Archive

Posts Tagged ‘windows’

Don’t get-mousejacked

March 4, 2016

[UPDATED: April 14th, 2016:

Good news everyone! MSFT has released an optional update that resolves this issue:

]

This morning, my boy Bruce Schneier posted about Bastille’s February 23rd published attacks on various wireless mouse/keyboard dongles.

I’ve written a quick Powershell script to get a full inventory of affected computers (deal with the output yourself).

Worth noting that this is clearly novel, but, as of this time, MSFT hasn’t released a patch, which is weird given that Bastille disclosed the vulnerabilities to them November 24th, 2015. The recommended solution (from Bastille) is to move to a wired keyboard. Nice! But aren’t those vulnerable as well?! Is Tom Cruise crawling in my ceiling tiles?!!1

Here are the details and links to attack code: https://www.bastille.net/affected-devices


Outlook freezing and spiking Exchange Indexing service processes? You probably have some corruption in your mailboxen

April 9, 2015

Last night, at about 4:50PM we faced a momentary “freeze” in all Outlook clients.

I hopped onto one of our mailbox servers (the DAG member where our three DBs were mounted), and noticed a large lag in connection.


Exchange distribution group migration… remember the Outlook cache

December 23, 2014

Outlook caches the X500 address (aka LegacyExchangeDN attribute) of a Distribution Group object.

So, when you migrate a distribution group, remember to not only bind the SMTP address to the destination Distribution Group, but also the X500 address (available as the LegacyExchangeDN attribute value) of the old distribution group, as an additional Email address for the destination distribution group.

Forgot to grab that LegacyExchangeDN attribute value before removing the old distribution group? Don’t worry. Have someone with the cached entry in their Outlook send an email to the old distribution group, and they will get an NDR.

This NDR will contain something similar to the following:

IMCEAEX-_O=FIRST+20ORGANIZATION_OU=First+20Administrative+20Group_cn=Recipients_cn=olddistrogroup@contoso.corp
#550 5.1.1 RESOLVER.ADR.ExRecipNotFound; not found ##

You can create an X500 Email address from this information and add it as an Email address on the destination/new distribution group.

As described in KB2807779, simply take that string and perform the following:

  • Replace any underscore character (_) with a slash character (/).
  • Replace “+20” with a blank space.
  • Replace “+28” with an opening parenthesis character.
  • Replace “+29” with a closing parenthesis character.
  • Delete the “IMCEAEX-” string.
  • Delete the “@contoso.corp” string.

Note that any other special character is encoded the same way, as a plus sign followed by its two-digit ASCII hex code, so an underscore is +5F, etc.

The above example’s X500 address would be:

/O=FIRST ORGANIZATION/OU=First Administrative Group/cn=Recipients/cn=olddistrogroup
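
The KB2807779 steps above can be scripted. The following is an added example, not part of the original post: the function name ConvertFrom-ImceaEx is hypothetical, and the second sample string is constructed to exercise the +28, +29 and +5F escapes. It goes slightly beyond the listed replacements by decoding every +XX escape.

```powershell
# Added example: turn the IMCEAEX string from an NDR into the X500 address.
function ConvertFrom-ImceaEx {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string]$Address
    )
    process {
        $value = $Address.Trim()
        if ($value -notmatch '^IMCEAEX-') {
            throw "Not an IMCEAEX address: $value"
        }

        # Delete the "IMCEAEX-" prefix and the trailing "@domain" part.
        $value = $value -replace '^IMCEAEX-', ''
        $at = $value.LastIndexOf('@')
        if ($at -ge 0) { $value = $value.Substring(0, $at) }

        # Underscores separate the DN components. This must happen before
        # decoding, because a literal underscore arrives encoded as +5F.
        $value = $value.Replace('_', '/')

        # Decode every +XX escape (+20 space, +28 "(", +29 ")", +5F "_", ...)
        # in a single pass so decoded characters are never re-interpreted.
        [regex]::Replace($value, '\+([0-9A-Fa-f]{2})', {
            param($m)
            [string][char][Convert]::ToInt32($m.Groups[1].Value, 16)
        })
    }
}

# First sample: the NDR string from the post.
# Second sample: constructed, with parentheses and an encoded underscore.
$samples = @(
    'IMCEAEX-_O=FIRST+20ORGANIZATION_OU=First+20Administrative+20Group_cn=Recipients_cn=olddistrogroup@contoso.corp',
    'IMCEAEX-_O=FIRST+20ORGANIZATION_OU=Exchange+20Administrative+20Group+20+28FYDIBOHF23SPDLT+29_cn=Recipients_cn=old+5Fgroup@contoso.corp'
)

# Emit each result in the "X500:<address>" proxy-address form.
$samples | ConvertFrom-ImceaEx | ForEach-Object { "X500:$_" }
```

The function itself is plain string handling, so it runs in any PowerShell session without the Exchange Management Shell loaded.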

You can assign this additional Email address (aka alias) to the distribution group through the Email Address tab of the distribution group properties in the Exchange Management Console (use Email type: “x500”, and the Email address as above), or via the `set-distributiongroup newdistributiongroup -emailaddresses [list of email addresses]` powershell command. Note that the list you pass replaces the current set of addresses, so you should first use `get-distributiongroup newdistributiongroup | select emailaddresses` to see the existing entries, then run `set-distributiongroup…` with the input including the existing entries.

Once the X500 address is bound to the new distribution group, re-test with the cached address and you should be good.

Quick link: This guy/chick knows spell check

November 6, 2014

Just a quick link to what appears to be a serious Word user’s site (okay they’re an Office MVP). For your spell check failure needs.

Quick script: Report the Windows updates installed within the last 30 days

October 27, 2014

Get-WmiObject -Class "win32_quickfixengineering" | where {$_.installedon -gt (get-date).adddays(-30) } | select HotFixID,installedon

Search an offline Windows event/application log quickly

October 22, 2014

get-winevent -FilterHashTable @{path="pathto:\dc4secevent.evtx";logname='Security';ID=628}

Apply auto-approval rules to new classifications in WSUS

October 17, 2014

Okay, so not exactly what I said above, but you can use Powershell to approve updates that match some classification, OS, and/or product matching your auto-approval rules (although you will have to know your auto-approval rules).

You can use where-object to specify which Microsoft.UpdateServices.Commands.WsusUpdate objects to pipe into `approve-wsusupdate` as follows.

This makes approving all updates for newly selected products or OSes much easier than going through the GUI and manually approving each for Install.

Here is an example of approving all updates for Windows 2012:

import-module updateservices
Get-WsusUpdate -Classification Critical -Approval Unapproved -Status FailedOrNeeded | where {$_.products -like "*2012*"} | approve-wsusupdate -action install -targetgroupname "All Computers" -whatif
Get-WsusUpdate -Classification Security -Approval Unapproved -Status FailedOrNeeded | where {$_.products -like "*2012*"} | approve-wsusupdate -action install -targetgroupname "All Computers" -whatif
Get-WsusUpdate -Classification all -Approval Unapproved -Status FailedOrNeeded | where {$_.products -like "*2012*" -and $_.classification -like "Updates"} | approve-wsusupdate -action install -targetgroupname "Servers" -whatif

Can’t find much in the way of the Microsoft.UpdateServices.Commands.WsusUpdate class, so here are the available fields to filter on (using -like or -contains as per the type definition):

Approved                           Property   string Approved {get;}
Classification                     Property   string Classification {get;}
ComputersInstalledOrNotApplicable  Property   int ComputersInstalledOrNotApplicable {get;}
ComputersNeedingThisUpdate         Property   int ComputersNeedingThisUpdate {get;}
ComputersWithErrors                Property   int ComputersWithErrors {get;}
ComputersWithNoStatus              Property   int ComputersWithNoStatus {get;}
InstalledOrNotApplicablePercentage Property   int InstalledOrNotApplicablePercentage {get;}
LanguagesSupported                 Property   System.Collections.Specialized.StringCollection LanguagesSupported {get;}
LicenseAgreement                   Property   string LicenseAgreement {get;}
MsrcNumbers                        Property   System.Collections.Specialized.StringCollection MsrcNumbers {get;}
MustBeInstalledExclusively         Property   bool MustBeInstalledExclusively {get;}
Products                           Property   System.Collections.Specialized.StringCollection Products {get;}
Removable                          Property   bool Removable {get;}
RestartBehavior                    Property   string RestartBehavior {get;}
Update                             Property   Microsoft.UpdateServices.Administration.IUpdate Update {get;}
UpdateId                           Property   string UpdateId {get;}
UpdatesSupersededByThisUpdate      Property   System.Collections.Specialized.StringCollection UpdatesSupersededByThi...
UpdatesSupersedingThisUpdate       Property   System.Collections.Specialized.StringCollection UpdatesSupersedingThis...