Playing Android Games On Your Windows PC

And now, for something completely different ­čÖé

I once owned an Android phone. I didn’t only use it for making calls, I also played some games on it. When I disposed of the phone and didn’t get another Android phone, I had a problem. I still wanted to play my games.

After some searching, I found the answer: An Android emulator! You can download the BlueStacks App Player for Windows here. This App Player is free. It only asks to install some sponsored games while you use it. You don’t have to run them, but they have to be installed. Beside that, you’re totally free to install and run any app that you can find in the Play Store. You have to have a Google account, just as when using Android natively on your device.

Now just run the app…


Install your favorite game (in this screenshot, I’m updating)..


And play!


Alternatively, you can use Andy┬áto play your Android apps. It’s also free. Have fun!


Securing your browsers: Internet Explorer

As third and last, I’ll show you how to secure your browser settings for Internet Explorer.

Internet Explorer is somewhat different because it doesn’t have it’s own settings for cipher suites. It gets those from the operating system. In Windows they are implemented in one of the SSPI’s namely┬áSChannel. So to enable or disable cipher suites in IE, you need to enable or disable them in Windows.

First, let’s take care of the obvious. In IE there is an SSLv3 setting in the Advanced tab of the Internet Options. Uncheck this and IE will be POODLE-proof. SSL 2.0 should be unchecked by default.


Now, to disable cipher suites we could edit the registry. This is complicated and error prone, so we are going to use a tool. Download IIS Crypto here. I recommend version 1.6 GUI for .NET 4.0.

Start the tool with elevated privileges and have most of the work done for you┬áby clicking the Best Practices button. You’ll have to Press the Apply button and restart for the changes to take effect.

I have edited the cipher suite order and put the ECDHE_ECDSA ciphers at the top of the list, followed by the ECDHE_RSA ciphers. I have tried disabling MD5 hashing but found that some applications for RDP were not working anymore. Disable every protocol before TLS 1.0 and every cipher suite above Triple DES 168. I tried disabling Triple DES 168, but some websites wont work anymore because they are not updated to use the newer Elliptic Curve cipher suites yet. Please test what works for you and post in comments.




As you can see, I disabled all TLS_DHE_DSS suites and the RC4 suite. I use the 3DES_CBC suite as a fallback suite.

I also disabled a few RSA SHA256 and RSA SHA384 suites because Microsoft released a bad patch. The IIS Crypto site also tells us to disable these:


This concludes my ‘series’ on how to secure your browser. It may be that these settings will be deprecated real soon. It might also be that you can use these safely for a few years. All depends on the progress and development in the field of cryptography. I will keep you updated.

Starting your programs with different credentials using a Powershell script

I always start the same programs at work. Because I login with a normal user account, I start most of them with my admin credentials. This took me too much time to do at each startup, also because of the hard to type password. So I wrote a Powershell script ­čÖé Maybe it can be of some use to you.

I got some trouble starting MMC modules, but got it to work eventually. Using 8dot3 paths to bypass space-in-path problems.

# —————————————————————————–
# Script: Start-Processes.ps1
# Author: Yuri de Jager,
# Date: 2013-11-27
# Keywords: Scripting Techniques, Processes, MMC modules
# comments: Start tools with admin account.
# Start-Process, Get-Content
# YdJ – 2013-11-27
# —————————————————————————–
# First save password in password file. Run only when password changes
# $credentials = Get-Credential
# $credentials.Password | ConvertFrom-SecureString | Set-Content [path to]passwd.txt

$password = Get-Content [path to]passwd.txt | ConvertTo-SecureString
$user = [admin user]
$creds = New-Object System.Management.Automation.PSCredential $user,$password

$systemroot = $env:SystemRoot
$progs = $env:ProgramFiles
$progsx86 = “${Env:ProgramFiles(x86)}”

Start-Process $systemroot\system32\mmc.exe -ArgumentList $systemroot\system32\dsa.msc -Credential $creds -windowstyle Maximized
Start-Process $systemroot\system32\mmc.exe -ArgumentList $systemroot\system32\dfsmgmt.msc -Credential $creds -windowstyle Maximized
Start-Process $systemroot\system32\mmc.exe -ArgumentList $systemroot\system32\dhcpmgmt.msc -Credential $creds -windowstyle Maximized
Start-Process $systemroot\system32\mmc.exe -ArgumentList $systemroot\system32\dnsmgmt.msc -Credential $creds -windowstyle Maximized
Start-Process $systemroot\system32\mmc.exe -ArgumentList $systemroot\system32\Cluadmin.msc -Credential $creds -windowstyle Maximized
Start-Process $systemroot\system32\mmc.exe -ArgumentList C:\Progra~1\UPDATE~1\ADMINI~1\wsus.msc -Credential $creds -windowstyle Maximized
Start-Process $systemroot\system32\mmc.exe -ArgumentList C:\Progra~1\MICROS~3\EXCHAN~1\V14\Bin\EXCHAN~1.MSC -Credential $creds -windowstyle Maximized
Start-Process -FilePath “$progs\ConEmu\ConEmu64.exe” -Credential $creds
Start-Process -FilePath “$progsx86\RobWare\RVTools\RVTools.exe” -Credential $creds
Start-Process -FilePath “$progsx86\Remote Desktop Connection Manager\RDCman.exe” -windowstyle Maximized
Start-Process -FilePath “$progsx86\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe”
Start-Process -FilePath “$progsx86\MICROS~2\Office14\OUTLOOK.EXE” -windowstyle Maximized
Start-Process $systemroot\system32\cmd.exe

Windows 8 Internet Explorer 10 Flash Player vulnerabilities thoughts

In Internet Explorer 10 the Adobe Flash Player isincluded by default. I don’t know the exact reason for this, but I don’t really care. Google is doing this for almost 2 years with Google Chrome. As soon as Adobe releases an update, Google Chrome is also updated. It seems to work and it certainly prevent users from using an ancient Flash Player plugin with dozens of vulnerabilities. I think this is why Microsoft decided to jump on this bandwagon,too.

But wait. How does Microsoft distribute it’s patches? By implementing a patch tuesday every month. The consequences of this combination of choices become painfully clear with the release of Windows 8. It contains a months old version of the Flash Player plugin that can’t be manually updated.

The update to the most recent version, that contains patches to (at least) vulnerabilities disclosed in APSB12-18 and APSB12-19, will be available no sooner then October 26th. How embarrasing. I really can’t believe noone of all those smart people at Microsoft forsaw this scenario. It must have been a management decision…. ­čśŤ

There is nothing more to say then to advise all Windows 8 users to use IE10 for 1 thing only; browse to or the Chrome release channels and download ‘the other browser’. I prefer Chromium daily builds myself, but you condemn yourself to frequent manual updates. In case of FF or Chromium, the next thing to do is to browse to the Flash Player download page and get the file for plugin based browsers and install it.

And keep the browser on your system (and keep it updated), even if you start using IE10 after it’s got the Flash Player patch. Why? Because this scenario will repeat itself unless Microsoft will find a way to release these specific patches on a day-to-day basis.

A quick note on WSUS error 0x80072EFD (Send failed with hr = 80072efd)

After installing a new WSUS server, my test machine failed to make contact. I had created a copy of the current WSUS GPO, edited it to the new server and applied it to only my test Windows 7 machine. I received the following error in the C:\Windows\WindowsUpdate.log

2012-03-05 14:34:12:187 1024 2748 Agent *************
2012-03-05 14:34:12:187 1024 2748 Agent ** START ** Agent: Finding updates [CallerId = AutomaticUpdates]
2012-03-05 14:34:12:187 1024 2748 Agent *********
2012-03-05 14:34:12:187 1024 2748 Agent * Online = Yes; Ignore download priority = No
2012-03-05 14:34:12:187 1024 2748 Agent * Criteria = “IsInstalled=0 and DeploymentAction=’Installation’ or IsPresent=1 and DeploymentAction=’Uninstallation’ or IsInstalled=1 and DeploymentAction=’Installation’ and RebootRequired=1 or IsInstalled=0 and DeploymentAction=’Uninstallation’ and RebootRequired=1”
2012-03-05 14:34:12:187 1024 2748 Agent * ServiceID = {XXXXXXX-E39D-4DA6-8A4B-XXXXXXXXXX} Managed
2012-03-05 14:34:12:187 1024 2748 Agent * Search Scope = {Machine}
2012-03-05 14:34:12:236 1024 2748 Setup Checking for agent SelfUpdate
2012-03-05 14:34:12:269 1024 2748 Setup Client version: Core: 7.5.7601.17514 Aux: 7.5.7601.17514
2012-03-05 14:34:12:279 1024 2748 Misc Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\
2012-03-05 14:34:12:353 1024 2748 Misc Microsoft signed: Yes
2012-03-05 14:34:15:667 1024 2748 Misc WARNING: Send failed with hr = 80072efd.


2012-03-05 14:34:25:587 1024 1a78 AU # WARNING: Search callback failed, result = 0x80072EFD
2012-03-05 14:34:25:587 1024 1a78 AU # WARNING: Failed to find updates with error code 80072EFD
2012-03-05 14:34:25:587 1024 1a78 AU #########
2012-03-05 14:34:25:587 1024 1a78 AU ## END ## AU: Search for updates [CallId = {XXXXXXX-9BE7-4DBC-8EC8-XXXXXXXXXX}]
2012-03-05 14:34:25:587 1024 1a78 AU #############

After some Googling it was clear it had something to do with the network. But after all usual network troubleshooting I wasn’t any closer to a solution. I decided to check the IIS server and finally got a bright moment. I installed the WSUS server on a clean Windows Server 2008 R2 SP1 installation. But I the old server has many services installed. Thus the new WSUS website was installed in IIS on port 80 while the old server was using port 8530. And because I copied the GPO and only adjusted the FQDN, it was still pointing to port 8530!

Instead of adjusting the GPO, I decided to bind the WUS website to port 8530 too. This way, when migrating to the new WSUS server, only the FQDN had to be changed.

I now got this documented, so I hope I will never waste another minute on this.

Fix (backup) errors related to missing Volume Shadow Copy System Writer

A quick note. To fix (backup) errors related to a missing vss System writer, I use the following script to (re)set the file permissions on the winsxs folder in %SYSTEMDRIVE%\Windows. Run it with administrative privileges.

vssadmin list writers
takeown /F %WINDIR%\winsxs\*.* /A /R
icacls %WINDIR%\winsxs\*.* /grant “NT Service\trustedinstaller:(F)”
icacls %WINDIR%\winsxs\filemaps\*.* /grant “NT AUTHORITY\SYSTEM:(RX)”
icacls %WINDIR%\winsxs\filemaps\*.* /grant BUILTIN\Users:(RX)
vssadmin list writers


VMware vCenter Server Active Directory Web Services LDAP error on instance ADAM_VMwareVCMSDS

While browsing the vCheck 5 report (Thank you Alan), I noticed the following error:

Active Directory Web Services encountered an error while reading the settings for the specified Active Directory Lightweight Directory Services instance. Active Directory Web Services will retry this operation periodically. In the mean time, this instance will be ignored. Instance name: ADAM_VMwareVCMSDS

Luckily this error is documented e.g. here and here.

Replace the ‘Port SLL’ REG_SZ key under HKLM\SYSTEM\CurrentControlSet\Services\ADAM_VMwareVCMSDS\Parameters

for a REG_DWORD key with the name ‘Port SSL’ and decimal value 636 (or simlpy create the key)

UPDATE: Thank you David Ho, for the correction =]

Now restart the VMwareVCMSDS service and the error should be gone.

Please note: This is a fix for vCenter Server 4.1 and 5.0 on Windows Server 2008 R2. Running vCenter Server 4.0 on Windows Server 2008 R2 is not supported until Update 3. I got this error after a fresh install of vCenter 5.

Migrating Terminal Server Licenses from Windows Server 2003 to Windows Server 2008 R2 using the Remote Desktop Licensing Manager

Here’s a step-by step guide to migrate your Terminal Server licenses from a Windows Server 2003 server to a Windows Server 2008 R2 server.

Why 2008 R2? Because it has a kind of transfer wizard that isn’t present in 2008. If you want to transfer your licenses to 2003 or 2008 server, you’ll have to get on the phone with Microsoft. In both situations you’ll need the authorization and/or license codes, so keep them at hand. If you can’t find them anymore, you can ask Microsoft to send you a license report for your company. You’ll also need a connection to the Internet so the wizard can contact the Microsoft Clearinghouse server to register your transfer.

Start the Remote Desktop Licensing Manager

Add your servers to the overview screen to the left by right clicking on All servers and choosing Connect

You’ll end up with something like this:

Right click your new server and choose Manage Licenses

The Manage licenses Wizard will start. Click Next on the welcome screen

The wizard will try to contact the Microsoft Clearinghouse server

Now choose your action. I’ll choose the first option because this a a migration and not a disaster recovery

Put in the source license server’s DNS name

I had to put in the IP address because our source license server had a name with an underscore and the wizard did not like that

Agree to discontinue using the source license server

Choose you license program

I chose Open License which required me to input the Authorization number and License number

Choose your product version, license type and the quantity

The licenses will be migrated

You’re done

If you receive the error “The Microsoft Clearhouse server could not be contacted. Ensure that you have Internet connectivity …..”, you can try to first open a browser windows to and (repeatedly) try the last step (press Back and Next) of the migration again right after the Microsoft website appears. This resolved this weird problem in my case.

VMware Workstation vmnat.exe high CPU load

Vmnat.exe provides NAT services to virtual machines running in VMware Workstation. I don’t know why, but I have experienced high CPU loads of this process on Windows 7 Professional and Ultimate x64 SP0 and SP1 versions with VMware Workstation 7 and 8. I finally know how to fix it.

If you experience high CPU load from the vmnat.exe process, do the following:

Close all VM’s and VMware Workstation. Start the Virtual Network Editor from your start menu.



Now press the Restore Default button. VMware will reset all virtual interfaces.

I ended up with a Host-only network type VMNet1 and a NAT network type VMNet8. I reckon this will be the same for you.

Don’t forget to check the VM’s that need to use a NAT network connection.

Microsoft Excel Documents open very slowly from the network or don’t open at all

A few users reported very slow opening of Excel documents from network shares. The bigger the document, the slower it opened. Sometimes Excel would just crash.

I found some posts that suggested to uninstall security patches, but I’m not very keen on that. I actually immediately suspected the new Office File Validation Add-In because we had some problems with it before. It appeared indeed related to the OFV Add-In.

It seems Microsoft issued a fix and several work arounds for exactly this problem in KB2570623. A patch was released on sept. 13th through KB2553065. We are currently testing the patch.

I’ll list the work arounds here for archive purposes. My preferred method, might the patch not fix the problem, seems to be Method 4:

Method 1:
To be able to have both the protection of the OFV, and typical performance over the network when opening files, upgrade to either Microsoft Excel 2007 or Microsoft Excel 2010.

Method 2:
Copy the file to the local workstation. Open and save it in Excel from the local hard drive. Copy the file back to the network location.

Note: If multiple users are accessing the same file, you must be cautious to collaborate with the other users before you copy the file back to the share so that you do not overwrite the changes that were made by another user. The Shared Workbook feature cannot be used with this workaround.

Method 3:
To use Excel 2003 and avoid the network performance issue, you can disable the Microsoft Office File Validation Add-in for Excel by removing the Excel portion of the OFV. This removes the additional protection of the OFV for Excel while still protecting the other Office applications.

Fix it for me
Microsoft Fix it 50748

Method 4:
To use Excel 2003 and avoid the network performance issue, you can disable the Microsoft Office File Validation Add-In for Excel by using a registry setting. This removes the additional protection of the OFV for Excel while still protecting the other Office applications.

More information about this setting is available here:

Fix it for me
Microsoft Fix it 50741

Let me fix it myself
You can use the EnableOnLoad registry entry to configure how you want Excel to handle opening workbooks for the OFV. By default, the EnableOnLoad entry is not present in the Windows registry. To add the EnableOnLoad entry to the Windows registry, follow these steps:

Exit Excel.
Click Start, click Run, type regedit, and then click OK.
Locate and then click to select the following registry key:
After you select the key that is specified in step 3, point to New on the Edit menu, and then click Key.
Type Excel, and then press ENTER.
Select Excel, point to New on the Edit menu, and then click Key.
Type Security, and then press ENTER.
Select Security, point to New on the Edit menu, and then click Key.
Type FileValidation, and then press ENTER.
Select FileValidation, point to New on the Edit menu, and then click DWORD Value.
Type EnableOnLoad, and then press ENTER.
Note: The default value is 0 which disables the validation.
On the File menu, click Exit to quit Registry Editor.

%d bloggers like this: