[WayBack] Use the System File Checker tool to repair missing or corrupted system files:
Archive for the ‘Windows 8’ Category
Use the System File Checker tool to repair missing or corrupted system files
Posted by jpluimers on 2021/09/30
Posted in Development, Power User, Software Development, Windows, Windows 10, Windows 7, Windows 8, Windows 8.1, Windows Development | Leave a Comment »
Digging Through Event Log Hell (finding user logon & logoff) – Ars Technica OpenForum
Posted by jpluimers on 2021/08/31
This helped me big time finding failed logon attempts: [WayBack] Event Log Hell (finding user logon & logoff) – Ars Technica OpenForum
Alternatively, you can use the XPath query mechanism included in the Windows 7 event viewer. In the event viewer, select “Filter Current Log…”, choose the XML tab, tick “Edit query manually”, then copy the following to the textbox:
Code:<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*[System[EventID=4624] and EventData[Data[@Name='TargetUserName'] = 'USERNAME']]</Select>
</Query>
</QueryList>This selects all events from the Security log with EventID 4624 where the EventData contains a Data node with a Name value of TargetUserName that is equal to USERNAME. Remember to replace USERNAME with the name of the user you’re looking for.
If you need to be even more specific, you can use additional XPath querying – have a look at the detail view of an event and select the XML view to see the data that you are querying into.
Thanks user Hamstro!
Notes:
- you need to perform this using
eventvwr.exerunning as an elevated process using an Administrative user CUA token. USERNAMEneeds to be the name of the user in UPPERCASE.- replacing
TargetUserNamewithsubjectUsername(as suggested by [WayBack] How to Filter Event Logs by Username in Windows 2008 and higher | Windows OS Hub) fails. - there are more relevant EventID values you might want to filter on (all links have screenshot and XML example of an event):
- [WayBack]
4624(S) An account was successfully logged on. (Windows 10) | Microsoft Docs - [WayBack]
4625(F) An account failed to log on. (Windows 10) | Microsoft Docs - [WayBack]
4626(S) User claims information./Device claims information. (Windows 10) | Microsoft Docs - [WayBack]
4634(S) An account was logged off. (Windows 10) | Microsoft Docs - [WayBack] 4647(S) User initiated logoff. (Windows 10) | Microsoft Docs
- [WayBack] 4648(S) A logon was attempted using explicit credentials. (Windows 10) | Microsoft Docs
- [WayBack]
4797(An attempt was made to query the existence of a blank password for an account) At the time of writing, it was undocumented, but it seems to be part of an account checking process as per [WayBack] Windows 8 Event ID 4797 in Security Log:
That means that an application or service makes an attempt to query the accounts which have blank password. I think some security software may make such request.
- [WayBack]
- blank (empty passwords) can only be used for local logon, so they disable network logon. That can be a useful security strategy.
Related:
- [WayBack] How to search the Windows Event Log for logins by username
- [WayBack] Active Directory – How to Find Failed Logon Requests – geekmungus
- [WayBack] Audit Failure – Suspicious Activity On A Server – IT Security – Spiceworks
–jeroen
Share this:
Posted in Development, Microsoft Surface on Windows 7, Power User, Software Development, Windows, Windows 10, Windows 7, Windows 8, Windows 8.1, Windows 9, Windows Vista, Windows XP, XML/XSD | Leave a Comment »
Windows 10: quickly view Settings -> Printers no matter the installed language
Posted by jpluimers on 2021/08/23
From Windows 8 on, Microsoft has been pushing more and more stuff to the App UI (sometimes called Immersive User Interface).
By default they are only easily accessible from the search feature from the “Start” button or “Search” pane in the task bar.
This is cumbersome or even problematic when you have to remember the correct terms over many localisations.
In the past you could run this from the command prompt or Windows+R keyboard shortcut “Run” pop-up:
control printers
This does not work however in either of the two:
settings printers
This works from the Windows+R keyboard shortcut “Run” pop-up:
ms-settings:printers
This works from the command prompt:
start ms-settings:printers
The difference is that with control , it will eventually find control.exe on the path, but ms-settings: is the scheme bit of an URI. The start command can handle this, the plain command-line cannot.
What in fact happens is that the URI scheme handler, will have a Windows Service (which runs under NT AUTHORITY\SYSTEM) start "C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel under your current user.
List of Settings URIs
Next to a List of applications behind the various control panel links – via “Stop user access to control panel”, below is a list of Settings URIs.
The below list is from [WayBack] The list of Settings pages URIs (ms-settings) in Windows 10 , but misses ms-settings:printers.
Share this:
Posted in Power User, Windows, Windows 10, Windows 8, Windows 8.1 | Leave a Comment »
The Windows key has no Unicode equivalent, so use ⊞ like Wikipedia and many others do
Posted by jpluimers on 2021/08/23
lFor Mac keyboard keys, almost all (except the old solid and open Apple logo’s) have a Unicode code point, see for instance the modifier keys from the [WayBack] List of Mac/Apple keyboard symbols · GitHub (the “Alt” column has a solid Apple logo in the bottom right; on non-Mac systems it will look differently as it is in the Unicode private range: [WayBack] Unicode Character ” (U+F8FF): ‘<Private Use, Last>’):
Sym Key Alt ⌃ Control ⌥ Option ⇧ Shift ⌘ Command
These are the code points for the “Sym” column:
- ⌃ – [WayBack] Unicode Character ‘UP ARROWHEAD’ (U+2303) (less wide than the below three)
- ⌥ – [WayBack] Unicode Character ‘OPTION KEY’ (U+2325)
- ⇧ – [WayBack] Unicode Character ‘UPWARDS WHITE ARROW’ (U+21E7)
- ⌘ – [WayBack] Unicode Character ‘PLACE OF INTEREST SIGN’ (U+2318)
Keys on many platforms
Share this:
Posted in Microsoft Surface on Windows 7, Power User, Windows, Windows 10, Windows 7, Windows 8, Windows 8.1, Windows 95, Windows 98, Windows NT, Windows Server 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Vista, Windows XP | 1 Comment »
The continued Windows PrintNightmare saga: no more printer Plug&Play for end-users on Windows
Posted by jpluimers on 2021/08/12
It was fun while it lasted, and puts other operating systems at an advantage.
[Wayback] Jeroen Wiert Pluimers on Twitter: “Bye bye printer Plug & Play on Windows for end-users: … Though MacOS has its share of printer driving issues (like only printing monochrome to colour printers), this is a serious step back on Windows compared to MacOS.”
More on the MacOS printer woes in a later blog post.
Web related:
- [Wayback] More PrintNightmare: “We TOLD you not to turn the Print Spooler back on!” – Naked Security
- [Wayback] Microsoft responds to PrintNightmare by making life that little bit harder for admins • The Register:
Have they forgotten SysAdmin Appreciation Day so soon?
- [Wayback] Point and Print Default Behavior Change – Microsoft Security Response Center
Today, we are addressing this risk by changing the default Point and Print driver installation and update behavior to require administrator privileges. The installation of this update with default settings will mitigate the publicly documented vulnerabilities in the Windows Print Spooler service. This change will take effect with the installation of the security updates released on August 10, 2021 for all supported versions of Windows, and is documented as CVE-2021-34481.
- [Wayback] KB5005652—Manage new Point and Print default driver installation behavior (CVE-2021-34481)
- [Archive.is] Security Update Guide – CVE-2021-36958
- [Wayback] Microsoft Warns: Another Unpatched PrintNightmare Zero-Day | Threatpost
Twitter related:
- [Archive.is] 🥝 Benjamin Delpy on Twitter: “Basicaly: – assuming default value is “restrict install to admin” 1 now – more check on remote files install path… “
- [Archive.is] 🥝 Benjamin Delpy on Twitter: “August PatchTuesday #printnightmare… “
- [Archive.is] 🥝 Benjamin Delpy on Twitter: “Want to test #printnightmare (ep 4.x) user-to-system as a service?🥝 (POC only, will write a log file to system32) connect to … with – user: .\gentilguest – password: password Open ‘Kiwi Legit Printer – x64’, then ‘Kiwi Legit Printer – x64 (another one)’… …”
- [Archive.is] Victor Mata on Twitter: “Hey guys, I reported the vulnerability in Dec’20 but haven’t disclosed details at MSRC’s request. It looks like they acknowledged it today due to the recent events with print spooler.… “
- [Archive.is] Will Dormann on Twitter: “For what it’s worth, Microsoft has just notified me that they published … for this issue. That is, the execution of code specified in “CopyFiles” directives of shared printers (VU#131152) is (per Microsoft’s confirmation to me): CVE-2021-36958… …”
–jeroen
Share this:
Posted in Hardware, Power User, Printer drivers, Printers, Windows, Windows 10, Windows 7, Windows 8, Windows 8.1 | Leave a Comment »
