FreakoutITGeek's Blog

Random IT postings from Freakz

Category Archives: Windows

Stick to the script

My first taste of real IT was as part of a one weeks high school “works experience” at Strathclyde University’s IT department back in the 90’s (it probably was called data processing or something back then). The systems were all unix and I was used to an Acorn Electron and BBC Master, both running a version of the BASIC programming language, it was a tough learning curve, especially when I was given a manual, pad of paper and asked to write a script. I can’t remember what the script was supposed to do but I remember being lost in this manual, trying to figure out this strange programming language that made no sense to me.

The university IT guys obviously didn’t understand my situation as their experiences were all with Unix shell scripting and possibly some C programming. To them I was a waste of space as ‘all computers worked the same’ and this should be simple for a kid with a home computer.

As I grew up I learnt Pascal, C, COMAL, COBOL at college and tried to teach myself Assembly language and C++ (both with not much luck) at home.

It’s not until recently that my programming skills have come back into use. Not just for my Open University courses on Java / Object Oriented Programming (which would have helped back in the 90s when I was trying to get my head round Objects after 2 years of procedural programming in Pascal and years toying with BBC BASIC) & web design using JavaScript. My programming has come into use more recently as part of my current support role.

The last year (or so) I have written more programs in AutoIT and Batch (DOS) scripting than I have done in a long time.

As with all programming languages, sometimes there are ‘quirks’ that you have to get your head around but it’s amazing what you can do with a bit of creativity.

One of my most recent Batch scripting triumphs was to resolve an issue we have with Altiris.

We have a wide range of sites in one of our sections ( 13 large sites with servers and 51 smaller sites with a Local NAS each), with each site needing support via Altiris. The central Altiris server does not have the spare capacity for all the installs and whilst the network links are sufficient for standard use, pulling multiple installs over the links can bring sites to a crawl.

My aim was to create a script that could be used to determine the site, check the local data store ( NAS or server) for the install and if not present copy the files from the central Altiris server to the local data store, then run the install. This sounds quite simple bit you need some safeguards to prevent multiple PCs from copying the files. some way to check the files copied successfully last time and a check that if the copy was taking too long that another computer would take over (assuming that the original had failed to copy the files – ie powered off or disconnected from the network ).

So what appeared, at first look, to be a simple little script, soon became a challenge.

I’m happy to announce that the script is currently working. So what does the script do?

First it determines the site, originally this was done using the computer name as each site names it’s PCs with a site specific prefix. After a bit of planning it was realised that some support staff take the computers to one of the larger sites when the machines are rebuilt or if there is a large number to be built. So to account for this it was realised that the unique identifier for each site was the IP address, or in our case the gateway address, using a FOR loop it was easy to strip the gateway address from the IPConfig command.
Another FOR loop then striped the IP into the data we needed and then compared it to a CSV file to get the Server / NAS details.

So that was the easy part done, we know the site & local server / NAS ( data store) but what about the rest?

Checking for the files is easy using IF EXIST, but what if it’s not there. It would be easy to just copy the files but what if 20 machines are all trying to copy at the same time? Simple, create a lock file. Each machine ruining the job cheeks for the file, if it exists it loops until the file is deleted. If the lock file doesn’t exist it is created with the name of the creating PC (for manual error checking) before using robocopy to copy the files/ directories over (other tools are available & better but Robocopy comes with Windows 7 and a version exists for Windows XP – so the easy option was taken), once
Robocopy completes the lock file is deleted and all the PCs continue with the install from the local data store.

So what if the files exist but there have been changes ? This was a bit trickier, I used the DIR command to check the number of files in the directory (and sub folders) as well as using DIR to report the size of the directory(s). This should be a simple (but not completely fool proof) way to check for changes and act accordingly.

So what if a PC is powered off and the lock file exists? Well there are two checks, the first is when the script runs – it checks the date of the lock file and if it doesn’t match the current date then it’s deleted (keeping it simple). The second check is if the batch script comes out of the loop and the lock file is still there then it sends an error back.

There are loads of other error checking in the script and there is a heavy use of CALL, IF and FOR commands within the script to do what it does, but it does everything I had planned and more than the original concept.

So, after a lot of testing and a few changes, I’m now off to look at my next challenge.

If this post is of interest please let me know by liking or posting a comment and I may add some more of the same.

Altiris For Apple Mac systems

I’ve mentioned in other posts that I have previously managed to get Apple systems (most Windows people call them Macs) on Deployment server and I have been asked how I did it…

Firstly look over the Symantec connect article “Installing the DS and NS Agent for Macintosh” which provides a step by step description and a lot of discussion about the process.

From my own experience I was using Altiris Deployment Server 6, the Altiris agent (known as the Dagent on Win 7 or Deployment client/agent) was Altiris-adlagent-2.6-54.Darwin.zip. In order to get it working I also had to disable the auto update feature on the console as it tried to upgrade the agent to the latest version (which in my case didn’t work).

With some basic unix /Command line knowledge, Altiris is quite a handy tool ( it’s not as good as Apple Remote Control, but if you have Altiris and can’t afford ARD it’s a good second choice) which you can use it to image an Apple system if you have an Apple server (or similar) running NetBoot and I’m sure if you have some scripting (AppleScript) skills you will reduce your workload considerably (not to mention allow some standards on the organisation’s Apple systems).

There is a note, that I made when I started testing the Apple client, about an issue (I assume this has been resolved since) where the ADLagent spawned multiple processes.

To uninstall / remove the ADLagent from OSX please look at http://www.symantec.com/business/support/index?page=content@id=HOWTO10704
, basically the (terminal) command appears to be sudo sh /opt/altiris/deployment/adlagent/bin/uninstall.app and after responing to the prompts, the software should be uninstalled. Once uninstalled you can sudo rm -r /opt/altiris and sudo rm -r /etc/altiris to clear out the related folders.

If I can remember anything relevant I’ll add it later, hopefully what is posted here will help, but since the organisation I currently work for no longer support Apple systems (why?) I may struggle with further advice at this point.

Altiris: Part 1

I thought I’d give my insights into what I believe to be best practice when it comes to creating deployment jobs.

Looking back at my early days creating Altiris deployment jobs, most of them appear to be a case of push out the installer and hope for the best (something it appears my colleagues still do !!?). So what do I suggest has to be considered before creating an Altiris deployment job?

Here are my top recommendations.
(more details to follow in further posts)

  • What Operating system is the software compatible with? Are there different installers for different OS ?
  • What software does the installer rely on (ie prerequisites)? Is the required software already installed? Can you check? Can you install it if not?
  • Is there sufficient space on the client to Install the software? (Some jobs may need to copy the install locally before they are run)
  • Are other installs (ie Windows update, previous Altiris jobs) running, which could cause the install to fail?
  • Which type of installer does the application use? Does it support silent / quiet / unattended / admin install? How can you tell?
  • Has the installer really worked and not just returned successfully? How do you check?
  • Have you cleaned up any temporary files and/or folders created during the install?
  • Have you updated the inventory?
  • Has the installer completed before the ‘get Inventory’ task runs?
  • Are there any permissions / access changes required? (registry keys / folders)
  • Are changes needed to the program, config files, shortcuts? Or Is additional software required to check for access (ie to a network share)?
  • Have you tested your install? Is there a standard build / department build you can test it with?

More to follow…

Hacking scorch active X installer

I don’t tend to put how-to stuff on my blog as it’s not really what I intended it for. As I will probably need this in the future and it may help out other IT support people, I’ve made an exception.

My Issue was that the Music department in the High School I work in requested Sibelius Scorch installed on their Windows XP PCs. This should be an easy task but Sibelius/Avid only provide the software as an Active X plugin for Internet Explorer or an .exe installer for Firefox, Oprah, Netscape etc.

Since the staff and pupils are blocked from installing plugins, or any other software, (for security reasons) I needed to find an installer that would install Scorch that I could then distribute to the PCs using Altiris.

After a lot of searching I was no further forward.. So the only option was to start hacking..

I downloaded the Active X .cab file from Sibelius.com and saved it to the desktop of my test Windows XP computer. Once on the PC I extracted the files and was left with a setup.inf and setup.exe files. The setup.inf file is read by windows and starts the setup.exe file.

So I manually ran the setup.exe file and ,due to the restrictions in place on my test PC (proxy settings), the setup.exe failed and gave an error message with a details button. Clicking the details button brought up a URL of where the setup.exe file was attempting to downloading a Microsoft installer file from. (The URL is also recorded in a log file under the profile of the account being used)

With this Info I could just browse to the URL and download the MSI file and use this to deploy the software to the PCs required (after testing).

Hope this info is of use to others in the same situation 🙂

Why Apple?

One of the two questions I get asked, fairly regularly, is “why do you like Apple [XYZ product]” (The other one is why am I vegetarian, but that’s another issue for another day).

My journey started many decades back, as a kid I had an Acorn Electron home computer which I thought myself how to use and program. The Acorn Electron was sold as an education system so did not have all the games and fancy distractions that other home computers (such as the ZX Spectum, Atari and others) had. I learnt to search out joysticks and find the stores that stocked the parts I needed to do what I wanted ( even going so far as to type in code for a printer driver for the colour dot matrix printer we bought later as there were no drivers for it, only a printout of the code).

Later I progressed into a BBC B micro from the same company before I went to college to learn how to program in (the now dead) languages such as Turbo Pascal, C on Amstrad AT PCs and unix terminals.

I eventually managed to get my hands on one of the old PCs when the college eventually upgraded them and tried to teach myself machine code (with little success) and kearn more about DOS 5/6 and windows 3. My family had bought an IBM PC with IBM OS on it at the time so I knew the hardware could do more that Microsoft were doing with it, especially as games were coming out with colour graphics & decent sound.

I played about with PCs for many years and it became my career to build, upgrade and repair Windows PCs. But my sights were a bit wider than my colleagues and I also used an Amiga 1200, upgraded with internal HDD, external HD floppy, chip upgrades etc to run a small ‘off-line Bulletin board system (BBS) called Phoenix which had members on PC, Mac and Atari (I also had an Atari ST).

Every now and then I had a chance to try something new, I got my hands on an Apple PC in high school & had a chance of doing word processing on green screen Apple (probably a classic) which had a graphical desktop & mouse, when other computers were clunky with command line driven interfaces.
My dad decided to replace the IBM with an Apple clone (during Apple’s bad years) and I still kick myself to think we could have gone for an original iMac if only I hadn’t been so blind and realised Apple had seen the demise of the floppy disk, which back then were the only real option for saving data (CDs were too expensive).

At work I have always had the odd chance to get my hands on Apple hardware, from the odd OS 7 system that came in for repair, to working on upgrading OSX systems within schools.

So why Apple?

well after all these years of using different makes and models of computers, Apple is the only one that still makes me feel like a kid. They make the type of computer I wish I could build myself, they get it right first time, every time.

I remember back in the 90’s being at a Microsoft event and bring told how great Windows NT 5 was going to be and what it was capable of. I remember saying to customers it was going to be great. So what happened? NT 5 was delayed time and again and eventually came out as a cut down (my opinion) version under the name of Windows 2000. At that point I realised that Microsoft promised the future but delivered mediocrity.

Apple, on the other hand, do things differently. I attended an Apple event (hopefully the related Non Disclosure Agreement has expired) many years back. Their new OS was due for release or just released, but a feature which they were working on wasn’t ready on time so they were not happy to release a sub standard feature & didn’t release that feature in the initial product. Being the sort of company they are they proceeded to explain about the feature and how it could be used once they had resolved their issues. This meant that the community could get up to speed and develop their software so that it was ready for Apple to release the feature silently as part of a future update. So rather than promising and not delivering they delivered what was expected and were planning more improvements as that were sure they were happy with them. ie promise the possible, deliver the future when it arrives. (or ‘under promise, over deliver’ if you want the boring version)

Even Apple’s view on OS pricing appears to be so much fairer. Would Microsoft sell Windows 8 for the same price as Apple are due to release Mountain Lion? I can’t see it happening and I suspect that MS will force users to update their hardware ( remembering the ‘Vista Ready’ fiasco) when Windows 8 finally gets released.

So what I’m saying is Apple produce stunning technical and visually appealing products that go beyond the rest of the industry and bring back the fun and excitement into IT.

Side note: There are loads of IT people that try to guess what Apple will come up with next, but I don’t want to know. I’m that kid at Xmas, eager to rip into the presents, but knowing there’s no point in peeking as it spoils the excitement of opening them on the day. Sometimes things are more than the sum of their parts and Apple know this.

Just when you think they’re dead

At work we get our new PCs imaged before they are delivered to the organisation. This is pretty common practice in modern companies, especially ones that realise that their IT support staff are busy enough installing apps and diagnosing/repairing faults.

My issue comes from the recent batches of PCs that came into my work recently. This is the first batch of Windows 7 machines and has been a massive learning curve for most of us, especially when there has been little obvious testing before the machines were sent to the sites.

As much as I could rant on about the lack of planning and how myself and my colleagues have been firefighting instead of providing a great service to our customers, that is not what this is about.

The reason for this blog posting is that I received a system that was imaged and configured for another organisation. The logical thing would be to send it back for our supplier to resolve but I have been asked to re-image the machine. Simple enough request you’d think, until you realise that the machine in question has had a BIOS password set, and you’ve probably guessed that it’s not our password and the settings are not correct for our defined security policy.

One of the issues with the BIOS is that the boot from Network (PXE Boot) has been switched off, so I can’t even image the machine with our defined image until we find out what the password is.

So I investigated how to reset the password and after trying ‘backdoor’ passwords and removing all power and internal backup power to no avail, I found a utility from the Hardware manufacturer that could record the settings from a machine that had the correct settings, store them to replay them on the faulty machine.

Now here comes the zombie bit…

The program will only work on DOS.. I thought in the age of USB pen drives, Windows PE, Windows 7 and Windows 8 just round the corner that DOS was dead and buried years ago..

Luckily I dug up my stash of old floppy disks and was able to hunt down an external (USB) floppy Drive that the new PC detects. I still have some old decaying Win 98 install floppies In my stash so I copied one and amended it to work with the program. So I’m crossing my fingers that I’ll be able to beat the security and I can get back to what I’m paid to do.

Why are PC hardware manufacturers not providing utilities that work under Windows? I would suggest that they should provide a CD image, but how would a user be able to save the settings file to restore on the other system? I guess a network interface would be required?

I’m sure that Apple don’t turn round and ask you to create system 7 images to update their hardware.. when will hardware vendors realise that it’s time to move past DOS. Most people don’t even know what it is/was, or maybe that’s the reason.. To prevent novice users from using what is after all an administrative tool designed for deployment and configuration of PCs?

Anyway it’s been a blast from the past with floppy disks, even an LS120 SuperDisk drive (Immation) which didn’t work. I guess this is the reason that DOS disks are still available for Microsoft’s TechNet downloads (which I don’t presently have a subscription to) , and it has kept me in touch with my past.. even though I prefer to be looking to the future.

HP OfficeJet Pro 8000

From time to time I’m asked to recommend a printer for the different departments within the organisation I work for and recently I have been recommending the HP OfficeJet Pro 8000.

The 8000 is a great printer for general printing, for £50-100 you can get a colour network inkjet printer that’s suitable for a small group of occasional users (up to 10 users) that prints A4.

The printer has separate ink tanks (4) which are accessible from the front of the printer and replaceable print heads (2) which allows for easy replacement of inks as they run out and print heads as they become blocked or near their End of Life.

The print quality and speed are acceptable at 15 pages 1200x1200dpi per minute black and 11 pages 4800x1200dpi per minute for colour (speed calculated using OSI standard).

The printers green credentials are good as it is Energy Star compliant and uses a max of 48w, usually consuming only 25.2w and reducing down to 3w on power saving.

The printer also supports common OSs including Windows XP, Windows 7, Windows Server 2000 – 2008 & Mac OS X 10.4 and up.

For home users or offices that use Wi-Fi, you can purchase the a version of this printer with a Wi-Fi for not a lot more than the normal version.

For larger offices, an Enterprise version of this printer is available. The enterprise version has a memory upgraded from the original 32MB to 256MB and the print speed is improved, presumably because of the memory.

All 3 models come with a 250 sheet input tray and the output tray can hold 50 pages, however users that need an additional input tray then an additional 250 sheet tray is available for all models.

All in all the printers appear to be great for small groups of users or homes that want to share their printer over their home Wi-Fi. I also believe that the price of the ink isn’t to bad either 🙂

UPDATE: The basic 8000 model no longer appears to be available. There also appears to be some issues with these printers.

The enterprise version supports HP Universal Print Driver driver, however the basic model still uses the specific printer driver for that model (note the model number is different for the enterprise and basic model), which adds an additional level of support if you have both installed on your Windows server.

I’ve also had reports that the printer has trouble printing multiple copies of the same document, this could just be an issue with the application that is sending the prints (Office 2000 pro) but the issue appears to affect both basic and enterprise versions [further information to follow].

MacGuard & user permissions

Following on from my recent posting on MacDefender, I noticed the same site had an updated page relating to MacGuard ( for original article see Reed Corner Design [Thomas Reed] http://www.reedcorner.net/news.php/?p=204 )

From the article it appears that MacGuard relies on a similar tactic to install itself on OS X machines as MacDefender, i.e. by Safari automatically starting the installer if “Open ‘safe’ files after downloading” is still ticked in the Safari preferences (see the ‘MacDefender Info’ article in this blog for further details).

The big difference between MacDefender and MacGuard appears to be that if a user has administrator rights then the install will run and the application will install without any prompts. If the user only has user rights then the installer will fail.

In reality, I believe that most home users do not know if they are using their machine as a user or admin, so this could be a risk to home users. For companies that have properly trained IT staff then no one should have admin rights on a Mac unless they are IT staff, but smaller companies may be left at risk.

As usual it appears that the risk is from lack of user awareness, that users need to realise the importance of the different types of account and the risks involved. This issue is one of awareness is not just limited to OS X users but Windows users as I believe that most Windows users are sitting using their Admin accounts in a daily basis. I believe that the industry as a whole need to look at the issues of user account permissions more seriously in the future.

Viruses and malicious content

There has been an increasing amount of press recently about malicious applications appearing for the Apple OS X operating system.

To be honest I don’t use any security software in the two OS X computers I use at home, which are connected to the home broadband Internet connection.

I would never consider doing the same for a Windows OS machine, before any PC is connected to the Internet I always advise to patch it to the latest service pack, install Norton Internet Security (or McAfee), download any updates to NIS using a machine that is already protected before connecting and running windows update.

I have seen a Windows OS machine become infected using a dial up connection in seconds with McAfee Installed from CD but not patched. The machine in question was being connected to pull down McAfee updates and Windows Updates so was open to attack.

By comparison I believe that the few risks found to target OS X machines require the users to provide authentication details before the software can be installed on these systems. I have yet to hear of a virus getting on an OS X machine through a security flaw on an Unpatched OS X machine, installing itself, spreading itself and the user not being aware of any of this happening.

I believe that the risk to OS X users from scareware such as MacDefender (which is just the Windows Defender, also known as fakeAV, setup so that it detects Safari browser) and the other scare mongering press stories, is so small as not to worth worrying about at the moment.

If you believe there is a risk then the solution is as simple as it is for Windows machines. Install a reputable security package like Norton Internet Security Dual ( which protects up to two OS X machines running OS X and windows under bootcamp or similar).

As the press try to create a false sense that OS X is at threat, more Anti-virus and security companies are jumping on the bandwagon to provide software for those that want it. I believe that Norton, McAfee, Sophos and other organisations currently provide some form of AV for OS X.

As I have stated, if you feel that there us a risk, protect yourself, otherwise OS X is safe from all the current threats as long as you don’t install software that you don’t know what it is, what it dies or where it came from.

Safe and secure on Windows & OS X

For a few years now I have had to use a secure USB device for storing files ( drivers, installs, etc) as it’s company policy and the PCs have security software to prevent anyone (even us in IT) from using non secure devices.

My main issue with this has been that we support both Windows and Apple systems so have had to use Integral Crypto devices for the PCs and non secure devices for the Apple OS X machines.

I always thought it was a poor situation and I’m sure I ranted about it at the time.

I have just found that Integral now not only now produce a Mac version of the Crypto but have recently launched a Crypto Dual device, which works on both Windows and OS X!!

The device also has some handy extra features, including a unique code etched into the device for easy identification (something that was really needed in the original versions), The ability to have all the devices in your organisation to have a company hardware ID set on the devices ( allows security software to identify the devices that the company have purchased and which ones users have purchased and brought in ) and lastly, it allows for an administrator account password to be set in addition to a user password, allowing IT departments to recover data when the user has forgotten their password, so long as they have not exceeded the 5 allowed attempts which I believe still results in the data being deleted.

I have done a bit of checking and the devices are all available in the UK from Insight prices are roughly (Inc VAT) for the 32 GB versions..
PC basic version: £127
Mac 140 version: £147
Dual version: £132

Alternatively for PC users I have seen the PC only version as PC World in the past. For Mac users the Apple store sells the Mac only versions (well the on-line store does at time of writing this)

The Security level may vary slightly between these versions so I would suggest checking the prices on Insight and the specifications on Integral.

If anyone from Integral is reading this feel free to contact me with full details or to give me a review model so I can give the Dual version a try!! Hey if you don’t ask you don’t get!! 😉

Update:

For those unfortunate enough to have a Windows PC at work and an Apple at home and have been given one of the Windows only versions (ie you are in a Windows only workplace but have a Mac at home), I have tested a solution to your Issue.

On my Apple iMac ( Intel Duo circa 2006) at home I have installed the free VirtualBox software from Oracle (was Sun) and installed Microsoft Windows 7 onto the virtual PC created by the software. By installing the VirtualBox add-on pack into Windows 7 you can set it to allow access to the Secure pen drive. This works like a dream and I can copy files off and onto the device without any issues.

I assume that Bootcamp, Parallels etc will do a similar job, but I can not test this as my iMac uses an external
monitor due to a damaged LCD panel / controller so I can’t use it for bootcamp and I don’t have parallels or it’s competitors.

I assume that this will only work with Intel Macs (ie I suspect that older PPC apple devices won’t be able to get it to work as they don’t have the Intel chipset)

Of anyone wants to know more feel free to contact me.