20 December 2010

Desktop Automation Pt4. The Corrections

Ok so if you've tried this series of scripts you might have noticed a slight error. Upon reboot the system can't find the MAC addresses file and produces an error. Apologies for missing out this minor but very vital part.

The reason the script fails is that during execution the current directory is not the folder where the data files are, so the relative file names in the script don't resolve. This is easily fixed with the following batch file. Copy this to a file and drop it into your C:\postghost folder. Save the file as hostname.bat then drag & drop this into the run-once tab of startup-cpl instead of the hostname.vbs file.

@echo off
rem switch drive and folder so the script's relative file names (lcl.txt, Macs.txt) resolve
cd /d c:\postghost\hostname
call myhostnamescript.vbs

The call line needs to name whatever you called your rename-and-join-the-domain script.

19 December 2010

Xbox Live Quick Points Convertor

This is my quick lookup table for the Microsoft points system for the UK. It is based on the current conversion ratio of £8.50=1000 points. Please keep in mind that if you buy points on pre-paid cards, the value will be different.

Points  Value
   1    0.85p (850p / 1000 points)
  60    51p
 100    85p
 120    £1.02
 160    £1.36
 200    £1.70

 400    £3.40
 560    £4.76
 800    £6.80
1000    £8.50
1200    £10.20

I would advise printing this and keeping it somewhere near your TV or Xbox.

Automating Desktop Installation PT3. The main event

A quick recap then. In the previous sessions we have created a list of MAC addresses for all our machines (called macs.txt). We have one machine which has all our software installed which we are going to clone. We (optionally) installed Mike Lin's startup-cpl control panel applet and we have created two encrypted password files called lcl.txt and net.txt.

The first thing to do now is make sure that the macs.txt file is copied into the postghost\hostname folder so do that now.

Next we need to create the script which does the renaming and domain joining. So let's get on with it. Here is the code to do this. Copy it and save the file in the postghost\hostname folder.

' Set local admin a/c details here
Username = "Administrator"
Password = ""
strDomain = "mydomain.com" 'change this to your own domain
strUser = "mydomain\myusername" 'change this to your domain admin username
strPassword = ""
' Identify the hostname by finding it in a list of mac addresses
Dim maclist(8) '*shouldn't need more than this - increase if more than 8 nic's
Dim macount
Dim macsfile
Dim strMac, strHName
Dim eqpos, i
Dim sbox(255)
Dim key(255)
Dim fso
Dim tst
Dim Oput, strReadin, strAdminPwd, strUsrPwd
Const JOIN_DOMAIN = 1 'JoinDomainOrWorkgroup option flags
Const ACCT_CREATE = 2
plaintxt = "YouAreNotATerminatorRobot" 'text to use as common key

Set fso = CreateObject("Scripting.FileSystemObject")
Set tst = fso.OpenTextFile("lcl.txt", 1, False) 'mode 1 = read - encrypted local admin password
'read first
While Not tst.AtEndOfStream
    strReadin = tst.ReadLine
    If strReadin <> "" Then
        strAdminPwd = EnDeCrypt(strReadin, plaintxt)
        Password = strAdminPwd
    End If
Wend
tst.Close

'collect the mac address of every IP-enabled adapter on this machine
macount = 0
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
Set colItems = objWMIService.ExecQuery _
    ("Select * From Win32_NetworkAdapterConfiguration Where IPEnabled = True")
For Each objItem In colItems
    maclist(macount) = objItem.MACAddress
    macount = macount + 1
Next
'uncomment to check first mac address is returned
'WScript.Echo "First mac = " & maclist(0)

'begin search for matching mac (each line of Macs.txt is hostname=MAC)
strHName = ""
Set macsfile = fso.OpenTextFile("Macs.txt", 1, False) 'mode 1 = read
While Not macsfile.AtEndOfStream And strHName = ""
    strMac = macsfile.ReadLine
    eqpos = InStr(strMac, "=")
    If eqpos <> 0 Then
        For i = 0 To macount - 1
            If Right(strMac, 17) = maclist(i) Then
                strHName = Left(strMac, eqpos - 1)
            End If
        Next
    End If
Wend
macsfile.Close

If strHName = "" Then
    WScript.Echo "No line in Macs.txt matches this machine's mac addresses - not renaming"
    WScript.Quit 1
End If
'WScript.Echo "Found match " & maclist(0) & " = " & strHName
'Now know the hostname so rename here
' Query always gets only one Win32_ComputerSystem object.
Set colComputers = objWMIService.ExecQuery("Select * From Win32_ComputerSystem")
For Each objComputer In colComputers
    Return = objComputer.Rename(strHName, Password, Username)
    If Return <> 0 Then
        WScript.Echo "Rename failed. Error = " & Return
    'Else
    '    WScript.Echo "Rename succeeded." & " Reboot for new name to go into effect"
    End If
Next
'end of renaming code

Set tst = fso.OpenTextFile("c:\postghost\joindom\net.txt", 1, False) 'mode 1 = read - encrypted domain admin password
'read second
While Not tst.AtEndOfStream
    strReadin = tst.ReadLine
    If strReadin <> "" Then
        strUsrPwd = EnDeCrypt(strReadin, plaintxt)
        strPassword = strUsrPwd
    End If
Wend
tst.Close

'now join domain
Set objNetwork = CreateObject("WScript.Network")
strComputer = objNetwork.ComputerName

Set objComputer = GetObject("winmgmts:{impersonationLevel=Impersonate}!\\" & strComputer & _
    "\root\cimv2:Win32_ComputerSystem.Name='" & strComputer & "'")

ReturnValue = objComputer.JoinDomainOrWorkGroup(strDomain, strPassword, strUser, Null, JOIN_DOMAIN + ACCT_CREATE)
If ReturnValue <> 0 Then
    WScript.Echo "Domain join failed. Error = " & ReturnValue
End If
'ok so reboot
Set OpSysSet = GetObject("winmgmts:{(Shutdown)}//./root/cimv2").ExecQuery("select * from Win32_OperatingSystem where Primary=true")
For Each OpSys In OpSysSet
    OpSys.Reboot()
Next

Again you need to add Mike Shaffer's RC4 encrypt/decrypt routines to the end of this code. The two routines required are:

Sub RC4Initialize(strPwd)
Function EnDeCrypt(plaintxt, psw)

Also don't forget to change the plaintext keyword (below the const lines) if you changed this in the password encryption routines from the previous posts.

So that should be it. Save your script file as hostname.vbs and then drop it onto the run-once tab in startup-cpl. Shutdown your machine and clone the drive when you're ready.

At this point it is worth pointing out that there are usually other applications which require some work after cloning. Kaspersky antivirus for example (at least our enterprise version) requires a command line to individualise it which is:

c:\progra~1\kasper~1\networ~1\klmover.exe -dupfix

Other applications like SPSS require you to re-run the license utility after the hostname has changed. We discovered we could copy an older version of spssactivator.exe into our postghost folder and use the following batch file to do this:

copy spssactivator.exe "c:\program files\SPSSInc\PASWStatistics18\spssactivator.exe"
cd /d "c:\program files\SPSSInc\PASWstatistics18"
start "SPSS18Act" "c:\program files\SPSSInc\PASWStatistics18\spssactivator.exe" (add license key here)

One day I fully expect software companies to keep track of all this via their own cloud-based licensing servers. For now, the very best of luck and if you wish to express gratitude for all the work presented here, please make a donation to the charity of your choice to help make the world a little bit better.

I also forgot to mention that I didn't include code to remove the machines from the domain if they already exist. My solution was to remove the machines before cloning them using the active directory users & computers utility. If they're not there already, they can't cause a problem. :)

16 December 2010

Automating Desktop Installation - Pt 2. Postghost folder

Assuming the preghost routine has gone to plan you should now have a text file called Macs.txt which contains the hostnames and MAC addresses for all your lab machines. This is your lookup table. What you want to do now is create a folder somewhere on your machine to be cloned. I call this folder postghost as it contains any scripts I want to be run after the drive cloning process.

Within this folder I have a folder for each fix which is done after ghosting. For now just create two new folders called:

hostname
joindom

As you can guess these are for scripts to rename the PC and join it to the domain. This raises an issue of security since you need to have the local administrator account password stored on the drive if you want this to be fully automatic. Likewise if you want to automate joining a domain you need to store a password with a domain administrator account (yes that should sound alarm bells).

The way around this problem is to use a combination of encryption and permissions. Right-click on your postghost folder and go to the security permissions tab. You can remove all users from the list leaving only Administrator able to read & execute. No writing is necessary and you will still need to log in using the local administrator account to run the script.

At this point I will dish out some credit to a guy named Mike Lin. He has an excellent utility on his website called startup-cpl which adds a nice control panel applet to your system. One of the nice features of this utility is that it lets you add entries to the task scheduler's run-once list just by dragging and dropping them onto the applet. In effect this means that once you have created the postghost script, you can set it to automatically run once when the local admin first logs in after cloning (so you will log in, the machine will rename and join the domain and then automatically reboot itself - how much work does that save you?)

Before we get to this stage though, we need to encrypt those privileged account passwords and drop them into our new folders. The script to do that is here:

Dim sbox(255)
Dim key(255)
Dim fso
Dim Oput

strAdmPwd = InputBox("Enter local admin password:", "Admin Password")
strUsrPwd = InputBox("Enter your network admin a/c password:", "User Password")
plaintxt = "YouAreNotATerminatorRobot" 'text to use as common key - change this for extra security

' EnDeCrypt(data, key): the password is the data and plaintxt is the key,
' which is the order the decoding script in the next part uses to get it back.
' The RC4 output is raw bytes; a byte that happens to be CR or LF would be cut
' short by the line-based read later, so hex-encode the output if that bites you.
Set fso = CreateObject("Scripting.FileSystemObject")
Set Oput = fso.OpenTextFile("lcl.txt", 2, True) 'mode 2 = write (8 = append) - output file
Oput.WriteLine EnDeCrypt(strAdmPwd, plaintxt)
Oput.Close
Set Oput = fso.OpenTextFile("net.txt", 2, True) 'mode 2 = write (8 = append) - output file
Oput.WriteLine EnDeCrypt(strUsrPwd, plaintxt)
Oput.Close
WScript.Echo "Created encrypted password files"

This code is not quite complete though as it uses Mike Shaffer's RC4 encryption routine which is copyrighted so not reproduced here. All you need to do is find this routine and add the code for the two functions which are:

Sub RC4Initialize(strPwd)
Function EnDeCrypt(plaintxt, psw)

Add these sections from Mike's code to the end of the script and then run it. Also don't forget to change the plaintxt variable. You can change it to anything you like but the same value needs to be entered into the decoding routine later on. The RC4 encryption algorithm is used for WEP, WPA and SSL encryption amongst others. It may not be the most secure system available but if you are concerned about its effectiveness my advice is to re-write the code with a more secure algorithm. The two routines mentioned above perform the encryption and decryption so only they would need to be substituted.

Once run you should have two files called lcl.txt and net.txt which hold your local and network admin passwords. Copy lcl.txt into the postghost\hostname folder and then copy net.txt into postghost\Joindom. If you open these files with a text editor they should appear to be a garbled sequence of obscure characters. I always do this just to be certain that my passwords have not been stored as plain text (which would be bad if the local admin account was compromised).
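As an added example (not from the post and not Mike Shaffer's routine), here is the same lcl.txt / net.txt round trip in Python: an independent textbook RC4, the key string from the script, and the "does the file show the password in clear" check described above. The passwords and output folder are constructed, and the ciphertext is stored as a hex line (which the post's scripts do not do) so a stray CR or LF byte cannot break the line-based read.

```python
"""Round trip for the lcl.txt / net.txt password files (added example).

RC4 is written out from the textbook description (key scheduling, then the
keystream generator); it is an independent implementation, not Mike Shaffer's
VBScript routine. Passwords and the output folder are constructed values.
"""
from __future__ import annotations

import os
import tempfile

KEY_TEXT = "YouAreNotATerminatorRobot"   # the 'plaintxt' common key from the script
ADMIN_PASSWORD = "Sw0rdf1sh!"            # constructed sample values
NET_PASSWORD = "c0rrect-horse"


def rc4_keystream(key: bytes):
    """Yield RC4 keystream bytes for `key` (KSA followed by PRGA)."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:                               # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def endecrypt(data: bytes, key: bytes) -> bytes:
    """One routine for both directions, like EnDeCrypt(plaintxt, psw): XOR with the keystream."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def write_password_file(path: str, password: str, key_text: str = KEY_TEXT) -> None:
    """Store RC4(password) as one hex line.

    Raw RC4 output can contain CR or LF bytes, which a line-based reader would
    split, so the bytes are hex-encoded instead of being written directly.
    """
    cipher = endecrypt(password.encode("latin-1"), key_text.encode("latin-1"))
    with open(path, "w", encoding="ascii") as fh:
        fh.write(cipher.hex().upper() + "\n")


def read_password_file(path: str, key_text: str = KEY_TEXT) -> str:
    """What the renaming script does: read the line, decrypt with the same key."""
    with open(path, encoding="ascii") as fh:
        line = fh.readline().strip()
    return endecrypt(bytes.fromhex(line), key_text.encode("latin-1")).decode("latin-1")


def stored_in_clear(path: str, password: str) -> bool:
    """The 'open it in a text editor' check from the post: is the password visible as typed?"""
    with open(path, encoding="ascii") as fh:
        return password in fh.read()


def swapped_arguments_round_trip(password: str, key_text: str = KEY_TEXT) -> bool:
    """Encrypting the key text *with the password as key* cannot be undone by
    decrypting with the key text: data and key are not interchangeable."""
    pwd, key = password.encode("latin-1"), key_text.encode("latin-1")
    return endecrypt(endecrypt(key, pwd), key) == pwd


def demo(folder: str | None = None) -> dict:
    """Write both files the way the post does, read them back, and report the checks."""
    folder = folder or tempfile.mkdtemp(prefix="postghost-")
    lcl, net = os.path.join(folder, "lcl.txt"), os.path.join(folder, "net.txt")
    write_password_file(lcl, ADMIN_PASSWORD)
    write_password_file(net, NET_PASSWORD)
    return {
        "local_admin": read_password_file(lcl),
        "network_admin": read_password_file(net),
        "visible_in_clear": stored_in_clear(lcl, ADMIN_PASSWORD) or stored_in_clear(net, NET_PASSWORD),
        "swapped_arguments_work": swapped_arguments_round_trip(ADMIN_PASSWORD),
    }


if __name__ == "__main__":
    print(demo())
```

A file that looks garbled is only as protected as the key text sitting in the script beside it, which is why the folder permissions described in this part matter as much as the encryption.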

That's it for today. Next we look at the actual renaming script.

Automating Desktop Installation - Pt1. Concepts

This may be familiar territory for a lot of sys-admins out there. You have a room full of computers, all requiring the same software to be installed although of course every machine needs to be slightly different. So what do you do? There are three approaches.

You could install each machine individually but that would take forever. You could set up one machine and then copy it using drive cloning software (like Symantec Ghost for example), or you could go down the enterprise route and use sysprep to create a machine which has no individualisation and which can then be cloned and reconfigured. There are in fact other options but for now we'll look at the cloning option since this is the most cost-effective for small or medium sized businesses.

Usually there are a lot of factors beyond your control, however some network configurations can make life easier. For example if you have the choice between static IP addresses or DHCP, I would personally opt for static. Being able to spot malicious packets using Wireshark and knowing exactly which machine is being used can save a lot of time. On the other hand DHCP can make managing desktops easier since it avoids any possibility of having multiple machines using the same IP address. Using DHCP with a wi-fi access point will also allow your users to use other devices (phones, iPads, laptops etc) without you having to allocate an IP address to each one (and also having to configure the device for use on your network).

If you use static IP addresses, you probably use the last octet of the IP address in the computer's network name. For example a PC called RoomA-1 would be set to with RoomA-2 being The 3rd octet (123) may be different but this is fairly basic networking and used to be called a private class C network. These days there's a new standard (called CIDR) which would see this IP address displayed as (the /24 means the first 24 bits are used to identify the network address and the remaining bits are used to specify the machine address - in this case using the remaining 8 bits, which would allow a max of 2^8 or 256 machines on this network).

With DHCP, life is simpler. You give each machine a unique host name and then let the DHCP server take care of all the IP addressing. Think of a DHCP server as being like the voter registration system used by the government - everybody should get one voting slip and only one which identifies them. DHCP also creates a problem though since we never know what the IP address is going to be (if you move house the week before voting, your voting card may not arrive at your new address in time). You could configure your DHCP server to always issue the same IP address which sort of defeats the purpose a bit. Well ok, in some circumstances you want this to happen. It's harder to configure firewalls and port-forwarding on routers if your servers keep changing IP addresses.

Back to the main issue though. You now have one machine set up and you want to create another 10+ copies of that machine but you don't want the hassle of reconfiguring them all. What do you do?

We know that hostnames will initially be the same since we are going to copy the entire hard-drive and that will have the machine-name stored on it. We suspect that you will most likely be using DHCP if you want users to have their own devices connected to your network with the least amount of hassle. So how do you get the machines to reconfigure themselves automatically?

The answer is to use the hardware. Each network card (NIC) has its own unique identifier called a MAC address. It's what network switches use to direct packets of information between connected devices. They are designed to be unique so that network devices don't get confused about which messages going over the network are for them. Think of this like an RFID chip. We can question this chip to find out the MAC address and then perform a look-up using a data file. This data file will have the MAC address of each computer on our network and we will use a script to discover this hostname, set it, join our domain and then reboot the machine. To think I used to have to do this manually on over 150 PCs each year.

Unfortunately all of this needs to be installed on our machine before we clone the drive so the first step is to collect the hardware information about all our computers. Once we have done this, there are certain other factors to keep in mind. In many cases machines are secured to desks but if one is removed (swapped because of a fault for example) just keep in mind that you will need to update your list of MAC addresses.

I like to call this initial data collection process the pre-ghost routine. The process involves running the following script on all our lab PCs. The good news is this can be done remotely from my own desktop. First of all we need a list of our current hostnames which looks like this:


We save this to a file called hostnames.txt. This file is then called from our VB script file to read the MAC addresses of those machines. The script which does this is here:

' Requires a list of machine host names in file hostnames.txt
' Must be run from domain pc with admin rights on all machines in list
' Windows management service must also be running on these PCs
Dim fso
Dim tst
Dim Oput
Dim strMachineName

Set fso = CreateObject("Scripting.FileSystemObject")
Set tst = fso.OpenTextFile("hostnames.txt", 1, False) 'mode 1 = read
Set Oput = fso.OpenTextFile("Macs.txt", 8, True) 'mode 2 = write (append = 8)

While Not tst.AtEndOfStream
    strMachineName = Trim(tst.ReadLine)
    If strMachineName <> "" Then echoMAC strMachineName
Wend
tst.Close
Oput.Close

Sub echoMAC(strComputer)
    On Error Resume Next
    ' strComputer = InputBox("Computer name for MAC address", "Computer Name")
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
    If Err.Number <> 0 Then
        'machine off, firewalled or WMI not running - report it and carry on with the list
        WScript.Echo "Could not query " & strComputer & ": " & Err.Description
        Err.Clear
        Exit Sub
    End If
    Set colItems = objWMIService.ExecQuery _
        ("Select * From Win32_NetworkAdapterConfiguration Where IPEnabled = True")

    For Each objItem In colItems
        If objItem.MACAddress <> "00:11:67:27:B4:4E" Then
            'this mac appears on all PC's - wi-fi/bluetooth maybe?
            'you can probably leave out the if and end-if
            'for your network but leave the oput line below
            Oput.WriteLine strComputer & "=" & objItem.MACAddress
        End If
    Next
End Sub

If all goes to plan then you will end up with a file called Macs.txt which looks similar to below. If not then today's task is to discover why this is not working and fix it. For that reason I will leave off here for now.

Macs.txt file

If you do get a machine which persistently fails to run the script, you can also obtain the MAC address using command line tools. From the start menu, select run and type in cmd.exe. Then use the following commands:

ping hostname
arp -a

If this also fails you will need to log in on the machines in question, start up cmd.exe again and type in

ipconfig /all

The MAC address is referred to as the physical address and looks like those above with all the : characters. If you decide to edit your macs.txt file by hand to include these, make sure that all the hex characters (A-F) are entered using CAPITAL letters or the next scripts may fail.
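The lookup the renaming script performs on this file, as an added example in Python (not the post's scripts): it reproduces the Right(strMac, 17) comparison from the renaming script and, going beyond the post, normalises case and separators so a hand-edited lower-case or dash-separated line still matches, and it refuses a list in which one MAC appears under two hostnames. The Macs.txt contents and addresses are constructed.

```python
"""Hostname lookup against Macs.txt (added example, not the post's own code).

Reproduces the match the renaming script performs (the last 17 characters of a
hostname=MAC line against the MAC addresses WMI reports for the local adapters)
and goes one step further: MAC addresses are normalised before comparison, so a
hand-edited lower-case or dash-separated entry still matches. The file contents
and addresses below are constructed.
"""
from __future__ import annotations

import re

# Constructed stand-in for Macs.txt as written by the pre-ghost script, with a
# hand-edited lower-case line, a dash-separated line, a machine with two NICs,
# and two malformed lines.
MACS_TXT = """\
RoomA-1=00:1A:2B:3C:4D:5E
RoomA-2=00:1a:2b:3c:4d:60
RoomA-3=00-1A-2B-3C-4D-61
RoomA-3=00:1A:2B:3C:4D:62
RoomA-4=
this line has no equals sign
"""


def normalise_mac(text: str) -> str | None:
    """Return a MAC as upper-case, colon-separated pairs, or None if it is not one."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", text)
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def strict_match(line: str, mac: str) -> bool:
    """The renaming script's test, Right(strMac, 17) = mac: exact text only."""
    return line[-17:] == mac


def parse_macs_file(text: str) -> dict[str, str]:
    """Build MAC -> hostname from hostname=MAC lines, skipping malformed ones.

    A MAC listed under two different hostnames would make the renaming step
    pick a name depending on line order, so such a list is refused outright.
    """
    table: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if "=" not in line:
            continue
        hostname, _, mac_text = line.rpartition("=")
        mac = normalise_mac(mac_text)
        if not hostname or mac is None:
            continue                      # e.g. "RoomA-4=" with no address
        if table.get(mac, hostname) != hostname:
            raise ValueError(f"line {lineno}: {mac} already belongs to {table[mac]}")
        table[mac] = hostname
    return table


def lookup_hostname(adapter_macs: list[str], table: dict[str, str]) -> str | None:
    """Return the one hostname matching any of this machine's adapters.

    Checks every adapter the post collects (up to 8 NICs). No match gives None;
    adapters pointing at two different hostnames means the list is wrong for
    this machine and is reported rather than guessed.
    """
    hits = {table[m] for m in map(normalise_mac, adapter_macs) if m in table}
    if len(hits) > 1:
        raise ValueError(f"adapters match several hostnames: {sorted(hits)}")
    return hits.pop() if hits else None


if __name__ == "__main__":
    table = parse_macs_file(MACS_TXT)
    # what WMI would report for the RoomA-2 machine, compared both ways
    print(strict_match("RoomA-2=00:1a:2b:3c:4d:60", "00:1A:2B:3C:4D:60"))   # False
    print(lookup_hostname(["00:1A:2B:3C:4D:60"], table))                    # RoomA-2
```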

15 December 2010

The Future of Firmware (or software in general)

There have been a lot of privacy stories in the news recently. Articles ranging from how governments would really like to stop Wikileaks from releasing information they consider sensitive, to stories of people falling foul of extreme pornography laws when their naughty holiday snaps are viewed by customs officials, to stories about security professionals being detained and having their equipment confiscated at airports. While I personally believe that all the information published by Wikileaks should be publicly available via the freedom of information act anyway (without actual names maybe - that would fall foul of the Data Protection Act), the fact that these articles are newsworthy says much about how our governments censor and control our everyday access to media.

It may be time that manufacturers empower us with the freedom to control how much we choose to disclose about ourselves in a similar way. For laptops and computers, this issue has been addressed several years ago. There are both hardware and software encryption systems to protect our data. What about portable devices though? Is it time that manufacturers gave us the option of encrypting our camera images, our video camera footage and in fact all our digital works? There also seem to be a number of stories about security professionals being parted from their devices when they are detained at airports so let me predict the future of hand-held devices for any of those big companies out there that would like to create the next iPhone etc.

First of all encryption is going to come to all things mobile. I'm sure there are plenty of people out there that welcome this. What people consent to in the privacy of their own home or holiday apartment etc. is their own business. If they want to keep a digital memento of it then I see no harm in it, but with today's cameras and camera phones you can never be sure that your 'artistic' works are safe from prying customs officials' eyes. Encrypted data will become the norm and anyone who wants to be in this movement at the ground level should probably have already produced their ePDF equivalent data format by now.

I also predict encrypted backup storage in the cloud. Those security professionals need to be able to wander into any store and pick up a new device which meets this minimum specification. Within 5 minutes of purchase they should have been able to restore their contacts list and most recent data from online storage facilities. For anyone who has ever had a phone lost or stolen, you know exactly what I'm talking about. I would also expect phones to come with the ability for the owner to track where their lost phone is (or for this service to be available to police forces in the case of stolen phones). Obviously your contacts list and recent media creations will need to be encrypted and backed up automatically or else few people would take the time. The first company that offers this sort of service will probably be the market leader for several years.

It's also likely there will be more compatibility between models in terms of accessories and interfaces. You have only to look at recent historical memory card formats to see what happens to technology over time. Cameras used to have all sorts of different formats but eventually SD started to dominate due to its lower prices. These days most cameras seem to use SDHC. Not going with the flow can cost suppliers in terms of sales. I would expect this sort of convergence to continue. Along the way will be some other developments which will also be merged into the finished devices.

Batteries would be the next logical development. Being able to use standard batteries is a good selling point of many video cameras aimed at the YouTube producer market. We have been told time and again that lithium polymer batteries provide more power and for longer, but every manufacturer seems to provide different sized batteries. I expect to see some developments here along the lines of new battery ranges which are compatible with existing standard sizes (AA, AAA, C & D). Even if normal zinc-carbon batteries cannot power devices for more than one or two hours, the wide availability of them catches a buyer's attention. It would be better to have 10 minutes talk-time in an emergency than none at all because your battery is flat. I would be surprised if we didn't also see solar and motion-powered (wind-up?) recharging facilities built into future devices.

So to summarise, mobile devices will:
Make use of encryption as standard,
Have rapid data movement to a new device,
Use standard parts and interfaces,
Implement green energy systems

At least that's my theory, feel free to differ.

Next week I hope to return to more technical postings. I intend to start with a downloadable archive of scripts for quickly setting up a number of PCs and adding them to a domain. I adapted these from various online tutorials to achieve a set of scripts which allow me to rapidly configure our lab machines here. Check back soon, it will be worth it.

11 December 2010

Yourshape lookin' good

I mentioned a couple of weeks back that we have decided to join the xbox brigade in an effort to stop junior launching wii-motes into the TV. I have to admit I've been quite enjoying Your Shape - Fitness Evolved. Despite the fact the xbox system doesn't have a linked in measuring system (like the wii-fit balance board) it has been quite compelling in other ways.

In fact for a bloke, the cardio-boxing exercises are great. None of that namby-pamby step aerobics if you please, this is serious get-your-heart-pumping stuff and the only thing missing is a small Japanese bloke shouting "wax-on, wax-off". Here we see the potential of kinect for podge-busting. Yes who would have thought getting in shape could actually be enjoyable and a little bit... macho?

Obviously this is a great starting point and I look forward to further developments along these lines. Why "Get fit with Mel B" when you could... get fit punching Mel B? Where does it go from here though? In a recent Gadget Show challenge, Jason Bradbury had a special training dummy built to learn martial arts (specifically Wing Chun). Will we ever get to the stage where you could learn these skills via a games console? It could spark a whole new revolution in gaming. Not only do you get to beat up the baddies but you genuinely learn a martial art along the way and no doubt an in-game trainer could give advice on diet and warn of the perils of drinking too much fizzy juice.

Back to the present though and this week also saw the launch of some extra training programs for YSFE. At 560 Microsoft points for the pair (another cardio-boxing and another toning program) you can't help but think that maybe this is not the best value for money. The 560 points equate to about £4.76 which is hard to justify for something which looks like more of the same. I would have liked to see completely different training programs for anything over a couple of hundred points. Since the release date is so close to the original title, you can't help feeling that these were just not quite ready for the initial release date. Have a look at the differences between wii-fit and wii-fit plus to see how it should be done. The associated web-site is good and I am enjoying setting calorie burning goals although it doesn't always seem to be as up-to-date with my scores as I would like.

According to the wii-fit I have gone from 11.5 stone to 10.75-ish in a few weeks. I was so shocked that I had to retake the body test 3 times (twice in the buff to rule out errors in my clothes weight). The question is... have I found a way to adopt a new lifestyle or is this just a fad that will lose its appeal in a few weeks? There is no doubt that some of the exercises are a chore and the biggest problem is the inability to create your own program of exercises. Having done several of the 'Men's Health' fat loss sessions I am beginning to worry about my knees. I'm not quite sure where the fat is that requires the split-jumps to remove it. I remain skeptical that it's doing anything for my stomach or abs though. This is where a routine constructor would have been good, giving you options for building your own routines and the possibility of swapping such knee-destroying activities with something a bit more stomach-centric.

I will have to return to this topic at some point in the future but one month on, it does look like YSFE was a good buy.

7 December 2010

Amazon #fail

Once again the otherwise good name of Amazon is being degraded by those deemed trusted agents. I am of course referring to their resellers. I imagine it works well for Amazon, sitting back in control of the portal while other people take and fulfill the orders. I hadn't really given it much thought as after it was introduced the service was generally very good. The cracks are beginning to show though.

Today I received an email to say that an order for an item I ordered as a Christmas present has been cancelled. Nothing to suggest a reason why, and a review of my Amazon orders reveals that not even the original order is stored online. So I am left baffled. Why did the reseller cancel this order? Amazon thoughtfully included a link to the product in the cancellation email which I followed out of curiosity. Strangely the item is still being offered by the same seller who apparently still has the item in stock. Had I not logged into my home email account I might have been left in a real panic this time next week when I realise the present hasn't arrived.

The real question though is what happened to the audit trail? I know I placed an order (after all I have a cancellation email about it). I just can't seem to find any information about ordering it in my account history. Now if I want to return an item or cancel an order I generally have to give a reason. I'm now really curious to know why my order was cancelled when the seller appears to be still selling the same item. I appear to have lost that buyer-seller communication. Since this sort of thing has now happened on multiple occasions I am learning to steer clear of resellers when possible. It's not that they are all bad (far from it) but I have learned a lot about shopping online over the years. First of all never buy unless the web-site clearly says the item is in stock. Luckily Amazon takes care of this automatically. The second rule is always check contact details for the seller which is much harder when dealing with resellers.

So why is Amazon's reseller program having these difficulties? After all if I order something which is sold by Amazon.co.uk it usually arrives within 5 days. If I order from resellers though things sometimes don't arrive at all and then I just get a cancellation email like this (and sometimes too late). In fact last time it happened I gave the seller several weeks to sort out the delivery and then had to file a non-delivery complaint at which point I was refunded. You have to ask why Amazon are allowing their resellers to behave like this when their own core business is generally good? I have no idea but if the items I want to buy are not offered direct from Amazon then I do now look to see if I can find them from another trusted retailer, even if they are slightly more expensive. Sometimes you need to have a high level of confidence in a retailer. Sadly that's something that a few resellers are being allowed to spoil for all the others. If I were in charge of Amazon, I'd look into this further. I think I would also want to collect data on who is cancelling orders and how frequently. After all if the seller cancels a transaction, no feedback gets posted after the event to warn their future customers.