Offline Virtual Machine Servicing Tool v2.1 (VHD)


Virtualization affects how we plan, build, deploy, operate, and service workloads. Customers are creating large libraries of virtual machines containing various configurations. The patch-state of these virtual machines are not always known. Ensuring that offline virtual machines are properly patched and won’t become vulnerable the instant they come online is critical.

I am therefore very pleased to state that the Offline Virtual Machine Servicing Tool v2.1 has now been released!

Congratulations to the Solution Accelerator team for this release!

The Offline Virtual Machine Servicing Tool 2.1 has free, tested guidance and automated tools to help customers keep their virtualized machines updated, without introducing vulnerabilities into their IT infrastructure.

The tool combines the Windows Workflow programming model with the Windows PowerShell interface to automatically bring groups of virtual machines online, service them with the latest security updates, and return them to an offline state.

What’s New?

Release 2.1 is a direct response to customer and Microsoft field requests to support the R2 wave. Offline Virtual Machine Servicing Tool 2.1 now supports the following products:
· Hyper-V-R2
· VMM 2008 R2
· SCCM 2007 SP2
· WSUS 3.0 SP2
· OVMST 2.1 also supports updates to Windows 7 and Windows Server 2008 R2 virtual machines.

Download here; Offline Virtual Machine Servicing Tool  2.1
More info;

New tool Sysinternals, disk2vhd!

I am a big fan of sysinternals tools and I use these tools quite often to debug OS related issues. These tools are quite useful when you want to understand internals of OS. Mark and his team has been doing a great job in keeping these tools up to date and adding new features once in a while. One such new tool that got released yesterday is Disk2VHD. You can download it here. Here is how TechNet link decribes this new tool.

Disk2vhd is a utility that creates VHD (Virtual Hard Disk – Microsoft’s Virtual Machine disk format) versions of physical disks for use in Microsoft Virtual PC or Microsoft Hyper-V virtual machines (VMs). The difference between Disk2vhd and other physical-to-virtual tools is that you can run Disk2vhd on a system that’s online. Disk2vhd uses Windows’ Volume Snapshot capability, introduced in Windows XP, to create consistent point-in-time snapshots of the volumes you want to include in a conversion. You can even have Disk2vhd create the VHDs on local volumes, even ones being converted (though performance is better when the VHD is on a disk different than ones being converted)


I downloaded this tool in the morning and experimented a bit on my Windows 7 system. Usage of this tool is straight forward. You see a dialog with all disk partitions as listed in the screen shot here. All you need to do is select all the partitions you want to export to a VHD and click “Create”. The VHD export will take sometime based on the overall disk size you selected. For my experiments, I just selected first two partitions. This is because I have all the BCD information on partition 1 and without that my new VHD will be meaningless. You may see lot of CPU/memory utilization while the export is in progress. On my system, it looked something like this.

Once the export is complete, I rebooted my system in to Windows Server 2008  R2 and created a virtual machine and attached the exported VHD. That is it. My virtual machine is ready with installed OS and all the applications I was running on the physical Windows 7 system.

As I powered on the VM, the first screen showed me the boot menu I usually see on my physical machine. This is because I never removed the additional multi-boot entries I had in the BCD stored on first partition.  This entries — if selected — won’t work because I did not export the partitions containing those OS images to the VHD.


At this point, I continued selecting the Windows 7 entry and started booting OS. Within a few seconds, I could see the user selection screen and after I logged in using my regualr user account, I could see all the applications working as usual. I also have Windows Virtual PC with WinXP mode in the VHD image. But — as I expected — that did not work as it requires hardware assisted virtualization which is something that will not be availble inside a virtual machine.


System Center Virtual Machine Manager 2008 R2 RTM!

Zane Adam: System Center Virtual Machine Manager 2008 R2 has RTM’d and GA via volume licensing is set for October 1. This is great news for all and I’d like to especially thank our VMM 2008 R2 Development, Product Management, and Test teams. Lots of hard work fueled by their passion in virtualization and management has resulted in a very good software release.

A 180-day evaluation version is now available, too, on the Microsoft Download site. You can access it here.

Please experience for yourself what the 10,000+ people who have previously downloaded our ‘Release Candidate’ plus organizations such as Continental Airlines, Lionbridge Technologies, and Indiana University have seen with VMM 2008 R2!

I encourage everyone to explore the new System Center Virtual Machine Manager 2008 R2 and its new features such as quick storage migration, live migration, and many others. We even offer support for vSphere 4.

To learn more on the new features and capabilities of VMM2008 R2, please try to attend our upcoming TechNet session ‘Technical Overview of System Center Virtual Machine Manager 2008 R2’. Presented by our Technical Product Manager Kenon Owens, it will be chocked full of new and cool VMM 2008 R2 items. Go here to register for this Wednesday, September 09, 2009 (10:00 AM Pacific) event.

Source :

Great Microsoft Virtualization Free E-Book

understanding-microsoft-virtualization-solutionsToday I have another great ebook to share with you. If you are interested in Microsoft virtualization solutions, then book “Understanding Microsoft Virtualization solutions” will be great resource for you. It is available as a free pdf download, and it covers Windows Server 2008 Hyper-V, System Center Virtual Machine Manager 2008, Microsoft Application Virtualization 4.5, Microsoft Enterprise Desktop Virtualization, and Microsoft Virtual Desktop Infrastructure. It’s been written by Mitch Tulloch with the Microsoft Virtualization team, it’s been published by Microsoft Press, it has 431 pages and it is available as FREE DOWNLOAD.

Download “Understanding Microsoft Virtualization solutions – from the Desktop to the Datacenter” free pdf ebook

Original article: Microsoft Press – Microsoft Virtualization Solutions Free E-Book by Brian Johnson

Pushing the Limits of Windows: Paged and Nonpaged Pool

In previous Pushing the Limits posts, I described the two most basic system resources, physical memory and virtual memory . This time I’m going to describe two fundamental kernel resources, paged pool and nonpaged pool, that are based on those, and that are directly responsible for many other system resource limits including the maximum number of processes, synchronization objects, and handles.

Paged and nonpaged pools serve as the memory resources that the operating system and device drivers use to store their data structures. The pool manager operates in kernel mode, using regions of the system’s virtual address space (described in the Pushing the Limits post on virtual memory) for the memory it sub-allocates. The kernel’s pool manager operates similarly to the C-runtime and Windows heap managers that execute within user-mode processes.  Because the minimum virtual memory allocation size is a multiple of the system page size (4KB on x86 and x64), these subsidiary memory managers carve up larger allocations into smaller ones so that memory isn’t wasted.

For example, if an application wants a 512-byte buffer to store some data, a heap manager takes one of the regions it has allocated and notes that the first 512-bytes are in use, returning a pointer to that memory and putting the remaining memory on a list it uses to track free heap regions. The heap manager satisfies subsequent allocations using memory from the free region, which begins just past the 512-byte region that is allocated.

Nonpaged Pool

The kernel and device drivers use nonpaged pool to store data that might be accessed when the system can’t handle page faults. The kernel enters such a state when it executes interrupt service routines (ISRs) and deferred procedure calls (DPCs), which are functions related to hardware interrupts. Page faults are also illegal when the kernel or a device driver acquires a spin lock, which, because they are the only type of lock that can be used within ISRs and DPCs, must be used to protect data structures that are accessed from within ISRs or DPCs and either other ISRs or DPCs or code executing on kernel threads. Failure by a driver to honor these rules results in the most common crash code, IRQL_NOT_LESS_OR_EQUAL .

Nonpaged pool is therefore always kept present in physical memory and nonpaged pool virtual memory is assigned physical memory. Common system data structures stored in nonpaged pool include the kernel and objects that represent processes and threads, synchronization objects like mutexes, semaphores and events, references to files, which are represented as file objects, and I/O request packets (IRPs), which represent I/O operations.

Paged Pool

Paged pool, on the other hand, gets its name from the fact that Windows can write the data it stores to the paging file, allowing the physical memory it occupies to be repurposed. Just as for user-mode virtual memory, when a driver or the system references paged pool memory that’s in the paging file, an operation called a page fault occurs, and the memory manager reads the data back into physical memory. The largest consumer of paged pool, at least on Windows Vista and later, is typically the Registry, since references to registry keys and other registry data structures are stored in paged pool. The data structures that represent memory mapped files, called sections internally, are also stored in paged pool.

Device drivers use the ExAllocatePoolWithTag API to allocate nonpaged and paged pool, specifying the type of pool desired as one of the parameters. Another parameter is a 4-byte Tag , which drivers are supposed to use to uniquely identify the memory they allocate, and that can be a useful key for tracking down drivers that leak pool, as I’ll show later.

Continue reading

Announcing Windows Server 2008 R2 Beta!

A quick recap of my favorite highlights:

  • While the Windows 7 client is available in both x86 and x64 versions, Windows Server 2008 R2 is Microsoft’s first 64-bit only OS. It also supports up to 256 logical processors, which opens up a whole new world of enterprise-class back-end processing power.
  • Your existing servers will run faster, too, because Windows Server 2008 R2 takes advantage of the latest CPU architecture enhancements. You’ll also get significant power management improvements via features like Core Parking.
  • Hyper-V in R2 now has Live Migration, allowing IT admins to move VMs across physical hosts with no interruption of service or network connectivity and significant network performance improvements. VMs in Hyper-V for R2 also get greater access to physical resources, namely support for 32 logical processors. It all adds up to the most flexible virtual data center in Microsoft’s history.
  • Check out PowerShell 2.0. Next to Live Migration, "more PowerShell" is the most consistent customer request we’ve had from Windows Server 2008. So, you’ll find over 240 new cmdlets out of the box along with new dev tools for building your own cmdlets that are not only more robust, but easier, too. The new PowerShell is so powerful, we’re starting to build GUI-based management consoles that are based entirely on PowerShell in the background-check out the new Active Directory Administrative Center for starters.
  • RDS is another big-time update. What used to be called Terminal Services has now evolved into Remote Desktop Services with the R2 release. Key in RDS is the new Virtual Desktop Infrastructure (VDI), which allows you to centralize Windows desktops in the data center as virtual machines in addition to the traditional session-based remote desktop model we all know and love from Terminal Services. But VDI is only one new feature in RDS. Others include better end-user fidelity with features like true multiple monitor support and high-end audio and video so you’ve got more breadth in the kinds of applications you can centralize. And the new RemoteApp and Desktop connections feature integrates tightly enough with Windows 7 that users of the new desktop OS won’t need to practically differentiate between what’s local and what isn’t. It all runs off the Start menu.
  • And speaking of Windows 7…Windows Server 2008 R2 is a powerful upgrade to any Windows Server data center all by itself. But in combination with Windows 7 on the client side you’ll enter a whole new world of manageability and productivity:
    • DirectAccess makes remote access ubiquitous (I’m nuts about this one),
    • BranchCache can improve file retrieval at branch offices while simultaneously decreasing WAN bandwidth costs,
    • New Group Policy objects allow deeper control of client desktop management, including access, system monitoring and even physical resources like power management,
    • You’ll be able to manage and keep data safe even on removable drives by using BitLocker to Go.

Source :


Windows Server 2008 R2 Datacenter, Enterprise en Standard Beta 64-bit
Windows Web Server 2008 R2 Beta 64-bit

This Post lists the best practices for securing Terminal Server or Windows XP (for use with VDI)

How can I protect my terminal servers from Spyware, Malware, Trojans, Worms, Viruses and un-authorized software?

  1. Start with a secure installation of the Operating System.  Windows Server 2003 installs by default with the users being able to create files and folders in the root of the system drive and Windows 2000 Server installs by default with the Everyone group having Full Control NTFS Permissions to the entire System Drive.  To lock down the System Drive on Windows 2000 Server, start with the following settings:

    1. Root of System Drive – Authenticated Users = "Read and Execute"

    2. Root of System Drive – Administrators = "Full Control"

    3. Root of System Drive – System = "Full Control"

    4. Program Files Directory – Authenticated Users = "Read and Execute"

    5. Program Files Directory – Administrators = "Full Control"

    6. Program Files Directory – System = "Full Control"

  2. NEVER allow anyone to logon as an administrator or power user, unless they are a member of the IT Staff / IT Consulting Firm that is responsible for the server, and they are logging on to perform administrative functions, i.e. installing software, performing a backup…

  3. Force "Empty Temporary Internet Files when browser closed" via Group Policy.  This will delete most bad files from the Temp IE location of the user’s profile, and leave only the cookie files.

  4. Implement Roaming Terminal Server Profiles, Mandatory Terminal Server Profiles or Flex Terminal Server Profiles.

  5. Enable DeleteRoamingCache in the registry, or via "Delete Cached Copies of Roaming Profiles " in Group Policy.  Since the Roaming Profile does not propagate the user’s Temp Directory, enabling this policy will usually delete that anything the user downloaded unintentionally.  This policy deletes the user’s local profile at logoff once it’s been successfully unloaded and copied to the roaming location.

  6. Install the User Profile Hive Cleanup Service , which helps to ensure user sessions are completely terminated when a user logs off.  Without this service, user profiles are often not unloaded successfully which causes the copy to the roaming profile location and DeleteRoamingCache setting to fail.

  7. Install a Terminal Server compatible anti-virus scanner on each terminal server, a VSAPI anti-virus scanner on each SMTP Server, and an anti-virus scanner at the Internet Gateway.

  8. Set the Terminal Services Configuration Permission Compatibility to "Full Security" (Windows Server 2003) , or to "Windows 2000 Users" (Windows 2000 Server) . If you use the "Permissions compatible with Terminal Server 4.0 Users" (Windows 2000 Server) or "Relaxed Security" (Windows Server 2003), each user logging on is added to the TSUser Security Group, which has permissions and rights of the Power Users Group.

  9. Enable Software Restriction Policies in Group Policy, to define which files can be executed by users.

  10. If users need only one application, specify this program to start when they logon.  This can be done for everyone via Group Policy or Terminal Services Configuration , or for specific users via Active Directory or Local User Account.

  11. Consider locking down the user environment with a FREE program like BrsSuite , designed by Terminal Server Security Expert "Fabrice Cornet", of FC Consult, Belgium .

  12. Restrict access to applications normal users shouldn’t ever use, or that do not follow the policy restrictions in place, i.e. winfile and

How can provide the most secure access to terminal servers from the Public Internet?  The RDP Protocol is secure and uses RSA Security’s RC4 cipher, at either 56 or 128 bits, however the following should be considered when providing access to terminal servers over the Public Internet:

  1. Set the RDP-Tcp Encryption Level to "High" (Windows 2000 Server or Windows Server 2003)

  2. Define and enforce a strong password policy .

  3. If you require password authentication to access a Remote Desktop Web Connection (RDWC, aka TSAC or TSWeb), do so over an SSL Connection.  Since you have to logon to the Terminal Server, there really is no advantage to requiring authentication to access a RDWC.

  4. Do NOT use traditional client-to-server VPN to provide secure access to Terminal Servers.  This may sound strange, but traditional client-to-server VPNs require connectivity over non-standard ports client software on the remote computer. These often prevent remote users from being able to connect.  In addition to the connectivity problems traditional VPN can cause, traditional client-to-server VPNs can open the corporate network to viruses, trojans or worms, because they extend the corporate network to the remote client.

  5. Do consider providing secure access to terminal servers via SSL VPN or a Terminal Server Secure Gateway , as these can provide access over standard ports like 443 or 80, which makes connectivity easy for remote users.  These devices or software applications also provide access to a specific computer, or set of computers, instead of opening a secure tunnel to the entire corporate network.

Offline Virtual Machine Servicing Tool

The Offline Virtual Machine Servicing Tool helps organizations maintain virtual machines that are stored offline in a Microsoft® System Center Virtual Machine Manager library. While stored, virtual machines do not receive operating system updates. The tool provides a way to keep offline virtual machines up-to-date so that bringing a virtual machine online does not introduce vulnerabilities into the organization’s IT infrastructure.

The Offline Virtual Machine Servicing Tool helps organizations maintain virtual machines that are stored offline in a Microsoft® System Center Virtual Machine Manager library. While stored, virtual machines do not receive operating system updates. The tool provides a way to keep offline virtual machines up-to-date so that bringing a virtual machine online does not introduce vulnerabilities into the organization’s IT infrastructure.
Download Here: Offline Virtual Machine Servicing Tool