VHD tools: vhdcompact and regedit

Posted on December 31, 2010 | 1 Comment

It is terrible to be unsure of what to blog about.  The weight of choice tends to create a vacuum.  This is most obvious when months pass by before anything new is written.  There are certainly things that have happened in that time that are worth writing about.  However, it is sometimes difficult to pick the right one.

A topic dear to my heart this last year is changing VHDs while offline.  Indirectly I have blogged about VHDs and what is inside them.  What has not been discussed is what is really going on with work.

Recently things have changed a bit and the release of the code is becoming much more real.  It is time to spill the beans.

There are two specific challenges I was given for XenClient.  The first was the ability to compact the VHDs as much as possible.  The second was to be able to get/set registry settings.  Both tasks sound fairly simple but turned out to be very hard due to constraints.  First, the tools must run in Linux.  Second, these tools must be able to run with minimum requirements.

The compaction problem was solved quite some time ago.  The core issue is that VHDs have no knowledge of the file system.  Therefore, the VHD cannot safely delete any blocks that have been written to.  In order to delete a block, it requires knowledge of the NTFS usage which, until recently, did not exist.  The tool I wrote, called vhdcompact, corresponds knowledge of VHD and NTFS to determine which blocks can be safely removed.

Without too much effort, the tool can cut out upwards of 30% of a VHD.  Given that VHDs can grow into the tens of gigabytes, this is a large amount of storage.  The real interesting bit is that the disk loses no information since the blocks are not currently being used by anyone anyways.  This only applies to dynamic and difference disks.

The registry editing can only happen once the tools understand NTFS.  Thankfully LIBNTFS handled this in Linux.  Unfortunately no one, that I know of, has created a registry editor for VHDs.  So, again luckily, the registry format has been documented by sources outside Microsoft.  I created code to support registry editing without any Windows code.  It has taken quite some time to get it to the state it is today but it is now possible to make changes in the registry from Linux.

I can hear a few of you say “Why would you do this?”.

The answer is that we need to make some minor adjustments to the VHD before it boots.  It is too late after the VHD has booted.  It is also important for us to be able to save/restore sections of the registry from the hypervisor code.  Without Windows being there, we have to depend solely on ourselves.

It does feel like I am letting the cat out of the bag but the truth is that this stuff is probably old news to most.

One of the side effects of a project like this is that it is now possible to correspond blocks to files.  This means that given any sector in the VHD, we can determine which file owns it.  This, historically, was a difficult task.  Now, it seems like a minor detail in a much larger problem space.

In theory it would be possible to re-parent a difference disk with this kind of information.  From a IT point of view, this enables the admin to update the base with the user being able to keep their changes, even it includes application installations.  At one point this seemed to be a very important part of the project.  Now it seems like a very futuristic and potentially improbable dream.  The potential for conflict is always there and it is probably the methods of handling the conflicts that are more important than the actual re-base.

I am working towards making the tools available on the Internet.  There is some hope that CDN can host items.  I would like to see Citrix Labs have tools listed so that the VHD tools could be posted there.

There are many more tools that have been written along the way.  Some of the more useful ones are strictly diagnostic.  For example, it is possible to dump the entire file directory tree from a VHD.

The point I want to clarify before going is that the tools are completely self enclosed.  In other words, vhdcompact does not use any NTFS mount code to determine the VHD content.  It directly reads the VHD metadata and determines where the NTFS information is.  It essentially knows everything about the VHD and only uses the operating system to open/reads/writes/close on the VHD file itself.

As a side benefit of how the code was created, it also supports doing the same things in Windows.  This was largely due to me being more comfortable building and debugging with Visual Studio.  The code is in C++ and is very generalized so it works with either platform.  The abstraction is good enough that the code will run exactly the same way for the same VHDs.

It has been a focus for me for more than a year now.  I am happy with things are turning out and soon the tools will find their way into the real world.  I just decided that it is worth writing a few more posts about what is going on with them in the next few weeks.

→ 1 Comment

Posted in VHD, XenClient

Tagged

Dilbert and Citrix

Posted on November 25, 2010 | 1 Comment

Back in 1993, the Citrix Engineering team used to get amusement from Dilbert.  I remember posting clippings on the outside of my cubicle wall for others to read.  Later I linked my personal website (1994) to the official Dilbert site.  Many of us had come from IBM and fully understood Dilbert’s world.

Continue reading

→ 1 Comment

Posted in Citrix, Citrix Marketing

Tagged ,

SSL Exploration and Analysis

Posted on November 25, 2010 | Leave a comment

During the recent investigation of certificates and SSL, a co-worker (Ola) forwarded a web link about an organization that is analyzing web SSL certificates.  The information was very relevant and interesting.

The EFF SSL Observatory


Quote from site:

The EFF SSL Observatory is a project to investigate the certificates used to secure all of the sites encrypted with HTTPS on the Web. We have downloaded a dataset of all of the publicly-visible SSL certificates, and will be making that data available to the research community in the near future.

 

The best way to get started is by looking at the slide deck.  The overall summary indicates that things need to tighten up quite a bit to provide a more secure environment.  It is too easy to make mistakes and open security holes.  The philosophy of exposure reminds me of the work done by W. Richard Stevens for TCP/IP many years ago.  The more an item is explored, the more likely its vulnerabilities and flaws will be seen.

This post resulted from cleaning up the inbox and realizing that this information was valuable enough to share.

→ Leave a comment

Posted in Certificates, SSL

Tagged , ,

XenClient – Configuring XenClient and Virtual Machines

Posted on November 19, 2010 | Leave a comment

The basics of creating virtual machines on XenClient in a “easy to consume” video format.

→ Leave a comment

Posted in XenClient

Tagged ,

XenClient – Unregistering with Synchronizer

Posted on November 19, 2010 | Leave a comment

XenClient can work with the Synchronizer service to get the latest VM images.  Synchronizer is the hub for publishing VMs and assigning them to users and their devices.  XenClient connects to Synchronizer to download new or updated VMs based on what the Synchronizer administrator has specified.

The model requires an administrator to upload a VM image to Synchronizer.  Later, a user authenticates with Synchronizer and downloads the assigned VMs.  Currently, the assignment of a user to Synchronizer is a one time event.  It appears to be impossible to reassign the laptop to a different user or connect to a different Synchronizer.

Continue reading

→ Leave a comment

Posted in XenClient

Tagged ,

XenClient Shortcuts

Posted on November 10, 2010 | 1 Comment

Say you want to get somewhere else in XenClient.  How would you do it?  If you are currently inside a VM and want to switch to another VM, what would you do?  One answer is to use the installed selector bar at the top.  Another way is to know the keyboard shortcuts.

Continue reading

→ 1 Comment

Posted in XenClient

Tagged

How to Reset a XenServer 5.6 Root Password

Posted on November 4, 2010 | 1 Comment

Recently I had a problem with a XenServer in my office.  XenCenter would no longer connect. The XenServer was using DHCP and had switched IP addresses. The cached credentials were on the old IP address.

I could not remember the password since it had been automated for so long. Without success I tried to get in but eventually had to search the web.

Found a really good location at http://xtravirt.com/how-reset-root-password-citrix-xenserver-5.  Within a few minutes the server was operational from XenCenter.

The instructions seem a bit alien at first.  The catch is to run the menu.c32 command quickly when prompted early in the boot.  After some extra selection, you get the ability to set the password using passwd.

It appears to work for all versions of XenServer at version 5 or above.

Yes, you need physical access to get this to work.

→ 1 Comment

Posted in XenServer

Tagged

Internet Explorer Enhanced Security Configuration (IE ESC)

Posted on October 14, 2010 | 3 Comments

If you ever have to install a Windows server (2008, 2008 R2) and try to use Internet Explorer, you might notice how annoying IE is related to being secure.  Essentially you have to fight it do anything useful.  At one point I was using it to install Chrome to get around the constant security popups.

Here is an example from trying to visit www.citrix.com.

It asks this for each web site that the current web site loads something from.  In this case, I was prompted five times for five different web sites that citrix.com uses.  In some cases it is impossible to keep IE ESC happy and the site never loads properly.

It is for a good cause (server security) but you might as well turn IE off completely.  Administrators are going to expect being able to install and update software from the web.  The web browser plays a key role in doing this.  Having a dysfunctional IE makes the process much more painful.

I briefly have tried to defeat this before.  Nothing worked for me so I gave up on IE and switched to Chrome.  Today, I finally found the right way to switch this off.

Continue reading

→ 3 Comments

Posted in Chrome, Internet Explorer, Microsoft

Tagged , ,

Public Key Certificate Locations in Windows

Posted on September 13, 2010 | 1 Comment

Since last week I have been looking more at depth with how certificates work.  One thing that was bugging me was not knowing where the information is stored.  There are plenty of references to the certificates being stored in files and the registry but no actual paths.

On late Friday there was a bit of a breakthrough.  Somehow I managed to identify a location in the registry that contained a certificate (this was using regedit and doing a search on ‘cert’ if I remember right).

This subkey tree is located at HKCU\Software\Microsoft\SystemCertificates.

These certificates are considered to be CurrentUser whereas the shared ones are in LocalMachine.  Searching for SystemCertificates found an excellent reference from a Microsoft web page.  It is a bit old, but contains valuable information.

CA certificate-related registry entries correlate to the physical view of the certificate-related data that can be viewed by using the Certificates snap-in.

The registry settings in this section are a subset of the registry settings in “Certificate Services Tools and Settings.” This subset makes it possible to monitor and manage key configuration options associated with CA certificates.

The following registry keys are associated with CA certificates that were distributed via Group Policy:

  • HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates

The following registry keys are associated with CA certificates that were not distributed via Group Policy:

  • HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc

This summary shows where the certificates live for the different combinations. The keys are encoded as “blob” values under GUID identifier key names. It appears that the blob is just a binary representation of the certificate.

Each subkey off of the SystemCertificates above shows up in Certificate Manager (certmgr.exe) under a slightly different name.

The mapping is not necessarily easy to work out.  Hopefully in a future post it will happen.  The most important ones to note are “my” and “root”.  ”My” is “Personal” and “root” is “Trusted Root Certificate Authorities”.  My current theory is that these folders can be a bit free form HOWEVER they do have a purpose and essentially control access to specific features.  For example, “root” is used extensively to guarantee that the root CA is trusted.  If the certificate lives in this folder, essentially all Windows cert operations (think SSL) will trust any certificated signed by this root CA.

Let’s take a look at certificate using normal tools and using the registry editor.

This is a test certificate that was built to try some Azure samples.  Note that it has a private key.  The certificate lives under “Personal” on “CurrentUser”.  This translates to HKCU with “My”.

Here is a bit more detail from certmgr:

Hopefully this will make some sense against the registry entry.  And, it does not.

This is where I admit that not everything as it seems.  It turns out the majority of the interesting certificates are actually on the disk.  The Personal certificates were found in “%UserProfile%\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates”.  How’s that for assuming the wrong place?

The directory and files (certificates) are hidden so you will have to play with ATTRIB or Windows Explorer options to get to them.  It looks like this:

This corresponds to the seven certificates seen in certmgr (MMC with snap-on certificate handler).  I just noticed that these names correspond to the thumbprint of the certificate (SHA1 : 16 bytes).  This should make it easier to find the certificate that we started with (test.cloudapp.net).

It matches one of the file names:

To get a better look at this file, I used attrib to strip off the system flag (attrib -s) and copied (copy /b) it to another directory.  Then I used my hexdump tool to display what it had inside.

Test Certificate binary content

Clearly this is the right one.  The chances of having the wrong filename based on SHA1 is almost impossible.

The next post will focus on the location of the private keys.

→ 1 Comment

Posted in Certificates, Windows

Tagged ,

GoToMyPC Saved My Day

Posted on September 12, 2010 | Leave a comment


I have been working at home now for almost eleven years.  When my job first started, it was the first time that a software developer worked remotely in my company.  There were many barriers before this time but luckily my timing was good.

Currently I am working on a project that is looking at using Cloud-based technology to make it easier for existing customers.  All of my development happens near Brisbane, Australia whereas my nearest office is in Sydney.  This works well with the help of products like GoToMeeting.  In fact, there is a need to use it almost every day.  It is my view into what is happening in Sydney and sometimes I even use it to share what I have at home.

It is so common to use GoToMeeting, it is just part of everyday work.  Without it, it would be much harder to convey important computer-based information.

Anyways, something different happened this last weekend.  On Sunday I was packing up for my trip to Sydney for a three day event in the office.  I was working on a difficult problem at the time and was very frustrated that I could not figure it out before the trip.  Usually this means that I need to move the problem environment to my work machine in Sydney and continue from there.  The problem with that is that my Sydney machine is not as strong as my Brisbane machine and does not have all the things that I need day to day.  In fact, the Sydney machine is a subset of my usual environment.

Usually I just accept this situation. However, the size of the problem and the lack of time made this unacceptable.  In the last hour before I had to leave, I decided that I should try using GoToMyPC to get access to my development machine from Sydney.  I still had an account that I had not used for awhile so I had to reset the password and get things going again.  However, within about a half an hour, it was running.

When I got to Sydney, I connected to my development machine and it worked great.  In fact it was so good to have my native environment I wondered why I had not tried it before.  It takes away the need to duplicate the environment somewhere else and it is quick enough to use without frustration.  The best aspect is that it just works.

Because I still had access to my main machine, it made it so much easier and quicker to solve the problems that happened.  Without access to GoToMyPC, it would have easily taken twice as long to figure this out.  It would have been very hard to reach the deadline in time without it.

This is a true story that recently happened.  I am very glad that this worked and it reduced my stress level in a big way.

→ Leave a comment

Posted in Angst, GoToMyPC