Dan Cunningham

So I figured I’d formally unveil something I’ve had in development for quite a while. This has nothing to do with video encoding so, unless you’re a CTO or network administrator struggling to remediate application licensing issues and crack down on unwanted and potentially harmful applications installed across your userbase, you can safely skip this

So, the Software Compliance Tool is a small application designed to reduce the overhead in managing unwanted applications in a business environment. While Windows Vista and Windows 7 have made a lot of headway in easing reduced user rights into the Enterprise, it’s still very common that Local Administrator rights are given to end users. The reasoning for this is usually to work around application compatibility (both external and in-house). However, this introduces the ability for end users to install whatever they want on their computers, including games, peer-to-peer software and security vulnerable applications. It is the company’s responsibility to ensure that copyrights are not infringed, and that their network is secure. This is where SCT comes in (I love my acronyms don’t I?).

When implemented in your environment, SCT starts as a hidden application, scans the Windows Installer DB and the registry for application details. It then compares the found applications to the blacklist policy. If no matches are found, the application closes without any notification to the end user.

If a match is found, SCT displays a dialog to the end user and tries to remove the application automatically. For Windows Installer applications, this is generally fairly straightforward. For non-MSI based installs, the default uninstall string is used (from the registry) which can be further augmented with additions (ie, “/s” for a silent uninstall) or completely replaced with a custom action string.

Here’s what the end user sees if something is in breach of the policy:

So with regards to the policy, it can work in a number of ways:

• Firstly, an exact name match whereby you say ‘iTunes’ is not allowed.
• Secondly, you can specific that a partial match can occur. This is important for applications that write version information as part of the installation, for example, Firefox 3.5. With a partial name match, you can blacklist ‘Firefox’ and catch every version. This is also useful to blacklist types of applications, for example ‘Poker’
• Thirdly, you can blacklist against the previous two types, but also have a version restriction. So let’s say that you allow, but don’t support Adobe Flash for Firefox. Flash is notorious for having security issues, so you could have a version restriction to the latest patched version and all previous versions will be automatically removed.
• Lastly, you can apply a blacklist but also allow exclusions through Active Directory groups. Just specify the group name in the application policy, populate the group with users, and they will be automatically excluded from the automatic removal of the application. This is especially convenient for administration applications, that you KNOW your standard user shouldn’t have on their workstation.

In order to prevent against tampering with the policy, it’s encrypted on first run, changing from an XML file to a .ECF file (encrypted compliance file, told you I loved my acronyms). This prevents the more technically adept users from modifying it.

In addition to this, it’s also possible to log all policy deviations to a SQL database, which can be tracked internally for repeated breaches, and subsequently actioned by IT or HR depending on your policies.

Since this is a standalone application, it can be deployed and rerun with whatever mechanism you want, ie. login script, SCCM, or a simple script that pushes it down to each users workstation and puts a HKLM\Software\Microsoft\Windows\CurrentVersion\Run key in place. Updating the policy is as simple as replacing the .ECF file.

So, I have this pretty much completed, and testing has been going extremely well. I’d like to gauge whether this is of interest to people though, to release and maintain.

Thoughts, questions and feedback would be most welcome!

Last but not least, although this tool has been built from the ground up, it’s been heavily inspired by something that two colleagues of mine in the Netherlands produced a few years ago (Yury Dijkhuizen’s idea which was developed by Erik Zalm), and I owe them both a lot of credit!

Dan

So I finally got time to trim the fat and clean up the code last night and it’s now available on GitHub

It’s been fun working on both EncodeHD and WMA over the past few years and I appreciate all the support they’ve gotten. I’ll try to continue contributing bits and pieces and I’m really hopeful that someone or some people can pick up on both of these projects. If not, then I hope the code helps people better understand both FFmpeg and USMT respectively.

Regarding support for both apps, I’ve been trying to decide how best to handle this. I get dozens of emails a day and, probably to my own downfall, reply to every single one! So, over the next few days I’ll probably get rid of the GetSatisfaction support pages and start only occasionally trawling through support emails.

Update 06/10/2009: I’ve marked myself as inactive in the GetSatisfaction pages and i’ve taken the Feedback tab off this site.

So what’s next? Well, I’ve got an interesting tool in the works for sysadmins. It’s kinda like Win 7’s AppLocker – but retrospective. Rather than whitelisting, it uses a blacklist to remove applications automatically. I’ve sent it out to a few testers and if it proves worthwhile, then maybe it’ll see the light of day. I’m also learning Objective-C, so I’m hoping my next app will be for the Mac

Okay guys, so I’ve made a number of decisions over the past few days based on some great feedback. I’ve decided to open source EncodeHD and the Workstation Migration Assistant. I’ve spent the past few evenings doing some code cleanup on EncodeHD – removing some unnecessary stuff and fixing a nasty bug. I’ve also built the final (well, by me anyway) binary build. So, here it is.

Changelog:

• CHANGE: Removed all update checking code
• CHANGE: Removed About dialog
• CHANGE: Updated FFmpeg to r20060
• CHANGE: Updated MediaInfo to 0.7.22
• FIX: If the input audio was not AAC and the bitrate was too low, encoding would fail (due to an attempted stream copy)

You can download in the EncodeHD section.

I’ve decided to put EncodeHD on GitHub, and you can find all of the source code here.
Please note that the GitHub source doesn’t include any binaries and is only the source code so it won’t run unless you’ve got the rest of the EncodeHD binaries (ie, FFmpeg, MediaInfo etc).

The Workstation Migration Assistant will follow, I still need to do some code cleanup here.

Hope this makes everyone happy

Dan

Mainly a bugfix release just to wrap up a few outstanding issues. Here’s what’s changed:

• NEW: /SOF Parameter. Shut down the machine when finished encoding
• CHANGE: If the audio bitrate is too low on input files with AAC audio, the stream will now be copied instead of re-encoded (to preserve quality)
• CHANGE: AppleTV Profile now forces 25fps in order to meet Apple specs on 720p content
• CHANGE: Output file extension is now lower-case to ensure thumbnail generation
• CHANGE: Removed Donation screen on first start / version upgrade – it’s proven highly ineffective
• CHANGE: Updated FFmpeg to r19974
• FIX: Some more aspect ratio fixes

Download in the EncodeHD section.

In addition, if you haven’t already seen it – please read my previous post and post a comment. The fact that it’s been 2 days and there isn’t yet a single comment makes me wonder why I’m bothering at all. I may be completely misguided but there’s a lot of daily visits and downloads – I had thought there was some sort of community behind these apps?

Dan

It’s been ages since I’ve had the energy to spend quality time on either EncodeHD or the Workstation Migration Assistant. This is partly because I’m so busy with work, that when I get home I don’t actually have the brainpower to do it, and it’s partly because my heart isn’t in it anymore – although that could be systemic of being so busy

So at this point I’m wondering if I should just open-source both apps. This might (hopefully) relieve me of some unwanted extra stress (do you know how many support / feature request emails I reply to a week?!), and also hopefully entice others to pick them up and continue development, or at the very least, tailor to fit their needs.

It might also give me time to work on new projects. I’ve got something in the wings at the moment, something similar to Microsoft’s AppLocker – but haven’t had a chance to finish it. And also, I’d really like to have more time to dig deeper into OSX and iPhone development.

So, what do you guys think? Comments would be most welcome.

Dan