Category Archives: Microsoft

Print Spooler (spoolsv.exe) crashes repeatedly – find corrupt/unsupported drivers

If you find that your print spooler service continuously crashes or won’t even start at all, it could be due to an unsupported or corrupted printer driver. To help determine what the cause of the issue is, you will need to do the following.

  1. Download Windows Debugging Tools SDK from this location and install them to a location you’ll remember.
  2. Create a folder on your C: drive named debug.
  3. Open a command prompt change directory to the folder where you installed the debugging tools.
  4. Change directory again to “Debuggers\x86.” (Note: This location may change depending on operating system. You are looking for the file location of adplus.exe.)
  5. Run the following command: adplus -crash -pmn “spoolsv.exe” -o C:\debug.
  6. Start the Print Spooler service.

The adplus command will wait for the print spooler service to start then attach itself to it for debugging purposes. When the service crashes, it will create a folder inside of C:\debug with a date/timestamp similar to this: 20120807_095027_Crash_Mode. Inside of that folder will be a couple of log files. Examine the log files and search for verify. In my case, it found the following line: *** WARNING: Unable to verify checksum for C:\Windows\System32\XRZWSLAI.DLL. Next, we need to delete the printer and drivers from the registry.

To delete the printer and drivers from the registry, do the following:

  1. Open the registry editor.
  2. Browse to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows NT x86\Drivers\ (Note: If you’re running the 64-bit version of Windows, the registry location will most likely be Windows x64 rather than Windows NT x86.)
  3. There will be a subkey Version-2 or Version-3 depending on your operating system.
  4. Export the registry key before deletion to ensure you have a backup.
  5. Delete the appropriate key that relates to the corrupt/unsupported driver.
  6. Browse to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers.
  7. Export the registry key before deletion to ensure you have a backup.
  8. Delete the appropriate key that relates to the printer.
  9. Start the Print Spooler service.

Disable SSLv2 on IIS 6 for Windows 2003

SSLv2 should be disabled on any machine running IIS as a security precaution. To do this, open a command prompt on the target server and run the following commands to add values to the registry to disable it.

REG ADD “HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\PCT 1.0\Server” /v Enabled /t REG_DWORD /d 0 /f

REG ADD “HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Server” /v Enabled /t REG_DWORD /d 0 /f

NPS Certificate Setup for PEAP/EAP-MSCHAPv2 Wireless Authentication on Windows Server 2008

So if you find yourself wanting to use PEAP 802.1x authentication, you will need to make sure there is a certificate bound to the PEAP authentication method on the network policy. In order to get the right type of certificate, you should follow the steps below. Note: In my case, I was unable to add a regular “Computer” enrollment so I had to follow the steps below to get it working. If you find yourself able to enroll a “Computer” certificate at step 9 below, you can ignore steps 1-8.

  1. In the Certificate Templates Console, under Template Display Name, find Computer. Right-click it, click Duplicate Template, and then click OK.
  2. In Properties of New Template, on the General tab, under Template display name, type a name for your new template. You can use something like Wireless Authentication. While you are on the General tab, you can also set a validity period. By default it will be 1 year. Do not select more than 2 years or some additional tweaking will be required (steps not listed here).
  3. Click the Security tab. Here is where you need to add permission for you to enroll. Click Authenticated Users and check the box next to Allow for Enroll. Click OK and now you’ll see the new certificate template at the bottom of the list.
  4. Close the Certificate Templates console. Click Start, Run, certsrv.msc, enter. This will open the local Certification Authority console.
  5. Right-click the Certificate Templates folder, point to New, then click Certificate Template to Issue. Scroll down the list and find the new template you created. The name I suggested was Wireless Server Auth but you might have picked something else. Highlight this template and then click OK. Now you should see that it is added to the list of Certificate Templates.
  6. While you are in this console, click on the Issued Certificates container. You should see a list here of all the certificates that this CA has issued. You can also view Pending Requests (for certificates that require approval before being issued) and Failed Requests (there was a problem issuing the cert).
  7. Go back to the local computer certificate console (Start, Run, mmc, enter, File… Add/Remove Snap-in, Certificates, Add, Computer account, Next, Local computer Finish, OK). Right-click the container under Personal\Certificates, point to All Tasks, Request New Certificate, Next, Next. You should now see the Wireless Authentication certificate. Choose it and click Enroll. At this point you should now see another certificate in the list. You can tell which one is the one you just issued by looking at the details tab and viewing Certificate Template Information.
  8. Go back to PEAP properties in the Network Policy and choose the newly created certificate.

Exchange 2007/2010 Internal Relay Receive Connector Does Not Relay

So you’re working with Exchange 2007/2010 and you’ve got the need to allow some internal applications, PCs, or servers to relay mail through the Exchange server, but it doesn’t seem to be working even though you’ve got the receive connector created with the right properties:

  1. Connector type: Custom
  2. Authentication: TLS, Externally Secured
  3. Permission Groups: Anonymous
  4. Network: IP addresses listed of the servers/PCs you want to be able to relay from

You need to do one last step to allow anonymous logon/relay, but it needs to be done with the Exchange Management Shell (EMS).

Let’s say your connector is named Internal Relay. Run the following command in EMS: Get-ReceiveConnector “Internal Relay” | Add-ADPermission -User “NT AUTHORITY\ANONYMOUS LOGON” -ExtendedRights “Ms-Exch-SMTP-Accept-Any-Recipient”

That should do it. Test relay and you should see that it is successful.

Installing 32-bit Printer Drivers on Windows 2008 R2 Asks for ntprint.inf

You may find that attempts to add certain 32-bit printer drivers to a Windows 2008 R2 print server prompt you for the location of ntprint.inf. This is a huge pain, but it can be solved by doing the following:

  1. Locate a Windows Vista or Windows 7 32-bit computer on your network and document it’s computer name.
  2. Click Browse on the prompt for ntprint.inf and type in the location to the Windows 7 machine: \\computer-name\c$\windows\winsxs\
  3. Scroll down through the window and locate x86_ntprint.inf_xxxxx then click it to open it. xxxxx is a random hex string and version number.
  4. Click ntprint.inf and click OK to select it and then OK once more to accept the path and finish the driver installation.

Autologon Domain-Joined Windows 2008 R2 Server

When a workstation/server is joined to a domain, it hides the checkbox for “Users must enter a user name and password to use this computer” from the userpasswords2 control panel.

To get autologon working, you need to restore this functionality by running the following from a command prompt to add a registry key:

reg add “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon” /v AutoAdminLogon /t REG_SZ /d “1” /f

Once that is done, it is recommended to run the following from a command prompt to add a registry key to specify the default logon domain:

reg add “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon” /v DefaultDomainName /t REG_SZ /d “domain” /f

After both registry keys have been added, launch the userpasswords2 (Start->Run->control userpasswords2) and click “OK.” to set the username/password you want to autologon with.

Please note: This tip also works for Windows 7 and Windows Server 2008.

Windows 2003 RDP Desktop session or parts of Desktop session is black

I had an issue today where I was connecting to a Windows Server 2003 machine and after logging in my RDP desktop was black.  I could see icons, but text, menus, etc., did not show up.  This is due to corrupted/incorrect color settings in the registry.

Here is what I did to fix it.  Replace the bold parts with your SID.

  1. Opened the registry and browsed to HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\PROFILELIST and found the SID associated with my login account. In this case, it was S-1-5-21-269 (part of the SID omitted)
  2. Still in registry editor, browsed to HKEY_USERS\S-1-5-21-269\CONTROL PANEL\COLORS
  3. I noticed most of the values, if not all, were set to ‘0 0 0’.  I backed up the registry key.
  4. Create a new registry editor file (.reg) and paste these values into it:
    [HKEY_USERS\S-1-5-21-269\Control Panel\Colors]
    “ActiveBorder”=”212 208 200”
    “ActiveTitle”=”0 84 227”
    “AppWorkSpace”=”128 128 128”
    “Background”=”0 78 152”
    “ButtonAlternateFace”=”181 181 181”
    “ButtonDkShadow”=”113 111 100”
    “ButtonFace”=”236 233 216”
    “ButtonHilight”=”255 255 255”
    “ButtonLight”=”241 239 226”
    “ButtonShadow”=”172 168 153”
    “ButtonText”=”0 0 0”
    “GradientActiveTitle”=”61 149 255”
    “GradientInactiveTitle”=”157 185 235”
    “GrayText”=”172 168 153”
    “Hilight”=”49 106 197”
    “HilightText”=”255 255 255”
    “HotTrackingColor”=”0 0 128”
    “InactiveBorder”=”212 208 200”
    “InactiveTitle”=”122 150 223”
    “InactiveTitleText”=”216 228 248”
    “InfoText”=”0 0 0”
    “InfoWindow”=”255 255 225”
    “Menu”=”255 255 255”
    “MenuText”=”0 0 0”
    “Scrollbar”=”212 208 200”
    “TitleText”=”255 255 255”
    “Window”=”255 255 255”
    “WindowFrame”=”0 0 0”
    “WindowText”=”0 0 0”
    “MenuHilight”=”49 106 197”
    “MenuBar”=”236 233 216”
  5. Place the .reg file on the machine in question and import the settings into the registry.  Log on with the user and all color settings should be restored.

 

Merge private key with certificate using OpenSSL

I had an issue where I needed to replace the current SSL certificate on Exchange 2010 with the same certificate that had additional SAN names added.  Unfortunately, the certificate I was provided was not signed by the provider’s (GoDaddy in this case) private key so the certificate could not be directly imported.  I used OpenSSL to sign the certificate with the provided private key and was able to import the certificate into Exchange successfully after creating a temporary certificate to assign the services while I removed the existing certificate to import the newly created one.

Using OpenSSL, run the following command to sign the certificate with the provided private key:

openssl pkcs12 -export -in server.mydomain.org.crt -inkey server.mydomain.key -out mycertificate.pfx

 

Offline Files fail to synchronize when moving to new server

You may experience a time when you move file servers due to restructuring or perhaps your old file server dies. You change the folder redirection paths to the new server, but offline files still tries to replicate from the old, non-existent server. To resolve this, you need to format the offline files database on your PC. This will remove the cached files database and old server references and fix your issue.

To format the offline file database open a command prompt and run the following command to add the necessary registry key to your PC and reboot.

REG ADD “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\NetCache” /v FormatDatabase /t REG_DWORD /d 1 /f