Ned's BigFaT Blog!

October 29, 2006

Mr T. says DO NOT TURN OFF UAC in VISTA, FOOL!

Filed under: Uncategorized — makfu @ 3:59 am

I am going to be blunt, and if I offend some people, I am sorry.

Turning off UAC in Vista == stupid!!! Period. That people run as admin, by default, on previous versions of Windows, when the NT team implemented an excellent security model that was never enforced, was also a bad decision.

(1.) Now, for those that don’t get it: UAC is NOT just about the prompting. In fact, the requests to elevate are of only minor benefit. HOWEVER, the fact that applications that do not require elevation are running with least user privileges and lower integrity IS THE BIG WIN!!! Let me repeat that: Running IE, Firefox, Word, mIRC, MSN Messenger, AIM, GAIM, Outlook, Eudora, Adobe Reader, etc, etc, etc, as a standard user BY DEFAULT is the BIG WIN with UAC.

(2.) That the user is also given a chance to say no if something bad is attempted is ALSO a solid win. Trust me, when you are browsing along in IE (or other app) and suddenly a UAC prompt appears out of nowhere because some embedded code on a page leveraged a hole in IE (or other app), you will be damn glad that you had the chance to click cancel.

Example scenario on XP or Vista with UAC disabled: I run “superduper IRC client”, which it turns out has a buffer overflow problem when parsing certain IRC output and as a result is a target for remote code exploit (yes, this has happened). Since I, the script kidiot on the other end of the exploit, now have control of that process, and that process is running with NT Administrator (God/root/etc.) privileges, I can embed all kinds of terrible things in the exploit code, such as cross-process code injection (via debug facilities), loading a kernel mode driver and patching the kernel (on 32bit XP and Vista). With UAC enabled these automatic silent attacks ALL WOULD FAIL and your machine would stand about a 99% better chance of not getting owned.

(3.) Be thankful that UAC is as non-invasive as it is. On my ‘nix boxes I have to SU or get prompted for credentials for admin apps, utilities or global actions, JUST LIKE on Vista, but I have to carry out at least eight keystrokes for my password. Any other solution, such as a suid bit (trust this app) or the “unlock” model that other systems use, is potentially dangerous and programmatically exploitable.

(4.) Stop the “it has no value because it just trains users to click okay” argument. Even if users do click okay to everything, it STILL has tremendous value just in item 1 above. Furthermore, take the time to educate yourself and other users as to what UAC actually is and what it is doing.

(5.) Last, but not least, re-read items 1 & 2 and understand that you can do EVERYTHING RIGHT from a user standpoint (e.g. not downloading suspicious apps, running AV, etc.) but you can STILL get owned through no fault of your own. Running your processes with super-user privs is equally dangerous on EVERY platform. So, for your own sake and others, leave UAC on. It is the RIGHT thing to do.
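A quick way to check items 1 and 2 on a given machine, as an added example that is not from the original post: the PowerShell function below reads the standard UAC policy values (`EnableLUA`, `ConsentPromptBehaviorAdmin`) and reports whether the current process holds an elevated token and at which integrity level. The function name and output property names are chosen for this example, and `[pscustomobject]` assumes PowerShell 3.0 or later.

```powershell
# Added example: report whether UAC is on and what token this process holds.
function Get-UacStatus {
    # Standard UAC policy values live under this key.
    $key    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $policy = Get-ItemProperty -Path $key -ErrorAction Stop

    # With UAC on, an unelevated admin's Administrators group is deny-only,
    # so IsInRole() returns $false until the process is elevated.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami lists the integrity level as a label SID of the form S-1-16-<rid>.
    $names = @{ 0 = 'Untrusted'; 4096 = 'Low'; 8192 = 'Medium';
                8448 = 'Medium Plus'; 12288 = 'High'; 16384 = 'System' }
    $integrity = 'Unknown'
    $match = [regex]::Match((whoami /groups /fo csv /nh | Out-String), 'S-1-16-(\d+)')
    if ($match.Success) {
        $rid = [int]$match.Groups[1].Value
        if ($names.ContainsKey($rid)) { $integrity = $names[$rid] }
        else { $integrity = "RID $rid" }
    }

    # Findings map back to the post: item 1 (least privilege), item 2 (the prompt).
    $findings = @()
    if ($policy.EnableLUA -ne 1) {
        $findings += 'UAC is disabled: admin logons get a full administrator token for every process.'
    }
    if ($policy.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'Admin elevation happens without a prompt: no chance to click Cancel.'
    }
    if ($elevated) {
        $findings += 'This process is elevated; browsers, mail and chat clients should not run from it.'
    }

    [pscustomobject]@{
        UacEnabled      = ($policy.EnableLUA -eq 1)
        ProcessElevated = $elevated
        IntegrityLevel  = $integrity
        Findings        = $findings
    }
}

Get-UacStatus | Format-List
```

Run from a normal (unelevated) prompt on a default install, an administrator account should show `ProcessElevated : False` and `IntegrityLevel : Medium`; an empty `Findings` list means both the split token and the prompt are in effect.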

October 26, 2006

Coolest Icon Trick EVAR!

Filed under: Uncategorized — makfu @ 5:36 pm

I didn’t know this until 24 hours ago:

If you are running Vista, click on the desktop and then hold your Ctrl key down while using your mouse wheel to zoom the icons larger and smaller until you achieve a look you are happy with. You can also do this in any explorer window as a quick way to increase your live preview icons.

How cool is that?

October 23, 2006

1.21 Jiggawatts (or how much memory can Windows use?)

Filed under: Uncategorized — makfu @ 11:46 pm

Do you remember when 1 Megabyte of memory seemed enormous (one THOUSAND and Twenty Four Kilobytes!)? The notion that the 32bit address space would run out seemed possible, but a distant event. Surely, we would have computers with 10s or 100s of Megabytes of RAM, but multiple Gigabytes in our lifetime?! Well, we have officially pushed the 32bit world as far as it will go, and now the consumer enthusiast space is moving slowly past the 2GB nominal limit of average 32bit hardware.

So to help navigate the waters, rather than write up my own “sitrep”, I am going to give it to you directly from the horse’s mouth, or in this case Mike Tricker – Senior Program Manager for the Windows (NT) Kernel Platform Group (i.e. a really smart guy):

There are three questions to ask that will tell you the maximum amount of memory your copy of Vista will be able to use:

1. What SKU/Edition have you installed?
a. 32-bit Vista is limited to a maximum of 4GB, and cannot see any pages above 4GB*.
b. 64-bit Vista can use between at least 8GB and 128GB (for now – I believe that upper limit may grow) depending on SKU.

2. What address range can your processor actually access?
a. Typically that’ll be 40-bit addressing today for x64 (Intel EM64T/AMD64), but older processors may be limited to 36-bit (aka “PAE”) or even 32-bit

3. Can your chipset map memory above 4GB?
a. The vast majority of desktop/mobile chipsets on sale today cannot – but some newer ones can
b. Workstations (that typically use chipsets developed for single or dual proc servers) usually can

( * Starter Edition is special and doesn’t figure in this conversation – it’s also OEM-only so “normal” US-based users won’t ever encounter it )

Significant chunks of address space below 4GB (the highest address accessible via 32-bit addressing – see points 1 & 2 above) get reserved for use by system hardware:
· the BIOS – including ACPI and legacy video support
· the PCI bus including bridges etc.
· if you’ve got PCI Express support that’ll reserve at least 256MB

If you fancy that nice shiny new video card with 256MB or maybe even 512MB of video memory in Best Buy – hey, that’s another 256 or 512MB of address space below 4GB that Vista cannot now use.

What this means is that on a typical system you may see between ~512MB and 1.5GB of address space below 4GB reserved for hardware use that Windows cannot access (and nor can any other OS for that matter). Intel chipset specs are actually pretty good at explaining exactly what address ranges get reserved by default and in some cases call out that 1.5GB is always reserved and thus inaccessible to Windows.

What can you do? :

Windows can remap memory from below 4GB to above 4GB and use it there HOWEVER that relies on all three of the above points:

1. Can your SKU of Vista actually access memory above 4GB?
a. Not if it’s 32-bit it can’t. So 64-bit Vista may help you here

2. Can your processor actually access memory above 4GB?
a. If it’s recent then there’s a good chance it can, and if it’s either AMD64 or EM64T it’s almost certain to

3. Does your chipset allow pages to be remapped above 4GB?
a. Actually, probably not – and that’s what’s catching out a lot of folks who install 64-bit Vista to work around point 1 then find they still cannot see above 4GB

“I’ve tried 64-bit Vista and I still can’t see all my memory – now what?”

Sadly the only answer may be to get a newer system that allows you to remap memory above 4GB – and since this is a relatively new problem you may find that you have to dig into the system vendor’s website to find some of this info – don’t count on many of the sales folk in Best Buy or CompUSA having the answers you need. In rare cases the system vendor may be able to tweak their BIOS to reserve less memory for platform use, but we’re not talking 100s of MBs here – but you can check for updates in case they help.

As 64-bit Windows becomes more widely available with 3GB+ of memory as the norm we’ll see this addressed by more mass-market chipsets supporting larger address ranges, but for now unfortunately you’ll have to do some research before buying a new system.

Additional Notes about 36bit PAE on 32bit SKU’s:

Physical Address Extension (PAE) support in Windows pre-Longhorn/Vista is described at http://www.microsoft.com/whdc/system/platform/server/PAE/PAEdrv.mspx for those who are interested, and can be summarized as supporting greater than 4GB addressing (typically 36-bit, so 64GB) on 32-bit processors.

For all 32-bit Vista SKUs, and also 32-bit Standard Server, the maximum memory supported is 4GB, which coincidentally is identical to Windows XP (all editions) and Windows Server 2003 (and SP1) Standard Edition, so nothing’s changed. If you want to access more than 4GB of memory on a 32-bit SKU of Windows you need the Enterprise Edition of Server which supports 64GB (as does Windows Server 2003 SP1 EE).

If you want the detail of why PAE may be enabled on Client SKUs but you still cannot address memory above 4GB then I’d recommend reading http://msdn.microsoft.com/security/productinfo/XPSP2/memoryprotection/execprotection.aspx

Workstation-class systems typically do have chipsets that allow memory to be remapped above 4GB, which addresses point 3 above, so 64-bit Vista is a great solution for them, since Ultimate will allow access to at least 128GB.

So there you have it – the complete rundown. Remember: be very careful when choosing a system or mainboard that claims to support more than 4GB RAM. Many that claim to, don’t, and you will only see ~2.5GB of usable memory. In short, make sure you know the return policy for the hardware and, if possible, check with others to see what their experience has been.

October 17, 2006

I see the colors of my life and they are Red, Green and Blue

Filed under: Uncategorized — makfu @ 3:58 pm

This is a great white paper detailing the memory architecture of WDDM/DXGK.

Check it:

http://www.microsoft.com/whdc/device/display/graphicsmemory.mspx

That’s not a moon…

Filed under: Uncategorized — makfu @ 3:39 am


Vista’s Media Center totally rules.

October 16, 2006

Behold my BIGNESS (or, how 1920×1080 native at 40inches is cool)

Filed under: Uncategorized — makfu @ 5:47 am

October 9, 2006

"Some call you spoiled and overprivileged – I call you my base" (Stewie Griffin at Harvard)

Filed under: Uncategorized — makfu @ 9:36 pm

So a while back I posted my AD/Winbind integration whitepaper. My homeboy DortoH, A.K.A. “The Lazy Admin” published a web version of my white paper at http://thelazyadmin.com/index.php?/archives/381-LinuxUnix-Active-Directory-Authentication-Integration-Part-1.html .

I will actually be updating the whitepaper in the not-too-distant future with new, far more supportable, AD schema options and testing it all again against Fedora Core 6 and Longhorn Server.

On a different note, if you are running Vista, check out the New York Times Reader. A really cool example of an Avalon (.Net 3.0 / Windows Presentation Foundation) application.

Check it out here: http://firstlook.nytimes.com/index.php?cat=4

October 4, 2006

Wow – as bloggers go, I suck.

Filed under: Uncategorized — makfu @ 5:06 pm

So I guess I should do a blog entry for this year. I work for the big M now, and as such, have been doing a lot with Longhorn Server and Windows Vista. More on that later. What I did want to do is dispel the myth that you need a superduper monster rig to run Vista.

First, Vista will run very well on any CPU made in the last four years. With that said, Vista is pervasively threaded so it likes either a fast single threaded CPU or, much better, a hyperthreaded (SMT) or multi-CPU/multi-core setup. For example, Vista on my 3+ year old 3.0GHz Pentium 4HT system runs beautifully.

Second, Vista’s UI features (in terms of eye candy and certain high-DPI scaling effects for legacy non high-DPI aware applications) are dependent on the generation of graphics hardware, not the cost of said hardware. You do not need a 400 dollar video card to experience Aero Glass. What you do need is a DX9 compliant part. What this means is that the part must have vertex and pixel shader ALUs compliant with shader model 2.0 (a core component of the DirectX9 specification). That sounds really complicated, but basically it means any video card that is an ATI Radeon 9600 or Nvidia GeForce 5200FX with 64MB of video memory or better will do the job. If you have an older card, but your machine is still fairly capable, a 60 dollar Nvidia Geforce 6200 will run Aero Glass splendidly.

I would also recommend 1GB of RAM, but, in the event that isn’t an option, there is a great solution in the form of ReadyBoost. ReadyBoost essentially caches a large part of the system swap file in a write-through cache stored on a USB/SD or CF high-speed flash device. The reason this works is that while the sustained throughput of flash memory is slower than that of a typical ATA hard drive, the actual access latency (for a good flash device) is roughly 10+ times faster. So for scattered in-page operations of various 4-k pages, the impact is tremendous. On a system with 512MB, adding a simple 512MB high-speed USB 2.0 thumb-drive will let the system perform at XP equivalent levels WITH all the cool eye-candy and indexing features turned on. (Keep in mind though that you need a good high-speed flash device – a lot of cheap so-called highspeed flash devices aren’t very fast or use trickery such as a small high-speed region of flash with the majority of the flash memory being made up of slower, cheaper cells).

So, as an example, I decided to take a six year old Dual Pentium 733 and upgrade it to Vista. This particular machine, a Dell Precision 220 workstation, had a 7200RPM PATA hard drive, a 4x DVD-ROM drive, a GeForce 2 GTS video card, and 512MB of 800MHz RDRAM. It was still a pretty decent XP box, but since I am moving everything on my home network to either Longhorn or Vista (that isn’t a Linux test bed) I wanted to see if I could make it run Vista and Office 2007 well enough for daily use.

So what upgrades did I do to this 6 year old machine?

1. Geforce 6200 (60 bucks)
2. Belkin 4 port USB 2.0 to PCI adapter (40 bucks)
3. Memorex Flyer 512MB USB thumb drive (15 bucks).

Total cost: ~120 USD.

The result was far better than I had expected. The system runs Vista 5728 (Sep EDW) surprisingly well and is fully usable, and while Glass doesn’t default on, once I had enabled it, it ran very well, even at 1600×1200 with many window objects on screen. Were it not for the old 133MHz FSB and RDRAM memory, the system would score a solid 2.x on the Winsat score (memory ops score drags the system to a 1.8). In terms of actual usability, the system works great. Load times for Office 2007 are reasonable (though slower than Office 2003 on XP on this system) and actual responsiveness is better (less UI glitching/stalling, etc.).

So, in short, if you have an older system, try running Vista on it – you might be surprised how well it actually works. Even for very old machines, 100 dollars might buy your system a whole new lease on life.

-Ned

Screenshot of my 6 year old Dual 733 running Vista with a mere 120 bucks worth of upgrades:
