OpenVPN Windows Service Foo (Updated)

As a longtime OpenVPN user on Linux I thought it would be an easy task to set up OpenVPN as a service on Windows. Well, I was right… and couldn’t be wronger. Setting up the service is part of the installation notes for OpenVPN. Just search for “Running OpenVPN as a Windows Service” in the notes and you will find a pretty good description that should get you up and running in no time.

But the devil is of course in the detail. This kind of setup works perfectly for servers, or in general for machines with good internet connectivity that never go into standby or hibernation. Once you use a laptop, which you usually put into standby on a regular basis, or you simply have a sluggish WiFi connection, you have a problem. And the problem is that OpenVPN is unable to re-establish the tunnels and, at least in my case, causes quite some CPU load on the machine. The problem is actually well known to the OpenVPN team (see here and here).

So what are your options to fix it? In OpenVPN’s people suggest using either OpenVPN Service for Windows or NSSM. I tried my best with the OpenVPN Service for Windows, but I couldn’t get it to work. So sorry guys, I can’t recommend that one. Then I tried NSSM and hit similar hurdles, but the documentation was better and I could actually get it to work.

So without further ado, I present to you the setup of OpenVPN as a service in Windows using NSSM.

For starters you have to download and install the latest version of OpenVPN (Download) and NSSM (Download). NSSM does not come with an installer. That means you have to create a folder, for instance in your “Program Files” directory (or whatever directory name %PROGRAMFILES% represents). Then, depending on your operating system, you copy the win32 or win64 version of nssm.exe into that directory. Now open a console with administrator rights, navigate to the newly created folder and execute NSSM to get the command line parameters:

C:\Program Files\NSSM>nssm.exe
NSSM: The non-sucking service manager
Version 2.24 64-bit, 2014-08-31
Usage: nssm

To show service installation GUI:

nssm install [<servicename>]

To install a service without confirmation:

nssm install <servicename> <app> [<args> ...]

To show service editing GUI:

nssm edit <servicename>

To retrieve or edit service parameters directly:

nssm get <servicename> <parameter> [<subparameter>]

nssm set <servicename> <parameter> [<subparameter>]

nssm reset <servicename> <parameter> [<subparameter>]

To show service removal GUI:

nssm remove [<servicename>]

To remove a service without confirmation:

nssm remove <servicename> confirm

To manage a service:

nssm start <servicename>

nssm stop <servicename>

nssm restart <servicename>

nssm status <servicename>

nssm rotate <servicename>

C:\Program Files\NSSM>

You can control NSSM completely from the command line, but it also has an actually usable GUI. You can start the installation process by doing the following

nssm install

or, if you already want to give the service a name (it can’t be changed with NSSM once it is installed!), with the command below. Note that if you have multiple tunnels, you have to set up multiple services. So give each one a meaningful name.

nssm install "My OpenVPN Service"

The second command should give you the following window:
NSSM Installer

The next step is filling in all the information necessary for NSSM to set up OpenVPN as a service.

Application

Path: This is the path to the OpenVPN binary and should usually be C:\Program Files\OpenVPN\bin\openvpn.exe.
Startup directory: This is the path to the directory where you store your OpenVPN configuration files. Usually that is C:\Program Files\OpenVPN\config. But if you want to run the OpenVPN UI with manual started tunnels in parallel, then you should create a separate folder, e.g. C:\Program Files\OpenVPN\config-nssm. Otherwise it is easy to confuse manual tunnels with service tunnels. In my sample I won’t use manual tunnels, so I go with the default.
Arguments: This is the configuration file for the tunnel, that should reside in the above defined startup directory.
NSSM Application Tab

Details

Display name: This is the name that is basically visible everywhere. Most of the time this is the same as the service name, but this is up to you.
Description: As the name says, this is a description, that can be viewed later on in the services area.
Startup type: This is the standard startup type setting for a Windows service. Most likely you want to choose Automatic here. But you have the choice between Automatic, Automatic (Delayed Start), Manual and Disabled.
NSSM Details

Log on

Here you can define as who this service needs to run, but unless you are doing something very special here you can leave it to the default setting (Local System Account).
NSSM Log On

Update

Running Windows 10, this tab can be more important. Using the system account you will be able to install the service, but when starting the service, you might see an error. In the event log it will show up with the following message:

Program C:\Program Files\OpenVPN\bin\openvpn.exe for service OpenVPN siteopsvpn (NSSM) exited with return code 3221225794.

This basically means, that you use an account that has no rights to execute OpenVPN. I solved it, by running the service as a user, that has administrative rights on that machine. You can even create a special user to do that.

Dependencies

The dependencies tab is important, because here we have to add the services that OpenVPN is depending on (Dhcp and tap0901).
NSSM Dependencies

Process

In this tab you can control how the service is handled by the processor. For instance if it should only run on a specific processor or a higher priority. For the normal use case this can be left alone.
NSSM Process

Shutdown

Unless you run into strange problems you can leave this one alone.
NSSM Shutdown

Exit actions

This is again a tab that you don’t have to touch under normal circumstances.
NSSM Exit Actions

I/O

Now we have to do something again. With the OpenVPN UI you have the ability to take a look at log files. Well, with services you don’t, unless you define them here. You can use the same for all redirections, but I prefer to have a separate log for stdin, stdout and stderr. Log files are usually located in C:\Program Files\OpenVPN\log.
NSSM I/O

File rotation

This tab is an extension of the I/O tab, as it configures the log rotation. I set it to rotate and left the rest alone. But you can decide on different rotation strategies, so that the files don’t get too big, too old, or whatever the problem might be.
NSSM File Rotation

Environment

This last tab can be ignored for the usual use case. But you might have a special case where you have to add or even replace the environment, then this tab is your friend.
NSSM Environment

Now a last chance to think about the service name… You are good? Okay, then click “Install Service” and NSSM will install OpenVPN as a service that can survive standby and sluggish network connections. You have to start the newly created service with either the net command, the nssm command or via the services in the control panel.

If you have to change anything you can do that by calling NSSM with the edit parameter.

nssm edit "My OpenVPN Service"

And, as mentioned before, you can do all this on the command line. Here is the sequence.

nssm install "My OpenVPN Service" "C:\Program Files\OpenVPN\bin\openvpn.exe"
nssm set "My OpenVPN Service" AppDirectory "C:\Program Files\OpenVPN\config"
nssm set "My OpenVPN Service" AppParameters myvpnconfig.ovpn
nssm set "My OpenVPN Service" AppStdin "C:\Program Files\OpenVPN\log\myservice-stdin.log"
nssm set "My OpenVPN Service" AppStdout "C:\Program Files\OpenVPN\log\myservice-stdout.log"
nssm set "My OpenVPN Service" AppStderr "C:\Program Files\OpenVPN\log\myservice-stderr.log"
nssm set "My OpenVPN Service" AppRotateFiles 1
nssm set "My OpenVPN Service" DependOnService Dhcp tap0901
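
A check to run after the sequence above, added here as an example and not part of the original post: it reads the settings NSSM stored under the service's Parameters registry key, catches an Application value cut short by an unquoted path, and lists accounts other than the administrative ones that can write to files the service loads. The service name is the one from this post; that AppParameters holds only the config file name is an assumption.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell.
param([string]$ServiceName = 'My OpenVPN Service')   # service name used in the post

# SYSTEM, Administrators, CREATOR OWNER and TrustedInstaller may hold write access
$TrustedSids = 'S-1-5-18', 'S-1-5-32-544', 'S-1-3-0',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'

function Get-UntrustedWriter {
    param([string]$Path)
    $fsr = [System.Security.AccessControl.FileSystemRights]
    # Write-type rights plus the raw GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits
    $mask = [int]$fsr::Write -bor [int]$fsr::Delete -bor [int]$fsr::ChangePermissions -bor
            [int]$fsr::TakeOwnership -bor 0x50000000
    $sidType = [System.Security.Principal.SecurityIdentifier]
    (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ([int]$_.FileSystemRights -band $mask) -and
            $TrustedSids -notcontains $_.IdentityReference.Value
        } |
        ForEach-Object { "WRITABLE  $Path by $($_.IdentityReference.Value) ($($_.FileSystemRights))" }
}

$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' is not installed" }
# NSSM keeps Application, AppDirectory, AppParameters etc. in this key
$p = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName\Parameters"

$findings = @()
# The registered service binary is nssm.exe itself; its path must be quoted if it has spaces
if ($svc.PathName -match '^[^"]+ [^"]*\.exe') {
    $findings += "UNQUOTED  ImagePath: $($svc.PathName)"
}
# An unquoted path at 'nssm install' time leaves Application as e.g. C:\Program
if (-not (Test-Path -LiteralPath $p.Application -PathType Leaf)) {
    $findings += "BROKEN    Application is not a file: $($p.Application)"
}
# Assumption: AppParameters holds only the config file name, as in the post
$targets = $svc.PathName.Trim('"'), $p.Application, $p.AppDirectory,
           (Join-Path $p.AppDirectory $p.AppParameters)
foreach ($t in $targets | Where-Object { Test-Path -LiteralPath $_ }) {
    $findings += @(Get-UntrustedWriter -Path $t)
}

"Service account: $($svc.StartName)   Start mode: $($svc.StartMode)"
if ($findings) { $findings } else { 'No findings.' }
```

If you moved the configuration to a separate folder such as config-nssm, the AppDirectory value picks that up automatically.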

Happy tunneling.

Lync CTRL-Enter Foo (Update)

It seems that Microsoft’s products are creating more and more foos. This time it is Lync, also known as Skype for Business.

It is okay that Lync uses the Enter key to send a message or the CTRL-Enter combination to start a call. But it is not okay that there is no way to change these key combinations. Especially when all other instant messengers that I use default to CTRL-Enter to send a message.

So now I have to use Lync at work, which starts a call when I want to send a message and no direct way of changing it. The only thing that is possible, is removing the CTRL-Enter key combination so that I don’t accidentally start a call.

A solution is described in a TechNet blog post. So here is what worked for me in Lync 2013 (a.k.a. Office 15.0).

First open the registry editor (regedit.exe) and navigate to the following key. If you have a different Lync/Office version you might just change the version number. Create the missing pieces of the key, if necessary. In my case I only found the Microsoft part and had to create everything else.

HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\Lync\DisabledShortcutKeysCheckBoxes

Create a new string value inside that key:

Value Name: CtrlEnter
Value Data: 13,8

Restart Lync and the CTRL-Enter foo should be gone.

Update: Fixed the registry key (Lync, not Office). Thank you Karel, for pointing that out to me.

Windows 8.1 Store App Can’t Open Foo

Windows continues to kick my behind. Out of the blue the Windows 8.1 installation on my workstation didn’t want to open the store app. Not that I really need or want it. But the same happened for the settings app, which was a little bit of a problem.

I should have taken a screenshot but the error message was something along the lines of “This app can’t open” and “Refreshing your PC might help fix it”.

It seems that I was not the only one with that problem; there is even a Microsoft blog post about it. The reason seems to be that the affected apps are not registered anymore with Windows.

So here is how it can be fixed. In a command prompt that runs as administrator I ran the following commands. When you look at the blog post it seems that you don’t need administrative rights but you never know. Now enter the following commands to re-register the system apps:

Store app:

powershell -ExecutionPolicy Unrestricted Add-AppxPackage -DisableDevelopmentMode -Register $Env:SystemRoot\WinStore\AppxManifest.XML

Camera app:

powershell -ExecutionPolicy Unrestricted Add-AppxPackage -DisableDevelopmentMode -Register $Env:SystemRoot\camera\AppxManifest.xml

File Manager (One Drive) app:

powershell -ExecutionPolicy Unrestricted Add-AppxPackage -DisableDevelopmentMode -Register $Env:SystemRoot\FileManager\AppxManifest.xml

Settings app:

powershell -ExecutionPolicy Unrestricted Add-AppxPackage -DisableDevelopmentMode -Register $Env:SystemRoot\ImmersiveControlPanel\AppxManifest.xml

The execution of these commands, especially for the store app, might take a while.

This would have been easy, but of course Microsoft products never make things easy on me. So I hit the problem that a registry key doesn’t have the right owner and I got the error 0x8007064A.

So you have to open the registry editor (Windows + R and then regedit) and navigate to the registry key:

HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Packages

And then change the ownership of this key to SYSTEM:

  1. On the Edit menu, click Permissions.
  2. Click Advanced, and then click the Owner tab.
  3. Under Change owner to, click the new owner, and then click OK.

Windows 7 “The Computer Restarted unexpectedly or encountered an unexpected error” Foo

HP’s Windows recovery installation seems to be a little bit broken. Or at least for me it was. While restoring the Windows 7 on an HP Elitebook 8540w I ran into some issues when the drivers installed. The system just stalled and nothing was moving anymore. After a reboot I saw this nice error message:

The Computer Restarted unexpectedly or encountered an unexpected error

Well, not nice at all, but there is a way you can continue from here. Here are the steps:

  1. On that very same screen press SHIFT-F10 and a command prompt should appear.
  2. Enter “regedit” (without the quotes) into the command prompt and press enter.
  3. In the registry editor navigate to HKLM\SYSTEM\Setup\Status\ChildCompletion
  4. Double click on the entry setup.exe and change the value from 1 to 3.
  5. Close the registry editor.
  6. Click OK in the error window, which will restart your machine.

After these steps you should be able to continue with your Windows setup. In my case I had some trouble getting all drivers to work, but that is a different story.

Enable Administrator Account on Windows Vista, 7 & 8

Most of you might have noticed that ye good ol’ administrator account is not available anymore in newer Windows versions. Actually it is hidden and disabled for all versions since Windows Vista. And under normal circumstances you actually don’t want to use this account anymore. But there are some use cases where you want to have this administrative access.

So, let’s take a look at it. As mentioned before, the account exists. That means it just needs to be activated. Now, this can’t be done within the UI. You have to dive into the command prompt that runs as administrator. Kinda confusing to activate the administrator with a command prompt that runs as administrator, isn’t it?

Let’s get started. First you need the command prompt with elevated (administrator) rights. On Windows Vista and 7 you can simply search for “command prompt” in the start menu and select “Run as administrator” after right-clicking on the menu entry. Or you can use the Ctrl-Shift-Enter shortcut inside the search box.

On Windows 8.x you right-click the start button and choose the menu option “Command Prompt (Admin)”.

Now we have a command prompt and with the following command you activate the administrator account:

net user administrator /active:yes

It is important to know that this user does not have a password set at all. So everybody can log in as administrator! If you don’t want that, and usually nobody wants that, you have to set a password. This can be done with the following command on the already open command prompt; the asterisk makes net prompt for the new password instead of taking it on the command line:

net user administrator *

If you are done with your task or you want to deactivate the administrator in general, you simply use the following command:

net user administrator /active:no

And now happy administrating! Or in other words, creating a lot of Foo.

Windows Keyboard Typing Consecutive Numbers Foo

This Windows Foo showed its ugly head today for the first time and I was simply flabbergasted. Whatever I typed, only the first letter appeared correctly and from there on the system was showing consecutive numbers. Something like this for good ol’ hello world:

H2345678901

It happened first in a Java application so, I suspected a problem with Java and a virus scanner, etc. But nothing could be found. After some testing, I saw that it happened even in native Windows applications like the Powershell or AutoCAD.

Some further testing revealed that the tilde (~) and the back tick (`) seem to work fine and that pressing SHIFT plus any key gives the appropriate symbol for pressing SHIFT and the number that would appear. To make it even more fun the same happened using a remote session.

The whole behavior made me cringe and I thought already I have a key logger or some other kind of malware installed. But the virus scanner showed no problem and in general the system seemed to be fine.

After some more digging and asking repeatedly the great wise oracle with the googly eyes, I found the culprit: GuardedID. According to some other posts a tool from Comcast called Constant Guard causes the same trouble. After de-installing GuardedID, all was fine again. I did my good deed for this Monday.

And now my question to the GuardedID makers: WTF?! This tool supposedly should prevent keylogging. The least I can expect is good programming and not a TheDailyWTF moment. And even worse. After looking at your web site I nearly had to puke. Are you really marketing yourself as a serious product with “as seen on TV” and some actor’s quote?! How about investing your money into a good product rather than in cheap marketing campaigns!

DLL Foo… OK, it is DLL Hell

It’s been a while since the last post and now Windows makes headlines. At least here. But enough of the whining and back to business.

The DLL hell problem. Well, everybody using Windows sooner or later became acquainted with this nice place. Nowadays the hell is not as hot anymore because programs are nice and install DLL’s in the program directory and Windows looks there first. Plus, it has a lot of automagic mechanisms that try to find the correct DLL.

But what if you have two pieces of software in the same directory and they need the same DLL,… but in different versions. You might think you are in hell, but fear not, there is a solution.

There are multiple ways for Windows to load a DLL and in this particular case the standard mechanisms fail. So we have to nudge Windows into the right direction. And the best way to do that is to dive into the registry, quel surprise.

As a first step you have to create two separate folders where the DLL’s will reside. Let’s call them LibA and LibB. Now we have to force Windows to use the correct DLL for the correct executable. This is done by adding a sub key to the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths

This new sub key is named after the .exe file, like TestApp1.exe or TestApp2.exe.

The (Default) value of the sub key again gets the executable, but this time with the full path, like “C:\Program Files\TestApp\TestApp1.exe”.

And last, but not least, you create for each of these keys a new string value with the name Path. After you assign the path to the DLL folder to that string value (for instance C:\Program Files\TestApp\LibA) everything should work. Just restart the application and you are good to go.
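
The three steps above as a script, added here as an example and not part of the original post. TestApp1.exe, TestApp2.exe, LibA and LibB are the sample names from this post; the function name is made up for the example.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell.
# The Path value is appended to PATH when the program is started through the
# shell (ShellExecuteEx: Explorer, Start menu, Run dialog).
$AppPaths = 'SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths'

function Set-AppPathEntry {            # hypothetical helper name
    param([string]$ExePath, [string]$DllDir)
    # Refuse paths that do not exist, so a typo does not register a dead entry
    if (-not (Test-Path -LiteralPath $ExePath -PathType Leaf))      { throw "No such file: $ExePath" }
    if (-not (Test-Path -LiteralPath $DllDir  -PathType Container)) { throw "No such folder: $DllDir" }

    $exe = Split-Path -Path $ExePath -Leaf
    $key = "HKLM:\$AppPaths\$exe"
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key | Out-Null }
    Set-Item         -LiteralPath $key -Value $ExePath               # (Default) value
    Set-ItemProperty -LiteralPath $key -Name 'Path' -Value $DllDir   # DLL folder

    # Read the entry back; Windows 7 and later also read per-user App Paths,
    # so report whether a same-named key exists under HKCU
    $stored = Get-ItemProperty -LiteralPath $key
    New-Object psobject -Property @{
        Exe          = $exe
        Default      = $stored.'(default)'
        Path         = $stored.Path
        PerUserEntry = (Test-Path -LiteralPath "HKCU:\$AppPaths\$exe")
    }
}

$base = Join-Path $env:ProgramFiles 'TestApp'
Set-AppPathEntry -ExePath (Join-Path $base 'TestApp1.exe') -DllDir (Join-Path $base 'LibA')
Set-AppPathEntry -ExePath (Join-Path $base 'TestApp2.exe') -DllDir (Join-Path $base 'LibB')
```

Because the entries live under HKEY_LOCAL_MACHINE and apply to every user, keep LibA and LibB writable by administrators only, like the rest of the program directory.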

Windows 7 Upgrade Installation Foo

It is, again, the time to re-install my virtual machine with Windows 7. So far so bad. I don’t like to install Windows in the first place but from time to time I needed it and Windows 7 is actually not that bad. But for a good reason ($$$) I bought an upgrade license of the Ultimate Edition. Now this would force me to install Windows Vista first, just to perform an upgrade. Sounds kinda silly, doesn’t it? So I won’t do it and I dug out an old c’t magazine (issue 24/2009) where they discuss a way to install the upgrade without going the normal upgrade path. I am sure there are some other resources out there that explain the same thing, but here is my take on it.