Remko Weijnen's Blog (Remko's Blog)

About Virtualization, VDI, SBC, Application Compatibility and anything else I feel like


Today I encountered what seems to be a bug in the System Center 2012 Visual Studio Authoring Extensions. I wanted to define a Performance Collection Rule that reads out the percentage of free memory from an SNMP device.

Since the device returns only the percentage of used memory I needed to use the ComputedPerfProvider provider to subtract the used memory percentage from 100.

I could of course report used memory instead of free memory but I wanted the results to appear in the default SCOM Performance View, which only lists Free Memory:

System Center Operations Manager | Default Performance View



I am currently working on a Management Pack for SCOM and I have studied a few examples on adding processor and memory counters.

These examples all reference a Management Pack named "" but this Management Pack is not bundled with the System Center 2012 Visual Studio Authoring Extensions.



I am currently working on a Management Pack for System Center Operations Manager (aka SCOM). I am using the System Center 2012 Visual Studio Authoring Extensions and during build of my project I suddenly got the following error: “MSB4018: The “MergeFragments” task failed unexpectedly“:

Visual Studio | System Center 2012 Visual Studio Authoring Extensions | C:\Program Files (x86)\MSBuild\Microsoft\VSAC\Microsoft.SystemCenter.OperationsManager.targets(234,5) | error MSB4018: The "MergeFragments" task failed unexpectedly.

I searched on this error message but wasn’t able to find anything helpful. In order to get more detailed output from MSBuild I changed the MSBuild project build output verbosity. To do this go to the Tools menu in Visual Studio and select Options. Navigate to the “Build and Run” node under “Projects and Solutions” and set both options to “Diagnostic”:

Visual Studio | Tools | Options | Projects and Solutions | Build and Run | MSBuild project build output verbosity | Diagnostic



Aaron Parker was talking about the uninstall guid in his session “Hands off my Golden Image Redux” at Citrix Synergy.

I remembered that I had written a small PowerShell script to read out the uninstall GUID from an MSI file. This way you do not need to actually install the software to determine the uninstall GUID.

How does that work?

There is a logical relation between the MSI Product Code property and the install guid. In this example I’ve taken install_flash_player_11.8.800.174_active_x.msi as an example.

The Uninstall key is HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A2E504D3D31C0D5409F28F3FDD565AD9

The interesting part of it is the GUID:


If we look into the MSI properties with (Super)Orca we see:


If we compare those GUIDs:

Uninstall     {A2E504D3-D31C-0D54-09F2-8F3FDD565AD9}

Product Code  {3D405E2A-C13D-45D0-902F-F8F3DD65A59D}

We can see that we need to apply the following logic:

· First 8 bytes must be swapped right to left

· Next 4 bytes (skipping the hyphen) also swapped right to left

· Next 4 bytes (skipping the hyphen) also swapped right to left

· Next 4 bytes (skipping the hyphen) also swapped right to left

· Last 12 bytes must be byte swapped per byte (F8 -> 8F, F3 -> 3F etc).

Knowing that we can make life easier with PowerShell:

[posh]
# Late-bound COM helpers: read a property / call a method on a COM object.
function Get-Property ($Object, $PropertyName, [object[]]$ArgumentList)
{
    return $Object.GetType().InvokeMember($PropertyName, 'Public, Instance, GetProperty', $null, $Object, $ArgumentList)
}

function Invoke-Method ($Object, $MethodName, $ArgumentList)
{
    return $Object.GetType().InvokeMember($MethodName, 'Public, Instance, InvokeMethod', $null, $Object, $ArgumentList)
}

# Open the MSI read-only and return the ProductCode from its Property table.
function GetMsiProductCode([string]$path)
{
    $msiOpenDatabaseModeReadOnly = 0
    $Installer = New-Object -ComObject WindowsInstaller.Installer
    $Database = Invoke-Method $Installer OpenDatabase @($path, $msiOpenDatabaseModeReadOnly)
    $View = Invoke-Method $Database OpenView @("SELECT Value FROM Property WHERE Property='ProductCode'")
    Invoke-Method $View Execute | Out-Null
    $Record = Invoke-Method $View Fetch
    if ($Record)
    {
        Write-Output (Get-Property $Record StringData 1)
    }
}

$path = "c:\Users\rweijnen\Desktop\install_flash_player_11.8.800.174_active_x.msi"
$item = "" | Select-Object Path, ProductCode, UninstallGuid, UninstallRegistry
$item.Path = $path
$item.ProductCode = (GetMsiProductCode $item.Path)

# Reverse the first three groups as a whole (index 0 is the opening brace).
$DestGuid = ([regex]::Matches($item.ProductCode.Substring(1,8),'.','RightToLeft') | ForEach {$_.value}) -join ''
$DestGuid += ([regex]::Matches($item.ProductCode.Substring(10,4),'.','RightToLeft') | ForEach {$_.value}) -join ''
$DestGuid += ([regex]::Matches($item.ProductCode.Substring(15,4),'.','RightToLeft') | ForEach {$_.value}) -join ''

# The fourth group is swapped in two-character pairs.
$DestGuid += ([regex]::Matches($item.ProductCode.Substring(20,2),'.','RightToLeft') | ForEach {$_.value}) -join ''
$DestGuid += ([regex]::Matches($item.ProductCode.Substring(22,2),'.','RightToLeft') | ForEach {$_.value}) -join ''

# The last group is also swapped in two-character pairs.
for ($i=25 ; $i -lt 37 ; $i = $i + 2)
{
    $DestGuid += ([regex]::Matches($item.ProductCode.Substring($i,2),'.','RightToLeft') | ForEach {$_.value}) -join ''
}

$item.UninstallGuid = "{" + ([Guid]$DestGuid).ToString().ToUpper() + "}"
$item.UninstallRegistry = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\{0}" -f $DestGuid
$item | Format-List
[/posh]

Sample output:

Path              : c:\Users\rweijnen\Desktop\install_flash_player_11.8.800.174_active_x.msi

ProductCode       : {3D405E2A-C13D-45D0-902F-F8F3DD65A59D}

UninstallGuid     : {A2E504D3-D31C-0D54-09F2-8F3FDD565AD9}

UninstallRegistry : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A2E504D3D31C0D5409F28F3FDD565AD9
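The same permutation as a reusable function, added here as an example that is not part of the original post: because each chunk is simply reversed, running it on a packed registry key name gives back the ProductCode, which helps when inventorying installed MSI products. It follows the script and the sample GUIDs above in swapping the fourth group pair by pair (902F becomes 09F2); the function names and the InstallProperties\DisplayName lookup are assumptions that do not come from the post.

```powershell
# Added example (not from the original post). Function names are hypothetical.
function Convert-MsiGuid {
    param([Parameter(Mandatory)][string]$Guid)

    # Accept {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} or the bare 32-digit form.
    $hex = $Guid.Trim('{', '}').Replace('-', '').ToUpperInvariant()
    if ($hex -notmatch '^[0-9A-F]{32}$') {
        throw "Not a GUID or packed GUID: $Guid"
    }

    # Reverse chunks of 8, 4 and 4 digits, then eight 2-digit pairs.
    # Reversal is its own inverse, so this converts in both directions.
    $widths = @(8, 4, 4) + (@(2) * 8)
    $result = ''
    $pos = 0
    foreach ($w in $widths) {
        $chunk = $hex.Substring($pos, $w).ToCharArray()
        [array]::Reverse($chunk)
        $result += (-join $chunk)
        $pos += $w
    }
    return $result
}

# Packed registry key name -> ProductCode in braces.
function ConvertTo-MsiProductCode {
    param([Parameter(Mandatory)][string]$PackedGuid)
    return ([Guid](Convert-MsiGuid $PackedGuid)).ToString('B').ToUpperInvariant()
}

# Round trip with the two values shown in the post.
$productCode = '{3D405E2A-C13D-45D0-902F-F8F3DD65A59D}'
$packed = Convert-MsiGuid $productCode
if ($packed -ne 'A2E504D3D31C0D5409F28F3FDD565AD9') { throw 'packing mismatch' }
if ((ConvertTo-MsiProductCode $packed) -ne $productCode) { throw 'round trip mismatch' }

# On Windows: map every SYSTEM-context product key back to its ProductCode.
# Assumption: the display name sits in the InstallProperties subkey.
$root = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products'
if (Test-Path $root) {
    Get-ChildItem $root | ForEach-Object {
        $props = Get-ItemProperty "$($_.PSPath)\InstallProperties" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            PackedGuid  = $_.PSChildName
            ProductCode = ConvertTo-MsiProductCode $_.PSChildName
            DisplayName = $props.DisplayName
        }
    }
}
```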



Benjamin Delpy, the author of the well-known mimikatz toolkit, has released a very cool extension to WinDbg today.

In summary the extension can extract Windows passwords from memory dumps, hibernation files and Virtual Machine .vmem files (paging, snapshots).

Especially the ability to extract passwords from .vmem files was very interesting. So I decided to test this out, so let’s see how it works!

  • Filed under: VMWare

    I will be presenting a session at E2EVC in Rome next weekend.

    Recently I published an article on my blog that shows how to run an executable of choice when the Citrix Receiver exits.

    In this session I will show you how to find such undocumented features in applications step by step. Using this example we will open the Citrix Receiver in Ida Pro and disassemble it.

    Using public resources such as the Citrix Public Symbol Server we can analyze, understand and finally make the code more readable.

    I will try to make this session not an “enter the matrix one” but one that could be considered as an intro into using Ida Pro for reverse engineering and app compat fixing.

    Hope to see you all in Rome, my session is scheduled Friday November 1 from 18.30 – 19.15. There will be room for questions so feel free to take your own Crapplication™ and ask about it after the session.

    See you in Rome!


    I wanted to do an unattended install of the Microsoft App-V 5.0 SP1 client.

    I wanted to install using the MSIs instead of using the exe installer so I unpacked the MSIs from the installer as documented here.

    The install failed however with MSI error 1603. I activated logging but that was not very helpful since it only logged "MainEngineThread is returning 1603".

    Manual install of the MSI gave a better error message:

    Microsoft Application Virtualization (App-V) Client 5.0 Service Pack 1 x86 requries Microsoft Visual C++ 2005 Redistributable (x86) with minimum version 8.0.61001

    I had already installed the MSVC++ 2005 SP1 runtime but the version was slightly lower.

    Unfortunately Microsoft doesn’t publish the build numbers with their downloads so it takes some searching to determine the correct download.

    Version 8.0.61001 is labeled as "Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package MFC Security Update" and can be downloaded here.

    There is a similar requirement for the Microsoft Visual C++ 2010 runtime which should be at least 10.0.40219. This one is easier though because the required version is extracted together with the MSI files.

    As a final note you need to set the AcceptEULA MSI property to 1 for both the client and language pack MSI or the install will fail.

  • Filed under: App-V

    I wanted to run a virtual Citrix License server in my LAB.

    Unfortunately Citrix only provides the VPX License Server in XenServer format (.xva). If you want to run the VPX on VMware ESX or Microsoft Hyper-V you need to convert it first.

    The option to convert a Xen Virtual Appliance to OVF format was removed in XenConvert 2.4.1. So for a conversion you need version 2.3.1.

    Here are the direct download links:

    However when I tried to convert the downloaded VPX (Citrix_License_Server_VPX_v11.10.0_Build_12002.xva) I got the error "Failed to decode tar header record":

    Failed to decode tar header record


  • Filed under: Citrix

    A while ago I was doing some research for Magic Filter when I stumbled upon something interesting within Receiver.

    Inside wfica32.exe is a function called _Eng_RunExecutableOnExit. That name caught my interest, I’ve made it a little more readable with Ida Pro:


  • Filed under: Citrix

    Today I was troubleshooting a warning message that popped up when launching a network application with RES Workspace Manager:

    The publisher could not be verified. Are you sure you want to run this software?

    Usually this is a simple fix: add the servername (file://server) to the Local Intranet zone:

    You can add and remove websites from this zone. All websites in this zone will use the zone's security settings.

    That worked when I launched the application directly. However when launching the application with RES Workspace Manager I would still get the warning. Even stranger: when I clicked Cancel the application would still be launched.
