NCP VPN not quite Windows 7 compatible

I got so frustrated with the NCP VPN client software, specifically a recent update, that I decided to let my frustration out by writing about it.


For a long time I used the, IT approved, Cisco VPN client to access our corporate network. And as the OS technology moved along, so did my systems, meaning Vista, Windows 7, and 64-bit. While, for the most part, our IT approved systems remained to be only 32-bit XP. Cisco, for some reason, maybe they are representative of IT organizations as whole, was late to support Vista, was late to support Windows 7, and for the longest time never supported x64.

The only Cisco compatible alternative on Windows 7 x64, was the NCP VPN client. But, at a cost, $144, per machine, very expensive.

I recently read that almost 50% of Windows 7 machines are 64-bit, and I recently read that Cisco announced VPN client support for x64 on Vista and Windows 7. I am sure this is not a coincidence.

But I digress, this post is not about Cisco, it is about the NCP VPN client.


Where to start?

The NCP software is intrusive, every time you login it shows a splashscreen, and the splashscreen remains topmost, blocking anything behind it, until it closes, by itself. I contacted NCP support, complaining about the intrusion, and they told me that it is necessary to run their software at login so that they can validate the license. I replied that validating the license need not happen at every login, and certainly should not interfere with my system. They said I could search the internet and find out how other people disabled their software.

This means a few things to me; they do not value usability, they acknowledge there is a problem, yet they do not offer a solution.

Imagine if every application you install on your system decides it is a good idea to show a splashscreen when you login.

Here is the splashscreen that pops up on every login:

In case you are wondering how to disable NCP from running at startup, they install three user session startup entries under [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run], delete or rename them


While we’re on the topic of usability, this application’s UI was probably not designed by Windows developers, or certainly not somebody that knows anything about standard Windows user interface design and principles.

In the main UI, shown below, how do you connect, where is the connect button, do you click the red button, no you need to click the gray area next to the red button. They probably though it looks cool.


Every time you login the application starts and shows its UI. How would you normally look for options in a windows app; probably [Options], or [Tools][Options], or [File][Options]. No, you need to click on [View][Autostart][No Autostart], what does the [View] menu have to do with [Autostart]?

And in case you were wondering, no, disabling autostart does not disable the splashcreen.


So what is it that made me mad enough to write this post?

I received an email that a new version was released, and the software offers a built in check for update mechanism by clicking [Help][Search for Updates]:

How big is that update? 23.792 kByte, really, 24 kilobyte, or what is a lowercase k in kByte? Or is that really 23,729 KB as in 24 megabyte?

Downloaded the update, now let’s apply it:

And then the Windows Program Compatibility Assistant pops up:


I contacted support, got an email that said no other users had reported this problem, and they asked if I am an admin on the system, but before I could respond, I got another email that said they reproduced the problem, and that I should download and install the update from the website.

Let’s download the update directly, and install it:

And then the Windows Program Compatibility Assistant pops up:


You may think it is a problem with my system, I repeated the same steps on a second system, that is how I captured the screenshots, and I ran Microsoft Process Monitor to record what is happening.


As a developer, that is familiar with writing Windows 7 compatible software, I know what is going on here.

The NCP software installs:
Three startup items: NcpBudgetGui, NcpPopup, NcpRsuGui
Three services: ncpclcfg, ncprwsnt, NcpSec
Two drivers: ncpfilt, ncplelhp


The NCP UI process is called NCPMON.exe, and is launched by explorer, runs non-elevated, at medium IL. It is the NCPMON.exe process that downloads and executes the update.

From the procmon log I can see that NCPMON.exe called CreateProcess() to launch the installer:
Date & Time:    7/21/2010 10:01:12 AM
Event Class:    Process
Operation:    Process Create
Result:    SUCCESS
Path:    C:\Users\Pieter Viljoen\AppData\Local\Temp\NCP_EntryCl_Win32_923_17.exe
TID:    6952
Duration:    0.0000000
PID:    6856
Command line:    "C:\Users\Pieter Viljoen\AppData\Local\Temp\NCP_EntryCl_Win32_923_17.exe"


This will not work, the NCP_EntryCl_Win32_923_17.exe is an installer it has to “Run As Admin” (this is an InstallShield installer, and although it does not contain a Run As Admin manifest entry, the Windows Application Compatibility subsystem recognizes InstallShield installers, and automatically runs them with elevation required), this means that when you launch this EXE using ShellExecute(), or using Explorer, you will get a UAC elevation prompt, and if approved, the installer will run elevated, and the install succeed.

There is only one explanation of how NCP could ever have shipped this, their developers and QA test with UAC disabled on their test systems.


What about the appcompat warning after the install?

Microsoft requires that Windows Vista and Windows 7 compatible applications mark their compatibility in the installer manifest.

By inspecting the resources in the installer EXE, there is a manifest, but there is no compatibility manifest, as such, this error will always show on a Windows 7 system.

I have no explanation for how NCP could allow this to ship, ignorance?


It makes me mad that an ISV advertises Windows 7 compatibility, and ships software like this. It is companies like NCP that gives Windows a bad name, and drives companies like Apple, to enforce rigorous, sometimes draconian, quality and usability standards in order to protect their own brand.

Amazon Unbox on x64 Vista

While shopping on Amazon I noticed that they were offering the Pilot of the Showtime series Nurse Jackie in HD for free, so I decided to give it a try.
The install (version went smoothly, and the 1.3GB downloaded also completed pretty quickly, and I watched the show.
Ok, now I wanted to stop the Unbox player service from running and terminate the tray icon application, I have no need to have it running all the time.
I went to [Settings][Preferences], and unchecked the [Run the Amazon Unbox service when Windows starts] option.

I then right clicked on the tray icon and selected [Exit], the tray application launched “Amazon Unbox Config.exe stop” application, requiring UAC elevation, and promptly crashed with the following message:

An unhandled exception of type ‘System.BadImageFormatException’ occurred in Unknown Module.
Additional information: Could not load file or assembly ‘ADVWindowsClientAppRoot, Version=, Culture=neutral, PublicKeyToken=091de1773ddefdbf’ or one of its dependencies. An attempt was made to load a program with an incorrect format.

I contacted Amazon support, and they provided this response:

Hello from

I sincerely apologize for the trouble you’ve had using the Unbox Video Player. From your message, I understand you received an error relating to Windows being unable to load the correct file path.

I’ve researched the issue and suggest that you update the security components of your Microsoft operating system.

Please visit the Microsoft website listed below and follow Microsoft’s instructions for updating your security components. Microsoft may require you to use Internet Explorer to access all of the functions of this page and enable Active X controls in your Web browser.

If using Microsoft’s update does not resolve your playback issue, I recommend uninstalling and reinstalling your .NET Framework.

The Microsoft .NET Framework includes a large library of coded solutions to common programming problems and a virtual machine that manages the execution of programs written specifically for the framework. The .NET Framework is a key Microsoft offering and is intended to be used by most new applications created for the Windows platform.

I hope you found this information useful.

I gave them the benefit of the doubt and tried to update the DRM components, it did not work.
I suspected I know what the problem was, and this problem reminded me of a similar problem with the Google Email Uploader on Vista x64.
My suspicions were confirmed after I used CorFlags to inspect the binaries:

CorFlags.exe “C:\Program Files (x86)\Amazon\Amazon Unbox Video\Amazon Unbox Config.exe”
Microsoft (R) .NET Framework CorFlags Conversion Tool. Version 3.5.21022.8
Copyright (c) Microsoft Corporation. All rights reserved.

Version : v2.0.50727
CLR Header: 2.5
PE : PE32
CorFlags : 9
32BIT : 0
Signed : 1

CorFlags.exe “C:\Program Files (x86)\Amazon\Amazon Unbox Video\ADVWindowsClientAppRoot.dll”
Microsoft (R) .NET Framework CorFlags Conversion Tool. Version 3.5.21022.8
Copyright (c) Microsoft Corporation. All rights reserved.

Version : v2.0.50727
CLR Header: 2.5
PE : PE32
CorFlags : 11
32BIT : 1
Signed : 1

The output indicated that the EXE file was compiled to run natively on any platform, i.e. x64 on x64 and x86 on x86, but the DLL was compiled to be x86 only.
Thus the EXE runs as x64 and tries to load a x86 binary, not allowed, causing the crash.
The CorFlags output and x64 migration is discussed in this MSDN blog post:

anycpu: PE = PE32 and 32BIT = 0
x86: PE = PE32 and 32BIT = 1
64-bit: PE = PE32+ and 32BIT = 0

To fix the problem I have to change the EXE attributes to only run in 32bit:

CorFlags.exe “C:\Program Files (x86)\Amazon\Amazon Unbox Video\Amazon Unbox Config.exe” /32BIT+ /Force

The “Force” flag is required because the binary is Authenticode signed, and after the header change the Authenticode signature is now invalid.
“CorFlags” is parts of the .NET / Platform SDK and can be downloaded from Microsoft.

After I made the changes to the EXE, I repeated the original steps, and no more crash.
I replied to Amazon with my findings, and I hope they make the necessary, and easy, changes to fully support x64.

How to install SQL Server 2008 on Windows Server 2008 R2 RC

I was trying to install SQL Server 2008 on Windows Server 2008 R2 RC.

But, when I launch SETUP.EXE, Windows warns me that SQL Server is not compatible with Windows Server.
If I ignore the warning, the install proceeds but then fails to install .NET 3.5.

After a little searching and experimentation I found a way to install without any problems:
1. Create a slipstreamed SQL Server 2008 SP1 install, follow the instructions here.
I set my my PCUSOURCE=”.\PCU” and that worked fine.
2. Add .NET 3.5 by going to server manager and adding the .NET 3.5.1 feature.
3. Install by running SETUP.EXE.

I hope this helps somebody.

Google Email Uploader on Vista x64

I am currently importing a few thousand email messages from Outlook 2007 to my email account hosted on Google Apps. Google provides an Email Uploader utility, and it is easy to use, but getting it to work with Outlook 2007 on Vista x64 was less than trivial.

The utility installed fine on my Vista x64 system, but it found no mailboxes to import. A little research showed that several other people using Vista x64 and Outlook 2007 have exactly the same problem.

Since Google kindly publishes the source for the tool, I decided to have a look. Turns out it was a relatively simple fix to get it to work.

The main application is a C# .NET application, with the build properties for the target set to “Any CPU”. This means that on a x86 / WIN32 system it will be a 32bit process and on x64 / WIN64 system it will be a 64bit process.

The problem is that the application also uses two mixed mode DLLs, and these DLLs are compiled for x86 / WIN32. When running the main EXE on Vista x64, the process is a 64bit process, and that fails to load the 32bit DLLs. The fix was simple, change the build target from “Any CPU” to “x86”.

I also had to fix a couple other small things in order to get the “Release” build to compile correctly. The DLLs are written in C++, but for some reason the developers used .MH and .MCC extensions instead of the standard .H and .CPP extensions. The “Debug” build had set custom build properties for .MCC files, and associated the files with the C++ compiler. Once I did the same for the “Release” build, the project compiled.

The last change was to set the Outlook import DLL linker options to delay load MAPI32.DLL.

You can download the binaries from here, simply extract and run.
Please remember that I provide no warranty at all, I did minimal testing, so use at your own risk.

I hope Google makes these easy changes to the main source branch so future official versions also support Outlook 2007 on Vista x64.

Getting Vista to go to sleep

I noted my troubles with the Intel GMA drivers, the Intel DG33TL motherboard, and Vista SP1 blue screen crashing in my earlier post.

Since I was running the 15.8 version of the Intel GMA drivers, and Microsoft KB948343 indicates that, based on the driver version numbers, these newer drivers should not be affected by SP1, yet the crash details were clearly the same, and no new driver was forthcoming to correct the blue screen crash, I decided to take the GMA drivers out of the picture.

I am currently using an ATI HD 26000 XT card in my HTPC, and this is a great card. I looked for the same model, the one I was using is from VisionTek, but I found a Sapphire brand card for significantly less. I am actually happier with the Sapphire compared with the VisionTek, the VisionTek fan was really loud, and since I was using it in my HTPC, I ended up buying a Zalman VF900-Cu replacement fan for the VisionTek card. The Sapphire card has no problem with a noisy fan.

I installed the ATI card, installed the drivers, and put the machine to sleep. This is where the GMA drivers would normally crash. This time there was no crash, but the machine also immediately woke up again, I could not get it to stay in sleep mode.

At this point I had had enough of the DG33TL board; it had given me more trouble than I was willing to put up with and I wanted a replacement board. Since I already had the machine open, while replacing the VGA card, I wanted a new board now, which meant instead of ordering online and waiting a few days I had to take a trip to my local Fry’s.

I knew my in store choices would be limited, so I did some research and selected a few models from Asus, Gigabyte, and Intel, with the primary requirement being ICH9 support so that I would not lose the RAID-0 configuration of my drives, and the motherboard swap would not require an OS reinstall. My first choice would have been a Gigabyte GA-G33-DS3R, unfortunately, as I suspected, it turns out that of all the options I was hoping for the only board that came close was an Intel DQ35JO.

Of the three boards on the shelf, all of them had been returns and were resealed, so this was even more of a risk, but they were marked down a few dollars so that did make me feel better, and I could always return the board.

The DQ35JO is very similar to the DG33TL. The DQ35JO is from the Executive series, and the DG33TL is from the Media series. The DQ35JO has no multichannel audio, but does have TPM and AMT. The component layouts are almost identical.

I replaced the board, powered on, the POST screen came up and then nothing. On reading the Intel support documents they recommended a BIOS reset. I removed the battery, waited a few minutes, replaced the battery and rebooted. This time the POST completed, and I could boot. I assume that since the board had been used, and I just replaced the memory and CPU, that this may have caused the initial boot failure. Before booting into Vista I first booted to my DOS bootable USB key and updated the BIOS to the latest version, then reset the BIOS configuration to defaults, and again made all the required changes, most importantly to restore the RAID drive configuration.

I booted into Vista Ultimate x64, waited a few minutes for the new drivers to load, and eventually the keyboard started working and I could login. The ATI control center application complained that there was no ATI driver installed, so I reinstalled the ATI driver, rebooted, and this time everything seemed fine. Not quite, Windows told me the hardware had changed and I had to reactivate. Activating over the internet failed, and I had to activate over the phone, that worked. I also noticed that Windows Update wasn’t working, the KB article for the error code told me to check the PC time. Since I had reset the BIOS without resetting the time, the time was off by years, on correcting the time WU started working again.

Now for the ultimate test, can the machine go to sleep? I press the sleep button and the machine sleeps, I touch the keyboard and the machine wakes up. I leave the machine idle for an hour, it goes to sleep, I touch the keyboard and the machine wakes up. Success!

There is one thing that is still not 100%, and this seems to be a problem on both the DG33TL and the DQ35JO; the case power light is not always on. E.g. after removing mains power and powering on the case power light will be on and stay on until the first sleep, and then the power light will turn off, and even resuming from sleep or rebooting will not turn the light back on.

Maybe I should have been more patient and ordered the Gigabyte GA-G33-DS3R instead, but for now I am happy.

Installing Vista SP1 with an OEM key

I received my new Lenovo ThinkPad T61 notebook, pre-installed with Vista Ultimate, but also with 3rd party software I did not care for.

I wanted a clean Vista install, and that is exactly why I made sure to order the recovery media with the notebook, thinking that this will include an OS install DVD. It turns out that the recovery media is six CDs, I don’t know why not a DVD, regardless, the recovery media does not include a Vista install DVD.

I called Lenovo support asking how to obtain a Vista DVD that will accept the OEM key, and was told that Vista install DVDs are not available, and that I should use the recovery CDs or the recovery partition.

I decided to give the recovery partition a try; boot, press F11, select restore, do a custom restore, unselect all the 3rd party software, start the install process.

The machine rebooted several times, eventually returning to the same state as when I first booted. There was no 3rd party software on the system, only the Lenovo ThinkPad software was installed.

This was much better than the out of the box version, but still not as clean as I’d like it to be.

I did some research and found several articles explaining elaborate procedures on how to install Vista using a normal Vista DVD and an OEM key.

Since I had read that Vista SP1 had made some licensing changes, I decided to experiment using a Vista x86 with instegrated SP1 DVD I downloaded from MSDN.

I was not sure if I would need the actual key used on my system, as explained by the article, which is different to the key on the OEM sticker, so to be safe I used Magical Jelly Bean Keyfinder to make a note of my current key. This key was indeed different than the key on the OEM sticker.

I booted from the Vista with integrated SP1 DVD, formatted the partition, it was interesting that the 6GB recovery partition does not show up in Vista, I did not enter a key, and started the installation.

After the installation completed I changed the product key using the key I had previously retrieved from the system. After a few seconds Windows reported that there was a problem with the key.

This is when I noticed something interesting, the activation window appearance changed, and the temporary key that was displayed changed to indicate xxx-OEM-xxx. It seems that Windows automatically switched to OEM mode.

Next I tried the key on the sticker, and after a few seconds Windows was activated.

I was intrigued by the automatic mode change, but I did not want to repeat the whole procedure just to find out if I could have used the OEM key in the first place.

If you try this procedure using Vista with integrated SP1, be sure to first try the key on the OEM sticker, you may not need the initial key retrieval step at all.