Tricks & Traps: Ask the Doctor
Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
Article from Windows 2000 Magazine
By Sean Daily
SEND US YOUR TIPS AND QUESTIONS.
For answers to more of your Windows 2000 and Windows NT questions, visit our online discussion forums at http://www.win2000mag.com/forums/.
Q: The recent ILOVEYOU virus infected my company. The virus propagates by sending email messages with VBScript attachments to all the addresses in your Microsoft Outlook address book. Unfortunately, our antivirus software didn't have a signature file that could detect the virus. I'm concerned that a new virus using the same methodology might inflict similar damage. Do other methods exist for dealing with message attachments?
A: Many antivirus products can't detect a new virus unless the developer has provided a virus signature update. Additionally, the new breed of script-attachment viruses (e.g., ILOVEYOU) are especially dangerous because they're destructive and easily mutated. Within a few days of its initial appearance, ILOVEYOU had three new variants—Mother's Day, Joke, and Virus Alert. By the time you read this, dozens more will probably be circulating.
Because anyone can easily read and edit the virus code, and because legions of capable Visual Basic (VB) programmers inhabit the world, network administrators must control how email attachments reach users. You can configure security settings on the client, the server, or both. On the client side, Microsoft and other email software vendors have issued software updates to improve the security surrounding email attachments. For example, Microsoft recently provided updates for Outlook 2000—both in standalone form and bundled with Office 2000 Service Pack 1 (SP1)—that enforce new attachment-handling behavior. Similar updates exist for Outlook 98 and Outlook 97. These new options take the form of clearer and more explicit dialog-box warnings to users when they attempt to open attachments, and modified attachment-handling behavior, such as forcing users to save attachments to disk rather than letting them open the attachments directly from an email message. Another change prevents worm viruses, such as the ILOVEYOU virus, from utilizing the Outlook Address Book to propagate the virus to other users. You can find these patches - and information about how to use them - at http://office.microsoft.com/home/office.aspx?assetid=FX01085793.
However, relying solely on users or their email clients to properly handle attachments isn't a good idea for most companies. Some antivirus vendors simply treat all .vbs files as viruses. However, this strategy also has drawbacks. For example, some backup programs will fail while attempting to back up legitimate .vbs files, such as those that Windows 2000 includes. Although antivirus software is certainly a "must have," I strongly recommend that you also use server-side filtration software to control email attachments. Programs such as Content Technologies' MAILsweeper (formerly MIMEsweeper) and GFI's Mail Essentials for Exchange/SMTP let you create policy-based security for your mail server. For example, you can define a policy that instructs the server how to handle particular types of attachments, such as the VBScript files that ILOVEYOU uses. MAILsweeper's policy-oriented technology also lets you monitor other aspects of your email system, such as employee confidentiality breaches, offensive messages, unsolicited commercial email (UCE), and compliance with other email policies in your organization.
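The attachment policy described in this answer can be sketched as follows. This is an added example, not code from the article or from MAILsweeper or Mail Essentials; the blocked-extension list, the function names, and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PureWindowsPath

# Assumed policy for this example: script types the server must not deliver.
BLOCKED_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}

def effective_extension(filename):
    """Return the extension Windows acts on, lower-cased.

    Only the last extension counts and Windows drops trailing dots and
    spaces, so "note.TXT.vbs. " is a VBScript file, not a text file.
    """
    cleaned = filename.strip().rstrip(". ")
    return PureWindowsPath(cleaned).suffix.lower()

def screen_message(raw_bytes):
    """Return (action, [(filename, verdict), ...]) for one raw message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():  # also descends into forwarded message/rfc822 parts
        name = part.get_filename()
        if name is None:
            continue
        blocked = effective_extension(name) in BLOCKED_EXTENSIONS
        findings.append((name, "block" if blocked else "allow"))
    hit = any(verdict == "block" for _, verdict in findings)
    return ("quarantine" if hit else "deliver"), findings

def build_sample():
    """Constructed sample: one harmless attachment, one disguised script."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    for name, data in (("report.txt", b"quarterly numbers"),
                       ("note.TXT.VBS", b"' constructed placeholder text")):
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    print(screen_message(build_sample()))
```

Matching on the final extension after normalizing case and trailing characters is what catches double-extension names; a check against the declared Content-Type alone would miss them because the sender controls that header.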
Q: I'm planning a Windows 2000 upgrade. However, I suspect that I might experience compatibility problems with my existing system because of the age of some of my hardware and software. How can I identify potential Win2K upgrade problems?
A: To check whether your system is ready for a Win2K upgrade, visit the Upgrading to Windows 2000 page of Microsoft's Web site (http://www.microsoft.com/windows2000/server/howtobuy/upgrading/default.asp). This section provides several resources for would-be upgraders, including the following:
General system-hardware requirements
The Windows 2000 Hardware Compatibility List (HCL)
A searchable database that lists Win2K-compatible software
Win2K-compliant driver updates for various hardware devices and links to the manufacturers' Web sites
Win2K BIOS compatibility information and BIOS updates
Technical documentation that describes steps you'll need to take when you upgrade from various OSs to Win2K
If you already have the Win2K software, you can run Setup in a special mode that doesn't actually install the product but instead inspects your system configuration and attempts to identify any potential incompatibilities between your system and Win2K. (This check also automatically occurs during the usual Win2K installation process.) To run Setup in this mode, launch the winnt32 Setup program, which resides in the CD-ROM's \i386 folder, with the /checkupgradeonly switch (e.g., D:\i386\winnt32 /checkupgradeonly). Running this program launches the Windows 2000 Readiness Analyzer, which Figure 1 shows. This utility analyzes the system and reports any incompatible components. You can obtain additional information about each conflicting component and save the compatibility report to disk.
If you don't already have the Win2K software, you can download the Windows 2000 Readiness Analyzer utility as a standalone component. Go to the Check Hardware and Software Compatibility page of Microsoft's Web site at http://www.microsoft.com/windows2000/server/howtobuy/upgrading/compat/default.asp.
Q: On several occasions, I've tried to copy a user profile from the Control Panel System applet's User Profile tab, only to receive the bizarre error message Copy Profile Error: The operation completed successfully. Despite the supposed successful completion of the operation, the profile doesn't copy. What can I do to get around this problem?
A: Your problem is common on Windows NT 4.0 systems with Microsoft Internet Explorer (IE) 4.0 or 4.01. The cause of the error message is a permissions problem on a Registry key related to the Protected Storage service. To resolve this problem, you can try manually resetting the Registry permissions on the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\SID Registry key, where SID is the security identifier of the user whose profile you're attempting to copy. (Typically, only one SID will appear, and it will be your user account's SID.) To set permissions for the profile you're currently logged on as, run the regedt32 Registry editor and locate the HKEY_CURRENT_USER\SOFTWARE\Microsoft\Protected Storage System Provider\SID Registry key. If you need to determine your SID, you can use the Microsoft Windows NT Server 4.0 Resource Kit's Getsid utility or look for the name of the user within the various CentralProfile values that exist under each of the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList Registry key's subkeys.
To fix the permissions glitch that causes this problem, select Permissions from the Registry editor's Security menu. In the Type of Access drop-down list, select Read permissions for the Administrators group. You should now be able to successfully complete the profile copy operation.
The Microsoft article "Error Message: Copy Profile Error" (http://support.microsoft.com/default.aspx?scid=kb;en-us;175667&sd=tech) discusses another potential solution for this problem. However, the solution works only if you're willing to create a new profile for the user. Another potential solution is to upgrade the browser to IE 5.0 or later.
Q: My company has several subsidiary companies, all of which have unique company and DNS domain names. These companies all use the same server for their Internet-accessible services (e.g., Web servers, FTP servers, DNS servers). Therefore, I often need to create new DNS zone files that are essentially identical to those that already exist, with the exception of the domain name portion (e.g., mycompany.com). Using Windows NT's DNS Manager utility to recreate these files from scratch is tiresome. Do you know of any tricks I can use to speed up this process?
A: To easily duplicate DNS zone files and substitute the correct domain name for the new zone file, you can use a trick inside NT's DNS Manager. To duplicate an existing zone file and its record contents to a new zone, run DNS Manager and begin creating the new domain and zone file (i.e., highlight the server name and choose New Zone from the DNS menu). This process launches the Create New Zone wizard. In the first dialog box, the wizard asks you to choose whether this zone is primary or secondary. Click Primary, then Next. The second dialog box, which Figure 2 shows, asks you to name the domain and provide the name of the DNS zone file that contains the records. To trick DNS Manager, type the new domain in the first text box but override the default zone name in the second text box (e.g., newdomain.com.dns) with the name of the existing zone file for the domain you want to duplicate (e.g., existingdomain.com.dns).
After you select Finish to complete the wizard, DNS Manager will have created a new zone file for the new domain name. However, DNS Manager also automatically copied all records from the existing zone file and renamed all records that reference the root domain name (e.g., SOA, A, MX) so that they now reference the new domain name. Although you still need to check the data values in the right column to ensure that they're accurate for each record in the new domain, this handy tip lets you easily copy zone data from one domain to another through the DNS Manager GUI.
Q: My company uses many long filenames in the directory structures of our network's various disk volumes. Because I'm an old command-line DOS jockey, I like to work at a command prompt, but navigating with the CD command can be frustrating. For example, changing to a directory such as C:\Program Files\My Application at the command prompt requires a lengthy CD command (e.g., CD \Program Files\My Application). In general, long filenames are irritating at the command line. How can I simplify my life at the command line?
A: I know a few tricks that you might find useful in command-prompt sessions. All of these tricks work with both Windows 2000 and Windows NT.
First, when you're changing to a directory underneath the current directory at the command prompt, you don't need to type the target directory's full name. Instead, you can use an asterisk (*) wildcard with the CD command. For example, to change to a directory called Program Files underneath the current directory, simply type
This trick moves you into the closest directory that begins with "prog," which in this case is Program Files. (Note that this technique might not take you to the correct directory if other directories share the same match string before the asterisk. Therefore, be sure to provide as much information as necessary to uniquely match the desired target directory.)
Another tip that you might find helpful is modifying the Windows Explorer GUI so that you can easily drop to a command prompt from any Windows Explorer folder. One way to obtain this functionality is to download the Microsoft PowerToy called Command Prompt Here from http://www.microsoft.com/ntworkstation/downloads/. To install the utility, simply expand the self-extracting executable, right-click the extracted doshere.inf file, and choose Install from the resulting menu. After you install the utility, you'll have a menu option in every Windows Explorer folder window that lets you drop to a command-prompt session (with the selected folder as the default directory). You can use this tool in several ways. The primary advantage is that you can right-click a folder icon in a Windows Explorer window and choose the Command Prompt Here option from the resulting menu. Additionally, you can use the right mouse button to click the icon in the upper-left corner of any open folder and choose the Command Prompt Here option from the resulting menu.
Another command-line trick enables command-line completion. If you're familiar with UNIX, you might lament that NT won't let you use the Tab key at the command line to autocomplete filenames within the current directory. However, you can mimic this ability in Win2K or NT by editing the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor or HKEY_CURRENT_USER\Software\Microsoft\Command Processor Registry key. (If the value exists in both locations, the value in HKEY_CURRENT_USER will override the value in HKEY_LOCAL_MACHINE.) Using regedit or regedt32, navigate to either key, double-click the REG_DWORD value named CompletionChar (or add the value, and the Command Processor Registry subkey, if they don't exist), and set the data to 9, as Figure 3 shows. In future command-prompt sessions, you'll be able to use Tab to autocomplete filenames at the command line.
Q: One Windows 2000 feature that I'm particularly excited about is the Recovery Console (RC). However, now that I've installed Win2K, I've encountered several situations in which I can't run the RC. In some cases, the RC doesn't recognize an administrator password, and in other circumstances, it fails to boot at all. Am I doing something wrong?
A: Generally, the RC works well. However, in several specific circumstances, the RC can develop problems. For example, if you started with a working copy of the RC under a beta version of Win2K, then upgraded to the final release, you might experience the password-failure problem that you describe. The solution is to uninstall the RC, then reinstall it.
The RC will also fail to run properly if you install it on a FAT or FAT32 volume and later convert that volume to NTFS 5.0 (NTFS5). Again, to restore functionality, simply uninstall and reinstall the RC.
Sean Daily is a contributing editor for Windows 2000 Magazine and the technology lead at Xcedia, a consulting firm specializing in Win2K and Exchange Server deployment and migrations. His most recent book is Optimizing Windows NT (IDG). You can reach him at firstname.lastname@example.org.
The above article is courtesy of Windows 2000 Magazine.