Author Archive

Querying for and uninstalling evil KBs with Powershell Remoting

August 18, 2014 1 comment

You haven’t enabled Powershell Remoting yet? C’mon! Check out this blog post.

Disregarding security flaw edge cases, PowerShell Remoting's defaults follow good security practices: Kerberos authentication on a domain (the same mechanism used when you access an admin share; it is ticket based, not certificate based) and encryption of every message on the wire, even over the default HTTP listener on TCP 5985.

This past week, two KBs made news for causing BSODs. Although none of our systems (workstations or servers) had a BSOD, we still wanted to get a grasp on where the KBs were installed.

Powershell Remoting made this very simple.

In this case, the block starting with `get-wmiobject` queries computer objects (by OU) to check if the two given KBs are installed. A report is output to my desktop.

The block starting with `Invoke-Command` runs `wusa.exe` synchronously, and returns once the given KB is uninstalled. It will create a restore point. Before I did this, I took a look at WSUS to verify that the patch was pulled (and it was).
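The original script blocks did not survive on this page, so the following is an added example of my own, not the post's code. It assumes the RSAT ActiveDirectory module on the admin workstation, WinRM enabled on the targets, the OU below, and two KB numbers (the post does not name them; the two used here are my assumption, substitute your own). The query half fans `Win32_QuickFixEngineering` out over remoting and writes a CSV to the desktop; the uninstall half runs `wusa.exe` synchronously on only the hosts that reported the KB.

```powershell
# Added example, not the post's own script. Assumptions: RSAT ActiveDirectory module,
# WinRM enabled on targets, the OU below, and the two KB IDs (not named in the post).
$Kbs        = @('KB2982791', 'KB2970228')
$SearchBase = 'OU=Workstations,DC=corp,DC=example'
$Report     = Join-Path ([Environment]::GetFolderPath('Desktop')) 'kb-report.csv'

Import-Module ActiveDirectory
$Computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase |
             Select-Object -ExpandProperty DNSHostName

# 1. Query: Win32_QuickFixEngineering lists installed hotfixes by HotFixID ('KBnnnnnnn').
#    Invoke-Command fans the query out over WinRM (Kerberos, encrypted by default).
$Results = Invoke-Command -ComputerName $Computers -ErrorAction SilentlyContinue `
    -ArgumentList (,$Kbs) -ScriptBlock {
        param([string[]]$Kbs)
        $installed = Get-WmiObject -Class Win32_QuickFixEngineering |
                     Where-Object { $Kbs -contains $_.HotFixID }
        foreach ($kb in $Kbs) {
            $hit = $installed | Where-Object { $_.HotFixID -eq $kb }
            [pscustomobject]@{
                Computer    = $env:COMPUTERNAME
                KB          = $kb
                Installed   = [bool]$hit
                InstalledOn = if ($hit) { ($hit | Select-Object -First 1).InstalledOn } else { $null }
            }
        }
    }
$Results | Select-Object PSComputerName, Computer, KB, Installed, InstalledOn |
    Export-Csv -Path $Report -NoTypeInformation

# Hosts that did not answer are a gap in the report, not a clean bill of health.
$Answered  = $Results | Select-Object -ExpandProperty PSComputerName -Unique
$Unreached = $Computers | Where-Object { $Answered -notcontains $_ }
if ($Unreached) { Write-Warning ("No answer from: " + ($Unreached -join ', ')) }

# 2. Uninstall: wusa.exe /uninstall /kb:<number> /quiet /norestart, run synchronously
#    (-Wait) so the remote script block returns when wusa is done. Exit code 0 = removed,
#    3010 = removed but a reboot is pending. Decline or pull the update in WSUS first or
#    the client will simply reinstall it at the next detection cycle.
$Targets = $Results | Where-Object { $_.Installed } |
           Select-Object -ExpandProperty PSComputerName -Unique
$Uninstall = Invoke-Command -ComputerName $Targets -ArgumentList (,$Kbs) -ScriptBlock {
    param([string[]]$Kbs)
    foreach ($kb in $Kbs) {
        $num = $kb -replace '^KB', ''
        $p = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
                 -ArgumentList "/uninstall /kb:$num /quiet /norestart" -Wait -PassThru
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; KB = $kb; ExitCode = $p.ExitCode }
    }
}
$Uninstall | Format-Table -AutoSize
```

Passing `(,$Kbs)` keeps the array intact as a single argument to the remote `param()`; without the leading comma PowerShell would splat it into two positional parameters. Review the exit codes before scheduling the reboots: a 3010 means the driver is still the vulnerable or faulty one until the machine restarts.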

I have some IRCcloud invites

August 8, 2014 Leave a comment

I have some IRCcloud invites.

You know the deal. Respond and input your Email address in the Comment form (nothing fancy please), and I’ll get back to the first people that post [note that I can see the order even if you can't see the comment below].


I have some Demonoid invites

July 26, 2014 1 comment

I have some Demonoid invites.

You know the deal. Respond and input your Email address in the Comment form (nothing fancy please), and I’ll get back to the first people that post [note that I can see the order even if you can't see the comment below].

I went Blackberry and I can’t go back

July 25, 2014 Leave a comment

Three weeks ago my HTC One started rebooting repeatedly. I did what any self-respecting systems engineer would do, booted into TWRP recovery and performed a system wipe. This succeeded, but the rebooting continued. Odd, so I flashed stock recovery and performed a system wipe again. Same symptom.

I already had conditional forwarding (calls are forwarded on the condition of “no answer” or “busy”, *28 on Sprint) configured to forward to Google Voice, which served as my voicemail (set “do not disturb” on Google Voice); so I just added my work cell phone to ring when a Google voice call is received, and shut off “do not disturb.” Essentially, I had calls from my Sprint phone forwarded to my work cell phone without issue; granted no SMS/MMS forwarding, but so be it.

At Sprint’s advice, I called HTC for warranty replacement and, with visions of defense contractor surveillance engineers and package interception dancing in my head, I sent my phone off to HTC; and so began my journey to accidentally switching to Blackberry OS10 on the Z30, and now I can’t go back.

Smelling the need for a Windows Event log monitor

July 9, 2014 Leave a comment

Google has not steered me wrong.

Thanks, guy who wrote that.

No password/user box/LogonUI prompt after ctrl-alt-del hit

June 10, 2014 Leave a comment

It’s your friendly Windows helpdesk guy here.

We have an issue that seems random, where certain users fail to get the password prompt after hitting the ctrl-alt-del combo at logon (LogonUI).

The culprits seem to be the combo of HP Z620 workstations + Matrox video card “drivers” or, simply, Matrox PowerDesk software.

I opened a case with Microsoft support because I could not use xbootmgr to troubleshoot the issue and did not know where else to go.

They advised me to clear any Credential Provider other than the following list:

Smartcard Credential Provider
Smartcard Pin Provider
WinBio Credential Provider

This includes the stupidly risky Credential Provider "Matrox.Pdesk.LogonRelocator64".

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{FBF75A60-F408-4e8e-905A-FB8F7A8BBC78}

I guess Matrox is trying to be helpful by creating a credential provider to move your LogonUI screen around; it’s quite clear that the cost of messing with Credential Providers to provide such a trivial benefit is too high.

Delete the above registry key (export it first so the change can be reversed) to unregister the provider and avoid the problem. Credential providers are loaded into LogonUI.exe before anyone has logged on and handle whatever is typed at the logon screen, so a third-party one that exists only to move the prompt around is added attack surface with no security payoff.
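As an added example (my own, not the post's), the script below inventories every credential provider registered on the machine, resolves each CLSID to its DLL and Authenticode signer so you can see what is actually loading into LogonUI, and removes a provider by CLSID after exporting the key. It must run elevated. The `$Expected` list is an assumption: the three names from the Microsoft case plus `PasswordProvider`, the in-box provider that draws the password box; compare against a known-good machine of the same Windows version before removing anything it flags.

```powershell
# Added example, not from the post. Run elevated.
$CpRoot   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$Expected = 'Smartcard Credential Provider', 'Smartcard Pin Provider',
            'WinBio Credential Provider', 'PasswordProvider'   # assumption, see lead-in

function Get-CredentialProviderInventory {
    Get-ChildItem -Path $CpRoot | ForEach-Object {
        $clsid  = $_.PSChildName
        $name   = (Get-ItemProperty -Path $_.PSPath).'(default)'
        # The provider is a COM object; its DLL is under HKCR\CLSID\{guid}\InprocServer32.
        $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = $null; $signer = '<no InprocServer32>'; $status = 'Unknown'
        if (Test-Path $inproc) {
            $dll = [Environment]::ExpandEnvironmentVariables((Get-ItemProperty -Path $inproc).'(default)')
            if ($dll -and (Test-Path $dll)) {
                $sig    = Get-AuthenticodeSignature -FilePath $dll
                $status = $sig.Status
                $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            } else {
                $signer = '<dll missing>'
            }
        }
        [pscustomobject]@{
            CLSID     = $clsid
            Name      = $name
            Expected  = ($Expected -contains $name)
            Dll       = $dll
            Signer    = $signer
            SigStatus = $status
        }
    }
}

function Remove-CredentialProvider {
    # Exports the key to %TEMP% first so the change can be undone with 'reg import'.
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $CpRoot $Clsid
    if (-not (Test-Path $key)) { Write-Warning "$Clsid is not registered"; return $null }
    $backup = Join-Path $env:TEMP ("credprov-" + $Clsid.Trim('{}') + ".reg")
    & reg.exe export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\$Clsid" $backup /y | Out-Null
    Remove-Item -Path $key -Recurse
    return $backup
}

# Unexpected providers sort to the top; anything unsigned or from a vendor you did not
# deliberately install deserves a look before the next user types a password into it.
Get-CredentialProviderInventory | Sort-Object Expected, Name | Format-Table -AutoSize

# The Matrox relocator from the post (its CLSID is the key named above):
# Remove-CredentialProvider -Clsid '{FBF75A60-F408-4e8e-905A-FB8F7A8BBC78}'
```

The same inventory can be pushed to the fleet with `Invoke-Command`, which is how you would find every Z620 that still has the Matrox provider rather than waiting for the next helpdesk ticket. Note that a sibling key, `Credential Provider Filters`, can also hide or reorder providers; it is worth listing alongside.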

WQL/WMI query to check if a user exists

May 12, 2014 Leave a comment

For some odd reason, Microsoft didn't provide a straightforward Group Policy Preferences item-level targeting rule for querying local users. So, if you rename a local user with a GPP Local Users and Groups item and the target name already exists (which it will on every refresh after the first rename), the client logs an error.

To avoid the error, add a WMI Query item-level target that checks whether the user already exists, using the following WQL:

select * from win32_useraccount where localaccount = 1 and caption like '%Administrator'
select * from win32_useraccount where localaccount = 1 and caption like '%Guest'

Note that the Caption property returns the computer name as the realm of the user followed by the user name (like COMPUTER\Administrator), which is why the query uses a leading wildcard. The Name property holds just the bare user name, so `name = 'Administrator'` is an exact alternative that cannot also match an account whose name merely ends in Administrator. Keep the `localaccount = 1` filter either way: without it, WMI on a domain-joined machine will try to enumerate every account in the domain.
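The following is an added example of mine, not part of the post: it does in plain PowerShell what the item-level target does in Group Policy Preferences, checking for the target name before calling `Win32_UserAccount.Rename`, and it shows how to find the built-in Administrator after a rename by its RID rather than its name. The computer name, account names and the `ConvertTo-WqlLiteral` helper are mine.

```powershell
# Added example, not from the post. Requires local admin on the target machine.
function ConvertTo-WqlLiteral {
    # WQL string literals use backslash as the escape character; quote untrusted names
    # before interpolating them into a query.
    param([string]$Value)
    return ($Value -replace '\\', '\\') -replace "'", "\'"
}

function Test-LocalUserExists {
    param([Parameter(Mandatory)][string]$Name, [string]$ComputerName = '.')
    # Name holds the bare user name, so no wildcard is needed; Caption is 'COMPUTER\Name'.
    # LocalAccount = TRUE stops WMI from walking every account in the domain.
    $q = "SELECT Name, Caption, SID FROM Win32_UserAccount " +
         "WHERE LocalAccount = TRUE AND Name = '$(ConvertTo-WqlLiteral $Name)'"
    return [bool](Get-WmiObject -ComputerName $ComputerName -Query $q)
}

function Get-BuiltinAdministrator {
    param([string]$ComputerName = '.')
    # After a rename the name no longer identifies the account; the RID does
    # (500 = built-in Administrator, 501 = Guest), so look it up by SID suffix.
    Get-WmiObject -ComputerName $ComputerName -Query `
        "SELECT Name, Caption, SID, Disabled FROM Win32_UserAccount WHERE LocalAccount = TRUE AND SID LIKE '%-500'"
}

function Rename-LocalUserViaWmi {
    param(
        [Parameter(Mandatory)][string]$OldName,
        [Parameter(Mandatory)][string]$NewName,
        [string]$ComputerName = '.'
    )
    if (Test-LocalUserExists -Name $NewName -ComputerName $ComputerName) {
        # This is the state that makes the GPP client log an error on every refresh.
        Write-Verbose "$NewName already exists on $ComputerName; nothing to do"
        return $true
    }
    $acct = Get-WmiObject -ComputerName $ComputerName -Query `
        "SELECT * FROM Win32_UserAccount WHERE LocalAccount = TRUE AND Name = '$(ConvertTo-WqlLiteral $OldName)'"
    if (-not $acct) { Write-Warning "$OldName not found on $ComputerName"; return $false }
    $result = $acct.Rename($NewName)   # Win32_UserAccount.Rename; ReturnValue 0 = success
    return ($result.ReturnValue -eq 0)
}

# Usage:
#   Rename-LocalUserViaWmi -OldName 'Administrator' -NewName 'LocalAdm' -Verbose
#   (Get-BuiltinAdministrator).Caption    # COMPUTER\LocalAdm after the rename
```

Running `Test-LocalUserExists` against a few machines is also a quick way to validate the WQL above before you wire it into the item-level target, since a syntax error there fails silently as "target not matched".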

A quick note about WSUS auto-approval policies

Your neighborhood generic Windows Admin is here to talk about WSUS auto-approval policies.

Here is how WSUS “gets” updates:
1) A synchronization occurs, in which WSUS fetches metadata about the available updates for the products and classifications you've selected.
2) Updates are approved manually or by auto-approval policy.
3) Updates are downloaded by WSUS.
4) Updates are fetched by the Windows Update clients.

When you add or change an auto-approval rule after WSUS has already synchronized the metadata for a product and classification, the rule does not affect those existing updates: they will not be set to “approved,” will not be downloaded by WSUS, and will not be offered to your Windows Update clients. Rules are evaluated only against updates that arrive in a later synchronization. Why is this done? I have no idea. It seems like an option would be nice to retroactively approve updates according to the current auto-approval policy (and I’m sure you can hack away at the WSUS SQL DB).

So, what do you do? For a few weeks, you’ll just have to slave away at manually approving updates.
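Two things worth knowing beyond the post: WSUS 3.0 SP2 and later have a Run Rule button in the Options, Automatic Approvals dialog that applies one saved rule to the updates already in the catalog, and the same thing can be scripted against the WSUS administration API without touching the SQL database. The script below is an added example of mine, not the post's; the server name, port, classification titles, product title and target group are assumptions, and it defaults to a dry run.

```powershell
# Added example, not from the post. Uses the public WSUS administration assembly that
# ships with the WSUS console (WSUS 3.x and later). Server, port and names are assumptions.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer('wsus.corp.example', $false, 8530)

function Approve-ExistingUpdates {
    param(
        [string[]]$Classification = @('Critical Updates', 'Security Updates'),
        [string]$ProductTitle     = 'Windows 7',
        [string]$TargetGroup      = 'All Computers',
        [switch]$Commit            # without -Commit the function only reports what it would approve
    )
    # Scope = not yet approved, in the chosen classifications, for the chosen product:
    # the same shape as an auto-approval rule, but run against what is already synchronized.
    $scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
    $scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::NotApproved
    $wsus.GetUpdateClassifications() |
        Where-Object { $Classification -contains $_.Title } |
        ForEach-Object { [void]$scope.Classifications.Add($_) }
    $wsus.GetUpdateCategories() |
        Where-Object { $_.Title -eq $ProductTitle } |
        ForEach-Object { [void]$scope.Categories.Add($_) }

    $group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $TargetGroup }
    if (-not $group) { throw "Target group '$TargetGroup' not found" }

    $approved = @()
    foreach ($u in $wsus.GetUpdates($scope)) {
        # Declined updates stay declined; superseded ones are noise the rule would also skip.
        if ($u.IsDeclined -or $u.IsSuperseded) { continue }
        if (-not $Commit) { Write-Host "Would approve: $($u.Title)"; continue }
        if ($u.RequiresLicenseAgreement) { $u.AcceptLicenseAgreement() }
        [void]$u.Approve([Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install, $group)
        $approved += $u.Title
    }
    return $approved
}

# Dry run first, then approve for a pilot group before 'All Computers'.
Approve-ExistingUpdates -TargetGroup 'Pilot'
# Approve-ExistingUpdates -TargetGroup 'Pilot' -Commit
```

Approving to a pilot target group first matters more for a bulk retroactive approval than for the normal trickle: an auto-approval rule lets one bad update through at a time, while this script can push months of backlog to every client in one pass, which is exactly the scenario the KB-uninstall post above is cleaning up after.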


MeasurementLabs and JRE

April 29, 2014 Leave a comment

I just “got upgraded” to 100Mbps down and 10Mbps up from time warner. Except that 100Mbps is more like 20Mbps thanks to measurement labs.

I had some trouble configuring JRE to allow me to run Measurementlabs’ NDT tool, so, for reference, below is an %userprofile%\appdata\locallow\sun\java\deployment\security\exception.sites file:

Looks like I’ll have to give time warner a call.

SElinux coloring book, and MSOpenTech

April 27, 2014 Leave a comment

I subscribe to DevOps Weekly. Not sure why, since I’m not in an agile system development or continuous delivery environment, but I guess I figure I can glean some useful stuff out of it.

This week, the dude linked to two useful things:
