To register the RTSP protocol with Internet Explorer you need to register it with the operating system. This is easily achieved thru a registry edit, however this article explains it all http://msdn.microsoft.com/en-us/library/Aa767914.aspx. So once you register the RTSP with the .reg file below just close Internet Explorer and open it back up. VLC will prompt you with a warning, if at this point it doesn’t show video; open TCP port 554 in your firewall outbound. If you do not have outbound restrictions, like in the case of 99% of home users; it either a bad feed or upgrade your VLC to the latest version.

Firefox will also see the registry change and when a user clicks the link; Firefox will prompt them with an application dialog box then open it in VLC Player. Just check the box to always open without prompting and it’ll work every time!

This fix will be valid for all users of the computer. I’m pretty sure you can register it under HKEY_CURRENT_USER on XP and above; to make the change for only that users.

RTSP registry edit file:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\RTSP]
@="URL:Real Time Streaming Protocol"
"URL Protocol"=""

[HKEY_CLASSES_ROOT\RTSP\shell]

[HKEY_CLASSES_ROOT\RTSP\shell\open]

[HKEY_CLASSES_ROOT\RTSP\shell\open\command]
@="C:\\Program Files (x86)\\VideoLAN\\VLC\\vlc.exe -vvv %1"

Copy the text above into a file of RTSP.reg and double click it to merge it into the registry.

Note: You may have to change the path where your VLC lives.

To change the label of a fixed drive with removable storage (CDROM/DVDROM/DVD-RW), you need to perform a registry edit. Follow the steps below to create custom label so when you open “My Computer” or “Computer” (depending on OS version) you see the custom label. The steps below are for Windows 7, but should also work for Windows Vista, Windows XP and Windows 2000.

1. In the run/search box type “regedit”. Find the icon for regedit.exe above and right click on it and choose “Run as administrator”. Answer the UAC prompt and click OK.
2. Find the registry key of “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons”.
3. Right click on the “DriveIcons” key and select “New -> Key” then name the key the drive letter you want to label (i.e. Drive F create the key as F).
4. Right click on the drive letter and select “New -> Key” then name the key “DefaultLabel” (case sensitive).
5. To the right on the result pane of the registry editor, double click the “(Default)” REG_SZ and change the “Value data:” to the label you want to show under My Computer.
6. Logoff and/or reboot.

Note: You can also do the same last three steps to change the Icon that shows in My Computer, create a “DefaultIcon” key. Change the “(Default)” key to the path of the icon to change the icon.

The Fonts directory is located in the Windows directory and if a normal user wants to install Fonts; they cannot. If a normal users tries to install a font they are prompted with the UAC (User Account Control) dialog box and Administrator credentials are required. If you work for a school or a print shop and do not want to give out Administrator credentials to install fonts read on.

The following steps will loosen up security in your operating system, so that normal users can install fonts without administrative credentials and the UAC prompt. This modification has been tested on Windows 7; however it should also work on Windows Vista as well. Please be careful when making changes that could open security holes. As of the writing of this article there are no security holes, but be vigilant and read Microsoft Security Bulletins in the future.

Log on as an administrator to make the following changes!

First we need to make the folder writable and make it a non-system folder.

attrib -r -s c:\Windows\Fonts

Next we need to take ownership. The /f directs it to the folder of c:\Windows\Fonts the /r directs it to recurse and the /d n is default answer is no or skip.

takeown /f c:\Windows\Fonts /r /d n

Now let’s give the users permission.

cacls c:\Windows\Fonts /e /t /g users:c

There is also a font cache that allows programs to display a preview of the fonts; this needs softened up as well for the user.

cacls c:\Windows\System32\FNTCACHE.DAT /e /t /g users:c

Note: you will receive an Access is denied message, this is normal; just make sure users have change security permissions.

The last thing to do is give users permissions to register fonts with Windows 7 in the registry. Use regedit and give users modify permissions to the following key in the registry.

HKLM\Software\Microsoft\Windows NT\Current Version\Fonts

See diagram:

That’s it you done… Log out and test as a normal / non-administrator by right clicking the font and selecting “Install” from the context menu.

After some research I found a TechNet Article http://technet.microsoft.com/en-us/library/cc794902%28WS.10%29.aspx that explained the motivation behind this. Basically when Internet Explorer starts up, it starts with the default of “Automatically detect settings” checked in the “Local Area Network (LAN) Settings” dialog box in Internet Explorer Options. So every time it starts it queries for wpad.FQDN and if it resolves it then grabs the wpad.dat. When your client boots up and the DHCP will configure option 15 for the domain name it appends this to the wpad. An example: if you machine boots up and retrieves option 15 as contoso.com. Then IE will try to retrieve http://wpad.contoso.com/wpad.dat.

Now let me explain why: Microsoft uses dynamic updates in DNS. Since most people do not use wpad entries; it introduces an attack vector. A malicious user would name their client “wpad” and serve a wpad.dat file from the host of their web server. When their client boots up it will try to register itself as “wpad.contoso.com” and now potentially all of your clients are proxy-ed thru a malicious host.

Microsoft closed the hole by automatically denying resolution of wpad.FQDN entries in the “Global Query Block List”. Which regardless of which zones you host on Microsoft DNS servers it will deny resolution of the wpad.

To fix this you will need to run the commands below against each of your DNS servers:

To see the “Global Query Block List”

dnscmd [<ServerName>] /info /globalqueryblocklist

example:
dnscmd 192.168.1.1 /info /globalqueryblocklist

To fix the problem in the “Global Query Block List”

dnscmd [<ServerName>] /config /globalqueryblocklist [<name> [<name>]...]

example:
dnscmd 192.168.1.1 /config /globalqueryblocklist isatap

The following process will automate the sysprep so next reboot it will only ask for computer name. Some assumptions during this article are: you are creating an English/US install, you are using a KMS server and your timezone is EDT.

Step 1. – Download and install the latest WAIK from http://downloads.microsoft.com, the WAIK should support Windows 7 and 2008 R2 (check the date).

Step 2. – Get your media that you have installed with and mount it in the DVD-ROM or via and ISO mounting utility; if it is only and ISO. You will need to allow Windows SIM to access the install.wim in the next step.

Step 3. – Start Windows SIM and right click on “Select a Windows Image or Catalog” and find the “install.wim” in the sources directory on the media. In this tutorial I used x64 (amd64) media, this also works for x86 media; using the same steps.

Step 4. – Now we need an answer file, so right click on “Create or open an answer file” and select “New Answer File”

Step 5. – On the left hand side open the “Components” folder and find “Microsoft-Windows-International-Core”, right click and select “Add Settings to Pass 7 oobeSystem”. It will be added to the answer file in the center.

Step 6. – Fill in the settings for InputLocale thru UserLocale in the properties pane; I used en-US for English language and United States locale. The “en-US” is defined in the RFC4646 actually two standards put together: the ISO 639-1 code for known languages and the ISO 3166-1 code for assigned country codes. Microsoft has an article of supported RFC4646 locales called the LCID reference http://msdn.microsoft.com/en-us/library/cc233965%28v=PROT.10%29.aspx

Step 7. – On the left hand side under the “Components” folder and find “Microsoft-Windows-Shell-Setup_6.1.xxxxx”, right click and select “Add Settings to Pass 7 oobeSystem”. It will be added to the answer file in the center. Click on the Shell-Setup in the answer file section and fill in the TimeZone under properties. A list of these time zones can be found here http://technet.microsoft.com/en-us/library/cc749073%28WS.10%29.aspx.

Step 8. – Open the “Microsoft-Windows-Shell-Setup” folder in the answer file and find OOBE and click on it. In the properties page set “HideEULAPage” to true and Network Location to Work, Public or Home. The “ProtectYourPC” property can be set to: 1 for recommended protection, 2 for updates only and 3 for automatic protection to be disabled. These all related to the Windows Update protection. http://technet.microsoft.com/en-us/library/cc749278%28WS.10%29.aspx

Step 9. – We need to setup the first administrator account since Windows 7’s administrator account is disabled by default. Further down under “Microsoft-Windows-Shell-Setup” click on “UserAccounts” then right click on “LocalAccounts” and select “Insert New LocalAccount”.

Step 10. – In the properties of the local account on the right side; fill out Description, DisplayName and Name. The Group must be “administrators”, so that you can locally administrate the computer (i.e. login local).

Step 11. – Click on “Password” under the “LocalAccount[Name=”username”] and in the properties pane set the password for the account. The password will be saved in the XML file however it will be encrypted (the encryption used is unspecified in Microsoft’s documentation).

Step 12. – On the left hand side under the “Components” folder and find “Microsoft-Windows-Shell-Setup_6.1.xxxxx”, right click and select “Add Settings to Pass 4 specialize”. It will be added to the answer file in the center; respectively under “4 Specialize”. Click on the Shell-Setup in the answer file section and fill in the “ProductKey” with the default KMS key found here http://technet.microsoft.com/en-us/library/ff793406.aspx. These product keys will not activate via Microsoft (retail), instead they are dummy keys for a Key Management Server to activate. The product key I used was for Windows 7 Enterprise “33PXH-7Y6KF-2VJC9-XBBR8-HVTHH”. Setting this will skip the activation question during setup, but make sure you have a KMS server running. Also make sure you have met the 25 client threshold or the KMS will not activate any of the clients. http://technet.microsoft.com/en-us/library/ff793434.aspx

Step 13. – Right click on the answer file and choose “Close Answer File” when prompted save it as “unattend.xml”.

Step 14. – Copy the unattend.xml into “C:\windows\system32\sysprep” folder and create a startprep.cmd file containing the code below. The startprep.cmd file is not totally necessary, however I find it is best consistency; so the next time you do this you have the command at hand. You could just type the command into a CMD prompt.

startprep.cmd

@echo off
cd c:\windows\system32\sysprep sysprep /oobe /generalize /unattend:c:\windows\system32\sysprep\unattend.xml

Step 15. – Run the startprep.cmd and the system will sysprep revert its specialized settings and drivers and shutdown. Create an image of the workstation using your favorite image software and distribute the image to other workstations. When they restart the unattend.xml file will be run along with sysprep and you will only be prompted for computer name.

example unattend.xml

<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
<settings pass="oobeSystem">
<component name="Microsoft-Windows-International-Core" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<InputLocale>en-US</InputLocale>
<SystemLocale>en-US</SystemLocale>
<UILanguage>en-US</UILanguage>
<UILanguageFallback>en-US</UILanguageFallback>
<UserLocale>en-US</UserLocale>
</component>
<component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<OOBE>
<HideEULAPage>true</HideEULAPage>
<NetworkLocation>Work</NetworkLocation>
<ProtectYourPC>1</ProtectYourPC>
</OOBE>
<UserAccounts>
<LocalAccounts>
<LocalAccount wcm:action="add">
<Password>
<Value>cABhAHMAcwB3AG8AcgBkAFAAYQBzAHMAdwBvAHIAZAA=</Value>
<PlainText>false</PlainText>
</Password>
<Description>First Admin User</Description>
<DisplayName>User</DisplayName>
<Group>administrators</Group>
<Name>User</Name>
</LocalAccount>
</LocalAccounts>
</UserAccounts>
<TimeZone>Eastern Standard Time</TimeZone>
</component>
</settings>
<settings pass="specialize">
<component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<ProductKey>33PXH-7Y6KF-2VJC9-XBBR8-HVTHH</ProductKey>
</component>
</settings>
<cpi:offlineImage cpi:source="wim:h:/sources/install.wim#Windows 7 ENTERPRISE" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
</unattend>

In Windows XP and Windows 2003 this was done via the command proxycfg.exe. You would simply set and unset the “Local Machine” proxy with the commands:

The old way to set the "Local Machine" proxy:

Proxycfg –p {proxy address:port} {bypass list}

Proxycfg -p "proxy.bohack.com:8180" "<local>;*.bohack.com"

The old way to unset it:

Proxycfg –d

It basically sets the registry value below, to the values you specify in with the proxycfg command.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\WinHttpSettings

So what happened to the “proxycfg.exe” command? Starting in Vista, Windows Server 2008 and Windows 7 you will no longer find the proxycfg command. It has now been replaced with the “netsh” command. This command can be used either interactively by tying “netsh” and navigating the tree of commands or used in a one line command sequence, like shown below.

The new way to set the "Local Machine" Proxy:

netsh winhttp set proxy {proxy address:port} {bypass list}

netsh winhttp set proxy "proxy.bohack.com:8180" "<local>;*.bohack.com"

The new way to unset it:

netsh winhttp reset proxy

Check the settings with:

netsh winhttp show proxy

The new commands change the same registry value above, the only thing that changed it the command to set and unset the Local Machine proxy. Theoretically you could export out the registry setting and import it onto another machine.

The icacls.exe command was introduced in Windows 2003 Service Pack 2. It now comes installed by default in Windows Vista, Windows Server 2008 (R2) and Windows 7. So administrators will need to learn this command sooner or later. Recently I found the tool to be very flexible and I extensively documented the options. I mapped the different command line options to the GUI, for the network admins that need the GUI to understand how to use the command line.

The first point that should be made about icacls.exe is that it defaults to edit mode. The original cacls command defaults to replace mode. Next are the commands:

/grant will grant user permissions or the add option in the GUI.
/remove will remove the user from the DACL and is equivalent to
 the remove option in the GUI.

Note: /remove:g will remove only grants for the user
      and /remove:d will remove only denys for the user.

/deny is equivalent to the deny column in the GUI
 and should always be used cautiously.
/setowner is a handy little command which allows you to change
 the ownership of a file or folder to another user;
 this is similar to the linux chown command.
/findsid which finds entries in a DACL for a specified SID or user.
/setintegritylevel is a bit out of the scope of this article
 and may be in a future article.

The icacls command also has an /inheritance command which performs the same function as un-checking the “Include inheritable permission from this object’s parent” in the GUI. This of course presents you with the question of how to proceed; copy the permissions or remove all existing permissions. So the command line you can specify:

/inheritance:e to enable same as a check box in the GUI.
/inheritance:d to disable and copy the permissions
 from the parent same as the GUI.
/inheritance:r to disable and remove the
 current permissions again same as the GUI.

The next thing to learn is how inheritance is propagated for permissions. When using either the /grant or /deny statement you will build the permissions as /grant {user}:{inheritance}{permissions} everything is encapsulated by parenthesis. The default in Windows when applying permissions in the GUI is “This folder, subfolders and files”, but to achieve the default at the command line you need to use /grant {user}: (OI)(CI){permissions} and the permissions should be encapsulated in parenthesis. The table below is to help you formulate your inheritance for permissions:

This folder only
This folder, subfolders and files (OI)(CI)
This folder and subfolders (CI)
This folder and files (OI)
Subfolders and files only (OI)(CI)(NP)(IO)
Subfolders only (CI)(IO)
Files only (OI)(IO)

The last thing to learn is the permissions. You can use macro permissions, which are also called simple permissions or you can use advanced permissions. The simple permissions are the permissions found in the first properties tab under security. The advanced permissions are when you select advanced and you get the full permissions list. So building on the permissions line from above; if we wanted to grant testuser on the folder test and apply modify permissions so all subfolders and files inherited the permissions. The line would be ‘icacls test /grant testuser:(OI)(CI)(M)’

Simple Permissions

Full Control (F)
Modify (M)
Read & Execute (RX)
List Folder Contents (X,RD,RA,REA,RC)
Read (R)
Write (W)

Advanced Permissions

Full Control (F)
Traverse folder / execute file (X)
List folder / read data (RD)
Read attributes (RA)
Read extended attributes (REA)
Create file / write data (WD)
Create folders / append data (AD)
Write attributes (WA)
Write extended attributes (WEA)
Delete subfolders and files (DC)
Delete (D)
Read permissions (RC)
Change permissions (WDAC)
Take ownership (WO)

When you master this command you will be able to do anything with permissions from the command line. Including understanding the SDDL or Security Descriptor Definition Language; which Microsoft uses to create group policy permissions.

The problem exists when you use a script to create the folders and apply the permissions using the cacls.exe command on a Windows 2003 R2 server. A user on a Mac OS X client with not be able to drag files into the folder on a Windows 2003 R2 server share or perform a copy procedure and will result in the error: “You may need to enter the name and password for an administrator on this computer to change the item name “item-name”.”. You may also see the exclamation error if the file has a preview fork attached of “Couldn’t open the file. It may be corrupt or a file format that Preview doesn’t recognize.”. After much reading on this problem I was almost convinced that it was an OS X bug, but I realize now it is actually a flaw in the cacls command. We use a script similar to the snippet of code below to create the directories.

mkdir \\server\share\userdir
cacls \\server\share\userdir /e /t /g userdir:c

explanation:

cacls {file or folder} /e {edits} /t {changes on all sub directories} /g {grants} userdir:c {user:permission of change}

The problem was solved using the command that was introduced in Vista and Server 2003 R2 called icacls.exe. The icacls tool is now included in Windows Server Service Pack 2 and is standard in Vista. This command allows you to set inheritance, which is the root cause of the problem. The inheritance properties were first introduced in NTFS 5.0 with Windows 2000, however something has changed recently in the OS X 10.5 software or Windows Server 2003 R2. The problem also exists in Windows Server 2008 and Windows Server 2008 R2 so the problem is not going away and I am guessing it is OSX at fault.

When setting a directory with the code above, if you use the icacls command to export the permissions structure out to a file you can see the problem. This will export the security into Microsoft’s SDDL language which is documented here http://msdn.microsoft.com/en-us/library/aa379567(VS.85).aspx.

icacls.exe \\server\share\userdir /save aclfile.txt

notepad.exe aclfile.txt

D:(A;OICI;0x1301bf;;;S-1-5-21-123456789-123456789-123456789-12345) (A;OICIID;FA;;;DA)(A;OICIID;FA;;;SY)
(user:chage) (domain admin:full) (system:full)

The problem is not is not evident until we set the permission properly with the icacls.exe command.

icacls \\server\share\userdir /t /c /grant userdir:(OI)(CI)M

explanation:

icacls {file or folder} /t {changes on all sub directories} /grant {grants} userdir:(OI)(CI) {see below}M { change/modify }

CI CONTAINER INHERIT
OI OBJECT INHERIT
NP NO PROPAGATE INHERIT
IO INHERIT ONLY
ID INHERITED
SA SUCCESSFUL ACCESS FLAG
FA FAILED ACCESS FLAG

Complete list http://msdn.microsoft.com/en-us/library/aa374928(VS.85).aspx

D:AI(A;OICI;0x1301bf;;;S-1-5-21-123456789-123456789-123456789-12345) (A;OICIID;FA;;;DA)(A;OICIID;FA;;;SY)

Explanation:

D: - Defines the DACL
AI - is the MISSING Auto Inheritance Flag
(A;OICI;0x1301bf;;;S-1-5-21-123456789-123456789-123456789-12345) - is the user’s SID and permissions
(A;OICIID;FA;;;DA) - is the “Domain Admin” permissions identified by the trailing DA
(A;OICIID;FA;;;SY) - is the “System” permissions identified by the trailing SY

The AI in the DACL or Discretionary Access Control List is missing when using the cacls command. My guess is that the client when using Windows is responsible for the completion and writing of the DACL. When a Mac OS X client copies a file they utilize SAMBA which does not carry the DACL and consequentially fails. This would explain the empty file that gets created when an OS X client drags and drops the file. The file entry gets created, but is inherited with only the original permissions that have inheritance from above. This same problem could also exist on Linux or UNIX using SAMBA since it is SAMBA that drops the ball.

The Fix:

Use ‘icacls \\server\share\userdir /t /c /grant username:(OI)(CI)M’ to grant access to NTFS folders and replace all entries in scripts using the cacls command.

The hyperlink command in excel actually does the reverse of what I needed; it creates a hyperlink out of the URL and a friendly name and I needed the URL from the friendly name. So I dug in a little deeper and treated the URL like an object. It has properties and those properties can be exposed. The hyperlinkcell object has a type of range so it is passed to the function of GETURL. The first hyperlink in the range we will want the property of the address. Then we simply pass it back to the function so that we can display it.

To install this all you need to do is:

1. Hit ALT + F11 (Opens Visual Basic Editor)
2. Click on Insert -> Module (adds a module to your excel file)
3. Paste the code below for the function of GETURL
4. Hit ALT + Q (Closes the Visual Basic Editor)

Now use the =GETURL(cell) to get the URL

Example: =GETURL(A1) will return the URL for the Hyperlink displayed in cell A1

Function GETURL(HyperlinkCell As Range)

 GETURL = HyperlinkCell.Hyperlinks(1).Address

End Function

Yep, it’s replaced the standard Windows search companion (and the friendly dog – Rover from MS Bob). That’s all well and good, except it’s an indexed search so doesn’t necessarily reflect what’s really on disk. And since by default my program files folder isn’t indexed, it never shows any results no matter what I search for – until I go in and change the settings then wait for it to get around to indexing the folders.

There’s a link at the bottom of the tab to use the trusty old search companion, but it means clicking it every time. Oh, and before you ask, no, there isn’t an option to disable this irritating integration in WDS! I hate it when software comes along and arrogantly replaces existing functionality with itself and gives no way to remove it.

You can in fact turn it off… Simply open RegEdit (hit Start > Run then type ‘regedit‘).
Go to the following node:

HKEY_CURRENT_USER\Software\Microsoft\Windows Desktop Search\DS

Then double-click on ‘ShowStartSearchBand‘ and set the value to ‘0‘. Close that and you’re done. The next time you click ‘Search’ in explorer the old and reliable search companion will appear. This applies to operating systems before Windows Vista, since Vista has far better search that actually works!