Thursday, May 17, 2012

Top 10 E-mail Scams


1. PayPal Account Needs Attention

2. Ebay account needs you to verify your bid

3. UPS Package needs to be delivered

4. You inherited a large sum of money from a foreign relative.

5. Lottery Winning Scams

6. Best Stock Tips

7. Mystery Shopper Wanted

8. Cheap Medication

9. Your Bank Needs To Verify Your E-mail

10. Over Payment Scams

Wednesday, May 16, 2012

Windows 7 and Windows Server 2008 R2 Print Driver Isolation

I was having an issue with print drivers and print processes at a client, and this information and article helped me out tremendously.
There are three basic modes of isolation that can be configured for individual print drivers:
  • None – in this mode, print driver components are loaded into the spooler process. This is essentially the model found in previous versions of Windows
  • Shared – multiple drivers that are set for isolation are loaded into a single shared process space that is separate from the spooler process. Although this protects the spooler process, the drivers that are in shared mode can affect one another
  • Isolated – each driver is loaded into its own process space. This protects the spooler from individual driver failures, and also protects drivers from each other
Remember that the modes are configured on a per-driver and not a per-system basis. One other point to keep in mind – not all drivers will run in shared or isolated mode. Drivers that call spooler functions or a printer’s configuration module directly will need to run in “none” mode. The driver developer can advertise whether or not their driver supports isolation mode. Now let’s take a look at how the new model works.
Anytime shared or isolated mode is used for a print driver, a new process – PrintIsolationHost.exe – is launched by the DCOM Server Process Launcher for each “print sandbox”. The print processor, the rendering module, the configuration module and the miscellaneous driver files are loaded into the address space of the new process, instead of the spooler’s process. The spooler essentially proxies calls for the print processor and other driver components in the PrintIsolationHost.exe process, and DCOM is used for inter-process communications. Something to note here – if you examine the spooler closely you’ll find that the print processors are loaded into both the spoolsv.exe and the PrintIsolationHost.exe processes when shared or isolated modes are used. For the print driver that you put into shared or isolated mode, however, all the processing takes place in the print processor in the PrintIsolationHost.exe process. The duplicate loading of print processors is to accommodate drivers that may be running in “none” mode at the same time.
Let’s look at what this looks like in Process Explorer. We’ll look at Isolation Mode since that is the most complex of the three modes. In this mode, there are a number of differences from the printing model that we have been used to. As we mentioned above, the print processors and print driver components for each isolated driver are loaded into a separate PrintIsolationHost.exe process. Within the spoolsv.exe process and all PrintIsolationHost.exe processes, there is a new DLL, PrintIsolationProxy.dll that proxies the calls for specific printers between the processes. In the screenshot below, we can see that the spoolsv.exe process is running as normal – the printers installed are all running with no isolation mode specified.
Now let’s take a look at what happens when we put two print drivers into Isolation mode. Initially you won’t see anything in your Process Explorer view. However, once the printer is used, you’ll see the PrintIsolationHost.exe processes and the PrintIsolationProxy.dll.
The reason that you don’t see the PrintIsolationHost.exe process spawn immediately after switching a driver to isolation mode is for better resource management. The process is called when needed, and is closed when not required. In shared mode, the printing model is very similar to isolated mode, except that you will only see one PrintIsolationHost.exe process – unless you also have drivers running in full isolation mode at the same time.
Now that we’ve covered some of the basics of PDI, let’s talk about configuring PDI via Group Policy. There are two new group policy settings that you can use to control the isolation mode of drivers on machines to which the policy applies. Both settings are in the Computer Configuration\Administrative Templates\Printers. The two settings are:
  • Execute Print Drivers in Isolated Processes– there are two settings
    • Disabled – Completely disable driver isolation, resulting in all the print drivers being loaded into the print spooler process as in previous OS versions. This would be a way to force “legacy” mode
    • Enabled or Not Configured – Allows driver isolation, in which case the driver isolation modes can be set as needed (or as specified by the OEM)
  • Override Print Driver Execution Compatibility Setting Reported by Print Driver– again, there are two settings
    • Enabled – Forces drivers flagged as incompatible with PDI to run in “shared” mode
    • Disabled or Not Configured – whatever isolation compatibility advertised in the .inf file for the driver is honored
The values for these policies are stored in the registry at HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\ in the following values:
  • PrintDriverIsolationExecutionPolicy
  • PrintDriverIsolationOverrideCompat
A value of 0 = disabled, and 1 = enabled. If the policy settings are “Not Configured” then these values will not exist in the registry by default and the system assumes the default settings as discussed above.
To wrap up this post, we’ll take a look at some of the registry values that can be used to modify PDI behavior – specifically the lifetime and recycle behavior of PrintIsolationHost.exe processes. These values exist in the HKLM\SYSTEM\CurrentControlSet\Control\Print\ key. Each entry below gives the value name, its type and a description:
  • PrintDriverIsolationIdleTimeout (REG_DWORD) – Time in milliseconds that specifies the maximum time a printer driver isolation process should remain idle before it is shut down.
  • PrintDriverIsolationTimeBeforeRecycle (REG_DWORD) – Time in milliseconds that specifies the maximum time span a printer driver isolation process should be used for before it is shut down / restarted. The shut down and restart sequence reclaims memory potentially leaked by drivers.
  • PrintDriverIsolationMaxobjsBeforeRecycle (REG_DWORD) – Specifies the maximum number of operations a printer driver isolation process should be used for before it is shut down and restarted. Again, the shut down and restart sequence reclaims memory potentially leaked by drivers.
In instances where you suspect isolated drivers of leaking memory, or if you have a large number of PrintIsolationHost.exe processes, these settings may be worth tweaking.
http://blogs.technet.com/b/askperf/archive/2009/10/08/windows-7-windows-server-2008-r2-print-driver-isolation.aspx
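The policy and tuning values described above can be read back and interpreted on a print server with a short script. This is an added example, not code from the original post or the linked article; the function names are hypothetical, and only the registry paths, value names and the process name come from the text.

```powershell
# Added example: report the Print Driver Isolation (PDI) state of the local machine.
# Registry paths and value names are the ones listed in the post above.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$printKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print'

function Get-RegValueOrNull {   # hypothetical helper name
    param([string]$Path, [string]$Name)
    # A missing key or value yields $null, which is how "Not Configured" appears.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-PdiPolicyState {   # hypothetical helper name
    param([string]$Name)
    $raw = Get-RegValueOrNull -Path $policyKey -Name $Name
    if     ($null -eq $raw) { $state = 'Not Configured' }
    elseif ($raw -eq 0)     { $state = 'Disabled' }
    elseif ($raw -eq 1)     { $state = 'Enabled' }
    else                    { $state = "Unexpected value: $raw" }
    New-Object PSObject -Property @{ Setting = $Name; State = $state }
}

$exec     = Get-PdiPolicyState 'PrintDriverIsolationExecutionPolicy'
$override = Get-PdiPolicyState 'PrintDriverIsolationOverrideCompat'
$exec, $override | Format-Table Setting, State -AutoSize

# Interpret the two policies the way the post describes them.
if ($exec.State -eq 'Disabled') {
    'Isolation is off: every driver loads into spoolsv.exe (legacy mode).'
} else {
    'Isolation is allowed: per-driver modes (None/Shared/Isolated) apply.'
}
if ($override.State -eq 'Enabled') {
    'Drivers flagged as incompatible with PDI are forced into shared mode.'
}

# Lifetime and recycle tuning values; absent means the system default is used.
'PrintDriverIsolationIdleTimeout',
'PrintDriverIsolationTimeBeforeRecycle',
'PrintDriverIsolationMaxobjsBeforeRecycle' | ForEach-Object {
    $v = Get-RegValueOrNull -Path $printKey -Name $_
    if ($null -eq $v) { "{0}: (not set)" -f $_ } else { "{0}: {1}" -f $_, $v }
}

# Sandbox processes exist only while an isolated or shared driver is in use.
Get-Process -Name PrintIsolationHost -ErrorAction SilentlyContinue |
    Select-Object Id, StartTime, WorkingSet64
```

An empty process list right after switching a driver to isolated mode is expected, since the host process starts only when the printer is used.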

Tuesday, May 15, 2012

Facebook Raises IPO Price Range Making $12.1 Billion Public Offering


Facebook Inc. raised the price range for its initial public offering.  The stock was said to open at $28 a share. Then it was bumped up from $28 to $34.  We then heard that the range was bumped up again, to $34 to $38 a share.  This means Facebook's IPO would raise $12.1 billion, making it Silicon Valley's biggest public offering.
Facebook executives have been pitching the social network's stock to investors on a roadshow since last Monday.
The jump in price was said to be due to overwhelming demand by investors on the roadshow.  The company's initial price range put Facebook's valuation at $77 billion to $96 billion. This recent hike puts Facebook's valuation at $93 billion to $104 billion.  Facebook will pick a final price Thursday night, when its final IPO documents must be filed with the Securities and Exchange Commission. It must do this before its first day of trading on Friday.
A new Associated Press-CNBC poll
http://news.yahoo.com/poll-half-americans-call-facebook-fad-040615340--finance.html
shows more than half of Americans think Facebook is a fad and that it will be the next MySpace.

Monday, May 14, 2012

Oracle Zero Day Vulnerability Still Not Patched


An Oracle zero-day vulnerability is still not patched after April’s patch release, which had 88 patches.  The vulnerability allows an attacker to perform a man-in-the-middle attack and capture information exchanged between clients and databases.  The vulnerability was reported in 2008 and is believed to have been around since 1999, when the TNS Listener feature was added to Oracle’s product line.  Oracle has workarounds for the zero-day flaw, which was found in its database server products.  Oracle has gone as far as to release a security alert:

Oracle Security Alert for CVE-2012-1675

http://www.oracle.com/technetwork/topics/security/alert-cve-2012-1675-1608180.html
The vulnerability is in the TNS listener and was recently disclosed as the “TNS Listener Poison Attack” affecting the Oracle Database Server.  The products affected are Oracle Database 11g Release 2, versions 11.2.0.2, 11.2.0.3, Oracle Database 11g Release 1, version 11.1.0.7, Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5, Fusion Middleware, Enterprise Manager and E-Business Suite.  Oracle has released workarounds, which can be found in My Oracle Support Note 1340831.1 and My Oracle Support Note 1453883.1.

Saturday, May 12, 2012

President Obama and Bill Clinton

This is a picture that has been circulating the internet. It's funny, and I just thought everyone might get a laugh out of it.  The circulation of this picture started with the whole Secret Service scandal.

Friday, May 11, 2012

Apple Releases Security Update for OSX Lion

Apple has just released the OS X Lion 10.7.4 update.
According to the release notes 10.7.4 includes fixes that improve the stability, compatibility, and security of your Mac.
This addresses the nasty bug that exposed FileVault passwords in plain text which we spoke about in
http://www.helixzone.net/2012/05/apple-update-makes-lion-login-passwords.html
Here’s the list of fixes from the release notes:
  • Resolve an issue in which the “Reopen windows when logging back in” setting is always enabled.
  • Improve compatibility with certain British third-party USB keyboards.
  • Addresses permission issues that may be caused if you use the Get Info inspector function “Apply to enclosed items…” on your home directory. For more information, see this article.
  • Improve Internet sharing of PPPoE connections.
  • Improve using a proxy auto-configuration (PAC) file.
  • Address an issue that may prevent files from being saved to an SMB server.
  • Improve printing to an SMB print queue.
  • Improve performance when connecting to a WebDAV server.
  • Enable automatic login for NIS accounts.
  • Include RAW image compatibility for additional digital cameras.
  • Improve the reliability of binding and logging into Active Directory accounts.
  • The OS X Lion v10.7.4 Update includes Safari 5.1.6, which contains stability improvements.

Thursday, May 10, 2012

Apple Update Makes Lion Login Passwords In Clear Text


In the latest Lion security update, Mac OS X 10.7.3, Apple accidentally turned on a debug log file, stored outside of the encrypted area, that records the user’s password in clear text.  An Apple programmer, apparently by accident, left a debug flag in the most recent version of Mac OS X Lion.  In specific configurations, applying OS X Lion update 10.7.3 turns on a system-wide debug log file that contains the clear-text login passwords of every user who has logged in since the update was applied.  Anyone who used FileVault encryption on their Mac prior to upgrading to Lion, but kept the folders encrypted using the legacy version of FileVault, is vulnerable. FileVault 2 with full-disk encryption is unaffected by the security flaw.  The Mac OS X 10.7.3 patch was released on February 1, 2012.  The good news is that log files are only kept by default for several weeks, meaning that users do not have months of unencrypted passwords sitting on their PC.  Apple needs to fix this issue ASAP.  When a patch is released, people need to ensure the log file has been deleted and their password has been changed.  I hope Apple takes care of this VERY SOON!
