Monday, January 28, 2013

Add a GUI to Server Core 2012 and Overcoming Error: 0x800f0906

When Microsoft released server 2012 they included a very welcome new feature that allows you to install and remove the GUI on Windows Server core. There are a couple different levels, essentially one with the desktop experience and one without. While it seems this should be a straightforward process, it turned out more complicated than one would expect; here's how to do the install and work around those issues:

Note: You may see both Install-WindowsFeature and Uninstall-WindowsFeature referenced elsewhere; as Add-WindowsFeature and Remove-WindowsFeature. There is no difference; the later two are aliases for the first two.

Adding the GUI

At the most basic level, you need the following command to add the GUI on server core Install-WindowsFeature Server-Gui-Shell, Server-Gui-Mgmt-Infra . Unfortunately, this doesn't take into account the fact that the binaries we want aren't included on server core. (we'll get into this a bit more under removal) To re-mediate this, insert the Server2012 installation media or an equivalent source and modify the command with the -source parameter accordingly.


Install-WindowsFeature -source:D:\sources\sxs\ Server-Gui-Shell, Server-Gui-Mgmt-Infra
after completion:

shutdown /r /t 0

This will work if you are NOT using a WSUS server, which I suspect alot of you are. More on that below. This install may take awhile, so be patient.

Removing the GUI


Uninstall-WindowsFeature -remove Server-Gui-Shell, Server-Gui-Mgmt-Infra
after completion:

shutdown /r /t 0

By using the -remove switch you will delete the binaries rather than just deactivate them.

Troubleshooting/Dealing with WSUS

So this procedure is not without its flaws. Unfortunately if your server is pointed to a WSUS server you'll have problems. Note that this is a different issue than the one experienced with using Server 2012 against a WSUS 3.0 server; in this case we're using a new WSUS 2012 server. The error you'll see will be 0x800f0906, which has to do with getting updates for the binaries. It seems there is an issue retrieving those binaries when pointed to said WSUS server. The entries in the %SystemRoot%\windowsupdate.log file look like this:

Not Connected to WSUS/ Successful Update:

2013-01-23    12:17:45:088     748    7bc    Agent    *************
2013-01-23    12:17:45:088     748    7bc    Agent    ** START **  Agent: Finding updates [CallerId = TrustedInstaller FOD]
2013-01-23    12:17:45:088     748    7bc    Agent    *********
2013-01-23    12:17:45:088     748    7bc    Agent      * Include potentially superseded updates
2013-01-23    12:17:45:088     748    7bc    Agent      * Online = Yes; Ignore download priority = No
2013-01-23    12:17:45:088     748    7bc    Agent      * Criteria = "CategoryIDs contains '75f164f7-89ef-4f1c-add4-c5404c8c117f' and UpdateID='20b172e5-d0aa-4721-8186-debafe5dc89f'"
2013-01-23    12:17:45:088     748    7bc    Agent      * ServiceID = {00000000-0000-0000-0000-000000000000} Third party service
2013-01-23    12:17:45:088     748    7bc    Agent      * Search Scope = {Machine}
2013-01-23    12:17:45:088     748    7bc    Agent      * Caller SID for Applicability: S-1-5-18
2013-01-23    12:17:45:541     748    7bc    Misc    Validating signature for C:\Windows\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\
2013-01-23    12:17:46:088     748    7bc    Misc     Microsoft signed: Yes
2013-01-23    12:17:46:088     748    7bc    Misc     Infrastructure signed: Yes
2013-01-23    12:17:46:103     748    7bc    EP    Got 9482F4B4-E343-43B6-B170-9A65BC822C77 redir Client/Server URL: ""
2013-01-23    12:17:46:463     748    7bc    PT    +++++++++++  PT: Starting category scan  +++++++++++
2013-01-23    12:17:46:463     748    7bc    PT      + ServiceId = {9482F4B4-E343-43B6-B170-9A65BC822C77}, Server URL =
2013-01-23    12:17:47:954     748    7bc    PT    +++++++++++  PT: Synchronizing server updates  +++++++++++
2013-01-23    12:17:47:954     748    7bc    PT      + ServiceId = {9482F4B4-E343-43B6-B170-9A65BC822C77}, Server URL =
2013-01-23    12:17:49:032     748    7bc    Agent      * Added update {20B172E5-D0AA-4721-8186-DEBAFE5DC89F}.200 to search result
2013-01-23    12:17:49:032     748    7bc    Agent      * Found 1 updates and 4 categories in search; evaluated appl. rules of 163 out of 309 deployed entities
2013-01-23    12:17:49:063     748    7bc    Agent    *********
2013-01-23    12:17:49:063     748    7bc    Agent    **  END  **  Agent: Finding updates [CallerId = TrustedInstaller FOD]
2013-01-23    12:17:49:063     748    7bc    Agent    *************

Connected to WSUS/ Failed Update:

2013-01-25    00:02:42:866     756    6d8    Agent    *************
2013-01-25    00:02:42:866     756    6d8    Agent    ** START **  Agent: Finding updates [CallerId = TrustedInstaller FOD]
2013-01-25    00:02:42:866     756    6d8    Agent    *********
2013-01-25    00:02:42:866     756    6d8    Agent      * Include potentially superseded updates
2013-01-25    00:02:42:866     756    6d8    Agent      * Online = Yes; Ignore download priority = No
2013-01-25    00:02:42:866     756    6d8    Agent      * Criteria = "CategoryIDs contains '75f164f7-89ef-4f1c-add4-c5404c8c117f' and UpdateID='337d9460-e236-40a9-91f3-a6831e113867'"
2013-01-25    00:02:42:866     756    6d8    Agent      * ServiceID = {00000000-0000-0000-0000-000000000000} Third party service
2013-01-25    00:02:42:866     756    6d8    Agent      * Search Scope = {Machine}
2013-01-25    00:02:42:866     756    6d8    Agent      * Caller SID for Applicability: S-1-5-18
2013-01-25    00:02:42:866     756    6d8    EP    Got WSUS Client/Server URL: "https://wsus.internal.lan:8531/ClientWebService/client.asmx"
2013-01-25    00:02:42:882     756    6d8    PT    +++++++++++  PT: Starting category scan  +++++++++++
2013-01-25    00:02:42:882     756    6d8    PT      + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = https://wsus.internal.lan:8531/ClientWebService/client.asmx
2013-01-25    00:02:42:913     756    74c    AU    Triggering Offline detection (non-interactive)
2013-01-25    00:02:42:913     756    6d8    Agent      * Found 0 updates and 0 categories in search; evaluated appl. rules of 0 out of 0 deployed entities
2013-01-25    00:02:42:913     756    6d8    Agent    *********
2013-01-25    00:02:42:913     756    6d8    Agent    **  END  **  Agent: Finding updates [CallerId = TrustedInstaller FOD]
2013-01-25    00:02:42:913     756    6d8    Agent    *************

Note that no updates were found.

Work Around: 

We're going to use group policy to work around this issue. Assuming you have access to do so or can convince those responsible to do so, perform the following: (note that the GPO containing the setting below cannot be overridden by a higher level GPO or this will not work)

You have two options, enable an alternative install location as outlined in this article from Microsoft, or temporarily override the WSUS setting by doing the following:

  1. Without binding it anywhere, create a new group policy object called Computer_Settings_WSUS_Disable or something similar that adheres to your naming standards.
  2. Navigate to the "Scope" tab on that group policy object and remove the "Authenticated Users" principal under "Security Filtering"
  3. Click "Add..." and add the computer object in question. You'll have to change the object types to include computers. 
  4. Right click the GPO object and select "GPO Status->User Configuration Settings Disabled". 
  5. Edit the GPO and set the setting "Computer Configuration->Policies->Administrative Templates->Windows Components->Windows Update" and change "Specify intranet Microsoft update service location" to "Disabled". This will revert it to Microsoft.
  6. Right click on the OU you would like to bind it to and click "Link an existing GPO..." and select your newly created GPO.
  7. Do a gpupdate /force on your target server and execute the command again. No reboot should be necessary. 

After completing the update feel free to un-link or delete the GPO object.

Hopefully that gets you GUI-ing. Here are some additional links below for more reading if you desire. Feel free to leave questions in the comments!

Microsoft Ask the Directory Services Team: "Windows Server 2012 Shell game"

How-To Geek: Turn the GUI off and On in Windows Server 2012

Yung Chou: Windows Server 2012 Installation Options

Jason Yoder: Error when moving from Core to full GUI in Server 2012

Friday, January 18, 2013

HOWTO Connect Powershell to SQL Server

In this article I'll be walking you through using Powershell to connect to SQL database. The objective is to be as straightforward as possible while providing context the whole way. Remember that lines marked with # are comments. Some of these will get long because we're trying to provide in-line context.


  • Powershell 2.0 or higher
  • Connecting to a MS SQL server; for other connection strings see the excellent
  • Appropriate access to the SQL DB in question with your currently logged on account
  • Guts. 

Forward (or, WTH are we doing?!)

We'll be using two different objects for this operation: System.Data.SQLClient.SQLConnection and System.Data.SQLClient.SQLCommand. The first is a connection object that allows you to attach to the DB, and the second is a command object that allows you to specify and submit your command. Both these objects are part of the .NET framework, so they should be present on any machine that can run Powershell. Avoid using Microsoft.SqlServer.Management.Smo.Server unless you need to (and you'll know it) because it requires the SQL tools to be installed. 

In this first example, we'll be doing a query and returning the results. I won't be covering specifying UserID and PW in this because that relies on 1> SQL authentication and 2> Stores UserID and PW in the script. Bad idea. 

Setting the Stage

Let's first declare some of our variables to keep things clean down the line.

 #Declare our SQL server name; Make sure to use Server\Instance for instances, or Server:Port if you're on an instance and don't have the access to the SQL Browser service (UDP 1434). Also, try to use the FQDN because it's good practice and will insure NETBIOS issues won't trip you up.  
 #Provide the database name, i.e. "Northwind"  
Now let's get to the meat; create objects, define properties, and open the connection. Here are reference links for the concepts in this section, followed by the comments and code:

ConnectionString Property
 #Create the SQL Connection Object  
 $SQLConn=New-Object System.Data.SQLClient.SQLConnection  
 #Create the SQL Command Ojbect (otherwise all we can do is admire our connection)  
 $SQLCmd=New-Object System.Data.SQLClient.SQLCommand  
 #Set our connection string property on the SQL Connection Object and tell it to use integrated auth, hopefully kerberos  
 $SQLConn.ConnectionString="Server=$SQLServer;Database=$SQLDBName;Integrated Security=SSPI"  
 #Open the connection  
Now we'll define the query and execute. 

Devguru t-sql reference
 #Define our Command with a parameter (we will cover this below)  
 $SQLCmd.CommandText="SELECT [FOO],[BAR] FROM [dbo].[table] WHERE [COLUMN] = @smalls"  
 #Provide the open connection to the Command Object as a property  
 #Set the WHERE clause in a variable to be referenced in the parameter (See section below)
 #Prepare parameters  
 #Execute this thing  
 #Init arrays to handle multiple returns
 #Parse it out  
 while ($SQLReturn.Read())  
 #Clean it up  

Bonus Section: Avoiding SQL Injection

Note the lines $SQLCmd.CommandText="SELECT [FOO],[BAR] FROM [dbo].[table] WHERE [COLUMN] = @smalls", $WhereClause="smalls" & $SQLcmd.Parameters.Add("@smalls",$WhereClause). By using @ to set that value to a parameter we can later associate the parameter to the variable which will sanitize the input if it is provided by an external data source. (Prompt, file, etc.) This will protect from SQL injections; if we had used standard variable in the first place you could inject an inline SQL statement. By adding it as a parameter SQL will essentially treat it as a string. Thanks to my buddy Austin Peters for the education on this. :)

Closing Thoughts:

  • You can have multiple SQL connections open at once. When you do so, name your object variables in a way that you can keep track of the DB that variable represents
  • To do something other than a query (INSERT, etc.) set the SQLCmd.CommandText appropriately and change the statement SQLcmd.ExecuteReader to SQLcmd.ExecuteNonQuery. 
For more information, see this post by Don Jones. 

Thursday, January 10, 2013

Quick Hyper-V VM Templates

Here's a quick guide on how to clone Server 2012 machines in Hyper-V:


  • You've decided on a standard for you VM folder structure. I won't go into detail in the steps, but if you haven't I'll make a recommendation here. This is how I do it: 
    • {Drive}:\VM\VMName\Virtual Hard Disks
    • {Drive}:\VM\VMName\Virtual Machines
  • You know the basics of VM creation, etc. Perhaps I'll cover that stuff in another article. :)
  • You're making a template server 2012, which comes with sysprep. If you're doing another MSFT OS, you should DL and leave sysprep on the image before you shut it down. If it's Linux don't worry about it.

Make the Template

Note: Do not take any snapshots of the template machine because our simple copy method won't work with snaps. If you must have them, you'll need to use the Hyper-V export functionality.
  1. Setup a new Hyper-V VM from scratch. The defaults on hardware allocation should be fine unless you're templating an older OS that uses a SMP or Uni processor kernel; in that case give it one or multiple CPUs as you desire. Set the boot disk size to your standard size now and keep it thin provisioned. (you can expand after building if needed) I recommend 60GB or more for newer versions of Windows server. After a couple years that SXS folder will get pretty big.  
  2. When naming the machine, pick something meaningful like "_Template_Server_Datacenter_2012_NoGUI" or "ZZZ_Template_CentOS_6_3" or "_Template_OS/2_3_0_Warp_with_emulated_MCA"
  3. After doing basic setup, patch the machine up as much as possible.
  4. If you want to install/configure anything else on this template so that it will be present on any machine, do so now.
  5. (Windows Only)Navigate to the sysprep folder. (c:\windows\system32\sysprep on 2012) and execute sysprep.exe
  6. (Windows Only)On the sysprep screen, select "Enter System Out-of-Box Experience (OOBE)" (that's a mouthful) and check "Generalize" then change the "Shutdown Options" to "Shutdown" and click "OK". Sysprep will do the work and then shut down the server.

  7. Document the admin password & shut it down. 

How to Use the Template

  1. Make a new folder for your VM per your standards.(named appropriately, etc.)
  2. Copy the vhdx (or vhd) to your new folder. 
  3. In the HyperV manager create a new VM (named the same as you did in step 1) and spec the hardware appropriately but stop when you get to the disk. 

  4. Specify the disk you just copied over from the template and finish the wizard.
  5. Fire up the new VM
  6. (Windows Only) Complete the "OOBE" including entering a product key and a new admin password.
You did it! Depending on how often you use the template it will eventually make sense to fire up the template as a vm, customize it, patch it, and re-sysprep it. Note that according to this, the SID is generated upon reboot, so this template should provide a unique SID every time. 

Tuesday, January 8, 2013

Just take my monies! How to fix "Something happened and your purchase can't be completed" In Windows 8

I'm trying to buy an app in the Windows store on Windows 8 and I'm greeted with this message:

Amazing. It's like a riddle. Here's how to fix it:
  1. In the Metro(oops!) interface, open up the charms bar and select "Settings->Change PC Settings"
  2. Select "Users"; your account should be referenced on the right pane. 
  3. (Variable) Most folks will need to click "Switch to a local account", but if you, like me, are on a domain account that is linked to your MSFT ID, you will need to click "Disconnect from your Microsoft account". 
  4. Log out, then back on. 
  5. Buy something from the Windows Store. You should be prompted for your ID and it *should* (see below if not) work. 
  6. You can now re-link your account by navigating to "Settings->Change PC Settings->Users" and linking your account under your username on the top right plane.  You'll be prompted for your e-mail, password, and which settings you would like to sync during the process.

If this didn't work for you like it didn't for me (why'd I write it then!?!) you may need to look deeper. In my case it turned out being the fault of a toxic combination of Displaylink software and Nvidia drivers. While the Displaylink folks noted fixes in their latest driver release I wonder if it didn't also have something to do with the fact that the NV drivers aren't all signed properly. To help determine your problem, try the following: 
  1. Re-create the issue by trying to purchase your app again. 
  2. Bring up the charms bar and hit the "Start" charm to bring up the Met..Modern UI interface.
  3. Start typing "reliability" and click "Settings" then select "View reliability history". 
  4. Look for a report from the time frame in which you re-created the problem. In my case, I had issues from "Credential Manager UI Host" and "CredentialUIBroker.exe"
  5. "Right click crash report->View Technical Details". 
  6. Look for "Faulting module path". In my case it was nvwgf2umx.dll, provided by nVidia. Taking a look at that DLL, I noted it wasn't signed correctly. 

This (and procmon, but that's an article for a different day) is what led me down the track of investigating the graphics drivers. Odd when graphics drivers can be the cause of your inability to buy something from the Windows store. Hopefully in the future MSFT builds a DRM/ID testing path tool that can be used to improve this troubleshooting routine. 

Postscript: While the fix in my case was more on the Displaylink software side, I found it interesting that the newest nVidia drivers still aren't signed right. The signing cert traces back up through the "Microsoft Digital Media Authority 2005" CA which hasn't been valid for quite some time. Two driver revs ago, however, the signing was done correctly. Someone's dev box @ NV needs attention. :) Update 4/21/2014: NVidia contacted me regarding this issue we determined that the "Microsoft Digital Media Authority 2005" certificate is actually "baked into" Vista and higher operating systems. This seems a relatively well hidden fact, but it was revealed in this paper by Symantec. Interesting to say the least... anyhow their cert still has a potential revocation issue and they are working to resolve it.

If this still doesn't work, take a look @ the Windows store logs @ %USERPROFILE%\AppData\Local\Temp\winstore.log and %windir%\temp\winstore.log . Good luck!

Thursday, January 3, 2013

Setup and Tweak Your New Asus RT-AC66U or N66U Router! (partially OT)

Asus has been doing an increasingly impressive job in the "home" WiFi router market. With impressive performance approaching enterprise class routing capability and second-to-none Wifi performance, (for an unmanaged single unit) they're hard to beat for the enthusiast market. By using something like TomatoUSB firmware you can get many enterprise-class features. While I may write an article in the future on Tomato or DD-WRT tweaking, I'm going to go through the setup here using the new "Merlin" firmware. Eric Sauvageau, the author of the modified firmware, states of this:

"The primary goals of this project are to fix bugs, add a few basic features and tweaks to the original firmware. This firmware will try to remain as close as possible to the original firmware."

Sounds good to me. I've spent alot of time with Tomato and DD-WRT on my home network, and a change of pace might be nice. Also, you get the piece of mind that you're using mainly the manufacturers' code on this newer hardware.

Note: Some ideas covered in this article may apply to other consumer or enterprise level hardware.

  • You have purchased either a RT-AC66U or RT-N66U (Update 7/6/13: RT-AC56U now supported asw well)
  • You have backed up, memorized, or otherwise, your old router settings
  • You're comfortable with the basics; I'm not going to re-cover the manual 
  • You have power and an internet connection. Setup will be easier and more reliable if you also have a house or apartment, which you should be inside of during this tutorial. 
Let's get to work:
  1. Connect the router as described in the manual. If you have a DHCP server (other than the one on the router from your ISP) you'll either need to temporarily disable it or ensure it's assigning the 192.168.1.x range excluding .1.
  2. Perform the initial "Quick Internet Setup" wizard
  3. After/if it prompts you to update firmware, go ahead and do so.
  4. If desired, (and some of my steps will assume this is done) download the "Merlin" firmware from here. In the interface click "Administration->Firmware Upgrade" and specify the path to the trx file. 
  5. Now that we've upgraded, let's highlight important setup steps. I'm not going to cover the specifics of your environment, just things I recommend you pay attention to. First, navigate to "Wireless->WPS"  and set it to "OFF". Most implementations of WPS are NOT secure at all. For more information, see: This episode of the wonderful Security Now! podcast or this lifehacker article. There are many ways to get a complex WiFi key to nearly any device securely.
  6. Navigate to "Wireless->Professional" and check the "Tx Power adjustment" and reduce it if possible. (Some experimentation required) Make sure you use the dropdown and do both 2.4ghz and 5ghz. Lowering your broadcast power will slightly shorten the range so you aren't broadcasting to your neighbors (polite) and may lengthen your hardware life. (See effect @ "Tools->Radios Temperature")
  7. If you disabled the DHCP server, make sure you go to "LAN->DHCP Server->Log DHCP Queries" and hit "Disable".
  8. To log stats, insert a USB thumb drive. It can be tiny and slow if you want. Navigate to "System Log->General Log" hit "Refresh". Copy the contents down and search them for the mount messages. In my case, the only message was "Jan  3 18:47:16 hotplug[1032]: USB vfat fs at /dev/sda mounted on /tmp/mnt/1GB", and that corresponds to @ /mnt/1GB for short since /mnt is a symlink to /tmp/mnt. Write this down. 
  9. Navigate to "Tools->Other Settings" and set "Traffic history location" to "Custom location".
  10. Set "Save history location" to the value you wrote down in step 8, select "Create or reset data files" (if this is the first time you have done this on this disk) and hit "Apply". 
  11. (Added 1/12/13) Unless you're using STP with your other switches, etc. navigate to  "Lan->Switch Control" and set "Spanning-Tree Protocol" to "Off".  Cool that it supports STP though! (Update 10/11/2013: There has been some confusion on this, so to simplify: If you have more than one switch not including this Asus router, leave STP enabled. Otherwise, disable it. If you would like to better understand see this.)
  12. (Added 1/20/13) If you aren't using IPv6 (yet), navigate to "IPv6"->"Auto Configuration Setting"->"Enable Router Advertisement" and set it to "Disable"
  13. (Added 1/20/13) Let's disable some other services that most people won't need. Unless you're using this router as a filesharing and/or DLNA device, do the following: Navigate to "USB Application"->"Media Server"->"Enable DLNA Media Server" and set it to "Off".
  14. (Continued from #13) Navigate to "USB Application"->"Network Place/Samba Share"->"Disable Share" and click "OK" to confirm disabling the service.
  15. (Continued from #13) Navigate to "USB Application"->"Miscellaneous Setting" and turn off "Force as Master Browser" and "Set as WINS Server" and click "Apply". 
  16. (Added 2/4/2013) Recommended: Though I haven't tested (update 6/7, it's fine as of now, so if you need UPnP go ahead) to see if this firmware is impacted by the recent discovery that a substantial number of firmwares expose UPnP to the external interface of the router(!!) I still recommend turning it of if it's feasible. This means you'll have to forward ports manually, but if you're reading this I suspect you know how to do so anyhow. (If not, comment as such and perhaps I'll write an article about it) To disable the UPnP service navigate to "Advanced Settings->WAN->Internet Connection->Basic Config->Enable UPnP" and set it to "No" Update 5/27/2013:  How to forward ports: 
    1. To forward ports, first determine what ports your service/application uses. While a search for "(Service) forward ports" generally returns the  ports needed for that service, you can also use something like to look it up. Note that the port spaces of TCP and UDP protocols are separate, so make sure you get the protocol right and know that the port numbers can overlap. There are some pre-baked shortcuts in the Merlin/Asus firmware on the port forwarding page (listed in the next step) that will populate the ports for you; it may be worth checking those out to save some time.
    2. After you determine your ports, open the manage interface of your Asus router and navigate to "Wan->Virtual Server/Port Forwarding"
    3. Ensure "Enable Port Forwarding" is set to "Yes". 
    4. Under "Port forwarding List" type the name of your application under "Service Name". This entry is cosmetic only and serves to identify this forward. 
    5. Under "Port Range" enter the port(s) needed for this application. To open a range, separate the lowest port and the top port with a ":". For example, to open up ports 80 through 90 you would put "80:90". You can also put non-joining port ranges on the same rule by adding more ports after a comma. For example, to open ports 80 and 90, you would put "80,90".
    6. On "Local IP" put the IP address of the machine hosting the service you would like to expose to the internet. If you don't know this address and you're (as default) using the DHCP server on the router you can find the address by going to the DHCP management on your router. 
    7. On "Local Port" you generally want to put exactly what you put under "Port Range". The exception to this rule would be if you want to expose an internal port as a different port externally. 
    8. Under "Protocol" select the proper protocol; TCP, UDP, or Both. Again, note that selecting "Both" would result in both sets of ports being opened. 
    9. Click the plus icon "Add/Delete" and then click "Apply" at the bottom. Note that if your IP address changes then you'll need to update the rule. 

  17. (Added 7/20/2013,Critical) A vulnerability has been discovered with the AICloud software. There is an official firmware that has been released that is reported but not confirmed to fix the problem, but that includes a very poor wifi driver so I would not recommend its use unless you have no 5ghz WiFi clients. The Merlin 372_30_2 build does not address this problem because Eric based it on a pre-release 372 version that didn't yet include the fix. (Confusing versioning by Asus..) If you don't run that new stock FW make sure you disable the AICloud! (AICloud->Smart Disk/Cloud Access) Update 7/24/13: There is a Merlin build that addresses this issue now available. See below for links.  Update 2/18/14: There have been stories about either this exploit and/or a potentially newly found exploit involving FTP and the AI cloud feature. I think the best advice at this time is from Eric (the author of the firmware).  The point: Because it is uncertain if this is entirely based on the old vulnerability, disable these features until the full nature of the exploit is disclosed and confirmed fixed.   Update 3/16/14: This should be fixed with the newest build (374.40) but frankly I would still leave them off.
  18. (Added 11/3/2013) If you notice that your WiFi continues to loose connectivity and you need to reboot the router to fix it, try naming your 2.4Ghz and 5Ghz radios differently. I've noticed that some dual band devices (the iPad specifically) will bounce between frequency spectra and this will cause the Asus to become confused and stop relaying requests to the DHCP server correctly. To do so go to Wireless->General and dropdown between "2.4Ghz" and "5Ghz", ensuring they have different SSIDs so that your devices will target one of the two explicitly.
If I find any other important info I'll add it. Enjoy!

Note 1: If you enable "Tools->Other Settings->Enable advanced (per IP) monitoring" it will disable hardware acceleration. While you most likely won't notice this unless you've got an internet connection approaching 100Mbit, be aware that you may loose some performance for that functionality.

Note 2: Check out "USB Application-> 3G/4G"... very interesting stuff.

Note 3: I'm investigating an issue that results in WiFi being unable to communicate with the LAN ports. It manifests itself in the log as: Jan 11 17:05:23 kernel: eth1: received packet with  own address as source address . I'll post updates on this later.

Update 2/2/2013: Merlin posted a new beta build. DiscussionChangelog .

Update 2/23/2013: More new builds & bugs fixed! Release Thread and changelog.

Update 3/16/2013: Another new build! Release Thread, Changelog

Update 3/29/2013: Eric just uploaded a new beta build based on a beta release from Asus. A couple exciting changes here including new wireless driver and tools. Note that you'll need to re-add you WoL clients (if you had any) because Asus added a new WoL tool. Also, note this warning from Eric:
"New wireless driver. This new driver brings quite a few improvements over the older one. Note that if you experience any issue with this new driver, it is strongly recommended to revert back to factory defaults, and re-configuring your router. There are a few low-level changes, and some new default values that you won't pick up until you revert back to factory defaults.Release Thread, Changelog, Download

Update 4/4/2013: It looks like some folks are having issues on the new build with the 5Ghz radio. There is quite a lively discussion going on and Eric has answered quite a few questions.

Update 7/6/2013: A new build has been released that introduces support for the RT-AC56U! Release ThreadChangelog, Download

Update 7/24/2013: Another new build, ( this time fixing the AI Cloud security issue and introducing the Yandex DNS filtering service. Be wary though that Yandex is in Russia, so if you use this feature (off by default) it may noticeably slow internet browsing since it redirects all your DNS queries. Release Thread, Changelog, Download.

Update 10/3/2013: Eric has been hard at work on a new build( based on a new source that includes fixes to general performance, parental controls, and more. Note this warning from Merlin: 

Due to the SDK change on the RT-N66U, you *MUST* revert back to factory default and manually reconfigure your router if coming from an older firmware! The only exception is if you were previously running either the Pixie Dust release (, or a previous beta of (except for the -sdk5 Beta, of course).

Asus also recommends doing the same for the other models, however feel free to try without doing so. It might work fine for most people, but be prepared to do a factory default reset + reconfiguration if you run into any odd issues.

And by "manually reconfigure", I really mean it. Reloading saved settings would totally nullify the action of resetting to factory defaults, since you will just end back to where you started, with all the same (possibly invalid) settings.

Release Thread, Changelog, Download.

Update 12/14/2013: New build! ( GPL 374.339 (Time machine support for some models), Asus' OpenVPN implementation. (Note this is a total overhaul), Namecheap DDNS, and more.  Release Thread(With Changelog), Download.

Update 1/22/2014: New build! ( GPL 374.2078, major driver/SDK changes. RT-N16 is not supported by this build. This is SDK6 only. In short, if you have issues with this build, particularily with wi-fi performance, fall back to an earlier build. That said, the feedback in the forum regarding this build has been great thus far. Note: in most situations, Eric does recommend resetting to factory defaults & manually re-configuring. Release Thread With Changelog, Download

Update 2/16/2014: New build, out for a bit. ( Dumps SDK5 and adds a new parental control option to use DNS services to block category based URLs as well as bug fixes. Release Thread, Changelog, Download

Update 3/16/2014: New build: 374.40. Not stable for the RT-AC68U but fixes the RT-N16. DNSFilter enhanced along with IPv6 fixes. This build should also address the highly publicized security issues from last month, but I would still recommend highly against enabling FTP, "Cloud AI", or any other outward facing services on principal. Release Thread, Changelog, Download.

Update 6/6/2014: New build: 374.43. Another new release from Eric today, mostly bugfixes. One feature added; the ability to force a DDNS refresh after a configurable number of days. Release Thread, Changelog, Download. Also, SmallNetBuilder forum member "000111" (7?) had the great idea to start a donation thread for Eric. If you appreciate his efforts it's worth considering heading over to this thread and throwing him a few bucks for the effort.

Update 11/7/2014: New build: 376.48_1. Merge with Asus code, Samba upgraded to 3.6.24, Miniupnpd to 1.9, Dropbear to 2014.66, OpenSSL 1.0.0o, SNMP enhanced, RT-AC68P support. Release Thread, Changelog ,Download. Also, Eric (Merlin) warns of a but that causes wifi issues. Quoting him: "Note: Previous firmwares (both Asuswrt-Merlin and stock Asus) suffered from a bug where some nvram settings might end up being corrupted, which can lead to the loss of the 2.4 or 5 GHz settings on the webui with newer firmwares. To fix the issue, either do a factory default reset, or run the following commands over SSH:

nvram set wl0_band=2
nvram set wl1_band=1
nvram commit

The actual bug was fixed both on my end and by Asus a few releases ago, however the corrupted setting will cause issues starting with newer firmware versions if not corrected.

Update 8/292015: There have been several new builds, the last of which was great, but this update is to address how to perform source based routing with Merlin/Busybox:

In my case I've got two different internet connections and I want to selectively route different machines through different internet gateways. To accomplish routing traffic based on the source, we'll use the ip rule and ip route commands.  First, make the rule:

ip rule add from [IP]/[CIDR] table [NAME]

where [IP] is the from addr or range, [CIDR] is the applicable CIDR bitmask, and [NAME] is a unique integer to call the route, i.e.

ip rule add from table 10

then the custom route:

ip route add default via [Gateway IP] table [NAME] dev [ADAPTER]

where [Gateway IP] is the IP of the desired gateway, [NAME] is the same integer as referenced above, and [ADAPTER] is the NIC to which the rule applies, i.e.

ip route add default via table 10 dev eth0

You can re-use the route for multiple rules if desired. To make these rules persistent you'll need to use user scripts.I use services-start with a 10 second sleep in the beginning. Have fun!