Convert NT Time Epoch to human readable time in Excel

September 13, 2016 Leave a comment

This is the formula (cell formatting should be long date)

=A1/(8.64*10^11) - 109205

If you want to change this to EDT (-4 UTC):

=A1/(8.64*10^11) - 109205 - time(4,0,0)

Thanks to this guy.

Outlook macros: what.

September 1, 2016 Leave a comment

I had a request to make Outlook do something after an email is sent.

Here’s how you do that (I’m not too exciting this morning):

Public WithEvents myOlApp As Outlook.Application
Private Sub Application_Startup()
    Call Initialize_handler
End Sub
Public Sub Initialize_handler()
 Set myOlApp = Outlook.Application
 MsgBox ("I be loading")
End Sub
Private Sub myOlApp_ItemSend(ByVal Item As Object, Cancel As Boolean)
 Dim prompt As String
 prompt = "Are you sure you want to send " & Item.Subject & "?"
 If MsgBox(prompt, vbYesNo + vbQuestion, "Sample") = vbNo Then
 Cancel = True
 End If
End Sub

Pop up the developers tab on your ribbon, and insert that code into the “ThisOutlookSession.” Save. Close and reopen. Macro security is important.

If we move this into production, I’ll work on signing the macro also.

Windows update failing, use dism to uninstall the failing package

August 29, 2016 Leave a comment

After reviewing the c:\windows\system32\cbs\CBS.log and c:\windows\Windowsupdate.log, the following failure was reported in the windowsupdate.log file:

2016-08-29	10:26:05:812	 984	11c0	Agent	Attempt 1 to obtain post-reboot results.
2016-08-29	10:26:06:999	 984	11c0	Handler	Post-reboot status for package Package_for_KB3125574~31bf3856ad364e35~amd64~~ 0x80004005.
2016-08-29	10:26:06:999	 984	11c0	Handler	WARNING: Got extended error: "Generic Command	ErrorCode	80004005	Executable	bfsvc.exe	ExitCode	112	Phase	38	Mode	Install (upgrade)	Component	Microsoft-Windows-BootEnvironment-Core-BootManager-PCAT, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=x86, versionScope=NonSxS"
2016-08-29	10:26:11:812	4304	58c	COMAPI	-----------  COMAPI: IUpdateServiceManager::RemoveService  -----------
2016-08-29	10:26:11:812	4304	58c	COMAPI	  - ServiceId = {6d7dbb69-4bc2-4e6e-9dec-0651152c5691}
2016-08-29	10:26:11:874	4304	58c	COMAPI	IUpdateService removing volatile scan package service, serviceID = {6D7DBB69-4BC2-4E6E-9DEC-0651152C5691}
2016-08-29	10:26:11:874	 984	cb8	Agent	WARNING: WU client fails CClientCallRecorder::RemoveService with error 0x80248014
2016-08-29	10:26:11:953	4304	58c	COMAPI	WARNING: ISusInternal::RemoveService failed, hr=80248014
2016-08-29	10:26:12:015	 984	a88	Report	REPORT EVENT: {0D6E181E-8A07-40B9-BD04-93B81A786626}	2016-08-29 10:26:07:015-0400	1	182	101	{5A44EA4D-9446-49BC-AB5F-71C9A8FE21B4}	501	80004005	wusa	Failure	Content Install	Installation Failure: Windows failed to install the following update with error 0x80004005: Update for Windows (KB3125574).
2016-08-29	10:26:12:015	 984	a88	Report	CWERReporter::HandleEvents - WER report upload completed with status 0x8
2016-08-29	10:26:12:015	 984	a88	Report	WER Report sent: 7.6.7601.23453 0x80004005(0x17766a8) A44EA4D-9446-49BC-AB5F-71C9A8FE21B4 Install 501 0 wusa {21586AC6-9DBE-4916-8E8C-F6B5F901AF52} 0

Try running the following then reboot, then try to reinstall the failing package:

dism.exe /online /remove-package /packagename:Package_for_KB3125574~31bf3856ad364e35~amd64~~

You might note that the failing KB is one of these new fangled cumulative rollups which contains a bunch o’ packages. Even after a roll back by the Windows updates client, I was surprised to see that this package was still installed. Meaning the above dism command didn’t return an error, but succeeded.

However, in my specific case, the following was found in the CBS.log file:

2016-08-29 12:10:38, Info                  CSI    00000369 Calling generic command executable (sequence 75 (0x0000004b)): [20]"C:\Windows\bfsvc.exe"
    CmdLine: [47]""C:\Windows\bfsvc.exe" C:\Windows\boot /nofonts"
2016-08-29 12:11:10, Error      [0x018009] CSI    0000036a (F) Done with generic command 75 (0x0000004b); CreateProcess returned 0, CPAW returned S_OK
    Process exit code 112 (0x00000070) resulted in success? FALSE
    Process output: [l:8995 [4096]"BFSVC: BfspCopyFile(C:\Windows\boot\PCAT\bootmgr, \\?\GLOBALROOT\Device\HarddiskVolume1\Boot\bootmgr) failed! (Attempt 1 of 60) Last Error = 0x70

This indicates that HarddiskVolume1 has not enough room (error 112, try running `net helpmsg 112`). HarddiskVolume1 is the System Reserved Partition. This is fairly convoluted, but you must add a drive letter to the partition, give a user ownership, take full control, then you can manage the files, remove the drive letter, reboot and try to install the hotfix again. And always remember to drop the size of a file to 1KB, hit it with the old `echo > file.ext`.


A word about WMI DateTime format conversions in powershell

May 25, 2016 Leave a comment

A word.

I was working on this for too much time trying to use DateTime::Parse() and DateTime::ParseExact() within the expression. But… duh… just use string formatting…

Get-WmiObject win32_operatingsystem | select @{LABEL='LastBootUpTime';EXPRESSION={($_.ConverttoDateTime($_.lastbootuptime)).tostring('MM-dd-yyyy hh:mm:ss')}}

New page: Shavlik Protect: An actual quick start guide.

March 30, 2016 Leave a comment

I’ve created a new page under Technology Solutions that will assist people with rolling our Shavlik Protect in actually under an hour (or whatever they say in their marketing).

Shavlik Protect: An actual quick start guide.

Change the default size of CABs that WSUS will accept to be published

March 10, 2016 Leave a comment

I came across an issue when using our third party patch management system (that integrates into WSUS) that an update could not be published to WSUS because it exceeded 384MB.

Searching the web, I located several posts, but arrived on this one which contains a quick powershell script that increases the maximum size of the CAB file that can be published.

I’ve not messed with reflection too much, but I do think this would be useful specifically for WSUS management classes that aren’t revealed through the regular cmdlets.

Don’t get-mousejacked

March 4, 2016 Leave a comment

[UPDATED: April 14th, 2016:

Good news everyone! MSFT has released an optional update that resolves this issue:


This morning, my boy Bruce Schneier posted about Bastille’s February 23rd published attacks on various wireless mouse/keyboard dongles.

I’ve written a quick Powershell script to get a full inventory of affected computers (deal with the output yourself).

Worth noting that this is clearly novel, but, as of this time, MSFT hasn’t released a patch, which is weird given that Bastille disclosed the vulnerabilities to them November 24th, 2015. The recommended solution (from Bastille) is to move to a wired keyboard. Nice! But aren’t those vulnerable as well?! Is Tom Cruise crawling in my ceiling tiles?!!1

Here are the details and links to attack code:

%d bloggers like this: