KDCAD Tech Blog

I recently jumped ship from my ATT Fuze to the iPhone – in reality it was a jump from the Windows Mobile OS to the iPhone OS. All my reasons for the change are worthy of a few standalone blog posts, but in brief I was looking to simplify my life and the iPhone fit the bill. That being said, I do have needs. I need my cell phone to do a little more than just make calls – including handle Exchange email, POP and IMAP email, browse the web, provide remote access to the servers at work, and act as a modem on the road. The ATT version iPhone does all of this EXCEPT the last. ATT iPhones do not offer tethering and that’s a deal breaker for me, so I turned to the internet and jailbreaking.

Easier said than done of course. It seems I had the perfect storm of issues to prevent me from getting a clean break. But I pulled info from several different sites and finally got it working beautifully. Since it was such a pain to get through it all, I thought I’d pull it all together here. Note that I cannot guarantee this will work on the 3G or the iPod Touch. I should also note this is not a sanctioned activity by Apple and if you screw it up they will not help you. Additionally, if you screw it up, I will not help you either.

First my system specs:

• Windows 7 64-bit
• HP EliteBook 8530w
• iTunes 9.0.2.25
• iPhone 3GS

Now the steps…

Preparation (with iPhone NOT attached to computer):

1. Make sure you have a complete sync/backup of your phone (if you care about keeping any of it) using iTunes.
2. Download the latest clean Apple firmware from here: iphone3gs3. This is just in case it all goes wrong and you need to to recover your phone. To use it, hold the shift key while clicking the Restore button in iTunes. This will prompt you to pick a file.
3. Download the latest version of Blackra1n from here: blackra1n.com and place it in the root of your C: drive.
4. Change the properties of the blackra1n.exe to be compatible with Windows XP SP2 and check the box to run as administrator.
5. In iTunes, turn off automatic syncing:
6. Now close iTunes and go to the Task Manager and end the iPodService.exe and the iTunesHelper.exe processes.
7. Now attach the iPhone to the computer via USB. iTunes should NOT fire up.
8. Watch this YouTube Video several times:

Jailbreaking:

1. Following the instructions in the video above, run Blackra1n.exe, holding down the power and home buttons, releasing them as instructed. THIS IS THE KEY – IF YOU READ THIS and wonder what I’m talking about WATCH THE VIDEO AGAIN.
2. Trusting that you followed the steps correctly, Blackra1n should be installed on your iPhone. Find the app and run it.
3. Install SNOW to Unlock the phone.
4. You phone is now Jailbroken and to be modified for tethering.

Tethering:

1. In Safari on the iPhone, goto http://tr.im/oS1h and scroll down to the Mobileconfigs section:
2. Download Mobileconfigs, select your country, and then your carrier. The message reads: “IMPORTANT: The authenticity os “US AT&T” cannot be verified. Installing this profile will change settings on your iPhone.” Changing settings is exactly what we’re trying to do. Confirm with “Intall Now”.
3. NOW, on the iPhone go to Settings>>General>>Network and you will see a new option for Internet Tethering.
4. Turn that on and you are done!

Earlier I posted my steps for getting the Watchguard SSL VPN Client to work on Vista Business x64. Now we have a few test users upgraded to Windows 7 Professional 64-bit and once again SSL VPN is a problem child. Actually, that’s a little unfair – the problems with installation are result of Microsoft’s increased "security measures" in Win7. As you might guess, this article outlines and advocates disabling these some of these measures, so think about it before try it. And if you do try it, be sure to go all the way to the bottom of the article to see some of the other "fixes" you need to do. (**UPDATED 11/25/09 – check it out…)

For the most part, the steps are the same as those required for Vista. You need the lastest RC release of OpenVpn (currently 2.1 RC 20), and you need to NOT install the Tap driver that comes with the WG SSL VPN. The changes in the process are the changes to Windows 7 that you need to make because the OpenVPN Tap driver is not digitally signed. Windows 7 x64, by default, does not allow the installation of unsigned drivers. Now, there are a couple ways to disable this limitation – one is provided by MS at boot time, another is more "permanent" and the one I chose. Here we go:

1. Turn off User Access Control: From the Start Menu type "UAC Control" in the search bar and select "Change User Account Control settings". Take the slider to the bottom, click OK, and then restart your computer.
2. Disable Driver Signing: Once you are back in, from the Start Menu, select All Programs, then Accessories. Right click on the Command Prompt and select ‘Run as administrator’. At the command prompt, type the following and reboot your computer afterward:
   

   bcdedit.exe -set loadoptions DDISABLE_INTEGRITY_CHECKS
   bcdedit.exe -set TESTSIGNING ON

3. Install the OpenVPN Tap Driver: If you haven’t already, download the latest OpenVPN from here: http://www.openvpn.net/index.php/open-source/downloads.html (currently c2.1_RC20). Run the installer as Administrator (by right clicking the OpenVPN executable and selecting "Run as administrator"), but UNCHECK all items except the Tap Driver and complete the installation. Note: I rebooted here, but you may not need to.
4. Install the Watchguard SSL VPN Client: Download and run the SSL VPN installer (as administrator).

At this point, it should work. You can go back and turn UAC back on if you need to and while I think it’s a complete pain in the butt, I have to recommend that you do. Leaving it off can cause unexpected problems with other programs (such as GotoAssist Express which is service I used to use but will be ditching as soon as the contract is up).

If you are still having problems connecting, here are some other tips based on my experience. These are in no particular order:

• Turn off Windows Firewall completely and reboot. With version 10.2.9 of the SSL VPN client, you still need access to port 4100 and 443.
• If you already tried to install the Tap driver without first disabling the driver signing, Windows will permanently tag it as having an unsigned driver. SO you need to open the Device Manager, look under Network Adapters, and uninstall the Tap driver and reboot. If you have disabled the driver signing, go ahead and reinstall the OpenVPN Tap driver.
• If you don’t want to permanently disable driver signing, you can TRY temporarily disabling it by pressing F8 at boot time (like you are booting to Safe Mode) and selecting ‘Disable Driver Signing Enforcement’. **UPDATE 11/25/09**  I had few opportunities recently to try this one and it works like a charm. So if you just have to install the VPN client on someone else’s computer, this method is the quickest.

Once you have all that squared away, you may notice that you have a watermark in the lower left of your screen stating "Test Mode Windows 7 Build 7600". Since you have turned off Driver Signing, Windows has decided you are obviously in some temporary "test mode".  To rid yourself of the watermark, go HERE and to download the RemoveWatermark patch.

Since I wrote this article originally, I found this website which offers more information on bypassing Driver Signing and links to some cool free tools for managing it on the fly. Swing by and take a look.

Good luck and feel free to log into the Watchguard forums and request that they fix this!

Here’s the problem:
You have one, two, three, or more mapped drives that everyone in the office needs access to, you just got a new PC, and you are dreading having to map these drives everytime someone new logs in to the PC.

Here’s the solution: (special thanks to John Savill over at Windows IT Pro for the original outline) This solution assumes you are in a Windows Domain environment (not a home PC). It also assumes it’s a small office that doesn’t use logon scripts pushed down from a domain controller.

1. Log into the PC with a domain user account that has Local Administrator privileges (JDOE, for example).
2. Manually map the drives you need, selecting the “Reconnect at login” option.
3. Now log out and log back in as the actual Local Administrator.
4. From the Start Menu select Run, type in REGEDIT, and click OK to open the registry editor. (Do I need to mention that if you are not comfortable editing the registry – don’t? You can really do some damage if you screw it up…)
5. Select HKEY_USERS and from the File menu select Load Hive.
6. Browse to the profile you used to map the drives (like C:\Documents and Settings\JDOE) and select the NTUSER.DAT file. When prompted, give it the name “DefaultU”. (Note: You need to have “Show hidden files and folders” turned on to see the NTUSER.DAT file…)
7. Notice that now there is a new entry under the HKEY_USERS key called “DefaultU”.
8. Browse to HKEY_USERS\DefaultU\X (where X is one of the drive letters you mapped), right click on it and select Export to export the key to a REG file. Do remember where you save it. Repeat for all the drives you mapped.
9. Highlight the DefaultU key and from the file menu, select Unload Hive.
10. From the file menu, select Load Hive and browse to the profile of the Default User (see, different that the earlier steps). Select the NTUSER.DAT file. When prompted, give it the name “DefaultU”.
11. Now you need to import the REG files you exported earlier. Find them, and double click them one at a time to import them back into the registry.
12. The last steps are a little tricky so pay attention. Browse to the HKEY_USERS\DefaultU\Network\X key and highlight the X.
13. In the right pane, select the UserName value, right click and select Delete.
14. From the Edit menu, select New> Expandable String Value.
15. Give it the Value Name: UserName, and for the String (with the quotes): “%UserDomain%\%UserName%” (case sensitive).
16. Repeat for all the drives you mapped.
17. Highlight the HKEY_USERS\DefaultU key and unload it (File>Unload Hive).

That’s it – you’re done! Test your results by logging in as someone else or by renaming the profile you used to originally create the mapped drives (C:\Documents and Settings\JDOE to C:\Documents and Settings\JDOEX) and then log in as JDOE.

Let me know how it goes!

This is a solution for those folks who are not System Admins and/or are not connected to a network. It’s a great solution for a home PC that has multiple users or for a PC in an office that gets used by multiple users.
Most computers come with some preset home page that is covered with ads and links that do nothing but annoy you and put more money in the pockets of the PC manufacturers. So here’s a tip for presetting the home page in Internet Explorer for every user that ever logs in to a single PC:

1. From the Start Menu, pick Run, type in GPEDIT.MSC and click OK.
2. Under User Configuration (middle of left pane), click the + next to Windows Settings.
3. Then click the + next to Internet Explorer Maintenance.
4. Now click on URLs.
5. In the RIGHT pane, double click Important URLs. This will open a dialog box where you can edit the Home page URL.
6. Check the box next to Customize Home page URL. This will turn the text box below from gray to white.
7. Type in http://www.kdcad.com (or what ever you want your home page to be) and click OK.
8. Close the Group Policy Editor.

Now, when a new user logs in to the PC for the first time, their home page will be whatever you entered in the dialog box. They can still change it, but they won’t be bothered by the default home page set by the manufacturer.

Good luck!

After an excessively difficult time of upgrading a CD-ROM to a DVD RW, XP added insult to injury doing a number on me with drive letter assignments. A little background on the system – it is an older Dell Dimension that got a hard drive upgrade about 6 months ago. The original 30GB hard drive was imaged to a new drive – which included (ugh!) the Dell management partitions. The original 30GB drive was left in because the client wanted to be 100% sure all the data was imaged over to the new drive – which meant the original management partition was still there. So basically there are now four hard drive partitions, a and DVDRW, four mapped network drives (starting with G:) and they wanted to add a USB flash drive and external hard drive. Oh, and a floppy drive just for fun.

After the CD-ROM to DVDRW upgrade, XP decided to assign drive letters to the management partitions – F: and G:! SO now the first mapped network drive didn’t work and neither of the USB drives showed up in My Computer. Naturally, my first stop was the Disk Management console to change (or remove) the drive letters for the management partitions. Unfortunately, when I right clicked on either of the management partitions, my only option was “Help” – not helpful.  I knew there had to be another way to change drive letters without using the management console and found the solution in the registry with some help from the great folks at Petri IT Knowledgebase.

The steps below came from Daniel Petri and it should be made very clear that this procedure is not to be taken lightly and should be used as a last resort only.

To change or swap drive letters on volumes that cannot otherwise be changed using the Disk Management snap-in, use the following steps:

Note: In these steps, drive D refers to the (wrong) drive letter assigned to a volume, and drive C refers to the (new) drive letter you want to change to, or to assign to the volume.

1. Make a full system backup of the computer and system state.
2. Log on as an Administrator.
3. Start Regedt32.exe (or Regedit.exe in Windows XP).
4. Go to the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices

1. Click MountedDevices.
2. On the Security menu, click Permissions.
3. Check to make sure Administrators have full control. Change this back when you are finished with these steps. (I logged is as a member of the local admin group and had full control already)
4. Quit Regedt32.exe, and then start Regedit.exe.
5. Go to the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices

1. Find the drive letter you want to change to (new). Look for "\DosDevices\C:". (Typically at the bottom of a long list.)
2. Right-click \DosDevices\C:, and then click Rename. In Windows 2000 you must use Regedit instead of Regedt32 to rename this registry key.
3. Rename it to an unused drive letter "\DosDevices\Z:". (This will free up drive letter C: to be used later.)
4. Find the drive letter you want changed. Look for "\DosDevices\D:".
5. Right-click \DosDevices\D:, and then click Rename.
6. Rename it to the appropriate (new) drive letter "\DosDevices\C:".
7. Click the value for \DosDevices\Z:, click Rename, and then name it back to "\DosDevices\D:".
8. Quit Regedit, and then start Regedt32 (not required in Windows XP).
9. Change the permissions back to the previous setting for Administrators (this should probably be Read Only).
10. Restart the computer.

It worked perfectly for me, but again – back up the registry before you make any changes. That’s just “best practice” and should never be ignored. Here is the link to the original post as well as a few others:

• http://www.petri.co.il/change_system_drive_letter_in_windows_xp.htm
• http://www.mydigitallife.info/2007/11/08/change-or-delete-system-drive-letter-via-registry-to-remove-conflict-usb-or-firewire-drive-letter/
• http://support.microsoft.com/kb/223188

We have recently added a few XP x64 PC’s to our network and thought it would be simple since there are x64 drivers for the CM4521 and I managed to get it to work on Vista x64. Either I forgot what I did or Vista x64 works a little differently that XP x64, but we could not get the Account Tracking to work. The dialog where users would normally enter their acct code was grayed out and inaccessible. For those who use the Oce CM series printers or Konica-Minolta and NEC equivalents with Account Tracking, you know that users cannot print without having their code entered in the local printer properties.

The x64 driver was installed on the print server (see my earlier post on how that went), and when I added a network printer using the Add a Printer Wizard, it would actually show up in the list of available printers. However, as I mentioned, the “Authentication/Account Track…” button in the Default Settings for the printer only opened an inaccessible dialog box. After much trial and error, I decided to just install the printers locally using TCP/IP port for a direct connection to the device. This at least gave me access to enter the Account Tracking codes and get the printers working.

I noticed that when I did this, there was quite a bit of file/driver activity while the printer was being installed – even though I had already installed it once from the print server. So I decided to give installing from the server another shot and  – ta-da – it worked.

Here are my steps as best I can remember them:

1. Add a local printer and create a new “Standard TCP/IP Port” using the IP address of the printer.
2. Navigate to where you saved the x64 drivers (preferably on the network somewhere) and select the appropriate driver for your device.
3. If prompted replace the existing drivers SELECT YES!
4. Give it a name you will recognize (you’re going to delete it later).
5. Set it as default (or not) and DO NOT print a Test Page.
6. Don’t bother configuring the printer…
7. Now add the network printer. It should be a pretty quick install.
8. Open the properties for the network printer and verify you can access everything you need.
9. Enter the user’s Account Tracking code and print a test page.
10. If the page comes out OK, then delete the local printer you installed by right clicking and select Delete.
11. DONE!

There are a few ways to change the default application associated with a file extension. Here is an example of the simplest way I know. I am saddled with Windows Vista right now, and while the images are a little different, the process is the same for XP.

1) Right click on a file with the extension you want to re-associate and select “Open With”…

2) This opens the “Open With” dialog box. In Vista, you are presented with the current default program. Click the little down arrow to view other options.

3) Scroll through that list to find the correct program. If you don’t find it in the list (it happens), click the Browse button to navigate to the file that contains the right program executable (i.e. WINWORD.EXE). Before clicking ‘OK’ to re-associate the file extension, be sure the box is checked next to “Always use the selected program to open this kind of file.”

Once you click OK, the all files with the extension of the one you selected will open with the program you  chose.

I have Vista Business x64 installed on my laptop (not recommended btw) and our print server runs Windows Server 2003 x86. Our printers are typically initially installed using a vbs logon script that’s pushed via group policy. Well, that doesn’t work for my configuration for two reasons: 1) Vista account controls are are a complete pain in the a** (and no, I’m not referring User Access Control), and 2) because x64 drivers can’t be installed on a x86 server – well, not directly – and if they can’t be installed, they can’t be served up when an x64 workstation needs them. While trying to install our Oce CM4521 Office MFC, I finally got fed up and pushed to figure it out.

At first, I tried to add the x64 driver to the 2003 server using the Additional Drivers button on the Sharing tab for the printer. Unfortunately, I get told that either this is the wrong hardware or that it can only be installed from a remote system running an x64 OS.

After much searching, I discovered that it was really much easier than expected. On my workstation, I went through the motions of installing the network printer. When I got to the point where it told me the the correct drivers were not installed, I downloaded and installed the x64 drivers. This got the printer installed – for me. In a ‘production’ environment of many x64 workstations the server has to push the drivers down…

So anyway, like I said, it was easier than I thought. I simply went to the Sharing tab of the printer I installed and used the Additional Drivers button. (NOTE: That I did not actually share the printer.) Checking the x64 box here, pushes the x64 drivers back to the server making them available to other x64 PC’s.

I guess that’s exactly what the instructions told me in the first place, although only for this printer. The Dell printer (used in the example above) only told me that the driver wouldn’t work for the “requested processor architecture.” Go figure…

This is a pretty simple one, but since I keep forgetting the registry key, I’m putting it here:

In order to use these steps, you need to know the machine name or IP address of the remote computer.

• Use Regedit to connect to the registry of the remote machine. (File menu > Connect Remote Registry)
• Find the key: HKLMSYSTEMCurrentControlSetControlTerminal Server
• Under that key, find the value: fDenyTSConnection and change the value from 1 to 0
• Close Regedit and try the remote connection.

If you still cannot connect to the remote machine, you may need to restart it. Here is the remote restart command (also lots of fun to try on your coworkers):

• shutdown -m \computername -f -r

This one was a doozy – a real pain in the you-know-what. This was the problem: I had a client that tried to update his Norton 2006 using Symantec’s online purchase and update process. Somewhere in the middle of the update process it quit and when he tried to get back online to find out what happened and/or restart the process and/or get some help from Symantec, he found that he could not get back on the internet. His wife’s laptop and and old Windows 98 machine still connected fine – so it was just the one machine.

I discovered the machine could ping IP addresses, but not Domain names. I could also get IE and Firefox to go to Googleand other website using the IP address, but not the name. There were several possible solutions I found on the web which included repairing the TCP/IP STACK (netsh int ip reset reset.log) & WINSOCK (netsh winsock reset catalog), running the Norton Removal Tool, updating NIC drivers, flushing the DNS, pointing the nic to specific DNS servers… I tried all of the these and nothing worked.

I also scoured the machine for viruses, trojans, malware, etc using HiJackThis, SuperAntispyware, Avast, McAffee’s Stinger, and Malwarebytes. There was the typical long list of tracking cookies, but otherwise clean. The HOSTS and LMHOSTS files were squeaky clean as well.

Ultimately what did work was a solution provided by the fine folks at Zone Alarm (even though ZA had never been installed). It turned out to be a problem with a previous Windows Security Update: (KB951748). Once I uninstalled that update per the ZA directives, the Internet worked immediately, no restart required. Both browsers came back online and were recognizing domain names. 6 hours to research, 30 seconds to fix. Go figure.

Side note: Norton will not be reinstalled. It has been replaced by Avast Home Edition (free) and SuperAntiSpyware (Free edition). For the record, even though the new Norton 2007 has been rebuilt from the ground up, so to speak, I encourage everyone to refrain from purchasing software from a company that has such a horrible track record when it comes to providing stable software and anything that resembles customer service!

Link to Zone Alarm Advisory (the solution)

Link to the forum that lead to the solution