Author Archive

Smelling the need for a Windows Event log monitor

July 9, 2014

Google has not steered me wrong.

Thanks guy who wrote that.

No password/user box/LogonUI prompt after ctrl-alt-del hit

June 10, 2014

It’s your friendly Windows helpdesk guy here.

We have an issue that seems random, where certain users fail to get the password prompt (LogonUI) after hitting the ctrl-alt-del combo at logon.

The culprits seem to be the combo of HP Z620 workstations + Matrox video card “drivers” or, simply, Matrox PowerDesk software.

I opened a case with Microsoft support because I could not use xbootmgr to troubleshoot the issue; I did not understand where else to go.

They advised me to clear any Credential Provider other than the following list:

Smartcard Credential Provider
Smartcard Pin Provider
WinBio Credential Provider

This includes the stupidly risky Credential Provider “Matrox.Pdesk.LogonRelocator64”.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{FBF75A60-F408-4e8e-905A-FB8F7A8BBC78}

I guess Matrox is trying to be helpful by creating a credential provider to move your LogonUI screen around; it’s quite clear that the cost of messing with Credential Providers to provide such a trivial benefit is too high.

Delete the above registry key to avoid the problem.
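Before deleting anything, it helps to see which providers are actually registered. The following read-only audit is an added example, not code from the original post or from Microsoft support: the function name `Get-UnexpectedCredentialProvider` is hypothetical, the default allow-list is the three names quoted above, and you should extend it with whatever else your build legitimately registers.

```powershell
# Added example: list Credential Providers whose name is not on an allow-list.
# Read-only: it reports, it does not delete.
function Get-UnexpectedCredentialProvider {
    [CmdletBinding()]
    param(
        # Default allow-list: the three providers named in the post.
        [string[]]$AllowedName = @(
            'Smartcard Credential Provider',
            'Smartcard Pin Provider',
            'WinBio Credential Provider'
        ),
        [string]$BasePath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
    )

    foreach ($key in Get-ChildItem -LiteralPath $BasePath) {
        # Each subkey is a CLSID; its (Default) value holds the provider's name.
        $clsid = $key.PSChildName
        $name  = $key.GetValue('')

        if ($AllowedName -notcontains $name) {
            # Resolve the COM registration to see which DLL LogonUI would load.
            $inproc = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
            $dll = $null
            if (Test-Path -LiteralPath $inproc) {
                $dll = (Get-Item -LiteralPath $inproc).GetValue('')
            }

            [pscustomobject]@{
                Clsid = $clsid
                Name  = $name
                Dll   = $dll
            }
        }
    }
}

# Run elevated on the affected workstation; review the output before removing any key.
Get-UnexpectedCredentialProvider | Format-Table -AutoSize
```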

WQL/WMI query to check if a user exists

May 12, 2014

For some odd reason, MSFT didn’t code a straight item-level targeting rule to allow you to query local users. So, if you are renaming a local user, and it is already in existence (which it will be after you rename it), your client will log an error.

In order to avoid the error, you must check if the user exists using the following WQL:

select * from win32_useraccount where localaccount = 1 and caption like '%Administrator'
select * from win32_useraccount where localaccount = 1 and caption like '%Guest'

Note that the caption property will return the computer name as the realm of the user followed by the user (like COMPUTER\Administrator); this is why it checks with a wildcard.
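The leading wildcard also matches any local account whose name merely ends with the search string. This added example (not from the original post; the function name `Test-LocalUserWql` is hypothetical) runs the post's query next to an exact match on the `Name` property so you can compare the two before putting either into an item-level targeting rule.

```powershell
# Added example: compare the post's suffix match with an exact Name match.
function Test-LocalUserWql {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$UserName
    )

    # Refuse characters that would need WQL escaping instead of building a broken query.
    if ($UserName -match "['\\]") {
        throw "Unsupported character in user name: $UserName"
    }

    # Same shape as the post's query: Caption is COMPUTER\User, hence the leading %.
    $suffixWql = "select * from win32_useraccount where localaccount = 1 and caption like '%$UserName'"
    # Exact alternative: Name holds the account name without the computer prefix.
    $exactWql  = "select * from win32_useraccount where localaccount = 1 and name = '$UserName'"

    $suffixHits = @(Get-CimInstance -Query $suffixWql)
    $exactHits  = @(Get-CimInstance -Query $exactWql)

    [pscustomobject]@{
        UserName      = $UserName
        # May list extra accounts, e.g. COMPUTER\NotGuest when searching for Guest.
        SuffixMatches = @($suffixHits | ForEach-Object { $_.Caption })
        ExactMatches  = @($exactHits  | ForEach-Object { $_.Caption })
        Exists        = ($exactHits.Count -gt 0)
    }
}

Test-LocalUserWql -UserName 'Guest'
Test-LocalUserWql -UserName 'Administrator'
```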

A quick note about WSUS auto-approval policies

Your neighborhood generic Windows Admin is here to talk about WSUS auto-approval policies.

Here is how WSUS “gets” updates:
1) A synchronization occurs, in which WSUS fetches some info about available updates for the product classifications you’ve prescribed.
2) Updates are approved manually or by auto-approval policy.
3) Updates are downloaded by WSUS.
4) Updates are fetched by workstations.

When you adjust an auto-approval policy after your classifications already include a product and WSUS has already fetched info about the updates, the policy will not affect those updates. That is, they will not be automatically set to “approved,” will not be downloaded by WSUS, and will not be available to your Windows Update clients. Why is this done? I have no idea. It seems like an option would be nice to retroactively approve updates according to current auto-approval policy (and I’m sure you can hack away at the WSUS SQL DB).

So, what do you do? For a few weeks, you’ll just have to slave away at manually approving updates.


MeasurementLabs and JRE

April 29, 2014

I just “got upgraded” to 100Mbps down and 10Mbps up from Time Warner. Except that 100Mbps is more like 20Mbps thanks to measurement labs.

I had some trouble configuring JRE to allow me to run Measurementlabs’ NDT tool, so, for reference, below is an %userprofile%\appdata\locallow\sun\java\deployment\security\exception.sites file:

Looks like I’ll have to give Time Warner a call.

SElinux coloring book, and MSOpenTech

April 27, 2014

I subscribe to DevOps Weekly. Not sure why, since I’m not in an agile system development or continuous delivery environment, but I guess I figure I can glean some useful stuff out of it.

This week, the dude linked to two useful things:


Huginn, the self-hosted, secure, automation tool for stuff

April 13, 2014

Huginn’s author states it to be “a light-weight infrastructure for building data-gathering and data-reacting tasks for your everyday life. Think of it as an open source Yahoo! Pipes, IFTTT, or Zapier.”

I finally am hopping onto the “activity tracker” craze with a recent purchase of the Jawbone UP24 (waiting for the Basis to get better and awaiting Samsung’s Gear Fit), and would love to use the data to automate a workflow.

I saw If this then that (IFTTT) about a year ago, and thought that it was way too… well.. scary. I mean, to have my UP data stored on Jawbone’s servers is enough to make me shiver, but then to use a third third party to take my “private” UP data and dump it to a Google Doc (which would require IFTTT to have access to both of those things in a non-restrictive way) is just too much.

Luckily, tonight some good fellow posted Huginn to Hacker News. Looks like a great way to keep automated workflows private. And maybe, when I have the time, I can work on storing Jawbone data as I wish.

Did I mention that you can, of course, write your own Huginn agents?

My bleeding heart: Dear argus, I miss you.

April 9, 2014

Since I started a new job, I’ve got a lot of stuff to master before I revisit implementing flow data.

With all the Heartbleed reaction craze, I noticed that some Snort defs were released the other day, and that means there are likely IOCs that can be found in historical flow data.

Carter looks like he’s going to start a write up shortly, so keep an eye on the mailing list.

Powershell: Very fast ping

April 9, 2014

Citing a post, I’ve thrown together a powershell function that is a very fast ping.

It is a useful replacement for the test-connection cmdlet, whose timeout is longer than desirable.

Congratulations to the Chocolatey team!

April 4, 2014

It looks like MSFT will be including direct access to “Chocolatey repositories” in WMF v5 (Powershell v5). Congratulations to Rob Reynolds and the Chocolatey team!

