Windows Team Listens – Changes 7′s UAC Behavior

Well it looks like the screams over the past week or so have finally been heard, and more importantly, LISTENED TO.  Steven Sinofsky has made a post on the E7 blog outlining that they plan to address the concerns with 7’s UAC and make changes to make the system much more secure.  Changing the UAC level will now prompt you no matter what level UAC is set to.

I definitely applaud the Windows 7 team for finally listening, although I have a funny feeling the driving force behind this change was Steven himself along with the backlash that John received when he posted this morning that they weren’t going to change the system.

Here is the whole post from the E7 blog quoted for your reading pleasure:

When we started the “E7” blog we were both excited and also a bit uneasy. The excitement is obvious. The unease is because at some point we knew we would mess up. We weren’t sure if we would mess up because we were blogging about a poorly designed feature or mess up because we were blogging poorly about a well-designed feature. To some it appears as though with the topic of UAC we’ve managed to do both. Our dialog is at that point where many do not feel listened to and also many feel various viewpoints are not well-informed. That’s not the dialog we set out to have and we’re going to do our best to improve.

This post is an attempt to get both the blog right and the feature right. We don’t like where we are in terms of how folks are feeling and we don’t feel good – Windows 7 is too much fun and folks are having too much fun for us to be having the dialog we’re having. We hope this post allows us to get back to having fun!

To start we’ll just show representative comments from the spectrum of feedback. We’ll then talk about the changes we’re making and also make sure we’re all on the same page regarding how we move forward. In terms of comments we’ve heard the following:

@sroussey says:

You have 95% of the people out there thinking you got it wrong, even if they are the ones that got it wrong. The problem is that they are the ones that buy and recommend your product. So do you give them a false sense of increased security by implementing the change (not unlike security by obscurity) and making them happy, or do you just fortify the real security boundaries?

And @Thack says:

Jon,

Thanks for sharing your thoughts.  I understand your points.

Now, I want to add my voice to the call for one very simple change:

Treat the UAC prompting level as a special case, such that ANY change to it, whether from the user or a program, generates a UAC prompt, regardless of the type of account the user has, and regardless of the current prompting level.

That is all we are asking.  No other changes.  Leave the default level as it is, and keep UAC as it is.  We’re just talking about the very specific case of CHANGES to the UAC prompting level.

It will NOT be a big nuisance – most people only ever change the UAC level once (if at all).

Despite your assurances, I REALLY WANT TO KNOW if anything tries to alter the UAC prompting level.

The fact that nobody has yet demonstrated how the putative malware can get into your machine is NO argument.  Somebody WILL get past those other boundaries eventually.

Even if you aren’t convinced by my argument, then the PR argument must be a no-brainer for Microsoft.

PLEASE, Jon, it’s just a small change that will gain a LOT of user confidence and a LOT of good PR.

Thack

With this feedback and a lot more we are going to deliver two changes to the Release Candidate that we’ll all see. First, the UAC control panel will run in a high integrity process, which requires elevation. That was already in the works before this discussion and doing this prevents all the mechanics around SendKeys and the like from working. Second, changing the level of the UAC will also prompt for confirmation.

@mdaria510 says:

Sometimes, inconsistency with your own ideals is a good thing. Make an exception, if only to put people’s fears to rest.

That sums up where we are heading. The first change was a bug fix and we actually have a couple of others similar to that—this is a beta still, even if many of us are running it full time. The second change is due directly to the feedback we’re seeing. This “inconsistency” in the model is exactly the path we’re taking. The way we’re going to think about this is that the UAC setting is something like a password, and to change your password you need to enter your old password.

The feedback is that UAC is special, because it can be used to silently disable future warnings if that change is not elevated, and so to change the UAC setting an elevation will be required.  To the points in the comments, we also don’t want to create a sense or expectation of security that is not there—you should still not download code and run it unless you trust the source. HTML, EXE, VBS, BAT, CMD and more are all code and all have the potential to alter the environment (user settings, user files) running as a standard user or an administrator. We’re focused on helping people make sure that code doesn’t get on the machine without consent and many third party tools can help more as well. We want people to be comfortable with the new UAC control and the new default setting, so we’ll make the changes outlined above as the feedback has been clear.

While we’re discussing this we want to make sure we’re all on the same page going forward in terms of how we will evaluate the security of Windows 7. Aside from the UAC setting, the discussion of the vulnerability aspects of the Windows 7 Beta have each started with getting code on the machine, which the mechanisms of Windows have prevented in the cases shown. We have also heard of security concerns that involve multiple steps to demonstrate a potential exploit. It is important to look at the first step—if the first step is “first get code running on the machine” then nothing after that is material, whether it is changing settings or anything else.  We will treat very seriously the ability to get code on a machine and run without consent. As Jon’s post highlighted briefly, the work in Windows 7 is about the increased protections in place to secure your PC from acquiring and running code without your consent, and of course we continue to make sure Windows code is secure from both tampering with and circumventing the protections in the system.

We want to reiterate the security of the system overall. Windows 7 is SD3+C and is designed to be more secure than Vista—that’s our priority. None of us want to have Windows 7 be perceived as being less secure than Vista in any way, because our design point is to make sure it is more secure than Windows Vista, by default.

We said we thought we were bound to make a mistake in the process of designing and blogging about Windows 7. We want to continue the dialog and hopefully everyone recognizes that engineering, perhaps especially engineering Windows 7, is sometimes going to be a lively discussion with a broad spectrum of viewpoints expressed. We don’t want the discussion to stop being so lively or the viewpoints to stop being expressed, but we do want the chance to learn and to be honest about what we learned and hope for the same in return. This blog has almost been like building an extra product for us, and we’re having a fantastic experience. Let’s all get back to work and to the dialog about Engineering Windows 7. And of course most importantly, we will continue to hear all points of view and share our point of view and work together to deliver a Windows 7 product that we can all feel good about.

–Jon and Steven

 

Source: E7 Blog


Published on: Feb 5th, 2009 at 9:18 PM

Windows 7 Editions Clarified

Here is a little clearer description of the Windows 7 SKUs for those who didn’t quite understand what was posted yesterday. Now, there are only 3 “mainstream” editions of Windows 7: Windows 7 Home Premium, Windows 7 Professional, and Windows 7 Ultimate/Enterprise. Below is a description of each edition, quoting Ed Bott from ZDNet:

Windows 7 Home Premium – This is the successor to Windows Vista Home Premium, and Microsoft expects it to be the most common edition sold, the standard for virtually all consumer PCs. It includes the Aero interface with its Windows 7 enhancements, plus Windows Media Center, DVD playback support, and multi-touch and handwriting features. I’m also told (but can’t yet confirm) that image-based backup is included in this edition for the first time.

Windows 7 Professional – This edition drops the Business label used in Windows Vista and goes back to the old XP-era name, presumably to give XP users more comfort in their upgrade decision. Unlike Vista Business, this edition contains all features in the Home Premium edition, including Media Center. For the extra cost, you get more traditional business features like the ability to join a Windows domain, group policy based management tools, Remote Desktop host capabilities, network-based backup features, and support for the Encrypting File System.

Windows 7 Ultimate/Enterprise – In the retail channel, this edition will be called Ultimate; for corporate customers with a Select license agreement, it will be called Enterprise. In either case, the feature set includes everything in Professional edition plus support for BitLocker whole-drive encryption (and the new BitLocker To Go feature, which adds high-grade encryption to removable media). This edition also includes all supported language packs (those cost extra for other editions) and the capability to boot from a VHD.

Source: ZDNet


Published on: Feb 4th, 2009 at 8:49 PM

Windows 7 Final Editions

So today information has emerged about the final SKUs for Windows 7.  One thing I find particularly surprising is that all of the SKUs Home Premium and higher come with Media Center in-box.  I think this is a great move on Microsoft’s part and simplifies the SKU feature set.  Customers can now buy Pro and get most of the features.  You will only need Ultimate if you have a need for the BitLocker-related features or the VHD mounting feature.

The SKUs are as follows according to Neowin:

Windows 7 Starter
Market: Emerging markets, with new PCs only
Key features: Enhanced taskbar, Jump Lists, Windows Media Player, Backup and Restore, Action Center, Device Stage, Play To, Fax and Scan, basic games
What’s missing: Aero Glass, many Aero desktop enhancements, Windows Touch, Media Center, Live thumbnail previews, Home Group creation

Windows 7 Home Premium
Market: Mainstream retail market
Key features: Aero Glass, Aero Background, Windows Touch, Home Group creation, Media Center, DVD playback and authoring, premium games
What’s missing: Domain join, Remote Desktop host, advanced backup, EFS, Mobility Center, Offline Folders

Windows 7 Professional (superset of Home)
Market: Mainstream retail market
Key features: Domain join, Remote Desktop host, location aware printing, EFS, Mobility Center, Presentation Mode, Offline Folders, Media Center
What’s missing: BitLocker, BitLocker To Go, AppLocker, DirectAccess, BranchCache, MUI language packs, boot from VHD

Windows 7 Enterprise
Market: Volume-license business customers only
Key features: BitLocker, BitLocker To Go, AppLocker, DirectAccess, BranchCache, MUI language packs, boot from VHD
What’s missing: Retail licensing

Windows 7 Ultimate
Market: Retail market, limited availability
Key features: BitLocker, BitLocker To Go, AppLocker, DirectAccess, BranchCache, MUI language packs, boot from VHD
What’s missing: Volume licensing

There will be a Home Basic edition, but it will only be released to emerging markets. "We know emerging markets have unique needs and we will offer Windows 7 Home Basic, only in emerging markets, for customers looking for an entry-point Windows experience on a full-size value PC", said Windows General Manager Mike Ybarra. Paul Thurrott is reporting that Home Basic will lack "Aero Glass, Live Thumbnail Previews, Internet Connection Sharing, and a few other goodies."

I am glad that Home Basic will be restricted to emerging markets.  There was just too much confusion with Vista having 2 home editions, and some will argue that Home Basic is not really Vista (which I happen to agree with).  Now there will be two mainstream versions available: Home and Pro, and if users choose they will be able to get Ultimate if they have a need for the higher feature set.

What are your thoughts on this new SKU set?  Do you think it will simplify things for the consumer and the OEM PC buyer?  Post your thoughts, I’m curious to see what people think of this.


Published on: Feb 3rd, 2009 at 4:33 PM

Internet Explorer 8 – Will it be Successful?

So this is a question that’s been bouncing around in my mind for quite a while now.  The fact is that while Internet Explorer 8 does include some very innovative features, one has to ask: will the browser be successful in today’s market?

The market for web browsers these days is all about creating a rich user experience on the web.  And part of achieving that vision is achieving true unification across different browser platforms.  How is this achieved, you may ask?  Well, the easiest way to accomplish that goal is true standards compliance, something the IE team was touting at the beginning of the beta cycle.  But the fact remains that IE8 has fallen quite a bit short of that goal.  Sure, it passes the Acid2 test, but the result on Acid3 is absolutely abysmal, and the real-world results leave a bit to be desired as well.

To this day, IE8 will not render aspects of an Invision board correctly (specifically the reply and new topic pages, where the text box is rendered incorrectly).  It also mangles other sites, including Microsoft’s own Connect site (try hovering over a feedback item and watch the popup flicker as if it’s trying to trigger an epileptic seizure).  Yes, IE8 does have a compatibility mode, but in most cases it doesn’t fix the rendering issues.  More than that, the compatibility mode can be seen by some as an admission of partial failure in their goal.  Yes, it’s there primarily for sites written for IE6/7, but they maintain a list on their end that IE checks periodically, and it includes some sites that render fine in Firefox, Chrome and Opera, which are all standards-compliant browsers these days.

Is there time to fix IE8?  Of course, but Microsoft has to be willing to commit to fixing some of these rendering bugs before release.  And I honestly hope they do.  I may not be a user of Internet Explorer, but I realize that if they do not fix these issues and people use IE8 and their sites don’t work, they will start to look for alternatives that will render their sites correctly.  At the end of the day this could mean a reduced userbase for IE and a pretty decent impact to Microsoft’s market share.

I personally don’t hold out much hope for IE8; let’s just hope IE9 will be the version of IE that finally conforms to the true standards.  Hell, maybe they will scrap Trident altogether and use an engine that is already standards compliant.


Published on: Feb 2nd, 2009 at 2:53 PM


Posted in IE8

New Look!

So welcome to the new look for this blog.  Hope you all like it.  The decision behind this was to create something sleek, yet lightweight.  And standards compliance was an absolute must.  Now that goal has been achieved and this site renders well in all browsers we have tested, INCLUDING IE8 (Yeah I know, amazing isn’t it?).

So I hope you all like it, leave your feedback in the comments section and I will read through it.

Big thanks to Kristan Kenney for his work on the theme :).


Published on: Jan 31st, 2009 at 5:56 PM

Posted in General

Geeksmack Podcast – Episode 1

So today we did the first episode of the Geeksmack podcast.

Join Greig Mitchell (filling in for Ryan Price as he couldn’t make it), Chris Holmes, Iian Kehn, and in this premiere episode our special guest Rafael Rivera from WithinWindows.com to discuss the latest technology news freshly picked from our front page, along with a few discussion topics.

Here’s what will be discussed in the first ever episode of the GeekSmack Podcast:

News Discussion:

Quick Launch Returns!

Windows Live; Office Live to Combine

Apple Says No to Netbooks and to A Low-End iPhone

Circuit City Closeout Deals Not Deals At All?

Intel To Focus On 32nm Fabrication Process

The Main Discussion:

Will Windows 7 Save Microsoft?

Will Windows 7 Be a Linux Killer?

The infamous CEIP bug, and why it shouldn’t have happened

Windows Experience Index ratings for Hard Drives are completely wrong.

The podcast can be downloaded or obtained via iTunes (coming soon).

Name: GeekSmack Podcast – Episode 1

Track #: 1

Duration: 51:22

File Size: 117MB

Download: Episode 1 – iTunes (not available yet)

Discuss: GeekSmack Forums


Published on: Jan 24th, 2009 at 11:00 PM


Posted in General

Update on Windows 7 CEIP Bug

As you all know, I posted last night that Microsoft have made the CEIP fix available through the action center.  So when you hit the bug it will actually pop up and tell you exactly how to fix it.

I want to pass on a message I received from a Microsoft employee.

The fix in the action center will be permanent, you will not have to repeatedly fix it.

Here is the statement from Microsoft on the issue, as seen on Mary Jo’s blog:

Microsoft deployed a configuration change which exposed this (installer) problem. New machines installing Windows 7 Beta will not experience this problem. An issue related to the Customer Experience Improvement Program (CEIP also known as SQM) client in the Windows 7 Beta is causing crashes of Explorer, MSI-based installers and other applications. In order to resolve the issue, impacted customers need to run the following script from an elevated command prompt. This script will stop crashes related to CEIP and removes those changes (registry keys) to prevent further CEIP related crashes.

I recommend that you ALL turn the Customer Experience Improvement Program back ON.  In order to do that, do the following:

  1. Open gpedit.msc
  2. Expand Computer Configuration, expand Administrative Templates, expand System, expand Internet Communication Management, and then click Internet Communication settings.
  3. In the details pane, double-click Turn off Windows Customer Experience Improvement Program, and then click Disabled.

That’s it, that should turn CEIP back on, and with Microsoft’s published fix in action center you will be good to go.

NOTE: I have also updated the old post with the fix instructions as to no longer instruct people to disable CEIP.


Published on: Jan 20th, 2009 at 7:30 PM


Posted in Windows 7

Microsoft Posts CEIP Fix to Action Center

So remember the issue I talked about two posts down about the Explorer and MSI crashes?  I was playing around tonight and made the issue happen again to test something, and this little guy popped up:

[Image: Untitled]

So as you can see, Microsoft have acknowledged the issue and posted the fix.  Looks familiar doesn’t it?

Also one thing I would like to note for everyone.  CEIP is one of Microsoft’s biggest avenues for feedback in betas especially.  You may want to turn it back on.  Although turning it back on may cause the issue to come back periodically, at least the action center will pop up telling you HOW to fix it now.


Published on: Jan 20th, 2009 at 12:39 AM


Posted in Windows 7

Fix Windows 7 Sidebar With UAC Off

As many of you undoubtedly know already, in Windows 7 Beta 1, disabling UAC also causes the gadgets to stop working.  This can be very annoying, especially for the power users who turn off UAC, or for those who are turning it off in order to avoid that nasty token elevation bug that rears its ugly head at random on some machines.

The reason for this is that Microsoft made the assumption that the sidebar process would never be run in an elevated state.  So when you try to start it with UAC disabled, it detects that it would have to run elevated and simply does nothing, abiding by the rule Microsoft built in.  Thankfully there is an undocumented registry setting to correct this issue.

  1. Open Registry Editor (regedit.exe)
  2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Sidebar\Settings
  3. Create a new DWORD Value called AllowElevatedProcess
  4. Set the value of the new DWORD to 1
  5. Close the registry editor.  Your gadgets should work now.  No reboot or anything necessary.

So there you have it, an actual fix to the issue that doesn’t require swapping out the sidebar executable like some sites suggest *cough* mydigitallife *cough*.


Published on: Jan 19th, 2009 at 9:53 AM


Posted in Windows 7

SQM Client Causing Crashing in Windows 7

Many users have started experiencing random crashing of explorer and msiexec.exe when trying to start Windows Update or install anything that uses an MSI based installer.  This issue is bad enough that some people have even formatted because of it, only to have it come back again.

Rafael has discovered that the fault lies with the SQM Client which is part of the Customer Experience Improvement Program.  It seems that ANY process that calls WinSqmStartSession in ntdll.dll will start crashing when MachineThrottling is enabled in the registry, which seems to happen as a result of CEIP running.

Use the following to fix the issue.

  1. Open a Command Prompt as Administrator
  2. Type reg delete HKLM\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions /va /f and press Enter.
  3. That’s it, no further action is necessary
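Both registry fixes on this page, the DisabledSessions cleanup just above and the sidebar AllowElevatedProcess setting from the “Fix Windows 7 Sidebar With UAC Off” post, as one added PowerShell example that checks the current state before changing anything. This is my own script, not from the original posts or from Microsoft; the registry paths are the ones the posts give, and it assumes UAC’s on/off state is the EnableLUA value under HKLM\...\Policies\System.

```powershell
# Added example (not from the original posts): apply the two Windows 7 Beta fixes
# described on this page, auditing first so nothing is changed blindly.
# Both keys live under HKLM, so this must run from an elevated PowerShell prompt.

$SqmKey     = 'HKLM:\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions'
$SidebarKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Sidebar\Settings'
# Assumption: UAC's on/off switch is the EnableLUA value under this key (0 = UAC off).
$UacKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Test-Elevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Remove-SqmDisabledSessions {
    # Same effect as the post's "reg delete ... /va /f": delete every value under
    # DisabledSessions but leave the key itself in place. Returns the number removed.
    if (-not (Test-Path $SqmKey)) {
        Write-Host 'No DisabledSessions key; the SQM crash condition is not present.'
        return 0
    }
    $names = (Get-Item $SqmKey).GetValueNames()
    foreach ($name in $names) {
        # GetValueNames() reports the default value as an empty string;
        # PowerShell addresses it as "(default)".
        $target = if ($name -eq '') { '(default)' } else { $name }
        Write-Host "Removing DisabledSessions value '$target'"
        Remove-ItemProperty -Path $SqmKey -Name $target -Force
    }
    return $names.Count
}

function Enable-ElevatedSidebar {
    # The post's AllowElevatedProcess=1 is only needed when UAC is off; with UAC on,
    # sidebar.exe is not elevated and gadgets work without it, so leave it untouched.
    $lua = (Get-ItemProperty -Path $UacKey -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    if ($null -eq $lua) {
        Write-Host 'EnableLUA not found; assuming UAC is on and skipping the sidebar fix.'
        return $false
    }
    if ($lua -ne 0) {
        Write-Host "UAC is enabled (EnableLUA=$lua); leaving the sidebar setting alone."
        return $false
    }
    if (-not (Test-Path $SidebarKey)) { New-Item -Path $SidebarKey -Force | Out-Null }
    New-ItemProperty -Path $SidebarKey -Name AllowElevatedProcess -PropertyType DWord `
        -Value 1 -Force | Out-Null
    Write-Host 'AllowElevatedProcess=1 set; gadgets should start without a reboot.'
    return $true
}

if (-not (Test-Elevated)) { throw 'Run this from an elevated PowerShell prompt.' }
$removed = Remove-SqmDisabledSessions
Write-Host "SQM DisabledSessions values removed: $removed"
Enable-ElevatedSidebar | Out-Null
```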


Published on: Jan 18th, 2009 at 11:14 PM