Installing Windows from a USB Stick (and copying it to that stick from an ISO)

(Quick public dump so I can find the tool link again easily)

 

  1. Download the Windows 7 USB/DVD tool from here. (NB links to the page, not the EXE)
  2. Download ISO image from store or MSDN
  3. Run Win7 USB DVD Tool and point it to ISO and USB Stick
    • Label stick
    • Seriously Tristan, label the damn stick
    • You know what happens when you don’t.
  4. Boot from stick, or run Setup from stick
  5. ???
  6. Profit!

Works for Windows 8, worked for Windows 8.1 Preview, no reason to think it won’t work for Windows 8.1 RTM, or Windows Server 2012 R2 etc.

Good if you’re planning a clean installation; otherwise, simply double-clicking the ISO is probably enough to do the upgrade as of Windows 8, which can mount ISOs and VHDs from a double-click.

Come to the Windows 8 and Windows Server 2012 Premier Roadshow

Australian Premier Support customers: Join us for an overview of the new stuff in Windows Server 2012 and Windows 8!

This series of events will run for the entire day in each city and showcase 4 sessions of about 90 minutes, on a range of Windows Server 2012 and Windows 8 client topics. All topics will be presented by the best Premier Field Engineers across Australia and New Zealand.

Except they got me for Sydney! I’m covering the new Networking features.

Windows Server 2012 – Networking

Connect from anywhere, more working and less waiting, better network management via cost-aware networking. Sound interesting? This session provides a general overview, including many of the improvements to DirectAccess, BranchCache, and general networking improvements in Windows 8 and Server 2012.

Details and signup:

http://blogs.msdn.com/b/shyam/archive/2012/08/16/windows-8-and-server-2012-road-show.aspx

 

And if you’re at Tech.Ed 2012 AU, you can catch Darth Chad and I presenting on the enhancements to Windows Server 2012 DirectAccess.

 

A weekend’s worth of tips in the Windows 8 Consumer Preview

Just some notes recording what I’ve picked up from a couple of days using the Windows 8 Consumer Preview on my main desktops:

 

The hit target for the Start button is the very bottom left corner – like, the four pixels in that region. Just slam the mouse there and click – when you get used to it, it’s cool!


The sides of the screen work consistently that way – each is a slam-to-any-corner, then mouse up or down to get to the functionality on that border. This makes it fast without permanently cluttering screen space (I haven’t tried multimon yet).

Task switching – slam to top-left, then drag mouse straight down. (Or, bottom-left-as-in-Start, and slide up). Has grown on me greatly; I often now have a metro app side by side with the Win32 stuff/desktop. Alt+Tab still works.

Charms – slam to top-right or bottom right, then drag down or up, but be quickish, it fades! Or just Win+C.

Charms are important – each app has its own Settings (Win+I to skip the Charms menu step) now, and you print (for example) through the Devices charm by picking the Printer. Share through the Share charm. And so on.

On Settings – you can get to Settings (as in, that big list of Win8 style settings) by going Charms, Settings, More Settings (at the bottom). It’s arguably easier just to hit your username and Change Picture.

Drag straight down (violently!) from the top to throw away (i.e. terminate, I think) any Metro app. Otherwise, drag it to the region you want it in.

 

Start-and-type to search and run programs still works like in Windows Vista and 7 – you just hit Start and without waiting for anything, type a bit of the name of the program you want to run, and it searches for it. Ctrl+Shift+Enter probably still elevates that program to Admin. The difference from Windows 7 is that there’s no search box before you start typing. Well, that and there’s a full-screen list of programs.

Tip: The Start screen goes away as soon as you’re running a Win32 app, just like the old Start menu*. If all you run is Win32 apps, it’s big, sure, but it’s fluid.

If you’re still Win+R ing to Run apps, that works too.

 

The Remote Desktop Metro app behaves subtly differently from the MSTSC Win32 app when remoting to a Win8 target.

I’d summarize this as: the Metro one is optimized for fullscreen touch interfaces (and won’t entirely capture your mouse when in fullscreen – if you mouse to the bottom left, you get the local OS start menu), while the MSTSC version works basically how it always did. Plus extra buttons and stuff. If you were working on a touch-only device, swiping for the local start menu makes a lot of sense (how else are you going to escape!?)

As I’m working on a touch-enabled desktop but mostly keyboard-and-mousing, I tend to prefer the MSTSC behaviour over Remote Desktop Metro.

If you’re using Win8 MSTSC, it’s faster to click the (new) Start button in the MSTSC connection bar (at the top of the windowed desktop) than try to hunt for the lower left pixel if it’s windowed, at least right now, as far as I can tell, YMMV, cheques may not be honoured. Just connect Fullscreen, and slam that mouse around!

As long as you’re capturing the Windows key in your RDP session, other handy non-hunting tips: Win+C = Charms, Win+I = Settings

 

* except again, it’s full screen. I’m OK with that – it wasn’t like I scrutinized the Start menu every time it appeared.

Note: Tristan has no inside information on Windows 8, he’s experiencing the Consumer Preview along with the rest of the world.

RemoteFX (with Hyper-V) is a serious business tool. For games.

The Setup

My downstairs PC (on the dining room table) is an HP Touchsmart all-in-one Core 2 Duo Intel Integrated Graphics 965-based box, which makes it absolutely abominable for games.

Upstairs, my internet connection plugs into my Hyper-V host (actually, a TMG instance on it), and I’ve a sort-of-gaming PC set up next to that, which has a nice video card, and chair, and half-assembled steering wheel.

I’ve GigE running all over the place.

Back to the downstairs PC, though: I once tried Borderlands on it, and at the lowest settings, I could’ve made a faster PowerPoint deck. Pretty sure my WP7 phone has more 3D graphics grunt.

The Problem

Recently, I’ve been playing a lot of Jagged Alliance, because it seems like there’s just so much of it about, and I really loved the earlier incarnations.

But to play Jagged Alliance Online, or Jagged Alliance: Back In Action, I’ve needed to move from downstairs, where I like to hang out in the dining/living room, to upstairs, or The Man Room, where I’m quite isolated from my girlfriend, the TV, and the small family of woodpeckers that’s moved into the dining room table.

The Solution: RemoteFX!

The Hyper-V box got upgraded to a Core i7 (from a Q6600) with 16GB RAM recently. This means SLAT/EPT is available, which means that I now have the possibility of sexy 3D GPU graphics without actually crippling the performance of the VMs running on it.

Also, it got me thinking about RemoteFX:

Could I get reasonable 3D gaming performance from the Hyper-V host, using the downstairs box as just a screen?

Not having used RemoteFX before, I did some research. Then some more research. Then some more. Everyone and their dog was trying it with an unsupported GPU (“for business purposes”… suuuuure), but there were some success stories around, so I persevered despite not really understanding what I was doing. (It’s a good quality. Honest.)

Note: This should not be taken as endorsement or condonement of using an unsupported GPU. If stuff just randomly stops working, or a driver update breaks this, there’s no recourse. So if you need a supported, working, supportable solution, DO NOT DO THIS. (yes, just like Xbox Live through TMG).

I jammed an Nvidia 9400 (or something; the only spare PCIe card I had) in the server as a proof of concept (depending on what you read, you either need more than one card, or the Intel isn’t a suitable RemoteFX GPU anyway).

  • Pre-work: Disabled Live Mesh’s Remote Desktop support (it installs a video adapter driver that I’m pretty sure isn’t WDDM and I didn’t want to fiddle around with it; RDP is fine)

 

  • Installed the RemoteFX role (Virtualization Host)
  • Created a Hyper-V VM and Installed Windows 7 Ultimate X64 SP1
    • Uses the External Hyper-V network (my internal home LAN, with DHCP, a proxy, etc)
    • 2 procs
    • 4GB RAM (was 2GB, but figured I had the RAM spare, might offset the slow disk I’ve got it on)
  • Installed the RemoteFX adapter into the VM  (if you’re following this as a guide DO NOT DO THIS NOW)
    • (1600×1200 (client res is 1680×1050; close enough))
    • Noted that the refresh of the VM properties was now quite slow. Driver? Whizbang feature thing? Comes and goes.
    • Screamed and cursed while shutting the VM down again because I’d forgotten to enable Remote Desktop first, and the Hyper-V remote window won’t connect to a RemoteFX enabled VM.
    • Removed remoteFX adapter from VM.
  • Enabled Remote Desktop in the VM
    • Remoted into the VM to check it worked
    • it did!
    • Checked that my Remote Desktop settings on the client were all up to eleven (LAN, full experience, 32-bit colour)
  • Shut down the VM and re-installed the RemoteFX adapter
  • Faffed around with Cap drivers and reboots. Short version: didn’t need one
  • Used the Group Policy Settings to un-balance RemoteFX performance as much as possible (only ever likely to be me using it at once)

To CAP or not to CAP?

The literature commonly refers to installing the RemoteFX Cap Driver because most servers don’t use WDDM drivers for their inbuilt video cards.

Mine did have a WDDM driver (the i7 has Intel Integrated HD Graphics)… but I didn’t know that, so I assumed it was XPDM and installed the Cap driver; turns out I simply didn’t need to, and there was much installing and uninstalling of the cap driver, with reboots required. (Which take out my house’s Internet connection).

In short: looks to me like if your inbuilt server adapter is WDDM, no need for the CAP driver. But like I said – I removed the ?XPDM? Live Mesh adapter before starting.

Success!

It worked, but the 9400 didn’t support new niceties like Shader Model 3.0, so BIA was out. And JAO ran too slowly for my liking. And the card was ollllld. So assuming that’d be the problem, I figured I’d try a new one.

A new video card

So I bought a new ATI/AMD Radeon HD 6770 1GB card (and a 6790 for the gaming PC…) for $140, and dropped that into the Hyper-V box.

(Yes, I know it’s unsupported. Yes, I know there are special GPUs for this. No, I can’t help you if you run into trouble with this.)

At this point, I tried installing drivers, but it didn’t seem to work initially, possibly because I still had the Cap driver installed (there was screen blanking). Eventually, after several uninstall-reinstall cycles, it just worked. I didn’t (as of 12.1 Catalyst) need different drivers; I didn’t install Catalyst Control Center on the successful run, but I don’t think it was that anyway.

The Event Log messages about nonworking GPUs disappeared, and I had a working RemoteFX host again. (Moral of the story: if you are using a cap driver, and you need to add or change a video card, disable the cap driver first).

How does it go?

It goes alright!

Some games react weirdly to RDP-style inputs (particularly the mouse); some games have glitches they don’t otherwise have with the synthetic 3d adapter.

I would not try playing most FPSs via RemoteFX (you’re instantly dealing with input lag plus network lag plus rendering time on the server and the client, plus that mouse-movement-is-display-mouse-movement thing).

Also, keep in mind: this is a screen remoting protocol; if your box can’t do smooth full-motion 3d on its own, or smooth full-screen video, doing smooth full-motion 2d-of-3d might put a fair load on it as well. If Aero is jerky on the box (it is on the Touchsmart), that’s about the best-case frame-rate you’re likely to get from RemoteFX or anything for that matter. There are performance counters to track where bottlenecks are.

Quick summary of games I’ve tried:

I can now play Jagged Alliance: BIA on my downstairs PC pretty reliably, which is all I wanted to do in the first place. I do it a lot right now. I use 1280×720, 30Hz (seems to respond better), 2xaa, 4xAniso (or 4x whatever that last setting is), and Vsync.

JAO has some graphical weirdness (blank world map and face tiles) which fixes itself up when you play with the 9 and 0 keys (graphics detail level). Again, can now play it on the Touchsmart, which is incapable of playing it on its own.

Company of Heroes looks great, and with all the settings turned up to max, I got a “Great” score on COHmark. Can’t remember the numbers, but better than I expected. Haven’t played with it extensively yet.

I tried Civ IV, and it was the first time I’ve played it… it worked pretty well.

Frozen Synapse didn’t work at all, just crashed to desktop.

Deus Ex: GOTY – man, that game’s a pain to configure these days, what with its software rendering default and 16 bit colour! ugh! – it doesn’t really work well, input issues once the video issues are fixed.

In summary: awesome for the downstairs PC

It’s not a solution that allows me to dedicate the full unfettered power of the GPU to a single client (at least, I haven’t worked out how), but with a nice, grunty GPU in the server box, it’s nice that I won’t have to replace the touchsmart until Win8 comes out (bevel-less touch is important), and then I’ll get me one of those sexy new HP all-in-ones, and maybe play games locally again for a while. Or maybe stick with the thin screen/lots of bandwidth solution!

IUSR vs Application Pool Identity – Why use either?

(pasted from my email clippings. I’m on holiday right now, catching up on paperwork!)

The TLDR version is: using AppPoolIdentity as both the App Pool Account and Anonymous user account lets you have multiple isolated anonymous websites on one box.

IIS 7.x and upwards (as of Win2008 R2 and Windows 2008 SP2, also in IIS 8.x in Windows Server 2012 and IIS 10.x in Windows Server 2016) supports a new Application Pool account type, called an ApplicationPoolIdentity. This low-privileged account can be used to isolate distinct sets of anonymous website content, without requiring the administrator to set up a unique account for each website manually.

So whereas the default IUSR anonymous account is per-server, an ApplicationPoolIdentity is per-app-pool, and IIS creates one app pool per site, by default when the GUI is used to create a site.

So by setting the ApplicationPoolIdentity as the anonymous user account for a site, you can isolate content and configuration for that site so that no other sites on the same box can access it, even if it’s an anonymous site.

And now, the long version!

 

Before I start: Terminology disambiguation corner (because App Pool Identity is a horribly overloaded term nowadays):

  • Application Pool Account = the account used to run the App Pool, whether custom user, NetworkService, LocalService, AppPoolIdentity or LocalSystem
  • ApplicationPoolIdentity = the new account type that has a unique App Pool Name-based identity SID (S-1-5-82-SHA1{App Pool Name})
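As an added example (not part of the original post), the SID construction in the bullet above can be reproduced offline. The construction assumed here is that IIS takes the app pool name, upper-cases it, encodes it as UTF-16LE, SHA-1 hashes it, and reads the 20-byte digest as five little-endian 32-bit sub-authorities after the S-1-5-82 prefix; the pool names are constructed placeholders.

```powershell
# Added example (not from the original post): derive an ApplicationPoolIdentity SID offline.
# Assumed construction: S-1-5-82- followed by the SHA-1 of the upper-cased app pool name
# (UTF-16LE), read as five little-endian 32-bit sub-authorities.
function Get-AppPoolIdentitySid {
    param([Parameter(Mandatory)][string]$AppPoolName)

    $nameBytes = [System.Text.Encoding]::Unicode.GetBytes($AppPoolName.ToUpperInvariant())
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try     { $digest = $sha1.ComputeHash($nameBytes) }   # 20 bytes = 5 x 32-bit sub-authorities
    finally { $sha1.Dispose() }

    $subAuthorities = foreach ($i in 0..4) { [BitConverter]::ToUInt32($digest, $i * 4) }
    return 'S-1-5-82-' + ($subAuthorities -join '-')
}

# Same name in any case -> same SID on every machine; a different pool name -> an unrelated SID.
Get-AppPoolIdentitySid -AppPoolName 'DefaultAppPool'
Get-AppPoolIdentitySid -AppPoolName 'defaultapppool'
Get-AppPoolIdentitySid -AppPoolName 'Coke'

# Cross-check on a box with IIS installed, for a pool that exists there:
# (New-Object System.Security.Principal.NTAccount 'IIS AppPool\DefaultAppPool').Translate(
#     [System.Security.Principal.SecurityIdentifier]).Value
```

The practical consequence is the one the post draws: because the SID is a pure function of the name, an ACL granting `IIS AppPool\Coke` on one server is honoured on every server that runs a pool of that name, with no account to create, replicate or password-manage.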

Also, a reminder that process identity is the basic “RevertToSelf” identity for a process, and that thread identity can be different from process identity via impersonation or explicit logon.

So, any or all of the threads in a process might be someone other than the process identity, but if any call RevertToSelf or somehow lose their token, they’ll snap back to acting as the process identity. (Which is the ultra-short version of why you don’t want that being LocalSystem or another privileged account.)

 

App Pool Account:

The when-not-impersonating/process identity; used to start the app pool and to read web.config files; pretty much needs permissions to everything.

On IUSR vs Application Pool Account as anonymous:

IUSR

  • IUSR has the same SID on every machine.
  • IUSR is appropriate if you run one anonymous website on the computer.
  • You secure your content to IUSR with NTFS permissions, and that website can access it.
  • If you run two websites with the anonymous account as IUSR, they can access each other’s content.
  • For low-security applications and intranet sites, that might be OK.

App Pool Account as Anonymous

The alternative is to use an App Pool Account as the Anonymous account (so a thread doesn’t bother putting on its IUSR clothes on anonymous requests)

  • ApplicationPoolIdentity has the same SID on every machine with a common config (because the SID is a hash of the name), so has the same benefit as IUSR for content security, only specific to the app.
  • It’s an appropriate choice if you run multiple anonymous websites and need isolation of content.
  • Other appropriate choice: creating an explicit user account for each App Pool and using that as anonymous.
  • (i.e. the anonymous Coke application should never be able to read the Pepsi application’s files) (arguably always the case with multiple anon websites on the one box)

Using the App Pool Account as anonymous is a good idea because it allows you to secure your content at the NTFS level for just COMPUTER\Coke or IIS AppPool\Pepsi, and be assured that Windows file system security will prevent one company’s anonymous app from reading (or otherwise affecting) its competitor’s anonymous content.

Using the AppPoolIdentity as the App Pool Account in this case is just a simple, no-hassle way of having a common user account on all machines that share the IIS configuration (or at least the name of the app pool), without having to faff about creating or replicating Windows users and worrying about their permission level.
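The configuration described above, as an added example rather than anything from the original post: two anonymous sites on one box, each in its own app pool running as ApplicationPoolIdentity, with anonymous requests mapped to that identity instead of IUSR and the content folders ACLed so only the owning pool's virtual account can read them. Site names, paths and ports are constructed; the script assumes the WebAdministration module (IIS 7.5 or later) and an elevated prompt.

```powershell
# Added example (not from the original post): two anonymous sites on one box, each
# isolated by its own ApplicationPoolIdentity and NTFS ACL. Names are constructed.
Import-Module WebAdministration

$sites = @(
    @{ Name = 'Coke';  Path = 'C:\inetpub\coke';  Port = 8081 },
    @{ Name = 'Pepsi'; Path = 'C:\inetpub\pepsi'; Port = 8082 }
)

foreach ($s in $sites) {
    New-Item -ItemType Directory -Path $s.Path -Force | Out-Null
    Set-Content -Path (Join-Path $s.Path 'default.htm') -Value "<h1>$($s.Name)</h1>"

    # One app pool per site, running as ApplicationPoolIdentity (processModel.identityType 4)
    if (-not (Test-Path "IIS:\AppPools\$($s.Name)")) { New-WebAppPool -Name $s.Name | Out-Null }
    Set-ItemProperty "IIS:\AppPools\$($s.Name)" -Name processModel.identityType -Value 4

    if (-not (Test-Path "IIS:\Sites\$($s.Name)")) {
        New-Website -Name $s.Name -PhysicalPath $s.Path -Port $s.Port -ApplicationPool $s.Name | Out-Null
    }

    # Anonymous requests run as the app pool account instead of IUSR: an empty userName
    # on anonymousAuthentication means "use the application pool identity".
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $s.Name `
        -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
        -Name userName -Value ''

    # NTFS: drop inherited ACEs (which usually include Users/IUSR read) and grant
    # read/execute only to this site's virtual account, plus admins and SYSTEM for management.
    icacls $s.Path /inheritance:r | Out-Null
    icacls $s.Path /grant:r "IIS AppPool\$($s.Name):(OI)(CI)RX" `
        'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null
}

# Check: each folder should list only its own IIS AppPool\<name> besides admins and SYSTEM,
# so the Coke worker process cannot read Pepsi's content even though both serve anonymous users.
foreach ($s in $sites) { icacls $s.Path }
```

The same shape works with a per-pool domain or local user as the App Pool Account (set identityType to 3 and supply userName/password); the ApplicationPoolIdentity variant just removes the account-management step.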

The bit I’m less confident on but still fairly sure I’m right:

When it gets to off-box (e.g. database) resources, you’re out of IIS-land and into app framework (ASP.Net)-land; the short version is that if your token isn’t delegable (e.g. it comes from NTLM authentication), it won’t be passed to the next hop, and you’ll end up with the process identity and whatever limitations or benefits that incurs.

Configuring Kerberos for SharePoint farms – a generic gotchas list

Recently, I worked on a Kerberos configuration issue with a customer; these are my notes from the visit.

You’ll see some common themes with Kerbie Goes Bananas, and it puts much of that into practice. Speaking of, I must redo Kerbie with SetSPN -S  (shameface)

 

1. DNS should use an A record to refer to the load balancing IP, not a CNAME

This configuration step avoids an Internet Explorer behaviour whereby IE resolves a CNAME into an A record, and requests a ticket by building an SPN for the A record, instead of the CNAME.

More information is available at http://support.microsoft.com/kb/938305 . In most cases, adjusting the behaviour of Internet Explorer across all machines is harder than adjusting the DNS entry involved.

2. SPNs must be registered against the Application Pool Account

Note: use the Windows 2008 (or later) version of SetSPN to identify problems such as duplicates when updating SPNs. Any existing document using SETSPN -A should be updated to use SETSPN -S.

Only two SPNs are required for Kerberos to function against a farm – the FQDN, and the short hostname.

These must be applied to the account used by the Application Pool receiving the user request, which practically means that in most cases, only one account is usable per hostname (pair).

SPNs to be registered are:

HTTP/farm
HTTP/farm.example.com

Against the user identity of the Application Pool the user is connecting to – say, DOMAIN\SPAccount. This must be a domain account when used in a Farm scenario.

Note that no port number is used for the default port, and that these SPNs are also used for TLS/SSL.

SETSPN -S HTTP/farm DOMAIN\SPAccount
SETSPN -S HTTP/farm.example.com DOMAIN\SPAccount

If the individual hostname is to be used occasionally (e.g. for troubleshooting), http/machinename and http/machineFQDN should be registered against that account as well.

This should result in a list of SPNs as shown:

setspn -l DOMAIN\SPAccount

Registered ServicePrincipalNames for CN=SharePoint App Pool Account,OU=Service Accounts,DC=example,DC=com:
    HTTP/farm
    HTTP/farm.example.com

3. The App Pool Account must be used for authentication

In a web farm scenario, a domain account must be used as the application pool identity. Once a suitable domain account is configured as the application pool identity (DOMAIN\SPAccount in this example), Kernel-Mode Authentication must be disabled, or the configuration’s useAppPoolCredentials property must be set to true (both may be used).

If this step is not performed, the app pool will not be able to decrypt the Kerberos ticket supplied by the client.

To disable Kernel-mode Authentication:

Open InetMgr (IIS Manager), browse to Authentication for the site, click Windows Authentication and open Advanced Settings (Actions pane on the right), and untick “Use Kernel-mode Authentication”.

Reference: http://technet.microsoft.com/en-us/library/cc754628(WS.10).aspx

To set useAppPoolCredentials to true:

Open a CMD window as Administrator, then:

CD %windir%\system32\inetsrv

appcmd.exe set config -section:system.webServer/security/authentication/windowsAuthentication -useAppPoolCredentials:true

Note: one line (wrapped), with no space after any dash (-) character.

Reference: http://technet.microsoft.com/en-us/library/dd759186.aspx
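Steps 1 to 3 above can be verified from a WFE before anyone starts capturing traces. The script below is an added example, not part of the original notes; the farm hostname, account name and IIS site name are constructed placeholders. It assumes the WebAdministration module, the setspn tool from a domain-joined 2008 or later box, and Resolve-DnsName (Windows 8 / Server 2012 or later). It reports a problem for each precondition that fails rather than fixing anything.

```powershell
# Added example (not from the original post). Checks the three SharePoint farm
# preconditions above from a WFE: DNS A record, SPNs on the app pool account, and
# the IIS authentication settings. Names below are constructed placeholders.
Import-Module WebAdministration

$FarmHost    = 'farm.example.com'   # the load-balanced farm name
$AccountName = 'SPAccount'          # sAMAccountName of DOMAIN\SPAccount
$SiteName    = 'SharePoint - 80'    # IIS site hosting the web application
$problems    = New-Object System.Collections.Generic.List[string]

# 1. Farm name must be an A record, not a CNAME (the IE behaviour in KB938305)
$dns = Resolve-DnsName -Name $FarmHost -ErrorAction SilentlyContinue
if ($dns | Where-Object QueryType -eq 'CNAME') {
    $problems.Add("DNS: $FarmHost is a CNAME; change it to an A record pointing at the load-balanced IP")
}

# 2. HTTP/short and HTTP/FQDN registered on the account, each held by exactly one account
$shortHost  = $FarmHost.Split('.')[0]
$registered = setspn -L $AccountName 2>&1 | ForEach-Object { $_.ToString().Trim() }
foreach ($spn in "HTTP/$shortHost", "HTTP/$FarmHost") {
    if ($registered -notcontains $spn) {
        $problems.Add("SPN: $spn is not registered on $AccountName (fix: setspn -S $spn DOMAIN\$AccountName)")
    }
    # setspn -Q prints one 'CN=...' line per account holding the SPN; more than one is a duplicate
    $holders = @(setspn -Q $spn 2>&1 | Where-Object { $_ -match '^CN=' })
    if ($holders.Count -gt 1) {
        $problems.Add("SPN: $spn is registered on $($holders.Count) accounts; remove the duplicates")
    }
}

# 3. App pool must run as a domain account, and IIS must use its credentials to decrypt tickets
$poolName = (Get-Website -Name $SiteName).applicationPool
$model    = Get-ItemProperty "IIS:\AppPools\$poolName" -Name processModel
if ($model.identityType -ne 'SpecificUser' -or $model.userName -notmatch '[\\@]') {
    $problems.Add("IIS: app pool '$poolName' is not running as a domain account (identity: $($model.identityType) $($model.userName))")
}
$winAuth    = 'system.webServer/security/authentication/windowsAuthentication'
$kernelMode = [bool](Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName -Filter $winAuth -Name useKernelMode).Value
$poolCreds  = [bool](Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName -Filter $winAuth -Name useAppPoolCredentials).Value
if ($kernelMode -and -not $poolCreds) {
    $problems.Add("IIS: kernel-mode auth is on without useAppPoolCredentials; tickets for HTTP/$FarmHost would be decrypted with the machine account key and fail")
}

if ($problems.Count -eq 0) { 'All Kerberos preconditions look good.' } else { $problems }
```

The kernel-mode check is the one most often missed: with kernel-mode authentication on and useAppPoolCredentials off, the ticket is decrypted with the machine account's key, which is exactly the failure step 3 describes.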

4. Performance – Kerberos and NTLM

Use of Kerberos should significantly reduce traffic between WFEs and Domain Controllers.

Every NTLM-authenticated connection requires the server to make a connection to a DC to complete authentication. The number of simultaneous connections available to a DC is governed by the MaxConcurrentApi registry value.

Kerberos allows the client to authenticate to a DC once for the website, and to continue to use the ticket for the ticket lifetime (10 hours by default), across multiple connections, without necessarily needing to interact with the DC again.

References

MaxConcurrentApi
http://support.microsoft.com/kb/326040 (original article)
http://support.microsoft.com/kb/975363 (now supports 150)

Kerberos vs NTLM authentication with ISA Server (same concepts apply with Sharepoint or any Web app)
http://technet.microsoft.com/en-us/library/bb984870.aspx

And a third-party performance comparison of Kerb and NTLM authentication with kernel-mode authentication and without was found here (not overall site performance, just basic RPS).

http://blog.michelbarneveld.nl/michel/archive/2009/12/02/kernel-mode-authentication-performance-benefits.aspx

TMG SP2 now out there

There I was, blathering away about Kerberos and SetSPN and sleeping – sleeping! – while the long-awaited-but-unannounced TMG SP2 was released. And announced, I guess.

The documentation’s still being updated (the release notes haven’t made it up yet), but you can try it out from here:

Microsoft Forefront Threat Management Gateway (TMG) 2010 Service Pack 2

And topically:

New Reports
• The new Site Activity report displays a report showing the data transfer between users and specific websites for any user.

Error Pages
• A new look and feel has been created for error pages.
• Error pages can be more easily customized and can include embedded objects.

Kerberos Authentication
• You can now use Kerberos authentication when you deploy an array using network load balancing (NLB).

Enjoy!