Data Breach Mania

In light of the recent eBay data breach, I decided it was finally time for a password manager.  I typically use a permutation of about 5 different passwords, and sometimes the same password across multiple sites.  I’m already up to 21 accounts on various sites: who can remember them all?  “To the cloud!” you say…well, I don’t trust the cloud.  Given that the Adobe cloud service was down for nearly a day, and I can’t tell what the other guy is doing with my data on the other end, I prefer a more “manual” solution.  Enter: KeePass.  KeePass keeps all of the passwords encrypted in one KDBX file.  No cloud, no man behind the curtain.  KeePass will keep working even if the company goes out of business, and the source code is completely open.

It gets even better, because there’s an Android app that can read and write to KDBX files as well. I have Keepass on an encrypted USB key (Locker+ G2) from Kingston for on-the-go situations and on Google Drive so I can get to it from my phone.  You can copy and paste the passwords from Keepass into your web browser.

– Soli Deo Gloria

Windows 10: Pushy!

I’ve been running build 9926 on my PC for a while now.  I was in the “Fast” ring and was pushed build 10041 through Windows Update.  Rebooted, and the install would not progress past 8%.  It rolled back gracefully to 9926, then I changed the update setting to the Slow ring.  Of course, the SAME build gets pushed to me again.  ARGH!  This time it goes to 5%.  Rollback.  The problem is, of course, that you cannot turn off Windows Update in Windows 10 anymore (probably someone will figure out a way eventually…) and they kept pushing this same build out to me over and over again.  You can suppress the update for 8 hours, but then…BOOM, installing build 10041, fail and rollback again!

Finally, they offered an ISO version of 10041 and I was able to install that just fine…but this does scare me a bit.  I get that an update should not be deferred forever, but only 8 hours?  It should be days, weeks…not hours.

– Soli Deo Gloria

Download Windows 7 and 8.1 from Microsoft

Need to rebuild your PC?  Now you can re-download Windows 7 and 8.1 from Microsoft, provided you have a serial # for them.

Windows 7:

http://www.microsoft.com/en-us/software-recovery

Windows 8.1

http://windows.microsoft.com/en-us/windows-8/create-reset-refresh-media

– Soli Deo Gloria

Windows 10: A Review

So by now you’ve heard the news that Windows 10 will be free for Windows 7 and 8 users for the first year.  I recently took the plunge and updated my work PC from Windows 8 to Windows 10.  The official release is probably about 8 months away, but so far I am liking Windows 10.  It fixes a lot of what is wrong with Windows 8: namely, it brings back the Start menu (thank you Microsoft), gets rid of the charms bar in the corners (thank you Microsoft) and allows Modern apps to be “windowed” on the desktop (thank you Microsoft).

However, all of this stuff should have been in Windows 8 already and yet again we have another Vista on our hands: that is Windows 8.  At least Microsoft saw the error of its ways and corrected the ship instead of sinking it.  Being able to upgrade your OS with Windows Update is totally cool and long overdue!

Pros:

The search bar in the task bar.  If you know what you are looking for, it’s a quick way to have it search the whole C drive and bring it up for you.  Win.

Notifications icon in the taskbar to get to common settings quickly.

Virtual desktops: yes!  One less thing for the Linux boys to rave about.

Cons:

Even though the start menu is back, I miss drilling through a logical folder structure to get to things.  I still find myself making a shortcut to C:\ProgramData\Microsoft\Windows\Start Menu on the desktop to get the “old start menu” structure back.

Appears to be missing Windows Media Center…maybe this will come back in a later build?

Task Manager really needs to be replaced with Process Explorer or beefed up.  It’s essentially a holdover from Windows 8, showing little to no detail on running processes.

– Soli Deo Gloria

Finding Silent Install Secrets

We use a program called Velaro chat.  I contacted the vendor a few years ago asking for a “quiet installer”.  It’s 2015 and you would think that would be standard by now.  They do offer MSI files on the side, but they have issues…particularly with some .NET interop assembly file missing.  What to do?  First, I tried velaro.exe /?.  No dice.  Next, I tried strings.exe from Sysinternals.  This will give us the plain text strings from the installer:

Ah ha!  /silent.  Why didn’t the vendor clue me in on this?  No idea!  Fired this through SCCM and it works like a champ, except it throws exit code 1 for some reason, even though it is properly installed.

Nice installer guys! (NOT!)  I just fire the install and then check the C$ share for the install bits afterwards.  This does save me time remoting in and manually installing the software.
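The strings.exe pass above, automated.  This is an added example, not code from the post or from Sysinternals: it pulls ASCII and UTF-16LE strings out of an installer image (strings.exe scans both by default) and ranks the tokens that look like command-line switches.  SAMPLE_INSTALLER is a constructed stand-in, not velaro.exe, and the switch regex is my own heuristic, so a hit is a lead to confirm on a test machine, not a documented switch.

```python
import re

MIN_LEN = 4  # strings.exe defaults to 3; 4 cuts most of the header noise

# Runs of printable ASCII, and the same runs encoded as UTF-16LE (char, NUL), which
# is what strings.exe scans for in its default ASCII plus Unicode mode.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
# A switch-looking token: '/' or '-' then a letter, not glued to a path, URL or word.
SWITCH = re.compile(r"(?<![\w/\\:])[/-][A-Za-z][\w-]{0,24}")

# Constructed stand-in for an installer (hypothetical, not velaro.exe): header noise,
# a usage string, one UTF-16LE switch, and a URL and a date that must NOT count.
SAMPLE_INSTALLER = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"Usage: setup.exe /silent /log=<file>\x00\x01\x02\x7f\x80\xfe"
    + "/VERYSILENT".encode("utf-16-le") + b"\x00\x00"
    + b"http://vendor.example/download\x00C:\\Program Files\\App\x00"
    + b"12/03/2015\x00\x00" + "Run /SILENT to suppress UI".encode("utf-16-le")
)


def extract_strings(blob):
    """ASCII and UTF-16LE strings in file order, the way strings.exe lists them."""
    hits = [(m.start(), m.group().decode("ascii")) for m in ASCII_RUN.finditer(blob)]
    hits += [(m.start(), m.group().decode("utf-16-le")) for m in UTF16_RUN.finditer(blob)]
    return [s for _, s in sorted(hits)]


def switch_candidates(strs):
    """Switch-looking tokens with counts, most frequent first, case-folded so
    /SILENT and /silent are one entry.  A hit is a lead to confirm on a test box."""
    counts = {}
    for s in strs:
        for tok in SWITCH.findall(s):
            counts[tok.lower()] = counts.get(tok.lower(), 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


if __name__ == "__main__":
    for tok, n in switch_candidates(extract_strings(SAMPLE_INSTALLER)).items():
        print(f"{n:3d}  {tok}")
```

On a real file, replace SAMPLE_INSTALLER with `open(path, "rb").read()`; the URL and the date in the sample show why the lookbehind in SWITCH is there.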

– Soli Deo Gloria

Backing Up Locked Files

One of the challenges of migrating someone from one computer to another is the data they may have on the C: drive, especially those evil PST files.  The major challenge is backing up locked files.  We can get around this by using VSC in Windows.  Starting with Windows XP, VSC, or Volume Shadow Copy, allows Windows to “freeze” the state of the file system in time and then copy files/folders in this frozen state.  We will use the freeware program VSCSC to tap into this power.

First we use Mapper24 to encrypt/hide the credentials for the service account that will connect to our server:

mapper24.exe <some encrypted chars> domain\username \\server\backup

Next, we make a folder with the name of the computer we are running from:

mkdir \\server\backup\%computername%

Then we kick off VSCSC:

vscsc -exec=wkxp2.cmd C:

In wkxp2.cmd, we have this:

REM VSCSC passes the shadow copy device name as %1; give it a drive letter
DOSDEV B: %1
REM Copy from the snapshot (B:), not the live C: volume, so locked files like PSTs are readable
robocopy "B:\documents and settings" \\server\backup\%computername% /B /MIR /R:0 /XF *.ost *.tmp *.bak *.dat *.mp3 /XD "Local Settings" "Temp" "Cookies" "Recent" "Nethood" "Printhood" "SendTo" "Start Menu"
REM Release the drive letter before VSCSC discards the snapshot
DOSDEV /D B:

So here is what we are doing…we are creating a snapshot in time, then we can use any copy program we want to copy files when “time is frozen” within this snapshot.  Once we exit the script, VSCSC exits and the snapshot is gone.  In the above robocopy script: I am telling it to exclude folders like Local Settings since that is where the internet temporary files are stored.  And yes: this will copy ALL user profiles on the computer to the server, not just the one we want, so you will have to pick through the profiles and grab what you want.

We can log in as the new user on the new computer and just drop in the Desktop, Favorites and My Documents folders manually from the server.

Note that vscsc doesn’t seem to work on Windows 7.  For Windows 7 you will need to copy Diskshadow from Server 2008 or 2008 R2, or download it from here: http://jrudd.org/2010/07/using-backuppc-with-diskshadow-to-backup-open-files/.  Copy the contents of the ZIP file to System32, including the en-US folder, or it will not work properly.  The concept is pretty much the same:

# Persistent snapshot so it outlives the "create"; nowriters skips the VSS writers
set context persistent nowriters
set metadata C:\windows\temp\test.cab
set verbose on
begin backup
add volume C: alias C_Drive
create
# Give the snapshot a drive letter so any copy tool can read the frozen files
expose %C_Drive% X:
exec yourbatchfile.cmd
# Clean up: drop the snapshot and release the drive letter
delete shadows volume C:
unexpose X:
end backup

– Soli Deo Gloria

Anti-Malware Tools

It’s been about 5 years since I posted anything about the tools I use to clean off malware.  So, here’s my method:

1. Depending on the type of virus involved: I do a System Restore to a restore point from a time before the infection.

2. Run Hitman Pro.  This uses a combination of Bitdefender and Kaspersky definitions from the cloud.  Note that the free version will not remove the threat if the computer is domain-joined, but it will usually show you where the file or registry entry is and you can remove it with another program manually.

3. Norton Power Eraser.  This is another cloud-based reputation scanner along with the Symantec virus definitions.  You do need to be careful with this one as it has a tendency to flag uncommon/infrequently reported files.

4. AdwCleaner.  Generally finds the same files as Hitman Pro, but is completely free and will offer to clean them without asking for money.  Do note that it has a tendency to just restart Windows for the cleanup without warning you.

5. TDSSKiller.  The “go-to” rootkit remover.

6. Stinger from McAfee.  McAfee AV defs in a standalone program.

7. Sysinternals Suite – Specifically, the tools Process Explorer (with built-in VirusTotal support) and Autoruns can help identify an infection and remove it.

– Soli Deo Gloria

Case of the Unexplained: 2014

Mark Russinovich’s famous “Case of the Unexplained” for 2014 from TechEd Europe 2014: http://channel9.msdn.com/Events/TechEd/Europe/2014/WIN-B410

– Soli Deo Gloria

Migrating from XP to Windows 7 – Inventory What’s There

In the midst of upgrading from Windows XP to Windows 7 on all of our computers, I thought I would share some of the scripts I’m using to make life a little easier.  We currently use local user profiles, printers added manually by hand through a Windows print server, and sometimes statically mapped network drives for users that need to perform cross-duty work in other departments.

Yes, I give you permission to laugh, and yes, I know there are ways of doing these things in an automated and centralized fashion.  Going into the companies we buy, however, I’m seeing even sillier things in their environments.  One was a guy that was using Clonezilla, an external hard drive, a USB stick (at least it wasn’t a CD-ROM) and doing a custom image for each and every model of computer hardware he had.  He had an impressive talent for scripting, however, and I found many clever VBScript snippets all over the network he was firing via the login script to do things automated and in the background.

The below script is quick, dirty and thrown together from many different sources.  It will give you:

All the drives and UNC paths mapped under the logged in user’s profile

All of the printers networked and local under the logged in user’s profile

The default printer of the logged in user

Names of all Outlook profiles of the logged in user (this will error out if this does not exist)

List of unsorted software as given from WMI

Simply call it as the user from the login script or SCCM and dump the file somewhere world-writable.  It will dump the contents in plain text to a file in the format username.computer.txt.

– Soli Deo Gloria

' Inventory the logged-in user's drive maps, printers, Outlook profiles and
' installed software; output goes to \\wksms01\logs\username.computername.txt
On Error Resume Next

Const HKEY_CURRENT_USER = &H80000001
Const r_ProfilesRoot = "Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles"

' Default printer, from WMI
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
 & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colInstalledPrinters = objWMIService.ExecQuery _
 ("Select * from Win32_Printer where Default = True")
For Each objPrinter in colInstalledPrinters
 PrinterDefault = objPrinter.Name
Next

Dim objFileSystem, objOutputFile
Dim strOutputFile

Const OPEN_FILE_FOR_APPENDING = 8

Set objFileSystem = CreateObject("Scripting.FileSystemObject")

' Drive and printer connections of the current user
Set Shell = CreateObject("WScript.Shell")
Set WshNetwork = WScript.CreateObject("WScript.Network")
Set oDrives = WshNetwork.EnumNetworkDrives
Set oPrinters = WshNetwork.EnumPrinterConnections
oUser = WshNetwork.UserName

computername = Shell.ExpandEnvironmentStrings("%computername%")

' One file per user and computer, overwritten on each run
strOutputFile = "\\wksms01\logs\" & oUser & "." & computername & ".txt"
Set objOutputFile = objFileSystem.CreateTextFile(strOutputFile, True)

' EnumNetworkDrives / EnumPrinterConnections return flat lists of pairs:
' Item(i) is the drive letter or port, Item(i+1) the UNC path
objOutputFile.WriteLine("Network drive mappings:")
For i = 0 To oDrives.Count - 1 Step 2
 objOutputFile.WriteLine("Drive " & oDrives.Item(i) & " = " & oDrives.Item(i+1))
Next
objOutputFile.WriteLine("")
objOutputFile.WriteLine("Network printer mappings:")
For i = 0 To oPrinters.Count - 1 Step 2
 objOutputFile.WriteLine("Port " & oPrinters.Item(i) & " = " & oPrinters.Item(i+1))
Next

' Printer name goes inside the parentheses so it is actually written to the file
objOutputFile.WriteLine("Default Printer: " & PrinterDefault)

' Outlook profiles are the subkeys under the Windows Messaging Subsystem key;
' if Outlook was never set up, EnumKey fails and On Error Resume Next skips the loop
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
 strComputer & "\root\default:StdRegProv")

oReg.EnumKey HKEY_CURRENT_USER, r_ProfilesRoot, subKeys

objOutputFile.WriteLine(" ")
objOutputFile.WriteLine("Outlook Profiles: ")

For Each profileName In subKeys
 objOutputFile.WriteLine(profileName)
Next

' Installed software from Win32_Product (MSI-installed products only; slow, since
' enumerating this class makes Windows Installer re-validate every product)
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colSoftware = objWMIService.ExecQuery("Select * from Win32_Product")

objOutputFile.WriteLine(" ")
objOutputFile.WriteLine("Installed Software: ")

For Each objSoftware in colSoftware
 objOutputFile.WriteLine objSoftware.Caption & ", " & objSoftware.InstallDate & ", " & objSoftware.InstallDate2
Next

objOutputFile.Close

Set objFileSystem = Nothing
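Once a batch of these username.computer.txt dumps has landed on the share, something has to read them.  This is an added example, not part of the post: a parser for the script’s exact output format, fed a constructed sample dump (hypothetical hosts and user), which also lists the servers every mapped drive and printer depends on, i.e. what the new PC must still be able to reach.

```python
# Section headers the inventory script writes, mapped to keys in the parsed result.
SECTIONS = {"Network drive mappings": "drives", "Network printer mappings": "printers",
            "Outlook Profiles": "outlook_profiles", "Installed Software": "software"}

# Constructed sample in the script's exact output format (hypothetical hosts and user).
SAMPLE_DUMP = r"""Network drive mappings:
Drive H: = \\fs01\home\jdoe
Drive S: = \\fs01\shared

Network printer mappings:
Port LPT1: = \\print01\HP4250
Port \\print01\Canon = \\print01\Canon
Default Printer: \\print01\HP4250

Outlook Profiles:
Outlook

Installed Software:
Velaro Chat, 20150312,
"""

def parse_inventory(text):
    """Return drives {letter: unc}, printers {unc: port}, default_printer, outlook_profiles, software."""
    inv = {"drives": {}, "printers": {}, "default_printer": "",
           "outlook_profiles": [], "software": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                                   # the script writes " " spacer lines
            continue
        if line.startswith("Default Printer:"):        # written outside any section
            inv["default_printer"] = line[len("Default Printer:"):].strip()
        elif line.endswith(":") and line[:-1] in SECTIONS:
            section = SECTIONS[line[:-1]]
        elif section == "drives":                      # "Drive H: = \\server\share"
            letter, _, unc = line[len("Drive "):].partition(" = ")
            inv["drives"][letter] = unc
        elif section == "printers":                    # "Port <port> = <unc>"
            port, _, unc = line[len("Port "):].partition(" = ")
            inv["printers"][unc] = port
        elif section == "outlook_profiles":
            inv["outlook_profiles"].append(line)
        elif section == "software":                    # "Caption, InstallDate, InstallDate2"
            parts = [p.strip() for p in line.rsplit(",", 2)]  # captions may contain commas
            inv["software"].append((parts[0], parts[1] if len(parts) > 1 else ""))
    return inv

def servers_referenced(inv):
    """Hosts behind every UNC path in the dump: what the new PC must still reach."""
    paths = list(inv["drives"].values()) + list(inv["printers"]) + [inv["default_printer"]]
    return {p[2:].split("\\")[0].lower() for p in paths if p.startswith("\\\\")}
```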

AutoAdministrator: A Nifty Free Remote Management Tool

This tip comes from the website 4sysops.com.  There is a program called AutoAdministrator that used to be payware, but is now freeware.  This program allows you to drill into your Active Directory structure and check off a bunch of computers for an action.  What can you do?

  • Password updates
  • Remote shutdown / reboot
  • Services maintenance
  • Registry maintenance
  • Network ping
  • Remote file management
  • Remote file information
  • Logged on user information
  • Execute processes locally or remotely
  • WMI queries
  • ODBC maintenance

I used it to select all the computers in an OU and then look at the logged in user to see if the computer description matched up.  I was also able to remotely execute programs against multiple computers which is very cool!

– Soli Deo Gloria