Category: Windows

My sister’s computer is was infected with a bunch of stubborn malware. Even after cleaning the offending files, a lot of things won’t wouldn’t work.

Windows Update, run sfc /scannow, or DISM /Online /Cleanup-Image fails with unknown reasons, which I found it somehow related to “Windows Module Installer” service not running.

I saw something weird in services.msc: “Windows Module Installer” doesn’t exist, but I know the underlying name is “TrustedIntaller” and noticed a service named as such is there, but it cannot be started, nor there are any descriptive information.

So I searched registry for “TrustedInstaller” and got to its entry. I noticed these two:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\TrustedInstaller]
"DisplayName"="@%SystemRoot%\\servicing\\TrustedInstaller.exe,-100"
"Description"="@%SystemRoot%\\servicing\\TrustedInstaller.exe,-101"

It means the meaningful names and descriptions I saw on services.msc are generated by calling the underlying  service executable file with switches. I checked my “C:\Windows\servicing” and found that “TrustedInstaller.exe” is not there at all! Of course you cannot start a service where the file does not exist at the promised path (ImagePath).

I searched the hard drive and found only one instance of the file stored somewhere (like C:\Windows\winsxs\x86_microsoft-windows-trustedinstaller_31bf3856ad364e35_6.1.7600.16385_none_90e389a7ae7a4b6c) and I tried to move the file to “C:\Windows\servicing”. However the ownership and permissions to write to “C:\Windows\servicing” goes to “TrustedInstaller” account, not “Administrator”, so I took the ownership, gave Administrator full rights, then move the file over.

Everything worked after that! Just the mere trick of deleting TrustedInstaller.exe is enough to make the user miserable trying to clean the system up! “sfc /scannow” or the like requires TrustedInstaller/WIM to be working in the first place, so you cannot use it to repair TrustedInstaller/WIM problems.

34 total views, 1 views today

Turns out it is as easy as typing “shell:sendto” in the address bar of Windows Explorer. If I knew about it a decade ago, I would have used it more often.

86 total views, 1 views today

Back in the days, we use “net send” to display dialog boxes (I used it to chat with my friend after we dial up to the other’s computer).

Since Windows XP, there’s a more intuitive tool to do the same. It’s convenient if you want to add GUI interactions so that the user won’t ignore the text on the command prompt screen:

msg %SESSIONNAME% "your message goes here"

80 total views, no views today

Over the last decade I was wondering if I did something wrong or my computer was infected by some rootkit that some random installation files shows up in the root folder.

Turns out it’s a stupid bug (didn’t expect something this low from Microsoft) that it unpacks temporary files of Visual C++ 2008 redistributables to whatever’s that’s largest storage space’s ROOT folder!

It’s fixed in SP1, but some old programs distributing the first revision will crap all over the root folder of seemingly random drives (actually, it’s the one with the most free space). Nasty!

https://support.microsoft.com/en-us/help/950683/vcredist-from-vc-2008-installs-temporary-files-in-root-directory

I made a batch file to clean it up. It’s not robust or up to any good programming standards (should have checked the hash signature before deleting if I was paid to write that, but I wasn’t). This batch file accepts an input like where the drive letter was littered (like E:\), or without input arguments, it will just pick the root folder of the current location.

@ECHO OFF
echo.Clean up Visual C++ 2008 temporary files (due to a bug)

set "old_dir=%cd%"

if "%~1" == "" goto Main
cd /d %1

:Main
REM must be a root folder of some drive
cd /

REM Display current drive
echo.%cd:~0,1% drive is going to be cleaned. Press Ctrl+C now to abort now or any other key to continue.
pause

del install.exe 
del install.res.1028.dll 
del install.res.1031.dll 
del install.res.1033.dll 
del install.res.1036.dll 
del install.res.1040.dll 
del install.res.1041.dll 
del install.res.1042.dll 
del install.res.2052.dll 
del install.res.3082.dll 
del vcredist.bmp 
del globdata.ini 
del install.ini 
del eula.1028.txt 
del eula.1031.txt 
del eula.1033.txt 
del eula.1036.txt 
del eula.1040.txt 
del eula.1041.txt 
del eula.1042.txt 
del eula.2052.txt 
del eula.3082.txt 
del VC_RED.MSI
del VC_RED.cab 

echo.Done
cd /d %old_dir%

No warranty or support of any sort if you use it. That’s why I wouldn’t even make it downloadable. Just copy and paste it to a batch file yourself, and keep in mind that you are on your own.

99 total views, no views today

Recently I need to reorder the pre-req installation for a InstallShield installer package that has pre-reqs and MSI inside it. That means I’ll have to extract all the pre-req EXE and MSI files and write batch files to call them, then the installer again for the core software, all done silently.

I learned:

• Administrative install (/a switch) only extracts the core firmware, not the pre-req files
• /b”<target-folder>” extracts the pre-reqs as .prq files
• Need to steal the extracted .exe files by monitoring temporary folder as they go
• /s doesn’t always silent installs. Some with MSI packed inside the .exe files requires the ‘silent’ request passed to the MSI by adding /v/qn (/v passes the switch to the MSI, which is /qn, which means silent in this case)
• .NET before v2.0 requires different switches to install without prompting for license agreement, namely

  /q:a /c:"install /q"

   

142 total views, no views today

I was asked to install McAfee Enterprise Antivirus v8.8 as a favor to somebody else’s client, turns out this piece of 5h1t is a nightmare.

After I installed the agent, the main software won’t proceed to install. I looked up error code 1603 in the MSI log and upgraded a fresh Windows XP to SP3 and updated Windows Installer to 4.5, set the time back (somebody suggested potential certificate problem) and it still fails.

Without being compensated for my time, I gave up and tried to uninstall it through Add/Remove programs. Now the uninstaller complained that the program cannot be uninstalled in managed mode. Normally, I’m quite understanding towards programmers since their job is wrestling complexities, but this time there is no excuse: if you add an item in Add/Remove programs, people are expected to be able to uninstall it directly from there by definition!

After some digging, being unable to uninstall McAfee is a known common problem. The IT-crowd at University of Oregon has written an article with the solution. It boils down to running:

C:\Program Files (x86)\McAfee\Common Framework\frminst.exe /remove=agent

I bet even stoners are more competent packaging the software for release! How much productivity across the world they have drained by shipping out an incompetent software bad as malware!

Stay away from McAfee. Won’t install it even if they pay me $8k. Refuse to service anything McAfee without charging an exorbitant sum, or you won’t make your lost time back.

133 total views, no views today

I was trying to image a mSATA SSD with Ghost in Windows (I’m using version 12.0.0.8023 Corporate Edition as I bought the Altiris license) and I ran into internal consistency error 8027 right at the very beginning of the copying process.

For some reason, it doesn’t happen if I boot to the DOS version (provided by Agilent) to do the cloning.

Luckily the status bar tells me what’s going on during the process. I notice it always hangs when ghost tells me that it’s TRIMming the SSD. I looked up the help file (ghost32.exe -help) and noticed that there’s a “-NOTRIM” option. Tried it and the clone completed successfully.

Turns out Symantec is aware of it. The title of the support article is called “Cloning Solid State Disk (SSD) drives fails when using the UEFI 12.0.0.x Ghost executables“.

The summary says it since older versions (11.5.1.x) does not have TRIM, this isn’t a problem, and

“Build 12.0.0.8003 (from GSS 3.0 early build) resolved the issue with the partition restore”

I’m not sure what it means. But the solution is the same as what I did: disable TRIM when copying SSD in Windows (done by the -notrim switch).

903 total views, 2 views today

If you live in a mixed environment of Windows 7 and 8/10 computers, you might want to set the usernames to be the same so you can share the files/printers without managing Homegroup.

Nonetheless, in Windows 7/2008, if you try to create a user account using the traditional tool (Local Users and Groups) in Computer Management, you are not allowed to use email address as user name because they banned the at-mark (@):

I searched the web for quite a while, came across stuff like UPN (User Principal Name) without luck (No active directory on Windows 7, nor I want to setup a domain controller in Windows 2008 for home network). Turns out the solution is dead simple: use the “User Account” from Control panel to create the user account. No questions asked!

449 total views, 2 views today