Ghost Solution Suite

We recently found a bug in our software (winsnap) that causes it to crash when the screensaver starts in XP. 

I'm a noob at this so I'm not surprised this didnt work as expected.

I created a .reg file (Below) to disable the screen saver tab in display. When I doubble click the file it sucessfully changes the registy and disables the screen saver tab.

[.Reg File]
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
"NoDispScrSavPage"=dword:00000001

My plan was to have GSS copy the reg file to C: of the clients machines and then execute the command: regedit /s C:\DisableScreenSaver.reg, However when the tasks executes, it does not write the information to the registry.

What did I do wrong?

The problem with your example is that it is built on the HKEY_CURRENT_USER root, which isn't any specific user. Instead, that's an alias - a symbolic link - to a completely different area of the registry on a machine, and where that link goes depends on the user which is running the code at the time (the same is true of HKEY_CLASSES_ROOT).

The underlying physical registry structure (which is built out of a collection of files) can be seen a bit more clearly under HKEY_USERS, under which the system normally mounts the individual registry files that live in per-user account profiles. This list of profiles itself comes from the system-wide registry, under the HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList key.

Under this, users are identified by their Security ID's. For local users on a machine, this is the Security ID of the machine itself (the SID value that Ghost Walker or Sysprep changes for you) plus an extra number which is the account ID in the individual machine's account database. For domain accounts, this SID is one attached to the domain itself.

There are also a small number of SIDs that are "universal", and one of these is particularly important to what GSS does. On every Windows machine, there is a special user account called "LocalSystem" (or sometimes SYSTEM, depending on which piece of user interface you're looking at). This user account has exactly the same security ID everywhere, and what is important about it is that it has the ability to do absolutely anything to an individual machine - it's the Windows equivalent of the "root" user account in UNIX systems.

Now, Windows services that need this kind of power are not common, but the GSS management client is one of them - most of the things people ask the GSS client to do need that level of access, and the GSS client always runs under that special built-in account. The thing is that because there's no actual user with that account, for any script you run using GSS, it is run under GSS such that HKEY_CURRENT_USER is pointing at HKEY_USERS\S-1-5-18 - in other words that special account that no human can log in as, but which can do anything.

So, what you first really want to do here is figure out what you really want to have happen in terms of which user accounts on your target machines you actually want to be affected by this. This means understanding whether your users have local admin accounts, or domain accounts, and how many of them.

This will generally involve modifying multiple bits of the registry; for instance, HKEY_USERS\.DEFAULT which is the template that any new user accounts are built from, and registry paths for SIDs that start with S-1-5-21 as all real-human account SIDs tend to.

For most purposes, this is easiest to do by writing a simple Windows Script Host script that loops over those parts of the registry; the WMI Registry Scripting example shows this for simple things, and the StdRegProv WMI provider includes a method for looping over sub-keys, so scripting something to alter a number of accounts under the HKEY_USERS root is probably the easiest thing to do, and then you can deploy that through the GSS console.

The other solution which may be simpler to implement if you do not want to code Nigel's solution, is to use Active Setup. This will run once for each user the first time they log in after you deploy the solution.

http://www.etlengineering.com/installer/activesetup.txt

Hi Guys!

Sorry it took so long for me to get back. I really needed something quick and simple so I figured out my own trick. Heres what I did.

Created a batch file "DisableScreenSaver.bat" and had ghost throw it in the all users folder. So next time the machine is restarted it modifies the registry and deletes its self. 

regedit /S C:\DisableScreenSaver.reg
del "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\disablescreensaver.bat"
Exit

Now take in to account there is only 1 user per machine. 

Alright I started the task friday morning to get the ball rolling and left for the weekend. Testing on a 1-task-1-machine worked fine. But aparently its having problems pushing to 68 machines. 

The task ran all weekend and when I came back it had only done 3 machines! I cancled the task and it said 0 Clients ok 68 Failed.

Anyone have any ideas?

Unless all your users are administrators, your script is not going to work. It also depends on whether regedit is enabled or disabled by group policy.

1. The root of C: is at least read only for standard users. You should never put files in there. Better to create a C:\Temp folder and put your file in there.

2. The folder C:\Documents and Settings\All Users\  is read-only for standard users, as are all subfolders, so you are not going to be able to delete the batch file from there as a standard user. This would of course cause the task to return a failure error code even if the registry entry was made successfully.

If you have login scripts and regedit is not disabled then you could run this process during login. Otherwise there are many alternative solutions that could be implemented for locked down "standard" users, so tell us more about your permissions setup on these 68 machines.

Sure thing.

These machines were originally deployed without any real IT knowlage. In fact, the original IT person left because he could not handle going from a DOS based enviroment to a XP based enviroment. So they sent a catering manager to basic IT classes, and threw him in charge. 

5 Years later, I step in and start to quickly impliment some changes. The bigest being purchasing GSS for us to try to keep a faster more reliable control on everything.

Think of these as the most basic machines you can think of:

Networking:

• Each machine is assigned its own IP group: (10.xxx.32.2) with .2 being back of house operations and .3-9 as registers. 
• Each machine uses  the same subnet mask.
• And each machine uses 10.xxx.32.1 as the default gateway
• Each machine has its host file edited for our servers.
• Out database server holds our POS database and our GSS Console
• These machines are assigned to workgroups spicific to site (CafeXXX)
• There is no domain, and no group policy set.

User Accounts:

• There is only 1 account used on each machine. This account is set up as a adminsitrator and should have full access to everything.
• Only thing that was applied before my arrival was some minor power configurations and the ip address and name.

Machines:

• All XP SP3 machines are Dell Optiplex 745 SFF
• All w7 machines (NOT Part of this update) are 790
• All have a min 1gb ram
• All have Core 2 Duo

If you need anything else, let me know. 

I would like to correct something I said earlier. The Task actually did compleate 4 Machines. The task reported 0, but when I viewed the log, it shows 4. 

Ive attached the task log.

By the way, thanks everyone for holding my hand threw this. This is my first time using ghost for anything but imaging. 

Attachment(s)

Task Log1.txt   13 KB 1 version

All the failed tasks report that the task was cancelled by the user. Assuming that there were no users involved in this, the next likely candidate is your antivirus program. What you are doing (copying a batch file into the Startup group, and copying a reg file, is typical virus behaviour and many A/Vs will block this activity. There is also a perceived difference between running a local bat file as you did in testing, and copying a bat file from a network location.

As a test, try deploying a bat file that does nothing more than delete itself, to the startup folder, and see whether that works or not. If it does not, then that is the first thing to investigate further.

As a separate consideration, never assume that the installing account has access to a valid path environment variable. Therefore supply a full path to regedit.exe - typically C:\Windows\System32\Regedit.exe 

If your batch deployment test works OK, then try a single task deploying just the .REG file and see if that works. If it is blocked for any reason, you can try changing the file extension from .REG to .TXT and see if that works. If it does, then change the call in your batch file so it calls the .TXT rather than the .REG. If you are calling regedit with a command argument, then the file extension used for the registry data file is not important, as regedit will read it anyway.

The task ran all weekend and when I came back it had only done 3 machines! I cancled the task and it said 0 Clients ok 68 Failed.

I had to cancel the task this morning because of time restraints. I figured if it hadnt finished in less then 24 hours there was a probelm. 

I will try a simple task this afternoon. I'll probally try 2 tasks, 1 where it just copies a file. And another to try the batch file. 

Alright I made a simple task to copy a file to the C: drive. This was a less then 1mb text file. I sent it to 10 machines. And It failed on the first machine stating it timed out. The task continued and is in fact still running. 

IT apears to have attempted 2 schools: 

3/12/12
Carver: Transfer Files - Failed Client Timed Out

3/13/12
Three Chopt Transfer Files - Sucess
Three Chopt Finish - Sucess

So... were right at 10 hours for 2 Locations... that sounds like 340 hours to deploy 1 file. 

Theres got to be something wrong.

Where are you copying the file from, and where are you copying the file to?

Its copying from the "data" partition on our server and to the C: (root) of the machine.

Unless you mean actual locations?

It's never a good idea to copy to the root of C:

I would always recommend using either the TEMP folder or a specially created folder for this kind of thing.

So can you determine whether the file(s) in question are getting deployed to the C: drive of your target machines?

I'm sorry for taking so long guys. I've had some other more important issues arrise throught out the past week and havent had the time to troubleshoot.

On the machines (5/10) that suceeded (over 7 days) the file was copied over to the correct directory and seams intact. on the other 5 machines, it appears it was not copied. 

Check the system and application event logs for any relevant information, and check your antivirus logs as well.

Is there any chance that the machines have been hibernating when you tried deploying to them?

Are you trying to multicast to these machines?  If so, try Unicast.

Hibernation is disabled, along with the power configuration set to "always on" (it never sleeps, etc, there instructed to turn the monitor off and thats it)

However. I was using mulitcast. I wll try with unicast.
I canged the settings in options > Unicast and in the task proerties also.

If I am correct the task network settings only apply to images, correct?

Unicast fixed it guys. Was done in no time. 

Thanks a million.

The most likely reason you are having problems with multicasting is that IGMP snooping is not configured or incorrectly configured. There are many past postings by Nigel Bree (Ghost developer) about the whole IGMP topic so have a search if interested, or post back and I will have a search in my data store.