The Darkside and the Geekside

This isn’t really an IT-related post. It’s more of a “What makes Rigsby tick” post. I know, damned scary thought.

I know full well there are many online friends who have had their fill of my mood swings, self-deprecating comments, and overall “PMS’ing Eeyore” attitude at times and quite a few have reached the point where they’re sick of dealing with me.

I suddenly had the idea to try and dump some of what goes on in my mind into print. I know full well that what I’m going to talk about is far from uncommon, especially in our industry, so maybe my little ‘soul baring’ will make someone else feel a little better.

I’ve always had a high aptitude for technology. I’ve been into tearing apart and rebuilding anything with a power cord since I was big enough to hold a screwdriver. My first PC was a 386SX, which I promptly opened up and replaced the hard drive, added more memory, a better speaker, etc.

Basically the Analytical side of my mind has always been dominant. I had an IQ test done when I was 12 and scored in the mid 160’s. Human average IQ is from 90 – 109. I’m in no way bragging or saying I’m smarter than anyone else or any such thing. IQ doesn’t mean squat unless you pursue higher education and take advantage of it and I never really did. All it is, is your ability to learn.

It in no way makes you any more intelligent than the next person. Especially if that next person has furthered their education.

The only reason I’m even mentioning it is to set the background a bit.

It’s medically documented that individuals with higher than average aptitude for the analytical side of their mind also have a high chance for struggling with the artistic/emotional side of their brain.

Hence the saying “There’s a fine line between Genius and Insanity.”

Mind you, I’m sane and stable as a rock. But, I’ve had self-esteem issues and “negative attitude” my entire life. I do my best to balance this out with a wry wit, sarcastic humor, and “I don’t give a shit” attitude but it doesn’t always work.

Now, these situations are automatically the recipe for a rough time. Being technically inclined I naturally got into Information Technology as a career.

Well, I’ve found myself surrounded with friends who are some of the top minds in the entire industry. Brilliant, accomplished Leaders in the IT Professional industry. Microsoft MVPs and Certified Teachers, Professionals who speak at tech conferences. All around awesome people, some of the friendliest and coolest you’ll ever meet.

However, they’re intimidating as hell!

Shadows that are big enough to get frostbite when standing in them. Professionals who can have a ‘brain fart’ and forget more skills than I’ll ever have. Really difficult individuals to compare oneself to when you’ve already struggled with self-esteem issues your whole life.

Combine that with my chosen place of employment being High Tech Manufacturing, which in itself is also filled with highly intelligent, highly educated people. It is also, oddly enough, filled with old technology. By the nature of the industry the equipment used is highly expensive and built really well. So, the computers running most of the equipment are old. Running old software and old operating systems.

You’re probably not seeing where this is going.

It boils down to me being really good with technology that’s old enough that no one else in the IT industry cares about it and, due to my employment, being in a situation where I have zero incentive to learn new, updated skills because they wouldn’t be used anyway. Then toss in all my friends who are vastly smarter than I am.

Sprinkle liberally with strong doses of self-esteem issues, bouts of depression and personal life struggles recently, and shake well. What you get is,

Me.

Just Upgrade or maybe not

As IT Professionals a core element of our industry is the fact that technology is constantly evolving, advancing, and changing into newer ways of doing things.

This movement is coupled with, and magnified by, the fact that technology companies cancel support for the older products and technology.

A natural byproduct of being an IT Pro is that we develop the opinion that it’s our job to ‘champion’, or evangelize, our individual stance on what direction we feel these changes should be made with those we support.

Always pushing our employers and our customers into implementing the newest technology and replacing the systems that are no longer supported.

“The solution to your issue is to implement BYOD now!”

“XP is no longer supported, you HAVE to upgrade immediately!”

“You’re still on OSX 10.5, are you crazy?!”

“That system is still running Ubuntu 10.04. Are you an idiot?”

“OMG! My Android phone is so much better than your stupid iPhone!”

“Why in the world did you reformat that old computer? It’s slower than my phone. Throw it away!”

The Internet is full of articles on “how” to upgrade or “why” to upgrade, all written by IT Professionals that are true experts in their fields.

I want to approach this topic from a different angle. To perhaps offer another perspective and a potential reminder to others in this industry.

1. First off, no, it’s actually not our job to push our employers and customers into replacing their systems.

As IT Professionals we stand between an Industry that moves at unrelenting speed and the Consumer/Customer/User/Employer that implements new things at their own pace, if they do it at all.

It’s our job to provide a cushion between these two equal and opposite realities. We examine both the needs of the end user and the available new products and technology in order to be a trusted voice of reason for both sides.

We review the requirements of the user so that we can advise on the best solutions for their needs.

We also provide feedback into the industry as to those end user requirements so that we can help shape the future technology movement.

We are the only ones who have a view of both sides, so we are the experts at making the best fit between the two.

2. Don’t be a dick.

Seriously, the IT Professionals industry is full of Champions, Evangelists, Experts, Gurus, Consultants, etc.

What it doesn’t need are Fanboy/Fangirls.

Support your opinions and preferred solutions, sure, but don’t be a mindless zealot.

No solution to any problem was ever properly solved by someone with an agenda, on some kind of campaign.

Just look at our Governments as an example.

When you’re surrounded by round holes and all you have are square pegs, and a hammer, it’s not your job, or your right to make those square pegs fit anyway.

Shoving your views and opinions on what the end user should do down their throats, purely based on your own opinions, is an abusive use of our position.

3. I know it’s a shock but sometimes “just upgrade” is actually not the right answer.

Heresy! I’m going to be strung up on my server rack and get my coffee taken away by the flaming keyboard wielding mob of IT Professionals!

It’s a scary idea, but it’s true! There might actually be reasons that the end user is using their outdated technology.

Hardware compatibility with certain peripherals such as specialized controllers.

Software compatibility with expensive or irreplaceable software suites.

The system might still be perfectly capable of doing what it’s supposed to do.

Hell, maybe they just like it.

Or, yeah, they might not know what their options are.

Whatever the situation, there IS ALWAYS a reason someone isn’t implementing changes on their own.

Frankly you should be happy that they aren’t making their own changes because if they were, we’d be unemployed.

Use your knowledge and view of the situation to carefully review the user’s needs, and wants, and see if there is a way for them to get the same experience with more modern technology.

If there isn’t a way, then support their decisions, offer advice and use your skills to make their current systems work the best way possible.

If they don’t want to, or simply can’t, upgrade their XP machine, let them know all the reasons it’s important to replace it if/when they can but also go over all the options for making it as secure as possible so that they can continue using it. Then, revisit the situation at a later date to see if anything has changed.

Don’t belittle them for their decisions because when it comes down to it, you work for them. Not the other way around.

Pulling Local Admin Rights without causing the App-ocalypse

Or, what I like to call “Hah! Neener neener, no, you can’t go behind my back and install iTunes anymore!”

(Disclaimer: There are undoubtedly far more knowledgeable readers than me, especially in Security-related skills, who will cringe and tear apart what I’m about to write. But, this worked for my specific issue and it severely limits the security repercussions of using Local Admin. So, use these tips at your own discretion.)


You know them, you hate them.

The poorly coded Windows software that simply will not run without Local Administrator privileges.

So, you’re forced to give your Users way more privileges than they need, simply to support some critical software that was designed wrong.

Well, I’ve found ways to fix this by changing only privileges on a granular, more focused level instead of the global use of Administrator accounts.

First some real world background on what caused me to need to learn this stuff.

We’re, (as of this writing but upgrading very soon), a Windows 2003R2 Domain. (don’t judge)

Plus we have some VERY expensive, and now irreplaceable, critical Enterprise line-of-business software from the XP era that was written to require Local Admin rights for the user, or it simply didn’t run.

The software in question, since I’m going to reference it later, is called Agile Advantage. It’s some niche software for Product Lifecycle Management used in the Manufacturing industry.

Agile was an awesome company, but back in 2006 Oracle bought them and shut them down. Well, the software is essentially the spinal cord of our company, so here I am trying to keep it working as the Windows world advances along.

Ok, so Security Nightmare Number One. I am (now WAS, but we’re getting to that) required to give everyone who uses this software Local Admin privileges, which was essentially the whole company.

Now, leading into Security Nightmare Number Two, as I mentioned above, we’re a 2003R2 Domain, so we use a KIX script at log-in to map network drives. I know there are much better ways to do it, even under 2003R2, like PowerShell, but it has been in place for a long time, and it works. Well, here’s the thing.

Security Nightmare Number Two: User Account Control (UAC), from Windows 7 forward, blocks the KIX script when it is run under Local Administrator-level accounts.

(Something I didn’t know before this: when run under a Local User account, UAC runs it with the same privileges as Windows Explorer, so it doesn’t cause this problem.)

You can probably see where this is going.

Combine these two and now I’m giving Local Administrator to all my Users on Windows 7 PCs, AND turning off UAC. Both are strongly discouraged, but I had no choice.

Moving on to the reason you’re reading this. I finally had enough and undertook the massive project of trying to turn this train wreck around.

(Tool #1 for you TL;DR visitors)
Being a huge fan of the Microsoft Sysinternals suite of tools, I finally realized I could use Process Monitor to get a view of exactly what was going on behind the scenes in Windows when Agile Advantage was running.

Now, I at least have not been able to get Process Monitor to run except under Local Admin, so this was a brief bump in my plan, as the whole point was to test this application under Local User.

The solution in my case was to log into Windows with Local Admin privileges and then right-click the Agile Advantage exe, choose Run As, and select a Local User-level account.

This essentially tricks the application into behaving as if I was logged in as a local user but lets Process Monitor run as intended.

Process Monitor, if you happen to not know already, captures every active file, registry and process call that is going on in Windows. So, the critical trick to using it is Filters, because it goes nuts when you first run it; it’s really a busy place behind the scenes of Windows.

By adding a filter for Process Name is AgileAdvantage.exe (in this case) set to Include, and then a filter for Result is ACCESS DENIED, I was able to narrow the background noise down to just the traffic I was looking for.

Keep in mind Process Monitor is highly customizable so I recommend playing around with the filters so you can get it to do just what you want for your specific situation.

This led me to seeing Denied attempts against two local files in the C:\Windows and C:\Program Files (x86)\Agile Advantage 2006 directories, and also Denied against several Registry keys in the HKCR and HKLM hives.

By targeting those specific entries and changing the Advanced Security Properties of each one to give LOCALPCNAME\Users Admin-level privileges to just those files, I then got Agile to run. There were a couple of instances in the Registry keys where the LOCALPCNAME\Users account wasn’t even on the Security tab, so I just added it as needed.

Now, I used the local Users group because my intention is to create a generic image for future PC roll-outs and I don’t want to re-do this every time for each specific Active Directory account that might use the PC.
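One way to script the Process Monitor step and the targeted ACL change described above, as an added example that is not part of the original post. It assumes a Procmon CSV export with the default columns; the four sample rows, the settings.ini file name and the PlaceholderVendor registry key are constructed placeholders, not paths from the post, and BUILTIN\Users is the same group the post calls LOCALPCNAME\Users.

```powershell
# Added example, not from the original post. Reads a Process Monitor CSV export,
# keeps the ACCESS DENIED rows for one process, and grants BUILTIN\Users (the
# post's LOCALPCNAME\Users) rights on exactly those files and registry keys.
# Assumptions: default Procmon export columns; the rows and the vendor key below
# are constructed placeholders. Real use: $rows = Import-Csv 'C:\Temp\procmon.csv'
$TargetProcess = 'AgileAdvantage.exe'
$sample = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:01:02.1234567 AM","AgileAdvantage.exe","4120","CreateFile","C:\Program Files (x86)\Agile Advantage 2006\settings.ini","ACCESS DENIED","Desired Access: Generic Write"
"9:01:02.2234567 AM","AgileAdvantage.exe","4120","RegOpenKey","HKLM\SOFTWARE\Wow6432Node\PlaceholderVendor\Agile","ACCESS DENIED","Desired Access: Write"
"9:01:02.3234567 AM","explorer.exe","1880","RegOpenKey","HKCU\Software\Classes","SUCCESS","Desired Access: Read"
"9:01:03.0000000 AM","AgileAdvantage.exe","4120","CreateFile","C:\Program Files (x86)\Agile Advantage 2006\settings.ini","ACCESS DENIED","Desired Access: Generic Write"
'@
$rows = $sample | ConvertFrom-Csv
# Step 1: the filter the post sets in the Procmon GUI, reduced to one entry per path.
$denied = $rows |
    Where-Object { $_.'Process Name' -eq $TargetProcess -and $_.Result -eq 'ACCESS DENIED' } |
    Select-Object -ExpandProperty Path -Unique
# Step 2: Procmon prints hive names; PowerShell needs drive or provider paths.
function Convert-ProcmonPath([string]$Path) {
    switch -Regex ($Path) {
        '^HKLM\\' { return 'HKLM:\' + $Path.Substring(5) }
        '^HKCU\\' { return 'HKCU:\' + $Path.Substring(5) }
        '^HKCR\\' { return 'Registry::HKEY_CLASSES_ROOT\' + $Path.Substring(5) }
        '^HKU\\'  { return 'Registry::HKEY_USERS\' + $Path.Substring(4) }
        default   { return $Path }   # file-system path, used unchanged
    }
}
# Step 3: one Allow ACE per object. Modify / ReadKey+WriteKey is usually enough;
# raise to FullControl only if the application still fails. Run elevated, and read
# $denied first: every path listed becomes writable by all local users, so keep
# .exe and .dll files out of the list and grant on data files and keys only.
foreach ($p in $denied) {
    $target = Convert-ProcmonPath $p
    if (-not (Test-Path -LiteralPath $target)) { Write-Warning "Not found: $target"; continue }
    $item = Get-Item -LiteralPath $target
    if ($item.PSProvider.Name -eq 'Registry') {
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            'BUILTIN\Users', 'ReadKey, WriteKey', 'ContainerInherit', 'None', 'Allow')
    } else {
        # a single file takes no inheritance flags; a folder passes the ACE down
        $inherit = if ($item.PSIsContainer) { 'ContainerInherit, ObjectInherit' } else { 'None' }
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            'BUILTIN\Users', 'Modify', $inherit, 'None', 'Allow')
    }
    $acl = Get-Acl -Path $target
    $acl.AddAccessRule($rule)
    Set-Acl -Path $target -AclObject $acl
}
```

Comment out Step 3 on the first pass and just inspect $denied; the Procmon trace also shows ACCESS DENIED rows that the application tolerates, and those need no ACL change at all.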

Ok, so I’ve gotten the application to run, but it was still acting squirrely. Some functions that normally worked immediately were now taking a couple minutes, etc. Details are going to be different for each person and each application.

For my specific case, this led me to poke around forums for other possible tools to use to get a deeper view of what was going on. This led me to

(Tool #2 for you TL;DR visitors)
The Microsoft Application Compatibility Toolkit. Now, this software does way more than I even know, or needed in this project so I’d recommend playing around with it more. The part I specifically used is called the Standard User Analyzer (SUA) under Developer and Tester Tools. When I directed SUA to my target application and launched it, I got some more in-depth views of the system calls on the various tabs.

On the Registry tab there were a couple more HKLM and HKU keys getting denied, and on the Other Objects tab there was a sub-directory in the hidden C:\ProgramData directory that was trying to get written to and getting denied.

So, essentially what I’m saying is to use both of the tools listed above for your troubleshooting investigation.

Another similar tool that was brought to my attention by Chris Jackson, an Architect at Microsoft (@appcompatguy on Twitter) is called LUA Buglight.

For my specific instance I didn’t need this tool but it looks to be very useful for this and generates a concise text file report of the issues it runs into.

These steps fixed my specific problem that I’ve been fighting for years. It was a giant pain in the butt, and I repeated these steps for a couple of other key applications, but by combining all this work with a reference PC that I plan to use for imaging future systems, all the effort now will make future issues non-existent.

Now, some further adjustments I made because I’ve just found a lot of Windows Weirdness in the Event log over the years on systems running as Local User.

In Computer Management, Local Users and Groups, I added the following accounts to the following Groups.

NT AUTHORITY\Authenticated Users and DOMAIN\Domain Users added to the Distributed COM Users group. Again, I did Domain Users versus a specific person because I’m creating a generic image system.

I also added them to a few others, like Event Log Readers, Performance Log Users, Performance Monitor Users, etc., just to make any future work I might need to do on the individual’s computer under their account easier. This is just something you can decide for your own individual instances.

Happy Hunting and I hope my project steps here help others in similar situations.

To reference back to my initial Disclaimer above: I’m sure there are reasons why what I did is probably not recommended by some professionals, but I weighed the potential issues against allowing global Administrator privileges and decided these options were far preferable.