Category Archives: Microsoft

Threadlocker 128x128

ThreadLocker 2.0 is live!

Threadlocker 128x128Back in 2012 I wrote a utility called “ThreadLocker” for dealing with CPU heavy processes or multi threaded processes that have a nasty tendency to cause sluggish performance or even hangs in shared computing environments.

You can read all about the original concept here. My good friend and fellow CTP Barry Schiffer also wrote a really good article about the need for a product like ThreadLocker here.

 

Some history:

In essence, ThreadLocker was a utility for both shared and 1:1 desktop environments. It allowed you to layer in rules for processes that had a history of high or discruptive CPU usage, to protect the other users (in a shared environment) or to protect other running processes and the users interface (explorer.exe) while a large compute job was occurring.

ThreadLocker exploded with popularity and has received well over 100,000 downloads in the last three years. Alike ThinKiosk, ThreadLocker is a tool I regularly come across in my customers environments while consulting and it always suprised me with it’s uptake and popularity. I have observed ThreadLocker in VDI, SBC and even on stand alone workstations with great levels of success.

 

Moving on:

One of the frustrations I had with ThreadLocker, was any .NET based language (c#, vb.net, etc.) was never quick enough to be able to add an intelligent aspect to the utility without actually making CPU usage worse by implementing. ThreadLocker 1.0 relied on static rules and any new processes would have to be observed and added.

Recently David Coombes and I undertook the side project of redesigning ThreadLocker to run in c++, adding the raw speed we needed to be able to make intelligent decisions based on CPU usage and react in a fraction of a second to a sudden CPU spike. ThreadLocker 2.0 was designed to specifically tackle two issues:

  • Processes comsuming a large % of CPU and is multithreaded.
  • Many buggy or heavy processes, each consuming a core each.

We didnt want to tackle this with the approach of many others, where they’ll pause and resume threads many times a second creating a “SawTooth” effect on the processes CPU usage. We wanted the processes to run as fast as they need up to a certain threshold and only be restricted when contention is likely.

Having experienced other vendors approaches where process priority is dropped, many times this simply does not cut it as a heavy process, even at idle priority, will cause the other users and processes to feel slow and sluggish.

Why is ThreadLocker different?

With ThreadLocker 2.0, you can elect a percentage of your CPU cores that ThreadLocker can use for isolating these processes. When a process violates the ThreadLocking criteria, they are locked into these subset of cores to contend with any other processes that are also ThreadLocked, leaving well behaved processes to be able to take advantage of all cores in system. Once they start to behave again and do so for a certain amount of time, the processes are dropped back into the “wild” unless they decide to misbehave again.

This approach is extremely fast (ThreadLocker consumes less CPU than Microsoft’s own Task Manager) from a processing point of view and also has the benefit of allowing users to multitask with other applications while, for example, Excel hammers the ThreadLocking cores during a calculation.

The end result has been fantastic. Threadlocker can be installed and up and running in seconds. There is no longer a requirement for static rules and out of box, all aspects of the logic can be tuned to suit your environment, but more than likely wont be needed.

 Demo Video:

 


Availability

We are proud to announce the general availability of ThreadLocker 2.0 and more information can be found on our website at http://www.thinscaletechnology.com/threadlocker.

 

ThinIO Public Beta is go!

logoLets get right to it!

Warm up your labs or fire up your golden images ladies and gents, we’re delighted to announce ThinIO’s brief public beta will begin today!

This project has taught us some really interesting things about Windows IO, how Windows behaves and how the hypervisor and storage can behave. This project really felt like a David vs. Goliath task as we (members of our community with a desire to simplify this issue) attempted to tackle one of the largest issues in our industry, storage bottlenecks and Windows desktops.

What’s really unique about our approach is there are no hardware lead times, no architecture changes needed and no external dependencies. ThinIO can be installed in seconds and the benefits are seen immediately.

Continue reading

Announcing the ThinKiosk v4 Release

ThinkioskReflection

Thinkiosk Version 4.0 is the culmination of 9 months hard work, rebuilding ThinKiosk in a new development style to include the enterprise features many of you requested, adding a management server, secure key redirection technologies, local group policy control and a number of other features. After weeks of rigorous testing we’re delighted to announce the availability of ThinKiosk version 4… Today!

With the release of Version 4.0 we’re lifting the cloak on the company we’ve setup in order to support and further develop ThinKiosk, ThinScale Technology. We’ve set up ThinScale as a little software company to publish applications to the virtualisation community, tackling the smaller issues and annoyances we face day to day as consultants and administrators. More clever little products are in the pipeline, but for now enough about the company! Continue reading

ThinKiosk 4.0 preview and feature teaser:

ThinkioskReflection

Everyone having a Good Citrix Synergy week? Some great new products announced! Ready for more announcements?

Great!

After 5 months of coffee, tears of frustration and hair pulling we’re absolutely delighted, thrilled and relieved to announce ThinKiosk 4.0 is nearly ready. Complete with my new partner in crime Remko Weijnen (I’ve been saying ‘we’ for ages, now you know who… awesome eh?) we’ve worked some long nights to get this version out the door.

With that out of the way, we’re proud to announce some of the new features coming in 4.0. Bear in mind this is just a preview, the final features and details of the product are still being hammered out, but below is a taster of some of the functionality you can expect to see shortly.

 

Back to the drawing board:

ThinKiosk 4.0 is a complete rewrite and refactor of ThinKiosk. It’s built on the 4.0 .Net framework which has brought a lot of simplicity and new features to our tool-set. ThinKiosk 4.0 was built with three main aims:

  • Enterprise Ready.
  • Fool Proof.
  • Secure by Design.

With ThinKiosk 4.0, your setup time will go from days to minutes. Out of the box, ThinKiosk is ready for the following technologies without any local machine tuning:

  • Citrix XenDesktop / XenApp.
  • Citrix VDI in a Box.
  • VMware View.
  • Microsoft Remote Desktop Services.

For the exact details of each of these optimizations, follow the subsequent blog posts / documentation.

 

New Look and Feel:

Without further ado, lets start with the new look and feel:

mainWindow

ThinKiosk 4.0 has also been built on the industry leading graphical interface DevExpress giving us a really shiny, professional and sleek interface. Finally giving us an Interface we can be proud to put on your desktops.

ThinKiosk’s interface has been further improved giving you an Applications tab for Publishing desktops for VMware View, Microsoft Remote Desktop services or Citrix Desktops via ICA file or local applications.

appscreen

This Applications tab has been modelled after the windows 8 Metro err, I mean Windows 8 UI. This provides a similar look and feel to the new Windows start menu and it really breathes new life into old hardware. With this tab, you can publish shortcuts to VDI Desktops or local applications making it a one stop shop for applications.

You can flick from one tab to another easily, or disable the one you do not wish to use.

 

It’s all about the customization!

Beauty is in the eye of the beholder right? Agreed!

Themes:

 ThinKiosk 4.0 will ship with over 8 themes and wallpapers, customization of the splash screen, buttons… everything!

foggy black office 2010 black Office 2010 Blue Office 2007 Pink office 2007 Green

The Applications tab can also be completely customized to your tastes:

cust

 

 

Lock down:

As with Previous versions of ThinKiosk, every button and object in ThinKiosk can be locked down to exactly what you wish, for example here’s a stripped back browser session:

lockdown browser

 

Or a stripped back application window:

 

lockdownapps

Anyway… Enough about the appearance, Lets talk tech!

 

Introducing the new ThinKiosk Broker Service and Management console:

tkbroker

The ThinKiosk Broker, Management Console and ThinKiosk clients use an all new ThinKiosk TCP protocol (I never ever, ever want to see a tcp socket again for as long as I live, writing this protocol was a killer!) to allow you to centrally manage, catalog and report on your ThinKiosk devices. The protocol is lightening fast and secure by design.

This new framework will form a long blog post itself, but some quick fire information is below:

  • Complete off domain management.
  • Auto device registration, just point ThinKiosk at the broker and it will check in and download the default profile.
  • Remote Control / Shadowing of end point devices via the console.
  • Device Grouping for profiling multiple devices or creating an organisation structure.
  • Remote actions (power off, restart, update).
  • Device Reporting.
  • No Enterprise database software necessary.
  • Audit logging.

Unlike other Thin Client protocols and software, ThinKiosk does not accept any inbound connections, in user or system context. Removing the ability to hijack thin clients… which is all too possible with certain vendors!

The console is simple, and quick to navigate:

MC

Installation of the broker takes roughly 5 minutes and is ready to serve your Devices as soon as you configure the default profile.

 

New Profile Handler:

The ThinKiosk client has received an overhaul and with it we’ve streamlined the profile. ThinKiosk no longer requires group policies or the clunky offline config tool, we have a new profile system based on XML files with a fitting profile editor to match:

profile editor

No more configuring 5 group policies for one url, the new policy manager is clean, self explanatory, full of new functionality and uses the same interface whether you are using the ThinKiosk management console or modifying the local profile.

If you want to still use group policy to deploy configuration? No problem! just drop the file on the client via group policy preferences!

 

And the Client!

Lets talk about the 4.0 client.

 

Supported platforms:

Windows XP – Windows 8

 

Browser Ahoy!

browser

ThinKiosk is now a fully fledged browser, complete with address bar. If you want to allow your users to browse around, now you can.

 

Browser improvements:

The ThinKiosk 4.0 browser will:

  • Supress scripting errors.
  • Allow you to add your sites to the trusted sites via policy.
  • Auto tunes the browser for VDI portals.
  • Auto circumvent silly SSL untrusted or mismatched errors (great for POC’s *cough* VDI in a Box *cough*)
  • ThinKiosk now runs as an Internet explorer executable. No more flicking between iexplore.exe and thinkiosk.exe.

 

VDI Improvements:

Now to the nuts and bolts!

 

Local login pass through:

Now that you have the ability to add direct VDI connections. ThinKiosk will handle the log in experience and pass the credentials to the responsible technology:

login

This integration allows ThinKiosk to better manage the desktop experience and provide your users with a single login pane rather than the recurrent login screens you can experience with Microsoft / Citrix file connections.

These connection files can also be auto launched, to remove that pesky click first thing each day.

 

Citrix Technologies:

  • Log off screen redirection for Web interface, storefront and VDI in a box.
  • Log off the web portal when a desktop launches for the above platforms.
  • Support for Adding ICA file connections.
  • Auto configuration of Single sign on from local pc to remote desktop. (Nightmare previously).
  • VDI in a Box auto browser tuning for compatibility.
  • Optionally disable the Citrix Desktop viewer (CDviewer.exe).

 

VMware View:

  • Support for publishing multiple pool connections
  • Support for publishing multiple direct desktop connections.
  • Support for PassThrough.
  • Disables Certificate checking by default for quick POC’s.
  • Pass through ctrl alt del / Windows + l (more on this later).

 

Microsoft Remote Desktop Services:

  • Support for publishing multiple connections.
  • Support for 2012 RDS and VDI.
  • SSL Certificate warning suppression.
  • Support for login once.

 

Improved local application handling:

ThinKiosk 4.0 has an improved local application engine, When you add an application to the Applications tab, it will automatically pull in the icon window and you can also specify to launch apps but hide them (think run key entries). If ThinKiosk is restarted via admin task, it’s smart enough to know not to relaunch them.

Environment variables for paths and arguments are fully supported and i’ve also added a variable for 32bit program files paths… I always wondered why Microsoft didn’t do this, but I digress.

 

Windows secure keystroke blocking and passthrough:

You asked… (and asked and asked and asked and asked). It’s done, with ThinKiosk 4.0 you will be able to block CTRL + Alt + Del, [Windows] + [L] etc.

Pass through of these keystrokes to the remote desktop is available for VMware View already and will be coming shortly after 4.0 for Citrix and Microsoft connections.

machine lockdown

 

Group Policy Lockdown:

By default when you install ThinKiosk 4.0, it will arm the PC with the most restrictive policies via the local group policy engine, disabling access to all admin utilities and even local disks. This lockdown can be tuned or turned off via policy if required.

ThinKiosk performs privileged actions via the ThinKiosk Machine service which installs as part of the installation.

 

Auto log in account:shell

ThinKiosk will ship with it’s own user account for fast deployment. This account will be created on the local machine and gives you a quick an easy method to manage local accounts on non domain joined PC.

The accounts password is synchronized with the ThinKiosk unlock password you specify.

This account is completely optional and you can turn it off or substitute it with a domain account of your choice.

ThinKiosk will also manage the Windows Shell replacement policy itself via policy, so no more mucking around with local group policy or registry keys.

ThinKiosk also now encrypts the auto login account using LSA.

 

Active Setup:

as

With ThinKiosk as shell, you can now run Active Setup with ThinKiosk’s improved Active Setup Async.

Active setup Async is a utility we have implemented into ThinKiosk that will perform active setup 60% faster than standard Microsoft active setup via a threading and queuing engine, the end result is active setup support ( for example: HDX flash redirection) with a much faster (and prettier)  interface.

 

Start up Script:startup sript

ThinKiosk can now implement the local group policy engines start-up script to allow you to manage off domain PC’s. With the start-up script, you can install software, updates, disable services, uninstall software, delete files, profiles… anything!

The only limitation here is your own imagination or scripting abilities.

If the latter is a concern? worry not, we’ll be creating a scripting library where ThinKiosk enthusiasts can share and collaborate on similar tasks.

 

Local session control:session

ThinKiosk 4.0 offers you the ability to control local volume, printers, screen saver and even background color.

 

Improved debug logging:debug window

ThinKiosk logs everything, every action, command, hiccup… everything.

If something isn’t quite working as expected, chances are the debugging window will announce in triumphant glory exactly what is broken!

 

Redundant profile management:

ThinKiosk takes a copy of it’s profile on each check in to an FTP server or Broker server.

In the event of the server being offline ThinKiosk attempts five times to connect before failing back to the local profile allowing your users to continue working without an outage.

If the broker server becomes available again throughout the day, ThinKiosk will check back in to allow management but will not disturb the user.

 

And so much more!

I’m not going to go on and on, but as you can see… It’s awesome!

Check back in a few weeks for the release as we ready the build.

I need your help Server Based Computing / VDI Experts!

Hi Guys and Gals. I’m currently fighting the good fight with Microsoft support and require your help and backing in order to close down a long standing bug in the Windows Explorer Shell.

As you are all aware, hiding the c: drive and restricting access has been a utility we use frequently in shared computing and VDI environments. Restricting this functionality removes views of the shared drive from users and adds a layer of security and complexity* to ensure the users in question have access to only what they need in order to do their jobs day to day.

*I’m not looking to argue the merit of doing this either, it really depends on the business case or environment to dictate whether this option is set. I’m NOT saying it should be done in every case.

We all know it’s not fool proof, there are certain ways for users to circumvent this layer and I particularly don’t want to discuss them here to give potential devious users a landing page for idea’s!

The problem:

Prior to windows Vista, when you hide the c: drive and an application requests access to a c: drive folder, be it from an “open save dialog” or otherwise, Windows detects this event knows that the folder is restricted and merely redirects them to the desktop which they can see then browse to where they wish to open or save a document. This has worked fine to memory since windows server 2000.

But with the changes to Windows Vista’s windows explorer, repeating the above steps will result in the following annoying, unnecessary and interrupting error message “This operation has been cancelled due to.. bla bla blah”:

noname

This issue can be easily recreated, simply hide and restrict the c: drive, then click start > run > browse… bang.

The more annoying problem here, is after the error message, windows simply redirects back to visible folder. In most cases this is the documents library. So the error message is simply poping up then reverting to the functionality seen in previous operating systems.

So to review:

  • Issue introduced in Vista / 2008 and above.
  • error message displays.
  • Previous redirect functionality is still there and occurs after ok is pressed.

To Microsoft!

Being a pedantic individual, along with my colleague we brought this to Microsoft support and somehow lost months in the conversation as follows:

  1. Microsoft then redirected us to RES Software.
  2. Who (although very nice about it) sent us back to Microsoft.
  3. At which point I got involved.

Now with the correct audience and suitable severity, this problem has been identified as “introduced in Windows Vista” as an “Added Security feature“. How an annoying pop up box, masking previous functionality is a security feature is anyones guess, but it’s bloody annoying…

We have raised this as a bug and have requested Microsoft to fix it. The change in question was deemed as large change or substantial change due to WIndows explorer being used by all of the operating systems and basically told, without significant backing, this change wont be implemented.

Bureaucracy and broken policies, yes but that doesn’t help my customer.

Here’s where I need you:

In order to bolster this change and fix an issue in our beloved operating systems for Server Based Computing and VDI environments I need to hear from you and your customers to confirm they have had this issue, or currently face the issue and wish for a fix.

  • If you are a customer and suffer this issue, email me.
  • If you are a consultant and have customers with this issue, email me.
  • If you or your customer have enterprise support with Microsoft, I ESPECIALLY want to hear from you.

What’s in it for you?

Microsoft have provided us a work around, as a process that watches window messages and suppresses this dialog box when it occurs. If you get in touch, I’ll recompile this application with Microsofts permission and pass it on to you for use in your environment while we get “The Man” to fix it!

This fix is a bit of hack, as it’s scraping window messages but it’s light weight and scalable. Use this process for now and I’ll provide you with updates on a fix as and when I get them.

How do you contact me?

Please drop me and email on andrew{at}andrewmorgan{dot}ie with the following information:

  • Customer name:
  • Affected users:
  • Has enterprise support: (yes/no)

Once I have that information, I’ll send you back an executable via dropbox and keep you updated on the call process. This information is merely going to be fed straight to Microsoft with my personal guarantee of confidentiality. No funny business.

If you can’t share customer information, but have suffered this issue in the past, no problem! Please comment on this blog post the number of seats that were affected and roughly how many times you’ve seen it.

That’s it!

Thanks for entertaining my request for help and hopefully you too want to get this issue fixed as much as I.