Moving the Offline Folder Cache in Windows 7, Windows 8 and Windows 8.1

WARNING:  This post involves playing around with your operating system’s registry.  You use this information at your own risk.  For other warnings, please see the disclaimer.

I’m a big fan of Windows’ offline folder caching and have used it on my laptops for over a decade.  One thing I don’t like about it, however, is how difficult Microsoft has made it for the cache to be moved out of the Windows folder.  (By default, it’s found at \Windows\CSC).

WARNING:  If this isn’t a FRESH installation of Windows, make sure you have synchronized your offline files.  This procedure will ERASE ALL EXISTING OFFLINE FILES AND FOLDERS!!!

In order to move the cache, follow these steps:

1. Clear the content of your existing cache
Yeah, you have to do this.  And, it’s not a very obvious procedure.  You end up creating a registry key that resets the cache at startup and then deletes itself.  Here’s the command to create the registry key (you can do this at a command prompt):

REG ADD “HKLM\System\CurrentControlSet\Services\CSC\Parameters” /v FormatDatabase /t REG_DWORD /d 1 /f

Once you’ve done this, reboot.

2. Create the folder in the location where you’d like to have your cache
I always like to keep my data separate from my OS by storing it on a different drive (or, at the very least, a different partition).  For this example, I’m using the path X:\Data\Cache

3. Create a new registry value
Open Registry Editor and browse to:


This is the same key we modified before.  Notice how there’s no “FormatDatabase” value even though we added it prior to the last reboot.

Right-click on Parameters, hover on New and select String Value:

String Value Key Menu

Name the new string value “CacheLocation”:


Double-click on CacheLocation and input the path to the new cache location and then click “OK”:

Edit String

Notice the “\??\” in the value.  This is an NT Object Path used by the OS to reference the local path.  (If it was “\??\UNC\, it would be referencing a network path.)  You must use this format.

You’ll see the value populated now in your registry editor:

CacheLocation Populated

4. Reboot
 Once the OS is back up, it should be using the new location.  You can test this by opening the new folder and you should see a folder in there called “v.2.0.6”.  You should get a permission error if you try to open that folder.

I hope you find this useful!  If you see anything wrong, please let me know.

Exporting an SSL Certificate in Windows

Sometimes it’s useful to be able to get a certificate being used on one server and move it to the other server without having to go through the whole enrollment process.  In Windows, SSL certificates can be exported to a file so that you can then import it somewhere else.  While there are a lot of considerations and restrictions on how you would use this exported certificate, I’m simply going to look at how to perform the export.

1. Open Internet Information Services (IIS) Manager and select the server

IIS - Select Server

 2. Double-click on the “Server Certificates” icon in the Features View of the server

IIS - Select Server Certificates

3. In the “Server Certificates” pane, select the certificate you wish to export and click on “Export…” in the “Actions” pane

Select Cert and Export2

4. In the “Export Certificates” window, fill in the required information and click “OK”

Export Certificate

You must assign a password in order to export the certificate.  Make sure you record this somewhere because there is no way to recover the password if you lose it.

Exporting an SSL certificate from Windows is a pretty easy task.  I hope this has been useful information.  Please let me know what you think!

Installing an Intermediate CA Certificate in Windows

When downloading an SSL certificate from a Certificate Authority (CA) , the CA will generally include a separate Intermediate CA certificate which also needs to be installed on the server.

Installing the certificate is pretty straightforward, except that Windows does not include a Certificates console in the Administrative Tools folder.  So, you’ll have to create that one yourself.

1. Right-click on the Windows icon and select “Run”

    Start Menu

2. In the “Run” box, type “mmc” and hit <ENTER>


3. When the MMC console is up, hit <CTRL>+M and the Add Snap-Ins window appears


4. In the left pane of the “Add or Remove Snap-ins” Window, select “Certificates”, and click on “Add”

Add or Remove Snap-ins 1


5. In the “Certificates Snap-In” window,  select “Computer Account” and then click “Next”

Select Computer Account

5. In the “Select Computer” window, accept the default “Local computer: (the computer this console is running on)” and click “Finish”.

Select Computer

6. Back in the “Add or Remove Snap-ins” window, click “OK”.

Add or Remove Snap-ins 2

7. Expand the “Certificates” node, right-lick on “Intermediate Certification Authorities” node, hover on “All Tasks” in the context menu and then select “Import…”

All Tasks and Import

 8. Click on “Next” on the welcome screen for the Certificate Import Wizard

Welcome Cert Imp Wiz

9. Browse to the file provided by your CA and click “Next”

File to Import10.  In the “Certificate Store” window, select “Place all certificates in the following store”, browse to the “Intermediate Certification Authorities” store and click “Next”

Certificate Store

11. The “Completing the Certificate Import Wizard” window appears giving you a summary of the operation

Completing the Cert Imp Wiz

12. You should see a window saying the import was successful

Import Successful

That’s it!  The certificate is now installed in your Windows server.  This is the procedure you follow for installing certificates in Windows, regardless of where you get them.

I hope this has helped someone out there!  As always, your feedback is welcome.



Installing an SSL Certificate in Windows

SSL is the protocol used to secure connections to web servers by encrypting the session so prying eyes can’t see what’s going on between the client and the server.  I need to install an SSL certificate for a web site on one of my servers, so I’m going to document the process here in case someone else could use the information.

Generally speaking, installing an SSL certificate is a pretty straightforward procedure:

1. Generate a certificate request from the device on which you wish to use SSL
2. Submit the request to a Certificate Authority
3. Retrieve the completed certificate from the CA
4. Install the certificate on the device along with CA certificates
5. Configure the device to use the certificate for SSL

I will be doing this on a Windows Server 2012 R2 server using the Default Web Site as an example.

Generating the Certificate Request:

1. Open Internet Information Services (IIS) Manager and select the server

IIS - Select Server

 2. Double-click on the “Server Certificates” icon in the Features View of the server

IIS - Select Server Certificates

3. In the “Actions” pane, click the “Create Certificate Request…” link

Server Certificates

4. In the “Distinguished Name Properties” window, fill in the required information and click “Next”.

Distinguished Name Properties

The fields here need to be filled out accordingly:

Common name: This is the fully-qualified domain name (FQDN) for the website.  For example, if your website is, this is what you put in this field.  Do not include the “http://” or “https://” prefixes in your common name.

Organization: This is the legally registered name of your organization.  The organaztion must be the legal registrant of the domain name in the certificate request. If you’re a sole proprietor, put your name in this field.

Organizational Unit: This is the internal department within the organization that is responsible for the maintenance of the certificate and/or site.   If you’re a sole proprietor, enter your DBA (doing business as) name in this field.

City/Locality: This is the city in which your organization is located.  This needs to be spelled out; do not abbreviate.

State/Province: This is the state/province/region/territory in which your organization is registered.  This needs to be spelled out; do not abbreviate.

Country Code: This the country in which your organization is registered.  Unlike the City/Locality and State/Province fields, you will abbreviate the country using the two-letter International Organization for Standardization (ISO) format country code.

5. In the “Cryptographic Service Provider Properties” window, select the appropriate bit length and select “Next”

Cryptographic Service Provider Properties

The bit length requirement is set by the Certificate Authority from who you are requesting the certificate.  For most providers, the required length is 2,048 bits.

6. In the “File Name” window, browse to where you’d like to store the request file and give it a name.  Click “Finish”.

File Name

The file you save here is what you’ll submit to the CA when you submit your request.

Submitting the Request to a Certificate Authority:

Each Certificate Authority will have its own procedure for submitting the certificate request.  You’ll either upload the file or submit it by opening it in a text editor and copying/pasting the contents into a form on the CA’s site.

The contents of the file will look something like this:


When cutting and pasting this information into the CA’s website form, make sure you copy everything including the ” —–BEGIN NEW CERTIFICATE REQUEST—–” and “—–END NEW CERTIFICATE REQUEST—–” lines.

Retrieving the Certificate from the Certificate Authority:

The CA will process your request and issue your certificate after completing a few administrative procedures.  The CA will keep you informed of what’s going on and will let you know when the process is complete.

Once the certificate is ready, you’ll download a file from your CA which will contain your certificate along with one or more other certificates that identify the CA and establishes the identity chain required to validate your certificate when others connect to your web site.

Installing the Certificate:

There are two steps in installing the certificate from the CA.  The first step is to install the Intermediate CA Certificate on the server.

Once that’s completed, you’ll install the SSL certificate on the web server.

1. Open Internet Information Services (IIS) Manager and select the server

IIS - Select Server

2. Double-click on the “Server Certificates” icon in the Features View of the server

IIS - Select Server Certificates

3. In the “Actions” pane, click the “Complete Certificate Request…” link

Select Complete Req

4. In the “Specify Certificate Authority Response” window, browse to the file you downloaded from the CA, assign the certificate a Friendly Name and click “OK”

Specify Certificate Authority Repsonse

The friendly name is not actually part of the certificate; it’s simply a way for you to give the certificate a name so that it is easily identifiable when you attempt to use it later.

Keep the certificate store set to “Personal”.

You should now see the certificate listed in your IIS Manager.

Configuring the Web Site for SSL

Now that the certificates are installed, it’s time to finally get SSL running on the web site.

1. In your IIS Manager, select the web site which will use SSL

IIS - Default Web Site

In my example, I’m just using the Default Web Site.

2. In the “Actions” pane, select “Bindings..”

Select Bindings...

3. In the “Site Bindings” window, click on “Add…”

Site Bindings

4. In the “Add Site Binding” window, complete the fields and click “OK”

Add Site Binding

Type: This must be set to “https”
IP address: Select the IP address to use for the site
Host name:  Leave this blank
SSL certificate:  Use the drop-down to select the certificate

5. Double-click on “SSL Settings” in your web site’s Features View pane

SSL Settings Select

6. In the “SSL Settings” pane, put a check in the “Require SSL” box and then click on “Apply” in the “Actions” pane

Require SSL and Apply

You’ll see a message that says “The changes have been successfully saved”.

Your site now uses SSL!

I hope this has been useful for you.  Your feedback is always welcome!

Installing OpenSSL in Windows 8.1

Windows doesn’t have a good tool for manipulating SSL certificates.  So, if you want to do anything serious with SSL, you need to grab yourself a copy of OpenSSL.  I’m installing the Windows x64 version of OpenSSL provided by Shining Light Productions.

First, you’ll need to download and install the Microsoft Visual C++ 2008 Redistributable Package (x64) from Microsoft.  Just accept all of the defaults for the installation.  (If you’re running a 32-bit version of Windows, you’ll need to install 32-bit versions of everything.  This example is for 64-bit.)

Once you have that installed, download the latest “Light” version of OpenSSL.  If you’re not developing software, you don’t need the full versions; the “Light” version is intended for end-users.

Accept the defaults for the installation until you come to the “Select Destination Location” window.  Figure out where you want OpenSSL to be installed.  I like to keep everything in my Program Files directory, so that’s where I’m putting mine:


I don’t worry too much about Start Menu locations, but the “Select Additional Tasks” window is important:

DLL Location

Wherever you put the DLLs is up to you, but I put them in their own directory rather than the System directory.  It just makes more sense to me.

Once you complete the installation wizard, you’ll end up at the following window:


Whether you donate or not is up to you, of course.  You can simply clear the check box and hit “Finish” and the software will work fine.  I’d like to encourage you to make a donation, though.  Everyone thinks open source software is “free”.  In actuality, it’s extremely expensive in time and resources and if you benefit from its use, please support the developers by donating when you can.

The last thing to do is to modify the Path system variable so you can launch the OpenSSH shell from anywhere at a command prompt:

1. Right-click the Windows icon and select “System”

Start Menu

2. Select “Advanced System Settings”


3. On the “Advanced” tab, click the “Environment Vairables…” button


4. Find the “Path” variable in the “System variables” selection window and click on “Edit…”

Find Path

You’ll have a “Edit System Variable” dialogue box appear.  Append “;C:\Program Files\OpenSSL-Win64\bin” to the end of the path information and click “OK”.  Notice there is a semi-colon at the start of the string.  This is a delimiter which tells Windows that this location is a separate location and not part of the path immediately before it.

Edit System Variable

Click “OK” a few times and you’re done.

Once you’ve completed the installation and path configuration, you can launch OpenSSL from a command prompt window:


For more information about how to use OpenSSL’s commands and syntax, refer to the official documentation.

I hope this helps someone and saves some time.  If you see anything wrong, please let me know.

Installing and Configuring an SSL Certificate on Cisco 3000 Series VPN Concentrator

Some of the equipment on our network is a bit dated as we have some customers who still rely on those services for their day-to-day operations.  One of the oldest pieces of equipment we have is a Cisco 3030 VPN Concentrator.

Generally speaking, installing an SSL certificate is a pretty straightforward procedure.  Unfortunately, this is a bit of a challenge on the Cisco VPN Concentrator due to its age and lack of support for more current certificate file formats.  When following the normal enrollment procedure within the concentrator’s UI, one receives the following error:

ErrorSo, in order to keep the concentrator’s SSL certificate current, a workaround will have to be performed.  To do this, you’ll need access to a computer with Internet Information Services (IIS)and OpenSSL.

The certificate itself is going to be created and installed on a Windows server via IIS using the VPN concentrator’s information.

Next, export the certificate, ensuring you’ve recorded the password assigned to the exported certificate.  At this point, you have a certificate in PKCS#12 format which is not supported by the VPN concentrator as it requires a certificate in PKCS#8 format.

To convert the certificate from one format to the other, we’ll use OpenSSL.  What’s interesting here is that you can’t just convert from PKCS#12 to PKCS#8.  Instead, you have to convert from PKCS#12 to PEM and then from PEM to PKCS#8.

NOTE: Make sure you launch the command prompt as Administrator or you might get “unable to write ‘random state'” errors.

So, converting the file to PEM:

Convert 12 to PEM2

pkcs12 is the OpenSSL command that indicates we’re working with a PKCS#12 format file
-in is the parameter that indicates the next input is the name of the file to be reformatted
D:\Temp\ExportCert.pfx is the path and filename of the file to be reformatted
-out is the parameter that indicates the next input is the name of the reformatted file
D:\Temp\ExportCert.pem is the path and filename of the reformatted file

You can see that I was prompted for the password of the exported certificate file.  Once that was supplied and verified, OpenSSL prompted me for a passphrase for the reformatted file.  I just used the same password I had used before to keep things simple.

Now, we’re going to convert from PEM to PKCS#8.  The commands are almost identical as the ones we used for converting to PEM from PKCS#12:

Convert PEM to 8

Hopefully, the syntax here is rather obvious with the only differences being the use of “pkcs8” rather than “pkcs12” as the OpenSSL command.  Also, you’ll see the -topk8 switch which tells OpenSSL the incoming private key is to be converted to the PKCS#8 format.

If you look at the contents of the .pk8 file, you’ll see something like this:

<A whole lot of random-looking characters>

Create a new text document in your favorite text editor and copy and paste the contents of the .pk8 file into it.

Once you’ve done that, open the .pem file you created when converting from .pfx and you should see a section that has the certificate you were issued by the CA:

<A whole lot of random-looking characters>

Cut and paste this section into your new text document immediately following the private key contents from the .pk8 file.  It should look like this:

<A whole lot of random-looking characters>
<A whole lot of random-looking characters>

Save this file so you don’t lose what you’ve accomplished so far.

The next step is to install the certificate bundle you received from the CA which contains the Intermediate and Root CA certificates.  This should be okay to install straight into the concentrator via the UI.

Go to Administration > Certificate Management > Installation and choose “Install CA Certificate” and upload the file from the CA.  I’ve been able to do this without any problems.

Next, go to Administration > Certificate Management and look for the “SSL Certificates” section.  You should have three interfaces listed there:  Private, Public and External.  You’ll want to perform this operation on each of the interfaces:

1. Click on “Import”
2. Select “Cut & Paste Text”
3. Copy and paste the contents of the text file which contains the private key and certificate
4. Type in the password for the private key
5. Click on “Install”

That’s it!  Hopefully, this will save you a bunch of time and some heartache.  I know this problem has frustrated me for quite some time.

Let me know what you think!

Scheduling a Task in Windows 8.1

Backing up your data is the single most important thing you can do to maintain your mental and emotional health as a computer user.  As an IT professional, I stress again and again to my customers that their backups must be a top priority and they must also be frequently tested to ensure they are working properly and consistently.

Of course, this means my own data is vulnerable as I almost never backup my own stuff.

I’m trying to mend my ways and backup the things I find most useful and I do have some pretty spiffy backup software that I use to take image snapshots of my drives.  However, I also want some simple backup jobs that just grab a file here and there so I don’t have to go and muck around with scheduling an entire recovery task.

I’ve created a couple of small batch files that grab some data here and there for my most often-used applications and I scheduled those tasks to run at midnight every night.  If you’ve never scheduled a task in Windows, it’s pretty straightforward.


1. Open your Control Panel
In Windows 8.1, you can just right-click on the Windows icon in the lower left corner of the screen and select “Control Panel”.

Start Menu 8.1

Control Panel

2. Select “Schedule Tasks” from the Control Panel
You’ll find this by selecting “System and Security” and looking under the “Administrative Tools” heading.

CP Schedule Tasks

3. In the Task Scheduler interface, select “Create Basic Task” and go through the wizard.
I’ve highlighted it below with a red box.

Create Basic Task Select

Give your task a name.  The description is optional.

Task Name

You have a lot of options for scheduling the task to run.  Feel free to play around with those.  I’m scheduling mine to run daily at midnight, so I’ll keep the default of “Daily”.

Task Trigger

Set your start day and start time and recurrence.  The only time you have to worry about the time zone synchronization is if your computer might be in different time zones as you travel.

Daily Trigger

The next window is a bit frustrating as Microsoft has deprecated two of the options available for scheduled tasks.  This means that those features will be unavailable in a future (probably the next) version of Windows.  So, if you need to automatically send an email or display a message, you’ll want to use PowerShell.  In my case, I don’t need those features, so I’ll keep “Start a program” selected and just click “Next”.

Start a Program

Now, browse to the script you’d like to execute on this schedule and then click “Next”.  (If you have command line arguments or options, you’ll want to specify those in the “Add arguments (optional):” field.)

Select Program

Review the task information and click “Finish”.


4. Check to make sure the task is active

Once you click “Finish”, you’ll find yourself back at the Task Scheduler interface.  Look under “Active Tasks” and make sure the task you’ve just created appears there.  If so, you’re good to go!

Check Active Task

I hope this helps someone and saves some time.  If you see anything wrong, please let me know.

Accessing Another Windows Computer’s Registry from a Disk in Windows 8.1

WARNING:  This post involves playing around with your operating system’s registry.  You use this information at your own risk.  For other warnings, please see the disclaimer.

Recently, I had to recover some data from another computer which had crashed and the only thing I had left was its hard drive.

While this is a fairly common occurrence, what made this unusual for me was some of the information I needed was in that computer’s registry.

While I’m familiar with access the local machine’s registry as well as a remote machine’s registry, I wasn’t familiar with accessing the registry files directly from a disk.  Here’s how you do it:

1. Open your Registry Editor
Click your Windows icon, type “regedit” and select regedit.exe from the list of apps.

2. Select the desired registry hive
There are several different hives which are stored on disk for your operating system.  To see the file locations for the hives, you can go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\hivelist.  To save you the trip, here they are:

HKEY_LOCAL_MACHINE\SYSTEM:  %windir%\system32\config\SYSTEM
HKEY_LOCAL_MACHINE\SAM:  %windir%\system32\config\SAM

You can also find the Default User registry hive in the same directory:

HKEY_USERS\.DEFAULT:  %windir%\system32\config\DEFAULT

For Windows Vista or later, If you want to find specific users, go to the \Users folder on the root of the drive (assuming you have the old “C:” drive or boot drive) and look for NTUSER.DAT in the root of the user profile directory.  For Windows XP and earlier, you’ll find the profiles under \Documents and Settings.

3. Load the desired registry hive
It doesn’t really matter what hive you want to look at; the process works the same for any.  In this case, I want to look at the old machine’s SOFTWARE hive, so select HKEY_LOCAL_MACHINE.


Now, click on the File menu and select “Load Hive…”.


Browse to file location on the hard drive and select the hive which you wish to load.


The hive you’re loading is going to show up as a registry key in Registry Editor.  Click “Open”, and give the new key a name.


You’ll see that the new registry key appears under HKEY_LOCAL_MACHINE.


4. Unload the hive once you’re done
Once you’ve found the information you need, make sure you get rid of this key you’ve created.  It most likely won’t harm anything if you forget (after all, nothing in the OS is going to look for information there), but better safe than sorry.  You can’t just delete the key (you’ll get an error).  Instead, you have to unload the hive.  Just select the key, go to the File menu and select “Unload Hive…” and you’re done.



I hope this helps someone and saves some time.  If you see anything wrong, please let me know.

The Affordable Care Act – Easy, Affordable Healthcare that is Difficult and Expensive, Part Four

“But the plans were on display…”
“On display? I eventually had to go down to the cellar to find them.”
“That’s the display department.”
“With a flashlight.”
“Ah, well, the lights had probably gone.”
“So had the stairs.”
“But look, you found the notice, didn’t you?”
“Yes,” said Arthur, “yes I did. It was on display in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying ‘Beware of the Leopard’.”   – Douglas Adams

To my surprise, I found out my kids had married each other last week.  For some reason, this caused our application to be held up by the state.  Fortunately, we got that resolved, which allowed us to move on to:

Step Nine – Find Out You’re Not Your Daughter’s Father
My ex-wife was unfaithful several times.  However, I’ve never really questioned the parentage of my children.  There are just too many family resemblances.  So, you can imagine my shock when I called back (at this point, just assume I called the insurance company who then placed me on hold while they waited on hold for the state.  Each day I do this takes up 3-4 hours.) and found out that our application had been kicked up to the same mystery department because there was a problem with the information on it.  Fortunately, I found The Competent Employee at the state who actually was able to pull the information and do something about it.  I know what you’re thinking.  Yes, there is a competent employee who works in the state health care system.  Anyway, we found out that my step-son was actually my daughter’s father.

Me:  “Excuse me?”
Rep:  “It says here that he is her father.  That’s why it got held up.”
Me:  “Seriously, do you know how hard it is to be a 16 year old single father trying hard to raise your 16 year old daughter by yourself?  They should receive special consideration for that.  They shouldn’t be punished because of a tragic accident involving a condom and a time machine.*”

The rep got that fixed, so we just had to wait for the application to go through.

Step Ten – Discover Your Step-Son Makes More Money Than You
You’ll never guess, but when I called back, our application was once again in the PWAGTD (Place Where Applications Go To Die) Department.  This time, it was because my step-son made too much money for us to qualify for insurance.  Not bad for an unemployed 16 year old high school student.

Step Eleven – Really Get Approved… Sort of
It finally happened!  Our application was completed and approved!  The only problem now was the start date was a month later than it should have been!

Step Twelve – Give Up On Getting the Correct Start Date
When we started this process, we were within the deadline to have our insurance begin February 1st.  Of course, by the time we got done with this, we were past that deadline and our insurance was set to begin on March 1st.  I went back to the state and started the process of getting the starting date back-dated so anything that happened in February would be covered.  We had a couple of doctor’s visits during February, but nothing major (thank the Lord!) so it ended up not being a big deal.  I just gave up and let the insurance begin on March 1st.

There you have it, folks.  And some people said government healthcare was a bad idea.

*I shamelessly stole that line from The Hitchhiker’s Guide to the Galaxy by Douglas Adams