Note: This blog post is from 2013. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

Those who know the value of common Windows shortcuts, like alt+tab, ctrl+escape, alt+home, etc., will know those work against your local machine, unless you open a maximized remote desktop in which case they then work against the remote machine. And that's great, of course.

But what if you have a remote desktop opened as a window (one of many apps visible on your local desktop)? You may find it frustrating, if you mean to be doing the equivalent of an alt+tab WITHIN the remote desktop, while viewing it as a windowed app. The keys will again work against your local machine, like with any app.

Is there a way to do such common keyboard shortcut actions against the "windowed" remote desktop? Yes there is. I find that relatively few people know about these, and most are delighted to learn of them! :-)

Summary

See below for more discussion on these, but briefly...

Note first that you can use ctrl+alt+break to toggle a Remote Desktop between full-screen and windowed mode. (If that or these don't seem to work, read the paragraph after the list.) That helps make these shortcuts all the more valuable, once you are viewing the "windowed" remote desktop, where you can use:

• alt+pageUp: to switch application windows on the remote (equivalent of alt+tab)
• alt+pageDown: to switch "backward" through applications (equivalent of alt+shift+tab)
• alt+home: to show Windows "start" menu on the remote (equivalent of ctrl+escape)
• alt+shift+home: to show Windows Task Manager on the remote (equivalent of ctrl+shift+escape)
• alt+del: to show Window menu (top left menu) in current app (equivalent of alt+space)
• ctrl+alt+end: to do the equivalent of ctrl+alt+delete on the remote
• ctrl+alt+plus (the + key): to save screenshot of current remote screen to clipboard (equivalent of PrtSc, the "print screen" button)
• ctrl+alt+minus (the - key): to save screenshot of current remote window to clipboard (equivalent of alt+prtSc)
• alt+ins: to cycle through your remote desktop applications, one app at a time (equivalent of alt+escape)

Again, these shortcuts are for using when you are in a *windowed* remote desktop. Beware also that if any don't seem to "work" for you:

• note that on some keyboards (especially more modern laptops), you may need to press a "function" (or "fn") key to execute the equivalent of one of the keys listed here. For instance, the "break" key may require fn+end, which means that first shortcut above can be a cumbersome four-fingered salute: ctrl+alt+fn+break
• As an update in 2021, on my Asus Zenbook laptops, the break key requires fn-b (and I see the same is true for some Dell laptops), so again it's a four-fingered solute: ctrl+alt+fn+b
• similarly, you may find that you have more than one set of the needed keys, such as pgup/pgdn, on your keyboard. One pair may appear on the top right, and another on the lower right, and/or within the numeric keypad. Be sure to try both, before giving up.
• it could be that you don't have the the keyboard "focus" on the windowed remote desktop session. Click within the remote desktop to be sure
• It may be that your keyboard (especially some modern laptops) may have the pageup, pagedn, home, and other keys used here mapped to some other keycode that Remote Desktop doesn't recognize (even though the keys may "work fine" for you for their normal use on your laptop). I have found a solution to that in 2018 and I intend to do a blog post with more on the solution (until then, check out the tool sharpkeys)

For still more detail and discussion on these keyboard shortcuts, read on.

[....Continue Reading....]

Note: This blog post is from 2013. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

There is a new Adobe CF blog entry pointing to the new hotfix, and I point that out rather than the technote for the hotfix itself, because as often is the case, there has been some useful discussion related to applying the fix. Indeed, there's a warning I've shared there about a problem (hopefully temporary) with the hotfix file for users of ColdFusion 9.0.2. (Update: the confusion about 9.0.2 is resolved. The technote has been corrected. See the comments in the Adobe blog entry for more details.)

Users of ColdFusion 10, 9.0.2, 9.0.1, and 9.0 should certainly proceed to implement the fix.

I address several questions and other observations about this hotfix below.

[....Continue Reading....]

Note: This blog post is from 2013. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

At first I was adding these as updates to the previous entry, but I fear that some who may have read it earlier in the day may then miss some of this new info, thus this "Part 2". You will definitely want to read part 1 before proceeding here.

[Update: And since writing this entry 2 weeks ago, Adobe has indeed now come out with a hotfix. I have more to say about that in the new Part 3: Adobe hotfix released for "Serious security threat for #ColdFusion servers". While you should proceed to get that fix in place, you'll likely benefit from reading parts 1, 2, and 3, as there's more discussed than just the thread and fix, itself, which could benefit you down the road.]

Among the new information shared below are such things as how the hack worked (not too much detail, though), how to determine what the exploit may have exposed, how to handle resolving things for many sites via scripting, how to lock down the /adminapi, /administrator, and /componentutils directories, and most important, why you should not skip all this just because "we already block all access to the CFIDE/adminapi" (and /administrator and /componentutils)". There may be exposure you're not considering.

[....Continue Reading....]

Note: This blog post is from 2013. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

And note that it's NOT one that you're protected against by having applied CF security hotfixes. (Updated Jan 15 2013, as Adobe now has a hotfix for this. More below.)

There's quite a bit for you to consider regarding this recent threat, as I discuss here.

[....Continue Reading....]

Note: This blog post is from 2012. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

[....Continue Reading....]

Note: This blog post is from 2012. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

[....Continue Reading....]

Note: This blog post is from 2012. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

That's not really new news, as the same option was offered in CF 6-9. But there are some new things in CF10 to consider about that option, and that's what I'd like to share here.

First, I want to show how if you chose NOT to enable the built-in web server, you CAN enable it after the fact, with just a simple modification to a single xml file (which is a different one in CF10, and I want to show where that is, share some tips on changing it, and point out where to learn more.)

But there are also still more things about the built-in web server that you can control, which you may not readily discern even from the docs, and I provide here additional info with respect to that.

Finally, while in previous releases the built-in web server (which was really the JRun web server) was something generally regarded (even warned in the installer) to be used only for development and testing, the built-in web server in ColdFusion 10 is in fact the Tomcat web server (Coyote), which is a much better web server out of the box, so you may want to consider it even for production.

I realize that last point will be "pushing it" for some. :-) Hey, I'm not saying that you should change anything, just letting you know that some might reconsider things. Hear me out, please. I'm just sharing documented info that might not be so readily found about a relatively new subject for the CF community (so don't shoot the messenger!) I'll point later to other Tomcat references making the same point, such as this 2010 article (no longer available via its original link, http://www.tomcatexpert.com/blog/2010/03/24/myth-or-truth-one-should-always-use-apache-httpd-front-apache-tomcat-improve-perform, but archived here: Myth or truth: One should always use Apache httpd in front of Apache Tomcat to improve performance?.

Background

[....Continue Reading....]

Note: This blog post is from 2012. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

The quick answer is that there's a getInstanceName method in the runtime.cfc of the Admin API. And yes, any user can execute this code. They do not need to BE an admin. You can use this in production code. For more, see below.

If that's enough to get you going, have at it. For more info, read on.

[....Continue Reading....]

Note: This blog post is from 2012. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

But have you ever wondered which jvm.config is used by a given instance? Or perhaps found multiple jvm.configs in your [jrun4]\bin directory and wondered which instance each went with? The answer isn't as straightforward as it may seem, when you're running CF as Windows Services. There's no single CF feature that reports this, but I do offer a solution here.

The simple answer is that one can find the information in the registry. The longer answer, including how to find that, as well as how to get that info more easily from the command line if you may prefer, follows.

[....Continue Reading....]

Note: This blog post is from 2012. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

The common answer offered is that one should use the "system info" page in the CF Admin, and its available "update level" field.

But I will assert that's not the "right answer" after all, or certainly not the "best answer" to really know what hotfixes (plural) have been applied. Know why? If not, I'll explain here, and I'll show what I would say is the "right" answer to "what hotfixes have you applied?"

[....Continue Reading....]