Using Group Policy to Automate the EFS Disable Process

If you would like to push the disabled setting through Group Policy to Windows XP systems joined to a Windows 2000 domain, you can do so by editing the Sceregvl.inf file. This file resides in the %Windir%\inf folder and represents the list of registry settings that are exposed in the Local Policy | Security Options section of security templates (Fig. 13.13).

Figure 13.13: The Local Policy | Security Options section of security templates

By adding registry information to the file, you can expose additional entries. This extends your ability to manage settings through Security Configuration and Analysis or through Group Policy. The file has two relevant sections: one lists registry values, [Register Registry Values], and one holds the strings that will appear in the security template, [Strings].

First, add the registry information to the file. The following line should be placed among the other registry settings in the [Register Registry Values] section:

MACHINE\Software\Microsoft\Windows NT\CurrentVersion\EFS\EfsConfiguration,4,%EfsConfiguration%,0

The syntax for the entries in the [Register Registry Values] section is:

RegistryPath, RegistryType, DisplayName, DisplayType, Options

The parameters listed above are briefly explained in Table 13.1.

Table 13.1: Parameters Used in the [Register Registry Values] Section of the Sceregvl.inf File

Parameter: RegistryPath
Explanation: Defines the full path to the registry key and value entry that you want to expose in the Group Policy Editor user interface (UI). Only values that exist under the HKEY_LOCAL_MACHINE root key can be configured. Notice that in the entry syntax this root key is referenced by the MACHINE keyword.

Parameter: RegistryType
Explanation: Specifies a number that defines the data type of the registry value to be created. The following values are acceptable:
  1 - REG_SZ
  2 - REG_EXPAND_SZ
  3 - REG_BINARY
  4 - REG_DWORD
  7 - REG_MULTI_SZ

Parameter: DisplayName
Explanation: Specifies the string that appears in the Security Options section of the Group Policy Editor UI. This is usually a replaceable parameter that refers to an entry in the [Strings] section of the Sceregvl.inf file.

Parameter: DisplayType
Explanation: Indicates the type of dialog that should be displayed to allow the user to configure the setting. The following values are acceptable:
  0 - Boolean: Causes the UI to render two radio buttons, which "enable" or "disable" the registry value. If the Enabled option is selected, the registry value is set to 1. If the Disabled radio button is chosen, the registry value is set to 0.
  1 - Numeric: Causes the UI to render a numeric control that allows the user to type in or select a numeric value in the range of 0 to 99999. Numeric display types can specify "unit" strings, such as "minutes" or "seconds", that appear next to the spin control in the UI. These "unit" strings are defined in the Options field described below. The registry value is set to the number entered by the user.
  2 - String: Causes the UI to render a text box. The registry value is set to the string entered by the user.
  3 - List: Causes the UI to render a list box from which the user can select an option. The registry value is set to the numeric value associated with the option chosen by the user. The options presented to the user are defined in the Options field described below.
  4 - Multivalued (unavailable on Windows 2000): Causes the UI to render an edit control that allows the user to enter multiple lines of text. This display type should be used for values of the REG_MULTI_SZ type. The registry value is set to the strings entered by the user; each line is separated by a NULL byte.
  5 - Bitmask (unavailable on Windows 2000): Causes the UI to render a series of checkboxes. Each checkbox corresponds to a numeric value defined in the Options field described below. The registry value is set to the bitwise OR of the selected values.

Parameter: Options
Explanation: Qualifies the different DisplayTypes as follows:
  If DisplayType=1 (Numeric), the Options field may contain a string that defines the units for the numeric value. The unit string is displayed next to the spin control in the UI. The unit string has no effect on the value set in the registry.
  If DisplayType=3 (List), the Options field defines the list options that are available to the user. Each option consists of a numeric value followed by the "pipe" character '|' and the text for the choice; the options are separated by commas. The registry value is set to the numeric value associated with the choice made by the user.
  If DisplayType=5 (Bitmask), the Options field defines the choices that are available to the user. Each choice consists of a numeric value followed by the "pipe" character '|' and the text for the choice; the choices are separated by commas. The registry value is set to the bitwise OR of the choices selected by the user.

Thus, the entry that we have added to the [Register Registry Values] section (MACHINE\Software\Microsoft\Windows NT\CurrentVersion\EFS\EfsConfiguration,4,%EfsConfiguration%,0) can be explained as follows:

RegistryPath = MACHINE\Software\Microsoft\Windows NT\CurrentVersion\EFS\EfsConfiguration - This exposes the EfsConfiguration value under the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\EFS registry key.
RegistryType = 4 - The value is of the REG_DWORD data type.
DisplayName = %EfsConfiguration% - This references the string value in the [Strings] section of the Sceregvl.inf file.
DisplayType = 0 - The dialog rendered by the Group Policy Editor UI has two radio buttons: Enabled and Disabled. Selecting Enabled writes 1 to EfsConfiguration, which is the setting that disables EFS on the target computer.
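The following Python script is an added example and is not code from the book. It applies the Table 13.1 rules to a Sceregvl.inf held in memory: it parses each [Register Registry Values] entry into its five fields, checks what the table lets you check (the MACHINE\ prefix, known RegistryType and DisplayType codes, 'value|text' choices in Options for List and Bitmask displays, and a [Strings] entry for every %Name% display name), then appends the EfsConfiguration entry together with the [Strings] line that the next step adds by hand. Running it twice leaves the file unchanged. The INF text embedded below is a constructed two-entry abridgement, not the real file, and the two type pairings it enforces (Boolean with REG_DWORD, Multivalued with REG_MULTI_SZ) are inferred from the table rather than stated by it. On a real system you would read %Windir%\inf\Sceregvl.inf, write the result back, and run regsvr32 scecli.dll as described in the text.

```python
"""Add a custom Security Options entry to Sceregvl.inf and check it against
the Table 13.1 rules.  Added example, not code from the book: it edits the
INF text in memory so that it runs anywhere."""
import re

REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
             4: "REG_DWORD", 7: "REG_MULTI_SZ"}
DISPLAY_TYPES = {0: "Boolean", 1: "Numeric", 2: "String",
                 3: "List", 4: "Multivalued", 5: "Bitmask"}
# Pairings inferred from the table (assumption): Boolean writes 0/1 into a
# REG_DWORD, Multivalued is meant for REG_MULTI_SZ.  Others are not checked.
EXPECTED_TYPE = {0: 4, 4: 7}

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
DISPLAY_REF_RE = re.compile(r"^%([^%]+)%$")

# The EFS entry and its display string, exactly as given in the text.
EFS_ENTRY = (r"MACHINE\Software\Microsoft\Windows NT\CurrentVersion\EFS"
             r"\EfsConfiguration,4,%EfsConfiguration%,0")
EFS_STRING = ("EfsConfiguration",
              "Public Key Infrastructure: Users cannot encrypt files")

# Constructed, heavily abridged stand-in for the real Sceregvl.inf.
SAMPLE_INF = r"""[Version]
signature="$CHICAGO$"

[Register Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects,4,%AuditBaseObjects%,0

[Strings]
AuditBaseObjects = "Audit: Audit the access of global system objects"
"""


def split_sections(text):
    """Return [[name, lines], ...]; index 0 is a nameless preamble (usually empty)."""
    sections = [["", []]]
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            sections.append([m.group("name"), []])
        else:
            sections[-1][1].append(line)
    return sections


def render(sections):
    """Reassemble the INF text from the section list."""
    out = []
    for name, lines in sections:
        if name:
            out.append("[%s]" % name)
        out.extend(lines)
    return "\n".join(out) + "\n"


def find_section(sections, name):
    """INF section names are case-insensitive ([Strings] and [strings] match)."""
    for sec in sections:
        if sec[0].lower() == name.lower():
            return sec
    return None


def strings_table(sections):
    """Map Name -> text for the [Strings] section, surrounding quotes removed."""
    table = {}
    sec = find_section(sections, "Strings")
    for line in (sec[1] if sec else []):
        if "=" in line and not line.lstrip().startswith(";"):
            key, value = line.split("=", 1)
            table[key.strip()] = value.strip().strip('"')
    return table


def parse_entry(line):
    """Split 'RegistryPath,RegistryType,DisplayName,DisplayType[,Options]'.
    Options may itself contain commas (List/Bitmask choices), so split at most 4 times."""
    parts = [p.strip() for p in line.split(",", 4)]
    if len(parts) < 4:
        raise ValueError("entry needs at least four fields: %r" % line)
    return {"path": parts[0], "type": int(parts[1]), "display": parts[2],
            "dtype": int(parts[3]), "options": parts[4] if len(parts) == 5 else ""}


def validate_entry(entry, strings):
    """Return the list of rule violations (empty when the entry is sound)."""
    problems = []
    if not entry["path"].upper().startswith("MACHINE\\"):
        problems.append("only HKEY_LOCAL_MACHINE (MACHINE\\...) values can be exposed")
    if entry["type"] not in REG_TYPES:
        problems.append("unknown RegistryType %d" % entry["type"])
    if entry["dtype"] not in DISPLAY_TYPES:
        problems.append("unknown DisplayType %d" % entry["dtype"])
    else:
        want = EXPECTED_TYPE.get(entry["dtype"])
        if want is not None and entry["type"] != want:
            problems.append("%s display expects a %s value"
                            % (DISPLAY_TYPES[entry["dtype"]], REG_TYPES[want]))
        if entry["dtype"] in (3, 5) and "|" not in entry["options"]:
            problems.append("%s display needs 'value|text' choices in Options"
                            % DISPLAY_TYPES[entry["dtype"]])
    m = DISPLAY_REF_RE.match(entry["display"])
    if m and m.group(1) not in strings:
        problems.append("DisplayName %s has no [Strings] entry" % entry["display"])
    return problems


def append_to_section(lines, new_line):
    """Insert before the blank lines that separate this section from the next."""
    i = len(lines)
    while i > 0 and not lines[i - 1].strip():
        i -= 1
    lines.insert(i, new_line)


def add_security_option(inf_text, entry_line, string_name, string_text):
    """Return the INF text with the entry and its string added; idempotent."""
    sections = split_sections(inf_text)
    reg = find_section(sections, "Register Registry Values")
    strs = find_section(sections, "Strings")
    if reg is None or strs is None:
        raise ValueError("both [Register Registry Values] and [Strings] are required")
    if not any(l.strip() == entry_line.strip() for l in reg[1]):
        append_to_section(reg[1], entry_line)
    if string_name not in strings_table(sections):
        append_to_section(strs[1], '%s = "%s"' % (string_name, string_text))
    problems = validate_entry(parse_entry(entry_line), strings_table(sections))
    if problems:
        raise ValueError("; ".join(problems))
    return render(sections)


if __name__ == "__main__":
    print(add_security_option(SAMPLE_INF, EFS_ENTRY, *EFS_STRING))
```

The validation runs after both lines are in place, so a DisplayName whose %Name% has no matching [Strings] entry, or a path outside HKEY_LOCAL_MACHINE, is reported before anything is written back; those are the two mistakes that make the new option silently fail to appear in the Security Options list after regsvr32 is run.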
Now, it is necessary to add the string displayed in the GUI to the [Strings] section of the Sceregvl.inf file, for example:

EfsConfiguration = "Public Key Infrastructure: Users cannot encrypt files"

After the required modifications have been introduced into the Sceregvl.inf file, save it and run the following command at the command prompt:

Regsvr32 scecli.dll

This command is required to register the changes. If the command completes successfully, a dialog box confirming the registration appears. The list of security options available in security templates should now include your option; it should also be present in Group Policy Objects (GPOs) edited on this machine. To use the setting, open a security template, set the new option to Enabled, save the template, and import it into a GPO linked to the organizational unit (OU) in which the Windows XP computer accounts reside. Note that the edited Sceregvl.inf is only needed on the computer where you edit templates and GPOs: the GPO itself carries the registry path and value, so the target computers apply it without any change to their own Sceregvl.inf.

Troubleshooting Windows Installer Issues

In Chapter 11, we considered Windows Installer technology and its relationship to the system registry. As outlined in that chapter, the executable file that comprises the Windows Installer service (installed on every Windows 2000, Windows XP, or Windows Server 2003 computer by default) is Msiexec.exe. By default, the Installer service runs in the LocalSystem security context and can perform any change to the system. In addition, the Installer service can install MSI packages on behalf of the user logged on to the system. It can determine whether an application installation is broken or corrupt and attempt to repair it. Finally, it can roll back an application installation if it fails before completion.

Note: While an application installation is in progress, Windows Installer creates temporary files (located in the %SystemDrive%\config.msi folder). During a rollback, these files are used to undo the steps taken before the failure.
Despite the advantages of Windows Installer, you can encounter problems when installing applications with the technology. In this section, we will briefly consider the most important problems and discuss some troubleshooting techniques.

Using MSIEXEC from the Command Line

As outlined in Chapter 11, Windows Installer is a system service. It can also be invoked interactively by the Msiexec.exe command-line tool, which provides powerful capabilities for managing your *.msi packages. The syntax used by the Msiexec.exe command-line tool is:

msiexec.exe /<command-line option> <argument>

Here, argument is the path and name of the package file. The most common command-line options used with the Msiexec.exe command are:

/i <MSI file name>: Install a product
/f <MSI file name>: Repair a product (*)
/a <MSI file name>: Install a product in "Run from Network" or Administrative mode
/x <MSI file name>: Uninstall a product
/j <MSI file name>: Advertise (assign) a product - immediately places a shortcut on the desktop or Start menu
/jm <MSI file name>: Advertise a product per machine
/ju <MSI file name>: Advertise a product per user
/j [u | m] <MSI file name> /t <MST transform file>: Advertise a product and apply a transform
/l <log file name>: Use in conjunction with one of the above operations to log install (or repair) information to <log file name> (*)
/p <patch package name>: Apply a patch to a product
/q [n | b | r | f]: Sets the verbosity of the installation interface:
  /qn = No UI at all
  /qb = Basic UI
  /qr = Reduced UI
  /qf = Full UI
  /qn+ = No UI except for a completion dialog
  /qb+ = Basic UI with a completion dialog

Note: The full list of command-line options for the Msiexec.exe tool is significantly larger. The options marked here with asterisks (*) have additional suboptions available. A complete list of these options and detailed information about their usage can be found in Microsoft's MSDN Online Library (http://msdn.microsoft.com). Furthermore, Microsoft has published a detailed FAQ on Windows Installer, which can be found at http://www.microsoft.com/windows2000/community/centers/management/msi.faq.asp.

Windows Installer Is Unavailable on Windows XP and Windows Server 2003

Although the Windows Installer service is installed by default, sometimes it might not be installed correctly. The symptoms of this problem are as follows:

You repeatedly cannot run an installation of any *.msi file successfully.

Note: If you cannot run a single Windows Installer package successfully (but attempts to install other *.msi packages succeed), contact the vendor of that package for support on that particular product's installation. In addition, note that when you invoke an application install from the command line using msiexec.exe, you don't, by default, get the elevation of privileges that occurs when an application is published or assigned via Group Policy. Thus, if you are not a member of the Power Users or Administrators built-in local security groups, a command-line install might fail because of insufficient privileges.

When you attempt to install a program that uses Windows Installer, you receive an error message similar to the following:

The Windows Installer service could not be accessed. This can occur if you are running in safe mode or if the Windows Installer is not correctly installed.

The most probable cause of this problem is incorrect or corrupted registration of the Windows Installer engine. To eliminate it, unregister and then re-register the Windows Installer service by following these steps:

1. Click the Start button, select the Run command, and type cmd into the Open field to start the command prompt window.
2. Issue the command msiexec /unregister and press <Enter>. This stops the Windows Installer service and unregisters it.
3. Issue the command msiexec /regserver and press <Enter>.
This command re-registers the service and ensures that it is functioning properly.

Note: If this procedure doesn't resolve the problem, you can remove the Windows Installer engine files and do a clean reinstallation.

Enabling Windows Installer Logging

For Windows NT-based systems - including Windows 2000, Windows XP, and the products of the Windows Server 2003 family - event logging provides a standard and centralized method of recording important system events related to hardware, software, security, etc. Windows Installer also writes entries into the Event Log, which records events such as:

Success or failure of the installation, removal, or repair of a product
Errors that occur during product configuration
Detection of corrupted configuration data
Information about the missing components that cause a repair of an application

Windows Installer 2.0, the latest major release of Windows Installer, provides improved logging options. In previous versions of the service, all error codes fell within two or three non-unique event IDs. With Windows Installer 2.0, each error receives its own ID, which greatly improves how you can search for and filter Windows Installer events.

Besides the OS event log, Windows Installer records errors and events in its own log file. The amount of detail depends on the options used when enabling the logging mode. You can enable the logging mode by various means, including:

Issuing the Msiexec command with the /L option
Editing the registry

When enabling Windows Installer logging from the command line using the /L option, you can specify exactly what information is logged and where. To create a log, append /L<suboptions> Logfile_name to your Msiexec command line. For example, appending /L* Logfile_name creates a normal log file with all suboptions except v (verbose). To produce a verbose log file, which provides more comprehensive information, use the following syntax: /L*v Logfile_name.
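Before going through the individual suboption letters (listed next), here is an added example, written for this page and not taken from the book, of what you do with such a log once you have it. The Python script below builds the msiexec command line for an unattended install with a verbose log, expands a /L suboption string (the same letters are used in the Logging registry value) against the letters the text lists and rejects any other, and scans a verbose log for the first action whose return value is not success, which is the usual way to find where an installation broke (search for "Return value 3"). The log text embedded in it is constructed to mimic the layout of Windows Installer 2.0 verbose logs and is not a real capture; the file paths, the product name Contoso, and the return-value meanings (the msiDoActionStatus codes) are assumptions of the example.

```python
"""Drive msiexec with a verbose log and find the failing action in that log.
Added example, not code from the book.  The sample log is constructed."""
import re

# /L suboption letters as listed in the text.  '*' stands for every record
# type except 'v'; '+' and '!' modify how the file is written.
LOG_FLAGS = {
    "i": "status messages", "w": "non-fatal warnings", "e": "all error messages",
    "a": "startup of actions", "r": "action-specific records",
    "u": "user requests", "c": "initial UI parameters",
    "m": "out-of-memory or fatal-exit information",
    "o": "out-of-disk-space messages", "p": "terminal properties",
    "v": "verbose output", "+": "append to existing file",
    "!": "flush each line to the log", "*": "all record types except v",
}
MODIFIERS = "v+!*"


def unknown_log_flags(flags):
    """Letters in a /L string (or Logging registry value) the text does not list."""
    return sorted(set(flags) - set(LOG_FLAGS))


def describe_log_flags(flags):
    """Expand a /L suboption string into the sorted list of selected suboptions."""
    unknown = unknown_log_flags(flags)
    if unknown:
        raise ValueError("unknown logging suboption(s): %s" % "".join(unknown))
    selected = set()
    for ch in flags:
        if ch == "*":
            selected.update(k for k in LOG_FLAGS if k not in MODIFIERS)
        else:
            selected.add(ch)
    return sorted(selected)


def msiexec_command(package, log_path, quiet=True):
    """Argument list for an unattended install (/qn) with a verbose log (/L*v)."""
    argv = ["msiexec.exe", "/i", package]
    if quiet:
        argv.append("/qn")
    argv += ["/L*v", log_path]
    return argv


def to_command_line(argv):
    """Join the arguments, quoting the ones that contain spaces for cmd.exe."""
    return " ".join('"%s"' % a if " " in a else a for a in argv)


# Standard actions are bracketed by 'Action start <time>: <name>.' and
# 'Action ended <time>: <name>. Return value <n>.' lines.
ACTION_START_RE = re.compile(r"^Action start \d+:\d+:\d+: (?P<action>[^.\s]+)\.")
ACTION_END_RE = re.compile(
    r"^Action ended \d+:\d+:\d+: (?P<action>[^.\s]+)\. Return value (?P<rv>\d+)\.")
# Internal error records look like 'Note: 1: <msi error code> 2: <detail> ...'
NOTE_RE = re.compile(r"Note: 1: (?P<code>\d+)(?: 2: (?P<detail>.*))?")
# msiDoActionStatus codes as they appear after 'Return value' (assumption).
RETURN_VALUES = {0: "no action taken", 1: "success", 2: "user exit",
                 3: "fatal error", 4: "suspended"}


def find_failure(log_text):
    """Return details of the first action whose return value is not 0 or 1,
    with the error notes logged during that action, or None if all succeeded."""
    notes = []
    for line in log_text.splitlines():
        if ACTION_START_RE.match(line):
            notes = []                      # notes belong to the current action
        m = NOTE_RE.search(line)
        if m:
            notes.append((int(m.group("code")), (m.group("detail") or "").strip()))
        m = ACTION_END_RE.match(line)
        if m and int(m.group("rv")) not in (0, 1):
            rv = int(m.group("rv"))
            return {"action": m.group("action"), "return_value": rv,
                    "meaning": RETURN_VALUES.get(rv, "unknown"), "notes": notes}
    return None


# Constructed sample: InstallFiles fails with MSI error 1304 (error writing
# to file), so the top-level INSTALL action reports 3 as well.
SAMPLE_LOG = "\n".join([
    "=== Verbose logging started: 3/14/2004 10:15:31 ===",
    "Action start 10:15:31: InstallValidate.",
    "Action ended 10:15:31: InstallValidate. Return value 1.",
    "Action start 10:15:32: InstallFiles.",
    r"MSI (s) (A0:B4) [10:15:32:234]: Note: 1: 1304 2: C:\Program Files\Contoso\app.exe",
    r"Error 1304. Error writing to file: C:\Program Files\Contoso\app.exe.",
    "Action ended 10:15:33: InstallFiles. Return value 3.",
    "Action ended 10:15:34: INSTALL. Return value 3.",
    "=== Logging stopped: 3/14/2004 10:15:34 ===",
])
SAMPLE_OK_LOG = "\n".join([
    "Action start 10:20:01: InstallValidate.",
    "Action ended 10:20:01: InstallValidate. Return value 1.",
    "Action start 10:20:01: InstallFiles.",
    "Action ended 10:20:05: InstallFiles. Return value 1.",
    "Action ended 10:20:06: INSTALL. Return value 1.",
])

if __name__ == "__main__":
    print(to_command_line(msiexec_command(r"C:\Pkgs\contoso.msi",
                                          r"C:\Logs\contoso install.log")))
    print(describe_log_flags("*v"))
    print(find_failure(SAMPLE_LOG))
```

The first "Return value 3" is the one that matters: every enclosing action (INSTALL here) reports 3 afterwards because of the rollback, so scanning from the top and stopping at the first non-success return avoids blaming the wrong action. The notes collected inside that action carry the MSI error code, which is what the Event Log entry and the vendor's documentation key on.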
Note: If you don't specify a log file name, log files are stored in your Temp folder under random names starting with the letters Msi.

The list of suboptions available with the /L command-line switch is provided below:

i - Status messages
w - Non-fatal warnings
e - All error messages
a - Startup of actions
r - Action-specific records
u - User requests
c - Initial UI parameters
m - Out-of-memory or fatal-exit information
o - Out-of-disk-space messages
p - Terminal properties
v - Verbose output
+ - Append to existing file
! - Flush each line to the log
* - Log all information except the v option. To include the v option, specify /l*v

To enable Windows Installer logging via the registry, start Registry Editor and create a new REG_SZ value entry named Logging under the HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer registry key. Set it to a string made up of the suboption letters from the list above that select the record types you want logged.

Note: Enable Windows Installer verbose logging only for troubleshooting purposes. After having detected and eliminated the problem, do not leave it enabled, because it has adverse effects on system performance and disk space: each time you use the Add/Remove Programs tool in Control Panel, a new Msi*.log file is created.

Resetting TCP/IP Settings in Windows XP and Windows Server 2003

If you carefully view the list of networking components for a network interface in Windows XP and Windows Server 2003, you'll notice a strange fact: the Uninstall button is disabled when Internet Protocol (TCP/IP) is selected (Fig. 13.14). In Windows 2000 and earlier versions, it was possible to remove the TCP/IP stack. According to Microsoft, this option is no longer offered because the TCP/IP stack is a core component of the operating system; therefore, it is not possible to uninstall it.