Operating systems - 5

SElinux is a beautiful thing. I love it! However, the drawback of a very fine-grained security control is, that the policy needs to be exactly right. Almost right won't do it.

This bite me when I realized, that systemd couldn't control StrongSWAN's charon - IKE-daemon. It worked flawlessly, when running a simple strongswan start, but failing on systemctl start strongswan. Darn! When the thing works, but doesn't work as a daemon, to me it has the instant smell of SElinux permission being the culprit.

Very brief googling revealed, that other people were suffering from that same issue:

• Bug 1444607 - SELinux is preventing starter from execute_no_trans access on the file /usr/libexec/stro
  ngswan/charon.
• Bug 1467940 - SELinux is preventing starter from 'execute_no_trans' accesses on the file /usr/libexec/strongswan/charon.

Others had made the same conclusion: it's a SElinux -policy failure. Older bug report was from April. That's a month before Fedora 26 was released! But neither bug report had a fix for it. I went to browse Bodhi and found out that there is a weekly release of selinux-policy .rpm-file, but this hadn't gotten the love it desperately needed from RedHat guys.

Quite often self-help is the best help, so I ran audit2allow -i /var/log/audit/audit.log and deduced a following addition to my local policy:

#============= ipsec_t ==============
allow ipsec_t ipsec_exec_t:file execute_no_trans;
allow ipsec_t var_run_t:sock_file { unlink write };

I have no idea if that fix is ever going to be picked up by RedHat, but it definitely works for me. Now my IPsec tunnels survive a reboot of my server.

Update 10th Sep 2017:

Package selinux-policy-3.13.1-260.8.fc26.noarch.rpm has following changelog entry:

2017-08-31 - Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-260.8
- Allow ipsec_t can exec ipsec_exec_t

... which fixes the problem.
To test that, I dropped my own modifications out of local policy and tested. Yes, working perfectly! Thank you Fedora guys for this.

It took me less than 4 years to finally revisit this subject. I'd like to thank all the people who commented the original blog post. It looks like for those years SystemD (am I writing it wrong?) was in constant evolution and new features were added.

This is what I'm running in production. Containing System and omitting Unit and Install -parts as they are unchanged:

[Service]
Type=forking
PrivateTmp=yes
User=nobody
Group=nobody

RuntimeDirectory=dhis
RuntimeDirectoryMode=0750

ExecStart=/usr/sbin/dhid -P /run/dhis/dhid.pid
PIDFile=/run/dhis/dhid.pid

This also makes my RPM spec-file simpler, I got to remove stuff there, because temporary directory creation is taken care. Finally, I think that this one is done and ready!

If you want to download my source RPM-package, go here.
If you want to know more about RPM-specs, read Maximum RPM - Taking the RPM Package Manager to the Limit.

In my previous post, I un-boxed my new Wi-Fi access point. This is the part for running something in it.

For this to happen, the obvious prerequisite is DD-WRT binary image built specifically for TEW-818DRU. DD-WRT supported devices -list doesn't say much. Little bit of poking around results in build 23720 back in the 2014 for this one. It is at: https://www.dd-wrt.com/site/support/other-downloads?path=betas%2F2014%2F03-13-2014-r23720%2Ftrendnet-818DRU%2F. As I wanted something newer, I went for November 2016 build 30880 at: ftp://ftp.dd-wrt.com/betas/2016/11-14-2016-r30880/trendnet-818DRU/.

My typical approach for flashing new firmware is to stay connected with a wire. In practice that means, that I'll hook up an ethernet cable to my laptop and the other end to the access point's LAN-switch. Then I'll configure a static IP-address at the laptop's operating system. This makes sure, that I'm 100% connected whenever the box is running. Doing this over wireless connection and/or using dynamicly assigned IP-address may or may not work. As these boxes are expensive enough, I didn't push my luck. The downside of this approach is, that I'll need to know what the actual management IP-address will be.

Ok, let's start!

On out-of-box-experience the web GUI is at 192.168.10.1:

After login, there is a nice setup-wizard. Which of course, we'll just skip by acknowleding the alert:

Now we're at the normal administrator environment:

For me, the word "advanced" is like honey to a grizzly bear . I'll always home towards it, I know that all the goodies are stored there:

And also this time I was right, firmware upload/upgrade has its own menu item. Its clear, that this device is 100% designed by engineers, they cannot even seem to be able to agree on a single terminology. Menu has "upload", page title has "upgrade". Any self-respecting user experience designer would yell "You're confusing the user with that!", but I guess this stuff is for nerds only, and they don't care.

After selecting the trendnet-818dru-webflash.bin file to be uploaded, there is yet again a nice warning:

It will take couple minutes for the flashing to complete:

There is very little indication, that the process completed. I didn't notice any lights blinking or something like that. It just completed, rebooted and stayed silent.

Now the IP-addess will change. DD-WRT is 192.168.1.1 at out-of-box-experience:

And that's pretty much it for firmware upgrade. At this point I did my wireless access point -setup including:

• Admin username and password
• AP's LAN IP-address, my LAN isnt' at 192.168.1/24
• Enable SSH-service
• Enable GUI-access for HTTPS and SSH
• Wireless network setup for 2.4 GHz and 5 GHz, WPA2 Personal with pre-shared key as security

DD-WRT is for knowledgeable administrators, no setup wizards or mumbo-jumbo. Just the settings.
Btw. configuration docs can be found at: https://www.dd-wrt.com/wiki/index.php/Configuration_HOWTOs

Hands down KB3200970 is the worst update I've seen for Windows 10!

In general I hate Windows 10 TiWorker-process. It sucks CPU like there is no tomorrow. I cannot comprehend how difficult it is to determine if an update is needed or not. If you compare to any Linux .deb or .rpm packaging, a simple update check in Windows 10 is way too heavy. I find this kind weird. When Microsoft announced simplifying servicing models for Windows 7 and Windows 8.1, the reasons were to reduce scan times and finding right patches easier. It certainly doesn't feel like it to me.

So, there is Cumulative update for Windows 10 Version 1607 and Windows Server 2016, released November 8, 2016. This is also known as KB3200970 and boy, do people have trouble installing it!

This is what happened to me:

For about 8 hours it was stuck there in the preparing phase. While doing absolutely nothing, this was my CPU-load:

Well done idiots!

Net is full of stories like mine: How to fix Windows Update in Windows 10 if it becomes stuck, Windows 10 KB3200970 issues: install fails, high CPU usage, battery drain and more and Cumulative Update for Windows 10 Version 1607 for x64-based Systems(KB3200970).

The Reddit-article had a link to KB971058, How do I reset Windows Update components? which helped some. I gave it a try and it did help.

First some services needed stopping. This is what you would run as an administrator cmd.exe:

net stop bits
net stop wuauserv
net stop appidsvc
net stop cryptsvc

In my case the wuauserv didn't stop, I had to find the process id for it and kill it manually. After all that, I attempted renaming:

Ren %systemroot%\SoftwareDistribution SoftwareDistribution.bak
Ren %systemroot%\system32\catroot2 catroot2.bak

First one failed, so I don't know what the impact was. Then I ran the entire list:

cd /d %windir%\system32

regsvr32.exe atl.dll
regsvr32.exe urlmon.dll
regsvr32.exe mshtml.dll
regsvr32.exe shdocvw.dll
regsvr32.exe browseui.dll
regsvr32.exe jscript.dll
regsvr32.exe vbscript.dll
regsvr32.exe scrrun.dll
regsvr32.exe msxml.dll
regsvr32.exe msxml3.dll
regsvr32.exe msxml6.dll
regsvr32.exe actxprxy.dll
regsvr32.exe softpub.dll
regsvr32.exe wintrust.dll
regsvr32.exe dssenh.dll
regsvr32.exe rsaenh.dll
regsvr32.exe gpkcsp.dll
regsvr32.exe sccbase.dll
regsvr32.exe slbcsp.dll
regsvr32.exe cryptdlg.dll
regsvr32.exe oleaut32.dll
regsvr32.exe ole32.dll
regsvr32.exe shell32.dll
regsvr32.exe initpki.dll
regsvr32.exe wuapi.dll
regsvr32.exe wuaueng.dll
regsvr32.exe wuaueng1.dll
regsvr32.exe wucltui.dll
regsvr32.exe wups.dll
regsvr32.exe wups2.dll
regsvr32.exe wuweb.dll
regsvr32.exe qmgr.dll
regsvr32.exe qmgrprxy.dll
regsvr32.exe wucltux.dll
regsvr32.exe muweb.dll
regsvr32.exe wuwebv.dll

Lot of them failed, but that's what the KB971058 told to do. Then starting the services:

net start bits
net start wuauserv
net start appidsvc
net start cryptsvc

Still this update tested my patience. It ran couple hours preparing after it announced, it's ready to go install. The installation took yet another couple hours. After the installation was completed and the obligatory reboot was done, Windows still reported that a reboot is required. This update really sucks ass!

Ultimately my laptop spent more than 50 hours to install all this. There were number of retrys and times than I didn't care to look to closely what's going on, so the machine had to wait for user interaction. Still the process was paintakingly long.

This is the abridged version as most steps are exactly like in OS X El Capitan. See my article about that.

Step 1: Go download

As any upgrade, go to App Store, it should look like this:

Beware, it is quite a chunk (almost 5 GiB to be exact). If your Internet connection isn't too fast, be prepared to wait a while:

When the download is done, the installer will start automatically. It will look like this:

That's your cue. Do not proceed with the installation, but quit the installer instead:

Now all the necessary files are on your machine.

Step 2: Go USB

The recipe is classic, insert an USB-stick of suitable size, unmount it, prepare it for install, copy installation files to it and you're done!

Unmount (your volume name will differ, unless the stick had an Arch Linux installation in it):

sudo diskutil umount /Volumes/ARCH_201607/

Pay attention to the output, it will give a clue about the device identifier of your USB-stick on your machine it can and will vary. My output was:

Volume ARCH_201607 on disk3s1 unmounted

Now that we know which disk it was, partition and format the stick as JHFS+:

sudo diskutil partitionDisk /dev/disk3 1 GPT jhfs+ "MacOS Sierra" 0b

It will take a while and during operation it will say something like this:

Started partitioning on disk3
Unmounting disk
Creating the partition map
Waiting for the disks to reappear
Formatting disk3s2 as Mac OS Extended (Journaled) with name MacOS Sierra
Initialized /dev/rdisk3s2 as a 7 GB case-insensitive HFS Plus volume with a 8192k journal
Mounting disk
Finished partitioning on disk3
/dev/disk3 (external, physical):
#:                  TYPE NAME        SIZE    IDENTIFIER
0: GUID_partition_scheme             *8.0 GB disk3
1:                   EFI EFI        209.7 MB disk3s1
2:             Apple_HFS MacOS Sierra 7.7 GB disk3s2

Now the stick is good to go, transfer the installation image into it:

cd /Applications/Install\ macOS\ Sierra.app/Contents/Resources/

sudo ./createinstallmedia \
   --volume /Volumes/MacOS\ Sierra/ \
   --applicationpath /Applications/Install\ macOS\ Sierra.app/ \
   --nointeraction

Again, that will take a while and output something like:

Erasing Disk: 0%... 10%... 20%... 30%...100%...
Copying installer files to disk...
Copy complete.
Making disk bootable...
Copying boot files...
Copy complete.
Done.

That's it. The stick is ready.

Step 3: Go update

This is the part, that you'll be repeating on each newly upgraded/installed machine.

Follow the installation procedure and boot to the newly installed macOS. If this doesn't make any sense to you, see my previous article about that.

Step 4: Finishing touches

After boot, you'll end up in a classic login-screen. Login and upgrade will continue there.

The only new items are:

My choices for those new questions are:

• no, absolutely not I won't be storing my data into iCloud, I have the freebie 5 GiB of space there and with my files I'd run out pretty soon
• no, absolutely not I won't be enabling Siri (aka. spy-machine)

Step 5: Done!

That's it, enjoy your upgraded operating system.

Couple of glitches here and there, but the most important one was that my SSH didn't do agent forwarding anymore. I'm not alone with that, other people reported same issue:
ssh -A stopped working in macOS Sierra and keychain is not unlocked at login

The second thing is, that MD5 signed root certificates aren't accepted anymore as default. Unless you're doing some weird shit like I, you won't notice this change. This is fully documented and know before. In optimal world we wouldn't have any MD5 signed root certificates anymore.

Other than those two, I continued using my macs as usual.

I wrote couple of posts about Windows 10 upgrades, but there are no more free upgrades. See:

From now on, you'll just have to pay for it.

There are couple of issues I bumped into while upgrading about dozen PCs last month alone and I'll be blogging about those later. There is no rush, as the free upgrade window closed (pun intended).

Before release of Windows 10 build 10565 in October 2015, it was pretty much impossible to do a clean install for upgrading Windows 7 or 8 without first running the upgrade on the target machine. The announcement said:

Device activation improvements: Microsoft has received a lot of feedback from Insiders on making it easier to activate Windows 10 on devices that take advantage of the free upgrade offer to genuine Windows by using existing Windows 7, Windows 8 or Windows 8.1 product keys. If you install this build of the Windows 10 Insider Preview on a PC and it doesn’t automatically activate, you can enter the product key from a qualifying Windows 7, Windows 8 or Windows 8.1 used to activate the prior Windows version on the same device to activate Windows 10 by going to Settings > Update & security > Activation and selecting Change Product Key.

In short: You can whip up your install USB and do a clean install on a machine. If its not an OEM-machine, just enter your Windows 7 or Windows 8 key at install, and the thing should activate. Nice an easy.

And to clarify the exact build number situation your box is running, go to Settings, System, About. It should have something like this:

As suggested by Ilpo in a comment he left in my blog, there is an alternative method described by article How to Directly Clean Install Windows 10 without having to Upgrade First. Of course I had to try that! And thanks Ilpo, for the suggestion.

What you need is a Windows 10 install USB-stick. Go create one with your favorite method, and if you don't have a favorite, just go for Media creation tool, it can download an install image and store it to your USB-stick for later booting.

When your install-stick is ready, go find <your USB-stick drive>:\support\gatherosstate.exe into the target machine to be upgraded. Do NOT run in at the USB-stick, COPY it. I just dragged the file into my desktop. When ran, the application will create a XML-file containing a fingerprint from the machine ran. That fingerprint can be used to active the upgraded Windows 10 installation later. Needless to say, this type of activation will work only for valid upgrade paths. You cannot upgrade Windows 8.1 with Bing into Windows 10 Pro (I tried).

Second important thing: Run the gatherosstate.exe as an Administrator. I tried to validate the run-as-Admin -requirement after the upgrade was done, but it was too late. The file generated will differ. My thinking is, that it is not necessary to run as Admin, but that's what the original instructions said.

Take a copy of the generated GenuineTicket.xml-file. You will need that later. At this point you're good to go with a clean install. Replace hard drives or just re-partition the original one, whatever your install plan is. I'm guessing you wouldn't be doing the upgrade this way if it wasn't absolutely necessary.

During Windows 10 installation do NOT enter a license key. It is possible to "skip this" and "do this later" and ultimately when the install ends run a perfectly good non-activated Windows 10.

Now its time to go activate the newly installed Windows 10. You need to locate your saved GenuineTicket.xml-file and copy it to directory %ProgramData%\Microsoft\Windows\ClipSVC\GenuineTicket. Like this:

Now the activation is only a reboot away. Go ahead and boot the thing, and confirm:

Done! Simple as pie.

One of my own boxes runs a Fedora Linux. A while back my upgrade failed miserably due to Fedora installer not getting an IP-address from my ISP, Elisa. I had a minor skirmish for an hour or so with the installer, but no avail, Fedora installer beat me on that one. As I love to have that box up and running, I gave up and decided to investigate that later. Now that day came and I'm victorious!

Basics

DHCP is what pretty much everybody has for getting an IPv4 address in 2016. Mobile connections have something different, but everything else including Wi-Fi hotspots, ADSL-routers, Fiber-to-the-Home -connections, etc. etc. issue an IP-address (mostly IPv4, sometimes IPv6) to any well-behaving customer of theirs. Today, the de-facto is that the IP-address is allocated out of a well known broadband address range, or pool. Lists of those are generally available, so that home customers can be differentiated from data centers and companies.

To put DHCP simply, it is a mechanism for allocating an unique address for your Internet connection. The Wikipedia definition for Dynamic Host Configuration Protocol uses more words and isn't as concise as mine, but you'll get the idea.

Details of the problem

In case of mis-use or unpaid internet bill, they'd naturally decline any DHCP-requests for an IP-address. Since everything I tested, including various Windowses, OS Xes and Linuxes worked it wasn't about that. The connection was ok, the DHCP server issued a valid DHCP-lease as it had been doing for couple years, but not for my Fedora installer. Duh?

At this point I went to google for the symptoms and quite soon I landed into RedHat Bugzilla. It contains bug 1154200 which is titled as "not getting a dhcp address assigned". Mr. Krovich reports that his Fedora 21 installer won't get an IP-address from ISP. I pulled up a Fedora 20 installer for the previous version. It worked ok! Yep, they changed something into Fedora 21. The change affects Fedora 22, 23 and the latest 24. It does not affect RedHat nor CentOS (yet).

Fix (aka. trial and error)

In the comments of bug 1154200 they're talking about Option 61 commit which was introduced for Fedora 21 release. A possible fix would be to use DHCP-configuration: send dhcp-client-identifier = hardware;

I downloaded Fedora 24 installer and tested it out. It didn't help any. After a lot of wiresharking the traffic, I isolated this:
In the DHCP Discover -packet, there was an Option 61 present.

More poking for man 5 dhclient-options revealed that it was possible to specify a fixed string for identifier. So, again I edited /etc/dhcp/dhclient.conf (btw. the file didn't exist to begin with, I had to create one) to contain:
send dhcp-client-identifier = "";

That did the trick! Now even Fedora 24 installer got a a valid IP-address and it was possible to install.

Specs

In the early days, all IP-addresses were assigned manually. Everybody was given an IP-address and they punched all the details manually. That was frustrating and error-prone, so somebody invented BOOTP to automate the entire setup. Quite soon, that evolved into DHCP, defined by RFC 1531. When DHCP gained traction and more and more vendors joined the dynamically allocated -game, couple of clarifying iterations later, we're at RFC 2131 for current breed of DHCPing. It is basically the original BOOTP, but with most wrinkles ironed out.

The options are defined at RFC 1533 for DHCP Options and BOOTP Vendor Extensions. Looks like nobody supported Option 61 for a long time. Windowses don't, Apple doesn't, most Linux Distros don't, but RFC 4361 for Node-specific Client Identifiers for Dynamic Host Configuration Protocol Version Four (DHCPv4) must have done it for Fedora-guys. They chose to implement request 560361 (Dhclient doesn't use client-identifier; may cause issues in certain bridged environments) and make sure everybody uses it, with assumption that all ISPs that won't support Client Identifiers will merrily ignore the option. Nice!

Afterwards

I'll target equal blame to my ISP. The Option 61 is well-defined and it should be possible to ignore it. Looks like they're running Alcatel-Lucent hardware there and for some reason it is configured to spit on Option 61 requests.

Naturally I reported the error to my ISP, but you can assume how well that goes. Any regular customer facing clerk won't know DHCP or what it does, nor any options of it. So all I got back is the classic "we'll investigate" -style response. I'm not keeping my hopes up. I have more hope on my own Bugzilla request 1357469 to have an option to enable or disable usage of Option 61 on Fedora. They might even implement that one day.

Anyway, I'm hoping that this post will help somebody strugging to install their Fedora.

I'd like to be clear on this: I did not figure this one out myself, I just bumped into Philip Yip's page about this. All the credit should go to him, I just tested this and confirmed it to be working.

One of the upgrades I did earlier this month was for a Windows Vista. Computer geeks point out two things immediately: 1) Vista! Really? Who would use that voluntarily? 2) well, it cannot be upgraded into Windows 10. Both very true. It just so happened, that there was an OEM Vista running on a computer. Vista will cease to have security upgrades on 10th April 2017, so I suggested to upgrade the thing into a 10 while I did some other work on the thing. Obviously the person owning the poor computer didn't want to pay for the upgrade, so I chose to go with Mr. Yip's method on it.

Prerequisites

For this to happen you will need:

• An USB-stick, minimum size 4 GiB
  • This will be used to host the Windows 10 installation image
  • I went to a supermarket and got a brand new 16 GiB USB3 stick for the speed improvements
• Ability to boot the target computer from the above USB-stick
  • Most computers I've worked with can do this
• Windows 10 ISO, build 10130
  • Ok, this one is harder one to come by, but it is generally available in the Big Net. I'm talking about software piracy here.
  • You will need this specific build. Older or newer ones won't do the trick.
• A piece of software to write this ISO-file into the above USB-stick and make it bootable.
  • My favorite thing for doing that is Rufus. It is a solid piece of software to write images into USB-sticks.
• Windows 10 media creation tool
  • You can get one from Microsoft's website
• Possibility to disable internet connection from the target machine and enable it when needed
• Finally: Possiblity to change the BIOS/UEFI date on the target computer.
  • This trick solely relies on the fact, that you can pretend the date to be in the history.

Also please note, that there is NO UPGRADE possibility here. This is effectively a fresh install. If you choose to re-install on top of your existing Vista installation, please take care no to lose any precious data. I installed a bigger hard drive to the computer, so I made sure that the old drive was intact during this process.

Steps

This is how the entire process goes:

1. Use Rufus to create Windows 10 build 10130 USB-stick
   
2. Boot into BIOS/UEFI setup, set date to anything around September 2015. I just bumped back the year and did my installation in "July 2015".
3. Make sure, there is no Internet connection during the installation. THIS IS IMPORTANT!
4. Boot from Windows 10 build 10130 USB. Make sure there is no Internet connectivity on the machine, so that it is impossible for it to update date via NTP or talk to Microsoft.
   1. Run Windows 10 install (for the first time)
   2. During installation, don't bother installing any security upgrades, you will re-install entire Windows 10 after this one completes.
      
   3. Wait couple of hours. This depends on your hardware speed.
   4. Remove the USB
5. Create a recent Windows 10 install USB
   • I had my own computer for media creation and didn't have to use the target computer for this. This can be a parallel process.
   • When asked about the edition, choose Win 10 Pro
6. Turn off internet time when install done. I found that one to be little tricky, but the setting is there.
   
7. Set a specific license key. For this you'll need to open CMD.exe as Administrator. If you attempt this as a regular user, ie. not right clicking the cmd.exe and selecting "run as administrator", you'll notice that soon. The command to execute is:
   slmgr /ipk 6P99N-YF42M-TPGBG-9VMJP-YKHCF
   
8. Connect to internet. THIS is the first time the install machine is allowed to get there. If your box did connect to The Net before this, you have failed.
9. Activate Windows (remember: Admin prompt):
   slmgr /ato
   
10. Now you have an activated Windows 10 running. You can go to My Computer and Properties to confirm.
    
    However, it's an old edition and you don't want to keep that. The important thing is, that now your computer's fingerprint has been stored into Microsoft's server and any subsequent Windows 10 installations will proceed without entering any license key.
11. Just insert the USB install stick with the newer Windows 10 installer (the one you created on step 5) and run setup.exe on that. There is no need for reboot or anything, just run the installer.
12. Install it again! This is your second installation.
    • I choose to keep nothing. This just makes sure, that all the old garbage will be gone after you're done.
    • Please note, that when asked for license key, don't enter any. Always select "Do this later" or "Skip". This is not needed and your newly installed Windows 10 will be activated at the end.
    • Wait 15 minutes
13. You're done! Your Windows is ready to be used.
14. Remove the first installation stored into C:\Windows.old, you don't need to keep any of that. However, the files are protected by operating system and deleting the entire directory prooved to be little tricky. I ended up booting from the USB-installation stick into rescue-mode and chose the cmd.exe from that. On prompt I entered two commands:
    del /S /F /Q c:\Windows.old
rd /S /Q c:\Windows.old

Finally

This process worked for me on 5th July 2016. I don't think this has anything to do with July 29 free upgrade -limitation.

Also I'm sure guys at Microsoft keep track of their installations. They'll know exactly how many licenses they gave out using this method. My thinking is, that they simply don't care. Pretty much all of the competition is giving out operating systems for free and they cannot for some strange reason. Anybody choosing this method needs to be aware, that in an unfortunate scenario they would deactivate all licenses distributed this way.

Happy installing! I know I created one ex-Vista user very happy with this.

Recently I've been doing a lot of Windows 10 upgrades. The free upgrade offer is about to end in less than 15 days:

There is a counter in Windows.com.

My own adoption to Win10 is pretty high, only one box left to upgrade. I'll have to resort to virtual machines for things, that I really, really need Windows 7 for.

The real-time Windows 10 adoption gauge @ gosquared.com shows one third:

That's pretty good, but not the number Microsoft guys are aiming for.

I regularily follow Mr. Gordon Kelly, a writer who publishes @ forbes.com. In December 2015 he wrote a piece with a title 'Free' Windows 10 Has An Expensive Secret. There he pretty much speculates, that Microsoft really wants to get to one billion (1.000.000.000) Windows 10 installations as fast as possible. Not giving away free upgrades to pretty much everybody wouldn't help in that. However, his post after Microsoft's May 2016 press release (Three Reasons Microsoft Stopped Free Windows 10 Upgrades) indicates, that even he gave up hope on prolonged free upgrades being available. I guess, they didn't want to get to one billion that bad. That's something Mr. Richard Hay @ winsupersite.com predicted last December.

It seems that it is possible to prolong your free upgrade offer by enabled assistive technologies. See Microsoft's blog post about that. But unless you do that, it's time to act on it or do some trickery after July 29th.

For my Windows 10 weeks, I'll be posting couple of articles what I did earlier this month with my various upgrades.

I was about to upgrade an old CentOS 6 box into 7. It was all planned, backups taken, necessary information gathered and USB stick prepared with 7.2 DVD image in it. A shutdown and boot from the installation USB, bunch of settings, date/time, keyboard, network, but Däng! No dice.

My initial attempt was to install from USB, but for some reason the server didn't see the USB volume as a valid installation source. No problem, I thought, let's go for network-install then. The interface was already up and the box could reach Internet ok. Installing from a mirror shouldn't take too long. But no. All I could accomplish was a "Error setting up base repository". I went googling about this and found CentOS 7.2 Netinstall Guide – Network Installation Screenshots.

First I set up installation source as On the network: http://mirror.centos.org/centos/7.2.1511/os/x86_64/ and then This URL refers to a mirror list: Checked. No avail. It took about 8 minutes to get the error, but this approach failed miserably. What /tmp/packaging.log had was:

ERR packaging: failed to grab repo metadata for anaconda: Cannot find a valid baseurl for repo: anaconda
ERR packaging: metadata download for repo anaconda failed after 10 retries

Argh! 8 minutes to determine, that the thing didn't work.

There was plenty of time to plan for the next move. I went to see CentOS mirror list, and picked the local Finnish mirror at nic.FUNET. Setting that as source: http://ftp.funet.fi/pub/mirrors/centos.org/7.2.1511/os/x86_64/ and with This URL refers to a mirror list: set as Unchecked got me butkus, /tmp/packaging.log had:

ERR packaging: failed to grab repo metadata for anaconda: failure: repodata/6990209f63a9fd811f13e830ac3c6de4c5d70a42b1c6873e4329b523d394c3bd-primary.xml.gz from anaconda: [Errno 256] No more mirrors to try.
http://ftp.funet.fi/pub/mirrors/centos.org/7.2.1511/os/x86_64/repodata/
6990209f63a9fd811f13e830ac3c6de4c5d70a42b1c6873e4329b523d394c3bd-primary.xml.gz: [Errno 14] HTTP Error 404 - Not Found

Finally a tangible result. Obviously the HTTP/404 was correct. There is no such file in that directory. It took me about 15 seconds to determine, that the URL should be http://ftp.funet.fi/pub/mirrors/centos.org/7.2.1511/os/x86_64/repodata/
0e54cd65abd3621a0baf9a963eafb1a0ffd53603226f02aadce59635329bc937-primary.xml.gz. Something was off in the installer metadata. But where?

I checked treeinfo at http://ftp.funet.fi/pub/mirrors/centos.org/7.2.1511/os/x86_64/.treeinfo, but no avail. Then my poking around landed at /var/run/install/repo/repodata. It has among others, a file named repomd.xml. Looking at the network version from http://ftp.funet.fi/pub/mirrors/centos.org/7.2.1511/os/x86_64/repodata/repomd.xml made everything clear as crystal.

• Drive had:
  • revision 1449702798
  • 6990209f63a9fd811f13e830ac3c6de4c5d70a42b1c6873e4329b523d394c3bd, the file that doesn't exist in the mirror
• Network had:
  • revision 1449700451
  • 0e54cd65abd3621a0baf9a963eafb1a0ffd53603226f02aadce59635329bc937, the file that does exist

But how to fix this?

My initial attempt was to wget http://ftp.funet.fi/pub/mirrors/centos.org/7.2.1511/os/x86_64/repodata/repomd.xml into /var/run/install/repo/repodata and retry, but that didn't change anything, still the same frustrating error after 10 minute delay.

I rebooted the box and relized, that my change persisted on the USB-drive. Whoa! Anyway, I got things cooking this time. Finally the base repository was accepted, I got to go make installation selection and got the install forward.

What the hell was going on there? Where did the incorrect repomd.xml come from? It isn't in the installation image. Or it is, but it comes from a place I didn't find. Whatever it is, there is something seriously off in the process. Why doesn't the installer try to get the most recent version from the network. It is a network install, after all!! After frustrating couple hours later than anticipated, I finally got the box upgraded. Hopefully this information saves you that time.

Microsoft's policy to annoy every Windows 7 and 8.1 user to the point every single one of them will be crazy is something I've addressed earlier. My previous posts are here and here.

Couple days ago I decided to go and upgrade one of my existing Windows 7 boxes. It's roughtly 2 months time left for me to get my free upgrade, also I had been staring enough the re-releases of Update for Windows 7 for x64-based Systems (KB3035583), which every single time I see the upgrade being offered makes me laugh out loud. As you can see:

It reads:

Recommended update

Install this update to resolve issues in Windows. For a complete listing of the issues that are included in this update, see the associated Microsoft KnowledgeBase article for more information. After you install this item, you may have to restart your computer.

Ok. I chose to "resolve issues" in my Windows. In reality that's just crap that forces me to look at Windows 10 being forced down my throat. That one causes more issues than it resolves. That's a complete lie!

I carefully made sure I have backups and all necessary information and decided that I'm good to go for upgrade. But quite soon I realized, that ... there is no easy way for me to upgrade. As I wrote in my previous blog posts, I've taken drastic measures to deflect any/every possible Microsoft attempt to inject anything related to the upgrade, upgrade widgets, upgrade tools or upgrade pre-loaded files.

So, I decided to go google "windows 10 upgrade", landed at page https://www.microsoft.com/en-us/windows/windows-10-upgrade which very helpfully offers to download a tool called GetWindows10-Web_Default_Attr.exe. Downloading and runnin that does absolutely nothing! I took a peek what it does and it simply runs GWX.exe. Which of course, as a result of my deflector shields again does absolutely nothing. It just fails quietly and exits.

A new plan was needed.

Then I landed on another Microsoft page: https://www.microsoft.com/en-us/software-download/windows10. That one prooved to be much more useful. On that page, there is a download for Windows10Upgrade9252.exe which actually could upgrade my Windows.

The upgrade went fine, I didn't lose too many applications and my user profile survived the upgrade well too. The only thing I had to do was to disable IPv6 privacy randomization. This is my recipe which I run on every one of my Windowses:

netsh interface ipv6 set privacy state=disabled store=active
netsh interface ipv6 set privacy state=disabled store=persistent
netsh interface ipv6 set global randomizeidentifiers=disabled store=active
netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent

Other than that I didn't do much else. And as a result I get to see forced advertisements for Office365. Crap!

Those pushhy bastards at Microsoft really, really want to upgrade every Windows 7, 8 and 9 into a 10. (Yes, Windows 9 doesn't exist.) They even re-released KB3035583 to make sure that any previous blocking since March 2015 wouldn't be affected anymore. This is what my Windows 7 started doing:

This wasn't supposed to be happening. See details of Part 1. I downloaded latest version of GWX Control Panel, I think it is 1.7.3, but it showed nothing special:

There were some deleted Windows 10 files and a single process running, but I re-zapped them with GWX CP. That didn't make the KB3035583 disappear from the updates list.

A solution to make it gone was simpler than I originally thought:

Just selecting Hide update will make it stay gone. I guess MS-guys will be re-re-releasing it eventually, but for the time being, I'm happy with the result.

The problem

Ok. Microsoft has amped up their "upgrade now" campaign to a ridiculous level.

First Microsoft Marketing chief Chris Capossela "warned" about Windows 7 being insecure. Warned in quotes because my initial reaction was: "Oh really!? Is it really possible, that a Windows can not be secure operating system."

While this machine is eligble for a free Win 10 upg, I just don't want to do that yet. I will upgrade eventually, but at the time I choose, not some ignorant corporate chose for me. So, Mr. Capossela explained that users who choose Windows 7 do so “at your own risk, at your own peril” and he revealed Microsoft has concerns about its future software and hardware compatibility, security and more.

Now the latest development is, that Windows 10 upg is a recommended update as they're now aggressively pushing Windows 10 upgrades. Meaning, that have to actively dodge it every time I'll upgrade this box of mine.

Further details about KB2952664 a Compatibility update for upgrading Windows 7 patch @ Softpedia article.

The information

The annoyance looks like this:

In the process list of the victim machine, there is a GWXUX.exe producing that. Actually there are other GWX-prefixed processes capturing your machine, but for the sake of this blog post I'm ignoring that crap.

Ages ago Microsoft release KB article ID 3080351, How to manage Windows 10 notification and upgrade options. It contains all kinds of useless information about modifying registry entries like HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\OSUpgrade value ReservationsAllowed.

What the article doesn't mention is, that it also hijacks your disk space at C:\$Windows.~BT and C:\$Windows.~WS. I got a tip from an article and found 5 GiB of crap already loaded to my computer. I ran cmd.exe (with administrator credentials) to free up my SSD-space:

C:\Windows\system32>attrib -h "C:\$Windows.~BT"
C:\Windows\system32>attrib -h "C:\$Windows.~WS"

C:\Windows\system32>cd "C:\$Windows.~BT"
C:\$Windows.~BT>takeown /f . /R /D Y
C:\$Windows.~BT>icacls . /grant Administrators:(OI)(CI)F /T

C:\Windows\system32>cd "C:\$Windows.~WS"
C:\$Windows.~WS>takeown /f . /R /D Y
C:\$Windows.~WS>icacls . /grant Administrators:(OI)(CI)F /T

After doing all that, reading all the information, changing all the registry values and removing pre-loaded waste...   It didn't work. What the article doesn't mention, that one of the GWX-processes runs in background and snoops those registry values and changes them back! Yes. You read it right. The fuckers go to your computer and make better choices for your registery. Their flawed reasoning is, that you obviously have to be some sort of moron not to go for their ultimate product right now, or preferably yesterday. And as you (the moron), the owner of your computer running a lesser "insecure" OS, need Microsoft's help to make better decisions.

OH, COME ON! Not cool.

I'm NOT upgrading to Windows 10 yet, because I (as in me) am in control here. Not Microsoft (as in them).

The solution

After spending countless hours and experiencing a number of setbacks, when the timers kicked on I stumbled into somebody having exactly the same problem as I do. He also had a solution for it. Here is the article Using GWX Control Panel to Permanently Remove the 'Get Windows 10' Icon.

GWX Control Panel looks like this:

With this application, no need to game of Whack-a-Mole anymore. The not wanted and not needed crap will just fly out with a click of a button. Example of getting rid of pre-loaded Windows 10 installation files:

Ultimately the cleaned up machine will report:

List of goodies include:

• Is 'Get Windows 10' icon app running? App not found
• Is 'Get Windows 10' icon app enabled? App not found
• Windows 10 Download folders found? No

Oh yes!

The application has an option to stay as a background process to keep monitoring, that evil Microsoft processes stay gone. I didn't test that, as just kicking all the crap out of my computer did the trick. Now I was back on the drivers' seat. Now I can decide when to do the upgrade.

In my hugely popular article about Transferring Windows 7 OEM license to a new hard drive, I kept insisting, that you absolutely positively need to know your SLP-key before processing. Couple days ago I was working on a recovery of a failed hard drive and realized, that it's not completely true.

As the troubled drive had already been replaced with a brand new SSD, I had the HDD in an USB-dock for investigation purposes:

The new Windows 7 OEM had already been installed, but not activated. As I didn't know the SLP-key I was planning to do the phone activation with COA-key. At that point I realized, that it was possible to use the Magical Jelly Bean Keyfinder from another drive:

It wasn't much simpler than that! A simple copy/paste -operation to get the key in and Windows activated.

The requirement seems to be to point to a %windir% and system32\config\ is assumed on top of that.