Mark Minasi's Windows Networking Tech Page
Issue #70 June 2008

Document copyright 2008 Mark Minasi; please see below for info on subscribing, unsubscribing or copying portions of this text.

What's Inside

  • News
    • If You're at TechEd Next Week, Please Stop By My Sessions -- and How to Get an Advance Peek at Them
    • Server 2008 and Vista classes coming to Seattle, Dallas, New York
  • Tech Section
    • Fixing a Class of Vista 64 Incompatibilities
  • To Subscribe, Unsubscribe, Read Old Newsletters or Change Your Email Address

News

Hi all —

Short newsletter this month, but I hope it'll be a useful one.  I decided to surrender and get a cell phone that could sync with Windows Mobile 6.1 on Vista 64. Nothing worked... until I remembered an old trick. But first, two words from our sponsor...

If You're at TechEd Next Week, Please Stop By My Sessions -- and How to Get an Advance Peek at Them

This year, the TechEd folks gave me a bunch of sessions, so if you're coming to the TechEd for IT Pros next week, then please consider joining me at one or all of these appearances:

  • Tuesday Noon: lunchtime panel on "The Consumerization of IT" (room N220D)
  • Tuesday 3 PM: Windows IT Pro panel on current events in our industry (no location yet)
  • Wednesday 8:30 AM: DNS 2008 Style: How Name Resolution Changes in Windows Server 2008 Infrastructures (room N320A)
  • Wednesday 1-2:15 PM: Windows Vista, Take Two: Understanding Windows Vista SP1 from A to Z (Room S320A)
  • Thursday 8:30-9:45 AM: Wait, Don't Turn Off IPv6: A Guide for the Reluctant (N230)
  • Thursday Noon-12:45PM: Panel Discussion on Security Threats and the Impact on Today’s IT (N220D)
  • Thursday 1-2:15 PM: Windows Logons Revealed (Room N320 A)
  • Thursday 2:45-4 PM: Going Cold Turkey on the GUI: Server Core Setup Step-by-Step (Room S320 C)
  • Friday 1-2:15 PM: Windows Logons Revealed (repeat) (Room S320E)

I've been working hard on polishing these talks, as most are new.  Although I've done Windows Logons Revealed many times, I've changed it somewhat to include some surprises (all good) that I discovered in Vista and 2008.  And while the other talks are each under a year old, I've been able to work on them because the DNS, IPv6 and Server Core talks are essentially components of my two-day Server 2008 class, and I've had the chance to shake down the Vista SP1 talk in the highly enjoyable (for me, anyway) one-day Vista road shows I've been doing for TechTarget.

If you'd like to get a notion of what I'll be talking about, please visit my site to give a look at the PPTs I'll be presenting.  I've been diligent about getting the PowerPoints on Microsoft's site but sometimes they don't actually get the site up and running at full strength for a day or two, so I've posted my PPTs in PDF form here:

http://www.minasi.com/te2008/

I hope to see some of you in Orlando!

Server 2008 and Vista classes coming to Seattle, Dallas, New York in September/December

Many of you have asked if we'll do more public classes — thank you! — and while this is an incredibly busy year, we've carved out some time to visit Seattle and Dallas in September. We also plan to get to New York in December, but don't have any firm dates and locations yet. So far, we're scheduled in Seattle on 15/16 September for the Server 2008 class, and Dallas on 22/23 September for the Vista class and 24/25 September for the Server 2008 class.

Attend one or both of our classes and in just two days, you'll save yourself months of poring over white papers, testing Vista and/or 2008 to see how they tick, and puzzling over quirks and surprises. Even better, you'll quickly learn how to get the most out of what you paid for! Find out about the Vista class here, and the Installing, Managing and Troubleshooting Windows Server 2008 class here. To see more about our public seminar schedule, please visit www.minasi.com/pubsems.htm, and thanks!

Tech Section:  Fixing a Class of Vista 64 Incompatibilities

Over the years, I've seen people walk around with Blackberries and the like and considered buying a phone that let me read and respond to email. It's never seemed a necessity before, but the amount of travel that I'm doing these days convinced me to leave behind my trusty Razr and buy a Samsung i760 (the Verizon version -- where I live, Verizon's the only service that offers more than a bar or two) and to try to convince it to sync to Outlook, pick up email on the road and the like.  So I charged it up, figured out how to place regular calls and verified that its battery life is way worse than the Razr -- which didn't surprise me, as I've had Windows Mobile phones before -- and its "voice command" software was leagues worse, which did surprise me, as my previous Samsung that ran Windows Mobile had a terrific voice control system.  With the basics out of the way, it was time to get my calendar/task list/contacts onto the phone.

Getting my Outlook 2007 contacts, task list and calendar synchronized to the phone involves a few steps:

  • First, download and install Windows Mobile 6.1, something that apparently didn't come with Vista Service Pack 1.
  • Second, get the phone and the PC connected.  The phone comes with a custom USB cable (unlike the generic mini-USB cable the Razr used, arrgh) and a Vista 64 "modem" driver from Samsung.  That loaded fine despite using the dread 64-bit platform, and showed up in Device Manager without a quirk. 
  • Finally, start up Windows Mobile... which doesn't recognize the phone.

(Just as an aside, let me ask you:  do you ever find yourself wondering, while you're trying to do something that should be simple on a computer, "how the heck do NORMAL people do this?"  Seems like in the year 2008 I shouldn't have to reach back through decades of Windows experience to get my phone to work, doesn't it?)

The first obstacle was easy.  Like many cell phones, Windows Mobile phones let you "tether" them to your computer, allowing you to use them as wireless modems offering a range of possible line speeds depending on what sort of service you have and how close you are to the 25 largest cities in the country.  That feature works fine on the i760, but in order to get Windows to sync with a phone, you've got to make an adjustment:

  • On the phone, tap Settings / System / Data Connection
  • In the "Data Connection" dialog, choose the "Internal Data Call" radio button when syncing with a Windows Mobile phone, and the "As the modem through USB" radio button when using the phone as a wireless modem.

At that point, it looked like success -- Windows Mobile detected the phone, and started trying to connect... and trying to connect... and trying to connect... and finally failing.  So a look at Device Manager showed a device called "Windows Mobile-Based Device," which couldn't start. Googling it yielded nothing, so, frustrated, I decided to just return to it tomorrow, called it a day and poured myself a glass of wine.

It must have been good wine, because halfway through the glass, I remembered something like this happening in the past with Windows Mobile and XP x64.  The answer was to put the Local Service account into the local Administrators group.  (At the time, apparently whoever wrote the "Windows Mobile-Based Device" driver needed that driver to be able to do something that relied on the Local Service account, but also required the Local Service account to have some administrative power.  You may also know this sort of issue as a "bug.")  So I opened up an elevated command prompt and typed

net localgroup Administrators "Local Service" /add 

After that, I rebooted the computer, connected the phone and Windows Mobile came up without a hitch.  (Well, one hitch -- I wanted to synchronize my Outlook Notes, but I've got several hundred of them and apparently the synchronization software can't handle that.)

Now, let me caution anyone tempted to do this:  this fix lowers the security of your operating system.  Local Service is a low-power user account that Microsoft specifically created so that they could run services (a class of programs that run in the background all of the time and that are a common target of attack by cybercriminals) under that account.  Local Service is a big improvement over an account called "LocalSystem," which most services run under.  LocalSystem has complete control over your system and that's bad because if a bug in Windows makes it easy for a bad guy to gain control of some service program that runs under the LocalSystem account on your computer, then that bad guy can do anything he or she wants to do to your system.  In contrast, if a bad guy got control of a service running under Local Service, then he'd have a lot less power. 

This is a much bigger topic, but in general one of the most important things that an operating system designer -- like Microsoft -- can do to shore up their OS's defenses against attacks on that OS's services is to run the services not under all-powerful accounts like LocalSystem, but instead to tailor accounts for each different service, ensuring that each service has just enough power to get its job done -- but no more than it needs.  One of the great unsung security features of Vista and Server 2008 is their ability to let you (with a little effort) dial in just the privileges that a service needs, and no more.

Anyway,  the fact that putting the low-power Local Service account into the local Administrators group and rebooting solved the problem means that some programmer just got lazy and never bothered to check the driver that he/she wrote on a 64-bit system.  But putting Local Service into the Administrators group weakens your system's security because now you've basically pumped up Local Service almost to LocalSystem's power, so any bad guy finding a way to seize control of a service running under Local Service now has local administrative power.  (That's security geek-ese for "at that point, it's 'game over' security-wise for your system.") The long-term answer is to bug Microsoft for a correctly-written copy of the 64 bit Mobility Center -- and when that happens, I'll un-do what I did by opening an elevated command prompt and typing

net localgroup Administrators "Local Service" /delete

A reboot will then finish re-securing my system.  I suspect this technique will solve a goodly number of 64-bit compatibility issues -- I wish you luck in attacking yours.
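
A check for the state described above, as an added example that is not part of the original newsletter: it reports whether Local Service (or, going beyond the text, LocalSystem or Network Service) is a direct member of the local Administrators group, so a forgotten workaround can be found and undone. The function name Get-ServiceIdentityAdmin is made up for this example; the group and accounts are matched by their well-known SIDs, so it also works on localized Windows where the names are translated.

```powershell
# Added example (not from the newsletter). Run from an elevated PowerShell prompt.
# Get-ServiceIdentityAdmin is a hypothetical name chosen for this example.

function Get-ServiceIdentityAdmin {
    # Well-known SIDs of the built-in service identities.
    $serviceSids = @{
        'S-1-5-18' = 'LocalSystem'
        'S-1-5-19' = 'Local Service'
        'S-1-5-20' = 'Network Service'
    }

    # Resolve the group's name from its well-known SID (S-1-5-32-544)
    # instead of hard-coding "Administrators".
    $adminSid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
    $adminName = $adminSid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]

    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$adminName,group"

    foreach ($member in $group.psbase.Invoke('Members')) {
        # Read each member's binary SID and convert it to S-1-... string form.
        $bytes = $member.GetType().InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
        $sid   = (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value

        if ($serviceSids.ContainsKey($sid)) {
            New-Object PSObject -Property @{
                Group   = $adminName
                Account = $serviceSids[$sid]
                Sid     = $sid
            }
        }
    }
}

$hits = @(Get-ServiceIdentityAdmin)
if ($hits.Count -gt 0) {
    $hits | Format-Table Account, Sid, Group -AutoSize
    Write-Warning 'A service identity has local administrative power; remove it when the workaround is no longer needed.'
} else {
    Write-Output 'No built-in service identity is a member of the local Administrators group.'
}
```

Only direct membership is examined; a service identity that reaches Administrators through a nested group is not reported.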

To Subscribe/Unsubscribe, Read Old Newsletters or Change Your Email Address

To subscribe, visit http://www.minasi.com/nwsreg.htm. To change e-mail or other info, link to http://www.minasi.com/edit-newsletter-record.htm.  To unsubscribe, link to http://www.minasi.com/unsubs.htm. Visit the Archives at http://www.minasi.com/archive.htm. Please do not reply to this mail; for comments, please link to http://www.minasi.com/gethelp.

All contents copyright 2008 Mark Minasi. You are encouraged to quote this material, SO LONG as you include this entire document; thanks.