• The Official Microsoft Blog

    Microsoft makes source code for MS-DOS and Word for Windows available to public

    The following post is from Roy Levin, distinguished engineer and managing director, Microsoft Research Silicon Valley.


    MS-DOS Operating Systems

    On Tuesday, we dusted off the source code for early versions of MS-DOS and Word for Windows. With the help of the Computer History Museum, we are making this code available to the public for the first time.

    The museum has done an excellent job of curating some of the most significant historical software programs in computing history. As part of this ongoing project, the museum will make available two of the most widely used software programs of the 1980’s, MS DOS 1.1 and 2.0 and Microsoft Word for Windows 1.1a, to help future generations of technologists better understand the roots of personal computing.

    In 1980, IBM approached Microsoft to work on a project code-named “Chess.” What followed was a significant milestone in the history of the personal computer. Microsoft, at the time, provided the BASIC language interpreter for IBM. However, they had other plans and asked Microsoft to create an operating system. Without their own on hand, Microsoft licensed an operating system from Seattle Computer Products which would become the foundation for PC-DOS and MS-DOS.

    IBM and Microsoft developed a unique relationship that paved the way for advancements in the nascent personal computer industry, and subsequent advancements in personal computing.

    Bill Gates was interviewed by David Bunnell just after the launch of the IBM PC in the early 1980s for PC Magazine’s inaugural issue, and provided the backstory: “For more than a year, 35 of Microsoft's staff of 100 worked fulltime (and plenty of overtime) on the IBM project. Bulky packages containing computer gear and other goodies were air-expressed almost daily between the Boca Raton [IBM] laboratory and Seattle [Microsoft]. An electronic message system was established and there was almost always someone flying the arduous 4,000 mile commute.”

    Following closely on the heels of MS DOS, Microsoft released the first DOS-based version of Microsoft Word in 1983, which was designed to be used with a mouse. However, it was the 1989 release of Word for Windows that became a blockbuster for the company and within four years it was generating over half the revenue of the worldwide word-processing market. Word for Windows was a remarkable engineering and marketing achievement, and we are happy to provide its source code to the museum.

    It’s mind-boggling to think of the growth from those days when Microsoft had under 100 employees and a Microsoft product (MS-DOS) had less than 300KB (yes, kilobytes) of source code. From those roots we’ve grown in a few short decades to become a company that has sold more than 200 million licenses of Windows 8 and has over 1 billion people using Microsoft Office. Great things come from modest beginnings, and the great Microsoft devices and services of the future will probably start small, just as MS-DOS and Word for Windows did.

    Thanks to the Computer History Museum, these important pieces of source code will be preserved and made available to the community for historical and technical scholarship.

  • Ask the Directory Services Team

    Our UK Windows Directory Services Escalation Team is Hiring – Support Escalation Engineers.

    Hi! It's Linda Taylor here again from the Directory Services Escalation team in the UK. In this post, I want to tell you – We are hiring in the UK!!

    Would you like to join the UK Escalation Team and work on the most technically challenging and interesting Active Directory problems? Do you want to be the next “Ned Pyle”?

    Then read more…

    We are an Escalation Team based in Microsoft Campus in Reading (UK). We are part of Microsoft Global Business Support and we work with enterprise customers helping them resolve the most critical Active Directory infrastructure problems as well as enabling our customers to get the best of Microsoft Windows and Identity related technologies. The work we do is no ordinary support – we work with a huge variety of customer environments and there are rarely two problems which are the same. We are the experts in our field and we work closely with the product group to help make Windows and all our other technologies better. 

    You will need strong AD knowledge, great customer service skills, strong troubleshooting skills and great collaboration and teamwork.

    You can find more of the job details here:

    https://careers.microsoft.com/jobdetails.aspx?ss=&pg=0&so=&rw=1&jid=130665&jlang=EN&pp=SS

    Linda.

  • Ask Premier Field Engineering (PFE) Platforms

    How to Clean up the WinSxS Directory and Free Up Disk Space on Windows Server 2008 R2 with New Update

    It’s finally here! After pages and pages of comments from you requesting the ability to clean up the WinSxS directory and component store on Windows Server 2008 R2, an update is available.

    http://support.microsoft.com/kb/2852386

    As a refresher, the Windows Server 2008 R2 update is directly related to my previous blog post announcing a similar fix for Windows 7 client.

    The Windows 7 version of this fix introduced an additional option to the Disk Cleanup wizard that would clean up previous versions of Windows Update files. KB2852386 adds a Disk Cleanup option on Windows Server 2008 R2, similar to the Windows 7 update.

    What does this mean for Windows Server 2008 R2? After installing this update and prior to being able to perform the cleanup, the Desktop Experience feature must be installed. Why you ask? Disk Cleanup is not installed by default on Windows Server 2008 R2. It is instead a component installed with the Desktop Experience feature. 

    Why was the update not included as a DISM switch like Windows Server 2012 R2? 

    This was evaluated, however, due to the amount of changes required and the rigorous change approval process, it was not feasible to back port the functionality this way. Knowing that it would be some time before everyone could upgrade to Windows Server 2012 R2 and based on feedback from an internal survey taken of a subset of enterprise customers, it was determined that this update would still be useful in its Disk Cleanup form, even with the Desktop Experience prerequisite. We hope you agree. However, we are aware that for some of you, the Desktop Experience requirement will be a deal breaker, but decided to release it anyway hoping it will help in some instances. 

    How can I get the update?

    The update is available on Windows Update. It can also be manually downloaded from the Microsoft Update Catalog. The KB article listed above will also direct you to a download link in the Microsoft Download Center.

    Let’s Cleanup those Old Windows Update Files!

    First, let’s take a look at our starting point. Looking at my Windows 2008 R2 Server with SP1 installed, according to Windows Explorer, the size of my Windows/WinSxS directory is as follows: 

    The size of the WinSxS directory will vary by server. Some of you will have smaller WinSxS directories, some larger.  

    Installing the update is just like installing any other update. Just download and double-click on the .msu file: 

    Installing the update does not require Desktop Experience to be installed beforehand, but if you check your WinSxS directory again, you’ll see there has been no change to the size. This is expected as we need to run Disk Cleanup in order for this to take effect. It also does not require a reboot to install the hotfix. 

    But…we can’t do anything with what we just installed until we get Disk Cleanup which is installed with the Desktop Experience feature. 

    When installing Desktop Experience, it does require additional features. Select the button to Add Required Features and click Next and then Install: 

    A reboot is required to finalize the install. 

    Click Close and Reboot when prompted. 

    After we reboot, a Disk Cleanup option can be found under Start --> All Programs --> Accessories --> System Tools:

    On launch, Disk Cleanup prompts for the drive you want to clean up: 

    After clicking Ok, a scan is performed: 

    Several options are provided for cleanup, including a new option for Windows Update Cleanup:

    Just like the Windows 7 cleanup, mileage will vary. Also like Windows 7, the actual cleanup occurs during the next reboot. After the reboot, taking a look at the WinSxS directory, it has shrunk to the following: 

    Automation

    My super knowledgeable scripting cohort Tom Moser wrote a PowerShell script that automates THE ENTIRE PROCESS. Can I get a cheer? Ok. So maybe it is a bit much to expect IT admins to cheer, but can I get an appreciative grunt?  The script certainly beats the alternative of doing this all manually. 

    You can find the script on the TechNet Script Center here: 

    http://gallery.technet.microsoft.com/scriptcenter/CleanMgrexeKB2852386-83d7a1ae

    What does the script do? 

    In short, the script does the following: 

    1) Installs Desktop Experience, if not previously installed, and performs a reboot. 

    2) Sets the appropriate registry keys to automate the cleanup. The script will clean up not only previous Windows Update files but also Service Pack files.

    3) The script then initiates the cleanup. 

    4) If Desktop Experience was not previously installed, the script uninstalls it.

    5) Performs final reboot. 

    For more details, read below.  

    The script can be run from any directory on the server. It has two parameters: LogPath and a switch called NoReboot. LogPath will allow the user to specify a log location or if none is specified, by default, the script will create a log in the same directory from which the script was executed. NoReboot allows the user to suppress reboots, but will require manual reboots by an administrator. 

    Note: Make sure to check the log file to verify the process completed successfully and to verify there is no manual interaction required. If the script has completed successfully, the log will end with CleanMgr complete.

    The script has several phases, using a registry key to keep track of progress. After initial run, it inserts itself as a scheduled task, which runs as local system. The final phase removes the task.

    Depending on pending reboots, etc, we have found that this phase may generate a few reboots. Do not be concerned if the server reboots a few times. 
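    Steps 2 and 3 above (select the cleanup handlers in the registry, then run Disk Cleanup unattended) are shown here as an added example; it is not the TechNet Script Center script. It assumes KB2852386 and Desktop Experience are already installed, that the Disk Cleanup handler keys are named "Update Cleanup" and "Service Pack Cleanup", and it uses an arbitrary /sagerun slot (64).

```powershell
# Added example, not the script from the TechNet Script Center.
# Assumptions: KB2852386 and Desktop Experience are installed, and the two
# handler key names below are the ones Disk Cleanup registers on this server.
# Written to run on the PowerShell 2.0 that ships with Windows Server 2008 R2.
$ErrorActionPreference = 'Stop'

$slot       = 64                                   # arbitrary slot for this example
$valueName  = 'StateFlags{0:D4}' -f $slot          # -> StateFlags0064
$cachesRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches'
$handlers   = @('Update Cleanup', 'Service Pack Cleanup')
$cleanMgr   = Join-Path $env:SystemRoot 'System32\cleanmgr.exe'

function Test-IsAdministrator {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Clear-CleanupSlot {
    # Remove our StateFlags value from every handler so nothing stays selected.
    Get-ChildItem -Path $cachesRoot | ForEach-Object {
        Remove-ItemProperty -Path $_.PSPath -Name $valueName -ErrorAction SilentlyContinue
    }
}

if (-not (Test-IsAdministrator)) {
    throw 'Run this from an elevated PowerShell prompt.'
}
if (-not (Test-Path $cleanMgr)) {
    throw 'cleanmgr.exe not found. Install the Desktop Experience feature and reboot first.'
}

# /sagerun runs EVERY handler that has this slot selected, so start from a
# clean slot and then select only the handlers we actually want.
Clear-CleanupSlot

$selected = @()
foreach ($name in $handlers) {
    $key = Join-Path $cachesRoot $name
    if (Test-Path $key) {
        # A DWORD value of 2 marks the handler as selected for this slot.
        New-ItemProperty -Path $key -Name $valueName -PropertyType DWord -Value 2 -Force | Out-Null
        $selected += $name
    }
    else {
        Write-Warning "Handler '$name' is not registered on this server; skipping it."
    }
}
if ($selected.Count -eq 0) {
    throw 'No cleanup handlers were found. Is KB2852386 installed?'
}

Write-Output ("Running Disk Cleanup for: {0}" -f ($selected -join ', '))
try {
    $proc = Start-Process -FilePath $cleanMgr -ArgumentList "/sagerun:$slot" -Wait -PassThru
    Write-Output ("cleanmgr.exe exited with code {0}" -f $proc.ExitCode)
}
finally {
    # Leave the registry as we found it, even if cleanmgr failed to start.
    Clear-CleanupSlot
}

Write-Output 'Disk Cleanup has finished. Reboot the server to complete the WinSxS cleanup.'
```

    Selecting "Service Pack Cleanup" has the same effect as /spsuperseded: the service pack can no longer be uninstalled afterwards.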

    Other Options

    Aside from the cleanup mechanism included with this fix, if you have applied SP1 and have not cleaned up afterwards, I’d highly recommend doing so by running the following command from an administrative command prompt:

    dism /online /cleanup-image /spsuperseded

    or 

    If you have installed the Desktop Experience feature and thus have the Disk Cleanup utility, you can select the following option to do the same thing: 

    Specifying the /spsuperseded switch or choosing to remove service pack backup files will remove the ability to uninstall the service pack. If you haven't done it before, it is certain to free up some space.

    The Origins of this Update (Hint: Windows Server 2012 R2)

    I’ve mentioned a couple of times that this is a back port. What does that mean? Well, it means that this functionality is already built into a later operating system. In this case, that operating system is Windows Server 2012 R2. Not only do we have several mechanisms to automatically clean up previous versions of Windows Update files like this update does, we even have the ability to more accurately determine the size of the component store (aka the WinSxS directory).

    The command to accurately determine the size of the component store on Windows Server 2012 R2 is as follows: 

    Dism.exe /Online /Cleanup-Image /AnalyzeComponentStore

    Running this command analyzes the component store to determine the size and whether cleanup is recommended. Notice in the screen shot that it provides you with the Windows Explorer reported size and the actual size: 

    Notice that the component store is much smaller than Windows Server 2008 R2 right out of the gate? This isn’t because I’ve used Features on Demand to remove roles and features. It’s because by default in Windows Server 2012 R2, we compress all unused binaries. Another win for Windows Server 2012 R2!

    Looking at the breakdown of the 5.12GB, we see that Shared with Windows accounts for 3.83GB of the 5.12GB. Shared with Windows refers to the size of the files that are hardlinked between the WinSxS directory and the Windows location of the file. Because these hardlinks appear to take up space, but don't really, we can subtract them from our component store size. Therefore, the actual size of the component store is the total of Backups and Disabled Features plus Cache and Temporary Data or 1.28GB.

    But back to our cleanup. 

    In the above screen shot, it’s stated that component store cleanup is recommended. We can manually clean up the component store on Windows Server 2012 R2 by running the following command:

    Dism.exe /online /Cleanup-Image /StartComponentCleanup 

    What does this do? When this runs, Windows cleans up the previous versions of the component that was updated. In other words, it is doing exactly what our update does for Windows Server 2008 R2 SP1. It removes previous versions of the files updated by Windows Updates. 

    After running /StartComponentCleanup, upon analyzing the size again, we see it is as follows:

    So no notable difference really. Largely because we’ve been running this cleanup all along. This same command is run every 30 days as a scheduled task with a time limit of 1 hour. 

    With the scheduled task however, the task will wait at least 30 days after an updated component has been installed before uninstalling the previous versions of the component. This scheduled task can be found in Task Scheduler under the Task Scheduler Library\Microsoft\Windows\Servicing\StartComponentCleanup directory: 

    More information on this can be found here:  http://technet.microsoft.com/en-us/library/dn251565.aspx  

    If you’re in all out spring cleaning mode and want to perform super deep cleanup, you can use the /resetbase command with the /startcomponentcleanup to remove all superseded versions of every component in the component store: 

    Dism.exe /online /Cleanup-Image /StartComponentCleanup /ResetBase 

    This removes the ability to uninstall any updates applied until this point in time. 

    And don’t forget the ability to completely remove any role or feature which also reduces the size. Take a look at one of my earlier blogs for more details on Features on Demand:  http://blogs.technet.com/b/askpfeplat/archive/2013/02/24/how-to-reduce-the-size-of-the-winsxs-directory-and-free-up-disk-space-on-windows-server-2012-using-features-on-demand.aspx  

    Here’s a handy table showing when we introduced the various different cleanup and WinSxS size reductions by operating system: 

    Operating System Compress Unused WinSxS Binaries Cleanup Previous Windows Update Files Automatically Clean Up Previous Windows Update Files Cleanup All Components Features on Demand
    Windows Server 2008 R2 With KB2852386
    Windows Server 2012  With KB2821895 x x x
    Windows Server 2012 R2 x x x x x

    Want more information on how all this works under the covers? 

    Check out the following series on the AskCore team blog for an in-depth look at servicing improvements on Windows Server 2012 R2: 

    What’s New in Windows Servicing: Part 1

    What’s New in Windows Servicing: Reduction of Windows Footprint : Part 2

    What’s New in Windows Servicing: Service Stack Improvements: Part 3 

    More on the Desktop Experience Feature

    The Desktop Experience feature includes the following components and features:

    * Windows Media Player

    * Desktop themes

    * Video for Windows (AVI support)

    * Windows SideShow

    * Windows Defender

    * Disk Cleanup

    * Sync Center

    * Sound Recorder

    * Character Map

    * Snipping Tool

    * Ink Support 

    Most of these are not automatically turned on with the exception of Windows Defender whose service is started after reboot. You’ll likely want to stop the service and disable it after reboot. Not all 3rd party anti-viruses conflict with Windows Defender, but there have been reports that some do. 

    ~ Charity Shelbourne and Tom Moser, Spring cleaning servers since 1998

    Update May 15th, 2014

    We are aware of a method of copying in the appropriate Disk Cleanup/CleanMgr files into the appropriate location to avoid installing the Desktop Experience. If this were a tested and supported option, we certainly would have included these details in this post and definitely would have used this method to automate the cleanup. However, it was determined early on that this method would not be supported. If you decide to do this, do so at your own risk.

  • Security Research & Defense

    Announcing EMET 5.0 Technical Preview

    Today, we are thrilled to announce a preview release of the next version of the Enhanced Mitigation Experience Toolkit, better known as EMET. You can download EMET 5.0 Technical Preview here. This Technical Preview introduces new features and enhancements that we expect to be key components of the final EMET 5.0 release. We are releasing this technical preview to gather customer feedback about the new features and enhancements. Your feedback will affect the final EMET 5.0 technical implementation. We encourage you to download this Technical Preview, try it out in a test environment, and let us know how you would like these features and enhancements to show up in the final version. If you are in San Francisco, California, for the RSA Conference USA 2014, please join us at the Microsoft booth (number 3005) for a demo of EMET 5.0 Technical Preview and give us feedback directly in person.  Several members of the EMET team will be demonstrating at the Microsoft booth for the entire Conference.

    As mentioned, this Technical Preview release implements new features to disrupt and block the attacks that we have detected and analyzed over the past several months. The techniques used in these attacks have inspired us with new mitigation ideas to disrupt exploitation and raise the cost to write reliable exploits. The EMET 5.0 Technical Preview also implements additional defensive mechanisms to reduce exposure from attacks.

    The two new features introduced in EMET 5.0 Technical Preview are the Attack Surface Reduction (ASR) and the Export Address Table Filtering Plus (EAF+). Similar to what we have done with EMET 3.5 Technical Preview, where we introduced a new set of mitigations to counter Return Oriented Programming (ROP), we are introducing these two new mitigations and ask for your feedback on how they can be improved. Of course, they are a “work in progress.” Our goal is to have them polished for the final version of EMET 5.0.

    Let’s see in detail what these two new mitigations do, and the reasoning that led us to their implementation.

    Attack Surface Reduction

    In mid-2013, we published a Fix it solution to disable the Oracle Java plug-in in Internet Explorer. We received a lot of positive feedback and a number of suggestions on how we could improve the Fix it. The most recurring suggestion we received was to allow the Oracle Java plug-in on intranet websites, which commonly run Line-of-Business applications written in Java, while blocking it on Internet Zone websites. In addition to that Java-related customer feedback, we have also seen a number of exploits targeting the Adobe Flash Player plug-in. For example, the RSA breach was enabled by an Adobe Flash Player exploit embedded inside a Microsoft Excel file and a number of targeted attacks have been carried out by Adobe Flash Player exploits embedded in Microsoft Word documents, as described by Citizen Lab. We decided to design a new feature that can be used to mitigate similar situations and to help to reduce the attack surface of applications. We call this feature Attack Surface Reduction (ASR), and it can be used as a mechanism to block the usage of specific modules or plug-ins within an application. For example, you can configure EMET to prevent Microsoft Word from loading the Adobe Flash Player plug-in, or, with the support of security zones, you can use EMET to prevent Internet Explorer from loading the Java plug-in on an Internet Zone website while continuing to allow Java on Intranet Zone websites.

    The example below shows ASR in action, preventing Microsoft Word from launching an Adobe Flash Player file embedded in the document. By default, EMET 5.0 Technical Preview comes pre-configured to block certain plug-ins from being loaded by Internet Explorer, Microsoft Word and Microsoft Excel. The feature is fully configurable by changing two registry keys that list the names of the plug-ins to block, and, if supported, the security zones that allow exceptions. For more details on how to configure ASR please refer to the EMET 5.0 Technical Preview user guide.

    EAF+

    We also added new capabilities to the existing Export Address Table Filtering (EAF). EAF+ consolidates protection of lower-level modules and prevents certain exploitation techniques used to build dynamic ROP gadgets in memory from export tables. EAF+ can be enabled through the “Mitigation Settings” ribbon. When EAF+ is enabled, it will add the following additional safeguards over-and-above the existing EAF checks:

    • Add protection for KERNELBASE exports in addition to the existing NTDLL.DLL and KERNEL32.DLL

    • Perform additional integrity checks on stack registers and stack limits when export tables are read from certain lower-level modules

    • Prevent memory read operations on protected export tables when they originate from suspicious modules that may reveal memory corruption bugs used as “read primitives” for memory probing

    For example, the third protection mechanism in the list above mitigates the exploitation technique developed in Adobe Flash Player used in some recent Internet Explorer exploits (CVE-2013-3163 and CVE-2014-0322), where the attacker attempted to build ROP gadgets by scanning the memory and parsing DLL exports using ActionScript code. Exploits for these vulnerabilities are already blocked by other EMET mitigations. EAF+ provides another way to disrupt and defeat advanced attacks. The screenshot below shows the exploit for CVE-2014-0322 in action on Internet Explorer protected by EMET 5.0 Technical Preview with only EAF+ enabled.

    Other improvements

    This Technical Preview enables the “Deep Hooks” mitigation setting. We have been working with third-party software vendors whose products do not run properly with Deep Hooks enabled. We believe these vendors have resolved the application compatibility issues that previously existed with Deep Hooks enabled. We enable Deep Hooks in the Technical Preview to evaluate the possibility of having this setting turned on by default in the final EMET 5.0 release because it has proven to be effective against certain advanced exploits using ROP gadgets with lower level APIs. We have also introduced some additional hardening to protect EMET’s configuration when loaded in memory, and fixed several application compatibility issues including a common one that involves Adobe Reader and the “MemProt” mitigation.

    Acknowledgments

    We’d like to thank Spencer J. McIntyre from SecureState, Jared DeMott from Bromium Labs, along with Peleus Uhley and Ashutosh Mehra from the Adobe Security team for their collaboration on the EMET 5.0 Technical Preview.

    We are excited for this Technical Preview and we hope that the additions are as valuable for our customers as they are for us. We invite you to install and give EMET 5.0 Technical Preview a try; we look forward to hearing your feedback and suggestions on how to enhance the new features that we have introduced. We would also welcome any suggestions for additional new features you’d like to see included in the final version of EMET 5.0. We greatly value the feedback we receive, and we want to build a product that not only provides additional protection to systems but is also easy to use and configure. We then invite you all to download EMET 5.0 Technical Preview and drop us a line!

    • The EMET Team

  • Ask the Directory Services Team

    Adding shortcuts on desktop using Group Policy Preferences in Windows 8 and Windows 8.1

    Hi All!

    My name is Saurabh Koshta and I am with the Core Team at Microsoft. Currently I work in the client space so supporting all aspects of Windows 8 and Windows 8.1 is my primary role.

    We very often get calls from customers who are evaluating Windows 8/Windows 8.1 for deployment, but are concerned about some of the changes in the UI that may confuse their users. A typical concern we hear is that users are used to having shortcuts on the desktop for Computer, Documents, and Network. So, I wanted to take a minute to show you how you can easily add those shortcuts (or others) to desktops using Group Policy Preferences.

    I have an OU in my domain called “Domain Computers”, which has Windows 8 machines.

    The next step is to create a policy and link it to the “Domain Computers” OU. In this case it is called “Shortcut”.

    Edit the policy and go to the following location:

    Computer Configuration --> Preferences --> Windows Settings --> Shortcuts

    Highlight Shortcuts and on the right pane, right click and select new Shortcut

    In the ‘New Shortcut Properties’, make the following changes so the values look like below:

    1. Action : Update

    2. Target type : Shell Object

    3. Location : All Users Desktop

    4. For Target object, click on the browse option and then choose ‘Computer’

    5. Name : My Computer

    Leave the rest of the options as default. Once you have made all the changes, it would look like below:

    Similarly for Network the options are:

    1. Action : Update

    2. Target type : Shell Object

    3. Location : All Users Desktop

    4. For Target object, click on the browse option and then choose ‘Network’

    5. Name : My Network Places

    And for Libraries the options are:

    1. Action : Update

    2. Target type : Shell Object

    3. Location : All Users Desktop

    4. For Target object, click on the browse option and then choose ‘Libraries’

    5. Name : My Documents

    So we have the following three shortcuts

    Restart the client and once logged in with a domain user, the desktop would have the three shortcuts as listed above and it would look something like below:

    The above steps also work with Windows 8.1. Here is how it looks:

    Hope you all find this information useful.

    Thanks,

    Saurabh Koshta