Because 365 Days to XP EOS was SO YESTERDAY!

You probably saw it mentioned a million times yesterday. End of Support for Windows XP is April 8, 2014. Today, it’s probably old news. Or you’ve noted it and moved on. 

Well, unless you’ve moved to Windows 7 or Windows 8, you still need to pay attention – yesterday’s news or not.  Check out the Springboard Series Blog and Steven Rose’s post on the countdown to the end of XP Support.

And in case you missed them, here are a few other products with End of Support dates in the recent past or near future.

Server 2003 – 7/14/2015
SQL Server 2000 – 4/9/2013
Office 2003 – 4/8/2014

Exchange 2010 SP 1 – 1/8/2013
Office 2007 SP 2 – 1/8/2013


Microsoft End of Life Dates – Mark Your Calendars!

Where is 2012 going? It seems like just yesterday I filed away my planner for 2011 and cracked open that fresh page to January 2012. Now that we are racing towards Spring, you might want to highlight a few of these special dates for the future.

Here are some future “end of life” dates for some Microsoft products you might still have floating around on your network.  Some will be supported for several more years, but it never hurts to keep your eye on the horizon.

These dates are the end of support life for the product as a whole (no more extended support), so start thinking about your budget cycles and internal support needs for the next few years.

Windows XP – 4/8/2014
Server 2003 – 7/14/2015
Windows Vista – 4/11/2017

Exchange Server 2007 – 4/11/2017
SQL Server 2000 – 4/9/2013
SQL Server 2005 – 4/12/2016

Office 2003 – 4/8/2014
Office 2007 – 10/10/2017

These dates are for specific service packs for these products, so be sure to install the latest available service pack, if you haven’t already.

SQL Server 2005 SP 3 – 1/10/2012
Exchange 2010 SP 1 – 1/8/2013
Office 2007 SP 2 – 1/8/2013

For more information about other Microsoft Server products, check out the Lifecycle Info for Server Products list. – http://support.microsoft.com/gp/lifeSelectServ

** 11/21/14 Update **

For some current end of life dates – visit this post.  Interested in learning more about getting away from on-prem Exchange and Office?  Check out these courses from the Microsoft Virtual Academy –

SceCli Warning: Event 1202 on Windows XP

Here’s an error that was found on two of our workstations recently:

Event Type: Warning

Event Source: SceCli
Event Category: None
Event ID: 1202
Computer: COMPUTERNAME


Description:
Security policies were propagated with warning. 0x4b8 : An extended error has occurred.

For best results in resolving this event, log on with a non-administrative account and search http://support.microsoft.com for “Troubleshooting Event 1202’s”.


The warning was repeated several times a day and it looked like the machine might not be processing all our group policies correctly. A check in the “%windir%\security\logs\winlogon” log file repeatedly showed “Error 1208: An extended error has occurred. Error creating database.”

I did a little searching around on the web and suspected that the local security database, secedit.sdb was damaged.  There were a couple of KB articles that danced around what seemed to be going on (KB278316 and KB818464), but either the OS indicated wasn’t XP or I wasn’t seeing all the errors listed.  But they seemed promising, so I tried one on each workstation.

Option 1 – ESENTUTL /p


Run ESENTUTL to repair the database using the command line below.  Follow with the ever popular “gpupdate /force”.

esentutl /p %windir%\security\database\secedit.sdb

Later, I came across a mention in KB884018 that indicated using ESENTUTL /P on Windows XP could result in tattooing some previous GPO settings in the registry, but that wasn’t a big concern for me. We don’t often rely on GPOs to roll back to their previous settings if they are removed; we usually actively change each setting if we want to alter a GPO that was previously set. I’m not worried that I did anything that will affect our future policies; however, if you are skeptical, use the next option instead.

Option 2 – Rebuild the Security Database

  1. Open the %SystemRoot%\Security folder, create a new folder, and then name it “OldSecurity”.
  2. Move all of the files ending in .log from the %SystemRoot%\Security folder to the OldSecurity folder. (You may need to use SAFE MODE to copy all of these, however I just skipped the ones that I couldn’t copy.)
  3. Find the Secedit.sdb file in the %SystemRoot%\Security\Database folder, and then rename this file to “Secedit.old”.
  4. Click Start, click Run, type mmc, and then click OK.
  5. Click Console, click Add/Remove Snap-in, and then add the Security and Configuration snap-in.
  6. Right-click Security and Configuration and Analysis, and then click Open Database.
  7. Browse to the %TEMP% folder, type Secedit.sdb in the File name box, and then click Open.
  8. When you are prompted to import a template, click Setup Security.inf, and then click Open.
  9. Copy %TEMP%\Secedit.sdb to %SystemRoot%\Security\Database.
  10. Reboot.

This was a longer process than the first option, but seemed to be just as effective. As I mention in the steps, I didn’t bother with using safe mode to ensure I could copy or rename all the files. There seemed to be no ill effects with doing that, at least not in the short term.


Finally, I added a rule to System Center Essentials 2010 to watch for this error message on workstations in the future. I’d like to know sooner than later if some of the workstations in our organization are having issues processing GPOs.  We aren’t sure exactly why those two machines had issues, though they have had viruses removed from them in the past.  Perhaps trashing parts of the local security database was a result of some malware action.
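The same check can be run over exported event text and collected winlogon.log files. The Python sketch below is an added example, not the author's System Center rule: it parses records in the event layout shown above and flags hosts whose repeated SceCli 1202 / 0x4b8 warnings are backed by "Error 1208" in their log. The host names, the 1704 and 0x534 records and all function names are constructed for illustration.

```python
import re
from collections import Counter

FIELDS = {"Event Type", "Event Source", "Event Category", "Event ID", "Computer", "Description"}
ERROR_1208 = re.compile(r"Error 1208: An extended error has occurred\.\s*Error creating database", re.I)

def parse_events(text):
    """Split exported event text into dicts; each record starts at 'Event Type:'."""
    events, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Event Type:"):
            cur = {"Description": ""}
            events.append(cur)
        if cur is None or not line:
            continue
        key, sep, value = line.partition(":")
        if sep and key in FIELDS:
            cur[key] = value.strip()
        else:
            # Free text that follows the 'Description:' line
            cur["Description"] = (cur["Description"] + " " + line).strip()
    return events

def triage(event_text, winlogon_logs, min_warnings=2):
    """Map host -> (number of SceCli 1202/0x4b8 warnings, winlogon.log shows Error 1208)
    for hosts with at least min_warnings such events."""
    counts = Counter(
        e.get("Computer", "unknown") for e in parse_events(event_text)
        if e.get("Event Source") == "SceCli" and e.get("Event ID") == "1202"
        and "0x4b8" in e["Description"].lower())
    return {host: (n, bool(ERROR_1208.search(winlogon_logs.get(host, ""))))
            for host, n in counts.items() if n >= min_warnings}

# Constructed sample data: host names and the 1704 / 0x534 records are made up.
REC = ("Event Type: {0}\nEvent Source: SceCli\nEvent Category: None\n"
       "Event ID: {1}\nComputer: {2}\nDescription:\n{3}\n\n")
W4B8 = "Security policies were propagated with warning. 0x4b8 : An extended error has occurred."
SAMPLE_EVENTS = (
    REC.format("Warning", 1202, "WKS-01", W4B8)
    + REC.format("Information", 1704, "WKS-02",
                 "Security policy in the Group policy objects has been applied successfully.")
    + REC.format("Warning", 1202, "WKS-03", "Security policies were propagated with warning. "
                 "0x534 : No mapping between account names and security IDs was done.")
    + REC.format("Warning", 1202, "WKS-01", W4B8))
SAMPLE_LOGS = {"WKS-01": "Error 1208: An extended error has occurred.\n\tError creating database.\n"}

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS, SAMPLE_LOGS))
```

Event 1202 is raised for several different policy failures, so the filter keys on the 0x4b8 code and treats the winlogon.log line as corroboration before a machine is queued for a database repair.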

A Couple 2010 Dates to Remember

Now that 2010 is officially half over, you might want to keep in mind a few upcoming dates in “Microsoft-world” that could be important to your environment.

7/13/10 – Mid-July marks the end of life for Windows 2000 and Windows XP SP2. If you have either of those OSes running, remember they will no longer have updates developed for them. It’s time to get those workstations upgraded to a more recent service pack for XP or consider Windows 7 if that is something feasible. I’ll admit, I’ve still got one Windows 2000 server hanging out there – I don’t know if I’ll make it!

10/22/10 – XP Home will no longer be sold on netbooks. In my organization netbooks are either reinstalled with XP Professional once they arrive, or we could consider Windows 7 for some users, so it’s not much of a concern personally. For those of you making recommendations to friends and family, I’d go with Windows 7. There’s not really a good argument otherwise when it comes to home users.

With so many other Microsoft products touting “2010” (SharePoint, Exchange, Office…) it’s easy to get sidetracked by things that are new and shiny. Don’t forget to be ready to clean up after some of those things are reaching their end of life. Every environment has a machine or two that lags behind, don’t let an end of life issue turn into a security one.

End of Support for Windows 2000, Vista RTM and XP SP2: Where are your priorities?

There’s been a lot of chatter about some of the upcoming Microsoft end of support dates that are coming due, specifically for Windows 2000 and Windows XP Service Pack 2 on July 13, 2010 and Windows Vista RTM on April 13, 2010. If you are running an OS version that has reached the end of the support life, you aren’t eligible for any support updates or security patches after these dates.

Of course, the associated message is that the best way to stay supported is to upgrade to Windows 7. I’m all for that. I love using the latest and greatest operating systems, Windows 7 and Server 2008 (R2 or original) are no exception. But when it comes to these particular announcements, I only sort of care about them. I suspect that unless you haven’t patched or upgraded a server or desktop in the last 5 years, you probably only sort of care too. Here’s why:

  • Windows 2000 – This one is a pretty big deal. Windows 2000 is 10 years old and there will be no more support for the client or server versions, especially when it comes to security updates. Running Windows 2000 on your servers is like running NT 4.0 – you’re on your own! And being that Windows 2000 can’t run a version of Internet Explorer higher than 6, I’d limit the Internet access of any “2000” box you may need to keep in production this year.

  • Windows XP Service Pack 2 – This is a Service Pack, not the actual OS. Windows XP is in extended support until 4/8/2014. It’s true that you really shouldn’t be using SP2 anymore (for the IE 6 concerns alone) and Service Pack 3 has been out since April of 2008. If you are running XP SP2 and you don’t want to make any “big” moves to Windows 7 this half of 2010 then make a “little” move to SP3 for XP and buy yourself some more time.

  • Windows Vista RTM – Let’s take a closer look at the life-cycle here. The RTM version was released on 11/8/2006 and the generally available versions of Vista were released to customers on 1/30/2007. Vista, overall, is still in mainstream support until 4/10/2012. Plus, Vista Business and Enterprise versions have extended support until 4/11/2017. However, since SP1 has been out for Vista since April 2008, a version of the OS without any service pack is no longer supported. If your organization is planning on staying on Vista for the foreseeable future, you’ll want to be using SP2 for Vista, as the support for Vista SP1 ends on 7/12/2011.

So it comes down to really thinking about where the needs of your organization are now and where they really need to be come the end of 2010. I’d love to see Windows 7 on every desktop I touch, because I’m already finding myself annoyed with some of the things that XP lacks. However, I do think replacing Windows 2000 on servers takes priority over any Windows XP client.
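The distinction drawn above between a service pack's end of support and the operating system's can be applied to an inventory directly. This Python sketch is an added example, not part of the original post: it uses only the dates quoted in this post, and the inventory rows, host names and function names are constructed for illustration.

```python
from datetime import date

# End-of-support dates quoted in the post. OS-level entries use (os, None);
# service-pack-level entries use (os, sp).
EOS = {
    ("Windows 2000", None): date(2010, 7, 13),
    ("Windows XP", None): date(2014, 4, 8),
    ("Windows XP", "SP2"): date(2010, 7, 13),
    ("Windows Vista", None): date(2017, 4, 11),  # Business/Enterprise extended support
    ("Windows Vista", "RTM"): date(2010, 4, 13),
    ("Windows Vista", "SP1"): date(2011, 7, 12),
}

def assess(os_name, sp, today):
    """Return (effective end of support, recommended action) for one machine."""
    os_end = EOS[(os_name, None)]
    sp_end = EOS.get((os_name, sp), os_end)  # unlisted SP: only the OS date applies
    effective = min(os_end, sp_end)
    if today <= effective:
        action = "supported"
    elif today <= os_end:
        action = "little move: install a newer service pack"
    else:
        action = "big move: replace the OS"
    return effective, action

def prioritise(inventory, today):
    """Unsupported machines first, servers ahead of clients, earliest expiry first."""
    rows = [(host, role, *assess(os_name, sp, today))
            for host, role, os_name, sp in inventory]
    return sorted(rows, key=lambda r: (r[3] == "supported", r[1] != "server", r[2]))

# Constructed inventory: (host, role, OS, service pack).
INVENTORY = [
    ("pc-14", "client", "Windows XP", "SP2"),
    ("pc-20", "client", "Windows XP", "SP3"),
    ("srv-02", "server", "Windows 2000", "SP4"),
    ("pc-31", "client", "Windows Vista", "SP1"),
]

if __name__ == "__main__":
    for host, role, end, action in prioritise(INVENTORY, date(2010, 8, 1)):
        print(f"{host:8} {role:7} {end}  {action}")
```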

MSI Installer Error: What Advertised Application?

I ran into an interesting error message while reinstalling a custom piece of software on my Windows XP machine recently. The software processes small text files with a custom file extension and uses them to locate a particular document in our document management application. Users can also use the software to generate these custom files to share with others via email, etc.

The program is deployed using a Group Policy software assignment. My computer was handling the files properly from my desktop, but was not working as expected when accessing the same file if it was stored in SharePoint. I had tested the SharePoint functionality previously on another computer and it worked as expected. The MSI Installer includes the option to repair the application, so I attempted to run it again in order to see if that solved my problem. Instead of a successful run, I got the following error message:

“This advertised application will not be installed because it might be unsafe. Contact your administrator to change the installation user interface option of the package to basic.”

First, the application is “assigned” not “advertised” with the GPO. Second, I’m a local administrator on my machine, so I thought it was strange I was unable to run it. I pulled our DBA over (who wrote the program) and he confirmed that I should be seeing a “repair” option when the software is run after being installed once before.

A little searching brought us to this post, which recommended running the MSI installer from the command line using the /qb switch. We didn’t bother looking for the “product state value” as Soumitra Mondal suggests in his post, but it appears my PC was a bit confused about the install state of the application and reinstalling with that switch did the trick.

Enabling Terminal Services ActiveX on IE7

As great as Windows 7 is turning out to be, many companies with Server 2008 Terminal Services Web Access (or plans to move to Remote Desktop Services in the near future) will likely have users connecting from home with Windows XP and Internet Explorer 7 for the foreseeable future. However, the Terminal Services ActiveX control required by TSWA is disabled by default in XP SP3 as a security measure. This control needs to be explicitly enabled in IE7 in order to use the web access features of Server 2008.

Usually you can enable or disable an ActiveX control in IE using the “Manage Add-Ons” tool, but it’s likely that you will be unable to see the TS-specific control in IE7 on XP SP3 in that tool. The workaround is to delete the following two keys from the registry:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{7390f3d8-0439-4c05-91e3-cf5cb290c3d0}
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{4eb89ff4-7f78-4a0f-8b8d-2bf02e94e4b2}

Once you delete these keys, the required ActiveX control should be enabled in IE7.

An Oldie But Goodie

Recently, I rolled out the Client Side Extensions for XP in order to support Group Policy Preferences. The change in the GPO to use preferences instead of scripts for mapping some drive letters was a non-event for the majority of our staff machines. But there were a few reports of the mappings not taking place. A closer look at these machines proved that they had not received the update for the Client Side Extensions.

I’m running WSUS 3.0 SP1 in our office to update client machines. We have a lot of “spare” machines on the floor for use by visitors and consultants; often those machines are powered off for long periods of time. Because of this I don’t worry too much about machines that haven’t reported in to WSUS for 30+ days, unless they appear to be assigned to a regular user. When I checked WSUS for the status of the machines with the policy issue, they had not updated in a long period of time.

Those machines were throwing a “0x8024400e” error in the Windows Update log file. This error was documented a while back in the WSUS Product Team Blog. The fix to the problem is to “decline” (if not already declined) the Office 2003 Service Pack 1 update, un-decline (but not approve) it, and then decline again.

After that, the affected client machines will be able to get updates again. This worked for all but one of the machines that I saw this problem with. The last box then threw a “80072ee2” error in the Windows Update logs. This is related to general connectivity to the WSUS server. To solve this, I did a “hard reset” of the WSUS client by stopping the Automatic Update service, deleting the contents of the C:\Windows\SoftwareDistribution folder and then restarting the Automatic Update service again. Then I used the wuauclt.exe tool with the “/detectnow” switch to kick off an update immediately.

Sometime this week, I’ll have to go around and turn on all those spare computers, to make sure they all report in to WSUS and confirm that no other machines need special handling.

MS Security Advisory

Keep an eye out for this one since there isn’t a fix yet, outside of a workaround disabling some COM objects in the registry for Windows XP and Windows Server 2003.

Microsoft Security Advisory (972890) – Vulnerability in Microsoft Video ActiveX Control Could Allow Remote Code Execution

I suspect we’ll see a patch very soon. Vista and Windows Server 2008 are not affected, so those running the Windows 7 RC are likely safe too!