDown
and set it to 1.

Next, tell NT to shut down and see if the machine turns itself off after shutting down. If it doesn't,
change the value back to 0 to restore normal operation.

SEND ALERTS DURING A CRASH


In addition to the crash log file, you can also enable two other methods of crash notification and
logging. You can enable an administrative alert by changing the value of
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\CrashControl\SendAlert to 1.

The next time the system crashes, an administrative alert will be sent that may provide the first sign of
the crash.

You can also make NT log the crash in the event log by changing the value of
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\CrashControl\LogEvent to 1 instead of its
default 0. Now, the exact time of the crash will be permanently recorded.

DISABLE THE SAVE PASSWORD OPTION


The Dial-Up Networking (DUN) program allows you to save a user name and password for each of
your dial-up connections. While this is convenient, it is very insecure, especially when most dial-up
networking is done using laptops, which are easily stolen.

To prevent users from saving passwords, add the REG_DWORD value DisableSavePassword to
the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters key and
set it to 1. Once this is done, DUN will no longer display the Save Password checkbox and it will
forget all the passwords it had been told to remember.

UPDATE A PROGRAM WITH A NEW DLL

I was recently at a client site that needed to update its virus program with a new DLL that ran as part of
a Windows NT service. We wanted to update the service by copying the new file using a logon routine,
but the desktop was locked down with a policy that did not let users stop a service. Because we couldn't
stop the service, we couldn't delete the old file in preparation for the new file copy. We got around the
problem by renaming the DLL with a different extension and copying the new DLL. Because the old
DLL was already loaded in memory, the service did not change and did not appear to behave strangely;
the system scanned and disinfected files as expected. Later, we restarted the machine, which loaded the
new DLL. I have done this with other services and, unless the directory where the file is also has NTFS
permission restrictions, it appears to work just fine. I hope this tip makes someone's job a little easier.

USE ALL OF YOUR L2 CACHE

If you have more than 256KB of L2 cache, Windows NT might not be using all of it. To correct this:

1. Make an Emergency Repair Disk (rdisk /s).
2. Run Regedt32.exe.
3. Under HKEY_LOCAL_MACHINE, select
System\CurrentControlSet\Control\Session Manager\Memory Management.

On the right side of the window you will find SecondLevelDataCache. This defaults to 0, which is the
correct value for 256KB of L2 cache. Double-click SecondLevelDataCache to bring up the DWORD
Editor. Click the Decimal radio button, enter the amount of L2 cache you have, and click OK. Exit
RegEdt32.
I have found a significant performance increase when using this tip!

THE EMERGENCY REPAIR DISK, PART 1

By Lance Jensen, Executive Software Technical Support Director

A current Emergency Repair Disk (ERD) is one of the vital tools needed to maintain a Windows NT
system. Unfortunately, most Windows NT sites do not maintain their ERDs because many
administrators have never been taught how to use them. We would like to help correct that situation.

In this article the designation, "%systemroot%" will refer to the system folder. The default name is
WINNT, but whoever actually installed Windows NT on your system may have given it a different
name.

Many of the files in the %systemroot% tree are hidden files, and many are read-only. To see hidden
files, start Windows Explorer, go to the Menu Bar and click "View", "Folder Options", and the "View"
tab. In the Advanced Settings box, under "Hidden files", click the "Show all files" button, then OK.
You will now be able to see all files. Before you can copy or edit a read-only file, you must right-click
the file, then click "Properties". Under the General tab, in the Attributes section, uncheck the Read-only
box.

What Is the ERD?

The ERD is a floppy disk containing the files in the %systemroot%\repair folder, which are the
configuration files and Registry information. If your Registry or startup environment becomes damaged
in any way, the ERD will usually be able to fix it. However, the ERD is not a substitute for a full
backup. It's more like a "Backup Lite" which can frequently save you from having to do an entire
restore from backup.

The files "sam._" and "security._" on the ERD are often not kept updated, because they can be too big
to fit on a floppy. You probably won't see this except on a server with over a thousand users and groups.
If these files are too big for a floppy, you can back them up using your regular backup utility or the
regback.exe utility in the Windows NT Resource Kit, and you can save copies in a special folder on the
disk.

I strongly recommend keeping several ERDs for each machine. The first one should be made when you
first install Windows NT. If you did not make one at that time, now is a good time to do so. Then make
a second copy and store one off-site. As you expand and change your Windows NT system, keep these
original ERDs as a safety measure. For convenience, you could also create a second repair folder (let's
call it \repair2) and copy the original files from \repair into it.

If you do back up the "sam._" and "security._" files (which you should do if you can), you may some
day find that you can no longer fit all of the files on a floppy disk. Remember that the entire contents of
the %systemroot%\repair folder are copied to the ERD, so you must keep its size under 1.44MB.
Should the folder grow too large, take the ERD from the original Windows NT installation (or from
\repair2) and copy ONLY the "sam._" and "security._" files into the %systemroot%\repair folder. The
folder should now be small enough to make an ERD. If it's not, you need to reduce the size of
setup.log. Edit setup.log and locate the line "[Files.WinNt]", which is followed by a long list of file
names. You can safely delete any of these file names that do not begin with
%systemroot%\SYSTEM32\. At some point in this list you may find a line "[Files.InRepairDirectory]";
do not delete anything after this line!
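
The trimming rule above, written out as an added Python example (not part of the original article). It assumes each entry under "[Files.WinNt]" is one line that starts with the file's path; the sample log text, the \WINNT default for %systemroot% and the function name are this example's own.

```python
# Constructed sample in the shape the article describes: a [Files.WinNt] list
# followed by [Files.InRepairDirectory]. Paths and checksums are made up.
SAMPLE_SETUP_LOG = "\n".join([
    "[Paths]",
    r'TargetDirectory = "\WINNT"',
    "[Files.WinNt]",
    r'\WINNT\inf\layout.inf = "layout.inf","1a2b"',
    r'\WINNT\System32\ntoskrnl.exe = "ntoskrnl.exe","3c4d"',
    r'\WINNT\Help\windows.hlp = "windows.hlp","5e6f"',
    "[Files.InRepairDirectory]",
    r'\WINNT\repair\sam._ = "sam._","7a8b"',
]) + "\n"


def trim_setup_log(text, systemroot=r"\WINNT"):
    r"""Apply the article's rule to the contents of setup.log.

    Returns (new_text, removed_count). Only entries inside [Files.WinNt] can
    be removed, and only when they do not begin with <systemroot>\SYSTEM32
    followed by a backslash (compared case-insensitively). Every other
    section, including [Files.InRepairDirectory], is copied unchanged.
    """
    keep_prefix = (systemroot.rstrip("\\") + "\\system32\\").lower()
    out = []
    removed = 0
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            # A section header ends whatever section came before it.
            section = stripped[1:-1].lower()
            out.append(line)
            continue
        if section == "files.winnt" and stripped:
            if not stripped.lower().startswith(keep_prefix):
                removed += 1
                continue
        out.append(line)
    return "\n".join(out) + "\n", removed


if __name__ == "__main__":
    trimmed, count = trim_setup_log(SAMPLE_SETUP_LOG)
    print("removed", count, "entries")
    print(trimmed)
```

Run it on a copy of setup.log and compare the result with the original before replacing the file in the repair folder.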

There are two things you should keep in mind:

1. The files "sam._" and "security._" contain your security database. If these files are included on the
ERD, then your system could be invaded if a criminal should get his hands on it. Keep all copies of the
ERD safe and secure, from theft as well as from damage.

2. When you do a repair from an ERD, the "sam._" and "security._" files may be replaced with the ones
from the ERD. If these files were too large to fit on the ERD, you have to recover them from someplace
else. The easiest handling for this is a third folder, \repair3, into which you copy just the "sam._" and
"security._" files.

Making an ERD

The ERD is created using the RDISK utility. You should make a new one whenever you make any
significant change to the system, such as adding a new application or Service Pack, or changing the
Registry. This is the procedure to use if you are including the security data on your ERD:

1. If you have not already done so, create \repair2 and copy the files from \repair into it. If you do not
have an original ERD, make one now by using these steps, but leave off the /S switch in step 3.
2. Click Start, go to Programs, and click Command Prompt.
3. Type RDISK /S <ENTER>.
4. When prompted "Do you want to create an Emergency Repair Disk?", respond "Yes".
5. Follow the prompts.
6. Label and date the ERD.

The /S switch in step 3 is necessary because the files in the %systemroot%\repair folder are not updated
when your system is modified; you have to use RDISK to do it manually. The /S switch tells RDISK to
update the repair files, including the "sam._" and "security._" files.

This is the procedure to use if you are not including the security data on your ERD:

1. If you have not already done so, create \repair2 and copy the files from \repair into it. If you do not
have an original ERD, do steps 6 to 9 now to make one.
2. Click Start, go to Programs, and click Command Prompt.
3. Type RDISK /S- <ENTER>. (The /S- switch updates the files, but does not proceed to create an
ERD.)
4. Copy the "sam._" and "security._" files from \repair into \repair3.
5. Copy the "sam._" and "security._" files from \repair2 into \repair.
6. Type RDISK <ENTER>.
7. Click the "Create Repair Disk" button.
8. Follow the prompts.
9. Label and date the ERD.

The ERD just created can be used to get your system running again if something goes wrong while
modifying your system. Now go ahead and make the system changes. When you have finished and
tested and you are satisfied that the change is done, repeat the steps to update your system with your
new modifications, and make two new ERDs. The second ERD should be stored with your offsite
backups. If you don't keep offsite backups, you may not want a second ERD; I like to have one in case
the first copy gets damaged.

Is the ERD Really Needed?

You may never have made an ERD, or you might lose it, or it might get damaged. If you ever have to
do a repair without an ERD, you have several options:
1. Sometimes you can do a repair without any ERD at all. If the repair procedure can find your
Windows NT install directory, it may be able to directly access the repair directory. Sometimes it
works, sometimes it doesn't.

2. If that fails, you may be able to create a new ERD. First you need a floppy disk that was formatted
on a Windows NT system. If the %systemroot%\repair folder is on a FAT partition, you can boot to a
bootable DOS floppy and copy the repair files to the new floppy. Some are hidden, so be sure you get
them all. The files are:

autoexec.nt
config.nt
default._
ntuser.da_
sam._
security._
setup.log
software._
system._

It's harder to access the folder if it's on an NTFS partition, but here are some ways to do it:

A. There are applications available that run under DOS and can read NTFS partitions. You can use one
of these to create the floppy as described above.
B. You could move the hard disk to another machine that is running Windows NT and create the floppy
there.
C. You could make another Windows NT installation on the same machine, boot into it, and make your
new floppy.

3. Last, you may be able to copy the files from a backup tape. You might restore %systemroot%\repair
folder, or copy it to another machine.

4. If all of this fails, you must reinstall Windows NT. As you can see, it's a lot simpler to make sure you
always have a current ERD.

PREVENT USERS FROM CHANGING VIDEO RESOLUTION


One of the most useful features of NT is the ability to change video resolution and color depth on the
fly. Unfortunately, some users will try to push their systems beyond the configuration's capabilities.
You can prevent users from changing the video settings by changing the permissions on the settings
key for the video card. The exact location of this key will vary, depending on the specific type of video
card, but our key was located at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware
Profiles\Current\System\CurrentControlSet\Services\mga_mil\Device0. You should be able to find your
card type in place of mga_mil, and you may have more than one device listed. Change the permissions
for each device you wish to restrict.

KILL HUNG PROCESSES WHEN LOGGING OFF


When you tell Windows NT to shut down, it first sends shutdown requests to any running processes.
Most 32-bit applications honor these requests and shut down, but older 16-bit apps running in the
Virtual DOS Machine often won't. When this occurs, the operating system prompts you with a dialog
box asking if you want to kill the task, wait for the task to die on its own, or cancel the shutdown. By
modifying the Registry, you can automate this process. You can force NT to kill all running processes
on shutdown by adding a REG_SZ value named
HKEY_USERS\<SID>\Control Panel\Desktop\AutoEndTasks and setting the value to 1. You can also add
this value to HKEY_USERS\.DEFAULT so that all new accounts will shut down the same way.

REMOVING ENTRIES FROM CONTROL PANEL ADD/REMOVE PROGRAMS

Here is a retread of a previous tip. It has come up frequently on tech calls and I want you to be familiar
with it. In Control Panel/Add Remove Programs, you may have some titles that won't disappear after
you have deleted or uninstalled them. Here is the procedure. Click Start/Run and type REGEDT32. Go to
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL.
Select the title that you want to vanish and hit your DELETE key. Say "bye-bye" to that
annoying entry. This is also to the advantage of those who do not want titles visible for whatever reason
in Add Remove Programs. The disadvantage is that you won't be able to uninstall the product without
recreating the entry, so a cut and paste to save it to a file would be prudent.

FAILING LOGON IF MANDATORY USER PROFILES ARE NOT AVAILABLE

By default, users of Windows NT Workstation 4.0 can log into the domain with their local profiles if
the mandatory user profile is not available. If you do not want them to be able to do this, change the
user's profile folder from profile_folder_name (where profile_folder_name equals the name of the
user's profile folder which equals the user's NT user name) to profile_folder_name.man (by adding
.man to the folder name). Then make the same change in the profile path in User Manager for
Domains. The user will now not be able to log into the domain unless mandatory profiles are available.

ENABLE FILENAME COMPLETION

If you've ever used a UNIX shell, such as the C Shell (CSH) or the Bourne Again Shell (BASH), you'll
fondly remember the wonders of tab filename completion. By typing the first few characters of a
filename and pressing [Tab], the entire name would appear on the command line. Well, you can have
that same feature at your Command Prompt by adding a REG_DWORD value named
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar and setting its
value to the hex value of the character you wish to use for command completion. The tab character is
0x09.

CHKNTFS: HOW TO PREVENT CHKDSK AT REBOOT AFTER THE DIRTY BIT IS SET

When you select CHKDSK /F in Windows NT 4.0 you have set the "Dirty Bit". The Dirty Bit is a flag
that tells Windows NT to force a CHKDSK /F at the next reboot if one can not be performed
immediately. But what if you change your mind? Perhaps there is a vital deadline coming up, and you
can't afford the time to let CHKDSK run. There is no way to clear the Dirty Bit once it is set, except by
running CHKDSK /F, but there is a way to keep CHKDSK from running on NTFS Partitions at the
next reboot.
As you may already know, Service Pack 4 includes a ten-second window at reboot where you can
cancel a CHKDSK /F when the Dirty Bit is set. Canceling the CHKDSK /F does NOT clear the Dirty
Bit. It will just prevent the run at this time; at the next reboot, CHKDSK /F will run unless canceled
within the same ten second window until it is finally allowed to run. As mentioned above, ONLY A
CHKDSK /F CAN CLEAR THE DIRTY BIT.
But there is another option on NTFS Partitions: You can use Service Pack 2's CHKNTFS command-
line utility to prevent CHKDSK from automatically running during reboots when the Dirty Bit is set.
From the COMMAND PROMPT:

D:\>chkntfs /?
CHKNTFS drive: [...]
CHKNTFS /D
CHKNTFS /X drive: [...]
CHKNTFS /C drive: [...]

drive: Specifies a drive letter.


/D Restores the machine to the default behavior; all drives are checked at boot time and chkdsk is run
on those that are dirty. This undoes the effect of the /X option.
/X Excludes a drive from the default boot-time check. Excluded drives are not accumulated between
command invocations.
/C Schedules chkdsk to be run at the next reboot.

If no switches are specified, CHKNTFS will display the status of the dirty bit for each drive.

Here's an example of a call with no switches specified, and CHKDSK /F not set:
D:\>chkntfs d:
The type of the file system is NTFS. D: is not dirty.

When you set CHKDSK /F for the d: partition, you will get this display:

D:\>chkntfs d:
The type of the file system is NTFS. D: is dirty. You may use the /C option to schedule chkdsk for this
drive.

Even if you do not use /C, a CHKDSK /F will be run at the next reboot. You can use the /X switch to
exclude a drive from the default boot-time check.

D:\>chkntfs /x d:
The type of the file system is NTFS.

After invoking the above command, CHKDSK will not run at the next reboot. This does not clear the
dirty bit; instead, it adds a line to the BootExecute registry entry, which you can view with Regedt32
under the HKEY_LOCAL_MACHINE subtree, in the following subkey:
\SYSTEM\CurrentControlSet\Control\Session Manager

the BootExecute entry:

was:

autocheck autochk *

is:

autocheck autochk *
autocheck autochk /k:D *

As mentioned above, this does not clear the dirty bit:

D:\>chkntfs d:
The type of the file system is NTFS.
D: is dirty. You may use the /C option to schedule chkdsk for this drive.

But it keeps chkdsk from running on this partition until the setting is cleared regardless of the amount
of rebooting that occurs. When the /X is canceled by /D:
D:\>chkntfs /d

The settings in the regedt32 key change to this:

autocheck autochk *
autocheck autochk *

And chkntfs displays this:

D:\>chkntfs d:
The type of the file system is NTFS. D: is dirty. You may use the /C option to schedule chkdsk for this
drive.

Now the CHKDSK /F will run at the next reboot.

There is a caveat to this: With /X set, Windows NT will NEVER run CHKDSK /F on the specified
partition, even if the system crashes. This can be a bad idea and cause you to lose data if a CHKDSK /F
is truly needed. If you use the CHKNTFS utility, only use it as a short term solution and be certain to
restore the defaults with a CHKNTFS /D for normal Windows NT operation.
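
An added Python example, not part of the original tip: it reads the BootExecute lines and the chkntfs status text shown above and lists the drives that are dirty yet excluded from the boot-time check, which is the situation the caveat warns about. The C: status line is constructed, the function names are this example's own, and accepting several letters after one /k: is an assumption.

```python
import re

# Each /k:<letters> token on an autochk line excludes those drives.
_EXCLUDE = re.compile(r"/k:([A-Za-z]+)", re.IGNORECASE)
# Status line printed by chkntfs, e.g. "D: is dirty." or "D: is not dirty."
_STATUS = re.compile(r"\b([A-Za-z]): is (not dirty|dirty)\b")

# BootExecute contents after "chkntfs /x d:", as quoted in the tip.
BOOT_EXECUTE_AFTER_X = [
    "autocheck autochk *",
    "autocheck autochk /k:D *",
]

# chkntfs status text: the D: lines follow the tip, the C: line is constructed.
CHKNTFS_OUTPUT = (
    "The type of the file system is NTFS.\n"
    "C: is not dirty.\n"
    "The type of the file system is NTFS.\n"
    "D: is dirty. You may use the /C option to schedule chkdsk for this drive.\n"
)


def excluded_drives(boot_execute):
    """Return the set of drive letters excluded from the boot-time check.

    boot_execute is the list of strings held in the BootExecute value.
    Lines that do not invoke autochk are ignored.
    """
    drives = set()
    for line in boot_execute:
        if "autochk" not in (token.lower() for token in line.split()):
            continue
        for match in _EXCLUDE.finditer(line):
            # "/k:CD" counts as C and D; "/k:C /k:D" is handled by the loop.
            drives.update(match.group(1).upper())
    return drives


def dirty_drives(chkntfs_output):
    """Return the set of drive letters that chkntfs reports as dirty."""
    drives = set()
    for match in _STATUS.finditer(chkntfs_output):
        if match.group(2) == "dirty":
            drives.add(match.group(1).upper())
    return drives


def unchecked_dirty_drives(boot_execute, chkntfs_output):
    """Drives that are dirty but will be skipped at boot, sorted by letter."""
    return sorted(excluded_drives(boot_execute) & dirty_drives(chkntfs_output))


if __name__ == "__main__":
    for drive in unchecked_dirty_drives(BOOT_EXECUTE_AFTER_X, CHKNTFS_OUTPUT):
        print(drive + ": is dirty and excluded; run CHKNTFS /D when possible")
```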

CREATE A CASCADED CONTROL PANEL FOLDER IN THE START MENU

If you hate opening Control Panel to get a file, you can place a cascaded Control Panel folder in the
Start menu just above the Programs folder. Right-click Start and click Explore, which brings you to
your profile. You can also change to the All Users profile directory if necessary. Next, create a new
folder at the same level as the Programs folder and name it:

"Control Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}." (without the double quotes).


NOTE: You must place a period after Control Panel and after the last } symbol.

Instead of making a standard folder and creating shortcuts from the standard Control Panel, you've just
created a real Control Panel that is dynamic and runs through the Control Panel class just like the
standard Control Panel. Any new Control Panel applications that you might install will show up
automatically.

BACKUP STRATEGY
There are some pretty crafty Administrators out there! What they are doing is this: They have another
install of Windows NT from which they do a complete backup of their working system. They have
loaded their Tape Device drivers or CD Writer and backup software. When they boot to this
installation, the original boot is dormant. All files are closed which gives them the ability to make a
perfect image of the WINNT directory and Program Files and all the rest. They do not worry about
getting the system back perfectly when an unrecoverable crash occurs. They simply boot to the second
install and restore the complete system.

QUICK REBOOT OPTION


While we're on the subject of system restarts, you can reduce the time needed to reboot by making a
Registry modification to skip certain portions of the shutdown procedure. This method might be the
best or only way to recover when a system is in a tight CPU loop and cannot respond to a GUI request
for the Start menu or the Ctrl-Alt-Del dialog box. Go to the Registry path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, add the
value EnableQuickReboot:REG_SZ: 1, and restart the system. You initiate the quick reboot with the
key combination Shift+Ctrl+Alt+Delete. This operation generates an Event ID 6008 unexpected
shutdown record in the system event log. According to Microsoft Support Online article Q219885
(http://support.microsoft.com/support/kb/articles/q219/8/85.asp), this is a new feature in SP4. However,
I made this modification on a system running SP3. The shutdown was instantaneous, and the restart
worked fine. Curiously, I didn't get a CHKDSK scan at restart, and because I'm not running SP4,
nothing was recorded in the system event log.

ADD CACLS TO YOUR WINDOWS NT TOOLBOX

Have you ever needed to alter file permissions - after the fact? For example, your partition has already
been in use for some time, with all of your users creating files and sub-directories with security
restrictions, and now you need to make a change globally to file permissions. How can you do it
quickly and easily?
The best way is to go to the Command Prompt and run CACLS (Change ACLs). Here's a question I've
had to deal with, which makes a good example of how to use CACLS: Do you have an NTFS partition
without SYSTEM group access?
While security may be tight on your network, you should always allow the group SYSTEM to have
FULL CONTROL over all files and directories on all NTFS partitions. This group represents the
Windows NT operating system and having it included allows such actions as creating a pagefile on a
partition and defragmenting all files. If you have no real restrictions on security, (if you leave
EVERYONE with FULL CONTROL for instance), then this is not an issue.

You could use Explorer to modify security settings globally on the partition/directories/files, but there
is a problem with this. This is in fact a destructive method of applying security settings, because it
replaces the existing settings; Explorer is fine for changing permissions in one directory or one file, but
it should only be used globally if you want to set all permissions on all files and/or sub-directories to
the same values. If you want to add or remove permissions without destroying the existing ones, you
need to use the CACLS command line interface executed from the root of the partition:
D:\>cacls/?
Displays or modifies access control lists (ACLs) of files

CACLS filename [/T] [/E] [/C] [/G user:perm] [/R user [...]]
               [/P user:perm [...]] [/D user [...]]
   filename      Displays ACLs.
   /T            Changes ACLs of specified files in
                 the current directory and all
                 subdirectories.
   /E            Edit ACL instead of replacing it.
   /C            Continue on access denied errors.
   /G user:perm  Grant specified user access rights.
                 Perm can be: R  Read
                              C  Change (write)
                              F  Full control
   /R user       Revoke specified user's access rights (only valid
                 with /E).
   /P user:perm  Replace specified user's access rights.
                 Perm can be: N  None
                              R  Read
                              C  Change (write)
                              F  Full control
   /D user       Deny specified user access.

Wildcards can be used to specify more that one file in a command.
You can specify more than one user in a command.

SPECIAL NOTE: You must be at the root directory level of the partition in question. Use this
command:

CD drive_letter:

Now the command line:

CACLS * /e /t /g SYSTEM:F

SPECIAL NOTE: If you see this message: "Unable to perform a security operation on an object which
has no associated security" you are executing this from a FAT partition. ACLs are only used on NTFS
partitions.

The /e switch tells the CACLS command to EDIT the ACLs rather than REPLACE the existing
permissions, and the /t switch tells it to apply the edit to subdirectories. Any number of
ACCOUNT:PERM sets may follow the GRANT (/g) switch. As you can see from the above listing,
there is additional flexibility built into the CACLS command - its only limitation is the extent of
selections for PERM values.
You may also need to add SYSTEM to the drive itself. Do that through Explorer with these steps:

1) Start EXPLORER
2) Right click the partition in question
3) Click PROPERTIES
4) Click the SECURITY tab
5) Click the PERMISSIONS button
6) If SYSTEM is not listed, click ADD and select SYSTEM
7) Highlight SYSTEM
8) Set TYPE OF ACCESS to FULL CONTROL
9) Clear the REPLACE PERMISSIONS ON EXISTING FILES check box (it is checked
by default)
10) Click OK

CACLS is an excellent addition to your Windows NT toolbox. It can definitely pull you out of a jam when
NTFS permissions are not set properly.

CREATING A FAT 32 EMERGENCY BOOT DISK


Did you know that the Windows 98 CD-ROM contains a program you can run to quickly create a Boot
Disk that's capable of creating and reading FAT32 partitions? The program is called Fat32ebd.exe and
it's located in the Tools\Mtsutil\Fat32ebd folder on the CD-ROM. Just place a disk in the floppy drive
and double-click the Fat32ebd.exe file. Then follow the on-screen instructions to create the bootable
disk. When finished, it is recommended that you write-protect the disk to protect it from viruses.

TIP: DISCONNECT IDLE USERS


Here is a Registry entry that will help systems administrators with users who don't log off when they
are supposed to. To disconnect idle users after a certain length of time, try this Registry entry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters. Look for
the value name "AutoDisconnect" of type REG_DWORD. The default value is 15 minutes. You can set
this value from 0 to 0Xfffffff in minutes.

TIP: AUTO-COMPLETE LONG FILE NAMES


Have you ever wanted to use the UNIX feature that lets you auto-complete long file or folder names on
Windows NT? Here's how.
Open REGEDT32.EXE and open the following key:
HKEY_CURRENT_USER\Software\Microsoft\Command Processor. Change the value of
"CompletionChar" to 9. Open a Command prompt, type in "CD W", and press the tab key. I think you'll
find this feature useful.

DISPLAY THE NT TASK MANAGER


This is a simple tip, but great to know. In Windows NT 4.0, an easy way to display the NT Task
Manager is to press Ctrl-Shift-Esc (an easy one-handed move). Few people know this convenient
shortcut exists.

MOVING THE PRINTER SPOOL FILES TO ANOTHER DRIVE

One thing you can do to reduce the risk of your NT partition running out of space is to move the printer
spool directories onto another drive. By default, NT will hold the spool files in
WINNT\SYSTEM32\SPOOL\PRINTERS. In previous versions of NT, changing this path meant
editing the registry, but in NT4 you can change the path for the spool files much more easily. Start by
double clicking the Printer icon in Control Panel, then from the File Menu, choose Server Properties.
Click on the Advanced tab and change the path in the Spool Folder field to where you want to store
your spool files. Once you have restarted the machine, NT automatically creates the new spool
directory.

VIEW ALL FILE TYPES

I spend most of my day looking at remnants of files with mysterious extensions (e.g., *.waa *.me
*.abc). I've found that by placing a notepad.exe shortcut in my C:\WINNT\Profiles\All Users\SendTo
directory, I can view the file by right-clicking Send To. In addition, I have a multipurpose viewer that
views almost anything. I've added a shortcut to this in my C:\WINNT\Profiles\All Users\SendTo
directory.

Turn off CD-ROM AutoRun

One feature that many power users and administrators find annoying is CD-ROM AutoRun. Each time
you put a new CD into the drive, AutoRun kicks in and starts the CD's install program. While this may
be helpful to users who don't know how to use NT Explorer, it's of little value to most technical users.
To turn this feature off, simply add a REG_DWORD value named:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\AutoRun and set its value
to 0. The next time you slip a CD into your drive, you won't have to sit and wait as it tries to help you
install it.

ENABLE X WINDOWS STYLE MOUSE


If you've ever worked on a UNIX workstation using X Windows, you probably remember being able to
bring a window to the front just by placing your mouse pointer on it. You can enable a similar feature
in NT by setting the value of
HKEY_CURRENT_USER\Control Panel\Mouse\ActiveWindowTracking to 1. Changing this value
will set the focus to whatever window the mouse is pointing to, although it won't bring it up to the top
of the stack. You'll need to log off and back on before this change will take effect.

DETERMINE A COMPUTER NAME OR LOGGED-ON USERNAME

Do you support users where the hardest part is trying to determine their computer name or the
logged-on username? Wouldn't it be great if this information were always on the desktop?

- Start regedt32.exe and go to HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}.
- Select the <No Name> value and Delete.
- From Edit, select Add Value.
- Leave the value name blank and set the type to REG_EXPAND_SZ.
- Click OK and enter the text "User: %USERNAME% on: %COMPUTERNAME%".
- Click OK.
- Click the desktop and press F5 (refresh) for the change to take effect.
Now, when each user logs on to the workstation, the My Computer icon on the desktop will have the
text "User: xxxxxx on: wwwwww" in place of the text "My Computer." The usual warnings and
disclaimers about editing the Registry apply.

VIEW ALL FILE TYPES

Many people spend too much time looking at remnants of files with mysterious extensions (e.g., *.waa
*.me *.abc). By placing a notepad.exe shortcut in the C:\WINNT\Profiles\All Users\SendTo directory,
you can view the file by right-clicking Send To. In addition, if you have a multipurpose viewer, you can
add a shortcut to that viewer in the C:\WINNT\Profiles\All Users\SendTo directory.

KILL HUNG PROCESSES WHEN LOGGING OFF


When you tell NT to shut down, it first sends shutdown requests to any running processes. Most 32-bit
applications honor these requests and shut down, but older 16-bit apps running in the Virtual DOS
Machine often won't. When this occurs, the operating system prompts you with a dialog box asking if
you want to kill the task, wait for the task to die on its own, or cancel the shutdown. By modifying the
Registry, you can automate this process.
You can force NT to kill all running processes on shutdown by adding a REG_SZ value named
HKEY_USERS\<SID>\Control Panel\Desktop\AutoEndTasks and setting the value to 1. You can also add
this value to HKEY_USERS\.DEFAULT so that all new accounts will shut down the same way.

CREATE A NETWORK FAVORITES FOLDER

Each user has a Favorites folder used by Internet Explorer and Microsoft Office to store the shortcuts
and documents used most often. You might find it helpful to create a networked Favorites folder so all
users can see and use these favorite files.
In order to create a network Favorites directory, you must first create the directory and share it from
one of your file servers. Be sure to set the appropriate share and NTFS permissions. Next, on each
machine you want to use the network Favorites folder, change the value of
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell
Folders\Favorites from its existing path to the Universal Naming Convention (UNC) path of the new
folder. For example, the new Favorites directory could point to a shared Favorites directory on the
server Jupiter, which has a UNC path of \\Jupiter\Favorites. You may also want to make this change to
the HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell
Folders\Favorites value so each new user will also share the network Favorites folder.

CHANGE A USER'S PASSWORD

Have you ever wanted to change a user's password stored in a local directory database without having
to visit the user's computer? Here's how you do it. Press Ctrl+Alt+Del and select the Change Password
button. In the Username box, type the username for the local account, and in the Domain text box, type
the computer name where the local account is held. Enter the appropriate Old Password, New
Password, and Confirm New Password. You should receive a message indicating "Your password has
been changed." This tip also applies to directory databases on domain controllers and is especially
useful if you want to change a password in a directory database that is outside your domain. A trust
relationship doesn't need to exist between the domains, and you don't have to be logged on with
administrator rights. This tip is also useful when users need to change their password outside the
allowed logon hours or when the password has expired and the user is not able to log on.

DISABLING AUTOPLAY FOR CD-ROMS

If you'd rather that Autoplaying CDs didn't, you can turn off the Autoplay facility by changing a setting
in the registry. Using REGEDT32, navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom. Here you will find an
entry called Autorun. Edit the entry by double-clicking on it and then changing the data field from 1 to
0. You will need to re-boot for the change to take effect. After you have made the change, if you do
want a CD to Autoplay, you can double-click on the CD icon in Explorer or My Computer. The
Autoplay will then run as if you had just put the CD in.

TIP: HIDE A MACHINE FROM NETWORK NEIGHBORHOOD


For security reasons, it's sometimes desirable not to have a machine show up in Network
Neighborhood--or in anything that displays the browse list. An easy way to hide a machine is to type
the following at the command prompt:
net config server /hidden:yes

This command configures the server service and works on Windows NT Workstation and Server. The
command creates a dword value "hidden" with the value set to 1 in the Registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

This parameter works with the server service, so you can still attach to shares on the hidden machine,
which is something that hiding a machine by stopping the server service wouldn't allow. And although
this change hides the machine, it doesn't mask the workgroup or domain. If you don't want a
suspicious-looking empty workgroup, you can put the machine in a group with other, visible members.
For more information on this change, including how to undo it, see Microsoft Support Online article
Q128167.

CREATING USER TEMPLATE ACCOUNTS

An easy way to reduce the administrative overhead of creating large numbers of user accounts is to
make template accounts for each type of user or area in your organization. Set the template accounts up
with all of the necessary file permissions, account restrictions and user rights. Then when you want to
create a new account, highlight the template user and press [F8], or select Copy from the User menu. If
you start the names of all your template accounts with an unusual character such as a dollar sign ($)
then they will always appear at the top of the list when you start User Manager.

IDENTIFYING THE SECURITY ID (SID) OF A USER


Have you ever wondered which security ID Windows NT has assigned to a specific user? You can find
out by selecting the following Registry key within Registry Editor:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\SID
Once you've accessed this key, observe the data in the ProfileImagePath value (in the right-hand pane).
You'll see the name of the profile folder for the user associated with this SID. For example, if you have a
user who's logged on to your server as Fred, you should see a ProfileImagePath of
%SystemRoot%\Profiles\Fred associated with this user's SID.

TWO QUICK KEY COMBINATION TIPS


Here are two quick and easy tips you might not know about for getting around in Windows NT or
Windows 95.
1) To quickly open Windows Explorer: Press the Windows Button + E
2) To quickly open the Run Window: Press the Windows Button + R

CUSTOMIZING WEB VIEW BACKGROUND


When you pull down the View menu in My Computer or Windows Explorer and select the As Web
Page command, Windows 98 automatically uses a cloud image for the background of the Web view.
However, if you'd like to use your own image for that Web view background here's what you need to
do:
1) Open either My Computer or Windows Explorer and access the C:\Windows\Web folder.
2) Locate and rename the file Wvleft.bmp.
3) Open Paint, press [Ctrl]-E and type 242 and 600 in the Width and Height text boxes respectively.
4) Create your image and save it in the C:\Windows\Web folder as Wvleft.bmp.

CREATING A CONTROL PANEL FOLDER ON YOUR START MENU

You can create a folder on your Start menu that contains all of the Control Panel options by doing the
following. Right-click the Start button on the taskbar, and then choose Open from the menu. In the Start
Menu dialog box that appears, click on the File menu, then choose New | Folder. Name the folder as
follows:
Control Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}

Make sure that you type the number exactly and include the brackets. Now, when you click on the
Start button you should have a menu option called Control Panel. Click on the Folder Icon and a new
fold out menu will appear with all of the Control Panel icons on it.

CLIENT CONFIGURATION FOR EXCHANGE


When you're setting up client access to Exchange, you have three options. You can use Outlook or
Outlook Express to retrieve your e-mail using POP3 (Post Office Protocol v3), IMAP (Internet
Message Access Protocol) or a regular Web browser pointed to the company Web server on which
Exchange is installed (or to the Exchange server with IIS installed). Each configuration has advantages
and disadvantages.

POP3 is quick and simple to use. Employees can use just about any program to retrieve e-mail
remotely. The disadvantage is that unless users set the option to leave messages on the server, their e-
mail client won't be in sync with the computer on their desk.

IMAP helps keep remote and local desktops in sync by downloading only the message headers to the
remote desktop unless users specifically download the messages themselves. The disadvantage of
IMAP is that it can be slow over a dial-up link, due to the extra work it's doing in the background to
keep everything in sync. To operate offline with IMAP (without a live connection to your Exchange
server), users will have to download all messages to be viewed.

If your company doesn't want to deal with supporting remote client problems, your users can use a
standard Web browser. If they do, they will be able to reach their mailboxes from just about any
computer.

CLEARING THE PAGE FILE ON SHUTDOWN


For the extremely security conscious, here is a tweak to empty the contents
of your paging file. Run regedt32 and go to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management.
Double-click on "ClearPagefileAtShutdown". In the new Multi Screen Editor window,
choose the DWORD radio button and enter a "1" in the data field, then click
OK. Close the registry.
When you shut down, the contents of the paging file will be emptied so that
the data is not available. As I said, this is for the extremely security
conscious.

TIP: HARD DISK FREE SPACE WARNING

By default, Windows NT posts an alert when the amount of free space remaining on your hard disk
falls below 10 percent. To alter this behavior, you need to edit a Registry key. Go to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters and
add the value DiskSpaceThreshold with a type of REG_DWORD. Set this value to the percentage of
free disk space remaining before the OS sends an alert. The allowable range is 0 to 99 percent.

CHANGING LOCAL PASSWORDS EASILY

Want to learn a neat way to edit a local PC's SAM? Go to the User Manager menu for Domains, and
choose Select Domain. You typically use this setting to edit other PDCs in other domains, but if you
type \\computername in the same field where you would usually enter the domain name, you will be
editing the local SAM database on that PC and you can change passwords, add local groups, and more.

TIP: SHORTCUT FOR PDCs AND BDCs

Try this one on your PDCs and BDCs because this shortcut is much faster than Server Manager's
kludgy interface:

1) Right-click on the Desktop, and select New Shortcut.
2) In the command-line field, type net accounts /sync, and click Next.
3) In the Select a Name for the Shortcut field, type Sync Domain, or some such descriptor, and click
Finish.

All done! Now, when changes are made to the directory database (i.e., new user or changed password),
simply double-click the new icon and a quick CMD window will pop up and complete the command
successfully. Your domain directory database will also start its synchronization process. If you're slick,
you can put this shortcut in your Start Menu, and give it a cool icon and a keyboard shortcut.

ADDING APPLICATIONS TO YOUR SEND-TO MENU

You can add your favourite applications to the Send To menu Windows NT displays when you
right-click on a file. Just create a shortcut to the application and drop it in the
%systemroot%\profiles\username\sendto folder where "username" is the user name. For example, if you frequently
use Microsoft Word, you can add it to your Send To menu. When you right-click on a file, you can then
send the file to Word.

Note: The Send To folder is usually hidden, so make sure you set your folder options to show all files
(Explorer | View | Folder Options | View | Hidden Files | Show All Files in Windows NT 4.0).

TIP: REMOVE ORPHANED ADD/REMOVE PROGRAMS ENTRIES

Have you ever installed a program (perhaps shareware) that did not have a normal uninstall procedure?
Have you tried to remove that program using the ADD/REMOVE PROGRAMS PROPERTIES Control
Panel applet and received the message "Unable to find DEISL1.ISU" or similar error message? Try the
following edit to remove that entry from the ADD/REMOVE PROGRAMS box:
1) Run REGEDIT.
2) Go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall.
3) Locate the folder with the same name as the application in the ADD/REMOVE list.
4) Delete that entire folder.

Now check the ADD/REMOVE PROGRAMS box again. The entry should be gone; however, this
procedure will not remove the program.

Changing the graphic displayed behind the Logon dialog box

By default, Windows NT displays its logo (either Windows NT Server or Windows NT Workstation)
behind the Logon dialog box. You can change this graphic by editing the Registry. You might want to
change this graphic if you want to have Windows NT display your company's logo instead of the
default logo.
To change the graphic, begin by starting Registry Editor. Access the key
\HKEY_USERS\.DEFAULT\Control Panel\Desktop. In the right-hand pane, double-click on the
Wallpaper value. By default, Microsoft displays the data in the Wallpaper value as (Default) which tells
your computer to display the Windows NT logo. To change this value, type in the path and name of the
bitmap file you want to display instead. For example, to display a file named "logo.bmp" that you've
stored in the c:\winnt folder, you would type c:\winnt\logo.bmp. (Note: Whatever graphic you want to
use will need to be in the bitmap format.)

DETERMINE THE AVERAGE BANDWIDTH USED BY TERMINAL SERVER CLIENTS

Q: I'm doing capacity planning. How can I determine the average bandwidth used by Windows NT
Server 4.0, Terminal Server Edition client sessions?

A: Although Microsoft claims that each terminal client session will use 2-6Kbps of network bandwidth,
I have found that this estimate isn't always accurate. To get a more accurate picture of how Terminal
Server sessions will affect your network, you can use Network Monitor in conjunction with
Performance Monitor. First, install the Network Monitor Tools and Agent in the Services tab of the
Network Control Panel. This will add the Network Segment object to Performance Monitor (the other
object you'll need--Network Interface--should already exist as it installs with TCP/IP). Monitor the
%Network Utilization counter of the Network Segment object to track the total bandwidth being used
on the network segment where the terminal server is. The Network Interface object's Bytes
received/second and Bytes total/second counters provide the total bytes received or processed
(respectively) by the server's adapter. If possible, use the version of Network Monitor that comes with
Systems Management Server (SMS) or a third-party software product such as Data General's NetXRay,
not the NetMon that comes with NT or Windows 2000 (Win2K). NT's NetMon can only monitor the
traffic to and from its own adapter, and I've found this version's % Network Utilization counter to be
unreliable at times, especially on Fast Ethernet and 100Mbps networks.

Selectively turning off the AutoRun feature on CD-ROMs

In a previous tip, we showed you how to turn off the AutoRun feature permanently on your server by
editing the Registry. You can selectively prevent Windows NT from running the AutoRun on a CD-
ROM by holding down your computer's [Shift] key whenever you insert a new CD into your drive.

CREATE RIGHT-CLICK OPTION TO OPEN COMMAND PROMPT WINDOW

If you're from the old school and still use the command prompt regularly, then this tip is for you. You
can create a new right-click option to open a command prompt window from the directory you're
currently working in. Open your Registry using RegEdit (not Regedt32), and find the key
HKEY_CLASSES_ROOT\Directory\shell. Create a new sub key called "CommandPrompt" as in
HKEY_CLASSES_ROOT\Directory\shell\CommandPrompt. Change the value of default within the
key to equal the text you would like on the right-click menu, for example 'Open Command Prompt....'
Create another new subkey under the key you just created, and name this subkey "command" as in
HKEY_CLASSES_ROOT\Directory\shell\CommandPrompt\command. Change the value of default
within this key depending on your OS to equal either:

Windows 9x
command.com /k cd "%1"

or

Windows NT
cmd.exe /k cd "%1"

Now right-click a folder, and the new option of "Open Command Prompt..." should be available.

Stopping the Windows NT shutdown process

If you've ever clicked the Shutdown button by mistake (and then had to suffer through waiting for your
computer to reboot), here's a cool tip. Once you've started the Shutdown process, but before you see the
small window, which shows the status of the Shutdown, press [Ctrl][Alt][Delete]. You'll then see the
Windows NT Security dialog box. Click Logoff, and Windows NT will simply log you off rather than
shutting down your server.

Configuring an automatic logon in Windows NT

You can configure a Windows NT-based computer with the information it needs to automatically log on
as a specific user rather than prompting for a username and password. Although this can be a security
risk on a work computer, you might use an automatic logon on your home computer. You configure an
automatic logon by editing your computer's Registry. Begin by making sure that the DefaultUserName
value contains your username (or the user you want to use for the automatic logon). This value is stored
below the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
key. Next, add the following values (replace "password" with your username's password):

AutoAdminLogon REG_SZ: 1
DefaultPassword REG_SZ: password

If you're using Novell's Client32, you'll also need to add the following values to the
HKEY_LOCAL_MACHINE\SOFTWARE\NOVELL\NWGINA\Login key:

DefaultNetWareUserName REG_SZ: username
DefaultNetWarePassword REG_SZ: password
NetWareAutoAdminLogon REG_SZ: 1
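
Because DefaultPassword and DefaultNetWarePassword are plain REG_SZ strings, anyone who can read these keys can read the password. The following Python check is an added example, not part of the original tip: it scans a REGEDIT4 text export for the values named above and reports them without echoing the password. The sample export, account name and passwords are constructed for illustration.

```python
import re

# Keys and value names taken from the tip above; compared case-insensitively.
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
NWGINA = r"hkey_local_machine\software\novell\nwgina\login"
CHECKS = {
    # key: (enable flag, user name value, password value)
    WINLOGON: ("autoadminlogon", "defaultusername", "defaultpassword"),
    NWGINA: ("netwareautoadminlogon", "defaultnetwareusername", "defaultnetwarepassword"),
}

# "name"=data, where the quoted name may contain backslash escapes
_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(text):
    """Undo the backslash escaping REGEDIT4 applies inside quoted strings."""
    return re.sub(r"\\(.)", r"\1", text)


def parse_reg_export(text):
    """Return {lowercased key path: {lowercased value name: data}}.

    Only string and dword values are kept; other types are ignored.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        match = _VALUE.match(line)
        if current is None or not match:
            continue
        name, data = _unescape(match.group(1)).lower(), match.group(2).strip()
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            current[name] = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            current[name] = int(data[6:], 16)
    return keys


def audit_autologon(text):
    """Return (key, value name, message) findings for automatic-logon settings."""
    findings = []
    keys = parse_reg_export(text)
    for key, (flag, user, password) in CHECKS.items():
        values = keys.get(key)
        if not values:
            continue
        if str(values.get(flag, "0")) == "1":
            findings.append((key, flag,
                             "automatic logon enabled for %r" % values.get(user, "")))
        secret = values.get(password)
        if secret:
            # A leftover password is a finding even when the flag is off.
            findings.append((key, password,
                             "cleartext password stored (%d chars, not shown)"
                             % len(str(secret))))
    return findings


# Constructed sample export; not taken from a real system.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultUserName"="kiosk"
"AutoAdminLogon"="1"
"DefaultPassword"="Example-Pass-1"
"Shell"="Explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\NOVELL\NWGINA\Login]
"DefaultNetWareUserName"="kiosk"
"NetWareAutoAdminLogon"="0"
"DefaultNetWarePassword"="Example-Pass-2"
'''

if __name__ == "__main__":
    for key, name, message in audit_autologon(SAMPLE_EXPORT):
        print("%s\\%s: %s" % (key, name, message))
```

The NWGINA entry in the sample is reported even though its flag is 0, because a password left behind after automatic logon is switched off is still readable.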

Adjusting the screen saver password grace period

If you've upgraded your Windows NT computer to Service Pack 4, you might notice that Windows NT
uses a longer grace period before prompting you for a password whenever the screen saver is activated.
You can change this grace period by adding a value to your computer's Registry. In Registry Editor,
access HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon. Add
the value ScreenSaverGracePeriod with a data type of REG_SZ. In the Data Type text box, type the
number of seconds to which you want to set the grace period. By default, Service Pack 4 sets the grace
period to five seconds. You can set it to a number from 0 to 2,147,483 seconds.

Adding the Command Prompt to your shortcut menu

If you find that you frequently open a Command Prompt window and change to a specific directory,
you can add the Command Prompt to your shortcut menu. This option enables you to right-click on a
folder within Windows NT Explorer and choose the Command Prompt--which opens a Command
Prompt window with that folder as your active directory.

Begin by creating a batch file. For example, you could create a batch file named StartPrompt.cmd. Add
the following commands to your batch file:

@echo off
cd /d %1
Title %~f1

Save this batch file to your Windows NT root directory (which is usually C:\WINNT). Next, open
Windows NT Explorer. Choose View |Options to display the Options dialog box. Select the File Types
tab. In the list of Registered File Types, select Folder then click Edit. Next, click New to display the
New Action dialog box. In the Action text box, type Command Prompt. In the Application Used To
Perform Action text box, type:

cmd.exe /a /k c:\winnt\StartPrompt "%l"

Click OK to close the New Action dialog box, then click Close twice. Open Windows NT Explorer,
then right-click on a folder. You should now see a new option called "Command Prompt" on the
shortcut menu. If you choose this option, Windows NT opens a new Command Prompt window with
the selected directory as your current directory.

Connecting to a non-standard ftp port through ftp

If you need to connect to an ftp server that uses a non-standard ftp port, you can't simply connect to the
server by using the ftp client utility. Instead, you must connect by performing the following steps:

1. At a command prompt, type ftp and then press [Enter].
2. At the ftp prompt, type open ftp_site port_number.

Replace ftp_site with the name of the ftp server to which you want to connect (such as
ftp.company.com). Replace port_number with the port number assigned to the ftp server.

Preventing changes to drive mappings with Windows NT

Have you ever wanted to prevent users from changing their drive mappings? If so, you can prevent
Windows NT users from mapping new drives or disconnecting their existing drives by modifying the
Registry. Begin by accessing the Registry key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer. Next, add
the value NoNetConnectDisconnect with a data type of REG_DWORD and a value of 1. This value
removes the Map Network Drive and Disconnect Network Drive from the menu in Windows NT
Explorer and from the shortcut menu displayed when users right-click on the Network Neighborhood
icon.
(Note: Your users must be using Windows NT with Service Pack 2 or later to support this setting.)

DELETING DEVICE DRIVERS AND SERVICES

If you have a service or device driver that you want to remove, in Control Panel /Services or /Devices,
locate the service or driver and Stop it (if it is started). If it won't STOP, configure StartUp as Disabled
and reboot. In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services, locate the object,
highlight it, and delete it.

Configuring Windows NT to enable the NumLock key

By default, Windows NT doesn't enable the [NumLock] key when a user first logs on to a Windows
NT-based computer--and even if the user turns on [NumLock], Windows NT turns it off again
whenever the user logs off if he is not a member of Administrators. You can make the [NumLock] key
stay on for non-administrative users by editing the Registry.
Note: You must either log on as the user or have the user log on and edit their Registry remotely. To
turn on the [NumLock] key, set the following Registry value to 2:
HKEY_CURRENT_USER\Control Panel\Keyboard\InitialKeyboardIndicators
By default, Windows NT sets the InitialKeyboardIndicators value to 0 (which turns the [NumLock] key
off). You can turn on the [NumLock] key in the default profile so that all new users who log in to a
computer have NumLock enabled by setting the following Registry value to 2:
HKEY_USERS\.DEFAULT\Control Panel\Keyboard\InitialKeyboardIndicators

Deleting a folder and its contents in Windows NT

If you want to delete a folder, including all files and folders within the folder, you can use the rd
Command Prompt utility. (This command is very similar to the DOS deltree command.) To delete a
folder and all of its contents, type the following:

rd x:\folder /S

Replace x:\folder with the drive letter and name of the folder you want to delete. If you don't want rd to
verify that you really do want to delete the folder and everything below it, you can type the following
command:

rd x:\folder /S /Q

Adding the /Q parameter runs rd in "quiet" mode--which means you won't be prompted to confirm the
deletion of the folder and its contents. (So be careful!!)

TIP: HOW DO I CREATE A COMMON FAVORITES FOLDER ON MY SERVER?

If you want to have a common Favorites folder for all users on your network:
1. Create a folder on a network share and set the share and folder permissions appropriate to your
environment.
2. Use Regedt32 to navigate to each user's
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell
Folders
3. Double-click the Favorites value name and set the String to the UNC path to the common
Favorites share. Example: \\ServerName\FavShrNm. To verify that this worked, start Internet
Explorer (IE) and click Organize Favorites on the Favorites menu.

Synchronizing clocks on Windows NT computers

One of the Windows NT Resource Kit utilities, TimeServ, enables you
to configure your Windows NT-based computers (running Windows NT
version 3.5 or later) to synchronize their clocks either by modem
or over the Internet. TimeServ enables you to configure a computer
to synchronize its clock with a number of different time sources
including the National Institute of Standards and Technology's
Atomic Clock. Before you use this utility, make sure you download
the latest version of it from

ftp://ftp.microsoft.com/bussys/winnt/winnt-public/reskit/nt40/i386/

Microsoft has documented a bug with the version of timeserv.exe
that originally shipped in the Windows NT Resource Kit.

You should configure one computer on your network to act as a primary
time server by having it synchronize its clock with an official time
server. You can then configure all of the other computers to set their
time via your primary time server. To install TimeServ on your primary
time server, log on as a user with administrative privileges and copy
timeserv.exe and timeserv.dll to your server's \%SystemRoot%\System32
folder. (For example, if you installed Windows NT Server to C:\WINNT,
you should copy these two files to C:\WINNT\SYSTEM32.) Next, copy the
file named timeserv.ini to \%SystemRoot%. Finally, start TimeServ by
running either timeserv -automatic or timeserv -manual from the
command prompt. (If you use the automatic parameter, Windows NT will
automatically restart the service whenever you reboot your server.
If you use the manual parameter, you must manually restart the
TimeServ service yourself.)

Note: By default, the timeserv.ini file configures your computer to
dial the United States "atomic clock." In addition, it assumes that
your computer is using a standard modem on COM1 and doesn't dial a
PBX prefix (such as 9). If you want to configure your computer to
use different settings, you'll need to edit the timeserv.ini file
to reflect those settings. You'll find detailed instructions on
how to edit the timeserv.ini file in the TimeServ documentation
(TimeServ.htm) included with the Resource Kit.

Once you have configured a primary time server to set its time by
the Atomic Clock, you can configure your other Windows NT-based
computers to set their clocks by the primary time server by using
the net time command or by installing TimeServ as a service on
their computers. If you use the net time command, you'll need to
permit Domain Users to change the date/time on those computers by
modifying User Rights in User Manager for Domains. If you use
TimeServ to set their clocks, you'll need to edit the timeserv.ini
file to indicate that the client obtains its time from your primary
time server.

HOW DO I STOP USERS FROM TAMPERING WITH THE WINDOWS NT EXPLORER VIEW OPTIONS?

Starting with Service Pack 4 (SP4), you can remove the Options menu from the View menu,
preventing users from altering your settings for hidden files and other options. Use Regedt32 to
navigate to:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
On the Edit menu, Add Value name NoOptions as a type REG_DWORD. Set the data value to 1 to
remove the Options menu from the View menu. The user must restart for this setting to take effect.

Uses of the Windows key in Windows NT

In a previous tip, we explained that you can press the Windows key along with the letter "E" to launch
Windows NT Explorer with all drives collapsed. We've since found other uses for the Windows key
including:

[Windows]F: Opens the Find dialog box
[Windows]M: Minimizes all open windows
[Windows]R: Opens the Run dialog box
[Windows][Break]: Opens the System Properties dialog box
[Windows][Tab]: Cycles through the programs on your taskbar
[Windows][F1]: Opens Windows NT Help (regardless of the program you're working in--pressing [F1]
by itself opens the current program's Help)

DISABLING THE WINDOWS LOGO KEY

Administrators commonly disable browsing on public terminals by defining a system policy that
revokes user access to Windows Explorer, the Run command, and the Find command. But even after
you've removed Explorer, users can access disabled features using shortcuts with the Microsoft
Windows logo key (e.g., logo key+E). Here's a quick script you can use with the Microsoft Windows
NT Server 4.0 Resource Kit utility regini.exe to disable the right and left Windows logo keys and lock
down your public or high-security systems. Create a file with an .ini extension, enter the commands
below, and run the script by entering its full name (e.g., nologoskey.ini) at a command prompt. You
must reboot the system to disable the Windows logo keys. Of course, you can also make these
modifications manually with a Registry editor and reboot.

; This mapping disables both Windows logo keys
;
\Registry\Machine\SYSTEM\CurrentControlSet\Control\Keyboard Layout
    Scancode Map = REG_BINARY 24 \
        0x00000000 0x00000000 3 \
        0xE05B0000 0xE05C0000 \
        0x0

See Microsoft Support Online article Q181348
(http://support.microsoft.com/support/kb/articles/Q181/3/48.asp) for an explanation of the binary
values that appear in the script. The article states that if you encounter problems, you can delete the
Registry key this script creates
(HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout\Scancode Map)
with a Registry editor running locally or over the network. If you delete the key, you need to reboot the
system to restore access to the Windows logo keys.
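
To check what a Scancode Map value on a machine actually does, you can decode it. The Python below is an added example, not part of the original tip or of the Resource Kit; it parses the 24-byte value the script above writes. The function names and the KEY_NAMES table are this example's own.

```python
import struct

# Names for the two scancodes the script above disables; others are shown in hex.
KEY_NAMES = {0xE05B: "Left Windows logo key", 0xE05C: "Right Windows logo key"}

# The DWORD literals from the regini script, in order (24 bytes once packed).
SCRIPT_DWORDS = [0x00000000, 0x00000000, 3, 0xE05B0000, 0xE05C0000, 0x0]


def dwords_to_bytes(dwords):
    """Pack DWORD literals into the little-endian bytes stored in the Registry."""
    return b"".join(struct.pack("<I", d) for d in dwords)


def parse_scancode_map(blob):
    """Return [(source_scancode, target_scancode), ...] from a Scancode Map value.

    Layout: DWORD version (0), DWORD flags (0), DWORD entry count including
    the terminator, one DWORD per mapping, then a zero DWORD terminator.
    Within a mapping the high word is the key being remapped and the low word
    is the scancode sent in its place; a low word of 0 disables the key.
    """
    if len(blob) < 16 or len(blob) % 4:
        raise ValueError("value must be DWORD-aligned and at least 16 bytes")
    version, flags, count = struct.unpack_from("<III", blob, 0)
    if version or flags:
        raise ValueError("version and flags DWORDs must both be 0")
    if count < 1 or len(blob) != 12 + 4 * count:
        raise ValueError("entry count %d does not match %d-byte value" % (count, len(blob)))
    entries = struct.unpack_from("<%dI" % count, blob, 12)
    if entries[-1] != 0:
        raise ValueError("last entry must be the zero terminator")
    return [(entry >> 16, entry & 0xFFFF) for entry in entries[:-1]]


def describe(mappings):
    """Turn parsed mappings into one readable line per key."""
    lines = []
    for source, target in mappings:
        name = KEY_NAMES.get(source, "scancode 0x%04X" % source)
        if target == 0:
            lines.append("%s: disabled" % name)
        else:
            lines.append("%s: remapped to scancode 0x%04X" % (name, target))
    return lines


if __name__ == "__main__":
    blob = dwords_to_bytes(SCRIPT_DWORDS)
    print(len(blob), "bytes")
    for line in describe(parse_scancode_map(blob)):
        print(line)
```

A value that fails these checks, or that maps keys you did not configure, is worth investigating before the next reboot applies it.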

AUTOMATIC LOGON IN WIN2K AND NT 4.0


When you're debugging code such as a device driver that takes down a system, you'll appreciate
knowing how to enable an automatic system logon. The Registry's Winlogon key contains many entries
that control how the logon process works. Two of these entries let you set up a system for automatic
logon after a system restart or a logoff so that you can use the extra time to focus on cleaning up your
code. Go to the following Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Enter a valid account name in the DefaultUserName (type REG_SZ) entry and the password for the
account in the DefaultPassword (type REG_SZ) entry. If either entry doesn't appear in the Winlogon
key, create it with a Registry editor. If you forget to enter a DefaultPassword, the OS automatically
changes the AutoAdminLogon key value from 1 (true) to 0 (false), which disables the
AutoAdminLogon feature. If the AutoAdminLogon entry disappears, you can recreate it manually--it
has a data type of REG_SZ. A value of 1 enables AutoAdminLogon and a value of 0 disables the
feature. Reboot the system to activate the changes. When automatic logon is enabled and you want to
log on to the system as a different user, hold down the Shift key after logging off or restarting and
you'll see the regular logon dialog box--a technique that works with Windows NT 4.0 and Windows
2000 (Win2K). Keep in mind that if you configure a system for automatic logon, anyone can restart the
system and log on, so making this change exposes a potential security vulnerability. See Microsoft
Support Online article Q97597 (http://support.microsoft.com/support/kb/articles/Q97/5/97.asp) for
details.

KEEPING RAS CONNECTIONS ACTIVE AFTER LOGOFF

The KeepRasConnections value entry in the Registry's Winlogon key controls whether RAS maintains
active connections after a user logs off. If you want your dial-up or VPN connections to remain live, go
to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, add
the value entry KeepRasConnections: REG_SZ: 1, and reboot. This entry doesn't typically appear in
the Winlogon key; you must create it with a Registry editor. See Microsoft Online Article Q158909
(http://support.microsoft.com/support/kb/articles/q158/9/09.asp) for more information.

PREVENTING GUEST ACCESS TO EVENT LOGS

Default Windows NT configuration gives guests the ability to view event logs (system and application
logs). The security log is protected from guest access by default; it's viewable by users who have the
"Manage Audit Logs" user right. To restrict guest access to the event log files, use the Registry Editor
to open the key \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\.
For each [LogFileName] add (or change) the key value as follows:

RestrictGuestAccess
data type: REG_SZ
value: 1

Set the value for each of the logs to 1. The change takes effect on the next reboot. Needless to say,
you'll have to change the security on this key to prevent access to everyone except Administrators;
otherwise, malicious users can reset these values.

Removing menu choices from the shortcut menu in Windows NT Explorer

When you install certain applications such as WinZip, they add choices to your shortcut menu in
Windows NT Explorer. (You get the shortcut menu whenever you right-click on a folder or file.) You
might find that if a program doesn't uninstall properly, you'll need to manually remove these menu
choices. While removing menu choices from the SendTo folder is easy (simply delete the shortcut from
the SendTo folder below your profile), removing other options isn't quite as easy. If you find that you
want to remove menu choices from your shortcut menu, you can do so by editing your Registry. Begin
by accessing the Registry key HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers. Within the
ContextMenuHandlers key, you should see a key for each of the menu options added to your shortcut
menu. If necessary, delete the keys that correspond to the menu options you want to remove.

CUSTOMIZE YOUR SEND TO BUTTON


You're just a right-click away from customizing your Send To button so that it includes your frequent
tasks. In Windows NT, go to the WINNT\Profile\All Users\Send To folder. Right-click a blank space
on the screen, and select New, then Shortcut. At the Create Shortcut window, make your selection. (You
can include administrative shares to a server, e.g., \\servername\c$.) This tip works great on
workstations frequently used for copying files.

Adding shortcuts to your Network Neighborhood folder in Windows NT

If you find that you frequently access computers that aren't in your domain or workgroup, you can add
shortcuts to those computers in your Network Neighborhood folder. Windows NT displays only the
computers in your domain or workgroup in the top-level of the Network Neighborhood. To add a
shortcut to another computer to your Network Neighborhood, begin by double-clicking on the Network
Neighborhood icon on your desktop to open the folder. Next, from the Start menu, choose Find |
Computer. In the Named text box, type the name of the computer you want to create a shortcut to, then
click Find Now. When you see the computer name, right-click and drag it to your Network
Neighborhood folder. From the shortcut menu, choose Create Shortcut(s) Here. You'll now have a
shortcut to that computer in your top-level Network Neighborhood folder--even if the computer is in a
different domain or workgroup.

REPLACE A DLL WHILE THE SYSTEM IS USING IT

I have a quick tip that might be helpful. If you need to replace a DLL that the system is currently using,
you won't be able to remove or rename the DLL using Windows Explorer; however, you can remove or
rename it using the command line. First, copy the new DLL to the correct location (e.g., xxx.dll_new).
Then, replace the current DLL using the following syntax:

rename xxx.dll xxx.dll_old
rename xxx.dll_new xxx.dll

Reboot the machine. Upon startup, the system will be using the new DLL. You should always keep the
old DLL in case of any problems on startup.

WINDOWS NT SHORTCUTS AND TIME SAVERS


From time to time we like to provide our readers with tips and tricks that help speed you through the
normal workday. You know, those brilliant little keyboard manipulations that not only save you time,
but also provide some of those interesting "secret" keystrokes and shortcuts.

Keyboard Shortcuts

If you hold down the Shift key when you insert a CD-ROM, the AutoPlay feature will be disabled.
This is advantageous when upgrading an application such as Diskeeper which requires that the original
CD-ROM be inserted. If the original CD-ROM AutoPlays, you may accidentally reinstall the original
instead of the upgrade.

If you hold down the Shift key when logging on, any program that is in the Startup folder will not
automatically start. This is useful when you are troubleshooting, or any other time you do not want to
wait for any automatic program startups.

If you press Tab while holding down the Alt key, a list of icons for your open applications will appear,
with a frame around one. (Keep holding down the Alt key to continue to view this list; releasing the
Alt key causes the framed application to become the current window). Pressing the Tab key again,
while still holding down Alt, will move the frame to the next icon. Holding down Shift while you press
Tab (still depressing the Alt key) moves the frame in the other direction. As noted above, when you
release the Alt key, the application represented by the icon currently in the box will become the current
(top) window. If the application is minimized, it will be expanded.

With several applications open in windows on your desktop, Alt-Esc brings up the next application, and
Alt-Shift-Esc brings up the previous one. (Note that this won't work with minimized windows). If you
only have a few applications active, this can be faster than using Alt-Tab.

Print Scrn will put a snapshot of the entire screen into the Clipboard; "Alt-Print Scrn" will save only
the active window. After capturing the snapshot, open Paint (or your favorite graphics editing
program) and Paste the snapshot into a new file. Use "File/Save as" to save the image. This tool can
be invaluable when communicating a problem to Tech Support, as it shows us the exact error message
displayed.

In Windows NT Explorer and in Microsoft Outlook, if you select a folder then press "*" on the numeric
keypad (Num Lock can be on or off), the entire tree of sub-folders under the selected folder will be
expanded. Pressing "-" on the keypad will collapse the tree again. However, if you now click on the
"+" by the folder name, the entire tree will appear again. To go back to the default of displaying a
folder's immediate sub-folders only, you must either click each "-" individually, or exit Windows NT
Explorer or Microsoft Outlook and then re-open it.

You can open the Start menu by pressing Ctrl-Esc; Ctrl-Shift-Esc will open Task Manager.

If you print a lot of documents, try "drag-and-drop" printing. Select Control Panel / Printers, then click
and hold the printer you usually use and drag it to the desktop. Now you can drag a file from Windows
NT Explorer (or Microsoft Outlook or any similar file list) and drop it on the printer icon. If it's a
printable file, it will print.

Your Interface

There are many ways to set up the interface between you and your computer. Each has advantages and
disadvantages, so the only advice we can give is try different things and use what suits you. I make
shortcuts to all of my commonly used programs and drag them to the desktop, then use the Microsoft
Office suite Desktop toolbar. I keep it "Always on Top" and "Auto Fit into Title Bar area". The
applications I want to keep open, such as Microsoft Outlook, are accessible from the Taskbar. The rest
I access from the Microsoft Office Toolbar and close when I'm finished.

Here are some other interface tricks you can try.

Did you know you can set a shortcut to open a program in the size window you prefer? Highlight and
right click the shortcut. Click Properties, select the Shortcut tab and pull down the menu in the Run
field. Here you will find MINIMIZED, NORMAL WINDOW and MAXIMIZED. The default is
NORMAL WINDOW.

Within the same shortcut tab, you will see a field called SHORTCUT KEY. Select that and type in any
key you like. This will cause the shortcut to be called whenever you select Ctrl + Alt + the key you
selected - instant hot key! Be aware that if you use that same key again in another shortcut, it no longer
will point to the previous one; one key per shortcut.

If you don't like having shortcuts on your desktop, you can put any shortcut you like into your Start
menu:

a. Create a shortcut to any program you will use by selecting the .exe file in Windows NT Explorer,
right clicking and selecting CREATE SHORTCUT.

b. Highlight the shortcut, right click and select CUT.

c. Right click the START button and select OPEN.

d. Right click anywhere in the window and select PASTE.

Voilà, you have loaded your shortcut into the start menu!

You may want to set the TASK BAR PROPERTIES to SHOW SMALL ICONS ON START MENU if
you have a lot of shortcuts in there:

a. Right click on an unused area of the task bar (usually at the bottom of the screen).

b. Select PROPERTIES.

c. Enable the SHOW SMALL ICONS ON START MENU option.

CREATING A FILE CONTAINING YOUR USER AND GROUP ACCOUNTS IN WINDOWS NT
The Windows NT 4.0 Resource Kit includes a utility, addusers.exe, that you can use to create a
comma-separated file containing a list of users and groups from your domain (or member server). You can use
the addusers utility to export users and groups to a file--and you can also use addusers to import that
file to create the same accounts on another server. You might use the ability to import a file created by
the addusers utility to automate creating accounts on another Windows NT computer.

To create a file containing your user and group accounts, use the following syntax:

addusers \\computer_name /d filename

For example, to export the users from a computer named sales_server to a file named users.txt, you
should use the following syntax:

addusers \\sales_server /d users.txt

Once you've created an export file containing your users and groups, you can then import it into a
server by using the following syntax:

addusers \\computer_name /c filename

For example, if you want to import the file named users.txt into a server named acctg_server, use the
following syntax:

addusers \\acctg_server /c users.txt

WINDOWS 2000 PRO Q&A: KILL HUNG PROCESSES AT SHUTDOWN
When you issue a shutdown command, the OS sends a request to all active processes to close down so
that it can complete the shutdown process properly. Most applications, especially 32-bit applications,
usually honor this request. Once in a while, you run into a misbehaving 16-bit application that ignores
the shutdown request. Although the system prompts you to kill the task or wait for a while so it can kill
the task for you, you can automate terminating a hung process at shutdown.
If you want hung processes to terminate automatically for all users who log on to your computer, you
can modify the default user profile. Otherwise, modify only the current user's profile. Run regedt32.exe
and go to HKEY_USERS\.DEFAULT\Control Panel\Desktop (to modify only the current user profile,
go to HKEY_CURRENT_USER\Control Panel\Desktop). On the right side, you'll see an entry
AutoEndTasks with a default value of 0. Change this value to 1.

DISABLING VIDEO TEST AT SYSTEM RESTART


Here's a nifty Registry edit that eliminates the video test Windows NT 4.0 performs when you reboot
after updating or replacing a video driver. After you install the new driver, start regedt32.exe, go to the
path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers and delete
the keys NewDisplay and RebootNecessary that appear under this entry. This edit lets you bypass the
usual dialog box that prompts you to test and set the video refresh rate after you reboot to load the new
driver. Microsoft Support Online article Q253296
(http://support.microsoft.com/support/kb/articles/Q253/2/96.asp) documents this Registry modification
and provides additional references.

LOCKING THE TASKBAR


You can prevent users from changing the Taskbar in Windows NT by editing the registry.
1. Select Start | Run.
2. Type Regedt32 and click OK.
3. Go to the [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
key and set the value of "NoTrayContextMenu" = 1.
This will also prevent users from right-clicking the Start button and selecting Open or any other
command.

DUAL BOOTING WINDOWS 95 AND WINDOWS NT WORKSTATION
If you want to access Outlook Express mailboxes and address book from either operating system,
install Outlook Express under Windows 95 and log on as the user RSC. Boot to Windows NT as
Administrator, install Outlook Express, and then change two Registry keys, thus letting the Windows
NT version access the data from the Windows 95 install. For the Windows NT address book, change
HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\Wab File Name to the value that points to
the address book location under Windows 95 (e.g., key name: Default).
Key value: C:\WIN95\Profiles\rsc\Application Data\Microsoft\Address Book\rsc.wab
Old value: C:\winnt\profiles\administrator\applicationdata\microsoft\address book\administrator.wab
For the data (Mailboxes), change the value under
HKEY_CURRENT_USER\Identities\{B5088BD0-A847-11D3-A7AB-0010100003C5}\Software\Microsoft\Outlook Express\5.0.
Key name: Store Root
Old value: "%UserProfile%\Application Data\Identities\{B5088BD0-A847-11D3-A7AB-0010100003C5}\Microsoft\OutlookExpress\"
New value: "c:\program Files\outlook express\rsc"
Note that Windows NT generates the value {B5088BD0-A847-11D3-A7AB-0010100003C5} and uses
it to locate and identify the profile in Windows NT, but it's irrelevant to the actual location of the data.

CHANGING THE DEFAULT LOCATION FOR INSTALLING APPLICATIONS
Most programs install in C:\Program Files by default. You can change this default by editing the
registry. Open the Registry Editor by selecting Start | Run | Regedt32. Navigate to
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion.
In the right pane, double-click ProgramFilesDir and change the path in the String Editor to the drive
and folder you want (e.g., D:\Program Files). You must also modify the entry for ProgramFilesPath.
Exit the Registry Editor and restart your computer. Be aware that some programs still require
installation in the C:\Program Files folder.

TIP: OPENING A COMMAND PROMPT IN A SELECTED FOLDER IN EXPLORER

The best way to open a command prompt in a selected folder in Explorer is to add a context menu
option to folders that will then open a command prompt at the selected folder.
Use regedit.exe to browse to HKEY_CLASSES_ROOT\Folder\Shell. Add a new key (using the Edit
menu) called MenuText. Double-click the default of this new key and enter the text you want to display
when you right-click a folder (e.g. "Open Command Prompt").
Select the key MenuText and add a new key under it called "Command." Double-click the default of
this key and enter <system dir>\system32\cmd.exe /k cd "%1"--where system dir is your system
directory (e.g., c:\winnt). Close the Registry editor.
You don't have to reboot the machine for this to work. Now, when you select a folder in Explorer and
right-click, a new option in the menu called Open Command Prompt takes you to the currently selected
folder.

TEMPORARILY DISABLING SHORTCUTS IN YOUR STARTUP GROUP IN WINDOWS NT
On occasion, you might want to log on to Windows NT without running any of the shortcuts in your
Startup group. You can temporarily prevent these programs from starting by holding down the [Ctrl]
key when you click OK to log on in the Windows NT Logon Information dialog box. When you log on
to Windows NT next time, the Startup programs will start normally.

LOGON CREDENTIALS
Windows NT's default configuration caches the last logon credentials for a user who logs on to a
system interactively. This feature is provided for system availability reasons, such as a situation in
which the user's machine is disconnected or one in which none of the domain controllers is online.
Even though the credential cache is well protected, in a highly secure environment, you may want to
disable this feature. You can do so by setting the following Registry key:
Hive: HKEY_LOCAL_MACHINE
Key: Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Name: CachedLogonsCount
Type: REG_SZ
Value: 0

SENDING A QUICK EMAIL MESSAGE


If you're using Microsoft Outlook, you can send a quick email message by using the mailto command.
Begin by choosing Start | Run. Next, type mailto: in the Open text box and click OK. You'll see a new
message dialog box. Click Send when you're ready to send the message. Note: Although Outlook
doesn't have to be running for you to create and send a new message using mailto, your message won't
be sent until you open Outlook.

FORCING REPLICATION BETWEEN TWO WINDOWS 2000 DOMAIN CONTROLLERS IN A SITE
In Windows NT 4.0, you can force replication between domain controllers using Server Manager. In
Windows 2000, you can also force domain controller replication using the following steps:
1. Start the Active Directory Sites and Services Microsoft Management Console (MMC) snap-in.
Expand the branch that shows the various sites. (The default site, Default-First-Site-Name, might be
your only site.)
2. Expand the site that contains the domain controllers.
3. Expand the servers. Select the server to which you want to replicate and expand it.
4. Double-click that server's NTDS settings.
5. Right-click the server you want to replicate. Select Replicate Now from the context menu. In the
confirmation dialog box, click OK. The replication is one-way. For two-way replication, you need to
replicate in each direction.

TIP: ALLOCATING DISKS AND CD-ROMS DURING LOGON


By default, Microsoft Windows NT lets any program access files on disks and CD-ROMs. In a highly
secure, multiuser environment, you might want to let only the person logged on interactively access
those devices. An interactive user can write sensitive information to these drives, confident that no
other user or program can see or modify that data. When you operate in this mode, the disks and/or
CD-ROMs on your system are allocated to a user as part of the interactive logon process. Because
these devices are automatically freed for general use or for reallocation when that user logs off, you
must remove sensitive data from the disk or CD-ROM drives before logging off.
To allocate disks during logon, use the Registry Editor to create or assign the following Registry key
value:

Hive: HKEY_LOCAL_MACHINE\SOFTWARE
Key: \Microsoft\Windows NT\CurrentVersion\Winlogon
Name: AllocateFloppies
Type: REG_SZ
Value: 1

To allocate CD-ROMs during logon, use the Registry Editor to create or assign the following
Registry key value:

Hive: HKEY_LOCAL_MACHINE\SOFTWARE
Key: \Microsoft\Windows NT\CurrentVersion\Winlogon
Name: AllocateCDRoms
Type: REG_SZ
Value: 1

If the value does not exist or is set to any other value, disks or CD-ROM devices will be available on
the system for all processes to use. The value you set will take effect at the next logon. If a user is
already logged on when this value is set, it will have no effect for that logon session. For the device(s)
to be allocated, the user must log off and log on again.

Note: NT lets all users access, read, and write to any tape in the drive. In general, this access is not a
concern because only one user at a time is interactively logged on. However, in rare instances, a
program that a user starts can continue to run after the user logs off. When another user logs on and
puts a tape in the tape drive, the first program can transfer what might be sensitive data from the first
tape to the second tape. If this is a concern, restart the computer before using the tape drive.
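
The Registry values covered in the tips on automatic logon, guest access to event logs, cached logon credentials, and disk and CD-ROM allocation can be checked together from a text export. The Python below is an added example, not part of the original tips; it assumes a regedit.exe text export in REGEDIT4 format, uses the high-security values these tips give as its baseline, and runs on a constructed sample with a made-up account name and password.

```python
import re

WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
EVENTLOG = r"hkey_local_machine\system\currentcontrolset\services\eventlog" + "\\"

# Constructed REGEDIT4-style export; the account name and password are made up.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultUserName"="labuser"
"DefaultPassword"="constructed-example"
"CachedLogonsCount"="10"
"AllocateFloppies"="1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application]
"RestrictGuestAccess"="1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security]
"RestrictGuestAccess"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System]
"File"="%SystemRoot%\\system32\\config\\SysEvent.Evt"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\ExampleSource]
"TypesSupported"=dword:00000007
"""

SECTION = re.compile(r"^\[(.+)\]$")
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg_export(text):
    """Return {lowercased key path: {lowercased value name: data as string}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        section = SECTION.match(line)
        if section:
            current = keys.setdefault(section.group(1).lower(), {})
            continue
        value = VALUE.match(line)
        if value is None or current is None:
            continue
        name, data = value.group(1).lower(), value.group(2)
        if len(data) >= 2 and data[0] == data[-1] == '"':
            data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \\ and \" escapes
        elif data.lower().startswith("dword:"):
            data = str(int(data[6:], 16))  # compare DWORDs as decimal strings
        current[name] = data
    return keys


def audit(keys):
    """Return (setting, finding) pairs where the export differs from the baseline."""
    findings = []
    winlogon = keys.get(WINLOGON, {})
    if winlogon.get("autoadminlogon") == "1":
        findings.append(("AutoAdminLogon", "automatic logon is enabled"))
    if "defaultpassword" in winlogon:
        findings.append(("DefaultPassword", "logon password is stored as a readable REG_SZ string"))
    if winlogon.get("cachedlogonscount") != "0":
        findings.append(("CachedLogonsCount", "logon credentials are cached"))
    for name in ("AllocateFloppies", "AllocateCDRoms"):
        if winlogon.get(name.lower()) != "1":
            findings.append((name, "device is not allocated to the interactive user"))
    for path in sorted(keys):
        log = path[len(EVENTLOG):]
        # Only direct children of EventLog are log files; deeper keys are event sources.
        if path.startswith(EVENTLOG) and log and "\\" not in log:
            if keys[path].get("restrictguestaccess") != "1":
                findings.append(("RestrictGuestAccess", "guests can read the %s log" % log))
    return findings


if __name__ == "__main__":
    for setting, finding in audit(parse_reg_export(SAMPLE_EXPORT)):
        print("%-20s %s" % (setting, finding))
```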

SPEEDING UP WINDOWS 9X LOG-ONS


If you have Windows 9x clients on your Windows NT network, you can reduce the amount of time it
takes for these clients to log on to your domain by not configuring them to require a separate Windows
password. You'll need to make this change by editing your Windows 9x clients' Registry, so make sure
that you back up before you start.

When you're ready, begin by choosing Start | Run. Type regedit in the Open text box, and then click
OK to start Registry Editor. Next, you'll need to navigate to the
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Network key.
Create a new value in this key by choosing Edit | New | DWORD Value. In the New Value #1 text box,
enter DisablePwdCaching. Double-click on the DisablePwdCaching value to open the Edit DWORD
Value dialog box, and enter 1 in the Value Data text box. Click OK; you should now see this value in
the right-hand pane of Registry Editor. Your last step is to close Registry Editor and restart your
computer.

AN UNDOCUMENTED WIN2K FEATURE RELATED TO COMPATIBILITY: LOCAL DLLS.
If you run into a situation where an application requires a particular DLL version, try the following
procedure:

1. Copy the DLL(s) in question into the same directory as your application.
2. Create an empty text file using Notepad. Save it with the name: <app>.exe.local (replace <app> with
the name of the .exe file for your program)

Run the program as usual. The dummy <app>.exe.local file acts as a flag and causes Win2K to load the
copy of the DLL from the local directory instead of from the Windows/System32 directory tree.
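
Because an <app>.exe.local flag changes which copy of a DLL an application loads, it helps to know where such flags exist on a system. The Python below is an added example, not part of the original tip; it walks an application tree, lists each flag file with the DLLs beside it, and marks those that share a name with a DLL in the system directory. The function names, the system_dir parameter and the sample layout are this example's own, and the sample files are constructed empty files.

```python
import os
import tempfile


def find_local_redirects(app_root, system_dir):
    """Report every <app>.exe.local flag file under app_root.

    For each flag, list the DLLs in the same directory and which of them
    share a name with a DLL in system_dir, i.e. the copies that the flag
    causes the application to load in place of the system ones.
    """
    system_dlls = {n.lower() for n in os.listdir(system_dir) if n.lower().endswith(".dll")}
    report = []
    for dirpath, _dirnames, filenames in os.walk(app_root):
        present = {n.lower() for n in filenames}
        local_dlls = sorted(n for n in filenames if n.lower().endswith(".dll"))
        for name in sorted(filenames):
            if not name.lower().endswith(".exe.local"):
                continue
            exe = name[: -len(".local")]
            report.append({
                "flag": os.path.join(dirpath, name),
                "exe_present": exe.lower() in present,  # flag without its .exe is stale
                "local_dlls": local_dlls,
                "overrides_system": [d for d in local_dlls if d.lower() in system_dlls],
            })
    return report


def build_sample_tree(base):
    """Create a constructed layout of empty files; returns (app_root, system_dir)."""
    layout = {
        "system32": ["comctl32.dll", "shell32.dll"],
        os.path.join("apps", "legacy"): ["legacy.exe", "legacy.exe.local", "COMCTL32.DLL", "helper.dll"],
        os.path.join("apps", "plain"): ["plain.exe", "other.dll"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(base, folder))
        for name in names:
            open(os.path.join(base, folder, name), "w").close()
    return os.path.join(base, "apps"), os.path.join(base, "system32")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        app_root, system_dir = build_sample_tree(base)
        for entry in find_local_redirects(app_root, system_dir):
            print(entry["flag"])
            print("  local DLLs:      ", ", ".join(entry["local_dlls"]))
            print("  override system: ", ", ".join(entry["overrides_system"]))
```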

MORE CACHE FOR IIS


Increasing the amount of cache on your Internet Information Services (IIS) server will provide faster
access time. By default, 3 MB of cache is set aside for WWW, FTP, and Gopher processes. You can
change this amount by editing the registry as follows:

1. Click Start | Run, then type Regedt32.
2. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\InetInfo\Parameters.
3. From the Edit menu, select Add Value, provide the name MemoryCacheSize, set the Data Type to
REG_DWORD and press [Enter].
4. Double-click the new value you created and input the amount of memory you want to use for the
cache (in bytes). For instance, 4000000 would be 4 MB. Click OK to continue.
5. Exit the Registry Editor.
6. Stop and restart all IIS services for the changes to take effect.

WINDOWS 2000 PRO Q&A: USING SYSTEM FILE CHECKER TO CHECK FOR DAMAGED FILES
Q: A few weeks ago, our building experienced some power problems. We lost power several times
throughout the week, causing dozens of improper shutdowns for all our Windows 2000 Professional
systems. This week, we've noticed strange behavior from a few of the computers--namely, odd lockups
and bluescreens. How can I tell if the power failure damaged any of the Windows files?

A: Although "act of God" failures will always be a problem for computers, you're in luck: Microsoft
has included a new tool in Win2K Pro called the System File Checker. It's designed to check the files
on your system for data corruption, improper versions, and missing files. If the System File Checker
finds any questionable files, it will replace the file with a known good copy.
Launch the System File Checker by running sfc.exe from a Win2K command prompt. You'll see
several options; you'll probably want to choose the /SCANNOW option to immediately scan your
system. Sfc.exe checks every protected file on your system (most .sys, .dll, .exe, .ttf, .fon, and .ocx
files). If any of the protected files on your system are missing, corrupt, or an incorrect version, SFC
retrieves a replacement from the cached copy in the folder %systemroot%\system32\dllcache, or from
your Win2K Pro CD-ROM. If this process doesn't correct your situation, your problems are probably
application specific, and you need to reinstall your third-party applications. Good luck!

ADJUSTING scrolling with a wheel mouse
If you've made the move to a wheel mouse, you know just how handy using the wheel to scroll through
Office documents and Web pages can be. By default, wheel mice move up or down three lines for each
notch you roll on the mouse wheel. While you can adjust this setting within the software that came with
your mouse, you'll typically be able to choose between the following settings: 3 Lines, 6 Lines, Screen,
and None. If you have one of the larger monitors and are using a high resolution setting, you'll
probably find that you'll want to use a setting other than these. You can fine-tune how far your mouse
scrolls with each one-notch rotation by editing the following Registry value:

\HKEY_CURRENT_USER\Control Panel\Desktop\WheelScrollLines

You can set the WheelScrollLines to a value from 0 to 4294967294. A value of 0 disables scrolling
altogether, and 4294967294 configures your mouse to scroll one page with each one-notch rotation.

FORCING A SYSTEM SHUTDOWN WITHOUT SAVING ANY IN-PROCESS DATA
This trick is also known as the four-finger salute because it uses the keystroke combination
control-alt-shift-delete. You can enable the feature on any NT 4.0 Service Pack 4 (SP4) system or later.

1. Launch regedit.
2. Go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.
3. In the right pane, right-click and create a new string value EnableQuickReboot and set the text string
to 1.
4. Exit regedit and reboot.

Some descriptions of this process indicate that it writes an unexpected event shutdown message to the
system log. When I tested the procedure while writing this tip, it generated no system log message.
Remember, if you have open applications with unsaved data, you'll lose that data if you enable this
feature.

WINDOWS 2000 PRO TIP: AUTOMATE REMOTE ACCESS DIALING WITH RASDIAL
Have you had a situation where you needed to automate some type of network connection operation--
perhaps dialing a remote network, transferring a file, then disconnecting? I've run into this situation
while developing solutions for clients, but Microsoft's standard interface for dialing up remote
networks is GUI-based and difficult to automate. Fortunately, Windows 2000 has a helpful command-line
utility called RASDIAL that automatically dials a remote network for you. The proper syntax for
RASDIAL is

RASDIAL <pre-defined ras entry name>

If you've defined a dial-up network connection on your system, you can use this command to
automatically log on, assuming you've saved the username and password information associated with
that dial-up connection. For example, if you have a dial-up networking connection called "Earthlink,"
you simply type "RASDIAL Earthlink" on a command line to remotely log on to the network. From
there, you can build a batch routine to copy files from one location to another, do an FTP file transfer,
or perform other functions. After you complete your transactions, disconnect your system with the
following command:

RASDIAL <pre-defined ras entry name> /DISCONNECT

CHANGE THE DEFAULT LOCATION OF THE PROGRAM FILES DIRECTORY
If you're like a lot of Windows power users, you have more than one drive installed on your computer.
And I'm willing to bet that your location of choice for installing new applications isn't the same drive
that hosts your system files. So every time you install a new application, you have to edit the path so
the application doesn't install itself in the local Program Files folder. If you want to change the default
location to another drive or directory, you can perform a simple registry edit.

1. Open Regedit and go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion.
2. You need to change two values to reflect where you want the default installation directory to be:
- ProgramFilesDir
- ProgramFilesPath
3. Double-click those values and edit the value data as appropriate.

MAKE THE MY COMPUTER ICON SHOW CURRENT USER NAME AND MACHINE NAME
Each Windows desktop has a My Computer icon. Clicking the icon opens the My Computer folder,
displaying available resources such as hard disks, printers, DUN, scheduled tasks and mobile device
connections.
Did you know that you can change the folder name to display the locally logged-in user's name? To do
so, open regedt32.exe, navigate to the HKEY_CLASSES_ROOT\CLSID\ subtree, locate the key
named 20D04FE0-3AEA-1069-A2D8-08002B30309D, and follow one of the two instruction sets
below, depending on whether you have Windows 2000 or Windows NT 4.0.
For Windows 2000 systems, select and edit LocalizedString. Copy its text contents to a safe location
such as Notepad. The contents should be similar to "@D:\WINNT\system32\shell32.dll,-9216@1033,
My Computer," without the quotes. Next, delete the LocalizedString value. Create a new value with the
same name (LocalizedString) whose type is REG_EXPAND_SZ. Paste the saved text into the text field
of the newly created value, but edit the prefix before saving it. Replace the text "My Computer" in the
string with "%username% on %computername%," without the quotes. For example, a modified string
might read @D:\WINNT\system32\shell32.dll,-9216@1033,%username% on %computername%.
For Windows NT 4.0 systems, select the <No Name> item in the right pane and delete it. On the Edit
menu, click Add Value and leave the Value Name blank. Select a Data Type of REG_EXPAND_SZ,
and in the string box enter "%userName% on %computername%," without the quotes. Now close
Regedt32 and refresh the desktop to see the new display caption.

WINDOWS 2000 PRO Q&A: LOCKING WIN2K WITH SYSKEY


When Windows NT 4.0 first appeared, passwords stored on the system were encrypted in the SAM, but
they weren't encrypted very well. Because of security concerns, Microsoft improved SAM encryption
by offering a new tool called SYSKEY as a post-Service Pack 2 (SP2) hotfix. SYSKEY uses strong
encryption to protect the private account information on an NT system. SYSKEY uses a 128-bit
cryptographically random key, known as a password encryption key. Windows 2000 Professional
already has SYSKEY built in and enabled by default, which is good for overall security. But if you
must lock your system down, you can go a step further. By default, SYSKEY buries its secret
password encryption key on your system. When you boot your system, Win2K reads the password and
decrypts the account information on your system. However, SYSKEY can store the secret password on
a disk instead of on the system itself.
If you choose this option, you need to insert the disk with your key on it every time you boot a
Win2K system. However, if you ever lose the disk, you won't be able to get into that Win2K
installation.
To move your system key from your workstation to a disk, run SYSKEY from a command prompt.
You'll see that SYSKEY is enabled by default. Click Update, and select "Store Startup Key on Floppy
Disk." Now, every time you boot Win2K, you must insert the disk with the key to get the system
running. I recommend making some extra copies of your key disk--perhaps a few dozen--just in case!

ENABLING STRONG PASSWORDS IN WINDOWS NT


As you've probably already heard, there are many software programs available now that can guess your
users' passwords if they're using words that are in the English dictionary. Beginning with Service Pack
2, Microsoft introduced a DLL file (passfilt.dll) that enables you to protect your systems against such
programs. This DLL forces users to use passwords that meet the following criteria:

1. Passwords must be at least six characters.
2. Passwords must contain three of the following four types of characters:
- Uppercase letters
- Lowercase letters
- Numbers
- Non-alphabetic characters such as punctuation marks
3. Passwords can't contain your user name or any part of your full name.
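
The three criteria above can be written as a small checker to see which candidate passwords they accept and reject. This is an added example, not Microsoft's passfilt.dll code: the function names are hypothetical, and the case-insensitive matching, the name separators and the three-character minimum for name fragments are assumptions.

```python
import re
import string

MIN_LENGTH = 6          # criterion 1: at least six characters
REQUIRED_CLASSES = 3    # criterion 2: three of the four character types
MIN_NAME_TOKEN = 3      # assumption: shorter fragments of the full name are ignored


def character_classes(password):
    """Return which of the four character types listed above occur in password."""
    classes = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        else:
            # Punctuation and anything else that is not an ASCII letter or digit.
            classes.add("other")
    return classes


def name_tokens(username, full_name):
    """User name plus each part of the full name, lower-cased for comparison."""
    tokens = {username.lower()} if username else set()
    # Assumption: the full name is split on whitespace and common separators.
    for part in re.split(r"[\s,.\-_#]+", full_name or ""):
        if len(part) >= MIN_NAME_TOKEN:
            tokens.add(part.lower())
    return tokens


def check_password(password, username, full_name):
    """Return the violated criteria; an empty list means the password is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("length")
    if len(character_classes(password)) < REQUIRED_CLASSES:
        problems.append("classes")
    lowered = password.lower()
    if any(token in lowered for token in name_tokens(username, full_name)):
        problems.append("name")
    return problems


if __name__ == "__main__":
    # Constructed account and candidate passwords.
    for candidate in ("Summer", "Smith#2024", "Tr4il", "Password1"):
        print(candidate, check_password(candidate, "jsmith", "John Smith"))
```

Note that "Password1" satisfies all three criteria: the rules constrain composition only, so a dictionary word with a capital letter and a digit is still accepted.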

Even though passfilt.dll is included in Service Pack 2 and later, it isn't active until you install it. You
install it by completing the following steps:

1. Install the latest Service Pack.
2. Copy passfilt.dll to %systemroot%\system32.
3. Open Registry Editor and access the key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
4. If necessary, add the value "Notification Packages" with a data type of REG_MULTI_SZ
under the LSA key.
5. Double-click the value "Notification Packages" and add the value PASSFILT. (Note: If you
see the value FPNWCLNT already, add PASSFILT below it.)
6. Close Registry Editor and restart your computer.

WIN2K DOESN'T ENABLE UDMA/66 SUPPORT


You've upgraded your new system to Win2K Pro and think, "Now I'm finally going to get top
performance out of the Ultra DMA/66 IDE hard drives I've been using," only to find that your disk
performance hasn't improved. By default, Win2K doesn't enable UDMA/66 support. You need to add a
UDMA 80-pin ribbon connector to the drive (be sure that your system supports UDMA) and manually
enable this support.

1. Open Regedit.
2. Open
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\0000.
3. Open the Edit menu, and select New | DWORD Value.
4. Name the new value EnableUDMA66.
5. Set the data value to 1.
6. Close Regedit and reboot.

WINDOWS 2000 PRO TIP: REPAIR BROKEN APPLICATIONS WITH THE WINDOWS INSTALLER
Let's face it--application troubles are an annoying part of today's computing environment. Applications
have grown so complicated that diagnosing problems quickly is becoming an art. Simply re-installing
the application isn't always the best option, and tracking down buggy DLL files can take an excessive
amount of time, especially if the product isn't well documented. Applications based on Windows
Installer must be self-repairing. I haven't taken time to delve into what Microsoft's definition of self-
repairing actually is (never assume too much), but the Windows Installer service does present some
nice command-line options for trying to repair buggy applications.
At the command prompt, type:

MSIEXEC /fe packagename.msi

MSIEXEC starts the Windows Installer service. The /f switch informs the Windows Installer service
that you want to repair a product. The e option next to the /f switch tells the Windows Installer service
to reinstall a file if it is missing or if an equal or older version is installed. A number of options
are available for the /f switch, including:

c - Reinstall if file is missing or the checksum is invalid
a - Force all files to be reinstalled
u - Rewrite all required user-specific entries
m - Rewrite all required computer-specific entries

The packagename.msi file is the .msi file for the application that you want to repair, such as Office
2000.
You might still have application problems, but with the ability to easily repair them, you shouldn't have
as much of a problem in the future.

DETERMINING IF YOUR HARD DISK IS FAST ENOUGH

Windows NT's Performance Monitor Counter lets you know if your hard drive is too slow. Before you
can run the disk counter, you must activate the physical and logical disk counters. To do this, you must
be logged on as a member of the Administrators group.
At the command prompt, type diskperf to view a Help document about how to turn diskperf on and off.
(Type diskperf -y to set the system to start disk performance counters.) This will also show you whether
the disk performance counters have already been activated. Restart the computer to activate the disk
performance counters.

1. Open Performance Monitor (Start | Programs | Administrative Tools | Performance Monitor).
2. Choose Physical Disk from the Object drop-down menu.
3. Choose Avg Disk Bytes/Transfer from the Counter list.

Let this counter run for several days. A value greater than 20 KB indicates that the disk drive is
generally performing well; low values result if an application is accessing a disk inefficiently, and you
should consider replacing it with a faster drive.

PERSONALIZED MENUS
The Personalized Menus in the new Microsoft products can be infuriating. You can use the following
steps to disable them:

To turn off the Windows 2000 Scrolling Program Menu,

1. Go to the Taskbar, Start, Properties.
2. On the Advanced tab, clear the check box for Scroll the Programs menu.

To turn off the Win2K Personalized Programs Menu,

1. Go to the Taskbar, Start, Properties.
2. On the General tab, clear the check box for Use Personalized Menus.

To turn off Internet Explorer's (IE's) Close Unused Favorites folders in Win2K, change "yes" to "no" in
the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FavIntelliMenus

To turn off the Personalized Menu in Office 2000,

1. Go to Tools, Customize.
2. On the Options tab, clear the check box for "Menus show recently used commands first."

DISABLING SERIAL PORT CHECKING IN WINDOWS NT


By default, Windows NT attempts to automatically detect if you have a mouse on your computer's
COM ports every time you start up your computer. While this is good if you actually do have a mouse
connected to a serial port, you might run into some problems with this auto-detection if you have other
devices connected to your computer's serial ports. For example, you might use a COM port to connect
a UPS to your computer.

You can disable COM port checking by modifying the boot.ini file. Windows NT uses this file during
the boot process. Begin by opening Windows NT Explorer and accessing C:\. You'll find the boot.ini
file in this folder. Because this file is automatically configured with the Read-Only and Hidden
attributes, you won't be able to see it unless you've configured Windows NT Explorer to show hidden
files. (If you don't see the file, choose View | Options. Select Show All Files, and uncheck Hide File
Extensions For Known File Types. Click OK.) Next, you'll need to remove the Read-Only attribute
from the boot.ini file by right-clicking on it and unchecking Read-Only.
You're now ready to edit the file. Double-click on boot.ini, and Windows NT will automatically open
Notepad and the boot.ini file. To disable the checking of your serial ports, add /NoSerialMice to the end
of each line you see in the [operating systems] section of the boot.ini file. Finally, save the file and
close Notepad. Windows NT will no longer attempt to automatically detect devices on your computer's
serial ports.

RUN AN EXECUTABLE AS A DIFFERENT USER


Have you ever gone to a user's machine to fix a complaint only to find that when you logged on with
your Administrative account, the problem disappeared, or the built-in Windows 2000 tools you need to
fix or diagnose the problem aren't available to you because of the limited rights the local user has to his
own machine?
I'm sure you already know that you can connect to any network machine, and Win2K or Windows NT
prompts you for username and password to the network resource if the current account isn't authorized.
You can use Win2K's Runas utility to accomplish the same thing. Runas lets you run any application,
control panel utility, or shortcut as a different user. There are several ways to make the utility available;
however, they're not consistent throughout the UI.
To run an executable as a different user, hold down the Shift key and right-click the target file. Select
Run As from the context menu, which prompts you for the user context (username and password) that
you want to use.
This method doesn't work if you are selecting a Control Panel applet, however. First select the applet
(left-click), then Shift+right-click to bring up the context menu with the Run As option.
You can also use Runas to open a Command Prompt window, either by launching it with the Start,
Run option or by creating a shortcut to the Command Prompt and treating the shortcut like any
application, as described above. Any command line utilities you run in that window will run in the
context of the Runas selected user.

Typing "runas" at the command line returns these instructions for its use:
RUNAS USAGE:

RUNAS [/profile] [/env] [/netonly] /user:<UserName> program

   /profile   if the user's profile needs to be loaded
   /env       to use current environment instead of user's
   /netonly   use if the credentials specified are for remote access only
   /user      <UserName> should be in form USER@DOMAIN or DOMAIN\USER
   program    command line for EXE

Examples:
> runas /profile /user:mymachine\administrator cmd
> runas /profile /env /user:mydomain\admin "mmc %windir%\system32\dsa.msc"
> runas /env /user:user@domain.microsoft.com "notepad \"my file.txt\""

Note: Enter user's password only when prompted.
Note: USER@DOMAIN is not compatible with /netonly.

DESKTOP PERFMON IMPROVED BY READERS!


A number of you have written to say thanks for the little "Perfmon Wallpaper" desktop trick that I
wrote about in last week's column. For those of you just joining us, here's the Cliff-Notes recap: Make
up a performance monitor view, then save it as an HTML file. Put it in your
%SystemRoot%\Web\Wallpaper, then change your desktop wallpaper to the Perfmon view you just saved and voila!
Instant Perfmon desktop!
However, the new Perfmon desktop will, by default, take up ALL of your desktop. No right-clicking
to get to your desktop properties or other desktop tricks. Admittedly, this was a bit of a hassle. Alert
reader Michael Engle sent me a great little workaround to this problem: Just edit the HTML file so that
it doesn't take up your whole screen! (Note to self: Duh! Why didn't I think of that?)
To quote Engle: "If you want to set up the Perfmon wallpaper so it doesn't take up your entire
desktop, you can open the HTML file in Notepad and change a few values:

<body text="#000000" bgcolor="#C0C0C0" link="#0000EE" vlink="#551A8B" alink="#FF0000">

This will give it some color in the background. Now change the width and height values from 100% to,
say, 50%.
<div align=right><object ID="DISystemMonitor1" WIDTH="50%" HEIGHT="50%"

Reset the wallpaper selection and voila--you're all set. You can still right-click the other parts of the
desktop to access context menus."

Windows NT enables you to assign hotkey combinations to your favorite applications. For example,
you can assign the hotkey combination [Ctrl][Alt][C] to the Calculator so that it will pop up whenever
you press that combination of keys. Use the following steps to assign hotkeys:

1. Right-click on the Start menu and choose either Explore or Explore All Users. Choosing
Explore All Users enables you to modify the shortcuts that are the same for all users on your computer.
2. Browse your Start menu's folders until you find the shortcut for the application for which you
want to assign hotkeys (or create the necessary shortcut).
3. Right-click on the application shortcut and choose Properties.
4. Click in the Shortcut Key text box, and then press the combination of keys you want to use as
your hotkeys for that application. (Note: Windows NT automatically forces your hotkeys to include
[Ctrl] and [Alt].)
5. Click OK to close the Properties dialog box for your application.

You can now launch this application by pressing its hotkeys.


Controlling access to removable media
Controlling access to removable media has always been a problem when managing Win2K and
Windows NT clients, and Win2K adds removable hard disk media to the mix. You can find access
control to removable media at:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

There are quite a few values here, but we're concerned with only three of them:
AllocateFloppies
AllocateCDRoms
Allocatedasd

With AllocateFloppies and AllocateCDRoms, the default value is 0, which lets all users access the
device. Changing this value to 1 lets only locally logged-on users access the removable disk or CD-
ROM. To enable this restriction, you also need to delete the administrative shares that are created by
default.
Allocatedasd (DASD is an old mainframe term for Direct Access Storage Device--a hard drive) has
three possible values to control access:
- 0 Only members of the computer's Administrator group.
- 1 Only members of the Administrator and Power Users groups.
- 2 Only members of the Administrator group and the local current user.

Tuning Your System for Broadband


NT and Win 2000 Installation Instructions
The key is a DWORD value and is located under Parameters. Remember you may have to create the
key yourself.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"TcpWindowSize"=dword:00007fff

When you're finished updating the registry, be sure to reboot.

Configuring your SendTo menu in Windows NT


In Windows NT (as well as Windows 9x), when you right-click on a file, you'll see a SendTo menu that
includes shortcuts to various locations such as a floppy disk. You can customize the SendTo menu to
include shortcuts to just about anything, including applications or folders. To add to your SendTo
menu, begin by running Windows NT Explorer and accessing the path
\winnt\profiles\user_name\SendTo. Next, in the right-hand pane, right-click. From the shortcut menu,
choose New | Shortcut. When prompted for the Command Line, type the name of the application or the
folder you want on your SendTo menu (or use the Browse button to find it). Finally, name the shortcut
as you want it to appear on your SendTo menu.

If you add a folder to your SendTo menu, you can then send a file to this folder simply by right-
clicking on the file, choosing SendTo | shortcut_name. Note that when you "send" a file, you're actually
moving that file. If you want to copy the file instead of moving it, hold down the [Ctrl] key when you
choose the folder name on your SendTo menu.

TIP: WIN2K MODEM WON'T START


When you run Windows 2000 and forget to turn on your external modem, the modem won't start.
Instead of restarting Win2K to detect your modem, you can right-click My Computer, select Properties,
Hardware, and Device Manager. A list of installed devices appears on the screen. Select Hardware
Change. Your modem will be detected and ready for you to use.

DISPLAY ADDITIONAL PROPERTIES IN EXPLORER WINDOWS
It never ceases to amaze me what cool little things you can find within Windows 2000 when you
accidentally click something the wrong way in the wrong place. For example, earlier today I needed to
sort one of my Explorer windows by the date field to find out which files in that directory had most
recently been updated (this works only in the Details style view). Instead of left-clicking the modified
column to sort it, I accidentally right-clicked instead.
I was surprised to find that right-clicking a column in an Explorer window opens a list of additional
fields that you can display. I never knew that I could customize the columns in my Explorer windows!
Try it yourself: Open an Explorer window (any window will do), and right-click the column fields.
Depending on the type of window you have open, you'll see a menu of additional fields that you can
display in the detail view. For example, if you're in an Explorer window for your C:\ directory, right-
clicking the column headers shows that you can display additional fields such as comments, creation
date, or date last accessed. But, the real fun comes when you select the "More..." option.
Under the "More..." option, you can customize the placement of the columns by using the Move Up
and Move Down buttons or add more fields such as owner, title, pages, sample rate, frame rate, and
even strange things such as caller-ID (bonus points to whoever can email me and tell me definitively
what that field is actually used for). Just select which fields you want to use by checking the
appropriate boxes.
I added the Pages option to my Details view and noticed that Win2K can tell me how many pages are
in a Word document--sometimes. Some documents it just couldn't seem to figure out. However, the
other fields--attributes, creation date, owner--are a necessity in my book. Definitely a helpful addition
for a power user.

Running a 16-bit application in protected memory in Windows NT


By default, Windows NT runs all 16-bit applications in a shared memory pool in order to simulate the
old Windows 3.x environment. The only problem with this shared memory pool is that if one of the
applications hangs, all of the 16-bit applications you're currently running will also hang. While the
easiest solution to this problem is to upgrade to 32-bit applications, sometimes you don't have that
option--such as when you're using a custom-designed application that's too expensive to rewrite. In this
scenario, you can help to make the 16-bit applications you do run more reliable by running them in
separate areas in memory instead of within a shared memory area.

You can use any of the following techniques to run a 16-bit application in a separate memory pool:

--Choose Start | Run. In the Open text box, type the name of the 16-bit application you want to run (or
browse for the appropriate file). Before you click OK to run the application, check Run In Separate
Memory Space.

--On your desktop, create a shortcut to the 16-bit application. Modify the properties of the shortcut.
Select the Shortcut tab, then check Run In Separate Memory Space. Make sure you save your changes
to the shortcut.

--Open a Command Prompt window. Run the 16-bit application by running the command start
/separate <application_name>. For example, if the name of the executable file for your 16-bit
application is wpdos, you would start it from the command prompt by running the command: start
/separate wpdos.

REGISTRY TWEAK
Here's a little registry tweak that lets you right-click a file without an extension, or a file that doesn't
have a program associated with it. The registry gives you a menu option that lets you open the file with
Notepad, and you don't have to see the "Open With" window.

Navigate to HKEY_CLASSES_ROOT\Unknown\Shell.
Add a new Key named Open With Notepad. Open the new key.
Add another new key named "command."
Add string REG_SZ and make the value "c:\windows\notepad.exe %1" for Windows 9x and
"c:\winnt\system32\notepad.exe %1" for Windows 2000 and Windows NT.

TIP: CHANGE MY COMPUTER ICON TO A TASK BAR


If you drag the My Computer icon to the top of the screen, it will change to a task bar with all drives
showing. If you take the created task bar over to the side, you can create a box with all the drives
(mapped drives included) that is readily accessible from the desktop.

CACHED CREDENTIALS: ANOTHER SECURITY ISSUE


Conveniences that may be in place on your organization's network could make cracking network
security easier. Retaining cached credentials is one such convenience that may be putting your network
at risk.

By default, Windows NT workstations cache the last ten sets of logon credentials received from a
domain controller. This reduces the number of times a workstation has to contact a domain controller
for verification of a logon request, and it often makes it possible to log on to a domain even when the
domain controller isn't available on the network.

There's a registry tweak you can employ if you want to prevent these credentials from being cached.
Using Regedt32, add a REG_SZ value named CachedLogonsCount beneath the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon subkey.
Set its value to 0 to prevent any caching, or to the number of cached credential sets you're willing to
allow. This edit will work with Windows 2000 Professional as well.
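
To check a machine against this tip and the removable-media tip above, you can export the Winlogon key with Regedit and review the three values in the export. The following is an added example, not part of the original tips: the export text is constructed, the function names are hypothetical, and it assumes a REGEDIT4-style text export in which these values appear as strings or DWORDs.

```python
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample of a Regedit text export (not taken from a real machine).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AllocateCDRoms"="0"
"AllocateFloppies"="1"
"CachedLogonsCount"="10"
"Shell"="Explorer.exe"
'''

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg_export(text):
    """Parse string and dword values from export text into {key: {value_name: data}}."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # Registry key and value names are case-insensitive, so store them lower-cased.
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        match = VALUE_RE.match(line)
        if current is None or not match:
            continue
        name, data = match.group(1), match.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            # Undo the \\ and \" escaping used inside exported strings.
            value = re.sub(r"\\(.)", r"\1", data[1:-1])
        elif data.lower().startswith("dword:"):
            value = str(int(data[6:], 16))
        else:
            continue  # hex blobs and other types are not needed for this check
        current[name.lower()] = value
    return keys


def audit_winlogon(text):
    """Return findings for the Winlogon values discussed in the two tips."""
    values = parse_reg_export(text).get(WINLOGON.lower(), {})
    findings = []
    cached = values.get("cachedlogonscount")
    if cached is None:
        findings.append("CachedLogonsCount not set: default credential caching applies")
    elif not cached.isdigit() or int(cached) != 0:
        findings.append(f"CachedLogonsCount={cached}: domain logon credentials are cached")
    for name in ("AllocateFloppies", "AllocateCDRoms"):
        if values.get(name.lower(), "0") != "1":
            findings.append(f"{name} is 0 or unset: all users can access the device")
    return findings


if __name__ == "__main__":
    for finding in audit_winlogon(SAMPLE_EXPORT):
        print(finding)
```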

NEGATIVE DNS CACHING: WHY YOU MAY BE ENCOUNTERING INVALID HOST NAME ERRORS
Windows 2000 relies nearly exclusively on DNS for name resolution. This means we can eventually
abandon NetBIOS name resolution and WINS, which is a good thing, but it also means acquiring some
new troubleshooting techniques because the default behavior of DNS name resolution differs from
NetBIOS name resolution.
All Windows 2000 computers come with a DNS client resolver service. This resolver submits lookup
queries to the DNS server or servers configured in the TCP/IP properties of the LAN interface on the
computer. If the DNS server responds to a request, the client caches this response for a period of time
so that it does not need to send another lookup request if the user wants to contact the same host again.
One change that Microsoft made to DNS caching in Windows 2000 was incorporation of RFC 2308
specifications for caching negative responses. This means that a Windows 2000 DNS client caches
both successful lookup requests and negative responses (No ACKs, or NACKs).
If you aren't accustomed to this behaviour, it can cause surprising results during troubleshooting. For
instance, you have users who cannot contact a given server. You determine that the cause is a missing
host (A) record on the DNS server. You fix the problem by creating a host record but you are
disappointed to find that clients still get "Invalid host name" when they ping the server name. What's
the problem? The clients cached the NACK they received from the original query and they are not
going back to the DNS server for a fresh lookup.
You can verify this by viewing the contents of the DNS cache using the IPCONFIG tool as follows:

IPCONFIG /DISPLAYDNS

Look for entries like this:

servername.somedomain.com.
Negative cache entry for name error

You can also use IPCONFIG to resolve the problem quickly by flushing the DNS cache to force the
clients to go back to the DNS server. The syntax is:

IPCONFIG /FLUSHDNS

You can prevent the problem by disabling NACK caching completely. It is controlled by the following
Registry entry:

HKEY_Local_Machine\System\CurrentControlSet\Services\DNSCache\Parameters\NegativeCacheTime

Set the value to 0 to disable NACK caching.
There is no Group Policy for this entry, but you can distribute the change to your clients by including a
Registry update in a logon script. Use Regedit to save the Registry entry to a .reg file such as
NACK.REG, then include a line in the logon script to import the entry, such as: REGEDIT /I
NACK.REG. You'll need to have a copy of the .reg file in the same location as the logon script.
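
The troubleshooting scenario above can be replayed with a small model of a caching client, which shows why the new host record is not seen until the negative entry expires, the cache is flushed, or negative caching is disabled. This is an added example, not Windows code: the class and function names are hypothetical, and the 300-second negative cache time and the address are constructed values.

```python
HOST = "servername.somedomain.com"   # host name used in the tip above
ADDRESS = "192.0.2.10"               # constructed documentation address
POSITIVE_TTL = 3600                  # one hour, the default interval the tip cites


class ClientResolverCache:
    """Toy model of a caching DNS client; `zone` stands in for the DNS server."""

    def __init__(self, zone, negative_cache_time):
        self.zone = zone
        self.negative_cache_time = negative_cache_time
        self.cache = {}            # name -> (address or None, expiry time)
        self.server_queries = 0

    def lookup(self, name, now):
        entry = self.cache.get(name)
        if entry is not None and now < entry[1]:
            return entry[0]        # answered from cache, positive or negative
        self.server_queries += 1
        address = self.zone.get(name)
        ttl = POSITIVE_TTL if address else self.negative_cache_time
        if ttl > 0:
            self.cache[name] = (address, now + ttl)
        else:
            self.cache.pop(name, None)   # negative caching disabled: remember nothing
        return address

    def flush(self):
        """Equivalent in effect to IPCONFIG /FLUSHDNS in this model."""
        self.cache.clear()


def troubleshooting_timeline(negative_cache_time, flush_after_fix=False):
    """Look up HOST before the fix, shortly after it, and after 301 seconds."""
    zone = {}                                  # host (A) record is missing at first
    client = ClientResolverCache(zone, negative_cache_time)
    results = [client.lookup(HOST, now=0)]     # client receives and may cache the NACK
    zone[HOST] = ADDRESS                       # administrator creates the host record
    if flush_after_fix:
        client.flush()
    results.append(client.lookup(HOST, now=20))
    results.append(client.lookup(HOST, now=301))
    return results, client.server_queries


if __name__ == "__main__":
    print("negative caching on: ", troubleshooting_timeline(300))
    print("flushed after fix:   ", troubleshooting_timeline(300, flush_after_fix=True))
    print("NegativeCacheTime=0: ", troubleshooting_timeline(0))
```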
By default, records are cached for the timeout interval specified in the Start Of Authority (SOA) record
at the primary DNS master for the zone that contains the record. In Windows 2000, the default timeout
interval is an hour. You can change this value to reduce or increase the caching interval at your clients.
Reducing the cache interval can cause increased network traffic while increasing it can make it take
longer for changes in IP addresses to be recognized by clients.
To change the default cache interval:

1. Open the DNS Management console at the Windows 2000 DNS server that is the master primary server
for the zone. If you use Active Directory integrated zones, you can make the change at any domain
controller running DNS.
2. Right-click the top of the zone and select Properties from the flyout menu.
3. Select the Start of Authority (SOA) record.
4. Change the value for the Minimum Default TTL (Time To Live) entry.
5. Click OK to save the change.

If you have Windows 2000 DNS secondaries, they will get the change immediately thanks to update
notification. If you have non-Windows 2000 secondaries, you may need to force a zone transfer to
propagate the change throughout your network.
Little changes like this in Windows 2000 can be very frustrating if you are not aware of them.
Hopefully, this tip will help to reduce a Windows 2000 gotcha that you may have been experiencing.

STOP USERS FROM CHANGING THE MY DOCUMENTS PATH


If users right-click the My Documents icon on their desktops and click Properties, the Target tab lets
them change the path of this folder. If you want to remove this possibility, you can use the "Prohibit user
from changing My Documents path" group policy under User
Configuration\Administrative Templates\Desktop. If the policy is Not Configured, you can use
Regedt32 to navigate to

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

On the Edit menu, select Add Value, name the value DisablePersonalDirChange, choose the REG_DWORD
data type, and set the data value to 1.

Create a Windows NT icon to lock workstation


For Windows NT, an icon to lock the workstation. I'm sure you guys already know this, but I gotta try
to get one of those T-shirts!!! Create a shortcut to
%windir%\System32\rundll32.exe user32.dll,LockWorkStation.
You can then go to the properties of the shortcut and pick the groovy lock. Click this shortcut to lock
the workstation.

Do you know that you can install a printer driver remotely for
Windows NT 4.0 Workstation? YES, you can.
How do you do it?
Make sure you have Administrator rights to the machine.
Log on to your local workstation.
Click Start, Find, and your computer name (for example, PAR1234)
Once it finds the computer, double-click it. By default all Windows NT 4.0 Workstations share the
Printer folder, so you will see it automatically if it's not logged on to a local machine.
Double-click the Printer folder.
Double-click Add Printer.
The Add Printer Wizard will open. Then choose the default, which is Remote Print Server \\computer
name, and click Next.
Choose your port. Is it going to be a local or network printer? Then click Next.
Choose correct printer driver, manufacturer, and printer model. Then click Next.
Type in the printer name, and click Next.
Specify whether you want this printer to share or not share. Click Next.
Specify whether you want to do a test page. Then click Next.
Insert or locate the i386 folder for printer, or if you have the printer driver on diskette you can specify
it; for example: C:\i386 or a:\*.inf.
Once the driver is installed, you will see the icon.
You are done with installing a printer driver remotely.
Have fun!!
This saves me a lot of trips and time.

Adding Destinations to Send To


Do you frequently copy files to a particular drive or folder? You can speed up this process by adding
the destination to your Send To list. Your Send To folder is located in your profile folder -- generally
%systemroot%\profiles\your username. To add a folder or drive, simply drag the folder or drive icon
using the right mouse button to the Send To folder and select Create Shortcut.
Now when you want to copy a file to the drive or folder, right-click the file, select Send To and select
the appropriate location.

Add Register / Unregister (using regsvr32) to the right-click shortcut menu for .dlls.
This tip is especially helpful for developers. Many times you would like to be able to quickly register
or unregister a dll when you make changes to it. This tip will help you do so.
Using Regedit, browse to the key:
HKEY_CLASSES_ROOT\dllfile
Add one key called Register and one called Unregister.
Under each of these keys add another key called Command.
Double-click on the (default) in the right-hand pane.
For Register, enter the value regsvr32 %1.
For Unregister, enter the value regsvr32 %1 /U.
Note: As always, editing the registry can be dangerous. Be sure to back it up, and have a current
Emergency Repair Disk (ERD) available.

When programming or performing hardware repairs, you reboot a lot.
One of my favorite timesavers is: On the Shutdown screen, move the radio button to Restart The
Computer, but before you hit return (or whatever) hold the SHIFT key down. This reboots Windows
only, and doesn't restart the hardware devices.
A pretty good time saver for lots of rebooting :)

WINDOWS 2000 PRO TIP: CONDITIONAL PROCESSING AT THE COMMAND PROMPT
One of the most valuable benefits I get from writing this section of the Windows 2000 Pro newsletter is
the reader feedback. Many of you come up with new and improved ways to implement tips that I've
shared, which I can then share with the rest of you. This week is no exception. Last week's tip
showed you how to create conditional processing on command prompt commands by using the && and
|| separators. To recap, if you type a command on a command line and follow it with && and another
command, the second command executes only if the first one is successful. If you use a || between two
commands on a command line, the second command executes only if the first one fails.
Reader Jim Ruby wrote to share some more information about this type of command processing. He
wrote, "Did you know you could chain the && and || pipes on a command line? This allows you to
make a 'do this if it succeeds, do this if it fails' single command line. For example:

dir c:\ && Echo Drive Exists || Echo Drive Doesn't Exist

displays the listing followed by 'Drive Exists' when used with a defined drive letter, and displays 'Drive
Doesn't Exist' when used with an undefined drive letter."
For this procedure to work properly, the first command on the line must have some way to indicate to
the system whether it succeeded or failed. Simple commands, such as DIR, will work correctly, but not
every command-line program behaves in the same manner; you'll have to try the procedure on your
own commands to see whether it works. For the commands that work, this is a great capability.

Stop users from logging off of their computer


If you want to stop users from logging off of their computer, you can create a system policy that
removes all logoff menu items and buttons.
But if you want to remove only the Log Off <username> entry from the Start Menu and not let the user
restore it, you can create a registry entry. Keep in mind that the Log Off entry doesn't appear on the
Start Menu by default; you need to toggle it on (or off) from the Taskbar and Start Menu Properties,
Advanced tab. Perform the following steps to keep it off the Start menu.

1. Open regedt32.
2. Go to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer.
3. Using the Edit menu, select Add Value and create a value named StartMenuLogOff with a data type
of REG_DWORD.
4. Set the value of the entry to 1 to enable it.

WINDOWS 2000 PRO TIP: CLEANING UP YOUR SYSTEM TRAY

The first thing I do with a new laptop or desktop is clean out all the applications and installation
routines that the hardware manufacturer preloaded on the system. The task is annoying and time
consuming, but not difficult. What's even more annoying is how many little (useless) tools
automatically load themselves into my system tray.
Unloading items from the system tray can be tricky, depending on how well the application vendor
wrote the software; some application developers want you to see their product's icon all day long, so
they make removing it difficult. But system tray icons take up memory, so if they don't serve a purpose,
I recommend you remove them. Here's how:
1. Check the program. Sometimes, if you right-click a system tray icon, it lets you unload it and never
have it load again. My compliments to software vendors who follow this user-friendly standard.
2. Check your startup folders. Right-click your Start button, and select Open. Navigate to Programs,
Startup. Look for any icons in the start up folder. If you don't want a program to load at startup, remove
the icon by either deleting the icon or moving it somewhere else. Repeat the process for the "Open All
Users" option.
3. Check the registry. This approach is a bit trickier. Back up your registry, run regedit.exe, and
navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
Anything in this key runs at startup. Delete items carefully here because some items might be necessary
for your system to function correctly. Always note the command-line value for each entry you delete, in
case you need to add it back.
4. Check .ini files. Some old software programs still follow this standard. Before the registry existed,
Windows used .ini files to store configuration information, including which programs should load at
startup. For backward compatibility purposes, these files are still maintained today. Using Notepad,
open %SystemRoot%\win.ini and %SystemRoot%\system.ini, and look for any load= or run=
statements. If you see those statements, with references to programs, try removing the statements.
Again, remove them carefully because some files might be necessary for the proper operation of your
system.
Alert reader Claude Turner caught a few additional registry keys that slipped past me:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Win.ini, System.ini, and winfile.ini
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Run
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon\ParseAutoexec (If you set this value to 1, commands in the autoexec.bat file will run.)

So, that's about eight different places that Microsoft lets vendors hide system tray icons that come up at
startup. Again, each of these icons takes resources (memory) from your system, so if you don't want
'em, clean 'em out!
If you follow the above methods, you can remove most of the clutter from your system tray. Your
boot times will be quicker because Windows doesn't need to load all of the extra items, and you'll have
more usable RAM in your system.
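
The startup locations listed in this tip can be reviewed offline from a regedit export and a copy of win.ini. The following Python script is an added example, not part of the original tip; the sample export and win.ini are constructed, and it assumes the last component of the Windows\Run, Windows\Load and WinLogon\ParseAutoexec paths is a value name under the Windows and Winlogon keys.

```python
import re

# Registry autostart locations named in the tip above. The mapped set lists the
# value names that matter under that key; None means every value is a command.
# Assumption: Run, Load and ParseAutoexec are value names under the
# "Windows NT\CurrentVersion\Windows" and "...\Winlogon" keys.
HKLM = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\"
AUTOSTART_KEYS = {
    (HKLM + "Windows\\CurrentVersion\\Run").lower(): None,
    (HKLM + "Windows NT\\CurrentVersion\\Windows").lower(): {"run", "load"},
    (HKLM + "Windows NT\\CurrentVersion\\Winlogon").lower(): {"parseautoexec"},
}

VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def unescape(text):
    # regedit exports a backslash as \\ and a double quote as \"
    return re.sub(r"\\(.)", r"\1", text)


def parse_reg_export(text):
    """Yield (key, value_name, data) for each value in a REGEDIT4 export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        match = VALUE_LINE.match(line)
        if key is None or match is None:
            continue  # file header, blank line, or hex continuation line
        name, data = unescape(match.group(1)), match.group(2).strip()
        if len(data) >= 2 and data[0] == data[-1] == '"':
            data = unescape(data[1:-1])        # REG_SZ
        elif data.lower().startswith("dword:"):
            data = str(int(data[6:], 16))      # REG_DWORD as decimal text
        yield key, name, data


def registry_autostarts(reg_text):
    """Return (location, name, command) for values in the autostart locations."""
    found = []
    for key, name, data in parse_reg_export(reg_text):
        if key.lower() not in AUTOSTART_KEYS:
            continue
        wanted = AUTOSTART_KEYS[key.lower()]
        if wanted is not None and name.lower() not in wanted:
            continue
        if wanted and name.lower() == "parseautoexec":
            if data == "1":  # 1 means autoexec.bat is processed
                found.append((key, name, "autoexec.bat commands run"))
        elif data.strip():   # skip empty Load= / Run= values
            found.append((key, name, data))
    return found


def ini_autostarts(ini_text, source):
    """Return (location, name, command) for non-empty load= / run= lines."""
    found, section = [], ""
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line
        elif not line.startswith(";") and "=" in line:
            name, _, value = line.partition("=")
            if name.strip().lower() in ("load", "run") and value.strip():
                found.append((f"{source} {section}", name.strip().lower(), value.strip()))
    return found


def audit(reg_text, ini_files):
    """Combine registry and .ini findings; ini_files maps file name -> contents."""
    found = registry_autostarts(reg_text)
    for source, text in ini_files.items():
        found.extend(ini_autostarts(text, source))
    return found


# Constructed sample data (not taken from a real system).
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorTray"="C:\\Program Files\\Vendor\\tray.exe /quiet"
"SoundMixer"="\"C:\\Audio\\mixer.exe\" -tray"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"Load"=""
"Run"="C:\\Util\\updater.exe"
"Spooler"="yes"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"ParseAutoexec"="1"
"Shell"="Explorer.exe"
'''

SAMPLE_WIN_INI = r'''; constructed sample win.ini
[windows]
load=C:\OldApp\remind.exe
run=
NullPort=None
'''

if __name__ == "__main__":
    for location, name, command in audit(SAMPLE_REG, {"win.ini": SAMPLE_WIN_INI}):
        print(f"{location}\n    {name} = {command}")
```

Recording each entry's command line before deleting it, as the tip advises, is what the third field of every result is for.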

WIN-2000 COMMAND LINE FIND UTILITIES


I often find myself trying to find files that contain information about a specific topic, usually within
Word documents or text files that contain notes I've taken. Although the Win2K search application can
search for text within files, the command line has two ways to quickly search through files. The first is
the FIND command:

FIND [/V] [/C] [/N] [/I] "string" [[drive:][path]filename[ ...]]

/V                      Displays all lines that DON'T contain the specified string.
/C                      Displays only the count of lines containing the string.
/N                      Displays line numbers with the displayed lines.
/I                      Ignores the case of characters when searching for the string.
"string"                Specifies the text string to find.
[drive:][path]filename  Specifies a file or files to search.

If you don't specify a path, FIND searches the text typed at the prompt or piped from another
command.
FIND is very fast, and it's useful if you're looking for a simple expression in a known group of files.
But when I need a complex search that lets me search entire directory trees for files that contain
something I can't quite remember (the "I know it said something like xxx" search), I use the FINDSTR
command:

FINDSTR [/B] [/E] [/L] [/R] [/S] [/I] [/X] [/V] [/N] [/M] [/O] [/P]
[/F:file] [/C:string] [/G:file] [/D:dir list] [/A:color attributes]
[strings] [[drive:][path]filename[ ...]]

/B                      Matches a pattern if at the beginning of a line.
/E                      Matches a pattern if at the end of a line.
/L                      Uses search strings literally.
/R                      Uses search strings as regular expressions.
/S                      Searches for matching files in the current directory and all subdirectories.
/I                      Specifies that the search isn't to be case-sensitive.
/X                      Prints lines that match exactly.
/V                      Prints only lines that don't contain a match.
/N                      Prints the line number before each line that matches.
/M                      Prints only the filename if a file contains a match.
/O                      Prints character offset before each matching line.
/P                      Skips files with nonprintable characters.
/F:file                 Reads file list from the specified file (/ stands for console).
/C:string               Uses specified string as a literal search string.
/G:file                 Gets search strings from the specified file (/ stands for console).
/D:dir                  Searches a semicolon-delimited list of directories.
/A:attr                 Specifies color attribute with two hex digits. See "color /?"
strings                 Text to be searched for.
[drive:][path]filename  Specifies a file or files to search.

Use spaces to separate multiple search strings unless the argument is prefixed with /C. For example,
FINDSTR "hello there" x.y searches for "hello" or "there" in file x.y, whereas
FINDSTR /C:"hello there" x.y searches for "hello there" in file x.y.

Regular expression quick reference:

.         Wildcard: any character
*         Repeat: zero or more occurrences of previous character or class
^         Line position: beginning of line
$         Line position: end of line
[class]   Character class: any one character in set
[^class]  Inverse class: any one character not in set
[x-y]     Range: any characters within the specified range
\x        Escape: literal use of metacharacter x
\<xyz     Word position: beginning of word
xyz\>     Word position: end of word

For more information about FINDSTR regular expressions, refer to the online Command Reference.
I usually create a FINDSTR search using Notepad and save it as a batch file with the results
redirected to a file that I can then search through. This approach lets me create very complex string
searches to sort through the hundreds of Word documents I've stored in multiple folders in the same
directory tree. When you've been writing for a living as long as I have, this search can be incredibly
useful.
So, if you're a Web developer, writer, or anyone that works with lots of text files and document files
(though all of these commands can also search for text in binary files), I'm sure you'll find these
command-line options useful.
Hide Control Panel applets from local Administrators
When faced with this management dilemma, a system administrator can give users Administrator rights
to their systems, but hide the functions that can get them into trouble. Here's a tip that lets you hide
Control Panel applets. The applets are still on the system, and users can access them from the command
line, but by hiding them, you prevent users who are just playing around with the system configuration
from easily doing damage to their system setup. You can make these changes using System Policies,
but you can also implement them directly in the registry.

1. Launch regedt32.
2. Open HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer.
3. Add the REG_DWORD value DisallowCPL, and set the data value to 1.
4. To hide an applet, add a key named DisallowCPL containing REG_SZ values formatted like so:
- 1 REG_SZ access.cpl
- 2 REG_SZ appwiz.cpl

This approach only hides the icons; it doesn't restrict access to the applets from the command line.

The applets you can hide are:


- access.cpl
- appwiz.cpl
- desk.cpl
- fax.cpl
- hdwwiz.cpl
- inetcpl.cpl
- intl.cpl
- irprops.cpl
- joy.cpl
- main.cpl
- mmsys.cpl
- ncpa.cpl
- nwc.cpl
- odbccp32.cpl
- powercfg.cpl
- sticpl.cpl
- sysdm.cpl
- telephon.cpl
- timedate.cpl
PREVENT LOITERING: HIDE THE NETWORK NEIGHBORHOOD ICON
Network users frequently click around in Network Neighborhood, either to find a particular resource or
just to see what's there. A great deal of network browsing can create something of a traffic jam by
causing master browsers and backup browsers to repeatedly build resource lists. To prevent curious
users from loitering in Network Neighborhood, consider hiding the Network Neighborhood icon by
making this registry change:
Open the Registry Editor and navigate to
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer and add a
DWORD value named NoEntireNetwork. Set that value to 1. (The default is 0 if the value already
exists.) Save your changes and restart your system.
All network resources will still be available through UNC or net commands, but only the users who
really need them are likely to access them that way.
ADD A BUTTON TO THE INTERNET EXPLORER (IE) 5.0 TOOLBAR
To add a button to the Internet Explorer (IE) 5.0 toolbar that starts a certain program--for example, ICQ
(the Mirabilis program that notifies Internet users when selected users are online so they can
communicate in realtime)--follow these steps:
1. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions and
create a new key, such as {E94BC608-1DBD-4C52-BCAA-4602CAD2E0F0}. However, first use the
Find feature to make sure that this CLSID doesn't already exist in the registry.
2. Create the following string values under the {E94BC608-1DBD-4C52-BCAA-4602CAD2E0F0} key:
- ButtonText (string value)--The value is the name of the program that will start by clicking that
button (e.g., ICQ).
- CLSID (string value)--{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}.
- Default Visible (string value)--Yes/No. Choose "no" and then customize the IE toolbar, placing this
button on the toolbar.
- Exec (string value)--Path to the *.exe file that starts by clicking a button (e.g., C:\Program
Files\ICQ\Icq.exe).
- HotIcon (string value)--Path to the icon that you want to appear after you point to the button.
- Icon (string value)--Path to the icon that will be on the toolbar by default.
- MenuStatusBar (string value)--Text you want to appear on the status bar when you point to the
name of the program on the tools menu (e.g., Opens the ICQ Program Window).
- MenuText (string value)--Name that will appear in the tools menu (e.g., ICQ--Friends Online).

This approach places the ICQ button on the IE 5.0 toolbar and tools menu. If the button doesn't appear,
right-click Toolbar and click Customize. Then find the ICQ button on the left panel and drag it to the
right panel.

SLOW FILE WRITE FROM WIN2K TO NT 4.0


When you write a file from a Win2K Professional system to an NT 4.0 server, the process can take up
to four times longer than reading the same file from an NT 4.0 server. The slow performance on the
write side results from the way each OS implements the code that reads and writes remote files. On
Win2K workstations, the redirector doesn't support RAW Server Message Block (SMB) mode, but
instead uses Large File support. NT 4.0 includes Large File Read support, but not Large File Write
support.
You can speed up the NT 4.0 server response by increasing the buffer size for NT 4.0 LanmanServer,
the component that buffers data during a file write from a remote system. To do so, open a registry
editor, find the key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters, add the
value entry SizReqBuf:DWORD:65535, and reboot.
After you make this registry change, the write-process performance should approximate that of a read
operation between the two computers. Note that the SizReqBuf value controls the buffer size for CORE
SMB requests. Setting the value to 64KB will have about the same effect as Large Write support,
which uses 60KB buffers. This adjustment causes the server services to use slightly more memory.
Microsoft article Q279282 documents this problem and the solution.

DESKTOP ICON PROBLEMS


Have your desktop icons ever displayed incorrectly? For no apparent reason, my icons were suddenly
incorrect or black--or after I made changes to an object's icon, the changes didn't display correctly. The
cause is a damaged icons cache file (ShellIconCache file in the Windows folder). This file contains a
copy of the icons for desktop objects.
To recreate the cache file for desktop objects using the command prompt, follow these steps:

1. Change to the %SystemRoot% folder.
2. Type attrib -h shelliconcache and press Enter.
3. Type del shelliconcache and press Enter.
4. Log off and log back on to your computer.

You could use Windows Explorer also, but don't forget to select the option to show all files in the View
tab of the Options dialog box.

HOW TO CREATE A PER USER FTP DIRECTORY STRUCTURE


The information in this article applies to:
Microsoft Internet Information Server versions 2.0, 3.0,

SUMMARY
You can allow validated FTP users to log on to their own directories without having to change
directories.

MORE INFORMATION
When you use FTP under Microsoft Windows NT Server version 4.0 with Internet Information Server
(IIS), and when you access the FTP site, you go to the default FTP directory.

To go to a personal directory upon login without having to change directories, a virtual directory alias
named with your FTP account name has to be established.

Run Internet Service Manager.
Select the FTP service.
Select Properties from the menu bar.
Then select Service Properties to see the FTP Service Properties for (selected computer) dialog box.

NOTE: On the Service tab, make sure the Allow Only Anonymous Connections check box is clear (not
selected). By default, the user account must have Log On Locally rights.
You must have permission to see both the FTP root directory, and the directory you want them to FTP
to.
Select the Directories tab. Click Add.
Click Browse, and select the directory on the hard drive you would like the user to have access to.
Select the Virtual Directory radio button. In the Alias: edit box, type the name of the user. This is the
same name the user will use to log on to the FTP server.

For example: Username: GEORGE Alias: GEORGE


Check the appropriate access rights check boxes: "READ" "WRITE".

NOTE: To allow the user to upload files to this directory, the user must have "WRITE" rights.
Click OK.

In the FTP Service Properties for (selected computer) dialog box, click Apply. Click OK. The user upon
logging onto the FTP server with his or her account should now be placed in the virtual directory you
created.

WINDOWS EXPLORER SHORTCUT


Find the Windows Explorer shortcut. Right-click it and select Properties. Click the Shortcut tab and
change it to read

C:\WINDOWS\EXPLORER.EXE /n, /e, /select, c:\

This change will start Windows Explorer with My Computer instead of with C: fully expanded.
DISABLING AUTODISCONNECT
Windows NT uses two different autodisconnect parameters; one for disconnecting Remote Access
Service (RAS) connections and another for disconnecting LAN connections. The RAS Autodisconnect
parameter is well documented in the Windows NT Server Remote Access Service manual on page 82,
but the LAN version is undocumented.
You can find the LAN autodisconnect parameter in the registry at:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
Purpose: The function is to disconnect idle sessions after a set number of minutes. The number of
minutes can be set at a command prompt using the Net Config Server command. For example, to set
the autodisconnect value to 30 minutes:
Net Config Server /autodisconnect:30
The valid value range of this REG_DWORD value is -1 to 65535 minutes at the command line. To
disable autodisconnect set it to: -1
Setting Autodisconnect to 0 does not turn it off and results in very fast disconnects, within a few
seconds of idle time. (However, the RAS Autodisconnect parameter is turned off if you set it to a value
of 0.)
NOTE: It is preferable to modify the LAN autodisconnect directly in the registry. If you modify it at
the command line, Windows NT may turn off its autotuning functions.
The valid value range if you edit the LAN autodisconnect parameter in the registry is 0 to 4294967295
(0xffffffff). If you configure the autodisconnect option to -1 at the command prompt, Autodisconnect
is set to the upper value in the registry. This is approximately 8,171 years (not tested), which should be
long enough to be the equivalent of turning autodisconnect off.

MANAGE THE OPEN WITH OPTION


Have you ever used the Open With option on a context menu and accidentally selected the wrong
application? Then you wonder how to get back the application behavior that you wanted or how to
remove the errant program from the Open With list? Here's how to control this information by editing
the registry.

1. Launch regedt32.
2. Open HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.extension\OpenWithList
(where extension equals the file extension that you want to open).
3. Each program identified in the Data column is associated with a letter (a, b, c, d) in the Name
column. Delete the value name letter associated with the errant application.
4. Edit the MRUList value name value data and delete the letter in that string that's the same as the
name you just deleted.

REMOVE ACCESS TO COMPUTER MANAGEMENT


On machines I set up for temps to use or for my children (or for anyone I don't want mucking about
with a system), I like to remove easy access to the Computer Management application. Go to Start,
Programs, Administrative Tools, and delete the Computer Management shortcut. Then, edit the registry
to remove the Manage entry from the My Computer context menu. To do this:

1. Launch Regedit.
2. Open HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer.
3. Create the REG_DWORD NoManageMyComputer and set its value to 1.
4. If you want to run Computer Management after you remove it from these two locations, simply
open the Run command and type

compmgmt.msc <enter>

to launch the Computer Management application.


PREVENT USERS FROM CHANGING FILE TYPE ASSOCIATIONS
I've occasionally had to help users who frantically call to tell me that files they used to click to launch
an application, no longer launch the correct application (or launch any application at all). After a brief
conversation, I often discover they've been mucking about in Windows Explorer--specifically in the
Tools, Folder Options, File Types tab--and they've changed the file type associated with the
application. You can edit the registry to prevent users from casually changing these file type
associations.

1. Launch Regedit.
2. Open HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer.
3. Change the REG_DWORD NoFileAssociate data value to 1.

This change prevents any user of the machine from changing file associations through Windows
Explorer. If you want to prevent only the current user from making these changes, open
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer and make
the same change.

HOW DO I MODIFY THE W2K STARTUP LOGO?


Tired of gazing at that boring W2K-logo when booting? Here's a way to change that to your company
logo or other even more fun things. This is also at the same time a tutorial about the W2K file
protection system. When I saw that one of our Techs had done this, I asked him to write it up so here
you go:

In order to modify the W2K startup logo you have to be aware of a few things up front:

1. The logo is a 16 color (not bit) bitmap that is 640 by 480 in size. It is built into the
ntoskrnl.exe.

2. W2k file protection will not let you just modify this file and place it in the system32 directory,
it will be overwritten shortly thereafter with the original.
Knowing this you'll need a tool to pull apart the ntoskrnl.exe and replace the bitmap. I'm using a tool
called "Resource Hacker". This is available here:
http://rpi.net.au/~ajohnson/resourcehacker
It's a fairly simple program, just extract the files to a directory and run the exe. Once it's open, do a
"File/Open" and select your ntoskrnl.exe. This is located in X:\winnt\system32.
You'll get 3 main folders, Bitmap is the one we want to work with. If you are on W2k Pro, it's under the
directory "1" and is called "1033". If you run W2k Server, it's under "4" and is also called "1033".
You'll see the current boot time logo.
Now you can do "Action/Replace Bitmap". Select the bitmap you have created to replace the old
bitmap. Or, you could export the bitmap, modify it, then import it back in. It is very important that you
do not deviate from 640x480 w/ 16 colors. Here is a nice gallery of already created images that could
be downloaded and quickly converted to 16 color bmps:
http://www.littlewhitedog.com/reviews_other_00025.asp
In the Replace Bitmap browser once you have selected the new bitmap you'll need to select the bitmap
number in the bottom right that you wish to replace. "1" for Pro and "4" for Server (or Adv Server).
Now you need to do a "File/Save As" and save the file somewhere on your drive. Do *NOT* save it in
the same directory or it will be quickly snarfed up by Windows File Protection.
For the next step we'll need a tool that can open .CAB files as well as create them. I used WinAce:
http://www.winace.com
Now you'll need to open the latest service pack .cab file that you have in your system. This file is
located in X:\winnt\driver cache\i386 and will be called something like SP1.cab or SP2.cab. Extract the
contents of the most current one to a directory. Now take your modified ntoskrnl.exe and drop it in that
directory, it will overwrite the existing one.
Re-compress all the files back into a .CAB and overwrite the original SP1.cab or SP2.cab (Back up
the original first just in case). Then drop your modified ntoskrnl.exe into X:\winnt\system32\dllcache
and X:\winnt\system32, in that order. This way Windows file protection has nowhere to get the original
ntoskrnl.exe and leaves well enough alone. At this point, you can reboot.

You hose your system, it's not my fault... I've done it about 20 times on different systems and haven't
had a problem yet. Special thanks to www.littlewhitedog.com and their forums for supplying much of
the information in this report.

BYPASSING WPA ALL TOGETHER


Someone sent me this piece of information that is quite remarkable. I have not tested it but it's from a
reliable source. I quote:
"Did you know that by replacing 11 files on a retail Windows XP CD for an existing corporate edition
CD, you can turn it into an unactivated corporate version? This has been tested and it does successfully
work! It is important to note that this does NOT hack Windows XP in any way, it merely bypasses
WPA. You do, however, need a valid 25-character PLK. It will be interesting to see if Microsoft fixes
this loophole in the first service pack release. I have not monitored my traffic logs through our
checkpoint firewall to see what was communicated yet... I really am surprised Microsoft would leave
such an obvious and easily exploitable method to get around WPA. The files you need to replace are:

i386\dpcdll.dl_

i386\eula.txt *** cosmetic only

i386\nt5inf.ca_

i386\oembios.bi_

i386\oembios.ca_

i386\oembios.da_

i386\oembios.si_

i386\pidgen.dll

i386\setupp.ini

i386\setupreg.hiv

i386\win9xupg\win95upg.inf

TIP: RESOLVING NETWORK RESOURCES


If you run a mixed Windows 2000/Windows NT 4.0 domain network, you might find that Win2K
machines take a long time to resolve network resources when you browse the network, especially when
you browse from a File Open dialog box. This slow-down occurs because the DNS name resolution
that Win2K defaults to must time out before the system attempts resolution through NetBT (WINS).

To change the protocol order your system uses to resolve network names, you first need to determine
which Control Set the system boots from. You can find this information by opening
HKEY_LOCAL_MACHINE\System\Select\Current. Compare the value to the values in the Default
(boot) and LastKnownGood keys. If a key's value ends in 1, the Control Set is ControlSet001, and if the
value ends in 2, it's ControlSet002.

The Control Set version is important because making the following edit in the CurrentControlSet key
can cause the system to blue screen. You must make the edit in the Control Set that the system will boot
from, and restart the computer after you complete the edit.

1. Open Regedt32.
2. Open HKEY_LOCAL_MACHINE\SYSTEM\ControlSet(xxN)\Services\Tcpip\Parameters.
3. Add a REG_DWORD value named DnsNbtLookupOrder.
4. Set the value to 0 to use DNS resolution first; set the value to 1 to use NetBT first.
5. Exit Regedt32 and reboot.

TIP: LOCK DOWN BROWSER HOME PAGE


I needed to set up some public computers for Web browsing, and I wanted the home page for all the
browsers to point to our corporate page. I performed the following steps to lock down the browser
home page.

1. Launch regedt32.
2. Open HKEY_CURRENT_USER\Software\Policies\Microsoft.
3. Create the key Internet Explorer.
4. Open the Internet Explorer key and create a key called Control Panel, so you end up with
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel. This key might
already exist.
5. Add a REG_DWORD named HomePage and set its value to 1. This change disables the home
page controls.
6. Other valid REG_DWORD entries that you can add include Advanced, which controls the
Advanced tab check boxes; Cache, which controls the Settings button; and History, which lets you
disable the History settings controls.

Shortcutting the Shutdown Process


If you need to shut down a system quickly--without waiting for standard shutdown code to execute--
you can use the Ctrl key to expedite the process. Press Ctrl+Alt+Delete to bring up the familiar
Lock/Logoff/Shutdown/Task Manager Screen. Next, hold down the Ctrl key and select the Shutdown
option. Win2K will then display the message, "If you continue, your machine will reboot and any
unsaved data will be lost. Use this only as a last resort." Use this method only on test systems or for
emergency purposes; when you interrupt the usual shutdown sequence, Win2K doesn't flush transaction
logs to disk, which can produce a host of disk and file problems. For more information, see Microsoft
article Q279134.

Removing and Reinstalling NetMeeting

NetMeeting presents an open door to security vulnerabilities and is a source of wasted bandwidth.
However, because NetMeeting is tightly integrated into Win2K, you can't use Add/Remove Programs
to delete the component; nor can you use the standard installation utility to remove it. Instead, you must
use a manual procedure to expunge NetMeeting from Win2K systems. Microsoft article Q267958
describes several situations where you might need to use this method to correct problems that older
versions of NetMeeting have caused. I plan to test the uninstall command and, if it works, apply it to all
end-user workstations.
To remove NetMeeting, open a command prompt and type the following command exactly as it
appears (note: the command is case-sensitive):
%SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection NetMtg.Remove 132 msnetmtg.inf
To reinstall NetMeeting, copy the file msnetmtg.inf from the %SystemRoot%\Inf directory to the
desktop. Next, right-click the file and click Install. The install might prompt you for the Win2K CD-
ROM. When the install finishes, reboot to complete the installation.

TIP: CREATE A DEVICE MANAGER SHORTCUT


When I try to diagnose hardware problems on a Windows 2000 system, I'm frustrated by the
convoluted steps I need to follow to launch the Device Manager. I finally decided to create a shortcut
on the desktop to launch the application. Here's how:

1. Right-click the Desktop and select New, Shortcut.
2. Under Type the location of the item:, enter C:\WINNT\system32\devmgmt.msc (replace
C:\WINNT with your specific %systemroot% path).
3. Click Next.
4. Name the shortcut. (I use Device Manager.)
5. Click Finish.

You can use this method to create shortcuts for many of the Control Panel applets, too.

TIP: DISABLE THE GETTING STARTED SCREEN


A friend called last week to ask how to prevent the "Getting Started with Windows 2000" screen from
popping up when he logged on to a system. I pointed out that he simply has to clear the checkbox
labeled "Show this screen at startup," and the screen won't come back. However, he wants to disable
the screen so that when he creates a new user account on a new test machine, the screen won't launch
on first logon. I pointed him to the appropriate registry settings, as I show below.

1. Launch regedit.
2. Open either
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer or
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer.
3. Note that the HKEY_CURRENT_USER setting will override the HKEY_LOCAL_MACHINE
setting.
4. Add a REG_DWORD value named NoWelcomeScreen. A data value of 1 disables the screen, 0
enables it.

If you ever want to see the Getting Started screen after using this method to disable it, you can still
launch it from Start, Programs, Accessories, System Tools, Getting Started.

HOW CAN I ENABLE LOAD BALANCING WITH MULTIPLE NETWORK ADAPTER CARDS?
If you have two or more network adapter cards in your system, you can use a randomizing algorithm to
distribute the number of connections or sessions among the adapters. To use the algorithm, perform the
following steps:

1. Start the registry editor (e.g., regedit.exe).
2. Navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters.
3. From the Edit menu, select New - DWORD value.
4. Enter a name of RandomAdapter, and press Enter.
5. Double-click the new value, enter 1 to enable or 0 to disable, and click OK.
6. Close the registry editor.
7. Reboot the machine.

ADD DOMAINS TO YOUR BROWSE LIST


Getting your client machine to browse properly in multidomain environments or when moving between
domains can be difficult. The situation can be aggravating, because browsing in multidomain
environments might work fine on one system but might not work properly on another. To solve this
problem, you can add a registry entry that identifies the domain you want to add to your browse list.

1. Launch regedt32.
2. Open
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters.
3. Add a REG_MULTI_SZ value named OtherDomains.
4. Enter the domain name you want to browse. You can add multiple domains--one on each line.
You can also use this tip to remove unwanted domains from your browse list. Just follow the same
steps, and delete the unwanted domains from the existing OtherDomains value.

ADD TLDS TO INTERNET EXPLORER'S AUTOSEARCH


Internet Explorer (IE) 5.x has a built-in AutoSearch feature: If you type a word into the Address bar, IE
automatically scans for relevant Web sites. By default, IE searches for the word you enter suffixed with
the domains .com, .org, and .edu, as well as prefaced with www. However, more top-level domains
(TLDs) are appearing on the Internet, and you might want to extend this search to include domains
such as .info or .biz (remember that your DNS needs to be able to resolve those domains for you to find
them). To extend the AutoSearch capabilities (IE 6 already added the .net domains for you), perform
the following steps:

1. Launch regedt32.
2. Open HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Url Template.
3. Click Edit, Add Value.
4. For Value Name, enter the next number available (by default that should be 4 or 5 depending on
your version of IE).
5. Select REG_SZ as the Data type.
6. In the String editor, use the syntax www.%s.[new TLD] (such as www.%s.biz).
7. Add additional TLDs as desired.

TIP: DISABLE BALLOON TIPS


Windows XP's balloon tips can be annoying. Their behavior is erratic, and often they pop up and get in
the way. You can easily turn off balloon tips by following these steps:

1. Launch regedit.
2. Open
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced.
3. Create a new DWORD value called EnableBalloonTips.
4. Give the entry a value of 0 to disable the tips and a value of 1 to turn them back on.

MINIMIZE OUTLOOK TO THE SYSTEM TRAY


If you usually have a cluttered task bar, you can configure Microsoft Outlook XP to minimize to the
system tray, rather than to the task bar. Outlook still places the envelope icon in the tray when you
receive new mail. To minimize Outlook to the system tray, perform the following steps:

1. Launch regedit.
2. Open HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Preferences.
3. Add a REG_DWORD data type named MinToTray.
4. Set the data value to 1.

HOW CAN I CREATE A SHORTCUT TO THE DEVICE MANAGER IN WINDOWS XP AND WINDOWS 2000?
You typically access the Device Manager through the System Control Panel applet (go to Start,
Settings, Control Panel, System, Hardware, Device Manager). To create a Device Manager shortcut on
the desktop, perform the following steps:

1. Right-click the desktop.
2. Select New - Shortcut from the displayed context menu.
3. For the item's location, type devmgmt.msc, and click Next.
4. Name the shortcut Device Manager, then click Finish.

PREVENT USERS FROM ADDING LOCAL ACCOUNTS.


I recently discovered that some of our interns were creating extra local accounts on their Windows
2000 Professional systems. I didn't want to further lock down the accounts that they were using, so I
manually removed this ability from the computers by performing the following steps:
1. Log on to the computer as a member of the Local Administrators group.
2. Open a command prompt, and use the net command

net localgroup users "NT AUTHORITY\INTERACTIVE" /DELETE

3. Log out.

This process removes the ability for a local account to create a new account on that machine. An
administrator can reverse the process if necessary.

REMOVE HELP OPTION FROM START MENU


A friend asked me how to remove the Help option from the Windows 2000 Start menu. He swears that
he has a good reason to turn off the option, and I can envision a situation where you might want to lock
down a machine in a standalone environment. I offered him the following procedure:
1. Launch regedt32.
2. Open
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer.
3. Add a new REG_DWORD with the name NoSMHelp.
4. Set the data value to 1.

Unlike with many registry edits, you must log off and back on for this change to take effect. Reversing
the change, by setting the value to 0, will take effect as soon as you exit the registry editor.

TIP: RUN SCHEDULED TASKS IN THE BACKGROUND

Q. How can I run scheduled tasks in the background when they run as the currently logged-on user?
A. Scheduled tasks usually run under the SYSTEM context and run in the background. However, if you
change a service to run as a user account and that account is currently logged on to the machine, the
scheduled task will run in the foreground. To change this behavior, perform the following steps:
1. Start a registry editor (e.g., regedit.exe).
2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon.
3. Double-click Shell (which is explorer.exe).
4. Modify this value to "<c:\windows>\Explorer.exe," (don't type the quotes but do type the
comma) where <c:\windows> is your local machine's system root.
5. Click OK.

TURN OFF BALLOON HELP


Windows Balloon Help can be useful, especially when you're learning a new OS, but after a while, it
can become annoying. I turned off the feature on my Windows 2000 systems, but turning it off under
Windows XP requires a different registry edit.

1. Launch regedit.
2. For Win2K, open the
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer subkey.
3. For XP, open the
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced subkey.
4. Add a DWORD value called EnableBalloonTips.
5. Set the DWORD value to 0.

After you complete these steps, you'll have no more cartoon balloons.

TRACK WINDOWS UPDATE


If you hate not being able to watch or track the process when you run Windows Update, here's a
solution: A simple registry edit can change your Windows Update downloads to debugging mode. In
debugging mode, the system prompts you at each step as you download and install the update, so you
can track the entire process. The following registry edit works with Windows XP and Windows 2000
systems:
1. Launch regedt32.
2. Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup subkey.
3. Enter a new String Value called SteppingMode.
4. Enter Y as the value of SteppingMode. (To disable SteppingMode, change the value to N.)

DISABLE DRAGGING TO THE START MENU


In both office and home situations, accidentally dragging application icons to the Start menu is easy to
do. Users often ask me how an icon got on the menu and how they can remove it. You can use Group
Policy to control the ability to drop items on the Start menu, but you can also disable this ability with
the following registry edit.
1. Launch a registry editor.
2. Open HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer.
3. If the value name NoChangeStartMenu doesn't exist, add it as a REG_DWORD.
4. Set the data value to 1 to disable the ability to drop items on the Start menu (0 to enable).

COMPUTER BROWSER TIPS AND TRICKS


This article will provide you with some tips on how to configure some of your Network Neighborhood
settings to empower the network administrator and remove (what may be unnecessary) end-user
interaction. The computer browser service can be a useful resource when configured to do so. Improper
configuration can, on the other hand, become yet another hassle you need to deal with. It cuts into both
your productivity and the end-user's. The main focus here is manageability. I'll briefly touch on
concepts such as security and resource overhead as they relate.
Hiding machines from the Computer Browser:
I need to hide my machines from end-users who aren't supposed to access them.
When it is in your interest to block a User's access to network machines that they do not need to access,
there are various ways to go about it. I'll propose one good approach and also mention faulty
techniques that, if implemented, can actually remove some helpful functionality.
This is commonly done using one of two mechanisms. One method is to disable the Browser Service
on a given machine; the other is to actually hide that machine. It is important to note that this is
superficial "security".
Modifying the service start up value can be done via a Registry Editor. This can be used to disable the
service.
Startup values for services can be found in the registry at
HKLM-System-CurrentControlSet-Services-Browser-Start.
Hiding a machine can be done from a command line or via the Registry. The path to the registry hive is
(HKLM-System-CurrentControlSet-Services-LanManServer-Parameters-Hidden).
The command: NET CONFIG SERVER /HIDDEN:{YES or NO} can hide or unhide a system from the
Browse list.
You can read Microsoft Knowledge base articles Q102878, Q136712, Q188001 for more information
on these topics.
Again, a hidden machine is not, by definition, a secure machine. This only accomplishes hiding a
machine from an end-user who likely doesn't have the knowledge to discover that machine by other
mechanisms. For example, hidden machines can easily be accessed via a UNC path or IP address, and
it does not address the infamous 'Null Session' vulnerability.
There is a better solution...
These are some helpful edits you can do to restrict typical user access to Network Neighborhood. These
tips will allow you to restrict end-users from exploring network shares that they shouldn't. Use
predefined mapped drives to limit their network access through explorer. Using these techniques you can
prevent end-users from browsing the network while not removing this functionality from the persons
who should (namely the network administrators).
1. Disabling the "My Net Places"/"Network Neighborhood" on a workstation.
This is an excellent technique that I highly recommend to keep end users from fumbling around the
network via Network Neighborhood/My Network Places. You can wholly remove the Icon from the
desktop/Explorer.
There are two ways to do this. The easiest mechanism is to establish a Policy that removes it. This can
be done by:
System Policy editor (NT) poledit.exe, or Group Policy editor (Win2k) gpedit.msc.
For all intents and purposes, this will remove Network Browsing capabilities from Explorer. Mapped
drives, "Net View" commands, and UNC paths are still allowed.

Secondly you can, of course, edit the registry to accomplish the same goal. This is done by:
Starting the registry editor (use Regedit)
Move to the
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
From the Edit menu select New - DWORD value.
Enter the name "NoNetHood" (don't include the quote marks)
Press Enter
Double click the new value and set to 1.
Click OK.
Close the registry editor.
Log off and log on, and Network Neighborhood will be hidden!
2. Hiding other Domains from a browser.
Here is a handy solution for the user who needs to navigate through Network Neighborhood to
machines in the local domain, but should not access machines in other domains. "Other Domain"
browsing is disabled only on the machine where this is implemented and it does not remove a
functionality from an administrator who may require the connectivity.
This is done by:
Run the registry editor by typing regedit.exe from a command line.
Navigate to HKEY_CURRENT_USER-Software-Microsoft-Windows-CurrentVersion-Policies-Network
(You may need to create the key "Network" if it doesn't exist).
Right-click on the right hand pane in an empty location, then expand "New", and select "DWORD
value".
Type in "NoEntireNetwork" (don't use the quotes though), then press Enter.
Right-click on NoEntireNetwork, and enter "1". Then click on OK.
Close Regedit.
You may need to log off and back on for the changes to take effect.
You can also perform this procedure with a Group Policy Object (GPO) by selecting User
Configuration, Administrative Templates, Windows Components, Windows Explorer, then No Entire
Network in My Network Places.

Disabling of Browser challenge:


So now that you've restricted the end-users from browsing you may bring up this concern...
Adding workstations to the browse list congests it, and all I need is to be able to connect to servers.
In those cases I recommend this:
Now, ideally you have set up an NT 4 network using a naming convention that somewhat organizes
the computers by category. For example Bob's NT4 workstation machine in accounting is called
"WK-ACC-BOB-NT4". In this computer name all the data is present to easily sort it in an explorer browse
list. However, realistically speaking, over time, it is difficult to maintain a naming convention;
especially if more than one person is building and naming machines. And it would certainly be a
monumental task to engage in a network wide renaming. Active Directory addresses Machine
organization by allowing for creation of organizational units using the forest/tree structures.
Without implementing AD however, there is a technique you can use to assist in network organization.
It is called server comments. When machines are displayed in Network Neighborhood/My Network
Places, you have the option to select to view "details". By displaying details, you are opting to display the
"server comments" section as well.
Comments can be easily added to a given machine using the Net Config Server command as well.
The syntax is NET CONFIG SERVER /SRVCOMMENT:"your comment here"
You can use this to add additional information to machines displayed in Net neighborhood. So if you
have a network with machines named whatever the System Administrator felt was a good name at the
time, like \\JARJARBINKS or \\HOLYHANDGRENADE, you can easily add "comments" to
distinguish the machines' functionality. For example, \\HOLYHANDGRENADE's comments could
include "SRV-W2K-FILE" and \\JARJARBINKS could say "SRV-NT4-DB". You can then easily sort
using the comments column and quickly navigate to the machine you need.
OK, now I've organized my network, but I can't afford the overhead...
Won't all this Browser Traffic impede my network performance?
Though it is very rare to see a network these days that is impacted by Computer Browser traffic, there
are ways to minimize it. Typically as a machine logs onto the domain it starts a challenge. That
challenge is done to attempt to control management of the Master Browse List. The biggest kid on the
block gets to keep the browse list for the network. The way to determine who is the biggest kid on the
block is by broadcasting a challenge. That challenge basically says what the machine OS and SP is.
Servers always win over workstation OS'es and newer OS'es always win over older ones. Typically
Domain Controllers are the "biggest". Given this, one can create a relatively static Browse based
environment. To do this requires some changes to Registry information, on all machines. Again, unless
you are running a WAN with 56k links between sites, you'll probably never notice it or need to limit
this. I won't engage in too much detail as there are many resources to further detail browse clients.
HKLM-System-CurrentControlSet-Services-Browser-Parameters-
IsDomainMasterBrowser ---the options are (NO, YES, or AUTO).
1. The default for workstations is AUTO, which indicates that the machine will challenge for
supremacy if needed.
2. NO indicates that it will never participate as a Browser. It will still announce itself to the Master
Browser, just not challenge or keep the list locally.
3. YES, means it will challenge. This is the default for NT Servers. It will become either the Domain
Master Browser or a Backup Browser. Either way, it will maintain a list.
MaintainServerList ---- This value determines whether the Browse List will be stored on a given
machine. Registry Key "IsDomainMasterBrowser" will also have input as to this value's settings.
To automate registry changes (where policies aren't available) you can use login scripts or a product
such as Sitekeeper [discussed elsewhere in this eLetter-Editor] to distribute the changes.

TIP: USING NETBEUI WITH WINDOWS XP

I know that although Microsoft no longer supports NetBEUI, the company still ships NetBEUI with XP
for user installation. Simply follow these steps to install NetBEUI on the XP client machine.
1. From the folder Valueadd\MSFT\Net\NetBEUI on the XP distribution media, copy the file
nbf.sys to your WINNT\System32\Drivers folder.
2. Copy netnbf.inf to the WINNT\Inf folder. Usually, this folder is hidden, so you'll need to make
it visible in Windows Explorer from Tools, Folder Options, View menu, Show hidden files and
folders on the folder menu.
3. Open Network Connections.
4. Right-click the Network Connection on which you want to install NetBEUI and select
Properties.
5. Select the General tab.
6. Click Install.
7. Click Protocol.
8. Click Add.
9. Select NetBEUI from the drop-down menu.
10. Click OK.
11. When the installation completes, reboot the computer.

TIP: CONTROLLING THUMBNAIL-IMAGE SIZE IN WINDOWS XP
If you use a high-resolution monitor, certain features of the Windows XP OS might not appear the way
that you like. One such feature is the size of the thumbnail images that Windows Explorer displays of
image file types that it recognizes. The images tend to be too small to differentiate, especially if you
have a lot of similar images. To resize the displayed thumbnails, follow these steps:
1. Launch regedt32.
2. Open HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer.
3. Create a DWORD named ThumbnailSize.
4. Set a decimal value between 32 (smallest) and 256 (largest).
5. Exit regedt32.
6. Reboot.
HOW TO BYPASS THE RECYCLE BIN AND DELETE FILES DIRECTLY
To configure an XP or Win2K registry so that the system bypasses the Recycle Bin and deletes the files
directly, follow these steps:

1. Launch regedit.
2. Open
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket.
3. Change the NukeOnDelete value to 1 to enable immediate deletion or to 0 to disable immediate
deletion (i.e., to turn the Recycle Bin back on). If the NukeOnDelete value doesn't exist, create it as a
DWORD value.

TIP: SPECIFYING THE DOMAIN BY DEFAULT IN WINDOWS XP AND WIN2K
A reader asked me how to change the behavior of the Domain drop-down list that appears at logon to
users who have multiple domains available to them. The reader wants to change the default domain that
his users see rather than requiring them to scroll through the domain list to find the proper domain. To
change the default domain on the domain list, you can edit the registry:

1. Launch regedit.
2. Open HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon.
3. Set DefaultDomainName and AltDefaultDomainName to the requested domain.

TIP: CONNECTING WINDOWS XP TO WIN2K TERMINAL SERVER
I'm a big fan of using Windows 2000 Server Terminal Services as the appropriate tool for remote-
server management. So, I was surprised when a friend asked whether I knew why his Windows XP
system, which he was trying to connect to a Win2K Terminal Server (full license, not just the
administrative license), kept returning a security-error message and failed to connect. XP includes a
Terminal Server Client Access License (CAL). Adding an XP client to an existing Terminal Server
shouldn't be a problem, regardless of licensing-allocation issues. What I discovered is that a bug exists
that you can correct with a couple of registry edits.

On the Win2K Terminal Services machine:


1. Launch regedt32.
2. Open the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Parameters
registry subkey.
3. Delete the value names X 509 Certificate and X 509 Certificate ID.
4. Exit the editor and restart Terminal Services.

On the XP computer:
1. Launch regedt32.
2. Open the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSLicensing
registry subkey.
3. Delete the key MSLicensing.
4. Reboot, then reconnect to the Terminal Services system. If this doesn't solve the problem, contact
the Microsoft Clearinghouse to reactivate your licensing server.

TIP: DISABLING WINDOWS MESSENGER
Many readers who use Windows XP have told me that they don't want Windows Messenger to start
every time they log on to their systems. These readers usually follow up with another email message
telling me that although they've succeeded in turning off Windows Messenger, it now starts every time
they launch Microsoft Outlook. Here's how to disable Windows Messenger in the registry so that it
defaults to off and doesn't launch when Outlook launches.

1. Launch regedt32.
2. Open HKEY_CURRENT_USER\Software\Policies\Microsoft\Messenger\Client.
3. Add a DWORD called PreventRun and set its value to 1.
4. Add a DWORD called PreventAutoRun and set its value to 1.
5. Open HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\10.0\Outlook\InstantMessaging.
6. Add a DWORD called ForceDisableIM and set its value to 1.

If necessary, you can reenable the automatic launching of Windows Messenger by resetting all the
values to 0.

TIP: DISABLING WINDOWS XP BALLOON POP-UPS


While merrily working away on your Windows XP desktop, you might have noticed that every now
and then you get pulled away from your work by a balloon tip popping up from the notification area of
the taskbar (the space on the right-hand side where the System Tray is). After one too many
notifications interrupted my concentration, I figured out how to turn those balloon pop-ups off. Here's
how:

1. Launch regedit.
2. Open
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced.
3. Create a REG_DWORD named EnableBalloonTips.
4. Set the value data to 0.
5. Close regedit.
6. Reboot the computer.

Setting the value to 1 will turn the balloon tips back on if you decide you can't live without them.

HOW CAN I STOP WINDOWS 2000 FROM USING AN ENCRYPTED FORMAT WHEN I COPY ENCRYPTED FILES
TO A SERVER?
By default, when you copy locally encrypted files to a server, Win2K retains the encryption format.
However, you might not want server-based files to be encrypted. For example, a laptop user might want
to encrypt files locally for security reasons but want the server-based files to be unencrypted so that
other users can view the files.

To stop Win2K from copying files to a server in an encrypted format, perform the following steps on
the destination server:
1. Start a registry editor (e.g., regedit.exe).
2. Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
registry subkey.
3. Select the NtfsEncryptionService value, then select Edit, Delete from the menu bar.
4. Close the registry editor.
5. Reboot the server for the change to take effect.

After you make this change, you'll no longer be able to encrypt files on the server and Win2K will
decrypt any encrypted files that users copy to the server.

HOW CAN I STOP WINDOWS FROM CACHING A .DLL FILE AFTER I CLOSE THE PROGRAM THAT WAS ACCESSING
IT?

A. Windows caches .dll files to speed disk I/O. However, even after you close the calling program,
the .dll file remains cached. To stop Windows from caching .dll files after you've closed the calling
program, perform the following steps:
1. Start a registry editor (e.g., regedit.exe).
2. Navigate to the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer registry
subkey.
3. From the Edit menu, select New, DWORD Value.
4. Enter the name AlwaysUnloadDLL, then press Enter.
5. Double-click the new value, set it to 1, then click OK.
6. Close the registry editor, then reboot the machine for the change to take effect.

TIP: TURN OFF "LOW DISK WARNING" IN WINDOWS XP


Lately, when I configure and set up test computers, I use disks that I attach to the computers with 1394
and USB 2.0 connections. The disks I move between computers are usually almost completely full, and
to my annoyance, Windows XP generates a persistent Low Disk Warning on the taskbar. Because I
know that, for my purposes, disk capacity isn't a problem, I need a quick way to turn the warning off.
To do so, I take the following steps:
1. Launch regedit.
2. Open HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer.
3. Add a new value of type REG_DWORD and name it NoLowDiskSpaceChecks.
4. Set the entry data value to 1.

TIP: FORCING AN ACL TO ACCOMPANY A FILE ACROSS SHARES IN WIN2K
When you drag files across shares on Windows 2000 servers, you need to check to make certain that
each file's necessary permissions are set in the new location. By default, a file inherits the permissions
of the folder you drag it to--it doesn't automatically retain the permissions it had in its previous location
because the file's ACL doesn't accompany the file to its new location. However, with a simple registry
edit, you can force Win2K to take a file's ACL along with the file from NTFS volume to NTFS volume.
Take the following steps:

1. Launch regedt32.
2. Open HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer.
3. Add a value of type REG_DWORD and name it ForceCopyAclwithFile.
4. Set the data value to 1.
5. Log off, then log back on to make the change take effect.
ADJUST WINDOWS XP'S SEARCH FUNCTION
A reader recently sent me an email message telling me that the Search function in Windows XP is
broken. The reader insisted that the Search function never seemed to see certain files on his computer. I
asked the reader what kinds of files he was searching for, and he told me that when he used the Search
for a word or phrase option, he never seemed to find the files he wanted. He had a large collection of
notes he had taken during meetings, and he wanted to be able to search through those files to find
comments to follow up on.
The reader's problem was that he was using his own convention for labeling his notes--specifically, a
four-digit date (e.g., 0208) as the file extension. By default, XP's word or phrase search function
requires that the file extension be a registered file type. Rather than tell the reader that he had to change
his naming convention and go back through a year's worth of files to rename them, I showed him the
following steps to quickly edit the registry to allow XP's search function to look for files with unknown
extensions.
1. Launch regedit.
2. Open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ContentIndex.
3. Double-click FilterFilesWithUnknownExtensions, in the right-hand pane.
4. Change the data value to 1.
5. Exit the registry editor.
6. Reboot the computer.

DISABLING THE PREFETCHER COMPONENT IN WINDOWS XP
One feature in Windows XP that can complicate application troubleshooting--particularly in
applications that launch at start-up--is the XP prefetcher. This component exists to speed up application
launching. However, because the prefetcher runs as a background process while other applications are
running or loading, it can complicate the diagnosis of application problems, particularly if an
application is causing the system to lock up or fail spectacularly in some other fashion. You can disable
the prefetcher component by making a registry change. Take the following steps:

1. Launch regedit.
2. Open
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters.
3. Double-click the EnablePrefetcher value name.
4. Write down and save the current value that EnablePrefetcher is set to. (Don't neglect this important
step. If you decide that you need to reenable the prefetcher, you'll need to reenter the data value you
wrote down.)
5. Set the value to 0 to disable the prefetcher.
6. Exit the registry editor.
7. Reboot the computer.

DISABLING EFS IN XP AND WIN2K


A reader who supports traveling users dropped me a line to ask whether he could stop these casually
connected users from using Encrypting File System (EFS) in Windows XP and Windows 2000 to
encrypt files and folders on their computers. A slight change to the registry can disable this OS feature.
Take the following steps:

1. Launch regedit.
2. Open the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS
registry subkey.
3. Create a value of type REG_DWORD and name it EfsConfiguration.
4. Set the data value to 1.
5. Exit the registry editor.
6. Reboot Windows.

How Can I Reset the "Always ask before opening this type of file"
Functionality in Microsoft
When you open attachments, Outlook displays a dialog box that prompts you to either "Open it" or
"Save it to disk." The dialog box also includes an "Always ask before opening this type of file" check
box. If you clear this check box, Outlook will in the future always open that file type without
prompting you. To reset the default behavior so that Outlook will prompt you to open or save the file
type, perform the following steps:
1. Open the Control Panel Folder Options applet.
2. Select the File Types tab.
3. Scroll down to the extension type that you want to reset.
4. Select the extension type, then click Advanced.
5. Check the "Confirm open after download" check box, then click OK.
6. Click Close to close the Folder Options dialog box.

Hide Date and Time Information in the System Tray Notification Area
In the May 29 issue of Windows Client UPDATE, I showed you how to make registry changes in
Windows XP to hide the icons in the notification area of the system tray from users. A few readers
responded that they want to keep the icons but hide date and time information because it occupies so
much space. Doing so is easy with the following registry change:
1. Launch regedit.
2. Open HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer.
3. Create a HideClock value of type REG_DWORD and set the value to 1.
4. Exit regedit and reboot the computer.

How Can I Prevent Windows XP from Reminding Me to Enter Microsoft Passport Details?
After you install XP, the OS prompts you to enter a Passport account to enable access to certain Internet
communication features. To turn off this reminder, perform the following steps:
1. Start a registry editor (e.g., regedit.exe).
2. Navigate to the HKEY_CURRENT_USER\Software\Microsoft\MessengerService registry subkey.
3. If the PassportBalloon registry value doesn't already exist, go to the Edit menu; select New, Binary
Value; enter a name of PassportBalloon; then press Enter.
4. Double-click the PassportBalloon value, set it to 0A 00 00 00, then click OK.
5. Close the registry editor.

Configure Windows XP Searches to Default to Your Preferences


One feature in Windows XP that irritates me is the built-in search function. I find it annoying to have to
configure the advanced search options to my preferences every time I use the search engine.
Fortunately, I've found that you can make some registry edits to configure searches to default to your
preferences. (You can continue to use the GUI to change the Advanced parameters in the search
engine.) To make the registry changes, take the following steps:
1. Launch the registry editor.
2. Open HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer.
3. In the right pane are a couple dozen entries. You need to be concerned with only five:
CaseSensitive, IncludeSubFolders, SearchHidden, SearchSlowFiles, and SearchSystemDirectories.
4. To change the default behavior (i.e., turn it on or off) for each of these five entries, double-click the
value name and set the value data to 1 to enable or 0 to disable.
5. Log off to enable the changes.

Tip: Helping XP and Win2K with GDI Scaling


I've written several columns for Windows Client UPDATE, as well as Windows & .NET Magazine,
about using high screen resolutions with Windows OSs and using settings higher than the normal
96dpi. As I write this, I'm using a 22" monitor running with a 2048 x 1536 screen resolution, so getting
the contents of my windows to scale properly is important. One problem is that Windows XP (through
the graphics device interface--GDI) doesn't automatically scale according to screen density. Microsoft
Internet Explorer (IE) 6.0 attempts to scale proportionately, but many objects don't scale well, if at all.
The next version of Windows (code-named Longhorn and officially introduced last week) will provide
GDI scaling as part of the basic set of OS features.
In the meantime, here is a minor registry edit you can make to help IE 6.0 with its scaling problems
in Windows XP and Windows 2000. This change won't affect non-IE applications.
1. Close all IE instances.
2. Launch regedit.
3. Open HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main.
4. Create a value of type REG_DWORD and name it UseHR.
5. Set the data value to 1.
6. Exit the registry editor.
7. Open IE.

Changing Disk Optimization Settings in XP


I've been using large hard disks in external enclosures connected over USB 2.0 to move data and
applications between computers. When I recently tried to set up a fresh disk in this configuration,
Windows XP wouldn't let me format the disk, presenting blank entries in the File System and
Allocation Unit Size fields in the Format dialog box. I solved the problem by changing the optimization
for the disk from Optimize for Quick Removal to Optimize for Performance. I noticed that my
FireWire (IEEE 1394)-attached disks experienced a performance boost with this configuration, too.
To change the disk optimization settings in XP, take the following steps:
1. Launch Computer Management from the Administrative Tools menu.
2. Select Disk Management.
3. In the lower right pane, you'll see small boxes with labels for available disks (e.g., Disk 0, Disk 1).
Right-click the label that applies to the physical hard disk you want to modify.
4. Select Properties from the context menu.
5. From the Properties dialog box, select the Policies tab.
6. Select the "Optimize for Performance" check box.
7. Click OK.
8. Exit and reboot the computer.

How Can I Stop Internet Page Links from Opening in My Microsoft Internet Explorer (IE) Session?
If IE is open on your system and you click a hyperlink to a Web page from another application in
Windows (e.g., from an email message, from the Run command), Windows will attempt to open the
Web page in your existing IE session. To prevent this behavior and force Windows to open a new IE
session, perform the following steps:
1. Start a registry editor (e.g., regedit.exe).
2. Navigate to the HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main registry subkey.
3. Double-click the AllowWindowReuse value or create this value (of type REG_DWORD) if it
doesn't already exist.
4. Set the value data to 0 to force Windows to open a new IE session, then click OK (setting the value
to 1 will let Windows use an existing IE session).
5. Close the registry editor.
6. Log off and log on for the change to take effect.

Find Out What Process is Using a Port


We see a lot of questions from readers who want to know what process is using a particular port on a
server or firewall. You can use third party shareware and freeware solutions to find out, but Windows
Server 2003 includes the -o switch in the netstat command that allows you to figure out the answers
without installing any extra software:

Open a command prompt and type the following command: netstat -nao


You'll see a list of local addresses and ports. If you see a local address of 0.0.0.0, that means that port is
listening on all addresses on all interfaces. Find the TCP or UDP port number you're curious about.
Then go to the end of that line and check the value in the PID column. This is the process ID of the
application or service using the port.
Press CTRL+SHIFT+ESC to bring up the Task Manager. Click the Processes tab. Click the View menu
and then click the Select Columns command.
Put a checkmark in the PID checkbox and click OK. Click the PID column header to sort the entries by
PID. Match up the PID that you discovered using the netstat command with the process owning the
PID.
Now you can easily find out which process is responsible for using a port.
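
The same PID matching can be scripted. The following is an added example, not part of the original tip: it parses netstat -nao output and joins it with tasklist /fo csv /nh output (tasklist is used here in place of Task Manager). Both sample outputs are constructed.

```python
import csv
import io

# Constructed sample of `netstat -nao` output (not captured from a real host).
SAMPLE_NETSTAT = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1234
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    192.168.1.10:3389      192.168.1.50:51515     ESTABLISHED     1080
  TCP    192.168.1.10:1433      0.0.0.0:0              LISTENING       2044
  UDP    0.0.0.0:500            *:*                                    676
  UDP    192.168.1.10:123       *:*                                    1012
"""

# Constructed sample of `tasklist /fo csv /nh` output for the same host.
SAMPLE_TASKLIST = '''\
"lsass.exe","676","Console","0","9,412 K"
"svchost.exe","892","Console","0","4,120 K"
"svchost.exe","1012","Console","0","18,004 K"
"svchost.exe","1080","Console","0","6,220 K"
"inetinfo.exe","1234","Console","0","11,876 K"
"sqlservr.exe","2044","Console","0","64,300 K"
'''


def parse_netstat(text):
    """Return one dict per TCP/UDP row of `netstat -nao` output."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # skip the banner, the column header and blank lines
        proto, local, foreign = fields[0], fields[1], fields[2]
        # UDP rows have no State column, so the PID is always the last field.
        state = fields[3] if proto == "TCP" and len(fields) == 5 else ""
        pid = int(fields[-1])
        # rpartition keeps IPv6 literals such as [::]:445 intact.
        addr, _, port = local.rpartition(":")
        rows.append({"proto": proto, "addr": addr, "port": int(port),
                     "foreign": foreign, "state": state, "pid": pid})
    return rows


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv /nh` output."""
    names = {}
    for record in csv.reader(io.StringIO(text)):
        if len(record) >= 2 and record[1].isdigit():
            names[int(record[1])] = record[0]
    return names


def owners_of_port(port, netstat_text, tasklist_text):
    """Return (proto, local address, state, pid, image) for rows using a port."""
    names = parse_tasklist(tasklist_text)
    hits = []
    for row in parse_netstat(netstat_text):
        if row["port"] == port:
            hits.append((row["proto"], row["addr"], row["state"], row["pid"],
                         names.get(row["pid"], "<unknown>")))
    return hits


def exposed_listeners(netstat_text, tasklist_text):
    """List listeners bound to all interfaces (0.0.0.0 or [::]), sorted by port."""
    names = parse_tasklist(tasklist_text)
    found = []
    for row in parse_netstat(netstat_text):
        listening = row["state"] == "LISTENING" or row["proto"] == "UDP"
        if listening and row["addr"] in ("0.0.0.0", "[::]"):
            found.append((row["proto"], row["port"],
                          names.get(row["pid"], "<unknown>")))
    return sorted(found, key=lambda item: (item[1], item[0]))


if __name__ == "__main__":
    for hit in owners_of_port(80, SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print("port 80:", hit)
    for proto, port, image in exposed_listeners(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print("all interfaces: %s/%d owned by %s" % (proto, port, image))
```

On a live system, pass the captured text of both commands to the functions instead of the constructed samples.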

Can I force Outlook 2002 to minimize to the system tray?


To send the Outlook icon to the Windows system tray (and not to the taskbar) when you minimize the
application, add the MinToTray entry (of type REG_DWORD) to the
HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Preferences registry subkey and
give the entry a value of 1.
See the Exchange & Outlook Web page for more great tips from Sue Mosher.

Leave My Current IE Browser Window Alone!


If you're tired of clicking URLs in email messages or applications only to have the resulting window
take over the Microsoft Internet Explorer (IE) browser you're currently using, try this simple registry
edit. It will enable a new browser window to open and won't affect the current browser window.

1. Launch a registry editor in Windows XP or Windows 2000.
2. Open the HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main subkey.
3. Set the AllowWindowReuse value (of type REG_DWORD) to 0.
4. Exit the registry editor.
5. Log off, then log back on to activate the change.

How can I prevent users from adding home email accounts (e.g.,
MSN Hotmail, POP) or other email accounts to their Outlook
profiles?
To prevent a user from adding an outside email account to an Outlook profile, create a DisableHTTP
entry of type REG_DWORD in the
HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Options registry subkey and set
the value to 1. Beginning with Microsoft Office XP Service Pack 2 (SP2), you can create registry
entries to prevent users from adding POP, IMAP, Exchange, and other accounts to their profiles. You
would need to create DisablePOP3, DisableIMAP, DisableExchange, and DisableOtherTypes
REG_DWORD entries in the
HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Options subkey and set the value
of each to 1 to disable the addition of any such account. Set the value to 0 to let users add such
accounts. For more information about these changes, see the Microsoft article "OL2002: The Options
to Prevent an Exchange, POP3, IMAP, and Other Server Types Accounts Are Not Available"
(http://support.microsoft.com/?kbid=317819).

What other security-related registry settings does Outlook 2002


support?
If you need to send a message by using a digital certificate that doesn't match your email address, you
can change the HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Security registry
subkey's SupressNameChecks entry of type REG_DWORD. Set the entry value to 1 to stop Outlook
from trying to match your email address with your security certificate. For more information about this
change, see the Microsoft article "OL2002: How to Turn Off E-mail Matching for Certificates"
(http://support.microsoft.com/?kbid=276597).

When you open an attachment from a mail message, Outlook copies the file to a system folder, then
opens the copy. By default, Outlook generates a random folder name and creates that folder in the
Temporary Internet Files folder. To create these temporary attachment copies elsewhere on the system,
enter a new path as the value for the OutlookSecureTempFolder entry in the
HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Security subkey.

If you permit POP, IMAP, or HTTP accounts, you might want to disable password caching to disk. In
the HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Security subkey, create a
REG_DWORD entry named EnableRememberPwd and set its value to 0. For more information about
this change, see the Microsoft article "OL2002: Disabling Password Caching for Internet Protocols"
(http://support.microsoft.com/?kbid=299377).

Outlook 2002 Service Pack 1 (SP1) and later let you disable HTML message content to thwart many
spammers and avoid dangers from as yet unknown Microsoft Internet Explorer (IE) vulnerabilities. To
the HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Options\Mail subkey, add a
REG_DWORD entry named ReadAsPlain and set its value to 1. After you restart Outlook, all messages
that aren't digitally signed or encrypted appear in plaintext format. For more information about this
change, see the Microsoft article "OL2002: Users Can Read Nonsecure E-mail as Plain Text"
(http://support.microsoft.com/?kbid=307594).

To ensure that Outlook overwrites deleted information from a Personal Folders (.pst) file or an offline
folders (.ost) file when you shut down Outlook, add a REG_DWORD entry named
PSTNullFreeOnClose with a value of 1 to the
HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\PST subkey. For more
information about this change, see the Microsoft article "OL2000: New Outlook 2000 Feature
Removes Deleted Data from .pst and .ost Files" (http://support.microsoft.com/?kbid=245776).
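
An added example (not from the original FAQs) of checking these Outlook 2002 settings on a workstation: it parses the text of a registry export and compares the REG_DWORD values described above, including the account-type restrictions from the earlier FAQ, with a baseline. The choice of baseline values and the sample export are constructed for illustration.

```python
import re

OUTLOOK = r"HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook"

# Values taken from the FAQs above. Which of them an organisation enforces is a
# local decision; this selection is an assumption made for the example.
BASELINE = {
    (OUTLOOK + r"\Options\Mail", "ReadAsPlain"): 1,
    (OUTLOOK + r"\Security", "EnableRememberPwd"): 0,
    (OUTLOOK + r"\PST", "PSTNullFreeOnClose"): 1,
    (OUTLOOK + r"\Options", "DisableHTTP"): 1,
    (OUTLOOK + r"\Options", "DisablePOP3"): 1,
    (OUTLOOK + r"\Options", "DisableIMAP"): 1,
}

# Constructed sample of a .reg export. Real exports are usually UTF-16 encoded,
# so decode the file to text before passing it in.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Options]
"DisableHTTP"=dword:00000001
"DisablePOP3"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Options\Mail]
"ReadAsPlain"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Security]
"EnableRememberPwd"=dword:00000001
"OutlookSecureTempFolder"="C:\\Temp\\OLK\\"
'''

_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_DWORD = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')


def parse_reg_dwords(text):
    """Return {(key, value_name): int} for every REG_DWORD in a .reg export.

    Keys and names are lower-cased because registry paths are case-insensitive.
    String, binary and other value types are ignored.
    """
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        match = _KEY.match(line)
        if match:
            key = match.group("key").lower()
            continue
        match = _DWORD.match(line)
        if match and key is not None:
            values[(key, match.group("name").lower())] = int(match.group("hex"), 16)
    return values


def audit(text, baseline=BASELINE):
    """Compare an export with the baseline; return sorted (value name, status)."""
    actual = parse_reg_dwords(text)
    findings = []
    for (key, name), want in baseline.items():
        got = actual.get((key.lower(), name.lower()))
        if got is None:
            status = "missing"
        elif got != want:
            status = "is %d, expected %d" % (got, want)
        else:
            status = "ok"
        findings.append((name, status))
    return sorted(findings)


if __name__ == "__main__":
    for name, status in audit(SAMPLE_EXPORT):
        print("%-20s %s" % (name, status))
```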

Can I prevent people from using .pst files?
Beginning with Microsoft Office XP Service Pack 2 (SP2), Outlook supports a DisablePst entry of type
REG_DWORD in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\10.0\Outlook
registry subkey. Set the value of DisablePst to 1 to prevent users from creating or opening Personal
Folders (.pst) files. For more information about this change, see the Microsoft article "OL2002: The
Options to Prevent an Exchange, POP3, IMAP, and Other Server Types Accounts Are Not Available"
(http://support.microsoft.com/?kbid=317819).

How can I stop the My eBooks, My Videos, and My Music subfolders from appearing in the My Documents
folder in Windows XP and later?
A. Each new version of Windows seems to add a new set of subfolders to the My Documents folder. If
you delete these subfolders, Windows will automatically recreate them the next time you log on. To
stop Windows from creating these subfolders every time, perform the following
steps:
1. From the Start menu, select Run, enter the command

regsvr32 /u mydocs.dll

to unregister the .dll file, then click OK.


2. Navigate to My Documents, then delete the automatically created folders that you no longer want
to appear.

The steps above disable the My Documents functions, so if your system is missing some functionality,
you'll need to reregister mydocs.dll.
If you want to reregister the .dll file, perform the above steps again but use the command

regsvr32 mydocs.dll

Can I tell Outlook 2002 and Outlook 2000 which Deleted Items folder
to use when multiple users access the same mailbox?
If you're logged on to someone else's mailbox as a delegate with the right to delete items, Outlook
typically places any items you delete into your Deleted Items folder. However, you might want to let
the mailbox owner see which items you've deleted. Open the
HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Options\General
registry subkey and add a REG_DWORD entry named DelegateWastebasketStyle. Set the entry's value
to 4 to store deleted items in the owner's mailbox, or set the value to 8 to store the items in your
Deleted Items folder. Note that you need at least the Author role on the Deleted Items folder in the
other person's mailbox to add items there. For more information about this registry edit, see the
Microsoft article "OL: Items Deleted from a Shared Mailbox Go to the Wrong Folder"
(http://support.microsoft.com/?kbid=202517).

Q. Does Windows Server 2003 provide a way to let users change their
passwords remotely on the Web?
A. The version of Internet Information Services (IIS) 6.0 that ships with Windows 2003 includes some
Web-administration tools that are disabled by default. To enable the tools, perform the following steps:
1. Start the Microsoft Management Console (MMC) IIS Management snap-in by clicking Start,
Programs, Administrative Tools, Internet Information Server (IIS) Management.
2. Navigate to Web Sites, Default Web Site.
3. Right-click Default Web Site. Select New, then select Virtual Directory. You'll see the Virtual
Directory Creation Wizard Welcome screen.
4. Click Next.
5. Enter an alias of IISADMPWD and click Next.
6. For the actual publish folder value, enter C:\windows\system32\inetsrv\iisadmpwd (where
C:\windows is the directory in which Windows is installed). Click Next.
7. For virtual directory permissions, select the Read and Run scripts check box, if it isn't already
selected. Click Next.
8. Click Finish.

You can access the new interface at http://<server address>/iisadmpwd/aexp2.asp to change a local
account password or at http://<server address>/iisadmpwd/aexp2b.asp to change a domain password.
The figure at
http://www.winnetmag.com/articles/images/042604_T&T_figure1.gif shows a sample Web interface
for changing a domain password.

--------------------

Q. How can I create a Web page where users can change their
passwords?
A. You can write an Active Server Pages (ASP) script that creates a password-change Web page. ASP
gives you complete access to Microsoft Active Directory Service Interfaces (ADSI), which lets you
perform a variety of functions, such as changing passwords or creating accounts.
When you write such a script, you must consider factors such as the user account under which the
script will run and the permissions you want to use when the script runs. The basic ADSI command to
change a user's password is

set usr = GetObject("LDAP://CN=John Savill,CN=Users,DC=savilltech,DC=com")
usr.put "userPassword", NewPassword

The first line assigns a handle to user John Savill in
domain savilltech.com. The next line puts the text NewPassword into the userPassword attribute.

I've written a short ASP script that prompts the user to enter a username and password (remember to
change the domain from savilltech.com to your domain). The script, which is available at
http://www.winnetmag.com/articles/download/changepass_asp.zip, is listed below.

<%
' Read the submitted form fields.
strUserCN = request.form("cn")
strNewPassword = request.form("newpass")
strPassVerify = request.form("passverify")

if strUserCN = "" then
    ' Nothing submitted yet: display the password-reset form.
    response.write "<html><head><title>Change Password</title></head><body>"
    response.write "<center><h1>Web Password Reset</h1></center>"
    response.write "<hr><br><br><form method=post action=changepass.asp><table>"
    response.write "<tr><td>CN: </td><td><input type=text name=cn></td></tr>"
    response.write "<tr><td>New Password: </td><td><input type=password name=newpass></td></tr>"
    response.write "<tr><td>Verify Password: </td><td><input type=password name=passverify></td></tr>"
    response.write "<tr><td colspan=2 align=center><input type=submit value='Reset Password'></td></tr>"
    response.write "</table></form></body></html>"
    response.end
else
    if strNewPassword = strPassVerify then
        ' Bind to the user object. The CN from the form goes straight into the DN,
        ' and the script does not check the caller's identity or the old password.
        set usr = GetObject("LDAP://CN=" & strUserCN & ",CN=Users,DC=savilltech,DC=com")
        usr.put "userPassword", strNewPassword
        usr.SetInfo ' commit the change from the local property cache to the directory

        response.write "<html><head><title>Results</title></head><body>"
        response.write "<center><h1>Update Results</h1></center><hr><br><br>"
        ' HTML-encode the submitted CN before echoing it back to the browser.
        response.write Server.HTMLEncode(strUserCN) & ": password was successfully updated"
        response.write "</body></html>"
        response.end
    else
        ' The two password fields differ: report the error.
        response.write "<html><head><title>Error!</title></head><body>"
        response.write "<center><h1>An Error Has Occurred!</h1></center>"
        response.write "<hr><br><br>"
        response.write "The password and confirmation do not match. Please go back and try again."
        response.write "</body></html>"
        response.end
    end if
end if
%>

Windows Server 2003 provides its own Web pages for password changes, which I discuss in the FAQ
"Does Windows Server 2003 provide a way to let users change their passwords remotely on the Web?".
However, you might find the sample ASP script useful for creating password-change interfaces on your
own Web pages or sites.
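
The script above builds the directory path by concatenating the cn form field into the DN, so a value containing a comma or another DN metacharacter names a different object than the form suggests. The following added example (not part of the original script; written in Python for illustration, with the 64-character limit taken as an assumption from the Active Directory cn attribute) escapes that value according to RFC 4514 and shows the effect on the resulting DN.

```python
# Characters that RFC 4514 requires to be escaped inside an attribute value.
_SPECIAL = set('"+,;<>\\')

# Container used by the page's script.
BASE = "CN=Users,DC=savilltech,DC=com"


def escape_dn_value(value):
    """Escape one attribute value for use inside a distinguished name."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _SPECIAL or ch == "=":
            # Escaping "=" is optional in RFC 4514 but always valid.
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def split_rdns(dn):
    """Split a DN into RDNs on unescaped commas (backslash escapes honoured)."""
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


def naive_dn(cn):
    """What the script does: plain string concatenation."""
    return "CN=" + cn + "," + BASE


def safe_dn(cn):
    """Escaped equivalent that also rejects empty or oversized input."""
    if not cn or len(cn) > 64:
        raise ValueError("CN must be 1-64 characters")
    # ADSI paths additionally treat "/" as a separator; this example covers
    # DN syntax only.
    return "CN=" + escape_dn_value(cn) + "," + BASE


if __name__ == "__main__":
    # Constructed inputs: a "Last, First" name and a value with an extra RDN.
    for cn in ("Savill, John", "John Savill,OU=Service Accounts"):
        print("input :", cn)
        print("naive :", split_rdns(naive_dn(cn)))
        print("safe  :", split_rdns(safe_dn(cn)))
```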

Q. How can I create a file that contains a list of all objects in a domain?
A. You can use the Csvde utility, which is included in Windows Server
2003 and Windows 2000 Server, to create a comma-separated value (CSV) file that lists all objects in a
domain. For example, to list all objects in the demo.local domain, you'd run the command

csvde -d "dc=demo,dc=local" -f domain.csv

The -d parameter specifies the root of the distinguished name (DN) from which to start the output to
the .csv file, and the -f parameter provides the output filename. Running this command displays the
following messages on screen:

Connecting to "(null)"
Logging in as current user using SSPI
Exporting directory to file domain.csv
Searching for entries...
Writing out entries
.........................................
.........................................
.........................................
Export Completed. Post-processing in progress...
201 entries exported

The command has completed successfully.


You can easily refine Csvde's output further. For example, let's say you want to create a file that
contains a list of the domain's organizational units (OUs). To do so, you'd run the command

csvde -d "dc=demo,dc=local" -f ous.csv -r "(objectClass=organizationalUnit)"

Notice that the command is the
same as in the previous example, except that the output filename is different and the command includes
the -r parameter. The -r parameter creates a Lightweight Directory Access Protocol (LDAP) search
filter so that the output will include only objects of class organizationalUnit.
The .csv file that Csvde creates typically contains a large amount of data that's relevant to the
domain's objects (230 attributes in total). You can load the Csvde utility's output into a Microsoft Office
Excel spreadsheet to view it more easily.

Q. How can I configure Microsoft Exchange Server 2003 administrators so that they can access all
users' mailboxes?
A. Unlike Exchange Server 5.5, in Exchange 2003 administrators don't have Send As or Receive As
permissions--in fact, such permissions are explicitly denied to administrators by default. To grant Send
As and Receive As permissions to administrators (and other users), perform the following steps:
1. Open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in,
create a security group called MailBoxAccess, and to this group add users to whom you want to grant
Send As and Receive As permissions.
2. Start the Exchange System Manager (ESM) utility (click Start, Programs, Microsoft Exchange,
System Manager).
3. Navigate to the database to which you want to grant access (e.g., <org>, <Administrative Groups>,
<admin group>, Servers, <Server name>, <storage group>, <database>).
4. Right-click the database and select Properties.
5. Select the Security tab.
6. Click Add.
7. Enter the MailBoxAccess group and click OK.
8. Check to verify that the group has Send As and Receive As permissions and click OK.

Users in the MailBoxAccess group will now have access to all mailboxes. Remember that Exchange
administrators are explicitly denied access by default. However, we've explicitly granted access at the
actual mailbox database level, which overrides the inherited permission (i.e., the Send As and Receive
As permissions that are explicitly denied to administrators).

Q. How can I enable the Security tab at the Exchange organization level?
A. By default, the Security tab isn't displayed on an Exchange organization's properties page. To
display the tab, perform these
steps:
1. Start the registry editor (regedit.exe).
2. Navigate to the HKEY_CURRENT_USER\Software\Microsoft\Exchange\EXAdmin subkey.
3. From the Edit menu, select New and click DWORD Value.
4. Enter a name of ShowSecurityPage and press Enter.
5. Double-click the new value and set it to 1. Click OK.
6. Close the registry editor.

The Security tab will now be displayed on the Exchange organization's properties page. At the Security
tabbed page you can turn off the Send As and Receive As deny settings, which I discuss in the FAQ
"How can I configure Microsoft Exchange Server 2003 administrators so that they can access all users'
mailboxes?" to grant Exchange administrators full access to all mailboxes in the organization. The
Security tab method is a simpler way to grant administrators access to users'
mailboxes than the technique described in the FAQ; however, it lets you grant access only to all
mailboxes (or none).

How can I determine the location of an executable file on my Windows Server 2003 system?
A. Your Windows 2003 environment contains a PATH variable that's created by using the system path
variable and a user-specific path variable. When a program resides in a folder that appears in the PATH
variable, you can start the program simply by typing the executable's filename (e.g., dcdiag.exe); you
don't have to precede the executable name with the full pathname. (The Windows 2003 Support Tools
must be installed on your Windows 2003 system for the PATH variable to work.) You can check your
PATH variable by running the command

echo %path%

from a command prompt; you'll see that the variable contains one or more paths, such as c:\program
files;c:\program files\support tools.
Using this PATH variable as an example, if the executable resides in either the Program Files or
Support Tools folder, you don't need to type the complete path.
Sometimes you might want to check the location of an executable file (e.g., a command). To do so,
start a command prompt (cmd.exe) and type

where <executable filename>

For example, entering the command

where dcdiag.exe

displays the following results:

C:\program files\support tools\dcdiag.exe

Outlook Tip: Preventing Users from Adding Email Accounts to Outlook
To prevent a user from adding an outside email account to an Outlook 2002 profile, create a
DisableHTTP entry of type REG_DWORD in the
HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Options
registry subkey and set the value to 1. Beginning with Microsoft Office XP Service Pack 2 (SP2), you
can create registry entries to prevent users from adding POP, IMAP, Exchange, and other accounts to
their profiles. You would need to create DisablePOP3, DisableIMAP, DisableExchange, and
DisableOtherTypes REG_DWORD entries in the
HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Options
subkey and set the value of each to 1 to disable the addition of any such account. Set the value to 0 to
let users add such accounts. For more information about these changes, see the Microsoft article
"OL2002: The Options to Prevent an Exchange, POP3, IMAP, and Other Server Types Accounts Are
Not Available" (http://support.microsoft.com/?kbid=317819).

Enabling Concurrent RDP Sessions in Windows XP SP2
One feature in the beta release of Windows XP Service Pack 2 (SP2) that isn't in the final version was
the ability to configure XP to support two simultaneous Remote Desktop sessions. I found this feature
very useful, given the way I use RDP in my daily tasks, and I was disappointed that it was gone.
However, you can re-enable this feature with a simple registry edit.
1. Open Registry Editor (Start, Run, regedit).
2. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\Licensing Core.
3. Create a new REG_DWORD value named EnableConcurrentSessions.
4. Set the value to 1.
5. Exit the editor.

You'll then have support for two concurrent RDP sessions.

How can I trigger an action to be performed when certain Windows events occur?
A. Solutions such as Microsoft Operations Manager (MOM) have highly configurable options for
performing actions that depend on Windows events. However, Windows XP and later provide a tool,
eventtriggers.exe, which lets you schedule an action to be performed when certain events occur. The
basic command syntax for creating a trigger is

eventtriggers /create /tr "<friendly name for trigger>"
    /eid <event ID to trigger on>
    /l <log to monitor, or omit to track all logs>
    /t <type of event to monitor for, e.g., ERROR>
    /tk <task to perform when event is found>
    /ru <username to run the action under; by default, the local system is used>
    /rp <password of specified user account>

To display a detailed list of the triggers you've created, run the command

eventtriggers /query /v

You can configure the query to create the output in a specific format.
For example, to create a comma-separated value (CSV) format, add the argument

/fo csv

to the end of the previous command (/fo means format). Other format options include table and list.
If you need to troubleshoot a trigger action, you can view the log file at
%systemroot%\system32\wbem\logs\cmdtriggerconsumer.log.
However, the log doesn't give much information. Typically, the best way to debug a trigger action is to
try to run the trigger action manually.
Remember that specifying credentials (i.e., the /ru and /rp arguments) to use might fix the problem
because by default the action will run under the local system context.
To remove all the triggers on your system, use this command:

eventtriggers /delete /tid *


We use Windows Server 2003 Terminal Services and Windows 2000
Server Terminal Services to remotely administer our servers. As
my company's information security officer, I want to make sure
that we use the strongest possible encryption for RDP traffic. I
also want to make sure that administrators can't, as a
convenience, save their passwords in RDP connections that they
set up. What's the best way to accomplish these objectives?
A: Although Windows 2003 and Windows XP let you use Group Policy to centrally control Terminal
Services, Win2K doesn't. To configure Terminal Services centrally on Windows 2003 and XP
platforms, open a Group Policy Object (GPO) that's applied to your servers and navigate to Computer
Configuration, Windows Settings, Administrative Templates, Windows Components, Terminal
Services. You'll find a host of settings related to Terminal Services; the settings for RDP encryption are
under the Encryption and Security folder. Select that folder and double-click "Set client connection
encryption level," as Figure 1, at http://list.windowsitpro.com/t?ctl=7192:3AFAE, shows. Select High
Level to signal Terminal Services to require 128-bit encryption for RDP traffic between the client and
server.

With regard to your other requirement, you can't prevent your administrators from saving their
passwords in RDP connections they create, but you can reduce the risk that doing so causes. In the
Encryption and Security folder, double-click "Always prompt client for password upon connection"
and enable this policy. Now, if the administrator violates your policy and saves a password in the RDP
connection, Windows will still prompt for his or her password. Thus, an attacker who gains access to
the administrator's workstation while he or she is logged on as the administrator or who succeeds in
logging on as the administrator won't inevitably have access to your server through Terminal Services.
You can learn more about Terminal Services at http://list.windowsitpro.com/t?ctl=718D:3AFAE.

Adjust the Bandwidth Available to System Services


I've recently received some reader email about Microsoft's Automatic Updates service running
under Windows XP. The email messages referenced various problems that occurred when the update
service was downloading new updates to client computers. About half the messages complained that
Internet browsing slowed when users received notification that an update was being downloaded. The
other messages had a similar concern--how to get updates to download faster. I schedule updates to
download at 4:00 A.M., and although I'm occasionally working at that time, I've never noticed an
update slowing down my system. The readers with questions were all in environments in which the
computers were turned off at the end of the business day and, as a result, ran the update during business
hours.
By default, XP uses as much as 20 percent of the connection bandwidth for its own communications.
If you feel this amount is too much (or too little), you can make a policy change that will reduce or
expand the amount of bandwidth available to system services. You can even make the policy change on
a standalone system. To make the policy change, perform these steps:
1. Go to Start, Run.
2. Enter gpedit.msc into the Open dialog box and click OK.
3. In Group Policy Editor (GPE), click Computer Configuration.
4. Click Administrative Templates.
5. Click Network.
6. Click QoS Packet Scheduler.
7. Double-click "Limit reservable bandwidth."
8. Click the Enabled radio button.
9. Set the Bandwidth limit (increase or decrease).
10. Click OK.

Q. Do Windows 2000 or later DHCP clients renew their existing lease on restart?
A. When a Win2K or later client that already has a DHCP lease tries to boot, it attempts to renew its
lease with its previous DHCP server by sending a DHCPRequest packet. If the DHCP server responds
with a DHCPAck packet, the client renews its lease. If the DHCP server responds with a DHCPNack,
the client restarts the lease process. If the DHCP server doesn't respond, the client pings the default
gateway defined in the current lease. If the Ping succeeds, the client continues to use its current lease,
attempting to renew at 50 percent of its assigned lease time. If the Ping fails, the client autoconfigures
the IP address and continues to attempt to find a DHCP server in the background.
You can configure clients to release leases on shutdown by performing this registry change:
1. Start the registry editor (regedit.exe).
2. Navigate to the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{<Interface ID>}
registry subkey.
3. From the Edit menu, select New, DWORD Value.
4. Enter a name of ReleaseOnShutDown and press Enter.
5. Double-click the new value and set it to 2 to release the lease according to the DHCP server's
instructions (which is the default) or 0 to configure the client to not release the lease on shutdown.
Click OK.

To configure the DHCP server to instruct clients to release their lease when they shut down, perform
these steps:
1. Start the Microsoft Management Console (MMC) DHCP snap-in (Start, Programs, Administrative
Tools, DHCP).
2. Expand the DHCP server.
3. Open the scope whose options you wish to modify. Select Scope Options, and click the Advanced
tab.
4. Select Microsoft Options from the Vendor class drop-down menu and select Default User Class
from the User class drop-down menu. Under Available Options, select the "002 Microsoft Release
DHCP Lease on Shutdown Options" check box, as the figure at
http://list.windowsitpro.com/t?ctl=F366:3AFAE shows. Set its value to one of these options:
1 = DHCP clients send a DHCPRelease message on proper shutdown, which means they'll give up their
lease.
0 = DHCP clients don't send a DHCPRelease message on proper shutdown, which means that when the
clients restart they'll attempt to renew their existing lease.
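
The restart exchange described above, as an added example that is not part of the original answer: it builds the DHCPRequest a rebooting client sends and the DHCPRelease sent at shutdown, parses the server's reply, and applies the ACK / NAK / no-response decision. The byte layout follows RFC 2131; the MAC address, transaction ID and IP addresses are constructed, and the function names are hypothetical.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks the start of the options field
OPT_REQUESTED_IP, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 50, 53, 54, 255
DHCPREQUEST, DHCPACK, DHCPNAK, DHCPRELEASE = 3, 5, 6, 7
BOOTREQUEST, BOOTREPLY = 1, 2


def build_message(op, msg_type, xid, mac, ciaddr="0.0.0.0", yiaddr="0.0.0.0", options=()):
    """Build a raw DHCP message: 236-byte BOOTP header, magic cookie, options."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        op, 1, 6, 0,                         # op, htype=Ethernet, hlen=6, hops
        xid, 0, 0,                           # transaction id, secs, flags
        socket.inet_aton(ciaddr), socket.inet_aton(yiaddr),
        b"", b"",                            # siaddr, giaddr (struct zero-pads)
        mac, b"", b"",                       # chaddr, sname, file (zero-padded)
    )
    body = bytes([OPT_MSG_TYPE, 1, msg_type])
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return header + MAGIC_COOKIE + body + bytes([OPT_END])


def parse_message(data):
    """Return (xid, {option code: value bytes}) for a raw DHCP message."""
    if len(data) < 240 or data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    xid = struct.unpack("!I", data[4:8])[0]
    options, i = {}, 240
    while i < len(data) and data[i] != OPT_END:
        if data[i] == 0:                     # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        options[data[i]] = value
        i += 2 + length
    return xid, options


def reboot_request(xid, mac, leased_ip):
    """DHCPRequest sent at boot for an address the client already leases.
    RFC 2131 (INIT-REBOOT): ciaddr stays zero, the address goes in option 50."""
    return build_message(BOOTREQUEST, DHCPREQUEST, xid, mac,
                         options=[(OPT_REQUESTED_IP, socket.inet_aton(leased_ip))])


def release_message(xid, mac, leased_ip, server_ip):
    """DHCPRelease sent on proper shutdown when release-on-shutdown is in effect."""
    return build_message(BOOTREQUEST, DHCPRELEASE, xid, mac, ciaddr=leased_ip,
                         options=[(OPT_SERVER_ID, socket.inet_aton(server_ip))])


def restart_action(reply, expected_xid, gateway_answers_ping):
    """Decision the answer describes; reply is raw bytes, or None on timeout."""
    if reply is not None:
        xid, options = parse_message(reply)
        msg_type = options.get(OPT_MSG_TYPE, b"\x00")[0]
        if xid == expected_xid and msg_type == DHCPACK:
            return "renew lease"
        if xid == expected_xid and msg_type == DHCPNAK:
            return "restart lease process"
    # No reply, or a reply that belongs to another transaction.
    if gateway_answers_ping:
        return "keep current lease, retry renewal at 50 percent of lease time"
    return "autoconfigure address, keep looking for a DHCP server"


if __name__ == "__main__":
    mac, xid = bytes.fromhex("00112233aabb"), 0x1234ABCD     # constructed values
    request = reboot_request(xid, mac, "192.168.1.50")
    print("request options:", parse_message(request)[1])
    ack = build_message(BOOTREPLY, DHCPACK, xid, mac, yiaddr="192.168.1.50")
    nak = build_message(BOOTREPLY, DHCPNAK, xid, mac)
    for label, reply, ping in (("ACK", ack, True), ("NAK", nak, True),
                               ("timeout, gateway up", None, True),
                               ("timeout, gateway down", None, False)):
        print(label, "->", restart_action(reply, xid, ping))
```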

How can I set the default domain user profile?


Most people are aware that you can set the default base profile on a per-workstation basis by replacing
the "C:\Documents and Settings\Default User" folder on each local workstation. However, instead of
performing this action on every workstation, you can specify a domainwide default profile. To do so,
you need to save the required profile to the domain's Netlogon folder under the name "Default User" by
performing the following steps:
1. Create a profile that you want to use as the default profile for all new users and log off as the user.
2. Log on to the workstation as a domain administrator.
3. Start the System Control Panel applet (Start, Settings, Control Panel, System).
4. Select the Advanced tab.
5. Click Settings in the User Profiles section of the tab.
6. Select the profile you created in the first step and click Copy To.
7. In the "Copy profile to" field, enter a location of <domain controller>\netlogon\default user.
In the "Permitted to use" field, click Change and set to Everyone, as the figure at
http://list.windowsitpro.com/t?ctl=1218F:3AFAE shows. Click OK.
8. Click OK to the User Profiles dialog box, then click OK to the System Properties dialog box.
When a new user logs on to a workstation for the first time, he or she will now have a profile based on
the default profile stored on the Netlogon share. However, because end users can easily change these
default profile settings, you'll typically want to use Group Policy instead of this method to set the
mandatory configuration options. Group Policy settings will override attempts by the user to modify
the profile settings.

Q. How can I run a Control Panel applet or Microsoft Management Console (MMC) snap-in configuration file as another user from the command line?
A. Normal best practice for administrators is to log on to a system under a user account and, as needed,
use Runas or Winternals' Psexec utility (which you can download at
http://list.windowsitpro.com/t?ctl=13335:3AFAE ) to run programs with Administrator privileges. However, you can't use this method
to run some items (e.g., .cpl and .msc files). To work around this limitation, you can use the Psexec
utility and call the file by adding a "cmd /c start" prefix to the command. For example, the following
code will fail to run the System Control Panel applet:

C:\WINDOWS>psexec -d -i -e -u Administrator sysdm.cpl

However, if you add "cmd /c start" to the command, as the following example shows, the command
will run the applet.

C:\WINDOWS>psexec -d -i -e -u Administrator cmd /c start sysdm.cpl

You could include such commands in batch files and place the files on your desktop menus for fast
access to the applications within the correct user context.

Q. How can I start a process or program as the local system account?


A. In the FAQs, "How do I schedule commands?"
(http://list.windowsitpro.com/t?ctl=1332D:3AFAE ) and "I am unable to stop a process from Task
Manager even though I'm an Administrator, what can I do?"
( http://list.windowsitpro.com/t?ctl=1332E:3AFAE ), I explain how to submit a command by using the
scheduler service with the /interactive switch to start a program. Because the scheduler service runs as
the local system, the program would also run with local system credentials. You can use Winternals'
Psexec utility (which you can download at http://list.windowsitpro.com/t?ctl=13335:3AFAE ), with the
-s switch to run a program as the system account. The following sample execution shows how to start a
cmd.exe session under the system account:

whoami
SAVILLTECH\john

psexec -s cmd.exe

PsExec v1.60 - Execute processes remotely Copyright (C) 2001-2005 Mark Russinovich Sysinternals -
www.sysinternals.com

Microsoft Windows XP [Version 5.1.2600]


(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM
C:\WINDOWS\system32>exit
cmd.exe exited on WKSSAVD800 with error code 0.

When you use the -s switch, Psexec temporarily installs on the computer a service named "psexec
running psexesvc.exe," which is removed after the application running as system is closed. Thus, to run
under the system context, you'll need permissions to install services.
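
One way to watch for the temporary service described above, as an added example that is not from the original column or from the tool's authors: it scans service-installation records for a service whose binary is psexesvc.exe and marks whether the host is one where that is expected. The pipe-delimited record layout, the sample records, the host FILESRV01 and the allowlist are constructed, and treating event ID 7045 from Service Control Manager as the service-installation record is an assumption about the Windows version doing the logging.

```python
import re
from collections import namedtuple

Event = namedtuple("Event", "time host event_id source fields")

SERVICE_INSTALLED = 7045   # assumption: Service Control Manager "service installed" record
EXE_NAME = re.compile(r'([^\\/"]+?\.exe)\b', re.IGNORECASE)

# Constructed sample records: time|host|event id|source|key=value;key=value
SAMPLE_LOG = r"""
2024-05-02T09:12:44|WKSSAVD800|7045|Service Control Manager|ServiceName=PSEXESVC;ImagePath=%SystemRoot%\PSEXESVC.exe;StartType=demand start;Account=LocalSystem
2024-05-02T09:13:02|WKSSAVD800|7036|Service Control Manager|ServiceName=PSEXESVC;State=running
2024-05-02T10:40:10|FILESRV01|7045|Service Control Manager|ServiceName=Backup Agent;ImagePath="C:\Program Files\Backup\agent.exe" -svc;StartType=auto start;Account=LocalSystem
2024-05-02T11:05:31|FILESRV01|7045|Service Control Manager|ServiceName=PSEXESVC;ImagePath=C:\Windows\psexesvc.exe;StartType=demand start;Account=LocalSystem
this line is damaged and must be skipped
"""


def parse_events(text):
    """Parse the constructed record format, skipping blank or damaged lines."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|", 4)
        if len(parts) != 5 or not parts[2].isdigit():
            continue
        fields = dict(pair.split("=", 1) for pair in parts[4].split(";") if "=" in pair)
        events.append(Event(parts[0], parts[1], int(parts[2]), parts[3], fields))
    return events


def executable_name(image_path):
    """Lower-cased file name of the service binary, without directory, quotes or arguments."""
    match = EXE_NAME.search(image_path)
    return match.group(1).strip().lower() if match else ""


def find_psexec_service_installs(events, expected_hosts=frozenset()):
    """Return one finding per service installation whose binary is psexesvc.exe."""
    findings = []
    for ev in events:
        if ev.event_id != SERVICE_INSTALLED:
            continue
        # Match on the binary, which is how the text above identifies the service.
        if executable_name(ev.fields.get("ImagePath", "")) != "psexesvc.exe":
            continue
        findings.append({
            "time": ev.time,
            "host": ev.host,
            "service": ev.fields.get("ServiceName", "?"),
            "account": ev.fields.get("Account", "?"),
            "expected": ev.host.upper() in expected_hosts,
        })
    return findings


if __name__ == "__main__":
    admin_workstations = {"WKSSAVD800"}          # hypothetical allowlist
    for hit in find_psexec_service_installs(parse_events(SAMPLE_LOG), admin_workstations):
        status = "expected" if hit["expected"] else "REVIEW"
        print(f'{hit["time"]} {hit["host"]} service={hit["service"]} '
              f'account={hit["account"]} [{status}]')
```

Because the service is removed when the program exits, the installation record is usually the only lasting trace, so it is worth forwarding to central logging rather than reading it from the workstation later.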

Disable the Start Menu's Newly Installed Application Feature


I'm often asked how to turn off the Windows XP feature that highlights newly installed applications on
the Start menu.
Here are the steps for turning off the feature.

1. Right-click Start and select Properties.
2. Click Customize on the Start Menu tab.
3. Click the Advanced tab.
4. Clear the "Highlight newly installed programs" check box.
5. Click OK.

Some users have told me that this feature has been re-enabled without their interaction. I don't know
why this occurs, but I usually direct them to the registry setting that controls this functionality.
1. Launch the registry editor.
2. Open the
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
registry subkey.
3. Double-click the Start_NotifyNewApps entry in the right panel.
4. Set the value to 0.

Password Cracking Made Easy


Many of you probably test the strength of your users' passwords now and then to ensure that people are
picking something strong enough to resist attack. Others of you might test password strength as part of
your consulting services for various customers. Of course, sometimes you might need to recover a lost
password, in which case you need a password cracker.

Several tools that attempt to crack passwords of various types are available, including LCP (at the first
URL below) and John the Ripper (at the second URL below). Both these tools can brute-force guess
passwords; however, they can take some time, depending on the complexity of the password. Another
tool, pwdump2 (at the third URL below), dumps password hashes from within Active Directory (AD)
or the Windows SAM database. You'll need pwdump2 or a similar tool to use LCP or John the Ripper.
http://list.windowsitpro.com/t?ctl=199DB:3AFAE
http://list.windowsitpro.com/t?ctl=199D9:3AFAE
http://list.windowsitpro.com/t?ctl=199C8:3AFAE

Another method of cracking passwords is to use rainbow tables, which are sets of possible password
hashes and their precomputed plain text equivalents. Having the hashes computed ahead of time saves
a lot of time when password cracking because then the cracking software just needs to find the hash of
the unknown password in the tables. Once the hash is found, the plain text version of the password is
also found.
The downsides to this approach are of course the lengthy computation time required to create the tables
and the storage requirements for the tables, which can be in the hundreds of gigabytes, depending on a
variety of parameters including possible password lengths, character sets, and hash algorithms.
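
Why precomputation works against the unsalted formats this article names, and what stops it, as an added example that is not from the original article: a table computed once over a candidate list recovers every matching unsalted SHA-1 hash by lookup, while the same table finds nothing when each account's hash includes its own salt. It uses a plain hash-to-plaintext dictionary, the simplest form of precomputation (real rainbow tables shrink the storage with hash chains), and PBKDF2 as the salted contrast, which the article does not mention; the candidate list, accounts, passwords and salts are constructed.

```python
import hashlib

# Constructed stand-in for the keyspace a real table would be generated over.
CANDIDATES = ["password", "letmein", "Summer2005", "qwerty", "accounting"]


def sha1_hex(password):
    """Unsalted hash: the same password always produces the same stored value."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def pbkdf2_hex(password, salt, rounds=10_000):
    """Salted, iterated hash: the stored value depends on the per-account salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds).hex()


def build_table(candidates, hash_fn):
    """Precompute hash -> plaintext for every candidate before any target hash is seen."""
    return {hash_fn(word): word for word in candidates}


def lookup_all(stored_hashes, table):
    """Map each account to the plaintext found in the table, or None if absent."""
    return {user: table.get(value) for user, value in stored_hashes.items()}


def keyspace(charset_size, max_length):
    """Candidates of length 1..max_length: what drives table build time and storage."""
    return sum(charset_size ** n for n in range(1, max_length + 1))


def run_demo():
    # Constructed accounts; alice and bob share a weak password on purpose.
    passwords = {"alice": "letmein", "bob": "letmein", "carol": "v9#Tq!r2Lm0x"}
    # Fixed salts keep the demo repeatable; a real system draws them from os.urandom(16).
    salts = {
        "alice": bytes.fromhex("00112233445566778899aabbccddeeff"),
        "bob": bytes.fromhex("ffeeddccbbaa99887766554433221100"),
        "carol": bytes.fromhex("0123456789abcdef0123456789abcdef"),
    }
    unsalted = {user: sha1_hex(pw) for user, pw in passwords.items()}
    salted = {user: pbkdf2_hex(pw, salts[user]) for user, pw in passwords.items()}

    table = build_table(CANDIDATES, sha1_hex)
    # A table rebuilt for one account's salt is useless for every other account.
    alice_table = build_table(CANDIDATES, lambda word: pbkdf2_hex(word, salts["alice"]))
    return {
        "unsalted": lookup_all(unsalted, table),
        "salted": lookup_all(salted, table),
        "salted_alice_table": lookup_all(salted, alice_table),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
    # Table size grows with character set and length, as the article notes.
    print("lowercase letters, up to 7 characters:", keyspace(26, 7), "candidates")
```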

Tools are available to produce rainbow tables. One toolkit, called RainbowCrack, includes tools to
generate and sort rainbow tables and a tool to discover an unknown password--assuming of course that
you have a copy of the password hash.
http://list.windowsitpro.com/t?ctl=199D6:3AFAE

If you don't want to generate your own tables, you can buy precomputed tables or use the recently
launched RainbowCrack-Online, a subscription service that can crack your passwords for a fee. The
fee, which can range from $29.95 per month to $2499 per year, depends on the number of passwords
you want to crack and the length of time you want to use the service. As you would guess, the service
uses massive rainbow tables to make password discovery relatively quick.

Using the service to test password strength is probably not practical in many cases. However, you could
use the service to discover unknown passwords for a variety of systems because the service supports
passwords hashed with LAN Manager, NT LAN Manager (NTLM), Message Digest 5 (MD5),
Message Digest 4 (MD4), Secure Hash Algorithm 1 (SHA1), Cisco PIX, and MySQL. Check it out at
the URL below.
http://list.windowsitpro.com/t?ctl=199D7:3AFAE

Q. How can I monitor registry activity during logon and logoff?
A. The Regmon tool, which you can download at http://list.windowsitpro.com/t?ctl=1BB12:3AFAE , is
handy for monitoring registry access and modification. However, it runs as part of the interactive
desktop, which means when you log off, the Regmon process terminates. To solve this problem,
combine Regmon with PsExec (which you can download at
http://list.windowsitpro.com/t?ctl=1BB0C:3AFAE ) to configure Regmon to run under the local system in the background. This
approach allows the Regmon process to survive a logon or logoff. To configure Regmon, open a
command line, and type

C:\>psexec -i -s -d "c:\program files\misc\regmon.exe"

The -i switch instructs PsExec to run Regmon as interactive; the -s switch tells it to run under the local
system; and the -d switch tells it to launch the application and not wait for it to terminate.
After a user logs off and logs back on, the Regmon window will appear again and will have captured
all activity. (Make sure that you don't close the Regmon application before logging off!) You can use
PsExec to run any other applications that need to survive a logoff and logon.

Q. How can I migrate shares and their data between servers?


A. Microsoft provides the Microsoft File Server Migration Toolkit (FSMT), which you can download
from http://list.windowsitpro.com/t?ctl=22CBF:3AFAE . The tool lets you migrate shares and data
from any server running Windows NT 4.0 or later to a Windows Server 2003 (or Windows Storage
Server 2003) machine.

The utility also interfaces with DFS, which lets you maintain the original UNC path of the data and
avoid complications with accessing data once it has been migrated. However, Windows Server 2003
Enterprise Edition lets you maintain the original UNC path, and if the old UNC path doesn't need to be
maintained, DFS isn't required.

Q. How do I enable Send As functionality for a user in Microsoft Exchange Server?
A. You can grant users a "send on behalf of" ability so that the receiver of a message will see the
message is from <sender> on behalf of the person who wanted the message sent. Alternatively, you can
give users a true "Send As" ability, in which the recipient will think the message came from the
mailbox owner rather than the person who actually sent the message. To grant true Send As
functionality, perform these steps:
1. Start the Exchange version of Active Directory Users and Computers (Start, Programs, Microsoft
Exchange, Active Directory Users and Computers).
2. From the View menu, select Advanced Features.
3. Right-click the user who wants to let other people send messages on his or her behalf and select
Properties.
4. Select the Security tab.
5. Click Advanced.
6. Select the Permissions tab and click Add.
7. Enter the users who require the Send As permission, then click OK.
8. The list of permissions will be displayed. Ensure "This object only" is selected for the "Apply
onto:" field, then scroll to the bottom and select the Send As permission, as the figure at
http://list.windowsitpro.com/t?ctl=28B06:3AFAE shows. Click OK.
9. Click OK to the Advanced security dialog box, and click OK to the User Properties window.

The sender of the message now needs to enable the From option in the sending email (Options, From),
as the figure at http://list.windowsitpro.com/t?ctl=28AFE:3AFAE shows.
Then enter the person from whom the message should come. The message will appear to the
recipient as if it was sent from that person directly. For the From field, make sure you select the name
from the address list rather than typing in the name. I've seen problems occur when I type in the name
of the sender. If you're using Microsoft Outlook in Cached Exchange Mode, you might also need to
force a download of the Offline Address Book (OAB) to see any changes you've made (Tools,
Send/Receive, Download Address Book).

Q: I have a Windows 2000 machine that won't allow the user to log on.
When we try to log on with a domain account, we see a message that the computer name isn't
recognized by the domain. We don't know the local administrator's password, so we can't log on as the
administrator. Is there a way to bypass the logon screen?

A: There's no way to bypass the logon screen native to Windows--even if you use the recovery console,
you'll need the appropriate password.
However, I can recommend two things to try. First, disconnect the computer from the network and
attempt to log on with a domain account that has logged on in the past. Windows should use the cached
credentials because the machine isn't on the network. After you're logged on, you can further diagnose
the problem--you'll probably need to delete the computer's domain account and rejoin the computer to
the domain. If logging on with cached credentials doesn't work, you'll have to take the more drastic
measure of resetting the local administrator's password.

One way to reset the password is to boot up DOS with a floppy disk, load Sysinternals' free Ntfsdos
utility (available at http://list.windowsitpro.com/t?ctl=289D0:3AFAE ), then delete the SAM file,
which you'll typically find in C:\winnt\system32\config. After deleting the SAM file, reboot. Windows
will replace the SAM file with a default SAM file that contains only Administrator and Guest. The
Administrator password will be blank. Be aware that this method destroys any local users and guests as
well as user-right assignments, account policy, and audit policy.

If you don't want to destroy the SAM, you can try using the Ntpasswd utility to reset the password.
Ntpasswd, written by Peter Nordhal, is available at http://list.windowsitpro.com/t?ctl=289CE:3AFAE .
When you boot with a floppy disk that contains Ntpasswd, it loads a small version of Linux, then a
custom program displays Administrator and the local users in the SAM. After you select the desired
user, Ntpasswd lets you enter a new password. Exit Ntpasswd, reboot, and you can log on as the user
using the new password. These utilities usually work, but they use methods unsupported by Microsoft
and should be used only as a last resort.

Can I use Group Policy to prevent users from changing Microsoft Office 2003 Service Pack 2's (SP2's) anti-phishing setting?
No. The anti-phishing feature is turned on by default. If the user clicks Tools, Options, Junk E-mail and
clears the "Don't turn on links in messages that might connect to unsafe or fraudulent sites. To help
protect your security, we recommend that you leave this check box selected" check box, Outlook stores
that preference in the user's mail profile settings in the Windows registry. Group Policy Objects (GPOs)
can't manage mail profile settings without the assistance of a third-party tool.

Specifically, the registry setting that stores the user's preference is a REG_BINARY entry named
000b042a in
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\profile name\0a0d020000000000c000000000000046.
When the entry is absent or has a value of 00 00, links are disabled in suspect messages. When the entry
has a value of 01 00, links in suspect messages are left active.
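
Since Group Policy cannot enforce this setting, one way to audit it is to read it out of a registry export, shown here as an added example that is not from the original answer: the code parses regedit export text, finds the 000b042a entry under each mail profile, and reports whether links in suspect messages are disabled or left active. The key path is written with the spaces Windows uses in "Windows NT" and "Windows Messaging Subsystem"; the export text, the profile names and the 00036601 value are constructed, and the function names are hypothetical.

```python
PROFILES_KEY = ("HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion"
                "\\Windows Messaging Subsystem\\Profiles")
SETTINGS_SUBKEY = "0a0d020000000000c000000000000046"
VALUE_NAME = "000b042a"


def key_line(profile, subkey=""):
    """Format a '[key path]' header line the way regedit writes it in an export."""
    path = PROFILES_KEY + "\\" + profile
    return "[" + (path + "\\" + subkey if subkey else path) + "]"


# Constructed export text: three profiles, one with the protection switched off.
SAMPLE_EXPORT = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    key_line("Outlook", SETTINGS_SUBKEY), '"000b042a"=hex:01,00', "",
    key_line("Kiosk", SETTINGS_SUBKEY), '"000b042a"=hex:00,\\', "  00", "",
    key_line("Shared"), "",
    key_line("Shared", SETTINGS_SUBKEY), '"00036601"=hex:84,01,00,00', "",
])


def parse_reg_export(text):
    """Return {key path: {value name: raw data}} from regedit export text."""
    keys, current = {}, None
    lines = iter(text.splitlines())
    for raw in lines:
        line = raw.strip()
        # Long hex values continue on the next line after a trailing backslash.
        while line.endswith("\\") and not line.startswith("["):
            line = line[:-1] + next(lines, "").strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            current[name.strip('"').lower()] = data
    return keys


def hex_bytes(data):
    """Decode 'hex:01,00' (REG_BINARY) into bytes; return None for other value types."""
    if not data.lower().startswith("hex:"):
        return None
    return bytes.fromhex(data[4:].replace(",", "").strip())


def audit_link_setting(text):
    """Return {profile: state} for every mail profile found in the export."""
    prefix = PROFILES_KEY.lower() + "\\"
    results = {}
    for key, values in parse_reg_export(text).items():
        if not key.lower().startswith(prefix):
            continue
        parts = key[len(prefix):].split("\\")
        profile = parts[0]
        # An absent entry means links stay disabled, so that is the starting state.
        results.setdefault(profile, "links disabled")
        if len(parts) == 2 and parts[1].lower() == SETTINGS_SUBKEY and VALUE_NAME in values:
            value = hex_bytes(values[VALUE_NAME])
            if value == b"\x01\x00":
                results[profile] = "links active"
            elif value != b"\x00\x00":
                results[profile] = "unexpected value"
    return results


if __name__ == "__main__":
    for profile, state in sorted(audit_link_setting(SAMPLE_EXPORT).items()):
        print(f"{profile}: {state}")
```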

Fixing Permissions on Shared Folders


I've heard from readers and I've seen firsthand that various security and networking applications will
make previously available shared folders on a Windows XP computer unavailable to users from other
computers, even though it appears that permissions have been set correctly to allow the network shares
to be hosted. When you attempt to access a previously shared folder, the system generates a message
such as "<Computer Name> is not accessible. You may not have permission to use this network
resource."

The problem is that the application the user is running has reset the registry value for
restrictanonymous to 1 from 0. To change the value back, perform the following steps:

1. Launch the registry editor.
2. Open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA.
3. In the right pane, double-click the restrictanonymous value.
4. Change the data value to 0.
5. Exit the registry editor.
6. Reboot the computer.

Q. How can I modify the registry to enable the option to display the full path in the Windows Explorer address bar?
A. Typically, you configure Explorer to display the full path in the address bar by going to the Folder
Options settings (Tools, Folder Options, View) and selecting the "Display the full path in the address
bar" check box. You can also enable the feature via the registry:
1. Start the registry editor (regedit.exe).
2. Navigate to the
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState
subkey.
3. Double-click the "FullPathAddress" value (or create the DWORD-type value if it doesn't exist).
4. Set the value to 1 to enable it or 0 to disable it.
5. Click OK and close the registry editor.

Q. How can I enable friendly trees in Windows Explorer?
A. Friendly trees enable automatic folder expansion when you select a disk, and any other expanded
disks will collapse giving a cleaner view:
1. Start the registry editor (regedit.exe).
2. Navigate to the
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced registry
subkey.
3. Double-click the "FriendlyTree" value (or create the DWORD-type value if it doesn't exist).
4. Set the value to 1 to enable the feature or 0 to disable it.
5. Click OK and close the registry editor.

Preventing Users from Disabling a Screen Saver


Q: How can I prevent my users from disabling the password-protected screensaver that I configure
when setting up new systems?

A: If your computers and user accounts are part of an Active Directory (AD) domain, you can use one
Group Policy Object (GPO) to deploy a policy to all your users that prevents them from disabling the
screen saver. If you don't use AD, you'll need to configure the setting in the local GPO of each
computer.

Whether editing a GPO in AD or a computer's local GPO, navigate to the User
Configuration\Administrative Templates\Control Panel\Display folder in the Microsoft Management
Console (MMC) Group Policy Object Editor and enable the "Hide Screen Saver tab" policy. Now when
users open the Display applet in Control Panel, the Screen Saver tab just won't be there for them to
access. Note that the Display folder also contains other policies that enable you to configure the screen
saver itself as well as its timeout value and other parameters.

Viewing Images in Windows XP


If you've been unable to view images with Windows XP's Windows Picture and Fax Viewer and you
can't see thumbnails when you're browsing folders that contain images, it's because the OS has lost the
proper registration of the Shimgvw.dll file. To fix this problem, do the following:

1. Close all Microsoft Internet Explorer (IE) windows.
2. Click Start, Run.
3. In the Run dialog box, type

regsvr32 /s %systemroot%\system32\shimgvw.dll

4. Click OK.

At this point, you should be able to view thumbnails properly.

To check that the viewer works correctly, do the following:

1. Open a folder that contains images.
2. Right-click an image.
3. Select Preview from the context menu.

Q. The Windows XP disk defragmenter doesn't work on my computer. What's wrong?
A. I've heard of cases in which the disk defragmentation engine stops functioning, resulting in several
problems, such as:
- When you attempt to Analyze or Defragment, Disk Defragmenter performs no actions.
- When you try running Defrag.exe from a command line or batch file, you receive a "Windows cannot
connect to the Disk Defragmenter engine" error message.
- When you right-click a local hard disk and select Properties, the Defragment Now button isn't
available on the Tools tab, or if it is available, pressing it displays the following error message:
"The Disk Defragmenter is not installed on your computer. To install it, double-click the Add or
Remove Programs icon in Control Panel, click the Install/Uninstall tab, and then follow the instructions
on your screen."

To resolve the problem, force a reinstallation of the disk defragmenter engine:
1. Navigate to the %SystemRoot%\INF folder (Start, Run, %SystemRoot%\INF) and click OK.
2. Right-click the dfrg.inf file and select Install.

Q. How can I modify the Microsoft Exchange Server 2003 Outlook Web Access (OWA) timeout that's applied when OWA has forms-based authentication enabled?
A. By default, when OWA has forms-based authentication enabled, sessions have a 15-minute
inactivity timeout for public or shared computers and 24 hours for a private computer. If you're using a
public computer to compose a long email message that takes more than 15 minutes to write, the session
will time out and you won't be able to send the message. You can change this timeout value (which is
the cookie lifetime) by using this procedure:
1. Log on to the Exchange server as an Administrator.
2. Start the registry editor (regedit.exe).
3. Navigate to the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWEB\OWA
subkey.
4. From the Edit menu, select New - DWORD value.
5. Enter a name of PublicClientTimeout and press Enter.
6. Double-click the new value and set it to the desired number of minutes before a timeout (1 to
4320), set the type to decimal, and click OK.
7. To set the timeout period for a private client, repeat the process of creating a DWORD value, but
this time enter a name of TrustedClientTimeout and again set the value to the number of minutes before
a timeout. (The value for private computers should be significantly higher than for public computers.)
8. Stop and restart the World Wide Web (WWW) Publishing service by using these commands at the
command line:

net stop w3svc


net start w3svc

Q. How can I deploy a printer to clients by using Windows Server 2003 R2?
A. Windows Vista and Longhorn Server will provide printer publishing using native Group Policy. In
the interim, Windows 2003 R2 allows printers to be pushed out via Group Policy and a small piece of
client-side code that runs as part of the logon process. It looks at Group Policy and checks which
printers it should add, then adds them. Your Active Directory (AD) needs to be running the Windows
2003 R2 schema changes that support printer deployment. To deploy printers, follow this process:

First, on the Windows 2003 R2 server, you need to add the Print Management Component:
1. Start the "Add or Remove Programs" Control Panel applet (Start, Settings, Control Panel, Add or
Remove Programs), click "Add or Remove Windows Components," select "Management and Monitoring
Tools," then check the Print Management Component.
2. Click Next and when prompted, point to the Windows 2003 R2 disk 2 location.
3. Click Finish.

A new Print Management snap-in is now available in the Administrative Tools folder. To deploy a
printer, perform these steps:
1. Start the Microsoft Management Console (MMC) Print Management snap-in (Start, Programs,
Administrative Tools, Print Management).
2. Expand the Print Servers branch, then expand the print server hosting the printer and select
Printers.
3. Right-click the printer you want to deploy with Group Policy and select "Deploy with Group
Policy."
4. Click Browse to select the Group Policy Object (GPO) name to use.
5. Click the "new" GPO icon (or select an existing GPO) and name it Deploy Printers. Click OK.
6. Check either or both "The users that this GPO applies to (per user)" or "The computers that this
GPO applies to (per machine)" and click Add.
7. Click OK to the deploy dialog box.

Make sure the GPO you created (if you created one) is linked to a domain or OU to ensure that users
and computers receive the pushed printer. When you open the GPO you'll notice a new Deployed
Printers branch, which lists deployed printers in the GPO.

Currently the selected printer won't deploy because the client doesn't understand the Group Policy
settings since they're new to R2 and not expected by older clients; you need to configure the
PushPrinterConnections.exe utility (found in the %systemroot%\PMCSnap folder) to execute. To do so,
perform these steps:
1. Open the Microsoft Management Console (MMC) Group Policy Object Editor and open the GPO
you used for the printer deployment.
2. If the printer is deployed to users, navigate to User Configuration, Windows Settings, Scripts
(Logon/Logoff); if it's deployed to computers, navigate to Computer Configuration, Windows Settings,
Scripts (Startup/Shutdown).
3. Right-click Startup or Logon, and click Properties.
4. In the Logon Properties or Startup Properties dialog box, click Show Files. The location of the
folder used at logon is shown in the Address field (e.g.,
\\savilltech.com\SysVol\savilltech.com\Policies\{EAB0039E-A677-4C89-9CF2-053576CDA1FC}\Machine\Scripts\Startup).
5. Copy and paste the PushPrinterConnections.exe file from the c:\windows\PMCSnap folder to this
location and close the window.
6. In the Logon Properties or Startup Properties dialog box, click Add.
7. Enter "PushPrinterConnections.exe" in the Script Name box (to enable logging, enter "-log" in the
Script Parameters box). Log files are written to %windir%\Temp\PpcMachine.log (for per-computer
connections) and %temp%\PpcUser.log (for per-user connections) on the computer on which the policy
is applied.
8. Click OK.

For per-user deployed printers, you now need to log off, then log on; for per-machine printers, you
need to restart the targeted computer.

Q. How do I disable Windows Vista's User Access Control (UAC)?
A. The UAC feature, which strips a session of elevated privileges until the privilege is needed, drew a
lot of hostile attention in early Vista beta builds. It's been refined in the final release, but some people
still find it intrusive. The UAC feature can be disabled via the User Accounts Control Panel applet.
Simply click "Turn User Account Control on or off," as the figure at

shows, and clear the "Use User Account Control (UAC) to help protect your computer" check box.

Turning off UAC is not a good idea. A better option is to use the local security settings that are
available via the Microsoft Management Console (MMC) Administrative Tools snap-in. Under Local
Policies, Security Options are a number of User Account Control options, which include options to
automatically elevate privileges when required, as the figure at

shows. The setting doesn't disable UAC, but raises privileges when needed without prompting. You can
configure the setting for all users or just for administrators. Additional settings exist around
signed/unsigned executable behaviors and installation behaviors.

Q. What's the difference between Windows Vista's sleep and hybrid sleep modes?
A. Pre-Vista Windows versions had options to hibernate, which saved the computer's memory state to
disk followed by a shutdown, and standby, which placed the computer into a low power-consumption
mode. Vista has the sleep and hybrid sleep modes. In the basic sleep mode, the computer enters a low
power-consumption mode, keeping programs and data state in memory; in hybrid sleep mode, the
computer enters a low power-consumption mode, keeping programs and data state in memory but also
writes the memory content to disk, which means in the event of a power outage the computer's state
can be recovered from the disk version of the memory state. Hybrid sleep takes slightly longer to go
into low-power mode because the memory content has to be written to disk. On my computer, sleep
takes 2 seconds to enter, whereas hybrid sleep takes 16 seconds. The extra 14 seconds is worth it to
avoid losing data in the event of a power outage.

The Sleep button on the computer puts the computer into sleep or hybrid sleep mode, depending on the
configuration of the computer. To configure the sleep options, follow these steps:
1. Start the Power Options Control Panel applet (Start, Control Panel, Power Settings).
2. Select the "Change plan settings" option for the current power plan.
3. On the settings dialog box, click "Change advanced power settings."
4. Scroll down to the Sleep option, expand "Allow hybrid sleep" (on a laptop, additional options for
"On battery" or "Plugged in" will be displayed) and click On or Off to allow/disallow hybrid sleep, as
the figure at http://list.windowsitpro.com/t?ctl=49FB8:1B38AB1927B33C74DBE81A3AADC84490 shows.
5. Click OK and close open dialog boxes.

This setting updates the ACSettingIndex (1 for enabled, 0 for disabled) under the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\User\PowerSchemes\[GUID of scheme]
key.

Q. How do I enable the Full Network Map in Windows Vista when the machine is part of a domain?
A. By default, the new Link Layer Topology Discovery (LLTD) protocol that's responsible for
discovering information about a network is disabled when a Vista machine is part of a domain. (It's
only enabled when the network is designated as Home, instead of Work or Public.) If you try to select
the "View full map" from the Network and Sharing Center, a message will appear that says, "Network
mapping is disabled by default on domain networks. Your network administrator can use Group Policy
to enable mapping."

To enable this functionality locally on a machine, start the Group Policy Editor (GPE--gpedit.msc) as
Administrator and navigate to the Local Computer Policy, Computer Configuration, Administrative
Templates, Network, Link-Layer Topology Discovery branch. Double-click "Turn on Mapper I/O
(LLTDIO) driver" and set it to Enabled, and select the check boxes for "Allow operation while in
domain" and "Prohibit operation while in public network," as the figure at
http://list.windowsitpro.com/t?ctl=49FB5:1B38AB1927B33C74DBE81A3AADC84490 shows. Click
Apply, then click OK and close the GPE.

The option "Turn on Responder (RSPNDR) driver" allows the machine to participate and return
information to LLTD requests from other machines and again can be enabled for domain environments.

You can find more information about the LLTD and other connectivity technologies at
http://list.windowsitpro.com/t?ctl=49FC0:1B38AB1927B33C74DBE81A3AADC84490 .

By default, XP machines don't have a Link Layer Topology Discovery
(LLTD) responder to allow the XP machine to be placed in the network map. For XP Service Pack 2
(SP2) machines, a LLTD responder is available from
http://list.windowsitpro.com/t?ctl=49FB2:1B38AB1927B33C74DBE81A3AADC84490 .
The responder will allow XP machines to show in the network diagram as known devices. The
savdalwks01 machine in the figure at
http://list.windowsitpro.com/t?ctl=49FB9:1B38AB1927B33C74DBE81A3AADC84490
is an XP machine with the LLTD responder installed.

Q. How do I enable Microsoft Office 2007 applications to be able to save files in PDF format?
A. Microsoft has created an add-on for Office 2007 that enables output to PDF and the XPS format (a
Microsoft alternative to PDF). Once the add-on is installed, the PDF and XPS formats will be available. You can
download the add-on at
http://list.windowsitpro.com/t?ctl=4F702:1B38AB1927B33C7440E2A05A81E7A4EB .

Q. How do I create an administrative installation of Microsoft
Office 2007?
A. As with earlier versions of Office, an administrative mode is available with Office 2007. To perform
an administrative installation use the "setup /admin" switch, which opens the Office Customization tool
that the figure at
http://list.windowsitpro.com/t?ctl=4F70D:1B38AB1927B33C7440E2A05A81E7A4EB
shows. If you receive an error that components are missing, check that you have the admin folder at the
root of your media. Some versions don't have this folder so administrative setup isn't possible.

Once you've made your desired customization changes, save the setup file to a Windows Installer Patch
(.msp) file. You then pass it to setup.exe by using this command:

setup.exe /adminfile off2007admin.msp

Because of the reliance on setup.exe, you can't deploy Office 2007 via Group Policy unless you wrap it
in a .zap file; however, deployment via Microsoft Systems Management Server (SMS) is supported and
documented at
http://list.windowsitpro.com/t?ctl=4F70B:1B38AB1927B33C7440E2A05A81E7A4EB .

Q. How do I enable hibernation on my Windows Vista machine?
A. If the hiberfil.sys file on the system partition is removed, the option to hibernate is not available. A
common reason for the hiberfil.sys to be deleted is from running the Disk Cleanup Tool, as explained
in the Microsoft article "The hybrid sleep feature and the hibernation feature in Windows Vista may
become unavailable after you use the Disk Cleanup Tool"
(http://list.windowsitpro.com/t?ctl=4F712:1B38AB1927B33C7440E2A05A81E7A4EB ).

To create the hibernate file and reenable hibernation, use the following command:

C:\>powercfg -h on

This command will re-enable hibernation. Likewise, you can use the -h off switch to delete the hibernation
file and disable hibernation.

Q. How can I determine which sleep states are available on my Windows Vista machine?
A. You can use the powercfg tool with the /a switch to display the sleep states supported on a machine,
as the following example and output show:

C:\>powercfg /a

The following sleep states are available on this system: Standby ( S1 S3 ) Hibernate Hybrid Sleep
The following sleep states are not available on this system:
Standby (S2)
The system firmware does not support this standby state.

The power states of a machine are:


- S0: Working. This is the normal state of the computer when switched on.
- S1: Suspend / Sleeping 1: The CPU suspends activity but retains all its contexts in a very low-power
state.
- S2: Suspend / Sleeping 2: The CPU is powered down and loses its contexts, but the memory retains
all of its data.
- S3: Suspend / Sleeping 3: Same as S2 but devices will need to be reinitialized at the next wake-up.
- S4: Hibernation / suspend-to-disk: All contexts are written to disk in a hibernation file and the
system is powered off (same as S5).
- S5: Soft-off: Everything has been shut down.

How can I easily send command output to the Windows clipboard?
You might be familiar with the notion of piping command output to "more" (| more). Doing so allows
the output to be advanced one line at a time. A similar facility is provided by "clip," an external
program that takes any input and writes to the clipboard. So, simply pipe the output of your command
to "clip" (| clip). For example, to send the output of a directory list to the clipboard, use

C:\>dir | clip

Q. In Windows Vista, how can I take ownership of a file from the command line?
A. Vista retains the Takeown command, which lets you take ownership of a file. A number of switches
(e.g., /s) let you specify a remote system, along with the user context to use (e.g., /u and /p for
username and password). Here's some sample usage for taking ownership of a specific file:

takeown /f intlcfg.exe
SUCCESS: The file (or folder): "D:\Temp\intlcfg.exe" now owned by user "SAVILLTECH\john".

To take ownership of a folder and all its content, you can add the /r switch for recursive execution:

takeown /f . /r
SUCCESS: The file (or folder): "D:\Temp" now owned by user "SAVILLTECH\john".
SUCCESS: The file (or folder): "D:\Temp\boot.wim" now owned by user "SAVILLTECH\john".

You can also use the /a switch to make the ownership go to the Administrators group instead of the
current user:

takeown /f intlcfg.exe /a
SUCCESS: The file (or folder): "D:\Temp\intlcfg.exe" now owned by the administrators group.

Q. What is Windows Vista's Cacls replacement?


A. Vista introduces Icacls, which performs the same functions as Cacls and introduces many more
capabilities. Some new functionality includes the ability to back up and restore ACLs on entire
directory structures to a file, in addition to letting you swap SIDs in ACLs or find all entries that
contain a certain SID. For example, to find all files with savilltech\john in an ACL, I would use

icacls *.* /findsid savilltech\john

For full information about using the utility, try running

icacls /?
which also gives examples for the usage of the various options.

Q. What are the new symbolic linking facilities in Windows Vista? And how do I create symbolic links in Windows Vista?
A. A symbolic link is a file system object that points to another file system object. The object being
pointed to is called the destination object. Symbolic links are transparent to users and are a standard
part of the OS; the symbolic links appear as regular folders and files to the user. They're useful because
they allow a single interface point on the file system to access data in multiple locations on the local
and even remote computers without the user needing to know.

Windows XP and Windows 2000 had junction points, allowing access to folders and volumes on the
local computer, but junction points were hard to manage natively and have been replaced with the new
symbolic linking feature.

A. Windows Server 2008 and Windows Vista provide the Mklink utility, which creates both file and
directory symbolic links. The command has three optional
parameters: /D creates a directory symbolic link instead of the default file symbolic link, /H creates a
hard link instead of a symbolic link, and /J creates a directory junction.

Suppose you have calc.exe in the windows\system32 folder, and you want to run it as addup.exe
instead. You can use the command

mklink addup.exe calc.exe
symbolic link created for addup.exe <<===>> calc.exe

C:\Windows\System32>dir addup.exe
Volume in drive C has no label.
Volume Serial Number is E0BA-564B
Directory of C:\Windows\System32
05/17/2007 11:08 AM <SYMLINK> addup.exe [calc.exe]
1 File(s) 0 bytes
0 Dir(s) 235,354,234,880 bytes free

Notice that the directory entry shows a symbolic link with the real file name in square brackets.
Using /H instead and creating a hard link makes the entry appear as if it's actually the file instead of
looking like a shortcut, which is what you get by default. For example, in the output below, you see a
standard symbolic link and then a hard link, which appears exactly like a normal file:

mklink /H addup2.exe calc.exe
Hardlink created for addup2.exe <<===>> calc.exe

dir
05/17/2007 11:10 AM <SYMLINK> addup.exe [calc.exe]
11/02/2006 10:00 AM 188,416 addup2.exe
11/02/2006 10:00 AM 188,416 calc.exe

For folders, you essentially have the same symbolic link and hard link options, and with folders a hard
link is known as a junction point, created with the /D and /J switches respectively. With either type of
link, you can navigate the folders, and any added/deleted content will update the target
folder:

mklink /d testlnk test1
symbolic link created for testlnk <<===>> test1

mklink /j testlnkhd test1
Junction created for testlnkhd <<===>> test1

dir
05/17/2007 11:20 AM <DIR> test1
05/17/2007 11:21 AM <SYMLINKD> testlnk [test1]
05/17/2007 11:21 AM <JUNCTION> testlnkhd [D:\temp\test1]

Q: How important is it to configure servers to use NTLMv2 for authentication?
A: Configuring servers to use NTLMv2 is of medium to high importance, depending on your
environment. Windows uses the Kerberos authentication protocol by default. However, Windows uses
NT LAN Manager (NTLM) or
NTLMv2 when Kerberos isn't available, which can be the case if you have users that use local accounts
instead of domain accounts, log on to computers outside your domain, or use an OS that doesn't
support Kerberos.

NTLMv2 provides better protection than NTLM by making it more difficult to crack any challenge and
response data gleaned from authentication packets traveling over the network. To capture those
packets, an attacker has to trick the network switch into forwarding packets to his or her computer,
which requires either physical access to the network or remote control of a computer on the network.
Sniffing packets on a modern, fully switched network is more difficult than on older, hub-based
networks. For an attacker who successfully captures authentication traffic, cracking NTLMv2
challenge/response pairs is more difficult than cracking NTLM. However, weak passwords are easily
cracked no matter what protocol you use--even Kerberos.

To force systems to use NTLMv2 rather than NTLM and reject any computer that attempts lower-level
authentication, you can open Group Policy Management Console (GPMC), select a Group Policy
Object (GPO) that's applied to all the computers on your network, navigate to Computer
Configuration\Windows Settings\Security Settings\Local Policies\Security Options, and set the
"Network security: LAN Manager authentication level" field to "Send NTLMv2 response only/refuse
LM & NTLM."
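
One way to check where you stand before enforcing this setting, as an added example that is not part of the original answer: the PowerShell below reads the LmCompatibilityLevel registry value behind the policy and lists recent NTLM logons that did not use NTLMv2. It assumes Windows Vista/Server 2008 or later (Security event 4624), PowerShell 3.0 or later, and an elevated prompt; the function names are made up for this example.

```powershell
# Added example: NTLM posture check before enforcing
# "Send NTLMv2 response only/refuse LM & NTLM".
# Run elevated; reading the Security log needs administrative rights.

# Policy text for each LmCompatibilityLevel value
# (HKLM\SYSTEM\CurrentControlSet\Control\Lsa).
$LmLevelText = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only/refuse LM'
    5 = 'Send NTLMv2 response only/refuse LM & NTLM'
}

# Report the level this computer is configured with (hypothetical helper name).
function Get-LmCompatibilityLevel {
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $prop = Get-ItemProperty -Path $key -Name 'LmCompatibilityLevel' -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        # Value absent: the OS default applies, and it differs between Windows versions.
        return [pscustomobject]@{
            Level            = $null
            Policy           = 'Not configured (OS default applies)'
            RefusesLmAndNtlm = $false
        }
    }
    $level = [int]$prop.LmCompatibilityLevel
    [pscustomobject]@{
        Level            = $level
        Policy           = $LmLevelText[$level]
        RefusesLmAndNtlm = ($level -eq 5)
    }
}

# List successful logons (event 4624) that used NTLM but not NTLMv2.
# These are the clients that level 5 would start rejecting.
function Get-LegacyNtlmLogon {
    param([int]$MaxEvents = 5000)

    $filter = @{ LogName = 'Security'; Id = 4624 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten <EventData><Data Name="...">value</Data> into a lookup table.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            $isNtlm      = $data['AuthenticationPackageName'] -eq 'NTLM'
            $isV2        = $data['LmPackageName'] -eq 'NTLM V2'
            # Anonymous sessions routinely show up as NTLM V1 and carry no password.
            $isAnonymous = $data['TargetUserName'] -eq 'ANONYMOUS LOGON'

            if ($isNtlm -and -not $isV2 -and -not $isAnonymous) {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    User        = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                    Workstation = $data['WorkstationName']
                    SourceIp    = $data['IpAddress']
                    Package     = $data['LmPackageName']
                }
            }
        }
}

Get-LmCompatibilityLevel | Format-List

# Group by account and client so each legacy system appears once, busiest first.
Get-LegacyNtlmLogon |
    Group-Object User, Workstation, Package |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Run it on the servers that accept the logons, because event 4624 is recorded where the session is created; an empty second result means nothing in the sampled events would be rejected by the stricter setting.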

Q. My Windows Vista machine won't boot, and the problem seems to be related to a bad boot sector. Can you shed some light on this?
A. The Vista media has a great recovery environment that you can use in this situation in two ways.
The first (and most likely to succeed) way is to boot from the Vista media and select the Repair My
Computer option, which (after you select the Windows installation) offers a number of repair options.
The first option is Startup Repair, which performs a scan of the environment and fixes problems that
are preventing your computer from booting, including replacing the boot sector.

If this fix doesn't work, boot from the Vista media again and select the Command Prompt option. From
the Windows PE command prompt, you can use the Bootrec command-line tool, which offers options
to replace the Master Boot Record (MBR) with a Vista-compatible version, replace the boot sector, and
rebuild the Boot Configuration Data (BCD).

To replace the MBR (which doesn't erase the partition table, so you won't lose your partitions), run the
Bootrec /fixmbr command. To replace the boot sector use the Bootrec /fixboot command. Both
commands shouldn't harm a healthy installation, so they're safe to run. After you execute the
commands, reboot the installation.

Q. How can I change the friendly name of an entry on my Windows Server 2008 or Windows Vista boot screen?
A. I recently installed Server 2008 on my laptop on a second partition to test some functions. The
laptop already had Vista installed, and after installing Server 2008, my Vista boot name entry was
"Windows Vista (TM) Ultimate (recovered)." I wanted to get rid of the "(recovered)" text.

First, I listed the contents of the Boot Configuration Database by using the Bcdedit /enum command. I
received the following data:

Windows Boot Manager
--------------------
identifier {bootmgr}
device partition=C:
description Windows Boot Manager
locale en-US
inherit {globalsettings}
default {default}
resumeobject {2766589b-6c50-11dc-8886-cc4638c140ef}
displayorder {default}
             {current}
toolsdisplayorder {memdiag}
timeout 30

Windows Boot Loader
-------------------
identifier {default}
device partition=E:
path \Windows\system32\winload.exe
description Microsoft Windows Server 2008
locale en-US
inherit {bootloadersettings}
osdevice partition=E:
systemroot \Windows
resumeobject {560495d8-8a18-11dc-978d-a24297fc2be9}
nx OptOut

Windows Boot Loader
-------------------
identifier {current}
device partition=C:
path \Windows\system32\winload.exe
description Windows Vista (TM) Ultimate (recovered)
osdevice partition=C:
systemroot \Windows
resumeobject {8e3b1889-7f29-11dc-9a9c-806e6f6e6963}

Notice that the identifier for the Vista entry is "{current}." To solve the problem, I'll use this identifier
when I modify the description with the /set parameter, as you see below. The boot menu will then have
the name I specify, with no "(recovered)" text appended.

bcdedit /set {current} description "Windows Vista (TM) Ultimate"
The operation completed successfully.

Q. How can I configure the authentication dialog box to use a local account rather than a domain account?
A. Typically, when an authentication dialog box prompts for a username, it defaults to the domain
name, or you can specify the domain by using the format (NetBIOS domain name)\user (e.g.,
savilltech\john) or user@(FQDN of domain)--for example, john@savilltech.com.

If you want to use a local account on the machine, just pass the machine name instead of the domain
name--for example, localmac\bob. If you can't remember the local computer name, just use a period (.)
instead--for example, .\bob.

Slow Vista File Copy Nightmare Solved!


WSN Reader Nick's Vista Horror story in last issue has a follow-up. He wrote: "I MAY have finally
turned the corner on Vista turning me gray and bald, although what little hair I have left after the last 4
weeks is definitely going gray :) I bought a MS Wireless Desktop 1000 to install on that Latitude ATG
620 with Vista Business that has been torturing me. Certified for Vista. Install Intellipoint 6.1 off the
disk. Plug in the receiver. No joy. It wants the disk. Says the disk has no drivers. WTF. Download and
install Intellipoint 6.2. Plug in the receiver. No joy. It wants the disk.

Now, we've been to 'Trinity and Beyond.' Where do we go from there? Chicxulub asteroid impact? Call
MS hardware support (They were good). Eventually discover that NO new hardware (i.e. thumb drives,
wired keyboards, anything) will install. OK. Uninstall SP1. Install Intellipoint 6.2 again and Lo! and
behold! the hardware installs. Great.

Test the network response time without SP1. Now, there is nothing particularly old, creaky or obscure
in my setup. I've got a PowerEdge 800 running SBS 2003 for a server and a Cisco SB2024 Gigabit
switch. It took 5 MINUTES to copy a 61 MB file. Sigh. Install SP1 again. Hey, the hardware still
works AND I can install other new hardware. It's a miracle. Test the network response time, again.
Now it takes 40 seconds to copy that 61 MB file. XP only takes 8-10 seconds. It beats 5 minutes, but it
still ain't great. So I start googling for post-SP1 slow-file-copy bug problems. Eventually, I come across
a reference to Mark Minasi's blog that deals with the autotuning feature of the new TCP stack and that
even relatively new switches and routers may not like the autotuning 'feature'. (SP1 by default undoes
all the tweaking that poor bastards like me have been flailing away at to try and fix this EVIL.) So I
enter the following into an Administrative cmd window:

C:\> netsh interface tcp set global autotuninglevel=disabled

Now I tried that pre-SP1 and it didn't make a darn bit of difference. But Lo and behold! The 61 MB file
now comes down the pipe in 6 seconds. So I test pull the SP1 mega-executable from the server (434
MB) Takes 1 minute 34 seconds. Run the same test on XP. Takes 1 minute 53 seconds. It's a miracle.
We still aren't smiling. It's been a full year, a service pack, and a command line tweak to get
performance better than what XP had to offer. MS has burnt a lot of credibility with me with their utter
silence on this issue--and how, if they eat their own dogfood, that this issue ever got out the door
without being caught and killed. But there is light at the end of the Vista tunnel--and maybe all the hair
I have pulled out will grow back in brown and not gray :)

Q. How can I enable single sign-on for my Remote Desktop connections?
A. It's possible to configure your logon credentials to be sent to a target computer, so that you aren't
prompted for credentials to use. To do so, you have to configure delegation for your credentials to be
used on specific servers. You wouldn't want to enable this for any target, as doing so would be an easy
way for computers to harvest credentials.

You can configure this delegation by using either a local computer policy or Group Policy. Follow
these configuration steps for Group Policy.
1. Open the Group Policy Object (GPO) you'll enable the setting on.
2. Navigate to Computer Configuration/Administrative Templates/System/Credential Delegation.
3. Double-click Allow Delegating Default Credentials.
4. Select Enabled and click the Show button.
5. In the Add servers to the list text box, which the following screenshot shows, enter the server name
in the form TERMSRV/server name (forward slash, not a backslash). You need an entry for each
possible way you might type the server name; for example, you need an entry for both the fully
qualified domain name (FQDN) and the NetBIOS name if you use both names. If you wanted to enable
all Terminal Services servers in the domain, you can use *.domain--for example, *.savilltech.net.
However, I don't recommend doing so because of the point raised earlier regarding possible
illegitimate servers harvesting credentials. Likewise, to allow connection to any Terminal Services
server, simply enter TERMSRV/*. Click Add to add an entry and when done, click OK.
6. Click OK to return to the main policy.
7. Refresh the policy, and the change will take effect immediately.
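
To review which servers a computer will hand default credentials to, here is an added PowerShell example (not part of the original answer) that classifies each entry in the delegation list and flags the wildcard forms the steps above warn about. It assumes PowerShell 3.0 or later and that Group Policy stores the list as string values under the registry key shown; the function names and the host name ts01 are made up for this example.

```powershell
# Added example: review the "Allow Delegating Default Credentials" server list.
# Assumption: Group Policy stores the list as string values under this key.
$DelegationKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefaultCredentials'

# Classify one list entry (hypothetical helper name).
function Test-DelegationEntry {
    param([Parameter(Mandatory = $true)][string]$Entry)

    # Split "SERVICE/host" once; $target stays $null when no forward slash is present.
    $service, $target = $Entry.Trim() -split '/', 2

    if ([string]::IsNullOrEmpty($target)) {
        $finding = 'INVALID: expected SERVICE/host with a forward slash'
    }
    elseif ($target -eq '*') {
        $finding = 'HIGH: any host offering this service receives the credentials'
    }
    elseif ($target.Contains('*')) {
        $finding = 'REVIEW: wildcard covers every matching host name'
    }
    elseif ($target.Contains('.')) {
        $finding = 'OK: single host (FQDN)'
    }
    else {
        $finding = 'OK: single host (NetBIOS name)'
    }

    [pscustomobject]@{ Entry = $Entry; Service = $service; Finding = $finding }
}

# Classify the entries that policy has actually applied to this computer.
function Get-DelegationPolicyEntry {
    if (-not (Test-Path -Path $DelegationKey)) { return }   # policy not configured
    $key = Get-Item -Path $DelegationKey
    foreach ($name in $key.GetValueNames()) {
        Test-DelegationEntry -Entry ([string]$key.GetValue($name))
    }
}

# Constructed sample entries in the forms the steps describe,
# plus one typed with a backslash by mistake.
$sample = @(
    'TERMSRV/ts01.savilltech.net'
    'TERMSRV/ts01'
    'TERMSRV/*.savilltech.net'
    'TERMSRV/*'
    'TERMSRV\ts01'
)
$sample | ForEach-Object { Test-DelegationEntry -Entry $_ } | Format-Table -AutoSize

# Entries in effect on this computer (no output if the policy is not set).
Get-DelegationPolicyEntry | Format-Table -AutoSize
```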

Locking Down PCs' Portable-Media Drives


XP SP2 adds a registry setting that lets you disable write access to "block storage devices" such as USB
devices. The WriteProtect DWORD value resides under the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies subkey.
When you set WriteProtect to 1, Windows prevents users from writing to USB devices. Setting the
value to 0 enables write access.

Q. How do I customize the Windows 7 logon screen?


John Savill

A. You can set a custom background for the logon screen in the release candidate and release to
manufacturing versions of Windows 7, as shown here.

To set a custom picture, place a JPG named backgroundDefault.jpg in the
%windir%\system32\oobe\info\backgrounds folder. Now go to the registry and navigate to
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background. There
should be a DWORD value named OEMBackground (create it if it's missing). Set the value to 1 and
click OK.

Now when you log off or switch users the new background picture will be displayed. No reboot is
necessary.

You can also place custom files in the backgrounds folder with the name background<resolution> to
have different pictures for different resolutions. For example, a 1024x768 resolution picture should be
saved as background1024x768.jpg.

Tech Section: Playing with the "God Mode" Easter Egg


A few days into the new year, word arrived about an interesting and newly-discovered Easter Egg in
Windows 7 and 32-bit Vista that folks have named the "God Mode console" or "GMC." God mode?
It's touted as a windows app that many bloggers have described as a single, does-it-all window to let
you control everything about your computer and, with a bit of a stretch, one could call it that --
although you'd probably have to do Pilates every day before you could safely execute that stretch.

More accurately, however, GMC is simply an Explorer window containing a single all-in-one-place
listing of all control panel pages. Even that, however, can be quite useful, as you can see from this
screen shot.
In this picture, you can see a couple of things about the GMC. First of all, it is just a folder (albeit a
special one, as we'll see), viewed with Explorer. Here, I've arranged the window so that the portion you
can see -- there are zillions of Control Panel settings, so there's no way I could show you the whole
thing -- displays the items in the Network and Sharing Center. Now, one of the places that I use the
most in the Network and Sharing Center is the "View network connections" page. It's the place where
you get a list of all of your NICs, where you can bring up their network properties, re-order network
bindings (a once-again valuable tool in a world where we'll soon all be doing both IPv4 and IPv6), and
the like. Normally it takes a few clicks to get to the "View network connections" page, but from the
GMC, it's just one click so hey, that ain't bad. What the GMC does not do, however, is show any
"hidden" or "secret" features, as some Web pages have claimed. (Of course, the fastest way to get there
is to just click Start and then type "ncpa.cpl" in the "Search programs and files" field, then press Enter.)

So how to get a GMC of your own? Simple.

First, create a new folder. You can do it anywhere on your computer -- any drive, second-level folders,
you name it.

Second, name it anything.{ED7BA470-8E54-465E-825C-99712043E01C} where anything can be,
well, anything, any text. Every Web page I've seen so far says that the anything text must be the phrase
"godmode" but a look at my screen shot above shows that I named mine
Hi.{ED7BA470-8E54-465E-825C-99712043E01C} and it works just fine.

Now open up the folder, and voila, you've got a GMC. But that's not all that you can do with it; I was
sort of surprised to find that

- Deleting it can be a problem. In some experiments, I've been unable to delete the folder, and get an
error that the folder's in use elsewhere, no matter how careful I am to shut down other Explorer and
Control Panel windows. In those cases, just rebooting let me delete the GMC folder.
- You can do it on either an NTFS or FAT32 drive.
- You can put it on a removable drive and carry it around. Whether on a CF card, a USB stick, or an
SDHC card, a GMC folder works like a charm when plugged into a compatible computer.
- It responds to different views. It comes up in Details view by default, but others work as well. Try out
List view, it's more concise.

Finally, which operating systems support a GMC? I've made it work on

- Windows 7 x64
- Windows 7 x86
- Vista x86
- Windows Server 2008 R2 Standard Edition
- Windows Server 2008 x86

It has not, however, worked on 64-bit Vista; trying to open an Explorer that contains one of the GMC
folders causes Explorer to crash. If that happens to you, just open up an elevated command prompt and
type

rd /s /q

And then press "Tab" until the folder name like "Hi.{ED7BA470-8E54-465E-825C-99712043E01C}"
or whatever you named it appears, then press the Enter key. Also, you might do your experiments
not with a folder at the root level, but instead a second-level folder -- create
Hi.{ED7BA470-8E54-465E-825C-99712043E01C} inside a folder named "c:\test" rather than in c:\ so if you do end up with a
system that doesn't like GMCs, you can still open up Explorer on C: without crashing Explorer.

I hope I've offered a bit of insight and a few ideas on using what might better be called the "flat-mode
Control Panel View." I'd love to hear of your experiences with it!
Q. Is there a way to maintain all the applications from my
Windows XP installation when I upgrade to Windows 7
without third-party tools?
A. There's no upgrade path from Windows XP to Windows 7, which means all the applications you've
installed in Windows XP will be lost. While it would be possible to upgrade from Windows XP to
Windows Vista, then to Windows 7, this isn't optimal and would result in a lot of junk moving to
Windows 7.
Another option is to back up the Windows XP installation to a virtual machine (VM), which can then
be loaded into Windows Virtual PC and run on a new Windows 7 installation. The easiest way to do
this is to use disk2vhd to capture the Windows XP system disk to a virtual hard disk while using the
"Fix up HAL for Virtual PC" option, as shown below.

You can take the VHD file and use it as the virtual disk for a new VM on a fresh installation of
Windows 7. Boot the new VM and install Windows XP SP3 and the Windows Virtual PC integration
tools. Next, install the XP SP3 RemoteApp add-in.

The user can now access the Windows XP applications through the Windows XP VM. You can go one
step further and enable Auto Publish for the VM and boot the XP virtual. The applications will now
show in the Windows 7 Start Menu and will launch seamlessly.

If you're not already running an anti-virus program in the VM, install one, such as the free Microsoft
Security Essentials.

I tried the above procedure and it worked fine, but obviously, all my applications and data are still
within the Windows XP VM. Ideally, you want your applications and data within your primary OS.
Over time, you should install Windows 7 compatible applications in the primary OS, instead of running
them from the VM.

Delete Files Older Than Date Using Batch Files


This problem has nagged at me for years. Here is a batch command to delete files on a Windows 2003
machine.

Forfiles -pC:\backup -s -m*.* -d-5 -c "cmd /c del /q @path"

This will delete all files in my backup directory older than 5 days. To test it first, use this:

Forfiles -pC:\backup -s -m*.* -d-5 -c "cmd /C Echo 0x22@Path\@File0x22"


Q: Can I hide the account information of a locked Windows desktop?
Q: By default, Windows displays a user's account information when the user locks his Windows
desktop. Is there some way to change this behavior and hide account information from the Computer
Locked dialog box?

A: Yes, this behavior can be changed using a registry hack. In a Windows domain environment, you
can also use a Group Policy Object (GPO) setting.

The GPO setting is called "Interactive Logon: Display User Information when the session is locked" and
is located in the following GPO container: Computer Configuration\Windows Settings\Security
Settings\Local Policies\Security Options. When you enable this setting, you can set one of these three
options:

- User display name, domain and user names--corresponding to registry value 1
- User display name only--corresponding to registry value 2
- Do not display user information--corresponding to registry value 3

The corresponding registry value is called DontDisplayLockedUserId (REG_DWORD) and is located at
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System. To hide the account information
from the Computer Locked dialog box, set this registry value to 3.

A side effect of hiding the account information from the Computer Locked dialog box is that when you
try to log in to a locked machine, Windows won't show the name of the user who's currently logged on
in the logon dialog box. To unlock your logon session, you must type your password and retype your
account name.

Q. What's location-aware printing in Windows 7?


A. Windows 7 introduced location-aware printing, which lets a different default printer be specified
based on the network a computer is connected to, as shown here.

To use location-aware printing, open the Devices and Printers Control Panel applet, select a printer,
then click Manage default printers. Now you can set the option to Change my default printer when I
change networks. Select the networks known to the machine and the printer that should be used as the
default for the location.

Q: In Windows Vista and later, how do I stop Remote Access Service connections from closing at log off?
A: In Windows XP, creating the DWORD registry value
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\KeepRasConnections and setting to 1 would keep Remote Access
Service (RAS) connections open even after a logoff. This no longer works in Windows Vista and later.
However, all that has really happened is the key has changed. For Windows Vista and later, perform the
following:
1. Start the registry editor (regedit.exe).
2. Move to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters (if the key
doesn't exist, create it).
3. Create a new value called KeepRasConnections of type REG_SZ.
4. Set the new value to have a value of 1.

Retrieving a Sick Drive's Recoverable Files Quickly with Robocopy
My desktop includes a second hard drive where I keep data files of various kinds, but the two biggies
are the "VMs" folder (virtual machines) and the "Photos" folder. A few days ago, it started acting
wonky and I realized that it'd developed some bad areas which were causing Windows Backup to sort
of run in the background pretty much all of the time, as it would first fail, and then apparently go back
to that part of the drive that it couldn't read and keep trying, and trying, and trying... Now, I appreciate
that it's a determined little terrier and really, really wants to read that sector for the five millionth time
just in case it can get that data, but I'm not sure that constantly pounding an already-sick drive is a good
idea -- and so I got a replacement drive and set out to copy the data from the dying drive to a new
drive. Yes, I've got other backups, but they're not handy at the moment and basically all I want to do is
to quickly get a copy of every file on the drive that's copy-able so I can throw away the bad drive and
start off with a drive that's got 99.9% of the files from the bad drive.

The trouble is, it's really hard to do that. Basically there are two types of in-the-box or free approaches
to transfer all of the contents of one drive to another: block-by-block copies (ImageX, Windows
Backup/wbadmin) or file-by-file (Explorer, copy, xcopy, robocopy). Unfortunately, nearly all of them
have the same problem: what to do when you try to read a bad sector? Some of them hit a bad sector,
think about it for a bit and just give up, recovering no data at all (the image part of Windows Backup,
wbadmin.exe), others hit a bad sector, think about it for five minutes, and then stop and ask you what to
do, meaning that you've got to babysit the whole process, which isn't any fun when trying to recover
files (Explorer). Still others just try and try and try and try, which, again, probably puts the last nails in
the sick drive's coffin (robocopy, the file-by-file part of Windows Backup).

Scouring the documentation about wbadmin.exe, the Ghost-like drive copy system in Windows, I could
not find a "skip bad sectors" option... darn. But what about robocopy? Here was my original robocopy
attempt to get whatever was recoverable from the sick drive (e:) to the new one (f:).

robocopy e:\ f:\ * /s /mov /mt:10

That says to move all files and folders from drive E: to drive F: -- that's the "e: f: *" part -- and to
recreate E:'s folder structure onto F: (/s), to move the files, meaning to delete any files from E: once
they're safely on F: (/mov), and to create multiple threads to do it, getting it done more quickly and
making the best use of my drive channels (/mt:10, which creates ten simultaneous threads). That
worked extremely well, except for one problem: robocopy just wouldn't give up on the impossible-to-
read files, waiting 30 seconds every time a particular "read" operation failed, and then trying it again,
and again, and.... "Well, how many times is the silly thing going to retry?," I thought, and then
remembered.

One. Million. Times.

Really -- I'm not kidding. Robocopy is the terrier of terriers here, and its creator baked in "do those
retries a million times" as a default. So, I thought, there must be a way to stop retries, and of course
there was: "/r:0," which means "do no retries." Heck, there's even an option "/REG," which says,
"remember that particular desired number of retries in the Registry, and use it henceforth as the new
default from now on." I friggin' love robocopy. The final command, then, was

robocopy e:\ f:\ * /s /mov /mt:10 /r:0

I was then able to go off to bed, arise the next morning and find that The Job Had Been Done, in about
two and a half hours. Yes, I'd lost eight files, but I've got them on that distant backup. Oh, and in the
process, I got an excuse to upgrade that "data drive" to a Seagate Momentus XT, a 750 GB 7200 RPM
2.5" drive with a bit of NVRAM built in to offer a bit better speed... very nice. I love a happy ending,
don't you?
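
To see afterwards which files were left behind, the final command can be wrapped so that it keeps a log and decodes robocopy's exit code. This is an added example, not the author's script; the function name, the default log path and the English log-line pattern it matches are assumptions.

```powershell
# Added example, not the article's own script. The default $Log path is hypothetical.
function Invoke-RescueCopy {
    param(
        [Parameter(Mandatory = $true)][string]$Source,   # e.g. 'E:\'
        [Parameter(Mandatory = $true)][string]$Target,   # e.g. 'F:\'
        [string]$Log = (Join-Path $env:TEMP 'rescue-copy.log')
    )

    # The article's switches, plus /np (no per-file progress) and /log so that
    # every unreadable file is recorded while the job runs unattended.
    robocopy $Source $Target * /s /mov /mt:10 /r:0 /np "/log:$Log" | Out-Null
    $code = $LASTEXITCODE

    # Robocopy's exit code is a bit mask, so several conditions can be set at once.
    $meaning = @(
        if ($code -eq 0)    { 'nothing needed copying' }
        if ($code -band 1)  { 'files were copied' }
        if ($code -band 2)  { 'extra files or folders exist in the target' }
        if ($code -band 4)  { 'mismatched files or folders were found' }
        if ($code -band 8)  { 'some files or folders could not be copied' }
        if ($code -band 16) { 'fatal error, no files were copied' }
    )

    # Assumed log line: "<date> <time> ERROR 23 (0x00000017) Copying File E:\path\name"
    $pattern = 'ERROR \d+ \(0x[0-9A-Fa-f]+\) Copying File (.+)$'
    $failed = @(
        Select-String -LiteralPath $Log -Pattern $pattern |
            ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() } |
            Sort-Object -Unique
    )

    [pscustomobject]@{
        ExitCode    = $code
        Meaning     = $meaning -join '; '
        FailedFiles = $failed
        Log         = $Log
    }
}

# Usage: $r = Invoke-RescueCopy -Source 'E:\' -Target 'F:\'; $r.FailedFiles
```

Because /mov deletes each file from the source only after it has been copied, the paths in FailedFiles are also the files still sitting on the old drive.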

Data Recovery Options


If the hard drive on your computer dies you basically have three options:
1. Replace the failed drive with a new one and then restore all your data from a recent backup. You DO have a recent backup, don't you?
2. Try to recover the data yourself by following the do-it-yourself (DIY) approach.
3. Remove the drive and ship it off to a data recovery agency together with your wallet.
Which option you choose will probably depend on your testosterone level and appetite for risk, but it
should really depend on how much you value your data. For example, if the drive has business-critical
data from your server, then you'll probably NOT want to try putting the drive in a ziplock bag and
leaving it in your deep freezer for a few hours...
But before we continue, I tried to find a funny XKCD comic related to the topic of data loss and instead
discovered this interesting post on the XKCD "blag":
http://www.wservernews.com/go/1331289076927

The DIY Approach


Yes it's apparently true--if your hard drive goes flakey you might be able to recover your data from it
by enclosing the drive in an airtight bag and leaving it in the freezer overnight because doing this
shrinks the parts slightly which lets the bearings turn more freely (assuming that frozen bearings are the
problem). Then in the morning when you take the drive out and plug it into an external hard drive
enclosure connected to another computer, you may be able to copy some or all of your data off of the
drive before it warms up to room temperature again. Or you could run your hard drive while it's still in
your freezer as this Hack N Mod post suggests:
http://www.wservernews.com/go/1331289277509

But first let's back off a bit. So the hard drive in your computer has failed--what should you do first?
The First Rule of Data Recovery is to immediately stop trying to use the computer as any additional
disk activity may make it harder to recover data from the drive. The approach you choose to follow
next for attempting to recover the data from your failed hard drive (assuming you can afford to lose
your data if your efforts fail) depends on the type of failure being experienced. For example, let's say
your PC won't boot, so you take the drive out and add it as a second drive in a different PC but the
other PC won't even see the drive in the BIOS. Let's say also that you noticed that when you tried
booting the original PC from the failed drive you could hear the drive platters spinning and the heads
seeking (clicking). That means the data might still be there on the drive and the drive's controller may
simply have gone kaput (perhaps it got fried by a power surge). If you have another identical drive to
one that failed (or if you can get a used one on eBay) you could try swapping the controller boards on
the two drives if you're geeky enough to do this (it sometimes just involves removing four screws
though they may be torx bits but other times it may involve some finicky soldering or fiddling around
with cabling). There are some hazards however with following this approach as the following articles
indicate:
http://www.wservernews.com/go/1331289314157
http://www.wservernews.com/go/1331289338223

If your drive is still being detected in the BIOS of your PC but Windows is unable to read it, you could
try booting from a Debian/Ubuntu CD and running gddrescue (gddrescue can sometimes read data
from drives that Windows won't let you read from because it works at the block level and tries to force
a read on failing disk sectors). You can then dump the image to a new drive (make sure it's larger than
the original), mount the image, and extract the files you want to recover from it. And if you are unable
to mount the image, you can try using PhotoRec to extract your data:
http://www.wservernews.com/go/1331289349239

Another approach is to get hold of a good data recovery utility and use it. Some of these are free while
some others are expensive. Some of the ones that have been recommended to me by other IT pros
include the following:
SpinRite from GRC:
http://www.wservernews.com/go/1331289363314
MiniTool Power Data Recovery:
http://www.wservernews.com/go/1331289374387
PC Inspector from CONVAR:
http://www.wservernews.com/go/1331289384841
R-Studio from R-Tools Technology:
http://www.wservernews.com/go/1331289395863

Recommended Data Recovery Agencies


I've talked with lots of people who have used various data recovery agencies, and while I can't
personally vouch for any of the ones I've listed below I nevertheless offer them to you "as is" as
recommendations from others in the IT pro community. Before you contact any of them however, make
sure you set a budget for how much recovering your data is worth to you and also set your expectations
with regard to turnaround time.
Kroll Ontrack (world leader, excellent but may be expensive)
http://www.wservernews.com/go/1331289479276
My Hard Drive Died (highly recommended)
http://www.wservernews.com/go/1331289508928
DriveSavers (popular and reportedly quite reliable)
http://www.wservernews.com/go/1331289519545
Crucial Data Recovery (free evaluation/consultation)
http://www.wservernews.com/go/1331289529148
Data Retrieval (full range of offerings)
http://www.wservernews.com/go/1331289712596
Hard Drive Savers (cheap)
http://www.wservernews.com/go/1331289739505

Share your expertise!


Do you have any tips or tricks of your own for recovering data from failed hard drives? Or any data
recovery agencies you can recommend? Contact me at wsn@mtit.com

Printing Pitfalls
The Print server role isn't one of the sexier roles of Windows Servers, which probably explains why the
Windows Printing Team Blog hasn't been updated for over two years:
http://www.wservernews.com/go/1336642423961

But since the much-vaunted paperless office still hasn't arrived for most of us, print servers are still
essential in most business environments. Security improvements like UAC in Windows Vista and later,
coupled with the phase-out of 32-bit servers with Windows Server 2008, have led to some frustrations
in the formerly benign and placid area of getting stuff printed. Let's look at a few issues and how to
resolve them.
Installing drivers from print servers
Allowing standard users (i.e. users who aren't local admins on their computers) to install print drivers
from print servers can be done by enabling and configuring this Group Policy setting:
Computer Configuration\Policies\Administrative Templates\Control Panel\Printers\Point and Print
Restrictions
Specify the names of trusted print servers on your network and configure the two security prompt
settings to Do not Show Warning Or Elevation Prompt. And if you still have Windows XP clients in
your environment, you should configure the similarly named policy setting found under User
Configuration.
For more information see "Control Printer Driver Installation Security" in the TechNet Library at:
http://www.wservernews.com/go/1336642444305
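
One way to check on a client that the policy landed as intended, added here as an example and not taken from the article: it reads the policy's registry values and reports whether the prompts are suppressed and which print servers are trusted. The key path and the value names (NoWarningNoElevationOnInstall, UpdatePromptSettings, TrustedServers, ServerList) are stated as assumptions about how the policy is stored; confirm them against the policy template on your build.

```powershell
# Added example, not from the article. Assumption: the computer-side policy is
# stored under this key with the value names used below.
$PnpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintReport {
    param([string]$Path = $PnpKey)

    # No key means the policy is Not Configured and the Windows defaults apply.
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Configured = $false; Findings = @('Policy not configured.') }
    }
    $p = Get-ItemProperty -LiteralPath $Path

    # ServerList holds the trusted print servers as one semicolon-separated string.
    $servers = @("$($p.ServerList)" -split ';' |
        ForEach-Object { $_.Trim() } | Where-Object { $_ })

    # Absent or 0 keeps the warning and elevation prompt; anything else reduces it.
    $installQuiet = [int]$p.NoWarningNoElevationOnInstall -ne 0
    $updateQuiet  = [int]$p.UpdatePromptSettings -ne 0
    $restricted   = [int]$p.TrustedServers -eq 1

    $findings = @(
        if ($installQuiet) { 'Install: warning/elevation prompt is suppressed.' }
        if ($updateQuiet)  { 'Update: warning/elevation prompt is reduced or suppressed.' }
        if (($installQuiet -or $updateQuiet) -and -not ($restricted -and $servers.Count)) {
            'Prompts are reduced but no trusted server list is enforced: drivers from any print server install without a prompt.'
        }
        if ($restricted -and $servers.Count) {
            'Trusted servers: ' + ($servers -join ', ')
        }
    )

    [pscustomobject]@{
        Configured              = $true
        InstallPromptSuppressed = $installQuiet
        UpdatePromptReduced     = $updateQuiet
        TrustedServersEnforced  = $restricted
        ServerList              = $servers
        Findings                = $findings
    }
}

Get-PointAndPrintReport | Format-List
```

Compare the reported ServerList with the print servers you actually run; a name in the list that is not one of yours is worth investigating.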

Using Windows 7 x64 with legacy 32-bit print servers


If your current environment is still Windows XP PCs and 32-bit Windows Server 2003 SP2 servers
(yikes) and you plan on migrating your PCs to Windows 7 x64 but keeping your old servers for a while
(yikes again!), will your 64-bit Windows 7 users have any problems printing to your 32-bit print
servers?
Nope. As long as you add 64-bit drivers for your printers to your print servers (if your dusty old
printers have 64-bit drivers available for them) everything should be OK.
For more info, see the post "How to: Add 64-bit print drivers on 32-bit Windows Server 2003 or
Windows Server 2008 print server" from a while back on the TechNet blog called "The troubleshooters
and problem solvers" at:
http://www.wservernews.com/go/1336642529133

Migrating to Windows Server 2008 R2 print servers when you still have Windows XP clients
What if your current environment is Windows XP/Windows Server 2003 and you plan on using the
Print Migration Wizard (Printbrm.exe) to migrate your print servers to Windows Server 2008 R2 while
keeping at least some of your clients running Windows XP for a bit longer? (Hmm, you like playing
with fire, don't you--I'll bet you're still driving an 82 Datsun too.) Do you need to make any changes to
your Windows XP clients or can they just keep their current print drivers since you're not changing the
printers, just the print servers?
Yep. You'll need to delete all printer connections and driver references on your Windows XP clients and
create new printer connections for them. To do this you'll probably need to do some custom scripting
that leverages the Prnmngr.vbs and Prndrvr.vbs scripts. See here for a list of in-box commands and
scripts in Windows 7:
http://www.wservernews.com/go/1336642608821

Also see the Print Services Migration Guide in the TechNet Library:
http://www.wservernews.com/go/1336642587759

Enumerating the drivers on a Windows installation


How can I know what printer drivers are available in-box in Windows? And how about out-of-box
drivers? Michael Murgolo of The Deployment Guys blog has a script and post that shows you how to
obtain this information:
http://www.wservernews.com/go/1336642594821

This could be useful if you're planning a print server migration for your environment.
Print/Fax Forum on TechNet
Finally, if you have printing problems in your Windows Server environment, a good place to seek help
is the Print/Fax TechNet Forum, which is maintained by MVPs and by Product Group experts at
Microsoft:
http://www.wservernews.com/go/1336642600415

Got more printing tips?


Share your expertise with our readers by sending your printing tips to wsn@mtit.com

Q: How do I enable boot to desktop in Windows 8.1?

By John Savill
A: Windows 8.1 allows a machine to boot directly to the desktop instead of the Start Screen after
logon. To make the change, perform the following:
1. Right-click the Task Bar and select Properties.
2. Select the Navigation tab.
3. Under the Start Screen area, select Go to the desktop instead of Start when I sign in.
4. Click OK.

Robocopy (originally called Robust File Copy Utility) has been around a long time--since the Windows
NT 4.0 Resource Kit if I remember correctly.
This command-line tool has been enhanced over the years and is an in-box utility in recent versions of
Windows. One way that copying files with Robocopy differs from doing it with Windows Explorer is
that Robocopy doesn't enumerate the size and number of files to be copied before beginning the copy
operation. By contrast, the Windows Explorer file copy dialog tries to estimate how long it will take to
copy your files, sometimes without success as this classic XKCD comic illustrates:
http://www.wservernews.com/go/1374754468569
Anyways, what if you want to use Robocopy to copy some files but before you do so you want to get
some idea of how much data will be copied? On Windows 8 and Windows Server 2012 you can do this
by running the following Robocopy command:
Robocopy <source> <target> /E /NFL /NDL /MT /L
This command will perform a multithreaded scan of the contents of the source directory without
actually copying any files to the target directory. You can then re-run the command without the /L
switch to actually perform the copy operation.
Note that this command also works on earlier versions of Windows, but the execution is single-
threaded on those platforms, which means enumeration can take longer.

Copying only subtotals in Excel


I use this so much at work and it has always frustrated me not knowing how to do it that I thought I
would share.
If you ever subtotal a list (Simple Example Below) and then want to copy only the rows that you see to
a new sheet for further analysis, it doesn't work. You select the information, copy and paste to a new
sheet and all the rows come with it:

Figure 1
The secret? Highlight the rows, press ALT + ; (that is, hold the ALT key while pressing the semicolon).
This selects only the visible rows and allows you to paste them wherever you want.

Change the case of a list in Excel


I was training a group in Microsoft Excel and was asked if there was a simple way to change a list into
all upper case text. I demonstrated how to add a temporary column next to the list and use the formula
=UPPER(cell_reference). Use auto fill to populate the formula to the full list range. Then copy and
paste special - values over the original text. The =LOWER(cell_reference) and
=PROPER(cell_reference) Functions can be used the same way.
This wasn't the crowd pleaser though. I got wows and "why didn't you tell us this before?!" from a
simple function key toggle. In Microsoft Word and Outlook you can highlight any amount of text and
press SHIFT + F3. This is a three-way toggle between upper, lower and proper cases.

Retrieving OEM product key from UEFI BIOS


If you have a PC with a UEFI BIOS running Windows 8 or later and you need to retrieve the unique
OEM product key that was used to install Windows on the machine, you can do this by opening an
admin-level command prompt and typing the following command:
wmic path SoftwareLicensingService get OA3xOriginalProductKey
