I don’t know how I could retype an address in the Windows help interface; however, I don’t think that would work, anyway. The cause of the problem is related to Vista’s “Preserve zone information in file attachment” feature, which is a security feature that ensures that downloaded files of certain types can’t be opened. The help files of Sysinternal tools are compiled HTML, which Vista considers a threat.

There are several ways to convince Vista that opening a Sysinternals help file is relatively safe. The easiest way is simply to unblock the .chm file in its properties menu (see screenshot). I like the explanation there: “This file came from another computer and might be blocked to help protect this computer.” I suppose most of the files on my computer come from another computer. I am glad that Vista doesn’t consider them a threat as well.

If you don’t want to be bothered by this problem again, you can just disable this zone information-in-file-attachment thing using the Group Policy Object editor (type “gpedit.msc” at the Start Search prompt). The setting can be found under User Configuration | Administrative Templates | Windows Components | Attachment Manager. Don’t forget to run gpupdate /force on the command prompt if you want the setting to take effect immediately.

Daniel Petri has described this Vista feature in more detail and offers two more methods for disabling it.

• FREE: Disk2vhd – A simple P2V tool that creates VHDs for Hyper-V and Virtual PC (9)
• FREE: Process Monitor – view file system, registry, and network activity (0)
• Tweets: Windows 7 performance – Mark Russinovich interview – Xen 3.3 – IE8 – Hyper-V news – SBS 2008 (0)
• Sysinternals Live? (7)
• FREE: TCPView – displays active TCP and UDP connections (3)

Disable the built-in Administrator account

On Vista machines the built-in administrator account is disabled by default. This is a good a thing. Of course, it is the primary target of all hackers (I don’t distinguish between hackers and crackers; it is all the same to me). I also recommend disabling the built-in Administrator account on all XP machines.

Set a password for the built-in Administrator account

In Vista, the built-in admin account has a blank password by default. I feel this is dangerous, even if the account is disabled. Johansson argues that this is not a problem, because an account with a blank password can only be used locally. However, if an attacker manages to enable the admin account (for example, if he has physical access to the machine), he can just set a password which will enable him to manage the machine remotely. Setting a strong password for the built-in admin account provides an extra level of security. You can also use tools, such as AutoAdministrator, to set the administrator password on multiple machines.

Rename the built-in Administrator account

Johansson advises against this common practice. His argument is that “no attacker worth his salt will be fooled by those tactics.” Well, that may be true, but your job as admin is not just to lock out the smart hackers. The majority of all attacks are performed by wannabe hackers. A renamed administrator account is an extra hurdle and doesn’t cost you much. However, I wouldn’t use this account, even it is renamed, as it has a well-known RID. It is safer to disable it.

Create a new local administrator account

Johansson recommends that every admin should have their own account. It makes sense for every admin to have their own domain administrator account, but, in my experience, this just isn’t practical for local accounts. It is quite time-consuming and dangerous to work with multiple local admin accounts. Having no local admin account isn’t practical either. If a machine is not able to log on to a domain, for example, you need a local admin account to find the problem. To re-install the OS every time you can’t fix a machine without an admin account (as Johansson recommends) is certainly not feasible.

Never share the local admin password with end users or external consultants

If an end user needs temporary admin privileges on a machine, you can just add their domain account to the local administrator group. Don’t forget to remove it as soon as the job is done. For external consultants, you should always create a new account.

Change the password of all local administrator accounts regularly

This is easier said than done. From my experience, it is essential that you have a fixed schedule for this. It is not enough to just decide that you will change local administrator accounts “regularly” because there will always be other things that you have to do first. How often you do this depends on how much you value security, but once a month would already be considered. I recommend choosing a fixed day. Basically, there are two methods for changing the password on multiple machines: you can run a startup script or you can change the password remotely, using a tool or script. The advantage of the startup script is that it runs automatically. The disadvantage is that machines that are offline for a long time will be excluded. Changing the password remotely is even more time-consuming because you have to make sure that all your computers are online when you run your script or your password management tool. Using a Wake-on-LAN tool can be helpful here, but in large networks this is often not practical. Of course, if you are in this situation, you will probably have a professional systems management solution that allows you to run scripts on your clients. I don’t even have to mention how essential it is to use a sufficiently complex password for the administrator account.

Try to a use unique passwords for the local administrator account

Using the same password for the local administrator on all computers is a common practice. I fully agree with Johansson that this is quite dangerous. If an attacker gets physical access to even one of your computers he can use the stored password hash to attack other systems in your network. It goes without saying that you should never ever use a domain administrator password for local accounts. Using a unique admin password on all machines is easier than you might think. Johansson offers a free tool, passgen, which allows you to generate a unique password for every desktop in your network. I will review passgen in my next posts.

• FREE: JiJi Help Desk Password Reset – Delegate password resets (0)
• FREE: NetWrix Bulk Password Reset – Change the local administrator password network wide (0)
• FREE: JiJi Self Service Password Reset – Allows end users reset their password (1)
• FREE: Elevation Gadget – Drag and drop to elevate programs (0)
• Raffle: GFI WebMonitor 2009 – Web Security (0)

A downside of tombstone reanimation is that by default, important attributes are stripped from AD objects when they are deleted. For example, user objects’ last and first name attributes are not saved in tombstone objects. Perhaps even more problematic is that the password is blank after you restore a deleted user object, which means that you won’t be able to keep it a secret that you have accidentally deleted users accounts.

The good news is that you can configure the Active Directory schema to store additional attributes in tombstone objects. The bad news is that the procedure is a bit complicated. Furthermore, this method can’t be used to restore group memberships of computer and user objects. The latter shouldn’t be a big deal if you’ve deleted only a few objects; but if the number of objects that have to be restored is too big, then you better use your backup tool to recover Active Directory.

The main advantage of tombstone reanimation compared to other restore methods is that once everything is configured, restoring Active Directory objects costs only a couple of mouse clicks. You don’t have to take your domain offline, which is necessary if you restore a backup.

To configure the attributes that are stored with the tombstone objects, you need a tool that allows you to edit Active Directory schema objects. I will use ADSI Edit in this description. This program is part of the Windows Server 2003 Support Tools (Adminpak), which can be found on the product CD. The latest version also can be downloaded. On a Windows Server 2008 machine, you can just add the Active Directory Lightweight Directory Services Tools feature, which belongs to the Remote Server Administration Tools. For Windows Vista, you have to download and install RSAT.

Note: Editing the Active Directory Schema is recommended only for advanced system administrators. In any case, you should make a backup of your Active Directory database before you mess with its schema.

In this example, we will configure the First name attribute to be stored in a tombstone object whenever a user object is deleted. The First name attribute corresponds to the Given-Name object, which you can find in the Schema hive in ADSI Edit. Double clicking the Given-Name object allows you to edit its properties. The searchFlags property is the one that will interest us here.

The searchFlags attribute also controls other behaviors. Its default value for the Given-Name schema object is 5, which corresponds to the binary number 00000101. You have to set bit 3 (the fourth position from the right as the first position is called bit 0) if you want the first name to be saved in the tombstone. However, the other bits should remain unchanged: 00001101. The values have to be entered as integers, so you have to change the attribute’s value to 13. If you are unfamiliar with binary numbers, then you can use the Windows Calculator in scientific mode. It allows you to convert integers into binary numbers and vice versa.

Well, I told you it is a bit complicated. What makes things even more complicated is that the schema objects’ names are sometimes different from the names of the attributes in the Active Directory User and Computers (ADUC) interface. Here are a few “translations” of common user object attributes:

First name = Given-Name
Last name = Surname
Initials = Initials
Display name = Display-Name
Description = Description
Office = Physical-Delivery-Office-Name
Telephone number = Telephone-Number
E-mail = E-mail-Addresses
Web-page = WWW-Home-Page

A few more translations can be found here.

If you want all these attributes stored in tombstone objects, then you have to set, for each of them, bit 3 in the searchFlags attribute of the corresponding schema object.

A schema object also controls the user password behavior, the Unicode-pwd object. Its searchFlags attribute is 0 by default. Thus to set bit 3, you have to enter the integer 8 (=1000). By the way, the schema object User-Password does not influence the tombstone object.

Please note that changes to the Schema don’t take effect immediately. You have to wait up to five minutes. However, you can “Reload the Schema” instantly with the Active Directory Schema snap-in.

One final note: Some applications change the Active Directory schema during installation. Usually, they inform you about it. You should check the schema objects you have changed after installing such an application.

• Djoin.exe – Unattended offline domain join in Windows 7 (0)
• FREE: Directory Service Comparison Tool – Restore changed Active Directory objects (0)
• Contest: MaxPowerSoft Active Directory Reports – Filters, and print preview (0)
• Contest: MaxPowerSoft Active Directory Reports – Quick LDAP Reporting (0)
• Active Directory management with PowerShell v2 (0)

Don’t store a battery that is almost empty. Stored batteries continue losing energy, albeit at a much slower pace. If the stored battery is totally discharged, it could be destroyed.

Don’t store a fully charged battery. Fully charged batteries deteriorate faster than half-charged batteries. Most articles I’ve read recommended storing laptop batteries with a 40–60% charge.

Store the battery at a low temperature. I usually put it in the fridge. It keeps my battery fresh and crisp. Check out this table at Wikipedia. 0°C (32°F) seems to be the best storage temperature. I wouldn’t put the battery in the freezer even though Li-ion batteries only freeze at approximately −40°C.

Store the battery in a dry place. A moist environment will accelerate discharging the battery.

Check the battery state every now and then. I would remove it from the fridge at least every 30 days to calibrate it (fully discharge and charge).

Let the battery warm up a little before you put it back into your laptop. If the temperature is raised too fast, it will strain the battery.

When I started this article, I thought I’d just share a few tips I’ve found on the web. But then I realized that there are quite a few things that can be done wrong with laptop batteries. That’s how I ended up with three articles. It is quite amazing that we can build space ships that have enough energy to fly to the moon but still have no decent portable energy sources for simple laptops. Perhaps fuel cells will change the picture in a few years.

Please note that even though physics was my minor in college, I consider myself a layman when it comes to battery preservation. Any comments and tips are welcome. Here are some of the articles I’ve read about this topic:

• Lithium-ion battery, Wikipedia
• How to prolong lithium-based batteries, Battery-University.colm
• Laptop Battery Care, Battery.com
• Take Care Of Your Li-On Battery, Ezine @articles
• How to Take Care of Your Laptop’s Battery and Make it Last, Associated Content
• Notebook Battery Guide, NotbookReview.com
• 5 Tipps: So halten Sie Ihre Akkus fit, PC-Welt
• Should I Remove the Laptop Battery For A Desktop Replacement Laptop?, About.com

• How to charge and discharge laptop batteries to extend their lifetime (23)
• How to take care of your laptop battery to prolong its lifespan (6)
• Some more better-together features of Windows Vista – Server 2008 (9)
• Windows Server 2008 and Windows Vista – better together? (4)
• Windows Vista from A to X (0)

Fully discharge a new battery and then re-charge it. This calibrates the battery.

Calibrate the battery every 30 charges, i.e., fully discharge it and charge afterwards.

Avoid frequent full discharges. In contrast to NiCd (Nickel-cadmium) and NiMh (Nickel-metal hydride) batteries, Li-ion (Lithium-ion) batteries show no memory effect. That is, it will do no harm to the battery if it is re-charged before it is empty. Full discharges will strain the battery.

Avoid total discharges. Total discharges, i.e., to the cut-off point, can destroy battery cells. Not all cells in a laptop have the same voltage. Your laptop’s battery gauge only displays the state of the whole battery. If a cell goes below a certain voltage it will be destroyed. Therefore, it is safer to stop working when your battery level reaches 20%. The low battery level can be configured under Vista in the advanced power settings applet. Vista will warn you when the battery reaches the low battery level.

Avoid high discharge rates. High discharge rates also strain the battery. Therefore, I would avoid power intensive tasks while working on battery. Some laptops come with special power management software that can disable unused components. Every piece of hardware that is active produces heat and wastes precious battery capacity. I also recommend checking out Vista’s advanced power management features. You will find many ways to reduce the power consumption. For example, I always set the maximum processor state to 1% while working on battery. You will be surprised at what a modern CPU can accomplish with 1% of its capacity.

Avoid full charges. Fully charged batteries deteriorate faster, especially at high temperatures. Monitor the battery icon in the systray and disable charging before it is fully charged. I guess this is not really a practical advice. Hence, it is only something for battery life-saver enthusiasts.

Avoid charging. This might sound like a rather unrealizable piece of advice because an empty battery has to be charged so it can be used again. The problem is that a lithium-ion battery only allows a limited number of discharge/charge cycles. If you are working on main, Windows will try to charge the battery whenever it falls below a certain level. This procedure is the worst thing that can happen to a battery. Usually, power management is set to high performance while the laptop is connected to AC. This increases the heat in the laptop while the batteries are being charged. One option is to disable charging while working on main. A far better option is to remove the battery if you don’t need it for the next couple of days.

In the next and final post in this series, I will give some tips on how a laptop battery should be stored to extend its lifetime.

• How to store a laptop battery properly to save it from an early death (2)
• How to take care of your laptop battery to prolong its lifespan (6)
• Some more better-together features of Windows Vista – Server 2008 (9)
• Windows Server 2008 and Windows Vista – better together? (4)
• Windows Vista from A to X (0)

There are two important keywords when it comes to battery preservation: charging and temperature. That is, how the batteries are charged, and the temperatures to which they are exposed, are key factors that determine their lifespan. Today I will write about how temperature influences the lifespan of a laptop battery, and in my next post I will cover charging and discharging.

Many people believe that low temperatures are harmful for batteries because they think of past winters when their car didn’t start in the morning after a cold night. However, the technology used in car batteries has little to do with Li-ion batteries. The same applies to non-rechargeable batteries, which can even be recharged a little by exposing them to the warm sunlight. The truth about Li-ion batteries is that high temperatures are their worst enemy. Therefore, the following tips will help prevent laptop batteries from getting too warm.

• Always use a laptop on a hard surface. Don’t put it on your lap (despite its name) or on thermal insulating materials such as cushions. If you like to work in bed with your laptop, I recommend using a laptop table. I have this one, and I am quite content with it.
• Try to avoid charging the battery while you are working with the laptop. Charging the batteries increases your laptop’s temperature. The problem is that the CPU, the graphics card and the hard disk also heat up your laptop, which adds to the temperature increase experienced when charging the battery. Many vendors deliver their laptops with software that allows you to disable charging. You also can remove the battery while you are working on AC current.
• Make sure the laptop’s ventilation can always work properly. Don’t place objects before the ventilation systems opening. Don’t run or charge the laptop while it is in its case.
• Don’t leave the laptop in the car or under the sun in summer. Use a bike. It keeps your laptop battery cool and your own battery healthy. And too much sun exposure causes only skin cancer anyway.

In my next post, I will give you some tips on how to charge and discharge a laptop battery in a way that prolongs their life.

• How to store a laptop battery properly to save it from an early death (2)
• How to charge and discharge laptop batteries to extend their lifetime (23)
• Some more better-together features of Windows Vista – Server 2008 (9)
• Windows Server 2008 and Windows Vista – better together? (4)
• Windows Vista from A to X (0)

In Safe Mode, Windows has reduced functionality, because only the core components have been loaded. In such an environment it is much easier to get rid of an application that has gone mad. Windows Safe Mode can be entered by pressing the F8 key before Windows boots up.

In order to uninstall a program in Windows, the Windows Installer Service has to be running. If you try to uninstall software in Safe Mode, Windows will just inform you that: “The Windows Installer Service could not be started.” Trying to start the service manually will only get you: “Error 1084: This service cannot be started in Safe Mode.”

The good thing is that it is not really difficult to outsmart Windows Safe Mode. All of the services that are allowed to start in Safe Mode are stored in the registry folder HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\

All you have to do is to add a REG_SZ key with the service name (not the display dame) and the value data “Service” (without quotes). The service name of the Windows Installer Service is MSIService. As such, the REG file that adds the correct key looks like this:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"

All you have to do is copy this to a text file, with the extension .reg, and drop the file into your tool box. Anytime you want to uninstall a program in Safe Mode, you just click on the REG file. You have to remove the key manually if you want to disable this feature. However, I think it usually won’t do any harm.

Please note that it is not always possible to uninstall software in Safe Mode because the corresponding installer program requires certain services to be running. In such a case you might just enable these services as well in Safe Mode by adding their service names to the Registry. The Service Name can be found in the service’s properties in the Services snap-in.

Note: If you know similar tips, please just mail them to

If I like the tip, I will post it as an article on 4sysops with your name and a link to your blog or website.

• Why Sysprep is an obligatory Windows deployment tool – Part 2: Unique SIDs are necessary (4)
• Why Sysprep is an obligatory Windows deployment tool – Part 1: All the important Sysprep functions (2)
• Microsoft’s free Windows 7 deployment tools – Part 3: Installation (6)
• Microsoft’s free Windows 7 deployment tools – Part 2: Image preparation (4)
• Microsoft’s free Windows 7 deployment tools – Part 1: Planning and compatibility (2)