Category Archives: Misc

Windows 7/2008 + RDP8 = Incorrect source network address


A few months ago I noticed some odd IP addresses in the WLS SessionMonitor logs for a few of our hosts. After confirming that this was not the result of a compromise I began digging further into the issue.

Our networking team had started investigating usage of RDP8 to improve the user experience for remote users, and had installed RDP8 and enabled the RDP8 protocol via policy on their Windows 7 systems. When an RDP connection was made, the Source Network Address was incorrect in Security Event ID 4624 (successful logon events), TerminalServices-RemoteConnectionManager Event ID 1149, and TerminalServices-LocalSessionManager Event ID 25. Usually this was reported as “0.0.0.0”, but sometimes contained random numbers. WLS uses WinStationQueryInformationW to retrieve the source network address for the session and it returned the same information that is reflected in the event logs.

Further testing showed that this only impacted Windows 7/2008 systems with RDP8 installed and enabled. Disabling the RDP8 protocol in the policy forces the connection to fall back to RDP7 which reports the IP address as expected. Changing the RDP transport protocols did not appear to have any effect.

The RDP8 protocol policy is located at:

Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\Enable Remote Desktop Protocol 8.0

The RDP transport protocols policy is located at:

 Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Select RDP transport protocols

Due to the way RDP was previously implemented, there will not be a fix provided that allows the Source Network Address to be properly reported in event logs, or a way to retrieve it via an API call. Here’s the associated KB for the issue detailed above: https://support.microsoft.com/en-us/kb/3097467

Advertisements

Adding HFS+ read support to Windows


Recently I had a coworker request the ability to read an HFS+ formatted drive with Windows. I found a few scattered articles that pointed to Apple’s “Boot Camp Support Software” including an HFS+ driver, and it does.

How to add read only HFS+ support to Windows (64-bit) using Apple’s HFS+ drivers

Download the latest “Boot Camp Support Software”

Search the Apple support site for “boot camp support software”

BootCamp

I used “Boot Camp Support Software 5.1.5640”

Extract BootCamp.msi from \BootCamp\Drivers\Apple\

BootCamp.msi

Opening the msi with Orca revealed two drivers as well as the registry entries required to make them work.

Orca_Component Orca_Registry

Extract the files from BootCamp.msi

(I used 7-Zip)

ExtractFiles

Copy the drivers

Copy AppleHFS.sys and AppleMNT.sys to c:\windows\system32\drivers

Files

Add registry entries

Based on the information from BootCamp.msi I created the following registry entries.

AppleHFS AppleMNT

Copy the text below into a .reg file and execute it to add the required entries.

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\AppleHFS]
“ErrorControl”=dword:00000001
“Group”=”File System”
“Start”=dword:00000000
“Type”=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\AppleMNT]
“ErrorControl”=dword:00000001
“Group”=”System Bus Extender”
“Start”=dword:00000000
“Type”=dword:00000001

Reboot!