Category Archives: Tools

Any sort of useful tools that can be used on Windows!
MAC… SNAaa whats that about??

Obtaining local Passwords from Memory Dump

Taking a memory dump of the LSASS process (lsass.exe), which holds the credentials of every account currently logged on to the box: NTLM hashes, Kerberos tickets and, where WDigest is still enabled, cleartext passwords. This is not the cached domain logon data (that lives in the SECURITY hive); it is whatever is in memory for live sessions. The dump can be taken on a remote system, which requires local administrator rights on the target, and is then read offline with mimikatz (sekurlsa::minidump). Two caveats: most AV/EDR products flag a process opening lsass.exe with full memory access, and if LSA Protection (RunAsPPL) is enabled ProcDump fails with "access denied".

Requires: PsExec & ProcDump

psexec \\computername -accepteula -s -c procdump.exe -accepteula -ma -o lsass.exe \\server\logs\computername.dmp

-s runs ProcDump as SYSTEM on the target, -c copies procdump.exe from the current directory to the target first, -ma writes a full dump and -o overwrites an existing file. Because the dump is written by the SYSTEM account on the target, the \\server\logs share (and its NTFS ACL) must allow the target's computer account to write there. The file is a minidump, not a text log, so name it .dmp.

Reference: https://cyberarms.wordpress.com/2015/03/16/grabbing-passwords-from-memory-using-procdump-and-mimikatz/

Trend AV | Tools & Commands

Transferring Trend OfficeScan Client from One Trend Console to Another

Run this on the client from an elevated prompt. -s and -p are the new console's hostname and port, -c is the client's own listening port, and -m 1 is the transfer mode used here:

\\TrendAV01.domain.com\ofcscan\Admin\Utility\IpXfer\ipxfer.exe -s TrendAV01.domain.com -m 1 -p 8080 -c 49831

Transferring Trend OfficeScan Client from One Trend Console to Another REMOTELY

Download PsExec and put it somewhere on the PATH (I drop it in C:\Windows\System32).

psexec \\LaptopName -u Domain\ADMUSER -p Passw0rd -i "\\TrendAV01.domain.com\Trend_Antivirus\Tools\TrendClientMove_x86.bat"

Passing -p on the command line leaves the admin password in the console history and visible to anyone listing processes while PsExec runs; if you omit -p, PsExec prompts for it instead. -i runs the batch file interactively so the user sees the "Update is now Complete" pause. The batch file runs on the laptop under the admin account given with -u, so that account needs read access to the TrendAV01 share.

TrendClientMove_x86.bat

@ECHO OFF
REM Modifies Trend Update Policy Server to use TRENDAV01.domain.com
\\TrendAV01.domain.com\ofcscan\Admin\Utility\IpXfer\ipxfer.exe -s TrendAV01.domain.com -m 1 -p 8080 -c 49831
Echo Update is now Complete!
Echo Click to Close 
Pause

TrendClientMove_x64.bat

@ECHO OFF
REM Modifies Trend Update Policy Server to use TRENDAV01.domain.com
\\TrendAV01.domain.com\ofcscan\Admin\Utility\IpXfer\ipxfer.exe -s TrendAV01.domain.com -m 1 -p 8080 -c 49831
Echo Update is now Complete!
Echo Click to Close 
Pause
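The same move for a list of laptops, done over WinRM instead of PsExec so the admin password never appears on a command line. This is an added example, not the post's own batch file or Trend Micro's tooling. It assumes PowerShell 5.0 or later at both ends (for Copy-Item -ToSession), WinRM enabled on the laptops, and the ipxfer switches exactly as used above. The remote session cannot read the \\TrendAV01 share itself (the classic second-hop problem), which is why ipxfer.exe is copied into the session first. Whether a zero exit code from ipxfer means success is an assumption, so confirm the clients show up under the new console.

```powershell
# Added example, not from the original post. Assumes WinRM on the targets, PowerShell 5+
# for Copy-Item -ToSession, and the ipxfer switches used in the post.
function Move-TrendClient {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][System.Management.Automation.PSCredential]$Credential,
        [string]$IpXferPath = '\\TrendAV01.domain.com\ofcscan\Admin\Utility\IpXfer\ipxfer.exe',
        [string]$Server     = 'TrendAV01.domain.com',
        [int]$ServerPort    = 8080,
        [int]$ClientPort    = 49831
    )
    foreach ($pc in $ComputerName) {
        try {
            $session = New-PSSession -ComputerName $pc -Credential $Credential -ErrorAction Stop

            # The share is readable from here (our credentials), not from inside the session.
            Copy-Item -Path $IpXferPath -Destination 'C:\Windows\Temp\ipxfer.exe' -ToSession $session -Force

            $exitCode = Invoke-Command -Session $session -ScriptBlock {
                param($srv, $sport, $cport)
                & 'C:\Windows\Temp\ipxfer.exe' -s $srv -m 1 -p $sport -c $cport
                $rc = $LASTEXITCODE
                Remove-Item 'C:\Windows\Temp\ipxfer.exe' -Force -ErrorAction SilentlyContinue
                $rc
            } -ArgumentList $Server, $ServerPort, $ClientPort

            Remove-PSSession $session
            [pscustomobject]@{ ComputerName = $pc; ExitCode = $exitCode
                               Status = if ($exitCode -eq 0) { 'moved (assumed: exit 0)' } else { 'check client' } }
        } catch {
            [pscustomobject]@{ ComputerName = $pc; ExitCode = $null; Status = "error: $($_.Exception.Message)" }
        }
    }
}

# Usage: the password is typed once into a secure prompt, never onto a command line.
# $cred = Get-Credential -Message 'Account with local admin on the laptops'
# Move-TrendClient -ComputerName 'LaptopName','Laptop02' -Credential $cred | Format-Table -AutoSize
```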

Resetting OfficeScan Password:

Reference: Reset Officescan Password

Trend Uninstall Tools:

PSEXEC | Remove File Share Remotely

Sometimes it takes time to go and speak to a user and stop what they are doing so you can make a change or tweak on their PC/laptop, so I like to do this in the background remotely without their knowledge (Hey! I'm an admin, that's what I do).

PsExec has become a good friend for doing this!
I usually drop psexec.exe in C:\Windows\System32 so I don't have to change CMD paths (a tools folder on the PATH does the same without mixing third-party binaries into System32). Remember you need to run CMD as a user with admin rights on the remote system for this to work: PsExec connects to the ADMIN$ share and installs its PSEXESVC service on the target.

Remove Share Remotely:

psexec \\PCNAME net share <SHARENAME> /delete

Shares are machine-wide, so this does exactly what it says.

Map Drive Remotely:

psexec \\PCNAME net use S: \\SERVER\SHARE

Caveat: without -i and -u, PsExec runs the command as SYSTEM in the non-interactive session, so the S: mapping lands in that session and the logged-on user never sees it. To map a drive for the user you have to run it in their session and as their account (psexec \\PCNAME -i <session id> -u DOMAIN\user net use S: \\SERVER\SHARE, which prompts for their password), or, better, push it through a logon script or Group Policy drive mapping.

Formatting Device | "diskpart"

Formatting a USB flash drive using the "diskpart" utility:

Diskpart also resolves issues with formatting within the Windows GUI:

Error: "Format cannot run because the volume is in use by another process" and "Will not format – unknown capacity"

CMD (run as administrator)

diskpart
list disk
select disk N
clean
create partition primary
format fs=ntfs quick label=DATA
assign letter=X

Check the size column in "list disk" before "select disk N": "clean" removes every partition on the selected disk, and a slip between disk 1 and disk 0 wipes the system drive. "list volume" / "select volume" also work (focus moves to the underlying disk), but disk numbers are what "clean" acts on.
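The same diskpart steps, with the one check diskpart itself will not do for you: refusing to run "clean" on anything that is not on the USB bus or that carries the boot/system partition. This is an added example, not part of the original post. It assumes Windows 8 / Server 2012 or later for Get-Disk and Get-Volume (Storage module), an elevated prompt, and the drive letter, label and temp-file path shown; diskpart has no dry run, so the function only prints the script unless -Force is given.

```powershell
# Added example, not from the original post. Assumes Windows 8 / Server 2012+ (Storage
# module) and an elevated prompt. 'clean' wipes every partition on the chosen disk.
function Get-UsbDisk {
    Get-Disk | Where-Object { $_.BusType -eq 'USB' } |
        Select-Object Number, FriendlyName, PartitionStyle,
                      @{ n = 'SizeGB'; e = { [math]::Round($_.Size / 1GB, 1) } }
}

function Format-UsbDisk {
    param(
        [Parameter(Mandatory)][int]$DiskNumber,
        [string]$Label = 'DATA',
        [char]$DriveLetter = 'U',
        [switch]$Force      # without -Force the diskpart script is only shown
    )
    $disk = Get-Disk -Number $DiskNumber -ErrorAction Stop
    if ($disk.BusType -ne 'USB') {
        throw "Disk $DiskNumber ($($disk.FriendlyName)) is on the $($disk.BusType) bus, not USB. Refusing to clean it."
    }
    if ($disk.IsBoot -or $disk.IsSystem) {
        throw "Disk $DiskNumber carries the boot or system partition. Refusing to clean it."
    }

    # Same steps as the interactive session, fed to diskpart with /s.
    $script = @"
select disk $DiskNumber
clean
create partition primary
format fs=ntfs quick label=$Label
assign letter=$DriveLetter
"@
    $scriptPath = Join-Path $env:TEMP 'format-usb.txt'
    Set-Content -Path $scriptPath -Value $script -Encoding ASCII

    if (-not $Force) {
        Write-Output "Would run 'diskpart /s $scriptPath' with:`n$script"
        return
    }
    diskpart.exe /s $scriptPath
    if ($LASTEXITCODE -ne 0) { throw "diskpart exited with code $LASTEXITCODE" }
    Get-Volume -DriveLetter $DriveLetter
}

# Usage:
# Get-UsbDisk                          # find the disk number of the stick
# Format-UsbDisk -DiskNumber 2         # shows the diskpart script only
# Format-UsbDisk -DiskNumber 2 -Force  # actually cleans, partitions and formats
```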

SubInACL & iCACLS

SUBINACL (SubInACL.exe)

SubInACL is an older command-line tool (from the Windows Resource Kit) that covers the same ground as iCACLS and more: it obtains security information about files, registry keys and services, and transfers that information from user to user, from local or global group to group, and from domain to domain.

iCACLS

iCACLS example of modifying file permissions:

@echo off
REM ** /T  = Performs the operation on all matching files in the directory and its subdirectories.
REM ** /inheritance:e = enables ACL inheritance on the folder.
REM ** :F  = Full access, :M = Modify access (the permission letter after the account name).
REM ** Granting "Domain Users" Modify on a Program Files folder lets any user replace the
REM ** application's binaries; scope it to the data subfolder the application actually writes to.
if exist "C:\Program Files (x86)" goto 64
icacls "%ProgramFiles%\Folder" /inheritance:e /grant "MyDomain\Domain Users":M /T
goto next
:64
icacls "%ProgramFiles(x86)%\Folder" /inheritance:e /grant "MyDomain\Domain Users":M /T
:next
pause
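After a grant like the one above it is worth checking what ordinary users actually ended up able to write under the application folder, because a user-writable .exe or .dll in Program Files is a privilege-escalation path the moment an admin or a SYSTEM service runs it. The following audit is an added example, not part of the original post: it walks a tree and reports executables whose ACL gives a low-privilege group any write, delete or permission-change right. It assumes PowerShell 3.0 or later, and the group list and extension list are mine (the domain name is the post's).

```powershell
# Added example, not from the original post. Assumes PowerShell 3+; group and extension
# lists are assumptions and should be adjusted to the environment.
function Find-UserWritableBinaries {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$LowPrivGroups = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                                     'Everyone', 'MyDomain\Domain Users'),
        [string[]]$Extensions = @('.exe', '.dll', '.bat', '.cmd', '.ps1', '.vbs')
    )
    # Rights that let a caller replace or tamper with the file, plus the generic
    # WRITE (0x40000000) and ALL (0x10000000) bits some ACEs are written with.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
    $writeMask = $writeMask -bor 0x40000000 -bor 0x10000000

    Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and ($Extensions -contains $_.Extension.ToLower()) } |
        ForEach-Object {
            $file = $_
            $acl  = Get-Acl -LiteralPath $file.FullName
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -eq 'Allow' -and
                    ($LowPrivGroups -contains $ace.IdentityReference.Value) -and
                    (([int]$ace.FileSystemRights -band $writeMask) -ne 0)) {
                    [pscustomobject]@{
                        File      = $file.FullName
                        Identity  = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
}

# Usage:
# Find-UserWritableBinaries -Path "$env:ProgramFiles\Folder" | Format-Table -AutoSize
# Anything listed should lose the write bit, e.g. by moving the grant to a data subfolder.
```

The check is per file; a folder where users hold "delete subfolders and files" can still let them remove and re-create a file the ACL above reports as clean, so when the report is empty also look at the folder ACEs with icacls.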

Show "system uptime" single/multiple servers

"Show uptime of multiple computers" – Looking after multiple servers, I wanted to check which have rebooted and which still require a reboot after Windows updates. To interrogate multiple servers I use PsInfo from the Sysinternals PsTools.

Multiple servers (output to txt):

  1. Download PsTools (PsInfo is part of it).
  2. Copy psinfo.exe to a location on the PATH, e.g. C:\Windows\System32.
  3. From cmd:

psinfo uptime \\* > c:\ShowSystemUptimesReport.txt

uptime = show only the uptime field
\\* = query every computer in the current domain (PsInfo needs admin rights on each)
> c:\ShowSystemUptimesReport.txt = write the output to this file

Example (named servers, comma-separated, no spaces):

psinfo uptime \\Server-DC1,Server-DC2 > c:\ShowSystemUptimesReport.txt

Single server (without tools):

systeminfo | find "System Boot Time:"

or, for a remote server: systeminfo /s Server-DC1 | find "System Boot Time:"
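The question behind the PsInfo run is really two questions: when did the box last boot, and is a reboot still pending from patching. The following is an added example, not part of the original post, that answers both without any extra tool on the servers: last boot time via WMI, and the pending-reboot flags Windows Update and component servicing leave in the registry (PendingFileRenameOperations also fires for non-patch reasons, so treat it as a hint). It assumes remote WMI access and the Remote Registry service on the servers, admin rights on each, and PowerShell 3.0 or later on the machine you run it from.

```powershell
# Added example, not from the original post. Assumes remote WMI + Remote Registry access
# as an admin on each server and PowerShell 3+ locally.
function Get-UptimeAndRebootStatus {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($pc in $ComputerName) {
        try {
            $os   = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $pc -ErrorAction Stop
            $boot = $os.ConvertToDateTime($os.LastBootUpTime)

            # Documented reboot-pending markers: CBS, Windows Update, and file renames queued for next boot.
            $reg  = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $pc)
            $cbs  = $reg.OpenSubKey('SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending')
            $wu   = $reg.OpenSubKey('SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired')
            $sm   = $reg.OpenSubKey('SYSTEM\CurrentControlSet\Control\Session Manager')
            $pfro = if ($sm) { $sm.GetValue('PendingFileRenameOperations') } else { $null }
            $reg.Close()

            [pscustomobject]@{
                ComputerName  = $pc
                LastBoot      = $boot
                UptimeDays    = [math]::Round(((Get-Date) - $boot).TotalDays, 1)
                RebootPending = [bool]($cbs -or $wu -or $pfro)
                Reason        = (@(
                                    if ($cbs)  { 'CBS' }
                                    if ($wu)   { 'WindowsUpdate' }
                                    if ($pfro) { 'PendingFileRename' }
                                ) -join ',')
            }
        } catch {
            [pscustomobject]@{ ComputerName = $pc; LastBoot = $null; UptimeDays = $null
                               RebootPending = $null; Reason = "error: $($_.Exception.Message)" }
        }
    }
}

# Usage (same job as "psinfo uptime \\Server-DC1,Server-DC2 > report.txt", plus the pending flag):
# Get-UptimeAndRebootStatus -ComputerName 'Server-DC1','Server-DC2' |
#     Export-Csv C:\ShowSystemUptimesReport.csv -NoTypeInformation
```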

Robocopy (FileServer Migration)

I often use Robocopy when migrating/copying data from file servers.

When running the copy to transfer data from Windows Server 2003 to Windows Server 2008 I run robocopy from the destination server (the newer one) so that it uses the newer built-in version rather than the XP010 build from the separately downloaded Windows Server 2003 Resource Kit. Server 2008 ships XP026, which has a number of flaws; Server 2008 R2 and Windows 7 ship XP027 (5.1.10.1027), which also adds /MT multithreading.

This is the main syntax I use to perform a full copy.

robocopy D:\Source E:\Destination /MIR /R:1 /W:1 /COPYALL

Example, when copying from another server (using UNC):

robocopy \\myserver\e$\data E:\data /MIR /R:1 /W:1 /COPYALL

Although "/MIR" mirrors the data, it does not copy the ACLs (the default is /COPY:DAT: data, attributes and timestamps), so you need to include /COPYALL. I've copied a whole load of data before without it, only to find I had to recopy to correct the ACLs. Two further things to know before hitting Enter: /MIR includes /PURGE, which deletes anything in the destination that is not in the source, so get the argument order right and run with /L (list only) first; and /COPYALL copies auditing info (the U in DATSOU), which needs the "Manage auditing and security log" right, so run it elevated or you get ERROR 1314 (use /B, backup mode, for files your account cannot otherwise read).

/COPYALL : Copy ALL file info (equivalent to /COPY:DATSOU) including timestamps, permissions (ACLs), owner and auditing info.
/MIR : MIRror a directory tree – equivalent to /PURGE plus all subfolders (/E)
/R:n : Number of retries on failed copies – default is 1 million.
/W:n : Wait time between retries – default is 30 seconds.

Sometimes the copy sets the top-level folder to "hidden" and "system" (this happens when the source is a drive root, whose attributes get copied onto the destination folder). This can be un-hidden using the "attrib" command:

attrib -h -s E:\data

-s : Removes the system file attribute.
-h : Removes the hidden file attribute.
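The robocopy line above, wrapped with the checks that would have saved the recopy: a /L dry run first, a log file, the exit code decoded (robocopy returns a bitmask, where 8 and above mean something failed), and a spot check that ACLs really arrived by comparing the SDDL of a sample of source and destination folders. This is an added example, not part of the original post; the paths, log location and sample size are assumptions, and it assumes PowerShell 2.0 or later on the destination server.

```powershell
# Added example, not from the original post. Paths and sample size are assumptions.
function Invoke-MirrorCopy {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Destination,
        [string]$LogPath = "$env:TEMP\robocopy-$(Get-Date -Format yyyyMMdd-HHmmss).log",
        [switch]$DryRun
    )
    $rcArgs = @($Source, $Destination, '/MIR', '/COPYALL', '/R:1', '/W:1', '/NP', "/LOG:$LogPath")
    if ($DryRun) { $rcArgs += '/L' }       # list only: nothing is copied or purged
    & robocopy.exe @rcArgs | Out-Null
    $rc = $LASTEXITCODE

    # Robocopy exit code is a bitmask: 1 copied, 2 extras in destination, 4 mismatches,
    # 8 copy failures, 16 fatal error. Anything >= 8 needs a look at the log.
    New-Object PSObject -Property @{
        ExitCode = $rc
        Copied   = [bool]($rc -band 1)
        Extras   = [bool]($rc -band 2)     # would be deleted by /MIR on a real run
        Mismatch = [bool]($rc -band 4)
        Failed   = [bool]($rc -band 8)
        Fatal    = [bool]($rc -band 16)
        Log      = $LogPath
    }
}

function Compare-FolderAcl {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Destination,
        [int]$Sample = 25
    )
    Get-ChildItem -Path $Source -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        Select-Object -First $Sample |
        ForEach-Object {
            $rel = $_.FullName.Substring($Source.TrimEnd('\').Length).TrimStart('\')
            $dst = Join-Path $Destination $rel
            $srcSddl = (Get-Acl -LiteralPath $_.FullName).Sddl
            $dstSddl = if (Test-Path -LiteralPath $dst) { (Get-Acl -LiteralPath $dst).Sddl } else { '<missing>' }
            New-Object PSObject -Property @{ Folder = $rel; AclMatches = ($srcSddl -eq $dstSddl) }
        }
}

# Usage:
# Invoke-MirrorCopy -Source '\\myserver\e$\data' -Destination 'E:\data' -DryRun   # read the log first
# Invoke-MirrorCopy -Source '\\myserver\e$\data' -Destination 'E:\data'
# Compare-FolderAcl -Source '\\myserver\e$\data' -Destination 'E:\data' | Where-Object { -not $_.AclMatches }
```

SDDL includes owner and group, which /COPYALL also copies, so a same-domain migration should compare equal; across domains the SIDs differ and the comparison will flag every folder, in which case compare the access entries by name instead.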


Windows & Office Key Activation / Removal

Windows Keys (slmgr):

Change Windows Product Key & Activate (run from an elevated cmd):

cmd
slmgr -ipk your-mak-key-here
slmgr -ato

Office Keys (ospp.vbs):

To deactivate an Office license you can use the "ospp.vbs" script located in the Office 2010 installation directory.

It provides a number of functions; my objective here is removing an activated MAK for Visio & Office 2010.

These are the steps taken for this scenario:

CD C:\Program Files\Microsoft Office\Office14

or

CD C:\Program Files (x86)\Microsoft Office\Office14

(32-bit Office 2010 on a 64-bit OS)

Display the list of Office product keys installed and note the last 5 characters of the key to be removed:

cscript ospp.vbs /dstatus

Remove the Office product key (the value after /unpkey: is the last 5 characters shown by /dstatus):

cscript ospp.vbs /unpkey:M9TKQ
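When several MAKs are installed it is easy to retype the wrong five characters, so here is the same /dstatus → /unpkey procedure with the output parsed rather than copied by hand. This is an added example, not part of the original post or of Microsoft's ospp.vbs: it assumes the Office14 directories named above, that /dstatus prints "LICENSE NAME:", "LICENSE STATUS:" and "Last 5 characters of installed product key:" lines per product, and the sample output embedded below is constructed (the key suffix is the post's example value; the SKU ID is a placeholder). Nothing is removed unless -Remove is passed.

```powershell
# Added example, not from the original post. Assumes the Office14 paths from the post and
# the /dstatus line labels shown in the constructed sample below.
function Get-OfficeLicenseKeys {
    param([Parameter(Mandatory)][string[]]$DstatusOutput)
    $current = $null
    foreach ($line in $DstatusOutput) {
        if ($line -match '^LICENSE NAME:\s*(.+)$') {
            $current = @{ Name = $Matches[1].Trim(); Status = $null; Key = $null }
        } elseif ($current -and $line -match '^LICENSE STATUS:\s*(.+)$') {
            $current.Status = $Matches[1].Trim()
        } elseif ($current -and $line -match 'Last 5 characters of installed product key:\s*(\w{5})') {
            $current.Key = $Matches[1]
            [pscustomobject]$current      # one object per product block
            $current = $null
        }
    }
}

function Remove-OfficeKey {
    param([Parameter(Mandatory)][string]$NameLike, [switch]$Remove)
    $candidates = @("${env:ProgramFiles(x86)}\Microsoft Office\Office14\ospp.vbs",
                    "$env:ProgramFiles\Microsoft Office\Office14\ospp.vbs")
    $ospp = $candidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
    if (-not $ospp) { throw 'ospp.vbs not found in an Office14 directory' }

    $status = cscript.exe //nologo $ospp /dstatus
    foreach ($lic in (Get-OfficeLicenseKeys -DstatusOutput $status | Where-Object { $_.Name -like $NameLike })) {
        if ($Remove) { cscript.exe //nologo $ospp "/unpkey:$($lic.Key)" }
        else { "Would remove '$($lic.Name)' (key ending $($lic.Key)); rerun with -Remove" }
    }
}

# Constructed sample of /dstatus output, to exercise the parser offline.
$sample = @'
---------------------------------------
SKU ID: 00000000-0000-0000-0000-000000000000
LICENSE NAME: Office 14, OfficeProPlus-MAK edition
LICENSE DESCRIPTION: Office 14, RETAIL(MAK) channel
LICENSE STATUS:  ---LICENSED---
Last 5 characters of installed product key: M9TKQ
---------------------------------------
'@ -split "`r?`n"
Get-OfficeLicenseKeys -DstatusOutput $sample | Format-Table Name, Status, Key -AutoSize

# Usage on a real box:
# Remove-OfficeKey -NameLike '*OfficeProPlus-MAK*'            # dry run
# Remove-OfficeKey -NameLike '*OfficeProPlus-MAK*' -Remove    # runs /unpkey for each match
```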

WBAdmin | Daily Backup and Restore via Schedule

I've been working with Windows Server Backup. One downside of it in Windows Server 2008 is that you can't schedule a routine backup job to a network location from the console (only to a dedicated local disk; 2008 R2 lifted this). A workaround is a scheduled task that calls the WBAdmin tool.

Scheduled Task (create a scheduled task that runs wbadmin with the following switches):

wbadmin start backup -backupTarget:\\server\backup$\ -vssFull -allCritical -quiet

This command backs up the critical volumes, i.e. everything needed for a bare-metal/system image restore. I don't think the "allCritical" will work if you then specify items to exclude. Two things to watch on a network target: wbadmin keeps only the most recent backup in a shared folder (each run overwrites the previous one), so use a different subfolder per run if you want more than one version; and the account the task runs as needs write access to the share (or pass -user and -password).

Show backups running:

wbadmin get status

Full list of switches: Microsoft TechNet article cc742083 (wbadmin start backup)
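A scheduled-task body for the wbadmin line above that handles the overwrite behaviour on network targets: each run writes into its own dated subfolder, older folders for this host are pruned after a successful run, and the exit code goes to the Application event log so a silently failing task gets noticed. This is an added example, not part of the original post; the script path, retention count, task name and service account are assumptions. It only needs PowerShell 2.0 (what Server 2008 ships), and the task account must have write access to the share.

```powershell
# Added example, not from the original post. Save as C:\Scripts\Invoke-DailyBackup.ps1 (path
# assumed) and register it as the scheduled task's action, e.g.:
#   schtasks /create /tn "WBAdmin Daily" /sc daily /st 23:00 /ru DOMAIN\backupsvc /rp * /rl HIGHEST ^
#     /tr "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Invoke-DailyBackup.ps1"
param(
    [string]$ShareRoot = '\\server\backup$',   # the share from the post
    [int]$Keep = 7,                            # dated folders to retain for this host (assumed)
    [string]$LogSource = 'WBAdminDaily'        # event log source name (assumed)
)

function Invoke-DailyBackup {
    param([string]$ShareRoot, [int]$Keep, [string]$LogSource)

    # One folder per run: wbadmin keeps only the latest backup in a given share folder.
    $target = Join-Path $ShareRoot ('{0}-{1:yyyyMMdd}' -f $env:COMPUTERNAME, (Get-Date))
    New-Item -ItemType Directory -Path $target -Force | Out-Null

    & wbadmin.exe start backup "-backupTarget:$target" -allCritical -vssFull -quiet
    $rc = $LASTEXITCODE

    # Prune this host's older dated folders beyond $Keep, but only after a successful run,
    # so a broken backup never deletes the last good one.
    if ($rc -eq 0) {
        Get-ChildItem -Path $ShareRoot |
            Where-Object { $_.PSIsContainer -and $_.Name -like "$env:COMPUTERNAME-*" } |
            Sort-Object Name -Descending |
            Select-Object -Skip $Keep |
            Remove-Item -Recurse -Force
    }

    # Leave a trail in the Application log; non-zero from wbadmin is treated as failure.
    if (-not [System.Diagnostics.EventLog]::SourceExists($LogSource)) {
        New-EventLog -LogName Application -Source $LogSource
    }
    $entryType = if ($rc -eq 0) { 'Information' } else { 'Error' }
    Write-EventLog -LogName Application -Source $LogSource -EventId 1000 -EntryType $entryType `
        -Message "wbadmin start backup to $target exited with $rc"
    return $rc
}

exit (Invoke-DailyBackup -ShareRoot $ShareRoot -Keep $Keep -LogSource $LogSource)
```

Because the folder names sort by date, "Select-Object -Skip $Keep" after a descending sort is exactly "everything older than the newest seven". The event log entry is what you alert on: an Error with this source means last night's backup did not complete.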


SCANPST.EXE Tool Location (PST recovery)

Looking for ScanPST tool bundled with Microsoft Office?

Try the following locations (OFFICE12 is Office 2007; for Office 2010 look in Office14 instead):

SCANPST.EXE

  • disk drive:\Program Files\Microsoft Office\OFFICE12
  • disk drive:\Program Files\Common Files\System\Mapi\1033\
  • disk drive:\Program Files\Common Files\System\Mapi\1033\NT
  • disk drive:\Program Files\Common Files\System\MSMAPI\1033
  • disk drive:\Program Files (x86)\Microsoft Office\OFFICE12
  • disk drive:\Program Files (x86)\Common Files\System\Mapi\1033\
  • disk drive:\Program Files (x86)\Common Files\System\MSMAPI\1033

If it isn't there, download it from: http://www.edwardsd.co.uk/work/storage/tools/

BGinfo Auto Background set @ Login (*.VBS)

“bginfo_admin_background.vbs”

Set objShell = CreateObject("Wscript.Shell")
' /timer:0 applies the layout immediately, /nolicprompt suppresses the Sysinternals EULA dialog
' on first run, /silent suppresses error pop-ups; window style 0 keeps the window hidden and
' True makes the logon script wait for BGInfo to finish.
objShell.Run "\\domain.com\NETLOGON\Logon_Software\bginfo.exe \\domain.com\NETLOGON\Logon_Software\BGINFO_background.bgi /timer:0 /nolicprompt /silent", 0, True

I usually do this layout:

“<Host Name>”

Default Gateway: <Default Gateway>
IP Address: <IP Address>
Logon Domain: <Logon Domain>
Logon Server: <Logon Server>
Machine Domain: <Machine Domain>
OS Version: <OS Version>
Service Pack: <Service Pack>

An easy zip of these settings is available here.

Requires BGinfo: Sysinternals