Resetting forgotten password with Trinity Rescue Kit

In a home environment I have always used and been able to rely upon Trinity Rescue Kit. If you're working in an enterprise environment this won't work on domain accounts, but if for some reason you don't have any access at all to the PC you can at least reset the local administrator's password and get in. If I don't need to get in to retrieve any information I just re-image the PC and don't bother, but in case you need something, here is the tool.

It's free and really easy to use. Keep in mind that it works by editing the local SAM database offline, so it only helps on an unencrypted system drive (a BitLocker-protected disk can't be reset this way), and it is a good reminder that anyone with physical access to an unencrypted disk can do the same.

  1. Download it from this link
  2. You will get an ISO image; just burn it to CD, since most likely your PC has a CD drive. If not, you will have to make a bootable USB drive with it and boot from USB. This tutorial covers the CD version, but if you need to make a bootable USB drive I like using a little tool called YUMI
  3. Boot into your TRK disc, choose the Interactive WinPass option, then choose option 1 to select your Windows installation and list its users.
  4. Type in the name of the user whose password you want to clear and you're done! (See video for details)


Downloading Music/Audio From Youtube with Windows

So we like playing music in the car, or wherever we are, from our phone using YouTube. Let's instead download our music beforehand and not burn through the phone's costly bandwidth. On top of that we only want the audio, since it is a much smaller file and takes up little room.

Tool Needed:

Back to my favorite online video downloader, youtube-dl. This is the simple command line tool we run in the command prompt to grab videos. I have written a previous post on how to use it; please check that out to see how it's set up.

Downloading Youtube Videos Instead of Streaming on Phone


  1. Grab the URL for your video

Where to grab the URL from the youtube Video:


Once you have that, simply run this in the command line (cmd.exe) to download the audio only:

youtube-dl --extract-audio <URL of video>

Note that --extract-audio hands the conversion to ffmpeg (or avconv), so one of those has to be on the PATH as well; without it youtube-dl still downloads the full video and then fails at the extraction step.

Final note: keep in mind it downloads to your working directory, so in the case above the file was downloaded to my user profile folder.

That’s it. Just upload it to your phone and jam it out in the car!

-Bolivian Gene

Search And Delete Emails in Exchange2013

This is a quick blogged guide for administrators who need to delete an email from their organization for one reason or another. In my case this was due to a CryptoLocker-like virus outbreak called Cerber.

The Task: find the emails and delete them from the system to prevent further incidents, which make more work for us because we always have to re-image, and in some cases physically replace, the machines, not to mention user downtime.

First Step:

First we want to locate and identify the emails targeted for deletion. In my case we received the payload from this address: (first, I just want to say .ru is Russian!) We should never open emails like this, but users will still go for it. There are several ways to find where the emails went, who read them and so on, and that is what we will do going off this address.

Options for Searching: Exchange Powershell OR Exchange E-Discovery Gui

I'll normally use both. In many cases, if the search involves gathering emails, it is easiest for me to just run an eDiscovery search and export them to a PST file. For deletions, though, we want PowerShell, since as of now it is the only way I know of to delete emails from the system and user mailboxes in one mass action.

-So log into your Exchange server as the Exchange admin, or verify you have the proper rights to run search commands: Search-Mailbox needs the Mailbox Search role (the Discovery Management role group carries it), and the -DeleteContent switch additionally needs the Mailbox Import Export role, which is not assigned to any role group by default and has to be added explicitly.

Then open the Exchange Management Shell, and we can use the following command to search for the items from the matching email address.

Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery "From:<sender address>" -TargetMailbox adminuser -TargetFolder "SearchAndDeleteLog" -LogOnly -LogLevel Full

-This command first grabs all mailboxes within the organization, then pipes them to our search function using the "|" symbol. In the search operation, Search-Mailbox -SearchQuery is where we specify the "From:" text to find our matching address (fill in the sending address; an empty query matches every item in every mailbox). The command then follows up with a target mailbox and folder to send a report of the results to. In my case I'm sending it to my adminuser's mailbox under the "SearchAndDeleteLog" folder I created for it. The -LogOnly switch means nothing is moved or deleted yet; you just get the report.

Here is a guide to other parameters I might use when running the search. We can use things like the subject line or dates and get fairly specific. Keep in mind it uses KQL (Keyword Query Language), the same syntax used in eDiscovery. Use this guide to get an idea of what search parameters you can use for -SearchQuery:

Once you have the results you want you can move on to delete them with the following command:

Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery "From:<sender address>" -DeleteContent

This command gathers the results and deletes them from the mailboxes. You will be asked to confirm the deletion for each mailbox. Use exactly the same -SearchQuery you reviewed in the log run; if you also keep -TargetMailbox and -TargetFolder on this command, Exchange copies each item to that folder before removing it from the user's mailbox, which leaves you a copy for the incident record.

I advise backing up anything before deleting it, but since this is a virus in the email we wash our hands of it.
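The same search-and-delete flow as one Exchange Management Shell script, as an added example that is not part of the original post. It assumes placeholder values for the sender address, the received-date window, the admin mailbox and the log folder, and it adds the pieces a practitioner wants around the two commands above: a guard against an empty query, a quick count with -EstimateResultOnly, a log-only pass, and a delete that only touches the mailboxes that actually had hits while keeping a copy of each removed item.

```powershell
# Added example, not from the original post. Placeholders (assumptions): the sender
# address, the received-date window, the admin mailbox and the log folder. Run in the
# Exchange Management Shell as an account holding the Mailbox Search role (search/log)
# and the Mailbox Import Export role (required for -DeleteContent).

$Sender    = 'sender@example.ru'          # assumption: address the malicious mail came from
$Window    = '03/01/2016..03/15/2016'     # assumption: KQL date range that narrows the sweep
$AdminBox  = 'adminuser'                  # mailbox that receives the report and the copies
$LogFolder = 'SearchAndDeleteLog'         # folder inside $AdminBox, created if missing

# Never let an empty query reach -DeleteContent: "" matches every item in every mailbox.
if ([string]::IsNullOrWhiteSpace($Sender)) {
    throw 'Refusing to run: an empty -SearchQuery would match every item in every mailbox.'
}
$Query = "From:$Sender AND Received:$Window"

$Mailboxes = Get-Mailbox -ResultSize Unlimited

# 1. Quick count per mailbox; nothing is copied or deleted.
$Estimate = $Mailboxes | Search-Mailbox -SearchQuery $Query -EstimateResultOnly
$Hits = @($Estimate | Where-Object { $_.ResultItemsCount -gt 0 })
$Total = ($Hits | Measure-Object -Property ResultItemsCount -Sum).Sum
"$($Hits.Count) mailbox(es) hold $Total matching item(s)"

# 2. Full log to the admin mailbox so the hit list can be reviewed before anything is removed.
$Mailboxes | Search-Mailbox -SearchQuery $Query -TargetMailbox $AdminBox `
    -TargetFolder $LogFolder -LogOnly -LogLevel Full

# 3. Delete, limited to the mailboxes that had hits. With -TargetMailbox present,
#    Exchange copies each item into $AdminBox\$LogFolder before removing it from the
#    user's mailbox. Drop -Confirm:$false if you want the per-mailbox prompt back.
$Hits | ForEach-Object { Get-Mailbox -Identity $_.Identity } |
    Search-Mailbox -SearchQuery $Query -TargetMailbox $AdminBox `
    -TargetFolder $LogFolder -DeleteContent -Confirm:$false
```

Review the log from step 2 before running step 3; the date window is there so an unrelated, legitimate message from the same sender domain does not get swept up with the payload.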

The Cerber File Encrypting Virus

Screen Shots:

Ran into this bad boy today. I was reviewing the code from the GitHub dump I found here:

I was concerned that it also worked on infecting file shares, but from what I can see it doesn't touch them. After a user infected a computer here on our network it looks like nothing else has been touched, but all the files on her computer display messages like this:

Cerber Virus

Every file is basically encrypted until you pay the sons of guns.

Basic Steps on handling this type of problem:

  1. Verify none of your other networked file shares have been infected and run a full virus scan of the shares just to be safe. So far I haven't heard of Cerber jumping to any networked shares, so it keeps things local to the machine, which means it is mainly targeting end users. Here is a snip of code from the above link that leads me to believe it only keeps things local, since it's the only reference to any directories it makes:
                         "folders": [
    ":\\$recycle.bin\\", ":\\$windows.~bt\\",
    ":\\boot\\", ":\\drivers\\",
    ":\\program files\\", ":\\program files (x86)\\",
    ":\\programdata\\", ":\\users\\all users\\",
    "\\public\\music\\sample music\\", "\\public\\pictures\\sample pictures\\",
    "\\public\\videos\\sample videos\\", "\\tor browser\\"
    ]
  2. The next step is to burn the infected machine (just re-image it). Users might ask for the files, in which case they can pay the ransom if it's that important: something like 2 bitcoins, or around $500, if you pay up before it doubles on you every week. One other thing users have asked me is whether they can at least see the files they lost, in which case you're going to be taking a picture of the computer screen, because I wouldn't take any bets on making a digital bridge to that computer being safe (i.e. plugging in a USB stick, or taking a snapshot to transfer to a USB stick).
  3. The final step is to replace the user's PC and restore their files. That is, if you back them up!


Confirmed with Talos Security group that this is not de-cryptable as of yet

Distribute Adobe Creative Cloud Package with SCCM 2012 With Device License

So if you have ever had to do this, you will first have to deal with the legal side of the software. With Adobe you can order a device or a user license.

User licenses are the easiest to deal with because you don't really manage them other than giving the user the license.

With a device license, however, we need to create a package using Adobe's Creative Cloud Packager, with which we download the software we want (Premiere, Photoshop, etc.) and then create an MSI file from it to distribute through SCCM 2012.

So check it out I have a video for this:)

-Sorry for the Blurred parts, for security purposes

-If there are questions, post in the comments and I’ll reply.

  1. Download Creative Cloud Packager to local HD
  2. Run CC Packager and select the option to create a package for Teams and Education licenses (otherwise you won't get the device license option)
  3. Use the program to download and create a package of the Adobe programs you want
  4. Import it into SCCM as an application
  5. Distribute it to your device collection as needed. The applications should then run without requiring the device to sign in to the cloud

Can you Recover Data after Re-imaging?

So I have re-imaged a computer and several weeks have gone by. I have already re-provisioned the computer and another user has obviously been writing to it. The simple answer is that the chances are incredibly slim. After speaking with a Kroll Ontrack recovery rep they did say something can still be recovered, but it is highly unlikely to be what we were looking for. I also remembered using FTK Imager for file investigations. That ended up being far too pricey just to recover data, although their product is great for finding lost or hidden data; a post for another time on FTK.

I tried the free program Recuva to see what it might unveil, and it picked up some deleted PDF files, but even the ones it deemed in excellent condition were too damaged to open in Adobe Acrobat. Its advanced mode will at least let you filter through pictures, files, documents, etc. I will say it was only good for recovering images, since it seemed to keep those intact, but again only the ones deemed excellent (denoted by the green circles).

The Recuva download I tried at the time of posting:



Nonetheless, in a situation involving hard disk data recovery your best bet is to send it to a professional company, and even that isn't a guarantee, but if the data is that important maybe it's worth the cost. A managerial decision to be made.

And of course, another lesson in backup. Always back up your information. In this case the user waited forever to tell us what was needed, and with a backup policy that doesn't include local hard drives it was close to impossible. You move on and leave it in the past.

Downloading Youtube Videos Instead of Streaming on Phone

So there are several programs to use for this, but my favorite has become youtube-dl. It's a simple command line program you can easily use for scripting and more. Simply put, it's straightforward: no GUI, just type the commands on your command line and you're set!

It basically involves taking the share URL for the video or playlist you want and then downloading it to your working directory from the CMD prompt. That's it, we just use CMD for this bad boy.


Here are my notes on the basic uses. I basically just use it to download playlists to play on my phone, using my home internet connection. This saves my phone's preciously expensive high speed data!

USING youtube-dl in PowerShell
-Install Python (only needed if you run the .py version or install it with pip; the Windows .exe below is self-contained)
-Download youtube-dl
-Download the .exe file for Windows and create a folder for it under Program Files: C:\Program Files\youtube-dl
-Now add it to the environment PATH for use in PowerShell and CMD

  • Go to Start Menu > right click "Computer" > Properties > Advanced System Settings > Environment Variables button at the bottom > under "System Variables" select the PATH variable
  • Edit it and, after adding a ";" to the end, enter your path C:\Program Files\youtube-dl

-Start PowerShell or CMD.exe (just type them into the Start Menu search) and use it as you would any program, with the command "youtube-dl" followed by any arguments; see below for simple practical uses
-Keep in mind a video downloads to the current working directory displayed in your CMD prompt (just open File Explorer and browse there)



youtube-dl <url from youtube to video>

-Files are downloaded to the working directory.

youtube-dl -cit <url of playlist>

-The switches are -c (continue partial downloads), -i (ignore errors and keep going through the playlist) and -t (name files after the video title). Go to the YouTube channel, click on the playlist (not "play all") and you should see a "share" button for the playlist, which gives you the URL to download.
i.e. the share button on this page will generate the playlist URL:

-You may have to update it first; run PowerShell as administrator for this, since the .exe lives under Program Files and the update overwrites it:

youtube-dl -U
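A PowerShell wrapper for the playlist and audio-only uses covered in this post and in the audio post above, as an added example that is not part of the original post. It assumes youtube-dl.exe sits in C:\Program Files\youtube-dl and that ffmpeg is on the PATH (youtube-dl shells out to it for --extract-audio), and it puts files in a fixed folder instead of whatever the prompt's working directory happens to be, with a download archive so re-running on the same playlist only fetches new items. The sample playlist URL at the bottom is a placeholder.

```powershell
# Added example, not from the original post. Assumptions: youtube-dl.exe is in
# C:\Program Files\youtube-dl and ffmpeg is on PATH; the playlist URL is a placeholder.

$ToolDir = 'C:\Program Files\youtube-dl'
# Make the tool reachable in this session even if PATH has not been edited in System Properties yet.
if (-not (($env:Path -split ';') -contains $ToolDir)) { $env:Path += ";$ToolDir" }

function Save-YoutubeAudio {
    param(
        [Parameter(Mandatory)][string]$Url,                                   # video or playlist share URL
        [string]$OutDir = (Join-Path $env:USERPROFILE 'Music\youtube-dl')    # fixed output folder
    )
    # Fail early with a clear message instead of halfway through a playlist.
    foreach ($tool in 'youtube-dl', 'ffmpeg') {
        if (-not (Get-Command $tool -ErrorAction SilentlyContinue)) {
            throw "$tool not found on PATH"
        }
    }
    New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

    # -x extract audio; -i keep going past a failed item; -c resume partial files;
    # --download-archive records finished IDs so the next run skips them;
    # -o sets the output template, so the working directory no longer matters.
    & youtube-dl -x --audio-format mp3 -i -c `
        --download-archive (Join-Path $OutDir 'downloaded.txt') `
        -o (Join-Path $OutDir '%(title)s.%(ext)s') `
        $Url
    if ($LASTEXITCODE -ne 0) { Write-Warning "youtube-dl exited with code $LASTEXITCODE" }
}

# Update first (elevated prompt needed while the exe lives under Program Files), then download.
& youtube-dl -U
Save-YoutubeAudio -Url 'https://www.youtube.com/playlist?list=PLxxxxxxxxxxxxxxxx'   # assumption: placeholder URL
```

Copy the resulting folder to the phone as before; on the next run only items not listed in downloaded.txt are fetched.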


Dell OptiPlex 9010 Driver Signing Issue

Description: Dell OptiPlex 9010 PCs will sometimes end up with their USB drivers treated as unsigned, and Windows 7 then refuses to load them, rendering the keyboard and mouse useless.

Steps to Take:

You can verify this issue by checking your Device Drivers and seeing the problematic drivers(Start Menu>Right Click My Computer>Manage>Device Manager)

Quick workaround: restart the PC and tap F8 repeatedly to get into the Advanced Boot Options menu, then choose "Disable Driver Signature Enforcement". This boots Windows with signature enforcement off for that session only, so the affected drivers load and the keyboard and mouse work again.

Now the fix: replace the affected drivers with good ones. First copy the drivers from a working PC (same OS and patch level, and one you trust) to a share somewhere.

To be allowed to rename the driver files in %windir%\System32\drivers you will need Unlocker.exe or a similar tool, or just take ownership and grant yourself rights with takeown and icacls, which is what the script at the end of this post does without any third-party tool.

Rename the affected drivers to .OLD and replace them with the good drivers (click on the pic for the drivers to pull). Pull the good drivers from a working PC.

Copy and paste the good drivers into the drivers directory and restart the PC. Voilà, all good :)

UPDATE: this seems to have been an issue related to KB2913431.

Remove the update from the PCs and make sure it doesn't get distributed via WSUS or SCCM.



UPDATE: a colleague and I wrote a script for the process. Save this as a .bat file and it's automated for you! Just remember to edit the GOOD line at the top with your server name and the share where you copied the good driver files. The script maps the share and checks that every replacement file is there before it touches the live drivers, so a bad server name leaves the machine as it was instead of without USB drivers.

@echo on
setlocal

rem * EDIT THIS: share holding the known-good driver files copied from a working PC *
set GOOD=\\YourServer\Location Of Good Driver Files
set DRV=%windir%\System32\drivers
set FILES=iusb3hub.sys iusb3xhc.sys usbccgp.sys usbd.sys usbehci.sys usbhub.sys usbport.sys

rem * map the share first, and make sure every replacement exists BEFORE renaming anything *
net use z: /delete 2>nul
net use z: "%GOOD%" || (echo Could not map %GOOD% & exit /b 1)
for %%f in (%FILES%) do if not exist "z:\%%f" (echo Missing z:\%%f on the share & net use z: /delete & exit /b 1)

for %%f in (%FILES%) do (
    rem * take ownership for the local Administrators group, break inheritance, grant Modify *
    takeown /f "%DRV%\%%f" /a
    icacls "%DRV%\%%f" /inheritance:r /grant:r "Administrators":M
    rem * keep the bad file under a new name, then drop the good file into place *
    ren "%DRV%\%%f" %%f.OLD
    copy "z:\%%f" "%DRV%\%%f"
)

rem * remove the drive map and reboot *
net use z: /delete
shutdown -r -t 0 -f


Microsoft KB3114717 Issue

Funny how we have to protect ourselves from Microsoft's own mishaps along with malicious software, oblivious users and the like... But that's the IT game.

And so it happens: your users start to experience freezing across their Microsoft Office programs out of nowhere and you need to become a detective. In my experience this has always been because of a recent update applied to the organization's computers. Not sure how everyone else goes about applying updates, but in this case it is controlled by a WSUS server and then further controlled by System Center Configuration Manager. After checking the site's device collections I found that all affected computers were within the collection that receives all of the most recent Microsoft updates. Upon further research I found it was linked to KB3114717, recently pushed by Microsoft on 02/09/2016 (February 2016's Patch Tuesday).

Uninstall this KB and voilà, issues gone. Just another thing to look out for, and another great reason to put together a WSUS server that controls which updates get pushed. Combined with update groups and device collections in SCCM, this keeps patching to a minimum set of machines at first, so user outcry is limited to the selected test machines. Afterwards we just move the affected KB into a "do not deploy" group and collect the rest for deployment to the entire domain of computers.

If you're reading this and just need to know how to uninstall it manually, use this quick little guide:

Start Menu > Search Bar > type 'appwiz.cpl' > click "View installed updates" > search for KB3114717 in the upper right hand corner of the pane > find it and uninstall it

As always make sure the users run with the programs for a day before you mark this issue as resolved.
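The same uninstall from an elevated PowerShell, as an added example that is not part of the original post. It covers both this KB3114717 case and the KB2913431 driver-signing issue from the OptiPlex post above: Find-KbUpdate scopes which machines actually have a KB installed (so you know which ones to pull it from), and Remove-KbUpdate runs wusa.exe, the scripted equivalent of the appwiz.cpl steps. The computer names are placeholders. Blocking the KB from being redeployed is still done in WSUS/SCCM; this only removes it where it already landed.

```powershell
# Added example, not from the original post. Assumptions: run from an elevated PowerShell
# on Windows 7; the KB identifiers and computer names are supplied by you (the names
# below are placeholders). Remote checks use Get-HotFix over WMI, so the remote machine
# has to accept that from your account.

function Find-KbUpdate {
    # Which of these machines have the update installed? Scope before you pull it.
    param(
        [Parameter(Mandatory)][string]$Kb,                     # e.g. 'KB3114717'
        [string[]]$ComputerName = $env:COMPUTERNAME
    )
    foreach ($c in $ComputerName) {
        $hf = Get-HotFix -Id $Kb -ComputerName $c -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Computer    = $c
            Kb          = $Kb
            Installed   = [bool]$hf
            InstalledOn = if ($hf) { $hf.InstalledOn } else { $null }
        }
    }
}

function Remove-KbUpdate {
    # Uninstall one or more updates from the local machine, quietly and without rebooting.
    param([Parameter(Mandatory)][string[]]$Kb)
    foreach ($id in $Kb) {
        if (-not (Get-HotFix -Id $id -ErrorAction SilentlyContinue)) {
            "$id not installed, skipping"
            continue
        }
        $num = $id -replace '^KB', ''                          # wusa wants the bare number
        $p = Start-Process -FilePath wusa.exe -Wait -PassThru `
             -ArgumentList "/uninstall /kb:$num /quiet /norestart"
        switch ($p.ExitCode) {
            0       { "$id removed" }
            3010    { "$id removed, reboot required" }          # ERROR_SUCCESS_REBOOT_REQUIRED
            default { Write-Warning "wusa returned $($p.ExitCode) for $id" }
        }
    }
}

# Scope: which test machines actually received the patch (placeholder names).
Find-KbUpdate -Kb KB3114717 -ComputerName 'PC01', 'PC02' | Format-Table -AutoSize

# Remove both problem updates from this machine; reboot afterwards if asked to.
Remove-KbUpdate -Kb KB3114717, KB2913431
```

Run Find-KbUpdate again after the reboot to confirm the KB is gone, and, as the post says, let users work for a day before calling it resolved.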





My Overview on RIP Version 2 Routing


  1. Classless
  2. Sends subnet mask information in its updates
  3. VLSM
  4. CIDR
  5. Authentication
  6. Key management


Devices: Cisco 2811 Router


  • router rip: enable RIP routing from global configuration mode
    • version 2: enable RIP v2. The default is version 1
    • network <network ID>: make sure to add the networks of the configured interfaces.
      Tip: everything is basically configured the same as RIP v1
    • no auto-summary: disable summarization so sub-netted classless routes are advertised. It is enabled by default.

debug ip rip: turn this on from privileged EXEC mode to see the router display the RIP packets and routes being sent in advertisements. Use the "no" form (or undebug all) when finished to stop the process.
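A complete RIP v2 configuration for the 2811, as an added example that is not part of the original post, with the authentication and key management features listed above actually configured (a key chain plus MD5 on the interface facing the RIP neighbour) and the LAN side made passive so updates are not broadcast where no router listens. The interface names, addresses and key string are assumptions.

```text
! Added example, not from the original post. Assumptions: FastEthernet0/0 (192.168.1.1/24)
! faces the RIP neighbour, FastEthernet0/1 (10.0.0.1/24) is the LAN, and the key-string
! is a placeholder to replace.
key chain RIP-KEYS
 key 1
  key-string ChangeMeRipSecret
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip rip authentication mode md5
 ip rip authentication key-chain RIP-KEYS
!
interface FastEthernet0/1
 ip address 10.0.0.1 255.255.255.0
!
router rip
 version 2
 network 192.168.1.0
 network 10.0.0.0
 no auto-summary
 passive-interface default
 no passive-interface FastEthernet0/0
!
! Verification from privileged EXEC:
!   show ip protocols   - confirms version 2, the networks, and that auto-summary is off
!   show ip route rip   - routes learned from the neighbour
!   debug ip rip        - watch updates; a key mismatch shows as "ignored v2 packet ... (invalid authentication)"
!   undebug all         - stop debugging when done
```

The neighbour needs the same mode and the same key string under the same key number, or its updates are dropped; without authentication any host on that segment can inject routes. Key management is the rest of the key chain: add a second key with accept-lifetime and send-lifetime to rotate the secret without an outage.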

Video Play: