Thursday, October 14, 2004

October Security Bulletins available for XPE

The October set of Windows XP Pro security bulletins is out for XPE, and has been posted to the OEM Secure Site for use by XPE customers.  What's posted are the updates to the runtime for use with the (inaccurately named) Desktop QFE Installer tool.  Look for the database updates toward the end of next week on the OEM Secure Site and the Download Center.  We do the desktop updates first for two reasons:

  1. Devices deployed in the field are much more susceptible to attack than devices that have not yet been built.
  2. There were six security updates this month that affect XPE.  When we componentized them, we had three database updates due to component overlap.  That means nine separate releases in two locations - quite frankly, that was too much for us to handle, so we prioritized the desktop releases per reason #1 above.

Issue

One thing to note is that we had a bit of a problem with the package installer - again.  Now, before you start hurling tomatoes or other sharp pointy things at my head, this one is easy to work around, and we're working with the team that owns the installer to make sure this is the only month this happens (actually, I'd like to give them some credit - once we found the problem, they found the solution in a few hours, and we weren't delayed in releasing anything).

In short, you need to add a dummy.cat file to your runtime before you execute the update on the runtime.  Details are on the download pages for the desktop updates, and are repeated here for completeness.  Follow these steps to get any of these six updates to run on your device:

  1. Create the following folder on the device:
    \Windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}
  2. Create a file in this folder called dummy.cat. The contents and size of the file are not important. The following command line can be used to create this file:
    copy con dummy.cat
    CTL-Z<ret>

  3. Execute the update package

You can create a zero-length dummy.cat and copy it over as part of a DUA script or SMS script as well - you just need to have the file in the folder specified before running the update on the runtime.  And have the DQI installed, but that's another story...
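The three steps above as one batch file, the kind of thing you could drop into a DUA or SMS script.  This is an added example, not the script from the download pages; the script name and the convention of passing the update package as the first argument are assumptions, and %SystemRoot% is assumed to resolve to the runtime's \Windows folder.

```bat
@echo off
rem Added example, not from the update download pages.
rem Usage: stage_dummycat.cmd update-package   (script name is hypothetical)
setlocal

rem Folder from step 1 of the workaround.
set "CATDIR=%SystemRoot%\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}"

if "%~1"=="" goto :usage
if not exist "%~1" goto :nopackage

rem Step 1: create the catalog folder if the runtime does not have it.
if not exist "%CATDIR%" mkdir "%CATDIR%"
if not exist "%CATDIR%" goto :nofolder

rem Step 2: create a zero-length dummy.cat; an existing file is left alone.
if not exist "%CATDIR%\dummy.cat" type nul > "%CATDIR%\dummy.cat"
if not exist "%CATDIR%\dummy.cat" goto :nofile

rem Step 3: run the update package and hand its exit code back to the caller.
"%~1"
exit /b %errorlevel%

:usage
echo Usage: %~nx0 update-package
exit /b 2

:nopackage
echo Update package not found: %~1
exit /b 2

:nofolder
echo Could not create %CATDIR%
exit /b 1

:nofile
echo Could not create dummy.cat in %CATDIR%
exit /b 1
```

The script stops before launching the update if the folder or the file could not be created, so a failed pre-stage never turns into a failed security update that looks like an installer problem.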

Friday, October 08, 2004

DirectX 9.0c for XPE now available

Check out the Embedded Download web page, and you'll see a new feature listed at the top - DirectX 9.0c for XPE.  This has been a long time coming, and we're happy to finally have it done (well, almost done - it's still being released to the OEM Secure Site, but that should happen Monday).

Tuesday, October 05, 2004

Windows XP Embedded Service Pack 2 Tech Preview

You may have already heard about this, but if you head over to the download center, you can get the Tech Preview version of XPE SP2.  This is the RC version - the final version should be available fairly soon.

You can read more about the tech preview on MSN Money as well.

Monday, October 04, 2004

Friday, September 17, 2004

Robothon - SRS Mini Challenge

Here's a cool website for Robothon - SRS Mini Challenge, a robotics challenge.  One of our internal partners has built a robot based on XPE for this - here are the details he's given me (with personally identifying info removed, of course):

It's built around a Via EPIA 5000 motherboard running XP Embedded with .NET Framework 2.0 Beta 1 off a Compact Flash card.  It can be remote controlled over 802.11b as well as running .NET applications locally.

Its I/O device is an Acroname Brainstem (5 A/D ports, 5 Digital I/O ports, 4 PWM ports, 2 I2C ports).  Its sensors include GPS with WAAS & Logitech QuickCam for image processing.  I'll be adding additional sensors such as a digital compass, MEMS accelerometer, MEMS gyroscope, temperature sensor, and Sharp IR object detectors.  Unfortunately time is short (1 week left) before the Seattle Robotics Society contest, so I'm not sure how many of these other sensors I'll get integrated before the contest.

As soon as I get more info, I'll pass it along...

Thursday, September 16, 2004

Sean Liming starts XP Embedded Center

Sean Liming, author of the books "Windows XP Embedded Advanced" and "Windows NT Embedded Step-By-Step" has opened the XP Embedded Center, a new web site around XPE.  If you have need of an experienced consultant with tons of embedded experience, drop by Sean's site and see what he can do for you.

Monday, September 13, 2004

Sygate press release

From Sygate:

Sygate Technologies introduced today version 4.0 of Sygate Security Agent for Windows XP Embedded, expanding its market leadership position by offering the most advanced security solution for Microsoft Windows XP Embedded devices. In addition to enhanced virus protection and anti-application hijacking, other key enhancements increase performance and manageability of the solution. These include a dramatically reduced, single-agent footprint, seamless integration with Microsoft’s Target Designer and the availability of a run-time version of the agent. Sygate Security Agent 4.0 for Windows XP Embedded is the second in a series of releases that began in May. Sygate will continue to roll out new releases in an aggressive strategy to protect solutions built on Windows XP Embedded. Sygate Security Agent 4.0 for Windows XP Embedded will be available to OEM vendors, financial institutions, major retailers and other end-user customers deploying Windows XP Embedded devices, by September 30, 2004.

Read the whole thing here.

Tuesday, September 07, 2004

WE-DIG Inaugural Meeting Summary

The first meeting of the Windows Embedded Developer's Interest Group (WE-DIG) was last Wednesday evening.  I would have posted a summary sooner, but shortly after the meeting, I was on vacation...

Anyway, the first meeting was focussed on Windows CE 5.0 - not exactly prime subject material for this blog.   We had Mark Miller (CE Architect) and Chip Schnarel (CE Group Program Manager) available for a Q&A session at the start of the meeting.  They were able to answer a lot of questions from the floor as well as some scripted interview questions.

The second half of the meeting was broken into a few sections.  First, we had some show and tell of some cool embedded devices (all CE based, I'm afraid), and some cool tools from Entrek.  We also had an open Q&A session where people brought up problems that had been plaguing them and we brainstormed some possible solutions.

At the very end (and here's the reason to show up if you're in Seattle) we had a drawing for some cool prizes.  The featured giveaways here were an HP 2210 iPaq and a Motorola 220 Smartphone, but there were t-shirts, hats, and some books being given away as well.  The meeting ran long, but there was pizza half way through, so it wasn't too bad.

Next month's focus is on XPE, and if you're in Seattle, stop by - we'll be talking about XPE SP2, showing off some demos and hopefully making announcements about availability (hopefully).

Wednesday, September 01, 2004

Some info on SDI and Remote Boot

I've been doing some work for a customer or two involving Remote Boot Services (RBS) and SDI, and have found a few things of interest.

First, SDIMGR.WSF does run under XPE runtimes.  As with most everything XPE-related, however, there are a few caveats:

  • You need to add SDIMGR.WSF and SDIAUT.DLL to the runtime (either manually or in a custom component you create - we don't have an SDI component).
  • You need to register SDIAUT.DLL before proceeding (manually on the runtime using regsvr32, or as an FBA resource in a custom component).
  • The runtime has to have the Windows Script Engines component in it (this is a "duh" info point).
  • The runtime has to have the Primitive: Mlang component in it (this was new, and has been bugged).

Second, you can use RBS and SDIMGR.WSF as a deployment mechanism.  Basically, this involves remote booting your device with the media you intend to ship in the device (use the workaround posted earlier), then using SDIMGR.WSF to write the image you wish to ship onto that media.  Note that this means you need two SDI images - one to Remote Boot from, and one to write to the underlying media.  There are some things to be careful of:

  • If you use /WRITEDISK, the size of the disk you created the deployment image from will be reflected on the shipping media.  For example, if you created the SDI from a 128Mb flash drive using /READDISK, you will have a 128Mb partition on whatever flash you deploy to, even if it's much larger.  The rest of the space will be unused.
  • If you use /WRITEPART to overwrite an existing partition, there will be a disconnect between the partition table and the BIOS parameter block (BPB).  Because /WRITEPART doesn't overwrite the partition table, it will still have the original partition size, but the BPB will have the partition size from the SDI file.  Using the above example, if you use /READPART to create a 192Mb SDI, then use /WRITEPART to write it over an existing 256Mb partition, you should still have a 256Mb partition when you're done.  This doesn't seem to affect the runtime, although CHKDSK may complain about it.  To be honest, I haven't tested it yet.

That's about it, although there is one benefit that is strictly personal.  By engaging in these recent RBS issues, I reconfigured the test machines in my office a little - I now have a private network with a Win2K3 server acting as my remote boot server, one machine acting as a gateway straddling the private and corporate networks, and have trashed an older test machine and replaced it with a better one from the lab (actually, it's an XBox Development Kit machine).  In short, I'm in a much better testing position than I was a month ago, and even have a private network to play around with - no more explaining to our IT department why I need a rogue DHCP server on the corporate net!

Friday, August 27, 2004

Building Serviceable Devices

There's a new whitepaper on MSDN that I've authored called Building Serviceable Devices.  It's been in the works for a while - I wrote the bulk of it a few months back, but then ran out of bandwidth with all the XPE SP2 work I was doing.  By the time someone got traction on it, it was July.

Anyway, the paper is there and covers some high level topics on how to think about servicing XPE devices.  There are links to key Windows technologies that can help, and there's talk that a more in depth paper is coming as well - more on that as it happens.

Let me know if anyone reads the whitepaper (or this blog for that matter).

Tuesday, August 24, 2004

Remote Boot deployment issues

I've been working on an issue for two different customers who are trying to use Remote Boot Server (RBS) as a deployment tool.  The scenario goes like this - build a remote boot image, boot a device using that RBS image, then copy a different image from your network to the underlying media on the device.  The steps for building the RBS SDI include booting the device through FBA, then cloning the image using FBReseal.  After the cloning, you build an SDI from that golden master image to capture the image ready for remote booting.

The problem occurs when the media you built the RBS SDI on differs from the underlying media now in the machine.  For example, if you built the RBS SDI on a 256 Mb flash card, but the device you're booting now has a 128Mb flash card, you cannot see or access the 128Mb flash.  This is a known issue for us - we have a bug on it.

The good news is there is a workaround for this issue (which is 99% of the way to resolving the issue for one customer).  Creating the RBS SDI is a two step process - copy the golden master image to a partition in an SDI file, then read that partition into a second SDI file that becomes the remote boot image.  Before you create that final SDI, but after the image has been cloned, you need to delete the following registry key:

HKLM\SYSTEM\ControlSet001\Control\CriticalDeviceDatabase\gendisk

This key is created during FBA and is tied to the underlying media.  If the media changes between the time of cloning and the time of booting, that connection is lost and you can't see the media anymore.  With this registry key removed, PnP will detect the underlying media, recreate the key, and make the link between the two.  Voilà!  Now you can see the underlying media (usually as drive D:, since the RAM disk is drive C:).
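One way to delete that key from the cloned image without booting it, as an added example (not a Microsoft-supplied script).  It assumes the partition holding the cloned image is visible as a drive letter on your development machine, that the image uses a \Windows folder, and that the temporary hive name XPE_OFFLINE is free; the script name is hypothetical.

```bat
@echo off
rem Added example: remove the gendisk key from an offline XPE image.
rem Usage: remove_gendisk.cmd X:   (X: = drive letter of the cloned image, assumed)
setlocal

set "HIVE=%~1\Windows\system32\config\system"
rem Temporary mount point for the offline SYSTEM hive (name is arbitrary).
set "MOUNT=HKLM\XPE_OFFLINE"
set "KEY=%MOUNT%\ControlSet001\Control\CriticalDeviceDatabase\gendisk"
set "RC=0"

if "%~1"=="" goto :usage
if not exist "%HIVE%" goto :nohive

rem Load the image's SYSTEM hive under a scratch key on this machine.
reg load "%MOUNT%" "%HIVE%"
if errorlevel 1 goto :loadfailed

rem Delete the key only if FBA actually created it in this image.
reg query "%KEY%" >nul 2>&1
if errorlevel 1 goto :absent
reg delete "%KEY%" /f
if errorlevel 1 set "RC=1"
goto :unload

:absent
echo gendisk key not present in this image - nothing to delete.

:unload
rem Always unload, so the change is flushed to the hive file on the image.
reg unload "%MOUNT%"
if errorlevel 1 set "RC=1"
exit /b %RC%

:usage
echo Usage: %~nx0 drive-letter-of-image
exit /b 2

:nohive
echo SYSTEM hive not found: %HIVE%
exit /b 2

:loadfailed
echo Could not load %HIVE% - is the image in use or read-only?
exit /b 1
```

Run it after FBReseal has cloned the image and before you read the partition into the final remote boot SDI.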

No need to thank me - that's what I'm here for.  Well, that and the free soda...

Thursday, August 05, 2004

Inaugural WE-DIG meeting date set

I just joined the Windows Embedded Developer Interest Group (WE-DIG), based here in Seattle for now.  It's a group of embedded developers who use Microsoft technology - that includes Windows CE, Mobile, and of course, XPE.  Our first meeting is set for September 1, 6:30pm-9:00pm, on Microsoft campus - if you find yourself in Seattle around that time, drop me an e-mail and I'll give you directions and make sure you can get in.  The meetings are open to all embedded developers, not just MS employees - in fact, the group was spearheaded and is being led by Paul Yao, an eMVP who focuses on CE development.

I'd also encourage everyone, even if you can't get to Seattle for the meetings (first Wednesday of every month, same time), to go to the WE-DIG web site and sign up.  We've got plans for original content, a wiki for everyone to contribute to, and regular news items.  Everything's RSS enabled as well, so once you've signed up, you can keep up to date in your favorite RSS reader.

There are plans to expand WE-DIG to other cities - we've got some people interested in setting it up in other locations as we speak (or as we type and read, whatever).  We want to see how this works in Seattle right now, then we franchise.

Friday, July 16, 2004

NIST document on securing Windows XP

Last week, I found an interesting document from the NIST (National Institute of Standards and Technology) titled Guidance for Securing Microsoft Windows XP for IT Professionals: A NIST Configuration Checklist (PDF version).  It's an interesting read - they cover a lot of ground, and it is aimed at XP Pro boxes used in business environments (they do cover small home-based business PC's as well as large enterprise installations, so it's fairly wide ranging).

A while ago, I remember working on a document that gave XPE specific commentary on some whitepapers that covered XP Pro.  The whitepapers came from MS, and the document I provided was fairly light - it said, here's the doc on XP Pro, and here's how this works on XPE (unfortunately, the doc isn't on our web site, but there is a collection of security documents available).  So in that spirit, I want to write a similar XPE based document that covers some of the NIST recommendations.  I'll be pitching the doc to the team later this month, but I wanted to list some of my thoughts here.

First, the document covers XP Pro SP1, and doesn't cover SP2 security features in the main document (it does cover them in Appendix B, but covers the Beta version).

Second, since the NIST doc is aimed at IT pros managing XP Pro systems in an enterprise environment, some of the security recommendations won't fly depending on your device environment.  Stuff like Active Directory, group policies, automatic updates, and account policies are a "use 'em if you got 'em" proposition for most embedded developers.

Third, because the doc is aimed at securing Pro devices, most of the recommendations cover how to change settings in the UI.  One of the challenges I'm going to have is mapping the UI they provide to component settings or registry keys you can tweak.

Lastly, the document is very complete - it's 147 pages of tight text and specific recommendations.  While I'm not a fan of government documents in general, this one is fairly well done - I don't think it would be much lighter had it come as a single document from us.

I like this document - it covers a lot of ground, doesn't waste a lot of time, and brings together a bunch of key security concepts along with some practical advice as well as samples.  If you haven't read it yet, get it and read it.  And if you have to print it, go with double-sided four pages per sheet - it is long.

Tuesday, July 13, 2004

Brad Coombs webcast on Wednesday

July 14, 11:00am PDT, you'll want to go to the MSDN Webcast site for a webcast by Embedded MVP Brad Coombs (host and owner of XPE Files) for a talk on Windows XP Embedded.  I'll be there listening to him, and you should be too, especially if you're not quite sure if XPE is right for you.

Testing BlogJet

I have installed an interesting application - BlogJet. It's a cool Windows client for my blog tool (as well as for other tools). Get your copy here: http://blogjet.com

"Computers are useless. They can only give you answers." -- Pablo Picasso

Thursday, July 01, 2004

Goodbye to Devcon

Well Devcon is almost over - it's the last day of the conference, and not much is happening. I was able to review my speaker stats for the two labs and the session I gave - not bad, all around a 7 out of 9 rating. The docs for these labs and sessions will be available at some point in the future - as soon as I know where they are, I'll let everyone know.

All in all, it was a good show. I was pleased that my labs and sessions went well. I was even more pleased when I winged in an addition to the SP2 lab, adding a Bluetooth demo to the lab on the fly - it worked flawlessly. I like Bluetooth, and will be buying myself some Bluetooth HID devices in the near future (soon as I can find a BT Natural keyboard).

I was able to attend a couple of other labs and sessions as well - Joe Morris' lab on patch management went over well, and Sean Liming's labs drew big crowds and delivered. We went to dinner last night and by the time we got back to the hotel, the big Beach Bash party was already over (well, not over, but they were closing the bar, so it was coughing up blood). We headed back to the Gaslight district and hit a dance bar, but I called it an early night - I'm way too old to be dancing like that. I'll try to post some pics of the conference and San Diego over the weekend - got some pics of the MS crew here, as well as some of our MVP's (Mr. Vorchak looks a lot scarier in person than he does in the pictures...)

Monday, June 28, 2004

I mentioned in an earlier blog about getting more memory for my laptop in order to run Virtual PC. Well, it works well - my laptop is still responsive even running an XPE image in VPC. Problem is, when the VPC is backgrounded, its responsiveness is roughly analogous to the reflexes of a frozen bag of 12-count shrimp. The solution? Keep the VPC in the foreground. It won't ever be as responsive as a real machine, but foregrounding it means it'll respond more like an iguana next to an air conditioner.

And I've heard from John Vorchak that Fedora Core 2 will run in a VPC - I'll have to try that later...

OK, Devcon is here. I'm in the speaker room sitting next to John Vorchak, typing in my blog and reading some news articles. I need to track down Mike Hall so I can make sure my labs are correctly setup for tomorrow, and I need to make sure the whole thing runs smoothly, but other than that, today is an easy day. Of course, it's still early, plenty of time for the fickle finger of fate to induce some mental vomiting...

And with that bit of imagery, I bid you good morning!

Tuesday, June 22, 2004

Well, Devcon is coming up fast - I'm busy putting the finishing touches on the last lab I'm doing (a basic XPE lab) and wanted to make sure the readers here that are going to Devcon know this:

Go to the Devcon Attendees site, and print out the materials for the labs and sessions you want to attend.

I can't stress this enough - we'll have copies of the materials on hand, but from what I know, there won't be a big binder full of content handed out this year. I might be wrong, but if you print out your own copies, you'll be sure to have them. Plus, there are last minute changes going on all the time, so if you print them the day before you arrive, you're sure to have the latest content.

Plus it saves me spending all day Monday printing up the latest copies of the lab manuals.

Thursday, June 17, 2004

Not exactly XPE related, but cool anyway - atomic teleportation. Basically, NIST scientists have figured out how to transfer quantum properties from one atom to another with no movement involved. Reminiscent of quantum teleportation, but in this case the particles are bigger and the goal is more attainable - data transfer with computing applications.

My only problem is gonna be trying to figure out the front-side bus speed of gold connectors v. copper on my new Quantum 2010 motherboard... :-)

Atomic particles 'teleported' - News - ZDNet

Tuesday, June 15, 2004

You know, I need to be more diligent before posting to my blogs. I've got the Google toolbar on my machines, with a Blog This! button on them. I find a cool website, I click Blog This! and create the post.

Problem is I have two blogs - one for XPE, and the other a personal blog for political issues. If I'm not careful, I wind up posting political essays to this blog - not good juju.

If you catch one of these, ignore it - I try to keep them straight, but sometimes one slips through the cracks. When I do catch it (usually shortly after I've clicked "Post") I go in and move the post to the right place.

BTW, the time interval between when I click "Post" and I notice the blog setting is wrong is known officially as an "ignosecond".

Well, my memory arrived for my laptop today. Got an e-mail from our Admin Assistant saying "Come and get it!" When I got to her office, she wasn't there, the door was locked, and my memory, wrapped in pink bubble-wrap, tempted me from forty-eight inches away. OK, so four of those inches were solid oak door, but still, it's agonizing.

In any case, I've got a machine that runs VPC, so I'm working my labs on it. Once I get my laptop up to snuff, the files get moved over and I'm ready to roll.

Monday, June 14, 2004

Not exactly technically related, but good to know - mainstream media is now learning about blogs, blogging, and bloggers.

TIME.com: Meet Joe Blog -- Jun. 21, 2004

Thursday, June 10, 2004

If you caught the last post, sorry. I have a politically oriented blog as well, and posted an entry to the wrong place.

Wednesday, June 09, 2004

Just a quick update today. Been working on a spec for a really cool tool. I wish I could say more about it, but it's still in the planning/review stage. Once it's something more than vaporware, I'll make a small announcement.

Also been working to make sure the Devcon XPE SP2 CD's are good to go.

We had a meeting today on the lab machines we're gonna use at Devcon. Mike Hall is setting everything up for us and gave us the skinny - they're smokin' 2GHz machines with 1+Gb memory, and we'll be using Virtual PC to run our images in. This is causing some wringing of hands for people who count on EWF to work (I don't personally know if EWF will work in VPC), and I'm concerned about Bluetooth working in a VPC as well. To make things easier, I'm gonna implement VPC on my laptop, but I need to upgrade it - VPC loves memory, so I'm gonna upgrade my laptop from 512Mb to 1+Gb to accommodate it.

On a personal note, I'm getting some CD's from the local library - Aaron Copland's Rodeo Ballet overture. You've heard the key theme before - it's the background music to the "Beef - It's What's for Dinner" commercials. Now you know.

Tuesday, June 08, 2004

I thought, coming in today, I'd be able to handle a newsgroup issue about old QFE's not having additional info docs in them - easy breezy day, run down some info, fill in some doc forms, piece of cake. I had left early Monday evening to catch game 7 of the Stanley Cup Finals (Calgary should have won it Saturday night, but it was entertaining, at least), so there was some late mail waiting for me when I hit the door. Knew I should have called in sick...

OK, here's the scoop on part of XPE SP2 - the install is handled by our XPE QFE installer. We're not delivering a completely new database this time - we're delivering a database update, so you don't have to uninstall SP1 to get SP2. Now, the XPE QFE installer is just a small app that reads an INF, then imports some SLD's into the DB. In the case of SP2, it's about 200Mb of SLD files, but the principle is the same.

Now, we want you to be able to get back to SP1 without having to uninstall the whole thing, so we added this cool feature, where the installer would pop up a dialog before the install started telling you to backup your DB. We even wrote a doc on how to do it and put a link to it in the dialog. Cool so far - it had all been tested and has been working fine for two weeks now...

Last night, one of our guys took a look at the dialog I had designed (did I mention that the XPE QFE installer is my project?) and said, "That's crap". Unfortunately, he was right - it was crap. It looked like something from a Junior College VB class. It had to be redone, which meant talking with the dev and tester to get everything lined up again, then updating the design spec for the new stuff that needed to be there so the dialog looked OK. Minor panic attack first thing in the morning, but I'm tough, and I've got the meds to prove it.

There were also some questions about my uninstall doc (yes, we tell you how to uninstall SP2 from your DB too - calm down, not that tough). Seems someone in our "extended" family (i.e. someone who uses XPE but isn't on the XPE team) didn't read the instructions and assumed I had missed a step. I hadn't, and that problem went away quickly as well.

And then I had time to write the additional info docs...

Oh, and if you haven't heard, Devcon 2004 is scheduled for the end of June in sunny San Diego. Although I'd prefer to continue heading south to Tijuana, I'll be stopping in San Diego to talk, run a lab or two, meet and greet, and basically do what I'm paid to do - try to make XPE make sense to everyone.

We're giving out XPE SP2 CD's at Devcon - not Beta, but not RC either. Something in the middle with pop-ups that look like Junior College VB projects (RC and RTM will have the real installer).

Saturday, May 29, 2004

Hi all! Remember me? Been a while, but there's a good reason why... I'm not in charge of QFE's anymore. My colleague, Jay (you can meet him at Devcon in June) has taken over the XPE QFE efforts, and he's doing a great job at it. He's a new member of the Customer Strike Team - you may have heard him at one of our recent webcasts.

So what have I been doing instead of QFE's? I've been concentrating on XPE SP2, along with some new features that should ship after SP2 does. So instead of continuing this blog as a discussion of QFE's in XPE, I'll be renaming it to a general XPE talk.

If you come to Devcon, Jay will be talking about QFE architecture and some of the new stuff we're doing to help ease servicing of embedded devices. I'll be talking about some of the new features of SP2. Hope to see you there.

Tuesday, February 17, 2004

My friend Mike Hall (famous for his Windows CE insights) has a blog setup on MSDN. If you're not interested in reading my scant ravings on XPE, you might want to check out his slant on things new and exciting in the Windows CE space.

Mikehall's WebLog

Tuesday, January 06, 2004

OK, this isn't specific to QFE's in XPE, but it is a very cool device.

Cornice unveils tiny 2 gigabyte magnetic media "storage element"