8 May 2022

Was the file downloaded?

If you’re ever tracking down where a suspicious came from, it can be hard to determine if it was downloaded off of the “dirty” internet, or if someone actually created the file locally on the machine. Well if you know how to check the file’s alternative data stream, it actually becomes pretty easy to determine if it was in fact downloaded. You don’t know what the alternate data stream is, or how to check? We can fix that.

First a little background. The “Zone Identifier Alternate Data Stream” is often referred to as the Mark-of-the-Web (MOTW). The MOTW was actually a security feature first introduced by Internet Explorer for determing how to run saved HTML webpages. It has since grown to become implemented into many other file types. Whenever a file is downloaded, your browser implements MOTW by utilizing a feature of the NTFS file system called the alternate data stream (ADS) to associate a data stream to that file. The browser creates an ADS called “Zone.Identifier” and then adds the ZoneId to the stream to specify where the file came from. The ADS will be <file>:Zone.Identifier.

The ZoneId can have the following values:

  • 0. Local Computer
  • 1. Local Intranet
  • 2. Trusted Sites
  • 3. Internet
  • 4. Restricted Sites

Enough of the background… Let us get back to the hands-on part.

To check the files’ ADS & ZoneId from a command prompt, use the following syntax.

notepad file.ext:Zone.Identifier

Alternatively, to check the file with PowerShell, use either of the following cmdlets.

Get-Item .\file.ext -Stream *
Get-Content .\file.ext -Stream Zone.Identifier
2 May 2022

Search GPO Settings

So if you know anything about managing Windows systems then you know about GPOs. In my honest opinion, GPOs are one of the greatest tools available in Windows. GPOs let you administratively manage all aspects of your computers. You can literally set about 99.9999% of any settings you ever wanted to configure on a computer.

One of the things that make GPOs so great is that it is expandable in that you can add new administrative templates as you add new software to your workstations in your domain. So not only can you manage just about any Microsoft or Windows setting, but you can also add in templates for third-party software from most of the big software venders and enterprise applications, as well as add new templates when new Microsoft releases new OSes and software.

The biggest downside of GPOs is that they can feel like a daunting wall when you first get started implementing them simply because there are sooo many settings that you can potentially configure – where to begin!?! And how do you figure out where to set some of those really odd settings. Well don’t worry, I don’t know anyone that remembers exactly where each setting is. For me, there are two resources that I regularly use to help me find the settings that I want to configure.

1 – https://gpsearch.azurewebsites.net/

This is an official Microsoft tool that lets you search all of the various settings that are available to you in all Microsoft products. It’s a great resource to find where things are set just by using a keyword. Think of it as “Bing” (or “Google”) for GPOs. Out of these two links, this site is the easiest to navigate when looking specifically for Microsoft and Windows settings.

2 – https://admx.help/

This site includes all of the Microsoft settings, but where it really shines is all of the third-party software settings it has indexed for you. If need to figure out where to set something in Chrome or Adobe or any other software, this site has you covered.

3 – https://reg2ps.azurewebsites.net/

So this last site is just a bonus as it is not exactly a GPO site, but it comes in handy. It’s a way to convert registry settings into powershell commands that you can run. Paste your reg key into it and it will spit out the corresponding PS command for it.

24 February 2022

Changing Your Password from an RDP Session

So here’s the scenario, you’ve RDP-ed into a server and you want to change your password. You try to hit CRTL+ATL+DEL but instead of it getting sent to the remote computer, it opens on your local machine. Blah! That is not what we want… How do we get to a place where we can change the password for the account that was used in the RDP session?

One way to send it within the RDP session is to launch the on-screen keyboard. To launch it, simply click on the ‘Start Menu’ and type “osk”, then click on the result to open the keyboard. With the OSK on screen, press and hold “CTRL+ALT” on your physical keyboard, and click “DEL” on the virtual keyboard button.

The easiest way to bring up the menu from where you can change your password is to press CRTL+ALT+END in the RDP window. Now if you are RDP-ed from a mac, you’ll need to do a CRTL+ALT+Fn+Backspace or CRTL+ALT+Fn+Right-Arrow to bring up the menu.

5 January 2022

Reset password on locked-out Domain Admin

Sometimes things happen and a password gets forgotten or lost, or in the worst case it wasn’t updated in your password management tool after it was changed. We’ve likely all had to bug another admin to reset our password for one system or another. It happens. But what happens if you are the lone Domain Admin and lock yourself out? Luckily, there is a way to get back in if you do get locked out.

  • Download the Windows Server 2016 ISO.
  • Attach the ISO to your DC virtual machine.
  • Reboot the VM into the ISO
  • Select: Repair your Computer -> Troubleshoot -> Command Prompt
  • At the command prompt, run the following commands:
cd c:\Windows\System32
ren osk.exe osk.old
copy c:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe osk.exe
  • Reboot the Server.
  • Launch the on-screen keyboard and PowerShell will open
  • At the Powershell prompt, run the following command, replacing <PASSWORD> with the password of your choice:
Net user Administrator <PASSWORD>
  • Revert file changes in your System32 folder, renaming ‘osk.old’ back to ‘osk.exe’.

And there you have it folks, you are now able to log back in with your Domain Admin account. This works because while the DC does not have a local Administrator account, it somehow realizes that and resets the Domain Admin. Yes it is a little bit of black magic fuckery in that regard… But it worked and got you back in, so who are we to complain.

30 December 2021

Open and Extract .tar files on Windows

What I’m about to say might be a surprise to you… But you don’t need to install any sort of 3rd party software (like 7zip or WinZip) to extract tarball files on WIndows. Windows 10 actually has the functionality built-in. I know, I was just as surprised to learn about it as you are. From the command line, you can use the “Tar” command to easily extract .tar, .gz, or tar.gz files.


For folks out there that don’t know;

  • A tarball file, ‘.tar’, is just a type of archived file. They are basically, a collection of files that have been merged into one single file.
  • Gzip files, ‘.gz’, are a type of compressed file and it is used to save on the amount of space that a file uses on the hard drive.
  • If you’re following along, then you’ll already have realized that a ‘.tar.gz’ file means that it is just a compressed archive file.

Here’s how to extract your tarball file in Windows 10.

Open the ‘Start Menu’ and search for “cmd”. Right-click on “Command Prompt” and select “Run as administrator“.

Enter the following command inside the window.

tar -xvzf "Path to file" -C "Path to destination"

Example:

tar -xvzf C:\Source\file.tar.gz -C C:\Destination\

This example will extract the contents of the ‘file.tar.gz’ file from the “C:\Source\” folder to the “C:\Destination\” folder. 
Note: Make sure the ‘-C’ parameter before the path to the destination is an uppercase.

The parameters explained:

  • x — instructs tar to extract the archived content.
  • v — verbose mode. This is optional to display the extraction process. Otherwise, you will only see a blinking cursor until the process is complete.
  • z — instructs tar to uncompress the content with gzip.
  • f — provides tar the name of the file you’re about to extract.
  • C — uppercase and with a hypen, this tells tar to change folders to the specified folder

9 June 2021

SCCM Client Actions

If you use SCCM or have ever had to mess with Configuration Manager on a computer that runs Software Center, then you have seen all of the client actions that you can run. That said, like most of us when we started using SCCM or Configuration Manager we knew we had to run some/all of the actions to make the changes we made in SCCM reflect on the computer we were trying to push something to. After a while, you start to realize that you can get by running just one or two actions instead of all of them. But, using myself as an example, aside from knowing you needed to run them you likely didn’t know what they actually did. For me, it was always something that I was going to “Google” later and figure out what they did at some future time. Well, I recently reached that future point-in-time and thought I’d share the collection (SCCM pun intended) of answers that I found. Hopeful what I’ve complied helps out someone else that finally decided to search about it…

  • Application Deployment Evaluation Cycle – This action re-evaluates the requirement rules for all deployments. If an application is required, and not installed when the Application Deployment Evaluation Cycle runs, Configuration Manager automatically triggers a re-install. The Application Deployment Evaluation Cycle only applies to applications and not to the packages. The default value is set to run every 7 days.
  • Branch Distribution Point Maintenance Task – Verifies any pre-staged packages and downloads any that do not exist on the branch distribution point. While Technet does not explicitly state it, I believe this task is useful only on branch distribution points and is ignored on normal clients.
  • Discovery Data Collection Cycle – This causes the client to generate a new discovery data record (DDR). When the DDR is processed by the site server, Discovery Data Manager adds or updates resource information from the DDR in the site database.
  • File Collection Cycle – When a file is specified for collection, the Microsoft System Center Configuration Manager 2007 software inventory agent searches for that file when it runs a software inventory scan on each client in the site. If the software inventory client agent finds a file that should be collected, the file is attached to the inventory file and sent to the site server. This action differs from software inventory in that it actually sends the file to the site server so that it can be later viewed using Resource Explorer. This is a part of SCCM inventory functionality.
  • Hardware Inventory Cycle – Collects information such as available disk space, processor type, and the operating system about each computer. This is a part of SCCM inventory functionality.
  • Machine Policy Retrieval & Evaluation Cycle – The client downloads its policy on a schedule. By default, this value is configured to every 60 minutes and is configured with the option Policy polling interval (minutes). However, there might be occasions when you want to initiate ad-hoc policy retrieval from the client—for example, in a troubleshooting scenario or when testing. This action initiates ad-hoc machine policy retrieval from the client outside its scheduled polling interval.
  • Send Unsent State Messages – This tool sends State Messages that are cached on the ConfigMgr client to the ConfigMgr server.
  • Software Inventory Cycle – Collects software inventory data directly from files (such as .exe files) by inventorying the file header information. Configuration Manager 2007 can also inventory unknown files — files that do not have detailed information in their file headers. This provides a flexible, easy-to-maintain software inventory method. You can also have Configuration Manager 2007 collect copies of files that you specify. Software inventory and collected file information for a client can be viewed using Resource Explorer. This is a part of SCCM inventory functionality.
  • Software Metering Usage Report Cycle – Collects the data that allows you to monitor and client software usage.
  • Software Updates Deployment Evaluation Cycle – Initiates a scan for software updates compliance. Before client computers can scan for software update compliance, the software updates environment must be configured.
  • Software Updates Scan Cycle – Just after a software update installation completes, a scan is initiated to verify that the update is no longer required and to create a new state message that indicates the update has been installed. When the installation has finished but a restart is necessary, the state will indicate that the client computer is pending a restart.
  • State Message Cache Cleanup – This tool clears State Messages that are cached on the ConfigMgr client.
  • User Policy Retrieval & Evaluation Cycle – Similar to Machine Policy Retrieval & Evaluation Cycle, but this action initiates ad-hoc user policy retrieval from the client outside its scheduled polling interval.
  • Windows Installer Source List Update Cycle – Causes the Product Source Update Manager to complete a full update cycle. When you install an application using Windows Installer, those Windows Installer applications try to return to the path they were installed from when they need to install new components, repair the application, or update the application. This location is called the Windows Installer source location. Windows Installer Source Location Manager can automatically search Configuration Manager 2007 distribution points for the source files, even if the application was not originally installed from a distribution point.

For anyone interested, the descriptions above are not my own. I’ve copied them from here and here.

23 April 2021

Cannot open the Outlook window. Invalid XML

Microsoft Outlook has got to be one of the most common business applications that just about everyone uses. So when it fails to open, it can feel like the start of a bad day. One error message that I have encountered a few times now is the “Invalid XML” message when trying to launch Outlook. The most common reason for this error is that the XML file that contains the settings for Outlook’s navigation pane has become corrupted. The navigation pane is the one that is on the left side of Outlook and lets you change between your mailbox, folders, calendar, contacts, tasks, etc.

So how do we fix the error? The first thing to try is to simply reset the navigation pane.

  1. Hit ‘Windows+R‘ on your keyboard to open the ‘Run‘ window.
  2. Type in the following command: Outlook.exe /resetnavpane
  3. Hit the ‘OK‘ button.
  4. Then re-launch Outlook to verify that everything is working.

If the above action did not resolve your Outlook issue, then the next course of action would be to delete the actual XML file and force Outlook to generate a new/fresh file the next time it opens. Here’s how we can do that.

  1. Hit ‘Windows+R‘ on your keyboard to open the ‘Run‘ window.
  2. Type in the following command: %AppData%\Microsoft\Outlook
  3. Hit the ‘OK‘ button.
  4. It will open ‘File Explorer’ and take you to the directory that the XML file resides in. Look for a file named ‘Outlook.xml
  5. Delete the XML file.
  6. Then re-launch Outlook to check that it is working now.

That is how to fix the Outlook ‘Invalid XML’ error. I hope one of these methods worked for you so you can get back to your emails.

1 January 2021

VMware PVSCSI on a new Windows install

If you haven’t already upgraded your Windows servers to Windows 2019, then you will probably be doing so soon enough. That means that it’s time to review the steps you take in building out your virtual machines (VMs). Are you running your VMs from a SAN? Then during this refresh, you should really take the time to consider using the VMware Paravirtual SCSI (PVSCSI) driver.

VMware Paravirtual (PVSCSI) adapters are high-performance storage adapters that can provide greater throughput and lower CPU utilization. They are best suited for environments where hardware or applications drive a very high amount of I/O throughput, such as SAN environments. PVSCSI adapters are not suited for DAS environments.

VMware, https://kb.vmware.com/s/article/1010398

When building new VMs there are four options you can choose from for their SCSI controller. The default LSI Logic SAS driver that is automatically selected for you will work just fine in most environments. That said, when you want to guarantee maximum performance from your VMs you will need to use the PVSCSI. Why wouldn’t you want to allow your VMs their max performance? It’s simple enough to do. Heck, do it and make a “golden image” template so you can easily redeploy it if you don’t want to repeat the steps on each VM everytime. It’s just a couple of clicks now for better performance later. Here we go…

  1. Launch the vSphere Client and log in to an ESXi host or vCenter Server.
  2. Select create a new virtual machine.
  3. In the vSphere Client, right-click on the virtual machine and click Edit Settings.
  4. Click the Hardware tab.
  5. Click Add.
  6. Select Hard Disk.
  7. Click Next.
  8. Choose any one of the available options.
  9. Click Next.
  10. Specify the options you require. Options vary depending on which type of disk you chose.
  11. Choose a Virtual Device Node and specify whether you want to use Independent mode. For data disks, choose a Virtual Device Node between SCSI (1:0)to SCSI (3:15). For a boot disk, choose Virtual Device Node SCSI (0:0) or choose the Virtual Device Node that boots in the order you require.

    Note: To set a disk to use Independent mode there must be no snapshots associated to the virtual disk, if there are existing snapshots commit them before changing the disk type.
     
  12. Click Next.
  13. Click Finish to complete the process and exit the Add Hardware wizard. A new disk and controller are created.
  14. Select the newly created controller and click Change Type.
  15. Click VMware Paravirtual and click OK.
  16. Click OK to exit the Virtual Machine Properties dialog.
  17. Power on the virtual machine.
  18. Install VMware Tools. VMware Tools includes the PVSCSI driver.
  19. If it is a new virtual disk, scan and format the hard disk within the guest operating system.
17 November 2020

SCCM Device Collection from Excel

I got tired of googling this every time I make a new collection, so I figured it was time for my own post. I am now using SCCM for work, so I have had to learn a few new tricks to make life easier. One thing I’m doing often enough is creating a custom device collection of computers. The slow and tedious way to do this is to individually add each machine. Blah! What a waste of time. To make it go as fast as possible, I try to already have an excel list of the machine names I want to add to the collection.

In my excel file, my list of machine names are in column A. I’m going to be using column B for the values I’ll copy into SCCM. The formula that we’ll be using to convert the names into the format that SCCM wants is:

=char(34)&A2&char(34)&","

Lets break that down to see how it will convert the name into a format that can be used..

  • Char(34) is going to give us the quotation marks we want on either side of our computer name.
  • A2, in this instance, is the cell that contains one of my computer names. You will have to adjust this cell reference to fit your excel sheet.
  • At the very end of it, we add a comma.

Once we have that taken care of, we can drag the corner of the cell down to apply that same formula to the rest of our list.

Below is the basic query we will be using and adding our formatted list of names to.

select * from SMS_R_System where SMS_R_System.Name in ( )

The end result, using the example list of computer names above, will look like this. The one thing to note is that you need to remove the very last comma from the list of computer names or you’ll get an error message when you try to save it.

select * from SMS_R_System where SMS_R_System.Name in (
"computer001",
"computer002",
"computer003",
"computer004",
"computer005",
"computer006",
"computer007",
"computer008",
"computer009"
)

That is how you populate a SCCM device collection from an Excel list.

8 May 2020

Export/Import Putty Sessions

If you’re like me you probably use one machine heavily. You have all of the hosts and devices which you connect to regularly, saved in Putty. but what if you want to conveniently share all of those saved settings with a coworker, or back them up so you can restore them in the future to a new PC.

Putty saves all of those ‘saved’ sessions in the Windows registry. While you’re not able to export them directly from Putty, you can use the command line to export either just the sessions, or all settings, from putty.

Note: These instructions only work with the ‘regular’ installed version of Putty on Windows. They will not work with the portable version.

Export

Open a Command Prompt (or PowerShell) as an Administrator.

Export only sessions with this command:

regedit /e "%USERPROFILE%\Desktop\putty-sessions.reg" HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions

Export all settings with this command

regedit /e "%USERPROFILE%\Desktop\putty.reg" HKEY_CURRENT_USER\Software\SimonTatham

This will create a “reg” file on the desktop of the current user. It will not export SSH keys. Do not replace “SimonTathom” with your username, Simon is the author of Putty and that is the name that particular folder inside the registry where the settings are saved.

Import

Copy the reg file to the machine which you want to import the putty settings on.

Double-click on the .reg file and accept the import.