Virtual PC Guy's Blog

-- Ben Armstrong, Virtualization Program Manager

Talking about core virtualization at Microsoft (Hyper-V, Virtual PC and Virtual Server).

Booting Hyper-V R2 off a USB stick

A while ago we announced that Microsoft Hyper-V Server R2 would support booting off of a USB flash device.  We have now provided detailed documentation on how to set this up.  Even cooler than booting Hyper-V off of a USB device – is the fact that what we are doing is booting a VHD with Hyper-V installed on it off of a USB device:

http://technet.microsoft.com/en-us/library/ee731893(WS.10).aspx 

If you are like me – you will probably think: “Cool! I have to check that out!” And then after looking over that page you will think: “Eh, that seems like a lot of work…”

Thankfully Paul Despe has made a little tool that makes this dead simple.  You can grab it from here:

http://code.msdn.microsoft.com/BootHVSR2FromUSB

With this tool all you have to do is:

  1. Install the Windows Automated Installation Kit (WAIK)
  2. Grab Microsoft Hyper-V Server 2008 R2 and either burn it to a DVD or mount it with a virtual CD program
  3. Connect your USB flash device
  4. Run the tool As Administrator
  5. Select your USB flash device as your target disk
    1. Warning! You can select any disk in your system – and it will get formatted.  Make sure you are selecting your USB flash disk – and you do not have any data on the disk that you want to keep.
  6. Click on the Create Blank VHD button and choose a temporary location for the VHD
  7. Locate your copy of the INSTALL.WIM file from the Microsoft Hyper-V Server 2008 R2
  8. Hit the Start button and wait a short time (~30 minutes on my system) for everything to be set up

When it is finished you can now take your USB flash disk and boot a system off of it.  Once you have completed the standard Hyper-V Server post installation configuration – you can connect to the system remotely and start partying with Hyper-V.

You may be wondering why we are letting you do this.  Well that is captured at the top of the TechNet article, to quote:

… The scenario described in this document is only supported for original equipment manufacturers (OEM) …

… A Hyper-V Server UFD can provide virtualization capability for servers that ship with no local hard disks, and it offers the same functionality and flexibility as a Hyper-V Server installation on a physical hard-drive …

The idea here is that OEMs / System Builders that want to make diskless Hyper-V servers (where the virtual machines are stored on some form of central storage) can do so by sticking some cheap flash storage on the disk.

Myself, I just like the idea of having a Hyper-V server with me ready to go at anytime :)

Some notes to be aware of include:

  • This is only supported for Microsoft Hyper-V Server 2008 R2.  Not for Windows Server 2008 R2.
  • It is recommended that your USB flash disk be at least 8GB in size, and that you only fill your disk up to 75% to get the best performance / life span.
    • For this reason Paul's tool defaults to creating a 6000MB virtual hard disk.  You can change the size of the virtual hard disk using the File menu.
  • While you can move the USB device from system to system and *most* things will work:
    • This is not supported (if you read the whole TechNet article you will see that this is only supported if you are using a USB device that is hard-wired to the system).
    • The virtual network switches will get disconnected whenever you move to a new system.
  • To reduce wear-and-tear on your flash device, the page file is disabled by this tool.  This means that you should not try and allocate every last megabyte in the system to virtual machines.  Try to leave some room for processes in the parent partition.

As a final note – I did not have an 8GB flash device handy for testing this out – so I actually set this up using my PlayStation Portable (PSP).  And it works!  Now I just have to figure out how to keep Hyper-V on my PSP and still use it for playing games.

Cheers,
Ben

Understanding High-End Video Performance Issues with Hyper-V

A while ago I wrote a relatively short blog post highlighting the fact that there are performance issues with Hyper-V when used with a high-end graphics adapter.  Since then I have been inundated with people asking questions and trying to get their heads around this issue.  Today I would like to take a chance to drill in on this:

What is the cause of the problem?

Okay – let’s grab the pertinent text from the original KB article:

This issue occurs when a device driver or other kernel mode component makes frequent memory allocations by using the PAGE_WRITECOMBINE protection flag set while the hypervisor is running. When the kernel memory manager allocates memory by using the WRITECOMBINE attribute, the kernel memory manager must flush the Translation Lookaside Buffer (TLB) and the cache for the specific page. However, when the Hyper-V role is enabled, the TLB is virtualized by the hypervisor. Therefore, every TLB flush sends an intercept into the hypervisor. This intercept instructs the hypervisor to flush the virtual TLB. This is an expensive operation that introduces a fixed overhead cost to virtualization. Usually, this is an infrequent event in supported virtualization scenarios. However, some video graphics drivers may cause this operation to occur very frequently during certain operations. This significantly magnifies the overhead in the hypervisor.

Usually when I talk to people about this – their eyes start to gloss over – so let’s dig in a little here.  With the help of Wikipedia we can get some definitions here:

  • Write-combining (http://en.wikipedia.org/wiki/Write-combining):

    Write combining (WC) is a computer bus technique for allowing data to be combined and temporarily stored in a buffer -- the write combine buffer (WCB) -- to be released together later in burst mode instead of writing (immediately) as single bits or small chunks.

    Write combining cannot be used for general memory access (data or code regions) due to the 'weak ordering'. Write-combining does not guarantee that the combination of writes and reads is done in the correct order. For example, a Write/Read/Write combination to a specific address would lead to the write combining order of Read/Write/Write which can lead to obtaining wrong values with the first read (which potentially relies on the write before).

    In order to avoid the problem of read/write order described above, the write buffer can be treated as a fully-associative cache and added into the memory hierarchy of the device in which it is implemented. Adding complexity slows down the memory hierarchy so this technique is often only used for memory which does not need 'strong ordering' (always correct) like the frame buffers of video cards.

    In summary, write-combining is a method of accessing memory that is typically only used by video cards.

  • Translation Lookaside Buffer (TLB) (http://en.wikipedia.org/wiki/Translation_Lookaside_Buffer)

    A Translation lookaside buffer (TLB) is a CPU cache that memory management hardware uses to improve virtual address translation speed. It was the first cache introduced in processors. All current desktop and server processors (such as x86) use a TLB. A TLB has a fixed number of slots that contain page table entries, which map virtual addresses to physical addresses. It is typically a content-addressable memory (CAM), in which the search key is the virtual address and the search result is a physical address. If the requested address is present in the TLB, the CAM search yields a match quickly, after which the physical address can be used to access memory. This is called a TLB hit. If the requested address is not in the TLB, the translation proceeds by looking up the page table in a process called a page walk. The page walk is a high latency process, as it involves reading the contents of multiple memory locations and using them to compute the physical address. Furthermore, the page walk takes significantly longer if the translation tables are swapped out into secondary storage, which a few systems allow. After the physical address is determined, the virtual address to physical address mapping and the protection bits are entered in the TLB.

    So the TLB is a CPU cache that helps with translation between virtual address spaces and physical addresses.  Note that these virtual address spaces have nothing to do with virtual machines – but are used to allow multiple applications on an operating system to be isolated from each other.

Summarizing all of this – video card drivers tend to use memory access methods that cause Hyper-V to need to clear out the CPU cache for memory page table mapping a lot.  This is an expensive thing to do in Hyper-V at the best of times.  In fact – the above TLB article on Wikipedia even has a section on the problems of virtualization and the TLB.

Now that we have the ground rules in place – let’s head on to some of the other questions.

How could you possibly ship Hyper-V with this issue?  Did you not test this product?

To answer the second question first – I actually was the first person (in the world) to hit this issue.  Early on in development I tried to use Hyper-V as my desktop OS on my home system with a GeForce 8800 video card.  Everything seemed to work okay (though some things were oddly sluggish) until I tried to play Age of Empires III.  I had never played this game before, and the first time I tried to play it was on top of Hyper-V.  In short, it sucked.  Unfortunately I spent most of the weekend trying to tweak my rig and looking for patches to Age of Empires III before I thought to try disabling Hyper-V.

As soon as I realized what was happening I filed a bug and the issue was investigated.

When the issue was determined to be a specific result of the combination of the Hyper-V hypervisor and the Nvidia driver – we decided to leave things as they were for a couple of reasons:

  • Windows Server does not include any video drivers other than the SVGA driver by default
  • Windows Server will not install a high-end video driver automatically at any stage – you need to manually install the Windows 7 drivers

Also, Hyper-V was being developed solely for server virtualization and:

  • We have always recommended that nothing be run in the management operating system, other than basic management tools
  • No server workload that we tested generated anywhere near the rate of TLB flushing that these video drivers cause

Finally, this is a really hard issue to address.  In fact, there are no hypervisor-based virtualization platforms that address this issue today – and while there are several under development I suspect that they will either have specific hardware requirements (I will get to this later) or will have simplifications / limitations to help them mitigate this issue (like only having one virtual machine).

Why does this affect Hyper-V and not Virtual PC?

Here we are seeing the difference between a hypervisor and a hosted VMM type solution.  With a hypervisor-based platform (like Hyper-V) everything runs on top of the hypervisor – even the management operating system.  Whereas with a hosted VMM platform (like Virtual PC) the host operating system still has direct access to the hardware.  To explain this better – here is a diagram:

[Image: Drawing1]

Hopefully you can see the difference here.  It should also be noted that all desktop virtualization products available today use an architecture similar to that of Virtual PC.

How do I know if this is affecting my computer?

To check if this is affecting your system – what you need to do is open Performance Monitor (you can do this by running “perfmon” from the start menu).  Select the Performance Monitor node and click on the plus symbol to add a new counter.  Then find the Hyper-V Hypervisor Root Partition entry, expand it, select Virtual TLB Flush Entries/sec and add the Root counter.  This will allow you to keep an eye on the rate of TLB flushing in the management operating system:

[Image: Untitled] [Image: Untitled2]

So what do you look for now?  On my system – the only time I see a significant rate of TLB flushing (>10) is when I start a virtual machine.  A system that has this problem will either generate a continuous rate of TLB flushing above 100 or will generate spikes in the thousands.

What can I do to stop this / work around it?

There are a couple of options here:

  1. Use the default video driver (SVGA).

    Yes, I know it is not sexy or fun – but if you are planning to just use Hyper-V as a server virtualization platform this is your easiest and simplest option.  It is the way we intended Hyper-V to be used, and it will always give the best performance.

  2. Tone down the use of 3D graphics.

    Some video cards (like the Nvidia Quadro FX 1700M) seem to work fine as long as Aero is not enabled and no 3D applications are running.  If I enable Aero I start to see a fairly frequent rate of spikes in my TLB flush count (which causes annoying lurches in the window animation).  Running a 3D game (like Halo 2) is just terrible.

    This means that for those of you who do not want the high-end driver for 3D graphics, but instead need it for multi-monitor support or for the ability to connect a projector to your laptop (like me) this may work.

  3. Choose your video card carefully.

    As a general rule of thumb – the less capable the video card, the less likely this is to be an issue.  My previous laptop had an integrated graphics controller – which was terrible for gaming – but worked great for Hyper-V.  When I wanted to get my new laptop and found that there was no Intel option – I tracked down a coworker with a similar graphics card in their laptop and tried out Hyper-V on it before going ahead and buying it.

  4. Get a system with Second Level Address Translation (SLAT).

    SLAT is a technology that goes by different names depending on whether you get Intel (where it is called “Extended Page Tables” (EPT)) or AMD (where it is called “Nested Page Tables” (NPT) or “Rapid Virtualization Indexing” (RVI)).  These technologies are an extension to the traditional TLB that allow us to use the hardware to handle multiple TLBs – one for each virtual machine.  We added support for this hardware in Windows Server 2008 R2.  If you run Windows Server 2008 R2 on a system with SLAT capabilities – you will not have any problems running 3D graphics at all.

    Intel started shipping this technology in the Nehalem (or Core i7) processor line.  AMD has been shipping this for a while now – ever since generation 3 of the AMD Quad-core family.  Unfortunately neither has shipped this technology in the laptop processors yet – though Intel has indicated that they are planning to soon.

Hopefully this has answered all of your questions satisfactorily.  If you have any further questions – please feel free to ask away.  I would also encourage you that if you have a video card that appears to work well with Hyper-V and 3D graphics – post the details in the comments so that others can benefit from your good fortune!

Cheers,
Ben

Double click to mount a virtual hard disk (Windows 7 Style)

I have been wanting to come up with a workable solution for mounting virtual hard disks by double clicking on them in Windows 7 for a while now.  The problem is that:

  • There is no easily scriptable API for VHD mounting
  • You need to be elevated (running “As Administrator”) in order to mount a virtual hard disk

The best idea I could think of for a simple solution was to try scripting the DISKPART tool.  Unfortunately – once I got going I got a bit carried away.  The result is this batch file:

@ECHO OFF
 
REM - This will be the file that I use for scripting
SET temporaryFileName=%temp%\VHDBatchTempFile_%random%.txt
 
REM - Parse the first parameter and go to the right location
REM - (quoted so that a missing parameter falls through to the usage text)
IF "%~1"=="mount" GOTO:mount
IF "%~1"=="readOnlyMount" GOTO:readOnlyMount
IF "%~1"=="dismount" GOTO:dismount
IF "%~1"=="compact" GOTO:compact
IF "%~1"=="install" GOTO:install
IF "%~1"=="uninstall" GOTO:uninstall
 
REM - Give a helpful error message if no parameter is recognized
GOTO:error
 
REM - Mounting a virtual hard disk
:mount
ECHO select vdisk file=%2 > %temporaryFileName%
ECHO attach vdisk >> %temporaryFileName%
diskpart /s %temporaryFileName%
del %temporaryFileName%
GOTO:EOF
 
REM - Mounting a virtual hard disk (read only)
:readOnlyMount
ECHO select vdisk file=%2 > %temporaryFileName%
ECHO attach vdisk readonly >> %temporaryFileName%
diskpart /s %temporaryFileName%
del %temporaryFileName%
GOTO:EOF
 
REM - Dismounting a virtual hard disk
:dismount
ECHO select vdisk file=%2 > %temporaryFileName%
ECHO detach vdisk >> %temporaryFileName%
diskpart /s %temporaryFileName%
del %temporaryFileName%
GOTO:EOF
 
REM - Compacting a virtual hard disk
:compact
ECHO select vdisk file=%2 > %temporaryFileName%
ECHO compact vdisk >> %temporaryFileName%
diskpart /s %temporaryFileName%
del %temporaryFileName%
GOTO:EOF
 
REM - Put registry keys in place 
:install
 
SET temporaryFileName=%temporaryFileName:txt=reg%
 
SET batchFileName=%~f0
SET batchFileName=%batchFileName:\=\\%
 
ECHO Windows Registry Editor Version 5.00 > %temporaryFileName%
ECHO. >> %temporaryFileName%
ECHO [HKEY_CLASSES_ROOT\.vhd] >> %temporaryFileName%
ECHO @="Windows.VirtualPC.HD" >> %temporaryFileName%
ECHO. >> %temporaryFileName%
ECHO [HKEY_CLASSES_ROOT\.vhd\ShellEx] >> %temporaryFileName%
ECHO. >> %temporaryFileName%
ECHO [HKEY_CLASSES_ROOT\.vhd\ShellEx\ContextMenuHandlers] >> %temporaryFileName%
ECHO. >> %temporaryFileName%
ECHO [HKEY_CLASSES_ROOT\Windows.VirtualPC.HD] >> %temporaryFileName%
ECHO @="Virtual Machine Hard Drive Image" >> %temporaryFileName%
ECHO. >> %temporaryFileName%
ECHO [HKEY_CLASSES_ROOT\Windows.VirtualPC.HD\ShellEx] >> %temporaryFileName%
ECHO. >> %temporaryFileName%
ECHO [HKEY_CLASSES_ROOT\Windows.VirtualPC.HD\ShellEx\ContextMenuHandlers] >> %temporaryFileName%
ECHO. >> %temporaryFileName%
ECHO [HKEY_CLASSES_ROOT\Windows.VirtualPC.HD\Shell] >> %temporaryFileName%
ECHO. >> %temporaryFileName%
ECHO [HKEY_CLASSES_ROOT\Windows.VirtualPC.HD\Shell\Open2] >> %temporaryFileName%
ECHO @="M&ount VHD" >> %temporaryFileName%
ECHO. >> %temporaryFileName%
ECHO [HKEY_CLASSES_ROOT\Windows.VirtualPC.HD\Shell\Open2\Command] >> %temporaryFileName%
ECHO @="CMD /S /C  \"\"%batchFileName%\" mount \"%%1\"\"" >> %temporaryFileName%
ECHO. >> %temporaryFileName%
ECHO [HKEY_CLASSES_ROOT\Windows.VirtualPC.HD\Shell\Open3] >> %temporaryFileName%
ECHO @="D&ismount VHD" >> %temporaryFileName%
ECHO. >> %temporaryFileName%
ECHO [HKEY_CLASSES_ROOT\Windows.VirtualPC.HD\Shell\Open3\Command] >> %temporaryFileName%
ECHO @="CMD /S /C  \"\"%batchFileName%\" dismount \"%%1\"\"" >> %temporaryFileName%
ECHO. >> %temporaryFileName%
ECHO [HKEY_CLASSES_ROOT\Windows.VirtualPC.HD\Shell\Open] >> %temporaryFileName%
ECHO @="Mount &VHD (Read Only)" >> %temporaryFileName%
ECHO. >> %temporaryFileName%
ECHO [HKEY_CLASSES_ROOT\Windows.VirtualPC.HD\Shell\Open\Command] >> %temporaryFileName%
ECHO @="CMD /S /C  \"\"%batchFileName%\" readOnlyMount \"%%1\"\"" >> %temporaryFileName%
ECHO. >> %temporaryFileName%
ECHO [HKEY_CLASSES_ROOT\Windows.VirtualPC.HD\Shell\Open4] >> %temporaryFileName%
ECHO @="Com&pact VHD" >> %temporaryFileName%
ECHO. >> %temporaryFileName%
ECHO [HKEY_CLASSES_ROOT\Windows.VirtualPC.HD\Shell\Open4\Command] >> %temporaryFileName%
ECHO @="CMD /S /C  \"\"%batchFileName%\" compact \"%%1\"\"" >> %temporaryFileName%
 
regedit /s %temporaryFileName%
 
del %temporaryFileName%
 
ECHO.
ECHO Windows VHD integration installed.  
ECHO Run "%~f0 uninstall" to uninstall windows VHD integration if desired.
ECHO.
 
GOTO:EOF
 
REM - Remove registry keys
:uninstall
 
SET temporaryFileName=%temporaryFileName:txt=reg%
 
SET batchFileName=%~f0
SET batchFileName=%batchFileName:\=\\%
 
ECHO Windows Registry Editor Version 5.00 > %temporaryFileName%
ECHO. >> %temporaryFileName%
ECHO [-HKEY_CLASSES_ROOT\Windows.VirtualPC.HD\Shell] >> %temporaryFileName%
ECHO [-HKEY_CLASSES_ROOT\Windows.VirtualPC.HD\Shell\Open] >> %temporaryFileName%
ECHO [-HKEY_CLASSES_ROOT\Windows.VirtualPC.HD\Shell\Open\Command] >> %temporaryFileName%
ECHO [-HKEY_CLASSES_ROOT\Windows.VirtualPC.HD\Shell\Open2] >> %temporaryFileName%
ECHO [-HKEY_CLASSES_ROOT\Windows.VirtualPC.HD\Shell\Open2\Command] >> %temporaryFileName%
ECHO [-HKEY_CLASSES_ROOT\Windows.VirtualPC.HD\Shell\Open3] >> %temporaryFileName%
ECHO [-HKEY_CLASSES_ROOT\Windows.VirtualPC.HD\Shell\Open3\Command] >> %temporaryFileName%
ECHO [-HKEY_CLASSES_ROOT\Windows.VirtualPC.HD\Shell\Open4] >> %temporaryFileName%
ECHO [-HKEY_CLASSES_ROOT\Windows.VirtualPC.HD\Shell\Open4\Command] >> %temporaryFileName%
 
regedit /s %temporaryFileName%
 
del %temporaryFileName%
 
ECHO.
ECHO Windows VHD integration uninstalled.  
ECHO Run "%~f0 install" to install windows VHD integration if desired.
ECHO.
 
GOTO:EOF
 
REM - Helpful error message
:error
ECHO.
ECHO VHD Batch file.
ECHO.
ECHO Usage:
ECHO.
ECHO %~n0 install
ECHO.
ECHO This command will allow you to right click on a virtual hard disk
ECHO and select an action to perform without manually running this
ECHO batch file.  Make sure you do not move or delete the batch file
ECHO after running this command without first running "uninstall".
ECHO.
ECHO %~n0 uninstall
ECHO.
ECHO Removes all information from the system about this batch file.
ECHO.
ECHO %~n0 mount "full path and name for a virtual hard disk"
ECHO.
ECHO will use DISKPART to mount the virtual hard disk specified. Note
ECHO that you need to provide the full path and name for the virtual
ECHO hard disk, and that you should not mount a virtual hard disk that
ECHO has differencing disks, undo disks or snapshot files associated
ECHO with it.
ECHO.
ECHO %~n0 readOnlyMount "full path and name for a virtual hard disk"
ECHO.
ECHO will use DISKPART to mount the virtual hard disk specified. In
ECHO read only mode.  This is always safe to do. Note that you need to 
ECHO provide the full path and name for the virtual hard disk.
ECHO.
ECHO %~n0 dismount "full path and name for a virtual hard disk"
ECHO.
ECHO will use DISKPART to dismount the virtual hard disk specified. Note
ECHO that you need to provide the full path and name for the virtual
ECHO hard disk.
ECHO.
ECHO %~n0 compact "full path and name for a virtual hard disk"
ECHO.
ECHO will use DISKPART to compact the virtual hard disk specified. Note
ECHO that you need to provide the full path and name for the virtual
ECHO hard disk, and that you should not compact a virtual hard disk that
ECHO has differencing disks, undo disks or snapshot files associated
ECHO with it.  You should also not compact a virtual hard disk that is
ECHO currently mounted.

If you put this text into a .CMD file (or download the attached file on this blog) and place it wherever you want to keep it – you can do one of two things:

  • Use it as a convenient command line tool for mounting and dismounting virtual hard disks
  • Run it with the “install” parameter – in which case it will add registry entries to your system that allow you to double click on a virtual hard disk to have it mount (in read only mode) or right click on a virtual hard disk to get options to mount, dismount or compact a virtual hard disk

So what is it doing under the covers?  For the disk related operations this batch file builds a DISKPART script file on the fly and feeds it into DISKPART.  For installing and uninstalling it adds and removes appropriate registry keys.

After a bit of testing I can confirm that this works on Windows 7 and Windows 2008 R2, 32-bit and 64-bit, with and without Windows Virtual PC and Hyper-V and is fully compatible with UAC.

Have fun!

Cheers,
Ben

Welcome to blog week!

While this will not surprise my regular readers – some of you will be interested to know that blogging is usually only a very small fraction of my job.  My official title is “Program Manager Lead” which means that my responsibilities roughly break down into the following buckets:

  • Getting to know our customers and competitors really well
    • This involves meeting with customers regularly, doing phone calls, attending trade shows, hanging out on forums, doing online chats, reading blogs, etc…
  • Making sure we are actually building software that works for our customers / is competitive
    • Here I am writing documentation, reviewing and triaging bugs, and spending time meeting with developers and testers on the team.
  • Ensuring that we actually get the software shipped at the end of the day
    • Lots of status meetings and paper work to make sure that everything comes together at the end of the day.
  • Managing my team of program managers
    • As a lead I manage a number of other program managers, and need to work with them to ensure that they have everything that they need to do their jobs.

As you can see – that is a lot of “non-blogging work”.  The truth is that I started out blogging mainly as a way to ensure that I used my own software on a regular basis – but it has come to be something that I really enjoy doing.  Most of my blogging is actually done after hours (and often on a Sunday afternoon).  The average blog post takes ~1 hour to write (I have a strict policy of only blogging about things that I have personally done, so that I know that there will not be errors in my information) and I aim to have 5 blogs each week (though I often fall short of this goal).

One of the interesting side effects of blogging, for me, has been that it has helped with getting to know my customers.  These days I get so much feedback from you all that there is no way for me to keep up with responses.  So while I apologize to everyone who has emailed me through the blog, and has not heard back – know that I do read every email, and I respond when I can.  All of this information gives me a very good indication of what is going on out there.

With all of that aside – back to the topic at hand “Welcome to blog week!”

Thanks to a combination of having just got back from TechEd China (lots of fun – but now I am quite jetlagged) and being without an office (due to my current office being moved to a new building) I have arranged to cancel most of my meetings / responsibilities for this week – and just focus on the blog.  I have a number of activities planned for this week.  In no particular order they include:

  • Scrubbing old blog posts
    • At the moment I have 877 blog posts made over the last 4 years.  During this time I have used different blog themes, and different blogging tools.  As such you can see stylistic and formatting differences over the years.  I would like to try and clean this up to make it consistent across all posts.
    • Is that URL link in a post from early 2006 still valid?  I have no idea – but I intend to find out.
  • Overhauling my tagging system
    • My current tagging system has grown organically – and it has some significant shortcomings.  The biggest one is that it does not differentiate between versions of products.  If you pull up a random post from my site about Virtual PC – it is hard to tell if I am talking about Virtual PC 2004, Virtual PC 2007 or Windows Virtual PC.  It is also hard to tell when I am talking about a beta release or an RTM release.  I really need to fix this.
  • Tweaking the overall style of the blog
    • I would like to refine the current theme a little (add a bit more definition).  I would also like to add a dedicated “Links / Resources” page.  There are some other miscellaneous changes I would like to make.
  • Getting back to unresolved comment threads
    • Yup, I suck.  There are many posts out there where people have asked questions – and I never got around to answering them.  I need to get back and make sure the answer is there so that new people to the site can benefit from knowing the right information.
  • Tackling some big posts
    • There are a number of blog ideas in my notebook that have been there too long – because they will require a couple of hours to research and write up.  Hopefully I can get some of these done this week.
  • Building up a queue of new posts
    • I have a holiday coming up (four weeks in Australia) and I have always dreamed of being able to go on a holiday like this, while having blogs regularly going live because I have been diligent and written them all up ahead of time.  This has never happened.  Maybe this will be my chance to change that.

Now I have some questions for you:

  • Are there any topics you really want to see me write about?
  • Is there anything you would like changed about my blog?
  • Should I open up old posts for comments?
    • At the moment comments are disabled on blog posts automatically after 60 days.  I can disable this – but the chances of me being able to reply to new comments will likely go down as a result.
  • Is there anything that you think I should be doing that is not on my list?

So as not to spam my own blog, I will be posting status updates on what I am working on to Twitter.

Cheers,
Ben

Restricting Shared Drives under Windows Virtual PC

When it comes to minimizing the potential for malicious software running in a virtual machine to affect your physical computer, there are two golden rules to follow:

  • Secure the virtual machine just like you would a physical computer.  This means installing antivirus / anti-malware software, configuring firewalls, regularly installing updates, etc…

  • Reduce the potential paths for the virtual machine to access your physical computer.

In the latter category there are three common paths:

  • Standard networking.  Here the risk is no greater (or lesser) than if you had a separate computer connected to the same network.

  • Clipboard sharing.  When integration components are enabled, any data that is put into the virtual machine's clipboard is automatically copied to the physical computer's clipboard (and vice versa).  The potential for risk here is relatively low – but if it is a concern for you – you can easily disable this feature under the virtual machine settings.

  • Shared Drives.  Shared drives allow the virtual machine to access the drives of the physical computer – without needing a network connection to be present.  This functionality is critical for most people who use Virtual PC – but it is also an obvious path for malicious software to get to data on the physical computer from inside the virtual machine.  As such I would like to spend some time talking about how to restrict this functionality appropriately.

The first thing to know is that you can configure drive sharing so that only specific drives are shared:

[Image: integration]

You should always make sure that this setting is configured appropriately for your environment. 

But what if you do not want to share an entire drive?  What if you just want to share a single folder?

Well, I have found a handy method to do just this.  It is a little cheesy, but it allows you to drastically reduce the surface area that is exposed.  Basically – what you need to do is to create the folder that you want to share, open a command prompt, and run the following command:

subst j: c:\MySharedFolder

This creates a “virtual” drive that points to the folder you created (in this case I am mapping “C:\MySharedFolder” to J: – but obviously you can use any drive letter or folder that you want to use).  You can then map this drive into the virtual machine:
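The subst step above, wrapped in a batch file with the checks worth making before the drive is shared. This is an added example, not code from the original post; the file name and the drive-root and link checks are this example's own choices. A junction or symbolic link inside the folder is followed on the host, so its target would be reachable through the mapped drive as well.

```batch
@ECHO OFF
SETLOCAL
REM Added example, not part of the original post.
REM Usage (hypothetical file name): ShareFolder.cmd J: C:\MySharedFolder
REM Run it from a normal, non-elevated prompt in the logon session that runs
REM Windows Virtual PC: SUBST drive letters exist only in the logon session
REM that created them and are gone after logoff or reboot.

IF "%~2"=="" GOTO :usage
SET "driveLetter=%~1"
SET "sharedFolder=%~f2"

REM The first argument must look like a drive letter, for example J:
IF NOT "%driveLetter:~1%"==":" GOTO :usage

REM Mapping a drive root would expose the whole drive, which defeats the purpose
IF "%sharedFolder:~1%"==":\" (
    ECHO Refusing to map a drive root. Pick a dedicated folder instead.
    EXIT /B 1
)

REM SUBST rejects a trailing backslash on a folder path, so strip it
IF "%sharedFolder:~-1%"=="\" SET "sharedFolder=%sharedFolder:~0,-1%"

REM Do not take over a drive letter that is already in use
IF EXIST "%driveLetter%\" (
    ECHO %driveLetter% is already in use.
    EXIT /B 1
)

IF NOT EXIST "%sharedFolder%\" MKDIR "%sharedFolder%"

REM DIR /AL lists only reparse points (junctions and symbolic links).
REM Any output means the folder contains a link that leads somewhere else.
DIR /AL /S /B "%sharedFolder%" 2>NUL | FINDSTR "^" >NUL
IF NOT ERRORLEVEL 1 (
    ECHO Refusing to map "%sharedFolder%" because it contains links:
    DIR /AL /S /B "%sharedFolder%"
    EXIT /B 1
)

SUBST %driveLetter% "%sharedFolder%"
IF NOT EXIST "%driveLetter%\" (
    ECHO SUBST failed.
    EXIT /B 1
)

ECHO Current SUBST mappings:
SUBST
ECHO.
ECHO Now share only %driveLetter% in the virtual machine settings.
EXIT /B 0

:usage
ECHO Usage: %~n0 DriveLetter: FolderPath
ECHO Example: %~n0 J: C:\MySharedFolder
EXIT /B 1
```

Because the mapping does not survive a logoff or reboot, rerun the script before starting the virtual machine; `subst j: /d` removes the mapping when it is no longer needed.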

Cheers,
Ben

Virtual Machine Migration Test Wizard

A little while ago some members of the Hyper-V test team released a new tool on code.msdn.microsoft.com.  It is the Virtual Machine Migration Test Wizard:

http://code.msdn.microsoft.com/VMMTestWizard

In Windows Server 2008 R2 we introduced a new “Processor Compatibility” feature (as discussed here).  The primary purpose of this new tool is to allow you to determine if you need to enable this feature in your environment to be able to move virtual machines.

You can also use this tool to determine how physical computers should be grouped – if you want to avoid turning this feature on.

There is also a video available from the author of this tool – Dinesh – where he talks about how it works and demonstrates it running here.

Cheers,
Ben

Understanding (and troubleshooting) Auto-Publishing in Windows Virtual PC

One of the cool features of Windows Virtual PC is how applications that are installed into Windows XP, Windows Vista and Windows 7 virtual machines automatically appear in the start menu on the host operating system – and can be launched directly without first needing to open the virtual machine in question:

[Image: autopublish-startmenu]

These shortcuts get created through a process that we call Auto-Publishing.  What happens is that we monitor the guest operating system while it is running, and when we detect that a new application has been installed, we create a shortcut for the application in the host start menu.

Most of the time this “just works”.  When it does not work there are a couple of areas that you can look at:

  1. Does the guest operating system support auto-publishing?

    Auto-publishing is only supported for virtual machines running Windows XP SP3, Windows Vista SP1 (or later) or Windows 7.  Windows 7 virtual machines are ready to go when it comes to auto-publishing.  But Windows XP and Windows Vista virtual machines need to have an extra update installed in them in order for auto-publishing to work.  You can download the Windows XP update here and the Windows Vista update here.

    No matter which guest operating system you are running you will also need to ensure that the Windows Virtual PC Integration Components have been installed, and that integration features are enabled.

  2. Is auto-publishing enabled?

    Auto-publishing is enabled by default, but we allow you to turn it off if you want to.  It is always worth double-checking this option in the virtual machine settings, to make sure you have not disabled it accidentally:

    [Image: autopublish-XPModeSettings]

  3. Was a shortcut for the application created in the “All Users” start menu in the guest operating system?

    Windows Virtual PC detects that an application has been installed in the virtual machine by looking for shortcuts that have been created in the All Users start menu.  If the application installer did not create a shortcut in the start menu, or created one in the local user start menu, Windows Virtual PC will not auto-publish the application.  You can check this by looking in the All Users start menu in the guest operating system.  Here are the locations to check under each guest operating system:

    Windows XP: %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs
    Windows Vista: %SystemDrive%\ProgramData\Microsoft\Windows\Start Menu\Programs
    Windows 7: %SystemDrive%\ProgramData\Microsoft\Windows\Start Menu\Programs

    If you cannot find a shortcut in these locations – create one there and you should be good to go.

  4. Is the application being blocked by policy settings?

    In order to stop a blank Windows virtual machine from spamming your start menu with a bunch of shortcuts when you first bring it up – we block a bunch of applications by default.  The list of blocked applications is stored in the registry inside the virtual machine at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtual Machine\VPCVAppExcludeList.  You can go here to check to see if the application you are trying to get published is on this list:

    [Image: autopublish-registryEditor]

    If it is, you can delete the registry key for that application, and it should appear in the host start menu.

Cheers,
Ben

Installing Virtual CD Software in a Virtual Machine

Like many Hyper-V users, I have created ISO images of most of my CDs / DVDs (and in the case of my MSDN software – have downloaded in ISO format to begin with).  I then have these images stored on a file server.

It is possible to connect a CD ISO image on a file server to a Hyper-V virtual machine, as long as you are working in a domain environment and you are running the Hyper-V management user interface directly on the Hyper-V server.

If you run the Hyper-V management user interface on a remote computer, you will need to enable constrained delegation in order to use ISO images on a network share.  If you are running in a workgroup environment your only option is to enable anonymous access to the file share that holds your ISO images (obviously not a good idea from a security point of view).

Aside: The reason for these conditions is that Hyper-V requires the use of both your personal user credentials and the Hyper-V server's workstation credentials when connecting an ISO image to the virtual machine.

Your user credentials are used to verify that you personally have permission to use the ISO image in question.  The use of your user credentials is why constrained delegation needs to be enabled for remote management to work.

The Hyper-V server workstation credentials are used to ensure that we can start the virtual machine, and connect the ISO image to the virtual machine, even when you are not logged into the server (for example, if the server needs to be rebooted).  Unfortunately workstation credentials only work in domain environments – so workgroup environments need to enable anonymous access.

As I am using Windows Home Server for my file server – which does not support being joined to a domain – setting up a share with anonymous access was the only option for me.  But I found this idea so abhorrent that I would make local copies of ISO files as I needed them instead. 

Needless to say I was far from happy with this arrangement.

Furthermore, as I often use Remote Desktop to connect directly to the guest operating system in my virtual machines, I have found it irritating to need to switch back to the Hyper-V management user interface solely for the purpose of connecting a new ISO image.

Luckily I have found a simple and elegant solution to both of these problems.

What I have done is to install Virtual CD software inside each of my virtual machines.  This allows me to use ISO images that are stored on my Windows Home Server, and I can connect CD ISO images even when I am connected using Remote Desktop.  For my virtual machines I am using Alcohol 52%, but other programs to look at for this include Virtual CloneDrive and DAEMON Tools.

This solution will not work for installing operating systems (but these days I tend to use Windows Deployment Services for that – so that is not an issue for me) but it works for everything you could think of once the operating system is up and running.

Cheers,
Ben

Deploying Windows XP Mode

We have recently published a very handy video / guide / set of scripts to help anyone who needs to deploy either a standard or customized version of Windows XP Mode to a large number of virtual machines.

The first thing to look at is the deployment video – available here:

http://www.microsoft.com/downloads/details.aspx?FamilyID=f0ef9c63-2d2d-4f18-be39-57f8e794fe07

Then you can go and grab the associated white paper / scripts from here:

http://www.microsoft.com/downloads/details.aspx?FamilyID=9f142a1a-a7b7-4d0b-bd56-d9627f39c14f

This will give you the necessary tools to do such things as:

  • Automate installation of Windows XP Mode
  • Customize Windows XP Mode for your environment
  • Build your own template Windows XP virtual machine for deployment in your own environment

Good stuff.

Cheers,
Ben

Setting up Hyper-V with a UPS

People have asked me how you go about setting up a UPS (Uninterruptible Power Supply) with Hyper-V.  This is much easier than it sounds.  The first thing to understand is that when you shut down the physical computer, the virtual machines will be automatically put into a saved state.  Virtual machines that were running when the server shuts down will be started automatically when the physical computer starts back up.

This all means that – for the most part – things “just work” when you connect a UPS and configure the management operating system like you would for a stand-alone computer.

Depending on your environment – there are some configuration changes that you may want to make:

  1. Changing the automatic stop action

    As I mentioned, Hyper-V will save the state of any running virtual machines when the physical computer shuts down.  Depending on how much memory is assigned to the virtual machine, and the software installed inside the virtual machine, you may prefer to have the virtual machine shut down instead.  I have gone with this option on my server at home:

    [Image: StopAction]

  2. Changing the automatic start action

    Only virtual machines that were running when the system was shut down will be started automatically.  If you are paranoid, like me, you can go in and configure essential virtual machines to always start automatically – even if they were not running when the physical system was shut down:

    [Image: StartAction]

    You can also configure start up delays, to ensure that more important virtual machines are started first.

  3. Setting aside enough time for system shut down

    This one is critical.  It can take a while for Hyper-V to shut down as we are trying to save state / shut down a bunch of virtual machines.  For this reason you need to ensure that your system starts shutting down with enough battery life left in order to make it through the whole shut down process.

My personal UPS story:

You would not believe it, but living in north Redmond the power quality around here is lousy.  I often get strange power surges / flickers – and have to deal with half a dozen black-outs of one hour or more each year.  Needless to say I have lost a bunch of hardware over the years as a result of this.

A while ago I went out and bought a nice beefy UPS to protect my Hyper-V server and all of my networking gear.  To start with I just hooked up the power and confirmed that I could run for about 30 minutes before running out of power.  I connected the USB monitoring cable, but did not set up any monitoring software, for a couple of reasons:

  1. I got an APC UPS.  I love these guys for their hardware – I hate them for their software.  For that matter, I do not know of any UPS provider where I would be happy to install their monitoring software on my servers.
  2. I am lazy.

Recently, when I was performing some hardware maintenance on my Hyper-V server I decided to go and have a look in the device manager to see what Windows thought about my UPS.  Much to my surprise I saw that Windows had detected the presence of a UPS battery with no intervention from me:

[Image: device manager]

Once I noticed this I decided to have a look around – and I discovered that Windows had enabled standard power support – and was acting like my server was essentially a really big clunky laptop.  I had a battery icon in the task bar that accurately reflected the amount of charge in my battery, and when I disconnected power from the UPS – Windows immediately knew about it.

Next I opened the power policy settings and configured my system to get a low battery alert when the battery was at 75% charged, and to shut down when the battery reached 50% charged:

[Image: power plan]

I have since tested this – and everything works perfectly – all with no need for anything other than the “in-box” capabilities of Windows Server 2008 R2.  Neat!

Cheers,
Ben

Hotfix needed to move R2 differencing disk to Windows Server 2008

A virtualization MVP recently brought this to my attention:

In Windows Server 2008 R2 there was a minor change to the format of differencing virtual hard disks.  As a result you will need to apply an update to Windows Server 2008 if you want to move differencing disks from Windows Server 2008 R2 to Windows Server 2008.

You can download this update from here:

http://support.microsoft.com/kb/971677

Note that this applies to Windows Server 2008 and Windows Server 2008 SP2 (not to Windows Server 2008 R2).  If you do not have this update installed and you try to use a differencing disk created with Windows Server 2008 R2 you will receive an error message that states that the virtual hard disk is corrupted or unreadable.

Cheers,
Ben

Hyper-V Hotfix for "0x00000101 - CLOCK_WATCHDOG_TIMEOUT" on Nehalem systems

We have just released a new hotfix for Windows Server 2008 R2 that addresses an issue where users were getting a bluescreen of death on Intel Xeon 5500 series processor-based computers with the following text:

0x00000101 (parameter1, 0000000000000000, parameter3, 000000000000000c)
CLOCK_WATCHDOG_TIMEOUT

You can download the hotfix from here: http://support.microsoft.com/kb/975530

For the curious, this issue is actually caused by a bug (or in Intel terms “erratum”) that causes these processors to generate spurious interrupts.  You can read about this in the latest Intel documentation for this processor series: http://www.intel.com/assets/pdf/specupdate/321324.pdf

Cheers,
Ben

Why is F12 not working with my virtual machine?!?!

Here is a problem that I hear about at least 2 or 3 times a month:

Someone is trying to do a network installation of an operating system using either Hyper-V or Virtual PC, they set up the virtual machine appropriately, but when they try to press “F12” to initiate network installation – nothing happens.

Every time I get asked about this – the answer is simple:

If your keyboard has a “Function Lock”, “F Lock” or “Fn” key – make sure it is pressed prior to trying to use the F12 key.

Cheers,
Ben

Hyper-V Management + Delegated Administration + SCVMM

A while ago I blogged about how to allow non-administrators to control Hyper-V.  You do this by editing the Hyper-V authorization store.  What I failed to mention at that time was that this method does not work if you are using SCVMM to manage your Hyper-V servers.

When you start using SCVMM to manage a Hyper-V server, SCVMM creates its own authorization store to be used by Hyper-V.  As long as you only use SCVMM to manage your environment – this is fine.  But if you want to continue to use the Hyper-V management tools, and want to allow a non-administrator to control Hyper-V – you can do this.

All you need to do is follow the directions in my original post – but instead of editing “\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml” on the system partition, edit “\ProgramData\Microsoft\Virtual Machine Manager\HyperVAuthStore.xml” on the system partition.

Then everything will work correctly.

Cheers,
Ben
