No really, do YOU seriously believe your IT infrastructure is safe?

Renowned security expert Paula Januszkiewicz, specialized in penetration testing, Enterprise Security MVP and MCT and Microsoft Security Trusted Advisor, #1 speaker at premium IT conferences such as Microsoft Ignite, TechEd, RSA and more, will be in Romania for a 5-day hands-on security class in Bucharest, put together by Avaelgo Training.

Between the 17th and 21st of August, Paula will host the Windows Infrastructure Masterclass, which covers both hacking and securing IT infrastructures. This course is especially designed for enterprise administrators, infrastructure architects, security professionals, system engineers, network administrators, IT professionals and security consultants. As an added benefit, attendees will become Certified Security Engineers (CSEN).

Therefore, if you have your feet on the ground and realize that you MUST know more about security, this course is a must-attend and you'd better make sure your agenda is free between August 17 and 21.

Every now and then when I try to delete an Azure Active Directory directory it just so happens that I get this funny ‘Directory contains one or more applications that were added by a user or administrator’ error message.


What's so funny about it? Well, the simple fact that all the applications the message mentions seem, at least from the portal side, to have been created automatically when the directory was set up. So what can the solution be?

As it turns out, the Azure Management Portal doesn't actually list ALL the applications it creates when you set up a new directory; on top of that, it also creates a few applications on your behalf (you, the administrator) when you create the directory from within the Portal. In order to delete these AAD applications, you're required to get your hands dirty with some PowerShell scripting.

First, because Azure Active Directory is an upgrade from the former Microsoft Online Services identity service, please be aware that you might need to install a few additional tools on your computer, namely the Microsoft Online Services Sign-In Assistant for IT Professionals RTW (that sounds so Microsoft :-)) and also the Azure Active Directory Module for Windows PowerShell – it's preferable to install the 64-bit version of these tools, as the 32-bit version is discontinued at the time of this writing.

Once installed, go back to the Azure Management Portal and create a new organizational user within that particular directory (yes, I know, a directory must contain at most one identity before it can be deleted, but you will still need an additional user IF your single AAD global admin is a Microsoft Account):

Make sure you mark the new user as a Global Admin and have an additional e-mail address in handy, since Global Admins are required to provide a backup e-mail address in order to get automated e-mail from the system.

Since the New User dialog created a temporary password for this user, quickly go to http://portal.microsoftonline.com and login using the new user you’ve just created. You will be prompted to change the temporary password.

Once you did this, you can open up a new PowerShell console or PowerShell ISE window. Within PowerShell, write the following cmdlet in order to connect to the directory. When prompted, use the credentials of the user account you just created from within the Azure Management Portal.

Connect-MsolService

Next, you can use the following cmdlet to retrieve the list of applications which reside on that AAD directory.

Get-MsolServicePrincipal | Select DisplayName

This will return the list of applications which are currently installed in that AAD directory, and you'll quickly realize that the list contains way more than just the two applications you see inside the Azure Management Portal:

  • Microsoft.Azure.ActiveDirectory
  • Microsoft.SMIT
  • Microsoft.Office365.Configure
  • Windows Azure Service Management API
  • Microsoft.SupportTicketSubmission
  • Microsoft.Azure.ActiveDirectoryUX
  • Microsoft.Azure.GraphExplorer
  • Microsoft.Azure.Portal
  • AzureApplicationInsights
  • Microsoft Policy Administration Service
  • Microsoft.VisualStudio.Online
  • SelfServicePasswordReset

In order to delete all these applications, run the following cmdlet. Be aware that not all applications can be deleted and that some removals will fail with an error in the PS console (nuts, right?) – ignore those. Also double-check that you are connected to the directory you actually intend to delete: Connect-MsolService binds to the tenant of whatever credentials you supply, and this pipeline removes every service principal it can.

Get-MsolServicePrincipal | Remove-MsolServicePrincipal
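The whole procedure as one script, added here as an example and not part of the original post: it connects, confirms which directory it is bound to before touching anything, removes every service principal it can, records the ones that refuse, and lists what is left. The confirmation prompt and the assumption that the MSOnline module (the Azure AD Module for Windows PowerShell) is installed are mine.

```powershell
# Added example, not from the original post. Assumes the Azure AD Module for Windows PowerShell
# (module name MSOnline) is installed and that the global admin created in the portal is used
# at the Connect-MsolService prompt.
Import-Module MSOnline
Connect-MsolService

# Sanity check before deleting anything: Connect-MsolService binds to the tenant of the
# credentials you typed, so confirm it is the directory you intend to throw away.
$company = Get-MsolCompanyInformation
Write-Host "Connected to directory: $($company.DisplayName)"
$answer = Read-Host "Type the directory display name to confirm removal of ALL service principals"
if ($answer -ne $company.DisplayName) { throw 'Directory name mismatch; aborting.' }

$principals = @(Get-MsolServicePrincipal)
Write-Host ("Found {0} service principal(s)" -f $principals.Count)

$failed = @()
foreach ($sp in $principals) {
    try {
        Remove-MsolServicePrincipal -ObjectId $sp.ObjectId -ErrorAction Stop
        Write-Host "Removed : $($sp.DisplayName)"
    } catch {
        # Some built-in principals refuse to go; record the error and keep going.
        $failed += New-Object PSObject -Property @{
            DisplayName = $sp.DisplayName
            ObjectId    = $sp.ObjectId
            Error       = $_.Exception.Message
        }
        Write-Warning "Failed  : $($sp.DisplayName) - $($_.Exception.Message)"
    }
}

# Whatever is still listed here either cannot be removed or needs a second look in the portal.
Write-Host 'Remaining service principals:'
Get-MsolServicePrincipal | Select-Object DisplayName, AppPrincipalId
$failed | Format-Table DisplayName, Error -AutoSize
```

Run it from the elevated PowerShell session you connected with; the only prompt is the directory name, which is deliberately typed rather than confirmed with a Y/N so that a session bound to the wrong tenant stops here.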

Afterwards, go back to the Azure Management Portal, delete the organizational user account you created earlier and then delete the entire directory.

Voila, worked like a charm!

For the past 5 years, two great IT community volunteers, namely Tudor Damian and Mihai Tataran, along with a team of engaged volunteers, have put together what is in my opinion the greatest community driven IT conference in Romania, namely ITCamp.

Last year’s edition gathered over 500 attendees, mostly mid- and high-level software developers, all keen to learn from and network with an impressive panel of speakers coming from all over the world, each of them an expert in the IT industry.

Given the public agenda available on http://itcamp.ro, this year's edition will easily surpass last year's in both content quality and quantity; let me explain:

  • on one hand, this year’s ITCamp will also host a *NEW* track of business-oriented sessions where you could get a lot of insights on how to manage IT risk, what the cloud business models are given the industry cloud-emerging market worldwide, how to become a productive product owner and, one of my very favorites, how to manage intellectual property upon application launch
  • on the other hand, ITCamp 2015 has an impressive list of speakers, such as Paula Januszkiewicz – Enterprise Security MVP, Andy Malone – Enterprise Security MVP, Daniel Petri – Directory Services MVP, Andy Cross – Azure MVP and Microsoft RD, Raffaele Rialdi – Developer Security MVP, Tobiasz Koprowski – SQL Server MVP, David Giard – Microsoft Technical Evangelist, Adam Granicz – F# MVP, to name a few (of course, myself included 🙂 )

To quickly conclude, if you haven’t yet, now is your chance to register for ITCamp 2015 at http://itcamp.ro. The ticket costs around EUR130.00, a bargain considering that this is a once-in-a-year opportunity to get really valuable networking, along with great sessions and wonderful food from the caterer – Grand Hotel Italia.

Have you ever used a public WiFi in a coffee shop? Or did you use one in an airport, hotel, restaurant or a museum? I bet you were wondering how safe these networks are and whether your HTTP traffic can be sniffed by anyone nearby! Well, to keep the answer short, public WiFi networks are anything but safe, and plain HTTP traffic can be sniffed with ease on almost any of them.

On the other hand, did you ever try to watch movies on Netflix, listen to some good music on Spotify or Internet radio on Pandora from an Eastern-European country (e.g. Romania), just to find out that these services don’t work in Romania (yet)?

Well, Azure to the rescue! During this article you'll go through all the steps necessary to create a VM hosted in one of Azure's data centers so that all your Internet traffic goes through an encrypted VPN tunnel to the data center. In the end, this basically means that your traffic will look as if it originates from within Azure, and thus you'll be able to use the kind of services mentioned earlier. Keep in mind that the tunnel only protects the hop between you and the VM; from the VM onwards, your traffic leaves Azure in whatever form you sent it.

The infrastructure schema of what we’re trying to achieve looks something like this (please try to bear with me here – I’m totally aware my drawing skills are close to nonexistent):

Prerequisites

There are a few requirements in order to successfully complete this step-by-step guide:

  • you will most certainly need an Azure subscription. You can either use a 30-day free trial account or a Pay-As-You-Go account. Additionally, if you have an MSDN subscription, you can also use your Azure credits, which are part of your benefits as an MSDN subscriber. Here's a link on how to sign up for a 30-day trial account today using your Microsoft Account
  • an SSL certificate. Here again, there are a few options: the obvious one is to buy an SSL certificate from a public Certificate Authority (CA), or to create a self-signed certificate which you'll manually install in the Trusted Root Certification Authorities container. In order to create self-signed certificates, you can either use makecert.exe, a utility which comes with any installation of Visual Studio 2013 (or 2012, for that matter) and/or the Windows SDK, or selfssl.exe, part of the lightweight IIS6 Resource Kit. If you go the self-signed route, remember that anything sitting in Trusted Root is trusted for every site, not just your VPN: keep the private key on the VPN server only, and install nothing but the public .cer on the clients.
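For the self-signed option, here is the certificate step as an added PowerShell example (not from the original post). It drives makecert.exe, trusts only the public part of the certificate and verifies that what ended up in Trusted Root is the certificate that was just generated. The subject name, the output path, and the assumptions that makecert.exe is on the PATH (a Visual Studio or Windows SDK command prompt) and that the console is elevated are mine.

```powershell
# Added example, not from the original post. Generates the self-signed certificate with makecert.exe
# and trusts only its public part on this machine. Assumed: the subject name, the output path, that
# makecert.exe is on the PATH (Visual Studio / Windows SDK command prompt) and an elevated console.
$subject = 'azurevpn.example'
$cerFile = Join-Path $env:TEMP "$subject.cer"

# -r self-signed, -pe exportable private key, -a sha256 / -len 2048 for a sane key,
# -sky exchange so the key can be used for TLS key exchange, -ss My -sr CurrentUser puts
# the certificate (with its private key) in the current user's Personal store; the trailing
# argument additionally writes the public certificate to a file.
& makecert.exe -r -pe -n "CN=$subject" -a sha256 -len 2048 -sky exchange -ss My -sr CurrentUser $cerFile
if ($LASTEXITCODE -ne 0) { throw "makecert.exe failed with exit code $LASTEXITCODE" }

# Trust the public part machine-wide. Only the .cer should ever leave the machine that holds the
# private key: anything signed with that key is now trusted here.
& certutil.exe -addstore -f Root $cerFile
if ($LASTEXITCODE -ne 0) { throw "certutil.exe failed with exit code $LASTEXITCODE" }

# Verify that what is now trusted is exactly what was generated (same thumbprint) and that the
# private key really is attached to the generated certificate.
$generated = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq "CN=$subject" } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $generated) { throw "No certificate with subject CN=$subject in the Personal store" }
if (-not $generated.HasPrivateKey) { throw 'Generated certificate has no private key; check the -pe / -ss options' }

$trusted = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $generated.Thumbprint }
if (-not $trusted) { throw "Trusted Root does not contain thumbprint $($generated.Thumbprint)" }
Write-Host "Trusted self-signed certificate CN=$subject, thumbprint $($generated.Thumbprint)"
```

On the VPN server you then export the certificate with its private key (PFX, strong password) from the Personal store; the connecting clients only ever receive the .cer file and the certutil step.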


I have to start off with two things I want you to bear in mind while you read this post:

  • this is my absolute first production deployment (ok, during these last 4 days I did hundreds of back-and-forth steps using Microsoft Deployment Toolkit (MDT) along with WDS in order to find the most manageable deployment architecture, but still…) of Windows 8.1 using MDT 2013
  • any comments are very welcome!

In order to have an easily maintainable and upgradeable, yet controllable IT infrastructure within the company, I've decided to deploy a few VMs running Windows Server 2012 R2 with the WDS role installed. I've also installed MDT 2013 (you can download it from here) and the Assessment and Deployment Kit for Windows 8.1 Update (ADK – you can download it from here). ADK is required in order to get MDT 2013 to work. Also, make sure that you don't have any older versions of ADK installed (such as the ADK for Windows 8.0, which usually comes high up in the search results when you look for 'ADK Windows 8.1').

Installing both ADK (which should come first) and MDT 2013 is child's play, but only if you remember to sign out after you install ADK – this forces the PATH environment variable to be updated with the %ProgramFiles%\Windows ADK values. Trust me, this is a requirement for a smooth runtime experience with MDT 2013.

As a newcomer, one of the best approaches to learning MDT 2013 is by downloading the MDT Documentation archive from here, but bear in mind that there are a few best practices missing from the documentation kit which will be extremely helpful in the long run:

  1. When you create your first deployment share, bear in mind to use a share name (UNC path) different from the default 'DeploymentShare$'. The same goes for the deployment share's display name and folder name. The reason is that you will eventually boot from a customized version of Windows PE (Pre-installation Environment) which can show you the list of task sequences you have defined within that deployment share. If you're like me and like to test things out, you probably don't want your production images to be mixed with the staging ones. Therefore, I've created a deployment share called 'MDT Staging'.
  2. The deployment share is nothing else than the name suggests: a share – a network share, to be specific. This basically means that whilst deploying the customized images of your OS, either you or your users will have to get access to the share. There are two options for this: you either manually send the share credentials out to your users, hoping that they won't share these credentials with others and that they'll get them right – why shouldn't they? The second option is to configure the credentials within an initialization file called bootstrap.ini (which is actually configurable from within the Deployment Workbench directly – simply right-click on the deployment share itself, choose Properties in the context menu, go to the 'Rules' tab and click the 'Edit bootstrap.ini' button). Here you can simply put the following defaults: UserID, UserDomain and UserPassword. You might argue that this represents a security vulnerability because I'm saving a set of credentials which have access to one of my shares in clear text. I admit that, but as long as this specific account only has read access to my share (and write access to the 'Logs' folder within the deployment share), there's no real cause for concern. Additionally, this user doesn't even have to be a directory account; it can be a simple local account with read-only access to the share. Keep in mind, though, that bootstrap.ini is baked into the LiteTouch boot image (the WIM you PXE-boot or burn to media), so anyone who can grab that image can read the password: make it a dedicated account that exists for nothing else, and never reuse its password anywhere. And since we're at the bootstrap.ini, it's also worth sharing that the SkipBDDWelcome=YES default will help a lot as well: specifically, it will skip the welcome message on the deployment wizard.
  3. It might make more sense to go through the deployment as quickly and seamlessly as possible. Therefore, a few Skip defaults within customsettings.ini might help (by the way, when you change anything in the main textbox of the 'Rules' tab, you're actually updating customsettings.ini, which is extremely convenient considering that you'd otherwise have to manually open and save a text file in an elevated Notepad):
    • SkipAdminPassword=YES (if you also configure the AdminPassword default, this will cause the Administrator password page to be skipped) – whether you're creating a reference image or a target image, you'd probably be better off with a unique administrator password, referenced within the Workbench rather than in a bulky handwritten notepad somewhere in your office drawer. Bear in mind that this password also sits in clear text in customsettings.ini, readable by anyone holding the share credentials, so don't reuse it for anything else
    • SkipProductKey=YES – whether you're creating a reference image or a target image, the product key will probably be a MAK which you could safely put in the task sequence (you don't want your curious users to write this MAK down and use it back at home, right?), or you might even use a KMS to activate your OS. If you don't have a key at all, don't bother going through this deployment wizard page anyway: the installer will ask for it and you can just skip this step until you activate the OS
    • SkipDomainMembership=YES – it's best to have the domain configured directly within the customsettings.ini file using the JoinDomain, DomainAdmin and DomainAdminPassword values. Keep in mind that the Admin in DomainAdmin doesn't mean that you need to put in your admin user's password: instead, simply create a user within your Active Directory which is only allowed to Create Computer objects and Delete Computer objects, along with read/write properties on the computer objects within the OU. This makes it a special user only allowed to join computers to the domain, which helps a lot in automating the deployment process and limits the damage should the clear-text password in customsettings.ini leak
    • SkipLocaleSelection=YES
    • SkipTimeZone=YES – instead, simply configure the time zone using the TimeZoneName default (e.g. ‘E. Europe Standard Time’). Remember that within Windows, you can get your current timezone and the names of the rest of the time zones using the tzutil command. After all, you’ll most likely deploy the computers based on a deployment share only within a single time zone.
    • SkipApplications=YES – make this part of your task sequence instead; I'll have more on this later on
    • SkipRoles=YES – same as before, make this part of your task sequence instead
    • SkipBitLocker=YES
    • SkipBDDWelcome=YES
  4. If you're configuring a target deployment (which, as mentioned at #1, should be a different deployment share for the best deployment experience), make sure that you're also configuring:
    • SkipCapture=YES – after all, you can configure the DoCapture default to whatever you'd like your task sequence to end with and, again, a simpler wizard will be much easier to manage in the long run
  5. You might test out different default values and different task sequence options before you actually deploy to your hardware devices, so having some of these defaults set to NO or not at all (such as the domain defaults – you probably don't want to add all your test machines to your directory) might make sense. However, rather than deleting them from your file, you can comment them out using the ';' symbol. This is also super helpful when you create a new deployment share, because you can simply comment out or un-comment settings based on your deployment share's target.
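The least-privilege join account from the SkipDomainMembership item above, created and delegated with PowerShell and dsacls, as an added example that is not part of the original post. The domain CORP, the account name svc_mdtjoin and the two OU distinguished names are placeholders; the rights granted are the ones a domain join actually exercises: create/delete computer objects in the OU, and on the computer objects underneath it read/write properties, Reset Password and the two validated writes (DNS host name, service principal name).

```powershell
# Added example, not from the original post. Placeholders: domain CORP, account svc_mdtjoin and the
# two OU distinguished names. Run as a domain admin on a machine with RSAT (ActiveDirectory module, dsacls).
Import-Module ActiveDirectory

$domain   = 'CORP'
$account  = 'svc_mdtjoin'
$svcOu    = 'OU=Service Accounts,DC=corp,DC=local'   # where the account object lives
$targetOu = 'OU=Workstations,DC=corp,DC=local'       # where MDT will create the computer objects
$password = Read-Host -AsSecureString "Password for $account (this is the DomainAdminPassword value in CustomSettings.ini)"

# A plain domain user: no group memberships beyond Domain Users, cannot change its own password.
New-ADUser -Name $account -SamAccountName $account -Path $svcOu -AccountPassword $password `
    -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'MDT domain join only'

$principal = "$domain\$account"

# Create and delete computer objects in the OU and its sub-OUs
# (/I:T = this object and sub-objects; CC = create child, DC = delete child, of object class computer).
& dsacls.exe $targetOu /I:T /G "${principal}:CCDC;computer"

# On the computer objects underneath (/I:S = sub-objects only, inherited object type 'computer'):
# read/write all properties, Reset Password, and the two validated writes a join performs.
& dsacls.exe $targetOu /I:S /G "${principal}:RPWP;;computer"
& dsacls.exe $targetOu /I:S /G "${principal}:CA;Reset Password;computer"
& dsacls.exe $targetOu /I:S /G "${principal}:WS;Validated write to DNS host name;computer"
& dsacls.exe $targetOu /I:S /G "${principal}:WS;Validated write to service principal name;computer"

# Review what was granted; this account should show up nowhere else in the domain's ACLs.
& dsacls.exe $targetOu | Select-String -SimpleMatch $account
```

The password typed here is the one that goes into DomainAdminPassword in customsettings.ini; since that file is readable by anyone holding the share credentials from bootstrap.ini, the delegation above is what keeps a leaked password from becoming a domain-wide problem.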

When it comes to the actual deployment shares, there are a few things worth sharing:

  1. First and foremost, make sure that you always test your deployments using a VM (Hyper-V is probably one of the best virtualization technologies you can use for free right now for this purpose, especially because Gen2 VMs can both PXE boot and are UEFI capable). This is a best practice because you can always create a checkpoint and revert the machine back and forth just to make sure that your deployment works fine. It doesn't make sense to wait too long for your reference deployment to be created just to find out that a variable or some application is messing up the entire process. Additionally, using a VM will ensure that only the most generic hardware drivers are used and no funny mouse-or-whatever-device drivers get injected, as would happen if you used an old PC to test your deployments (actually, you shouldn't use an old PC to deploy anything; you'd better get rid of it :-)).
  2. And since we’re talking about drivers, whatever you do, never ever add drivers to your reference image. Instead, add them to your target image only, because you might eventually need to buy a new PC which might have different specs than the original one: do you really want to create the entire reference image from scratch and install all the apps used within the company again?
  3. If you’re using PCs from known vendors (HP, Dell, Fujitsu, Lenovo etc.), make sure that you get the corresponding drivers from the enterprise support systems. In fact, there are some apps for that too, such as HP SoftPaq, ThinkVantage Update Retriever, but if you’re not able to use any of these, simply go through their enterprise support websites (here’s the one for Dell)
  4. Never ever download drivers from strange websites or aggregators (Softpedia and such). If the vendor has a website, use that website instead!

As a best practice, I'd also advise you to group all the drivers in an OS\Computer model hierarchy. Also, make sure that the model is exactly the same as the model specified by the vendor. You can get the model specified by your vendor by using the Get-WmiObject PowerShell cmdlet (Get-WmiObject -Class Win32_ComputerSystem).

Another best practice is to create task sequences based on the PC models you have in the company, considering these are brand-name PCs from known vendors rather than custom-made PCs. The cool trick here is in regard to drivers: you can control which drivers Windows sees in the driver repository when it first installs by changing the following:

  1. In the Preinstall step within a task sequence, go to Inject Drivers, change the selection profile to 'Nothing' and check the radio button 'Install all drivers from the selection profile'. This might at first not make any sense, because we're telling the deployment process to install all the drivers from nowhere (?!), but it works because
  2. you configure (before the Inject Drivers step) a Task Sequence Variable (from Add > General), name it DriverGroup001 and give it the value Windows 8.1\%model% (considering that you're using an OS\Computer model hierarchy as advised earlier).
  • this basically instructs Windows to look only in a computer model's specific folder for drivers, not in the entire repository of drivers for all the PCs you're using in your company
  • unfortunately, if you're using a custom-made PC you'll get generic computer model names instead, such as 'All Series' if you have an Asus motherboard.
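A check to run on a new machine before its first deployment, added here as an example and not part of the original post: it computes the value DriverGroup001 will take (Windows 8.1\<model>, from the same WMI class the gather step uses), handles the generic-model case from the last bullet, and looks in the deployment share's Control\DriverGroups.xml for a matching driver group that actually contains drivers, so that the 'Nothing' selection profile never silently deploys a machine without drivers. The share path, the OS folder name, the '_Generic' fallback folder and the XML layout (groups/group/Name plus Member elements) are assumptions of mine.

```powershell
# Added example, not from the original post. Assumed: the share path, the OS folder name,
# the fallback folder name and the DriverGroups.xml layout (<groups><group><Name>..</Name><Member>..).
param(
    [string]$DeploymentShare = '\\MDT01\MDTStaging$',
    [string]$OsFolder        = 'Windows 8.1'
)

# Same source the MDT gather step uses for %model%.
$model = (Get-WmiObject -Class Win32_ComputerSystem).Model.Trim()

# Boards without a populated SMBIOS product name report placeholders; a per-model folder cannot work there.
$genericModels = @('All Series', 'System Product Name', 'To Be Filled By O.E.M.')
if ($genericModels -contains $model) {
    Write-Warning "Model '$model' is a generic placeholder; falling back to the '_Generic' driver folder"
    $model = '_Generic'
}
$driverGroup = "$OsFolder\$model"
Write-Host "DriverGroup001 would be: $driverGroup"

# The Workbench folder hierarchy is logical, not a file-system tree: it lives in Control\DriverGroups.xml.
[xml]$groups = Get-Content -LiteralPath (Join-Path $DeploymentShare 'Control\DriverGroups.xml')
$group = $groups.SelectSingleNode("/groups/group[Name='$driverGroup']")

if (-not $group) {
    throw "No driver group '$driverGroup' in the deployment share: create the folder under Out-of-Box Drivers and import the vendor's drivers for this model first"
}
$members = $group.SelectNodes('Member').Count
if ($members -eq 0) {
    throw "Driver group '$driverGroup' exists but holds no drivers"
}
if ($group.GetAttribute('enable') -eq 'False') {
    Write-Warning "Driver group '$driverGroup' is disabled in the Workbench"
}
Write-Host "Driver group '$driverGroup' contains $members driver(s); safe to deploy with selection profile 'Nothing'"
```

Save it as a script and run it on the target hardware (or a VM) with the share reachable; a thrown error means the task sequence would run its Inject Drivers step against an empty group.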

Earlier in this post I mentioned that it's fine to skip the applications selection page. The idea is actually to get better control of the applications you're installing and also more insight into the applications which have quiet installers. Basically, rather than having the deployment process install the applications on your behalf as one bulky operation, you should create a new group right before the Windows Update (Pre-application installation) step called 'Custom tasks (Pre-Windows update)' and have all your applications installed as Install Single Application steps. If you don't like/need/want that kind of control, you could also create an application entry in the application group within the deployment share which depends on all the applications you want to install, and have that application installed as a single Install Single Application step in your new group. Of course, you might be wondering now why you'd do that: the reason is that if you're installing Microsoft applications (which you probably will), you'll want updates for these applications too. You might also be installing chipset drivers, and this application-driver type should be installed first.

Anyway, the idea of having applications installed as install single application phases is to gain better control of the application installation process and finally to automate the entire deployment process altogether.

Another cool trick available in MDT (and not available in SCCM, at least not to my knowledge) is that you can temporarily suspend the deployment process for cases in which, let's say, you need to manually download an installer or a ClickOnce application or whatever. All you have to do is copy the Tattoo step in the task sequence, paste it wherever you need the deployment process suspended and replace ZTITatoo.wsf with LTISuspend.wsf in the command line. This will automatically suspend the deployment process, allow you to run whatever tasks manually and, when you're done (even if you need to restart), just double-click the resume shortcut which was created on the desktop (this automatically resumes the deployment process from where it left off). This trick helps install ClickOnce applications which require licensing (they normally exit with a 0 or 3010 code too soon and thus don't get installed properly) or install apps or SDKs using the Web Platform Installer (such as the Azure SDK).

Last but not least, make sure that you enable the Windows Update steps in the task sequence only for deployments to the target computers. Downloading updates during the deployment process on the reference computers will make the deployment take considerably longer (for example, in my tests it took an extra 3 hours to create the reference image if the computer was updated during reference image deployment) and thus doesn't make too much sense. Instead, you might be interested in updating the target computers only. Moreover, you could also add the update packages (though it is tremendous work to keep the Packages folder up to date in the deployment share) or you could install the Windows Server Update Services (WSUS) role on one of your servers and point to it from customsettings.ini using the WSUSServer property.

Ok, that’s it for now.

Happy deploying,

Alex

There’s a hidden feature in Windows 8.1 that for some reason (marketing?!) didn’t get public-ish… It’s slide-to-shutdown. Basically, just like on Windows phone, with slide-to-shutdown you have the option of shutting down your PC from sliding down the lock screen.

This 'feature' is however available on your Windows 8.1 PC by running slidetoshutdown.exe. You can do this directly from your Run prompt or by running slidetoshutdown.exe from a custom app you might develop for yourself (and the rest of the world :-) ).

Alex

Hi guys!

First of all, have a Happy New Year!

Several people asked me 'Why did Microsoft remove the System Experience Index from Windows 8.1?' Well, you might indeed be wondering why, but the fact is that it didn't really go anywhere: it's still there, just not graphically.

So, if you want to score your PC in Windows 8.1, you have to run the Windows System Assessment Tool from the command line (is there any other way?), by using the winsat command in an elevated Command Prompt. You have the option of assessing your Desktop Window Manager (system graphics capabilities), CPU, internal memory, Direct3D, disk drives and some other features. Of course, you can also run all of these as a single test (winsat formal).

However, given the complexity of the output shown by the Windows System Assessment Tool, I suppose that Microsoft is either preparing something for Windows 8.next when it comes to the Experience Index or is planning to completely remove WEI from the next version of Windows. You still have to keep in mind, though, that according to this Windows page (What is Windows Experience Index), WEI typically scores from 1.0 to 7.9 and that on a PC powered by a 64-bit processor with 4GB (or less), your memory score will drop to 5.9 and therefore your overall score will also drop to 5.9. Even so, I assembled a PC several months ago where I achieved scores of 8.1 across the board. Therefore, I might say that either the page is outdated or the rating system is about to get some updates, don't you think?
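If the raw winsat output is too much, the scores the old UI used to show are also exposed through WMI. The following is an added example, not part of the original post: it reads the Win32_WinSAT class, runs a fresh formal assessment when the stored one is not valid, and returns the subscores together with the base score. The assessment-state codes in the comment and the requirement for an elevated session (winsat needs it) are my assumptions.

```powershell
# Added example, not from the original post. Assumed: an elevated PowerShell session and the
# WinSATAssessmentState codes listed in the comment below.
function Get-WinSatScores {
    param([switch]$Refresh)
    $ws = Get-WmiObject -Class Win32_WinSAT
    # WinSATAssessmentState: 0 unknown, 1 valid, 2 incoherent with hardware, 3 no assessment, 4 invalid
    if ($Refresh -or $ws.WinSATAssessmentState -ne 1) {
        Write-Warning "Assessment state is $($ws.WinSATAssessmentState); running 'winsat formal' (takes a few minutes)"
        & winsat.exe formal | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "winsat.exe failed with exit code $LASTEXITCODE" }
        $ws = Get-WmiObject -Class Win32_WinSAT
    }
    New-Object PSObject -Property @{
        Processor = $ws.CPUScore
        Memory    = $ws.MemoryScore
        Graphics  = $ws.GraphicsScore
        Gaming    = $ws.D3DScore
        Disk      = $ws.DiskScore
        # The base score is the lowest subscore, which is why 4GB of RAM drags the whole rating down.
        BaseScore = $ws.WinSPRLevel
        Assessed  = $ws.TimeTaken
    }
}

Get-WinSatScores | Format-List Processor, Memory, Graphics, Gaming, Disk, BaseScore, Assessed
```

Call Get-WinSatScores -Refresh after a hardware change, since the stored assessment then reports state 2 (incoherent with hardware) and the function reruns it anyway.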

Alex

Hi,

So I came across these two peculiar situations whilst running Windows 8.1 Enterprise N, both regarding Flash – or should I say that 3rd-party Shockwave player embedded into Internet Explorer 11?

Basically, the situation is like this: right after installing a clean copy of Windows 8.1 Enterprise N, if I opened up Youtube without having the headphones plugged in (and thus, a 'No microphone or speaker plugged in' message appeared), Youtube returned the 'An error occurred' message with the static background and a useless 'Learn more' link which only redirected me to adobe.com. Now, I do admit that Flash is not the only culprit here, since Vimeo and other Flash-related content on other sites seemed to work fine (not all, though! Zonga.ro – which is a Spotify-like app – works just fine).

One other thing worth mentioning is that Youtube runs smoothly under HTML5. How did I use Youtube with HTML5? Well, first you go to http://www.youtube.com/html5, opt in to the HTML5 trial and then you deactivate the Shockwave plugin from the Manage Add-ons settings page. Another thing worth mentioning is also the fact that on the HTML5 activation page on Youtube, both H.264 and MSE & H.264 (along with HTMLVideoElement and Media Source Extensions) are listed as supported.

However, after installing the usual R&D-related software, I came across another strange issue. Right before updating the OS again (more software means more updates; more updates means theoretically less headache, practically more issues i.m.h.o.), Youtube worked fine – as long as my headphones were plugged in. After updating the OS though, every single time I try to play a video on Youtube, IE crashes completely with the 'Close program' message box – I don't even have the option of reporting the issue!

Here’s some extra info from Event Viewer:

  • Faulting application name: IEXPLORE.EXE, version: 11.0.9600.16384
  • Faulting module name: Flash.ocx, version: 11.9.900.117
  • Exception code: 0xc0000005
  • Fault offset: 0x00573ef5
  • Faulting module path: C:\Windows\SYSTEM32\Macromed\Flash\Flash.ocx
  • Report Id: 17dce16c-32a1-11e3-9c0d-d43d7ed8c58e

The reason for why I was mentioning the HTML5 facts earlier is that as soon as these issues appeared, I tried to switch the video playback back to HTML5 from Flash and found out that:

  1. after disabling the Shockwave plugin, Youtube reported that my browser didn't support HTML5 (a small error message inside the video player's container)
  2. on youtube.com/html5, neither H.264 nor MSE & H.264 were marked as supported

One more strange thing is that when I tried to verify if there's an update for Flash Player on Adobe's page here, Adobe no longer reported that I was visiting the site from IE11 or Windows 8.1. I therefore suppose that after updating it, the browser no longer sends out its capabilities and thus Flash (and possibly other apps too) runs into some sort of unhandled exception.

Looking into Event Viewer, I found out that the issue was related to Flash.ocx and that the error code was 0xc0000005, which was rather random. After several failed attempts at solving the issue by reinstalling audio, video, chipset and other device drivers, I decided to install the Media Pack for Windows Enterprise N and KN, which basically installs Windows Media Player and other media-related software on an OS which was designed to work without these extras. Guess what!

Installing the Media Pack for Windows Enterprise N and KN (link here) solved the problem. Now, if you ask me, there is a bug somewhere, because there is no way a piece of software should work only if your headphones are plugged in (and only under given circumstances – specific websites, so specific apps) and, after updating the OS with IE-related updates, crash every single time the Shockwave plugin is used, only to recover if you install the extras which you didn't want in the first place and which should theoretically have nothing to do with the issue itself whatsoever.

I know this is sort of a dum-dum solution, but it might get you going until there is an update available.

Alex

Today I just found out a lot of interesting shortcuts I wish I knew years ago!

For example, did you know that if you hold the Control key (Ctrl) down and press the + key (it has to be the + key on the numeric keypad, not the combined =/+ key next to the backspace key; if you don't have a numeric keypad, you could first enable Num Lock on a laptop keyboard and then use the + key), Windows automatically resizes all the columns in a column-ish UI (such as Task Manager). There you go! 15 years of computing!

One other cool thing I found out today was that Windows lets you cycle between open apps and windows at different levels. So if you Alt+Tab in Windows, you only cycle between the open apps. And if you Ctrl+Tab, you cycle through the open views/windows inside an app. But if you hold down the Ctrl key and left-click, you can cycle between all the views open in the application group the mouse cursor is over. You have to try this! I absolutely love it!

One more cool thing I had no idea about: if you hold down the Ctrl key when you click the New Task menu option in Task Manager, you automatically get a command prompt opened! How cool is that?

Hope you'll find these shortcuts as useful as I do!

Happy Easter!

Today I’ve discovered that I’m denied access to several folders in Windows 7. Now, you might be thinking ‘Did you try running Explorer with Administrative privileges?’. Of course I have!

The list of folders that I was denied access to is the following:

 

  • Access to the path ‘C:\Documents and Settings’ is denied.
  • Access to the path ‘C:\ProgramData\Application Data’ is denied.
  • Access to the path ‘C:\ProgramData\Desktop’ is denied.
  • Access to the path ‘C:\ProgramData\Documents’ is denied.
  • Access to the path ‘C:\ProgramData\Favorites’ is denied.
  • Access to the path ‘C:\ProgramData\Microsoft\WwanSvc\Profiles’ is denied.
  • Access to the path ‘C:\ProgramData\Start Menu’ is denied.
  • Access to the path ‘C:\ProgramData\Templates’ is denied.
  • Access to the path ‘C:\RRbackups’ is denied.
  • Access to the path ‘C:\System Volume Information’ is denied.
  • Access to the path ‘C:\Users\<username>\AppData\Local\Application Data’ is denied.
  • Access to the path ‘C:\Users\<username>\AppData\Local\History’ is denied.
  • Access to the path ‘C:\Users\<username>\AppData\Local\Temporary Internet Files’ is denied.
  • Access to the path ‘C:\Users\<username>\Application Data’ is denied.
  • Access to the path ‘C:\Users\<username>\Cookies’ is denied.
  • Access to the path ‘C:\Users\<username>\Documents\My Music’ is denied.
  • Access to the path ‘C:\Users\<username>\Documents\My Pictures’ is denied.
  • Access to the path ‘C:\Users\<username>\Documents\My Videos’ is denied.
  • Access to the path ‘C:\Users\<username>\Local Settings’ is denied.
  • Access to the path ‘C:\Users\<username>\My Documents’ is denied.
  • Access to the path ‘C:\Users\<username>\NetHood’ is denied.
  • Access to the path ‘C:\Users\<username>\PrintHood’ is denied.
  • Access to the path ‘C:\Users\<username>\Recent’ is denied.
  • Access to the path ‘C:\Users\<username>\SendTo’ is denied.
  • Access to the path ‘C:\Users\<username>\Start Menu’ is denied.
  • Access to the path ‘C:\Users\<username>\Templates’ is denied.
  • Access to the path ‘C:\Users\All Users\Application Data’ is denied.
  • Access to the path ‘C:\Users\All Users\Desktop’ is denied.
  • Access to the path ‘C:\Users\All Users\Documents’ is denied.
  • Access to the path ‘C:\Users\All Users\Favorites’ is denied.
  • Access to the path ‘C:\Users\All Users\Microsoft\WwanSvc\Profiles’ is denied.
  • Access to the path ‘C:\Users\All Users\Start Menu’ is denied.
  • Access to the path ‘C:\Users\All Users\Templates’ is denied.
  • Access to the path ‘C:\Users\Default\AppData\Local\Application Data’ is denied.
  • Access to the path ‘C:\Users\Default\AppData\Local\History’ is denied.
  • Access to the path ‘C:\Users\Default\AppData\Local\Temporary Internet Files’ is denied.
  • Access to the path ‘C:\Users\Default\Application Data’ is denied.
  • Access to the path ‘C:\Users\Default\Cookies’ is denied.
  • Access to the path ‘C:\Users\Default\Documents\My Music’ is denied.
  • Access to the path ‘C:\Users\Default\Documents\My Pictures’ is denied.
  • Access to the path ‘C:\Users\Default\Documents\My Videos’ is denied.
  • Access to the path ‘C:\Users\Default\Local Settings’ is denied.
  • Access to the path ‘C:\Users\Default\My Documents’ is denied.
  • Access to the path ‘C:\Users\Default\NetHood’ is denied.
  • Access to the path ‘C:\Users\Default\PrintHood’ is denied.
  • Access to the path ‘C:\Users\Default\Recent’ is denied.
  • Access to the path ‘C:\Users\Default\SendTo’ is denied.
  • Access to the path ‘C:\Users\Default\Start Menu’ is denied.
  • Access to the path ‘C:\Users\Default\Templates’ is denied.
  • Access to the path ‘C:\Users\Default User’ is denied.
  • Access to the path ‘C:\Users\Public\Documents\My Music’ is denied.
  • Access to the path ‘C:\Users\Public\Documents\My Pictures’ is denied.
  • Access to the path ‘C:\Users\Public\Documents\My Videos’ is denied.
  • Access to the path ‘C:\Windows\Registration\CRMLog’ is denied.
  • Access to the path ‘C:\Windows\System32\com\dmp’ is denied.
  • Access to the path ‘C:\Windows\System32\config\systemprofile\AppData\Local\Application Data’ is denied.
  • Access to the path ‘C:\Windows\System32\config\systemprofile\AppData\Local\History’ is denied.
  • Access to the path ‘C:\Windows\System32\config\systemprofile\AppData\Local\Temporary Internet Files’ is denied.
  • Access to the path ‘C:\Windows\System32\config\systemprofile\Application Data’ is denied.
  • Access to the path ‘C:\Windows\System32\config\systemprofile\Cookies’ is denied.
  • Access to the path ‘C:\Windows\System32\config\systemprofile\Local Settings’ is denied.
  • Could not find a part of the path ‘C:\Windows\System32\config\systemprofile\SendTo’.
  • Access to the path ‘C:\Windows\System32\LogFiles\WMI\RtBackup’ is denied.
  • Access to the path ‘C:\Windows\SysWOW64\com\dmp’ is denied.
  • Access to the path ‘C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Application Data’ is denied.
  • Access to the path ‘C:\Windows\SysWOW64\config\systemprofile\AppData\Local\History’ is denied.
  • Access to the path ‘C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Temporary Internet Files’ is denied.
  • Access to the path ‘C:\Windows\SysWOW64\config\systemprofile\Application Data’ is denied.
  • Access to the path ‘C:\Windows\SysWOW64\config\systemprofile\Cookies’ is denied.
  • Access to the path ‘C:\Windows\SysWOW64\config\systemprofile\Local Settings’ is denied.
  • Could not find a part of the path ‘C:\Windows\SysWOW64\config\systemprofile\SendTo’.

As you’ve probably already figured out, the list also contains the inaccessible special folders from the 64-bit environment (the SysWOW64 entries).

The thing is, as it turns out, that these aren’t actual folders but so-called junction points, created to offer backward compatibility with the folder layout of earlier operating systems (Vista, XP…).

Now, in Vista you could see them (as shortcuts) and open them (which redirected you to the actual folders), but there is a small glitch in Seven: you don’t see them, not even as shortcuts, and if you type one of these folder paths in by hand and try to open it, instead of being redirected to the actual folder you get an error saying that access is denied. Honestly, I would have preferred a ‘path does not exist’ error or something similar.

So, how did I get this list? Well, I ran a folder-listing application I wrote on the .NET Framework, and the GetDirectories() method returned these folders as sub-folders of their parents (sounds fishy :)).

So here’s the thing with backward compatibility:

  1. you have an app that does some I/O operations in the special environment folders
  2. the .NET Framework returns these special folders as existing
  3. you run your app with elevated privileges to make sure no errors occur
  4. boom, you get an access denied error on some special folders that don’t actually exist.

Is it just me, or is there a glitch somewhere?
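What trips the listing tool up is that these compatibility junctions carry the ReparsePoint attribute and an explicit deny-listing ACE; the ACE is there precisely so that backup and copy tools don’t follow the junction into its target and duplicate (or loop over) the real folder. The defensive fix is to check that attribute before descending, rather than to run with more privilege. The listing below is an added example, not the tool from the post: it walks a tree with GetDirectories(), records junctions instead of entering them, and keeps the folders that still refuse access in a separate list so they can be reviewed. The starting folder `C:\Users` is an assumption; pass any other root as the first argument.

```csharp
// Added example (not the post's own listing tool): enumerate sub-folders with
// DirectoryInfo.GetDirectories(), but recognise junction points before opening them.
using System;
using System.Collections.Generic;
using System.IO;

static class JunctionAwareLister
{
    // True when the entry is a reparse point (junction, directory symlink, mount point).
    // The attribute comes from the parent's directory listing, so no access to the
    // junction itself is needed to read it.
    public static bool IsReparsePoint(DirectoryInfo dir)
    {
        return (dir.Attributes & FileAttributes.ReparsePoint) != 0;
    }

    // Walks 'root' iteratively (no recursion, so a deep or self-referencing tree cannot
    // blow the stack) and sorts every entry into one of three buckets:
    //   folders   - real directories that were listed successfully
    //   junctions - reparse points that were recorded but deliberately not entered
    //   denied    - directories whose listing failed (access denied or dangling target)
    public static void Walk(string root, List<string> folders, List<string> junctions, List<string> denied)
    {
        var pending = new Stack<DirectoryInfo>();
        pending.Push(new DirectoryInfo(root));

        while (pending.Count > 0)
        {
            DirectoryInfo current = pending.Pop();
            DirectoryInfo[] children;
            try
            {
                children = current.GetDirectories();
            }
            catch (UnauthorizedAccessException)
            {
                // The "Access to the path ... is denied" case from the post.
                denied.Add(current.FullName);
                continue;
            }
            catch (DirectoryNotFoundException)
            {
                // The "Could not find a part of the path" case: a junction whose
                // target no longer exists, or a folder removed while we were walking.
                denied.Add(current.FullName);
                continue;
            }

            foreach (DirectoryInfo child in children)
            {
                if (IsReparsePoint(child))
                {
                    // Record it, but never follow it: following would redirect into
                    // the real folder (e.g. Application Data -> AppData\Roaming) and
                    // list the same data twice, or loop on a circular junction.
                    junctions.Add(child.FullName);
                    continue;
                }
                folders.Add(child.FullName);
                pending.Push(child);
            }
        }
    }

    static void Main(string[] args)
    {
        // Assumption: default to the profile tree, which is where most of the
        // compatibility junctions from the post live.
        string root = args.Length > 0 ? args[0] : @"C:\Users";

        var folders = new List<string>();
        var junctions = new List<string>();
        var denied = new List<string>();
        Walk(root, folders, junctions, denied);

        Console.WriteLine("Real folders listed : " + folders.Count);
        Console.WriteLine("Junctions skipped   : " + junctions.Count);
        foreach (string j in junctions) Console.WriteLine("  [junction] " + j);
        Console.WriteLine("Still access denied : " + denied.Count);
        foreach (string d in denied) Console.WriteLine("  [denied]   " + d);
    }
}
```

Run as a normal user first: everything that lands in `junctions` is expected and needs no elevation, and the `denied` bucket should shrink to folders such as `System Volume Information` whose ACL genuinely excludes you. If a path shows up in `denied` that is not a junction and not a system-protected folder, that is the one worth investigating rather than bypassing with an elevated run. The same classification is available interactively with `dir /AL` in a command prompt, which lists only reparse points.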

P.S.: more about junction points here: http://www.svrops.com/svrops/articles/jpoints.htm