The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


Archive for the ‘Windows’ Category

Use Software Restriction Policies to block viruses and malware | Branko Vucinec

Posted by jpluimers on 2018/06/25

Interesting: [Archive.is] Use Software Restriction Policies to block viruses and malware | Branko Vucinec

via: [WayBack] Ransomware treft Tweede Kamer – Malware versleutelt overheidsbestanden – IT Pro – Nieuws – Tweakers

–jeroen

Posted in Microsoft Surface on Windows 7, Power User, Windows, Windows 10, Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Vista, Windows XP

PowerShell – query reboot/shutdown events

Posted by jpluimers on 2018/06/19

Thanks [WayBack] gbabu for the below PowerShell idea.

As PowerShell command:

Get-EventLog System | Where-Object {$_.EventID -eq "1074" -or $_.EventID -eq "6008" -or $_.EventID -eq "1076"} | ft Machinename, TimeWritten, UserName, EventID, Message -AutoSize -Wrap

Based on it and my own experience, these Event IDs can be interesting:

  • 41 – The system has rebooted without cleanly shutting down first
  • 109 – The kernel power manager has initiated a shutdown transition.
  • 1073 – The attempt by user [domain]\[username] to restart/shutdown computer [computername] failed.
  • 1074 – The process [filename].[extension] has initiated the restart of computer [computername] on behalf of user [domain]\[username] for the
  • 1076 – ???
  • 6008 – The previous system shutdown at [time-in-local-format] on [date-in-local-format] was unexpected.

You can also run this as a batch file, but note that you need to escape the pipe | as ^| like this:

PowerShell Get-EventLog System ^| Where-Object {$_.EventID -eq "1074" -or $_.EventID -eq "6008" -or $_.EventID -eq "1076"} ^| ft Machinename, TimeWritten, UserName, EventID, Message -AutoSize -Wrap

If you have PowerShell 3.0 or greater, then you can use the [Archive.is] -In operator:

PowerShell Get-EventLog System ^| Where-Object {$_.EventID -in "41", "109", "1074", "6008", "1076"} ^| ft Machinename, TimeWritten, UserName, EventID, Message -AutoSize -Wrap
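The same query with Get-WinEvent, which filters inside the event log service instead of piping every System event through Where-Object. This is an added example, not part of the original post; the 30-day window and the property positions used for event 1074 (process first, user seventh) are assumptions to verify on your own systems.

```powershell
# Added example (not from the original post): reboot/shutdown events via Get-WinEvent.
$ids = 41, 109, 1073, 1074, 1076, 6008        # the Event IDs listed above

$filter = @{
    LogName   = 'System'
    Id        = $ids
    StartTime = (Get-Date).AddDays(-30)       # assumption: only look back 30 days
}

# -ErrorAction SilentlyContinue: Get-WinEvent raises an error when nothing matches.
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $process = $null
        $user    = $null

        # Assumption: event 1074 carries the initiating process as its first
        # insertion string and the user as its seventh.
        if ($_.Id -eq 1074 -and $_.Properties.Count -ge 7) {
            $process = $_.Properties[0].Value
            $user    = $_.Properties[6].Value
        }

        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Id          = $_.Id
            Provider    = $_.ProviderName     # shows which source logged the ID
            Process     = $process
            User        = $user
            Message     = ($_.Message -split "`r?`n")[0]   # first line only
        }
    } |
    Sort-Object TimeCreated |
    Format-Table -AutoSize -Wrap
```

An ID 41 or 6008 with no 1074 shortly before it points at a shutdown that no user or process requested.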

–jeroen

Posted in Batch-Files, CommandLine, Development, Power User, PowerShell, PowerShell, Scripting, Software Development, Windows

stascorp/rdpwrap: RDP Wrapper Library – up to 15 RDP sessions on any Windows edition including basic/home/core

Posted by jpluimers on 2018/06/04

RDP Wrapper works as a layer between Service Control Manager and Terminal Services, so the original termsrv.dll file remains untouched. Also this method is very strong against Windows Update.

I’ve tested this on Windows 7 Home Premium and it works fine, see the log below. On Windows 10 Fall Creators Update and up, I had to get the rfxvmt.dll files (in %windir%\System32 and %windir%\SysWOW64) from a Windows Professional system, see Known Issues. You can download them from the repository as well.

  1. Download from github.com/stascorp/rdpwrap/releases
  2. Unzip
  3. Run the install.bat:
C:\Users\jeroenp\Downloads\RDPWrap-v1.6.1>install.bat
RDP Wrapper Library v1.6
Installer v2.3
Copyright (C) Stas'M Corp. 2016

[*] Notice to user:
  - By using all or any portion of this software, you are agreeing
  to be bound by all the terms and conditions of the license agreement.
  - To read the license agreement, run the installer with -l parameter.
  - If you do not agree to any terms of the license agreement,
  do not use the software.
[*] Installing...
[*] Terminal Services version: 6.1.7600.16385
[+] This version of Terminal Services is fully supported.
[+] TermService found (pid 1168).
[*] Shared services found: CryptSvc, Dnscache, LanmanWorkstation, NlaSvc
[*] Extracting files...
[+] Folder created: C:\Program Files\RDP Wrapper\
[*] Downloading latest INI file...
[+] Latest INI file -> C:\Program Files\RDP Wrapper\rdpwrap.ini
[+] Extracted rdpw64 -> C:\Program Files\RDP Wrapper\rdpwrap.dll
[+] Extracted rdpclip6164 -> C:\Windows\System32\rdpclip.exe
[*] Configuring service library...
[*] Checking dependencies...
[*] Checking CertPropSvc...
[*] Checking SessionEnv...
[*] Terminating service...
[*] Starting CryptSvc...
[*] Starting Dnscache...
[*] Starting LanmanWorkstation...
[*] Starting NlaSvc...
[-] StartService error (code 1056).
[*] Starting TermService...
[*] Configuring registry...
[*] Configuring firewall...
OK.

[+] Successfully installed.
______________________________________________________________

You can check RDP functionality with RDPCheck program.
Also you can configure advanced settings with RDPConf program.

Druk op een toets om door te gaan. . .

C:\Users\jeroenp\Downloads\RDPWrap-v1.6.1>rdpcheck

Note that this “error” is normal: [-] StartService error (code 1056). It means the service is already started, see [WayBack] System Error Codes (1000-1299) (Windows):

ERROR_SERVICE_ALREADY_RUNNING

1056 (0x420)
An instance of the service is already running.

–jeroen

Posted in Power User, Remote Desktop Protocol/MSTSC/Terminal Services, Windows

Windows 10 added one more account: WDAGUtilityAccount

Posted by jpluimers on 2018/05/28

As of the Windows 10 Fall Creators Update, the WDAGUtilityAccount was added, so the default accounts on such a machine are these:

  • Administrator
  • DefaultAccount
  • Guest
  • WDAGUtilityAccount

Then there is one account for the user that installed the system (which is named by that user).

Windows Defender Application Guard is the reason for WDAGUtilityAccount as explained here:

–jeroen

Posted in Power User, Windows, Windows 10

Microsoft is gestopt met gratis Windows 10-upgrade via toegankelijkheidspagina – Computer – Nieuws – Tweakers

Posted by jpluimers on 2018/05/21

[WayBack] Microsoft is gestopt met gratis Windows 10-upgrade via toegankelijkheidspagina – Computer – Nieuws – Tweakers

Licenses: Retail, OEM, ODM, VLK.

[WayBack] Activation in Windows 10 – Windows Help

Notes

  • Microsoft doesn’t keep a record of purchased product software keys.
  • For help finding your product key, see Find your Windows product key.
  • If you don’t have a product key, you can purchase a Windows 10 license after installation finishes. Select the Start button > Settings > Update & Security > Activation. Then select Go to Store to go to the Windows Store, where you can purchase a Windows 10 license.

–jeroen

Posted in Power User, Windows, Windows 10

dzComputerInfo: a small tool that shows a window on top of all other windows displaying the computer name and currently logged on user.

Posted by jpluimers on 2018/05/18

Interesting, as bgInfo does not support topmost windows or overlays: it only does the Desktop background, and you need to jump through hoops to recreate the background on each logon:

Enter dzComputerInfo. It’s a small tool that I wrote the evening after the above incident which does exactly one thing: It shows a window on top of all other windows displaying the computer name and currently logged on user. Since the window is so small and it places itself automatically just above the start button, it does not really become a nuisance.

The tool and the source code are available from SourceForge, if anybody else thinks he has a use for it.

The G+ thread also has this interesting comment by Gaurav Kale:

The Classic Shell Start button supports environment variables in its tooltip. So just specify: %username% on %computername% for the Setting called “Button Tooltip”. Then to see the currently logged on user and computer name, you just have to HOVER over the Start button!

–jeroen

Posted in Power User, SysInternals, Windows

When Windows suddenly starts mixing up keys for various applications.

Posted by jpluimers on 2018/05/14

Since:

  • many people use the left Alt key as it is more accessible
  • development tools use a lot of Alt-Shift based keyboard shortcuts
  • Windows by default has the Left Alt+Shift shortcut enabled to switch language+keyboard layout combinations
  • In most countries, Windows by default has more than one language+keyboard combination installed
  • Windows remembers per application instance which language+keyboard combination is used

every now and then you will get strange characters in only your development tools.

You can change this Windows setting, but be aware that every now and then, various Windows versions will re-enable the Left Alt+Shift even if you have previously disabled it. As of Windows 7 this occurs far less often, but still seems to occur.

Source: Question: Does anyone else have instances in the IDE (Berlin but has happened…

Comments at https://plus.google.com/+JeroenPluimers/posts/ektRa2qW92L

 

Posted in internationalization (i18n) and localization (l10n), Keyboards and Keyboard Shortcuts, Power User, Windows

Windows Firewall: Block rules take precedence over Allow rules

Posted by jpluimers on 2018/05/07

Reminder to self for Windows Firewall: Block rules take precedence over Allow rules (see * below, as it is actually even more complex); [WayBack] Firewall Rule Properties Page: General Tab has:

Firewall rules are evaluated in the following order:

  1. Allow if secure with Override block rules selected in the Customize Allow if Secure Settings dialog box.
  2. Block the connection.
  3. Allow the connection.
  4. Default profile behavior (allow or block as specified on the applicable Profile tab of the Windows Firewall with Advanced Security Properties dialog box).

Within each category, rules are evaluated from the most specific to the least specific. A rule that specifies four criteria is selected over a rule that specifies only three criteria.

Which means that this will block TCP port 1024 traffic to bar.exe:

The Block rules are inserted by Windows if you click “Cancel” on a dialog like this (note the lowercase path, despite the application being at C:\Program Files (x86)\Foo\Bar.exe):
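One way to find the Allow rules that such a Block rule silently overrides, as an added example that is not part of the original post. It assumes the NetSecurity cmdlets (Get-NetFirewallRule, Get-NetFirewallApplicationFilter) are available, and it matches on program path and direction only; the Profile columns are shown so you can check whether the two rules apply to the same profile.

```powershell
# Added example (not from the original post).
# Lists enabled Allow rules that share program path and direction with an
# enabled Block rule. Ports and protocols are not compared, because the Block
# category is evaluated before the Allow category, however specific the Allow
# rule is.

function Get-ProgramRule {
    param([Parameter(Mandatory)][ValidateSet('Allow', 'Block')][string] $Action)

    Get-NetFirewallRule -Enabled True -Action $Action | ForEach-Object {
        $rule = $_
        $app  = $rule | Get-NetFirewallApplicationFilter
        if ($app.Program -and $app.Program -ne 'Any') {
            [pscustomobject]@{
                # Expand %ProgramFiles% style variables and lower-case the path,
                # since the automatically created Block rules use a lowercase path.
                Program   = [Environment]::ExpandEnvironmentVariables($app.Program).ToLowerInvariant()
                Direction = $rule.Direction
                Profile   = $rule.Profile
                Name      = $rule.DisplayName
            }
        }
    }
}

$allowRules = @(Get-ProgramRule -Action Allow)

Get-ProgramRule -Action Block | ForEach-Object {
    $block = $_
    $allowRules |
        Where-Object { $_.Program -eq $block.Program -and $_.Direction -eq $block.Direction } |
        ForEach-Object {
            [pscustomobject]@{
                Program      = $block.Program
                Direction    = $block.Direction
                BlockRule    = $block.Name
                BlockProfile = $block.Profile
                AllowRule    = $_.Name
                AllowProfile = $_.Profile
            }
        }
} | Format-Table -AutoSize -Wrap
```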


Posted in Firewall, Infrastructure, Power User, Windows

A while ago, Windows 10 started to pop up an Edge browser window after reboot without an internet connection

Posted by jpluimers on 2018/04/21

Does anyone know how to disable Edge popping up with a failed link www.msftconnecttest.com/redirect on machines blocked by a router?

This happens on the PC running Windows 10 Pro N (winver shows 1709 build 16299.371) that is not allowed to do any internet access.

Related: [WayBack] How to Find Out Which Build and Version of Windows 10 You Have | ilicomm

Later:

This seems to be intended as per these links:

TL;DR:

This can happen on Windows 8 and up when Windows thinks there is a partial network connection and a logon to a proxy or captive portal might solve the problem.

Allowing these in the proxy for port 80 solves the issue:

  • *.msftncsi.com
  • *.msftconnecttest.com

--jeroen

Posted in Captive Portal, Internet, Power User, Windows, Windows 10

Fixing a broken mirrored Intel Matrix RAID-1 machine

Posted by jpluimers on 2018/04/20

A while ago I had an Intel Matrix RAID-1 pair of drives that got broken. One of them turned “red” and – since both drives were only a few serial numbers apart – the other was giving issues the moment I tried fiddling with it.

These actions failed:

  1. Windows image backup – would end up with a “blue” screen indicating Windows 10 had a problem and was trying to collect data
  2. Paragon HDM
    1. Migrating the OS to a brand new RAID-1 set
    2. P2V
  3. Disk2vhd would hang at the 100% completion mark

What had succeeded was a regular Windows backup (a non-image one).

This is what I finally did to get it working again:

  1. Kill disk2vhd after it hung a few hours at the 100% completion mark
  2. Verify with
  3. Mark the VHD file as online using diskpart (first attach the vdisk, select disk, then mark it online)
  4. Verify with chkdsk that the image was in fact without problems
  5. Detach the VHD file using diskpart
  6. Copy the VHD file to a HDD that Paragon HDM would recognise
  7. Use Paragon HDM to perform a V2P copy
    • Paragon expects a .VD file, but if you ask it to use all file types, it does recognise that VHD files contain disk images

–jeroen


Posted in NTFS, Power User, Windows, Windows 10