Part 7: Other Technologies

Published: August 09, 2004 | Updated: September 15, 2004

By Starr Andersen, Technical Writer; Vincent Abella, Technical Editor

This document is Part 7 of “Changes to Functionality in Microsoft® Windows® XP Service Pack 2” and provides detailed information about other features of Windows XP that have been updated in Windows XP Service Pack 2. You can obtain the other parts of the paper in the Microsoft Download Center, at https://go.microsoft.com/fwlink/?LinkId=28022.

This document applies to Microsoft Windows XP Service Pack 2 (SP2) for the 32-bit versions of Windows XP Professional and Windows XP Home Edition. It does not describe all of the changes that are included in the service pack, but instead highlights those changes that will have the most impact on your use of Windows XP SP2 and provides references to additional information that may be available.

On This Page

NetSchedule and Task Scheduler APIs
Tablet PC Enhancements
Microsoft Data Access Components
Controlling block storage devices on USB buses
Distributed Transaction Coordinator
Internet Information Services

NetSchedule and Task Scheduler APIs

What do the NetSchedule and the Task Scheduler APIs do?

The NetSchedule API is a legacy scheduling API that uses the remote procedure call (RPC) protocol to communicate with the Scheduler service, either locally on the same computer or remotely on another computer, to register an action that is activated on a schedule.

The Task Scheduler API is a newer and enhanced scheduling API that provides programmatic control for the Task Scheduler service provided with the Microsoft® Windows® Server 2003 family, Windows XP, and Windows 2000 operating systems. It provides the same functionality as the NetSchedule API, but with greater programming flexibility. It also uses RPC to communicate with the Scheduler service.

Who does this feature apply to?

  • Users of computers that are members of a domain

  • IT professionals who need to schedule events on client computers

  • System administrators

  • Developers of applications or components that use the NetSchedule or Task Scheduler APIs

What existing functionality is changing in Windows XP Service Pack 2?

Tightening RPC security in the Scheduler service

Detailed description

In Windows XP Service Pack 2, security on the RPC interface provided by the Scheduler service has been tightened to require authenticated connections. The RPC server startup code in the service now specifies RPC_IF_ALLOW_SECURE_ONLY in its call to RpcServerRegisterIfEx(). With this flag, the RPC run time rejects calls made at authentication level RPC_C_AUTHN_LEVEL_NONE and returns RPC_S_ACCESS_DENIED to the caller before the call ever reaches the Scheduler service; the service then performs its own access checks against the impersonated token of the RPC call. Binding to the server still succeeds for an unauthenticated client, but every call made on that binding is denied by RPC.

Why is this change important?

The change will help increase security on computers by allowing only authenticated clients to call into the Scheduler service.

What threats does it mitigate?

This change reduces threats based on elevation of privilege attacks by denying non-authenticated calls.

What works differently or stops working?

  • Users of client computers that are running previous versions of Windows will be unable to use AT.exe or other clients that use the NetSchedule API to schedule tasks remotely on a computer that is running Windows XP SP2 or Windows Server 2003 Service Pack 1. The NetSchedule API in the previous versions of Windows does not set authentication information during the RPC binding process.

  • Users running client applications that use the NetSchedule or Task Scheduler APIs in an unauthenticated context will be unable to schedule tasks on a computer that is running Windows XP SP2 or Windows Server 2003 SP1.

How do I fix these issues?

  • To enable computers running Windows 2000 to use the NetSchedule API to schedule tasks on a computer running Windows XP SP2 or Windows Server 2003 SP1, you must upgrade the computer to the latest service pack of Windows 2000, which contains an updated netapi32.dll that sets the authentication information on the RPC binding. A hotfix will be prepared for users who cannot upgrade to the latest service pack.

  • Do not run NetSchedule or Task Scheduler API clients in unauthenticated contexts. A client that binds to the Scheduler service directly must set authentication information on the RPC binding (for example, with RpcBindingSetAuthInfoEx) before it makes any call.

Tablet PC Enhancements

What do the Tablet PC Enhancements do?

Windows XP Service Pack 2 includes a number of enhancements for Windows XP Tablet PC Edition. Key improvements include the following:

  • A new design for Tablet PC Input Panel, which opens and floats near where you are entering text.

  • A redesigned Input Panel correction experience.

  • Context-sensitive handwriting recognition (for example, URL and e-mail addresses).

  • Improved handwriting recognition engines for all languages – most notably the East Asian languages.

  • A new lined input experience in the East Asian Input Panel.

Who does this feature apply to?

  • Users of Tablet PCs

  • IT professionals who support users of Tablet PCs

What new functionality is added to this feature in Windows XP Service Pack 2?

In-Place Tablet PC Input Panel

Detailed description

The In-Place Tablet Input Panel (IPTIP) is a dynamic and customizable in-place pen input system for the Tablet PC, dedicated to the specific task of text entry and correction. It is a new addition to the Tablet PC Version 2 feature set.

The IPTIP addresses many of the known issues with the Version 1 System TIP (currently maintained as the Classic TIP) including discoverability, low perceived throughput, and excessive cognitive overload of working with a separate user-maintained window. The overall goal of IPTIP is to provide easy access to text input for pen when and where needed by the end user, without (or only minimally) obscuring other elements of the shell and application user interface.

IPTIP works by monitoring system caret events to determine that text entry is needed and where it is expected; the IPTIP then displays its user interface near the location of the system caret or of the text-accepting control that has focus. This interface is available whenever a pen-up event results in the appearance or location change of the caret.

The IPTIP user interface also has the ability to grow to accommodate extra handwriting when the user is running out of space, as long as space is available on the screen.

Finally, the IPTIP is simple to dismiss, with an easy and explicit user interface for closing it, as well as heuristics that automatically dismiss or collapse it when it has not been used after being invoked.

Why is this change important? What threats does it mitigate?

The IPTIP is not a security related change.

This change is important because it responds directly to customer difficulties reported while using the Tablet PC version 1 TIP. Collectively, these issues impair the experience of entering text with the pen to the degree that most users avoid this task altogether.

What works differently or stops working? Are there any dependencies?

All Tablet PC version 1 TIP functionality (also known as the Classic TIP) has been maintained. However, the Pen Input Panel (PIP), which shipped as part of the SDK version 1.5, has been deprecated in favor of the IPTIP. All applications that previously implemented the PIP will continue to work after an upgrade to Tablet PC version 2 and Windows XP Service Pack 2.

The IPTIP is dependent on Soft Keyboard Controls and the Text and Ink Input Services. It also has a software dependency on the Tablet Reco engines.

Context for Handwriting Recognition

Detailed description

In Windows XP Tablet PC Edition version 1.0, the handwriting recognition engine treated all user input as natural text. This resulted in poor recognition accuracy for controls that accept non-natural user input, such as numbers, e-mail addresses, and URLs. In Windows XP Service Pack 2, Microsoft has introduced a new feature called context, which allows developers to specify the type of user input that is expected for a particular control. The handwriting engine uses this extra information to provide dramatically improved recognition accuracy.

Why is this change important?

User input into forms and application controls is an important scenario for handwriting recognition. This change will significantly improve recognition accuracy for applications that support context.

What works differently or stops working? Are there any dependencies?

Application developers must enable context support, either programmatically or through a side-by-side context tagging file. Information about both approaches is contained in the Microsoft Tablet PC SDK. For applications that do not enable context support the user experience will be unchanged.

How do I fix these issues?

Developers should consult the Microsoft Tablet PC SDK for information on enabling context support. The Tablet PC SDK can be downloaded from the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkId=28353.

Latin alphabet based recognizers: Improved Recognition Rate

Detailed description

Handwriting recognition has improved for short prose, making it faster and easier to reply to or compose e-mail messages, annotate documents, or write notes.

Special heuristics were implemented to guide the recognition of ambiguous character shapes. For example, a round shape is recognized as the letter "O" rather than the digit "0," depending on the width of the character.

Why is this change important?

Improved overall text input and correction experience for the user.

Latin alphabet based recognizers: Improved Recognition for Single Characters

Detailed description

Improved recognition of single characters benefits the user when correcting individual characters. For example, better distinction between lowercase and uppercase characters results in a higher accuracy rate, including for pairs of characters with similar shapes in lowercase and uppercase, such as sS and wW.

The recognition rate improved for 94 out of 98 U.S. English characters, including punctuation, such as the comma and the exclamation mark, and special symbols, such as the at symbol (@) or the backslash (\).

Why is this change important?

Improved text input and correction experience for the user.

Latin alphabet based recognizers: Language Lexicon Improvements

Detailed description

Common abbreviations, colloquialisms, neologisms, greetings, IT, and technical terms were added to the lexicon.

Rare words that the recognizer may confuse with more common words have been removed. For example:

  • English "yon," which interfered with "you."

  • Rare German verb inflections that interfered with more common inflections or nouns, such as "wetter."

If needed, users can add rare forms or inflections to the lexicon.

Why is this change important?

Improved overall text input and correction experience for the user.

Latin alphabet based recognizers: Improved Recognition of Delayed Strokes

Detailed description

The user can add quotes or similar strokes after a word is written, which makes using handwriting more flexible and natural. It also improves the recognition of contractions, such as "I'll" and "would've."

Why is this change important?

Improved overall text input and correction experience for the user.

English recognizers: Better Recognition of the English Word "I"

Detailed description

The character "I" is now less likely to be returned as the digit 1 or the lowercase letter "l" when it occurs in prose.

Why is this change important?

Improved overall text input and correction experience for the user.

French recognizer: Better Recognition of Characters with Diacritics and Ligatures

Detailed description

Recognition of some French characters is improved. Examples of characters with improved recognition include "é" and "æ."

Why is this change important?

Improved overall text input and correction experience for the user.

French recognizer: Conforms to French Spelling Reform

Detailed description

The addition of 20,000 new spellings (including inflections) to the handwriting lexicon accommodates "La réforme de l'orthographe." New and existing spellings are recognized, such as "connaitre" (new) and "connaître" (old), "couter" (new) and "coûter" (old).

Why is this change important?

Improved overall text input and correction experience for the user.

German recognizer: Better Recognition of Umlaut characters and “ß” Character

Detailed description

Examples of the type of character with improved recognition include the letters "ä" and "ß."

Why is this change important?

Improved overall text input and correction experience for the user.

German recognizer: Improved Recognition Rate for Compound Nouns

Detailed description

A dynamic compounding algorithm was implemented, so that words such as "Elektronikunternehmen," "Konkurrenzmarkt," "Wahlkampfhilfe" are now recognized more reliably.

Why is this change important?

Improved overall text input and correction experience for the user.

German recognizer: More Post-reform Spellings Added

Detailed description

Many words that were formerly spelled with "ß" that are now spelled with "ss" are included, such as “Abendimbiss” and “Stress.”

Why is this change important?

Improved overall text input and correction experience for the user.

Lined and Free Mode Support for All East Asian Languages

Detailed description

Lined and Free mode of handwriting text input is now available for all supported East Asian languages: Japanese, Korean, Simplified Chinese, and Traditional Chinese. The Japanese and Korean recognizers’ error rate has been reduced significantly in this version.

Why is this change important? What threats does it mitigate?

This change improves the user experience for users of East Asian languages.

Cursive support available for all East Asian Languages

Detailed description

Cursive text input is now available for all supported East Asian languages: Japanese, Korean, Simplified Chinese, and Traditional Chinese. Cursive writing is often used in quick, informal writing scenarios such as note taking (where the notes may be converted to text later), short e-mail, and chat.

Why is this change important? What threats does it mitigate?

This change improves the user experience for users of East Asian languages.

Recognition improvements for small and large Katakana and Hiragana characters

Detailed description

Recognition improvements for small and large Katakana and Hiragana characters include special heuristics and better use of UI height information, enabling the recognizer to better distinguish these characters.

Why is this change important?

This change improves the user experience for users of East Asian languages.

Added characters frequently used in Japanese names

Detailed description

Characters frequently used for Japanese names are added to the commonly used characters set to improve recognition.

Why is this change important?

This change improves the user experience for users of East Asian languages by allowing the Tablet PC to better recognize names.

Recognition improvements for data elements

Detailed description

Special attention has been given to the ability to recognize data elements (such as telephone numbers, dates, e-mail addresses and Web addresses) within a given handwriting content. In comparison with the version 1 recognition engine, the user will likely experience a significantly better recognition of these elements.

Why is this change important?

This change improves the user experience for users of East Asian languages by allowing the Tablet PC to better recognize data elements.

Microsoft Data Access Components

What do the Microsoft Data Access Components do?

Microsoft Data Access Components (MDAC) are technologies that provide access to information across data sources. MDAC includes ActiveX Data Objects (ADO), OLE DB, and Open Database Connectivity (ODBC). Data-driven client/server applications deployed over the Web or a LAN can use these components to integrate information from a variety of data sources, both relational (such as SQL) and non-relational.

Windows XP Service Pack 2 includes version 2.81 of Microsoft Data Access Components (MDAC). This version includes the security enhancements that were distributed with MDAC 2.8. Windows XP included MDAC 2.7.

Who does this feature apply to?

  • IT professionals who support applications built using MDAC 2.7 or earlier.

  • Developers of applications that use MDAC 2.7 or earlier.

What existing functionality is changing?

To learn more about the changes between previous versions of MDAC and MDAC 2.8, review the MDAC Software Development Kit, which can be downloaded from the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkId=32720.

Controlling block storage devices on USB buses

What does controlling block storage devices on USB buses do?

This feature adds a registry value that prevents write operations to USB block storage devices, such as memory sticks. When the value is enabled, these devices function as read-only devices. You can implement this setting as part of a security strategy to prevent users from transporting data using these devices. Note that the setting only blocks writes to USB block storage; it does not restrict other removable media, and a user with administrative rights on the computer can change the value back, so it is a control for standard users rather than for administrators.

Who does this feature apply to?

  • Users who do not want data to be written from their computer to a USB storage device.

  • IT professionals who want to implement organization controls over the use of USB block storage devices

What settings are added or changed in Windows XP Service Pack 2?

Setting name   Location                                                                   Default value   Possible values
WriteProtect   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StorageDevicePolicies   DWORD = 0       0 - Disabled, 1 - Enabled

The StorageDevicePolicies key is not present by default; create it, and then add the WriteProtect DWORD value under it.

Distributed Transaction Coordinator

What does Distributed Transaction Coordinator do?

The Distributed Transaction Coordinator (DTC) service coordinates transactions that update two or more transaction-protected resources, such as databases, message queues, file systems, and so on. These transaction-protected resources may be on a single computer or distributed across many networked computers.

Who does this feature apply to?

  • Users of any computers that participate in DTC transactions, either directly or through other computers.

  • System administrators of networks that use DTC components to perform transactions across networks.

What new functionality is added to this feature in Windows XP Service Pack 2?

Securing all network communication by default

Detailed Description

In Windows XP SP2, DTC provides the administrator with greater control over the network communication between computers. By default, all network communication is disabled.

To change the communication settings, use the enhanced Security Configuration dialog box on the MSDTC properties page. To open it, use the following procedure:

  1. Open the Component Services snap-in in Microsoft Management Console (MMC).

  2. In the console tree, click the Computers folder.

  3. In the details pane, right-click My Computer, and then click Properties.

  4. Click the MSDTC tab, and then click Security Configuration.

Each setting on this page corresponds to one or more registry values. All the registry values related to MSDTC are located under the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\MSDTC

Caution: Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

The following table describes each setting and the values under the MSDTC key that correspond to it:

Setting: Network DTC Access

  Description: Determines whether DTC on the local computer is allowed to access the network. This setting must be enabled in combination with one of the other settings to enable network DTC transactions. Default setting: Off.

  Corresponding registry value: Security\NetworkDtcAccess (0 = Off, 1 = On)

Setting: Allow Inbound

  Description: Allows a distributed transaction that originates from a remote computer to run on this computer. Default setting: Off.

  To enable this setting, set the following registry values to 1:

  • Security\NetworkDtcAccess

  • Security\NetworkDtcAccessTransactions

  • Security\NetworkDtcAccessInbound

  To disable this setting, you only need to set Security\NetworkDtcAccessInbound to 0.

Setting: Allow Outbound

  Description: Allows the local computer to initiate a transaction and run it on a remote computer. Default setting: Off.

  To enable this setting, set the following registry values to 1:

  • Security\NetworkDtcAccess

  • Security\NetworkDtcAccessTransactions

  • Security\NetworkDtcAccessOutbound

  To disable this setting, you only need to set Security\NetworkDtcAccessOutbound to 0.

Setting: Mutual Authentication Required

  Description: Adds support for mutual authentication in future versions and is the most secure communication mode. In Windows XP SP2, it is functionally equivalent to the Incoming Caller Authentication Required setting. This is the recommended transaction mode for clients running Windows XP SP2 and servers running a member of the Windows Server 2003 family.

  Corresponding registry values: AllowOnlySecureRpcCalls = 1, FallbackToUnsecureRPCIfNecessary = 0, TurnOffRpcSecurity = 0

Setting: Incoming Caller Authentication Required

  Description: Requires the local DTC to communicate with a remote DTC using only encrypted messages and mutual authentication. Only Windows Server 2003 and Windows XP SP2 support this feature, so use it only when you know that the DTC on the remote computer runs one of those operating systems.

  Corresponding registry values: AllowOnlySecureRpcCalls = 0, FallbackToUnsecureRPCIfNecessary = 1, TurnOffRpcSecurity = 0

Setting: No Authentication Required

  Description: Provides compatibility with previous versions of the Windows operating system. When this setting is enabled, network communication between DTCs can fall back to unauthenticated or unencrypted communication if a secure channel cannot be established. Use this setting if the DTC on the remote computer runs Windows 2000 or a version of Windows XP earlier than SP2. It is also useful when the DTCs involved are on computers in domains that have no trust relationship, or on computers that are members of a workgroup. Because it accepts unauthenticated RPC, it is the weakest of the three modes; limit it to computers that must interoperate with such peers.

  Corresponding registry values: AllowOnlySecureRpcCalls = 0, FallbackToUnsecureRPCIfNecessary = 0, TurnOffRpcSecurity = 1

Why is this change important? What threats does it help mitigate?

These changes are important in order to secure any DTC communication coming in to or going out from the computer. By default, after Windows XP SP2 is installed, DTC neither accepts nor issues any network transactions, and the computer is therefore less exposed to network attacks against it.

Additionally, the DTC network protocol has been upgraded to support a more securely encrypted and mutually authenticated communication mode. This helps to ensure that attackers cannot intercept or take over communications between DTCs.

What works differently?

After installing Windows XP SP2, all network communication into or out of DTC is disabled. For example, if a COM+ object attempts to update a SQL database on a remote computer using a DTC transaction, the transaction fails. Conversely, if your computer is hosting a SQL database that components on remote computers try to access using a DTC transaction, their transactions fail.

How do I fix these issues?

If your transactions fail because of this, open the MSDTC Security Configuration dialog box, as described previously in this document, select the Network DTC Access check box, and then select the Allow Inbound and Allow Outbound check boxes, as appropriate.

If you want to change these settings programmatically as part of your Windows XP SP2 deployment, you can directly change the registry values that correspond to the setting you want, as described in the table in "Securing all network communication by default," earlier in this document. After you change the registry values, you must restart the MSDTC service.

If you are using Windows Firewall to protect your Windows XP SP2 computers, you must add MSDTC into the exception list in the Windows Firewall settings. To do so, use the following steps:

  1. In Control Panel, open Windows Firewall.

  2. Click the Exceptions tab, and then click Add Program.

  3. Click Browse, and then add c:\windows\system32\msdtc.exe.

  4. In Programs and Services, select the Msdtc.exe check box, and then click OK.

What settings are added or changed in Windows XP Service Pack 2?

Setting name                        Location                                              Previous default value   Default value   Possible values
NetworkDtcAccess                    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\Security   1                        0               0, 1
NetworkDtcAccessTransactions        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\Security   1                        0               0, 1
NetworkDtcAccessInbound             HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\Security   n/a                      0               0, 1
NetworkDtcAccessOutbound            HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\Security   n/a                      0               0, 1
AllowOnlySecureRpcCalls             HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC            n/a                      1               0, 1
FallbackToUnsecureRPCIfNecessary    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC            n/a                      0               0, 1
TurnOffRpcSecurity                  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC            n/a                      0               0, 1

A previous default value of n/a means that the value did not exist before Windows XP SP2.
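The two settings tables above (the WriteProtect value under "Controlling block storage devices on USB buses" and the MSDTC values in this section) can be audited offline from a reg.exe export of the keys concerned. The following Python script is an added example; it is not part of the original document and not Microsoft code. It parses the DWORD entries of such an export, substitutes the SP2 default for any value that is absent, decodes the three RPC-security values into the mode names from the Security Configuration table, and reports whether each DTC direction is effectively on (Network DTC Access, the transactions value and the direction's own value all set to 1). The embedded sample export is constructed for the example, not captured from a real computer.

```python
"""Offline audit of a reg.exe export for the WriteProtect and MSDTC settings
described in this document. Added example; the sample export is constructed."""
import re

USB = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies"
MSDTC = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC"
MSDTC_SEC = MSDTC + r"\Security"

# Windows XP SP2 default for each value when it is absent from the export
# (the "Default value" columns of the two settings tables in this document).
DEFAULTS = {
    (USB, "WriteProtect"): 0,
    (MSDTC_SEC, "NetworkDtcAccess"): 0,
    (MSDTC_SEC, "NetworkDtcAccessTransactions"): 0,
    (MSDTC_SEC, "NetworkDtcAccessInbound"): 0,
    (MSDTC_SEC, "NetworkDtcAccessOutbound"): 0,
    (MSDTC, "AllowOnlySecureRpcCalls"): 1,
    (MSDTC, "FallbackToUnsecureRPCIfNecessary"): 0,
    (MSDTC, "TurnOffRpcSecurity"): 0,
}

# (AllowOnlySecureRpcCalls, FallbackToUnsecureRPCIfNecessary, TurnOffRpcSecurity)
# -> the option on the MSDTC Security Configuration page, per the table above.
RPC_MODES = {
    (1, 0, 0): "Mutual Authentication Required",
    (0, 1, 0): "Incoming Caller Authentication Required",
    (0, 0, 1): "No Authentication Required",
}

# Constructed sample export (not from a real machine): a host that has been
# opened for inbound DTC traffic but switched to unauthenticated RPC.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies]
"WriteProtect"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC]
"AllowOnlySecureRpcCalls"=dword:00000000
"FallbackToUnsecureRPCIfNecessary"=dword:00000000
"TurnOffRpcSecurity"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\Security]
"NetworkDtcAccess"=dword:00000001
"NetworkDtcAccessTransactions"=dword:00000001
"NetworkDtcAccessInbound"=dword:00000001
"NetworkDtcAccessOutbound"=dword:00000000
"""

_VALUE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg(text):
    """Parse the DWORD subset of .reg syntax into {key: {name: int}}.
    Key paths and value names are folded to lower case, since the registry
    is case-insensitive; value types other than dword are ignored."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None:
            m = _VALUE.match(line)
            if m:
                keys[current][m.group(1).lower()] = int(m.group(2), 16)
    return keys


def dword(keys, key, name):
    """Value as the service sees it: the exported value, else the SP2 default."""
    return keys.get(key.lower(), {}).get(name.lower(), DEFAULTS[(key, name)])


def dtc_network(keys):
    """Effective DTC directions: a direction is on only when NetworkDtcAccess,
    NetworkDtcAccessTransactions and the direction's own value are all 1."""
    gate = (dword(keys, MSDTC_SEC, "NetworkDtcAccess") == 1
            and dword(keys, MSDTC_SEC, "NetworkDtcAccessTransactions") == 1)
    return {
        "inbound": gate and dword(keys, MSDTC_SEC, "NetworkDtcAccessInbound") == 1,
        "outbound": gate and dword(keys, MSDTC_SEC, "NetworkDtcAccessOutbound") == 1,
    }


def dtc_rpc_mode(keys):
    """Map the three RPC-security values to the UI mode name; a combination
    the table does not list (for example two values set) is reported as such."""
    triple = tuple(dword(keys, MSDTC, n) for n in (
        "AllowOnlySecureRpcCalls", "FallbackToUnsecureRPCIfNecessary", "TurnOffRpcSecurity"))
    return RPC_MODES.get(triple, "unlisted combination %r" % (triple,))


def audit(text):
    """Decode the posture and list the findings a reviewer would raise."""
    keys = parse_reg(text)
    net, mode = dtc_network(keys), dtc_rpc_mode(keys)
    findings = []
    if dword(keys, USB, "WriteProtect") != 1:
        findings.append("USB block storage devices are writable (WriteProtect is not 1)")
    if (net["inbound"] or net["outbound"]) and mode != "Mutual Authentication Required":
        findings.append("DTC network access is enabled with RPC mode: " + mode)
    return {"usb_write_protect": dword(keys, USB, "WriteProtect"),
            "dtc": net, "rpc_mode": mode, "findings": findings}


if __name__ == "__main__":
    import json, sys
    # reg.exe writes exports as UTF-16LE; pass a file path, or run on the sample.
    src = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    print(json.dumps(audit(src), indent=2))
```

Run it against the output of `reg export HKLM\SOFTWARE\Microsoft\MSDTC` (and the StorageDevicePolicies key) copied from the audited computer. Note that setting TurnOffRpcSecurity to 1 by hand while AllowOnlySecureRpcCalls stays at its default of 1 is reported as an unlisted combination rather than as No Authentication Required: the table gives all three values for each mode, so a scripted change should write all three, as the property page does.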

Internet Information Services

What does Internet Information Services do?

Windows XP Professional includes Internet Information Services (IIS), Version 5.1, which makes it possible for you to host your own Web site on the Internet or your intranet.

IIS is an optional component of Windows XP Professional and must be installed separately after you have installed Windows XP Professional on your computer. To add IIS to a computer running Windows XP Professional, open Control Panel, double-click Add or Remove Programs, click Add/Remove Windows Components, and then select the Internet Information Services (IIS) check box.

IIS is not available in Windows XP Home Edition.

Who does this feature apply to?

This feature applies to the following audiences:

  • Users of Windows XP Professional with SP2 who use IIS to host a Web site.

  • IT professionals who install Windows XP SP2 with IIS.

  • Web developers who use IIS on Windows XP Professional to develop Web content.

What existing functionality is changing in Windows XP Service Pack 2?

Internet Information Services Configuration Options

Detailed Description

If you install a slipstream version of Windows XP that includes SP2 on a new computer, the default configuration of Internet Information Services 5.1 is changed to reduce the attack surface of IIS when it is first installed. (A slipstream version integrates the operating system and the service pack.) This helps to enhance the security of the entire system, so that enabling IIS in Windows XP Professional does not needlessly expose the computer to attack. However, if you upgrade a computer to Windows XP SP2 and then install IIS, the configuration is not changed, so you should run the IIS Lockdown Tool after installation to help keep the computer secure during initial configuration. You can download the IIS Lockdown Tool, Version 2.1, from the Microsoft Web site at https://go.microsoft.com/fwlink/?linkid=22848.

When IIS is installed from a slipstream version of Windows XP that includes Service Pack 2, the following settings are enabled by default:

  • The Check if file exists check box is selected for newly registered ISAPIs.

  • Request size limits are reduced to 16k.

  • No executable virtual directories are present by default.

  • No samples are shipped.

  • The FrontPage Server Extensions configuration option is not selected for installation.

    Note   If Service Pack 2 is installed on a computer that is currently running Windows XP Professional with IIS, these settings are not applied.

Why is this change important?

These changes are important because they help reduce the overall attack surface of your system. By default, IIS is not installed with Windows XP Professional. If it is installed after your Windows XP installation, it has the potential to introduce a new attack vector to your system. Now, if a slipstream version of Windows XP with Service Pack 2 is deployed and IIS is then installed using Add or Remove Programs, IIS is locked down further, producing a more secure overall system.

What threats does it mitigate?

These changes are part of implementing a defense-in-depth Web server that will help to protect Web-facing applications that run on IIS from malicious users.