Harsh Shah's eBlog

Removing Windows Firewall from SP2 Configuration to reduce footprint

harshs — Tue, 12 Oct 2004 23:32:00 GMT

Hello All,

Are you looking for low footprint SP2 Image? Here is one way to reduce the footprint, if you don't need "Windows Firewall" in your configuration (Note: In general keeping windows firewall in runtime is recommended):

1. Create a new SP2 configuration and import PMQ for your system.
2. Add any other components that you want in your configuration with the following exceptions:
    A) If you add "Retail Point of Sale Terminal" macro, go to settings of this component and uncheck "Windows Firewall/Internet Connection Sharing (ICS)".
    B) If you add "Home Gateway" macro, go to settings of this component and uncheck "Windows Firewall/Internet Connection Sharing (ICS)".
    C) If you add "Networking Application Compatibility" macro, go to settings of this component and uncheck following:
"Windows Firewall/Internet Connection Sharing (ICS)"
"Windows Firewall Control Panel"
"Core Networking"
"Connection Manager Runtime"
    D) If you add any of the following components manually in your runtime, Windows Firewall will be brought in your runtime:
Connection Manager Runtime
Security Center
Windows Firewall Control Panel
Windows .Net Messenger
3. Manually add "Core Networking" component in your configuration. Go to settings of this component and uncheck "Windows Firewall/Internet Connection Sharing (ICS)".
4. Run dependency check and build image.

Retail-optimized XP Embedded Operating System

harshs — Tue, 05 Oct 2004 21:56:00 GMT

Microsoft just announced the development of customized windows embedded OS targeted towards retail POS systems. Check it out at:

http://msdn.microsoft.com/embedded/getstart/devplat/pos/default.aspx

This is a part of Smarter Retailing Initiative from Microsoft. For information on this initiative, visit following site:

http://www.microsoft.com/resources/retail/

Windows XP Embedded with eTRUST Antivirus Software!

harshs — Tue, 05 Oct 2004 21:48:00 GMT

Computer Associates released eTrust Antivirus software for XP Embedded yesterday. It promises minimal footprint starting at under 6MB and compatability with XP Embedded SP2. It provides protection against viruses and a variety of other network-based threats and essential updates of virus signatures for ongoing security. Check it out at:

http://ca.com/channel/oem/eav.htm

Free XP Embedded SP2 Tech Preview is Available

harshs — Tue, 05 Oct 2004 21:40:00 GMT

XP Embedded SP2 Tech preview is available for download from the following site:

http://download.microsoft.com/download/D/5/5/D55A381F-F2B7-4787-8A43-0D79CF8B8C35/XPEFFI.exe

For more information on what is new in XP Embedded SP2, check out the following article:

http://www.windowsfordevices.com/news/NS9761865541.html

How to configure Firewall in XPE SP2?

harshs — Fri, 01 Oct 2004 23:12:00 GMT

Hi All:

Windows XP Embedded SP2 is coming and one of the major feature that has changed is windows firewall. Firewall is enabled by default in SP2 and you will need to open ports used by your applications. Here is how you can configure Windows Firewall in XPE SP2:

To Configure Firewall Pre-FBA (offline) you can do one of the following:

1. In TD configuration, go to "Windows Firewall/Internet Connection Sharing (ICS)" component and modify settings.

2. If you have already built image and want to change firewall options without rebuilding image, you can do one of the following:

A) You can use firewall configuration information file (netfw.inf). This file is located in your image folder under "windows\inf" directory.

This file has two sections:

[ICF.AddReg.DomainProfile] - change settings under this section to change firewall settings for all domain accounts (domain firewall policy)

[ICF.AddReg.StandardProfile] - change settings under this section to only affect local system account(s).

Following settings are available under each of the above sections (The value shown for each setting s the default value):

HKLM,"System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile","EnableFirewall",0x00010001,1

- EnableFirewall = Enable Firewall? Values: 0 = Firewall Off, 1= Firewall On (default)

HKLM,"System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile","DoNotAllowExceptions",0x00010001,0

-DoNotAllowExceptions = Don’t allow any exceptions? Values: 0 = Allow Exceptions (default), 1 = No Exceptions

NOTE:

- If you want to turn on the firewall w/o any exceptions, set EnableFirewall = 1 and DoNotAllowExceptions = 1

- If you want to turn on the firewall with exceptions, set EnableFirewall = 1 and DoNotAllowExceptions = 0

- If you want to turn off the firewall, set EnableFirewall = 0. (The value that you set for DoNotAllowExceptions does not matter until you turn on the firewall in runtime. At this point the default starting value for exceptions will be the one that you set using DoNotAllowExceptions)

HKLM,"System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile","DisableNotifications",0x00010001,0

- DisableNotifications = Disable Firewall Notifications when a program is blocked? Values: 0 = Notify when a program is blocked (default), 1=DON’T notify when a program is blocked.

All ICMP settings can be found here under IcmpSettings subkey (default setting is to NOT allow any ICMP requests).

For e.g.

HKLM,"System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\IcmpSettings","AllowInboundTimeStampRequest",0x00010001,0

- AllowInboundTimeStampRequst = Allow incoming timestamp request? Values: 0 = No (default), 1= Yes

List of Authorized Applications:

HKLM,"System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List","%windir%\system32\sessmgr.exe",0x00000000,"%windir%\system32\sessmgr.exe:*:Enabled:Remote Assistance"

The last part of the entry is formatted as:

"%windir%\system32\sessmgr.exe:*:Enabled:Remote Assistance"

(Path to program executable): (Scope – LocalSubnet or * (for any source) ): (Enabled/Disabled): (Program Name)

There is only one application that is authorized by default – remote assistance. You can, however, add more entries here. Here is an example of how you will add your application – myapp.exe in authorized application list and enable it for local subnet.

HKLM,"System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List","C:\Program Files\Applications\myapp.exe",0x00000000,"C:\Program Files\Applications\myapp.exe: LocalSubnet: Enabled: My Application"

List of Port Openings:

HKLM,"System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List","137:UDP",0x00000000,"137:UDP:LocalSubnet:Disabled:NetBIOS Name Service"

The last part of this entry is formatted as:

"137:UDP:LocalSubnet:Disabled:NetBIOS Name Service"

(Port Number(1-65535) : Protocol(UDP/TCP) : Scope(LocalSubnet/*) : Enabled/Disabled : Port Name

Port openings can be added either as enabled or disabled. If port opening entry is disabled, that port is effectively blocked by firewall, until it is enabled in the runtime. There are 7 entries for port opening by default and all of them are disabled. You can edit those entries to enable some port opening(s) or you can add new entries. For example, you can edit the above port to enable it for any source.

HKLM,"System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List","137:UDP",0x00000000,"137:UDP:*:Enabled:NetBIOS Name Service"

B) Alternatively you can open regedit and load system hive from image folder located at windows\system32\config\system.sav. Go to the following sub tree under this hive:

CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile

CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\GlobalProfile

Add/Edit/Delete the registry keys according to the settings explained above in (A). All ICMP related settings will be under “ICMPSettings” subkey. All authorized application settings will be under “Authorized Applications\List” subkey. All port opening settings will be under “GloballyOpenPorts\List” subkey.

To configure Firewall Post-FBA you can do one of the following:

If you added “Windows Firewall Control Panel” component in the configuration, you can run firewall.cpl to change all firewall related settings.
If you don’t have control panel access, but if your runtime has access to netsh shell you can use it to change firewall settings.

Using netsh:

netsh>Firewall

netsh firewall> show state (to check the current status of firewall)

netsh firewall>set opmode [enable/disable] [enable/disable]

Where first parameter is state of the firewall (enable=on, disable=off) and second parameter is whether you want to allow exceptions (enable=allow exceptions, disable=don’t allow exceptions). You can also specify interface and/or profile. Please use netsh shell help for details.

netsh firewall>set notifications [enable/disable]

enable = notify when program is blocked, disable = do not notify when program is blocked

You can also change ICMP settings, create port openings and authorized application/service using the following netsh commands.

netsh firewall>set icmpsetting (to change ICMP Settings)

netsh firewall>set service (to create authorized applications)

netsh firewall>set portopening (to create port openings)

If you have access to regedit in runtime, edit the related registry keys directly as explained above.

Configuring common user settings and Policies in runtime

harshs — Wed, 15 Sep 2004 09:19:00 GMT

Severeal common user settings and policies can be set using gpedit.msc (Group Policy Snap-in). This includes desktop, start menu, taskbar, contorl panel, logon, network and power management related settings etc. Have you ever wondered how to remove logoff or shutdown button from start menu? Or how to set wallpaper or screensaver in runtime? Or how to hide notification area or tooltip? There are so many such settings that can be done through gpedit.msc.

If your runtime configuration includes "Group Policy Core Administration MMC Snap-In" Component and some support components, you can use gpedit.msc in runtime to change above settings. Alternatively, you can use regmon (www.sysinternals.com) to identify the registry key corresponding to particular setting and use regedit to change the setting in runtime. The registry key related to most of the above settings are under the following registry branch:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies (and sub branches - Explorer, Network, System etc.)

Once you identify the key corresponding to the setting, you can create that registry key under this branch and set the value to 0 (for disable) or 1(for enable). For example, if you want to remove logoff button from your start menu, you need to create the following registry key in runtime and set the value to 1(to enable):

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogoff

This is same as enabling the following policy in gpedit.msc:

User configuration->Administrative Templates->Start menu and taskbar->"Remove Logoff on the start menu" (change to 'enabled' from 'not configured')

Improved Security Agent for XP Embedded from Sygate Technologies

harshs — Tue, 14 Sep 2004 10:12:00 GMT

Sygate Technologies announced that their improved security agent 4.0 for XP Embedded devices will be available by end of this month. It promises advanced protection against worm, viruses and application hijacking. Check out the following article:

http://biz.yahoo.com/prnews/040913/nym073_1.html

EOL (End of Life) Components and Branching

harshs — Thu, 09 Sep 2004 04:56:00 GMT

Have you ever wondered what are those "End of Life (EOL)" components in XPE database and how they work?

When a new version of some application or component is available (e.g. Windows Media Player 9.0 or DirectX 9.0), old version of that component (e.g. WMP 8.0 or DirectX 8.0) is retired. To replace the old version of component, an EOL object for that component is added to XPE database which indicates that the component is no longer valid. EOL components are created by removing all resources (file, registry and any other resources) from the original component - they are essentially empty objects with special revision and visibility values. EOL objects have revision value of 100,000 or greater and they typically have a visibility of 0 (so you wouldn't see them under components list in TD). If your existing configuration already contains the component(s) that has been EOLed, Target designer can detect it and handle it correctly. Target Designer will show "(EOL)" at the end of component displayname - so that you can recognize that the component has been EOLed in the new version of the database.

To replace the EOLed component in the configuration with the new version of component, "Branching" is used. Components support a special branch resource that is added in EOL component (NOTE: Branch resource is only valid in an EOL object). The Branch resource contains a property, TargetVIGUID, which contains the VIGUID of a replacement component. Due to this branch resource, when you upgrade your existing configuration and go through dependency check, the new component replaces the EOL component in the configuration. The Branch resource also contains an optional MinRevision property that indicates the minimum revision level of the target component that may be used as a replacement for the current component. Following are special scenarios:

If MinRevision not specified or 0, any revision level may be used.
If the EOL component does not specify a Branch resource, then the component is dead, and has no replacement component.
If the EOL component specifies multiple Branch resources, then the component is replaced by all the components specified.
If several different EOL components specify Branch resources that all reference the same target component, these components are replaced by single new component.

Another XPE Blog

harshs — Tue, 07 Sep 2004 11:32:00 GMT

First, a little bit about myself: I joined Microsoft and XP Embedded team about 8 months back. Before coming to Microsoft, I did my Masters in Computer Engineering at University of Southern California and I also worked there as a Systems Analyst for about a year and a half. Even though, I have been in XP Embedded team for a short time, I have worked on several bits and pieces of XPE SP2 and I wanted to share some useful information that I have learned. So, here I am, blogging for the first time, in the hope that someone out there will find this useful.

I will use this blog primarily to talk about common XP Embedded issues raised in newsgroups and also to share news on embedded features and cool devices. I am planning to post articles on how to configure some features offline (Windows Firewall, Dr. Watson, Pop-UP blocking etc.) and tweaking registry settings. Also, whenever possible, I am planning to post some scripts and tools that I am working on. I have written scripts to backup, restore and remove XPE database which can be useful as a starting point for anyone who wants to write his/her own custom database scripts. I have also written tools to diff SLDs and SLXs.

Stay Tuned......