Remko Weijnen's Blog (Remko's Blog)

About Virtualization, VDI, SBC, Application Compatibility and anything else I feel like

Archive for the ‘Windows 2008’ Category

Today I was troubleshooting a warning message that popped up when launching a network application with RES Workspace Manager:

The publisher could not be verified. Are you sure you want to run this software?

Usually this is a simple fix: add the servername (file://server) to the Local Intranet zone:

You can add and remove websites from this zone. All websites in this zone will use the zone's security settings.

That worked when I launched the application directly. However, when launching the application with RES Workspace Manager, I would still get the warning. Even stranger: when I clicked Cancel, the application would still be launched.
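As an added example (not the post's own script), the usual fix mentioned above, putting the file server host into the Local Intranet zone for the current user, scripted and verified. It assumes the per-user ZoneMap registry layout Internet Explorer uses (one key per host, a DWORD named after the protocol, data = zone number with 1 = Local Intranet) and a hypothetical server name.

```powershell
# Added example: map a UNC / file:// host to the Local Intranet zone for the
# current user and read the mapping back. Assumed registry layout (IE ZoneMap):
#   ...\ZoneMap\Domains\<host> holds a DWORD named after the protocol ("file")
#   whose data is the zone: 0 Local Machine, 1 Intranet, 2 Trusted,
#   3 Internet, 4 Restricted. The host name below is hypothetical.
$ZoneMapDomains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$LocalIntranet  = 1

function Add-HostToLocalIntranet {
    param([Parameter(Mandatory)][string]$HostName)   # plain host name, not a UNC path
    $key = Join-Path $ZoneMapDomains $HostName
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # "file" covers file://server and \\server; add http/https entries the same way if needed
    Set-ItemProperty -Path $key -Name 'file' -Value $LocalIntranet -Type DWord
}

function Get-HostZone {
    param([Parameter(Mandatory)][string]$HostName, [string]$Protocol = 'file')
    $key = Join-Path $ZoneMapDomains $HostName
    $p = Get-ItemProperty -Path $key -Name $Protocol -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }   # not mapped explicitly: IE falls back to its zone heuristics
    return [int]$p.$Protocol
}

Add-HostToLocalIntranet -HostName 'appserver01'
"appserver01 file:// zone = $(Get-HostZone -HostName 'appserver01')"   # 1 = Local Intranet
```

If a "Site to Zone Assignment List" policy is in force, the policy ZoneMap under HKLM takes precedence and this per-user entry is ignored, which is worth checking before concluding the fix does not work.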


ClickOnce is a Microsoft technology that enables an end user to install an application from the web without administrative permissions.

That’s great, isn’t it?
While ClickOnce may sound great to developers, it’s actually a nightmare for enterprise administrators, who try to prevent users from installing software themselves.

ClickOnce also incorporates an automatic update mechanism, which means that users might end up running different, untested or unapproved versions…

Virtual Environments
It gets even worse in virtual environments such as VDI and SBC, where machines are often non-persistent. Each time a user starts the application they will see a screen similar to the one below, while they actually download and install it over and over again:


If the environment is persistent, it’s not guaranteed that the user works on the same machine each day. This means that the application will be installed on every box the user ever logs onto…

How does it work?
In order to understand how we can best treat ClickOnce applications, we need to understand how they work, since the MSDN documentation does not describe this in detail.


Some applications use the computer’s name as a unique identifier, rather than using the user name. In a single-user-per-computer environment, this strategy works well.

However, in a multi-user environment such as Citrix XenApp or Microsoft’s Remote Desktop Services (Terminal Server), all connected users report the same computer name.

If the application relies on unique computer names to handle tasks such as file and record locking, then the application will fail.

We can, however, set an Application Compatibility Flag in the registry to return the user name instead of the computer name.

To demonstrate this behaviour I wrote a small Test Application called TestAppCompatFlags.exe.
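As an added example (not the post's TestAppCompatFlags.exe), here is how that compatibility flag can be set and inspected for one executable. It assumes the Terminal Server compatibility key path and the flag bits from Microsoft's Terminal Server application compatibility documentation (KB 186499): 0x08 marks a Win32 application and 0x10 makes GetComputerName return the user name; verify both constants on your OS version before relying on them.

```powershell
# Added example: OR the "return user name instead of computer name" bit into
# the Terminal Server compatibility Flags value of one application.
# Assumptions: key path and bit values per KB 186499 (0x08 = Win32 app,
# 0x10 = return user name for GetComputerName); the key name is the
# executable's base name without .exe. Requires an elevated prompt.
$CompatRoot         = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications'
$FlagWin32App       = 0x08
$FlagReturnUserName = 0x10

function Get-TSAppCompatFlags {
    param([Parameter(Mandatory)][string]$AppName)   # e.g. 'TestAppCompatFlags'
    $key = Join-Path $CompatRoot $AppName
    if (-not (Test-Path $key)) { return 0 }
    $p = Get-ItemProperty -Path $key -Name Flags -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 0 }
    return [int]$p.Flags
}

function Set-TSAppCompatFlag {
    param([Parameter(Mandatory)][string]$AppName, [int]$Flag = $FlagReturnUserName)
    $key = Join-Path $CompatRoot $AppName
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # OR into the existing value so bits already set for this app survive
    $current = Get-TSAppCompatFlags -AppName $AppName
    $new = $current -bor $FlagWin32App -bor $Flag
    Set-ItemProperty -Path $key -Name Flags -Value $new -Type DWord
    '{0}: Flags 0x{1:X} -> 0x{2:X}' -f $AppName, $current, $new
}

function Test-TSAppCompatFlag {
    # True when the requested bit is present in the stored Flags value
    param([Parameter(Mandatory)][string]$AppName, [int]$Flag = $FlagReturnUserName)
    return ((Get-TSAppCompatFlags -AppName $AppName) -band $Flag) -ne 0
}

Set-TSAppCompatFlag  -AppName 'TestAppCompatFlags'
Test-TSAppCompatFlag -AppName 'TestAppCompatFlags'   # True
```

The flag is read when the process starts, so an already running instance of the application keeps reporting the computer name until it is restarted.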


My Network Places Internals

I am using a PowerShell script to copy some elements from the user's old profile location to a new location. This includes the Nethood ("My Network Places") folder, which contains the Network Places shortcuts.

A user reported that she could not save documents to Network Places anymore and after inspection the Network Places shortcuts were broken.

I started comparing the old Nethood folder to the new and observed the following difference in Explorer:


When I copied entries from the Nethood folder manually with Explorer, they worked fine, so somehow Explorer gives the Nethood folder special treatment.


Switching to the Services Session

Just read a tweet from @andyjmorgan about Interactive Services Detection. This made me remember that it’s possible to switch to Session 0 with an undocumented API in winsta.dll.

For this API to work you must have the Interactive Services Detection (UI0Detect) service running.


Remote Registry from 32 to 64 bit

Yesterday I needed to set a few registry keys remotely, from a 32-bit Windows machine, on a 64-bit machine.

I used reg.exe to set the key, but even though it returned success, the key wasn’t altered.

As I suspected, the key was written to the Wow6432Node. In the help I couldn’t find any switch to force reg.exe to use the 64-bit view.

On a 64-bit machine this is not a problem, since both 32- and 64-bit versions of reg.exe exist. The 32-bit version of reg.exe defaults to the 32-bit view and the 64-bit version defaults to the 64-bit view.

But luckily reg.exe has a switch (that is not listed in the help) to force the View:
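As an added example (not from the post), the same remote write done from a 32-bit reg.exe, followed by a read-back under both registry views to confirm where the value actually landed. It assumes reg.exe accepts the /reg:32 and /reg:64 switches (from my own knowledge of reg.exe; they are not in its help text on the versions the post describes), that the Remote Registry service is running on the target, and a hypothetical server name and key.

```powershell
# Added example: write a DWORD into the native 64-bit view of a remote
# 64-bit machine's HKLM from 32-bit reg.exe, then query both views.
# Assumptions: reg.exe understands /reg:32 and /reg:64; Remote Registry is
# running on the target; server and key below are hypothetical.
$Server = 'SRV64'                                   # hypothetical target
$Key    = "\\$Server\HKLM\SOFTWARE\Contoso\Agent"   # hypothetical key
$Name   = 'Enabled'

function Set-RemoteValue64 {
    # /reg:64 forces the 64-bit view even when this reg.exe is the 32-bit build
    reg add $Key /v $Name /t REG_DWORD /d 1 /f /reg:64 | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg add failed with exit code $LASTEXITCODE" }
}

function Get-ValueInBothViews {
    # The 32-bit view of HKLM\SOFTWARE is really HKLM\SOFTWARE\Wow6432Node, so
    # a value written without /reg:64 from 32-bit reg.exe only shows up there.
    $result = @{}
    foreach ($view in 32, 64) {
        $out = reg query $Key /v $Name "/reg:$view" 2>&1
        if ($LASTEXITCODE -eq 0) {
            $result[$view] = ($out | Select-String -Pattern $Name | Select-Object -First 1).Line.Trim()
        } else {
            $result[$view] = 'not present'
        }
    }
    return $result
}

Set-RemoteValue64
$views = Get-ValueInBothViews
"32-bit view: $($views[32])"   # not present
"64-bit view: $($views[64])"   # Enabled    REG_DWORD    0x1
```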

Today I was reusing some old (pre-Vista) code that retrieves the Logon SID, which I wrote a few years ago. The Logon SID is a special SID that identifies a logon session and has the form S-1-5-5-X-Y.

You can view your Logon SID with Process Explorer: right-click a GUI process, select Properties and go to the Security tab:

Process Explorer|Security Tab|Logon SID



The GetTokenInformation function can be used with the TokenLinkedToken information class on Windows Vista and higher to retrieve the linked (elevated) token.

This is useful when User Account Control is enabled and you want to launch an elevated process e.g. from a service.

This example code, however, fails when User Account Control is disabled:

GetLastError() returns 1312 which is defined in winerror.h as ERROR_NO_SUCH_LOGON_SESSION with description “A specified logon session does not exist. It may already have been terminated.”

So you should check whether User Account Control is enabled in such cases (or treat this error as non-critical).

The snippet below can be used to programmatically determine if User Account Control is enabled:
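As an added example (not the post's snippet), a PowerShell version of the same idea: check the EnableLUA policy value first, then query TokenLinkedToken and treat error 1312 as the "no linked token" case instead of a failure. It assumes PowerShell 2.0 or later for Add-Type, and the TOKEN_INFORMATION_CLASS values TokenLinkedToken = 19 and TokenElevation = 20 from winnt.h.

```powershell
# Added example: UAC check followed by a guarded TokenLinkedToken query.
# Assumes PowerShell 2.0+ (Add-Type); TokenLinkedToken = 19, TokenElevation = 20.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class TokenHelper {
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr tok, int cls, out IntPtr buf, int len, out int ret);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr tok, int cls, out int buf, int len, out int ret);
    [DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr h);
    // TokenLinkedToken: the linked handle, or Zero with the Win32 error captured
    // right away (PowerShell itself cannot reliably read GetLastError afterwards).
    public static IntPtr GetLinked(IntPtr tok, out int error) {
        IntPtr linked; int len;
        if (GetTokenInformation(tok, 19, out linked, IntPtr.Size, out len)) { error = 0; return linked; }
        error = Marshal.GetLastWin32Error(); return IntPtr.Zero;
    }
    // TokenElevation: TOKEN_ELEVATION.TokenIsElevated; needs only TOKEN_QUERY access
    public static bool IsElevated(IntPtr tok) {
        int elevated, len;
        return GetTokenInformation(tok, 20, out elevated, sizeof(int), out len) && elevated != 0;
    }
}
'@

function Test-UacEnabled {
    # EnableLUA is the policy value behind the User Account Control switch
    $p = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
                          -Name EnableLUA -ErrorAction SilentlyContinue
    return ($null -ne $p -and $p.EnableLUA -eq 1)
}

function Get-LinkedTokenReport {
    if (-not (Test-UacEnabled)) { return 'UAC is disabled: tokens are not split, skipping TokenLinkedToken' }
    $tok = [Security.Principal.WindowsIdentity]::GetCurrent().Token
    $err = 0
    $linked = [TokenHelper]::GetLinked($tok, [ref]$err)
    if ($linked.ToInt64() -eq 0) {
        if ($err -eq 1312) { return 'ERROR_NO_SUCH_LOGON_SESSION (1312): this token has no linked token' }
        return "GetTokenInformation failed with Win32 error $err"
    }
    try {
        "this process elevated: $([TokenHelper]::IsElevated($tok)); linked token elevated: $([TokenHelper]::IsElevated($linked))"
    } finally { [void][TokenHelper]::CloseHandle($linked) }
}

Get-LinkedTokenReport
```

From a non-elevated administrator session the linked token is the elevated one, and from an elevated prompt it is the filtered one, so the two booleans in the report come out opposite.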

SSL Certificates in termsrv.dll

I was digging around in termsrv.dll yesterday when I noticed that there are some (well, 372 to be exact) SSL certificates inside the Terminal Server binary (termsrv.dll):


Two of them seem to actually contain the private keys as well, but I am not 100% sure; it may just be a certificate in another format.