Monthly Archives: January 2012

Removing Screen Resolution and Personalize shell extensions from a user's desktop session.

While working in a XenApp 6 proof of concept I came across this little feature and decided it's time to share it!

When a user right-clicks on the desktop, by default they get access to commands to manipulate the appearance of the desktop. As I restricted access to the control panel, the two options below were generating errors in the users' sessions:

The error generated is your standard group policy restrictions error message as below:

While digging into this further I found the following registry key that corresponds to the two prompts we see above.

HKEY_CLASSES_ROOT\DesktopBackground

Under this key, you can see both entries that appear on the shell extension menu;

The problem with this key is, it's owned by the TrustedInstaller account, and by default administrators cannot modify it. To modify this key and hide this menu from users (but maintain it for administrators) please follow the below steps.

Please note, any hotfixes from Microsoft may remove your hard work, so be prepared to redo this work if Microsoft decide to work with this key in future.

  1. Take a backup of this key, you’ll thank me if you get it wrong!
  2. Browse down to DesktopBackground\Shell\Display
  3. Right-click this key, choose permissions, click advanced then owner
  4. Select administrators from the list, then choose “Apply”.
  5. Browse to the permissions tab and remove the “users” group.
  6. Click “apply”, then “ok”.
  7. The “screen resolution” menu should now disappear from any current and future sessions.
  8. Repeat steps 2 to 8 on DesktopBackground\Shell\Personalize.
  9. Tada! Go grab a coffee to celebrate your domination over the Windows operating system.

And that’s it, you should now have a lean, clean and error-free shell extension menu when right-clicking on the desktop.

Pedantic, begrudging scripter's note:

Now if you’re a pedantic scripting so and so like me, you won't be satisfied to leave this job as a manual task. And despite spending more time than I’d like to admit, I couldn’t perform this work in PowerShell despite what I tried. Luckily the task was extremely easy to do with Helge Klein's SetACL program.

Below is an example of a script to achieve this:

setacl.exe -on HKLM\software\classes\DesktopBackground -ot reg -actn setprot -op dacl:p_nc;sacl:p_nc -rec yes

SetACL.exe -on HKLM\software\classes\DesktopBackground -ot reg -actn ace -ace "n:system;p:read" -ace "n:administrators;p:read" -actn clear -clr "dacl,sacl" -actn rstchldrn -rst "dacl,sacl" -rec yes
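Because a hotfix can put the original owner and permissions back, it helps to be able to check the two keys without opening regedit. The following read-only audit is an added example, not part of the original post; the function name `Test-DesktopMenuKeyAcl` is made up for illustration, and it assumes PowerShell 3 or later run as an administrator.

```powershell
# Added example (not from the original post): read-only audit of the two
# desktop context-menu keys named in the manual steps above.
$menuKeys = 'Display', 'Personalize' | ForEach-Object {
    "Registry::HKEY_CLASSES_ROOT\DesktopBackground\Shell\$_"
}

# Well-known SID of the built-in Users group; comparing SIDs avoids
# problems with localised group names.
$usersSid = 'S-1-5-32-545'

function Test-DesktopMenuKeyAcl {
    param([string[]]$Path)

    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            Write-Warning "Key not found: $p"
            continue
        }

        $acl = Get-Acl -Path $p

        # Explicit and inherited ACEs, with identities returned as SIDs
        $rules = $acl.GetAccessRules($true, $true,
            [System.Security.Principal.SecurityIdentifier])

        $usersAllow = @($rules | Where-Object {
            $_.IdentityReference.Value -eq $usersSid -and
            $_.AccessControlType -eq 'Allow'
        })

        [pscustomobject]@{
            Key                = $p -replace '^Registry::', ''
            # Reverts to TrustedInstaller if an update resets the key
            Owner              = $acl.Owner
            InheritanceBlocked = $acl.AreAccessRulesProtected
            # True means step 5 has not been applied or has been undone
            UsersAceCount      = $usersAllow.Count
            UsersGroupPresent  = $usersAllow.Count -gt 0
        }
    }
}

Test-DesktopMenuKeyAcl -Path $menuKeys | Format-Table -AutoSize
```

The check only looks for the Users group that step 5 removes; it does not evaluate access granted through other groups.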

The curious case of missing file shares on a Microsoft File Server Cluster.

I had a very unusual issue recently where, after a failover, one of my file cluster resources didn’t publish all shares to the users. Some shares did come up, but many of the shares were missing, resulting in users being locked out of their network drives.

I immediately jumped to the registry HKEY_LOCAL_MACHINE\Cluster\Resources and found the resource by GUID of my misbehaving file cluster. I could see all the shares missing were still published as resources as below:

Upon reviewing the event logs, each time the cluster was failed over, each missing share was logging the following event:

Log Name: System
Source: Microsoft-Windows-FailoverClustering
Date: xx/xx/xxxx 08:00:27
Event ID: 1068
Task Category: File Server Resource
Level: Warning
Keywords:
User: SYSTEM
Computer: XXXXXXXXXXX.Domain.com
Description:
Cluster file share resource 'File Server FileServer' cannot be brought online. Creation of file share 'Vedeni' (scoped to network name Fileserver) failed due to error '5'. This operation will be automatically retried.

Upon reviewing the share permissions, I found that an overzealous administrator had trimmed the NTFS permissions, removing the local system account. Upon each cluster resource coming online, the cluster uses the local system account to enumerate the shares and present them. Remove this account and your shares won't come online!

This account doesn't need to be on every folder, just each folder a share is based on. E.g. if you share d:\share\finance as \\server\finance, only the finance folder needs access granted to the system account.

To resolve, configure the system account to have access to the folder on “this folder only” then restart the file server resource. The resource will come online and your shares will be available again!
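The two checks described above can be scripted: pull the failing share names out of the event 1068 text, then confirm that Local System holds an ACE that applies to the share's root folder itself. This is an added example, not from the original post; the function names and the folder path are placeholders, and the sample message is the event text quoted above.

```powershell
# Added example (not from the original post).
$systemSid = 'S-1-5-18'   # well-known SID of the Local System account

# Extract share names from event 1068 descriptions that failed with
# error 5 (access denied).
function Get-FailedShareName {
    param([string[]]$Message)
    foreach ($m in $Message) {
        if ($m -match "Creation of file share '([^']+)'.*failed due to error '5'") {
            $Matches[1]
        }
    }
}

# Report whether Local System has an Allow ACE that applies to the folder itself.
function Test-SystemAccessOnFolder {
    param([string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p -PathType Container)) {
            Write-Warning "Folder not found: $p"
            continue
        }
        $acl   = Get-Acl -Path $p
        $rules = $acl.GetAccessRules($true, $true,
            [System.Security.Principal.SecurityIdentifier])
        $effective = @($rules | Where-Object {
            $_.IdentityReference.Value -eq $systemSid -and
            $_.AccessControlType -eq 'Allow' -and
            # An inherit-only ACE is handed to children but does not
            # apply to this folder, so it does not count here.
            -not ($_.PropagationFlags -band
                  [System.Security.AccessControl.PropagationFlags]::InheritOnly)
        })
        [pscustomobject]@{
            Folder       = $p
            SystemHasAce = $effective.Count -gt 0
            Rights       = ($effective | ForEach-Object { $_.FileSystemRights }) -join '; '
        }
    }
}

# Sample input: the event description shown above.
$sample = "Cluster file share resource 'File Server FileServer' cannot be brought online. Creation of file share 'Vedeni' (scoped to network name Fileserver) failed due to error '5'. This operation will be automatically retried."
Get-FailedShareName -Message $sample

# On a live node the messages could come from the System log instead:
# Get-WinEvent -FilterHashtable @{LogName='System'; Id=1068;
#     ProviderName='Microsoft-Windows-FailoverClustering'} | ForEach-Object Message

# Placeholder path; use the folder each failing share is based on.
Test-SystemAccessOnFolder -Path 'D:\share\finance'
```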

Retrieve Adobe Flash version with PowerShell

Just a quick PowerShell script to start the year.

I recently needed to audit the version of Adobe Flash on the machines a script was running on. This code was originally written for Visual Studio but translates well to PowerShell.

To retrieve the version of Adobe Flash on the local machine, use get-adobeflashversion. The code for get-adobeflashversion can be found below:

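[sourcecode language="Powershell"]
function get-adobeflashversion{
    # Returns the Flash ActiveX version as a dotted string, or $null if it cannot be read
    $version = $null
    try{
        # The control reports its version in the form "WIN a,b,c,d"
        $flashobject = new-object -ComObject "shockwaveflash.shockwaveflash"
        # Swap commas for dots and strip the leading "WIN " platform prefix
        $version=(($flashobject.getvariable("`$version")).replace(",",".")).trimstart("WIN ")
    }
    Catch{
        write-warning "Could not create Com Object, are you sure Adobe Flash is installed?"
    }
    return $version
}
[/sourcecode]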