• Free Webcasts from Microsoft’s US Central Marketing Organization (USCMO)

    The US Central Marketing Organization (USCMO) here at Microsoft is putting on a new and improved webcast and I wanted to put them up for those who wish to view them.  Each webcast will stream live with interactive Q&A and will be made available on demand.  These webcasts run for about 30-60 minutes.  Please feel free to register at any time.

    Protect Your Business Against Online Fraud
    January 20, 2015
    In recent years the online fraud epidemic has become a reality.  Is your business secure?

    Social in the Enterprise
    January 21, 2015
    FOX Business Network anchor Maria Bartiromo, the first journalist ever to report live from the floor of the NY Stock Exchange, shares why a good social strategy is crucial. Social networking expert and best-selling author Gary Vaynerchuk shares the secrets to social success in the enterprise. Charlene Li, renowned author and leadership and social consultant, provides concrete recommendations for how organizations can build effective networks to become leaders in the digital era. Andy Sernovitz, leader of the word of mouth movement, explains how building internal communities increases productivity and effectiveness. And host Alex Bradley, Microsoft Office, presents new, innovative social solutions. 

    Windows Server 2003 Migration: Hardware Modernization
    January 22, 2015
    With the Pending End of Support in July 2015, organizations must understand their rationale for migration from WS03.  This is not just a support issue but importantly an opportunity to enlist the power and flexibility of modern infrastructures running platforms like Windows Server 2012 and Azure.  Migrating simply sets your infrastructure up to harness you Enterprise Cloud strategy both on and off premise.  You want to make sure that you hardware keeps pace with these dynamic technologies.  This webcast covers some of the most important aspects of upgrading the workloads on modern hardware.

    It’s a New Year, Be Ready to Adapt
    January 22, 2015
    It’s a new year, be ready to adapt. Every New Year brings both the promise and the challenge of a quickly changing business environment. Staying ahead of the curve! Whether it’s your customers’ needs, security risks or compliance that require instant access to the data that will support good decisions.

    HIPAA Compliant Cloud Solutions with Microsoft BAA
    January 23, 2015
    Join us for this important webcast on January 23rd at 11:00AM PST to learn about Microsoft’s HIPAA Business Associate Agreement (BAA). This discussion will help you to better understand how healthcare organizations with a Microsoft BAA can move toward a contemporary plan for using Microsoft’s cloud services. This webcast will show how the Microsoft BAA provides healthcare organizations with the opportunity to use cloud solutions to improve patient outcomes while maintaining compliance with the privacy and security regulations that are outlined in HIPAA.

    Announcing the Enterprise Cloud Suite
    January 26, 2015
    With Enterprise Cloud Suite (ECS), Microsoft is now able to offer a comprehensive solution to customers that provides:
    • End-to-End Productivity: provide users with tools to collaborate and stay in sync anytime, anywhere
    • Data Protection: enable strong authentication, encryption and access controls across devices
    • Device Management: manage devices and applications across PCs, smartphones and tablets
    • Unified IT environment: leverage existing investments for identity and device management across on-premises software and cloud services
    • Pricing: ECS provides the best pricing through built-in suite discounts vs. buying components separately

    Get a fresh start in 2015 with new Windows devices
    January 28, 2015
    Celebrate the New Year and get more productive in 2015 with the latest technology powered by Windows 8.1. Whether you’re looking for laptops, 2-in-1 devices, or tablets, there is definitely a lot to choose from. Join us on January 28th to check out a broad range of Windows 8.1 devices and special offers. In the meantime, visit the Windows for Business ( website to stay up to date!

    Need fast AND affordable? Why not try SQL Server?
    January 29, 2015
    Why did RSI Retail Solutions, Lifetime Products, and Havas Media migrate to SQL Server? SQL Server runs mission critical workloads, provides top-of-the-line security features, and enables customers to leverage existing assets and knowledge base – without costing a fortune. By switching or adding new workloads to SQL Server 2014, you can improve your data platform performance and your bottom line on your terms.  Join Marcello Benati, Microsoft Solution Specialist, to learn how to easily migrate existing and new mission-critical workloads to SQL Server 2014.

    Mobile Productivity in the Modern Workplace
    February 4, 2015
    Mobility is changing our personal and professional lives.  People are bringing their personal devices and apps to work. Employees expect more dynamic work environments to take advantage of mobile capabilities and work from anywhere. Apps, including productivity tools, need to work well on mobile devices and in the business scenarios these devices are used. To get work done from anywhere, mobile devices with basic services, like email, aren’t enough. In this webcast you will learn how Microsoft provides the richest productivity solution across any device, for any type of worker, in a secure, enterprise-grade way.

    Windows Server 2003: Most Common Application Migration Concerns
    February 5, 2015
    Build your migration plan - do it yourself, collaboration with a partner, or use a service.  Find out about your options whether moving your applications to the cloud or keeping in your infrastructure. 

    Enabling Customer Insights Using Business Analytics
    February 12, 2015
    Business analytics is about capturing that information in real-time and empowering people to put it to use, by combining data in new ways, to generate new insights. Hear from Pier 1 on how they use business analytics to drive their business.

    Windows Server 2003: Security Risk and Remediation
    February 18, 2015
    With Windows Server 2003 support ending on July 14, 2015,  many organizations find themselves in the situation where legacy, mission critical workloads and applications are running on a soon to be unsupported platform. Some organizations may be considering alternate security strategies – like ring-fencing their existing Windows Server 2003 servers –as a way to delay migration. This webinar examines the viability of common risk remediation tactics for Windows Server 2003-- and makes the case for migration is ultimately the best option.

    The Connected Workforce
    February 18, 2015
    The world has become a giant network, with people connecting in new ways using social and mobile technologies. Has your company adapted to this networked world? By delivering seamless social experiences across familiar work applications on an enterprise-grade platform, Microsoft helps over 400,000 companies worldwide engage, inform and connect employees. During this webcast you will learn how Microsoft can help your company connect, inform, and engage employees using enterprise social technologies.

  • We Are Hiring Windows Escalation Engineers in Munich, Germany

    Would you like to join the world’s best and most elite debuggers to enable the success of Microsoft solutions?   As a trusted advisor to our top customers you will be working with to the most experienced IT professionals and developers in the industry more
  • Case of the blank print jobs

    Hello Askperf! Anshuman here again with an interesting issue I worked a few weeks ago.

    The following pop-up appeared on my workstation intermittently:


    I then realized that I had the Send To OneNote printer set as my default printer.

    The next time this occurred, I paused the print queue and noticed that the “Remote Desktop Redirected Printer Doc” document was getting spooled under my account. This was interesting because I had several remote desktop sessions opened to different machines from my workstation, and did not send any prints jobs from them.


    So two questions came to mind:

    1. Which RDS session is this coming from?

    2. What was sending this print job?

    I then thought to myself, “when in doubt, run Process Monitor!”

    My first challenge was to figure out which server session this job was generated from. For this, I ensured that all the RDS sessions I established were using the command line option of of mstsc.exe (mstsc /v:servername). Next, I started process monitor on my workstation with a specific filter of “Process Name is mstsc.exe” and “Path contains .spl”. Since this issue was intermittent, I checked the “Drop filtered events” option. I also ensured that the Backing File option under File menu was pointing to a file, instead of Virtual Memory (pagefile). After a while the issue occurred, and procmon captured the following events:


    One of the first things I noticed was the CloseFile operation immediately after the CreateFile operation. Typically, you will see a WriteFile operation in between these two operations. So mstsc is connecting to which server? That was easily found by examining the Command Line entry of mstsc captured in the pml file:


    I logged into the problem server and launched procmon, ensuring that the Backing file option was set to point to a .pml file on a drive with enough space, and “Drop filtered events” was selected. Next I set up a filter “Path Contains tsclient” as well as “Path Contains RdpDr”. I then established an RDS session to the server from my work station and waited for the mysterious 0Kb print job. Once it happened, I had the following events in the pml file from the ProblemServer:


    So there was an addon service that got installed on the printer server with a print driver. Disabling this ensured that those mysterious 0kb jobs ceased to occur.


  • How to migrate local ports when doing print migration

    Hello Askperf! My name is Tingu, and today I’m going to talk about an interesting print migration issue I had a few weeks ago.

    We had a case where an application server was running on Windows 2003, where more than 400 print queues were created. The port was created as a local port to forward the print job in case of a failure as noted in the “Transfer documents to another printer” Technet article.

    The port was configured as \\printservername\printer.  See example screenshot below:


    Here, we were trying to move the application to a 2012 R2 server and wanted to migrate all the print queues to the new server. We used printbrmto migrate all of the local printers.  But the problem we ran into is that it did not migrate the local ports.

    When we started the migration, we did not see the local ports listed:


    Additionally after the migration, the port was not present:


    We tried to add the port manually, but gave us the error “port already exists”.  Additionally, the registry shows that the printer is set to use the forwarder.


    We really needed to get the local ports migrated as it can be a tedious task to re-create all the ports and map to their respective print queue. 

    We created a test lab and saw the same issue while migrating.  It did not matter from/which OS we were migrating.  During the migration, we saw an event ID 81 on the 2012 R2 server. (This event is not triggered if you are migrating to 2003 or 2008R2):

    Log Name:      Microsoft-Windows-PrintBRM/Admin
    Source:        Microsoft-Windows-PrintBRM
    Date:          12/25/2014
    Event ID:      81
    Task Category: Restore
    Level:         Error
    Keywords:      Print Queue
    User:          Joe
    Computer:      12345

    Printbrm.exe (the Printer Migration Wizard or the command-line tool) failed to restore print queue test. The restore process will continue, skipping this queue. Error: 0x80070057 which is “invalid parameter”
    Error: 0x80070057 which is pointing to “invalid parameter”

    So what we determined is that when you use printbrm for migration, it will not migrate the local ports.  The reason is that the local port is specific to the server, and it may cause conflicts or not work if you migrate it to a different server.  But in our case it’s a forwarder, and we need it to be migrated.

    Further testing revealed that if a local port to which the printer is mapped is already present on the destination server, then the migrated printers will use that local port for the printers.

    For example: on the source server you have a printer mapped to LPT1, and the destination server has LPT1 port available; then after the migration, the printer will be set to use that port. We created a forwarder on the destination server for a test printer before migration, and after importing the printer, we see that the port is mapped accordingly.

    Now the question is, how do we migrate multiple local ports at a time?

    Here is what we did…

    From the print management on a 2012 R2 server, we added the 2003 server.  Then we exported the list of ports to a .csv file:


    This gave us the list of all ports needing to be migrated.  We then created a script to add the ports to the destination server.  As in our case, the destination server was Windows 2012 R2 server, so we used the powershell command Add-PrinterPort.

    We copied all of the required ports into notepad, and saved it as a .ps1 file:


    We ran the .ps1 file as admin, and all of the ports got created on the destination server!


    Note If you have already tried the migration before creating the ports on the destination server, it may give you the error ‘port already exists’ while running the powershell command.  You may need to delete the printers migrated and restart the spooler and then retry the powershell command to complete the port creation.

    After that, we followed the normal migration procedureand all printers got mapped to the correct port.

    I hope this information will come in handy the next time you are working through a printer migration. 


  • How to make your existing Bitlocker encrypted environment FIPS complaint

    Hello, my name is Mayank Sharma and I am a Technical Advisor here at Microsoft. In this blog, I will discuss FIPS compliance with Bitlocker. Microsoft's solution for completely encrypting data inside laptops, desktops and removable drives. So let’s get started...

    FIPS stands for Federal Information Processing Standard and is United States Government standards that provide a benchmark for implementing cryptographic software. It basically means that if a software is approved by one of the labs that do the testing for FIPS compliance, the software meets the government standard for cryptography. Thus can be commonly used by US Federal government and organizations around the world. There is a lot that can be written about FIPS. Better I route you to the following link:

    FIPS Compliance

    To enable FIPS on a computer, i.e. tell it you have to be complaint with the government policies, we need to alter the following group policy

    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

    The name of the policy is following:

    System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing

    Now that we know what FIPS is and what it does, let’s focus our attention back on Bitlocker, Microsoft’s security solution for protecting data across laptops and desktops. Bitlocker uses multifactor authentication to ensure Bitlocker encrypted drive(s) will always remain in good hands. To accomplish this task, it uses multiple protectors to protect a volume. While some are ‘primary’ protectors which will be used most of the times, namely TPM, TPM and PIN, Password etc., some will be used when Bitlocker senses something has changed and goes in a lockdown mode. During a lockdown mode, it will ask user to prove that user is genuine. Examples of protectors include recovery password, recovery key, Data recovery agent, etc.

    Now here comes the tricky part. Whether or not Bitlocker is FIPS complaint is decided by if one of the cryptographic keys that protector is using is indeed FIPS compliant. Password protectors for the operating system drive/fixed data drive are not complaint with FIPS specification, so does the recovery password until Windows 8.  The below article discusses this in more detail:

    The recovery password for Windows BitLocker is not available when FIPS
    compliant policy is set in Windows Vista, Windows Server 2008, Windows 7
    and Windows Server 2008 R2

    Let’s say there is a ‘happy go lucky’ organization that uses TPM+PIN protectors to authenticate the OS drive of user’s laptop running Windows 7 and storing recovery passwords in MBAM database. If a user gets locked out, Helpdesk will provide the information of recovery password to the user to unlock the machine. This is the happy ending of the story until one day FIPS were to be mandatorily implemented.

    a. Will this happy go lucky Organization be FIPS complaint? No, as it is using recovery password as a protector which is not FIPS complaint.
    b. Does this means while infrastructure needs to be rebuilt from scratch? Of course not!

    Steps to make this environment FIPS complaint;

    Step 1:

    We need to get rid of the recovery password which is making the infrastructure non FIPS complaint. First thing would be to delete the associated recovery password with this Windows 7 machine. Run the following from an elevated command prompt:

    manage-bde -protectors -get c:

    This lists all the protectors

    Volume C: [OSDisk]
    All Key Protectors

        TPM And PIN:
          ID: {161941A3-8CB3-439C-8FC6-1642D0C97C8D}
          PCR Validation Profile:
            0, 2, 4, 11

        Numerical Password:
          ID: {C6DF1E74-467F-4BE8-9C59-C9A9F345B9A0}

    Note the ID of the Numerical password protector and to delete it run the following command:

    manage-bde -protectors -delete c: -id {C6DF1E74-467F-4BE8-9C59-C9A9F345B9A0}

    This will delete the recovery password protector.

    Step 2:

    Now, imagine if the user forgot the PIN or because of any other reasons gets locked out. We should need to have a way to break back into machine. So we need to add some protectors that will help us in lockdown situations. Fortunately, we still have a choice to make here. We can add any of the two protectors which are FIPS compliant.

    a. Data recovery agent

    How to use Bitlocker Data Recovery Agent to unlock Bitlocker Protected Drives

    b. Add a recovery key to the volume, this is as simple as running the command where e: is the destination drive where you want to store the .BEK file.

    manage-bde -protectors -add c: -rk e:

    Just save this file in a safe place.  If a machine gets locks out, copy it over to a USB drive.  More information can be found  here:

    What is a BitLocker recovery key?

    Step 3:

    Though not mandatory, once we will enable the group policy for FIPS, it will not allow creation of FIPS. We can additionally disable the creation of any more recovery passwords. Just disable the policy like I did below under Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption.


    As "Password" is not a FIPS complaint protectors, you cannot use it with fixed data drive either. We can either use a smart card protector or a DRA… And happy go lucky should be happy again!

    As stated above, this is specifically meant for Windows 7/Vista and Windows Server 2008/2008R2. Had the company been proactive in moving along to a newer version of Windows (i.e. Windows 8/8.1, Windows Server 2012/2012R2), it would not have any effect on them. The recovery password is FIPS compliant for Windows 8 and above operating systems.

    So this is pretty much it. Keep your machines encrypted until next time.

    I thank Himanshu Singh for taking time out to go through this blog.

    Mayank Sharma
    Technical Advisor
    Windows Deployment Services

  • Troubleshooting Windows activation failures on Azure VMs

    If you are experiencing Windows activation failures on an Azure VM, please try the following steps to resolve the issue. An example of an error message you may see is: Error(s): Activating Windows(R), ServerDatacenter edition Error: 0xC004F074 The Software more
  • Disk Performance Internals

    Abstract: Storage is the slowest component of most computer systems. As such, storage is often a performance bottleneck. This article discusses the disk performance kernel provider, partition manager.  By understanding how the disk performance provider more
  • Driver Object Corruption Triggers Bugcheck 109

    My name is Victor Mei, I am an Escalation Engineer in Platforms Global Escalation Services in GCR.  Some customers I worked with have strong interests in debugging; but usually they got frustrated when I told them “To find the cause from this dump more
  • Recovering Azure VM by attaching OS disk to another Azure VM

    If you are unable to administer an Azure VM because of RDP or SSH failures, in many cases rebooting or resizing the VM may resolve the issue. You can troubleshoot the VM by attaching the OS disk as a data disk to a different Azure VM using the steps more
  • Surface Pro 3 Hibernation Doesn’t Occur on Enterprise Install

    Hi my name is Scott McArthur and I want to call out a recently published KB article:

    Surface Pro 3 doesn't hibernate after four hours in connected standby

    If you are deploying an image to Surface Pro 3, you are missing out on the feature where after 4 hours in Connected Standby the device will hibernate. This is a key feature related to battery life so I would recommend that all Enterprise customers install KB2955769 and incorporate these PowerCfg commands into your deployment.

    If you use Microsoft Deployment Toolkit 2013 for your deployments this is super easy. Here are the steps

    1. Under Packages, import KB2955769


    2. Create PowerCfg_Sp3.batthat contains the following commands:

    REM sets CS battery saver time-out to four hours:
    powercfg /setdcvalueindex SCHEME_CURRENT e73a048d-bf27-4f12-9731-8b2076e8891f 7398e821-3937-4469-b07b-33eb785aaca1 14400
    powercfg /setacvalueindex SCHEME_CURRENT e73a048d-bf27-4f12-9731-8b2076e8891f 7398e821-3937-4469-b07b-33eb785aaca1 14400

    REM sets CS battery saver trip point to 100:
    powercfg /setdcvalueindex SCHEME_CURRENT e73a048d-bf27-4f12-9731-8b2076e8891f 1e133d45-a325-48da-8769-14ae6dc1170b 100
    powercfg /setacvalueindex SCHEME_CURRENT e73a048d-bf27-4f12-9731-8b2076e8891f 1e133d45-a325-48da-8769-14ae6dc1170b 100

    REM sets the CS battery saver action to hibernate:
    powercfg /setdcvalueindex SCHEME_CURRENT e73a048d-bf27-4f12-9731-8b2076e8891f c10ce532-2eb1-4b3c-b3fe-374623cdcf07 001
    powercfg /setacvalueindex SCHEME_CURRENT e73a048d-bf27-4f12-9731-8b2076e8891f c10ce532-2eb1-4b3c-b3fe-374623cdcf07 001

    powercfg /setactive SCHEME_CURRENT

    3. Save PowerCfg_Sp3.bat to your Deploymentshare\Scriptsfolder

    4. Open up the task sequence you use to deploy Windows and add a custom task in the state restore phase called PowerCfg-SP3


    5. In the properties of this task sequence step, edit the following:


    6. Click the Options tab and add conditional for “Task Sequence variable model equals Surface Pro 3”


    Note:This ensures this only runs on Surface Pro 3 devices using the model variable

    Hope this helps with your Surface deployments and keep eye on this blog for more tips and tricks for Surface

    Scott McArthur
    Senior Support Escalation Engineer

  • Your technical answers and automated solutions via

    Hello folks,

    One of our Engineering PMs that supports our Diagnostics and Automated solutions published a blog regarding Bing and how you can use it to answer your technical questions and provide automated solutions.  Here is a brief overview:

    Bing Technical Instant Answers provide concise answers to technical questions directly within search results and hopefully answer your question (or help you solve an issue) without you having to actually visit the web pages linked within the answer. The answers are triggered by specific search phrases, and they try to provide a unique benefit either by precisely matching your intent or by providing additional content related to your intent. In some cases, the instant answer will link to an automated fix or troubleshooter that you can run directly from the Bing search results. Microsoft will constantly be adding new technical answers, so if you have a technical problem with a Microsoft product or service try asking Bing to see if we have an instant answer for you!

    Go check out his blog via the link below:

    Using Bing for technical instant answers and automated solutions


  • Cross Post: Using Bing for technical instant answers and automated solutions

    This is a cross post from William Keener’s Support Diagnostics and Automated Solutions blog that we wanted to add to our site.  It relates to Bing and instant answers about Microsoft Products/Technologies/Support issues and here on the AskCore site, we are all about getting this type of information out there.  Any comments made should be made on the originating post so it can be properly seen, heard, or answered.


    Using Bing for technical instant answers and automated solutions

    Bing has been providing factual instant answers (and translation instant answers) for some time now, but recently they added "technical" instant answers for questions about Microsoft products and technologies or technical support issues. My previous team built the content management system that our internal content delivery teams are now using to add technical instant answers to Bing. Here's an example technical instant answer for the "Cortana" search term: 

    Now that I'm working on support diagnostics and automated solutions again, I have been working with the Bing and content delivery teams to get some instant answers created with links to some of our automated solutions.

    And I'm happy to announce that the first one is live! So you can now search for "Windows Update Troubleshooter" (or a variety of related terms and error messages) and the first result will be a technical instant answer with a link to download and run our automated troubleshooter to fix problems with Windows Update.

    When you click the link in step 3, you will be prompted to open (or run) or save the troubleshooter.

    Just click Open (or Run) to launch the troubleshooter.

    The content delivery teams will be constantly adding more technical instant answers, and we hope to have more live with automated solutions soon!

    Note that technical instant answers are also available in the Bing app on Windows Phone. To see the phone experience, tap Search and then type or say "cortana" on your Windows Phone. Then click the "See More" link at the bottom of the second result (after the ad - "Meet Cortana on Windows Phone 8.1") and swipe left or right to view the content on each of the tabs.

  • Understanding ATQ performance counters, yet another twist in the world of TLAs

    Hello again, this is guest author Herbert from Germany. If you worked an Active Directory performance issue, you might have noticed a number of AD Performance counters for NTDS and “Directory Services” objects including some ATQ related counters. In this more
  • Unable to restart server due to registry bloat over 2GB

    Hello AskPerf!  Pushing up a blog today to discuss the registry bloat issue that has been recently addressed in the following KB:

    Computer cannot be restarted if the registry hives are larger than 2 GB


    • You have a computer that is running the x64-based version of Windows 8.1, Windows Server 2012 R2, Windows 8, or Windows Server 2012.
    • The registry hives for the computer are larger than 2 gigabyte (GB).

    This problem occurs because of the 2 GB size limit of the registry hives in x64-based version of Windows.

    Install this patch to resolve the issue.


    When you get into this state, you may experience one of the following issues:

    1. You can boot to a stop error.
    2. You can boot and not be able to log in due to the RQL (Registry Quota Limit).
    3. You can boot and be logged in with a temp profile and not be able to install any software due to the RQL.

    If this happens, KB2978366 should be installed.

    With that, the following questions may come to mind:

    • How does this issue occur?
    • How do I prevent this issue in the first place?
    • How do I fix this issue once the hotfix is installed?
    • What happens if I see this problem on another OS version?
    • Are there any tools I can use to troubleshoot this issue?

    Question: How does this issue occur?

    Answer: There are many reasons that cause registry hives/keys to bloat.  Some of the ones we have seen are related to KB2871131, which refers to the “..\Printers\DevModes2” key bloat.  This hotfix does not “fix” the issue, but prevents it from occurring in the first place.  You still have to clean the keys first.  Additionally, there is a known issue with SQL Server 2012 SP1 that can cause the registry to hit the 2GB limit and put the machine in a no-boot state.  Please see KB2793634 for more details on this.

    Question: How do I prevent this issue in the first place?

    Answer: There really is no good answer for this outside of installing the hotfixes noted above, and keeping a close eye out on your registry hives.  You can use Performance Monitor however to monitor the “System\ % Registry Quota In Use” counter.  If this counter gets over 50 %, then you should start investigating what registry keys/hives are growing.


    % Registry Quota In Use is the percentage of the Total Registry Quota Allowed that is currently being used by the system.  This counter displays the current percentage value only; it is not an average.

    NOTE The following Registry hives point to their corresponding files:

    • HKLM\BCD00000000 - \Boot\BCD
    • HKLM\COMPONENTS - %windir%\System32\config\Components
    • HKLM\SAM - %windir%\System32\config\SAM
    • HKLM\SECURITY - %windir%\System32\config\SECURITY
    • HKLM\SOFTWARE - %windir%\System32\config\SOFTWARE
    • HKLM\SYSTEM - %windir%\System32\config\SYSTEM
    • HKU\.DEFAULT - %windir%\System32\config\DEFAULT
    • HKCU - %userprofile%\NTUSER.DAT
    • HKLM\HARDWARE - This is dynamic and gets built with the OS boots (volatile hive)
    • HKLM\CLUSTER - %windir%\Cluster\CLUSDB
    • HKU\<SID of local service account> - %systemroot%\ServiceProfiles\LocalService\Ntuser.dat
    • HKU\<SID of network service account> - %systemroot%\ServiceProfiles\NetworkService\Ntuser.dat
    • HKU\<SID of username> - \Users\<username<\Ntuser.dat
    • HKU\<SID of username>\Classes - \Users\<username>\AppData\Local\Microsoft\Windows\Usrclass.dat

    Question: How do I fix this issue once the hotfix is installed?

    Answer:  After installing the hotfix, you may need to copy your Registry file to another machine that includes the hotfix.  After you have cleared out the bloated entries (whitespace will remain), then simply load the hive up, and then unload it.  This process will shrink your registry key back down pre-bloat. If a system is unbootable due to registry bloat install the hotfix on another system. Boot the problem system from DVD, copy the bloated registry hive to external storage, put on system with hotfix and use regedit to remove the bloated registry info and whitespace. The hive can then be copied back to problem system to allow it to boot normally.

    Question: What happens if I see this problem on another OS version?

    Answer:  Simply copy your hive over to a Win 8/ Server 2012 machine that has this hotfix installed, then follow the steps above.

    Question: Are there any tools I can use to troubleshoot this issue?

    Answer:  Coming Soon


    How to Compress "Bloated" Registry Hives


  • RDP Fails with Event ID 1058 & Event 36870 with Remote Desktop Session Host Certificate & SSL Communication

    Hello AskPerf!  Sanket here from the Windows Platforms team here to discuss an issue with Remote Desktop Services where RDP does not work when you try to connect from a remote machine.  With that, let’s get started!

    I’m sure most of you have come across the following message when connecting to a machine via RDP:

    Remote Desktop Connection

    This computer can't connect to the remote computer. Try connecting again. If the problem continues, contact the owner of the remote computer or your network administrator.

    This is a generic that can be caused by numerous varying reasons.  We have a fairly detailed troubleshooting KB article that talks about this error and what to do to fix it:

    Remote Desktop disconnected or can’t connect to remote computer or to Remote Desktop server (Terminal Server) that is running Windows Server 2008 R2

    Assumptions are that most of you have followed this KB and resolved your issue.  However, there could other reasons that could cause RDP to fail as well.

    I recently worked an issue with same error where RDP from a remote machine was not connecting to a Windows 2012 Server.  NOTE the same error can occur on previous OS versions as well.

    There was a mystery as to what was changed on the server that could have caused this start.  Possible assumptions were user intervention, or some application may have changed/removed certain permissions.

    During the course of troubleshooting, we double-checked the KB article noted above, and noted the following Error events in the System Log:

    Log Name:      System
    Source:        Microsoft-Windows-TerminalServices-RemoteConnectionManager
    Date:          7/27/2014 12:16:59 AM
    Event ID:      1058
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      XXXXXXX
    Description: The RD Session Host Server has failed to replace the expired self-signed certificate used for RD Session Host Server authentication on SSL connections.
    The relevant status code was Access is denied.

    This error indicates that there is already a Certificate in place, however there is no sufficient permissions, and/or the default permissions on “C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys” may have been modified.
    Log Name:      System
    Source:        Schannel
    Date:          --
    Event ID:      36870
    Task Category: None
    Level:         Error
    User:          SYSTEM
    Computer:      XXXXX
    Description: A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030D.
    The internal error state is 10001.

    There was a fatal error accessing the Private Key for secure communications.

    At this point, I decided to capture a Process Monitor (Procmon) log on the destination server where the connection was going to.  As you may already know, Procmon allows us to monitor/record real-time file system, Registry and process/thread activity on Windows Workstations/Servers.

    Per the Procmon log, we found an “Access Denied” error to the following path:


    The above cert key f686aace6942fb7f7ceb231212eef4a4_xxx is associated with RDS, and this GUID like number is the pair key for both the computer and user.

    If you use the certutil -key command, you would see this Cert key with TSSecKeySet1:

    f686aace6942fb7f7ceb231212eef4a4_xxxxxxxxxx: AT_KEYEXCHANGE

    From the Procmon Logs:
    12:39:53.5364585 AM lsass.exe 588 CreateFile C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_xxxx ACCESS DENIED Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: N/A, Share Mode: Read, Allocation Size: N/A,
    12:40:24.3692803 AM lsass.exe 588 CreateFile C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_xxxx ACCESS DENIED
    Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, Share Mode: Read, Allocation Size: n/a, Impersonating: NT AUTHORITY\SYSTEM
    12:40:23.9265708 AM svchost.exe 1012 CreateFile C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_xxxx ACCESS DENIED
    Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, Share Mode: Read, Allocation Size: n/a
    So, what are the default permissions?  Well, you can use icacls to find this:
    C:\>icacls C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\
    Everyone :(R,W)
    BUILTIN\Administrators :(F)
    BUILTIN\Administrators ::(R)

    In case if you want to grant permission using icals you can provide the same using following command :
    icacls C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_xxxxx /grant " NT AUTHORITY\NETWORK SERVICE :( R)
    icacls C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_xxxxx /grant " NT AUTHORITY\SYSTEM :(F)
    icacls C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_xxxxx /grant " NT AUTHORITY\NETWORK SERVICE :(R )

    Fig 1.1 (Permission in Windows Explorer)

    As you can see above, the SYSTEM accounts needs the proper permissions.  If these permissions have been changed, then they need put back to defaults.  The certs under this key should be inheriting the above permissions from the parent folder MachineKeys.

    You can restore permissions, grant the permissions back using icacls, or use the Windows Explorer GUI.  Correcting the default permission on the cert should allow RDP to now work correctly.

    Considering if this would have been easily reproducible, there is always an option to enable the Auditing on the cert key f686aace6942fb7f7ceb231212eef4a4_xxxxx under “C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys”.  This can be done using the Security Tab on Properties of the cert key as seen in the screenshot below:

    NOTE Adding Auditing on this object will log Events to the Security Event Logs.  You will want to keep this enabled until you are able to reproduce the connection issue.

    Hope you find this information helpful.

    Additional Resources

  • Updating Surface Pro 3 firmware (Cross Post)

    Hi this is Scott McArthur and I just wanted to call attention to a blog that I worked on with some of our PFE engineers that just posted related to Surface. 

    How to Update the Surface Pro 3 Firmware Offline using a USB Drive

    This blog shows you how you can update firmware from a Bootable WindowsPE USB flash drive.  This is useful for some scenarios where you need updated firmware BEFOREyou do a deployment to the device.  Hope it helps with your Surface deployments

    Scott McArthur
    Senior Support Escalation Engineer

  • Asset Tag Tool for Surface Pro 3

    Hi my name is Scott McArthur and I want to call out a tool that recently came out that allows Enterprise customers to set Asset Tags on Surface Pro 3.

    This tool is available for download at the following location:

    The tool requires the following:

    • Surface Pro 3(other Surface devices not supported)
    • UEFI firmware version or newer

    It can be run from within Windows or from WindowsPE.  The download comes with a README.TXT that contains the following reference:

    This tool gets or sets the proposed Asset Tag, which will be applied on next reboot.

    The current Asset Tag is an SMBIOS setting which can be queried via WMI:

    (Get-WmiObject -query "Select * from Win32_SystemEnclosure").SMBiosAssetTag

    To get the proposed asset tag:

    AssetTag -g

    To clear the proposed asset tag:

    AssetTag -s

    To set the proposed asset tag:

    AssetTag -s testassettag12

    Valid values for this can be:

    • up to 36 characters long
    • valid characters including A-Z, a-z, 0-9, period and hyphen

    You can view the Asset Tag in the UEFI settings under Device Information.


    Here is a PowerShell script demonstrating way to get proposed value and interpret errors.

    Note that stout contains the Asset Tag and stderr contains error messages.

    AssetTag -g > $asset_tag 2> $error_message
    $asset_tag_return_code = $LASTEXITCODE
    $asset_tag = $asset_tag.Trim("`r`n")

    if ($asset_tag_return_code -eq 0) {
         Write-Output ("Good Tag = " + $asset_tag)
    } else {
         Write-Output (
              "Failure: Code = " + $asset_tag_return_code +
              "Tag = " + $asset_tag +
              "Message = " + $error_message)


    Hope this helps with your Deployments.

    Scott McArthur
    Senior Support Escalation Engineer

  • Configuring Azure Virtual Machines for Optimal Storage Performance

    In support, one of the most common questions we get is: How do I achieve the best disk performance for Azure virtual machines? Platform Planning: In the standard tier of virtual machine in Azure, the maximum IOPS is 500 per disk . When planning more
  • Windows 10 Preview available for review

    Good morning AskPerf!  It’s been a while since our last post, and we apologize for that.  We’ve been quite busy here on the Support side knocking out customer issues…

    Any who, we have some upcoming blogs in the oven that need a little more time to bake.  One of which is a short series on Windows Event Forwarding which I am very excited about.  Look for that to come out in the coming months.

    Even though we are commonly known as the Performance team, internally we are known as the Reliability team.  Some of the technologies we support are as follows:

    Windows Client/Server OS

    • Printing
    • RDS / TS
    • Performance which includes System Hangs, High CPU, Memory issues, etc.
    • Base WMI functionality
    • COM/DCOM – base functionality
    • Explorer (Shell)
    • Desktop Search
    • MUI and IME
    • MSI – basic functionality
    • Themes/Fonts/Screen Savers/Wallpaper
    • Task Scheduler
    • WinRM – basic functionality
    • Windows PowerShell – install and basic functionality
    • ACT

    There are many other smaller technologies, but these are the main ones.

    Now back to our original topic:  The Windows 10 Preview is available for download/testing.  To get it, click the following link:

    Windows 10 Preview

    Finally, we always welcome feedback on topics you would like for us to blog about here on the AskPerf blog site.


  • Virtual Machine Checkpoint fails with Access Denied when running on a Clustered Shared Volume

    When you attempt to create a CheckPoint of a virtual machine that is running on a Cluster Shared Volume (CSV) , you may receive a General access denied error as shown below.


    You will receive this error if the virtual machine’s VHD is placed on the root of the drive.



    The reason for the access denied error is due to the VM worker process (VMMS) not having relevant permissions on the CSV volume.  Below are default permission that is present for a typical CSV volume.  It is strongly recommended that these permissions not be changed.


    To resolve the issue, migrate the storage from Failover Cluster Manager or reconfigure the VM and place the VHDX in a folder off the root.  By moving the VHDx to a subfolder or if the VM is reconfigured, the VMMS service updates the permissions on the subfolder as it should.

    For example, this is the current location of the file: 

    C:\ClusterStorage\Volume1\Test Lab.Vhdx

    You would want to move it (and any other VHDX files present) to a subfolder you can create, such as this: 

    C:\ClusterStorage\Volume1\Test Lab\Test Lab.Vhdx

    There are several options you can run through to accomplish this task.

    Option 1:

    Using the Virtual Machine Storageselection from Failover Cluster Manager, move it to the folder you created.  This is an option that can be done without affecting production as it can be done while the virtual machine is online and running.



    Option 2: 

    Shut the virtual machine down and, in Explorer, move the VHDx from the root of CSV to a folder you create.  In Failover Cluster Manager, bring up the settings of the virtual machine and manually change the path of the relocated VHDx.  This is an option that can be done but will affect production as it cannot be done while the virtual machine is online and running.  So you would need to schedule downtime to accomplish this task.

    General Rule:

    Microsoft has always not recommended to keep any type of data files in the root of a drive.  Even though things may appear to work fine, problems could arise from this configuration.

    Shasank Prasad
    Senior Support Escalation Engineer
    Microsoft Corporation

  • Remove Lingering Objects that cause AD Replication error 8606 and friends

    Introducing the Lingering Object Liquidator Hi all, Justin Turner here ---it's been a while since my last update . The goal of this post is to discuss what causes lingering objects and show you how to download, and then use the new GUI-based Lingering more
  • How to identify a driver that calls a Windows API leading to a pool leak on behalf of NT Kernel?

    Hello my name is Gurpreet Singh Jutla and I would like to share information on how we can trace the caller which ends up allocating “Se  “ Pool tag. When we use the Windows debugger and investigate the pool allocation and the binary associated with more
  • Announcing public availability of MBAM Compliance Data Cleanup Tool 2.5

    We are happy to announce public availability of MBAM Compliance Data Cleanup Tool 2.5 (clean-mbam.exe), aka MBAMCDCT 2.5.
    MBAM Compliance Data Cleanup Tool 2.5 (clean-mbam.exe) is a command line tool which enables you to delete machine records from the ‘Compliance Status’ database of the MBAM 1.0 and MBAM 2.0, MBAM 2.0 SP1 and MBAM 2.5 standalone.


    There have been situation where you as a MBAM Admin had to delete the entries of older/reimaged machine records from the MBAM compliance database. The only solution in this case was to run complex SQL queries to delete machines from the database. This tool helps you report the true state of encryption compliance in your environment by deleting the obsolete information from the MBAM Compliance Status database.


    This is a command line tool which enables you to schedule it stale data deletion as a task to automate deletion of obsolete machine records from the MBAM compliance database.

    This tool provides three different ways to delete machine records from the MBAM Compliance Status database:

    1.     Delete machines which have not reported in last X days.

    2.     Delete machines specified in a comma separated list via command line.

    3.     Delete machines specified in a text file.




    This tool doesn’t delete the recovery information or any other data from MBAM Recovery and Hardware Database. All delete operations are performed strictly on the MBAM Compliance Status Database.

    This tool is available for download from the TechNet website as a self-extractable compressed file, which includes the executable and documentation.

    Hope this tool helps you report the true state of encryption compliance in your environment by deleting the obsolete information from the database.


    This tool and documentation are provided "as-is". You bear the risk of using it. No express warranties, guarantees or conditions are provided. The tool supplied in this document is not supported under any Microsoft standard support program or service. However, you can report issues and bugs in the comments section on this page. Microsoft will, at its sole discretion, address issues and bugs reported.



    Himanshu Singh

    Windows Core Team

  • We Are Hiring Windows Escalation Engineers in Charlotte, Dallas, and Redmond

    Would you like to join the world’s best and most elite debuggers to enable the success of Microsoft solutions?   As a trusted advisor to our top customers you will be working with to the most experienced IT professionals and developers in the industry more
  • Windows Troubleshooting – Stop 9E Explained

    What to do if a stop 9E occurs.  How you can solve the issue yourself. more